Identification and Collection
INFM 718X/LBSC 708X
Douglas W. Oard
“Data” Mapping
• Organizational
• Application-al
• Logical
• Physical
• Geographic
Levels of Analysis
How Disks Work
Extracted from Shelly Cashman Vermaat’s Discovering Computers 2004
Windows “NTFS” File Metadata
• Time file created (or copied)
  – Most recent one; optionally “journaled”
• Time file content changed (or made changeable)
  – Most recent one; optionally “journaled”
• Time file renamed (or moved)
  – Most recent one
• Time file metadata created or changed
  – Most recent one
• Time file accessed (content or metadata)
  – Most recent one; optionally disabled
Microsoft Word Metadata
• Author
• Title
• Dates (may not agree with NTFS!)
  – Created
  – Modified
  – Accessed
  – Printed
  – Each tracked change
EXIF Image Metadata
• Time
• Location
• Camera manufacturer and model
• Camera orientation
• Exposure information (shutter speed, f stop)
• Thumbnail versions
  – Altering the image may not change the thumbnail!
Email Metadata
• Message metadata
  – Times
    • Sent
    • Resent
    • Received
  – Route
  – In-reply-to
  – Attachment file type
• System metadata
  – Folder
File Types
• Extensions
  – MyDocument.xls
• MIME type
• Magic bytes
• Supervised machine learning
Capture
• Imaging
  – Tape copy
  – Disk image
• Active file capture
  – Hardware write block
  – Software write blocking
• File system copy
Culling
• Custodian
• De-NISTing
  – Based on NIST list of known program hashes
• Date range
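The three culling criteria above applied in sequence, as an added example that is not part of the original slides. The hash list, collection records and custodian names are constructed, and using SHA-1 and the modified time for the date test are assumptions.

```python
import hashlib
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def sha1(data):
    return hashlib.sha1(data).hexdigest()

# Constructed stand-in for the NIST list of known program hashes.
KNOWN_PROGRAM_HASHES = {sha1(b"constructed OS binary"), sha1(b"constructed office DLL")}

# Constructed collection: one record per captured file.
COLLECTION = [
    {"path": "alice/budget.xls", "custodian": "alice",
     "modified": utc(2012, 3, 5), "content": b"Q1 budget draft"},
    {"path": "alice/system32/kernel.dll", "custodian": "alice",
     "modified": utc(2012, 3, 6), "content": b"constructed OS binary"},
    {"path": "alice/old_memo.doc", "custodian": "alice",
     "modified": utc(2009, 1, 15), "content": b"memo from 2009"},
    {"path": "bob/notes.txt", "custodian": "bob",
     "modified": utc(2012, 4, 1), "content": b"bob's notes"},
    {"path": "alice/renamed.tmp", "custodian": "alice",
     "modified": utc(2012, 5, 9), "content": b"constructed office DLL"},
]

def cull(items, custodians, start, end, known_hashes):
    """Apply custodian, de-NIST and date-range culling; return (kept, culled_log)."""
    kept, culled_log = [], []
    for item in items:
        # Hash the content, not the name: a renamed known file still matches.
        digest = sha1(item["content"])
        if item["custodian"] not in custodians:
            reason = "custodian"
        elif digest in known_hashes:
            reason = "de-NIST"
        elif not (start <= item["modified"] <= end):
            reason = "date range"
        else:
            kept.append(item["path"])
            continue
        # Record what was dropped and why, so the reduction stays traceable.
        culled_log.append((item["path"], digest, reason))
    return kept, culled_log

def run_example():
    return cull(COLLECTION, {"alice"}, utc(2012, 1, 1), utc(2012, 12, 31),
                KNOWN_PROGRAM_HASHES)
```
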
Preservation
• Future accessibility
  – Replication
  – Service copies
• Authenticity
  – Documented traceable process
  – Separately stored hashes