Hello. In this lecture we're going to talk about how to make sense of the data that's stored on the disks, or the data that we recover during our investigations. We make sense of that data through something called data structures, which we'll talk about today.

So first off, the data location. Like we talked about last time, in digital forensic investigations a lot of the time the data that we're acquiring is coming from a physical disk. It could be coming from random access memory or some other storage location, but most of the data we work with is coming from some hard drive. It could be a hard drive in a phone, could be a hard drive in a computer. It's usually a hard drive in a computer, although now phones are getting very, very popular.

So, data location. All data is located on some sort of physical storage device. It doesn't matter whether it's RAM or a hard drive, there has to be some sort of physical representation somewhere of that data, which means we can access that physical device and make copies directly of the data. Today we're going to be focusing mostly on the acquisition of hard drives, especially from computers that are off, just because it's the easiest and the best way to basically start and get into data acquisition.

So when saving data, like we talked about with file systems, if we want to recover the original meaning of the data later we have to organize the data in a known way and store it in a known location. So we have to organize the data in a known way and store that data in a known location if we want to actually recover the meaning later. Think about it: if we don't know the organization or the structure of the data, how can we actually get the meaning back? If we don't know the location of it, well, we can't even find it to figure out what the meaning might be anyway. So we need at least the organization of the data and the location to be able to try to make some sense of that.
If we know the organization, structure and location, we can recover the original meaning of the data, and that's what investigators are trying to do. Remember, we're trying to go from this binary level, these ones and zeros, to information that's relevant to our case. So we have to go from data to information, and we need to make sure that we're preserving the actual meaning of that data, or that we're actually getting the real meaning of the data. And of course encryption makes this difficult, because even if we know the location it kind of changes the organization of the data, so we can't actually get any meaning out of it. So encryption is a big part of our considerations during digital forensic investigations.

So, data acquisition for forensics. Whenever we're trying to acquire data or copy suspect data, when possible digital forensics examiners want to collect, like I said before, a physical disk image. This is a copy of the lowest layer of data, because that will allow us to recover as much information about the system, or about the suspect, as we can. A lot more than if we're collecting, for example, a logical disk image or even just a file. A physical disk image is a bit-for-bit copy of the data from the physical disk, and this is an exactly identical copy. So we have some hard drive: a USB stick, a mobile phone hard drive, a hard drive from a computer. We want to copy the data bit for bit, exactly the same, into another location. The physical disk image can allow for the recovery of the greatest amount of information, and once we can recover that information we can start to get information like, for example, deleted files. Why were they deleted? Different actions that the user did on the system. We can start to reconstruct those once we get a physical disk image. That information might be missing in a logical disk image.

So here I give a representation of data on a hard drive in hexadecimal view.
Oftentimes, whenever investigators are analyzing a hard drive manually, they'll switch it to hexadecimal view. It helps the human, at least, to be able to pick out patterns, whereas if we were just looking at the ones and zeros it doesn't really mean much to us. But with a hex view and some practice you can really start to understand where some known patterns are, from which we can potentially pull out information for use in our investigations.

So whenever we're talking about data, we want to figure out what this data actually represents, and we want to do that accurately. So in this slide I have data structures. Data structures are essentially rules that apply to groups of data so we can understand what this data actually means. So in the image in the slides I essentially have ones and zeros, a binary string, and if we know what the data structure is for those ones and zeros, we can split them up and we can actually pull out a timestamp. This is a very common way to save timestamps on a computer. We just see these binary strings. We can extract those binary strings, and we know the structure of them, so we can know exactly how to pull out the timestamps. I'll talk more about that, and I'll give more resources and links in the forum about how to do that shortly. In the next slide I also show, in hexadecimal view, how investigators tend to go about pulling different pieces of information out of the data. If you don't have any reference material it becomes very, very difficult to know what this data means, because we just see ones and zeros or a hex view. But if we know what each of those bits actually means together, then we can start to pull out all of the information we need for the case.

So how do we actually find data structures? The data structures are essentially the rules that we use to pull out meaning from the ones and zeros, or the data. For finding the data structures there are a couple of different ways. First off is online.
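As an added worked example (not part of the original lecture) of the timestamp data structure just described, before turning to where such structures are documented: the block below renders a constructed byte buffer the way a forensic hex viewer does and then applies two assumed rules to it, a 4-byte little-endian Unix timestamp at offset 0 and an 8-byte Windows FILETIME at offset 4. The record layout is an assumption for illustration; a real format's offsets come from its documentation.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks from 1601-01-01 UTC;
# Unix time counts seconds from 1970-01-01 UTC. The gap is a fixed constant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_TO_FILETIME_SECS = 11_644_473_600


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes like a forensic hex viewer: offset | hex | ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asciipart}|")
    return "\n".join(lines)


def decode_unix32(data: bytes, offset: int, little_endian: bool = True) -> datetime:
    """Apply the rule '4 bytes = seconds since 1970' at the given offset."""
    fmt = "<I" if little_endian else ">I"
    (secs,) = struct.unpack_from(fmt, data, offset)
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def decode_filetime(data: bytes, offset: int) -> datetime:
    """Apply the rule '8 bytes LE = 100 ns ticks since 1601' at the given offset."""
    (ticks,) = struct.unpack_from("<Q", data, offset)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


# Constructed sample record (assumed layout, not from the lecture): Unix
# timestamp at offset 0, FILETIME at offset 4, then a short ASCII tag.
# Both stamps encode the same instant, 2023-11-14 22:13:20 UTC.
UNIX_SECS = 1_700_000_000
FILETIME_TICKS = (UNIX_SECS + UNIX_TO_FILETIME_SECS) * 10_000_000
SAMPLE = struct.pack("<IQ", UNIX_SECS, FILETIME_TICKS) + b"REC1"

if __name__ == "__main__":
    print(hexdump(SAMPLE))
    print("unix32  :", decode_unix32(SAMPLE, 0))
    print("filetime:", decode_filetime(SAMPLE, 4))
    # The same four bytes read with the wrong byte order give a plausible
    # but wrong date: the structure, not the bytes alone, carries the meaning.
    print("wrong-endian unix32:", decode_unix32(SAMPLE, 0, little_endian=False))
```

The wrong-endian line is the check a practitioner wants: a decoded date that looks valid is not evidence that the rule applied was the right one.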
The first place you want to start is with an online search. The data structures for common data types may be found online in forums or other places, especially where digital investigators are, because they also need to know what these data structures are to pull out meaning for their cases as well.

If you can't find something with a quick online search, look for developer documentation. So the companies that actually make these data structures; for example, a Word file has its own data structure. The company might make some information about that Word file data structure available to developers. If, in this case, Microsoft doesn't make that Word file data structure available, groups that are trying to make open source support for that file type might also have documentation about the data structure of that file type. So they've already done the work for you. Look for developer documentation on what these data structures mean; for extremely common, or sometimes even less common, files it may be available.

Also, research articles. Digital investigation journals and information security journals have a lot of information on data sources and data structures for a lot of especially common types of files, or in some cases new types of files that not very many people know about yet, which may have been published in journals. So look at these journals and see if the data structure that you want is available there.

And if all of this fails, you just have to do your own research. It's relatively easy in some cases to find the data structure for certain types of data that's available. So for example, if you're investigating a new program that's only available in your country and you think nobody else will investigate that program, you might want to know the data structure for files that this program creates.
In this case you are the one that's going to have to be able to go through and do that, and I also give brief instructions about how to investigate your own data structures in a link in the forum. So if you have any questions about data structures, please send me a forum topic and we'll talk about it more. Thank you.