Digital Forensics

The document provides an overview of forensic science, focusing on digital forensics, its principles, and processes. It discusses the significance of Locard's Exchange Principle and outlines the stages of digital forensic investigations, including preservation, collection, examination, and analysis. Additionally, it highlights the role of scientific models and organizations like the American Academy of Forensic Sciences in advancing forensic science within the legal system.

Uploaded by

Rishi Vasishtha
1 Introduction

Syllabus
Understanding of forensic science, digital forensic, The digital forensic process, Locard's exchange principle, Scientific models.

Contents
1.1 Understanding of Forensic Science
1.2 Digital Forensic Winter-21, Marks 3
1.3 Locard's Exchange Principle Winter-21, Marks 7
1.4 Scientific Models


1.1 Understanding of Forensic Science

Forensic science is the use of scientific methods or expertise to investigate crimes or examine evidence that might be presented in a court of law. Forensic science comprises a diverse array of disciplines, from fingerprint and DNA analysis to anthropology and wildlife forensics.

Forensics is the application of science to solve a legal problem. In forensics, the law and science are forever integrated.

Forensic scientists and law enforcement officials use cutting-edge scientific techniques to preserve and examine evidence in a process known as "chain of evidence." This process ensures that evidence is pure and has not had an opportunity to become tainted through mishandling.

The field of forensic science draws from a number of scientific branches, including physics, chemistry and biology, with its focus being on the recognition, identification, and evaluation of physical evidence. It has become an essential part of the judicial system.

Forensic scientists perform both physical and chemical analyses on physical evidence obtained by crime scene investigators and law enforcement officials at the crime scene. These scientific experts use microscopic examining techniques, complex instruments, mathematical principles, scientific principles, and reference literature to analyze evidence as to identify both class and individual characteristics.

1.2 Digital Forensic GTU: Winter-21


Digital forensics is the process of analyzing and evaluating digital data as evidence. Any information stored on digital media can be a piece of digital evidence to be analyzed during the digital forensic process.

Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.

The investigative process of digital forensics can be divided into several stages. The four major stages are: preservation, collection, examination and analysis.

Computer forensics activities commonly include:
a. The secure collection of computer data.
b. The identification of suspect data.
c. The examination of suspect data to determine details such as origin and content.
d. The presentation of computer-based information to courts of law.
e. The application of a country's laws to computer practice.

Digital evidence can be useful in a wide range of criminal investigations including homicides, sex offenses, missing persons, child abuse, drug dealing, fraud and theft of personal information. Digital information is all information in digital form and can be divided into the content itself.

Hard copy printouts of digital information are not digital evidence in the strict sense of this definition; they are considered a starting point for applying digital evidence gathering in the future.

Forensics is the application of investigative and analytical techniques that conform to evidentiary standards used in or appropriate for a court of law or other legal context.

There are three basic and essential principles in digital forensics:
1. The evidence is acquired without altering it;
2. Demonstrably so;
3. Analysis is conducted in an accountable and repeatable way.

Digital forensic processes, hardware and software have been designed to ensure compliance with these requirements. The process of digital forensics is typically as follows:
1. Preservation of the state of the device.
2. Survey and analysis of the data for evidence.
3. Event reconstruction.
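The three principles above can be made concrete with a short Python sketch (an added example, not code from the original text): the source is opened read-only, hashed while it is copied, and each step is appended to an audit log so that a second examiner can repeat the check and detect any later change to the working copy. The file names, examiner labels and log fields are assumptions, and the sample data is constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # read size; large media is streamed, never loaded whole


def now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path):
    """Hash a file through a read-only handle."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image, examiner, log):
    """Principles 1 and 2: copy without altering, and record the proof."""
    digest = hashlib.sha256()
    size = 0
    # "rb": the original is never opened for writing.
    # "xb": refuse to overwrite an image that already exists.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)  # hash exactly the bytes that were read
            dst.write(block)
            size += len(block)
    acquired = digest.hexdigest()
    record = {
        "action": "acquire", "examiner": examiner, "utc": now_utc(),
        "source": os.path.basename(source), "image": os.path.basename(image),
        "bytes": size, "sha256": acquired,
        # Re-hash both sides: the original is unchanged and the copy is exact.
        "source_unchanged": sha256_file(source) == acquired,
        "image_matches": sha256_file(image) == acquired,
    }
    log.append(record)
    return record


def verify(image, record, examiner, log):
    """Principle 3: a repeatable check that anyone can rerun later."""
    ok = sha256_file(image) == record["sha256"]
    log.append({"action": "verify", "examiner": examiner, "utc": now_utc(),
                "image": os.path.basename(image), "match": ok})
    return ok


def demo():
    """Acquire constructed sample data, verify it, then detect a 1-bit change."""
    log = []
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "seized_media.bin")    # hypothetical name
        image = os.path.join(work, "seized_media.img")     # hypothetical name
        with open(source, "wb") as fh:
            fh.write(b"constructed sample data\n" * 5000)  # constructed input
        os.chmod(source, 0o444)  # software stand-in for a write blocker
        record = acquire(source, image, "examiner-A", log)
        first_check = verify(image, record, "examiner-B", log)
        with open(image, "r+b") as fh:  # simulate mishandling of the copy
            fh.seek(1000)
            original = fh.read(1)
            fh.seek(1000)
            fh.write(bytes([original[0] ^ 0x01]))
        second_check = verify(image, record, "examiner-B", log)
    return record, first_check, second_check, log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```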

1.2.1 Digital Forensics Principle


1. When dealing with digital evidence, all of the general forensic and procedural
principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence
must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence
whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.


1.2.2 Scope and Stages of Investigative Process of Digital Forensics

The scopes of the forensic investigations are as follows:
1. To identify the malicious activities.
2. To identify the security lapse in their network.
3. To find out the impact if the network system was compromised.
4. To identify the legal procedures, if needed.
5. To provide the remedial action in order to harden the system.

Stages of investigative process of digital forensics
1. Preservation: Preservation stage corresponds to freezing the crime scene. It involves operations such as preventing people from using computers during collection, stopping ongoing deletion processes and choosing the safest way to collect information.
2. Collection: Collection stage consists in finding and collecting digital information that may be relevant to the investigation. Collection of digital information means collection of the equipment containing the information or recording the information on some medium.
3. Examination: It is search of digital evidence. The output of examination is data objects found in the collected information which includes log and data files containing specific phrases, timestamps etc.
4. Analysis: The aim of analysis is to draw conclusions based on evidence found.

1.2.3 Forensic Duplication and Investigation

Computer forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence.

The computer investigations group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.

For complex casework, the computer investigations group draws on resources from those involved in vulnerability assessment, risk management and network intrusion detection and incident response. This group resolves or terminates all case investigations.

Digital forensic investigation: A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred.


Forensic analysis includes reviewing all the data collected. This includes reviewing log files, system configuration files, trust relationships, web browser history files, email messages and their attachments, installed applications and graphic files.

You perform software analysis, review time/date stamps, perform keyword searches and take any other necessary investigative steps.

Forensic analysis also includes performing more low-level tasks, such as looking through information that has been logically deleted from the system to determine if deleted files, slack space or free space contain data fragments or entire files that may be useful to the investigation.

Fig. 1.2.1 shows forensic analysis.

[Fig. 1.2.1 Forensics analysis: flow diagram with the stages "Preparation of data" and "Analysis of data"]


Following are the principles that must be followed when a person conducts the computer forensic investigation.
1. Data stored in a computer or storage media must not be altered or changed, as those data may be later presented in the court.
2. A person must be competent enough in handling the original data held on a computer or storage media if it is necessary.
3. An audit trail or other documentation of all processes applied to computer-based electronic evidence should be created and preserved.
4. A person who is responsible for the investigation must have overall responsibility for accounting that the law.

University Question
1. What is Digital forensics? GTU: Winter-21, Marks 3

1.3 Locard's Exchange Principle GTU: Winter-21

Edmond Locard was an important forensic scientist of the 19th century. In forensic
science, Locard's exchange principle holds that the perpetrator of a crime will
bring something into the crime scene and leave with something from it, and that
both can be used as forensic evidence.
He formulated the basic principle of forensic science as: "every contact leaves a trace". It is generally understood as "with contact between two items, there will be an exchange."


This basic principle is that "every contact leaves a trace". Thus no perpetrator can leave the scene without leaving a trace. Fingerprints, gunshot residue or blood are the main evidence, which is involuntarily left behind at the crime scene.

Although Locard's thoughts were highly unusual at that time, he realized early the
great significance of using scientific tools in the investigation of crimes. Finally, a
new discipline, forensics, was created for these reasons.
Paul L. Kirk expressed the principle as follows: "Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibres from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget."
When a crime is committed, fragmentary or trace evidence needs to be collected
from the scene. A team of specialised police technicians goes to the scene of the
crime and seals it off. They record video and take photographs of the crime scene,
victim/s and items of evidence.
If necessary, they undertake ballistics examinations. They check for foot, shoe, and
tire mark impressions, plus hair as well as examine any vehicles and check for
fingerprints, whole or partial.
Example: website visit. Suppose a user visits "technicalpublications.org" and logs in there. What evidence of this visit does the user leave at the technicalpublications.org web server? An entry in the web server log. What evidence does the user take away? First, a cookie from the technicalpublications.org server. Second, the user's browser caches a copy of the web pages visited, i.e. it stores a copy of each web page on the user's machine. Third, the user's browser keeps a history of all the pages the user has visited, which it uses to offer a list of completions of the URL currently being typed.
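The exchange in the website example can be checked in both directions. The following Python sketch (an added example, not part of the original text) parses web server log lines and reports which entries are corroborated by the cookie, cache and history artifacts found on a user's machine. The log lines, IP addresses, timestamps and the dictionary layout of the client artifacts are all constructed for illustration, and the five-second clock-skew tolerance is an assumption.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SITE = "technicalpublications.org"
SKEW = timedelta(seconds=5)  # assumed tolerance between server and client clocks

# Common Log Format: ip ident user [time] "METHOD path proto" status bytes
CLF = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed server-side traces (what the visitor leaves behind).
SERVER_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /login HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:15:09 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2024:10:15:10 +0000] "GET /account HTTP/1.1" 200 3310
198.51.100.23 - - [12/Mar/2024:10:16:40 +0000] "GET /catalog HTTP/1.1" 200 8841
203.0.113.7 - - [12/Mar/2024:10:15
"""

# Constructed client-side traces (what the visitor takes away).
CLIENT = {
    "history": [
        {"url": "https://technicalpublications.org/login", "time": "2024-03-12T10:15:01+00:00"},
        {"url": "https://technicalpublications.org/account", "time": "2024-03-12T10:15:10+00:00"},
        {"url": "https://example.net/news", "time": "2024-03-12T10:20:00+00:00"},
    ],
    "cache": [
        {"url": "https://technicalpublications.org/login", "time": "2024-03-12T10:15:03+00:00"},
    ],
    "cookie": [
        {"host": "technicalpublications.org", "name": "session", "time": "2024-03-12T10:15:09+00:00"},
    ],
}


def parse_server_log(text):
    """Return one dict per well-formed log line; truncated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],
            "status": int(m["status"]),
        })
    return entries


def client_traces(client, site):
    """Yield (kind, path, time) for artifacts that belong to the site.
    A cookie is scoped to the host, so its path is None."""
    for kind in ("history", "cache"):
        for item in client[kind]:
            parts = urlsplit(item["url"])
            if parts.hostname == site:
                yield kind, parts.path or "/", datetime.fromisoformat(item["time"])
    for item in client["cookie"]:
        if item["host"] == site:
            yield "cookie", None, datetime.fromisoformat(item["time"])


def correlate(entries, traces):
    """Attach to each server entry the kinds of client artifact that match it."""
    findings = []
    for entry in entries:
        kinds = {kind for kind, path, when in traces
                 if abs(when - entry["time"]) <= SKEW
                 and (path is None or path == entry["path"])}
        findings.append({**entry, "kinds": sorted(kinds)})
    return findings


def corroborated_ips(findings):
    """Source addresses with at least one entry backed by a client artifact."""
    return {f["ip"] for f in findings if f["kinds"]}


if __name__ == "__main__":
    for f in correlate(parse_server_log(SERVER_LOG), list(client_traces(CLIENT, SITE))):
        print(f["ip"], f["method"], f["path"], f["kinds"])
```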
University Question
1. Explain Locard's Exchange Principle with suitable scenario. GTU: Winter-21, Marks 7

1.4 Scientific Models


Scientific models are developed as a means of helping people understand scientific
concepts and representing them in a visual medium. Models are used to make
predictions. They may include physical and digital models, which can be refined
over time by the inclusion of new scientific knowledge.

1. Scientific Working Group on Digital Evidence (SWGDE)

The Scientific Working Group on Digital Evidence (SWGDE) brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as to ensure quality and consistency within the forensic community.
The FBI (Federal Bureau of Investigation) has supported the formation and efforts of a wide range of Scientific Working Groups (SWGs) and Technical Working Groups (TWGs).
The mission of the Scientific Working Group on Imaging Technology (SWGIT) was to facilitate the integration of imaging technologies and systems within the Criminal Justice System (CJS) by providing best practices and guidelines for the capture, storage, processing, analysis, transmission, output of image and archiving.

2. American Academy of Forensic Sciences

The American Academy of Forensic Sciences (AAFS) is a multidisciplinary professional organization that provides leadership to advance science and its application to the legal system.

AAFS has 6,600+ members, representing all 50 United States and 71 other countries. Membership is comprised of pathologists, attorneys, dentists, toxicologists, anthropologists, document examiners, digital evidence experts, psychiatrists, engineers, physicists, chemists, criminalists, educators, researchers, and others.
AAFS provides:
a) Leadership to advance science and its application to the legal system
b) Education to elevate the accuracy, precision, and specificity in the forensic sciences
c) Initiation of actions and reactions to various and relevant issues by way of AAFS Position Statements and Statements from the AAFS Board of Directors.

3. American Society of Crime Laboratory Directors/Laboratory Accreditation Board


The American Society of Crime Laboratory Directors (ASCLD) is a nonprofit
professional society of crime laboratory directors and forensic science managers
dedicated to providing excellence in forensic science through leadership and
innovation.
The purpose of the organization is to foster professional interests, assist the
development of laboratory management principles and techniques; acquire,
preserve, and disseminate forensic based information; maintain and improve
communication among crime laboratory directors; and to promote, encourage, and
maintain the highest standards of practice in the field.


4. National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories.

From the smart electric power grid and electronic health records to atomic clocks, advanced nano-materials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.

Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations from nano-scale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication.


2 Understanding of the Technical Concepts

Syllabus
Basic computer organization, File system, Memory organization concept, Data storage concepts.

Contents
2.1 Basic Computer Organization Winter-21, Marks 3
2.2 Flynn's Classification of Computers Winter-21, Marks 4
2.3 File System
2.4 Memory Organization Concept Winter-21, Marks 4
2.5 Cache Memory Winter-21, Marks 7
2.6 Data Storage Concepts Winter-21, Marks 3

2.1 Basic Computer Organization GTU: Winter-21

Computer system consists of hardware device and software that are combined to provide a tool to user for solving problems.

Fig. 2.1.1 shows modern computer system.

[Fig. 2.1.1 Modern computer system: central processing unit, main memory, disk controller (hard disk, CD ROM), graphics adapter (display), USB controller (pen drive), keyboard, mouse and printer connected through a bus controller]

Computer system consists of CPU, memory and I/O devices with one or more modules of each type. All these components are interconnected. A common bus is used for communication between these devices. Each device has its own device controller.
Main structural elements are as follows:
1. Central processing unit: CPU controls the operation of the computer. It performs data processing function.
2. Main memory: Used for storing programs and data. The memory is typically volatile. Main memory is also referred to as primary memory or real memory. User program and data are stored in the main memory. Main memory is volatile, so data cannot be stored in it permanently.
3. I/O modules: These modules are used for moving data between computer and its external environment. The external environment consists of variety of devices, including secondary memory devices, communication equipment and terminals.
4. System bus: It provides for communication among processors, main memory and I/O modules.

CPU and device controller use memory cycle for execution purposes. But memory cycle is only available to one device at a time.

Bootstrap program is loaded when user starts the computer. It initializes all the devices connected to the computer system and then loads required device drivers. After this, operating system loads in the computer system. In UNIX OS, 'init' is the first process executed by the OS.

Interrupts can be software or hardware. An interrupt is used to send a signal to the CPU. Software interrupt is sometimes called system call.
When an interrupt is triggered, the CPU stops executing the instruction and control is transferred to the fixed location. Starting address is stored at fixed location where the service routine executes. Interrupts do not alter the control flow of the process executing on the processor.

Processor accesses the data from main memory before executing any instruction. Main memory is also called Random Access Memory (RAM).
At the top of the hierarchy, we have storage on the CPU registers. For the CPU, it is the fastest form of storage to access.

Every device uses a device controller to connect it to the computer's address and data bus. Devices can be classified as block oriented or character oriented, depending on the number of bytes transferred on an individual operation.

Storage devices are used to store data while the computer is off. Device controller manages the data transfer between peripheral device and its controller. Device driver is handled by device controller.

2.1.1 Control Unit


The control unit is the main component of a Central Processing Unit (CPU) in
computers that can direct the operations during the execution of a program by the
processor / computer.
Central Processing Unit has three main parts which are the Arithmetic Logic Unit
(ALU), the Control Unit (CU), and the Memory Unit. The control unit is an
important component of the CPU. It directly controls the functions of the memory
unit, the ALU and the input and output devices.

Fig. 2.1.2 shows block diagram of control unit of computer.

[Fig. 2.1.2 Block diagram of control unit: instruction register, flags, clock and control signals from control bus feed the control unit, which issues control signals within the CPU and control signals to the control bus]

The components of control unit are instruction registers, control signals within the CPU, control signals to/from the bus, control bus, input flags and clock signals.
Control unit co-ordinates and controls the activities amongst the functional units. The basic function of control unit is to fetch the instructions stored in the main memory, identify the operations and the devices involved in it and accordingly generate control signals to execute the desired operations.
It controls input and output operations, data transfer between the processor, memory and input/output devices using timing signal.

University Question

1. Draw and explain Control Unit of basic computer. GTU: Winter-21, Marks 3

2.2 Flynn's Classification of Computers GTU: Winter-21

These models are called Flynn's Taxonomy. These models were proposed in 1972 and form a general 4 category system. It does not clearly classify all models in use today.
M. J. Flynn introduced a system for the categorization of the system architectures of computers. It categorizes all computers according to the number of instruction streams and data streams they have, where a stream is a sequence of instructions or data on which a computer operates.
Two types of information flow into a processor: instruction and data.
This classification is based upon the relationship between the instructions and the manipulated data.
Four Categories Terminology

S = Single
I = Instruction Stream
M = Multiple
D = Data Stream

Logical organization refers to a programmer's view of the platform. Physical organization refers to the actual hardware organization of the platform.
Stream refers to a sequence or flow of either instructions or data operated on by the computer.
The instruction stream is defined as the sequence of instructions performed by the processing unit. It is a flow of instructions from main memory to the CPU. The data stream is defined as the data traffic exchanged between the memory and the processing unit.

[Fig. 2.2.1 Data and instruction stream: data stream and instruction stream between primary memory and the Central Processing Unit (CPU)]

According to Flynn's classification, either of the instruction or data streams can be single or multiple. Computer architecture can be classified into the following four distinct computer architecture categories:
1. SISD (Single Instruction and Single Data Stream)
2. SIMD (Single Instruction and Multiple Data Streams)
3. MISD (Multiple Instructions and Single Data Stream)
4. MIMD (Multiple Instructions and Multiple Data Streams)

[Fig. 2.2.2 Computer architecture classification: SISD, SIMD, MISD, MIMD]

2.2.1 Single Instruction and Single Data Stream

A sequential computer which exploits no parallelism in either the instruction or the data streams. This is the common Von Neumann model used in virtually all single processor computers. These are uniprocessor computers that process one instruction at a time.

The simplest type of computer performs one instruction per cycle such as reading from memory, addition of two values etc. It uses only one set of data or operand.
Instructions are executed sequentially but may be overlapped in their execution stages. Fig. 2.2.3 shows SISD.

[Fig. 2.2.3 SISD: input, controller, instruction stream, CPU, data stream, primary memory, output]

There is no instruction level parallelism and data level parallelism.
Examples: Cray-1 which supports vector processing and Amdahl 470/6 which has pipelined instruction processing.

2.2.2 Single Instruction and Multiple Data Streams


There are multiple data streams in parallel with a single instruction stream. The controller transmits this instruction to all the processors. This is typically done by replicating arithmetic units in CPU and allowing the different units to refer to different operands, but follow a common instruction. Fig. 2.2.4 shows SIMD.

[Fig. 2.2.4 SIMD: host computer, controller broadcasting instructions to CPU 1 ... CPU N, each with its local memory, connected by a high speed internetwork]

Each processor has its own local memory. Processors can communicate with each other through the interconnection network. Each processor takes the data from its own memory and hence it has distinct data streams.
Instructions are broadcast globally by a single control unit. There is single control thread, single program.
Every processor must be allowed to complete its instruction before the next instruction is taken for execution. So, the execution of instructions is synchronous.
An array or matrix is also processed in SIMD. Vector computer and array processors are examples of SIMD.

2.2.3 Multiple Instructions and Single Data Stream


Multiple instruction streams in parallel operating on single data stream. Not commonly used. Systolic array is one example of MISD architecture.
Uncommon architecture which is generally used for fault tolerance.
In the MISD category, the same stream of data flows through a linear array of processors executing different instruction streams. Fig. 2.2.5 shows MISD.

[Fig. 2.2.5 MISD: memory supplies instructions to Controller 1 ... Controller N, each driving Processor 1 ... Processor N on the same data]

Examples include the space shuttle flight control computer.

2.2.4 Multiple Instructions and Multiple Data Streams


Multiple-instruction multiple-data streams parallel architectures are made of multiple processors and multiple memory modules connected together via some interconnection network.
Multiple autonomous processors simultaneously executing different instructions on different data. Processors are asynchronous.
MIMD's have been considered by most researchers to include the most powerful and least restricted computers.
Communications are handled either through use of shared memory or by use of message passing. Fig. 2.2.6 shows MIMD.

[Fig. 2.2.6 MIMD organization: (a) Shared memory MIMD organization (b) Message passing MIMD organization, each built around an interconnection network]

A shared memory system typically accomplishes inter-processor coordination through a global memory shared by all processors. Because access to shared memory is balanced, these systems are also called SMP (Symmetric Multiprocessor) systems.
A message passing system typically combines the local memory and processor at each node of the interconnection network. It is also called distributed memory. There is no global memory, so it is necessary to move data from one local memory to another by means of message passing. This is typically done by a Send/Receive pair of commands, which must be written into the application software by a programmer.
A message is defined as a block of related information that travels among processors over direct links. Examples of message passing systems include the cosmic cube, workstation cluster etc.
MIMD's have been considered by most researchers to include the most powerful and least restricted computers.
One method for programming MIMDs is for all processors to execute the same program.
1. Execution of tasks by processors is still asynchronous.
2. Called single program, multiple data method.
3. Usual method when numbers of processors are large.
4. Considered to be a "data parallel programming" style for MIMDs.

Shared Memory MIMDs
All processors have access to all memory locations. Two types: UMA and NUMA.

1. UMA (Uniform Memory Access)

It is also called symmetric multiprocessors. Each processor has equal access to memory and can do anything that any other processor can do. Fig. 2.2.7 shows UMA.

[Fig. 2.2.7 UMA: several CPUs connected through an interconnection network to a single memory]

For these systems the time to access a word in memory is constant for all processors. Such a parallel computer is said to have a Uniform Memory Access (UMA).

2. Non Uniform Memory Access (NUMA)

In a distributed shared memory computer system, each processor may have its own local memory and may or may not share a common memory. For these systems, the time taken to access a word in local memory is smaller than the time taken to access a word stored in memory of other computer or common shared memory. Thus these systems are said to have Non Uniform Memory Access (NUMA).
Access time to a given memory location varies considerably for different CPUs. Normally, fast cache is used with NUMA systems to reduce the problem of different memory access time for PEs.

Possibly effective performance at higher levels of parallelism than one SMP. Not very supportive of software changes. Performance can break down if there is too much access to remote memory.
Not transparent: Page allocation, process allocation and load balancing changes can be difficult.

TECHNICAL PUBLICATIONS an up-thrust for knowledge


Understanding of the Technicel Concepts
Digital Forensics 2-10

2.2.5 Single Program, Multiple Data

Flynn's classifications traditionally covers only four architectural definitions. Very few people would argue that this fifth definition truly belongs under the banner of Flynn's Classification. This is more a model for parallel processing. It is almost a hybrid between SIMD and MIMD.

All PE's execute the same program in parallel, but has its own data. Each PE uses a unique ID to access its portion of data. Different PE can follow different paths through the same code. Fig. 2.2.8 shows SPMD.

Fig. 2.2.8 SPMD (task 1, task 2, task 3, ..., task n)

SPMD is by far the most commonly used pattern for structuring parallel programs.

Main advantage: Tasks and their interactions visible in one piece of source code, no need to correlate multiple sources.

Typical SPMD Program Phases:
a. Initialize: Establish localized data structure and communication channels.
b. Obtain a unique identifier: Each thread acquires a unique identifier, typically range from 0 to N-1, where N is the number of threads. Both OpenMP and CUDA have built-in support for this.
c. Distribute data: Decompose global data into chunks and localize them, or sharing/replicating major data structure using thread ID to associate subset of the data to threads.
d. Run the core computation.
e. Finalize: Reconcile global data structure, prepare for the next major iteration.

2.2.6 Dataflow Models

The basic concept is to enable the execution of an instruction whenever its required operands become available.

Programs for data driven computations can be represented by data flow graphs.

Each instruction in a data flow computer is implemented as a template, which consists of the operator, operand receivers and result destinations. Operands are marked on the incoming arcs and results are on outgoing arcs.

Dataflow model of execution is asynchronous, i.e., the execution of an instruction is based on the availability of its operands.

Instructions in the dataflow model do not impose any constraints on sequencing except the data dependencies in the program.

The dataflow model incurs more overhead in the execution of an instruction cycle compared to its control-flow counterpart due to its fine-grained approach to parallelism.

In dataflow machines each instruction is considered to be a separate process. To facilitate data-driven execution each instruction that produces a value contains pointers to all its consumers. Since an instruction in such a dataflow program contains only references to other instructions, it can be viewed as a node in a graph.

Dataflow program is represented as a directed graph, G = G(N, A), where nodes in N represent instructions and arcs in A represent data dependencies between the nodes. The operands are conveyed from one node to another in data packets called tokens.

In dataflow computers, the machine level language is represented by dataflow graphs. Fig. 2.2.9 shows basic primitives of the dataflow graph.

(a) Operator (b) Predicate (c) Copy

(d) Switch (e) Merge

Fig. 2.2.9 Basic primitives of the dataflow graph.


For example:
x = a * b
y = 3 * c
then (x + y) * (x - y) / c

Acyclic dataflow graph is used for representing arithmetic and logical expression. Following is the acyclic dataflow graph for given expression.

Fig. 2.2.10 Acyclic flow graph

Nodes s1 and s2 in the figure are both enabled for execution as soon as tokens are placed on the input arcs a, b and c. They all execute simultaneously or one by one.

Switch routes its data input to the output arc on the true side or false side, according to the value of the control input. The wave of input tokens is directed to the true or false arm of the conditional.

Dataflow graphs exhibit two kinds of parallelism in instruction execution.
a. Spatial parallelism: Any two nodes can be potentially executed concurrently if there is no data dependence between them.
b. Temporal parallelism: This type of parallelism results from pipelining independent waves of computation through the graph.

The dataflow graph is similar to a dependence graph used in intermediate representations of compilers.

Dataflow models are classified as static and dynamic.

Static Model

The static model allows at most one instance of a node to be enabled for firing. A dataflow actor can be executed only when all of the tokens are available on its input arcs and no tokens exist on any of its output arcs.

Fig. 2.2.11 shows basic organization of the static dataflow model.

Fig. 2.2.11 Static dataflow model (update unit, fetch unit, processor and instruction memory, connected by data tokens, instruction addresses and operation packets)

Memory contains instruction templates which represent the nodes in a dataflow graph. Each instruction template contains an operation code, slots for the operands and destination addresses.

Presence Bits (PBs) are used to determine the availability of the operands. Detecting the executability of instructions is done by the update unit. After verifying this condition, the update unit sends the address of the enabled instruction to the fetch unit.

Fetch unit fetches and sends a complete operation packet containing the corresponding op-code, data and destination list to the processor. The processor performs the operation and sends the result to the update unit.

Update unit stores each result in the appropriate operand slot and checks the presence bits to determine whether the activity is enabled.

Advantage of static model: Simple model

Limitation of static model
1. Consecutive iterations of a loop can only be pipelined.
2. Due to acknowledgment tokens, the token traffic is doubled.
3. Lack of support for programming constructs that are essential to modern programming language.
Dynamic Model

The dynamic model permits activation of several instances of a node at the same time during run-time. To distinguish between different instances of a node, a tag is associated with each token that identifies the context in which a particular token was generated.

An actor is considered executable when its input arcs contain a set of tokens with identical tags. Fig. 2.2.12 shows basic organization of the dynamic dataflow model.

Fig. 2.2.12 Dynamic dataflow model (matching unit, fetch unit, processor and memory, connected by data tokens, matched token sets and enabled instructions)

Operation of the matching unit is to bring together tokens with identical tags. If a match exists, the corresponding token is extracted from the matching unit and the matched token set is passed on to the fetch unit. If no match is found, the token is stored in the matching unit to await a partner.

Advantages and Limitation of Dynamic Dataflow

Advantage: Better performance as it allows multiple tokens on each arc thereby unfolding more parallelism.

Limitations:
1. Efficient implementation of the matching unit that collects tokens with matching tags.
2. Associative memory would be ideal.
3. It is not cost-effective.
4. All existing machines use some form of hashing techniques that are typically not as fast as associative memory.

2.2.7 Demand-driven Computation

In demand-driven computation, each processor is assigned a task to perform and is responsible for all computations related to those tasks. Demand-driven machines are also known as reduction machines.

It uses top-down approach for instruction execution. In a reduction machine, the computation is triggered by the demand for an operation's result.

The demand-driven approach matches naturally with functional programming languages.

In the demand driven model, operations are executed only when their results are required by another instruction. For this reason it is called lazy evaluation.

2.2.8 Difference between SIMD and MIMD

SIMD | MIMD
SIMD stands for single instruction multiple data. | MIMD stands for multiple instruction multiple data.
Architecture is simple. | Architecture is complex.
Low cost. | Medium cost.
Size and performance is scalable. | Complex size and good performance.
Automatic synchronization of all send and receive operations. | Explicit synchronization and identification protocols needed.

University Question

1. Explain Flynn's classification of computers. GTU: Winter-21, Marks 4

2.3 File System

File systems are an abstraction that enables users to read, manipulate and organize data. Typically the data is stored in units known as files in a hierarchical tree where the nodes are known as directories.

The file system enables a uniform view, independent of the underlying storage devices which can range between anything from floppy drives to hard drives and flash memory cards. Since file systems evolved from stand-alone computers the connection between the logical file system and the storage device was typically a one-to-one mapping.

The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. This unused space is called the slack space.

A cluster, also known as an allocation unit, consists of one or more sectors of storage space and represents the minimum amount of space that an operating system allocates when saving the contents of a file to a disk.

File system must be mounted before it can be available to processes on the system. Procedure for mounting file system is as follows.
1. Mount point is an empty directory at which the mounted file system will be attached.
2. Name of the device and location within the file structure at which to attach the file system is required.
3. Operating system verifies that the device contains a valid file system.
4. Device driver is used by operating system for these verifications.
5. Finally operating system mounts the file system at a specified mount point.

2.3.1 File Allocation Table

A table that the operating system uses to locate files on a disk. Due to fragmentation, a file may be divided into many sections that are scattered around the disk. The FAT keeps track of all these pieces.

The FAT system for older versions of Windows 95 is called FAT16 and the one for new versions of Windows 95 and Windows 98 is called FAT32.

FAT file systems are commonly found on floppy disks, flash memory cards, digital cameras and many other portable devices because of their relative simplicity.

File and folders are organized on FAT formatted volume which uses directory and file allocation table. The (C:\ or D:\) is the root folder at a pre-defined location on the volume. Folder contains a list of file and subdirectories. Fig. 2.3.1 shows the folder view of the file system.

Fig. 2.3.1 Folder view (tree view of folders; contents of selected folders)

Folder view contains starting cluster, date, time associated with each file. FAT file system shows only last accessed date not time. At command line, "dir" command is used to get the information about files and directory.

The FAT shows only a list with one entry for each cluster in a volume. Each entry in the FAT indicates what the associated cluster is being used for. The following Fig. 2.3.2 shows output from Norton Disk Editor on file allocation table.

Fig. 2.3.2 (start of file; end of file; start of a WordPerfect document)

Free allocation is marked by zero in the cluster. If it contains some value (i.e. greater than zero) then that number identifies the next cluster for a given file or folder. EOF means end of file. Where a file ends, the FAT marks it as EOF.

Subdirectories are a special type of file. It contains information such as names, attributes, dates, times, sizes and the first cluster of each file on the system.

Fig. 2.3.3
When a file is deleted, the file system will perform one of two tasks on the file allocation table. The file's entry on the file allocation table is marked as "free space", or the file's entry on the list is erased and then the space is marked as free.

If a file needs to be placed on the storage unit, the operating system will put the file in the space marked as empty. After the new file is written to the "empty space", the deleted file is now gone forever. When a deleted file is to be recovered, the user must not manipulate any files because if the "empty space" is used, then the file can never be retrieved.
Fig. 2.3.4 (disk editor view of the root directory in directory format, with columns Filename, Ext, Size, Date, Time, Cluster and Attributes: Arc, R/O, Sys, Hid, Dir, Vol; the screen notes that filenames beginning with a marker character indicate erased entries)

Floppy diskette uses FAT12 file system. Each entry contains 12 bits in the FAT. FAT16 uses 16 bit fields to identify a cluster. Hard disk uses FAT32 and 28 bits plus 4 bit reserved field used to identify the cluster.
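The cluster chain, slack space and deletion behaviour described in this section can be followed in a small model. This is an added example, not code from the book: the volume layout, file names, cluster size and contents are constructed sample values, and the first-fit allocator and the contiguous-cluster recovery rule are assumptions of the example.

```python
import math

# Constructed FAT16-style model: all sizes, names and contents are sample values.
FREE = 0x0000            # a zero FAT entry marks a free cluster
EOF = 0xFFFF             # end-of-file marker (FAT16 treats 0xFFF8-0xFFFF as EOF)
CLUSTER_SIZE = 2048      # assumed: 4 sectors of 512 bytes per cluster
DELETED_MARK = 0xE5      # first filename byte of an erased directory entry


class Volume:
    def __init__(self, n_clusters):
        self.fat = [FREE] * n_clusters
        self.fat[0] = self.fat[1] = EOF      # entries 0 and 1 are reserved
        self.data = [b""] * n_clusters       # cluster contents
        self.directory = []                  # dicts: name, start, size

    def write_file(self, name, content):
        """Allocate the lowest free clusters (first fit) and link them in the FAT."""
        need = max(1, math.ceil(len(content) / CLUSTER_SIZE))
        free = [c for c in range(2, len(self.fat)) if self.fat[c] == FREE][:need]
        if len(free) < need:
            raise OSError("volume full")
        for i, cluster in enumerate(free):
            self.fat[cluster] = free[i + 1] if i + 1 < need else EOF
            self.data[cluster] = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
        entry = {"name": bytearray(name, "ascii"), "start": free[0], "size": len(content)}
        self.directory.append(entry)
        return entry

    def follow_chain(self, start):
        """Walk FAT entries from the starting cluster until the EOF marker."""
        chain, cluster = [], start
        while True:
            if not 2 <= cluster < len(self.fat) or cluster in chain:
                raise ValueError("corrupt chain at cluster %d" % cluster)
            chain.append(cluster)
            nxt = self.fat[cluster]
            if nxt >= 0xFFF8:
                return chain
            if nxt == FREE:
                raise ValueError("chain runs into a free cluster")
            cluster = nxt

    def slack(self, entry):
        """Bytes reserved for the file but not used by its content."""
        return len(self.follow_chain(entry["start"])) * CLUSTER_SIZE - entry["size"]

    def delete(self, entry):
        """Mark the directory entry erased and free its FAT entries; data stays on disk."""
        for cluster in self.follow_chain(entry["start"]):
            self.fat[cluster] = FREE
        entry["name"][0] = DELETED_MARK

    def recover(self, entry):
        """Try to rebuild a deleted file. The chain is gone from the FAT, so assume
        the clusters were contiguous; give up if any of them has been reallocated."""
        need = max(1, math.ceil(entry["size"] / CLUSTER_SIZE))
        clusters = range(entry["start"], entry["start"] + need)
        if clusters.stop > len(self.fat) or any(self.fat[c] != FREE for c in clusters):
            return None
        return b"".join(self.data[c] for c in clusters)[:entry["size"]]


def demo():
    vol = Volume(16)
    report = vol.write_file("REPORT.DOC", b"R" * 3000)   # clusters 2 and 3
    notes = vol.write_file("NOTES.TXT", b"N" * 1000)     # cluster 4
    results = {"report_slack": vol.slack(report), "notes_slack": vol.slack(notes)}
    vol.delete(report)
    results["recovered_before_reuse"] = vol.recover(report)
    big = vol.write_file("BIG.BIN", b"B" * 5000)         # reuses 2 and 3, then takes 5
    results["big_chain"] = vol.follow_chain(big["start"])
    results["recovered_after_reuse"] = vol.recover(report)
    return results


if __name__ == "__main__":
    print(demo())
```

The fragmented chain of BIG.BIN (clusters 2, 3, 5) shows why the FAT is needed to find every piece of a file, and the failed second recovery shows why a volume under examination must not be written to.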
2.3.2 Network File System

Master file table is the heart of NTFS. The MFT is an array of file records. Each record is 1024 bytes. The first record in the MFT is for the MFT itself. The name of the MFT is $MFT. The first 16 records in the MFT are reserved for metadata files.

An MFT can be too big if a volume used to have lots of files that were deleted. The files that were deleted cause internal holes in the MFT. These holes are significant regions that are unused by files. It is impossible to reclaim this space. This is at least true on a live NTFS volume.

Fig. 2.3.5 shows NTFS Partition.

As files are added to an NTFS volume, more entries are added to the MFT and so the MFT increases in size. When files are deleted from an NTFS volume, their MFT entries are marked as free and may be reused, but the MFT does not shrink. Thus, space used by these entries is not reclaimed from the disk.

Fig. 2.3.5 NTFS partition (MBR, VBR, $MFT, directories and files; measured in clusters)

Directories are treated in NTFS as index entries and store folder entries in a B-Tree to accelerate access and facilitate resorting when entries are deleted. NTFS uses an encoding scheme called Unicode.

The attribute places INDX records in a B+ tree, where the key is the file name. A B+ tree is a data structure where arbitrary records are organized by a sortable key value, such as a number or a string. For a forensic investigator, the effect of the B+ tree is that INDX records associated with a node are stored as a chunk in alphanumeric order.

The size of a B+ node is 4096 bytes. When a file is added to a directory, a new record is added to the INDX attribute of the directory. Within the B+ tree, NTFS finds the appropriate node and inserts the new record, shifting records down, if necessary.

Fig. 2.3.6 shows the file with a logical size that is larger than its valid data length, leaving un-initialized space.

Fig. 2.3.6 File with logical size (file content up to the valid data length, un-initialized space up to the logical size, file slack up to the physical size)
Fig. 2.3.7 shows the behavior of the Microsoft NTFS driver as an INDX record is deleted. When the driver removes INDX record "F", it shifts the records "G" and "H" to fill the space. As the contents of record "H" shift, a recoverable copy (inactive record "H") remains in the newly expanded slack space.

Fig. 2.3.7 Behavior of NTFS driver (INDX node header, active INDX records and slack space; INDX record "F" deleted; active INDX records shift to fill space; a copy of record "H" is recoverable from slack)
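The shift-on-delete behaviour of Fig. 2.3.7 can be reproduced on a byte buffer. This is an added example, not code from the book and not the on-disk NTFS format: the header and record layout are a simplified constructed layout, and the record names A, D, E, F, G, H are sample values chosen to match the "F", "G" and "H" of the text.

```python
import struct

# Simplified, constructed layout (not the on-disk NTFS INDX format):
# 6-byte header = magic "INDX" + uint16 count of bytes used by active records,
# then records of uint16 name length + UTF-16LE file name, kept in sorted order.
NODE_SIZE = 4096
HEADER = struct.Struct("<4sH")


def pack_record(name):
    raw = name.encode("utf-16-le")
    return struct.pack("<H", len(raw)) + raw


def parse_records(buf, start, end):
    """Yield (offset, total_length, name) for well-formed records in buf[start:end]."""
    pos = start
    while pos + 2 <= end:
        (n,) = struct.unpack_from("<H", buf, pos)
        if n == 0 or n % 2 or pos + 2 + n > end:
            break                                  # zero fill or garbage: stop
        yield pos, 2 + n, bytes(buf[pos + 2:pos + 2 + n]).decode("utf-16-le", "replace")
        pos += 2 + n


class IndxNode:
    def __init__(self):
        self.buf = bytearray(NODE_SIZE)
        self._set_used(0)

    def _set_used(self, used):
        HEADER.pack_into(self.buf, 0, b"INDX", used)

    @property
    def used_end(self):
        return HEADER.size + HEADER.unpack_from(self.buf, 0)[1]

    def active(self):
        return [name for _, _, name in parse_records(self.buf, HEADER.size, self.used_end)]

    def insert(self, name):
        """Insert in key order, shifting later records down."""
        rec, end = pack_record(name), self.used_end
        if end + len(rec) > NODE_SIZE:
            raise OverflowError("node full")
        pos = end
        for off, _, existing in parse_records(self.buf, HEADER.size, end):
            if existing > name:
                pos = off
                break
        self.buf[pos + len(rec):end + len(rec)] = self.buf[pos:end]
        self.buf[pos:pos + len(rec)] = rec
        self._set_used(end + len(rec) - HEADER.size)

    def delete(self, name):
        """Remove a record by shifting later records up; the vacated tail is not wiped."""
        end = self.used_end
        for off, length, existing in parse_records(self.buf, HEADER.size, end):
            if existing == name:
                self.buf[off:end - length] = self.buf[off + length:end]
                self._set_used(end - length - HEADER.size)
                return
        raise KeyError(name)

    def carve_slack(self):
        """Parse the bytes after the last active record for leftover records."""
        return [name for _, _, name in parse_records(self.buf, self.used_end, NODE_SIZE)]


def demo():
    node = IndxNode()
    for name in ["H", "A", "F", "D", "G", "E"]:      # inserted out of order
        node.insert(name)
    before = (node.active(), node.carve_slack())
    node.delete("F")
    return before, (node.active(), node.carve_slack())


if __name__ == "__main__":
    print(demo())
```

All sample names have the same length, so the stale copy of "H" survives whole; with names of different lengths only the tail of the shifted region remains, and a carver has to cope with partial records.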

NTFS captures the difference between logical file size and valid data length in two MFT fields.

NTFS creates MFT entries whenever required. When a file is deleted, NTFS simply marks the associated MFT entry as deleted and available for a new file. It is possible to recover all of the information about a deleted file from the MFT entry, including the data for resident files and the location of data on disk for non-resident files.

Recovery of deleted files in the NTFS is complicated. When a file is deleted, the next file that is created may overwrite the MFT entry for the deleted file.

2.4 Memory Organization Concept GTU: Winter-21

Memory is used to store information. Secondary storage memory is long term persistent memory that is held in storage device such as disk drive.

Primary memory is faster than secondary memory. Memory manager is responsible for allocating primary memory to processes.

Memory management is performed by both software and special purpose hardware. The memory manager is an operating system component. Managing the sharing of primary memory and minimizing memory access time are the basic goals of the memory manager.

Primary memory requirements
1. Access time: It should be as small as possible. This need influences both software and hardware design.
2. Size: Size must be as large as possible. It can accommodate many programs into memory.
3. Cost: Cost of the memory is less than the total cost of the computer.

2.4.1 Memory Management Function

1. Allocate primary memory space to processes.
2. Minimize access time.
3. Determining allocation policy for memory.
4. Deallocation technique and policy.

2.4.2 Basic Hardware of Memory

CPU can access content of main memory and register directly. If the data is not available in the memory, it is loaded into memory from disk.

Registers are built on the processor. Using one cycle of the CPU clock, processor accesses data from register.

Accessing memory may take many CPU clock cycles. Mismatch of speed between CPU and memory is overcome by using cache memory.

The use of base and bound (limit) registers restricts a process's memory references up to a certain limit. Hardware is used to protect user address space.

Each process requires its own address space; the operating system defines legal addresses for each process. Maximum and minimum limit is also decided so that process can access only these legal addresses.
Fig. 2.4.1 shows the protection of process by using registers.

An address space is the set of addresses that a process program can use to address main memory. Each process has its own address space.

User programs are loaded into consecutive memory locations by using base and limit register. When process is executing, the base register is loaded with the physical address where its program begins in memory and the limit register is loaded with the length of the program.

Fig. 2.4.1 Address space and memory (primary memory holding the operating system kernel, user processes 1, 4 and 6 and free space; base and limit mark the space allocated for a process)

Memory protection is used to avoid interference between programs existing in main memory. The memory protection hardware compares every memory address used by the program with the contents of two registers (base and limit) to ensure that it lies within the allocated memory area.

Multiple hardware memories are used to provide a larger address space.

The simplest method of memory protection is adding two registers to the CPU. This works well when all memory is allocated contiguously. Non-contiguous memory is harder to protect.

When a process reads from or writes to address, the memory decoder adds on the value of the base register. The actual operation of read or write is to address = base register + limit register.

If the input address is higher than limit or lower than zero, then the memory hardware generates error. This is informed to the operating system by using interrupt. Processes can only access memory within these limits.

Each process has its own pair of base register and limit register.

2.4.3 Address Space Mapping

Secondary storage device stores program in binary executable format. Before executing, the program is loaded into the main memory.

Most of the operating systems allow a user process to store in any section of the main memory. Source program uses symbolic addresses.

Binding of instruction and data to main memory address is done in the following ways:
1. Compile time
2. Load time
3. Execution time

Compile time: Source program is translated at compile time to produce a relocatable object module. At compile time, the translator generates code to allocate storage for the variable. This storage address is used for code reference. Target address is unknown at compile time, it cannot be bound at compile time. Example of compile time binding is MS DOS .com programs.

Load time: Compiler generates relocatable code if compile time binding is not performed. The loader modifies the addresses in the load module at load time to produce the executable image stored in main memory. Final binding is delayed until program load time.

Execution time: If the memory address of the program is changed at execution time then execution time binding is used. Binding is delayed until the run time of the program. Normally all operating system uses execution time binding. Special hardware is used for execution time binding.

Fig. 2.4.2 Processing of user program (source program, compiler at compile time, linkage editor, loader at load time, memory image of program at execution time)

Memory allocation and deallocation is done using run-time support of the programming language in which a program is coded. Allocation and deallocation requests are made by calling appropriate routines of the run time library. Kernel is not involved in this kind of memory management.

2.4.4 Concept of Memory Address

Logical address is generated by the CPU. This address is also called virtual address.

Main memory address uses physical address. This address is also called real address.

Logical address space: Set of all logical addresses generated by a program.

Logical address and physical address are identical when load time and compile time address binding is performed. The execution time address binding generates different physical and logical address.

Memory Management Unit (MMU) is responsible for run time address mapping from virtual to physical address.

Dynamic Relocation

Base register is sometimes called as a relocation register. The value of the relocation register is added to every address generated by a user process at the time it is sent to main memory.

User can load a process with only absolute addresses for instructions and data, only when those specific addresses are free in main memory. Program's instruction, data and any other data structure required by the process can be accessed easily if the addresses are relative.

Fig. 2.4.3 shows dynamic relocation. User programs never reads the main memory physical address.

Fig. 2.4.3 Dynamic relocation (processor, logical address, relocation register in the memory management unit, physical address, main memory holding kernel, free space and data)

Dynamic relocation requires extra hardware. It is mapping of the virtual address space to the physical address space at run time.

Dynamic relocation makes it possible to move a partially executed process from one area of main memory into another without affecting other process.

Problem with relocation is that, it is necessary to perform an addition and a comparison on every memory reference.

For good memory management, logical address space is bound with a separate physical address space.

University Question

1. Explain main memory with example. GTU: Winter-21, Marks 4

2.5 Cache Memory GTU: Winter-21

Cache is small, fast storage used to improve average access time to slow memory. It is applied whenever buffering is employed to reuse commonly occurring items, i.e. file caches, name caches, and so on.

Caches are introduced into a system to buffer the mismatch between main memory and processor speeds. A cache is a relatively small, fast memory placed between the processor and the main memory. The cache is designed so that its access time matches the processor cycle time.

Physical address cache: When the cache is accessed with a physical memory address, it is called physical address cache.

When the processor makes a memory request, the request first passes to the primary cache. If the data item is found in this cache, we have a cache hit.

If the data item is not found in the primary cache, we have a cache miss and the memory request is forwarded to the L2 cache. If the data item is found in this cache, we have an L2 cache hit and the data is passed back to the primary cache.

If the data is not found in the L2 cache, the request is finally forwarded to the main memory. When the main memory responds to the memory request, the data item is passed back to the L2 cache and then the primary cache.

Virtual address cache: When cache is indexed with virtual address then it is called virtual address cache.

2.5.1 Direct Mapping

In direct mapping, the cache consists of normal high speed random access memory and each location in the cache holds the data, at an address in the cache given by the lower significant bits of the main memory address. This enables the block to be selected directly from the lower significant bits of the memory address. The remaining higher significant bits of the address are stored in the cache with the data to complete the identification of the cached data.

Each block maps to one and only one line of cache always. The mapping is expressed as
i = j mod m
where, j is main memory block no., i is cache line no., m is number of lines in cache.

The address from the processor is divided into two fields, a tag and an index. The tag consists of the higher significant bits of the address, which are stored with the data. The index is the lower significant bits of the address used to address the cache.

Fig. 2.5.1 shows direct mapping.

Fig. 2.5.1 Direct mapping (memory address from processor split into tag and index; the index selects a cache location holding tag and data; the stored tag is read and compared; same: access location; different: main memory accessed if tags do not match)

When the memory is referenced, the index is first used to access a word in the cache. Then the tag stored in the accessed word is read and compared with the tag in the address. If the two tags are the same, then the required memory block is already in the cache and it is hit. The required word is selected from the cache using the word field of the address.

If the two tag bits do not match, the required memory block is not in the cache and it is a miss. Hence a main memory read has to be initiated.

For a memory read operation, the word is then transferred into the cache where it is accessed. It is possible to pass the information to the cache and the processor simultaneously, i.e., to read-through the cache, on a miss. The cache location is altered for a write operation. The main memory may be altered at the same time or later.

If the direct mapped cache has a line consisting of more than one word then main memory address is composed of a tag, an index, and a word within a line. All the words within a line in the cache have the same stored tag.

The index part of the address is used to access the cache and the stored tag is compared with required tag address. For a read operation, if the tags are the same the word within the block is selected for transfer to the processor. If the tags are not the same, the block containing the required word is first transferred to the cache.

Advantage: No need of expensive associative search.

Disadvantages:
1. Miss rate may increase.
2. Mapping conflicts.

2.5.2 Set Associative Mapping


A set-associative scheme is a hybrid between a fully associative cache, and direct
mapped cache. It's considered a reasonable compromise between the complex
hardware needed for fully associative caches and the simple direct-mapped
scheme, which may cause collisions of addresses to the same slot.
It allows a limited number of blocks, with the same index and different tags, in
the cache and can therefore be considered as a compromise between a fully
associative cache and a direct mapped cache. Fig. 2.5.2 shows set associative cache
memory organization.

TECHNICAL PUBLICATIONS an up-thrust for knowledge


Digital Forensics
2-27 Understanding of the Technical Concepts

.
Fig 2.5.2 shows
memory address filed.
+W
k

Memory address Cache


Tag Data Main memory
Tag Set Word
B
-
Set 0
r
i
Compare Set 1

-(hit in cache)

(Miss in cache)

Fig. 2.5.2 Set associative cache memory


organization

Block Address Block Offset (w bits)


Tag (s u bits) Index (u bits)
wwwwww.wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
**wwww wwwww

The cache is divided into "sets" of blocks. A


four-way set associative cache would
have four blocks in each set. The number of blocks in a set is known as the
associativity or set size. Each block in each set has a stored tag which, together
with the index, completes the identification of the block.

If set is represented by u bits in the address field, then the set no. can be found by the index of u bits. The tag field of each row is then s - u bits.
Algorithm to find cache hit is:
1. Pick up the u bits out of the total (s - u) + u bits of the block address, use the u bits as index to reach one of the 2^u sets in the cache.
2. Next, compare the s - u bits from the address field with the tag fields of all the 2^(s-u) lines in that set.

If any match occurs, it is a hit and the line whose tag is matched has the required block. And, the byte from that word is transferred to CPU, else it is a miss and the block is replaced from RAM.
First, the index of the address from the processor is used to access the set. Then, comparators are used to compare all of the tags of the selected set with the incoming tag. If a match is found, the corresponding location is accessed, otherwise, as before, an access to the main memory is made.
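The lookup described above, as an added example that is not from the book: the address is split into tag (s - u bits), index (u bits) and block offset (w bits), the index selects a set, and the tags in that set are compared. The least-recently-used replacement policy, the class and function names, and the sample memory contents are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SetAssociativeCache:
    s: int      # bits in the block address (tag + index)
    u: int      # index bits, giving 2**u sets
    w: int      # block-offset bits, giving 2**w bytes per block
    ways: int   # associativity: number of blocks held in each set
    sets: list = field(init=False)

    def __post_init__(self):
        # Each set is a list of (tag, block) pairs, oldest use first.
        self.sets = [[] for _ in range(2 ** self.u)]

    def split(self, addr):
        """Split an address into (tag, index, offset) as in the address field."""
        offset = addr & ((1 << self.w) - 1)
        block_addr = addr >> self.w
        index = block_addr & ((1 << self.u) - 1)
        tag = block_addr >> self.u          # the remaining s - u bits
        return tag, index, offset

    def read(self, addr, memory):
        """Return ("hit" | "miss", byte) for one read operation."""
        tag, index, offset = self.split(addr)
        lines = self.sets[index]            # step 1: index selects the set
        for pos, (stored_tag, block) in enumerate(lines):
            if stored_tag == tag:           # step 2: compare tags in the set
                lines.append(lines.pop(pos))    # mark as most recently used
                return "hit", block[offset]
        # Miss: bring the whole block in from main memory.
        base = addr - offset
        block = memory[base:base + (1 << self.w)]
        if len(lines) == self.ways:
            lines.pop(0)                    # assumed policy: evict the LRU block
        lines.append((tag, block))
        return "miss", block[offset]


def trace(addresses, cache, memory):
    """Run a sequence of reads; return (address, outcome, byte) per access."""
    return [(a,) + cache.read(a, memory) for a in addresses]


# Constructed sample main memory: 2**(s + w) = 1024 bytes.
MEMORY = bytes(i % 251 for i in range(1024))

if __name__ == "__main__":
    # Addresses 0, 16 and 32 all map to set 0 (same index, different tags).
    pattern = [0, 16, 0, 16, 32, 0, 1]
    two_way = SetAssociativeCache(s=8, u=2, w=2, ways=2)
    for row in trace(pattern, two_way, MEMORY):
        print("2-way", row)
    # With one block per set the cache behaves as direct mapped and the
    # same two addresses keep evicting each other (mapping conflicts).
    direct = SetAssociativeCache(s=8, u=2, w=2, ways=1)
    for row in trace([0, 16, 0, 16], direct, MEMORY):
        print("1-way", row)
```

With `ways=1` the alternating accesses never hit, which is the mapping-conflict disadvantage listed for direct mapping; with `ways=2` both blocks stay resident until a third tag arrives for the same set.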

2.5.3 Fully Associative Mapping


A fully associative cache requires the cache to be composed of associative memory holding both the memory address and the data for each cached line. The incoming memory address is simultaneously compared with all stored addresses using the internal logic of the associative memory.
It allows any address to be stored in any line in the cache. When a memory operation is sent to the cache, the address of the request must be compared to each entry in the tag array to determine whether the data referenced by the operation is contained in the cache.
If a match is found, the corresponding data is read out. Single words from anywhere within the main memory could be held in the cache, if the associative part of the cache is capable of holding a full address.
The fully associative mapping cache gives the greatest flexibility of holding combinations of blocks in the cache and minimum conflict for a given sized cache but is also the most expensive, due to the cost of the associative memory.

Disadvantages: All tags must be searched in order to determine a hit or miss. If the number of tags is large, then this search can be time consuming.

University Question

1. What is cache memory ? Explain direct mapping of cache memory with example.

GTU: Winter-21, Marks 7


2.6 Data Storage Concepts GTU: Winter-21
Data storage refers to magnetic, optical or mechanical media that records and preserves digital information for ongoing or future operations.
Data storage makes it easy to back up files for safekeeping and quick recovery in the event of an unexpected computing crash or cyberattack. Data storage can occur on physical hard drives, disk drives, USB drives.


Auxiliary memory, also referred to as secondary storage, is the non-volatile memory: the lowest-cost, highest-capacity and slowest-access storage in a computer system.

2.6.1 Types of Storage Devices

Physical components or materials on which data is stored are called storage media. Hardware components that read/write to storage media are called storage devices. A floppy disk drive is a storage device.
Two main categories of storage technology used today are magnetic storage and optical storage. Storage devices hold data, even when the computer is turned off.
The physical material that actually holds data is called storage medium. The surface of a floppy disk is storage medium.
The two primary storage technologies are magnetic and optical.
Primary magnetic storage are as follows:
1. Diskettes
2. Hard disks (both fixed and removable)
3. High capacity floppy disks
4. Disk cartridges
5. Magnetic tape
Primary optical storage are as follows:
1. Compact Disk Read Only Memory (CD ROM)
2. Digital Video Disk Read Only Memory (DVD ROM)
3. CD Recordable (CD R)
4. CD Rewritable (CD RW)
5. Photo CD

2.6.1.1 Magnetic Disk


Magnetic disks provide bulk of secondary storage of modern computers.
Bits of data (0's and 1's) are stored on circular magnetic platters called disks. A disk rotates rapidly.
A disk head reads and writes bits of data as they pass under the head. Often, several platters are organized into a disk pack or disk drive.
1. Disk contains concentric tracks.
2. Tracks are divided into sectors.
3. A sector is the smallest addressable unit in a disk.

Fig. 2.6.1 shows surface of disk showing tracks and sectors.

Fig. 2.6.1 Tracks and sectors

Drives rotate at 60 to 200 times per second.
Transfer rate is rate at which data flow between drive and computer.
Positioning time (random-access time) is time to move disk arm to desired cylinder (seek time) and time for desired sector to rotate under the disk head.
Head crash results from disk head making contact with the disk surface.
Each platter (disc-shaped) is coated with magnetic material on both surfaces. All platter surfaces have an arm extended from a fixed position. Tip of the arm contains read/write head for reading or writing data.
The arm moves the heads from the spindle edge to the edge of the disc.
When a program reads a byte from the disk, the operating system locates the surface, track and sector containing that byte, and reads the entire sector into a special area in main memory called buffer.

Fig. 2.6.2 Moving-head disk mechanism (figure labels: track t, sector s, cylinder c, spindle, arm assembly, arm, read-write head, platter, rotation)

The bottleneck of a disk access is moving the read/write arm.
A cylinder is the set of tracks at a given radius of a disk pack. A cylinder is the set of tracks that can be accessed without moving the disk arm. All the information on a cylinder can be accessed without moving the read/write arm.
Fig. 2.6.2 shows moving-head disk mechanism.
The arm assembly is moved in or out to position a head on a desired track. Tracks under heads make a cylinder. Only one head reads/writes at any one time. Block size is a multiple of sector size.
Disks can be removable. Drive attached to computer via I/O bus. Busses vary, including EIDE, ATA, SATA, USB, Fibre Channel, SCSI etc.
Host controller in computer uses bus to talk to disk controller built into drive or storage array.
Disk controllers are typically embedded in the disk drive, which acts as an interface between the CPU and the disk hardware. The controller has an internal cache that it uses to buffer data for read/write requests.
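The disk addressing described in this section, as an added example that is not from the book: a byte offset is mapped to its cylinder, surface and sector, the whole sector is read into a buffer, and arm movements are counted for a run of accesses. The geometry values, the layout that fills every track of a cylinder before moving the arm, and all names are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    surfaces: int             # recording surfaces, one read/write head each
    sectors_per_track: int
    sector_size: int          # bytes; the smallest addressable unit
    rotations_per_sec: float  # the text gives 60 to 200 for drives

    def locate(self, byte_offset):
        """Map a byte offset to (cylinder, surface, sector, offset in sector).

        Assumed layout: consecutive tracks belong to the same cylinder
        until every surface has been used, then the arm moves on.
        """
        sector_no, within = divmod(byte_offset, self.sector_size)
        track_no, sector = divmod(sector_no, self.sectors_per_track)
        cylinder, surface = divmod(track_no, self.surfaces)
        return cylinder, surface, sector, within

    def avg_rotational_latency_ms(self):
        """On average the desired sector is half a rotation away."""
        return 0.5 / self.rotations_per_sec * 1000.0

    def positioning_time_ms(self, seek_ms):
        """Positioning time = seek time + time for the sector to rotate in."""
        return seek_ms + self.avg_rotational_latency_ms()


def read_byte(image, geom, byte_offset):
    """Read the entire containing sector into a buffer, then pick the byte."""
    within = geom.locate(byte_offset)[3]
    start = byte_offset - within
    buffer = image[start:start + geom.sector_size]
    return buffer, buffer[within]


def arm_moves(geom, byte_offsets):
    """Count cylinder changes, i.e. how often the arm has to move."""
    cylinders = [geom.locate(o)[0] for o in byte_offsets]
    return sum(1 for prev, cur in zip(cylinders, cylinders[1:]) if prev != cur)


# Constructed sample: 4 surfaces, 8 sectors per track, 512-byte sectors,
# 120 rotations per second, and a 32 KiB image covering two cylinders.
GEOM = Geometry(surfaces=4, sectors_per_track=8, sector_size=512,
                rotations_per_sec=120.0)
IMAGE = bytes((i * 7) % 256 for i in range(32768))

if __name__ == "__main__":
    print("offset 20000 ->", GEOM.locate(20000))
    buf, value = read_byte(IMAGE, GEOM, 20000)
    print("sector buffer:", len(buf), "bytes, requested byte =", value)
    print("positioning time with 8 ms seek:",
          round(GEOM.positioning_time_ms(8.0), 2), "ms")
    print("arm moves:", arm_moves(GEOM, [0, 5000, 16000, 20000, 100]))
```

The first three offsets in the last call sit on different surfaces of cylinder 0, so they cost no arm movement; only the jump to cylinder 1 and back does.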

2.6.1.2 Magnetic Tape

Magnetic tape is a medium for magnetic recording generally consisting of a thin magnetic coating on a long and narrow strip of plastic. Nearly all recording tape is of this type, whether used for recording audio or video or for computer data storage.
Devices that record and playback audio and video using magnetic tape are generally called tape recorders and video tape recorders respectively. A device that stores computer data on magnetic tape can be called a tape drive, a tape unit, or a streamer.
The purpose of any magnetic tape unit is to write data on and read data from the tape used by the device. Tape is moved from a supply reel or hub to a take-up reel or hub on the magnetic tape transport section of the unit. The magnetic oxide coated side of the tape passes in close proximity of a read/write head.

Relatively permanent and holds large quantities of data. Magnetic tape access time is slow.
Mainly used for backup, storage of infrequently-used data, transfer medium between systems.
It is kept in spool and wound or rewound past read-write head. Once data under head, transfer rates comparable to disk.
Typical storage is 20 GB to 200 GB. Common technologies are 4 mm, 8 mm, 19 mm, LTO-2 and SDLT.

2.6.1.3 Optical Devices

An optical disk is high-capacity storage medium. An optical drive uses reflected light to read data. To store data, the disk's metal surface is covered with tiny dents (pits) and flat spots (lands), which cause light to be reflected differently.
When an optical drive shines light into a pit, the light cannot be reflected back. This represents a bit value of 0 (off). A land reflects light back to its source, representing a bit value of 1 (on).

CD-ROM
In PCs, the most commonly used optical storage technology is called Compact Disk Read-Only Memory (CD-ROM). A standard CD-ROM disk can store up to 650 MB of data, or about 70 minutes of audio. Once data is written to a standard CD-ROM disk, the data cannot be altered or overwritten.
Early CD-ROM drives were called single speed, and read data at a rate of 150 kbps. CD-ROM drives now can transfer data at speeds of up to 7800 kbps.
Data transfer speeds are getting faster. It is typically used to store software programs. CDs can store audio and video data, as well as text and program instructions.
Data is laid out on a CD-ROM disk in a long, continuous spiral that starts at the outer edge and winds inwards towards the centre. Data is stored in the form of lands, which are flat areas on the metal surface, and pits, which are depressions or hollows. A land reflects the laser light into the sensor (a data bit of 1) and a pit scatters the light (a data bit of 0).
On a full CD-ROM the spiral of data stretches almost 3 miles long. A standard CD can store 650 MB of data or about 70 mins of audio.

DVD-ROM
Digital video disk read only memory is a high-density medium capable of storing a full-length movie on a single disk the size of a CD. It achieves such high storage capacities by using both sides of the disk and special data compression technologies.
The latest generation of DVD-ROM use layers of data tracks; the laser beam reads data from the first layer and then looks through it to read data from the second layer. Each side of a standard DVD-ROM can hold up to 4.7 GB. Dual layer DVD-ROM can hold 17 GB of data.

University Question

1. Explain auxiliary memory with example. GTU: Winter-21, Marks 3

3 Digital Forensics Process Model

Syllabus
Introduction to cybercrime scene, documenting the scene and evidence, maintaining the chain of custody, forensic cloning of evidence, live and dead system forensic, hashing concepts to maintain the integrity of evidence, report drafting.

Contents
3.1 Introduction to Cybercrime Scene Winter-21, Marks 3
3.2 Documenting the Scene and Evidence Winter-21, Marks 3
3.3 Maintaining the Chain of Custody
3.4 Forensic Cloning of Evidence Winter-21, Marks 7
3.5 Live and Dead System Forensic Winter-21, Marks 4
3.6 Hashing Concepts to Maintain the Integrity of Evidence Winter-21, Marks 7
3.7 Report Drafting

3.1 Introduction to Cybercrime Scene GTU: Winter-21

Cyber crime is any criminal activity involving computers and networks. The cyber space includes computer systems, computer networks and Internet. LAN and WAN is also part of cyber space.
Cyber crime incorporate anything from downloading illegal music files to stealing millions of rupees from online bank accounts.
Cyber crime is defined as a crime in which a computer is the object of the crime (hacking, phishing, spamming) or is used as a tool to commit an offense (child pornography, hate crimes). Internet connected activities are as vulnerable to crime.
Computer crime is any illegal activity that is perpetrated through the use of a computer.
A person without the permission of owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system or computer network, the said acts are torts and crimes under the Indian cyber law.
There is no standard definition for "CYBER". This word is used to describe the virtual world of computers e.g. an object in cyberspace refers to a block of data floating around a computer system or network.
The word "cyberspace" is credited to William Gibson, who used it in his book, Neuromancer, written in 1984.
Cyberspace: The impression of space and community formed by computers, computer networks and their users; the virtual "world" that Internet users inhabit when they are online.
The term 'cyber' is derived from the word 'cybernetics' which means science of communication and control over machine and man. Cyberspace is the new horizon which is controlled by machine for information and communication between human beings across the world.
Therefore, crimes committed in cyberspace are to be treated as cyber crimes. In wide sense, cyber crime is a crime on the Internet which includes hacking, terrorism, fraud, gambling, cyber stalking, cyber theft, cyber pornography, flowing of viruses etc.
Over the past few years, the global cyber crime landscape has changed dramatically, with criminals employing more sophisticated technology and greater knowledge of cyber security.

Until recently, malware, spam emails, hacking into corporate sites and other attacks of this nature were mostly the work of computer 'geniuses' showcasing their talent.

3.1.1 Elements of Cyber Crime

1. Location / Place: Where offender is in relation to crime.
2. Victim: Target of offense - Government, corporation, organization, individual.
3. Offender: Who the offender is in terms of demographics, motivation, level of sophistication.
4. Action: What is necessary to eliminate threat.

3.1.2 Types of Cyber Crime

There are many types of cyber crimes and the most common ones are explained below:
1. Hacking: This is a type of crime wherein a person's computer is broken into so that his personal or sensitive information can be accessed.
2. Theft: This crime occurs when a person violates copyrights and downloads music, movies, games and software.
3. Cyber stalking: This is a kind of online harassment wherein the victim is subjected to a barrage of online messages and emails.
4. Identity theft: This has become a major problem with people using the Internet for cash transactions and banking services. In this cyber crime, a criminal accesses data about a person's bank account, credit cards, debit card and other sensitive information to siphon money or to buy things online in the victim's name.
5. Malicious software: These are Internet-based software or programs that are used to disrupt a network. The software is used to gain access to a system to steal sensitive information or data or causing damage to software present in the system.
6. Child soliciting and abuse: This is also a type of cyber crime wherein criminals solicit minors via chat rooms for the purpose of child pornography.

3.1.3 Examples of Cyber Crime

Cyber crime example: Child pornography, which includes the creation, distribution or accessing of materials that sexually exploit underage children. Contraband include transferring illegal items via the Internet.

Online fraud and hacking attacks are just some examples of computer-related crimes that are committed on a large scale every day.
a. Online banking fraud
b. Fake antivirus
c. Stranded traveler scams
d. Fake escrow scams
e. Advanced fraud
f. Infringing pharmaceuticals
g. Copyright-infringing software
h. Copyright-infringing music and video
i. Online payment card fraud
j. In-person payment card fraud
k. Industrial cyber-espionage and extortion
l. Welfare fraud.
The trafficking, distribution, posting and dissemination of obscene material including pornography, indecent exposure and child pornography, constitutes one of the most important cybercrimes known today. Stealing the significant information, data, account number, credit card number transmit the data from one place to another. Hacking and cracking are amongst the gravest cybercrimes known till date.

3.1.4 Three Categories of Cyber Crime


a. Cyberpiracy: Using cyber-technology in unauthorized ways to reproduce copies
of proprietary software and proprietary information or distribute proprietary
information (in digital form) across a computer network.
Example: Distributing proprietary MP3 files on the Internet via peer-to-peer
(P2P) technology.
b. Cybertrespass: Using cyber-technology to gain or to exceed unauthorized access to an individual's or an organization's computer system or a password-protected website.
Example: Unleashing the ILOVEYOU computer virus.
c. Cybervandalism: Using cyber-technology to unleash one or more programs that
disrupt the transmission of electronic information across one or more computer
networks, including the Internet or destroy data resident in a computer or damage
a computer system's resources or both.


Example: Launching the denial-of-service attacks on commercial web sites.

3.1.5 Traditional Problems Associated with Cyber Crime

Individuals seeking a crime have always displayed a remarkable ability to adapt to changing technologies, environments and lifestyles. Computer crime poses a daunting task for law enforcement agencies because they are highly technical crimes.
Law enforcement agencies must have individuals trained in computer forensics in order to properly investigate computer crimes. Additionally, countries must update and create legislation, which prohibits computer crimes and outlines appropriate punishments for those crimes.
Computer crimes will likely become more frequent with the advent of further technologies. It is important that civilians, law enforcement officials and other members of the criminal justice system are knowledgeable about computer crimes in order to reduce the threat they pose.
The earliest computer crimes were characterized as non-technological specific. Theft of computer components and software piracy were particular favorites. Hacking and technologically complicated computer crime came later.

3.1.6 Issues and Challenges in Cyber Crime
Investigation is a process that develops and tests hypotheses to answer questions
about events that occurred. In general, computer forensics investigates data that
can be retrieved from a computer's hard disk or other storage media.

Computer forensics is the task of recovering data that users have hidden or
deleted, with the goal of ensuring that the recovered data is valid so that it can be
used as evidence.
The computer investigations group manages investigations and conducts forensic
analysis of systems suspected of containing evidence related to an incident or a
crime.

Challenges of cyber-crime are as follows:


1. Lack of awareness and the culture of cyber security, at individual as well as
organizational level.

2. Lack of trained and qualified manpower to implement the counter measures


3. No email account policy especially for the defense forces, police and the
security agency personnel.
4. Cyber-attacks have come not only from terrorists but also from neighboring countries contrary to our National interests.

5. The minimum necessary eligibility to join the police doesn't include any knowledge of the computers sector so that they are almost illiterate to cyber-crime.
6. The speed of cyber technology changes always beats the progress of the government sector so that they are not able to identify the origin of these cyber-crimes.
7. Security forces and law enforcement personnel are not equipped to address high-tech crimes.
8. Present protocols are not self-sufficient, which identifies the investigative responsibility for crimes that stretch internationally.
9. Budgets for security purpose by the government, especially for the training of law enforcement, security personnel and investigators, are less as compared to other crimes.

University Question

1. What are the main challenges of investigating computer-related crime ? GTU: Winter-21, Marks 3

3.2 Documenting the Scene and Evidence GTU: Winter-21


Digital evidence is useful in a wide range of criminal investigations such as homicides, sex offenses, missing persons, child abuse, fraud and theft.
Digital evidence helps in tracking how a crime was committed, provide investigative leads, support or disprove witness statements and identify likely suspects.
Digital evidence is defined as information stored or transmitted in binary form that may be relied upon in court.
For considering multiple sources of digital evidence, computer systems can be categorised into three groups:
1. Open computer systems
2. Communication systems
3. Embedded computer systems
A digital crime scene in its original state can never exist as some evidence dynamics is expected.
Evidence dynamics is any influence that changes, relocates, obscures or obliterates evidence, regardless of intent, between the time evidence is transferred and the time the case is resolved. Offenders, victims, first responders, digital evidence examiners and anyone else who had access to digital evidence prior to its preservation can cause evidence dynamics.


Storing media or digital evidence can deteriorate over time or when exposed to fire, water, jet fuel and toxic chemicals.
Evidence dynamics create investigative and legal challenges and are more difficult to prove that the evidence is authentic and reliable.
Criminals use mobile phones, laptop computers and network servers in the course of committing their crimes.
Two terms cybercrime and digital forensics are defined to address developments in criminal activities involving computers and in legislation and investigative technologies to address them.
Digital evidence as a form of physical evidence creates several challenges for digital forensic analysis:
1. Messy or slippery form of evidence that is very difficult to handle.
2. Digital evidence is generally an abstraction of some digital object or event.
3. Digital evidence is usually circumstantial, making it difficult to attribute computer activity to an individual.
4. Digital evidence can be manipulated or destroyed so easily that new challenges arise for digital investigators.

3.2.1 Order of Volatility


The order of volatility is the sequence or order in which the digital evidence is collected. The order is maintained from highly volatile to less volatile data.
Highly volatile data resides in the memory, cache, or CPU registers and it will be lost as soon as the power to the computer is turned off. Less volatile data cannot be lost easily and is relatively permanent because it may be stored on disk drives or other permanent storage media, such as floppy disks and CD-ROM discs.
The crime scene technicians should collect evidence beginning with the most volatile and then moving towards the least volatile. The order of volatility for data from most volatile to least volatile is:
a) Cache memory
b) Regular RAM
c) Swap or paging file
d) Hard drive data
e) Logs stored on remote systems
f) Archived media
University Question

1. Explain order of volatility in brief. GTU: Winter-21, Marks 3
