Computer Forensics

1. Network Data Collection

Network forensics is considered a very hard problem for a number of reasons:

First, the general anonymity of users on the Internet makes it extremely difficult to determine who a suspect is. (Do we ever really know who is sitting at a keyboard or behind a public-facing IP address? What about VPNs, TOR exit nodes, etc.?)

Second, because international borders make it difficult to determine jurisdiction on the Internet, it is sometimes impossible to trace all the way back from a victim to a perpetrator.

Third, logs are not kept forever, so if collection efforts are not made relatively quickly, the evidence may be erased.

What can we do in forensics to speed up the process of collecting data? Hypothesize a solution knowing what you know about network data collection. (Try to keep the focus on forensics rather than general network security.)


2. NTFS vs. FAT in forensics

In NTFS, file metadata is stored in the Master File Table ($MFT), as opposed to the File Allocation Table and directory entries in FAT file systems. (Here we are talking about FAT32, which is still used on USB flash drives and in digital cameras. We’re not talking about FAT12 and FAT16, which were used on floppy disks.)

There is much richer data available in the $MFT, but what is the one thing provided by the $MFT and not by the FAT that makes it difficult to find small files?

Are there other noteworthy challenges?
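As an added illustration for the NTFS/FAT comparison above (example code written for this page, not part of the assignment or any course material), the following Python builds a constructed 1024-byte $MFT record and a constructed 32-byte FAT32 directory entry, then parses both to show where each file system keeps a file's metadata and how an $MFT attribute is flagged as resident (value stored inside the record) or non-resident (value stored in clusters described by data runs). The byte layouts follow the documented on-disk formats; the record contents, names and sizes are constructed sample values, and the parser deliberately skips the update-sequence fixups that must be applied to a record read from a real volume.

```python
import struct

# NTFS attribute type codes (on-disk format).
ATTR_STANDARD_INFORMATION = 0x10
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
MFT_RECORD_SIZE = 1024


def build_resident_attr(attr_type, value):
    """Constructed resident attribute: 24-byte header, then the value inline."""
    value_off = 24
    length = (value_off + len(value) + 7) & ~7          # attribute lengths are 8-byte aligned
    hdr = struct.pack("<IIBBHHH", attr_type, length, 0, 0, value_off, 0, 0)
    hdr += struct.pack("<IHBB", len(value), value_off, 0, 0)
    body = hdr + value
    return body + b"\x00" * (length - len(body))


def build_nonresident_attr(attr_type, real_size, clusters, cluster_size, data_runs):
    """Constructed non-resident attribute: 64-byte header, then the data run list."""
    run_off = 64
    length = (run_off + len(data_runs) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", attr_type, length, 1, 0, run_off, 0, 0)
    hdr += struct.pack("<QQHHIQQQ", 0, clusters - 1, run_off, 0, 0,
                       clusters * cluster_size, real_size, real_size)
    body = hdr + data_runs
    return body + b"\x00" * (length - len(body))


def build_mft_record(attrs, in_use=True):
    """Constructed FILE record: 42-byte header (no fixups), attributes at offset 56, end marker."""
    attrs_off = 56
    body = b"".join(attrs) + struct.pack("<I", ATTR_END)
    hdr = struct.pack("<4sHHQHHHHIIQH", b"FILE", 48, 0, 0, 1, 1, attrs_off,
                      1 if in_use else 0, attrs_off + len(body), MFT_RECORD_SIZE, 0, len(attrs) + 1)
    rec = hdr + b"\x00" * (attrs_off - len(hdr)) + body
    return rec + b"\x00" * (MFT_RECORD_SIZE - len(rec))


def decode_data_runs(buf):
    """Decode NTFS data runs into [(starting LCN, cluster count), ...]; offsets are relative."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        count = int.from_bytes(buf[pos:pos + len_sz], "little")
        pos += len_sz
        lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        runs.append((lcn, count))
    return runs


def parse_mft_record(rec):
    """Walk the attribute list of a FILE record (fixups assumed already applied)."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    attrs_off, flags = struct.unpack_from("<HH", rec, 20)
    out = {"in_use": bool(flags & 1), "attributes": []}
    pos = attrs_off
    while True:
        atype = struct.unpack_from("<I", rec, pos)[0]
        if atype == ATTR_END:
            return out
        length, nonres = struct.unpack_from("<IB", rec, pos + 4)
        if nonres == 0:                                   # value lives inside the MFT record
            vlen, voff = struct.unpack_from("<IH", rec, pos + 16)
            out["attributes"].append({"type": atype, "resident": True, "size": vlen,
                                      "value": rec[pos + voff:pos + voff + vlen]})
        else:                                             # value lives in clusters on disk
            run_off = struct.unpack_from("<H", rec, pos + 32)[0]
            real_size = struct.unpack_from("<Q", rec, pos + 48)[0]
            out["attributes"].append({"type": atype, "resident": False, "size": real_size,
                                      "runs": decode_data_runs(rec[pos + run_off:pos + length])})
        pos += length


def build_fat32_dirent(name83, first_cluster, size):
    """Constructed FAT32 short directory entry; times and dates left zero."""
    return struct.pack("<11sBBBHHHHHHHI", name83, 0x20, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_fat32_dirent(ent):
    """FAT32 keeps only a starting cluster and a size here; content is always in clusters."""
    base, ext = ent[:8].decode("ascii").strip(), ent[8:11].decode("ascii").strip()
    hi = struct.unpack_from("<H", ent, 20)[0]
    lo, size = struct.unpack_from("<HI", ent, 26)
    return {"name": f"{base}.{ext}" if ext else base, "first_cluster": (hi << 16) | lo,
            "size": size, "is_dir": bool(ent[11] & 0x10)}


def small_file_record():
    """Constructed record for a 16-byte file: $DATA fits inside the record itself."""
    return build_mft_record([build_resident_attr(ATTR_STANDARD_INFORMATION, b"\x00" * 48),
                             build_resident_attr(ATTR_DATA, b"hello, forensics")])


def large_file_record():
    """Constructed record for a 30000-byte file: $DATA points at 8 clusters starting at LCN 0x20."""
    runs = b"\x11\x08\x20\x00"                            # one run: length 8, LCN offset +0x20
    return build_mft_record([build_resident_attr(ATTR_STANDARD_INFORMATION, b"\x00" * 48),
                             build_nonresident_attr(ATTR_DATA, 30000, 8, 4096, runs)])


if __name__ == "__main__":
    for label, rec in (("small", small_file_record()), ("large", large_file_record())):
        for a in parse_mft_record(rec)["attributes"]:
            print(label, hex(a["type"]), "resident" if a["resident"] else "non-resident", a["size"])
    print(parse_fat32_dirent(build_fat32_dirent(b"NOTES   TXT", 0x12345, 16)))
```

Running it prints one line per attribute for each constructed record and the decoded FAT32 entry. The contrast to notice for the question above is where the parser finds the 16-byte file's content in each case: the FAT32 entry can only point at a cluster, whereas the $MFT record may carry the bytes itself.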