What is the Master Boot Record?
The MBR is the first sector of a data storage device such as a hard drive (HD). It stores information about logical partitions like C:, D: (max 4):
- File type
- Start/end (CHS format)
- Offset
- Partition size
- Whether the partition is bootable or not
- Works with max 2 TB drives
Boot Loader - Small bit of code which is used to store boot information.

When an OS marks a cluster as used but does not allocate any files to it, such clusters are lost clusters. In Windows, the ScanDisk utility or CheckDisk (Windows 10) can identify such lost clusters. Another way to check the status of your HD is through command prompt in Windows:
A cluster is the smallest allocation unit on a hard drive. A cluster is a set of sectors and tracks. The file system divides the storage on a disk volume into discrete chunks of data for efficient disk usage and performance. These chunks are called clusters.
To put it in simple terms, you get a sector when you take a bunch of things and divide them. You get a cluster when you take a bunch of things and put them together. A sector is the smallest physical storage unit on a disk platter. It normally holds 512 bytes, plus a few additional bytes for drive control and error correction.
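The MBR described at the top of this page occupies one such 512-byte sector. As an added example (not from the original page), this parser reads the four partition entries and the fields listed there; the sample sector and all function names are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # boot loader code occupies bytes 0..445
ENTRY_FORMAT = "<B3sB3sII"    # flag, CHS start, type, CHS end, LBA offset, sector count
MAX_ADDRESSABLE = 2**32 * SECTOR_SIZE   # 32-bit sector fields -> the 2 TB limit
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0xEE: "GPT protective"}

def decode_chs(raw):
    """Unpack the 3-byte CHS field into (cylinder, head, sector)."""
    head, sec_cyl, cyl_low = raw
    return ((sec_cyl & 0xC0) << 2 | cyl_low, head, sec_cyl & 0x3F)

def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 55 AA missing")
    partitions = []
    for index in range(4):                      # the table holds at most 4 entries
        start = TABLE_OFFSET + index * 16
        flag, chs_s, ptype, chs_e, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[start:start + 16])
        if ptype == 0x00:                       # type 0 marks an unused slot
            continue
        if flag not in (0x00, 0x80):
            raise ValueError(f"entry {index}: invalid boot flag {flag:#04x}")
        partitions.append({
            "index": index, "bootable": flag == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "chs_start": decode_chs(chs_s), "chs_end": decode_chs(chs_e),
            "start_lba": lba, "size_bytes": count * SECTOR_SIZE,
        })
    return partitions

def build_sample_mbr():
    """Constructed sample: one bootable NTFS partition, 100 MiB, at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[446:462] = struct.pack(ENTRY_FORMAT, 0x80, bytes([32, 33, 0]), 0x07,
                                  bytes([254, 255, 255]), 2048, 204800)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr()):
        print(part)
```

On a real investigation the 512 bytes would come from a read-only forensic image rather than the live disk.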
Data is stored on a disk in a contiguous series (sharing a common border). For example: if the file size is 700 bytes, two 512-byte sectors are allocated to the file.

2015 is already a year of healthcare data breaches, and it's getting worse every day. Earlier this year, hackers broke into the Anthem database containing around 78 million records. This month, Excellus Blue Cross Blue Shield is the latest health care company to discover a data breach. Now the big question is: why are hackers targeting health care data? Health care data brings significant value, much more than financial data. Financial data has a limited lifespan. Prescription and medical records are permanent. Health care data is also a great resource for identity theft. Health care data has a significant resale value in markets too.

- Core aggregate functions like SUM, COUNT, MAX, MIN
- Ranking functions like ROWNUM, RANK, NTILE
- String functions like SUBSTR, REPLACE, INSTR
- Data conversion functions like CAST, CONVERT

Slack space is unused space in a cluster.
If a file requires less space than a cluster, the entire cluster will be reserved for it, but only part of it will hold the file's data. Any extra space (sector) not used to write data is slack space, and it might contain data of the previously stored file.

A block or cluster will be either used or unused in a file system. When I say it's unused, it doesn't mean that the block or cluster is 'blank'. It is possible that it still has some deleted data.
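Slack space as defined above, in an added example that is not from the original page: a constructed three-cluster volume where a deleted file's first cluster is reused by the 700-byte file mentioned earlier. The 4 KiB cluster size and the zero-padding of the last written sector are assumptions of this model.

```python
SECTOR = 512
CLUSTER = 8 * SECTOR          # assumed cluster size: 8 sectors (4 KiB)

def write_file(volume, first_cluster, data):
    """Write data starting at a cluster. Writes happen in whole sectors, so the
    tail of the last sector is zero-padded (an assumption of this model)."""
    sectors = -(-len(data) // SECTOR)                 # ceiling division
    padded = data.ljust(sectors * SECTOR, b"\x00")
    start = first_cluster * CLUSTER
    volume[start:start + len(padded)] = padded
    return -(-len(data) // CLUSTER)                   # clusters allocated

def slack_of(volume, first_cluster, file_size):
    """Return (sector padding, cluster slack) for a file of file_size bytes."""
    start = first_cluster * CLUSTER
    end_data = start + file_size
    end_sector = start + -(-file_size // SECTOR) * SECTOR
    end_cluster = start + -(-file_size // CLUSTER) * CLUSTER
    return bytes(volume[end_data:end_sector]), bytes(volume[end_sector:end_cluster])

def simulate():
    volume = bytearray(3 * CLUSTER)                   # constructed 3-cluster volume
    old = b"".join(b"page-%04d;" % n for n in range(1300))[:3 * CLUSTER]
    write_file(volume, 0, old)                        # old file fills all 3 clusters
    # "Delete": the file system only marks clusters 0-2 as unused; the bytes stay.
    new = b"N" * 700                                  # the 700-byte file from the text
    used = write_file(volume, 0, new)                 # reuses cluster 0 only
    padding, slack = slack_of(volume, 0, len(new))
    unallocated = bytes(volume[used * CLUSTER:])      # clusters 1-2, never overwritten
    return old, padding, slack, unallocated

if __name__ == "__main__":
    old, padding, slack, unallocated = simulate()
    print(len(padding), "padding bytes,", len(slack), "slack bytes,",
          len(unallocated), "unallocated bytes still holding old data")
```

The old file cannot be rebuilt in full because its first two sectors were overwritten, but the cluster slack and the two untouched clusters still hold fragments of it.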
For example: if a Word file was stored in multiple blocks and you deleted it, some of its blocks may then be used by the file system to store another file.
Question: Is it possible to recover the whole Word file?
No, but you can recover some fragments (unused blocks) of the file (might be half of the file or one page).

General
Control + A: Select All Text or Items
Control + C: Copy
Control + V: Paste
Control + Z: Undo
Control + Shift + F: Advanced Find
Tab: Move Cursor to Next Field
Shift + Tab: Move Cursor to Previous Field
Alt + Tab: Switch between Open Windows

Outlook Navigation
Control + 1: Go to Email
Control + 2: Go to Calendar
Control + 3: Go to Contacts
Control + 4: Go to Tasks
Control + 5: Go to Notes

Inbox Organization
Delete: Delete Selected Item
Control + Shift + V: Move Selected Item to a Folder
Control + Y: View a Folder
Insert: Flag for Follow-Up
Control + E: Quick Search

Contacts
Control + Shift + C: Create a New Contact
F11: Contact Quick Search
Control + Shift + B: Display the Address Book
Alt + S: Save and Close

Email Writing
Control + Shift + M: Create a New Email Message
Control + R: Reply
Control + Shift + R: Reply to All
Control + F: Forward
Control + K: Insert Hyperlink
Control + S: Save as Draft
Alt + S: Send

Calendar
Control + G: Jump to a Date
Alt + Up/Down Arrows: Jump up and Down a week
Alt + Minus: Week View
Alt + Equals: Month View
Alt + Number (1-9, 0): View # of Days
Control + E: Quick Search Appointments
Control + Shift + A: Create a New Appointment
Alt + S: Save and Close

Tasks
Control + Shift + K: Create a New Task
Alt + S: Save and Close

Command Line Basics:
Standard format: Command Options Arguments
1) Know the current user:
   whoami
2) List files:
   Command: ls
   Options:
3) Create a directory:
   Command: mkdir [Filename]
   Creating files:
   vim Filename.txt
   vi Filename.txt
   Press i to insert text
   Press Esc, then type :wq! to save the file
4) wc - word count
   Command: wc [FILENAME]
5) mv - move
   Syntax: mv [FILENAME] [Destination]
   Rename: mv [FirstFilename] [SecondFilename]
Remove files/directories
   Syntax: rm -r [Filename]
   -r: Recursive
Info about interfaces
   Syntax: ifconfig
Present working directory
   Syntax: pwd
Change to home directory
   cd ~
Everything is inside /, just like everything in Windows is in C: or some other drive.
Tab key to complete the command
How to check command history
   Syntax: history
Create a text file of the history:
   history > XYZ.txt
Clear screen
   Syntax: Ctrl+L

Ways to check current logged on user of Windows Machines:
I am sure a lot of people are not aware of the Windows "God Mode" feature. It's a simple way to access all control settings on your Windows PC. How to access it?
Step 1: Create a new folder with the name "Godmode.{ED7BA470-8E54-465E-825C-99712043E01C}".
Step 2: Hit Enter.

Acquire the evidence without altering or damaging the original. Usually, professionals recommend creating two copies of the original evidence.
Authenticate the image; it's always a good idea to check the "MD5 Hash - Match" of the image.
Analyze the data without modifying it.

EC Council Certified Hacking Forensic Investigator (CHFI)
SANS Certification
EnCase Certification
AccessData Certified Examiner

Find Current database location
SELECT name, physical_name AS current_file_location
FROM sys.master_files;
Mac Forensics