
1 Introduction

Syllabus
Understanding of forensic science, digital forensic, The digital forensic process, Locard's exchange principle, Scientific models.

Contents
1.1 Understanding of Forensic Science
1.2 Digital Forensic ... Winter-21, Marks 3
1.3 Locard's Exchange Principle ... Winter-21, Marks 7
1.4 Scientific Models
Digital Forensics 1-2 Introduction

1.1 Understanding of Forensic Science
• Forensic science is the use of scientific methods or expertise to investigate crimes or examine evidence that might be presented in a court of law. Forensic science comprises a diverse array of disciplines, from fingerprint and DNA analysis to anthropology and wildlife forensics.
• Forensics is the application of science to solve a legal problem. In forensics, the law and science are forever integrated.
• Forensic scientists and law enforcement officials use cutting-edge scientific techniques to preserve and examine evidence in a process known as "chain of evidence." This process ensures that evidence is pure and has not had an opportunity to become tainted through mishandling.
• The field of forensic science draws from a number of scientific branches, including physics, chemistry and biology, with its focus being on the recognition, identification, and evaluation of physical evidence. It has become an essential part of the judicial system.
• Forensic scientists perform both physical and chemical analyses on physical evidence obtained by investigators and law enforcement officials at the crime scene. These scientific experts use microscopic examining techniques, complex instruments, mathematical principles, scientific principles, and reference literature to analyze evidence so as to identify both class and individual characteristics.

1.2 Digital Forensic GTU: Winter-21
• Digital forensics is the process of analyzing and evaluating digital data as evidence.
• Any information stored on a digital medium can be a piece of digital evidence to be analyzed during the digital forensic process.
• Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
• The investigative process of digital forensics can be divided into several stages. Four major stages are: Preservation, collection, examination and analysis.
• Computer forensics activities commonly include:
a. The secure collection of computer data.
b. The identification of suspect data.
c. The examination of suspect data to determine details such as origin and content.
d. The presentation of computer-based information to courts of law.
e. The application of a country's laws to computer practice.
• Digital evidence can be useful in a wide range of criminal investigations including homicides, sex offenses, missing persons, child abuse, drug dealing, fraud and theft of personal information. Digital information is all information in digital form and can be divided into the content itself.
• Hard copy print outs of digital information are not digital evidence in the strict sense of this definition; they are considered a starting point for applying digital evidence gathering in the future.
• Forensics is the application of investigative and analytical techniques that conform to evidentiary standards used in, or appropriate for, a court of law or other legal context.
• There are three basic and essential principles in digital forensics:
1. The evidence is acquired without altering it;
2. Demonstrably so;
3. Analysis is conducted in an accountable and repeatable way.
• Digital forensic processes, hardware and software have been designed to ensure compliance with these requirements. The process of digital forensics is typically as follows:
1. Preservation of the state of the device.
2. Survey and analysis of the data for evidence.
3. Event reconstruction.

1.2.1 Digital Forensics Principle
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

TECHNICAL PUBLICATIONS - an up-thrust for knowledge
1.2.2 Scope and Stages of Investigative Process of Digital Forensics
• The scopes of the forensic investigations are as follows:
1. To identify the malicious activities.
2. To identify the security lapse in their network.
3. To find out the impact if the network system was compromised.
4. To identify the legal procedures, if needed.
5. To provide the remedial action in order to harden the system.
• Stages of the investigative process of digital forensics:
1. Preservation: The preservation stage corresponds to freezing the crime scene. It involves operations such as preventing people from using computers during collection, stopping ongoing deletion processes and choosing the safest way to collect information.
2. Collection: The collection stage consists in finding and collecting digital information that may be relevant to the investigation. Collection of digital information means collection of the equipment containing the information or recording the information on some medium.
3. Examination: It is the search for digital evidence. The output of examination is the data objects found in the collected information, which include log and data files containing specific phrases, time-stamps etc.
4. Analysis: The aim of analysis is to draw conclusions based on the evidence found.

1.2.3 Forensic Duplication and Investigation
• Computer forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence.
• The computer investigations group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
• For complex casework, the computer investigations group draws on resources from those involved in vulnerability assessment, risk management and network intrusion detection and incident response. This group resolves or terminates all case investigations.
• Digital forensic investigation: A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred.
• Forensic analysis includes reviewing all the data collected. This includes reviewing log files, system configuration files, trust relationships, web browser history files, email messages and their attachments, installed applications and graphic files.
• You perform software analysis, review time/date stamps, perform keyword searches and take any other necessary investigative steps.
• Forensic analysis also includes performing more low-level tasks, such as looking through information that has been logically deleted from the system to determine if deleted files, slack space or free space contain data fragments or entire files that may be useful to the investigation.
• Fig. 1.2.1 shows forensic analysis.
[Fig. 1.2.1 Forensics analysis: a flowchart in the original. Box labels recovered from the scan: Preparation of data (create forensic duplication of all media; create a working copy; review data collected during live response). Analysis of data (perform statistical data analysis; review partition table and file systems; recover deleted data; perform file signature analysis; search for relevant evidence objects; review network-based evidence; identify and recover unallocated space; identify known system files; perform software analysis; decrypt encrypted files; perform file-by-file review; perform specialised analysis). Extra review (review email and browser history files and attachments; review installed applications).]
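As an added illustration (not from the textbook) of the forensic duplication step in Fig. 1.2.1 under the three principles stated in section 1.2 (acquire without altering, demonstrably so, analysis that is accountable and repeatable), the Python script below copies a constructed evidence image, hashes the source before and after copying, hashes the working copy, writes a chain-of-custody record, and shows that a later change to the working copy is caught by re-verification. The image bytes, file names and the examiner label are all constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample "evidence" standing in for a raw disk image. Not real data.
CONSTRUCTED_EVIDENCE = b"MBR\x00" * 64 + b"deleted-file-fragment:invoice.pdf" + b"\x00" * 500


def constructed_evidence_sha256():
    """Reference digest of the constructed image, for checking the file-based hash."""
    return hashlib.sha256(CONSTRUCTED_EVIDENCE).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_working_copy(source_path, dest_dir, examiner, audit_log):
    """Make a bit-for-bit working copy and record the chain of custody.

    Three hashes back the three principles: the source hashed before copying,
    the copy hashed afterwards (identical copy), and the source hashed again
    (the original was not altered by the acquisition).
    """
    os.makedirs(dest_dir, exist_ok=True)
    source_before = sha256_file(source_path)
    dest_path = os.path.join(dest_dir, os.path.basename(source_path) + ".copy")
    shutil.copyfile(source_path, dest_path)
    os.chmod(dest_path, 0o444)               # working copy is read-only from here on
    copy_hash = sha256_file(dest_path)
    source_after = sha256_file(source_path)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source_path,
        "copy": dest_path,
        "source_sha256": source_before,
        "copy_sha256": copy_hash,
        "verified": source_before == copy_hash == source_after,
    }
    audit_log.append(record)                 # every action documented and reviewable
    return record


def verify_record(record):
    """Re-hash the working copy later (repeatability): True only if it still matches."""
    return os.path.exists(record["copy"]) and sha256_file(record["copy"]) == record["copy_sha256"]


def demo():
    """Acquire the constructed image, verify it, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence.img")
        with open(src, "wb") as f:
            f.write(CONSTRUCTED_EVIDENCE)
        audit_log = []
        record = acquire_working_copy(src, os.path.join(work, "copies"),
                                      "examiner-01 (hypothetical)", audit_log)
        intact = verify_record(record)
        # Simulate an accidental write to the working copy; the recorded hash exposes it.
        os.chmod(record["copy"], 0o644)
        with open(record["copy"], "r+b") as f:
            f.write(b"X")
        return {
            "verified": record["verified"],
            "source_sha256": record["source_sha256"],
            "intact_before_tamper": intact,
            "tamper_detected": not verify_record(record),
            "audit_entries": len(audit_log),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the working copy, not the original, is what the analysis stages of Fig. 1.2.1 operate on; the audit record is what lets another examiner repeat the verification.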
• The following principles must be followed when a person conducts a computer forensic investigation:
1. Data stored in a computer or storage media must not be altered or changed, as those data may later be presented in the court.
2. A person must be competent enough in handling the original data held on a computer or storage media if it is necessary.
3. An audit trail or other documentation of all processes applied to computer-based electronic evidence should be created and preserved.
4. A person who is responsible for the investigation must have overall responsibility for accounting that the law is followed.

University Question
1. What is Digital forensics? GTU: Winter-21, Marks 3

1.3 Locard's Exchange Principle GTU: Winter-21
• Edmond Locard was an important forensic scientist of the 19th century. In forensic science, Locard's exchange principle holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence.
• He formulated the basic principle of forensic science as: "every contact leaves a trace". It is generally understood as "with contact between two items, there will be an exchange."
• This basic principle is that "every contact leaves a trace". Thus no perpetrator can leave the scene without leaving a trace. Fingerprints, gunshot residue or blood are the main evidence, which is involuntarily left behind at the crime scene.
• Although Locard's thoughts were highly unusual at that time, he realized early the great significance of using scientific tools in the investigation of crimes. Finally, a new discipline, forensics, was created for these reasons.
• Paul L. Kirk expressed the principle as follows: "Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibres from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget."
• When a crime is committed, fragmentary or trace evidence needs to be collected from the scene. A team of specialised police technicians goes to the scene of the crime and seals it off. They record video and take photographs of the crime scene, victim/s and items of evidence. If necessary, they undertake ballistics examinations. They check for foot, shoe, and tire mark impressions, plus hair, as well as examine any vehicles and check for fingerprints, whole or partial.
• Example: website visit. Suppose a user visits "technicalpublications.org" and logs in there. What evidence of this "visit" does the user leave at the technicalpublications.org webserver? An entry in the webserver log. What evidence does the user take with them? First of all, a cookie from the technicalpublications.org server. Second of all, the user's browser caches a copy of the webpages visited, i.e. it stores a copy of each webpage on the user's machine. Third of all, the user's browser keeps a history of all the pages the user has visited, which it uses to offer a list of completions of the URL currently being typed.

University Question
1. Explain Locard's Exchange Principle with suitable scenario. GTU: Winter-21, Marks 7

1.4 Scientific Models
• Scientific models are developed as a means of helping people understand scientific concepts and representing them in a visual medium. Models are used to make predictions. They may include physical and digital models, which can be refined over time by the inclusion of new scientific knowledge.
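The website-visit scenario in section 1.3 (a server log entry left behind; a cookie, cached pages and a history entry taken away) is worked through below in an added Python example that is not part of the textbook. The web-server log lines, browser-history rows and cookie-jar entries are constructed sample data using documentation IP ranges; the code parses the Combined Log Format, lists what a client left on the server, and pairs each history visit to the site with the server-side requests from that client for the same path inside a time window, which is how the two halves of the exchange are matched in practice.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed web-server log (Combined Log Format). Not real traffic.
SERVER_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:14:02 +0000] "GET /login HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2021:10:14:09 +0000] "POST /login HTTP/1.1" 302 0 "https://technicalpublications.org/login" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2021:10:14:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [12/Mar/2021:10:14:10 +0000] "GET /account HTTP/1.1" 200 2210 "https://technicalpublications.org/login" "Mozilla/5.0"
"""

# Constructed browser history from the visitor's machine: (URL, visit time, ISO 8601).
BROWSER_HISTORY = [
    ("https://technicalpublications.org/login", "2021-03-12T10:14:03+00:00"),
    ("https://technicalpublications.org/account", "2021-03-12T10:14:11+00:00"),
    ("https://example.net/news", "2021-03-12T10:20:00+00:00"),
]

# Constructed cookie jar: the "something taken away" from the server.
COOKIE_JAR = [
    {"host": "technicalpublications.org", "name": "sessionid", "set": "2021-03-12T10:14:09+00:00"},
    {"host": "example.net", "name": "pref", "set": "2021-03-12T10:20:01+00:00"},
]

CLF_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_server_log(text):
    """Parse CLF lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def left_behind(log_entries, client_ip):
    """Everything the server recorded about one client: the trace left at the scene."""
    return [e for e in log_entries if e["ip"] == client_ip]


def cookies_for_host(jar, host):
    """Cookie names the visitor carried away from a given host."""
    return [c["name"] for c in jar if c["host"] == host]


def correlate(history, log_entries, host, client_ip, window_seconds=30):
    """Pair each history visit to `host` with the client's server-side requests for the
    same path within the window. Returns a list of (url, [matching log entries])."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for url, visited in history:
        parsed = urlparse(url)
        if parsed.netloc != host:
            continue
        t = datetime.fromisoformat(visited)
        matches = [e for e in log_entries
                   if e["ip"] == client_ip and e["path"] == parsed.path
                   and abs(e["time"] - t) <= window]
        pairs.append((url, matches))
    return pairs


if __name__ == "__main__":
    entries = parse_server_log(SERVER_LOG)
    for url, matches in correlate(BROWSER_HISTORY, entries, "technicalpublications.org", "203.0.113.7"):
        print(url, [(e["method"], e["time"].isoformat()) for e in matches])
```

Clock skew between the client and the server is the usual reason a time window is needed; in a real case the window is chosen from the observed offset rather than guessed.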
1. Scientific Working Group on Digital Evidence (SWGDE)
• The Scientific Working Group on Digital Evidence (SWGDE) brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as to ensure quality and consistency within the forensic community.
• The FBI (Federal Bureau of Investigation) has supported the formation and efforts of a wide range of Scientific Working Groups (SWGs) and Technical Working Groups (TWGs).
• The mission of the Scientific Working Group on Imaging Technology (SWGIT) was to facilitate the integration of imaging technologies and systems within the Criminal Justice System (CJS) by providing best practices and guidelines for the capture, storage, processing, analysis, transmission, output and archiving of images.

2. American Academy of Forensic Sciences
• The American Academy of Forensic Sciences (AAFS) is a multidisciplinary professional organization that provides leadership to advance science and its application to the legal system.
• AAFS members are 6,600+ and represent all 50 United States and 71 other countries. Membership is comprised of pathologists, attorneys, dentists, toxicologists, anthropologists, document examiners, digital evidence experts, psychiatrists, engineers, physicists, chemists, criminalists, educators, researchers, and others.
• AAFS provides:
a) Leadership to advance science and its application to the legal system
b) Education to elevate the accuracy, precision, and specificity in the forensic sciences
c) Initiation of actions and reactions to various and relevant issues by way of AAFS Position Statements and Statements from the AAFS Board of Directors.

3. American Society of Crime Laboratory Directors/Laboratory Accreditation Board
• The American Society of Crime Laboratory Directors (ASCLD) is a nonprofit professional society of crime laboratory directors and forensic science managers dedicated to providing excellence in forensic science through leadership and innovation.
• The purpose of the organization is to foster professional interests; assist the development of laboratory management principles and techniques; acquire, preserve, and disseminate forensic based information; maintain and improve communication among crime laboratory directors; and to promote, encourage, and maintain the highest standards of practice in the field.

4. National Institute of Standards and Technology (NIST)
• The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories.
• From the smart electric power grid and electronic health records to atomic clocks, advanced nano-materials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.
• Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations, from nano-scale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication.
2 Understanding of the Technical Concepts

Syllabus
Basic computer organization, File system, Memory organization concept, Data storage concepts.

Contents
2.1 Basic Computer Organization ... Winter-21, Marks 3
2.2 Flynn's Classification of Computers ... Winter-21, Marks 4
2.3 File System
2.4 Memory Organization Concept ... Winter-21, Marks 4
2.5 Cache Memory ... Winter-21, Marks 7
2.6 Data Storage Concepts ... Winter-21, Marks 3


Understanding of the Technical Cono

2-2 Concepts
Digital Forensies
GTU: Winter-21 Digitel Forensics Understanding of the Technical Concepts
Organization
2.1 Basic Computer that are combinodd to
software
hardware
device and 3. VO modules : These modules are used for moving data between computer and
consists of
Computer system its external environment. The external environment consists of variety of
a tool to user for solving problems.
provide devices, including secondary memory devices, communication equipmene's and
Fig 2.1.! shows modern computer system. terminals.
4.System bus : It provides for communication among processors, main memory
CD ROM and 1/O modules.
Hard disk Display
CPU and device controller use memory cycle for execution purposes. But memory
cycle is only available to one device at a time.

Graphics Bootstrap program is loaded when user start the computer. It initializes all the
Disk controller
adapter device connected to the computer systern and then loads required device drivers.
Central
processin9 After this, operating system loads in the computer systerm. In UNX OS, an 'init' is
unit
the first process which execute by OS.

Interrupt is software and hardware. It is used to send signal to CPU. Software


interrupt is sometime called system call.
BUS Controller When interrupt is trigger, the CPU stops executing the instruction and control is
transfer to the fixed location. Starting address is stored at fixed location where the
service routine executes. Interrupts do not alter the control flow of the process
executing on the processor.
USB Pen drive Processor access the data from main memory before executing any instruction.
controller
Main memory is also called Random Access Memory (RAM).
Main memory
A t the top of the hierarchy, we have storage on the CPU registers. For accessing
the CPU, it is fastest form of storage.
Keyboard Mouse Printer
Every device uses a device controller to connect it to the computer's address and
data bus. Devices can be classified as a block oriented or character oriented,
Fig. 2.1.1 Modern computer system
depending on the number of bytes transferred on an individual operation.

Computer system consists of CPU, memory and I/0 devices with one or more Storage devices are used to store data while the computer is off. Device controller
modules of each type. These all components are interconnected. Common bus is
manage the data transfer between peripheral device and its controller. Device
used for communication between these devices. Each device has its own device
driver is handled by device controller.
controller.
Main structural elements are as follows 2.1.1 Control Unit
1. Central processing unit: CPU controls the operation of the computer. It
is the main component of a Central Processing Unit (CPU) in
performs processing function.
data The control unit
computers that can direct the operations during the execution of a program by the
2. Main memory: Used for storing programsand data. The memory is typicaly processor / computer.
volatile. Main memory is also referred as primary memory or real memory, Central Processing Unit has three main parts which are the Arithmetic Logic Unit
User program and data are stored in the main memory. Main memory 15 (ALU), the Control Unit (CU), and the Memory Unit. The control unit is an
volatile, so it can not stored permanently.
important component of the CPU. It directly controls the functions of the memory
urit, the ALU and the input and output devices.
TECHNICAL PUBLICATIONS an up-thrust for knowledge
TECHNICAL PUBLICATIONS an up hrust for knowledge
• Fig. 2.1.2 shows the block diagram of the control unit of a computer.
[Fig. 2.1.2 Block diagram of control unit: inputs are the instruction register, flags, the clock and control signals from the control bus; outputs are control signals within the CPU and control signals to the control bus.]
• The components of the control unit are instruction registers, control signals within the CPU, control signals to/from the bus, the control bus, input flags and clock signals.
• The control unit co-ordinates and controls the activities amongst the functional units.
• The basic function of the control unit is to fetch the instructions stored in the main memory, identify the operations and the devices involved in them, and accordingly generate control signals to execute the desired operations.
• It controls input and output operations and data transfer between the processor, memory and input/output devices using timing signals.

University Question
1. Draw and explain Control Unit of basic computer. GTU: Winter-21, Marks 3

2.2 Flynn's Classification of Computers GTU: Winter-21
• M. J. Flynn introduced a system for the categorization of the system architectures of computers. It categorizes all computers according to the number of instruction streams and data streams they have, where a stream is a sequence of instructions or data on which a computer operates.
• Two types of information flow into a processor: instructions and data.
• This classification is based upon the relationship between the instructions and the manipulated data.
• Four Categories Terminology:
S = Single
I = Instruction Stream
M = Multiple
D = Data Stream
• Logical organization refers to a programmer's view of the platform. Physical organization refers to the actual hardware organization of the platform.
• Stream refers to a sequence or flow of either instructions or data operated on by the computer.
• The instruction stream is defined as the sequence of instructions performed by the processing unit. It is a flow of instructions from main memory to the CPU. The data stream is defined as the data traffic exchanged between the memory and the processing unit.
[Fig. 2.2.1 Data and instruction stream: primary memory connected to the Central Processing Unit (CPU) by a data stream and an instruction stream.]
• According to Flynn's classification, either of the instruction or data streams can be single or multiple. Computer architecture can be classified into the following four distinct categories:
1. SISD (Single Instruction and Single Data Stream)
2. SIMD (Single Instruction and Multiple Data Streams)
3. MISD (Multiple Instructions and Single Data Stream)
4. MIMD (Multiple Instructions and Multiple Data Streams)
• These models are called Flynn's Taxonomy. These models were proposed in 1972 as a general 4-category system. It does not clearly classify all models in use today.
[Fig. 2.2.2 Computer architecture classification: SISD, SIMD, MISD, MIMD.]

2.2.1 Single Instruction and Single Data Stream
• A sequential computer which exploits no parallelism in either the instruction or data streams. This is the common Von Neumann model used in virtually all single processor computers. These are uniprocessor computers that process one instruction at a time.
• The simplest type of computer performs one instruction per cycle, such as reading from memory, addition of two values etc. It uses only one set of data or operands.
• Instructions are executed sequentially but may be overlapped in their execution stages. Fig. 2.2.3 shows SISD.
[Fig. 2.2.3 SISD: primary memory supplies an instruction stream to the controller and a data stream to the CPU, which produces the input/output stream.]
• There is no instruction level parallelism and no data level parallelism.
• Examples: Cray-1, which supports vector processing, and Amdahl 470/6, which has pipelined instruction processing.

2.2.2 Single Instruction and Multiple Data Streams
• There are multiple data streams in parallel with a single instruction stream. The controller transmits this instruction to all the processors. This is typically done by replicating arithmetic units in the CPU and allowing the different units to refer to different operands, but following a common instruction. Fig. 2.2.4 shows SIMD.
[Fig. 2.2.4 SIMD: a host computer and controller broadcast instructions to CPU 1 ... CPU N, each with its own local memory 1 ... N, joined by a high speed interconnection network.]
• Each processor has its own local memory. Processors can communicate with each other through the interconnection network. Each processor takes the data from its own memory and hence operates on distinct data streams.
• Instructions are broadcast globally by a single control unit. There is a single control thread, a single program.
• Every processor must be allowed to complete its instruction before the next instruction is taken for execution. So, the execution of instructions is synchronous.
• An array or matrix is also processed in SIMD. Vector computers and array processors are examples of SIMD.

2.2.3 Multiple Instructions and Single Data Stream
• Multiple instruction streams in parallel operating on a single data stream. Not commonly used. The systolic array is one example of MISD architecture.
• An uncommon architecture which is generally used for fault tolerance.
• In the MISD category, the same stream of data flows through a linear array of processors executing different instruction streams. Fig. 2.2.5 shows MISD.
[Fig. 2.2.5 MISD: data memory feeds one data stream through Processor 1 ... Processor N, each driven by its own Controller 1 ... Controller N with separate instructions.]
• Examples include the space shuttle flight control computer.

2.2.4 Multiple Instructions and Multiple Data Streams
• Multiple-instruction multiple-data stream parallel architectures are made of multiple processors and multiple memory modules connected together via some interconnection network.
• Multiple autonomous processors simultaneously execute different instructions on different data. Processors are asynchronous.
• MIMDs have been considered by most researchers to include the most powerful and least restricted computers.
• Communications are handled either through use of shared memory or by use of message passing. Fig. 2.2.6 shows MIMD.
[Fig. 2.2.6 MIMD Organization: (a) shared memory MIMD organization, CPUs and memory joined by an interconnection network; (b) message passing organization, CPUs each with local memory joined by an interconnection network.]
• A shared memory system typically accomplishes inter-processor coordination through a global memory shared by all processors. Because access to shared memory is balanced, these systems are also called SMP (Symmetric Multiprocessor) systems.
• A message passing system typically combines the local memory and processor at each node of the interconnection network. It is also called distributed memory. There is no global memory, so it is necessary to move data from one local memory to another by means of message passing. This is typically done by a Send/Receive pair of commands, which must be written into the application software by a programmer.
• A message is defined as a block of related information that travels among processors over direct links. Examples of message passing systems include the cosmic cube, workstation clusters etc.
• One method for programming MIMDs is for all processors to execute the same program.
1. Execution of tasks by processors is still asynchronous.
2. Called the single program, multiple data method.
3. The usual method when the number of processors is large.
4. Considered to be a "data parallel programming" style for MIMDs.

Shared Memory MIMDs
• All processors have access to all memory locations. Two types: UMA and NUMA.
1. UMA (Uniform Memory Access)
• It is also called symmetric multiprocessing. Each processor has equal access to memory and can do anything that any other processor can do. Fig. 2.2.7 shows UMA.
[Fig. 2.2.7 UMA: several CPUs connected through an interconnection network to a single memory.]
• For these systems the time to access a word in memory is constant for all processors. Such a parallel computer is said to have Uniform Memory Access (UMA).
2. Non Uniform Memory Access (NUMA)
• In a distributed shared memory computer system, each processor may have its own local memory and may or may not share a common memory. For these systems, the time taken to access a word in local memory is smaller than the time taken to access a word stored in the memory of another computer or in common shared memory. Thus this system is said to have Non Uniform Memory Access (NUMA).
• Access time to a given memory location varies considerably for different CPUs. Normally, a fast cache is used with NUMA systems to reduce the problem of differing memory access times for PEs.
• Possibly effective performance at higher levels of parallelism than SMP. Not very supportive of software changes. Performance can break down if there is too much access to remote memory.
• Not transparent: page allocation, process allocation and load balancing changes can be difficult.
Digital Forensics
2-11 Understanding of the Technicel Concepts
Understanding of the Technicel Concepts
Digital Forensics 2-10
2.2.5 Single Program, Multiple Data

Flynn's classification traditionally covers only four architectural definitions. Very few people would argue that this fifth definition truly belongs under the banner of Flynn's classification. This is more a model for parallel processing. It is almost a hybrid between SIMD and MIMD.

All PEs execute the same program in parallel, but each has its own data. Each PE uses a unique ID to access its portion of the data. Different PEs can follow different paths through the same code. Fig. 2.2.8 shows SPMD.

Fig. 2.2.8 SPMD (task 1, task 2, task 3, ..., task n)

SPMD is by far the most commonly used pattern for structuring parallel programs.

Main advantage : Tasks and their interactions are visible in one piece of source code; there is no need to correlate multiple sources.

Typical SPMD program phases :
a. Initialize : Establish localized data structures and communication channels.
b. Obtain a unique identifier : Each thread acquires a unique identifier, typically in the range from 0 to N-1, where N is the number of threads. Both OpenMP and CUDA have built-in support for this.
c. Distribute data : Decompose global data into chunks and localize them, or share/replicate major data structures using the thread ID to associate a subset of the data with each thread.
d. Run the core computation.
e. Finalize : Reconcile global data structures, prepare for the next major iteration.

2.2.6 Dataflow Models

The basic concept is to enable the execution of an instruction whenever its required operands become available.

Programs for data driven computations can be represented by data flow graphs. Each instruction in a data flow computer is implemented as a template, which consists of the operator, operand receivers and result destinations. Operands are marked on the incoming arcs and results on the outgoing arcs.

The dataflow model of execution is asynchronous, i.e., the execution of an instruction is based on the availability of its operands. Instructions in the dataflow model do not impose any constraints on sequencing except the data dependencies in the program.

The dataflow model incurs more overhead in the execution of an instruction cycle compared to its control-flow counterpart due to its fine-grained approach to parallelism.

In dataflow machines each instruction is considered to be a separate process. To facilitate data-driven execution, each instruction that produces a value contains pointers to all its consumers. Since an instruction in such a dataflow program contains only references to other instructions, it can be viewed as a node in a graph.

A dataflow program is represented as a directed graph, G = (N, A), where nodes in N represent instructions and arcs in A represent data dependencies between the nodes. The operands are conveyed from one node to another in data packets called tokens.

In dataflow computers, the machine level language is represented by dataflow graphs. Fig. 2.2.9 shows basic primitives of the dataflow graph.

Fig. 2.2.9 Basic primitives of the dataflow graph : (a) Operator (b) Predicate (c) Copy (d) Switch (e) Merge

For example :
x = a * b
y = 3 * c
then (x + y) * (x - y) / c

An acyclic dataflow graph is used for representing arithmetic and logical expressions. Following is the acyclic dataflow graph for the given expression.
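The five SPMD phases of 2.2.5 carried through in one program, as an added example that is not from the book. It uses Python threads in place of OpenMP or CUDA threads, and the workload (a sum of squares over a constructed list) is chosen only for illustration. Every thread runs the same function; its unique id selects the slice of the shared data it works on.

```python
import threading

def spmd_sum_of_squares(data, n_threads):
    """Return (total, per-thread partial sums) computed SPMD-style."""
    # a. Initialize: shared (global) data structures and the channel the
    #    threads use to reconcile their results (a lock-protected cell).
    partial = [0] * n_threads
    total = [0]
    lock = threading.Lock()
    chunk = -(-len(data) // n_threads)          # ceiling division

    def program(tid):
        # b. Obtain a unique identifier: tid is in the range 0 .. N-1.
        # c. Distribute data: tid selects this thread's chunk of the global
        #    list; a thread whose chunk lies past the end simply gets nothing.
        lo = tid * chunk
        hi = min(len(data), lo + chunk)
        # d. Run the core computation on the local portion only.
        partial[tid] = sum(x * x for x in data[lo:hi])
        # e. Finalize: reconcile the global result under the lock.
        with lock:
            total[0] += partial[tid]

    # Every thread executes the same program; only tid differs.
    threads = [threading.Thread(target=program, args=(tid,))
               for tid in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return total[0], partial

if __name__ == "__main__":
    print(spmd_sum_of_squares(list(range(1, 11)), 3))
```

The per-thread partial list makes phase (e) visible: each thread's contribution is kept separately and only the reconciliation step touches the shared total.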

Fig. 2.2.10 Acyclic flow graph (inputs a, b, c; nodes s1 to s5)

Nodes s1 and s2 in the figure are both enabled for execution as soon as tokens are placed on input arcs a, b and c. They all execute simultaneously or one by one.

Switch routes its data input to the output arc on the true side or the false side, according to the value of the control input. The wave of tokens is directed to the true or false arm of the conditional.

Dataflow graphs exhibit two kinds of parallelism in instruction execution.
a. Spatial parallelism : Any two nodes can be potentially executed concurrently if there is no data dependence between them.
b. Temporal parallelism : This type of parallelism results from pipelining independent waves of computation through the graph.

The dataflow graph is similar to a dependence graph used in intermediate representations of compilers.

Dataflow models are classified as static and dynamic.

Static Model

The static model allows at most one instance of a node to be enabled for firing. A dataflow actor can be executed only when all of the tokens are available on its input arcs and no tokens exist on any of its output arcs.

Fig. 2.2.11 shows the basic organization of the static dataflow model.

Fig. 2.2.11 Static dataflow model (memory, update unit, fetch unit, processor; data tokens, instruction address, operation packets)

Memory contains instruction templates which represent the nodes in a dataflow graph. Each instruction template contains an operation code, slots for the operands and destination addresses.

Presence Bits (PBs) are used to determine the availability of the operands. Detecting whether an instruction is executable is done by the update unit. After verifying this condition, the update unit sends the address of the enabled instruction to the fetch unit.

The fetch unit fetches and sends a complete operation packet containing the corresponding op-code, data and destination list to the processor. The processor performs the operation and sends the result to the update unit.

The update unit stores each result in the appropriate operand slot and checks the presence bits to determine whether the activity is enabled.

Advantage of static model : Simple model.

Limitations of static model :
1. Consecutive iterations of a loop can only be pipelined.
2. Due to acknowledgment tokens, the token traffic is doubled.
3. Lack of support for programming constructs that are essential to modern programming languages.

Dynamic Model

The dynamic model permits activation of several instances of a node at the same time during run-time. To distinguish between different instances of a node, a tag is associated with each token that identifies the context in which a particular token was generated.
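The static dataflow machine of Fig. 2.2.11 applied to the expression of 2.2.6, as an added example that is not from the book. It builds the graph for x = a * b, y = 3 * c, (x + y) * (x - y) / c out of operator nodes and one copy node, keeps operand slots with presence bits in each instruction template, and fires a node only under the static rule: all operand slots full and every output arc (each consumer slot it feeds) empty. The node names s1 to s6 and cp are assumed here; the book's figure does not name them this way.

```python
import operator

class Node:
    """One instruction template: op-code, operand slots with presence bits,
    and a destination list of (consumer_name, slot) pairs."""
    def __init__(self, name, op, n_operands, destinations):
        self.name = name
        self.op = op
        self.slots = [None] * n_operands
        self.present = [False] * n_operands
        self.destinations = destinations

def copy_op(v):
    return v

def build_graph():
    nodes = [
        Node("s1", operator.mul, 2, [("s3", 0), ("s4", 0)]),   # x = a * b
        Node("cp", copy_op, 1, [("s2", 1), ("s6", 1)]),        # copy c to two consumers
        Node("s2", operator.mul, 2, [("s3", 1), ("s4", 1)]),   # y = 3 * c
        Node("s3", operator.add, 2, [("s5", 0)]),              # x + y
        Node("s4", operator.sub, 2, [("s5", 1)]),              # x - y
        Node("s5", operator.mul, 2, [("s6", 0)]),              # (x + y) * (x - y)
        Node("s6", operator.truediv, 2, [("out", 0)]),         # ... / c
        Node("out", None, 1, []),                              # result sink
    ]
    return {n.name: n for n in nodes}

def place_token(graph, name, slot, value):
    """Update unit: store a result in the target operand slot, set its presence bit."""
    node = graph[name]
    node.slots[slot] = value
    node.present[slot] = True

def enabled(graph, node):
    """Static firing rule: all operands present and all output arcs empty."""
    if node.op is None or not all(node.present):
        return False
    return all(not graph[c].present[s] for c, s in node.destinations)

def run(graph, a, b, c):
    """Drive the graph to completion; returns (result, firing order)."""
    place_token(graph, "s1", 0, a)
    place_token(graph, "s1", 1, b)
    place_token(graph, "s2", 0, 3)        # the constant 3 is a pre-placed token
    place_token(graph, "cp", 0, c)
    order = []
    while not graph["out"].present[0]:
        ready = [n for n in graph.values() if enabled(graph, n)]
        if not ready:
            raise RuntimeError("deadlock: no enabled node")
        node = ready[0]                   # fetch unit hands one operation packet on
        result = node.op(*node.slots)     # processor executes it
        node.present = [False] * len(node.slots)   # operand tokens consumed
        for dest, slot in node.destinations:       # results go back via the update unit
            place_token(graph, dest, slot, result)
        order.append(node.name)
    return graph["out"].slots[0], order

if __name__ == "__main__":
    value, fired = run(build_graph(), a=2, b=3, c=4)
    print(value, fired)
```

With a = 2, b = 3, c = 4 the run returns -27.0; the firing order shows the spatial parallelism of s1 and cp (both enabled at once) and the data-driven sequencing of s3 to s6.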


An actor is considered executable when its input arcs contain a set of tokens with identical tags. Fig. 2.2.12 shows the basic organization of the dynamic dataflow model.

Fig. 2.2.12 Dynamic dataflow model (memory, matching unit, fetch unit, processor; data tokens, matched token set, enabled instructions)

The operation of the matching unit is to bring together tokens with identical tags. If a match exists, the corresponding token is extracted from the matching unit and the matched token set is passed on to the fetch unit. If no match is found, the token is stored in the matching unit to await a partner.

Advantages and Limitations of Dynamic Dataflow

Advantage : Better performance, as it allows multiple tokens on each arc, thereby unfolding more parallelism.

Limitations :
1. Efficient implementation of the matching unit that collects tokens with matching tags.
2. Associative memory would be ideal.
3. It is not cost-effective.
4. All existing machines use some form of hashing technique that is typically not as fast as associative memory.

2.2.7 Demand-driven Computation

In demand-driven computation, each processor is assigned a task to perform and is responsible for all computations related to those tasks. Demand-driven machines are also known as reduction machines.

It uses a top-down approach for instruction execution. In a reduction machine, the computation is triggered by the demand for an operation's result.

The demand-driven approach matches naturally with functional programming languages.

Operations are executed only when their results are required by another instruction in the demand driven model. Because of this it is called lazy evaluation.

2.2.8 Difference between SIMD and MIMD

SIMD | MIMD
SIMD stands for single instruction multiple data. | MIMD stands for multiple instruction multiple data.
Architecture is simple. | Architecture is complex.
Low cost. | Medium cost.
Size and performance is scalable. | Complex size and good performance.
Automatic synchronization of all send and receive operations. | Explicit synchronization and identification protocols needed.

University Question

1. Explain Flynn's classification of computers. GTU : Winter-21, Marks 4

2.3 File System

File systems are an abstraction that enables users to read, manipulate and organize data. Typically the data is stored in units known as files in a hierarchical tree where the nodes are known as directories.

The file system enables a uniform view, independent of the underlying storage devices, which can range from floppy drives to hard drives and flash memory cards. Since file systems evolved from stand-alone computers, the connection between the logical file system and the storage device was typically a one-to-one mapping.

The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. This unused space is called the slack space.

A cluster, also known as an allocation unit, consists of one or more sectors of storage space and represents the minimum amount of space that an operating system allocates when saving the contents of a file to a disk.

A file system must be mounted before it can be available to processes on the system. The procedure for mounting a file system is as follows.
1. The mount point is an empty directory at which the mounted file system will be attached.
2. The name of the device and the location within the file structure at which to attach the file system are required.
3. The operating system verifies that the device contains a valid file system.
4. The device driver is used by the operating system for these verifications.
5. Finally the operating system mounts the file system at the specified mount point.

2.3.1 File Allocation Table

A table that the operating system uses to locate files on a disk. Due to fragmentation, a file may be divided into many sections that are scattered around the disk. The FAT keeps track of all these pieces.

The system for older versions of Windows 95 is called FAT16 and the one for newer versions of Windows 95 and Windows 98 is called FAT32.

FAT file systems are commonly found on floppy disks, flash memory cards, digital cameras and many other portable devices because of their relative simplicity.

Files and folders are organized on a FAT formatted volume which uses a directory and a file allocation table. The root folder (C:\ or D:\) is at a predefined location on the volume. A folder contains a list of files and subdirectories. Fig. 2.3.1 shows the folder view of the file system.

Fig. 2.3.1 Folder view (tree view of folders; contents of selected folders)

The folder view contains the starting cluster, date and time associated with each file. The FAT file system shows only the last accessed date, not the time. At the command line, the "dir" command is used to get the information about files and directories (Fig. 2.3.3).

Fig. 2.3.2 File allocation table in Norton disk editor (start of file, end of file, start of a WordPerfect document)

The FAT is only a list with one entry for each cluster in a volume. Each entry in the FAT indicates what the associated cluster is being used for, as follows.

Fig. 2.3.2 shows output from Norton disk editor on the file allocation table.

A free cluster is marked by zero in its entry. If the entry contains some value (i.e. greater than zero) then that number is the next cluster for the given file or folder. EOF means end of file. Where a file ends, the FAT marks it as EOF.

Subdirectories are a special type of file. A subdirectory contains information such as names, attributes, dates, times, sizes and the first cluster of each file on the system.
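The FAT entry rules above (zero = free, a number = next cluster, EOF marker at the end of a chain) and the slack and deleted-file behaviour of 2.3 and 2.3.1, as an added example that is not from the book. The 16-entry FAT16 table is constructed for illustration and packed little-endian as it would be on disk; the cluster size of 2048 bytes and the file sizes used are assumptions. The chain walker refuses loops and chains that run into free or bad clusters, since a corrupt or tampered FAT can contain both, and the recovery helper shows the contiguity assumption that recovering a deleted FAT file rests on once its chain entries have been zeroed.

```python
import struct

FAT16_EOF_MIN = 0xFFF8   # entries 0xFFF8-0xFFFF mark end of file
FAT16_BAD = 0xFFF7       # bad cluster marker
CLUSTER_SIZE = 2048      # assumed: 4 sectors of 512 bytes per cluster

# Constructed table: index = cluster number, value = FAT entry.
_ENTRIES = [
    0xFFF8, 0xFFFF,            # clusters 0 and 1 are reserved
    0x0003, 0x0004, 0xFFFF,    # file A: 2 -> 3 -> 4 -> EOF
    0x0000,                    # cluster 5 free
    0x0009, 0x0000, 0x0000,    # file B starts at 6, jumps to 9 (fragmented); 7, 8 free
    0xFFFF,                    # cluster 9: EOF of file B
    0xFFF7,                    # cluster 10 marked bad
    0x0000, 0x0000, 0x0000, 0x0000, 0x0000,   # clusters 11-15 free
]
FAT_BYTES = struct.pack("<16H", *_ENTRIES)

def parse_fat16(data):
    """Decode the raw FAT into a list of 16-bit entries."""
    n = len(data) // 2
    return list(struct.unpack("<%dH" % n, data[:2 * n]))

def cluster_chain(fat, start):
    """Follow a file's chain from its starting cluster to EOF."""
    chain, seen = [], set()
    cur = start
    while True:
        if cur < 2 or cur >= len(fat):
            raise ValueError("cluster %d out of range" % cur)
        if cur in seen:
            raise ValueError("cluster chain loops at cluster %d" % cur)
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOF_MIN:
            return chain
        if nxt == 0 or nxt == FAT16_BAD:
            raise ValueError("chain from %d hits entry 0x%04X at cluster %d"
                             % (start, nxt, cur))
        cur = nxt

def free_clusters(fat):
    """Clusters whose entry is zero: unallocated, but possibly still holding old data."""
    return [i for i, entry in enumerate(fat) if i >= 2 and entry == 0]

def slack_bytes(file_size, n_clusters, cluster_size=CLUSTER_SIZE):
    """Bytes allocated to the file but not used by its content (the slack space)."""
    return n_clusters * cluster_size - file_size

def recover_contiguous(fat, start, file_size, cluster_size=CLUSTER_SIZE):
    """Deleted-file recovery heuristic: the directory entry still records the
    start cluster and size, but the chain entries were zeroed, so assume the
    file was stored contiguously. Returns None if any needed cluster has been
    reallocated, meaning the content may already be overwritten."""
    needed = -(-file_size // cluster_size)          # ceiling division
    clusters = list(range(start, start + needed))
    if any(c >= len(fat) or fat[c] != 0 for c in clusters):
        return None
    return clusters

if __name__ == "__main__":
    fat = parse_fat16(FAT_BYTES)
    print("file A:", cluster_chain(fat, 2))
    print("file B:", cluster_chain(fat, 6))
    print("free:", free_clusters(fat))
```

A file of 5000 bytes occupying three 2048-byte clusters leaves 1144 bytes of slack; that region, like any free cluster, may still hold the previous occupant's data, which is why the text warns against writing to the volume before recovery.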
When a file is deleted, the file system will perform one of two tasks on the allocation table. The file's entry on the file allocation table is marked as "free space", or the file's entry on the list is erased and then the space is marked as free.

If a file needs to be placed on the storage unit, the operating system will put the file in the space marked as empty. After the new file is written to the "empty space", the deleted file is gone forever.

When a deleted file is to be recovered, the user must not manipulate any files, because if the "empty space" is used then the file can never be retrieved.

Fig. 2.3.4 Root directory in Norton disk editor (sector 7 in root directory; columns : Filename, Ext, Size, Date, Time, Cluster, attributes Arc, R/O, Sys, Hid, Dir, Vol; filenames beginning with ' indicate erased entries)

A floppy diskette uses the FAT12 file system. Each entry contains 12 bits in the FAT. FAT16 uses 16 bit fields to identify a cluster. A hard disk uses FAT32 and 28 bits plus a 4 bit reserved field to identify the cluster.

2.3.2 Network File System

The master file table is the heart of NTFS. The MFT is an array of file records. Each record is 1024 bytes. The first record in the MFT is for the MFT itself. The name of the MFT is $MFT. The first 16 records in the MFT are reserved for metadata files.

An MFT can be too big if a volume used to have lots of files that were deleted. The files that were deleted cause internal holes in the MFT. These holes are significant regions that are unused by files. It is impossible to reclaim this space. This is at least true on a live NTFS volume.

Fig. 2.3.5 shows an NTFS partition.

As files are added to an NTFS volume, more entries are added to the MFT and so the MFT increases in size. When files are deleted from an NTFS volume, their MFT entries are marked as free and may be reused, but the MFT does not shrink. Thus, space used by these entries is not reclaimed from the disk.

Fig. 2.3.5 NTFS partition (MBR | VBR | $MFT | directories and files; measured in clusters; directory format)

Directories are treated in NTFS as index entries and store folder entries in a B-tree to accelerate access and facilitate resorting when entries are deleted. NTFS uses an encoding scheme called Unicode.

The attribute places INDX records in a B+ tree, where the key is the file name. A B+ tree is a data structure where arbitrary records are organized by a sortable key value, such as a number or a string. For a forensic investigator, the effect of the B+ tree is that INDX records associated with a node are stored as a chunk in alphanumeric order.

The size of a B+ node is 4096 bytes. When a file is added to a directory, a new record is added to the INDX attribute of the directory. Within the B+ tree, NTFS finds the appropriate node and inserts the new record, shifting records down if necessary.

Fig. 2.3.6 shows a file with a logical size that is larger than its valid data length, leaving un-initialized space.

Fig. 2.3.6 File with logical size (file content | un-initialized space | file slack; valid data length; logical size; physical size)

Fig. 2.3.7 shows the behavior of the Microsoft NTFS driver as an INDX record is deleted. When the driver removes INDX record "F", it shifts the records "G" and "H" to fill the space. As the contents of record "H" shift, a recoverable copy (inactive record "H") remains in the newly expanded slack space.

Fig. 2.3.7 Behavior of NTFS driver (INDX node header | active INDX records | slack space; INDX record "F" deleted; active INDX records shift to fill the space; a copy of record "H" is recoverable from slack)

NTFS captures the difference between the logical file size and the valid data length in two MFT fields.

NTFS creates MFT entries whenever required. When a file is deleted, NTFS simply marks the associated MFT entry as deleted and available for a new file. It is possible to recover all of the information about a deleted file from the MFT entry, including the data for resident files and the location of the data on disk for non-resident files.

Recovery of deleted files in NTFS is complicated. When a file is deleted, the next file that is created may overwrite the MFT entry for the deleted file.

2.4 Memory Organization Concept GTU : Winter-21

Memory is used to store information. Secondary storage memory is long term persistent memory that is held in a storage device such as a disk drive. Primary memory is faster than secondary memory. The memory manager is responsible for allocating primary memory to processes.

Memory management is performed by both software and special purpose hardware. The memory manager is an operating system component. Managing the sharing of primary memory and minimizing memory access time are the basic goals of the memory manager.

Primary memory requirements
1. Access time : It should be as small as possible. This need influences both software and hardware design.
2. Size : Size must be as large as possible so that it can accommodate many programs in memory.
3. Cost : The cost of the memory is less than the total cost of the computer.

2.4.1 Memory Management Function
1. Allocate primary memory space to processes.
2. Minimize access time.
3. Determine the allocation policy for memory.
4. Deallocation technique and policy.

2.4.2 Basic Hardware of Memory

The CPU can access the contents of main memory and registers directly. If the data is not available in memory, it is loaded into memory from disk.

Registers are built on the processor. Using one cycle of the CPU clock, the processor accesses data from a register. Accessing memory may take many CPU clock cycles. The mismatch of speed between CPU and memory is overcome by using cache memory.

The use of base and bound (limit) registers restricts a process's memory references up to a certain limit. Hardware is used to protect the user address space.

Each process requires its own address space; the operating system defines the legal addresses for each process. Maximum and minimum limits are also decided so that a process can access only these legal addresses.

Fig. 2.4.1 shows the protection of a process by using registers. An address space is the set of addresses that a process program can use to address main memory. Each process has its own address space. User programs are loaded into consecutive memory locations by using base and limit registers. When a process is executing, the base register is loaded with the physical address where its program begins in memory and the limit register is loaded with the length of the program.

Fig. 2.4.1 Address space and memory (primary memory : operating system kernel, user process 1, user process 4, user process 6, free space; the base and limit registers mark the allocated space for a process)
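Returning to the INDX deletion of Fig. 2.3.7, the record shift and the residual copy it leaves in slack, as an added example that is not from the book. The node layout here is simplified for illustration: a fixed-size node with an assumed 64-byte header and assumed fixed-length 96-byte records holding a UTF-16LE file name; only the node size of 4096 bytes comes from the text, and the real NTFS on-disk format is not reproduced. The point it makes is the one the text makes: the driver shifts the following records down but never wipes the bytes of the old last record, so a carve of the slack region recovers them.

```python
NODE_SIZE = 4096     # size of a B+ node as stated in the text
HEADER_SIZE = 64     # assumed header length for this simulation
REC_SIZE = 96        # assumed fixed record length for this simulation

def make_record(name):
    body = name.encode("utf-16-le")
    assert len(body) <= REC_SIZE
    return body + b"\x00" * (REC_SIZE - len(body))

def decode(rec):
    return bytes(rec).decode("utf-16-le").rstrip("\x00")

class IndexNode:
    def __init__(self, names):
        self.buf = bytearray(NODE_SIZE)
        self.active_end = HEADER_SIZE       # first byte of slack
        for n in names:
            self.add(n)

    def add(self, name):
        rec = make_record(name)
        self.buf[self.active_end:self.active_end + REC_SIZE] = rec
        self.active_end += REC_SIZE

    def _records(self, start, end):
        return [self.buf[i:i + REC_SIZE]
                for i in range(start, end - REC_SIZE + 1, REC_SIZE)]

    def active_names(self):
        """What the file system itself reports for the directory."""
        return [decode(r) for r in self._records(HEADER_SIZE, self.active_end)]

    def delete(self, name):
        """Mimic the driver: following records shift down over the deleted
        record; the old bytes of the last record are left in place, so they
        now sit in the slack."""
        recs = self._records(HEADER_SIZE, self.active_end)
        idx = [decode(r) for r in recs].index(name)
        tail = b"".join(bytes(r) for r in recs[idx + 1:])
        start = HEADER_SIZE + idx * REC_SIZE
        self.buf[start:start + len(tail)] = tail
        self.active_end -= REC_SIZE        # the old last-record bytes are not wiped

    def slack_names(self):
        """What a forensic carve of the slack region recovers."""
        return [decode(r) for r in self._records(self.active_end, NODE_SIZE)
                if r[0] or r[1]]

if __name__ == "__main__":
    node = IndexNode(["A", "D", "E", "F", "G", "H"])
    node.delete("F")
    print(node.active_names(), node.slack_names())
```

Deleting the last record ("H") after "F" leaves two inactive copies of "H" in the slack, since nothing is shifted over the old bytes; the file system reports neither.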

Memory protection is used to avoid interference between existing programs in main memory. The memory protection hardware compares every memory address used by the program with the contents of two registers (base and limit) to ensure that it lies within the allocated memory area.

Multiple hardware memories are used to provide a program a larger address space.

The simplest method of memory protection is adding two registers to the CPU. This works well when all memory is allocated contiguously. Non-contiguous memory is harder to protect.

When a process reads from or writes to an address, the memory decoder adds on the value of the base register. The actual operation of read or write to address = base register + limit register.

If the input address is higher than the limit or lower than zero, then the memory hardware generates an error. This is reported to the operating system by using an interrupt. Processes can only access memory within these limits.

Each process has its own pair of base register and limit register.

2.4.3 Address Space Mapping

A secondary storage device stores a program in binary executable format. Before executing, the program is loaded into the main memory.

Most operating systems allow a user process to be stored in any section of the main memory. A source program uses symbolic addresses.

Binding of instructions and data to main memory addresses is done in the following ways :
1. Compile time
2. Load time
3. Execution time

Compile time : The source program is translated at compile time to produce a relocatable object module. At compile time, the translator generates code to allocate storage for the variables. This storage address is used for code references. If the target address is unknown at compile time, it cannot be bound at compile time. An example of compile time binding is MS DOS .com programs.

Load time : The compiler generates relocatable code if compile time binding is not performed. The loader modifies the addresses in the load module at load time to produce the executable image stored in main memory. Final binding is delayed until program load time.

Execution time : If the memory address of the program is changed at execution time, then execution time binding is used. Binding is delayed until the run time of the program. Normally all operating systems use execution time binding. Special protection hardware is used for execution time binding.

Fig. 2.4.2 Processing of user program (source program -> compiler -> linkage editor -> loader -> memory image of program; compile time, load time, execution time)

Memory allocation and deallocation is done using the run-time support of the programming language in which a program is coded. Allocation and deallocation requests are made by calling appropriate routines of the run time library. The kernel is not involved in this kind of memory management.

2.4.4 Concept of Memory Address

A logical address is generated by the CPU. This address is also called a virtual address.

Main memory uses physical addresses. This address is also called a real address.

Logical address space : Set of all logical addresses generated by a program.

Logical address and physical address are identical when load time or compile time address binding is performed. Execution time address binding generates different physical and logical addresses.

The Memory Management Unit (MMU) is responsible for run time address mapping from virtual to physical address.

Dynamic Relocation

The base register is sometimes called a relocation register. The value of the relocation register is added to every address generated by a user process at the time it is sent to main memory.

A user can load a process with only absolute addresses for instructions and data only when those specific addresses are free in main memory. The program's instructions, data and any other data structure required by the process can be accessed easily if the addresses are relative.
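The base/limit check of 2.4.2 and the dynamic relocation of 2.4.4 as an MMU would apply them, as an added example that is not from the book. A process owns a (base, limit) pair; a logical address is legal only when 0 <= address < limit and the physical address is base + logical address, so a process cannot name a byte outside its own region. The memory size and the process regions used are constructed values.

```python
class ProtectionFault(Exception):
    """Raised where the hardware would trap to the operating system."""

class MMU:
    def __init__(self, memory_size):
        self.memory = bytearray(memory_size)   # primary memory
        self.base = 0
        self.limit = 0

    def load_process(self, base, limit):
        """Context switch: the OS loads the running process's registers."""
        if base < 0 or limit < 0 or base + limit > len(self.memory):
            raise ValueError("process region does not fit in primary memory")
        self.base, self.limit = base, limit

    def translate(self, logical):
        """Compare against the limit register, then add the base register."""
        if logical < 0 or logical >= self.limit:
            raise ProtectionFault("logical address %d outside [0, %d)"
                                  % (logical, self.limit))
        return self.base + logical

    def read(self, logical):
        return self.memory[self.translate(logical)]

    def write(self, logical, value):
        self.memory[self.translate(logical)] = value & 0xFF

def relocate(mmu, new_base):
    """Dynamic relocation: move the running process's image to another
    region and reload the base register. Logical addresses are unchanged."""
    old_base, size = mmu.base, mmu.limit
    mmu.load_process(new_base, size)          # validates the new region first
    image = bytes(mmu.memory[old_base:old_base + size])
    mmu.memory[old_base:old_base + size] = bytes(size)
    mmu.memory[new_base:new_base + size] = image

def isolation_demo():
    """Two processes share primary memory; process 2 cannot reach process 1's
    region because every reference is checked against its own limit first.
    Returns True when the out-of-range reference was trapped."""
    mmu = MMU(1024)
    mmu.load_process(300, 100)       # process 1: [300, 400)
    mmu.write(10, 0xAB)
    mmu.load_process(500, 50)        # process 2: [500, 550)
    try:
        mmu.read(100)                # beyond limit 50: trapped, never reaches memory
        return False
    except ProtectionFault:
        return True

if __name__ == "__main__":
    print(isolation_demo())
```

Note that the check happens on the logical address before the base is added, which is what makes the cost the text mentions (an addition and a comparison on every reference) unavoidable.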

Fig. 2.4.3 shows dynamic relocation. User programs never read the main memory physical address.

Fig. 2.4.3 Dynamic relocation (processor -> logical address -> memory management unit with relocation register -> physical address -> main memory : kernel, free, data, free)

Dynamic relocation requires extra hardware. It is the mapping of the virtual address space to the physical address space at run time.

Dynamic relocation makes it possible to move a partially executed process from one area of main memory into another without affecting other processes.

The problem with relocation is that it is necessary to perform an addition and a comparison on every memory reference.

For good memory management, the logical address space is bound to a separate physical address space.

University Question

1. Explain main memory with example. GTU : Winter-21, Marks 4

2.5 Cache Memory GTU : Winter-21

Cache is small, fast storage used to improve the average access time to slow memory. It is applied whenever buffering is employed to reuse commonly occurring items, i.e. file caches, name caches, and so on.

Caches are introduced into a system to buffer the mismatch between main memory and processor speeds. A cache is a relatively small, fast memory placed between the processor and the main memory. The cache is designed so that its access time matches the processor cycle time.

Physical address cache : When the cache is accessed with a physical memory address, it is called a physical address cache.

When the processor makes a memory request, the request first passes to the primary cache. If the data item is found in this cache, we have a cache hit.

If the data item is not found in the primary cache, we have a cache miss and the memory request is forwarded to the L2 cache. If the data item is found in this cache, we have an L2 cache hit and the data is passed back to the primary cache.

If the data is not found in the L2 cache, the request is finally forwarded to the main memory. When the main memory responds to the memory request, the data item is passed back to the L2 cache and then to the primary cache.

Virtual address cache : When the cache is indexed with a virtual address, it is called a virtual address cache.

2.5.1 Direct Mapping

In direct mapping, the cache consists of normal high speed random access memory and each location in the cache holds the data, at an address in the cache given by the lower significant bits of the main memory address. This enables the block to be selected directly from the lower significant bits of the memory address. The remaining higher significant bits of the address are stored in the cache with the data to complete the identification of the cached data.

Each block always maps to one and only one line of cache. The mapping is expressed as
i = j mod m
where j is the main memory block no., i is the cache line no., and m is the number of lines in the cache.

The address from the processor is divided into two fields, a tag and an index. The tag consists of the higher significant bits of the address, which are stored with the data. The index is the lower significant bits of the address, used to address the cache.

Fig. 2.5.1 shows direct mapping.

Fig. 2.5.1 Direct mapping (memory address from processor : tag and index; cache : tag, data; compare tags : same -> read, different -> main memory accessed if tags do not match; access location)


When the memory is referenced, the index is first used to access a word in the cache. Then the tag stored in the accessed word is read and compared with the tag in the address. If the two tags are the same, then the required memory block is already in the cache and it is a hit. The required word is selected from the cache using the word field of the address.

If the two tags do not match, the required memory block is not in the cache and it is a miss. Hence a main memory read has to be initiated.

For a memory read operation, the word is then transferred into the cache where it is accessed. It is possible to pass the information to the cache and the processor simultaneously, i.e., to read-through the cache, on a miss. The cache location is altered for a write operation. The main memory may be altered at the same time or later.

If the direct mapped cache has a line consisting of more than one word, then the main memory address is composed of a tag, an index, and a word within a line. All the words within a line in the cache have the same stored tag.

The index part of the address is used to access the cache and the stored tag is compared with the required tag address. For a read operation, if the tags are the same, the word within the block is selected for transfer to the processor. If the tags are not the same, the block containing the required word is first transferred to the cache.

Advantage : No need of expensive associative search.

Disadvantages :
1. Miss rate may increase.
2. Mapping conflicts.

2.5.2 Set Associative Mapping

A set-associative scheme is a hybrid between a fully associative cache and a direct mapped cache. It is considered a reasonable compromise between the complex hardware needed for fully associative caches and the simple direct-mapped scheme, which may cause collisions of addresses to the same slot.

It allows a limited number of blocks, with the same index and different tags, in the cache and can therefore be considered as a compromise between a fully associative cache and a direct mapped cache. Fig. 2.5.2 shows the set associative cache memory organization.

Fig. 2.5.2 Set associative cache memory organization (memory address : tag | set | word; cache : tag, data, set 0, set 1; compare -> hit in cache / miss in cache -> main memory)

Fig. 2.5.2 also shows the memory address field :

Block address : Tag (s - u bits) | Index (u bits); Block offset (w bits)

The cache is divided into "sets" of blocks. A four-way set associative cache would have four blocks in each set. The number of blocks in a set is known as the associativity or set size. Each block in each set has a stored tag which, together with the index, completes the identification of the block.

If a set is represented by u bits in the address field, then the set no. can be found by the index of u bits. The tag field of each row is then s - u bits.

Algorithm to find a cache hit :
1. Pick up the u bits out of the total (s - u) + u bits of the block address and use the u bits as index to reach one of the 2^u sets in the cache.
2. Next, compare the s - u bits from the address field with the tag fields of all the lines in that set.
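The direct mapping of 2.5.1 and the set-associative lookup of 2.5.2 in one simulator, as an added example that is not from the book. The address is split into word offset, index and tag exactly as the text describes; with one line per set the index is i = j mod m and the cache is direct mapped, with every line in a single set it is fully associative, and anything in between is set associative. Replacement within a set is least-recently-used, which is an assumption the text does not specify. The cache geometries and address traces below are constructed.

```python
class Cache:
    """Set-associative cache model; ways=1 gives direct mapping,
    ways=lines gives fully associative mapping."""
    def __init__(self, lines, ways, line_bytes):
        assert lines % ways == 0
        assert (line_bytes & (line_bytes - 1)) == 0      # power of two
        self.sets = lines // ways
        self.ways = ways
        self.line_bytes = line_bytes
        self.offset_bits = line_bytes.bit_length() - 1
        # each set holds the tags of its lines, least recently used first
        self.tags = [[] for _ in range(self.sets)]
        self.hits = 0
        self.misses = 0

    def split(self, addr):
        """Return (tag, index, word) for a byte address."""
        block = addr >> self.offset_bits       # main memory block number j
        index = block % self.sets              # i = j mod m
        tag = block // self.sets               # remaining higher significant bits
        word = addr & (self.line_bytes - 1)    # word (byte) within the line
        return tag, index, word

    def access(self, addr):
        """Look the address up; returns True on a hit, False on a miss."""
        tag, index, _ = self.split(addr)
        lines = self.tags[index]               # step 1: index selects the set
        if tag in lines:                       # step 2: compare all tags in the set
            lines.remove(tag)
            lines.append(tag)                  # mark as most recently used
            self.hits += 1
            return True
        self.misses += 1                       # step 3: miss, fetch block from memory
        if len(lines) == self.ways:
            lines.pop(0)                       # evict the least recently used line
        lines.append(tag)
        return False

    def stats(self):
        return self.hits, self.misses

def run_trace(cache, trace):
    """Feed a list of byte addresses through the cache; returns hit/miss per access."""
    return [cache.access(a) for a in trace]

if __name__ == "__main__":
    direct = Cache(lines=4, ways=1, line_bytes=16)
    print(run_trace(direct, [0, 4, 64, 0]), direct.stats())
    two_way = Cache(lines=4, ways=2, line_bytes=16)
    print(run_trace(two_way, [0, 4, 64, 0]), two_way.stats())
```

The trace 0, 4, 64, 0 shows the mapping conflict listed as a disadvantage of direct mapping: addresses 0 and 64 share index 0 in a 4-line cache, so the second reference to 0 misses, while the two-way cache keeps both blocks and hits.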

3. If any match occurs, it is a hit and the line whose tag is matched has the required word; it is transferred to the CPU, else it is a miss. Then, the incoming block from RAM replaces the block, and the required word is transferred from that block.

First, the index of the address from the processor is used to access the set. Then, all of the tags of the selected set are compared with the incoming tag using comparators. If a match is found, the corresponding location is accessed; otherwise, as before, an access to the main memory is made.

2.5.3 Fully Associative Mapping

A fully associative cache requires the cache to be composed of associative memory holding both the memory address and the data for each cached line. The incoming memory address is simultaneously compared with all stored addresses using the internal logic of the associative memory.

Allow any address to be stored in any line in the cache. When a memory operation is sent to the cache, the address of the request must be compared to each entry in the tag array to determine whether the data referenced by the operation is contained in the cache. If a match is found, the corresponding data is read out. Single words from anywhere within the main memory could be held in the cache, if the associative part of the cache is capable of holding a full address.

The fully associative mapping cache gives the greatest flexibility of holding combinations of blocks in the cache and minimum conflict for a given sized cache, but is also the most expensive, due to the cost of the associative memory.

Disadvantages : All tags must be searched in order to determine a hit or miss. If the number of tags is large, then this search can be time consuming.

Auxiliary memory, also referred to as secondary storage, is the non-volatile, lowest-cost, highest-capacity and slowest-access storage in a computer system.

2.6.1 Types of Storage Devices

Physical components or materials on which data is stored are called storage media. Hardware components that read/write to storage media are called storage devices. A floppy disk drive is a storage device. Two main categories of storage technology used today are magnetic storage and optical storage. Storage devices hold data, even when the computer is turned off. The physical material that actually holds data is called the storage medium. The surface of a floppy disk is a storage medium.

The two primary storage technologies are magnetic and optical.

Primary magnetic storage are as follows :
1. Diskettes
2. Hard disks (both fixed and removable)
3. High capacity floppy disks
4. Disk cartridges
5. Magnetic tape

Primary optical storage are as follows :
1. Compact Disk Read Only Memory (CD ROM)
2. Digital Video Disk Read Only Memory (DVD ROM)
3. CD Recordable (CD R)
4. CD Rewritable (CD RW)
5. Photo CD
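The set associative lookup of Section 2.5 (index into the set, then compare the tag with every line of that set) and the fully associative cache of Section 2.5.3 in working form, as an added example that is not from the textbook. The address split, the tiny geometry (4-byte blocks) and the LRU replacement are assumptions of the example.

```python
"""Set-associative cache lookup (added example, not from the textbook).

A memory address is split into tag | set index (u bits) | word (w bits).
The set index selects one of the 2^u sets and the tag is compared with the
tag of every line in that set.  With u = 0 there is a single set and every
tag is compared, i.e. the fully associative cache of Section 2.5.3; with one
line per set it is a direct mapped cache.  Replacement is least recently used.
"""
from collections import OrderedDict


class SetAssociativeCache:
    def __init__(self, set_bits, ways, word_bits):
        self.u = set_bits          # bits selecting the set
        self.w = word_bits         # bits selecting the word inside a block
        self.ways = ways           # lines per set (k-way)
        # one OrderedDict per set: tag -> block number, oldest entry first
        self.sets = [OrderedDict() for _ in range(1 << set_bits)]
        self.hits = 0
        self.misses = 0

    def split(self, address):
        """Return (tag, set_index, word) for a byte address."""
        word = address & ((1 << self.w) - 1)
        block = address >> self.w
        set_index = block & ((1 << self.u) - 1)
        tag = block >> self.u
        return tag, set_index, word

    def access(self, address):
        """Look up an address. Returns True on a hit, False on a miss.

        On a miss the block is brought in from main memory and, if the set is
        full, replaces the least recently used line of that set.
        """
        tag, set_index, _ = self.split(address)
        lines = self.sets[set_index]
        if tag in lines:                 # tag matched one line of the set
            lines.move_to_end(tag)       # mark as most recently used
            self.hits += 1
            return True
        self.misses += 1
        if len(lines) >= self.ways:
            lines.popitem(last=False)    # evict the least recently used line
        lines[tag] = address >> self.w   # store the incoming block
        return False


def simulate(set_bits, ways, word_bits, addresses):
    """Run an address trace and return the hit (True) / miss (False) sequence."""
    cache = SetAssociativeCache(set_bits, ways, word_bits)
    return [cache.access(a) for a in addresses]


if __name__ == "__main__":
    # constructed trace: addresses 0, 16 and 32 all map to set 0 with 4 sets
    trace = [0, 1, 16, 32, 0]
    print("2-way set associative:", simulate(2, 2, 2, trace))
    print("fully associative    :", simulate(0, 4, 2, trace))
    print("direct mapped        :", simulate(2, 1, 2, trace))
```

The same trace shows why the page calls set associative mapping a compromise: the 2-way cache loses the block at address 0 to the third conflicting block, the direct mapped cache loses it to the first, and the fully associative cache keeps it.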

University Question

1. What is cache memory ? Explain direct mapping of cache memory with example. GTU : Winter-21, Marks 7

2.6 Data Storage Concepts GTU : Winter-21

Data storage refers to magnetic, optical or mechanical media that records and preserves digital information for ongoing or future operations. Data storage makes it easy to back up files for safekeeping and quick recovery in the event of an unexpected computing crash or cyberattack. Data storage can occur on physical hard drives, disk drives, USB drives.

2.6.1.1 Magnetic Disk

Magnetic disks provide the bulk of secondary storage of modern computers. Bits of data (0's and 1's) are stored on circular magnetic platters called disks. A disk rotates rapidly. A disk head reads and writes bits of data as they pass under the head. Often, several platters are organized into a disk pack or disk drive.
1. Disk contains concentric tracks.
2. Tracks are divided into sectors.
3. A sector is the smallest addressable unit in a disk.

Fig. 2.6.1 shows the surface of a disk showing tracks and sectors.

[Fig. 2.6.1 Tracks and sectors]

Drives rotate at 60 to 200 times per second. Transfer rate is the rate at which data flow between drive and computer. Positioning time (random-access time) is the time to move the disk arm to the desired cylinder (seek time) and the time for the desired sector to rotate under the disk head. Head crash results from the disk head making contact with the disk surface.

Each platter (disc-shaped) is coated with magnetic material on both surfaces. All platter surfaces have an arm extended from a fixed position. The tip of the arm contains the read/write head for reading or writing data. The arm moves the heads from the spindle edge to the edge of the disc.

When a program reads a byte from the disk, the operating system locates the surface, track and sector containing that byte, and reads the entire sector into a special area in main memory called a buffer.

[Fig. 2.6.2 Moving-head disk mechanism : track t, sector s, cylinder c, spindle, platter, arm, arm assembly, read-write head, rotation]

The bottleneck of a disk access is moving the read/write arm. A cylinder is the set of tracks at a given radius of a disk pack. A cylinder is the set of tracks that can be accessed without moving the disk arm. All the information on a cylinder can be accessed without moving the read/write arm.

Fig. 2.6.2 shows the moving-head disk mechanism. The arm assembly is moved in or out to position a head on a desired track. Tracks under the heads make a cylinder. Only one head reads/writes at any one time. Block size is a multiple of sector size.

Disks can be removable. The drive is attached to the computer via an I/O bus. Busses vary, including EIDE, ATA, SATA, USB, Fibre Channel, SCSI etc. The host controller in the computer uses the bus to talk to the disk controller built into the drive or storage array. Disk controllers are typically embedded in the disk drive, which acts as an interface between the CPU and the disk hardware. The controller has an internal cache that it uses to buffer data for read/write requests.

2.6.1.2 Magnetic Tape

Magnetic tape is a medium for magnetic recording generally consisting of a thin magnetic coating on a long and narrow strip of plastic. Nearly all recording tape is of this type, whether used for recording audio or video or for computer data storage.

Devices that record and play back audio and video using magnetic tape are generally called tape recorders and video tape recorders respectively. A device that stores computer data on magnetic tape can be called a tape drive, a tape unit, or a streamer.

The purpose of any magnetic tape unit is to write data on and read data from the tape used by the device. Tape is moved from a supply reel or hub to a take-up reel or hub on the magnetic tape transport section of the unit. The magnetic oxide coated side of the tape passes in close proximity of a read/write head.

Tape is relatively permanent and holds large quantities of data. Magnetic tape access time is slow. It is mainly used for backup, storage of infrequently-used data and as a transfer medium between systems. It is kept in a spool and wound or rewound past the read-write head. Once data is under the head, transfer rates are comparable to disk. Typical storage is 20 GB to 200 GB. Common technologies are 4 mm, 8 mm, 19 mm, LTO-2 and SDLT.
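The disk geometry of Section 2.6.1.1 (tracks, sectors, cylinders, and the operating system reading a whole sector to fetch one byte) worked through in code, as an added example that is not from the textbook. Zero-based numbering, a 16-byte sector and the 512-byte disk image are constructed assumptions of the example.

```python
"""Locating a byte on a magnetic disk (added example, not from the textbook).

Geometry follows Section 2.6.1.1: one read/write head per platter surface,
concentric tracks, every track split into fixed-size sectors, and the sector
as the smallest addressable unit.  Sectors are numbered cylinder by cylinder
so that a whole cylinder can be read without moving the arm.  Counting from 0
and a 16-byte sector are assumptions made to keep the example small.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiskGeometry:
    cylinders: int
    heads: int              # one head per platter surface
    sectors_per_track: int
    sector_size: int = 512  # bytes

    @property
    def sectors_per_cylinder(self):
        return self.heads * self.sectors_per_track

    @property
    def capacity(self):
        return self.cylinders * self.sectors_per_cylinder * self.sector_size


def byte_to_chs(geom, byte_offset):
    """Return (cylinder, head, sector, offset_in_sector) holding a byte."""
    if not 0 <= byte_offset < geom.capacity:
        raise ValueError("byte offset lies outside the disk")
    lba, offset = divmod(byte_offset, geom.sector_size)    # linear sector number
    cylinder, rest = divmod(lba, geom.sectors_per_cylinder)
    head, sector = divmod(rest, geom.sectors_per_track)
    return cylinder, head, sector, offset


def chs_to_lba(geom, cylinder, head, sector):
    """Inverse of the split above: linear sector number of (c, h, s)."""
    return (cylinder * geom.heads + head) * geom.sectors_per_track + sector


def read_byte(geom, image, byte_offset):
    """Do what the operating system does: find the sector, read the whole
    sector into a buffer and return the requested byte together with it."""
    c, h, s, offset = byte_to_chs(geom, byte_offset)
    start = chs_to_lba(geom, c, h, s) * geom.sector_size
    buffer = image[start:start + geom.sector_size]
    return buffer[offset], buffer


def seeks_needed(geom, lbas):
    """Arm movements for a sequence of sector reads: the initial positioning
    plus one seek each time the cylinder changes (same-cylinder reads are free)."""
    cylinders = [lba // geom.sectors_per_cylinder for lba in lbas]
    return sum(1 for i, c in enumerate(cylinders) if i == 0 or c != cylinders[i - 1])


if __name__ == "__main__":
    geom = DiskGeometry(cylinders=4, heads=2, sectors_per_track=4, sector_size=16)
    image = bytes(range(256)) * 2            # constructed 512-byte disk image
    print(byte_to_chs(geom, 200))            # (1, 1, 0, 8)
    value, sector = read_byte(geom, image, 200)
    print(value, len(sector))                # 200 16
    print(seeks_needed(geom, [0, 1, 2, 7, 8, 9, 16]))   # 3
```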
2.6.1.3 Optical Devices

An optical disk is a high-capacity storage medium. An optical drive uses reflected light to read data. To store data, the disk's metal surface is covered with tiny dents (pits) and flat spots (lands), which cause light to be reflected differently. When an optical drive shines light into a pit, the light cannot be reflected back. This represents a bit value of 0 (off). A land reflects light back to its source, representing a bit value of 1 (on).

CD-ROM

In PCs, the most commonly used optical storage technology is called Compact Disk Read-Only Memory (CD-ROM). A standard CD-ROM disk can store up to 650 MB of data, or about 70 minutes of audio. Once data is written to a standard CD-ROM disk, the data cannot be altered or overwritten.

Early CD-ROM drives were called single speed, and read data at a rate of 150 kbps. CD-ROM drives now can transfer data at speeds of up to 7800 kbps. Data transfer speeds are getting faster. It is typically used to store software programs. CDs can store audio and video data, as well as text and program instructions.

Data is laid out on a CD-ROM disk in a long, continuous spiral that starts at the outer edge and winds inwards towards the centre. Data is stored in the form of lands, which are flat areas on the metal surface, and pits, which are depressions or hollows. A land reflects the laser light into the sensor (a data bit of 1) and a pit scatters the light (a data bit of 0).

On a full CD-ROM the spiral of data stretches almost 3 miles long. A standard CD can store 650 MB of data or about 70 mins of audio.

DVD-ROM

Digital video disk read only memory is a high-density medium capable of storing a full-length movie on a single disk the size of a CD. It achieves such high storage capacities by using both sides of the disk and special data compression technologies.

The latest generation of DVD-ROM use layers of data tracks; the laser beam reads data from the first layer and then looks through it to read data from the second layer. Each side of a standard DVD-ROM can hold up to 4.7 GB. Dual layer DVD-ROM can hold 17 GB of data.

University Question

1. Explain auxiliary memory with example. GTU : Winter-21, Marks 3

3 Digital Forensics Process Model

Syllabus
Introduction to cybercrime scene, documenting the scene and evidence, maintaining the chain of custody, forensic cloning of evidence, live and dead system forensic, hashing concepts to maintain the integrity of evidence, report drafting

Contents
3.1 Introduction to Cybercrime Scene Winter-21, Marks 3
3.2 Documenting the Scene and Evidence Winter-21, Marks 3
3.3 Maintaining the Chain of Custody
3.4 Forensic Cloning of Evidence Winter-21, Marks 7
3.5 Live and Dead System Forensic Winter-21, Marks 4
3.6 Hashing Concepts to Maintain the Integrity of Evidence Winter-21, Marks 7
3.7 Report Drafting
3.1 Introduction to Cybercrime Scene GTU : Winter-21

Cyber crime is any criminal activity involving computers and networks. Cyber space includes computer systems, computer networks and the Internet. LAN and WAN are also part of cyber space.

Cyber crime incorporates anything from downloading illegal music files to stealing millions of rupees from online bank accounts.

Cyber crime is defined as a crime in which a computer is the object of the crime (hacking, phishing, spamming) or is used as a tool to commit an offense (child pornography, hate crimes). Internet connected activities are vulnerable to crime.

Computer crime is any illegal activity that is perpetrated through the use of a computer.

If a person, without the permission of the owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system or computer network, the said acts are torts and crimes under the Indian cyber law.

There is no standard definition for "CYBER". This word is used to describe the virtual world of computers, e.g. an object in cyberspace refers to a block of data floating around a computer system or network.

The word "cyberspace" is credited to William Gibson, who used it in his book, Neuromancer, written in 1984.

Cyberspace : The impression of space and community formed by computers, computer networks and their users; the virtual "world" that Internet users inhabit when they are online.

The term 'cyber' is derived from the word 'cybernetics' which means the science of communication and control over machine and man. Cyberspace is the new horizon which is controlled by machine for information and communication between human beings across the world.

Therefore, crimes committed in cyberspace are to be treated as cyber crimes. In a wide sense, cyber crime is a crime on the Internet which includes hacking, terrorism, fraud, gambling, cyber stalking, cyber theft, cyber pornography, flowing of viruses etc.

Over the past few years, the global cyber crime landscape has changed dramatically, with criminals employing more sophisticated technology and greater knowledge of cyber security.

Until recently, malware, spam emails, hacking into corporate sites and other cyber attacks of this nature were mostly the work of computer 'geniuses' showcasing their talent.

3.1.1 Elements of Cyber Crime

1. Location / Place : Where the offender is in relation to the crime.
2. Victim : Target of the offense : Government, corporation, organization, individual.
3. Offender : Who the offender is in terms of demographics, motivation, level of sophistication.
4. Action : What is necessary to eliminate the threat.

3.1.2 Types of Cyber Crime

There are many types of cyber crimes and the most common ones are explained below :

1. Hacking : This is a type of crime wherein a person's computer is broken into so that his personal or sensitive information can be accessed.
2. Theft : This crime occurs when a person violates copyrights and downloads music, movies, games and software.
3. Cyber stalking : This is a kind of online harassment wherein the victim is subjected to a barrage of online messages and emails.
4. Identity theft : This has become a major problem with people using the Internet for cash transactions and banking services. In this cyber crime, a criminal accesses data about a person's bank account, credit cards, debit card and other sensitive information to buy things online in the victim's name or to siphon money.
5. Malicious software : These are Internet-based software or programs that are used to disrupt a network. The software is used to gain access to a system to steal sensitive information or data or to cause damage to software present in the system.
6. Child soliciting and abuse : This is also a type of cyber crime wherein criminals solicit minors via chat rooms for the purpose of child pornography.

3.1.3 Examples of Cyber Crime

Cyber crime example : Child pornography, which includes the creation, distribution or accessing of materials that sexually exploit underage children.

Contraband, to include transferring illegal items via the Internet.
Online fraud and hacking attacks are just some examples of computer-related crimes that are committed on a large scale every day.
a. Online banking fraud
b. Fake antivirus
c. Stranded traveler scams
d. Fake escrow scams
e. Advanced fraud
f. Infringing pharmaceuticals
g. Copyright-infringing software
h. Copyright-infringing music and video
i. Online payment card fraud
j. In-person payment card fraud
k. Industrial cyber-espionage and extortion
l. Welfare fraud.

The trafficking, distribution, posting and dissemination of obscene material including pornography, indecent exposure and child pornography constitutes one of the most important cybercrimes known today. Stealing significant information, data, account numbers and credit card numbers and transmitting the data from one place to another, hacking and cracking are amongst the gravest cybercrimes known till date.

3.1.4 Three Categories of Cyber Crime

a. Cyberpiracy : Using cyber-technology in unauthorized ways to reproduce copies of proprietary software and proprietary information or distribute proprietary information (in digital form) across a computer network.
Example : Distributing proprietary MP3 files on the Internet via peer-to-peer (P2P) technology.

b. Cybertrespass : Using cyber-technology to gain or to exceed unauthorized access to an individual's or an organization's computer system or a password-protected website.
Example : Unleashing the ILOVEYOU computer virus.

c. Cybervandalism : Using cyber-technology to unleash one or more programs that disrupt the transmission of electronic information across one or more computer networks, including the Internet, or destroy data resident in a computer or damage a computer system's resources or both.
Example : Launching denial-of-service attacks on commercial web sites.

3.1.5 Traditional Problems Associated with Cyber Crime

Individuals seeking a crime have always displayed a remarkable ability to adapt to changing technologies, environments and lifestyles. Computer crime poses a daunting task for law enforcement agencies because they are highly technical crimes.

Law enforcement agencies must have individuals trained in computer forensics in order to properly investigate computer crimes. Additionally, countries must update and create legislation which prohibits computer crimes and outlines appropriate punishments for those crimes.

Computer crimes will likely become more frequent with the advent of further technologies. It is important that civilians, law enforcement officials and other members of the criminal justice system are knowledgeable about computer crimes in order to reduce the threat they pose.

The earliest computer crimes were characterized as non-technological specific. Theft of computer components and software piracy were particular favorites. Hacking and technologically complicated computer crime came later.

3.1.6 Issues and Challenges in Cyber Crime

Investigation is a process that develops and tests hypotheses to answer questions about events that occurred. In general, computer forensics investigates data that can be retrieved from a computer's hard disk or other storage media.

Computer forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence.

The computer investigations group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.

Challenges of cyber-crime are as follows :
1. Lack of awareness and the culture of cyber security, at individual as well as organizational level.
2. Lack of trained and qualified manpower to implement the counter measures.
3. No email account policy, especially for the defense forces, police and the security agency personnel.
4. Cyber-attacks have come not only from terrorists but also from neighboring countries contrary to our National interests.
5. The minimum necessary eligibility to join the police doesn't include any knowledge of computers, so that they are almost illiterate in cyber-crime.
6. The speed of cyber technology changes always beats the progress of the government sector, so that they are not able to identify the origin of these cyber-crimes.
7. Security forces and law enforcement personnel are not equipped to address high-tech crimes.
8. Present protocols are not self-sufficient in identifying investigative responsibility for crimes that stretch internationally.
9. Budgets for security purposes by the government, especially for the training of law enforcement, security personnel and investigators, are less as compared to other crimes.

University Question

1. What are the main challenges of investigating computer-related crime ? GTU : Winter-21, Marks 3

3.2 Documenting the Scene and Evidence GTU : Winter-21

Digital evidence is useful in a wide range of criminal investigations such as homicides, sex offenses, missing persons, child abuse, fraud and theft.

Digital evidence helps in tracking how a crime was committed, provides investigative leads, supports or disproves witness statements and identifies likely suspects.

Digital evidence is defined as information stored or transmitted in binary form that may be relied upon in court.

For considering multiple sources of digital evidence, computer systems can be categorised into three groups :
1. Open computer systems
2. Communication systems
3. Embedded computer systems

A digital crime scene in its original state can never exist as some evidence dynamics is expected.

Evidence dynamics : Any influence that changes, relocates, obscures or obliterates evidence, regardless of intent, between the time evidence is transferred and the time the case is resolved. Offenders, victims, first responders, digital evidence examiners and anyone else who had access to digital evidence prior to its preservation can cause evidence dynamics.

Storage media or digital evidence can deteriorate over time or when exposed to fire, water, jet fuel and toxic chemicals.

Evidence dynamics create investigative and legal challenges and make it more difficult to prove that the evidence is authentic and reliable.

Criminals use mobile phones, laptop computers and network servers in the course of committing their crimes.

Two terms, cybercrime and digital forensics, are defined to address developments in criminal activities involving computers and in the technologies to address them.

Digital evidence as a form of physical evidence creates several challenges for digital forensic analysis :
1. Messy or slippery form of evidence that is very difficult to handle.
2. Digital evidence is generally an abstraction of some digital object or event.
3. Digital evidence is usually circumstantial, making it difficult to attribute computer activity to an individual.
4. Digital evidence can be manipulated or destroyed so easily that it raises new challenges for digital investigators.

3.2.1 Order of Volatility

The order of volatility is the sequence or order in which the digital evidence is collected. The order is maintained from highly volatile to less volatile data.

Highly volatile data resides in the memory, cache, or CPU registers and it will be lost as soon as the power to the computer is turned off. Less volatile data cannot be lost easily and is relatively permanent because it may be stored on disk drives or other permanent storage media, such as floppy disks and CD-ROM discs.

The crime scene technicians should collect evidence beginning with the most volatile and then moving towards the least volatile. The order of volatility for data from most volatile to least volatile is :
a) Cache memory, b) Regular RAM, c) Swap or paging file, d) Hard drive data, e) Logs stored on remote systems, f) Archived media.

University Question

1. Explain order of volatility in brief. GTU : Winter-21, Marks 3
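The order of volatility of Section 3.2.1 applied as a check an examiner can run over an acquisition log, so that a less volatile source acquired before a more volatile one on the same machine is flagged before the report is drafted. This is an added example, not from the textbook; the log format, host names and log lines are constructed.

```python
"""Checking an acquisition log against the order of volatility
(added example, not from the textbook).

The ranking is the one Section 3.2.1 lists, most volatile first.  The log
format ('<date> <time> <host> acquire <source>') and the log lines themselves
are constructed for this example.
"""
import re
from datetime import datetime

# a) .. f) of Section 3.2.1, most volatile first
ORDER_OF_VOLATILITY = ["cache", "ram", "swap", "disk", "remote_logs", "archive"]
RANK = {source: i for i, source in enumerate(ORDER_OF_VOLATILITY)}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<host>\S+)\s+acquire\s+(?P<source>\S+)\s*$")

# constructed log: ws-01 imaged the disk before the swap file (out of order)
SAMPLE_LOG = """\
2021-11-20 09:00:10 ws-01 acquire ram
2021-11-20 09:05:42 ws-01 acquire disk
2021-11-20 09:20:05 ws-01 acquire swap
2021-11-20 09:01:00 srv-02 acquire ram
2021-11-20 09:02:00 srv-02 acquire swap
2021-11-20 09:30:00 srv-02 acquire disk
2021-11-20 10:00:00 srv-02 acquire remote_logs
"""


def collection_plan(sources):
    """Order the sources found at a scene from most to least volatile."""
    unknown = [s for s in sources if s not in RANK]
    if unknown:
        raise ValueError(f"unknown evidence source(s): {unknown}")
    return sorted(sources, key=RANK.__getitem__)


def parse_log(text):
    """Return (timestamp, host, source) tuples; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group("host"), m.group("source")))
    return entries


def check_order(entries):
    """Find, per host, every case where a less volatile source was acquired
    before a more volatile one.  Returns (host, acquired_first, acquired_later)
    tuples; an empty list means the order of volatility was respected."""
    violations = []
    seen_by_host = {}
    for _, host, source in sorted(entries):          # chronological order
        if source not in RANK:
            raise ValueError(f"unknown evidence source: {source}")
        seen = seen_by_host.setdefault(host, [])
        for earlier in seen:
            if RANK[earlier] > RANK[source]:         # earlier one was less volatile
                violations.append((host, earlier, source))
        seen.append(source)
    return violations


if __name__ == "__main__":
    print(collection_plan(["disk", "ram", "remote_logs", "cache"]))
    for host, first, later in check_order(parse_log(SAMPLE_LOG)):
        print(f"{host}: {first} was acquired before the more volatile {later}")
```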
