
Changing the BIOS Clock - Essay Example


There are different ways of planting evidence, one of them being through changing the BIOS clock. Various methods can also be used to determine whether an individual has altered the BIOS clock and placed a new file on the system. This type of activity may have side effects, as it entails planting evidence which will ultimately lead to someone being falsely accused. The system has to be examined thoroughly for one to obtain evidence regarding BIOS clock alteration. A smart approach would be to focus on the time stamps for entries in the computer. It may be possible to detect changed time by analyzing cached files and internet history records on a computer.

Event logs in Windows 7 and Vista have a total default size of 20 MB, while in Windows XP the total default size of the event logs is 512 KB. The event logs work in the same way in Windows XP, Windows 7 and Vista, as they fill up according to the order of events. When the log is filled up with events, it goes back to the beginning and overwrites the old events. In instances where the BIOS clock has been changed, discrepancies in the order of events will be evident. Logs are recorded according to the time they occurred. Ordering entries of event logs by file set and parsing the event logs is a practice that will determine whether the system clock has been altered. When the dates jump backwards and forward again, it provides evidence that the system clock has been altered. On the other hand, if no such activity is recorded when parsing and ordering the event log entries, it indicates the system clock has not been altered. If the BIOS clock has been altered in Windows 7 or Windows Vista, the altered time will also be recorded in the event log as event ID 1.

Evidence regarding the creation or accessing of files while the BIOS clock was being changed can be found on a computer within the link files.
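
The event-log ordering check described above can be sketched as follows. This is an added example, not part of the original essay: the records are constructed sample data (listed in the file order of a wrapped log), and the tuple layout and the function name `find_clock_anomalies` are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample records: (record_number, event_id, time_generated), listed
# in file order for a log that has wrapped, so the newest records come first.
SAMPLE_RECORDS = [
    (1046, 7036, "2012-03-10 08:20:09"),
    (1047, 6006, "2012-03-10 08:31:55"),
    (1041, 6005, "2012-03-10 08:01:12"),
    (1042, 7036, "2012-03-10 08:03:40"),
    (1043, 1,    "2012-03-10 08:05:02"),  # time-change record (event ID 1)
    (1044, 7036, "2012-02-14 21:30:00"),  # clock now reads an earlier date
    (1045, 7036, "2012-02-14 21:42:17"),
]

def find_clock_anomalies(records):
    """Return (windows, time_change_records) for one event log.

    A window is a run of records whose timestamps are earlier than a
    timestamp already written to the log, i.e. the dates jumped backwards.
    """
    ordered = sorted(records, key=lambda r: r[0])  # write order, survives wrap
    windows, current, high_water, time_changes = [], None, None, []
    for rec_no, event_id, stamp in ordered:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event_id == 1:
            time_changes.append(rec_no)
        if high_water is not None and ts < high_water:
            if current is None:  # dates jumped backwards here
                current = {"first": rec_no, "last": rec_no, "clock_before": high_water}
            current["last"] = rec_no
        else:
            if current is not None:  # dates jumped forward again
                current["clock_after"] = ts
                windows.append(current)
                current = None
            high_water = ts
    if current is not None:  # log ends while the clock is still set back
        windows.append(current)
    return windows, time_changes

if __name__ == "__main__":
    windows, time_changes = find_clock_anomalies(SAMPLE_RECORDS)
    for w in windows:
        print(f"records {w['first']}-{w['last']} written after {w['clock_before']}")
    print("event ID 1 records:", time_changes)
```

Sorting by record number rather than by position in the file keeps a wrapped log from being mistaken for a clock change.
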
Link files usually contain the recorded dates and times when files were accessed. The values are recorded when the operating system starts to operate at the beginning of a session. All link files from the same session will have a similar sequence value (Whitfield 2012 p.4). Sequence numbers within object IDs make it possible to arrange files in chronological order. In cases where the computer clock has been altered, the times as well as the dates will be anomalous. In Windows XP, the sequence number is recorded when the system is booted, so in instances where the clock has been tampered with and moved forward and backwards, evidence may be obtained from the sequence value, as the system would have recorded the order in which specific files had originally been accessed.

The system records dates and times when a computer is booted at the beginning of the session. An object ID will be created, and a similar date will be recorded for all object IDs created in the boot session. The sequence value will also be the same in that booting session. In cases where the clock has been changed to an earlier time period, an increment will occur in the sequence value in the next booting session, while the date in the object ID will appear out of synchronization (Parsonage, 2008 p 15).

References

Parsonage, H. 2008. The Meaning of Link Files in Forensic Examinations. Retrieved from http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf

Whitfield, L. 2012. Detecting CMOS Clock Changes. Retrieved from http://www.forensic4cast.com/category/tech/

DQ 2: Honey Net Challenge

Question 1: Who is Joe Jacob’s supplier of marijuana and what is the address listed for the supplier?

Joe Jacob’s supplier of marijuana is a person named Jimmy Jungle and his address is identified as 626 Jungle Avenue #2 Jungle, New York 11111. Evidence regarding the name of Joe Jacob’s supplier can be obtained from a letter in the floppy disk.
The letter is a deleted Word document from Joe Jacob to his supplier of marijuana. In the letter, the address and the name of the supplier can be clearly seen. Joe Jacob compliments Jimmy Jungle on the high quality of marijuana he provides and on the advice he gave him of targeting high school students.

Question 2: What crucial data is available within the cover page .jpg file and why is this data crucial?

The cover page .jpg file contains the name of the grower and seller of marijuana, and this is regarded as crucial data. The image could be presented in court as evidence against both Jimmy Jungle and Joe Jacob. The cover page file also contains a hidden password, which is pw=goodtimes, which would enable extraction of XLS from other files. This password made it possible to identify other schools that Joe Jacobs visited.

Question 3: What (if any) other high schools besides Smith Hill does Joe Jacob frequent?

A list of other high schools which Joe Jacob frequents is contained in a Microsoft Excel spreadsheet in a file named ‘Scheduled Visits’. The list contains the names of six high schools, which are Birard, Leetch, Key, Richter, Hull and Smith Hill. The file contains the frequencies with which these schools are visited. Joe Jacob visits one high school each day from Monday to Friday. The schedule covers the months of April, May and June.

Question 4: For each file, what processes were taken by the suspect to mask them from others?

Three files were present in the floppy disk image. The files had been altered and, therefore, could not be read without first recovering the information using recovery techniques. In Jimmy Jungle.doc, the file was deleted to prevent anyone from accessing the information it contained. Evidence that the file had been deleted can be seen in the corresponding entries within the root directory. The character 0xa5 is present, which shows that the Word document had been deleted. However, the disk still contains the data of the file, which can, therefore, be recovered.
In the cover page .jpg, the root directory entry had been partially destroyed, causing the file to be renamed to a .jpgc extension. The starting cluster was also overwritten with useless information, so the file appeared as though it did not have any valuable information. FAT entries to this file had also been destroyed, making it impossible to view information in the file even if the root directory was reconstructed. The scheduled visits.xls, which is a Microsoft Excel spreadsheet, was also modified. It was compressed and encrypted with a zip utility. FAT entries in this file were, therefore, destroyed. The file was also renamed from .zip to .exe, and this made it appear as a useless file. This file was also protected by a password, thereby preventing anyone from accessing it.

Question 5: What processes did you (the investigator) use to successfully examine the entire contents of each file?

Different processes were used to examine the contents of each file to obtain results and more precise answers. First of all, I determined the type of file system present on the floppy disk. The file command revealed it was an MS-DOS file system containing a FAT with 12 bits in each entry. A binary editor was then used to open the disk image. The binary editor makes it possible to move to different sections in the disk (Mc Laughlin, 2002 p.2). It was necessary to determine the number of files stored in the disk. In this case, the files had been stored in consecutive clusters, and it was possible to retrieve each file just by looking at where they begin and end. This showed there were three files. The first file, Jimmy Jungle.doc, had been erased. The second file, Cover page.jpgc, showed that it was a JPEG image. The third file, Scheduled Visits.exe, appeared to be executable. The .doc extension on the first file showed it was a Microsoft Word document. Using the binary editor to scroll through the files enables one to identify where each file starts (Paris, 2002 p 7).
AbiWord was used to open Jimmy Jungle.doc, and I was able to obtain information regarding the name and address of the supplier of marijuana. The file cover page.jpg was opened in the GIMP to obtain the image. The third file was a zipped file, and it needed to be unzipped. The unzip UNIX command was used to unzip the file. After entering the password, I opened the file using Gnumeric and obtained vital information regarding the case. It was possible to obtain information from the floppy disk using the quick analysis, as the files had been stored in consecutive clusters and fragmentation had not occurred. If any of the files had been fragmented, it would have been extremely difficult to recover information using a quick analysis.

References

Mc Laughlin, P. 2002. Analysis of Scan of the Month Challenge. Retrieved from http://old.honeynet.org/scans/scan24/sol/peter/Scan%20of%20the%20month%20challenge%20Analysis%20by%20Pmcl.htm

Paris, E. 2002. Honey net Project Scan of the Month – Scan 24. Retrieved from http://old.honeynet.org/scans/scan24/sol/eloy/
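
The quick analysis in Question 5 (finding where each file begins in an unfragmented image and recognising its real type despite a changed extension) can be sketched as below. This is an added example, not the investigator's procedure or code from the cited analyses: the disk image is constructed in memory, the start sectors are illustrative, and all function names are assumptions.

```python
SECTOR = 512

# File signatures for the three file types named in the essay.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",  # OLE2 container (Word .doc)
    b"\xff\xd8\xff": "jpg",                       # JPEG start-of-image
    b"PK\x03\x04": "zip",                         # ZIP local file header
}
EXTENSIONS = {"doc": "doc", "jpg": "jpg", "jpeg": "jpg", "zip": "zip"}

def scan_image(image):
    """Return [(start_sector, kind)] for signatures found on sector boundaries."""
    hits = []
    for offset in range(0, len(image), SECTOR):
        for magic, kind in SIGNATURES.items():
            if image.startswith(magic, offset):
                hits.append((offset // SECTOR, kind))
    return hits

def contiguous_extents(hits, total_sectors):
    """Bound each file by the next file's start; valid only without fragmentation."""
    ends = [start for start, _ in hits[1:]] + [total_sectors]
    return [(kind, start, end) for (start, kind), end in zip(hits, ends)]

def extension_mismatch(name, kind):
    """True when the directory name's extension disagrees with the content."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXTENSIONS.get(ext) != kind

def build_sample_image():
    """Constructed 120-sector image; start sectors are illustrative only."""
    image = bytearray(SECTOR * 120)
    for sector, magic in ((33, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
                          (73, b"\xff\xd8\xff\xe0"), (104, b"PK\x03\x04")):
        image[sector * SECTOR:sector * SECTOR + len(magic)] = magic
    return bytes(image)

if __name__ == "__main__":
    image = build_sample_image()
    names = ["Jimmy Jungle.doc", "Cover page.jpgc", "Scheduled Visits.exe"]
    extents = contiguous_extents(scan_image(image), len(image) // SECTOR)
    for name, (kind, start, end) in zip(names, extents):
        flag = "MISMATCH" if extension_mismatch(name, kind) else "ok"
        print(f"{name}: content={kind} sectors {start}-{end - 1} {flag}")
```

The extents are upper bounds that include any slack before the next file, and they hold only because the files sit in consecutive clusters, which is the limitation the essay notes for fragmented files.
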