The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics by John Sammons; ISBN-10: 1597496618
There is a serious error in this book, unfortunately.
I will update this page as the semester proceeds with any further corrections, and any response I get from the author.
The idea is that a 1024-byte file was saved on the drive and then deleted.
After that, a new 780-byte file was saved over it. The textbook claims that the leftover data between the 780-byte mark and the 1024-byte end of sector can be recovered.
This statement is completely false. What really happens is that every write operation always writes 512 bytes. So the area marked "slack space" in the figure is overwritten by zeroes in modern operating systems.
In very old operating systems, that space was overwritten with data from RAM, so this region is technically known as "RAM Slack".
In both cases, that data is overwritten and cannot be recovered.
My students should know this is true, because they did it in this hands-on project:
Project 2: Viewing Segments and Clusters with a Hex Editor
In this project, students saved a group of 10,002-byte files containing "SPAM" to a disk, deleted the files, and then re-filled the disk with 1002-byte files containing "EGGS".
Here's the result, seen in a hex editor:
As you can see, the leftover space at the end of the sector contains zeroes, not leftover "SPAM" data.
The latent "SPAM" appears only in later sectors, not in the sector to which the "EGGS" data were written.
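The same pattern can be reproduced offline with a small simulation. This is an added example, not part of the original project or the textbook. It models the zero-padded, whole-sector writes described above and assumes a 4096-byte cluster, which the page does not specify.

```python
SECTOR = 512          # sector size stated on the page
CLUSTER = 4096        # assumed cluster size (8 sectors); not given on the page

def write_file(disk, offset, data):
    """Model a sector-granular write: the last partial sector is zero-padded."""
    pad = -len(data) % SECTOR
    disk[offset:offset + len(data) + pad] = data + b"\x00" * pad

def classify_cluster(cluster, file_size):
    """Split the last cluster of a file into data, RAM slack and drive slack."""
    used = file_size % CLUSTER or CLUSTER        # file bytes in this cluster
    sector_end = -(-used // SECTOR) * SECTOR     # round up to a sector boundary
    return {
        "data": cluster[:used],
        "ram_slack": cluster[used:sector_end],   # rest of the last written sector
        "drive_slack": cluster[sector_end:],     # sectors the new write never touched
    }

def simulate():
    disk = bytearray(3 * CLUSTER)                # constructed 12 KiB volume
    spam = (b"SPAM" * 2501)[:10002]              # 10,002-byte file, as in the project
    write_file(disk, 0, spam)
    # Deleting the file only frees its clusters; the bytes stay on disk.
    eggs = (b"EGGS" * 251)[:1002]                # 1002-byte file reusing cluster 0
    write_file(disk, 0, eggs)
    return classify_cluster(bytes(disk[:CLUSTER]), len(eggs))

if __name__ == "__main__":
    for name, region in simulate().items():
        print(f"{name:12} {len(region):5} bytes  starts {region[:8]!r}")
```

The 22 bytes after the "EGGS" data up to the sector boundary come back as zeroes, while the remaining six sectors of the cluster still hold "SPAM".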
Here's a diagram of the pattern of data produced by the overwritten file:
This is incorrect. Items from HTTPS are cached, as explained by Microsoft here:
It is trivial to verify this by visiting some HTTPS pages in Internet Explorer and viewing the Temporary Internet Files.
The items from HTTPS pages are easy to see:
This is incorrect. Outlook Express uses DBX files, but Windows Live Mail does not. In fact, this is a technical support issue, as Outlook Express DBX files must be run through an import process to convert them to the EML files used by Windows Live Mail:
It stores emails as individual EML files, as explained on this page:
I verified this by testing it on Windows 7:
http://www.marshall.edu/isat/directory.asp
I sent a Cc: to info (at) syngress.com
Hi Sam,
Thanks so much for bringing this to my attention. I think your page is correct. My apologies for the error. I'll make sure that gets fixed in the second edition. Have you been using the PowerPoint slides for the book? I know some folks were having a tough time finding them. I'll get those slides fixed as well if they are indeed out there.
Best,
--john
We Are....Marshall