Digital Forensics Overview
45 Questions


Questions and Answers

Which of the following file systems can page to swap?

  • ramfs
  • shmfs
  • tmpfs (correct)
  • none of the above

The device file associated with hardware remains constant across all boots.

False

What is the purpose of the /dev/ directory?

/dev/ holds device 'files' for each device on the system.

The device naming pattern for storage devices is represented as xx[a,b,c,d..][1,2,3,4..], where xx identifies the ______ type.

device

Match the following device identifiers with their descriptions:

  • hd = Classic IDE driver
  • sd = Mass-storage driver
  • hda = Master device on the first ATA channel
  • sda = First registered device

What is the purpose of the $MFTMirr?

Provides a backup of the first few records of the MFT

$LogFile is important for recovery from inconsistencies in the NTFS file system.

True

What information does the $Volume record contain?

$Volume contains information about the volume, such as name and version.

The _______ tracks used and free clusters on the volume in bitmap format.

$Bitmap

Which record number corresponds to the $Boot file?

7

The $AttrDef file is responsible for providing volume information such as the volume label.

False

What does the $Root Directory represent?

The $Root Directory represents the root directory of the volume.

Match the following MFT entries with their purposes:

  • $MFT = Maintains information about files and directories
  • $LogFile = Stores transaction records for journaling
  • $Bitmap = Tracks used and free clusters
  • $AttrDef = Defines attribute types and names

What is the purpose of the Log Sequence Number (LSN) in the MFT Record Header?

Tracks changes for NTFS journaling

The Update Sequence Number is used to identify the file's status as live or deleted.

False

What does the $STANDARD_INFORMATION attribute store?

$STANDARD_INFORMATION stores basic file information, including timestamps for creation, modification, and access, as well as DOS file attributes.

The __________ contains a globally unique identifier for the file.

$OBJECT_ID

What information does the Link Count maintain in an MFT record?

The number of hard links pointing to the file

What is the purpose of the $SECURITY_DESCRIPTOR attribute?

$SECURITY_DESCRIPTOR defines security permissions for the file, including access control lists (ACLs).

Match the following attributes to their primary function:

  • $STANDARD_INFORMATION = Stores basic metadata about the file
  • $FILE_NAME = Holds information about the naming of the file
  • $ATTRIBUTE_LIST = Points to additional MFT records for file attributes
  • $SECURITY_DESCRIPTOR = Defines access permissions for the file

The ________ Offset indicates where the attribute list starts in the MFT entry.

Attributes

Which of the following is NOT a common hive file in the Windows Registry?

USER

HKEY_CURRENT_USER stores settings that are common to all users on the system.

False

What file extension represents a backup copy of the HKEY_LOCAL_MACHINE\System hive?

.alt

Each hive file is stored in the directory [%SYSTEMROOT%]\System32\config and user-specific hives are found under each user's profile, typically at C:\Users______.

username

Which root key contains information about file associations and OLE data?

HKEY_CLASSES_ROOT

The .regtrans-ms file extension is related to the transaction log tracking changes to keys.

True

Name one of the primary root keys that contains hardware and system settings.

HKEY_LOCAL_MACHINE

Match the following root keys with their descriptions:

  • HKEY_LOCAL_MACHINE = Contains hardware and system settings
  • HKEY_CURRENT_USER = User-specific settings for the logged-in user
  • HKEY_CLASSES_ROOT = Information on file associations
  • HKEY_USERS = Profile information for all user accounts

Which type of device is represented by 'nvme0n1p1'?

Block device

EXT4 file systems do not support the creation of unlimited subdirectories.

False

What major improvement does EXT4 offer over its predecessors?

Improved performance and larger file system size support.

The _____ allows pages to be moved from a separate partition in the event of page faults.

Swap File

Match the EXT versions with their features:

  • EXT = Introduced in 1993
  • EXT2 = No journaling support, file size up to 2TB
  • EXT3 = Introduced journaling
  • EXT4 = Improved performance and file size up to 16TB

What feature of EXT4 helps in reducing fragmentation?

Extents

Inodes store the filename associated with the files and directories.

False

What does 'fb' stand for in registered devices?

Frame buffer

What is slack space in the context of file storage?

Unused space at the end of a file

Drive slack only occurs in SSDs.

False

What type of configuration information is stored in /Users//Library?

User specific configuration information

/Applications folder contains all the installed __________.

applications

Match the following folders with their descriptions:

  • /System = Contains items reserved for use by Apple
  • /Library = Stores configuration information from 3rd party add-ons
  • /Users = Holds individual user directories
  • /Network = Contains information about Open Directory and Active Directory

Which type of slack refers to unused space at the end of a sector?

RAM Slack

CUPS print spool is stored in /private/var/log.

False

Where are system-wide log files stored in macOS?

/private/var/log

Study Notes

Forensics Overview

• Digital forensics is the process of using scientifically proven methods to recover, analyze, and present data for legal use. It ensures evidence integrity and reliability.
• Primary objectives:
  • Preservation: Safeguarding data against tampering or loss.
  • Collection: Acquiring data from various sources while maintaining the chain of custody.
  • Examination: Employing tools and techniques to analyze relevant data.
  • Analysis: Interpreting findings to reconstruct events or answer questions.
  • Reporting: Summarizing findings in a clear, organized, and legally acceptable format.
• Locard's Exchange Principle: Every interaction leaves a trace. Applied to digital forensics, this means evidence can be found in log files, metadata, or deleted files.
• Acquisition methods:
  • Traditional methods include removing the hard drive and imaging it elsewhere, or imaging it on the suspect machine. Other methods include live system analysis (RAM/network).
  • Techniques for acquiring evidence include write blocking, image acquisition tools, and analysis tools.
• Integrity:
  • Robust findings are essential in legal proceedings.
  • ACPO Principles guide the collection and preservation of evidence.
  • Key considerations include a scientific approach, sound tools, chain of custody, and prevention of evidence tampering.
  • Hashing and fingerprinting methods are used to verify evidence integrity.

Hashing-Fingerprint

• Hashing creates a unique fingerprint of data.
• Different hash functions (SHA1, MD5, SHA256) each produce their own fingerprint value for the same data.
• Hash values are useful for comparison and verification.
• Caveats and potential problems with hashing need consideration.

ACPO Principles

• No actions should alter original evidence.
• Established policies and procedures should be followed.

Evidence-Based Arguments

• Scientific and technical endeavors rely on evidence.
• Pieces of evidence are linked together to form larger assertions.

Types of Investigation

• Context, investigative questions, and evidence types vary with the investigation.
• May involve a single machine or multiple devices.
• Artefact analysis includes files, logs, network traces, and logical or physical data.

Investigative Approach

• Data reduction is crucial in forensics and involves narrowing the scope.
• General approaches are used, but the investigator pivots based on the specific needs of the investigation.
• Data search and analysis methods include text search, hash lookups (known files/images), and recently/most used files.

FAT Overview

• FAT (File Allocation Table) was developed in the 1970s.
• Used in smaller storage systems (USB drives, SD cards).
• Various FAT versions (FAT12, FAT16, FAT32) exist to handle increasing volume sizes.

FAT Disk Structure

• Partition Boot Sector: Contains basic volume information.
• Reserved Sectors: Sectors at the start of the volume set aside before the first FAT table.
• FAT tables 1 to n: Hold cluster allocation information; FAT1 is the primary table and FAT2..n are backup copies.
• Root Directory: Holds the root folder of the volume.
• Data Area: Contains all file data.

Calculations for Cluster Identification

• Calculations locate specific data clusters using values from the boot sector, FAT table, and root directory.

File Allocation Table (FAT)

• Tracks cluster allocation status (free, in use, or bad).

FAT 32 Overview

• Root directory: Holds metadata about files and folders on the disk.
• Data area: Contains the actual file and folder data on the disk.
• FAT32 disk structure: Partition Boot Sector, Reserved Sectors, FAT table(s), Root Directory, Data Area.
• Cluster calculations locate specific data.
• FAT tables are followed to chain clusters together and locate file data.

FAT32 and 12/16 Disk Structures

• Contain important information such as bytes per sector, cluster size, and root directory space.
• Used by Windows for logical structures such as the boot sector and FAT tables.

Key Components for FAT File System

• Key parameters needed to interpret filesystem data include bytes per sector, sectors per cluster, reserved sectors, and the number of FAT tables.

FAT 12/16 Partition Boot Record

• Defines parameters essential to understanding the structure of the file system, including bytes per sector and sectors per cluster.

Timestamps

• Timestamps are stored in local time and may vary depending on how and where the files are accessed.

NTFS File System

• NTFS is the standard file system for Windows.
• Offers advanced features such as large file support, security, and data recovery.
• Implements a journaling system ($LogFile) for recovery from inconsistencies.
• Uses 64-bit cluster addressing to handle large volumes and files, and supports compression and encryption.
• Includes features such as Alternate Data Streams for storing additional data, sparse files for efficient handling of empty space, and more.

NTFS Boot Record

• Contains crucial parameters for interpreting the file system structure.

Master File Table (MFT)

• The central database of file records in NTFS. Contains metadata about files and directories on the volume, including filenames, timestamps, and permissions.

NTFS Filesystem

• Includes metadata files (e.g., $MFT, $MFTMirr) for file management.

File and Folder Deletion in NTFS

• File deletion in NTFS involves marking MFT entries as unused, but the data remains in its clusters until overwritten.

Windows Registry and Artefacts

• The Windows Registry is a hierarchical database containing settings and operating system options.
• Contains configuration settings, hardware configurations, software installations, user profiles, etc.
• Hive files (e.g., SYSTEM, SOFTWARE, NTUSER.DAT) are physically stored on the disk and are essential to system operation.
• Registry keys are similar to folders, organizing related settings.
• Registry values hold specific data.

Web Browser Forensics

• Web browsers save browsing history, cache (temporary files such as images, HTML, and scripts), cookies (session data, login tokens, tracking data), downloads, and more.
• Examining these artifacts (browsing history, cookies, and cached files) reveals information about user activity.

Unix System Forensics

• Unix systems store data differently from Windows systems, lacking a centralized registry and organizing data in files and folders instead.
• Log files are stored in /var/log; other important folders are /etc (config), /home (user profiles), and /proc (live system information).
• Timestamps are stored as Unix epoch time, whereas Windows often uses local time.
• Common Unix filesystems (e.g., EXT2, EXT3, EXT4) use structures such as extent trees, inodes, and block groups, which are crucial for understanding and analyzing file structures and locations.
• Unix file systems are decentralized, with key locations typically in /proc, /etc, /var, and /home, which are essential for forensic analysis.
• Unix file system data is primarily stored in files, whereas Windows uses a centralized registry.
• Understanding the Unix file system structure, key directories, logs, and permissions is crucial for the analysis.

Related Documents

OS Forensics Study Notes PDF

Description

Explore the fundamental principles of digital forensics, including data preservation, collection, examination, analysis, and reporting. Learn about Locard's Exchange Principle and various acquisition methods for evidence recovery. This overview serves as a foundation for understanding the importance of integrity and reliability in forensic data analysis.
