Digital Forensics Overview
45 Questions

Questions and Answers

Which of the following file systems can page to swap?

  • ramfs
  • shmfs
  • tmpfs (correct)
  • none of the above

The device file associated with hardware remains constant across all boots.

False (B)

What is the purpose of the /dev/ directory?

/dev/ holds device 'files' for each device on the system.

The device naming pattern for storage devices is represented as xx[a,b,c,d..][1,2,3,4..], where xx identifies the ______ type.

device

Match the following device identifiers with their descriptions:

  • hd = Classic IDE driver
  • sd = Mass-storage driver
  • hda = Master device on the first ATA channel
  • sda = First registered device

What is the purpose of the $MFTMirr?

Provides a backup of the first few records of the MFT (C)

$LogFile is important for recovery from inconsistencies in the NTFS file system.

True (A)

What information does the $Volume record contain?

$Volume contains information about the volume, such as name and version.

The _______ tracks used and free clusters on the volume in bitmap format.

$Bitmap

Which record number corresponds to the $Boot file?

7 (C)

The $AttrDef file is responsible for providing volume information such as the volume label.

False (B)

What does the $Root Directory represent?

The $Root Directory represents the root directory of the volume.

Match the following MFT entries with their purposes:

  • $MFT = Maintains information about files and directories
  • $LogFile = Stores transaction records for journaling
  • $Bitmap = Tracks used and free clusters
  • $AttrDef = Defines attribute types and names

What is the purpose of the Log Sequence Number (LSN) in the MFT Record Header?

Tracks changes for NTFS journaling (D)

The Update Sequence Number is used to identify the file's status as live or deleted.

False (B)

What does the $STANDARD_INFORMATION attribute store?

$STANDARD_INFORMATION stores basic file information, including timestamps for creation, modification, and access, as well as DOS file attributes.

The __________ contains a globally unique identifier for the file.

$OBJECT_ID

What information does the Link Count maintain in an MFT record?

The number of hard links pointing to the file (D)

What is the purpose of the $SECURITY_DESCRIPTOR attribute?

$SECURITY_DESCRIPTOR defines security permissions for the file, including access control lists (ACLs).

Match the following attributes to their primary function:

  • $STANDARD_INFORMATION = Stores basic metadata about the file
  • $FILE_NAME = Holds information about the naming of the file
  • $ATTRIBUTE_LIST = Points to additional MFT records for file attributes
  • $SECURITY_DESCRIPTOR = Defines access permissions for the file

The ________ Offset indicates where the attribute list starts in the MFT entry.

Attributes

Which of the following is NOT a common hive file in the Windows Registry?

USER (C)

HKEY_CURRENT_USER stores settings that are common to all users on the system.

False (B)

What file extension represents a backup copy of the HKEY_LOCAL_MACHINE\System hive?

.alt

Each hive file is stored in the directory [%SYSTEMROOT%]\System32\config and user-specific hives are found under each user's profile, typically at C:\Users______.

username

Which root key contains information about file associations and OLE data?

HKEY_CLASSES_ROOT (A)

The .regtrans-ms file extension is related to the transaction log tracking changes to keys.

True (A)

Name one of the primary root keys that contains hardware and system settings.

HKEY_LOCAL_MACHINE

Match the following root keys with their descriptions:

  • HKEY_LOCAL_MACHINE = Contains hardware and system settings
  • HKEY_CURRENT_USER = User-specific settings for the logged-in user
  • HKEY_CLASSES_ROOT = Information on file associations
  • HKEY_USERS = Profile information for all user accounts

Which type of device is represented by 'nvme0n1p1'?

Block device (B)

EXT4 file systems do not support the creation of unlimited subdirectories.

False (B)

What major improvement does EXT4 offer over its predecessors?

Improved performance and larger file system size support.

The _____ allows pages to be moved from a separate partition in the event of page faults.

Swap File

Match the EXT versions with their features:

  • EXT = Introduced in 1993
  • EXT2 = No journaling support, file size up to 2TB
  • EXT3 = Introduced journaling
  • EXT4 = Improved performance and file size up to 16TB

What feature of EXT4 helps in reducing fragmentation?

Extents (B)

Inodes store the filename associated with the files and directories.

False (B)

What does 'fb' stand for in registered devices?

Frame buffer

What is slack space in the context of file storage?

Unused space at the end of a file (A)

Drive slack only occurs in SSDs.

False (B)

What type of configuration information is stored in /Users//Library?

User-specific configuration information

/Applications folder contains all the installed __________.

applications

Match the following folders with their descriptions:

  • /System = Contains items reserved for use by Apple
  • /Library = Stores configuration information from 3rd party add-ons
  • /Users = Holds individual user directories
  • /Network = Contains information about Open Directory and Active Directory

Which type of slack refers to unused space at the end of a sector?

RAM Slack (C)

CUPS print spool is stored in /private/var/log.

False (B)

Where are system-wide log files stored in macOS?

/private/var/log

Flashcards

$MFT

Master File Table; stores information about files and directories on the NTFS volume.

$MFTMirr

A mirror of the first few entries in the $MFT, crucial for data recovery.

$LogFile

Tracks changes to the NTFS file system. Essential for recovery.

$Volume

Contains volume metadata, like the name and version.

$AttrDef

Defines attribute types for files (e.g., name, size).

$Root Directory

The top-level directory on an NTFS volume.

$Bitmap

Tracks free and used clusters on the volume.

$Boot

Contains the boot sector and bootstrap code.

MFT Record Header

Holds basic file information in NTFS.

File Attributes

Describe a file's properties and data in the MFT.

$STANDARD_INFORMATION

File metadata like timestamps and DOS attributes.

$ATTRIBUTE_LIST

Links to other MFT records for large files' attributes.

$FILE_NAME

Stores filename information, including long and short names.

$OBJECT_ID

Unique identifier for a file, useful for tracking across systems.

Link Count

Number of hard links to the file.

Update Sequence Offset

Keeps track of record modifications and consistency.

Automounted Devices

Devices automatically mounted on boot; evidence may be lost if ramdisks are present.

Device Files

Represent hardware devices as files in the file system, typically located in /dev/.

Device Naming Convention

A pattern (e.g., /dev/sda1), where xx identifies the device type, letters identify devices (e.g., sda), and numbers identify partitions.

Ramdisk types

Older ramdisk types like tmpfs, ramfs, and shmfs; tmpfs can page to swap, unlike ramfs.

Device File Types (hd, sd)

hd: older IDE device driver; sd: mass-storage driver. Devices such as hda and sda are examples of these files, and their names follow a pattern (e.g., hda[x]).

Registry Hive

A file that stores settings and data, loaded into memory when Windows starts.

Registry Key

A container within a hive, organizing related settings and values.

Subkey

A nested key within a parent key, further categorizing settings.

Registry Value

A specific setting or data point within a key, with a name and type.

HKEY_LOCAL_MACHINE

Root key containing system-wide hardware and software settings.

HKEY_CURRENT_USER

Root key containing settings for the currently logged-in user.

Registry physical storage

Registry data stored in hive files, primarily in %SYSTEMROOT%\System32\config.

User-specific hive

Hive such as NTUSER.DAT, specific to each user's profile.

Registered Device

A device recognized by the system, like a hard drive or network card, with a unique path.

EXT File System

A family of journaling file systems, commonly used in Linux.

EXT4 Features

EXT4 is an advanced file system offering features for better performance and larger files.

Inode

Data structure that stores metadata about a file or directory, not the file itself.

Swap File

A file used as temporary storage (swap space), used when RAM is full.

NVMe Driver

A hardware driver for NVMe (Non-Volatile Memory Express) storage devices.

Block Device

A storage device that stores data in blocks (or sectors), like a hard drive.

File Descriptor

An integer that represents a file or resource in programming.

Sparse Files

Files that only allocate space for the data they contain, leaving gaps. Deleted data remnants can be hidden in the allocated but unused part of the file.

Slack Space

Leftover space within a block or cluster after a file's data is stored.

/System Folder

macOS folder reserved for Apple's system files and components.

/Library Folder

macOS folder for configuration information from third-party applications.

/Users Folder

macOS folder containing individual user directories. Usually contains documents and application settings related to each user.

/Applications Folder

macOS folder where installed application files are stored.

/private/var/log

macOS folder containing system-wide log files for diagnostics and troubleshooting.

/Volumes Folder

macOS standard mount point for external media.

Study Notes

Forensics Overview

  • Digital forensics is the process of using scientifically proven methods to recover, analyze, and present data for legal use. It ensures evidence integrity and reliability.
  • Primary Objectives:
    • Preservation: Safeguarding data against tampering or loss.
    • Collection: Acquiring data from various sources, maintaining chain of custody.
    • Examination: Employing tools and techniques to analyze relevant data.
    • Analysis: Interpreting findings to reconstruct events or answer questions.
    • Reporting: Summarizing findings in a clear, organized, and legally acceptable format.
  • Locard's Exchange Principle: Emphasizes that every interaction leaves a trace. Applied to digital forensics, this means evidence can be found in log files, metadata, or deleted files.
  • Acquisition methods:
    • Traditional methods include removing the hard drive and imaging it elsewhere, or imaging it on the suspect machine. Other methods include live system analysis (RAM/network).
    • Tools for acquiring evidence include write blockers, imaging tools, and analysis tools.
  • Integrity:
    • Robust findings are essential in legal proceedings
    • ACPO Principles guide the collection and preservation of evidence.
    • Key considerations include scientific approach, sound tools, chain of custody, and evidence tampering prevention.
    • Hashing and fingerprinting methods are used to verify evidence integrity.

Hashing-Fingerprint

  • Hashing creates a unique fingerprint of data.
  • Different hash functions (MD5, SHA-1, SHA-256) produce different digests for the same input.
  • Hash values are useful for comparison and verification.
  • Caveats (such as known collision attacks against MD5 and SHA-1) need to be considered.

ACPO Principles

  • No actions should alter original evidence.
  • Established policies and procedures should be followed.

Evidence-Based Arguments

  • Scientific and technical endeavors rely on evidence.
  • Evidence pieces are linked together to form larger assertions.

Types of Investigation

  • Context, investigative questions, evidence types vary with investigation.
  • May involve a single machine or multiple devices.
  • Artefact analysis includes files, logs, network traces, and logical or physical data.

Investigative Approach

  • Data reduction is crucial in forensics and involves narrowing the scope.
  • General approaches used, but pivot based on specific needs of investigation.
  • Data search and analysis methods include text search, hash lookups (known files/images), and recently/most used files.

FAT Overview

  • FAT (File Allocation Table) was developed in the 1970s.
  • Used in smaller storage systems (USB drives, SD cards).
  • Various FAT versions (FAT12, FAT16, FAT32) exist to handle increasing volume sizes.

FAT Disk Structure

  • Partition Boot Sector: Contains basic volume information.
  • Reserved Sectors: Sectors set aside at the start of the volume, before the FAT tables.
  • FAT Table 1 to n: Hold cluster information; FAT1 is the primary table, FAT2 (to n) are backups.
  • Root Directory: Holds the root folder of the volume.
  • Data Area: Contains all file data.

Calculations for Cluster Identification

  • Calculations to find the location of specific data clusters (FAT table, boot sector, root directory).

File Allocation Table (FAT)

  • Tracks cluster allocation status (free, in use, or bad/damaged).

FAT 32 Overview

  • Root directory: Holds metadata about files and folders on the disk.
  • Data area: Contains the actual file and folder data on the disk.
  • FAT32 disk structure: Partition Boot Sector, Reserved Sectors, FAT table(s), Root Directory, Data Area.
  • Cluster calculations are used to locate specific data.
  • FAT tables are followed to trace cluster chains and locate file data.

FAT32 and 12/16 Disk Structures

  • Contain important information like bytes per sector, cluster size, and root directory space.
  • Used by Windows for logical structures like the boot sector and FAT tables.

Key Components for FAT File System

  • Key parameters for understanding FAT are needed for interpreting filesystem data, including bytes per sector, sectors per cluster, reserved sectors, and number of FAT tables.

FAT 12/16 Partition Boot Record

  • Defines parameters essential for understanding the structure of the file system, including bytes per sector and sectors per cluster.

Timestamps

  • FAT timestamps are stored in local time and may vary depending on how and where the files are accessed.

NTFS File System

  • NTFS is the standard file system for Windows.
  • Offers advanced features like large file support, security, and data recovery.
  • Implements a journaling system ($LogFile) to recover from inconsistencies.
  • Uses 64-bit cluster addressing to support large volumes and files, and supports compression and encryption.
  • Includes features like Alternate Data Streams for storing additional data, sparse files for managing empty regions, and more.

NTFS Boot Record

  • Contains crucial parameters for interpreting the file system structure.

Master File Table (MFT)

  • The central database for file records in NTFS. Contains metadata about files and directories on the volume, including filenames, timestamps, and permissions.

NTFS Filesystem

  • Includes metadata files (e.g., $MFT, $MFTMirr) for file management.

File and Folder Deletion in NTFS

  • File deletion in NTFS involves marking MFT entries as unused, but the data remains in clusters until overwritten.

Windows Registry and Artefacts

  • The Windows Registry is a hierarchical database containing settings and operating system options.
  • Contains configuration settings, hardware configurations, software installations, user profiles, etc.
  • Hive files (e.g., SYSTEM, SOFTWARE, NTUSER.DAT) are physically stored on disk and are essential to system operation.
  • Registry keys are similar to folders, organizing related settings.
  • Registry values hold specific data.

Web Browser Forensics

  • Web browsers save browsing history, cache (temporary files like images, HTML, and scripts), cookies (session data, login tokens, tracking data), downloads, and more.
  • Examining artifacts like browser cache and history reveals user activity information.
  • Browser artifacts provide valuable data including browsing history, cookies, and cached files.

Unix System Forensics

  • Unix systems store data differently than Windows systems, lacking a centralized registry and organizing data in files and folders instead.
  • Log files are stored in /var/log; other important folders are /etc (configuration), /home (user profiles), and /proc (live system information).
  • Timestamps are typically stored as epoch time (seconds since 1970-01-01 UTC), whereas Windows often uses local time.
  • Common Unix filesystems (e.g., EXT2, EXT3, EXT4) use structures such as extent trees, inodes, and block groups, which are crucial for understanding and analyzing file structures and locations.
  • Unix file systems are decentralized, with key locations typically in /proc, /etc, /var, and /home; these are essential for forensic analysis.
  • Unix file system data is primarily stored in files, whereas Windows uses a centralized registry.
  • Understanding Unix file system structure, key directories, logs, and permissions is crucial for the analysis.

Related Documents

OS Forensics Study Notes PDF

Description

Explore the fundamental principles of digital forensics, including data preservation, collection, examination, analysis, and reporting. Learn about Locard's Exchange Principle and various acquisition methods for evidence recovery. This overview serves as a foundation for understanding the importance of integrity and reliability in forensic data analysis.
