SEC524 Computer and Network Forensics Lectures PDF

Document Details

EnthralledMossAgate9244

Uploaded by EnthralledMossAgate9244

King Fahd University of Petroleum and Minerals

Mike Mabey

Tags

computer forensics file system analysis disk analysis digital evidence

Summary

These lecture notes cover computer forensics concepts, including disk and file system analysis. The document provides an outline of the course, covering topics such as disk geometry, file systems, and the boot process in Windows OS.

Full Transcript

King Fahd University of Petroleum & Minerals College of Computer Sciences & Engineering SEC524 Computer and Network Forensics Lectures 19 – 21 Disk and File System Analysis These slides are based on: Guide to Computer Forensics and Investigation...

King Fahd University of Petroleum & Minerals College of Computer Sciences & Engineering SEC524 Computer and Network Forensics Lectures 19 – 21 Disk and File System Analysis These slides are based on: Guide to Computer Forensics and Investigations: Processing Digital Evidence, Bill Nelson et al. (Ch. 5) File System Forensic Analysis, Brian Carrier (Ch. 11) Mike Mabey Class Notes Outline Introduction Layers of Forensic Analysis Understanding File Systems Exploring Microsoft File Structures Understanding Microsoft Startup Tasks 2 Introduction Relative to the disk and file system analysis, an investigator needs to understand the following: Purpose and structure of file systems Microsoft file structures Microsoft startup tasks So, we will: Review how data is stored and managed in Microsoft OS, including legacy and modern Windows Understand file systems in Windows OS Briefly consider what controls the OS startup, to avoid altering evidence when you examine data on a drive But first we start by looking at the layers of forensic analysis as they relate to the disk and file system analysis 3 Layers of Forensic Analysis 4 Layers of Forensic Analysis (Cntd) Storage media analysis: Non-volatile storage such as hard disks and flash drives Organized into partitions / volumes: Collection of storage locations that a user or application can write to/read from Contents are file system, a database, or a temporary swap space Volume analysis: Analyze data at the volume level Determine where the file system or other data are located Determine where we may find hidden data 5 Layers of Forensic Analysis (Cntd) File system analysis: A collection of data structures that allow an application to create, read, and write files Purpose: To find files, to recover deleted files, and to find hidden data The result could be file content, data fragments, and metadata associated with files Application layer analysis: The structure of each file is based on the application or OS that created the file Purpose: To analyze files and to determine what program we should use 6 Understanding File Systems To investigate digital evidence effectively, an investigator must understand how an OS works and how it stores files A file system gives an OS a road map to data on a disk The type of file system an OS uses determines how data is stored on the disk We will focus only on Windows OS Understanding the Boot Sequence To understand how an OS works, an investigator must first understand the boot sequence That is, an investigator must know how to access and modify CMOS, BIOS, EFI, and UEFI settings, to ensure that he doesn’t contaminate or alter data on a suspect’s system 7 Understanding File Systems (Cntd) A computer stores system configuration and date/time info in the CMOS when power to the system is off System BIOS or EFI contains programs that perform input and output at the hardware level BIOS is designed for x86 computers and used on disk drives with Master Boot Records (MBR) EFI is designed for x64 computers and uses GUID Partition Table (GPT) formatted disks BIOS and EFI are designed for specific firmware, and to reduce the relationship with firmware, Intel developed UEFI, which defines the interface between a computer’s firmware and the OS When a subject’s computer starts, make sure it boots to a forensically configured CD/DVD/USB drive because booting to the hard disk overwrites and changes evidentiary data 8 Understanding File Systems (Cntd) To do this, access the CMOS setup during the bootstrap process by using the correct key(s) A safe method for verifying the BIOS date/time without accessing the disk drive is to remove all hard drives from the computer Understanding Disk Drives An investigator should be familiar with disk drives and how data is organized on a disk so that you can find data effectively A review of the hard disk geometry and related concepts are provided in the next few slides 9 Understanding File Systems (Cntd) Hard Disk Geometry Head: The device that reads and writes data to a drive Track: Concentric circles on a disk platter Cylinder: A column of tracks on disk platters Sector: A section on a track 10 Understanding File Systems (Cntd) Tracks, Sectors, Clusters, Cylinders Platters are divided into concentric rings called tracks (A) Tracks are divided into wedge-shaped areas called sectors (C) A sector typically holds 512 bytes of data A collection of sectors is called a cluster or block (D) (B) is apparently called a geometrical sector (uncommon) A cylinder is a three-dimensional concept consisting of all tracks in the same position vertically 11 Understanding File Systems (Cntd) CHS Addressing: Process of identifying sectors (i.e., physical block of data) on a disk by their position in a track Tracks/Cylinders: Numbered from the outside in, starting at 0 All sectors of all tracks in cylinder 0 will be filled up before using cylinder 1 Heads: Numbered from the bottom up, starting at 0 All platters are double-sided, one head per side Sectors: Each sector is numbered, starting at 1 Typically holds 512 bytes of data First sector has CHS address: 0,0,1 Limited to 8.1 GB Not enough bits allocated to store values in the Master Boot Record of disks Solution: Logical Block Addresses (LBA) 12 Understanding File Systems (Cntd) Logical Block Addresses (LBA) – Singe address instead of 3 Starts at 0, so LBA 0 == CHS 0,0,1 To convert from CHS, need to know: CHS address Number of heads per cylinder Number of sectors per track LBA = (((CYLINDER * heads_per_cylinder) + HEAD) * sectors_per_track) + SECTOR -1 Example: Given a disk with 16 heads per cylinder and 63 sectors per track, if we had a CHS address of cylinder 2, head 3, and sector 4 (i.e., CHS 2,3,4), what would be the LBA? Answer: LBA = (((2*16)+3)*63)+4-1=2208 13 Understanding File Systems (Cntd) Solid-State Storage Devices Flash memory storage devices pose a challenge to investigators because if deleted data isn’t recovered immediately, it might be lost forever due to the wear-leveling feature When data is deleted on a hard drive, only the references to it are removed, which leaves the original data in unallocated disk space With forensics recovery tools, recovering data from magnetic media can be done easily by copying the unallocated space In solid-state drive systems, memory cells continuously shift data at the physical level to other cells that had fewer reads and writes Purpose of shifting data is to ensure all memory cells on the drive wear evenly as memory cells are designed to have  100,000 reads/writes (formally called program – erase, P/E, cycle) Newer technologies have higher numbers When a memory cell reach its r/w limit, it can no longer retain data 14 Understanding File Systems (Cntd) Solid-State Storage Devices (Cntd) Also, when data is shifted to another memory cell, the old cell addresses are added to a firmware file called a “garbage collector” At some point, the firmware erases data in unallocated cells by overwriting a value of 1 in all cells listed in the garbage collector file When dealing with solid-state devices, making a full forensic copy as soon as possible is crucial in case you need to recover data from unallocated disk space For mobile device forensics, this feature is extremely important, especially if a suspect deleted relevant messages, for example, just before the device was seized and taken into evidence 15 Exploring Microsoft File Structures As most PCs use Microsoft (MS) software products, an investigator should understand MS file systems so that he knows how Windows and DOS computers store files Investigator needs to understand clusters, File Allocation Table (FAT), and NT File System (NTFS), and method used to store files which decides where data can be hidden When examining a computer for evidence, an investigator needs to explore these hiding places to determine whether they contain files or parts of files that might be evidence of a crime or policy violation In MS file structures, sectors are grouped to form clusters, with clusters range from 512 bytes up to 32,000 bytes each Number of sectors in a cluster varies according to the disk size For example, a double-sided floppy disk has one sector per cluster while a hard disk has four or more sectors per cluster 16 Exploring Microsoft File Structures (Cntd) Clusters are numbered sequentially, starting at 0 in NTFS and 2 in FAT First sector of all disks contains a system area, the boot record, and a file structure database OS assigns cluster numbers, called logical addresses They point to relative cluster positions; for example, cluster address 100 is 98 clusters from cluster address 2 Sector numbers are called physical addresses as they reside at the hardware or firmware level and go from address 0 (first sector on disk) to the last sector on the disk Clusters and their addresses are specific to a logical disk drive known as a disk partition 17 Exploring Microsoft File Structures (Cntd) Disk Partitions Hard disks are partitioned into two or more sections of a group of clusters, with each partition (aka volume) forming a logical drive Common partition systems have one or more tables and each table describes a partition (starting and ending sectors, type of partition) Windows OS can have 3 primary partitions followed by an extended partition that can contain one or more logical drives Someone can hide data on a hard disk by creating hidden partitions or voids—large unused gaps between partitions (aka partition gap) For example, partitions containing unused space can be created between the primary partitions or logical partitions 18 Exploring Microsoft File Structures (Cntd) Disk Partitions (Cntd) It is possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows Can be accessed using a disk editor utility Another technique to hide incriminating evidence is to use end of a disk by declaring a smaller number of bytes than actual drive size With disk-editing tools, you can access disk’s hidden or empty areas A disk editor (e.g., WinHex,...) can be used to examine a partition’s physical level, and to view file headers & other critical parts of a file Involves analyzing key hex codes OS uses to identify & maintain the file system A list of hex codes in a partition table which identifies some common file system structures is provided in the next slide Examining a partition is referred to as partition/volume analysis and involves looking at data structures & partition tables used for 19 partitioning & assembling bytes in storage devices Exploring Microsoft File Structures (Cntd) 20 Exploring Microsoft File Structures (Cntd) Partition Tables The partition table is in the Master Boot Record (MBR), located at sector 0 of the disk drive, which is a special type of boot sector and is intended for use with legacy PCs First sector (CHS 0,0,1) stores the disk layout Using a hex editor such as WinHex (shown below, right), you can find the partitions according the table shown below (left) 21 Exploring Microsoft File Structures (Cntd) Partition Tables (Cntd) For the extended part of the drive, all partitions are logical partitions, and in the first logical partition’s boot sector, there’s a partition table similar to the MBR Each partition entry has the structure shown below Maximum addressable storage space with MBR is 1 TiB (240 bytes) For larger storage, GUID Partition Table (GPT) is used Little more complicated, not explained here (see Wikipedia for info on GPT) 22 Exploring Microsoft File Structures (Cntd) Partition Analysis Steps 1. Locate the partition tables 2. Process the data structures to identify the layout since the offset of a partition needs to be known It is important to discover the partition layout of the volume because not all sectors need to be assigned to a partition and they may contain data from a previous file system or that the suspect was trying to hide 3. Conduct the consistency checks: To determine where else evidence could be located besides in each partition, look at the last partition and compare its starting location with the end of its parent partition Note: An investigator can identify the OS on an unknown disk using a hex editor (e.g., WinHex) The steps on how to determine a disk’s OS using WinHex are shown in the next slide 23 Exploring Microsoft File Structures (Cntd) Partition Analysis Steps (Cntd) 1. Launch WinHex, and click Tools, Open Disk from the menu to see a list of logical drives 2. Click the C drive (or the working drive), and click OK (Figure shows a typical hard disk in the WinHex window) We will quickly examine the FAT-based disks and the NTFS-based disks 24 Exploring Microsoft File Structures (Cntd) FAT-based Disks: FAT is the file structure database used to organize files on a disk so that the OS can find the files it needs Found on disk’s outermost track and contains filenames, directory names, date & time stamps, starting cluster number, and file attributes (archive, hidden,...) FAT has three current versions: FAT16, FAT32, and exFAT FAT16: Used on older Microsoft OSs, such as Windows 95, and Windows NT 3.5 and 4.0, and it supports disk partitions with a maximum storage capacity of 4 GB FAT32: Can access larger capacity drives exFAT: Developed for mobile personal storage devices, such as flash memory devices, and memory sticks, and its file system can store very large files, such as digital images, video, and audio files Cluster sizes vary according to the hard disk size and file system For FAT32 file systems, cluster sizes are determined by the OS, and can range from 1 sector consisting of 512 bytes to 128 sectors of 64 KB 25 Exploring Microsoft File Structures (Cntd) FAT-based Disks (Cntd): Microsoft OS allocates disk space for files by clusters, and this results in drive slack (unused space in a cluster between the end of an active file’s content and the end of the cluster) Drive slack includes RAM slack (found mainly in older Microsoft OS) and file slack In newer Windows OS, when data is written to disk, the remaining RAM slack is zeroed out and contains no RAM data When you run out of room for an allocated cluster, the OS allocates another cluster for your file, and as files grow and require more disk space, assigned clusters are chained together Typically, chained clusters are contiguous on the disk, but as some files are created and deleted and other files are expanded, the chain can be broken or fragmented With a tool such as WinHex, you can view the cluster-chaining sequence and see how FAT addresses linking clusters to one another 26 Exploring Microsoft File Structures (Cntd) FAT-based Disks (Cntd): In FAT file system, when a file is deleted, the only modification made is that the directory entry is marked as a deleted file by having (0xE5) replacing the first letter of the filename, and the FAT chain for that file is set to 0 (i.e., file data remains on the disk drive) The area of the disk where the deleted file resides becomes unallocated disk space (aka “free disk space”) The unallocated disk space is now available to hold new data from newly created files or other files needing more space as they grow Most forensics tools can recover data still residing in this area 27 Exploring Microsoft File Structures (Cntd) NTFS-based Disks: NTFS was introduced with Windows NT and is still the main file system in Windows 10 Each generation of Windows since NT has included minor changes in NTFS configuration and features NTFS offers substantial improvements over FAT file systems as it provides more information about a file, including security features, file ownership, and other file attributes NTFS is an attempt to have a journaling file system; System keeps track of transactions such as file deleting or saving This journaling feature is helpful because it records a transaction before the system carries it out, and in a case of power failure or other interruption, the system can complete the transaction or go back to the last good setting In NTFS, everything written to the disk is considered a file 28 Exploring Microsoft File Structures (Cntd) NTFS-based Disks (Cntd): On an NTFS disk, the first data set is the Partition Boot Sector, which starts at sector 0 of the disk and can expand to 16 sectors Immediately after the Partition Boot Sector is the Master File Table (MFT) which is the first file on the disk An MFT file is created at the same time a disk partition is formatted as an NTFS volume and consumes about 12.5% of the disk when it’s created As data is added, the MFT can expand to take up 50% of the disk An important advantage of NTFS over FAT is that it results in much less file slack space 29 Exploring Microsoft File Structures (Cntd) NTFS-based Disks “System Files”: Because everything on an NTFS disk is a file, the first file, the MFT, contains information about all files on the disk, including the system files the OS uses In the MFT, the first 15 records are reserved for system files Records in the MFT are called metadata (see table for first 16 metadata records in MFT) 30 Exploring Microsoft File Structures (Cntd) NTFS-based Disks – MFT and File Attributes: In the NTFS MFT, all files and folders are stored in separate records of 1024 bytes each with each record containing file or folder info The info is divided into record fields containing metadata about the file or folder and the file’s data or links to the file’s data A record field is referred to as an attribute ID File or folder info is stored in one of two ways in MFT record: resident and nonresident For files of 512 bytes or less, all file metadata and data are stored in the MFT record and such type of record is called resident file For files larger than 512 bytes, file or folder’s MFT record provides cluster addresses (called data runs) where the file is stored on the drive’s partition, and this type of record is referred to as nonresident 31 Exploring Microsoft File Structures (Cntd) NTFS-based Disks – MFT and File Attributes (Cntd): Each MFT record starts with a header identifying it as a resident or nonresident attribute with the first 4 bytes for all MFT records are FILE The header info contains additional data specifying where the first attribute ID starts, which is typically at offset 0x14 from the beginning of the record Each attribute ID has a length value in hex defining where it ends and where the next attribute starts The length value is located 4 bytes from the attribute ID 32 Exploring Microsoft File Structures (Cntd) 33 Exploring Microsoft File Structures (Cntd) NTFS Alternate Data Streams: Allow appending of data to existing files, and they can obscure valuable evidentiary data, intentionally or by coincidence An alternate data stream becomes an additional file attribute and allows the file to be associated with different applications As a result, it remains one data unit, and you can also store info about a file in an alternate data stream For example, a graphics program can store a thumbnail image of a bitmap in a named data stream within the NTFS file containing the image At a command prompt in Windows NT and later, you can create an alternate data stream using the following commands: C:\echo text_string > myfile.txt:stream_name You can display the alternate data stream’s content using notepad However, the contents will not be the same as text_string! Alternate data streams are important from forensics point of view Read chapter 11 of “File System Forensic Analysis” by Brian Carrier for more info 34 Exploring Microsoft File Structures (Cntd) NTFS Encrypting File System (EFS): Optional built-in encryption feature is included with NTFS EFS uses public-key cryptography to encrypt files, folders, or disk volumes (partitions), and only the owner or user who encrypted the data can access encrypted files When EFS is used in Windows 2000 and later, a recovery certificate is generated and sent to the local Windows administrator account Purpose of the recovery certificate is to provide a mechanism for recovering files encrypted with EFS if there’s a problem with the user’s original private key The recovery key is stored in one of two places: When a network user initiates EFS, it is sent to local domain server’s administrator account On a stand-alone workstation, it is sent to local admin account which can be an issue if suspect machine’s local admin account is the same as suspect’s account Users can apply EFS to files stored on their local workstations or a remote server 35 Exploring Microsoft File Structures (Cntd) EFS Recovery Key Agent: The Recovery Key Agent implements the recovery certificate, which is in the Windows administrator account Windows administrators can recover a key in two ways: through Windows, or from a command prompt using either of the following two commands: cipher and copy For information on how to use these commands, type “copy /?” or “cipher /?” To recover an encrypted EFS file, a user can e-mail it or copy the file to the administrator, who can then run the Recovery Key Agent function to restore the file 36 Understanding Microsoft Startup Tasks Windows 10 boot processes are designed to run on multiple devices such as desktops, laptops, tablets, smartphones Boot process uses a boot configuration data (BCD) store, where for desktops and laptops a BCD Registry file in the \Boot\Bcd folder is maintained to control the boot process An investigator must learn what files are accessed when Windows starts as it helps him determine when a suspect’s computer was last accessed Particularly important with computers that might have been used after an incident was reported For additional information on Windows boot processes, refer to Insight of Operating System booting process – Windows 10 by Vinit Pandey 37 Final thoughts! Additional topics of interest that you should be aware of: Understanding Whole Disk Encryption Understanding the Windows Registry For these topics, refer to chapter 5 of “Guide to Computer Forensics and Investigations: Processing Digital Evidence,” by Bill Nelson et al. 38

Use Quizgecko on...
Browser
Browser