SEC524-L19-L21-Disk and File System Analysis.pdf
King Fahd University of Petroleum & Minerals, College of Computer Sciences & Engineering
SEC524 Computer and Network Forensics
Lectures 19 - 21: Disk and File System Analysis

These slides are based on:
- Guide to Computer Forensics and Investigations: Processing Digital Evidence, Bill Nelson et al. (Ch. 5)
- File System Forensic Analysis, Brian Carrier (Ch. 11)
- Mike Mabey's class notes

Outline
- Introduction
- Layers of Forensic Analysis
- Understanding File Systems
- Exploring Microsoft File Structures
- Understanding Microsoft Startup Tasks

Introduction
For disk and file system analysis, an investigator needs to understand:
- the purpose and structure of file systems
- Microsoft file structures
- Microsoft startup tasks
So we will:
- review how data is stored and managed in Microsoft operating systems, legacy and modern Windows included
- understand the file systems used by Windows
- briefly consider what controls OS startup, so that evidence is not altered when data on a drive is examined
We start by looking at the layers of forensic analysis as they relate to disk and file system analysis.

Layers of Forensic Analysis
Storage media analysis:
- Non-volatile storage such as hard disks and flash drives
- Organized into partitions / volumes: a collection of storage locations that a user or application can read from and write to
- A volume's contents are a file system, a database, or temporary swap space
Volume analysis:
- Analyze data at the volume level
- Determine where the file system or other data is located
- Determine where hidden data may be found
File system analysis:
- A file system is a collection of data structures that allow an application to create, read, and write files
- Purpose: to find files, to recover deleted files, and to find hidden data
- The result can be file content, data fragments, and the metadata associated with files
Application layer analysis:
- The structure of each file is determined by the application or OS that created it
- Purpose: to analyze file content and determine which program should be used to interpret it

Understanding File Systems
- To investigate digital evidence effectively, an investigator must understand how an OS works and how it stores files
- A file system gives an OS a road map to the data on a disk
- The type of file system an OS uses determines how data is laid out on the disk
- We focus only on Windows

Understanding the Boot Sequence
- To understand how an OS works, an investigator must first understand the boot sequence
- In practice this means knowing how to access and modify CMOS, BIOS and UEFI settings, so that the suspect's system is never booted from its own disk and evidence is not contaminated or altered
- A computer stores system configuration and date/time information in battery-backed CMOS memory so that it survives while the system is powered off
- The system firmware (BIOS or UEFI) contains the code that initializes the hardware, performs input and output at the hardware level during boot, and hands control to the OS loader
- Legacy BIOS firmware boots from a disk's Master Boot Record (MBR)
- EFI was developed by Intel as a replacement for the BIOS interface; its successor UEFI, maintained by the UEFI Forum, defines the interface between a computer's firmware and the OS and boots from disks formatted with a GUID Partition Table (GPT). Neither interface is tied to a 32- or 64-bit CPU; UEFI implementations exist for both
- When a subject's computer must be started, make sure it boots to a forensically configured CD/DVD/USB drive: booting the installed OS writes to the hard disk (logs, registry hives, page file, timestamps) and changes evidentiary data
- To do this, enter the firmware setup during the bootstrap process with the correct key(s) and change the boot order
- A safe method for verifying the firmware date/time without touching the disk is to remove all hard drives from the computer before powering it on

Understanding Disk Drives
- An investigator should be familiar with disk drives and how data is organized on a disk, so that data can be found effectively
- A review of hard disk geometry and related concepts follows

Hard Disk Geometry
- Head: the
device that reads and writes data on a platter surface
- Track: one of the concentric circles on a platter
- Cylinder: the column of tracks at the same position on all platters
- Sector: a section of a track

Tracks, Sectors, Clusters, Cylinders
- Platters are divided into concentric rings called tracks (A)
- Tracks are divided into wedge-shaped areas called sectors (C)
- A sector traditionally holds 512 bytes of data (modern drives use 4,096-byte physical sectors but usually still present 512-byte logical sectors)
- A collection of sectors is called a cluster or block (D)
- (B) is occasionally called a geometrical sector (uncommon usage)
- A cylinder is a three-dimensional concept consisting of all tracks in the same position vertically

CHS Addressing
- Identifies a sector (a physical block of data) by cylinder, head, and sector position within the track
- Tracks/cylinders are numbered from the outside in, starting at 0; all sectors of all tracks in cylinder 0 are filled before cylinder 1 is used
- Heads are numbered from the bottom up, starting at 0; all platters are double-sided, one head per side
- Sectors are numbered starting at 1 and typically hold 512 bytes
- The first sector on the disk has CHS address 0,0,1
- CHS addressing is limited to about 8.4 GB (1,024 cylinders x 256 heads x 63 sectors x 512 bytes): the MBR partition entries allocate only 24 bits to a CHS address (10 cylinder bits, 8 head bits, 6 sector bits)
- Solution: Logical Block Addressing (LBA)

Logical Block Addressing (LBA)
- A single linear sector number instead of three coordinates
- Starts at 0, so LBA 0 == CHS 0,0,1
- To convert from CHS you need the CHS address, the number of heads per cylinder, and the number of sectors per track:
  LBA = ((CYLINDER * heads_per_cylinder) + HEAD) * sectors_per_track + SECTOR - 1
- Example: on a disk with 16 heads per cylinder and 63 sectors per track, what is the LBA of CHS 2,3,4?
  Answer: LBA = ((2 * 16) + 3) * 63 + 4 - 1 = 2208

Solid-State Storage Devices
- Flash memory devices pose a challenge: if deleted data is not recovered promptly, it may be lost for good because of wear leveling and garbage collection
- When a file is deleted on a magnetic hard drive, only the references to it are removed; the original data stays in unallocated disk space, and forensic tools recover it by copying and carving the unallocated space
- On a solid-state drive, the controller continuously moves data at the physical level to cells that have seen fewer program/erase (P/E) cycles, so that all cells wear evenly (wear leveling)
- Flash cells tolerate only a limited number of P/E cycles (on the order of 100,000 for SLC flash, far fewer for MLC/TLC); reads do not wear cells appreciably. Once a cell reaches its limit it can no longer retain data reliably
- When data is moved, the old pages are marked invalid and tracked by the controller's garbage collector; at some point the firmware erases those blocks (an erase sets every bit to 1), and the OS can also tell the drive which blocks it no longer uses via TRIM, after which their content is generally unrecoverable
- With solid-state devices, make a full forensic copy as soon as possible if you may need to recover data from unallocated space
- For mobile device forensics this is critical, for example when a suspect deleted relevant messages just before the device was seized and taken into evidence

Exploring Microsoft File Structures
- Because most PCs run Microsoft software, an investigator should understand Microsoft file systems and how Windows and DOS computers store files
- This means understanding clusters, the File Allocation Table (FAT), the NT File System (NTFS), and the allocation method, which determines where
data can be hidden
- When examining a computer for evidence, explore these hiding places to determine whether they contain files or parts of files that might be evidence of a crime or policy violation
- In Microsoft file systems, sectors are grouped into clusters; cluster sizes range from 512 bytes (one sector) up to 32 KB, or larger on big NTFS and exFAT volumes
- The number of sectors per cluster depends on the volume size: a double-sided floppy disk has one sector per cluster, while a hard disk has four or more (eight sectors, a 4 KB cluster, is the default on most NTFS volumes)

Cluster and Sector Addresses
- Clusters are numbered sequentially, starting at 0 in NTFS and at 2 in FAT
- The first sector of a volume holds the boot sector, followed by the file system's system area (the FATs, or the NTFS metadata files)
- The OS assigns cluster numbers, called logical addresses; they are relative positions, so cluster 100 is 98 clusters after cluster 2
- Sector numbers are called physical addresses because they exist at the hardware or firmware level and run from 0 (the first sector on the disk) to the last sector on the disk
- Clusters and their addresses are specific to a logical drive, i.e., a disk partition

Disk Partitions
- A hard disk is partitioned into one or more sections, each a group of clusters, and each partition (also called a volume) forms a logical drive
- Common partitioning schemes have one or more tables, and each table entry describes a partition: starting sector, size or ending sector, and partition type
- An MBR disk can hold up to four primary partitions, or three primary partitions plus one extended partition that contains one or more logical drives
- Data can be hidden in hidden partitions or in voids, i.e., large unused gaps between partitions (partition gaps); for example, unallocated space can be left between primary or logical partitions
- It is possible to create a partition, add data to it, and
then remove the partition table entry so that Windows no longer shows it; the data can still be reached with a disk editor
- Another way to hide data is to use the end of the disk by declaring a smaller capacity than the drive really has (e.g., through a Host Protected Area); disk-editing tools can access such hidden or empty areas
- A disk editor (e.g., WinHex) can be used to examine a partition at the physical level and to view file headers and other critical parts of a file. This involves analyzing the key hex codes the OS uses to identify and maintain the file system; the partition-type codes that identify common file systems are listed on the next slide
- Examining a partition is referred to as partition/volume analysis and involves looking at the data structures and partition tables used for partitioning and assembling bytes on storage devices

Partition Tables
- The partition table is in the Master Boot Record (MBR), located at sector 0 (CHS 0,0,1) of the disk; the MBR is a special type of boot sector intended for legacy PCs and stores the disk layout
- MBR layout: 446 bytes of boot code, four 16-byte partition entries at offset 446 (0x1BE), and the signature 0x55AA in the last two bytes of the sector
- Using a hex editor such as WinHex (shown on the slide, right), you can find the partitions according to the table on the slide (left)
- In the extended part of the drive all partitions are logical partitions; the first sector of the extended partition holds a partition table similar to the MBR, whose second entry chains to the next logical partition
- Each partition entry has the structure shown on the slide: boot indicator (0x80 = bootable), starting CHS address (3 bytes), partition type, ending CHS address (3 bytes), starting LBA (4 bytes), and size in sectors (4 bytes)
- Because the starting LBA and size fields are 32-bit, the maximum addressable space with MBR is 2^32 sectors, i.e. 2 TiB (2^41 bytes) with 512-byte sectors
- For larger storage, the GUID Partition Table (GPT) is used; it is more involved and not covered here (see Wikipedia for details on GPT)

Partition Analysis Steps
1. Locate the partition tables
2.
Process the data structures to identify the layout, since the offset of each partition must be known. It is important to discover the whole layout because not every sector has to be assigned to a partition: unassigned sectors may hold data from a previous file system or data the suspect is trying to hide
3. Conduct consistency checks: to find where else evidence could be located besides inside each partition, compare each partition's start with the end of the previous one (and the last partition's end with the end of the disk) to find gaps, and check that no entries overlap or extend past the end of their parent (extended) partition

Note: an investigator can identify the OS on an unknown disk using a hex editor (e.g., WinHex) as follows:
1. Launch WinHex and click Tools, Open Disk from the menu to see the list of logical drives
2. Click the C drive (or the working drive) and click OK; the figure shows a typical hard disk in the WinHex window (the boot sector's OEM name and file system signature identify the format)

We now look at FAT-based and NTFS-based disks.

FAT-based Disks
- The FAT is the file-structure database used to organize files on a disk so that the OS can find the files it needs
- The FAT sits in the reserved area at the start of the volume (the outermost tracks of a hard disk); it records the cluster chains, while the directory entries record filenames, directory names, date and time stamps, starting cluster number, and file attributes (archive, hidden, ...)
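Going back to the LBA formula and the partition analysis steps above, here is an added worked example (not code from the slides, and not WinHex) that parses a legacy MBR, decodes the packed CHS bytes of each entry, cross-checks them against the LBA fields with the formula from the LBA slide, and lists the unallocated sector gaps that step 3 of the analysis tells you to look at. The 512-byte MBR is constructed in the script, and the geometry (16 heads, 63 sectors per track) and the partition-type table are assumptions for the example.

```python
"""Parse a legacy MBR partition table, cross-check its CHS and LBA fields,
and list the unallocated gaps an investigator should look at.

Added example for the CHS/LBA and partition-analysis slides; not code from
the slides or from any tool they mention. The 512-byte MBR is constructed
here, and the geometry (16 heads, 63 sectors/track) is an assumption.
"""
import struct

SECTOR = 512
PART_TYPES = {  # subset of the partition-type codes found in MBR entries
    0x00: "empty", 0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "extended",
    0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective", 0xEF: "EFI system",
}


def chs_to_lba(c, h, s, heads, spt):
    """LBA = ((C * heads_per_cylinder) + H) * sectors_per_track + S - 1."""
    return ((c * heads) + h) * spt + s - 1


def lba_to_chs(lba, heads, spt):
    """Inverse of chs_to_lba (sectors are numbered from 1)."""
    c, rem = divmod(lba, heads * spt)
    h, s = divmod(rem, spt)
    return c, h, s + 1


def unpack_chs(b):
    """Decode the packed 3-byte CHS field: byte0 = head; byte1 = sector (low 6
    bits) plus cylinder bits 8-9 (high 2 bits); byte2 = cylinder bits 0-7."""
    return ((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F


def pack_chs(c, h, s):
    return bytes([h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])


def parse_mbr(mbr, heads=16, spt=63):
    """Return one dict per used entry of the four 16-byte entries at offset 446."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong size or missing 0x55AA signature")
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        start, size = struct.unpack_from("<II", e, 8)   # 32-bit LBA fields: 2 TiB ceiling
        if e[4] == 0 and size == 0:
            continue
        chs = unpack_chs(e[1:4])
        parts.append({
            "index": i, "bootable": e[0] == 0x80, "type": e[4],
            "type_name": PART_TYPES.get(e[4], "unknown"),
            "start": start, "end": start + size - 1, "chs_start": chs,
            # A mismatch between the CHS and LBA fields is worth noting: a hand-edited
            # table, or CHS simply saturated at 1023/254/63 on a large disk.
            "chs_matches_lba": chs_to_lba(*chs, heads, spt) == start,
        })
    return parts


def check_layout(parts, total_sectors):
    """Consistency check: sector ranges outside every partition, plus overlapping entries."""
    gaps, overlaps, cursor = [], [], 1        # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] < cursor:
            overlaps.append(p["index"])
        elif p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps, overlaps


def _entry(boot, ptype, start, size, heads=16, spt=63):
    """Build one constructed 16-byte entry (CHS fields derived from the LBA ones)."""
    return (bytes([boot]) + pack_chs(*lba_to_chs(start, heads, spt)) + bytes([ptype])
            + pack_chs(*lba_to_chs(start + size - 1, heads, spt)) + struct.pack("<II", start, size))


# Constructed 8-cylinder disk (8 * 16 * 63 = 8064 sectors): an NTFS partition on
# cylinder 0 after the usual 63-sector reservation, an extended partition on
# cylinder 4, and deliberate unallocated gaps before, between and after them.
TOTAL_SECTORS = 8064
SAMPLE_MBR = (b"\x00" * 446 + _entry(0x80, 0x07, 63, 2016) + _entry(0x00, 0x05, 4032, 2016)
              + b"\x00" * 32 + b"\x55\xAA")

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print("gaps, overlaps:", check_layout(parts, TOTAL_SECTORS))
    print("CHS 2,3,4 ->", chs_to_lba(2, 3, 4, 16, 63))
```

On a real image, replace SAMPLE_MBR with the first 512 bytes of the disk; the extended partition found here is then walked by reading the sector at its start LBA and parsing it with the same routine (its first entry is the logical partition, relative to that sector, and its second entry chains to the next one). Any sector range reported by check_layout is a candidate for hidden data or remnants of an earlier layout.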
- FAT has three versions in current use: FAT16, FAT32, and exFAT (FAT12 survives on floppies and very small media)
- FAT16: used on older Microsoft OSs such as Windows 95 and Windows NT 3.5/4.0; supports partitions up to 2 GB with 32 KB clusters (4 GB with 64 KB clusters on Windows NT)
- FAT32: can address much larger drives (Windows formats FAT32 volumes up to 32 GB but reads larger ones)
- exFAT: developed for mobile personal storage such as flash memory devices and memory sticks; it can store very large files such as digital images, video, and audio
- Cluster sizes vary with the volume size and file system; for FAT32 the OS chooses the cluster size, from 1 sector (512 bytes) up to 128 sectors (64 KB)

Slack Space
- Microsoft OSs allocate disk space for files by cluster, which results in drive slack: unused space between the end of an active file's content and the end of its last cluster
- Drive slack includes RAM slack (found mainly in older Microsoft OSs, which padded the final sector with whatever happened to be in memory) and file slack (the remaining unused sectors of the cluster, which may still hold remnants of an earlier file)
- In newer Windows versions the remainder of the final sector is zeroed when data is written, so RAM slack contains no RAM data
- When a file outgrows its allocated cluster, the OS allocates another cluster, and as files grow the assigned clusters are chained together in the FAT
- Chained clusters are usually contiguous, but as files are created, deleted and expanded the chains become fragmented
- With a tool such as WinHex, you can view the cluster chain and see how FAT entries link clusters to one another

Deleting a File on FAT
- When a file is deleted, the only modifications are that the directory entry is marked deleted by replacing the first character of the filename with 0xE5, and the file's FAT chain entries are set to 0; the file's data remains on the disk
- The area of the disk where the deleted file resides becomes
unallocated disk space (aka "free disk space")
- The unallocated space is now available to hold new data from newly created files or from files that grow
- Most forensic tools can recover data still residing in this area, provided it has not been overwritten

NTFS-based Disks
- NTFS was introduced with Windows NT and is still the main file system in Windows 10 and 11
- Each Windows generation since NT has made minor changes to NTFS configuration and features
- NTFS offers substantial improvements over FAT: it keeps more information about a file, including security descriptors (ACLs), file ownership, and other attributes
- NTFS is a journaling file system: it records transactions such as file creation, deletion and saving in $LogFile before carrying them out, so after a power failure or other interruption the system can complete the transaction or roll back to the last good state
- In NTFS, everything written to the disk is considered a file
- On an NTFS volume, the first data set is the Partition Boot Sector ($Boot), which starts at sector 0 of the volume and can extend to 16 sectors; its BIOS parameter block records, among other things, the starting cluster of the MFT
- The Master File Table (MFT) is the first file on the volume (record 0); its location is read from the boot sector rather than being fixed immediately after it
- The MFT is created when a partition is formatted as NTFS, and NTFS reserves about 12.5% of the volume (the MFT zone) for it to grow into
- The reserved zone can be adjusted with fsutil behavior set mftzone, and as files are added the MFT can grow to as much as 50% of the volume
- An important advantage of NTFS over FAT is much less file slack, because small files are stored inside their MFT records

NTFS System Files
- Because everything on an NTFS disk is a file, the first file, the MFT, contains information about all files on the volume, including the system files the OS uses
- In the MFT, the first 16 records (0 to 15) are reserved for system files
- These records describe the NTFS metadata files (the slide's table lists the first 16): 0 $MFT, 1 $MFTMirr, 2 $LogFile, 3 $Volume, 4 $AttrDef, 5 . (root directory), 6 $Bitmap, 7 $Boot, 8 $BadClus, 9 $Secure, 10 $UpCase, 11 $Extend, 12-15 reserved

MFT and File Attributes
- In the MFT, every file and folder has its own record of 1,024 bytes containing its metadata
- The information is divided into fields called attributes, each identified by an attribute type ID, holding metadata about the file or folder and either the file's data or pointers to it
- Data is stored in one of two ways: resident or non-resident
- If a file is small enough for its metadata and data to fit in the record (roughly 700 bytes of data; the textbook uses the figure 512 bytes), everything is stored inside the MFT record and the file is called resident
- For larger files, the $DATA attribute in the MFT record holds cluster addresses (data runs) describing where the content lies on the volume; such an attribute is non-resident
- Each MFT record starts with a header whose first 4 bytes are the signature "FILE"; the header's 2-byte field at offset 0x14 gives the offset of the first attribute (typically 0x38 on current NTFS versions)
- Each attribute begins with its type ID followed, 4 bytes in, by a 4-byte length that defines where the attribute ends and the next one starts; the byte at offset 8 of the attribute flags whether it is resident (0) or non-resident (1), and the attribute list ends with the marker 0xFFFFFFFF

NTFS Alternate Data Streams
- Alternate data streams (ADS) allow data to be attached to an existing file, and they can obscure valuable evidentiary data, intentionally or by coincidence
- An alternate data stream is an additional named $DATA attribute in the file's MFT record; the file remains one data unit, and a stream can hold information about the file for a particular application
- For example, a graphics
program can store a thumbnail image of a bitmap in a named data stream within the NTFS file containing the image
- At a command prompt in Windows NT and later, you can create an alternate data stream with:
  C:\> echo text_string > myfile.txt:stream_name
- The stream does not appear in a plain dir listing (dir /R, available since Windows Vista, lists streams) and the file's reported size does not change
- You can display the stream's contents with notepad myfile.txt:stream_name; note that echo writes a trailing space and newline, so the stream is not byte-for-byte identical to text_string
- Alternate data streams are important from a forensics point of view; read chapter 11 of "File System Forensic Analysis" by Brian Carrier for more information

NTFS Encrypting File System (EFS)
- EFS is an optional encryption feature built into NTFS
- EFS uses public-key cryptography: each file is encrypted with a symmetric file encryption key, which is in turn encrypted to the certificate of the user who encrypted the file, so only that user (and any users or recovery agents added to the file) can decrypt it. EFS applies to files and folders, not to whole volumes
- When EFS is used on Windows 2000 and later, a recovery certificate is generated for the data recovery agent, by default the local Administrator account on a stand-alone machine
- The purpose of the recovery certificate is to provide a way to recover EFS-encrypted files if there is a problem with the user's original private key
- The recovery key is stored in one of two places: for a domain user, with the domain's administrator (recovery agent) account; on a stand-alone workstation, with the local Administrator account, which is a problem for the investigator when the suspect's account is the local administrator
- Users can apply EFS to files stored on their local workstation or on a remote server

EFS Recovery Key Agent
- The Recovery Key Agent (the data recovery agent) implements the recovery certificate, which is held by the Windows Administrator account
- Windows administrators can recover an encrypted file in two ways: through the Windows interface, or from a command prompt using cipher (to manage EFS keys and recovery agents) and copy (to move the file to the agent's machine); type cipher /? or copy /? for usage
- To recover an encrypted EFS file, a user can e-mail it or
copy the file to the administrator (recovery agent), who can then use the recovery agent's private key to decrypt and restore the file

Understanding Microsoft Startup Tasks
- The Windows 10 boot process is designed to run on many device types: desktops, laptops, tablets, smartphones
- It is driven by a Boot Configuration Data (BCD) store; on desktops and laptops the store is a registry hive file named BCD kept in the \Boot folder of the system partition (\EFI\Microsoft\Boot on UEFI systems)
- An investigator must learn which files are accessed and modified when Windows starts, because that helps determine when a suspect's computer was last booted; this is particularly important for computers that might have been used after an incident was reported
- For additional information on the Windows boot process, refer to "Insight of Operating System booting process - Windows 10" by Vinit Pandey

Final Thoughts
Additional topics you should be aware of:
- Understanding whole disk encryption
- Understanding the Windows Registry
For these topics, refer to chapter 5 of "Guide to Computer Forensics and Investigations: Processing Digital Evidence" by Bill Nelson et al.
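The FAT deletion behaviour described under "Deleting a File on FAT" above, as an added worked example (not code from the slides or from any forensic tool): it decodes 8.3 directory entries, follows FAT32 cluster chains, and recovers a deleted file whose entry begins with 0xE5 and whose chain has been zeroed. The tiny volume is constructed in memory with an assumed layout (512-byte sectors, one sector per cluster, the FAT in sector 1, data region starting at sector 2 with cluster 2 as the root directory); the file names and contents are made up.

```python
"""FAT32 directory entries, cluster chains, and carving a deleted file.

Added example for the FAT deletion slide (0xE5 marks the entry, the FAT chain
is zeroed, the data stays on disk); not code from the slides or from any tool
they mention. The volume is constructed here with an assumed layout:
512-byte sectors, one sector per cluster, FAT in sector 1, data region
(cluster 2 = root directory) starting at sector 2.
"""
import struct

SECTOR = CLUSTER = 512
DATA_START = 2                 # sector number of cluster 2 (assumed layout)
FAT_EOC = 0x0FFFFFF8           # FAT32 entries >= this mean end of chain


def parse_dir_entry(e):
    """Decode one 32-byte 8.3 directory entry; None marks the end of the directory."""
    if e[0] == 0x00:
        return None
    deleted = e[0] == 0xE5
    raw = (b"_" if deleted else e[:1]) + e[1:11]      # first letter is lost on delete
    name = raw[:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    hi, = struct.unpack_from("<H", e, 20)               # high 16 bits of start cluster (FAT32)
    lo, size = struct.unpack_from("<HI", e, 26)         # low 16 bits, then file size
    return {"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
            "attr": e[11], "start_cluster": (hi << 16) | lo, "size": size}


def list_dir(dir_bytes):
    entries = []
    for off in range(0, len(dir_bytes), 32):
        e = parse_dir_entry(dir_bytes[off:off + 32])
        if e is None:
            break
        entries.append(e)
    return entries


def cluster_chain(fat, start):
    """Follow FAT entries from start until end-of-chain, a zeroed (cut) entry, or a loop."""
    chain, c = [], start
    while 2 <= c < FAT_EOC and c not in chain:
        chain.append(c)
        c = fat[c] & 0x0FFFFFFF                         # FAT32 uses only 28 bits
    return chain


def read_clusters(vol, clusters):
    return b"".join(vol[(DATA_START + c - 2) * SECTOR:(DATA_START + c - 2) * SECTOR + CLUSTER]
                    for c in clusters)


def recover(vol, fat, entry):
    """Return (data, overwritten). A live file is read along its chain. A deleted
    file's chain is zeroed, so assume its clusters were contiguous from the start
    cluster (the usual heuristic) and flag it if any has since been reallocated."""
    n = -(-entry["size"] // CLUSTER)                    # ceil(size / cluster)
    if entry["deleted"]:
        clusters = list(range(entry["start_cluster"], entry["start_cluster"] + n))
        overwritten = any(fat[c] != 0 for c in clusters)
    else:
        clusters, overwritten = cluster_chain(fat, entry["start_cluster"]), False
    return read_clusters(vol, clusters)[:entry["size"]], overwritten


def _entry(name11, start, size, deleted=False):
    """Constructed 32-byte entry: 11-char name, attr 0x20, zeroed timestamps."""
    n = bytearray(name11.encode("ascii").ljust(11))
    if deleted:
        n[0] = 0xE5
    return (bytes(n) + b"\x20" + b"\0" * 8 + struct.pack("<H", start >> 16) + b"\0" * 4
            + struct.pack("<HI", start & 0xFFFF, size))


# Constructed volume: NOTES.TXT live in clusters 3->4; PLAN.TXT deleted, its data
# still in clusters 5-6 but both FAT entries zeroed and its entry marked 0xE5.
FAT = [0] * 128
FAT[0], FAT[1], FAT[2] = 0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF
FAT[3], FAT[4] = 4, 0x0FFFFFFF
ROOT = _entry("NOTES   TXT", 3, 700) + _entry("PLAN    TXT", 5, 600, deleted=True)
VOLUME = (b"\0" * SECTOR                                     # sector 0: boot sector
          + b"".join(struct.pack("<I", v) for v in FAT)      # sector 1: FAT (128 entries)
          + ROOT.ljust(CLUSTER, b"\0")                       # cluster 2: root directory
          + (b"A" * 700).ljust(2 * CLUSTER, b"\0")           # clusters 3-4
          + (b"B" * 600).ljust(2 * CLUSTER, b"\0"))          # clusters 5-6

if __name__ == "__main__":
    for e in list_dir(VOLUME[2 * SECTOR:3 * SECTOR]):
        data, clobbered = recover(VOLUME, FAT, e)
        print(e["name"], "deleted" if e["deleted"] else "live", len(data), "bytes",
              "(some clusters reallocated)" if clobbered else "")
```

The contiguity assumption in recover is exactly why fragmented deleted files come back corrupted from simple undelete tools; a forensic suite would additionally validate the carved content (file signature, internal structure) before trusting it.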
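The MFT record layout described under "MFT and File Attributes" above, together with the alternate data stream slide, as an added worked example (not code from the slides or from any tool they name): it checks the "FILE" signature, applies the update-sequence fixups NTFS writes into the last two bytes of each sector, reads the first-attribute offset at 0x14, walks the attributes by their 4-byte length field, decodes resident content and non-resident data runs, and reports named $DATA attributes as alternate data streams. The 1,024-byte record is constructed in memory (no volume is read); the file name, stream name and cluster numbers are made up.

```python
"""Walk an NTFS MFT record: FILE header, fixups, attributes, data runs.

Added example for the "MFT and File Attributes" and "Alternate Data Streams"
slides; not code from the slides or from any tool they name. The 1,024-byte
record is constructed here; offsets follow the on-disk NTFS 3.x layout.
"""
import struct

RECORD_SIZE, SECTOR = 1024, 512
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP"}


def apply_fixups(raw):
    """NTFS replaces the last 2 bytes of each sector with the update sequence number
    (USN) and parks the real bytes in the update sequence array; undo that."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_count):
        pos = i * SECTOR - 2
        if rec[pos:pos + 2] != usn:          # torn write or corruption: do not trust record
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        rec[pos:pos + 2] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def decode_runs(buf):
    """Data runs -> [(start_cluster, cluster_count)]. The header nibbles give the
    byte widths of the length and the offset; offsets are signed and relative."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        lcn += int.from_bytes(buf[pos + 1 + len_sz:pos + 1 + len_sz + off_sz], "little", signed=True)
        runs.append((lcn, length))
        pos += 1 + len_sz + off_sz
    return runs


def parse_record(raw):
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT record (signature %r)" % raw[:4])
    rec = apply_fixups(raw)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)   # 0x14: offset of first attribute
    out = {"in_use": bool(flags & 1), "directory": bool(flags & 2), "attrs": []}
    pos = first_attr
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)      # length sits 4 bytes into the attribute
        if atype == 0xFFFFFFFF or alen == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        a = {"type": ATTR_NAMES.get(atype, hex(atype)), "resident": not nonres,
             "name": rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")}
        if nonres:
            run_off, = struct.unpack_from("<H", rec, pos + 0x20)
            a["real_size"], = struct.unpack_from("<Q", rec, pos + 0x30)
            a["runs"] = decode_runs(rec[pos + run_off:pos + alen])
        else:
            csize, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            a["content"] = rec[pos + coff:pos + coff + csize]
            if atype == 0x30:   # $FILE_NAME: name length at 0x40, UTF-16LE name at 0x42
                a["file_name"] = a["content"][0x42:0x42 + 2 * a["content"][0x40]].decode("utf-16-le")
        out["attrs"].append(a)
        pos += alen
    return out


def alternate_streams(parsed):
    """Every named $DATA attribute is an alternate data stream."""
    return [a["name"] for a in parsed["attrs"] if a["type"] == "$DATA" and a["name"]]


# --- builders for the constructed sample record (header layouts as on disk) -----
def build_attr(atype, name="", content=None, run_bytes=None, real_size=0):
    nb = name.encode("utf-16-le")
    if run_bytes is None:                                    # resident form, 0x18-byte header
        coff = (0x18 + len(nb) + 7) & ~7
        body = struct.pack("<IIBBHHHIHBB", atype, 0, 0, len(name), 0x18, 0, 0,
                           len(content), coff, 0, 0) + nb
        body = body.ljust(coff, b"\0") + content
    else:                                                    # non-resident form, 0x40-byte header
        roff = (0x40 + len(nb) + 7) & ~7
        clusters = sum(n for _, n in decode_runs(run_bytes))
        body = struct.pack("<IIBBHHHQQHHIQQQ", atype, 0, 1, len(name), 0x40, 0, 0, 0,
                           clusters - 1, roff, 0, 0, clusters * 4096, real_size, real_size) + nb
        body = body.ljust(roff, b"\0") + run_bytes
    body = body.ljust((len(body) + 7) & ~7, b"\0")
    return body[:4] + struct.pack("<I", len(body)) + body[8:]


def build_record(attrs, flags=1, usn=b"\x07\x00"):
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, flags,
                                0, RECORD_SIZE, 0, 0, 0, 0)
    rec = bytearray((hdr + b"\0" * 8 + b"".join(attrs) + b"\xFF" * 4).ljust(RECORD_SIZE, b"\0"))
    rec[0x30:0x36] = usn + bytes(rec[510:512]) + bytes(rec[1022:1024])  # USA: USN, then saved bytes
    rec[510:512] = usn
    rec[1022:1024] = usn
    return bytes(rec)


FNAME = "report.txt"
SAMPLE_RECORD = build_record([
    build_attr(0x10, content=b"\0" * 48),                                 # $STANDARD_INFORMATION
    build_attr(0x30, content=b"\0" * 0x40 + bytes([len(FNAME), 3]) + FNAME.encode("utf-16-le")),
    build_attr(0x80, content=b"quarterly numbers"),                       # unnamed resident $DATA
    # ADS "secret", non-resident: 16 clusters at LCN 256, then 4 clusters at LCN 240 (offset -16)
    build_attr(0x80, name="secret", run_bytes=b"\x21\x10\x00\x01\x11\x04\xF0\x00", real_size=70000),
])
```

Calling parse_record(SAMPLE_RECORD) yields the four attributes in order, with the unnamed $DATA content inline and the "secret" stream's clusters as [(256, 16), (240, 4)]; alternate_streams() on the result returns ["secret"]. On a real image, read 1,024 bytes at the MFT start cluster from the boot sector plus 1,024 * record_number and pass them in; the fixup check is what tells you a record was torn by a crash rather than merely odd.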