Fundamentals of Cyber Security and Digital Forensics - Module 4 PDF
Uploaded by DeservingBowenite3689
Ramrao Adik Institute of Technology
Dr. Gautam M Borkar
Summary
This document is Module 4 of a course on the fundamentals of cyber security and digital forensics. It contains lectures 28, 29 and 30, covering file system analysis (the FAT, FAT32, NTFS and ext file systems and file signatures), metadata and Windows registry analysis, and the Windows Recycle Bin, restore points and volume shadow copies.
Fundamentals of Cyber Security and Digital Forensics
Module 4
Dr. Gautam M Borkar

Contents
Lecture 28 - Digital Forensics: Dead Forensics - File System
Lecture 29 - Digital Forensics: Dead Forensics - Metadata and Registry
Lecture 30 - Digital Forensics: Dead Forensics - Recycle Bin and Shadow Copies

Module 4, Lecture 28: File System Analysis

File System Analysis
A file system is the way an operating system names files and arranges them on storage so that they can be found again. To store and retrieve files it keeps metadata about each one: creation date, modification date, size, and usually an owner and permissions. A file system can also restrict who may read a file, through permissions or encryption. Data is written to the medium in fixed-size sectors (typically 512 bytes or 4 KiB); rather than managing individual sectors, the file system allocates space in groups of sectors called blocks (clusters on FAT and NTFS). Space freed by deleting a file is only marked as unallocated and reused later, which is why the old content often survives on disk and can be recovered during dead analysis.

FAT File System
FAT (File Allocation Table) is a file system that operating systems use to locate files on a disk. Because of fragmentation a file may be split into pieces scattered across the disk; the allocation table records which clusters belong to each file and in what order, so the file system can reassemble it. FAT has existed since the first personal computers.

Features
File names
- MS-DOS FAT allows file names of only 8 characters, plus a 3-character extension (8.3 names).
- FAT on Windows supports long file names of up to 255 characters (VFAT long-name entries); the short 8.3 name is still stored alongside.
- A file name should start with an alphanumeric character.
- File names may use any character except the reserved set \ / : * ? " < > | and control characters.
- File names may contain spaces and more than one period; the characters after the last period are treated as the extension.
Security
- FAT has no folder or file security. Any user logged on to the computer locally has complete access to every file and folder on a FAT partition.
Performance
- FAT provides fast access to files.
The rate depends on the partition size, the file size, the file type and the number of files in the folder.

FAT32 File System
FAT32 is the later, larger-capacity version of FAT and can be used on volumes from 512 MB up to 2 TB.
Features
- More storage-efficient: it uses smaller clusters than FAT16 on the same volume size, so less space is wasted, and it supports volumes up to 2 TB.
- Better use of disk space for the same reason.
- Faster access to files on partitions smaller than 500 MB or larger than 2 GB.
- Two limits an examiner should know: a single file cannot exceed 4 GB minus one byte (which is why large evidence images written to FAT32 media are split into segments), and the Windows format tool refuses to create FAT32 volumes larger than 32 GB even though Windows reads larger ones.

NTFS File System
NTFS stands for New Technology File System.
Features
Naming
- A file name can be up to 255 characters long.
- File names may use any character except \ / : * ? " < > |.
- Names are case-preserving but, as seen by Windows applications, not case-sensitive.
Security
- NTFS provides folder and file security through NTFS permissions. Every file and folder carries an Access Control List (ACL) whose entries identify a user or group by security identifier (SID) together with the access rights granted or denied to it.
Capacity
- An NTFS volume can in theory be 16 EB. In practice older Windows versions were limited to 2 TB (the MBR partitioning limit); current versions support volumes of hundreds of TB.
- Files are not subject to FAT32's 4 GB limit; a single file can be as large as the free space on the volume allows.
- Compression: NTFS offers transparent per-file and per-folder compression. The commonly quoted saving is up to 50%, but the real ratio depends entirely on the data; already-compressed files gain nothing.
- Reliability: NTFS is a journaling file system. Changes to file and folder metadata are first recorded in a transaction log ($LogFile), so after a crash the volume can be brought back to a consistent state without a full disk check.
- Bad-cluster mapping: NTFS detects bad clusters, moves the data to good clusters where it can (on fault-tolerant volumes) and records the bad clusters in the $BadClus metadata file so they are never allocated again.

EXT File Systems
The Extended file system (ext), Second Extended file system (ext2) and Third Extended file system (ext3) were designed and implemented for Linux. ext is the oldest and was used on early Linux systems; ext2 became one of the most widely used Linux file systems; ext3 has the same on-disk layout and features as ext2 and adds journaling (ext4, its successor, is the default on most current distributions).
Features (ext2)
- Supports the standard Unix file types, i.e.
regular files, device special files, directories and symbolic links.
- Can manage file systems on very large partitions. Originally the file system size was limited to 2 GB; work in the VFS layer raised that to 4 TB (the figure from the original ext2 design; the actual limit depends on block size and kernel version).
- Reserves about 5% of the blocks for the superuser, so an administrator can still log in and recover when user processes have filled the file system.
- Offers a secure-deletion file attribute: when a file carrying the attribute is deleted, its blocks are overwritten with random data so that a later user cannot read the old content. Caveat: this attribute (chattr +s) is not honoured by ext2/ext3/ext4 in mainline Linux kernels, so an examiner should not assume that deleted data was wiped.

Windows File System (figure slide; no text recovered)
Linux/Unix File System (figure slide; no text recovered)
Linux/Unix File Hierarchy (figure slide; no text recovered)

File Formats
File signature: files with unusual extensions, or with a known extension that may have been changed to disguise the content, are analysed with the help of the file signature (magic number). A signature is a short fixed byte sequence at a known position, almost always the very start of the file. Its length depends on the format (2 bytes "MZ" for Windows executables, 4 bytes "PK\x03\x04" for ZIP-based containers such as .docx, 8 bytes for PNG), and a few formats place it at a fixed offset instead (ISO 9660 images carry "CD001" at offset 0x8001). Comparing the signature with the extension reveals renamed or disguised files.

File Formats (figure slide: table of common signatures)

Module 4, Lecture 29: Metadata and Registry Analysis

Metadata Analysis
Metadata is data about data: how, when and by whom a particular item was created, modified and formatted. In a dead analysis it comes from two places: the file system (creation, modification and access timestamps, owner, permissions) and the files themselves (document properties such as author and editing software, EXIF data in images).

Registry Analysis
An administrator interacts with the registry through an intermediate program such as the Registry Editor (regedit.exe). In dead forensics the examiner instead reads the hive files from the disk image: SYSTEM, SOFTWARE, SAM and SECURITY under %SystemRoot%\System32\config, and NTUSER.DAT in each user profile.
The registry has five root keys:
- HKEY_USERS: all actively loaded user profiles on the system.
- HKEY_CURRENT_USER: the actively loaded profile of the current user (a link to that user's subkey under HKEY_USERS).
- HKEY_LOCAL_MACHINE: system-wide information, including hardware settings and installed-software settings.
- HKEY_CURRENT_CONFIG: the hardware profile used during startup.
- HKEY_CLASSES_ROOT: file associations, i.e. which application is used to open each file type.
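To make the file-signature check from the File Formats slide concrete, here is an added example in Python (not part of the lecture slides). It goes slightly beyond the slide: the signature table covers signatures of different lengths and one at a non-zero offset, and it treats extensions that legitimately share a container (docx inside ZIP, dll inside the MZ/PE family) as matches. The signature table is a small subset of well-known magic numbers, and the sample "files" are constructed byte strings, not files recovered from a real system.

```python
"""Identify a file's real type from its signature (magic bytes) and flag
extension mismatches. Added example for this module, not lecture code.
SIGNATURES is a small constructed subset of well-known magic numbers and
SAMPLES are constructed in-memory "files"."""
import os
from typing import Dict, List, Optional

# (signature bytes, offset in file, canonical extension). Lengths vary from
# 2 bytes (MZ) to 8 bytes (PNG); ISO 9660 keeps its signature at offset 0x8001.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"\xff\xd8\xff", 0, "jpg"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),   # also docx/xlsx/pptx/jar/apk: all ZIP containers
    (b"MZ", 0, "exe"),           # DOS/PE executables, DLLs and drivers
    (b"\x7fELF", 0, "elf"),
    (b"GIF8", 0, "gif"),
    (b"CD001", 0x8001, "iso"),
]

# Extensions that are legitimately the same container as the canonical type.
EQUIVALENT = {
    "jpg": {"jpeg"},
    "zip": {"docx", "xlsx", "pptx", "jar", "apk"},
    "exe": {"dll", "sys", "scr"},
}


def identify(data: bytes) -> Optional[str]:
    """Return the canonical extension of the longest matching signature,
    or None when no known signature is present at its expected offset."""
    best = None
    for sig, offset, ext in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            if best is None or len(sig) > len(best[0]):
                best = (sig, ext)
    return best[1] if best else None


def check_file(name: str, data: bytes) -> Dict[str, object]:
    """Compare the extension a file claims with the type its signature proves."""
    claimed = os.path.splitext(name)[1].lstrip(".").lower()
    actual = identify(data)
    if actual is None:
        status = "unknown-signature"
    elif claimed == actual or claimed in EQUIVALENT.get(actual, set()):
        status = "match"
    else:
        status = "mismatch"   # renamed or disguised file: worth a closer look
    return {"name": name, "claimed": claimed, "actual": actual, "status": status}


# Constructed samples: a genuine PNG header, a PE executable renamed to look
# like a photo, a ZIP-based Office document and a plain text file.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "report.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 40,
    "notes.txt": b"just some text\n",
}


def scan(samples: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Run the check over every sample and return the verdicts."""
    return [check_file(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan(SAMPLES):
        print(f"{r['name']:12} claimed={r['claimed']:5} actual={str(r['actual']):5} {r['status']}")
```

On a real image the same loop would read the first few KiB of every file (enough to reach the 0x8001 offset) rather than whole files, and a "mismatch" verdict is a triage flag, not proof of wrongdoing: a text editor can legitimately save a file with any extension, so the flagged files still need manual review.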
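The key paths listed in the Registry Analysis slides that follow point at raw values that need decoding before they mean anything: ShutdownTime is an 8-byte FILETIME, ActiveTimeBias is a signed DWORD of minutes, Select\Current tells an offline examiner which ControlSet00N was live, and a USBSTOR subkey name packs vendor, product, revision and serial into one string. The Python below is an added example for this module, not lecture code. It assumes the value bytes have already been pulled out of the SYSTEM hive by a hive parser (python-registry, regipy or similar; their APIs are not used here), and the values it decodes are constructed in memory, except the USBSTOR key name, which is the one shown on the slide; the second USBSTOR key is constructed to show a Windows-generated instance ID.

```python
"""Decode raw values from the registry keys the Registry Analysis slides list.
Added example for this module, not lecture code. Assumes the value bytes were
already extracted from the SYSTEM hive by a hive parser; the bytes below are
constructed to match the documented value formats."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict


def filetime_to_datetime(raw: bytes) -> datetime:
    """FILETIME (REG_BINARY, 8 bytes): little-endian count of 100 ns intervals
    since 1601-01-01 UTC. Used by ...\\Control\\Windows\\ShutdownTime."""
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def active_time_bias_minutes(raw: bytes) -> int:
    """...\\Control\\TimeZoneInformation\\ActiveTimeBias is a signed REG_DWORD in
    minutes, defined so that UTC = local + bias (negative east of Greenwich)."""
    return int.from_bytes(raw, "little", signed=True)


def to_local(utc: datetime, bias_minutes: int) -> datetime:
    """Apply the machine's bias to a UTC timestamp: local = UTC - bias."""
    return utc.astimezone(timezone(timedelta(minutes=-bias_minutes)))


def current_control_set(select_current_raw: bytes) -> str:
    """HKLM\\SYSTEM\\Select\\Current (REG_DWORD) names the ControlSet00N that was
    live. An offline hive has no CurrentControlSet link, so resolve it here."""
    return f"ControlSet{int.from_bytes(select_current_raw, 'little'):03d}"


USBSTOR_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&\\]*)"
    r"\\(?P<instance>[^\\]+)$")


def parse_usbstor_key(key: str) -> Dict[str, object]:
    """Split a USBSTOR subkey path (Disk&Ven_x&Prod_y&Rev_z\\instance) into
    fields. The instance ID is the device serial number; when its second
    character is '&', Windows generated it because the device reported no
    serial, so it does not identify one particular physical stick."""
    m = USBSTOR_RE.match(key)
    if m is None:
        raise ValueError(f"not a USBSTOR disk key: {key}")
    fields: Dict[str, object] = dict(m.groupdict())
    instance = str(fields["instance"])
    fields["serial"] = instance.rsplit("&", 1)[0]   # drop the trailing "&0" suffix
    fields["serial_is_generated"] = len(instance) > 1 and instance[1] == "&"
    return fields


# Constructed sample values (not from a real hive), except the slide's USBSTOR key.
SHUTDOWN_RAW = (133497882000000000).to_bytes(8, "little")   # 2024-01-15 10:30:00 UTC
BIAS_RAW = (-330).to_bytes(4, "little", signed=True)         # UTC+05:30 (India Standard Time)
SELECT_CURRENT_RAW = (1).to_bytes(4, "little")               # -> ControlSet001
SLIDE_USBSTOR_KEY = r"Disk&Ven_JetFlash&Prod_Transcend_8GB&Rev_8.07\8LQZDCW8&0s"   # from the slide
GENERATED_USBSTOR_KEY = r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2f1a8b3c&0"  # constructed


def summarize() -> Dict[str, object]:
    """Combine the decoded values the way an examiner reports them."""
    shutdown_utc = filetime_to_datetime(SHUTDOWN_RAW)
    bias = active_time_bias_minutes(BIAS_RAW)
    return {
        "control_set": current_control_set(SELECT_CURRENT_RAW),
        "shutdown_utc": shutdown_utc.isoformat(),
        "shutdown_local": to_local(shutdown_utc, bias).isoformat(),
        "usb": [parse_usbstor_key(SLIDE_USBSTOR_KEY), parse_usbstor_key(GENERATED_USBSTOR_KEY)],
    }


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

Two habits this encodes: always report registry timestamps in UTC alongside the local time derived from the machine's own ActiveTimeBias (never the examiner's workstation zone), and never treat a generated USBSTOR instance ID as a device serial when matching a stick across machines.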
Registry Analysis (figure slide; no text recovered)

Registry Analysis
Computer name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName
When the system was last shut down: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows (value ShutdownTime, an 8-byte FILETIME in UTC)
Product name, current build and similar: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (values ProductName, CurrentBuild, InstallDate)
Time zone information: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation (ActiveTimeBias, in minutes, is needed to turn the UTC timestamps above into the machine's local time)
Note that CurrentControlSet exists only on a running system. In a hive taken from an image, read HKEY_LOCAL_MACHINE\SYSTEM\Select\Current to learn which ControlSet00N was in use.

Registry Analysis
Malware detection: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services (every service and driver loaded at boot, a common persistence location; check the ImagePath and Start values for unexpected entries)
User login:

Registry Analysis
USB removable storage: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_JetFlash&Prod_Transcend_8GB&Rev_8.07\8LQZDCW8&0s (the subkey name encodes vendor, product and revision; the instance subkey is the device serial number, or a Windows-generated ID with "&" as its second character when the device reports none)
Mounted devices: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices (maps drive letters and volume GUIDs to devices, including USB devices no longer attached)

Module 4, Lecture 30: Recycle Bin, Restore Points, Shadow Copies

Recycle Bin Analysis
Recycle Bin artifacts retain valuable information about each deleted item: its name, its original location before deletion, its size, and the date and time it was deleted. Windows keeps these artifacts in a hidden system folder.
For Windows 2000, NT, XP and 2003, the artifacts are stored in the INFO2 file inside the user's SID sub-folder: C:\RECYCLER\{SID}\INFO2
For Windows Vista, 7, 8, 10 and 11, the artifacts are stored in $I files, again inside the user's SID sub-folder, but the folder is now named $Recycle.Bin: C:\$Recycle.Bin\{SID}\$I######

Recycle Bin Analysis
The structure of Recycle Bin artifacts differs slightly between Windows versions.
On Windows 2000, NT, XP and 2003 the deleted items are renamed according to a fixed scheme and stored in the SID sub-folder of the user who deleted them; the INFO2 file holds the metadata (deletion date, original path and size) for every deleted item.
On Windows Vista, 7, 8, 10 and 11, deleting a file instead creates two new files, $R and $I, each followed by the same random six-character string. The $R###### file holds the content of the deleted item and the matching $I###### file holds its metadata (deletion date, original path and size). The $I layout changed in Windows 10: Vista through 8.1 write a fixed 520-byte path field (format version 1), while Windows 10 and 11 write a path-length field followed by the path (format version 2).

Windows Recycler / Windows Recycle Bin artifact
Both artifacts contain information about the items a user has deleted, for different Windows versions. The details you can view include:
- File Deletion Date - the date and time when the item was deleted.

Volume Shadow Copies Analysis
Shadow copies give a view of a volume at a point in the past, which lets an examiner discover changes to files and even see files that have since been deleted. Windows can take manual or automatic backup copies (snapshots) of files or whole volumes, even while they are in use. The feature is implemented by the Volume Shadow Copy service (VSS) and requires an NTFS volume to create and store the shadow copies. Shadow copies can be created on local and external volumes by any Windows component that uses this technology. For a forensic investigator they can recover deleted files and show what was happening on a system before the investigation began.
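Returning to the $I###### record described in the Recycle Bin slides above: the metadata it holds (deletion time, original size, original path) can be decoded with a short parser. The Python below is an added example for this module, not lecture code. It implements both documented $I layouts (version 1 for Vista through 8.1, version 2 for Windows 10 and 11) and builds its own sample records in memory, so the paths, sizes and timestamps are constructed rather than recovered from a real system.

```python
"""Parse the $I<id> metadata file of the Vista-and-later Windows Recycle Bin.
Added example for this module, not lecture code. The two records below are
constructed in memory to the documented layouts; nothing here comes from a
real $Recycle.Bin folder."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME: count of 100 ns intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_dollar_i(data: bytes) -> Dict[str, object]:
    """Decode one $I file: format version, original size, deletion time, original path.

    Both versions start with three little-endian 64-bit fields:
      0x00 version (1 = Vista..8.1, 2 = Windows 10/11)
      0x08 original file size in bytes
      0x10 deletion time as FILETIME
    Version 1 follows with a fixed 520-byte (260 UTF-16 chars) NUL-padded path.
    Version 2 follows with a 32-bit character count (including the terminating
    NUL) and then the UTF-16LE path of that length."""
    if len(data) < 24:
        raise ValueError("too short for a $I record")
    version, size, ftime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_utc": filetime_to_datetime(ftime),
        "original_path": path,
    }


def build_dollar_i(version: int, size: int, ftime: int, path: str) -> bytes:
    """Construct a $I record (the inverse of parse_dollar_i) for the samples."""
    head = struct.pack("<QQQ", version, size, ftime)
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


# Constructed records. FT is 2024-01-15 10:30:00 UTC expressed as a FILETIME.
FT = 133497882000000000
SAMPLE_V1 = build_dollar_i(1, 4096, FT, r"C:\Users\alice\Documents\plan.docx")
SAMPLE_V2 = build_dollar_i(2, 1048576, FT, r"C:\Users\alice\Desktop\secret.zip")


if __name__ == "__main__":
    for name, blob in (("$IABC123", SAMPLE_V1), ("$IXYZ789", SAMPLE_V2)):
        rec = parse_dollar_i(blob)
        print(name, "->", rec["original_path"], rec["original_size"],
              rec["deleted_utc"].isoformat())
```

On a real image the content belongs to the $R file with the same six-character id, so the parser's output is what lets you name and date a recovered $R###### blob. The $I file's own NTFS creation time should agree with the FILETIME inside it; a mismatch suggests the record was copied in or tampered with.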
Volume Shadow Copies in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS

Restore Points
System Restore settings are found in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
Rp.log is the restore point log file inside each restore point (RPxx) directory of Windows XP-style System Restore (under System Volume Information\_restore{GUID}). It contains a value indicating the type of the restore point and a descriptive name for the event that created it. Restore points exist so that the user can return the system to the state it was in when a restore point was created. Installing software usually creates one, named after the software being installed, as seen in the user interface shown on the slide.

Restore Points
A user can also create restore points manually; the name the user supplies is stored in the same place. The last 8 bytes of rp.log are a 64-bit Windows FILETIME giving the time the restore point was created. Restore points are also created before Windows Automatic Updates are installed, and before software or unsigned device drivers are installed, and are named accordingly.

Thank You