2. 2
Outline
●
File Systems
– File Systems Overview
– Windows File System (for Forensics)
●
Tools and Standards
– Forensics Tools
– Standards
– Revisiting File Systems
– http://www.cftt.nist.gov/NISTIR_7490.pdf
3. 3
Windows File System
●
Overview of File Systems
●
Microsoft File Structures
●
NTFS Disks (New Technology File System)
– Partitions, disks, etc.
●
Other concepts (Registries, startup tasks)
●
Virtual Machines
4. 4
File Systems
●
What is it?
– Structure of the data that is stored
– Linear file system, Hierarchical file system, etc.
●
Type of file system determines how the data is
stored on disk
●
File system is part of the OS; a file system is a
way for storing and organizing computer files
and the data they contain to make it easy to find
and access them.
●
Key aspects of file system include
– Boot sequence
– Disk drives
– File name, metadata, security access
5. 5
File Systems - 2
●
Boot sequence
– When a suspect’s computer starts, make sure it boots
to a forensic floppy disk/CD and not to the hard disk
– Booting to the hard disk may overwrite evidence
– Make modifications to CMOS setup
●
Disk drives
– Geometry, Head, Tracks, Cylinders, Sectors
●
Every file has a file name; metadata consists of
information about a file, access control policies may be
defined on a file
●
Types of file systems include disk file system, flash file
systems, database file systems, network file systems, - - -
6. 6
File Systems - 3
●
File systems typically have directories which associate file names
with files, usually by connecting the file name to an index in a file
allocation table (FAT in Windows, Inode in Unix)
●
Directory structures may be flat, or allow hierarchies where
directories may contain subdirectories.
●
In some file systems, file names are structured, with special
syntax for filename extensions and version numbers. In others, file
names are simple strings
●
Metadata
– The length of the data contained in a file may be stored as the
number of blocks allocated for the file or as an exact byte
count.
– The time that the file was last modified may be stored as the
file's timestamp; also file creation time, the time it was last
accessed
7. 7
Microsoft File Structures
●
Sectors
– Sectors are groped to for clusters which are the storage
allocations units.
– Cluster numbers are logical addresses and section numbers are
physical addresses.
●
Disk Partitions
●
Hard drive is partitioned. A partition is a logical drive.
●
Master Boot Record (MBR)
– Stores information about the partitions in a disk and their
locations, sizes etc.
●
FAT (File Allocation Table) Disks
– Original Microsoft file structure database
●
NTFS
– New Technology File System
8. 8
NTFS Disks
●
Overview of NTFS Disks
– Newer Microsoft products are based on new
Technology File System
– Everything written to a disk is considered s file
– First data set is the Partition Boot Sector
– Next is the Master File Table (similar to FAT)
– Uses Unicode
●
NTFS System Files
– The first file MFT ahs information in all the files
– Records in MFT are called metadata
9. 9
NTFS Disks - 2
●
NTFS Data Streams
– Ways data can be appended to existing files
– Can obscure evidence
●
NTFS Compressed Files
– Provides compression to improve data storage
●
Encryption
– Implements public key/private key method
– Whole disk encryption (Chapter 4) for extra protection for
certain information such as personal identity numbers.
●
Performance
– tune some of global NTFS parameters to achieve significant
increase of disk performance. Other techniques like disk
defragmentation could help
10. 10
NTFS Disks – 3 (Summary)
●
File Storage Hardware and Disk Organization
●
Hard Disk Drive Basics
– Making Tracks
– Sectors and Clusters
●
Master Boot Record (MBR)
– Viruses Can Infect the Master Boot Record
●
Partition Table
– Boot Indicator Field
– System ID Field
– Starting and Ending Head, Sector, and Cylinder Field
– Relative Sectors and Number of Sectors Fields
– Logical Drives and Extended Partitions
11. 11
NTFS Recovery
●
Why id Partition recovery needed
– MBR (Master Boot Record) is damaged
– Partition is deleted or Partition Table is damaged
– Partition Boot Sector is damaged
– Missing or Corrupted System Files
●
Partition/Drive Recovery
– "Physical partition recovery". The goal is to find out the
problem and write some information to the proper place on
HDD and after that partition becomes visible to OS again.
– "Virtual partition recovery". The goal is to determine the
critical parameters of the deleted/damaged/overwritten
partition and after that enable to scan it and display its
content.
12. 12
NTFS Recovery - 2
●
NTFS File Recovery
– Disk Scan for deleted entries
●
Disk Scan is a process of low-level enumeration of all entries
in the Root Folders; The goal is to find and
display deleted entries.
– Defining clusters chain for the deleted entry
●
To define clusters chain scan drive, going through one by
one all allocated and free clusters belonging to the file until
the file size equals to the total size of the selected clusters. If
the file is fragmented, clusters chain will be composed of
several extents.
– Clusters chain recovery
●
After clusters chain is defined read and save contents of the
defined clusters to another place verifying their contents.
13. 13
Other Concepts
●
Registry
– Registry is a database that stores initialization files
such as hardware/software configuration, network
connections, user preferences, setup information
– Set of tools (e.g., Registry editor) to view and modify
the data
●
Start-up tasks
– Forensics examiner must have a very good
understanding of what happens to the data during
start-up.
– E.g., What is the process, what are the files involved,
etc.
14. 14
Virtual Machines
●
An examiner may need lot more space than he has on
the machine he is using. The concept of Virtual machine
is used it overcome this limitation.
●
Virtual machine addresses the need for having a variety
of resources by creating the representation of another
computer on an existing physical computer.
●
A few files from the other computer is on the examiner’s
machine and space has to be allocated for this.
●
Also useful when one upgrades computer, but still has
some old applications. Therefore virtual machine of the
old OS is created.
15. 15
Forensics Tools
●
Hardware Forensics Tools
– Range from single purpose components (e.g.,
devices) to complete systems (forensics workstations)
●
Software Forensics Tools
– Analysis tools such ProDiscover and EnCase
16. 16
Functions of Forensics Tools
●
Acquisition
●
Validation and Discrimination
●
Extraction
●
Reconstruction
●
Reporting
●
Some forensics tools are (ProDiscover,
AccessData, EnCase)
17. 17
Functions of Forensics Tools - 2
●
Acquisition
– Tools for data acquisition
– Physical data copy, logical data copy, data acquiring
format, GUI acquisition
●
Validation and Discrimination
– Integrity of the data, Also includes hashing, filtering,
analyzing file headers
●
Extraction
– Recovery task
– Data viewing, Keyword searching, Decompressing
●
Reconstruction
●
Reporting
18. 18
Functions of Forensics Tools - 3
●
Reconstruction
– Recreate the crime scene (suspect drive)
– Disk to disk copy, Image to disk copy, etc.
●
Reporting
– Reporting generation tools help the examiner the
prepare report
– Also helps to log reports
19. 19
Software Tools
●
Command line forensics tools
●
Unix/Linux forensics tools
– SMART, Helix, Autopsy and Sleuth Kit
●
GUI Forensics Tools
– Visualizing the data is important to understand the
data
20. 20
Hardware Tools
●
Forensics workstations
– How to build a workstation
– What are the components
– How are the workstations connected in a lab
– How can distributed forensics be carried out
●
Write Blockers
– Write blocker devoices to protect evidence disks
21. 21
Validating Forensics Tools
●
NIST (National Institute of Standards and
Technology) is coming up with standards for
validation Establish categories for forensics tools,
Identify forensics category requirements,
Develop test assertions
– Identify test cases
– Establish test method
– Report test results
22. 22
NIST Standards
●
There are three digital forensics projects at the National
Institute of Standards and Technology (NIST).
●
These projects are supported by the U.S. Department of
Justice's National Institute of Justice (NIJ), federal, state, and
local law enforcement, and the National Institute of
Standards and Technology Office of Law Enforcement
Standards (OLES) to promote efficient and effective use of
computer technology in the investigation of crimes involving
computers.
●
These projects are the following:
– • National Software Reference Library (NSRL)
– • Computer Forensic Tool Testing (CFTT)
– • Computer Forensic Reference Data Sets (CFReDS)
23. 23
NSRL
●
The NSRL is designed to collect software from various sources
and incorporate file profiles computed from this software into a
Reference Data Set (RDS) including hashes of known files created
when software is installed on a computer. The law enforcement
community approached NIST requesting a software library and
signature database that meets four criteria:
– • The organizations involved in the implementation of the file
profiles must be unbiased and neutral.
– • Control over the quality of data provided by the database
must be maintained.
– • A repository of original software must be made available from
which data can be reproduced.
– • The database must provide a wide range of capabilities with
respect to the information that can be obtained from file
systems under investigation.
24. 24
NSRL
●
The primary focus of the NSRL is to aid computer
forensics examiners in their investigations of
computer systems.
●
The majority of stakeholders are in federal, state and
local law enforcement in the United States and
internationally.
●
These organizations typically use the NSRL data to
aid in criminal investigations.
25. 25
CFTT
●
The goal of the CFTT project at NIST is to establish a
methodology for testing computer forensic software tools
through the development of general tool specifications, test
procedures, test criteria, test sets, and test hardware. The
results provide the information necessary for toolmakers to
improve tools, for users to make informed choices about
acquiring and using computer forensics tools, and for
interested parties to understand the tools capabilities.
●
The testing methodology developed by NIST is functionality
driven. The activities of forensic investigations are separated
into discrete functions, such as hard disk write protection,
disk imaging, string searching, etc. A test methodology is then
developed for each category. After a test methodology is
developed it is posted to the web.
26. 26
CFReDS
●
The Computer Forensic Reference Data Sets (CFReDS)
provide to an investigator documented sets of simulated
digital evidence for examination.
●
Since CFReDS has documented contents, such as target
search strings seeded in known locations, investigators can
compare the results of searches for the target strings with the
known placement of the strings.
●
Investigators can use CFReDS in several ways including
validating the software tools used in their investigations,
equipment check out, training investigators, and proficiency
testing of investigators as part of laboratory accreditation.
●
The CFReDS site is a repository of images. Some images are
produced by NIST, often from the CFTT (tool testing)
project, and some are contributed by other organizations.
27. 27
CFReDS
●
In addition to test images, the CFReDS site contains
resources to aid in creating test images.
●
These creation aids are in the form of interesting data
files, useful software tools and procedures for specific
tasks.
●
The CFReDS web site is http://www.cfreds.nist.gov.
28. 28
International Standards
●
The Scientific Working Group on Digital Evidence (SWGDE) was established
in February 1998 through a collaborative effort of the Federal Crime Laboratory
Directors. SWGDE, as the U.S.-based component of standardization efforts
conducted by the International Organization on Computer Evidence (IOCE),
was charged with the development of cross-disciplinary guidelines and
standards for the recovery, preservation, and examination of digital evidence,
including audio, imaging, and electronic devices.
●
The following document was drafted by SWGDE and presented at the
International Hi-Tech Crime and Forensics Conference (IHCFC) held in
London, United Kingdom, October 4-7, 1999. It proposes the establishment of
standards for the exchange of digital evidence between sovereign nations and
is intended to elicit constructive discussion regarding digital evidence. This
document has been adopted as the draft standard for U.S. law enforcement
agencies.
●
http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.
29. 29
Macintosh Operating System
(MAC OS X)
●
Early MAC OS used HFS (Hierarchical file
system) OS X uses HFS+ (optional) and also
supports Unix File System
●
OS 9 supports Volumes. Volume can be all or
part of the storage media for hard disks
●
Newer MACs can be booted from CD, DVD,
Firewire drive. Older systems booted from hard
drive
●
Some forensics tools special for OS X. Some
other Windows tools can also be used
30. 30
Unix/Linux Operating System
●
Everything is a file including disk drives, monitors, tape
drives, network interface cards, etc.
●
Unix has four components for its file system
– Boot block, superblock, Inode, data block
– Block is smallest disk allocation
– Boot clock has bootstrap code, superblock has system
information, Inode is assignee to every file allocation unit.,
data blocks store directories and files
●
Forensic examiner must understand the boot process of
the operating system
●
Disk partitions in Unix/Linus is very different from
Windows. In Unix/Linux partitions are labeled as paths.