COMPUTER FORENSICS
ISC541
(LECTURE 8)
03-10-2018
Outline
● File Systems
  – File Systems Overview
  – Windows File System (for Forensics)
● Tools and Standards
  – Forensics Tools
  – Standards
  – Revisiting File Systems
  – http://www.cftt.nist.gov/NISTIR_7490.pdf
Windows File System
● Overview of File Systems
● Microsoft File Structures
● NTFS Disks (New Technology File System)
  – Partitions, disks, etc.
● Other concepts (Registries, startup tasks)
● Virtual Machines
File Systems
● What is it?
  – Structure of the data that is stored
  – Linear file system, hierarchical file system, etc.
● The type of file system determines how the data is stored on disk
● The file system is part of the OS; a file system is a way of storing and organizing computer files and the data they contain so that they are easy to find and access.
● Key aspects of a file system include
  – Boot sequence
  – Disk drives
  – File name, metadata, security access
File Systems - 2
● Boot sequence
  – When a suspect's computer starts, make sure it boots to a forensic floppy disk/CD and not to the hard disk
  – Booting to the hard disk may overwrite evidence
  – Make modifications to the CMOS setup
● Disk drives
  – Geometry: heads, tracks, cylinders, sectors
● Every file has a file name; metadata consists of information about a file; access control policies may be defined on a file
● Types of file systems include disk file systems, flash file systems, database file systems, network file systems, etc.
File Systems - 3
● File systems typically have directories which associate file names with files, usually by connecting the file name to an index in a file allocation table (FAT in Windows, inode in Unix)
● Directory structures may be flat, or allow hierarchies where directories may contain subdirectories.
● In some file systems, file names are structured, with special syntax for filename extensions and version numbers. In others, file names are simple strings.
● Metadata
  – The length of the data contained in a file may be stored as the number of blocks allocated for the file or as an exact byte count.
  – The time that the file was last modified may be stored as the file's timestamp; also the file creation time and the time it was last accessed.
Microsoft File Structures
● Sectors
  – Sectors are grouped to form clusters, which are the storage allocation units.
  – Cluster numbers are logical addresses and sector numbers are physical addresses.
● Disk Partitions
  – The hard drive is partitioned. A partition is a logical drive.
● Master Boot Record (MBR)
  – Stores information about the partitions on a disk and their locations, sizes, etc.
● FAT (File Allocation Table) Disks
  – Original Microsoft file structure database
● NTFS
  – New Technology File System
NTFS Disks
● Overview of NTFS Disks
  – Newer Microsoft products are based on the New Technology File System
  – Everything written to a disk is considered a file
  – The first data set is the Partition Boot Sector
  – Next is the Master File Table (similar to the FAT)
  – Uses Unicode
● NTFS System Files
  – The first file, the MFT, has information on all the files
  – Records in the MFT are called metadata
NTFS Disks - 2
● NTFS Data Streams
  – Ways data can be appended to existing files
  – Can obscure evidence
● NTFS Compressed Files
  – Provides compression to improve data storage
● Encryption
  – Implements a public key/private key method
  – Whole disk encryption (Chapter 4) for extra protection of certain information such as personal identity numbers.
● Performance
  – Tune some global NTFS parameters to achieve a significant increase in disk performance. Other techniques such as disk defragmentation can also help.
NTFS Disks - 3 (Summary)
● File Storage Hardware and Disk Organization
● Hard Disk Drive Basics
  – Making Tracks
  – Sectors and Clusters
● Master Boot Record (MBR)
  – Viruses can infect the Master Boot Record
● Partition Table
  – Boot Indicator Field
  – System ID Field
  – Starting and Ending Head, Sector, and Cylinder Fields
  – Relative Sectors and Number of Sectors Fields
  – Logical Drives and Extended Partitions
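The partition-table fields listed above (boot indicator, system ID, starting/ending CHS, relative sectors, number of sectors) are the ones an examiner reads first when deciding whether an MBR is intact. The following is an added example, not code from the lecture: it decodes the four 16-byte entries at offset 446 of a 512-byte sector, checks the 0x55AA signature, and refuses to parse a sector without it, which is the symptom of the "MBR is damaged" case on the recovery slides. The sample sector is constructed in memory, and the system-ID table is a small illustrative subset.

```python
"""Parse a classic MBR partition table from one 512-byte sector.

Added example; the sample sector built by sample_mbr() is constructed, not
taken from a real disk.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xAA"

# A few well-known System ID (partition type) values; illustrative, not exhaustive.
SYSTEM_IDS = {
    0x00: "empty",
    0x05: "extended",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x83: "Linux",
}


def decode_chs(raw: bytes):
    """Decode a 3-byte CHS field into (head, sector, cylinder).

    Byte 0 is the head; byte 1 holds the 6-bit sector number in its low bits and
    the two high bits of the cylinder in its top two bits; byte 2 holds the low
    8 bits of the cylinder.
    """
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return head, sector, cylinder


def parse_partition_table(sector: bytes):
    """Return one dict per non-empty partition entry.

    Raises ValueError when the sector is not 512 bytes or lacks the 0x55AA boot
    signature, the first check made when an MBR is suspected to be damaged.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: MBR damaged or not an MBR")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        raw = sector[off:off + ENTRY_SIZE]
        boot_indicator = raw[0]
        start_chs = decode_chs(raw[1:4])
        system_id = raw[4]
        end_chs = decode_chs(raw[5:8])
        relative_sectors, number_of_sectors = struct.unpack_from("<II", raw, 8)
        if system_id == 0x00 and number_of_sectors == 0:
            continue                      # unused slot
        entries.append({
            "index": i,
            "bootable": boot_indicator == 0x80,
            "system_id": system_id,
            "type": SYSTEM_IDS.get(system_id, "unknown"),
            "start_chs": start_chs,
            "end_chs": end_chs,
            "relative_sectors": relative_sectors,   # LBA of the partition's first sector
            "number_of_sectors": number_of_sectors,
            "end_lba": relative_sectors + number_of_sectors - 1,
        })
    return entries


def build_entry(bootable, system_id, relative_sectors, number_of_sectors):
    """Build one 16-byte entry for the constructed sample (CHS fields left zero)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00\x00\x00",
                       system_id, b"\x00\x00\x00", relative_sectors, number_of_sectors)


def sample_mbr():
    """Constructed MBR: one bootable NTFS partition followed by one Linux partition."""
    table = (build_entry(True, 0x07, 2048, 204800)
             + build_entry(False, 0x83, 206848, 409600)
             + bytes(ENTRY_SIZE) * 2)
    return bytes(PARTITION_TABLE_OFFSET) + table + MBR_SIGNATURE


if __name__ == "__main__":
    for entry in parse_partition_table(sample_mbr()):
        print(entry)
```

Against a real image, read the first 512 bytes of the disk (not of a partition) and pass them in; an extended partition (system ID 0x05 or 0x0F) points at a further chain of boot sectors that this parser does not follow.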
NTFS Recovery
● Why is partition recovery needed?
  – The MBR (Master Boot Record) is damaged
  – A partition is deleted or the partition table is damaged
  – The partition boot sector is damaged
  – Missing or corrupted system files
● Partition/Drive Recovery
  – "Physical partition recovery". The goal is to find the problem and write the correct information to the proper place on the HDD, after which the partition becomes visible to the OS again.
  – "Virtual partition recovery". The goal is to determine the critical parameters of the deleted/damaged/overwritten partition, and then to scan it and display its contents.
NTFS Recovery - 2
● NTFS File Recovery
  – Disk scan for deleted entries
    ● A disk scan is a low-level enumeration of all entries in the root folders; the goal is to find and display deleted entries.
  – Defining the cluster chain for the deleted entry
    ● To define the cluster chain, scan the drive, going one by one through all allocated and free clusters belonging to the file until the file size equals the total size of the selected clusters. If the file is fragmented, the cluster chain will be composed of several extents.
  – Cluster chain recovery
    ● After the cluster chain is defined, read the contents of the defined clusters and save them to another place, verifying their contents.
Other Concepts
● Registry
  – The Registry is a database that stores initialization files such as hardware/software configuration, network connections, user preferences and setup information
  – A set of tools (e.g., the Registry editor) is available to view and modify the data
● Start-up tasks
  – The forensics examiner must have a very good understanding of what happens to the data during start-up.
  – E.g., what is the process, what files are involved, etc.
Virtual Machines
● An examiner may need a lot more space than is available on the machine being used. The concept of a virtual machine is used to overcome this limitation.
● A virtual machine addresses the need for a variety of resources by creating a representation of another computer on an existing physical computer.
● A few files from the other computer reside on the examiner's machine, and space has to be allocated for this.
● Also useful when one upgrades a computer but still has some old applications; a virtual machine of the old OS is then created.
Forensics Tools
● Hardware Forensics Tools
  – Range from single-purpose components (e.g., devices) to complete systems (forensics workstations)
● Software Forensics Tools
  – Analysis tools such as ProDiscover and EnCase
Functions of Forensics Tools
● Acquisition
● Validation and Discrimination
● Extraction
● Reconstruction
● Reporting
● Some forensics tools are ProDiscover, AccessData and EnCase
Functions of Forensics Tools - 2
● Acquisition
  – Tools for data acquisition
  – Physical data copy, logical data copy, data acquisition format, GUI acquisition
● Validation and Discrimination
  – Integrity of the data; also includes hashing, filtering, analyzing file headers
● Extraction
  – Recovery task
  – Data viewing, keyword searching, decompressing
● Reconstruction
● Reporting
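The "Validation and Discrimination" function above bundles three distinct checks: hashing an image to prove it is unchanged, filtering out files whose hashes appear in a reference set of known files (the role the NSRL Reference Data Set plays later in this lecture), and comparing each file's header bytes with the type its extension claims. The following is an added example, not code from the lecture or from any of the tools named: the sample files, the reference hash set and the signature table are constructed and illustrative, and a real examination would load a published reference set and use whichever hash algorithm that set is keyed by.

```python
"""Validation and discrimination: hash files, drop files whose hash is in a
known-file reference set, and flag files whose header does not match their
extension.

Added example. The sample files and the reference hash set are constructed
here, not NSRL data; the signature table is a small illustrative subset.
"""
import hashlib

# Leading bytes ("magic numbers") of a few common file types.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}

# Extensions that legitimately carry one of the headers above under another name.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "dll": "exe"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def header_type(data: bytes):
    """Type implied by the file header, or None when no known signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension_type(name: str) -> str:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXT_ALIASES.get(ext, ext)


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Integrity check: the working copy must hash to the value recorded at acquisition."""
    return sha256_hex(image) == acquisition_hash


def triage(files, known_hashes):
    """files: {name: bytes}. Returns {name: {"sha256", "header", "ext", "status"}}
    where status is known (filtered out), mismatch, unknown-type or review."""
    report = {}
    for name, data in files.items():
        digest = sha256_hex(data)
        header = header_type(data)
        ext = extension_type(name)
        if digest in known_hashes:
            status = "known"          # matches the reference set: no further review
        elif header is None:
            status = "unknown-type"   # no signature matched: needs a manual look
        elif header != ext:
            status = "mismatch"       # e.g. a ZIP container renamed to .pdf
        else:
            status = "review"
        report[name] = {"sha256": digest, "header": header, "ext": ext, "status": status}
    return report


def build_sample_case():
    """Constructed evidence files plus a reference set holding the OS binary's hash."""
    os_binary = b"MZ" + bytes(62) + b"PE\x00\x00" + bytes(64)
    files = {
        "notepad.exe": os_binary,
        "vacation.jpg": b"\xff\xd8\xff\xe0" + bytes(32),
        "invoice.pdf": b"PK\x03\x04" + bytes(32),   # ZIP data carrying a .pdf name
        "notes.txt": b"plain text, no signature",
        "report.docx": b"PK\x03\x04" + bytes(32),   # Office file: ZIP header expected
    }
    known = {sha256_hex(os_binary)}
    return files, known


if __name__ == "__main__":
    files, known = build_sample_case()
    for name, row in triage(files, known).items():
        print(f"{name:14} {row['status']:12} header={row['header']} ext={row['ext']}")
```

The "known" status is what makes a reference set useful: files that hash to a known operating-system or application file are set aside, so examiner time goes to the mismatches and the unrecognised files.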
Functions of Forensics Tools - 3
● Reconstruction
  – Recreate the crime scene (suspect drive)
  – Disk-to-disk copy, image-to-disk copy, etc.
● Reporting
  – Report generation tools help the examiner prepare the report
  – Also help to log reports
Software Tools
● Command line forensics tools
● Unix/Linux forensics tools
  – SMART, Helix, Autopsy and Sleuth Kit
● GUI Forensics Tools
  – Visualizing the data is important to understand the data
Hardware Tools
● Forensics workstations
  – How to build a workstation
  – What are the components
  – How are the workstations connected in a lab
  – How can distributed forensics be carried out
● Write Blockers
  – Write blocker devices to protect evidence disks
Validating Forensics Tools
● NIST (National Institute of Standards and Technology) is coming up with standards for validation:
  – Establish categories for forensics tools
  – Identify forensics category requirements
  – Develop test assertions
  – Identify test cases
  – Establish test method
  – Report test results
NIST Standards
● There are three digital forensics projects at the National Institute of Standards and Technology (NIST).
● These projects are supported by the U.S. Department of Justice's National Institute of Justice (NIJ), federal, state, and local law enforcement, and the National Institute of Standards and Technology Office of Law Enforcement Standards (OLES) to promote efficient and effective use of computer technology in the investigation of crimes involving computers.
● These projects are the following:
  – National Software Reference Library (NSRL)
  – Computer Forensic Tool Testing (CFTT)
  – Computer Forensic Reference Data Sets (CFReDS)
NSRL
● The NSRL is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) including hashes of known files created when software is installed on a computer. The law enforcement community approached NIST requesting a software library and signature database that meets four criteria:
  – The organizations involved in the implementation of the file profiles must be unbiased and neutral.
  – Control over the quality of data provided by the database must be maintained.
  – A repository of original software must be made available from which data can be reproduced.
  – The database must provide a wide range of capabilities with respect to the information that can be obtained from file systems under investigation.
NSRL
● The primary focus of the NSRL is to aid computer forensics examiners in their investigations of computer systems.
● The majority of stakeholders are in federal, state and local law enforcement in the United States and internationally.
● These organizations typically use the NSRL data to aid in criminal investigations.
CFTT
● The goal of the CFTT project at NIST is to establish a methodology for testing computer forensic software tools through the development of general tool specifications, test procedures, test criteria, test sets, and test hardware. The results provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for interested parties to understand the tools' capabilities.
● The testing methodology developed by NIST is functionality driven. The activities of forensic investigations are separated into discrete functions, such as hard disk write protection, disk imaging, string searching, etc. A test methodology is then developed for each category. After a test methodology is developed it is posted to the web.
CFReDS
● The Computer Forensic Reference Data Sets (CFReDS) provide an investigator with documented sets of simulated digital evidence for examination.
● Since CFReDS has documented contents, such as target search strings seeded in known locations, investigators can compare the results of searches for the target strings with the known placement of the strings.
● Investigators can use CFReDS in several ways, including validating the software tools used in their investigations, equipment check-out, training investigators, and proficiency testing of investigators as part of laboratory accreditation.
● The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations.
CFReDS
● In addition to test images, the CFReDS site contains resources to aid in creating test images.
● These creation aids are in the form of interesting data files, useful software tools and procedures for specific tasks.
● The CFReDS web site is http://www.cfreds.nist.gov.
International Standards
● The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices.
● The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies.
● http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.
Macintosh Operating System (MAC OS X)
● Early Mac OS used HFS (Hierarchical File System); OS X uses HFS+ (optional) and also supports the Unix File System
● OS 9 supports volumes. A volume can be all or part of the storage media of a hard disk
● Newer Macs can be booted from CD, DVD or FireWire drive. Older systems booted from the hard drive
● Some forensics tools are specific to OS X. Some other Windows tools can also be used
Unix/Linux Operating System
● Everything is a file, including disk drives, monitors, tape drives, network interface cards, etc.
● Unix has four components for its file system
  – Boot block, superblock, inode, data block
  – A block is the smallest disk allocation unit
  – The boot block has bootstrap code, the superblock has system information, an inode is assigned to every file allocation unit, and data blocks store directories and files
● The forensic examiner must understand the boot process of the operating system
● Disk partitions in Unix/Linux are very different from Windows. In Unix/Linux partitions are labeled as paths.
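The boot block / superblock / inode / data block layout above is concrete on an ext2-family volume: the boot block is the first 1024 bytes, the superblock is the next 1024 and carries the "system information" the slide refers to (block size, block and inode counts, group geometry), and data blocks are addressed by volume-relative block number. The following is an added example, not code from the lecture: it reads the superblock from a constructed image, checks the 0xEF53 magic (a wrong value is the usual sign of a damaged or overwritten superblock), and derives the block size and block-group count. Field offsets follow the ext2 on-disk layout, which ext3 and ext4 keep for these leading fields; only the fields used here are filled in the sample.

```python
"""Locate and decode the superblock of an ext2-style Unix volume.

Added example; the volume image is constructed in memory and only the
superblock fields used here are filled in.
"""
import struct

BOOT_BLOCK_SIZE = 1024               # boot block: first 1024 bytes of the volume
SUPERBLOCK_OFFSET = BOOT_BLOCK_SIZE  # superblock follows it
SUPERBLOCK_SIZE = 1024
EXT2_MAGIC = 0xEF53                  # s_magic, 16-bit little-endian at offset 56


def parse_superblock(image: bytes) -> dict:
    """Return the key superblock fields; raise ValueError when the magic is wrong."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < 88:
        raise ValueError("image too small to contain a superblock")
    magic, = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_MAGIC:
        raise ValueError(f"bad superblock magic 0x{magic:04X}: damaged or not ext2/3/4")
    # offsets 0..27: s_inodes_count, s_blocks_count, s_r_blocks_count,
    # s_free_blocks_count, s_free_inodes_count, s_first_data_block, s_log_block_size
    (inodes_count, blocks_count, _reserved_blocks, free_blocks, free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    # offsets 32..43: s_blocks_per_group, s_frags_per_group, s_inodes_per_group
    blocks_per_group, _frags_per_group, inodes_per_group = struct.unpack_from("<3I", sb, 32)
    block_size = 1024 << log_block_size
    groups = -(-(blocks_count - first_data_block) // blocks_per_group)   # ceiling
    return {
        "inodes_count": inodes_count,
        "blocks_count": blocks_count,
        "free_blocks": free_blocks,
        "free_inodes": free_inodes,
        "first_data_block": first_data_block,
        "block_size": block_size,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "block_groups": groups,
        "volume_bytes": blocks_count * block_size,
    }


def block_offset(sb: dict, block_no: int) -> int:
    """Byte offset of a data block inside the volume (block numbers are volume-relative)."""
    return block_no * sb["block_size"]


def build_sample_image(magic=EXT2_MAGIC) -> bytes:
    """Constructed image: 4 KiB blocks, 65536 blocks, two block groups. Only the
    boot block, the superblock and a little padding are materialised."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<7I", sb, 0, 16384, 65536, 3276, 60000, 16000, 0, 2)
    struct.pack_into("<3I", sb, 32, 32768, 32768, 8192)
    struct.pack_into("<H", sb, 56, magic)
    return bytes(BOOT_BLOCK_SIZE) + bytes(sb) + bytes(6144)


if __name__ == "__main__":
    print(parse_superblock(build_sample_image()))
```

On a real image, pass the bytes of the partition (not the whole disk) so that offset 1024 lands on the superblock; when the primary superblock fails the magic check, ext2-family volumes keep backup copies at the start of later block groups, which is where recovery work continues.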
Reference
https://www.utdallas.edu/~bxt043000/Teaching/CS-4398/F2014/
31

More Related Content

What's hot

06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes
Kranthi
 

What's hot (20)

cyber forensics
cyber forensicscyber forensics
cyber forensics
 
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
Investigative Tools and Equipments for Cyber Crime by Raghu KhimaniInvestigative Tools and Equipments for Cyber Crime by Raghu Khimani
Investigative Tools and Equipments for Cyber Crime by Raghu Khimani
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Private Browsing: A Window of Forensic Opportunity
Private Browsing: A Window of Forensic OpportunityPrivate Browsing: A Window of Forensic Opportunity
Private Browsing: A Window of Forensic Opportunity
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes
 
Computer forencis
Computer forencisComputer forencis
Computer forencis
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifacts
 
Introduction To Forensic Methodologies
Introduction To Forensic MethodologiesIntroduction To Forensic Methodologies
Introduction To Forensic Methodologies
 
Forensics Analysis and Validation
Forensics Analysis and Validation  Forensics Analysis and Validation
Forensics Analysis and Validation
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Examining computer and evidence collection
Examining computer and evidence collectionExamining computer and evidence collection
Examining computer and evidence collection
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.
 
Computer Forensic Softwares
Computer Forensic SoftwaresComputer Forensic Softwares
Computer Forensic Softwares
 
Operations Security
Operations SecurityOperations Security
Operations Security
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
CS6004 Cyber Forensics - UNIT IV
CS6004 Cyber Forensics - UNIT IVCS6004 Cyber Forensics - UNIT IV
CS6004 Cyber Forensics - UNIT IV
 
CS6004 Cyber Forensics - UNIT V
CS6004 Cyber Forensics - UNIT VCS6004 Cyber Forensics - UNIT V
CS6004 Cyber Forensics - UNIT V
 

Similar to Lecture 8 comp forensics 03 10-18 file system

AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdf
ekobelasting
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File Systems
Shu-Yu Fu
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
Sudeshna Basak
 

Similar to Lecture 8 comp forensics 03 10-18 file system (20)

Computer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS SystemsComputer Forensics Working with Windows and DOS Systems
Computer Forensics Working with Windows and DOS Systems
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdf
 
Storage system architecture
Storage system architectureStorage system architecture
Storage system architecture
 
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
 
File systems for Embedded Linux
File systems for Embedded LinuxFile systems for Embedded Linux
File systems for Embedded Linux
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profit
 
Os
OsOs
Os
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File Systems
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with Volatility
 
Linux kernel architecture
Linux kernel architectureLinux kernel architecture
Linux kernel architecture
 
Ch 04 Data Acquisition for Digital Forensics.ppt
Ch 04 Data Acquisition for Digital Forensics.pptCh 04 Data Acquisition for Digital Forensics.ppt
Ch 04 Data Acquisition for Digital Forensics.ppt
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
 
File Carving
File CarvingFile Carving
File Carving
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory Analysis
 
Case study of BtrFS: A fault tolerant File system
Case study of BtrFS: A fault tolerant File systemCase study of BtrFS: A fault tolerant File system
Case study of BtrFS: A fault tolerant File system
 
UNIT 4-UNDERSTANDING VIRTUAL MEMORY.pptx
UNIT 4-UNDERSTANDING VIRTUAL MEMORY.pptxUNIT 4-UNDERSTANDING VIRTUAL MEMORY.pptx
UNIT 4-UNDERSTANDING VIRTUAL MEMORY.pptx
 
9781111306366 ppt ch11
9781111306366 ppt ch119781111306366 ppt ch11
9781111306366 ppt ch11
 

Recently uploaded

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
ssuserdda66b
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 

Recently uploaded (20)

How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 

Lecture 8 comp forensics 03 10-18 file system

  • 2. 2 Outline ● File Systems – File Systems Overview – Windows File System (for Forensics) ● Tools and Standards – Forensics Tools – Standards – Revisiting File Systems – http://www.cftt.nist.gov/NISTIR_7490.pdf
  • 3. 3 Windows File System ● Overview of File Systems ● Microsoft File Structures ● NTFS Disks (New Technology File System) – Partitions, disks, etc. ● Other concepts (Registries, startup tasks) ● Virtual Machines
  • 4. 4 File Systems ● What is it? – Structure of the data that is stored – Linear file system, Hierarchical file system, etc. ● Type of file system determines how the data is stored on disk ● File system is part of the OS; a file system is a way for storing and organizing computer files and the data they contain to make it easy to find and access them. ● Key aspects of file system include – Boot sequence – Disk drives – File name, metadata, security access
  • 5. 5 File Systems - 2 ● Boot sequence – When a suspect’s computer starts, make sure it boots to a forensic floppy disk/CD and not to the hard disk – Booting to the hard disk may overwrite evidence – Make modifications to CMOS setup ● Disk drives – Geometry, Head, Tracks, Cylinders, Sectors ● Every file has a file name; metadata consists of information about a file, access control policies may be defined on a file ● Types of file systems include disk file system, flash file systems, database file systems, network file systems, - - -
  • 6. 6 File Systems - 3 ● File systems typically have directories which associate file names with files, usually by connecting the file name to an index in a file allocation table (FAT in Windows, Inode in Unix) ● Directory structures may be flat, or allow hierarchies where directories may contain subdirectories. ● In some file systems, file names are structured, with special syntax for filename extensions and version numbers. In others, file names are simple strings ● Metadata – The length of the data contained in a file may be stored as the number of blocks allocated for the file or as an exact byte count. – The time that the file was last modified may be stored as the file's timestamp; also file creation time, the time it was last accessed
  • 7. 7 Microsoft File Structures ● Sectors – Sectors are groped to for clusters which are the storage allocations units. – Cluster numbers are logical addresses and section numbers are physical addresses. ● Disk Partitions ● Hard drive is partitioned. A partition is a logical drive. ● Master Boot Record (MBR) – Stores information about the partitions in a disk and their locations, sizes etc. ● FAT (File Allocation Table) Disks – Original Microsoft file structure database ● NTFS – New Technology File System
  • 8. 8 NTFS Disks ● Overview of NTFS Disks – Newer Microsoft products are based on new Technology File System – Everything written to a disk is considered s file – First data set is the Partition Boot Sector – Next is the Master File Table (similar to FAT) – Uses Unicode ● NTFS System Files – The first file MFT ahs information in all the files – Records in MFT are called metadata
  • 9. 9 NTFS Disks - 2 ● NTFS Data Streams – Ways data can be appended to existing files – Can obscure evidence ● NTFS Compressed Files – Provides compression to improve data storage ● Encryption – Implements public key/private key method – Whole disk encryption (Chapter 4) for extra protection for certain information such as personal identity numbers. ● Performance – tune some of global NTFS parameters to achieve significant increase of disk performance. Other techniques like disk defragmentation could help
  • 10. 10 NTFS Disks – 3 (Summary) ● File Storage Hardware and Disk Organization ● Hard Disk Drive Basics – Making Tracks – Sectors and Clusters ● Master Boot Record (MBR) – Viruses Can Infect the Master Boot Record ● Partition Table – Boot Indicator Field – System ID Field – Starting and Ending Head, Sector, and Cylinder Field – Relative Sectors and Number of Sectors Fields – Logical Drives and Extended Partitions
  • 11. 11 NTFS Recovery ● Why id Partition recovery needed – MBR (Master Boot Record) is damaged – Partition is deleted or Partition Table is damaged – Partition Boot Sector is damaged – Missing or Corrupted System Files ● Partition/Drive Recovery – "Physical partition recovery". The goal is to find out the problem and write some information to the proper place on HDD and after that partition becomes visible to OS again. – "Virtual partition recovery". The goal is to determine the critical parameters of the deleted/damaged/overwritten partition and after that enable to scan it and display its content.
  • 12. 12 NTFS Recovery - 2 ● NTFS File Recovery – Disk Scan for deleted entries ● Disk Scan is a process of low-level enumeration of all entries in the Root Folders; The goal is to find and display deleted entries. – Defining clusters chain for the deleted entry ● To define clusters chain scan drive, going through one by one all allocated and free clusters belonging to the file until the file size equals to the total size of the selected clusters. If the file is fragmented, clusters chain will be composed of several extents. – Clusters chain recovery ● After clusters chain is defined read and save contents of the defined clusters to another place verifying their contents.
  • 13. 13 Other Concepts ● Registry – Registry is a database that stores initialization files such as hardware/software configuration, network connections, user preferences, setup information – Set of tools (e.g., Registry editor) to view and modify the data ● Start-up tasks – Forensics examiner must have a very good understanding of what happens to the data during start-up. – E.g., What is the process, what are the files involved, etc.
14
Virtual Machines
●
An examiner may need a lot more space than is available on the machine being used. The concept of a virtual machine is used to overcome this limitation.
●
A virtual machine addresses the need for a variety of resources by creating a representation of another computer on an existing physical computer.
●
A few files from the other computer are kept on the examiner's machine, and space has to be allocated for this.
●
Also useful when one upgrades a computer but still has some old applications: a virtual machine of the old OS is created.
15
Forensics Tools
●
Hardware forensics tools
– Range from single-purpose components (e.g., devices) to complete systems (forensics workstations)
●
Software forensics tools
– Analysis tools such as ProDiscover and EnCase
16
Functions of Forensics Tools
●
Acquisition
●
Validation and Discrimination
●
Extraction
●
Reconstruction
●
Reporting
●
Some forensics tools: ProDiscover, AccessData, EnCase
17
Functions of Forensics Tools - 2
●
Acquisition
– Tools for data acquisition
– Physical data copy, logical data copy, data acquisition format, GUI acquisition
●
Validation and Discrimination
– Integrity of the data; also includes hashing, filtering, and analyzing file headers
●
Extraction
– Recovery task
– Data viewing, keyword searching, decompressing
●
Reconstruction
●
Reporting
18
Functions of Forensics Tools - 3
●
Reconstruction
– Recreate the crime scene (suspect drive)
– Disk-to-disk copy, image-to-disk copy, etc.
●
Reporting
– Report generation tools help the examiner prepare the report
– Also help to log reports
19
Software Tools
●
Command line forensics tools
●
Unix/Linux forensics tools
– SMART, Helix, Autopsy and Sleuth Kit
●
GUI forensics tools
– Visualizing the data is important to understand the data
20
Hardware Tools
●
Forensics workstations
– How to build a workstation
– What are the components
– How are the workstations connected in a lab
– How can distributed forensics be carried out
●
Write blockers
– Write blocker devices to protect evidence disks
21
Validating Forensics Tools
●
NIST (National Institute of Standards and Technology) is coming up with standards for validation:
– Establish categories for forensics tools
– Identify forensics category requirements
– Develop test assertions
– Identify test cases
– Establish test method
– Report test results
22
NIST Standards
●
There are three digital forensics projects at the National Institute of Standards and Technology (NIST).
●
These projects are supported by the U.S. Department of Justice's National Institute of Justice (NIJ), federal, state, and local law enforcement, and the National Institute of Standards and Technology Office of Law Enforcement Standards (OLES) to promote efficient and effective use of computer technology in the investigation of crimes involving computers.
●
These projects are the following:
– National Software Reference Library (NSRL)
– Computer Forensic Tool Testing (CFTT)
– Computer Forensic Reference Data Sets (CFReDS)
23
NSRL
●
The NSRL is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) including hashes of known files created when software is installed on a computer. The law enforcement community approached NIST requesting a software library and signature database that meets four criteria:
– The organizations involved in the implementation of the file profiles must be unbiased and neutral.
– Control over the quality of data provided by the database must be maintained.
– A repository of original software must be made available from which data can be reproduced.
– The database must provide a wide range of capabilities with respect to the information that can be obtained from file systems under investigation.
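The hashing and filtering step from the "Validation and Discrimination" slide, done NSRL-style against a known-file hash set: an added example, not the lecture's or NIST's code. The reference text here is a constructed two-column stand-in for the real RDS layout, and the sample files are constructed bytes.

```python
import hashlib
import io

def sha1_hex(fp, chunk_size=65536):
    """Hash a stream in chunks so large evidence files never sit fully in memory."""
    h = hashlib.sha1()
    for block in iter(lambda: fp.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest().upper()

def verify_copy(original, copy):
    """Validation: an acquired copy is only trustworthy if its hash matches the source."""
    return sha1_hex(io.BytesIO(original)) == sha1_hex(io.BytesIO(copy))

def load_known_hashes(rds_text):
    """Parse a simplified '"SHA-1","FileName"' CSV (constructed stand-in for the RDS layout)."""
    known = {}
    for row in rds_text.strip().splitlines()[1:]:      # skip the header row
        sha1, name = (field.strip('"') for field in row.split(",", 1))
        known[sha1] = name
    return known

def discriminate(files, known):
    """Split files into known (can be filtered out) and unknown (need examination)."""
    known_hits, unknown = [], []
    for path, data in files.items():
        digest = sha1_hex(io.BytesIO(data))
        if digest in known:
            known_hits.append((path, known[digest]))
        else:
            unknown.append((path, digest))
    return known_hits, unknown

# Constructed sample "evidence": one OS binary stand-in and one user-created file.
SAMPLE_FILES = {
    "C:/Windows/notepad.exe": b"constructed stand-in for a known OS binary",
    "C:/Users/suspect/notes.txt": b"constructed user file with no reference profile",
}
# Constructed reference set containing only the OS binary's profile.
SAMPLE_RDS = ('"SHA-1","FileName"\n"%s","notepad.exe"'
              % hashlib.sha1(SAMPLE_FILES["C:/Windows/notepad.exe"]).hexdigest().upper())
```

Known-file filtering only removes files whose bytes match a reference profile exactly, so a modified or trojanized copy of a system binary shows up in the unknown list, which is exactly where an examiner wants it.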
24
NSRL
●
The primary focus of the NSRL is to aid computer forensics examiners in their investigations of computer systems.
●
The majority of stakeholders are in federal, state and local law enforcement in the United States and internationally.
●
These organizations typically use the NSRL data to aid in criminal investigations.
25
CFTT
●
The goal of the CFTT project at NIST is to establish a methodology for testing computer forensic software tools through the development of general tool specifications, test procedures, test criteria, test sets, and test hardware. The results provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for interested parties to understand the tools' capabilities.
●
The testing methodology developed by NIST is functionality driven. The activities of forensic investigations are separated into discrete functions, such as hard disk write protection, disk imaging, string searching, etc. A test methodology is then developed for each category. After a test methodology is developed it is posted to the web.
26
CFReDS
●
The Computer Forensic Reference Data Sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination.
●
Since CFReDS has documented contents, such as target search strings seeded in known locations, investigators can compare the results of searches for the target strings with the known placement of the strings.
●
Investigators can use CFReDS in several ways including validating the software tools used in their investigations, equipment check out, training investigators, and proficiency testing of investigators as part of laboratory accreditation.
●
The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations.
27
CFReDS
●
In addition to test images, the CFReDS site contains resources to aid in creating test images.
●
These creation aids are in the form of interesting data files, useful software tools and procedures for specific tasks.
●
The CFReDS web site is http://www.cfreds.nist.gov.
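To make the CFReDS idea concrete, an added example (not NIST's code or data): a constructed image with target strings seeded at documented offsets, two stand-in search tools, and a comparison of each tool's hits against the manifest. One seed straddles a sector boundary, the kind of known placement that exposes a tool searching sector by sector.

```python
SECTOR = 512

# Constructed manifest: target string -> documented offsets where it was seeded.
MANIFEST = {
    b"TARGET-ALPHA": {1000, 4096},
    b"TARGET-BETA": {2555},        # bytes 2555..2565 straddle the boundary at 2560
}

def build_test_image(size, manifest):
    """Build a zero-filled image and seed each target string at its documented offsets."""
    image = bytearray(size)
    for target, offsets in manifest.items():
        for off in offsets:
            image[off:off + len(target)] = target
    return bytes(image)

def search_whole_image(image, targets):
    """Stand-in tool A: search the image as one buffer, reporting every offset of each target."""
    hits = {}
    for t in targets:
        found, start = set(), 0
        while (i := image.find(t, start)) != -1:
            found.add(i)
            start = i + 1
        hits[t] = found
    return hits

def search_per_sector(image, targets):
    """Stand-in tool B: search each sector on its own, so boundary-straddling strings are missed."""
    hits = {t: set() for t in targets}
    for base in range(0, len(image), SECTOR):
        sector = image[base:base + SECTOR]
        for t in targets:
            i = sector.find(t)
            if i != -1:
                hits[t].add(base + i)
    return hits

def compare_to_manifest(hits, manifest):
    """Return (missed, spurious): documented placements not reported, and reports not documented."""
    missed = {t: offs - hits.get(t, set()) for t, offs in manifest.items()}
    spurious = {t: offs - manifest.get(t, set()) for t, offs in hits.items()}
    return ({t: o for t, o in missed.items() if o}, {t: o for t, o in spurious.items() if o})
```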
28
International Standards
●
The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices.
●
The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies.
●
http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.
29
Macintosh Operating System (Mac OS X)
●
Early Mac OS used HFS (Hierarchical File System); OS X uses HFS+ (optional) and also supports the Unix File System
●
OS 9 supports volumes. A volume can be all or part of the storage media for hard disks
●
Newer Macs can be booted from CD, DVD, or FireWire drive. Older systems booted from the hard drive
●
Some forensics tools are specific to OS X. Some Windows tools can also be used
30
Unix/Linux Operating System
●
Everything is a file, including disk drives, monitors, tape drives, network interface cards, etc.
●
Unix has four components in its file system
– Boot block, superblock, inode, data block
– A block is the smallest disk allocation unit
– The boot block has bootstrap code, the superblock has system information, an inode is assigned to every file allocation unit, and data blocks store directories and files
●
The forensic examiner must understand the boot process of the operating system
●
Disk partitions in Unix/Linux are very different from Windows. In Unix/Linux, partitions are labeled as paths.