BACS 371
Computer Forensics
File System “Layers” & the Sleuthkit
Introduction



One approach to analyzing a disk image begins by
logically dividing it into 5 file system layers.
Each of the upper layers is an abstraction above
the physical disk platter.
These layers serve different tasks and, when
analyzed, provide different information.
5 File System Layers
1.
2.
3.
4.
5.
Physical Layer – The physical disk itself
File System Layer – Partition Information
Data Layer – Blocks and clusters (where the data
are actually stored).
Metadata Layer – Structural information for the
file system (FAT32, NTFS, EXT2, …)
File Name Layer – The directory information that
holds the files external name.
Physical Layer
File System Layer




Holds the data that describes the structural details
of the file system.
The boot sector (or superblock in Unix) is where
much of this data is stored.
The Master Boot Record (MBR) holds information
related to this layer.
The Partition Boot Record (PBR) also contains file
system layer information.
Data Layer





The main purpose of a disk drive is to store data;
consequently, this layer holds the key information
related to this task (that is, the data).
This layer organizes the physical drive into 512 byte
sectors.
On Windows systems, these sectors are further
organized into clusters.
Sectors in the data layer will either be “allocated” or
“unallocated”.
Another way of thinking of this is that sectors are either
being used in a file or waiting to be used.
Allocated vs. Unallocated

Allocated data:
 Is
being actively used by a file
 Exist in a file on the system
 Is not currently deleted

Unallocated data:
 Is
not currently being used by a file
 Can have previously deleted or unused data
 Can hold pieces of old data (called “fragments”)
MetaData Layer





This layer contains all the structures that describe
the file.
Similar to the table of contents page of a book.
It has pointers to the data layer and the file name
layer so that starting address and MAC times can
be determined.
In FAT files systems it is stored in the FAT table. In
NTFS systems, it is found in the Master File Table
(MFT). Linux stores it in the iNode entries.
Metadata is also either allocated or unallocated.
MetaData Layer

Metadata contains:
 Pointers
to the data layer (either a starting sector, or list
of sectors depending upon file system)
 The file type
 The MAC times and permissions
 The file size and/or total links
File Name Layer



Generally a separate structure that gives the names
of files.
The metadata layer can actually describe
everything about the file, but it is easier to have the
name information listed without all the extra, lowlevel detail.
Is stored in 2 places:
 MFT
or FAT directory entries
 Directory file – list of files in that directory structure
Directory to FAT interaction
The Sleuthkit (TSK)




A collection of Unix tools that allow for forensic
analysis of disk images.
Written by Brian Carrier based on an older set of
tools called The Coroner’s Toolkit (TCT)
The tools are fairly low-level, so they are normally
used with a front-end browser component.
The “Autopsy” browser is the normal front-end for
this tool set.
Sleuthkit Tool Layers






The Sleuthkit Tools are divide into 5 categories
which, loosely, map to the 5 file system layers.
File system layer tools – prefixed by ‘fs’
Data layer tools – prefixed by ‘blk’
Metadata layer tools – prefixed by ‘i’ (for inode)
File Name layer tools – prefixed by ‘f’
Misc. tools – no standard prefix, but relate to lower
level sort and find operations in file system
structure.
The Sleuth Kit (TSK)