Digital Forensics
advertisement
Digital Forensics Module 11 CS 996 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX file systems (Kulesh) ProDiscover workshop (remaining time) 4/26/2004 Module 11 2 Reminder InfraGard Chapter meeting on Counterintelligence Bear Stearns, 383 Madison Avenue 9-4, April 28 RSVP: www.nym-infragard.us 4/26/2004 Module 11 3 Hard Drive Data Hiding Places Low Level Format Redundant sectors Bad sectors Partition Interpartition gaps Unallocated space “Hidden” partitions Boot records and partition tables Deleted partitions 4/26/2004 Module 11 4 Physical Disk Geometry (CHS) One head for each surface (H) All tracks at r = dn form “cylinder” (C) Each sector has 512 bytes of user data (S) One disk surface devoted to positioning and synchronization Not all parts of the disk are addressable by the OS Disk capacity = C x H x S x 512 bytes 4/26/2004 Module 11 5 Lifecycle of Disk Drive Blank media Low level format Performed at the factory Partition High level file system format Operating system install System operations 4/26/2004 Module 11 6 Low Level Format Low level formatting creates sectors Each sector holds 512 bytes + overhead bytes Overhead provides error correction and timing recovery Bad sectors remapped to redundant sectors by the HDD controller. 4/26/2004 Module 11 7 Low Level Format REDUNDANT SECTOR 512 BYTES SECTOR OVERHEAD 4/26/2004 Module 11 8 Partitioning PARTITION #2 PARTITION #1 MASTER BOOT RECORD INTER-PARTITION GAP VOLUME BOOT RECORD 4/26/2004 Module 11 VOLUME BOOT RECORD 9 Partitioning Drive Master Boot Record = Master Boot Code + Master Partition Table (MPT) Always at sector #1 Volume Boot Record = Volume Boot Code + Disk Parameter Block Each partition 4/26/2004 Module 11 10 FAT File System Four parts Volume boot record File allocation tables Root directory User data area Types FAT 12, 16, 32 bits; cluster address size FAT1 and FAT2; first and second copy of FAT Floppy: FAT12 4/26/2004 Module 11 11 FAT12/16 Structure DOS BOOT SECTOR ROOT DIRECTORY USER DATA AREA FAT #1 4/26/2004 FAT #2 Module 11 12 FAT32 Structure DOS BOOT RECORD (3) COPY OF DOS BOOT RECORD FAT #1 FAT #2 USER DATA RESERVED SECTORS RESERVED SECTORS 32 SECTORS 4/26/2004 Module 11 13 File Allocation Table 0 TEST 217 DIRECTORY ENTRY 217 339 618 4/26/2004 Module 11 618 EOF 339 14 WinHex: Forensic Hex Editor www.x-ways.net Disk cloning DOS version Windows version (use write blocker) Disk editor API for scripting tasks 4/26/2004 Module 11 15 4/26/2004 Module 11 16 4/26/2004 Module 11 17 Navigating to FAT12 Directory Start at boot sector #1 Add 2 x 9 sectors Directory at sector #20 Offset is: 19 x 512 = 9728 bytes = 2600H 4/26/2004 Module 11 18 4/26/2004 Module 11 19 Navigating to FAT32 Allocation Table Start at boot sector Go to sector #33, offset of 32 x 512 bytes 32 x 512 = 16384 = 4000H 4/26/2004 Module 11 20 4/26/2004 Module 11 21 WinHex NTFS Partition Analysis 4/26/2004 Module 11 22 ProDiscover Forensic Software www.techpathways.com Disk imaging: meets NIST Specification 3.1.6 Works with FAT, NTFS, Sun Solaris UFS Displays Windows ADS! File signature analysis Search capability Recover deleted files and slack space Reasonable price! 4/26/2004 Module 11 23 4/26/2004 Module 11 24 Capture Evidence Files 4/26/2004 Module 11 25 Image Evidence: Windows Laptop USB TO IDE ADAPTER IDE CABLE PRODISCOVER EVIDENCE DRIVE 4/26/2004 Module 11 26 KeyWord Search 4/26/2004 Module 11 27 Reporting (View=>Report) 4/26/2004 Module 11 28 References for Module #11 Bill Nelson, Guide to Computer Investigations, 2004. Warren Kruse, Computer Forensics, 2002. Kevin Mandia, Incident Response, 2003. EnCase Legal Journal (course web site) www.cs.nmt.edu (cs491_02) NTFS: 4/26/2004 Module 11 29
