Date posted: 17-Dec-2015
What is a File System?
Computers need a way to store data and then to retrieve the said data in simple but quick ways. File systems provide a way for computers to store data in a hierarchy of files and directories.
What is a File System?
A file system defines how and where files are stored and how they are named.
File systems are independent of any particular type of computer. The file systems we will look at are FAT (File Allocation Table), NTFS, Ext2 and Ext3.
However, what they have in common is that they all know how to store data and to retrieve the data in a quick manner.
Essential and Non-Essential Data
When looking at data, it is important to differentiate between the essential and non-essential data. We have to trust the essential data, but not necessarily trust the non-essential data.
It is also important to know which OS wrote the file system because different OS’s might have different requirements as to what is essential and what is not.
Essential and Non-Essential Data
Essential data is the data that is needed to save and retrieve files. Some essential data:
Content storage location
Name of the file
Pointer from name to metadata
Non-essential data is there for convenience but is not needed for the basic functionality of storing and retrieving files. Some non-essential data:
Access times
Security permissions
Data Categories
In order to understand different analysis techniques, we divide the data on a computer into several categories.
1. File System
2. Content
3. Metadata
4. File Name
5. Application
The tools in The Sleuth Kit (TSK) are based on these same categories.
Data Categories - File System
Each instance of a file system is unique because it has a unique size.
It contains the general file system information such as where to find certain data (which cluster or block does this reside in) and how big the data unit is. It works like a map.
Data Categories - Content
This category is made up of the actual content of a file. Most of the information in a computer is made up of this data category. It is typically organized into data units. Some file systems call these clusters, and some call them blocks.
Data Categories - Metadata
This category consists of the data that describes the files such as:
Where the file content is stored
Size of the file
Creation time
Modification time
Access control information
This category contains neither the content of the file nor the name of the file. Examples: inodes and Master File Table (MFT) entries.
Data Categories - File Name
The file name category is also known as the Human Interface category. In this category, a name is assigned to each file, to make data access more convenient and easier for humans.
In most systems, these are contents in a directory with corresponding metadata addresses.
Data Categories - Application
This category provides special features. However, these data are not necessary for normal reading and writing of data. Instead they provide features such as user quota information and file system journals. These data can be more easily forged than other data.
Interaction Between Categories
[Figure: Carrier, Figure 8.1, interaction between categories. The File System Category holds layout and size information. The File Name Category (file1.txt, file2.txt) points into the Metadata Category (times and addresses), which in turn points to the Content Category (Content Data #1, Content Data #2). The Application Category holds quota data.]
Analysis
Different categories of data require different methods for analysis. File system data typically consists of single and independent values, so analysis is conducted by looking at the values and interpreting them. For instance, if we are searching for files with ‘jpg’ extensions, we would have to focus on file name category analysis techniques.
Analysis – File System Category
The file system category of data includes the data that describes the layout and general information about a file system. The File system category might be analyzed to find out on which computer a file system was created, or
TSK has a tool called fsstat that reads the boot sector or superblock and the other data structures specific to each type of file system. The data in the output of fsstat differs from one file system to another because different types of data are available.
Analysis – Content Category
Typically, the content category consists of equal-sized data units that are allocated to files and directories. There is also a data structure that keeps track of the allocation status of each data unit. This category contains a lot of data: a 40 MB volume contains more than 80,000 512-byte sectors.
The content category is analyzed to recover deleted data and to conduct low-level searches. All TSK tools in this category start with the letter d.
Addressing Data Units
A sector can have multiple addresses:
Physical: address relative to the start of the drive
Logical: address relative to the start of the volume
File systems use the logical volume address, but also group sectors into clusters or blocks and assign them addresses.
[Figure: Carrier, Figure 8.2, volume addresses 0 to 16 for the individual sectors, with the corresponding file system addresses assigned to groups of sectors.]
Allocation Strategies
File systems may use several strategies to allocate data units. Data units are generally allocated contiguously. However, this is not always possible, in which case, the file is considered to be fragmented.
The allocation strategy used affects the probability of recovering deleted (unallocated) content.
Allocation Strategies (cont.)
First available strategy: clusters or blocks are assigned from the beginning of the file system as needed. Most likely to become fragmented. File systems using this strategy are more likely to overwrite free space containing deleted files.
Next available strategy: similar to first available, but looks for subsequent clusters for a file starting from the next cluster to the end of the file system.
Best fit strategy: the OS looks for contiguous clusters sufficient to store the entire file. Less likely to be fragmented, but if the file size changes, fragmentation can still happen.
Allocation Strategies (cont.)
[Figure: allocation strategies. A row of allocated and unallocated data units with the last allocated unit marked, showing which free unit first available, next available and best fit would each choose.]
Damaged Data Units
Some file systems have the ability to mark clusters as damaged so that they are not used again to store data. This was useful for older disks that did not have the capability to handle errors. Modern disks can handle errors themselves, so this capability is not needed. If this capability exists, it can be used to hide data, because consistency checking tools do not verify a data unit that is marked as damaged.
Content Analysis
The Data Unit Viewing technique can be used when you know the address where evidence might be located. For example: in FAT32 volumes, logical sector 3 is not allocated, so it contains all zeroes. Looking at this sector can easily tell the examiner if data is hidden there (dcat in TSK).
With the Logical File System-Level Searching technique you look for content without knowing where it might be located, for example by searching for the word ‘password’ in each data unit.
Content Analysis
[Figure: data unit viewing and logical file system search over data units 0 to 11]
Data Unit Viewing: the investigator knows the address of the evidence, so uses the logical file system address, and a tool calculates the byte or sector address. With 2,048 bytes in one data unit, data unit 10 starts at byte 20,480; the content of data unit 10 is shown in ASCII.
Logical File System Search: looks in each data unit for a known value. Is the string ‘password’ in this data unit?
Content Analysis Using Bitmaps
If we want to look in unallocated space, we can use tools to extract all unallocated data units or we can restrict analysis to only the unallocated space. We can see how a bitmap data structure can tell us whether a data unit is allocated or not.
[Figure: data units 0 to 11 with their bitmap entries (1 0 0 1 0 0 0 ...); bitmap: 0 = unallocated, 1 = allocated]
Content Analysis (cont.)
The Data Unit Allocation Status technique shows all the unallocated data units in order to find hidden or ‘deleted’ data.
The dls tool in TSK shows the unallocated data units.
The Consistency Check technique allows you to determine whether the file system is in a suspicious state.
Orphan data units (allocated data units that do not have a corresponding metadata structure) can be found in this manner. See Figure 8.7.
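The bitmap slide and the two techniques above, worked through in code: expand a packed allocation bitmap, list and extract the unallocated units the way a dls-style tool would, and check for orphan data units. This is an added example, not code from the slides, from Carrier or from TSK; the bit order, the 64-byte unit size, the bitmap bytes, the metadata table and the image contents are constructed, and the second check (units a metadata entry references although the bitmap marks them free) goes beyond the orphan case the slide names.

```python
UNIT_SIZE = 64   # bytes per data unit in the constructed image (assumed)

def parse_bitmap(raw, n_units):
    """Expand a packed allocation bitmap into one 0/1 entry per data unit.
    Bit order is an assumption: bit 0 of byte 0 describes data unit 0."""
    bits = []
    for unit in range(n_units):
        byte, bit = divmod(unit, 8)
        bits.append((raw[byte] >> bit) & 1)
    return bits

def unallocated_units(bits):
    """dls-style listing: addresses of every data unit the bitmap marks as free."""
    return [u for u, b in enumerate(bits) if b == 0]

def extract_unallocated(volume, bits):
    """dls-style extraction: concatenate the content of all unallocated units."""
    return b"".join(volume[u * UNIT_SIZE:(u + 1) * UNIT_SIZE] for u in unallocated_units(bits))

def orphan_units(bits, metadata):
    """Consistency check: allocated units that no metadata entry points to."""
    referenced = {u for units in metadata.values() for u in units}
    return [u for u, b in enumerate(bits) if b == 1 and u not in referenced]

def referenced_but_free(bits, metadata):
    """Reverse inconsistency: units a metadata entry points to but the bitmap marks free."""
    referenced = {u for units in metadata.values() for u in units}
    return sorted(u for u in referenced if bits[u] == 0)

# Constructed 16-unit volume: bitmap marks units 0,1,2,5,6,9,12 allocated
# (0x67 = bits 0,1,2,5,6 of byte 0; 0x12 = bits 1,4 of byte 1 -> units 9 and 12).
BITMAP_RAW = bytes([0x67, 0x12])
# Metadata entries, e.g. inode number -> data units that entry has allocated.
METADATA = {2: [0, 1, 2], 5: [5, 6], 7: [12]}
_img = bytearray(16 * UNIT_SIZE)
_img[10 * UNIT_SIZE:10 * UNIT_SIZE + 14] = b"deleted secret"   # left behind in free unit 10
VOLUME_IMAGE = bytes(_img)

if __name__ == "__main__":
    bits = parse_bitmap(BITMAP_RAW, 16)
    print(unallocated_units(bits))          # [3, 4, 7, 8, 10, 11, 13, 14, 15]
    print(orphan_units(bits, METADATA))     # [9]: allocated, but no metadata entry uses it
    print(b"deleted secret" in extract_unallocated(VOLUME_IMAGE, bits))   # True
```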
Content Analysis (cont.)
Wiping techniques: zeroes or random data are written into the data units allocated by a file, or to all unused data units.
Secure deletion is becoming more common for many operating systems.
An investigator may check to see if a wiping tool is available on a system, then determine when it was last accessed.
There may also be temporary copies of files that were wiped.
Analysis – Metadata Category
The metadata category includes the data that describe a file. Here you will find the data unit addresses that a file has allocated, the size of the file, and temporal information. The types of data in this category vary depending on the file system type.
There are four TSK tools in this category, and the names all start with i such as the istat command.
Metadata Analysis
Analyzing metadata can:
Provide corroborating information about the document data itself.
Reveal information that someone tried to hide, delete, or obscure.
Automatically correlate documents from different sources.
Since metadata is fundamentally data, it suffers from all of the same data quality issues as any other form of data. Nevertheless, because metadata isn't generally visible unless you use a special tool, more skill is required to alter or otherwise manipulate it.
Metadata Analysis
Slack space occurs when the file size is not a multiple of the data unit size. It appears between the end of the file and the end of the sector in which the file ends, or it can be in sectors of the last data unit that contain no file content. A new file may not completely overwrite all data that was previously stored in that location.
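The two slack regions described above, located and extracted from a constructed image in which a new file only partly overwrites a data unit that an earlier, deleted file had filled. This is an added example, not code from the slides or from Carrier; the 512-byte sector, the 2,048-byte data unit, the file size and the image contents are all assumptions.

```python
SECTOR_SIZE = 512
UNIT_SIZE = 2048   # 4 sectors per data unit (assumed)

def slack_regions(file_size, units):
    """Byte ranges [start, end) of slack in the file's last data unit.
    Returns (sector_slack, unit_slack): the tail of the sector in which the file ends,
    and the whole sectors of that unit holding no file content. (None, None) if no slack."""
    used = file_size % UNIT_SIZE
    if used == 0 or not units:
        return None, None
    base = units[-1] * UNIT_SIZE
    # End of the sector that contains the last file byte
    sector_end = base + ((used + SECTOR_SIZE - 1) // SECTOR_SIZE) * SECTOR_SIZE
    sector_slack = (base + used, sector_end) if used % SECTOR_SIZE else None
    unit_end = base + UNIT_SIZE
    unit_slack = (sector_end, unit_end) if sector_end < unit_end else None
    return sector_slack, unit_slack

def read_slack(volume, file_size, units):
    """Return the slack bytes (sector slack followed by unit slack) for inspection."""
    out = b""
    for region in slack_regions(file_size, units):
        if region is not None:
            out += volume[region[0]:region[1]]
    return out

# Constructed 4-unit image. Unit 2 was fully used by an earlier, now deleted file
# ('x' bytes ending in a marker); a new 2,500-byte file is then written to units 1 and 2.
_img = bytearray(4 * UNIT_SIZE)
_img[2 * UNIT_SIZE:3 * UNIT_SIZE] = b"x" * (UNIT_SIZE - 8) + b"leftover"
_img[1 * UNIT_SIZE:1 * UNIT_SIZE + 2500] = b"N" * 2500
VOLUME_IMAGE = bytes(_img)
NEW_FILE_SIZE, NEW_FILE_UNITS = 2500, [1, 2]

if __name__ == "__main__":
    print(slack_regions(NEW_FILE_SIZE, NEW_FILE_UNITS))     # ((4548, 4608), (4608, 6144))
    slack = read_slack(VOLUME_IMAGE, NEW_FILE_SIZE, NEW_FILE_UNITS)
    print(len(slack), slack[-8:])                            # 1596 b'leftover'
```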
Analysis – File Name Category
The file name category of data includes the data that associates a name with a metadata entry. Most file systems separate the name and metadata, and the name is located inside of the data units allocated to a directory.
There are two TSK tools that operate at the file name layer, and their names start with f. fls will list the file names in a given directory. If we want to know which file name corresponds to a given metadata address, the ffind tool can be used.
File Name Analysis
One of the most common investigation techniques is to list the names of the files and directories. Many file systems do not clear the file name of a deleted file, so deleted file names may be shown in a listing.
Another technique is to search for file names. For example, we might know a filename’s extension, but not know its name or full path.
As long as the pointer to metadata is intact, we can potentially recover data even if both the filename and metadata are unallocated.