Hard Drives, Storage Media and File Systems
Interface
• Two most common types of interfaces
– SCSI: Small Computer Systems Interface (servers and high-performance desktops)
– IDE/ATA: Integrated Drive Electronics (PC workstations)
Physical Hard Drive
Computer Disk
• Track
– Each platter is divided into concentric rings called tracks
• Sector
– Tracks are further divided into sectors
• Cluster
– A combination of one or more sectors
Basic concepts
• Clusters
– The basic storage unit of a disk
– The smallest piece of storage that an operating system can actually place data into
– Different disk formats have different cluster sizes
• Slack space
– A file's last cluster is almost never completely filled; the unused capacity at the end of that last cluster is the slack space
[Figure: old data in a cluster is only partly overwritten by new data, so the old data beyond the end of the new file remains in the slack]
Partition
• One hard drive can be logically divided into more than one partition
– e.g., one partition has Windows 2000, one partition has Windows 2000 data, one partition has Linux
• Partition table
– Maintains partition information
• Check Table 3.1 for different partition types
• Tools to look at the partition table on the drive
– fdisk
– PowerQuest's PartitionMagic
– Partinfo (free; cannot change any of the partitions)
Partition
Unix/Linux - Partitions and file systems
• Every partition has an associated file system. The file system is actually created by the mkfs command. In DOS systems, it is customary to devote the entire file system to the FAT (File Allocation Table) based file system.
• In UNIX, it is normal to use multiple partitions in the file system structure, and for the file system structure to spread over many partitions and devices with different types of file systems.
• UNIX recognizes many types of file systems including minix, ext, ext2, umsdos, msdos, proc, nfs, phfs etc.
Partitions
• In Unix, every disk must be partitioned. Partitions divide up the disk, and each segment acts as a complete disk by itself. Once a partition is full, it cannot (without special software) automatically flow into another partition.
• Under Linux, each disk is given its own device name. IDE disks start with the name /dev/hdX, where X can range from a through z. When partitions are created, new devices are created. They take the form /dev/hdXY, where Y is the partition number.
• When installing the OS, the installer creates partitions for you. The fdisk command can also create partitions; fdisk can be used at any time by root to partition the hard drives.
– fdisk -l
Partitions and Blocks
• The smallest unit of information that can be read from or written to a disk is a block.
• When partitions are created, the first block of every partition is reserved as the boot block. However, only one partition may act as a boot partition. The BIOS checks the partition table of the first hard disk at boot time to determine which is the boot partition. In the boot block of the boot partition there exists a small program called the bootstrap loader. On Linux, this is LILO.
Partitions and Blocks
• The second block on the partition is called the superblock. It contains all the information about the partition, including
– size of the partition
– physical address of the first data block
– number and list of free blocks
– info about the file system
– when the partition was last modified
• The remaining blocks are data blocks.
• In order to use these partitions and file systems, they are logically attached (mounted) to the directory structure.
Format
• The process of turning a partition into a recognizable file system
• Windows
– format command
• Unix/Linux
– mkfs
File System
• It is a set of data objects that can be referenced and manipulated externally.
• It is the place where an operating system stores files, making it easy for you to access them by name, location, date, or other characteristic.
• File System Format
– The process of turning a partition into a recognizable file system.
File System

Data Structures used in File System

File System
• File Allocation Table (FAT)
– Simplest file system
– FAT 12
– FAT 16
– FAT 32
– VFAT
• NTFS, a file system for Windows NT/2K
Things to remember about FAT
• A sector is the smallest addressable unit of a hard disk.
• A cluster is a fixed number of contiguous sectors (but not necessarily physically contiguous).
• To a certain extent, you can decide how many sectors are in a cluster.
• All files are allocated space in clusters of sectors using a file allocation table (FAT).
• As you use files, increase and decrease their size and create new files, formerly contiguous clusters become scattered across your hard disk, which is referred to as fragmentation.
• Most operating systems, including Windows, have their own defragmentation utilities.
• Periodic defragmentation of your hard disk will reduce the risk of data loss and improve overall system performance.
FAT32 File System Layout
NTFS
• Supported by WinNT, Win2000, and WinXP
• Also commonly supported by most distributions of Linux
• No published specification from Microsoft
• MFT
– Master File Table: the heart of NTFS; contains information about all files and directories
– Every file and directory has at least one entry in the table
Layout of a Freshly Formatted NTFS Volume
From page 4 of http://data.linux-ntfs.org/ntfsdoc.pdf
NTFS Volume Boot Sector
• The first block of information created on the partition
• Begins in the first sector of the partition; can use up to 16 sectors
• Contains
– Information on the volume label and size, and the location of the key metadata files
– Program code to load the OS (it will generally load NTLDR)
Master File Table
• A system file created during the formatting of an NTFS volume.
• Records every file on the volume, including an entry for itself.
• Records 16 metadata files.
Master File Table (Con't)
• Each file record stores attributes
– $FILENAME: up to 255 characters
– $STANDARD_INFORMATION
• MAC times, file characteristics
– $DATA
– Attribute list
– A flag for allocation status
• If the MFT grows too large, it can point to other locations for additional MFT info.
MetaFiles
• The first 16 files are system files
• Are inaccessible to the operating system
• They are the only part of the disk having a fixed position
• The first file is the MFT itself
• Responsible for some aspect of system operation
• Start with the name character "$"
• Located in the NTFS disk root directory
BITMAP File
• Keeps track of cluster usage
• It uses one bit to record the status of each cluster on the volume
– If a cluster is used, the corresponding bit is changed to one
– Else, the bit is zero
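An added example (not from the slides) of reading a $Bitmap-style allocation map: one bit per cluster, and the free runs are where an examiner looks for deleted data. It assumes the least-significant bit of each byte comes first, which is how NTFS orders the bits; DEMO_BITMAP is constructed.

```python
# Added example (not from the slides): reading an NTFS-style $Bitmap, one bit per
# cluster (1 = in use, 0 = free). Assumption: least-significant bit first within
# each byte, as NTFS orders it; DEMO_BITMAP is constructed for the demo.

def cluster_in_use(bitmap, cluster):
    """True if the bit for `cluster` is set."""
    return bool(bitmap[cluster >> 3] & (1 << (cluster & 7)))

def unallocated_runs(bitmap, total_clusters):
    """[(first_cluster, length), ...] of free runs: the unallocated space an
    examiner carves for deleted data. The bitmap is usually padded beyond the
    volume's real cluster count, so stop at total_clusters."""
    runs, start = [], None
    for c in range(total_clusters):
        if not cluster_in_use(bitmap, c):
            if start is None:
                start = c
        elif start is not None:
            runs.append((start, c - start))
            start = None
    if start is not None:
        runs.append((start, total_clusters - start))
    return runs

def usage_summary(bitmap, total_clusters):
    """Count used and free clusters within the volume's real cluster count."""
    used = sum(cluster_in_use(bitmap, c) for c in range(total_clusters))
    return {"used": used, "free": total_clusters - used}

# Constructed bitmap: 0b10110101 then 0b00000011 -> clusters 0,2,4,5,7,8,9 in use.
DEMO_BITMAP = bytes([0b10110101, 0b00000011])
```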
MAC TIMES
• Windows records the date and time of a file's
– creation (Created)
– last modification (Modification)
– the date that a file was last accessed (Accessed)
Where is the Data?
• Files
– May contain stray data as well
• Slack space
– In last cluster of file
– File slack
– RAM slack
• Unallocated blocks
– Contain deleted data
• Unused partitions
• Boot track
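An added example (not from the slides) that works through the slack-space arithmetic from the "Basic concepts" slide and the file slack / RAM slack split from this slide: how many clusters a file takes, how many bytes of each slack kind remain, and how to carve them out of the last cluster. It assumes 512-byte sectors; the cluster contents are constructed.

```python
# Added example (not from the slides): cluster and slack accounting for a file,
# covering the "Basic concepts" and "Where is the Data?" slides. Assumes 512-byte
# sectors; sectors_per_cluster is chosen by the caller (e.g. 8 for 4 KB clusters).
SECTOR_SIZE = 512

def slack_layout(file_size, sectors_per_cluster, sector_size=SECTOR_SIZE):
    """How a file of file_size bytes occupies its clusters.

    ram_slack:  bytes from end of file to the end of its last sector
    file_slack: whole unused sectors in the last cluster; they still hold
                whatever was on disk before (the old data in the slide's figure)
    """
    cluster_size = sectors_per_cluster * sector_size
    if file_size == 0:
        return {"clusters": 0, "ram_slack": 0, "file_slack": 0, "total_slack": 0}
    clusters = -(-file_size // cluster_size)      # ceiling division
    sectors = -(-file_size // sector_size)
    ram_slack = sectors * sector_size - file_size
    file_slack = clusters * cluster_size - sectors * sector_size
    return {"clusters": clusters, "ram_slack": ram_slack,
            "file_slack": file_slack, "total_slack": ram_slack + file_slack}

def carve_slack(last_cluster, file_size, sectors_per_cluster, sector_size=SECTOR_SIZE):
    """Split the raw bytes of a file's last cluster into (ram_slack, file_slack)."""
    cluster_size = sectors_per_cluster * sector_size
    used = file_size % cluster_size or cluster_size   # file bytes inside this cluster
    sector_end = -(-used // sector_size) * sector_size
    return last_cluster[used:sector_end], last_cluster[sector_end:]

def demo_cluster():
    """Constructed 4 KB cluster: old content, then a 1000-byte file written over it."""
    old = b"OLD DATA STILL HERE " * 205            # 4100 bytes, trimmed below
    new = b"N" * 1000
    return (new + old[1000:])[:4096]
```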
Swapping
[Figure: process images pi and pj; the image for pi is swapped out from primary memory to secondary memory and the image for pj is swapped in]
Swap Files in Windows
• Windows 2000 & WinXP
– c:\pagefile.sys
– To see it:
• Folder Options | View set to 'Show Hidden and System files'
• not to 'Hide Protected mode System files'
• Win98
– C:\win386.swp
Virtual Memory
[Figure: virtual address spaces for pi, pj and pk held in secondary memory, with fragments mapped into the physical address space (0 to n-1) in primary memory]
• Complete virtual address space is stored in secondary memory
• Fragments of the virtual address space are dynamically loaded into primary memory at any given time
• Each address space is fragmented
Configure Virtual Memory
Control Panel -> System -> Advanced -> Performance -> Settings -> Advanced
Windows Investigation (Before Looking for Deleted Files!)
• Check Application Logs (WinXP)
– C:\WINDOWS\system32\config\AppEvent.evt
• Programs run from the Start > Run menu
– HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\RunMRU
• Windows Temp Files
– C:\Documents and Settings\User\Local Settings\Temp
Windows Registry
• Contains information on every Windows-compatible program
• Central hierarchical configuration database
• Operating system relies on it
• Contains information about
– Hardware including plug and play devices
– User information, preferences
• Supports multiple users
– Applications
– Network information
Registry
• How to view:
– Regedit
• Root keys
– HKEY_CLASSES_ROOT
– HKEY_CURRENT_USER
– HKEY_LOCAL_MACHINE
– HKEY_USERS
– HKEY_CURRENT_CONFIG
• Key
– Is a folder that contains subkeys
– Contains zero or more settings (values)
Registry Values
• Contain three parts
– Name
– Type
– Data
• Registry types
– REG_BINARY
• Raw binary data
• Must contain an even number of bytes
– REG_DWORD
• 32-bit double-word value
• For example, 0x01ACDE01
– REG_SZ
• String values
• The most common and simplest type
Glean evidence from the registry
• Make sure your registry is backed up
• On Win95/98, the registry is comprised of
– Windows\System.dat
– Windows\User.dat
• On WinNT/XP, the registry is comprised of
– Several hive files in %systemroot%\system32\config
• SYSTEM
• SAM
• SECURITY
• SOFTWARE
– NTUSER.dat files related to each user account
• Located in C:\Documents and Settings\%USER%
What can you find from the registry?
• The recently run programs
• The recently used (open or save) files
• Recently accessed networks
How to view or modify the Registry
• regedit or regedt32
• EnCase parses the registry files and presents them in a familiar tree-structured view.
Information from the registry
• Product Name
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
• TypedURLs contains a list of all the URLs the user typed into the address field
– HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
– It can be cleared through Internet Options
Information from the registry
• AutoComplete
– With the AutoComplete feature turned on, Internet Explorer saves data that users type into Web logons in the registry
• Passwords
• Name, address, phone number, ...
– HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
– Clear password autocomplete
Information from the registry
• Run, RunOnce, RunOnceEx
– Run: lists all the programs that start every time Windows starts
– RunOnce: lists all the programs that start only once and are deleted after that
– RunOnceEx is similar to RunOnce; it is used by applications for setup and configuration
– Trojan Horses will use them
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (RunOnce, RunOnceEx)
Information from the registry
• RecentDocs
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
– It can be cleared through the taskbar menu
Information from the registry
• Open or save files, last visited files
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\OpenSaveMRU
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\LastVisitedMRU
Information from the Registry
• Tells the system how to behave when a file with the .exe extension is launched:
– HKEY_CLASSES_ROOT\exefile\shell\open\command
– Malware such as Backdoor.Beasty modifies this key, so that it is launched whenever an executable file is launched
• Other registry keys provide similar functionality
– HKEY_CLASSES_ROOT\batfile\shell\open\command
– HKEY_CLASSES_ROOT\comfile\shell\open\command
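An added example (not from the slides) of checking the three launch keys above in a regedit export (.reg file): on XP the default value of each ...\shell\open\command key is expected to be "%1" %*, so any other command means a program has been inserted in front of every executable. The .reg text and the placeholder path in it are constructed.

```python
# Added example (not from the slides): flagging hijacked exefile/batfile/comfile
# handlers in a regedit export. Assumption: the expected default value is "%1" %*
# (XP); DEMO_REG is constructed, with an obviously placeholder program path.
import re

WATCHED_KEYS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command",
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command",
}
EXPECTED = '"%1" %*'

def parse_reg_export(text):
    """Return {key: {value_name: data}} for string values in a .reg export.
    '@' is the key's default value; only string ("...") values are handled."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.fullmatch(r'(@|"[^"]+")="(.*)"', line)
        if m and current is not None:
            name = "default" if m.group(1) == "@" else m.group(1).strip('"')
            # .reg escapes backslashes and quotes inside string data as \\ and \"
            keys[current][name] = re.sub(r'\\(["\\])', r"\1", m.group(2))
    return keys

def find_hijacked_handlers(text):
    """List (key, actual_command) for watched keys whose default is not EXPECTED."""
    keys = parse_reg_export(text)
    return [(k, keys[k].get("default")) for k in sorted(WATCHED_KEYS)
            if k in keys and keys[k].get("default") != EXPECTED]

# Constructed export: exefile points at a placeholder program, the others are clean.
DEMO_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\placeholder\\hijack.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''
```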
Acquisition Steps with EnCase
• Create EnCase Boot Disk
• Start subject computer with boot disk
• Acquire data to storage computer

EnCase Acquisition
Brief Introduction of EnCase• How to organize the case files and evidence files• Evidence File
– Header– Checksum
• EnCase computes a CRC for every block of 64 sectors (32KB)– Data Blocks– MD5 hash value
• Sector-by-sector copy
48
Brief Introduction of EnCase
• When evidence file is added to a case, EnCaseverifies the integrity of the entire disk image
• Case File
Filter, Query and Scripts
• Filters
– Use built-in capabilities
– Create queries when filter is run
• Queries
– Combine more than one filter in a semi-custom query
• Scripts
– Create your own search function using a C++-like language
String Search
• Adding keywords
• Choose files/folders to be searched
• Configure search

File Signatures
• Stated extension on evidence file
• Header information in the file itself
• Matches?
Access Registry
C:\windows\user.dat
Viewing Registry Files in EnCase
• Registry files of Windows 95, 98, ME, NT 4.0, 2000, and XP computers can be mounted within EnCase
View Email Folder
• Email is often a rich source of information
• Locate .dbx or .pst file
• View file structure
Email searches
• Outlook Express / Outlook
– Stores email messages and folders in files with a dbx / pst extension
– Copy dbx or pst file to a Windows machine
– EnCase
– Outport from outport.sourceforge.net (free)
• Web-based Email
– Stored in html format with the extension html or htm
GUID
• Globally Unique Identifier
– A unique 128-bit number to identify a particular component
• Imagine a case:
– A theft of intellectual property case, in which proprietary information was copied to a Word document, and the document was saved to a floppy disk
– Given the floppy disk, prove that the defendant created the disk.
Collect volatile data in Windows
• System Info
– date /t
– time /t
– Uptime
• How long the machine has been up
– psinfo
• You can download it from www.sysinternals.com
psinfo
• Provides system info
– Type of installation
– Install date
– Kernel version
– Service pack
– Processor information
– Registered organization and owner
Process Monitor
www.sysinternals.com

psinfo
The Forensic Acquisition Utilities
• A collection of utilities and libraries for the Windows environment
• http://users.erols.com/gmgarner/forensics/
– Sterilize media for forensic duplication
• Wipe.exe
– Collect the evidence from a running system
• dd.exe for Windows
– Check data integrity
• Md5sum.exe
– netcat
Windows' dd
• Performs bit-by-bit copy
• MD5 sums
• Compare the MD5sum from the data and the MD5sum from the image
• Obtain physical memory
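An added example (not from the slides, and not EnCase's or the FAU's own code) of the two integrity checks these slides describe: the MD5 of the whole image compared against the sum recorded at acquisition, plus a CRC-32 per 64-sector (32 KB) block, as in the "Brief Introduction of EnCase" slide, to localise which block changed. The in-memory image is constructed, and the per-block CRC table is an assumed layout, not EnCase's evidence-file format.

```python
# Added example (not from the slides): verifying an acquired image as the EnCase
# and dd/md5sum slides describe. The MD5 over the whole image must match the hash
# recorded at acquisition; a CRC per 64-sector (32 KB) block then localises which
# block changed if that check fails. The in-memory "disk" is constructed, and the
# per-block CRC table is my own layout, not EnCase's evidence-file format.
import hashlib
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR            # 32 KB, the unit EnCase checksums

def md5_of_image(data, chunk=BLOCK):
    """Stream the image through MD5 a chunk at a time (scales to large images)."""
    h = hashlib.md5()
    for off in range(0, len(data), chunk):
        h.update(data[off:off + chunk])
    return h.hexdigest()

def block_crcs(data):
    """CRC-32 of every 64-sector block; a short final block is hashed as-is."""
    return [zlib.crc32(data[off:off + BLOCK]) & 0xFFFFFFFF
            for off in range(0, len(data), BLOCK)]

def verify_image(data, recorded_md5, recorded_crcs):
    """Return (md5_ok, bad_blocks). bad_blocks lists block numbers whose CRC no
    longer matches the acquisition-time table; a length mismatch is reported too."""
    crcs = block_crcs(data)
    bad = [i for i, (now, then) in enumerate(zip(crcs, recorded_crcs)) if now != then]
    if len(crcs) != len(recorded_crcs):
        bad.append(("block count", len(crcs), len(recorded_crcs)))
    return md5_of_image(data) == recorded_md5, bad

def make_demo_image(blocks=3):
    """Constructed image: three full blocks of distinct bytes plus a short tail."""
    return b"".join(bytes([i + 1]) * BLOCK for i in range(blocks)) + b"tail"
```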
Recycle Bin
• The Recycle Bin is a hidden system folder
• This special folder is named
– Recycled in Windows 95 and 98
– Recycler in WinNT/2K
– A subfolder is created with the user's SID
• Every file sent to the Recycle Bin is renamed in the following format:
– D[original drive letter of file][index no].[original extension]
INFO2 Files
• When a file is deleted, a copy of the file is moved to the Recycle Bin directory on the hard drive.
• INFO2: binary format
• INFO record (dir /ah and dir under the command line)
– Deletion date and time
– File's original name and path
– Index number: its order in the recycle bin (0 is assigned to the first file)
• Use rifiuti to parse INFO2
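An added example (not from the slides, and independent of rifiuti) that decodes Windows 2000/XP INFO2 records into the deletion time, original path and index listed above, and rebuilds the D[drive][index].[ext] name from the Recycle Bin slide. It assumes the 20-byte header (record size at offset 12) and 800-byte record layout of the 2000/XP format, and the sample INFO2 is constructed, not real evidence.

```python
# Added example (not from the slides): INFO2 parser. Assumed layout: 20-byte
# header, then 800-byte records of ASCII path[260], index u32, drive u32,
# FILETIME u64, size u32, UTF-16LE path[520]. DEMO_ENTRIES is constructed.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_FMT = "<IIIII"            # version, unknown, unknown, record size, total size
RECORD_FMT = "<260sIIQI520s"     # 800-byte Windows 2000/XP record

def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC (the MAC-time format)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH        # integer arithmetic to keep full precision
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def recycled_name(drive_no, index, original_path):
    """Name inside the Recycler folder: D + drive letter + index + original extension."""
    base = original_path.rsplit("\\", 1)[-1]
    ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
    return f"D{chr(ord('a') + drive_no)}{index}{ext}"

def parse_info2(blob):
    """Decode every record of an INFO2 file into a dict per deleted file."""
    _version, _, _, rec_size, _ = struct.unpack_from(HEADER_FMT, blob, 0)
    if rec_size != struct.calcsize(RECORD_FMT):
        raise ValueError(f"unsupported INFO2 record size {rec_size}")
    records = []
    for off in range(struct.calcsize(HEADER_FMT), len(blob) - rec_size + 1, rec_size):
        apath, index, drive, ft, size, upath = struct.unpack_from(RECORD_FMT, blob, off)
        path = upath.decode("utf-16-le").split("\x00", 1)[0]
        if not path:                                   # fall back to the ASCII copy
            path = apath.split(b"\x00", 1)[0].decode("latin-1")
        records.append({"index": index, "drive": chr(ord("A") + drive), "path": path,
                        "deleted": filetime_to_datetime(ft), "size": size,
                        "recycled_as": recycled_name(drive, index, path)})
    return records

def build_info2(entries):
    """Constructed INFO2 blob for the demo: entries = [(path, index, drive_no, dt, size)]."""
    blob = struct.pack(HEADER_FMT, 5, 0, 0, struct.calcsize(RECORD_FMT), 0)
    for path, index, drive, dt, size in entries:
        blob += struct.pack(RECORD_FMT, path.encode("latin-1"), index, drive,
                            datetime_to_filetime(dt), size, path.encode("utf-16-le"))
    return blob

# Constructed sample: two deletions, from C: and D:, not real evidence.
DEMO_ENTRIES = [
    (r"C:\My Documents\secret plan.doc", 1, 2, datetime(2004, 3, 15, 10, 30, tzinfo=timezone.utc), 40960),
    (r"D:\tools\README", 2, 3, datetime(2004, 3, 15, 10, 31, 5, tzinfo=timezone.utc), 1024),
]
```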
How can the INFO file help an investigation?
• An INFO file record is often effective in confirming or refuting users' explanations
• An INFO file record indicates that a user intentionally deleted the file.
How can the INFO file help an investigation?
• If a user's explanation for the presence of a file in the Recycle Bin is that it was inadvertently downloaded during Internet activity
– The file's original location when it was deleted may tend to support or refute that contention
• If the file was originally located in a default download folder...
• If the file was originally located in C:\My Documents\My Favorite Things...
Several possibilities:
• The INFO file has been deleted and additionally the file's folder entry has been overwritten in the parent folder
– The INFO file may still be intact in unallocated or slack space.
– The examiner can search the entire drive for unique characteristics of the INFO file's contents
– If the examiner identifies an INFO file record for a file and there are no indications that the file's path existed on the seized media
• It is an indication that there may have been another piece of media attached to the computer and there may therefore be more undiscovered evidence.
Reading what the subject threw away from EnCase
• Check Recycler
• Recover INFO2 from both allocated and unallocated clusters
– Sort by file name and look for files named INFO2
• Recover deleted INFO2 files
– When a user empties a Recycle Bin, the INFO2 file is deleted
– Run the Info Record Finder EnScript
• Goes through the unallocated clusters of the media and file slack and recovers all Recycle Bin records
Website cache
• Internet Explorer caches websites that a user visits
• It stores cached files in the folder
– Documents and Settings\yxp\Local Settings\Temporary Internet Files
– Documents and Settings\yxp\Local Settings\History\History.IE5\index.dat
• It stores
– Internet Address
– Type
– Size
– Last Modified
– Last Accessed
Track Websites in EnCase
• Through file extension
– Check HTML and HTM files
• Run the Internet History EnScript
– Extracts every web page the subject visited that is still available via the cache
– The script reports the last time the site was visited by a user and the last time the site itself was updated
Event Log files
• Event logs for the system
– SECEVENT.EVT
– SYSEVENT.EVT
– APPEVENT.EVT
• In WinXP, they are stored in C:\WINDOWS\system32\config\
• These files are written in a binary format
• Use Event Viewer to read the log files.
– Control Panel -> Performance and Maintenance -> Administrative Tools -> Event Viewer
• EnScript: Windows Event Log parser
.EVT files
• SECEVENT.EVT
– Stores security-related events, including failed login attempts and attempts to access files without proper permissions.
• SYSEVENT.EVT
– Stores events associated with the system's functioning, including the failure of a driver or the inability of a service to start.
• APPEVENT.EVT
– Stores events associated with applications, such as databases, Web servers, and user applications.