Digital Evidence
Incident Response and Computer Forensics

"Any sufficiently advanced technology is indistinguishable from magic." Clarke's Third Law, Arthur C. Clarke

APIEP
- Acquisition – Initial Response (doc)
- Preservation – Hash / Documentation
- Identification – Extract Relevant Data
- Evaluation – Develop / Test Hypotheses
- Presentation – Write Summary Report

Certifications
- ENCE – EnCase
- Certified Information Forensics Investigator (CIFI)
- Certified Forensic Computer Examiner (CFCE) – LEOs
- Certified Electronic Evidence Collection Specialist (CEECS) – LEOs
- GIAC Certified Forensic Analyst (GCFA)

File Systems
- Organize Content from Abstract Data
- Headers Describe Layout / Components
- Data Units Store Addressable Data
- Meta Data – Permissions, Times, etc.
- Directory – Pairs metadata with files

Generic File System
(Diagram: Header; Directory Entry -> Node(s) -> Data Blocks)

Brian Carrier's Taxonomy ("File System Forensic Analysis")
- Content
- File System
- Meta Data
- Name

Content Layer
- Lowest Addressable FS Component
- Logical File System Object
- Sleuthkit – dcat, "Data concatenation"
- FAT / NTFS – Clusters – Sector Multiples
- EXTx – Blocks – Units of +1024 bytes
- Fragments – FFS and UFS Fractions

File System Layer
- Information About the File System
- Locations of FS Elements
- Tracks Allocation
- Example – FAT (File Allocation Table) and DET (Directory Entry Table)
- Sleuthkit tool – fsstat

Metadata Layer
- Data Attributes
- Content Attributes
- MAC Times
- Allocation Schemes
  - Dynamic, Variable or Fixed Allocation
- File System Journals (ext3)
- Sleuthkit – ils, istat and icat

Name Layer
- Links Meta Data to Directory Data
- Some Improve Search and Retrieval
  - Database Driven File Systems
- Sleuthkit – fls

Unix File Systems
- Relationship from Directory Entry to Inode to Data Block
- Directories = inodes that list directory entries
- Minix FS, UFS, Ext2fs, Ext3fs, etc.

Unix File Systems
- Superblock
  - Records Partition Metadata
  - Documents File System Features
- Disk layout designed for performance
  - File Data is Localized
  - Groups of blocks and inodes form b-trees

Unix File Systems
- Inode Structure
  - Metadata is stored in an i-node
  - Data is in an inode-referenced block
  - Large Files Require more blocks
  - When link count = 0 the block is available for use

Ext2/3
- Information Nodes (inodes)
- Inode Tables – Lists of Allocated Inodes
- Blocks – Data Area

Inode and Block Tables
- Each inode has a positional ID
- Each block has a positional ID
- Both Tables are Fixed Size
- Groups Cluster Tables to Provide "Locality of Reference"
- Multiple Inodes May be stored in a block
- Attributes determined at initial format

Inodes and Files
- One Inode per File
- Inodes Contain Metadata
  - Attribute data
  - Content Data
  - MAC Times
- Some inodes have special meaning
  - Inode 2 = Root Directory Entry (Can be used to reconstruct the FAT if it is deleted in investigation situations)

Inode Content
- Block Count = number of 512-byte Blocks Allocated
- File Size = BC * BS

Source of Auxiliary Evidence
- System Logs
  - /var/log/messages
  - /var/log/secure
  - Other service logs in /var (httpd, ftp, etc.)
- Anything Recently Added or Deleted
- Strange /tmp Directory Entries
- Strange /proc Directory Entries
- User Home Directories
- Any Other Ideas?

Lab Activity
- /evidence/hacker.image.dd
- Image of / (root) File System Taken from a possibly "hacked" system
- The system tells us a story
  - Your job is to "read" it
- Was it compromised?
- If so, what do we know about the culprits?

More File Systems

FAT File System
- Invented in 1977
  - Bill Gates and Marc McDonald
- 12, 16 (1987) and 32 bit (1997) Versions
- Used By Many Digital Cameras, PDAs and Mobile Phones
  - Cellular and PDA Forensic SW/HW

Intel Boot Record Format
- Master Boot Record
  - 446 Bytes of Bootable Code
  - 4 x 16-byte Partition Entries
  - AA55 – Boot Signature
- Primary v Extended Partition
  - Extended Partitions Hold Logical Drives
  - Carrier has been able to fool some tools by nesting more than 3 layers deep

FAT Boot Sector
- Bytes Per Sector
- Sectors Per Cluster
- Reserved Sectors
- # of FATs
- Root Entries
- Small Sectors
- Media Descriptor
- Sectors Per FAT
- Sectors Per Track
- Heads
- Hidden Sectors
- Large Sectors

Allocation Units
- "Clusters"
- One or More Sectors
- Never Larger than 32K*
- Tied to File System Size

File Allocation Table
- Directory Entry Table (DET) Stores Name and Starting Cluster Number in FAT
- FAT Stores Allocation Data for Clusters
- "FAT Chain" = One-way linked list
- May be Duplicated (2 copies by default)
- Size of Entry determined by type of FAT
  - FAT12 = 2^12 Max, FAT16 = 2^16 Max, FAT32 = 2^28 Max

Long File Names
- FAT Natively supports only 8.3 names
- LFNs added Via VFAT Extension
- VFAT uses multiple, chained directory entries to store LFN

Deleting Files
- File has E5h Written to First Character of File Name, Marking the Entry as Safe to Overwrite
- Recovery? Search for E5!
- Fragmented Files May be Partially Overwritten
- Recovery Becomes Very Difficult

FAT File System Disk Volume Structures
(Diagram)

NTFS
- Partition Boot Sector
- MFT

NTFS
- File Types
- File Attributes
- Data Streams
- Compressed Files
- Encrypted Files
- Sparse Files
- Data Integrity and Recoverability

Lab Activity
- An employee is suspected of stealing confidential documents related to a project code named "Sick Bird"
- A PDA was seized and imaged
- Corporate security officers are not authorized to tell you anything else about the project

Lab Activity
- /evidence/corporate_espionage.dd
- Review any relevant data in the image
- The company uses Microsoft Office
- Run foremost and recover any data you think appropriate
- Is there any evidence of IP theft that might warrant further
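The Intel Boot Record Format slide (446 bytes of code, four 16-byte partition entries, the AA55 signature, extended partitions holding logical drives) as a small parser. This is an added example, not material from the course; the 64-sector disk image is constructed inline, and the depth cap on the EBR walk is an assumption chosen so the nested-extended-partition trick the slide mentions cannot hang the tool.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS, Win95 LBA and Linux extended container types

def make_record(entries):
    """Build one 512-byte MBR/EBR: 446 bytes of (zeroed) code, up to 4 x 16-byte entries, AA55 signature."""
    rec = bytearray(SECTOR)
    for i, (ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into('<B3sB3sII', rec, 446 + 16 * i, 0x00, b'\xff\xff\xff', ptype, b'\xff\xff\xff', lba_start, sectors)
    rec[510:512] = b'\x55\xAA'          # stored little-endian, reads as 0xAA55
    return rec

def build_sample_disk():
    """Constructed 64-sector disk: one primary FAT16 partition plus an extended container holding two logical drives."""
    disk = bytearray(64 * SECTOR)
    disk[0:SECTOR] = make_record([(0x06, 1, 19), (0x05, 20, 44)])
    disk[20 * SECTOR:21 * SECTOR] = make_record([(0x06, 1, 19), (0x05, 20, 24)])  # EBR 1: logical at 21, next EBR at 40
    disk[40 * SECTOR:41 * SECTOR] = make_record([(0x83, 1, 23)])                   # EBR 2: logical at 41, chain ends
    return bytes(disk)

def read_entries(disk, sector):
    """Parse the four partition entries of the record in `sector`; refuse a record without the AA55 signature."""
    off = sector * SECTOR
    if disk[off + 510:off + 512] != b'\x55\xAA':
        raise ValueError(f'no AA55 boot signature in sector {sector}')
    entries = []
    for i in range(4):
        _status, _chs, ptype, _chs_end, start, count = struct.unpack_from('<B3sB3sII', disk, off + 446 + 16 * i)
        if ptype != 0x00:                   # type 0 = empty slot
            entries.append((ptype, start, count))
    return entries

def list_partitions(disk, max_depth=8):
    """Return (type, absolute start sector, sector count) for primaries and logical drives, walking the EBR chain."""
    found = []
    for ptype, start, count in read_entries(disk, 0):
        if ptype not in EXTENDED_TYPES:
            found.append((ptype, start, count))
            continue
        ext_base, ebr, depth = start, start, 0
        while ebr and depth < max_depth:       # depth cap so a deeply nested or looping chain cannot hang the tool
            nxt = 0
            for t, s, c in read_entries(disk, ebr):
                if t in EXTENDED_TYPES:
                    nxt = ext_base + s         # link to the next EBR is relative to the extended container start
                else:
                    found.append((t, ebr + s, c))  # a logical drive's start is relative to its own EBR
            ebr, depth = nxt, depth + 1
    return found
```

Tools that stop after a fixed number of EBRs miss the deeper logical drives, which is the gap the slide's nesting remark refers to; compare the output against fsstat or mmls when checking real images.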
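A worked example covering the FAT Boot Sector, File Allocation Table and Deleting Files slides together, added here and not part of the original deck: it decodes the twelve BPB fields the slide lists, derives the FAT and root-directory offsets, scans the root directory for entries whose first byte is E5h, and follows a FAT16 chain. The FAT16 image is constructed inline; the field offsets follow the standard BPB and 8.3 directory-entry layouts.

```python
import struct

# FAT boot sector (BPB) fields from offset 11, in the order the slide lists them
BPB_FMT = '<HBHBHHBHHHII'
BPB_NAMES = ('bytes_per_sector', 'sectors_per_cluster', 'reserved_sectors', 'num_fats',
             'root_entries', 'small_sectors', 'media_descriptor', 'sectors_per_fat',
             'sectors_per_track', 'heads', 'hidden_sectors', 'large_sectors')

def build_sample_image():
    """Constructed FAT16 fragment: boot sector, one FAT copy and a 16-entry root directory (no data area)."""
    img = bytearray(3 * 512)
    struct.pack_into(BPB_FMT, img, 11, 512, 1, 1, 1, 16, 0, 0xF8, 1, 63, 255, 0, 2048)
    img[510:512] = b'\x55\xAA'                                        # boot signature
    struct.pack_into('<HHHH', img, 512, 0xFFF8, 0xFFFF, 3, 0xFFFF)    # FAT: cluster 2 -> 3 -> end of chain
    struct.pack_into('<11sB14xHI', img, 1024, b'README  TXT', 0x20, 2, 700)      # live file
    struct.pack_into('<11sB14xHI', img, 1056, b'\xE5ECRET  DOC', 0x20, 4, 300)   # deleted: E5h in byte 0
    return bytes(img)

def parse_boot_sector(img):
    """Decode the BPB and derive the offsets an examiner needs to locate the FAT and the root directory."""
    bpb = dict(zip(BPB_NAMES, struct.unpack_from(BPB_FMT, img, 11)))
    bpb['signature_ok'] = img[510:512] == b'\x55\xAA'
    bpb['cluster_bytes'] = bpb['bytes_per_sector'] * bpb['sectors_per_cluster']
    bpb['fat_offset'] = bpb['reserved_sectors'] * bpb['bytes_per_sector']
    bpb['root_offset'] = bpb['fat_offset'] + bpb['num_fats'] * bpb['sectors_per_fat'] * bpb['bytes_per_sector']
    return bpb

def scan_root_dir(img, bpb):
    """Return (name, deleted, start_cluster, size) for each directory entry; E5h in byte 0 marks a deletion."""
    entries = []
    for i in range(bpb['root_entries']):
        off = bpb['root_offset'] + 32 * i
        e = img[off:off + 32]
        if e[0] == 0x00:
            break                                      # never-used slot: the directory ends here
        deleted = e[0] == 0xE5
        base = (b'?' if deleted else e[:1]) + e[1:8]   # the first name character is lost on deletion
        name = base.decode('latin-1').rstrip() + '.' + e[8:11].decode('latin-1').rstrip()
        start, size = struct.unpack_from('<HI', e, 26)
        entries.append((name, deleted, start, size))
    return entries

def fat16_chain(img, bpb, start):
    """Follow the one-way linked list in the FAT from a starting cluster until a free or end-of-chain entry."""
    chain, c = [], start
    while 2 <= c < 0xFFF8 and c not in chain:          # stop on free (0), reserved, EOC, or a loop
        chain.append(c)
        c = struct.unpack_from('<H', img, bpb['fat_offset'] + 2 * c)[0]
    return chain
```

For the deleted entry only the starting cluster survives in the directory, and its FAT entry has been zeroed, so the chain walk stops after one cluster; this is why a fragmented deleted file is so hard to recover once later clusters are reallocated.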