NOVA ITE 100 - Incident Response and Computer Forensics


Digital Evidence: Incident Response and Computer Forensics
"Any sufficiently advanced technology is indistinguishable from magic." (Clarke's Third Law, Arthur C. Clarke)

APIEP
- Acquisition: initial response (document everything)
- Preservation: hash the evidence and document the chain of custody
- Identification: extract the relevant data
- Evaluation: develop and test hypotheses
- Presentation: write the summary report

Certifications
- EnCE (EnCase Certified Examiner)
- CIFI (Certified Information Forensics Investigator)
- CFCE (Certified Forensic Computer Examiner), law enforcement only
- CEECS (Certified Electronic Evidence Collection Specialist), law enforcement only
- GCFA (GIAC Certified Forensic Analyst)

File Systems
- Organize content from abstract data
- Headers describe the layout and components
- Data units store addressable data
- Metadata: permissions, times, etc.
- Directory: pairs metadata with file names

Generic File System
- Components: header, directory entries, metadata node(s), data blocks

Brian Carrier's Taxonomy ("File System Forensic Analysis")
- Four layers: content, file system, metadata, name

Content Layer
- Lowest addressable file system component; the logical file system object
- Sleuthkit: dcat (data concatenation; renamed blkcat in current Sleuthkit releases)
- FAT/NTFS: clusters (multiples of a sector)
- Extx: blocks of 1024, 2048 or 4096 bytes
- Fragments: fractions of a block in FFS/UFS

File System Layer
- Information about the file system itself
- Locations of file system elements; tracks allocation
- Example: FAT (File Allocation Table) and DET (Directory Entry Table)
- Sleuthkit tool: fsstat

Metadata Layer
- Data attributes, content attributes, MAC times
- Allocation schemes: dynamic, variable or fixed allocation
- File system journals (ext3)
- Sleuthkit: ils, istat and icat

Name Layer
- Links metadata to directory data
- Some improve search and retrieval (database-driven file systems)
- Sleuthkit: fls

Unix File Systems
- Relationship: directory entry -> inode -> data block
- Directories are inodes whose data lists directory entries
- Minix FS, UFS, Ext2fs, Ext3fs, etc.
- Superblock records partition metadata and documents file system features
- Disk layout designed for performance: file data is localized
- Blocks and inodes are clustered into block groups
- Inode structure: metadata is stored in the inode; data lives in the blocks the inode references
- Large files require more blocks (reached through indirect blocks)
- When the link count reaches 0 (and no process still holds the file open) the inode and its blocks are available for reuse

Ext2/3
- Information nodes (inodes)
- Inode tables: lists of allocated inodes
- Blocks: the data area

Inode and Block Tables
- Each inode and each block has a positional ID
- Both tables are fixed size
- Block groups cluster the tables to provide locality of reference
- Multiple inodes may be stored in one block
- Attributes are determined at initial format

Inodes and Files
- One inode per file
- Inodes contain metadata: attribute data, pointers to content data, MAC times
- Some inodes have special meaning: inode 2 is the root directory (walking it lets you rebuild the directory hierarchy during an investigation)

Inode Content
- Block count = number of 512-byte units allocated (regardless of the file system block size)
- Allocated size = block count * 512; the logical file size is stored separately in the inode and is normally smaller, and the difference is slack space

Source of Auxiliary Evidence
- System logs: /var/log/messages, /var/log/secure, other service logs in /var (httpd, ftp, etc.)
- Anything recently added or deleted
- Strange /tmp directory entries
- Strange /proc directory entries
- User home directories
- Any other ideas?

Lab Activity
- /evidence/hacker.image.dd: an image of the / (root) file system taken from a possibly "hacked" system
- The system tells us a story; your job is to "read" it
- Was it compromised? If so, what do we know about the culprits?

More File Systems

FAT File System
- Invented in 1977 by Bill Gates and Marc McDonald
- Versions: FAT12, FAT16 (1987) and FAT32 (1997)
- Used by many digital cameras, PDAs and mobile phones (cellular and PDA forensic software and hardware)

Intel Boot Record Format
- Master Boot Record: 446 bytes of bootable code, 4 x 16-byte partition entries, boot signature 55 AA at bytes 510-511 (0xAA55 when read little-endian)
- Primary vs. extended partitions: extended partitions hold logical drives
- Carrier has been able to fool some tools by nesting extended partitions more than 3 layers deep

FAT Boot Sector
- Bytes per sector, sectors per cluster, reserved sectors, number of FATs, root entries, small sectors, media descriptor, sectors per FAT, sectors per track, heads, hidden sectors, large sectors

Allocation Units
- "Clusters": one or more sectors
- Never larger than 32K (with exceptions)
- Tied to the file system size

File Allocation Table
- Directory Entry Table (DET) stores the name and the starting cluster number
- FAT stores the allocation data for clusters; a "FAT chain" is a one-way linked list
- May be duplicated (2 copies by default)
- Entry size is determined by the FAT type: FAT12 = 2^12 clusters max, FAT16 = 2^16 max, FAT32 = 2^28 max

Long File Names
- FAT natively supports only 8.3 names
- LFNs were added via the VFAT extension
- VFAT uses multiple chained directory entries to store an LFN

Deleting Files
- E5h is written to the first character of the file name, marking the entry as safe to overwrite
- Recovery? Search for E5!
- Fragmented files may be partially overwritten; recovery becomes very difficult
- FAT File System Disk Volume Structures

NTFS
- Partition boot sector
- MFT
- File types, file attributes, data streams, compressed files, encrypted files, sparse files
- Data integrity and recoverability

Lab Activity
- An employee is suspected of stealing confidential documents related to a project code named "Sick Bird"
- A PDA was seized and imaged
- Corporate security officers are not authorized to tell you anything else about the project
- /evidence/corporate_espionage.dd
- Review any relevant data in the image; the company uses Microsoft Office
- Run foremost and recover any data you think appropriate
- Is there any evidence of IP theft that might warrant further
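Worked example for the Ext2/3, Inodes and Files and Inode Content slides. This is an added illustration, not code from the deck or from Sleuthkit: it decodes a raw 128-byte ext2 inode (the classic on-disk layout), derives the allocated size from the 512-byte block count, computes slack against the logical size, reports MAC times, and flags a deleted inode by its zero link count and deletion time. The two inodes it parses are constructed for the example, not taken from the lab image.

```python
import struct
from datetime import datetime, timezone

# Classic ext2 inode, first 128 bytes, little-endian:
# mode, uid, size, atime, ctime, mtime, dtime, gid, links, blocks, flags, osd1,
# 15 block pointers (12 direct + single/double/triple indirect),
# generation, file_acl, dir_acl, faddr, osd2 (12 bytes)
EXT2_INODE_FMT = "<HHIIIIIHHIII15IIIII12s"
SECTOR = 512          # i_blocks counts 512-byte units whatever the fs block size is
EXT2_ROOT_INO = 2     # inode 2 is always the root directory

def parse_ext2_inode(raw: bytes) -> dict:
    """Decode a raw 128-byte ext2 inode into named fields."""
    if len(raw) < 128:
        raise ValueError("an ext2 inode is at least 128 bytes")
    f = struct.unpack(EXT2_INODE_FMT, raw[:128])
    mode, uid, size, atime, ctime, mtime, dtime, gid, links, blocks, flags = f[:11]
    ptrs = f[12:27]
    return {
        "mode": mode, "uid": uid, "gid": gid, "size": size, "links": links,
        "blocks": blocks, "flags": flags,
        "atime": atime, "ctime": ctime, "mtime": mtime, "dtime": dtime,
        "direct": [p for p in ptrs[:12] if p],          # non-zero direct pointers
        "indirect": ptrs[12], "double_indirect": ptrs[13], "triple_indirect": ptrs[14],
    }

def allocated_bytes(inode: dict) -> int:
    """Space the file occupies on disk: block count * 512."""
    return inode["blocks"] * SECTOR

def slack_bytes(inode: dict) -> int:
    """Allocated space beyond the logical size (i_size): the file's slack."""
    return max(0, allocated_bytes(inode) - inode["size"])

def is_deleted(inode: dict) -> bool:
    """Link count 0 together with a deletion time marks an unallocated (deleted) inode."""
    return inode["links"] == 0 and inode["dtime"] != 0

def mac_times(inode: dict) -> dict:
    """MAC times (plus dtime) as UTC ISO-8601 strings; None when the field is 0."""
    def fmt(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat() if ts else None
    return {k: fmt(inode[k]) for k in ("mtime", "atime", "ctime", "dtime")}

def build_inode(size, blocks, ptrs=(), links=1, dtime=0, t=1_200_000_000) -> bytes:
    """Constructed sample inode (synthetic data, not from a real image)."""
    block_ptrs = list(ptrs) + [0] * (15 - len(ptrs))
    return struct.pack(EXT2_INODE_FMT, 0o100644, 1000, size, t, t, t, dtime, 1000,
                       links, blocks, 0, 0, *block_ptrs, 0, 0, 0, 0, b"\0" * 12)

# 5000-byte file on a 1024-byte-block fs: 5 blocks = 10 sectors -> 5120 allocated, 120 slack
LIVE_INODE = build_inode(size=5000, blocks=10, ptrs=(100, 101, 102, 103, 104))
# The same file after deletion on ext2: links 0, dtime set, block pointers still present
# (ext3 zeroes the pointers on delete, which is why icat-style recovery fails there)
DELETED_INODE = build_inode(size=5000, blocks=10, ptrs=(100, 101, 102, 103, 104),
                            links=0, dtime=1_200_003_600)

def report(raw: bytes) -> dict:
    """Summary an examiner would want from istat: status, sizes, blocks, times."""
    inode = parse_ext2_inode(raw)
    return {"deleted": is_deleted(inode), "size": inode["size"],
            "allocated": allocated_bytes(inode), "slack": slack_bytes(inode),
            "blocks": inode["direct"], "times": mac_times(inode)}

if __name__ == "__main__":
    for label, raw in (("live", LIVE_INODE), ("deleted", DELETED_INODE)):
        print(label, report(raw))
```

The slack figure is the region between the logical end of file and the end of the last allocated block; carving it is where remnants of earlier files on the same blocks turn up.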
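Worked example for the Intel Boot Record Format slide. This is an added illustration, not code from the deck or from any tool it names: it checks the 55 AA signature, parses the four 16-byte partition entries of an MBR, follows the chain of extended boot records to list logical drives, and guards against the deep or looping nesting the slide says Carrier used to fool tools. The disk image it parses is a constructed 100-sector image, not the lab evidence; the partition type names are the common MBR type codes.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"          # bytes 510-511; reads as 0xAA55 little-endian
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # CHS / LBA / Linux extended containers
PART_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32M", 0x06: "FAT16", 0x07: "NTFS/exFAT",
              0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x05: "Extended", 0x0F: "Extended LBA",
              0x82: "Linux swap", 0x83: "Linux"}

def parse_partition_table(sector: bytes) -> list:
    """Parse the 4 x 16-byte entries of an MBR or EBR sector (start LBAs as stored)."""
    if len(sector) < SECTOR or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, rel_start, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0 or count == 0:          # empty slot
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "desc": PART_TYPES.get(ptype, "0x%02X" % ptype),
                      "start": rel_start, "sectors": count})
    return parts

def walk_extended(read_sector, ext_start: int, max_depth: int = 64) -> list:
    """Follow the EBR chain inside an extended partition. In each EBR, entry 0 is the
    logical volume (start relative to that EBR) and entry 1 points to the next EBR
    (start relative to the extended partition). A visited set and a depth cap stop
    loops and absurdly deep nesting instead of hanging the examiner's tool."""
    logical, seen, ebr = [], set(), ext_start
    while ebr not in seen and len(seen) < max_depth:
        seen.add(ebr)
        try:
            entries = {e["slot"]: e for e in parse_partition_table(read_sector(ebr))}
        except ValueError:
            break                             # EBR missing, unreadable or past end of disk
        if 0 in entries:
            vol = dict(entries[0])
            vol["start"] += ebr               # make the logical volume's LBA absolute
            logical.append(vol)
        if 1 not in entries or entries[1]["type"] not in EXTENDED_TYPES:
            break
        ebr = ext_start + entries[1]["start"]
    return logical

def enumerate_partitions(image: bytes) -> list:
    """List primary and logical partitions of a raw image with absolute LBAs."""
    def read_sector(lba):
        return image[lba * SECTOR:(lba + 1) * SECTOR]
    disk_sectors = len(image) // SECTOR
    found = []
    for p in parse_partition_table(read_sector(0)):
        found.append(p)
        if p["type"] in EXTENDED_TYPES:
            found.extend(walk_extended(read_sector, p["start"]))
    for p in found:                           # entry claims sectors the image does not have
        p["truncated"] = p["start"] + p["sectors"] > disk_sectors
    return found

def find_overlaps(parts: list) -> list:
    """Pairs of volumes whose sector ranges overlap: a hint of a tampered table."""
    vols = [p for p in parts if p["type"] not in EXTENDED_TYPES]
    out = []
    for a in range(len(vols)):
        for b in range(a + 1, len(vols)):
            x, y = vols[a], vols[b]
            if x["start"] < y["start"] + y["sectors"] and y["start"] < x["start"] + x["sectors"]:
                out.append((x["start"], y["start"]))
    return out

def table_sector(entries, boot_code: bytes = b"") -> bytes:
    """Build one 512-byte MBR/EBR from (status, type, rel_start, count) tuples."""
    body = boot_code.ljust(446, b"\0")
    for e in (list(entries) + [(0, 0, 0, 0)] * 4)[:4]:
        body += struct.pack("<B3sB3sII", e[0], b"\0\0\0", e[1], b"\0\0\0", e[2], e[3])
    return body + MBR_SIGNATURE

# Constructed 100-sector image: only the MBR and two EBRs carry data.
DISK_SECTORS = 100
IMAGE = bytearray(DISK_SECTORS * SECTOR)
IMAGE[0:SECTOR] = table_sector([(0x80, 0x06, 1, 19),        # primary FAT16, LBA 1-19
                                (0x00, 0x05, 20, 80)])       # extended container, LBA 20-99
IMAGE[20 * SECTOR:21 * SECTOR] = table_sector([(0, 0x83, 1, 29),    # logical Linux at 21
                                                (0, 0x05, 30, 50)])  # next EBR at 20 + 30
IMAGE[50 * SECTOR:51 * SECTOR] = table_sector([(0, 0x07, 1, 49)])   # logical NTFS at 51
IMAGE = bytes(IMAGE)

if __name__ == "__main__":
    for p in enumerate_partitions(IMAGE):
        print(p)
```

Compare the output of the walk against what fdisk or mmls reports for the same image; a difference means one of the tools trusted a field (relative start, nesting depth) that the other did not.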
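Worked example for the File Allocation Table, Long File Names and Deleting Files slides. This is an added illustration, not code from the deck or from foremost: it reads packed 12-bit FAT entries, walks a live file's cluster chain, parses 32-byte directory entries while reassembling VFAT long-name entries, keeps entries whose first byte is E5h, and estimates a deleted file's clusters from the surviving start cluster and size, flagging any that a live file has since reused. The FAT and root directory are constructed for the example (one sector per cluster), not taken from the lab image.

```python
import struct

DIR_ENTRY_FMT = "<8s3sBBBHHHHHHHI"   # 32-byte FAT directory entry
ATTR_LFN = 0x0F                      # attribute value marking a VFAT long-name entry
DELETED = 0xE5                       # first name byte of a deleted entry
CLUSTER_SIZE = 512                   # constructed volume: one sector per cluster

def fat12_entry(fat: bytes, cluster: int) -> int:
    """Read the 12-bit FAT entry for `cluster`; entries are packed 1.5 bytes each."""
    off = cluster + cluster // 2
    if off + 2 > len(fat):
        raise ValueError("cluster %d lies beyond the FAT" % cluster)
    val = struct.unpack_from("<H", fat, off)[0]
    return val >> 4 if cluster & 1 else val & 0x0FFF

def walk_chain(fat: bytes, start: int, limit: int = 4096) -> list:
    """Follow a live file's FAT chain (a one-way linked list) until end-of-chain."""
    chain, cur = [], start
    while 2 <= cur <= 0xFEF and cur not in chain and len(chain) < limit:
        chain.append(cur)
        cur = fat12_entry(fat, cur)
    return chain

def dos_datetime(date: int, time: int) -> str:
    """Decode packed DOS date and time words (2-second resolution)."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_directory(raw: bytes) -> list:
    """Parse directory entries, reassembling VFAT LFN parts and keeping E5 entries."""
    files, lfn_parts = [], []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                       # 0x00: no more entries in this directory
            break
        name, ext, attr, _, _, _ct, _cd, _ad, hi, wtime, wdate, lo, size = struct.unpack(DIR_ENTRY_FMT, e)
        if attr == ATTR_LFN:
            # 13 UCS-2 characters per entry at offsets 1-10, 14-25 and 28-31
            chunk = (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le")
            lfn_parts.insert(0, chunk.split("\0")[0])   # on disk the last part comes first
            continue
        deleted = e[0] == DELETED
        base = ("?" if deleted else chr(e[0])) + name[1:].decode("ascii", "replace").rstrip()
        ext = ext.decode("ascii", "replace").rstrip()
        files.append({"name": base + ("." + ext if ext else ""),
                      "long_name": "".join(lfn_parts) or None, "deleted": deleted,
                      "attr": attr, "start_cluster": (hi << 16) | lo, "size": size,
                      "modified": dos_datetime(wdate, wtime)})
        lfn_parts = []
    return files

def recover_deleted(entry: dict, fat: bytes) -> dict:
    """Deleting a FAT file zeroes its chain, so only the start cluster and size survive.
    Assume the file was contiguous and flag clusters that a live file now owns."""
    n = -(-entry["size"] // CLUSTER_SIZE)            # ceil(size / cluster size)
    clusters = list(range(entry["start_cluster"], entry["start_cluster"] + n))
    reused = [c for c in clusters if fat12_entry(fat, c) != 0]
    return {"clusters": clusters, "reused": reused, "intact": not reused}

def build_fat12(chains: list, total: int = 16) -> bytes:
    """Constructed FAT12 table: each chain is a list of clusters; everything else is free."""
    entries = [0] * total
    entries[0], entries[1] = 0xFF8, 0xFFF            # media descriptor / reserved
    for chain in chains:
        for a, b in zip(chain, chain[1:] + [0xFFF]):
            entries[a] = b
    out = bytearray()
    for a, b in zip(entries[0::2], entries[1::2]):   # two 12-bit entries per 3 bytes
        out += bytes([a & 0xFF, (a >> 8) | ((b & 0xF) << 4), b >> 4])
    return bytes(out)

def dir_entry(name: str, ext: str, start: int, size: int, deleted: bool = False) -> bytes:
    """Constructed 8.3 entry; write time 0x8A20 / date 0x3B4C decode to 2009-10-12 17:17:00."""
    raw = struct.pack(DIR_ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                      0x20, 0, 0, 0, 0, 0, start >> 16, 0x8A20, 0x3B4C, start & 0xFFFF, size)
    return (bytes([DELETED]) + raw[1:]) if deleted else raw

def lfn_entries(long_name: str, short: bytes) -> bytes:
    """Constructed VFAT LFN entries for `long_name`, tied to the 8.3 name by its checksum."""
    chk = 0
    for b in short:
        chk = (((chk & 1) << 7) + (chk >> 1) + b) & 0xFF
    text = long_name + "\0"
    text += "\uffff" * (-len(text) % 13)
    parts = [text[i:i + 13] for i in range(0, len(text), 13)]
    out = b""
    for idx in range(len(parts) - 1, -1, -1):        # last part is written first
        u = parts[idx].encode("utf-16-le")
        seq = (idx + 1) | (0x40 if idx == len(parts) - 1 else 0)
        out += bytes([seq]) + u[:10] + bytes([ATTR_LFN, 0, chk]) + u[10:22] + b"\0\0" + u[22:]
    return out

# Constructed volume: a live file on clusters 2-4, a deleted file whose clusters 5-6 are
# still free, and a deleted file whose first cluster (4) the live file has since reused.
FAT = build_fat12([[2, 3, 4]])
ROOT_DIR = (lfn_entries("quarterly-report.doc", b"QUARTE~1DOC")
            + dir_entry("QUARTE~1", "DOC", start=2, size=1400)
            + dir_entry("SICKBIRD", "XLS", start=5, size=1000, deleted=True)
            + dir_entry("OLDNOTES", "TXT", start=4, size=600, deleted=True)
            + b"\0" * 32)
```

The second deleted entry is the case the slide warns about: part of its estimated cluster range has been reallocated, so a contiguous read returns bytes from the newer file and the recovered content cannot be trusted without carving.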

