UTD CS 4398 - Lecture #8 File Systems


Slide index: Digital Forensics; Outline; Review; Windows File System; File Systems; File Systems - 2; File Systems - 3; Microsoft File Structures; NTFS Disks; NTFS Disks - 2; NTFS Disks - 3 (Summary); NTFS Recovery; NTFS Recovery - 2; Other Concepts; Virtual Machines; References and Review

Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #8: File Systems
September 22, 2008

Outline
- Review
- File Systems Overview
- Windows File System (for Forensics)
- References and Review Question

Review
Part 1:
- Lecture 1: Overview of Digital Forensics (Chapter 1 of textbook)
- Lecture 2: Information Security Review
- Lecture 3: Data Recovery, Verification, Lab Tour (Chapter 3 of textbook: constructing a forensics lab)
- Lecture 4: Data Acquisition (Chapter 4 of textbook)
- Lecture 5: Malicious Code Detection (e.g., the computer is the victim of the crime; applying data mining techniques)
- Lecture 6: Digital Forensics Analysis, Part 1
- Lecture 7: Processing crime and incident scenes
Part 2:
- Lecture 8: Windows File System and Forensics

Windows File System
- Overview of File Systems
- Microsoft File Structures
- NTFS Disks (New Technology File System): partitions, disks, etc.
- Other concepts (Registries, startup tasks)
- Virtual Machines

File Systems
What is it?
- The structure of the data that is stored
- Linear file system, hierarchical file system, etc. The type of file system determines how the data is stored on disk
- The file system is part of the OS; a file system is a way of storing and organizing computer files and the data they contain, to make it easy to find and access them.
Key aspects of file systems include:
- Boot sequence
- Disk drives
- File name, metadata, security access
- Different types of file systems

File Systems - 2
Boot sequence
- When a suspect's computer starts, make sure it boots to a forensic floppy disk/CD and not to the hard disk
- Booting to the hard disk may overwrite evidence
- Make modifications to the CMOS setup
Disk drives
- Geometry, heads, tracks, cylinders, sectors
- Every file has a file name; metadata consists of information about a file; access control policies may be defined on a file
- Types of file systems include disk file systems, flash file systems, database file systems, network file systems, ...

File Systems - 3
- File systems typically have directories which associate file names with files, usually by connecting the file name to an index in a file allocation table (FAT in Windows, inode in Unix)
- Directory structures may be flat, or allow hierarchies where directories may contain subdirectories. In some file systems, file names are structured, with special syntax for filename extensions and version numbers. In others, file names are simple strings
Metadata
- The length of the data contained in a file may be stored as the number of blocks allocated for the file or as an exact byte count.
- The time that the file was last modified may be stored as the file's timestamp; also the file creation time and the time it was last accessed

Microsoft File Structures
Sectors
- Sectors are grouped to form clusters, which are the storage allocation units.
- Cluster numbers are logical addresses and sector numbers are physical addresses.
Disk Partitions
- The hard drive is partitioned. A partition is a logical drive.
Master Boot Record (MBR)
- Stores information about the partitions on a disk and their locations, sizes, etc.
FAT (File Allocation Table) Disks
- Original Microsoft file structure database
NTFS
- New Technology File System

NTFS Disks
Overview of NTFS Disks
- Newer Microsoft products are based on the New Technology File System
- Everything written to a disk is considered a file
- The first data set is the Partition Boot Sector
- Next is the Master File Table (similar to FAT)
- Uses Unicode
NTFS System Files
- The first file, the MFT, has information on all the files
- Records in the MFT are called metadata

NTFS Disks - 2
NTFS Data Streams
- Ways data can be appended to existing files
- Can obscure evidence; the only way to know there is a data stream is by looking at the MFT
NTFS Compressed Files
- Provides compression to improve data storage
Encryption
- Implements a public key/private key method
- Whole disk encryption (Chapter 4) for extra protection of certain information such as personal identity numbers.
Performance
- Tune some of the global NTFS parameters to achieve a significant increase in disk performance. Other techniques like disk defragmentation could help

NTFS Disks - 3 (Summary)
File Storage Hardware and Disk Organization
Hard Disk Drive Basics
- Making Tracks
- Sectors and Clusters
Master Boot Record (MBR)
- Viruses Can Infect the Master Boot Record
Partition Table
- Boot Indicator Field
- System ID Field
- Starting and Ending Head, Sector, and Cylinder Fields
- Relative Sectors and Number of Sectors Fields
- Logical Drives and Extended Partitions

NTFS Recovery
Why is partition recovery needed?
- The MBR (Master Boot Record) is damaged
- A partition is deleted or the Partition Table is damaged
- The Partition Boot Sector is damaged
- Missing or corrupted system files
Partition/Drive Recovery
- "Physical partition recovery". The goal is to find out the problem and write some information to the proper place on the HDD, after which the partition becomes visible to the OS again.
- "Virtual partition recovery".
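The partition table fields listed on the summary slide (boot indicator, system ID, starting and ending CHS, relative sectors, number of sectors) can be pulled straight out of sector 0. The parser below is an added example, not part of the lecture; it builds a constructed MBR, decodes the four 16-byte entries at offset 446, and refuses a sector whose 0x55AA signature is missing, which is the first thing an examiner checks when the slide's "MBR is damaged" case is suspected. The 0x07 (NTFS) and 0x05 (extended) system IDs are standard values.

```python
import struct

SECTOR_SIZE = 512

def encode_chs(cylinder, head, sector):
    """Pack CHS into the 3-byte on-disk form: head, then the 6-bit sector with
    the top two cylinder bits, then the low 8 cylinder bits."""
    return bytes([head, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])

def decode_chs(raw):
    """Inverse of encode_chs: returns (cylinder, head, sector)."""
    return (((raw[1] & 0xC0) << 2) | raw[2], raw[0], raw[1] & 0x3F)

def parse_mbr(sector0):
    """Return the used entries of the 4-slot partition table at offset 446.
    A damaged MBR typically fails the signature check and is reported, not guessed."""
    if len(sector0) != SECTOR_SIZE or sector0[510:512] != b"\x55\xaa":
        raise ValueError("0x55AA boot signature missing: MBR damaged or not an MBR")
    entries = []
    for slot in range(4):
        e = sector0[446 + 16 * slot:446 + 16 * (slot + 1)]
        if e[4] == 0:                     # System ID 0x00 marks an unused slot
            continue
        rel, count = struct.unpack_from("<II", e, 8)
        entries.append({
            "slot": slot,
            "bootable": e[0] == 0x80,     # boot indicator field
            "system_id": e[4],            # e.g. 0x07 NTFS, 0x05 extended partition
            "start_chs": decode_chs(e[1:4]),
            "end_chs": decode_chs(e[5:8]),
            "relative_sectors": rel,      # LBA of the partition boot sector
            "num_sectors": count,
        })
    return entries

def build_sample_mbr():
    """Constructed sample sector (not a real disk image): a bootable NTFS
    partition starting at LBA 2048 plus an extended partition after it."""
    def entry(boot, sid, rel, count):
        return (bytes([boot]) + encode_chs(0, 32, 33) + bytes([sid])
                + encode_chs(1023, 254, 63) + struct.pack("<II", rel, count))
    table = entry(0x80, 0x07, 2048, 2097152) + entry(0x00, 0x05, 2099200, 4194304)
    return b"\x00" * 446 + table + b"\x00" * 32 + b"\x55\xaa"
```

On a real image, feed parse_mbr the first 512 bytes of the acquired disk; an end CHS of (1023, 254, 63) is the usual saturation value for partitions beyond the CHS limit, so the relative_sectors/num_sectors pair is what to trust for location and size.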
The goal is to determine the critical parameters of the deleted/damaged/overwritten partition and then enable scanning it and displaying its content.

NTFS Recovery - 2
NTFS File Recovery
- Disk scan for deleted entries: a disk scan is a process of low-level enumeration of all entries in the root folders; the goal is to find and display deleted entries.
- Defining the cluster chain for the deleted entry: to define the cluster chain, scan the drive, going one by one through all allocated and free clusters belonging to the file until the file size equals the total size of the selected clusters. If the file is fragmented, the cluster chain will be composed of several extents.
- Cluster chain recovery: after the cluster chain is defined, read and save the contents of the defined clusters to another place, verifying their contents.

Other Concepts
Registry
- The Registry is a database that stores initialization files such as hardware/software configuration, network connections, user preferences, setup information
- A set of tools (e.g., Registry Editor) to view and modify the data
Start-up tasks
- The forensics examiner must have a very good understanding of what happens to the data during start-up.
- E.g., what is the process, what are the files involved, etc.

Virtual Machines
An
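
The three NTFS file recovery steps above (define the cluster chain until it covers the file size, split a fragmented chain into extents, then read and verify the clusters) are shown here as an added example; it is not code from the lecture. The volume image, the cluster size and the rule that clusters still allocated to live files are skipped are all assumptions of the example, and cluster_to_sectors applies the earlier slide's point that cluster numbers are logical and sector numbers physical.

```python
import hashlib

def cluster_to_sectors(cluster, partition_start_lba, sectors_per_cluster):
    """Logical cluster number -> (first, last) physical sector on the disk."""
    first = partition_start_lba + cluster * sectors_per_cluster
    return first, first + sectors_per_cluster - 1

def define_cluster_chain(start_cluster, file_size, allocated, total_clusters, cluster_size):
    """Walk clusters upward from start_cluster until they cover file_size.
    Clusters allocated to live files are skipped (assumption: the deleted
    file's data there was overwritten). None if the volume ends first."""
    chain, covered = [], 0
    for c in range(start_cluster, total_clusters):
        if c in allocated:
            continue
        chain.append(c)
        covered += cluster_size
        if covered >= file_size:
            return chain
    return None

def to_extents(chain):
    """Group consecutive clusters into (first_cluster, count) extents."""
    extents = []
    for c in chain:
        if extents and extents[-1][0] + extents[-1][1] == c:
            extents[-1] = (extents[-1][0], extents[-1][1] + 1)
        else:
            extents.append((c, 1))
    return extents

def recover_file(image, chain, cluster_size, file_size):
    """Read the chain's clusters, trim slack to file_size, return (data, sha256)
    so the copy saved elsewhere can be verified against the hash."""
    data = b"".join(image[c * cluster_size:(c + 1) * cluster_size] for c in chain)
    data = data[:file_size]
    return data, hashlib.sha256(data).hexdigest()

def build_sample_image(cluster_size=1024, total_clusters=32):
    """Constructed volume image (not a real disk): a deleted 4600-byte file in
    clusters 10-12 and 15-16, with clusters 13-14 allocated to a live file.
    Returns (image, allocated_clusters, file_size, sha256 of the original)."""
    original = (b"deleted-file-" * 400)[:4600]
    image = bytearray(total_clusters * cluster_size)
    for i, c in enumerate([10, 11, 12, 15, 16]):
        chunk = original[i * cluster_size:(i + 1) * cluster_size]
        image[c * cluster_size:c * cluster_size + len(chunk)] = chunk
    for c in (13, 14):
        image[c * cluster_size:(c + 1) * cluster_size] = b"L" * cluster_size
    return bytes(image), {13, 14}, len(original), hashlib.sha256(original).hexdigest()
```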

