
Lecture 3 (HDD) Media Forensics

Current, Relevant Topics

• …defendants should not use disk-cleaning utilities to wipe portions of their hard drives before turning them over to plaintiffs in the course of discovery…
• …RIAA asked the judge for a mirrored copy of Tschirhart's hard drive…
• …data was removed from the hard drive before it was turned over…
• …we found a number of file deletion programs and their log files…
• …Tschirhart's own expert … "consistent with defragmentation of the hard drive."…
• …Even though the hard drive had been altered, the investigators found evidence that P2P software had been installed … music files had been downloaded … the wiping utilities had been removed as well

– arstechnica.com

Research Topics Presentation Rules

• The goal is to pass on information that might be of value to a forensic investigator
• Fine to sit or stand
• Fine to use viewgraphs or not
  – Any viewgraphs must be in PowerPoint format and must be emailed by 7:00 AM the day of the presentation
• Each presentation is limited to 5 minutes
• Depending on the material and level of interest, we may explore a topic further
• Write-up is due at presentation

This Week's Presentations

1. CD-R/RW and DVD+-R/RW media analysis
2. File carving
3. Tools for MAC digital forensics

Lecture Overview

(Process diagram: Preparation, Collection, Analysis, Findings/Evidence, Reporting/Action, with Legal/Policy spanning all phases)

• Very brief overview of Lecture 2
• Isolation through virtualization
• Analysis and relevant tools
• High-level format (file systems)
• Digital forensic tools

Brief Summary of Last Lecture

• Physical-layer forensic issues for HDDs
• Materials, geometry, and low-level structure
• HDD function and operation
• Using physical-layer techniques
• The first level of abstraction (volumes)

(Diagram: primary storage media divided into Volume 1, Volume 2, and unallocated space)

Module 1: Isolation Through Virtualization (e.g., VMware)

The Goal is to Maintain Integrity of the Investigation

(Diagram of the investigation environment: the actors are unauthorized users and networks, the investigator, the new-tools/testing/change process, and the evidence consumer; the objects are the investigation environment, the evidence, the tools, incremental analysis data, and reports; the labelled interactions are ACCESS, READ, MODIFY, VERIFY, and GENERATE)

VMware Will Serve as Our Investigation Environment

VMware Device Specifics

• Provides a variety of virtual hardware
  – HDD (IDE or SCSI)
    • Stored as a binary file on the host OS
    • Can add or remove HDD very easily
  – Floppy
    • Can use ISO image on host OS as floppy
  – CD and DVD drives (IDE or SCSI)
    • Can use ISO image on host OS as CD or DVD
  – USB 1.1 and 2.0
  – NIC (Ethernet)
  – Audio adapter
  – Serial port
  – Parallel port
  – Memory (RAM) – limited by physical RAM
  – Generic SCSI device
• Can save and revert to snapshots of system state
• Virtual hardware is very stable

Important Information About Our Analysis Virtual Machine

• We will use a Fedora Core VM for our analysis
• User = "root"
• Password = "letmein"
• Do not modify the analysis VM unless specified in lab instructions

Module 2: Analysis and Relevant Tools

Analysis of Volumes

• Generally the first step in media analysis
  – Should occur after preservation of evidence
  – Media imaging or cloning are the generally accepted methods of preserving evidence
• Account for all storage space
• Create a partition map and understand the resulting volumes
  – Requires careful accounting for each sector
• Guide analysis of other constructs, including higher-layer abstractions
  – File systems
  – Databases
  – Other logical containers, etc.

The Sleuth Kit Tools (learn through hands-on labs)

• File system layer (partitions, file systems)
  – fsstat – first used in lab 3 to determine block size
• File name layer (file name structures)
  – ffind
  – fls
• Meta-data layer (inodes, directory entries, file attributes)
  – icat
  – ifind
  – ils
  – istat
• Data unit layer (disk blocks)
  – dcat – first used in lab 3 to extract disk blocks
  – dls – first used in lab 2 to copy unallocated space and slack space
  – dstat
  – dcalc – first used in lab 3 to compute absolute block to recover

Module 3: High-Level Format (File Systems)

Our Approach to Understanding HDD DF

• We will begin at the physical layer and work toward increasing abstraction using a data-driven approach

(Diagram: layers from physical media, through Volume 1 … Volume n, file system, and file, going from specific to abstract; understanding and evidence build up along the way; a "You Are Here?" marker shows the current layer)

HDD Structure (just prior to adding file system)

• Blank media
• Low-level format
  – Sectors (512+ B) and redundant sectors (512+ B)
• Partition
  – MBR: MBC, MPT
  – VBR 1: VBC, DPB (partition 1)
  – VBR 2: VBC, DPB (partition 2)

MBR = MBC + MPT (master boot record)
MBC = master boot code
MPT = master partition table
VBR = VBC + DPB (volume boot record)
VBC = volume boot code
DPB = disk parameter block

High-Level Format (Creating Disk Blocks)
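As an added example (not from the lecture or its labs), the sector accounting called for in the Analysis of Volumes slide, applied to the MBR/MPT layout above: parse the four 16-byte MPT entries that follow the MBC at offset 446 of a 512-byte MBR, then map every sector of the disk to either a partition or an unallocated gap. The sample MBR and the 2048-sector disk size are constructed for this example, not taken from any lab image.

```python
import struct

MBR_SIZE = 512
MPT_OFFSET = 446      # the MPT follows the master boot code (MBC) inside the MBR
ENTRY_SIZE = 16       # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
ENTRY_FMT = "<B3xB3xII"   # little-endian; the CHS fields are skipped as pad bytes

def parse_mpt(mbr: bytes):
    """Return the in-use MPT entries as (type, start_lba, sector_count), sorted by LBA."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        _status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, MPT_OFFSET + i * ENTRY_SIZE)
        if ptype != 0 and count != 0:          # type 0 marks an empty slot
            entries.append((ptype, lba, count))
    return sorted(entries, key=lambda e: e[1])

def account_sectors(entries, total_sectors: int):
    """Map every sector to a partition or an unallocated gap; raise on overlap or overrun."""
    regions, cursor = [], 0
    for ptype, lba, count in entries:
        if lba < cursor:
            raise ValueError(f"partition at LBA {lba} overlaps the previous region")
        if lba > cursor:                       # sectors before partition 1, or an inter-partition gap
            regions.append(("unallocated", cursor, lba - cursor))
        regions.append((f"partition type 0x{ptype:02x}", lba, count))
        cursor = lba + count
    if cursor > total_sectors:
        raise ValueError("partition table extends past the end of the disk")
    if cursor < total_sectors:                 # unused sectors after the last partition
        regions.append(("unallocated", cursor, total_sectors - cursor))
    return regions

def build_sample_mbr() -> bytes:
    """Constructed sample MBR: two partitions with a 37-sector gap between them (not a real image)."""
    mbr = bytearray(MBR_SIZE)
    struct.pack_into(ENTRY_FMT, mbr, MPT_OFFSET, 0x80, 0x83, 63, 1000)                # Linux, LBA 63..1062
    struct.pack_into(ENTRY_FMT, mbr, MPT_OFFSET + ENTRY_SIZE, 0x00, 0x07, 1100, 800)  # NTFS, LBA 1100..1899
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    SAMPLE_DISK_SECTORS = 2048                 # constructed disk size for the sample
    for label, start, length in account_sectors(parse_mpt(build_sample_mbr()), SAMPLE_DISK_SECTORS):
        print(f"{label:22s} start={start:5d} sectors={length:5d}")
```

The sum of all region lengths must equal the disk's sector count; a mismatch or an overlap means the partition map does not account for every sector and the image needs a closer look.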

(Diagram: MBR with MBC and MPT, followed by sectors grouped into blocks; clusters, blocks, fragments, etc. are different names for the same thing)

• High-level format creates the file system
• Sectors are too small for most HDDs (address space is too large)
• Sectors are grouped into groups of N to form clusters, N is a positive integer
  – This becomes the indivisible data size for the installed file system

High-Level Format (Creating File Systems)

(Diagram: Master Boot Record (MBR) with MBC and MPT, file system structures, and allocated/unallocated space made up of clusters, blocks, fragments, etc., which are different names for the same thing)

• MPT now contains file system type and cluster size
  – Cluster (fragment, segment) sizes are multiples of 512 octets (one sector)
  – This becomes the indivisible file size for the operating system
• A file system structure is created
  – FAT creates a file allocation table (simple table)
  – NTFS creates a master file table (database)
  – Ext2/3 creates a virtual file system
  – Each file system behaves differently

What is Slack Space? (space between end of file and end of cluster)

(Diagram: sector = 512 octets; cluster = 2 x 512 octets)

(Diagram: a file of length 4628 octets spanning five clusters, with slack space at the end of the fifth)

• Consider a file containing 4628 octets
  – 4628 = (1024 x 4) + 532
• 4 full clusters and part of a fifth cluster
• There will be (5 x 1024) – 4628 = 492 unused octets
• This unused space is called "slack space"

Why is Slack Space Important?
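The slack computation above, generalized to any file size and cluster size as an added example (not code from the lecture): the first function reproduces the slide's arithmetic (5 clusters, 492 octets of slack for a 4628-octet file in 1024-octet clusters), and the second breaks the slack of the last cluster down by sector, since the slide's cluster is built from 512-octet sectors.

```python
SECTOR = 512   # octets per sector, as on the slide

def slack_space(file_size: int, sectors_per_cluster: int = 2):
    """Return (clusters_used, slack_octets, data_in_last_cluster) for a file of file_size octets.

    The cluster is the indivisible allocation unit, so the file occupies
    ceil(file_size / cluster_size) clusters and the unused tail of the last one is slack.
    """
    if file_size < 0 or sectors_per_cluster < 1:
        raise ValueError("file_size must be >= 0 and a cluster must hold at least one sector")
    cluster = sectors_per_cluster * SECTOR
    clusters_used = (file_size + cluster - 1) // cluster      # integer ceiling; 0 for an empty file
    slack = clusters_used * cluster - file_size
    data_in_last = file_size - (clusters_used - 1) * cluster if clusters_used else 0
    return clusters_used, slack, data_in_last

def slack_by_sector(file_size: int, sectors_per_cluster: int = 2):
    """Split the last cluster's slack into (whole unused sectors, unused octets of the partly filled sector).

    For the slide's 4628-octet file the last cluster holds 532 octets: one full sector plus
    20 octets of the second, so there are no whole unused sectors and 492 octets of tail slack.
    """
    clusters_used, _slack, data_in_last = slack_space(file_size, sectors_per_cluster)
    if clusters_used == 0:
        return 0, 0
    full_sectors, partial = divmod(data_in_last, SECTOR)
    partial_slack = SECTOR - partial if partial else 0
    whole_unused = sectors_per_cluster - full_sectors - (1 if partial else 0)
    return whole_unused, partial_slack

if __name__ == "__main__":
    print(slack_space(4628))        # (5, 492, 532)
    print(slack_by_sector(4628))    # (0, 492)
```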

(Diagram: the life of one cluster: unallocated space on a new drive; allocated space; unallocated space after file deletion; allocated space again when reallocated to a new file; slack space at the end of the new file)

Why isn't this also slack space?

(Diagram: building up a drive in layers)
• Blank media
• Low-level format: sectors, with redundant-sector overhead; an individual sector holds 512 octets (only visible to the HDD controller)
• Partitioning: Master Boot Record (MBR: MBC, MPT); Partition #1 with its Volume Boot Record (VBR: VBC, DPB); inter-partition gap; Partition #2 with its VBR (VBC, DPB); unused sectors
• High-level format: MBR (MBC, MPT), file system structures, clusters, free space
• OS install: MBR (MBC, MPT), file system structures, OS code/data, free space, page file

What is the Role of a File System?

• Provides data storage and retrieval
• Associates names with data files
• Organizes files into parent directories
• Stores file attributes
  – Modify, Access, Creation (MAC) times
  – Disk blocks used for file storage
  – Others depending on specific file system
• Maintains lists of unallocated disk blocks

What Do Most File Systems Have in Common?

• Unique file (or directory) identifiers
  – inodes (Linux terminology, Windows is unknown)
• Data structure that associates file names and inodes
• Indivisible storage units formed of disk clusters
  – e.g., blocks, clusters, fragments, etc.
• Pointers to blocks where file is stored
• File attributes, e.g., times, parent directories, deleted flag, ownership, permissions, etc.
• Unallocated block list

File Systems Have Significant Structural and Functional Differences

• Journaling
• Meta-data
• Variable length allocation units
• Fragments
• Distributed file system data structures
• Allocation algorithms
• Search efficient data structures
  – trees
• …

What File System Attributes/Behaviors are of Interest to a DF Investigator?

• File deletion
• File growth
• File shrinkage
• File replacement
• Resource reuse
  – directory blocks, inodes, blocks, etc.
• Time stamp behavior
• What else?

NTFS File System

• NTFS uses a master file table (MFT)
  – More of a database than a table
  – Each entry is referenced by a unique number
  – Stores file/directory attributes
    • $Data is just one attribute and multiple $Data attributes are allowed
    • MAC times
  – Stores up to 1500 octets of data directly
  – Larger files are stored indirectly
  – IN_USE flag is cleared when a file is deleted
    • All attributes are maintained until MFT entry is reused
    • Indirect storage may persist even after entry is reused

Ext2 File System

• Linux uses data structures called inodes to represent a file or directory
  – Each inode has a unique number
  – Contains a description of the file
    • Size, MAC times, file type, access rights, owners, etc.
  – Contains pointers to blocks where data is stored
  – File names are stored in a separate data structure
    • Referenced by inode number
    • Allows multiple names for the same file
  – Character and block are special file types that do not store data
    • Point to a device driver
  – Larger files are stored through up to three levels of indirection
  – "deleted" flag is set when a file is deleted

Example of Indirection
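The three levels of indirection from the Ext2 slide, worked through as an added example (not from the lecture): an ext2 inode carries 12 direct block pointers plus one single-, one double- and one triple-indirect pointer, and each indirect block holds block_size / 4 pointers. The function counts how many data blocks a file of a given size occupies at each level and how many pointer blocks (metadata blocks that also sit on disk) are needed to reach them; the 1024-octet block size is an assumption chosen to match the slide's examples.

```python
PTR_SIZE = 4        # ext2 block pointers are 32-bit block numbers
DIRECT_PTRS = 12    # i_block[0..11] point at data; [12], [13], [14] are the single/double/triple indirect pointers

def ceil_div(a: int, b: int) -> int:
    return (a + b - 1) // b

def ext2_block_layout(file_size: int, block_size: int = 1024):
    """Return (data_blocks, indirect_blocks, per_level) for an ext2 file of file_size octets.

    per_level counts the data blocks reached through the direct pointers and through the
    single, double and triple indirect trees; indirect_blocks counts the pointer blocks
    themselves, which are extra on-disk blocks beyond the file's data.
    """
    if file_size < 0 or block_size < PTR_SIZE:
        raise ValueError("bad file or block size")
    ppb = block_size // PTR_SIZE              # pointers held by one indirect block
    data_blocks = ceil_div(file_size, block_size)
    per_level = {"direct": min(data_blocks, DIRECT_PTRS), "single": 0, "double": 0, "triple": 0}
    remaining = data_blocks - per_level["direct"]
    indirect_blocks = 0
    # single indirect: one pointer block covering up to ppb data blocks
    n = min(remaining, ppb)
    if n:
        per_level["single"], remaining = n, remaining - n
        indirect_blocks += 1
    # double indirect: one block of pointers to up to ppb single-indirect blocks
    n = min(remaining, ppb * ppb)
    if n:
        per_level["double"], remaining = n, remaining - n
        indirect_blocks += 1 + ceil_div(n, ppb)
    # triple indirect: one block pointing at up to ppb double-indirect blocks
    n = min(remaining, ppb ** 3)
    if n:
        per_level["triple"], remaining = n, remaining - n
        indirect_blocks += 1 + ceil_div(n, ppb * ppb) + ceil_div(n, ppb)
    if remaining:
        raise ValueError("file exceeds the size reachable through three levels of indirection")
    return data_blocks, indirect_blocks, per_level

if __name__ == "__main__":
    # 269 blocks: 12 direct + 256 via single indirect + 1 via double indirect => 3 pointer blocks
    print(ext2_block_layout(269 * 1024))
```

Because the pointer blocks are metadata rather than file content, they are what istat and the data unit layer tools have to follow to locate a large file's blocks, and they can outlive the file just as the slide notes for the "deleted" flag.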

Module 4: Digital Forensic Tools

Disk Imaging and Cloning

• Disk imaging and cloning is a standard and necessary step to preserve evidence
• We will use dcfldd to perform our cloning and imaging
• Cloning – disk/volume to disk
• Imaging – disk/volume to file

Hash Functions

• Used for integrity function
• Common hash functions
  – MD5, SHA-1, SHA-256
  – dcfldd – will compute MD5, SHA-1, and SHA-256 concurrent with imaging operation

(Diagram: File → Hash Function → Hash)

The Sleuth Kit

• Forensics analysis tools
  – Written by Brian Carrier
  – Based on The Coroner's Toolkit by Dan Farmer
• Based on a layered model of analysis
• Tested on multiple systems
  – Linux, Mac OS X, CYGWIN, FreeBSD, OpenBSD, Solaris
• Supports NTFS, FAT, FFS, EXT2FS, and EXT3FS
• Autopsy is a web-based tool that uses The Sleuth Kit

(Diagram: the layered model, showing the on-disk structures each layer reads and the tools that operate on it)
• File system layer – MBR (MBC, MPT), file system structures – fsstat
• File name layer – name, inode – ffind, fls
• Meta-data layer – inode, attributes – icat, ifind, ils, istat
• Data unit layer – allocated space, unallocated space – dcat, dls, dstat, dcalc

The Sleuth Kit Tools (learn through hands-on labs)

• File system layer (partitions, file systems)
  – fsstat – first used in lab 3 to determine block size
• File name layer (file name structures)
  – ffind
  – fls
• Meta-data layer (inodes, directory entries, file attributes)
  – icat
  – ifind
  – ils
  – istat
• Data unit layer (disk blocks)
  – dcat – first used in lab 3 to extract disk blocks
  – dls – first used in lab 2 to copy unallocated space and slack space
  – dstat
  – dcalc – first used in lab 3 to compute absolute block to recover

Questions?

After all, you are an investigator