Digital Forensics Lecture 2 0011 0010 1010 1101 0001 0100 1011 Hard Disk Drive (HDD) Media Forensics Quiz Number 1 0011 0010 1010 1101 0001 0100 1011 10 minutes to complete Current, Relevant Topics
• --Study Turns Up Problems with eVoting System in Ohio 0011 0010(21 1010 August 1101 2006) 0001 0100 1011 A report based on a study of a May 2006 primary election in Cuyahoga County, Ohio indicates that the electronic voting system used in the election presents significant concerns about accuracy. Close to ten percent of the paper versions of the votes, or the voter-verifiable paper audit trail, generated by Diebold Election System's AccuVote TSx touch-screen voting equipment were "either destroyed, blank, illegible, missing, taped together or otherwise compromised."
– http://www.computerworld.com Research Topics Presentation (Due Next Week)
0011 0010We 1010 are 1101 counting 0001 0100 1011 on you for the specifics 1. CD-R/RW and DVD+-R/RW media analysis 2. File carving 3. Tools for Mac digital forensics • With emphasis on HFS File System Lecture Overview
0011 0010 1010 1101 0001 0100Legal/Policy 1011
Findings/ Reporting/ Preparation Collection Analysis Evidence Action
• The role of a HDD in DF • Our approach to understanding HDD DF • Physical-layer storage and operations • Volumes • Very brief file system overview • The boot process • Isolation through virtualization • Relevant DF tools The role of a HDD in DF
0011 0010 1010 1101 0001 0100 1011 Stored Physics Physical Process Data Transmitted Intelligence Automated Process Processed
• HDDs are the most significant method of data storage • Relatively low internal data transfer rates and immature optimization algorithms extend the lifetime of data written to HDDs Our approach to understanding HDD DF
0011 0010• We 1010 will 1101 begin0001 0100 at 1011 the physical-layer and work toward increasing abstraction using a data driven approach
Understanding and Evidence
?
File
File System
Volume 1 Volume n Specific to Abstract Physical Media Module 1 0011 0010 1010 1101 0001 0100 1011 HDD Physical-Layer Types of Magnetic Storage
0011 0010• There 1010 are1101 a 0001variety 0100 of 1011magnetic storage devices that a DF investigator might encounter
Zip Drive Video Cassette Tape Drive
Floppy Drive Drum Memory
Hard Drive Major Components of a HDD
0011 0010 1010 1101 0001 0100 1011
Platter Controller
Read Write Head The Basic Unit of HDD Storage is a Platter
0011 0010 1010 1101 0001 0100 1011 Physical Disk Geometry
0011• 0010 One 1010 head 1101 for 0001 each 0100 1011 surface
• All tracks at r = dn form a cylinder • The number of sectors varies with the cylinder • Each sector has 512+ octets of information • One surface is dedicated for positioning and synchronization • Not all portions of the disk are addressable by the OS A Linear Model For Magnetic Media
• For simplicity, we will use a 0011 0010 1010Storage 1101 0001Platters 0100 1011 linear model of the magnetic media • Unless we are performing electron microscopy, the exact media geometry is not significant • The blank magnetic media has only geometric structure and End raw magnetic storage capacity Beginning
Linear Model
Beginning End Read/Write Process (simplified) 0011 0010 1010 1101 0001 0100 1011
Linear Model
Read/Write Head
Beginning End
• Write Process – Digital signals are encoded (for timing recovery) and transformed into analog signals that drive the magnetic field on the write head • Read Process – Analog magnetic field is sensed, timing is recovered, and sampled signals are converted into digital data Disk Wiping Programs
0011 0010• Why 1010 1101isn’t 0001 a single0100 1011 pass adequate?
• How many passes are necessary?
• What influences each write pass?
• What disk areas must be wiped to ensure destruction of data? – You should be able to answer this question at the end of the next lecture Physical Layer Forensics
0011 0010• Magnetic 1010 1101 0001 Force 0100 1011Microscopy (MFM)
• can map the spatial distribution of magnetism by measuring the magnetic interaction between a sample and a tip. As magnetic devices have become smaller and smaller, an evaluation technique with nanoscale spatial resolution has become necessary. To meet this need, the MFM was developed. Magnetic Media Data Recovery
0011 0010 1010 1101 0001 0100 1011
Sense Magnetization Magnetic Force Microscope
Transform Two Dimensional Signal Processing To Tracks
One Sector Signal Processing Channel Data
512B Sector Timing Recover / Decode 100110…
Does This Yield Useful Data? HDD User Storage, Administrative Storage, and Redundancy
0011 0010 1010 1101 0001 0100 1011
User Storage R HPA DCO Bad
Beginning End
• User Storage = Usable Capacity • R = Redundant Sectors • HPA = Host Protected Area • DCO = Device Configuration Overlay • Bad = Determined to be Bad At Manufacture or During Operation NOTE: These Sectors Are Distributed Throughout the Storage Media Low Level Format
0011 0010 1010 1101 0001 0100 1011
Sectors (512 octe Redundant ts plus Individualoverhead) Sector 512 Sectors octets (Only visible to HDD controller) Sector overhead • Low-level formatting adds indivisible units of storage called sectors • Most modern HDDs use 512+ octet sectors – The + accounts for sector overhead bytes (differs by manufacturer) • Overhead bytes provide error correction and timing recovery functions • Bad sectors are automatically remapped to redundant sectors by the HDD controller HDD Interfaces •SCSI 0011 0010– Primarily 1010 1101 workstation 0001 0100 and1011 • IDE/EIDE/ATA/ATAPI/ server class machines PATA/SATA – Might be a good topic for a – Uses ATA commands research paper • E.g., Read Sector, Write – It’s possible to low-level Sector, format some SCSI drives Identify Device, etc. – Can be accessed directly – Basics are the same or through BIOS – There are write blockers to provide hardware protection against corrupted “evidence” Overview of Some Key Physical- Layer DF Issues with HDDs
0011 0010• Overwritten 1010 1101 0001 data 0100 can potentially1011 be recovered • Not all areas of a HDD can be accessed through standard ATA commands – Sector overhead, P-Lists, G-Lists, Administrative Storage, Excluded Storage… • Bad sectors are remapped to redundant sectors and no longer addressable (i.e., through ATA commands) • It is possible to replace failed controllers and interface circuitry • It is standard practice to use a hardware write-blocker when collecting data from a HDD • New physical interfaces on micro-disks •What else? Module 2 0011 0010 1010 1101 0001 0100 1011 HDD Volumes Volumes Are Logical Storage Containers On HDDs
0011 0010 1010 1101 0001 0100 1011 Volume 3 Volume 1 Volume 2 Unallocated
Primary Storage Media 1 P G R PSM 2 • Volumes can contain most any data structure – File systems – Databases –Swap space – Hidden backups – Other containers P = P-List Sectors G = G-List Sectors R = Redundant Sectors Partitioning
Inter-partition gap Unused sectors 0011 0010 1010 1101 0001 0100 1011 Partition #2 Master Boot Record Volume Boot Record Partition #1 (VBR) (MBR) MBC MPT VBC DPB VBC DPB
On each partition a VBR contains • The Master Boot Record is created and includes the Master Boot Code (MBC) and the Master Partition Table (MPT) – always at sector 1 on any bootable media • The MBC is executed at boot if the HDDVolume is Bootdesignated Code andas the a Disk boot Pa device • The MPT contains information about logical volumes (partitions), including the active partition, the partition whose Volume Boot Code (VBC) will be executed • Each partition has a Disk Parameter Block that stores information aboutrameter extended Block partitions, file system type, date and time last mounted, etc. • Inter-partition gaps are a collection of unused sectors • Some sectors are unused due to addressing issues Module 3 0011 0010 1010 1101 0001 0100 1011 The Boot Process The Boot Process
0011 0010• Begin 1010 1101execution 0001 0100from 1011 ROM (address 0xFFF0) • Jump to BIOS power on self test (POST) • System initialization from CMOS and device BIOS • Transfer execution to master boot record (MBR) at cylinder 0, head 0, sector 1 of boot media (if it exists) • Transfer execution to boot code on “active” partition indicated by the master partition table in the MBR – Hundreds of files are modified/touched • Constant memory and HDD modification during system operation Module 4 0011 0010 1010 1101 0001 0100 1011 Isolation Through Virtualization (e.g., VMWare) The Goal is to Maintain Integrity of the Investigation
Unauthorized Investigator New Tools Testing Users and Change Networks ACCESS ACCESS Process
MODIFY Investigation “Evidence” Environment Data READ Investigator T VERIFY OOL Verify S Evidence Consumer MODIFY Reports GENERATE
GENERATE MODIFY READ GENERATE Incremental Reports Analysis Data VMWare Will Serve as Our Investigation Environment
0011 0010 1010 1101 0001 0100 1011 VMware Device Specifics
• Provides a variety of virtual hardware 0011 0010– HDD1010 (IDE 1101 or 0001 SCSI) 0100 1011 • Stored as a binary file on the host OS • Can add or remove HDD very easily – CD and DVD drives (IDE or SCSI) • Can use ISO image on host OS as CD or DVD – Memory (RAM) – limited by physical RAM – USB 1.1 and 2.0 – Floppy • Can use ISO image on host OS as floppy – NIC (Ethernet) – Audio Adapter – Serial port – Parallel port – Generic SCSI device • Can save and revert to snapshots of system state • Virtual hardware is very stable Module 5 0011 0010 1010 1101 0001 0100 1011 Relevant Tools The Sleuth Kit Tools (learn through hands-on labs)
• File system layer (partitions, file systems) 0011 0010 1010 1101 0001 0100 1011 – fsstat – first used in lab 3 to determine block size • File name layer (file name structures) – ffind –fls • Meta-data layer (inodes, directory entries, file attributes) – icat –ifind – ils –istat • Data unit layer (disk blocks) – dcat – first used in lab 3 to extract disk blocks – dls – first used in lab 2 to copy unallocated space and slack space –dstat – dcalc – first used in lab 3 to compute absolute block to recover Questions? 0011 0010 1010 1101 0001 0100 1011 After all, you are an investigator