
NEW MEXICO TECH DIGITAL FORENSICS FALL 2006

LAB IV: RECOVERY: META DATA LAYER

Objectives

- Find meta data information for evidence found in a search
- Recover a file based on meta data
- Use the Autopsy Forensic Browser at the meta data layer
- Observe file deletion behavior at the meta data layer with different file systems

Procedures

PART 1

Step 1 The same image file you used in Lab III is on /dev/hdb1. You will use this image for the first part of the lab. Four directories, ext2/, ext3/, fat32/ and ntfs/, have been created for you on /dev/hdb1 that you will use for the second part of the lab. You will also be using another disk that has been added to the system on /dev/hdd.

Launch your “Linux – Forensics” virtual machine.

Mount /dev/hdb1 to /mnt/recover.

The image.dd file from Lab III is located in /mnt/recover/lab4.

Question 1: You wish to recover file05, the Word document from Lab III. As a review, list the steps needed to find the file based on the search word “keyboard.” In what block of the original image file is this search word found?

Prepared by Regis Cassidy, Sandia National Laboratories

# dls -f linux-ext2 /mnt/recover/lab4/image.dd > /mnt/recover/lab4/image.unalloc.dls

# strings -a -t d /mnt/recover/lab4/image.unalloc.dls > /mnt/recover/lab4/image.unalloc.str

# grep "keyboard" /mnt/recover/lab4/image.unalloc.str

# dcalc -f linux-ext2 -u 625 /mnt/recover/lab4/image.dd

The search word is found at block 883 in the image.dd file.
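As an added example (not part of the lab handout), the Python below reproduces the relationship between the commands above on a constructed 16-block image: dls concatenates the unallocated blocks in block order, strings -t d reports a byte offset into that stream, the offset divided by the block size gives the unallocated unit number, and dcalc -u maps that unit back to the original block address. The image contents, the 1024-byte block size and the allocation bitmap are all constructed for the example.

```python
# Added example: how dls, strings -t d and dcalc -u fit together.
# Everything here (image, block size, allocation bitmap) is constructed.
BLOCK_SIZE = 1024


def unallocated_blocks(allocated):
    """Original block numbers that are unallocated, in ascending order.
    This is the order in which dls writes the blocks out."""
    return [b for b, used in enumerate(allocated) if not used]


def dls(image, allocated, block_size=BLOCK_SIZE):
    """Concatenate every unallocated block (what dls -f linux-ext2 image.dd emits)."""
    out = bytearray()
    for b in unallocated_blocks(allocated):
        out += image[b * block_size:(b + 1) * block_size]
    return bytes(out)


def dcalc_u(unit, allocated):
    """Map an unallocated unit number (dcalc -u UNIT) back to the original block."""
    return unallocated_blocks(allocated)[unit]


def string_offsets(stream, needle):
    """Byte offsets of needle in the stream, as strings -t d | grep reports them."""
    offsets, start = [], 0
    while (i := stream.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def locate_original_blocks(image, allocated, needle, block_size=BLOCK_SIZE):
    """Whole chain: dls -> strings offset -> unit (offset // block size) -> dcalc."""
    stream = dls(image, allocated, block_size)
    return [dcalc_u(off // block_size, allocated)
            for off in string_offsets(stream, needle)]


def build_sample_image():
    """Constructed 16-block image: blocks 0-7, 10 and 11 allocated, the rest
    free; the search word sits 100 bytes into free block 13."""
    image = bytearray(16 * BLOCK_SIZE)
    allocated = [b < 8 or b in (10, 11) for b in range(16)]
    image[13 * BLOCK_SIZE + 100:13 * BLOCK_SIZE + 108] = b"keyboard"
    return bytes(image), allocated


if __name__ == "__main__":
    img, alloc = build_sample_image()
    stream = dls(img, alloc)
    for off in string_offsets(stream, b"keyboard"):
        unit = off // BLOCK_SIZE
        print(f"offset {off} in dls output -> unit {unit} -> block {dcalc_u(unit, alloc)}")
```

On the sample image the hit is at offset 3172 of the dls stream, unit 3, which dcalc maps to block 13; the same arithmetic turns the grep offset from the lab into the -u argument given to dcalc.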

Finding Meta Data Information

Step 2 The information provided by the inode in Linux is known as meta data information. Each file on the system (including directories) is associated with a unique inode. Inodes are equivalent to directory entries in FAT32 and Master File Table entries in NTFS. This meta data information can be very useful for recovering files if that inode has not been reallocated to a new file. One function of the inode is to provide a mapping to all the blocks that the file uses on disk.

Given a block number, the Sleuthkit tool ifind can be used to locate the inode that the block is associated with.

# ifind -f linux-ext2 /mnt/recover/lab4/image.dd -d block

Note: Use the block number you found in Question 1 for block.

Now you should know the inode associated with the Word document file05.

The Sleuthkit tool istat is used to list the meta data information contained in the inode.

# istat -f linux-ext2 /mnt/recover/lab4/image.dd inode | less

Note: Use the inode you found with ifind in the step above.

Notice that istat reports that the inode is not allocated.

Question 2: What would it mean if istat showed the inode as being allocated? If it is unallocated, can you be certain you are viewing the inode information for the file you found in a search?

The inode information is of no use to you for recovering a deleted file if it has been reallocated. This means that the meta data in the inode is for a new file. If an inode is unallocated you still cannot be sure that it contains the right meta data for recovering your file. The inode could have been reallocated to a new file that has been deleted as well. When you use icat, you can verify that the meta data is associated with the file you are meaning to recover.

Question 3: Review the output of istat again. Name three important fields found in the meta data that you think are needed to recover a file and why?

The direct blocks and indirect blocks are needed to find all locations on disk belonging to the file. File size is needed as well to determine what fraction of the last block contains valid data for the file.

Recovering Files from Meta Data Information

Step 3 Because this meta data information is available, it is much easier to recover a deleted file if it is binary and/or fragmented. Rather than having to locate the data blocks yourself and using dcat, you can use the meta data information as a road map to the file.

The Sleuthkit tool icat will use the meta data to recover a file in a single step.

Recover file05 using icat

# icat -f linux-ext2 /mnt/recover/lab4/image.dd inode > /mnt/recover/lab4/file05

Verify the file size (22110) and use the file command to also verify that a Word document was recovered. Compare hashes with those in fileinfo.txt.

You can also view the file in OpenOffice Writer, which is capable of opening Word documents. Writer is located in the K menu under Office.

Question 4: What are some reasons that would force you to still use dcat to recover a file rather than icat?

Icat can only be used if the inode contains valid meta data on the file you wish to recover. That meta data will not be valid if the inode has been reallocated to a new file. It is technically possible for someone to alter the meta data in attempts to hide data or the meta data may become corrupt somehow else. Also newer file systems support security attributes that will erase the meta data when a file is deleted.

Using Autopsy at the Meta Data Layer

Step 4 You will now use the Autopsy Forensic Browser again and learn more features of it. These features will relate to the meta data layer.

Make an Autopsy directory

# mkdir /mnt/recover/lab4/autopsy

Start Autopsy

# autopsy -d /mnt/recover/lab4/autopsy

From your toolbar, launch the mozilla web browser. From the links bar start autopsy.

Create a new case called Lab4 with your name as the investigator.

Add a new host and use 'vmware-forensics' in the host name field. Enter MST for the Timezone.

Add an image which is located at /mnt/recover/lab4/image.dd. Keep the Import Method at symlink. Change the type to linux-ext2. The mount point should be set to / . Select 'Calculate the hash value for this image'.

Click the Keyword Search tab and search image.dd for “keyboard.”

There should be a match at the same block (fragment) number you found on the command line.

Click the link for the Hex or ASCII content. You should see the contents of the Word document.

There is a panel located directly above the content window. You may have to scroll to see the link 'Find Meta Data Address'.

Click this link to show further information in that panel.

There should now be an inode number listed (the same as the one you found earlier with ifind), and that is a link as well.

After clicking on the inode number link, a new window is opened containing the meta data information you saw with istat.

Notice that some additional information is provided at the top. Had the file not been deleted, its name would be under the 'Pointed to by file' field. The 'File Type (Recovered)' field is determined by the file command, which you have already used.

Click the 'Export Contents' button and save the file as file05.doc to /mnt/recover/lab4/.

Verify the recovered file's hash.

Question 5: How come, when you export the contents at the meta data layer, you do not need to modify the file like when you export a file at the data unit layer?

The meta data layer contains information regarding the file size of the file. This can be used to extract the correct number of bytes from the last block. At the data unit layer nothing is known about the file size of the file, so the whole last block is extracted.
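The difference between the two export paths (Step 3's icat recovery and the Question 5 answer above) can be shown directly. The following Python is an added example, not code from the lab or from the Sleuthkit: it builds a constructed 12-block image holding a 2300-byte fragmented file, then performs a dcat-style whole-block export and an icat-style export that follows the block map and cuts at the recorded size. The block numbers, file contents, slack filler and 1024-byte block size are all constructed.

```python
# Added example: why icat output needs no trimming while a data-unit export does.
# Image, block list and file contents are constructed; hashlib is standard library.
import hashlib

BLOCK_SIZE = 1024


def blocks_of(image, blocks, block_size=BLOCK_SIZE):
    """Raw contents of the listed data units, in the order the inode lists them."""
    return b"".join(image[b * block_size:(b + 1) * block_size] for b in blocks)


def export_data_units(image, blocks, block_size=BLOCK_SIZE):
    """dcat-style export: whole blocks, so the last one carries slack bytes."""
    return blocks_of(image, blocks, block_size)


def recover_from_inode(image, blocks, size, block_size=BLOCK_SIZE):
    """icat-style recovery: follow the block map, then cut at the recorded size."""
    return blocks_of(image, blocks, block_size)[:size]


def slack(image, blocks, size, block_size=BLOCK_SIZE):
    """Bytes a data-unit export includes beyond the file's true end."""
    return export_data_units(image, blocks, block_size)[size:]


def sha1(data):
    return hashlib.sha1(data).hexdigest()


def build_sample():
    """Constructed 2300-byte file, fragmented over blocks 5, 9 and 7 of a
    12-block image whose free space is filled with 0xAB."""
    content = bytes(range(256)) * 8 + b"keyboard" + b"Z" * 244
    image = bytearray(b"\xab" * 12 * BLOCK_SIZE)
    blocks = [5, 9, 7]
    for i, b in enumerate(blocks):
        chunk = content[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        image[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
    return bytes(image), blocks, len(content), sha1(content)


if __name__ == "__main__":
    img, blocks, size, expected = build_sample()
    whole = export_data_units(img, blocks)
    exact = recover_from_inode(img, blocks, size)
    print(f"data-unit export: {len(whole)} bytes, sha1 {sha1(whole)}")
    print(f"meta-data export: {len(exact)} bytes, sha1 {sha1(exact)}")
    print("matches known hash:", sha1(exact) == expected)
```

Only the size-trimmed export hashes to the known value; the whole-block export is 772 bytes longer and its hash differs, which is exactly why a file exported at the data unit layer has to be cut down by hand before its hash can be compared with fileinfo.txt.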

You can view the information for any inode by clicking on the 'Meta Data' tab. Click the 'Allocation List' button.

This is a listing of all the available inodes on the file system and whether they are allocated or unallocated. Even though there are no files on the image, inodes 1 through 10 appear to be allocated. However, when you view them they are not being used (except inode 2).

Inode 1 is reserved for a list of bad blocks on the device. Inode 2 is reserved for the root directory.

Some of the inodes between 3 and 10 have special purposes and some are simply unused, being reserved for possible future use. Inode 11 is the first inode available for ordinary use and will usually be assigned to the lost+found directory when an ext2 file system is first made.

You are done with the first part of this lab.

Close Autopsy.

PART 2

Understanding Meta Data on Different File Systems

Step 5 For the second part of the lab you will be looking at a disk on /dev/hdd that has been divided into 4 partitions. Each partition contains a different file system: Linux ext2, Linux ext3, FAT32 and NTFS respectively. The goal is to observe how the different file systems behave with file creation and deletion.

Question 6: What is the block (cluster) size for each of the partitions? (Note: You're used to using the Sleuthkit tools against a dd image file, but you can also use them against an actual disk or partition, i.e. /dev/hdd1.)

# fsstat -f linux-ext2 /dev/hdd1 | less
Block Size: 1024

# fsstat -f linux-ext3 /dev/hdd2 | less
Block Size: 1024

# fsstat -f fat32 /dev/hdd3 | less
Block Size: 1024

# fsstat -f ntfs /dev/hdd4 | less
Block Size: 512

The sizes you found are the defaults for a 100 MB partition, using Windows XP to format the FAT32 and NTFS partitions and Linux to format the ext2 and ext3 partitions. The block size can actually be specified by the user when initially formatting the partitions. The default block size is small because the partitions are small.

View the block size of your main linux partition running the OS, /dev/hda2. It is much larger.

Create mount points in /mnt with the names ext2, ext3, fat32, and ntfs. Mount the partitions on /dev/hdd to each appropriate mount point.

Step 6 You will be creating a 1 MB file on each of the partitions (with the exception of the NTFS partition, due to read-only support) and will observe the meta data information before and after deleting the file.

A simple Perl script can be run from the command line to create a file containing 1024 'a' characters.

# perl -e 'print "a" x 1024' > /mnt/ext2/file

# perl -e 'print "a" x 1024' > /mnt/ext3/file

# perl -e 'print "a" x 1024' > /mnt/fat32/file

NOTE: You do not do anything with the NTFS partition yet.

The file, /mnt/recover/lab4/part2.sha1.txt contains the hashes for the two files from the NTFS partition.

Add the hashes for the files you just created.

# sha1sum /mnt/ext2/file /mnt/ext3/file /mnt/fat32/file >> /mnt/recover/lab4/part2.sha1.txt

To find what inode numbers have been associated with the files you just created, you can use the -i option for ls.

# ls -i /mnt/ext2 /mnt/ext3

Note: ls -i does not seem to report the correct directory entry on a FAT32 file system. You will use a different method for finding the inode equivalent on FAT32.

To find what directory entry has been associated with the file on FAT32 you will learn a new Sleuthkit tool. The ils tool will list inode information of a file system. The -a option will only list allocated inodes and the -m (machine format) will print the output in a more readable format.

Run ils on the FAT32 partition

# ils -f fat32 -a -m /dev/hdd3

This is how you interpret the information between the angle brackets: hdd3 is the device, file is the filename, alive means the file is not deleted, and the following number is the directory entry.

STEP 7

Once you know the inode or directory entry for the three files you created, use istat to list the meta data information. Save the output to the corresponding directories in /mnt/recover/lab4.

# istat -f linux-ext2 /dev/hdd1 inode > /mnt/recover/lab4/ext2/file-meta-before

# istat -f linux-ext3 /dev/hdd2 inode > /mnt/recover/lab4/ext3/file-meta-before

# istat -f fat32 /dev/hdd3 inode > /mnt/recover/lab4/fat32/file-meta-before

Two identical files, file1 and file2 at one time existed on the ntfs partition. Their meta data (Master File Table Entry) has been saved for you in the /mnt/recover/lab4/ntfs directory.

Question 7: Analyze the meta data for the files you created and the files from the ntfs partition. List some of the main differences on what kind of information is stored in the meta data on the different file systems.

The meta data format seems to be identical for ext2 and ext3. A directory entry for FAT32 contains the filename as part of the meta data. Also the meta data provides a mapping to the sectors on disk rather than blocks. The MFT entry for the NTFS partition looks very different from the others. NTFS stores many additional file attributes.

Step 8 You are now going to delete the files and analyze what happens to the inodes.

# rm -f /mnt/ext2/file /mnt/ext3/file /mnt/fat32/file

NOTE: The two files on the NTFS partition have already been deleted. File1 was deleted by directly deleting the file (Shift + Del). File2 was deleted by first sending the file to the Recycle Bin and then emptying it.

Use istat again to view the meta data of these now deleted files. Save the output in their appropriate directories in /mnt/recover/lab4/ as file-meta-after (file1-meta-after and file2-meta-after for the NTFS partition).

Compare the before and afters for each file system (Hint: Try using the diff command: # diff file1 file2).

Question 8: What changes were made to the inode when you deleted the file on the ext2 file system? Recover the file and explain how?

The inode was marked as unallocated and the number of links was changed to 0. The Inode Modified timestamp was changed to the deletion time and a Deleted timestamp was added.

Icat can be used to recover the file.

# icat -f linux-ext2 /dev/hdd1 12 > /mnt/recover/lab4/ext2/file

Question 9: What changes were made to the inode when you deleted the file on the ext3 file system? Recover the file and explain how?

The same changes happened that occurred with ext2. However, the file size was changed to 0 and the direct blocks field was erased.

Icat cannot be used because of the security features built into the ext3 file system by default. When a file is deleted the inode is modified to erase information regarding the file size and direct blocks. The more tedious method of using dcat can be used instead to recover the file.
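The before/after comparison in Questions 8 and 9 can be modelled on the on-disk inode itself. The Python below is an added example (not part of the lab, and not Sleuthkit code): it packs and parses the ext2/ext3 inode layout, which the two file systems share, applies the ext2-style deletion (links to 0, ctime and dtime set, block map kept) and the ext3-style deletion (additionally size zeroed and block pointers erased) the lab observed, and reports which istat fields changed and whether an icat-style recovery is still possible. The inode values, timestamps and block numbers are constructed; the function names are the example's own.

```python
# Added example: parse an ext2/ext3 on-disk inode and model the two deletion
# behaviours the lab observes. The inode contents are constructed; only the
# field layout (first 100 bytes of the 128-byte inode) is real.
import struct

INODE_FMT = "<HHIIIIIHHIII15I"  # mode, uid, size, atime, ctime, mtime, dtime,
                                # gid, links, blocks(512B), flags, osd1, i_block[15]
OFF_SIZE, OFF_CTIME, OFF_DTIME, OFF_LINKS, OFF_BLOCKS = 4, 12, 20, 26, 40


def make_inode(size, direct, indirect=0, links=1, now=1160000000):
    """Constructed live inode for a regular file with the given block map."""
    i_block = list(direct) + [0] * (12 - len(direct)) + [indirect, 0, 0]
    sectors = ((size + 1023) // 1024) * 2          # 512-byte units, 1024-byte blocks
    raw = struct.pack(INODE_FMT, 0o100644, 0, size, now, now, now, 0,
                      0, links, sectors, 0, 0, *i_block)
    return raw + b"\0" * (128 - len(raw))


def parse_inode(raw):
    """Fields istat reports that matter for recovery."""
    f = struct.unpack_from(INODE_FMT, raw, 0)
    i_block = f[12:]
    return {
        "size": f[2],
        "inode_modified": f[4],      # ctime, shown by istat as 'Inode Modified'
        "deleted": f[6],             # dtime, 0 while the file is live
        "links": f[8],
        "direct_blocks": [b for b in i_block[:12] if b],
        "indirect_block": i_block[12],
    }


def delete_ext2_style(raw, now):
    """ext2 behaviour seen in Question 8: links -> 0, ctime and dtime set,
    size and block map left intact."""
    buf = bytearray(raw)
    struct.pack_into("<H", buf, OFF_LINKS, 0)
    struct.pack_into("<I", buf, OFF_CTIME, now)
    struct.pack_into("<I", buf, OFF_DTIME, now)
    return bytes(buf)


def delete_ext3_style(raw, now):
    """ext3 behaviour seen in Question 9: as ext2, plus size zeroed and the
    block pointers erased."""
    buf = bytearray(delete_ext2_style(raw, now))
    struct.pack_into("<I", buf, OFF_SIZE, 0)
    struct.pack_into("<15I", buf, OFF_BLOCKS, *([0] * 15))
    return bytes(buf)


def diff_meta(before, after):
    """Names of the fields that changed, as 'diff file-meta-before file-meta-after' would reveal."""
    return sorted(k for k in before if before[k] != after[k])


def recoverable_with_icat(meta):
    """icat can only follow a block map that still exists and a non-zero size."""
    return meta["size"] > 0 and bool(meta["direct_blocks"])


if __name__ == "__main__":
    live = make_inode(22110, range(300, 312), indirect=400)
    before = parse_inode(live)
    for label, fn in (("ext2", delete_ext2_style), ("ext3", delete_ext3_style)):
        after = parse_inode(fn(live, 1160001000))
        print(label, "changed:", diff_meta(before, after),
              "| icat usable:", recoverable_with_icat(after))
```

For the ext2 case only the link count and the two timestamps differ and the block map is still usable; for the ext3 case the size and every block pointer are gone, which is the condition under which the lab falls back to locating blocks by hand and using dcat.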

Question 10: What changes were made to the inode when you deleted the file on the FAT32 file system? Recover the file and explain how?

Again, the inode is marked as unallocated and the number of links is changed to 0. The first character in the filename is changed to an underscore. An explicit field for Recovery is created to save the sector locations.

Icat can be used to recover the file.

# icat -f fat32 /dev/hdd3 5 > /mnt/recover/lab4/fat32/file
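The FAT32 changes described in Question 10 live in a 32-byte directory entry, which is what istat -f fat32 decodes. The Python below is an added example (not lab or Sleuthkit code): it packs and parses a short-name directory entry, shows the deletion marker (the on-disk first name byte becomes 0xE5, which istat displays as the underscore the answer mentions), and computes the sector list a contiguous recovery from the first cluster would use. The file name, first cluster, size and the geometry (512-byte sectors, 2 sectors per cluster, data area starting at sector 100) are constructed, and the contiguity assumption is the example's own.

```python
# Added example: decode a FAT32 short-name directory entry before and after
# deletion, the structure istat -f fat32 reads. Entry contents and the
# geometry (sector size, cluster size, first data sector) are constructed.
import struct

DIRENT_FMT = "<11sBBBHHHHHHHI"   # name, attr, ntres, ctime_tenth, ctime, cdate,
                                 # adate, first_cluster_hi, wtime, wdate,
                                 # first_cluster_lo, size  (32 bytes)
DELETED_MARK = 0xE5              # on-disk value written over the first name byte


def make_dir_entry(name83, first_cluster, size, deleted=False):
    """Constructed entry for a regular file (attribute 0x20 = archive)."""
    name = bytearray(name83.ljust(11, b" "))
    if deleted:
        name[0] = DELETED_MARK
    return struct.pack(DIRENT_FMT, bytes(name), 0x20, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_dir_entry(raw):
    """Fields of the entry as istat presents them; a deleted entry's first
    name character is shown as '_' (its on-disk value is 0xE5)."""
    name, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(DIRENT_FMT, raw)
    deleted = name[0] == DELETED_MARK
    base, ext = name[:8].rstrip(b" "), name[8:].rstrip(b" ")
    if deleted:
        base = b"_" + base[1:]
    shown = base.decode("ascii") + ("." + ext.decode("ascii") if ext else "")
    return {"name": shown, "deleted": deleted, "attr": attr,
            "first_cluster": (hi << 16) | lo, "size": size}


def recovery_sectors(entry, bytes_per_sector=512, sectors_per_cluster=2,
                     first_data_sector=100):
    """Sectors the file occupies if it was stored contiguously from its first
    cluster, which is the assumption a recovery has to make once the FAT
    chain for the file has been cleared. Data clusters are numbered from 2."""
    bytes_per_cluster = bytes_per_sector * sectors_per_cluster
    n_clusters = -(-entry["size"] // bytes_per_cluster)     # ceiling division
    sectors = []
    for cluster in range(entry["first_cluster"], entry["first_cluster"] + n_clusters):
        first = first_data_sector + (cluster - 2) * sectors_per_cluster
        sectors.extend(range(first, first + sectors_per_cluster))
    return sectors


if __name__ == "__main__":
    for state in (False, True):
        e = parse_dir_entry(make_dir_entry(b"FILE    TXT", 5, 1024, deleted=state))
        print(e, "sectors:", recovery_sectors(e))
```

Deleting the entry changes only the first name byte; the first cluster and the size survive, which is why the lab's 1024-byte file can still be pulled back with icat, while the sector list is what a recovery field has to be derived from once the cluster chain itself is no longer available.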

Question 11: What changes were made to the inode when the files on the NTFS file system were deleted? What is your explanation for the different behavior of file2? Explain the change for the filename and parent MFT entry. Recover the file and explain how?

For file1, the inode was marked unallocated and the sequence number changed. The same attributes changed for file2, but the filename also changed to DF2, the timestamps were modified and the parent MFT changed. The inode modifications were different for file2 because the file was not actually deleted right away. It was first sent to the Recycle Bin. NTFS must handle a file being sent to the Recycle Bin by changing the file's name and parent directory. The parent directory becomes the RECYCLER. In the process of this the timestamps are modified.

Both files can be recovered with icat as well.

# icat -f ntfs /dev/hdd4 34 > /mnt/recover/lab4/ntfs/file1

# icat -f ntfs /dev/hdd4 35 > /mnt/recover/lab4/ntfs/file2

Step 9 It is very important to do these next steps so that the lab is properly set up for the person who uses the computer after you.

Unmount any drives you mounted and shutdown the VMWare system.

In VMWare, revert 'Linux - Forensics' back to the snapshot by clicking the 'Revert' button.

From the c:\vmware-images\Linux - Forensics\ directory remove all files beginning with 'Linux – Forensics-Image' and 'Linux – Forensics-FS'.


Question 12: What are your comments and suggestions for this lab?
