Lab IV: File Recovery: Meta Data Layer
NEW MEXICO TECH DIGITAL FORENSICS, FALL 2006
LAB IV: FILE RECOVERY: META DATA LAYER
Prepared by Regis Cassidy, Sandia National Laboratories

Objectives
- Find meta data information for evidence found in a search list
- Recover a file based on meta data
- Use the Autopsy Forensic Browser at the meta data layer
- Observe file deletion behavior at the meta data layer with different file systems

Procedures

PART 1

Step 1
The same image file you used in Lab III is on /dev/hdb1. You will use this image for the first part of the lab. Four directories, ext2/, ext3/, fat32/ and ntfs/, have been created for you on /dev/hdb1 for the second part of the lab. You will also be using another disk that has been added to the system as /dev/hdd.

Launch your "Linux - Forensics" virtual machine. Mount /dev/hdb1 on /mnt/recover. The image.dd file from Lab III is located in /mnt/recover/lab4.

Question 1: You wish to recover file05, the Word document from Lab III. As a review, list the steps needed to find the file based on the search word "keyboard". In what block of the original image file is this search word found?

# dls -f linux-ext2 /mnt/recover/lab4/image.dd > /mnt/recover/lab4/image.unalloc.dls
# strings -a -t d /mnt/recover/lab4/image.unalloc.dls > /mnt/recover/lab4/image.unalloc.str
# grep "keyboard" /mnt/recover/lab4/image.unalloc.str
# dcalc -f linux-ext2 -u 625 /mnt/recover/lab4/image.dd

strings -t d prints the byte offset of each match within the dls output. Dividing that offset by the file system's block size gives the unallocated-unit number that dcalc -u expects (625 here); dcalc then maps that unit back to its block address in image.dd. The search word is found at block 883 in the image.dd file.

(Note on tool names: this lab uses the Sleuth Kit 2.x names. In Sleuth Kit 3.0 and later, dls, dcalc, dcat and dstat were renamed blkls, blkcalc, blkcat and blkstat, and the file system type is written -f ext2 rather than -f linux-ext2. ifind, istat and icat kept their names.)

Finding Meta Data Information

Step 2
The information provided by the inode in Linux is known as meta data. Each file on the system (including directories) is associated with a unique inode. Inodes are the counterpart of directory entries in FAT32 and of Master File Table entries in NTFS. This meta data can be very useful for recovering files, provided the inode has not been reallocated to a new file. One function of the inode is to provide a mapping to all the blocks that the file uses on disk.
Given a block number, the Sleuth Kit tool ifind can be used to locate the inode that the block is associated with.

# ifind -f linux-ext2 /mnt/recover/lab4/image.dd -d block

Note: use the block number you found in Question 1 for block.

Now you should know the inode associated with the Word document file05. The Sleuth Kit tool istat lists the meta data contained in the inode.

# istat -f linux-ext2 /mnt/recover/lab4/image.dd inode | less

Note: use the inode you found with ifind in the step above. Notice that istat reports that the inode is not allocated.

Question 2: What would it mean if istat showed the inode as being allocated? If it is unallocated, can you be certain you are viewing the inode information for the file you found in a search?

If the inode has been reallocated, its meta data describes a new file and is of no use for recovering the deleted one. If the inode is unallocated you still cannot be sure it holds the right meta data for your file: it could have been reallocated to a new file that was then deleted as well. When you extract the file with icat you can verify that the meta data really belongs to the file you mean to recover (file size, file type and hash should match).

Question 3: Review the output of istat again. Name three important fields found in the meta data that you think are needed to recover a file, and why.

The direct block pointers and the indirect block pointers are needed to find every location on disk belonging to the file. The file size is needed as well, to determine what fraction of the last block contains valid data for the file.

Recovering Files from Meta Data Information

Step 3
Because this meta data is available, it is much easier to recover a deleted file that is binary and/or fragmented.
Rather than having to locate the data blocks yourself and extract them with dcat, you can use the meta data as a road map to the file. The Sleuth Kit tool icat uses the meta data to recover a file in a single step.

Recover file05 using icat:

# icat -f linux-ext2 /mnt/recover/lab4/image.dd inode > /mnt/recover/lab4/file05

Verify the file size (22110 bytes) and use the file command to verify that a Word document was recovered. Compare hashes with those in fileinfo.txt. You can also view the file in OpenOffice Writer, which can open Word documents. Writer is located in the K menu under Office.

Question 4: What are some reasons that would still force you to use dcat to recover a file rather than icat?

icat can only be used if the inode still holds valid meta data for the file you wish to recover. That meta data is not valid if the inode has been reallocated to a new file. Someone could also deliberately alter the meta data in an attempt to hide data, or the meta data may have become corrupt some other way. Some file systems also clear part of the meta data when a file is deleted: ext3, for example, zeroes the inode's block pointers, so the inode no longer leads to the data even though it has not been reused (Part 2 of this lab looks at that behavior). In all of these cases you must fall back to locating the blocks yourself and extracting them with dcat.

Using Autopsy at the Meta Data Layer

Step 4
You will now use the Autopsy Forensic Browser again and learn more of its features, this time at the meta data layer.

Make an Autopsy working directory:

# mkdir /mnt/recover/lab4/autopsy

Start Autopsy:

# autopsy -d /mnt/recover/lab4/autopsy

From your toolbar, launch the Mozilla web browser. From the links bar, start Autopsy. Create a new case called Lab4 with your name as the investigator. Add a new host and use 'vmware-forensics' in the host name field. Enter MST for the time zone. Add an image located at /mnt/recover/lab4/image.dd. Keep the import method at symlink. Change the file system type to linux-ext2. The mount point should be set to /.
Select 'Calculate the hash value for this image'. Click the Keyword Search tab and search image.dd for "keyboard". There should be a match at the same block (fragment) number you found on the command line. Click the link for the hex or ASCII content; you should see the contents of the Word document. There is a panel located directly above the content window; you may have to scroll to see the link 'Find Meta Data Address'. Click this link to expand the information in that panel. An inode number should now be listed (the same one you found earlier with ifind), and it is a link as well. Clicking the inode number opens a new window containing the meta data you saw with istat. Notice that some additional information is provided at the top. Had the file not been deleted, its name would appear under the 'Pointed to by file' field. The 'File Type (Recovered)' field is determined by the file command, which you have already used. Click the 'Export Contents' button and save the file as file05.doc in /mnt/recover/lab4/. Verify the recovered file's hash.

Question 5: Why, when you export the contents at the meta data layer, do you not need to trim the file as you did when exporting at the data unit layer?

The meta data layer records the file's size, which is used to extract exactly the right number of bytes from the last block. At the data unit layer nothing is known about the file size, so the whole last block is extracted and the slack must be removed by hand.

You can view the information for any inode by clicking the 'Meta Data' tab. Click the 'Allocation List' button. This is a listing of all the inodes on the file system and whether each is allocated or unallocated. Even though there are no files on the image, inodes 1 through 10 appear to be allocated. However, when you view them they are not in use (except inode 2).
Inode 1 is reserved for the list of bad blocks on the device. Inode 2 is reserved for the root directory. Some of the inodes between 3 and 10 have special purposes and some are simply unused, being reserved for possible future use. Inode 11 is the first inode available for ordinary use and is usually assigned to the lost+found directory when an ext2 file system is first created.

You are done with the first part of this lab. Close Autopsy.

PART 2

Understanding Meta Data on Different File Systems

Step 5
For the second part of the lab you will be looking at a disk on /dev/hdd that has been divided into four partitions (they appear as /dev/hdd1 through /dev/hdd4). Each partition contains a different file system: Linux ext2, Linux ext3, FAT32 and NTFS respectively. The goal is to observe how the different file systems behave with file creation and deletion.

Question 6: What is the block (cluster) size for each of the partitions? (Note: you are used to using the Sleuth Kit tools against a dd image file, but you can also use them against an actual disk or partition. fsstat -f <type> /dev/hddN reports the block or cluster size of each file system.
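The following is an added example, not part of the lab handout, that does in Python what the Sleuth Kit commands in Steps 1 to 3 do on ext2, so the on-disk structures can be studied without the lab image. It reads the block size from a superblock (the value Question 6 asks for), converts a strings byte offset into the unit number that dcalc -u expects (Step 1), and walks an inode's direct and indirect block pointers to rebuild a fragmented file the way icat does, trimming to i_size (Steps 2 and 3, Question 5). It also shows what the walk yields when the block pointers were zeroed on deletion, as ext3 does (Question 4). Everything it reads is constructed inside the script: the superblock, the inode, the blocks 880 to 891, 895 and 900, the 12788-byte file and the strings offset 640000 are made up for the example and are not the lab's values. The field offsets follow the standard ext2 on-disk layout (superblock at byte 1024 with s_log_block_size at offset 24 and s_magic at 56; 128-byte inode with i_size at offset 4, i_dtime at 20 and i_block[15] at 40).

```python
# Added example for this lab: the ext2 meta data layer in Python.
# All data below is constructed, not taken from the lab image.
import itertools
import struct

EXT2_SUPER_MAGIC = 0xEF53


def ext2_block_size(superblock):
    """Block size from the ext2 superblock (byte 1024 of the partition): 1024 << s_log_block_size."""
    (magic,) = struct.unpack_from("<H", superblock, 56)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError("not an ext2/ext3 superblock")
    (log_block_size,) = struct.unpack_from("<I", superblock, 24)
    return 1024 << log_block_size


def dls_unit(byte_offset, block_size):
    """strings -t d gives a byte offset into the dls output; dcalc -u wants the unit (block) number."""
    return byte_offset // block_size


def parse_inode(raw):
    """Decode the recovery-relevant fields of a 128-byte ext2 inode."""
    mode, uid, size, atime, ctime, mtime, dtime, gid, links = struct.unpack_from("<HHIIIIIHH", raw, 0)
    ptrs = struct.unpack_from("<15I", raw, 40)            # i_block[15]
    return {"mode": mode, "size": size, "dtime": dtime, "links": links,
            "direct": list(ptrs[:12]), "indirect": ptrs[12:]}  # single, double, triple indirect


def block_map(inode, read_block, block_size, count):
    """First `count` data-block addresses in file order (0 = hole), following indirect blocks."""
    ppb = block_size // 4                                  # 32-bit pointers per indirect block

    def walk(ptr, level):
        if level == 0:
            yield ptr
        elif ptr == 0:
            yield from (0 for _ in range(ppb ** level))    # unset pointer: the whole subtree is holes
        else:
            for child in struct.unpack(f"<{ppb}I", read_block(ptr)):
                yield from walk(child, level - 1)

    def all_ptrs():
        yield from inode["direct"]
        for level, ptr in enumerate(inode["indirect"], start=1):
            yield from walk(ptr, level)

    return list(itertools.islice(all_ptrs(), count))


def recover(raw_inode, read_block, block_size):
    """What icat does: follow the block map, then trim to i_size. Returns None if the map is gone."""
    inode = parse_inode(raw_inode)
    nblocks = -(-inode["size"] // block_size)              # ceiling division
    ptrs = block_map(inode, read_block, block_size, nblocks)
    if inode["size"] and not any(ptrs):
        return None   # pointers zeroed on delete (ext3 behaviour): only dls/dcat carving is left
    data = b"".join(read_block(p) if p else bytes(block_size) for p in ptrs)
    return data[: inode["size"]]                           # i_size discards the slack in the last block


# ---- constructed disk: a 12788-byte file in blocks 880-891 plus 900 via indirect block 895 ----
BLOCK_SIZE = 1024
SUPERBLOCK = bytearray(1024)
struct.pack_into("<I", SUPERBLOCK, 24, 0)                  # s_log_block_size = 0 -> 1024-byte blocks
struct.pack_into("<H", SUPERBLOCK, 56, EXT2_SUPER_MAGIC)

FILE_SIZE = 12 * BLOCK_SIZE + 500                          # 12 full blocks plus 500 bytes of a 13th
DIRECT = list(range(880, 892))                             # the 12 direct block pointers
INDIRECT_BLOCK, TAIL_BLOCK = 895, 900                      # 13th data block reached via the indirect block
ORIGINAL = bytes((i * 7) % 251 for i in range(FILE_SIZE))

DISK = {}
for n, blk in enumerate(DIRECT + [TAIL_BLOCK]):
    chunk = ORIGINAL[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
    DISK[blk] = chunk.ljust(BLOCK_SIZE, b"\xff")            # 0xff marks slack after the valid bytes
DISK[INDIRECT_BLOCK] = struct.pack(f"<{BLOCK_SIZE // 4}I", TAIL_BLOCK, *([0] * (BLOCK_SIZE // 4 - 1)))


def read_block(n):
    """Stand-in for reading block n from image.dd."""
    return DISK.get(n, bytes(BLOCK_SIZE))


def make_inode(size, direct, single_indirect, dtime):
    """Build a constructed 128-byte inode: mode/uid/size/times/gid/links, then i_block[15]."""
    raw = bytearray(128)
    struct.pack_into("<HHIIIIIHH", raw, 0, 0o100644, 1000, size, 0, 0, 0, dtime, 1000, 0)
    struct.pack_into("<15I", raw, 40, *(direct + [0] * (12 - len(direct))), single_indirect, 0, 0)
    return bytes(raw)


DELETED_EXT2 = make_inode(FILE_SIZE, DIRECT, INDIRECT_BLOCK, dtime=1160000000)  # pointers survive deletion
DELETED_EXT3 = make_inode(FILE_SIZE, [], 0, dtime=1160000000)                   # pointers zeroed on deletion

if __name__ == "__main__":
    bs = ext2_block_size(SUPERBLOCK)
    print("block size", bs, "; strings offset 640000 is dls unit", dls_unit(640000, bs))
    print("ext2-style inode recovers the file:", recover(DELETED_EXT2, read_block, bs) == ORIGINAL)
    print("ext3-style inode recovers:", recover(DELETED_EXT3, read_block, bs))
```

Run it with python3. The ext2-style inode reassembles the original bytes exactly because the walk follows the single indirect block to the thirteenth data block and i_size cuts off the 524 bytes of slack; the ext3-style inode, whose dtime is set but whose pointers are all zero, yields no block map at all, which is the situation in which the lab's Question 4 says you have to go back to dcat. The same walk handles double and triple indirect pointers, and read_block is the only part that would change to read a real image.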