Digital Forensics

Module 11CS 996

4/26/2004 Module 11 2

Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX file systems (Kulesh) ProDiscover workshop (remaining time)

4/26/2004 Module 11 3

Reminder InfraGard Chapter meeting on

Counterintelligence Bear Stearns, 383 Madison Avenue 9-4, April 28 RSVP: www.nym-infragard.us

4/26/2004 Module 11 4

Hard Drive Data Hiding Places Low Level Format

Redundant sectors Bad sectors

Partition Interpartition gaps Unallocated space “Hidden” partitions Boot records and partition tables Deleted partitions

4/26/2004 Module 11 5

Physical Disk Geometry (CHS) One head for each surface (H) All tracks at r = dn form “cylinder” (C) Each sector has 512 bytes of user data

(S) One disk surface devoted to positioning

and synchronization Not all parts of the disk are

addressable by the OS Disk capacity = C x H x S x 512 bytes

4/26/2004 Module 11 6

Lifecycle of Disk Drive Blank media Low level format

Performed at the factory Partition High level file system format Operating system install System operations

4/26/2004 Module 11 7

Low Level Format Low level formatting creates sectors Each sector holds 512 bytes +

overhead bytes Overhead provides error correction and

timing recovery Bad sectors remapped to redundant

sectors by the HDD controller.

4/26/2004 Module 11 8

Low Level Format

SECTOR OVERHEAD

512 BYTES

REDUNDANT SECTOR

4/26/2004 Module 11 9

Partitioning

INTER-PARTITION GAP

PARTITION #2

PARTITION #1

VOLUME BOOT

RECORD

MASTERBOOT

RECORD

VOLUME BOOT

RECORD

4/26/2004 Module 11 10

Partitioning Drive Master Boot Record = Master Boot

Code + Master Partition Table (MPT) Always at sector #1

Volume Boot Record = Volume Boot Code + Disk Parameter Block Each partition

4/26/2004 Module 11 11

FAT File System Four parts

Volume boot record File allocation tables Root directory User data area

Types FAT 12, 16, 32 bits; cluster address size FAT1 and FAT2; first and second copy of

FAT Floppy: FAT12

4/26/2004 Module 11 12

FAT12/16 Structure

DOS BOOT SECTOR

FAT #1 FAT #2

ROOT DIRECTORY

USER DATA AREA

4/26/2004 Module 11 13

FAT32 Structure

DOS BOOTRECORD (3)

RESERVEDSECTORS

COPY OFDOS BOOTRECORD

RESERVEDSECTORS

32 SECTORS

FAT #1 FAT #2

USER DATA

4/26/2004 Module 11 14

File Allocation Table

TEST 217

DIRECTORY ENTRY

0

217

339

618

618

339

EOF

4/26/2004 Module 11 15

WinHex: Forensic Hex Editor www.x-ways.net Disk cloning

DOS version Windows version (use write blocker)

Disk editor API for scripting tasks

4/26/2004 Module 11 16

4/26/2004 Module 11 17

4/26/2004 Module 11 18

Navigating to FAT12 Directory Start at boot sector #1 Add 2 x 9 sectors Directory at sector #20 Offset is: 19 x 512 = 9728 bytes =

2600H

4/26/2004 Module 11 19

4/26/2004 Module 11 20

Navigating to FAT32 Allocation Table Start at boot sector Go to sector #33, offset of 32 x 512

bytes 32 x 512 = 16384 = 4000H

4/26/2004 Module 11 21

4/26/2004 Module 11 22

WinHex NTFS Partition Analysis

4/26/2004 Module 11 23

ProDiscover Forensic Software www.techpathways.com Disk imaging: meets NIST Specification

3.1.6 Works with FAT, NTFS, Sun Solaris UFS Displays Windows ADS! File signature analysis Search capability Recover deleted files and slack space Reasonable price!

4/26/2004 Module 11 24

4/26/2004 Module 11 25

Capture Evidence Files

4/26/2004 Module 11 26

Image Evidence: Windows Laptop

PRODISCOVER

USB TO IDE

ADAPTER

EVIDENCE DRIVE

IDE CABLE

4/26/2004 Module 11 27

KeyWord Search

4/26/2004 Module 11 28

Reporting (View=>Report)

4/26/2004 Module 11 29

References for Module #11 Bill Nelson, Guide to Computer

Investigations, 2004. Warren Kruse, Computer Forensics,

2002. Kevin Mandia, Incident Response,

2003. EnCase Legal Journal (course web site) www.cs.nmt.edu (cs491_02) NTFS: