Digital Forensics Lecture 3
Hard Disk Drive (HDD) Media Forensics
(source file: df/lectures/3 HDD Media Continued.pdf)

Page 2

Current, Relevant Topics

• …defendants should not use disk-cleaning utilities to wipe portions of their hard drives before turning them over to plaintiffs in the course of discovery…
• …RIAA asked the judge for a mirrored copy of Tschirhart's hard drive…
• …data was removed from the hard drive before it was turned over…
• …we found a number of file deletion programs and their log files…
• …Tschirhart's own expert …"consistent with defragmentation of the hard drive"…
• …Even though the hard drive had been altered, the investigators found evidence that P2P software had been installed …music files had been downloaded …the wiping utilities had been removed as well

– arstechnica.com

Page 3

Research Topics Presentation Rules

• The goal is to pass on information that might be of value to a forensic investigator
• Fine to sit or stand
• Fine to use viewgraphs or not
  – Any viewgraphs must be in PowerPoint format and must be emailed by 7:00 AM the day of the presentation
• Each presentation is limited to 5 minutes
• Depending on the material and level of interest, we may explore a topic further
• Write-up is due at presentation

Page 4

This Week's Presentations

1. CD-R/RW and DVD+-R/RW media analysis
2. File carving
3. Tools for MAC digital forensics

Page 5

Lecture Overview

• Very brief overview of Lecture 2
• Isolation through virtualization
• Analysis and relevant tools
• High-level format (file system)
• Digital forensic tools

Process diagram: Preparation → Collection → Analysis → Findings/Evidence → Reporting/Action, all within the Legal/Policy framework

Page 6

Brief Summary of Last Lecture

• Physical-layer forensic issues for HDDs
• Materials, geometry, and low-level structure
• HDD function and operation
• Data recovery using physical-layer techniques
• The first level of abstraction (volumes)

Diagram: Primary Storage Media 1 divided into Volume 1, Volume 2, and Unallocated space

Page 7

Module 1

Isolation Through Virtualization (e.g., VMware)

Page 8

The Goal is to Maintain Integrity of the Investigation

Diagram of the investigation environment: the actors are the Investigator, the Evidence Consumer, and Unauthorized Users and Networks; the objects are TOOLS, "Evidence" Data, Analysis Data, Reports, and Incremental Reports; the arrows between them are labelled READ, ACCESS, MODIFY, GENERATE, and VERIFY (the investigator reads evidence data and generates analysis data and reports, the evidence consumer verifies the reports, and unauthorized users and networks must not be able to access or modify any of it). New tools enter the environment only through a Testing, Change Process, and Verify step.

Page 9

VMware Will Serve as Our Investigation Environment

Page 10

VMware Device Specifics

• Can save and revert to snapshots of system state
• Virtual hardware is very stable
• Provides a variety of virtual hardware
  – USB 1.1 and 2.0
  – Floppy
    • Can use a floppy image file on the host OS as the floppy
  – NIC (Ethernet)
  – Audio adapter
  – Serial port
  – Parallel port
  – Generic SCSI device
  – HDD (IDE or SCSI)
    • Stored as a binary file on the host OS
    • Can add or remove an HDD very easily
  – CD and DVD drives (IDE or SCSI)
    • Can use an ISO image on the host OS as a CD or DVD
  – Memory (RAM), limited by physical RAM

Page 11

Important Information About Our Analysis Virtual Machine

• We will use a Fedora Core VM for our analysis
• User = "root"
• Password = "letmein"
• Do not modify the analysis VM unless specified in lab instructions

Page 12

Module 2

Analysis and Relevant Tools

Page 13

Analysis of Volumes

• Generally the first step in media analysis
  – Should occur after preservation of evidence
  – Media imaging or cloning are the generally accepted methods of preserving evidence
• Account for all storage space
• Create a partition map and understand the resulting volumes
  – Requires careful accounting for each sector: the MBR, every partition, and the gaps between and after partitions (the partition table describes only what was allocated, so hidden or leftover sectors show up only as gaps in the map)
• Guides analysis of other constructs, including higher-layer abstractions
  – File systems
  – Databases
  – Other logical containers, etc.
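The following worked example is added here and is not part of the lecture or its labs. It does what the "account for all storage space" bullet asks for: it parses the master partition table of a constructed MBR sector and produces a partition map listing the MBR, each primary partition, and every unallocated gap, checking that the regions cover the disk exactly once. The partition type names and the sample disk layout are illustrative choices. Extended partitions (EBR chains) and GPT disks (protective MBR type 0xEE) are out of scope; on real media the same map is produced by the Sleuth Kit's mmls.

```python
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
MBR_PT_OFFSET = 446          # master partition table starts after the 446-byte master boot code
MBR_ENTRY_SIZE = 16
# A few well-known MBR partition type bytes (not exhaustive).
PARTITION_TYPES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
                   0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


@dataclass
class Region:
    kind: str          # "mbr", "partition" or "unallocated"
    start: int         # first sector (LBA)
    length: int        # number of sectors
    ptype: int = 0     # partition type byte (partitions only)

    @property
    def end(self) -> int:
        return self.start + self.length - 1


def build_mbr(entries):
    """Construct a 512-byte MBR from (type, start_lba, sector_count) tuples (test data, not a real disk)."""
    mbr = bytearray(SECTOR_SIZE)           # 446 bytes of (empty) master boot code
    for i, (ptype, lba, count) in enumerate(entries):
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        struct.pack_into("<B3sB3sII", mbr, MBR_PT_OFFSET + MBR_ENTRY_SIZE * i,
                         0x80 if i == 0 else 0x00, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    mbr[510:512] = b"\x55\xaa"             # boot signature
    return bytes(mbr)


def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries from the master partition table (MPT)."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, MBR_PT_OFFSET + MBR_ENTRY_SIZE * i)
        if ptype == 0x00 or count == 0:    # unused slot
            continue
        parts.append(Region("partition", lba, count, ptype))
    return parts


def partition_map(mbr: bytes, disk_sectors: int):
    """Account for every sector of the disk: MBR, partitions, and the gaps between and after them."""
    parts = sorted(parse_mbr(mbr), key=lambda r: r.start)
    regions = [Region("mbr", 0, 1)]
    cursor = 1                              # next sector not yet accounted for
    for p in parts:
        if p.start < cursor:
            raise ValueError(f"partition at LBA {p.start} overlaps the region ending at {cursor - 1}")
        if p.end >= disk_sectors:
            raise ValueError(f"partition {p.start}+{p.length} extends past the end of the disk")
        if p.start > cursor:
            regions.append(Region("unallocated", cursor, p.start - cursor))
        regions.append(p)
        cursor = p.end + 1
    if cursor < disk_sectors:
        regions.append(Region("unallocated", cursor, disk_sectors - cursor))
    assert sum(r.length for r in regions) == disk_sectors   # every sector lands in exactly one region
    return regions


def describe(regions):
    lines = []
    for r in regions:
        label = PARTITION_TYPES.get(r.ptype, f"type 0x{r.ptype:02X}") if r.kind == "partition" else r.kind
        lines.append(f"{r.start:>10d} {r.end:>10d} {r.length:>10d}  {label}")
    return "\n".join(lines)


# Constructed sample: a 4096-sector (2 MiB) disk with an NTFS partition at LBA 63 and a Linux
# partition at LBA 2048, leaving three unallocated gaps that an investigator must still examine.
SAMPLE_MBR = build_mbr([(0x07, 63, 1000), (0x83, 2048, 1024)])
SAMPLE_DISK_SECTORS = 4096

if __name__ == "__main__":
    print("     start        end    sectors  description")
    print(describe(partition_map(SAMPLE_MBR, SAMPLE_DISK_SECTORS)))
```

The gaps are where remnants of earlier partition layouts and deliberately hidden data live, so each unallocated region is handed to the data-unit tools (dls/dcat) rather than skipped; a partition that overlaps another or runs past the end of the disk is itself a finding, which is why the map refuses to silently normalise it.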

Page 14

The Sleuth Kit Tools (learn through hands-on labs)

• File system layer (partitions, file systems)
  – fsstat – first used in lab 3 to determine block size
  (the partition table itself is listed with mmls, the volume-layer tool)
• File name layer (file name structures)
  – ffind
  – fls
• Meta-data layer (inodes, directory entries, file attributes)
  – icat
  – ifind
  – ils
  – istat
• Data unit layer (disk blocks)
  – dcat – first used in lab 3 to extract disk blocks
  – dls – first used in lab 2 to copy unallocated space and slack space
  – dstat
  – dcalc – first used in lab 3 to compute the absolute block to recover
  (current Sleuth Kit releases ship these four as blkcat, blkls, blkstat, and blkcalc)

Page 15

Module 3

High-Level Format (File Systems)

Page 16

Our Approach to Understanding HDD DF

• We will begin at the physical layer and work toward increasing abstraction using a data-driven approach

Diagram: a stack running from specific to abstract, Physical Media → Volume 1 … Volume n → File System → File → ? (higher-layer constructs), with "Understanding and Evidence" increasing along the same axis; "You Are Here" marks the current position on the stack (this lecture: the file system layer)

Page 17

HDD Structure (just prior to adding file system)

• Blank media
• Low-level format
• Partition

Diagram: blank media is a sequence of sectors (512+ B) plus redundant sectors; the low-level format lays those sectors out; partitioning writes the MBR (MBC + MPT) in the first sector, and a VBR at the start of each partition (VBR1 = VBC1 + DPB1, VBR2 = VBC2 + DPB2)

MBR = master boot record
MBC = master boot code
MPT = master partition table
VBR = volume boot record
VBC = volume boot code
DPB = disk parameter block

Page 18

High-Level Format (Creating Disk Blocks)

Clusters, Blocks, Fragments, etc. (different names for the same thing)

• High-level format creates the file system
• Sectors are too small a unit for most HDDs: tracking every 512-octet sector individually would make the allocation structures, and the address space they must cover, too large
• Sectors are grouped into groups of N to form clusters, N is a positive integer (in practice a power of two)
  – This becomes the indivisible allocation unit for the installed operating system

Diagram: Master Boot Record (MBC + MPT) followed by sectors grouped into blocks

Page 19

High-Level Format (Creating File Systems)

• The MPT entry records the partition type (e.g., NTFS, FAT32, Linux); the cluster size is recorded inside the volume, in the VBR's disk parameter block (BIOS parameter block) or the file system's superblock
  – Cluster (fragment, segment) sizes are multiples of 512 octets (one sector)
  – This becomes the indivisible allocation unit for the operating system
• A file system structure is created
  – FAT creates a file allocation table (simple table)
  – NTFS creates a master file table (database)
  – Linux EXT2/3 creates a superblock, block-group descriptors, inode and block bitmaps, and inode tables (the "virtual file system", VFS, is the kernel's common interface above these, not an on-disk structure)
  – Each file system behaves differently

Diagram: Master Boot Record (MBC + MPT), then clusters (blocks, fragments, etc.: different names for the same thing) holding file system structures and allocated/unallocated space

Page 20

What is Slack Space? (space between end of file and end of cluster)

• Consider a file containing 4628 octets stored in 1024-octet clusters (2 sectors per cluster)
  – 4628 = (1024 x 4) + 532
• 4 full clusters and part of a fifth cluster
• There will be (5 x 1024) – 4628 = 492 unused octets
• This unused space is called "slack space"
  – The OS writes whole sectors, so the unused tail of the last sector it writes (all 492 octets here) is padded by the OS ("RAM slack", zero-filled on modern systems); any sectors of the last cluster that are never written keep whatever was stored there before ("drive slack")

Diagram: a sector (512 octets); a cluster (2 x 512 octets); a file of length 4628 octets with slack space at the end of its fifth cluster

Page 21

Why is Slack Space Important?

Diagram: a new drive begins as unallocated space; a file is written (allocated space); the file is deleted (the space is unallocated again, but its contents remain); part of that space is reallocated to a new, smaller file, leaving slack space at the end of the new file's last cluster. Question posed on the slide, pointing at the rest of the old file's data: why isn't this also slack space?
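The two slack-space slides above can be worked through in code. The example below is added for this page and is not from the lecture or its labs; it models a volume with a constructed, simplified allocator (whole clusters, first-fit reuse of freed clusters, nothing erased on delete, and the OS padding only the final sector it writes) and reuses the lecture's own figures. It also answers the slide's question: after the old file is deleted and a smaller file reuses some of its clusters, the old data left in the new file's last cluster is slack space, because an allocated cluster owns it, whereas the old data in clusters no file owns is unallocated space, which dls collects rather than a slack extractor.

```python
SECTOR_SIZE = 512


def slack_geometry(file_size, cluster_size, sector_size=SECTOR_SIZE):
    """Clusters allocated to a file and how the slack in its last cluster splits up.

    Assumption (typical of FAT and NTFS): the OS writes whole sectors, so the unused
    tail of the last sector written is padded ("RAM slack", zero-filled on modern
    systems), while sectors of the cluster that were never written keep whatever
    was there before ("drive slack").
    """
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a whole number of sectors")
    clusters = -(-file_size // cluster_size)            # ceiling division
    slack = clusters * cluster_size - file_size
    tail = file_size % cluster_size                      # octets used in the last cluster
    ram_slack = (-tail) % sector_size if tail else 0
    return {"clusters": clusters, "slack": slack,
            "ram_slack": ram_slack, "drive_slack": slack - ram_slack}


class ClusterVolume:
    """Toy volume that allocates whole clusters and never erases data (constructed model)."""

    def __init__(self, n_clusters, cluster_size, sector_size=SECTOR_SIZE):
        self.cs, self.ss = cluster_size, sector_size
        self.disk = bytearray(n_clusters * cluster_size)   # a brand-new (zeroed) drive
        self.free = list(range(n_clusters))               # unallocated cluster list
        self.files = {}                                   # name -> (clusters, size)

    def write(self, name, data):
        need = -(-len(data) // self.cs)
        if need > len(self.free):
            raise OSError("volume full")
        clusters, self.free = self.free[:need], self.free[need:]
        for i, c in enumerate(clusters):
            chunk = data[i * self.cs:(i + 1) * self.cs]
            # Pad to a sector boundary: the OS writes whole sectors (RAM slack is zeroed),
            # but sectors beyond the last one written are not touched (drive slack survives).
            padded = chunk + b"\x00" * ((-len(chunk)) % self.ss)
            self.disk[c * self.cs:c * self.cs + len(padded)] = padded
        self.files[name] = (clusters, len(data))

    def delete(self, name):
        clusters, _ = self.files.pop(name)
        self.free = clusters + self.free        # clusters return to the free list; contents stay

    def slack(self, name):
        """Octets between the end of the file and the end of its last cluster."""
        clusters, size = self.files[name]
        tail = size % self.cs
        if tail == 0:
            return b""
        last = clusters[-1]
        return bytes(self.disk[last * self.cs + tail:(last + 1) * self.cs])

    def unallocated(self):
        """Contents of clusters not owned by any file (what dls/blkls would extract)."""
        return b"".join(bytes(self.disk[c * self.cs:(c + 1) * self.cs]) for c in sorted(self.free))


def demo():
    """Old file deleted, smaller new file reuses its first clusters: where does old data survive?"""
    vol = ClusterVolume(n_clusters=4, cluster_size=2048)        # 4 clusters of 4 sectors each
    vol.write("old.txt", b"S" * 8192)                           # fills all four clusters
    vol.delete("old.txt")
    vol.write("new.txt", b"N" * 2100)                           # 1 full cluster + 52 octets
    return vol


if __name__ == "__main__":
    print(slack_geometry(4628, 1024))       # the lecture's example: 5 clusters, 492 octets slack
    vol = demo()
    s = vol.slack("new.txt")
    print(len(s), "slack octets:", s[:8], "...", s[-8:])
    print(len(vol.unallocated()), "unallocated octets still holding old data")
```

In the demo the new file's slack is 1996 octets: 460 zero octets of RAM slack followed by 1536 octets of the old file (three untouched sectors of drive slack), while the remaining 4096 octets of the old file sit in two clusters that are unallocated, not slack. The lecture's 4628-octet file has 492 octets of slack, all of it RAM slack, because the file ends 20 octets into the second and last sector of its cluster.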

Page 22

Diagram: the life of a drive, from blank media to an installed OS

• Blank media: individual sectors of 512 octets, plus sector overhead and redundant sectors (only visible to the HDD controller)
• Low-level format: the sectors laid out on the media
• Partitioning: Master Boot Record (MBC + MPT); Partition #1 with its Volume Boot Record (VBC + DPB); an inter-partition gap of unused sectors; Partition #2 with its Volume Boot Record (VBC + DPB)
• High-level format: Master Boot Record (MBC + MPT); within each partition, clusters holding file system structures and free space
• OS install: Master Boot Record (MBC + MPT); file system structures, OS code/data, page file, and free space

Page 23

What is the Role of a File System?

• Provides data storage and retrieval
• Associates names with data files
• Organizes files into parent directories
• Stores file attributes
  – Modified, Accessed, and Created times (MAC times); on Unix file systems the third is the inode Change time (ctime), not a creation time
  – Disk blocks used for file storage
  – Others depending on specific file system
• Maintains lists of unallocated disk blocks

Page 24

What Do Most File Systems Have in Common?

• Unique file (or directory) identifiers
  – inodes (Linux terminology); NTFS uses the MFT entry number (file reference); FAT has no identifier beyond the directory entry itself, so tools such as The Sleuth Kit synthesize one
• Data structure that associates file names and inodes
• Indivisible storage units formed of disk sectors
  – e.g., blocks, clusters, fragments, etc.
• Pointers to blocks where the file is stored
• File attributes, e.g., times, parent directories, deleted flag, ownership, permissions, etc.
• Unallocated block list

Page 25

File Systems Have Significant Structural and Functional Differences

• Journaling
• Meta-data storage
• Variable length allocation units
• Fragments
• Distributed file system data structures
• inode allocation algorithms
• Search-efficient data structures
  – trees
• …

Page 26

What File System Attributes/Behaviors are of Interest to a DF Investigator?

• File deletion
• File growth
• File shrinkage
• File replacement
• Resource reuse
  – directory blocks, inodes, blocks, etc.
• Time stamp behavior
• What else?

Page 27

NTFS File System

• NTFS uses a master file table (MFT)
  – More of a database than a table
  – Each entry is referenced by a unique number
  – Stores file/directory attributes
    • $Data is just one attribute and multiple $Data attributes are allowed (alternate data streams)
    • MAC times (kept in $STANDARD_INFORMATION and again in $FILE_NAME)
  – Small files are stored directly in the MFT entry as a "resident" $Data attribute; with the default 1024-octet entry, the header and other attributes leave on the order of several hundred octets for resident data
  – Larger files are stored indirectly ("non-resident" data in clusters described by a run list)
  – The IN_USE flag is cleared when a file is deleted
• All attributes are maintained until the MFT entry is reused
• Indirect storage may persist even after the entry is reused

Page 28

Ext2 File System

• Linux uses data structures called inodes to represent a file or directory
  – Each inode has a unique number
  – Contains a description of the file
    • Size, MAC times, file type, access rights, owners, etc.
  – Contains pointers to blocks where data is stored
  – File names are stored in a separate data structure (directory entries)
    • Referenced by inode number
    • Allows multiple names for the same file (hard links)
  – Character and block devices are special file types that do not store data
    • Point to a device driver
  – Larger files are stored through up to three levels of indirection (12 direct block pointers, then a single-, a double-, and a triple-indirect block)
  – On deletion the inode's link count drops to zero, its deletion time (dtime) is set, and the inode and its blocks are marked free in the bitmaps; ext2 leaves the block pointers in the inode intact, which is what makes ils/icat recovery of deleted files possible, whereas ext3 zeroes the pointers on delete

Page 29

Example of Indirection

Diagram: inode block pointers reaching data blocks directly and through single-, double-, and triple-indirect blocks (figure not reproduced in the extracted text)
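The indirection scheme of the two slides above, worked as an added example rather than the lecture's own figure: for an ext2 inode with 12 direct pointers and one single-, double-, and triple-indirect pointer, ext2_layout counts how many data blocks a file of a given size reaches through each level and how many indirect (metadata) blocks the path requires, locate gives the index path from a logical block number to its block pointer, and max_file_size gives the addressing limit. The 1024-octet block size and 4-octet pointer size are ext2 defaults; the file sizes used are constructed.

```python
EXT2_NDIR_BLOCKS = 12        # direct block pointers in an ext2 inode (i_block[0..11])
POINTER_SIZE = 4             # each block pointer is a 32-bit block number


def ceil_div(a, b):
    return -(-a // b)


def ext2_layout(file_size, block_size=1024):
    """Data blocks an ext2 file needs, split by the indirection level that reaches them.

    Also counts the indirect blocks themselves: metadata that icat must follow but
    that is not part of the file's content.
    """
    ppb = block_size // POINTER_SIZE        # pointers per indirect block
    data = ceil_div(file_size, block_size)
    remaining = data
    direct = min(remaining, EXT2_NDIR_BLOCKS)
    remaining -= direct
    single = min(remaining, ppb)
    remaining -= single
    double = min(remaining, ppb ** 2)
    remaining -= double
    triple = min(remaining, ppb ** 3)
    remaining -= triple
    if remaining:
        raise ValueError(f"{file_size} octets exceeds the ext2 limit for {block_size}-octet blocks")
    meta = 0
    if single:
        meta += 1                                   # the single-indirect block itself
    if double:
        meta += 1 + ceil_div(double, ppb)           # double-indirect block + its single-indirect children
    if triple:
        meta += 1 + ceil_div(triple, ppb ** 2) + ceil_div(triple, ppb)
    return {"data_blocks": data, "direct": direct, "single": single,
            "double": double, "triple": triple, "indirect_blocks": meta}


def locate(logical_block, block_size=1024):
    """Path from the inode to the pointer for a logical block: which i_block slot, then the
    index to read at each indirection level on the way to the data block."""
    ppb = block_size // POINTER_SIZE
    n = logical_block
    if n < EXT2_NDIR_BLOCKS:
        return ("direct", n)
    n -= EXT2_NDIR_BLOCKS
    if n < ppb:
        return ("single", n)
    n -= ppb
    if n < ppb ** 2:
        return ("double", n // ppb, n % ppb)
    n -= ppb ** 2
    if n < ppb ** 3:
        return ("triple", n // ppb ** 2, (n // ppb) % ppb, n % ppb)
    raise ValueError("logical block beyond the ext2 addressing limit")


def max_file_size(block_size=1024):
    """Largest file addressable through 12 direct pointers plus three indirect pointers."""
    ppb = block_size // POINTER_SIZE
    return (EXT2_NDIR_BLOCKS + ppb + ppb ** 2 + ppb ** 3) * block_size


if __name__ == "__main__":
    print(ext2_layout(4628))                 # the lecture's 4628-octet file: 5 direct blocks
    print(ext2_layout(1 << 20))              # a 1 MiB file already needs double indirection
    print(locate(5), locate(12), locate(268), locate(65804))
    print(max_file_size() / 2 ** 30, "GiB addressable with 1 KiB blocks")
```

With 1 KiB blocks an indirect block holds 256 pointers, so a 1 MiB file (1024 blocks) uses 12 direct, 256 single-indirect, and 756 double-indirect data blocks plus 5 indirect blocks, and the addressing limit works out to 16,843,020 blocks, about 16 GiB. The indirect blocks matter to the investigator twice over: they are what a deleted ext2 inode still points at, and they are blocks that carving by content will never attribute to the file.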

Page 30

Module 4

Digital Forensic Tools

Page 31

Disk Imaging and Cloning

• Disk imaging and cloning is a standard and necessary step to preserve evidence
  – The source must be attached read-only (hardware write blocker or a read-only mount) so that the preservation step itself does not alter the evidence
• We will use dd to perform our clone and imaging
• Cloning
  – Disk/volume to disk
• Imaging
  – Disk/volume to file

Page 32

Hash Functions

• Used as an integrity function: hash the source before imaging and the image afterwards; matching digests show the copy is bit-for-bit identical, and the recorded digests let anyone re-verify the image later
• Common hash functions
  – MD5, SHA-1, SHA-256
    • MD5 and SHA-1 are no longer collision-resistant, so record SHA-256 alongside them
  – dccidd – will compute MD5, SHA-1, and SHA-256 concurrent with the imaging operation

Diagram: File → Hash Function → Hash
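As an added illustration (not code from the lecture, and not an implementation of dccidd or dd), the block below images a constructed source in fixed-size blocks while updating MD5, SHA-1, and SHA-256 in the same pass, then re-verifies the image against the recorded digests. The FlakySource class is a stand-in for a drive with an unreadable block; like dd with conv=noerror,sync, the copy substitutes zeros for that block so later offsets stay aligned, and the report records the block number, because the hashes then describe the padded image rather than the original media.

```python
import hashlib
import io

HASH_NAMES = ("md5", "sha1", "sha256")


def image_and_hash(src, dst, block_size=4096):
    """Copy src to dst block by block, hashing the bytes as they are written.

    Mirrors dd with conv=noerror,sync: an unreadable block is skipped, replaced by
    zeros in the image so every later offset stays aligned, and recorded so the
    report can state exactly which blocks are not original data.
    """
    hashes = {name: hashlib.new(name) for name in HASH_NAMES}
    bad_blocks = []
    offset = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks.append(offset // block_size)
            chunk = b"\x00" * block_size
            src.seek(offset + block_size)      # step over the bad block
        if not chunk:
            break
        dst.write(chunk)
        for h in hashes.values():
            h.update(chunk)
        offset += len(chunk)
    report = {name: h.hexdigest() for name, h in hashes.items()}
    report["bytes"] = offset
    report["bad_blocks"] = bad_blocks
    return report


def verify_image(image, expected, block_size=4096):
    """Re-hash an image and compare against the digests recorded at acquisition time."""
    hashes = {name: hashlib.new(name) for name in HASH_NAMES}
    image.seek(0)
    for chunk in iter(lambda: image.read(block_size), b""):
        for h in hashes.values():
            h.update(chunk)
    return all(hashes[name].hexdigest() == expected[name] for name in HASH_NAMES)


def digests(data: bytes):
    """Digests of an in-memory byte string, for cross-checking an acquisition report."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}


class FlakySource(io.BytesIO):
    """Constructed stand-in for a failing drive: reads starting at the listed block numbers raise."""

    def __init__(self, data, bad_blocks, block_size):
        super().__init__(data)
        self.bad, self.bs = set(bad_blocks), block_size

    def read(self, n=-1):
        if self.tell() % self.bs == 0 and self.tell() // self.bs in self.bad:
            raise OSError("I/O error: sector unreadable")
        return super().read(n)


# Constructed sample "drive": 8 KiB of recognisable data, imaged in 1 KiB blocks.
SAMPLE_DATA = bytes(range(256)) * 32
BLOCK = 1024


def acquire(bad_blocks=()):
    """Image the sample drive (optionally with unreadable blocks) and return (image, report)."""
    src = FlakySource(SAMPLE_DATA, bad_blocks, BLOCK)
    image = io.BytesIO()
    report = image_and_hash(src, image, BLOCK)
    return image, report


if __name__ == "__main__":
    image, report = acquire()
    print("clean:", report["sha256"], "bad blocks:", report["bad_blocks"])
    image, report = acquire(bad_blocks=[3])
    print("flaky:", report["sha256"], "bad blocks:", report["bad_blocks"])
    print("verify:", verify_image(image, report))
```

Two points the slide's diagram does not show: a source with a bad block cannot produce an image whose hash matches a hash of the original media, so the acquisition notes must carry the bad-block list together with the digests; and verification is of the image file against the recorded digests, which is why the report stores all three hashes rather than only the fastest one.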

Page 33

The Sleuth Kit

• Forensics analysis tools
  – Written by Brian Carrier
  – Based on The Coroner's Toolkit by Dan Farmer and Wietse Venema
• Based on a layered model of analysis
• Tested on multiple systems
  – Linux, Mac OS X, CYGWIN, FreeBSD, OpenBSD, Solaris
• Supports NTFS, FAT, FFS, EXT2FS, and EXT3FS
• Autopsy is a web-based front end that uses The Sleuth Kit

Page 34

Diagram: Sleuth Kit layers mapped onto the on-disk structures (MBR = MBC + MPT, then file system structures, allocated space, and unallocated space)

Layer               Tools                      Works with
File system layer   fsstat                     MPT, file system structures
File name layer     ffind, fls                 name, inode
Meta-data layer     icat, ifind, ils, istat    inode, attributes
Data unit layer     dcat, dls, dstat, dcalc    allocated space, unallocated space


Page 36

Questions?

After all, you are an investigator