Digital Forensics Lecture 3
Hard Disk Drive (HDD) Media Forensics
Current, Relevant Topics
• …defendants should not use disk-cleaning utilities to wipe portions of their hard drives before turning them over to plaintiffs in the course of discovery…
• …RIAA asked the judge for a mirrored copy of Tschirhart's hard drive…
• …data was removed from the hard drive before it was turned over…
• …we found a number of file deletion programs and their log files…
• …Tschirhart's own expert …"consistent with defragmentation of the hard drive."…
• …Even though the hard drive had been altered, the investigators found evidence that P2P software had been installed …music files had been downloaded …the wiping utilities had been removed as well
– arstechnica.com
Research Topics Presentation Rules
• The goal is to pass on information that might be of value to a forensic investigator
• Fine to sit or stand
• Fine to use viewgraphs or not
– Any viewgraphs must be in PowerPoint format and must be emailed by 7:00 AM the day of the presentation
• Each presentation is limited to 5 minutes
• Depending on the material and level of interest, we may explore a topic further
• Write up is due at presentation
This Week’s Presentations
1. CD-R/RW and DVD+-R/RW media analysis
2. File carving
3. Tools for MAC digital forensics
Lecture Overview
• Very Brief Overview of Lecture 2
• Isolation through virtualization
• Analysis and relevant tools
• High-level format (File System)
• Digital Forensic Tools
(Figure: investigation process: Legal/Policy; Preparation, Collection, Analysis, Findings/Evidence; Reporting/Action)
Brief Summary of Last Lecture
• Physical-layer forensic issues for HDDs
• Materials, geometry, and low-level structure
• HDD function and operation
• Data recovery using physical-layer techniques
• The first level of abstraction (Volumes)
(Figure: primary storage media divided into Volume 1, Volume 2, and unallocated space)
Module 1
Isolation Through Virtualization (e.g., VMware)
The Goal is to Maintain Integrity of the Investigation
(Figure: investigation environment. The investigator uses tools to read the “evidence” data and generate analysis data, incremental reports, and reports for the evidence consumer; new tools enter through a testing/change process and are verified before use; unauthorized users and networks must be prevented from accessing or modifying the environment.)
VMware Will Serve as Our Investigation Environment
VMware Device Specifics
• Can save and revert to snapshots of system state
• Virtual hardware is very stable
• Provides a variety of virtual hardware
– USB 1.1 and 2.0
– Floppy
• Can use ISO image on host OS as floppy
– NIC (Ethernet)
– Audio Adapter
– Serial port
– Parallel port
– Generic SCSI device
– HDD (IDE or SCSI)
• Stored as a binary file on the host OS
• Can add or remove HDD very easily
– CD and DVD drives (IDE or SCSI)
• Can use ISO image on host OS as CD or DVD
– Memory (RAM) – limited by physical RAM
Important Information About Our Analysis Virtual Machine
• We will use a Fedora Core VM for our analysis
• User = “root”
• Password = “letmein”
• Do not modify the analysis VM unless specified in lab instructions
Module 2
Analysis and Relevant Tools
Analysis of Volumes
• Generally the first step in media analysis
– Should occur after preservation of evidence
– Media imaging or cloning are the generally accepted methods of preserving evidence
• Account for all storage space
• Create a partition map and understand the resulting volumes
– Requires careful accounting for each sector
• Guide analysis of other constructs, including higher-layer abstractions
– File systems
– Databases
– Other logical containers, etc.
The Sleuth Kit Tools (learn through hands-on labs)
• File system layer (partitions, file systems)
– fsstat – first used in lab 3 to determine block size
• File name layer (file name structures)
– ffind
– fls
• Meta-data layer (inodes, directory entries, file attributes)
– icat
– ifind
– ils
– istat
• Data unit layer (disk blocks)
– dcat – first used in lab 3 to extract disk blocks
– dls – first used in lab 2 to copy unallocated space and slack space
– dstat
– dcalc – first used in lab 3 to compute absolute block to recover
Module 3
High Level Format (File Systems)
Our Approach to Understanding HDD DF
• We will begin at the physical layer and work toward increasing abstraction using a data-driven approach
(Figure: layers from specific to abstract, with understanding and evidence increasing upward: Physical Media; Volume 1 … Volume n; File System; File; ?. A “You Are Here” marker shows the current position in the sequence.)
HDD Structure (just prior to adding file system)
• Blank media
• Low-level format
• Partition
(Figure: blank media as sectors (512+ B) with redundant sectors; after partitioning: MBR containing MBC and MPT, VBR1 containing VBC1 and DPB1, VBR2 containing VBC2 and DPB2)
MBR = master boot record
MBC = master boot code
MPT = master partition table
VBR = volume boot record
VBC = volume boot code
DPB = disk parameter block
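Accounting for every sector, as the Analysis of Volumes slide requires, starts with the MPT inside the MBR just described. The following Python is an added example and not part of the original slides: it parses the four MPT entries of a constructed MBR and builds a partition map that also lists the unallocated gaps before, between and after the partitions (the inter-partition gap and unused sectors of the partitioning figure). The constant names, helper functions and sample MBR are my own construction.

```python
import struct

SECTOR = 512
MPT_OFFSET = 446          # the master partition table starts at byte 446 of the MBR
ENTRY = "<B3xB3xII"       # boot flag, CHS start, type, CHS end, LBA start, sector count

def parse_mpt(mbr):
    """Return (type, start_lba, sector_count) for each non-empty MPT entry, sorted by start."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a valid 0x55AA signature")
    parts = []
    for i in range(4):
        _boot, ptype, start, count = struct.unpack_from(ENTRY, mbr, MPT_OFFSET + 16 * i)
        if ptype and count:
            parts.append((ptype, start, count))
    return sorted(parts, key=lambda p: p[1])

def sector_map(mbr, total_sectors):
    """Account for every sector: the MBR, each partition, and the unallocated
    gaps between and after partitions that an investigator must still examine."""
    regions = [("MBR", 0, 1)]
    cursor = 1
    for ptype, start, count in parse_mpt(mbr):
        if start < cursor:
            raise ValueError("overlapping partition at LBA %d" % start)
        if start > cursor:
            regions.append(("unallocated", cursor, start - cursor))
        regions.append(("partition type 0x%02x" % ptype, start, count))
        cursor = start + count
    if cursor > total_sectors:
        raise ValueError("partition table runs past the end of the media")
    if cursor < total_sectors:
        regions.append(("unallocated", cursor, total_sectors - cursor))
    assert sum(r[2] for r in regions) == total_sectors   # nothing left unaccounted for
    return regions

def build_mbr(entries):
    """Construct a test MBR (not captured from a real disk) from (type, start, count) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY, mbr, MPT_OFFSET + 16 * i, 0x80 if i == 0 else 0, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

# Constructed sample: a 4 MiB disk (8192 sectors) with a Linux (0x83) and an NTFS (0x07)
# partition, leaving a gap before the first, between the two, and after the last.
SAMPLE_MBR = build_mbr([(0x83, 63, 2048), (0x07, 4096, 2048)])
SAMPLE_TOTAL = 8192
```

Calling sector_map(SAMPLE_MBR, SAMPLE_TOTAL) yields the map in LBA order; each "unallocated" region is space that a volume-by-volume analysis would otherwise never touch.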
High-Level Format (Creating Disk Blocks)
Clusters, Blocks, Fragments, etc. (different names for the same thing)
• High-level format creates the file system
• Sectors are too small for most HDDs (address space is too large)
• Sectors are grouped into groups of N to form clusters, N is a positive integer
– This becomes the indivisible data size for the installed operating system
(Figure: MBR (MBC, MPT) followed by sectors grouped into blocks)
High-Level Format (Creating File Systems)
• MPT now contains file system type and cluster size
– Cluster (fragment, segment) sizes are multiples of 512 octets (one sector)
– This becomes the indivisible file size for the operating system
• A file system structure is created
– FAT creates a file allocation table (simple table)
– NTFS creates a master file table (database)
– Linux EXT2/3 creates a virtual file system
– Each file system behaves differently
(Figure: Master Boot Record (MBR) with MBC and MPT, followed by file system structures and clusters, blocks, fragments, etc. (different names for the same thing) divided into allocated/unallocated space)
What is Slack Space? (space between end of file and end of cluster)
• Consider a file containing 4628 octets
– 4628 = (1024 x 4) + 532
• 4 full clusters and part of a fifth cluster
• There will be (5 x 1024) – 4628 = 492 unused octets
• This unused space is called “slack space”
(Figure: sector = 512 octets; cluster = 2 x 512 octets; a file of length 4628 octets fills four clusters and part of a fifth, with slack space at the end of the fifth)
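The slack arithmetic above, as an added example that is not from the slides, generalized to any sector size and sectors-per-cluster and extended to pull the slack bytes out of the last cluster, the region a block-level copy such as dls preserves and a normal file copy ignores. The sample clusters are constructed; they still hold a previous file's bytes so the recovered slack is visible.

```python
def cluster_layout(file_len, sector_size=512, sectors_per_cluster=2):
    """Return (clusters_used, slack_octets) for a file of file_len octets: the file
    occupies ceil(file_len / cluster) clusters and the remainder of the last
    cluster is slack. Defaults match the slide (512-octet sectors, 2 per cluster)."""
    cluster = sector_size * sectors_per_cluster
    clusters_used = (file_len + cluster - 1) // cluster
    slack = clusters_used * cluster - file_len
    return clusters_used, slack

def extract_slack(cluster_data, file_len, sector_size=512, sectors_per_cluster=2):
    """Given the raw bytes of every cluster allocated to a file, return the slack
    bytes: everything after end-of-file inside the last cluster."""
    clusters_used, slack = cluster_layout(file_len, sector_size, sectors_per_cluster)
    cluster = sector_size * sectors_per_cluster
    if len(cluster_data) != clusters_used * cluster:
        raise ValueError("expected %d clusters (%d octets) of data"
                         % (clusters_used, clusters_used * cluster))
    return cluster_data[file_len:file_len + slack]

# Constructed sample: a 4628-octet file written over clusters that previously held
# a larger file, so the tail of the fifth cluster still carries the old contents.
CLUSTER = 1024
OLD_CONTENT = b"P" * (5 * CLUSTER)          # bytes that occupied the clusters before
NEW_FILE = b"N" * 4628                        # the file the slide reasons about
SAMPLE_CLUSTERS = NEW_FILE + OLD_CONTENT[len(NEW_FILE):]
```

cluster_layout(4628) returns (5, 492), and extract_slack(SAMPLE_CLUSTERS, 4628) returns the 492 leftover bytes of the earlier file.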
Why is Slack Space Important?
(Figure: four strips of disk space: unallocated space (new drive); allocated space; unallocated space (after file deletion); allocated space (reallocated, new file) with its slack space marked. Caption: Why isn’t this also slack space?)
(Figure: life cycle of a drive. Blank media: individual 512-octet sectors plus sector overhead and redundant sectors (only visible to the HDD controller). Low-level format. Partitioning: Master Boot Record (MBR: MBC, MPT), Partition #1 with its Volume Boot Record (VBR: VBC, DPB), inter-partition gap, Partition #2 (VBC, DPB), unused sectors. High-level format: MBR, file system structures, clusters, free space. OS install: MBR, file system structures, OS code/data, page file, free space.)
What is the Role of a File System?
• Provides data storage and retrieval
• Associates names with data files
• Organizes files into parent directories
• Stores file attributes
– Modify, Access, Creation (MAC) times
– Disk blocks used for file storage
– Others depending on specific file system
• Maintains lists of unallocated disk blocks
What Do Most File Systems Have in Common?
• Unique file (or directory) identifiers
– inodes (Linux terminology; Windows terminology unknown)
• Data structure that associates file names and inodes
• Indivisible storage units formed of disk clusters
– e.g., blocks, clusters, fragments, etc.
• Pointers to blocks where file is stored
• File attributes, e.g., times, parent directories, deleted flag, ownership, permissions, etc.
• Unallocated block list
File Systems Have Significant Structural and Functional Differences
• Journaling
• Meta-data storage
• Variable length allocation units
• Fragments
• Distributed file system data structures
• inode allocation algorithms
• Search efficient data structures
– trees
• …
What File System Attributes/Behaviors are of Interest to a DF Investigator?
• File deletion
• File growth
• File shrinkage
• File replacement
• Resource reuse
– directory blocks, inodes, blocks, etc.
• Time stamp behavior
• What else?
NTFS File System
• NTFS uses a master file table (MFT)
– More of a database than a table
– Each entry is referenced by a unique number
– Stores file/directory attributes
• $Data is just one attribute and multiple $Data attributes are allowed
• MAC times
– Stores up to 1500 octets of data directly
– Larger files are stored indirectly
– IN_USE flag is cleared when a file is deleted
• All attributes are maintained until MFT entry is reused
• Indirect storage may persist even after entry is reused
Ext2 File System
• Linux uses data structures called inodes to represent a file or directory
– Each inode has a unique number
– Contains a description of the file
• Size, MAC times, file type, access rights, owners, etc.
– Contains pointers to blocks where data is stored
– File names are stored in a separate data structure
• Referenced by inode number
• Allows multiple names for the same file
– Character and block are special file types that do not store data
• Point to a device driver
– Larger files are stored through up to three levels of indirection
– “deleted” flag is set when a file is deleted
Example of Indirection
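An added example, not the slide's own figure: a resolver that walks an ext2 inode's 15 block pointers through the direct, single-indirect and double-indirect levels (the triple-indirect level is covered by the same recursion) over a constructed in-memory image. The 1 KiB block size, the block numbering and the build_image helper are assumptions made for the demo; only the 4-byte block pointer and the 12 + 3 pointer layout come from ext2.

```python
import struct

BLOCK = 1024                  # assumed ext2 block size for the constructed image
PTRS = BLOCK // 4             # 4-byte block pointers per indirect block (256)

def resolve_blocks(i_block, read_block, nblocks):
    """Walk an inode's 15 block pointers (12 direct, then single, double and
    triple indirect) and return the file's first nblocks data block numbers in
    file order. read_block(n) returns block n's bytes; a zero pointer is a hole."""
    out = []
    def walk(ptr, level):
        if len(out) >= nblocks:
            return
        if level == 0:                        # a data block (0 = hole)
            out.append(ptr)
        elif ptr == 0:                        # missing indirect block: its whole range is holes
            out.extend([0] * min(PTRS ** level, nblocks - len(out)))
        else:
            for child in struct.unpack("<%dI" % PTRS, read_block(ptr)):
                walk(child, level - 1)
    for ptr in i_block[:12]:
        walk(ptr, 0)
    for level, ptr in enumerate(i_block[12:15], start=1):
        walk(ptr, level)
    return out[:nblocks]

def build_image(nblocks):
    """Construct a toy image (block number -> bytes) for a file of nblocks data
    blocks numbered from 1000; indirect blocks are allocated from 5000 upward."""
    img, next_ind = {}, [5000]
    def alloc(ptrs):                          # write one indirect block holding ptrs
        n = next_ind[0]; next_ind[0] += 1
        img[n] = struct.pack("<%dI" % PTRS, *(ptrs + [0] * (PTRS - len(ptrs))))
        return n
    data = list(range(1000, 1000 + nblocks))
    i_block, rest = data[:12] + [0, 0, 0], data[12:]
    if rest:                                  # single indirect: the next 256 blocks
        i_block[12], rest = alloc(rest[:PTRS]), rest[PTRS:]
    if rest:                                  # double indirect: pointers to single-indirect blocks
        groups = [rest[i:i + PTRS] for i in range(0, min(len(rest), PTRS * PTRS), PTRS)]
        i_block[13], rest = alloc([alloc(g) for g in groups]), rest[PTRS * PTRS:]
    if rest:
        raise ValueError("this constructed image does not build triple indirection")
    return i_block, img

# 300 blocks: 12 direct + 256 via single indirection + 32 via double indirection
SAMPLE_I_BLOCK, SAMPLE_IMAGE = build_image(300)
```

resolve_blocks(SAMPLE_I_BLOCK, SAMPLE_IMAGE.__getitem__, 300) returns blocks 1000 through 1299 in order, which is exactly the list a tool like icat must follow to reassemble a large file.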
Module 4
Digital Forensic Tools
Disk Imaging and Cloning
• Disk imaging and cloning are standard and necessary steps to preserve evidence
• We will use dd to perform our cloning and imaging
• Cloning
– Disk/Volume to disk
• Imaging
– Disk/Volume to file
Hash Functions
• Used to verify integrity
• Common hash functions
– MD5, SHA-1, SHA-256
– dccidd – will compute MD5, SHA-1, and SHA-256 concurrent with imaging operation
(Figure: file → hash function → hash)
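An added Python sketch, not dccidd and not from the slides, of what hashing concurrent with imaging means: the source is copied sector by sector into the image file while MD5, SHA-1 and SHA-256 are all updated from the same read, and the finished image is re-hashed to confirm it matches the source. The sample source file is constructed from random bytes; the function names are my own.

```python
import hashlib
import os
import tempfile

SECTOR = 512

def new_digests():
    """One fresh context per algorithm so a single read feeds all three."""
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}

def image_and_hash(src_path, img_path, sector=SECTOR):
    """Copy src_path to img_path one sector at a time, updating MD5, SHA-1 and
    SHA-256 in the same pass (what the slide describes dccidd doing), and
    return the hex digests of the data as it was read from the source."""
    digests = new_digests()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for chunk in iter(lambda: src.read(sector), b""):
            for d in digests.values():
                d.update(chunk)
            img.write(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def hash_file(path, sector=SECTOR):
    """Independent re-hash of a finished image, used to verify it against the source."""
    digests = new_digests()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(sector), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def image_and_verify(src_path, img_path):
    """Image, then re-hash the image; True only if all three digests agree."""
    return image_and_hash(src_path, img_path) == hash_file(img_path)

def make_sample_source(n_sectors=8):
    """Construct a throw-away 'device' file of random sectors for a dry run."""
    path = os.path.join(tempfile.mkdtemp(), "source.bin")
    with open(path, "wb") as f:
        f.write(os.urandom(n_sectors * SECTOR))
    return path

def flip_byte(path, offset):
    """Invert one byte in place, to show that verification detects alteration."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))
```

The digests returned by image_and_hash are the values to record in the case notes; any later re-hash of the image that disagrees with them, even by one byte as flip_byte shows, means the image can no longer be trusted.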
The Sleuth Kit
• Forensics analysis tools
– Written by Brian Carrier
– Based on The Coroner’s Tool Kit by Dan Farmer
• Based on a layered model of analysis
• Tested on multiple systems
– Linux, Mac OS X, CYGWIN, FreeBSD, OpenBSD, Solaris
• Supports NTFS, FAT, FFS, EXT2FS, and EXT3FS
• Autopsy is a web-based tool that uses The Sleuth Kit
(Figure: The Sleuth Kit layered model. File system layer (fsstat): MBR with MBC and MPT, file system structures. File name layer (ffind, fls): name, inode. Meta-data layer (icat, ifind, ils, istat): inode, attributes. Data unit layer (dcat, dls, dstat, dcalc): allocated space, unallocated space.)
Questions?
After all, you are an investigator