Digital Forensics – Getting Started with File Systems
GETTING STARTED WITH NEW TECHNOLOGY FILE SYSTEM (NTFS)
Evan Morgan, CISSP, CISM
@1evanski www.evanski.com
Overview
- Prepare your forensic environment
- Explain the basics of hard disks
- Provide an overview of tracks, sectors, clusters, and slack space
- Go over timestamps and how important they are
- Discuss metadata
- Explain journaling
- Highlight permission types in NTFS
- Go over the Master File Table
- Discuss the Change Journal
- Provide some methods to help hide things from a forensic investigator
Preparing Your Environment for Forensic Analysis
- There are lots of forensic tools available today
- Mixed bag on what they offer
- Some exceptional ones have a cost associated with them
- Some free ones are still exceptional
- Autopsy®, the tool for this course, is one of those exceptional, yet still free, ones
Photo from Autopsy® website: https://www.sleuthkit.org/picts/renzik_sm.jpg
Demo
We’ll be preparing your computer for forensic analysis during this demo, including:
- Finding our tool for this course (Autopsy®)
- Downloading and installing it
- Initial startup and configuration
Basics of Hard Disks
Hard Disk Basics
(Diagram of a hard disk, labelled: Platters, Head, Actuator Arm)
Types of “Hard” Disks
- Traditional (Platters)
- Solid State
- Virtual
Tracks, Sectors, Clusters, and Slack Space
Relation to Each Other
(Diagram, labelled: Platter, Track, Sector, Cluster)
Tracks, Sectors, and Clusters
(Diagram, labelled: Track (aka cylinder), Sector, Cluster)
Slack Space
(Diagram, labelled: File, Cluster, Slack Space – the unused remainder of the last cluster allocated to a file)
Demo
We’ll look at cluster contents from the native operating system
Timestamps
Timestamps are vitally important to forensic investigations
NTFS Timestamp Types
- Created
- Accessed
- Modified
- Changed
Demo
We’ll take a look at timestamps in more detail, including looking at the Timeline feature within Autopsy®
Metadata
Metadata: data about data
Common Types of Metadata
- Name
- Type
- Size
- Timestamps
- Owner
- Hash Value
Demo
We’ll take a look at some file metadata natively within the operating system, followed by viewing metadata from within Autopsy®
Journaling
Journaling
(Diagram, labelled: User’s File → Delete is written to Journal → Delete is processed)
Permissions
Common NTFS Permissions
- Read
- Write
- Read & Execute
- Modify
- Full Control
Demo
We’ll take a look at some file permissions natively within the operating system, followed by viewing permissions from within Autopsy®
Master File Table
- Master File Table != Master Boot Record
- Exists on NTFS file systems
- Like a manifest / map of the file system
Alternate Data Streams
(Diagram: the User’s File, opened with a text editor, shows “Hello, world!”; its Alternate Data Stream holds “Secret plans to take over the organization! Mwahaha!”)
Demo
We’ll take a look at the Master File Table and some of its aspects
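The four timestamp types listed under Timestamps are stored twice in each file’s MFT record, in the $STANDARD_INFORMATION and $FILE_NAME attributes. The following Python is an added example, not part of this course or of Autopsy®: it decodes both copies from constructed attribute bodies (not taken from a real image) and applies two examiner heuristics for a $STANDARD_INFORMATION set that has been rewritten; the heuristics are indicators to follow up on, not proof.

```python
"""Decode the four NTFS timestamps (created, modified, MFT-changed, accessed)
from the $STANDARD_INFORMATION and $FILE_NAME attributes of an MFT record
and flag inconsistencies between the two copies."""
import struct
from datetime import datetime, timedelta, timezone

# NTFS stores every timestamp as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Order of the four 8-byte timestamps at the start of $STANDARD_INFORMATION;
# $FILE_NAME holds the same four after its 8-byte parent directory reference.
FIELDS = ("created", "modified", "mft_changed", "accessed")

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    td = dt - FILETIME_EPOCH  # integer maths: floats would lose 100-ns precision
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10 + extra_ticks

def parse_timestamps(attr_body: bytes, offset: int = 0) -> dict:
    """Return the four raw FILETIME values found at `offset` in an attribute body."""
    return dict(zip(FIELDS, struct.unpack_from("<4Q", attr_body, offset)))

def timestomp_indicators(si: dict, fn: dict) -> list:
    """Examiner heuristics: $STANDARD_INFORMATION can be rewritten through
    user-mode APIs, while $FILE_NAME is normally only updated by the kernel."""
    flags = []
    if si["created"] < fn["created"]:
        flags.append("SI created precedes FN created")
    if all(t % 10_000_000 == 0 for t in si.values()):
        flags.append("every SI timestamp has a zero sub-second component")
    return flags

def analyze(si_body: bytes, fn_body: bytes) -> dict:
    si, fn = parse_timestamps(si_body), parse_timestamps(fn_body, offset=8)
    def fmt(ts): return {k: filetime_to_datetime(v).isoformat() for k, v in ts.items()}
    return {"standard_information": fmt(si), "file_name": fmt(fn),
            "indicators": timestomp_indicators(si, fn)}

# Constructed sample attribute bodies (not from a real image): $FILE_NAME says the
# file was created 2023-05-01, while $STANDARD_INFORMATION was backdated to 2010.
_BACKDATED = datetime_to_filetime(datetime(2010, 1, 1, tzinfo=timezone.utc))
_REAL = datetime_to_filetime(datetime(2023, 5, 1, 12, 0, 0, tzinfo=timezone.utc), 7654321)
SI_BODY = struct.pack("<4QI", _BACKDATED, _BACKDATED, _BACKDATED, _BACKDATED, 0x20)
FN_BODY = struct.pack("<Q4Q", 0x0005000000000005, _REAL, _REAL, _REAL, _REAL)

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SI_BODY, FN_BODY), indent=2))
```

The block takes attribute bodies already cut out of a record; locating them in a raw MFT record (including applying the update sequence fixups) is what Autopsy® does for you in the demo.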
Change Journal
Comparison
  Journaling                                   | Change Journaling
  -------------------------------------------- | -----------------------------------------------------
  Previously covered                           | What we’re covering now
  Conceptually similar in nature               | Conceptually similar in nature
  Records metadata changes to the volume       | Records changes to files, streams, directories, etc.
  Leverages $LogFile for changes               | Leverages $Extend\$UsnJrnl for changes
  Used mainly by the file system to prevent    | Used mainly by applications to track changes to
  data corruption                              | the volume
Demo
We’ll take a look at the Change Journal and some of its aspects
Anti-forensic Methods
Common Anti-forensic Method Types
- Hide the evidence
- Destroy the evidence
Common Hiding Methods
- Encrypt
- Steganography
- Obfuscation
Summary
- Prepared your forensic environment
- Explained the basics of hard disks
- Provided an overview of tracks, sectors, clusters, and slack space
- Went over timestamps and how important they are
- Discussed metadata
- Explained journaling
- Highlighted permission types in NTFS
- Went over the Master File Table
- Discussed the Change Journal
- Provided some methods to help hide things from a forensic investigator
What’s next?
Working with Extended File System (EXT)
- What is it?
- What makes it similar to other file systems?
- What makes it different from other file systems?