Cyber Forensics Unit - II

The document provides an overview of cyber forensics, focusing on disk drives, their components, and file systems. It discusses various types of disk drives, the structure of hard disks, and the implications of file systems like FAT and NTFS for data recovery and management. Additionally, it highlights the importance of understanding these systems for effective data security and forensic analysis.

Uploaded by PINTU CHAUHAN

CS550203: Cyber Forensics

(Unit 2)
Introduction
● In a networked world, organizations must manage systems, networks, and the
applications running on them so that data and resources can be shared
effectively
● No operating system can guarantee 100% security for the resources and data
it holds; every design has shortcomings
● If an attacker exploits those shortcomings well, the result can be the end of
the organization's business
● Worse, end users are usually unaware that the vulnerabilities exist
Disk Drive Overview - I
● There are two types of disk drives:
○ Fixed (internal) storage drives
○ External or removable storage drives
● Some removable storage drives are:
○ Floppy disks
○ Compact Discs (CD)
○ Digital Versatile Discs (DVD)
○ ZIP disks
○ r/m Drives
Disk Drive Overview - II
● The hard disk drive is the usual example of a permanent (non-volatile) storage
device
● Data is recorded magnetically onto the platter surfaces
● The main components of a hard disk are:
○ Platters (the disks that carry the magnetic coating)
○ Heads (one read/write head per platter surface)
○ Cylinders (the set of tracks at the same radius on every platter surface)
● Each track is divided into sectors; data is stored in the sectors along the
tracks
Hard Disk
Disk Drive Overview - III
● Data is recorded onto the hard disk using zoned bit recording
● Zoned Bit Recording (ZBR):
○ Tracks are grouped into zones by their distance from the spindle. Outer
tracks are physically longer, so tracks in outer zones hold more sectors
than tracks in inner zones; this keeps the bit density roughly constant
across the platter instead of wasting the capacity of the outer tracks
● The density of data on a disk drive is described by three measures:
○ Track density: how closely tracks are packed, i.e. tracks per inch across
the platter (the inverse of the spacing between tracks)
○ Bit density (linear density): bits per unit length along a track
○ Areal density: bits per square inch of platter surface, which is the
product of track density and bit density


Hard Disk
● A hard disk is a sealed unit
containing a number of
platters in a stack. Hard
disks may be mounted in a
horizontal or a vertical
position
● Electromagnetic read/write
heads are positioned above
and below each platter
● As the platters spin, the actuator
moves the heads in toward the
center and out toward the edge so
that they can reach every track
Disk Platter
● Platters were traditionally made of
an aluminum alloy
● Modern platters are made of glass
or ceramic
● A magnetic coating is applied to
the surfaces where the data resides
● The coating is an iron oxide
compound or a cobalt alloy
Disk Platter

● Data is written on both sides of a hard disk platter
● The two sides are numbered side 0 and side 1
Tracks
● A circular ring on one side of a platter is known as a track
● With the head in one position, the drive can access exactly one track
● Tracks are numbered for identification
● Data exists in thin concentric bands on a hard disk
● A 3.5-inch hard disk has more than a thousand tracks per surface
Tracks Numbering
● Track numbering begins at 0 on the outer edge and increases toward the
center. In legacy CHS (cylinder/head/sector) addressing the cylinder number
is a 10-bit field, so it reaches a maximum of 1023
● A cylinder is the set of tracks with the same track number on every platter
surface; it is everything the heads can reach without moving the actuator
Sector
● Smallest physical storage unit on the disk
● Traditionally 512 bytes in size (recent "Advanced Format" drives use
4096-byte physical sectors, usually still exposing 512-byte logical sectors)
● Factory track-positioning data (the servo information written by the
manufacturer) determines the labeling of disk sectors
● A file's data is stored in whole sectors, allocated as a contiguous series
where possible
● For example, a 600-byte file occupies two 512-byte sectors (1024 bytes); the
unused tail of the second sector is not available to any other file
Sector Addressing
● Cylinder, head, and sector numbers (CHS) together give the address of an
individual sector on the disk; modern drives expose a linear sector number
instead (logical block addressing, LBA), which the firmware maps onto the
physical geometry
● For example, a formatted disk with 50 tracks, each divided into 10 sectors,
has 500 addressable sectors
● The operating system and the disk drive use track and sector numbers to
locate the stored information
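The CHS and LBA arithmetic described above, as an added example that is not part of the original slides. The geometry values (16 heads, 63 sectors per track) are illustrative assumptions, and the second call reproduces the 50-track, 10-sector disk from the text; the 10/8/6-bit field widths are those of the legacy BIOS INT 13h interface, which is where the "typically 1023" cylinder limit comes from.

```python
# Added example (not from the original slides): converting between CHS and
# LBA sector addresses for a given disk geometry. The geometry values below are
# illustrative assumptions, not figures from a real drive.
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    heads: int               # read/write heads, i.e. platter surfaces
    sectors_per_track: int   # sectors on each track; CHS numbers them from 1


def chs_to_lba(geom: Geometry, cylinder: int, head: int, sector: int) -> int:
    """Linear sector number of the (cylinder, head, sector) triple.

    CHS sector numbers start at 1, LBA numbers start at 0. Sectors are laid
    out cylinder by cylinder and, within a cylinder, head by head, so the
    address is a mixed-radix number."""
    if not 0 <= head < geom.heads:
        raise ValueError(f"head {head} out of range")
    if not 1 <= sector <= geom.sectors_per_track:
        raise ValueError(f"sector {sector} out of range")
    return (cylinder * geom.heads + head) * geom.sectors_per_track + (sector - 1)


def lba_to_chs(geom: Geometry, lba: int) -> tuple:
    """Inverse of chs_to_lba: split the linear number back into its digits."""
    sector = lba % geom.sectors_per_track + 1
    track = lba // geom.sectors_per_track
    return track // geom.heads, track % geom.heads, sector


# Field widths of the legacy BIOS INT 13h interface: 10-bit cylinder (0..1023),
# 8-bit head (0..255), 6-bit sector (1..63).
CHS_MAX_CYLINDER, CHS_MAX_HEAD, CHS_MAX_SECTOR = 1023, 255, 63


def chs_addressable_bytes(geom: Geometry, sector_size: int = 512) -> int:
    """Largest disk reachable through legacy CHS calls with this geometry."""
    cylinders = CHS_MAX_CYLINDER + 1
    heads = min(geom.heads, CHS_MAX_HEAD + 1)
    spt = min(geom.sectors_per_track, CHS_MAX_SECTOR)
    return cylinders * heads * spt * sector_size


if __name__ == "__main__":
    g = Geometry(heads=16, sectors_per_track=63)
    lba = chs_to_lba(g, 3, 2, 5)
    print(lba, lba_to_chs(g, lba))
    # The slide's 50-track, 10-sector example: its last sector is LBA 499.
    print(chs_to_lba(Geometry(1, 10), 49, 0, 10))
    print(chs_addressable_bytes(g) // 2**20, "MiB reachable via CHS")
```

With 16 heads and 63 sectors per track the CHS limit works out to 504 MiB, the well-known barrier of early BIOSes; with 255 heads it is about 7.8 GiB, which is why drives beyond that size can only be addressed fully through LBA.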
Cluster
● Smallest allocation unit of a file system on a hard disk
● The formatting scheme (file system type and volume size) determines how many
sectors make up a cluster, normally a power of two from 1 up to 64 or more
● The minimum cluster size is one sector (1 sector per cluster)
● An allocation unit can be made of two or more sectors (e.g. 2 sectors per
cluster, or 8 sectors per cluster for a 4 KB cluster on 512-byte sectors)
● Any read or write operation consumes at least one cluster
● The unused space in the last cluster of a file, beyond the end of its data,
is wasted; this is the file's slack space
Cluster Size
● For optimum disk storage the cluster size can be chosen when the volume is
formatted
● A larger cluster size (more than one sector) has the following effects:
○ Fragmentation is reduced, because each allocation covers more data
○ The allocation table is smaller, because fewer clusters must be tracked
○ The probability and amount of unused space (slack) in the last cluster of
each file increases, which reduces the disk area available for storing
information
● A smaller cluster size reverses these trade-offs: less slack, but more
fragmentation and a larger allocation table
Slack Space
Hello World - - - - - - - - - - - - - - - - - - - - - - - - - - - -

File Contents          Slack space

● Slack space is the unused space in a cluster after the file's data has been
written to that cluster
● DOS and Windows file systems allocate fixed-size clusters
● If the stored data is smaller than the cluster, the unused area remains
reserved for that file; this is the slack space
● DOS and the FAT16 (File Allocation Table) file system on Windows use very
large clusters on large volumes, because FAT16 can track fewer than 65,536
clusters
● For example, on a FAT16 volume formatted with 32 KB clusters, a file that
needs only 10 KB is still allocated the entire 32 KB cluster, leaving 22 KB of
slack. Slack space matters forensically because it may still contain fragments
of whatever file previously occupied the cluster
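The allocation arithmetic from the Cluster, Cluster Size and Slack Space slides, as an added example that is not part of the original slides. It computes clusters and slack for a file, totals the slack a set of files would waste under different cluster sizes (the trade-off described under Cluster Size), and then shows why slack is forensically interesting: the cluster, the file sizes and the "old report" bytes are all constructed for the demonstration.

```python
# Added example (not from the original slides): how allocation in whole clusters
# creates slack, how much slack a given cluster size costs for a set of files,
# and why the slack of a newly written file can still hold a previous file's
# bytes. File sizes and file contents are constructed for illustration.
import math


def clusters_needed(file_size: int, cluster_size: int) -> int:
    """Whole clusters an allocation-unit file system reserves for a file."""
    if file_size == 0:
        return 0  # FAT and NTFS keep no data clusters for an empty file
    return math.ceil(file_size / cluster_size)


def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Unused bytes in the file's last cluster: allocated space minus data."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def slack_report(file_sizes, cluster_sizes) -> dict:
    """Total slack the same set of files would waste under each cluster size."""
    return {cs: sum(slack_bytes(f, cs) for f in file_sizes) for cs in cluster_sizes}


class Cluster:
    """One cluster of the data area. Writing a file into it overwrites only the
    bytes the file needs; whatever was there before survives in the slack."""

    def __init__(self, size: int):
        self.size = size
        self.raw = bytearray(size)

    def write_file(self, data: bytes) -> None:
        if len(data) > self.size:
            raise ValueError("data does not fit in one cluster")
        self.raw[: len(data)] = data          # the tail of the cluster is untouched

    def file_slack(self, file_size: int)-> bytes:
        """Bytes after the logical end of the file up to the cluster boundary,
        which is what a forensic tool carves out as file slack."""
        return bytes(self.raw[file_size:])


def slack_remnant_demo() -> bytes:
    """Write a confidential file, 'delete' it (nothing is wiped), then store a
    small new file in the same cluster and look at the new file's slack."""
    cluster = Cluster(4096)
    old_secret = b"DELETED REPORT: wire 40000 USD to ACC-2291 " * 40   # constructed
    cluster.write_file(old_secret)
    new_file = b"Hello World"
    cluster.write_file(new_file)
    return cluster.file_slack(len(new_file))


if __name__ == "__main__":
    print(slack_bytes(10 * 1024, 32 * 1024))   # the 22 KB from the slide
    print(slack_report([600, 10 * 1024, 100_000], [512, 4096, 32768]))
    print(slack_remnant_demo()[:60])
```

For the three constructed files the report shows 776 bytes of slack at 512-byte clusters against 85,768 bytes at 32 KB clusters, which is the space cost of large clusters in concrete terms; the remnant demo returns 4,085 bytes of slack that still contain the "deleted" report.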
Lost Clusters
● A lost cluster is one that the operating system has marked as in use but that
is not allocated to any file (for example, after a crash during a write)
● Lost clusters can be reclaimed, either by saving their contents to a file or
by freeing them, which makes the disk space available again
● The ScanDisk utility (chkdsk on Windows NT-based systems) can identify lost
clusters in DOS and Windows
Bad Sector
● A damaged portion of a disk on which no read/write operation can be
performed
● Formatting a disk lets the operating system identify unusable sectors and
mark them as bad so that no data is placed there
● Specialist software (or, forensically, repeated reads and imaging with error
skipping) is used to recover the data on a bad sector
Understanding File Systems
● A file system is the set of data structures and rules used to store,
hierarchically categorize, manage, navigate, access and recover data
● A file system can reside on storage devices such as hard disks, CD-ROMs or
floppy disks
● Files can be accessed through a command line or a graphical user interface
● File systems are arranged into tree-structured directories, and access to
directories requires authorization
List of Disk File Systems
❖ ADFS – Acorn filing system, successor to DFS.
❖ BFS – the Be File System used on BeOS
❖ EFS – Encrypting File System, a file-encryption feature layered on NTFS
❖ EFS (IRIX) – an older block filing system under IRIX.
❖ Ext – Extended filesystem, designed for Linux systems
❖ Ext2 – Extended filesystem 2, designed for Linux systems
❖ Ext3 – Extended filesystem 3, designed for Linux systems,
(ext2+journalling)
❖ FAT – Used on DOS and Microsoft Windows, 12 and 16 bit table depths
❖ FAT32 – FAT with 32 bit table depth
❖ FFS (Amiga) – Fast File System, used on Amiga systems. Nice for
floppies, but fairly useless on hard drives.
❖ FFS – Fast File System, used on *BSD systems
❖ Files-11 – OpenVMS filesystem
❖ HFS – Hierarchical File System, used on older Mac OS systems
List of Disk File Systems
❖ HFS Plus – Updated version of HFS used on newer Mac OS systems
❖ HFSX – Updated version of HFS Plus to remove some backward
compatibility limitations.
❖ HPFS – High Performance Filesystem, used on OS/2
❖ ISO 9660 – Used on CD-ROM and DVD-ROM discs (Rock Ridge and
Joliet are extensions to this)
❖ JFS – IBM Journaling Filesystem, provided in Linux, OS/2, and AIX
❖ kfs
❖ LFS – Log-structured filesystem
❖ MFS – Macintosh File System, used on early Mac OS systems
❖ Minix file system – Used on Minix systems
❖ NTFS – Used on Windows NT based systems
❖ OFS – Old File System, on Amiga.
List of Network File Systems
❖ AFS (Andrew File System)
❖ AppleShare
❖ CIFS (Microsoft's documented version of SMB)
❖ Coda
❖ GFS
❖ InterMezzo
❖ Lustre
❖ NFS
❖ OpenAFS
❖ SMB (Server Message Block; Samba is the open-source implementation, so it is sometimes called the Samba file system)
Special Purpose File Systems
❖ acme (Plan 9) (text windows)
❖ archfs (archive)
❖ cdfs (reading and writing of CDs)
❖ cfs (caching)
❖ Davfs2 (WebDAV)
❖ DEVFS
❖ ftpfs (ftp access)
❖ lnfs (long names)
❖ LUFS ( replace ftpfs, ftp ssh ... access)
❖ nntpfs (netnews)
❖ plumber (Plan 9) (interprocess communication – pipes)
❖ PROCFS
❖ ROMFS
❖ TMPFS
❖ wikifs (wiki wiki)
Windows File Systems
● FAT (File Allocation Table)
○ 12- and 16-bit file system developed for MS-DOS
○ Used in consumer versions of Microsoft Windows up to Windows Me
○ Considered relatively uncomplicated, so it became the popular format for
floppy disks, USB devices, digital cameras and flash disks
● FAT32
○ Version of FAT with 32-bit table entries; removes the 2 GB volume limit of
FAT16 (volumes up to 2 TB, individual files up to 4 GB)
● NTFS (New Technology File System)
○ NTFS has three on-disk versions
■ v1.2 (v4.0) found in NT 3.51 and NT 4
■ v3.0 (v5.0) found in Windows 2000
■ v3.1 (v5.1) found in Windows XP and Windows Server 2003, and used by all
later versions of Windows
○ Newer versions added features such as disk quotas, introduced with Windows
2000. In NTFS everything about a file, including its name, creation date,
access permissions and even its contents, is stored as attributes in the
Master File Table
Mac OS X File Systems
● HFS (Hierarchical File System)
○ Developed by Apple Computer to support the Mac operating system
○ Traditionally used on floppy and hard disks, later also on CD-ROMs
● UFS (UNIX File System)
○ Derived from the Berkeley Fast File System (FFS), which was itself a
redesign of the original UNIX file system developed at Bell Laboratories
○ All BSD UNIX derivatives, including FreeBSD, NetBSD, OpenBSD, NeXTStep and
Solaris, use a variant of UFS
○ Was offered as an alternative to HFS+ in Mac OS X
File Systems Comparison
Boot Sector
● The boot sector is the first sector (512 bytes) of a FAT volume; it holds
the BIOS parameter block describing the volume's geometry and layout, plus
the bootstrap code
● The equivalent structure on Unix-like file systems is called the superblock
Exploring Microsoft File Structures
● File systems:
○ File Allocation Table (FAT)
○ New Technology File System (NTFS)
○ High Performance File System (HPFS)
● Windows supports two file systems on CD-ROM and Digital Versatile Disk
(DVD):
○ Compact Disc File System (CDFS)
○ Universal Disk Format (UDF)
● A file system is chosen according to the storage needs of the organization
and the operating system in use
Exploring Microsoft File Structures
FAT vs. NTFS:
● What it is
○ FAT: a file system organized around the File Allocation Table, which
tracks the cluster chain of every file on the volume
○ NTFS: the newer file system developed for Windows NT
● Versions
○ FAT: FAT12, FAT16 and FAT32
○ NTFS: on-disk versions 1.2, 3.0 and 3.1
● Operating system support
○ FAT: supported by all versions of Windows
○ NTFS: supported by Windows NT-based systems (Windows NT, 2000 and later)
● Long file names
○ FAT: not supported by the original 8.3 format (added later by the VFAT
extension)
○ NTFS: supported
● Very large storage media
○ FAT: not supported
○ NTFS: supported
● File system recovery (journaling)
○ FAT: not supported
○ NTFS: supported through the $LogFile journal

Exploring Microsoft File Structures
● A cluster is the smallest amount of space the operating system allocates to
hold a file
● Smaller clusters use space more efficiently, because less of each file's last
cluster is wasted as slack
● There is no single cluster size; the default depends on the file system and
the volume size, and can be overridden when formatting
● The cluster number assigned by the operating system is a logical address
(a logical cluster number)
● Physical addresses are the sector addresses that exist at the firmware or
hardware level; the file system driver translates between the two
Disk Partition Concerns
● A hard disk drive is partitioned for effective storage management of data
● A partition is a logical part of the disk that holds data
● MBR partitions are divided into:
○ Primary partitions
○ Extended partitions
● A basic MBR disk can have up to four primary partitions, or three primary
partitions and one extended partition; the extended partition is a container
that can hold any number of logical drives
● Windows looks for the active primary partition to start the computer. This
active partition contains the boot files used to start an operating system
● The inter-partition gap is the unused space between the end of the primary
partition and the start of the first logical partition; unallocated space of
this kind can hide data and should be examined
Boot Partition Concerns
● The Master Boot Record (MBR), in the first sector of the disk, holds the
initial boot code and the partition table, which records where each
partition starts, how large it is and which one is active. Information about
individual files (location, size and so on) lives in each partition's own
file system structures, not in the MBR
● Every MBR-partitioned disk has a Master Boot Record that contains the
information about the partitions on the disk
● The user can choose the operating system at startup by using third-party
boot utilities (boot managers), which change the Master Boot Record
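The partition-table reading described in the two slides above, as an added example that is not part of the original slides. It builds a small MBR-partitioned image (one bootable NTFS primary partition plus an extended partition holding two logical drives; all sizes, offsets and type codes are constructed), reads the table back, walks the EBR chain inside the extended partition, and reports the unallocated ranges, including the inter-partition gap between the primary and the first logical partition.

```python
# Added example (not from the original slides): building a small MBR-partitioned
# disk image and reading its partition table back, including the EBR chain of an
# extended partition and the unallocated gaps between partitions. The image,
# partition sizes and type codes are constructed for illustration.
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS extended, Win95 extended (LBA), Linux extended


def partition_entry(bootable: bool, ptype: int, first_lba: int, sectors: int) -> bytes:
    """Pack one 16-byte table entry (CHS fields zeroed; tools rely on the LBA fields)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", first_lba, sectors)


def boot_record(entries) -> bytes:
    """A 512-byte MBR or EBR: 446 bytes of boot code, four entries, 0x55AA signature."""
    table = b"".join(entries) + b"\0" * 16 * (4 - len(entries))
    return b"\0" * 446 + table + b"\x55\xaa"


def parse_table(sector: bytes) -> list:
    """Non-empty entries of a boot record's partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    out = []
    for slot in range(4):
        off = 446 + 16 * slot
        ptype = sector[off + 4]
        if ptype == 0:
            continue
        first_lba, count = struct.unpack_from("<II", sector, off + 8)
        out.append({"slot": slot, "bootable": sector[off] == 0x80, "type": ptype,
                    "first_lba": first_lba, "sectors": count})
    return out


def list_partitions(read_sector) -> list:
    """Primary partitions from the MBR plus the logical drives found by walking
    the chain of extended boot records (EBRs) inside an extended partition."""
    found = []
    for p in parse_table(read_sector(0)):
        if p["type"] not in EXTENDED_TYPES:
            found.append(dict(p, kind="primary"))
            continue
        ext_base = ebr_lba = p["first_lba"]
        seen = set()                              # guard against a looping chain
        while ebr_lba not in seen:
            seen.add(ebr_lba)
            ebr = parse_table(read_sector(ebr_lba))
            for e in ebr:
                if e["slot"] == 0:                # entry 0: this logical drive, relative to its EBR
                    found.append(dict(e, kind="logical", first_lba=ebr_lba + e["first_lba"]))
            nxt = [e for e in ebr if e["slot"] == 1 and e["type"] in EXTENDED_TYPES]
            if not nxt:
                break
            ebr_lba = ext_base + nxt[0]["first_lba"]   # entry 1: next EBR, relative to the extended base
    return sorted(found, key=lambda e: e["first_lba"])


def unallocated_ranges(total_sectors: int, partitions) -> list:
    """Sector ranges no partition claims: the gap after the MBR, the
    inter-partition gaps (which also hold the EBRs) and the tail of the disk."""
    gaps, cursor = [], 1                          # sector 0 is the MBR itself
    for p in partitions:
        if p["first_lba"] > cursor:
            gaps.append((cursor, p["first_lba"] - 1))
        cursor = max(cursor, p["first_lba"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_disk() -> bytes:
    """Constructed 4096-sector image: a bootable NTFS primary partition plus an
    extended partition containing two logical drives (FAT32 and Linux)."""
    disk = bytearray(4096 * SECTOR)
    disk[0:SECTOR] = boot_record([partition_entry(True, 0x07, 63, 1000),
                                  partition_entry(False, 0x05, 2048, 2048)])
    disk[2048 * SECTOR:2049 * SECTOR] = boot_record([partition_entry(False, 0x0B, 63, 900),
                                                     partition_entry(False, 0x05, 1024, 1024)])
    disk[3072 * SECTOR:3073 * SECTOR] = boot_record([partition_entry(False, 0x83, 63, 500)])
    return bytes(disk)


def analyse(disk: bytes):
    read = lambda lba: disk[lba * SECTOR:(lba + 1) * SECTOR]
    parts = list_partitions(read)
    return parts, unallocated_ranges(len(disk) // SECTOR, parts)


if __name__ == "__main__":
    parts, gaps = analyse(build_sample_disk())
    for p in parts:
        print(f"{p['kind']:8} type=0x{p['type']:02X} start={p['first_lba']:5} "
              f"sectors={p['sectors']:5} bootable={p['bootable']}")
    print("unallocated:", gaps)
```

The second entry of each EBR is relative to the start of the extended partition while the first is relative to the EBR itself; getting that wrong is the classic mistake when walking the chain by hand. The gap list is what an examiner would image and carve separately, since a boot manager or an attacker can park data there without any partition claiming it.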
Examining FAT
● When a file is deleted, the operating system replaces the first byte of the
file name in its directory entry with the value 0xE5, which displays as the
lowercase Greek letter sigma (σ) in the DOS code page. The clusters the file
used are marked free in the FAT; the data itself is not erased, so the space
is simply made available for new files
● Such files can be recovered with forensic tools as long as their clusters
have not been reused, because the directory entry still holds the starting
cluster and the file size
● A few tools that can be used for this are:
○ WinHex
○ Undelete
○ File Scavenger
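The deletion marker and the recovery it permits, as an added example that is not part of the original slides. It packs and decodes FAT 8.3 directory entries, detects the 0xE5 marker, and recovers a deleted file the way undelete tools do on FAT: starting cluster and size from the entry, clusters assumed contiguous because the FAT chain was zeroed on delete. The directory, data area, file names and contents are all constructed.

```python
# Added example (not from the original slides): decoding FAT 8.3 directory
# entries, spotting the 0xE5 "deleted" marker, and recovering a deleted file the
# way undelete tools do it. The directory, data area and file contents are
# constructed for illustration.
import math
import struct
from datetime import datetime

ENTRY = 32
DELETED, END_OF_DIR = 0xE5, 0x00
ATTR_LFN = 0x0F            # VFAT long-name fragment, skipped here


def dos_fields(dt: datetime):
    """Encode a timestamp as FAT's packed date and time words (2-second resolution)."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time


def dos_datetime(date: int, time: int):
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def make_entry(name, ext, attr, start_cluster, size, mtime, deleted=False) -> bytes:
    """Pack a 32-byte short-name entry; creation/access stamps are left zero."""
    date, time = dos_fields(mtime)
    raw = bytearray(struct.pack("<8s3sBBBHHHHHHHI", name.ljust(8).encode(),
                                ext.ljust(3).encode(), attr, 0, 0, 0, 0, 0,
                                start_cluster >> 16, time, date,
                                start_cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED       # this is all a delete does to the entry
    return bytes(raw)


def parse_directory(raw: bytes) -> list:
    """Walk a directory cluster and return live and deleted entries alike."""
    entries = []
    for off in range(0, len(raw), ENTRY):
        e = raw[off:off + ENTRY]
        if e[0] == END_OF_DIR:
            break              # no entries are in use after this point
        if e[11] == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        base = (b"?" if deleted else e[0:1]) + e[1:8]   # first char is unknown once deleted
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi, time, date, lo, size = struct.unpack_from("<HHHHI", e, 20)
        entries.append({"name": base.decode("ascii", "replace").rstrip() + ("." + ext if ext else ""),
                        "deleted": deleted, "attr": e[11], "start_cluster": (hi << 16) | lo,
                        "size": size, "mtime": dos_datetime(date, time)})
    return entries


def recover_contiguous(entry: dict, cluster_size: int, read_cluster) -> bytes:
    """Undelete on FAT: the entry still gives the first cluster and the size,
    but the FAT chain was zeroed on delete, so assume the clusters were
    contiguous. If any of them has since been reused, the result is wrong."""
    n = math.ceil(entry["size"] / cluster_size) if entry["size"] else 0
    data = b"".join(read_cluster(entry["start_cluster"] + i) for i in range(n))
    return data[:entry["size"]]


CLUSTER = 512
REPORT = (b"Q3 revenue figures, confidential. " * 20)[:600]   # constructed; spans clusters 3 and 4


def build_sample():
    """A data area (clusters 0..7) and a directory with one live and one deleted file."""
    data_area = bytearray(8 * CLUSTER)
    data_area[3 * CLUSTER:3 * CLUSTER + len(REPORT)] = REPORT
    notes = b"todo: shred old reports"
    data_area[5 * CLUSTER:5 * CLUSTER + len(notes)] = notes
    stamp = datetime(2023, 6, 14, 13, 45, 0)
    directory = (make_entry("NOTES", "TXT", 0x20, 5, len(notes), stamp)
                 + make_entry("REPORT", "TXT", 0x20, 3, len(REPORT), stamp, deleted=True)
                 + b"\0" * ENTRY)
    return bytes(data_area), directory


def undelete_all(directory: bytes, data_area: bytes) -> dict:
    read = lambda c: data_area[c * CLUSTER:(c + 1) * CLUSTER]
    return {e["name"]: recover_contiguous(e, CLUSTER, read)
            for e in parse_directory(directory) if e["deleted"]}


if __name__ == "__main__":
    data_area, directory = build_sample()
    for e in parse_directory(directory):
        print(e)
    print(undelete_all(directory, data_area))
```

The recovered name comes back as "?EPORT.TXT" because the first character is genuinely gone; tools show it that way and let the examiner supply it. The contiguity assumption is the caveat: the 600-byte file spans clusters 3 and 4, and if cluster 4 had been handed to another file after the delete, the recovered second half would be that file's data, not the original.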
NTFS
● The New Technology File System was introduced by Microsoft with Windows NT
● In NTFS everything written on the volume, including the file system's own
metadata, is treated as a file
● The Partition Boot Sector (PBS) is the first data set on the volume
● After the PBS comes the first system file, the Master File Table (MFT). NTFS
reserves an MFT zone for it, 12.5% of the volume by default and configurable
up to 50%, so that the MFT can grow without fragmenting
● NTFS stores names in Unicode (UTF-16LE)
NTFS System Files
● $AttrDef: contains the definitions of all system- and user-defined
attributes of the volume
● $BadClus: lists all the bad clusters on the volume
● $Bitmap: bitmap recording which clusters of the entire volume are in use
● $Boot: contains the volume's boot sector and bootstrap code
● $LogFile: transaction journal used for recovery purposes
● $MFT: the master file table itself, with a record for every file
● $MFTMirr: mirror of the first MFT records, used for recovery
● $Quota: holds the disk quota for each user
● $UpCase: table for converting characters into uppercase Unicode (used for
case-insensitive name comparison)
● $Volume: contains the volume name, version number and dirty flag

NTFS Partition Boot Sector
● When you format an NTFS
volume, the format program
allocates the first 16 sectors for
the boot sector and the
bootstrap code.
NTFS Master File Table (MFT)
● Each file on an NTFS volume is represented
by a record in a special file called the
master file table (MFT).
● NTFS reserves the first 16 records of the
table for the system files listed above.
● The first record of the table describes the
master file table itself; it is followed by
the MFT mirror record ($MFTMirr).
● If the first MFT record is corrupted, NTFS
reads the second record to find the MFT
mirror file, whose first record is identical
to the first record of the MFT.
● The locations of the data segments for both
the MFT and the MFT mirror file are recorded
in the boot sector. A duplicate of the boot
sector is also kept: NTFS 1.2 and later
(Windows NT 4 onward) store it in the last
sector of the volume, while earlier versions
placed it at the logical center of the
volume.
● The third record of the MFT is the log file
($LogFile), used for recovery. The
seventeenth and following records hold every
file and directory (a directory is also
viewed as a file by NTFS) on the volume.
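The boot-sector fields that the two NTFS slides above rely on (where $MFT and $MFTMirr start, the cluster size, the backup boot sector), as an added example that is not part of the original slides. The boot sector is constructed with assumed values; the one detail worth a practitioner's attention is the signed "clusters per file record" byte, which most volumes set to 0xF6 so that records stay 1024 bytes regardless of cluster size.

```python
# Added example (not from the original slides): reading the NTFS boot sector
# (the BIOS parameter block in $Boot) to locate the MFT, its mirror and the
# backup boot sector, and decoding the signed "clusters per file record" byte
# that catches many hand-written parsers. The boot sector below is constructed
# for illustration; its values are assumptions, not from a real volume.
import struct

SECTOR_SIZES = {512, 1024, 2048, 4096}


def decode_size(code: int, cluster_bytes: int) -> int:
    """NTFS stores 'clusters per MFT record' / 'per index block' as a signed
    byte: a positive value counts clusters, a negative value v means the size
    is 2**(-v) bytes. 0xF6 (-10) therefore means 1024-byte records even on a
    volume with 4 KiB clusters."""
    signed = code - 256 if code > 127 else code
    return 2 ** (-signed) if signed < 0 else signed * cluster_bytes


def build_boot_sector(bps=512, spc=8, total_sectors=2097151, mft_lcn=786432,
                      mftmirr_lcn=2, rec_code=0xF6, idx_code=0x01,
                      serial=0x1A2B3C4D5E6F7081) -> bytes:
    """Assemble the 512-byte NTFS boot sector from its documented fields."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                    # jump to boot code
    bs[3:11] = b"NTFS    "                       # OEM id
    struct.pack_into("<HB", bs, 0x0B, bps, spc)
    bs[0x15] = 0xF8                              # media descriptor: fixed disk
    struct.pack_into("<HH", bs, 0x18, 63, 255)   # sectors per track, heads (legacy)
    struct.pack_into("<I", bs, 0x24, 0x80008000)
    struct.pack_into("<QQQ", bs, 0x28, total_sectors, mft_lcn, mftmirr_lcn)
    bs[0x40], bs[0x44] = rec_code, idx_code
    struct.pack_into("<Q", bs, 0x48, serial)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def parse_ntfs_boot_sector(bs: bytes) -> dict:
    if len(bs) != 512 or bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    if bps not in SECTOR_SIZES or spc & (spc - 1):
        raise ValueError(f"implausible geometry: {bps} bytes/sector, {spc} sectors/cluster")
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", bs, 0x28)
    serial, = struct.unpack_from("<Q", bs, 0x48)
    cluster = bps * spc
    return {
        "bytes_per_sector": bps,
        "cluster_bytes": cluster,
        "volume_bytes": total_sectors * bps,
        "mft_offset": mft_lcn * cluster,           # byte offset of $MFT from the volume start
        "mftmirr_offset": mftmirr_lcn * cluster,   # byte offset of $MFTMirr
        "record_bytes": decode_size(bs[0x40], cluster),
        "index_block_bytes": decode_size(bs[0x44], cluster),
        # The total-sectors field excludes the volume's last sector, which holds
        # the backup boot sector (NTFS 1.2 and later).
        "backup_boot_offset": total_sectors * bps,
        "serial": f"{serial:016X}",
    }


def mft_record_offset(info: dict, record_no: int) -> int:
    """Byte offset of MFT record n; records 0..15 are the reserved system files."""
    return info["mft_offset"] + record_no * info["record_bytes"]


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_boot_sector())
    for k, v in info.items():
        print(f"{k:20} {v}")
    print("first user record at", mft_record_offset(info, 16))
```

With these assumed values the MFT starts 3 GiB into the volume and $MFTMirr at byte 8192, so when the first MFT record is unreadable an examiner can go straight to the mirror using nothing but the boot sector, and when the boot sector itself is damaged the copy in the last sector of the volume is the next place to look.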
NTFS Attribute-I
● Every file is described by a set of attributes, such as:
○ Name ($FILE_NAME)
○ Security information ($SECURITY_DESCRIPTOR)
○ Standard information (timestamps and flags) and the file's data; the file
system's own metadata is stored the same way
● Every attribute is identified by an attribute type code.
● There are two categories of attributes:
○ Resident attributes: attributes whose value is stored inside the MFT
record itself.
○ Non-resident attributes: attributes whose value is too large for the
record and is stored in one or more clusters elsewhere on the disk; the
MFT record holds only a run list pointing to those clusters.
NTFS Attribute-II
NTFS Data Stream-I
● A data stream is a sequence of bytes
● A file can carry additional named streams alongside its main (unnamed) data
stream; they are visible when examining the attributes of the file
● Such alternate data streams can hide data, intentionally or by coincidence,
because ordinary directory listings show only the file's size and main
content
● In NTFS each data stream is a $DATA attribute of the file
● An alternate data stream can be created from the command prompt with:
C:\> echo text_message > myfile.txt:stream1
● Windows Vista and later list streams with "dir /r"; the stream's bytes do
not appear in the file size shown by a plain "dir"
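The MFT record structure from the MFT and Attribute slides, and the alternate data stream the command above creates, as one added example that is not part of the original slides. It assembles a FILE record for myfile.txt with resident $STANDARD_INFORMATION, $FILE_NAME and two $DATA attributes (the constructed main content and the named stream), applies the update-sequence fixups, then parses the record back; a named $DATA attribute is exactly what an ADS looks like on disk. The record number, contents and stream name are constructed; the layout follows the documented on-disk format.

```python
# Added example (not from the original slides): building one MFT FILE record
# with resident attributes, verifying and undoing its update-sequence fixups,
# and listing its attributes, which is where alternate data streams show up as
# named $DATA attributes. The record (name, contents, stream) is constructed for
# illustration; the layout follows the documented on-disk format.
import struct

RECORD, SECTOR = 1024, 512
ATTR_STDINFO, ATTR_FILENAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF

def _align8(n: int) -> int:
    return (n + 7) & ~7

def resident_attribute(atype: int, value: bytes, name: str = "", attr_id: int = 0) -> bytes:
    """24-byte attribute header, optional UTF-16LE name, then the value."""
    name_bytes = name.encode("utf-16-le")
    name_off = 0x18
    value_off = _align8(name_off + len(name_bytes))
    length = _align8(value_off + len(value))
    body = bytearray(length)
    body[:24] = struct.pack("<IIBBHHHIHBB", atype, length, 0, len(name), name_off,
                            0, attr_id, len(value), value_off, 0, 0)
    body[name_off:name_off + len(name_bytes)] = name_bytes
    body[value_off:value_off + len(value)] = value
    return bytes(body)

def file_name_value(name: str, parent_ref: int = 5) -> bytes:
    """Minimal $FILE_NAME body: parent reference (5 = root), zeroed timestamps
    and sizes, name length, namespace 1 (Win32), then the UTF-16LE name."""
    return (struct.pack("<Q", parent_ref) + b"\0" * 56
            + struct.pack("<BB", len(name), 1) + name.encode("utf-16-le"))

def build_record(record_no: int, attributes) -> bytes:
    """Assemble a FILE record and apply update-sequence (fixup) protection."""
    attr_off = 0x38
    body = b"".join(attributes) + struct.pack("<I", ATTR_END) + b"\0" * 4
    rec = bytearray(RECORD)
    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, attr_off,
                             1, attr_off + len(body), RECORD, 0, len(attributes) + 1, 0, record_no)
    rec[attr_off:attr_off + len(body)] = body
    # Fixups: the last two bytes of every sector are replaced by the update
    # sequence number and the originals are parked in the array at 0x32, so a
    # torn (half-written) record is detectable when read back.
    usn = b"\x37\x00"
    rec[0x30:0x32] = usn
    for i in range(RECORD // SECTOR):
        end = (i + 1) * SECTOR - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)

def apply_fixups(raw: bytes) -> bytes:
    """Check each sector's trailing bytes against the USN and restore the originals."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(rec)

def parse_record(raw: bytes) -> dict:
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record (missing signature, or BAAD)")
    rec = apply_fixups(raw)
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    attrs, pos = [], attr_off
    while True:
        atype, length = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        name = rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")
        entry = {"type": atype, "name": name, "resident": nonres == 0, "value": None}
        if nonres == 0:
            vlen, voff = struct.unpack_from("<IH", rec, pos + 0x10)
            entry["value"] = rec[pos + voff:pos + voff + vlen]
        # non-resident: the value lives in clusters described by a run list (not decoded here)
        attrs.append(entry)
        pos += length
    return {"in_use": bool(flags & 1), "is_directory": bool(flags & 2), "attributes": attrs}

def file_name_of(record: dict):
    for a in record["attributes"]:
        if a["type"] == ATTR_FILENAME:
            n = a["value"][64]
            return a["value"][66:66 + 2 * n].decode("utf-16-le")
    return None

def alternate_streams(record: dict) -> list:
    """Named $DATA attributes are alternate data streams; the unnamed $DATA is the file itself."""
    return [(a["name"], a["value"]) for a in record["attributes"]
            if a["type"] == ATTR_DATA and a["name"]]

def sample_record() -> bytes:
    """myfile.txt after: echo text_message > myfile.txt:stream1 (contents constructed)"""
    return build_record(40, [
        resident_attribute(ATTR_STDINFO, b"\0" * 48, attr_id=0),
        resident_attribute(ATTR_FILENAME, file_name_value("myfile.txt"), attr_id=1),
        resident_attribute(ATTR_DATA, b"Hello World", attr_id=2),
        resident_attribute(ATTR_DATA, b"text_message", name="stream1", attr_id=3),
    ])

if __name__ == "__main__":
    rec = parse_record(sample_record())
    print(file_name_of(rec), alternate_streams(rec))
```

Two things the parser makes visible that the slides only state: the fixup check has to run before any field past the first sector boundary is trusted, and a stream hidden with the echo command is not hidden from anyone who walks the $DATA attributes of the record, which is how forensic tools enumerate ADS on a volume.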
NTFS Data Stream-II
NTFS Data Stream-III
NTFS Encrypting File System (EFS)
● The main file encryption technology used to
store encrypted files on NTFS
● An encrypted file or folder can be read or
modified by its owner just like any other
file or folder; encryption and decryption are
transparent
● EFS uses a random symmetric file encryption
key (FEK) for the file's content and
public/private key pairs to protect the FEK:
the FEK is encrypted with the public key of
each authorized user and of each recovery
agent
● An encrypted file can be opened only by
someone holding a private key that matches
one of the public keys the FEK was encrypted
with
● If an intruder without such a key tries to
open or copy the file, the intruder receives
an access-denied error (renaming or deleting
the file is still possible, since those
operations do not need the content)
EFS File Structure
Master File Table (MFT)
● The MFT can be thought of as a database table holding information about the
files and their attributes
● The rows are file records and the columns are file attributes
● It has information about every file on the NTFS volume, including itself
● The MFT has 16 records reserved for system files
● The MFT record for a small file or folder is laid out as follows:

Standard Information | File or Directory Name | Data or Index | Unused Space
EFS Recovery Key Agent-I
● A recovery policy is always associated with an encryption policy. A recovery
agent can decrypt a file when the encryption certificate (and private key)
of the user who encrypted it is lost
● The recovery agent is used in the following situations:
○ When a user loses a private key
○ When a user leaves the company
○ Whenever a law enforcement agency makes a request
EFS Recovery Key Agent-II
● A Windows administrator can recover encrypted files from the Windows user
interface or from the command prompt
● The command-line tools involved in recovery are:
○ CIPHER (cipher /r also generates a recovery agent key and certificate)
○ COPY
○ EFSRECVR
● Recovery agent information for an encrypted file can be viewed with the
efsinfo tool
Understanding Microsoft Boot Tasks
These are the stages of startup on Windows NT-based systems (which boot from
NTFS):
● Power-on self test (POST)
● Initial startup
● Boot loader
● Hardware detection and configuration
● Kernel loading
● User logon
Understanding Boot Sequence DOS
● The boot sequence steps are as follows:
○ The computer waits for the power-good signal
○ The processor executes the BIOS boot program
○ The BIOS performs the power-on self test (POST)
○ The BIOS initializes the system settings from the CMOS settings
○ PCI initializes and displays the configuration and status of devices
○ The BIOS locates the boot device and loads its Master Boot Record (MBR),
which in turn locates the active partition
○ The volume boot sector of the active partition is loaded and tested
○ The volume boot sector loads and executes IO.SYS
○ IO.SYS searches for MSDOS.SYS, loads it and executes it
○ COMMAND.COM is loaded and executed; CONFIG.SYS is processed and
AUTOEXEC.BAT is interpreted
● After this point the operating system takes control of the computer
Understanding MS-DOS Startup Tasks
● IO.SYS: contains the routines the operating system uses to interact with the
hardware. It is the first file loaded after the bootstrap code detects the
operating system
● MSDOS.SYS: the kernel of MS-DOS; it processes CONFIG.SYS and loads
COMMAND.COM
● COMMAND.COM: the command interpreter, which provides the internal DOS
commands and runs AUTOEXEC.BAT
● CONFIG.SYS: contains the device drivers and configuration commands required
during startup
● AUTOEXEC.BAT: contains customized settings and startup commands for MS-DOS
Other DOS Operating Systems
The following are useful disk operating systems other than Microsoft's DOS:
● 4DOS: a replacement command interpreter with more commands, a better editor,
online help and flow-control commands such as DO WHILE, RETURN and
IFF..THEN..ELSE
● DR-DOS: DOS compatible; offers pre-emptive multitasking, 32-bit protected
mode and more
● Caldera OpenDOS: an MS-DOS compatible OS, descended from DR DOS and Novell
DOS
● Novell DOS: a full-featured DOS built for workstations on Novell networks
● PTS-DOS: a DOS with a simple graphical user interface; supports FAT32, big
hard drives and CD-ROMs. Its Partition Manager Easy makes it easy to
partition hard drives
● QDOS: the 16-bit operating system, modelled on CP/M, that Microsoft bought
and turned into MS-DOS
● FreeDOS: a free, open-source DOS-compatible OS, cheaper than IBM's and
Microsoft's; it has been shipped on HP PCs in China
Registry Data-I
● The registry is a hierarchical database
● It stores information about the users, the applications and the hardware
devices
● Windows continuously refers to the registry for information while
applications execute
● The registry data is saved on disk in binary hive files (for example SYSTEM,
SOFTWARE, SAM and each user's NTUSER.DAT)
Registry Data-II
Registry Data-III
Examining Registry Data
● The registry has a predefined set of root keys, each holding subkeys and
values, much like folders and files
● A registry hive is a set of keys, subkeys and values in the Windows registry
that is backed by its own file on disk, together with supporting files that
contain backups of its data
● The registry can be examined manually using the Registry Editor (regedit)
● The registry can also be examined using tools such as:
○ Registry Monitor
○ Registry Checker
Determining the Best Acquisition Methods
● Forensic investigators acquire digital evidence using the
following methods
○ Creating a bit-stream disk-to-image file
○ Making a bit-stream disk-to-disk copy
○ Creating a sparse data copy of a folder or file
Data Recovery Contingencies
● Investigators must have contingency plans for the case where data
acquisition fails
● To preserve digital evidence, investigators create a duplicate copy of the
evidence files (and verify it with a cryptographic hash)
● If the original copy is later found to be corrupted, investigators can fall
back on the second copy
● Using at least two data acquisition tools to create copies of the evidence
is preferred, in case the investigator's preferred tool does not recover the
data properly
MS-DOS Data Acquisition Tool: DriveSpy
● DriveSpy enables the investigator to copy data from one particular sector
range to another location (a file or another sector range)
● DriveSpy provides two ways of specifying a disk sector range:
○ The absolute starting sector, a comma, and the total number of sectors to
read from the drive
○ The absolute starting and ending sectors
DriveSpy Data Manipulation Commands
● There are two commands in
DriveSpy that are used for
data manipulation:
○ The “SaveSect” command-
■ Used to copy particular sectors
on a disk to a file
■ It copies the sectors as a bit-
stream image so that the file
is a duplicate of the original
sectors
○ The “WriteSect” command-
■ Used to regenerate the
information acquired
through the SaveSect
command
DriveSpy Data Preservation Commands
● The data preservation
commands in the DriveSpy
application are :
○ The “SavePart” command-
■ Used to create an image file of
the specified disk partition of
the suspect’s drive
○ The “WritePart” command-
■ Counterpart of the “savePart”
command
■ Used to recreate the saved
partition image file that is
created with the “savePart”
command
Using Windows Data Acquisition Tools
● Windows data acquisition tools allow the investigator to easily
acquire evidence from a disk with the help of removable media
such as USB storage devices
● These tools also can use Firewire to connect hard disks to the
forensic lab systems
● Data acquisition tools in Windows cannot acquire data from
the host protected area of the disk
Data Acquisition Tool : Access Data FTK Explorer
● FTK Explorer acquires data that
can help the investigator
understand how other forensic
tools in Windows work
● This tool was first designed to
examine disks and bit-stream
disk-to-image files created with
other forensic software
● FTK Explorer can make bit-stream
disk-to-image copies of evidence
disks
● This tool allows the investigator to
acquire the evidence disk from a
logical partition level or a physical
drive level
FTK
Acquiring Data on Linux
● Forensic investigators use the built-in Linux command "dd" to copy data
from a disk drive
● dd can make a bit-stream disk-to-disk copy, a disk-to-image file, or a
block-to-block / block-to-file copy of any sector range (selected with the
skip and count options)
● The "dd" command can copy data from any disk that Linux can access as a
block device, whether or not it can mount the file system on it
● Other forensic tools such as AccessData FTK and ILook can read dd image files
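The bit-stream acquisition described here, and the sector-range copying of the DriveSpy SaveSect slide, as one added example that is not part of the original slides. It runs a dd-style imager against a constructed in-memory device with a few unreadable sectors, reproduces the behaviour of dd's conv=noerror,sync (zero-fill the bad sectors and keep the image aligned instead of stopping or shifting later data), extracts a sector range, and verifies the image against the source with MD5 and SHA-256, which is the check the Data Recovery Contingencies slide asks for. The device contents and bad-sector list are constructed.

```python
# Added example (not from the original slides): a dd-style bit-stream imager run
# against an in-memory "device", showing dd's conv=noerror,sync behaviour on
# unreadable sectors (zero-fill and keep going rather than stop short), a
# SaveSect-style sector-range extraction, and hash verification of the image
# against the source. The device contents and its bad sectors are constructed.
import hashlib

SECTOR = 512


class FakeDevice:
    """Constructed disk with a few unreadable sectors; stands in for /dev/sdX."""

    def __init__(self, sectors: int, bad=()):
        self.sectors = sectors
        self.bad = set(bad)
        self.data = bytes((i * 7 + s) & 0xFF for s in range(sectors) for i in range(SECTOR))

    def read(self, lba: int) -> bytes:
        if lba in self.bad:
            raise IOError(f"Input/output error at sector {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def image_device(dev: FakeDevice, block_sectors: int = 8):
    """Copy the device in blocks; when a block fails, retry it sector by sector,
    zero-fill the sectors that still fail and record them. Without this the
    image would either stop at the first bad sector or, with noerror alone,
    silently shift every later sector earlier (hence dd's 'sync')."""
    image, unreadable = bytearray(), []
    for start in range(0, dev.sectors, block_sectors):
        end = min(start + block_sectors, dev.sectors)
        try:
            image += b"".join(dev.read(lba) for lba in range(start, end))
        except IOError:
            for lba in range(start, end):
                try:
                    image += dev.read(lba)
                except IOError:
                    image += b"\0" * SECTOR
                    unreadable.append(lba)
    return bytes(image), unreadable


def save_sectors(image: bytes, first: int, count: int) -> bytes:
    """DriveSpy SaveSect, or dd bs=512 skip=first count=count: one absolute sector range."""
    return image[first * SECTOR:(first + count) * SECTOR]


def hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(dev: FakeDevice, image: bytes, unreadable) -> dict:
    """Hash the source and the image. With unreadable sectors the whole-device
    hashes cannot match, so also compare the readable sectors alone; the list
    of zero-filled sectors then goes into the acquisition notes."""
    skip = set(unreadable)
    readable = b"".join(dev.read(l) for l in range(dev.sectors) if l not in skip)
    imaged = b"".join(image[l * SECTOR:(l + 1) * SECTOR] for l in range(dev.sectors) if l not in skip)
    return {"complete_size": len(image) == dev.sectors * SECTOR,
            "full_match": hashes(dev.data) == hashes(image),
            "readable_match": hashes(readable) == hashes(imaged),
            "zero_filled": list(unreadable)}


if __name__ == "__main__":
    dev = FakeDevice(64, bad={10, 11, 40})
    img, bad = image_device(dev)
    print(verify_image(dev, img, bad))
    print(hashes(save_sectors(img, 5, 2)))
```

On a clean device full_match is true and that hash pair is what goes into the chain-of-custody record; with bad sectors the honest result is readable_match plus an explicit list of zero-filled sectors, which is also the information a second acquisition with a different tool should be compared against.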
Data Acquisition Tool: EnCase
● The EnCase tool delivers advanced features for computer forensics and
investigations
● It is one of the primary data acquisition tools used by forensic
investigators
● It provides tools to conduct investigations with accuracy and efficiency
● Data can be acquired:
○ Disk to disk
○ Disk to a network server drive
○ Over the parallel port with a LapLink cable to the forensic workstation's
disk drive
Encase
