Digital Forensics: Computer Forensics Tools, Encase and Windows Os
Module 4
Computer forensics tools, Encase and Windows os
File systems
A file system controls how data is stored and retrieved.
Without a file system, data placed in a storage medium would be one
large body of data with no way to tell where one piece of data stops
and the next begins.
It provides the OS a road map to data on a disk
The types of file systems used by an OS specify how data is stored on
the disk
There are many different kinds of file systems. Each one has
different structure and logic, properties of speed, flexibility, security,
size and more. Some file systems have been designed to be used for
specific applications.
A file system is responsible for arranging storage space. Reliability,
efficiency, and tuning with regard to the physical storage medium
are important design considerations.
Understanding booting
Booting is the process of starting a computer. It can be initiated by
hardware such as a button press, or by a software command.
After it is switched on, a computer's central processing unit (CPU)
has no software in its main memory, so some process must load
software into memory before it can be executed. This may be done
by hardware or firmware in the CPU, or by a separate processor in
the computer system.
The information on the CMOS chip includes the types of disk drives
installed, the current date and time of the system clock, and the
computer's boot sequence.
The CMOS has its own dedicated power source, which is the CMOS
battery
Boot sequence
The boot sequence defines which devices a computer should check
for the operating system's boot files.
It also specifies the order devices are checked. The list can be
changed and re-ordered in the computer's BIOS.
Common devices usually listed in the boot sequence are the disc
drives (CD or DVD), hard drive, USB flash drive, and Solid State
Devices (SSDs).
Originally, disk capacity was quite low; it has been improved in several
ways.
Improvements in mechanical design and manufacture allowed
smaller and more precise heads, meaning that more tracks could be
stored on each of the disks.
Advancements in data compression methods permitted more
information to be stored in each of the individual sectors.
Terminology
Disk - Generally refers to magnetic media and devices
Platter – An individual recording disk. A hard disk drive contains a set of
platters.
Track – The circle of recorded data on a single recording surface of a
platter.
Sector – A segment of a track
Head – The device that reads and writes the information—magnetic or
optical—on the disk surface.
Cylinder-head-sector
Cylinder-head-sector (CHS) is an early method for giving addresses to
each physical block of data on a hard disk drive
https://en.wikipedia.org/wiki/Cylinder-head-sector
As the geometry became more complicated (for example, with the
introduction of zone bit recording) and drive sizes grew over time, the
CHS addressing method became restrictive
Solid-State Drive
A solid-state drive (SSD) is a solid-state storage device that
uses integrated circuit assemblies to store data persistently, typically
using flash memory
It acts as a secondary storage in the hierarchy of computer storage.
It is also sometimes called a solid-state device or a solid-state disk
Disk Clusters
In computer file systems, a cluster or allocation unit is a unit of disk
space allocation for files and directories.
A cluster, or allocation unit, is a group of sectors that make up the
smallest unit of disk allocation for a file within a file system
A file system's cluster size is the smallest amount of space a file can
take up on a computer. A common sector size is 512 bytes
For cluster sizes which are small versus the average file size, the
wasted space per file will be statistically about half of the cluster
size; for large cluster sizes, the wasted space will become greater.
A larger cluster size reduces bookkeeping overhead and
fragmentation, which may improve reading and writing speed
overall.
Typical cluster sizes range from 1 sector (512 B) to 128 sectors
(64 KB).
Disk structure
Disk structure:
(A) track
(B) geometrical sector
(C) track sector
(D) cluster
Partition
Disk partitioning or disk slicing is the creation of one or more
regions on secondary storage, so that each region can be managed
separately. These regions are called partitions.
It is typically the first step of preparing a newly installed disk, before
any file system is created. The disk stores the information about the
partitions' locations and sizes in an area known as the partition
table, which the operating system reads before any other part of the
disk
The terms partition table and partition map are most commonly
associated with the partition table held in the Master Boot Record (MBR)
of IBM PC compatibles
Partitions can be created, resized, or deleted. This is called disk
partitioning. It is usually done during the installation of an operating
system, but it is also possible to make changes to the partitions after
the operating system has been installed.
The partition table is in the Master Boot Record (MBR) and is situated at
sector 0 of the disk drive
The first partition is at offset 0x1BE
The file system’s hexadecimal code is offset 3 bytes from 0x1BE for the
first partition
Partition tables may be viewed using a hex editor
See https://www.codeproject.com/Articles/488296/Partition-Tables-Explained
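As an added example (not part of the original slides), the following Python parses the four 16-byte partition entries that begin at 0x1BE in sector 0, checks the 0x55AA boot signature, unpacks the packed CHS fields discussed on the Cylinder-head-sector slide, and converts CHS to LBA assuming the legacy 255-head / 63-sector geometry. The partition type byte sits at entry offset 4, after the 1-byte status and 3-byte CHS start, so for the first entry it is at 0x1C2. The sample MBR is constructed in the script, not captured from a real disk.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE          # first of the four 16-byte partition entries
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of sector 0
HEADS, SECTORS_PER_TRACK = 255, 63   # legacy geometry assumed for CHS -> LBA

def decode_chs(raw):
    """Unpack the packed 3-byte CHS field: head, 6-bit sector, 10-bit cylinder."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector

def chs_to_lba(cylinder, head, sector):
    """LBA = (C * heads + H) * sectors_per_track + (S - 1); sectors count from 1."""
    return (cylinder * HEADS + head) * SECTORS_PER_TRACK + (sector - 1)

def parse_mbr(mbr):
    """Return the in-use entries of the MBR partition table in sector 0."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("need the full 512-byte sector 0")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        e = mbr[off:off + ENTRY_SIZE]
        # entry layout: status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype = e[0], e[4]
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        if ptype == 0x00:
            continue                     # unused slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_offset": off + 4, "chs_start": decode_chs(e[1:4]),
                      "lba_start": lba_start, "sectors": sectors})
    return parts

def sample_mbr():
    """Constructed sector 0: one bootable NTFS (0x07) partition at LBA 2048, 204800 sectors."""
    mbr = bytearray(MBR_SIZE)
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])  # status, CHS start, type, CHS end
    entry += struct.pack("<II", 2048, 204800)
    mbr[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)
```

Reading sector 0 of an image file with open(path, "rb").read(512) and passing it to parse_mbr gives the same dictionaries for a real MBR disk.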
FAT disks
File Allocation Table (FAT) is a computer file system architecture.
Originally developed for use on floppy disks, it was adapted for use
on hard disks and other devices
It is often supported for compatibility reasons by current operating
systems for personal computers and many mobile
devices and embedded systems, allowing interchange of data between
disparate systems.
Fragmentation of files
When the first allotted cluster is full and runs out of space, FAT assigns
the next usable cluster to the file
If the next usable cluster is not adjacent to the current cluster then the
file becomes fragmented
Unallocated disk space gets created when a FAT file is deleted
See http://209.68.14.80/ref/hdd/file/ntfs/archFiles-c.html
File Attributes
In the NTFS MFT, the files and folders are stored in assorted records
of 1024 bytes each
Each record contains file or folder information, which is divided into
record fields containing metadata
A record field is called an attribute ID
Files bigger than 512 bytes are stored outside the MFT
Files whose information is recorded in the MFT are classified as resident
or non-resident
Almost everything in NTFS is a file
Files are implemented as collections of attributes.
Attributes are pieces of information of various kinds
See http://209.68.14.80/ref/hdd/file/ntfs/files_Attr.htm
See http://www.c-jump.com/bcc/t256t/Week04NtfsReview/W01_0240_mft_attribute_types.htm
for info about MFT attribute types
See https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781134(v=ws.10)#ntfs-physical-structure
to learn how NTFS works
Cluster numbers
In NTFS, the cluster is the fundamental unit of disk usage.
When a partition is formatted as NTFS, the OS assigns logical
clusters to the entire disk partition
Each cluster in a volume is given a sequential number. This is its
Logical Cluster Number (LCN)
Clusters on an NTFS volume are enumerated consecutively from the
start of the partition into logical cluster numbers.
LCN 0 (zero) refers to the first cluster in the volume viz. the boot
sector.
Data Runs
Each contiguous block of LCNs is described by a data run, which
records a VCN, an LCN and a length.
When NTFS needs to locate an object on the disk, it looks up the
VCN in the Data Runs to get the LCN.
See https://flatcap.org/linux-ntfs/ntfs/concepts/data_runs.html
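As an added example (not from the original slides or the linked page), the following Python decodes an NTFS data-run list into (VCN, LCN, length) triples and resolves a VCN to its LCN, which is the lookup described above. The byte strings are constructed to exercise a single run, a fragmented file whose last run lies at a lower LCN (negative offset), and a sparse run with no clusters allocated.

```python
def decode_data_runs(raw):
    """Decode an NTFS data-run list into (vcn, lcn, length) tuples.

    Header byte: low nibble = size of the length field, high nibble = size of
    the offset field. The offset is a signed little-endian delta from the
    previous run's LCN; offset size 0 means a sparse run (lcn = None).
    A 0x00 header terminates the list.
    """
    runs = []
    pos, vcn, lcn = 0, 0, 0
    while pos < len(raw):
        header = raw[pos]
        pos += 1
        if header == 0x00:
            break
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("malformed data run at byte %d" % (pos - 1))
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, None, length))        # sparse: no clusters on disk
        else:
            delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta                            # may move backwards on disk
            runs.append((vcn, lcn, length))
        vcn += length
    return runs

def vcn_to_lcn(runs, target_vcn):
    """Map a virtual cluster to its logical cluster (None if it lies in a sparse run)."""
    for vcn, lcn, length in runs:
        if vcn <= target_vcn < vcn + length:
            return None if lcn is None else lcn + (target_vcn - vcn)
    raise ValueError("VCN %d is past the end of the attribute" % target_vcn)

# Constructed run lists (not captured from a real volume)
SINGLE_RUN = bytes.fromhex("21 18 34 56 00")                     # one run: 0x18 clusters at LCN 0x5634
FRAGMENTED = bytes.fromhex("11 30 60 21 10 00 01 11 20 E0 00")   # three runs, last offset is negative
SPARSE = bytes.fromhex("01 10 00")                               # 0x10 clusters, nothing allocated
```

Multiply an LCN by the volume's cluster size and add the partition's byte offset to get the absolute position to read in a raw image.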
Exercise
Create a text ADS and detect it using an open source / free hex
editor
Explore Encrypting File System (EFS)
https://en.wikipedia.org/wiki/Encrypting_File_System
Explore Resilient File System (ReFS)
https://en.wikipedia.org/wiki/ReFS
Exercise
Evaluate software for disk encryption and study features available
https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
Keys may contain values and sub-keys. Keys are referenced with a
syntax similar to Windows path names, using backslashes to indicate
levels of hierarchy. Key names are case-insensitive and may not contain
backslashes
More details about the Registry can be got at
https://msdn.microsoft.com/en-us/library/ms724871.aspx
Exercise
Study startup in various versions of the Windows OS. Try to identify
difficulties which may be faced by investigators
Virtual machines
A virtual machine (VM) is an emulation of a computer system.
Virtual machines are based on computer architectures and provide
functionality of a physical computer.
Their implementations may involve specialized hardware, software,
or a combination
Exercise
List questions that need to be asked when determining what tools are
needed. Hint: think about the following
Open source / commercial
OS supported
File systems supported
Automation support
Scripting language facility for automation
Vendor reputation
Command line / GUI
Dr.Nagaraj S V & Prof Seshu Babu
Pulagara, VIT Chennai
Guidelines
ISO/IEC standard 27037:2012 Information technology — Security
techniques — Guidelines for identification, collection, acquisition
and preservation of digital evidence
https://www.iso.org/standard/44381.html
US National Institute of Standards and Technology (NIST) Computer
Forensics Tool Testing (CFTT) program
https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt
Acquisition
It is the process of making a copy of the original drive or media
Sub-functions could include
Physical data copy
Logical data copy
Data acquisition format
Command-line acquisition
GUI acquisition
Remote, live, and memory acquisitions
Extraction
Sub-functions of extraction include
Viewing data
Searching using keywords
Restoring data to its uncompressed form
File Carving: searching for files in a data stream based on
knowledge of file formats rather than any other metadata.
Decrypting
Bookmarking or tagging
Reconstruction
It is the process of re-creating a suspect drive to demonstrate what
occurred during a crime or an incident
Techniques of reconstruction
Disk-to-disk copy
Partition-to-partition copy
Image-to-disk copy
Image-to-partition copy
Reconstructing files from data runs and by carving
Reporting
Exercise
Look up major forensic tools and compare the functions that can
be performed by them such as acquisition, physical data copy,
logical data copy, acquisition formats, filtering, extraction,
reporting, flexibility, reliability etc.
Exercise
Make a list of command line tools and GUI-based forensic tools.
Compare and contrast them
Determine what criteria a forensic lab must meet
SMART
A tool for Linux
Several file systems can be analyzed
Numerous plug-in utilities available
Other utilities include Helix3, Kali Linux, Autopsy and Sleuth Kit
Hardware Tools
Forensic workstation options include stationary, lightweight and
portable units
Budget constraints, obsolescence, vendor support
Write-blockers: can be hardware-based or software-based
Exercise
Visit the CFTT web site and find out the various tool functionalities
See https://toolcatalog.nist.gov/taxonomy/
Visit the following web site and study various tools
https://forensicswiki.xyz/wiki/index.php?title=Tools
References
Nelson, Amelia Philips, Christopher Steuart, "Guide to Computer
Forensics and Investigations", Fifth Edition, 2015.
Wikipedia