Understanding FAT12. Introduction to Computer Forensics. Kessler/Schirling

Transcription

1 Understanding FAT12 Introduction to Computer Forensics Kessler/Schirling Fall 2002

2 EXP 248 Project #3 You have a floppy disk image file Examine floppy to find an address and a password, and verify MD5 hash Meta-project This project is based on a forensic challenge posted on the Internet, October 2002 That problem was to find, examine, and open three files on a floppy disk Gary C. Kessler,

3 Hexadecimal Dec. Hex 0 0x0 1 0x1 2 0x2 3 0x3 4 0x4 5 0x5 6 0x6 7 0x7 8 0x8 9 0x9 10 0xa 11 0xb 12 0xc 13 0xd 14 0xe 15 0xf 16 0x10 To convert a hex (base 16) number to decimal (base 10), multiply each column by the appropriate power of E.g., convert 0x1ab5 to decimal... 0x1ab5 = = = = 6837 Gary C. Kessler,

4 Disk Geometry Terms Byte - Basic unit of storage (8 bits) Sector - Organizational grouping of bytes on the media 512B/sector on a floppy Cluster - Smallest read/write unit for efficient operation 1 cluster = 1 sector on a floppy Gary C. Kessler,

5 Basic Disk Layout Sector 0 is the Boot Sector B/S points to FAT1, FAT2, Root Directory Boot Sector followed by FAT1 and FAT2 FATs contain linked lists indicating clusters assigned to files FAT2 followed by Root Directory RootDir contains names of files (and directories), starting cluster, length The starting cluster points to a cluster of data on the medium and an entry in the FATs Gary C. Kessler,

6 B/S, FAT, Root Directory, & Files Boot Sector -FAT type -FAT size - Root Directory size Root Directory tyui.jpg - start cluster = 3 - length = 3 mes.doc - start cluster = 5 - length = 2 Sector 0 FAT1/FAT2 0: <unused> 1: <unused> 2: <end> 3: 4 4: 2 5: 6 6: <end> 7: <unused> B/S FAT1 FAT2 RootDir File tyui.jpg occupies clusters 3, 4, and 2; it has a physical size of 1,536 bytes. File mes.doc occupies clusters 5 and 6; it has a physical size of 1,024 bytes. Gary C. Kessler,

7 Copy Image to Floppy Note that we see only two files... although we've been told that there are three! Gary C. Kessler,

8 Sector Assignments I Sector(s) Address Function 0 0x0000-0x01ff Boot Sector 1-? 0x0200-0x???? File Allocation Table (primary)? File Allocation Table (secondary)? Root Directory? File storage space The basic format of media is well defined. The Boot Sector is always at the first sector (0) and it is followed by the primary FAT. The Boot Sector will identify the file system, FAT tables size, cluster size, etc. Gary C. Kessler,

9 Boot Sector Gary C. Kessler,

10 No. of FATS (2) Boot Sector Interpretation Maximum No. of Root Directory Entries (0x00e0 = 224) Name string (MSDOS5.0) Bytes/sector (0x0200 = 512) Sectors/cluster (1) 0000 eb 3c 90 4d f e ë<.msdos e b f à.@.ð cf cd b1 c4 4e 4f 20 4e 41...)ÏͱÄNO NA d c9 ME FAT12 3É e d1 bc f0 7b 8e d9 b e c0 fc bd 00 7c.Ѽð{.Ù..Àü½ e 24 7d 24 8b c1 99 e8 3c c 83 eb 3a 8N$}$.Á.è<.r..ë: a1 1c 7c b a 57 fc ca f. &f;.&.wüu..ê Total sectors (0x0b40 = 2880, or 1.44MB) Media Descriptor (0xf0 = removable) Volume Label ("NO NAME ") FAT Id. ("FAT12 ") No. of Sectors/FAT (0x0009= 9) Gary C. Kessler,

11 Capacity of this Medium FAT12 allocates 12 bits per FAT entry Limits addressing to 4,096 (2 12 ) clusters This floppy is configured so that: 1 cluster = 1 sector 1 sector = 512B This FAT12 table is limited in capacity to 2,097,152 bytes (2MB) The device itself is only 2880 sectors (1.44MB) Gary C. Kessler,

12 Sector Assignments II Sector(s) Address Function 0 0x0000-0x01ff Boot Sector 1-9 0x0200-0x13ff File Allocation Table (primary) x1400-0x25ff File Allocation Table (secondary) x2600-0x41ff Root Directory x4200- File storage space 0x167fff NOTES: Boot Sector is 1 sector (0x200 bytes) There are two FATs, each 9 sectors (0x1200 bytes) The Root Directory can contain 224 entries, each 32 bytes (7168, or 0x1c00, bytes; 14 sectors) File storage starts at sector #33 ( ), byte #0x4200 (0x200+0x1200+0x1200+0x1c00) Gary C. Kessler,

13 Root Directory The Root Directory starts at sector 19, byte offset 0x2600, and is a series of entries describing files. Each file requires three 32B entries; the first two contain the file's long filename and the last entry contains the short (8.3) filename, attributes, timestamp, start cluster, and size. The first byte of the entry is the usage indicator: 0x00 - entry never been used 0xe5 - file has been deleted The start cluster in the directory entry points to the first cluster of the data on the medium and acts as a pointer to the cluster linked list in the FAT. Gary C. Kessler,

14 Sample Root Directory Entry Filename (COVERP~1) Extension (JPG) Attributes (0x20=Archive-bit) 26a0 43 4f e 31 4a d 4d 46 COVERP~1JPG.mMF 26b0 2b 2d 2b 2d da 43 2b 2d a4 01 e1 3c ÚC+-.á<.. Time (0x43da = = 08:30:52) hour* minute*32 + seconds/2 Date (0x2d2b = = 9/11/2002) (year-1980)*512 + month*32 + day Start Cluster (0x01a4 = 420) Cluster linked list starts at 0x277 (631) bytes offset into the FAT File Size (0x00003ce1 = 15,585 bytes) 15,585B = byte sectors Gary C. Kessler,

15 Root Directory Summary File Name Starting Cluster Length Offset into FAT?IMMYJ~1.DOC 0x0002 (2) 20,480 (40 sectors) 0x4 (4) COVERP~1.JPG 0x01a4 (420) 15,585 (31 sectors) 0x277 (631) SCHEDU~1.EXE 0x0049 (73) 1,000 (2 sectors) 0x6e (110) Offset into FAT is (starting_cluster*3/2 + 1). This is where the link to the next cluster in the file is located. Gary C. Kessler,

16 File Allocation Tables FAT table entries are "packed" so that two cluster entries occupy three bytes with the following general format: yz Zx XY where xyz is the one pointer entry and XYZ is the second pointer entry. E.g., bytes : 2d e0 02 refer to clusters 0x02d (45) and 0x02e (46) Primary FAT starts at sector 1, byte 0x200 (shown here) Secondary FAT starts at sector 10, byte offset 0x1400 The starting cluster in the directory is also a pointer into the FATs linking to the next cluster in the file Gary C. Kessler,

17 Interpreting the FAT ff af 04 4b 0270 c0 04 4d f0 ff À.Mðÿ... The Primary FAT starts at Sector 1, byte #0x0200. Suppose a file has a starting cluster of 0x49 (73). The file starts on the media at cluster #73 The FAT entry pointing to the next cluster is in the FAT at byte #(73* ) = 110 (0x6e) Since the FAT starts at 0x0200, the FAT entry for this file is at 0x026e Example: 1. 1st cluster is 0x49 (73). FAT entry starts at high-order nibble of 0x026e (110) = 0x04a (74) 2. 2nd cluster is 0x4a (74). FAT entry starts at low-order nibble of 0x0270 (112) = 0x04b (75) 3. 3rd cluster is 0x04b (75). FAT entry starts at high-order nibble of 0x0271 (113) = 0x04c (76) 4. 4th cluster is 0x04c (76). FAT entry starts at low-order nibble of 0x0273 (115) = 0x04d (77) 5. 5th cluster is 0x04d (77). FAT entry starts at high-order nibble of 0x0274 (116) = 0xfff (end of list) The physical size of this file is five clusters (2560 bytes), and occupies clusters 73, 74, 75, 76, and 77 on the medium. (It is merely a coincidence that the clusters are contiguous.) Gary C. Kessler,

18 Actually Finding the Data! To find the actual location on the medium, the logical cluster number has to be converted to a physical sector number Subtract 2 from the logical cluster number Multiply by the number of sectors per cluster (1) Add to first data sector (33) Bottom line: Figure out the cluster number and add 31 to get physical location! Gary C. Kessler,

19 The Actual Analysis We know that there are at least three files on the floppy. How do we get to them??immyj~1.doc COVERP~1.JPG SCHEDU~1.EXE Gary C. Kessler,

20 Recover?IMMYJ~1.DOC We know that the file is deleted because the first byte in the directory entry is 0xe5 Offset into FAT is 0x4 Cluster list starts at 0x f0 ff ff ðÿÿ... These FAT locations are 0x000 (unused) Need to recover this file using undelete tool or examination with a hex editor Gary C. Kessler,

21 Hex Dump of?immyj~1.doc We find the signature of an Office file (0xd0-cf-11-eo-a1-b1-1a-e1) at sector 33 (0x4200) and continuing through sector 72 (0x91ff). This corresponds to the 40 sectors advertised as the length in the directory entry for the deleted file. If we extract that information and open as a file in Word we find... Gary C. Kessler,

22 The Incriminating Letter Gary C. Kessler,

23 Examine COVERP~1.JPG Starting cluster is given as 0x01a4 (420) FAT table is empty at offset 0x277 (631) Note that there is an unknown entry for cluster 0x02b (43) starting at byte 0x0240 in the FAT b c0 02 2d e0 02 2f a0 03 3b c0 03 3d e0 03 3f ;À.=à.? ff af 04 4b This is an offset of 0x40 (64) bytes into the FAT and would correspond to a starting cluster value of 0x2a (42)!! Gary C. Kessler,

24 Finding COVERP~1.JPG Length given by DIR command and directory entry is 15,585 bytes (31 sectors) We will assume that The starting cluster value has been altered, and is really 0x2a (42) The cluster linked list starts at 0x0240 (value 0x02b) b c0 02 2d e0 02 2f a0 03 3b c0 03 3d e0 03 3f ;À.=à.? ff af 04 4b We find that the file is in 31 contiguous sectors 0x02a (42) through 0x048 (72) Gary C. Kessler,

25 Hex Dump of COVERP~1.JPG File starts at sector 73, as guessed -- we calculated the start at sector 42 but remember to add 31! Note that the file signature FF D8 FF E A (particularly the string JFIF) is a sign that this is a JPEG file. Gary C. Kessler,

26 The Incriminating Graphic Gary C. Kessler,

27 Examine SCHEDU~1.EXE Starting cluster is given as 0x0049 (73); valid FAT entries are found at 0x026e ff af 04 4b 0270 c0 04 4d f0 ff À.Mðÿ... Following the linked list in the FAT shows that this file is located at clusters 0x49 thru 0x4d (73-77) True location is clusters The directory entry for this file shows a length of 1000 bytes (2 sectors); true length appears to be 5 sectors (2560 bytes) Gary C. Kessler,

28 Hex Dump of SCHEDU~1.EXE File starts, as expected, at sector 104. Note the file signature at the beginning: 50 4B (the string PK), indicative of a ZIP file. Note also the file name shown in the header, Scheduled Visits.xls, suggesting that this archive contains an Excel spreadsheet. But why is there a.exe extension? Remember that the file extension is not a definitive indicator of file type! Gary C. Kessler,

29 Definitely Not Executable... Gary C. Kessler,

30 Opening With WinZIP Opening with WinZIP shows the name of the compressed file Scheduled visits.xls... but the "+" indicates that the file is password protected. The recovered letter alludes to a previously used password: "I ed you the schedule... To open it, use the same password that you sent me before with that file." Gary C. Kessler,

31 Searching for Hidden Text Search for hints or clues to the password. Looking for meaningful text strings by scrolling through media is one approach, as is specific text searches. Search on keyword password returned nothing, as did keyword pass. The string pw, however, had a hit! This is located in unused space in the sector preceding SCHEDU~1.EXE. Gary C. Kessler,

32 Applying the Password goodtimes Gary C. Kessler,

33 The Incriminating Spreadsheet Gary C. Kessler,

34 Sector Assignments III Sector(s) Address Function 0 0x0000-0x01ff Boot Sector 1-9 0x0200-0x13ff File Allocation Table (primary) x1400-0x25ff File Allocation Table (secondary) x2600-0x41ff Root Directory x4200-0x91ff DATA:?IMMYJ~1.DOC x9200-0xcfff DATA: COVERP~1.JPG xd000-0xd9ff DATA: SCHEDU~1.EXE xda00-0x167dff DATA: All bytes set to 0xf x167e00-0x167fff DATA: All bytes set to 0x00 Gary C. Kessler,

35 Summary Three files found on the medium JIMMYJ~1.DOC (Word file) Deleted COVERP~1.JPG (JPEG graphics file) Starting cluster altered in Root Directory SCHEDU~1.EXE (ZIP archive with Excel file) File extension changed Password-protected File size altered in Root Directory Gary C. Kessler,

36 Conclusion In-depth analysis of a floppy can be done manually... just barely Analysis of a large hard drive requires automated tools Gary C. Kessler,