Extending The Sleuth Kit and its Underlying Model for Pooled Storage File System Forensic Analysis

Similar documents
Copyright 2016 Ramez Elmasri and Shamkant B. Navathe

CSC 220: Computer Organization Unit 11 Basic Computer Organization and Design

Data Warehousing. Paper

Chapter 9. Pointers and Dynamic Arrays. Copyright 2015 Pearson Education, Ltd.. All rights reserved.

Task scenarios Outline. Scenarios in Knowledge Extraction. Proposed Framework for Scenario to Design Diagram Transformation

Security of Bluetooth: An overview of Bluetooth Security

Chapter 1. Introduction to Computers and C++ Programming. Copyright 2015 Pearson Education, Ltd.. All rights reserved.

Architectural styles for software systems The client-server style

Operating System Concepts. Operating System Concepts

Schema for the DCE Security Registry Server

n Some thoughts on software development n The idea of a calculator n Using a grammar n Expression evaluation n Program organization n Analysis

Chapter 11. Friends, Overloaded Operators, and Arrays in Classes. Copyright 2014 Pearson Addison-Wesley. All rights reserved.

Avid Interplay Bundle

Recursion. Recursion. Mathematical induction: example. Recursion. The sum of the first n odd numbers is n 2 : Informal proof: Principle:

Τεχνολογία Λογισμικού

Morgan Kaufmann Publishers 26 February, COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Interface. Chapter 5.

Chapter 4 Threads. Operating Systems: Internals and Design Principles. Ninth Edition By William Stallings

Goals of the Lecture UML Implementation Diagrams

Chapter 24. Sorting. Objectives. 1. To study and analyze time efficiency of various sorting algorithms

VISUALSLX AN OPEN USER SHELL FOR HIGH-PERFORMANCE MODELING AND SIMULATION. Thomas Wiedemann

A New Morphological 3D Shape Decomposition: Grayscale Interframe Interpolation Method

Protected points in ordered trees

EE123 Digital Signal Processing

Lecture Notes 6 Introduction to algorithm analysis CSS 501 Data Structures and Object-Oriented Programming

Chapter 10. Defining Classes. Copyright 2015 Pearson Education, Ltd.. All rights reserved.

Review: The ACID properties

GE FUNDAMENTALS OF COMPUTING AND PROGRAMMING UNIT III

TUTORIAL Create Playlist Helen Doron Course

Bayesian approach to reliability modelling for a probability of failure on demand parameter

What are we going to learn? CSC Data Structures Analysis of Algorithms. Overview. Algorithm, and Inputs

Morgan Kaufmann Publishers 26 February, COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Interface. Chapter 5

WYSE Academic Challenge Sectional Computer Science 2005 SOLUTION SET

Getting Started. Getting Started - 1

Empirical Validate C&K Suite for Predict Fault-Proneness of Object-Oriented Classes Developed Using Fuzzy Logic.

Appendix D. Controller Implementation

Chapter 4. Procedural Abstraction and Functions That Return a Value. Copyright 2015 Pearson Education, Ltd.. All rights reserved.

Lecture 28: Data Link Layer

CIS 121 Data Structures and Algorithms with Java Spring Stacks and Queues Monday, February 12 / Tuesday, February 13

Lecture 5. Counting Sort / Radix Sort

The Magma Database file formats

Digital Investigation

CMSC Computer Architecture Lecture 12: Virtual Memory. Prof. Yanjing Li University of Chicago

Baan Tools User Management

COP4020 Programming Languages. Functional Programming Prof. Robert van Engelen

Overview. Chapter 18 Vectors and Arrays. Reminder. vector. Bjarne Stroustrup

Polynomial Functions and Models. Learning Objectives. Polynomials. P (x) = a n x n + a n 1 x n a 1 x + a 0, a n 0

Basic allocator mechanisms The course that gives CMU its Zip! Memory Management II: Dynamic Storage Allocation Mar 6, 2000.

l-1 text string ( l characters : 2lbytes) pointer table the i-th word table of coincidence number of prex characters. pointer table the i-th word

Identification of the Swiss Z24 Highway Bridge by Frequency Domain Decomposition Brincker, Rune; Andersen, P.

Using the Keyboard. Using the Wireless Keyboard. > Using the Keyboard

CSE 2320 Notes 8: Sorting. (Last updated 10/3/18 7:16 PM) Idea: Take an unsorted (sub)array and partition into two subarrays such that.

1. SWITCHING FUNDAMENTALS

CAEN Tools for Discovery

A SOFTWARE MODEL FOR THE MULTILAYER PERCEPTRON

Chapter 5. Functions for All Subtasks. Copyright 2015 Pearson Education, Ltd.. All rights reserved.

Message Integrity and Hash Functions. TELE3119: Week4

Software development of components for complex signal analysis on the example of adaptive recursive estimation methods.

Big-O Analysis. Asymptotics

HADOOP: A NEW APPROACH FOR DOCUMENT CLUSTERING

Creating Exact Bezier Representations of CST Shapes. David D. Marshall. California Polytechnic State University, San Luis Obispo, CA , USA

CIS 121. Introduction to Trees

. Written in factored form it is easy to see that the roots are 2, 2, i,

Politecnico di Milano Advanced Network Technologies Laboratory. Internet of Things. Projects

Python Programming: An Introduction to Computer Science

why study sorting? Sorting is a classic subject in computer science. There are three reasons for studying sorting algorithms.

1 Enterprise Modeler

Computers and Scientific Thinking

Graphic Standards for District Identification. September, 2012

Elementary Educational Computer

Oracle Server. What s New in this Release? Release Notes

K-NET bus. When several turrets are connected to the K-Bus, the structure of the system is as showns

CMSC Computer Architecture Lecture 10: Caches. Prof. Yanjing Li University of Chicago

IMP: Superposer Integrated Morphometrics Package Superposition Tool

Heaps. Presentation for use with the textbook Algorithm Design and Applications, by M. T. Goodrich and R. Tamassia, Wiley, 2015

Improving Template Based Spike Detection

BASED ON ITERATIVE ERROR-CORRECTION

Pseudocode ( 1.1) Analysis of Algorithms. Primitive Operations. Pseudocode Details. Running Time ( 1.1) Estimating performance

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe

COSC 1P03. Ch 7 Recursion. Introduction to Data Structures 8.1

A Comparative Study of Positive and Negative Factorials

CIS 121 Data Structures and Algorithms with Java Spring Stacks, Queues, and Heaps Monday, February 18 / Tuesday, February 19

EFFECT OF QUERY FORMATION ON WEB SEARCH ENGINE RESULTS

c-dominating Sets for Families of Graphs

What are Information Systems?

University of Waterloo Department of Electrical and Computer Engineering ECE 250 Algorithms and Data Structures

The isoperimetric problem on the hypercube

CS200: Hash Tables. Prichard Ch CS200 - Hash Tables 1

Pruning and Summarizing the Discovered Time Series Association Rules from Mechanical Sensor Data Qing YANG1,a,*, Shao-Yu WANG1,b, Ting-Ting ZHANG2,c

A Parallel DFA Minimization Algorithm

Transitioning to BGP

On Nonblocking Folded-Clos Networks in Computer Communication Environments

Understanding the Federal IT Security Professional (FITSP) Certification

Floristic Quality Assessment (FQA) Calculator for Colorado User s Guide

WEBSITE STRUCTURE IMPROVEMENT USING ANT COLONY TECHNIQUE

Priority Queues. Binary Heaps

Evaluation scheme for Tracking in AMI

Lazy Type Changes in Object-oriented Database. Shan Ming Woo and Barbara Liskov MIT Lab. for Computer Science December 1999

The CCITT Communication Protocol for Videophone Teleconferencing Equipment

Guide to Applying Online

An Improved Shuffled Frog-Leaping Algorithm for Knapsack Problem

Transcription:

Extedig The Sleuth Kit ad its Uderlyig Model for Pooled File System Foresic Aalysis Frauhofer Istitute for Commuicatio, Iformatio Processig ad Ergoomics Ja-Niclas Hilgert* Marti Lambertz Daiel Plohma ja-iclas.hilgert@fkie.frauhofer.de marti.lambertz@fkie.frauhofer.de daiel.plohma@fkie.frauhofer.de Frauhofer FKIE

Digital Foresic Aalysis Slide 2 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

File Systems Defie how data is read from ad writte to a storage device Utilize metadata to keep order of the data stored File systems differ i may aspects NTFS EXT2FS HFS Extesive backgroud kowledge is required for a foresic aalysis But ot always existet Slide 3 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

File System Foresic Aalysis De-Facto Stadard Model Physical Media Aalysis Sectors of Data Uiversal model for a file system foresic aalysis Aalysis Preseted by Bria Carrier i 2005 Cosists of four iterdepedet steps Implemeted i The Sleuth Kit File System Aalysis File Applicatio Aalysis Slide 4 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

File System Foresic Aalysis De-Facto Stadard Model Physical Media Aalysis Sectors of Data Works great o a lot of established file systems EXT2FS Aalysis NTFS HFS File System Aalysis File Problem: It has t bee reviewed or chaged sice its publicatio Applicatio Aalysis Slide 5 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

File System Foresic Aalysis Tryig TSK o ZFS jhilgert:zpool$ fsstat disk1 Caot determie file system type Slide 6 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Pooled File Systems Old File System Mappig FAT32 NTFS Ext4 Block Block Block devices (hard drives, solid state drives...) are somehow used to create ew block devices Oe file system is assiged to oe of these block devices Slide 7 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Pooled File Systems New Approach Pool s are combied to form a storage pool Its cofiguratio depeds completely o the implemetatio File systems share the available space from the storage pool Slide 8 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Requiremets Detect Pool Members Pool Slide 9 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Requiremets Detect Pool Members Pool Slide 10 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Requiremets Detect Pool Cofiguratios Pool Slide 11 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Requiremets Aalyze a Complete Pool Pool Slide 12 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Requiremets Access Correct Offsets o Physical Disks Pool Slide 13 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Requiremets Access All Data Pool Slide 14 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Requiremets Deal with Icomplete Pools Pool Slide 15 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

File System Foresic Aalysis Phyiscal Media Aalysis Physical Media Aalysis Sectors of Data Acquisitio of data from storage devices Aalysis Data is oly see as a sequece of bytes No chage ecessary File System Aalysis File Applicatio Aalysis Slide 16 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

File System Foresic Aalysis Applicatio Aalysis Physical Media Aalysis Sectors of Data Performs a applicatio-level aalysis of the acquired files Aalysis Works o already recovered ad collected files File System Aalysis File No chage ecessary Applicatio Aalysis Slide 17 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Aalysis Physical Media Aalysis Sectors of Data Data is searched for its uderlyig volume structure Aalysis Returs detected volumes (block devices) File System Aalysis File Applicatio Aalysis Slide 18 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Aalysis Physical Media Aalysis Sectors of Data Pooled storage file systems implemet their ow volume maager Aalysis Established volume maagers are still used s ca also be part of a pool File System Aalysis File aalysis is still ecessary Applicatio Aalysis Slide 19 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Pool Aalysis Physical Media Aalysis Sectors of Data Aalysis Recostructed Pool File Pool System Aalysis File s or data eed to be aalyzed for possible pool membership Usig the file systems volume maager results i a recostructed pool Applicatio File System Aalysis File Oly high-level access No file system aalysis possible Applicatio Aalysis Slide 20 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Pool Aalysis Physical Media Aalysis Sectors of Data Aalysis Recostructed Pool Pool Aalysis Pool (Direct Access) Pool Member File system data ad metadata is essetial for a file system aalysis Direct access to the pool ad its members is required File System Aalysis File Mappig schema of the file system eeds to be kow Applicatio Aalysis Slide 21 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Pool Aalysis Physical Media Aalysis Sectors of Data Aalysis Recostructed Pool Pool Aalysis Pool (Direct Access) Pool Member s do ot eed to be part of a pool Importat: Pool aalysis is file system depedet File System Aalysis File Applicatio Aalysis Slide 22 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model File System Aalysis Physical Media Aalysis Sectors of Data Aalysis Recostructed Pool Pool Aalysis Pool (Direct Access) Pool Member Each volume is searched for a file system File system aalysis ca be performed o the pool with direct access File System Aalysis File Applicatio Aalysis Slide 23 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Extesio of the Stadard Model Exteded Model Physical Media Aalysis Sectors of Data Aalysis Recostructed Pool Pool Aalysis Pool (Direct Access) Pool Member Prototypically implemeted for ZFS File System Aalysis File Applicatio Aalysis Slide 24 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Pooled File Systems ZFS Maagemet First preseted i 2003 (more tha a decade ago) Available for major platforms like Solaris, FreeBSD, Liux, MacOS ZFS combies multiple volumes ito a storage pool Pool members are idetified by four vdev-labels L1 L2 Data L3 L4 (Vdev) Slide 25 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Pooled File Systems ZFS Maagemet Pools i ZFS cosist of oe or more top-level virtual devices (vdevs) Data is striped across all of these top-level vdevs Data ZFS Pool Top-Level Vdev Top-Level Vdev Top-Level Vdev Slide 26 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Pooled File Systems ZFS Maagemet Top-level vdevs are made up of childre Differet types of top-level vdevs are supported by ZFS Each top-level vdev is addressed usig its ID ZFS Pool Top-Level Top-Level Top-Level Mirror Disk / File RaidZ Vdev ID: 0 Vdev ID: 1 Vdev ID: 2 Child Child Child Child Child Child Slide 27 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Pooled File Systems ZFS Geeral Structure is represeted i a tree-structure Überblock is the head of this tree Überblock Überblock Utilizes the copy-o-write priciple Metadata Metadata Metadata Data Data Data Data Data Block poiters refer to variable-sized blocks of data Data is addressed by usig Data Virtual Addresses (DVAs) Top-level Vdevs Mappig Offsets Slide 28 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Evaluatio Evaluatio Pool Use multiple umbers of disks i multiple cofiguratios Two simple disks Oe mirror with two childre Oe raidz1 with three childre EvaluatioPool disk disk mirror raidz1 Slide 29 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Cotributio & Future Research Extesio of The Sleuth Kit for pooled storage file systems Digital foresic aalysis of ZFS Accessig older versios of the ZFS copy-o-write tree Dealig with icomplete pools Further ivestigatios o other ZFS structures: ZFS Itet Log (ZIL) L2ARC Implemetatios for other pooled storage file systems BTRFS, ReFS, APFS Slide 30 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

Thaks for your attetio! https://github.com/fkie-cad/sleuthkit Slide 31 Cyber Aalysis & Defese Departmet, Frauhofer FKIE

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback