File Systems Forensics


Section II. Basic Forensic Techniques and Tools
CSF: Forensics Cyber-Security, MSIDC, Spring 2017
Nuno Santos

Summary
- Analysis of file systems
- Recovery of deleted files

Recall from the last class: how do we analyze files' contents?

What's exactly a disk image?
- A disk image is a linearized bit-copy of a given hard disk
- Typically stored as a single (large) file
  (Figure: Mr. Victor's desktop computer, 100GB hard disk, copied bit by bit into a disk image file of 100GB size)
- A disk image can be stored elsewhere for future analysis
2015/16

What do we see if we open a disk image?
(Figure: two panels, "This is what we see" next to "This is what we'd expect to see")
- Why this difference?

Data is organized on disk in layers of abstraction
- The highest level of abstraction is closer to what the user sees:
  - File is the highest level
  - Block device is the lowest
  (Figure: layers from top to bottom: file, file system, partition / volume, block device, disk image)
- File systems and volumes bridge the gap between layers
- Disk images collect a snapshot at the block device level
  - Contains file data and file system / volume meta-data
- Forensic analysts must interpret data bottom up from disk images

Main challenges in forensic disk analysis
- Find visible data
  - If we collect an image of a disk, how can we make any sense out of it and extract useful data files?
- Find deleted data
  - If data files are deleted, is it still possible to recover them? How?

Interpretation of file systems

From a disk image, how can we recover its files?
- Challenge: the abstraction layer is too low level
  - Disk image files provide a snapshot at the disk drive level
- How can we interpret the data in the images in order to view the files and directories in the way we are used to?
- For that, we need to understand how the data is organized in storage systems

Hard disks
- Most forensic data is stored on hard disk drives
- In commercial use since 1956

Hard disk basic terminology
- Head: the device which reads and writes data on the disk
- Track: the individual circles on a disk platter where data are located
- Cylinder: a column of tracks on a disk drive with 2 or more platters
- Sector: an individual section of data on a track; the smallest amount of data which can be written to the disk, usually 512 bytes
- Disk capacity = #cylinders * #heads * #sectors * sector_size

Disk addressing scheme
- Arrange every sector of the disk into a sequential array
  (Figure: sector / block addresses 0, 1, ..., 209 715 200, assuming sector size = 512 bytes and disk size = 100GB)
- Logical Block Address (LBA)
  - Independent from the physical geometry of the disk drive
  - The first block on the disk is numbered 0, the next is 1, ...
  - Most modern drives use this scheme

The disk is the lowest level of abstraction
(Figure: layers file, file system, partition / volume, block device, disk image)
- Then come partitions / volumes

Partitions
- The logical address space of a disk is usually split into collections of consecutive sectors called partitions
- Partitions are used in many scenarios, including:
  - Some file systems have a maximum size smaller than hard disks
  - Many laptops put to sleep store memory on a special partition
  - Separate partitions for booting multiple OSes

Partitions from the user's perspective
(Figure: snapshot of the Windows disk management tool)

Partitioning methods
- OS and hardware platform use different partitioning methods
- Typical partition systems have tables; entries describe partitions
  - A table entry has the starting sector, the ending sector, and the type of the partition
- Where is this table actually stored?

Partition table is meta-data to be stored on disk
- The layout of the partition table on disk depends on the partition system employed
- The most commonly encountered partition system is the DOS-style partition
- DOS partitions are used with: Microsoft Windows, Linux, and IA32-based FreeBSD and OpenBSD systems

DOS partitioning scheme
- A disk that is organized using DOS partitions has an MBR in the first 512-byte sector
- The MBR has a partition table with 4 entries, one per partition
(Figure: Master Boot Record; a basic DOS disk with two partitions and the MBR)

Expected layout when opening a disk image
(Figure: Disk 1 = MBR, Partition 1 (ext3), Partition 2 (swap), Partition 3 (NTFS), Partition 4 (FAT32))

MBR layout:
  Address (hex)  Address (dec)  Description          Size (bytes)
  0x000          0              Bootstrap code area  446
  0x1BE          446            Partition Entry #1   16
  0x1CE          462            Partition Entry #2   16
  0x1DE          478            Partition Entry #3   16
  0x1EE          494            Partition Entry #4   16
  0x1FE          510            Magic Number         2
                                Total:               512
Each partition entry includes the starting LBA and the length of the partition.
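The MBR layout above is enough to write a small parser. The following is an added example, not code from the lecture or from any forensic toolkit: it reads the four 16-byte entries at offset 0x1BE, checks the 0x55AA magic number, decodes both the LBA and the legacy CHS start/end fields, and then runs the sanity checks an analyst applies to a partition table (entries inside the disk, no overlaps, CHS agreeing with LBA). The sample MBR, the partition type codes and the 255-head / 63-sector geometry used for CHS conversion are constructed assumptions for the example.

```python
"""Parse a DOS-style MBR and sanity-check its partition table (added example)."""
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = 0xAA55          # bytes 55 AA at offset 0x1FE, read little-endian
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte entries, as in the layout table
# A few well-known partition type codes (enough for the constructed sample).
PARTITION_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x82: "Linux swap", 0x83: "Linux (ext3)"}
# Legacy CHS geometry assumed for CHS <-> LBA conversion (constructed assumption).
HEADS, SECTORS_PER_TRACK = 255, 63


def chs_to_lba(cylinder, head, sector):
    """CHS -> LBA: CHS sectors are numbered from 1, LBAs from 0."""
    return (cylinder * HEADS + head) * SECTORS_PER_TRACK + (sector - 1)


def lba_to_chs(lba):
    cylinder, rest = divmod(lba, HEADS * SECTORS_PER_TRACK)
    head, sector0 = divmod(rest, SECTORS_PER_TRACK)
    return cylinder, head, sector0 + 1


def decode_chs(raw3):
    """Packed 3-byte CHS field: byte0 = head, byte1 = sector (bits 0-5) and
    cylinder high bits (bits 6-7), byte2 = cylinder low byte."""
    head = raw3[0]
    sector = raw3[1] & 0x3F
    cylinder = ((raw3[1] & 0xC0) << 2) | raw3[2]
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    (sig,) = struct.unpack_from("<H", mbr, 0x1FE)
    if sig != MBR_SIGNATURE:
        raise ValueError("bad MBR signature 0x%04X" % sig)
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        e = mbr[off:off + 16]
        ptype = e[4]
        start_lba, length = struct.unpack_from("<II", e, 8)
        if ptype == 0 and length == 0:
            continue  # unused slot
        entries.append({
            "index": i + 1, "bootable": e[0] == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "chs_start": decode_chs(e[1:4]), "chs_end": decode_chs(e[5:8]),
            "start_lba": start_lba, "sectors": length,
            "end_lba": start_lba + length - 1,
        })
    return entries


def check_layout(entries, disk_sectors):
    """Sanity checks an analyst runs: bounds, overlaps, CHS/LBA agreement."""
    issues = []
    ordered = sorted(entries, key=lambda p: p["start_lba"])
    for p in ordered:
        if p["end_lba"] >= disk_sectors:
            issues.append("partition %d extends past end of disk" % p["index"])
        if chs_to_lba(*p["chs_start"]) != p["start_lba"]:
            issues.append("partition %d: CHS start disagrees with LBA start" % p["index"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start_lba"] <= a["end_lba"]:
            issues.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return issues


def make_entry(bootable, ptype, start_lba, sectors):
    """Build one 16-byte partition entry (constructed sample data)."""
    return (bytes([0x80 if bootable else 0x00]) + encode_chs(*lba_to_chs(start_lba))
            + bytes([ptype]) + encode_chs(*lba_to_chs(start_lba + sectors - 1))
            + struct.pack("<II", start_lba, sectors))


def build_sample_mbr():
    """Constructed MBR mirroring the slide's Disk 1: ext3, swap, NTFS, FAT32."""
    table = (make_entry(True, 0x83, 2048, 20480) + make_entry(False, 0x82, 22528, 4096)
             + make_entry(False, 0x07, 26624, 40960) + make_entry(False, 0x0B, 67584, 8192))
    return bytes(446) + table + struct.pack("<H", MBR_SIGNATURE)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p["index"], p["type_name"], p["start_lba"], p["end_lba"], "boot" if p["bootable"] else "")
    print("issues:", check_layout(parts, disk_sectors=81920))
```

On a real image the first 512 bytes of the file are passed to parse_mbr; the disk size in sectors comes from the image file size divided by 512. A non-empty issue list is the cue to stop trusting the table and look for a GPT, a second partition system, or deliberate tampering.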

We've covered the partition abstraction layer
(Figure: layers file, file system, partition / volume, block device, disk image)
- Then come file systems

File systems
- How are files stored within a partition?
- Problem:
  - Files are arbitrarily long sequences of bytes
  - Disks can only write / read fixed-sized sectors
- How to map file contents to sectors?
- Do we require all sectors to be allocated contiguously?
- Files must have names. How to associate names with files?
- These issues are addressed by file systems

The FAT file system
- Simple file system popularized by MS-DOS
  - First introduced in 1977
  - Most devices today use the FAT32 spec from 1996
  - FAT12, FAT16, FAT32, etc.
- Still quite popular today
  - Default format for USB sticks and memory cards
  - Used for EFI boot partitions
- The name comes from the index table used to track directories and files, named File Allocation Table (FAT)

FAT: Where file data is stored
- File content is stored in data units named clusters
  (Figure: sectors grouped into clusters; 1 cluster = 8 sectors)
- Sector
  - Minimum storage size on a hard drive
  - One pie-shaped arc of a platter
  - Common storage size of 512 bytes
  - Established during low-level formatting
  - Numbered sequentially starting at 1
- Cluster
  - Minimum storage size for a file, as determined by the file system
  - Common cluster size is 4096 bytes (4KB) = 8 sectors

FAT: How file data is tracked
- The high-level idea is: for each file, keep track of:
  - Its name
  - The clusters that are allocated to it
  - The total file size
(Figure: clusters 33 to 36, with file content ("bla bla") in clusters 34 and 36; record: Name: file1.dat, Size: 4000 bytes, Clusters: cluster #34, cluster #36)

FAT: The directory and FAT data structures
(Figure, reconstructed as text:)
  Directory entry:  file1.dat | 4000 bytes | cluster 34
  FAT structure:    index 32: -  33: -  34: 36  35: -  36: EOF  37: -
  Clusters:         file1.dat occupies cluster 34 and cluster 36
- The index in the FAT corresponds to a cluster number

FAT: Directory entry points to the file's first cluster
(Same figure: the directory entry "file1.dat, 4000 bytes, cluster 34" points to cluster 34, the first cluster of the file)

FAT: FAT entry points to the next cluster of the file
(Same figure: FAT[34] = 36 leads to cluster 36, and FAT[36] = EOF)
- An EOF in the FAT means that the file ending was reached

FAT: Multiple files
(Figure, reconstructed as text:)
  Directory entries:  file1.dat | 4000 bytes | cluster 34
                      file2.txt |  100 bytes | cluster 33
  FAT structure:      index 32: -  33: EOF  34: 36  35: -  36: EOF  37: -

FAT: Directory structure
- There is a specific data area for the root directory
- Subdirectories are stored in clusters like files are
(Figure: volume regions Boot Sector | FAT | Root Directory | Data Area. The root directory entry "dir1" points to cluster 90; cluster 90 holds the entry "File1.txt" pointing to cluster 200; cluster 200 contains "Cluster with the new content that was just created in the directory", FAT[200] = 201; cluster 201 contains "This is more data that couldn't fit into the first cluster", FAT[201] = EOF)
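The directory-entry-plus-FAT walk of the last few slides, carried out in code. This is an added example and not part of the lecture: it decodes 32-byte 8.3 directory entries (name, attributes, first cluster at offset 26, size at offset 28, the standard layout), follows FAT16 links until an end-of-chain value, and reports the slack space between the logical end of the file and the end of its last cluster, which is where an analyst looks for leftover data. It also shows the standard FAT deletion behaviour: the first name byte becomes 0xE5 and the FAT links are cleared, but the first cluster and size survive in the directory entry. The directory, the FAT table and the 2048-byte cluster size are constructed here (the slides use 4096; 2048 is chosen so that the slide's 4000-byte file1.dat genuinely needs two clusters).

```python
"""Walk FAT16 cluster chains from directory entries and report slack (added example)."""
import math
import struct

CLUSTER_SIZE = 2048          # assumption for this example (slides use 4096)
FAT16_EOF_MIN = 0xFFF8       # any value >= 0xFFF8 marks the end of a chain
FAT16_BAD = 0xFFF7
DELETED_MARK = 0xE5          # first name byte of a deleted directory entry
ATTR_LONG_NAME = 0x0F


def parse_dir_entry(raw):
    """Decode one 32-byte 8.3 directory entry; None means end of directory."""
    if raw[0] == 0x00:
        return None
    attr = raw[11]
    if attr == ATTR_LONG_NAME:
        return {"long_name_piece": True}   # VFAT long-name fragment, skipped here
    name = raw[0:8].decode("latin-1").rstrip()
    ext = raw[8:11].decode("latin-1").rstrip()
    deleted = raw[0] == DELETED_MARK
    if deleted:
        name = "?" + name[1:]            # first character is lost on deletion
    (first_cluster,) = struct.unpack_from("<H", raw, 26)  # FAT12/16: 16-bit field
    (size,) = struct.unpack_from("<I", raw, 28)
    return {"name": name + ("." + ext if ext else ""), "attr": attr, "deleted": deleted,
            "first_cluster": first_cluster, "size": size, "is_dir": bool(attr & 0x10)}


def parse_directory(raw):
    entries = []
    for off in range(0, len(raw), 32):
        e = parse_dir_entry(raw[off:off + 32])
        if e is None:
            break
        if "long_name_piece" not in e:
            entries.append(e)
    return entries


def follow_chain(fat, first_cluster):
    """Follow FAT links from first_cluster to EOF; raise on loops or corruption."""
    chain, seen, c = [], set(), first_cluster
    while True:
        if c < 2 or c >= len(fat):
            raise ValueError("cluster %d out of range" % c)
        if c in seen:
            raise ValueError("loop in chain at cluster %d" % c)
        seen.add(c)
        chain.append(c)
        nxt = fat[c]
        if nxt >= FAT16_EOF_MIN:
            return chain
        if nxt == FAT16_BAD:
            raise ValueError("chain hits bad-cluster marker at %d" % c)
        if nxt == 0:
            raise ValueError("chain runs into a free cluster at %d" % c)
        c = nxt


def file_extents(entry, fat, cluster_size=CLUSTER_SIZE):
    """Clusters holding a live file, plus the slack bytes after its logical end."""
    if entry["size"] == 0 or entry["first_cluster"] == 0:
        return {"clusters": [], "slack_bytes": 0, "consistent": entry["size"] == 0}
    chain = follow_chain(fat, entry["first_cluster"])
    needed = math.ceil(entry["size"] / cluster_size)
    return {"clusters": chain, "slack_bytes": len(chain) * cluster_size - entry["size"],
            "consistent": len(chain) == needed}


def deleted_candidates(entry, fat, cluster_size=CLUSTER_SIZE):
    """Deletion zeroes the FAT links but keeps first cluster and size in the entry:
    assume the file was contiguous and list the clusters that are still free."""
    needed = math.ceil(entry["size"] / cluster_size)
    clusters = []
    for c in range(entry["first_cluster"], entry["first_cluster"] + needed):
        if c >= len(fat) or fat[c] != 0:
            break                        # reallocated since deletion
        clusters.append(c)
    return clusters


def make_entry(name, ext, first_cluster, size, attr=0x20, deleted=False):
    """Constructed 32-byte 8.3 directory entry (timestamps left zero)."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 26, first_cluster)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


# Constructed FAT (index = cluster number) mirroring the slides: file1.dat in
# clusters 34 -> 36 -> EOF, file2.txt in cluster 33 -> EOF; cluster 35 is free.
SAMPLE_FAT = [0] * 40
SAMPLE_FAT[0], SAMPLE_FAT[1] = 0xFFF8, 0xFFFF     # media descriptor / reserved
SAMPLE_FAT[33], SAMPLE_FAT[34], SAMPLE_FAT[36] = 0xFFFF, 36, 0xFFFF

SAMPLE_DIR = (make_entry("FILE1", "DAT", 34, 4000) + make_entry("FILE2", "TXT", 33, 100)
              + make_entry("OLD", "LOG", 35, 500, deleted=True) + bytes(32))  # 0x00 = end

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        if e["deleted"]:
            print(e["name"], "deleted; candidate clusters:", deleted_candidates(e, SAMPLE_FAT))
        else:
            print(e["name"], file_extents(e, SAMPLE_FAT))
```

The "consistent" flag compares the chain length against what the size field requires; a mismatch means either a corrupted FAT or a directory entry that was edited by hand, both worth noting in a report. The loop and free-cluster checks in follow_chain matter on real media, where a crafted or damaged FAT would otherwise send a naive walker into an infinite loop.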

Layout of a FAT file system
- Layout of FAT16 on a volume
- There are two additional variants: FAT12 and FAT32
(Figure: regions of the volume, with their annotations:)
- Boot sector: stores basic info about the file system (FAT version, location of boot files, total number of blocks, index of the root directory in the FAT)
- Region for FAT data structures: marks blocks free or in-use; linked-list structure to manage large files; FAT2 for backup
- Region for the directory entries of the root folder (fixed location)
- Data area: stores file and directory data; each cluster is a fixed size; files may span multiple clusters

In forensics, we need to understand the boot sector

Tools to help interpret the boot sector
- TSK forensic toolkit
  - Use the fsstat tool
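What fsstat does for a FAT volume is, at its core, decoding the boot sector's BIOS Parameter Block and deriving the region layout of the previous slide. The following is an added example, not code from the lecture or from The Sleuth Kit: it reads the standard BPB fields (bytes per sector at offset 11, sectors per cluster, reserved sectors, number of FATs, root entry count, sectors per FAT, and the 16- and 32-bit total-sector fields), validates the values an analyst would refuse to trust, and computes where the FAT, root directory and data area start. The sample boot sector is constructed, and it deliberately uses a volume too large for the 16-bit total-sectors field so that the 32-bit fallback is exercised.

```python
"""Decode a FAT12/FAT16 boot sector and derive the volume layout (added example)."""
import struct

SECTOR_SIGNATURE = 0xAA55
VALID_SECTOR_SIZES = (512, 1024, 2048, 4096)


def parse_boot_sector(bs):
    """Return the BPB fields and the derived layout of a FAT12/16 volume."""
    if len(bs) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    (sig,) = struct.unpack_from("<H", bs, 510)
    if sig != SECTOR_SIGNATURE:
        raise ValueError("missing 0x55AA boot sector signature")
    # Offsets 11..23 of the BIOS Parameter Block shared by FAT12/16/32.
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats, root_entries,
     total_sectors16, _media, sectors_per_fat) = struct.unpack_from("<HBHBHHBH", bs, 11)
    (total_sectors32,) = struct.unpack_from("<I", bs, 32)
    if bytes_per_sector not in VALID_SECTOR_SIZES:
        raise ValueError("implausible bytes per sector: %d" % bytes_per_sector)
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError("sectors per cluster must be a power of two")
    if reserved_sectors == 0 or num_fats == 0:
        raise ValueError("reserved sector count and FAT count must be non-zero")
    if sectors_per_fat == 0:
        raise ValueError("16-bit sectors-per-FAT is zero: FAT32 layout, not handled here")
    total_sectors = total_sectors16 or total_sectors32   # 16-bit field is 0 when too small
    # Region layout: [reserved/boot] [FATs] [root directory] [data area]
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    fat_start = reserved_sectors
    root_dir_start = fat_start + num_fats * sectors_per_fat
    data_area_start = root_dir_start + root_dir_sectors
    cluster_count = (total_sectors - data_area_start) // sectors_per_cluster
    # FAT type is defined by the cluster count, not by the label string.
    fat_type = "FAT12" if cluster_count < 4085 else "FAT16" if cluster_count < 65525 else "FAT32"
    volume_label = bs[43:54].decode("latin-1").rstrip() if bs[38] == 0x29 else ""
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "cluster_size": bytes_per_sector * sectors_per_cluster, "num_fats": num_fats,
            "sectors_per_fat": sectors_per_fat, "total_sectors": total_sectors,
            "fat_start": fat_start, "root_dir_start": root_dir_start,
            "root_dir_sectors": root_dir_sectors, "data_area_start": data_area_start,
            "cluster_count": cluster_count, "fat_type": fat_type, "volume_label": volume_label}


def cluster_to_sector(layout, cluster):
    """Data clusters are numbered from 2; map a cluster number to its first sector."""
    if cluster < 2 or cluster >= layout["cluster_count"] + 2:
        raise ValueError("cluster %d outside the data area" % cluster)
    return layout["data_area_start"] + (cluster - 2) * layout["sectors_per_cluster"]


def build_sample_boot_sector():
    """Constructed FAT16 boot sector: 32 MB volume, 4 KB clusters, two FATs."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                                 # jump to boot code
    bs[3:11] = b"MSWIN4.1"                                    # OEM name
    struct.pack_into("<HBHBHHBH", bs, 11, 512, 8, 4, 2, 512, 0, 0xF8, 32)
    struct.pack_into("<HHI", bs, 24, 63, 255, 0)              # sectors/track, heads, hidden
    struct.pack_into("<I", bs, 32, 65536)                     # total sectors, 32-bit field
    bs[38] = 0x29                                             # extended boot signature
    bs[43:54] = b"EVIDENCE   "                                # volume label (11 bytes)
    bs[54:62] = b"FAT16   "                                   # informational type string
    struct.pack_into("<H", bs, 510, SECTOR_SIGNATURE)
    return bytes(bs)


if __name__ == "__main__":
    layout = parse_boot_sector(build_sample_boot_sector())
    for key in ("fat_type", "volume_label", "cluster_size", "total_sectors", "fat_start",
                "root_dir_start", "data_area_start", "cluster_count"):
        print("%-16s %s" % (key + ":", layout[key]))
    print("cluster 34 starts at sector", cluster_to_sector(layout, 34))
```

For a partition inside an image, the boot sector is the first sector of the partition, so its image offset is the partition's starting LBA times 512 (from the MBR), and every sector number the layout reports is relative to that same partition start. Reading the FAT type from the cluster count rather than from the "FAT16" string is deliberate: the string is informational only, and a mismatch between the two is itself a finding.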

EnCase
- EnCase is a very powerful (commercial) tool
- Demo: how to analyze the MBR & VBR by using EnCase
  - https://www.youtube.com/watch?v=xqrksukk7ue

Summary: To find visible data from a disk image
- Use adequate forensic tools to:
  - Interpret the partition table
  - Interpret the boot sector layout
  - Traverse the root directory
  - Navigate the subdirectories
  - Open the files

By the way
- There's a lot more we can learn from the meta-data
  - E.g., file access times, partition names, file sizes, access permissions, etc.
- There are more (and better) file systems out there
  - NTFS (Windows), EXT2 (Linux), HFS+ (Mac OS X)
- There are important differences in storage technology
  - Especially between hard disks and SSDs

Conclusions
- To read the contents of disk images, we must understand how data is organized into several layers of abstraction
- Interpreting the meta-data of file systems is the first step toward recovering visible file content

References
- Primary bibliography
  - Brian Carrier, File System Forensic Analysis, 2005

Next class
- Operating systems forensics