
Chapter Two File Systems
CIS 4000 Intro. to Forensic Computing
David McDonald, Ph.D.

Learning Objectives
At the end of this section, you will be able to:
- Explain the purpose and structure of file systems
- Describe Microsoft file structures
- Explain the structure of New Technology File System (NTFS) disks
- List some options for decrypting drives encrypted with whole disk encryption
- Explain how the Windows Registry works

File Systems
- A file system (file management system) is the structure the OS uses to organize and locate data stored on a disk; it gives the OS a road map to the data on the disk.
- It defines the data structures used for storing, hierarchically categorizing, managing, navigating, accessing and recovering data.
- It can live on storage devices such as hard disks, CD-ROMs, floppy disks or flash media.
- Files are reached through a command line or a graphical user interface.
- When you need to access a suspect's computer to acquire or inspect data, you should be familiar with the computer's platform and its file system.

Clusters (preliminary discussion: exploring Microsoft file structures)
- A cluster is the smallest amount of space the file system allocates to hold a file; it consists of one or more contiguous sectors.
- Small clusters waste less space, because less of the last cluster of each file is left unused (slack), but they need more allocation entries to track; large clusters do the reverse.
- The cluster size is chosen when the volume is formatted. The default depends on the file system and the volume size (NTFS defaults to 4 KB for most volume sizes) and can be overridden by the person formatting the volume.
- The cluster number the file system assigns is a logical address, counted from the start of the volume.
- Physical addresses are the sector addresses that exist at the firmware or hardware level (the drive's logical block addresses); converting a cluster number to a physical sector requires knowing where the volume starts on the disk.

System Partitioning (revisited)
- In Microsoft's terminology the system partition holds the files used to boot (start) the computer, such as the boot manager and its configuration, while the boot partition holds the Windows operating system files themselves. On most single-OS machines these have historically been the same volume.
- The Master Boot Record (MBR) is not a file: it is the first sector (sector 0) of an MBR-partitioned disk and contains bootstrap code plus a partition table with four 16-byte entries.
- The partition table records the type, starting sector and length of each partition, and which one is marked active (bootable). Information about individual files, their location and size, is kept by the file system inside each partition, not in the MBR.
- Disks partitioned with GPT still carry a protective MBR in sector 0 (a single partition entry of type 0xEE) so that MBR-only tools do not treat the disk as empty.

Partitioning Concerns
- Partitioning a hard disk drive is done for effective storage management of data.
- A partition is a logical part of the disk that holds data. On an MBR disk it is one of two kinds:
- Primary partition: a partition on which an OS can be installed. The partition table holds at most four, and the one marked active is used when the computer starts to load the OS.
- Extended partition: holds no file system of its own but can be divided into additional logical drives, each described by an Extended Boot Record (EBR) that also points to the next EBR in the chain.
- Windows looks for the active primary partition to start the computer; this partition contains the boot files used to start an operating system.
- The inter-partition gap is unused space between the primary and first logical partition (and more generally any sectors not covered by a partition). No file system tracks it, so it can hold remnants of old data or deliberately hidden data and should be examined (later).
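To make the MBR and EBR layout of the last two slides concrete, the following is an added example written for this page, not code from the slides or their author. It builds a small constructed 128-sector disk image (the partition sizes, type codes and layout are made up for illustration), parses the four partition-table entries of the MBR, walks the EBR chain inside the extended partition, and reports every sector range that no partition claims, which is where the inter-partition gap lives.

```python
import struct

SECTOR = 512
PART_TYPES = {0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective MBR"}
EXTENDED = (0x05, 0x0F)


def parse_table(sector):
    """Decode the four 16-byte partition entries at offset 446 of an MBR or EBR sector."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature: not an MBR/EBR sector")
    entries = []
    for i in range(4):
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:                                   # type 0 is an empty slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "name": PART_TYPES.get(ptype, hex(ptype)), "lba": lba, "sectors": count})
    return entries


def read_partitions(disk):
    """Return (partitions, gaps): primaries from the MBR, logicals from the EBR chain, and every
    sector range covered by neither a partition nor a partition-table sector (the gaps)."""
    used = [(0, 1)]                                 # the MBR sector itself
    parts = []
    for e in parse_table(disk[:SECTOR]):
        if e["type"] not in EXTENDED:
            parts.append(dict(e, kind="primary"))
            used.append((e["lba"], e["lba"] + e["sectors"]))
            continue
        ext_base, ebr_lba = e["lba"], e["lba"]
        while ebr_lba:
            used.append((ebr_lba, ebr_lba + 1))    # the EBR sector
            ebr = parse_table(disk[ebr_lba * SECTOR:(ebr_lba + 1) * SECTOR])
            # EBR entry 0 is relative to that EBR; the next-EBR entry is relative to the extended base.
            logical = next((x for x in ebr if x["type"] not in EXTENDED), None)
            if logical:
                start = ebr_lba + logical["lba"]
                parts.append(dict(logical, lba=start, kind="logical"))
                used.append((start, start + logical["sectors"]))
            nxt = next((x for x in ebr if x["type"] in EXTENDED), None)
            ebr_lba = ext_base + nxt["lba"] if nxt else 0
    gaps, cursor = [], 0
    for lo, hi in sorted(used):
        if lo > cursor:
            gaps.append((cursor, lo))
        cursor = max(cursor, hi)
    total = len(disk) // SECTOR
    if cursor < total:
        gaps.append((cursor, total))
    return parts, gaps


def build_disk():
    """Constructed 128-sector image (example data, not from the slides): a bootable NTFS primary,
    then an extended partition holding two logical drives."""
    disk = bytearray(128 * SECTOR)

    def entry(table_lba, i, status, ptype, lba, count):
        struct.pack_into("<B3xB3xII", disk, table_lba * SECTOR + 446 + 16 * i, status, ptype, lba, count)
        disk[table_lba * SECTOR + 510:table_lba * SECTOR + 512] = b"\x55\xAA"

    entry(0, 0, 0x80, 0x07, 8, 40)       # NTFS, sectors 8..47, active
    entry(0, 1, 0x00, 0x05, 64, 64)      # extended container, sectors 64..127
    entry(64, 0, 0x00, 0x83, 8, 24)      # EBR #1: Linux logical at 64+8 = 72..95
    entry(64, 1, 0x00, 0x05, 32, 32)     # next EBR at 64+32 = 96
    entry(96, 0, 0x00, 0x0B, 8, 24)      # EBR #2: FAT32 logical at 96+8 = 104..127
    return bytes(disk)


if __name__ == "__main__":
    parts, gaps = read_partitions(build_disk())
    for p in parts:
        print(f'{p["kind"]:8} {p["name"]:14} start={p["lba"]:4} sectors={p["sectors"]:4} bootable={p["bootable"]}')
    print("unallocated sector ranges (inter-partition gaps):", gaps)
```

Sectors 1 to 7 in the constructed image are the classic gap between the MBR and the first partition; the ranges between the EBR sectors and the logical drives they describe are the inter-partition gaps the slide refers to. On a real image you would read sector 0 from the disk image file instead of calling build_disk().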

File System Functions
- Tracks files across the storage
- Keeps track of allocated/unallocated sectors (clusters)
- Keeps track of bad sectors
- Stores metadata (e.g. date and time stamps, attributes, ownership)

File Systems
Focus on Microsoft Windows file systems
FAT (File Allocation Table)
- File system developed for MS-DOS, named after the table that records which cluster follows which in each file
- Used in consumer versions of Microsoft Windows until Windows Me
- Considered relatively uncomplicated and became the popular format for floppy disks, USB devices, digital cameras and flash media
FAT32
- Version of FAT with 32-bit cluster entries (28 bits are used); supports volumes up to 2 TB with 512-byte sectors, but a single file is limited to 4 GB

File Allocation Table (FAT)
- FAT was originally developed for floppy disks; the table sits at the start of the volume, which on a floppy is the outermost track
- Directory entries hold filenames, directory names, date and time stamps, the starting cluster and attributes (e.g. hidden, read-only, system); the FAT itself holds the cluster chain of each file
Evolution
- FAT12: floppy disks (12-bit cluster entries)
- FAT16: MS-DOS, Windows 95 (early), Windows NT 4.0; maximum volume capacity about 2 GB (4 GB on NT with 64 KB clusters)
- FAT32: Windows 95 OSR2 through XP and later; maximum volume capacity 2 TB

Examining FAT Disks: Sectors and Bytes per Cluster (figure)

Boot Sector
- The boot sector is the first sector (512 bytes) of a FAT file system
- Its BIOS Parameter Block records bytes per sector, sectors per cluster, reserved sectors, number of FAT copies, root directory entries, total sectors and sectors per FAT; these fields are what a tool needs to locate the FAT, the root directory and the data area
- The sector ends with the 0x55 0xAA signature

Examining FAT Disks: File Slack Space (figure)
- File slack is the unused tail of the last cluster allocated to a file; it keeps whatever previously occupied those bytes until the cluster is rewritten

Deleting FAT Files
- The first byte of the filename in the directory entry is set to hex E5
- The FAT chain for that file is set to zero (the clusters become unallocated)
- Free (unallocated) disk space is incremented accordingly
- The actual data remains on disk, and the directory entry still holds the starting cluster and the file size
- Can be recovered with computer forensics tools until the clusters or the directory entry are reused
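The following added example (written for this page; it is not code from the slides) ties the last five slides together. It constructs a tiny FAT12 volume in memory, parses the BIOS Parameter Block to find the FAT, root directory and data area, follows a file's cluster chain, separates the file's content from its slack (where a constructed remnant of an older file is still visible), then deletes the file the way DOS does (0xE5 marker, chain zeroed in both FAT copies) and recovers it from the surviving directory entry under the usual contiguity assumption. The volume geometry, the file NOTE.TXT and its contents are all made up.

```python
import struct

SECTOR, EOC = 512, 0xFFF                         # FAT12 end-of-chain marker


def fat12_get(fat, n):
    """Read 12-bit FAT entry n; entries are packed 1.5 bytes apart."""
    v = struct.unpack_from("<H", fat, n + n // 2)[0]
    return v >> 4 if n & 1 else v & 0x0FFF


def fat12_set(fat, n, val):
    off = n + n // 2
    v = struct.unpack_from("<H", fat, off)[0]
    v = (v & 0x000F) | (val << 4) if n & 1 else (v & 0xF000) | (val & 0x0FFF)
    struct.pack_into("<H", fat, off, v)


def parse_bpb(img):
    """Read the BIOS Parameter Block of the boot sector and derive the volume layout."""
    bps, spc, reserved, nfats, root_entries, total, _media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    first_data = reserved + nfats * spf + root_sectors
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_bytes": bps * spc,
            "nfats": nfats, "fat_bytes": spf * bps, "fat_offset": reserved * bps,
            "root_offset": (reserved + nfats * spf) * bps, "first_data_sector": first_data,
            "total_clusters": (total - first_data) // spc, "signature_ok": img[510:512] == b"\x55\xAA"}


def fat_view(img, bpb, k=0):
    """Writable view of FAT copy k (the boot sector says how many copies exist)."""
    start = bpb["fat_offset"] + k * bpb["fat_bytes"]
    return memoryview(img)[start:start + bpb["fat_bytes"]]


def cluster_offset(bpb, n):
    """Logical cluster number -> byte offset in the volume (the data area starts at cluster 2)."""
    return (bpb["first_data_sector"] + (n - 2) * bpb["sectors_per_cluster"]) * bpb["bytes_per_sector"]


def chain(fat, start):
    """Follow the chain from start; an unallocated (zero) entry ends it, so a deleted file yields []."""
    out, n = [], start
    while 2 <= n < 0xFF8 and n not in out and fat12_get(fat, n) != 0:
        out.append(n)
        n = fat12_get(fat, n)
    return out


def free_clusters(fat, bpb):
    return sum(fat12_get(fat, n) == 0 for n in range(2, 2 + bpb["total_clusters"]))


def dir_entry(img, bpb, idx):
    off = bpb["root_offset"] + idx * 32
    raw = bytes(img[off:off + 32])
    return {"raw_name": raw[:11], "deleted": raw[0] == 0xE5,
            "first_cluster": struct.unpack_from("<H", raw, 26)[0], "size": struct.unpack_from("<I", raw, 28)[0]}


def read_file(img, bpb, idx):
    """Return (content, slack): slack is the tail of the last cluster beyond the file's size."""
    e = dir_entry(img, bpb, idx)
    buf = b"".join(bytes(img[cluster_offset(bpb, c):cluster_offset(bpb, c) + bpb["cluster_bytes"]])
                   for c in chain(fat_view(img, bpb), e["first_cluster"]))
    return buf[:e["size"]], buf[e["size"]:]


def delete_file(img, bpb, idx):
    """What DOS/Windows do on delete: tag the name with 0xE5 and zero the chain in every FAT copy.
    The start cluster, the size and the data clusters themselves are left untouched."""
    clusters = chain(fat_view(img, bpb), dir_entry(img, bpb, idx)["first_cluster"])
    for k in range(bpb["nfats"]):
        for c in clusters:
            fat12_set(fat_view(img, bpb, k), c, 0)
    img[bpb["root_offset"] + idx * 32] = 0xE5


def recover_deleted(img, bpb, idx):
    """Undelete as simple tools do: trust the surviving start cluster and size and assume the
    clusters were contiguous, because the chain itself is gone."""
    e = dir_entry(img, bpb, idx)
    n = -(-e["size"] // bpb["cluster_bytes"])
    start = cluster_offset(bpb, e["first_cluster"])
    return bytes(img[start:start + n * bpb["cluster_bytes"]])[:e["size"]]


NOTE = b"Wire 4,000 to account 77-1234\n" * 40      # 1200 bytes, constructed sample content
LEFTOVER = b"OLD PASSWORD: hunter2"                  # constructed remnant of an earlier file


def build_image():
    """Constructed FAT12 volume (example data, not from the slides): 512-byte sectors, 2 sectors per
    cluster, 1 reserved sector, 2 FATs of 1 sector each, 16 root entries, 20 sectors in total."""
    img = bytearray(20 * SECTOR)
    img[0:3], img[3:11] = b"\xEB\x3C\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBHHBH", img, 11, 512, 2, 1, 2, 16, 20, 0xF0, 1)
    img[510:512] = b"\x55\xAA"
    bpb = parse_bpb(img)
    for k in range(bpb["nfats"]):                # reserved entries 0/1, then NOTE.TXT's chain 2 -> 3 -> EOC
        fat = fat_view(img, bpb, k)
        fat12_set(fat, 0, 0xFF0); fat12_set(fat, 1, EOC); fat12_set(fat, 2, 3); fat12_set(fat, 3, EOC)
    off3 = cluster_offset(bpb, 3)
    img[off3 + 600:off3 + 600 + len(LEFTOVER)] = LEFTOVER    # old data that will sit in NOTE.TXT's slack
    off2 = cluster_offset(bpb, 2)
    img[off2:off2 + len(NOTE)] = NOTE                        # fills cluster 2 and 176 bytes of cluster 3
    e = bpb["root_offset"]
    img[e:e + 11], img[e + 11] = b"NOTE    TXT", 0x20        # 8.3 name, archive attribute
    struct.pack_into("<HI", img, e + 26, 2, len(NOTE))       # first cluster, file size
    return img, bpb


if __name__ == "__main__":
    img, bpb = build_image()
    content, slack = read_file(img, bpb, 0)
    print(len(content), "bytes of content,", len(slack), "bytes of slack; old remnant in slack:", LEFTOVER in slack)
    delete_file(img, bpb, 0)
    print("after delete: chain", chain(fat_view(img, bpb), 2), "recovered intact:", recover_deleted(img, bpb, 0) == NOTE)
```

Two points worth noticing when running it: the slack of NOTE.TXT still contains the older remnant, which is exactly why slack is examined; and after deletion the chain is gone but the 0xE5 entry still names cluster 2 and a size of 1200 bytes, which is all an undelete tool needs as long as the file was stored contiguously and nothing has reused the clusters.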

File Systems
Focus on Microsoft NTFS (New Technology File System)
- First introduced with Windows NT (NT 3.1, 1993)
- Provides improvements over the FAT file system
- Stores more information about a file
- In NTFS everything about a file, its name, creation date, access permissions and even its contents, is stored as an attribute of the file's record in the Master File Table (MFT): in NTFS, everything is metadata
- Small files are stored resident inside their MFT record, and the default cluster size is small, which reduces slack space
- NTFS uses Unicode (UTF-16) for file names

NTFS Partition Boot Sector
- When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code
- Used to store information about the file system: bytes per sector, sectors per cluster, total sectors, the size of an MFT record
- Stores the location (starting cluster) of the MFT and of the MFT mirror file; the mirror file itself lives elsewhere on the volume, not in the boot sector

NTFS Master File Table (MFT)
- Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT).
- NTFS reserves the first 16 records of the table (records 0 to 15) for the file system's own metadata files.
- Record 0 describes the master file table itself ($MFT); record 1 is the MFT mirror ($MFTMirr), a copy of the first records of the MFT.
- If the first MFT record is corrupted, NTFS reads the mirror's location from the boot sector and uses $MFTMirr, whose first record is identical to the first record of the MFT.
- The locations of the data segments for both the MFT and the MFT mirror are recorded in the boot sector.
- A duplicate of the boot sector is kept in the last sector of the volume (Windows NT 3.51 placed it at the logical center of the volume).
- Record 2 is the log file ($LogFile), used to recover the file system after a crash.
- Records from 16 onward are used for ordinary files and directories.
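An added example for the two slides above (written for this page, not taken from the slides): it parses the fields of an NTFS boot sector that a forensic tool needs in order to locate the MFT and the MFT mirror, decodes the signed "clusters per file record" field, and computes where a given MFT record starts. The boot sector is constructed with made-up values (cluster size, volume size, MFT location, serial number).

```python
import struct


def parse_ntfs_boot_sector(bs):
    """Decode the boot-sector fields needed to find the MFT, the MFT mirror and the record size."""
    if bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector (OEM id or 55AA signature missing)")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", bs, 0x28)
    cpfr, cpib = struct.unpack_from("<bxxxb", bs, 0x40)
    cluster = bps * spc

    def size_of(v):
        # Positive: a count of clusters. Negative: the size is 2**(-v) bytes, used because an
        # MFT record (normally 1 KB) is smaller than a cluster on most volumes.
        return v * cluster if v > 0 else 1 << -v

    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_bytes": cluster,
            "total_sectors": total,
            "mft_offset": mft_lcn * cluster,            # $MFT starting cluster -> byte offset
            "mftmirr_offset": mirr_lcn * cluster,       # $MFTMirr is a separate file, not in this sector
            "record_bytes": size_of(cpfr), "index_block_bytes": size_of(cpib),
            # the backup copy of the boot sector is the sector just past the counted ones (NT 4.0 and later)
            "backup_boot_sector_offset": total * bps}


def mft_record_offset(info, n, mirror=False):
    """Byte offset of MFT record n (record 0 = $MFT, 1 = $MFTMirr, 2 = $LogFile, 16+ = user files).
    The mirror only holds the first few records, so ask it only for small n."""
    base = info["mftmirr_offset"] if mirror else info["mft_offset"]
    return base + n * info["record_bytes"]


def build_ntfs_boot_sector():
    """Constructed NTFS boot sector (example values, not from the slides)."""
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xEB\x52\x90", b"NTFS    "
    struct.pack_into("<HBH", bs, 0x0B, 512, 8, 0)         # bytes/sector, sectors/cluster, reserved sectors
    bs[0x15] = 0xF8                                       # media descriptor: fixed disk
    struct.pack_into("<HHI", bs, 0x18, 63, 255, 2048)     # sectors/track, heads, hidden sectors
    struct.pack_into("<QQQ", bs, 0x28, 2_097_151, 786_432, 2)   # total sectors, $MFT LCN, $MFTMirr LCN
    struct.pack_into("<bxxxbxxxQ", bs, 0x40, -10, 1, 0x1234_5678_9ABC_DEF0)  # 2**10-byte records, 1-cluster index blocks, serial
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_ntfs_boot_sector())
    for k, v in info.items():
        print(f"{k:28} {v}")
    print("$LogFile record at byte", mft_record_offset(info, 2))
```

On a real image you would read the 512 bytes at the start of the partition (its LBA comes from the MBR partition table) instead of calling build_ntfs_boot_sector(), and you can confirm the sector is intact by comparing it with the backup copy at backup_boot_sector_offset.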

MFT Structure (figure)

NTFS Attributes
- Every file is a set of attributes stored in its MFT record, for example $STANDARD_INFORMATION (timestamps, DOS-style flags), $FILE_NAME (name, parent directory and a second set of timestamps), $SECURITY_DESCRIPTOR (security information; since Windows 2000 held centrally in the $Secure metadata file) and $DATA (the contents)
- A file can carry more than one $DATA attribute; the additional ones are alternate data streams
- The file system's own metadata files ($MFT, $Bitmap, $LogFile and so on) are ordinary files made of the same attributes

NTFS Attributes (figure)

NTFS Compressed Files
- Compression improves data storage
- A file, a folder or an entire volume can be compressed
- Need to decompress when analyzing: a raw view of the clusters shows only compressed data
- Advanced tools (e.g. EnCase) do it automatically

Deleting NTFS Files
- On deletion from Windows Explorer the file is moved into the Recycle Bin
- If the file is deleted from the command prompt (or with Shift+Delete) the Recycle Bin is bypassed; it can then be recovered only by using forensic tools
When a file is deleted, NTFS performs the following tasks:
- The file's clusters are marked free in $Bitmap, making them available for new data
- The file's MFT record is marked not in use (the in-use flag in the record header is cleared)
- The file's name entry is removed from the parent directory's index
- The MFT record itself, with its name, timestamps and the list of cluster runs (or the resident content of a small file), stays in place until the record is reused, which is what forensic tools rely on to recover the file
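The following added example (written for this page; not code from the slides) shows the MFT record structure the last slides describe. It builds a constructed 1 KB record for a small file whose content is resident in the record, including the update sequence fixups NTFS writes at the end of each sector, then parses it: it verifies the FILE signature, undoes the fixups (refusing a torn write), reads the in-use flag and walks the attribute list to decode $STANDARD_INFORMATION timestamps, the $FILE_NAME name and the resident $DATA. Finally it "deletes" the file the way NTFS does, by clearing the in-use flag, and shows that name, timestamps and content are all still readable. The file name, timestamp and content are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD, SECTOR = 1024, 512                   # 1 KB MFT records, the size NTFS uses on nearly all volumes
ATTR = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft):
    """NTFS timestamps are 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(rec):
    """Undo the update sequence: NTFS replaced the last two bytes of every sector with the USN and
    parked the originals in the update sequence array. A mismatch means a torn (partial) write."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):
        pos = i * SECTOR - 2
        if bytes(rec[pos:pos + 2]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: record was not written completely")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]


def decode(atype, c):
    if atype == 0x10:
        keys = ("created", "modified", "mft_modified", "accessed")
        return dict(zip(keys, (from_filetime(v) for v in struct.unpack_from("<4Q", c, 0))))
    if atype == 0x30:
        parent, = struct.unpack_from("<Q", c, 0)     # low 48 bits: parent record number; high 16: sequence
        nlen, namespace = c[64], c[65]
        return {"parent_record": parent & 0xFFFFFFFFFFFF, "namespace": namespace,
                "name": c[66:66 + 2 * nlen].decode("utf-16-le")}
    return c                                         # $DATA and anything else: raw content


def parse_record(raw):
    rec = bytearray(raw)
    if rec[:4] != b"FILE":
        raise ValueError("bad signature: not an MFT record (BAAD means NTFS found it corrupt)")
    apply_fixups(rec)
    seq, links, first_attr, flags, used = struct.unpack_from("<HHHHI", rec, 0x10)
    out = {"sequence": seq, "links": links, "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
           "used_bytes": used, "attrs": {}}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:         # end-of-attributes marker
            break
        name = ATTR.get(atype, hex(atype))
        if rec[off + 8]:                              # non-resident flag
            out["attrs"][name] = "non-resident (data runs not decoded here)"
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            out["attrs"][name] = decode(atype, bytes(rec[off + coff:off + coff + clen]))
        off += alen
    return out


def resident(atype, content):
    """Build a resident attribute: 24-byte header, content, padded to a multiple of 8."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return hdr + content + bytes(length - 24 - len(content))


WHEN = datetime(2024, 3, 5, 9, 15, tzinfo=timezone.utc)    # constructed timestamp
CONTENT = b"Wire 4,000 to account 77-1234\n"               # constructed resident file content


def build_record(record_no=64, in_use=True):
    """Constructed MFT record for NOTE.TXT in the root directory (record 5). Example data only."""
    si = resident(0x10, struct.pack("<4Q4I", *([to_filetime(WHEN)] * 4), 0x20, 0, 0, 0))
    name = "NOTE.TXT".encode("utf-16-le")
    fn = resident(0x30, struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *([to_filetime(WHEN)] * 4),
                                    len(CONTENT), len(CONTENT), 0x20, 0, len(name) // 2, 3) + name)
    body = si + fn + resident(0x80, CONTENT) + b"\xff\xff\xff\xff"
    rec = bytearray(RECORD)
    rec[:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQHHI", rec, 4, 0x30, 3, 0, 1, 1, 0x38, 1 if in_use else 0,
                     0x38 + len(body), RECORD, 0, 4, 0, record_no)
    rec[0x38:0x38 + len(body)] = body
    usn = b"\x07\x00"                                 # write the fixups the way NTFS does
    for i in range(1, 3):
        pos = i * SECTOR - 2
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[pos:pos + 2]
        rec[pos:pos + 2] = usn
    rec[0x30:0x32] = usn
    return bytes(rec)


def mark_deleted(raw):
    """What NTFS does to the record on delete: clear the in-use flag and leave everything else."""
    rec = bytearray(raw)
    flags, = struct.unpack_from("<H", rec, 0x16)
    struct.pack_into("<H", rec, 0x16, flags & ~1)
    return bytes(rec)


if __name__ == "__main__":
    live, gone = parse_record(build_record()), parse_record(mark_deleted(build_record()))
    print("live:", live["in_use"], live["attrs"]["$FILE_NAME"]["name"], live["attrs"]["$DATA"])
    print("deleted:", gone["in_use"], gone["attrs"]["$FILE_NAME"]["name"], gone["attrs"]["$DATA"])
```

The fixup step is the part most hand-written parsers get wrong: without it the two bytes at offsets 510 and 1022 of every record are the update sequence number rather than real data, which silently corrupts any attribute that happens to span a sector boundary. The example only decodes resident content; a larger file's $DATA attribute is non-resident and its data runs point at clusters, which survive deletion in exactly the same way until reused.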

File Systems
Exploring Microsoft File Structures: FAT vs. NTFS

Property              FAT (File Allocation Table)                                                  NTFS (New Technology File System)
Design                A table that tracks which clusters each file occupies and every change to it  Journaling file system built for Windows NT; the version used from Windows 2000 onward is NTFS 3.x
Versions              FAT12, FAT16, FAT32                                                          NTFS 1.x (NT 3.1 to 4.0), 3.0 (Windows 2000), 3.1 (Windows XP and later)
OS support            Supported by all versions of Windows                                         Supported by Windows NT and every later version; full feature set from Windows 2000 onward
Long file names       8.3 names only; long names need the VFAT extension of Windows 95 and later   Supports long Unicode file names natively
Large storage media   Does not support extremely large media (FAT32: volumes up to 2 TB, files up to 4 GB)   Supports extremely large volumes and files

File Systems - Other
Mac OS X file systems
HFS (Hierarchical File System)
- Developed by Apple Computer to support the Mac operating system
- Traditionally used on floppy and hard disks, later also on CD-ROMs
- Succeeded in 1998 by HFS+ (HFS Plus), the default file system of Mac OS X
UFS (UNIX file system)
- Derived from the Berkeley Fast File System (FFS), which was developed at the University of California, Berkeley as a faster successor to the original Bell Laboratories UNIX file system
- All BSD UNIX derivatives, including FreeBSD, NetBSD, OpenBSD, NeXTStep and Solaris, use a variant of UFS
- Supported by Mac OS X as an alternative to HFS+ (the option was dropped in later releases)