Digital Forensics Lecture 02- Disk Forensics

Similar documents
Introduction to Volume Analysis, Part I: Foundations, The Sleuth Kit and Autopsy. Digital Forensics Course* Leonardo A. Martucci *based on the book:

Digital Forensics Lecture 01- Disk Forensics

CSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

Ed Ferrara, MSIA, CISSP

The Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration. Anthony Dowling

CIS Project 1 February 13, 2017 Jerad Godsave

Disk Geometry and Layout

Digital Forensics Practicum CAINE 8.0. Review and User s Guide

NIST CFTT: Testing Disk Imaging Tools

Introduction to Computer Forensics

A Study on Linux. Forensics By: Gustavo Amarchand, Keanu. Munn, and Samantha Renicker 11/1/2018

ANALYSIS AND VALIDATION

INSTITUTO SUPERIOR TÉCNICO

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations

File Systems and Volumes

Computer Hacking Forensic Investigator. Module X Data Acquisition and Duplication

Post Mortem an Introduction to Filesystem Forensics and Data Recovery Dr. Oliver Tennert, Head of Technology

UC Santa Barbara. Operating Systems. Christopher Kruegel Department of Computer Science UC Santa Barbara

Chapter Two File Systems. CIS 4000 Intro. to Forensic Computing David McDonald, Ph.D.

A Formal Logic for Digital Investigations: A Case Study Using BPB Modifications.

Test Results for Disk Imaging Tools: EnCase 3.20

S23: You Have Been Hacked, But Where s the Evidence? A Quick Intro to Digital Forensics Bill Pankey, Tunitas Group

Chapter 7 Forensic Duplication

Time Left. sec(s) Quiz Start Time: 12:13 AM. Question # 5 of 10 ( Start time: 12:18:29 AM ) Total Marks: 1

10/13/11. Objectives. Live Acquisition. When do we consider doing it? What is Live Acquisition? The Order of Volatility. When do we consider doing it?

Testing the Date Maintenance of the File Allocation Table File System

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

Chapter 7 Forensic Duplication

A+ Guide to Managing and Maintaining your PC, 6e. Chapter 8 Hard Drives

A+ Guide to Hardware, 4e. Chapter 7 Hard Drives

Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 6 Linux Forensics

OPERATING SYSTEMS CS136

Chapter 11: Implementing File Systems. Operating System Concepts 8 th Edition,

File Systems Forensics

Source:

Microsoft File Allocation Table

Forensics for Cybersecurity. Pete Dedes, CCE, GCFA, GCIH

Computer Forensics: Investigating Data and Image Files, 2nd Edition. Chapter 3 Forensic Investigations Using EnCase

Incident Response Data Acquisition Guidelines for Investigation Purposes 1

Hitachi Gloabal Storage Products. Hints and tips. BIOS 33.8GB limitation

NIST SP Notes Guide to Integrating Forensic Techniques into Incident Response

Data rate - The data rate is the number of bytes per second that the drive can deliver to the CPU.

Tupelo Whole Disk Acquisition, Storage and Search

GJU IT-forensics course. Storage medium analysis

AccessData Imager Release Notes

AccessData Imager Release Notes

Using Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect's Computer. By:

makes floppy bootable o next comes root directory file information ATTRIB command used to modify name

Digital Cameras. An evaluation of the collection, preservation and evaluation of data collected from digital

CHAPTER 11: IMPLEMENTING FILE SYSTEMS (COMPACT) By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

File System Interpretation

Hard Drive Technologies

CS330: Operating System and Lab. (Spring 2006) I/O Systems

AccessData Imager Release Notes

CS609 Final Term Solved MCQs with References Without Repetitions 14/02/2013

Financial CISM. Certified Information Security Manager (CISM) Download Full Version :

OS Security IV: Virtualization and Trusted Computing

CS3600 SYSTEMS AND NETWORKS

Running head: FTK IMAGER 1

21/02/2012. BIOS and boot process Storage devices Partitions. CSN08101 Digital Forensics Lecture 5A: PC Boot Sequence and Storage Devices.

UNIT 4 Device Management

Windows Forensics Advanced

File System: Interface and Implmentation

AccessData Imager Release Notes

Macintosh Forensic Survival Course

Segmentation with Paging. Review. Segmentation with Page (MULTICS) Segmentation with Page (MULTICS) Segmentation with Page (MULTICS)

Magic Card User Manual

Chapter 5 Live Data Collection Windows Systems

COMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9

White Paper Western Digital Comments on Sector Sizes Larger than 512 Bytes

Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

Windows Memory Analysis. Jesse Kornblum

TECHNICAL BRIEF. Data Integrity During a File Copy TECHNICAL BRIEF

Operating Systems. Mass-Storage Structure Based on Ch of OS Concepts by SGG

Frequently Asked Questions

Test Results for Disk Imaging Tools: SafeBack 2.18

Windows 2000/XP History, and Data Management

F-RESPONSE NOW/UNIVERSAL VALIDATION TESTING REPORT

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 6 Working with Windows and DOS Systems

CS370 Operating Systems

Storage and File Hierarchy

Capturing RAM. Alex Applegate. Mississippi State University Digital Forensics 1

COS 318: Operating Systems

MFP: The Mobile Forensic Platform

Boot Engineering Extension Record (B.E.E.R.) By Curtis E. Stevens

OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE

CSE 4482 Computer Security Management: Assessment and Forensics. Computer Forensics: Working with Windows and DOS Systems

KNOPPIX Bootable CD Validation Study for Live Forensic Preview of Suspects Computer

Using VMware Player 3.0 with USB Pocket Hard Drive For IT Curriculum

File system internals Tanenbaum, Chapter 4. COMP3231 Operating Systems

Exam Number/Code: Exam Name: Computer Hacking. Version: Demo. Forensic Investigator.

File System Internals. Jo, Heeseung

Boot Process in details for (X86) Computers

Operating Systems. Lecture File system implementation. Master of Computer Science PUF - Hồ Chí Minh 2016/2017

I/O Hardwares. Some typical device, network, and data base rates

File system internals Tanenbaum, Chapter 4. COMP3231 Operating Systems

ABSTRACT. Forensic analysis is the process of searching for evidence and preserving it for further

FarStone. DriveClone System Recovery User s Guide. For OEMs and System builders

Booting, Partitioning and File Systems. Part I. Booting and hard disks. Booting. Table of Contents. Nothing is what it seems.

Advanced Operating Systems and Virtualization. Alessandro Pellegrini A.Y. 2017/2018

Transcription:

Digital Forensics Lecture 02- Disk Forensics Hard Disk Data Acquisition Akbar S. Namin Texas Tech University Spring 2017

Analysis of data found on a storage device It is more common to do dead analysis instead of live analysis General acquisition procedure Copy one byte from the original storage device to a destination storage device and repeat The chunks of data are transferred each time are typical a multiple 512 bytes (the size of most disk sectors) Every byte may contain evidence Acquire the files at the disk level: Reason: if we acquire at the volume level and we made a copy of every sector in each partition, this would allow us to recover deleted files in each partition, but we would not be able to analyze the sectors that are not allocated to partitions. E.g., a disk that has DOS partitions may not use sectors 1 62, and they could contain hidden data. If we acquire at the volume level, the hidden data would be lost.

Acquisition tool testing The National Institute of Standards and Technology (NIST) has conducted tests on common acquisition tools The Computer Forensics Tool Testing (CFTT) project at NIST has developed requirements and test cases for disk-imaging tools Results are on (http://www.cftt.nist.gov/disk_imaging.htm)

Reading the source data There are two major parts of the process First, read data from a source (we focus on a typical IA32 system, x86/i386) Then, write it to the destination Direct versus BIOS access Two methods in which data on a disk can be accessed 1) the operating system or acquisition software accesses the hard disk directly, which requires that the software know the hardware details 2) the operating system or acquisition software accesses the hard disk through the Basic Input/Output System (BIOS), which should know all the hardware details The is a difference between these two: Two applications are trying to determine the size of a disk. The BIOS is not properly configured and says that the 12GB disk is only 8GB

When the BIOS is used, there is a risk that it may return incorrect information about the disk. The INT13h function will give access to only the first 8GB, but the disk is really 12GB We will not get access to the final 4GB Possible scenarios 1) BIOS is configured for a specific hard disk geometry that is different from the one installed 2) An acquisition tool uses a legacy method of requesting the size of the disk Two ways that an application can ask the BIOS for a disk size 1) through the original INT13h function that suffers from the 8GB limit and returns the size using the disk s geometry in CHS format 2) through the use of the extended INT13h functions. Make sure that you know how your acquisition tools access the disk, and if the tools use the BIOS, it reports the full disk

Dead vs. live acquisition A dead acquisition occurs when the data from a suspect system is being copied without the assistance of the suspect operating system A dead acquisition can use the hardware from the suspect system as long as it is booted from a trusted CD A live acquisition is one where the suspect operating system is still running and being used to copy data The risk: the attacker may have modified the operating system or other software to provide false data during the acquisition Attackers may install tools called rootkits into systems that they compromise and they return false information to a user The rootkits hide certain files in a directory or hide running processes Attackers may hide the files that they installed after compromising the system Or modify the OS to replace data in certain sectors of the disk Live acquisition should be avoided

Error handling When reading data from a disk, the acquisition tool should be capable of handling errors. errors could be caused by a physical problem Dealing with a bad sector: log its address and write 0s for the data that could not be read Writing 0s keeps the other data in its correct location If the sector were ignored instead of writing 0s, the resulting copy would be too small and most analysis tools would not work

Hardware write blockers Modify the original data as little as possible A hardware write protector is a device that sits in the connection between a computer and a storage device It monitors the commands that are being issued and prevents the computer from writing data to the storage device E.g., the read request for sector 5 is passed through the write blocker, but the write command for the same is blocked before it reaches the disk

Software write blockers In addition to hardware write blockers, there are also software write blockers They work by modifying the interrupt table They are used to locate the code for a given BIOS service The interrupt table has an entry for every service that the BIOS provides Each entry contains the address where the service code can be found E.g., the entry for INT13h will point to the code that will write or read data or from the disk These blockers modify the interrupt table for interrupt 0x13 contains the address of the write blocker code instead of the BIOS code When the OS calls INT13h, the writer blocker code is executed and examines which function is being requested The CFIT group at NIST has developed requirements and has tested software write block devices http://www.cftt.nist.gov/software_write_block.htm

Software write blockers An example.

Writing the Output Data Once the data re read, must be written somewhere Destination location Write the data either directly to a disk or to a file (an image) Image file format We have a choice of in what format the image will be A raw image contains only the data from the source device (easy to compare with the original one) An embedded image contains data from the source device and additional descriptive data about the acquisition, such as hash values, dates, and times

A case study using dd (the linux version) One of the most simple and flexible acquisition tools It copies a chunk of data from one file and writes it to another It reads data from an input source, which is specified with the if= flag It writes the data to an output file, which is specified with the of= flag E.g., copy the contents of file1.dat, which is 1024 bytes, to file2.dat in 512-byte blocks: (two complete blocks read and written to the output) If a full block was not used, the final two lines would ended with +1 instead of +0 E.g., if file1.dat were 1500 bytes instead of 1024 bytes: (the resulting file will be the full 1500 bytes. )

An Example on HPA (Host Protected Area disk) ( A 57GB disk with 120,103,200 sectors. We have placed the string here I am in sector 15,000, as seen here: dd can read 1 byte at a time, it can also read 1GB at a time (performance varies) We then create an HPA in the final 120,091,200 sectors. There are only 12,000 sectors that the OS or an application can access. This is shown below, since we cannot see the string in sector 15,000 No records were copied because it could not read the data

Detecting an HPA in Linux: Newer versions of Linux display a message in the dmesg log Use the hdparm tool in Linux

Detecting an HPA in Linux: Use the diskstat tool from the Sleuth Kit It displays the maximum native address and the maximum user address We can use a tool called setmax in Linux and set the maximum number of sectors in the drive, which is 120,103,200

Output destinations The output from dd can be either a new file or another storage device Eg. The first example copies the master ATA disk on the primary channel to a file The second one copies the master ATA disk on the primary channel to the slave ATA disk on the second channel If the output file is not specified, the data will be written to the display Useful to calculate the MD5 hash, to extract the ASCII strings, or to send the data to a remote system using a network E.g,

Cryptographic hashes Used for later to prove an image s integrity The md5sum utility can be used to compute a cryptographic hash of a file in accordance with dd There is a tool called dcfldd, a variation of dd http://sourceforge.net/projects/biatchux/ http://www.dc3.gov

Disk Forensics Reference File System Forensic Analysis (Brian Carrier)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback