Digital Forensics - PowerPoint PPT Presentation

About This Presentation

Title: Digital Forensics
Slides: 30
Provided by: isis1
Tags: digital | dos | forensics

Transcript and Presenter's Notes

1
Digital Forensics
  • Module 11
  • CS 996

2
Outline of Module 11
  • Overview of Windows file systems
  • Overview of ProDiscover
  • Overview of UNIX file systems (Kulesh)
  • ProDiscover workshop (remaining time)

3
Reminder
  • InfraGard Chapter meeting on Counterintelligence
  • Bear Stearns, 383 Madison Avenue
  • 9-4, April 28
  • RSVP www.nym-infragard.us

4
Hard Drive Data Hiding Places
  • Low level format
    • Redundant (spare) sectors
    • Bad sectors
  • Partition
    • Inter-partition gaps
    • Unallocated space
    • Hidden partitions
    • Boot records and partition tables
    • Deleted partitions

5
Physical Disk Geometry (CHS)
  • One read/write head for each recording surface (H)
  • All tracks at the same radius, one per surface, form a cylinder (C)
  • Each track is divided into sectors of 512 bytes of user data (S = sectors per track)
  • One disk surface may be devoted to head positioning and
    synchronization (the servo surface) and holds no user data
  • Not all parts of the disk are addressable by the
    OS
  • Disk capacity = C x H x S x 512 bytes

6
Lifecycle of Disk Drive
  • Blank media
  • Low level format
    • Performed at the factory
  • Partition
  • High level (file system) format
  • Operating system install
  • System operations

7
Low Level Format
  • Low level formatting creates the sectors
  • Each sector holds 512 bytes of user data plus overhead bytes
  • The overhead provides error correction and timing
    recovery (sync and gap bytes)
  • Bad sectors are remapped to redundant (spare) sectors by the
    HDD controller; the original sector is no longer reachable
    through normal OS reads, so its contents are hidden from tools
    that work through the file system

8
Low Level Format
[Diagram: a track of sectors, each made of 512 data bytes plus sector overhead, with a redundant (spare) sector at the end]
9
Partitioning
[Diagram: master boot record at the start of the disk, followed by partition 1 and partition 2; each partition begins with its own volume boot record, and an inter-partition gap separates them]
10
Partitioning Drive
  • Master Boot Record = master boot code + master
    partition table (MPT)
    • Always at the first sector of the disk (sector 1 in the
      deck's 1-based count, LBA 0)
  • Volume Boot Record = volume boot code + disk
    parameter block
    • One at the first sector of each partition
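The layout sketched on slides 9 and 10, as an added worked example (not code from the deck, from WinHex or from ProDiscover): a Python script that parses a classic MBR, lists the gaps that slide 4 names as hiding places (the post-MBR gap, inter-partition gaps, the unallocated tail), flags partitions hidden by type code, and scans the gaps for a volume boot record that a deleted partition left behind. It assumes 512-byte sectors and the standard MBR layout (boot code, four 16-byte entries at offset 0x1BE, the 55 AA signature at 0x1FE). The disk image, its 8 MiB size, the "deleted second volume at LBA 8127" and the function names are constructed for the example.

```python
"""Parse an MBR partition table and enumerate the hiding places slide 4 lists:
the post-MBR gap, inter-partition gaps, the unallocated tail, partitions hidden
by type code, and a deleted partition whose volume boot record is still on disk."""
import struct

SECTOR = 512
TABLE_OFF = 0x1BE          # four 16-byte partition entries
SIG_OFF = 0x1FE            # 55 AA boot signature
BOOT_SIG = 0xAA55          # little-endian value of the bytes 55 AA
# fdisk type codes for "hidden" FAT/NTFS partitions (set by OEM boot managers)
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(sector0):
    """Return the used entries of the master partition table."""
    if struct.unpack_from("<H", sector0, SIG_OFF)[0] != BOOT_SIG:
        raise ValueError("no 55 AA signature at offset 0x1FE: not an MBR")
    parts = []
    for slot in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, TABLE_OFF + 16 * slot)
        if ptype == 0 or count == 0:
            continue                                   # empty slot (a deleted entry looks like this)
        parts.append({"slot": slot, "type": ptype, "bootable": status == 0x80,
                      "hidden": ptype in HIDDEN_TYPES, "start": start, "end": start + count - 1})
    return parts


def find_gaps(parts, total_sectors):
    """LBA ranges in [1, total) that no partition entry covers."""
    gaps, nxt = [], 1                                  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > nxt:
            gaps.append((nxt, p["start"] - 1))
        nxt = max(nxt, p["end"] + 1)
    if nxt < total_sectors:
        gaps.append((nxt, total_sectors - 1))
    return gaps


def scan_gaps_for_boot_records(image, gaps):
    """Heuristic: a 55 AA signature at offset 0x1FE of a sector inside a gap is a
    candidate volume boot record left behind by a deleted partition."""
    hits = []
    for lo, hi in gaps:
        for lba in range(lo, hi + 1):
            off = lba * SECTOR + SIG_OFF
            if image[off:off + 2] == b"\x55\xAA":
                hits.append(lba)
    return hits


def build_image(total_sectors, entries, vbr_sectors):
    """Constructed test disk (not real evidence): an MBR holding the given
    (slot, type, start_lba, count) entries, plus a signed VBR at each LBA in vbr_sectors."""
    img = bytearray(total_sectors * SECTOR)
    for slot, ptype, start, count in entries:
        status = 0x80 if slot == 0 else 0x00
        struct.pack_into("<B3xB3xII", img, TABLE_OFF + 16 * slot, status, ptype, start, count)
    struct.pack_into("<H", img, SIG_OFF, BOOT_SIG)
    for lba in vbr_sectors:
        struct.pack_into("<H", img, lba * SECTOR + SIG_OFF, BOOT_SIG)
    return bytes(img)


# 8 MiB disk: one FAT16 partition (type 0x06) at LBA 63. A second volume that
# began at LBA 8127 has had its table entry zeroed, but its boot record remains.
TOTAL = 16384
IMAGE = build_image(TOTAL, [(0, 0x06, 63, 8000)], vbr_sectors=[63, 8127])


def analyze(image=IMAGE, total_sectors=TOTAL):
    """Table entries, the gaps between them, and orphan boot records inside those gaps."""
    parts = parse_mbr(image[:SECTOR])
    gaps = find_gaps(parts, total_sectors)
    return {"partitions": parts, "gaps": gaps,
            "orphan_vbrs": scan_gaps_for_boot_records(image, gaps)}


if __name__ == "__main__":
    r = analyze()
    for p in r["partitions"]:
        print(f"slot {p['slot']}: type 0x{p['type']:02X} LBA {p['start']}-{p['end']} hidden={p['hidden']}")
    for lo, hi in r["gaps"]:
        print(f"gap: LBA {lo}-{hi} ({hi - lo + 1} sectors)")
    print("boot-record signatures inside gaps at LBA:", r["orphan_vbrs"])
```

On the constructed disk the table shows a single partition at LBA 63-8062, the gaps are LBA 1-62 (the post-MBR gap) and LBA 8063-16383 (unallocated tail), and the scan reports a boot-record signature at LBA 8127, exactly where the deleted second volume began. The signature check is only a heuristic: a hex editor such as WinHex is the place to confirm that the sector really is a volume boot record and to read its disk parameter block.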

11
FAT File System
  • Four parts
    • Volume boot record
    • File allocation tables
    • Root directory
    • User data area
  • Types
    • FAT12, FAT16, FAT32: the number is the cluster address size in
      bits (FAT32 entries are 32 bits wide, of which 28 are used)
    • FAT1 and FAT2: first and second copy of the FAT
    • Floppy disks use FAT12

12
FAT12/16 Structure
[Diagram, in disk order: DOS boot sector, FAT 1, FAT 2, root directory, user data area]
13
FAT32 Structure
[Diagram, in disk order: reserved sectors (32 sectors, containing the DOS boot record (3 sectors) and a copy of the DOS boot record), FAT 1, FAT 2, user data. FAT32 has no fixed root directory; the root directory is a cluster chain inside the user data area]
14
File Allocation Table
[Diagram: the directory entry for file TEST gives starting cluster 217; FAT entry 217 holds 618, FAT entry 618 holds 339, and FAT entry 339 holds EOF, so the file occupies clusters 217 -> 618 -> 339]
15
WinHex Forensic Hex Editor
  • www.x-ways.net
  • Disk cloning
    • DOS version
    • Windows version (use a write blocker)
  • Disk editor
  • API for scripting tasks

18
Navigating to FAT12 Directory
  • Start at boot sector 1 (the deck counts sectors from 1)
  • Add 2 x 9 sectors for the two 9-sector FATs of a 1.44 MB floppy
  • Root directory begins at sector 20
  • Offset is 19 x 512 = 9728 bytes = 2600H

20
Navigating to FAT32 Allocation Table
  • Start at the boot sector
  • FAT32 volumes normally reserve 32 sectors (the count is stored in the
    BIOS parameter block), so FAT1 begins at sector 33, at an offset of
    32 x 512 bytes
  • 32 x 512 = 16384 = 4000H
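The sector arithmetic on slides 18 and 20, and the cluster chain on slide 14, carried out in code: an added Python example (not code from the deck or from WinHex) that reads the BIOS Parameter Block, derives the FAT1 and root-directory offsets that the slides work out by hand, and follows a file's FAT12 chain to its EOF mark. It generalizes the slides in that the offsets come from the BPB fields rather than from fixed constants, so the same layout() call locates FAT1 on a FAT32 volume whether or not it reserves exactly 32 sectors. The floppy image, the file TEST with clusters 217 -> 618 -> 339, and all function names are constructed for the example; sector numbers in the code are 0-based as stored on disk, whereas the deck counts from 1 (its sector 20 is sector 19 here).

```python
"""Walk a FAT volume from its boot sector: parse the BIOS Parameter Block, locate FAT1 and
the root directory, then follow a file's cluster chain to its EOF mark."""
import struct

EOF_MARK = {"FAT12": 0xFF8, "FAT16": 0xFFF8, "FAT32": 0x0FFFFFF8}   # entries >= these end a chain

def parse_bpb(boot):
    """BPB fields at their fixed offsets; FAT type follows Microsoft's cluster-count rule."""
    bps, spc, reserved, nfats, root_entries, total16 = struct.unpack_from("<HBHBHH", boot, 0x0B)
    spf16, total32 = struct.unpack_from("<H", boot, 0x16)[0], struct.unpack_from("<I", boot, 0x20)[0]
    bpb = {"bps": bps, "spc": spc, "reserved": reserved, "fats": nfats,
           "root_entries": root_entries, "total": total16 or total32}
    if spf16 == 0:                                       # FAT32: sectors/FAT and root cluster at 0x24/0x2C
        spf32, _flags, _ver, root_cluster = struct.unpack_from("<IHHI", boot, 0x24)
        bpb.update(spf=spf32, root_cluster=root_cluster, type="FAT32")
    else:
        clusters = (bpb["total"] - reserved - nfats * spf16 - (root_entries * 32 + bps - 1) // bps) // spc
        bpb.update(spf=spf16, type="FAT12" if clusters < 4085 else "FAT16")
    return bpb

def layout(bpb):
    """Byte offsets of FAT1 and the root directory: the slide 18/20 arithmetic, read from the BPB."""
    fat1 = bpb["reserved"]                               # FAT1 follows the reserved sectors
    root = fat1 + bpb["fats"] * bpb["spf"]               # FAT12/16: fixed root directory after the FATs
    if bpb["type"] == "FAT32":                           # FAT32: root directory is a chain in the data area
        root += (bpb["root_cluster"] - 2) * bpb["spc"]
    return {"fat1_offset": fat1 * bpb["bps"], "root_offset": root * bpb["bps"]}

def fat_entry(fat, n, fstype):
    """Entry n of the FAT. FAT12 entries are 12 bits wide: entry n starts at byte n + n//2
    and an odd entry is the high 12 bits of that little-endian word."""
    if fstype == "FAT12":
        word = struct.unpack_from("<H", fat, n + n // 2)[0]
        return word >> 4 if n & 1 else word & 0x0FFF
    fmt = {"FAT16": "<H", "FAT32": "<I"}[fstype]
    return struct.unpack_from(fmt, fat, struct.calcsize(fmt) * n)[0] & 0x0FFFFFFF   # FAT32 uses 28 bits

def cluster_chain(fat, first, fstype):
    """first -> FAT[first] -> ... until EOF; a loop or a link to cluster 0/1 means corruption."""
    chain, cur = [], first
    while cur < EOF_MARK[fstype]:
        if cur < 2 or cur in chain:
            raise ValueError(f"corrupt chain: cluster {cur} after {chain}")
        chain.append(cur)
        cur = fat_entry(fat, cur, fstype)
    return chain

def find_entry(directory, name, fstype):
    """Look up an 8.3 name among 32-byte directory entries; return (first_cluster, size) or None."""
    target = name.upper().encode("ascii")
    for off in range(0, len(directory), 32):
        ent = directory[off:off + 32]
        if ent[0] == 0x00:
            break                                        # end of directory
        if ent[0] == 0xE5 or ent[0x0B] & 0x08:
            continue                                     # deleted entry or volume label
        base, ext = ent[:8].rstrip(b" "), ent[8:11].rstrip(b" ")
        if base + (b"." + ext if ext else b"") == target:
            hi, lo, size = struct.unpack_from("<H4xHI", ent, 0x14)   # high cluster word is FAT32-only
            return ((hi << 16) if fstype == "FAT32" else 0) | lo, size
    return None

def set_fat12(fat, n, val):
    """Write a 12-bit entry without disturbing the neighbouring entry's nibble (inverse of fat_entry)."""
    off = n + n // 2
    word = struct.unpack_from("<H", fat, off)[0]
    word = (word & 0x000F) | (val << 4) if n & 1 else (word & 0xF000) | (val & 0x0FFF)
    struct.pack_into("<H", fat, off, word)

def build_floppy():
    """Constructed 1.44 MB FAT12 image (not real evidence): 1 reserved sector, two 9-sector
    FATs, a 224-entry root directory, and file TEST chained 217 -> 618 -> 339 -> EOF."""
    img = bytearray(2880 * 512)
    img[0:11] = b"\xEB\x3C\x90MSDOS5.0"                  # jump instruction + OEM name
    # bps, spc, reserved, FATs, root entries, total sectors, media, sectors/FAT, sectors/track, heads
    struct.pack_into("<HBHBHHBHHH", img, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    img[0x36:0x3E] = b"FAT12   "
    struct.pack_into("<H", img, 0x1FE, 0xAA55)
    fat = bytearray(9 * 512)
    for n, val in ((0, 0xFF0), (1, 0xFFF), (217, 618), (618, 339), (339, 0xFFF)):
        set_fat12(fat, n, val)                           # entries 0 and 1 are the media/reserved marks
    img[512:512 + len(fat)] = fat                        # FAT1 at sector 1
    img[512 + len(fat):512 + 2 * len(fat)] = fat         # FAT2, identical copy
    root = 19 * 512                                      # root directory at sector 19 = 0x2600
    img[root:root + 11] = b"TEST       "
    img[root + 0x0B] = 0x20                              # archive attribute
    struct.pack_into("<HI", img, root + 0x1A, 217, 1300) # first cluster, file size
    return bytes(img)

def analyze(img, filename="TEST"):
    """Parse the BPB, slice out FAT1 and the root directory, follow the named file's chain."""
    bpb = parse_bpb(img[:512])
    lay = layout(bpb)
    fat = img[lay["fat1_offset"]:lay["fat1_offset"] + bpb["spf"] * bpb["bps"]]
    root = img[lay["root_offset"]:lay["root_offset"] + bpb["root_entries"] * 32]
    first, size = find_entry(root, filename, bpb["type"])
    return {"type": bpb["type"], "fat1_offset": lay["fat1_offset"], "root_offset": lay["root_offset"],
            "first_cluster": first, "size": size, "chain": cluster_chain(fat, first, bpb["type"])}
```

analyze(build_floppy()) returns type FAT12, fat1_offset 0x200, root_offset 0x2600 (the deck's sector 20) and chain [217, 618, 339]; layout() on a parsed FAT32 boot sector with 32 reserved sectors returns fat1_offset 0x4000 (the deck's sector 33). Two details matter when the same code is pointed at real evidence: a directory entry whose first byte is E5H is a deleted file, which find_entry skips but a recovery tool would list, and cluster_chain refuses loops and links to clusters 0 or 1, which is how a damaged or deliberately tampered FAT shows up.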

22
WinHex NTFS Partition Analysis
23
ProDiscover Forensic Software
  • www.techpathways.com
  • Disk imaging meets NIST Disk Imaging Tool Specification 3.1.6
  • Works with FAT, NTFS, Sun Solaris UFS
  • Displays Windows alternate data streams (ADS)!
  • File signature analysis
  • Search capability
  • Recovers deleted files and slack space
  • Reasonable price!

25
Capture Evidence Files
26
Image Evidence: Windows Laptop
[Diagram: the evidence drive connects through an IDE cable and a USB-to-IDE adapter to a Windows laptop running ProDiscover]
27
KeyWord Search
28
Reporting (View > Report)
29
References for Module 11
  • Bill Nelson et al., Guide to Computer Forensics and Investigations,
    2004.
  • Warren Kruse, Computer Forensics, 2002.
  • Kevin Mandia, Incident Response, 2003.
  • EnCase Legal Journal (course web site)
  • www.cs.nmt.edu (cs491_02)
  • NTFS