Computer Forensics: Disk Data Recovery - PowerPoint PPT Presentation

1 / 32
About This Presentation
Title:

Computer Forensics: Disk Data Recovery

Description:

A: FDISK.EXE /MBR. Windows NT/2000/XP...boot from floppy or CD-ROM, ... Recovery software (even FDISK) lets you specify a partition to be made active partition ... – PowerPoint PPT presentation

Number of Views:279
Avg rating:3.0/5.0
Slides: 33
Provided by: sgu7
Category:

less

Transcript and Presenter's Notes

Title: Computer Forensics: Disk Data Recovery


1
Computer Forensics Disk Data Recovery
  • Presenter Swapna Gupta

2
Some Disk Basics
  • Platters, Tracks, Cylinders, Sectors
  • Clusters File Allocation Units
  • Usually 512 Bytes
  • Master Boot Record (MBR)
  • First sector on every disk
  • Location - Track (Cylinder) 0, Side (Head) 0,
    Sector 1
  • Contains Master Boot Code (MBC) and Partition
    Table

3
Partition Table
  • Information about Disk Partitions
  • Four 16 Byte Entries
  • Fields Include
  • Boot Indicator
  • Starting - Head, Sector, Cylinder
  • System ID
  • Specifies File System (FAT, NTFS..), Extended
    Partition
  • Ending - Head, Sector, Cylinder
  • Relative Sectors
  • Total Sectors

4
Partition Table
5
MBC
  • Master Boot Code
  • Used at Boot time (When Disk Selected for
    Booting)
  • Examines Partition Table
  • Identifies System (Active, Primary) Partition,
    finds partitions starting location
  • Loads copy of Partition Boot Sector in memory
  • Transfers execution

6
File Systems FAT
  • FAT Partition Boot Sector
  • Information on how to access the Volume (Bytes
    Per Sector, Sectors Per Cluster)
  • MBR uses it to load kernel files
  • File Allocation Table
  • Two copies
  • Stores information about each cluster
  • Unused (0x0000), In Use, Bad (0xFFF7), LAST
    Cluster in a File (0xFFFF)

7
FAT Root Folder
  • An entry for each file or folder in root
  • Entry points to Starting Cluster
  • For each file or subfolder following information
  • Name, Attribute, Create Time, Create Date, Last
    Access Date, Last Modified Date/Time, Starting
    Cluster Number, File Size

8
Flavors of FAT
  • FAT16
  • FAT32
  • Other File Systems
  • NTFS, Linux

9
File Systems NTFS
  • Windows NT File System
  • Improves performance, reliability and
    compatibility
  • Partition Boot Sector FAT Partition Boot
    Sector
  • Master File Table FAT Root Folder
  • Entry for each file on the disk

10
File Deletion What Happens?
  • The first letter of file name (in Directory
    Entry) replaced by hex byte code E5h
  • Corresponding clusters in FAT marked Unused
  • Index field in MFT Entry marked with special code
    (NTFS)
  • Data not erased

11
File Recovery Concepts
  • In Brief
  • Scan drive to find deleted entries in Root Folder
    (FAT) or Master File Table (NTFS)
  • Define Cluster Chain
  • Copy to a newly created file

12
File Recovery Process
  • Assumptions
  • File Entry still exists
  • The less the files created on the drive, greater
    chances the entry hasnt been reused
  • File Data Clusters are safe
  • The less the write operations performed on the
    drive, greater the chances the clusters are not
    overwritten
  • For FAT, User can provide first character of the
    filename

13
File Recovery Process
  • Disk Scan
  • Low level enumeration of entries in Root Folders
    (MFT)
  • Detect Files marked Deleted
  • FAT file name begins with E5h
  • NTFS Special attribute in file header
  • Define Cluster Chain
  • Scan drive going through all file clusters (NTFS)
    or free clusters (FAT) belonging to the file
    until we reach to total file size
  • Read and save contents of the defined clusters to
    another place

14
File Recovery Example
Directory Entry for MyFile.txt
File Allocation Table
15
Partition Recovery
  • Two Requirements for machine to start properly
  • MBR exists and is safe
  • Partition Table exists and contains at least one
    active partition
  • MBC Damaged
  • Partition Table Damaged
  • Partition Boot Sector damaged
  • Missing or Corrupted System Files

16
MBC Damaged
  • Partition Table is safe
  • Partition Tables conform to standard layout,
    independent of OS
  • Some of MBC is corrupted (Ex by a virus)
  • Boot from another drive (a floppy), and on
    accessing the damaged drive all files and folders
    will be visible
  • Sector signature removed (a disk signature 0x55AA
    marks end of boot sector)
  • A\gt FDISK.EXE /MBR
  • Windows NT/2000/XPboot from floppy or CD-ROM,
    choose repair option
  • FIXMBR command
  • First sector is bad/unreachable
  • Recovery software fails
  • Scan disks using disk editors and try and save
    important data to another location

17
Partition Table Damaged
  • No partition set to active
  • Recovery software (even FDISK) lets you specify a
    partition to be made active partition
  • Partition set to Active, but no system files
  • Recovery software discovers this and suggests you
    to choose another partition as active partition
  • A partition entry deleted
  • Perform disk space scan to look for remaining
    deleted partition information and reconstruct the
    entry
  • A partition entry damaged
  • Perform disk scan and try to reconstruct the
    entry

18
Partition Boot Sector Damaged
  • In case of NTFS, try and locate duplicate
    Partition Boot Sector
  • Stored in middle or at end of volume
  • Boot from CD, choose repair option, FIXBOOT
    command

19
Points To Remember
  • Do not write onto drives from which data has been
    deleted
  • Can overwrite FAT directory entries
  • Can overwrite clusters
  • Thus, affect file recovery procedures

20
Tools For Undelete
  • DOS Undelete
  • Norton Unerase
  • Active_at_ File Recovery (49, 29)
  • Ontrack EasyRecovery (89, 199)

21
Physical Damage
  • Caused by fire, flood
  • Disk architecture two main components
  • Electronic Board
  • Head Assembly
  • Rotating Platters (data)
  • Read/Write Heads
  • A small hole in head assembly, to compensate for
    atmospheric changes

22
Fire Damage
  • Water used by fire fighters if enters the hole in
    assembly head
  • More damage if water dries
  • Leaves residues (minerals, dirt etc) on platters
  • Chance of recovery less
  • Intense heat melts platters
  • No chance of recovering
  • Usually, however, even blackened drives have
    undamaged assemblies
  • Challenge to rebuild the electronics
  • Companies keep repositories of drives of
    different (old) makes and models

23
Water Damage
  • Damage caused if water enters head assembly
  • In such case, important to keep drive wet
  • Drives shipped to data recovery labs in distilled
    water

24
Other means of Recovering Data from Disk
  • Image magnetization patterns
  • Magnetic Force Microscopy (MFM)
  • Scanning Tunneling Microscopy (STM)
  • When a 1 is recorded, actual effect is
  • Obtaining a 0.85, if a 0 is overwritten
  • Obtaining 1.05 if a 1 is overwritten
  • Normal circuitry reads both as 1
  • Specialized circuitry can be used to work out
    previous layers contained

25
Other Means of Recovering
  • Read signals from analog head electronics
  • Download waveform to PC
  • Generate an ideal read signal
  • Subtract from what was actually read
  • Difference previous signal
  • The more times you overwrite, lesser chance an
    electronic microscope can recover it
  • For example, data overwritten seven times (DoD
    standard) would take lot of expense, time and
    special techniques

26
Traces of Deleted History Files
  • Deleting history (IE, Tools-gtInternet
    Options-gtDelete History) doesnt delete all
    traces
  • Index.dat file in Temporary Internet Files folder
  • Present in Cache, Cookies, History folders
  • Acts as an index for this folder
  • Information contained
  • URL - this contain an URL and a reference to a
    local file where it is stored
  • pages that were not saved in the temporary
    internet files. Usually they are dynamic files.
    These are the most dangerous records, may contain
    sensitive information like passwords.
  • On deletion (ex cookies, day-by-day IE history
    etc.), entries from index.dat not deleted
  • Growing size of index.dat recognized as a problem
    by Microsoft
  • Restarting Windows, recreates index.dat (check)

27
Traces of Deleted Histories
  • Index.dat viewers available
  • PurgeIE
  • Displays deleted cookies, urls (even after
    clearing history)
  • Displays Temp folder files
  • Lots of deleted files present in Temp folder
  • Lets you really delete these

28
RAM recovery?
  • Data can be recovered even from RAM
  • Semiconductor memory does not entirely lose data
    on power-off
  • Older SRAMs could remember previously held states
    for several days
  • Properties of oxide formed on capacitors indicate
    state of data

29
Other Places Where Data is Hidden
  • Windows Swap/Page files
  • Temporary Files
  • Printer Spool Files
  • Metadata
  • Slack Space

30
Tools for ensuring Delete or Erase
  • DoD Method
  • Overwrite with 0s and 1s and once pseudorandom
    data
  • Guttman Method
  • Data overwritten 35 times
  • Disk Wiping Utilities

31
Questions or Comments
32
References and Tools
  • References
  • Paper by Peter Gutmann Secure Deletion of Data
    from Magnetic and Solid-State Memory
    http//www.usenix.org/publications/library/proceed
    ings/sec96/full_papers/gutmann/
  • Paper? Secure File Deletion, Fact or Fiction?
    http//www.sans.org/rr/papers/27/631.pdf
  • Help Contents of Active_at_ FileRecovery
    http//www.file-recovery.net/
  • The MIT students buying hard disks article
    http//www.cbronline.
    com/content/COMP/magazine/Articles/Storage/Dataden
    ied.asp
  • Tools
  • A list of tools http//www.e-evidence.info/ot
    her.html
  • Active_at_ FileRecovery http//www.file-recovery.n
    et/
  • Ontrack http//www.ontrack.com/
  • PurgeIE (index.dat viewer) http//www.purgeie.com
    /dlpurg.htm
  • PowerQuest Partition Table Editor
    http//www.goodells.net/multiboot/tools.htm
Write a Comment
User Comments (0)
About PowerShow.com