Computer Forensics: Disk Data Recovery - PowerPoint PPT Presentation

About This Presentation
Title:

Computer Forensics: Disk Data Recovery

Description:

A: FDISK.EXE /MBR. Windows NT/2000/XP...boot from floppy or CD-ROM, ... Recovery software (even FDISK) lets you specify a partition to be made active partition ... – PowerPoint PPT presentation

Slides: 33
Provided by: sgu7
Transcript and Presenter's Notes

1
Computer Forensics: Disk Data Recovery
  • Presenter Swapna Gupta

2
Some Disk Basics
  • Platters, Tracks, Cylinders, Sectors
  • Clusters (File Allocation Units)
  • Usually 512 Bytes
  • Master Boot Record (MBR)
  • First sector on every disk
  • Location - Track (Cylinder) 0, Side (Head) 0,
    Sector 1
  • Contains Master Boot Code (MBC) and Partition
    Table

3
Partition Table
  • Information about Disk Partitions
  • Four 16 Byte Entries
  • Fields Include
  • Boot Indicator
  • Starting - Head, Sector, Cylinder
  • System ID
  • Specifies File System (FAT, NTFS, ...) or Extended
    Partition
  • Ending - Head, Sector, Cylinder
  • Relative Sectors
  • Total Sectors

4
Partition Table
5
MBC
  • Master Boot Code
  • Used at Boot time (When Disk Selected for
    Booting)
  • Examines Partition Table
  • Identifies System (Active, Primary) Partition,
    finds the partition's starting location
  • Loads copy of Partition Boot Sector in memory
  • Transfers execution
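As an added example for slides 3 and 5 (this code is not part of the deck), the following Python builds a constructed 512-byte MBR with two partition entries, verifies the 0x55AA sector signature, decodes each 16-byte entry's fields (boot indicator, starting and ending CHS, system ID, relative and total sectors) and selects the active partition the way the master boot code does. The partition values are constructed; the table offset 446 and signature offset 510 are the classic MBR layout.

```python
import struct

# Constructed sample (not from the deck): a classic 512-byte MBR whose
# partition table sits at byte 446 (4 x 16-byte entries) and whose 0x55AA
# signature occupies bytes 510-511.
PART_TABLE_OFFSET, ENTRY_SIZE, ENTRY_FMT = 446, 16, "<B3sB3sII"
SIGNATURE = b"\x55\xaa"

def pack_chs(head, sector, cylinder):
    """Encode a CHS triple in the 3-byte on-disk form (6-bit sector, 10-bit cylinder)."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])

def unpack_chs(raw):
    """Decode the 3-byte CHS form back into (head, sector, cylinder)."""
    return raw[0], raw[1] & 0x3F, ((raw[1] & 0xC0) << 2) | raw[2]

def build_sample_mbr(signature=SIGNATURE):
    """One active FAT16 partition (system ID 0x06) and one NTFS partition (0x07)."""
    mbr = bytearray(512)                       # master boot code area left zeroed
    entries = [  # boot flag, start CHS, system ID, end CHS, relative sectors, total
        (0x80, (0, 1, 1), 0x06, (254, 63, 9), 63, 1048257),
        (0x00, (0, 1, 10), 0x07, (254, 63, 19), 1048320, 1048320),
    ]
    for i, (flag, s, sysid, e, rel, total) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * ENTRY_SIZE,
                         flag, pack_chs(*s), sysid, pack_chs(*e), rel, total)
    mbr[510:512] = signature
    return bytes(mbr)

def parse_partition_table(mbr):
    """Return the non-empty partition entries; refuse a sector without 0x55AA."""
    if len(mbr) != 512 or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR: sector signature 0x55AA missing")
    parts = []
    for i in range(4):
        flag, s, sysid, e, rel, total = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * ENTRY_SIZE)
        if sysid == 0:                         # empty slot
            continue
        parts.append({"index": i, "boot": flag, "start_chs": unpack_chs(s), "system_id": sysid,
                      "end_chs": unpack_chs(e), "relative_sectors": rel, "total_sectors": total})
    return parts

def select_boot_partition(parts):
    """What the master boot code does: pick the entry flagged active (0x80)."""
    active = [p for p in parts if p["boot"] == 0x80]
    if not active:
        raise ValueError("no partition set active: machine cannot boot")
    return active[0]
```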

6
File Systems: FAT
  • FAT Partition Boot Sector
  • Information on how to access the Volume (Bytes
    Per Sector, Sectors Per Cluster)
  • MBR uses it to load kernel files
  • File Allocation Table
  • Two copies
  • Stores information about each cluster
  • Unused (0x0000), In Use, Bad (0xFFF7), LAST
    Cluster in a File (0xFFFF)

7
FAT Root Folder
  • An entry for each file or folder in root
  • Entry points to Starting Cluster
  • For each file or subfolder following information
  • Name, Attribute, Create Time, Create Date, Last
    Access Date, Last Modified Date/Time, Starting
    Cluster Number, File Size

8
Flavors of FAT
  • FAT16
  • FAT32
  • Other File Systems
  • NTFS, Linux

9
File Systems: NTFS
  • Windows NT File System
  • Improves performance, reliability and
    compatibility
  • Partition Boot Sector (analogous to the FAT
    Partition Boot Sector)
  • Master File Table (analogous to the FAT Root Folder)
  • Entry for each file on the disk

10
File Deletion: What Happens?
  • The first letter of file name (in Directory
    Entry) replaced by hex byte code E5h
  • Corresponding clusters in FAT marked Unused
  • Index field in MFT Entry marked with special code
    (NTFS)
  • Data not erased

11
File Recovery Concepts
  • In Brief
  • Scan drive to find deleted entries in Root Folder
    (FAT) or Master File Table (NTFS)
  • Define Cluster Chain
  • Copy to a newly created file

12
File Recovery Process
  • Assumptions
  • File Entry still exists
  • The fewer files created on the drive, the greater
    the chance the entry hasn't been reused
  • File Data Clusters are safe
  • The fewer write operations performed on the
    drive, the greater the chance the clusters have not
    been overwritten
  • For FAT, the user can provide the first character of
    the filename

13
File Recovery Process
  • Disk Scan
  • Low-level enumeration of entries in the Root Folder
    (FAT) or MFT (NTFS)
  • Detect files marked Deleted
  • FAT: file name begins with E5h
  • NTFS: special attribute in file header
  • Define Cluster Chain
  • Scan the drive going through all file clusters (NTFS)
    or free clusters (FAT) belonging to the file
    until the total file size is reached
  • Read and save contents of the defined clusters to
    another place
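As an added example of the FAT recovery procedure on slides 10 to 13 (not the deck's own code or any of the tools it lists), this Python builds a constructed FAT16 root folder, FAT and data area, finds the directory entry whose first byte is E5h, rebuilds the cluster chain from free clusters until the file size is covered, and restores the first character supplied by the user. The 64-byte cluster size, the sample file contents and the cluster layout are constructed for the example; it also shows the case where one of the file's former clusters has been reallocated and must be skipped.

```python
import math, struct

# Constructed FAT16 sample (not from the deck): 64-byte clusters keep the data
# area small. Data-area cluster numbering starts at 2, as in real FAT.
CLUSTER_SIZE = 64
FAT_FREE, FAT_EOC = 0x0000, 0xFFFF
DELETED_MARK = 0xE5

def dir_entry(name, ext, start_cluster, size, deleted=False):
    """32-byte FAT directory entry; time/date fields left zero for brevity."""
    raw = bytearray(struct.pack("<8s3sB14xHI", name.ljust(8).encode(),
                                ext.ljust(3).encode(), 0x20, start_cluster, size))
    if deleted:
        raw[0] = DELETED_MARK      # what deletion does: first name byte -> E5h
    return bytes(raw)

MYFILE_DATA = b"".join(b"deleted line %02d\n" % i for i in range(10))  # 160 bytes
OTHER_DATA = b"still in use".ljust(CLUSTER_SIZE, b"\0")
# Clusters 2,3 = MyFile, cluster 4 = another live file, cluster 5 = MyFile tail
DATA_AREA = MYFILE_DATA[:128] + OTHER_DATA + MYFILE_DATA[128:].ljust(CLUSTER_SIZE, b"\0")
# FAT after deletion: MyFile's clusters 2,3,5 reset to free; cluster 4 still allocated
FAT = [0xFFF8, 0xFFFF, FAT_FREE, FAT_FREE, FAT_EOC, FAT_FREE, FAT_FREE]
ROOT_DIR = dir_entry("OTHER", "TXT", 4, 12) + dir_entry("MYFILE", "TXT", 2, 160, deleted=True)

def find_deleted_entries(root_dir):
    """Disk scan step: enumerate 32-byte entries whose first byte is E5h."""
    found = []
    for off in range(0, len(root_dir), 32):
        raw = root_dir[off:off + 32]
        if raw[0] != DELETED_MARK:
            continue
        name, ext, _attr, start, size = struct.unpack("<8s3sB14xHI", raw)
        found.append({"name": name, "ext": ext, "start": start, "size": size})
    return found

def recover_file(fat, data_area, entry, first_char):
    """Cluster-chain step: from the start cluster, take free clusters until the
    size is covered (skips clusters reallocated since deletion; assumes order)."""
    needed = math.ceil(entry["size"] / CLUSTER_SIZE)
    chain, cluster = [], entry["start"]
    while len(chain) < needed:
        if cluster >= len(fat):
            raise ValueError("ran off the end of the FAT; file not recoverable")
        if fat[cluster] == FAT_FREE:
            chain.append(cluster)
        cluster += 1
    data = b"".join(data_area[(c - 2) * CLUSTER_SIZE:(c - 1) * CLUSTER_SIZE] for c in chain)
    # The first character was destroyed by E5h; the user supplies it (FAT only)
    name = first_char + entry["name"][1:].decode().rstrip() + "." + entry["ext"].decode().rstrip()
    return name, chain, data[:entry["size"]]
```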

14
File Recovery Example
(Figure: Directory Entry for MyFile.txt and the corresponding File Allocation Table)
15
Partition Recovery
  • Two requirements for a machine to start properly
  • MBR exists and is safe
  • Partition Table exists and contains at least one
    active partition
  • MBC Damaged
  • Partition Table Damaged
  • Partition Boot Sector damaged
  • Missing or Corrupted System Files

16
MBC Damaged
  • Partition Table is safe
  • Partition Tables conform to standard layout,
    independent of OS
  • Some of the MBC is corrupted (e.g. by a virus)
  • Boot from another drive (a floppy), and on
    accessing the damaged drive all files and folders
    will be visible
  • Sector signature removed (a disk signature 0x55AA
    marks end of boot sector)
  • A> FDISK.EXE /MBR
  • Windows NT/2000/XP: boot from floppy or CD-ROM,
    choose repair option
  • FIXMBR command
  • First sector is bad/unreachable
  • Recovery software fails
  • Scan disks using disk editors and try and save
    important data to another location

17
Partition Table Damaged
  • No partition set to active
  • Recovery software (even FDISK) lets you specify a
    partition to be made active partition
  • Partition set to Active, but no system files
  • Recovery software discovers this and suggests that
    you choose another partition as active partition
  • A partition entry deleted
  • Perform disk space scan to look for remaining
    deleted partition information and reconstruct the
    entry
  • A partition entry damaged
  • Perform disk scan and try to reconstruct the
    entry

18
Partition Boot Sector Damaged
  • In case of NTFS, try and locate duplicate
    Partition Boot Sector
  • Stored in middle or at end of volume
  • Boot from CD, choose repair option, FIXBOOT
    command

19
Points To Remember
  • Do not write onto drives from which data has been
    deleted
  • Can overwrite FAT directory entries
  • Can overwrite clusters
  • Thus, affect file recovery procedures

20
Tools For Undelete
  • DOS Undelete
  • Norton Unerase
  • Active@ File Recovery (49, 29)
  • Ontrack EasyRecovery (89, 199)

21
Physical Damage
  • Caused by fire, flood
  • Disk architecture: two main components
  • Electronic Board
  • Head Assembly
  • Rotating Platters (data)
  • Read/Write Heads
  • A small hole in head assembly, to compensate for
    atmospheric changes

22
Fire Damage
  • Water used by firefighters, if it enters the hole in
    the head assembly
  • More damage if the water dries
  • Leaves residues (minerals, dirt etc.) on platters
  • Lower chance of recovery
  • Intense heat melts platters
  • No chance of recovery
  • Usually, however, even blackened drives have
    undamaged assemblies
  • Challenge to rebuild the electronics
  • Companies keep repositories of drives of
    different (old) makes and models

23
Water Damage
  • Damage caused if water enters head assembly
  • In such a case, it is important to keep the drive wet
  • Drives shipped to data recovery labs in distilled
    water

24
Other means of Recovering Data from Disk
  • Image magnetization patterns
  • Magnetic Force Microscopy (MFM)
  • Scanning Tunneling Microscopy (STM)
  • When a 1 is recorded, the actual effect is
  • Obtaining a 0.85 if a 0 is overwritten
  • Obtaining a 1.05 if a 1 is overwritten
  • Normal circuitry reads both as 1
  • Specialized circuitry can be used to work out what
    previous layers contained

25
Other Means of Recovering
  • Read signals from analog head electronics
  • Download waveform to PC
  • Generate an ideal read signal
  • Subtract from what was actually read
  • Difference = previous signal
  • The more times you overwrite, the lower the chance
    an electron microscope can recover it
  • For example, data overwritten seven times (DoD
    standard) would take a lot of expense, time and
    special techniques to recover

26
Traces of Deleted History Files
  • Deleting history (IE, Tools->Internet
    Options->Delete History) doesn't delete all
    traces
  • Index.dat file in Temporary Internet Files folder
  • Present in Cache, Cookies, History folders
  • Acts as an index for this folder
  • Information contained
  • URL: contains a URL and a reference to the
    local file where it is stored
  • Pages that were not saved in the Temporary
    Internet Files folder; usually dynamic pages.
    These are the most dangerous records, as they may
    contain sensitive information such as passwords.
  • On deletion (e.g. cookies, day-by-day IE history
    etc.), entries are not deleted from index.dat
  • Growing size of index.dat recognized as a problem
    by Microsoft
  • Restarting Windows recreates index.dat (check)

27
Traces of Deleted Histories
  • Index.dat viewers available
  • PurgeIE
  • Displays deleted cookies, URLs (even after
    clearing history)
  • Displays Temp folder files
  • Lots of deleted files present in Temp folder
  • Lets you really delete these

28
RAM recovery?
  • Data can be recovered even from RAM
  • Semiconductor memory does not entirely lose data
    on power-off
  • Older SRAMs could remember previously held states
    for several days
  • Properties of oxide formed on capacitors indicate
    state of data

29
Other Places Where Data is Hidden
  • Windows Swap/Page files
  • Temporary Files
  • Printer Spool Files
  • Metadata
  • Slack Space

30
Tools for ensuring Delete or Erase
  • DoD Method
  • Overwrite with 0s, then with 1s, then once with
    pseudorandom data
  • Gutmann Method
  • Data overwritten 35 times
  • Disk Wiping Utilities

31
Questions or Comments
32
References and Tools
  • References
  • Paper by Peter Gutmann: Secure Deletion of Data
    from Magnetic and Solid-State Memory,
    http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/
  • Paper: Secure File Deletion, Fact or Fiction?
    http://www.sans.org/rr/papers/27/631.pdf
  • Help Contents of Active@ File Recovery,
    http://www.file-recovery.net/
  • The MIT students buying hard disks article,
    http://www.cbronline.com/content/COMP/magazine/Articles/Storage/Datadenied.asp
  • Tools
  • A list of tools: http://www.e-evidence.info/other.html
  • Active@ File Recovery: http://www.file-recovery.net/
  • Ontrack: http://www.ontrack.com/
  • PurgeIE (index.dat viewer): http://www.purgeie.com/dlpurg.htm
  • PowerQuest Partition Table Editor:
    http://www.goodells.net/multiboot/tools.htm