91.580.203 Computer Network Forensics - PowerPoint PPT Presentation
Slides: 70
Learn more at: https://www.cs.uml.edu

1
91.580.203 Computer Network Forensics
  • Xinwen Fu
  • Chapter 7/8
  • File Systems - Supplementary Materials

2
Outline
  • More on recovering secret data
  • Rename files/directories
  • Delete files/directories
  • Copy files/directories
  • Print files
  • Format a disk
  • FAT file system
  • Windows registry
  • NTFS file system

3
Renaming Files
  • Rename files and/or file extensions
  • Example: rename extortion_letter.doc to fuzzy_bunny.jpg
    • People looking for incriminating evidence
      probably won't check a picture file called
      fuzzy_bunny.jpg

4
Renaming Files (Cont.)
  • The file header reveals the real file type
  • Check the real file type with a hex editor such
    as WinHex or XVI32
  • File type signatures (first bytes of the file)
    • 42 4D - .bmp
    • D0 CF - .doc

5
Copying Files
  • Scenario 1: copying a file to a floppy disk or
    hard disk
    • If you run out of space, the pointer to the file
      is removed, but the data that was already copied
      to the sectors is left in place
  • Scenario 2: the computer crashes while copying a
    file
    • Again, the file contents copied to the
      unallocated sectors will exist, but the pointer
      to the data will not have been created

6
Printing a File
  • When a file is printed, it is spooled to the hard
    disk before it is printed
  • Spooling involves copying the file to a temporary
    location, printing it, then deleting it
  • After the temporary file is deleted, the data
    still exists on disk
  • Windows XP spool folder: C:\WINNT\System32\spool\PRINTERS
    • Click Start, and then click Printers and Faxes
    • On the File menu, click Server Properties
    • Click the Advanced tab

7
Temporary Internet Files
  • Internet Explorer stores copies of web pages,
    images, and media for faster viewing later
  • Default Windows XP Temporary Internet Files
    folder: C:\Documents and Settings\fu\Local
    Settings\Temporary Internet Files
  • Tools -> General -> Browsing history -> Settings
    -> View files

8
Formatting a Disk
  • When a disk is quick formatted, the file table on
    the disk is cleared, but the data on the disk is
    left in place
  • Again, similar to deleting all the files on a disk

9
Hiding Folders (DOS/Windows 95)
  • Create files or directories with non-printable
    characters [1, 2]
  • Example: at a DOS prompt, type the character
    Alt-255 using the numeric keypad. This inserts a
    character that looks like a blank space, but it
    is not an actual space
  • If you show a directory listing, you can see that
    the file/directory exists, but you might not know
    exactly how many non-printing characters there
    are, or where they sit within the file name
  • You can still access the directory via Windows
    Explorer and similar graphical tools

10
Attributes
  • In Windows, set the hidden attribute on a file
    or directory
  • Can still view files if the Show hidden files
    and folders option is checked in Windows
    Explorer
  • Other tools may or may not display hidden files

11
Hiding Folders (Unix)
  • In Unix, rename a file or directory so that its
    name starts with a dot (.)
  • Example: mv important.doc .important.doc
  • Can still be viewed by listing all files: ls -a
  • A Linux system for you to play with
    • PuTTY to mercury.cs.uml.edu
    • user: ???  passwd: ???

12
Swap Space
  • Swap Space (also called a page file) is used to
    increase the amount of memory available to the
    system
  • The total memory available (real RAM and the swap
    space) is called virtual memory
  • Information is constantly being written to
    memory, and therefore to the hard disk
  • Information can then be extracted from this file

13
Core Dumps
  • Core dumps are created on Unix systems when a
    process or program generates a fault
  • The core dump will contain all the data from CPU
    registers and memory at the time of the fault
  • Information can then be extracted from the core
    dump

14
RAM Slack
[Diagram: one cluster of 8 sectors; the file ends partway through a sector]
RAM slack is the area from the end of the file to the end of that sector. It comes from RAM.
http://www.forensics-intl.com/def6.html

15
Residual Data Slack
[Diagram: one cluster of 8 sectors; RAM slack ends at the sector boundary]
Residual data slack is the area from the end of RAM slack to the end of the cluster: whatever was on the media before.

16
Slack Space
  • A cluster is the smallest logical allocation unit
  • A sector is the smallest physical allocation unit
  • When files are deleted, both the deleted data and
    the data in slack space still exist
  • When a file is wiped from the system (permanently
    removed), any data in the slack space still
    exists
    • Wipe tool: EZ Wipe
  • The data in the slack space is only removed when
    it is overwritten, or when it is explicitly
    removed
    • A list of tools: Eraser, etc.
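The two slack regions of slides 14-16, worked through in code. This is an added example, not material from the slides: it uses the slide geometry (512-byte sectors, 8 sectors per cluster) and a constructed cluster whose earlier occupant left bytes behind, and it shows how an examiner separates file data, RAM slack and residual data slack once the file size is known from the directory entry.

```python
# Added example: RAM slack vs. residual data slack for the slide geometry
# (512-byte sectors, 8 sectors per cluster). Constructed data, not a disk image.
SECTOR = 512
SECTORS_PER_CLUSTER = 8          # slides 14/15: "Cluster size 8 sectors"
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def slack_layout(file_size, sector=SECTOR, sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Sizes of the regions left over in the cluster(s) a file occupies.

    RAM slack: end of file to end of the sector the file ends in.
    Residual data slack: end of that sector to end of the last cluster.
    A zero-length FAT file owns no cluster, so it has no slack at all.
    """
    cluster = sector * sectors_per_cluster
    if file_size == 0:
        return {"clusters": 0, "ram_slack": 0, "residual_slack": 0}
    clusters = -(-file_size // cluster)                # ceiling division
    last_sector_end = -(-file_size // sector) * sector
    return {"clusters": clusters,
            "ram_slack": last_sector_end - file_size,
            "residual_slack": clusters * cluster - last_sector_end}


def extract_slack(cluster_bytes, file_size, sector=SECTOR):
    """Split one allocated cluster into (file data, RAM slack, residual slack).

    file_size is the number of file bytes inside this cluster; an examiner takes
    it from the directory entry, since nothing in the data marks where it ends.
    """
    last_sector_end = -(-file_size // sector) * sector
    return (bytes(cluster_bytes[:file_size]),
            bytes(cluster_bytes[file_size:last_sector_end]),
            bytes(cluster_bytes[last_sector_end:]))


def demo():
    # Constructed cluster: a 1000-byte file written over a cluster that used to
    # hold another file. The OS pads the last sector from RAM; the remaining
    # sectors of the cluster still carry the previous occupant's bytes.
    old_occupant = (b"." * 2048 + b"OLD SECRET DOCUMENT").ljust(CLUSTER, b".")
    cluster = bytearray(old_occupant)
    cluster[0:1000] = b"N" * 1000                              # the new file
    cluster[1000:1024] = b"<ram buffer>".ljust(24, b"\x00")    # 24 bytes of RAM slack
    data, ram_slack, residual = extract_slack(cluster, 1000)
    return {"layout": slack_layout(1000),
            "file_ok": data == b"N" * 1000,
            "ram_slack_len": len(ram_slack),
            "residual_has_old_data": b"OLD SECRET DOCUMENT" in residual}
```

`slack_layout` also covers the edge cases the slides do not draw: a file that ends exactly on a sector boundary has no RAM slack, and a file one byte over a cluster boundary drags a whole second cluster of slack with it.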

17
FTK Imager to Check Deleted Files
  • File -> Add Evidence Item -> Physical Drive
  • In-class exercise
    • Create a file
    • Delete the file and empty the Recycler
    • Use FTK Imager to load the drive and check the

18
Outline
  • More on recovering secret data
  • FAT file system
  • Write
  • Delete
  • Reformat
  • Windows registry
  • NTFS file system

19
Writing a file
What areas change when a FILE is written?
[Diagram of a FAT partition before the write: MBR, VBR (Volume Boot Record), Reserved Area, FAT1, FAT2, Root Directory, and the data area where FILE will be stored]
20
File Allocation Table (FAT)
  • A list of entries that map to each cluster on the
    partition. Each entry records one of five things:
    • the address of the next cluster in a chain
    • a special end of file (EOF) character that
      indicates the end of a chain
    • a special character to mark a bad cluster
    • a special character to mark a reserved cluster
    • a zero to note that the cluster is unused

21
Directory Table
  • A special type of file that represents a
    directory (nowadays commonly known as a folder)
  • Each file or directory stored within it is
    represented by a 32-byte entry in the table. Each
    entry records:
    • name, extension, attributes (archive, directory,
      hidden, read-only, system and volume), the date
      and time of creation, the address of the first
      cluster of the file/directory's data and finally
      the size of the file/directory.
  • Aside from the Root Directory Table in FAT12 and
    FAT16 file systems, which occupies the special
    Root Directory Region location, all Directory
    Tables are stored in the Data Region

22
Writing a file
What areas change when a FILE is written?
Directory entry is created
[Diagram: the root directory now holds one entry next to unused directory entries]
Filename: FILE   Start Cluster: 2   Size: 1024

23
Writing a file
What areas change when a FILE is written?
Directory entry is created
FATs are updated
[Diagram: FAT1 and FAT2 are both updated with the new file's cluster chain]

24
Writing a file
What areas change when a FILE is written?
Directory entry is created
FATs are updated
FILE contents written to data area
[Diagram: the file's contents are stored in the data area starting at cluster 2]

25
Deleting a file
What areas change when a FILE is deleted?
[Diagram of the same FAT partition: MBR, VBR, Reserved Area, FAT1, FAT2, Root Directory, data area holding FILE]

26
Deleting a file
First character of the Directory entry is changed to 0xE5
[Diagram: the root directory entry now reads "?ILE" (first byte 0xE5), Start Cluster 2, Size 1024; the other entries are unused]

27
Deleting a file
First character of the Directory entry is changed to 0xE5
FAT entries are zeroed
[Diagram: the entries for FILE's clusters in FAT1 and FAT2 are set to 0]

28
Deleting a file
First character of the Directory entry is changed to 0xE5
FAT entries are zeroed
Data area is not changed!
[Diagram: FILE's contents remain in the data area]

29
Reformatting (DOS 6.22)
What areas change when a partition is reformatted?
[Diagram of the FAT partition: MBR, VBR, Reserved Area, FAT1, FAT2, Root Directory, data area holding FILE]
http://www.increa.com/articles/DestroyMagneticData/index.htm

30
Reformatting
Three areas change when a partition is reformatted
[Same diagram]

31
Reformatting
Three areas change when a partition is reformatted
FAT entries are zeroed
[Diagram: the FAT1 and FAT2 entries for clusters 2 through 13 are all set to 0]

32
Reformatting
Three areas change when a partition is reformatted
FAT entries are zeroed
Boot Record is written
[Diagram: the VBR is rewritten]

33
Reformatting
Three areas change when a partition is reformatted
FAT entries are zeroed
Boot Record is written
Data area is not changed
[Diagram: FILE's contents remain in the data area]
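The FAT write, delete and reformat sequences of slides 20 through 33, reproduced on a small in-memory volume so the three "areas that change" can be inspected directly. This is an added example, not code from the slides: the volume is a constructed FAT16-style toy (512-byte sectors, 8 sectors per cluster, 16 clusters, 16 root entries, 0xFFFF as the end-of-chain marker), the 32-byte directory entry follows the layout described on slide 21, and two points are assumptions rather than slide content: that the root directory is the third area a DOS format clears, and that a deleted file was stored contiguously, which is what an undelete has to assume once its FAT chain has been zeroed.

```python
import math
import struct

# Constructed in-memory FAT16-style volume, not a real disk image: 512-byte sectors,
# 8 sectors per cluster, 16 clusters (0 and 1 reserved), a 16-entry root directory.
SECTOR, SECTORS_PER_CLUSTER, TOTAL_CLUSTERS, ROOT_ENTRIES = 512, 8, 16, 16
CLUSTER = SECTOR * SECTORS_PER_CLUSTER
EOC = 0xFFFF        # end-of-chain marker in the FAT
DELETED = 0xE5      # first byte of a deleted directory entry (slide 26)
# 32-byte entry: name(8) ext(3) attrs(1) times/dates(10) wtime(2) wdate(2) first cluster(2) size(4)
DIR_ENTRY = struct.Struct("<8s3sB10sHHHI")


def make_dir_entry(name, ext, first_cluster, size, attrs=0x20):
    """Pack a short-name directory entry (dates and times left zero)."""
    return DIR_ENTRY.pack(name.upper().ljust(8).encode("ascii"),
                          ext.upper().ljust(3).encode("ascii"),
                          attrs, bytes(10), 0, 0, first_cluster, size)


def parse_dir_entry(raw):
    """Decode one entry: first byte 0x00 = never used, 0xE5 = deleted (shown as '?')."""
    name, ext, attrs, _, _, _, first_cluster, size = DIR_ENTRY.unpack(raw)
    if raw[0] == DELETED:
        name = b"?" + name[1:]
    return {"free": raw[0] == 0x00, "deleted": raw[0] == DELETED,
            "name": name.decode("ascii", "replace").rstrip(" \x00"),
            "ext": ext.decode("ascii", "replace").rstrip(" \x00"),
            "attrs": attrs, "first_cluster": first_cluster, "size": size}


class FatVolume:
    def __init__(self):
        self.fat = [0] * TOTAL_CLUSTERS
        self.fat[0] = self.fat[1] = EOC                    # reserved entries
        self.root = bytearray(DIR_ENTRY.size * ROOT_ENTRIES)
        self.data = bytearray(CLUSTER * TOTAL_CLUSTERS)

    def _entries(self):
        for i in range(ROOT_ENTRIES):
            yield i, parse_dir_entry(self.root[i * 32:(i + 1) * 32])

    def _chain(self, first):
        chain, c = [], first
        while 2 <= c < TOTAL_CLUSTERS and c not in chain:   # stops on EOC or a zeroed entry
            chain.append(c)
            c = self.fat[c]
        return chain

    def write_file(self, name, ext, content):
        """Slides 22-24: directory entry created, FAT chain linked, data written."""
        needed = max(1, math.ceil(len(content) / CLUSTER))
        free = [c for c in range(2, TOTAL_CLUSTERS) if self.fat[c] == 0][:needed]
        if len(free) < needed:
            raise OSError("out of space")
        for cur, nxt in zip(free, free[1:] + [EOC]):
            self.fat[cur] = nxt
        for i, c in enumerate(free):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        slot = next(i for i, e in self._entries() if e["free"])
        self.root[slot * 32:(slot + 1) * 32] = make_dir_entry(name, ext, free[0], len(content))
        return free

    def delete_file(self, name):
        """Slides 26-28: first byte set to 0xE5, FAT entries zeroed, data area untouched."""
        for i, e in self._entries():
            if not (e["free"] or e["deleted"]) and e["name"] == name.upper():
                for c in self._chain(e["first_cluster"]):
                    self.fat[c] = 0
                self.root[i * 32] = DELETED
                return True
        return False

    def quick_format(self):
        """Slides 31-33: FAT zeroed, root directory cleared (assumed third area), data untouched."""
        for c in range(2, TOTAL_CLUSTERS):
            self.fat[c] = 0
        self.root[:] = bytes(len(self.root))

    def recover_deleted(self):
        """Undelete via 0xE5 entries: the chain is gone, so read `size` bytes from the
        start cluster and assume the file was stored contiguously."""
        out = []
        for _, e in self._entries():
            if e["deleted"]:
                start = e["first_cluster"] * CLUSTER
                out.append((e["name"] + "." + e["ext"], bytes(self.data[start:start + e["size"]])))
        return out

    def carve(self, signature):
        """After a format the directory is gone: look for a known header (slide 4) at cluster starts."""
        return [c for c in range(2, TOTAL_CLUSTERS)
                if self.data[c * CLUSTER:c * CLUSTER + len(signature)] == signature]


def demo():
    vol = FatVolume()
    original = b"BM" + bytes(1022)                      # constructed 1024-byte file, 42 4D header
    clusters = vol.write_file("FILE", "BMP", original)  # slide 22: start cluster 2, size 1024
    written = parse_dir_entry(vol.root[:32])
    vol.delete_file("FILE")
    deleted = parse_dir_entry(vol.root[:32])
    result = {"clusters": clusters,                                        # [2]
              "written": (written["name"], written["first_cluster"], written["size"]),
              "deleted_name": deleted["name"],                             # '?ILE'
              "fat2_after_delete": vol.fat[2],                             # 0
              "data_intact": bytes(vol.data[2 * CLUSTER:2 * CLUSTER + 1024]) == original,
              "undelete_ok": vol.recover_deleted() == [("?ILE.BMP", original)]}
    vol.quick_format()
    result["entries_after_format"] = vol.recover_deleted()                # []: directory gone
    result["carved_after_format"] = vol.carve(b"BM")                      # [2]: data still there
    return result
```

`demo()` walks the slide sequence: after the write the directory entry reads FILE, cluster 2, 1024 bytes; after the delete the entry reads "?ILE", the FAT entry is 0 and the undelete still recovers the bytes; after the format no directory entry is left, yet carving for the 42 4D header from slide 4 still finds the data in cluster 2.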






34
Outline
  • More on recovering secret data
  • FAT file system
  • Windows registry
  • NTFS file system

35
Windows Registry
  • What is it?
  • A central hierarchical database that stores the
    information needed to configure the system for
    one or more users, applications and hardware
    devices
  • Replaces AUTOEXEC.BAT, CONFIG.SYS and INI files
  • First introduced in Windows 3.1 for storing OLE
    settings (pre-1995)
  • View the Windows Registry with regedit or IceSword

36
Windows Registry
  • There are five root keys
  • HKEY_CLASSES_ROOT (HKCR)
  • HKEY_CURRENT_USER (HKCU)
  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_USERS (HKU)
  • HKEY_CURRENT_CONFIG (HKCC)

37
Two are Master keys
  • HKEY_LOCAL_MACHINE (HKLM)
  • Configuration data describing hardware and
    software installed on the computer
  • HKEY_USERS (HKU)
  • Configuration data for each user that logs into
    the computer

http://www.antirootkit.com/software/IceSword.htm
38
Three are derived from the Master keys (Architecture)
  • HKEY_CLASSES_ROOT
  • File Associations and OLE
  • HKEY_CURRENT_USER
  • Currently logged on user
  • HKEY_CURRENT_CONFIG
  • Current hardware profile

39
HKEY_CLASSES_ROOT
  • File Associations and OLE
  • From HKLM\Software\Classes

40
HKEY_CURRENT_USER
  • Currently logged on user
  • From HKU\<SID> (security identifier) of the
    current user
  • User-to-SID mapping: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

http://support.microsoft.com/kb/154599
http://support.microsoft.com/kb/243330
http://en.wikipedia.org/wiki/Security_Identifier
41
HKEY_CURRENT_CONFIG
  • Current hardware profile
  • From HKLM\System\CurrentControlSet\Hardware
    Profiles\Current

42
Windows Registry
  • Wealth of investigative information
    • Registered Owner
    • Registered Organization
    • Shutdown Time
    • Recent DOCs
    • Most Recently Used (MRU) list
    • Typed URLs
    • Previously Mounted Devices
    • Software Installed

http://support.microsoft.com/kb/256986/EN-US/
43
Registry Tools
  • Registry Reader (AccessData)
  • EnCase
  • Windows
    • Regedit
    • Regedt32
  • Freeware tools
  • Never work on the original
    • Make a copy
44
Registry Locations
  • To see system files: File Explorer -> Tools ->
    Folder Options -> View
  • Windows NT, 2000, XP, and Server 2003
    • The following Registry files are stored in
      %SystemRoot%\System32\Config\
      • Sam: HKEY_LOCAL_MACHINE\SAM
      • Security: HKEY_LOCAL_MACHINE\SECURITY
      • Software: HKEY_LOCAL_MACHINE\SOFTWARE
      • System: HKEY_LOCAL_MACHINE\SYSTEM
      • Default: HKEY_USERS\.DEFAULT
    • The following files are stored in each user's
      profile folder
      • %UserProfile%\Ntuser.dat: HKEY_USERS\<User SID>
      • %UserProfile%\Local Settings\Application
        Data\Microsoft\Windows\Usrclass.dat (path is
        localized): HKEY_USERS\<User SID>_Classes
  • Windows 95, 98, and Me
    • The registry files are named User.dat and
      System.dat and are stored in the C:\WINDOWS\
      directory. In Windows Me, Classes.dat was added.
  • Windows 3.11
    • The registry file is called Reg.dat and is stored
      in the C:\WINDOWS\ directory.
45
Outline
  • More on recovering secret data
  • FAT file system
  • Windows registry
  • NTFS file system

46
NTFS
  • Each system component is a file - even system
    information
  • The most important file on NTFS is named MFT
    (Master File Table) - the common table of files
  • A centralized directory of all remaining disk
    files, and of itself
  • Divided into records of a fixed size (usually
    1 KB)
  • Each record corresponds to some file
  • The first 16 files are housekeeping, have a fixed
    position, and are inaccessible to the operating
    system
  • They are called metafiles, and the very first
    metafile is the MFT itself
  • For reliability, a second copy of the first 3
    records is stored exactly in the middle of the
    disk
  • The rest of the MFT file can be stored, like any
    other file, anywhere on the disk
47
NTFS
MFT is divided into records of a fixed size (usually 1 KB)
[Diagram: Master Boot Record, Volume Boot Record, then the MFT as a sequence of fixed-size records]

48
NTFS System Files (Metadata Files)
System File             File Name   MFT Record   Purpose of the File
Master file table       $Mft        0            Contains one base file record
Master file table 2     $MftMirr    1            A duplicate image of the first three records of the MFT
Log file                $LogFile    2            Contains a list of transaction steps used for NTFS recoverability
Volume                  $Volume     3            Contains information about the volume
Attribute definitions   $AttrDef    4            A table of attribute names, numbers, and descriptions
Root file name index    .           5            The root folder
Cluster bitmap          $Bitmap     6            A representation of the volume showing which clusters are in use (one bit refers to one cluster)
Boot sector             $Boot       7            Includes the BIOS Parameter Block (BPB)
Bad cluster file        $BadClus    8            Contains bad clusters for the volume
Security file           $Secure     9            Contains unique security descriptors for all files within a volume
Upcase table            $Upcase     10           Converts lowercase characters to matching Unicode uppercase characters
NTFS extension file     $Extend     11           Used for various optional extensions
                                    12-15        Reserved for future use

49
NTFS File Attributes
Attribute Type          Description
Standard Information    Includes information such as timestamp and link count.
Attribute List          Lists the location of all attribute records that do not fit in the MFT record.
File Name               A repeatable attribute for both long and short file names. The long name of the file can be up to 255 Unicode characters. The short name is the 8.3, case-insensitive name for the file. Additional names, or hard links, required by POSIX can be included as additional file name attributes.
Security Descriptor     Describes who owns the file and who can access it.
Data                    Contains file data. The $DATA attribute describes the data runs, the clusters used by the file.
Object ID               A volume-unique file identifier. Used by the distributed link tracking service. Not all files have object identifiers.
Logged Utility Stream   Similar to a data stream, but operations are logged to the NTFS log file just like NTFS metadata changes. This is used by EFS.
Reparse Point           Used for volume mount points. They are also used by Installable File System (IFS) filter drivers to mark certain files as special to that driver.
Index Root              Used to implement folders and other indexes.
Index Allocation        Used to implement folders and other indexes.
Bitmap                  Used to implement folders and other indexes.
Volume Information      Used only in the Volume system file. Contains the volume version.
Volume Name             Used only in the Volume system file. Contains the volume label.

50
Storing Files in NTFS
  • The $LogFile metadata file is updated
    • Transaction steps are logged
    • Used to roll back if necessary

51
Deleted File
  • Parent directory
    • Index entry removed
    • $BITMAP attribute updated
  • MFT file record marked available
    • MFT $BITMAP attribute updated
  • $Bitmap metadata file updated if the file had
    non-resident clusters
    • Resident: the file's data is small enough to be
      stored within its MFT record
    • Non-resident: the file's data cannot be stored
      within the MFT record and occupies clusters

52
Deleted File (Cont.)
Index entry removed
[Diagram of MFT records 213-221: record 214 is the Directory Record (MYFILES) whose index entries are README.TXT, MYFILE.HLP and SYSTEM.DLL; records 215, 216 and 217 are the File Records for README.TXT, MYFILE.HLP and SYSTEM.DLL, each with parent 214; record 218 is the Directory Record (Recycler) with an index entry for S-1-5-21-3xxxxxx; record 219 is the Directory Record (S-1-5-21-3xxxxxx) with parent 218. The deleted file's index entry is removed from its parent directory record.]

53
Deleted File (Cont.)
MFT record marked available
[Same diagram; each File Record carries a Parent File Record Entry pointing to 214. The deleted file's MFT record is marked available.]

54
MFT $BITMAP Attribute Updated
[Diagram: the $MFT file record with its File Record Header and $STANDARD_INFORMATION, $DATA and $BITMAP attributes]
$BITMAP contents:
11111111 11111111 00000000 11100111 00000001
00000000 00000000 00000000 00000000 00000000
00000000 00000000
The bytes are read from right to left
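Reading the $BITMAP bit string from slide 54 in code. This is an added example, not something from the slides: it assumes that "read from right to left" means the least significant bit of each byte refers to the lowest-numbered MFT record (the NTFS convention), lists which records are in use, marks one record available the way a deletion does (slides 51 and 53), and diffs two snapshots of the bitmap to find the records that were freed. The same bit layout applies to the $Bitmap metadata file for clusters (slide 55), so `records_in_use` serves there as well.

```python
# Added example: the $BITMAP attribute of $MFT as printed on slide 54.
# Assumption: bit 0 (the rightmost bit of each printed byte) is the lowest record
# number in that byte, which is why the slide says the bytes are read right to left.
SLIDE_BITMAP = bytes(int(b, 2) for b in (
    "11111111 11111111 00000000 11100111 00000001 "
    "00000000 00000000 00000000 00000000 00000000 "
    "00000000 00000000").split())


def records_in_use(bitmap):
    """MFT record numbers (or cluster numbers, for $Bitmap) whose bit is set."""
    return [byte_no * 8 + bit
            for byte_no, value in enumerate(bitmap)
            for bit in range(8) if value >> bit & 1]


def set_record(bitmap, record, in_use):
    """Return a copy of the bitmap with one record marked in use (1) or available (0)."""
    out = bytearray(bitmap)
    byte_no, bit = divmod(record, 8)
    if in_use:
        out[byte_no] |= 1 << bit
    else:
        out[byte_no] &= ~(1 << bit) & 0xFF
    return bytes(out)


def freed_records(before, after):
    """Records in use before and available after: candidates for deleted files."""
    return sorted(set(records_in_use(before)) - set(records_in_use(after)))


def render(bitmap):
    """Print the bitmap the way the slide does: one byte per group, bit 7 first."""
    return " ".join(f"{b:08b}" for b in bitmap)


def demo():
    before = SLIDE_BITMAP
    after = set_record(before, 26, in_use=False)   # one file record marked available
    return {"in_use_before": records_in_use(before),
            "freed": freed_records(before, after),
            "after": render(after)}
```

With the slide's bytes, records 0-15, 24-26 and 29-32 are in use; freeing record 26 turns the fourth byte from 11100111 into 11100011, and comparing the two snapshots recovers exactly that record number. Records that are marked free in the bitmap but whose file record still holds file data are the recoverable deleted files of slide 56.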
55
File Deleted
Bitmap updated
[Same diagram, now also showing record 6, the File Record ($Bitmap); the $Bitmap metadata file is updated for the clusters the deleted file released.]

56
Recovering Deleted Files
  • Software Tools
  • FTK Toolkits
  • GetDataBack (Runtime)
  • R-Studio
  • CIA Unerase
  • etc.

57
Deleted vs Recycled
  • Deleted or Recycled?
    • Sent to the Recycle Bin
    • Deleted from the Recycle Bin
    • Deleted bypassing the Recycle Bin (Shift+Del)

58
Win2K/XP Recycle Bin
  • Recycler folder for NTFS
  • Configure Explorer to show hidden and system
    files
  • The SID-named subdirectory contains
    • INFO2
    • Desktop.ini
    • Placeholder(s)
  • Use FTK Imager to load the Recycler folder for
    viewing

59
NTFS Recycle Bin
60
Placeholder(s)
  • Entry for each deleted item
  • Hidden from view in GUI environment
  • Date time unchanged from original file
  • If a subdirectory is deleted only one placeholder
    is made

61
Placeholder(s)
  • D<original drive letter><#>.<original extension>
    • DC1.TXT
    • DC2.JPG
    • DC3.BMP

62
INFO2 File
  • An 800-byte entry is made for each recycled object
    • Recycled date
    • Original path and filename
    • Placeholder drive letter and

63
INFO2 File (Cont.)
[Diagram of one INFO2 record, fields: ASCII File Name, Drive Letter, Deletion Time, Unicode File Name, File Size]

64
Recycled date and time issue
  • Windows saves time stamps in FILETIME format: the
    number of ticks, in 100 ns increments, since
    00:00 on 1 January 1601 (UTC)
  • Recycle Bin tools (X-Ways Trace, IEHistory,
    Datalifter) will convert the time for you
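The INFO2 record fields of slides 62-63 and the FILETIME conversion of slide 64, implemented together, with the placeholder naming of slide 61 derived from the drive number and record index. This is an added example, not code from the slides or from any of the tools they name. The record offsets are my reading of the Win2K/XP layout described in the Jones paper listed in the references (260-byte ASCII path, index, drive number, FILETIME, size, 520-byte Unicode path = 800 bytes, after a header assumed here to be 20 bytes); the records parsed are constructed in the script, not taken from a real Recycle Bin.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE = 800          # slide 62: one 800-byte entry per recycled object
HEADER_SIZE = 20           # assumed size of the INFO2 header that precedes the records

# Assumed Win2K/XP INFO2 record layout (my reading of the Jones paper in the
# references; the slides only name the fields):
#   0: original path, ASCII, 260 bytes    260: record index, u32    264: drive number, u32 (0=A:, 2=C:)
#   268: deletion time, FILETIME u64      276: file size, u32       280: original path, UTF-16LE, 520 bytes
INFO2_RECORD = struct.Struct("<260sIIQI520s")


def filetime_to_datetime(ticks):
    """FILETIME = 100 ns ticks since 1 Jan 1601 00:00 UTC (slide 64)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used to build test records."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2_record(raw):
    ascii_path, index, drive, ticks, size, uni_path = INFO2_RECORD.unpack(raw)
    original = uni_path.decode("utf-16-le").split("\0", 1)[0]
    letter = chr(ord("A") + drive)
    filename = original.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return {"original_path": original,
            "ascii_path": ascii_path.split(b"\0", 1)[0].decode("ascii", "replace"),
            "index": index, "drive": letter, "size": size,
            "deleted_at": filetime_to_datetime(ticks),
            # slide 61: placeholder is D + drive letter + index + original extension
            "placeholder": f"D{letter}{index}" + (f".{ext}" if ext else "")}


def parse_info2(data):
    """Walk the records after the header; a short trailing fragment is ignored."""
    return [parse_info2_record(data[off:off + RECORD_SIZE])
            for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE)]


def build_info2_record(path, index, drive, deleted_at, size):
    """Constructed record for exercising the parser (not from a real INFO2 file)."""
    return INFO2_RECORD.pack(path.encode("ascii").ljust(260, b"\0"), index, drive,
                             datetime_to_filetime(deleted_at), size,
                             path.encode("utf-16-le").ljust(520, b"\0"))


def demo():
    when = datetime(2005, 4, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed timestamps
    blob = (bytes(HEADER_SIZE)
            + build_info2_record(r"C:\Documents and Settings\fu\notes.txt", 1, 2, when, 4096)
            + build_info2_record(r"C:\temp\photo.jpg", 2, 2, when + timedelta(seconds=90), 8192))
    return parse_info2(blob)
```

Because FILETIME is UTC, the converted values are UTC as well; presenting them in local time needs the system's time zone setting, which is the point the Summary slide makes about clocks and default time zones.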

65
Desktop.ini
  • A folder configuration file
  • Created when Recycle Bin is created
  • Only modified if recycle bin is EMPTIED
  • All Date / Time information updated when bin is
    emptied

http://www.xs4all.nl/hwiegman/desktopini.html
66
Recovering From Recycle Bin
  • When an object is sent to the Recycle Bin, the
    MFT record for the deleted object is simply
    changed:
    • The filename attribute is changed to the
      placeholder name that appears in the Recycle Bin
      (placeholder format: D + drive letter + index)
    • The record number of the parent directory is
      changed from the old parent directory to the
      SID-named directory in the Recycler directory
  • Copy placeholders to a separate drive
  • Copy the INFO2 file; use a utility to parse out
    the date/time data
    • X-Ways Trace - http://www.x-ways.net/trace/index-m.html
    • Datalifter
    • IE History

67
Summary
  • Deleting and formatting on a Hard Drive does not
    touch the data area
  • Often evidence can be found in deleted files, and
    the recycle bin
  • System clocks and default timezone settings are
    very important

68
Review
  • What happens to deleted FAT files
  • What about formatting?
  • What happens to deleted NTFS files?
  • Recovering deleted files

69
References
  1. Nathan Heald, http://dos.rsvs.net/DOSPAGE/DEBUG.HTM, 2008
  2. IronGeek, ALT+NUMPAD ASCII Key Combos: The α and Ö of Creating Obscure Passwords, 2007
  3. Description of the Microsoft Windows registry, http://support.microsoft.com/kb/256986/EN-US/, August 12, 2005
  4. Dmitrey Mikhailov, NTFS file system, http://www.digit-life.com/articles/ntfs/, 2004
  5. NTFS - New Technology File System designed for Windows NT, 2000, XP, http://www.ntfs.com/, 2005
  6. Brian Mork, Destroying Data on Magnetic Disks - Linux or Windows, 2005
  7. How the Recycle Bin Stores Files, http://support.microsoft.com/kb/136517/en-us, December 16, 2004
  8. The Mysterious Recycle Bin, http://www.infocellar.com/winxp/Recycle-Bin.htm, 2006
  9. Anders Svensson, Computer Forensics Applied to Windows NTFS Systems, http://www.dsv.su.se/research/seclab/pages/pdf-files/2005-x-268.pdf, April 2005
  10. Keith J. Jones, Forensic Analysis of Microsoft Windows Recycle Bin Records, http://www.e-fense.com/helix/Docs/Recycler_Bin_Record_Reconstruction.pdf, 5/6/03