Lecture 4
Forensic Analysis of Windows Systems
Prof. Shamik Sengupta
Office 4210N
ssengupta@jjay.cuny.edu
http://jjcweb.jjay.cuny.edu/ssengupta/
Fall 2010

What we will cover today
– Understanding Hard Disk
– File concept
– Structure of a file
– Concept and detecting file types
– File system traces (Understanding MAC traces)
– Hands-on Practice

Understanding Hard Disk
– Richest source of digital evidence on computers among various storage media
– Disk drives are made up of one or more platters coated with magnetic material
– Hard disk drives are organized as a concentric stack of disks (platters)

Understanding Disk Drives
Disk drive components
– Platter or disk
  – Each disk has two surfaces: top and bottom
  – Accessed by two heads
– Tracks
– Cylinders
– Sectors

Hard Disk (Continued)
– Data are recorded on a platter in concentric circles called tracks
  – Tracks are numbered starting from zero at the outside of the platter and increasing as you go in
  – A modern hard disk has tens of thousands of tracks on each platter
  – Each track is broken into smaller units called sectors (typically 512 bytes)

Hard Disk (Continued): Cylinders
– A hard disk is usually made up of multiple platters
  – Because of this arrangement, the track location of the heads is often referred to not as a track number but as a cylinder number
– A cylinder is basically the set of all tracks that all the heads are currently located at

Hard Disk (Continued)
Disk capacity?
– Multiply the number of cylinders, heads, sectors and 512 (block size)
– Ex) What’s the size of a disk which has 12,495 cylinders, 16 heads, 63 sectors?
  12,495 cylinders * 16 heads * 63 sectors * 512 bytes = about 6GB
CHS
– Each storage unit on a disk can be identified by a 3-coordinate system identifying
  – Cylinder
  – Head
  – Sector

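The capacity calculation above, plus the mapping between a CHS coordinate and a linear sector number (LBA) that an examiner needs to turn a partition table entry into an offset inside a disk image. This is an added example written for these notes, not code from the lecture; the geometry is the slide's (12,495 cylinders, 16 heads, 63 sectors per track, 512-byte sectors) and the LBA formula is the standard one, with CHS sector numbers starting at 1.

```python
# Added example (not from the lecture slides): disk capacity from CHS geometry
# and the mapping between a (cylinder, head, sector) address and a linear
# block address (LBA). The geometry is the one worked on the slide:
# 12,495 cylinders, 16 heads, 63 sectors per track, 512-byte sectors.
from dataclasses import dataclass

SECTOR_SIZE = 512


@dataclass(frozen=True)
class Geometry:
    cylinders: int
    heads: int
    sectors: int   # sectors per track; CHS sector numbers start at 1, not 0


def capacity_bytes(g: Geometry) -> int:
    """Cylinders x heads x sectors per track x bytes per sector."""
    return g.cylinders * g.heads * g.sectors * SECTOR_SIZE


def chs_to_lba(g: Geometry, c: int, h: int, s: int) -> int:
    """LBA = (C * heads + H) * sectors_per_track + (S - 1).

    Coordinates outside the geometry raise ValueError; an examiner hits this
    when a partition table advertises a CHS start that does not fit the drive.
    """
    if not (0 <= c < g.cylinders and 0 <= h < g.heads and 1 <= s <= g.sectors):
        raise ValueError(f"CHS ({c},{h},{s}) outside geometry {g}")
    return (c * g.heads + h) * g.sectors + (s - 1)


def lba_to_chs(g: Geometry, lba: int) -> tuple:
    """Inverse of chs_to_lba: returns (cylinder, head, sector)."""
    if not 0 <= lba < g.cylinders * g.heads * g.sectors:
        raise ValueError(f"LBA {lba} outside geometry {g}")
    c, rem = divmod(lba, g.heads * g.sectors)
    h, s0 = divmod(rem, g.sectors)
    return (c, h, s0 + 1)


def sector_byte_offset(g: Geometry, c: int, h: int, s: int) -> int:
    """Byte offset of a CHS address inside a raw image of the whole drive."""
    return chs_to_lba(g, c, h, s) * SECTOR_SIZE


LECTURE_DISK = Geometry(cylinders=12_495, heads=16, sectors=63)

if __name__ == "__main__":
    n = capacity_bytes(LECTURE_DISK)
    print(f"{n:,} bytes = {n / 2**30:.2f} GiB ({n / 10**9:.2f} GB)")
    lba = chs_to_lba(LECTURE_DISK, 0, 1, 1)   # first sector under head 1, cylinder 0
    print("CHS (0,1,1) -> LBA", lba, "-> CHS", lba_to_chs(LECTURE_DISK, lba))
```

The slide's "about 6GB" is 6,448,619,520 bytes, which is 6.45 GB in decimal units and 6.01 GiB in binary units; reports should say which unit they mean.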
Zone Bit Recording (ZBR) in Hard Disks
– The earlier concept of uniform sectoring was not efficient
  – Every track had the same number of sectors
  – But the sectors on the outside of the platter are physically much larger than the ones on the inside
  – Outer tracks are underutilized
– New technique: Zoned bit recording (ZBR)

Understanding Files
– File system
  – Gives the OS a road map to data on a disk
  – Determines how data is stored on the disk

File system Basics
– File
  – Named collection of data objects
  – Typically stored on secondary storage devices, though they can exist exclusively in volatile main memory
  – Operations: open, close, create, destroy, copy, rename, list, etc.
– File systems
  – Organize files and manage access to data
  – Directory: a file containing the name and location of other files in the file system

File system Basics: FAT
– FAT file systems: the simplest Windows file systems
  – A FAT basically is an array that keeps track of which clusters belong to which file
  – To locate data on a volume, directories and a FAT are used
– FAT: older, for management of smaller disks
  – Compatible with 9X/2000/NT, MS-DOS, OS/2, etc.
– The original FAT had many limitations
  – No subdirectories
  – Limited to very small disks
  – Hard to recover the disk if allocation tables were damaged
– FAT32: enhanced version
  – Available with Win95

Examining FAT Disks (continued)
– When the OS stores data in a FAT file system, it assigns a starting cluster position to a file
  – Data for the file is written to the first sector of the first assigned cluster
– When this first assigned cluster is filled and runs out of room
  – FAT assigns the next available cluster to the file
– If the next available cluster isn’t contiguous to the current cluster
  – File becomes fragmented

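To make the "FAT is an array" idea and the fragmentation rule concrete, here is an added example (written for these notes, not code from the lecture) that follows a file's cluster chain through a small FAT16-style table constructed by hand. It also shows the checks a forensic tool needs when the table is damaged: a chain that points at a free or bad cluster, runs off the end of the table, or loops back on itself must stop rather than spin forever.

```python
# Added example (not from the lecture slides): following a file's cluster chain
# through a FAT and spotting fragmentation. The FAT is modelled as a list
# indexed by cluster number, with FAT16-style marker values; the table below is
# constructed by hand for the demo.
FREE = 0x0000
BAD = 0xFFF7
EOC = 0xFFFF            # any value 0xFFF8..0xFFFF ends a chain in FAT16


def walk_chain(fat: list, start: int) -> list:
    """Return the clusters of the file whose first cluster is `start`.

    A damaged FAT can point a chain at a free or bad cluster, out of the
    table, or back onto itself; each case raises instead of looping forever.
    """
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):          # clusters 0 and 1 are reserved
            raise ValueError(f"cluster {cur} is outside the FAT")
        if cur in seen:
            raise ValueError(f"loop detected at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= 0xFFF8:                       # end-of-chain marker
            return chain
        if nxt in (FREE, BAD):
            raise ValueError(f"chain from {start} runs into {nxt:#06x} at cluster {cur}")
        cur = nxt


def extents(chain: list) -> list:
    """Collapse a chain into (first_cluster, run_length) runs."""
    runs = []
    for c in chain:
        if runs and c == runs[-1][0] + runs[-1][1]:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((c, 1))
    return runs


def is_fragmented(chain: list) -> bool:
    """More than one contiguous run means the file is fragmented."""
    return len(extents(chain)) > 1


def cluster_offset(cluster: int, data_start: int, cluster_size: int) -> int:
    """Byte offset of a data cluster: the data area begins with cluster 2."""
    return data_start + (cluster - 2) * cluster_size


# Constructed FAT16 table for a tiny volume: file A is contiguous in 2-4, file B
# starts at 5 and continues in 9-10 (6-8 were freed when another file was
# deleted), and clusters 11-12 form a corrupt loop.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 4, EOC, 9, FREE, FREE, FREE, 10, EOC,
              12, 11, FREE, FREE, FREE]

if __name__ == "__main__":
    for name, start in (("A", 2), ("B", 5)):
        chain = walk_chain(SAMPLE_FAT, start)
        print(name, chain, "fragmented" if is_fragmented(chain) else "contiguous", extents(chain))
    try:
        walk_chain(SAMPLE_FAT, 11)
    except ValueError as e:
        print("corrupt chain:", e)
```

On a real volume the table is read from the reserved area after the boot sector and `data_start` comes from the BIOS parameter block; the walking logic is the same.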
FAT-based File system: Schematic
(diagram slide: FAT, directory entries and data clusters)

Deleting FAT Files
– In Microsoft OSs, when a file is deleted
  – The directory entry is marked as a deleted file
  – The hex E5 (σ) character replaces the first letter of the filename
– Data in the file remains on the disk drive
– The area of the disk where the deleted file resides becomes unallocated disk space
  – Available to receive new data from newly created files or other files needing more space

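The deletion marker is easy to see in a hex dump once you know the 32-byte short-name directory entry layout. The following is an added example (not code from the lecture) that decodes such entries from a directory constructed by hand, reports deleted entries with the lost first character shown as "?", and extracts the starting cluster and size, which is exactly the information a recovery tool keeps from a deleted entry while the data clusters remain unallocated. Field offsets are the standard FAT layout; the sample names and clusters are invented.

```python
# Added example (not from the lecture slides): decoding 32-byte FAT short-name
# (8.3) directory entries and recognising the 0xE5 marker a deletion leaves in
# the first byte. Offsets follow the standard FAT directory-entry layout; the
# sample directory is constructed by hand.
import struct
from dataclasses import dataclass
from typing import Optional

DELETED = 0xE5          # first name byte after deletion (shows as 'σ' in CP437)
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F         # long-file-name entry; skipped in this example


@dataclass
class DirEntry:
    name: str
    deleted: bool
    is_dir: bool
    first_cluster: int
    size: int


def parse_dir_entry(raw: bytes) -> Optional[DirEntry]:
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    if raw[0] == 0x00 or raw[11] == ATTR_LFN:
        return None                         # unused slot or long-name fragment
    deleted = raw[0] == DELETED
    base = raw[0:8]
    if deleted:
        base = b"?" + base[1:]              # first character is lost; show it as unknown
    elif base[0] == 0x05:
        base = b"\xe5" + base[1:]           # 0x05 escapes a real 0xE5 first character
    stem = base.decode("latin-1").rstrip(" ")
    ext = raw[8:11].decode("latin-1").rstrip(" ")
    hi = struct.unpack_from("<H", raw, 20)[0]   # first cluster, high 16 bits (FAT32)
    lo = struct.unpack_from("<H", raw, 26)[0]   # first cluster, low 16 bits
    size = struct.unpack_from("<I", raw, 28)[0]
    return DirEntry(f"{stem}.{ext}" if ext else stem, deleted,
                    bool(raw[11] & ATTR_DIRECTORY), (hi << 16) | lo, size)


def build_entry(stem: bytes, ext: bytes, attr: int, first_cluster: int,
                size: int, deleted: bool = False) -> bytes:
    """Construct an entry for the demo (the inverse of parse_dir_entry)."""
    raw = bytearray(32)
    raw[0:8] = stem.ljust(8, b" ")
    raw[8:11] = ext.ljust(3, b" ")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED                    # this is all a delete changes in the entry
    return bytes(raw)


def scan_directory(blob: bytes) -> list:
    """Return every short-name entry, deleted ones included, up to the end marker."""
    entries = []
    for off in range(0, len(blob) - 31, 32):
        if blob[off] == 0x00:
            break                           # 0x00 first byte: no entries follow
        e = parse_dir_entry(blob[off:off + 32])
        if e is not None:
            entries.append(e)
    return entries


# Constructed directory: a live PDF, a deleted Word file (its data still sits
# at cluster 9 onward until those clusters are reused), a subdirectory, and
# the end-of-directory marker.
SAMPLE_DIR = (build_entry(b"REPORT", b"PDF", 0x20, 5, 1234)
              + build_entry(b"SECRET", b"DOC", 0x20, 9, 40960, deleted=True)
              + build_entry(b"PHOTOS", b"", ATTR_DIRECTORY, 20, 0)
              + bytes(32))

if __name__ == "__main__":
    for e in scan_directory(SAMPLE_DIR):
        print(e)
```

Timestamps (offsets 13 to 25) are left undecoded here; they are packed DOS date/time fields and are worth adding when you get to the MAC-time material later in the lecture.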
FAT: Characteristics
– FAT12
  – For floppy disks
  – 12-bit fields for each entry in the FAT
– FAT16 (MS-DOS, Win95/98/NT/2000/XP)
  – 16-bit fields to identify a particular cluster in the FAT
  – For hard disks
– FAT32 (Win95/98/2000/XP)
  – 28-bit fields to identify a particular cluster in the FAT
  – 4 bits of the 32-bit fields are “reserved”
  – For larger hard disks
  – No limit on root directory size
  – Limited time/date information

Examining NTFS Disks
– New Technology File System (NTFS)
  – Introduced with Windows NT
  – Primary file system for Windows Vista
– Improvements over FAT file systems
  – NTFS provides more information about a file
  – NTFS gives more control over files and folders
– Different from the FAT file system
  – Stores information in the MFT (Master File Table)
  – In NTFS, everything written to the disk is considered a file
– NTFS was Microsoft’s move toward a journaling file system

File system Basics: NTFS (Continued)
– NTFS uses several metadata files to keep track of both files and folders on a given volume
  – Virtually everything is a file in NTFS, including its component parts
– NTFS represents all characters using 16-bit Unicode, including file and directory names
  – FAT file systems use the 8-bit ASCII/ANSI character set for the most part
  – Long file names are represented with 16-bit Unicode characters

Supported File Systems for MS OS
(table slide: file systems supported by each Microsoft operating system)

File Allocation and Deletion in NTFS
– Master File Table (MFT)
  – System file created during the formatting of an NTFS volume
  – Table that describes files and directories
  – Each file and directory has an entry in the MFT
  – Including an entry for itself and for the other metadata files
  – These metadata files are located in the root folder of a volume
  – Have names beginning with ‘$’ and are not generally visible
  – E.g. Windows 2000 metadata files (in earlier versions of NTFS, these files are visible with, e.g., “dir /ah” but invisible in XP)

MFT File Record No.  File Name  Description
0   $MFT      Master File Table (MFT)
1   $MFTMIRR  Copy of the first 16 records of the MFT
2   $LOGFILE  List of file system transactions
3   $VOLUME   Information about the volume, including NTFS version, volume name and creation time
4   $ATTRDEF  Table of attribute definitions
5   .         Root folder
6   $BITMAP   Bitmap representation of used and unused clusters on the volume
7   $BOOT     Boot record with bootstrap loader code if the volume is bootable
8   $BADCLUS  List of the bad clusters in the volume
9   $SECURE   Stores security descriptors (Windows 2000 only)
10  $UPCASE   Conversion table for converting lowercase characters to matching uppercase Unicode characters
11  $EXTEND   Enables file system extensions such as volume quotas (Windows 2000 only)

File Allocation and Deletion in NTFS (Continued)
– MFT records store attributes of files and folders, including
  – the name, in the $FILENAME attribute
  – MAC times and other file characteristics, in the $STANDARD_INFORMATION attribute
  – some or all of the data in a file, using the $DATA attribute
  – A small file may exist entirely within its MFT record with no associated data elsewhere on disk
– E.g. Simplified MFT record for a file:
  Header | $FILENAME | $STANDARD_INFORMATION | $DATA | Attribute list

File Allocation and Deletion in NTFS (Continued)
– $BITMAP file
  – System file created during formatting of an NTFS volume to keep track of cluster usage
  – Uses one bit to record the status of each cluster on the volume
  – E.g. if a cluster in an NTFS volume is used, the corresponding bit in the $BITMAP file is set to 1

File Allocation and Deletion in NTFS (Continued)
– Steps to allocate a file on an NTFS volume
  – 1) The $BITMAP file must be modified to reflect that the used clusters are allocated
  – 2) An MFT record must be allocated and filled in for the file
  – 3) An index entry must be created for the file name in the parent folder’s MFT record
  – 4) Cluster extent entries must be created in the file’s MFT record if the file is non-resident
– When a file is deleted
  – 1) Its cluster references in the $BITMAP file are changed to 0
  – 2) The MFT record for that file is marked for deletion
  – 3) Its index entry is deleted

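The allocation and deletion steps, and the $BITMAP slide before them, come together in the following added example (written for these notes, not code from the lecture, and not a real NTFS implementation). It is a toy volume in which $BITMAP, the MFT, the parent folder's index and the data area are plain Python objects; each step is labelled where it happens. Running it shows why deleted NTFS files are recoverable: a delete clears bitmap bits, flips a flag in the MFT record and drops the index entry, but leaves the record's name, size, extents, resident data and the data clusters untouched until something reuses them. Cluster size, the resident-size limit and the flag value are assumptions for the model.

```python
# Added example (not from the lecture slides): a toy model of the four
# allocation steps and three deletion steps on the slides. $BITMAP, the MFT,
# the parent folder's index and the data area are plain Python objects built
# here; the point is which structures each step touches and, after a delete,
# what is left for a recovery pass to find.
from dataclasses import dataclass, field

CLUSTER_SIZE = 4096       # assumed cluster size for the model
RESIDENT_LIMIT = 700      # assumed size below which $DATA stays inside the record
IN_USE = 0x01             # "record in use" flag in the MFT record header


@dataclass
class MftRecord:
    name: str
    flags: int
    size: int
    resident_data: bytes = b""                     # $DATA kept inside the record
    extents: list = field(default_factory=list)    # (first_cluster, count) runs


class Volume:
    def __init__(self, clusters: int):
        self.bitmap = bytearray((clusters + 7) // 8)   # $BITMAP: one bit per cluster
        self.clusters = clusters
        self.data = {}                                  # cluster number -> bytes
        self.mft = []
        self.index = {}                                 # parent folder index: name -> record no.

    def is_allocated(self, c: int) -> bool:
        return bool(self.bitmap[c >> 3] & (1 << (c & 7)))

    def _set_bit(self, c: int, used: bool) -> None:
        if used:
            self.bitmap[c >> 3] |= 1 << (c & 7)
        else:
            self.bitmap[c >> 3] &= 0xFF ^ (1 << (c & 7))

    def _free_run(self, count: int) -> int:
        """First run of `count` consecutive free clusters."""
        run = 0
        for c in range(self.clusters):
            run = run + 1 if not self.is_allocated(c) else 0
            if run == count:
                return c - count + 1
        raise OSError("volume full")

    def create_file(self, name: str, content: bytes) -> int:
        if len(content) <= RESIDENT_LIMIT:
            rec = MftRecord(name, IN_USE, len(content), resident_data=content)
        else:
            n = -(-len(content) // CLUSTER_SIZE)          # ceiling division
            first = self._free_run(n)
            for i in range(n):
                self._set_bit(first + i, True)            # step 1: $BITMAP bits -> 1
                self.data[first + i] = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            rec = MftRecord(name, IN_USE, len(content), extents=[(first, n)])  # step 4
        self.mft.append(rec)                               # step 2: MFT record
        self.index[name] = len(self.mft) - 1               # step 3: index entry in parent
        return len(self.mft) - 1

    def delete_file(self, name: str) -> None:
        recno = self.index.pop(name)                       # step 3: index entry removed
        rec = self.mft[recno]
        for first, n in rec.extents:
            for c in range(first, first + n):
                self._set_bit(c, False)                    # step 1: $BITMAP bits -> 0
        rec.flags &= ~IN_USE                               # step 2: record marked not in use
        # Nothing else changes: name, size, extents, resident data and the
        # clusters in self.data survive until they are reused.

    def orphaned_records(self) -> list:
        """Record numbers that are not in use but still describe a file."""
        return [i for i, r in enumerate(self.mft) if not r.flags & IN_USE]

    def recover(self, recno: int):
        """Rebuild a deleted file's content, or None if a cluster was reallocated."""
        rec = self.mft[recno]
        if not rec.extents:
            return rec.resident_data                       # resident data never left the MFT
        clusters = [c for first, n in rec.extents for c in range(first, first + n)]
        if not rec.flags & IN_USE and any(self.is_allocated(c) for c in clusters):
            return None                                    # overwritten by a newer file
        return b"".join(self.data[c] for c in clusters)[:rec.size]


if __name__ == "__main__":
    v = Volume(64)
    big = v.create_file("big.bin", bytes(range(256)) * 40)
    v.delete_file("big.bin")
    print("orphaned MFT records:", v.orphaned_records())
    print("recovered bytes:", len(v.recover(big)))
    v.create_file("later.bin", b"\xaa" * 5000)             # reuses clusters 0-1
    print("after reuse:", v.recover(big))
```

A real recovery pass reads the $BITMAP and MFT metadata files directly from the volume; the logic of "find records whose in-use flag is clear, then check whether their extents are still unallocated" is the same.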
Analyzing the structure of a file: Hands-on investigation
– Understanding the structure of a file for digital investigation
  – Data are stored on computers as files
  – But files can be corrupted deliberately to hide data
  – To understand the corruption, we must understand the structure of a file

Analyzing the structure of a file
– The simplest structure of a file consists of:
  – Filename: a unique identifier which allows the computer to correctly identify each file
  – File header: information which describes the type of the file
    – Important as the file header signature
    – Important for the OS to understand which application to associate with the file
  – File content: the actual data
– Files can be corrupted deliberately to hide data
  – Change or delete the file type (today’s lab)
  – Delete the data!

Case Study: Hiding a pdf
– There are simple ways to hide a pdf from the OS
  – Change the file type (extension)
  – Delete the file type (extension)
  – Let’s check the file type by looking at the hexadecimal signature values

Fun lab
Download the test.zip from the class website and see if there is any corruption done with the files. If yes, can you detect the file types?
http://www.garykessler.net/library/file_sigs.html

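The lab check can be automated once you have the signature table. The following added example (written for these notes, not part of the lab materials or the class test.zip) reads the first bytes of each file, looks them up in a small subset of the Gary Kessler signature list linked above, and compares the result with what the extension claims; the sample files it scans are constructed in a temporary directory and mimic the tampering the slides describe (extension changed, extension deleted). The file names and contents are invented.

```python
# Added example (not from the lecture slides): identifying files by their header
# signature ("magic bytes") rather than by extension, which is what the lab asks
# you to do by hand in a hex editor. The table is a small subset of the Gary
# Kessler list linked above; the sample files are constructed in a temporary
# directory so the script runs offline.
import tempfile
from pathlib import Path

# (signature bytes, offset at which they appear, extensions that normally carry it)
SIGNATURES = [
    (b"%PDF-",                             0, {"pdf"}),
    (b"PK\x03\x04",                        0, {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"\x89PNG\r\n\x1a\n",                 0, {"png"}),
    (b"\xff\xd8\xff",                      0, {"jpg", "jpeg"}),
    (b"GIF87a",                            0, {"gif"}),
    (b"GIF89a",                            0, {"gif"}),
    (b"MZ",                                0, {"exe", "dll", "sys", "scr"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  0, {"doc", "xls", "ppt", "msg"}),
    (b"Rar!\x1a\x07",                      0, {"rar"}),
]
HEADER_LEN = 16


def identify(header: bytes):
    """Extensions consistent with the header bytes, or None if no signature matches."""
    for magic, offset, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return exts
    return None


def check_file(path: Path) -> dict:
    with open(path, "rb") as f:
        header = f.read(HEADER_LEN)
    claimed = path.suffix.lower().lstrip(".")
    actual = identify(header)
    if actual is None:
        verdict = "unknown signature"       # plain text, or a damaged/unknown header
    elif not claimed:
        verdict = "extension missing"       # file type deleted: the header still says what it is
    elif claimed in actual:
        verdict = "ok"
    else:
        verdict = "extension mismatch"      # file type changed: the header disagrees with the name
    return {"file": path.name, "claimed": claimed or None, "actual": actual,
            "verdict": verdict, "header": header[:8].hex()}


# Constructed sample set mirroring the kinds of tampering in the lab.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",            # untouched
    "notes.txt":  b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>",           # PDF renamed to .txt
    "archive":    b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + bytes(16),    # extension removed
    "photo.jpg":  b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",               # PNG posing as JPEG
    "readme.txt": b"Just some text.\n",                                 # no known signature
}


def scan(root: Path) -> dict:
    """Map each file name under root to its verdict."""
    return {r["file"]: r["verdict"]
            for r in (check_file(p) for p in sorted(root.iterdir()) if p.is_file())}


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in SAMPLES.items():
            (root / name).write_bytes(content)
        return scan(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

A header that has itself been overwritten (the "delete the data" case on the previous slide) shows up as "unknown signature", and identifying such a file means looking further into the body for format-specific structure, which the signature table alone cannot do.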
File System Traces
– An individual’s actions on a computer leave traces
  – Temporal traces are very important to understand a file’s life
    – When it was created/downloaded
    – When it was accessed
    – When it was modified, etc.
  – An understanding of the cause-effect relationship in the reverse direction is particularly important for the digital investigator
    – What is the cause-effect relationship in the forward direction? You changed something, you see the changed result
    – What is the cause-effect relationship in the reverse direction? You see the changed result, and you have to infer what caused it

MAC Times in NTFS
– Windows records the date and time of a file’s
  – Creation (created): the date and time that a file was created on the current volume
  – Last modification (modified): the date and time that a file was last modified
  – Last access (accessed): the date that a file was last accessed
– An examination of the MAC times of a file can provide insight into
  – the file’s history on a computer
  – the extent of the user’s knowledge of the file’s existence and contents

MAC Times in NTFS (Continued)
Case Example – MAC times
In a prosecution for the possession and distribution of “CP”, a Supervising Special Agent for the California Department of Justice charted the MAC times of several files.
The defendant asserted at trial that he merely downloaded files of unknown content and then forwarded them to others without having viewed them himself.
During a trial recess, the prosecution and defense attorneys held a conference to disclose and discuss the Supervising Special Agent’s scheduled testimony regarding the results of his forensic examination.
The agent informed and described how many files had been accessed at times far remote from their dates of creation.
As a result of this discussion, the defendant entered a plea of guilty prior to the agent’s testimony.

MAC Times in NTFS (Continued)
Example – MAC times
– Can be viewed with the dir command
  – dir /TC (creation time)
  – dir /TA (last access time)
  – dir /TW (last write time)
– MAC times can also be viewed and sorted using forensic tools

Understanding the temporal traces
– File moved within a volume
  – No change in last-modified, last-accessed or created times
– File moved/copied across volumes
  – Last-accessed and created times change
  – NO change in last-modified!
  – However, for the parent directory listing, last-accessed and last-modified are updated. WHY?

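The two rules of thumb from these last slides and from the case example can be applied mechanically to a set of MAC times. The following is an added example (written for these notes, not code from the lecture) over constructed records: a file whose created time is later than its modified time was copied onto this volume from somewhere else (the cross-volume rule above), and a file accessed long after it was created was opened rather than merely stored (the reasoning in the case example). The paths, timestamps and the 30-day threshold are invented for the demonstration; on a live Windows system the values would come from dir /TC, /TA and /TW or from a forensic tool's export.

```python
# Added example (not from the lecture slides): applying the lecture's rules of
# thumb to MAC times. Records are constructed by hand; on a live Windows system
# they would come from dir /TC, /TA and /TW or a forensic tool's export.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MacTimes:
    path: str
    modified: datetime    # last write   (dir /TW)
    accessed: datetime    # last access  (dir /TA)
    created: datetime     # creation     (dir /TC)


def copied_onto_volume(t: MacTimes) -> bool:
    """Created after modified: the content existed before it arrived on this volume."""
    return t.created > t.modified


def accessed_long_after_creation(t: MacTimes, gap: timedelta = timedelta(days=30)) -> bool:
    """Last access well after creation: the file was used, not just received."""
    return t.accessed - t.created >= gap


def parse_dir_timestamp(s: str) -> datetime:
    """Parse the 'MM/DD/YYYY  HH:MM AM' form printed by dir on a US-locale system."""
    return datetime.strptime(" ".join(s.split()), "%m/%d/%Y %I:%M %p")


def analyse(records) -> dict:
    """Per-file verdicts for the two rules of thumb."""
    return {
        r.path: {
            "copied_onto_volume": copied_onto_volume(r),
            "accessed_long_after_creation": accessed_long_after_creation(r),
        }
        for r in records
    }


def timeline(records) -> list:
    """All MAC events in one chronological list: (time, event, path)."""
    events = [(r.created, "created", r.path) for r in records]
    events += [(r.modified, "modified", r.path) for r in records]
    events += [(r.accessed, "accessed", r.path) for r in records]
    return sorted(events)


# Constructed records (paths and dates are invented for the example).
D = parse_dir_timestamp
RECORDS = [
    # copied from another volume in September, still being opened in November
    MacTimes(r"C:\Users\jdoe\Downloads\img001.jpg",
             modified=D("03/02/2010  10:15 AM"), accessed=D("11/20/2010  09:42 PM"),
             created=D("09/14/2010  09:03 PM")),
    # created and edited in place, never reopened
    MacTimes(r"C:\Users\jdoe\Documents\notes.txt",
             modified=D("09/01/2010  09:30 AM"), accessed=D("09/01/2010  09:30 AM"),
             created=D("09/01/2010  09:00 AM")),
    # moved within the volume: all three times unchanged by the move
    MacTimes(r"C:\Users\jdoe\Desktop\memo.doc",
             modified=D("05/06/2010  08:10 AM"), accessed=D("05/06/2010  08:10 AM"),
             created=D("05/05/2010  08:00 AM")),
]

if __name__ == "__main__":
    for path, flags in analyse(RECORDS).items():
        print(path, flags)
    for when, what, path in timeline(RECORDS):
        print(when, what, path)
```

Two cautions when reading real output: last-access updates can be switched off on NTFS (they are disabled by default from Windows Vista onward), so an unchanged access time is weak evidence on its own, and the created-after-modified pattern also appears after a restore from backup or an extraction from an archive, so it shows that the file arrived from elsewhere, not how.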
Homework Assignment #1 will be up by tomorrow
Next up, more forensic examination of Windows and EnCase