Digital Forensics
Module 11, CS 996
Posted on 19-Dec-2015
4/26/2004, Module 11

Slide 2: Outline of Module #11
- Overview of Windows file systems
- Overview of ProDiscover
- Overview of UNIX file systems (Kulesh)
- ProDiscover workshop (remaining time)
Slide 3: Reminder
- InfraGard Chapter meeting on Counterintelligence
- Bear Stearns, 383 Madison Avenue, 9-4, April 28
- RSVP: www.nym-infragard.us
Slide 4: Hard Drive Data Hiding Places
- Low level format
  - Redundant sectors
  - Bad sectors
- Partition
  - Interpartition gaps
  - Unallocated space
  - "Hidden" partitions
  - Boot records and partition tables
  - Deleted partitions
Slide 5: Physical Disk Geometry (CHS)
- One head for each surface (H)
- All tracks at r = dn form a "cylinder" (C)
- Each sector has 512 bytes of user data (S)
- One disk surface devoted to positioning and synchronization
- Not all parts of the disk are addressable by the OS
- Disk capacity = C x H x S x 512 bytes
Slide 6: Lifecycle of Disk Drive
- Blank media
- Low level format (performed at the factory)
- Partition
- High level file system format
- Operating system install
- System operations
Slide 7: Low Level Format
- Low level formatting creates sectors
- Each sector holds 512 bytes + overhead bytes
- Overhead provides error correction and timing recovery
- Bad sectors are remapped to redundant sectors by the HDD controller
Slide 8: Low Level Format
[Figure: sector layout showing the sector overhead, the 512 bytes of user data, and a redundant sector]
Slide 9: Partitioning
[Figure: Master Boot Record, then Partition #1 with its Volume Boot Record, an inter-partition gap, and Partition #2 with its Volume Boot Record]
Slide 10: Partitioning Drive
- Master Boot Record = Master Boot Code + Master Partition Table (MPT); always at sector #1
- Volume Boot Record = Volume Boot Code + Disk Parameter Block; one in each partition
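The Master Partition Table described on this slide is what an examiner reads first to map a drive and to find the inter-partition gaps and unallocated space listed among the hiding places on slide 4. The following Python is an added example, not code from the course or from any tool the slides name: it parses the four 16-byte entries at offset 446 of a 512-byte MBR, checks the 55 AA signature, and lists every sector range that no partition claims. The disk layout it parses is constructed inline (a FAT32-type partition at LBA 63, an NTFS-type partition left 63 sectors past its end, on a 409600-sector disk) and is sample data, not a real drive.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446            # the four 16-byte partition entries sit at 446..509
ENTRY = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector0):
    """Return the used entries of the Master Partition Table, sorted by start LBA."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong size or missing 55 AA signature")
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY, sector0, TABLE_OFFSET + 16 * i)
        if ptype and count:       # type 0x00 marks an empty slot
            parts.append(dict(slot=i, bootable=(status == 0x80), type=ptype,
                              start=lba, end=lba + count - 1))
    return sorted(parts, key=lambda p: p["start"])


def find_gaps(parts, total_sectors):
    """Sectors owned by no partition: after the MBR, between partitions, and past the
    last one. These are the inter-partition gaps and unallocated space an examiner
    must image and inspect rather than skip."""
    gaps, cursor = [], 1          # sector 0 is the MBR itself
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr():
    """Constructed MBR (sample data, not a real disk) for a 409600-sector drive:
    a bootable FAT32 partition (type 0x0B) at LBA 63 and an NTFS-type partition
    (type 0x07) that starts 63 sectors after the first one ends."""
    mbr = bytearray(SECTOR)
    layout = [(0x80, 0x0B, 63, 204800), (0x00, 0x07, 204926, 204000)]
    for i, (status, ptype, lba, count) in enumerate(layout):
        struct.pack_into(ENTRY, mbr, TABLE_OFFSET + 16 * i,
                         status, bytes(3), ptype, bytes(3), lba, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"slot {p['slot']} type 0x{p['type']:02X} LBA {p['start']}-{p['end']}")
    print("unallocated ranges:", find_gaps(parts, 409600))
```

On the constructed layout the parser reports three unclaimed ranges: sectors 1-62 behind the MBR, the 63-sector gap between the two partitions, and the tail of the disk after the second partition. Against a real image the same function is fed the first 512 bytes of the physical device and the sector count reported by the imaging tool.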
Slide 11: FAT File System
- Four parts: volume boot record, file allocation tables, root directory, user data area
- Types: FAT 12, 16, 32 bits (the cluster address size)
- FAT1 and FAT2: first and second copy of the FAT
- Floppy: FAT12
Slide 12: FAT12/16 Structure
[Figure: DOS boot sector, FAT #1, FAT #2, root directory, user data area]
Slide 13: FAT32 Structure
[Figure: DOS boot record (3), reserved sectors, copy of DOS boot record, reserved sectors (32 sectors in all), then FAT #1, FAT #2, user data]
Slide 14: File Allocation Table
[Figure: the directory entry for TEST points to first cluster 217; FAT entry 217 holds 339, entry 339 holds 618, and entry 618 holds EOF, so the file occupies clusters 217, 339, 618]
Slide 15: WinHex: Forensic Hex Editor
- www.x-ways.net
- Disk cloning: DOS version; Windows version (use write blocker)
- Disk editor
- API for scripting tasks
Slides 16-17: WinHex screenshots (no text)
Slide 18: Navigating to FAT12 Directory
- Start at boot sector #1
- Add 2 x 9 sectors (two FATs of 9 sectors each)
- Directory at sector #20
- Offset is 19 x 512 = 9728 bytes = 2600H
Slide 19: WinHex screenshot (no text)
Slide 20: Navigating to FAT32 Allocation Table
- Start at boot sector
- Go to sector #33, an offset of 32 x 512 bytes
- 32 x 512 = 16384 = 4000H
Slide 21: WinHex screenshot (no text)
Slide 22: WinHex NTFS Partition Analysis (screenshot)
Slide 23: ProDiscover Forensic Software
- www.techpathways.com
- Disk imaging: meets NIST Specification 3.1.6
- Works with FAT, NTFS, Sun Solaris UFS
- Displays Windows ADS!
- File signature analysis
- Search capability
- Recover deleted files and slack space
- Reasonable price!
Slide 24: ProDiscover screenshot (no text)

Slide 25: Capture Evidence Files (screenshot)
Slide 26: Image Evidence: Windows Laptop
[Figure: laptop running ProDiscover, connected through a USB-to-IDE adapter and IDE cable to the evidence drive]
Slide 27: KeyWord Search (screenshot)
Slide 28: Reporting (View=>Report) (screenshot)
Slide 29: References for Module #11
- Bill Nelson, Guide to Computer Investigations, 2004
- Warren Kruse, Computer Forensics, 2002
- Kevin Mandia, Incident Response, 2003
- EnCase Legal Journal (course web site)
- www.cs.nmt.edu (cs491_02)
- NTFS: