Post on 19-Dec-2015
Digital Forensics
Module 11, CS 996
4/26/2004 Module 11 2
Outline of Module #11
  Overview of Windows file systems
  Overview of ProDiscover
  Overview of UNIX file systems (Kulesh)
  ProDiscover workshop (remaining time)
4/26/2004 Module 11 3
Reminder: InfraGard Chapter meeting on Counterintelligence
  Bear Stearns, 383 Madison Avenue
  9-4, April 28
  RSVP: www.nym-infragard.us
4/26/2004 Module 11 4
Hard Drive Data Hiding Places
  Low Level Format
    Redundant sectors
    Bad sectors
  Partition
    Interpartition gaps
    Unallocated space
    "Hidden" partitions
    Boot records and partition tables
    Deleted partitions
4/26/2004 Module 11 5
Physical Disk Geometry (CHS)
  One head for each surface (H)
  All tracks at the same radius r = d_n, one on each surface, form a "cylinder" (C)
  Each sector holds 512 bytes of user data (S)
  One disk surface is devoted to positioning and synchronization
  Not all parts of the disk are addressable by the OS
  Disk capacity = C x H x S x 512 bytes
4/26/2004 Module 11 6
Lifecycle of Disk Drive
  Blank media
  Low level format (performed at the factory)
  Partition
  High level (file system) format
  Operating system install
  System operations
4/26/2004 Module 11 7
Low Level Format
  Low level formatting creates sectors
  Each sector holds 512 bytes + overhead bytes
  Overhead provides error correction and timing recovery
  Bad sectors are remapped to redundant sectors by the HDD controller
4/26/2004 Module 11 8
Low Level Format (diagram: each sector = sector overhead + 512 bytes of data; a spare "redundant sector" for remapping)
4/26/2004 Module 11 9
Partitioning (diagram: Master Boot Record at the start of the drive; Partition #1 and Partition #2, each beginning with its own Volume Boot Record; an inter-partition gap between the partitions)
4/26/2004 Module 11 10
Partitioning Drive
  Master Boot Record = Master Boot Code + Master Partition Table (MPT); always at sector #1, the first sector of the drive
  Volume Boot Record = Volume Boot Code + Disk Parameter Block; one at the start of each partition
4/26/2004 Module 11 11
FAT File System
  Four parts: volume boot record, file allocation tables, root directory, user data area
  Types: FAT12, FAT16, FAT32; the number is the cluster address size in bits
  FAT1 and FAT2: first and second copy of the FAT
  Floppy: FAT12
4/26/2004 Module 11 12
FAT12/16 Structure (diagram, in disk order: DOS boot sector, FAT #1, FAT #2, root directory, user data area)
4/26/2004 Module 11 13
FAT32 Structure (diagram, in disk order: DOS boot record (3), reserved sectors, copy of DOS boot record, reserved sectors, together 32 sectors; then FAT #1, FAT #2, user data)
4/26/2004 Module 11 14
File Allocation Table (diagram: directory entry TEST holds starting cluster 217; FAT entries 217 -> 339, 339 -> 618, 618 -> EOF, so the file occupies clusters 217, 339 and 618)
4/26/2004 Module 11 15
WinHex: Forensic Hex Editor, www.x-ways.net
  Disk cloning: DOS version; Windows version (use a write blocker)
  Disk editor
  API for scripting tasks
4/26/2004 Module 11 18
Navigating to FAT12 Directory
  Start at boot sector #1
  Add 2 x 9 sectors (FAT #1 and FAT #2, 9 sectors each)
  Directory is at sector #20
  Offset is 19 x 512 = 9728 bytes = 2600H
4/26/2004 Module 11 20
Navigating to FAT32 Allocation Table
  Start at boot sector
  Go to sector #33 (after the 32 reserved sectors), an offset of 32 x 512 bytes
  32 x 512 = 16384 = 4000H
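As an added example (not from the slides), the sector arithmetic of the FAT12 and FAT32 navigation slides and the cluster chain of the File Allocation Table slide, done in code: it reads the BIOS Parameter Block from a boot sector to locate FAT #1, FAT #2 and the root directory, and follows a packed 12-bit FAT chain. The boot sectors and FAT contents are constructed to match the slides' numbers, and the loop check in follow_chain is a defensive addition the slides do not show.

```python
import struct
FAT12_EOF = 0xFF8  # entries 0xFF8..0xFFF mark the last cluster of a file

def parse_layout(boot_sector: bytes) -> dict:
    """Read the BPB and compute where FAT #1, FAT #2 and the root directory start."""
    (bps, _spc, reserved, nfats, root_entries,
     _tot16, _media, spf16) = struct.unpack_from("<HBHBHHBH", boot_sector, 11)
    # FAT32 zeroes the 16-bit sectors-per-FAT field and keeps a 32-bit count at offset 36
    spf = spf16 or struct.unpack_from("<I", boot_sector, 36)[0]
    root = reserved + nfats * spf          # first sector after the FATs
    root_sectors = (root_entries * 32 + bps - 1) // bps  # 0 on FAT32 (root is a chain)
    return {"fat1_offset": reserved * bps,
            "fat2_offset": (reserved + spf) * bps,
            "root_dir_offset": root * bps,
            "data_start_sector": root + root_sectors}  # cluster #2 begins here

def fat12_get(fat: bytes, cluster: int) -> int:
    """Unpack the 12-bit entry for `cluster`; entries are packed 1.5 bytes each."""
    off = cluster + cluster // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if cluster & 1 else word & 0x0FFF

def fat12_set(fat: bytearray, cluster: int, value: int) -> None:
    """Pack a 12-bit entry without disturbing the neighbouring entry's nibble."""
    off = cluster + cluster // 2
    word = fat[off] | (fat[off + 1] << 8)
    word = (word & 0x000F) | (value << 4) if cluster & 1 else (word & 0xF000) | (value & 0x0FFF)
    fat[off], fat[off + 1] = word & 0xFF, word >> 8

def follow_chain(fat: bytes, start: int) -> list:
    """Walk a FAT12 chain; refuse loops and reserved clusters a damaged FAT may contain."""
    chain, cluster = [], start
    while cluster < FAT12_EOF:
        if cluster < 2 or cluster in chain:
            raise ValueError(f"bad or circular FAT chain at cluster {cluster}")
        chain.append(cluster)
        cluster = fat12_get(fat, cluster)
    return chain

# Constructed 1.44 MB floppy boot sector: 512-byte sectors, 1 reserved sector,
# 2 FATs of 9 sectors, 224 root entries (the slide's "start at #1, add 2 x 9")
FLOPPY_BOOT = bytearray(512)
struct.pack_into("<HBHBHHBH", FLOPPY_BOOT, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
# Constructed FAT32 boot sector: 32 reserved sectors (FAT #1 at sector 33), 16-bit
# sectors-per-FAT = 0, 32-bit sectors-per-FAT = 2048 at offset 36 (12 pad bytes)
FAT32_BOOT = bytearray(512)
struct.pack_into("<HBHBHHBH12xI", FAT32_BOOT, 11, 512, 8, 32, 2, 0, 0, 0xF8, 0, 2048)
# Constructed FAT #1 holding the slide's chain for TEST: 217 -> 339 -> 618 -> EOF
FLOPPY_FAT = bytearray(9 * 512)
for c, nxt in ((217, 339), (339, 618), (618, 0xFFF)):
    fat12_set(FLOPPY_FAT, c, nxt)
```

parse_layout(FLOPPY_BOOT)["root_dir_offset"] is 0x2600 and parse_layout(FAT32_BOOT)["fat1_offset"] is 0x4000, the two offsets the slides derive by hand; follow_chain(FLOPPY_FAT, 217) returns [217, 339, 618].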
4/26/2004 Module 11 22
WinHex NTFS Partition Analysis
4/26/2004 Module 11 23
ProDiscover Forensic Software, www.techpathways.com
  Disk imaging: meets NIST Specification 3.1.6
  Works with FAT, NTFS, Sun Solaris UFS
  Displays Windows ADS (alternate data streams)!
  File signature analysis
  Search capability
  Recovers deleted files and slack space
  Reasonable price!
4/26/2004 Module 11 25
Capture Evidence Files
4/26/2004 Module 11 26
Image Evidence: Windows Laptop (diagram: evidence drive, IDE cable, USB-to-IDE adapter, ProDiscover)
4/26/2004 Module 11 27
Keyword Search
4/26/2004 Module 11 28
Reporting (View=>Report)
4/26/2004 Module 11 29
References for Module #11
  Bill Nelson, Guide to Computer Investigations, 2004
  Warren Kruse, Computer Forensics, 2002
  Kevin Mandia, Incident Response, 2003
  EnCase Legal Journal (course web site)
  www.cs.nmt.edu (cs491_02)
  NTFS: