Presentation on theme: "Computer Data Forensics Drive Slack and Format – Lab 2 Concept Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,"— Presentation transcript:
Computer Data Forensics Drive Slack and Format – Lab 2 Concept Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU
Slack – Definition The amount of disk space that is wasted by having a large cluster size. For example, if a 300-byte file is stored on a disk with a cluster size of 1,024 bytes - there will be 724 bytes of slack space that can't be used for any other files. You can see how much space is allocated to a file by typing "DIR /v" at the command prompt. Cluster size: This is the smallest amount of hard disk space a file can occupy. Floppies have a cluster size of 512 bytes and hard disks can have a cluster size ranging from 1 kilobyte to 16/32/64 kilobytes (sometimes even more). The larger the partition the larger the cluster size.
RAM Slack Clusters made up of sectors For example, if a 300-byte file is stored on a disk If the file size is not an exact multiple of the sector size, the last sector is padded with bytes from memory – called RAM Slack RAM Slack can contain any information in memory that may have been created, viewed, modified, downloaded or copied during work sessions RAM slack occurs only in the sector of a file immediately after the last file character. RAM slack is produced by the fact the disk is written from a 512-byte memory buffer
Drive Slack Drive slack occurs, in addition to RAM slack, when a file is recorded, if the padding required extends to more than one sector Then the sector containing the last character of the file up to the end of that sector, is entirely RAM slack And the following padding sector(s) contain DRIVE slack Drive slack consists of whatever those extra sectors contained on the disk, prior to being written with this file Hence Drive slack may have pieces of previously deleted files, or the format padding characters (if it was unused since formatting)
Drive Slack example Assume a 2-sector cluster size and a file is written with the characters “Hello” Then the data on disk looks as follows:-- Hello+++++++++++++++++++|------------------------(EOF) RAM Slack is indicated by "+" Drive Slack is indicated by "-"
Slack Persists File slack is created when the data is written to disk When the file is deleted by normal OS utilities the data remains intact But the space it occupied is deallocated from the FAT The data remains intact until that space is allocated to and overwritten by another file created So to the Slack contained in the last cluster (RAM + Drive slack) of the deleted file remains
Significance of Slack File slack contains random data dumped from memory Hence it may have passwords, logon names, phone numbers, and other sensitive information Slack can have traces that indicate past uses to which the computer has been put Slack could be large (hundreds of MB) but it deserves a thorough analysis Fragments of e-mail, word processor text, etc. can show up Slack, an artifact of the OS file system, is a godsend to forensic investigators
References File slack, RAM slack and Drive slack defined http://www.forensics-intl.com/def6.html http://www.whitecanyon.com/library _understanding_terms.htm://www.whitecanyon.com/library _understanding_terms.htm
Slack – Example of a Document Document Slack Temp 1 Slack Timed Backup Slack Printer Slack Temp 2 Slack File SWAP Beginning of file End of file
Slack Notes For a single document you have many places it may be found Judges think you have only one piece of evidence – wrong! If you even take a floppy from a classified computer and print on another, the Print spooling file contains the data.
Format Quick Format vs Complete Format: Quick Format is the high level format. High Level – non- destructive, because it leaves data untouched, but frees all the clusters in the FAT table. Logically creates disk space, i.e., it will create a BOOT Record, FAT table, and Root Directory. e.g. FORMAT C: non-destructive FAT, all clusters are shown as unused, so all pointers are reset, and the root directory is cleared. FORMAT A:/Q also high level Complete Format is the low level format. Low-level – destroys data by writing a pattern all through the sectors of the clusters. Physically creates sectors and tracks. e.g. FORMAT A:/U low-level format (U= unconditional) On HD low-level formatting is done at the factory. There are non-DOS utilities that write only sector IDs to make them readable
Utility for Lab 2 Diskedit NTI GETSLACK Function: Write contents of slack space on drive to a file. Platform: MS-DOS, Windows 3.x, Windows 9x (console mode) Invocation: To estimate output file space needed: GETSLACK drive: [drive:...] To write free space to an output file: GETSLACK filename drive: [drive:...] More than one drive may be specified. In addition: /f may be specified anywhere on the command line to filter non-printable values from the output, and /l may be specified anywhere on the command line to limit the size of the output file from the default size of 2.1 GB. (i.e. /l:xxx would set the size to any size less than 2.1 GB.)
Utility for Lab 2 NTI TXTSRCHP TextSearch Plus is compatible with FAT 12, FAT 16 and FAT 32 systems. The program also identifies graphic files (potential steg) and performs text search of files, file slack, unallocated space and physical sectors. This program has been validated by and is used by numerous Fortune 500 corporations, all of the Big 5 accounting firms and several government agencies that deal with classified data.
Utility for Lab 2 NTI FILTER_I It is used to aid in the identification of ASCII text, word combinations, passwords, network logons and English language text strings. Such identification is made from ambient data, i.e. data found in Windows swap files and files created from file slack and unallocated space. This program is primarily used to identify ‘unknowns’ and thus aid in the creation of keyword lists for use with forensic text search programs. The program is also ideal for identification of security risks and corporate policy violations.
Utility for Lab 2 NTI FILTER_I (continued) FILTER (Option 1) This option is used to filter a specific file and to replace all occurrences of non-ASCII data with spaces. When this option is used the resulting file remains the same as the original. FILTER (Option 2) This option is used to filter a specific file and to replace all occurrences of non-ASCII data with one space per group of non-ASCII data. When this option is used the resulting file is smaller than the original.
Utility for Lab 2 NTI FILTER_I (continued) GRAMMAR (Option 3) This option relies upon a predefined listing of common English words that are embedded into the program. This feature can be useful in the identification of data that may contain fragments of e-mail messages or word processing documents. This option normally results in a smaller output file when compared with the output of the first and second options. INTEL (Option 4) This option relies upon a fuzzy logic technique to identify English Language patterns. This feature can be useful in the identification of data that may contain the logon or password of the computer user involved. This option normally results in a smaller output file when compared with the output of the first option. NAMES (Option 5) This option was created at the request of the Royal Canadian Mounted Police. The option is used to identify names of individuals listed in computer data. Many times criminal associates are involved but their existence or identity is unknown to law enforcement. When this feature is used, it sifts through huge files and identifies individuals who may be associated with the user of the computer. The output from this option normally results in a smaller output file when compared with the output of the first option.