Presentation is loading. Please wait.

Presentation is loading. Please wait.

File System Analysis.

Similar presentations


Presentation on theme: "File System Analysis."— Presentation transcript:

1 File System Analysis

2 What is a File System? Computers need a way to store data and then to retrieve the said data in simple but quick ways. File systems provide a way for computers to store data in a hierarchy of files and directories.

3 What is a File System? A file system defines how and where files are stored and how they are named. Files systems are independent of any type of computer. The file systems we will look at are FAT (File Allocation Table), NTFS, Ext2 and Ext3. However, what they have in common is that they all know how to store data and to retrieve the data in a quick manner.

4 Essential and Non-Essential Data
When looking at data, it is important to differentiate between the essential and non-essential data. We have to trust the essential data, but not necessarily trust the non-essential data. It is also important to know which OS wrote the file system because different OS’s might have different requirements as to what is essential and what is not.

5 Essential and Non-Essential Data
Essential data is that data that is needed to save and retrieve files. Some essential data: Content storage location. Name of the file. Pointer from name to metadata. Non-essential data is there for convenience but not needed for the basic functionality of storing and retrieving files. Access Times Security Permissions

6 Data Categories In order to understand different analysis techniques, we divide the data on a computer into several categories. File System Content Metadata File Name Application The tools in The Sleuth Kit (TSK) are based on these same categories.

7 Data Categories - File System
Each instance of a file system is unique because it has a unique size. It contains the general file system information such as where to find certain data (which cluster or block does this reside in) and how big the data unit is. It works like a map.

8 Data Categories - Content
This category is made up of the actual content of a file. Most of the information in a computer is made up of this data category. It is typically organized into data units. Some file systems call these clusters, and some call them blocks.

9 Data Categories - Metadata
This category consists of the data that describes the files such as: Where the file content is stored Size of the file Creation time Modification time Access control information This category does not contain the content of the file and the name of the file. e.g.: inodes and Master File Table (MFT) entries

10 Data Categories - File Name
The file name category is also known as the Human Interface category. In this category, a name is assigned to each file, to make data access more convenient and easier for humans. In most systems, these are contents in a directory with corresponding metadata addresses.

11 Data Categories - Application
This category provides special features. However, these data are not necessary for normal reading and writing of data. Instead they provide features such as user quota information and file system journals. These data can be more easily forged than other data.

12 Interaction Between Categories
File System Category Application Category Layout and Size Information Quota Data File Name Category Metadata Category Content Category file1.txt Times and Addresses Content Data #1 Content Data #2 file2.txt Time and Addresses Content Data #1 Carrier, Figure 8.1

13 Analysis Different categories of data require different methods for analysis. File system data typically consists of single and independent values, so analysis is conducted by looking at the values and interpreting them. For instance, if we are searching for files with ‘jpg’ extensions, we would have to focus on file name category analysis techniques.

14 Analysis – File System Category
The file system category of data includes the data that describes the layout and general information about a file system. The File system category might be analyzed to find out on which computer a file system was created, or TSK has a tool called fsstat which will read the boot sector or superblock and other data structures that are specific to the different types of file systems. The type of data in the output of fsstat is different for each file system because different types of data are available.

15 Analysis – Content Category
Typically, the content category includes equal sized data units that are allocated for files and directories. There is also a data structure that keeps track of the allocation unit of the data units that store this data. This category contains a lot of data, a 40 Mb volume contains > 80000, 512 byte sectors. The content category is analyzed to recover deleted data and conduct low-level searches. All TSK tools in this category start with the letter d.

16 Addressing Data Units A sector can have multiple addresses
Physical: Address relative to the start of the drive Logical: Address relative to the start of the volume File systems use the Logical volume address, but also group sectors into clusters or blocks and assign them addresses. Volume Address 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 File System Address 1 2 3 4 5 Carrier, Figure 8.2

17 Allocation Strategies
File systems may use several strategies to allocate data units. Data units are generally allocated contiguously. However, this is not always possible, in which case, the file is considered to be fragmented. The used allocation strategy affects the probability of recovering deleted (unallocated) content.

18 Allocation Strategies (cont.)
First available strategy: Clusters or blocks are assigned from the beginning of the file system as needed. Most likely to become fragmented. File systems using this strategy are more likely to overwrite free space containing deleted files. Next Available Strategy: Similar to the first available, but looks for subsequent clusters for a file starting from next cluster to end of file system. Best fit strategy: OS looks for contiguous clusters sufficient to store entire file. Less likely to be fragmented, but if file size changes, then fragmentation can still happen.

19 Allocation Strategies (cont.)
Last allocated First available Unallocated Allocated Next available Best fit

20 Damaged Data Units Some file systems have ability to mark clusters as damaged, so that they are not used again to store data. This was useful for older disks that did not have the capability to handle errors. Modern disks have ability to handle errors, so this capability is not needed. If this capability exists, it can be used to hide data, because consistency checking tools do not verify a data unit that is marked as damaged.

21 Content Analysis The Data Unit Viewing technique can be used when you know the address where evidence might be located. For example: In FAT 32 volumes, logical sector 3 is not allocated, so it contains all zeroes. Looking at this sector can easily tell the examiner if data is hidden there. (dcat in TSK) The Logical File System-Level Searching technique you look for contents, without knowing where it might be. Search for the word ‘password’ in each data unit

22 Content Analysis 2,048 bytes in one data unit 20,480 bytes 1 2 3 4 5 6 7 8 9 10 11 Content of data unit 10 in ASCII Data Unit Viewing: The investigator knows the address of evidence, so uses the logical file system address ... a tool calculates the byte or sector address Is the string ‘password’ in this data unit? 1 2 3 4 5 6 7 8 9 10 11 Logical File System Search: Looks in each data unit for a known value. 22

23 Content Analysis Using Bitmaps
If we want to look in unallocated space, we can use tools to extract all unallocated data units or we can restrict analysis to only the unallocated space. We can see how a bitmap data structure can tell us whether a data unit is allocated or not. 1 2 3 4 5 6 7 8 9 10 11 Data units 1 1 Bitmap: 0 unallocated 1 allocated 23

24 Content Analysis (cont.)
The Data Unit Allocation Status technique shows all the unallocated data units to find hidden or ‘deleted’ data. The dls tool in TSK shows the unallocated data units. The Consistency Check technique allows you to determine if the file system is in a suspicious state. Orphan data units (allocated data units that do not have a corresponding metadata structure) and be found in this manner. See Figure 8.7

25 Content Analysis (cont.)
Wiping Techniques Zeroes or random data are written into the data units allocated by a file or to all unused data units Secure Deletion is becoming more common for many operating systems An investigator may check to see if a wiping tool is available on a system, then determine when it was last accessed There may also be temporary copies of files that were wiped 25

26 Analysis – Metadata Category
The metadata category includes the data that describe a file. Here you will find the data unit addresses that a file has allocated, the size of the file, and temporal information. The types of data in this category vary depending on the file system type. There are four TSK tools in this category, and the names all start with i such as the istat command.

27 Metadata Analysis Analyzing metadata can
Provide corroborating information about the document data itself. Reveal information that someone tried to hide, delete, or obscure. Automatically correlate documents from different sources. Since metadata is fundamentally data, it suffers all of the data quality issues as any other form of data. Nevertheless, because metadata isn't generally visible unless you use a special tool, more skill is required to alter or otherwise manipulate it.

28 Metadata Analysis Slack space occurs when the file size is not a multiple of the data unit size It appears between the end of the file and the end of the sector in which the file ends Or it can be in sectors that contain no file content A new file may not completely overwrite all data that was previously in a memory location

29 Analysis – File Name Category
The file name category of data includes the data that associates a name with a metadata entry. Most file systems separate the name and metadata, and the name is located inside of the data units allocated to a directory. There are two TSK tools that operate at the file name layer, and their names start with f. fls will list the file names in a given directory. If we want to know which file name corresponds to a given metadata address, the ffind tool can be used.

30 File Name Analysis One of the most common investigation techniques is to list the names of the files and directories. Many file systems do not clear the file name of a deleted file, so deleted file names may be shown in a listing. Another technique is to search for file names. For example, we might know a filename’s extension, but not know its name or full path. As long as the pointer to metadata is intact, we can potentially recover data even if both the filename and metadata are unallocated.


Download ppt "File System Analysis."

Similar presentations


Ads by Google