Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX."— Presentation transcript:

1 Digital Forensics Module 11 CS 996

2 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX file systems (Kulesh) ProDiscover workshop (remaining time)

3 4/26/2004Module 113 Reminder InfraGard Chapter meeting on Counterintelligence Bear Stearns, 383 Madison Avenue 9-4, April 28 RSVP: www.nym-infragard.uswww.nym-infragard.us

4 4/26/2004Module 114 Hard Drive Data Hiding Places Low Level Format Redundant sectors Bad sectors Partition Interpartition gaps Unallocated space “Hidden” partitions Boot records and partition tables Deleted partitions

5 4/26/2004Module 115 Physical Disk Geometry (CHS) One head for each surface (H) All tracks at r = d n form “cylinder” (C) Each sector has 512 bytes of user data (S) One disk surface devoted to positioning and synchronization Not all parts of the disk are addressable by the OS Disk capacity = C x H x S x 512 bytes

6 4/26/2004Module 116 Lifecycle of Disk Drive Blank media Low level format Performed at the factory Partition High level file system format Operating system install System operations

7 4/26/2004Module 117 Low Level Format Low level formatting creates sectors Each sector holds 512 bytes + overhead bytes Overhead provides error correction and timing recovery Bad sectors remapped to redundant sectors by the HDD controller.

8 4/26/2004Module 118 Low Level Format SECTOR OVERHEAD 512 BYTES REDUNDANT SECTOR

9 4/26/2004Module 119 Partitioning INTER-PARTITION GAP PARTITION #2 PARTITION #1 VOLUME BOOT RECORD MASTER BOOT RECORD VOLUME BOOT RECORD

10 4/26/2004Module 1110 Partitioning Drive Master Boot Record = Master Boot Code + Master Partition Table (MPT) Always at sector #1 Volume Boot Record = Volume Boot Code + Disk Parameter Block Each partition

11 4/26/2004Module 1111 FAT File System Four parts Volume boot record File allocation tables Root directory User data area Types FAT 12, 16, 32 bits; cluster address size FAT1 and FAT2; first and second copy of FAT Floppy: FAT12

12 4/26/2004Module 1112 FAT12/16 Structure DOS BOOT SECTOR FAT #1 FAT #2 ROOT DIRECTORY USER DATA AREA

13 4/26/2004Module 1113 FAT32 Structure DOS BOOT RECORD (3) RESERVED SECTORS COPY OF DOS BOOT RECORD RESERVED SECTORS 32 SECTORS FAT #1FAT #2 USER DATA

14 4/26/2004Module 1114 File Allocation Table TEST217 DIRECTORY ENTRY 0 217 339 618 339 EOF

15 4/26/2004Module 1115 WinHex: Forensic Hex Editor www.x-ways.net Disk cloning DOS version Windows version (use write blocker) Disk editor API for scripting tasks

16 4/26/2004Module 1116

17 4/26/2004Module 1117

18 4/26/2004Module 1118 Navigating to FAT12 Directory Start at boot sector #1 Add 2 x 9 sectors Directory at sector #20 Offset is: 19 x 512 = 9728 bytes = 2600H

19 4/26/2004Module 1119

20 4/26/2004Module 1120 Navigating to FAT32 Allocation Table Start at boot sector Go to sector #33, offset of 32 x 512 bytes 32 x 512 = 16384 = 4000H

21 4/26/2004Module 1121

22 4/26/2004Module 1122 WinHex NTFS Partition Analysis

23 4/26/2004Module 1123 ProDiscover Forensic Software www.techpathways.com Disk imaging: meets NIST Specification 3.1.6 Works with FAT, NTFS, Sun Solaris UFS Displays Windows ADS! File signature analysis Search capability Recover deleted files and slack space Reasonable price!

24 4/26/2004Module 1124

25 4/26/2004Module 1125 Capture Evidence Files

26 4/26/2004Module 1126 Image Evidence: Windows Laptop PRODISCOVER USB TO IDE ADAPTER EVIDENCE DRIVE IDE CABLE

27 4/26/2004Module 1127 KeyWord Search

28 4/26/2004Module 1128 Reporting (View=>Report)

29 4/26/2004Module 1129 References for Module #11 Bill Nelson, Guide to Computer Investigations, 2004. Warren Kruse, Computer Forensics, 2002. Kevin Mandia, Incident Response, 2003. EnCase Legal Journal (course web site) www.cs.nmt.edu (cs491_02) www.cs.nmt.edu NTFS:

Download ppt "Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX."

Similar presentations

Hard Disks Low-level format- organizes both sides of each platter into tracks and sectors to define where items will be stored on the disk. Partitioning:

Hard Disks Low-level format- organizes both sides of each platter into tracks and sectors to define where items will be stored on the disk. Partitioning:
Chapter 12: File System Implementation

Chapter 12: File System Implementation
Chapter 4 : File Systems What is a file system?

Chapter 4 : File Systems What is a file system?
BSD Partitions COEN 152/252 Computer Forensics. BSD Partitions Some BSD systems use IA32 hardware  Designed to co-exists with MS partitions.  Use DOS.

BSD Partitions COEN 152/252 Computer Forensics. BSD Partitions Some BSD systems use IA32 hardware  Designed to co-exists with MS partitions.  Use DOS.
Computer System Basics 2 Hard Drive Storage & File Partitions Computer Forensics BACS 371.

Computer System Basics 2 Hard Drive Storage & File Partitions Computer Forensics BACS 371.
SEMINAR ON FILE SLACK AND DISK SLACK

SEMINAR ON FILE SLACK AND DISK SLACK
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)

FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Managing Your Hard Disk and Operating System 23,26 March 2004 2:30pm - 4:00pm.

Managing Your Hard Disk and Operating System 23,26 March :30pm - 4:00pm.
COS/PSA 413 Day 3. Guide to Computer Forensics and Investigations, 2e2 Agenda Questions? Assignment 1 due Lab Write-ups (project 2-1 and 2-2) due next.

COS/PSA 413 Day 3. Guide to Computer Forensics and Investigations, 2e2 Agenda Questions? Assignment 1 due Lab Write-ups (project 2-1 and 2-2) due next.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Connecting with Computer Science, 2e

Connecting with Computer Science, 2e
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
Guide to Computer Forensics and Investigations Fourth Edition Chapter 8 Macintosh and Linux Boot Processes and File Systems.

Guide to Computer Forensics and Investigations Fourth Edition Chapter 8 Macintosh and Linux Boot Processes and File Systems.
1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010.

1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010.
Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.

Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Implementing Hard Drives Chapter 10

Implementing Hard Drives Chapter 10

Similar presentations

Ads by Google