Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.


Outline
- Review
- File Systems Overview
- Windows File System (for Forensics)
- References and Review Question

Review
- Part 1:
  - Lecture 1: Overview of Digital Forensics (Chapter 1 of textbook)
  - Lecture 2: Information Security Review
  - Lecture 3: Data Recovery, Verification, Lab Tour (Chapter 3 of textbook: constructing a forensics lab)
  - Lecture 4: Data Acquisition (Chapter 4 of textbook)
  - Lecture 5: Malicious Code Detection (e.g., the computer is the victim of the crime; applying data mining techniques)
  - Lecture 6: Digital Forensics Analysis, Part 1
  - Lecture 7: Processing crime and incident scenes
- Part 2:
  - Lecture 8: Windows File System and Forensics

Windows File System
- Overview of File Systems
- Microsoft File Structures
- NTFS Disks (New Technology File System)
  - Partitions, disks, etc.
- Other concepts (Registries, startup tasks)
- Virtual Machines

File Systems
- What is it?
  - The structure of the data that is stored
  - Linear file system, hierarchical file system, etc.
- The type of file system determines how the data is stored on disk
- The file system is part of the OS; it is a way of storing and organizing computer files and the data they contain so that they are easy to find and access
- Key aspects of a file system include
  - Boot sequence
  - Disk drives
  - File names, metadata, security access
  - Different types of file systems

File Systems - 2
- Boot sequence
  - When a suspect's computer starts, make sure it boots to a forensic floppy disk/CD and not to the hard disk
  - Booting to the hard disk may overwrite evidence
  - Make modifications to the CMOS setup
- Disk drives
  - Geometry, heads, tracks, cylinders, sectors
- Every file has a file name; metadata consists of information about a file; access control policies may be defined on a file
- Types of file systems include disk file systems, flash file systems, database file systems, network file systems, etc.

File Systems - 3
- File systems typically have directories which associate file names with files, usually by connecting the file name to an index in a file allocation table (FAT in Windows, inode in Unix)
- Directory structures may be flat, or allow hierarchies where directories may contain subdirectories
- In some file systems, file names are structured, with special syntax for filename extensions and version numbers; in others, file names are simple strings
- Metadata
  - The length of the data contained in a file may be stored as the number of blocks allocated for the file or as an exact byte count
  - The time that the file was last modified may be stored as the file's timestamp; also the file creation time and the time it was last accessed

Microsoft File Structures
- Sectors
  - Sectors are grouped to form clusters, which are the storage allocation units
  - Cluster numbers are logical addresses and sector numbers are physical addresses
- Disk Partitions
  - The hard drive is partitioned; a partition is a logical drive
- Master Boot Record (MBR)
  - Stores information about the partitions on a disk: their locations, sizes, etc.
- FAT (File Allocation Table) Disks
  - The original Microsoft file structure database
- NTFS
  - New Technology File System

NTFS Disks
- Overview of NTFS Disks
  - Newer Microsoft products are based on the New Technology File System
  - Everything written to the disk is considered a file
  - The first data set is the Partition Boot Sector
  - Next is the Master File Table (similar to the FAT)
  - Uses Unicode
- NTFS System Files
  - The first file, the MFT, has information on all the files
  - Records in the MFT are called metadata

NTFS Disks - 2
- NTFS Data Streams
  - Ways data can be appended to existing files
  - Can obscure evidence; the only way to know there is a data stream is by looking at the MFT
- NTFS Compressed Files
  - Provides compression to improve data storage
- Encryption
  - Implements a public key/private key method
  - Whole disk encryption (Chapter 4) gives extra protection for certain information such as personal identity numbers
- Performance
  - Tuning some of the global NTFS parameters can significantly increase disk performance; other techniques such as disk defragmentation can also help

NTFS Disks - 3 (Summary)
- File Storage Hardware and Disk Organization
- Hard Disk Drive Basics
  - Making Tracks
  - Sectors and Clusters
- Master Boot Record (MBR)
  - Viruses Can Infect the Master Boot Record
- Partition Table
  - Boot Indicator Field
  - System ID Field
  - Starting and Ending Head, Sector, and Cylinder Fields
  - Relative Sectors and Number of Sectors Fields
  - Logical Drives and Extended Partitions

NTFS Recovery
- Why is partition recovery needed?
  - The MBR (Master Boot Record) is damaged
  - A partition is deleted or the Partition Table is damaged
  - The Partition Boot Sector is damaged
  - System files are missing or corrupted
- Partition/Drive Recovery
  - "Physical partition recovery": the goal is to find the problem and write the correct information to the proper place on the HDD, after which the partition becomes visible to the OS again
  - "Virtual partition recovery": the goal is to determine the critical parameters of the deleted/damaged/overwritten partition so that it can then be scanned and its contents displayed
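The partition table fields listed in the summary slide (boot indicator, system ID, starting and ending head/sector/cylinder, relative sectors, number of sectors) and the "MBR is damaged" recovery case above can be made concrete with a small parser. The following is an added example, not code from the lecture or its textbook: it decodes the four 16-byte entries that follow the 446 bytes of boot code in a classic MBR, checks the 0x55AA boot signature, flags the inconsistencies an examiner would look for before trusting the table, and converts a logical cluster number into a physical sector number (the logical/physical distinction from the Microsoft File Structures slide). The sample MBR it parses is constructed in `build_sample_mbr()`; the partition sizes, type bytes and CHS values in it are made-up illustrative values. The NTFS convention that LCN 0 is the first sector of the partition is assumed in `lcn_to_sector`.

```python
"""Parse and sanity-check a classic MBR partition table (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # 446 bytes of boot code precede the four 16-byte entries
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of a valid MBR


@dataclass
class PartitionEntry:
    index: int
    boot_indicator: int       # 0x80 = active (bootable), 0x00 = inactive
    system_id: int            # partition type, e.g. 0x07 = NTFS, 0x0C = FAT32 (LBA)
    start_chs: Tuple[int, int, int]   # (cylinder, head, sector)
    end_chs: Tuple[int, int, int]
    relative_sectors: int     # LBA of the partition's first sector
    num_sectors: int          # partition length in sectors


def unpack_chs(raw: bytes) -> Tuple[int, int, int]:
    """Decode the packed 3-byte CHS field: byte 0 = head, byte 1 = sector (bits 0-5)
    plus the two high bits of the cylinder (bits 6-7), byte 2 = low 8 cylinder bits."""
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, raw[0], raw[1] & 0x3F


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Return the non-empty partition entries; raise if the sector is not a valid MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: MBR damaged or absent")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        boot, s_chs, sysid, e_chs, rel, count = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_SIZE])
        if sysid == 0 and count == 0:
            continue                      # unused slot
        entries.append(PartitionEntry(i, boot, sysid, unpack_chs(s_chs),
                                      unpack_chs(e_chs), rel, count))
    return entries


def check_table(entries: List[PartitionEntry], disk_sectors: int) -> List[str]:
    """Findings an examiner would want to see before trusting the table; [] means sane."""
    findings = []
    if sum(e.boot_indicator == 0x80 for e in entries) > 1:
        findings.append("more than one partition is marked active")
    for e in entries:
        if e.boot_indicator not in (0x00, 0x80):
            findings.append(f"entry {e.index}: invalid boot indicator 0x{e.boot_indicator:02X}")
        if e.relative_sectors + e.num_sectors > disk_sectors:
            findings.append(f"entry {e.index}: extends past the end of the disk")
        for o in entries:
            if o.index > e.index and (e.relative_sectors < o.relative_sectors + o.num_sectors
                                      and o.relative_sectors < e.relative_sectors + e.num_sectors):
                findings.append(f"entries {e.index} and {o.index} overlap")
    return findings


def lcn_to_sector(lcn: int, partition_start_lba: int, sectors_per_cluster: int) -> int:
    """Logical cluster number (NTFS convention: LCN 0 = first sector of the partition)
    -> physical sector number on the disk."""
    return partition_start_lba + lcn * sectors_per_cluster


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: an active NTFS partition at LBA 2048 followed by a FAT32 one.
    All values are illustrative, not taken from any real disk."""
    start_chs = b"\x01\x01\x00"   # head 1, sector 1, cylinder 0
    end_chs = b"\xFE\xFF\xFF"     # head 254, sector 63, cylinder 1023 (the saturated value)
    e0 = struct.pack("<B3sB3sII", 0x80, start_chs, 0x07, end_chs, 2048, 204800)
    e1 = struct.pack("<B3sB3sII", 0x00, start_chs, 0x0C, end_chs, 206848, 100000)
    return bytes(TABLE_OFFSET) + e0 + e1 + bytes(2 * ENTRY_SIZE) + BOOT_SIGNATURE


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for entry in table:
        print(entry)
    print("findings:", check_table(table, disk_sectors=500_000))
```

On a real image the same functions are applied to the first 512 bytes of the acquired disk, with `disk_sectors` taken from the image size; a missing signature or an entry that extends past the end of the disk is exactly the "MBR damaged" or "partition table damaged" condition the recovery slide describes, and the CHS fields are reported only because old tools and viruses that infect the MBR still write them.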

NTFS Recovery - 2
- NTFS File Recovery
  - Disk scan for deleted entries
    - A disk scan is a low-level enumeration of all entries in the root folders; the goal is to find and display deleted entries
  - Defining the cluster chain for the deleted entry
    - To define the cluster chain, scan the drive, going one by one through all allocated and free clusters belonging to the file until the file size equals the total size of the selected clusters; if the file is fragmented, the cluster chain will be composed of several extents
  - Cluster chain recovery
    - After the cluster chain is defined, read the contents of the defined clusters and save them to another place, verifying their contents
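The cluster chain of an NTFS file is recorded in its MFT record as a run list, so the "defining the cluster chain" and "cluster chain recovery" steps above come down to decoding that run list into extents and copying the clusters each extent names. The example below is added here and is not code from the lecture; the run-list encoding it decodes is the real NTFS format (header byte with the length-field size in the low nibble and the offset-field size in the high nibble, offsets signed and relative to the previous run, offset size 0 for a sparse run, 0x00 terminating the list), but the disk image, the run list and the 512-byte cluster size are constructed for the demonstration (real NTFS volumes usually use 4096-byte clusters). It also handles the fragmented case (several extents) and a sparse tail, which must be filled with zeros rather than read from the disk.

```python
"""Decode an NTFS data-run list into extents and rebuild a file from them (added example)."""
from typing import List, Optional, Tuple

Extent = Tuple[Optional[int], int]   # (starting LCN, or None for a sparse run; cluster count)


def parse_runlist(runs: bytes) -> List[Extent]:
    """Walk the run list of a non-resident attribute and return its extents in VCN order."""
    extents: List[Extent] = []
    pos = 0
    lcn = 0                                   # offsets are relative to the previous run's LCN
    while pos < len(runs):
        header = runs[pos]
        if header == 0:                       # 0x00 terminates the list
            break
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError(f"malformed run header at byte {pos - 1}")
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                     # sparse run: no clusters on disk
            extents.append((None, length))
            continue
        delta = int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta                          # negative deltas point backwards on the volume
        if lcn < 0:
            raise ValueError("run list points before the start of the volume")
        extents.append((lcn, length))
    return extents


def recover_file(image: bytes, extents: List[Extent], cluster_size: int, file_size: int) -> bytes:
    """Concatenate the clusters of each extent, zero-fill sparse runs, and truncate to the
    real file size (the allocated size is rounded up to whole clusters)."""
    out = bytearray()
    for lcn, count in extents:
        if lcn is None:
            out += bytes(count * cluster_size)
            continue
        start, end = lcn * cluster_size, (lcn + count) * cluster_size
        if end > len(image):
            raise ValueError(f"extent at LCN {lcn} runs past the end of the image")
        out += image[start:end]
    if len(out) < file_size:
        raise ValueError("run list covers fewer bytes than the recorded file size")
    return bytes(out[:file_size])


# Constructed sample data: an 8-cluster volume with 512-byte clusters. Clusters 2-4 and 6-7
# hold a fragmented file ("A".."E"); "." marks clusters the file does not own.
CLUSTER_SIZE = 512
SAMPLE_FILE_SIZE = 2900        # real size; the allocated size is 6 clusters = 3072 bytes


def build_sample_image() -> bytes:
    fill = {2: b"A", 3: b"B", 4: b"C", 6: b"D", 7: b"E"}
    return b"".join(fill.get(i, b".") * CLUSTER_SIZE for i in range(8))


SAMPLE_RUNLIST = bytes([
    0x11, 0x03, 0x02,   # 3 clusters starting at LCN 0 + 2 = 2
    0x11, 0x02, 0x04,   # 2 clusters starting at LCN 2 + 4 = 6 (second extent: fragmented)
    0x01, 0x01,         # 1 sparse cluster (offset size 0)
    0x00,               # end of list
])


if __name__ == "__main__":
    chain = parse_runlist(SAMPLE_RUNLIST)
    print("extents:", chain)
    data = recover_file(build_sample_image(), chain, CLUSTER_SIZE, SAMPLE_FILE_SIZE)
    print(len(data), "bytes recovered; tail is zero-filled:", data[-340:] == bytes(340))
```

The "verifying their contents" step from the slide is where a hash of the recovered bytes, or a check that the first bytes match the expected file signature, would be recorded alongside the extents so the recovery can be repeated and audited.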

Other Concepts
- Registry
  - The registry is a database that stores initialization data such as hardware/software configuration, network connections, user preferences and setup information
  - A set of tools (e.g., the Registry editor) is available to view and modify the data
- Start-up tasks
  - The forensics examiner must have a very good understanding of what happens to the data during start-up
  - E.g., what the process is, what files are involved, etc.

Virtual Machines
- An examiner may need a lot more space than he has on the machine he is using; the concept of a virtual machine is used to overcome this limitation
- A virtual machine addresses the need for a variety of resources by creating a representation of another computer on an existing physical computer
- A few files from the other computer are on the examiner's machine, and space has to be allocated for this
- Also useful when one upgrades a computer but still has some old applications; a virtual machine of the old OS is then created

References and Review
- Chapter 6 of Textbook
- Select a file system of your choice and explain the key concepts that are relevant to a forensics examiner