
Computer Forensics: Basics Media Analysis. Agenda Common Data Hiding Techniques Windows Registry Writing files Deleting and Reformatting Recycle Bin.


1 Computer Forensics: Basics Media Analysis

2 Agenda
Common Data Hiding Techniques
Windows Registry
Writing files
Deleting and Reformatting
Recycle Bin

3 Learning Objectives
At the end of this module you will be able to:
– Describe the forensic mind set
– Discuss organizing the investigation
– Describe various data hiding techniques
– Hide data using NTFS ADS

4 Data Hiding Review Look out David Copperfield!

5 Common Techniques
Rename files/directories
Delete files/directories
Copy files/directories
Print files
Format a disk

6 Rename Files
Rename files and/or file extensions
Example: Rename extortion_letter.doc to fuzzy_bunny.jpg
People looking for incriminating evidence probably won’t check a picture file called fuzzy_bunny.jpg

7 Copying Files
Scenario #1: Copying a file to a floppy disk or hard disk. If you run out of space, the pointer to the file is removed, but the data that was copied to the sectors is left in place.
Scenario #2: Computer crashes while copying a file. Again, the file contents copied to the unallocated sectors will exist, but the pointer to the data will not have been created.

8 Printing a File
When printing a file, it is spooled to the hard disk before it is printed.
Spooling involves copying the file to a temporary location, printing it, then deleting it.
After the temporary file is deleted, the data still exists on disk.

9 Formatting a Disk
When a disk is quick formatted, the file table on the disk is cleared, but the data on the disk is left in place.
Again, this is similar to deleting all the files on a disk.

10 Hiding Folders (Win)
Create files or directories with non-printable characters
Example: At a DOS prompt, type the character Alt-255 using the numeric keypad. This will insert a “blank space” character, but it is not an actual space.
If you show a directory listing, you can see the file/directory exists, but you might not know exactly how many “non-printing” characters exist, or their location within the file name.
You can still access the directory via Windows Explorer and similar graphical tools.

11 Attributes
In Windows, set the “hidden” attribute on a file or directory.
Files can still be viewed if the “Show hidden files and folders” option is checked in Windows Explorer.
Other tools may or may not display hidden files.

12 Folders
In Unix, rename a file or directory so that its name starts with a “.”
Example: mv important.doc .important.doc
Can still be viewed by listing all files: ls -a
Other methods??? – “.”, “…”, “. ”, “..”, etc.
– Rootkits love making these kinds of hidden folders

13 FS UNIX
In Unix it is possible to hide files and directories “under” a filesystem
Example:
– mkdir /temp
– Create files/directories in /temp
– Mount a filesystem at /temp
The files are not visible, and cannot be read/written
The files are accessible again after the filesystem has been unmounted
This might be detectable, but not always. Example: / is 10 GB, space used is 2 GB, but only 4 GB are free. This could indicate the presence of files hidden under a filesystem.

14 Swap Space
Swap space (also called a page file) is used to increase the amount of memory available to the system
The total memory available (real RAM and the swap space) is called virtual memory.
Information is constantly being written to memory, and therefore to the hard disk.
Information can then be extracted from this file

15 Core Dumps
Core dumps are created on Unix systems when a process or program generates a fault
The core dump will contain all the data from CPU registers and memory at the time of the fault
Information can then be extracted from the core dump

16 Slack Space
When files are deleted, both the deleted data and the data in slack space still exist
When a file is wiped from the system (permanently removed), any data in the slack space still exists
The data in the slack space will only be removed when it is overwritten, or it is explicitly removed

17 Cluster 2 (diagram: file slack space within cluster 2)
What are the two types of slack?
RAM Slack: the area from the end of the file to the end of that sector. Comes from RAM.

18 Cluster 2 (diagram: RAM slack followed by residual slack within cluster 2)
Residual Slack: residual data slack is the area from the end of RAM slack to the end of the cluster – whatever was on the media before.

19 Alternate Data Streams “Proof of a parallel Universe!”

20 Alternate Data Streams
Microsoft introduced the Alternate Data Stream (ADS) into NTFS in the early 1990’s
Created so Microsoft Windows NT could be a file server for Macintosh files
Mac’s Hierarchical File System (HFS) uses alternate streams called Resource Forks to store additional file information, such as icons

21 ADS
Unlike FAT (and other filesystems) which only have one data stream, NTFS allows the creation of multiple data streams (see Fig. 1)
ADSs in NTFS can be used to store summary information about files (see Fig. 2)
This information is not transportable to other filesystem types (e.g. FAT, ext2)

22 ADS (Figure 1 and Figure 2: diagrams not reproduced in the transcript)

23 ADS
Most file system utilities (such as Windows Explorer) will only report on the default data stream
The reported file size will remain the same, regardless of the number of ADSs attached to a file

24 ADS
Microsoft does not provide any tools to detect ADSs
LADS, created by Frank Heyne, is a command-line tool that will search an NTFS filesystem for ADSs
LADS is available from http://www.heysoft.de

25 ADS (cont’d)
Creating an ADS:
    echo text in default stream > myfile.txt
    echo extra text in ADS > myfile.txt:hidden.txt

26 ADS
    C:\temp>echo some text > myfile.txt
    C:\temp>dir myfile.txt
     Volume in drive C has no label.
     Volume Serial Number is 40AB-8351
     Directory of C:\temp
    2003-03-04  03:11p                 12 myfile.txt
                   1 File(s)             12 bytes
                   0 Dir(s)   3,227,021,312 bytes free
    C:\temp>type bigfile.tgz > myfile.txt:hidden
    C:\temp>dir myfile.txt
     Volume in drive C has no label.
     Volume Serial Number is 40AB-8351
     Directory of C:\temp
    2003-03-04  03:12p                 12 myfile.txt
                   1 File(s)             12 bytes
                   0 Dir(s)   3,183,009,792 bytes free
    C:\temp>

27 ADS
    C:\temp>lads
    LADS - Freeware version 3.10
    (C) Copyright 1998-2002 Frank Heyne Software (http://www.heysoft.de)
    This program lists files with alternate data streams (ADS)
    Use LADS on your own risk!

    Scanning directory C:\temp\
          size  ADS in file
    ----------  ---------------------------------
      44010926  C:\temp\myfile.txt:hidden

    44010926 bytes in 1 ADS listed
    C:\temp>

28 ADS
Running a hidden command in ADS (try this on an NTFS file system):
    C:\>echo some text > c:\temp\file.txt
    C:\>type c:\winnt\system32\calc.exe > c:\temp\file.txt:hidden.exe
    C:\>type c:\temp\file.txt
    C:\>start /b c:\temp\file.txt:hidden.exe
This will start the Windows calculator program from a 12 byte file!

29 Steganography
The hiding of information within a more obvious kind of communication
Quite often the “obvious communication” is a picture
The data is hidden in such a way as to minimally impact the original image

30 Summary
There are various areas that can be used to conceal data.
Start simple, then work to the more complex.
Understanding common hiding techniques and where artifacts can be found is crucial.

31 Delete, Reformat & Recycle Bin

32 Outline
Deleting & Reformatting
– FAT Drives
– NTFS Drives
Recycle Bin (NTFS)

33 Learning Objectives
At the end of this module you will be able to:
– Describe the changes that take place on a FAT drive when a file is deleted
– Describe the changes that take place on a FAT drive when the drive is reformatted
– Describe the changes that take place on an NTFS drive when a file is deleted
– Explain the changes that take place when a file is moved to the recycle bin
– Recover deleted files and files placed in the recycle bin

34 What areas change when a FILE is written? (diagram: MBR, Reserved Area, BR, FAT1, FAT2, Root directory, data area C containing FILE)
Writing a file

35 What areas change when a FILE is written?
Directory entry is created:
  Filename FILE, Start Cluster 2, Size 1024 (followed by an Unused Directory Entry)

36 What areas change when a FILE is written?
FATs are updated:
  Cluster 2 = E (end of chain); clusters 3–13 = 0

37 What areas change when a FILE is written?
FILE contents written to data area

38 What areas change when a FILE is deleted? (same diagram: MBR, Reserved Area, BR, FAT1, FAT2, Root directory, data area C containing FILE)
Deleting a file

39 First character of the directory entry is changed to the deleted-entry marker (0xE5):
  the entry now reads ?ILE, Start Cluster 2, Size 1024

40 FAT entries are zeroed:
  Cluster 2 = 0; clusters 3–13 = 0

41 Data area is not changed!

42 What areas change when a partition is reformatted? (same diagram: MBR, Reserved Area, BR, FAT1, FAT2, Root directory, data area C containing FILE)
Reformatting

43 Three areas change when a partition is reformatted
Root directory entries are cleared (the entry becomes an Unused Directory Entry)

44 FAT entries are zeroed:
  Clusters 2–13 = 0

45 Boot Record is written

46 Data area is not changed
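A small Python model of the FAT behaviour in slides 34–46 and of the residual slack in slides 16–18, added here as an illustration (not part of the original slides): writing a file creates a directory entry, sets the FAT chain and writes the data area; deleting only flips the first name byte to 0xE5 and zeroes the FAT chain; a quick format clears the root directory and the FATs. The cluster size, the volume size and the 0xAA "old media contents" are assumptions of this toy model, and recovery assumes the deleted file's clusters were contiguous.

```python
CLUSTER = 512                   # bytes per cluster (assumed for this toy volume)
NCLUST = 16                     # clusters 0 and 1 are reserved; data starts at 2
EOF, FREE, DELETED = 0xFFF, 0x000, chr(0xE5)   # FAT12 end-of-chain, free, 0xE5 marker


class FatVolume:                # root directory + two FAT copies + data area (constructed)
    def __init__(self):
        self.fat1 = [FREE] * NCLUST
        self.fat2 = list(self.fat1)                     # FAT2 mirrors FAT1
        self.root = {}                                  # name -> (start cluster, size)
        self.data = bytearray(b"\xAA" * CLUSTER * NCLUST)   # residue already on the media

    def _chain(self, start):                            # follow the FAT chain from start
        c, chain = start, [start]
        while self.fat1[c] not in (EOF, FREE):
            c = self.fat1[c]
            chain.append(c)
        return chain

    def write_file(self, name, content):
        n = max(1, -(-len(content) // CLUSTER))         # clusters needed (ceil division)
        free = [c for c in range(2, NCLUST) if self.fat1[c] == FREE][:n]
        if len(free) < n:
            raise OSError("disk full")
        for i, c in enumerate(free):                    # FATs updated, contents written
            self.fat1[c] = free[i + 1] if i + 1 < n else EOF
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk   # slack left as is
        self.fat2 = list(self.fat1)
        self.root[name] = (free[0], len(content))       # directory entry created

    def residual_slack(self, name):                     # bytes after EOF in the last cluster
        start, size = self.root[name]
        chain = self._chain(start)
        used = size - (len(chain) - 1) * CLUSTER
        return bytes(self.data[chain[-1] * CLUSTER + used:(chain[-1] + 1) * CLUSTER])

    def delete_file(self, name):
        start, size = self.root.pop(name)
        self.root[DELETED + name[1:]] = (start, size)   # first character -> 0xE5
        for c in self._chain(start):                    # FAT entries zeroed
            self.fat1[c] = FREE
        self.fat2 = list(self.fat1)                     # data area is not changed

    def quick_format(self):
        self.root.clear()                               # root directory entries cleared
        self.fat1, self.fat2 = [FREE] * NCLUST, [FREE] * NCLUST   # FATs zeroed, data untouched

    def recover_deleted(self):                          # carve 0xE5 entries, assuming contiguous clusters
        return {"?" + n[1:]: bytes(self.data[s * CLUSTER:s * CLUSTER + z])
                for n, (s, z) in self.root.items() if n[0] == DELETED}
```

After quick_format() no directory entry survives, but the file bytes are still found by searching the data area, which is exactly why a formatted disk still yields evidence.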

47 NTFS NTFS is different! Reiser and some others will cause different problems in the future.

48 Storing Files in NTFS
$LogFile metadata file is updated
– Transaction steps are logged
– Used to “roll back” if necessary

49 Deleted File
Parent directory
– Index entry removed
– $BITMAP attribute updated*
MFT file record marked available
– MFT $BITMAP attribute updated
$Bitmap metadata file updated
– If non-resident clusters

50 Deleted File: Index entry removed
(diagram of MFT entries 213–221: Directory Record MYFILES [214] with index entries for README.TXT, SYSTEM.DLL and MYFILE.HLP; File Records for MYFILE.HLP, SYSTEM.DLL and README.TXT; Directory Record Recycler [218] with an index entry and Directory Record for S-1-5-21-3xxxxxx; File Record $BITMAP at entry 6. The index entry for MYFILE.HLP is removed from the parent directory.)

51 Deleted File: MFT record marked available
(same diagram: the File Record for MYFILE.HLP at 216 is marked available)

52 $MFT attribute updated
(diagram of the $MFT file record: File Record Header, $STANDARD_INFORMATION, $DATA, $BITMAP; the $BITMAP bits shown are 11111111 11111111 00000000 11100111 00000001 00000000 00000000 00000000 00000000)

53 File Deleted: $Bitmap updated
(same diagram: the $Bitmap metadata file at entry 6 is updated)

54 Directory Deleted/Recycled
Recycled: Same as a file, but NOTHING happens to the contents
Deleted: Same as a file, except all contents are deleted as well

55 Recovering Deleted Files
Software Tools
– GetDataback (Runtime)
– R-Studio
– CIA Unerase
– Etc.

56 Review
What happens to deleted FAT files?
What about formatting?
What happens to deleted NTFS files?
Recovering deleted files

57 Deleted vs “Recycled”
Deleted or “Recycled”
– Sent to Recycle Bin
– Deleted from the Recycle Bin
– Deleted bypassing the Recycle Bin

58 Win2K/XP Recycle Bin
“Recycled” folder for FAT:
– INFO2
– Placeholder(s)
– Desktop.ini
– See notes for NT4 differences in Recycle Bin structure

59 Win2K/XP Recycle Bin
“Recycler” folder for NTFS
– SID-named subdirectory contains:
  Placeholder(s)
  INFO2
  Desktop.ini
– See notes for NT4 differences in Recycle Bin structure

60 NTFS Recycle Bin (screenshot not reproduced in the transcript)

61 Placeholder(s)
Entry for each deleted item:
– Hidden from view in GUI environment
– Date & time unchanged from original file
If a subdirectory is deleted, only one placeholder is made

62 Placeholder(s)
Examples: DC1.TXT, DC2.JPG, DC3.BMP

63 INFO2 file
An 800 byte entry is made for each recycled object:
– Recycled date
– Original path and filename
– Placeholder drive letter and #

64 INFO2 file
Counter, drive letter, and recycled date and time (GMT) are stored at offsets 260–275 of an INFO2 entry

65 INFO2 File
Recycled date and time issue
– The date and time are stored in GMT in hexadecimal format
– Recycle Bin tools (IEHistory, Datalifter) will convert the time for you!
– Something wrong here? Hint! HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
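An INFO2 parser for the 800-byte entries of slides 63–65, added here as an example (it is not code from the slides or from the tools they name). It assumes the Win2K/XP record layout (ANSI path at 0–259, counter at 260, drive number at 264, FILETIME at 268, size at 276, UTF-16 path at 280), a 20-byte file header, and the registry convention that UTC = local time + Bias minutes; the sample INFO2 bytes are constructed, not from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 800                                  # Win2K/XP INFO2 record size
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """FILETIME is a count of 100-ns intervals since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_record(rec):
    """One 800-byte record. Layout assumed (Win2K/XP): 0-259 ANSI original path,
    260-263 counter, 264-267 drive number, 268-275 FILETIME, 276-279 size,
    280-799 UTF-16LE original path."""
    if len(rec) != RECORD_SIZE:
        raise ValueError("bad INFO2 record length")
    ansi_path = rec[:260].split(b"\0", 1)[0].decode("latin-1")
    counter, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
    path = rec[280:].decode("utf-16-le").split("\0", 1)[0] or ansi_path
    letter = chr(ord("A") + drive)                  # 0 = A:, 2 = C:
    name = path.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    return {"path": path, "counter": counter, "drive": letter, "size": size,
            "recycled_utc": filetime_to_utc(ft),
            "placeholder": f"D{letter}{counter}{ext}"}   # e.g. DC1.TXT


def parse_info2(data, header_size=20):
    """Records follow a file header (20 bytes on Win2K/XP: an assumption here)."""
    return [parse_record(data[o:o + RECORD_SIZE])
            for o in range(header_size, len(data) - RECORD_SIZE + 1, RECORD_SIZE)]


def local_time(dt_utc, bias_minutes):
    """Apply the TimeZoneInformation Bias (minutes): UTC = local + Bias."""
    return (dt_utc - timedelta(minutes=bias_minutes)).replace(tzinfo=None)


def build_record(path, counter, drive, filetime, size):
    """Build a constructed record for the demo (not taken from a real INFO2)."""
    return (path.encode("latin-1").ljust(260, b"\0")
            + struct.pack("<IIQI", counter, drive, filetime, size)
            + path.encode("utf-16-le").ljust(520, b"\0"))


# Constructed sample: 20 zero header bytes plus one record recycled from C:
# on 2003-03-04 15:11:00 UTC (FILETIME 126912642600000000).
SAMPLE_PATH = r"C:\Documents and Settings\user\My Documents\letter.doc"
SAMPLE_INFO2 = b"\0" * 20 + build_record(SAMPLE_PATH, 1, 2, 126912642600000000, 4096)
```

The stored time is GMT, so the examiner must apply the Bias from the suspect machine's TimeZoneInformation key (300 minutes for US Eastern standard time) rather than the examination workstation's zone.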

66 Desktop.ini
Created when the Recycle Bin is created
Only modified if the Recycle Bin is EMPTIED
– All date / time information is updated when the bin is emptied

67 Recovering From Recycle Bin
Copy placeholders to a separate drive
Copy the INFO2 file; use a utility to parse out the date / time data
– Datalifter
– IE History

68 Summary
Deleting and formatting on a hard drive does not touch the data area.
Often evidence can be found in deleted files and the Recycle Bin.
System clocks and default timezone settings are very important.

