
1 Computer Forensics SEED 2008

2 Overview
Computer Forensics reconstructs events from digital traces on a device such as:
- Computer
- Router
- Switch
- Cell-phone, SIM-card
- GPS system (car accident investigation)
- SCADA

3 Overview
Goal of Forensics: reconstruction based on digital traces.
Criminal: apprehension and conviction of offenders.
- Computer is instrument of crime: auction fraud, check fraud, …
- Computer is target of crime: intrusion, …
- Computer contains evidence: emails, printings
Commercial: IP protection, Internet abuse, security breaches, …
Prevention

4 Activity: Recover deleted data from a USB drive. USB drives are similar to hard drives, where most evidence would be found. USB drives are smaller and can be searched with direct methods.

5 Hard Drive Partitioning. The boot process starts in ROM. Eventually, it loads the master boot record from the booting device. The Master Boot Record is located at a well-known location.

6 Hard Drive Partitioning (Windows Only). The MBR is always located in the first sector of the booting device: Cylinder 0, Head 0, Sector 1.

7 MBR Structure. The first part is the bootstrap program. It is loaded into memory, then relocates itself in order to make room for another copy. Starting at offset 0x1be: the partition table, with 16B entries. The last two bytes of the sector are 0x55 and 0xaa.

8

9 Partition Table Entry
Byte 0: active (0x80) or inactive (0x00)
Bytes 1-3: Start of Partition
Byte 4: Partition Type
Bytes 5-7: End of Partition
Bytes 8-12: LBA address of start sector relative to start of disk, in little endian
Bytes 13-16: Number of sectors in the partition

10 Partition Table Example
00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
Byte 0: 00 = inactive (not bootable). Only one partition on a Windows system should be bootable.

11 Partition Table Example
00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
Bytes 1-3: split up as | h7-h0 | c9 c8 s5-s0 | c7-c0 |
In binary, we have
0000 0001  0000 0001  0000 0000
h7h6h5h4 h3h2h1h0  c9c8s5s4 s3s2s1s0  c7c6c5c4 c3c2c1c0
So: H = 1, C = 0, S = 0x1 = 1.

12 Partition Table Example
00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
Byte 4: Partition Type 0xDE. Look this one up in a table: it is Dell PowerEdge Server utilities (FAT fs).
Type  Meaning
0x01  12b FAT Partition
0x04  16b FAT Partition
0x05  Extended Partition
0x06  BIGDOS FAT
0x07  NTFS

13 Partition Table Example
00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
Bytes 5-7: End of Partition, split up as | h7-h0 | c9 c8 s5-s0 | c7-c0 |
1111 1110  0011 1111  0000 0100
So: h = 0xFE, c = 0x04, s = 0x3f

14 Partition Table Example
00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
Bytes 8-12: LBA. 3F 00 00 00 in Little Endian, that is 00 00 00 3F, is the real start LBA. Go to Sector 63 and find indeed the FAT boot sector.

15 Partition Table Example
00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00
Bytes 13-16: Number of Sectors in the partition (in Little Endian). Value is 0x 86 39 01 00. Translate into true value: 0x 00 01 39 86 = 80,262 sectors.

16 Partition Table Example We have a Dell partition of size 40MB. This partition is invisible to Windows and could be used to hide data. Dell uses this area to help with recovery from OS disasters.

17 Master Boot Record By creating a partition and then editing the MBR I can create hidden partitions. The data on these hidden partitions is not visible from Windows.
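The partition table walk from slides 9 to 16, as an added example that is not part of the lecture: a constructed 512-byte MBR carries the example entry, the parser decodes every field, and a cross-check confirms that the CHS and LBA fields describe the same sectors, which is a cheap way to spot a table that was edited by hand rather than written by a partitioning tool. The 255 heads / 63 sectors-per-track geometry used for the cross-check is an assumption.

```python
import struct

# Constructed 512-byte MBR (not a real disk image): zeroed bootstrap code, the
# lecture's example entry in slot 0 of the partition table at offset 0x1BE,
# three empty entries and the 0x55 0xAA signature in the last two bytes.
EXAMPLE_ENTRY = bytes.fromhex("00 01 01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00")
SAMPLE_MBR = bytes(0x1BE) + EXAMPLE_ENTRY + bytes(16 * 3) + b"\x55\xaa"

SECTOR = 512
HEADS, SPT = 255, 63   # assumed legacy BIOS geometry used for the CHS cross-check


def decode_chs(b):
    """Unpack the 3-byte CHS field laid out as | h7-h0 | c9 c8 s5-s0 | c7-c0 |."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector


def chs_to_lba(c, h, s):
    return (c * HEADS + h) * SPT + (s - 1)


def parse_entry(e):
    """Decode one 16-byte partition table entry."""
    lba_start, count = struct.unpack_from("<II", e, 8)   # both little endian
    return {"active": e[0] == 0x80,
            "start_chs": decode_chs(e[1:4]),
            "type": e[4],
            "end_chs": decode_chs(e[5:8]),
            "lba_start": lba_start,
            "sectors": count,
            "size_mb": count * SECTOR / 2**20}


def parse_mbr(mbr):
    """Return the non-empty partition entries, refusing sectors without a signature."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 55 AA signature")
    slots = [mbr[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)] for i in range(4)]
    return [parse_entry(s) for s in slots if s[4] != 0x00]


def chs_consistent(p):
    """True when the CHS fields agree with the LBA fields; a mismatch hints that
    the table was edited by hand rather than written by a partitioning tool."""
    start_ok = chs_to_lba(*p["start_chs"]) == p["lba_start"]
    end_ok = chs_to_lba(*p["end_chs"]) == p["lba_start"] + p["sectors"] - 1
    return start_ok and end_ok
```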

18 Master Boot Record. The partitions do not have to fill up the disk completely; there can be unused sectors (which could contain hidden data).

19 Extended Partitions Overcome the four partition limit.

20 Extended Partitions Marked by a partition code of 0x05 or 0x0f. First sector of an extended partition contains a partition table with up to two entries. Extended partition is a container for secondary extended partition.

21 Extended Partitions First sector contains partition table, structured like MBR Entries are 16B with the same structure First entry is for primary extended partition. Optional second entry is for secondary, extended partition.

22 Extended Partitions Primary extended partition contains the secondary extended partition.

23 Extended Partitions

24 Unassigned sectors. Many sectors on a disk are not assigned to a partition. They cannot be seen from the OS, which makes them a good hiding place for a virus.

25 64b Future Itanium uses 64b. Completely different structure.

26 FAT. “File Allocation Table” gives the name. Three different varieties, FAT12, FAT16 and FAT32, in order to accommodate growing disk capacity. Tightly packed data structure.

27 FAT Boot Sector Occupies the first sector in the partition or on the floppy.

28 FAT Boot Sector
- Jump instruction (EB 34 90)
- OEM Manufacturer name
- BIOS Parameter Block (BPB)
- Extended BPB
- Bootstrap code
- End of Sector Marker (in reality a signature)

29 BPB Learn how to read it. Field Definition in Lecture Notes http://www.ntfs.com/fat-partition-sector.htm

30 BPB There are utilities that translate the data

31 BPB The data allows us to draw a picture of the partition:

32 FAT File System
File Allocation Table (FAT): resides at the beginning of the volume; two copies of the table.
Three variants: FAT12, FAT16, FAT32.
Allocation in clusters. Number of clusters is a power of two < 2^16.

33 FAT File System Root directory Maintains file names, location, characteristics, … File Allocation Table (FAT) Allows files longer than a single cluster

34 FAT Principle. The root directory gives the first cluster; the FAT gives the subsequent ones in a simple table. FFFF marks the end of file.

35 Cluster Size Large clusters waste disk space because only a single file can live in a cluster. Small clusters make it hard to allocate clusters to files contiguously and lead to large FAT.

36 FAT Table. To save space, limit the size of an entry. That limits the total number of clusters.
FAT 12: 12 bit FAT entries
FAT 16: 16 bit FAT entries
FAT 32: 32 bit FAT entries

37 FAT Table Entry
FAT 12   FAT 16      Meaning
000      0000        available
001      0001        not used
FF0      FFF0-FFF6   reserved
FF8-FFF  FFF7        bad cluster
0xhhh    0xhhhh      next cluster used by file

38 Root Directory A fixed length file (in FAT16, FAT32) Entries are 32B long. Subdirectories are files of same format.

39 Root Directory Entries
Offset  Length  Meaning
0x00    8B      File Name
0x08    3B      Extension
0x0b    1B      File Attribute
0x0c    10B     Reserved (create time, date, access date in FAT 32)
0x16    2B      Time of last change
0x18    2B      Date of last change
0x1a    2B      First cluster
0x1c    4B      File size

40 Root Directory Example. This is a deleted file: ?wrd0700.tmp. Size is 00 08 94 00. First cluster is 00 4E. Multiply with the cluster size to find the sector.

41 Root Directory Entries. File Name: the first character means
0x00: entry never used, end of directory
0xe5: file deleted
0x2e: directory

42 Root Directory Entries File Attribute

43 Root Directory Entries Hidden file: not displayed. System file: special treatment for deletion. Volume: Name of the volume if this bit is set. Rest of the name is in the reserved portion. Subdirectory: File is not a file but a directory (looks like the root directory).

44 Root Directory Entries Time and Date of Access

45 FAT Deleted files / directories with entries intact can be easily reconstructed. If entry is overwritten, then pieces might be found in the FAT. Large storage devices make it impossible to do it without a tool.
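Slides 34, 39, 40 and 45 in code, as an added example that is not part of the lecture: it decodes a constructed 32-byte FAT16 directory entry for a deleted file, follows a live cluster chain through a constructed FAT, and derives the sector run of the deleted file from its first cluster and size. The BPB values (512-byte sectors, 2 sectors per cluster, data area starting at sector 40) are assumptions.

```python
import struct

# Constructed FAT16 fragments (not the lecture's disk image): a 32-byte root
# directory entry for a deleted file, plus a tiny FAT holding one live chain.
DELETED_ENTRY = (
    b"\xE5WRD0700TMP" + b"\x20" + bytes(10)   # name (0xE5 = deleted), ext, attr, reserved
    + bytes(4)                                # time and date of last change (constructed)
    + b"\x4E\x00" + b"\x00\x08\x00\x00"       # first cluster 0x004E, size 0x800, both LE
)
FAT16 = [0] * 0x60
FAT16[0x20], FAT16[0x21], FAT16[0x22] = 0x21, 0x22, 0xFFFF   # live 3-cluster chain
BYTES_PER_SECTOR, SECTORS_PER_CLUSTER, DATA_START = 512, 2, 40  # assumed BPB values

def parse_dir_entry(e):
    """Decode a 32-byte FAT12/16 directory entry using the slide 39 offsets."""
    name, ext = e[0:8], e[8:11]
    first_cluster, size = struct.unpack_from("<HI", e, 0x1A)
    deleted = name[0] == 0xE5
    stem = ("?" + name[1:].decode("ascii")) if deleted else name.decode("ascii")
    return {"deleted": deleted, "end_of_dir": name[0] == 0x00,
            "name": stem.rstrip() + "." + ext.decode("ascii"),
            "attr": e[0x0B], "first_cluster": first_cluster, "size": size}

def cluster_to_sector(cluster):
    """FAT numbers data clusters from 2, so subtract 2 before scaling."""
    return DATA_START + (cluster - 2) * SECTORS_PER_CLUSTER

def follow_chain(fat, first):
    """Walk a live file: the root entry gives the first cluster, the FAT the rest."""
    chain, cur = [], first
    while 2 <= cur < 0xFFF8:                  # FFF8-FFFF marks the last cluster
        if cur in chain:
            raise ValueError("FAT chain loops: corrupt table")
        chain.append(cur)
        cur = fat[cur]
    return chain

def recover_deleted(entry):
    """The FAT chain of a deleted file is normally zeroed when it is freed, so
    assume contiguous allocation and derive the cluster run from first cluster
    and size; the recovered bytes must still be checked against expected content."""
    d = parse_dir_entry(entry)
    if not d["deleted"]:
        raise ValueError("entry is not marked deleted")
    cluster_bytes = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER
    n_clusters = -(-d["size"] // cluster_bytes)           # ceiling division
    clusters = list(range(d["first_cluster"], d["first_cluster"] + n_clusters))
    return d["name"], clusters, cluster_to_sector(clusters[0])
```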

46 FAT 32 Root Directory. Uses 4B to store the file's first cluster. Adds access date and modification date and time. Modification, Access, Creation (MAC) times give important hints during an investigation.

47 FAT 32 Root Directory
Offset  Length  Meaning
0x00    8B      File Name, padded with zeroes
0x08    3B      3 byte extension
0x0b    1B      File attribute
0x0c    1B      Reserved
0x0d    1B      Millisecond stamp at file creation time
0x0e    2B      File creation time
0x10    2B      File creation date
0x12    2B      File access date
0x14    2B      High word of file’s first cluster
0x16    2B      Last write time
0x18    2B      Last write date
0x1a    2B      Low word of the file’s first cluster
0x1c    4B      File size in bytes

48 Long File Names
- Support for long file names needs to be backwards compatible.
- Long file names should be stored next to the corresponding short entry.
- Disk utilities should not misdiagnose long file name entries as faulty.
- Unicode support

49 Long File Name Entries
- Encode the long file name in several long entries.
- They immediately precede the short entry.
- Each has an entry order number. The last entry's order number is or’d with 0x40 to mark it.

50 Long File Name Support. Create an 8B short file name from the long one. Calculate a checksum from the short name and store it in all long records.

51 Long File Name Entries
Offset  Length  Meaning
0x00    1B      Entry order number
0x01    10B     Characters 1-5 of name entry
0x0b    1B      File Attribute. MUST be 0F
0x0c    1B      Should be 00
0x0d    1B      Checksum of short file name
0x0e    12B     Characters 6-11 of name entry
0x1a    2B      MUST be 00 00 to be compatible
0x1c    4B      Characters 12-13 of name entry

52 Long File Name Entries Entry Order NumberAttribute
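The long file name scheme of slides 48 to 52 end to end, as an added example that is not part of the lecture: it builds the long entries for one constructed name (order numbers, 0x40 marker on the last piece, attribute 0F, checksum of the short name), then decodes them back while rejecting entries whose checksum does not match the short entry they precede, which is how orphaned long entries left over from deletions are told apart. The checksum is the standard VFAT one; the short alias FORENS~1.TXT is an assumption.

```python
# Constructed example (not from the lecture): build the long-name entries for
# one file and decode them back. Short names are the 11-byte 8.3 form.
SHORT_NAME = b"FORENS~1TXT"                 # assumed short alias of the long name
LONG_NAME = "forensics report.txt"


def lfn_checksum(short11):
    """Standard VFAT checksum: rotate right by one, then add the next byte."""
    s = 0
    for c in short11:
        s = ((((s & 1) << 7) | (s >> 1)) + c) & 0xFF
    return s


def build_lfn_entries(long_name, short11):
    """Return the 32-byte long entries in on-disk order (last piece first)."""
    chars = list(long_name)
    if len(chars) % 13:
        chars.append("\x00")                # NUL terminator, then 0xFFFF padding
    chunks = [chars[i:i + 13] for i in range(0, len(chars), 13)]
    out = []
    for n, chunk in enumerate(chunks, 1):
        u = "".join(chunk + ["\uffff"] * (13 - len(chunk))).encode("utf-16-le")
        order = n | (0x40 if n == len(chunks) else 0)   # last piece is or'd with 0x40
        out.append(bytes([order]) + u[0:10] + b"\x0F\x00" + bytes([lfn_checksum(short11)])
                   + u[10:22] + b"\x00\x00" + u[22:26])
    return out[::-1]


def decode_lfn(entries, short11):
    """Validate the entries that precede a short entry and reassemble the name."""
    pieces = {}
    for e in entries:
        if e[0x0B] != 0x0F or e[0x1A:0x1C] != b"\x00\x00":
            raise ValueError("not a long-name entry")
        if e[0x0D] != lfn_checksum(short11):
            raise ValueError("checksum mismatch: orphaned long-name entry")
        pieces[e[0] & 0x3F] = (e[1:11] + e[0x0E:0x1A] + e[0x1C:0x20]).decode("utf-16-le")
    last = [e[0] & 0x3F for e in entries if e[0] & 0x40]
    if len(last) != 1 or sorted(pieces) != list(range(1, last[0] + 1)):
        raise ValueError("long-name sequence incomplete")
    name = "".join(pieces[i] for i in range(1, last[0] + 1))
    return name.split("\x00", 1)[0]
```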

53 Subdirectories. Are files with the same structure as the root directory. Contain two special entries:
- “..” refers to the parent directory.
- “.” refers to itself.

