Digital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics

Transcription

1 Digital Forensics Lecture 3 Hard Disk Drive (HDD) Media Forensics

2 Current, Relevant Topics defendants should not use disk-cleaning utilities to wipe portions of their hard drives before turning them over to plaintiffs in the course of discovery RIAA asked the judge for a mirrored copy of Tschirhart's hard drive data was removed from the hard drive before it was turned over we found a number of file deletion programs and their log files Tschirhart's own expert "consistent with defragmentation of the hard drive. Even though the hard drive had been altered, the investigators found evidence that P2P software had been installed music files had been downloaded the wiping utilities had been removed as well arstechnica.com

3 Research Topics Presentation Rules The goal is to pass on information that might be of value to a forensic investigator Fine to sit or stand Fine to use viewgraphs or not Any viewgraphs must be in PowerPoint format and must be ed by 7:00 AM the day of the presentation Each presentation is limited to 5 minutes Depending on the material and level of interest, we may explore a topic further Write up is due at presentation

4 This Week s Presentations 1. CD-R/RW and DVD+-R/RW media analysis 2. File carving 3. Tools for MAC digital forensics

5 Lecture Overview Legal/Policy Preparation Collection Analysis Findings/ Evidence Reporting/ Action Very Brief Overview of Lecture 2 Isolation through virtualization Analysis and relevant tools High-level format (File System) Digital Forensic Tools

6 Brief Summary of Last Lecture Physical-layer forensic issues for HDDs Materials, geometry, and low-level structure HDD function and operation Data recovery using physical-layer techniques The first level of abstraction (Volumes) Volume 1 Volume 2 Unallocated Primary Storage Media 1 P G R

7 Module 1 Isolation Through Virtualization (e.g., VMWare)

8 The Goal is to Maintain Integrity of the Investigation New Tools Testing Investigator Change ACCESS Process ACCESS Unauthorized Users and Networks Investigation Environment MODIFY READ Evidence Data Investigator Evidence Consumer Verify TOOLS VERIFY MODIFY GENERATE Reports GENERATE READ Analysis Data MODIFY GENERATE Incremental Reports

9 VMWare Will Serve as Our Investigation Environment

10 VMware Device Specifics Provides a variety of virtual hardware HDD (IDE or SCSI) Stored as a binary file on the host OS Can add or remove HDD very easily CD and DVD drives (IDE or SCSI) Can use ISO image on host OS as CD or DVD Memory (RAM) limited by physical RAM USB 1.1 and 2.0 Floppy Can use ISO image on host OS as floppy NIC (Ethernet) Audio Adapter Serial port Parallel port Generic SCSI device Can save and revert to snapshots of system state Virtual hardware is very stable

11 Important Information About Our Analysis Virtual Machine We will use a Fedora Core VM for our Analysis User = root Password = letmein Do not modify the analysis VM unless specified in lab instructions

12 Module 2 Analysis and Relevant Tools

13 Analysis of Volumes Generally the first step in media analysis Should occur after preservation of evidence Media imaging or cloning are the generally accepted methods of preserving evidence Account for all storage space Create a partition map and understand the resulting volumes Requires careful accounting for each sector Guide analysis of other constructs, including higher-layer abstractions File systems Databases Other logical containers, etc.

14 The Sleuth Kit Tools (learn through hands-on labs) File system layer (partitions, file systems) fsstat first used in lab 3 to determine block size File name layer (file name structures) ffind fls Meta-data layer (inodes, directory entries, file attributes) icat ifind ils istat Data unit layer (disk blocks) dcat first used in lab 3 to extract disk blocks dls first used in lab 2 to copy unallocated space and slack space dstat dcalc first used in lab 3 to compute absolute block to recover

15 Module 3 High Level Format (File Systems)

16 Our approach to understanding HDD DF We will begin at the physical-layer and work toward increasing abstraction using a data driven approach Understanding and Evidence Specific to Abstract? File File System Volume 1 Physical Media You Are Here Volume n

17 HDD Structure (just prior to adding file system) Blank media Low-level format Partition VBC 1 DPB 1 Sectors (512+ B) Redundant Sectors (512+ B) VBC 2 DPB 2 MBR VBR 1 MBC MPT VBR 2 MBR = master boot record MBC = master boot code MPT = master partition table VBR = volume boot record VBC = volume boot code DPB = disk parameter block

18 High-Level Format (Creating Disk Blocks) MBC MPT Clusters, Blocks, Fragments, etc. (different names for the same thing) Sectors Blocks High-level format creates the file system Sectors are too small for most HDDs (address space is too large) Sectors are grouped into groups of N to form clusters, N is a positive integer This becomes the indivisible data size for the installed operating system

19 Master Boot Record File System (MBR) Structures MBC MPT High-Level Format (Creating File Systems) Allocated/Unallocat ed Space Clusters, Blocks, Fragments, etc. (different names for the same thing) MPT now contains file system type and cluster size Cluster (fragment, segment) sizes are multiples of 512 octets (one sector) This becomes the indivisible file size for the operating system A file system structure is created FAT creates a file allocation table (simple table) NTFS creates a master file table (database) Linux EXT2/3 creates a virtual file system Each file system behaves differently

20 What is Slack Space? (space between end of file and end of cluster) Sector Cluster (512 octets) ( x 512 octets) File of length 4628 octets slack space Consider a file containing 4628 octets 4628 = (1024 x 4) full clusters and part of a fifth cluster There will be (5 x 1024) 4628 = 492 unused octets This unused space is called slack space

21 Why is Slack Space Important? Unallocated Space (New Drive) Allocated Space Unallocated Space (After File deletion) Allocated Space (Reallocated, new file) Slack Space Why isn t this also slack space?

22 Blank Media Low-Level Format Individual Sector 512 octets Sector overhead Redundant Sectors (Only visible to HDD controller) Partitioning Master Boot Record (MBR) Inter-partition gap Partition #1 MBC MPT VBC DPB VBC DPB Partition #2 Volume Boot Record (VBR) Unused sectors Master Boot Record (MBR) File System Structures Free Space High-level Format MBC MPT Clusters OS Install Master Boot Record (MBR) File System Structures OS Code/Data Free Space Page File MBC MPT

23 What is the Role of a File System? Provides data storage and retrieval Associates names with data files Organizes files into parent directories Stores file attributes Modify, Access, Creation (MAC) times Disk blocks used for file storage Others depending on specific file system Maintains lists of unallocated disk blocks

24 What Do Most File Systems Have in Common? Unique file (or directory) identifiers inodes (Linux terminology, Windows is unknown) Data structure that associates file names and inodes Indivisible storage units formed of disk clusters e.g., blocks, clusters, fragments, etc. Pointers to blocks where file is stored File attributes, e.g., times, parent directories, deleted flag, ownership, permissions, etc. Unallocated block list

25 Files Systems Have Significant Structural and Functional Differences Journaling Meta-data storage Variable length allocation units Fragments Distributed file system data structures inode allocation algorithms Search efficient data structures trees

26 What File System Attributes/Behaviors are of Interest to a DF investigator? File deletion File growth File shrinkage File replacement Resource reuse directory blocks, inodes, blocks, etc. Time stamp behavior What else?

27 NTFS File System NTFS uses a master file table (MFT) More of a database than a table Each entry is referenced by a unique number Stores file/directory attributes $Data is just one attribute and multiple $Data attributes are allowed MAC times Stores up to 1500 octets of data directly Larger files are stored indirectly IN_USE flag is cleared when a file is deleted All attributes are maintained until MFT entry is reused Indirect storage may persist even after entry is reused

28 Ext2 File System Linux uses data structures called inodes to represent a file or directory Each inode has a unique number Contains a description of the file Size, MAC Times, file type, access rights, owners, etc. Contains pointers to blocks where data is stored Files names are stored in a separate data structure Referenced by inode number Allows multiple names for the same file Character and block are special files types that do not store data Point to a device driver Larger files are stored through up to three levels of indirection deleted flag is set when a file is deleted

29 Example of Indirection

30 Module 4 Digital Forensic Tools

31 Disk Imaging and Cloning Disk imaging and cloning is a standard and necessary step to preserve evidence We will use dd to perform our clone and imaging Cloning Disk/Volume to disk Imaging Disk/Volume to file

32 Hash Functions Used for integrity function Common hash functions MD5, SHA-1, SHA-256 File Hash Function Hash dccidd will compute MD5, SHA-1, and SHA- 256 concurrent with imaging operation

33 The Sleuth Kit Forensics analysis tools Written by Brian Carrier Based on The Coroner s Tool Kit by Dan Farmer Based on a layered model of analysis Tested on multiple systems Linux, Mac OS X, CYGWIN, FreeBSD, OpenBSD, Solaris Supports NTFS, FAT, FFS, EXT2FS, and EXT3FS Autopsy is a web-based tool that uses The Sleuth Kit

34 MBR File System Structures MPT name, inode, MBC allocated space inode attributes unallocated space File system layer fsstat MPT File name layer ffind, fls name, inode Meta-data layer icat, ifind, ils, istat inode, attributes Data unit layer dcat, dls, dstat, dcalc allocated space unallocated space

35 The Sleuth Kit Tools (learn through hands-on labs) File system layer (partitions, file systems) fsstat first used in lab 3 to determine block size File name layer (file name structures) ffind fls Meta-data layer (inodes, directory entries, file attributes) icat ifind ils istat Data unit layer (disk blocks) dcat first used in lab 3 to extract disk blocks dls first used in lab 2 to copy unallocated space and slack space dstat dcalc first used in lab 3 to compute absolute block to recover

36 Questions? After all, you are an investigator