Hard Drives and Storage Media - Lamar

Post on 12-Sep-2021



1

Hard Drives, Storage Media and File Systems

2

Interface

• Two most common types of interfaces
– SCSI: Small Computer Systems Interface (servers and high-performance desktops)
– IDE/ATA: Integrated Drive Electronics (PC workstations)

3

Physical Hard Drive

4

Computer Disk

• Track
– Each platter is divided into concentric rings called tracks
• Sector
– Tracks are further divided into sectors
• Cluster
– A combination of one or more sectors

5

Basic concepts

• Clusters
– The basic storage unit of a disk
– The smallest piece of storage that an operating system can actually place data into
– Different disk formats have different cluster sizes
• Slack space
– A file's clusters are not always filled up (the last one almost never is); the excess capacity in the last cluster is slack space

[Figure: old data in a cluster being partially overwritten by new data]
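To make the slack-space point concrete, here is an added example (not from the original slides) that models a disk handing out whole clusters. The cluster size, disk size and file contents are constructed for illustration; the names `ClusterDisk`, `read_slack` and `demo` are this example's own.

```python
"""Cluster-allocated disk model showing why slack space keeps old data.

Added example, not from the original slides. The disk size, cluster size and
file contents below are constructed for illustration; real clusters are
larger and allocation is driven by the file system's own tables.
"""

CLUSTER_SIZE = 512  # constructed value; typical real clusters are 4 KiB or more


class ClusterDisk:
    """A tiny disk that hands out whole clusters, as FAT and NTFS do."""

    def __init__(self, n_clusters, cluster_size=CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.media = bytearray(n_clusters * cluster_size)
        self.files = {}  # name -> (list of clusters, logical size in bytes)

    def clusters_needed(self, size):
        """Whole clusters required for a file of `size` bytes (at least one)."""
        return max(1, -(-size // self.cluster_size))

    def slack_bytes(self, size):
        """Unused capacity in the last cluster of a file of `size` bytes."""
        return self.clusters_needed(size) * self.cluster_size - size

    def write_file(self, name, data, first_cluster):
        """Write `data` into contiguous clusters starting at `first_cluster`.
        Only len(data) bytes are touched; the tail of the last cluster keeps
        whatever was there before, which is exactly the slack space."""
        n = self.clusters_needed(len(data))
        start = first_cluster * self.cluster_size
        self.media[start:start + len(data)] = data
        self.files[name] = (list(range(first_cluster, first_cluster + n)), len(data))

    def delete_file(self, name):
        """Deletion drops the allocation record only; the clusters are untouched."""
        del self.files[name]

    def read_file(self, name):
        clusters, size = self.files[name]
        start = clusters[0] * self.cluster_size
        return bytes(self.media[start:start + size])

    def read_slack(self, name):
        """Bytes between the logical end of the file and the end of its last cluster."""
        clusters, size = self.files[name]
        start = clusters[0] * self.cluster_size + size
        end = (clusters[-1] + 1) * self.cluster_size
        return bytes(self.media[start:end])


OLD_CONTENT = b"OLD CONFIDENTIAL RECORD " * 30  # 720 bytes -> occupies two clusters


def demo():
    """Overwrite a deleted 720-byte file with a 100-byte file and return the slack."""
    disk = ClusterDisk(n_clusters=8)
    disk.write_file("old.txt", OLD_CONTENT, first_cluster=2)
    disk.delete_file("old.txt")
    # The new file reuses cluster 2. Bytes 100..511 of that cluster are never
    # rewritten, so the tail of the old record survives in the new file's slack.
    disk.write_file("new.txt", b"N" * 100, first_cluster=2)
    return disk.read_slack("new.txt")


if __name__ == "__main__":
    slack = demo()
    print(len(slack), "bytes of slack, starting with:", slack[:24])
```

The 412 bytes returned by `demo()` are the old record's bytes 100 through 511; the rest of the old file (cluster 3) is likewise still on the media, now as unallocated space, which is the reason examiners read slack and unallocated clusters rather than only the files the operating system shows.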

6

Partition

• One hard drive can be logically divided into more than one partition
– e.g., one partition has Windows 2000, one partition has Windows 2000 data, one partition has Linux
• Partition table
– Maintains partition information
• Check Table 3.1 for different partition types
• Tools for looking at the partition table on the drive
– fdisk
– PowerQuest's PartitionMagic
– Partinfo (free, but cannot change any of the partitions)
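What a tool like fdisk or Partinfo reads is the partition table in the first sector. The following added example (not from the original slides) parses a classic MBR partition table: four 16-byte entries starting at byte 446 and the 0x55AA boot signature at the end of the sector. The sector bytes are constructed in code, and the `PARTITION_TYPES` map lists a few well-known type codes only.

```python
"""Parse a classic MBR partition table from raw sector bytes.

Added example, not from the original slides. The 512-byte sector below is
constructed in code; no real disk is read.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446          # the four partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"

# A few common partition type codes (well-known values).
PARTITION_TYPES = {
    0x00: "empty",
    0x05: "extended",
    0x06: "FAT16",
    0x07: "NTFS/HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
}


def parse_mbr(sector):
    """Return the non-empty partition entries, or raise if this is not an MBR."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0x00 and count == 0:
            continue
        entries.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02X}"),
            "lba_start": lba_start,
            "sectors": count,
            "size_mib": count * SECTOR // (1024 * 1024),
        })
    return entries


def build_entry(bootable, ptype, lba_start, count):
    """Build one 16-byte entry (CHS fields left zero, as LBA-only tools do)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, count)


def constructed_mbr():
    """A sample MBR: a bootable NTFS partition followed by a Linux partition."""
    sector = bytearray(SECTOR)
    table = (build_entry(True, 0x07, 63, 2_097_152)           # 1 GiB NTFS
             + build_entry(False, 0x83, 2_097_215, 1_048_576)  # 512 MiB Linux
             + bytes(ENTRY_SIZE * 2))                          # two empty slots
    sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE] = table
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for p in parse_mbr(constructed_mbr()):
        print(p)
```

Running the block on `constructed_mbr()` lists the two partitions with their type names, start sectors and sizes. On a real image the same parser can be pointed at sector 0 of the acquired disk; an entry whose type is set but whose LBA range lies outside the disk, or a gap between entries, is the kind of "unused partition" space the later slides mention as a place where data can hide.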

7

Partition

8

Unix/Linux - Partitions and file systems

• Every partition has an associated file system. The file system is actually created by the mkfs command. In DOS systems it is customary to devote the entire disk to a single FAT (File Allocation Table) based file system.

• In UNIX, it is normal to use multiple partitions in the file system structure, and for the file system structure to spread over many partitions and devices, possibly of different file system types.

• UNIX recognizes many types of file systems, including minix, ext, ext2, umsdos, msdos, proc, nfs, hpfs, etc.

9

Partitions

• In Unix, every disk must be partitioned. Partitions divide up the disk, and each segment acts as a complete disk by itself. Once a partition is full, it cannot (without special software) automatically flow into another partition.

• Under Linux, each disk is given its own device name. IDE disks start with the name /dev/hdX, where X can range from a through z. When partitions are created, new devices are created. They take the form /dev/hdXY, where Y is the partition number.

• When installing the OS, the installer creates partitions for you. A command that can also create partitions is fdisk; it can be used at any time by root to partition the hard drives.
– fdisk -l

10

Partitions and Blocks

• The smallest unit of information that can be read from or written to a disk is a block.

• When partitions are created, the first block of every partition is reserved as the boot block. However, only one partition may act as a boot partition. The BIOS checks the partition table of the first hard disk at boot time to determine which is the boot partition. In the boot block of the boot partition there exists a small program called the bootstrap loader. On Linux, this is LILO.

11

Partitions and Blocks

• The second block on the partition is called the superblock. It contains all the information about the partition, including
– size of the partition
– physical address of the first data block
– number and list of free blocks
– info about the file system
– when the partition was last modified

• The remaining blocks are data blocks.

• In order to use these partitions and file systems, they are logically attached (mounted) to the directory structure.

12

Format

• The process of turning a partition into a recognizable filesystem

• Windows
– format command

• Unix/Linux
– mkfs

13

File System

• It is a set of data objects that can be referenced and manipulated externally.

• It is the place where an operating system stores files, making it easy for you to access them by name, location, date, or other characteristic.

• File System Format
– The process of turning a partition into a recognizable file system.

14

File System

15

Data Structures used in File System

16

File System

• File Allocation Table (FAT)
– Simplest file system
– FAT12
– FAT16
– FAT32
– VFAT

• NTFS, a file system for Windows NT/2K

17

Things to remember about FAT

• A sector is the smallest addressable unit of a hard disk.
• A cluster is a fixed number of contiguous sectors (but not necessarily physically contiguous).
• To a certain extent, you can decide how many sectors are in a cluster.
• All files are allocated space in clusters of sectors using a file allocation table (FAT).
• As you use files, increase and decrease their size and create new files, formerly contiguous clusters become scattered across your hard disk, which is referred to as fragmentation.
• Most operating systems, including Windows, have their own defragmentation utilities.
• Periodic defragmentation of your hard disk will reduce the risk of data loss and improve overall system performance.
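The file allocation table is a linked list: each entry holds the number of the next cluster of the file, or an end-of-chain mark. The following added example (not from the original slides) walks such a chain on a constructed FAT16-style table, reports whether the file is fragmented, and refuses chains that point at free or bad clusters or loop back on themselves, which is what a damaged or tampered table looks like. The table `SAMPLE_FAT` and the function names are this example's own.

```python
"""Follow a FAT cluster chain and detect fragmentation.

Added example, not from the original slides. The FAT is a constructed Python
list standing in for the on-disk table, using FAT16 marker values.
"""

FAT16_EOC_MIN = 0xFFF8   # 0xFFF8..0xFFFF mark the end of a chain
FAT16_BAD = 0xFFF7       # cluster marked unusable
FAT16_FREE = 0x0000      # unallocated cluster


def follow_chain(fat, start):
    """Clusters belonging to the file that starts at `start`, in order.
    Raises ValueError on a free, bad or looping chain (a corrupted table)."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):          # clusters 0 and 1 are reserved
            raise ValueError(f"cluster {cur} out of range")
        if cur in seen:
            raise ValueError(f"loop detected at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC_MIN:
            return chain
        if nxt == FAT16_BAD:
            raise ValueError(f"chain hits a bad cluster after {cur}")
        if nxt == FAT16_FREE:
            raise ValueError(f"chain points to a free cluster after {cur}")
        cur = nxt


def fragments(chain):
    """Split a chain into runs of consecutive clusters; one run means contiguous."""
    runs = []
    for c in chain:
        if runs and c == runs[-1][-1] + 1:
            runs[-1].append(c)
        else:
            runs.append([c])
    return runs


def is_fragmented(fat, start):
    return len(fragments(follow_chain(fat, start))) > 1


def size_on_disk(chain, sectors_per_cluster, bytes_per_sector=512):
    """Allocated size, slack included, from the number of clusters in the chain."""
    return len(chain) * sectors_per_cluster * bytes_per_sector


# Constructed FAT16 table (index = cluster number):
#   file A: 2 -> 3 -> 4 -> end   (contiguous)
#   file B: 5 -> 9 -> 6 -> end   (scattered after edits and deletions)
#   7 is free, 8 is marked bad, 10 points to itself (corruption)
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 9, 0xFFFF, 0, 0xFFF7, 6, 10]

if __name__ == "__main__":
    for start in (2, 5):
        chain = follow_chain(SAMPLE_FAT, start)
        print(start, chain, "fragmented" if is_fragmented(SAMPLE_FAT, start) else "contiguous")
```

File B is the case the slide describes: its clusters were once adjacent, but after other files were created and deleted around it the chain hops 5, 9, 6. A defragmenter rewrites such chains into single runs; for an examiner the loop and free-cluster checks matter because a deleted FAT file's directory entry still records its first cluster while the chain entries have been zeroed, so only the first cluster is certain.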

18

FAT32 File System Layout

19

NTFS

• Supported by WinNT, Win2000, and WinXP
• Also commonly supported by most distributions of Linux
• No published specification from Microsoft
• MFT
– Master File Table: the heart of NTFS; contains information about all files and directories
– Every file and directory has at least one entry in the table

20

Layout of a Freshly Formatted NTFS Volume

From page 4 of http://data.linux-ntfs.org/ntfsdoc.pdf

21

NTFS Volume Boot Sector

• The first block of information created on the partition
• Begins in the first sector of the partition, can use up to 16 sectors
• Contains
– Volume label and size, and the location of the key metadata files
– Program code to load the OS (it will generally load NTLDR)

22

Master File Table

• A system file created during the formatting of an NTFS volume.

• Records every file on the volume, including an entry for itself.

• Records the 16 metadata files.

23

Master File Table (Con’t)

• Each file record stores attributes
– $FILE_NAME: up to 255 characters
– $STANDARD_INFORMATION
• MAC times, file characteristics
– $DATA
– Attribute list
– A flag for allocation status
• If the MFT grows too large, it can point to other locations for additional MFT info.

24

MetaFiles

• The first 16 files are system files
• They are inaccessible through the operating system's normal file interface
• They are the only part of the disk with a fixed position
• The first file is the MFT itself
• Each is responsible for some aspect of system operation
• Their names start with the character "$"
• They are located in the NTFS root directory

25

BITMAP File

• Keeps track of cluster usage
• It uses one bit to record the status of each cluster on the volume
– If a cluster is used, the corresponding bit is set to one
– Else, the bit is zero
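The bit-per-cluster layout is easy to read directly. The following added example (not from the original slides) interprets a slice of such a bitmap, with bit 0 of byte 0 standing for cluster 0, and reports the unallocated runs, which are where deleted data and carving targets live. The bitmap bytes and cluster count are constructed; on a real volume the bitmap comes from the $Bitmap metadata file, and the bits past the cluster count are padding that must be ignored.

```python
"""Read an NTFS-style $Bitmap: one bit per cluster, least significant bit of
byte 0 representing cluster 0.

Added example, not from the original slides. The bitmap bytes and the cluster
count are constructed; a real $Bitmap is read from the volume's metadata file.
"""


def cluster_in_use(bitmap, cluster):
    """True when the bit for `cluster` is one (allocated)."""
    return bool((bitmap[cluster // 8] >> (cluster % 8)) & 1)


def free_clusters(bitmap, total_clusters):
    """Cluster numbers whose bit is zero. The bitmap is padded to whole bytes,
    so bits at or beyond total_clusters are ignored."""
    if len(bitmap) * 8 < total_clusters:
        raise ValueError("bitmap too short for the stated cluster count")
    return [c for c in range(total_clusters) if not cluster_in_use(bitmap, c)]


def free_runs(bitmap, total_clusters):
    """Contiguous unallocated ranges as (first, last) pairs."""
    runs = []
    for c in free_clusters(bitmap, total_clusters):
        if runs and c == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], c)
        else:
            runs.append((c, c))
    return runs


def usage(bitmap, total_clusters):
    free = len(free_clusters(bitmap, total_clusters))
    return {"total": total_clusters, "used": total_clusters - free, "free": free}


# Constructed 20-cluster bitmap: clusters 0-3 used, 4-9 free, 10-19 used.
# The top four bits of the last byte lie past the cluster count (padding).
SAMPLE_BITMAP = bytes([0b00001111, 0b11111100, 0b11111111])
SAMPLE_CLUSTERS = 20

if __name__ == "__main__":
    print(usage(SAMPLE_BITMAP, SAMPLE_CLUSTERS), free_runs(SAMPLE_BITMAP, SAMPLE_CLUSTERS))
```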

26

MAC TIMES

• Windows records the date and time of a file's
– creation (Created)
– last modification (Modified)
– last access (Accessed)
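The MAC times and the allocation flag of the two preceding slides both live in the MFT record. The following added example (not from the original slides, and not a full NTFS parser) builds a minimal 1024-byte FILE record with resident $STANDARD_INFORMATION, $FILE_NAME and $DATA attributes and then parses it back, decoding the in-use/directory flags and the FILETIME stamps. Offsets follow the publicly documented on-disk layout; the record is constructed in code, and the update-sequence fixup step that a real reader must apply is deliberately left out (the record is written with zero fixup entries so it parses as-is).

```python
"""Build and parse a minimal NTFS MFT FILE record.

Added example, not from the original slides and not a full NTFS parser.
The record is constructed in code; the fixup (update sequence) step that a
real reader must apply is omitted and the USA is written with zero entries.
"""
import struct
from datetime import datetime, timedelta, timezone

ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x0001       # record flags: entry is allocated
FLAG_DIRECTORY = 0x0002    # entry describes a directory
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def resident_attr(atype, content, name=b""):
    """24-byte resident attribute header + optional name + content, padded to 8."""
    name_off = 24
    content_off = name_off + len(name)
    total = (content_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name) // 2, name_off,
                      0, 0, len(content), content_off, 0, 0)
    return (hdr + name + content).ljust(total, b"\0")


def build_record(name, size, created, modified, accessed, in_use=True, directory=False):
    """Assemble a 1024-byte record: header, $STANDARD_INFORMATION, $FILE_NAME, $DATA."""
    si = struct.pack("<QQQQIIII", to_filetime(created), to_filetime(modified),
                     to_filetime(modified), to_filetime(accessed), 0x20, 0, 0, 0)
    uname = name.encode("utf-16-le")
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48),            # parent: root dir (entry 5)
                     to_filetime(created), to_filetime(modified), to_filetime(modified),
                     to_filetime(accessed), (size + 4095) & ~4095, size,
                     0x20, 0, len(name), 1) + uname
    data = b"constructed file content"[:size].ljust(size, b"\0")
    body = (resident_attr(ATTR_STANDARD_INFORMATION, si)
            + resident_attr(ATTR_FILE_NAME, fn)
            + resident_attr(ATTR_DATA, data)
            + struct.pack("<I", ATTR_END))
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    attrs_off = 56  # header is 48 bytes; attributes start at the next 8-byte boundary
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 0, 0, 1, 1, attrs_off, flags,
                      attrs_off + len(body), 1024, 0, 4, 0, 0)
    return (hdr.ljust(attrs_off, b"\0") + body).ljust(1024, b"\0")


def parse_record(rec):
    """Decode flags, name, size, MAC times and resident data from one record."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    attrs_off, flags = struct.unpack_from("<HH", rec, 20)
    info = {"in_use": bool(flags & FLAG_IN_USE),
            "is_directory": bool(flags & FLAG_DIRECTORY), "attributes": []}
    off = attrs_off
    while True:
        atype = struct.unpack_from("<I", rec, off)[0]
        if atype == ATTR_END:
            break
        length, nonres = struct.unpack_from("<IB", rec, off + 4)
        info["attributes"].append(atype)
        if not nonres:  # resident: content sits inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                c, m, _mft_m, a = struct.unpack_from("<QQQQ", content, 0)
                info["mac"] = {"created": from_filetime(c), "modified": from_filetime(m),
                               "accessed": from_filetime(a)}
            elif atype == ATTR_FILE_NAME:
                nlen = content[64]
                info["name"] = content[66:66 + 2 * nlen].decode("utf-16-le")
                info["size"] = struct.unpack_from("<Q", content, 48)[0]
            elif atype == ATTR_DATA:
                info["data"] = content
        off += length  # non-resident runlists are not decoded here
    return info


if __name__ == "__main__":
    t0 = datetime(2004, 3, 1, 12, 0, tzinfo=timezone.utc)
    print(parse_record(build_record("report.doc", 24, t0, t0, t0)))
```

Two details worth noticing for the slides that follow: a record whose `in_use` flag is clear is what a deleted file leaves behind in the MFT (its attributes, including name and MAC times, stay readable until the entry is reused), and $FILE_NAME carries its own copy of the four timestamps, which is why examiners compare it against $STANDARD_INFORMATION when timestamps look edited.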

27

Where is the Data?

• Files
– May contain stray data as well
• Slack space
– In last cluster of file
– File slack
– RAM slack
• Unallocated blocks
– Contain deleted data
• Unused partitions
• Boot track

28

Swapping

[Figure: swapping between primary memory and secondary memory; the image of process pi is swapped out and the image of process pj is swapped in]

29

Swap Files in Windows

• Windows 2000 & WinXP
– c:\pagefile.sys
– To see it:
• Folder Options | View set to 'Show Hidden and System files'
• Not set to 'Hide Protected mode System files'
• Win98
– C:\win386.swp

30

Virtual Memory

[Figure: virtual address spaces for processes pi, pj and pk held in secondary memory; fragments are mapped into the physical address space 0..n-1 in primary memory]

• The complete virtual address space is stored in secondary memory

• Fragments of the virtual address space are dynamically loaded into primary memory at any given time

• Each address space is fragmented

31

Configure Virtual Memory

Control Panel -> System -> Advanced -> Performance -> Settings -> Advanced

32

Windows Investigation (Before Looking for Deleted Files!)

• Check Application Logs (WinXP)
– C:\WINDOWS\system32\config\AppEvent.evt

• Programs run from the Start > Run menu
– HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\RunMRU

• Windows Temp Files
– C:\Documents and Settings\User\Local Settings\Temp

33

Windows Registry

• Contains information on every Windows-compatible program
• Central hierarchical configuration database
• The operating system relies on it
• Contains information about
– Hardware, including plug and play devices
– User information and preferences
• Supports multiple users
– Applications
– Network information

34

Registry

• How to view:
– Regedit
• Root keys
– HKEY_CLASSES_ROOT
– HKEY_CURRENT_USER
– HKEY_LOCAL_MACHINE
– HKEY_USERS
– HKEY_CURRENT_CONFIG
• Key
– Is a folder that contains subkeys
– Contains zero or more settings (values)

35

Registry Values

• Contain three parts
– Name
– Type
– Data
• Registry types
– REG_BINARY
• Raw binary data
• Must contain an even number of bytes
– REG_DWORD
• 32-bit double-word value
• For example, 0x01ACDE01
– REG_SZ
• String values
• The most common and simplest type

36

Glean evidence from the registry

• Make sure your registry is backed up
• On Win95/98, the registry is comprised of
– Windows\System.dat
– Windows\User.dat
• On WinNT/XP, the registry is comprised of
– Several hive files in %systemroot%\system32\config
• SYSTEM
• SAM
• SECURITY
• SOFTWARE
– An NTUSER.dat file for each user account
• Located in C:\Documents and Settings\%USER%

37

What can you find from the registry?

• The recently run programs
• The recently used (opened or saved) files
• Recently accessed networks

38

How to view or modify the Registry

• regedit or regedt32
• EnCase parses the registry files and presents them in a familiar tree-structured view.

39

Information from the registry

• Product Name
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
• Typed URLs contain a list of all the URLs the user typed into the address field
– HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
– It can be cleared through Internet Options

40

Information from the registry

• AutoComplete
– With the AutoComplete feature turned on, Internet Explorer saves data that users type into Web logons in the registry
• Passwords
• Name, address, phone number, …
– HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
– Clear password autocomplete

41

Information from the registry

• Run, RunOnce, RunOnceEx
– Run: lists all the programs that start every time Windows starts
– RunOnce: lists the programs that start only once and are deleted after that
– RunOnceEx is similar to RunOnce; it is used by applications for setup and configuration
– Trojan horses will use them
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (RunOnce, RunOnceEx)

42

Information from the registry

• RecentDocs
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
– It can be cleared through the taskbar menu

43

Information from the registry

• Opened or saved files, last visited files
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\OpenSaveMRU
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\LastVisitedMRU

44

Information from the Registry

• Tells the system how to behave when a file with the .exe extension is launched:
– HKEY_CLASSES_ROOT\exefile\shell\open\command
– Malware such as Backdoor.Beasty modifies this key so that it is launched whenever an executable file is launched

• Other registry keys provide similar functionality
– HKEY_CLASSES_ROOT\batfile\shell\open\command
– HKEY_CLASSES_ROOT\comfile\shell\open\command

45

Acquisition Steps with EnCase

• Create EnCase boot disk
• Start subject computer with boot disk
• Acquire data to storage computer

46

EnCase Acquisition

47

Brief Introduction of EnCase

• How to organize the case files and evidence files
• Evidence File
– Header
– Checksum
• EnCase computes a CRC for every block of 64 sectors (32KB)
– Data Blocks
– MD5 hash value
• Sector-by-sector copy

48

Brief Introduction of EnCase

• When an evidence file is added to a case, EnCase verifies the integrity of the entire disk image

• Case File
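The verification the slide describes combines two layers: a CRC per 64-sector block, which localizes damage, and a hash over the whole acquisition, which confirms the image as a unit. The following added example (not from the original slides and not EnCase's evidence-file format) mirrors that scheme on a constructed "disk", then flips one bit in a stored block to show that the block CRC pinpoints it while the MD5 fails for the image as a whole.

```python
"""Block CRCs plus a whole-image hash, the integrity scheme the slide describes.

Added example, not from the original slides and not EnCase's evidence-file
format; it only mirrors the idea of a CRC per 64-sector block and an MD5 over
the acquired data. The "disk" is a constructed byte string.
"""
import hashlib
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR   # 32 KiB, the per-CRC unit named on the slide


def make_evidence(data):
    """Split the acquired data into blocks; record a CRC32 per block plus one MD5."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return {
        "blocks": blocks,
        "crcs": [zlib.crc32(b) for b in blocks],
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify(evidence):
    """Recompute everything. Returns (all_ok, indexes of blocks whose CRC failed).
    Block CRCs localize damage; the MD5 confirms the image as a whole."""
    bad = [i for i, (blk, crc) in enumerate(zip(evidence["blocks"], evidence["crcs"]))
           if zlib.crc32(blk) != crc]
    md5_ok = hashlib.md5(b"".join(evidence["blocks"])).hexdigest() == evidence["md5"]
    return (not bad and md5_ok, bad)


def constructed_disk(n_sectors=200):
    """Sectors whose content is the sector number repeated; 200 sectors -> 4 blocks."""
    return b"".join(bytes([i % 256]) * SECTOR for i in range(n_sectors))


def demo():
    """Verify a clean image, damage one stored block, verify again."""
    ev = make_evidence(constructed_disk())
    ok_before, _ = verify(ev)
    damaged = bytearray(ev["blocks"][2])
    damaged[100] ^= 0x01            # a single flipped bit in the third block
    ev["blocks"][2] = bytes(damaged)
    ok_after, bad = verify(ev)
    return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())   # (True, False, [2])
```

A CRC32 is a good detector of accidental corruption but not a defense against deliberate tampering, which is why the whole-image hash is the value recorded in the acquisition notes and compared against the original media.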

49

Filter, Query and Scripts

• Filters
– Use built-in capabilities
– Create queries when a filter is run
• Queries
– Combine more than one filter in a semi-custom query
• Scripts
– Create your own search function using a C++-like language

50

String Search

• Adding keywords
• Choose files/folders to be searched
• Configure search

51

File Signatures

• Stated extension on the evidence file
• Header information in the file itself
• Do they match?
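The signature analysis on this slide is straightforward to reproduce. The following added example (not from the original slides, and not EnCase's signature table) compares the extension a file claims with the header bytes it actually starts with and classifies each file as match, mismatch or unknown. The signatures are well-known file headers; the sample files are constructed byte strings, including the classic case of an executable renamed to .txt.

```python
"""Compare the extension a file claims with the header bytes it actually has.

Added example, not from the original slides and not EnCase's signature table.
The signatures are well-known file headers; the sample files are constructed
byte strings.
"""
OLE2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy Office compound document
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF",), "jpeg": (b"\xFF\xD8\xFF",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",), "docx": (b"PK\x03\x04",),
    "doc": (OLE2,), "xls": (OLE2,),
    "exe": (b"MZ",), "dll": (b"MZ",),
}


def extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def looks_like(header):
    """Extensions whose signature matches the start of `header`, sorted for stable output."""
    return sorted(ext for ext, sigs in SIGNATURES.items()
                  if any(header.startswith(s) for s in sigs))


def check_signature(name, header):
    ext = extension(name)
    candidates = looks_like(header)
    if not candidates:
        status = "unknown"        # no known signature; nothing to compare against
    elif ext in candidates:
        status = "match"
    else:
        status = "mismatch"       # the extension contradicts the header
    return {"name": name, "extension": ext, "looks_like": candidates, "status": status}


def mismatches(files):
    """Names whose header contradicts their extension."""
    return [n for n, h in files if check_signature(n, h)["status"] == "mismatch"]


SAMPLE_FILES = [  # constructed: (name, first bytes of the file)
    ("holiday.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),
    ("invoice.pdf", b"%PDF-1.4\n"),
    ("notes.txt", b"MZ\x90\x00\x03\x00"),        # an executable renamed to .txt
    ("report.doc", b"PK\x03\x04\x14\x00"),        # a ZIP container behind a .doc name
    ("readme.txt", b"Plain text, no signature"),
]

if __name__ == "__main__":
    for name, header in SAMPLE_FILES:
        print(check_signature(name, header))
```

Plain text has no signature, so a .txt file that starts with readable text is reported as unknown rather than as a match; only files whose header positively identifies another type are reported as mismatches, which keeps the list short enough to review by hand.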

52

Access Registry

C:\windows\user.dat

53

Viewing Registry Files in EnCase

• Registry files of Windows 95, 98, ME, NT 4.0, 2000, and XP computers can be mounted within EnCase

54

View Email Folder

• Email is often a rich source of information
• Locate the .dbx or .pst file
• View the file structure

55

Email searches

• Outlook Express / Outlook
– Stores email messages and folders in files with a dbx / pst extension
– Copy the dbx or pst file to a Windows machine
– EnCase
– Outport from outport.sourceforge.net (free)

• Web-based Email
– Stored in html format with the extension html or htm

56

57

58

GUID

• Globally Unique Identifier
– A unique 128-bit number to identify a particular component
• Imagine a case:
– A theft of intellectual property case, in which proprietary information was copied to a Word document and the document was saved to a floppy disk
– Given the floppy disk, prove that the defendant created the disk.

59

Collect volatile data in Windows

• System Info
– date /t
– time /t
– Uptime
• How long the machine has been up
– psinfo
• You can download it from www.sysinternals.com

60

psinfo

• Provides system info
– Type of installation
– Install date
– Kernel version
– Service pack
– Processor information
– Registered organization and owner

61

Process Monitor

www.sysinternals.com

62

psinfo

63

The Forensic Acquisition Utilities

• A collection of utilities and libraries for the Windows environment

• http://users.erols.com/gmgarner/forensics/
– Sterilize media for forensic duplication
• Wipe.exe
– Collect the evidence from a running system
• dd.exe for Windows
– Check data integrity
• Md5sum.exe
– netcat

64

Windows’ dd

• Performs a bit-by-bit copy
• MD5 sums
• Compare the MD5 sum of the data with the MD5 sum of the image
• Obtain physical memory

65

Recycle Bin

• The Recycle Bin is a hidden system folder
• This special folder is named
– Recycled in Windows 95 and 98
– Recycler in WinNT/2K
– A subfolder is created with the user's SID
• Every file sent to the Recycle Bin is renamed in the following format:
– D[original drive letter of file][index no].[original extension]

66

INFO2 Files

• When a file is deleted, a copy of the file is moved to the Recycle Bin directory on the hard drive.

• INFO2: binary format
• INFO record (compare dir /ah and dir on the command line)
– Deletion date and time
– File's original name and path
– Index number: its order in the Recycle Bin (0 is assigned to the first file)
• Use rifiuti to parse INFO2
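What rifiuti recovers from INFO2 is the per-record original path, drive, deletion time and index, from which the on-disk D[drive][index].[ext] name of the previous slide follows. The following added example (not from the original slides, and not rifiuti's code) builds a small INFO2 file in code and parses it back. The layout is an assumption taken from published descriptions of the Windows 2000/XP format: a 20-byte header with the record size at offset 12, followed by 800-byte records laid out as documented in `build_record`.

```python
"""Parse Windows 2000/XP INFO2 records and rebuild the Recycle Bin file names.

Added example, not from the original slides; rifiuti does this for real INFO2
files. The bytes here are constructed in code, and the layout is an assumption
from published descriptions: a 20-byte header with the record size at offset
12, then 800-byte records laid out as in build_record().
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 20
RECORD_SIZE = 800       # Win2K/XP records; Win95/98 used shorter ASCII-only records


def to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def build_record(original_path, index, deleted_at, size):
    """One 800-byte record:
    0x000 ASCII path (260)   0x104 index (4)   0x108 drive number (4, 0 = A:)
    0x10C deletion FILETIME (8)   0x114 physical size (4)   0x118 UTF-16 path (520)"""
    drive = ord(original_path[0].upper()) - ord("A")
    ascii_path = original_path.encode("cp1252", "replace").ljust(260, b"\0")
    unicode_path = original_path.encode("utf-16-le").ljust(520, b"\0")
    return (ascii_path + struct.pack("<IIQI", index, drive, to_filetime(deleted_at), size)
            + unicode_path)


def build_info2(records):
    header = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0)  # version 5; total-size field left zero
    return header + b"".join(records)


def recycled_name(drive_letter, index, original_path):
    """D<drive><index>.<ext>, the on-disk name the slide describes (e.g. Dc1.doc)."""
    base = original_path.rsplit("\\", 1)[-1]
    ext = base.rsplit(".", 1)[1] if "." in base else ""
    return f"D{drive_letter.lower()}{index}" + (f".{ext}" if ext else "")


def parse_info2(blob):
    _version, _, _, rec_size, _ = struct.unpack_from("<IIIII", blob, 0)
    if rec_size != RECORD_SIZE:
        raise ValueError(f"unexpected record size {rec_size}")
    records = []
    for off in range(HEADER_SIZE, len(blob) - rec_size + 1, rec_size):
        rec = blob[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le").split("\0", 1)[0]
        if not path:  # fall back to the ASCII copy of the path
            path = rec[:260].split(b"\0", 1)[0].decode("cp1252")
        letter = chr(ord("A") + drive)
        records.append({
            "index": index,
            "drive": letter,
            "deleted": from_filetime(ft),
            "size": size,
            "original": path,
            "recycled_name": recycled_name(letter, index, path),
        })
    return records


SAMPLE_DELETED = datetime(2005, 6, 14, 9, 30, 15, tzinfo=timezone.utc)
SAMPLE_INFO2 = build_info2([  # constructed records
    build_record(r"C:\Documents and Settings\User\My Documents\budget.xls", 1, SAMPLE_DELETED, 24576),
    build_record(r"D:\photos\img_001.jpg", 2, SAMPLE_DELETED + timedelta(minutes=5), 1048576),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["recycled_name"], r["deleted"].isoformat(), r["original"])
```

The deletion timestamp and the original path are the two fields the following slides rely on: the timestamp dates the user's action, and the path says where the file lived before it was deleted.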

67

How can INFO file help for investigation?

• An INFO file record is often effective in confirming or refuting users' explanations

• An INFO file record indicates that a user intentionally deleted the file.

68

How can INFO file help for investigation?

• If a user's explanation for the presence of a file in the Recycle Bin is that it was inadvertently downloaded during Internet activity
– The file's original location when it was deleted may tend to support or refute that contention
• If the file was originally located in a default download folder…
• If the file was originally located in C:\My Documents\My Favorite Things….

69

Several possibilities:

The INFO file has been deleted and additionally the file's folder entry has been overwritten in the parent folder

– The INFO file may still be intact in unallocated or slack space.

– The examiner can search the entire drive for unique characteristics of the INFO file's contents

– If the examiner identifies an INFO file record for a file and there are no indications that the file's path existed on the seized media
• It is an indication that there may have been another piece of media attached to the computer, and there may therefore be more undiscovered evidence.

70

Reading what the subject threw away from EnCase

• Check Recycler
• Recover INFO2 from both allocated and unallocated clusters
– Sort by file name and look for files named INFO2
• Recover deleted INFO2 files
– When a user empties a Recycle Bin, the INFO2 file is deleted
– Run the Info Record Finder EnScript
• Goes through the unallocated clusters of the media and file slack and recovers all Recycle Bin records

71

Websites cache

• Internet Explorer caches websites that a user visits
• It stores cached files in the folder
– Documents and Settings\yxp\Local Settings\Temporary Internet Files
– Documents and Settings\yxp\Local Settings\History\History.IE5\index.dat
• It stores
– Internet address
– Type
– Size
– Last modified
– Last accessed

72

Track Websites in EnCase

• Through file extension
– Check HTML and HTM files
• Run the Internet History EnScript
– Extracts every web page that the subject visited that is still available via the cache
– The script reports the last time the site was visited from a user and the last time the site itself was updated

73

Event Log files

• Event logs for the system
– SECEVENT.EVT
– SYSEVENT.EVT
– APPEVENT.EVT

• In WinXP, they are stored in C:\WINDOWS\system32\config\

• These files are written in a binary format
• Use Event Viewer to read the log files.
– Control Panel -> Performance and Maintenance -> Administrative Tools -> Event Viewer

• EnScript: Windows Event Log parser

74

.EVT files

• SECEVENT.EVT
– Stores security-related events, including failed login attempts and attempts to access files without proper permissions.

• SYSEVENT.EVT
– Stores events associated with the system's functioning, including the failure of a driver or the inability of a service to start.

• APPEVENT.EVT
– Stores events associated with applications, such as databases, Web servers and user applications.