introduction to filesystems and computer forensics

INTRODUCTION TO FILESYSTEMS AND COMPUTER FORENSICS BY: MAYANK CHAUDHARI DEPARTMENT OF COMPUTER ENGINEERING COLLEGE OF TECHNOLOGY PANTNAGAR(GBPUAT)

Upload: mayank-chaudhari

Post on 07-Jul-2015


DESCRIPTION

This presentation provides a basic introduction to filesystems and data forensics using the FAT32 filesystem.

TRANSCRIPT

Page 1: Introduction to filesystems and computer forensics

INTRODUCTION TO FILESYSTEMS AND COMPUTER FORENSICS

BY:

MAYANK CHAUDHARI

DEPARTMENT OF COMPUTER ENGINEERING

COLLEGE OF TECHNOLOGY PANTNAGAR(GBPUAT)

Page 2: Introduction to filesystems and computer forensics

FIRST THINGS FIRST

DATA

• Facts and statistics collected together for reference and analysis.

INFORMATION

• Facts provided or learned about something or someone.

FILE

• A computer file is a resource for storing information, which is available to a computer program and is usually based on some kind of durable storage. A file is "durable" in the sense that it remains available for other programs to use after the program that created it has finished executing.

Page 3: Introduction to filesystems and computer forensics

WHAT IS A FILE SYSTEM ?

A filesystem is the methods and data structures that an operating system uses to keep track of files on a disk or partition; that is, the way the files are organized on the disk. The word is also used to refer to a partition or disk that is used to store the files, or to the type of the filesystem.

It is responsible for arranging storage space; reliability, efficiency, and tuning with regard to the physical storage medium are important design considerations.

Page 4: Introduction to filesystems and computer forensics

COMMON FILESYSTEMS

WINDOWS BASED FILESYSTEMS

FAT, NTFS, exFAT.

LINUX BASED FILESYSTEMS

ext, ext2, ext3, ext4.

MAC BASED FILESYSTEMS

HFS, HFS+, LisaFS.

OTHERS: Reiser4, ReiserFS, ZFS, HPFS, etc.

Page 5: Introduction to filesystems and computer forensics

ASPECTS OF FILESYSTEM

Space management

The file system is responsible for organizing files and directories, and keeping track of which areas of the media belong to which file and which are not being used. One common issue related to this is fragmentation.

Filenames

A filename (or file name) is used to identify a storage location in the file system. Most file systems have restrictions on the length of filenames.

Page 6: Introduction to filesystems and computer forensics

Directories

File systems typically have directories (also called folders) which allow the user to group files into separate collections. This may be implemented by associating the file name with an index in a table of contents or an inode in a Unix-like file system.

Metadata

Other bookkeeping information is typically associated with each file within a file system.

Page 7: Introduction to filesystems and computer forensics

FAT (FILE ALLOCATION TABLE)

• File Allocation Table (FAT) is a computer file system architecture and a family of industry-standard file systems utilizing it.

• The FAT file system is a legacy file system which is simple and robust. It offers good performance even in light-weight implementations, but cannot deliver the same performance, reliability and scalability as some modern file systems.

• The name of the file system originates from the file system's prominent usage of an index table, the File Allocation Table (FAT), statically allocated at the time of formatting.

Page 8: Introduction to filesystems and computer forensics

• The FAT file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, two copies of the table are kept, in case one becomes damaged.

• In addition, the file allocation tables and the root folder must be stored in a fixed location so that the files needed to start the system can be correctly located.

• A volume formatted with the FAT file system is allocated in clusters. The default cluster size is determined by the size of the volume. For the FAT file system, the cluster number must fit in 16 bits and must be a power of two.

Page 9: Introduction to filesystems and computer forensics

FAT ARCHITECTURE

Page 10: Introduction to filesystems and computer forensics

FAT COMPONENTS

Hard disk: Contains one or more partitions.

Boot sector: Bootable partition that stores information about the layout of the volume and the file system structures, as well as the boot code that loads Ntldr.

Master Boot Record: Contains executable code that the system BIOS loads into memory. The code scans the MBR to find the partition table to determine which partition is the active, or bootable, partition.

Page 11: Introduction to filesystems and computer forensics

Ntldr: Switches the CPU to protected mode, starts the file system, and then reads the contents of the Boot.ini file. This information determines the startup options and initial boot menu selections.

Fastfat.sys: System file driver for FAT16 and FAT32.

Ntoskrnl.exe: Extracts information about which system device drivers to load and the load order.

Kernel Mode: The processing mode that allows code to have direct access to all hardware and memory in the system.

User Mode: The processing mode in which applications run.

Page 12: Introduction to filesystems and computer forensics

PHYSICAL STRUCTURE OF FAT

Clusters and Sectors on a FAT Volume

A cluster (or allocation unit) is the smallest amount of disk space that can be allocated to hold a file.

Sequence of Clusters on a FAT Volume

Clusters are numbered sequentially from the beginning of the partition into logical cluster numbers. Because FAT file system data clusters are located after the BIOS Parameter Block (BPB), reserved sectors, and two FAT structures, FAT formatting cannot guarantee that data clusters are aligned on a cluster boundary.

Page 13: Introduction to filesystems and computer forensics

ORGANIZATION OF FAT

Page 14: Introduction to filesystems and computer forensics

Boot Sector

Contains the BIOS parameter block that stores information about the layout of the volume and the file system structures, as well as the boot code that loads the operating system.

Reserved Sectors

The number of sectors that precede the start of the first FAT, including the boot sector.

FAT 1

Original FAT.

Page 15: Introduction to filesystems and computer forensics

FAT 2 (Duplicate)

Backup copy of the FAT.

Root folder

Describes the files and folders in the root of the partition.

Other folders and all files

Contains the data for the files and folders within the file system.

Page 16: Introduction to filesystems and computer forensics

BOOT SECTORS ON MBR AND GPT DISKS

On MBR disks the boot sector, which is located at the first logical sector of each partition, is a critical disk structure for starting your computer. It contains executable code and the data required by the code, including information that the file system uses to access the volume. At the end of the boot sector is a 2-byte structure called a signature word or end of sector marker, which is always set to 0x55AA.

Page 17: Introduction to filesystems and computer forensics

BOOT SECTOR

A boot sector consists of the following elements:

• An x86-based CPU jump instruction.

• The original equipment manufacturer identification (OEM ID).

• The BIOS parameter block (BPB), a data structure.

• The extended BPB.

• The executable boot code (or bootstrap code) that starts the operating system.

Page 18: Introduction to filesystems and computer forensics

Byte Offset   Field Length   Field Name
0x00          3 bytes        Jump instruction
0x03          8 bytes        OEM ID
0x0B          53 bytes       BPB
0x40          26 bytes       Extended BPB
0x5A          420 bytes      Bootstrap code
0x01FE        2 bytes        End of sector marker

Boot Sector Sections on a FAT32 Volume
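As an added worked example (not part of the original presentation), the following Python constructs a FAT32 boot sector laid out per the table above and parses it back, checking the jump instruction, the 0x55AA end-of-sector marker and the BPB fields, then computes where the FATs and the data area begin so that a cluster number can be turned into a logical sector. The field offsets inside the BPB are the standard FAT32 layout; the sample values (OEM ID, serial number, geometry) are constructed and do not come from any real volume.

```python
import struct

SIGNATURE_OFFSET = 0x1FE
END_OF_SECTOR_MARKER = b"\x55\xAA"


def build_sample_boot_sector():
    """Constructed FAT32 boot sector (not from a real volume), laid out per the table above."""
    bs = bytearray(512)
    bs[0x00:0x03] = b"\xEB\x58\x90"      # x86 jump instruction over the BPB
    bs[0x03:0x0B] = b"MSWIN4.1"          # OEM ID
    # BPB (0x0B..0x23): bytes/sector, sectors/cluster, reserved sectors, FAT count,
    # root entries (0 on FAT32), 16-bit total sectors (0 here), media descriptor,
    # sectors/FAT for FAT12/16 (0 here), sectors/track, heads, hidden sectors, 32-bit total sectors
    bs[0x0B:0x24] = struct.pack("<HBHBHHBHHHII", 512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 2048, 1048576)
    # FAT32 part of the BPB (0x24..0x33): sectors/FAT, ext flags, version, root cluster, FSInfo, backup boot
    bs[0x24:0x34] = struct.pack("<IHHIHH", 1024, 0, 0, 2, 1, 6)
    # Extended BPB (0x40..0x59): drive number, reserved, ext boot signature 0x29, serial, label, FS type
    bs[0x40:0x5A] = struct.pack("<BBBI11s8s", 0x80, 0, 0x29, 0x12345678, b"NO NAME    ", b"FAT32   ")
    bs[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = END_OF_SECTOR_MARKER
    return bytes(bs)


def parse_fat32_boot_sector(bs):
    """Parse and sanity-check a FAT32 boot sector; raises ValueError on anything inconsistent."""
    if len(bs) < 512:
        raise ValueError("boot sector shorter than 512 bytes")
    if bs[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != END_OF_SECTOR_MARKER:
        raise ValueError("end of sector marker is not 0x55AA")
    if bs[0] not in (0xEB, 0xE9):
        raise ValueError("first byte is not an x86 jump instruction")
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats, root_entries,
     total_sectors_16, _media, sectors_per_fat_16, _spt, _heads, _hidden,
     total_sectors_32) = struct.unpack_from("<HBHBHHBHHHII", bs, 0x0B)
    sectors_per_fat_32, _flags, _version, root_cluster, _fsinfo, _backup = struct.unpack_from("<IHHIHH", bs, 0x24)
    _drive, _reserved, ext_sig, serial, label, fs_type = struct.unpack_from("<BBBI11s8s", bs, 0x40)

    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes per sector: {bytes_per_sector}")
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError(f"sectors per cluster must be a power of two, got {sectors_per_cluster}")
    if reserved_sectors == 0 or num_fats == 0:
        raise ValueError("reserved sector count and FAT count must be non-zero")
    if root_entries != 0 or sectors_per_fat_16 != 0 or sectors_per_fat_32 == 0:
        raise ValueError("BPB fields are not FAT32-shaped (root entries / sectors per FAT)")
    total_sectors = total_sectors_16 or total_sectors_32
    first_data_sector = reserved_sectors + num_fats * sectors_per_fat_32
    if first_data_sector >= total_sectors:
        raise ValueError("reserved area and FATs extend past the end of the volume")
    cluster_count = (total_sectors - first_data_sector) // sectors_per_cluster
    # The FAT type is decided by the cluster count alone (FAT32 iff >= 65525);
    # the "FAT32" string at 0x52 is informational and must not be trusted.
    if cluster_count < 65525:
        raise ValueError(f"{cluster_count} clusters: geometry describes FAT12/FAT16, not FAT32")
    if not (2 <= root_cluster < cluster_count + 2):
        raise ValueError(f"root directory cluster {root_cluster} lies outside the data area")
    return {
        "oem_id": bs[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "num_fats": num_fats,
        "sectors_per_fat": sectors_per_fat_32,
        "fat_start_sector": reserved_sectors,          # FAT 1 begins right after the reserved sectors
        "first_data_sector": first_data_sector,        # cluster 2 starts here
        "cluster_count": cluster_count,
        "root_cluster": root_cluster,
        "volume_serial": serial if ext_sig == 0x29 else None,
        "volume_label": label.decode("ascii", "replace").rstrip() if ext_sig == 0x29 else None,
        "fs_type_string": fs_type.decode("ascii", "replace").rstrip(),
    }


def cluster_to_sector(info, cluster):
    """Logical sector of a data cluster: the data area starts at cluster 2, right after the FATs."""
    if not (2 <= cluster < info["cluster_count"] + 2):
        raise ValueError(f"cluster {cluster} lies outside the data area")
    return info["first_data_sector"] + (cluster - 2) * info["sectors_per_cluster"]
```

Feeding the first 512 bytes of a partition read from an image to parse_fat32_boot_sector gives the same dictionary; because the cluster count, not the label, decides the FAT type, the check rejects a volume whose geometry would make it FAT12/16 even when the type string says FAT32.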

Page 20: Introduction to filesystems and computer forensics

FAT1 AND FAT2

The file allocation table, FAT 1, identifies each cluster in the volume as one of the following:

• Unused

• Cluster in use by a file

• Bad cluster

• Last cluster in a file

Page 25: Introduction to filesystems and computer forensics

FAT PROCESSES AND INTERACTIONS

Mounting a FAT Volume

When mounting a FAT volume, the MBR executes code to start up the boot sector. The boot sector then executes additional code to mount the volume.

Master Boot Code Startup Process

The MBR contains a small amount of executable code called the master boot code, the disk signature, and the partition table for the disk. During startup, the master boot code performs the following activities:

Page 26: Introduction to filesystems and computer forensics

1. Scans the partition table for the active partition.

2. Finds the starting sector of the active partition.

3. Loads a copy of the boot sector from the active partition into memory.

4. Transfers control to the executable code in the boot sector.
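The first two of those steps, as an added Python example that is not part of the presentation. It constructs a 512-byte MBR with a two-entry partition table (sample values, not a real disk), verifies the 0x55AA marker, locates the single active entry and returns the byte offset of that partition's boot sector, which is the first logical sector of the partition. Boot indicators other than 0x00 or 0x80, more than one active entry, and overlapping entries are rejected, since each of those is what a damaged or tampered partition table looks like to an examiner.

```python
import struct

PARTITION_TABLE_OFFSET = 0x1BE
ENTRY_FORMAT = "<B3sB3sII"      # boot flag, CHS start, type, CHS end, LBA start, sector count
SIGNATURE_OFFSET = 0x1FE
END_OF_SECTOR_MARKER = b"\x55\xAA"


def build_sample_mbr():
    """Constructed 512-byte MBR (not from a real disk): one inactive and one active FAT32 partition."""
    mbr = bytearray(512)
    entries = [
        (0x00, 0x0C, 2048, 1048576),      # entry 0: FAT32 (LBA), inactive
        (0x80, 0x0B, 1050624, 2097152),   # entry 1: FAT32 (CHS), active / bootable
    ]
    for i, (flag, ptype, start, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FORMAT, flag, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = END_OF_SECTOR_MARKER
    return bytes(mbr)


def parse_partition_table(mbr):
    """Return the non-empty entries of the four-slot partition table."""
    if len(mbr) < 512:
        raise ValueError("MBR shorter than 512 bytes")
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != END_OF_SECTOR_MARKER:
        raise ValueError("end of sector marker is not 0x55AA")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        flag, _chs_start, ptype, _chs_end, start, count = struct.unpack(ENTRY_FORMAT, mbr[off:off + 16])
        if ptype == 0:
            continue                       # empty slot
        if flag not in (0x00, 0x80):
            raise ValueError(f"entry {i}: boot indicator 0x{flag:02X} is neither 0x00 nor 0x80")
        parts.append({"index": i, "active": flag == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count})
    return parts


def check_no_overlap(parts):
    """Partitions must not share sectors; overlap means the table is damaged or inconsistent."""
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            raise ValueError(f"partitions {a['index']} and {b['index']} overlap")
    return True


def find_active_partition(mbr):
    """Step 1 of the master boot code: scan the table for exactly one active partition."""
    parts = parse_partition_table(mbr)
    check_no_overlap(parts)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def boot_sector_offset(mbr, sector_size=512):
    """Step 2: byte offset of the active partition's boot sector (its first logical sector)."""
    return find_active_partition(mbr)["start_lba"] * sector_size
```

Reading sector_size bytes at boot_sector_offset from a disk image yields the partition's boot sector, which is what the master boot code loads into memory in step 3.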

Page 27: Introduction to filesystems and computer forensics

Boot Sector Startup Process

Computers use the boot sector to run instructions during startup. The initial startup process is summarized in the following steps:

1. The system BIOS and the CPU initiate the power-on self test (POST).

2. The BIOS finds the boot device, which is typically the first disk the BIOS finds, unless the controller is configured to boot from a different disk.

3. The BIOS loads the first physical sector of the boot device into memory and transfers CPU execution to that memory address.

Page 28: Introduction to filesystems and computer forensics

If the boot device is on a hard disk, the BIOS loads the MBR. The master boot code in the MBR loads the boot sector of the active partition, and transfers CPU execution to that memory address. On computers that are running Windows Server 2003, the executable boot code in the boot sector finds Ntldr, loads it into memory, and transfers execution to that file.

Page 29: Introduction to filesystems and computer forensics

File Processing on FAT Clusters

When a file is saved to a FAT-formatted volume, it stores file information in clusters on the hard disk. If a file requires space greater than the cluster's size, FAT continues to store file information in the next available cluster until all information about the file is stored. The following figure shows an example of how FAT stores and retrieves file information from clusters.

Page 30: Introduction to filesystems and computer forensics

File Processing on a FAT Volume

In this figure, 10 clusters (0 through 9) contain 3 files. One file occupies clusters 2, 3, 6, and 8; a second file occupies clusters 4 and 5; and a third file occupies cluster 7. The starting cluster number is the address of the first cluster used by the file. Each cluster contains a pointer to the next cluster in the file, or an end-of-file indicator (0xFFFF), which indicates that this cluster is the end of the file.
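The figure's cluster chains, as an added Python example that is not from the original slides; it also covers the four entry states listed under FAT1 AND FAT2. The table is constructed to match the figure (clusters 2-3-6-8, 4-5 and 7 hold the three files; cluster 9 is unused) but uses FAT32 entry values: a FAT32 entry is 28 bits wide, 0 means unused, 0x0FFFFFF7 marks a bad cluster and 0x0FFFFFF8 through 0x0FFFFFFF mean last cluster in the file (the figure's 0xFFFF is the FAT16 form of the same marker; entries 0 and 1 are reserved on a real volume). follow_chain walks one file's clusters and refuses loops, bad clusters and pointers outside the data area, all of which indicate a corrupted table; chain_heads lists every chain start, which is how an examiner finds allocated chains that no directory entry references.

```python
FAT32_ENTRY_MASK = 0x0FFFFFFF     # only the low 28 bits of a FAT32 entry are meaningful
FAT32_BAD_CLUSTER = 0x0FFFFFF7
FAT32_END_OF_CHAIN = 0x0FFFFFF8   # 0x0FFFFFF8..0x0FFFFFFF: last cluster in the file

SAMPLE_CLUSTER_COUNT = 8          # data clusters 2..9 in the constructed table below


def build_sample_fat():
    """Constructed FAT32 table mirroring the slide's figure (three files in clusters 2..8)."""
    fat = [0] * (SAMPLE_CLUSTER_COUNT + 2)
    fat[0] = 0x0FFFFFF8                                   # entry 0 holds the media descriptor
    fat[1] = 0x0FFFFFFF                                   # entry 1 is reserved
    fat[2], fat[3], fat[6], fat[8] = 3, 6, 8, 0x0FFFFFFF  # file 1: 2 -> 3 -> 6 -> 8 -> end
    fat[4], fat[5] = 5, 0x0FFFFFFF                        # file 2: 4 -> 5 -> end
    fat[7] = 0x0FFFFFFF                                   # file 3: single cluster
    return fat                                            # cluster 9 stays 0: unused


def classify_entry(entry, cluster_count):
    """One of the four states the slide lists, plus 'invalid' for a pointer that cannot be right."""
    v = entry & FAT32_ENTRY_MASK
    if v == 0:
        return "unused"
    if v == FAT32_BAD_CLUSTER:
        return "bad"
    if v >= FAT32_END_OF_CHAIN:
        return "last"
    if 2 <= v < cluster_count + 2:
        return "in use"
    return "invalid"   # points at a reserved or non-existent cluster: table corruption


def follow_chain(fat, start, cluster_count):
    """Return the ordered cluster list of the file whose starting cluster is `start`."""
    chain, seen, cur = [], set(), start
    while True:
        if not (2 <= cur < cluster_count + 2):
            raise ValueError(f"cluster {cur} lies outside the data area")
        if cur in seen:
            raise ValueError(f"cluster chain loops back to {cur}")
        seen.add(cur)
        chain.append(cur)
        kind = classify_entry(fat[cur], cluster_count)
        if kind == "last":
            return chain
        if kind != "in use":
            raise ValueError(f"chain from {start} runs into a {kind} entry at cluster {cur}")
        cur = fat[cur] & FAT32_ENTRY_MASK


def chain_heads(fat, cluster_count):
    """Clusters that start a chain: allocated, but not pointed to by any other entry."""
    pointed_to = set()
    for c in range(2, cluster_count + 2):
        if classify_entry(fat[c], cluster_count) == "in use":
            pointed_to.add(fat[c] & FAT32_ENTRY_MASK)
    return [c for c in range(2, cluster_count + 2)
            if classify_entry(fat[c], cluster_count) in ("in use", "last") and c not in pointed_to]


def chain_fits(chain, file_size, bytes_per_cluster):
    """Consistency check: a directory entry's size must need exactly as many clusters as its chain has."""
    needed = -(-file_size // bytes_per_cluster)          # ceiling division
    return len(chain) == needed
```

Comparing chain_heads against the starting clusters recorded in directory entries, and chain_fits against each entry's recorded size, are two of the simplest cross-checks between the FAT and the directory structures; a mismatch points at deletion, truncation or tampering that merits a closer look.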

Page 31: Introduction to filesystems and computer forensics

Formatting Volumes & Converting Volumes

During volume format, the operating system places key file system structures on the volume, including the boot sector as well as replacing Ntldr. A check of the integrity of all sectors on the volume is performed, and you have the opportunity to change the cluster size used on the volume. If a volume is formatted using Quick format, the file system structure on the volume is created, but the integrity of every sector in the volume is not checked.

Page 32: Introduction to filesystems and computer forensics

COMPUTER FORENSICS

Page 33: Introduction to filesystems and computer forensics

INTRODUCTION

Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Page 34: Introduction to filesystems and computer forensics

THE FORENSICS PROCESS MODEL

The U.S. Department of Justice published a process model in Electronic Crime Scene Investigation: A Guide to First Responders[5] that consists of four phases:

1. Collection; which involves the evidence search, evidence recognition, evidence collection and documentation.

2. Examination; this is designed to facilitate the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation.

Page 35: Introduction to filesystems and computer forensics

3. Analysis; this looks at the product of the examination for its significance and probative value to the case.

4. Reporting; this entails writing a report outlining the examination process and pertinent data recovered from the overall investigation.

Page 36: Introduction to filesystems and computer forensics

TECHNIQUES

A number of techniques are used during computer forensics investigations.

Cross-drive analysis

A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.

Page 37: Introduction to filesystems and computer forensics

Live analysis

The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Page 38: Introduction to filesystems and computer forensics

Deleted files

A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
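A minimal header/footer carver, as an added Python example that is not from the presentation. The disk image is constructed inline: a JPEG and a PNG sit between filler bytes, and a PDF fragment whose trailer was overwritten is included to show how a carver reports an incomplete hit. The carver reads raw bytes and never consults the FAT or the directory entries, which is why it recovers data whose directory entry has been marked deleted or whose cluster chain has been freed; each complete hit is hashed so the carved object can later be tied back to the image it came from.

```python
import hashlib

# Header/footer pairs for a few common formats (a constructed subset; real carvers know many more)
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE_SIZE = 16 * 1024 * 1024   # give up looking for a footer beyond this many bytes


def build_sample_image():
    """Constructed disk image: a JPEG, a PNG and a PDF fragment with its trailer deliberately missing."""
    jpeg = b"\xFF\xD8\xFF\xE0" + b"JFIF-payload-constructed" * 4 + b"\xFF\xD9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0DIHDR" + b"\x00" * 17
           + b"IEND\xAE\x42\x60\x82")
    pdf_truncated = b"%PDF-1.4\n% constructed fragment whose trailer was overwritten\n"
    # 0x00 and 0xE5 filler stands in for wiped and freed sectors; neither contains a signature
    return (b"\x00" * 512 + jpeg + b"\xE5" * 256 + png
            + b"\x00" * 300 + pdf_truncated + b"\x00" * 100)


def carve(image, max_size=MAX_CARVE_SIZE):
    """Scan for every known header; pair each with the nearest following footer within max_size."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header without footer: report it, but do not guess at a length
                found.append({"type": kind, "offset": pos, "length": None,
                              "complete": False, "sha256": None})
                pos = image.find(header, pos + len(header))
                continue
            data = image[pos:end + len(footer)]
            found.append({"type": kind, "offset": pos, "length": len(data),
                          "complete": True, "sha256": hashlib.sha256(data).hexdigest()})
            pos = image.find(header, end + len(footer))
    return sorted(found, key=lambda f: f["offset"])


def carved_bytes(image, hit):
    """Return the carved object for a complete hit, or None for an incomplete one."""
    if not hit["complete"]:
        return None
    return image[hit["offset"]:hit["offset"] + hit["length"]]
```

Header/footer pairing is the simplest carving strategy and has known blind spots: a JPEG that embeds a thumbnail contains a second FF D9 and will be cut short, and a fragmented file is reassembled wrongly. Production carvers validate the structure of each candidate (chunk lengths, markers) rather than trusting the first footer, but the principle, recovering content with no help from the file system, is the same.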

Page 39: Introduction to filesystems and computer forensics

Link files

Link files are created when files are opened from a removable device or from a share on the network. Link files contain metadata including the file path, MAC times (last modified date, access date, etc.) and a serial number for the volume on which the file originated. Forensic investigators can use link files to determine if other computers or devices should be analyzed.

Page 40: Introduction to filesystems and computer forensics

Volatile data

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool, windd, WindowsSCOPE) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.

Page 45: Introduction to filesystems and computer forensics

THANK YOU