BACS 371 Computer Forensics File System “Layers” & the Sleuthkit

Introduction One approach to analyzing a disk image begins by logically dividing it into 5 file system layers. Each of the upper layers is an abstraction above the physical disk platter. These layers serve different tasks and, when analyzed, provide different information.

5 File System Layers Physical Layer – The physical disk itself File System Layer – Partition Information Data Layer – Blocks and clusters (where the data are actually stored). Metadata Layer – Structural information for the file system (FAT32, NTFS, EXT2, …) File Name Layer – The directory information that holds the files external name.

Physical Layer

File System Layer Holds the data that describes the structural details of the file system. The boot sector (or superblock in Unix) is where much of this data is stored. The Master Boot Record (MBR) holds information related to this layer. The Partition Boot Record (PBR) also contains file system layer information.

Data Layer The main purpose of a disk drive is to store data; consequently, this layer holds the key information related to this task (that is, the data). This layer organizes the physical drive into 512 byte sectors. On Windows systems, these sectors are further organized into clusters. Sectors in the data layer will either be “allocated” or “unallocated”. Another way of thinking of this is that sectors are either being used in a file or waiting to be used.

Allocated vs. Unallocated Allocated data: Is being actively used by a file Exist in a file on the system Is not currently deleted Unallocated data: Is not currently being used by a file Can have previously deleted or unused data Can hold pieces of old data (called “fragments”)

MetaData Layer This layer contains all the structures that describe the file. Similar to the table of contents page of a book. It has pointers to the data layer and the file name layer so that starting address and MAC times can be determined. In FAT files systems it is stored in the FAT table. In NTFS systems, it is found in the Master File Table (MFT). Linux stores it in the iNode entries. Metadata is also either allocated or unallocated.

MetaData Layer Metadata contains: Pointers to the data layer (either a starting sector, or list of sectors depending upon file system) The file type The MAC times and permissions The file size and/or total links

File Name Layer Generally a separate structure that gives the names of files. The metadata layer can actually describe everything about the file, but it is easier to have the name information listed without all the extra, low- level detail. Is stored in 2 places: MFT or FAT directory entries Directory file – list of files in that directory structure

Directory to FAT interaction

The Sleuthkit (TSK) A collection of Unix tools that allow for forensic analysis of disk images. Written by Brian Carrier based on an older set of tools called The Coroner’s Toolkit (TCT) The tools are fairly low-level, so they are normally used with a front-end browser component. The “Autopsy” browser is the normal front-end for this tool set.

Sleuthkit Tool Layers The Sleuthkit Tools are divide into 5 categories which, loosely, map to the 5 file system layers. File system layer tools – prefixed by ‘fs’ Data layer tools – prefixed by ‘blk’ Metadata layer tools – prefixed by ‘i’ (for inode) File Name layer tools – prefixed by ‘f’ Misc. tools – no standard prefix, but relate to lower level sort and find operations in file system structure.

The Sleuth Kit (TSK)