Lecture 4 Forensic Analysis of Windows Systems Prof. Shamik Sengupta Office 4210N ssengupta@jjay.cuny.edu http://jjcweb.jjay.cuny.edu/ssengupta/ Fall 2010
What we will cover today Understanding Hard Disk File concept Structure of a file Concept and detecting file types File system traces (Understanding MAC traces) Hands-on Practice.
Understanding Hard Disk Richest source of digital evidence on computers among various storage media Disk drives are made up of one or more platters coated with magnetic material Hard disk drives are organized as a concentric stack of disks (platters)
Understanding Disk Drives Disk drive components Platter or disk Each disk has two surfaces: top and bottom Accessed by two heads Tracks Cylinders Sectors
Data are recorded on a platter in concentric circles called tracks Hard Disk (Continued) Data are recorded on a platter in concentric circles called tracks Tracks are numbered, starting from zero, starting at the outside of the platter and increasing as you go in A modern hard disk has tens of thousands of tracks on each platter Each track broken into smaller units called sectors (typically 512 bytes)
Hard Disk (Continued): Cylinders A hard disk is usually made up of multiple platters Because of this arrangement, often the track location of the heads is not referred to as a track number but rather as a cylinder number A cylinder is basically the set of all tracks that all the heads are currently located at
Hard Disk (Continued) Disk capacity? CHS Multiply the number of cylinders, heads, sectors and 512(block size) Ex) What’s the size of disk which has 12,495 cylinders, 16 heads, 63 sectors? 12,495 cylinders * 16 heads * 63 sectors * 512 bytes = about 6GB CHS Each storage unit on a disk can be identified by a 3-coordinate system identifying Cylinder Head Sector
Zone Bit Recording (ZBR) in Hard Disks The earlier concept of uniform sectoring was not efficient every track had the same number of sectors But the ones on the outside of the platter are much larger than the ones on the inside Outer tracks are underutilized New technique Zoned bit recording (ZBR)
Determines how data is stored on the disk Understanding Files File system Gives OS a road map to data on a disk Determines how data is stored on the disk
File system Basics File File systems Named collection of data objects Typically stored on secondary storage devices, though they can exist exclusively in volatile main memory Operations Open, close, create, destroy, copy, rename, list, etc File systems Organizes files and manages access to data Directory File containing the name and location of other files in the file system
File system Basics: FAT FAT file systems Simplest windows file systems: A FAT basically is an array that keeps track of what clusters belong to which file To locate data on a volume, directories and a FAT are used FAT: Older, for management of smaller disks Compatible with 9X/2000/NT, MS-DOS, OS2, etc The original FAT had many limitations No subdirectories Limited to very small disks Hard to recover the disk if allocation tables were damaged FAT32: enhanced version Available with Win95
Examining FAT Disks (continued) When the OS stores data in a FAT file system, it assigns a starting cluster position to a file Data for the file is written to the first sector of the first assigned cluster When this first assigned cluster is filled and runs out of room FAT assigns the next available cluster to the file If the next available cluster isn’t contiguous to the current cluster File becomes fragmented
FAT-based File system: Schematic
In Microsoft OSs, when a file is deleted Deleting FAT Files In Microsoft OSs, when a file is deleted Directory entry is marked as a deleted file With the HEX E5 (σ) character replacing the first letter of the filename Data in the file remains on the disk drive Area of the disk where the deleted file resides becomes unallocated disk space Available to receive new data from newly created files or other files needing more space
FAT: Characteristics FAT12 FAT16 (MS-DOS, Win95/98/NT/2000/XP) For floppy disks 12-bit fields for each entry in FAT FAT16 (MS-DOS, Win95/98/NT/2000/XP) 16-bit fields to identify a particular cluster in the FAT For hard disks FAT32 (Win95/98/2000/XP) 28-bit fields to identify a particular cluster in the FAT 4 bits of the 32-bit fields are “reserved” For larger hard disks No limit on root directory size Limited time/date information
New Technology File System (NTFS) Examining NTFS Disks New Technology File System (NTFS) Introduced with Windows NT Primary file system for Windows Vista Improvements over FAT file systems NTFS provides more information about a file NTFS gives more control over files and folders Different from FAT file system Storing information in MFT (Master File Table) In NTFS, everything written to the disk is considered a file NTFS was Microsoft’s move toward a journaling file system
File system Basics: NTFS (Continued) NTFS uses several metadata files to keep track of both files and folders on a given volume Virtually everything is a file in NTFS including its component parts NTFS represents all characters using 16-bit Unicode including file and directory name FAT file systems use the 8-bit ASCII/ANSI character set for the most part Long file names are represented with 16-bit Unicode characters
Supported File Systems for MS OS
File Allocation and Deletion in NTFS Master File Table (MFT) System file created during the formatting of an NTFS volume Table that describes files and directories Each file and directory has an entry in MFT Including an entry for itself and other metadata files These metadata files are located in the root folder of a volume Have names beginning with ‘$’ and not generally visible E.g. Windows 2000 metadata file (In earlier versions of NTFS, these files are visible with, e.g., “dir /ah” but invisible in XP) MFT File Record No. File Name Description $MFT Master File Table (MFT) 1 $MFTMIRR Copy of the first 16 records of the MFT 2 $LOGFILE List of file system transactions 3 $VOLUME Information about the volume, including NTFS version, volume name and creation time 4 $ATTRDEF Table of attribute definitions 5 . Root folder 6 $BITMAP Bitmap representation of used and unused clusters on volume 7 $BOOT Boot record with bootstrap loader code if the volume is bootable 8 $BADCLUS List of the bad clusters in the volume 9 $SECURE Stores security descriptions (Windows 2000 only) 10 $UPCASE Conversion table for converting lowercase characters to matching uppercase Unicode characters 11 $EXTEND Enables file system extensions such as volume quotas (Windows 2000 only)
File Allocation and Deletion in NTFS (Continued) MFT records store attributes of files and folder including the name in the $FILENAME MAC times and other file characteristics in the $STANDARD_INFORMATION some or all of the data in a file using the $DATA attribute A small file may exist entirely within its MFT record with no associated data elsewhere on disk E.g. Simplified MFT record for a file Header $FILENAME $STANDARD-INFORMATION $DATA Attribute list
File Allocation and Deletion in NTFS (Continued) $BITMAP file System file created during formatting of NTFS volume to keep track of cluster usage Uses one bit to record the status of each cluster on the volume E.g. If a cluster in an NTFS volume is used, the corresponding bit in the $BITMAP file is changed to 1
File Allocation and Deletion in NTFS (Continued) Steps to allocate a file on an NTFS volume 1) $BITMAP file must be modified to reflect that the used clusters are allocated 2) Allocated MFT record must be created for the file 3) An index entry must be created for the file name in the parent’s folder’s MFT record 4) cluster extent entries must be created in the file’s MFT record if the file is non-resident When a file is deleted 1) Its cluster reference in the $BITMAP file are changed to 0 2) MFT record for that file is marked for deletion 3) Its index entry is deleted
Analyzing the structure of a file: Hands-on investigation Understanding the structure of a file for digital investigation Data are stored on computers as files But files can be corrupted meaningfully to hide data To understand the corruption, we must understand the structure of a file
Analyzing the structure of a file The simplest structure of a file consists of: Filename filename is a unique identifier which allows the computer to correctly identify each file File header information which describes the type of the file Important for file header signature Important for OS to understand which application to be associated File content Actual data files can be corrupted meaningfully to hide data Change or delete the file type (today’s lab) Delete the data!
Case Study: Hiding a pdf There are simple ways to hide a pdf from OS Change the file type Delete the file type Let’s check the file type by looking at Hexadecimal signature values
Fun lab Download the test.zip from the class website and see if there is any corruption done with the files. If yes, can you detect the file types? http://www.garykessler.net/library/file_sigs.html
An individual’s actions on a computer leave traces File System Traces An individual’s actions on a computer leave traces Temporal traces is very important to understand the file’s life When it was created/downloaded When accessed When modified etc. An understanding of the cause-effect relationship in a reverse manner is particularly important for digital investigator What is cause-effect relationship in forward manner? You changed something, you see the changed result You see the changed result, you have to guess what caused it
Windows records the date and time of a file’s MAC Times in NTFS Windows records the date and time of a file’s Creation : created The date and time that a file was created on the current volume Last modification: modified The date and time that a file was last modified Last accessed: accessed The date that a file was last accessed An examination of the MAC times of a file can provide insight into the file’s history on a computer the extent of the user’s knowledge of the file’s existence and contents
MAC Times in NTFS (Continued) Case Example – MAC times In a prosecution for the possession and distribution of “CP”, a Supervising Special Agent for the California Department of Justice charted the MAC times of several files. The defendant asserted at trial that he merely downloaded files of unknown content and then forwarded them to others without having viewed them himself. During a trial recess, the prosecution and defense attorneys held a conference to disclose and discuss the Supervising Special Agent’s scheduled testimony regarding the results of his forensic examination. The agent informed and described how many files had been accessed at times far remote from their dates of creation. As a result of this discussion, the defendant entered a plea of guilty prior to the agent’s testimony
MAC Times in NTFS (Continued) Example – MAC times Can be viewed by dir /TC dir /TA dir /TW MAC times can also be viewed and sorted using Forensic Tools
Understanding the temporal traces File moved within a volume No change in last-modified, last-accessed, last-created File moved/copied across volume Last-accessed and last-created time change NO change in Last-modified! However, for parent directory listing Last-accessed and last-modified updated. WHY? Homework Assignment #1 will be up by tomorrow Next up, more forensic examination of Windows and EnCase