1
Computer/Digital Forensics
- Hard drive imaging
- Volume structure & analysis
- File system structure & analysis
- Tools
- Case studies
2
Computer/Digital Forensics
- Acquisition of information on digital devices
  - Rigid recipe
- Investigation of digital devices and digital data for evidence of
  - a crime or violation of stated policy committed by the computer
  - a crime or violation of stated policy against the computer
  - a crime or violation of stated policy using the computer
  - accidental or intentional destruction or corruption of data
- Preparation for trial
  - Documentation of evidence
  - Proof the evidence has not been altered
3
Phases of an Investigation
- System Preservation Phase
- Evidence Searching Phase
- Event Reconstruction Phase
(courtesy Priscilla)
4
Layers of Analysis
- Application/OS Analysis
- Swap Space Analysis
- Database Analysis
- File System Analysis
- Memory Analysis
- Volume Analysis
- Network Analysis
- Physical Storage Media Analysis
5
Finding a File
Metadata entry: Name: miracle.txt, Cluster: 345, Size: 40, Last Accessed: October 27, 2004
Cluster 344: "Today, the Yankees won the World Series."
Cluster 345: "Today, the Red Sox won the World Series."
6
Computer/Digital Forensics
- Investigation of block devices that contain digital information
- Procedures that will maintain the integrity of the digital evidence
- Analysis of the condition and content of the block device that will permit the reconstruction of an incident or use
7
Computer/Digital Forensics
This part of the course will cover:
- Hard disk imaging: dd and NIST standards
- Volume analysis: disk layout, partitions
- File system analysis: FAT, NTFS, ext2, ext3, UFS1, UFS2
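Imaging with dd and proving the image has not been altered come down to two things: a sector-by-sector copy that keeps offsets intact even when a sector cannot be read, and a hash recorded at acquisition time that can be re-checked later. The following Python is an added illustration written for this page (not the course's own code or a NIST tool); it models dd's conv=noerror,sync behaviour on an in-memory, constructed "disk" (the FlakySource class is a stand-in for a raw device and is an assumption of the example), so it runs offline. With a real device you would pass an open file object and its size instead.

```python
import hashlib
import io

SECTOR = 512


def sha256_hex(data):
    """Hex SHA-256 of a bytes object: the fingerprint recorded with an image."""
    return hashlib.sha256(data).hexdigest()


class FlakySource:
    """Constructed stand-in for a raw block device: seekable and readable, but
    every read that starts inside a listed bad sector raises OSError."""

    def __init__(self, data, bad_sectors=(), sector=SECTOR):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_sectors)
        self._sector = sector

    def seek(self, pos):
        return self._buf.seek(pos)

    def read(self, n):
        if self._buf.tell() // self._sector in self._bad:
            raise OSError("simulated unreadable sector")
        return self._buf.read(n)


def image_stream(src, dst, size, sector=SECTOR):
    """Copy `size` bytes from seekable `src` to `dst` one sector at a time.

    A sector whose read fails is replaced by `sector` zero bytes and its number
    recorded, mirroring dd's conv=noerror,sync so every later offset in the
    image still lines up with the source. Returns (sha256 hex of the bytes
    written, list of zero-filled sector numbers).
    """
    digest = hashlib.sha256()
    bad = []
    nsectors = (size + sector - 1) // sector
    for n in range(nsectors):
        src.seek(n * sector)          # explicit seek: position is undefined after a failed read
        try:
            chunk = src.read(sector)
        except OSError:
            chunk = b"\x00" * sector  # pad, never shift the rest of the image
            bad.append(n)
        dst.write(chunk)
        digest.update(chunk)
    return digest.hexdigest(), bad


def image_bytes(data, bad_sectors=()):
    """Convenience wrapper for the in-memory demonstration: images `data` and
    returns (image bytes, image hash, bad sector numbers)."""
    dst = io.BytesIO()
    digest, bad = image_stream(FlakySource(data, bad_sectors), dst, len(data))
    return dst.getvalue(), digest, bad


def verify_image(image, recorded_hash):
    """Re-hash the image and compare with the hash recorded at acquisition;
    any change to the image since then makes this False."""
    return sha256_hex(image) == recorded_hash


if __name__ == "__main__":
    # Constructed sample "disk": 2.5 sectors of patterned bytes, sector 1 unreadable.
    disk = bytes(range(256)) * 5
    image, digest, bad = image_bytes(disk, bad_sectors=[1])
    print("image sha256:", digest)
    print("unreadable sectors zero-filled:", bad)
    print("image verifies against recorded hash:", verify_image(image, digest))
    # The image hash differs from the source hash because sector 1 was zeroed;
    # the bad-sector list is what documents and explains that difference.
    print("image hash equals source hash:", digest == sha256_hex(disk))
```

The bad-sector list belongs in the acquisition notes next to the hash: a verifier who re-images the drive later can reproduce the same image only if the same sectors are zero-filled, and a hash mismatch without such a list is indistinguishable from tampering.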
8
Computer/Digital Forensics
Important
- Maintain chain of custody
- A casual exam request from your boss can result in legal stuff
- At first conduct a liturgical exam. You will never regret it.
- Written consent to proceed: business plan or policy or memo.
- Don't go to jail or get sued.
9
Computer Foundations: bin-to-hex and back again
- Big/little endian confusion
- Data structures
  - Allocation of "space" to a data structure: bit, byte, etc.
  - Size allocated depends on location
10
Boot Process
- Many layered (each hw/os system is different)
- BIOS (ROM) locates HW and initializes some of the hardware
- EPROM determines boot device and HW configurations
- LBA sector 0 / CHS (0,0,1): more boot code, dereferences kernel code
11
Boot Process (Linux)
- 1st instruction after power on is a jump to BIOS: JMP 0xFFFFFFF0
- Power-On-Self-Test
- HW detect
- Load interrupt vector table
- Find bootable MBS
- Copy MBS to 0x7C00 in RAM
12
MBS Structure (byte offsets in hex)
000-1BD  Boot code (Master Boot Record, MBR)
1BE-1CD  1st Partition Entry
1CE-1DD  2nd Partition Entry
1DE-1ED  3rd Partition Entry
1EE-1FD  4th Partition Entry
1FE-1FF  Sector signature = 0x55 0xAA
13
Partition Entry Structure (byte offsets in hex)
00-00  Bootable flag: 0x80 = bootable, 0x00 = not bootable
01-03  Starting CHS address (C, H, S)
04-04  Partition type: 0x83 = Linux, 0x82 = swap
05-07  Ending CHS address
08-0B  Starting LBA address
0C-0F  Size in sectors
14
Booting Cont'd
- Move MBR to 0x9000 and execute
- Transfers control to LILO
- Loads compressed kernel
- Decompresses itself
- Log into the blue screen
15
Hard Disks: Current Technology (Moore's Law)
- Rotating platters; platters: 1 to 12+
- Heads
- Organized by cylinders/tracks, heads, sectors
- Track = cylinder: tpi = 31,200 per inch
- Bits per inch of track: bpi = 501,760
- Areal density: Gb/sq in (2000); 329 Gb/sq in (2009); projected 1 Tbit/sq in max
- Cost: $0.50 per Gbyte
- Update: 1 Terabyte == $100, $0.10 per Gbyte
16
2005 Antiferromagnetically coupled (AFC) media
Giant magnetoresistance (GMR)
17
Areal Density of Tbit/in2 (2013)
19
Hard Disks Geometry: CHS Address (Cylinder, Head, Sector)
- Cylinder address is limited to a byte, max = 255
- Lying must take place at tpi = 32K
- Most disks: radius = 1.25 inches
- Sectors = 793 per track (variable); allocated 1 byte
- LBA (Logical Block Address): sequential sector number, physical location addressing
- LBA = (((C * heads-per-cyl) + H) * sectors-per-track) + S - 1
- LBA 0 = CHS (0, 0, 1)
20
Hard Disks Interfaces
- IDE: ATA/ATAPI/etc
- SCSI
- Floppy
- USB
- 1394
Many, many flavors of each. Most of the flavors do not affect the forensic analysis of the actual media.
21
Hard Disks ATA/ATAPI: AT Attachment Packet Interface
- 1994: original; before 1994 was a crap shoot
- ATAPI spec issued in 1998
- 2002: ATA/ATAPI-6 allowed 48-bit LBA vs. 32-bit, permitting another factor of 64K sectors on the disk
- Current rev is 7/8
22
ATA/ATAPI Commands
Register-delivered commands
- Write command ID and parameters to HD register
- HD loads parameters into appropriate registers
- Executes command
- Loads error values into register
- Host reads error values
Packet-delivered commands
- Used when the command/parameter structure is larger than the register
23
ATA/ATAPI Features
- Passwords
- Host Protected Area
- Device Configuration Overlay
- Serial ATA
24
ATA/ATAPI Passwords
- User password & master password
- High security mode: both user and administrator can access the HD
- Maximum security mode: admin can access HD only after the HD has been wiped
- After n password attempts the disk freezes until reboot
25
ATA/ATAPI Host Protected Area
- HPA: not accessible to the average user
- Configurable using ATA commands
- HD vendor can store configuration data that won't be overwritten by a format command
- BIOS can write to the HPA at power-up time
- Located at the end of the HD, i.e. the highest LBA addresses
26
ATA/ATAPI HPA Commands
1. READ_NATIVE_MAX_ADDRESS returns the maximum physical address
2. IDENTIFY_DEVICE returns the max address the user can access
- HPA = #1 - #2
- HPA is created with SET_MAX_ADDRESS
27
ATA/ATAPI HPA Commands
The HPA may contain:
- BIOS settings
- System files
- Vendor information
- Hidden information (oh, paranoia)
The HPA can be password protected
28
ATA/ATAPI Device Configuration Overlay
- Another way to hide data from the user
- Changes the apparent capabilities of the disk to be limited
Diagram: User Addressable Space | HPA | DCO, with the end of each region reported by IDENTIFY_DEVICE | READ_NATIVE_MAX_ADDRESS | DEVICE_CONFIGURATION_IDENTIFY respectively
29
ATA/ATAPI Device Configuration Overlay
- A DCO can cause the IDENTIFY_DEVICE command to lie about supported features
- A DCO can show a smaller disk size than actually exists
- DEVICE_CONFIGURATION_SET changes or creates a DCO
- DEVICE_CONFIGURATION_RESET removes a DCO
- The DCO remains unchanged through reboots and resets
30
ATA/ATAPI Serial ATA
- 7 versus 40+/- connectors
- No device chaining
- A little more flexible
31
ATA/ATAPI: BIOS vs Direct Access
- Direct: the SW must know the geometry and translation equations to access the HD. It is the fast method for disk access and data transfer.
- BIOS: services disk commands through software interrupt 0x13 etc.
32
SCSI vs ATA
- More devices per bus
- No controller required, only a bus controller
- Many more flavors: connectors, commands, etc.
33
SCSI: Flavors of SCSI
- Mostly transfer speed and connector types
- Cable specs have changed