
Intro to Cyber Crime and Computer Forensics CSE 4273/6273 February 22, 2013






Presentation Transcript


  1. Intro to Cyber Crime and Computer Forensics CSE 4273/6273 February 22, 2013 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  2. Content Analysis
  • For FAT 32 volumes, logical sector 3 is not allocated, so it contains all zeroes. Looking at this sector can easily tell the examiner whether data is hidden there.
  • Data in clusters can easily be viewed using a tool such as Disk Investigator.
  • Searching is also possible using text or hex values.

  3. Content Analysis (cont.)
  • The file system map can be used to determine whether files are stored contiguously or are fragmented.
  • Consistency checking:
    • Check the metadata for each cluster or block to see whether any cluster has more than one metadata entry.
    • Orphan clusters are those with no metadata entries.

  4. Metadata Analysis
  • Contains data such as:
    • Location of the file
    • Size of the file
    • Creation, Modification, and Access Times
  • May not contain the file name.
  • Analysis is conducted to retrieve as much of this data as possible.
  • Tools look for this information, which is usually stored in some kind of table.
  • This is where you can determine how much slack space is associated with a file.

  5. FAT File Systems
  • FAT – File Allocation Table
  • Native to Microsoft DOS and Windows 9X Operating Systems
  • FAT-12 – Floppy Disks
  • FAT-16 – Windows 3.1, 95 Release 1
  • FAT-32 – Windows 98
  • Can also be used with Windows 2000 and XP, if desired.

  6. FAT Data Structures
  • File Allocation Table
    • Contains pointers to the multiple clusters associated with files.
  • Directory Entries
    • Data structure that is allocated to hold all relevant metadata about a file.

  7. Relationship between FAT and Directory Entries (Carrier Figure 9.1)
  Directory entry structure: file1.dat, 4000 bytes, starting at Cluster 34. FAT structure: entry 34 points to 35, entry 35 is EOF. Clusters: the file's content occupies Cluster 34 and Cluster 35.

  8. Physical Layout of a FAT File System (Carrier Figure 9.2: Reserved Area | FAT Area | Data Area)
  • The Reserved Area starts in sector 0 of the volume. Its size is given in the boot sector.
    • FAT-12/16: size is typically 1 sector.
    • FAT-32: size is typically bigger.
  • The FAT Area contains one or more FATs.
  • The Data Area contains directory entries and data.

  9. File System Category
  • Describes the general file system.
  • In a FAT system, this data is found in the boot sector, which is sector 0 of the Reserved Area of the volume.
  • In FAT 32, there is a backup copy of the boot sector in sector 6 of the Reserved Area.

  10. Location of the Root Directory (Carrier Figure 9.3)
  FAT 12/16: Reserved Area | FAT Area | Root Directory | Data Area – the root directory sits at a fixed location between the FAT Area and the Data Area.
  FAT 32: Reserved Area | FAT Area | Data Area – the root directory lies somewhere inside the Data Area.
  • In FAT-32, the location of the Root Directory is determined by the OS and is not always at the beginning of the data area.

  11. Content Category
  • Sectors are grouped into clusters.
  • Clusters are 1, 2, 4, 8, 16, 32, or 64 consecutive sectors in size.
  • Each cluster is given an address, and the address of the first cluster is 2.
    • In FAT 32, this is the first cluster of the data area.
    • In FAT 12/16, cluster 2 falls after the root directory.
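To make slides 8 to 11 concrete, here is an added example (written for this page; it is not code from the slides or from Carrier's book) that derives the Reserved, FAT and Data areas, the root directory sector and the cluster-to-sector mapping from a boot sector. The two boot sectors (one FAT16, one FAT32) are constructed inside the code; the field offsets follow the standard FAT boot-sector layout, and the FAT12/16/32 distinction is made from the cluster count using the thresholds of the Microsoft FAT specification, which the slides do not state.

```python
import struct


def build_boot_sector(bps, spc, reserved, nfats, root_entries, fat_size, total, fat32=False):
    """Constructed boot sector for testing (not from a real volume); offsets follow the FAT BPB layout."""
    bs = bytearray(bps)
    bs[0:3], bs[3:11] = b"\xEB\x58\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBH", bs, 11, bps, spc, reserved, nfats, root_entries)
    if fat32:
        # 32-bit total/FAT size, ext flags, version, root cluster 2, FSINFO in sector 1, backup boot in sector 6
        struct.pack_into("<IIHHIHH", bs, 32, total, fat_size, 0, 0, 2, 1, 6)
    else:
        struct.pack_into("<H", bs, 19, total)       # 16-bit total sector count
        struct.pack_into("<H", bs, 22, fat_size)    # 16-bit sectors per FAT
    bs[510:512] = b"\x55\xAA"                       # boot sector signature
    return bytes(bs)


def cluster_to_sector(layout, cluster):
    """Cluster numbering starts at 2 (slide 11); cluster 2 is the first cluster of the data area."""
    if cluster < 2 or cluster >= layout["cluster_count"] + 2:
        raise ValueError(f"cluster {cluster} lies outside the data area")
    return layout["data_area"][0] + (cluster - 2) * layout["sectors_per_cluster"]


def parse_layout(bs):
    """Derive the Reserved/FAT/Data areas (slide 8) and the root directory location (slide 10).
    Area ranges are half-open sector intervals [start, end)."""
    bps, spc, reserved, nfats, root_entries, tot16, _media, fatsz16 = struct.unpack_from("<HBHBHHBH", bs, 11)
    tot32, fatsz32 = struct.unpack_from("<II", bs, 32)
    fat_size, total = fatsz16 or fatsz32, tot16 or tot32    # the 16-bit fields are zero on FAT32
    if bps not in (512, 1024, 2048, 4096) or spc not in (1, 2, 4, 8, 16, 32, 64):
        raise ValueError("implausible geometry; boot sector may be damaged or not FAT")
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps  # 0 on FAT32, where the root dir is a cluster chain
    data_start = reserved + nfats * fat_size + root_dir_sectors
    cluster_count = (total - data_start) // spc
    # The type follows from the cluster count (thresholds from the Microsoft FAT specification)
    fat_type = "FAT12" if cluster_count < 4085 else "FAT16" if cluster_count < 65525 else "FAT32"
    layout = {
        "fat_type": fat_type, "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_area": (0, reserved),                              # always begins at sector 0
        "fat_area": (reserved, reserved + nfats * fat_size),         # one or more FATs
        "data_area": (data_start, total),
        "cluster_count": cluster_count,
    }
    if fat_type == "FAT32":
        root_cluster, fsinfo, backup_boot = struct.unpack_from("<IHH", bs, 44)
        layout["root_dir_sector"] = cluster_to_sector(layout, root_cluster)  # anywhere in the data area
        layout["fsinfo_sector"], layout["backup_boot_sector"] = fsinfo, backup_boot
    else:
        layout["root_dir_sector"] = reserved + nfats * fat_size      # fixed: after the FAT area, before cluster 2
    return layout


if __name__ == "__main__":
    fat16 = build_boot_sector(512, 4, 1, 2, 512, 64, 32768)
    fat32 = build_boot_sector(512, 8, 32, 2, 0, 1024, 1048576, fat32=True)
    for bs in (fat16, fat32):
        layout = parse_layout(bs)
        print(layout["fat_type"], layout, "cluster 34 -> sector", cluster_to_sector(layout, 34))
```

On the constructed FAT16 volume the root directory starts at sector 129, directly after two 64-sector FATs, and cluster 2 begins at sector 161 once the 32-sector root directory is skipped; on the FAT32 volume the root directory is simply cluster 2 at sector 2080, and the parser also reports the sector 6 backup boot sector mentioned on slide 9.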

  12. Cluster Allocation
  • Allocation Status
    • Unallocated clusters are indicated by a FAT entry of 000.
    • FAT-32 has an FSINFO data structure that indicates which clusters are unallocated.
  • Allocation Algorithm
    • The OS determines the allocation strategy.
    • The author (Carrier) indicates that in his tests of Windows 98 and XP systems, the next-available strategy was being used.
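The cluster chain from the slide 7 figure and the consistency checks of slides 3 and 12 (clusters claimed by more than one metadata entry, orphan clusters, unallocated entries of 0) as an added example; it is not code from the slides or from Carrier's book. The FAT16 table and the directory-entry metadata are constructed for the demonstration, and the 2048-byte cluster size is an assumption the slide 7 figure does not give. Slack space (slide 4) falls out as allocated cluster bytes minus the recorded file size.

```python
import struct

FAT16_FREE, FAT16_BAD, FAT16_EOF_MIN = 0x0000, 0xFFF7, 0xFFF8   # FAT16 entry meanings
CLUSTER_BYTES = 2048          # assumed cluster size for the sample (the slide 7 figure does not give one)
MAX_CLUSTERS = 64             # constructed volume: clusters 2..65 are addressable

# Constructed directory-entry metadata: (name, first cluster, size in bytes).
# file1.dat is the slide 7 figure; the others exercise the consistency checks.
SAMPLE_ENTRIES = [("file1.dat", 34, 4000), ("file2.dat", 36, 6000),
                  ("file3.dat", 50, 3000), ("file4.dat", 45, 2000)]


def fat16_entry(fat, cluster):
    return struct.unpack_from("<H", fat, cluster * 2)[0]


def follow_chain(fat, start, max_clusters):
    """Walk cluster pointers from a directory entry's starting cluster; returns (clusters, status)."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= max_clusters + 2:
            return chain, "out-of-range"         # pointer outside the data area
        if cur in seen:
            return chain, "loop"                 # chain cycles back on itself
        seen.add(cur)
        chain.append(cur)
        nxt = fat16_entry(fat, cur)
        if nxt >= FAT16_EOF_MIN:
            return chain, "ok"                   # 0xFFF8-0xFFFF: end of file
        if nxt == FAT16_FREE:
            return chain, "broken"               # next pointer lands on an unallocated cluster
        if nxt == FAT16_BAD:
            return chain, "bad-cluster"
        cur = nxt


def consistency_check(fat, entries, max_clusters, cluster_bytes):
    """Map clusters to owning directory entries, then report cross-links, orphans and slack."""
    owner, report = {}, {"files": {}, "cross_linked": {}, "orphans": []}
    for name, start, size in entries:
        chain, status = follow_chain(fat, start, max_clusters)
        report["files"][name] = {"clusters": chain, "status": status,
                                 "slack": len(chain) * cluster_bytes - size}   # meaningful when status == "ok"
        for c in chain:
            if c in owner:                       # a cluster claimed by two metadata entries
                report["cross_linked"].setdefault(c, [owner[c]]).append(name)
            else:
                owner[c] = name
    for c in range(2, max_clusters + 2):         # allocated in the FAT but reachable from no entry
        if fat16_entry(fat, c) not in (FAT16_FREE, FAT16_BAD) and c not in owner:
            report["orphans"].append(c)
    return report


def sample_fat16(max_clusters=MAX_CLUSTERS):
    """Constructed FAT16 table (not from a real volume). Entries 0 and 1 are reserved."""
    fat = bytearray((max_clusters + 2) * 2)
    struct.pack_into("<HH", fat, 0, 0xFFF8, 0xFFFF)

    def link(clusters):                          # chain the given clusters and terminate with EOF
        for a, b in zip(clusters, clusters[1:] + [0xFFFF]):
            struct.pack_into("<H", fat, a * 2, b)

    link([34, 35])                               # file1.dat: 34 -> 35 -> EOF (slide 7)
    link([36, 37, 38])                           # file2.dat
    link([40, 41])                               # allocated, but no directory entry points here (orphans)
    struct.pack_into("<H", fat, 50 * 2, 35)      # file3.dat's chain runs into file1.dat's cluster 35 (cross-link)
    struct.pack_into("<H", fat, 45 * 2, 46)      # file4.dat points at cluster 46, which is still 0 (broken chain)
    return bytes(fat)


if __name__ == "__main__":
    report = consistency_check(sample_fat16(), SAMPLE_ENTRIES, MAX_CLUSTERS, CLUSTER_BYTES)
    for name, info in report["files"].items():
        print(name, info)
    print("cross-linked:", report["cross_linked"], "orphans:", report["orphans"])
```

For file1.dat the walk returns clusters 34 and 35 with 96 bytes of slack (two 2048-byte clusters holding 4000 bytes); cluster 35 is reported as cross-linked with file3.dat, clusters 40 and 41 are reported as orphans, and file4.dat's chain is flagged as broken because it points at a cluster whose FAT entry is 0.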

  13. Metadata Category
  • Directory entries
    • 32 bytes
    • Contains:
      • File Name
      • File Size
      • Attribute (hidden, read-only, system, archive, etc.)
      • Starting cluster
      • Times (Creation, Modification, Access)

  14. Directory Entry Data Structure (Carrier Table 10.5)

  15. Long File Names
  • Normal file names are 8 characters for the file name and 3 characters for the extension.
  • Long file names are allowed, but require additional directory entries to hold the extra characters.
  • The extra entries go before the regular entry.

  16. LFN Directory Entry Data Structure (Carrier Table 10.7)

  17. Attributes (hex values)
  • Read-Only – 01
  • Hidden – 02
  • System – 04
  • Volume Label – 08
  • Long file name – 0f
  • Directory – 10
  • Archive – 20

  18. Dates
  • Creation Date: the date the file was created on the current media.
  • Modification Date (Written): the date that the file was last written to.
  • Access Date: the last date the file was touched.

  19. Date Format
  A 16-bit field: bits 15–9 hold the Year (0–127, counted from 1980), bits 8–5 the Month (1–12), and bits 4–0 the Day (1–31).
  Example: October 10, 2007 → year 27, month 10, day 10 → 0011011 1010 01010 → 0011 0111 0100 1010 → 0x374A
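An added example (not code from the slides or from Carrier's book) that decodes 32-byte directory entries as described on slides 13 to 19: the attribute flags of slide 17, the slide 19 date layout (checking that October 10, 2007 round-trips to 0x374A), and LFN entries stored before their 8.3 entry (slide 15), matched to it through the checksum each LFN entry carries. The directory contents are constructed; the field offsets follow the standard FAT directory entry layout and the checksum routine is the standard LFN one, neither of which the slides show.

```python
import struct
from datetime import date

ATTR_LFN = 0x0F                                   # read-only|hidden|system|volume-label marks an LFN entry
ATTRIBUTES = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
              0x08: "volume-label", 0x10: "directory", 0x20: "archive"}   # slide 17 values


def decode_attributes(attr):
    if (attr & 0x3F) == ATTR_LFN:
        return ["long-file-name"]
    return [name for bit, name in ATTRIBUTES.items() if attr & bit]


def decode_fat_date(value):
    """Slide 19 layout: bits 15-9 = years since 1980, bits 8-5 = month, bits 4-0 = day."""
    try:
        return date(1980 + (value >> 9), (value >> 5) & 0x0F, value & 0x1F)
    except ValueError:                            # zero or out-of-range fields: unset or corrupted stamp
        return None


def encode_fat_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def lfn_checksum(short_name11):
    """Checksum of the 11-byte 8.3 name; every LFN entry repeats it at offset 13."""
    s = 0
    for c in short_name11:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF
    return s


def parse_short_entry(raw):
    """Decode one 32-byte 8.3 entry (slide 13 fields, offsets per Carrier Table 10.5).
    The 16-bit time words at offsets 14 and 22 are returned undecoded."""
    ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHHHHI", raw, 14)
    name = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    return {
        "deleted": raw[0] == 0xE5,                # 0xE5 in the first byte marks a deleted entry
        "name": f"{name}.{ext}" if ext else name,
        "attributes": decode_attributes(raw[11]),
        "first_cluster": (hi << 16) | lo,         # the high word is only used by FAT32
        "size": size,
        "created": decode_fat_date(cdate), "created_time_raw": ctime,
        "written": decode_fat_date(wdate), "written_time_raw": wtime,
        "accessed": decode_fat_date(adate),       # the access stamp is a date only
    }


def parse_directory(raw):
    """Walk a directory region, attaching LFN entries to the 8.3 entry that follows them (slide 15)."""
    files, pending = [], {}
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                          # no entries beyond this point
            break
        if (e[11] & 0x3F) == ATTR_LFN:
            if e[0] != 0xE5:                      # a deleted LFN entry has lost its sequence number
                pending[e[0] & 0x1F] = (e[13], e[1:11] + e[14:26] + e[28:32])
            continue
        entry = parse_short_entry(e)
        if pending and all(ck == lfn_checksum(e[0:11]) for ck, _ in pending.values()):
            units = b"".join(pending[s][1] for s in sorted(pending))
            entry["long_name"] = units.decode("utf-16-le", "replace").split("\x00", 1)[0]
        pending = {}                              # unmatched LFN pieces are dropped
        files.append(entry)
    return files


def build_short_entry(name8, ext3, attr, first_cluster, size, d):
    """Constructed 8.3 entry for the sample (not from a real volume); all three dates are set to d."""
    e = bytearray(32)
    e[0:8], e[8:11], e[11] = name8.ljust(8).encode(), ext3.ljust(3).encode(), attr
    dv = encode_fat_date(d)
    struct.pack_into("<HHHHHHHI", e, 14, 0, dv, dv, first_cluster >> 16, 0, dv, first_cluster & 0xFFFF, size)
    return bytes(e)


def build_lfn_entries(long_name, short_name11):
    """LFN entries carry 13 UTF-16 units each and are stored before the 8.3 entry (slide 15)."""
    chunks = [long_name[i:i + 13] for i in range(0, len(long_name), 13)]
    out = []
    for seq, chunk in enumerate(chunks, start=1):
        units = chunk.encode("utf-16-le")
        if len(chunk) < 13:                       # 0x0000 terminator, then 0xFFFF padding
            units += b"\x00\x00" + b"\xFF\xFF" * (12 - len(chunk))
        e = bytearray(32)
        e[0] = seq | (0x40 if seq == len(chunks) else 0)   # 0x40 flags the last piece of the name
        e[1:11], e[11], e[13] = units[0:10], ATTR_LFN, lfn_checksum(short_name11)
        e[14:26], e[28:32] = units[10:22], units[22:26]
        out.append(bytes(e))
    return out[::-1]                              # the highest sequence number is stored first


def sample_directory():
    """Constructed directory: file1.dat from the slide 7 figure, then a file with a long name."""
    d = date(2007, 10, 10)                        # the slide 19 example date, 0x374A
    f1 = build_short_entry("FILE1", "DAT", 0x20, 34, 4000, d)
    f2 = build_short_entry("EVIDEN~1", "DOC", 0x21, 36, 10240, d)
    return f1 + b"".join(build_lfn_entries("evidence_report.docx", f2[0:11])) + f2
```

Running parse_directory over sample_directory() yields FILE1.DAT (starting cluster 34, 4000 bytes, all dates 2007-10-10) and EVIDEN~1.DOC carrying the long name evidence_report.docx with the read-only and archive attributes. Deleted entries (first byte 0xE5) are kept in the output with a flag rather than skipped, since they are exactly what an examiner wants to see; LFN pieces whose checksum does not match the following 8.3 name are discarded so that stale fragments are not attached to the wrong file.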

  20. FAT 32 FSINFO (Carrier Table 10.4)

  21. Questions?
