Digital Forensics


Presentation Transcript


  1. Module 11 CS 996 Digital Forensics

  2. Outline of Module #11
     • Overview of Windows file systems
     • Overview of ProDiscover
     • Overview of UNIX file systems (Kulesh)
     • ProDiscover workshop (remaining time)

  3. Reminder
     • InfraGard Chapter meeting on Counterintelligence
     • Bear Stearns, 383 Madison Avenue
     • 9-4, April 28
     • RSVP: www.nym-infragard.us

  4. Hard Drive Data Hiding Places
     • Low level format
       • Redundant sectors
       • Bad sectors
     • Partition
       • Interpartition gaps
       • Unallocated space
       • "Hidden" partitions
       • Boot records and partition tables
       • Deleted partitions

  5. Physical Disk Geometry (CHS)
     • One head for each surface (H)
     • All tracks at the same radius, one per surface, form a "cylinder" (C)
     • Each sector holds 512 bytes of user data (S)
     • One disk surface is devoted to positioning and synchronization
     • Not all parts of the disk are addressable by the OS
     • Disk capacity = C x H x S x 512 bytes

  6. Lifecycle of Disk Drive
     • Blank media
     • Low level format (performed at the factory)
     • Partition
     • High level file system format
     • Operating system install
     • System operations

  7. Low Level Format
     • Low level formatting creates sectors
     • Each sector holds 512 bytes + overhead bytes
     • Overhead provides error correction and timing recovery
     • Bad sectors are remapped to redundant sectors by the HDD controller

  8. Low Level Format (diagram: a sector = 512 bytes of user data + sector overhead; spare "redundant sectors" are set aside for remapping)

  9. Partitioning (diagram: Master Boot Record, then Partition #1 starting with its Volume Boot Record, an inter-partition gap, then Partition #2 starting with its Volume Boot Record)

  10. Partitioning Drive
     • Master Boot Record = Master Boot Code + Master Partition Table (MPT)
       • Always at sector #1
     • Volume Boot Record = Volume Boot Code + Disk Parameter Block
       • One in each partition

  11. FAT File System
     • Four parts
       • Volume boot record
       • File allocation tables
       • Root directory
       • User data area
     • Types
       • FAT12, FAT16, FAT32: the number is the cluster address size in bits
       • FAT1 and FAT2: first and second copy of the FAT
       • Floppy: FAT12

  12. FAT12/16 Structure (diagram, in disk order: DOS boot sector, FAT #1, FAT #2, root directory, user data area)

  13. FAT32 Structure (diagram, in disk order: 32 reserved sectors holding the DOS boot record and a copy of the DOS boot record, FAT #1, FAT #2, user data)

  14. File Allocation Table (diagram: directory entry for file TEST points to start cluster 217; the FAT chain runs 217 -> 618 -> 339 -> EOF)

  15. WinHex: Forensic Hex Editor
     • www.x-ways.net
     • Disk cloning
       • DOS version
       • Windows version (use write blocker)
     • Disk editor
     • API for scripting tasks

  16. (screenshot slide, no text)

  17. (screenshot slide, no text)

  18. Navigating to FAT12 Directory
     • Start at boot sector #1
     • Add 2 x 9 sectors (two FAT copies of 9 sectors each)
     • Directory at sector #20
     • Offset is: 19 x 512 = 9728 bytes = 2600H

  19. (screenshot slide, no text)

  20. Navigating to FAT32 Allocation Table
     • Start at boot sector
     • Go to sector #33, an offset of 32 x 512 bytes (past the 32 reserved sectors)
     • 32 x 512 = 16384 = 4000H
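The offset arithmetic on slides 18 and 20 and the cluster chain on slide 14 can be checked in code. The following is an added example, not part of the original slides: it reads the BIOS Parameter Block fields that locate FAT #1 and the root directory, and follows a 12-bit FAT chain. The boot sectors and the FAT table are constructed in the script (they are not from a real image).

```python
import struct

def parse_bpb(sector: bytes) -> dict:
    """Pull the BIOS Parameter Block fields that locate the FATs and the root directory."""
    (bps, spc, reserved, nfats, root_entries,
     _tot16, _media, spf16) = struct.unpack_from("<HBHBHHBH", sector, 11)
    spf32 = struct.unpack_from("<I", sector, 36)[0]  # FAT32 only; zero on FAT12/16
    return {"bps": bps, "spc": spc, "reserved": reserved, "nfats": nfats,
            "root_entries": root_entries, "spf": spf16 or spf32}

def fat_offset(bpb: dict) -> int:
    """Byte offset of FAT #1: it starts right after the reserved sectors (slide 20)."""
    return bpb["reserved"] * bpb["bps"]

def root_dir_offset(bpb: dict) -> int:
    """Byte offset of the FAT12/16 root directory: after reserved sectors and all FAT copies (slide 18)."""
    return (bpb["reserved"] + bpb["nfats"] * bpb["spf"]) * bpb["bps"]

def make_boot_sector(reserved: int, spf16: int, spf32: int = 0) -> bytes:
    """Constructed boot sector holding only the BPB fields this example reads (not a real image)."""
    sec = bytearray(512)
    struct.pack_into("<HBHBHHBH", sec, 11, 512, 1, reserved, 2, 224, 2880, 0xF0, spf16)
    struct.pack_into("<I", sec, 36, spf32)
    return bytes(sec)

def set_fat12(fat: bytearray, cluster: int, value: int) -> None:
    """Write a 12-bit FAT entry; two consecutive entries share three bytes."""
    off = cluster + cluster // 2
    cur = fat[off] | (fat[off + 1] << 8)
    cur = (cur & 0x000F) | (value << 4) if cluster & 1 else (cur & 0xF000) | (value & 0xFFF)
    fat[off], fat[off + 1] = cur & 0xFF, cur >> 8

def fat12_chain(fat: bytes, start: int) -> list:
    """Follow a FAT12 cluster chain from a directory entry's start cluster to EOF."""
    chain, cluster, seen = [], start, set()
    while 2 <= cluster < 0xFF8 and cluster not in seen:   # 0xFF8..0xFFF marks end of chain
        seen.add(cluster); chain.append(cluster)          # stop on looped (corrupt) chains
        off = cluster + cluster // 2
        val = fat[off] | (fat[off + 1] << 8)
        cluster = val >> 4 if cluster & 1 else val & 0xFFF
    return chain

# Slide 18: FAT12 floppy, 1 reserved sector, two 9-sector FATs -> root directory at 0x2600
FAT12_BPB = parse_bpb(make_boot_sector(reserved=1, spf16=9))
# Slide 20: FAT32 volume with 32 reserved sectors -> FAT #1 at 0x4000
FAT32_BPB = parse_bpb(make_boot_sector(reserved=32, spf16=0, spf32=1234))
# Slide 14: constructed FAT12 table where TEST starts at cluster 217 -> 618 -> 339 -> EOF
FAT12_TABLE = bytearray(9 * 512)
for c, nxt in ((217, 618), (618, 339), (339, 0xFFF)):
    set_fat12(FAT12_TABLE, c, nxt)
```

Run against a real image, `parse_bpb(image[:512])` gives the offsets to seek to in a hex editor such as WinHex; the `seen` set matters because a damaged FAT can loop and would otherwise hang a naive chain walk.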

  21. (screenshot slide, no text)

  22. WinHex NTFS Partition Analysis (screenshot)

  23. ProDiscover Forensic Software
     • www.techpathways.com
     • Disk imaging: meets NIST Specification 3.1.6
     • Works with FAT, NTFS, Sun Solaris UFS
     • Displays Windows alternate data streams (ADS)!
     • File signature analysis
     • Search capability
     • Recovers deleted files and slack space
     • Reasonable price!

  24. (screenshot slide, no text)

  25. Capture Evidence Files (screenshot)

  26. Image Evidence: Windows Laptop (diagram: laptop drive connected through a USB-to-IDE adapter and IDE cable to the ProDiscover evidence drive)

  27. Keyword Search (screenshot)

  28. Reporting (View => Report) (screenshot)

  29. References for Module #11
     • Bill Nelson, Guide to Computer Investigations, 2004.
     • Warren Kruse, Computer Forensics, 2002.
     • Kevin Mandia, Incident Response, 2003.
     • EnCase Legal Journal (course web site)
     • www.cs.nmt.edu (cs491_02)
     • NTFS:
