
Computer/Digital Forensics


tamas

Presentation Transcript


  1. Computer/Digital Forensics
  • Hard drive imaging
  • Volume structure & analysis
  • File system structure & analysis
  • Tools
  • Case studies

  2. Computer/Digital Forensics
  Computer/Digital Forensics: Acquisition of information on digital devices
  • Rigid recipe
  Investigation of digital devices and digital data for evidence of
  • a crime or violation of stated policy committed by the computer
  • a crime or violation of stated policy against the computer
  • a crime or violation of stated policy using the computer
  • accidental or intentional destruction or corruption of data
  Preparation for trial
  • Documentation of evidence
  • Proof that the evidence has not been altered

  3. Phases of an Investigation (courtesy Priscilla)
  • System Preservation Phase
  • Evidence Searching Phase
  • Event Reconstruction Phase

  4. Layers of Analysis (diagram)
  • Application/OS Analysis
  • Swap Space Analysis
  • Database Analysis
  • File System Analysis
  • Memory Analysis
  • Volume Analysis
  • Network Analysis
  • Physical Storage Media Analysis

  5. Finding a File (diagram)
  Directory entry: Name: miracle.txt, Cluster: 345, Size: 40, Last Accessed: October 27, 2004
  Cluster 344: "Today, the Yankees won the World Series."
  Cluster 345: "Today, the Red Sox won the World Series."

  6. Computer/Digital Forensics
  • Investigation of block devices that contain digital information
  • Procedures that will maintain the integrity of the digital evidence
  • Analysis of the condition and content of the block device that will permit the reconstruction of an incident or use

  7. Computer/Digital Forensics
  This part of the course will cover
  • Hard disk imaging
    • dd and NIST standards
  • Volume analysis
    • Disk layout
    • Partitions
  • File system analysis
    • FAT, NTFS
    • ext2, ext3
    • UFS1, UFS2

  8. Computer/Digital Forensics
  Important
  • Maintain chain of custody
  • A casual exam request from your boss can result in legal stuff
  • At first conduct a liturgical exam. You will never regret it.
  • Written consent to proceed: business plan or policy or memo. Don't go to jail or get sued.

  9. Computer Foundations
  • bin-to-hex and back again
  • Big/little endian confusion
  • Data structures
    • Allocation of "space" to a data structure: bit, byte, etc.
    • Size allocated depends on location

  10. Boot Process
  Many layers (each HW/OS system is different)
  • BIOS: ROM locates HW and initializes some of the hardware
  • EPROM: determines boot device and HW configurations
  • LBA sector 0 / CHS (0,0,1): more boot code, dereferences the kernel code

  11. Boot Process: Linux
  • JMP 0xFFFFFFF0: the 1st instruction after power on is a jump to the BIOS (or)
  • Power-On Self-Test
  • HW detect
  • Load interrupt vector table
  • Find bootable MBS
  • Copy MBS to 0x7C00 in RAM

  12. MBS Structure (byte offsets in hex within the 512-byte sector)
  • 000–1BD: Boot code (Master Boot Record, MBR)
  • 1BE–1CD: 1st partition entry
  • 1CE–1DD: 2nd partition entry
  • 1DE–1ED: 3rd partition entry
  • 1EE–1FD: 4th partition entry
  • 1FE–1FF: Sector signature = 0x55 0xAA

  13. Partition Entry Structure (byte offsets in hex within the 16-byte entry)
  • 00: Bootable flag: 0x80 = bootable, 0x00 = not bootable
  • 01–03: Starting CHS address (C, H, S)
  • 04: Partition type: 0x83 = Linux, 0x82 = swap
  • 05–07: Ending CHS address
  • 08–0B: Starting LBA address
  • 0C–0F: Size in sectors
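As an added example (not part of the slides), the following Python parser reads the structures from slides 12 and 13: it rejects a sector without the 0x55AA signature, unpacks the four 16-byte partition entries at offset 0x1BE, and decodes the packed 3-byte CHS fields. The packed CHS byte layout (head byte; sector in the low 6 bits of the second byte with the cylinder's top 2 bits above it; cylinder low byte) is standard MBR encoding that the slide does not spell out, and the sample sector is constructed for the demonstration.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # first entry, as on the slide
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE         # bytes 0x1FE-0x1FF hold 0x55 0xAA
MBR_SIGNATURE = b"\x55\xaa"

# Type bytes named on the slide; any other value is reported as hex.
PARTITION_TYPES = {0x00: "empty", 0x82: "Linux swap", 0x83: "Linux"}


def decode_chs(raw):
    """Unpack a 3-byte CHS field (standard MBR packing, an assumption here):
    byte 0 = head, byte 1 = sector (low 6 bits) + cylinder bits 9..8 (top 2),
    byte 2 = cylinder bits 7..0."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return (cylinder, head, sector)


def encode_chs(chs):
    """Inverse of decode_chs; used only to construct sample sectors."""
    cylinder, head, sector = chs
    if not (0 <= cylinder < 1024 and 0 <= head < 256 and 1 <= sector < 64):
        raise ValueError("CHS value does not fit the packed 3-byte field")
    return bytes([head, ((cylinder >> 2) & 0xC0) | sector, cylinder & 0xFF])


def parse_partition_entry(entry):
    """Decode one 16-byte entry using the layout on slide 13 (little-endian)."""
    bootflag, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    if bootflag not in (0x00, 0x80):
        raise ValueError("invalid bootable flag 0x%02x" % bootflag)
    return {
        "bootable": bootflag == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "0x%02x" % ptype),
        "chs_start": decode_chs(chs_start),
        "chs_end": decode_chs(chs_end),
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector):
    """Check the sector signature and return the four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != MBR_SIGNATURE:
        raise ValueError("sector signature is not 0x55AA")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        parts.append(parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE]))
    return parts


def build_mbr(entries):
    """Construct a sector for demonstration: zeroed boot code, the given
    (bootable, chs_start, type, chs_end, lba_start, size) tuples, signature."""
    sector = bytearray(SECTOR_SIZE)
    for i, (bootable, chs_s, ptype, chs_e, lba, size) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        sector[off:off + PARTITION_ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", 0x80 if bootable else 0x00, encode_chs(chs_s), ptype,
            encode_chs(chs_e), lba, size)
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample: a bootable Linux partition followed by a swap partition.
SAMPLE_MBR = build_mbr([
    (True, (0, 1, 1), 0x83, (1023, 254, 63), 63, 2097152),
    (False, (1023, 254, 63), 0x82, (1023, 254, 63), 2097215, 1048576),
])

if __name__ == "__main__":
    for n, p in enumerate(parse_mbr(SAMPLE_MBR), 1):
        print(n, p)
```

On a real image, `parse_mbr(open(path, "rb").read(512))` gives the same dictionaries; a missing signature or an unused (all-zero) entry shows up immediately rather than as a silently wrong partition list.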

  14. Booting Cont'd
  • Move MBR to 0x9000 and execute
  • Transfers control to LILO
  • Loads compressed kernel
  • Decompresses itself
  • Log into the blue screen

  15. Hard Disks: Current Technology (Moore's Law)
  • Rotating platters
    • Platters: 1 – 12+
    • Heads: 1 – 24+
  • Organized as cylinders/tracks, heads, sectors
  • Track = cylinder: tpi = 31,200 per inch
  • Bits per inch of track: bpi = 501,760
  • Areal density: 15.655 Gb/sq in (2000), 329 Gb/sq in (2009); projected 1 Tbit/sq in max
  • Cost: $0.50 per GB
  • Update: 1 TB == $100, i.e. $0.10 per GB

  16. (image slide)
  • Antiferromagnetically coupled (AFC) media
  • Giant magnetoresistance (GMR)

  17. Hard Disks: Geometry
  • CHS address: (Cylinder, Head, Sector)
    • Cylinder address is limited to a byte – max = 255
    • Lying must take place at tpi = 32K
    • Most disks – radius = 1.25 inches
    • Sectors = 793 per track (variable); allocated 1 byte
  • LBA (Logical Block Address)
    • LBA = (((C * heads-per-cyl) + H) * sectors-per-track) + S – 1
    • LBA = 0 corresponds to CHS = (0, 0, 1)
    • Physical location addressing
    • Sequential sector number
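The slide's LBA formula and its inverse, as an added Python example (not from the slides). The geometry values used in the checks (16 heads per cylinder, 63 sectors per track; 1024 cylinders for the addressable-range computation) are constructed for the demonstration; the functions take the geometry as parameters so they apply to any reported geometry.

```python
# Formula from the slide: LBA = (((C * heads_per_cyl) + H) * sectors_per_track) + S - 1
# Sectors are numbered from 1, so CHS (0, 0, 1) is LBA 0.


def chs_to_lba(chs, heads_per_cyl, sectors_per_track):
    """Convert a (C, H, S) triple to a zero-based logical block address."""
    c, h, s = chs
    if not 0 <= h < heads_per_cyl:
        raise ValueError("head %d outside geometry (%d heads)" % (h, heads_per_cyl))
    if not 1 <= s <= sectors_per_track:
        raise ValueError("sector %d outside geometry (%d per track)"
                         % (s, sectors_per_track))
    return ((c * heads_per_cyl) + h) * sectors_per_track + s - 1


def lba_to_chs(lba, heads_per_cyl, sectors_per_track):
    """Inverse mapping: peel off whole cylinders, then whole tracks, then
    the remaining sectors (plus one, because sectors start at 1)."""
    if lba < 0:
        raise ValueError("LBA must be non-negative")
    cylinder, rest = divmod(lba, heads_per_cyl * sectors_per_track)
    head, sector0 = divmod(rest, sectors_per_track)
    return (cylinder, head, sector0 + 1)


def chs_addressable_sectors(max_cylinders, heads_per_cyl, sectors_per_track):
    """Number of sectors reachable when each CHS field is capped at the given
    limits; shows why a byte-sized field forces geometry translation."""
    return max_cylinders * heads_per_cyl * sectors_per_track


def roundtrip_ok(heads_per_cyl, sectors_per_track, count):
    """True when lba_to_chs and chs_to_lba invert each other for LBA 0..count-1."""
    return all(
        chs_to_lba(lba_to_chs(lba, heads_per_cyl, sectors_per_track),
                   heads_per_cyl, sectors_per_track) == lba
        for lba in range(count))


if __name__ == "__main__":
    geometry = (16, 63)  # constructed geometry: 16 heads, 63 sectors per track
    print("CHS (0,0,1) ->", chs_to_lba((0, 0, 1), *geometry))
    print("CHS (1,0,1) ->", chs_to_lba((1, 0, 1), *geometry))
    print("LBA 1008 ->", lba_to_chs(1008, *geometry))
    print("round-trip ok:", roundtrip_ok(*geometry, 10000))
```

The bounds checks matter in practice: a partition entry whose CHS start converts to a different LBA than its LBA start field is one of the first signs that a partition table has been edited by hand or built for a different geometry.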

  18. Hard Disks: Interfaces
  • IDE – ATA/ATAPI/etc.
  • SCSI
  • Floppy
  • USB
  • 1394
  Many, many flavors of each. Most of the flavors do not affect the forensic analysis of the actual media.

  19. Hard Disks: ATA/ATAPI
  • AT Attachment Packet Interface
  • 1994: original
  • Before 1994 it was a crap shoot
  • ATAPI spec issued in 1998
  • 2002: ATA/ATAPI-6 allowed 48-bit LBA vs. 32-bit
    • Permitted another factor of 64K sectors on the disk
  • Current rev is 7/8
  • www.t13.org

  20. ATA/ATAPI: Commands
  • Register-delivered commands
    • Write command ID and parameters to HD registers
    • HD loads parameters into the appropriate registers
    • Executes the command
    • Loads error values into a register
    • Host reads the error values
  • Packet-delivered commands
    • Used when the command/parameter structure is larger than the registers

  21. ATA/ATAPI: Features
  • Passwords
  • Host Protected Area
  • Device Configuration Overlay
  • Serial ATA

  22. ATA/ATAPI: Passwords
  • User password & master password
  • High security mode: both user and administrator can access the HD
  • Maximum security mode: admin can access the HD only after the HD has been wiped
  • After n password attempts the disk freezes until reboot

  23. ATA/ATAPI: Host Protected Area
  • HPA: not accessible to the average user
  • Configurable using ATA commands
  • HD vendor can store configuration data that won't be overwritten by a format command
  • BIOS can write to the HPA at power-up time
  • Located at the end of the HD, i.e. the highest LBA addresses

  24. ATA/ATAPI: HPA Commands
  • READ_NATIVE_MAX_ADDRESS: returns the maximum physical address (#1)
  • IDENTIFY_DEVICE: returns the max address the user can access (#2)
  • HPA = #1 - #2
  • HPA is created with a SET_MAX_ADDRESS

  25. ATA/ATAPI: HPA Commands
  • The HPA may contain
    • BIOS settings
    • System files
    • Vendor information
    • Hidden information (oh, paranoia)
  • The HPA can be password protected

  26. ATA/ATAPI: Device Configuration Overlay
  Another way to hide data from the user. Changes the apparent capabilities of the disk so that they appear limited.
  Diagram (regions from lowest to highest LBA, each labelled with the command that reports its upper bound):
  • User Addressable Space: up to IDENTIFY_DEVICE
  • HPA: up to READ_NATIVE_MAX_ADDRESS
  • DCO: up to DEVICE_CONFIGURATION_IDENTIFY

  27. ATA/ATAPI: Device Configuration Overlay
  • A DCO can cause the IDENTIFY_DEVICE command to lie about supported features
  • A DCO can show a smaller disk size than actually exists
  • DEVICE_CONFIGURATION_SET changes or creates a DCO
  • DEVICE_CONFIGURATION_RESET removes a DCO
  • The DCO remains unchanged through reboots and resets
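An added Python example (not from the slides) that applies the rule from slide 24, HPA = READ_NATIVE_MAX_ADDRESS - IDENTIFY_DEVICE, and extends it one layer further to the DCO boundary reported by DEVICE_CONFIGURATION_IDENTIFY (slides 26 and 27). It takes the three maximum LBAs as plain integers, so the ATA commands themselves are not issued here; the sample values and the 512-byte sector size are constructed assumptions for the demonstration. The point for an examiner is the last function: an image is only complete if it covers the DCO-reported size, not the size the operating system shows.

```python
SECTOR_BYTES = 512  # assumption for the byte totals; 4K-sector drives differ


def hidden_area_report(identify_max, native_max, dco_max=None):
    """Split a drive into user / HPA / DCO regions from three reported maxima.

    Each argument is the last addressable LBA that the command returns:
      identify_max : IDENTIFY_DEVICE            (what the OS and user can see)
      native_max   : READ_NATIVE_MAX_ADDRESS    (beyond any HPA)
      dco_max      : DEVICE_CONFIGURATION_IDENTIFY (beyond any DCO), or None
                     if that command was not issued
    The slide's HPA = native_max - identify_max is applied to the DCO the same way.
    """
    if dco_max is None:
        dco_max = native_max
    if not (0 <= identify_max <= native_max <= dco_max):
        raise ValueError("reported maxima must satisfy identify <= native <= dco")
    hpa_sectors = native_max - identify_max
    dco_sectors = dco_max - native_max
    regions = [("user", 0, identify_max)]
    if hpa_sectors:
        regions.append(("hpa", identify_max + 1, native_max))
    if dco_sectors:
        regions.append(("dco", native_max + 1, dco_max))
    return {
        "user_sectors": identify_max + 1,
        "hpa_sectors": hpa_sectors,
        "dco_sectors": dco_sectors,
        "total_sectors": dco_max + 1,
        "hidden_bytes": (hpa_sectors + dco_sectors) * SECTOR_BYTES,
        "regions": regions,          # (name, first LBA, last LBA), ascending
    }


def acquisition_is_complete(image_sectors, identify_max, native_max, dco_max=None):
    """True only if an image of image_sectors sectors reaches the DCO-reported end."""
    report = hidden_area_report(identify_max, native_max, dco_max)
    return image_sectors >= report["total_sectors"]


if __name__ == "__main__":
    # Constructed sample: 2000 visible sectors, 48-sector HPA, 256-sector DCO.
    report = hidden_area_report(identify_max=1999, native_max=2047, dco_max=2303)
    for name, first, last in report["regions"]:
        print("%-4s LBA %d-%d" % (name, first, last))
    print("hidden bytes:", report["hidden_bytes"])
    print("image of 2000 sectors complete?",
          acquisition_is_complete(2000, 1999, 2047, 2303))
```

Because a DCO survives reboots and resets (slide 27), the value from IDENTIFY_DEVICE alone tells you nothing about how much of the platter exists; the ordering check in `hidden_area_report` also catches a tool reporting the three values in the wrong order.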

  28. ATA/ATAPI: Serial ATA
  • 7 versus 40+/- connectors
  • No device chaining
  • A little more flexible

  29. ATA/ATAPI: BIOS vs Direct Access
  • Direct: the SW must know the geometry and translation equations to access the HD. It is the fast method for disk access and data transfer.
  • BIOS: services disk commands through software interrupt 0x13 etc.

  30. SCSI: SCSI vs ATA
  • More devices per bus
  • No controller required, only a bus controller
  • Many more flavors: connectors, commands, etc.

  31. SCSI: Flavors of SCSI
  • Mostly transfer speed and connector types
  • Cable specs have changed
