1 / 30

File System Analysis

File System Analysis. What is a File System?. Computers need a way to store data and then to retrieve the said data in simple but quick ways. File systems provide a way for computers to store data in a hierarchy of files and directories. . What is a File System?.

azia
Télécharger la présentation

File System Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. File System Analysis

  2. What is a File System? Computers need a way to store data and then to retrieve the said data in simple but quick ways. File systems provide a way for computers to store data in a hierarchy of files and directories.

  3. What is a File System? A file system defines how and where files are stored and how they are named. Files systems are independent of any type of computer. The file systems we will look at are FAT (File Allocation Table), NTFS, Ext2 and Ext3. However, what they have in common is that they all know how to store data and to retrieve the data in a quick manner.

  4. Essential and Non-Essential Data When looking at data, it is important to differentiate between the essential and non-essential data. We have to trust the essential data, but not necessarily trust the non-essential data. It is also important to know which OS wrote the file system because different OS’s might have different requirements as to what is essential and what is not.

  5. Essential and Non-Essential Data Essential data is that data that is needed to save and retrieve files. Some essential data: • Content storage location. • Name of the file. • Pointer from name to metadata. Non-essential data is there for convenience but not needed for the basic functionality of storing and retrieving files. • Access Times • Security Permissions

  6. Data Categories In order to understand different analysis techniques, we divide the data on a computer into several categories. • File System • Content • Metadata • File Name • Application The tools in The Sleuth Kit (TSK) are based on these same categories.

  7. Data Categories - File System Each instance of a file system is unique because it has a unique size. It contains the general file system information such as where to find certain data (which cluster or block does this reside in) and how big the data unit is. It works like a map.

  8. Data Categories - Content This category is made up of the actual content of a file. Most of the information in a computer is made up of this data category. It is typically organized into data units. Some file systems call these clusters, and some call them blocks.

  9. Data Categories - Metadata This category consists of the data that describes the files such as: • Where the file content is stored • Size of the file • Creation time • Modification time • Access control information This category does not contain the content of the file and the name of the file. e.g.: inodes and Master File Table (MFT) entries

  10. Data Categories - File Name The file name category is also known as the Human Interface category. In this category, a name is assigned to each file, to make data access more convenient and easier for humans. In most systems, these are contents in a directory with corresponding metadata addresses.

  11. Data Categories - Application This category provides special features. However, these data are not necessary for normal reading and writing of data. Instead they provide features such as user quota information and file system journals. These data can be more easily forged than other data.

  12. Interaction Between Categories File System Category Application Category Layout and Size Information Quota Data File Name Category Metadata Category Content Category file1.txt Times and Addresses Content Data #1 Content Data #2 file2.txt Time and Addresses Content Data #1 Carrier, Figure 8.1

  13. Analysis Different categories of data require different methods for analysis. • File system data typically consists of single and independent values, so analysis is conducted by looking at the values and interpreting them. For instance, if we are searching for files with ‘jpg’ extensions, we would have to focus on file name category analysis techniques.

  14. Analysis – File System Category The file system category of data includes the data that describes the layout and general information about a file system. The File system category might be analyzed to find out on which computer a file system was created, or TSK has a tool called fsstat which will read the boot sector or superblock and other data structures that are specific to the different types of file systems. The type of data in the output of fsstat is different for each file system because different types of data are available.

  15. Analysis – Content Category Typically, the content category includes equal sized data units that are allocated for files and directories. There is also a data structure that keeps track of the allocation unit of the data units that store this data. This category contains a lot of data, a 40 Mb volume contains > 80000, 512 byte sectors. The content category is analyzed to recover deleted data and conduct low-level searches. All TSK tools in this category start with the letter d.

  16. Addressing Data Units • A sector can have multiple addresses • Physical: Address relative to the start of the drive • Logical: Address relative to the start of the volume • File systems use the Logical volume address, but also group sectors into clusters or blocks and assign them addresses. VolumeAddress 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 File SystemAddress 0 1 2 3 4 5 Carrier, Figure 8.2

  17. Allocation Strategies File systems may use several strategies to allocate data units. Data units are generally allocated contiguously. However, this is not always possible, in which case, the file is considered to be fragmented. The used allocation strategy affects the probability of recovering deleted (unallocated) content.

  18. Allocation Strategies (cont.) • First available strategy: • Clusters or blocks are assigned from the beginning of the file system as needed. Most likely to become fragmented. • File systems using this strategy are more likely to overwrite free space containing deleted files. • Next Available Strategy: • Similar to the first available, but looks for subsequent clusters for a file starting from next cluster to end of file system. • Best fit strategy: • OS looks for contiguous clusters sufficient to store entire file. • Less likely to be fragmented, but if file size changes, then fragmentation can still happen.

  19. Allocation Strategies (cont.)

  20. Damaged Data Units • Some file systems have ability to mark clusters as damaged, so that they are not used again to store data. This was useful for older disks that did not have the capability to handle errors. • Modern disks have ability to handle errors, so this capability is not needed. • If this capability exists, it can be used to hide data, because consistency checking tools do not verify a data unit that is marked as damaged.

  21. Content Analysis The Data Unit Viewing technique can be used when you know the address where evidence might be located. For example: In FAT 32 volumes, logical sector 3 is not allocated, so it contains all zeroes. Looking at this sector can easily tell the examiner if data is hidden there. (dcat in TSK) The Logical File System-Level Searching technique you look for contents, without knowing where it might be. Search for the word ‘password’ in each data unit

  22. Content Analysis 2,048 bytes in one data unit 20,480 bytes 0 1 2 3 4 5 6 7 8 9 10 11 Content of data unit 10 in ASCII Data Unit Viewing: The investigator knows the address of evidence, so uses the logical file system address ... a tool calculates the byte or sector address Is the string ‘password’ in this data unit? 0 1 2 3 4 5 6 7 8 9 10 11 Logical File System Search: Looks in each data unit for a known value. 22

  23. Content AnalysisUsing Bitmaps If we want to look in unallocated space, we can use tools to extract all unallocated data units or we can restrict analysis to only the unallocated space. We can see how a bitmap data structure can tell us whether a data unit is allocated or not. 0 1 2 3 4 5 6 7 8 9 10 11 Data units … 1 0 0 1 0 0 0 Bitmap: 0 unallocated 1 allocated 23

  24. Content Analysis (cont.) The Data Unit Allocation Status technique shows all the unallocated data units to find hidden or ‘deleted’ data. The dls tool in TSK shows the unallocated data units. The Consistency Check technique allows you to determine if the file system is in a suspicious state. Orphan data units (allocated data units that do not have a corresponding metadata structure) and be found in this manner. See Figure 8.7

  25. Content Analysis (cont.) • Wiping Techniques • Zeroes or random data are written into the data units allocated by a file or to all unused data units • Secure Deletion is becoming more common for many operating systems • An investigator may check to see if a wiping tool is available on a system, then determine when it was last accessed • There may also be temporary copies of files that were wiped 25

  26. Analysis – Metadata Category The metadata category includes the data that describe a file. Here you will find the data unit addresses that a file has allocated, the size of the file, and temporal information. The types of data in this category vary depending on the file system type. There are four TSK tools in this category, and the names all start with i such as the istat command.

  27. Metadata Analysis Analyzing metadata can • Provide corroborating information about the document data itself. • Reveal information that someone tried to hide, delete, or obscure. • Automatically correlate documents from different sources. Since metadata is fundamentally data, it suffers all of the data quality issues as any other form of data. Nevertheless, because metadata isn't generally visible unless you use a special tool, more skill is required to alter or otherwise manipulate it.

  28. Metadata Analysis • Slack space occurs when the file size is not a multiple of the data unit size • It appears between the end of the file and the end of the sector in which the file ends • Or it can be in sectors that contain no file content • A new file may not completely overwrite all data that was previously in a memory location

  29. Analysis – File Name Category The file name category of data includes the data that associates a name with a metadata entry. Most file systems separate the name and metadata, and the name is located inside of the data units allocated to a directory. There are two TSK tools that operate at the file name layer, and their names start with f. flswill list the file names in a given directory. If we want to know which file name corresponds to a given metadata address, the ffind tool can be used.

  30. File Name Analysis One of the most common investigation techniques is to list the names of the files and directories. Many file systems do not clear the file name of a deleted file, so deleted file names may be shown in a listing. Another technique is to search for file names. For example, we might know a filename’s extension, but not know its name or full path. As long as the pointer to metadata is intact, we can potentially recover data even if both the filename and metadata are unallocated.

More Related