240 likes | 382 Vues
File System Analysis. System Forensics Applied Computing Yr 3. Steven Davy. Where are we ?. File System Analysis. What is a File System? Why we need to analyse File Systems? Categories of File System Data File System Analysis Concerns. What is it?.
E N D
File System Analysis System Forensics Applied Computing Yr 3 Steven Davy
Where are we ? System Forensics : Applied Computing Year 3
File System Analysis • What is a File System? • Why we need to analyse File Systems? • Categories of File System Data • File System Analysis Concerns System Forensics : Applied Computing Year 3
What is it? • Used to provide users access to storage for saving and retrieving files. • Stores files in a hierarchical structure. • There are many file system formats • Ext2/3, typically used by Linux OS • FAT, older versions of Windows and portable memory devices • NTFS, most common format for new Window OSs • UFS, another Linux OS favourite System Forensics : Applied Computing Year 3
File System Components System Forensics : Applied Computing Year 3
File System Components • File System Description Data • Describes the type of file system and where to find the other file system components • File System Names Data • Describe all file names, and where to discover the file data • File Metadata • Describes information about a file, file size, where the data of the file is • File Contents • The actual data associated to a file System Forensics : Applied Computing Year 3
Analysing File System Description Data • Usually maintained in the first sectors occupied by the file system • If this information is corrupt, if may be very difficult to recover evidence from the file system. • It gives the file system size on the volume. • Be aware of Volume Slack • If the file system is smaller than the volume there may be data hidden in the volume slack System Forensics : Applied Computing Year 3
Analysing Content Data • The file system allocates files to data units • A data unit is a group of disk sectors. • Example: 1 Data unit = 4 sectors • 2048 = 4 * 512 • 1 Data Unit = 2048 bytes System Forensics : Applied Computing Year 3
Allocating Data Units • The OS allocates data units when files are modified, or created. • If a file grows beyond the size of a data unit it can be fragmented and stored in another data unit • Therefore a single file may not be stored on consecutive sectors on the disk. System Forensics : Applied Computing Year 3
Allocating Data Units • There are several popular data unit allocation strategies. • First Available: • The file is allocated to the first available data unit, counting from 0. • Next Available: • The file is allocated to the next available data unit counting from the last allocated address. • Best Fit: • The file is allocated to the best fit data unit to minimise file fragmentation, but reverts to the previous two strategies if unsuccessful System Forensics : Applied Computing Year 3
Allocating Data Units • Caution is required when there are damaged sectors. • Modern hard-drives mask bad sectors so that the file system does not need to be concerned. • Otherwise the file system keeps track of bad sectors • A criminal may manually modify the File System to treat a set of sectors as damaged to file evidence System Forensics : Applied Computing Year 3
Data Unit Viewing • We can use the tool dcat to examine the contents of individual data units. • Alternatively we can search all data units for a specific keyword, more commonly known as a keyword search. System Forensics : Applied Computing Year 3
Data Unit Allocation Status • Not all data units are allocated; as files are deleted and created, data units are being allocated and unallocated. • A Bitmap of the data units allocation status is maintained and is used by the file system to determine which data units are being used System Forensics : Applied Computing Year 3
Data Unit Wiping • When a data unit is deleted it is up to the OS to either wipe the data from the data unit or not. • Depending on the OS they may only to the minimum amount of work required, i.e. just unallocate the data unit in the bitmap. • Whereas other OSs may wipe the data from the data unit and all traces of the file. This is a more secure way of deleting your files. System Forensics : Applied Computing Year 3
Data Unit Wiping • If the OS does not wipe the data unit we may use third party tools to wipe the data for us, however there may be problems with this. • Example: We design a tool that • Writes Zeros to the file • Then deletes the file • Problem A: The OS may perform the operation in the opposite order, in a measure to optimise the operations. The outcome is that the file is first deleted and the write operation is ignored as the file is already deleted • Problem B: The OS may decide to allocate the modified file to a new data unit, then write the zeros, then delete the file. In this circumstance the zeros did not overwrite the data and it still exists System Forensics : Applied Computing Year 3
Data Unit Slack Space • There are two types of data unit slack space • Type 1: System Forensics : Applied Computing Year 3
Data Unit Slack Space • There are two types of data unit slack space • Type 2: System Forensics : Applied Computing Year 3
Data Unit Slack Space • Type 1: Usually the OS will write Zeros to the slack space when the size is below that of a sector. • Type 2: The OS may not write Zeros to the slack space equal to a sector size, to reduce the number of write cycles. • Data from the previous file can remain untouched, even though the sector is allocated System Forensics : Applied Computing Year 3
Meta Data File Recovers • We can restore deleted files using the files metadata only if • The meta data has not been over written by another entry • The meta data has not been wiped by the OS. • If the above conditions hold, then we may be able to recover the file, simply by reading the referenced data units. System Forensics : Applied Computing Year 3
File Meta Data • The meta data describes which data units a file is using. • Files may not use consecutive data units. • A file may leave some slack space at the end of a data unit. System Forensics : Applied Computing Year 3
More Meta Data Analysis • File meta data also contains information on when the file was last access, modified or created. • This information can be used to establish a chain of events and can be considered as evidence. System Forensics : Applied Computing Year 3
Compressed and Encrypted Data • The OS may decide to compress or encrypt data at three levels • Application level, where the appropriate application creating the file performs the operation to encrypt or compress • File Level, where a separate tool can compress or encrypt the file, e.g. winzip • System Level, where the OS can compress or encrypt files per data unit. System Forensics : Applied Computing Year 3
Compressed and Encrypted Data • All levels of encryption or compression can cause trouble for the file system analyser, as they may not know the encryption key or compression algorithm being used. System Forensics : Applied Computing Year 3
Next Week • FAT and NTFS file system concepts System Forensics : Applied Computing Year 3