1 / 24

System Forensics Applied Computing Yr 3

File System Analysis. System Forensics Applied Computing Yr 3. Steven Davy. Where are we ?. File System Analysis. What is a File System? Why we need to analyse File Systems? Categories of File System Data File System Analysis Concerns. What is it?.

meira
Télécharger la présentation

System Forensics Applied Computing Yr 3

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. File System Analysis System Forensics Applied Computing Yr 3 Steven Davy

  2. Where are we ? System Forensics : Applied Computing Year 3

  3. File System Analysis • What is a File System? • Why we need to analyse File Systems? • Categories of File System Data • File System Analysis Concerns System Forensics : Applied Computing Year 3

  4. What is it? • Used to provide users access to storage for saving and retrieving files. • Stores files in a hierarchical structure. • There are many file system formats • Ext2/3, typically used by Linux OS • FAT, older versions of Windows and portable memory devices • NTFS, most common format for new Window OSs • UFS, another Linux OS favourite System Forensics : Applied Computing Year 3

  5. File System Components System Forensics : Applied Computing Year 3

  6. File System Components • File System Description Data • Describes the type of file system and where to find the other file system components • File System Names Data • Describe all file names, and where to discover the file data • File Metadata • Describes information about a file, file size, where the data of the file is • File Contents • The actual data associated to a file System Forensics : Applied Computing Year 3

  7. Analysing File System Description Data • Usually maintained in the first sectors occupied by the file system • If this information is corrupt, if may be very difficult to recover evidence from the file system. • It gives the file system size on the volume. • Be aware of Volume Slack • If the file system is smaller than the volume there may be data hidden in the volume slack System Forensics : Applied Computing Year 3

  8. Analysing Content Data • The file system allocates files to data units • A data unit is a group of disk sectors. • Example: 1 Data unit = 4 sectors • 2048 = 4 * 512 • 1 Data Unit = 2048 bytes System Forensics : Applied Computing Year 3

  9. Allocating Data Units • The OS allocates data units when files are modified, or created. • If a file grows beyond the size of a data unit it can be fragmented and stored in another data unit • Therefore a single file may not be stored on consecutive sectors on the disk. System Forensics : Applied Computing Year 3

  10. Allocating Data Units • There are several popular data unit allocation strategies. • First Available: • The file is allocated to the first available data unit, counting from 0. • Next Available: • The file is allocated to the next available data unit counting from the last allocated address. • Best Fit: • The file is allocated to the best fit data unit to minimise file fragmentation, but reverts to the previous two strategies if unsuccessful System Forensics : Applied Computing Year 3

  11. Allocating Data Units • Caution is required when there are damaged sectors. • Modern hard-drives mask bad sectors so that the file system does not need to be concerned. • Otherwise the file system keeps track of bad sectors • A criminal may manually modify the File System to treat a set of sectors as damaged to file evidence System Forensics : Applied Computing Year 3

  12. Data Unit Viewing • We can use the tool dcat to examine the contents of individual data units. • Alternatively we can search all data units for a specific keyword, more commonly known as a keyword search. System Forensics : Applied Computing Year 3

  13. Data Unit Allocation Status • Not all data units are allocated; as files are deleted and created, data units are being allocated and unallocated. • A Bitmap of the data units allocation status is maintained and is used by the file system to determine which data units are being used System Forensics : Applied Computing Year 3

  14. Data Unit Wiping • When a data unit is deleted it is up to the OS to either wipe the data from the data unit or not. • Depending on the OS they may only to the minimum amount of work required, i.e. just unallocate the data unit in the bitmap. • Whereas other OSs may wipe the data from the data unit and all traces of the file. This is a more secure way of deleting your files. System Forensics : Applied Computing Year 3

  15. Data Unit Wiping • If the OS does not wipe the data unit we may use third party tools to wipe the data for us, however there may be problems with this. • Example: We design a tool that • Writes Zeros to the file • Then deletes the file • Problem A: The OS may perform the operation in the opposite order, in a measure to optimise the operations. The outcome is that the file is first deleted and the write operation is ignored as the file is already deleted • Problem B: The OS may decide to allocate the modified file to a new data unit, then write the zeros, then delete the file. In this circumstance the zeros did not overwrite the data and it still exists System Forensics : Applied Computing Year 3

  16. Data Unit Slack Space • There are two types of data unit slack space • Type 1: System Forensics : Applied Computing Year 3

  17. Data Unit Slack Space • There are two types of data unit slack space • Type 2: System Forensics : Applied Computing Year 3

  18. Data Unit Slack Space • Type 1: Usually the OS will write Zeros to the slack space when the size is below that of a sector. • Type 2: The OS may not write Zeros to the slack space equal to a sector size, to reduce the number of write cycles. • Data from the previous file can remain untouched, even though the sector is allocated System Forensics : Applied Computing Year 3

  19. Meta Data File Recovers • We can restore deleted files using the files metadata only if • The meta data has not been over written by another entry • The meta data has not been wiped by the OS. • If the above conditions hold, then we may be able to recover the file, simply by reading the referenced data units. System Forensics : Applied Computing Year 3

  20. File Meta Data • The meta data describes which data units a file is using. • Files may not use consecutive data units. • A file may leave some slack space at the end of a data unit. System Forensics : Applied Computing Year 3

  21. More Meta Data Analysis • File meta data also contains information on when the file was last access, modified or created. • This information can be used to establish a chain of events and can be considered as evidence. System Forensics : Applied Computing Year 3

  22. Compressed and Encrypted Data • The OS may decide to compress or encrypt data at three levels • Application level, where the appropriate application creating the file performs the operation to encrypt or compress • File Level, where a separate tool can compress or encrypt the file, e.g. winzip • System Level, where the OS can compress or encrypt files per data unit. System Forensics : Applied Computing Year 3

  23. Compressed and Encrypted Data • All levels of encryption or compression can cause trouble for the file system analyser, as they may not know the encryption key or compression algorithm being used. System Forensics : Applied Computing Year 3

  24. Next Week • FAT and NTFS file system concepts System Forensics : Applied Computing Year 3

More Related