91.580.203 Computer & Network Forensics
Xinwen Fu
Chapter 7/8 File Systems - Supplementary Materials

Dec 21, 2015

Slide 2: Outline

- More on recovering secret data
  - Rename files/directories
  - Delete files/directories
  - Copy files/directories
  - Print files
  - Format a disk
- FAT file system
- Windows registry
- NTFS file system

Slide 3: Renaming Files

- Rename files and/or file extensions
- Example: rename extortion_letter.doc to fuzzy_bunny.jpg. People looking for incriminating evidence probably won't check a picture file called fuzzy_bunny.jpg

Slide 4: Rename Files (Cont.)

- The file header implies the real file type, whatever the extension says
- Check the real file type with a hex editor (WinHex or XVI32)
- File type signatures (first bytes, hex):
  - 424D - .bmp
  - D0CF - .doc
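The check this slide describes, as an added example (not code from the slides): compare a file's leading bytes with the extension its name claims, using the two signatures listed above. The sample files are constructed; `SAMPLES`, `check_extension` and `suspicious_files` are names chosen here.

```python
from typing import Optional

# Leading bytes -> the extension they belong to (the two signatures from the slide)
SIGNATURES = {
    bytes.fromhex("424D"): ".bmp",   # "BM": Windows bitmap
    bytes.fromhex("D0CF"): ".doc",   # OLE2 compound document, used by Word .doc
}


def type_from_header(data: bytes) -> Optional[str]:
    """Extension implied by the file header, or None if no known signature matches."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def check_extension(name: str, data: bytes) -> dict:
    """Compare the extension the name claims with what the header says."""
    claimed = name[name.rfind("."):].lower() if "." in name else ""
    real = type_from_header(data)
    return {"name": name, "claimed": claimed, "real": real,
            # flag only when the header is recognised and disagrees with the name
            "mismatch": real is not None and real != claimed}


def suspicious_files(files: dict) -> list:
    """Names whose header-implied type contradicts their extension."""
    return [n for n, d in files.items() if check_extension(n, d)["mismatch"]]


# Constructed samples: a Word document renamed to look like a picture (the slide's
# extortion_letter.doc -> fuzzy_bunny.jpg trick) and a genuine bitmap header.
SAMPLES = {
    "fuzzy_bunny.jpg": bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 8,
    "photo.bmp": b"BM" + b"\x00" * 14,
}
```

Files whose header is not in the signature table are not flagged, so the table decides what the check can see.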

Slide 5: Copying Files

- Scenario #1: copying a file to a floppy disk or hard disk. If you run out of space, the pointer to the file is removed, but the data that was copied to the sectors is left in place
- Scenario #2: the computer crashes while copying a file. Again, the file contents copied to the unallocated sectors will exist, but the pointer to the data will not have been created

Slide 6: Printing a File

- When printing a file, it is spooled to the hard disk before it is printed
- Spooling involves copying the file to a temporary location, printing it, then deleting it
- After the temporary file is deleted, the data still exists on disk
- Windows XP spool folder: C:\WINNT\System32\spool\PRINTERS
  1. Click Start, and then click Printers and Faxes
  2. On the File menu, click Server Properties
  3. Click the Advanced tab

Slide 7: Temporary Internet Files

- Internet Explorer stores copies of webpages, images, and media for faster viewing later
- Default Windows XP Temporary Internet Files folder: C:\Documents and Settings\fu\Local Settings\Temporary Internet Files
- To view them in Internet Explorer: Tools -> General -> Browsing history -> Settings -> View files

Slide 8: Formatting a Disk

- When a disk is quick formatted, the file table on the disk is cleared, but the data on the disk is left in place
- Again, similar to deleting all the files on a disk

Slide 9: Hiding Folders (DOS/Windows 95)

- Create files or directories with non-printable characters [1][2]
- Example: at a DOS prompt, type the character Alt-255 using the numeric keypad. This will insert a "blank space" character, but it is not an actual space
- If you show a directory listing, you can see the file/directory exists, but you might not know exactly how many "non-printing" characters exist, or their location within the file name
- You can still access the directory via Windows Explorer and similar graphical tools

Slide 10: Attributes

- In Windows, set the "hidden" attribute on a file or directory
- Can still view files if the "Show hidden files and folders" option is checked in Windows Explorer
- Other tools may or may not display hidden files

Slide 11: Hiding Folders (Unix)

- In Unix, rename a file or directory so that its name starts with a "."
- Example: mv important.doc .important.doc
- Can still be viewed by listing all files: "ls -a"
- A Linux system for you to play with: putty - mercury.cs.uml.edu, user ???; passwd ???

Slide 12: Swap Space

- Swap space (also called a page file) is used to increase the amount of memory available to the system
- The total memory available (real RAM and the swap space) is called virtual memory
- Information is constantly being written to memory, and therefore to the hard disk
- Information can then be extracted from this file

Slide 13: Core Dumps

- Core dumps are created on Unix systems when a process or program generates a fault
- The core dump will contain all the data from CPU registers and memory at the time of the fault
- Information can then be extracted from the core dump

Slide 14: RAM Slack

- RAM slack is the area from the end of the file to the end of that sector
- Comes from RAM
- [Figure: a file occupying part of Cluster 2 (cluster size = 8 sectors); the RAM slack is the remainder of the last sector the file uses]
- Source: http://www.forensics-intl.com/def6.html

Slide 15: Residual Data Slack

- Residual data slack is the area from the end of the RAM slack to the end of the cluster - whatever was on the media before
- [Figure: the same file in Cluster 2 (cluster size = 8 sectors); after the RAM slack, the unused sectors up to the end of the cluster are residual slack]

Slide 16: Slack Space

- A cluster is the smallest logical allocation unit; a sector is the smallest physical allocation unit
- When files are deleted, both the deleted data and the data in slack space still exist
- When a file is wiped from the system (permanently removed), any data in the slack space still exists. Wipe tool: EZ Wipe
- The data in the slack space will only be removed when it is overwritten, or it is explicitly removed. A list of tools: Eraser, etc.
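The two slack regions of slides 14-16 worked through in code, as an added example (not from the slides): `slack_layout` computes the RAM slack and residual slack sizes for a given file size, and `carve_slack` cuts those bytes out of a constructed cluster image. The 512-byte sector size is an assumption; the slides state only the 8-sector cluster size.

```python
SECTOR = 512                  # assumed sector size; the slides state only the cluster size
SECTORS_PER_CLUSTER = 8       # cluster size = 8 sectors, as in the slide figures
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def slack_layout(file_size: int, sector: int = SECTOR,
                 sectors_per_cluster: int = SECTORS_PER_CLUSTER) -> dict:
    """Sizes of the two slack regions behind a file of `file_size` bytes.

    RAM slack: end of file to the end of the sector holding its last byte.
    Residual slack: end of that sector to the end of the file's last cluster.
    """
    cluster = sector * sectors_per_cluster
    clusters = -(-file_size // cluster)       # ceiling division
    sectors_used = -(-file_size // sector)
    ram_slack = sectors_used * sector - file_size
    residual = clusters * cluster - sectors_used * sector
    return {"clusters": clusters, "ram_slack": ram_slack,
            "residual_slack": residual, "total_slack": ram_slack + residual}


def carve_slack(image: bytes, start: int, file_size: int) -> dict:
    """Cut the RAM slack and residual slack bytes out of a cluster-aligned image.

    `start` is the byte offset of the file's first cluster in `image`.
    """
    lay = slack_layout(file_size)
    end = start + file_size
    ram_end = end + lay["ram_slack"]
    return {"ram_slack": bytes(image[end:ram_end]),
            "residual_slack": bytes(image[ram_end:ram_end + lay["residual_slack"]])}


def build_sample_cluster() -> bytes:
    """Constructed cluster: old content everywhere, then a 1000-byte file written
    over the front, with 24 bytes of 'R' standing in for what came from RAM."""
    cluster = bytearray(b"OLDDATA!" * (CLUSTER // 8))   # what was on the media before
    cluster[0:1000] = b"F" * 1000                        # the new file
    cluster[1000:1024] = b"R" * 24                       # RAM slack fills out the sector
    return bytes(cluster)


def demo() -> dict:
    """Carve both slack regions behind the constructed 1000-byte file."""
    return carve_slack(build_sample_cluster(), 0, 1000)
```

A file whose size is an exact multiple of the cluster size has no slack at all, which `slack_layout` reports as zero for both regions.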

Slide 17: FTK Imager to Check Deleted Files

- File -> Add Evidence Item -> Physical Drive
- In-class exercise:
  - Create a file
  - Delete the file and empty the recycler
  - Use FTK Imager to load the drive and check the

Slide 18: Outline

- More on recovering secret data
- FAT file system
  - Write
  - Delete
  - Reformat
- Windows registry
- NTFS file system

Slide 19: What areas change when a FILE is written?

- [Figure: FAT volume layout: Reserved Area (MBR, VBR), FAT1, FAT2, Root Directory, then the data area holding FILE]
- VBR: Volume Boot Record
- Writing a file

Slide 20: File Allocation Table (FAT)

- A list of entries that map to each cluster on the partition. Each entry records one of five things:
  - the address of the next cluster in a chain
  - a special end of file (EOF) character that indicates the end of a chain
  - a special character to mark a bad cluster
  - a special character to mark a reserved cluster
  - a zero to note that that cluster is unused

Slide 21: Directory Table

- A special type of file that represents a directory (nowadays commonly known as a folder)
- Each file or directory stored within it is represented by a 32 byte entry in the table. Each entry records the name, extension, attributes (archive, directory, hidden, read-only, system and volume), the date and time of creation, the address of the first cluster of the file/directory's data and finally the size of the file/directory
- Aside from the Root Directory Table in FAT12 and FAT16 file systems, which occupies the special Root Directory Region location, all Directory Tables are stored in the Data Region

Slide 22: What areas change when a FILE is written?

- [Figure: FAT volume layout (Reserved Area with MBR and VBR, FAT1, FAT2, Root Directory, data area with FILE)]
- Directory entry is created:
  Filename | Start Cluster | Size
  FILE     | 2             | 1024
  Unused Directory Entry
  Unused Directory Entry
- Writing a file

Slide 23: What areas change when a FILE is written?

- [Figure: same FAT volume layout]
- Directory entry is created: FILE, start cluster 2, size 1024 (remaining directory entries unused)
- FATs are updated. FAT entries for clusters 2-13:
  Cluster: 2  3  4  5  6  7  8  9  10 11 12 13
  Value:   E  0  0  0  0  0  0  0  0  0  0  0
  (E = end-of-file marker ending the chain at cluster 2; 0 = unused cluster)
- Writing a file

Slide 24: What areas change when a FILE is written?

- [Figure: same FAT volume layout]
- Directory entry is created: FILE, start cluster 2, size 1024
- FATs are updated: FAT[2] = E (end of chain), FAT[3..13] = 0 (unused)
- FILE contents written to data area
- Writing a file

Slide 25: What areas change when a FILE is deleted?

- [Figure: FAT volume layout (Reserved Area with MBR and VBR, FAT1, FAT2, Root Directory, data area with FILE)]
- Deleting a file

Slide 26: Deleting a file

- [Figure: same FAT volume layout]
- First character of the Directory entry is changed to 0xE5:
  Filename | Start Cluster | Size
  ILE      | 2             | 1024
  Unused Directory Entry
  Unused Directory Entry
  (the first byte, formerly "F", now holds 0xE5, so the entry displays as ILE; the start cluster and size remain)

Slide 27: Deleting a file

- [Figure: same FAT volume layout]
- First character of the Directory entry is changed to 0xE5 (entry now reads ILE, start cluster 2, size 1024)
- FAT entries are zeroed. FAT entries for clusters 2-13:
  Cluster: 2  3  4  5  6  7  8  9  10 11 12 13
  Value:   0  0  0  0  0  0  0  0  0  0  0  0
  (FAT[2] changes from E to 0)

Slide 28: Deleting a file

- [Figure: same FAT volume layout]
- First character of the Directory entry is changed to 0xE5 (entry now reads ILE, start cluster 2, size 1024)
- FAT entries are zeroed (FAT[2..13] = 0)
- Data area is not changed!
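Slides 20-28 replayed in code, as an added example (not code from the slides): a toy FAT16 volume writes FILE (directory entry, FAT chain, data), deletes it the way the slides show (first byte to 0xE5, FAT entries to 0, data area untouched), and then recovers the file from the surviving start cluster and size. The cluster size, the 0xFFFF end-of-chain value and the class and function names are assumptions made here.

```python
import struct

CLUSTER_SIZE = 4096   # assumed: 8 sectors of 512 bytes, as in the slide figures
EOF = 0xFFFF          # FAT16 end-of-chain marker (the slide's "E")
DELETED = 0xE5        # first byte of a deleted directory entry
# 32-byte directory entry: name(8) ext(3) attr(1) timestamps(14) first cluster(2) size(4)
ENTRY = struct.Struct("<8s3sB14xHI")


class FatVolume:
    """Toy FAT16 volume: one FAT, a four-entry root directory and a data area."""

    def __init__(self, clusters: int = 16):
        self.fat = [0] * clusters           # 0 = unused cluster
        self.fat[0] = self.fat[1] = EOF     # clusters 0 and 1 are reserved
        self.data = bytearray(CLUSTER_SIZE * clusters)
        self.root = bytearray(ENTRY.size * 4)

    def _slots(self):
        """(offset, unpacked fields) for every root directory entry."""
        for off in range(0, len(self.root), ENTRY.size):
            yield off, ENTRY.unpack_from(self.root, off)

    def write_file(self, name: str, ext: str, content: bytes) -> int:
        """Slides 22-24: directory entry created, FAT updated, data written."""
        needed = max(1, -(-len(content) // CLUSTER_SIZE))
        free = [c for c, v in enumerate(self.fat) if v == 0][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for i, c in enumerate(free):
            self.fat[c] = free[i + 1] if i + 1 < needed else EOF   # link the chain
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
        off = next(o for o, f in self._slots() if f[0][0] in (0x00, DELETED))
        self.root[off:off + ENTRY.size] = ENTRY.pack(
            name.upper().ljust(8).encode(), ext.upper().ljust(3).encode(),
            0x20, free[0], len(content))
        return free[0]

    def delete(self, name: str) -> None:
        """Slides 26-28: first byte -> 0xE5, FAT entries -> 0, data untouched."""
        target = name.upper().ljust(8).encode()
        off, (_, _, _, c, _) = next((o, f) for o, f in self._slots() if f[0] == target)
        self.root[off] = DELETED
        while 2 <= c < len(self.fat):       # EOF (0xFFFF) ends the loop
            nxt, self.fat[c] = self.fat[c], 0
            c = nxt

    def chain(self, first: int) -> list:
        """Follow the FAT from `first`; stops at EOF or at a zeroed entry."""
        out, c = [], first
        while 2 <= c < len(self.fat) and c not in out:
            out.append(c)
            c = self.fat[c]
        return out

    def deleted_entries(self) -> list:
        """Entries starting with 0xE5: the rest of the name, start cluster and size survive."""
        return [(n[1:].decode().strip(), first, size)
                for _, (n, _, _, first, size) in self._slots() if n[0] == DELETED]

    def recover(self, first: int, size: int) -> bytes:
        """Read `size` bytes from the start cluster: the chain is gone, so the file
        is assumed contiguous, and only the unchanged data area is used."""
        return bytes(self.data[first * CLUSTER_SIZE:first * CLUSTER_SIZE + size])


def replay_slides() -> dict:
    """Write FILE (1024 bytes), delete it, recover it from the data area."""
    vol = FatVolume()
    content = bytes(range(256)) * 4                 # constructed 1024-byte file
    start = vol.write_file("FILE", "", content)
    fat_before = vol.fat[start]
    vol.delete("FILE")
    name, first, size = vol.deleted_entries()[0]
    return {"start_cluster": start, "fat_before": fat_before, "fat_after": vol.fat[start],
            "deleted_name": name, "recovered_ok": vol.recover(first, size) == content}


def multi_cluster_demo() -> dict:
    """A 5000-byte file spans two clusters; deleting it zeroes both FAT entries."""
    vol = FatVolume()
    vol.write_file("BIG", "BIN", b"x" * 5000)
    before = vol.chain(2)
    vol.delete("BIG")
    return {"chain_before": before, "chain_after": vol.chain(2), "fat3": vol.fat[3]}
```

Recovery of a multi-cluster file is only as good as the contiguity assumption, since the zeroed FAT no longer says where the second cluster was.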

Slide 29: What areas change when a partition is reformatted?

- [Figure: FAT volume layout (Reserved Area with MBR and VBR, FAT1, FAT2, Root Directory, data area with FILE)]
- Reformatting (DOS 6.22)
- http://www.increa.com/articles/DestroyMagneticData/index.htm

Slide 30: Reformatting

- [Figure: same FAT volume layout]
- Three areas change when a partition is reformatted
- Root Directory entries are zeroed: every entry becomes an Unused Directory Entry (Filename, Start Cluster and Size cleared)

Slide 31: Reformatting

- [Figure: same FAT volume layout]
- Three areas change when a partition is reformatted
- Root Directory entries are zeroed
- FAT entries are zeroed (FAT[2..13] = 0)

Slide 32: Reformatting

- [Figure: same FAT volume layout]
- Three areas change when a partition is reformatted
- Root Directory entries are zeroed
- FAT entries are zeroed (FAT[2..13] = 0)
- Boot Record is written

Slide 33: Reformatting

- [Figure: same FAT volume layout]
- Three areas change when a partition is reformatted: the Root Directory entries are zeroed, the FAT entries are zeroed (FAT[2..13] = 0), and the Boot Record is written
- Data area is not changed

Slide 34: Outline

- More on recovering secret data
- FAT file system
- Windows registry
- NTFS file system

Slide 35: Windows Registry

- What is it: a central hierarchical database to store information necessary to configure the system for one or more users, applications and hardware devices
- Replaces AUTOEXEC.BAT, CONFIG.SYS and INI files
- First introduced in Windows 3.1 for storing OLE settings (pre 1995)
- View the Windows Registry: regedit or IceSword

Slide 36: Windows Registry

- There are five root keys:
  - HKEY_CLASSES_ROOT (HKCR)
  - HKEY_CURRENT_USER (HKCU)
  - HKEY_LOCAL_MACHINE (HKLM)
  - HKEY_USERS (HKU)
  - HKEY_CURRENT_CONFIG (HKCC)

Slide 37: Two are "Master" keys

- HKEY_LOCAL_MACHINE (HKLM): configuration data describing hardware and software installed on the computer
- HKEY_USERS (HKU): configuration data for each user that logs into the computer
- http://www.antirootkit.com/software/IceSword.htm

Slide 38: Three are derived from "Master" keys

- Architecture:
  - HKEY_CLASSES_ROOT: file associations and OLE
  - HKEY_CURRENT_USER: currently logged on user
  - HKEY_CURRENT_CONFIG: current hardware profile

Slide 39: HKEY_CLASSES_ROOT

- File associations and OLE
- From HKLM\Software\Classes

Slide 40: HKEY_CURRENT_USER

- Currently logged on user
- From HKU\SID (security identifier) of the current user
- User vs SID: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
- http://support.microsoft.com/kb/243330
- http://en.wikipedia.org/wiki/Security_Identifier
- http://support.microsoft.com/kb/154599

Slide 41: HKEY_CURRENT_CONFIG

- Current hardware profile
- From HKLM\System\CurrentControlSet\Hardware Profiles\Current

Slide 42: Windows Registry

- Wealth of investigative information:
  - Registered Owner
  - Registered Organization
  - Shutdown Time
  - Recent DOCs
  - Most Recently Used (MRU) List
  - Typed URLs
  - Previous Devices Mounted
  - Software Installed
- http://support.microsoft.com/kb/256986/EN-US/

Slide 43: Registry Tools

- Registry Reader: AccessData
- EnCase
- Windows: Regedit, Regedt32
- Freeware tools
- Never work on the original. Make a copy

Slide 44: Registry Locations

- See system files: File Explorer -> Tools -> Folder Options -> View
- Windows NT, 2000, XP, and Server 2003: the following Registry files are stored in %SystemRoot%\System32\Config\:
  - Sam - HKEY_LOCAL_MACHINE\SAM
  - Security - HKEY_LOCAL_MACHINE\SECURITY
  - Software - HKEY_LOCAL_MACHINE\SOFTWARE
  - System - HKEY_LOCAL_MACHINE\SYSTEM
  - Default - HKEY_USERS\.DEFAULT
- The following files are stored in each user's profile folder:
  - %UserProfile%\Ntuser.dat - HKEY_USERS\<User SID>
  - %UserProfile%\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat (path is localized) - HKEY_USERS\<User SID>_Classes
- Windows 95, 98, and Me: the registry files are named User.dat and System.dat and are stored in the C:\WINDOWS\ directory. In Windows Me, Classes.dat was added
- Windows 3.11: the registry file is called Reg.dat and is stored in the C:\WINDOWS\ directory

Slide 45: Outline

- More on recovering secret data
- FAT file system
- Windows registry
- NTFS file system

Slide 46: NTFS

- Each system component is a file - even system information
- The most important file on NTFS is named MFT (Master File Table) - the common table of files
  - Centralized directory of all remaining disk files and itself
  - Divided into records of fixed size (usually 1 KBytes)
  - Each record corresponds to some file
  - The first 16 files are housekeeping with a fixed position, and they are inaccessible to the operating system; they are named metafiles and the very first metafile is MFT itself
  - A second copy of the first 3 records, for reliability, is stored exactly in the middle of the disk
  - The remaining MFT file can be stored, like any other file, at any place on the disk

Slide 47: NTFS

- [Figure: NTFS volume layout: Master Boot Record, Volume Boot Record, MFT]
- MFT is divided into records of fixed size (usually 1 Kbytes)

Slide 48: NTFS System Files (Metadata Files)

System File | File Name | MFT Record | Purpose of the File
Master file table | $Mft | 0 | Contains one base file record
Master file table 2 | $MftMirr | 1 | A duplicate image of the first three records of the MFT
Log file | $LogFile | 2 | Contains a list of transaction steps used for NTFS recoverability
Volume | $Volume | 3 | Contains information about the volume
Attribute definitions | $AttrDef | 4 | A table of attribute names, numbers, and descriptions
Root file name index | $ | 5 | The root folder
Cluster bitmap | $Bitmap | 6 | A representation of the volume showing which clusters are in use (one bit refers to one cluster)
Boot sector | $Boot | 7 | Includes the BIOS Parameter Block (BPB)
Bad cluster file | $BadClus | 8 | Contains bad clusters for the volume
Security file | $Secure | 9 | Contains unique security descriptors for all files within a volume
Upcase table | $Upcase | 10 | Converts lowercase characters to matching Unicode uppercase characters
NTFS extension file | $Extend | 11 | Used for various optional extensions
(none) | (none) | 12-15 | Reserved for future use

Slide 49: NTFS File Attributes

Attribute Type | Description
Standard Information | Includes information such as timestamp and link count
Attribute List | Lists the location of all attribute records that do not fit in the MFT record
File Name | A repeatable attribute for both long and short file names. The long name of the file can be up to 255 Unicode characters. The short name is the 8.3, case-insensitive name for the file. Additional names, or hard links, required by POSIX can be included as additional file name attributes
Security Descriptor | Describes who owns the file and who can access it
Data | Contains file data. The $DATA attribute describes "data runs", the clusters used by the file
Object ID | A volume-unique file identifier. Used by the distributed link tracking service. Not all files have object identifiers
Logged Tool Stream | Similar to a data stream, but operations are logged to the NTFS log file just like NTFS metadata changes. This is used by EFS
Reparse Point | Used for volume mount points. They are also used by Installable File System (IFS) filter drivers to mark certain files as special to that driver
Index Root | Used to implement folders and other indexes
Index Allocation | Used to implement folders and other indexes
Bitmap | Used to implement folders and other indexes
Volume Information | Used only in the $Volume system file. Contains the volume version
Volume Name | Used only in the $Volume system file. Contains the volume label

Slide 50: Storing Files in NTFS

- $LogFile metadata file is updated
  - Transaction steps are logged
  - Used to "roll back" if necessary

Slide 51: Deleted File

- Parent directory: index entry removed; $BITMAP attribute updated*
- MFT file record marked available; MFT $BITMAP attribute updated
- $Bitmap metadata file updated if the file has non-resident clusters
  - Resident: the file's data can be stored within an MFT record
  - Non-resident: the file's data cannot be stored within an MFT record

Slide 52: Deleted File (Cont.)

- Index entry removed
- [Figure: MFT records 213-221: the directory record MYFILES ([214]) with index entries for MYFILE.HLP, README.TXT and SYSTEM.DLL; file records for MYFILE.HLP, SYSTEM.DLL and README.TXT, each with parent [214]; the directory record Recycler and its SID-named subdirectory S-1-5-21-3xxxxxx (parent [218]); and record 6, the $BITMAP file record. The index entry for MYFILE.HLP is removed from the MYFILES directory]

Slide 53: Deleted File (Cont.)

- MFT record marked available
- [Figure: the same MFT records; the file record for MYFILE.HLP (record 216, parent [214]) is now marked available, while the other records are unchanged]

Slide 54: $MFT Attribute Updated

- [Figure: the $MFT file record: File Record Header, $STANDARD_INFORMATION, $DATA, $BITMAP]
- $BITMAP bytes: 11111111 11111111 00000000 11100111 00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000
- The bytes are read from right to left
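Decoding the $BITMAP bytes above, as an added example (not from the slides): each byte covers eight MFT records and is read right to left (bit 0 is the lowest record), so the byte 11100111 marks records 24, 25, 26, 29, 30 and 31 as in use and 27 and 28 as free. `mark_available` performs the change slide 53 describes. The sample bytes are those on the slide; the function names are chosen here.

```python
# The $MFT $BITMAP bytes shown on the slide, one byte per group of eight records
SLIDE_BITMAP = bytes(int(b, 2) for b in (
    "11111111 11111111 00000000 11100111 00000001 "
    "00000000 00000000 00000000 00000000 00000000 00000000 00000000").split())


def record_in_use(bitmap: bytes, record: int) -> bool:
    """True if the record's bit is set. Bit index = record % 8, least significant
    bit first, which is why the printed byte has to be read right to left."""
    byte, bit = divmod(record, 8)
    return bool(bitmap[byte] >> bit & 1)


def records_in_use(bitmap: bytes) -> list:
    """All MFT record numbers whose bit is set."""
    return [r for r in range(len(bitmap) * 8) if record_in_use(bitmap, r)]


def mark_available(bitmap: bytes, record: int) -> bytes:
    """What deleting a file does to the $MFT $BITMAP: clear the record's bit."""
    buf = bytearray(bitmap)
    byte, bit = divmod(record, 8)
    buf[byte] &= ~(1 << bit) & 0xFF
    return bytes(buf)
```

The record contents are not touched by `mark_available`, which is why a record cleared here can still be read until the slot is reused.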

Slide 55: File Deleted

- $Bitmap updated
- [Figure: the same MFT records (213-221) as before; record 6, the $Bitmap file record, is updated]

Slide 56: Recovering Deleted Files

- Software tools: FTK Toolkit, GetDataBack (Runtime), R-Studio, CIA Unerase, etc.

Slide 57: Deleted vs "Recycled"

- Deleted or "Recycled":
  - Sent to the Recycle Bin
  - Deleted from the Recycle Bin
  - Deleted bypassing the Recycle Bin - Shift+Del

Slide 58: Win2K/XP Recycle Bin

- "Recycler" folder for NTFS
- Configure Explorer to show hidden and system files
- The SID-named subdirectory contains: INFO2, Desktop.ini, placeholder(s)
- Use FTK Imager to load the Recycler folder for viewing

Slide 59: NTFS Recycle Bin

- [Figure only]

Slide 60: Placeholder(s)

- An entry for each deleted item:
  - Hidden from view in the GUI environment
  - Date & time unchanged from the original file
- If a subdirectory is deleted, only one placeholder is made

Slide 61: Placeholder(s)

- Naming: D<original drive letter><#>.<original extension>
- Examples: DC1.TXT, DC2.JPG, DC3.BMP

Slide 62: INFO2 File

- An 800 byte entry is made for each recycled object:
  - Recycled date
  - Original path and filename
  - Placeholder drive letter and #

Slide 63: INFO2 File (Cont.)

- [Figure: annotated hex dump of an INFO2 file, labelling the start of the record, the ASCII file name, drive letter, deletion time, file size, Unicode file name, record size and record ID]

Slide 64: Recycled date and time issue

- Windows saves time stamps in "FILETIME" format. FILETIME format is the number of ticks, in 100ns increments, since 00:00 1 Jan, 1601 (UTC)
- Recycle Bin tools (X-Ways Trace, IEHistory, Datalifter) will convert the time for you
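The conversion those tools perform, together with the INFO2 record fields of slides 61-63, as an added example (not code from the slides or from any of the tools named): `parse_info2` reads each 800-byte record, converts its FILETIME deletion stamp and rebuilds the placeholder name. The 20-byte file header and the field offsets used here (ASCII path at 0, record index at 260, drive number at 264, FILETIME at 268, size at 276, Unicode path at 280) are assumptions taken from the commonly documented Win2K/XP layout; the INFO2 blob is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 20     # assumed header: version, two unknowns, record size, total size
RECORD_SIZE = 800
# assumed record layout: ascii path, index, drive number, FILETIME, size, unicode path
RECORD = struct.Struct("<260sIIQI520s")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 00:00 UTC (the slide's definition)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used only to build the constructed sample record."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(blob: bytes) -> list:
    """One dict per INFO2 record; the placeholder name follows slide 61's pattern."""
    _version, _, _, rec_size, _ = struct.unpack_from("<IIIII", blob, 0)
    records = []
    for off in range(HEADER_SIZE, len(blob) - rec_size + 1, rec_size):
        apath, index, drive, ft, size, upath = RECORD.unpack_from(blob, off)
        ascii_path = apath.split(b"\x00", 1)[0].decode("latin-1")
        uni_path = upath.decode("utf-16-le").split("\x00", 1)[0]
        ext = uni_path[uni_path.rfind("."):] if "." in uni_path else ""
        letter = chr(ord("A") + drive)              # drive number 2 -> "C"
        records.append({
            "index": index,
            "drive": letter,
            "deleted_utc": filetime_to_datetime(ft),
            "size": size,
            "path": uni_path or ascii_path,
            "placeholder": f"D{letter}{index}{ext}",   # D<drive><#>.<original extension>
        })
    return records


def build_sample_info2() -> bytes:
    """Constructed INFO2: one record for a .doc on C: deleted 2005-04-01 12:00 UTC."""
    path = r"C:\Documents and Settings\fu\My Documents\extortion_letter.doc"
    when = datetime(2005, 4, 1, 12, 0, tzinfo=timezone.utc)
    header = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0)
    record = RECORD.pack(path.encode("latin-1"), 1, 2, datetime_to_filetime(when),
                         4096, path.encode("utf-16-le"))
    return header + record


def deleted_iso(blob: bytes) -> list:
    """Deletion times of all records as ISO-8601 UTC strings."""
    return [r["deleted_utc"].isoformat() for r in parse_info2(blob)]
```

The converted value is UTC; presenting it in local time still needs the time zone setting the summary slide warns about.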

Slide 65: Desktop.ini

- A folder configuration file
- Created when the Recycle Bin is created
- Only modified if the Recycle Bin is EMPTIED; all date/time information is updated when the bin is emptied
- http://www.xs4all.nl/~hwiegman/desktopini.html

Slide 66: Recovering From Recycle Bin

- When an object is sent to the Recycle Bin, the MFT record for the deleted object is simply changed. The $Filename attribute is changed to:
  - Change the filename to the placeholder name that appears in the Recycle Bin (placeholder format: D + drive letter + #)
  - Change the record number of the parent directory from the old parent directory to the SID-named directory in the Recycler directory
- Copy placeholders to a separate drive
- Copy the INFO2 file; use a utility to parse out date/time data:
  - X-Ways Trace - http://www.x-ways.net/trace/index-m.html
  - Datalifter
  - IE History

Slide 67: Summary

- Deleting and formatting on a hard drive does not touch the data area
- Often evidence can be found in deleted files, and in the Recycle Bin
- System clocks and default timezone settings are very important

Slide 68: Review

- What happens to deleted FAT files?
- What about formatting?
- What happens to deleted NTFS files?
- Recovering deleted files

Slide 69: References

1. Nathan Heald, http://dos.rsvs.net/DOSPAGE/DEBUG.HTM, 2008
2. IronGeek, ALT+NUMPAD ASCII Key Combos: The α and Ω of Creating Obscure Passwords, 2007
3. Description of the Microsoft Windows registry, http://support.microsoft.com/kb/256986/EN-US/, August 12, 2005
4. Dmitrey Mikhailov, NTFS file system, http://www.digit-life.com/articles/ntfs/, 2004
5. NTFS - New Technology File System designed for Windows NT, 2000, XP, http://www.ntfs.com/, 2005
6. Brian Mork, Destroying Data on Magnetic Disks - Linux or Windows, 2005
7. How the Recycle Bin Stores Files, http://support.microsoft.com/kb/136517/en-us, December 16, 2004
8. The Mysterious Recycle Bin, http://www.infocellar.com/winxp/Recycle-Bin.htm, 2006
9. Anders Svensson, Computer Forensics Applied to Windows NTFS Systems, http://www.dsv.su.se/research/seclab/pages/pdf-files/2005-x-268.pdf, April 2005
10. Keith J. Jones, Forensic Analysis of Microsoft Windows Recycle Bin Records, http://www.e-fense.com/helix/Docs/Recycler_Bin_Record_Reconstruction.pdf, 5/6/03