D2_2 Vid Flashcards
Volume Boot Record
Block size is the minimum file size I can use on a computer system
The volume boot record is defined in the MBR. So I go into where the MBR tells me, and I go to the 4th character. I extract that data, and I find that I’ve got 0002. I check to confirm that’s the area where it defines what the block size is.
A block size of 2? Has anybody heard of such a thing? That’s madness. Either I’ve made a mistake or something funky is going on.
A block of memory accesses the CPU??
In a written number, the smallest part is on the right and the biggest part is on the left.
Little Endian: we read the smallest part first, i.e. we start from the RHS.
Big Endian: we read the biggest part first.
UTF-8 is Unicode. And it’s basically an extension of ASCII
UTF-8 takes the ASCII table as it is and just adds another byte
File System
We’ve got 4 main things a file system needs to do:
- track the name of an object
- track the starting point of the object
- track all the parts of the object, i.e. chaining
- track how much space we’ve got available, i.e. volume allocation
File System 2
Back then, we had a VHS system. So I went out and got 10-pack cassettes.
I then labeled the cassettes 1-10, with the label stickers that came with the cassettes.
We had a shelf near the TV where we’d put cassettes that are in use while we put blank tapes in a basket
We had a book where we record the number and title of movies. We might even give a date, a time and who owns it, in addition to the number and title (Indiana Jones movie). And then I record Indiana Jones. I then put that onto the shelf.
Now if I want to play it, I go to the book and look for Indiana Jones, and it is on number 6.
Let’s imagine that the Indiana Jones film is now illegal. So on a tip-off, the police storm my house. They go through the book, and now they know who owns it, when it was recorded, and it even matches my handwriting.
Another scenario: after watching my Indiana Jones movie, I rewind it, take it out, put it in the basket and remove the entry from the book.
The police come in, check the book and there is no Indiana Jones entry. And the entries in the book match what’s on the shelf.
Now the officers look through the basket, watch every tape from the beginning and find Indiana Jones. Am I guilty of possessing the film?
I can claim that I didn’t buy the cassette new, that it was already there when I bought it. Who recorded it? Maybe it was even recorded before it became illegal.
The level of evidence is much lower than in the first scenario because I’ve lost my metadata and all my referencing. So now I’ve got enough wiggle room to suggest that it was done by someone else and not me.
What we are talking about here is an unallocated piece of data, i.e. there is no connection to it.
Another scenario: let’s assume I recorded 90 mins of England vs Iceland in 2016. After watching it, I am pissed, so I unallocate it and put it in the basket in disgust.
My cousin then comes visiting on holiday and records 30 mins of Dr Who over it. That gets put in the book and the tape goes on the shelf.
In the meantime, the England match has been declared illegal and possession of it now attracts a mandatory custodial sentence.
Now the police arrive on a tip-off and search the book, and there’s no mention of football. And every entry on the shelf matches what it says in the book.
They go through the slack space of the tapes in the basket and find nothing.
So a particularly tenacious officer starts to watch Dr Who, and after 30 mins he gets into the England match, and I’ve got 60 mins of that match left fully intact. Now there’s a bit of a problem, isn’t there.
That’s what we call slack space. Slack space occurs where a smaller piece of data is written over a larger piece of data that was supposedly deleted, and the remainder of the old data survives. That remainder might be corrupt or slightly damaged: if it’s a picture, I might lose some part of the top of it while the rest is clear.
So this is a bit of a problem for the suspect, particularly if it’s a picture taken at a murder scene with the suspect holding the axe.
However, if it’s just a simple illegal image, can I prove that that person had that image? When was it deleted? It is just indicative. It is still difficult to prove.
So the evidential value of that is much lower, unless the picture has some intrinsic evidential value.
File System 3
For modern file systems, the smallest allocation (block size) is 4k bytes.
He creates a Notepad file, types in “Hello World!” and saves it on his desktop. When he hovers over the file with his mouse, it says 0 bytes, but you see its size as 1KB on the right-hand side under “Size”.
But when he right-clicks and goes to “Properties”, we see that the size is 12 bytes (“Hello World!”) while “Size on disk” is 0 bytes.
Size on disk is 0 bytes because the minimum allocation is 4K bytes.
The book is the equivalent of the file system.
So imagine I needed to record 15 seconds of information, like the number of an X Factor contestant I wanted to vote for. Instead of recording 15 seconds of information on a tape that holds 3 hours, I could make an entry for tape X in the book and write the number down right there. All I have wasted now is a page in the book, and that’s more efficient than wasting a 3-hour tape.
And that’s why the file reports itself as 0 bytes on disk: it’s not on disk, it’s stored in the file system itself. That is what we call a resident file.
With our analogy, tapes on the shelf with full metadata are allocated.
Tapes in the basket without metadata are unallocated, even though they may have full recordings on them.
Unallocated is like a boat whose line to the mother ship has been cut.
It’s the same for files.
FAT
The original file system that came with the PC was FAT. Technically it was FAT12, i.e. 12 bytes.
Then we got bigger hard drives and started using DOS, and we went to what’s technically called FAT16.
Then we got Windows 2.1 and our hard drives got bigger and FAT16 wasn’t good enough, so we increased it to FAT32.
FAT32 has since been extended further into Extended FAT (exFAT), used on the Xbox.
There is a glaring problem with the FAT file system: security.
How much security is there in the FAT system? It’s got no real concept of security.
Things like removable memory, such as flash drives and memory cards in our cameras, still use FAT file systems.
So FAT is still with us. It is completely open source and there are no license fees to be paid for it. And it’s really easy to do things like undelete data. So a lot of people love FAT.
However, Microsoft got together with IBM and created NTFS.
The success of any OS is the number of applications developed and available for it. That’s why OS/2 by IBM pretty much died out while Microsoft prevailed with its Windows OS.
For Linux, it’s the ext family: ext3, ext4
And for Apple, we have the APFS, which took over from HFS+
The FAT system is simpler. In every folder we get a directory, which is a small file that looks like this. Each of these lines is an entry placed on disk. Notice that we’ve color-coded it for good visuals. And that’s the entire directory entry for a single file.
So in our FAT system, the book is basically stored within each directory. Each directory then has a sort of book below it, and it acts as a tree.
So we start with the root directory, which would be the C:\ drive. From there we’d have folders. When you go into a folder, you’ll find another entry in there which would define its.
So in a file system, all we have is a file name, the status of the file (whether it’s deleted, whether it’s a directory), the timestamp and the location where the actual data resides.
So effectively in FAT we have a record, and that record points to the disk itself and tells you the starting point of the data. One of the things we use in there is what is called the File Allocation Table (FAT). The FAT maps onto the hard drive and chops it up into little sections.
So when I come in here and say I’ve got a file, I’ll point to it and say it starts here. That then maps onto a location on the hard drive, and I can go to that location and pull the data out. (55:18)
File systems organize files on storage devices. This means that if we use file systems, we don’t have to constantly reinvent the wheel.
NTFS
NTFS is a file system developed jointly by Microsoft and IBM
NTFS is broken into these 4 main areas:
- Boot Sector
- Master File Table ($MFT)
- System Files
- Data Area
The MFT is the equivalent of the book from our VCR analogy, and we find our file system in there.
Then we have our system files which help support it.
And then we’ve got the expansive disk where the data gets put into. That is the equivalent of our cassettes.
MFT
At the moment, each record is a standard 1024 bytes of data, and each of those bytes has a specific meaning that we can look up.
If we look at one of these records, we’ll see that we’ve got a starting point and an attribute ID.
- $Standard_Information we would always get
- $Attribute_List we would always get
- $File_Name we would always get
and then we’d have many optional attributes, such as whether it’s encrypted or whether it’s compressed.
So when I want to write a file in Windows NT, I ask for the file to be written and an entry is put into the Master File Table (MFT).
The MFT is usually a big lump, about 20% of your hard drive, and these entries are already allocated, so I might have 1000 slots (1024 bytes each). If I’ve got one available, then I’ll just add it.
And if Windows decides that is not what it wants to do, it might look for the first available one, and that might contain data that was used for a file that’s now deleted.
In that case, I would overwrite that entry and I would have my data there. It would then have a pointer from the file system to the disk.
Access Control Lists
In the MFT there would be a link to the file permissions. Our user ID is compared to the information stored on the file, and we’ll be given permission to view it or denied permission as the case may be.
Saving File Data - Small File Example
(55:22) So here’s an entry for a file and it tells you where it is.
The FAT entry states that it starts at Cluster 10 and it’s allocated.
File Chaining Using FAT
(55:38) So here’s our file1.
File 1 has got its file name, its timestamp, etc. And it’s also got an entry in the FAT table which says ‘I start at 2’. So we move over to the FAT table; File 1 starts at 2. And I see that the next one in the FAT table is 3.
Page 124 is really important for understanding FAT tables (56:50).
The FAT system is really quite simple: it’s just a file name, some simple attributes and a link into the FAT table, which maps the hard drive and allows us to see where the data is.
So what happens when we delete a file in FAT?
Deleting Files in FAT
(58:27) We don’t actually remove the record; we leave it there and we’ll reuse it in a bit. What we do at the moment is change the first letter of the file name to E5 in hex. We then remove the entry from the FAT table, which makes it blank, but the data itself is not overwritten.
So basically we’re just taking the file off the shelf. It’s in the basket, with its full data intact.
Now if I was to go back to that system and use the “undelete” command, it would replace that E5 with an underscore and my file would automatically reappear as if nothing had happened. The only problem is that I have lost the first letter; it is gone. And this is why FAT was so popular: if I accidentally delete a file, I can very easily undelete it.
(1:00:56) So all we do with FAT is literally change 1 byte. We change the byte from 1 to 0, and that record is now ignored by the file system. The file system then says we’re not going to use that anymore, the file is gone. The record stays in the MFT, the book. The allocation of that file gets removed, but the data doesn’t get touched.
So if I was to run a utility, I would be able to get both the metadata and the file back in a FAT system, if I get to it soon enough.
However, on a busy file system, the record that was in the MFT would become overwritten, the equivalent of wiping the entry in the book (written in water-soluble pen) and writing a new one, and I’ve lost my connection. However, the data is still there and will be there until the operating system decides to reuse those allocations.
There’s another problem: how can I know how big my hard drive is and how much data has been written to it?
With the FAT system, I can look at the FAT table, and wherever there are blanks I know that block is available.
So, very quickly, even if it’s fragmented, I can easily see where I’ve got available space.
With the MFT, the way we’re looking at it, there’s nothing we can do apart from opening every record and checking its allocation, and that is very inefficient.
(1:02:54) So what Windows does is make an equivalent of the FAT table, and this equivalent is a bitmap. You can imagine the bitmap file as a sort of map: that’s allocated, that’s allocated, that bit there isn’t allocated, and then all this is available.
So the file system can look at the bitmap and say, oh, I can put this file there; oh, it’s a big file so I’m going to have to put it there instead.
That may all sound useful, but from a forensic standpoint it isn’t very useful. It’s just a way of keeping track of our drives.
(1:06:38) I am just going to show you an MFT record. I am just going to load up FTK Imager. He’s actually looking at his computer’s hard disk’s main partition. Under the root directory we see all the files that belong to the Windows file system, and somewhere there we see the $MFT file itself. There we also see the $Bitmap file.
He then exports the $MFT file to his desktop.
(1:09:03) He then opens the exported MFT file using the HxD tool.
So the first entry in the MFT is an entry for itself.
An MFT record starts off with the word ‘FILE’.
(1:11:37) I’ve got another disk editor, another 3-in-one, same sort of idea. And he uses this tool to open the exported MFT file on the desktop.
HxD is very lightweight compared to the Active Disk Editor.