Exam 3 Flashcards
NTFS
New Technology File System
Allows for multiple filenames for same data.
Differentiates between upper and lower case.
NTFS Structure
No system area, all data area.
Everything is a file.
Max number of files unlimited (only limited by drive size).
NTFS System Files
Boot record, root directory, and system area all files.
Normally start with $.
When formatted, system files created on drive.
Clusters in NTFS
Start counting at 0.
Cluster size usually 4096.
$MFT
Master File Table.
Most important.
Takes the place of root directory and file allocation table.
Can take up to 12.5% of drive.
$MFT Structure
Composed of records.
Includes $MFT itself.
First 16 records reserved for metadata files.
Every file and directory has at least one record here.
$MFTMIRR
Backup files. First four records of $MFT: $MFT (0), $MFTMIRR (1), $Logfile (2), $Volume (3).
$Logfile
Records operations affecting file structure.
Records file system changes.
Used for Recovery.
$Volume
Information about the volume. Volume name. NTFS version. State of volume. Dirty flag (requires checkdisk to run; checks for errors).
$Logfile: Forensic Significance
Can contain information on creating, moving, or deleting files.
$AttrDef
Info about all attributes defined on a volume.
Not the same as FAT Directory attributes.
List of attributes can be extended or changed by modifying this file.
. (Root Directory)
Does not have $.
Listing of all files and folders.
\
$Bitmap
Like file allocation table.
Tracks cluster usage.
Allocation state of each cluster in volume.
Each bit indicates if a cluster is free or not.
1 if occupied, 0 if empty.
Does not point to cluster.
$Boot
Volume Boot Record. Located in sector 0 of volume. Up to 16 sectors in length. # of sectors per cluster. Location of MFT. Total sectors in volume. Serial number. Back-up of first sector of $Boot at end of volume.
Resident Files
Files under 1024 are contained completely within $MFT.
Non-Resident Files
Files over 1024 will be stored somewhere other than $MFT.
Metadata Files
File system files that are created during formatting process.
Not created by Windows.
Some can be used to recover deleted partitions ($Boot).
$BadClus
File consisting of all bad clusters on volume.
If one (sector?) is bad, the entire cluster is marked bad.
1 for bad, 0 for good.
$Secure
Contains all security descriptors used on volume and their hash.
File’s “security ID” is an index into $Secure.
$UpCase
Translates upper and lower case letters.
Used to assist in sorting and searching file names.
Files
Series of attributes. Every file will have: Standard Information Attribute (SIA). Filename Attribute. Data Attribute.
Attributes
Anything that describes the file.
Name, Dates, Data.
Folders
Every folder will have:
Standard Information Attribute (SIA).
Filename Attribute.
Index Root Attributes.
$MFT Records
Records are 1024 bytes in length.
Each record begins with 56 byte record header.
Offsets start at beginning of record.
Standard Information Attribute
SIA. Present in every record. 96 bytes in length. Contains dates and times associated with file. 0x10 00 00 00. SIA always resident.
Update Sequence Array
If information goes over a sector (?), this keeps track of the overflow data so it doesn’t get rewritten.
Has code so can find the rest elsewhere.
“fix-up” array.
Record Header
Offsets 0-4 signature (FILE is good to search for in records in unallocated space).
Update Sequence Array.
Sequence Count: Number of times $MFT has reused this record.
Filename Attribute
FNA.
Every file and folder has one.
Dates not updated as frequently as SIA, so unreliable.
0x30 00 00 00
Data Attribute
Every file has one.
0x80 00 00 00.
Can be Resident or Non-Resident.
Folders do not have a Data Attribute.
Record Slack
Data from the End of Record Marker to end of 1024 record is Record Slack.
Data Attribute: Non-Resident
If data exceeds $MFT record (1024) it is placed in next available cluster.
A runlist of clusters will point to their location.
Runlist
Has number of clusters and starting location.
If file is fragmented, there will be multiple run lists.
If multiple lists, location can be a negative value.
Location is a signed integer.
UTC
Greenwich Mean Time.
Paris, France.
We are UTC-6.
Triage Rules
#1: If the computer is off, leave it off! #2: If the computer is on, it depends!
Triage Documentation
Make, model, serial number.
What state is it in?
On? Off? Disconnected? Damaged?
Photograph.
Triage: Live Computer First Steps
Wake computer (mouse, shift key). Document and photograph all open windows. Check task tray for open applications. Check for encryption. Do as little as possible.
Triage: Live Computer: Things to Check
Check task tray for open applications.
Check for encryption or encryption programs that are running.
Triage: Live Computer: Things to Get
Make image. Check online/cloud storage. Try to get encryption passwords and codes. Consider logical acquisition/RAM dump. Capture RAM.
Triage: Online/Cloud Storage
When machine is off, access to these is gone.
Make sure warrant covers looking at this.
May need new/additional warrant.
Triage: Encryption
Save encryption keys or get from IT if applicable/possible,
OR Create forensic image of encrypted volume while accessible
OR Disable encryption if possible (this will change info, document everything!).
Triage: Destructive Processes
Pull the plug!
Observe time from authoritative source.
Triage: Client OS
Destructive processes: pull plug!
Observe time from authoritative source.
Document!
If client hosts network services, especially databases, shut down normally.
Triage: Server OS
Shut down normally.
Observe time from authoritative source.
Document!
Triage: Pull the Plug (Desktop)
Unplug power directly from the back of the computer.
NOT from the wall, because power can run through surge protectors and power filters.
Triage: Pull the Plug (Laptop)
Laptops have more than one power source: power supply and battery. Disconnect both to shut down. It can be easier to do the battery first. Be sure to take the power supply!
Computer Boot Process in Lab
Need to boot computer without changing evidence.
BIOS
Basic Input Output System.
Small code segment generally stored in ROM.
Includes information for a computer to interact with different I/O devices.
Boot
The startup process of a computer.
Allegedly from the word “bootstrap”.
Bootable Media
Media that contains startup software.
Can be a CDROM, diskette, USB device, etc.
Newer computers are set to boot from CD/USB, but older computers generally are not.
CMOS
Complementary Metal Oxide Semiconductor.
Contains system date/time and initial startup info.
Powered by a “button” battery on motherboard.
KERNEL
The core that provides basic services to all other parts of the operating system.
POST
Power On Self Test. CPU checks itself and the POST program by comparing code against identical permanent records. Checks system timer. Checks that pathways are available and functioning. Verifies RTC. Beeps tell you what's broken.
RAM
Random Access Memory.
Volatile, lost when power is lost.
ROM
Read Only Memory.
Does not rely on power for storage.
BIOS: Booting
Typically try to disconnect hard drive first.
F2 usually boots into BIOS.
Hit boot sequence.
Change what you want to boot it to (Forensic tools, DVD, flashdrive, etc).
May do this right at scene if needed (missing child, etc).
BIOS: Forensic Importance
Retrieve date and time that computer was seized.
Can show how many hard drives are connected.
Forensic Examinations
These need to be done in every examination.
Document BIOS information.
Once recorded, make image.
Extensible Firmware Interface
Much like BIOS except:
Has built-in boot manager.
Helps if there are multiple OS’s.
Specification that defines a software interface between an OS and platform firmware.
BIOS Access
BIOS type.
System information (serial number, memory installed, model).
Date/time.
Boot sequence.
RTC
Real Time Clock.
Formats for Storing Digital Evidence.
Raw format.
Proprietary formats.
Advanced Forensics Format (AFF).
Raw Format
Makes it possible to write bit-stream data to files.
Raw Format: Advantages
Fast data transfers.
Can ignore minor data read errors on source drive.
Most computer forensics tools can read raw format.
Raw Format: Disadvantages
Requires as much storage as original disk or data.
Tools might collect marginal (bad) sectors.
Proprietary Formats
RAW, .dd, .001, .e01.
Option to compress or not compress image files.
Can split image into smaller segmented files.
Can integrate metadata into image file.
Proprietary Formats: Disadvantages
Inability to share an image between different tools.
File size limitation on each segmented volume.
AFF
Advanced Forensics Format.
Don’t see very often.
Provide compressed or uncompressed image files.
No size restriction for disk-to-image files.
Provide space in the image file or segmented files for metadata.
Open source for multiple platforms and OS’s.
Types of Acquisitions
Static acquisitions.
Live acquisitions.
Data Acquisition Methods
Bit-stream disk-to-image file.
Bit-stream disk-to-disk.
Logical disk-to-disk or disk-to-data.
Sparse data copy of a file or folder.
Bit-stream Disk-to-image File
Most common method.
Can make more than one copy.
Copies are bit-for-bit replications of original drive.
ProDiscover, Encase, FTK.
Bit-stream Disk-to-disk
When disk-to-image copy is not possible.
Consider disk’s geometry configuration.
Encase, SafeBack, SnapCopy.
Logical Acquisition or Sparse Acquisition
When your time is limited.
Captures only specific files of interest to case.
Sparse also collects fragments of unallocated (deleted) data.
For large disks.
PST or OST mail files, RAID servers.
Forensic Duplicate
Bit-for-bit copy of original media.
Copies all info and sectors on drive (deleted, slack, unallocated, etc.)
File Copy
Only copies data files.
Does not include deleted or hidden files, file slack space, or unallocated or bad clusters.
Physical Copy
Gets everything.
Want to do this unless not possible.
Logical Copy
Only gets data area.
Duplicate Imaging
Because computer evidence can be easily altered, destroyed, or hidden.
All data areas will be imaged.
Duplicate Imaging: Advantages
Preservation of original evidence.
Prevention of inadvertently altering the original evidence during examination.
Can recreate perfect duplicate from duplicate and does not degrade.
Sterilized Media
Start with this.
The media is wiped clean using software to write all zeroes to the media.
Ensures there is no residual data from previous investigations.
Sterile Media
Media on which every byte has been overwritten by a known hex value or random hex value.
Also known as “wiping” or “sterilizing”.
Forensic Sterilization
Forensic wiping.
0x00 is written over everything.
Allows for verification: checksum64 equals 0.
Non-Forensic Sterilization
Non-0x00 known character or random character wipes.
Wiping
Wiping resets to all 0’s.
Deleting
Normal logical file removal operations:
Simple file deletion leaves data intact.
HDD format can leave data intact.
Removing a partition can leave data intact.
When to Use Sterile Media
Whenever restoring suspect data to a drive.
Whenever someone brings you media (new or used) to place data or files onto.
Make them aware you will wipe it prior to placing the requested data on it.
Validation of Sterile Media
Use PALADIN.
Does not matter if the media is recognizable by the OS.
If software requires that the OS recognize the media a successful wipe can never be validated.
Validation
Not knowing = Not doing = DISASTER!
If you don’t know how to test and validate, should you really be a qualified forensic computer examiner?
Write Blockers
Software or hardware process that will “block” all writes to the original media.
Windows Based Imaging Tool
When using, media must be write protected.
Two methods:
Hardware.
Software.
Hardware Write Blocker
Media is physically attached to write blocker before being attached to motherboard.
Software Write Blocker
Is inserted between the OS and the disk/device drivers.
Jumper Settings
Master/slave drive settings (IDE drives only; SATA drives do not have them).
Hash
Check these to make sure they are duplicated properly (MD5 and SHA-1).
MD5 is 128 bit (16 byte) value.
Orphan File
File where parent folder is overwritten.
EnCase calls them Lost Files.
$MFT record for the folder is overwritten by a new file entry.
Files in the original folder are now orphans.
No method exists to determine what the original folder name was.
Exam Stage
Check CMOS and BIOS for date/time.
Index Root
Found in folders.
Can only hold a few filenames.
When additional names are added the attribute becomes non-resident.
When that happens, two additional attributes are incorporated.
Index Allocation Attribute.
Bitmap Attribute.