Reconstructing FAT File System Structures Flashcards
Photographic documentation must be used to…
Place material and to avoid claims of mistaken identity or mis-configuration
Storage comes in arbitrary forms:
- Tiny USB mass storage devices
- Gaming consoles
- Smart watches
- Phones
- Digital photo frames
- Local surveillance camera storage
- Photo frames
- Backup media
Forensic Duplication:
The ability to produce an identical byte stream from the duplicate as from the original
A forensic duplicate is a file (or artefact) containing…
Every bit of information from the source, typically in a raw format
A qualified duplicate provides…
The same information as a forensic duplicate, but contains further embedded meta-data or employs certain kinds of compression
A restored image is a…
Forensic or qualified forensic duplicate restored to another storage medium
A mirror image provides a…
Bit-wise copy from one medium to another
Device must ensure that no write occurs on the original device but…
Recall that even during the read-only operation, the device may alter its internal state
Imaging device must…
Perform sector-by-sector copying
Error conditions must be…
Identified clearly, with detailed logging
Integrity of duplicated data must be…
Traceable, typically using cryptographic hash information
Creating Forensic Duplicates - Additional information which should be recorded:
- Time and location of duplication session
- Diagnostic information from device
Any mechanism providing imaging or write blocking must provide assurance of maintaining the objectives:
- Manufacturers may need to provide expert testimony when challenged
- Forensic laboratories may provide test results
- The NIST CFTT provides detailed test plans for imaging and write blocking devices
- Hardware-based systems are simple to implement and particularly to validate
Volume systems may be used to…
Combine multiple sub-volumes into a single volume
All components required for duplication must be…
Identified and recorded clearly
Disks and partitions may contain un-allocated space as well as slack space, which can be used by…
Arbitrary file systems and must be analysed separately
Reconstruction of on-disk data depends on a number of factors including:
- Has the medium been used in some way after the incident
- Has any deletion occurred
- Is the use of wiping tools suspected
- Is the presence of anti-forensic or malware components suspected
- Is the file system complete
- Is knowledge of file content or file format available
- Is sought-after information replicated
Establishing that a volume holds a FAT file system:
- Finding the 0x55AA boot sector signature, or the signature in the reserved area, is the quickest approach
- Even for file systems, the structure of FAT can often be hypothesised
Identify the first cluster:
Easy only if the exact FAT type and cluster size are known
Knowledge of the OS version which created or used the file system is important because…
Cluster allocation strategy may vary
Once a directory entry has been located, the base entry must be identified:
- For long file names, multiple entries may exist
- Recall that the allocation status is set by the first byte of the base entry
- The base directory entry will also hold the starting cluster of the file
- On creating a new directory, the OS will generally zero/wipe the cluster; the first two entries are the “.” and “..” entries
The FAT structure will contain a chained list of entries for all data clusters and the last block will contain…
An End-of-File (EOF) marker
Deleted/De-allocated files will result in…
Deletion of first byte of directory entry
Deletion of first byte of directory entry can cause…
Ambiguity in file names
Long file name entries can be used to…
Reconstruct original file name
If a directory entry is zeroed out…
Files are now orphaned
Recovery requires use of heuristics for file or directory structures:
- This may sometimes find files of earlier generations
- Time values in entries are not always reliable, but can provide circumstantial evidence
Processes for reconstructing files are similar to those for directories:
- Where cluster information is available, simply following the chain is straightforward
- Otherwise content-specific heuristics may be needed
As data is allocated on a cluster basis, on average half of the last cluster will be un-used, but for re-used clusters…
This means that data in this slack space may remain for some time until it is overwritten