Post on 07-Feb-2018
Forensic reconstruction of NTFS with partially damaged metadata
Andrea Lazzarotto — andrealazzarotto.com
Metadata
“There is unfortunately very little published in terms of the procedures used to perform recovery when metadata is missing”
— Brian Carrier
NTFS
Variable structure
Very widespread
Main elements
Index record
File record
Boot sector
Reconstruction
[Figure: nodes 29, 30, 31, 100, 101, 102, 35, 104; labels Root, Root, Lost]
Result
File System Structure
5 Root
0 $MFT
1 $MFTMirr
2 $LogFile
3 $Volume
4 $AttrDef
6 $Bitmap
7 $Boot
8 $BadClus
8:$Bad $BadClus:$Bad
9:$SDS $Secure:$SDS
9 $Secure
10 $UpCase
11 $Extend
25 $ObjId
24 $Quota
26 $Reparse
66 bbb.txt
64 interesting
65 aaa.txt
−1 LostFiles
67 Dir_67
68 another
Geometry
SPC (sectors per cluster)
CB (cluster base)
File system (in clusters)
Disk (in sectors)
Pattern
A: INDX at cluster 0
B: INDX at cluster 1
C: INDX at cluster 3
Matching
SPC = 1
Disk
Matching
SPC = 2
Disk
CB
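The Geometry, Pattern and Matching slides above describe aligning INDX positions known in clusters with INDX hits found on disk in sectors, trying each SPC value to recover CB. A simplified sketch of that idea as an added example (not code from the slides or from RecuperaBit): the function name, the exhaustive voting approach, the candidate SPC list and the sector numbers are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample, following the slides: INDX records expected at
# clusters 0, 1 and 3 of the file system (pattern A, B, C).
PATTERN = {0: "A", 1: "B", 3: "C"}
# Constructed scan result: sectors where an INDX signature was seen.
# 57 is a stray hit that belongs to no position in the pattern.
FOUND_SECTORS = {57, 100, 102, 106}


def infer_geometry(pattern, found_sectors,
                   spc_candidates=(1, 2, 4, 8, 16, 32, 64, 128)):
    """Return (spc, cb, matches) that best aligns the pattern with the disk.

    pattern       -- cluster numbers (file system units) where INDX is expected
    found_sectors -- sector numbers (disk units) where INDX was actually found
    cb            -- sector at which cluster 0 starts (cluster base)
    """
    best = (None, None, 0)
    for spc in spc_candidates:
        votes = Counter()
        # Every (expected cluster, found sector) pair implies one cluster base.
        for cluster in pattern:
            for sector in found_sectors:
                cb = sector - cluster * spc
                if cb >= 0:
                    votes[cb] += 1
        if not votes:
            continue
        # The base with most votes matches the most pattern elements;
        # ties go to the lowest sector so the result is deterministic.
        cb, matches = max(votes.items(), key=lambda kv: (kv[1], -kv[0]))
        if matches > best[2]:
            best = (spc, cb, matches)
    return best


if __name__ == "__main__":
    print(infer_geometry(PATTERN, FOUND_SECTORS))          # all records found
    print(infer_geometry(PATTERN, FOUND_SECTORS - {102}))  # record B damaged
```

With record B missing, the two surviving records still agree only on SPC = 2 and CB = 100, which is why the alignment tolerates partially damaged metadata.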
Testdisk — No partition found
Autopsy — Failed to add data source
RecuperaBit — 517 objects (239.1 MB)
In the future...
FAT, EXT, HFS+, ...
CAINE
Other modules
GUI