![Page 1: CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic 20/10/2011 r.ludwiniak@napier.ac.uk](https://reader036.vdocument.in/reader036/viewer/2022062518/56649e0c5503460f94af5b22/html5/thumbnails/1.jpg)
CSN11121/CSN11122 System Administration and Forensics
Introduction to Digital Forensics
20/10/2011
Lecture Objectives
1. History and definition of Digital Forensics
2. Context for an investigation
3. An overview of the main theoretical concepts
4. Storage Devices
5. Partitions
Recommended Reading
1. B. Carrier, File System Forensic Analysis, March 27 2005, Addison-Wesley Professional
2. H. Carvey, Windows Forensic Analysis DVD Toolkit, 11th June 2009, Syngress
3. C. Pogue, Unix and Linux Forensic Analysis DVD Toolkit, 30th June 2008, Syngress
4. M.E. Russinovich and D.A. Solomon, Windows Internals, 5th Edition, 7th January 2009, Microsoft Press (chapter 1 to chapter 3)
5. K.J. Jones, Real Digital Forensics, 3rd October 2005, Addison-Wesley Professional
Online Resources
• Digital Forensic Research Workshop (DFRWS)
– http://www.dfrws.org
– Challenges
– Projects
• National Institute of Standards and Technology (NIST)
– http://www.nist.gov
• Journal - Digital Investigation
– http://www.sciencedirect.com
• Forensics Wiki
– http://www.forensicswiki.org
DIGITAL FORENSICS
It is impossible for the criminal to act, especially
considering the intensity of a crime, without
leaving traces of his presence.
- Edmond Locard
With contact between two items, there will be an exchange.
- Locard’s exchange principle
Computer Forensics
• 1984 – Scotland Yard: Computer Crime Unit – FBI computer forensics departments
• 1990 – Computer Misuse Act (CMA)
Digital Forensics
The use of scientifically derived and proven methods towards the
preservation, collection, validation, identification, analysis, interpretation,
documentation, and presentation of digital evidence derived from the
digital sources for the purpose of facilitation or furthering the
reconstruction of events found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to planned operations.
- Digital Forensics Research Workshop
Investigative Context

| Context | Primary Objectives | Secondary Objectives | Environment |
|---|---|---|---|
| Law Enforcement | Prosecution | | Post-Mortem |
| Military IW Ops | Continuity of Operations | Prosecution | Real-Time/Post-Mortem |
| Business and Industry | Continuity of Service | Prosecution | Real-Time/Post-Mortem |
Digital Investigation
A digital investigation is a process where we develop and test hypotheses
that answer questions about digital events. This is done using the
scientific method where we develop a hypothesis using evidence that we
find and then test the hypothesis by looking for additional evidence that
shows the hypothesis is impossible.
Digital Evidence is a digital object that contains reliable information that
supports or refutes a hypothesis.
- B. Carrier, File System Forensic Analysis, 2006
Static vs. Live
• Traditional Static Investigations
– Hard disk or some other form of static resource
– Data at a resting state
– Able to image, return to original source and conduct further analysis
• Live investigation
– Occurs when the machine is running
Volatile Investigations
• Has impact on device under investigation
• Not repeatable
• Does not fit in with classic forensic investigative models
• OS must be trusted
• New questions cannot be asked later
Investigation Process
• Acquisition
– Preservation
– Collection
– Verification
• Analysis
– Search for evidence
– Hypothesis Creation
– Confirm or refute hypothesis with evidence
• Presentation
– Report the findings of the investigation
– Objective manner
Characteristics of Evidence
1. Data can be viewed at different levels of abstraction
2. Data requires interpretation
3. Data is Fragile
4. Data is Voluminous
5. Data is difficult to associate with reality
Best Practice
• ACPO
– Principle 1 - No action taken by law enforcement or their agents should change data held on an electronic device or media which may subsequently be relied upon in Court.
– Principle 2 - In exceptional circumstances where a person finds it necessary to access original data held on an electronic device or media, that person must be competent to do so, and be able to give evidence explaining the relevance and the implications of their actions.
Best Practice
• ACPO
– Principle 3 - An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Best Practice
• ACPO
– Principle 4 - The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Tools
• 1st Generation
– Command Line, Task oriented, Act on original data
• 2nd Generation
– GUI interface, capable of making copies, multi-functional
• 3rd Generation
– Work on distributed systems and live systems
– Live… ?
Tool Characteristics
• Verifiable - Can it be shown to behave within certain bounds of behaviour?
• Reproducibility - Can a tool produce results which are reproducible?
• Non-interference - Are the results obtained with a tool that has open source code, and thus does not contain obfuscated code?
• Usability - Can the tool help the investigator review and make decisions about the layer of abstraction being viewed?
• Comprehensive - Can the tool allow the investigator to access the data output of the tool at any given level of abstraction?
Future
• Research Challenges facing the investigation community
– S.L. Garfinkel, Digital forensics research: The next 10 years, Digital Investigation, vol. 1, no. 7, pp. 64-73, 2010
– “The coming Digital Forensics Crisis”
Challenges
• Size of storage devices
• Embedded flash devices
• Proliferation of operating systems and file formats
• Multi-device analysis
• Pervasive Encryption
• Cloud computing
• RAM-only Malware
• Legal Challenges decreasing the scope of forensic investigations
STORAGE DEVICES & PARTITIONS
Required Reading
D. Byers, N. Shahmehri, “Contagious errors: Understanding and avoiding issues with imaging drives containing faulty sectors”, Digital Investigation, no. 5, pp. 29-33, 2008
A. Jones, C. Meyler, “What Evidence is left after disk cleaners?”, Digital Investigation, no. 1, pp. 183-188, 2004
B.J. Nikkel, “Forensic Analysis of GPT disks and GUID partition tables”, Digital Investigation, no. 6, pp. 39-47, 2009
Required Reading
M. Belford, “Methods of discovery and exploration of Host Protected Areas on IDE storage devices that conform to the ATAPI-5”, Digital Investigation, no. 2, pp. 268-275, 2006
K. MacDonald, “To Image a Macintosh”, Digital Investigation, no. 2, pp. 175-179, 2006
J.R. Lyle, “A strategy for testing hardware write block devices”, Digital Investigation, no. 3, pp. 3-9, 2006
Storage Media
• Hard disks, floppy disks, thumb drives etc.
• Hard disks are the richest in digital evidence
• Integrated Disk Electronics (IDE) or Advanced Technology Attachment (ATA)
• Higher performance SCSI drives
• FireWire is an adaptation of SCSI standards that provides high speed access to a chain of devices
• All hard drives contain platters made of light, rigid material such as aluminium, ceramic or glass
More on Hard Drives
– Platters have a magnetic coating on both sides and spin between a pair of read/write heads
– These heads move like a needle on top of the old LP records, but on a cushion of air created by the spinning disk above the surface
– The heads can align particles of magnetic media, called writing, and can detect how the magnetic particles are aligned, called reading
– Particles aligned one way are considered “0” and aligned another way “1”
Hard Disks
(Figure: a hard disk with the platters, spindle, head and actuator arm labelled; photo cc by-sa, Cambridge Cat/Anna, flickr.com)
Storage
• Cylinders are the data tracks that the data is being recorded on
• Each track/cylinder is divided into sectors that contain 512 bytes of information
– 512*8 bits of information
• Location of data can be determined by which cylinder they are on, which head can access them and which sector contains them, or CHS addressing
• Capacity of a hard drive = # of C*H*S*512
Hard Disk Platters
Tracks and Sectors
(Figure: a platter showing one track and one sector of 512 bytes)
Tracks and Sectors
(Figure: sectors 1 to 8 numbered around Track #0, with Track #1, Sector #7 marked)
Storage Characteristics
• Volatility
– Non-Volatile
– Volatile
• Mutability
– Read/Write
– Read Only
– Slow Write, Fast Read Storage
• Accessibility
– Random Access
– Sequential Access
• Addressability
– Location
– File
– Content
CHS Values
• 16-bit Cylinder value (C)
• 4-bit Head Value (H)
• 8-bit Sector Value (S)
• Old BIOS:
– 10-bit C
– 8-bit H
– 6-bit S
– Limited to 528MB disk
Logical Block Address (LBA)
• LBA address may not be related to physical location of data
• Overcomes the 8.1 GB Limitation of CHS
• Plug old CHS values into:
LBA = (((CYLINDER * heads_per_cylinder) + HEAD) * sectors_per_track) + SECTOR - 1
E.g. CHS 0,0,1 = LBA 0
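The conversion above worked through in code, as an added example that is not from the lecture: CHS to LBA and back, the C*H*S*512 capacity from the Storage slide, and the 528MB figure from the CHS Values slide, which falls out of capping each field at the narrower of the BIOS and ATA widths. The 16 heads x 63 sectors geometry used for the sample values is an assumption.

```python
"""CHS <-> LBA conversion and CHS capacity limits.  Added example, not from the
lecture; the 16 heads x 63 sectors geometry used in main is constructed."""

def chs_to_lba(cylinder, head, sector, heads_per_cylinder, sectors_per_track):
    """LBA = ((C * heads_per_cylinder) + H) * sectors_per_track + (S - 1).
    CHS sector numbers start at 1, LBA numbering at 0, hence the - 1."""
    if not (0 <= head < heads_per_cylinder and 1 <= sector <= sectors_per_track):
        raise ValueError("CHS tuple does not fit the stated geometry")
    return (cylinder * heads_per_cylinder + head) * sectors_per_track + (sector - 1)

def lba_to_chs(lba, heads_per_cylinder, sectors_per_track):
    """Inverse of chs_to_lba: peel off whole cylinders, then whole tracks."""
    cylinder, rest = divmod(lba, heads_per_cylinder * sectors_per_track)
    head, sector0 = divmod(rest, sectors_per_track)
    return cylinder, head, sector0 + 1

def capacity_bytes(cylinders, heads, sectors_per_track, sector_size=512):
    """Capacity = C * H * S * 512 (Storage slide)."""
    return cylinders * heads * sectors_per_track * sector_size

def chs_limit_bytes(bios_bits=(10, 8, 6), ata_bits=(16, 4, 8), sector_size=512):
    """Largest disk addressable when one CHS tuple has to fit both the old BIOS
    and the ATA field widths from the CHS Values slide: every field is capped by
    the narrower of the two.  Sector numbers start at 1, so an n-bit sector field
    holds 2**n - 1 sectors, not 2**n."""
    cylinders = min(2 ** bios_bits[0], 2 ** ata_bits[0])        # 1024
    heads = min(2 ** bios_bits[1], 2 ** ata_bits[1])            # 16
    sectors = min(2 ** bios_bits[2] - 1, 2 ** ata_bits[2] - 1)  # 63
    return capacity_bytes(cylinders, heads, sectors, sector_size)

if __name__ == "__main__":
    geometry = (16, 63)   # assumed heads_per_cylinder, sectors_per_track
    for chs in [(0, 0, 1), (0, 1, 1), (1, 0, 1), (2, 5, 9)]:
        lba = chs_to_lba(*chs, *geometry)
        assert lba_to_chs(lba, *geometry) == chs   # round trip must hold
        print(f"CHS {chs} = LBA {lba}")
    limit = chs_limit_bytes()
    print(f"BIOS/ATA CHS limit: {limit:,} bytes ({limit / 10**6:.0f} MB)")
```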
Storage Volume
(Figures: a single Storage Volume; the same volume divided into Partition 1 and Partition 2; each of those partitions again divided into Partition 1 and Partition 2)
Volume vs Partition
• Volume
– A selection of addressable sectors that can be used by an OS or application. These sectors do not have to be consecutive
• Partition
– A selection of addressable sectors that are consecutive. By definition, a partition is a volume
(Figure: Disk 1 holding Partition 1, Partition 2 and Partition 3, Disk 2 holding Partition 4, and the resulting C: Volume and D: Volume)
Partition Analysis
• A Partition organises the layout of a volume
• Sector Addressing
– Physical Address (LBA or CHS)
– Logical Disk Volume Address
– Logical Partition Volume Address
Sector Addressing
Partition 1 Starting Address: 0
Partition 2 Starting Address: 864

| Physical Address | Logical Disk Volume Address | Logical Partition Volume Address |
|---|---|---|
| 100 | 100 | 100 |
| 569 | 569 | N/A |
| 964 | 964 | 100 |

The sector at physical address 964 is 100 sectors into Partition 2 (964 - 864), while sector 569 falls outside both partitions and so has no partition volume address.
B Carrier, File System Forensic Analysis, p. 75
Partition Analysis
• Analyse Partition Tables
– Process them to identify the layout
– Can then be used to process partition accordingly
– Determine the type of data inside the partition
• Perform a sanity check to ensure that the partition table is telling the truth
• This is important when imaging
Sanity Check
(Figure: five possible Partition 1 / Partition 2 layouts on the same disk; B Carrier, File System Forensic Analysis, p. 76)
DOS Partitions
• Most commonly found with i386/x86 systems
• No standard reference
• Master Boot Record in first sector (1st 512 bytes)
– Boot Code
– Partition Table
– Signature Value
• MBR Supports a maximum of 4 partitions
(Figure: MBR at the start of the disk followed by Partition 1 and Partition 2; B Carrier, File System Forensic Analysis, p. 83)
Partition Table
• Starting CHS Address
• Ending CHS Address
• Starting LBA Address
• Number of Sectors in Partition
• Type of Partition
• Flags
• Limitation
– 2 Terabyte Disk Partition Limitation
• MBR Partition size field is 32 bits
Extended Partitions
• Limitation of 4 Primary Partitions
• Creation of 3 Primary Partitions and 1 primary extended partition
• Primary Extended partition uses a similar MBR layout in order to create a linked list of records, showing where each new extended partition exists in relation to the start of the last
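The partition-table material on these slides put into working code, as an added example that is not from the lecture or from Carrier's book: it parses the 512-byte MBR (boot code, four 16-byte entries, 0x55AA signature), follows the extended-partition linked list, runs the sanity check from the Partition Analysis slide (entries running past the disk, entries overlapping) and translates a physical address into a logical partition volume address as on the Sector Addressing slide. The disk image is constructed inline; 0x07, 0x83 and 0x05 are the standard NTFS, Linux and extended type codes.

```python
"""Parse a DOS/MBR partition table, follow the extended-partition chain and
sanity-check what the table claims.  The disk image below is constructed for
this example; it is not from the lecture or from Carrier's book."""
import struct

SECTOR_SIZE = 512
EXTENDED_TYPES = {0x05, 0x0F}   # DOS extended / Win95 extended (LBA)
ENTRY_FMT = "<B3sB3sII"         # flags, start CHS, type, end CHS, start LBA, size

def make_entry(ptype, start_lba, nsectors, flags=0x00):
    """One 16-byte table entry; the CHS fields hold the 'use LBA' marker FE FF FF."""
    return struct.pack(ENTRY_FMT, flags, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start_lba, nsectors)

def make_sector(entries):
    """A 512-byte MBR/EBR: boot code (zeroed), 4 entries at offset 446, 0x55AA."""
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return b"\x00" * 446 + table + b"\x55\xaa"

def parse_table(sector):
    """Return the non-empty entries at offset 446, after checking the signature."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a DOS partition sector")
    entries = []
    for i in range(4):
        flags, _, ptype, _, start, size = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype != 0:
            entries.append({"flags": flags, "type": ptype, "start": start, "size": size})
    return entries

def list_partitions(read_sector):
    """Walk the MBR, then the linked list of extended boot records (EBRs).
    Inside an EBR the logical partition's start is relative to that EBR, while
    the link to the next EBR is relative to the primary extended partition."""
    parts, ext_base, seen = [], None, set()
    for e in parse_table(read_sector(0)):
        parts.append(dict(e, kind="primary"))
        if e["type"] in EXTENDED_TYPES:
            ext_base = e["start"]
    ebr = ext_base
    while ebr is not None:
        if ebr in seen:                      # a looped chain would never terminate
            raise ValueError(f"loop in extended partition chain at sector {ebr}")
        seen.add(ebr)
        nxt = None
        for e in parse_table(read_sector(ebr)):
            if e["type"] in EXTENDED_TYPES:
                nxt = ext_base + e["start"]
            else:
                parts.append(dict(e, start=ebr + e["start"], kind="logical"))
        ebr = nxt
    return parts

def sanity_check(parts, disk_sectors):
    """Does the table tell the truth?  Flag data partitions that run past the end
    of the disk and data partitions that overlap one another."""
    data = sorted((p for p in parts if p["type"] not in EXTENDED_TYPES), key=lambda p: p["start"])
    problems = [f"{p['kind']} partition at {p['start']} runs past the end of the disk"
                for p in data if p["start"] + p["size"] > disk_sectors]
    for a, b in zip(data, data[1:]):
        if a["start"] + a["size"] > b["start"]:
            problems.append(f"partitions at {a['start']} and {b['start']} overlap")
    return problems

def partition_address(parts, physical):
    """Map a physical (LBA) sector to (partition start, logical partition volume
    address), or None when the sector lies outside every data partition."""
    for p in parts:
        if p["type"] not in EXTENDED_TYPES and p["start"] <= physical < p["start"] + p["size"]:
            return p["start"], physical - p["start"]
    return None

# Constructed 30000-sector disk: a primary NTFS partition (type 0x07), then a primary
# extended partition (0x05) holding two logical Linux partitions (0x83) via two EBRs.
DISK_SECTORS = 30000
IMAGE = {
    0:     make_sector([make_entry(0x07, 63, 4000, flags=0x80), make_entry(0x05, 4063, 20000)]),
    4063:  make_sector([make_entry(0x83, 63, 8000), make_entry(0x05, 10000, 10000)]),
    14063: make_sector([make_entry(0x83, 63, 5000)]),
}

def read_sector(lba):
    """Stand-in for reading one sector from the image (unknown sectors read as zeros)."""
    return IMAGE.get(lba, b"\x00" * SECTOR_SIZE)
```

Calling `list_partitions(read_sector)` yields the two primaries plus logical partitions starting at 4126 and 14126, and `partition_address(parts, 4200)` maps that sector to 74 sectors into the first logical partition.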
(Figures, B Carrier, File System Forensic Analysis, p. 94: a 12GB disk with scale marks at 2GB, 4GB, 6GB, 8GB, 10GB and 12GB, laid out as Primary Partition #1, Primary Partition #2, Primary Partition #3 and a Primary Extended Partition; within the extended partition, Secondary Partition #1 followed by Secondary Extended #1, continuing the chain)
ANY QUESTIONS?