forensics comp

Upload: hari-velamala

Post on 04-Apr-2018


TRANSCRIPT

  • 7/31/2019 Forensics Comp (1/25)

    Digital Forensics (File System Forensic Analysis)

    1. Background

    Sungyong Park, Ph.D.
    Sogang University Distributed Computing & Communication Lab.
    (URL: http://dcclab.sogang.ac.kr)
    Dept. of Computer Science and Engineering
    Sogang University, Seoul, Korea
    Tel: +82-2-705-8929
    Email: [email protected]

    Data Analysis

    Layers of analysis, from the storage medium upward:
    - Physical storage analysis
    - Volume analysis
    - File system analysis
    - Swap space analysis
    - Application / OS analysis
    - Database analysis
    - Memory analysis
    - Network analysis

    Process of Analyzing Data

    Hard Disk -> Physical Media Analysis -> Sectors of Data -> Volume Analysis -> Volume -> File System Analysis -> File -> Application Analysis

    1. Physical media analysis: the hard disk yields sectors of data
    2. Volume analysis: sectors are grouped into volumes
    3. File system analysis: a volume yields files
    4. Application analysis: the files themselves

    Booting Process

    - When power is applied to the system, execution starts at a fixed memory location (ROM) where the initial bootstrap program is located.
    - Sometimes a two-step process: a simple bootstrap loader fetches a more complex boot program.
    - The boot program loads the kernel.
    - For large OSes (e.g., Windows, Mac OS X, UNIX):
      - The bootstrap loader (in ROM) runs diagnostics and has a bit of code that can read a single block (the boot sector or boot block, e.g., the MBR at LBA 0) from a fixed location on disk and execute the code in it.
      - The program in the boot block either loads the entire OS or reads the remainder of the bootstrap program from disk, based on the address and length information it carries.

    Hard Disk Technology

    - Hard disks are the most common source of digital evidence
    - Geometry:
      - Platters; Platter 0 is numbered from the bottom
      - Heads; Head 0 is numbered from the bottom
      - Cylinder (C): 0 ~ (n-1)
      - Sector (S): 1 ~ n (typically 512 bytes)
    - Performance = seek time + rotational latency + transfer time

    Access of Hard Disk

    - Using the BIOS
      - The BIOS already knows the hardware components, including details of the installed disks
      - Loads the interrupt table
      - INT 13h (and extended INT 13h) supports many disk functions
      - The BIOS may not see the entire disk, so a tool that reads through the BIOS can miss sectors
    - Using direct access
      - Requires some knowledge of the hardware
      - Fastest way to access the data

    CHS Addressing (1)

    - CHS (Cylinder/Head/Sector) addressing
      - Capacity = C * H * S * 512 bytes
      - E.g., 1024 cylinders, 256 heads, 64 sectors => 1024 * 256 * 64 * 512 bytes = 2^10 * 2^8 * 2^6 * 2^9 bytes = 2^33 bytes (~8 GB)
      - Assumes every track has the same number of sectors (standard recording), as on old disk drives
      - Cannot be applied to newer hard drives, which use zoned-bit recording
        - Zoned-bit recording: outer tracks hold more sectors, and the transfer speed is much faster on the outer tracks
      - BIOS Normal / Large / LBA settings
    - Capacity barrier
      - To access hard drives we can use BIOS INT 13h, which (in old BIOSes) uses CHS addressing to find a sector

    CHS Addressing (2)

    - Capacity barrier (continued)
    - Values used in old BIOSes (24 bits total):

        Field      Bits   Max value        Range
        Cylinder   10     2^10 = 1024      0 ~ 1023
        Head       8      2^8  = 256       0 ~ 255
        Sector     6      2^6  = 64        1 ~ 63

      - Maximum size = 1024 * 256 * 63 * 512 bytes = 8,455,716,864 bytes (~8.4 GB)

    - Values used in the ATA-1 standard (28 bits total):

        Field      Bits   Max value        Range
        Cylinder   16     2^16 = 65,536    0 ~ 65,535
        Head       4      2^4  = 16        0 ~ 15
        Sector     8      2^8  = 256       1 ~ 255

      - Maximum size = 65,536 * 16 * 255 * 512 bytes = 136,902,082,560 bytes (~137 GB)

    CHS Addressing (3)

    - Capacity barrier (continued): the 528 MB barrier

        Field      CHS BIOS   ATA       Limit
        Cylinder   1024       65,536    1024
        Head       256        16        16
        Sector     63         255       63

      - When ATA disks are used through a CHS BIOS, the smaller of each pair of limits applies
      - Maximum size = 1024 * 16 * 63 * 512 bytes = 528,482,304 bytes (~528 MB)
    - CHS parameter translation
      - Translate the disk's CHS values into values the BIOS can represent while keeping the total number of sectors the same
      - E.g., CHS values 2048/16/63 => translated values 1024/32/63
      - Breaks the 528 MB barrier
      - Applied to hard drives manufactured from about 1993~1994 onward
      - BIOS Normal / Large / LBA settings
      - Still limited by the 8.4 GB barrier

    LBA Addressing

    - LBA (Logical Block Address) addressing
      - Uses a single number, starting at 0, to address each sector (28 bits)
      - Software does not need to know anything about the geometry; it only needs a single number
      - Some file systems still use CHS addresses, so translation is needed
        - E.g. 1: CHS address 0/0/1 => LBA 0
        - E.g. 2: CHS address 0/0/2 => LBA 1, etc.
        - When all sectors in a track have been used, the first sector under the next head in the same cylinder is used next (i.e., CHS 0/1/1)
        - LBA = (((C * heads_per_cylinder) + H) * sectors_per_track) + S - 1
      - BIOS Normal / Large / LBA settings
      - Still limited by the 137 GB barrier (2^28 sectors * 512 bytes = 137,438,953,472 bytes) because of the 28-bit address
    - ATA-6 standard
      - Up to ATA-5 (Ultra-ATA/66) the same problems as above remain
      - ATA-6 (Ultra-ATA/100) extends the 28-bit addressing to 48 bits (2^48 sectors * 512 bytes = 144,115,188,075,855,872 bytes = 144 PB)
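The following is an added example, not code from the slides, that ties the boot-block and CHS/LBA slides together: it implements the CHS-to-LBA formula above and its inverse, the capacity-barrier arithmetic, the "Large" translation of CHS 2048/16/63, and then decodes a 16-byte MBR partition entry, which carries both a CHS and an LBA address for the same partition, and checks that the two agree. The 255-head / 63-sector geometry and the two partition entries are constructed for the example.

```python
"""CHS/LBA conversion, capacity barriers and an MBR partition-entry cross-check.

Added example; not code from the slides.  The BIOS geometry (255 heads,
63 sectors per track) and the two MBR partition entries are constructed.
"""
import struct
from dataclasses import dataclass

SECTOR = 512  # bytes per sector, as assumed throughout the slides


def chs_to_lba(c: int, h: int, s: int, heads: int, spt: int) -> int:
    """LBA = ((C * heads) + H) * spt + S - 1.  Sectors are 1-based in CHS."""
    if not 0 <= h < heads or not 1 <= s <= spt:
        raise ValueError(f"CHS {c}/{h}/{s} is outside geometry {heads}/{spt}")
    return (c * heads + h) * spt + (s - 1)


def lba_to_chs(lba: int, heads: int, spt: int) -> tuple:
    """Inverse of chs_to_lba: fill a track, then the next head, then the next cylinder."""
    c, rem = divmod(lba, heads * spt)
    h, s0 = divmod(rem, spt)
    return c, h, s0 + 1


def max_bytes(cyls: int, heads: int, spt: int) -> int:
    """Addressable capacity of a geometry: C * H * S * 512 (the capacity barriers)."""
    return cyls * heads * spt * SECTOR


def translate_chs(cyls: int, heads: int, spt: int,
                  max_cyls: int = 1024, max_heads: int = 256) -> tuple:
    """'Large'-style parameter translation: halve the cylinder count and double
    the head count until C fits the BIOS field, keeping the total number of
    sectors unchanged.  An odd cylinder count would lose a track, so it is
    rejected rather than silently truncated.  (Many BIOSes cap heads at 255
    to avoid an old DOS bug; pass max_heads=255 to model that.)"""
    total = cyls * heads * spt
    while cyls > max_cyls:
        if cyls % 2 or heads * 2 > max_heads:
            raise ValueError("geometry cannot be translated losslessly")
        cyls, heads = cyls // 2, heads * 2
    assert cyls * heads * spt == total
    return cyls, heads, spt


# --- MBR partition entries carry both a CHS and an LBA address -------------

def unpack_chs(b: bytes) -> tuple:
    """3-byte MBR CHS field: head; sector (low 6 bits) with the top two
    cylinder bits (high 2 bits); low 8 cylinder bits."""
    cyl = ((b[1] & 0xC0) << 2) | b[2]
    return cyl, b[0], b[1] & 0x3F


def pack_chs(c: int, h: int, s: int) -> bytes:
    return bytes([h, ((c >> 2) & 0xC0) | (s & 0x3F), c & 0xFF])


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    start_chs: tuple
    end_chs: tuple
    lba_start: int
    sectors: int


def parse_entry(raw: bytes) -> PartitionEntry:
    """Decode one 16-byte entry of the MBR partition table (sector offset 446 + 16*i)."""
    status, schs, ptype, echs, lba, count = struct.unpack("<B3sB3sII", raw)
    return PartitionEntry(status == 0x80, ptype, unpack_chs(schs),
                          unpack_chs(echs), lba, count)


def chs_lba_consistent(e: PartitionEntry, heads: int, spt: int) -> bool:
    """The CHS and LBA fields must describe the same sectors.  A mismatch means
    a hand-edited table, a geometry change, or an entry only LBA-aware code
    updated.  Entries past the 8.4 GB barrier legitimately pin CHS to
    1023/254/63, so check for that before treating a mismatch as tampering."""
    start_ok = chs_to_lba(*e.start_chs, heads, spt) == e.lba_start
    end_ok = chs_to_lba(*e.end_chs, heads, spt) == e.lba_start + e.sectors - 1
    return start_ok and end_ok


# Constructed sample: a Linux partition from CHS 0/1/1 to 9/254/63 on a
# 255-head, 63-sector geometry, i.e. LBA 63 .. 160649 (160587 sectors).
GEOMETRY = (255, 63)
GOOD_ENTRY = struct.pack("<B3sB3sII", 0x80, pack_chs(0, 1, 1), 0x83,
                         pack_chs(9, 254, 63), 63, 160587)
# Same entry with only the LBA start rewritten to 2048: the CHS fields no longer agree.
BAD_ENTRY = GOOD_ENTRY[:8] + struct.pack("<II", 2048, 160587)

if __name__ == "__main__":
    print("8.4 GB barrier:", max_bytes(1024, 256, 63))
    print("528 MB barrier:", max_bytes(1024, 16, 63))
    print("2048/16/63 ->", translate_chs(2048, 16, 63))
    for raw in (GOOD_ENTRY, BAD_ENTRY):
        e = parse_entry(raw)
        print(e, "consistent" if chs_lba_consistent(e, *GEOMETRY) else "MISMATCH")
```

The cross-check is cheap to run over all four primary entries of an image's first sector; agreement between the two address forms is one of the few integrity signals a plain MBR gives you.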

    EDD Standard

    - What is the problem? The problem is in the BIOS.
    - Phoenix BIOS proposed a new BIOS standard, EDD (Enhanced Disk Drive Specification), to NCITS (National Committee on Information Technology Standards)
    - EDD extends LBA so that the BIOS can use 64-bit addressing
    - Can support any hard drive that supports ATA-6

    Host Protected Area (HPA)

    - Host Protected Area (HPA)
      - A location where computer vendors can store data that is not erased when a user formats and erases the hard disk contents (not normally visible to the OS)
      - Can be used to save (and hide) data (default size 0)
        - Various boot and diagnostic utilities
        - Preloaded OS or system restore software
        - Theft recovery and monitoring services
        - Some rootkits hide in the HPA
      - Can be accessed via ATA commands

    < Diagram: sectors 0 .. m are the visible disk; sectors m .. n are the HPA >
      - IDENTIFY_DEVICE reports the visible maximum (m)
      - READ_NATIVE_MAX_ADDRESS reports the native maximum (n); n > m means an HPA is present
      - SET_MAX_ADDRESS sets m, i.e. creates or removes the HPA

    Device Configuration Overlay (DCO)

    - Device Configuration Overlay (DCO)
      - Added in ATA-6
      - Not visible to the BIOS or the OS
      - Can make an 80 GB drive appear to be a 60 GB drive

    < Diagram: sectors 0 .. m visible; m .. n HPA; n .. p DCO >
      - IDENTIFY_DEVICE reports m
      - READ_NATIVE_MAX_ADDRESS reports n (the end of the HPA, not the true end of the disk)
      - DEVICE_CONFIGURATION_IDENTIFY reports the real maximum (p)
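An added example, not from the slides, of turning the three ATA answers shown in the two diagrams (m, n, p) into the size and location of the hidden regions. It also parses the line `hdparm -N` prints on Linux, which is the usual way to obtain m and n from a drive. The sector counts and the hdparm line are constructed samples; the 80 GB -> 60 GB case reproduces the DCO slide's numbers.

```python
"""Sizing a Host Protected Area and a Device Configuration Overlay from the
three ATA "maximum address" answers.

Added example; not code from the slides.  The sector counts are constructed,
and the `hdparm -N` line is a constructed sample in the format that tool
prints on Linux.  Nothing here touches a real drive.
"""
import re
from dataclasses import dataclass
from typing import Optional

SECTOR = 512  # assumed logical sector size; 4Kn drives report 4096

# hdparm -N prints: "max sectors   = <visible>/<native max>, HPA is enabled|disabled"
_HDPARM_N = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:\(\d+\?\))?,\s*HPA is (enabled|disabled)")


def parse_hdparm_n(line: str) -> tuple:
    """Return (visible_sectors, native_max_sectors, hpa_enabled)."""
    m = _HDPARM_N.search(line)
    if not m:
        raise ValueError(f"not an 'hdparm -N' line: {line!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3) == "enabled"


@dataclass(frozen=True)
class MaxAddresses:
    """The three answers in the slides' diagram (0 .. m .. n .. p), in sectors."""
    identify_max: int    # m: IDENTIFY DEVICE, what BIOS and OS see
    native_max: int      # n: READ NATIVE MAX ADDRESS, end of the HPA
    dco_real_max: int    # p: DEVICE CONFIGURATION IDENTIFY, true end of the media

    def __post_init__(self):
        if not self.identify_max <= self.native_max <= self.dco_real_max:
            raise ValueError("expected m <= n <= p; the drive's answers are inconsistent")

    @property
    def hpa_sectors(self) -> int:
        return self.native_max - self.identify_max

    @property
    def dco_sectors(self) -> int:
        return self.dco_real_max - self.native_max

    @property
    def hidden_sectors(self) -> int:
        return self.dco_real_max - self.identify_max

    def report(self, sector_size: int = SECTOR) -> dict:
        """Where to image beyond the OS-visible end, in sectors and bytes."""
        return {
            "visible_bytes": self.identify_max * sector_size,
            "hpa": {"first_sector": self.identify_max, "sectors": self.hpa_sectors,
                    "bytes": self.hpa_sectors * sector_size},
            "dco": {"first_sector": self.native_max, "sectors": self.dco_sectors,
                    "bytes": self.dco_sectors * sector_size},
            "hidden_total_bytes": self.hidden_sectors * sector_size,
            "suspicious": self.hidden_sectors > 0,
        }


def from_hdparm(n_line: str, dco_real_max: Optional[int] = None) -> MaxAddresses:
    """Build MaxAddresses from an `hdparm -N` line plus, if available, the real
    max sectors from DEVICE CONFIGURATION IDENTIFY (hdparm --dco-identify).
    Without the DCO answer, p is assumed equal to n, so a DCO cannot be seen."""
    visible, native, _enabled = parse_hdparm_n(n_line)
    return MaxAddresses(visible, native, native if dco_real_max is None else dco_real_max)


# Constructed samples ------------------------------------------------------
# A drive with ~0.4 GB hidden behind an HPA and no DCO:
HPA_LINE = "max sectors   = 976000000/976773168, HPA is enabled"
# The slides' example: an 80 GB drive (156,250,000 sectors) that a DCO makes
# look like 60 GB (117,187,500 sectors), with no HPA on top.
DCO_DRIVE = MaxAddresses(identify_max=117_187_500, native_max=117_187_500,
                         dco_real_max=156_250_000)

if __name__ == "__main__":
    print(from_hdparm(HPA_LINE).report())
    print(DCO_DRIVE.report())
```

In practice, run `hdparm -N` and `hdparm --dco-identify` against the write-blocked evidence drive and record all three values before imaging; an HPA removed with `hdparm -N` reverts at the next power cycle unless the permanent form is used, whereas removing a DCO (`hdparm --dco-restore`) is permanent, so the original values belong in the case notes first. USB-to-SATA bridges often do not pass these ATA commands through, which is one reason to image over a native interface.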

    File System Framework

    < Layered diagram >
    User level:
    - File System Interface: Directory API (operates on text names) and File Operations API (operates on file ids)
    Kernel level:
    - System Call Interface
    - File System Implementation: Directory Service (text name -> file id) and File Storage Service
    - Device Driver
    Devices: Hard Disk, Floppy Disk, CD-ROM

    A Typical File System Organization

    < Figure: disks divided into minidisks or volumes, each holding a device directory or volume table of contents >

    => Every partition has a file system, which consists of a directory and files.

    File System Layout (System V Case)

    - A file system resides on a single logical disk or partition, and each logical disk holds at most one file system.
    - A partition is viewed as a linear array of blocks. The block size is a multiple of 512 bytes (e.g., 512/1024/2048); it is the granularity of space allocation for a file.
    - A physical block number is an index into this array, which the device driver translates into cylinder, track, and sector numbers.

    < Layout of a disk partition >
        | B | S | Inode List | Data Blocks |
        block 0: B, block 1: S

    - B (Boot Area): only one partition needs to contain it.
    - S (Super Block): contains metadata about the file system.
    - Inode List: has a fixed size, which limits the maximum number of files. The size of an inode is 64 bytes in System V UNIX.

    Partitions and Mounting

    - A disk can be sliced into multiple partitions, or a partition can span multiple disks.
    - Each partition can be either raw, containing no file system, or cooked, containing a file system.
    - A raw disk can be used where no file system is appropriate:
      - Swap space
      - Some databases use raw disk and format the data to suit their needs.
    - The root partition, which contains the OS kernel, is mounted at boot time. Other partitions can be mounted automatically at boot time or manually later.
      - Own directory structure (Unix): mounted partitions appear within one tree
      - Different name spaces (Windows): different drives such as C:, D:, etc.

    File System Mounting

    - Just as a file must be opened before it is used, a file system must be mounted before it can be accessed.
    - Procedure
      - The operating system is given the name of the device and the location within the file structure at which to attach the file system (the mount point). Typically, a mount point is an empty directory.
      - The operating system verifies that the device contains a valid file system by asking the device driver to read the device directory.
      - Finally, the operating system notes in its directory structure that a file system is mounted at the specified mount point. This scheme enables the operating system to traverse its directory structure, switching among file systems as appropriate.
    - Forensic caveat: a read-write mount can alter the evidence (access times, journal replay), so evidence file systems are mounted read-only, normally from an image rather than the original media.

    Example of File System Mounting

    < Figure: (a) existing directory tree with an empty mount point; (b) an unmounted volume; (c) the volume attached at the mount point >

    Partition and Mounting (Example)

    < Figure only >

    Remote Mounting on an NFS Client

    The file system mounted at /usr/students in the client is actually the subtree located at /export/people in Server 1; the file system mounted at /usr/staff in the client is actually the subtree located at /nfs/users in Server 2.

    < Figure: Server 1: /export/people/{big, jon, bob, ...}; Client: /, vmunix, /usr/{students, x, staff}; Server 2: /nfs/users/{jim, ann, jane, joe}; two remote mounts from the client into the servers' subtrees >

    Remote Mounting (Example)

    < Figure only >

    File System Structure (1)

    - A file system resides on secondary storage (disks).
    - For the implementation, a file system has both on-disk structures and in-memory structures.
    - On-disk structures
      - Boot Control Block: contains the information needed by the system to boot from the partition; typically the first block of a partition. Also called the boot block (UFS) or partition boot sector (NTFS).
      - Partition Control Block: contains partition details, such as the number and size of blocks in the partition, free block count and pointers, free FCB (File Control Block) count, etc. Also called the super-block (UFS) or master file table (NTFS).
      - Directory structure
      - File Control Block (FCB): contains many of the file's details. Also called an inode (UFS).

    File System Structure (2)

    - In-memory structures are used both for file-system management and for performance improvement via caching.
      - In-memory partition table: contains information about each mounted partition.
      - In-memory directory structure: holds the directory information of
      - System-wide open-file table: contains a copy of the FCB of each open file.
      - Per-process open-file table: contains a pointer to the appropriate entry in the system-wide open-file table.

    In-Memory File System Structure

    < Figure: open(file name): (1) search the directory structure, (2) locate the FCB on disk and copy it into the system-wide open-file table, (3) copy a pointer to it into the per-process open-file table, (4) return a file descriptor or file handle, which holds the current location; a later read(index) follows the pointer back through the system-wide table to the FCB and data blocks (5)-(7) >

    In reality, the open system call first searches the system-wide open-file table.