Post on 05-Jul-2020
10/6/2014
1
FCM 760 | Fall 2014 | Lecture 4: Disk Drives, FAT File Systems, FAT Data Recovery
October 6, 2014
File System Forensic Analysis by Brian Carrier
Suggested Reading
Reading Assignment:
File System Forensic Analysis by Brian Carrier (ISBN: 978-0321268174)
Chapters 4, 5, 8, 9, 10
This is not a requirement but I would HIGHLY recommend purchasing this book; it will become a very important reference for you as a professional in the field.
Let’s talk about data!
We need to build our understanding of storage media from the ground up:
Disk Types
Partitions and Volumes
Bits, Sectors, Clusters
File Systems
Operating Systems
Content vs Metadata
Metadata is data about data.
Examples:
File System Metadata: MAC Times (Modified, Accessed, Created)
Operating System Metadata: File Security Settings, Created By, log files, etc…
File Metadata:
Image files: EXIF data (Exchangeable Image File Format)
Office Documents
Music Files
Back On Topic: Disk Types
SATA
IDE
SAS
SCSI
Disk Drives
Data is stored on platters
The arm moves the head
The head reads and writes data
Data is written by changing the direction of magnetization for a bit
Disk Drives
Platters can store data on both their sides
Platters are segmented into tracks
A track is a circular ring that goes around the platter
Tracks are numbered from the outside inward
A cylinder refers to the set of tracks that sit at the same track number on every platter surface
Disk Drives
Each track is divided into sectors
A sector is the smallest addressable storage unit and is typically 512 bytes
Sectors are numbered
You can address a specific sector using the CHS method (Cylinder, Head, Sector)
Disk Drives
CHS addressing only works for disks less than 8 GB in size.
LBA (Logical Block Addressing) has replaced CHS.
LBA is a linear scheme: the first sector is LBA 0, the second is LBA 1, and so on…
LBA is used because in modern disks, platters may have different numbers of tracks per side and different numbers of sectors per track, so a fixed CHS geometry no longer describes the physical layout.
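As an added example (not from the lecture slides), the conversion between CHS and LBA addresses, and the arithmetic behind the 8 GB CHS ceiling. The geometry limits are the classic BIOS/ATA field widths (1024 cylinders, 255 heads, 63 sectors per track); the sample addresses are constructed.

```python
# Added example: CHS <-> LBA mapping. Assumes the classic BIOS geometry limits below.
MAX_CYLINDERS = 1024   # 10-bit cylinder field
MAX_HEADS = 255        # 8-bit head field, 255 usable heads under the BIOS limit
MAX_SECTORS = 63       # 6-bit sector field, sectors are numbered 1..63
SECTOR_SIZE = 512


def chs_to_lba(cylinder, head, sector, heads_per_cylinder, sectors_per_track):
    """Map a (C, H, S) address to a linear block number.

    CHS sectors are numbered from 1, so the sector field is offset by one;
    cylinders and heads are numbered from 0.
    """
    if not 1 <= sector <= sectors_per_track:
        raise ValueError("sector must be in 1..sectors_per_track")
    if not 0 <= head < heads_per_cylinder:
        raise ValueError("head out of range for this geometry")
    return (cylinder * heads_per_cylinder + head) * sectors_per_track + (sector - 1)


def lba_to_chs(lba, heads_per_cylinder, sectors_per_track):
    """Inverse mapping: split a linear block number back into (C, H, S)."""
    sector = lba % sectors_per_track + 1
    track = lba // sectors_per_track          # linear track index across all heads
    head = track % heads_per_cylinder
    cylinder = track // heads_per_cylinder
    return cylinder, head, sector


def chs_addressable_bytes():
    """Largest disk the CHS fields can describe (about 8.4 GB, 7.8 GiB).

    Anything beyond this cannot be reached through CHS, which is why LBA
    replaced it.
    """
    return MAX_CYLINDERS * MAX_HEADS * MAX_SECTORS * SECTOR_SIZE


if __name__ == "__main__":
    # Constructed sample: a 255-head, 63-sector geometry.
    for lba in (0, 1, 63, 16065, 123456):
        c, h, s = lba_to_chs(lba, 255, 63)
        print("LBA %7d -> C=%4d H=%3d S=%2d -> LBA %d" % (lba, c, h, s, chs_to_lba(c, h, s, 255, 63)))
    print("CHS limit: %d bytes" % chs_addressable_bytes())
```

Round-tripping an LBA through `lba_to_chs` and back is a quick sanity check on a partition table whose CHS and LBA fields should agree; a mismatch between the two is a common sign of a hand-edited or relocated table.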
Volumes & Partitions
How is data segmented?
Partition: a collection of consecutive sectors
Volume: a collection of addressable sectors used by OSs and applications to store and access data
Volumes don't have to be consecutive; they just have to appear that way to whatever is addressing them, i.e. spanning
Partitions
Know that each operating system and hardware platform typically uses a different partition scheme/method.
Today we’re going to focus on DOS partitions which are typically used with DOS, Windows, and Linux systems
DOS partitions employ a MBR (Master Boot Record)
Newer partition schemes:
GPT – GUID Partition Table
EFI – Extensible Firmware Interface
Master Boot Record (MBR)
The MBR is ALWAYS stored in sector 0, the first 512 bytes of the drive.
Contains:
Partition Table – Describes how the disk is split up
Boot Code – tells the computer how to read the partition table and find the operating system
MBR – Partition Tables
The Partition Table stores the following information for each partition:
Starting CHS address
Ending CHS address
Starting LBA address
Number of sectors in the partition
Type of partition: FAT, NTFS, EXT3, etc…
Flags for the partition: tells you which partition is bootable
Partition Tables are legacy structures and only had 4 partition slots
Newer spec: 3 slots and the 4th is used for Extended partitions
MBR – Partition Tables
Partition Tables are legacy structures and only had 4 primary partition entries
Newer drives are much bigger so the Extended partition was created
3 Primary Partition Entries, 1 Extended Entry – takes up the rest of the drive
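As an added example (not the lecture's own code), a parser for the four 16-byte partition entries of a DOS MBR. It assumes the standard table layout: entries start at byte 446, each holds status, packed start CHS, type, packed end CHS, start LBA and sector count (little-endian), and the 0x55AA signature sits at offset 510. The sample MBR bytes are constructed.

```python
import struct

# Added example: decode the DOS partition table stored in sector 0.
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"   # status, start CHS, type, end CHS, start LBA, sector count

# Small subset of the standard DOS partition type IDs.
TYPE_NAMES = {0x00: "empty", 0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended",
              0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x83: "Linux"}


def decode_chs(raw3):
    """Unpack the packed 3-byte CHS field: head; 6-bit sector plus the two high
    cylinder bits; low 8 cylinder bits."""
    head = raw3[0]
    sector = raw3[1] & 0x3F
    cylinder = ((raw3[1] & 0xC0) << 2) | raw3[2]
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs, used to build the constructed sample below."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts with decoded fields."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    entries = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * ENTRY_SIZE
        status, schs, ptype, echs, start_lba, count = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue   # unused slot
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,      # the 'active' flag
            "type": TYPE_NAMES.get(ptype, "0x%02X" % ptype),
            "start_chs": decode_chs(schs),
            "end_chs": decode_chs(echs),
            "start_lba": start_lba,
            "sectors": count,
            "end_lba": start_lba + count - 1,
        })
    return entries


def build_entry(status, start_chs, ptype, end_chs, start_lba, count):
    return struct.pack(ENTRY_FORMAT, status, encode_chs(*start_chs), ptype,
                       encode_chs(*end_chs), start_lba, count)


def build_sample_mbr():
    """Constructed MBR: one bootable FAT16 primary partition and one extended partition."""
    mbr = bytearray(512)   # boot code area left as zeros
    mbr[446:462] = build_entry(0x80, (0, 1, 1), 0x06, (1023, 254, 63), 63, 2097152)
    mbr[462:478] = build_entry(0x00, (1023, 254, 63), 0x05, (1023, 254, 63), 2097215, 4194304)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


SAMPLE_MBR = build_sample_mbr()

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
```

The `end_lba` field is what you compare against the next entry's `start_lba` when checking for overlapping or hidden partitions; the CHS values of a (1023, 254, 63) end address are the usual sign that the real end lies beyond CHS reach and only the LBA fields can be trusted.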
File Systems
File Systems provide a way to organize raw data (sectors) into meaningful structures and assign them to items such as folders and files.
Provide tracking information for files and users (metadata)
File Systems are not tied to disk types but Operating Systems are typically dependent on specific File Systems.
File Systems: Allocation Strategies
At any moment, a File System must know which data units are unallocated (available for use), which data units are allocated (assigned to a structure), and which data units are bad
Assigned data can be contiguous or it can be fragmented
Some Allocation Strategies:
First Available – Always uses the first available data unit
Next Available – Keeps track of where it last left off
Best Fit – Searches for consecutive data units
The OS chooses which allocation strategy it will use
File Systems: FAT
File Allocation Table (FAT)
Different flavors of FAT: FAT12, FAT16, FAT32, ExFAT
Great file system to use if you’re switching between PCs and Macs
A simple file system type that has two main data structures:
FAT Table
Directory Entries
File Systems: FAT – Reserved Area
Specific information about the file system is stored in the Volume Boot Record (VBR) which is stored in the first sector of the volume
Tells you how many FAT structures there are and how big they are
Volume Name
May tell you what tool created the file system (MSWIN4.0, MSDOS5.0, etc…)
Cluster Size
Clusters are the lowest addressable data object to an OS
Clusters are made up of groups of sectors
Cluster numbering starts at 2, and cluster 2 is the first cluster of the Data Area
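As an added example (not from the slides), a decoder for the BIOS Parameter Block in a FAT12/FAT16 Volume Boot Record that reports the items listed above (OEM tool name, number and size of the FATs, volume label, cluster size) and then computes where the FATs, root directory and Data Area begin, so that a cluster number can be turned into a sector number. The field offsets follow the standard FAT12/16 boot sector layout; the sample boot sector for a 1.44 MB floppy is constructed.

```python
import struct

# Added example: parse the BPB of a FAT12/FAT16 volume boot record (first sector of the volume).
# Field layout from offset 3: OEM name(8) bytes/sector(2) sectors/cluster(1) reserved sectors(2)
# number of FATs(1) root entries(2) total sectors16(2) media(1) sectors/FAT(2)
# sectors/track(2) heads(2) hidden sectors(4) total sectors32(4)
BPB_FORMAT = "<8sHBHBHHBHHHII"


def parse_fat_vbr(sector):
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    (oem, bps, spc, reserved, fats, root_entries, total16, media,
     spf, spt, heads, hidden, total32) = struct.unpack_from(BPB_FORMAT, sector, 3)
    total = total16 if total16 else total32
    # Layout derived from the BPB: reserved area, FAT area, root directory, data area.
    fat_start = reserved
    root_start = reserved + fats * spf
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_start = root_start + root_sectors
    cluster_count = (total - data_start) // spc
    # Microsoft's rule: the FAT variant is decided by cluster count, not by the label.
    fat_type = "FAT12" if cluster_count < 4085 else "FAT16" if cluster_count < 65525 else "FAT32"
    return {
        "oem_name": oem.decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "cluster_bytes": bps * spc, "fat_count": fats, "sectors_per_fat": spf,
        "media_descriptor": media, "total_sectors": total,
        "volume_label": sector[43:54].decode("ascii", "replace").rstrip(),
        "fs_type_string": sector[54:62].decode("ascii", "replace").rstrip(),
        "fat_start": fat_start, "root_dir_start": root_start,
        "data_start": data_start, "cluster_count": cluster_count, "fat_type": fat_type,
    }


def cluster_to_sector(vbr_info, cluster):
    """Cluster numbers start at 2 and cluster 2 is the first sector of the data area."""
    if cluster < 2 or cluster >= vbr_info["cluster_count"] + 2:
        raise ValueError("cluster %d is outside the data area" % cluster)
    return vbr_info["data_start"] + (cluster - 2) * vbr_info["sectors_per_cluster"]


def build_sample_vbr():
    """Constructed 1.44 MB floppy boot sector: 512-byte sectors, 1 sector/cluster,
    2 FATs of 9 sectors, 224 root entries, 2880 sectors, formatted by 'MSWIN4.1'."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"   # jump instruction
    struct.pack_into(BPB_FORMAT, s, 3, b"MSWIN4.1", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    s[38] = 0x29               # extended boot signature: label and type string follow
    s[43:54] = b"NO NAME    "
    s[54:62] = b"FAT12   "
    s[510:512] = b"\x55\xAA"
    return bytes(s)


SAMPLE_VBR = build_sample_vbr()

if __name__ == "__main__":
    info = parse_fat_vbr(SAMPLE_VBR)
    for k, v in info.items():
        print("%-20s %r" % (k, v))
    print("cluster 2 -> sector", cluster_to_sector(info, 2))
```

On the floppy above the root directory occupies 14 sectors (224 entries x 32 bytes / 512), so the Data Area, and therefore cluster 2, begins at sector 33. The `fat_type` is derived from the cluster count because the "FAT12" string at offset 54 is informational only and is not what the driver uses.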
File Systems: FAT – Reserved Area (figure slides)
File Systems: FAT – FAT Structures
There can be 1 or more FAT Structures (Tables)
There are typically two copies
The FAT tables contain one entry for every cluster available to the file system
Entry 50 corresponds to cluster 50
An entry can have one of several values:
0 – the cluster is not allocated
0xFF7 – cluster marked as BAD
<EOF> – End Of File
Other non-zero values – contain the address of the next cluster in the file or directory
File Systems: FAT – Directory Entries
A directory entry is a data structure that is created for every file and directory.
Directory entries are 32 bytes in size and contain the file’s attributes, size, starting cluster, and date/timestamps.
When a new file or directory is created, a directory entry in the parent directory is allocated for it.
A directory is basically a table of directory entries.
Directory entries DO NOT have unique identifiers. You use the file/directory name to address a directory entry
File Systems: FAT – Directory Entries (figure: hex dump with columns Sector Offset | 32 Byte Directory Entry | ASCII Representation)
File Systems: FAT – Directory Entries
File Names:
Short File Name (SFN): 8.3 – the name is 8 characters, the file extension is 3
Long File Name (LFN): up to 255 characters including the file extension
LFN entries always precede the SFN entry
Each LFN entry can store 13 characters
LFN sequence numbers increase from the bottom up (the entry nearest the SFN is first)
File Systems: FAT – Directory Entries
Size:
Directories always have a size of 0
4 Byte field = maximum file size of 4 GB (2^32 bits)
Cluster:
Starting cluster entry is provided
If a sector is 512 bytes (and a cluster is one sector, as on a floppy), then Size/512 = how many clusters are assigned to this file
830/512 = 1.6210… Always round up – this file takes up 2 clusters
File Systems: FAT – Directory Entries
Attributes:
A – the Archive attribute tells you this file was created or written to
R – this entry is read only
S – this entry pertains to a system file
H – this is a hidden file/directory
D – is this entry a Directory?
V – is this the Volume Name?
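As an added example (not part of the lecture), a parser for one 32-byte directory entry that pulls out everything the slides above describe: the 8.3 name, the A/R/S/H/D/V attribute flags, the starting cluster, the size, the packed DOS dates, the 0xE5 deleted marker and the rounded-up cluster count. It assumes the standard entry layout (name at 0, attributes at 11, times/dates from 14, high cluster word at 20, low cluster word at 26, size at 28). The sample entries are constructed; the `README.TXT` entry reuses the slide's 830-byte example.

```python
import struct
from datetime import datetime

# Added example: decode a 32-byte FAT directory entry.
ATTR_FLAGS = [(0x01, "R"), (0x02, "H"), (0x04, "S"), (0x08, "V"), (0x10, "D"), (0x20, "A")]
ATTR_LFN = 0x0F          # R|H|S|V together marks a long-file-name entry
TAIL_FORMAT = "<HHHHHHHI"  # ctime, cdate, adate, cluster high, wtime, wdate, cluster low, size


def dos_datetime(date_word, time_word):
    """DOS date: 7-bit years since 1980, 4-bit month, 5-bit day.
    DOS time: 5-bit hour, 6-bit minute, 5-bit seconds in 2-second units."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def clusters_for_size(size, cluster_bytes):
    """Clusters a file of this size occupies: always round up (830/512 -> 2)."""
    return (size + cluster_bytes - 1) // cluster_bytes


def parse_dir_entry(raw, cluster_bytes=512):
    if len(raw) != 32:
        raise ValueError("directory entries are exactly 32 bytes")
    first = raw[0]
    if first == 0x00:
        return None      # never used: end of the directory listing
    attr = raw[11]
    if attr == ATTR_LFN:
        return {"kind": "lfn", "sequence": first & 0x1F, "last": bool(first & 0x40)}
    deleted = first == 0xE5
    base = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]   # the first character is gone; '?' stands in for it
    name = base + ("." + ext if ext else "")
    ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from(TAIL_FORMAT, raw, 14)
    is_dir = bool(attr & 0x10)
    return {
        "kind": "deleted" if deleted else "file",
        "name": name,
        "attrs": "".join(letter for bit, letter in ATTR_FLAGS if attr & bit),
        "is_dir": is_dir,
        "start_cluster": (hi << 16) | lo,   # high word is only used by FAT32
        "size": size,
        "clusters": 0 if is_dir else clusters_for_size(size, cluster_bytes),
        "created": dos_datetime(cdate, ctime),
        "modified": dos_datetime(wdate, wtime),
        "accessed_date": dos_datetime(adate, 0).date(),
    }


def build_dir_entry(name, ext, attr, start_cluster, size, when):
    """Construct a sample entry (used only to build test data here)."""
    date_word = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time_word = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into(TAIL_FORMAT, raw, 14, time_word, date_word, date_word,
                     start_cluster >> 16, time_word, date_word, start_cluster & 0xFFFF, size)
    return bytes(raw)


# Constructed samples: an archived text file of 830 bytes starting at cluster 530,
# and the same entry after deletion (first byte replaced with 0xE5).
SAMPLE_ENTRY = build_dir_entry("README", "TXT", 0x20, 530, 830, datetime(2014, 10, 6, 9, 30, 0))
DELETED_ENTRY = b"\xE5" + SAMPLE_ENTRY[1:]

if __name__ == "__main__":
    print(parse_dir_entry(SAMPLE_ENTRY))
    print(parse_dir_entry(DELETED_ENTRY))
```

Note that a deleted entry still carries its size, starting cluster and timestamps intact; only the first name byte is lost, which is exactly what the recovery procedure later in the lecture relies on.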
File Systems: FAT – Deletion
FAT file systems conduct minimal cleanup actions during deletion
File Deletion
The first character of the directory entry is changed to 0xE5
The file's allocated FAT cluster entries are set to zero
Directory Deletion
The first character of the directory entry is changed to 0xE5
Associated FAT cluster entry is set to zero
All sub-items are deleted according to the above steps
What are the implications with contiguous vs fragmented cluster allocation?
File Systems: FAT – Deletion
How do we recover a file?
1. Change the first character of the directory entry to any acceptable character other than 0xE5. Typically we use an underscore (0x5F).
2. Determine how many clusters were allocated to the file using the cluster size from the volume boot record and the file size from the directory entry: 20,583/512 = 41 clusters.
3. Attempt to re-chain the FAT table entries using the file's starting cluster value.
4. Each cluster entry's value will be the next cluster allocated to the file, e.g. cluster entry 530 will have a value of 531.
5. Enter a value of <EOF> in the last cluster allocated to the file.
File Systems: FAT – Deletion
How do we recover a directory?
1. Change the first character of the directory entry to any acceptable character other than 0xE5. Typically we use an underscore (0x5F).
2. Enter the value <EOF> in the cluster allocated to the directory.
3. Attempt to recover any files that were contained in the recovered directory using the discussed file recovery method.
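As an added example (not the lecture's code, and not a substitute for DISKEDIT), the file and directory recovery steps above carried out against a small in-memory FAT12 table: what deletion zeroes, and how re-chaining restores the entry, the cluster chain and the <EOF> marker. The 12-bit packed table format is the standard FAT12 encoding; the table contents, the directory entry bytes and the 512-byte cluster size (one sector per cluster, as on a floppy) are constructed. It also covers the fragmentation question: the recovery refuses to re-chain when any of the clusters it would claim has since been reallocated.

```python
# Added example: FAT12 deletion and recovery on a constructed table.
FAT12_EOF = 0xFFF
FAT12_BAD = 0xFF7
DELETED_MARK = 0xE5
RESTORE_CHAR = 0x5F   # '_', the character the lecture substitutes for the lost first byte


def fat12_get(fat, n):
    """Read 12-bit entry n: entries are packed 1.5 bytes apart."""
    off = n * 3 // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return pair & 0x0FFF if n % 2 == 0 else pair >> 4


def fat12_set(fat, n, value):
    off = n * 3 // 2
    if n % 2 == 0:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)
    else:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF


def follow_chain(fat, start, max_clusters):
    """Walk a chain to its EOF; stop on free or bad entries and on loops (corrupt tables)."""
    chain, cur, seen = [], start, set()
    while 2 <= cur < max_clusters and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        nxt = fat12_get(fat, cur)
        if nxt >= 0xFF8:               # 0xFF8..0xFFF all mean end of chain in FAT12
            return chain
        if nxt == 0 or nxt == FAT12_BAD:
            break                      # broken chain: unallocated or bad cluster
        cur = nxt
    return chain


def clusters_needed(size, cluster_bytes):
    return (size + cluster_bytes - 1) // cluster_bytes


def delete_file(fat, dir_entry, max_clusters):
    """What FAT does on deletion: tag the name with 0xE5 and zero the FAT entries. Data is untouched."""
    start = int.from_bytes(dir_entry[26:28], "little")
    for c in follow_chain(fat, start, max_clusters):
        fat12_set(fat, c, 0)
    return bytes([DELETED_MARK]) + dir_entry[1:]


def reused_clusters(fat, wanted):
    """Clusters in the intended chain that are no longer free (a later file took them)."""
    return [c for c in wanted if fat12_get(fat, c) != 0]


def recover_file(fat, deleted_entry, cluster_bytes, max_clusters):
    """The lecture's steps for a contiguous file: restore the name byte, compute the
    cluster count from the size, chain start..start+n-1 and mark the last one EOF.
    A directory has size 0 and therefore gets exactly one cluster marked EOF."""
    if deleted_entry[0] != DELETED_MARK:
        raise ValueError("entry is not marked deleted")
    start = int.from_bytes(deleted_entry[26:28], "little")
    size = int.from_bytes(deleted_entry[28:32], "little")
    wanted = list(range(start, start + max(1, clusters_needed(size, cluster_bytes))))
    if wanted[-1] >= max_clusters:
        raise ValueError("chain would run past the end of the data area")
    taken = reused_clusters(fat, wanted)
    if taken:
        raise ValueError("clusters already reallocated, will not re-chain: %r" % taken)
    for c in wanted[:-1]:
        fat12_set(fat, c, c + 1)       # e.g. entry 530 -> 531
    fat12_set(fat, wanted[-1], FAT12_EOF)
    return bytes([RESTORE_CHAR]) + deleted_entry[1:], wanted


def build_sample():
    """Constructed floppy-sized FAT12 (clusters 2..2847), a 830-byte file NOTES.TXT at
    cluster 530 and an empty directory DOCS at cluster 600."""
    max_clusters = 2848
    fat = bytearray((max_clusters * 3 + 1) // 2 + 2)
    fat12_set(fat, 0, 0xFF0)
    fat12_set(fat, 1, FAT12_EOF)
    f = bytearray(32); f[0:11] = b"NOTES   TXT"; f[11] = 0x20
    f[26:28] = (530).to_bytes(2, "little"); f[28:32] = (830).to_bytes(4, "little")
    d = bytearray(32); d[0:11] = b"DOCS       "; d[11] = 0x10
    d[26:28] = (600).to_bytes(2, "little")
    fat12_set(fat, 530, 531); fat12_set(fat, 531, FAT12_EOF); fat12_set(fat, 600, FAT12_EOF)
    return fat, bytes(f), bytes(d), max_clusters


if __name__ == "__main__":
    fat, f, d, n = build_sample()
    print("before:", follow_chain(fat, 530, n))
    f = delete_file(fat, f, n)
    print("deleted:", f[:11], follow_chain(fat, 530, n))
    f, chain = recover_file(fat, f, 512, n)
    print("recovered:", f[:11], chain)
```

On a real volume you would write the repaired entry and both FAT copies back with DISKEDIT; the check in `reused_clusters` is the part that matters when the deleted file was fragmented or another file has since been written over its clusters, because re-chaining blindly would then corrupt the newer file as well.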
File Systems: FAT – Deletion
What are the implications with contiguous vs fragmented cluster allocation?
DISKEDIT Demonstration
Questions? Start thinking about project topics!
Homework 04
Create a DOS virtual machine with the provided virtual hard drive image
Install floppy disk mounter for Windows
Mount the provided floppy disk image
Report on contents of the floppy disk using Windows and then DOS
Use DISKEDIT.EXE to recover the following:
A deleted text file from the root of the drive
A deleted directory and its contents
A deleted picture
Show recovery steps with screenshots
Report on the contents of the floppy disk according to DOS and Windows
Homework 04: ImDisk
imdiskinst.exe
Homework 04: VirtualBox
DOS_6.22.vdi
Homework 04: VirtualBox
Start the VM
Mount the floppy
Homework 04: DISKEDIT.EXE
diskedit.exe a: