CNS 320 Week2 Lecture

Transcript of CNS 320 Week2 Lecture

  • CNS 450: COMPUTER FORENSICS & INCIDENT RESPONSE
    Week 2 Lecture
    Copyright 2011, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

  • Overview of Today's Material
    Evidence Terminology & Courtroom Usage
    Tool Selection
    Data Formatting Terminology
    Disk Layout & Partitioning
    Windows Filesystems: FAT; NTFS (Master File Table, Attributes, Folder Structures, Timestamps)
    Digital Evidence Analysis (Generally)

  • Courtroom Treatment of Digital Evidence
    Best Evidence Rule
    Hearsay Rule
    Expert Witness Testimony
    E-Discovery

  • Other Federal Rules of Evidence Applying to Digital Evidence
    Relevant (FRE 401)
    Authentic (FRE 901(a)); Chain of Custody
    Hearsay (FRE 801)
    Original (FRE 1001-1008)
    Unfair prejudice (FRE 403)

  • Additional Evidence Terminology
    Reliability
    Demonstrative Evidence
    Real Evidence
    Testimonial Evidence
    Circumstantial Evidence
    Direct Evidence

  • Evidence terminology: Reliability
    Evidence may be given different weight or credibility by the fact finder (judge, jury, arbitrator).
    Evidence that is corroborated (the fact is evidenced from an independent source) may be given added weight.
    Reliability is related to how you go about collecting and preserving evidence.

  • Evidence terminology: Demonstrative evidence
    Generally a visual aid to help further the understanding of the trier of fact.
    Charts, maps and models; photographs, sound recordings.

  • Evidence terminology: Real evidence
    An object that had a direct part in the incident or event.
    A tangible object (bullet, weapon, document, clothing, defective bolt).

  • Evidence terminology: Circumstantial evidence
    An inference in addition to the truth of the matter stated needs to be made.
    Inference: User A (a person) modified the database:
    the log entry shows the username and password of User A were used to access the database, and
    the IP address of the connection to the database matches the IP address of User A's computer, as verified by a log from that time.
    Therefore User A must have been performing the action, since no one else should have had access to his account.

  • Evidence terminology: Testimonial evidence
    Witness with personal knowledge
    Expert or opinion witness

  • Evidence terminology: Direct evidence
    The sole inference that must be made to establish a fact of consequence is the truth of the matter asserted.
    Example: a log entry shows that a database was accessed on May 19, 2004 and the Customers table was changed.

  • Spoliation
    The destruction or significant alteration of evidence, or the failure to preserve property for another's use as evidence in pending or reasonably foreseeable litigation.
    A party claiming spoliation must demonstrate:
    the party having control of the evidence had an obligation to preserve it at the time it was destroyed;
    the evidence was destroyed with a culpable state of mind;
    the destroyed evidence was relevant to the party's claim or defense, such that a reasonable trier of fact could find that it would support that claim or defense.

  • Selecting Forensic Tools
    Requirements:
    Reliability (Repeatability)
    Efficacy
    Transparency

  • Reliability of Forensic Tools
    Testing: Can the procedure be tested, and has it been?
    Errors: Is there a known error rate or failure condition for the procedure?
    Publication: Has the procedure been published and subjected to peer review?
    Acceptance: Is the procedure generally accepted in the relevant scientific community?

  • Reliability of Forensic Tools: Resources
    NIST Computer Forensics Tool Testing (CFTT) Project web site: http://www.cftt.nist.gov/
    Brian Carrier's article, Open Source Digital Forensics Tools: The Legal Argument: http://www.digital-evidence.org/papers/opensrc_legal.pdf

  • Empty Space Terms (used inconsistently)
    Unallocated Space
    Unused Space
    Slack Space

  • Unallocated Space: typical usage
    Can be within any structure, for example:
    Disk
    Volume (term not used consistently)
    Filesystem (most common usage)
    Database file
    Registry hive
    Directory
    Physical memory (heap)
    Any location which does not currently hold referenced data.

  • Slack Space
    Space at the end of a record, allocated but not used, typically because of a fixed allocation unit size. May contain remnants of a previously allocated record.
    RAM Slack: space in the last sector of a file after the end of the file's data.
    File Slack: any remaining sectors in the last cluster of a file following the RAM slack. In typical usage, "file slack" may include the RAM slack.
    Volume/Partition Slack (inconsistent usage): space between the end of a volume/filesystem and the end of the disk partition it occupies.

  • Data Storage: Big-Endian vs. Little-Endian
    Big-Endian: most significant byte stored first (at the lowest address). Used by mainframes and many traditional UNIX platforms (SPARC, PowerPC); also the network byte order.
    Little-Endian: least significant byte stored first. Used by PCs (x86), and therefore by nearly every on-disk Windows structure covered here.
    Value: 258
    Hex: 0x0102
    Big-Endian: 01 02
    Little-Endian: 02 01
    Mnemonic: LLL - Little, Least, Left (in little-endian the least significant byte is on the left).

  • Unicode
    Multi-byte characters.
    Because of various localization initiatives, much Windows internal storage, especially including memory, is 2-byte Unicode (UTF-16LE).
    If your search tool doesn't directly support Unicode, this means you must manually convert your search strings: for an ASCII search term, follow each character with a null byte (0x00), because UTF-16LE stores the low byte of each 16-bit code unit first (so "A" is stored as 41 00, not 00 41).
    Other encodings (UTF-8, with 1 to 4 bytes per character, and 4-byte UTF-32) exist as well, but they are less used in Windows internal structures.

  • Timestamps
    Windows uses a variety of timestamp formats in different areas.
    Windows FILETIME: a 64-bit little-endian quantity representing the number of 100-nanosecond periods since 1/1/1601 00:00:00 UTC.
    Typically found in filesystem metadata in sets of four (MACB times), stored on disk in this order:
    1 Creation ([B]orn) time
    2 Last [M]odified time
    3 MFT entry modified ([C]hanged) time
    4 Last [A]ccessed time
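
    The following Python is an added worked example (not from the original slides) that ties the last three slides together: the 258 = 01 02 / 02 01 endianness case, FILETIME decoding and encoding, and building the UTF-16LE byte pattern a byte-oriented search tool needs. The epoch offset is the standard 1601-to-1970 tick count; the sample byte strings are constructed.

```python
"""Byte order, Windows FILETIME and UTF-16LE search terms.

Added example for this lecture, not part of the original slides. Standard
library only; the sample values are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch (1601-01-01 00:00:00 UTC) and the number of 100 ns ticks
# between it and the Unix epoch (0x019DB1DED53E8000).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_OFFSET = 116444736000000000
TICKS_PER_SECOND = 10_000_000


def encode_endian(value, big_endian=False):
    """Return the 16-bit encoding of `value` in the requested byte order."""
    return struct.pack(">H" if big_endian else "<H", value)


def filetime_to_datetime(raw):
    """Decode an 8-byte little-endian FILETIME into an aware UTC datetime.

    datetime only carries microseconds, so the last digit of the 100 ns tick
    count is dropped here; filetime_subsecond_ticks() keeps it available.
    """
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_subsecond_ticks(raw):
    """Return the 100 ns ticks within the current second (0..9,999,999)."""
    (ticks,) = struct.unpack("<Q", raw)
    return ticks % TICKS_PER_SECOND


def datetime_to_filetime(dt):
    """Encode an aware UTC datetime as the 8-byte little-endian FILETIME NTFS stores."""
    delta = dt - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def utf16le_search_term(text):
    """Byte pattern for `text` as Windows keeps it internally (UTF-16LE).

    For ASCII input this is each character followed by 0x00, because the low
    byte of each 16-bit code unit is stored first.
    """
    return text.encode("utf-16-le")


if __name__ == "__main__":
    print(encode_endian(258, big_endian=True).hex(" "))          # 01 02
    print(encode_endian(258).hex(" "))                           # 02 01
    unix_epoch = struct.pack("<Q", FILETIME_UNIX_OFFSET)
    print(unix_epoch.hex(" "), "->", filetime_to_datetime(unix_epoch))
    print(utf16le_search_term("Admin").hex(" "))                 # 41 00 64 00 ...
```

    Run it as a script to see the three encodings side by side; the functions are what you would drop into a carving or keyword-search script.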

  • Drive Geometry Terms: Sectors, and Tracks, and Clusters (Oh My!)
    Disk drives are physically divided up into platters, each of which has one or more heads. Contiguous chunks of data are variously referenced as sectors, clusters, blocks, or cylinders.
    Physical arrangement can be important when attempting to recover data from damaged media.
    For our current purposes, a disk is simply a long sequence of sectors (the smallest directly accessible chunk of disk, typically 512 bytes), which are grouped into clusters, the size of which varies by filesystem.
    Disks are then divided up using a partitioning scheme into partitions/volumes, which are in turn typically formatted as filesystems.
    Note: drives with 4K sectors are becoming more popular, and large drives are typically partitioned using GPT (GUID Partition Table) rather than MBR.

  • MBR Partitioning
    Most Windows partitions are MBR.
    The Master Boot Record lives in the first 512-byte sector on the disk and contains:
    Boot code
    4 primary partition table entries of 16 bytes each, starting at offset 446 (not all need be valid)
    Signature value 0xAA55 at offset 510 (stored little-endian, so the bytes read 55 AA)
    A partition table entry contains, in on-disk order:
    Flags/status (0x80 = bootable)
    Starting CHS address
    Type of partition
    Ending CHS address
    Starting LBA address (32-bit, little-endian)
    Number of sectors in the partition (32-bit, little-endian)
    A primary partition may be an extended partition, which references a linked list of secondary extended partition tables.
    The first partition usually starts 63 sectors after the partition table (LBA 63) due to the legacy cylinder boundary requirement; Windows Vista and later align the first partition at LBA 2048 instead.

  • MBR Partition Structure
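
    Added example, not part of the original lecture material: a small Python parser for the MBR layout just described, plus the sector-signature scan the speaker notes suggest for locating partition tables and boot sectors after the MBR itself has been wiped. The 8-sector "disk image" is constructed inline, and the partition-type names are a labelling subset.

```python
"""Parse an MBR partition table and hunt for boot-signature sectors.

Added example for this lecture (not from the original slides). The MBR and the
small disk image are constructed here so the script runs offline.
"""
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"          # 0xAA55 stored little-endian at offset 510
# Partition type bytes most often met on Windows disks (subset, for labelling).
PARTITION_TYPES = {0x05: "Extended (CHS)", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0xEE: "GPT protective"}


def parse_mbr(sector):
    """Return the non-empty primary partition entries of a 512-byte MBR.

    Raises ValueError if the signature is missing. CHS fields are left as raw
    bytes: they are redundant with the LBA fields and invalid beyond 8 GB.
    """
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("no MBR signature at offset 510")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i:446 + 16 * (i + 1)]
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue                                   # empty slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                        "lba_start": lba_start, "sectors": count,
                        "lba_end": lba_start + count - 1,
                        "extended": ptype in (0x05, 0x0F)})
    return entries


def find_signature_sectors(image):
    """Sector numbers whose last two bytes are 55 AA.

    Extended partition tables and volume boot sectors carry the same signature
    as the MBR, so this finds them after the MBR is gone. Expect false
    positives from ordinary data; confirm each hit by parsing it.
    """
    return [n for n in range(len(image) // SECTOR)
            if image[n * SECTOR + 510:n * SECTOR + 512] == BOOT_SIGNATURE]


def make_entry(status, ptype, lba_start, count):
    """One 16-byte partition entry with zeroed CHS fields (constructed data)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)


def build_sample_image():
    """Constructed 8-sector image: MBR at LBA 0, NTFS volume boot sector at LBA 3."""
    table = make_entry(0x80, 0x07, 3, 4) + make_entry(0x00, 0x0B, 7, 1) + b"\0" * 32
    mbr = b"\0" * 446 + table + BOOT_SIGNATURE
    vbr = b"\xEB\x52\x90NTFS    " + b"\0" * (510 - 11) + BOOT_SIGNATURE
    return mbr + b"\0" * SECTOR * 2 + vbr + b"\0" * SECTOR * 4


if __name__ == "__main__":
    img = build_sample_image()
    for entry in parse_mbr(img[:SECTOR]):
        print(entry)
    print("sectors ending in 55 AA:", find_signature_sectors(img))
```

    On a real image, feed parse_mbr() the first 512 bytes, then walk any extended entry to its secondary table (its own 512-byte sector with the same signature), which is also the case find_signature_sectors() is meant to recover.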

  • File Systems
    A filesystem is a method of mapping file data and metadata onto a storage volume in such a way that it can be stored and retrieved efficiently.
    Filesystem data categories:
    File System: data pertaining to the filesystem as a whole
    Content: data contained within the bodies of files
    Metadata: data about files
    File Name: human interface reference for a file identifier
    Application: data implementing special filesystem features such as journaling or quotas

  • Locations for potential data hiding
    Host Protected Area (HPA) / Device Configuration Overlay (DCO)
    The 62 sectors between the MBR and the first partition
    Volume/Partition Slack
    Unpartitioned space: disk blocks not assigned to a partition
    Boot sector of a non-bootable partition
    Unallocated space within a filesystem, or within files/directories
    File Slack

  • FAT Filesystems
    FAT12: 512 B to 8 KB clusters, 12-bit cluster numbers (2^12 addressable), 32 MB max volume size (floppy disks only)
    FAT16: 512 B to 64 KB clusters, 16-bit cluster numbers (2^16 addressable), 4 GB max volume size
    FAT32: 512 B to 32 KB clusters, 32-bit cluster number fields of which 28 bits are used (2^28 addressable), 8 TB max volume size in principle (but Windows only allows formatting a 32 GB partition, and MBR limitations only allow partitions up to 2 TB)
    No FAT filesystem has ACLs.

  • NTFS
    64-bit cluster numbers
    File size max: theoretically up to 16 exabytes minus 1 KB (2^64 - 1024); in practice 16 terabytes minus 64 KB (2^44 - 64 KB)
    Volume size max: theoretically 256 terabytes minus 64 KB; in practice 16 terabytes
    MBR partitions only support up to 2 TB
    Max number of files: 4,294,967,295 (2^32 - 1)

  • NTFS Data Structure: Master File Table (MFT)
    The heart of NTFS. Has an entry for every file and directory, including itself.
    MFT entries are 1024 bytes in length, and start with the signature FILE (typically) or BAAD.
    A single file can (rarely) require multiple MFT entries to store all its attributes.
    It's sometimes possible to find complete MFT entries in unallocated space that reference remnant file data also in unallocated space.

  • MFT Structure

    The first 42 bytes of the data structure contain specialized fields, and the remaining 982 bytes are unstructured and can be filled with attributes and fixup values.

  • Fields in the first 42 MFT bytes
    Offset  Size       Field
    0       4 bytes    Signature (FILE or BAAD)
    4       2 bytes    Offset to fixup array, relative to start of MFT entry
    6       2 bytes    Number of entries in fixup array
    8       8 bytes    $LogFile Sequence Number (part of the journaling file system)
    16      2 bytes    Sequence value (counter indicating the number of times this MFT entry has been unallocated, minus one)
    18      2 bytes    Link count (number of directories that have entries for this file)
    20      2 bytes    Offset to first attribute
    22      2 bytes    Flags
    24      4 bytes    Used size of MFT entry
    28      4 bytes    Allocated size of MFT entry
    32      8 bytes    File reference to base record
    40      2 bytes    Next attribute ID
    42      982 bytes  Attributes and fixup values

  • Attribute Header Structure
    Byte Range  Description
    0-3         Attribute type identifier
    4-7         Length of attribute (including this header)
    8           Non-resident flag
    9           Length of name
    10-11       Offset to name
    12-13       Flags
    14-15       Attribute identifier

  • Resident Attribute Structure
    Byte Range  Description
    0-15        General header
    16-19       Size of content
    20-21       Offset to content
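
    The following Python is an added example (not the lecture's own tooling, and not analyzeMFT.py) that walks a 1024-byte MFT record using exactly the header and attribute-header layouts on the preceding slides: it applies the fixup array, decodes the fixed header fields, and enumerates the attribute headers, returning resident content. The record is constructed by build_sample_record(), including a fourth, named $DATA attribute (an alternate data stream) so the name handling is exercised; the LSN, sequence and attribute-ID values in it are arbitrary.

```python
"""Walk an NTFS MFT record: fixups, fixed header fields, attribute headers.

Added example for this lecture; not the lecture's tooling and not analyzeMFT.py.
The 1024-byte record is constructed by build_sample_record(); a real one comes
from $MFT or from carving 'FILE' signatures out of unallocated space.
"""
import struct

MFT_RECORD_SIZE, SECTOR, END_OF_ATTRIBUTES = 1024, 512, 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
              0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x80: "$DATA",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP"}


def apply_fixups(record):
    """Undo update-sequence protection; raise on a torn or misidentified record.

    NTFS stamps the 2-byte update sequence number (USN) over the last two bytes
    of each 512-byte sector and parks the original bytes in the fixup array.
    """
    fixup_off, fixup_count = struct.unpack_from("<HH", record, 4)
    usn = record[fixup_off:fixup_off + 2]
    out = bytearray(record)
    for i in range(1, fixup_count):                    # entry 0 is the USN itself
        end = i * SECTOR
        if out[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        out[end - 2:end] = record[fixup_off + 2 * i:fixup_off + 2 * i + 2]
    return bytes(out)


def parse_header(record):
    """Decode the fixed fields at offsets 0-41 of an MFT entry."""
    if record[:4] not in (b"FILE", b"BAAD"):
        raise ValueError("not an MFT record signature")
    (fixup_off, fixup_count, lsn, seq, links, attr_off, flags, used, alloc,
     base_ref, next_id) = struct.unpack_from("<HHQHHHHIIQH", record, 4)
    return {"signature": record[:4].decode(), "lsn": lsn, "sequence": seq,
            "link_count": links, "first_attr_offset": attr_off,
            "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
            "used_size": used, "allocated_size": alloc,
            "base_record": base_ref & 0xFFFFFFFFFFFF,   # low 48 bits = entry number
            "next_attr_id": next_id}


def iter_attributes(record):
    """Yield (type name, attribute name, resident?, content or None) per attribute."""
    off = parse_header(record)["first_attr_offset"]
    while off + 4 <= len(record):
        (atype,) = struct.unpack_from("<I", record, off)
        if atype == END_OF_ATTRIBUTES:
            return
        length, nonres, name_len, name_off = struct.unpack_from("<IBBH", record, off + 4)
        if length == 0:
            raise ValueError("zero-length attribute; record is corrupt")
        name = record[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        content = None
        if not nonres:                                  # bytes 16-21: size, offset
            csize, coff = struct.unpack_from("<IH", record, off + 16)
            content = record[off + coff:off + coff + csize]
        yield ATTR_NAMES.get(atype, hex(atype)), name, not nonres, content
        off += length


def resident_attr(atype, content, name=""):
    """Constructed resident attribute: 24-byte header, optional name, content."""
    name_b = name.encode("utf-16-le")
    coff = (24 + len(name_b) + 7) & ~7                   # content 8-byte aligned
    length = (coff + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, length, 0, len(name), 24, 0, 0)
    hdr += struct.pack("<IHBB", len(content), coff, 0, 0)
    return ((hdr + name_b).ljust(coff, b"\0") + content).ljust(length, b"\0")


def build_sample_record():
    """Constructed in-use file record with a named $DATA stream, USN-stamped."""
    attrs = (resident_attr(0x10, b"\x11" * 48) + resident_attr(0x30, b"\x22" * 80)
             + resident_attr(0x80, b"hello from a resident $DATA stream\n")
             + resident_attr(0x80, b"hidden", name="secret")
             + struct.pack("<I", END_OF_ATTRIBUTES))
    fixup_off, attr_off = 48, 56
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQH", fixup_off, 3, 0x1000, 1, 1, attr_off,
                                1, attr_off + len(attrs), MFT_RECORD_SIZE, 0, 5)
    rec = bytearray((hdr.ljust(attr_off, b"\0") + attrs).ljust(MFT_RECORD_SIZE, b"\0"))
    usn = b"\x07\x00"                                    # arbitrary sequence number
    rec[fixup_off:fixup_off + 6] = usn + bytes(rec[510:512]) + bytes(rec[1022:1024])
    rec[510:512] = rec[1022:1024] = usn
    return bytes(rec)


if __name__ == "__main__":
    fixed = apply_fixups(build_sample_record())
    print(parse_header(fixed))
    for attr in iter_attributes(fixed):
        print(attr)
```

    Always apply the fixups before reading anything that spans a sector boundary; a record carved from unallocated space whose fixups do not verify is either torn or not really an MFT record, and that distinction matters before you trust its timestamps.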

  • MFT Attribute Types
    Type ID  Name                    Description
    16       $STANDARD_INFORMATION   General information, such as flags; the last accessed, written, and created times; and the owner and security ID
    32       $ATTRIBUTE_LIST         List where other attributes for the file can be found
    48       $FILE_NAME              File name, in Unicode, and the last accessed, written, and created times
    64       $VOLUME_VERSION         Volume information. Exists only in version 1.2 (Windows NT)
    64       $OBJECT_ID              A 16-byte unique identifier for the file or directory. Exists only in versions 3.0+ (Windows 2000+)
    80       $SECURITY_DESCRIPTOR    The access control and security properties of the file
    96       $VOLUME_NAME            Volume name
    112      $VOLUME_INFORMATION     File system version and other flags
    128      $DATA                   File contents
    144      $INDEX_ROOT             Root node of an index tree
    160      $INDEX_ALLOCATION       Nodes of an index tree rooted in the $INDEX_ROOT attribute
    176      $BITMAP                 A bitmap for the $MFT file and for indexes
    192      $SYMBOLIC_LINK          Soft link information. Exists only in version 1.2 (Windows NT)
    192      $REPARSE_POINT          Contains data about a reparse point, which is used as a soft link in version 3.0+ (Windows 2000+)
    208      $EA_INFORMATION         Used for backward compatibility with OS/2 applications (HPFS)
    224      $EA                     Used for backward compatibility with OS/2 applications (HPFS)
    256      $LOGGED_UTILITY_STREAM  Contains keys and information about encrypted attributes in version 3.0+ (Windows 2000+)

  • Standard NTFS file system metadata files
    Entry  File Name  Description
    0      $MFT       The entry for the MFT itself
    1      $MFTMirr   Backup of the first entries in the MFT
    2      $LogFile   Filesystem journal that records metadata transactions
    3      $Volume    Volume information: label, identifier, version, etc.
    4      $AttrDef   Attribute information, such as the identifier values, names, and sizes
    5      .          Root directory of the file system
    6      $Bitmap    Allocation status of each cluster in the file system
    7      $Boot      Boot sector and boot code for the file system
    8      $BadClus   List of clusters that have bad sectors
    9      $Secure    Information about security and access control for the files (Windows 2000 and XP version only)
    10     $Upcase    Uppercase version of every Unicode character
    11     $Extend    Directory that contains files for optional extensions. Microsoft does not typically place the files in this directory into the reserved MFT entries.

  • Example MFT Entry

  • Timestamps in NTFS
    NTFS files can have several associated attributes that contain timestamps:
    $STANDARD_INFORMATION
    $FILE_NAME (short, and possibly a separate long one)
    $INDEX_ROOT (contains $FILE_NAME entries)
    $INDEX_ALLOCATION (contains $FILE_NAME entries)
    Four file system timestamps (MACB times) will be contained in each, stored in this order:
    1 Creation ([B]orn) time
    2 Last [M]odified time
    3 MFT entry modified ([C]hanged) time
    4 Last [A]ccessed time

  • Windows Usage of NTFS Timestamps
    Windows itself generally uses only $STANDARD_INFORMATION for anything accessed via its API.

  • Manual Timestamp Alteration
    Manually changing a timestamp in $STANDARD_INFORMATION is fairly trivial; tools include:
    Time Stamp 1.1 - Set a file's time stamp to a precise value
    Change File Time stamp - Novell Cool Solutions: Cool Tool
    Attribute Changer
    Vinnie Liu's timestomp, one of the anti-forensics tools built into Metasploit

  • File Timestamp Changes by Activity

  • NTFS directory entries also have timestamps & file sizes
    The index entry structure of an NTFS directory stores a complete copy of the referenced file's filename attribute(s), both long and short.
    This includes all four timestamps and both file sizes.
    When a file is deleted, this entry is unlinked from the directory's B-tree, but is not wiped unless overwritten during ensuing B-tree rebalancing.
    If you find a filename in unallocated space, or in the $INDEX_ALLOCATION or $INDEX_ROOT attribute of a folder which doesn't contain a file of that name, it helps to know what you're looking at.

  • INDEX_ROOT Attribute Structure

  • $INDEX_ROOT Header Structure
    Byte Range  Description                                                        Essential
    0-3         Type of attribute in index (0 if entry does not use an attribute)  Yes
    4-7         Collation sorting rule                                             Yes
    8-11        Size of each index record in bytes                                 Yes
    12          Size of each index record in clusters                              Yes
    13-15       Unused                                                             No
    16+         Node header                                                        Yes

  • INDEX_ALLOCATION Attribute Structure

  • Index Record Header Structure
    Byte Range  Description                                      Essential
    0-3         Signature value (INDX)                           No
    4-5         Offset to fixup array                            Yes
    6-7         Number of entries in fixup array                 Yes
    8-15        $LogFile Sequence Number (LSN)                   No
    16-23       The VCN of this record in the full index stream  Yes
    24+         Node header                                      Yes

  • Index Entry Structure
    Byte Range  Description                                 Essential
    0-7         MFT file reference for file name            Yes
    8-9         Length of this entry                        Yes
    10-11       Length of $FILE_NAME attribute              No
    12-15       Flags                                       Yes
    16+         $FILE_NAME attribute (if length is > 0)     Yes
    Last 8 bytes of entry, starting on an 8-byte boundary: VCN of child node in $INDEX_ALLOCATION (field exists only if flag is set)  Yes

  • Filename Attribute Structure
    Byte Range  Description                         Essential
    0-7         File reference of parent directory  No
    8-15        File creation time                  No
    16-23       File modification time              No
    24-31       MFT modification time               No
    32-39       File access time                    No
    40-47       Allocated size of file              No
    48-55       Real size of file                   No
    56-59       Flags                               No
    60-63       Reparse value                       No
    64          Length of name                      Yes / No
    65          Namespace                           Yes / No
    66+         Name                                Yes / No

  • Things to Remember
    Focus on the timestamps.
    Sets of four (64-bit, little-endian, number of 100 ns periods since 1/1/1601 00:00:00 UTC).
    Exist in both Standard Information attributes and (long and 8.3) Filename attributes.
    Filename attributes are found inside:
    MFT records (1024 bytes long, FILE or BAAD record signature)
    $INDEX_ROOT attributes (resident in the MFT, no other signature)
    $INDEX_ALLOCATION attributes (non-resident, INDX record signature)

  • Detecting timestamp manipulation
    Compare $STANDARD_INFORMATION timestamps with $FILE_NAME timestamps (the common tools change only the former, so a $STANDARD_INFORMATION time earlier than the corresponding $FILE_NAME time is suspect).
    Compare with other timestamps for the same file recovered from directory entries or unallocated space.
    Utilities which set timestamps typically either set a particular time rounded to the nearest second (leaving the sub-second part of the FILETIME zero), or copy the $STANDARD_INFORMATION times from some other file.
    Look for log references to the questionable file.
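
    As an added example covering both the Filename Attribute Structure slide and the detection slide above (not code from the lecture or from any named tool), this Python decodes $STANDARD_INFORMATION and $FILE_NAME bodies and applies the two comparisons just described. The bodies are the resident attribute content with the 24-byte attribute header already stripped; the pair in build_samples() is constructed to look like a file whose $STANDARD_INFORMATION was set back to whole seconds while its $FILE_NAME was left alone.

```python
"""Decode $STANDARD_INFORMATION / $FILE_NAME timestamps and flag timestomping.

Added example for this lecture; not the lecture's own tooling. The attribute
bodies below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS (8.3)", 3: "Win32 & DOS"}
MACB = ("B", "M", "C", "A")            # on-disk order: created, modified, MFT changed, accessed


def filetime(ticks):
    """100 ns ticks since 1601-01-01 UTC -> aware datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_standard_information(body):
    """Bytes 0-31 of $STANDARD_INFORMATION are the four FILETIMEs; 32-35 are flags."""
    born, modified, changed, accessed = struct.unpack_from("<4Q", body, 0)
    (flags,) = struct.unpack_from("<I", body, 32)
    return {"B": born, "M": modified, "C": changed, "A": accessed, "flags": flags}


def parse_file_name(body):
    """Decode a $FILE_NAME body (the same layout sits inside INDX index entries)."""
    (parent_ref, born, modified, changed, accessed, alloc, real, flags, reparse,
     name_len, namespace) = struct.unpack_from("<QQQQQQQIIBB", body, 0)
    return {"parent_entry": parent_ref & 0xFFFFFFFFFFFF, "B": born, "M": modified,
            "C": changed, "A": accessed, "allocated_size": alloc, "real_size": real,
            "flags": flags, "namespace": NAMESPACES.get(namespace, str(namespace)),
            "name": body[66:66 + 2 * name_len].decode("utf-16-le")}


def timestomp_indicators(si, fn):
    """Return the anomalies worth raising, as short strings (empty list = none seen).

    $FILE_NAME times are rarely touched by the common tools, so $SI times that
    predate $FN, and $SI times with an empty sub-second part, both point at
    manual alteration. The accessed time is the noisiest of the four. Absence
    of findings proves nothing.
    """
    findings = []
    for key in MACB:
        if si[key] < fn[key]:
            findings.append(f"$SI {key} {filetime(si[key]).isoformat()} predates "
                            f"$FN {key} {filetime(fn[key]).isoformat()}")
    whole = [k for k in MACB if si[k] % TICKS_PER_SECOND == 0]
    if len(whole) == 4:
        findings.append("all four $SI timestamps fall on a whole second")
    elif whole:
        findings.append("whole-second $SI timestamps: " + ",".join(whole))
    return findings


def ticks(dt, extra=0):
    """Constructed FILETIME tick count for an aware UTC datetime plus `extra` ticks."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10 + extra


def build_samples():
    """Constructed $SI/$FN pair: created 2011-02-14 09:31:07.5001234 UTC, then the
    $SI times set back to 2009-01-01 00:00:00 (whole seconds), $FN untouched."""
    real = ticks(datetime(2011, 2, 14, 9, 31, 7, 500000, tzinfo=timezone.utc), 1234)
    fake = ticks(datetime(2009, 1, 1, tzinfo=timezone.utc))
    fn = struct.pack("<QQQQQQQIIBB", 5, real, real, real, real, 4096, 1207, 0x20, 0, 9, 3)
    fn += "notes.txt".encode("utf-16-le")
    si = struct.pack("<4Q", fake, fake, fake, fake) + struct.pack("<I", 0x20) + b"\0" * 12
    return si, fn


if __name__ == "__main__":
    si_body, fn_body = build_samples()
    si, fn = parse_standard_information(si_body), parse_file_name(fn_body)
    print(fn["name"], fn["namespace"], filetime(fn["B"]), filetime(si["B"]))
    for finding in timestomp_indicators(si, fn):
        print("!", finding)
```

    Run the same two functions over a $FILE_NAME carved from an INDX record or from unallocated space and compare it against the live MFT entry for the same name; that is the second comparison on the slide, and the one a tool that rewrites only $STANDARD_INFORMATION cannot defeat.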

  • The Windows Recycle Bin
    A user file recovery mechanism shoehorned in before actual FAT or NTFS file deletion. Applies only to deletion done via the Windows GUI.
    Hidden folder at the top of the drive:
    RECYCLED (Win95/98)
    RECYCLER (WinNT/2K/XP/2K3)
    $Recycle.Bin (Vista/7)

  • WinNT/2K/XP/2K3 Recycle Bin
    Subfolder under RECYCLER named with the user's SID.
    When a file goes into the trash, it's moved to a unique name under this folder of the form D<drive letter><index>.<original extension>.
    Also under this subfolder will be a hidden binary file named INFO2 containing records which document the current name, original full path, and deletion time for each file in the recycle bin.
    When the recycle bin is emptied, all these files are deleted.

  • WinVista/7 Recycle Bin
    User SID folder created under $Recycle.Bin.
    Each deleted file now gets moved to $R###### under the new SID folder.
    $I###### with the same number in that folder contains the original path and deletion time for that file.

  • Linux SIFT Kit Registry & MFT Tools
    Python scripts:
    analyzeMFT.py - parses the MFT structure, pulling out all metadata into a CSV or body file (doesn't do folder data)
    INDEXParse.py - parses extracted $INDEX_ALLOCATION attributes into a CSV or body file
    We'll use these in today's lab, and talk more about them in the timelining section.

  • Evidence Analysis
    First, figure out what you're looking for.
    Search through all evidence for case-related keywords (in Unicode and custom code pages as well as ASCII).
    Identify the data types of search hits, formulate appropriate follow-up searches; lather, rinse, repeat.
    Timeline case data, and examine artifacts that have timestamps close to those of known case-related events.

  • The importance of a dirty word list
    As you proceed through an investigation, you will discover various bits of information that can be used as search terms.
    Keep a list of these and periodically search through all of the evidence for those that are new.
    Often the search hits will themselves suggest new search terms.

  • Dirty Word Categories
    What (data)
    Why (motivation)
    How (procedures)
    Who (people)
    Where (location)
    When (time/date, in various formats)

  • Important Material
    Important = relevant to the case you're working on.
    If you find it in a search, even in unallocated space, you need to be able to identify the type of structure it is or was embedded in, and know whether other information contained in that structure may be significant.
    So think carefully about what kinds of things you'll be running searches for: your dirty word list.

  • Recognizing Structures In Which Search Results Are Found
    Examples of what you're looking for - dirty word list for keyword searches:
    Filenames, account names, Registry key or value names (next week)
    Data from file contents: people, places, specific chunks of text
    Keywords relating to specific subjects: crime/drug/hacking terminology
    Dates/timestamps in any format, binary or text (may have to convert & run multiple searches)

  • Recognizing Structures In Which Search Results Are Found
    Any time I discuss a specific structure or artifact, look for where within it something might match a dirty word list element.
    Consider how you would recognize the structure if that happened, and what other useful information you might be able to extract.

  • Recognizing Struct Structures In Which Search Results Are Found
    When I describe an artifact that can be extracted with a specific tool, consider whether a keyword search might return hits based on that artifact, and how you might recognize that this is what has happened.
    Please ask questions; I may not always follow through and draw out all the implications explicitly.

  • Recognizing Structures In Which Search Results Are Found
    Examples of structures you should be able to recognize from context if they turn up in search results:
    MFT record ($STANDARD_INFORMATION attribute, or more likely, $FILE_NAME attributes)
    INDX record ($FILE_NAME attributes)
    Windows EVT log
    Registry key or value
    File metadata (might need the file type for additional context, such as if you see an account name turn up buried in a PDF or Word doc)
    Once you recognize the structure, the next step is to find associated info from that structure (timestamps, etc.) to add to your case & dirty word list.

  • Reading for Next Week
    CERT, Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis (August 2008)
    Brian Carrier's article, Open Source Digital Forensics Tools: The Legal Argument
    Chapter 5 of Windows Forensic Analysis Toolkit, 3rd Edition: Registry Analysis
    By: Harlan Carvey
    Publisher: Syngress
    Pub. Date: January 15, 2012
    Print ISBN-13: 978-1-59749-727-5
    Web ISBN-13: 978-1-59749-728-2
    Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy1.lib.depaul.edu/book/-/9781597497275

  • Questions?

    Best Evidence Rule: excludes degraded duplicates of evidence items where originals or perfect copies are available.

    Hearsay Rule: excludes testimony of a third party with no knowledge of the original event unless no one with direct knowledge is available.

    Expert Witness Testimony: an acknowledged expert in a given area may state opinions or draw conclusions from items of evidence based on that expertise.

    E-Discovery is frequently part of civil proceedings. Relevant data are identified and requested from the opposing party. They are then placed on legal hold and are extracted using forensic techniques. As a part of this process, it is important to avoid any appearance of spoliation (see the Spoliation slide).

    Relevance: evidence must be relevant (i.e., material to the issues in the case).

    Authenticity: proof of authenticity may be made by either direct or circumstantial evidence. For computer-generated evidence, the offering party must present evidence as to the preparation of the data; evidence as to who, when and where the evidence was compiled or retrieved; or, as a catch-all, any other evidence sufficient to support a finding that the evidence in question is what the proponent claims.

    Hearsay: computer-stored statements initiated by a human declarant are excluded unless covered by a hearsay exception. Computer-generated non-hearsay records (e.g. logs) are not admissible unless authenticated by showing that they were generated by a system or process capable of producing a reliable result.

    Computer evidence excluded from the Casey Anthony trial because it was unfairly prejudicial included nightclub photographs of Casey partying while the search for her daughter was in progress.

    O.J. Simpson case: DNA evidence was not given much weight by the jury owing to the manner in which the blood samples were collected and preserved.

    While evidence may not be excluded from a case because of handling or chain of custody issues, a judge may direct a jury to weigh it less heavily than other elements of the case.

    Spoliation is particularly significant in e-discovery.

    Definition: West v. Goodyear Tire & Rubber Co., 167 F.3d 776, 779 (2d Cir. 1999)

    Demonstrate: Residential Funding Corp. v. DeGeorge Fin. Corp., 306 F.3d 99, 107 (2d Cir. 2002)

    Sanctions for spoliation can include bias in the case up to and including a summary finding against the spoliator.

    What I mean by transparency is that you need to be able to understand enough about what the tool is doing to replicate some portion of the results by other methods, thus verifying that it did what you think it did.

    Forensic tools are notorious for not explaining exactly from where they obtained a particular piece of data they're presenting as gospel. There are frequently at least some circumstances that can cause data presented this way to be incorrect in some particular.

    Despite not currently holding referenced data, unallocated space frequently holds remnants from the last time it was used. This is because the location was not overwritten when it was last deallocated or when it was reallocated, most often because of either the associated performance penalty or apathy on the part of the programmer.

    Slack can apply to any record type with a fixed allocation unit size, but is typically used in reference to files.

    NTFS & FAT filesystems are allocated in clusters.

    Back in old versions of Win95 and previous, RAM slack got randomly populated with data from memory. Since then it is nulled out when a file is written.

    File slack is not overwritten when a file is first written to disk, and will still contain any previous content, unless it was deleted using a secure wipe utility.

    Most forensic tools will give you both the logical size of a file and its physical size. Physical size is calculated as the number of units allocated times the allocation unit size. File slack is therefore sometimes defined as the difference between a file's logical and physical sizes. Note that this definition explicitly includes any RAM slack.

    Know the meaning of these terms and the difference between them. Some processors, such as ARM, have configurable endianness.

    A cluster or block is the smallest unit of data on the disk that can be allocated by a given filesystem. The cluster or block size in sectors is usually specified when the filesystem is generated.

    http://en.wikipedia.org/wiki/GUID_Partition_Table

    Can discuss MBR & GPT at the end of class if there's time, using the above link and

    http://en.wikipedia.org/wiki/Master_Boot_Record

    GPT is also used by newer Intel-based Macs.

    The CHS (Cylinder Head Sector) address is redundant, and only valid for disks < 8 GB.

    The first partition usually starts 63 sectors after the partition table due to the legacy cylinder boundary requirement.

    By searching for sectors with 0xAA55 in the last two bytes, we can locate secondary partition tables which might be left after a primary partition table was overwritten.

    Bottom line: it's possible to completely recover partitions and their contained filesystems even after the MBR has been completely wiped, or after someone intentionally deletes all partitions on a drive. This gets trickier if more than the first sector has been wiped, but is often still possible, as we'll see later.

    Filesystems also typically provide a standardized way for a computer to boot itself from them, such as by providing a boot sector in their first 512 bytes.

    Note: in many filesystems, filenames are only stored separately, as part of a directory specification, rather than additionally being an intrinsic file metadata element as they are in NTFS.

    The Sleuth Kit, which is part of the SANS SIFT kit, has a suite of command line tools that can be used to extract, manipulate, and analyze each of these data category elements.

    These data categories were devised by Brian Carrier for his book File System Forensic Analysis. Similar to the OSI network model, they map much more directly onto some implementations than others.

    For legacy reasons, the MBR is limited to a single sector.

    For more info on HPA/DCO, see http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf

    HPAs are typically used by computer manufacturers to provide a factory reinstall capability.

    DCOs are used by drive OEMs to provide drives with different hardware which appear identical (a large drive with manufacturing defects on some platters appears to be a non-defective smaller drive).

    http://en.wikipedia.org/wiki/File_Allocation_Table

    FAT filesystems include no access control mechanisms at all.

    FAT12 is only used on floppy disks. FAT12: 12-bit cluster numbers, limited root directory of 512 entries, 32 bytes each.

    FAT16: 16-bit cluster numbers, limited root directory of 512 entries, 32 bytes each.

    FAT32 was introduced with Windows 95 OSR2, and is still typically used as the default format on external hard disks. It's also used as the standard format on SD cards or CF cards for mobile devices such as phones & cameras. FAT32: 32-bit cluster number fields (28 bits used), root directory an ordinary cluster chain with no limit on size. Has limited error recovery capabilities.

    For additional details on NTFS, I would commend you to chapters 12 and 13 of the book File System Forensic Analysis, by Brian Carrier. Publisher: Addison-Wesley Professional; 1st edition (March 27, 2005). ISBN-10: 0321268172, ISBN-13: 978-0321268174. http://proquestcombo.safaribooksonline.com.ezproxy2.lib.depaul.edu/book/networking/forensic-analysis/0321268172

    These filenames are invisible from within Windows, but are typically visible at the top level of the filesystem when examining it using forensic tools.

    The data attribute location of $Boot is fixed at the first sector of the partition. It's typically about 8K long, but only contains about 4K of data.

    All NTFS files have a short name which complies with the old 8.3 format: up to eight characters, followed by a dot, and up to a three character extension. If a filename doesn't fit within this format, it gets a separate long filename attribute, and for backward compatibility a unique 8.3 filename is assigned, typically by truncating the filename and appending a tilde and a number before the extension.

    This chart is from the detecting timestamp manipulation article in your reading assignment, derived from research done by Rob Lee on activity performed via the Windows GUI.

    If you see four plausible NTFS timestamps in a row, followed after 26 more bytes by a Unicode filename, you're probably looking at a filename attribute.

    If it's surrounded by a bunch of other similar data for other filenames, without much interspersed, it's probably a directory. Look back a few hundred bytes and see if there's an INDX header.

    Alternatively, if there is a significant amount of interspersed data, and the only other filename attribute close by is a long or short filename attribute for the same file, you might be looking at an MFT entry. Look back a few hundred bytes and see if you see a FILE header.

    Note: individual NTFS timestamps are 8-byte little-endian quantities showing the number of 100 ns units since Jan 1st, 1601.

    Note also that other Windows applications use different time formats.

    A useful multi-format timestamp converter is dcode.exe, from http://www.digital-detective.co.uk/freetools/decode.asp

    Remember that there are often two filename attributes for a file, and why. This is my all-time favorite interview question, and you're guaranteed to see it at least twice in different forms on a quiz and the final.

    There's nothing worse than being handed a drive and requested to "find the badness on it". It's possible to literally spend weeks on this kind of wild goose chase without actually identifying whatever it was that the submitter was really interested in.

    Unicode: multi-byte characters (2 or more bytes per character) used for various foreign languages. Lots of Windows internal data representation is in 2-byte Unicode format.

    Custom code pages: notably Outlook Compressible Encryption, which is used in PST files.

    Examples: names, filenames, addresses, IP addresses, dates, technical terms, slang, file or record type signatures.

    The investigation process is essentially an attempt to completely traverse a linked set of these various data elements.

    Anything and everything that might possibly be related to the case, and which is at all specific, goes in your dirty word list for later searching.

    Event Logs, the Registry, and file metadata will all be covered in depth over the next several weeks. We'll also cover some additional specifics on keyword searching, and look at some results in a later lab.