FCM 760 | Fall 2014 | Lecture 4fcm760.andriulli.com › files › FCM760_Fall2014_Lecture04.pdfMBR...

10/6/2014

1

FCM 760 | Fall 2014 | Lecture 4Disk Drives, FAT File Systems, FAT Data Recovery

October 6, 2014

File System Forensic Analysisby Brian Carrier

10/6/2014

2

Suggested Reading

Reading Assignment:

File System Forensic Analysis by Brian Carrier (ISBN: 978-0321268174)

Chapters 4, 5, 8, 9, 10

This is not a requirement but I would HIGHLY recommend purchasing this book; it will become a very important reference for you as a professional in the field.

Let’s talk about data!

We need to build our understanding of storage media from the ground up:

Disk Types

Partitions and Volumes

Bits, Sectors, Clusters

File Systems

Operating Systems

10/6/2014

3

Content vs Metadata

Metadata is data about data.

Examples:

File System Metadata: MAC Times (Modified, Accessed, Created)

Operating System Metadata: File Security Settings, Created By, log files, etc…

File Metadata:

Image files: EXIF data (Exchangeable Image File Format)

Office Documents

Music Files

Back On Topic: Disk Types

SATA

IDE

SAS

SCSI

10/6/2014

4

Disk Drives

Data is stored on platters

The arm moves the head

The head reads and writes data

Data is written by changing the direction of magnetization for a bit

Disk Drives

Platters can store data on both their sides

Platters are segmented into tracks

A track is a circular ring that goes around the platter

Tracks are numbered from the outside inward

A cylinder refers to all tracks at a given address

10/6/2014

5

Disk Drives

Each track is divided into sectors

A sector is the smallest addressable storage unit and is typically 512 bytes

Sectors are numbered

You can address a specific sector using the CHS method (Cylinder, Head, Sector)

Disk Drives

CHS addressing only works for disks less than 8 GB in size.

LBA (Logical Block Addressing) has replaced CHS.

LBA is a linear scheme: the first sector is LBA 0, the second is LBA 1, and so on…

LBA used because in modern disks, platters may have different numbers of tracks per side and different numbers of sectors per track.

10/6/2014

6

Volumes & Partitions

How is data segmented?

Partition: a collection of consecutive sectors

Volume: a collection of addressable sectors used by OSs and applications to store and access data

Volumes don’t have to be consecutive, they just have to appear that way to whatever is addressing it, i.e. spanning

Partitions

Know that each operating system and hardware platform typically uses a different partition scheme/method.

Today we’re going to focus on DOS partitions which are typically used with DOS, Windows, and Linux systems

DOS partitions employ a MBR (Master Boot Record)

Newer partition schemes:

GPT – GUID Partition Table

EFI – Extensible Firmware Interface

10/6/2014

7

Master Boot Record (MBR)

The MBR is ALWAYS stored in sector 0, the first 512 bytes of the drive.

Contains:

Partition Table – Describes how the disk is split up

Boot Code – tells the computer how to read the partition table and find the operating system

MBR – Partition Tables

The Partition Table stores the following information for each partition:

Starting CHS address

Ending CHS address

Starting LBA address

Number of sectors in the partition

Type of partition: FAT, NTFS, EXT3, etc…

Flags for the partition: tells you which partition is bootable

Partition Tables are legacy structures and only had 4 partition slots

Newer spec: 3 slots and the 4th is used for Extended partitions

10/6/2014

8

MBR – Partition Tables

Partition Tables are legacy structures and only had 4 primary partition entries

Newer drives are much bigger so the Extended partition was created

3 Primary Partition Entries, 1 Extended Entry – takes up the rest of the drive

File Systems

File Systems provides a way to organize raw data (sectors) into meaningful structures, and assign them to items such as folders and files.

Provide tracking information for files and users (metadata)

File Systems are not tied to disk types but Operating Systems are typically dependent on specific File Systems.

10/6/2014

9

File Systems: Allocation Strategies

At any moment, a File System must know which data units are unallocated (available for use), which data units are allocated (assigned to a structure), and which data units are bad

Assigned data can be contiguous or it can be fragmented

Some Allocation Strategies:

First Available – Always uses the first available data unit

Next Available – Keeps track of where it last left off

Best Fit – Searches for consecutive data units

The OS chooses which allocation strategy it will use

File Systems: FAT

File Allocation Table (FAT)

Different flavors of FAT: FAT12, FAT16, FAT32, ExFAT

Great file system to use if you’re switching between PCs and Macs

A simple file system type that has two main data structures:

FAT Table

Directory Entries

10/6/2014

10

File Systems: FAT – Reserved Area

Specific information about the file system is stored in the Volume Boot Record (VBR) which is stored in the first sector of the volume

Tells you how many FAT structures there are and how big they are

Volume Name

May tell you what tool created the file system (MSWIN4.0, MSDOS5.0, etc…)

Cluster Size

Clusters are the lowest addressable data object to an OS

Clusters are made up of groups of sectors

Cluster number starts at 2 and begins in the Data Area


10/6/2014

11


File Systems: FAT – FAT Structures

There can be 1 or more FAT Structures (Tables)

There are typically two copies

The FAT tables contain one entry for every cluster available to the file system

Entry 50 corresponds to cluster 50

An entry can have one of several values:

0 – the cluster is not allocated

0xff7 – cluster marked as BAD

<EOF> - End Of File

Other non-zero values – contains the address of the next cluster in the file or directory

10/6/2014

12

File Systems: FAT – FAT Structures

File Systems: FAT – Directory Entries

A directory entry is a data structure that is created for every file and directory.

Directory entries are 32 bytes in size and contain the file’s attributes, size, starting cluster, and date/timestamps.

When a new file or directory is created, a directory entry in the parent directory is allocated for it.

A directory is basically a table of directory entries.

Directory entries DO NOT have unique identifiers. You use the file/directory name to address a directory entry

10/6/2014

13



Sector Offset 32 Byte Directory Entry ASCII Representation

10/6/2014

14


File Names:

Short File Name (SFN): 8.3 – name is 8 characters, file extension is 3

Long File Name (LFN): 255 characters including the file extension

LFNs always precede the SFN

Each entry can store 13 characters

Increase in sequence from the bottom up


Size:

Directories always have a size of 0

4 Byte field = maximum file size of 4 GB (2^32 bits)

Cluster:

Starting cluster entry is provided

If a sector is 512 bytes, then Size/512 = how many clusters are assigned to this file

830/512 = 1.6210… Always round up – this file takes up 2 clusters

10/6/2014

15


Attributes:

A – the Archive attribute tells you this file was created or written to

R – this entry is read only

S – this entry pertains to a system file

H – this is a hidden file/directory

D – is this entry a Directory?

V – is this the Volume Name?


10/6/2014

16

File Systems: FAT – Deletion

FAT file systems conduct minimal cleanup actions during deletion

File Deletion

The first character of the directory entry is changed to 0xE5

Allocated FAT clusters are set to zero

Directory Deletion

The first character of the directory entry is changed to 0xE5

Associated FAT cluster entry is set to zero

All sub-items are deleted according to the above steps

What are the implications with contiguous vs fragmented cluster allocation?


How do we recover a file?

1. Change the first character of the directory entry to anything acceptable character other than 0xE5. Typically we use an underscore (0x5F).

2. Determine how many clusters were allocated to the file using the cluster size from the MBR and the file size from the directory entry: 20,583/512 = 41 clusters.

Attempt to re-chain the FAT table entries using the file’s starting cluster value.

The first cluster entry’s value will be the next cluster allocated to the file. E.G.: cluster entry 530 will have a value of 531.

Enter a value of <EOF> in the last cluster allocated to the file.

10/6/2014

17


How do we recover a directory?

1. Change the first character of the directory entry to anything acceptable character other than 0xE5. Typically we use an underscore (0x5F).

2. Enter the value <EOF> in the cluster allocated to the directory.

3. Attempt to recover any files that were contained in the recovered directory using the discussed file recovery method.


10/6/2014

18


What are the implications with contiguous vs fragmented cluster allocation?

DISKEDIT Demonstration

Questions?Start thinking about project topics!

10/6/2014

19

Homework 04

Create a DOS virtual machine with the provided virtual hard drive image

Install floppy disk mounter for Windows

Mount the provided floppy disk image

Report on contents of the floppy disk using Windows and then DOS

Use DISKEDIT.EXE to recover the following:

A deleted text file from the root of the drive

A deleted directory and its contents

A deleted picture

Show recovery steps with screenshots

Report on contents of the floppy disk according to Dos and Windows

Homework 04: ImDisk

imdiskinst.exe

10/6/2014

20

Homework 04: ImDisk

Homework 04: VirtualBox

DOS_6.22.vdi

10/6/2014

21

Homework 04: VirtualBox

Start the VM

Mount the floppy

Homework 04: DISKEDIT.EXE

diskedit.exe a:

10/6/2014

22

Homework 04: DISKEDIT.EXE

diskedit.exe a:

FCM 760 | Fall 2014 | Lecture 4fcm760.andriulli.com › files › FCM760_Fall2014_Lecture04.pdfMBR...

Documents

Transcript of FCM 760 | Fall 2014 | Lecture 4fcm760.andriulli.com › files › FCM760_Fall2014_Lecture04.pdfMBR...