Upload File

an introduction to file system forensic...

  • Home
  • Documents
  • An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten
18
(Corso) © Università degli Studi di Pavia, Antonio Barili 1 Antonio Barili Laboratorio di informatica Forense Dipartimento di Ingegneria Industriale e dell’Informazione Università degli Studi di Pavia [email protected] An Introduction to File System Forensic Analysis Università degli Studi di Pavia A. Barili 1 Foreword Università degli Studi di Pavia A. Barili 2 Computer Forensics Incident Response Digital Forensics

Upload: others

Post on 28-Jun-2020

13 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 1

Antonio Barili Laboratorio di informatica Forense Dipartimento di Ingegneria Industriale e dell’Informazione Università degli Studi di Pavia

[email protected]

An Introduction to File System Forensic Analysis

Università degli Studi di Pavia – A. Barili 1

Foreword

Università degli Studi di Pavia – A. Barili 2

Computer Forensics

Incident Response Digital Forensics

Page 2: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 2

An Introduction to File System Forensics

What's in a file? That which we call a file by any other name would smell as sweet

Università degli Studi di Pavia – A. Barili 3

File a record in a public office

or in a court of law

place in a container for keeping records Document

A (digital) representation of information

An Introduction to File System Forensics

What's in a file? That which we call a file by any other name would smell as sweet

Università degli Studi di Pavia – A. Barili 4

File System

A data structure that provides persistent archival services to an operating system

Page 3: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 3

An Introduction to File System Forensics

What's in a file? That which we call a file by any other name would smell as sweet

Università degli Studi di Pavia – A. Barili 5

Visual Metaphores to deal with the File System

Hierarchical tree of folders containing other folders and/or documents

An Introduction to File System Forensics

A drive ! A drive ! My kingdom for a drive !

Università degli Studi di Pavia – A. Barili 6

Persistence

Page 4: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 4

An Introduction to File System Forensics

A drive ! A drive ! My kingdom for a drive !

Università degli Studi di Pavia – A. Barili 7

HPA ...

LBA Space

Available Sectors

(0,5-4KB) Spare

Sectors

An Introduction to File System Forensics

Is this a volume which I see before me?

Università degli Studi di Pavia – A. Barili 8

The file system does not (usually) deals with drives, but to astraction of them

named volumes

Sectors in a volume need not be consecutive on a physical storage device

(but they appear to be so)

Page 5: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 5

An Introduction to File System Forensics

Is this a volume which I see before me?

Università degli Studi di Pavia – A. Barili 9

A volume allocated on a single drive

Two volumes on a single drive

A volume spanning two disks (es. RAID1 )

...

An Introduction to File System Forensics

Though this be madness yet there is method in it

Università degli Studi di Pavia – A. Barili 10

A C B D

FS A FS B FS C-D

Page 6: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 6

An Introduction to File System Forensics

Screw your boot block to the sticking place

Università degli Studi di Pavia – A. Barili 11

MBR/GPT

MBR: Master Boot Record

GPT: GUID Partition Table

An Introduction to File System Forensics

Screw your boot block to the sticking place

Università degli Studi di Pavia – A. Barili 12

MBR (sector 0)

{ Boot Code

PartitionTable [4]

{ Start CHS, End CHS, Start LBA, Nsect, Type, Flags }

Signature

}

Partition # 1

Page 7: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 7

An Introduction to File System Forensics

Screw your boot block to the sticking place

Università degli Studi di Pavia – A. Barili 13

MBR (sector 0)

MBR offset is specified in the CHS/LBA space

File System Data Structure offsets are specified in the partition (volume) space

Partition # 1

An Introduction to File System Forensics

Screw your boot block to the sticking place

Università degli Studi di Pavia – A. Barili 14

[To probe: Frhed – http://frhed.sourceforge.net]

Page 8: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 8

An Introduction to File System Forensics

Screw your boot block to the sticking place

Università degli Studi di Pavia – A. Barili 15

Reserved Area (1 sect)

Master Index (directory) Area

Data Area (Data Clusters)

Housekeeping data

NOT to be confused with “directory” files

An Introduction to File System Forensics

Age cannot wither her (The FAT File System)

Università degli Studi di Pavia – A. Barili 16

FAT is the original file system used in DOS and Windows 9x

Now used in Pendrives and Camera Storage Cards

[To probe: http://dmitrybrant.com/fatwalker]

Reserved Area (1 sect)

FAT Area Data Area

Page 9: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 9

An Introduction to File System Forensics

Age cannot wither her (The FAT File System)

Università degli Studi di Pavia – A. Barili 17

An Introduction to File System Forensics

Age cannot wither her (The FAT File System)

Università degli Studi di Pavia – A. Barili 18

Page 10: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 10

An Introduction to File System Forensics

Age cannot wither her (The FAT File System)

Università degli Studi di Pavia – A. Barili 19

An Introduction to File System Forensics

Age cannot wither her (The FAT File System)

Università degli Studi di Pavia – A. Barili 20

Page 11: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 11

An Introduction to File System Forensics

Something is rotten in the state of Denmark (The NTFS File System)

Università degli Studi di Pavia – A. Barili 21

NTFS is the default file system since Ms Windows NT

“Everything is a file”

NTFS provides better resilience to system crashes (e.g. journaling) ...

... and a huge amount of places to hide information (from users)

[To probe: http://dmitrybrant.com/fatwalker]

Boot Sector (cluster 0)

$MFT f00 f01

An Introduction to File System Forensics

Something is rotten in the state of Denmark (The NTFS File System)

Università degli Studi di Pavia – A. Barili 22

Page 12: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 12

An Introduction to File System Forensics

Something is rotten in the state of Denmark (The NTFS File System)

Università degli Studi di Pavia – A. Barili 23

An Introduction to File System Forensics

Something is rotten in the state of Denmark (The NTFS File System)

Università degli Studi di Pavia – A. Barili 24

Page 13: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 13

An Introduction to File System Forensics

Something is rotten in the state of Denmark (The NTFS File System)

Università degli Studi di Pavia – A. Barili 25

An Introduction to File System Forensics

Something is rotten in the state of Denmark (The NTFS File System)

Università degli Studi di Pavia – A. Barili 26

Page 14: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 14

An Introduction to File System Forensics

Something is rotten in the state of Denmark (The NTFS File System)

Università degli Studi di Pavia – A. Barili 27

An Introduction to File System Forensics

Something is rotten in the state of Denmark (The NTFS File System)

Università degli Studi di Pavia – A. Barili 28

Page 15: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 15

An Introduction to File System Forensics

Men's evil manners live in brass; their virtues we write in water

Università degli Studi di Pavia – A. Barili 29

MBR (sector 0)

Formatting an hard disk overwrites the MBR, but leaves partition content unchanged

Even if both the boot sector and the file system structures are lost or damaged, most files will reside in contiguous clusters an could be carved out by looking at their headers and trailers

Partition # 1

An Introduction to File System Forensics

Men's evil manners live in brass; their virtues we write in water

Università degli Studi di Pavia – A. Barili 30

Page 16: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 16

An Introduction to File System Forensics

Men's evil manners live in brass; their virtues we write in water

Università degli Studi di Pavia – A. Barili 31

An Introduction to File System Forensics

Men's evil manners live in brass; their virtues we write in water

Università degli Studi di Pavia – A. Barili 32

Page 17: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 17

Università degli Studi di Pavia – A. Barili 33

There are more things in heaven and earth, Horatio,

Than are dreamt of in your philosophy.

(William Shakespeare, Hamlet Act 1. Scene V, 1601)

Riferimenti

Università degli Studi di Pavia – A. Barili 34

[Carrier, 2005]

Carrier, Brian, File System Forensic Analysis, Addison-Wesley, 2005

[Sammes, 2007]

Sammes, Tony and Brian jenkinson, Forensic Computing – A Parctitioner’s Guide, 2° Ed, Springer-Verlag, 2007

Page 18: An Introduction to File System Forensic Analysisvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/ForensicAnalysis.pdf · An Introduction to File System Forensics Something is rotten

(Corso)

© Università degli Studi di Pavia, Antonio Barili 18

35

Data Autore Descrizione

06/12/2012 ab

Il contenuto di questo documento riflette esclusivamente le opinioni dell’autore e non impegna in alcun modo l‘Università degli Studi di Pavia.

Il contenuto di questo documento è stato curato al fine di fornire un’informazione accurata sull’argomento trattato, non un parere legale o professionale. Se si necessita di tale parere è necessario rivolgersi ad un professionista competente.


Rotten School #3

Rotten Recruitment

Sincronizzazione con Java - vision.unipv.itvision.unipv.it/corsi/SistemiOperativi/lucidi/SO-08.pdf · Sistemi Operativi 15/16 Sincronizzazione con Java 2 Corse critiche e sincronizzazione

Rotten Fish Games

Sistemioperativi ì - unipi.it

LUCIDI RILEVAMENTO 08

Throwing a rotten

Lucidi informatica base

Evoluzione dei sistemi operativi - vision.unipv.itvision.unipv.it/corsi/SistemiOperativi/lucidi/SO-02.pdf · Sistemi Operativi 16/17 Evoluzione 7 Classificazione dei S. O. L'evoluzione

Lucidi capitolo 14

Apprendimento (lucidi)

Dossier Informativo: Rotten Rain

Robert B. Reich Rotten Apples And Rotten Systems

The Rotten Milk

Sicurezza - crittografiavision.unipv.it/corsi/SistemiOperativi/lucidi/SO-15.pdf · 2016-06-06 · Sistemi Operativi 15/16 Sicurezza 20 Worm di Robert Morris • Fu una delle più

Rotten School #2

Lucidi Intro

Rotten in Riverton R1

Rotten Scrum

CRM Lucidi dispensa.pdf

PROF.SSA PIA LUCIDI

Input Output - vision.unipv.itvision.unipv.it/corsi/SistemiOperativi-mn/lucidi/SO-14.pdf · Sistemi Operativi 12/13 Input Output 4 Dispositivi di I/O • Si distinguono due categorie

Dirty Rotten Imbeciles · 2019. 6. 19. · Dirty Rotten Imbeciles

The Rotten Apple Adventure

Revista Rotten Rain

Tecniche Sogni Lucidi

Dirty Rotten Program:Dirty Rotten Program

“ TRIBE ”[ D ] or “ ROTTEN”

Rotten Fruit, Rotten Faith (James 2:14-26 February 26, 2017) · Rotten fruit, rotten faith. Allowing this teaching to exist in the church is a problem because it permits professing

Gestione della memoria - Computer Vision and …vision.unipv.it/corsi/SistemiOperativi/lucidi/SO-11.pdfSistemi Operativi 15/16 Gestione della memoria 2 Necessità di gestire la memoria

ROTTEN BRAIN REVISTA

Rotten Evaluation Questions

3 eserc. - lucidi

Rotten Food

Sistemi Operativi - Paviavision.unipv.it/corsi/SistemiOperativi/lucidi/SO-05.pdf · Sistemi Operativi 2015/16 Scheduling 2 Scheduling dei processi • Se più processi sono eseguibili