7/31/2019 Forensics Comp
1/25
Digital Forensics (File System Forensic Analysis)
1. Background
Sungyong Park, Ph.D.
Distributed Computing & Communication Lab. (URL: http://dcclab.sogang.ac.kr)
Dept. of Computer Science and Engineering
Sogang University, Seoul, Korea
Tel: +82-2-705-8929
Email: [email protected]

Data Analysis
(Figure: the layers of data analysis, from the physical medium upward)
- Physical storage (PHY) analysis
- Volume analysis
- File system analysis
- Application / OS analysis
- Database analysis
- Swap space analysis
- Memory analysis
- Network analysis

Process of Analyzing Data
(Figure: each analysis step and the data unit it produces)
- Hard disk -> Physical media analysis -> sectors of data
- Sectors of data -> Volume analysis -> volume
- Volume -> File system analysis -> file
- File -> Application analysis

Booting Process
- When power is applied to the system, execution starts at a fixed memory location (ROM) where the initial bootstrap program is located.
- Sometimes a two-step process: a simple bootstrap loader fetches a more complex boot program.
- The boot program loads the kernel.
- For a large OS (e.g. Windows, Mac OS X, UNIX):
  - The bootstrap loader (from ROM) runs diagnostics and has a bit of code that can read a single block (boot sector or boot block, e.g. the MBR) at a fixed location on disk and execute the code in it.
  - The program in the boot block either loads the entire OS or reads the remainder of the bootstrap program from disk, based on the address and length information it holds.

Hard Disk Technology
- Hard disks: the most common source of digital evidence
- Geometry (figure): platters, with Platter 0 being the platter numbered from the bottom and Head 0 the head numbered from the bottom; Cylinder (C): 0 ~ (n-1); Sector (S): 1 ~ n (typically 512 bytes)
- Performance = seek time + rotational latency + transfer time

Access of Hard Disk
- Using the BIOS
  - The BIOS already knows the hardware components, including the details of the installed disks
  - Loads the interrupt table
  - INT 13h (and extended INT 13h) supports many disk functions
  - The BIOS may not see the entire disk
- Using direct access
  - Requires some knowledge about the hardware
  - Fastest way to access the data

CHS Addressing (1)
- CHS (Cylinder/Head/Sector) addressing
  - Physical address space = C * H * S * 512 bytes
  - E.g., 1024 cylinders, 256 heads, 64 sectors => 1024 * 256 * 64 * 512 bytes = 2^10 * 2^8 * 2^6 * 2^9 bytes = 2^33 bytes = ~8 GB
  - Assumes that each track has the same number of sectors (standard recording): old disk drives
  - Cannot be applied to newer hard drives, which use zoned-bit recording
  - Zoned-bit recording: outer tracks have more sectors, and the transfer speed is much faster on the outer tracks
- Normal / Large / LBA setting
- Capacity barrier
  - To access hard drives we can use BIOS INT 13h, which (in an old BIOS) uses CHS addressing to find a sector

CHS Addressing (2)
- Capacity barrier (continued)
  - Values used in an old BIOS (24 bits in total)

    Field      Bits      Max value       Range
    Cylinder   10 bits   2^10 = 1024     0 ~ 1023
    Head       8 bits    2^8 = 256       0 ~ 255
    Sector     6 bits    2^6 = 64        1 ~ 63

  - Maximum size = 1024 * 256 * 63 * 512 bytes = 8,455,716,864 bytes (~8.4 GB)
  - Values used in the ATA-1 standard (28 bits in total)

    Field      Bits      Max value       Range
    Cylinder   16 bits   2^16 = 65,536   0 ~ 65,535
    Head       4 bits    2^4 = 16        0 ~ 15
    Sector     8 bits    2^8 = 256       1 ~ 255

  - Maximum size = 65536 * 16 * 255 * 512 bytes = 136,902,082,560 bytes (~137 GB)

CHS Addressing (3)
- Capacity barrier (continued)
  - 528 MB barrier

    Field      CHS BIOS   ATA       Limit
    Cylinder   1024       65,536    1024
    Head       256        16        16
    Sector     63         255       63

  - When using ATA disks via the CHS BIOS, the smaller value of each field must be used
  - Maximum size = 1024 * 16 * 63 * 512 bytes = 528,432,304 bytes (~528 MB)
- CHS parameter translation
  - Translate the CHS values of the hard disk into values the BIOS can represent, while keeping the total number of sectors the same
  - E.g., CHS values 2048, 16, 63 => translated values 1024, 32, 63
  - Can break the 528 MB barrier
  - Applied to hard drives manufactured around 1993~1994 or later
  - Normal / Large / LBA setting
  - Still limited by the 8.4 GB barrier

LBA Addressing
- LBA (Logical Block Address) addressing
  - Uses a single number, starting at 0, to address each sector (28 bits)
  - Software does not need to know anything about the geometry; it only needs to know a single number
  - Some file systems still use CHS addresses, so translation is needed
    - E.g. 1: CHS address 0,0,1 => LBA 0
    - E.g. 2: CHS address 0,0,2 => LBA 2, etc.
  - When all sectors in a track have been used, the first sector at the next head in the same cylinder is used (i.e., CHS 0/1/1)
  - LBA = (((C * heads_per_cylinder) + H) * sectors_per_track) + S - 1
- Normal / Large / LBA setting
  - Still limited by the 137 GB barrier (due to 28-bit addressing)
- ATA-6 standard
  - Up to ATA-5 (Ultra-ATA/66), the same problems as above remain
  - The ATA-6 (Ultra-ATA/100) standard extends 28-bit addressing to 48-bit addressing (144,115,188,075,855,872 bytes = 144 PB)
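Worked example added here (not part of the original slides): CHS-to-LBA conversion with the formula on this slide, the capacity barriers from the preceding CHS slides, and the parameter translation 2048/16/63 -> 1024/32/63. The function names and the sample geometries are the example's own assumptions; the field limits are the ones from the tables above.

```python
# Added example, not part of the original slides: CHS <-> LBA conversion using the
# slide's formula, and the CHS capacity barriers from the preceding slides.
# Function names and the sample geometries are this example's own assumptions.
SECTOR_BYTES = 512


def chs_to_lba(c, h, s, heads_per_cylinder, sectors_per_track):
    """LBA = (((C * heads_per_cylinder) + H) * sectors_per_track) + S - 1.
    Cylinders and heads are 0-based, sectors are 1-based."""
    if not 0 <= h < heads_per_cylinder or not 1 <= s <= sectors_per_track:
        raise ValueError("CHS value outside the disk geometry")
    return ((c * heads_per_cylinder) + h) * sectors_per_track + s - 1


def lba_to_chs(lba, heads_per_cylinder, sectors_per_track):
    """Inverse of chs_to_lba: once a track is exhausted, the next head in the
    same cylinder is used (LBA 63 on a 16-head/63-sector geometry is CHS 0/1/1)."""
    c, rem = divmod(lba, heads_per_cylinder * sectors_per_track)
    h, s0 = divmod(rem, sectors_per_track)
    return c, h, s0 + 1


def capacity_bytes(cylinders, heads, sectors):
    """Addressable size of a geometry, with 512-byte sectors."""
    return cylinders * heads * sectors * SECTOR_BYTES


# Maximum (cylinders, heads, sectors) from the tables on the CHS slides.
OLD_BIOS_MAX = (1024, 256, 63)
ATA1_MAX = (65536, 16, 255)


def combined_limit(limit_a, limit_b):
    """An ATA disk reached through a CHS BIOS is bound by the smaller of each field."""
    return tuple(min(a, b) for a, b in zip(limit_a, limit_b))


def translate_chs(cylinders, heads, sectors, max_cylinders=1024, max_heads=256):
    """CHS parameter translation: halve the cylinder count and double the head count
    until the cylinders fit the BIOS field, keeping the total sector count unchanged."""
    while cylinders > max_cylinders:
        if cylinders % 2 or heads * 2 > max_heads:
            raise ValueError("geometry cannot be translated within the BIOS limits")
        cylinders //= 2
        heads *= 2
    return cylinders, heads, sectors


def lba_limit_bytes(address_bits):
    """Largest disk addressable with an n-bit LBA (28 bits: ATA-1..5, 48 bits: ATA-6)."""
    return (1 << address_bits) * SECTOR_BYTES


if __name__ == "__main__":
    print("CHS 0/0/2 ->", chs_to_lba(0, 0, 2, 16, 63))
    print("528 MB barrier:", capacity_bytes(*combined_limit(OLD_BIOS_MAX, ATA1_MAX)))
    print("2048/16/63 ->", translate_chs(2048, 16, 63))
```

Running the block reproduces the 8.4 GB and 137 GB figures from the tables, computes the 528 MB barrier exactly, and shows that the translated geometry keeps the sector count (2048 * 16 * 63 == 1024 * 32 * 63), which is why the translation is transparent to the file system on the disk.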

EDD Standard
- What is the problem?
  - The problem is in the BIOS
  - Phoenix BIOS proposed a new BIOS standard, EDD (Enhanced Disk Drive Specification), to NCITS (National Committee on Information Technology Standards)
  - EDD extends LBA so that it can use 64-bit addressing
  - Can support any hard drive that supports ATA-6

Host Protected Area (HPA)
- Host Protected Area (HPA): a location where computer vendors can store data that will not be erased when a user formats and erases the hard disk contents (not normally visible to the OS)
  - Can be used to save (and hide) data (default size 0)
  - Various booting and diagnostic utilities
  - Preloaded OS or system restore software
  - Theft recovery and monitoring services
  - Some rootkits hide in the HPA
- The HPA can be accessed via ATA commands (figure):

    LBA:  0 ---------------------- m ---------- n
          [    user-visible area   ][    HPA    ]

    IDENTIFY_DEVICE reports m (the last address visible to the OS)
    READ_NATIVE_MAX_ADDRESS reports n (the last address of the native area)
    SET_MAX_ADDRESS sets m, which creates or removes the HPA

Device Configuration Overlay (DCO)
- Device Configuration Overlay (DCO)
  - Added in ATA-6
  - Not visible to the BIOS or the OS
  - Can make an 80 GB HDD appear as a 60 GB HDD
- ATA commands (figure):

    LBA:  0 ---------------------- m ---------- n ---------- p
          [    user-visible area   ][    HPA    ][    DCO    ]

    IDENTIFY_DEVICE reports m
    READ_NATIVE_MAX_ADDRESS reports n
    DEVICE_CONFIGURATION_IDENTIFY reports p (the true last address)
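Worked example added here (not part of the original slides): given the three maximum-LBA values m, n and p from the two figures above, compute whether an HPA and/or a DCO is present and how many sectors each hides. The three values below are constructed sample responses modelling an 80 GB drive presented as 60 GB, not readings from a real drive; the class and function names are the example's own.

```python
# Added example, not part of the original slides: sizing the hidden areas from the
# maximum-LBA values returned by the ATA commands in the HPA/DCO figures.
# The sample values are constructed, not taken from a real drive.
from dataclasses import dataclass

SECTOR_BYTES = 512


@dataclass(frozen=True)
class AtaMaxAddresses:
    identify_device_max: int  # m: last LBA the OS sees (IDENTIFY_DEVICE)
    read_native_max: int      # n: last LBA of the native area (READ_NATIVE_MAX_ADDRESS)
    dco_identify_max: int     # p: true last LBA (DEVICE_CONFIGURATION_IDENTIFY)


@dataclass(frozen=True)
class HiddenArea:
    name: str
    first_lba: int
    last_lba: int

    @property
    def sectors(self):
        return self.last_lba - self.first_lba + 1

    @property
    def size_bytes(self):
        return self.sectors * SECTOR_BYTES


def hidden_areas(a):
    """Return the HPA (m+1 .. n) and DCO (n+1 .. p) regions that are present."""
    if not a.identify_device_max <= a.read_native_max <= a.dco_identify_max:
        raise ValueError("inconsistent ATA max addresses (expected m <= n <= p)")
    areas = []
    if a.read_native_max > a.identify_device_max:
        areas.append(HiddenArea("HPA", a.identify_device_max + 1, a.read_native_max))
    if a.dco_identify_max > a.read_native_max:
        areas.append(HiddenArea("DCO", a.read_native_max + 1, a.dco_identify_max))
    return areas


def visible_vs_total_bytes(a):
    """Size the OS sees versus the size the platters really hold."""
    visible = (a.identify_device_max + 1) * SECTOR_BYTES
    total = (a.dco_identify_max + 1) * SECTOR_BYTES
    return visible, total


# Constructed sample: 80 GB of real sectors, a DCO that presents it as 60 GB,
# plus a small HPA on top of the DCO-limited area.
SAMPLE = AtaMaxAddresses(
    identify_device_max=117_187_499,
    read_native_max=117_231_407,
    dco_identify_max=156_301_487,
)


def report(a):
    """Human-readable summary, one line per hidden region."""
    lines = []
    for area in hidden_areas(a):
        lines.append(f"{area.name}: LBA {area.first_lba}-{area.last_lba}, "
                     f"{area.sectors} sectors, {area.size_bytes} bytes")
    visible, total = visible_vs_total_bytes(a)
    lines.append(f"visible {visible} bytes of {total} bytes")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The practical consequence for an examiner is that an image taken through the OS only covers LBAs 0..m; a forensic acquisition has to read or remove the HPA and DCO first (on Linux, hdparm -N and hdparm --dco-identify expose the three values) and record all three maxima in the acquisition notes.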

File System Framework
(Figure: layers of the file system framework)
- User level: Directory Service (Directory API) and File Operations API, accessed by text name or by file id
- Kernel: System Call Interface -> File System Interface -> File System Implementation (File Storage Service) -> Device Driver
- Devices: Hard Disk, Floppy Disk, CD-ROM

A Typical File System Organization
(Figure: disks divided into minidisks or volumes, each with its own device directory or volume table of contents)
=> Every partition has a file system, which consists of directories and files.

File System Layout (System V Case)
- The file system resides on a single logical disk or partition, and each logical disk may hold at most one file system.
- A partition is viewed as a linear array of blocks. The size of a block is a multiple of 512 bytes (e.g., 512/1024/2048). This represents the granularity of space allocation for a file.
- The physical block # is an index into this array, which the device driver translates into cylinder, track, and sector #.

< Layout of a disk partition >

    block 0 | block 1 |            |
    B       | S       | Inode List | Data Blocks

- B (Boot Area): only one partition needs to contain it.
- S (Super Block): contains metadata about the file system.
- Inode List: has a fixed size, which limits the maximum number of files. The size of an inode is 64 bytes in System V UNIX.

Partitions and Mounting
- A disk can be sliced into multiple partitions, or a partition can span multiple disks.
- Each partition can be either raw, containing no file system, or cooked, containing a file system.
- A raw disk can be used where no file system is appropriate:
  - Swap space
- The root partition, which contains the OS kernel, is mounted at boot time. Other partitions can be mounted automatically at boot time or manually later.
  - Own directory structure (Unix)
  - Different name space (Windows, i.e., a different drive such as C:, D:, etc.)

File System Mounting
- Just as a file must be opened before it is used, a file system must be mounted before it can be accessed.
- Procedure
  - The operating system is given the name of the device and the location within the file structure at which to attach the file system (the mount point). Typically, a mount point is an empty directory.
  - The operating system verifies that the device contains a valid file system by asking the device driver to read the device directory.
  - Finally, the operating system notes in its directory structure that a file system is mounted at the specified mount point. This scheme enables the operating system to traverse its directory structure, switching among file systems as appropriate.

Example of File System Mounting
(Figure: an existing directory tree, an unmounted volume, and the mount point at which the volume is attached)
Partition and Mounting (Example)

Remote Mounting on an NFS Client
(Figure: three machines, Server 1, Client and Server 2)

    Server 1:  /export/people/{big, jon, bob, ...}
    Client:    /{vmunix, usr/{students, x, staff}}
    Server 2:  /nfs/users/{jim, ann, jane, joe}

    Remote mount: Client /usr/students  <-  Server 1 /export/people
    Remote mount: Client /usr/staff     <-  Server 2 /nfs/users

The file system mounted at /usr/students in the client is actually the subtree located at /export/people in Server 1; the file system mounted at /usr/staff in the client is actually the subtree located at /nfs/users in Server 2.
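Worked example added here (not part of the original slides): a small mount table that does what the "File System Mounting" slide describes, recording a file system at a mount point and switching file systems while resolving a path. The paths and names are the ones in the NFS figure above; the classes, the set-of-paths representation of a file system, and the resolve() logic are constructed for this example.

```python
# Added example, not part of the original slides: a mount table modelled on the
# slides' description of mounting, with path resolution that switches file
# systems at a mount point. Names and paths come from the NFS figure; the
# classes and the resolution logic are this example's own construction.
from dataclasses import dataclass, field


@dataclass
class FileSystem:
    name: str
    # Paths relative to this file system's root; "" stands for the root directory.
    files: set = field(default_factory=set)

    def contains(self, rel_path):
        return rel_path in self.files


class MountTable:
    """What the OS 'notes in its directory structure': mount point -> file system."""

    def __init__(self, root_fs):
        self.root = root_fs
        self.mounts = {}

    def mount(self, fs, mount_point):
        mp = mount_point.strip("/")
        if mp in self.mounts:
            raise ValueError(f"{mount_point}: already a mount point")
        if not self.root.contains(mp):
            raise FileNotFoundError(f"{mount_point}: mount point must exist in the root tree")
        self.mounts[mp] = fs

    def resolve(self, path):
        """Return (file system, path relative to that file system's root).
        The longest matching mount point wins, so nested mounts also work."""
        rel = path.strip("/")
        best_fs, best_mp = self.root, None
        for mp, fs in self.mounts.items():
            if rel == mp or rel.startswith(mp + "/"):
                if best_mp is None or len(mp) > len(best_mp):
                    best_fs, best_mp = fs, mp
        if best_mp is not None:
            rel = rel[len(best_mp):].strip("/")
        return best_fs, rel

    def exists(self, path):
        fs, rel = self.resolve(path)
        return fs.contains(rel)


# Constructed contents matching the figure.
CLIENT_ROOT = FileSystem("client:/", {"", "vmunix", "usr", "usr/students", "usr/x", "usr/staff"})
SERVER1_PEOPLE = FileSystem("server1:/export/people", {"", "big", "jon", "bob"})
SERVER2_USERS = FileSystem("server2:/nfs/users", {"", "jim", "ann", "jane", "joe"})


def build_client_namespace():
    """Reproduce the client's view from the figure with two remote mounts."""
    table = MountTable(CLIENT_ROOT)
    table.mount(SERVER1_PEOPLE, "/usr/students")  # remote mount from Server 1
    table.mount(SERVER2_USERS, "/usr/staff")      # remote mount from Server 2
    return table


if __name__ == "__main__":
    t = build_client_namespace()
    for p in ("/vmunix", "/usr/students/jon", "/usr/staff/ann", "/usr/x"):
        fs, rel = t.resolve(p)
        print(f"{p:20s} -> {fs.name}:{rel or '/'}")
```

For an examiner the point of the exercise is that a path seen on the client says nothing about where the bytes live: "/usr/students/jon" resolves to Server 1, so evidence collection has to follow the mount table to the exporting host rather than imaging only the client's local disk.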
Remote Mounting (Example)

File System Structure (1)
- The file system resides on secondary storage (disks).
- For the implementation, the file system has both on-disk structures and in-memory structures.
- On-disk structures
  - Boot Control Block: contains the information needed by the system to boot from the partition; typically the first block of a partition; also called the boot block (UFS) or partition boot sector (NTFS).
  - Partition Control Block: contains partition details, such as the # and size of blocks in the partition, the free block count and pointers, the free FCB (File Control Block) count, etc.; also called the super-block (UFS) or master file table (NTFS).
  - Directory structure
  - File Control Block (FCB): contains many of the file's details; also called the inode (UFS).

File System Structure (2)
- In-memory structures are used both for file-system management and for performance improvement via caching.
  - The in-memory partition table contains information about each mounted partition.
  - The in-memory directory structure holds the directory information of
  - The system-wide open-file table contains a copy of the FCB of each open file.
  - The per-process open-file table contains a pointer to the appropriate entry in the system-wide open-file table.

In Memory File System Structure
(Figure: open() and read() across the in-memory structures, steps (1) to (7); labels visible in the figure are "search", "locate", "copy", "pointer" and "file descriptor or file handle has current location". Steps (1)-(4) belong to open(): search the directory structure, locate and copy the FCB into the system-wide open-file table, point the per-process open-file table entry at it, and return the file descriptor or file handle. Steps (5)-(7) belong to read(): follow the per-process entry to the system-wide entry and from there to the data blocks on disk.)
In reality, the open system call first searches the system-wide open-file table.
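Worked example added here (not part of the original slides): a simulation of the two open-file tables on the previous two slides, including the behaviour stated in the last sentence (open() checks the system-wide table before going to disk). The "disk" is a constructed dictionary of FCBs with their data blocks, and the class and method names are the example's own.

```python
# Added example, not part of the original slides: a simulation of the
# system-wide and per-process open-file tables described on these slides.
# The on-disk FCB table below is constructed for the demo.
from dataclasses import dataclass

# Constructed "on-disk" FCBs (inodes): path -> size and data blocks.
DISK_FCBS = {
    "/etc/motd": {"size": 11, "blocks": ["hello ", "world"]},
    "/etc/hosts": {"size": 9, "blocks": ["localhost"]},
}


@dataclass
class SystemOpenFile:
    path: str
    fcb: dict            # copy of the on-disk FCB (step 2)
    open_count: int = 0  # how many per-process entries point here


@dataclass
class ProcessOpenFile:
    sys_entry: SystemOpenFile
    offset: int = 0      # the "current location" lives in the per-process entry


class Kernel:
    def __init__(self):
        self.system_table = {}    # path -> SystemOpenFile (system-wide open-file table)
        self.process_tables = {}  # pid -> {fd: ProcessOpenFile} (per-process tables)

    def open(self, pid, path):
        entry = self.system_table.get(path)  # in reality: search the system-wide table first
        if entry is None:
            fcb = DISK_FCBS.get(path)          # (1) search the directory structure on disk
            if fcb is None:
                raise FileNotFoundError(path)
            entry = SystemOpenFile(path, dict(fcb))  # (2) copy the FCB into the system-wide table
            self.system_table[path] = entry
        entry.open_count += 1
        table = self.process_tables.setdefault(pid, {})
        fd = max(table, default=2) + 1             # 0..2 reserved, as in UNIX
        table[fd] = ProcessOpenFile(entry)         # (3) per-process entry -> system-wide entry
        return fd                                  # (4) file descriptor

    def read(self, pid, fd, n):
        pof = self.process_tables[pid][fd]         # (5) index the per-process table
        data = "".join(pof.sys_entry.fcb["blocks"])  # (6),(7) pointer -> FCB -> data blocks
        chunk = data[pof.offset:pof.offset + n]
        pof.offset += len(chunk)                   # each process keeps its own position
        return chunk

    def close(self, pid, fd):
        pof = self.process_tables[pid].pop(fd)
        pof.sys_entry.open_count -= 1
        if pof.sys_entry.open_count == 0:
            del self.system_table[pof.sys_entry.path]  # last closer drops the shared FCB copy

    def open_paths(self):
        """Paths currently held in the system-wide open-file table."""
        return sorted(self.system_table)


if __name__ == "__main__":
    k = Kernel()
    fd_a = k.open(1, "/etc/motd")
    fd_b = k.open(2, "/etc/motd")
    print("shared FCB copies:", k.open_paths(), "count:", k.system_table["/etc/motd"].open_count)
    print("pid 1 reads:", repr(k.read(1, fd_a, 6)), "pid 2 reads:", repr(k.read(2, fd_b, 5)))
```

Two processes opening the same file share one FCB copy in the system-wide table (open_count 2) but read from independent offsets, which is exactly the split the slides describe: file contents and metadata are system-wide, the current position is per-process.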