2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System - PowerPoint PPT Presentation


  1. 2015-2017 (c) P.Pale: Computer Forensics – 2015-10-17 File System Forensics

  2. „A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive information.” (Computer World, 2009)
     http://www.computerworld.com/article/2530795/data-center/survey--40--of-hard-drives-bought-on-ebay-hold-personal--corporate-data.html

  3. „Details of test launch procedures for the THAAD (Terminal High Altitude Area Defense) ground-to-air missile defense system were found on a disk bought on eBay.” (BBC News, 2009)

  4. • The goal of this lecture IS NOT
       ▪ to teach students how to use modern forensic tools and methods
         ◦ although they will be mentioned
     • The goal is to
       ▪ show them forensics on the most basic level,
       ▪ give them an insight into how file systems work,
       ▪ because that is also the foundation of every advanced digital forensic tool
     • In the course of this lecture
       ▪ the basic concepts of the most popular file systems will be explained
       ▪ students will get the knowledge needed to continue with independent file system research

  5. • The student must understand the difference between the decimal, hexadecimal and binary number systems and know how to convert numbers from one number system to another
       ▪ content of the Digital Logic course at FER
     • Differentiate between:
       ▪ Big-endian
         ◦ “network byte order”
         ◦ 2015 (decimal) = 0x07 0xdf
       ▪ Little-endian
         ◦ microprocessors
         ◦ „Intel format”
         ◦ 2015 (decimal) = 0xdf 0x07
     Picture taken from: geekandpoke.typepad.com/.a/6a00d8341d3df553ef01543533e604970c-pi

  6. • The focus of computer forensics is the computer's permanent storage
       ▪ permanent storage keeps data even after the computer is shut down
       ▪ and has no power
         ◦ typically: disks, memory cards, USB flash drives, etc.
     • For the computer to manage the memory and understand the meaning of every single bit:
       ▪ every permanent memory must be formatted
       ▪ with/to a FILE SYSTEM
     • While analyzing file systems, the most common goals are:
       ▪ to find files,
       ▪ to restore lost or deleted files,
       ▪ to discover hidden data

  7. A file system is:
       ▪ an abstraction, a concept
       ▪ an organizational schema for permanent memory
       ▪ it performs the functions of
         ◦ organizing, managing, storing and fetching data
       ▪ it enables the computer to work with files/data
       ▪ it is mostly hierarchically organized

  8. • Sequential file system
     • typical for some (sequential) media:
     [Diagram: files stored one after another, each as file name, file metadata, file data]

  9. • but the media is still partially sequential
     • however, it allows for
       ▪ a hierarchical filesystem

  10. [slide contains only a figure]

  11. Different properties and physical layout

  12. • Most common:
        ▪ Windows: FAT12, FAT16, FAT32, exFAT, NTFS
        ▪ UNIX: ext, ext2, ext3, ext4
      • Other:
        ▪ Mac OS: HFS, HFS+
        ▪ CD/DVD: ISO9660, UDF
        ▪ JFS, ReiserFS, XFS, UFS
        ▪ Google File System, Hadoop Distributed File System
        ▪ etc.

  13. • When the computer is started,
      • it typically looks for some kind of permanent memory
        ▪ usually the hard disk, but it can also be
          ◦ CD/DVD, flash drive, …
      • from which it reads further instructions
        ▪ a computer program
          ◦ to load into memory
          ◦ and run
      • But how does the computer know which file system the memory uses?
      • Where does it look for the startup instructions?

  14. • For the purpose of better organization and easier management, every permanent memory is divided into SECTORS
        ▪ memory chunks of a fixed size of 512 bytes
      • In the first physical sector of the memory, the computer expects the MASTER BOOT RECORD
        ▪ MBR for short

  15. The MBR is 512 bytes and consists of three parts:
      1. Bootstrap code, 446 bytes
      2. Partition table, 4 * 16 bytes = 64 bytes
      3. Boot signature, 2 bytes = 0x55 0xAA
      [Diagram: parts 1, 2, 3 laid out in order (446 bytes | 64 bytes | 2 bytes). This diagram is NOT proportional!]

  16. [Diagram of the MBR layout: Bootstrap code | Partition table | Boot signature]

  17. Part 1: Stage One
      • executable code (program) with the following tasks:
        1. find an active partition
           ◦ by scanning the partition table,
        2. read the first sector of the active partition,
        3. copy the program found there to the working memory and
        4. start the program which was loaded

  18. Part 2: Partition table
      • A partition
        ▪ is one part of the physical disk
          ◦ can be viewed as a logical, smaller disk
        ▪ useful to separate
          ◦ system SW from data, or
          ◦ multiple (different) operating systems,
          ◦ an area for swapping/paging (for the OS), etc.
        ▪ helps if parts of the disk (content) are damaged
      • The MBR has 4 entries for partitions
        ▪ each one 16 bytes long
      • Every partition entry contains fields with data that tell us:
        ▪ is the partition active?
        ▪ with which file system was the partition formatted?
        ▪ on which sector does the partition start?
        ▪ how big is the partition?

  19. • CHS is short for Cylinder – Head – Sector
      • these fields are only relevant if the permanent storage is a hard drive – there are no cylinders and heads on flash memory or SSD disks
      • kept for historical reasons

  20. • Primary partitions (max 4)
      • Extended partition (max 1)
        ▪ extended boot record (EBR)
        ▪ extended partition boot record (EPBR)
      • Its first sector contains the EBR
        ▪ the EBR is similar to the MBR
        ▪ but only the first two partition table entries are used
          ◦ the first describes this logical partition
          ◦ the second describes where the next extended partition starts
            ▫ thus, a linked list of (an unlimited number of) partitions can be created

  21. Part 3: Boot signature
      • at the end of the MBR
      • a field of 2 bytes,
        ▪ always contains the value 0x55 0xAA
      • indicates that the MBR ends there
      • The way to check whether
        ▪ the MBR is there at all
        ▪ and is valid

  22. 1. Only 4 partition entries in the partition table
         ▪ limit the disk to only 4 physical partitions
           ◦ this can be partly solved by creating extended/logical partitions
      2. The field for the partition size in the partition table is 32 bits long, which means that the maximal partition size is 2^32 sectors of 512 bytes, or 2 TiB
      • To counter these potential problems, an alternative to the Master Boot Record was invented:
        ▪ GUID Partition Table (GPT)
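An added example, not from the lecture slides, that puts slides 14 to 22 into code: a Python parser that checks the 0x55 0xAA signature, decodes the little-endian partition entries (the byte order of slide 5), follows the EBR linked list of slide 20 and reports each partition's active flag, type code (slide 24) and absolute start sector. The 64-sector disk image is constructed inline; the extended-partition type codes 0x05/0x0F and the FAT32 code 0x0B are standard values that the slides do not list.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"               # last two bytes of a valid MBR or EBR (slide 21)
EXTENDED = {0x05, 0x0F}              # type codes that point at an EBR chain (standard values, not on the slides)
TYPE_NAMES = {0x07: "NTFS", 0x83: "Linux", 0x0B: "FAT32", 0x05: "Extended", 0x0F: "Extended (LBA)"}

def parse_entry(raw):
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA start, size (little-endian)."""
    status, _chs_start, ptype, _chs_end, start_lba, size = struct.unpack("<B3sB3sII", raw)
    # size is a 32-bit sector count, hence the 2^32 * 512 B = 2 TiB ceiling of slide 22
    return {"active": status == 0x80, "type": ptype, "start": start_lba, "size": size}

def parse_table(sector):
    """Check the boot signature, then return the 4 entries found at offset 446."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        raise ValueError("no 0x55 0xAA boot signature: not a valid MBR/EBR")
    return [parse_entry(sector[446 + 16 * i: 462 + 16 * i]) for i in range(4)]

def list_partitions(image):
    """Walk the MBR primaries and follow any EBR linked list; returns absolute LBAs."""
    found = []
    for e in parse_table(image[:SECTOR]):
        if e["type"] in EXTENDED:
            ext_base = ebr_lba = e["start"]      # entry 1 of every EBR is relative to this
            while True:
                logical, link = parse_table(image[ebr_lba * SECTOR:(ebr_lba + 1) * SECTOR])[:2]
                if logical["type"]:              # entry 0 is relative to the EBR's own sector
                    found.append({**logical, "start": ebr_lba + logical["start"]})
                if not link["type"]:             # empty second entry ends the chain
                    break
                ebr_lba = ext_base + link["start"]
        elif e["type"]:                          # type 0x00 marks an unused slot
            found.append(e)
    return found

def _entry(status, ptype, start, size):          # helper to build a 16-byte entry (CHS fields zeroed)
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, size)

def _table_sector(entries):                      # 446 zero bytes of "boot code" + table + signature
    return bytes(446) + b"".join(entries).ljust(64, b"\0") + BOOT_SIG

def build_sample_image():
    """Constructed 64-sector image: an active NTFS primary plus an extended partition holding two logical volumes."""
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = _table_sector([_entry(0x80, 0x07, 1, 10), _entry(0x00, 0x05, 11, 40)])
    image[11 * SECTOR:12 * SECTOR] = _table_sector([_entry(0, 0x83, 1, 9), _entry(0, 0x05, 10, 20)])
    image[21 * SECTOR:22 * SECTOR] = _table_sector([_entry(0, 0x0B, 1, 19)])
    return bytes(image)
```

Feeding the first 512 bytes of a real drive or image file to parse_table shows the same fields a forensic tool reads before it ever touches the file system itself.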

  23. • new standard that gradually replaces the MBR
        ▪ Linux, Mac OS X, Windows 8.x & 10
      • the name comes from the fact that
        ▪ every partition has a globally unique identifier (GUID)
      • unlike the MBR
        ▪ no restrictions on the number or size of partitions
      • unlike the MBR,
        ▪ which is stored in only one place in the memory,
        ▪ GPT stores copies
          ◦ throughout the whole disk,
          ◦ ensuring the disk's consistency

  24. Second stage
      • Thus, the MBR's boot code
        ▪ looks into the partition table
        ▪ to find the one designated as “active”, bootable
        ▪ which file system was used to format the partition
          ◦ 0x07 = NTFS
          ◦ 0x83 = Linux
          ◦ many codes = FAT
          ◦ http://datarecovery.com/rd/hexadecimal-flags-for-partition-type/
        ▪ and where it is located
          ◦ which sector it starts at
            ▫ counting from the beginning of the disk
        ▪ then again reads the first sector
          ◦ and possibly the next few
      • that program then reads the bootloader
        ▪ looks for the file in the file system
        ▪ and starts that application - the bootloader
      This is where file systems start to differentiate.

  25. • the bootloader
        ▪ completely “understands” the particular file system
      • and looks in it for the operating system kernel
      • loads it into RAM
      • and starts it
