2015-2017 (c) P.Pale: Computer Forensics – File System Forensics (2015-10-17) – PowerPoint PPT Presentation


SLIDE 1

2015-10-17 2015-2017 (c) P.Pale: Computer Forensics – File System Forensics

SLIDE 2

„A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive information.”

(Computer World, 2009)

http://www.computerworld.com/article/2530795/data-center/survey--40--of-hard-drives-bought-on-ebay-hold-personal--corporate-data.html

SLIDE 3

„Details of test launch procedures for the THAAD (Terminal High Altitude Area Defense) ground-to-air missile defense system were found on a disk bought on eBay.”

(BBC News, 2009)

SLIDE 4

  • The goal of this lecture IS NOT
    ▪ to teach students how to use modern forensic tools and methods
      • although they will be mentioned
  • The goal is to
    ▪ show them forensics on the most basic level,
    ▪ give them an insight into how file systems work,
    ▪ because that is also the foundation of every advanced digital forensic tool
  • In the course of this lecture
    ▪ the basic concepts of the most popular file systems will be explained
    ▪ students will get the knowledge needed to continue with independent file system research

SLIDE 5

  • Students must understand the difference between the decimal, hexadecimal and binary number systems and know how to convert numbers from one number system to another
    ▪ content of the Digital Logic course at FER
  • Differentiate between:
    ▪ Big-endian
      • “network byte order”
      • 2015₁₀ = 0x07 0xdf
    ▪ Little-endian
      • microprocessors
      • „Intel format”
      • 2015₁₀ = 0xdf 0x07

Picture taken from: geekandpoke.typepad.com/.a/6a00d8341d3df553ef01543533e604970c-pi

SLIDE 6

  • The focus of computer forensics is the computer's permanent storage
    ▪ permanent storage keeps data even after the computer is shut down and has no power
      • typically: disks, memory cards, USB flash drives, etc.
  • For the computer to manage the memory and understand the meaning of every single bit:
    ▪ every permanent memory must be formatted
    ▪ with/to a FILE SYSTEM
  • While analyzing file systems, the most common goals are:
    ▪ to find files,
    ▪ to restore lost or deleted files,
    ▪ to discover hidden data

SLIDE 7

A file system is:
    ▪ an abstraction, a concept
    ▪ an organizational schema for permanent memory
    ▪ it performs the functions of
      • organizing, managing, storing and fetching data
    ▪ it enables the computer to work with files/data
    ▪ it is mostly hierarchically organized

SLIDE 8

  • Sequential file system
  • typical for some (sequential) media:

[Diagram: a repeated sequence of File name | File metadata | File data, one triple per file]

SLIDE 9

  • but the media is still partially sequential
  • however, it allows for
    ▪ a hierarchical file system

SLIDE 10

SLIDE 11

Different properties and physical layout

SLIDE 12

  • Most common:
    ▪ Windows: FAT12, FAT16, FAT32, exFAT, NTFS
    ▪ UNIX: ext, ext2, ext3, ext4
  • Other:
    ▪ Mac OS: HFS, HFS+
    ▪ CD/DVD: ISO9660, UDF
    ▪ JFS, ReiserFS, XFS, UFS
    ▪ Google File System, Hadoop Distributed File System
    ▪ etc.

SLIDE 13

  • When the computer is started, it typically looks for some kind of permanent memory
    ▪ usually the hard disk, but it can also be
      • CD/DVD, flash drive, …
  • from which it reads further instructions
    ▪ a computer program
      • to load into memory
      • and run
  • But, how does the computer know which file system the memory uses?
  • Where does it look for the startup instructions?

SLIDE 14

  • For better organization and easier management, every permanent memory is divided into SECTORS
    ▪ memory chunks of a fixed size of 512 bytes
  • On the first physical sector of the memory, the computer expects the MASTER BOOT RECORD
    ▪ MBR for short

SLIDE 15

The MBR is 512 bytes and consists of three parts:

  • 1. Bootstrap code, 446 bytes
  • 2. Partition table, 4 * 16 bytes = 64 bytes
  • 3. Boot signature, 2 bytes = 0x55 0xAA

[Diagram: parts 1, 2 and 3 laid out as 446 bytes | 64 bytes | 2 bytes. This diagram is NOT proportional!]

SLIDE 16

[Diagram: Bootstrap code | Partition table | Boot signature]

SLIDE 17

1 Stage One

  • executable code (program) with the following tasks:
    • 1. find an active partition by scanning the partition table,
    • 2. read the first sector of the active partition,
    • 3. copy the program found there to the working memory and
    • 4. start the program which was loaded

SLIDE 18

Part 2: Partition table

  • Partition
    ▪ is one part of the physical disk
      • can be viewed as a logical, smaller disk
    ▪ useful to separate
      • system SW from data or
      • multiple (different) operating systems,
      • an area for swapping/paging (for the OS) etc.
    ▪ helps if parts of the disk (content) are damaged
  • The MBR has 4 entries for partitions
    ▪ each one 16 bytes long
  • Every partition entry contains fields with data that tell us:
    ▪ is the partition active?
    ▪ with which file system the partition was formatted
    ▪ on which sector the partition starts
    ▪ how big the partition is

SLIDE 19

  • CHS is short for Cylinder – Head – Sector
  • these fields are only relevant if the permanent storage is a hard drive
    ▪ no cylinders and heads on flash memory or SSD disks
  • kept for historical reasons
SLIDE 20

  • Primary partitions (max 4)
  • Extended partition (max 1)
    ▪ extended boot record (EBR)
    ▪ extended partition boot record (EPBR)
  • The first sector contains the EBR
    ▪ the EBR is similar to the MBR
    ▪ but only the first two partition table entries are used
      • the first describes this logical partition
      • the second describes where the next extended partition starts
        ▫ thus, a linked list of (an unlimited number of) partitions can be created

SLIDE 21

Part 3: Boot signature

  • at the end of the MBR
  • a field of 2 bytes,
    ▪ always contains the value 0x55 0xAA
  • indicates that the MBR ends there
  • the way to check whether
    ▪ the MBR is there at all
    ▪ and is valid

SLIDE 22

  • 1. Only 4 partition entries in the partition table
    ▪ limit the disk to only 4 physical partitions
      • it can be somewhat solved by creating extended/logical partitions
  • 2. The field for the partition size in the partition table is 32 bits long,
    ▪ which means that the maximal partition size is 2³² sectors of 512 bytes, or 2 TiB
  • To counter these potential problems, an alternative to the Master Boot Record was invented:
    ▪ GUID Partition Table (GPT)
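The structures described on slides 14 to 22 (512-byte sectors, the 446/64/2 split of the MBR, little-endian fields in each 16-byte partition entry, the 0x55 0xAA signature and the EBR linked list) can be checked with a few lines of Python. The following parser is an added example and not part of the lecture; the disk image it reads is constructed in the file (a 64-sector "disk" with one primary NTFS partition and an extended partition holding two logical partitions), the function names are the author's own, and the type-code table uses the codes given on the slides (0x07, 0x83, 0x04/0x06, 0x0B/0x0C) plus the two extended-partition codes 0x05 and 0x0F, which the slides do not list.

```python
"""Parse an MBR and walk an extended-partition (EBR) chain.

Added example, not from the lecture. The disk image is constructed below;
offsets and field widths are those of the classic MBR layout.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"

# Type codes from the slides plus the extended-partition codes 0x05/0x0F (assumed here).
TYPE_NAMES = {
    0x04: "FAT16 (<32 MB)", 0x06: "FAT16", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x05: "Extended", 0x0F: "Extended (LBA)", 0x07: "NTFS", 0x83: "Linux",
}
EXTENDED_TYPES = {0x05, 0x0F}


def parse_entry(raw):
    """Decode one 16-byte entry: status(1) CHS(3) type(1) CHS(3) LBA start(4) sectors(4).

    The two 32-bit fields are little-endian ("Intel format", slide 5), hence "<".
    """
    status, _chs_start, ptype, _chs_end, lba, nsect = struct.unpack("<B3sB3sII", raw)
    return {"active": status == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown 0x%02x" % ptype),
            "lba_start": lba, "sectors": nsect}


def parse_boot_record(sector):
    """Validate the 0x55 0xAA signature (slide 21) and return the four table entries."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        raise ValueError("missing boot signature: not a valid MBR/EBR")
    table = sector[446:510]
    return [parse_entry(table[i * 16:(i + 1) * 16]) for i in range(4)]


def list_partitions(image):
    """Primary partitions plus every logical partition reached by walking the EBR chain.

    In an EBR, entry 0 is the logical partition (start relative to the EBR sector) and
    entry 1 points to the next EBR (start relative to the extended partition), slide 20.
    """
    result = []
    for e in parse_boot_record(image[:SECTOR]):
        if e["type"] == 0:
            continue
        if e["type"] not in EXTENDED_TYPES:
            result.append(dict(e, kind="primary"))
            continue
        ext_base = ebr_lba = e["lba_start"]
        seen = set()
        while ebr_lba not in seen:              # guard against a looping chain
            seen.add(ebr_lba)
            ebr = parse_boot_record(image[ebr_lba * SECTOR:(ebr_lba + 1) * SECTOR])
            logical, link = ebr[0], ebr[1]
            if logical["type"] == 0:
                break
            result.append(dict(logical, lba_start=ebr_lba + logical["lba_start"],
                               kind="logical"))
            if link["type"] == 0:
                break
            ebr_lba = ext_base + link["lba_start"]
    return result


def max_mbr_partition_bytes():
    """The 32-bit sector count caps an MBR partition at 2**32 sectors of 512 bytes (2 TiB)."""
    return 2 ** 32 * SECTOR


# --- constructed sample disk --------------------------------------------------
def _entry(status, ptype, lba, nsect):
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, nsect)


def build_sample_image():
    img = bytearray(64 * SECTOR)
    # MBR: entry 0 = active NTFS primary (sector 1, 9 sectors); entry 1 = extended at 10
    img[446:478] = _entry(0x80, 0x07, 1, 9) + _entry(0x00, 0x0F, 10, 40)
    img[510:512] = BOOT_SIG
    # EBR #1 at sector 10: Linux logical at +1 (9 sectors), next EBR at ext_base + 20
    img[10 * SECTOR + 446:10 * SECTOR + 478] = _entry(0, 0x83, 1, 9) + _entry(0, 0x05, 20, 20)
    img[10 * SECTOR + 510:10 * SECTOR + 512] = BOOT_SIG
    # EBR #2 at sector 30: FAT32 logical at +1 (9 sectors), entry 1 empty = end of chain
    img[30 * SECTOR + 446:30 * SECTOR + 462] = _entry(0, 0x0B, 1, 9)
    img[30 * SECTOR + 510:30 * SECTOR + 512] = BOOT_SIG
    return bytes(img)


if __name__ == "__main__":
    for p in list_partitions(build_sample_image()):
        print(p["kind"], p["type_name"], "start", p["lba_start"], "sectors", p["sectors"],
              "active" if p["active"] else "")
```

Running the script lists the primary NTFS partition followed by the two logical partitions at absolute sectors 11 and 31; on a real image the same function is fed the first 512 bytes of the device and the EBR sectors it points to. The `seen` set matters in practice: a damaged or deliberately crafted EBR chain that points back at itself would otherwise loop forever.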

SLIDE 23

  • a new standard that gradually replaces the MBR
    ▪ Linux, Mac OS X, Windows 8.x & 10
  • the name comes from the fact that
    ▪ every partition has a globally unique identifier (GUID)
  • unlike the MBR
    ▪ no restrictions on the number or size of partitions
  • unlike the MBR
    ▪ which is stored in only one place in the memory,
    ▪ GPT stores copies
      • throughout the whole disk,
      • ensuring the disk consistency

SLIDE 24

Second stage

This is where file systems start to differentiate

  • Thus, the MBR's boot code
    ▪ looks into the partition table
    ▪ to find the one designated as “active”, bootable
    ▪ which file system was used to format the partition
      • 0x07 = NTFS
      • 0x83 = Linux
      • many codes = FAT
    ▪ and where it is located
      • which sector it starts at
        ▫ counting from the beginning of the disk
    ▪ then again reads the first sector
      • and possibly the next few
      • that program then reads the bootloader
    ▪ looks for the file in the file system and starts that application – the bootloader

http://datarecovery.com/rd/hexadecimal-flags-for-partition-type/

SLIDE 25

  • bootloader
    ▪ completely “understands” the particular file system
      • and looks in it for the operating system kernel
      • loads it into RAM
      • and starts it

SLIDE 26

  • multiple partitions CAN BE bootable
    ▪ but only one partition is marked as bootable/active
  • the bootloader in that active/bootable partition
    ▪ is (re)designed so that it can boot any OS
      • LILO or GRUB or NTLDR
    ▪ usually in Linux
      • comes with the distribution
      • it detects all bootable OSes on the disk
      • asks the user which one to load
      • then loads the bootloader from the chosen partition
      • and runs it – boots the OS

SLIDE 27

  • Acronis OS Selector
  • AiR-Boot
  • AKernelLoader
  • Barebox
  • Boot Camp
  • BootIt Bare Metal
  • BootKey
  • BootManager
  • BootX (Apple)
  • BootX (Linux)
  • Darwin Boot Loader
  • Das U-Boot
  • FreeLoader
  • GAG
  • GNU GRUB
  • GRUB Legacy
  • GRUB4DOS
  • Gujin
  • iBoot
  • LILO
  • loadlin
  • MasterBooter
  • NTLDR
  • OSL2000 Boot Manager
  • PLoP Bootmanager
  • RedBoot
  • rEFInd
  • Smart Boot Manager
  • SPFdisk
  • SYSLINUX
  • systemd-boot / Gummiboot
  • Windows Boot Manager
  • XOSL
SLIDE 28

SLIDE 29

SLIDE 30

FAT16, FAT32, NTFS, ext2, ext3

SLIDE 31

Full name: 16-bit File Allocation System
Affiliation: DOS/Windows
Year of occurrence: 1984
MBR identifier: 0x04, 0x06

Pros:

  • Best portability among file systems
  • Easy to restore deleted files

Cons:

  • Partition size limited to 4 GB
  • Largest possible file size 4 GB (minus 1 byte)
  • Easy to restore deleted files (?!)
  • No control over user file access
  • Limited number of root directory entries (512)

Bio: File system developed by Microsoft. Its predecessors were the 8-bit and 12-bit versions. Its main features are simplicity and robustness. It is compatible with almost every other file system. On FAT16, memory is divided into sector groups called clusters. The name of this file system comes from the table that is used to allocate clusters to files.

SLIDE 32

Full name: 32-bit File Allocation System
Affiliation: DOS/Windows
Year of occurrence: 1996
MBR identifier: 0x0B, 0x0C

Pros:

  • Good portability between platforms
  • No 4 GB limit for the partition size (unlike the FAT16 version)

Cons:

  • Partition size is limited to 2 TB
  • Largest possible file size 4 GB (minus 1 byte)
  • No control over user file access

Bio: A newer file system from the FAT family, created after the FAT16 system. The maximum partition size has grown, together with the maximum number of entries in the root directory. FAT32 is considered 10-15 % more efficient in memory usage than the FAT16 system.

SLIDE 33

The FAT16 file system consists of:

  • 1. Boot sector
  • 2. File allocation table (FAT)
  • 3. Root directory
  • 4. Clusters containing data

[Diagram: regions 1, 2, 3 and 4 laid out in that order on the disk]

SLIDE 34

1 Boot sector

  • Jump instruction
    ▪ the instruction EB 3C 90 is translated to:
      |JUMP TO| OFFSET 3C | NO OPERATION|
    ▪ the processor jumps to the beginning of the executable boot code
  • OEM name
  • BIOS parameter block
    ▪ key data about the partition
      • number of bytes per sector,
      • number of sectors per cluster,
      • number of reserved sectors
      • etc.
  • Executable boot code
  • Signature
    ▪ 0xAA55

SLIDE 35

3 Root directory

  • a sector (or multiple sectors) which contains 32-bit entries about the files stored in the root directory
  • the entries contain information like:
    ▪ file name,
    ▪ file extension
      • for example: .txt, .pdf, .rar
    ▪ time
      • of creation,
      • of last access,
      • of last modification
    ▪ memory location on the disk and
    ▪ file size

SLIDE 36

2 File allocation table

  • the table has an entry for every cluster on the disk that contains data
  • every cluster has a pointer to the next cluster in the file
    ▪ or to the end-of-file indicator (0xFFFF mark)
  • the table can be duplicated (redundancy!); the number of copies is stored in the boot sector
  • Example: 3 different files occupying 7 clusters:

[Diagram: FAT entries chaining the clusters of the three files]

SLIDE 37

4 Clusters containing data

  • they are located on the disk immediately after the root directory
  • information is stored in clusters
    ▪ several consecutive disk sectors
  • the cluster size is defined in the boot sector (e.g. 64 kB)
    ▪ at offset 0x0D
    ▪ in number of disk sectors (512 bytes each)
      • 1, 2, 4, 8, 16, 32, 64, 128
  • the cluster is the smallest unit of storage (granulation)
    ▪ thus, if the file size is only 10 kB, it will still occupy the entire cluster
      • for example 64 kB
      • creates the problem of unused space
    ▪ the possibility to hide information there!
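Slides 33 to 37 describe the FAT16 regions, the BPB fields at fixed offsets in the boot sector (sectors per cluster at 0x0D), the cluster chains terminated by 0xFFFF and the slack space left in a partly used cluster. The following Python is an added example, not code from the lecture: it decodes the BPB from a constructed boot sector, computes where the FAT, root directory and data region begin (each root directory entry occupies 32 bytes, which is what the data-region offset depends on), follows the chains of the slide-36 layout (three files in seven clusters) and measures the slack of a file. The BPB offsets used (0x0B bytes/sector, 0x0D sectors/cluster, 0x0E reserved sectors, 0x10 FAT copies, 0x11 root entries, 0x16 sectors per FAT) are those of the FAT16 on-disk format; the sample FAT contents and function names are the author's own.

```python
"""Read a FAT16 BPB, follow cluster chains and measure cluster slack.

Added example, not from the lecture. Boot sector and FAT are constructed here:
512-byte sectors, 4 sectors per cluster (2 KiB clusters), 1 reserved sector,
2 FAT copies of 1 sector each, 512 root entries, three files in 7 clusters.
"""
import struct

JUMP = b"\xEB\x3C\x90"     # the jump instruction from slide 34
EOC = 0xFFF8               # FAT16 end-of-chain marks are 0xFFF8..0xFFFF (slide: 0xFFFF)


def parse_bpb(boot):
    """Decode the BPB fields named on slide 34 from a FAT16 boot sector."""
    if boot[0:3] != JUMP or boot[510:512] != b"\x55\xAA":
        raise ValueError("not a FAT boot sector")
    bps, spc, reserved, nfats, root_entries, _total16, _media, spf = \
        struct.unpack_from("<HBHBHHBH", boot, 0x0B)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "fat_copies": nfats,
            "root_entries": root_entries, "sectors_per_fat": spf,
            "oem_name": boot[3:11].decode("ascii", "replace").rstrip()}


def region_offsets(bpb):
    """Byte offsets of the FAT, root directory and data region (slide 33)."""
    bps = bpb["bytes_per_sector"]
    fat_start = bpb["reserved_sectors"] * bps
    root_start = fat_start + bpb["fat_copies"] * bpb["sectors_per_fat"] * bps
    data_start = root_start + bpb["root_entries"] * 32   # 32 bytes per directory entry
    return {"fat": fat_start, "root_dir": root_start, "data": data_start}


def cluster_chain(fat, first):
    """Follow 16-bit FAT entries from `first` until an end-of-chain mark (slide 36)."""
    chain, cur, seen = [], first, set()
    while 2 <= cur < EOC and cur not in seen:   # `seen` stops a corrupted, looping chain
        seen.add(cur)
        chain.append(cur)
        cur = struct.unpack_from("<H", fat, cur * 2)[0]
    return chain


def cluster_offset(bpb, offsets, cluster):
    """Data clusters are numbered from 2; cluster 2 is the first one after the root dir."""
    cluster_bytes = bpb["sectors_per_cluster"] * bpb["bytes_per_sector"]
    return offsets["data"] + (cluster - 2) * cluster_bytes


def slack_bytes(bpb, file_size):
    """Unused bytes in the file's last cluster, where data may hide (slide 37)."""
    cluster_bytes = bpb["sectors_per_cluster"] * bpb["bytes_per_sector"]
    return (-file_size) % cluster_bytes


# --- constructed sample -------------------------------------------------------
def build_boot_sector():
    boot = bytearray(512)
    boot[0:3] = JUMP
    boot[3:11] = b"MSWIN4.1"
    # bytes/sector, sectors/cluster, reserved, FAT copies, root entries,
    # total sectors (16-bit, unused here), media byte, sectors per FAT
    struct.pack_into("<HBHBHHBH", boot, 0x0B, 512, 4, 1, 2, 512, 0, 0xF8, 1)
    boot[510:512] = b"\x55\xAA"
    return bytes(boot)


def build_fat():
    """Three files in 7 clusters: A = 2->3->5, B = 4->7, C = 6->8."""
    fat = bytearray(512)
    struct.pack_into("<HH", fat, 0, 0xFFF8, 0xFFFF)          # reserved entries 0 and 1
    links = {2: 3, 3: 5, 5: 0xFFFF, 4: 7, 7: 0xFFFF, 6: 8, 8: 0xFFFF}
    for cluster, nxt in links.items():
        struct.pack_into("<H", fat, cluster * 2, nxt)
    return bytes(fat)


if __name__ == "__main__":
    bpb = parse_bpb(build_boot_sector())
    off = region_offsets(bpb)
    fat = build_fat()
    for first in (2, 4, 6):
        chain = cluster_chain(fat, first)
        print("file starting at cluster", first, "->", chain,
              "bytes", [cluster_offset(bpb, off, c) for c in chain])
    print("slack of a 5000-byte file:", slack_bytes(bpb, 5000), "bytes")
```

With a real image, `parse_bpb` is given the first 512 bytes of the partition and `build_fat` is replaced by reading `sectors_per_fat` sectors from `offsets["fat"]`; comparing the first FAT copy with the second is a cheap consistency check that also reveals entries someone altered in only one copy.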

SLIDE 38

Full name: New Technology File System
Affiliation: Windows
Year of occurrence: 1993
MBR identifier: 0x07

Pros:

  • No file size limit like FAT
  • More efficient at space management than the FAT32 system
  • NTFS implements a journaling system that prevents data corruption

Cons:

  • Incompatible with some programs and systems
  • Some new features are „too much” for certain disk types

Bio: Another file system created by Microsoft with the intention to fix some deficiencies of the FAT file system, like the file size limit, lack of security and lack of a journaling system. Despite all of that, some of the features of NTFS are redundant on certain disk types (i.e. flash disks) and in those cases are not considered an improvement.

SLIDE 39

  • designed to quickly perform read, write and search on very large disks
  • 1. Partition boot sector
  • 2. MFT = Master File Table
  • 3. File area
    ▪ everything in NTFS is a file
    ▪ NTFS was designed as a database
    ▪ Microsoft's documentation says: "The MFT is a relational database that consists of rows of file records and columns of file attributes. It contains at least one entry for every file on an NTFS volume, including the MFT itself."

[Diagram: regions 1, 2 and 3 laid out in that order on the volume]

SLIDE 40

1 Partition boot sector

  • 1. Partition boot sector
    ▪ similar to the boot sector in the FAT file system
    ▪ the BPB (BIOS parameter block) and extended BPB contain fields that define:
      • number of bytes per sector, number of sectors per cluster, number of reserved sectors, total number of sectors etc.
  • But, most importantly, it contains the location of the Master File Table (MFT)

e.g. Total number of sectors (0x023489 = 144521 bytes = 70 MB)
Location of MFT (0x1785 = cluster 6021)
All field descriptions available on: http://ntfs.com/ntfs-partition-boot-sector.htm

SLIDE 41

2 Master File Table (MFT)

    ▪ each file on an NTFS volume is represented by a record
      • records are stored in the MFT
      • the record size is variable (usually 1024 bytes)
    ▪ if the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file
    ▪ if the file is small enough, it can be stored inside the MFT record, under the ‘data attribute’ field
    ▪ large files will have their data stored as external attributes

SLIDE 42

  • when a file is deleted in NTFS, it is marked as deleted within the MFT record for that file
  • example:
    ▪ file record, before and after the file was deleted:
      • 2 bytes at offset 22 show that the file is deleted
    ▪ i.e. bytes 22 and 23 of the MFT entry

[Hex dumps of the record: BEFORE: / AFTER:]
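Slides 40 to 42 give enough to locate the MFT from the boot sector and to read the deletion mark in a record: the MFT start cluster and the BPB geometry fix the MFT's byte offset, and the 16-bit flags word at offset 22 of a record has bit 0 set while the file is in use and cleared once it is deleted (bit 1 marks a directory). The Python below is an added example, not the lecture's code; the boot sector and the 1024-byte records are constructed in the file, using the slide-40 values (0x023489 total sectors, MFT at cluster 0x1785). The offsets assumed are those of the NTFS on-disk format: in the boot sector, bytes/sector at 0x0B, sectors/cluster at 0x0D, total sectors at 0x28 and the MFT start cluster at 0x30; in a record, the "FILE" signature at 0 and the flags at 22. Real records also carry an update-sequence array whose fixup values overwrite the last two bytes of each 512-byte sector; the flags at offset 22 lie before any fixup position, so the example reads them without applying fixups.

```python
"""Locate the MFT from an NTFS boot sector and classify records by their flags.

Added example, not from the lecture. All structures are constructed below.
"""
import struct

FLAG_IN_USE = 0x0001       # bit 0 of the flags word at record offset 22
FLAG_DIRECTORY = 0x0002    # bit 1


def parse_ntfs_boot(boot):
    """Geometry and MFT location from the BPB / extended BPB (slide 40)."""
    if boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", boot, 0x0B)
    total_sectors, mft_cluster = struct.unpack_from("<QQ", boot, 0x28)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total_sectors, "mft_cluster": mft_cluster,
            "mft_offset": mft_cluster * spc * bps,        # byte offset of record 0
            "volume_bytes": total_sectors * bps}


def record_status(record):
    """Read the 2-byte flags at offset 22 (bytes 22 and 23 on slide 42)."""
    if record[0:4] != b"FILE":
        raise ValueError("not an MFT file record")
    flags = struct.unpack_from("<H", record, 22)[0]
    return {"in_use": bool(flags & FLAG_IN_USE),
            "directory": bool(flags & FLAG_DIRECTORY),
            "deleted": not flags & FLAG_IN_USE}


def find_deleted_records(mft, record_size=1024):
    """Indexes of records that still carry a FILE header but are no longer in use."""
    deleted = []
    for i in range(len(mft) // record_size):
        rec = mft[i * record_size:(i + 1) * record_size]
        if rec[0:4] == b"FILE" and record_status(rec)["deleted"]:
            deleted.append(i)
    return deleted


# --- constructed sample -------------------------------------------------------
def build_boot_sector():
    boot = bytearray(512)
    boot[0:3] = b"\xEB\x52\x90"
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HB", boot, 0x0B, 512, 8)                # 512 B sectors, 8 per cluster
    struct.pack_into("<QQ", boot, 0x28, 0x023489, 0x1785)      # values from slide 40
    boot[510:512] = b"\x55\xAA"
    return bytes(boot)


def build_record(flags):
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 22, flags)
    return bytes(rec)


def build_mft():
    """Record 0 in use, record 1 deleted (flags cleared), record 2 an in-use directory."""
    return (build_record(FLAG_IN_USE) + build_record(0x0000)
            + build_record(FLAG_IN_USE | FLAG_DIRECTORY))


if __name__ == "__main__":
    geom = parse_ntfs_boot(build_boot_sector())
    print("MFT starts at cluster %d, byte offset %d" % (geom["mft_cluster"], geom["mft_offset"]))
    print("deleted records:", find_deleted_records(build_mft()))
```

On a real volume the same scan is run over the bytes starting at `mft_offset`; records flagged not in use are the first candidates for recovery, because their attributes (name, timestamps, data runs) are still in place until the record is reused.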

SLIDE 43

Full name: extended file system 2
Affiliation: Unix
Year of occurrence: 1993
MBR identifier: 0x83

Pros:

  • Limitations on the maximal file and partition size are much less restrictive than those on FAT systems (up to 2 TB for files and 32 TB for partitions)

Cons:

  • The Windows operating system can't recognize ext file systems without additional drivers
  • No journaling system

Bio: Created by Rémy Card for the Linux operating system as an improvement over the ext file system. Ext2 is not natively supported on Windows OS. It is easy to recover deleted files.

SLIDE 44

Full name: extended file system 3
Affiliation: Unix
Year of occurrence: 2001
MBR identifier: 0x83

Pros:

  • Limitations on the maximal file and partition size are much less restrictive than those on FAT systems (up to 2 TB for files and 32 TB for partitions)
  • Journaling system

Cons:

  • The Windows operating system can't recognize ext file systems without additional drivers
  • Deleted files are often unrecoverable

Bio: Created by Stephen Tweedie for the Linux operating system as an improvement over the ext2 file system. The ext3 structure is very similar to the ext2 file system structure. The core differences are the file deletion mechanism and the journaling system that ext3 introduces.

SLIDE 45

  • the structure of all ext file systems is similar
    ▪ ext, ext2, ext3, ext4

SLIDE 46

  • the concept of all ext file systems is based on:
    ▪ blocks,
    ▪ block groups and
    ▪ inodes
  • BLOCK =
    ▪ basic memory storage unit
    ▪ consisting of a certain number of sectors
      • can be 1, 2, 4 or 8 kB in size
  • BLOCK GROUP – multiple blocks merged into a logical unit

SLIDE 47

[Diagram: layout of one block group: 1 Superblock | 2 Block group descriptor | 3 Data block bitmap | 4 Inode bitmap | 5 Inode table | 6 Data blocks]

SLIDE 48

1 Superblock

  • equivalent to the boot sector in FAT systems
  • the original is stored at the beginning of the partition, in the first block group
    ▪ and every other block group holds its copy (redundancy!)
  • contains basic data about the partition like:
    ▪ total number of inodes,
    ▪ total number of blocks,
    ▪ total number of free inodes and free blocks,
    ▪ block size,
    ▪ number of blocks in one block group etc.

SLIDE 49

2 Block group descriptor

  • the first block in the block group after the superblock
  • it contains fields that define:
    ▪ the location of the data block bitmap,
    ▪ the location of the inode bitmap,
    ▪ the location of the inode table

SLIDE 50

3 Data block bitmap
    ▪ an array of bytes where every BIT represents one block:
      • if the bit is set to 0, the block is free,
      • if the bit is set to 1, the block is occupied
    ▪ equivalent to the file allocation table in FAT file systems

4 Inode bitmap
    ▪ same idea as the data block bitmap
    ▪ instead of blocks, it refers to inodes

5 Inode table
    ▪ contains all inodes for a block group

SLIDE 51

5 Inode

  • the main data structure of the ext system
  • every object in the ext file system is represented with the corresponding index node
  • the default inode size is 128 bytes
  • contains fields that define:
    ▪ what this inode represents
      • file, directory, device, pipe
    ▪ the size of the object [in bytes]
    ▪ last change, access, data modification & deletion time
    ▪ the user and group it belongs to
    ▪ permission attributes (read, write, execute)
    ▪ an array of pointers to the blocks where the object content is stored
  • the index node DOES NOT contain
    ▪ the file content
    ▪ the file name

SLIDE 52

SLIDE 53

  • this picture illustrates an index node of a file stored on an ext file system
  • deleting files is very different on ext2 and ext3/4 file systems
  • the next two slides explain the file deletion process on ext2 and ext3 file systems

SLIDE 54

  • after the file is deleted
    ▪ the bits representing the occupied blocks in the bitmaps are changed from 1 to 0
  • the inode content stays intact
  • so it is easy to restore the deleted file by referring to the values in the inode
  • of course, this is only possible if
    ▪ the file content has not already been overwritten with new data

SLIDE 55

  • after the file is deleted, the bits representing the occupied blocks in the bitmaps are changed from 1 to 0
  • in addition, the data block pointers and the file size field are also changed to 0
  • the file content still exists on the disk, but it seems impossible to connect it into a coherent and meaningful entity
  • because of this feature, files on ext3/ext4 are usually considered unrecoverable

SLIDE 56

Despite the facts stated on the last slide, there are ways to restore files deleted on ext3/ext4 file systems:

  • 1. Plain text search
    ▪ a method that can be used in any other file system as well
    ▪ the program looks for distinct words in the memory
    ▪ if the file was written to the memory in plain text
      • e.g. .txt, .html, .cpp, .java
    ▪ the memory analysis program will be able to find file traces using keywords
      • words which the user knows appeared in the plain text file
    ▪ but, if the file is not in plain text (i.e. .rar, .pdf, .doc) or is a picture, plain text search will be useless
    ▪ also, this method won't be able to assemble the file if it was spread over multiple blocks
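The plain text search of slide 56, including both of its limits, can be demonstrated in a few lines. The following Python is an added example and not part of the lecture: it scans a raw image for keywords and reports the block numbers where they occur, then shows that a compressed copy of the same text is never found and that hits in two non-adjacent blocks do not by themselves say in which order the fragments belong. The image, the memo text and the function names are all the author's own constructions.

```python
"""Keyword search over a raw image, reporting the blocks that hold each hit.

Added example, not from the lecture. The image is constructed below: 4 KiB
blocks, a deleted text file whose two fragments sit in blocks 3 and 7, and a
zlib-compressed copy of similar text in block 10.
"""
import zlib

BLOCK = 4096


def keyword_hits(image, keywords, block_size=BLOCK):
    """Map each keyword to the sorted list of block numbers containing it.

    Only raw bytes are compared, so hits come from plain-text content
    (.txt/.html/.cpp), never from compressed or binary formats (slide 56).
    """
    hits = {}
    for kw in keywords:
        needle = kw.encode()
        found = set()
        pos = image.find(needle)
        while pos != -1:
            found.add(pos // block_size)
            pos = image.find(needle, pos + 1)
        hits[kw] = sorted(found)
    return hits


def carve_blocks(image, blocks, block_size=BLOCK):
    """Join candidate blocks (zero padding stripped) in the order given.

    The search cannot tell which order the fragments originally had; the
    analyst has to decide that from the content, which is the second limit
    named on slide 56.
    """
    return b"".join(image[b * block_size:(b + 1) * block_size].rstrip(b"\0") for b in blocks)


def build_sample_image():
    img = bytearray(16 * BLOCK)
    part1 = b"CONFIDENTIAL memo, Q3 draft.\nThe revenue figures are attached in "
    part2 = b"the second part: revenue grew by 4 percent.\n"
    img[3 * BLOCK:3 * BLOCK + len(part1)] = part1          # fragment 1, block 3
    img[7 * BLOCK:7 * BLOCK + len(part2)] = part2          # fragment 2, block 7
    packed = zlib.compress(b"CONFIDENTIAL memo " * 4)      # not plain text any more
    img[10 * BLOCK:10 * BLOCK + len(packed)] = packed
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print(keyword_hits(image, ["CONFIDENTIAL", "revenue"]))
    print(carve_blocks(image, [3, 7]).decode())
```

The same function, pointed at a device or image file read in one piece, gives the block numbers to inspect in a hex editor; for larger images the scan is done window by window with an overlap of at least the keyword length so that a word straddling two reads is not missed.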

SLIDE 57

  • 2. Journaling
  • a feature of ext3/ext4 systems that is used by many file recovery programs (e.g. extundelete)
  • the system writes the log by recording every change that has happened in the inodes, for the purpose of protecting the data in the case of a system failure
  • three journal operation modes:
    ▪ Journal (both the data and the metadata of altered files are stored)
    ▪ Write Back (only metadata is stored)
    ▪ Ordered (a compromise between the two options: only metadata is stored, but changes are first written to the journal and then to the disk)

SLIDE 58

  • a method used to keep disk data consistent
  • can be used in forensic analysis
  • when the file is deleted
    ▪ the data pointers in the index node are set to zero, so the file content is unreachable
  • however
    ▪ if we find that exact index node in the journal and read the pointer values
    ▪ we will know where (in which blocks) the file content is stored
  • shortcomings of the journaling system:
    ▪ filling the journal starts from the beginning every time the disk is unmounted and mounted
    ▪ the journal works like a circular list
      • when it is full, the oldest data is overwritten with new data
    ▪ the journal size is limited to 400 MiB (102 400 blocks)
  • file recovery using the journal has to be done soon after the deletion, because the journal entries will most likely get overwritten soon
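Slides 50, 54, 55 and 58 together describe one mechanism: the block bitmap with one bit per block, the ext2 deletion that clears those bits but leaves the inode's pointers intact, the ext3 deletion that also zeroes the pointers and size, and recovery from an older copy of the inode in the journal, which only works until the circular journal wraps or the blocks are reused. The Python below is an added example, not the lecture's code, that models exactly that behaviour on an in-memory volume; it is not the real ext on-disk format (the `Volume` class, its inode dictionaries and the journal as a bounded list are the author's simplification), but every step in it corresponds to a statement on those slides.

```python
"""Model ext2 vs ext3 deletion and recovery from the inode or the journal.

Added example, not from the lecture. Simplified in-memory volume: 1 KiB
blocks, a block bitmap (one bit per block), inodes as dicts, and a journal
that keeps the most recent copies of changed inodes and drops the oldest
when it is full (the circular behaviour from slide 58).
"""
import copy

BLOCK_SIZE = 1024


def bit_is_set(bitmap, n):
    """Slide 50: bit n is 1 when block n is occupied, 0 when it is free."""
    return (bitmap[n // 8] >> (n % 8)) & 1 == 1


def set_bit(bitmap, n, value):
    if value:
        bitmap[n // 8] |= 1 << (n % 8)
    else:
        bitmap[n // 8] &= ~(1 << (n % 8)) & 0xFF


class Volume:
    def __init__(self, nblocks, journal_limit=4):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(nblocks)]
        self.block_bitmap = bytearray((nblocks + 7) // 8)
        self.inodes = {}
        self.journal = []                 # list of (inode number, inode copy)
        self.journal_limit = journal_limit

    def _journal(self, ino):
        self.journal.append((ino, copy.deepcopy(self.inodes[ino])))
        if len(self.journal) > self.journal_limit:
            self.journal.pop(0)           # full: the oldest entry is overwritten

    def write_file(self, ino, data):
        free = [b for b in range(len(self.blocks)) if not bit_is_set(self.block_bitmap, b)]
        need = -(-len(data) // BLOCK_SIZE)
        ptrs = free[:need]
        if len(ptrs) < need:
            raise OSError("no space left")
        for i, b in enumerate(ptrs):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[b][:len(chunk)] = chunk
            set_bit(self.block_bitmap, b, 1)
        self.inodes[ino] = {"size": len(data), "blocks": ptrs, "dtime": 0}
        self._journal(ino)

    def delete_ext2(self, ino):
        """Slide 54: bitmap bits 1 -> 0, inode content otherwise intact."""
        inode = self.inodes[ino]
        for b in inode["blocks"]:
            set_bit(self.block_bitmap, b, 0)
        inode["dtime"] = 1

    def delete_ext3(self, ino):
        """Slide 55: like ext2, but the block pointers and size are zeroed too."""
        self.delete_ext2(ino)
        self.inodes[ino].update(size=0, blocks=[])
        self._journal(ino)                # the zeroed inode is journaled as well

    def read_by_inode(self, inode):
        """Follow the inode's pointers; returns b"" once the pointers are zeroed."""
        data = b"".join(bytes(self.blocks[b]) for b in inode["blocks"])
        return data[:inode["size"]]

    def recover_from_journal(self, ino):
        """Slide 58: newest journal copy of the inode that still has pointers."""
        for j_ino, inode in reversed(self.journal):
            if j_ino == ino and inode["blocks"]:
                return self.read_by_inode(inode)
        return None


if __name__ == "__main__":
    v = Volume(16, journal_limit=3)
    v.write_file(11, b"A" * 1500)
    v.delete_ext2(11)
    print("ext2 recovery via inode:", v.read_by_inode(v.inodes[11])[:8])
    v.write_file(13, b"C" * 3000)
    v.delete_ext3(13)
    print("ext3 via inode:", v.read_by_inode(v.inodes[13]))
    print("ext3 via journal:", v.recover_from_journal(13)[:8])
```

The tail of the scenario is the part worth remembering: once the freed blocks are handed to a new file, the ext2 recovery returns the new file's bytes, and a few more inode changes push the useful journal copy out of the bounded journal, after which `recover_from_journal` returns `None`. That is the reason slide 58 insists on recovering soon after deletion and, in practice, on imaging the volume before doing anything else.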

SLIDE 59

HxD

  • a fast, robust and versatile hex editor for the Windows platform
  • freeware, download and usage are free
  • installation is not necessary,
    ▪ available as both a portable and an installable edition
  • Features:
    ▪ disk and memory editing,
    ▪ memory search,
    ▪ checksum generator,
    ▪ file shredding,
    ▪ file comparison,
    ▪ data export to separate files etc.

http://mh-nexus.de/en/hxd/

SLIDE 60

The Sleuth Kit

  • one of the most popular tools for digital forensics
  • freeware, open source
  • available for:
    ▪ Windows, UNIX and OS X platforms
  • Features:
    ▪ keyword searching,
    ▪ hash filtering,
    ▪ web artifact extraction (i.e. cookies),
    ▪ browser history extraction,
    ▪ reconstruction and export of deleted files
    ▪ etc.

http://www.sleuthkit.org/

SLIDE 61

SLIDE 62

  • every system deletes files differently:
    ▪ FAT, ext2
      • data recovery is very simple and easy
    ▪ ext3, ext4
      • low probability of successful file recovery
    ▪ what about NTFS & other file systems?

SLIDE 63

  • disk state
    ▪ before the format,
    ▪ after a quick format and
    ▪ after a normal format
  • Is formatting safe?
  • Format vs. zero-fill?
  • Data recovery after the zero-fill method?
  • the next few slides display different formatting types
    ▪ with a 4 GB USB flash drive on Win7

SLIDE 64

[Hex dumps of the disk before the format: boot block, file allocation table, root directory, a random file on the disk]

SLIDE 65

[Hex dumps of the disk after a quick format: boot block, file allocation table, root directory, a random file on the disk; zeroed areas marked. Time required: ~ 3 seconds]

SLIDE 66

[Hex dumps of the disk after a normal format: boot block, file allocation table, root directory, a random file on the disk; the file allocation table, root directory and file area are now zeros. Time required: ~ 12 minutes]

SLIDE 67

  • Deleting files, quick format
    ▪ only the metadata is deleted, files can be easily restored, NOT SAFE
  • Format, zero-fill
    ▪ the disk is filled with zeros
      • Windows format,
      • dd on Linux,
      • DBAN, KillDisk
    ▪ this method should be safe enough for the average user
    ▪ the problem of bad sectors
      • the format will skip them, but the data will remain and might be extracted by a skilled attacker
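The bad-sector caveat on slide 67 (a format skips sectors it cannot write, so old content survives there) has a simple check: after a zero-fill, read the device back and list every sector that is not all zeros. The script below is an added example, not part of the lecture; the image it scans is constructed in the file, with two sectors standing in for skipped bad sectors, and the function names are the author's own. Run against a real image (`open(path, "rb").read()` or a window-by-window variant for large devices), a non-empty result means the wipe has to be verified sector by sector or the media destroyed, as the next slide recommends.

```python
"""Verify a zero-fill by listing sectors that still hold non-zero bytes.

Added example, not from the lecture. The image is constructed here: 32
sectors of 512 bytes, zero-filled except for two sectors that represent
bad sectors the format skipped and that still carry old content.
"""
SECTOR = 512


def unwiped_sectors(image, sector_size=SECTOR):
    """Return (sector number, offset of the first non-zero byte) for every dirty sector."""
    zero = bytes(sector_size)
    dirty = []
    for start in range(0, len(image), sector_size):
        chunk = image[start:start + sector_size]
        if chunk != zero[:len(chunk)]:
            first = next(i for i, b in enumerate(chunk) if b)
            dirty.append((start // sector_size, first))
    return dirty


def wipe_report(image, sector_size=SECTOR):
    """Summary a practitioner would attach to the wipe record."""
    total = -(-len(image) // sector_size)
    dirty = unwiped_sectors(image, sector_size)
    return {"sectors": total, "unwiped": len(dirty), "clean": not dirty,
            "unwiped_sectors": [s for s, _ in dirty]}


def build_sample_image():
    img = bytearray(32 * SECTOR)
    # constructed leftovers: a text fragment in sector 5 and one stray byte in sector 20
    img[5 * SECTOR + 100:5 * SECTOR + 112] = b"CONFIDENTIAL"
    img[20 * SECTOR] = 0xE9
    return bytes(img)


if __name__ == "__main__":
    report = wipe_report(build_sample_image())
    print(report)
    for sector, offset in unwiped_sectors(build_sample_image()):
        print("sector %d still holds data (first non-zero byte at offset %d)" % (sector, offset))
```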

SLIDE 68

  • Work of Peter Gutmann (with new disk types his work is somewhat outdated)
    ▪ a zero overwritten with a zero
    ▪ can be distinguished from
    ▪ a one overwritten with a zero
    ▪ with a probability higher than 50%
  • Disk wipe
    ▪ the US government standard DoD 5220.22-M (3-pass) recommends the following approach consisting of three passes:
      • Overwrite all addressable locations with:
        ▫ a character (zero)
        ▫ the character's complement (one)
        ▫ a random character
  • Physical destruction
    • high powered magnets,
    • drill,
    • hammer,
    • acid
    ▪ the most effective way

SLIDE 69

  • Brian Carrier: „File system forensic analysis”
    ▪ One of the best books about file systems
  • D. Farmer, W. Venema: „Forensic discovery”
  • D. Poirier: „The Second Extended File System”

SLIDE 70