COM4027 Module 5 Windows Forensics


COMP 4027
Windows and Forensics
MS File structures
• Need to understand MS file structures to know where files are stored in Windows
• Need to understand clusters, the File Allocation Table (FAT) and NTFS
• Need to know how the OS stores data to know where files and parts of files may be hidden
Exploring Microsoft File Structures
1 - 4 Sectors grouped in Clusters – Storage allocation units of 512, 1024, 2048, 4096, or more bytes.
Logical Address – Clusters are numbered sequentially; the number is assigned by the operating system.
Physical Address – Sectors are physical addresses: addresses that reside at the hardware or firmware level.
Exploring Microsoft File Structures
Many hard disks are partitioned.
Partition – A logical drive on a disk. It can be the entire disk or a portion thereof.
Inter-Partition Gap – Unused space or voids left between the primary partition and the first logical partition when partitions are created.
An editor can be used to edit the partition table to hide this gap.
Exploring Microsoft File Structures
Master Boot Record (MBR) – On Windows and DOS computer systems, the boot disk file, which contains information regarding the files on a disk and their locations, size, and other critical items.
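The partition table the slides refer to lives in the MBR at byte offset 446 as four 16-byte entries, followed by the 0x55AA signature. The following is an added example (not from the course or its textbook) that parses those entries and lists every sector range no entry claims, which is where an inter-partition gap would be. It generalises the slide slightly: it reports any unclaimed range, not only the one between the primary and first logical partition, and it treats the four entries as primaries only (extended partition tables are not followed). The disk image, partition layout, and the helper names parse_mbr, find_gaps and build_sample_mbr are all constructed for this example.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
MBR_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of a valid MBR
# Each entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, LBA sector count
ENTRY_FORMAT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, ptype, lba_start, lba_count = struct.unpack_from(ENTRY_FORMAT, mbr, offset)
        if ptype == 0 or lba_count == 0:   # empty slot
            continue
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "start": lba_start,
            "end": lba_start + lba_count - 1,   # last sector, inclusive
        })
    return entries


def find_gaps(entries: list, disk_sectors: int) -> list:
    """Return (first, last) sector ranges that no partition entry claims.

    Sector 0 holds the MBR itself, so the scan starts at sector 1. Every range
    returned is a candidate inter-partition gap worth imaging and inspecting.
    """
    gaps = []
    cursor = 1
    for entry in sorted(entries, key=lambda e: e["start"]):
        if entry["start"] > cursor:
            gaps.append((cursor, entry["start"] - 1))
        cursor = max(cursor, entry["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_sample_mbr(parts: list) -> bytes:
    """Construct a sample MBR (not from a real disk) from (status, type, start, count) tuples."""
    mbr = bytearray(SECTOR_SIZE)
    for index, (status, ptype, start, count) in enumerate(parts):
        struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * index,
                         status, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed sample: an 8192-sector disk with a bootable NTFS partition (type 0x07)
# starting at sector 63 and a FAT32 partition (type 0x0B) that leaves 2048 sectors
# of unclaimed space in front of it.
DISK_SECTORS = 8192
SAMPLE_MBR = build_sample_mbr([(0x80, 0x07, 63, 2048 - 63), (0x00, 0x0B, 4096, 4096)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print("entry %d type 0x%02x sectors %d-%d bootable=%s"
              % (p["index"], p["type"], p["start"], p["end"], p["bootable"]))
    for first, last in find_gaps(parts, DISK_SECTORS):
        print("unclaimed sectors %d-%d (%d bytes)"
              % (first, last, (last - first + 1) * SECTOR_SIZE))
```

On the constructed disk the scan reports sectors 1-62 (the gap before the first partition) and sectors 2048-4095 (the gap between the two partitions); on a real image each such range should be extracted and examined with the same carving and string tools used on unallocated space.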
Exploring Microsoft File Structures
File Allocation Table (FAT) – The original file-structure database that Microsoft designed for floppy disks, used prior to Windows NT and 2000.
It is written to the outermost track of a disk and contains information about each file stored on the drive. The variations are FAT12, FAT16, and FAT32.
Exploring Microsoft File Structures
Cluster sizes vary according to the size of the disk and the file system.
Exploring Microsoft File Structures
• Disk space is allocated by cluster
• This results in drive slack
• If you create a 5000-byte Word file on a FAT16 1.6 GB disk, the OS reserves 1 cluster
• However, in FAT16 32,000 bytes are allocated to your file = 27,000 bytes of file slack
• The 5000-byte file uses 10 sectors = 5120 bytes, so 120 bytes are spare as RAM slack, where any information in RAM is put, such as login ID, password, etc.
Exploring Microsoft File Structures
• Space is provided to reduce fragmentation of the file
• If the file fills up the reserved 27,000 bytes, another cluster is allocated, producing more slack space
• As a file grows, clusters are chained together, usually contiguously
• As files are created, deleted, etc., the chain can be broken, fragmented or lost
Exploring Microsoft File Structures
End-of-File Marker – 0x0FFFFFFF. This code is typically used with FAT file systems to show where the file ends.
When a file is deleted only the reference to it is removed – this area can receive new data.
Unallocated Disk Space – The area of disk where the deleted file resides.
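The slack arithmetic and the cluster chain behaviour described above can be checked with a small tool. The following is an added example (not from the course or its textbook): it decodes a FAT32 table, follows a cluster chain until the 0x0FFFFFFF end-of-file marker, reports where a chain is broken (free entry, bad cluster, loop or out-of-range number), and splits the space reserved for a file into file slack, RAM slack and drive slack. The 16-entry table, its chains and the function names load_fat32, follow_chain, is_contiguous and slack are all constructed for this example; the slack call uses the exact 32 KiB (32,768-byte) FAT16 cluster that the slide rounds to 32,000.

```python
import struct

FAT32_MASK = 0x0FFFFFFF     # only the low 28 bits of a FAT32 entry are the cluster number
FAT32_EOC_MIN = 0x0FFFFFF8  # 0x0FFFFFF8-0x0FFFFFFF all mean end of chain; 0x0FFFFFFF is the usual marker
FAT32_BAD = 0x0FFFFFF7      # cluster marked bad
FREE = 0


def load_fat32(raw: bytes) -> list:
    """Decode a raw FAT32 table (little-endian 32-bit entries) into cluster numbers."""
    count = len(raw) // 4
    return [e & FAT32_MASK for e in struct.unpack("<%dI" % count, raw[:count * 4])]


def follow_chain(fat: list, start: int) -> tuple:
    """Walk the cluster chain from `start`; return (clusters, status).

    status is "ok" when the walk reached an end-of-chain marker, otherwise a
    "broken: ..." string naming the first inconsistency, with the clusters
    reached so far (the part of the file that can still be recovered).
    """
    chain, seen, current = [], set(), start
    while True:
        if current < 2 or current >= len(fat):          # clusters 0 and 1 are reserved
            return chain, "broken: cluster %d out of range" % current
        if current in seen:
            return chain, "broken: loop back to cluster %d" % current
        seen.add(current)
        chain.append(current)
        nxt = fat[current]
        if nxt >= FAT32_EOC_MIN:
            return chain, "ok"
        if nxt == FAT32_BAD:
            return chain, "broken: bad cluster after %d" % current
        if nxt == FREE:
            return chain, "broken: entry after %d is unallocated" % current
        current = nxt


def is_contiguous(chain: list) -> bool:
    """True when every cluster in the chain directly follows the previous one."""
    return all(b == a + 1 for a, b in zip(chain, chain[1:]))


def slack(file_size: int, sector_size: int, sectors_per_cluster: int) -> dict:
    """Split the space reserved for a file into the three slack areas named above."""
    cluster_size = sector_size * sectors_per_cluster
    clusters = -(-file_size // cluster_size)                 # ceiling division
    allocated = clusters * cluster_size
    sectors_used = -(-file_size // sector_size)
    return {
        "clusters": clusters,
        "allocated": allocated,
        "file_slack": allocated - file_size,                   # everything past the file's last byte
        "ram_slack": sectors_used * sector_size - file_size,   # tail of the last sector written
        "drive_slack": allocated - sectors_used * sector_size, # whole sectors never written for this file
    }


# Constructed 16-entry FAT: entries 0 and 1 are reserved; chain 2->3->5 is a fragmented
# but intact file; 6->7->6 is a corrupted looping chain; 8 points at a free entry.
SAMPLE_ENTRIES = [0x0FFFFFF8, 0x0FFFFFFF, 3, 5, 0, 0x0FFFFFFF, 7, 6, 0] + [0] * 7
RAW_FAT = struct.pack("<16I", *SAMPLE_ENTRIES)

if __name__ == "__main__":
    fat = load_fat32(RAW_FAT)
    for start in (2, 6, 8):
        chain, status = follow_chain(fat, start)
        print("start %d -> %s (%s, contiguous=%s)" % (start, chain, status, is_contiguous(chain)))
    print(slack(5000, 512, 64))   # the slide's 5000-byte file in a 32 KiB (64-sector) FAT16 cluster
```

For the 5000-byte file the split is 120 bytes of RAM slack, 27,648 bytes of drive slack and 27,768 bytes of file slack in total, which is the slide's 27,000 once the real cluster size is used. A chain that returns a "broken" status still yields the clusters reached before the break, which is what a recovery tool can hand back; the missing tail has to come from carving.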
Examining NTFS Disks
New Technology File System – Introduced when Microsoft created Windows NT. NTFS is the primary file system for Windows XP. NTFS uses security features, allows for smaller cluster sizes, and uses Unicode, which makes it a much more versatile file system.
Much less slack space
Everything on the disk is a file
Examining NTFS Disks
Partition Boot Sector – The first data set of an NTFS disk. It starts at sector [0] of the disk drive and it can be expanded up to 16 sectors.
Master File Table – Used by NTFS to track files, like the FAT. It contains information about the access rights, date and time stamps, system attributes, and parts of the file. It takes 12.5% of the disk on creation and can grow to up to 50%.
Examining NTFS Disks
Unicode – A 16-bit character code representation that is replacing ASCII. It is capable of representing over 64,000 characters.
American Standard Code for Information Interchange (ASCII) – A coding scheme using 7 or 8 bits that assigns numeric values to up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.
Examining NTFS Disks
Meta-Data – In NTFS, this refers to information stored in the MFT.
Examining NTFS Disks
All files and folders have attributes (e.g. name, security, data). Each attribute has a code.
Resident Attributes – When referring to the MFT, all attributes that are stored in the MFT of the NTFS.
Nonresident Attributes – When referring to the MFT of the NTFS, all data that is stored in a location separate from the MFT.
Examining NTFS Disks
Logical Cluster Numbers (LCNs) – Used by the MFT of NTFS. An LCN refers to a specific physical location on the drive.
Virtual Cluster Number (VCN) – When a file is saved in NTFS, it is assigned both a logical cluster number and a virtual cluster number. The logical cluster is a physical location, while the virtual cluster consists of chained clusters.
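A nonresident attribute stores its data outside the MFT, and what the MFT record keeps instead is a run list: a compact table that maps the file's own cluster numbering (VCNs, starting at 0) onto the volume's clusters (LCNs). The following is an added example (not from the course or its textbook) that decodes such a run list and resolves a VCN to its LCN, including the two cases an investigator has to handle, a run that jumps backwards on a fragmented volume and a sparse run that has no clusters on disk at all. The run list bytes are constructed for this example and the names decode_data_runs, vcn_to_lcn and total_clusters are my own; the byte layout decoded (header nibbles giving the length and offset field sizes, offsets signed and relative to the previous run) is the NTFS format itself.

```python
def decode_data_runs(runs: bytes) -> list:
    """Decode an NTFS run list into (first_vcn, length, first_lcn) tuples.

    Each run starts with a header byte: the low nibble is the size in bytes of
    the run length field, the high nibble the size of the LCN offset field.
    Both values are little-endian; the offset is signed and relative to the
    previous run's starting LCN. A zero-size offset field marks a sparse run
    (no LCN) and a 0x00 header terminates the list.
    """
    decoded, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(runs):
        header = runs[pos]
        pos += 1
        if header == 0:
            break
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError("malformed run header 0x%02x at byte %d" % (header, pos - 1))
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            decoded.append((vcn, length, None))          # sparse: reads as zeros, nothing on disk
        else:
            delta = int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta                                  # may move backwards on a fragmented volume
            decoded.append((vcn, length, lcn))
        vcn += length
    return decoded


def vcn_to_lcn(decoded: list, vcn: int):
    """Map one virtual cluster of the file to its logical cluster on the volume (None if sparse)."""
    for first_vcn, length, first_lcn in decoded:
        if first_vcn <= vcn < first_vcn + length:
            return None if first_lcn is None else first_lcn + (vcn - first_vcn)
    raise ValueError("VCN %d is beyond the attribute's run list" % vcn)


def total_clusters(decoded: list) -> int:
    """Number of virtual clusters the run list covers (sparse runs included)."""
    return sum(length for _, length, _ in decoded)


# Constructed run list (not taken from a real volume): four runs, 30 clusters in total.
SAMPLE_RUNS = bytes([
    0x21, 0x10, 0x00, 0x10,   # 16 clusters at LCN 0x1000 (4096)
    0x11, 0x08, 0xF0,         # 8 clusters at LCN 4096 - 16 = 4080 (negative offset)
    0x01, 0x04,               # 4 sparse clusters
    0x21, 0x02, 0x20, 0x00,   # 2 clusters at LCN 4080 + 32 = 4112
    0x00,                     # end of run list
])

if __name__ == "__main__":
    runs = decode_data_runs(SAMPLE_RUNS)
    for first_vcn, length, first_lcn in runs:
        where = "sparse" if first_lcn is None else "LCN %d..%d" % (first_lcn, first_lcn + length - 1)
        print("VCN %2d..%2d -> %s" % (first_vcn, first_vcn + length - 1, where))
    print("VCN 20 lives in LCN", vcn_to_lcn(runs, 20))
```

Once the run list is decoded, the LCNs are what get multiplied by the cluster size to reach the bytes on the image, and a run list whose total clusters fall short of the attribute's allocated size is one sign of a damaged or tampered MFT record.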
Examining NTFS Disks
Multiple Data Streams – Ways in which data can be appended to a file, intentionally or not. In NTFS, it becomes an additional data attribute of the file.
Searching for evidence
• If the metadata entry is unallocated then we can recover metadata – links and properties
• It may be out of sync if we are unsure whether the data units have been allocated to new files
• This is very difficult to determine
• Compressed files are also a challenge, since the tool used to recover the compressed file must support the same algorithm
Application level searching
• Many application files have a structure and a signature type
• Data ‘carving’ can be carried out, where a chunk of data is searched for signatures of the beginning and end of a file, e.g. standard jpg headers and footers
• E.g. the tool foremost has signatures and searches for them
– E.g. the jpg entry: jpg y 200000 \xff\xd8 \xff\xd9
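The jpg line above has the layout of a foremost configuration entry: extension, a y/n flag for case-sensitive matching, the maximum carve size in bytes, the header bytes and the footer bytes. The following is an added example (not from the course, and not foremost's own code) that parses lines in that layout and carves a block of constructed unallocated data the same way: from each header to the next footer, cut at the maximum size and flagged incomplete when no footer is found. The PNG line, the sample buffer and the names parse_signature_line, carve and unescape are all constructed for this example; foremost's own wildcard and reverse-footer options are not implemented.

```python
import codecs


def unescape(token: str) -> bytes:
    """Turn a token such as \\xff\\xd8 into raw bytes."""
    return codecs.decode(token, "unicode_escape").encode("latin-1")


def parse_signature_line(line: str) -> tuple:
    """Parse 'ext case max_size header [footer]' (the layout of the jpg line above)."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("signature line needs at least extension, case flag, size and header")
    ext, case_flag, max_size, header = fields[:4]
    footer = unescape(fields[4]) if len(fields) > 4 else b""
    return ext, case_flag.lower() == "y", int(max_size), unescape(header), footer


def carve(data: bytes, signatures: list) -> list:
    """Return (ext, start, end, complete) for every header found in `data`.

    A carve runs from the header to the end of the footer; if no footer appears
    within max_size bytes the carve is cut at max_size and flagged incomplete,
    which is what happens for a file whose tail was overwritten.
    """
    found = []
    for ext, case_sensitive, max_size, header, footer in signatures:
        haystack = data if case_sensitive else data.lower()
        if not case_sensitive:
            header, footer = header.lower(), footer.lower()
        pos = 0
        while True:
            start = haystack.find(header, pos)
            if start < 0:
                break
            limit = min(len(data), start + max_size)
            end = haystack.find(footer, start + len(header), limit) if footer else -1
            if end < 0:
                found.append((ext, start, limit, False))
                pos = start + len(header)      # keep looking for later headers
            else:
                end += len(footer)
                found.append((ext, start, end, True))
                pos = end
    return sorted(found, key=lambda hit: hit[1])


# The jpg signature from the slide plus a PNG entry written in the same layout (constructed here).
SIGNATURES = [
    parse_signature_line(r"jpg y 200000 \xff\xd8 \xff\xd9"),
    parse_signature_line(r"png y 200000 \x89PNG\r\n\x1a\n IEND\xaeB`\x82"),
]

# Constructed unallocated space: one complete JPEG, one JPEG whose footer was
# overwritten, and one complete PNG, separated by filler bytes.
UNALLOCATED = (b"\x00" * 40
               + b"\xff\xd8" + b"JPEG-ONE" + b"\xff\xd9"
               + b"random slack bytes"
               + b"\xff\xd8" + b"JPEG-TWO-NO-FOOTER" + b"\x00" * 20
               + b"\x89PNG\r\n\x1a\n" + b"png-body" + b"IEND\xaeB`\x82")

if __name__ == "__main__":
    for ext, start, end, complete in carve(UNALLOCATED, SIGNATURES):
        print("%s at %d-%d (%d bytes)%s" % (ext, start, end, end - start,
                                            "" if complete else " [no footer, truncated]"))
```

The second JPEG shows the caveat the slides hint at: without a footer the carver keeps going until the size limit, so the carved file swallows whatever follows it (here the PNG) and must be trimmed or validated with the format's own structure before it is relied on.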
Examining NTFS Disks
Encrypted File System (EFS) – Encryption first used in Windows 2000 on NTFS-formatted disks.
If a user encrypts a file, a recovery certificate is generated and sent to the admin account – otherwise it will automatically decrypt on use.
Examining NTFS Disks
EFS Recovery Agent Functions – DOS commands:
-CIPHER
-COPY
-EFSRECVR
Examining NTFS Disks
• Deleting files
– The file is renamed and moved to the recycle bin
– Windows stores info about the path in the Info2 file
– Files are permanently deleted in the same way as in FAT
• Associated clusters are marked as free for new data
• The $BITMAP attribute is updated to reflect the deletion
• The file attribute record is marked as being available
• Any linking nodes and VCN/LCN cluster entries are removed
• Any link references are removed
Understanding Microsoft Boot Tasks
Need to understand boot tasks to know what might be altered if you had to boot up.
Windows XP, 2000, and NT Startup
-Power-on self test
-Initial startup
-Boot loader
-Hardware detection and configuration
-Kernel loading
-User logon
Understanding Microsoft Boot Tasks
Windows XP startup
NT Loader (NTLDR) – Loads Windows NT. It is located in the root folder of the system partition.
Reads boot.ini to display the boot menu
Runs Ntoskrnl.exe and Bootvid.dll, Hal.dll and device drivers
Understanding Microsoft Boot Tasks
• Boot.ini – Specifies the Windows NT installation path.
• BootSect.dos – Contains the address of the boot sector location of each operating system.
• NTDetect.com – A command file that identifies hardware components during bootup and sends the information to NTLDR.
Understanding Microsoft Boot Tasks
NTBootdd.sys – Device driver that allows access to SCSI or ATA drives that are not related to the BIOS.
Ntoskrnl.exe – The Windows NT operating system kernel. It is located in the Windows\System32 folder.
Hal.dll – Hardware abstraction layer dynamic link library. It tells the operating system kernel how to interface with the hardware.
Device Drivers – Contain instructions for the operating system for hardware devices.
Understanding Microsoft Boot Tasks
• When you start Windows NT or an older NTFS system, several files are immediately accessed, and thus their dates change to the current date
Understanding Microsoft Boot Tasks
DOS Protected-Mode Interface (DPMI) – Used by many computer forensics tools that do not operate in the Windows environment.
Understanding Microsoft Boot Tasks
Command.com – Provides a prompt when booting to MS-DOS mode. User interface for the MS-DOS operating system. Contains the following commands:
-DIR
-CD
-CLS
-DATE
-COPY
-DEL
-MD
-PATH
-PROMPT
-RD
-SET
-TIME
-TYPE
-VER
-VOL
Understanding MS-DOS Startup Tasks
IO.SYS – The first file loaded after the ROM bootstrap loader finds the operating system. This file allows for communication between the computer’s BIOS and hardware, and with MS-DOS code.
MSDOS.SYS – A hidden text file that contains startup options for Windows 9x. In MS-DOS, this file is the operating system kernel.
CONFIG.SYS – A text file that contains commands that are typically run only at system startup.
Understanding MS-DOS Startup Tasks
AUTOEXEC.BAT – An automatically executed batch file that contains customized commands and settings for MS-DOS.
Summary
-The Microsoft operating systems used FAT12 and FAT16 on older systems such as MS-DOS, Windows 3.X and Windows 9x.
-The Registry on older Windows OSs is used to keep a record of hardware attached, user preferences, network information, and installed software.
-The capacity of a hard disk is obtained by using the cylinders, heads, and sectors. To find the capacity of a disk, multiply the number of heads, sectors, and tracks.
-Clusters are used to accommodate large files. Sectors are grouped into clusters and clusters are chained to minimize the overhead of reading and writing files to a disk.
-The New Technology File System is more versatile because it uses the MFT to track information such as security items, the first 750 bytes of data, long and short filenames, and a list of nonresident attributes.
-File slack, RAM slack, and drive slack are all areas in which valuable information may reside on a drive.
-To be an effective computer forensics investigator, you need to maintain a library of older operating systems and applications.
-NTFS uses Unicode to store information. Unicode is an international code and uses a 16-bit configuration instead of the 8-bit configuration used by ASCII.
-Hexadecimal codes provide information about files and OSs. You can determine the file type by using various tools such as WinHex and Hex Workshop.
-NTFS uses inodes to link file attribute records to other file attribute records. Attributes fall into two categories: resident and nonresident.
-NTFS can compress individual files, folders, or entire partitions. FAT16 can only compress entire volumes.