https://github.com/txuswashere/digital-forensics
Digital Forensics Essentials (DFE)
- Host: GitHub
- URL: https://github.com/txuswashere/digital-forensics
- Owner: txuswashere
- Created: 2024-03-18T13:56:31.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-03-18T13:57:05.000Z (about 2 years ago)
- Last Synced: 2025-03-25T14:45:31.816Z (about 1 year ago)
- Topics: dfe, digital-forensic, digital-forensic-tool, digital-forensics, digital-forensics-course, digitalforensics, ec-council, forensic, forensic-analysis, forensic-tools, forensics, forensics-investigations, forensics-tools
- Homepage:
- Size: 92.8 KB
- Stars: 13
- Watchers: 3
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Digital-Forensics
Digital Forensics Essentials
Table of Contents
- Module 01: Computer Forensics Fundamentals
- Fundamentals of Computer Forensics
- Digital Evidence
- Forensic Readiness
- Roles and Responsibilities of a Forensic Investigator
- Legal Compliance in Computer Forensics
- Module 02: Computer Forensics Investigation Process
- Forensic Investigation Process and its Importance
- Forensic Investigation Process - Pre-investigation Phase
- Forensic Investigation Process - Investigation Phase
- Forensic Investigation Process - Post-investigation Phase
- Module 03: Understanding Hard Disks and File Systems
- Different Types of Disk Drives and their Characteristics
- Logical Structure of a Disk
- Booting Process of Windows, Linux, and Mac Operating Systems
- File Systems of Windows, Linux, and Mac Operating Systems
- File System Examination
- Module 04: Data Acquisition and Duplication
- Data Acquisition Fundamentals
- Types of Data Acquisition
- Data Acquisition Format
- Data Acquisition Methodology
- Module 05: Defeating Anti-forensics Techniques
- Anti-forensics and its Techniques
- Anti-forensics Countermeasure
- Module 06: Windows Forensics
- Volatile and Non-Volatile Information
- Windows Memory and Registry Analysis
- Cache, Cookie, and History Recorded in Web Browsers
- Windows Files and Metadata
- Module 07: Linux and Mac Forensics
- Volatile and Non-Volatile Data in Linux
- Analyze Filesystem Images Using The Sleuth Kit
- Memory Forensics
- Mac Forensics
- Module 08: Network Forensics
- Network Forensics Fundamentals
- Event Correlation Concepts and Types
- Identify Indicators of Compromise (IoCs) from Network Logs
- Investigate Network Traffic
- Module 09: Investigating Web Attacks
- Web Application Forensics
- IIS and Apache Web Server Logs
- Investigating Web Attacks on Windows-based Servers
- Detect and Investigate Attacks on Web Applications
- Module 10: Dark Web Forensics
- Dark Web
- Dark Web Forensics
- Tor Browser Forensics
- Module 11: Investigating Email Crimes
- Email Basics
- Email Crime Investigation and its Steps
- Module 12: Malware Forensics
- Malware, its Components and Distribution Methods
- Malware Forensics Fundamentals and Recognize Types of Malware Analysis
- Static Malware Analysis
- Analyze Suspicious Word Documents
- Dynamic Malware Analysis
- System Behavior Analysis
- Network Behavior Analysis
# Module 01: Computer Forensics Fundamentals
- Fundamentals of Computer Forensics
- Understanding Computer Forensics
- Objectives of Computer Forensics
- Identify, gather, and preserve the evidence of a cybercrime
- Identify and gather evidence of cybercrimes in a forensically sound manner
- Track and prosecute the perpetrators in a court of law
- Interpret, document, and present the evidence such that it is admissible during prosecution
- Estimate the potential impact of malicious activity on the victim and assess the intent of the perpetrator
- Find vulnerabilities and security loopholes that help attackers
- Understand the techniques and methods used by attackers to avert prosecution and overcome them
- Recover deleted files, hidden files, and temporary data that can be used as evidence
- Perform incident response (IR) to prevent further loss of intellectual property, finances, and reputation during an attack
- Know the laws of various regions and areas, as digital crimes are widespread and remote
- Know the process of handling multiple platforms, data types, and operating systems
- Learn to identify and use the appropriate tools for forensic investigations
- Prepare for incidents in advance to ensure the integrity and continuity of network infrastructure
- Offer ample protection to data resources and ensure regulatory compliance
- Protect the organization from similar incidents in the future
- Help counteract online crimes such as abuse, bullying, and reputation damage
- Minimize the tangible and intangible losses to an organization or an individual
- Support the prosecution of the perpetrator of a cybercrime
- Need for Computer Forensics
- Ensure the overall integrity and the continued existence of an organization’s computer system and network infrastructure
- Help the organization capture important information if their computer systems or networks are compromised. Forensic evidence also helps prosecute the perpetrator of a cybercrime, if caught.
- Extract, process, and interpret the actual evidence so that it proves the attacker’s actions and their guilt or innocence in court
- Efficiently track down perpetrators/terrorists from different parts of the world. Terrorists who use the Internet as a communication medium can be tracked down, and their plans can be discovered. IP addresses are vital to finding the geographical location of the terrorists.
- Save the organization’s money and valuable time. Many managers allocate a large portion of their IT budget for computer and network security.
- Track complex cases such as ransomware attacks, email spamming, etc.
- When Do You Use Computer Forensics?
- Prepare for incidents by securing and strengthening the defense mechanism as well as closing the loopholes in security
- Gain knowledge of the regulations related to cyber laws and comply with them
- Report incidents involving a breach of cybersecurity
- Identify the actions needed for incident response
- Act against copyright and intellectual property theft/misuse
- Settle disputes among employees or between the employer and employees
- Estimate and minimize the damage to resources in a corporate setup
- Set security parameters and formulate security norms for ensuring forensic readiness
- Types of Cybercrimes
- Internal/Insider attacks
- External attacks
- Examples of Cybercrimes
- Espionage
- Intellectual property theft
- Data manipulation
- Trojan horse attack
- Structured query language (SQL) injection attack
- Brute-force attack
- Phishing/spoofing
- Privilege escalation attacks
- Denial-of-service (DoS) attack
- Cyber defamation
- Cyberterrorism
- Cyberwarfare
- Impact of Cybercrimes at the Organizational Level
- Loss of confidentiality, integrity and availability of information stored in organizational systems
- Theft of sensitive data
- Sudden disruption of business activities
- Loss of customer and stakeholder trust
- Substantial reputational damage
- Huge financial losses
- Penalties arising from the failure to comply with regulations
- Digital Evidence
- Types of Digital Evidence
- Volatile data
- Non-volatile data
- Roles of Digital Evidence
- Identity theft
- Malicious attacks on the computer systems themselves
- Information leakage
- Unauthorized transmission of information
- Theft of commercial secrets
- Use/abuse of the Internet
- Production of false documents and accounts
- Unauthorized encryption/ password protection of documents
- Abuse of systems
- Email communication between suspects/conspirators
- Sources of Potential Evidence
- User-Created Files
- Address books
- Database files
- Media (images, graphics, audio, video, etc.) files
- Documents (text, spreadsheet, presentation, etc.) files
- Internet bookmarks, favorites, etc.
- User-Protected Files
- Compressed files
- Misnamed files
- Encrypted files
- Password-protected files
- Hidden files
- Steganography
- Computer-Created Files
- Backup files
- Log files
- Configuration files
- Printer spool files
- Cookies
- Swap files
- System files
- History files
- Temporary files
- Location of Potential Evidence
- Hard Drive: Text, picture, video, multimedia, database, and computer program files
- Thumb Drive: Text, graphics, image, and picture files
- Memory Card: Event logs, chat logs, text files, image files, picture files, and internet browsing history
- Smart Card, Dongle, and Biometric Scanner: Evidence is found by recognizing or authenticating the information of the card and the user, through the level of access, configurations, permissions, and in the device itself
- Answering Machine: Voice recordings such as deleted messages, last called number, memo, phone numbers, and tapes
- Digital Camera/Surveillance cameras: Images, removable cartridges, video, sound, time and date stamp, etc.
- Random Access Memory (RAM) and Volatile storage: Evidence is located and can be acquired from the main memory of the computer
- Handheld Devices: Address book, appointment calendars or information, documents, email, handwriting, password, phone book, text messages, and voice messages
- Local Area Network (LAN) Card/ Network Interface Card (NIC): MAC (Media Access Control) address
- Routers, Modem, Hubs, and Switches: For routers, evidence is found in the configuration files. For hubs, switches, and modems evidence is found on the devices themselves
- Network Cables and Connectors: On the devices themselves
- Server: Computer system
- Printer: Evidence is found through usage logs, time and date information, and network identity information, ink cartridges, and time and date stamp
- Internet of Things and wearables: Evidence can be acquired in the form of GPS, audio and video recordings, cloud storage sensors, etc.
- Removable Storage Device and Media: Storage device and media such as tape, CD, DVD, and Blu-ray contain the evidence in the devices themselves
- Scanner: Evidence is found by looking at the marks on the glass of the scanner
- Telephones: Evidence is found through names, phone numbers, caller identification information, appointment information, electronic mail, and pages, etc.
- Copiers: Documents, user usage logs, time, and date stamps, etc.
- Credit Card Skimmers: Evidence is found through card expiration date, user’s address, credit card numbers, user’s name, etc.
- Digital Watches: Evidence is found through address book, notes, appointment calendars, phone numbers, email, etc.
- Facsimile (Fax) Machines: Evidence is found through documents, phone numbers, film cartridge, send or receive logs
- Global Positioning Systems (GPS): Evidence is found through previous destinations, way points, routes, travel logs, etc.
- Rules of Evidence
- Understandable
- Admissible
- Authentic
- Reliable
- Complete
- Best Evidence Rule
- Federal Rules of Evidence (United States) https://www.rulesofevidence.org (the items below are the subsections of Rule 103, Rulings on Evidence)
- Preserving a claim of error
- Not needing to renew an objection or offer of proof
- Court’s statement about the ruling; directing an offer of proof
- Preventing the jury from hearing inadmissible evidence
- Taking Notice of Plain Error
- Scientific Working Group on Digital Evidence (SWGDE) https://www.swgde.org
- The Association of Chief Police Officers (ACPO) Principles of Digital Evidence https://www.college.police.uk
- Forensic Readiness
- An incident response team that is forensically ready offers an organization the following benefits:
- It eases evidence gathering to act in the company’s defense in case of a lawsuit
- It enables the use of comprehensive evidence collection to act as a deterrent to insider threats and to process all important pieces of evidence without fail
- It helps the organization conduct a fast and efficient investigation in the event of a major incident and take the required actions with minimal disruption to day-to-day business activities
- It facilitates a well-designed, fixed, and structured approach toward the storage of evidence to reduce investigation expenses and time considerably and to simultaneously preserve the all-important chain of custody
- It establishes a structured approach toward the storage of all digital information, which not only reduces the cost of any court-ordered disclosure or regulatory/legal need to disclose data but also fulfills requirements under federal law (e.g., as a response to a request for discovery under the Federal Rules of Civil Procedure)
- It extends the protection offered by an information security policy to cover the broader threats of cybercrime, such as intellectual property thefts, fraud, or extortion
- It demonstrates due diligence and good corporate governance of the company’s information assets, as measured by the “Reasonable Man” standard
- It ensures that the investigation meets all regulatory requirements.
- It can improve upon and make the interface to law enforcement easier
- It improves the prospects of successful legal action.
- It can provide evidence to resolve commercial or privacy disputes.
- It can support employee sanctions up to and including termination based on digital evidence (e.g., to prove a violation of an acceptable-use policy)
- It prevents attackers from covering their tracks
- It limits the cost of regulatory or legal requirements for disclosure of data
- It helps avert similar attacks in the future
- Forensic Readiness and Business Continuity
- Forensic readiness allows businesses to:
- Quickly determine the incidents
- Understand relevant information
- Collect legally sound evidence and analyze it to identify attackers
- Minimize the required resources
- Eliminate the threat of repeated incidents
- Quickly recover from damage with less downtime
- Gather the evidence required to claim insurance
- Legally prosecute the perpetrators and claim damages
- Lack of forensic readiness results in the following:
- Loss of clients due to damage to the organization’s reputation
- System downtime
- Data manipulation, deletion, and theft
- Inability to collect legally sound evidence
- Forensic Readiness Planning
- Identify the potential evidence required for an incident
- Determine the sources of evidence
- Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption
- Establish a policy for securely handling and storing the collected evidence
- Identify if the incident requires full or formal investigation
- Create a process for documenting the procedure
- Establish a legal advisory board to guide the investigation process
- The legal advisory board will help the organization do the following:
- Manage any threats arising from the incident
- File the incident legally and ensure proper prosecution
- Understand the legal and regulatory constraints and suggest necessary action
- Handle processes such as reputation protection and public relations issues
- Design legal agreements with partners, customers, investors, and employees
- Investigate the company’s commercial and civil disputes
- Keep an incident response team ready to review the incident and preserve the evidence
- Roles and Responsibilities of a Forensic Investigator
- Need for a Forensic Investigator
- Cybercrime Investigation
- Sound Evidence Handling
- Incident Handling and Response
- Roles and Responsibilities of a Forensics Investigator
- Evaluates the damages of a security breach
- Identifies and recovers data required for investigation
- Extracts the evidence in a forensically sound manner
- Ensures appropriate handling of the evidence
- Acts as a guide to the investigation team
- Creates reports and documents about the investigation for presenting in a court of law
- Reconstructs the damaged storage devices and uncovers the information hidden on the computer
- Updates the organization about various methods of attack and data recovery techniques, and maintains a regularly updated record of them (by determining and using the relevant documentation method)
- Addresses the issue in a court of law and attempts to win the case by testifying in court
- What Makes a Good Computer Forensics Investigator?
- Interviewing skills to gather extensive information about the case from the client or victim, witnesses, and suspects
- Researching skills to know the background and activities pertaining to the client or victim, witnesses, and suspects
- Maintains perfect accuracy of the tests performed and their records
- Patience and willingness to work long hours
- Excellent writing skills to detail findings in the report
- Strong analytical skills to find the evidence and link it to the suspect
- Excellent communication skills to explain their findings to the audience
- Remains updated about new methodologies and forensic technology
- Well-versed in more than one computer platform (including Windows, Macintosh, and Linux)
- Knowledge of various technologies, hardware, and software
- Develops and maintains contact with computing, networking, and investigating professionals
- Honest, ethical, and law abiding
- Has knowledge of the laws relevant to the case
- Ability to control emotions when dealing with issues that induce anger
- Multi-discipline expertise related to both criminal and civil cases
- Legal Compliance in Computer Forensics
- Gramm-Leach-Bliley Act (GLBA) https://www.ftc.gov
- Federal Information Security Modernization Act of 2014 (FISMA) https://csrc.nist.gov
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) https://www.hhs.gov
- Payment Card Industry Data Security Standard (PCI DSS) https://www.pcisecuritystandards.org (an industry standard maintained by the PCI Security Standards Council, not a law)
- The Electronic Communications Privacy Act https://it.ojp.gov
- General Data Protection Regulation (GDPR) https://gdpr.eu
- Data Protection Act of 2018 http://www.legislation.gov.uk
- Sarbanes-Oxley Act (SOX) of 2002 https://www.sec.gov
- Other Laws Relevant to Computer Forensics
- United States
- Foreign Intelligence Surveillance Act https://www.fas.org
- Protect America Act of 2007 https://www.congress.gov
- Privacy Act of 1974 https://www.justice.gov
- National Information Infrastructure Protection Act of 1996 https://www.congress.gov
- Computer Security Act of 1987 https://www.congress.gov
- Freedom of Information Act (FOIA) https://www.foia.gov
- United Kingdom
- Regulation of Investigatory Powers Act 2000 https://www.legislation.gov.uk
- Australia
- Cybercrime Act 2001 https://www.legislation.gov.au
- Information Privacy Act 2014 https://www.findandconnect.gov.au
- India
- Information Technology Act http://www.dot.gov.in
- Germany
- Section 202a. Data Espionage, Section 303a. Alteration of Data, Section 303b. Computer Sabotage http://www.cybercrimelaw.net
- Italy
- Penal Code Article 615 ter http://www.cybercrimelaw.net
- Canada
- Canadian Criminal Code Section 342.1 https://laws-lois.justice.gc.ca
- Singapore
- Computer Misuse Act https://sso.agc.gov.sg
- Belgium
- Computer Hacking http://www.cybercrimelaw.net
- Brazil
- Unauthorized modification or alteration of the information system
- Philippines
- Data Privacy Act of 2012 https://www.privacy.gov.ph
- Hong Kong
- Cap. 486 Personal Data (Privacy) Ordinance https://www.pcpd.org.hk
# Module 02: Computer Forensics Investigation Process
- Forensic Investigation Process and its Importance
- Forensic Investigation Process - Pre-investigation Phase
- Forensic Investigation Process - Investigation Phase
- Forensic Investigation Process - Post-investigation Phase
- Forensic Investigation Process - Pre-investigation Phase
- Setting Up a Computer Forensics Lab
- Planning and budgeting considerations
- Types of Investigations
- Number of Investigators/Examiners
- Equipment Requirement
- Software Requirement
- Physical and structural design considerations
- Lab Size
- Access to Essential Services
- Space Estimation for Work Area and Evidence Storage
- Heating, Ventilation, and Air-Conditioning
- Work area considerations
- Workstation Requirement
- Ambience
- Internet, Network, and Communication Line
- Lighting Systems and Emergency Power
- Physical security considerations
- The level of physical security required for a forensics lab depends on the nature of investigations performed in the lab
- Maintain a log register at the entrance of the lab to record visitor data such as the address and name of the visitor with date, time, and the purpose of the visit, as well as name of the contact person. Provide visitors with passes to distinguish them from the lab staff and maintain an electronic sign-in log for them.
- Install an intrusion alarm system in the lab to provide an additional layer of protection and deploy guards around the premises
- Keep the lab under surveillance by placing closed-circuit cameras in the lab and around its premises
- Place fire extinguishers within and outside the lab and provide training to the lab personnel and guards on how to use them, in case of a fire
- Shield workstations from leaking electromagnetic emanations, which all electronic equipment produces. The solution is to shield emissions according to the US government's TEMPEST standards. To prevent eavesdropping, TEMPEST labs line the walls, ceilings, and floor with sheets of a good metallic conductor such as copper, shield the power cables to prevent radiation, and add filters to the telephone lines entering the lab.
- Human resource considerations
- The overall success of a computer forensics laboratory mainly relies on experience gathering, knowledge sharing, ongoing education, and investment in human resources development
- Estimate the number of personnel required to deal with the case based on its nature and the skills they should have to complete the tasks
- Interview the appropriate candidates and recruit them legally. Ensure they have certification pertaining to their job roles.
- In the case of a computer forensics laboratory, key job roles include lab cybercrime investigator, lab director, forensic technician, and forensic analyst
- Forensic lab licensing
- Forensics labs should be licensed by the concerned authorities to indicate trustworthiness
- The authorities provide these licenses after reviewing the lab and the facilities it has for performing investigations
- Examples include ASCLD/LAB accreditation (the American Society of Crime Laboratory Directors' program, now operated by the ANSI National Accreditation Board, ANAB) and ISO/IEC 17025 accreditation
- Building the Investigation Team
- Identify the team members and assign them responsibilities
- Appoint a person as the technical lead for the investigation
- Keep the investigation team as small as possible to achieve confidentiality and avoid information leaks
- Provide each team member with the necessary clearance and authorization to complete the assigned tasks
- Enlist help from a trusted external investigation team, if required
- To find the appropriate evidence from a variety of computing systems and electronic devices, the following people may be involved:
- Photographer
- Incident Responder
- Incident Analyzer
- Evidence Examiner/Investigator
- Evidence Documenter
- Evidence Manager
- Expert Witness
- Attorney
- Understanding the Hardware and Software Requirements of a Forensic Lab
- Hardware
- Two or more forensic workstations with good processing power and RAM
- Specialized cables
- Write-blockers
- Drive duplicators
- Archive and Restore devices
- Media sterilization systems
- Other equipment that allows forensic software tools to work
- Computer forensic hardware toolkits, such as Paraben's First Responder Bundle, the DeepSpar Disk Imager, and the FRED forensic workstation
- Software
- OSes
- Data discovery tools
- Password-cracking tools
- Acquisition tools
- Data analyzers
- Data recovery tools
- File viewers (Image and graphics)
- File type conversion tools
- Security and Utilities software
- Computer forensic software tools such as Wireshark, Access Data’s FTK, etc.
- Forensic Investigation Process - Investigation Phase
- Computer Forensics Investigation Methodology
- Documenting the Electronic Crime Scene
- Search and Seizure
- Evidence Preservation
- Data Acquisition
- Data Analysis
- Case Analysis
- Reporting
- Testifying as an Expert Witness
- Documenting the Electronic Crime Scene
- Documentation of the electronic crime scene is a continuous process during the investigation that makes a permanent record of the scene
- It is essential to properly note down the site and state of computers, digital storage media, and other electronic devices
- Document the physical crime scene, noting the position of the system and other equipment, if any
- Document details of any related, difficult-to-find electronic components
- Record the state of the computer system, digital storage media, electronic devices, and predictable evidence, including the power status of the computer
- Take a photograph of the computer monitor’s screen and note down what you see on the screen
- Search and Seizure
- Planning the Search and Seizure
- Description, title, and location of the incident
- Applicable jurisdiction, relevant legislation, and organizational policy
- Determining the extent of authority to search
- Creating a chain of custody document
- Details of the equipment to be seized: structure type and size; location (all in one place, or spread across the building or floors); device type and model number; power status; network status and type of network; backups (if any), their location and the date and time of the last backup; and whether a server must be taken down, together with the business impact of doing so
- Search and seizure type (overt/covert) and approval from the local management
- Health and safety precautions, such as all forensic team members wearing protective latex gloves for all onsite searching and seizing operations, both to protect the staff and to preserve any fingerprints that may come in handy later
- Evidence Preservation
- The logbook of the project to record observations related to the evidence
- A tag to uniquely identify any evidence
- A chain of custody record
- Data Acquisition
- Data Analysis
- Analyzing the file content for data usage
- Analyzing the date and time of file creation and modification
- Finding the users associated with file creation, access, and file modification
- Determining the physical storage location of the file
- Timeline generation
- Identifying the root cause of the incident
- Case Analysis
- Check whether other investigative methods can be followed, for instance identifying a remote storage location, examining network service logs for information of evidentiary value, or collecting case-specific evidence from social media
- Gather additional information related to the case (e.g., aliases, email accounts, ISP used, names, network configuration, system logs, and passwords) by interviewing the respective individuals.
- Identify the relevance of any network elements at the crime scene to the investigation
- Consider the relevance of peripheral components to the investigation; for instance, in forgery or fraud cases, consider non-computer equipment such as laminators, check paper, scanners, printers, and digital cameras
- Forensic Investigation Process - Post-investigation Phase
- Gathering and Organizing Information
- Identification
- Procedures
- Gather all notes from different phases of the investigation process
- Identify the facts to be included in the report for supporting the conclusions
- List all the evidence to submit with the report
- List the conclusions that need to be in the report
- Organize and classify the information gathered to create a concise and accurate report
- Writing the Investigation Report
- It should accurately define the details of an incident.
- It should convey all necessary information in a concise manner.
- It should be technically sound and understandable to the target audience.
- It should be structured in a logical manner so that information can be easily located.
- It should be created in a timely manner.
- It should be able to withstand legal inspection.
- It should include conclusions that can be completely reproduced by a third-party.
- It should try to answer questions raised during a judicial trial.
- It should provide valid conclusions, opinions, and recommendations supported by figures and facts.
- It should adhere to local laws to be admissible in court.
- Forensics Investigation Report Template
- Executive summary
- Case number
- Names and Social Security Numbers of authors, investigators, and examiners
- Purpose of investigation
- Significant findings
- Signature analysis
- Investigation objectives
- Details of the incident
- Date and time the incident allegedly occurred
- Date and time the incident was reported to the agency’s personnel
- Details of the person or persons reporting the incident
- Investigation process
- Date and time the investigation was assigned
- Allotted investigators
- Nature of the claim and information provided to the investigators
- Evidence information
- Location of the evidence
- List of the collected evidence
- Tools involved in collecting the evidence
- Preservation of the evidence
- Evaluation and analysis Process
- Initial evaluation of the evidence
- Investigative techniques
- Analysis of the computer evidence (Tools involved)
- Relevant findings
- Supporting Files
- Attachments and appendices
- Full path of the important files
- Expert reviews and opinion
- Other supporting details
- Attacker’s methodology
- User’s applications and Internet activity
- Recommendations
- Testifying as an Expert Witness
- Familiarize the expert witness with the usual procedures that are followed during a trial
- The attorney introduces the expert witness
- The opposing counsel may try to discredit the expert witness
- The attorney leads the expert witness through the evidence
- Later, it is followed by the opposing counsel’s cross-examination
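As an added example (not code from the course or from this repository), the following Python sketch implements the three preservation artifacts listed under Evidence Preservation above: the logbook entry, the unique evidence tag, and the chain-of-custody record. It hashes the acquired item at seizure and again at every hand-off, and links each custody entry to the previous one so that a backdated edit or a dropped entry is detectable. The case identifier, custodian names, timestamps and the sample "image" bytes are all constructed for the example; chaining the log entries by hash is a design choice of the example, not something the course text prescribes.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of evidence bytes; the value written on the tag and re-checked at every hand-off."""
    return hashlib.sha256(data).hexdigest()


def make_evidence_tag(case_id: str, item_no: int, description: str, data: bytes,
                      collected_by: str, collected_at: str) -> dict:
    """Uniquely identifies one evidence item and fixes its acquisition hash at seizure time."""
    return {
        "tag": f"{case_id}-{item_no:03d}",
        "description": description,
        "size_bytes": len(data),
        "sha256": sha256_hex(data),
        "collected_by": collected_by,
        "collected_at": collected_at,
    }


def _entry_digest(prev_digest: str, entry: dict) -> str:
    # Canonical JSON so the digest does not depend on key order or whitespace.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(prev_digest.encode() + body)


def chain_append(chain: list, tag: dict, action: str, custodian: str, when: str,
                 data: bytes) -> dict:
    """Record one custody event. The receiving custodian re-hashes the item.

    Each entry digests over the previous entry's digest, so editing or removing an
    earlier entry breaks every later link (hash chaining is an assumption of this
    example, not a requirement stated by the course).
    """
    prev = chain[-1]["entry_sha256"] if chain else "0" * 64
    entry = {
        "tag": tag["tag"],
        "action": action,
        "custodian": custodian,
        "when": when,
        "observed_sha256": sha256_hex(data),
    }
    entry["entry_sha256"] = _entry_digest(prev, entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list, tag: dict) -> tuple:
    """Return (ok, reason): every entry must carry the tag's hash and link to its predecessor."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        if entry["tag"] != tag["tag"]:
            return False, f"entry {i}: belongs to a different item"
        if entry["observed_sha256"] != tag["sha256"]:
            return False, f"entry {i}: hash seen by {entry['custodian']} differs from the tag"
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if _entry_digest(prev, body) != entry["entry_sha256"]:
            return False, f"entry {i}: chain link broken (record edited or an entry dropped)"
        prev = entry["entry_sha256"]
    return True, "ok"


# Constructed sample standing in for an acquired disk image (4 KiB of predictable bytes).
SAMPLE_IMAGE = bytes(range(256)) * 16


def demo() -> tuple:
    """Two clean hand-offs, then a hand-off where the copy differs by a single bit."""
    tag = make_evidence_tag("CASE-0001", 1, "Laptop SSD, full image", SAMPLE_IMAGE,
                            "J. Examiner", "2024-03-18T10:00:00Z")
    chain = []
    chain_append(chain, tag, "seized at scene", "J. Examiner", "2024-03-18T10:05:00Z", SAMPLE_IMAGE)
    chain_append(chain, tag, "logged into evidence locker", "Evidence Manager",
                 "2024-03-18T12:30:00Z", SAMPLE_IMAGE)
    clean_ok, _ = verify_chain(chain, tag)

    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # one flipped bit in the copy handed to the analyst
    chain_append(chain, tag, "checked out for analysis", "Analyst",
                 "2024-03-19T09:00:00Z", bytes(tampered))
    tampered_ok, reason = verify_chain(chain, tag)
    return clean_ok, tampered_ok, reason


def demo_edited_record() -> bool:
    """A backdated edit of the first custody entry must be detected by the link check."""
    tag = make_evidence_tag("CASE-0001", 2, "USB thumb drive image", SAMPLE_IMAGE,
                            "J. Examiner", "2024-03-18T10:00:00Z")
    chain = []
    chain_append(chain, tag, "seized at scene", "J. Examiner", "2024-03-18T10:05:00Z", SAMPLE_IMAGE)
    chain_append(chain, tag, "logged into evidence locker", "Evidence Manager",
                 "2024-03-18T12:30:00Z", SAMPLE_IMAGE)
    chain[0]["custodian"] = "Someone Else"
    return verify_chain(chain, tag)[0]


if __name__ == "__main__":
    print(demo())
    print(demo_edited_record())
```

Running the file prints `(True, False, 'entry 2: hash seen by Analyst differs from the tag')` followed by `False`: the two clean hand-offs verify, the copy that reaches the analyst is rejected with the entry index and custodian named, and the edited first record breaks the link digest. In practice the tag hash is the one recorded by the acquisition tool at imaging time, and the log itself should be signed or stored append-only so that trust in the verifier does not rest on the same machine that wrote the log.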
# Module 03: Understanding Hard Disks and File Systems
- Different Types of Disk Drives and their Characteristics
- Capacity
- Interface used
- Speed in RPM
- Seek time
- Access time
- Transfer time
- Understanding Hard Disk Drive: HDD is a non-volatile digital data storage device that records data magnetically on a metallic platter
- Tracks: Tracks are the concentric circles on platters where all the information is stored. Platters have two surfaces, each of which is divided into concentric circles called tracks. Tracks store all the information on a hard disk
- Track Numbering: Track numbering on a hard disk begins at 0 from the outer edge and moves towards the center. The number of tracks on a hard disk depends on the size of the disk
- Sector: Tracks contain smaller divisions called sectors, which are the smallest physical storage units on a hard-disk platter.
- ID information: This part contains the sector number and location, which identify sectors on the disk. It also contains status information on the sector.
- Synchronization fields: The drive controller uses these fields to synchronize its read clock with the data that follows
- Data: This part is the information stored on the sector
- Error correction coding (ECC): This code ensures the integrity of the data
- Gaps: These are spaces used to provide time for the controller to continue the read process
- Sector Addressing: Cylinders, heads, and sectors (CHS) determine the address of the individual sectors on the disk. When a disk is formatted, it is divided into tracks and sectors
- 4K Sectors: Newer hard drives use 4096-byte (4 KB or 4K) Advanced Format sectors. Generation-one Advanced Format, also called 4K sector technology, uses the platter surface more efficiently by merging eight 512-byte sectors into a single 4096-byte sector, so the per-sector overhead (ID, sync, gap, and ECC fields) is paid once per 4096 bytes instead of once per 512. Most such drives still present 512-byte logical sectors to the host (512e emulation), so a partition whose start LBA is not a multiple of eight straddles physical sectors.
- Data Density on a Hard Disk: Data is recorded onto a hard disk using a method called zoned bit recording (also known as a multiple zone recording). In this technique, tracks are combined together into zones depending on their distance from the center of the disk. Each zone is assigned a number of sectors per track
- Track density: This term refers to the space required by a particular number of tracks on a disk. Disks with a greater track density can store more information and offer better performance.
- Areal density: This term refers to the number of bits per square inch on a platter, and it represents the amount of data a hard disk can hold.
- Bit density: This term refers to the number of bits a unit length of track can accommodate.
- CHS (Cylinder-Head-Sector) Data Addressing and Disk Capacity Calculation
- The CHS addressing method addresses each physical block of data on a hard disk by specifying the cylinder (radius), head (platter side), and sector (angular position)
- Measuring the Hard Disk Performance
- Access time: Access time refers to the time taken by a drive to initiate data transfer. This time depends on the mechanical nature of rotating disks and moving heads.
- Seek time: This is the time required for a hard-disk controller to find a particular piece of data. When reading or writing data, the disk heads move to the correct position through the process of seeking. The time taken to move read or write disc heads from one point to another on the disk is the seek time.
- Rotational latency: This is the delay while the chosen disk sector rotates under the read/write heads. The average rotational latency is half the time the disk takes to complete one revolution. The term applies only to rotating storage devices such as HDDs and floppy drives, not to tape drives.
- Data transfer rate: The data transfer rate of a drive is expressed by the internal rate, which is the rate of data transfer between the disk surface and drive controller, as well as the external rate, which is the rate of data transfer between the drive controller and host system.
- Understanding Solid-State Drive (SSD): An SSD is a non-volatile storage device that uses NAND flash memory chips to store digital data. SSDs are faster than HDDs because they have no moving parts, and their read/write performance depends on the drive's data connection
- NAND-based SSDs
- Volatile RAM-based SSDs
- Advantages of SSD:
- Faster data access
- Lower power usage
- Higher reliability
- Components of SSD
- NAND flash memory—It uses non-volatile storage technology to store data and consists of floating gate transistors that do not require power to retain data
- Controller—It is an embedded processor that acts as a bridge between the flash memory components and the system by executing firmware-level software
- DRAM—It is a volatile memory and requires power to retain data. DRAM is included in an SSD to increase its read/write performance.
- Host interface—Based on performance requirements, various host interfaces are used in SSDs. Commonly used SSD host interfaces include Serial Advanced Technology Attachment (SATA), Peripheral Component Interconnect Express (PCIe), and SCSI.
- Disk Interfaces:
- ATA/PATA (IDE/EIDE): ATA (Advanced Technology Attachment) is the official ANSI (American National Standards Institute) name of Integrated Drive Electronics (IDE), a standard interface between a motherboard’s data bus and storage disks
- Serial ATA/ SATA (AHCI): It is an advancement of ATA and uses serial signaling, unlike IDE’s parallel signaling
- SAS (Serial Attached SCSI): is the successor and an advanced alternative to parallel SCSI in enterprise environments
- PCIe SSD: A PCIe (Peripheral Component Interconnect Express) SSD is a high-speed serial expansion card that integrates flash directly into the motherboard
- SCSI (Small Computer System Interface) refers to a set of ANSI standard interfaces based on the parallel bus structure and designed to connect multiple peripherals to a computer
- Logical Structure of a Disk
- Clusters:
- A cluster is the smallest logical storage unit on a hard disk
- It consists of a set of sectors, from 2 to 32 or more per cluster, depending on the formatting scheme in use
- The file system divides the storage on a disk volume into discrete chunks of data for efficient disk usage and performance. These chunks are called clusters
- The process by which files are allocated to clusters is called allocation; therefore, clusters are also known as allocation units.
- In the File Allocation Table (FAT) file system, the clusters linked with a file keep track of file data in the hard disk's file allocation table
- Cluster Size:
- Cluster sizing has a significant impact on the performance of an OS and disk utilization
- Cluster size can be altered for optimum disk storage
- The size of a cluster depends on the size of the disk partition and type of file system installed on the partition
- A large cluster size (greater than one sector) has the following effects:
- Minimizes the fragmentation problem
- Increases the probability of unused space in the cluster
- Reduces the disk storage area in which information can be saved
- Reduces the unused area on the disk
- Lost Clusters:
- When the OS marks clusters as used but does not allocate them to any file, such clusters are known as lost clusters
- A lost cluster is a FAT file system error that results from the manner in which the FAT file system allocates space and chains files together
- It is mainly the result of a logical structure error and not a physical disk error
- They usually occur because of interrupted file activities caused when, for example, a file is not properly closed; thus, the clusters involved in such activity are never linked correctly to a file
- CHKDSK is a system tool in Windows that authenticates the file system reliability of a volume and repairs logical file system errors
- Slack Space:
- Slack space is the storage area of a disk between the end of a file and the end of a cluster
- If the file size is less than the cluster size, a full cluster is still assigned to that file. The remaining unused space is called slack space.
- File Slack Types:
- RAM slack: RAM slack is the data storage space that starts from the end of a file to the end of the last sector of the file
- Drive slack: Drive slack is the data storage space that starts from the end of the last sector of a file to the end of the last cluster of the file
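Worked arithmetic for the cluster-size and slack-space points above, as an added example that is not part of the original notes; the 512-byte sector, the cluster sizes and the file sizes are constructed values:

```python
from dataclasses import dataclass

SECTOR_SIZE = 512   # bytes per sector (assumed: traditional 512-byte sectors)


@dataclass
class SlackReport:
    file_size: int
    cluster_size: int
    clusters_allocated: int
    ram_slack: int     # end of file data -> end of the last sector holding file data
    drive_slack: int   # end of that last sector -> end of the last cluster of the file
    total_slack: int


def slack_for_file(file_size: int, cluster_size: int, sector_size: int = SECTOR_SIZE) -> SlackReport:
    """Lay out a file on clusters and split its slack into RAM slack and drive slack."""
    if cluster_size <= 0 or cluster_size % sector_size:
        raise ValueError("cluster size must be a positive multiple of the sector size")
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    clusters = -(-file_size // cluster_size)       # ceiling division
    if clusters == 0:                              # empty file: no data cluster, so no slack
        return SlackReport(file_size, cluster_size, 0, 0, 0, 0)
    sectors_used = -(-file_size // sector_size)    # sectors that actually receive file data
    ram_slack = sectors_used * sector_size - file_size
    drive_slack = clusters * cluster_size - sectors_used * sector_size
    return SlackReport(file_size, cluster_size, clusters, ram_slack, drive_slack, ram_slack + drive_slack)


def volume_usage(file_sizes, cluster_size: int, sector_size: int = SECTOR_SIZE) -> tuple:
    """Total bytes allocated and total slack for a set of files at one cluster size."""
    reports = [slack_for_file(s, cluster_size, sector_size) for s in file_sizes]
    allocated = sum(r.clusters_allocated * r.cluster_size for r in reports)
    return allocated, sum(r.total_slack for r in reports)


# Constructed sample: five files, compared across cluster sizes a formatter might choose
SAMPLE_FILES = [1500, 4096, 5000, 0, 100]

if __name__ == "__main__":
    r = slack_for_file(1500, 4096)
    print(f"1500-byte file in a 4096-byte cluster: RAM slack {r.ram_slack} B, "
          f"drive slack {r.drive_slack} B, total {r.total_slack} B")
    for cs in (512, 2048, 4096, 32768):
        alloc, slack = volume_usage(SAMPLE_FILES, cs)
        print(f"cluster {cs:>5} B: allocated {alloc:>6} B, slack {slack:>6} B")
```

Larger clusters reduce the cluster count (less fragmentation) while the slack, where remnants of earlier files can survive, grows.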
- Master Boot Record (MBR)
- A master boot record (MBR) is the first sector ("sector zero") of a data storage device such as a hard disk
- The information regarding the files on the disk, their locations and sizes, and other important data is stored in the MBR file
- In practice, MBR almost always refers to the 512-byte boot sector (or partition sector) of a disk
- MBR is used for the following:
- Holding a partition table which refers to the partitions of a hard disk
- Bootstrapping an OS
- Distinctively recognizing individual hard disk media with a 32-bit disk signature
- The MBR consists of the following structures:
- Partition Table
- Master Boot Code
- Examines the partition table to find the active partition
- Locates the first sector of the active partition
- Loads a boot sector copy from the active partition into memory
- Transfers control to the executable code in the boot sector
- Structure of a Master Boot Record
- Master Boot Code or Boot Strap: Executable code responsible for loading the OS into computer memory; it occupies a 446-byte data structure.
- Partition Table: Maintains the data of all the hard disk partitions in a 64-byte data structure
- Disk Signature: Located at the end of the MBR and contains only 2 bytes of data. It is required by the BIOS during booting.
- Backing up MBR
- `dd if=/dev/xxx of=mbr.backup bs=512 count=1`
- Restoring MBR
- `dd if=mbr.backup of=/dev/xxx bs=512 count=1`
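To tie the CHS addressing and the MBR layout together, here is an added parser (not from the notes or the course) for a 512-byte image such as the `mbr.backup` produced by the `dd` command above; the sample MBR bytes, the 0xDEADBEEF disk signature and the 16-head/63-sector geometry are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

BOOT_CODE_LEN = 446        # master boot code (bootstrap): bytes 0..445
DISK_SIG_OFFSET = 440      # the 32-bit disk signature sits in the tail of the boot code area
PART_TABLE_OFFSET = 446    # four 16-byte partition entries: bytes 446..509
PART_ENTRY_LEN = 16
BOOT_SIG_OFFSET = 510      # final 2 bytes, 55 AA on disk (0xAA55 read little-endian)
BOOT_SIGNATURE = 0xAA55


@dataclass(frozen=True)
class Geometry:
    heads: int     # heads per cylinder (platter sides)
    sectors: int   # sectors per track


@dataclass
class PartitionEntry:
    slot: int
    bootable: bool
    type_id: int
    start_chs: tuple
    end_chs: tuple
    start_lba: int
    sector_count: int


def decode_chs(raw: bytes) -> tuple:
    """3-byte packed CHS: head; sector (low 6 bits) + two high cylinder bits; low 8 cylinder bits."""
    return ((raw[1] & 0xC0) << 2) | raw[2], raw[0], raw[1] & 0x3F


def encode_chs(c: int, h: int, s: int) -> bytes:
    """Inverse of decode_chs (cylinder up to 1023, head up to 255, sector 1..63)."""
    return bytes([h & 0xFF, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])


def chs_to_lba(c: int, h: int, s: int, geo: Geometry) -> int:
    """CHS to logical block address; cylinders and heads count from 0, sectors from 1."""
    if not (1 <= s <= geo.sectors) or not (0 <= h < geo.heads):
        raise ValueError("CHS address lies outside the given geometry")
    return (c * geo.heads + h) * geo.sectors + (s - 1)


def lba_to_chs(lba: int, geo: Geometry) -> tuple:
    c, rem = divmod(lba, geo.heads * geo.sectors)
    h, s = divmod(rem, geo.sectors)
    return c, h, s + 1


def disk_capacity_bytes(cylinders: int, geo: Geometry, sector_size: int = 512) -> int:
    """Capacity = cylinders x heads x sectors per track x bytes per sector."""
    return cylinders * geo.heads * geo.sectors * sector_size


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR image into boot code, disk signature and partition table."""
    if len(mbr) != 512:
        raise ValueError("an MBR image is exactly one 512-byte sector")
    sig = struct.unpack_from("<H", mbr, BOOT_SIG_OFFSET)[0]
    if sig != BOOT_SIGNATURE:
        raise ValueError(f"boot signature 0x{sig:04X} is not 0xAA55")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_LEN
        e = mbr[off:off + PART_ENTRY_LEN]
        if not any(e):
            continue   # an all-zero entry is an empty slot
        start_lba, count = struct.unpack_from("<II", e, 8)
        partitions.append(PartitionEntry(slot, e[0] == 0x80, e[4], decode_chs(e[1:4]),
                                         decode_chs(e[5:8]), start_lba, count))
    return {"boot_code": mbr[:BOOT_CODE_LEN],
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
            "partitions": partitions}


def chs_matches_lba(p: PartitionEntry, geo: Geometry) -> bool:
    """Cross-check: CHS start/end should agree with the LBA fields under the assumed geometry."""
    start_ok = chs_to_lba(*p.start_chs, geo) == p.start_lba
    end_ok = chs_to_lba(*p.end_chs, geo) == p.start_lba + p.sector_count - 1
    return start_ok and end_ok


def build_sample_mbr(geo: Geometry) -> bytes:
    """Constructed MBR image (not from a real disk): two partitions, disk signature 0xDEADBEEF."""
    def entry(bootable, type_id, start_lba, count):
        end_lba = start_lba + count - 1
        return (bytes([0x80 if bootable else 0x00]) + encode_chs(*lba_to_chs(start_lba, geo))
                + bytes([type_id]) + encode_chs(*lba_to_chs(end_lba, geo))
                + struct.pack("<II", start_lba, count))
    table = entry(True, 0x07, 63, 10080) + entry(False, 0x83, 10143, 5040) + b"\x00" * 32
    return b"\x00" * DISK_SIG_OFFSET + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00" + table + b"\x55\xAA"
```

Feed `parse_mbr` the bytes of a real `mbr.backup` to list its partitions; `disk_capacity_bytes(16383, Geometry(16, 63))` reproduces the classic 8.4 GB CHS limit.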
- Disk Partitions:
- Disk partitioning is the creation of logical divisions on a storage device (HDD/SSD) to allow the user to apply OS-specific logical formatting
- The disk-partitioning process is the same for both HDDs and SSDs
- Primary partition:
- It is the drive that holds information regarding the OS, the system area, and other information required for booting.
- In MS-DOS and earlier versions of Microsoft Windows systems, the first partition (C:) must be a primary partition.
- Extended partition:
- It is the logical drive that holds information regarding the data and files stored on the disk.
- BIOS Parameter Block (BPB)
- The BIOS parameter block (BPB) is a data structure in the partition boot sector
- It describes the physical layout of a data storage volume, such as the number of heads and the size of the tracks on the drive
- BPB in file systems such as FAT12 (except in DOS 1.x), FAT16, FAT32, HPFS (High Performance File System), and NTFS (New Technology File System) defines the filesystem structure
- The BPB length varies for FAT16, FAT32, and NTFS boot sectors due to different types of fields and the amount of data stored in them
- The BPB helps investigators locate the file table on the hard drive
- Globally Unique Identifier (GUID): A GUID is a 128-bit unique number generated by the Windows OS to identify a specific device, document, database entry, and/or user. GUIDs are generally displayed as 32 hexadecimal digits in hyphen-separated groups.
- Common Uses:
- In Windows Registry, GUIDs are used to identify COM (Component Object Model) DLLs (dynamic-link libraries)
- In database tables, GUIDs are used as primary key values
- In some instances, a website may assign a GUID to a user’s browser to record and track the session
- Windows assigns a GUID to a username to identify user accounts
- GUID Partition Table (GPT)
- Unified Extensible Firmware Interface (UEFI) replaces legacy BIOS firmware interfaces
- UEFI is a specification that defines a software interface between an OS and platform firmware
- It uses a partition system known as GUID Partition Table (GPT), which replaces the traditional MBR
- Advantages of the GPT disk layout:
- Supports a maximum partition size ranging from 2 Tebibytes (TiB) to 8 Zebibytes (ZiB)
- It allows users to have 128 partitions in Windows using the GPT partition layout
- GPT partition and boot data are more secure than MBR because GPT stores data in multiple locations across a disk
- Provides primary and backup partition tables for redundancy
- It uses cyclic redundancy checks (CRCs) to ensure data integrity
- Uses CRC32 checksums that detect errors in the header and partition table
- Booting Process of Windows, Linux, and Mac Operating Systems
- What is the Booting Process?
- Booting refers to the process of starting or restarting the OS when the user turns on a computer system
- It loads the OS (stored in the hard disk) to the RAM (working memory)
- Types of Booting:
- Cold boot (Hard boot): This process occurs when the user first turns on the computer. Also called hard booting, it is required after the user completely cuts the power supply to the system.
- Warm boot (Soft boot): It is the process of restarting a computer that is already turned on. A warm boot might occur when the system encounters a program error or requires a restart to make certain changes after installing a program, etc.
- Essential Windows System Files:

| File | Role |
| --- | --- |
| Ntoskrnl.exe | Executive and kernel |
| Ntkrnlpa.exe | Executive and kernel with support for Physical Address Extension (PAE) |
| Hal.dll | Hardware abstraction layer |
| Win32k.sys | Kernel-mode part of the Win32 subsystem |
| Ntdll.dll | Internal support functions and system service dispatch stubs to executive functions |
| Kernel32.dll | Win32 subsystem DLL file |
| Advapi32.dll | Win32 subsystem DLL file |
| User32.dll | Win32 subsystem DLL file |
| Gdi32.dll | Win32 subsystem DLL file |
- Windows Boot Process: BIOS-MBR Method
- Windows XP, Vista, and 7 OSes power on and start up using the traditional BIOS-MBR method
- OSes starting from Windows 8 and above use either the traditional BIOS-MBR method or newer UEFI-GPT method according to the user’s choice
- When the user switches the system ON, the CPU sends a Power Good signal to the motherboard and checks for the computer’s BIOS firmware
- BIOS starts a power-on self-test (POST), which checks whether all the hardware required for system boot is available and loads all the firmware settings from non-volatile memory on the motherboard
- If POST is successful, add-on adapters perform a self-test for integration with the system
- The pre-boot process is complete when POST detects a valid system boot disk
- After POST, the computer’s firmware scans the boot disk and loads the master boot record (MBR), which searches for basic boot information in Boot Configuration Data (BCD)
- MBR triggers Bootmgr.exe, which locates the Windows loader (Winload.exe) on the Windows boot partition and triggers Winload.exe
- The Windows loader loads the OS kernel ntoskrnl.exe
- Once the Kernel starts running, the Windows loader loads hal.dll, boot-class device drivers marked as BOOT_START, and the SYSTEM registry hive into the memory
- The kernel passes the control of the boot process to the Session Manager Process (SMSS.exe), which loads all other registry hives and drivers required to configure the Win32 subsystem run environment
- The Session Manager Process triggers Winlogon.exe, which presents the user login screen for user authorization
- The Session Manager Process initiates the Service Control Manager, which starts all the services, the rest of the non-essential device drivers, the security subsystem LSASS.EXE, and Group Policy scripts
- Once user logs in, Windows creates a session for the user
- The Service Control Manager starts explorer.exe and initiates the Desktop Window Manager (DWM) process, which initializes the desktop for the user
- Identifying the MBR Partition
- Windows Boot Process: UEFI-GPT
- Security phase
- Pre-EFI initialization phase
- Driver Execution Environment phase
- Boot Device Selection phase
- Runtime phase
- Identifying the GUID Partition Table (GPT)
- Get-GPT
- It parses the GPT data structure contained within the first few sectors of the device specified
- It requires the use of the `-Path` parameter, which takes the Win32 device namespace (e.g., `\\.\PHYSICALDRIVE1`) for the device from which the GPT should be parsed
- If Get-GPT is run against a disk formatted with an MBR, it will throw an error prompting to use Get-MBR instead
- Alternate Method:
- Open the “Computer Management” application and click “Disk Management” in the left pane. Right-click the primary disk (here, Disk 0) and then click Properties.
- In the Device Properties window, click the “Volumes” tab to view the partition style.
- Investigators can also use the cmdlets given below in Windows PowerShell to identify the presence of GPT:
- Get-BootSector
- It reviews the hard drive's first sector and determines if the disk is formatted using the MBR or GPT partitioning scheme; once done, it acts just as Get-MBR or Get-GPT would, respectively
- Get-PartitionTable
- Analyzing the GPT Header and Entries
- Most OSes that support GPT disk access provide a basic partitioning tool, which displays details about GPTs
- Example: DiskPart tool (Windows), OS X Disk utility (Mac), GNU Parted tool (Linux)
- Sleuthkit (mmls command) can be used to view the detailed partition layout for a GPT disk
- Alternatively, details about the GPT header and partition entries can be obtained via manual analysis using a hex editor
- GPT Artifacts
- Deleted and Overwritten GUID Partitions
- Case 1:
- If the MBR disk is repartitioned or converted to GPT, then sector zero will be generally overwritten with a protective MBR
- To recover data from previously MBR-partitioned volumes, investigators can use standard forensic methods used to perform an extensive search for file systems
- Case 2:
- If the GPT disk is repartitioned or converted to MBR, then the GPT header and tables may remain intact based on the tool used
- Implementation of general partition deletion tools on a GPT disk might only delete the protective MBR, which can be recreated by simply reconstructing the disk
- As per UEFI specifications, if all the fields in a partition entry are zeroed, it implies that the entry is not in use. In this case, data recovery from deleted GUID partition entries is not possible
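The manual header and entry analysis described above, as an added example that is not part of the original notes: it parses a GPT header and partition array, verifies both CRC32 values, skips all-zero (unused) entries and decodes the mixed-endian GUIDs. The disk GUID, partition GUIDs and LBA ranges in the sample are constructed; only the three partition type GUIDs are real published values.

```python
import struct
import uuid
import zlib
from dataclasses import dataclass

HEADER_FMT = "<8sIIII4Q16sQIII"            # 92-byte GPT header at LBA 1 (backup copy at the last LBA)
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 92
ENTRY_FMT = "<16s16sQQQ72s"                # 128-byte partition entry
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 128
GPT_SIGNATURE = b"EFI PART"

# Published partition type GUIDs (UEFI spec, Microsoft, Linux)
KNOWN_TYPES = {
    uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B"): "EFI System",
    uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7"): "Microsoft basic data",
    uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4"): "Linux filesystem",
}


@dataclass
class GptEntry:
    index: int
    type_guid: uuid.UUID
    unique_guid: uuid.UUID
    first_lba: int
    last_lba: int
    attributes: int
    name: str

    @property
    def type_name(self) -> str:
        return KNOWN_TYPES.get(self.type_guid, "unknown")


def guid_from_disk(raw: bytes) -> uuid.UUID:
    """On disk the first three GUID fields are little-endian, the last two big-endian."""
    return uuid.UUID(bytes_le=raw)


def build_entry(type_guid, unique_guid, first_lba, last_lba, name, attributes=0) -> bytes:
    return struct.pack(ENTRY_FMT, type_guid.bytes_le, unique_guid.bytes_le, first_lba, last_lba,
                       attributes, name.encode("utf-16-le").ljust(72, b"\x00"))


def build_header(disk_guid, array, n_entries, current_lba=1, backup_lba=2047,
                 first_usable=34, last_usable=2014, entries_lba=2) -> bytes:
    fields = [GPT_SIGNATURE, 0x00010000, HEADER_SIZE, 0, 0, current_lba, backup_lba,
              first_usable, last_usable, disk_guid.bytes_le, entries_lba, n_entries,
              ENTRY_SIZE, zlib.crc32(array[:n_entries * ENTRY_SIZE])]
    # The header CRC32 is computed over the header with its own CRC field zeroed
    fields[3] = zlib.crc32(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields)


def parse_gpt(header: bytes, array: bytes) -> dict:
    """Decode a GPT header and its partition array, checking both CRC32 values."""
    (sig, revision, hdr_size, hdr_crc, _reserved, cur, bak, first_u, last_u, dguid,
     ent_lba, n_ent, ent_sz, arr_crc) = struct.unpack(HEADER_FMT, header[:HEADER_SIZE])
    if sig != GPT_SIGNATURE:
        raise ValueError("no 'EFI PART' signature: not a GPT header (MBR-only disk?)")
    zeroed = header[:16] + b"\x00" * 4 + header[20:hdr_size]
    header_ok = zlib.crc32(zeroed) == hdr_crc
    array_ok = zlib.crc32(array[:n_ent * ent_sz]) == arr_crc
    entries = []
    for i in range(n_ent):
        raw = array[i * ent_sz:(i + 1) * ent_sz]
        if not any(raw):
            continue   # all fields zero: per the UEFI spec the entry is not in use
        t, u, first, last, attrs, name = struct.unpack(ENTRY_FMT, raw[:ENTRY_SIZE])
        entries.append(GptEntry(i, guid_from_disk(t), guid_from_disk(u), first, last, attrs,
                                name.decode("utf-16-le").rstrip("\x00")))
    return {"revision": revision, "header_crc_ok": header_ok, "array_crc_ok": array_ok,
            "current_lba": cur, "backup_lba": bak, "first_usable": first_u,
            "last_usable": last_u, "disk_guid": guid_from_disk(dguid),
            "entries_lba": ent_lba, "entries": entries}


def build_sample_gpt() -> tuple:
    """Constructed header + 128-entry array (not from a real disk): an ESP and a Linux root."""
    disk_guid = uuid.UUID("5a3f1c2e-9b7d-4e61-8a10-0123456789ab")
    esp = build_entry(uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B"),
                      uuid.UUID("11111111-2222-4333-8444-555555555555"), 34, 1057, "EFI System Partition")
    root = build_entry(uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4"),
                       uuid.UUID("66666666-7777-1888-9999-aaaaaaaaaaaa"), 1058, 2014, "rootfs")
    array = (esp + root).ljust(128 * ENTRY_SIZE, b"\x00")
    return build_header(disk_guid, array, 128), array
```

On a real image, pass LBA 1 as `header` and the 32 sectors starting at `entries_lba` as `array`; the `.version` attribute of each decoded `uuid.UUID` gives the GUID version the notes mention decoding.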
- GUID Identifiers
- The GPT scheme provides GUIDs of investigative value as they are unique and hold potentially useful information within them
- GUIDs possess unique identifying information for both disks and individual partitions
- Investigators can use tools such as uuid to decode various versions of GUID/UUID
- Hidden Information on GPT Disks
- Intruders may hide data on GPT disks just as they do on traditional MBR disks
- Locations on GPT disks where data may be hidden are inter-partition gaps, unpartitioned space towards the end of the disk, GPT header, and reserved areas
- Current forensic methods and tools to perform GPT analysis are unsatisfactory
- Macintosh Boot Process
- The Macintosh boot process starts with the activation of BootROM, which initializes system hardware and selects an OS to run
- Once the Macintosh system is powered on, BootROM performs POST to test some hardware interfaces required for startup
- On PowerPC-based Macintosh computers, Open Firmware initializes the rest of the hardware interfaces
- On Intel-based Macintosh computers, EFI initializes the rest of the hardware interfaces
- After initializing the hardware interfaces, the system selects the OS
- If the system contains multiple OSes, then it allows the user to choose a particular OS by holding down the Option key
- Once the BootROM operation is completed, the control passes to the BootX (PowerPC) or boot.efi (Intel) boot loader, which is located in the /System/Library/CoreServices directory
- The boot loader loads a pre-linked version of the kernel located at /System/Library/Caches/com.apple.kernelcaches
- If the pre-linked kernel is missing, the boot loader attempts to load the mkext cache file, which contains a set of device drivers
- If the mkext cache file is also missing, the boot loader searches for drivers in the /System/Library/Extensions directory
- Once the essential drivers are loaded, the boot loader starts the initialization of the kernel, Mach, and BSD data structures, as well as the I/O kit
- The I/O kit uses the device tree to link the loaded drivers to the kernel
- The launchd process, which has replaced the mach_init process, runs startup items and prepares the system for the user
- Linux Boot Process
- BIOS Stage
- Bootloader Stage
- Kernel Stage
- File Systems of Windows, Linux, and Mac Operating Systems
- Windows File Systems
- File Allocation Table (FAT)
- The FAT file system is used with DOS, and it was the first file system used with the Windows OS
- It is named for its method of organization, the file allocation table, which resides at the beginning of the volume
- FAT has three versions (FAT12, FAT16, and FAT32), which differ in terms of the size of the entries in the FAT structure
- New Technology File System (NTFS)
- NTFS is the standard file system of Windows NT and its descendants Windows XP, Vista, 7, 8.1, 10, Server 2003, Server 2008, Server 2012, Server 2016, and Server 2019
- From Windows NT 3.1 onwards, it is the default file system of the Windows NT family
- It has several improvements over FAT such as improved support for metadata and the use of advanced data structures to improve performance, reliability, and disk-space utilization, as well as additional extensions such as security access-control lists and file system journaling
- Features of NTFS:
- NTFS uses the b-tree directory scheme to store information about file clusters
- NTFS stores the information about a file’s clusters and other data within the cluster
- NTFS supports files of size up to approximately 16 billion bytes
- An access-control list (ACL) allows the server administrator to access specific files
- NTFS features integrated file compression
- NTFS provides data security on both removable and fixed disks
- NTFS Architecture
- Hard disk
- Master Boot Record
- Boot sector: Also known as volume boot record (VBR)
- Ntldr.dll: As the boot loader, it accesses the NTFS file system and loads the contents of the boot.ini file
- Ntfs.sys
- Kernel mode
- User mode
- NTFS System Files:

| File | Description |
| --- | --- |
| $attrdef | Contains definitions of all system- and user-defined attributes of the volume |
| $badclus | Contains all the bad clusters |
| $bitmap | Contains the bitmap for the entire volume |
| $boot | Contains the volume's bootstrap |
| $logfile | Used for recovery purposes |
| $mft | Contains a record for every file |
| $mftmirr | Mirror of the MFT used for recovering files |
| $quota | Indicates the disk quota for each user |
| $upcase | Converts characters into uppercase Unicode |
| $volume | Contains the volume name and version number |
- Encrypting File Systems (EFS)
- Encrypting File System (EFS) was first introduced in version 3.0 of NTFS and offers file system-level encryption
- This encryption technology maintains a level of transparency to the user who encrypted the file, which means there is no need for users to decrypt the file to access it to make changes
- After a user is done with the file, the encryption policy is automatically restored
- When any unauthorized user tries to access an encrypted file, they are denied access
- To enable the encryption and decryption facilities, a user must set the encryption attributes of the files and folders they wish to encrypt or decrypt
- Components of EFS:
- EFS Service
- EFS Driver
- CryptoAPI
- EFS FSRTL
- Win32 API
- Sparse Files
- Sparse files provide a method of saving disk space for files by allowing the I/O subsystem to allocate only meaningful (nonzero) data
- If NTFS marks a file as sparse, it assigns a hard disk cluster only for the data defined by the application
- Non-defined data of the file are represented by non-allocated space on the disk
- Linux File Systems
- Linux File System Architecture
- User space
- Kernel space
- Filesystem Hierarchy Standard (FHS): Some Linux file-system types are Minix, Filesystem Hierarchy Standard (FHS), ext, ext2, ext3, xia, MS-DOS, UMSDOS, VFAT, /proc, NFS, ISO 9660, HPFS, SysV, SMB, and NCPFS. Minix was Linux’s first file system.
- The Filesystem Hierarchy Standard (FHS) defines the directory structure and its contents in Linux and Unix-like OSes
- In FHS, all files and directories are present under the root directory (represented by /)

| Directory | Contents |
| --- | --- |
| /bin | Essential command binaries; e.g., cat, ls, cp |
| /boot | Static files of the boot loader; e.g., kernels, initrd |
| /dev | Essential device files; e.g., /dev/null |
| /etc | Host-specific system configuration files |
| /home | Users' home directories, which hold saved files, personal settings, etc. |
| /lib | Essential libraries for the binaries in /bin/ and /sbin/ |
| /media | Mount points for removable media |
| /mnt | Temporarily mounted file systems |
| /opt | Add-on application software packages |
| /root | Home directory for the root user |
| /proc | Virtual file system providing process and kernel information as files |
| /run | Information about running processes; e.g., running daemons, currently logged-in users |
| /sbin | Contains the binary files required for working |
| /srv | Site-specific data for services provided by the system |
| /tmp | Temporary files |
| /usr | Secondary hierarchy for read-only user data |
| /var | Variable data; e.g., logs, spool files, etc. |
- Extended File System (ext)
- The extended file system (ext) is the first file system for the Linux OS to overcome certain limitations of the Minix file system
- It has a maximum partition size of 2 GB and a maximum filename size of 255 characters
- It removes the two major Minix file system limitations: a maximum partition size of 64 MB and short filenames
- The major limitation of this file system is that it does not support separate access, inode modification, and data-modification timestamps
- It was replaced by the second extended file system (ext2)
- Second Extended File System (ext2)
- ext2 is a standard file system that uses improved algorithms compared to ext, which greatly enhances its speed; further, it maintains additional time stamps
- It maintains a special field in the superblock that keeps track of the file system status and identifies it as either clean or dirty
- Its major shortcomings are the risk of file system corruption when writing to ext2, and the lack of journaling
- Superblock: A superblock stores information about the size and shape of the ext2 file system.
- Magic number: It allows the mounting software to verify the Superblock for the ext2 file system. For the present ext2 version, it is 0xEF53.
- Revision level: The major and minor revision levels allow the mounting code to determine whether a file system supports features that are only available in particular revisions of the file system. There are also feature compatibility fields that help the mounting code in determining which new features can safely be used on the file system.
- Mount count and maximum mount count: Together, these allow the system to determine if it needs to fully check the file system. The mount count is incremented each time the system mounts the file system. When the mount count reaches the maximum mount count, the warning message “maximal mount count reached, running e2fsck is recommended” is displayed.
- Block group number: It is the block-group number containing the superblock copy
- Block size: It contains information on the size of a block for the file system in bytes
- Blocks per group: It is a fixed number equal to the number of blocks in a group
- Free blocks: It is the number of free blocks in the file system
- Free inodes: It is the number of free inodes in the file system
- First inode: It is the inode number of the first inode of the file system
- Group Descriptor
- Block bitmap: It is the block number of the block allocation bitmap for the block group. It is used in block allocation and deallocation.
- Inode bitmap: It is the block number of the inode allocation bitmap for the block group. It is used in inode allocation and deallocation.
- Inode table: It is the block number of the starting block for the inode table for the block group
- Free block count, free inode count, and used directory count: All the group descriptors together constitute the group descriptor table. Every block group has the whole group descriptor table.
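An added example (not from the notes) that decodes the superblock fields and group-descriptor fields listed above from constructed bytes and applies the mount-count rule behind the e2fsck warning; the sample volume (8192 one-KiB blocks, volume name evidence01) is constructed.

```python
import struct
from dataclasses import dataclass

SUPERBLOCK_OFFSET = 1024   # the primary superblock starts 1024 bytes into the partition
SUPERBLOCK_LEN = 1024
EXT2_MAGIC = 0xEF53
EXT2_VALID_FS = 1          # s_state: cleanly unmounted
EXT2_ERROR_FS = 2          # s_state: errors detected (dirty)
GROUP_DESC_LEN = 32


@dataclass
class Superblock:
    inodes_count: int
    blocks_count: int
    free_blocks: int
    free_inodes: int
    first_data_block: int
    block_size: int
    blocks_per_group: int
    inodes_per_group: int
    mount_count: int
    max_mount_count: int
    state: int
    rev_level: int
    minor_rev_level: int
    first_inode: int
    inode_size: int
    block_group_nr: int
    volume_name: str


@dataclass
class GroupDescriptor:
    block_bitmap: int
    inode_bitmap: int
    inode_table: int
    free_blocks: int
    free_inodes: int
    used_dirs: int


def parse_superblock(sb: bytes) -> Superblock:
    """Decode the ext2 superblock fields discussed above (offsets from the ext2 on-disk layout)."""
    if len(sb) < SUPERBLOCK_LEN:
        raise ValueError("superblock is 1024 bytes")
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT2_MAGIC:
        raise ValueError(f"magic 0x{magic:04X} is not 0xEF53: not an ext2-family superblock")
    inodes, blocks, _reserved, free_b, free_i, first_data, log_bs = struct.unpack_from("<7I", sb, 0)
    blocks_pg, _frags_pg, inodes_pg = struct.unpack_from("<3I", sb, 32)
    mnt, max_mnt, _magic, state, _errors, minor = struct.unpack_from("<HhHHHH", sb, 52)
    rev = struct.unpack_from("<I", sb, 76)[0]
    first_ino, inode_size, bg_nr = struct.unpack_from("<IHH", sb, 84)
    if rev == 0:   # revision 0 uses fixed values; the two fields are not meaningful
        first_ino, inode_size = 11, 128
    name = sb[120:136].split(b"\x00")[0].decode("ascii", "replace")
    return Superblock(inodes, blocks, free_b, free_i, first_data, 1024 << log_bs, blocks_pg,
                      inodes_pg, mnt, max_mnt, state, rev, minor, first_ino, inode_size, bg_nr, name)


def needs_full_check(sb: Superblock) -> bool:
    """The rule behind 'maximal mount count reached, running e2fsck is recommended':
    a dirty state, or mount count at/over the maximum (a maximum of -1 or 0 disables it)."""
    if sb.state != EXT2_VALID_FS:
        return True
    return sb.max_mount_count > 0 and sb.mount_count >= sb.max_mount_count


def group_count(sb: Superblock) -> int:
    return -(-(sb.blocks_count - sb.first_data_block) // sb.blocks_per_group)


def group_descriptor_table_offset(sb: Superblock) -> int:
    """The group descriptor table occupies the block right after the superblock's block."""
    return (sb.first_data_block + 1) * sb.block_size


def parse_group_descriptors(table: bytes, n_groups: int) -> list:
    return [GroupDescriptor(*struct.unpack_from("<IIIHHH", table, i * GROUP_DESC_LEN))
            for i in range(n_groups)]


def build_sample_superblock(mount_count=3, max_mount_count=20, state=EXT2_VALID_FS) -> bytes:
    """Constructed 1 KiB-block ext2 superblock (not from a real image): 8192 blocks, one group."""
    sb = bytearray(SUPERBLOCK_LEN)
    struct.pack_into("<7I", sb, 0, 2048, 8192, 409, 7000, 2037, 1, 0)   # counts, first data block, log block size
    struct.pack_into("<3I", sb, 32, 8192, 8192, 2048)                   # blocks/frags/inodes per group
    struct.pack_into("<HhHHHH", sb, 52, mount_count, max_mount_count, EXT2_MAGIC, state, 1, 0)
    struct.pack_into("<I", sb, 76, 1)                                   # dynamic revision
    struct.pack_into("<IHH", sb, 84, 11, 128, 0)                        # first inode, inode size, group nr
    sb[120:130] = b"evidence01"
    return bytes(sb)


# Constructed group descriptor for the single block group of the sample volume
SAMPLE_GROUP_TABLE = struct.pack("<IIIHHH", 3, 4, 5, 7000, 2037, 2).ljust(GROUP_DESC_LEN, b"\x00")
```

On a real partition image, `image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_LEN]` is the input to `parse_superblock`, and `group_descriptor_table_offset` tells you where to read the descriptors from.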
- Third Extended File System (ext3)
- ext3 is a journaling version of the ext2 file system and is widely used in the Linux OS
- It uses file system maintenance utilities (such as fsck) for maintenance and repair, as in the ext2 file system
- It is an enhanced version of the ext2 file system
- The following command converts an ext2 file system to ext3, where `<device>` stands for the block device holding the file system: `# /sbin/tune2fs -j <device>`
- Features of Ext3
- Data integrity: It provides stronger data integrity after unclean computer-system shutdowns. It allows the user to choose the type and level of protection for the received data.
- Speed: As the ext3 file system is a journaling file system, it has a higher throughput in most cases than ext2. The user can choose the optimized speed from three different journaling modes.
- Easy transition: The user can easily change the file system from ext2 to ext3 and increase the performance of the system by using the journaling file system without reformatting.
- Journaling File System
- Journaling file systems ensure data integrity on a computer
- These file systems consist of a journal that records all the information on the updates that are ready to be applied to the file system before they are applied. This mechanism is referred to as journaling.
- Journaling prevents data corruption by restoring the data on the hard disk to the state it existed in before the occurrence of a system crash or power failure. This helps the system to resume the completion of tasks or updates that were interrupted by an unexpected event.
- ext3, ext4, ZFS, and XFS are some of the examples of journaling file systems in Linux. Because of its stability, ext4 is the most commonly implemented file system on Linux systems.
- Fourth Extended File System (ext4)
- ext4 is a journaling file system developed as the replacement of the commonly used ext3 file system
- With the incorporation of new features, ext4 has significant advantages over ext3 and ext2 file systems, particularly in terms of performance, scalability, and reliability
- It supports Linux Kernel v2.6.19 onwards
- Key Features:
- File system size: ext4 supports individual files up to 16 TB and volumes up to about 1 EiB (exbibyte)
- Extents: It replaces the block mapping scheme found in ext2 and ext3 to increase performance and reduce fragmentation
- Delayed allocation: It improves performance and reduces fragmentation by effectively allocating larger amounts of data at a time by delaying allocation till the system flushes data to the disk
- Multiblock allocation: It allocates multiple files contiguously on a disk, thereby reducing the work of calling the block allocator and optimizing memory allocation
- Increased file system checking (fsck) speed: It marks unallocated block groups and sections and skips the marked elements while performing checks. Thus, it supports faster file system checking.
- Journal checksumming: It uses checksums in the journal to improve reliability
- Persistent pre-allocation: The file system can pre-allocate the on-disk space for a file by writing zeroes to it during creation
- Improved timestamps: It provides timestamps measured in nanoseconds and has support for date-created timestamps
- Backwards compatibility: The file system is backwards compatible and allows the user to mount ext3 and ext2 as ext4
- macOS File Systems
- UNIX File System (UFS)
- UFS is derived from the Berkeley Fast File System (FFS) that was originally developed at Bell Laboratories from the first version of UNIX FS
- All BSD UNIX derivatives including FreeBSD, NetBSD, OpenBSD, NeXTStep, and Solaris use a variant of UFS
- Hierarchical File System (HFS)
- Developed by Apple Computer, Inc. to support macOS
- HFS Plus
- HFS Plus (HFS+) is the successor to HFS and is used as the primary file system in Macintosh
- Apple File System (APFS)
- It is a proprietary file system developed by Apple Inc. for macOS 10.13 and later versions
- UNIX File System (UFS)
- A few blocks at the beginning of the partition are reserved for boot blocks, which must be initialized separately from the file system
- A superblock, including a magic number identifying the file system as UFS, and some other vital numbers describing this file system’s geometry, statistics, and behavioral tuning parameters
- A collection of cylinder groups, each of which has the following components:
- A backup copy of the superblock
- A cylinder group header with statistics, free lists, etc., which is similar to those in the superblock
- Numerous inodes, each containing file attributes
- Numerous data blocks
- Hierarchical File System Plus (HFS+)
- HFS+ is the successor to HFS and used as the primary file system in Macintosh
- It supports large files and uses Unicode for naming items (files and folders)
- It is also called macOS Extended (HFS Extended) and is one of the formats used in the Apple iPod
- The HFS Plus allows user to:
- Efficiently use hard disk space
- Use only international-friendly filenames
- Easily boot on non-Mac OSes
- The following are a few of the features added to HFS+:
- HFS+ uses B-tree to store data
- It uses 64-bit file lengths (file sizes)
- It permits filenames 255 characters in length
- It uses a 32-bit allocation table for the mapping table, unlike the 16-bit allocation table in HFS
- Apple File System (APFS)
- APFS (Apple File System) is a file system developed and introduced by Apple in 2017 for macOS High Sierra and later versions, as well as iOS 10.3 and later versions
- It replaced all the file systems previously used by Apple and is suitable for all Apple OSes, including iOS, watchOS, tvOS, and macOS
- The Apple File System (APFS) comprises two layers:
- The container layer: It organizes information on the file-system layer and stores higher-level information such as volume metadata, encryption state, and snapshots of the volume
- The file-system layer: It consists of data structures that store information such as file metadata, file content, and directory structures
- File System Examination
- File System Analysis Using Autopsy
- Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit (TSK) and other digital forensics tools
- It can be used to investigate activities on a computer
- Timeline analysis: Advanced graphical event viewing interface (video tutorial included)
- Hash filtering: Flags known bad files and ignores known good files
- Keyword search: Indexed keyword search to find files that mention relevant terms
- Web artifacts: Extracts history, bookmarks, and cookies from Firefox, Chrome, and Internet Explorer
- Data carving: Recovers deleted files from unallocated space using PhotoRec
- Multimedia: Extracts EXIF data from pictures and videos
- Indicators of compromise: Scans a computer using Structured Threat Information Expression (STIX)
- File System Analysis Using The Sleuth Kit (TSK)
- The Sleuth Kit (TSK) is a library and a collection of command-line tools that allow the investigation of volume and file system data
- The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion
- It supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks
- It analyzes raw (i.e. dd), Expert Witness (i.e. EnCase), and AFF file systems and disk images
- It supports the NTFS, FAT, ExFAT, UFS 1, UFS 2, ext2, ext3, ext4, HFS, ISO 9660, and YAFFS2 file systems
- Recovering Deleted Files from Hard Disks using WinHex https://x-ways.net
- WinHex is a hexadecimal editor, used for computer forensics, data recovery, low-level data processing, and IT security
- It is mainly used to inspect and edit all types of files and to recover deleted files or lost data from hard drives with corrupt file systems or from memory cards of digital cameras
- Features:
- Disk editor for hard disks, floppy disks, CD-ROMs, DVDs, ZIP files, SmartMedia cards, etc.
- Native support for FAT12/16/32, exFAT, NTFS, Ext2/3/4, Next3®, CDFS, and UDF
- Built-in interpretation of RAID systems and dynamic disks
- Various data recovery techniques
- RAM editor, providing access to physical RAM and virtual memory of other processes
- Data interpreter
- Editing data structures using templates
- Concatenating and splitting files; unifying and dividing odd and even bytes/words
- Analyzing and comparing files
- Flexible search and replace
- Disk cloning
- Drive images and backups
- Application programming interface (API) and scripting
- 256-bit AES encryption, checksums, CRC32, hashes (MD5, SHA-1, etc.)
- Securely erasing (wiping) confidential files and cleansing hard drives
- Importing from all clipboard formats, including ASCII hex values
# Module 04: Data Acquisition and Duplication
- Data Acquisition Fundamentals
- Data acquisition is the use of established methods to extract Electronically Stored Information (ESI) from a suspect computer or storage media to gain insight into a crime or an incident
- Investigators must be able to verify the accuracy of the acquired data, and the complete process should be auditable and acceptable in court
- Data Acquisition Categories
- Live Acquisition: It involves collecting data from a system that is powered ON
- Dead Acquisition (Static Acquisition): It involves collecting data from a system that is powered OFF
- Live Acquisition
- Live data acquisition involves collecting volatile data from a live system
- Volatile information assists in determining the logical timeline of the security incident, and the possible users responsible
- Live acquisition can then be followed by static/dead acquisition, where an investigator shuts down the suspect machine, removes the hard disk and then acquires its forensic image
- Types of data captured during live acquisition
- System Data
- Current configuration
- Running state
- Date and time
- Current system uptime
- Running processes
- Logged on users
- DLLs or shared libraries
- Swap files and temp files
- Network Data
- Routing tables
- ARP cache
- Network configuration
- Network connections
- Order of Volatility: When collecting evidence, an investigator needs to evaluate the order of volatility of data depending on the suspect machine and the situation
- According to RFC 3227, the following is an example of the order of volatility for a typical system:
- Registers, processor cache: The information in the registers or the processor cache on the computer exists for nanoseconds. It is constantly changing and can be classified as the most volatile data.
- Routing table, process table, kernel statistics, and memory: The routing table, ARP cache, and kernel statistics reside in the ordinary memory of the computer. These are slightly less volatile than the information in the registers, with a life span of about ten nanoseconds.
- Temporary system files: Temporary system files tend to persist for a longer time on the computer compared to routing tables and ARP caches. These files are eventually overwritten or changed, sometimes within seconds or minutes.
- Disk or other storage media: Anything stored on a disk stays for a while. However, due to unforeseen events, this data can sometimes be erased or overwritten. Therefore, disk data may also be considered somewhat volatile, with a lifespan of some minutes.
- Remote logging and monitoring data related to the target system: Data passing through a firewall, router, or switch causes those devices to generate logs, which the system may store elsewhere. These logs may overwrite themselves within an hour, a day, or a week, but they are generally less volatile data.
- Physical configuration and network topology: Physical configuration and network topology are less volatile and have a longer life span than some other logs
- Archival media: A DVD-ROM, a CD-ROM, or a tape contains the least volatile data because the digital information does not change in such data sources automatically unless damaged under a physical force
- Dead Acquisition
- Dead acquisition is defined as the acquisition of data from a suspect machine that is powered off
- Dead acquisition usually involves acquiring data from storage devices such as hard drives, DVD-ROMs, USB drives, flash cards, and smartphones
- Examples of static data: emails, word documents, web activity, spreadsheets, slack space, unallocated drive space, and various deleted files
- Static data recovered from a hard drive include the following:
- Temporary (temp) files
- System registries
- Event/system logs
- Boot sectors
- Web browser cache
- Cookies and hidden files
- Rules of Thumb for Data Acquisition
- Do not work on original digital evidence. Create a bitstream/logical image of a suspicious drive/file to work on.
- Use clean media to store the copies
- Produce two or more copies of the original media
- The first is the working copy to be used for analysis
- The other copies act as the library/control copies that are stored for disclosure purposes or in the event that the working copy becomes corrupted
- Upon creating copies of original media, verify the integrity of copies with the original
- Types of Data Acquisition
- Logical Acquisition
- Logical acquisition allows an investigator to capture only selected files or file types of interest to the case
- Examples of logical acquisition include:
- Email investigation that requires collection of Outlook .pst or .ost files
- Collecting specific records from a large RAID server
- Sparse Acquisition
- Sparse acquisition is similar to logical acquisition but additionally collects fragments of unallocated data, allowing investigators to acquire deleted files
- Use this method when inspection of the entire drive is not required
- Bit-Stream Imaging: Bit-stream imaging creates a bit-by-bit copy of a suspect drive. The result is a clone of the entire drive, including all its sectors and clusters, which allows forensic investigators to retrieve deleted files or folders
- Bit-stream disk-to-image file
- It is the most common method used by forensic investigators
- The created image file is a bit-by-bit replica of the suspect drive
- Tools used: ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, etc.
- Bit-stream disk-to-disk
- Disk-to-image copying is not possible in situations where
- The suspect drive is very old and incompatible with the imaging software
- Investigator needs to recover credentials used for websites and user accounts
- To overcome this situation, investigators can create a disk-to-disk bit-stream copy of the target media
- While creating a disk-to-disk copy, investigators can adjust the target disk’s geometry (its head, cylinder, and track configuration) to align with the suspect drive. This results in a smooth data acquisition process.
- Tools used: Encase, Tableau Forensic Imager, etc.
- Data Acquisition Format
- Raw Format: Raw format creates a bit-by-bit copy of the suspect drive. Images in this format are usually obtained by using the dd command.
- Advantages
- Fast data transfers
- Minor data read errors on source drive are ignored
- Read by most of the forensic tools
- Disadvantages
- Requires the same amount of storage as the original media
- Tools (mostly open source) might fail to recognize/collect marginal (bad) sectors from the suspect drive
- Proprietary Format: Commercial forensics tools acquire data from the suspect drive and save the image files in their own formats
- They offer certain features which include the following:
- Option to compress the image files of the evidence disk/drive in order to save space on the target media
- Ability to split an image into multiple segments, in order to save them to smaller target media such as CD/DVD, while maintaining their integrity
- Ability to incorporate metadata into the image file, which includes date and time of acquisition, hash values of the files, case details, etc.
- Disadvantages
- Image file format created by one tool may not be supported by other tool(s)
- Advanced Forensics Format (AFF)
- Advanced Forensics Format is an open source acquisition format with the following design goals
- No size limitation for disk-to-image files
- Option to compress the image files
- Allocates space to record metadata of the image files or segmented files
- Simple design and customizable
- Accessible through multiple computing platforms and OSes
- Internal consistency checks for self-authentication
- File extensions include .afm for AFF metadata and .afd for segmented image files
- AFF supports the following two compression algorithms:
- Zlib, which is faster but less efficient
- LZMA, which is slower but more efficient
- Advanced Forensic Framework 4 (AFF4)
- Redesign and revision of AFF to manage and use large amounts of disk images, reducing both acquisition time and storage requirements
- Basic types of AFF4 objects: volumes, streams, and graphs. They are universally referenced through a unique URL.
- Volumes: They store segments, which are indivisible blocks of data
- Streams: These are data objects that can help in reading or writing, for example, segments, images, and maps
- Graphs: Collections of RDF statements
- Abstract information model that allows storage of disk-image data in one or more places while the information about the data is stored elsewhere
- Stores more kinds of organized information in the evidence file
- Offers unified data model and naming scheme
- Data Acquisition Methodology
- Determining the data acquisition method
- An investigator needs to identify the best data acquisition method suitable for the investigation, depending on the situation the investigator is presented with
- These situations include:
- Size of the suspect drive
- Time required to acquire the image
- Whether the investigator can retain the suspect drive
- Example:
- In case the original evidence drive needs to be returned to the owner, as in the case of a discovery demand for a civil litigation case, check with the requester (lawyer or supervisor) whether logical acquisition of the disk is acceptable. If not, you may have to go back to the requester.
- Investigators need to acquire only the data that is intended to be acquired
- Determining the data acquisition tool
- Mandatory Requirements
- The tool should not change the original content
- The tool should log I/O errors in an accessible and readable form, including the type of the error and location of the error
- The tool must have the ability to pass scientific and peer review. Results must be repeatable and verifiable by a third party if necessary.
- The tool should alert the user if the source is larger than the destination
- The tool should create a bit-stream copy of the original content when there are no errors in accessing the source media
- The tool should create a qualified bit-stream copy (a qualified bitstream copy is defined as a duplicate except in identified areas of the bit-stream) when I/O errors occur while accessing the source media
- Optional requirements
- The tool should compute a hash value for the complete bit-stream copy generated from a source image file, compare it with the source hash value computed at the time of image creation, and display the result on a disk file
- The tool should divide the bit-stream copy into blocks, compute hash values for each block, compare them with the hash value of original block data computed at the time of image creation, and display the result on a disk file
- The tool should log one or more items on a disk file (items include tool version, subject disk identification, any errors encountered, tool actions, start and finish run times, tool settings, and user comments)
- The tool should create a qualified bit-stream duplicate and adjust the alignment of cylinders to cylinder boundaries of disk partitions when the destination is of a different physical geometry
- The tool should create a bit-stream copy of individual partitions as per user direction
- The tool should make the source disk partition table visible to users, and record its contents
- The tool should create an image file on a fixed or removable magnetic or electronic media that is used to create a bit-stream copy of the original
- The tool should create a bit-stream copy on a platform that is connected through a communications link to a different platform containing the source disk
- Sanitizing the target media
- Investigators must properly sanitize the target media, in order to remove any prior data residing on it, before it is used for collecting forensic data
- Post investigation, they must dispose of this media by following the same standards, so as to mitigate the risk of unauthorized disclosure of information and ensure its confidentiality
- The following are some standards for sanitizing media:
- Russian Standard, GOST P50739-95
- (6 passes): It is a wiping method that writes zeros in the first pass and then random bytes in the next pass
- German: VSITR
- (7 passes): This method overwrites in 6 passes with alternating sequences of 0x00 and 0xFF, and with 0xAA in the last (7th) pass
- American: NAVSO P-5239-26 (MFM)
- (3 passes): This is a three-pass overwriting algorithm that verifies in the last pass
- American: DoD 5220.22-M
- (7 passes): This standard destroys the data on the drive’s required area by overwriting with 010101 in the first pass, 101010 in the second pass and repeating this process thrice. This method then overwrites that area with random characters which is the 7th pass.
- American: NAVSO P-5239-26 (RLL)
- (3 passes): This is a three-pass overwriting algorithm that verifies in the last pass
- NIST SP 800-88
- Clear: Logical techniques applied to sanitize data in all storage areas using the standard read and write commands
- Purge: Involves physical or logical techniques to make the target data recovery infeasible by using state-of-the-art laboratory techniques
- Destroy: Enables target data recovery to be infeasible with the use of state-of-the-art laboratory techniques, which result in an inability to use the media for data storage
- The application of complex access controls and encryption can reduce the chances for an attacker to gain direct access to sensitive information
- An organization can dispose of media it no longer needs by internal or external transfer or by recycling, provided data sanitization has been completed
- Effective sanitization techniques and tracking of storage media are crucial to ensure protection of sensitive data by organizations against attackers
- All organizations and intermediaries are responsible for effective information management and data sanitization
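The pass sequences listed above can be run and checked with a small script. The following is an added example written for these notes, not part of the DFE course material or of any named wiping tool; it reads the VSITR sequence as alternating 0x00/0xFF bytes with a final 0xAA pass, and it assumes that the DoD "010101"/"101010" bit patterns correspond to the bytes 0x55/0xAA. The target file, its contents and the chunk size are constructed for the demo.

```python
"""Multi-pass overwrite of a file with read-back verification, following the pass
sequences summarized in the notes. Added example; the pattern lists are an
interpretation of the notes, not a certified implementation of any standard."""
import os
import tempfile

# One entry per pass; None means a pass of random bytes. Single-byte patterns only.
VSITR_PASSES = [b"\x00", b"\xFF"] * 3 + [b"\xAA"]         # 7 passes, last one 0xAA
DOD_5220_22_M_PASSES = [b"\x55", b"\xAA"] * 3 + [None]    # assumption: 010101 -> 0x55


def _fill(pattern, length):
    """Bytes for one write: the fixed pattern repeated, or random data."""
    if pattern is None:
        return os.urandom(length)
    return pattern * length


def overwrite_file(path, passes, chunk_size=1 << 20):
    """Overwrite every byte of the file once per pass, syncing after each pass.

    Caveat for real media: overwriting through the file system only reaches the
    blocks currently mapped to this file. SSD wear levelling, journaling and
    copy-on-write file systems can keep older copies, so sanitizing target media
    means whole-device tools and, in NIST SP 800-88 terms, Purge or Destroy
    rather than Clear. Returns the number of passes completed.
    """
    size = os.path.getsize(path)
    for pattern in passes:
        with open(path, "r+b") as f:
            done = 0
            while done < size:
                n = min(chunk_size, size - done)
                f.write(_fill(pattern, n))
                done += n
            f.flush()
            os.fsync(f.fileno())
    return len(passes)


def verify_last_pass(path, pattern, chunk_size=1 << 20):
    """Read the file back and confirm every byte equals the final fixed pattern."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                return True
            if chunk != pattern * len(chunk):
                return False


def demo():
    """Constructed scenario: a 'target media' file holding prior case data."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target_media.img")
        original = b"CONFIDENTIAL prior case data " * 4000   # constructed contents
        with open(target, "wb") as f:
            f.write(original)
        passes = overwrite_file(target, VSITR_PASSES)
        with open(target, "rb") as f:
            after = f.read()
        return {
            "passes": passes,
            "verified_aa": verify_last_pass(target, b"\xAA"),
            "size_unchanged": len(after) == len(original),
            "original_remnant": original[:12] in after,
        }


if __name__ == "__main__":
    print(demo())
```

The verification read-back is the part a practitioner actually cares about: a pass count alone proves nothing, while a full read showing only the final pattern (and no fragment of the old contents) is evidence that can go in the acquisition log.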
- Acquiring volatile data
- Volatile data acquisition involves collecting data that is lost when the computer is shut down or restarted
- This data usually corresponds to running processes, logged on users, registries, DLLs, clipboard data, open files, etc.
- Acquire Volatile Data from a Windows Machine
- Belkasoft Live RAM Capturer https://belkasoft.com
- Belkasoft Live RAM Capturer is a forensic tool that allows extracting the entire contents of a computer’s volatile memory
- It saves the image files in .mem format
- Enabling write protection on the evidence media
- It is necessary to write-protect the suspect drive using write blockers to preserve and protect the evidence contained in it
- A write blocker is a hardware device or software application that allows data acquisition from the storage media without altering its contents
- It blocks write commands, thus allowing read-only access to the storage media
- If a hardware write blocker is used:
- Install a write blocker device
- Boot the system with the examiner-controlled operating system
- Examples of hardware devices: CRU® WiebeTech® USB WriteBlocker, Tableau Forensic Bridges, etc.
- If a software write blocker is used:
- Boot the system with the examiner-controlled operating system
- Activate write protection
- Examples of software applications: SAFE Block, MacForensicsLab Write Controller, etc.
- The following are some measures that provide defense mechanisms against alterations:
- Set a hardware jumper to make the disk read-only
- Use operating system and software that cannot write to the disk unless instructed
- Employ a hard disk write block tool to protect against disk writes
- Acquiring non-volatile data
- Non-volatile data can be acquired in both live acquisition and dead acquisition. It mainly involves acquiring data from a hard disk.
- There is no significant difference in the amount of data acquired from a hard disk between the live and dead acquisition methods
- Live acquisition of a hard disk is performed using remote acquisition tools (e.g. netcat) and bootable CDs or USBs (e.g. CAINE), while dead acquisition involves removing the hard disk from the suspect machine, connecting it to a forensic workstation, write-blocking the hard disk, and running a forensic acquisition tool on the disk
- The dead acquisition process can be performed via the following steps:
- Remove the hard drive from the suspect machine
- Connect it to a forensic workstation to perform the acquisition
- Write-block the hard disk to ensure that it provides only read-only access to the hard drive and prevents any modification or tampering of its contents
- Run any forensic acquisition tool suitable for the purpose of acquiring/collecting data
- Acquire Non-volatile Data (Using a Windows Forensic Workstation)
- To acquire forensic image of a hard disk during dead acquisition, remove the hard disk, connect it to a forensic workstation, enable write-blocker, and run a forensic imaging tool (e.g. AccessData FTK Imager) on the workstation
- AccessData FTK Imager is a disk imaging program that can preview recoverable data from a disk of any kind and also create copies, called forensic images, of that data
- AccessData FTK Imager https://accessdata.com
- Features
- Create forensic images of local hard drives, CDs and DVDs, thumb drives, or other USB devices, entire folders, or individual files from various places within the media
- Enables previewing files and folders on local hard drives, network drives, CDs and DVDs, thumb drives, or other USB devices
- Enables previewing the contents of forensic images stored on a local machine or a network drive
- Enables mounting an image for a read-only view that leverages Windows Internet Explorer to display the content of the image exactly as the user saw it on the original drive
- Exports files and folders from forensic images
- Recovers files that have been deleted from the Recycle Bin, but have not yet been overwritten on the drive
- Creates hashes of files to check the integrity of the data by using either of the two hash functions available in FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1)
- Planning for contingency
- Investigators must prepare for contingencies such as when the hardware or software does not work, or a failure occurs during acquisition
- Hard Disk Data Acquisition
- Investigators must create at least two images of the digital evidence collected, in order to preserve it. If one copy of the digital evidence recovered becomes corrupt, investigators can then use the other copy.
- Imaging Tools
- If you possess more than one imaging tool, such as ProDiscover Forensics or AccessData FTK Imager, it is recommended to create the first image with one tool and the second image with the other tool. If you possess only one tool, make two or more images of the drive using the same tool.
- Hardware Acquisition Tool
- Consider using a hardware acquisition tool (such as UFED Ultimate or IM SOLO-4 G3 IT RUGGEDIZED) that can access the drive at the BIOS level to copy data in the Host Protected Area (HPA)
- Drive Decryption
- Be prepared to deal with encrypted drives that need the user to provide the decryption key for decrypting. Microsoft includes a full disk encryption feature (BitLocker) with select editions of Windows Vista and later.
- Validating data acquisition
- Validating data acquisition involves calculating the hash value of the target media and comparing it with its forensic counterpart to ensure that the data is completely acquired
- The unique number (hash value) is referred to as a “digital fingerprint”
- As hash values are unique, if two files have the same hash value, they are 100% identical even if the files are named differently
- Utility algorithms that produce hash values include CRC-32, MD5, SHA-1, and SHA-256
- The following are some hashing algorithms that can be used to validate the data acquired:
- CRC-32: Cyclic redundancy code algorithm-32 is a hash function based on the idea of polynomial division. The number 32 indicates that the size of the resulting hash value or checksum is 32 bits. The checksum identifies errors after data transmission or storage.
- MD5: This is an algorithm used to check data integrity by creating a 128-bit message digest from data input of any length. Every MD5 hash value is unique to that particular data input.
- SHA-1: Secure Hash Algorithm-1 is a cryptographic hash function developed by the United States National Security Agency, and it is a US Federal Information Processing Standard issued by NIST. It creates a 160-bit (20-byte) hash value called a message digest. This hash value is a 40-digit hexadecimal number.
- SHA-256: This is a cryptographic hash algorithm that creates a unique and fixed-size 256-bit (32-byte) hash. Therefore, it is ideal for anti-tamper technologies, password validation, digital signatures, and challenge hash authentication.
- Validate Data Acquisition: Windows Validation Methods
- Windows computers come with the PowerShell utility, which can run cmdlets
- The Get-FileHash cmdlet computes the hash value for an evidence file by using the specified hash algorithm
- This hash value is used throughout the investigation for validating the integrity of the evidence
- Investigators can also use commercial computer forensics programs, which have built-in validation features that can be used to validate the evidence files
- For instance:
- ProDiscover’s .eve files contain metadata in segmented files or acquisition files, including the hash value for the original media
- When you load the image to ProDiscover, it compares the hash value of this image to the hash value of the original media
- If the hashes do not match, the tool notifies that the image is corrupt, implying that the evidence cannot be considered reliable
- Note: In most computer forensics tools, raw format image files do not contain metadata. For raw acquisitions, therefore, a separate manual validation is recommended during analysis.
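For raw images, where no embedded hash exists, the manual validation above can be scripted. The following is an added example written for these notes, not part of the DFE course material or of any named forensic tool; it does what the tool requirements earlier in this module describe: a whole-image hash compared against the source, plus per-block hashes that say which block differs when the whole-image hashes disagree. The 4 KiB block size, the temporary files and their contents are constructed for the demo; on real media the source would be the write-blocked device and the image the .dd file.

```python
"""Validate an acquired image against its source using a whole-image hash plus
per-block hashes that localize any mismatch. Added example for these notes;
not part of the DFE course material or of any named forensic tool."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # assumption: 4 KiB blocks, a multiple of the 512-byte sector


def hash_file(path, algorithm="sha256"):
    """Stream the file through the hash so multi-gigabyte images never sit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def block_hashes(path, block_size=BLOCK_SIZE, algorithm="sha256"):
    """Digest of every block_size-byte block of the file, in order."""
    with open(path, "rb") as f:
        return [hashlib.new(algorithm, block).hexdigest()
                for block in iter(lambda: f.read(block_size), b"")]


def validate_image(source, image, block_size=BLOCK_SIZE):
    """Compare the source media against the acquired image.

    Returns (ok, detail): detail is [] on success, ["size"] when the lengths
    differ (checked before any hashing, like a tool that alerts when source and
    destination sizes disagree), or the indices of the blocks that differ.
    """
    if os.path.getsize(source) != os.path.getsize(image):
        return False, ["size"]
    if hash_file(source) == hash_file(image):
        return True, []
    src_blocks = block_hashes(source, block_size)
    img_blocks = block_hashes(image, block_size)
    bad = [i for i, (a, b) in enumerate(zip(src_blocks, img_blocks)) if a != b]
    return False, bad


def demo():
    """Constructed scenario: a fake 'suspect drive' file, a faithful image,
    an image with one corrupted block, and a truncated image."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_drive.bin")
        good = os.path.join(d, "image_good.dd")
        corrupt = os.path.join(d, "image_corrupt.dd")
        short = os.path.join(d, "image_short.dd")

        drive = bytes(range(256)) * (BLOCK_SIZE * 8 // 256)   # 8 blocks, deterministic
        with open(src, "wb") as f:
            f.write(drive)
        with open(good, "wb") as f:
            f.write(drive)
        damaged = bytearray(drive)
        damaged[5 * BLOCK_SIZE + 17] ^= 0xFF                    # flip one byte in block 5
        with open(corrupt, "wb") as f:
            f.write(bytes(damaged))
        with open(short, "wb") as f:
            f.write(drive[:-512])                               # last sector missing

        return {
            "good": validate_image(src, good),
            "corrupt": validate_image(src, corrupt),
            "short": validate_image(src, short),
        }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'} {detail}")
```

Both digests should be recorded in the acquisition log at imaging time; the per-block list is what lets an examiner distinguish a single unreadable sector (a qualified bit-stream copy, as defined in the tool requirements) from a wholesale bad image.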
# Module 05: Defeating Anti-forensics Techniques
- Anti-forensics and its Techniques
- Anti-forensics (also known as counter forensics) is a common term for a set of techniques aimed at complicating or preventing a proper forensics investigation process
- Goals of Anti-forensics
- Interrupt and prevent information collection
- Make the investigator’s task of finding evidence difficult
- Hide traces of crime or illegal activity
- Compromise the accuracy of a forensics report or testimony
- Delete evidence that an anti-forensics tool has been run
- Anti-forensics Techniques
- Data/File Deletion
- Password Protection
- Steganography
- Data Hiding in File System Structures
- Trail Obfuscation
- Artifact Wiping
- Overwriting Data/Metadata
- Encryption
- Program Packers
- Minimizing Footprint
- Exploiting Forensics Tool Bugs
- Detecting Forensics Tool Activities
- Anti-forensics Technique: Data/File Deletion
- When a file is deleted from the hard drive, the pointer to the file gets deleted but the contents of file remain on the disk
- In other words, the deleted files can be recovered from the hard disk until the sectors containing the contents of the file are overwritten with new data
- Data recovery tools such as Autopsy, Recover My Files, EaseUS Data Recovery Wizard Pro, and R-Studio can be used for recovering deleted files/folders
- What Happens When a File is Deleted in Windows?
- FAT File System
- The OS replaces the first letter of a deleted file name with a hex byte code: E5h
- E5h is a special tag that indicates that the file has been deleted
- The corresponding cluster of that file in FAT is marked as unused, although it will continue to contain the information until it is overwritten
- NTFS File System
- When a user deletes a file, the OS just marks the file entry as unallocated but does not delete the actual file contents
- The clusters allocated to the deleted file are marked as free in the $BitMap ($BitMap file is a record of all used and unused clusters)
- The OS then treats those clusters as free and makes the space available for storing new files
- The deleted file can be recovered if the space is not allocated to any other file
- Recycle Bin in Windows
- The Recycle Bin is a temporary storage place for deleted files
- The file remains in the Recycle Bin until you empty the Recycle Bin or restore the file
- Items can be restored to their original positions with the help of the Restore all items option of the Recycle Bin
- The storage location of Recycle Bin depends on type of OS and file system
- Recycle Bin storage location on FAT file systems:
- On older FAT file systems (Windows 98 and prior), it is located in Drive:\RECYCLED
- Recycle Bin storage location on NTFS file systems:
- On Windows 2000, NT, and XP it is located in Drive:\RECYCLER\
- On Windows Vista and later versions, it is located in Drive:\$Recycle.Bin\
- When a file is deleted, the complete path of the file and its name are stored in a hidden file called INFO2 (in Windows 98) in the Recycled folder. This information is used to restore the deleted files to their original locations.
- Prior to Windows Vista, a file in the Recycle Bin was stored in its physical location and renamed using the syntax: D<#>.
- “D” denotes that a file has been deleted
- In Windows Vista and later versions, the deleted file is renamed using the syntax: $R<#>., where <#> represents a set of random letters and numbers
- At the same time, a corresponding metadata file is created which is named as: $I<#>., where <#> represents a set of random letters and numbers the same as used for $R
- The $R and $I files are located at C:\$Recycle.Bin\\
- $I file contains following metadata:
- Original file name
- Original file size
- The date and time the file was deleted
- Recycle Bin Forensics
- The original files pertaining to the $I files are not visible in the Recycle Bin folder when:
- $I file is corrupted or damaged
- The attacker/insider deletes $I files from the Recycle Bin
- During forensic investigation, the investigator should check for the $R files in the Recycle Bin directory to counter the anti-forensic technique used by the attacker
- If the metadata files related to the original files are not present in the folder, then the investigator can use the copy command to recover the deleted files ($R files)
- Command: copy <$R*(or File name)>
- In case the metadata of the Recycle Bin is lost, or the data is hidden intentionally by the perpetrator, the investigator can follow the above steps to recover the deleted files from the Recycle Bin for further analysis
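When the $I files are present, they can be parsed directly rather than read through the Recycle Bin GUI, which is useful when the bin is being examined from an image. The following is an added example written for these notes, not part of the DFE course material or of any forensic tool. It relies on the documented $I layout: an 8-byte version header (1 on Windows Vista through 8, 2 on Windows 10 and later), the original size as a 64-bit integer, the deletion time as a Windows FILETIME, and then the original path as UTF-16LE (a fixed 520-byte field in version 1, a 4-byte character count followed by the path in version 2). The sample records, the path and the timestamp are constructed, not captured from a real system.

```python
"""Parse the $I metadata record that Windows Vista and later write into
$Recycle.Bin alongside each $R file. Added example for these notes; the sample
records are constructed, not taken from real evidence."""
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build sample records."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Return the original path, size and deletion time stored in a $I record.

    Version 1 (Vista/7/8):  header=1, size, FILETIME, 520-byte UTF-16LE path.
    Version 2 (Windows 10+): header=2, size, FILETIME, uint32 path length in
    UTF-16 code units (including the terminating null), then the path.
    """
    if len(data) < 24:
        raise ValueError("truncated $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("truncated path field in version 1 $I record")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated path field in version 2 $I record")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I record version {version}")
    return {
        "version": version,
        "original_path": path,
        "original_size": size,
        "deleted_at_iso": filetime_to_datetime(ft).isoformat(),
    }


def build_i_file(version, size, deleted_at, path):
    """Construct a sample $I record of the given version (for the demo only)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = path.encode("utf-16-le") + b"\x00\x00"      # null-terminated path
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(encoded) // 2) + encoded


def demo():
    """Build one record of each version from constructed values and parse it back."""
    deleted = datetime(2024, 3, 18, 13, 56, 31, tzinfo=timezone.utc)   # constructed
    path = r"C:\Users\analyst\Documents\report.docx"                   # constructed
    return [parse_i_file(build_i_file(v, 123456, deleted, path)) for v in (1, 2)]


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Because the $I record is the only place the original name and path survive, a missing or corrupted $I file (the anti-forensic case above) leaves the $R content recoverable but unattributed; parsing whatever $I records remain, and noting the $R files that have no matching $I, is the check to record.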
- File Carving
- It is a technique to recover files and fragments of files from the hard disk in the absence of file system metadata
- In this technique, file identification and extraction is based on certain characteristics such as file header or footer rather than the file extension or metadata
- A file header is a signature (also known as a magic number), which is a constant numeric or text value that determines a file format
- Example:
- A suspect may try to hide an image from being detected by investigators by changing the file extension from .jpg to .dll
- However, changing the file extension does not change the file header, and analysis tells the actual file format
- Example:
- A file format is confirmed as .jpg if it shows “JFIF” in the file header, with the hex signature “4A 46 49 46”
- Investigators can take a look at file headers to verify the file format using tools such as 010 Editor, CI Hex Viewer, Hexinator, Hex Editor Neo, Qiew, WinHex, etc.
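The header check described above is simple to automate as a triage step over carved or suspicious files. The following is an added example written for these notes, not part of the DFE course material or of any named hex editor; it inspects the leading bytes for a handful of well-known signatures (the JPEG SOI marker followed by the "JFIF" tag at offset 6, PNG, GIF, PDF, ZIP-based Office documents and the "MZ" header of Windows executables) and reports whether the file's extension agrees with what the header says. The sample headers and file names are constructed, and the extension-to-format mapping is an assumption for the demo.

```python
"""Identify a file's real format from its magic number rather than its extension,
as a carving/triage check. Added example for these notes; the sample headers
are constructed, not carved from real evidence."""
import os

# Well-known magic numbers: (format, offset, bytes). JPEG is handled separately
# because the "JFIF"/"Exif" tag sits at offset 6 behind the FF D8 FF SOI marker.
SIGNATURES = [
    ("PNG", 0, b"\x89PNG\r\n\x1a\n"),
    ("GIF", 0, b"GIF8"),
    ("PDF", 0, b"%PDF-"),
    ("ZIP/OOXML", 0, b"PK\x03\x04"),        # .docx/.xlsx/.pptx are ZIP containers
    ("PE (EXE/DLL)", 0, b"MZ"),
]

# Extensions consistent with each detected format (assumption for the demo).
EXPECTED_EXTENSIONS = {
    "JPEG (JFIF)": {".jpg", ".jpeg"},
    "JPEG (Exif)": {".jpg", ".jpeg"},
    "JPEG": {".jpg", ".jpeg"},
    "PNG": {".png"},
    "GIF": {".gif"},
    "PDF": {".pdf"},
    "ZIP/OOXML": {".zip", ".docx", ".xlsx", ".pptx"},
    "PE (EXE/DLL)": {".exe", ".dll", ".sys"},
}


def identify_header(data):
    """Return the format name implied by the leading bytes, or None if unknown."""
    if data[:3] == b"\xFF\xD8\xFF":
        tag = data[6:10]
        if tag == b"JFIF":          # hex 4A 46 49 46, as cited in the notes
            return "JPEG (JFIF)"
        if tag == b"Exif":
            return "JPEG (Exif)"
        return "JPEG"
    for name, offset, sig in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return name
    return None


def check_file(name, data):
    """Report the detected format and whether the extension agrees with it.
    'consistent' is None when the header is unknown (no claim either way)."""
    detected = identify_header(data)
    ext = os.path.splitext(name)[1].lower()
    consistent = None if detected is None else ext in EXPECTED_EXTENSIONS[detected]
    return {"file": name, "extension": ext, "detected": detected, "consistent": consistent}


# Constructed header bytes only; these are not complete files.
SAMPLES = {
    "photo.dll": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00",   # JPEG renamed to .dll
    "helper.dll": b"MZ\x90\x00\x03\x00\x00\x00",                    # real PE header
    "notes.txt": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",                  # PDF renamed to .txt
    "blob.bin": b"\x00\x01\x02\x03\x04\x05\x06\x07",                 # no known signature
}


def scan_samples():
    """Run the check over every constructed sample and return the reports by name."""
    return {name: check_file(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for report in scan_samples().values():
        print(report)
```

A mismatch is a lead, not a conclusion: the same check flags legitimate cases such as a .docx (a ZIP container) that was renamed by a backup tool, so each hit should be opened in a hex editor and recorded with its offset and signature.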
- File Carving on Windows
- Windows tracks its files/folders on a hard drive using pointers that tell the system where the file begins and ends
- When a file is deleted from the hard drive, the pointer to the file gets deleted but the contents of the file remain on the disk
- In other words, the deleted files can be recovered from the hard disk until the sectors containing the contents of the file are overwritten with new data
- Data recovery tools such as Autopsy, Recover My Files, EaseUS Data Recovery Wizard Pro, R-Studio for Windows, etc., can be used for recovering deleted files/folders from Windows
- File Recovery Tools: Windows
- EaseUS Data Recovery Wizard Pro https://www.easeus.com
- EaseUS Data Recovery Wizard Pro is hard drive data recovery software that recovers lost data from a PC, laptop, or other storage media after deletion, formatting, partition loss, OS crashes, virus attacks, etc.
- Specifies file types before file recovery to find lost files quickly
- Saves previous searching results for continuous recovery
- Scans lost files faster by skipping bad sectors automatically
- Recover My Files https://getdata.com
- DiskDigger https://diskdigger.org
- Handy Recovery https://www.handyrecovery.com
- Quick Recovery https://www.recoveryourdata.com
- Stellar Phoenix Windows Data Recovery https://www.stellarinfo.com
- File Carving on Linux
- When a file is deleted from Linux using the command /bin/rm, the inode pointing to the file gets removed but the file remains on the disk until it is overwritten with new data
- If a running process keeps a file open and then removes the file, the file contents are still on the disk, and other programs will not reclaim the space
- Note that if an executable erases itself, its contents can be retrieved from a /proc memory image. The command cp /proc/$PID/exe /tmp/file creates a copy of the file in /tmp
- Third-party tools such as Stellar Phoenix Linux Data Recovery, R-Studio for Linux, TestDisk, PhotoRec, and Kernel for Linux Data Recovery can be used to recover deleted files from Linux
- SSD File Carving on Linux File System
- Forensic workstation used: Windows 10
- The forensically acquired image from TRIM disabled SSD should be examined using file carving tools such as Autopsy, R-Studio, etc.
- In Autopsy, the carved data from the forensic evidence file is displayed under the appropriate data source with heading “$CarvedFiles”
- Recovering Deleted Partitions
- The MBR partition table contains the records of the primary and extended partitions of a disk
- When a partition is deleted from a disk, the entries corresponding to the deleted partition are removed from the MBR partition table
- Investigators use tool