File System Analysis

Transcription

File System Analysis
Digital Forensics: FAT
February 23, 2007

File System Analysis

"File system analysis examines data in a volume and interprets them as a file system"

When compared to this... or, how useful is this really?

[Figure: a string of raw bits, i.e. the volume before it is interpreted as a file system]
Overview
- Data categories
- Difficulties
File System Analysis: Essential (and non-essential) data

A file system consists of structural data and user data.
- Essential: needed to store and retrieve data
  - E.g., location and size of a file, location of the metadata
  - Essential data need to be trusted
- Non-essential: adds convenience for the user
  - Access times, protection
  - To restore a file, we need to know where it is, but not who was allowed to read it.

Analogy: a text- or notebook.
- Chapters, sections and paragraphs are the structural data.
- "This would be text contained in the book." "And so would this." This is the user data.
File System Analysis: Data categories
- File System: general file system information
  - Location of data structures, data unit sizes
- Content: the data itself
  - Content of files, organized in standard-size containers
- Metadata: data that describe files
  - Location of file content, size, times, access control info
- File Name: the name of the file
  - Name of the file
- Application: data that provides special features
  - Quotas, journals
File System Analysis: File System

File System category:
- Determine the type of file system
- Map the values of the file system information sector to the file system data structure

Example (the boot sector of a FAT16 volume, xxd output):

0000000: eb58 904d 5357 494e 342e 3100 0202 0100  .X.MSWIN4.1.....
0000010: 0200 0200 00f8 9d00 3f00 ff00 dfba 6500  ........?.....e.
0000020: c539 0100 8000 292c 24f0 794e 4f20 4e41  .9....),$.yNO NA
0000030: 4d45 2020 2020 2020 4641 5431 3620 0000  ME      FAT16 ..
<removed>
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.

Values read from the boot sector (all multi-byte fields are little-endian):

Bytes/sector      512    (bytes 11-12: 00 02)
Sectors/cluster   2      (byte 13: 02)
Sectors in FS     80325  (bytes 32-35: c5 39 01 00; the 16-bit count at bytes 19-20 is 0, so the 32-bit field is used)
Reserved area     1 sec. (bytes 14-15: 01 00)

Note: Most of the data covered by the <removed> tag is 0s; on this image only the boot code and its "no operating system loader" message occupy bytes 0x50-0xd3 (see the data hiding slides). Good(?) place to hide data.
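The following Python is an added example, not code from the slides or from The Sleuth Kit. It parses the boot sector above into the fields the slide reads by hand, derives the sector layout that fsstat reports later on this page, implements the cluster-to-sector formula used in Case 2, and, for Case 1, scans a raw image for 0x55AA sectors while rejecting the ones whose BIOS Parameter Block is implausible. SLIDE_BOOT_SECTOR copies bytes 0x00-0x3f from the dump and zero-fills the removed region; the false-positive sector in the usage is constructed.

```python
"""Parse a FAT12/16 boot sector, derive the layout that fsstat prints, and
scan a raw image for boot-sector candidates with sanity checks that weed
out most 0x55AA false positives."""
import struct
from dataclasses import dataclass

# The boot sector from the slide: bytes 0x00-0x3f copied from the hex dump,
# the <removed> region zero-filled as the slide states, 0x55AA at offset 510.
SLIDE_BOOT_SECTOR = bytearray(512)
SLIDE_BOOT_SECTOR[0:64] = bytes.fromhex(
    "eb58904d5357494e342e3100020201000200020000f89d003f00ff00dfba6500"
    "c53901008000292c24f0794e4f204e414d452020202020204641543136200000"
)
SLIDE_BOOT_SECTOR[510:512] = b"\x55\xaa"


@dataclass
class FatLayout:
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int
    num_fats: int
    root_entries: int
    total_sectors: int
    fat_sectors: int

    @property
    def fat_ranges(self):
        """(first, last) sector of each FAT copy."""
        return [(self.reserved_sectors + i * self.fat_sectors,
                 self.reserved_sectors + (i + 1) * self.fat_sectors - 1)
                for i in range(self.num_fats)]

    @property
    def root_dir_start(self):
        return self.reserved_sectors + self.num_fats * self.fat_sectors

    @property
    def root_dir_sectors(self):
        # 32-byte entries rounded up to whole sectors (FAT12/16; FAT32 has no fixed root area)
        return (self.root_entries * 32 + self.bytes_per_sector - 1) // self.bytes_per_sector

    @property
    def cluster_area_start(self):
        return self.root_dir_start + self.root_dir_sectors

    @property
    def last_cluster(self):
        data_sectors = self.total_sectors - self.cluster_area_start
        return data_sectors // self.sectors_per_cluster + 1  # the first data cluster is number 2

    def cluster_to_sector(self, cluster):
        """(C - 2) * S + R + nFATs * F + D * E / bytes_per_sector, with a range check."""
        if not 2 <= cluster <= self.last_cluster:
            raise ValueError(f"cluster {cluster} outside 2..{self.last_cluster}")
        return self.cluster_area_start + (cluster - 2) * self.sectors_per_cluster


def parse_boot_sector(sector):
    """Return a FatLayout, or raise ValueError if this does not look like a FAT12/16 boot sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature at bytes 510-511")
    if sector[0] not in (0xEB, 0xE9):
        raise ValueError("byte 0 is not an x86 jump")
    (bps, spc, reserved, nfats, root_entries, tot16,
     media, fat16, _spt, _heads, _hidden, tot32) = struct.unpack_from("<HBHBHHBHHHII", sector, 11)
    total = tot16 or tot32
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes/sector {bps}")
    if spc == 0 or spc & (spc - 1) or spc > 128:
        raise ValueError(f"sectors/cluster {spc} is not a power of two <= 128")
    if reserved == 0 or nfats not in (1, 2) or media < 0xF0 or total == 0:
        raise ValueError("reserved sectors, FAT count, media byte or total sectors out of range")
    if fat16 == 0 or root_entries == 0:
        raise ValueError("FAT size or root entry count is 0 (FAT32 or damaged; not handled here)")
    return FatLayout(bps, spc, reserved, nfats, root_entries, total, fat16)


def scan_for_boot_sectors(image):
    """Case 1: exhaustive 0x55AA search over 512-byte sectors, keeping only the ones
    whose BPB parses. Returns a list of (sector number, FatLayout)."""
    hits = []
    for n in range(len(image) // 512):
        sector = image[n * 512:(n + 1) * 512]
        if sector[510:512] != b"\x55\xaa":
            continue
        try:
            hits.append((n, parse_boot_sector(sector)))
        except ValueError:
            pass  # MBRs, other file systems and random data end in 55AA too
    return hits
```

The sanity checks are what keep the Case 1 scan usable: every MBR and every NTFS boot sector also ends in 55AA, so the signature alone tells you little. Run `parse_boot_sector` on each hit and keep only the sectors that describe a consistent volume, then confirm by locating the FAT copies and the root directory at the computed offsets.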
Ulf Larson
File System Analysis: Content
- Storage locations that are allocated to files and directories
- Contains a lot of data: a 40 MB volume contains > 80000 512-byte sectors.
- Usually investigated by tools
  - E.g., look for signatures such as "B0mb", "virus", "evil-Ulf"
- The allocation strategy used affects the probability of recovering deleted (unallocated) content.

[Figure: eight data units numbered 1-8, some allocated and some unallocated, with a pointer to the last allocated unit. For the next allocation the strategies pick: first available: units 2, 5; next available: units 5, 7; best fit: units 7, 8]

Pointers:
- Fragmentation makes recovery difficult
- Data at the beginning of the volume is more often replaced if first available is used.
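As an added example (not from the slides), the Python below simulates the three strategies on the eight-unit volume of the figure. The starting state is an assumption chosen to reproduce the figure's picks: units 1, 3, 4 and 6 allocated, the last allocation in unit 4, and deleted content (constructed) still sitting in the four free units. `surviving_deleted_data` shows what each strategy destroys when a two-unit file is written, and `overwrite_counts` shows the churn effect behind the last bullet: under first available the same low-numbered unit is rewritten every time.

```python
"""Simulate the three allocation strategies on the slide's eight-unit
volume and show which deleted (unallocated) units each one overwrites."""

UNITS = list(range(1, 9))
# Assumed state that reproduces the figure's picks: units 1, 3, 4 and 6 are
# allocated, the last allocation went to unit 4, and the four free units
# still hold deleted content (constructed).
ALLOCATED = {1, 3, 4, 6}
LAST_ALLOCATED = 4
DELETED_CONTENT = {2: b"B0mb part 1", 5: b"B0mb part 2", 7: b"old mail", 8: b"old mail (cont.)"}


def first_available(allocated, last, n):
    """Lowest-numbered free units, scanning from the start of the volume."""
    return [u for u in UNITS if u not in allocated][:n]


def next_available(allocated, last, n):
    """Free units found by scanning onward from the last allocation, wrapping around."""
    order = [u for u in UNITS if u > last] + [u for u in UNITS if u <= last]
    return [u for u in order if u not in allocated][:n]


def best_fit(allocated, last, n):
    """Smallest contiguous free run that holds the request; falls back to
    first_available (i.e. fragments the file) when no run is large enough."""
    runs, run = [], []
    for u in UNITS:
        if u not in allocated:
            run.append(u)
        elif run:
            runs.append(run)
            run = []
    if run:
        runs.append(run)
    fitting = [r for r in runs if len(r) >= n]
    if not fitting:
        return first_available(allocated, last, n)
    return min(fitting, key=len)[:n]


STRATEGIES = {"first available": first_available, "next available": next_available, "best fit": best_fit}


def allocate(strategy, allocated, last, n):
    chosen = STRATEGIES[strategy](allocated, last, n)
    if len(chosen) < n:
        raise RuntimeError("volume full")
    return chosen


def surviving_deleted_data(strategy, n=2):
    """Deleted content still recoverable after a new n-unit file is written with the strategy."""
    chosen = allocate(strategy, ALLOCATED, LAST_ALLOCATED, n)
    return {u: data for u, data in DELETED_CONTENT.items() if u not in chosen}


def overwrite_counts(strategy, rounds=20, size=1):
    """Churn: each round a size-unit file is written and deleted again.
    Returns how often each unit was overwritten, i.e. how exposed its old content is."""
    allocated, last, counts = set(ALLOCATED), LAST_ALLOCATED, {u: 0 for u in UNITS}
    for _ in range(rounds):
        chosen = allocate(strategy, allocated, last, size)
        for u in chosen:
            counts[u] += 1
        last = chosen[-1]   # the file is deleted right away, so the allocation map is unchanged
    return counts
```

The churn run is the argument for the last bullet in numbers: first available hits unit 2 in all twenty rounds and never touches 5, 7 or 8, while next available spreads the twenty writes evenly over the four free units.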
File System Analysis: Metadata
- Contains descriptive data
  - Metadata contains file times and access lists
  - Metadata also (more importantly) points out where the data is located and how large it is.
  - Also, if a file is deleted, we can still get to its contents through the metadata (assuming that this info is intact).

[Figure: the metadata of File.txt (size 6000 B, permissions rwx, date 070214) with a "Start" pointer into the data]

But... what if data size > unit size?
- Cluster chaining with an auxiliary structure
- Multiple pointers to data
File System Analysis: File Name
- Contains the name of the file
- Allows the user to refer to a file by its name instead of its metadata address.

[Figure: File1.txt -> Metadata -> Data]

As long as the pointer to the metadata is intact, we can potentially recover the data even if both the file name and the metadata are unallocated.
File System Analysis: Difficulties
- Encryption makes the retrieval of deleted data difficult
  - Access to the key is (almost) necessary
  - I.e., unless a time-consuming brute force method is used
- Secure wiping overwrites the data at deletion time
  - Not only removes the allocation status, but also overwrites the various information structures

The FAT File System
- General concepts
- Data categories
- Layout
- Data structures and operation
- Analysis cases, data hiding
The FAT file system: Overview
- FAT is an abbreviation for File Allocation Table
- Primary file system for MS-DOS and Windows 9x
- Also found in flash cards
- Considered "simple" due to the small number of data structures
The FAT file system: Data structures
- FAT data structures grouped by category:
  - File System - Boot sector
  - Content - Clusters, FAT
  - Metadata - Directory entries, FAT
  - File Name - Directory entries
- The boot sector contains location information for the different structures, as well as the volume, sector and cluster sizes.
- Clusters are the data units of the FAT file system.
- The FATs contain the cluster allocation information.
- Directory entries contain the file name, the file size and a pointer to the first cluster of the file.

The FAT file system: Layout
- Physical layout of a FAT file system:

  | Reserved | FAT | Data |

  - Reserved area - contains the boot sector
  - FAT area - contains the FATs
  - Data area - contains the clusters and the root directory

[Figure: the same layout in more detail: Res. | FAT0 | FAT1 | Root | Cluster | ... | Cluster, the whole spanning the Total Range]

Extracting file system information using the boot sector (here as output by fsstat in TSK):

fsstat -f fat FATdump.dd

FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16

File System Layout (in sectors)
Total Range: 0 - 80324
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 157
* FAT 1: 158 - 314
* Data Area: 315 - 80324
** Root Directory: 315 - 346
** Cluster Area: 347 - 80324

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 1024
Total Cluster Range: 2 - 39990

Clusters are 2 sectors wide, one sector is 512 bytes. (The 512 root directory entries of 32 bytes each take 16384 bytes = 32 sectors, which is why the cluster area starts at sector 347.)

The FAT file system: Files and directories
- In FAT, everything is represented as files and directories.
- To keep track of files and directories the following is used:
  - A directory entry data structure containing the metadata
    - File name, size, starting address of the file content
    - 32 bytes, located in a cluster
  - A storage location for the content, i.e., one or more clusters
  - An entry in the FAT data structure denoting the cluster containing the file or directory as allocated
- Both directory entry structures and pure file content are located in clusters in the data area.

The FAT file system: Files and directories
Keeping track of files:

[Figure: the directory entry of TESTFIL.TXT (in cluster 2) pointing at the file content in cluster 3; the FAT entries for clusters 2, 3 and 4 are marked allocated]

The directory entry (32 bytes):

5445 5354 4649 4c20 5458 5420 0000 0000  TESTFIL TXT ....
0000 4f36 0000 c87b 4f36 0300 2300 0000  ..O6...{O6..#...

- Name: bytes 0-10, "TESTFIL TXT" (8.3 name, space padded)
- Cluster address: bytes 26-27, 0x0003 = cluster 3
- Size: bytes 28-31, 0x23 = 35 bytes

The FAT (the entry for cluster 3 is the fourth 16-bit word; entries 0 and 1 are reserved, ffff marks the end of a file):

f8ff ffff ffff ffff ffff 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
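As an added example (not from the slides or from TSK), the Python below decodes the 32-byte directory entry shown above field by field, including the packed FAT dates and times, and follows a FAT16 chain. TESTFIL_ENTRY is the entry from this slide; FAT_SINGLE_CLUSTER is the FAT dump above and FAT_CHAIN is the one on the chaining slide that follows. The 0xE5 handling (deleted entries shown with a leading "_") and the chain termination rules are the standard FAT conventions.

```python
"""Decode a 32-byte FAT directory entry and follow a FAT16 cluster chain."""
import struct
from datetime import datetime

# Field order of a short directory entry (Microsoft FAT specification):
# name(11) attr ntres crt_tenths crt_time crt_date acc_date clus_hi wrt_time wrt_date clus_lo size
ENTRY_FMT = "<11sBBBHHHHHHHI"
ATTR_DIRECTORY = 0x10

# From the slides: the directory entry of TESTFIL.TXT and two FAT dumps.
TESTFIL_ENTRY = bytes.fromhex("54455354" "46494c20" "54585420" "00000000"
                              "00004f36" "0000c87b" "4f360300" "23000000")
FAT_SINGLE_CLUSTER = bytes.fromhex("f8ffffffffffffffffff000000000000" + "00" * 16)
FAT_CHAIN = bytes.fromhex("f8ff" + "ffff" * 7 + "09000a00ffff" + "0000" * 5)


def fat_datetime(date, time=0, tenths=0):
    """FAT packed date/time -> datetime; None for the all-zero 'not set' value."""
    if date == 0:
        return None
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2 + tenths // 100)
    except ValueError:
        return None  # month/day/hour out of range: treat as corrupt


def parse_entry(raw):
    """Decode one 32-byte directory entry; returns None for the end-of-directory marker."""
    (name, attr, _ntres, crt_tenths, crt_time, crt_date, acc_date,
     clus_hi, wrt_time, wrt_date, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
    if name[0] == 0x00:
        return None
    deleted = name[0] == 0xE5
    shown = b"_" + name[1:] if deleted else name   # tools print the 0xE5 marker as "_"
    base = shown[:8].rstrip().decode("ascii", "replace")
    ext = shown[8:].rstrip().decode("ascii", "replace")
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "directory": bool(attr & ATTR_DIRECTORY),
        "first_cluster": (clus_hi << 16) | clus_lo,   # clus_hi is always 0 on FAT12/16
        "size": size,
        "created": fat_datetime(crt_date, crt_time, crt_tenths),
        "accessed": fat_datetime(acc_date),
        "written": fat_datetime(wrt_date, wrt_time),
    }


def fat16_chain(fat, first_cluster):
    """Follow FAT16 entries from first_cluster. Returns (clusters, complete); complete is
    False when the chain ends in a free (0x0000), bad (0xFFF7) or out-of-range entry
    instead of an end-of-file marker (>= 0xFFF8)."""
    n_entries = len(fat) // 2
    chain, cluster = [], first_cluster
    while True:
        if not 2 <= cluster < n_entries or cluster in chain:
            return chain, False          # dangling pointer or loop
        chain.append(cluster)
        nxt, = struct.unpack_from("<H", fat, 2 * cluster)
        if nxt >= 0xFFF8:
            return chain, True           # end of file
        if nxt == 0 or nxt == 0xFFF7:
            return chain, False          # zeroed (deleted) or bad cluster
        cluster = nxt
```

The write timestamp of the slide's entry decodes to 2007-02-15 15:30:16, a week before the lecture date; the creation date field is zero, which is why `fat_datetime` has to accept "not set" rather than fail. A chain that ends with `complete == False` is exactly the deleted-file situation of the later analysis cases: the entry still names the first cluster, but the FAT no longer leads anywhere.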
The FAT file system: Chaining
- Cluster chaining is used if file size > cluster size

[Figure: TESTFIL.TXT, size 0x401 = 1025 bytes, no longer fits in one 1024-byte cluster; the FAT entry for cluster 3 points to cluster 4 and the entry for cluster 4 is EOF]

FAT structure (FAT 0 starts in sector 1, i.e. at file offset 0x200):

0000200: f8ff ffff ffff ffff ffff ffff ffff ffff
0000210: 0900 0a00 ffff 0000 0000 0000 0000 0000

Each entry is a 16-bit little-endian value and entry n belongs to cluster n, so the entry for cluster 8 holds 0x0009, the entry for cluster 9 holds 0x000a and the entry for cluster 10 holds 0xffff: a chain 8 -> 9 -> 10 -> EOF.

The FAT file system: Analysis considerations - File System
Case 1: The missing partition table
- A FAT file system on a partition, but the partition table is gone: where does the file system start?
- Objective: find the file system (if possible)
- Solution: use signature matching.
  - All FAT file systems have the 0x55 0xAA signature in bytes 510 and 511 of the boot sector -> search the disk for 55AA.
  - We do not know where the file system starts, so an exhaustive search is needed.
  - Be prepared for lots of false positives: a random distribution of 2-byte signatures that match yields one hit every 2^16 sectors, and master boot records and the boot sectors of other file systems end in 55AA as well.

The FAT file system: Analysis considerations - Content
Case 2: The whereabouts of a cluster numbered 812
- We know that a file named B0mb is in cluster 812, but where is this?

[Figure: the data area with cluster 812 somewhere in it, marked "?"]

- Search the boot sector for the size of the reserved area (R), the size of a FAT (F), the number of directory entries in the root directory (D) and sectors/cluster (S).
- Consult the literature for the size of a directory entry (E).
- Do the math:
  - Values from the book: R = 6, F = 249, D = 512, E = 32, S = 32, C = 812
  - Sector address of cluster C = (C - 2) * S + R + 2*F + (D*E/512)
    = (812 - 2) * 32 + 6 + 2*249 + 512*32/512 = 25920 + 6 + 498 + 32 = 26456
  - Here cluster 812 = sector 26456
  - The 2*F term assumes two FATs and D*E/512 assumes 512-byte sectors; both come from the boot sector. Clusters are numbered from 2, hence C - 2.

The FAT file system: Analysis considerations - Metadata
Case 3: You did what!?? Give me those directories... NOW!
- When a directory is deleted, two things happen:
  - The FAT entries for the affected clusters are set to 0000.
  - Also, the first character of the file name of each file in the directory is replaced with 0xe5 (shown as "_" by forensic tools).
- However... as long as the directory is not wiped, we can get it back.
- First, we identify unallocated data only:
  - Look in the FAT. Entries with 0000 are unallocated. Extract the corresponding clusters.

    f8ff ffff ffff ffff ffff 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000

- Second, search the unallocated data for the directory entry for ".", signature 0x2e202020.
- Display cluster-size bytes from where the signature starts:

2e20 2020 2020 2020 2020 2010 0000 0000  .          .....
0000 4f36 0000 b17b 4f36 0500 0000 0000  ..O6...{O6......
2e2e 2020 2020 2020 2020 2010 0000 0000  ..         .....
0000 4f36 0000 b17b 4f36 0000 0000 0000  ..O6...{O6......
e545 5354 4649 4c20 5458 5420 0000 0000  .ESTFIL TXT ....
0000 4f36 0000 c87b 4f36 0600 2300 0000  ..O6...{O6..#...

The three entries are "." (attribute 0x10, first cluster 5: the directory's own cluster), ".." (first cluster 0: the root directory) and the deleted TESTFIL.TXT, whose first byte is now 0xe5 but whose cluster address (0x0006) and size (0x23 = 35 bytes) are intact.

The FAT file system: Analysis considerations - Metadata
How well are we able to recover lost data?
- We know the file size and the starting cluster as given by the directory entry structure, but the FAT is zeroed out.
- We have two options:
  1. Read file size / cluster size clusters (rounded up) from the starting cluster, regardless of allocation status.
  2. Read file size / cluster size clusters (rounded up) from unallocated space only.

[Figure: the directory entry gives cluster address 0x06 and file size 0x23; a second file starts in cluster 56 and is 4+ clusters long, laid over clusters 56-61, some of which are unallocated and some allocated; the two options select different sets of clusters as the file content]

And you are saved from the wrath of your boss... once again!
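The following Python is an added example, not code from the slides or from TSK, that works Cases 3 and 4 on a constructed FAT16 image: the directory cluster from the dump above is placed in cluster 5 with its FAT entry zeroed, the 35-byte TESTFIL.TXT content (constructed, `b"B0mb " * 7`) in cluster 6, and, for Case 4, a deleted five-cluster file starting at cluster 56 whose clusters 58 and 60 have since been reused by a live file. The signature search requires the ".." entry right behind the "." entry, a cheap check that rules out file content that happens to start with a dot.

```python
"""Cases 3 and 4: find a deleted directory in unallocated clusters and recover
a file whose FAT entries were zeroed, with and without skipping allocated clusters."""
import struct

CLUSTER_SIZE = 1024            # two 512-byte sectors, as on this volume
N_CLUSTERS = 64                # FAT entries 0..63; data clusters are 2..63
FREE, EOF = 0x0000, 0xFFFF

# The cluster shown on the slide: ".", ".." and the deleted _ESTFIL.TXT entry.
DELETED_DIR = bytes.fromhex(
    "2e202020202020202020201000000000" "00004f360000b17b4f36050000000000"
    "2e2e2020202020202020201000000000" "00004f360000b17b4f36000000000000"
    "e545535446494c205458542000000000" "00004f360000c87b4f36060023000000"
)
TESTFIL_CONTENT = b"B0mb " * 7   # constructed: 35 bytes, matching the size field 0x23
DOT, DOTDOT = b".          ", b"..         "   # 11-byte names of the "." and ".." entries


def fat_entry(fat, c):
    return struct.unpack_from("<H", fat, 2 * c)[0]


def read_cluster(data, c):
    off = (c - 2) * CLUSTER_SIZE
    return bytes(data[off:off + CLUSTER_SIZE])


def build_image():
    """Constructed FAT and data area: a deleted directory (cluster 5) and its file
    (cluster 6), plus a deleted five-cluster file at 56 whose clusters 58 and 60
    were reused by another file since."""
    fat = bytearray(N_CLUSTERS * 2)
    data = bytearray((N_CLUSTERS - 2) * CLUSTER_SIZE)

    def put(c, payload):
        off = (c - 2) * CLUSTER_SIZE
        data[off:off + len(payload)] = payload

    struct.pack_into("<HH", fat, 0, 0xFFF8, EOF)        # media byte entry and reserved entry 1
    for c in (2, 3, 4, 58, 60):
        struct.pack_into("<H", fat, 2 * c, EOF)          # still allocated
    put(5, DELETED_DIR)                                  # FAT entry 5 stays 0: deleted
    put(6, TESTFIL_CONTENT)                              # FAT entry 6 stays 0: deleted
    for c in (56, 57, 59, 61):
        put(c, b"part of the deleted big file, cluster %d " % c)
    for c in (58, 60):
        put(c, b"content of another, live file ")
    return fat, data


def unallocated_clusters(fat):
    return [c for c in range(2, N_CLUSTERS) if fat_entry(fat, c) == FREE]


def entry_fields(raw):
    """Name (0xE5 marker shown as "_"), deleted flag, first cluster and size of a 32-byte entry."""
    deleted = raw[0] == 0xE5
    name = (b"_" + raw[1:11] if deleted else raw[:11]).decode().rstrip()
    hi, lo = struct.unpack_from("<H", raw, 20)[0], struct.unpack_from("<H", raw, 26)[0]
    return name, deleted, (hi << 16) | lo, struct.unpack_from("<I", raw, 28)[0]


def find_deleted_directories(fat, data):
    """Case 3: look for the "." signature at the start of unallocated clusters and
    require the ".." entry right behind it. Returns [(cluster, [entry_fields...])]."""
    found = []
    for c in unallocated_clusters(fat):
        cl = read_cluster(data, c)
        if cl[:11] != DOT or cl[32:43] != DOTDOT:
            continue
        entries = []
        for off in range(0, CLUSTER_SIZE, 32):
            if cl[off] == 0x00:       # end-of-directory marker
                break
            entries.append(entry_fields(cl[off:off + 32]))
        found.append((c, entries))
    return found


def recover_file(fat, data, first_cluster, size, unallocated_only):
    """Case 4: the FAT is zeroed, so read ceil(size / cluster size) clusters from the
    start cluster onward, either blindly or from unallocated clusters only."""
    need = -(-size // CLUSTER_SIZE)
    free = set(unallocated_clusters(fat))
    chosen, c = [], first_cluster
    while len(chosen) < need and c < N_CLUSTERS:
        if not unallocated_only or c in free:
            chosen.append(c)
        c += 1
    content = b"".join(read_cluster(data, x) for x in chosen)[:size]
    return chosen, content
```

For the one-cluster TESTFIL.TXT both options give the same 35 bytes. For the five-cluster file they differ: option 1 returns clusters 56-60 and so mixes in two clusters of the live file, option 2 returns 56, 57, 59, 61 and 62, where 62 is simply the next unallocated cluster and may never have belonged to the file. Neither result can be trusted without checking the content itself (file signatures, structure, text), which is the point the slide makes.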
The FAT file system: Data hiding
- Boot sector hiding
  - The boot sector is often not fully occupied. "Lots" of space to hide data here.
- Volume slack hiding
  - Put data after the file system. The file system size can be changed by editing the boot sector.

The FAT file system: Data hiding example
Hide and alter data in the boot sector.

1. Stupefying the user by direct insult...

The boot sector before the change (xxd, ASCII column):

0000000: ëX.MSWIN4.1.....
0000010: .....ø..?.ÿ.ߺe.
0000020: Å9....),$ðyNO NA
0000030: ME      FAT16 ..
0000040: ................
0000050: ............¾t~.
0000060: "Àt.´.Í.ëõ´.Í.´.
0000070: Í.ëþThis partiti
0000080: on does not have
0000090:  an operating sy
00000a0: stem loader inst
00000b0: alled on it...Pr
00000c0: ess a key to reb
00000d0: oot.............
<removed>
00001f0: ..............Uª

and after, with the loader's message replaced by the insult (the tail of the original message that is longer than the insult stays in place):

0000070: Í.ëþDude, trying
0000080:  to boot on a pa
0000090: rtition...Welcom
00000a0: e to stupidland,
00000b0:  man! on it...Pr
00000c0: ess a key to reb
00000d0: oot.............

Steps:
- Determine the address of the character "T" in "This": 0x74 = 116.
- Create the message and insert it into the image (dd was used for this):
  dd if=<Insult text> obs=1 seek=116 conv=notrunc of=<imgname>

2. Actually hiding data
- Determine the beginning of the unused space: 0xd4 = 212, the first byte after "reboot.".
- Insert the data:
  dd if=<hidden> obs=1 seek=212 conv=notrunc of=<imgname>
  With obs=1 the seek count is in bytes; conv=notrunc keeps the rest of the image intact. The payload must end before byte 510, or the 0x55AA signature is destroyed and the volume stops being recognised.
The boot sector after the data has been hidden (xxd, ASCII column):

0000000: ëX.MSWIN4.1.....
0000010: .....ø..?.ÿ.ߺe.
0000020: Å9....),$ðyNO NA
0000030: ME      FAT16 ..
0000040: ................
0000050: ............¾t~.
0000060: "Àt.´.Í.ëõ´.Í.´.
0000070: Í.ëþThis partiti
0000080: on does not have
0000090:  an operating sy
00000a0: stem loader inst
00000b0: alled on it...Pr
00000c0: ess a key to reb
00000d0: oot.---These are
00000e0:  super extra imp
00000f0: ortant things th
0000100: at should not co
0000110: me in the .wrong
0000120:  hands. I hid it
0000130:  here.../kilroy-
0000140: -...............
0000150: ................
0000160: ................
0000170: ................
0000180: ................
0000190: ................
00001a0: ................
00001b0: ................
00001c0: ................
00001d0: ................
00001e0: ................
00001f0: ..............Uª