File System Analysis
Digital Forensics: FAT, February 23, 2007

File System Analysis

"File system analysis examines data in a volume and interprets them as a file system."

When compared to this... (a raw stream of bits, 01101100111001110111000111101 ... 0011100011100111110000, with the string "B0mb" buried in it). Or, how useful is this really?

Overview
- Data categories
- Difficulties

File System Analysis: Essential (and nonessential) data

A file system consists of structural data and user data.
- Essential: needed to store and retrieve data. E.g., location and size of a file, location of metadata. Essential data need to be trusted.
- Non-essential: adds convenience to the user. E.g., access times, protection.

Analogy: a text- or notebook. Chapters, sections and paragraphs are the structure; the text contained in the book ("This would be text contained in the book. And so would this.") is the user data. To restore a file, we need to know where it is, but not who was allowed to read it.

File System Analysis: Data categories
- File System: general file system information, e.g. location of data structures, data unit sizes.
- Content: the data itself; content of files organized in standard-size containers.
- Metadata: data that describe files, e.g. location of file content, size, times, access control info.
- File Name: the name of the file. Example: name of file.
- Application: data that provides special features, e.g. quotas, journals.

File System Analysis: File System Category
- Determine the type of file system.
- Map the values of the file system information sector to the file system data structure:

  0000000: eb58 904d 5357 494e 342e 3100 0202 0100  .X.MSWIN4.1.....
  0000010: 0200 0200 00f8 9d00 3f00 ff00 dfba 6500  ........?.....e.
  0000020: c539 0100 8000 292c 24f0 794e 4f20 4e41  .9....),$.yNO NA
  0000030: 4d45 2020 2020 4641 5431 3620 2020 0000  ME    FAT16   ..
  <removed>
  00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.

  Bytes/sector      512
  Sectors/cluster   2
  Sectors in FS     80325
  Reserved area     1 sec.
  ...

Note: All data covered by the <removed> tag is 0s. Good(?) place to hide data.
Ulf Larson

File System Analysis: Content
- Storage locations that are allocated to files and directories.
- Contains a lot of data: a 40 Mb volume contains > 80000 512-byte sectors.
- Usually investigated by tools, e.g., look for signatures such as "B0mb, virus, evil-Ulf".
- The used allocation strategy affects the probability of recovering deleted (unallocated) content.

  Clusters 1-8, partly allocated and partly unallocated, with a "last alloc'ed" marker; the clusters chosen by each allocation strategy:
    First available   2, 5
    Next available    5, 7
    Best fit          7, 8

- Fragmentation makes recovery difficult.
- Data in the beginning is more often replaced if First available is used.

File System Analysis: Metadata
- Contains descriptive data: metadata contains file times and access lists.
- Metadata also (more important) points out where the data is located and how large the data is.
- Also, if a file is deleted, we can still get to its contents through the metadata (assuming that this info is intact).

  File.txt: 6000 B, rwx, 070214, Start -> Data

- But... what if data size > unit size?
  - Cluster chaining w/ aux. struct
  - Multiple pointers to data

File System Analysis: Filename
- Contains the name of the file.
- Allows the user to refer to a file by its name instead of its metadata address.

  File1.txt -> Metadata -> Data

- As long as the pointer to metadata is intact, we can potentially recover data even if both filename and metadata are unallocated.

File System Analysis: Difficulties
- Encryption makes the retrieval of deleted data difficult. Access to the key is (almost) necessary, i.e., unless a time consuming brute force method is used.
- Secure wiping overwrites the data at deletion time: it does not only remove the allocation status, but also overwrites the various information structures.

The FAT File System
- General concepts
- Data categories
- Layout
- Data structures and operation
- Analysis cases, data hiding

The FAT file system: Overview
- FAT abbr. for File Allocation Table.
- Primary fs for MS DOS and Windows9x. Also found in flash cards.
- Considered "simple" due to the small number of data structures.

The FAT file system: Data structures
FAT data structures grouped by category:
- File System - Boot Sector: contains location information of the different structures. Also volume, sector and cluster sizes.
- Content - Clusters, FAT: clusters are the data units of the FAT fs. FATs contain cluster allocation information.
- Metadata - Directory entries, FAT: directory entries contain file name, file size and a pointer to the first cluster of the file.
- File Name - Directory entries.

The FAT file system: Layout
Physical layout of a FAT fs:

  | Reserved | FAT | Data |

- Reserved area - contains the boot sector.
- FAT area - contains the FATs.
- Data area - contains clusters and the root directory.

  | Res. | FAT0 | FAT1 | Root | Cluster ... |   (Total Range)

The FAT file system: Layout
Extracting file system information using the boot sector (here as output by fsstat in TSK):

  fsstat -f fat FATdump.dd

  FILE SYSTEM INFORMATION
  --------------------------------------------
  File System Type: FAT16

  File System Layout (in sectors)
  Total Range: 0 - 80324
  * Reserved: 0 - 0
  ** Boot Sector: 0
  * FAT 0: 1 - 157
  * FAT 1: 158 - 314
  * Data Area: 315 - 80324
  ** Root Directory: 315 - 346
  ** Cluster Area: 347 - 80324

The FAT file system: Files and directories
- In FAT, everything is represented as files and directories.
- To keep track of files and directories the following is used:
  - A directory entry data structure containing metadata.
  - A storage location for the content, i.e., one or more clusters.
  - An entry in the FAT data structure denoting the cluster containing the file or directory as allocated.
- Clusters are 2 sectors wide, one sector is 512 bytes.
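The boot sector slide ("map the values of the file system information sector to the data structure") and the fsstat layout slide describe the same computation: read a handful of BPB fields and derive where the FATs, root directory and cluster area begin. The following is an added example, not code from the slides or from The Sleuth Kit. The boot sector bytes are reconstructed from the slide's hexdump (offsets 0x00-0x3f, zeros, then the 0x55AA signature); the field offsets are those of the standard FAT16 BPB. It also carries the Case 2 formula (C - 2) * S + R + 2*F + D*E/512 as a general function, so the slide's book values can be checked against it.

```python
"""Parse a FAT16 boot sector and derive the layout the way fsstat reports it.

Added example; the boot sector is reconstructed from the slide's hexdump.
"""
import struct

# Offsets 0x00-0x3f as shown on the slide, 446 zero bytes, then the 55AA signature.
BOOT_SECTOR = bytes.fromhex(
    "eb58904d5357494e342e310002020100"
    "0200020000f89d003f00ff00dfba6500"
    "c53901008000292c24f0794e4f204e41"
    "4d452020202046415431362020200000"
) + bytes(446) + b"\x55\xaa"


def parse_boot_sector(sector):
    """Decode the BPB fields that fix the layout of a FAT12/16 volume."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot sector signature")
    # 0x0b bytes/sector, 0x0d sectors/cluster, 0x0e reserved sectors, 0x10 FAT count,
    # 0x11 root entries, 0x13 total sectors (16 bit), 0x15 media, 0x16 sectors/FAT
    (bps, spc, reserved, nfats, root_entries, total16,
     media, spf) = struct.unpack_from("<HBHBHHBH", sector, 0x0B)
    total32 = struct.unpack_from("<I", sector, 0x20)[0]
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fat_count": nfats,
        "root_entries": root_entries,
        "sectors_per_fat": spf,
        "media": media,
        # the 16-bit count is 0 when the volume needs the 32-bit field at 0x20
        "total_sectors": total16 or total32,
    }


def layout(bs):
    """Sector ranges of the reserved area, FATs, root directory and cluster area."""
    R, F, n = bs["reserved_sectors"], bs["sectors_per_fat"], bs["fat_count"]
    root_sectors = bs["root_entries"] * 32 // bs["bytes_per_sector"]
    root_start = R + n * F
    data_start = root_start + root_sectors
    last = bs["total_sectors"] - 1
    n_clusters = (bs["total_sectors"] - data_start) // bs["sectors_per_cluster"]
    return {
        "reserved": (0, R - 1),
        "fat": [(R + i * F, R + (i + 1) * F - 1) for i in range(n)],
        "root_dir": (root_start, root_start + root_sectors - 1),
        "cluster_area": (data_start, last),
        "cluster_range": (2, n_clusters + 1),  # cluster numbering starts at 2
    }


def cluster_to_sector(c, reserved, sectors_per_fat, sectors_per_cluster,
                      root_entries, fat_count=2, entry_size=32, bytes_per_sector=512):
    """Sector address of cluster c: (C - 2) * S + R + 2*F + D*E/512."""
    return ((c - 2) * sectors_per_cluster + reserved + fat_count * sectors_per_fat
            + root_entries * entry_size // bytes_per_sector)


if __name__ == "__main__":
    bs = parse_boot_sector(BOOT_SECTOR)
    for key, value in layout(bs).items():
        print(f"{key:13} {value}")
```

With the slide's image the layout comes out exactly as fsstat prints it (FAT 0 at 1-157, FAT 1 at 158-314, root directory at 315-346, cluster area at 347-80324, clusters 2-39990), and the book values of Case 2 (R = 6, F = 249, D = 512, E = 32, S = 32) place cluster 812 at sector 26456.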
The FAT file system: Files and directories - Keeping track of files

  fsstat output, continued:
  CONTENT INFORMATION
  --------------------------------------------
  Sector Size: 512
  Cluster Size: 1024
  Total Cluster Range: 2 - 39990

Directory entry for TESTFIL.TXT: 32 bytes, located in a cluster in the data area. It holds the file name, the size and the starting address of the file content.

  5445 5354 4649 4c20 5458 5420 0000 0000  TESTFIL TXT ....
  0000 4f36 0000 c87b 4f36 0300 2300 0000  ..O6...{O6..#...

  Name: TESTFIL TXT   Type: 0x20   FAT cluster addr.: 0x0003 -> cluster 3   Size: 0x23 = d35

FAT structure, with the entry for cluster #3 (in red on the slide):

  f8ff ffff ffff ffff ffff 0000 0000 0000
  0000 0000 0000 0000 0000 0000 0000 0000

  Cluster:  2 3 4 . . .
  Status:   A A A U U A

Both directory entry structures and pure file content are located in clusters in the data area.

The FAT file system: Chaining
Cluster chaining is used if file size > cluster size. TESTFIL.TXT, size 0x401 = d1025:

  0000200: f8ff ffff ffff ffff ffff ffff ffff ffff
  0000210: 0900 0a00 ffff 0000 0000 0000 0000 0000

  Cluster:    2 3 4   . . .
  FAT entry:  A 4 EOF U U A

The FAT file system: Analysis considerations - File System
Case 1: The missing partition table
- A FAT fs is on a partition, but we do not know where the fs starts.
- Objective: find the file system (if possible).
- Solution: use signature matching. All FAT fs have the 0x55 0xAA sig. in bytes 510 and 511 of the boot sector -> search the disk for 55AA.
- Since we do not know where the fs starts, an exhaustive search is needed.
- A random distribution of 2 byte signatures that match yields one hit every 2^16 sectors. Be prepared for lots of false positives.

The FAT file system: Analysis considerations - Content
Case 2: The whereabouts of a cluster numbered 812
- We know that a file named B0mb is in cluster 812, but where is this?
- Search the boot sector for the size of the reserved area (R), the FAT (F), the no. of directory entries in the root dir. (D) and sectors/cluster (S). Consult the literature for the size of a directory entry (E).
- Do the math. Use from the book: R = 6, F = 249, D = 512, E = 32, S = 32, C = 812.

  Sec. addr of cluster = (C - 2) * S + R + 2*F + (D*E/512) = 26456

  Here cluster 812 = sec. 26456.

The FAT file system: Analysis considerations - Metadata
Case 3: You did what!?? Give here them directories... NOW!
- When a directory is deleted, two things happen:
  - The FAT entry is set to 0000 for the affected clusters.
  - Also, the first character in the filename of the files in the dir. is replaced with "_" (0xe5).
- However... as long as the directory is not wiped, we can get it back.
- First, we identify unallocated data only: look in the FAT. Entries with 0000 are unallocated. Extract the corresponding clusters.

  f8ff ffff ffff ffff ffff 0000 0000 0000
  0000 0000 0000 0000 0000 0000 0000 0000

- Second, search the unallocated data for the directory entry for ".", 0x2e202020. Display cluster size bytes from where the signature starts:

  2e20 2020 2020 2020 2020 2010 0000 0000  .          .....
  0000 4f36 0000 b17b 4f36 0500 0000 0000  ..O6...{O6......
  2e2e 2020 2020 2020 2020 2010 0000 0000  ..         .....
  0000 4f36 0000 b17b 4f36 0000 0000 0000  ..O6...{O6......
  e545 5354 4649 4c20 5458 5420 0000 0000  .ESTFIL TXT ....
  0000 4f36 0000 c87b 4f36 0600 2300 0000  ..O6...{O6..#...

  Cluster address (0x06), file size (0x23).

The FAT file system: Analysis considerations - Metadata
How well are we able to recover lost data?
- We know the file size and the starting cluster as given by the directory entry structure, but the FAT is zeroed out.
- We have two options:
  1. We read (file size / cluster size) clusters regardless of allocation status.
  2. We read (file size / cluster size) clusters from unallocated space only.

  Example: first cluster = 56, size 4+ clusters; clusters 56 57 58 59 60 61, some allocated and some unallocated; the file content read by each option.

- And you are saved from the wrath of your boss... once again!

The FAT file system: Data hiding
- Boot sector hiding: the boot sector is often not fully occupied. "Lots" of space to hide data here.
- Volume slack hiding.
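The directory entry, chaining and Case 3 slides above are one workflow: decode the 32-byte entry, walk the FAT from its first cluster, and when the FAT has been zeroed, find the deleted directory in unallocated clusters and read the file's clusters by size. The following is an added example, not code from the slides or from The Sleuth Kit. The directory entry, both FAT dumps and the deleted directory are the bytes shown on the slides; the cluster area around them, the 35-byte file content in cluster 6 and the allocated cluster 7 used for the two recovery options are constructed here so the code runs offline.

```python
"""FAT16 directory entries, cluster chains and deleted-directory recovery.

Added example; dumps are from the slides, the cluster area is constructed.
"""
import math
import struct

CLUSTER_SIZE = 1024   # 2 sectors x 512 bytes, as on the slides
EOF_MIN = 0xFFF8      # FAT16 entries >= 0xFFF8 mark the end of a chain
MAX_CLUSTER = 15      # the constructed cluster area holds clusters 2..15

# Directory entry for TESTFIL.TXT ("Keeping track of files" slide).
TESTFIL_ENTRY = bytes.fromhex(
    "54455354 46494c20 54585420 00000000 00004f36 0000c87b 4f360300 23000000")
# First 32 bytes of the FAT shown on the "Chaining" slide (image offset 0x200).
FAT_CHAINED = bytes.fromhex(
    "f8ffffff ffffffff ffffffff ffffffff 09000a00 ffff0000 00000000 00000000")
# FAT from Case 3: clusters 2-4 allocated, everything from cluster 5 on is 0000.
FAT_DELETED = bytes.fromhex(
    "f8ffffff ffffffff ffff0000 00000000 00000000 00000000 00000000 00000000")
# The deleted directory found in unallocated space: ".", ".." and _ESTFIL.TXT.
DELETED_DIR = bytes.fromhex(
    "2e202020 20202020 20202010 00000000 00004f36 0000b17b 4f360500 00000000"
    "2e2e2020 20202020 20202010 00000000 00004f36 0000b17b 4f360000 00000000"
    "e5455354 46494c20 54585420 00000000 00004f36 0000c87b 4f360600 23000000")
FILE_CONTENT = b"B0mb: constructed content, 35 bytes"   # constructed, 35 bytes


def fat_entries(fat):
    """The FAT as a list of 16-bit little-endian entries."""
    return list(struct.unpack(f"<{len(fat) // 2}H", fat))


def parse_dir_entry(raw):
    """Decode name, attribute, first cluster and size of a 32-byte entry."""
    base = raw[0:8].decode("latin-1").rstrip()
    ext = raw[8:11].decode("latin-1").rstrip()
    if raw[0] == 0xE5:              # deletion overwrote the first character
        base = "_" + base[1:]
    first_cluster, size = struct.unpack_from("<HI", raw, 0x1A)
    return {"name": f"{base}.{ext}" if ext else base, "attr": raw[11],
            "first_cluster": first_cluster, "size": size, "deleted": raw[0] == 0xE5}


def follow_chain(fat, first):
    """Walk the FAT from `first` to EOF; a 0000 entry (unallocated) ends the walk."""
    entries, chain, c = fat_entries(fat), [], first
    while 2 <= c < EOF_MIN and c < len(entries) and c not in chain:
        chain.append(c)
        c = entries[c]
    return chain


def unallocated_clusters(fat, max_cluster):
    entries = fat_entries(fat)
    return [c for c in range(2, max_cluster + 1) if entries[c] == 0]


def cluster_bytes(cluster_area, c):
    off = (c - 2) * CLUSTER_SIZE
    return cluster_area[off:off + CLUSTER_SIZE]


def find_deleted_dirs(cluster_area, fat, max_cluster):
    """Search unallocated clusters for a '.' entry (0x2e202020) and decode the directory."""
    found = []
    for c in unallocated_clusters(fat, max_cluster):
        data = cluster_bytes(cluster_area, c)
        for off in range(0, CLUSTER_SIZE, 32):
            if data[off:off + 4] != b".   ":
                continue
            entries = []
            for pos in range(off, CLUSTER_SIZE, 32):
                if data[pos] == 0x00:       # 0x00 in the first byte: no more entries
                    break
                entries.append(parse_dir_entry(data[pos:pos + 32]))
            found.append({"cluster": c, "entries": entries})
            break
    return found


def recover_file(cluster_area, fat, first_cluster, size, max_cluster, unallocated_only):
    """Read ceil(size / cluster size) clusters from first_cluster with no FAT chain.
    Option 1 takes consecutive clusters regardless of allocation status;
    option 2 skips clusters the FAT still marks as allocated."""
    n = math.ceil(size / CLUSTER_SIZE)
    candidates = list(range(first_cluster, max_cluster + 1))
    if unallocated_only:
        free = set(unallocated_clusters(fat, max_cluster))
        candidates = [c for c in candidates if c in free]
    clusters = candidates[:n]
    data = b"".join(cluster_bytes(cluster_area, c) for c in clusters)
    return clusters, data[:size]


def build_cluster_area():
    """Constructed data area: deleted directory in cluster 5, file content in cluster 6."""
    area = bytearray(CLUSTER_SIZE * (MAX_CLUSTER - 1))
    area[3 * CLUSTER_SIZE:3 * CLUSTER_SIZE + len(DELETED_DIR)] = DELETED_DIR
    area[4 * CLUSTER_SIZE:4 * CLUSTER_SIZE + len(FILE_CONTENT)] = FILE_CONTENT
    return bytes(area)


def fat_with_cluster7_allocated():
    """Constructed variant of the Case 3 FAT in which cluster 7 is still in use."""
    fat = bytearray(FAT_DELETED)
    struct.pack_into("<H", fat, 7 * 2, 0xFFFF)
    return bytes(fat)
```

On the chaining dump the walk from cluster 8 yields 8 -> 9 -> 10 -> EOF (entries 0900, 0a00, ffff), and from cluster 3 it stops immediately because entry 3 is ffff. On the Case 3 FAT, clusters 5-15 are unallocated, the "." signature is found at cluster 5, and the third entry decodes as _ESTFIL.TXT, cluster 6, 35 bytes. With cluster 7 still allocated and a file of 1500 bytes starting at cluster 6, option 1 reads clusters 6 and 7 while option 2 reads 6 and 8, which is the difference the last slide illustrates.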
The FAT file system: Data hiding (continued)
- Volume slack hiding: put data after the file system. The fs size can be changed by editing the boot sector.

The FAT file system: Data hiding example
Hide and alter data in the boot sector.

1. Stupifying the user by direct insult...

  Original boot sector (message from the boot code):
  0000000: ëX.MSWIN4.1.....
  0000010: .....ø..?.ÿ.ߺe.
  0000020: Å9....),$ðyNO NA
  0000030: ME    FAT16   ..
  0000040: ................
  0000050: ............¾t~.
  0000060: "Àt.´.Í.ëõ´.Í.´.
  0000070: Í.ëþThis partiti
  0000080: on does not have
  0000090:  an operating sy
  00000a0: stem loader inst
  00000b0: alled on it...Pr
  00000c0: ess a key to reb
  00000d0: oot.............
  00000e0: ................
  00000f0: ................
  <removed>
  00001f0: ..............Uª

  After editing the message:
  0000070: Í.ëþDude, trying
  0000080:  to boot this pa
  0000090: rtition...Welcom
  00000a0: e to stupidland,
  00000b0:  man! ...Pr
  00000c0: ess a key to reb
  00000d0: oot.............

  1. Det. address of char T in This -- 0x74 = d116
  2. Create message and insert it into the image (I used dd for this)
     -- dd if=<Insult text> obs=1 seek=116 conv=notrunc of=<imgname>

The FAT file system: Data hiding example - Actually hiding data
  1. Det. beginning of unused space -- 0xd4 = d212
  2. -- dd if=<hidden> obs=1 seek=212 conv=notrunc of=<imgname>

  0000000: ëX.MSWIN4.1.....
  0000010: .....ø..?.ÿ.ߺe.
  0000020: Å9....),$ðyNO NA
  0000030: ME    FAT16   ..
  0000040: ................
  0000050: ............¾t~.
  0000060: "Àt.´.Í.ëõ´.Í.´.
  0000070: Í.ëþThis partiti
  0000080: on does not have
  0000090:  an operating sy
  00000a0: stem loader inst
  00000b0: alled on it...Pr
  00000c0: ess a key to reb
  00000d0: oot.---These are
  00000e0:  super extra imp
  00000f0: ortant things th
  0000100: at should not co
  0000110: me in the .wrong
  0000120:  hands. I hid it
  0000130: here.../kilroy--
  0000140: ................
  (rows 0000150 - 00001e0: all zeros)
  00001f0: ..............Uª
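The two hiding places on the last slides, the unused tail of the boot sector and the volume slack behind the declared end of the file system, are both easy to check for from the defender's side: list the printable runs in the boot sector beyond the BPB, compare where the boot code stops against a known-good boot sector, and compare the volume size declared in the BPB with the size of the image or partition. The following is an added example, not code from the slides. The image is constructed: the BPB values are those of the slides (512 bytes/sector, 2 sectors/cluster, 1 reserved sector, 2 FATs, 512 root entries, 157 sectors/FAT), the boot code's message is placed at 0x74 so that the unused space begins at 0xd4 as on the slide, the total sector count of 64, the hidden text and the slack bytes are constructed.

```python
"""Detect data in boot sector free space and in volume slack.

Added example; the image below is constructed, not the slide's image.
"""
import struct

BYTES_PER_SECTOR = 512
TOTAL_SECTORS = 64          # constructed: small volume so the image fits in memory
MESSAGE_OFFSET = 0x74       # start of the boot code's message on the slide
MESSAGE = (b"This partition does not have an operating system loader "
           b"installed on it...Press a key to reboot")   # 95 bytes, ends at 0xd2
UNUSED_START = 0xD4         # slide: beginning of unused space, 0xd4 = d212


def build_image(hidden=b"", slack=b""):
    """Constructed FAT16 image: boot sector, zeroed volume, optional slack."""
    boot = bytearray(BYTES_PER_SECTOR)
    boot[0:3] = b"\xeb\x58\x90"
    boot[3:11] = b"MSWIN4.1"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total16, media, sectors/FAT
    struct.pack_into("<HBHBHHBH", boot, 0x0B, 512, 2, 1, 2, 512, 0, 0xF8, 157)
    struct.pack_into("<I", boot, 0x20, TOTAL_SECTORS)
    boot[MESSAGE_OFFSET:MESSAGE_OFFSET + len(MESSAGE)] = MESSAGE
    boot[UNUSED_START:UNUSED_START + len(hidden)] = hidden
    boot[510:512] = b"\x55\xaa"
    return bytes(boot) + bytes(BYTES_PER_SECTOR * (TOTAL_SECTORS - 1)) + slack


def boot_sector_strings(boot, min_len=8):
    """Printable ASCII runs after the BPB (offset 0x3e) up to the signature."""
    runs, start = [], None
    for i in range(0x3E, 510):
        printable = 0x20 <= boot[i] < 0x7F
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= min_len:
                runs.append((start, boot[start:i].decode("ascii")))
            start = None
    if start is not None and 510 - start >= min_len:
        runs.append((start, boot[start:510].decode("ascii")))
    return runs


def boot_code_end(boot):
    """One past the last non-zero byte before the signature; compare with a
    known-good boot sector of the same formatter to spot appended data."""
    last = max((i for i in range(0x3E, 510) if boot[i] != 0), default=0x3D)
    return last + 1


def volume_slack(image):
    """Bytes beyond the volume size the BPB declares (bytes/sector x total sectors)."""
    bps = struct.unpack_from("<H", image, 0x0B)[0]
    total16 = struct.unpack_from("<H", image, 0x13)[0]
    total32 = struct.unpack_from("<I", image, 0x20)[0]
    return image[bps * (total16 or total32):]


if __name__ == "__main__":
    img = build_image(hidden=b"---constructed hidden text.../kilroy---",
                      slack=b"data after the file system")
    for off, text in boot_sector_strings(img[:512]):
        print(f"0x{off:03x}: {text}")
    print("boot code ends at", hex(boot_code_end(img[:512])))
    print("volume slack:", volume_slack(img))
```

On the clean image the only string after the BPB is the boot message at 0x74 and the boot code ends at 0xd3; once text is written at 0xd4 a second string appears there and the end moves past it, and whatever was appended behind the declared volume size comes back from volume_slack. A shrunken total sector count in the BPB shows up the same way, as slack that is larger than the partition geometry justifies.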