
CNS 450: COMPUTER FORENSICS & INCIDENT RESPONSE

Week 2 Lecture

Copyright 2011, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Overview of Today's Material

- Evidence Terminology & Courtroom Usage
- Tool Selection
- Data Formatting Terminology
- Disk Layout & Partitioning
- Windows Filesystems
  - FAT
  - NTFS
    - Master File Table
    - Attributes
    - Folder Structures
    - Timestamps

Digital Evidence Analysis (Generally)

Courtroom Treatment of Digital Evidence
- Best Evidence Rule
- Hearsay Rule
- Expert Witness Testimony
- E-Discovery

Other Federal Rules of Evidence Applying to Digital Evidence
- Relevant (FRE 401)
- Authentic (FRE 901(a))
  - Chain of Custody
- Hearsay (FRE 801)
- Original (FRE 1001-1008)
- Unfair prejudice (FRE 403)

Additional Evidence Terminology
- Reliability
- Demonstrative Evidence
- Real Evidence
- Testimonial Evidence
- Circumstantial Evidence
- Direct Evidence

Evidence terminology

Reliability
- Evidence may be given different weight or credibility by the fact finder (judge, jury, arbitrator)
- Evidence that is corroborated (the fact is evidenced from an independent source) may be given added weight
- Reliability depends on how you go about collecting and preserving evidence

Evidence terminology

Demonstrative evidence
- Generally a visual aid to help further the understanding of the trier of fact
- Charts, maps and models
- Photographs, sound recordings

Evidence terminology

Real evidence
- An object that had a direct part in the incident or event
- A tangible object (bullet, weapon, document, clothing, defective bolt)

Evidence terminology

Circumstantial evidence
- An inference, in addition to the truth of the matter stated, needs to be made
- Example inference: User A (a person) modified the database:
  - The log entry shows that the username and password of User A were used to access the database, and the IP address of the connection to the database matches the IP address of User A's computer, as verified by a log from the time
  - Therefore User A must have been performing the action, since no one else should have had access to his account

Evidence terminology

Testimonial evidence
- Witness with personal knowledge
- Expert or opinion witness

Evidence terminology

Direct evidence
- The sole inference that must be made to establish a fact of consequence is the truth of the matter asserted
- Example: a log entry shows that a database was accessed on May 19, 2004 and the Customers table was changed

Spoliation

The destruction or significant alteration of evidence, or the failure to preserve property for another's use as evidence in pending or reasonably foreseeable litigation.

A party claiming spoliation must demonstrate that:
- The party having control of the evidence had an obligation to preserve it at the time it was destroyed
- The evidence was destroyed with a culpable state of mind
- The destroyed evidence was relevant to the party's claim or defense, such that a reasonable trier of fact could find that it would support that claim or defense

Selecting Forensic Tools

Requirements
- Reliability (repeatability)
- Efficacy
- Transparency

Reliability of Forensic Tools

The questions a court will ask about a forensic procedure (the Daubert factors):
- Testing: can the procedure be tested, and has it been?
- Errors: is there a known error rate or failure condition for the procedure?
- Publication: has the procedure been published and subjected to peer review?
- Acceptance: is the procedure generally accepted in the relevant scientific community?

Reliability of Forensic Tools

Resources:
- NIST Computer Forensics Tool Testing (CFTT) Project web site at http://www.cftt.nist.gov/
- Brian Carrier's article, Open Source Digital Forensics Tools: The Legal Argument, http://www.digitalevidence.org/papers/opensrc_legal.pdf

Empty Space Terms (used inconsistently)

- Unallocated space
- Unused space
- Slack space

Unallocated Space: typical usage

Any location which does not currently hold referenced data. Can be within any structure, for example:
- Disk volume (term not used consistently)
- Filesystem (the most common usage)
- Database file
- Registry hive
- Directory
- Physical memory (heap)

Slack Space

Space at the end of a record that is allocated but not used, typically because of a fixed allocation unit size. May contain remnants of a previously allocated record.

- RAM slack: space in the last sector of a file after the end of the file data (named for the days when the OS padded it with whatever happened to be in memory; current Windows versions pad it with zeros)
- File slack: any remaining whole sectors in the last cluster of a file, following the RAM slack; these still hold whatever was written there before. In typical usage "file slack" may include the RAM slack
- Volume/partition slack (inconsistent usage): space between the end of a volume/filesystem and the end of the disk partition it occupies

Data Storage: Big-Endian vs. Little-Endian

- Big-endian: most significant byte stored first (at the lowest address). Used by mainframes, many UNIX/RISC systems and by network protocols ("network byte order")
- Little-endian: least significant byte stored first. Used by x86/x64 PCs, and therefore by practically every Windows on-disk and in-memory structure you will parse

Value: 258   Hex: 0x0102   Big-endian bytes: 01 02   Little-endian bytes: 02 01

Mnemonic: LLL, Little Least Left (in little-endian the Least significant byte sits Leftmost, i.e. at the lowest address)

Unicode

- Multi-byte characters
- Because of the various localization initiatives, much Windows internal storage, memory very much included, is UTF-16LE ("2-byte Unicode")
- If your search tool does not directly support Unicode, you must convert your search strings manually: for ASCII text, follow each character with a null byte (0x00). Because the encoding is little-endian the null comes after the character, so "abc" becomes 61 00 62 00 63 00
- Other encodings exist (UTF-8, variable length at 1-4 bytes per character, and UTF-32) and are less common inside Windows structures, but UTF-8 is the norm in web content and many log files, so a keyword may need to be searched in more than one form

Timestamps

Windows uses a variety of timestamp formats in different areas.

Windows FILETIME: a 64-bit little-endian count of 100-nanosecond intervals since 1/1/1601 00:00:00 UTC. Typically found in filesystem metadata in sets of four (MACB times), stored on disk in this order:

1. Creation ([B]orn) time
2. Last [M]odified time
3. MFT entry modified ([C]hanged) time
4. Last [A]ccessed time
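The three conversions on the preceding slides (byte order, UTF-16LE search strings, FILETIME) in working form. This is an added example, not code from the lecture; the sample buffer and the 2004 date are constructed for illustration, and the function names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# ---- Endianness: the same 16-bit value in both byte orders ----
def pack_both_orders(value):
    """Return the big- and little-endian encodings of a 16-bit value."""
    return {"big": struct.pack(">H", value), "little": struct.pack("<H", value)}

def read_little_endian(raw):
    """Interpret raw bytes as an unsigned little-endian integer of any width,
    the way every field in an MBR, FAT or NTFS structure has to be read."""
    return int.from_bytes(raw, "little")

# ---- Unicode: build the UTF-16LE pattern a Windows-internal string search needs ----
def ascii_to_utf16le_pattern(term):
    """Windows stores most strings as UTF-16LE, so each ASCII character is
    followed by a 0x00 byte (low byte first, because the encoding is little-endian)."""
    return term.encode("utf-16-le")

def find_all(haystack, needle):
    """Offsets of every occurrence of needle in haystack."""
    hits, start = [], 0
    while (i := haystack.find(needle, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits

def keyword_search(buf, term):
    """Run the same keyword in ASCII and UTF-16LE form over a raw buffer
    (memory dump, unallocated space, registry hive) and report both hit lists."""
    return {"ascii": find_all(buf, term.encode("ascii")),
            "utf16le": find_all(buf, ascii_to_utf16le_pattern(term))}

# ---- Timestamps: Windows FILETIME <-> UTC datetime ----
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(raw):
    """raw: 8 bytes, little-endian count of 100 ns intervals since 1601-01-01 UTC.
    Python datetimes stop at microseconds, so the last (100 ns) digit is dropped."""
    ticks = read_little_endian(raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, returned as the 8 bytes you would grep for on disk."""
    ticks = (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return struct.pack("<Q", ticks)

# Constructed sample buffer (not real evidence): the keyword "password" once as
# ASCII, once as UTF-16LE, plus an upper-case ASCII copy that a case-sensitive
# search must not match.
SAMPLE_BUFFER = (bytes(4) + b"password" + bytes(3)
                 + "password".encode("utf-16-le") + bytes(2)
                 + b"PASSWORD" + bytes(5))

# 2004-05-19 00:00:00 UTC (the date from the direct-evidence example) as a FILETIME
SAMPLE_FILETIME = datetime_to_filetime(datetime(2004, 5, 19, tzinfo=timezone.utc))
```

The UTF-16LE hit lands at a different offset from the ASCII hit, and the upper-case copy is missed entirely: a real keyword sweep needs both encodings and usually a case-insensitive pass as well.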

Drive Geometry Terms: Sectors, and Tracks, and Clusters (Oh My!)

- Disk drives are physically divided into platters; each surface has its own read/write head, data on a surface is laid out in concentric tracks, and the tracks at the same radius on all surfaces form a cylinder
- Contiguous chunks of data are variously referred to as sectors, clusters, blocks or cylinders
- Physical arrangement can be important when attempting to recover data from damaged media
- For our current purposes, a disk is simply a long sequence of sectors (the smallest directly addressable chunk of disk, typically 512 bytes), which are grouped into clusters whose size varies by filesystem and by the choice made at format time
- Disks are then divided, using a partitioning scheme, into partitions/volumes, which are in turn typically formatted as filesystems
- Note: drives with 4K sectors are becoming more common, and disks larger than 2 TB must be partitioned using GPT (GUID Partition Table) rather than MBR; newer systems use GPT regardless of size

MBR Partitioning

Most Windows partitions are MBR.

The Master Boot Record lives in the first 512-byte sector of the disk and contains:
- Boot code (446 bytes)
- 4 primary partition table entries of 16 bytes each, starting at offset 446 (not all need be valid)
- Signature value 0xAA55 at offset 510 (the bytes 55 AA on disk, since it is stored little-endian)

Each partition table entry contains:
- Status/bootable flag (0x80 = active)
- Starting CHS address (3 bytes)
- Type of partition (1 byte)
- Ending CHS address (3 bytes)
- Starting LBA address (4 bytes, little-endian)
- Number of sectors in the partition (4 bytes, little-endian)

A primary partition may be an extended partition (type 0x05 or 0x0F), which references a linked list of secondary extended partition tables, each describing one logical partition and, optionally, the next link in the chain.

The first partition traditionally starts at LBA 63, leaving 62 unused sectors after the MBR, because of the legacy requirement that partitions begin on a cylinder boundary. Windows Vista and later align the first partition at LBA 2048 (1 MiB) instead.
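An added example (not from the lecture) that parses a constructed 512-byte MBR into its partition table, computes the unpartitioned sector ranges (the 62-sector gap after the MBR among them) and the partition slack from the "data hiding" list. The partition type table is a small subset of the standard IDs, the FE FF FF CHS filler is the usual "use LBA" convention, and the sample disk geometry is made up.

```python
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446          # 446 bytes of boot code come first
MBR_SIGNATURE = 0xAA55                # stored little-endian, so 55 AA on disk

# A handful of the standard type IDs (subset, for labelling only)
PARTITION_TYPES = {0x05: "extended (CHS)", 0x07: "NTFS / exFAT / HPFS", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux"}
EXTENDED_TYPES = {0x05, 0x0F}

def parse_mbr(sector):
    """Parse one 512-byte MBR sector into its four partition table entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature, = struct.unpack_from("<H", sector, 510)
    if signature != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{signature:04X}")
    partitions = []
    for slot in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4); all little-endian
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, PARTITION_TABLE_OFFSET + 16 * slot)
        if ptype == 0 and count == 0:
            continue                                   # empty slot
        partitions.append({
            "slot": slot, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02X}"),
            "extended": ptype in EXTENDED_TYPES,
            "lba_start": lba_start, "sectors": count, "lba_end": lba_start + count - 1})
    return partitions

def unpartitioned_gaps(partitions, disk_sectors):
    """Sector ranges covered by no partition: the gap after the MBR, gaps between
    partitions, and anything after the last one. All are places data can hide."""
    gaps, cursor = [], 1                               # sector 0 is the MBR itself
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def partition_slack(partition, filesystem_sectors):
    """Sectors between the end of the filesystem (as its boot sector declares it) and
    the end of the partition holding it: the volume/partition slack of the deck."""
    return partition["sectors"] - filesystem_sectors

# ---- Constructed sample disk (not a real image) ----
def _entry(status, ptype, lba_start, count):
    # CHS fields set to FE FF FF, the conventional "beyond CHS range, use LBA" filler
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, count)

SAMPLE_DISK_SECTORS = 2_000_000
SAMPLE_MBR = (bytes(PARTITION_TABLE_OFFSET)                       # boot code left as zeros
              + _entry(0x80, 0x07, 63, 1_000_000)                  # bootable NTFS, classic LBA 63 start
              + _entry(0x00, 0x0C, 1_002_048, 500_000)             # FAT32, with a gap before it
              + _entry(0, 0, 0, 0) * 2                             # two unused slots
              + struct.pack("<H", MBR_SIGNATURE))
```

Feed `parse_mbr` the first 512 bytes of an image and `unpartitioned_gaps` the image's total sector count; every range it returns deserves a keyword sweep, since nothing in the filesystem layer will ever show you those sectors.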

MBR Partition Structure (diagram slide)

File Systems

A filesystem is a method of mapping file data and metadata onto a storage volume in such a way that it can be stored and retrieved efficiently.

Filesystem data categories:
- File system: data pertaining to the filesystem as a whole
- Content: data contained within the bodies of files
- Metadata: data about files
- File name: the human interface reference for a file identifier
- Application: data implementing special filesystem features such as journaling or quotas

Locations for potential data hiding

- Host Protected Area (HPA) / Device Configuration Overlay (DCO)
- The 62 sectors after the MBR, before the first partition
- Volume/partition slack
- Unpartitioned space: disk blocks not assigned to any partition
- The boot sector of a non-bootable partition
- Unallocated space within a filesystem, or within files/directories
- File slack

FAT Filesystems

- FAT12: 512 B to 8 KB clusters, 2^12 cluster addresses, 32 MB max volume size (floppy disks and other very small media)
- FAT16: 512 B to 64 KB clusters, 2^16 cluster addresses, 4 GB max volume size (2 GB with the 32 KB clusters most tools use)
- FAT32: 512 B to 32 KB clusters, 28 of the 32 address bits usable (2^28 cluster addresses), 8 TB max volume size in theory; in practice Windows only formats FAT32 volumes up to 32 GB, MBR limits partitions to 2 TB, and no single file can exceed 4 GB minus 1 byte
- No FAT filesystem has ACLs

NTFS

- 64-bit cluster numbers
- File size max
  - Theoretically 16 exabytes minus 1 KB (2^64 - 1024 bytes)
  - In practice 16 terabytes minus 64 KB (2^44 - 2^16 bytes)
- Volume size max
  - Theoretically 256 terabytes minus 64 KB (2^32 - 1 clusters of 64 KB)
  - In practice 16 terabytes with the default 4 KB clusters (2^32 clusters x 4 KB)
  - MBR partitions only support up to 2 TB in any case
- Max number of files: 4,294,967,295 (2^32 - 1)

NTFS Data Structure - Master File Table (MFT)

- Heart of NTFS. Has an entry for every file and directory, including itself ($MFT is entry 0)
- MFT entries are 1024 bytes in length and start with the signature FILE (typically) or BAAD (an entry that chkdsk found damaged)
- A single file can (rarely) require multiple MFT entries to store all its attributes; the extra entries point back to the base record
- It is sometimes possible to find complete MFT entries in unallocated space that reference remnant file data also in unallocated space

MFT Structure

The first 42 bytes of the data structure contain specialized fields, and the remaining 982 bytes are unstructured and can be filled with attributes and fixup values. (Windows XP and later extend the fixed header to 48 bytes, adding the entry's own MFT record number at offset 44; always take the fixup-array and first-attribute offsets from the header fields rather than assuming them.)

Fields in first 42 MFT bytes

Offset  Size  Field
0       4     Signature (FILE or BAAD)
4       2     Offset to fixup array, relative to start of MFT entry
6       2     Number of entries in fixup array
8       8     $LogFile Sequence Number (part of the journaling file system)
16      2     Sequence value (reuse counter, incremented each time the entry is allocated or unallocated; together with the entry number it forms the 64-bit file reference)
18      2     Link count (number of directory entries that refer to this file)
20      2     Offset to first attribute
22      2     Flags (0x01 = entry in use, 0x02 = directory)
24      4     Used size of MFT entry
28      4     Allocated size of MFT entry
32      8     File reference to base record (zero unless this is an extension record)
40      2     Next attribute ID
42      982   Attributes and fixup values

Attribute Header Structure

Byte range   Description
0-3          Attribute type identifier
4-7          Length of attribute (including this header, rounded up to a multiple of 8)
8            Non-resident flag (0 = resident, 1 = non-resident)
9            Length of name (in characters; 0 for an unnamed attribute)
10-11        Offset to name
12-13        Flags (compressed, encrypted, sparse)
14-15        Attribute identifier

Resident Attribute Structure

Byte range   Description
0-15         General header
16-19        Size of content
20-21        Offset to content (relative to the start of the attribute)

MFT Attribute Types

Type ID  Name                    Description
16       $STANDARD_INFORMATION   General information, such as flags; the last accessed, written, and created times; and the owner and security ID
32       $ATTRIBUTE_LIST         List where the other attributes for the file can be found
48       $FILE_NAME              File name, in Unicode, and the last accessed, written, and created times
64       $VOLUME_VERSION         Volume information. Exists only in version 1.2 (Windows NT)
64       $OBJECT_ID              A 16-byte unique identifier for the file or directory. Exists only in version 3.0+ (Windows 2000+)
80       $SECURITY_DESCRIPTOR    The access control and security properties of the file
96       $VOLUME_NAME            Volume name
112      $VOLUME_INFORMATION     File system version and other flags
128      $DATA                   File contents
144      $INDEX_ROOT             Root node of an index tree
160      $INDEX_ALLOCATION       Nodes of an index tree rooted in an $INDEX_ROOT attribute
176      $BITMAP                 A bitmap for the $MFT file and for indexes
192      $SYMBOLIC_LINK          Soft link information. Exists only in version 1.2 (Windows NT)
192      $REPARSE_POINT          Contains data about a reparse point, which is used as a soft link in version 3.0+ (Windows 2000+)
208      $EA_INFORMATION         Used for backward compatibility with OS/2 applications (HPFS)
224      $EA                     Used for backward compatibility with OS/2 applications (HPFS)
256      $LOGGED_UTILITY_STREAM  Contains keys and information about encrypted attributes in version 3.0+ (Windows 2000+)

Standard NTFS file system metadata files

Entry  File name  Description
0      $MFT       The entry for the MFT itself
1      $MFTMirr   Backup of the first entries in the MFT
2      $LogFile   Filesystem journal that records metadata transactions
3      $Volume    Volume information: label, identifier, version, etc.
4      $AttrDef   Attribute information, such as the identifier values, names and sizes
5      .          Root directory of the file system
6      $Bitmap    Allocation status of each cluster in the file system
7      $Boot      Boot sector and boot code for the file system
8      $BadClus   List of clusters that have bad sectors
9      $Secure    Information about security and access control for the files (version 3.0+, i.e. Windows 2000 and later)
10     $Upcase    Uppercase version of every Unicode character
11     $Extend    Directory that contains files for optional extensions. Microsoft does not typically place the files in this directory into the reserved MFT entries

Example MFT Entry (hex dump slide)

Timestamps in NTFS

NTFS files can have several associated attributes that contain timestamps:
- $STANDARD_INFORMATION
- $FILE_NAME (one per name: the long name, and possibly an additional 8.3 short name)
- $INDEX_ROOT of the parent directory (contains copies of $FILE_NAME entries)
- $INDEX_ALLOCATION of the parent directory (contains copies of $FILE_NAME entries)

Each of these holds the four file system timestamps (MACB times), stored in the order:
1. Creation ([B]orn) time
2. Last [M]odified time
3. MFT entry modified ([C]hanged) time
4. Last [A]ccessed time

Windows Usage of NTFS Timestamps

Windows itself generally uses only $STANDARD_INFORMATION for anything accessed via its API: GetFileTime()/SetFileTime() and the Explorer properties dialog work on those four values. The $FILE_NAME timestamps are written when that attribute is created (file creation, rename or move) and are not reachable through the documented API, which is what makes them a useful cross-check.

Manual Timestamp Alteration

Manually changing a timestamp in $STANDARD_INFORMATION is fairly trivial, for example with:
- Time Stamp 1.1: set a file's time stamp to a precise value
- Change File Time stamp (Novell Cool Solutions: Cool Tool)
- Attribute Changer
- Vinnie Liu's timestomp, one of the anti-forensics tools built into Metasploit

File Timestamp Changes by Activity (table slide)

NTFS directory entries also have timestamps & file sizes

- The index entry structure of an NTFS directory stores a complete copy of the referenced file's $FILE_NAME attribute(s), long and short names both, including all four timestamps and the allocated and real file sizes
- When a file is deleted, its entry is unlinked from the directory's B-tree, but is not wiped unless overwritten during ensuing B-tree rebalancing
- If you find a filename in unallocated space, or in the $INDEX_ALLOCATION or $INDEX_ROOT attribute of a folder which no longer contains a file of that name, it helps to know what you are looking at

$INDEX_ROOT Attribute Structure (diagram slide)

$INDEX_ROOT Header Structure

Byte range   Description                                                        Essential
0-3          Type of attribute in index (0 if the entry does not use an attribute)   Yes
4-7          Collation sorting rule                                              Yes
8-11         Size of each index record in bytes                                  Yes
12-12        Size of each index record in clusters                               Yes
13-15        Unused                                                              No
16+          Node header                                                         Yes

$INDEX_ALLOCATION Attribute Structure (diagram slide)

Index Record Header Structure

Byte range   Description                                        Essential
0-3          Signature value (INDX)                             No
4-5          Offset to fixup array                              Yes
6-7          Number of entries in fixup array                   Yes
8-15         $LogFile Sequence Number (LSN)                     No
16-23        The VCN of this record in the full index stream    Yes
24+          Node header                                        Yes

Index Entry Structure

Byte range   Description                                                                      Essential
0-7          MFT file reference for the file name                                             Yes
8-9          Length of this entry                                                             Yes
10-11        Length of $FILE_NAME attribute                                                   No
12-15        Flags (0x01 = entry has a child node, 0x02 = last entry in the node)             Yes
16+          $FILE_NAME attribute (if the length field is > 0)                                Yes
Last 8       VCN of the child node in $INDEX_ALLOCATION (exists only if the child flag is set), starting on an 8-byte boundary   Yes

Filename Attribute Structure

Byte range   Description                                           Essential
0-7          File reference of parent directory                    No
8-15         File creation time                                    No
16-23        File modification time                                No
24-31        MFT modification time                                 No
32-39        File access time                                      No
40-47        Allocated size of file                                No
48-55        Real size of file                                     No
56-59        Flags                                                 No
60-63        Reparse value                                         No
64           Length of name (in characters)                        Yes / No
65           Namespace (0 = POSIX, 1 = Win32, 2 = DOS, 3 = Win32 & DOS)   Yes / No
66+          Name (UTF-16LE)                                       Yes / No

Things to Remember

Focus on the timestamps
- Sets of four (64-bit, little-endian, count of 100 ns periods since 1/1/1601 00:00:00 UTC)
- Exist in both $STANDARD_INFORMATION attributes and (long and 8.3) $FILE_NAME attributes

$FILE_NAME attributes are found inside:
- MFT records (1024 bytes long, FILE or BAAD record signature)
- $INDEX_ROOT attributes (resident in the MFT, no separate signature)
- $INDEX_ALLOCATION attributes (non-resident, INDX record signature)

Detecting timestamp manipulation

- Compare the $STANDARD_INFORMATION timestamps with the $FILE_NAME timestamps; $STANDARD_INFORMATION times older than the corresponding $FILE_NAME times are a red flag
- Compare with other timestamps for the same file recovered from directory entries (index records) or from unallocated space
- Utilities which set timestamps typically either set a particular time with a zero sub-second component (a whole second, because the user typed a human-readable time) or copy the $STANDARD_INFORMATION times of some other file
- Look for log references to the questionable file
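An added example (my own code, not the lecture's and not analyzeMFT.py) that ties together the MFT entry header, the fixup array, the resident attribute header, the $STANDARD_INFORMATION and $FILE_NAME timestamp sets and the two $SI-versus-$FN checks just listed. It builds a constructed MFT record for a file named secret.txt whose $STANDARD_INFORMATION times were backdated to 2001, writes it "to disk" with fixups applied, then parses it back. The layout follows the tables above (42-byte NT-style header, fixup array at offset 42); every timestamp value, the parent reference and the file content are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

MFT_RECORD_SIZE, SECTOR_SIZE = 1024, 512
STANDARD_INFORMATION, FILE_NAME, DATA, END_MARKER = 0x10, 0x30, 0x80, 0xFFFFFFFF
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)          # FILETIME epoch

def filetime(ticks):
    """100 ns ticks since 1601-01-01 UTC -> aware datetime (the 100 ns digit is dropped)."""
    return EPOCH + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def apply_fixups(raw):
    """Verify and undo the update-sequence fixups. On disk the last two bytes of each
    512-byte sector of the record carry the USN; the real bytes sit in the fixup array."""
    rec = bytearray(raw)
    fix_off, fix_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[fix_off:fix_off + 2]
    for i in range(1, fix_cnt):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at end of sector {i - 1}: torn write or not a record")
        rec[end - 2:end] = rec[fix_off + 2 * i:fix_off + 2 * i + 2]
    return bytes(rec)

def parse_macb(buf, off):
    """Four FILETIMEs stored on disk in B, M, C, A order (creation first), as raw ticks."""
    return dict(zip("BMCA", struct.unpack_from("<4Q", buf, off)))

def parse_mft_entry(raw):
    """Walk the header and the resident attributes of one 1024-byte MFT record."""
    if raw[:4] == b"BAAD":
        raise ValueError("BAAD record: entry flagged as damaged by chkdsk")
    if raw[:4] != b"FILE":
        raise ValueError("no FILE signature: not an MFT entry")
    rec = apply_fixups(raw)
    seq, links, attr_off, flags, used, _alloc = struct.unpack_from("<HHHHII", rec, 16)
    entry = {"sequence": seq, "link_count": links, "in_use": bool(flags & 1),
             "is_directory": bool(flags & 2), "used_size": used, "attributes": []}
    off = attr_off
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        nonres, _nlen, _noff, _aflags, aid = struct.unpack_from("<BBHHH", rec, off + 8)
        attr = {"type": atype, "id": aid, "non_resident": bool(nonres)}
        if not nonres:                                   # resident: content follows the 24-byte header
            csize, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + csize]
            attr["content"] = content
            if atype == STANDARD_INFORMATION:
                attr["times"] = parse_macb(content, 0)
            elif atype == FILE_NAME:
                attr["parent_ref"] = struct.unpack_from("<Q", content, 0)[0] & 0xFFFFFFFFFFFF
                attr["times"] = parse_macb(content, 8)
                nlen, attr["namespace"] = content[64], content[65]
                attr["name"] = content[66:66 + 2 * nlen].decode("utf-16-le")
        entry["attributes"].append(attr)
        off += alen
    return entry

def timestomp_indicators(entry):
    """The two comparisons from the slide, done on raw ticks so the 100 ns digit survives."""
    attrs = entry["attributes"]
    si = next(a for a in attrs if a["type"] == STANDARD_INFORMATION)["times"]
    fns = [a for a in attrs if a["type"] == FILE_NAME]
    predates = [k for k in "BMCA" if any(si[k] < fn["times"][k] for fn in fns)]
    whole_second = [k for k in "BMCA" if si[k] % 10_000_000 == 0]
    return {"si_predates_fn": predates, "si_whole_second": whole_second}

# ---- Constructed sample record (not from a real volume) ----
def _resident_attr(atype, content, attr_id):
    length = (24 + len(content) + 7) & ~7               # attribute lengths are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id, len(content), 24, 0, 0)
    return hdr + content + bytes(length - 24 - len(content))

SI_OLD = to_filetime(datetime(2001, 1, 1, tzinfo=timezone.utc))                       # backdated, whole second
SI_C = to_filetime(datetime(2004, 5, 20, 8, 0, 0, 234567, tzinfo=timezone.utc)) + 8   # C set by the stomp itself
FN_T = to_filetime(datetime(2004, 5, 19, 10, 15, 30, 123456, tzinfo=timezone.utc)) + 7
SAMPLE_DATA = bytes(range(256)) + bytes(range(44))    # 300 bytes, so it crosses the sector end at 510

def build_sample_record(usn=0x0007):
    si = struct.pack("<4QIIII", SI_OLD, SI_OLD, SI_C, SI_OLD, 0x20, 0, 0, 0)
    name = "secret.txt".encode("utf-16-le")
    fn = struct.pack("<Q4QQQIIBB", (5 << 48) | 5, FN_T, FN_T, FN_T, FN_T, 4096, 300, 0x20, 0, 10, 1) + name
    attrs = (_resident_attr(STANDARD_INFORMATION, si, 0) + _resident_attr(FILE_NAME, fn, 1)
             + _resident_attr(DATA, SAMPLE_DATA, 2) + struct.pack("<II", END_MARKER, 0))
    header = struct.pack("<4sHHQHHHHIIQH", b"FILE", 42, 3, 0, 1, 1, 48, 1, 48 + len(attrs), 1024, 0, 3)
    rec = bytearray(header + bytes(6) + attrs)          # 6 bytes at 42: USN + two stashed words
    rec += bytes(MFT_RECORD_SIZE - len(rec))
    struct.pack_into("<H", rec, 42, usn)
    for i in range(2):                                   # write the record "to disk"
        end = (i + 1) * SECTOR_SIZE
        rec[44 + 2 * i:46 + 2 * i] = rec[end - 2:end]    # stash the real bytes in the fixup array
        rec[end - 2:end] = struct.pack("<H", usn)        # overwrite the sector end with the USN
    return bytes(rec)

SAMPLE_RECORD = build_sample_record()
```

Parsing the sample flags B, M and A as both predating the $FILE_NAME copies and sitting on exact second boundaries, while C (which SetFileTime() updates to the current time) looks genuine, which is exactly the pattern a timestomp leaves. Skipping the fixup step would instead hand you two bytes of USN in the middle of the file content, so do it before anything else.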

The Windows Recycle Bin

- A user file recovery mechanism shoehorned in before actual FAT or NTFS file deletion. Applies only to deletions done via the Windows GUI (Explorer and the shell API); command-line deletes and deletes made directly by programs bypass it
- Hidden folder at the top of the drive:
  - RECYCLED (Win95/98)
  - RECYCLER (WinNT/2K/XP/2K3)
  - $Recycle.Bin (WinVista/7)

WinNT/2K/XP/2K3 Recycle Bin

- Subfolder under RECYCLER named with the user's SID
- When a file goes into the trash, it is moved to a unique name under this folder of the form D<drive letter><index number>.<original extension>, for example Dc4.doc for index 4, deleted from C:
- Also under this subfolder is a hidden binary file named INFO2, containing one record per recycled file that documents its current name (index and drive), original full path, size and deletion time
- When the recycle bin is emptied, all these files are deleted and INFO2 is reset; the old records and the D* file contents then live on only in unallocated space

WinVista/7 Recycle Bin

- A user SID folder is created under $Recycle.Bin
- Each deleted file is moved to $R<6 random characters>.<original extension> under that SID folder
- A matching $I<same 6 characters>.<extension> file in the same folder contains the original path, the original size and the deletion time; there is no longer a central INFO2 index
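An added example (not from the lecture) that decodes both generations of recycle bin metadata described on the last two slides: the INFO2 index of the NT/2000/XP bin and the $I files of the Vista/7 bin, and joins $I records to their $R files so you can see which deleted content is still present. The field offsets come from the published record layouts rather than from the deck, the Windows 10 version-2 $I handling is my assumption, and every sample record is constructed.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def parse_info2(data):
    """INFO2 (NT/2000/XP/2003): 20-byte header whose bytes 12-15 hold the record size
    (800 on XP), then one fixed-size record per recycled file: 0-259 ANSI original path,
    260-263 index, 264-267 drive number (0 = A:), 268-275 deletion FILETIME,
    276-279 original size, 280-799 UTF-16LE original path."""
    record_size, = struct.unpack_from("<I", data, 12)
    records = []
    for off in range(20, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        index, drive, deleted, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le", "ignore").split("\x00", 1)[0]
        if not path:   # assumption: older ANSI-only records have no Unicode copy
            path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        records.append({"bin_name": f"D{chr(ord('a') + drive)}{index}{ntpath.splitext(path)[1]}",
                        "original_path": path, "original_size": size, "deleted_utc": filetime(deleted)})
    return records

def parse_dollar_i(data):
    """$I file, version 1 (Vista/7): 0-7 version, 8-15 original size, 16-23 deletion
    FILETIME, 24-543 original path as UTF-16LE padded with nulls. Version 2 (assumed here
    to be the Windows 10 form) replaces the fixed path with a character count at 24-27
    followed by the path."""
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        nchars, = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_path": path, "original_size": size,
            "deleted_utc": filetime(deleted)}

def pair_recycle_bin(listing):
    """Given {name: bytes} for one SID folder under $Recycle.Bin, join each $I record to
    its $R file by the shared suffix and note whether the content file is still there."""
    rows = []
    for name, content in sorted(listing.items()):
        if name.startswith("$I"):
            row = parse_dollar_i(content)
            row["data_file"] = "$R" + name[2:]
            row["data_present"] = row["data_file"] in listing
            rows.append(row)
    return rows

# ---- Constructed samples (not from a real system) ----
DELETED_AT = datetime(2004, 5, 19, 14, 30, 15, tzinfo=timezone.utc)

def _build_info2(entries):
    header = struct.pack("<IIIII", 5, 0, 0, 800, 0)       # only the record size matters here
    body = b""
    for index, drive, path, size in entries:
        body += (path.encode("ascii").ljust(260, b"\x00")
                 + struct.pack("<IIQI", index, drive, to_filetime(DELETED_AT), size)
                 + path.encode("utf-16-le").ljust(520, b"\x00"))
    return header + body

def _build_dollar_i(path, size):
    return struct.pack("<QQQ", 1, size, to_filetime(DELETED_AT)) + path.encode("utf-16-le").ljust(520, b"\x00")

SAMPLE_INFO2 = _build_info2([(3, 2, r"C:\Documents and Settings\alice\My Documents\plan.doc", 24576),
                             (4, 3, r"D:\backup\ledger.xls", 8192)])
SAMPLE_RECYCLE_BIN = {
    "$IABC123.txt": _build_dollar_i(r"C:\Users\alice\Documents\plan.txt", 1234),
    "$RABC123.txt": b"constructed file content",
    "$IXYZ789.xls": _build_dollar_i(r"C:\Users\alice\Desktop\ledger.xls", 8192),   # its $R is already gone
}
```

Both formats store the deletion time as a FILETIME and the original path as UTF-16LE, so the patterns from the Unicode slide apply: a keyword hit on a path fragment at an odd-looking offset in unallocated space may well be an orphaned INFO2 record or $I file, and the 8 bytes before it give you when the user threw the file away.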

Linux SIFT Kit Registry & MFT Tools

Python scripts:
- analyzeMFT.py: parses the MFT structure, pulling all metadata out into CSV or body-file format (does not parse folder index data)
- INDEXParse.py: parses extracted $INDEX_ALLOCATION attributes into CSV or body-file format

We will use these in today's lab, and talk more about them in the timelining section.

Evidence Analysis

- First, figure out what you're looking for
- Search through all evidence for case-related keywords (in Unicode and custom codepages as well as ASCII)
- Identify the data types of the search hits, formulate appropriate follow-up searches, lather, rinse, repeat
- Timeline the case data, and examine artifacts that have timestamps close to those of known case-related events

The importance of a dirty word list

- As you proceed through an investigation, you will discover various bits of information that can be used as search terms
- Keep a list of these and periodically search through all of the evidence for the ones that are new
- Often the search hits will themselves suggest new search terms

Dirty Word Categories

- What (data)
- Why (motivation)
- How (procedures)
- Who (people)
- Where (location)
- When (time/date, in its various formats)

Important Material

- Important = relevant to the case you're working on
- If you find it in a search, even in unallocated space, you need to be able to identify the type of structure it is or was embedded in, and know whether other information contained in that structure may be significant
- So think carefully about what kinds of things you'll be running searches for: your dirty word list

Recognizing Structures In Which Search Results Are Found

Examples of what you're looking for: the dirty word list for keyword searches
- Filenames, account names, registry key or value names (next week)
- Data from file contents: people, places, specific chunks of text
- Keywords relating to specific subjects: crime/drug/hacking terminology
- Dates/timestamps in any format, binary or text (you may have to convert and run multiple searches)

Any time I discuss a specific structure or artifact, look for where within it something might match a dirty word list element. Consider how you would recognize the structure if that happened, and what other useful information you might be able to extract.

When I describe an artifact that can be extracted with a specific tool, consider whether a keyword search might return hits based on that artifact, and how you might recognize that this is what has happened. Please ask questions; I may not always follow through and draw out all the implications explicitly.

Examples of structures you should be able to recognize from context if they turn up in search results:
- MFT record ($STANDARD_INFORMATION attribute, or more likely, $FILE_NAME attributes)
- INDX record ($FILE_NAME attributes)
- Windows EVT log record
- Registry key or value
- File metadata (you might need the file type for additional context, such as when an account name turns up buried in a PDF or Word document)

Once you recognize the structure, the next step is to find the associated information in that structure (timestamps, etc.) to add to your case notes and dirty word list.

Reading for Next Week

1. CERT, Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis (August 2008)
2. Brian Carrier's article, Open Source Digital Forensics Tools: The Legal Argument
3. Chapter 5, Registry Analysis, of Windows Forensic Analysis Toolkit, 3rd Edition, by Harlan Carvey (Syngress, January 15, 2012; Print ISBN-13 978-1-59749-727-5, Web ISBN-13 978-1-59749-728-2). Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy1.lib.depaul.edu/book/-/9781597497275

Questions?
