Slide1 l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 17

Computer Data Forensics Drive Slack and Format – Lab 2 Concept PowerPoint PPT Presentation


  • 289 Views
  • Uploaded on
  • Presentation posted in: General

Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU. Computer Data Forensics Drive Slack and Format – Lab 2 Concept. Slack – Definition. The amount of disk space that is wasted by having a large cluster size.

Download Presentation

Computer Data Forensics Drive Slack and Format – Lab 2 Concept

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Slide1 l.jpg

Joe Cleetus

Concurrent Engineering Research Center,

Lane Dept of Computer Science and Engineering, WVU

Computer Data ForensicsDrive Slack and Format – Lab 2 Concept


Slack definition l.jpg

Slack – Definition

  • The amount of disk space that is wasted by having a large cluster size.

  • For example, if a 300-byte file is stored on a disk with a cluster size of 1,024 bytes

    • - there will be 724 bytes of slack space that can't be used for any other files.

  • You can see how much space is allocated to a file by typing "DIR /v" at the command prompt.

Cluster size: This is the smallest amount of hard disk space a file can occupy. Floppies have a cluster size of 512 bytes and hard disks can have a cluster size ranging from 1 kilobyte to 16/32/64 kilobytes (sometimes even more). The larger the partition the larger the cluster size.


Ram slack l.jpg

RAM Slack

  • Clusters made up of sectors

  • For example, if a 300-byte file is stored on a disk If the file size is not an exact multiple of the sector size, the last sector is padded with bytes from memory – called RAM Slack

  • RAM Slack can contain any information in memory that may have been created, viewed, modified, downloaded or copied during work sessions

  • RAM slack occurs only in the sector of a file immediately after the last file character.

  • RAM slack is produced by the fact the disk is written from a 512-byte memory buffer


Drive slack l.jpg

Drive Slack

  • Drive slack occurs, in addition to RAM slack, when a file is recorded, if the padding required extends to more than one sector

  • Then the sector containing the last character of the file up to the end of that sector, is entirely RAM slack

  • And the following padding sector(s) contain DRIVE slack

  • Drive slack consists of whatever those extra sectors contained on the disk, prior to being written with this file

  • Hence Drive slack may have pieces of previously deleted files, or the format padding characters (if it was unused since formatting)


Drive slack example l.jpg

Drive Slack example

  • Assume a 2-sector cluster size and a file is written with the characters “Hello”

  • Then the data on disk looks as follows:--

  • Hello+++++++++++++++++++|------------------------(EOF)

  • RAM Slack is indicated by "+"Drive Slack is indicated by "-"


Slack persists l.jpg

Slack Persists

  • File slack is created when the data is written to disk

  • When the file is deleted by normal OS utilities the data remains intact

  • But the space it occupied is deallocated from the FAT

  • The data remains intact until that space is allocated to and overwritten by another file created

  • So to the Slack contained in the last cluster (RAM + Drive slack) of the deleted file remains


Significance of slack l.jpg

Significance of Slack

  • File slack contains random data dumped from memory

  • Hence it may have passwords, logon names, phone numbers, and other sensitive information

  • Slack can have traces that indicate past uses to which the computer has been put

  • Slack could be large (hundreds of MB) but it deserves a thorough analysis

  • Fragments of e-mail, word processor text, etc. can show up

Slack, an artifact of the OS file system, is a godsend to forensic investigators


References l.jpg

References

  • File slack, RAM slack and Drive slack defined

  • http://www.forensics-intl.com/def6.html

  • http://www.whitecanyon.com/library _understanding_terms.htm


Slack example of a document l.jpg

Slack – Example of a Document

Temp 1

Beginning of file

Slack

SWAP

File

Timed Backup

Document

Slack

Slack

Printer

Slack

Temp 2

End of file

Slack


Slack example of a document10 l.jpg

Slack – Example of a Document


Slack notes l.jpg

Slack Notes

  • For a single document you have many places it may be found

  • Judges think you have only one piece of evidence – wrong!

  • If you even take a floppy from a classified computer and print on another, the Print spooling file contains the data.


Format l.jpg

Format

Quick Format vs Complete Format:

  • Quick Format is the high level format. High Level – non-destructive, because it leaves data untouched, but frees all the clusters in the FAT table. Logically creates disk space, i.e., it will create a BOOT Record, FAT table, and Root Directory.

    e.g.

    FORMAT C: non-destructive FAT, all clusters are shown as unused, so all pointers are reset, and the root directory is cleared.

    FORMAT A:/Q also high level

  • Complete Format is the low level format. Low-level – destroys data by writing a pattern all through the sectors of the clusters. Physically creates sectors and tracks.

    e.g.

    FORMAT A:/U low-level format (U= unconditional)

    On HD low-level formatting is done at the factory. There are non-DOS utilities that write only sector IDs to make them readable


Utility for lab 2 l.jpg

Utility for Lab 2

  • Diskedit

  • NTI GETSLACK

    Function: Write contents of slack space on drive to a file.

    Platform: MS-DOS, Windows 3.x, Windows 9x (console mode)

    Invocation:

    To estimate output file space needed:

    GETSLACK drive: [drive:...]

    To write free space to an output file:

    GETSLACK filename drive: [drive:...]

    More than one drive may be specified.

    In addition: /f may be specified anywhere on the command line to filter non-printable values from the output, and /l may be specified anywhere on the command line to limit the size of the output file from the default size of 2.1 GB. (i.e. /l:xxx would set the size to any size less than 2.1 GB.)


Utility for lab 214 l.jpg

Utility for Lab 2

  • NTI TXTSRCHP

    TextSearch Plus is compatible with FAT 12, FAT 16 and FAT 32 systems. The program also identifies graphic files (potential steg) and performs text search of files, file slack, unallocated space and physical sectors. This program has been validated by and is used by numerous Fortune 500 corporations, all of the Big 5 accounting firms and several government agencies that deal with classified data.


Utility for lab 215 l.jpg

Utility for Lab 2

  • NTI FILTER_I

    It is used to aid in the identification of ASCII text, word combinations, passwords, network logons and English language text strings. Such identification is made from ambient data, i.e. data found in Windows swap files and files created from file slack and unallocated space. This program is primarily used to identify ‘unknowns’ and thus aid in the creation of keyword lists for use with forensic text search programs. The program is also ideal for identification of security risks and corporate policy violations.


Utility for lab 216 l.jpg

Utility for Lab 2

  • NTI FILTER_I (continued)

    FILTER (Option 1)

    This option is used to filter a specific file and to replace all occurrences of non-ASCII data with spaces. When this option is used the resulting file remains the same as the original.

    FILTER (Option 2)

    This option is used to filter a specific file and to replace all occurrences of non-ASCII data with one space per group of non-ASCII data. When this option is used the resulting file is smaller than the original.


Slide17 l.jpg

Utility for Lab 2

  • NTI FILTER_I (continued)

    GRAMMAR (Option 3)

    This option relies upon a predefined listing of common English words that are embedded into the program. This feature can be useful in the identification of data that may contain fragments of e-mail messages or word processing documents. This option normally results in a smaller output file when compared with the output of the first and second options.

    INTEL (Option 4)

    This option relies upon a fuzzy logic technique to identify English Language patterns. This feature can be useful in the identification of data that may contain the logon or password of the computer user involved. This option normally results in a smaller output file when compared with the output of the first option.

    NAMES (Option 5)

    This option was created at the request of the Royal Canadian Mounted Police. The option is used to identify names of individuals listed in computer data. Many times criminal associates are involved but their existence or identity is unknown to law enforcement. When this feature is used, it sifts through huge files and identifies individuals who may be associated with the user of the computer. The output from this option normally results in a smaller output file when compared with the output of the first option.


  • Login