Module 11 CS 996
Digital Forensics

Outline of Module #11
  • Overview of Windows file systems
  • Overview of ProDiscover
  • Overview of UNIX file systems (Kulesh)
  • ProDiscover workshop (remaining time)

Module 11

Reminder
  • InfraGard Chapter meeting on Counterintelligence
  • Bear Stearns, 383 Madison Avenue
  • 9-4, April 28
  • RSVP: www.nym-infragard.us

Hard Drive Data Hiding Places
  • Low Level Format
    • Redundant sectors
    • Bad sectors
  • Partition
    • Interpartition gaps
    • Unallocated space
    • “Hidden” partitions
    • Boot records and partition tables
    • Deleted partitions

Physical Disk Geometry (CHS)
  • One read/write head per platter surface (H)
  • All tracks at the same radius, across every surface, form a "cylinder" (C)
  • Each sector holds 512 bytes of user data (S = sectors per track)
  • Some drives dedicate one surface to head-positioning (servo) and synchronization data
  • Not every part of the disk is addressable by the OS (servo data, sector overhead, spare sectors)
  • Addressable disk capacity = C x H x S x 512 bytes

Lifecycle of Disk Drive
  • Blank media
  • Low level format
    • Performed at the factory
  • Partition
  • High level file system format
  • Operating system install
  • System operations

Low Level Format
  • Low level formatting creates sectors
  • Each sector holds 512 bytes + overhead bytes
  • Overhead provides error correction and timing recovery
  • Bad sectors are remapped to the redundant (spare) sectors by the HDD controller; the OS can no longer address a remapped sector, but its old contents may still be on the platter

[Figure: one sector as laid down by the low-level format: 512 bytes of user data followed by the sector overhead (error-correction and timing bytes); redundant sectors are set aside for remapping]

Partitioning

[Figure: disk layout, left to right: Master Boot Record (first sector of the disk) | Partition #1, beginning with its Volume Boot Record | Inter-partition gap | Partition #2, beginning with its Volume Boot Record]

Partitioning Drive
  • Master Boot Record = Master Boot Code + Master Partition Table (MPT)
    • Always in the first sector of the disk: sector #1 counting from 1, i.e. CHS 0/0/1, LBA 0
    • MPT: four 16-byte entries at offset 1BEH (type, start, length of each primary partition), followed by the 55AAH signature at offset 1FEH
  • Volume Boot Record = Volume Boot Code + BIOS Parameter Block (BPB, the "disk parameter block")
    • One at the first sector of each partition
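As an added example (not part of the slides, and not ProDiscover or WinHex code): a parser for the Master Partition Table that lists the primary partitions, flags the "hidden" partition type IDs, and reports every sector range no partition owns, which is exactly the inter-partition gap and unallocated space from the "Hard Drive Data Hiding Places" slide. The 512-byte MBR it runs on is constructed inline; the disk size of 20480 sectors and the partition placement are assumptions for the demonstration.

```python
import struct

SECTOR = 512  # bytes of user data per sector

# Standard MBR partition type IDs whose meaning is "hidden" (FAT12/16/32, NTFS).
# The flag only tells an OS to skip the partition; the data is still on the disk.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty entries of the Master Partition Table.

    Standard MBR layout: boot code at 0x000, four 16-byte partition entries
    at 0x1BE, signature 0x55 0xAA at 0x1FE. Each entry: status, CHS start
    (3 bytes), type, CHS end (3 bytes), LBA start (u32 LE), sector count (u32 LE).
    """
    if len(sector0) != SECTOR or sector0[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    entries = []
    for slot in range(4):
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector0, 0x1BE + 16 * slot)
        if ptype == 0 or count == 0:
            continue  # unused slot
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "hidden": ptype in HIDDEN_TYPES,
            "start": start,
            "end": start + count - 1,
        })
    return entries


def find_unallocated(entries: list, total_sectors: int) -> list:
    """Return (first, last) sector ranges owned by no partition.

    Sector 0 (the MBR itself) is excluded. The result is the list of
    inter-partition gaps plus trailing unallocated space: the areas an
    examiner should carve rather than skip.
    """
    gaps = []
    cursor = 1
    for p in sorted(entries, key=lambda e: e["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sample, not a real disk image: a 20480-sector (10 MiB)
    disk with a bootable FAT16 partition, a 1024-sector gap, then a hidden
    FAT32 partition (type 0x1B) and unused space at the end."""
    mbr = bytearray(SECTOR)

    def put(slot, status, ptype, start, count):
        struct.pack_into("<B3xB3xII", mbr, 0x1BE + 16 * slot,
                         status, ptype, start, count)

    put(0, 0x80, 0x06, 63, 8192)    # FAT16, sectors 63..8254
    put(1, 0x00, 0x1B, 9279, 8192)  # hidden FAT32, sectors 9279..17470
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    print("unallocated sector ranges:", find_unallocated(parts, 20480))
```

On a real image, replace `build_sample_mbr()` with the first 512 bytes of the image file and `20480` with the image size divided by 512; a gap of a few dozen sectors after the MBR is normal (cylinder alignment), but a large gap between partitions, or a partition of a hidden type, is worth opening in the hex editor.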

FAT File System
  • Four parts, in this order on the volume
    • Volume boot record
    • File allocation tables
    • Root directory
    • User data area
  • Types
    • FAT12, FAT16, FAT32: the number is the width in bits of a cluster address, i.e. of one FAT entry (FAT32 uses only the low 28 bits)
    • FAT1 and FAT2: first and second (backup) copy of the FAT; normally identical, so a difference between them is itself evidence worth examining
    • Floppy disks: FAT12

FAT12/16 Structure

[Figure: FAT12/16 volume layout, in order: DOS boot sector | FAT #1 | FAT #2 | Root directory (fixed size) | User data area]

FAT32 Structure

[Figure: FAT32 volume layout, in order: Reserved sectors (32 sectors here): DOS boot record (3 sectors), a copy of the DOS boot record, remaining reserved sectors | FAT #1 | FAT #2 | User data (FAT32 has no fixed root directory; the root directory is a cluster chain inside the user data area)]

File Allocation Table

0

TEST

217

DIRECTORY ENTRY

217

618

339

EOF

618

339
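Added example, not from the slides: following the chain above in a real FAT12 table. FAT12 packs two 12-bit entries into three bytes, so reading entry 217 means finding the right 16-bit word and the right half of it; getting this wrong is the usual reason a hand-decoded chain goes off into unrelated clusters. The table and the 32-byte directory entry for TEST are constructed inline (a 9-sector FAT, as on a 1.44 MB floppy); the file size and attribute byte are assumed values.

```python
import struct

EOC_MIN = 0xFF8  # FAT12 end-of-chain markers are 0xFF8..0xFFF
BAD = 0xFF7      # bad-cluster marker


def fat12_get(fat: bytes, cluster: int) -> int:
    """Read the 12-bit FAT entry for `cluster`.

    Entry n lives in the little-endian 16-bit word at byte offset n + n//2.
    Even n takes the low 12 bits of that word, odd n the high 12 bits.
    """
    off = cluster + cluster // 2
    word = struct.unpack_from("<H", fat, off)[0]
    return word & 0x0FFF if cluster % 2 == 0 else word >> 4


def fat12_set(fat: bytearray, cluster: int, value: int) -> None:
    """Write a 12-bit entry without disturbing the neighbour sharing its byte."""
    off = cluster + cluster // 2
    word = struct.unpack_from("<H", fat, off)[0]
    if cluster % 2 == 0:
        word = (word & 0xF000) | (value & 0x0FFF)
    else:
        word = (word & 0x000F) | ((value & 0x0FFF) << 4)
    struct.pack_into("<H", fat, off, word)


def follow_chain(fat: bytes, start: int, limit: int = 4096) -> list:
    """Walk the cluster chain from `start` up to the end-of-chain marker.

    Stops with an error on a reserved/free entry, a bad-cluster marker or a
    loop: on evidence media these usually mean cross-linked or deliberately
    damaged allocation data rather than a normal file.
    """
    chain, seen, cur = [], set(), start
    while len(chain) < limit:
        if cur < 2:
            raise ValueError(f"cluster {cur} is reserved/free, not a data cluster")
        if cur in seen:
            raise ValueError(f"loop detected at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat12_get(fat, cur)
        if nxt >= EOC_MIN:
            return chain
        if nxt == BAD:
            raise ValueError(f"cluster {cur} points at the bad-cluster marker")
        cur = nxt
    raise ValueError("chain longer than limit; allocation data is probably corrupt")


def dir_entry_first_cluster(entry: bytes) -> int:
    """First cluster of a 32-byte FAT directory entry (FAT12/16: u16 at offset 26)."""
    return struct.unpack_from("<H", entry, 26)[0]


def build_sample():
    """Constructed sample, not from a real floppy: a 9-sector FAT12 table and a
    directory entry for TEST with the chain from the slide, 217 -> 618 -> 339 -> EOF."""
    fat = bytearray(9 * 512)
    fat[0:3] = b"\xF0\xFF\xFF"               # entries 0 and 1: media descriptor + reserved
    fat12_set(fat, 217, 618)
    fat12_set(fat, 618, 339)
    fat12_set(fat, 339, 0xFFF)               # end of chain
    entry = bytearray(32)
    entry[0:11] = b"TEST       "             # 8.3 name, space padded
    entry[11] = 0x20                         # archive attribute (assumed)
    struct.pack_into("<H", entry, 26, 217)   # first cluster
    struct.pack_into("<I", entry, 28, 1300)  # file size in bytes (assumed)
    return bytes(fat), bytes(entry)


if __name__ == "__main__":
    fat, entry = build_sample()
    first = dir_entry_first_cluster(entry)
    print("TEST starts at cluster", first)
    print("chain:", follow_chain(fat, first))
```

To apply this to an image, read FAT #1 from its byte offset (see the navigation slides) into `fat`, then compare the chain with the one you get from FAT #2; a file whose chains differ between the two copies has been tampered with or was written while the volume was failing.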

WinHex: Forensic Hex Editor
  • www.x-ways.net
  • Disk cloning
    • DOS version
    • Windows version (use write blocker)
  • Disk editor
  • API for scripting tasks

Navigating to FAT12 Directory
  • Start at the boot sector (sector #1 counting from 1, logical sector 0)
  • Add the 1 reserved sector plus 2 FATs x 9 sectors each (1.44 MB floppy values; on any other volume read them from the BPB)
  • Root directory starts at sector #20 (logical sector 19)
  • Byte offset is: 19 x 512 = 9728 bytes = 2600H

Navigating to FAT32 Allocation Table
  • Start at the boot sector (logical sector 0)
  • Skip the reserved sectors: 32 on this volume, but the count lives in the BPB at offset 0EH and is not fixed
  • FAT #1 begins at sector #33 (logical sector 32): 32 x 512 = 16384 = 4000H
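Added example, not part of the slides: the two navigation computations above done the way a tool does them, from the BIOS Parameter Block rather than from memorised constants. The parser reads the BPB fields at their standard offsets, `layout()` turns them into the sector numbers and byte offsets of both FAT copies, the root directory (FAT12/16) and the first data cluster, and `cluster_to_offset()` locates an individual cluster. The two boot sectors are constructed inline: a 1.44 MB FAT12 floppy and a FAT32 volume with 32 reserved sectors, 8 sectors per cluster and an assumed 1000 sectors per FAT.

```python
import struct


def parse_bpb(boot: bytes) -> dict:
    """Read the BIOS Parameter Block fields needed to navigate a FAT volume.

    Offsets are the standard ones shared by FAT12/16/32. Sectors per FAT is
    the 16-bit field at offset 22; when it is 0 the volume is FAT32 and the
    32-bit field at offset 36 holds the value.
    """
    if len(boot) < 512 or boot[510:512] != b"\x55\xAA":
        raise ValueError("not a FAT boot sector: missing 0x55AA signature")
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", boot, 11)
    spf = struct.unpack_from("<H", boot, 22)[0] or struct.unpack_from("<I", boot, 36)[0]
    if bps == 0 or spc == 0 or nfats == 0 or spf == 0:
        raise ValueError("zero-valued BPB geometry field: damaged or not a FAT volume")
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved": reserved,
            "num_fats": nfats, "root_entries": root_entries, "sectors_per_fat": spf}


def layout(bpb: dict) -> dict:
    """Sector numbers (0-based, relative to the volume) and byte offsets of the
    FAT copies, the root directory (FAT12/16 only) and the first data cluster."""
    bps = bpb["bytes_per_sector"]
    fat1 = bpb["reserved"]
    fat2 = fat1 + bpb["sectors_per_fat"] if bpb["num_fats"] > 1 else None
    root_sector = fat1 + bpb["num_fats"] * bpb["sectors_per_fat"]
    root_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps  # 0 on FAT32
    data = root_sector + root_sectors
    return {"fat1_sector": fat1, "fat1_offset": fat1 * bps,
            "fat2_sector": fat2,
            "root_dir_sector": root_sector if root_sectors else None,
            "root_dir_offset": root_sector * bps if root_sectors else None,
            "data_sector": data, "data_offset": data * bps}


def cluster_to_offset(bpb: dict, lay: dict, cluster: int) -> int:
    """Byte offset of a data cluster; data cluster numbering starts at 2."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    return (lay["data_offset"]
            + (cluster - 2) * bpb["sectors_per_cluster"] * bpb["bytes_per_sector"])


def build_boot_sector(bps, spc, reserved, nfats, root_entries, spf16, spf32=0) -> bytes:
    """Constructed boot sector: only the BPB fields used above are filled in."""
    boot = bytearray(512)
    boot[0:3] = b"\xEB\x3C\x90"   # jump instruction
    boot[3:11] = b"MSWIN4.1"      # OEM name
    struct.pack_into("<HBHBH", boot, 11, bps, spc, reserved, nfats, root_entries)
    struct.pack_into("<H", boot, 22, spf16)
    struct.pack_into("<I", boot, 36, spf32)
    boot[510:512] = b"\x55\xAA"
    return bytes(boot)


# Constructed sample geometries: a 1.44 MB FAT12 floppy and a FAT32 volume.
FLOPPY_FAT12 = build_boot_sector(512, 1, 1, 2, 224, 9)
SAMPLE_FAT32 = build_boot_sector(512, 8, 32, 2, 0, 0, 1000)

if __name__ == "__main__":
    for name, boot in (("FAT12 floppy", FLOPPY_FAT12), ("FAT32 volume", SAMPLE_FAT32)):
        lay = layout(parse_bpb(boot))
        print(name, {k: (hex(v) if "offset" in k and v is not None else v)
                     for k, v in lay.items()})
```

For the floppy this reproduces the slide: root directory at logical sector 19, offset 2600H; for the FAT32 sample, FAT #1 at logical sector 32, offset 4000H. The offsets are relative to the start of the partition, so on a whole-disk image add the partition's starting sector from the MBR before seeking.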

ProDiscover Forensic Software
  • www.techpathways.com
  • Disk imaging: meets the NIST disk imaging tool specification 3.1.6
  • Works with FAT, NTFS, Sun Solaris UFS
  • Displays NTFS Alternate Data Streams (ADS), a classic place to hide data
  • File signature analysis (flags files whose header does not match the extension)
  • Search capability
  • Recovers deleted files and exposes slack space
  • Reasonable price!

Image Evidence: Windows Laptop

[Figure: the evidence drive removed from the laptop, connected by an IDE cable to a USB-to-IDE adapter on the examination workstation running ProDiscover; a write blocker belongs between the adapter and the evidence drive, as noted on the WinHex slide]
