BACS 371 Computer Forensics: File System “Layers” & the Sleuthkit

Introduction
• One approach to analyzing a disk image begins by logically dividing it into 5 file system layers.
• Each of the upper layers is an abstraction above the physical disk platter.
• These layers serve different tasks and, when analyzed, provide different information.
5 File System Layers
• Physical Layer – The physical disk itself
• File System Layer – Partition information
• Data Layer – Blocks and clusters (where the data are actually stored)
• Metadata Layer – Structural information for the file system (FAT32, NTFS, EXT2, …)
• File Name Layer – The directory information that holds the file's external name
File System Layer
• Holds the data that describes the structural details of the file system.
• The boot sector (or superblock in Unix) is where much of this data is stored.
• The Master Boot Record (MBR) holds information related to this layer.
• The Partition Boot Record (PBR) also contains file system layer information.
Data Layer
• The main purpose of a disk drive is to store data; consequently, this layer holds the key information related to this task (that is, the data itself).
• This layer organizes the physical drive into 512-byte sectors.
• On Windows systems, these sectors are further organized into clusters.
• Sectors in the data layer are either “allocated” or “unallocated”.
• Another way of thinking of this is that sectors are either being used by a file or waiting to be used.
Allocated vs. Unallocated
• Allocated data:
  • Is being actively used by a file
  • Exists in a file on the system
  • Is not currently deleted
• Unallocated data:
  • Is not currently being used by a file
  • Can contain previously deleted or never-used data
  • Can hold pieces of old data (called “fragments”)
Metadata Layer
• This layer contains all the structures that describe the file.
• Similar to the table of contents page of a book.
• It has pointers to the data layer and the file name layer, so that the starting address and MAC times can be determined.
• In FAT file systems it is stored in the FAT table. In NTFS systems, it is found in the Master File Table (MFT). Linux stores it in the inode entries.
• Metadata is also either allocated or unallocated.
Metadata Layer
• Metadata contains:
  • Pointers to the data layer (either a starting sector or a list of sectors, depending upon the file system)
  • The file type
  • The MAC times and permissions
  • The file size and/or total links

File Name Layer
• Generally a separate structure that gives the names of files.
• The metadata layer can actually describe everything about the file, but it is easier to have the name information listed without all the extra, low-level detail.
• Is stored in 2 places:
  • MFT or FAT directory entries
  • Directory file – list of files in that directory structure
The Sleuthkit (TSK)
• A collection of Unix tools that allow for forensic analysis of disk images.
• Written by Brian Carrier, based on an older set of tools called The Coroner’s Toolkit (TCT).
• The tools are fairly low-level, so they are normally used with a front-end browser component.
• The “Autopsy” browser is the normal front-end for this tool set.

Sleuthkit Tool Layers
• The Sleuthkit tools are divided into 5 categories which, loosely, map to the 5 file system layers.
• File system layer tools – prefixed by ‘fs’
• Data layer tools – prefixed by ‘blk’
• Metadata layer tools – prefixed by ‘i’ (for inode)
• File name layer tools – prefixed by ‘f’
• Misc. tools – no standard prefix, but related to lower-level sort and find operations on file system structures.
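As an added example that is not part of the slides or of TSK itself, the Python below builds a tiny constructed FAT16 image and walks it layer by layer the way the TSK tool categories do: boot sector (file system layer), directory entries (file name layer), FAT chains (metadata layer) and clusters (data layer), recovering a deleted file's fragment from an unallocated cluster along the way. The image geometry, the file names HELLO.TXT and _ECRET.TXT, and their contents are assumptions of the example.

```python
import struct
# Constructed FAT16 image (an assumption of this example, not from the slides): 512-byte sectors,
# 1 sector per cluster, 1 reserved sector, 1 FAT of 1 sector, 16 root entries, 9 sectors in all.
BPS, EOC = 512, 0xFFFF

def build_image():
    img = bytearray(BPS * 9)
    # File system layer: BPB (bytes/sector, sectors/cluster, reserved, FATs, root entries, total, media, sectors/FAT)
    struct.pack_into("<HBHBHHBH", img, 11, BPS, 1, 1, 1, 16, 9, 0xF8, 1)
    struct.pack_into("<H", img, 510, 0xAA55)              # boot sector signature
    # Metadata layer: FAT at sector 1; HELLO.TXT chains 2 -> 3 -> EOC, cluster 4 is free (0)
    struct.pack_into("<HHHH", img, BPS, 0xFFF8, EOC, 3, EOC)
    # File name layer: root directory at sector 2 (name, attr, start cluster, size); 0xE5 = deleted
    struct.pack_into("<11sB14xHI11sB14xHI", img, 2 * BPS,
                     b"HELLO   TXT", 0x20, 2, 600, b"\xe5ECRET  TXT", 0x20, 4, 10)
    # Data layer: clusters start at sector 3; freed cluster 4 still holds a fragment of the deleted file
    img[3 * BPS:3 * BPS + 600] = b"A" * 512 + b"B" * 88
    img[5 * BPS:5 * BPS + 10] = b"OLD SECRET"
    return bytes(img)

def parse_bpb(img):
    # File system layer (fsstat-like): byte offsets of FAT, root directory and data area
    bps, spc, res, nfats, ents, total, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root = (res + nfats * spf) * bps
    return {"csize": bps * spc, "fat": res * bps, "root": root, "data": root + ents * 32,
            "nclust": 2 + (total * bps - root - ents * 32) // (bps * spc)}

def fat_entry(img, geo, n):
    return struct.unpack_from("<H", img, geo["fat"] + 2 * n)[0]

def dir_entry(img, geo, index):
    # File name layer (fls-like): one 32-byte root entry; a deleted name gets a leading '_'
    raw = img[geo["root"] + 32 * index:][:32]
    stem = b"_" + raw[1:8] if raw[0] == 0xE5 else raw[:8]
    start, size = struct.unpack_from("<HI", raw, 26)
    return {"name": stem.decode().strip() + "." + raw[8:11].decode().strip(),
            "deleted": raw[0] == 0xE5, "start": start, "size": size}

def read_file(img, geo, entry):
    # Metadata + data layers (icat-like): follow the FAT chain from the start cluster; a freed chain ends at 0
    data, n = b"", entry["start"]
    while 2 <= n < 0xFFF8:
        off = geo["data"] + (n - 2) * geo["csize"]
        data += img[off:off + geo["csize"]]
        n = fat_entry(img, geo, n)
    return data[:entry["size"]]

def unallocated_clusters(img, geo):
    # Data layer (blkls-like): free clusters (FAT entry 0) that may still hold old fragments
    return [n for n in range(2, geo["nclust"]) if fat_entry(img, geo, n) == 0]
```

On a real image, TSK's fsstat, fls, icat and blkls perform these same four steps for FAT, NTFS and ext alike; the point here is only to show what each layer holds.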