System Forensics, Investigation, and Response Day 1-3

port 445 for windows – fileshares, cifs, smb fileshares, netbios a little, direcotry services, rpc, lots of stuff.

0xEBFE jumps back two spaces and loops to produce a processor spike.

AUP should wave all rights of privacy.

• Does the person who gave you computer have authority to investigate machine?
• Do you have the authority to investigate machine? Forensics must be part of job description. (Forensic Investigator or Forensic Analsys)
• Who approved you to start case.
• Make sure you have approval. (cya)
• Evidence Integrity..8

# Following best practices (like chain of custody) of data integrity is used to show expertise in handling evidence. Law enforcement is leagaly bound to follow chain of custody rules. Absence of tampering cannot be used to throw out evidence because it 'could' be tampered with. Evidence of tampering must be present to bring up evidence tampering arguments.

• Dirty Words List..9
• Image..10
• Forensic Incident Response..11
• Media Analysis..12
• Forensic Principles..13
• Two Situations Dead/Live..14
• Volitile Evidence..15

# live image

• Just the Facts Ma'am..16
• IR Forensics..17
• Forensic Methodology Summary..18

• System Description..21
• Evidence Collection..22
• Timeline..23
• Media Analysys..24
• Media Analysys Examples..25
• String/Keyword Search..26
• Data Recovery..27
• Reporting..28
• Verification Exercise..29

• Objectives..31
• Bits and Bytes..32
• Numbers..33
• Little Endian/Big Endian..34
  • most systems are little endian.
  • ppc macs are big endian
• File System 5-Layers..35

Drive itself

first 512 bytes(one sector) are MBR

In MBR are partition table and boot loader (LILO, Grub, Windows has one, partition magic has one)

length of partions is in MBR

partition ends in 55aa

DOS based partitions are used by x86 Intel systems despite OS

the 512 byte MBR can have a max of 4 partitions max in MBR

partition table tells starting sector, number of sectors and type (ext3, ntfs, swap)

one of the 4 can designate an extended partion

At the begining of the extended partion is a 512 byte sector of another partition table, or an extended partition table.

uses 512 byte sectors

cluster, fragment or block (depending on OS) can be multiple sectors.

everything sits at the data layer

Similar to Card Catalog

Generic name for metadata is inode. In windows ntfs=master file table entry; fat=fat directory.

many blocks or cluster can be associated with a file,

• Name
• file type (dir, exe, link)
• Pointer to start of file on device (Data)
• Link Count
• Size
• Security Mechanisms
• mac times

• points to inode number which points to location of data.

• data layer contains
  • filename points to inode number
    • inode contains block or cluster pointers

1. Physical layer–Hard drive
2. File system Layer–includes partitioning information
3. Data Layer–Start of partition, addressable block or cluster. allocated/not allocated. multiple sectors.
4. metadata layer is card catalog. points to data layer
5. filename points to inode number.

• File System Layer..36
• Data Layer..37
• DOS-Based Partitions..38
• Extended Partitions..39
• Example Partition Figure..40
• Master Boot Record..41
• Partition Table Contents..42

Page 42 has Partition table entry contents

mount (to determine the device name)
dd if=/dev/hda bs=512 count=1 of=mbr.img

• Common Types of Partitions..43
• Partition Exercise..44
• Data Storage..45
• Data Layer Allocated or Unallocated?..46
• Slack Space..47
• Contiguous Disk Space..48
• Metadata Layer..49
• Metadata in File System..50
• File System Metadata..51
• Security..52
• File System Security..53
• File Name Layer..54
• File System Forensic Intro..55

• Superblock (File System Layer)..57
• Ext2/3 SuperBlock..58

Linux Ext2/Ext3 File system layer (Superblock)

1. Block size
2. Total Number of Blocks
3. Number of Blocks per group
4. Number of reserved blocks(prior to first block group.)
5. total number of inodes
6. number of inodes per block group

table of contents at each block group Page 58

• Blocks (Data Layer)..59
• Block Groups..60
• File Access Permissions..61
• Unix File Types..62
• Timestamps..63
  1. modification - blocks that contain data have been modified
  2. access - data was read
  3. change - modification of metadata layer (inode itself). Deleting a file modifies inode link count to 0
  4. delete - always will match change time.

• Inode (Metadata Layer)..64
  1. File owner identifier
  2. File type
  3. File access permisions
  4. mac times
  5. number of links
  6. table of contents
  7. file size

inode has enough pointer for 12 addressed. 13th entry is an indirect block list. 14th is double indirect block.

• Data Pointers..65
• Directories..66
• What datastill exists upon file deletion?..67
• Linux Deleted Files..68
• Forensic Notes..69

• Windows File System Evolution..71
• FAT Filesystem..72
• Fat 12 and 16..73
• Fat 32..74
• FAT Format..75
• FAT Boot Sector..76
• FAT12/16 Partition Boot Sector..77
• FAT12/16 Boot Sector..78
• FAT32 Partition Boot Sector..79
• FAT 32 Boot Sector..80
• FAT Content Data..81
• FAT Cluster Chains..82
• FAT Root Directroy (Metadata Layer)..83
• FAT Directory Entry..84
• FAT Directory Entry and the FAT Cluster Chains Relationship..85
• FAT Timestamps..86
• What data still exists upon file deletion?..87
• FAT Review..88
• NTFS New Technologies File System..89
• NTFS Partition Boot Sector..90
• NTF Boot Sector..91
• NT Volumes..92
• NTFS - Clusters (Data Layer)..93
• NTFS - MFT (Metadata Layer)..94
• NTFS File (Metadata Layer)..95
• Master File Table Entry..96
• Master File Table Entry Layout..97
• NTFS Timestamps..98
• MFT Record Header..99
• $STANDARD_INFO Entry..100
• $STANDARD_INFORMATION Attributes..101
• $FILE_NAME Entry..102
• $FILE_NAME Attributes..103
• $Data Entry..104
• $Data Attributes..105
• NTFS - File Creation..106
• NTFS - File Deletion…107
• NTFS - Directories (File Name Layer)..108
• Windows NTFS Reserved Files..109
• NTFS - Forensic Notes..110
• What data still exists upon file deletion?..112
• NTFS - Forensic Time Example..113
• File System Summary..115