Introduction to Digital Forensics › internal › courses › comp... · • NTFS – “New...

Introduction to Digital Forensics Rob Savage

BSc Computer Science (2006) MSc Computer Security (2007)

Agenda

•  Introduction •  What is Digital Forensics •  Applications of Digital Forensics •  ACPO Guidelines •  Recovery of Deleted Data •  Windows File Systems •  Recovering Deleted Data from NTFS

What is Digital Forensics?

“Digital forensics is the application of computer investigation techniques to collect, analyse and report on digital data in a way that is legally admissible”

Applications of Digital Forensics

•  Criminal proceedings –  Computer based crime where seized devices are also

the ‘scene’ of the crime –  Non-Computer based crime where seized devices

contain evidence relevant to the investigation •  Civil matters

–  Theft of intellectual property –  Industrial espionage –  Employment disputes –  Fraud, bribery and corruption –  Civil litigation

Applications of Digital Forensics

–  Laptops / Desktops – Mobile Phone – Removable Media – Tablets – Smart Watches – Cloud Storage – Cloud Email – Social Media

– Games Consoles – Car Keys – Cars – Home Appliances – Routers/Modems – Smart TVs – Backups

•  Potential Sources of Electronic Evidence

“…in a way that is legally admissible”

•  Association of Chief Police Officers Good Practice Guide for Digital Evidence (ACPO Guidelines)

•  First issued 2007, now on 5th revision •  Issues for the benefit of UK law enforcement,

regularly used in court as a test of a test of admissibility

•  Shift away from a narrow definition of ‘computer forensics’ to cover the diverse and evolving range of devices available to consumers and businesses

•  Based on 4 key principles…

ACPO Guidelines: Principle 1

“No action taken by law enforcement agencies, persons employed within those

agencies or their agents should change data which may subsequently be relied upon in

court.”


“In circumstances where a person finds it necessary to access original data, that

person must be competent to do so and be able to give evidence explaining the

relevance and the implications of their actions.”


“An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those

processes and achieve the same result.”


“The person in charge of the investigation has overall responsibility for ensuring that

the law and these principles are adhered to.”

Recovery of Deleted Data •  Possible in the vast majority of file systems and

devices •  Success is dependent on:

–  Subsequent user activity –  Elapsed time between deletion and analysis –  Amount of free space on the drive –  Encryption / Counter-Forensics

•  Three ways to recover deleted files from a file system –  ‘File System Recoverable’ –  ‘Carved Recoverable’ –  ‘File Slack / Fragments’

Recovery of Deleted Data from Windows File Systems

•  NTFS or FAT •  FAT – “File Allocation Table”

–  Designed in 1987 for use on floppy disk drives –  Theoretical maximum volume size of 8TB –  Maximum supported file size is 6GB –  Primary file system used in Windows 9x and ME era –  Still used in removable media and some mobile devices

•  NTFS – “New Technology File System” –  Designed by Microsoft and introduced into Windows NT in

1993 –  Theoretical maximum volume size of 16 EB (16 billion TB) –  Maximum supported file size is 256TB –  Primary file system used in Windows NT to Windows 10

NTFS Basics •  Central to the NTFS file system is the ‘Master File

Table’ (MFT) •  The MFT is a relational database and contains one

record for each file and folder on the system. Each record is 1024 bytes long.

•  The MFT is generally stored at the start of the file system and is a file in its own right ($MFT)

•  The MFT grows as files and folders are added to the system (but it never shrinks)

•  By default 12.5% of the partition is a dedicated ‘MFT Zone’

•  MFT records are never deleted. Records referencing deleted files remain until they are overwritten. Records are overwritten from the top down.

NTFS Basics

NTFS Boot Sector

Master File Table

File System Data Master File Table Mirror

MFT Entry Header

File Name Index Other A>ributes

Unused Space

NTFS File System

MFT Entry Header


Unused Space

MFT Entry Header


Unused Space

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

MFT

NTFS Forensics

001 Holiday.jpg Index Live Unused Space

MFT File System Data

002 Naughty_File.pdf Index Live Unused Space

003 DissertaMon.doc Index Live Unused Space

004 AnotherFile.mp4 Index Live Unused Space

005 YetAnother.mp3 Index Live Unused Space

NTFS Forensics







002 Naughty_File.pdf Index Deleted Unused Space

“File System Recoverable”

NTFS Forensics








“Carved Recoverable”

002 NewFile.psd Index Live Unused Space

NTFS Forensics








“File Slack / Fragment”

002 NewFile.psd Index Live Unused Space

006 SmallFile.txt Index Live Unused Space

Questions

?

Introduction to Digital Forensics › internal › courses › comp... · • NTFS – “New...

Documents

Transcript of Introduction to Digital Forensics › internal › courses › comp... · • NTFS – “New...