ISA 785 Research in Digital Forensics

Angelos Stavrou, George Mason University!

The UNIX file system !A gentle introduction"

ISA 785!

GMU ISA 785!

File System Basics

  Readings from the Textbook!  Unix / EXT3!  FAT/NTFS!  Others?!

  Concepts similar for all but details are important!  Support for Metadata!

  User/Group ID!  Permissions!  Timestamps!  Extra Recovery Data!  Content Blocks!

2!

GMU ISA 785!

UNIX file system basics 3!

The big Picture: File Data, Meta Data, File Blocks!

View from a directory:!

GMU ISA 785!

Unix File Types

  Regular File (most files in your disk)!  Does this hold for any type of Disk? USB, Solid State

Drives?!  Directory !

  Stored and maintained as a file!  Symbolic link (alias for other file)!

  Different types: Hard and Soft!  Why do we have symbolic links? Do they exist for all

file systems?!  Can it create any problems?!

4!

GMU ISA 785!

Unix File Types

  Device !  Terminal !  Disk!  Memory!  USB / External storage / External Device!

  Inter-process communication: !  Named pipe !  Socket!  Others?"!

Why do we care what type of a File it is?!

5!

GMU ISA 785!

Unusual File System Properties

  Everything is placed in one logical tree!  No C:, D:, etc!  Devices are accessible through the file system!  Can read/write devices while the system is running (“Live”)"

!

  Directories are files !  Users cannot control all their attributes and cannot write!  Remote file systems may disallow reading as well "

!  File names can contain anything but “/” !

  Null (output from "find" may be harmful to programs)" !

  Files may contain ‘‘holes’’ !  Space where no data is written; !  ‘‘holes’’ read back as all-zero blocks)!

6!

GMU ISA 785!

Unusual File System Properties

  A File can have Multiple references !  A file can appear in multiple places (even in places owned by

different users)!  Difficulty in tracking !

  Zero references !  A file can still exist after it is removed (zero-link file is deleted

when closed)!  What about files with references?!

  No built-in undelete provision like DOS!  Typically, only 0.5 Kbytes of wasted space at the

end of a file!  Depending on the implementation of the Unix FS!

7!

GMU ISA 785!

UNIX File Attributes

  Ownership:!  Numeric user ID & group ID!  When I ask for file listing, I only see file names, user ids, and

group ids. Is this correct?" !

  Mandatory Access Control Permissions: !  read/write/execute !  owner, group, other!  Is this information available?!

  Type: file, directory, symlink, device!  How can I identify the differences?!

  Reference count (0, 1, 2, ...)!  How do I find this? Can I do it with a command?!

8!

GMU ISA 785!

UNIX File Attributes

  File size in bytes!  Time stamps (MAC times):!

  Last file Modification time!  Last file Access time!  Last status Change (e.g., owner, permissions, reference count)"!

  Is the File System information reliable?!  Yes & No…!  Depends on which program accessed the data!  Rootkits attempt to mask the real data!  Malware can modify system clock!  Others issues?!

9!

GMU ISA 785!

Looking Deeper that the FS Layer 10!

GMU ISA 785!

Typical on-disk File System Layout 11!

GMU ISA 785!

Inode Information for removed files 12!

GMU ISA 785!

Acquiring File Forensic Evidence

"""

Tools & File Recovery Techniques"

13!

GMU ISA 785!

Direct & Indirect Blocks (FFS) 14!

GMU ISA 785!

Sequential data allocation, ideal case 15!

GMU ISA 785!

Storing Data by Appending to Files 16!

GMU ISA 785!17!

Data Hiding in “Comment” or “Meta-data” space 17!

GMU ISA 785!18!

Data Hiding by inflating file segments 18!

  Store data into the code or data segment of executable files" !

  Detectable by analyzing the code segment "and by proving that some code is unreachable!

  Detectable by analyzing the code segment "and by proving that some data will never be touched!

  Which tools can we use to detect such discrepancies? Can you find out from the toolkits that we have for this class?!

GMU ISA 785!19!

Data Hiding – Wolf in sheep’s clothes 19!

  Encoded/Encrypted data inside PGP header. Will resist brute force decryption attacks!  What can we do if the data are encrypted?!

  Encoded/encrypted data inside ZIP header!  Result appears to be a corrupted ZIP file!  Does it only work for ZIP files?!  What does that mean? Can we avoid this? !

  Any sufficiently-obscure application-specific format!  Mounting a file system on top of another one!  Use FUSE file system (a user-space file system)!  Any sufficiently nested encoding will do!

GMU ISA 785!20!

Data Hiding – Slack Disk Space 20!

  Last data block of file (UNIX: 0.5 kbyte, MS: 10+kbytes) !

  Padding of executable file segments (kbytes)!  Media bad block list (10+ kbytes) !  Disk partition boundaries (Mbytes)!  Unused disk partitions!  Device Firmware (!)!

  Keyboard, Mouse, Phone, Motherboard, etc.!  Anywhere with persistent storage that can be overwritten without

crashing the machine!  Ideas?!

GMU ISA 785!21!

Discussion – Open Questions 21!

  How do I securely Wipe data?!  Is is about the Disk or Storage?!  Is my memory erased/lost upon shutdown (or

reboot)?!  Does it depend on the type of memory?!

  What about Flash or Solid State drives?!  I use encryption, I guess I am secure (?)!

  What type of encryption?!  Does it encrypt the slack space?!  Does it encrypt memory (most probably not)!  Does it encrypt DISPLAY memory?!