Bruce Nikkel 4_2_sleuthkit_fs_analysis.pdf
Card set details
Cards | 23 |
---|---|
Language | English |
Category | Technology |
Level | University |
Created / Updated | 20.06.2019 / 01.07.2020 |
Licensing | Not specified |
Web link | https://card2brain.ch/box/20190620_bruce_nikkel_42sleuthkitfsanalysis_pdf |
Why do we have filesystems?
Purpose of filesystems:
- organize the data on a storage device into files and directories/folders
- maintain metadata (timestamps, permissions, attributes, etc.)
- provide additional storage features (integrity, encryption, volume management, quotas, etc.)
- create a hierarchical abstraction layer for users and programs
Name some common filesystems and some newer filesystems.
Common filesystems today:
- FAT
- NTFS
- EXT4
- HFS+
Newer filesystems:
- BTRFS
- APFS
- ZFS
What is the goal of filesystem forensics?
Why filesystem forensics is done:
- identify the filesystem used
- recover files (including deleted files)
- recover file fragments (slack, unallocated areas)
- find attempts to hide data (e.g. a file renamed so that its extension no longer matches its content, such as *.jpg to *.exe)
- hash individual files, both to search for known files and to exclude them (ignore lists)
- analyze metadata (timestamps, ownership, etc.)
- recover evidence from corrupted or partially wiped filesystems
- reconstruct past events with timelines
- special topics: RAID, journals, encryption
Check which filesystems are supported by TSK (The Sleuth Kit):
$ fsstat -f list
(The same -f list works for the other TSK tools, e.g. fls, istat, blkstat.)
Which areas of a storage drive are forensically interesting?
Areas of forensic interest on a storage drive:
- sector - the smallest accessible unit of a drive
- block - a run of consecutive sectors; the smallest allocation unit of a filesystem
- allocated blocks - filesystem blocks that are allocated to files
- unallocated blocks - filesystem blocks not allocated to any file (data from a previous allocation may still exist there)
- inodes - metadata describing files and directories (on NTFS the MFT plays this role)
- inter-partition gaps - space between partitions, visible in mmls output; may hold remnants of overwritten filesystems
- the leftover areas below are collectively called "slack" space:
- volume slack - between the end of the filesystem and the end of the partition
- file slack - between the end of the file and the end of its last block
- RAM slack - between the end of the file and the end of its last sector
- becoming less important because of 4K-sector drives (little or no RAM slack), operating systems that wipe unused space, and TRIM on SSDs
(same meaning: directories = folders, partitions = volumes)
What are the two ways to access a filesystem for analysis?
Via normal kernel devices:
- raw devices (/dev/sda, /dev/mmcblk0, /dev/nvme0n1)
- partition devices (/dev/sda1 or /dev/nvme0n1p1)
Kernel loop devices can be created from a forensic image and removed again afterwards:
- /dev/loop*
- $ sudo losetup --find --show --partscan --read-only image.dd (--show prints the loop device that was allocated; --partscan creates /dev/loopNp1, ... for the partitions)
- $ sudo losetup -d /dev/loop0 (-D would detach all loop devices)
Via calculated offsets (be careful, check the units!):
- byte offsets (a character offset reported by a text tool is not a byte offset; a UTF-16 character is 2 bytes)
- sector offsets (the sector size is not always 512 bytes; mmls and fsstat report it)
- block offsets (remember to subtract the partition's starting sector first; blocks are counted from the start of the filesystem, not the drive)
- use shell arithmetic: $ echo $((1024000 / 512))
Do forensic tools require devices or images to be mounted?
No. Forensic analysis tools act directly on the device or on a forensically acquired image; no mounting is needed.
I know the drive sector; what is the filesystem block?
# echo $(((sectornumber - partitionoffset) / blocksize_in_sectors))
where partitionoffset is the partition's starting sector (from mmls) and blocksize_in_sectors is the filesystem block size divided by the sector size (e.g. 4096 / 512 = 8, from fsstat).
How can you find out whether a filesystem block is allocated?
# blkstat /dev/sdb1 1025
(blkstat reports "Allocated" or "Not Allocated" for block 1025 of the filesystem on /dev/sdb1.)
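The following is an added worked example, not code from Nikkel's slides or from The Sleuth Kit itself. It turns the unit arithmetic from the offset cards (sector, partition start, block) and the slack definitions into shell functions, and wraps the losetup and blkstat invocations from the cards in helpers. It generalizes the single echo on the card to any sector and block size, and adds the inverse direction (block to sector, block to byte offset for dd or xxd). All numbers in the sample calls (partition at sector 2048, 512-byte sectors, 4096-byte blocks, a hit at sector 1026048, a 10000-byte file) are constructed for illustration; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original slides): offset arithmetic for TSK work,
# plus read-only loop-device and blkstat helpers. Sample numbers are constructed.

# Filesystem block that contains a given drive sector.
#   $1 drive sector            $2 partition start sector (from mmls)
#   $3 sector size in bytes    $4 filesystem block size in bytes (from fsstat)
sector_to_block() {
    if [ "$1" -lt "$2" ]; then
        echo "sector $1 lies before the partition start ($2)" >&2
        return 1
    fi
    # a block is (block_size / sector_size) whole sectors; integer division
    # drops the position inside the block
    echo $(( ($1 - $2) / ($4 / $3) ))
}

# First drive sector of a filesystem block (inverse of sector_to_block).
block_to_sector() {
    echo $(( $2 + $1 * ($4 / $3) ))
}

# Byte offset of a block from the start of the drive/image, for dd, xxd, hexdump.
block_to_byte_offset() {
    echo $(( ( $2 + $1 * ($4 / $3) ) * $3 ))
}

# Slack after the end of a file: $1 file size in bytes, $2 unit size in bytes.
# Pass the block size to get file slack, the sector size to get RAM slack.
slack_bytes() {
    if [ $(( $1 % $2 )) -eq 0 ]; then
        echo 0
    else
        echo $(( $2 - $1 % $2 ))
    fi
}

# Attach an image read-only and print the loop device; with --partscan the
# partitions appear as ${dev}p1, ${dev}p2, ... Needs root.
attach_image_ro() {
    sudo losetup --find --show --partscan --read-only "$1"
}

detach_image() {
    sudo losetup -d "$1"
}

# Is block $3 allocated in the filesystem that starts at sector $2 of image or
# device $1? blkstat prints "Allocated" or "Not Allocated"; its -o option takes
# a sector offset, so an image needs no loop device for this. Needs TSK.
block_allocated() {
    blkstat -o "$2" "$1" "$3" | grep -q '^Allocated'
}

# Constructed sample: partition at sector 2048, 512-byte sectors, 4096-byte
# ext4 blocks. A keyword hit at drive sector 1026048 lands in block 128000:
sector_to_block 1026048 2048 512 4096
# A 10000-byte file leaves 2288 bytes of file slack and 240 bytes of RAM slack:
slack_bytes 10000 4096
slack_bytes 10000 512
# With a real image you would continue with, for example:
#   block_allocated image.dd 2048 128000 && echo "block 128000 is allocated"
#   dev=$(attach_image_ro image.dd); fsstat "${dev}p1"; detach_image "$dev"
```

The sector check at the top of sector_to_block is the mistake the card warns about: feeding a raw drive sector to a block-numbered tool without subtracting the partition start either points at the wrong block or, for sectors before the partition, at a negative number that the shell silently truncates.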