Midterm Study CSE469
CHS addresses have a limit of xx GB; what overcomes this?
8 GB, LBA
●Maintaining the integrity of the evidence
Acquisition and Authentication
Copy the evidence/data without altering or damaging the original data or scene.
Acquisition/Preparation/Preservation
●Not essential to file system operations. Journal
Application category
Prove that the recovered evidence/data is the same as the original data.
Authentication
●Protect the integrity of the evidence. ●Maintain control until final disposition. ●At booting, HD disconnection and HD lock. ●Verify the forensic/exact image.
Authentication
Acquisition must be done concurrently with
Authentication: to prove that the recovered evidence/data is the same as the original data.
What is the first section and the size in the ext4 layout
Boot code, 1024 bytes (2 sectors)
Investigating criminal activities using scientific knowledge or methods to produce evidence for legal actions
Digital Forensics
The application of technical knowledge to extract information from evidence while adhering to a lawful process.
Digital forensics
Refers to the sequential order in which bytes are arranged into larger numerical values when stored in memory or when transmitted over digital links
Endianness
●a.k.a. human interface category. ●Name of the file. ●Normally stored in the contents of a directory along with the location of the file's metadata.
File name category
( ) files result when we don't do a good job of predicting what space we need
Fragmented
Three Levels of Law Enforcement Expertise
Level 1: Street police officer; Level 2: Detective; Level 3: Digital forensics expert
●Data that describes a file (except for the name of the file!). ●Size, locations of content, times modified, access control info.
Metadata category
Storing data in ( ) locations improves performance when reading, writing, and updating
contiguous
What command shows the contents of the super block?
dumpe2fs
How to see the inode number?
ls -ai
LBA = (((C * XXX) + H) * XXX) + S - 1
Number of heads per cylinder (HPC). Number of sectors per track (SPT).
Digital forensics involves
Obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.
Legacy operating systems used to read an entire block of data from RAM when writing to disk, whether or not the entire block was part of the file being written
RAM slack
Bytes/records can be read in any order. Writing can replace existing bytes or records. Seek operation moves the current file pointer.
Random Access Method
"Universal" data format - not specific to any tool. Requires as much storage as the original disk or data.
Raw
Lists, creates, deletes, and verifies partitions in Linux
fdisk
Relative to the start of the volume (logical volume address)?
Logical "Disk" Volume Address (LDVA)
Relative to the start of the partition?
Logical "Partition" Volume Address (LPVA)
Scheme for managing volumes for data storage separately from the underlying physical disks in Linux
Logical Volume Management (LVM)
What is the usual size of a block in Linux?
4096
What is the size of the bootstrap code in the MBR?
446 bytes
What is the size of the MBR?
512 bytes
First step in the forensic process
Acquisition
●Legal rules which determine whether potential evidence can be considered by a court.
Admissibility
Provide compressed or uncompressed image files. No size restriction for disk-to-image files. Provide space in the image file or segmented files for metadata. Open source for multiple platforms and OSs - no vendor lock-in. Internal consistency checks for self-authentication.
Advanced Forensics Format ●*.afd for segmented image files. ●*.afm for AFF metadata.
The assurance that a message, transaction, or other exchange of information is from the source it claims to be from
Authenticity
Prevent/detect/deter improper denial of access to services provided by the system
Availability
●Puts the Most Significant Byte of the number in the first storage byte. ●Sun SPARC, Motorola PowerPC, ARM, MIPS.
Big-endian
If there are 23 or more people in a particular place, the probability that two or more of them have the same birthday is greater than 0.5
Birthday attack
Contents of evidence written to a storage device that exactly matches the make and model of the original: a literal duplicate of the original. Only used when something about the storage device itself is important.
Bit-stream disk-to-disk
Set of blocks. Size is configurable, but always has the same structure; numbered starting at 0.
Block group
Before powering on, we need to change it first when we acquire the HDD as evidence.
Boot sequence
One of the most important things to consider in private investigations
Business continuity
Access items in file based on the contents of (part of) an item in the file. Provided in older commercial operating systems (IBM ISAM).
Keyed (or Indexed) Access Methods
What is the meaning of the 0x83 in offset 0x04 of the 1st partition entry?
Linux FS
●Puts the Least Significant Byte of the number in the first storage byte. ●IA32-based systems.
Little-endian ordering
What is the meaning of permission mode 0754?
see figure slide 33
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue
the Fourth Amendment
Public vs Private Investigations
Law enforcement officers with the statutes of criminal law vs. corporations and organizations with the statutes of civil law
What is the essential data in partition analysis?
the starting and ending location for each partition
Four Rules of Evidence
●Authenticity ●Admissibility ●Completeness ●Reliability / Accuracy
Three Time Attributes
●M-A-C: mtime (modified time), atime (accessed time), ctime (changed time)
Digital Forensics Objectives
●Retrieve data from a suspect's digital devices ●Figure out what happened, when, and who was responsible ●Collect computer evidence for judicial purposes ●The preservation, identification, extraction, documentation, and interpretation of computer data ●Must be able to show proof
●Unidirectional relationship between a filename and the file. ●Directory entry contains text describing absolute or relative path name of original file. ●If the source file is deleted, the link exists but pointer is invalid.
●Symbolic (soft) links
Two types of links in a Linux system
●Symbolic (soft) links ●Hard links
How many partition entries are in the MBR, and what is the size of each one?
4 and 16 bytes
All bits from the evidence are copied to a file: a virtual duplicate of the original. Referred to as an "image" or "image file".
Bit-stream disk-to-image file
●General info about the file system. ●Size and layout, location of data structures, size of data units.
File system category
The assurance that someone cannot deny something, such as the receipt of a message or the authenticity of a statement or contract.
Non-repudiation
Collection of consecutive sectors in a volume.
Partitions
●How to collect the targeted evidence ●Prepare an evidence form and establish a chain of custody ●How to transport the evidence to a digital forensics lab ●How to secure evidence in an approved secure container
Planning
sabotage, embezzlement, and industrial espionage
Private investigations
Two Elements of Digital Forensics
Process and Technical Knowledge
drug crimes, sexual exploitation, and theft
Public investigations
State what you did and what you found, and show conclusive evidence
Reporting and Documentation
The way you communicate the results of your forensic examination of the evidence
Reporting/Documentation
The BIOS is now being replaced by it. Adopted the GPT partitioning scheme instead of MBR.
UEFI (Unified Extensible Firmware Interface)
●Covers 163 modern and historic scripts, as well as multiple symbol sets and emoji.
Unicode
Collection of addressable sectors that an OS or application can use for data storage.
Volume/Partition
Command or tool to acquire data in Linux. Creates a raw format file that most computer forensics analysis tools can read.
dd ("data dump")
What kinds of tools are needed to extract the data in partitions?
dd, mmls, hex editors
What is the file type 2 in the directory entry table?
directory
What is the Linux file system format which organizes a disk into blocks and block groups ?
ext
The part of drive slack that isn't RAM slack
file slack
●Hard link: A { } that points to an { } ●Everything has a hard link to it. ●Soft link: An { } that points to a { } ●Optional.
filename, inode; inode, filename
What contains the metadata about the file in EXT filesystems but does not contain the name of the file?
inode
When you are creating the file system you must ( ) of where data is stored.
keep track
Information about a file. Data about the data, maintained by the file system. Separate from the file itself, but usually attached or connected to the file.
metadata
What kinds of attributes are there in a file?
name, type, date/time, size, protection, locks
What are the Linux commands to see a file's or a file system's detailed metadata?
stat filename; fsstat image
Obtaining evidence covered by
the Fourth Amendment
Four Steps for Forensics Process/Flow
●Acquisition/Preparation/Preservation ●Authentication ●Analysis/Examination/Evaluation ●Reporting/ Presentation/ Documentation/Interpretation
What kinds of info are stored in the super block?
●Block size ●Total # of blocks ● # blocks per group ●# reserved blocks before group 0 ●# of inodes (total) ●# of inodes per block group
Data Recovery vs Digital Forensics
●Data Recovery - Retrieving data accidentally deleted - User WANTS it back ●Digital Forensics - Retrieving data the user deliberately obscured - User DOESN'T want it back
What are the directory considerations?
●Efficiency: locating a file quickly. ●Naming: convenient to users. ●Grouping: logical grouping of files by properties.
Bidirectional relationship between file names and files. ●A directory entry that points to a source file's metadata (inode). ●Metadata maintains the reference count of the number of links pointing to it. ●Link reference count is decremented when a hard link is deleted. ●File data is deleted and space freed when the link reference count goes to zero.
●Hard links:
Three considerations when making file systems
●Need a location to store metadata for each file ●Directory structure ●Advanced features (self-healing files, automatic defragmentation)
Desirable Properties of Hash Functions
●Performance: Easy to compute H(m) ●Preimage resistance: Given a hash value h, it's computationally infeasible to find an m such that H(m)=h ●2nd preimage (weak collision) resistance: Given m, it's computationally infeasible to find m' such that H(m')=H(m) and m'!=m ●Strong collision resistance: Computationally infeasible to find m, m' such that H(m)=H(m')
3 methods for accessing files
●Sequential Access Methods (SAM) ●Random Access Methods (RAM) ●Keyed (or indexed) Access Methods (KAM)
Four layers of forensic analysis in media devices
●Storage media (Physical) layer analysis: storage locations of partitions and volumes ●Volume layer analysis: where the file system or data ●File system layer analysis: data structures ●Application layer analysis: to determine what program we should use.
Three features of hash functions
1. Various input and unique fixed-length output; 2. One-way function (irreversible process); 3. Collision resistance
Two Acquisition Types
1. Static (or dead) acquisitions 2. Live acquisitions
When is the inode number set to 0?
Deleting a File in ext4
A tool for users and applications to organize and find files. The data structure for the OS to locate files (i.e., containers) on disk.
Directory (folder)
A large amount of information or data that lives a very long time and is usually organized as a linear array of bytes or blocks. It also often requires concurrent access by multiple processes. Called a container of the information.
File
What maps file names and offsets to disk blocks
File system
Five reference model categories
●File system category ●Content category ●Metadata category ●File name category ●Application category
the first international treaty seeking to address Internet and computer crime (cybercrime)
The Convention on Cybercrime (Budapest Convention on Cybercrime), 2001
Forensic Science
The application of science to those criminal and civil laws that are enforced by police agencies in a criminal justice system
Where is MBR located in the disk?
The first sector (CHS 0,0,1)
Six steps for Systematic Approach in Digital Forensics
1. Initial Assessment 2. Planning 3. Resource determination 4. Evidence acquisition and authentication 5. Risk identification, mitigation & Investigation 6. Reporting and Evaluation
Three Acquisition Methods
1. Logical Acquisition 2. Sparse Acquisition 3. Bit-stream Copy or Acquisition
Concentric circles on a disk platter
Track
Three steps in the boot process
1. POST (check HW) 2. MBR (seek boot code) 3. Bootloader (load OS)
What is the Boot signature code in MBR?
0x55 0xAA
What is the size of the LBA of the first sector in the partition?
1 double word (4 bytes)
What is the size of the Number of Sectors in the Partition?
1 double word (4 bytes)
What is the meaning of the 0x80 at offset 0x00 of the 1st partition entry?
0x00=Inactive, 0x80=Active
Two types of bit-stream copies
1. Bit-stream disk-to-disk 2. Bit-stream disk-to-image file
Partition Analysis Steps
1. Locate the partition tables 2. Process the data structures to identify the partition layout of the volume 3. Conduct the consistency checks
What states that if n items are put into m containers, with n > m, then at least one container must contain more than one item
The pigeonhole principle
Provides a paper trail that tracks each time someone handles a piece of physical evidence
Chain of Custody (Evidence)
Prevent/detect/deter improper disclosure of information
Confidentiality
Goals of Computer Security (CIA Triad)
Confidentiality, Integrity, Availability
●Data of the actual files - the reason file systems exist. ●Organized into collections of standard-sized containers
Content category
What kinds of operations are there in file?
Create, Delete, Open, Close, Read, Write, Truncate, Seek, Tell
A column of tracks on disk platters
Cylinder
Describes the layout of the data
Data Structures
The area on a disk that is allocated to a file, but doesn't store any of the file's data
Drive Slack
What is the tool to acquire volatile memory?
FTK imager (AccessData)
How can you prove two digital things are exactly the same?
Hash functions (Message Digests)
The device that reads and writes data to a drive in hard disk
Head
In six steps, ●Situation: ●Nature of the case: ●Specifics of the case: ●Type of evidence: ●Operating system: ●Known disk format: ●Location of evidence:
Initial Assessment
Prevent/detect/deter improper modification of information
Integrity
Discover, Extract, and Analyze the data
Investigation
A section on a track
Sector
Read all bytes or records in order from the beginning. Writing implicitly truncates files. Cannot jump around.
Sequential Access Method
What is the first block and its size in the block group? It stores layout info for the file system.
Super block, 1 block
How does ext4 overcome the 2038 problem?
It extends the time values from 32 bits to 64 bits, and takes the least significant two bits of the new (extra) time field as the extension of the time value.