forensics2


Content Category

- A cluster is a group of sectors, and the number of sectors must be a power of 2
  - 1 (512 bytes), 2 (1024 bytes), 4, 8, 16, 32, or 64 (?)
  - The maximum cluster size is ?
- The address of the first cluster is 2
- Clusters are all located in the data area

Timestamp Attributes

Date portion: a 16-bit value
- Day: lower 5 bits, and the valid values are 1 to 31
- Month: next 4 bits, and the valid values are 1 to 12
- Year: last 7 bits are for the year, and the valid range is from 0 to 127, which gives a year range of 1980 to 2107

File System Category

Essential boot sector data in a FAT file system: 1st sector of the volume
- Location of the three physical layout areas
  - Reserved area starts in sector 0 of the file system
  - FAT area contains one or more FAT structures
  - Data area contains the clusters

When this first assigned cluster is filled and runs out of room

FAT assigns the next available cluster to the file

File System Analysis

- File System Category
  - Boot sector
- Content Category
  - Finding the clusters
  - Cluster allocation status/methods
- Metadata Category
  - Directory entry
  - Cluster chains
- File Name Category

If the next available cluster isn't contiguous to the current cluster

File becomes fragmented

FAT database is typically written to a disk's outermost track and contains:

Filenames, directory names, date and time stamps, the starting cluster number, and file attributes

Examining E-mail Headers

Gather supporting evidence and track suspect

Metadata Category- Directory Entry

Metadata Category
- Describes a file or directory, including the locations where the content is stored, dates and times, and permissions
- Is stored in a directory entry structure
  - File attributes, size, starting cluster, and dates and times
  - Directory entries can exist anywhere in the data area because they are stored in the clusters allocated to a directory
  - The allocation status of a directory entry is determined by using the first byte

Email used in two environments

- Open (Internet)
- Controlled (LAN, WAN)

Tracing an E-mail Message

Preliminary steps
- Examine each field in the e-mail header
  - Recorded IP address of sender
- Content analysis on suspicious e-mail(s)
  - Determine if a crime/violation of policy has been committed
- Investigate attachments

Verification and validation
- E-mail route
- Analyze domain name's point of contact
- Aggregate suspect's contact information
- Acquire attributes against network logs

Servers

Servers typically run specialized software

Metadata Category- Directory

- When a new directory is created, a cluster is allocated to it and wiped with 0s
- The size field in the directory entry is not used and should always be 0
- How can we determine the size of the directory?
  - Use the starting cluster and check the cluster chain in the FAT structure
- Two important entries
  - . : is used to address the current directory
  - .. : is used to address the parent directory

Examining E-mail Messages

- Access victim's computer and retrieve evidence
- Use victim's e-mail client
- Find and copy evidence in the e-mail
- Access protected or encrypted material
- Carve e-mails
  - Including header
  - Why?

Firewall logs

- Filter e-mail traffic
- Verify whether the e-mail passed through

Email Header

- From: Who the message is from. This is the easiest to forge, and thus the least reliable.
- Reply-To: The address to which replies should be sent. Often absent from the message, and very easily forgeable.
- Return-Path: The e-mail address for return mail. Same as Reply-To:
- Message-ID: A unique string assigned by the mail system when the message is first created. The format of a Message-ID: field is <uniquestring>@<sitename>
- Received: They form a list of all sites (MTAs) through which the message traveled in order to reach you

E-mail messages are saved on the client side or left at the server

- Microsoft Outlook .pst and .ost files
  - .pst - Sent, received, deleted, draft
  - .ost - Offline files

Contrast with public email

- Non-standard names
- Usually not informative

Router logs

- Record all incoming and outgoing traffic
- Have rules to allow or disallow traffic

supporting evidence

- Return path
- Recipient's e-mail address
- Type of sending e-mail service
- IP address of sending server
- Name of the e-mail server
- Unique message number
- Date and time e-mail was sent
- Attachment file information

Tracing corporate e-mails is easier

- Standard names
- Assigned by local administrator

Client's email software

- May be installed separately from OS
- Have their own directories and data files
- May use existing elements
- Browsers

- SMTP:
- POP:
- IMAP:

- SMTP: Simple Mail Transfer Protocol
- POP: Post Office Protocol
- IMAP: Internet Message Access Protocol

Directory Table

- Describes files or directories
- Each entry is represented by 32 bytes

FAT12

- Developed for floppy disk OS
- Addresses up to 16MB

Cluster chaining

- File clusters are next to each other (when possible)
- If not possible, fragmentation occurs

File Allocation Table (FAT)

- File structure database that Microsoft originally designed for floppy disks
- Used before Windows NT and 2000

To locate a specific data unit

- Locating a specific data unit in FAT is more complex than with other file systems because cluster addresses do not start at the beginning of the file system
- Data unit prior to the data area: sector addresses
- Data unit in the data area: sector or cluster addresses

Can we locate the three physical layout areas?

- Reserved area starts in sector 0 of the file system
- FAT area contains one or more FAT structures
- Data area contains the clusters

Cluster Allocation Status

- The allocation status of a cluster is determined using the FAT structure
- FATx file system: an x-bit table entry
  - FAT12 (0xff7): 12-bit
  - FAT16 (0xfff7): 16-bit
  - FAT32 (0x0fff fff7): 32-bit (only 28 of the bits are used)

To determine its allocation status

- The allocation status of each cluster can be determined by looking at the cluster's entry in the FAT table
- Entries with a zero value are unallocated, and nonzero entries are allocated
- What if we want to extract the contents of ALL unallocated clusters?

FAT16

- Up to Windows 95 and Windows NT 4.0
- Maximum storage capacity of 2GB

FAT32

- Windows 98, ME, 2000, XP
- Addresses up to 2TB

Delete the file

- With the 0xE5 (σ) character replacing the first letter of the filename
- FAT chain for that file is set to 0

Deletion

- When a file is deleted
  - Directory entry is marked as a deleted file
- Data in the file remains on the disk drive
- Area of the disk where the deleted file resides becomes unallocated disk space
  - Available to receive new data from newly created files or other files needing more space

Content Management

- When the OS stores data in a FAT file system, it assigns a starting cluster position to a file
  - Data for the file is written to the first sector of the first assigned cluster
- Allocate 1 cluster (8 sectors)
- Record data
- Write End-of-File marker

Time value

A 16-bit value
- Second: lower 5 bits, uses two-second intervals, and the valid values are 0 to 29
- Minute: next 6 bits, and the valid values are 0 to 59
- Hour: last 5 bits are for the hour, and the valid range is from 0 to 23
