forensics2
Content Category
- A cluster is a group of sectors; the number of sectors per cluster must be a power of 2
  - 1 (512 bytes), 2 (1024 bytes), 4, 8, 16, 32, or 64 (?)
  - The maximum cluster size is ?
- The address of the first cluster is 2
- Clusters are all located in the data area
Timestamp Attributes
- Date portion: a 16-bit value
  - Day: lower 5 bits; valid values are 1 to 31
  - Month: next 4 bits; valid values are 1 to 12
  - Year: last 7 bits; valid range is 0 to 127, which gives a year range of 1980 to 2107
File System Category
- Essential boot sector data in a FAT file system is in the 1st sector of the volume
- Location of the three physical layout areas
  - Reserved area starts in sector 0 of the file system
  - FAT area contains one or more FAT structures
  - Data area contains the clusters
- When this first assigned cluster is filled and runs out of room, FAT assigns the next available cluster to the file
File System Analysis
- File System Category
  - Boot sector
- Content Category
  - Finding the clusters
  - Cluster allocation status/methods
- Metadata Category
  - Directory entry
  - Cluster chains
- File Name Category
- If the next available cluster isn't contiguous to the current cluster, the file becomes fragmented
- The FAT database is typically written to a disk's outermost track and contains:
  - Filenames, directory names, date and time stamps, the starting cluster number, and file attributes
Examining E-mail Headers
- Gather supporting evidence and track the suspect
Metadata Category - Directory Entry
- Describes a file or directory, including the locations where the content is stored, dates and times, and permissions
- Stored in a directory entry structure
  - File attributes, size, starting cluster, and dates and times
  - Directory entries can exist anywhere in the data area because they are stored in the clusters allocated to a directory
  - The allocation status of a directory entry is determined by using the first byte
E-mail is used in two environments
- Open (Internet)
- Controlled (LAN, WAN)
Tracing an E-mail Message
Preliminary steps
- Examine each field in the e-mail header
  - Recorded IP address of the sender
- Content analysis on suspicious e-mail(s)
  - Determine if a crime/violation of policy has been committed
- Investigate attachments
Verification and validation
- E-mail route
- Analyze the domain name's point of contact
- Aggregate the suspect's contact information
- Acquire attributes against network logs
Servers
Servers typically run specialized software
Metadata Category - Directory
- When a new directory is created, a cluster is allocated to it and wiped with 0s
- The size field in the directory entry is not used and should always be 0
- How can we determine the size of the directory?
  - Use the starting cluster and check the cluster chain in the FAT structure
- Two important entries
  - . is used to address the current directory
  - .. is used to address the parent directory
Examining E-mail Messages
- Access the victim's computer and retrieve evidence
- Use the victim's e-mail client
- Find and copy evidence in the e-mail
- Access protected or encrypted material
- Carve e-mails
  - Including the header
  - Why?
Firewall logs
- Filter e-mail traffic
- Verify whether the e-mail passed through
Email Header
- From: who the message is from. This is the easiest to forge, and thus the least reliable.
- Reply-To: the address to which replies should be sent. Often absent from the message, and very easily forgeable.
- Return-Path: the e-mail address for return mail. Same as Reply-To:
- Message-ID: a unique string assigned by the mail system when the message is first created. The format of a Message-ID: field is <uniquestring>@<sitename>
- Received: these form a list of all sites (MTAs) through which the message traveled in order to reach you
E-mail messages are saved on the client side or left at the server
- Microsoft Outlook .pst and .ost files
  - .pst: sent, received, deleted, draft
  - .ost: offline files
Contrast with public email
- Non-standard names
- Usually not informative
Router logs
- Record all incoming and outgoing traffic
- Have rules to allow or disallow traffic
Supporting evidence
- Return path
- Recipient's e-mail address
- Type of sending e-mail service
- IP address of the sending server
- Name of the e-mail server
- Unique message number
- Date and time the e-mail was sent
- Attachment file information
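The supporting-evidence fields listed above, together with the From:, Reply-To:, Return-Path:, Message-ID: and Received: fields from the E-mail Header slide, can be pulled out of a raw message with Python's standard library. The following is an added example, not part of the slides: the message, its hosts and addresses are constructed (documentation IP ranges), and the function names are mine. One caveat the slide glosses over: Return-Path is written by the receiving MTA from the SMTP envelope sender, so it can legitimately differ from both From: and Reply-To:, which is why the code reports a mismatch as a lead to verify against server logs rather than as proof of forgery.

```python
import re
from email import message_from_string
from email.utils import parseaddr

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")

# Constructed sample message (not a real capture); addresses use documentation ranges.
SAMPLE_MESSAGE = "\n".join([
    "Return-Path: <bounce@example.net>",
    "Received: from mx.example.org (mx.example.org [198.51.100.7])",
    "\tby inbox.example.com with ESMTP id abc123;",
    "\tMon, 4 Mar 2024 10:15:02 +0000",
    "Received: from [203.0.113.45] (unknown [203.0.113.45])",
    "\tby mx.example.org with SMTP id xyz789; Mon, 4 Mar 2024 10:14:58 +0000",
    "Message-ID: <20240304101455.12345@mail.example.net>",
    "From: \"Alice\" <alice@example.com>",
    "Reply-To: other@example.net",
    "Date: Mon, 4 Mar 2024 10:14:55 +0000",
    "Subject: constructed sample for a header walk-through",
    "",
    "Body text.",
])

def parse_received(header):
    """Extract the from/by hosts, the first IP literal and the timestamp of one Received: line."""
    text = " ".join(header.split())             # unfold continuation lines
    from_m = FROM_RE.search(text)
    by_m = BY_RE.search(text)
    ip_m = IP_RE.search(text)
    return {
        "from": from_m.group(1).strip("[]") if from_m else None,
        "by": by_m.group(1) if by_m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "date": text.rsplit(";", 1)[1].strip() if ";" in text else None,
    }

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else None

def analyze_headers(raw_message):
    """Summarize the header fields an examiner records before verifying them elsewhere."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    message_id = msg.get("Message-ID", "").strip()
    # Each MTA prepends its own Received: line, so the header order is newest first;
    # reversing it gives the route in the order the message actually travelled.
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    return {
        "from": sender,
        "reply_to": reply_to,
        "return_path": return_path,
        "message_id": message_id,
        "message_id_site": message_id.strip("<>").rsplit("@", 1)[-1] if "@" in message_id else None,
        "date": msg.get("Date"),
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,      # sending server, per the earliest hop
        "delivered_by": hops[-1]["by"] if hops else None,  # the MTA that handed it to the recipient
        # Mismatches are leads to verify against logs, not proof of forgery on their own
        "reply_to_differs": bool(reply_to) and reply_to != sender,
        "return_path_domain_differs": bool(return_path) and domain_of(return_path) != domain_of(sender),
    }

if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the Received: line added by your own (trusted) server is reliable; every earlier hop and every address header could have been written by the sender, so the origin IP is where log correlation starts, not where it ends.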
Tracing corporate e-mails is easier
- Standard names
- Assigned by the local administrator
Client's email software
- May be installed separately from the OS
- Have their own directories and data files
- May use existing elements
- Browsers
- SMTP: Simple Mail Transfer Protocol
- POP: Post Office Protocol
- IMAP: Internet Message Access Protocol
Directory Table
- Describes files or directories
- Each entry is represented by 32 bytes
FAT12
- Developed for floppy disk OS
- Addresses up to 16MB
Cluster chaining
- File clusters are next to each other (when possible)
- If not possible, fragmentation occurs
File Allocation Table (FAT)
- File structure database that Microsoft originally designed for floppy disks
- Used before Windows NT and 2000
To locate a specific data unit
- Locating a specific data unit in FAT is more complex than with other file systems because cluster addresses do not start at the beginning of the file system
- Data unit prior to the data area: sector addresses
- Data unit in the data area: sector or cluster addresses
Can we locate the three physical layout areas?
- Reserved area starts in sector 0 of the file system
- FAT area contains one or more FAT structures
- Data area contains the clusters
Cluster Allocation Status
- The allocation status of a cluster is determined using the FAT structure
- FATx file system: an x-bit table entry
  - FAT12 (0xff7): 12-bit
  - FAT16 (0xfff7): 16-bit
  - FAT32 (0x0fff fff7): 32-bit (only 28 of the bits are used)
To determine its allocation status
- The allocation status of each cluster can be determined by looking at the cluster's entry in the FAT table
- Entries with a zero value are unallocated and nonzero entries are allocated
- What if we want to extract the contents of ALL unallocated clusters?
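The three slides above (data unit addressing, FAT entry widths, and cluster allocation status) can be exercised with the following Python. It is an added example, not from the slides: it reads FAT12, FAT16 and FAT32 entries, classifies each value, follows a cluster chain with loop detection, maps a cluster to its first sector, and lists the unallocated clusters an examiner would extract. The FAT tables, the data-area start sector (36) and the 8 sectors per cluster are constructed values, and the function names are mine. The end-of-chain thresholds (0xFF8 / 0xFFF8 / 0x0FFFFFF8 and above) and the reserved range just below the bad-cluster markers the slide lists are standard FAT values that the slides themselves do not spell out.

```python
import struct

# Special FAT entry values per table width. Values from 2 up to the reserved
# range are pointers to the next cluster in the chain.
FAT_PARAMS = {
    12: {"mask": 0xFFF,      "bad": 0xFF7,      "eoc": 0xFF8},
    16: {"mask": 0xFFFF,     "bad": 0xFFF7,     "eoc": 0xFFF8},
    32: {"mask": 0x0FFFFFFF, "bad": 0x0FFFFFF7, "eoc": 0x0FFFFFF8},  # upper 4 bits unused
}

# Constructed FAT16 table for a tiny volume with clusters 2..9:
# 2 -> 3 -> 5 -> end of chain; clusters 4 and 6..9 are free.
SAMPLE_FAT16 = struct.pack("<10H", 0xFFF8, 0xFFFF, 3, 5, 0, 0xFFFF, 0, 0, 0, 0)
# Constructed FAT16 table with a corrupt chain 2 -> 3 -> 2.
LOOPED_FAT16 = struct.pack("<5H", 0xFFF8, 0xFFFF, 3, 2, 0)
# Constructed FAT12 table (two 12-bit entries per three bytes), clusters 2..5: 2 -> 3 -> end.
SAMPLE_FAT12 = bytes([0xF8, 0xFF, 0xFF,   # entries 0 and 1: media marker, end-of-chain
                      0x03, 0xF0, 0xFF,   # entry 2 = 3, entry 3 = 0xFFF
                      0x00, 0x00, 0x00])  # entries 4 and 5 free

def read_fat_entry(fat, cluster, bits):
    """Return the entry for `cluster` from the raw FAT bytes."""
    if bits == 16:
        return struct.unpack_from("<H", fat, cluster * 2)[0]
    if bits == 32:
        return struct.unpack_from("<I", fat, cluster * 4)[0] & FAT_PARAMS[32]["mask"]
    # FAT12: entry n starts at byte n*1.5; odd entries use the high 12 bits of the 16-bit word
    word = struct.unpack_from("<H", fat, cluster + cluster // 2)[0]
    return word >> 4 if cluster & 1 else word & 0xFFF

def classify_entry(value, bits):
    p = FAT_PARAMS[bits]
    if value == 0:
        return "free"
    if value >= p["eoc"]:
        return "eoc"
    if value == p["bad"]:
        return "bad"
    if value == 1 or value >= p["bad"] - 7:
        return "reserved"
    return "next"

def follow_chain(fat, start, bits, max_cluster):
    """Walk the chain from `start`; return (clusters, stop_reason).

    "eoc" is a clean chain. Anything else is an anomaly worth recording: a chain
    running into a free, bad or reserved entry, a loop, or an out-of-range pointer.
    A deleted file's directory entry typically points at a cluster that is now "free".
    """
    chain, current = [], start
    while True:
        if current < 2 or current > max_cluster:
            return chain, "out-of-range"
        if current in chain:
            return chain, "loop"
        chain.append(current)
        kind = classify_entry(read_fat_entry(fat, current, bits), bits)
        if kind != "next":
            return chain, kind
        current = read_fat_entry(fat, current, bits)

def cluster_to_sector(cluster, data_start_sector, sectors_per_cluster):
    """Cluster addresses start at 2, so cluster 2 is the first sector of the data area."""
    return data_start_sector + (cluster - 2) * sectors_per_cluster

def unallocated_clusters(fat, bits, max_cluster):
    """Every cluster whose FAT entry is 0: the set to extract when carving for deleted content."""
    return [c for c in range(2, max_cluster + 1) if read_fat_entry(fat, c, bits) == 0]

if __name__ == "__main__":
    chain, reason = follow_chain(SAMPLE_FAT16, 2, 16, 9)
    print("chain from 2:", chain, reason)                        # [2, 3, 5] eoc
    print("first sectors:", [cluster_to_sector(c, 36, 8) for c in chain])
    print("unallocated:", unallocated_clusters(SAMPLE_FAT16, 16, 9))
    print("loop check:", follow_chain(LOOPED_FAT16, 2, 16, 4))
    print("FAT12 chain:", follow_chain(SAMPLE_FAT12, 2, 12, 5))
```

For a FAT12/16 volume the data-area start sector is the reserved sectors plus all FAT copies plus the fixed root directory; on FAT32 the root directory is itself a cluster chain, so only the first two terms apply. Compare the two FAT copies before trusting either: they should be identical, and a difference dates a change.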
FAT16
- Up to Windows 95 and Windows NT 4.0
- Maximum storage capacity of 2GB
FAT32
- Windows 98, ME, 2000, XP
- Addresses up to 2TB
Delete the file
- The 0xE5 (σ) character replaces the first letter of the filename
- The FAT chain for that file is set to 0
Deletion
- When a file is deleted
  - The directory entry is marked as a deleted file
- Data in the file remains on the disk drive
- The area of the disk where the deleted file resides becomes unallocated disk space
  - Available to receive new data from newly created files or other files needing more space
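The following Python is an added example, not from the slides, that decodes the 32-byte directory entry from the Directory Entry and Directory Table slides and applies the first-byte rule the Deletion slides describe: 0x00 means never used (and ends the listing), 0xE5 means deleted, anything else means allocated. The sample directory bytes are constructed. The field layout (8.3 name at offset 0, attributes at 11, creation/access/write timestamps, the two halves of the starting cluster at offsets 20 and 26, the 32-bit size at 28) is the standard FAT layout, which the slides do not spell out, and the function names are mine. Timestamps are returned as raw 16-bit words.

```python
import struct

ENTRY_SIZE = 32
ENTRY_FORMAT = "<11s3B7HI"   # name(11), attr, NT flags, create-tenths, 7 x 16-bit words, size
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F              # long-file-name entries reuse the layout for name fragments

def entry_status(raw):
    """Allocation status of a directory entry, decided by its first byte."""
    if raw[0] == 0x00:
        return "unallocated"   # never used; also marks the end of the directory listing
    if raw[0] == 0xE5:
        return "deleted"       # the driver overwrote the first name byte when deleting
    return "allocated"

def parse_dir_entry(raw):
    if len(raw) != ENTRY_SIZE:
        raise ValueError("directory entries are exactly 32 bytes")
    status = entry_status(raw)
    if status == "unallocated":
        return {"status": status}
    (name, attr, _ntres, ctenth, ctime, cdate, adate,
     cluster_hi, wtime, wdate, cluster_lo, size) = struct.unpack(ENTRY_FORMAT, raw)
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:11].decode("ascii", "replace").rstrip()
    if status == "deleted":
        base = "?" + base[1:]  # first character is gone; the rest of the 8.3 name survives
    return {
        "status": status,
        "name": base + ("." + ext if ext else ""),
        "attributes": attr,
        "is_directory": bool(attr & ATTR_DIRECTORY),
        "is_lfn": (attr & ATTR_LFN) == ATTR_LFN,
        "first_cluster": (cluster_hi << 16) | cluster_lo,  # high word is only used by FAT32
        "size": size,          # 0 for directories: their size comes from the cluster chain
        "created_raw": (cdate, ctime, ctenth),
        "accessed_raw": adate,
        "written_raw": (wdate, wtime),
    }

def walk_directory(data, include_deleted=True):
    """Parse consecutive entries until the first never-used entry; deleted ones are kept by default."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = parse_dir_entry(data[off:off + ENTRY_SIZE])
        if entry["status"] == "unallocated":
            break
        if entry["status"] == "deleted" and not include_deleted:
            continue
        entries.append(entry)
    return entries

def make_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Build a constructed entry for the demonstration (not bytes from a real disk)."""
    raw_name = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    if deleted:
        raw_name = b"\xE5" + raw_name[1:]
    return struct.pack(ENTRY_FORMAT, raw_name, attr, 0, 0, 0x6DEF, 0x586F, 0x586F,
                       first_cluster >> 16, 0x6DEF, 0x586F, first_cluster & 0xFFFF, size)

# Constructed directory: two live entries, one deleted entry, then the end marker.
SAMPLE_DIR = (make_entry("REPORT", "TXT", 0x20, 5, 1234)
              + make_entry("NOTES", "", ATTR_DIRECTORY, 9, 0)
              + make_entry("SECRET", "DOC", 0x20, 12, 4096, deleted=True)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for e in walk_directory(SAMPLE_DIR):
        print(e["status"], e["name"], "cluster", e["first_cluster"], "size", e["size"])
```

A deleted entry still carries its starting cluster and size, which is exactly what lets an examiner recover the content as long as the clusters have not been reused; the starting cluster of a deleted entry should therefore be checked against the FAT, where it will normally read as free.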
Content Management
- When the OS stores data in a FAT file system, it assigns a starting cluster position to a file
  - Data for the file is written to the first sector of the first assigned cluster
- Allocate 1 cluster (8 sectors)
- Record data
- Write End-of-File marker
Time value
- A 16-bit value
  - Second: lower 5 bits, uses two-second intervals; valid values are 0 to 29
  - Minute: next 6 bits; valid values are 0 to 59
  - Hour: last 5 bits; valid range is 0 to 23
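The date layout from the Timestamp Attributes slide and the time layout just above can be decoded with a few shifts and masks. The following Python is an added example, not from the slides; the sample words 0x586F / 0x6DEF are constructed values and the function names are mine. Rather than clamp out-of-range fields, the decoder returns None for them, because a day of 0, a month of 13 or an hour of 24 cannot have been written by a well-behaved driver and should be recorded as corruption or tampering.

```python
import datetime

# Bit layout of the two 16-bit FAT timestamp words:
#   date: bits 0-4 day (1-31), bits 5-8 month (1-12), bits 9-15 years since 1980 (0-127)
#   time: bits 0-4 seconds/2 (0-29), bits 5-10 minute (0-59), bits 11-15 hour (0-23)

def decode_fat_date(value):
    """Split a 16-bit FAT date word into (year, month, day) without validating it."""
    day = value & 0x1F
    month = (value >> 5) & 0x0F
    year = 1980 + ((value >> 9) & 0x7F)
    return year, month, day

def decode_fat_time(value):
    """Split a 16-bit FAT time word into (hour, minute, second)."""
    second = (value & 0x1F) * 2          # stored in two-second units
    minute = (value >> 5) & 0x3F
    hour = (value >> 11) & 0x1F
    return hour, minute, second

def fat_timestamp(date_word, time_word):
    """Return a datetime, or None when any field is outside its valid range."""
    year, month, day = decode_fat_date(date_word)
    hour, minute, second = decode_fat_time(time_word)
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return None
    if not (hour <= 23 and minute <= 59 and second <= 58):
        return None
    try:
        return datetime.datetime(year, month, day, hour, minute, second)
    except ValueError:        # e.g. 31 February: bits in range, but the date does not exist
        return None

def encode_fat_timestamp(dt):
    """Inverse of fat_timestamp; used here to build sample words and to cross-check the decoder."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word

if __name__ == "__main__":
    # Constructed sample: 0x586F / 0x6DEF encode 2024-03-15 13:47:30
    print(fat_timestamp(0x586F, 0x6DEF))   # 2024-03-15 13:47:30
    print(fat_timestamp(0x0000, 0x0000))   # day 0 and month 0 are invalid: None
    print(encode_fat_timestamp(datetime.datetime(2024, 3, 15, 13, 47, 30)))
```

Note that the two-second granularity means odd seconds are never stored, so a written time of 13:47:31 on disk is impossible; the creation stamp alone carries an extra tenths-of-a-second byte in the directory entry.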