Master Boot Record
The first sector of a drive (sector 0) is known as the MBR, or Master Boot Record. It holds the boot code the BIOS jumps to after its power-on tests, a four-entry partition table at byte offset 446, and the signature 55 AA in its last two bytes. The boot code hands off either to a boot loader that allows you to choose between installed operating systems or directly to the volume boot sector of a bootable partition. Most operating systems make use of the MBR, and all file systems we cover in this book are accessed through it. Each partition table entry records where the partition starts, how many sectors it spans, and a type code that tells the operating system what kind of file system to expect there. Deleting a partition, such as with the fdisk utility, removes only its table entry; the partition's contents remain on the disk until something overwrites them.
FAT File System
The FAT file system was used in MS-DOS and in Windows 98 and earlier versions, and modern versions of FAT are still common on external USB drives and removable media. FAT comes in three flavors, FAT12, FAT16, and FAT32, named for the width of each entry in the allocation table (12, 16, or 32 bits, of which FAT32 uses 28); the entry width sets how many clusters, and so how much space, a single volume can address. After Windows 98, some Windows Server versions had their boot partitions formatted in FAT and their data partitions in NTFS to allow for easy system recovery, since most boot disks of the time could not read NTFS. Another offshoot, introduced in Windows 95, was VFAT (Virtual File Allocation Table), which let Windows store filenames longer than the 8.3 limit of the original format.
Common to all three is their on-disk layout. Knowing it, you can examine a disk and determine whether a FAT file system existed on it and whether files and directories can be recovered from it, and you can even possibly recover a deleted FAT partition. A FAT volume begins with its boot sector, followed by one or more copies of the File Allocation Table, then the root directory (a fixed-size area on FAT12 and FAT16; an ordinary cluster chain on FAT32), and finally the data area, which is divided into clusters. Figure 6-1 shows how this disk layout looks in EnCase.
Table 6-1 Default File Systems for Windows
In the FAT file system, the namesake File Allocation Table has one entry per data cluster recording whether that cluster is free, in use, or bad. For a cluster in use, the entry is a pointer: it holds either the number of the next cluster of the same file or an end-of-chain marker. Note that the FAT contains no information about the stored file: no filenames, attributes, modified, accessed, and created (MAC) times, or any other data about it. The FAT simply tells the operating system which clusters are free for use and which clusters to string together to read a file. The actual filenames, attributes, and MAC times are stored in the directory entries.
Directory entries are stored just like files on the disk: a directory is itself a file, linked through the FAT like any other, whose entry in its parent directory carries the directory attribute. Because directories are reached through their parents, the directory layout is not recorded in the FAT; you discover it by traversing the linked directories. The exception is the root directory, a special file whose space is allocated at the time of file system creation, otherwise known as formatting. By accessing the root directory, you can reach every file and directory linked from it. Each directory entry records the first cluster of the file or subdirectory it names and, for files, the file size in bytes.
Figure 6-1 Hard drive layout in EnCase
To read a file, the directory entry is accessed; the size is read and used to calculate how many clusters the file occupies. The first cluster number is read, and then the corresponding entry in the FAT is accessed. If the file occupies more than one cluster, the FAT entry for the first cluster holds the number of the second cluster, the entry for the second cluster holds the number of the third, and so on until the last cluster is reached. The entry for the last cluster holds an end-of-chain marker (often written EOF; on FAT16 any value from FFF8 to FFFF, with FFF7 reserved for bad clusters) rather than a cluster number. The clusters named in this chain are read in order and the file is strung together, with the final cluster truncated to the recorded file size.
Since all FAT directories are written to the disk the same way as files, you can recover FAT directories as well as files. This is useful when portions of the disk have been overwritten or are physically damaged. Once a FAT directory entry has been recovered, the names of the files that were contained within it and their sizes and MAC times can be read. If the clusters to which the directory links still contain those files, you can access them as well.
Remember that a FAT directory is just a special file entry; it exists on a FAT file system as a file entry but in terms of recovery exists just as a file.
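The chain walk described above, written out against a constructed FAT16 table. This is an added example, not code from the book: the toy volume (one 512-byte sector per cluster, sixteen FAT entries, a single fragmented file in clusters 3, 5 and 4) is built in memory so it runs offline, and the end-of-chain, bad-cluster and free values are the FAT16 ones.

```python
"""Walk a FAT16 cluster chain: read size and first cluster from the directory
entry, then follow the FAT until the end-of-chain marker. Constructed example,
not code from the book; the tiny volume below is built in memory."""
import struct

CLUSTER_SIZE = 512           # one 512-byte sector per cluster in this toy volume

# FAT16 special values (FAT12 and FAT32 use 12- and 28-bit equivalents)
FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOC_MIN = 0xFFF8       # 0xFFF8..0xFFFF all mean end of chain


def build_fat16(chains, total_entries=16):
    """Build a raw FAT16 table (2 bytes per entry) from a list of cluster chains."""
    fat = [FAT16_FREE] * total_entries
    fat[0], fat[1] = 0xFFF8, 0xFFFF      # reserved: media descriptor and dirty flags
    for chain in chains:
        for cur, nxt in zip(chain, chain[1:]):
            fat[cur] = nxt
        fat[chain[-1]] = 0xFFFF          # terminate the chain
    return struct.pack("<%dH" % total_entries, *fat)


def fat16_entry(fat_bytes, cluster):
    return struct.unpack_from("<H", fat_bytes, cluster * 2)[0]


def clusters_needed(file_size, cluster_size=CLUSTER_SIZE):
    """How many clusters a file of this size occupies (last one partly used)."""
    return (file_size + cluster_size - 1) // cluster_size


def walk_chain(fat_bytes, first_cluster, max_clusters=None):
    """Follow the chain from first_cluster and return the ordered cluster list.
    Raises on loops, bad clusters, or a chain that runs into a free entry,
    which is what a damaged FAT (or a deleted file's zeroed chain) looks like."""
    seen, chain, cur = set(), [], first_cluster
    total = len(fat_bytes) // 2
    while True:
        if cur < 2 or cur >= total:
            raise ValueError("cluster %#x outside the FAT" % cur)
        if cur in seen:
            raise ValueError("loop at cluster %#x" % cur)
        seen.add(cur)
        chain.append(cur)
        if max_clusters is not None and len(chain) > max_clusters:
            raise ValueError("chain longer than the file size allows")
        nxt = fat16_entry(fat_bytes, cur)
        if nxt >= FAT16_EOC_MIN:
            return chain                 # end-of-chain marker reached
        if nxt == FAT16_BAD:
            raise ValueError("chain points at bad-cluster marker after %#x" % cur)
        if nxt == FAT16_FREE:
            raise ValueError("chain broken at cluster %#x (next entry is free)" % cur)
        cur = nxt


def read_file(data_area, fat_bytes, first_cluster, file_size):
    """Reassemble a file from its chain; the last cluster is cut to file_size."""
    needed = clusters_needed(file_size)
    chain = walk_chain(fat_bytes, first_cluster, needed)
    if len(chain) < needed:
        raise ValueError("chain shorter than the file size requires")
    out = b"".join(data_area[(c - 2) * CLUSTER_SIZE:(c - 1) * CLUSTER_SIZE] for c in chain)
    return out[:file_size]


def is_chain_intact(fat_bytes, first_cluster, file_size):
    try:
        return len(walk_chain(fat_bytes, first_cluster, clusters_needed(file_size))) >= clusters_needed(file_size)
    except ValueError:
        return False


# Constructed data area: clusters 2..15, each filled with its own cluster number.
DATA_AREA = b"".join(bytes([c]) * CLUSTER_SIZE for c in range(2, 16))
# One fragmented 1100-byte file living in clusters 3 -> 5 -> 4.
FAT = build_fat16([[3, 5, 4]])
FILE_SIZE = 1100
# The same FAT after the file was deleted: its chain entries are back to free.
DELETED_FAT = build_fat16([])

if __name__ == "__main__":
    print(walk_chain(FAT, 3))                                   # [3, 5, 4]
    print(len(read_file(DATA_AREA, FAT, 3, FILE_SIZE)))         # 1100
    print(is_chain_intact(DELETED_FAT, 3, FILE_SIZE))           # False
```

The walker stops on a free entry rather than silently returning a short chain, because that is exactly what a deleted file looks like in the FAT: the directory entry still gives the first cluster and size, but the chain itself has been released. Recovery of such a file has to fall back on the assumption that its clusters were contiguous.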
You can recover a deleted FAT partition by finding the first sector of the volume and using your forensic tools to reconstruct it. For a FAT partition, the first sector, the volume boot sector, begins with a jump instruction (hex EB 3C 90 on FAT12 and FAT16, EB 58 90 on FAT32) followed at byte offset 3 by an eight-character OEM name such as MSDOS5.0 or MSWIN4.1, and ends with the hex signature 55 AA at offsets 510 and 511. The OEM name and signature alone are not proof, since the same string can occur inside ordinary data: check that the BIOS Parameter Block that follows makes sense (a valid bytes-per-sector value, normally 512, and a power-of-two sectors-per-cluster value) before adding a partition on a hit. FAT32 also keeps a backup of the volume boot sector (at sector 6 of the volume by default; the location is recorded in the boot sector itself), so if the volume boot sector is overwritten or physically damaged you can still recover the partition.
Recover FAT Partitions in EnCase
Here’s how you can recover FAT partitions using EnCase:
1. Load your image in EnCase.
2. Create a new keyword: MSWIN4.1
3. Search the image for the keyword you just created.
4. View the hits in the disk view.
5. If the last two bytes of the sector are hex 55 AA, right-click the sector in the disk view and choose Add Partition, as shown in Figure 6-2.
6. In the Add Partition dialog box, accept the defaults and click OK, as shown in Figure 6-3.
Figure 6-2 Adding a FAT partition in EnCase
Figure 6-3 Accepting the partition configuration
Recover FAT Partitions in SMART
To recover FAT partitions using ASR Data’s SMART, simply load your image into SMART. The program will scan the image and find the partitions itself.
NTFS
The NTFS file system, present in Windows NT and later versions, is a much more robust file system than FAT: it supports a multiple-user environment with file-level permissions and ownership, and is considerably more secure. Instead of a FAT, NTFS uses a Master File Table (MFT) to keep track of the contents of the partition. Each file has a record in the MFT that stores its filename, attributes, and MAC times, along with the other attributes the system consults when a user accesses the file, including where its data lives (or, for very small files, the data itself). Free and used clusters are tracked in a metadata file named $Bitmap, which holds one bit per cluster on the volume; the bit indicates whether the cluster is allocated.
Like FAT32, NTFS keeps a backup copy of its most important records: the metadata file $MFTMirr mirrors the first few MFT records (the metadata files, including $MFT itself), not the whole table. If the start of the MFT is overwritten or physically damaged, the mirror can be read and the volume structure re-created. Unlike FAT, however, you can no longer easily recover directories. Just as in FAT, an NTFS partition can be recovered if its partition table entry is deleted. You will often encounter a system whose partition table has been wiped or whose volume has been quick-formatted; a quick format writes fresh metadata but does not wipe the data clusters, so much of the original data can often still be recovered. The NTFS volume lies on the disk just like a FAT one. Its volume boot sector begins with the hex bytes EB 52 90 followed by the OEM ID NTFS (padded with spaces to eight characters) and ends with the hex signature 55 AA; NTFS also stores a copy of this boot sector in the last sector of the volume, which is worth checking when the first sector is gone.
Recover NTFS Partitions in EnCase
To recover NTFS partitions in EnCase, follow these instructions:
1. Create a new keyword: NTFS.
2. Search the image for the keyword you just created.
3. View the hits in the disk view.
4. If the last two bytes of the sector are hex 55 AA, right-click the sector in the disk view and choose Add Partition, as shown in Figure 6-4.
5. In the Add Partition dialog box, accept the defaults and click OK, as shown in Figure 6-5.
Figure 6-4 Adding a NTFS partition in EnCase
Figure 6-5 Accepting the partition configuration
Recover NTFS Partitions in SMART
To recover NTFS partitions using SMART, load your image into SMART, which will scan the image and find the file system itself.
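What the EnCase keyword searches above do by hand for FAT and for NTFS, as one scanner over a raw image: walk the image sector by sector, test for the 55 AA signature and the OEM name at offset 3, and then sanity-check the BIOS Parameter Block so that a stray MSWIN4.1 string inside a document is not mistaken for a volume. This is an added example, not the book's, EnCase's or SMART's code; the 64-sector image below is constructed in memory, with a FAT32 boot sector, its backup six sectors later, an NTFS boot sector, and two decoy sectors.

```python
"""Scan a raw image for FAT and NTFS volume boot sectors by OEM name, 55 AA
signature and a plausible BIOS Parameter Block. Added example; the image is
constructed here so the scanner runs offline."""
import struct

SECTOR = 512
FAT_OEM_NAMES = (b"MSWIN4.1", b"MSDOS5.0")
NTFS_OEM = b"NTFS    "


def bpb_sane(sec):
    """Reject hits whose BIOS Parameter Block cannot describe a real volume."""
    bps, spc = struct.unpack_from("<HB", sec, 11)
    return bps in (512, 1024, 2048, 4096) and spc != 0 and (spc & (spc - 1)) == 0


def classify_boot_sector(sec):
    """Return 'FAT12/16', 'FAT32', 'NTFS', or None for one 512-byte sector."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xAA" or sec[0] != 0xEB:
        return None
    if not bpb_sane(sec):
        return None
    oem = sec[3:11]
    if oem == NTFS_OEM:
        return "NTFS"
    if oem in FAT_OEM_NAMES:
        # FAT32 has zero root-directory entries and a zero 16-bit sectors-per-FAT
        root_entries = struct.unpack_from("<H", sec, 17)[0]
        spf16 = struct.unpack_from("<H", sec, 22)[0]
        return "FAT32" if root_entries == 0 and spf16 == 0 else "FAT12/16"
    return None


def find_boot_sectors(image):
    """List (sector number, type) for every sector that passes all checks."""
    hits = []
    for lba in range(len(image) // SECTOR):
        kind = classify_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])
        if kind:
            hits.append((lba, kind))
    return hits


def fat32_backup_lba(image, lba):
    """FAT32 records where its backup boot sector is (BPB_BkBootSec, offset 50)."""
    return lba + struct.unpack_from("<H", image, lba * SECTOR + 50)[0]


# ---- constructed image -------------------------------------------------------
def _fat32_boot_sector():
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x58\x90"
    sec[3:11] = b"MSWIN4.1"
    # BPB: bytes/sector, sectors/cluster, reserved sectors, FAT count, root entries,
    # 16-bit total sectors, media, 16-bit sectors/FAT, sectors/track, heads,
    # hidden sectors, 32-bit total sectors (offsets 11..35)
    struct.pack_into("<HBHBHHBHHHII", sec, 11, 512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 0, 20000)
    struct.pack_into("<I", sec, 36, 100)    # 32-bit sectors per FAT
    struct.pack_into("<H", sec, 50, 6)      # backup boot sector six sectors in
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def _ntfs_boot_sector():
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x52\x90"
    sec[3:11] = NTFS_OEM
    struct.pack_into("<HB", sec, 11, 512, 8)
    struct.pack_into("<Q", sec, 40, 40000)  # total sectors in the volume
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def _decoy(with_signature, bytes_per_sector):
    """A sector that matches the keyword but is not a volume boot sector."""
    sec = bytearray(SECTOR)
    sec[0] = 0xEB
    sec[3:11] = b"MSWIN4.1"
    struct.pack_into("<HB", sec, 11, bytes_per_sector, 8)
    if with_signature:
        sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_image():
    sectors = [bytes(SECTOR)] * 64
    fat = _fat32_boot_sector()
    sectors[10] = fat
    sectors[16] = fat                    # FAT32 backup boot sector
    sectors[30] = _decoy(False, 512)     # keyword hit, no 55 AA
    sectors[31] = _decoy(True, 0)        # keyword hit and 55 AA, nonsense BPB
    sectors[40] = _ntfs_boot_sector()
    return b"".join(sectors)


IMAGE = build_image()

if __name__ == "__main__":
    print(find_boot_sectors(IMAGE))      # [(10, 'FAT32'), (16, 'FAT32'), (40, 'NTFS')]
```

The two decoys are the point: a keyword search alone reports sector 30 and sector 31 as hits, and only the signature and BPB checks separate them from the real boot sectors. When a hit is a FAT32 volume, the backup location it records (here sector 16) tells you where a second copy should be even if the first has been damaged.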
RECOVERING DELETED FILES
One of the most common tasks requested in any investigation is to find and recover the files that have been deleted from the system. Mass deletions shortly before imaging are often a prime indicator of what the suspect was trying to hide.
Recovering deleted files with modern forensic tools is not an overly complex task, depending on the time frame between when the files were deleted and when they are being recovered. Most recovery tools allow you to view, examine, and recover many deleted items on a system.
Legal Briefs
If you're involved in a lawsuit, the judge may issue a protective order stating that nothing is to be removed from the identified systems. Protective orders are common in suits where electronic evidence is identified early in the case, and real sanctions can follow even an attempt to remove data from a system covered by one. If you are working on a system that is under a protective order, check when the last file was deleted to determine whether the order was violated.
This note is for readers unfamiliar with how the file system works. When we use the phrase deleted items here, we are not referring to items in the Recycle Bin. We mean files the file system has marked as deleted or inactive: they are no longer accessible to the user or the operating system, but their directory entry (FAT) or MFT record (NTFS) still exists and still records where their data started.
When file systems are designed, multiple factors are examined to determine what features should be implemented. For end-user systems, the top two priorities are usually speed and throughput. So when a deletion takes place, the software designer has two options: overwrite the data that existed on the disk and remove it from the disk, or mark it in the main allocation table as unused and move on to the next operation. Almost all file system designers choose the second option, because it takes less time to process. As a result, the data remains and only the pointer to it is lost. The good news for the forensic investigator is that we can recover possibly years’ worth of deleted data because of this design.
Every file system marks a file as deleted in its own way. In Windows FAT file systems, the first byte of the filename in the directory entry is overwritten with the hex value E5, which most tools display as _. The rest of the entry (the remaining name characters, the attributes, the MAC times, the starting cluster, and the size) is left in place, while the file's chain of entries in the FAT is zeroed so that its clusters become available for reuse, as shown in Figure 6-6. In NTFS, the operating system changes the file's record in the MFT to reflect the deletion: it clears the in-use flag (bit 0x01 of the flags word at offset 0x16 of the record header) and marks the record and the file's clusters as free in the corresponding bitmaps, but the record's contents otherwise remain.
Forensic tools scan the MFT and FAT automatically to show you the file system that exists on an image, and locating entries marked as deleted is part of that scan. The deleted filename, its attributes, and its data will continue to exist until they are overwritten, in part or in whole, as other activity writes to the disk. How soon that happens depends on three factors: the size of the disk, how far into the disk data has already been written, and how often large amounts of data are written to it. You may wonder why the size and position of data on the disk matter when a disk allows random access. While it is true that any part of the disk can be read at any time, constantly seeking around it costs time, and making the user wait is considered bad, so designers try to avoid it. The operating system therefore attempts to write data out in a linear stream so that it can be read back quickly, and if it cannot find a free cluster near its current position, it skips forward to the next free area.
Figure 6-6 Deleted FAT file with E5 character
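The two deletion markers just described, checked on constructed records: a FAT directory entry whose first byte is E5, and an NTFS MFT record header whose in-use flag has been cleared. Because the FAT entry still carries the first cluster and the size, the example also rebuilds the deleted file on the assumption that its clusters were contiguous, which is what an undelete has to assume once the chain in the FAT is gone. This is an added example, not code from the book; every record and the data area are constructed here.

```python
"""Detect deleted FAT directory entries (first byte E5) and deleted NTFS MFT
records (in-use flag cleared), and undelete a FAT file by assuming contiguous
clusters. Added example with constructed records; not the book's code."""
import struct

DELETED = 0xE5
CLUSTER_SIZE = 512


def parse_fat_dir_entry(raw):
    """Decode a 32-byte short-name FAT directory entry."""
    if len(raw) != 32:
        raise ValueError("directory entries are 32 bytes")
    name, ext, attr = raw[0:8], raw[8:11], raw[11]
    if name[0] == 0x00:
        return {"end_of_directory": True}      # never used: nothing follows
    # High word of the first cluster lives at offset 20 (only FAT32 uses it;
    # Windows may zero it when deleting, so a large start cluster can be lost).
    hi = struct.unpack_from("<H", raw, 20)[0]
    lo, size = struct.unpack_from("<HI", raw, 26)
    deleted = name[0] == DELETED
    shown = (b"_" + name[1:]) if deleted else name  # E5 replaced by _ as tools do
    full = shown.decode("ascii").rstrip()
    if ext.strip():
        full += "." + ext.decode("ascii").rstrip()
    return {
        "name": full,
        "deleted": deleted,
        "is_dir": bool(attr & 0x10),
        "first_cluster": (hi << 16) | lo,
        "size": size,
    }


def undelete_contiguous(entry, data_area):
    """Recover a deleted file's content assuming its clusters were contiguous."""
    if entry["first_cluster"] < 2:
        raise ValueError("no first cluster recorded")
    n = (entry["size"] + CLUSTER_SIZE - 1) // CLUSTER_SIZE
    start = (entry["first_cluster"] - 2) * CLUSTER_SIZE
    return data_area[start:start + n * CLUSTER_SIZE][:entry["size"]]


def mft_record_state(raw):
    """Read the in-use and directory bits from an MFT record header."""
    if raw[0:4] != b"FILE":
        return None                              # not a record (or marked BAAD)
    flags = struct.unpack_from("<H", raw, 0x16)[0]
    return {"in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02)}


# ---- constructed records -----------------------------------------------------
def make_dir_entry(name, ext, attr, first_cluster, size, deleted=False):
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)
    struct.pack_into("<HI", raw, 26, first_cluster & 0xFFFF, size)
    if deleted:
        raw[0] = DELETED
    return bytes(raw)


def make_mft_record(in_use, is_dir):
    raw = bytearray(1024)
    raw[0:4] = b"FILE"
    struct.pack_into("<H", raw, 0x16, (0x01 if in_use else 0) | (0x02 if is_dir else 0))
    return bytes(raw)


ACTIVE_ENTRY = make_dir_entry("REPORT", "DOC", 0x20, 4, 700)
DELETED_ENTRY = make_dir_entry("REPORT", "DOC", 0x20, 4, 700, deleted=True)
# Data area for clusters 2..9, each filled with its cluster number.
DATA_AREA = b"".join(bytes([c]) * CLUSTER_SIZE for c in range(2, 10))
DELETED_MFT_RECORD = make_mft_record(in_use=False, is_dir=False)
ACTIVE_DIR_RECORD = make_mft_record(in_use=True, is_dir=True)

if __name__ == "__main__":
    e = parse_fat_dir_entry(DELETED_ENTRY)
    print(e["name"], e["deleted"], e["first_cluster"], e["size"])   # _EPORT.DOC True 4 700
    print(len(undelete_contiguous(e, DATA_AREA)))                    # 700
    print(mft_record_state(DELETED_MFT_RECORD))                      # in_use False
```

The contiguity assumption is the weak point of any FAT undelete: if the file was fragmented, the recovered bytes after the first cluster belong to some other file. On NTFS the record keeps its own list of data runs, so a deleted file whose record has not yet been reused can usually be reassembled exactly.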
Over time, deletions fragment the disk. This is why Windows ships a defragment utility (defrag) that scans the disk for the unallocated space left by deleted files and rearranges the active files into a more linear form; since that rearranging overwrites deleted data, it must never be run on evidence. Until a defrag or some other write overwrites it, deleted data remains in its pristine state. Even when a file has been overwritten, fragments of it may still exist, and its name and MAC times may still survive in the MFT or in the FAT directory entries. (We discuss recovering file fragments later in the chapter.) Basically, when the end of the disk is reached, data can no longer be written out linearly, so the operating system goes back to look for free locations. Allocation strategies change with file system revisions, and real allocators are not as simple as this, but it is a useful way to think about the three factors that keep deleted files recoverable for longer:
• Disk size The larger the disk, the longer it will take for the operating system to reach the end of the disk and then go back to overwrite deleted files.
• Disk position If the operating system is writing near the beginning of the disk, it will take longer to reach the end; if writes are already happening farther along, it will reach the end, and start reusing freed space, sooner.
• Disk activity The more data written to the disk, the faster it will affect the other two factors.
Deleted Files
Deleting files is something that everyone knows how to do. If you as an investigator do not review the deleted files in a system, you could be missing out on important evidence, placing your investigation at risk of losing valuable information.
Recovering Deleted Files
When we talk about recovering deleted files, we are referring to taking a file that we know was marked as deleted or inactive in the file system and exporting that data out of the forensic environment for review with the application that created it. Although many tools can help you recover deleted files from a hard drive you directly attach to your system, forensic images require that sophisticated forensic tools be used to examine images. Most forensic software tools include built-in features for recovering deleted files.
Let’s look at the steps you’ll need to take with each tool to recover deleted files. Because the recovery process is the same for both FAT and NTFS file systems, they are treated as equals for the processes described here. If you were not using a modern forensic utility, the procedure could be much more manual and would involve many more steps.
Recovering Deleted Files in EnCase
Here’s how to use EnCase to recover deleted files:
1. Load your image into EnCase.
2. Choose a deleted file (as identified in the Description column) and right-click the filename.
3. In the context menu, select Copy/Unerase, as shown in Figure 6-7.
Figure 6-7 Selecting a file to recover in EnCase
4. Choose the Highlighted File option; for FAT file systems, you will pick the character that replaces the first character of the name (the default is _). Remember that the original character was lost when the operating system overwrote it with E5. Then click Next.
5. In the next dialog box, choose Logical File Only or Entire Physical File. Then click Next.
6. Indicate where you want to save the file and click Finish.
The file is now recovered and stored in the location you indicated in step 6.
Recovering Deleted Files in SMART
To recover a deleted file in SMART:
1. Load your image into SMART.
2. In the Active Case menu, right-click the partition in which you are interested.
3. Choose Filesystem | SMART | Study.
4. When the study completes, click File List.
5. Select a deleted file. A red X in the file icon next to the filename marks these files as deleted.
6. Right-click the deleted filename and choose Export Files, as shown in Figure 6-8.
7. Click Save Data To and choose where you want to store the data.
8. Click Export Files.
The file is now recovered at the location you selected in step 7.
Unallocated Data
After the file entry has been overwritten in FAT or NTFS, the clusters that contained the file's data become part of the unallocated space. The unallocated space is the group of clusters not in active use by any file; data within this space could have come from any file, including the pagefile, and its file system MAC times are gone for good because you can no longer match the file's contents to its entry in the MFT or FAT. Good evidence often exists in unallocated space, and by not taking the time to find it, you could risk missing valuable data. Figure 6-9 shows how allocated and unallocated space looks on the disk.
Figure 6-8 Selecting a file to recover in SMART
Figure 6-9 Viewing allocated and unallocated space on a disk
Recovering Unallocated Data
Since the unallocated space has no structure, you cannot expect an automated tool to list all the files within it. Instead, you must decide what you are looking for, and that determines how you search or parse the unallocated space. Three major methods can be used to recover data from it: recovering complete files, recovering file fragments, and examining slack space. Slack space, strictly speaking, is the unused tail of the last cluster of an allocated file rather than part of the unallocated space, but it holds the same kind of residue from earlier data and is recovered with the same techniques, so we treat it alongside unallocated data here.
Recovering Complete Files
To recover complete files, you need to know the header and footer for each file type you are seeking. This is straightforward for HTML documents, Microsoft Word documents, PDF documents, and other major structured file types: they have well-defined structures that begin and end with plain ASCII markers or distinctive byte sequences, so searching for them yields few false positives. The process lends itself to automation, and most recovery tools can carve complete files out of unallocated space automatically. Two caveats apply: a header with no matching footer within a plausible distance usually means the file was partly overwritten, and formats that can contain their footer marker more than once (a PDF with incremental updates has several %%EOF markers, for example) need a rule for which one ends the file.
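Header/footer carving as just described, on a constructed block of unallocated space. This is an added example, not the book's or any tool's code: the signatures are the published magic values for PDF, JPEG and HTML, the size cap and the "first footer after the header" rule are choices made here, and the sample blob contains three whole files plus a JPEG header whose footer was overwritten.

```python
"""Carve complete files out of unstructured space by header/footer pairs.
Added example with a constructed blob; not code from the book."""
import re

# header pattern, footer pattern; bytes regexes so they work on raw data
CARVE_SIGNATURES = {
    "pdf":  (re.compile(rb"%PDF-\d\.\d"), re.compile(rb"%%EOF\r?\n?")),
    "jpeg": (re.compile(rb"\xFF\xD8\xFF"), re.compile(rb"\xFF\xD9")),
    "html": (re.compile(rb"<html\b", re.I), re.compile(rb"</html>", re.I)),
}
MAX_FILE_SIZE = 4 * 1024 * 1024   # cap the search so one header cannot swallow the disk


def carve(blob, signatures=CARVE_SIGNATURES, max_size=MAX_FILE_SIZE):
    """Return (type, start offset, bytes) for every header with a footer in range,
    sorted by offset. Headers whose footer is missing within max_size are
    skipped: that is what a partly overwritten file looks like."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            h = header.search(blob, pos)
            if not h:
                break
            window_end = min(len(blob), h.start() + max_size)
            f = footer.search(blob, h.end(), window_end)
            if f:
                found.append((kind, h.start(), blob[h.start():f.end()]))
                pos = f.end()        # resume after the carved file
            else:
                pos = h.end()        # no footer: truncated file, keep scanning
    found.sort(key=lambda item: item[1])
    return found


# Constructed unallocated space: zero filler around three complete files and
# one JPEG header whose body and footer were overwritten.
UNALLOCATED = (
    b"\x00" * 100
    + b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
    + b"\x00" * 37
    + b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x11" * 50 + b"\xFF\xD9"
    + b"\x00" * 13
    + b"<HTML><body>carved</body></HTML>"
    + b"\x00" * 20
    + b"\xFF\xD8\xFF\xE1partial"      # header only; the rest was overwritten
    + b"\x00" * 30
)

if __name__ == "__main__":
    for kind, offset, data in carve(UNALLOCATED):
        print(kind, offset, len(data))   # pdf 100 ..., jpeg ..., html ...
```

Taking the first footer after a header is right for JPEG and HTML but carves only the first revision of a PDF that has been incrementally updated; a PDF-specific rule would take the last %%EOF before the next header instead. A size cap is essential on real images, otherwise a lone header near the start of the space pairs with some unrelated footer megabytes away.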
Hacking Exposed Page 14