
File System Forensic Analysis (original PDF, unwatermarked)

Cover
Copyright
Preface
Roadmap
Scope of Book
Resources
Acknowledgments
Foreword
Part I: Foundations
1. Digital Investigation Foundations
Digital Investigations and Evidence
Digital Crime Scene Investigation Process
System Preservation Phase
Preservation Techniques
Evidence Searching Phase
Search Techniques
Event Reconstruction Phase
General Guidelines
Data Analysis
Analysis Types
Essential and Nonessential Data
Overview of Toolkits
EnCase by Guidance Software
Forensic Toolkit by AccessData
ProDiscover by Technology Pathways
SMART by ASR Data
The Sleuth Kit / Autopsy
Summary
Bibliography
2. Computer Foundations
Data Organization
Binary, Decimal, and Hexadecimal
Data Sizes
Strings and Character Encoding
Data Structures
Flag Values
Booting Process
Central Processing Units and Machine Code
Boot Code Locations
Hard Disk Technology
Hard Disk Geometry and Internals
ATA / IDE Interface
Types of Sector Addresses
Interface Standards
Disk Commands
Hard Disk Passwords
Host Protected Area
Device Configuration Overlay
Serial ATA
BIOS versus Direct Access
Direct Access to Controller
BIOS Access to Controller
SCSI Drives
SCSI versus ATA
Types of SCSI
Connector Types
Size Barriers
Summary
Bibliography
3. Hard Disk Data Acquisition
Introduction
General Acquisition Procedure
Data Acquisition Layers
Acquisition Tool Testing
Reading the Source Data
Direct versus BIOS Access
Dead Versus Live Acquisition
Error Handling
Host Protected Area
Device Configuration Overlay
Hardware Write Blockers
Software Write Blockers
Writing the Output Data
Destination Location
Image File Format
Compressing the Image File
Network-based Acquisition
Integrity Hashes
A Case Study Using dd
Input Sources
HPA
Output Destinations
Error Handling
Cryptographic Hashes
Summary
Bibliography
Part II: Volume Analysis
4. Volume Analysis
Introduction
Background
Volume Concepts
General Theory of Partitions
Usage of Volumes in UNIX
General Theory of Volume Assembly
Sector Addressing
Analysis Basics
Analysis Techniques
Consistency Checks
Extracting the Partition Contents
Recovering Deleted Partitions
Summary
5. PC-based Partitions
DOS Partitions
General Overview
Basic MBR Concepts
Extended Partition Concepts
Putting the Concepts Together
Boot Code
Summary
Data Structures
MBR Data Structure
Extended Partition Data Structures
Example Image Tool Output
Analysis Considerations
Summary
Apple Partitions
General Overview
Data Structures
Partition Map Entry
Example Image Tool Output
Analysis Considerations
Summary
Removable Media
Bibliography
6. Server-based Partitions
BSD Partitions
General Overview
FreeBSD Overview
NetBSD and OpenBSD Overview
Boot Code
Data Structures
Disk Label Data Structure
OpenBSD Example Image
FreeBSD Example Image
Analysis Considerations
Summary
Sun Solaris Slices
General Overview
Sparc Data Structures
i386 Data Structures
Analysis Considerations
Summary
GPT Partitions
General Overview
Data Structures
Analysis Considerations
Summary
Bibliography
7. Multiple Disk Volumes
RAID
RAID Levels
Hardware RAID
Background
Acquisition and Analysis
Software RAID
Background
Acquisition and Analysis
General Analysis Comments
Summary
Disk Spanning
Overview
Linux MD
Background
Acquisition and Analysis
Linux LVM
Background
Acquisition and Analysis
Microsoft Windows LDM
Dynamic Disks
The LDM Database
Acquisition and Analysis
Bibliography
Part III: File System Analysis
8. File System Analysis
What is a File System?
Data Categories
Essential and Non-Essential Data
Analysis by Category
File System Category
Analysis Techniques
Content Category
General Information
Logical File System Address
Allocation Strategies
Damaged Data Units
Analysis Techniques
Data Unit Viewing
Logical File System-Level Searching
Data Unit Allocation Status
Data Unit Allocation Order
Consistency Checks
Wiping Techniques
File Name Category
General Information
File Name-based File Recovery
Analysis Techniques
File Name Listing
File Name Searching
Data Structure Allocation Order
Consistency Checks
Wiping Techniques
Application Category
File System Journals
Application-level Search Techniques
Application-based File Recovery (Data Carving)
File Type Sorting
Specific File Systems
Summary
Bibliography
9. FAT Concepts and Analysis
Introduction
File System Category
General Concepts
Essential Boot Sector Data
Non-essential Boot Sector Data
Boot Code
Example Image
Analysis Techniques
Analysis Considerations
Analysis Scenario
Content Category
Finding the First Cluster
Cluster and Sector Addresses
Cluster Allocation Status
Allocation Algorithms
Analysis Techniques
Analysis Considerations
Analysis Scenario
Metadata Category
Directory Entries
Cluster Chains
Directories
Directory Entry Addresses
Example Image
Allocation Algorithms
Directory Entry Allocation
Figure 9.13. Directory entry 4 was just allocated. Windows 98 allocates entry 3 next, but Windows XP allocates entry 5 next.
Time Value Updating
Analysis Techniques
Analysis Considerations
Analysis Scenarios
File System Creation Date
Searching for Deleted Directories
File Name Category
Allocation Algorithms
Analysis Techniques
Analysis Considerations
Analysis Scenarios
File Name Searching
Directory Entry Ordering
The Big Picture
File Allocation Example
File Deletion Example
Other Topics
File Recovery
Determining the Type
Consistency Check
Summary
Bibliography
10. FAT Data Structures
Boot Sector
FAT32 FSINFO
FAT
Directory Entries
Summary
Bibliography
11. NTFS Concepts
Introduction
Everything is a File
MFT Concepts
MFT Entry Contents
MFT Entry Addresses
File System Metadata Files
MFT Entry Attribute Concepts
Attribute Headers
Attribute Content
Standard Attribute Types
Other Attribute Concepts
Base MFT Entries
Sparse Attributes
Compressed Attributes
Encrypted Attributes
Cryptography Basics
NTFS Implementation
Indexes
B-Trees
NTFS Index Attributes
Analysis Tools
Summary
Bibliography
12. NTFS Analysis
File System Category
$MFT File Overview
$MFTMirr File Overview
$Boot File Overview
$Volume File Overview
$AttrDef File Overview
Example Image
Analysis Techniques
Analysis Considerations
Analysis Scenario
Content Category
Clusters
$Bitmap File Overview
$BadClus File Overview
Allocation Algorithms
File System Layout
Analysis Techniques
Analysis Considerations
Analysis Scenario
Metadata Category
$STANDARD_INFORMATION Attribute
$FILE_NAME Attribute
$DATA Attribute
$ATTRIBUTE_LIST Attribute
$SECURITY_DESCRIPTOR Attribute
$Secure File
Example Image
Allocation Algorithms
MFT Entry and Attribute Allocation
Time Value Updating
Analysis Techniques
Analysis Considerations
Analysis Scenario
File Name Category
Directory Indexes
Root Directory
Links to Files and Directories
Object Identifiers
Allocation Algorithms
Analysis Techniques
Analysis Considerations
Analysis Scenario
Application Category
Disk Quotas
Analysis Considerations
Logging—File System Journaling
Analysis Considerations
Change Journal
Analysis Considerations
The Big Picture
File Allocation Example
File Deletion Example
Other Topics
File Recovery
Consistency Check
Summary
Bibliography
13. NTFS Data Structures
Basic Concepts
Fixup Values
MFT Entries (File Records)
Attribute Header
Index Attributes and Data Structures
$INDEX_ROOT Attribute
$INDEX_ALLOCATION Attribute
$BITMAP Attribute
Index Node Header Data Structure
Generic Index Entry Data Structure
Directory Index Entry Data Structure
File System Metadata Files
$MFT File
$Boot File
$AttrDef File
$Bitmap File
$Volume File
$VOLUME_NAME Attribute
$VOLUME_INFORMATION Attribute
$ObjId File
$Quota File
$LogFile File
$UsrJrnl File
Summary
Bibliography
14. Ext2 and Ext3 Concepts and Analysis
Introduction
File System Category
Overview
Superblock
Block Group Descriptor Tables
Boot Code
Example Image
Analysis Techniques
Analysis Considerations
Analysis Scenario
Content Category
Overview
Blocks
Allocation Status
Allocation Algorithms
Analysis Techniques
Analysis Considerations
Analysis Scenario
Metadata Category
Overview
Inodes
Block Pointers
Attributes
Example Image
Allocation Algorithms
Inode Allocation
Time Value Updating
Analysis Techniques
Analysis Considerations
Analysis Scenario
File Name Category
Overview
Directory Entries
Links and Mount Points
Hash Trees
Allocation Algorithms
Analysis Techniques
Analysis Considerations
Analysis Scenarios
Source of a Moved File
File Deletion Order
Application Category
File System Journaling
Overview
Analysis Techniques
Analysis Considerations
Analysis Scenario
The Big Picture
File Allocation Example
File Deletion Example
Other Topics
File Recovery
Consistency Check
Summary
Bibliography
15. Ext2 and Ext3 Data Structures
Superblock
Group Descriptor Tables
Block Bitmap
Inodes
Extended Attributes
Directory Entry
Symbolic Link
Hash Trees
Journal Data Structures
Summary
Bibliography
16. UFS1 and UFS2 Concepts and Analysis
Introduction
File System Category
Overview
Superblock
Cylinder Group Descriptor
Boot Code
Example Image
Analysis Techniques
Analysis Considerations
Metadata Category
Overview
Inodes
Extended Attributes
Example Image
Allocation Algorithms
Analysis Techniques
Analysis Considerations
File Name Category
Overview
Allocation Algorithms
Analysis Techniques
Analysis Considerations
The Big Picture
File Allocation Example
File Deletion Example
Other Topics
File Recovery
Consistency Check
Summary
Bibliography
17. UFS1 and UFS2 Data Structures
UFS1 Superblock
UFS2 Superblock
Cylinder Group Summary
UFS1 Group Descriptor
UFS2 Group Descriptor
Block and Fragment Bitmaps
UFS1 Inodes
UFS2 Inodes
UFS2 Extended Attributes
Directory Entries
Summary
Bibliography
Appendix A. The Sleuth Kit and Autopsy
The Sleuth Kit
Disk Tools
Volume System Tools
File System Tools
File System Category
Content Category
Metadata Category
File Name Category
Application Category
Multiple Category
Searching Tools
Autopsy
Analysis Modes
Bibliography
Copyright

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419
corpsales@pearsontechgroup.com

For sales outside the U.S., please contact:

International Sales
international@pearsoned.com

Visit us on the Web: www.awprofessional.com

Library of Congress Catalog Number: 2004116962

Copyright © 2005 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
One Lake Street
Upper Saddle River, NJ 07458

Text printed in the United States on recycled paper at R. R. Donnelley in Crawfordsville, Indiana.
First printing, March 2005

Dedication

THIS BOOK IS DEDICATED TO MY GRANDPARENTS ALBERT, RITA, HENRI, AND GABRIELLE
Foreword

Computer forensics is a relatively new field, and over the years it has been called many things: "computer forensics," "digital forensics," and "media analysis" to name a few. It has only been in the past few years that we have begun to recognize that all of our digital devices leave digital breadcrumbs and that these breadcrumbs are valuable evidence in a wide range of inquiries. While criminal justice professionals were some of the first to take an interest in this digital evidence, the intelligence, information security, and civil law fields have enthusiastically adopted this new source of information. Digital forensics has joined the mainstream.

In 2003, the American Society of Crime Laboratory Directors–Laboratory Accreditation Board (ASCLD–LAB) recognized digital evidence as a full-fledged forensic discipline. Along with this acceptance came increased interest in training and education in this field. The Computer Forensic Educator's Working Group (now known as the Digital Forensic Working Group) was formed to assist educators in developing programs in this field. There are now over three-dozen colleges and universities that have, or are, developing programs in this field. More join their ranks each month.

I have had the pleasure of working with many law enforcement agencies, training organizations, colleges, and universities to develop digital forensic programs. One of the first questions that I am asked is if I can recommend a good textbook for their course or courses. There have been many books written about this field. Most take a targeted approach to a particular investigative approach, such as incident response or criminal investigation. Some tend to be how-to manuals for specific tools. It has been hard to find a book that provides a solid technical and process foundation for the field . . . That is, until now. This book is the foundational book for file system analysis. It is thorough, complete, and well organized.

Brian Carrier has done what needed to be done for this field. This book provides a solid understanding of both the structures that make up different file systems and how these structures work. Carrier has written this book in such a way that the readers can use what they know about one file system to learn another. This book will be invaluable as a textbook and as a reference and needs to be on the shelf of every digital forensic practitioner and educator. It will also provide accessible reading for those who want to understand subjects such as data recovery.

When I was first approached about writing this Foreword, I was excited! I have known Brian Carrier for a number of years and I have always been impressed with his wonderful balance of incredible technical expertise and his ability to clearly explain not just what he knows but, more importantly, what you need to know. Brian's work on Autopsy and The Sleuth Kit (TSK) has demonstrated his command of this field—his name is a household name in the digital forensic community. I have been privileged to work with Brian in his current role at Purdue University, and he is helping to do for the academic community what he did for the commercial sector: He set a high standard.

So, it is without reservation that I recommend this book to you. It will provide you with a solid foundation in digital media.

Mark M. Pollitt
President, Digital Evidence Professional Services, Inc.
Retired Director of the FBI's Regional Computer Forensic Laboratory Program
Preface

One of the biggest challenges that I have faced over the years while developing The Sleuth Kit (TSK) has been finding good file and volume system (such as partition tables, RAID, and so on) documentation. It also has been challenging to explain to users why certain files cannot be recovered or what to do when a corrupt file system is encountered because there are no good references to recommend. It is easy to find resources that describe file systems at a high level, but source code is typically needed to learn the details. My goal for this book is to fill the void and describe how data are stored on disk and describe where and how digital evidence can be found.

There are two target audiences for this book. One is the experienced investigator who has learned about digital investigations from real cases and from using analysis tools. The other is someone who is new to the field and is interested in learning about the general theory of an investigation and where digital evidence may exist but is not yet looking for a book that has a tutorial on how to use a specific tool.

The value of the material in this book is that it helps to provide an education rather than training on a specific tool. Consider some of the more formal sciences or engineering disciplines. All undergraduates are required to take a couple of semesters of physics, chemistry, or biology. These courses are not required because the students will be using all the material for the rest of their careers. In fact, software and equipment exist to perform many of the calculations students are forced to memorize. The point of the classes is to provide students with insight about how things work so that they are not constrained by their tools. The goal of this book is to provide an investigator with an education similar to what Chemistry 101 is to a chemist in a forensics lab.

The majority of digital evidence is found on a disk, and knowing how and why the evidence exists can help an investigator to better testify about it. It also will help an investigator find errors and bugs in his analysis tools because he can conduct sanity checks on the tool output.

The recent trends in digital investigations have shown that more education is needed. Forensic labs are being accredited for digital evidence, and there are debates about the required education and certification levels. Numerous universities offer courses and even Master's degrees in computer forensics. Government and university labs are conducting theoretical research in the area and focusing on future, as well as current, problems. There are also peer-reviewed journals for publishing research and investigation techniques. All these new directions require in-depth knowledge outside of a specific tool or technique.

The approach of this book is to describe the basic concepts and theory of a volume and file system and then apply it to an investigation. For each file system, this book covers analysis techniques and special considerations that the investigator should make. Scenarios are given to reinforce how the information can be used in an actual case. In addition, the data structures associated with volume and file systems are given, and disk images are analyzed by hand so that you can see where the various data are located. If you are not interested in parsing data structures, you can skip the data structure chapters. Only non-commercial tools are used so that you can download them for free and duplicate the results on your systems.

Roadmap

This book is organized into three parts. Part 1 provides the basic foundations, and Parts 2 and 3 provide the technical meat of the book. The book is organized so that we move up the layers of abstraction in a computer. We start by discussing hard disks and then discuss how disks are organized into partitions. After we discuss partitions, we discuss the contents of partitions, which are typically a file system.

Part 1, "Foundations," starts with Chapter 1, "Digital Investigation Foundations," and discusses the approach I take to a digital investigation. The different phases and guidelines are presented so that you know where I use the techniques described in this book. This book does not require that you use the same approach that I do. Chapter 2, "Computer Foundations," provides the computer foundations and describes data structures, data encoding, the boot process, and hard disk technology. Chapter 3, "Hard Disk Data Acquisition," provides the theory and a case study of hard disk acquisition so that we have data to analyze in Parts 2 and 3.

Part 2, "Volume Analysis," of the book is about the analysis of data structures that partition and assemble storage volumes. Chapter 4, "Volume Analysis," provides a general overview of the volume analysis techniques, and Chapter 5, "PC-based Partitions," examines the common DOS and Apple partitions. Chapter 6, "Server-based Partitions," covers the partitions found in BSD, Sun Solaris, and Itanium-based systems. Chapter 7, "Multiple Disk Volumes," covers RAID and volume spanning.

Part 3, "File System Analysis," of the book is about the analysis of data structures in a volume that are used to store and retrieve files. Chapter 8, "File System Analysis," covers the general theory of file system analysis and defines terminology for the rest of Part 3. Each file system has at least two chapters dedicated to it, where the first chapter discusses the basic concepts and investigation techniques and the second chapter includes the data structures and manual analysis of example disk images. You have a choice of reading the two chapters in parallel, reading one after the other, or skipping the data structures chapter altogether. The designs of the file systems are very different, so they are described using a general file system model. The general model organizes the data in a file system into one of five categories: file system, content, metadata, file name, and application. This general model is used to describe each of the file systems so that it is easier to compare them.
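The hand analysis the preface describes, shown for the FAT boot sector as an added example (this is not code from the book or from The Sleuth Kit): the script decodes the essential boot sector fields (file system category), derives where the FATs, root directory and data area begin, maps a cluster address to its first sector (content category), and runs the kind of consistency checks an investigator uses to sanity-check tool output. The boot sector bytes are constructed for this example and come from no image in the book; the field offsets are the standard FAT BIOS Parameter Block layout.

```python
"""Hand-decode a FAT boot sector and sanity-check the layout it describes.

Added example, not code from the book or from The Sleuth Kit. The boot
sector bytes are constructed here; the field offsets are the published
FAT BIOS Parameter Block layout.
"""
import struct

# Fields starting at offset 11 of every FAT boot sector, little-endian, unpadded:
# bytes/sector (H), sectors/cluster (B), reserved sectors (H), FAT count (B),
# root directory entries (H), 16-bit total sectors (H), media byte (B),
# 16-bit sectors per FAT (H).
BPB_COMMON = "<HBHBHHBH"
BPB_OFFSET = 11
TOTAL_SECTORS_32_OFFSET = 32   # used when the 16-bit total is zero
SECTORS_PER_FAT_32_OFFSET = 36  # FAT32 only; 16-bit field is zero there
SIGNATURE_OFFSET = 510


def build_sample_boot_sector():
    """Constructed FAT16 boot sector: 65536 sectors of 512 bytes (32 MiB)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"          # jump to boot code (non-essential)
    bs[3:11] = b"MSWIN4.1"             # OEM name (non-essential)
    struct.pack_into(BPB_COMMON, bs, BPB_OFFSET,
                     512,   # bytes per sector
                     4,     # sectors per cluster
                     4,     # reserved sectors before the first FAT
                     2,     # number of FATs
                     512,   # root directory entries (FAT12/16 only)
                     0,     # 16-bit total sectors: 0 means use the 32-bit field
                     0xF8,  # media type (fixed disk)
                     64)    # sectors per FAT
    struct.pack_into("<I", bs, TOTAL_SECTORS_32_OFFSET, 65536)
    bs[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(bs)


def with_field(bs, offset, fmt, value):
    """Copy of bs with one field overwritten; simulates a corrupted sector."""
    patched = bytearray(bs)
    struct.pack_into(fmt, patched, offset, value)
    return bytes(patched)


def parse_boot_sector(bs):
    """Decode the essential fields and derive where FATs, root dir and data start."""
    if len(bs) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    (bytes_per_sector, sectors_per_cluster, reserved, fat_count, root_entries,
     total_16, _media, spf_16) = struct.unpack_from(BPB_COMMON, bs, BPB_OFFSET)
    total_32 = struct.unpack_from("<I", bs, TOTAL_SECTORS_32_OFFSET)[0]
    spf_32 = struct.unpack_from("<I", bs, SECTORS_PER_FAT_32_OFFSET)[0]
    total_sectors = total_16 or total_32
    sectors_per_fat = spf_16 or spf_32
    # Root directory occupies 32 bytes per entry, rounded up to whole sectors.
    root_dir_sectors = 0
    if bytes_per_sector:
        root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    fat_start = reserved
    root_dir_start = reserved + fat_count * sectors_per_fat
    data_start = root_dir_start + root_dir_sectors
    cluster_count = 0
    if sectors_per_cluster and total_sectors > data_start:
        cluster_count = (total_sectors - data_start) // sectors_per_cluster
    # FAT type is decided by cluster count, not by the OEM or type strings.
    fat_type = "FAT12" if cluster_count < 4085 else "FAT16" if cluster_count < 65525 else "FAT32"
    return {
        "bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved, "fat_count": fat_count, "root_entries": root_entries,
        "total_sectors": total_sectors, "sectors_per_fat": sectors_per_fat,
        "fat_start": fat_start, "root_dir_start": root_dir_start, "data_start": data_start,
        "cluster_count": cluster_count, "fat_type": fat_type,
        "signature": bytes(bs[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2]),
    }


def cluster_to_sector(layout, cluster):
    """First sector of a cluster; cluster 2 is the first cluster of the data area."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved and have no data sectors")
    return layout["data_start"] + (cluster - 2) * layout["sectors_per_cluster"]


def check_consistency(layout):
    """Return a list of problems; an empty list means the layout is self-consistent."""
    problems = []
    if layout["signature"] != b"\x55\xAA":
        problems.append("missing 0x55AA boot signature")
    if layout["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("bytes_per_sector is not 512, 1024, 2048 or 4096")
    spc = layout["sectors_per_cluster"]
    if spc == 0 or spc > 128 or spc & (spc - 1):
        problems.append("sectors_per_cluster is not a power of two in 1..128")
    if layout["reserved_sectors"] == 0:
        problems.append("reserved_sectors is zero (no room for the boot sector)")
    if layout["fat_count"] == 0:
        problems.append("fat_count is zero")
    if layout["total_sectors"] <= layout["data_start"]:
        problems.append("volume ends before the data area starts")
    if layout["fat_type"] == "FAT32" and layout["root_entries"] != 0:
        problems.append("FAT32 volume has a fixed root directory entry count")
    if layout["fat_type"] != "FAT32" and layout["root_entries"] == 0:
        problems.append("FAT12/16 volume has no root directory entries")
    # Each FAT must hold cluster_count + 2 entries (entries 0 and 1 are reserved).
    entries = layout["cluster_count"] + 2
    needed = {"FAT12": (entries * 3 + 1) // 2, "FAT16": entries * 2, "FAT32": entries * 4}
    if layout["sectors_per_fat"] * layout["bytes_per_sector"] < needed[layout["fat_type"]]:
        problems.append(f"sectors_per_fat too small for {layout['cluster_count']} clusters")
    return problems


if __name__ == "__main__":
    layout = parse_boot_sector(build_sample_boot_sector())
    for key in ("fat_type", "fat_start", "root_dir_start", "data_start", "cluster_count"):
        print(f"{key}: {layout[key]}")
    print("problems:", check_consistency(layout) or "none")
```

Running fsstat from The Sleuth Kit on a real image and comparing its reported FAT, root directory and data area locations with what this script derives from the raw sector is exactly the sanity check on tool output that the preface has in mind; the two disagreeing is the signal that one of the two is wrong.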
Chapters 9, "FAT Concepts and Analysis," and 10, "FAT Data Structures," detail the FAT file system, and Chapters 11, "NTFS Concepts," 12, "NTFS Analysis," and 13, "NTFS Data Structures," cover NTFS. Next, we skip to the Unix file systems with Chapters 14, "Ext2 and Ext3 Concepts and Analysis," and 15, "Ext2 and Ext3 Data Structures," on the Linux Ext2 and Ext3 file systems. Lastly, Chapters 16, "UFS1 and UFS2 Concepts and Analysis," and 17, "UFS1 and UFS2 Data Structures," examine UFS1 and UFS2, which are found in FreeBSD, NetBSD, OpenBSD, and Sun Solaris. After Part 3 of this book, you will know where a file existed on disk and the various data structures that need to be in sync for you to view it. This book does not discuss how to analyze the file's contents.

Scope of Book

Now that you know what is included in this book, I will tell you what is not in this book. This book stops at the file system level and does not look at the application level. Therefore, we do not look at how to analyze various file formats. We also do not look at what files a specific OS or application creates. If you are interested in a step-by-step guide to investigating a Windows 98 computer that has been used to download suspect files, then you will be disappointed with this book. If you want a guide to investigating a compromised Linux server, then you may learn a few tricks in this book, but it is not what you are looking for. Those topics fall into the application analysis realm and require another book to do them justice. If you are interested in having more than just a step-by-step guide, then this book is probably for you.

Resources

As I mentioned in the beginning, the target audience for this book is not someone who is new to the field and looking for a book that will show the basic investigation concepts or how to use a specific tool. There are several quality books that are breadth-based, including:

Casey, Eoghan. Digital Evidence and Computer Crime. 2nd ed. London: Academic Press, 2004.
Kruse, Warren and Jay Heiser. Computer Forensics. Boston: Addison Wesley, 2002.
Mandia, Kevin, Chris Prosise, and Matt Pepe. Incident Response and Computer Forensics. Emeryville: McGraw Hill/Osborne, 2003.

Throughout this book, I will be using The Sleuth Kit (TSK) on example disk images so that both the raw data and formatted data can be shown. That is not to say that this is a