Practical Windows Forensics

Product type: Book
Published in: Jun 2016
Publisher: Packt
ISBN-13: 9781783554096
Pages: 322
Edition: 1st Edition

Chapter 6. Filesystem Analysis and Data Recovery

Although many automated and commercial tools are available nowadays, understanding how these tools work is what distinguishes one examiner from another, and it provides great support during expert testimony in the courtroom. Filesystem analysis and data recovery are two of the main categories of the digital forensics process. Extracting files from a storage device, or recovering deleted files that contain evidential data, can solve a case.

In this chapter, we will go through two different filesystems: FAT and NTFS. We will explain how files are structured in each one and how the recovery of deleted files actually works. We will start with the famous TSK, or The Sleuth Kit, and how its command-line tools are categorized by the layer of the hard drive or forensic image they operate on. After this, we will discuss Autopsy, the TSK graphical user interface. At the end of this chapter, we will show you Foremost...

Hard drive structure

Before we start explaining the different filesystem structures, we need to illustrate the different parts of a partitioned hard drive in Windows OS. The following figure shows the basic structure of a whole partitioned hard drive:

Simple hard drive logical parts

Master boot record

The master boot record (MBR) is the first sector (512 bytes) of the hard drive. Besides the boot code, it holds the key information about the layout of the hard drive. One of the most important pieces of information found in the MBR is the partition table, which describes the partition structure of the hard drive: for each partition, it records where the partition starts, its size, and its type.

The investigator can compare the partitions listed in the MBR with the printed size of the hard drive and check that they match. If some space is unaccounted for, the examiner may suspect a deliberate attempt to hide space, and such hidden space often contains related and important information.
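The partition-table check described above, as an added example that is not code from the book: it parses the four 16-byte entries at offset 446 of a constructed MBR sector and reports the sector ranges that no partition accounts for, which is what you would compare against the drive's printed capacity.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the partition table starts at byte 446 of the MBR
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count (16 bytes)
BOOT_SIGNATURE = b"\x55\xaa"

def build_sample_mbr(entries):
    """Constructed sample: an MBR with zeroed boot code and the given (type, start_lba, sectors) entries."""
    mbr = bytearray(SECTOR_SIZE)
    for i, (ptype, start, size) in enumerate(entries):
        status = 0x80 if i == 0 else 0x00          # mark the first entry as bootable
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, size)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

def parse_partition_table(mbr):
    """Return the non-empty entries of the MBR partition table as dicts."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not an MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, size = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0 or size == 0:
            continue                                # empty slot
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "start_lba": start, "sectors": size})
    return parts

def unaccounted_space(parts, total_sectors):
    """Sector ranges (start, length) covered by no partition; total_sectors comes from the drive label."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - cursor))
        cursor = max(cursor, p["start_lba"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

if __name__ == "__main__":
    # Constructed: a 15 GB drive (31,457,280 sectors) with two NTFS (type 0x07) partitions
    disk_sectors = 31_457_280
    mbr = build_sample_mbr([(0x07, 2048, 204_800), (0x07, 206_848, 20_000_000)])
    parts = parse_partition_table(mbr)
    for p in parts:
        print(p)
    for start, length in unaccounted_space(parts, disk_sectors):
        print(f"unallocated: {length} sectors ({length * SECTOR_SIZE / 2**20:.1f} MiB) at LBA {start}")
```

The small gap before the first partition is normal alignment space; a large gap after the last partition is the case the text tells the examiner to look for.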

Partition...

The FAT filesystem

FAT, or File Allocation Table, became famous with the announcement of the DOS operating system from Microsoft in 1980. After this, FAT went through many improvements to adapt it to rapidly improving technology, which produced FAT12, FAT16, FAT32, and exFAT. Each version overcame some of the limitations of the filesystem, until the announcement of the NTFS filesystem.

FAT components

A FAT partition contains five main areas. They comprise the following:

  • Boot sector: This is the first sector of the partition, and it is loaded into memory if the partition is the active partition. It contains information such as, but not limited to, the following:

    • Jump code: This is the jump to the bootstrap and OS initialization code

    • Sector size: This is almost always fixed (512 bytes)

    • Cluster size: This is given in sectors (sectors per cluster)

    • Number of sectors: The total number of sectors in the partition

    • Number of root entries: This value is used with FAT12 and FAT16 only

  • FAT table: This is...

The NTFS filesystem

NTFS, or New Technology Filesystem, is the default filesystem in Windows NT. It was introduced as storage capacities grew and a more secure, scalable, and advanced filesystem was needed. NTFS overcame the FAT limitations and is better suited to high storage capacities. In NTFS, everything is a file, including the filesystem area itself, as we will see in the following section.

NTFS components

Like FAT and any other filesystem, NTFS has its components as follows:

  • The boot sector is the first sector in the partition, and it contains some information about the filesystem itself, such as the start code, sector size, cluster size in sectors, and the number of reserved sectors.

  • The filesystem area contains many files, including the MFT or Master File Table, which holds the metadata of the files and directories in the partition. It will be discussed later.

  • The data area holds the actual contents of the files, and it is divided into clusters with a size determined during formatting...

The Sleuth Kit (TSK)

The Sleuth Kit, or TSK, is a collection of open source digital forensic tools developed by Brian Carrier and Wietse Venema. TSK can read and parse different types of filesystems, such as FAT, NTFS, and EXT. Each area of the hard drive shown in the figure in the Hard drive structure section has a set of tools in The Sleuth Kit that parses that area and extracts forensically important information for the investigator. When using TSK in an analysis, each step usually leads to the next.

In the upcoming sections, we will go through the different tool sets of The Sleuth Kit. We will use an image of the hard drive with Windows 7 installed, which shows the results from each part in the hard drive. The image was acquired using the FTK Imager lite from a Windows 7 virtual machine with a size of only 15 GB and a single NTFS partition.

As we will see, TSK tool names are easy to understand as they consist of two parts. The first part represents the area or the layer under investigation, such...

Autopsy

Autopsy is a web-based interface for TSK, which runs the same TSK tools and presents the results in a graphical interface. To conduct analysis with Autopsy, the investigator needs to start the server first from the command line. After starting Autopsy, it prints the URL used to access it from a web browser, which in this case is http://localhost:9999/autopsy. Don't shut down the Autopsy process during the analysis; otherwise, the analysis session will no longer be active:

Starting Autopsy

Then, from the browser, open that URL to start creating the case:

Autopsy interface

We need to create a new case, and then enter some information about the case to make it easy for the investigator to follow up about the cases and who is working on each case:

Creating a new case

After creating the case, a directory for this case will be created by default at /var/lib/autopsy (which is named after the case name), including all the files of the case. What we did is just create the case; now, we need...

Foremost

With TSK, we could find and recover deleted files. These deleted files still have their entries in the metadata area, which is why we could identify them and locate their contents in the data area. That leaves a simple step to recover each file: redirect its contents into a new file. But what if there are no entries for the deleted file, and we only have the contents of the file in the data area with no metadata about it (under this assumption, the contents will lie in the unallocated area of the hard drive)? In this case, the file carving technique is what recovers such files.

Files come in many types, such as Microsoft Office, Adobe, exe, and AVI. The extension at the end of the filename is not what distinguishes one file type from another. Each file type has a distinctive header at the beginning of the file. Some file types also have a footer at the end of the file, but this is not mandatory...
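Header-and-footer carving over unallocated space, as an added example that is not the book's or Foremost's code: it scans a constructed byte buffer for the headers in a small signature table, cuts each file at its footer when one is found within the maximum size, and otherwise carves up to that maximum. The signature table and the offset-based file naming are assumptions modelled on how carving tools are configured.

```python
# Signature table: header bytes, footer bytes (or None), and a maximum carve size in bytes
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "pdf": (b"%PDF", b"%%EOF", 50 * 1024 * 1024),
}

def carve(data, signatures=SIGNATURES):
    """Scan raw bytes for known headers; return (ext, start, end) for every carved region."""
    found = []
    for ext, (header, footer, max_size) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            limit = min(len(data), pos + max_size)
            end = limit                                   # no footer in range: carve up to max_size
            if footer is not None:
                fpos = data.find(footer, pos + len(header), limit)
                if fpos != -1:
                    end = fpos + len(footer)              # footer found: cut the file there
            found.append((ext, pos, end))
            pos = data.find(header, end)                  # resume scanning after this region
    return sorted(found, key=lambda hit: hit[1])

def extract(data, hits):
    """Name each carved region by its byte offset and return (name, bytes) pairs."""
    return [(f"{start:08d}.{ext}", data[start:end]) for ext, start, end in hits]

def sample_unallocated_space():
    """Constructed sample: zero filler around a tiny fake JPEG and a fake PNG (not real images)."""
    filler = b"\x00" * 64
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-payload" * 4 + b"IEND\xaeB`\x82"
    return filler + jpg + filler + png + filler

if __name__ == "__main__":
    data = sample_unallocated_space()
    for name, blob in extract(data, carve(data)):
        print(name, len(blob), "bytes")
```

On a real image you would feed `carve` the unallocated blocks exported from TSK rather than a constructed buffer, and write each carved blob to disk under its offset-based name.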

Summary

In this chapter, we saw how files are organized in the filesystem, and how this differs between FAT and NTFS. Then, we learned about reading files from a forensic image using TSK and its GUI, Autopsy. We also discussed file carving and how to recover a file based on its signature using Foremost.

In the next chapter, we will learn about Windows registry—a complex yet very important artifact in the Windows operating system. We will learn about registry structure, and its important value to the investigation and different tools to parse and analyze the registry.
