Saturday, October 2, 2010

Forensics 2: Identifying File System and Extracting it

The advantages of analyzing disk images are that the investigators can:
a) preserve the digital crime-scene
b) obtain the information in slack space
c) access unallocated space, free space, and used space
d) recover file fragments, hidden or deleted files and directories
e) view the partition structure and
f) get date-stamp and ownership of files and folders.

Here we will try to concentrate on extracting the File System if any from the image for analysis available from the Crime Scene.

Lets check the md5 hash of the image under analysis for integrity purposes. The md5 hash algorithm produces a 128 bit “fingerprint” of a file, also known as a message digest. To view the md5 hash value assigned to a given file, the md5sum utility can be used.Lets check the file type of the image under analysis by using file command. The file command works by testing “arguments” within a file, and will then classify the file as whichever file type the file command sees fit. We see from the output of the file command that the image file contains an x86 boot sector. The boot sector of a computer is a primary starting point for an OS. The operating system will start at the boot loader, and the machine will read the first 512 bytes of the disk, which is known as the boot sector. The first 512 Bytes (boot sector) will be loaded into memory and will then be executed. This will initiate the boot process.

The x86 boot sector type message was obtained because the magic number 0xAA55 value is located at the 0x1FE offset within the image; defined in the file “/usr/share/file/magic” which is used by file command.

Determining the File System type of the Image
Lets run mmls utility to determine the File System type of the given image extracted by using dd command as shown below.-t Specify the media management type (dos, mac, bsd etc)

We see above that the NTFS (New Technology File System) partition begins at sector 63 (to see this look at the last column in the row where it says NTFS (0x07). Now look to the left in the start column of the row NTFS and we can see the value 0000000063). So for all the Sleuth Kit commands we need to specify an offset of 63 if the file used is raw image.
MMLS is a forensics utility that query’s an image file, and prints the partition tables and disk labels. This command is very useful when attempting to determine at which sector a partition begins and ends. We see that there is a NTFS file system on this image. We use the –t dos switch to tell mmls to utilize a dos based architecture for the file system.

File system is extracted using dd.exe command. Input file is the raw image collected from the machine which is under forensic investigation. Block size used to extract File system is 512 bytes and skipped 62 sectors because our NTFS File System is starting after those sectors.

Thus extracted File System image can be mounted by using mount command, we can check the mounted File System using fdisk -l command.

After extracting the image calculate md5 of the extracted NTFS File System image for integrity purposes.

Extracting the File System from the image

-b partition sizes in bytes
-r Recurse into DOS partitions and look for other partition tables.
-v verbose