Introduction to Digital Forensics Rob Savage
BSc Computer Science (2006) MSc Computer Security (2007)
Agenda
• Introduction
• What is Digital Forensics
• Applications of Digital Forensics
• ACPO Guidelines
• Recovery of Deleted Data
• Windows File Systems
• Recovering Deleted Data from NTFS
What is Digital Forensics?
“Digital forensics is the application of computer investigation techniques to collect, analyse and report on digital data in a way that is legally admissible”
Applications of Digital Forensics
• Criminal proceedings
  – Computer-based crime, where the seized devices are also the ‘scene’ of the crime
  – Non-computer-based crime, where the seized devices contain evidence relevant to the investigation
• Civil matters
  – Theft of intellectual property
  – Industrial espionage
  – Employment disputes
  – Fraud, bribery and corruption
  – Civil litigation
Applications of Digital Forensics
• Potential Sources of Electronic Evidence
  – Laptops / Desktops
  – Mobile Phones
  – Removable Media
  – Tablets
  – Smart Watches
  – Cloud Storage
  – Cloud Email
  – Social Media
  – Games Consoles
  – Car Keys
  – Cars
  – Home Appliances
  – Routers / Modems
  – Smart TVs
  – Backups
“…in a way that is legally admissible”
• Association of Chief Police Officers Good Practice Guide for Digital Evidence (ACPO Guidelines)
• First issued in 2007, now on its 5th revision
• Issued for the benefit of UK law enforcement; regularly used in court as a test of admissibility
• Shift away from a narrow definition of ‘computer forensics’ to cover the diverse and evolving range of devices available to consumers and businesses
• Based on 4 key principles…
ACPO Guidelines: Principle 1
“No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.”
ACPO Guidelines: Principle 2
“In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.”
ACPO Guidelines: Principle 3
“An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.”
ACPO Guidelines: Principle 4
“The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.”
Recovery of Deleted Data
• Possible in the vast majority of file systems and devices
• Success is dependent on:
  – Subsequent user activity
  – Elapsed time between deletion and analysis
  – Amount of free space on the drive
  – Encryption / Counter-Forensics
• Three ways to recover deleted files from a file system
  – ‘File System Recoverable’
  – ‘Carved Recoverable’
  – ‘File Slack / Fragments’
Recovery of Deleted Data from Windows File Systems
• NTFS or FAT
• FAT – “File Allocation Table”
  – Designed in 1987 for use on floppy disk drives
  – Theoretical maximum volume size of 8TB
  – Maximum supported file size is 6GB
  – Primary file system used in the Windows 9x and ME era
  – Still used on removable media and some mobile devices
• NTFS – “New Technology File System”
  – Designed by Microsoft and introduced in Windows NT in 1993
  – Theoretical maximum volume size of 16 EB (16 billion TB)
  – Maximum supported file size is 256TB
  – Primary file system used from Windows NT to Windows 10
NTFS Basics
• Central to the NTFS file system is the ‘Master File Table’ (MFT)
• The MFT is a relational database and contains one record for each file and folder on the system. Each record is 1024 bytes long.
• The MFT is generally stored at the start of the file system and is a file in its own right ($MFT)
• The MFT grows as files and folders are added to the system (but it never shrinks)
• By default 12.5% of the partition is a dedicated ‘MFT Zone’
• MFT records are never deleted. Records referencing deleted files remain until they are overwritten. Records are overwritten from the top down.
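As an added example (not from the slides), a small Python parser for raw $MFT records: it applies the update sequence fixups, reads the in-use flag from the record header and the name from the resident $FILE_NAME attribute, and lists records that are deleted but not yet overwritten, which is the ‘File System Recoverable’ case above. The sample $MFT is constructed inside the code; the record and attribute offsets follow the on-disk NTFS layout and are this example’s assumption, not something the slides give.

```python
import struct

RECORD_SIZE, ATTR_FILE_NAME, FLAG_IN_USE = 1024, 0x30, 0x01  # 1024-byte records; $FILE_NAME type; in-use flag

def parse_record(rec):
    """(name, in_use) for one raw MFT record, or None if it never held a FILE record."""
    if rec[:4] != b"FILE":
        return None
    # Update sequence fixups: each 512-byte sector ends in the USN; the real bytes are saved in the USA.
    usa, cnt = struct.unpack_from("<HH", rec, 4)
    buf = bytearray(rec)
    for i in range(1, cnt):
        if rec[i * 512 - 2:i * 512] != rec[usa:usa + 2]:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[i * 512 - 2:i * 512] = rec[usa + 2 * i:usa + 2 * i + 2]
    off, flags = struct.unpack_from("<HH", buf, 0x14)      # first attribute offset, header flags
    name = None
    while off + 8 <= len(buf):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == 0xFFFFFFFF or alen == 0:               # end-of-attributes marker
            break
        if atype == ATTR_FILE_NAME and buf[off + 8] == 0:  # resident $FILE_NAME attribute
            csize, coff = struct.unpack_from("<IH", buf, off + 0x10)
            body = buf[off + coff:off + coff + csize]
            name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return name, bool(flags & FLAG_IN_USE)

def list_deleted(mft):
    """'File System Recoverable': records that still name a file but whose in-use flag is clear."""
    recs = [parse_record(mft[i:i + RECORD_SIZE]) for i in range(0, len(mft), RECORD_SIZE)]
    return [(n, r[0]) for n, r in enumerate(recs) if r and r[0] and not r[1]]   # 0-based record index

def make_record(name, in_use):
    """Constructed sample (not real disk data): header + USA, one resident $FILE_NAME, end marker, USN in sector tails."""
    body = bytes(0x40) + bytes([len(name), 3]) + name.encode("utf-16-le")   # $FILE_NAME content, times zeroed
    alen = (0x18 + len(body) + 7) & ~7                                        # attribute length, 8-byte aligned
    rec = bytearray(RECORD_SIZE)
    rec[:0x36] = struct.pack("<4sHHQHHHHIIQHHIHHH", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                             FLAG_IN_USE if in_use else 0, 0x40 + alen, RECORD_SIZE,
                             0, 1, 0, 0, 1, 0, 0)                             # USA at 0x30: USN=1, two saved tails
    rec[0x38:0x50] = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, alen, 0, 0, 0x18,
                                 0, 0, len(body), 0x18, 0, 0)
    rec[0x50:0x50 + len(body)] = body
    rec[0x38 + alen:0x3C + alen] = b"\xff" * 4
    rec[510:512] = rec[1022:1024] = b"\x01\x00"                               # sector tails carry the USN
    return bytes(rec)

SAMPLE_MFT = b"".join([make_record("Holiday.jpg", True), make_record("Naughty_File.pdf", False),
                       make_record("Dissertation.doc", True), bytes(RECORD_SIZE)])  # 2nd deleted, 4th never used
```

On a real $MFT extract the first 16 records are system files, so the 0-based index maps directly onto the record number; the sample here starts at a user file for readability.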
NTFS Basics
[Figure: layout of an NTFS volume. Regions in order: NTFS Boot Sector, Master File Table, File System Data, Master File Table Mirror. The MFT is drawn as a column of entries, each made up of: MFT Entry Header, File Name, Index, Other Attributes, Unused Space.]
NTFS Forensics
[Figure: the MFT beside the File System Data. Each MFT record shows its number, file name, Index entry, Live/Deleted status and Unused Space. Starting state:]
001 Holiday.jpg Live
002 Naughty_File.pdf Live
003 Dissertation.doc Live
004 AnotherFile.mp4 Live
005 YetAnother.mp3 Live
NTFS Forensics: “File System Recoverable”
[Figure: the same MFT after deletion. Record 002 Naughty_File.pdf is now marked Deleted; records 001 and 003 to 005 are unchanged.]
NTFS Forensics: “Carved Recoverable”
[Figure: record 002 has since been reused and now shows NewFile.psd (Live) in place of the deleted Naughty_File.pdf entry; records 001 and 003 to 005 are unchanged.]
NTFS Forensics: “File Slack / Fragment”
[Figure: as before, with record 002 holding NewFile.psd (Live) and a new record 006 SmallFile.txt (Live) added.]
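An added example (not part of the slides) covering the ‘Carved Recoverable’ and ‘File Slack / Fragment’ cases shown above: a header/footer carver that finds the deleted PDF in the raw file system data without consulting the MFT, and a helper that reads the slack of the small file that reused one of the PDF’s clusters. The three-cluster image, the file contents and the 4096-byte cluster size are constructed assumptions of this example.

```python
import re

CLUSTER = 4096   # assumed NTFS cluster size for this constructed image

# Header/footer pairs for the two file types named on the slides. Matching is signature-only:
# a JPEG's 0xFFD9 can also occur inside image data, so a carved file must still be validated
# by parsing it before it is relied upon.
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}

def carve(image, max_size=4 * CLUSTER):
    """'Carved Recoverable': locate files by signature in raw bytes, ignoring the MFT.
    Returns (kind, offset, data, complete). complete=False means a header was found but no
    footer followed within max_size, so only a fragment can be recovered."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), image):
            start = m.start()
            end = image.find(foot, start + len(head), start + max_size)
            if end < 0:
                found.append((kind, start, image[start:start + max_size], False))
            else:
                found.append((kind, start, image[start:end + len(foot)], True))
    return sorted(found, key=lambda f: f[1])

def file_slack(image, cluster, file_size):
    """'File Slack / Fragment': the bytes between the end of a file and the end of its last
    cluster still hold whatever the cluster's previous occupant left there."""
    start = cluster * CLUSTER + file_size
    return image[start:(cluster + 1) * CLUSTER].rstrip(b"\x00")

def build_image():
    """Constructed 3-cluster image (not real disk data). Cluster 0: Holiday.jpg. Clusters 1-2:
    Naughty_File.pdf. The PDF is then deleted and SmallFile.txt is allocated into cluster 2,
    overwriting only the first len(small) bytes of the PDF's tail."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 300 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"P" * (CLUSTER + 200) + b"\n%%EOF\n"
    small = b"SmallFile.txt: meeting notes, nothing to see here.\n"
    img = bytearray(3 * CLUSTER)
    img[:len(jpg)] = jpg
    img[CLUSTER:CLUSTER + len(pdf)] = pdf
    img[2 * CLUSTER:2 * CLUSTER + len(small)] = small   # cluster 2 reused by the new file
    return bytes(img), len(small)

IMAGE, SMALL_SIZE = build_image()
```

Note that the carver reports the PDF as complete even though the reused cluster has overwritten part of it: the carved copy contains the small file's text in the middle, which is why carved output must be checked, not just counted.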
Questions?