
Digital Forensics

Lecture 2
0011 0010 1010 1101 0001 0100 1011

Hard Disk Drive (HDD)


Media Forensics
Quiz Number 1

10 minutes to complete
Current, Relevant Topics
• Study Turns Up Problems with eVoting System in Ohio (21 August 2006)
A report based on a study of a May 2006 primary election in Cuyahoga County, Ohio indicates that the electronic voting system used in the election presents significant concerns about accuracy. Close to ten percent of the paper versions of the votes, or the voter-verifiable paper audit trail, generated by Diebold Election System's AccuVote TSx touch-screen voting equipment were "either destroyed, blank, illegible, missing, taped together or otherwise compromised."

– http://www.computerworld.com
Research Topics Presentation (Due Next Week)
We are counting on you for the specifics

1. CD-R/RW and DVD±R/RW media analysis
2. File carving
3. Tools for Mac digital forensics
• With emphasis on the HFS file system
Lecture Overview

[Process diagram: Preparation → Collection → Analysis → Findings/Evidence → Reporting/Action, all carried out under Legal/Policy constraints]

• The role of a HDD in DF
• Our approach to understanding HDD DF
• Physical-layer storage and operations
• Volumes
• Very brief file system overview
• The boot process
• Isolation through virtualization
• Relevant DF tools
The role of a HDD in DF

[Diagram: a physical process produces stored data; stored data is transmitted, processed by automated processes, and finally turned into intelligence]

• HDDs are the most significant method of data storage
• Relatively low internal data transfer rates and immature optimization algorithms extend the lifetime of data written to HDDs: the drive does not reorganize or scrub what it holds, so data stays in its original location until something explicitly overwrites it
Our approach to understanding HDD DF
• We will begin at the physical layer and work toward increasing abstraction using a data-driven approach

Understanding and Evidence

[Diagram, "Specific to Abstract": Physical Media → Volume 1 … Volume n → File System → File → ?]
Module 1

HDD Physical-Layer

Types of Magnetic Storage
• There are a variety of magnetic storage devices that a DF investigator might encounter
– Zip Drive
– Video Cassette
– Tape Drive
– Floppy Drive
– Drum Memory
– Hard Drive
Major Components of a HDD

• Platter
• Controller
• Read/Write Head

The Basic Unit of HDD Storage is a Platter
Physical Disk Geometry
• One head for each surface
• All tracks at the same radius (one on each surface) form a cylinder
• The number of sectors per track varies with the cylinder (zoned bit recording: outer cylinders hold more sectors than inner ones)
• Each sector has 512+ octets of information
• In dedicated-servo designs one surface is reserved for head positioning and synchronization; modern drives instead embed servo information between the sectors of every track
• Not all portions of the disk are addressable by the OS
A Linear Model For Magnetic Media
• For simplicity, we will use a linear model of the magnetic media
• Unless we are performing electron microscopy, the exact media geometry is not significant
• The blank magnetic media has only geometric structure and raw magnetic storage capacity

[Diagram: the storage platters redrawn as a single linear strip of media, "Beginning … End"]
Read/Write Process (simplified)

[Diagram: the linear model with a read/write head passing over the media from beginning to end]

• Write Process
– Digital signals are encoded (for timing recovery) and transformed into analog signals that drive the magnetic field on the write head
• Read Process
– The analog magnetic field is sensed, timing is recovered, and the sampled signals are converted into digital data
Disk Wiping Programs
• Why isn't a single pass adequate?
• How many passes are necessary?
• What influences each write pass?
• What disk areas must be wiped to ensure destruction of data?
– You should be able to answer this question at the end of the next lecture
– For context: NIST SP 800-88 now treats one full overwrite pass as adequate for clearing modern ATA drives; the harder part is the last question, because sectors hidden by an HPA or DCO and sectors remapped to the defect lists are not reached by ordinary writes
Physical Layer Forensics
• Magnetic Force Microscopy (MFM)
– MFM can map the spatial distribution of magnetization by measuring the magnetic interaction between a sample and a scanning tip. As magnetic devices have become smaller and smaller, an evaluation technique with nanoscale spatial resolution has become necessary; MFM was developed to meet this need.
Magnetic Media Data Recovery

[Diagram of the recovery pipeline: a Magnetic Force Microscope senses the magnetization → two-dimensional signal processing transforms the image into tracks → one-sector signal processing yields channel data → timing recovery / decode produces the 512-byte sector (100110…)]

Does this yield useful data?
HDD User Storage, Administrative Storage, and Redundancy

[Diagram, beginning to end of the media: User Storage | R | HPA | DCO | Bad]

• User Storage = Usable Capacity
• R = Redundant Sectors
• HPA = Host Protected Area
• DCO = Device Configuration Overlay
• Bad = Determined to be Bad At Manufacture or During Operation
– An HPA is created with the ATA SET MAX ADDRESS command and a DCO with DEVICE CONFIGURATION SET; both hide sectors from the OS while leaving them intact, so an acquisition should check for them before imaging
NOTE: These Sectors Are Distributed Throughout the Storage Media
Low Level Format

[Diagram: a run of sectors, each 512 octets plus overhead, followed by redundant sectors that are visible only to the HDD controller]

• Low-level formatting adds indivisible units of storage called sectors
• Most HDDs of this era use 512+ octet sectors
– The + accounts for sector overhead bytes (differs by manufacturer)
– Drives manufactured since about 2011 ("Advanced Format") use 4096-octet physical sectors and usually present them to the host as eight 512-octet logical sectors
• Overhead bytes provide error correction and timing recovery functions
• Bad sectors are automatically remapped to redundant sectors by the HDD controller
HDD Interfaces
• SCSI
– Primarily workstation and server class machines
– Might be a good topic for a research paper
– It's possible to low-level format some SCSI drives
– Basics are the same
– There are write blockers to provide hardware protection against corrupted "evidence"
• IDE/EIDE/ATA/ATAPI/PATA/SATA
– Uses ATA commands
• E.g., Read Sector, Write Sector, Identify Device, etc.
– Can be accessed directly or through BIOS
Overview of Some Key Physical-Layer DF Issues with HDDs
• Overwritten data can potentially be recovered
• Not all areas of a HDD can be accessed through standard ATA commands
– Sector overhead, P-Lists, G-Lists, Administrative Storage, Excluded Storage…
• Bad sectors are remapped to redundant sectors and are no longer addressable (i.e., through ATA commands)
• It is possible to replace failed controllers and interface circuitry
• It is standard practice to use a hardware write-blocker when collecting data from a HDD
• New physical interfaces on micro-disks
• What else?
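As an added example that is not part of the lecture: the HPA and DCO from the administrative-storage slide are sized by comparing three numbers the drive reports, the user-addressable sector count in IDENTIFY DEVICE, the result of READ NATIVE MAX ADDRESS (EXT), and the maximum LBA returned by DEVICE CONFIGURATION IDENTIFY (on Linux, hdparm -N and hdparm --dco-identify issue these). The Python below parses a raw 512-byte IDENTIFY DEVICE buffer using the real word layout (strings in words 10-19/23-26/27-46, feature bits in words 82/83, sector counts in words 60-61 and 100-103) and does the comparison. The buffer, the drive name and the two max-LBA values are constructed test data, since the underlying commands need a physical drive.

```python
import struct

SECTOR = 512


def identify_words(buf):
    """Split a raw IDENTIFY DEVICE response into its 256 little-endian 16-bit words."""
    if len(buf) != SECTOR:
        raise ValueError("IDENTIFY DEVICE returns exactly 512 bytes")
    return struct.unpack("<256H", buf)


def ata_string(words, first, last):
    """Decode an ATA string field: each word carries two ASCII characters, high byte first."""
    raw = bytearray()
    for w in words[first:last + 1]:
        raw.append(w >> 8)
        raw.append(w & 0xFF)
    return raw.decode("ascii", errors="replace").strip()


def parse_identify(buf):
    """Pull the fields an examiner records out of IDENTIFY DEVICE data."""
    w = identify_words(buf)
    lba48 = bool(w[83] & (1 << 10))              # word 83 bit 10: 48-bit addressing supported
    if lba48:
        user_sectors = w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)
    else:
        user_sectors = w[60] | (w[61] << 16)      # words 60-61: 28-bit user addressable sectors
    return {
        "serial": ata_string(w, 10, 19),
        "firmware": ata_string(w, 23, 26),
        "model": ata_string(w, 27, 46),
        "lba48": lba48,
        "hpa_supported": bool(w[82] & (1 << 10)),  # word 82 bit 10: Host Protected Area feature set
        "user_sectors": user_sectors,
    }


def hidden_sectors(info, native_max_lba, dco_max_lba=None):
    """Size the HPA and DCO from the three counts a drive reports:
    IDENTIFY user sectors <= READ NATIVE MAX ADDRESS + 1 <= DEVICE CONFIGURATION IDENTIFY max LBA + 1.
    The two max-LBA values are parameters because obtaining them needs a real drive."""
    native_sectors = native_max_lba + 1
    hpa = native_sectors - info["user_sectors"]
    dco = (dco_max_lba + 1 - native_sectors) if dco_max_lba is not None else 0
    return {"hpa_sectors": max(hpa, 0), "dco_sectors": max(dco, 0)}


def build_identify(model, serial, firmware, user_sectors, lba48=True, hpa=True):
    """Build a synthetic IDENTIFY DEVICE buffer (constructed test data, not captured from a drive)."""
    w = [0] * 256

    def put_string(first, last, text):
        n = (last - first + 1) * 2
        text = text.ljust(n)[:n]
        for i in range(first, last + 1):
            a, b = text[2 * (i - first)], text[2 * (i - first) + 1]
            w[i] = (ord(a) << 8) | ord(b)

    put_string(10, 19, serial)
    put_string(23, 26, firmware)
    put_string(27, 46, model)
    lba28 = min(user_sectors, 0x0FFFFFFF)          # words 60-61 saturate at the 28-bit limit
    w[60], w[61] = lba28 & 0xFFFF, (lba28 >> 16) & 0xFFFF
    if lba48:
        w[83] |= 1 << 10
        for i in range(4):
            w[100 + i] = (user_sectors >> (16 * i)) & 0xFFFF
    if hpa:
        w[82] |= 1 << 10
    return struct.pack("<256H", *w)


# Constructed sample: a fictional 1 TB-class drive with a 4096-sector DCO and a 2048-sector HPA.
DCO_MAX_LBA = 1953525167                   # assumed DEVICE CONFIGURATION IDENTIFY result
NATIVE_MAX_LBA = DCO_MAX_LBA - 4096        # assumed READ NATIVE MAX ADDRESS EXT result
USER_SECTORS = NATIVE_MAX_LBA + 1 - 2048   # what IDENTIFY reports once the HPA is set
SAMPLE_IDENTIFY = build_identify("ACME DISK 1000G", "SN0000001", "1.00", USER_SECTORS)

if __name__ == "__main__":
    info = parse_identify(SAMPLE_IDENTIFY)
    print(info)
    print(hidden_sectors(info, NATIVE_MAX_LBA, DCO_MAX_LBA))
```

If hpa_sectors or dco_sectors is non-zero, the image taken through the normal block device is short by that many sectors; record the three values in the acquisition notes before deciding whether to remove the HPA/DCO (which itself changes the drive) or to image through a tool that reads the native range.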
Module 2

HDD Volumes

Volumes Are Logical Storage Containers On HDDs

[Diagram: Primary Storage Media 1 holding Volume 1, Volume 2, Volume 3 and Unallocated space, followed by P-List, G-List and Redundant sectors, then Primary Storage Media 2]

• Volumes can contain most any data structure
– File systems
– Databases
– Swap space
– Hidden backups
– Other containers

P = P-List Sectors (defects recorded at manufacture)
G = G-List Sectors (defects grown during operation)
R = Redundant Sectors
Partitioning

[Diagram: Master Boot Record (MBR: Master Boot Code, Master Partition Table) | Partition #1 (Volume Boot Record: Volume Boot Code, Disk Parameter Block) | inter-partition gap | Partition #2 (VBR: VBC, DPB) | unused sectors]

On each partition a VBR contains Volume Boot Code and a Disk Parameter Block

• The Master Boot Record is created and includes the Master Boot Code (MBC) and the Master Partition Table (MPT) – always in the first sector of the media (CHS 0/0/1, i.e., LBA 0), whether or not the media is bootable
• The MBC is executed at boot if the HDD is designated as the boot device
• The MPT holds four 16-byte entries, one per primary partition, each giving the partition type, starting sector and length; the entry flagged active is the partition whose Volume Boot Code (VBC) will be executed. Extended partitions are described by further partition tables in Extended Boot Records chained from one of the four entries
• Each partition's VBR carries a parameter block (the BIOS Parameter Block, BPB, on FAT and NTFS) describing the file system inside it: bytes per sector, sectors per cluster, reserved sectors, file system type and similar layout data; some file systems also record when the volume was last mounted
• Inter-partition gaps are a collection of unused sectors, and unused sectors are a place to look for hidden data
• Some sectors are unused due to addressing issues (e.g., partitions aligned to cylinder or 1 MiB boundaries)
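Added example (my code, not the lecture's): a parser for the Master Partition Table described above, with the CHS/LBA translation from the geometry slide, that also lists the sectors no partition claims (the MBR track, inter-partition gaps and the tail of the disk). The layout constants are the real MBR format (four 16-byte entries at offset 446, 0x55AA signature at bytes 510-511, 0x80 active flag, packed 3-byte CHS fields); the 255-head/63-sector geometry and the sample MBR are constructed assumptions.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                  # the four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510-511 of the MBR
ACTIVE_FLAG = 0x80

# BIOS-style geometry assumed for CHS <-> LBA translation (a real drive reports its own)
HEADS = 255
SECTORS_PER_TRACK = 63


def decode_chs(packed):
    """Unpack the 3-byte CHS field of a partition entry into (cylinder, head, sector)."""
    head = packed[0]
    sector = packed[1] & 0x3F                           # low 6 bits of byte 1
    cylinder = ((packed[1] & 0xC0) << 2) | packed[2]    # high 2 cylinder bits live in byte 1
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; cylinders beyond 10 bits are clamped, as a BIOS does."""
    cylinder = min(cylinder, 1023)
    return bytes([head & 0xFF, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def chs_to_lba(cylinder, head, sector):
    """Classic translation: sectors count from 1 within a track, LBA from 0."""
    return (cylinder * HEADS + head) * SECTORS_PER_TRACK + (sector - 1)


def lba_to_chs(lba):
    cylinder, rem = divmod(lba, HEADS * SECTORS_PER_TRACK)
    head, sector = divmod(rem, SECTORS_PER_TRACK)
    return cylinder, head, sector + 1


def parse_mbr(sector0):
    """Return the non-empty entries of the Master Partition Table."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype == 0 and count == 0:
            continue                                     # empty slot
        entries.append({
            "slot": slot,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,
            "sectors": count,
        })
    return entries


def active_partition(entries):
    """The partition whose Volume Boot Code the MBC will jump to (None if nothing is flagged)."""
    for e in entries:
        if e["active"]:
            return e
    return None


def unused_ranges(entries, total_sectors):
    """(start, length) of sectors claimed by no partition: MBR track, gaps, and the disk tail."""
    used = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in entries)
    gaps, cursor = [], 1                                 # sector 0 holds the MBR itself
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def make_entry(active, ptype, lba_start, count):
    """Pack one 16-byte entry, deriving the CHS fields from the LBA values."""
    return struct.pack("<B3sB3sII", ACTIVE_FLAG if active else 0,
                       encode_chs(*lba_to_chs(lba_start)), ptype,
                       encode_chs(*lba_to_chs(lba_start + count - 1)), lba_start, count)


# Constructed sample MBR (test data): an active NTFS-typed partition starting at sector 63,
# then a 65-sector gap, then a Linux-typed partition, on a 2 GiB disk.
TOTAL_SECTORS = 4194304
_mbr = bytearray(SECTOR)
_mbr[TABLE_OFFSET:TABLE_OFFSET + 32] = (make_entry(True, 0x07, 63, 2097152)
                                        + make_entry(False, 0x83, 2097280, 1048576))
_mbr[510:512] = BOOT_SIGNATURE
SAMPLE_MBR = bytes(_mbr)

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print("active slot:", active_partition(parts)["slot"])
    print("unused:", unused_ranges(parts, TOTAL_SECTORS))
```

The unused ranges are the sectors to image and search separately: nothing in the file system layer will ever show them, and the 62 sectors behind the MBR are large enough to hold boot-sector malware or a small stash.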
Module 3

The Boot Process

• Begin execution from ROM at the x86 reset vector, CS:IP = F000:FFF0 (physical address 0xFFFFFFF0 on 386 and later, where the chipset maps the BIOS ROM)
• Jump to BIOS power on self test (POST)
• System initialization from CMOS and device BIOS
• Transfer execution to the master boot record (MBR) at cylinder 0, head 0, sector 1 of the boot media (if it exists)
• Transfer execution to the boot code on the "active" partition indicated by the master partition table in the MBR
– Hundreds of files are modified/touched as the operating system starts
• Constant memory and HDD modification during system operation
– This is why evidence media is never booted directly: it is imaged behind a write blocker and examined in an isolated environment
Module 4

Isolation Through Virtualization (e.g., VMware)

The Goal is to Maintain Integrity of the Investigation

[Diagram: the investigator, working inside the investigation environment, uses tools to READ the evidence, VERIFY it, and GENERATE analysis data, incremental reports and final reports for the report consumer; the environment must keep unauthorized users and networks, new or untested tools, and uncontrolled change processes from gaining ACCESS to, or MODIFYING, the evidence, the tools, and the analysis data]

VMware Will Serve as Our Investigation Environment
VMware Device Specifics
• Provides a variety of virtual hardware
– HDD (IDE or SCSI)
• Stored as a binary file on the host OS
• Can add or remove HDD very easily
• For evidence images, attach the disk as independent non-persistent (or work on a verified copy) so the guest cannot alter the original file
– CD and DVD drives (IDE or SCSI)
• Can use ISO image on host OS as CD or DVD
– Memory (RAM) – limited by physical RAM
– USB 1.1 and 2.0
– Floppy
• Can use a floppy image file (.flp/.img) on host OS as the floppy
– NIC (Ethernet)
– Audio Adapter
– Serial port
– Parallel port
– Generic SCSI device
• Can save and revert to snapshots of system state
• Virtual hardware is very stable
Module 5

Relevant Tools

The Sleuth Kit Tools (learn through hands-on labs)
• File system layer (partitions, file systems)
– fsstat – first used in lab 3 to determine block size
• File name layer (file name structures)
– ffind
– fls
• Meta-data layer (inodes, directory entries, file attributes)
– icat
– ifind
– ils
– istat
• Data unit layer (disk blocks)
– dcat – first used in lab 3 to extract disk blocks
– dls – first used in lab 2 to copy unallocated space and slack space
– dstat
– dcalc – first used in lab 3 to compute the absolute block to recover
NOTE: In The Sleuth Kit 3.0 and later the data unit tools are named blkcat, blkls, blkstat and blkcalc, and the volume system layer tools (mmls, mmstat) list the partitions in an image
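Added example (not from the lecture or from The Sleuth Kit itself): a toy re-implementation of what dls, dcalc -u and dls -s do, run on an 8-unit constructed image, to show the address mapping the lab 2/3 workflow depends on. dls copies the unallocated units in order; a keyword hit in that output gives an offset in the dls image, and dcalc -u turns the resulting dls unit number back into the absolute unit that dcat reads. The block size, allocation bitmap, file layout and contents are made-up test data.

```python
BLOCK_SIZE = 512


def block(image, n):
    """Raw contents of data unit n (what `dcat`/`blkcat` prints)."""
    return image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]


def unallocated_blocks(bitmap):
    """Absolute numbers of the data units the file system bitmap marks free."""
    return [n for n, used in enumerate(bitmap) if not used]


def dls(image, bitmap):
    """Concatenate the unallocated units in order, like `dls`/`blkls`."""
    return b"".join(block(image, n) for n in unallocated_blocks(bitmap))


def dcalc_u(bitmap, dls_unit):
    """Map unit number dls_unit of the dls output back to its absolute number (`dcalc -u`)."""
    return unallocated_blocks(bitmap)[dls_unit]


def file_slack(image, file_blocks, file_size):
    """Bytes after end-of-file in the file's last unit (`dls -s` gathers these for every file)."""
    if not file_blocks:
        return b""
    used_in_last = file_size - (len(file_blocks) - 1) * BLOCK_SIZE
    return block(image, file_blocks[-1])[used_in_last:]


def locate_in_unallocated(image, bitmap, needle):
    """The lab workflow in one call: dls -> keyword search -> dcalc -> (absolute unit, offset)."""
    hit = dls(image, bitmap).find(needle)
    if hit < 0:
        return None
    dls_unit, offset = divmod(hit, BLOCK_SIZE)
    return dcalc_u(bitmap, dls_unit), offset


# ---- constructed 8-unit image (test data, not from a real file system) ----
def build_sample():
    img = bytearray(8 * BLOCK_SIZE)

    def fill(n, data):
        img[n * BLOCK_SIZE:n * BLOCK_SIZE + len(data)] = data

    fill(1, b"A" * BLOCK_SIZE)                                   # file A, unit 1, full
    fill(3, b"A" * 188 + b"LEFTOVER FROM A DELETED FILE")        # file A's last unit: 188 bytes used
    fill(6, b"CONFIDENTIAL REPORT DRAFT")                         # remnant in a free unit
    return bytes(img)


SAMPLE_IMAGE = build_sample()
SAMPLE_BITMAP = [1, 1, 0, 1, 0, 1, 0, 0]   # units 0, 1, 3, 5 allocated
FILE_A_BLOCKS = [1, 3]
FILE_A_SIZE = 700                          # 512 in unit 1 + 188 in unit 3

if __name__ == "__main__":
    print("unallocated units:", unallocated_blocks(SAMPLE_BITMAP))
    print("slack of file A:", file_slack(SAMPLE_IMAGE, FILE_A_BLOCKS, FILE_A_SIZE)[:28])
    print("keyword found at:", locate_in_unallocated(SAMPLE_IMAGE, SAMPLE_BITMAP, b"CONFIDENTIAL"))
```

The point of dcalc is that a dls image renumbers units from zero, so an offset found with grep or a hex editor in that image is meaningless until it is mapped back; the same goes for offsets found in a slack-space image.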
Questions?

After all, you are an investigator
