Digital Forensic Analysis of Hard Disk for Evidence Collection.
1 INTRODUCTION
Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant, a CD or the flash card of a digital camera, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crime, not just e-crime. For example, a suspect's email or mobile phone files might contain critical evidence about their intent, their whereabouts at the time of a crime and their relationship with other suspects. A computer may itself be the 'scene of a crime', for example in hacking or denial of service attacks, or it may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking.
It is not just the content of emails, documents and other files which may be of interest to investigators but also the 'metadata' associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.
Computers need a method for the long-term storage and retrieval of data. A file system such as Windows NTFS gives users a way to store data in a hierarchy of files and directories. A file system consists of structural data and user data, organised so that the computer knows where to find them; in most cases the file system is independent of any specific computer. The basic reference model for a file system contains five data categories: file system, content, metadata, file name and application [1]. Every piece of data in a file system belongs to one of these categories according to the role it plays. Table 1 lists the data structures of FAT and NTFS in each category.
If an MFT (Master File Table) file record in NTFS has more than one $DATA attribute, each additional, named $DATA attribute is called an ADS (Alternate Data Stream). An ADS can be used to hide data in an NTFS file system because it does not appear in a directory listing and the reported size of the original file does not change. The amount of data that can be hidden in an ADS is limited only by the free space on the volume. One major difference between this data hiding technique and others is that an ADS is relatively easy to create [10], which raises the need for a forensic investigation of alternate data streams to identify whether unknown information is hidden in them. Similarly, a malicious user may simply delete the files used, in order to hide the malicious activity. Analysis of the MFT record header is helpful in recovering such deleted files from the hard disk.
The paper is structured as follows: Section 2 covers the existing work on file system forensics. Section 3 discusses the approach and the algorithms devised to carry out the forensic investigation of the file system to identify and extract hidden data; it also covers the approach to recovering deleted data. The results are covered in section 4, and the conclusion and future work in section 5.
2 RELATED WORK
The file system on the hard disk holds the digital evidence of the crime performed, which makes a forensic investigation of the file system necessary. This section studies the strategies and techniques developed so far for the forensic investigation of file systems.
Since most desktop and laptop computers run Windows, according to the usage share of operating systems, Rune Nordvik, Yi-Ching Liao and Hanno Langweg implemented AccountabilityFS, a file system monitor for forensic readiness, for modern versions of Windows including Windows 7, 8 and 8.1 (32-bit and 64-bit) [2].
A survey of the existing tools and techniques for the digital forensic analysis has been performed in [3].
Pei-Hua Yen, Chung-Huang Yang and Tae-Nam Ahn proposed the design and implementation of a live-analysis digital forensic system [4]. The work uses open source, Linux-based digital forensic tools, chosen with attention to the stability of the software, and collects its data by live analysis of the running system.
Gyu-Sang Cho provides a forensic analysis method for the directory index in NTFS file systems; NTFS employs B-tree indexing for efficient storage of many files and fast lookups [5]. Kevin Fairbanks proposed a technique for measuring data persistence using the Ext4 file system journal, since digital forensic tools and techniques depend on the data that can still be extracted from media [6].
Chen Wei and Liu Chun-Mei analysed and designed a Linux file system parser for computer forensics; the object-oriented method is used to design the parsing platform for the Linux file system [7]. In [8], a method for tracking file metadata through computer memory analysis is proposed; its aim is an algorithm that tracks the metadata of files on the well-known Windows file systems FAT and NTFS.
The requirements and functionality of alternate data streams are explained in [9], which also discusses how an attacker can use this NTFS feature to hide malicious code on a victim's machine in order to compromise it. An ADS graphical tool that lets users create, start, detect and delete alternate data streams is also proposed there.
3 ANALYSIS OF FILE SYSTEM
This section describes the digital forensic investigation of an NTFS file system to recover deleted files and to identify and extract hidden data.
File carving is a method that recovers files from unallocated space without any file system information about them; in general it recovers a file by its inherent header and footer signatures, or by the full file size recorded in the file header [11]. The approach proposed here for recovering deleted files from an NTFS file system also uses the metadata that remains in the MFT record of a deleted file, and involves three steps.
* Acquisition: acquiring an image of the hard disk that holds the NTFS file system.
* Analysis: analysing the disk image to recover deleted data from the NTFS file system.
* Reporting: creating a report on the digital evidence identified about the deleted files and about those that were recovered.
The basic process model for the digital forensic investigation of the NTFS file system is as follows:
1. Identification: recognises an incident from the digital devices and determines its type.
2. Preparation: entails the preparation of forensic tools and techniques, and obtaining the monitoring authorisations.
3. Preservation: the physical drive is opened with read permission only, so that the examination cannot alter the evidence.
4. Collection: records the physical scene and duplicates the digital evidence by creating disk images.
5. Examination:
5.1. Find the partition table entry that holds the NTFS partition.
5.2. Navigate to the beginning of the Master File Table, using the $MFT cluster number stored in the NTFS boot sector.
5.3. Find the root directory metafile entry in the MFT and extract its index allocation attribute data.
5.4. Process the INDX records found within the index allocation attribute data one by one, recursively, until a file that matches the one being sought is found.
5.5. In the matching index entry, find the MFT record number and move to that record's position within the MFT.
5.6. Read the MFT entry and process its attribute headers one by one until the $DATA attribute is encountered.
5.7. Apply the attribute data extraction process to retrieve the $DATA attribute, which contains the content of the file being accessed (directly if the attribute is resident, otherwise through the data runs it lists).
6. Reporting: after completion of the investigation, the investigator presents the findings, usually in the form of a written report.
3.1 Proposed Tool
The proposed tool has two phases, File Extraction and File Analysis, as shown in figure 1. In the file extraction phase a disk image is created, or an image is imported directly from an attached device. The boot sector is read to locate the start of the MFT and the root directory entry, which are the main structures used to recover deleted files.
Detailed analysis is done in the file analysis phase. The attributes obtained in the file extraction phase are used to recover deleted files, and the MAC (modification, access and creation) times are determined for analysis.
The Hidden Evidence Analysis module searches for evidence in deleted files, alternate data streams and free space (file slack and volume slack). The output of this module is loaded into the database.
In the Monitor File Forensic Activity module, the FileSystemWatcher class monitors file activity, recording who deleted, accessed or altered files.
The database stores data about each file such as file name, file type, creation time, modification time, deletion time and last access time.
The report generation module generates a report for the evidence collected by the file system analysis subsystem from each digital device, such as the disk image of a disk drive.
3.2 Data Structure Design
The data structures used in the forensic investigation of the file system are summarised as follows:
1. Disk Image Table
The disk image table holds information about the disk image considered for the forensic investigation. The structure of this table is as follows:
Disk_Image{ Did int[10], Dname Varchar[20], FileSystemType Varchar[20], DiskPath Varchar[20], ImageMACtime Varchar[20] };
The attributes are described as follows:
Did: disk image id; Dname: name of the disk; FileSystemType: file system type; DiskPath: disk path; ImageMACtime: modification, access and creation time of the disk image.
2. Recovered Files Table
This table holds metadata about the recovered files. The structure of this table is as follows:
Recovered_Files{ File_id int, Fname Varchar[10], Recovery_type Varchar[10], IsDataHidden Boolean };
The attributes are described as follows:
File_id: file identifier; Fname: file name; Recovery_type: metadata-based or content-based recovery; IsDataHidden: true if data is hidden in the file.
3. Hidden Data Table
Information about the hidden data is stored in this table. The structure of this table is as follows:
Hidden_Data{ File_id int, Did int, IsDelete Boolean };
The attributes are described as follows:
File_id: file identifier; Did: disk image identifier; IsDelete: true if the file is deleted.
4. File Forensic Table
This table holds the forensic information obtained from the other tables. The structure of this table is as follows:
File_Forensic{ Fid int, Did int, Fname Varchar[10], FileType Varchar[10], MACtime Varchar[10], IsDelete Boolean, IsRecovered Boolean };
The attributes are described as follows:
Fid: file identifier; Did: disk image id; Fname: file name; FileType: type of the recovered file; MACtime: modification, access and creation time of the file; IsDelete: true if the file is deleted; IsRecovered: true if the file has been recovered.
3.3 Algorithm Design
The algorithm for the various module of the proposed tool is discussed as follows:
1. Function Name: PrepareDiskImage(Disk_Drive)
Input: Disk drive
Output: Disk image of the disk drive
Variables: handle, driveName, source, destination, HexImage
Purpose: This algorithm takes the disk drive as input and copies every byte of it to create the disk image. It first creates a handle to the disk drive opened with read permission only.
Algorithm:
1. handle = CreateFile(driveName) // CreateFile Windows API in read mode
2. if handle is invalid then
3.     return with error message
4. else
5.     do
6.         i = source.ReadByte() // read the disk drive byte by byte; ReadByte returns -1 at the end of the stream
7.         if (i != -1) then
8.             destination.WriteByte((byte) i) // copy the byte to the new location
9.         end if
10.    while (i != -1)
11.    HexImage = BitConverter.ToString(destination) // hexadecimal view of the disk image
12.    if the number of bytes read is 0 then
13.        return with "copy failed" status
14.    end if
15. end if
2. Function Name: GetBootSector(Disk_Image)
Input: Disk image
Output: Boot sector loaded from the image
Variables: handle, driveName, HexImage, BootSector[]
Purpose: This algorithm takes the disk image as input and loads the boot sector of the drive.
Algorithm:
1. PrepareDiskImage(driveName)
2. handle = CreateFile(driveName) // CreateFile Windows API in read mode
3. if handle is invalid then
4.     return with error message
5. else
6.     for i = 0 to 511 do
7.         BootSector[i] = HexImage.ReadByte() // the boot sector is the first 512 bytes of the image
8.     end for
9.     if the number of bytes read is 0 then
10.        return with "read failed" status
11.    end if
12. end if
3. Function Name: ShowFileSystemInformation()
Input: Boot sector loaded from the disk image
Output: File system type, volume serial number
Variables: BootSector[], FileSysType, VolumeSerialNum
Purpose: This algorithm takes the boot sector of the disk drive as input and returns file system information such as the file system type and the volume serial number.
Algorithm:
1. GetBootSector(Disk_Image)
2. FileSysType = BootSector.ReadBytes(0x03, 8) // OEM ID at offset 0x03; "NTFS    " on an NTFS volume
3. if (FileSysType == "NTFS") then
4.     VolumeSerialNum = BootSector.ReadBytes(0x48, 8) // NTFS volume serial number
5. else
6.     VolumeSerialNum = BootSector.ReadBytes(0x43, 4) // FAT32 volume serial number
7. end if
4. Function Name: ListAllocatedFiles()
Input: Disk image
Output: List of allocated files
Variables: MFT Loc, MFT Start Loc, File Name
Purpose: This algorithm locates the MFT and parses the content of every $FILE_NAME attribute to return the names of the allocated files.
Algorithm:
1. GetBootSector(DiskImage)
2. MFT Loc = BootSector.ReadBytes(0x30, 8) // logical cluster number of $MFT, stored at offset 0x30 of the boot sector
3. MFT Start Loc = BitConverter.ToInt64(MFT Loc) * bytes per cluster // byte offset of the MFT in the image
4. FileName = destination.ReadByte(MFT Start Loc + 48) // $FILE_NAME attribute of the record
5. while (MFT records remain) do
6.     return all file names stored in the $FILE_NAME attribute
7. end while
5. Function Name: ListDeletedFileNames()
Input: Disk image
Output: List of deleted files
Variables: MFT Loc, MFT Start Loc, File Name, Hard Link Name
Purpose: This algorithm maps the hard link name against the $FILE_NAME attribute to give the list of deleted files.
Algorithm:
1. GetBootSector(DiskImage)
2. MFT Loc = BootSector.ReadBytes(0x30, 8)
3. MFT Start Loc = BitConverter.ToInt64(MFT Loc) * bytes per cluster
4. Hard Link Name = destination.ReadByte(MFT Start Loc + 20)
5. FileName = destination.ReadByte(MFT Start Loc + 48)
6. while (Hard Link Name != null) do
7.     if (Hard Link Name != File Name) then
8.         return Hard Link Name
9.     end if
10. end while
6. Function Name: RecoverDeletedFiles(List_of_deleted_files)
Input: List of deleted files
Output: Recovered deleted files
Variables: wFlags, handle, RecoveredData
Purpose: This algorithm first checks the record flags to decide whether a file is deleted, then retrieves its content. If the $DATA attribute is non-resident, the record holds only the run list and the content has to be read from the clusters it points to; clusters that have since been reallocated are overwritten, so recovery is only possible while they remain unallocated.
PART 1 - Determine whether the file is deleted or not
1. if (file system == NTFS) then
2.     traverse the MFT record header to obtain the wFlags field (record flags at offset 0x16)
3.     if (wFlags & 0x01) then // bit 0 set means the record is in use
4.         return "file is in use"
5.     else
6.         return "file is deleted"
7.     end if
8. else if (file system == FAT) then
9.     if (the directory entry begins with 0xE5 && the FAT entry of each cluster used by the file has been set to zero) then
10.        return "file is deleted"
11.    else
12.        return "file is in use"
13.    end if
14. end if
PART 2 - Retrieve a file
1. set the physical drive handle
2. set the starting sector of the file system: phy_Drive_handle.SetStartSector(StartingRelativeSector, 512)
3. initialise, i.e. read the whole MFT into memory
4. ListDeletedFiles(Disk_Image)
5. get the hard link name or file name of each deleted file
6. RecoveredData = HexImage.read(MFTStartLoc + 112) // extract the file content into a buffer
7. newLocation = RecoveredData.copyTo(Path) // create the same file in a new location
8. save the file data to the new file
9. close the handle
7. Function Name: GetMACtime(FileName)
Input: File name
Output: Modification, access and creation time
Algorithm:
1. set the physical drive handle
2. set the starting sector of the file system
3. Phy_Drive_handle.SetStartSector(StartingRelativeSector, 512)
4. initialise, i.e. read the whole MFT into memory
5. parse the individual INDX record entry structure, which carries a copy of the file's $FILE_NAME attribute, to get the MAC times
8. Function Name: HiddenEvidenceAnalysis(Disk_Drive)
Input: Disk drive
Output: Hidden data found in alternate data streams
Variables: Current Stream, memory stream
Purpose: Enumerates the data streams of each file to retrieve hidden data.
Algorithm:
1. call FindFirstStreamW(fileName, FindStreamInfoStandard, &streamData, 0) to enumerate the first stream of type ::$DATA (parameters: the file name, the information level of the returned data, a pointer to the buffer that receives the stream data, and flags, which must be 0)
2. if the returned handle is invalid then
3.     return with error message
4. else
5.     add the current stream to the list
6.     while (FindNextStreamW(handle, &streamData) succeeds) do
7.         initialise a new memory stream
8.         read the stream content and store it in the memory stream
9.     end while
10. end if
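The boot-sector-to-MFT walk of examination steps 5.2 to 5.7 and of functions 2 to 6 and 8 above, as an added Python example that is not the paper's tool (the tool is written against the Windows API and reads live streams with FindFirstStreamW). It parses an NTFS boot sector to find $MFT, applies the update-sequence fixups that every FILE record needs before any of its fields can be trusted, walks the resident attributes to read the MAC times from $STANDARD_INFORMATION, the name from $FILE_NAME and every $DATA stream (a named $DATA attribute is an ADS), and reads the in-use flag that PART 1 of function 6 tests. The image, records, timestamp T0 and volume serial number are constructed test data; the attribute type codes and field offsets are those of the on-disk format; non-resident data runs are not decoded.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF  # NTFS attribute type codes
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
T0 = 131670144000000000  # FILETIME of 2018-04-01 00:00:00 UTC, the constructed timestamp used below

def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_boot_sector(bs):
    """Step 5.2, GetBootSector and ShowFileSystemInformation: locate $MFT from the BPB fields."""
    if bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)        # bytes per sector, sectors per cluster
    mft_cluster, = struct.unpack_from("<Q", bs, 0x30)      # first cluster of $MFT
    cpr, = struct.unpack_from("<b", bs, 0x40)              # clusters per FILE record (signed)
    rec_size = 2 ** -cpr if cpr < 0 else cpr * spc * bps   # a negative value n means 2**|n| bytes
    serial, = struct.unpack_from("<Q", bs, 0x48)           # volume serial number
    return {"mft_offset": mft_cluster * spc * bps, "record_size": rec_size, "serial": serial}

def apply_fixups(rec):
    """Undo update-sequence fixups: each 512-byte sector ends with the USN; the displaced bytes sit in the USA."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        if rec[i * 512 - 2:i * 512] != usn:
            raise ValueError("USN mismatch: torn write or corrupt record")
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(raw):
    """Steps 5.6 and 5.7: walk the resident attributes of one FILE record (non-resident runs are not decoded)."""
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off, flags = struct.unpack_from("<HH", rec, 0x14)      # first attribute offset, record flags
    info = {"in_use": bool(flags & 1), "names": [], "streams": {}}   # flag bit 0 is the wFlags test of PART 1
    while True:
        atype, = struct.unpack_from("<I", rec, off)
        if atype == ATTR_END:
            break
        alen, nonres, name_len, name_off = struct.unpack_from("<IBBH", rec, off + 4)
        aname = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if not nonres:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_STD_INFO:                     # creation, modification, MFT change, access
                c, m, _, a = struct.unpack_from("<4Q", content, 0)
                info["mac"] = {"modified": from_filetime(m), "accessed": from_filetime(a), "created": from_filetime(c)}
            elif atype == ATTR_FILE_NAME:                  # name length at 0x40, UTF-16LE name at 0x42
                info["names"].append(content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le"))
            elif atype == ATTR_DATA:                       # "" is the main stream; any other name is an ADS
                info["streams"][aname] = content
        off += alen
    info["ads"] = [n for n in info["streams"] if n]
    return info

def _attr(atype, content, name=""):
    """Encode one resident attribute: 0x18-byte header, UTF-16LE name, content, padded to 8 bytes."""
    nb = name.encode("utf-16-le")
    coff = 0x18 + len(nb) + (-(0x18 + len(nb))) % 8
    body = struct.pack("<IIBBHHHIHBB", atype, 0, 0, len(name), 0x18, 0, 0, len(content), coff, 0, 0)
    body = (body + nb).ljust(coff, b"\0") + content
    body = body.ljust(len(body) + (-len(body)) % 8, b"\0")
    return body[:4] + struct.pack("<I", len(body)) + body[8:]

def build_sample_record(name, in_use, data, ads=None):
    """Constructed 1024-byte FILE record with resident $STANDARD_INFORMATION, $FILE_NAME and $DATA."""
    std = struct.pack("<4QI", T0, T0, T0, T0, 0x20).ljust(48, b"\0")
    fn = struct.pack("<Q4QQQIIBB", 5, T0, T0, T0, T0, 0, len(data), 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = _attr(ATTR_STD_INFO, std) + _attr(ATTR_FILE_NAME, fn) + _attr(ATTR_DATA, data)
    for sname, sdata in (ads or {}).items():
        attrs += _attr(ATTR_DATA, sdata, sname)
    attrs += b"\xFF\xFF\xFF\xFF\0\0\0\0"
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, int(in_use),
                      0x38 + len(attrs), 1024, 0, 4, 0, 42)
    rec = bytearray((hdr.ljust(0x38, b"\0") + attrs).ljust(1024, b"\0"))
    usn = b"\x07\x00"                                      # constructed update sequence number
    rec[0x30:0x36] = usn + rec[510:512] + rec[1022:1024]   # USA = USN followed by the two displaced words
    rec[510:512] = rec[1022:1024] = usn
    return bytes(rec)

def build_sample_image(mft_cluster=4):
    """Constructed image: NTFS boot sector, zero fill, then two FILE records where $MFT starts."""
    bs = bytearray(512)
    bs[0:11], bs[510:512] = b"\xEB\x52\x90NTFS    ", b"\x55\xAA"
    struct.pack_into("<HB", bs, 0x0B, 512, 8)              # 512 bytes per sector, 8 sectors per cluster
    struct.pack_into("<QQ", bs, 0x30, mft_cluster, 2)      # $MFT and $MFTMirr start clusters
    struct.pack_into("<bxxxxxxxQ", bs, 0x40, -10, 0x1234ABCD5678EF90)  # 1024-byte records; constructed serial
    recs = build_sample_record("report.docx", True, b"quarterly figures", {"hidden.txt": b"exfil list"})
    recs += build_sample_record("notes.txt", False, b"deleted but still resident")
    return bytes(bs).ljust(mft_cluster * 8 * 512, b"\0") + recs

def list_records(image):
    """ListAllocatedFiles and ListDeletedFileNames: boot sector, then every FILE record from $MFT onwards."""
    boot = parse_boot_sector(image[:512])
    raws = [image[o:o + boot["record_size"]] for o in range(boot["mft_offset"], len(image), boot["record_size"])]
    return [parse_mft_record(r) for r in raws if r[:4] == b"FILE"]
```

Two points the pseudocode above leaves implicit are made explicit here: the fixup step must run before any attribute is read, otherwise the two bytes at the end of each sector of the record are the USN rather than data, and a mismatch there is itself evidence of a torn write or tampering; and a deleted file is simply a record whose in-use bit is clear, with its name, timestamps and resident content still in place until the record is reused.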
9. Function Name: MonitorFileForensicActivities(Disk_Drive)
Input: Disk drive
Output: Changes made by the attacker
Variables: handle, ip, FileSystemWatcher
Purpose: This algorithm captures the changes made by an attacker and monitors the attacker's activities. FileSystemWatcher reports local file system events (creation, change, deletion and renaming) and does not itself identify the network origin of a change, so the IP address recorded with an event has to be obtained from a separate source.
Algorithm:
1. handle = CreateFile(driveName) // CreateFile Windows API in read mode
2. if handle is invalid then
3.     return with error message
4. else
5.     do
6.         use the FileSystemWatcher API to monitor file activity
7.     end do
8.     if (ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork) then // IPv4 address to record with the activity
9.         return ip.ToString()
10.    end if
11. end if
4 RESULTS
The tool that recovers deleted data from the hard disk and identifies and extracts hidden data has been implemented as discussed in section 3. This section shows screenshots of the proposed tool. The tool has an ADS Detection module to identify hidden data in the file system and a Recovery module to recover deleted data from the hard disk. Compared with the existing work on hard disk forensics, the proposed approach includes the following improvements.
1. The proposed approach identifies hidden evidence on the hard disk in addition to retrieving deleted files.
2. The proposed approach also identifies whether any changes have been made by the attacker.
Figure 2 shows a snapshot of the proposed File System Analysis tool identifying hidden data and recovering deleted data.
Figure 3 shows the hidden file and directory identified with the proposed tool. Deleted files recovered with the tool are shown in figures 4 and 5.
Files that were permanently deleted from the disk drive (deleted without passing through the Recycle Bin) are also recovered with the tool; these files are shown in figure 5.
5 CONCLUSION
In this work, the importance of the digital forensic investigation of a file system for recovering deleted data from a hard disk has been discussed. The analysis of hidden data is important because it helps to identify suspicious or sensitive information hidden by a malicious insider or by external entities. After reviewing the existing algorithms for identifying and displaying hidden data, for recovering deleted files and for the forensic analysis of deleted files, and after studying the existing file forensic tools, a new file forensic model and a tool for file system analysis and forensic analysis have been proposed.
6 REFERENCES
[1] Carrier B.: File System Forensic Analysis, Addison Wesley Professional (2005), ch. 8, pp. 129-131.
[2] Nordvik R., Liao Y., Langweg H.: AccountabilityFS: A File System Monitor for Forensic Readiness, Intelligence and Security Informatics Conference (JISIC) (2014).
[3] Sivaprasad A., Jangale S.: A Complete Study on Tools & Techniques for Digital Forensic Analysis, International Conference on Computing, Electronics and Electrical Technologies (ICCEET), IEEE (2012).
[4] Yen P., Yang C., Ahn T.: Design and Implementation of a Live-analysis Digital Forensic System, International Conference on Convergence and Hybrid Information Technology, ACM (2009).
[5] Cho G.: NTFS Directory Index Analysis for Computer Forensics, 9th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, IEEE (2015).
[6] Fairbanks K.: A Technique for Measuring Data Persistence using the Ext4 File System Journal, IEEE 39th Annual International Computers, Software & Applications Conference (2015).
[7] Wei C., Chun-Mei L.: The Analysis and Design of Linux File System Based on Computer Forensic, International Conference on Computer Design and Applications (2010).
[8] AkramZainolArfin K., Mahmood A.: Tracking File's Metadata from Computer Memory Analysis, IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing (2015).
[9] Mahajan R., Singh M., Miglani S.: ADS: Protecting NTFS From Hacking, IEEE International Conference on Recent Advances and Innovations in Engineering, Jaipur, India (2014).
[10] Yao Q., Chunying G.: Research and Implementation of Data Recovery Technology Based on WINDOWS FAT, IEEE (2010).
[11] Metz J.: Carving NTFS-compressed files, Hoffmann Investigations, http://www.forensicfocus.com/carving-ntfs-compressed-files (2009).
Bandu B. Meshram (1), Dinesh N. Patil (2)
Veermata Jijabai Technological Institute Matunga, Mumbai, India
bbmeshram@ce.vjti.org.in (1), dinesh9371@gmail.com (2)
Table 1. Data structures in each data category for the FAT and NTFS file systems

| Category    | FAT                    | NTFS                                                                                |
|-------------|------------------------|-------------------------------------------------------------------------------------|
| File System | Boot sector, FSINFO    | $Boot, $Volume, $AttrDef                                                            |
| Content     | Clusters, FAT          | Clusters, $Bitmap                                                                   |
| Metadata    | Directory entries, FAT | $MFT, $MFTMirr, $STANDARD_INFORMATION, $DATA, $ATTRIBUTE_LIST, $SECURITY_DESCRIPTOR |
| File Name   | Directory entries      | $FILE_NAME, $IDX_ROOT, $IDX_ALLOCATION, $BITMAP                                     |
| Application | N/A                    | Disk Quota, Journal, Change Journal                                                 |
Author: Meshram, Bandu B.; Patil, Dinesh N.
Publication: International Journal of Cyber-Security and Digital Forensics
Article Type: Report
Date: Apr 1, 2018
Words: 3445