Lecture 6 CSNC4583

The document discusses digital forensics and provides information about hard drives. It describes the physical characteristics of hard drives including platters, read/write heads, and enclosures. It also discusses logical drive structures such as partitions, file systems including FAT16, FAT32, and NTFS. Key features of NTFS are summarized such as large file and disk support, security permissions, and data streams.


Digital Forensics

FARAZ ALI
FarazAli@ucp.edu.pk
+92-321-404-1740
OBJECTIVES
• Physical Characteristics of Hard Drive

• Logical Partitioning and Formatting of Hard Drive

• FAT16 and FAT32 and NTFS File System

• Master Boot Record

• Overview of Automated Computer Forensic Tools

Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
TYPES OF HARD DRIVE
• There are four different types of hard drives used in computers (personal and servers):


• PATA (Ground Parallel Advance Technology)

• IDE (Integrated Drive Technology)

• SATA (Serial Advance Technology Attachment)

• SSD (Solid State Drive)

• SCSI (Small Computer System Interface)

HARD DRIVE
• A device which can store and retrieve a large amount of data for a long period of time.
• It has the ability to retain data without power for a long period of time.
• It has a metal enclosure holding the logic board, heads and platters.
• It comes in 3.5” and 2.5” enclosures.

• Newer forms of hard drive store data on NAND flash memory, like USB drives.

PHYSICAL CHARACTERISTICS OF
HARD DRIVE
HDD:
• Platters
• Spindle
• R/W Head
• Actuator Arm
• Actuator Axis
• Actuator

SSD:
• Cache
• NAND Flash Memory
• Controller

HOW HARD DRIVE WORKS

DISK PLATTER
• The platter is made of a magnetic material.

• Data is stored on the platter.

• Each group of magnetic particles represents a unit called a bit.

• Newer versions use thin-film metals as platters to increase efficiency and drive storage capacity.

HOW HARD DRIVE WORKS
STEPPER MOTOR
• The stepper motor is used to control the read/write head position.
• It usually uses +12 V power.
• Newer stepper motors use low-power +5 V drives.
SPINDLE MOTOR
• The spindle motor controls the platters.
• The speed at which the motor rotates can vary from 3600 r.p.m. to 10,000 r.p.m.
R/W HEAD
• It reads or writes information on the drive platter.
• The head writes magnetic information on the platter.
HEAD ARM
• The only purpose of the head arm is to perform read and write operations.

HOW HARD DRIVE WORKS
DISK STRUCTURE
• Track
• Sector
• Cylinder
• Storage Capacity

LOGICAL PARTITIONING AND
FORMATTING OF HARD DRIVE
The logical structure of a hard drive is composed of:
• Start-Up Sector

• Partitioned Space

• Non-Partitioned Space

START-UP SECTOR

It contains information about the partitions and the MBR (Master Boot Record).

PARTITIONED SPACE

It is the part of the hard drive that has been assigned to a partition.

NON-PARTITIONED SPACE

It is not assigned to any partition; it is neither accessible nor usable.


LOGICAL PARTITIONING AND
FORMATTING OF HARD DRIVE
There are two types of partitions:
• Primary Partition

• Extended Partition

PRIMARY PARTITION
• The active logical unit that can contain an operating system.

• In Windows this unit is identified as C.

• The maximum number of primary partitions on a hard drive is 3 + 1 extended partition, or 4.

LOGICAL PARTITIONING AND
FORMATTING OF HARD DRIVE
EXTENDED PARTITION
• A logical unit that cannot contain an operating system.

• A hard drive can contain a maximum of one extended partition.

• The user can create different logical units inside it, which in Windows can be D, E, F, etc.

FAT 16 & FAT 32
FAT 16:
• FAT16 was the primary file system for MS-DOS 4.0 and 6.22.

• It uses 16 bits for addressing clusters.

• A formatted drive can range from 2 GB to 16 GB.

• FAT16 holds a maximum of 65,536 files.

FAT 32
• Supports larger volumes, better performance and flexibility.

• Enables partition sizes up to 2 TB or more.

• FAT32 holds up to 268,173,300 files.

NTFS
• NTFS stands for “New Technology File System”.

• The NTFS file system is supported by the Windows operating system.

• NTFS uses a 64-bit cluster index.

• NTFS can address volumes of up to 16 exabytes (16 billion GB).

• The NTFS volume size is, however, limited to that addressable with 32-bit clusters, which is 128 TB.

NTFS
NTFS supports:
•Large file size and disk.

•Better performance on large disks and large directories.

•Reliability

•Security

NTFS
NTFS overcomes limitations present in FAT:
• FAT does not support large disks very well.

• The FAT root directory is a single point of failure.

• The number of entries in the root directory is limited.

NTFS
• NTFS I/O operations that alter the file system structure, such as changes to directory structures, extending files, or allocating space for new files, are handled as transactions.

• Transactions are either completed or rolled back.

• NTFS uses redundant storage for vital file system information.

NTFS SECURITY
• NTFS security is derived from the Windows object model.

• The NT security system verifies access rights when a process tries to open a file or directory.

• The administrator or file owner may set permissions.

NTFS
• NTFS has a maximum file size of 2^64 bytes.

• Cluster size is adjustable.

• It has multiple data streams, i.e. separate attributes such as:

• File info: name, owner, time stamp

• Each attribute consists of a sequence of bytes.

• The default data stream has no name.

• A new stream can be added as “anyfile.dat:stream2”.

• File operations manipulate all streams simultaneously.

NTFS FEATURES
• Multiple data streams

• Hard links

• Compression and sparse files

• Change logging

• Per user volume quotas

• Link tracking is easy

• Better encryption

• Defragmentation

NTFS FEATURES
Multiple data streams
• In NTFS, each unit of information associated with a file is stored as a separate stream, including:

• Name

• Owner information

• Time stamp information

• Contents of the file

NTFS FEATURES
Hard links
• A hard link allows multiple paths to refer to the same file or directory.

• If a hard link named C:\Users\Documents\abc.doc refers to the existing file C:\My Documents\abc.doc, the two paths link to the same on-disk file and you can make changes to the file using either path.

NTFS FEATURES
Compression and sparse files
• Many types of applications, such as incremental backup utilities, need to monitor a volume for changes.
• One way to watch for changes is to perform a full scan.

NTFS FEATURES
• Change logging

• With Windows 2000, NTFS introduces the change log, which is a sparse metadata file that records file system events.
• An application uses Win32 APIs to read the events.

NTFS FEATURES
Per user volume quotas
• Quota management support allows per-user specification of quota enforcement.
• If a user attempts to use more volume storage than his/her assigned quota, the system logs an event and fails the application that caused the quota violation with a disk-full error.

NTFS FEATURES
• Link tracking is easy

• Several types of symbolic file links are used by layered applications.

• In the past these links were difficult to manage.

• Windows has a link tracking service, “TrkWks” (it runs in services.exe), which tags link sources with a unique object ID.

NTFS FEATURES
Better encryption
• NTFS implements security for files and directories.

• This security is ineffective if the physical security of the computer is compromised.

Encrypting File System

• Like compression, its operation is transparent.

• Also like compression, encryption is a file and directory attribute.

• Encrypted files can be accessed only by using the corresponding public/private key pair.

• Private keys are locked using the account’s password.
NTFS FEATURES
Defragmentation
• A file is fragmented if its data occupies discontiguous clusters.

• Defragmentation APIs have been present since NT4.

• Windows 2000 introduced a non-schedulable graphical defragmenter.

• A command-line interface was added in Windows XP.

NTFS
File System Driver

MASTER BOOT RECORD

MASTER BOOT RECORD
• The second phase of the booting process: the BIOS contained within these Intel-based computers loads the first sector of the hard drive into memory.
• This first sector is called the Master Boot Record (MBR).

• The MBR consists of three components:

i. A small amount of executable code called the master boot code.

ii. The disk signature

iii. The partition table for the disk

BOOT LOADER
• The boot loader works by looking for the active partition in the partition table and loading the first sector of that partition.
• This first sector is the Partition Boot Record.

• The Partition Boot Record then starts the process of loading the operating system kernel.

MASTER BOOT CODE ACTIVITIES
• Scans the partition table for the active partition

• Finds the starting sector of the active partition

• Loads a copy of the boot sector from the active partition into memory

• Transfers control to the executable code in the boot sector

MBR
• The MBR contains 3 components:

i. The boot loader

• Loads the main operating system for the computer. It looks for the active partition in the partition table and loads the first sector of that partition, usually the OS boot record.

ii. The partition table

• It begins immediately after the boot loader area; the entry whose first byte is 0x80 represents the active partition.

iii. The signature bytes

• They should always be 0x55AA in a valid MBR.

• If the signature bytes are not 0x55AA, the hard drive will not boot.
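As an added example (not part of the original lecture), here is a small Python parser for the three MBR components described above: it refuses a sector without the 0x55AA signature bytes, reads the four partition-table entries, and locates the active (0x80) partition whose boot sector the master boot code would load. The sample sector is constructed inline; its partition layout and the 0x12345678 disk signature are made-up values.

```python
import struct

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 440        # 4-byte disk signature sits just after the boot code
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow
PART_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510-511; without it the drive will not boot
ACTIVE_FLAG = 0x80           # first byte of a partition entry marks it active

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into the MBR's three components (boot code, disk
    signature, partition table); reject it if the 0x55AA signature is missing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("signature bytes are not 0x55AA: not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # entry layout: boot flag, CHS start (3 bytes, skipped), type,
        # CHS end (3 bytes, skipped), LBA start, sector count (little-endian)
        flag, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 is an unused slot
            partitions.append({"index": i, "active": flag == ACTIVE_FLAG,
                               "type": ptype, "start_lba": start_lba, "sectors": count})
    return {"boot_code": sector[:DISK_SIG_OFFSET],
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
            "partitions": partitions}

def active_partition(mbr: dict) -> dict:
    """Mirror the master boot code: find the single active partition and the byte offset of its boot sector."""
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(active))
    part = dict(active[0])
    part["boot_sector_offset"] = part["start_lba"] * SECTOR_SIZE
    return part

def build_sample_mbr() -> bytes:
    """Constructed sample MBR, not taken from a real disk: an active NTFS-type (0x07)
    primary partition followed by an inactive extended (0x05) partition."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0x12345678)  # made-up disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET, ACTIVE_FLAG, 0x07, 2048, 409600)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET + PART_ENTRY_SIZE, 0x00, 0x05, 411648, 204800)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)
```

Running `active_partition(parse_mbr(build_sample_mbr()))` yields the 0x07 entry starting at LBA 2048; a real image's first 512 bytes can be passed to `parse_mbr` the same way.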
HEARINGS FRYE TEST – PAST METHOD
DAUBERT HEARING – CURRENT METHOD
HEARINGS FRYE TEST
Responsibility on scientific community.
Defined acceptable evidence gathering procedures.
Used Peer Reviewed Journals.
Daubert Hearing
Offers additional methods to test quality of evidence.
“The Frye test originated from the Court of Appeals of the District of Columbia in a decision rejecting admissibility of a systolic blood pressure deception test (a forerunner of the polygraph test).

HEARINGS FRYE TEST – PAST METHOD
DAUBERT HEARING – CURRENT METHOD
The court stated that admission of this novel technique was dependent on its
acceptance by the scientific community.
There are three problems with the Frye standard:
i. At what point is the principle "sufficiently established" determined?
ii. At what point is "general acceptance" reached?
iii. What is the proper definition of "the particular field in which it belongs"?

DAUBERT HEARING PROCESS
Testing
Is this procedure tested?
Error Rate
What is the error rate of this procedure?
Publication
Has procedure been published and reviewed by peers?
Acceptance
Is the procedure generally accepted within the relevant scientific community?

TYPES OF SECURITY SOFTWARES
Security tools are software applications that are used to prevent unauthorized access to and use of digital media.
These tools are used by home users, corporations and small businesses.

•Antispyware
•Antivirus
•Authentication
•Security Identity & Access Management
•Intrusion Detection
•Intrusion Prevention
•Network Firewall
•Remote Access
•Network Security Management

TYPES OF FORENSIC SOFTWARE
There are many standard tools in use by computer forensic experts in an attempt to trace what happened, when it occurred and who the perpetrator may have been.

•Acquisition Tools
•Data Discovery Tools
•Internet History Tools
•Image Viewers
•Password Cracking Tools
•Open Source Tools
•Mobile Device tools (PDA/Cell Phone)
•Large Storage Analysis Tools

ELECTRONIC DATA DISCOVERY TOOLS
Electronic Data Discovery tools, abbreviated DAQ, assist in the recovery of data that may have been deleted but not completely removed from a computer system.

•Extract & Index Data


•Create Electronic Images of Data
•Search by Keyword or Document Similarity
•Metadata
•Author
•Date Created & Updated
•date sent, received, etc.

INTERNET HISTORY TOOLS
Internet history tools are useful in tracking how users have used the internet
and sites on the internet that were accessed.

•Reads Information in Complete History Database


•Displays List of Visited Sites
•Opens URLs in Internet Explorer
•Adds URLs to Favorites
•Copies URLs
•Prints URLs
•Saves Listing/Ranges as Text File

PASSWORD CRACKING TOOLS
Dictionary Attack
A dictionary file (a text file full of dictionary words) is loaded into a cracking application, which is run against user accounts located by the application. Because the majority of passwords are often simplistic, running a dictionary attack is often sufficient to do the job.
Hybrid Attack
A hybrid attack adds numbers or symbols to the dictionary words to successfully crack a password. Many people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month password is "cat"; second month password is "cat1"; third month password is "cat2"; and so on.
Brute Force Attack
A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password. Some brute force attacks can take a week depending on the complexity of the password.
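Added example, not from the original lecture: a Python policy check that classifies a candidate password by which of the three attack classes described above would recover it first, so that passwords a dictionary or hybrid attack would find can be rejected before they are set. The word list is a constructed stand-in for a real dictionary file.

```python
import re

# Constructed mini word list standing in for the slide's "dictionary file";
# a real policy check would load a full word list.
DICTIONARY = {"cat", "dog", "password", "summer", "welcome", "admin", "letmein"}

# (regex for a character class, number of characters in that class)
CHARSET_SIZES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

def classify_password(pw: str) -> str:
    """Return which attack class from the slide would recover this password first:
    'dictionary'  - a plain dictionary word (any case)
    'hybrid'      - a dictionary word with digits/symbols added before or after (cat1, cat2)
    'brute-force' - no dictionary structure, so only exhaustive search applies"""
    low = pw.lower()
    if low in DICTIONARY:
        return "dictionary"
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)  # strip non-letter prefix and suffix
    if core and core in DICTIONARY:
        return "hybrid"
    return "brute-force"

def brute_force_keyspace(pw: str) -> int:
    """Upper bound on guesses for an exhaustive search: the size of the smallest
    character set covering every class present in the password, to the power of its length."""
    charset = sum(size for pattern, size in CHARSET_SIZES if re.search(pattern, pw))
    return charset ** len(pw)

def meets_policy(pw: str, min_length: int = 12) -> bool:
    """Defensive check: reject anything a dictionary or hybrid attack would find,
    and anything short enough that an exhaustive search is cheap."""
    return classify_password(pw) == "brute-force" and len(pw) >= min_length
```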
Thank You
Question and Answers
