0×1 Introduction
With the increasing number of computer crime cases and the digitization of the means of crime, the collection of electronic evidence has become key to providing important clues and solving cases. Electronic forensics is the recovery of damaged computer data and the provision of the relevant electronic data as evidence. Nstrt has also assisted with electronic forensics work. In this issue, nstrt explains the process of disk-based electronic forensics using a hypothetical case.
In general data forensics work, in order to preserve the evidence and avoid data loss caused by the forensic work itself, the first thing to do after obtaining the evidence medium is to make a full image backup of the media. Once the image backup is made, the next step is to extract data from the image rather than from the original medium.
Following the general approach to data extraction, this article introduces how to use knowledge of disk storage and file systems to extract disk data.
Among the backup formats for disk data, the common ones are DD, IMG, raw, etc. After the disk image is acquired (a DD image is used here), tools can be used to analyze it and locate the various usable data in detail. The powerful TSK (The Sleuth Kit) is used as the example here. The Sleuth Kit can analyze a storage image in detail at the file system layer, the data layer, the inode layer and the file layer.
This example assumes that a DD image file named image.dd has been obtained. The goal of the forensics is to find data related to "Jimmy Jungle".
In disk data forensics we analyze at multiple levels: the file system layer, the data layer, the inode layer and the file layer. These levels of analysis are closely related to one another. The following sections introduce the function and the analysis process of forensics at each level.
0×2 File system layer analysis
After obtaining a disk or image, file system layer analysis is usually performed first. As the name implies, it is about understanding the file system information of the disk partition. The purpose of obtaining this information is not to obtain data directly but to provide the basis for the subsequent data layer and file layer analysis: sector information, data area information, directory area information and cluster information.
The fsstat tool in TSK is used to analyze the file system information of the image. Its use is very simple: add the path of the disk or image file after the command. As shown in the figure below, the sector range of this image runs to 2879, the data area is in sectors 19-2879, the disk root directory is in sectors 19-32, and file contents are stored in sectors 33-2879. The cluster size is 512 bytes, exactly one sector.
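The numbers fsstat prints for a FAT volume all follow from the BIOS Parameter Block in the boot sector. The following is an added example, not code from the original article or from The Sleuth Kit: it parses the BPB of a boot sector and derives the same layout fsstat reports. The boot sector is constructed here so that it matches the article's numbers (sectors 0-2879, root directory 19-32, file area 33-2879, 512-byte clusters); the function names are the example's own.

```python
# Added example, not from the original article: parse a FAT12/16 BIOS Parameter
# Block (BPB) from a boot sector and derive the layout that `fsstat` reports.
# The boot sector is constructed to match the article's numbers; it is not
# taken from image.dd.
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBHHHII"   # BPB fields from byte 11 to byte 36 of the boot sector


def build_boot_sector():
    """Constructed 1.44 MB FAT12 boot sector (sample data, not the article's image)."""
    bs = bytearray(SECTOR_SIZE)
    bs[0:3] = b"\xEB\x3C\x90"            # jump instruction
    bs[3:11] = b"MSDOS5.0"               # OEM name
    struct.pack_into(BPB_FORMAT, bs, 11,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors (just the boot sector)
                     2,      # number of FAT copies
                     224,    # root directory entries
                     2880,   # total sectors (16-bit field)
                     0xF0,   # media descriptor (3.5" floppy)
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2,      # heads
                     0,      # hidden sectors
                     0)      # total sectors (32-bit field, unused when the 16-bit one is set)
    bs[510:512] = b"\x55\xAA"            # boot signature
    return bytes(bs)


def parse_layout(boot_sector):
    """Return the sector layout fsstat prints for a FAT12/16 volume.

    Everything is derived from the BPB alone, so this also works on the first
    512 bytes of a raw DD image of a FAT floppy or partition.
    """
    if len(boot_sector) < SECTOR_SIZE or boot_sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid boot sector (missing 0x55AA signature)")
    (bytes_per_sector, sectors_per_cluster, reserved, num_fats, root_entries,
     total16, _media, sectors_per_fat, _spt, _heads, _hidden,
     total32) = struct.unpack_from(BPB_FORMAT, boot_sector, 11)
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("BPB reports a zero sector or cluster size")
    total_sectors = total16 or total32
    # The root directory is a fixed-size area between the FATs and the clusters.
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    root_start = reserved + num_fats * sectors_per_fat
    file_area_start = root_start + root_dir_sectors
    return {
        "sector_size": bytes_per_sector,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
        "sector_range": (0, total_sectors - 1),
        "fat_range": (reserved, root_start - 1),
        # fsstat's "Data Area" for FAT starts at the root directory ...
        "data_area_range": (root_start, total_sectors - 1),
        "root_dir_range": (root_start, file_area_start - 1),
        # ... while cluster 2, the first file-storage cluster, starts here.
        "file_area_range": (file_area_start, total_sectors - 1),
    }


def cluster_to_sector(layout, cluster):
    """Map a FAT cluster number (numbering starts at 2) to its first sector."""
    if cluster < 2:
        raise ValueError("FAT cluster numbers start at 2")
    spc = layout["cluster_size"] // layout["sector_size"]
    return layout["file_area_range"][0] + (cluster - 2) * spc


if __name__ == "__main__":
    layout = parse_layout(build_boot_sector())
    for key, value in layout.items():
        print(f"{key:>16}: {value}")
    print("cluster 2 starts at sector", cluster_to_sector(layout, 2))
```

Note that fsstat's "Data Area" for FAT begins at the root directory (sector 19 here) while file clusters only begin at sector 33; keeping the two apart matters later, because cluster numbers and sector numbers are counted from different origins.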
0×3 Data layer analysis
Data layer analysis is, simply put, the analysis of the cluster-based data in the disk image. The data layer contains the actual content of files. The purpose of analyzing it is to find clues related to the target in the cluster data of the disk. The data is stored in a unit structure whose name differs between file systems.
We first extract the contents of the unallocated space to un.ls:
Then extract the ASCII strings from un.ls (or strings in another format as required):
D:\program\sleuthkit-win32-4.0.2\bin>strings -t d D:\un.ls > D:\str.str
Search the extracted strings for the target, and the content related to Jimmy Jungle is found:
The data content "Jimmy Jungle" is found; the first hit is located at position 2560 of the unallocated space area. We take address 2560 as the first clue for analysis.
From the fsstat output above, the cluster size is 512. Dividing 2612 by the cluster size shows that the data lies between the start of the fifth cluster and the start of the sixth, so the data block related to "Jimmy Jungle" is located in the fifth cluster of the unallocated space. Next, the blkcalc tool is used to calculate the sector location of this fifth cluster in the original image.
The calculation shows that the fifth unallocated cluster of image.dd is located at sector 38.
Extract the content of data unit 38 from the original DD image with blkcat, as in the figure below; with no other parameters, only one cluster is displayed by default.
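The data-layer chain above (blkls to dump unallocated space, strings -t d for offsets, integer division by the cluster size, blkcalc -u to map the unallocated unit back to an image sector, blkcat to read it) is re-implemented below as an added example, not code from the original article or from The Sleuth Kit. The image, the set of allocated sectors and the position of the "Jimmy Jungle" string are constructed so the example runs offline; only the layout numbers (512-byte clusters, file area starting at sector 33, 2880 sectors) come from the article, and the function names are the example's own.

```python
# Added example, not from the original article: the data-layer chain the
# article performs with TSK (blkls -> strings -t d -> cluster arithmetic ->
# blkcalc -u -> blkcat), re-implemented on a constructed image.
SECTOR_SIZE = 512
CLUSTER_SIZE = 512        # fsstat: one sector per cluster
FILE_AREA_START = 33      # fsstat: first sector holding file data
TOTAL_SECTORS = 2880      # sectors 0-2879
NEEDLE = b"Jimmy Jungle"


def build_image():
    """Constructed DD image: all zero except the clue planted in sector 38 at
    byte 52, so the blkls offset comes out as 5*512 + 52 = 2612 when the
    sectors before it are unallocated."""
    image = bytearray(TOTAL_SECTORS * SECTOR_SIZE)
    where = 38 * SECTOR_SIZE + 52
    image[where:where + len(NEEDLE)] = NEEDLE
    return bytes(image)


def blkls(image, allocated, start=FILE_AREA_START):
    """Equivalent of `blkls image.dd`: concatenate every unallocated data unit."""
    return b"".join(
        image[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE]
        for s in range(start, TOTAL_SECTORS) if s not in allocated)


def find_offsets(data, needle):
    """Equivalent of `strings -t d un.ls | grep needle`: decimal byte offsets of hits."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def unallocated_cluster(offset, cluster_size=CLUSTER_SIZE):
    """Which unallocated cluster an offset in the blkls output falls into
    (integer division: 2612 // 512 == 5, i.e. between cluster 5 and 6)."""
    return offset // cluster_size


def blkcalc_u(index, allocated, start=FILE_AREA_START):
    """Equivalent of `blkcalc -u N image.dd`: the image sector of the N-th
    unallocated data unit, counting from zero and skipping allocated ones."""
    seen = 0
    for sector in range(start, TOTAL_SECTORS):
        if sector in allocated:
            continue
        if seen == index:
            return sector
        seen += 1
    raise IndexError(f"unallocated unit {index} is beyond the end of the image")


def blkcat(image, sector, count=1):
    """Equivalent of `blkcat image.dd SECTOR [COUNT]`: raw bytes of data units."""
    return image[sector * SECTOR_SIZE:(sector + count) * SECTOR_SIZE]


def trace_clue(allocated=frozenset()):
    """Run the whole chain; return (offset in un.ls, unallocated cluster,
    image sector, whether blkcat of that sector really contains the clue)."""
    image = build_image()
    un_ls = blkls(image, allocated)
    offset = find_offsets(un_ls, NEEDLE)[0]
    cluster = unallocated_cluster(offset)
    sector = blkcalc_u(cluster, allocated)
    return offset, cluster, sector, NEEDLE in blkcat(image, sector)


if __name__ == "__main__":
    print(trace_clue())                     # (2612, 5, 38, True)
    # If sectors 33 and 35 were allocated, the clue would sit earlier in un.ls
    # (offset 1588, unallocated cluster 3) but blkcalc still maps it to sector 38.
    print(trace_clue(allocated={33, 35}))
```

The second call shows why the blkcalc step cannot be skipped: an offset in un.ls counts only unallocated units, so the same physical sector gets a different unallocated index as soon as any earlier unit is allocated. Always confirm the mapping by reading the sector back with blkcat, as the article does, before building on it.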
0×4 Inode layer analysis
Let's start with the file system inode. To the system, a file name is just an alias that is easier to recognize than the inode number. On the surface, the user opens a file by its name; internally, the system does this in three steps: first, it finds the inode number corresponding to the file name; second, it obtains the inode information through the inode number; finally, according to the inode information, it finds the blocks where the file data is stored and reads the data out.
Through the inode layer, we understand the relationship between the data storage units and the file's attribute information.
We use the ifind tool to find the location of the file metadata corresponding to the sector number in the data area:
According to the above command, the metadata of this file is located in the fifth metadata structure unit.
Next, we use the istat tool to output the inode information of this file:
0×5 File layer analysis
File layer analysis mainly collects the specific content of the file according to the inode information.
From the information provided by the inode layer, this file is a document with the suffix .doc, 20480 bytes in size, occupying 40 sectors in total, sectors 33-72. The sectors occupied are the following:
Extract this content and save it as a Word file.
At this point, a complete document has been extracted from the information obtained at each layer.
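The inode-layer and file-layer steps (ifind to go from a sector to the metadata entry, istat to list the sectors, then copying those sectors out as a .doc) are shown below by hand on a FAT12 image, as an added example that is not code from the original article or from The Sleuth Kit. The deleted directory entry, its contents and the image are constructed; the sizes and sector numbers (20480 bytes, sectors 33-72, clue in sector 38) follow the article. The "inode" numbers here are positions in the root directory, not TSK's own numbering scheme, and the function names are the example's own.

```python
# Added example, not from the original article: ifind / istat / file extraction
# done by hand on a constructed FAT12 image.
import os
import struct
import tempfile

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 1
ROOT_DIR_START, ROOT_DIR_SECTORS = 19, 14   # fsstat: root directory 19-32
FILE_AREA_START = 33                         # fsstat: cluster 2 begins here
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # header of a binary .doc (OLE2 compound file)


def make_dir_entry(name83, size, start_cluster, deleted=False):
    """Constructed 32-byte FAT directory entry (8.3 name, attrs, start cluster, size)."""
    e = bytearray(32)
    e[0:11] = name83.ljust(11).encode("ascii")
    if deleted:
        e[0] = 0xE5                       # FAT marks a deleted entry by overwriting byte 0
    e[11] = 0x20                          # archive attribute
    struct.pack_into("<H", e, 26, start_cluster)  # first cluster (low word)
    struct.pack_into("<I", e, 28, size)           # file size in bytes
    return bytes(e)


def build_image():
    """Constructed image: a deleted JIMMY.DOC entry in the root directory whose
    20480 bytes of content still sit in sectors 33-72, clue in sector 38."""
    image = bytearray(2880 * SECTOR_SIZE)
    entry = make_dir_entry("JIMMY   DOC", 20480, 2, deleted=True)
    root = ROOT_DIR_START * SECTOR_SIZE
    image[root:root + 32] = entry
    content = bytearray(20480)
    content[0:len(OLE2_MAGIC)] = OLE2_MAGIC
    content[5 * SECTOR_SIZE + 52:5 * SECTOR_SIZE + 64] = b"Jimmy Jungle"
    image[33 * SECTOR_SIZE:33 * SECTOR_SIZE + 20480] = content
    return bytes(image)


def parse_dir_entries(image):
    """Walk the fixed root directory and yield (index, entry dict) for used slots."""
    start = ROOT_DIR_START * SECTOR_SIZE
    end = start + ROOT_DIR_SECTORS * SECTOR_SIZE
    for index, off in enumerate(range(start, end, 32)):
        raw = image[off:off + 32]
        if raw[0] == 0x00:
            break                          # end of directory
        if raw[11] == 0x0F:
            continue                       # long-file-name slot, skip
        deleted = raw[0] == 0xE5
        # The first byte of a deleted name is lost; show it as "_" like TSK does.
        name = ("_" if deleted else chr(raw[0])) + raw[1:8].decode("latin-1").rstrip()
        ext = raw[8:11].decode("latin-1").rstrip()
        start_cluster = struct.unpack_from("<H", raw, 26)[0]
        size = struct.unpack_from("<I", raw, 28)[0]
        yield index, {"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
                      "size": size, "start_cluster": start_cluster}


def sectors_of(entry):
    """istat-style sector list. A deleted file's FAT chain has been cleared, so
    the clusters are assumed contiguous from the start cluster (TSK assumes the same)."""
    first = FILE_AREA_START + (entry["start_cluster"] - 2) * SECTORS_PER_CLUSTER
    count = -(-entry["size"] // SECTOR_SIZE)      # ceiling division
    return list(range(first, first + count))


def ifind(image, sector):
    """`ifind -d SECTOR` equivalent: the directory entry whose data run covers the sector."""
    for index, entry in parse_dir_entries(image):
        if sector in sectors_of(entry):
            return index, entry
    return None


def carve(image, entry):
    """File-layer step: copy the occupied sectors and trim to the recorded size."""
    secs = sectors_of(entry)
    return image[secs[0] * SECTOR_SIZE:(secs[-1] + 1) * SECTOR_SIZE][:entry["size"]]


def recover_doc(image, sector):
    """Whole chain: sector -> entry -> sector list -> bytes, plus a header sanity check."""
    index, entry = ifind(image, sector)
    secs = sectors_of(entry)
    data = carve(image, entry)
    return {"inode": index, "name": entry["name"], "sectors": (secs[0], secs[-1]),
            "count": len(secs), "size": len(data),
            "looks_like_doc": data.startswith(OLE2_MAGIC)}


if __name__ == "__main__":
    image = build_image()
    print(recover_doc(image, 38))
    out = os.path.join(tempfile.gettempdir(), "recovered_jimmy.doc")
    with open(out, "wb") as fh:
        fh.write(carve(image, ifind(image, 38)[1]))
    print("written to", out)
```

The contiguity assumption in sectors_of is the weak point of recovering deleted FAT files: once the FAT chain is cleared, neither TSK nor this example can know whether the file was fragmented, so the carved 40 sectors should be validated (here by checking the OLE2 header, and in practice by opening the document) rather than trusted just because the size matches.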
0×6 Summary
Through the above steps we can see how the clues found at each level feed the next, and how the final result is reached by correlating them. Beyond the disk-based forensics shown here, there are many forensic techniques for other types of data, and many ways of carrying them out. This is the simplest example of disk data analysis; I hope it offers a systematic way of thinking about and learning disk forensic analysis. At present, electronic forensics technology is developing faster and faster, and it has extended from PC forensics to mobile terminals. In the future, electronic forensics will become an important branch of information security. Nstrt will continue to introduce other forensic techniques in future technology sharing.
The copyright of this article belongs to the nstrt team; it was written by team member East. If you find this article useful, you can share it with your friends. We also hope more people will follow our WeChat official account trt917 and the NSTRT team micro-blog, where we regularly share information security knowledge that we hope will help you.
[Author: nstrt (team account). This is an article in the FreeBuf original reward program and may not be reproduced without permission.]