Monday, March 11, 2013

Mac File System

Hierarchical File System Plus (HFS+)
  • Replaced HFS.
  • Addresses allocation blocks with 32-bit numbers instead of the 16-bit numbers HFS used, which is what allows much larger volumes and files.
  • Mac OS X is built on a core called Darwin, which is derived from BSD Unix.
  • Mac OS X is therefore Unix based.
  • The primary difference between HFS and HFS+ is the number of allocation blocks a volume can have: HFS is limited to 65,535 (2^16) blocks per volume, while HFS+ raised the limit to about 4 billion (2^32).
  • Because a volume can be divided into many more blocks, HFS+ can use smaller allocation blocks on large volumes, resulting in more efficient disk use (less slack at the end of each file).
  • Macintosh file systems keep most of their information in the Catalog File and the Extents Overflow File.
Technologies
  • Bonjour
  • Filevault
  • Spotlight
  • Target Disk Mode
  • Bootcamp
File Manager
  • A system component that handles reading, writing, and storing data on the physical media.
  • It also maintains the HFS/HFS+ structures and manipulates files, directories, and other items on behalf of applications.
The Finder
  • Another Mac component, the one that presents files to the user and maintains the user's desktop.
HFS & HFS+
  • Each file consists of two "forks":
    • Data Fork - where the file's contents are stored. Typically contains the data the user creates.
    • Resource Fork - where file metadata and application resources (icons, menus, code segments) are stored.
      • If a Mac file is copied to a file system that doesn't support resource forks, the fork is either lost or, when Mac OS X performs the copy, preserved as a hidden AppleDouble file named "._<filename>" next to the data file.
      • Can best be equated to Windows Alternate Data Streams.
(B. Nelson, 2010)

    • Example: A word processing file might store its text in the data fork, while storing any embedded images in the same file's resource fork.
    • Resource forks are used mostly by executables, but every file is able to have a resource fork.
    • Either fork can be empty. Because the File Manager handles all reading and writing of files, it can access both forks.
    • Resource forks are sometimes used to store metadata about a file, although they can also hold actual data.
      • Note that the Macintosh file systems also have a separate area for metadata, distinct from either the data or resource fork: the file's entry in the catalog. Because it is part of the catalog record, it is much faster to access.
      • Catalog File: holds the catalog nodes, with the timestamps and other metadata for every file and folder.
        • It is a B-tree that contains records for all the files and directories stored on a volume.
        • HFS+ uses larger records than HFS, allowing more fields and larger fields (for example Unicode file names of up to 255 characters instead of 31).
      • Extents Overflow File: another B-tree that records the allocation blocks assigned to each file as extents (a starting block plus a block count). Each file record in the Catalog File can hold eight extents per fork (HFS held three); once those are used, additional extents are recorded in the Extents Overflow File, so locating a heavily fragmented file means consulting both trees.
      • So resource forks and catalog records can both contain metadata about a file.
Mac Volumes
  • A volume is any storage medium used to store files.
  • It can take up part or all of a storage medium (one partition of a disk, or the whole disk).
  • Volumes are described in terms of allocation blocks and logical blocks.
  • Logical block: the unit in which the underlying device is addressed, 512 bytes in HFS (one disk sector).
    • When you save a file, the File Manager assigns the file to allocation blocks (each a group of consecutive logical blocks).
  • Allocation Blocks: HFS divides the total space on a volume into equal-sized pieces called allocation blocks. On small volumes an allocation block is a single logical block.
    • In HFS+ allocation block numbers are stored as 32-bit integers, and 4 KiB is a common block size (HFS itself only has 16-bit block numbers).
    • As volumes increase in size, an allocation block may have to span many logical blocks (HFS has only 65,535 block numbers to spend), and the larger the block, the more unused space is wasted at the end of each file.
    • More allocation blocks (as in HFS+) means a smaller allocation block size,
      • which in turn leaves less wasted space, and also allows more files on the volume.
  • Allocation File: keeps track of which allocation blocks are free and which are in use, one bit per allocation block. It replaces the Volume Bitmap of HFS.
    • Unlike the HFS Volume Bitmap, the HFS+ Allocation File is stored as a regular file; it does not occupy a reserved area near the beginning of the volume, so it can grow if the volume is resized.
      • It tracks each block on the volume to determine which blocks are in use and which are available to receive data.
  • Volume Header: stores a wide variety of data about the volume itself, for example the allocation block size and the total and free block counts,
    • timestamps that indicate when the volume was created, modified, backed up and last checked, and the locations (as fork data with extents) of the other volume structures such as the Catalog File and Extents Overflow File.
    • The Volume Header is always located in the same place: 1024 bytes from the start of the volume, immediately after the two 512-byte boot blocks.
The Volume Format:
(Figure: Ryan R. Kubasiak, Sean Morrissey, 2009)
Reading the layout from top to bottom is reading the volume from beginning to end. At offset 0 (the beginning) are the Boot Blocks, 1024 bytes historically used to boot the classic Mac OS, followed by the Volume Header at byte 1024, then the allocation blocks holding the Allocation, Extents Overflow, Catalog, Attributes and Startup files together with the user data, and finally the Alternate Volume Header in the last 1024 bytes of the volume (a 512-byte copy of the header followed by 512 reserved bytes).
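As an added example (not code from the page's author or the cited books), the Python below parses the 512-byte Volume Header described above against a small volume image that the script constructs itself. It reads the fields an examiner usually looks at first (signature, block size and counts, the journaled and cleanly-unmounted flags, the 1904-epoch timestamps), converts the Catalog File's extents into byte offsets on the volume, and confirms that the Alternate Volume Header 1024 bytes before the end matches the primary. Field offsets follow Apple's published HFSPlusVolumeHeader structure; the dates, counts and extent positions in the sample are made up for the demonstration.

```python
"""Parse an HFS+ Volume Header and the fork descriptors that locate the
special files.  Layout follows Apple's published HFSPlusVolumeHeader struct
(Technical Note TN1150); all multi-byte fields are big-endian.  The sample
volume is constructed in build_sample_volume(), it is not a real disk image."""
import struct
from datetime import datetime, timedelta

HFS_EPOCH = datetime(1904, 1, 1)        # HFS/HFS+ dates: seconds since 1904-01-01
VH_OFFSET = 1024                        # header sits right after the two boot blocks
VH_FIXED = ">HH" + "I" * 17 + "Q8I"     # the 112 fixed bytes before the fork data
FORK = ">QII" + "II" * 8                # logicalSize, clumpSize, totalBlocks, 8 extents
SPECIAL_FILES = ["allocation", "extents", "catalog", "attributes", "startup"]

def hfs_date(secs):
    return HFS_EPOCH + timedelta(seconds=secs)

def parse_fork(buf, off):
    v = struct.unpack_from(FORK, buf, off)
    extents = [(v[3 + 2 * i], v[4 + 2 * i]) for i in range(8)]
    return {"logical_size": v[0], "total_blocks": v[2],
            "extents": [e for e in extents if e[1]]}   # (startBlock, blockCount)

def parse_volume_header(volume, offset=VH_OFFSET):
    vh = volume[offset:offset + 512]
    if vh[:2] not in (b"H+", b"HX"):               # 'HX' = case-sensitive HFSX
        raise ValueError("no HFS+ signature at offset %d" % offset)
    f = struct.unpack_from(VH_FIXED, vh, 0)
    info = {
        "signature": vh[:2].decode(), "version": f[1],
        "unmounted_cleanly": bool(f[2] & (1 << 8)),   # kHFSVolumeUnmountedBit
        "journaled": bool(f[2] & (1 << 13)),          # kHFSVolumeJournaledBit
        "create_date": hfs_date(f[5]),   # stored in local time, the others in UTC
        "modify_date": hfs_date(f[6]), "checked_date": hfs_date(f[8]),
        "file_count": f[9], "folder_count": f[10],
        "block_size": f[11], "total_blocks": f[12], "free_blocks": f[13],
    }
    for i, name in enumerate(SPECIAL_FILES):         # five HFSPlusForkData, 80 bytes each
        info[name] = parse_fork(vh, 112 + 80 * i)
    return info

def extent_byte_ranges(info, name):
    """Translate a special file's extents into (byte offset, length) on the volume."""
    bs = info["block_size"]
    return [(start * bs, count * bs) for start, count in info[name]["extents"]]

def alternate_header_matches(volume):
    """The Alternate Volume Header is a copy kept 1024 bytes before the end of the volume."""
    primary = volume[VH_OFFSET:VH_OFFSET + 512]
    return primary == volume[len(volume) - 1024:len(volume) - 512]

def pack_fork(total_blocks, block_size, *extents):
    ext = list(extents) + [(0, 0)] * (8 - len(extents))
    flat = [v for e in ext for v in e]
    return struct.pack(FORK, total_blocks * block_size, block_size, total_blocks, *flat)

def build_sample_volume(block_size=4096, total_blocks=2048):
    """Constructed 8 MiB volume: journaled, cleanly unmounted, catalog split in two extents."""
    created = int((datetime(2013, 3, 11, 9, 30) - HFS_EPOCH).total_seconds())
    fixed = struct.pack(VH_FIXED, 0x482B, 4, (1 << 13) | (1 << 8), 0x3130302E, 3,
                        created, created + 60, 0, created + 60, 12, 3,
                        block_size, total_blocks, 1900, 130, 65536, 65536, 30, 1, 1,
                        *([0] * 8))
    vh = (fixed + pack_fork(1, block_size, (1, 1)) + pack_fork(4, block_size, (2, 4))
          + pack_fork(8, block_size, (40, 4), (120, 4))
          + pack_fork(0, block_size) + pack_fork(0, block_size))
    assert len(vh) == 512
    vol = bytearray(block_size * total_blocks)
    vol[VH_OFFSET:VH_OFFSET + 512] = vh
    vol[len(vol) - 1024:len(vol) - 512] = vh     # alternate volume header
    return bytes(vol)
```

On a real image, read 512 bytes at offset 1024 of the partition (not of the whole disk) and pass them in the same way; if the primary header fails the signature check, parse_volume_header() will accept the offset of the alternate header instead.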

Additional Terms
HFS Wrapper: an HFS+ volume embedded inside a plain HFS volume, so that older Mac OS versions that only understand HFS still recognize the disk (and can show a "needs a newer system" message) instead of offering to reformat it.
Startup File: a special file that lets a system other than Mac OS boot from an HFS+ volume without having to parse the Catalog File; its location is recorded in the Volume Header.
Alternate Volume Header: a copy of the Volume Header stored 1024 bytes before the end of the volume; disk repair utilities use it as a backup if the primary header is corrupt.
Inodes: the central location for data shared between hard links on a volume. HFS+ implements hard links as small link files that all point at one indirect node file kept in a hidden private directory.
Property lists (plist): the greatest source of information for settings and configuration. They are stored either as XML text files or in a binary format (bplist), so some must be converted (for example with plutil) before they can be read as text. They contain strings, numbers, dates and encoded binary data. (I will discuss examination of these valuable files at a later time.)
Keychain: Apple's password management system, which also stores other types of secrets: passwords for websites, FTP servers and SSH accounts, keys for encrypted disk images, and certificates. A keychain is itself encrypted with a key derived from the user's login password.

Sources
Guide to Computer Forensics and Investigations, 2010
Wikipedia: http://en.wikipedia.org/wiki/HFS_Plus
Handbook of Digital Forensics and Investigations, 2010
Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit, 2009
Thursday, March 7, 2013

Windows File System

Filesystems

Windows
  • FAT12: used for floppy disks and other very small media.
  • FAT16: supports disk partitions with a maximum capacity of 2 GB (as formatted by DOS and Windows 9x).
  • FAT32: supported from Windows 95 OSR2 onward, including XP and Vista; still the usual file system on USB flash drives and memory cards.
  • NTFS: offers significant improvements over the FAT file systems. It stores more information about a file, such as file ownership and permissions, along with more control over files and folders. NTFS is a journaling file system: it logs the metadata changes it is about to make (deleting, renaming, extending) so the volume can be brought back to a consistent state after a crash. Everything on an NTFS volume, including the metadata structures themselves, is a file.
  • Keeps track of many file timestamps: Created, Modified, Accessed, and MFT-entry Modified (the "MACE" times in $STANDARD_INFORMATION). $FILE_NAME carries a second copy of the same four, which the normal file APIs do not update, so it is harder to tamper with.
  • Compression, auditing, and encryption with EFS (data is encrypted as it is written to disk and transparently decrypted when read by a user who holds the file's key).
  • There is less file slack space in NTFS, because it defaults to small (4 KB) clusters and stores very small files inside their MFT records.
  • The Master File Table (MFT) is the first file on the volume (record 0, $MFT). It contains an entry for every file and directory on the volume, including itself. The MFT is created when a partition is formatted as an NTFS volume.
  • Resident or non-resident data: an MFT record is normally 1024 bytes. If a file's data fits in the space left in its record (on the order of 700 bytes after the other attributes) it is stored in the record itself (resident); anything larger is written to clusters outside the MFT and the record holds only the cluster list (non-resident).
  • The first structure on the volume is the Partition Boot Sector (sector 0, the $Boot file), which records the cluster size and the starting cluster of the MFT; the MFT itself usually sits a short way into the volume rather than immediately after the boot sector.
 

NTFS volume layout (components in on-disk order, with a description of each):
  • NTFS Boot Sector: contains the BIOS parameter block, which stores information about the layout of the volume and the file system structures, as well as the boot code that loads Windows (the source describes Windows Server 2003).
  • Master File Table: contains the information necessary to retrieve files from the NTFS partition, such as the attributes of each file.
  • File System Data: stores data that is not contained within the Master File Table (the clusters of non-resident files).
  • Master File Table Copy ($MFTMirr): a copy of the first MFT records, the ones describing the metadata files, kept elsewhere on the volume so the file system can be recovered if the original records are damaged.
Here is a link that shows how the Master File Table is constructed, including the NTFS metafiles: http://www.writeblocked.org/resources/NTFS_CHEAT_SHEETS.pdf
  • The MFT can expand but it never contracts. This matters to computer forensic investigators because it affects the recovery of data and the identification of deleted files: a freed record stays in the table until it is reused.
  • When a file is deleted, the MFT entry's in-use flag is cleared and the entry is marked as available for reuse. The entry, its attributes and (for a resident file) its data continue to exist until they are overwritten by a new file (unallocated to allocated).
  • [Visual of the data clusters: image not reproduced here.]
  • Data hiding techniques take advantage of unused areas such as these, and of clusters that are fraudulently marked as bad in $BadClus so that the file system never allocates them.
  • Tools such as The Sleuth Kit, among many others, can list the clusters recorded in $BadClus and check them for hidden data.
  • Recovering file content from unallocated or hidden clusters by its signatures, without relying on the file system, is known as data carving, which I won't be discussing here.
NTFS Journaling:
  • NTFS uses $LogFile to record the metadata changes that occur on a volume before they are applied.
  • This ensures that when data is moved or renamed, the file system remains consistent even if the operation is interrupted.
  • The USN Journal ($Extend\$UsnJrnl) records a change record for every change to every file, stream and directory on the volume, including changes to their attributes and security settings. It records that a change happened and what kind, not the changed bytes themselves.
NTFS Data Streams:
  • Also known as Alternate Data Streams (ADS); added to NTFS for compatibility with Macintosh forks (Services for Macintosh). They are more of an anti-forensics concern, so I'll save that conversation for data hiding.
  • Every file has one unnamed $DATA attribute (its normal contents), but NTFS allows a file to carry any number of additional, named $DATA streams.
  • Data in a named stream is not displayed by Windows Explorer or by a plain "dir"; "dir /r" (Vista and later) and stream-aware tools do list it.
$LogFile:
  • Can be considered a recovery log (in case of a crash).
  • It contains copies of MFT records as they were before and after a change (each showing the file record header, the $STANDARD_INFORMATION attribute, the $FILE_NAME attribute, and any resident data). Search for the string "FILE0" to find them: every MFT record begins with the signature "FILE", and the two bytes that follow, the update sequence array offset 0x0030, make the run of bytes appear as "FILE0" in a hex dump.
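The following Python example is added here and is not taken from the page's sources. It builds one constructed MFT record and parses it back, covering the points made above: the "FILE" signature and the update sequence fixups that must be undone before anything else in the record is trusted, the in-use flag that deletion clears, the four $STANDARD_INFORMATION timestamps, the name from $FILE_NAME, resident versus non-resident $DATA, the data runs (including a sparse run) that map a non-resident file onto clusters, and a named alternate data stream that a plain directory listing would not show. Attribute layouts follow the public NTFS on-disk format; the file name, timestamps, cluster numbers, record number 42, USN 7 and the "Zone.Identifier" stream content are sample values chosen for the demonstration.

```python
"""Build and parse a 1024-byte NTFS MFT record: FILE signature, update-sequence
fixups, in-use flag, $STANDARD_INFORMATION times, $FILE_NAME, and every $DATA
stream.  The record is constructed below, it is not taken from a real volume."""
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)   # FILETIME: 100 ns ticks since 1601-01-01 UTC
CLUSTER, RECORD_SIZE, FIRST_ATTR = 4096, 1024, 56
# Sample data runs.  Header nibbles = byte widths of (length, signed LCN delta):
# 8 clusters at LCN 0x1234, 4 sparse clusters (no offset bytes), 3 clusters at
# LCN 0x0800 (delta -2612 = ffff f5cc), then the 0x00 terminator.
SAMPLE_RUNS = bytes.fromhex("41 08 34 12 00 00  01 04  41 03 cc f5 ff ff  00")

def align8(n):
    return (n + 7) & ~7

def filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def resident_attr(atype, content, name=""):
    nb = name.encode("utf-16-le")
    coff = align8(24 + len(nb))                   # content follows the optional name
    length = align8(coff + len(content))
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, len(name), 24, 0, 0,
                      len(content), coff, 0, 0)
    return (hdr + nb).ljust(coff, b"\0") + content.ljust(length - coff, b"\0")

def nonresident_attr(atype, runs, last_vcn, alloc, real, flags=0):
    length = align8(64 + len(runs))               # runs start at 64 for an unnamed attribute
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", atype, length, 1, 0, 64, flags, 0,
                      0, last_vcn, 64, 0, 0, alloc, real, real)
    return (hdr + runs).ljust(length, b"\0")

def decode_runs(buf):
    """Walk the data runs; None as LCN marks a sparse run that owns no clusters."""
    runs, pos, lcn = [], 0, 0
    while buf[pos]:
        ln, on = buf[pos] & 0xF, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + ln], "little")
        if on:
            lcn += int.from_bytes(buf[pos + 1 + ln:pos + 1 + ln + on], "little", signed=True)
        runs.append((lcn if on else None, count))
        pos += 1 + ln + on
    return runs

def apply_fixups(raw):
    """Undo the update sequence: the last two bytes of each 512-byte sector must
    equal the USN (else the write was torn) and are restored from the array."""
    rec = bytearray(raw)
    usa, count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa:usa + 2]
    for i in range(1, count):
        if rec[i * 512 - 2:i * 512] != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        rec[i * 512 - 2:i * 512] = rec[usa + 2 * i:usa + 2 * i + 2]
    return bytes(rec)

def build_sample_record(in_use=True):
    ft = filetime(datetime(2013, 3, 7, 14, 5, 0))
    std = struct.pack("<QQQQIIII", ft, ft, ft, ft, 0x20, 0, 0, 0)     # MACE times + DOS attrs
    name = "report.docx"
    fname = (struct.pack("<Q", (5 << 48) | 5)                           # parent = root (record 5)
             + struct.pack("<QQQQQQII", ft, ft, ft, ft, 45056, 60000, 0x20, 0)
             + bytes([len(name), 1]) + name.encode("utf-16-le"))        # namespace 1 = Win32
    zone = b"[ZoneTransfer]\r\nZoneId=3\r\n"                            # a common real-world ADS
    attrs = (resident_attr(0x10, std) + resident_attr(0x30, fname)
             + nonresident_attr(0x80, SAMPLE_RUNS, 14, 11 * CLUSTER, 60000, flags=0x8000)
             + resident_attr(0x80, zone, "Zone.Identifier") + b"\xff\xff\xff\xff\0\0\0\0")
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 48, 3, 0, 7, 1, FIRST_ATTR, 1 if in_use else 0,
                                FIRST_ATTR + len(attrs), RECORD_SIZE, 0, 5, 0, 42)
    rec = bytearray((hdr.ljust(FIRST_ATTR, b"\0") + attrs).ljust(RECORD_SIZE, b"\0"))
    rec[48:50] = b"\x07\x00"                      # USN; sector tails go to the USA, USN replaces them
    for i in (1, 2):
        rec[48 + 2 * i:50 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = rec[48:50]
    return bytes(rec)

def parse_mft_record(raw):
    if raw[:4] != b"FILE":      # followed by USA offset 0x0030, so hex dumps show "FILE0"
        raise ValueError("no FILE signature")
    rec = apply_fixups(raw)
    first, flags = struct.unpack_from("<HH", rec, 20)
    info = {"record": struct.unpack_from("<I", rec, 44)[0], "in_use": bool(flags & 1),
            "directory": bool(flags & 2), "name": None, "times": None, "streams": []}
    pos = first
    while struct.unpack_from("<I", rec, pos)[0] != 0xFFFFFFFF:
        atype, alen, nonres, nlen, noff, aflags = struct.unpack_from("<IIBBHH", rec, pos)
        aname = rec[pos + noff:pos + noff + 2 * nlen].decode("utf-16-le")
        if nonres:
            run_off, size = struct.unpack_from("<H", rec, pos + 32)[0], struct.unpack_from("<Q", rec, pos + 48)[0]
            content, runs = None, decode_runs(rec[pos + run_off:pos + alen])
        else:
            clen, coff = struct.unpack_from("<IH", rec, pos + 16)
            content, runs, size = rec[pos + coff:pos + coff + clen], None, clen
        if atype == 0x10:
            keys = ("created", "modified", "mft_modified", "accessed")
            info["times"] = dict(zip(keys, map(from_filetime, struct.unpack_from("<QQQQ", content))))
        elif atype == 0x30:
            info["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        elif atype == 0x80:
            info["streams"].append({"name": aname, "resident": not nonres, "size": size,
                                    "runs": runs, "sparse": bool(aflags & 0x8000), "content": content})
        pos += alen
    return info
```

Against a real $MFT, feed parse_mft_record() each 1024-byte slice in turn; records whose in_use flag is clear but that still carry a $FILE_NAME are the deleted files the notes above describe, and any $DATA entry with a non-empty name is an alternate data stream.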
INDX Records:
  • The index records ($INDEX_ROOT and $INDEX_ALLOCATION attributes, named $I30) that hold a directory's listing. Each entry carries a copy of the child's $FILE_NAME attribute, and slack space in the INDX buffers can retain entries for files that have since been deleted.
Sparse Files:
  • To save space.
  • Ranges of a file that contain only zeros are not written to disk: the data runs of the file's $DATA attribute record them as runs with a length but no cluster offset, and NTFS returns zeros when they are read. Only the parts of the file that actually contain data occupy clusters.
  • This is a form of data compression (a sparse $DATA attribute carries flag 0x8000 in its header).
Reparse Points:
  • These are files or directories that essentially function as links; the $REPARSE_POINT attribute holds a tag saying what kind of link it is and the data (for example the target path) that says where it points.
  • Linking files to files, or directories to directories. Not every link is a reparse point: a hard link is just an additional $FILE_NAME attribute in the same MFT record (two names, one record), while symbolic links and junctions (soft links) are reparse points with their own MFT record.
  • They let a file system filter driver attach extra processing to a file or directory without changing the directory structure itself.
  • Reparse points are used to implement: Volume Mount Points, Directory Junctions, Hierarchical Storage Management, Native Structured Storage, Single Instance Storage, and Symbolic Links.
  • Volume Mount Points: used to mount other volumes and provide an entry point to them at a directory on this volume, referencing the root directory of the mounted volume.
    • Volume Shadow Copies: "snapshots" of the files on a volume. Users can access these copies to recover accidentally deleted or overwritten files without needing a backup.
    • You can also use these copies to compare earlier versions with the current files.
The following areas of the Windows file system will be discussed in depth at a later time.

FAT File Deletion: the OS overwrites the first byte of the file's directory entry with 0xE5; the rest of the entry, and the data clusters, are left in place until reused.
NTFS File Deletion: the file's record in $MFT is flagged as not in use (the $MFT's own $BITMAP attribute now shows the record as free), and $Bitmap is updated so that the clusters the file occupied are unallocated and ready for reuse.
Encrypting File Systems: BitLocker (full-volume encryption) is available from Vista onward, including Windows 7; EFS is the per-file encryption built into NTFS.
Application Analysis
Swap or File Slack Analysis
Volume Analysis
Registry Analysis
NTFS metadata file analysis: such as whether a file is deleted or not, whether it is resident or non-resident, and which timestamps get updated when a file or folder is copied, moved, or written to.

Sources
Guide to Computer Forensics and Investigations, 3rd ed.
Handbook of Digital Forensics and Investigations.
Wikipedia.