Week 5 - File Analysis Flashcards
Name the common file systems and the operating systems they run on
FAT - File Allocation Table - older Windows; now mostly used on removable media (USB sticks, SD cards)
NTFS - New Technology File System - Windows
EXT - Extended File System (ext2/ext3/ext4) - Linux
HFS - Hierarchical File System (and its successor HFS+) - older Mac OS / macOS
APFS - Apple File System - current macOS and iOS
Why can’t we just view / analyse the HDD using windows explorer (or similar)?
This would not be forensically sound.
Viewing the drive in Explorer means mounting the file system: the process by which the computer's operating system makes the files and directories on a volume available to users and programs. Mounting can alter the evidence (for example by updating timestamps or writing to the file system journal), so the original must never be handled this way. Even if you mounted it read-only you would only see the live (allocated) files; deleted files, unallocated space and file slack would stay invisible. Instead, take a forensic image of the disk and examine the image with tools that parse the raw data directly.
Using TSK (The Sleuth Kit) commands (a command line toolkit)
When examining an image of a disk
mmls - gives info on DISK STRUCTURE (partition table: start sector, length and type of each partition; the start sector is what you pass with -o to the commands below)
fsstat - gives info on the FILE SYSTEM (type, block/cluster size, volume label; note the command is fsstat, not fstat)
fls - LISTS FILES and directories (deleted entries are marked with *; -r recurses, -d shows only deleted entries)
istat - gives file METADATA for an inode / MFT entry (timestamps, size, allocated blocks)
icat - EXTRACTS a FILE'S CONTENTS by inode number (redirect stdout to a file to recover it)
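The step that trips people up in this workflow is the partition offset: mmls reports it in sectors and every other TSK command needs it via -o, also in sectors. The following is an added example (not part of the original flashcards and not code from The Sleuth Kit) that parses a constructed sample of mmls output, works out the sector and byte offsets, and builds the fsstat/fls/istat/icat command lines; the image name disk.dd and inode 64 are hypothetical.

```python
"""Helper for the TSK workflow above: read the partition start sector out of
mmls output and build the fsstat/fls/istat/icat commands that need it.

Added example, not part of the original flashcards or of The Sleuth Kit.
SAMPLE_MMLS is constructed text in the layout mmls prints; the image name
'disk.dd' and the inode number 64 are hypothetical."""
import re
import shutil
import subprocess

# Constructed sample of `mmls disk.dd` output for a DOS/MBR partition table.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0000409599   0000202752   Linux (0x83)
"""

# One mmls table row: index, slot, start, end, length, description.
ROW = re.compile(r"^\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def sector_size(mmls_text):
    """Sector size from the 'Units are in N-byte sectors' line (512 if absent)."""
    m = re.search(r"Units are in (\d+)-byte sectors", mmls_text)
    return int(m.group(1)) if m else 512


def partitions(mmls_text):
    """(start_sector, length, description) for every real partition.
    The 'Meta' row and '-------' gaps are skipped: the gaps are unallocated
    disk space, which no file system tool can parse and carving has to cover."""
    found = []
    for line in mmls_text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue
        slot, start, _end, length, desc = m.groups()
        if slot in ("Meta", "-------"):
            continue
        found.append((int(start), int(length), desc.strip()))
    return found


def byte_offset(mmls_text, start_sector):
    """Byte offset of a partition, for tools that want bytes rather than sectors."""
    return start_sector * sector_size(mmls_text)


def tsk_commands(image, start_sector, inode):
    """Argument vectors for the TSK tools on one partition. -o is the offset
    in SECTORS; leaving it out (or passing bytes) makes TSK look for a file
    system at sector 0 of the image and fail, a very common first mistake."""
    off = ["-o", str(start_sector)]
    return {
        "fsstat": ["fsstat", *off, image],
        # -r: recurse into directories, -d: show only deleted entries
        "fls": ["fls", *off, "-r", "-d", image],
        "istat": ["istat", *off, image, str(inode)],
        # icat writes the file contents to stdout; redirect it to recover the file
        "icat": ["icat", *off, image, str(inode)],
    }


def run_if_installed(argv):
    """Run a TSK command when the tool is on PATH; otherwise return None so the
    example still runs on a machine without The Sleuth Kit installed."""
    if shutil.which(argv[0]) is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for start, length, desc in partitions(SAMPLE_MMLS):
        print(f"{desc}: start sector {start} (byte offset {byte_offset(SAMPLE_MMLS, start)}), {length} sectors")
        for argv in tsk_commands("disk.dd", start, 64).values():
            print("  ", " ".join(argv))
```

Run it against a real image by replacing SAMPLE_MMLS with the output of `mmls disk.dd`; the unallocated gap rows that partitions() skips are exactly the regions only data carving can examine.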
How can we recover files that are no longer recorded in the file system structure?
By DATA CARVING
Data carving works on the raw data (not the file system metadata): it scans for known file signatures (header bytes and, where the format has them, footer bytes) and reconstructs the files between them. It therefore recovers data that is not referenced by the file system at all.
Pros: it can find more files than forensic file system tools alone, because it also searches unallocated space and sometimes file slack. Cons: it is slower, it produces false positives (a signature byte pattern occurring by chance in unrelated data), and because it assumes a file is stored contiguously, fragmented files are often carved incorrectly.
This is in contrast to file recovery that uses the file system information remaining after a file has been deleted (the directory entry or MFT record marked as unused but not yet overwritten). This is quicker, but only works while that metadata survives.
Windows relies on the file extension to decide how to open a file, whereas Linux tools (e.g. the file command) identify a file from its signature. So an executable renamed with a .jpg extension can hide its type from Windows, and a mismatch between extension and signature is itself an indicator worth flagging.
List some common file signatures
JPG - FF D8 FF (start) & FF D9 (end)
DOC - D0 CF 11 E0 A1 B1 1A E1 (OLE compound document header; old XLS and PPT files share it)
ZIP - 50 4B 03 04 ("PK"; also DOCX/XLSX/PPTX, JAR and APK, which are ZIP containers)
EXE - 4D 5A ("MZ"; also DLL and other PE files)
MOV - 6D 6F 6F 76 ("moov", at offset 0x04 not 0x00, because the first 4 bytes of a QuickTime atom are its length)
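To tie the carving points and the signature list together, here is an added example (not from the original flashcards, and not PhotoRec or Scalpel code) of a minimal header/footer carver and a signature-based type check. RAW is a constructed byte string standing in for a chunk of unallocated space; the fake JPEG/ZIP/EXE/MOV bodies are just signatures plus filler and are not valid media. It shows the offset-4 MOV case, why footerless formats get over-carved, and how a stray FF D8 FF with no FF D9 after it shows up as a false positive.

```python
"""Signature-based data carver and file-type check for the signatures listed
above. Added example, not code from the original flashcards or from
PhotoRec/Scalpel; RAW is a constructed byte string standing in for unallocated
space, and the fake file bodies are not real JPEG/ZIP/EXE/MOV data."""

# Header (and footer where the format has one) per type, plus where in the
# file the header sits. DOC uses the full 8-byte OLE compound document header.
SIGNATURES = {
    "jpg": {"header": bytes.fromhex("FFD8FF"), "footer": bytes.fromhex("FFD9"), "offset": 0},
    "doc": {"header": bytes.fromhex("D0CF11E0A1B11AE1"), "footer": None, "offset": 0},
    "zip": {"header": bytes.fromhex("504B0304"), "footer": None, "offset": 0},
    "exe": {"header": bytes.fromhex("4D5A"), "footer": None, "offset": 0},
    "mov": {"header": b"moov", "footer": None, "offset": 4},  # first 4 bytes are the atom length
}

# Constructed fake files (signature plus filler, not valid media).
FAKE_JPG = bytes.fromhex("FFD8FFE000104A46494600") + b"\x01\x02\x03" * 8 + bytes.fromhex("FFD9")
FAKE_ZIP = bytes.fromhex("504B0304") + b"\x14\x00" + b"Z" * 30
FAKE_EXE = b"MZ" + b"\x90" * 30
FAKE_MOV = (28).to_bytes(4, "big") + b"moov" + b"M" * 20  # 28 = total atom length
# Three bytes that happen to look like a JPEG header with no image behind them.
FALSE_POS = bytes.fromhex("FFD8FF") + b"\x00" * 5

# Constructed stand-in for unallocated space: files separated by zeroed sectors.
RAW = (b"\x00" * 32 + FAKE_JPG + b"\x00" * 16 + FAKE_ZIP + b"\x00" * 16
       + FAKE_EXE + b"\x00" * 16 + FAKE_MOV + b"\x00" * 16 + FALSE_POS + b"\x00" * 32)


def identify(data):
    """Type whose signature matches at its offset; the file name is ignored."""
    for kind, sig in SIGNATURES.items():
        off = sig["offset"]
        if data[off:off + len(sig["header"])] == sig["header"]:
            return kind
    return None


def extension_mismatch(filename, data):
    """True when the extension Windows would trust disagrees with the signature."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real = identify(data)
    return real is not None and ext != real


def carve(raw, max_len=4096):
    """Scan raw bytes for every known header and return (kind, start, end, status).
    Types with a footer end at the first footer after the header; types without
    one are cut at max_len, which is why carved output often overlaps or needs
    trimming. A header with no footer after it is reported, not carved."""
    hits = []
    for kind, sig in SIGNATURES.items():
        pos = raw.find(sig["header"])
        while pos != -1:
            start = pos - sig["offset"]  # MOV: the file starts 4 bytes before "moov"
            if start >= 0:
                if sig["footer"] is not None:
                    foot = raw.find(sig["footer"], pos + len(sig["header"]))
                    if foot == -1:
                        hits.append((kind, start, None, "header without footer (false positive or truncated)"))
                    else:
                        hits.append((kind, start, foot + len(sig["footer"]), "ok"))
                else:
                    hits.append((kind, start, min(start + max_len, len(raw)), "no footer, cut at max_len"))
            pos = raw.find(sig["header"], pos + 1)
    # Short signatures such as the 2-byte MZ also match by chance in real data;
    # that is the false-positive cost the flashcards mention.
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for kind, start, end, status in carve(RAW, max_len=64):
        print(f"{kind:4} @ {start:4} -> {end}  ({status})")
    print("holiday.jpg really an EXE?", extension_mismatch("holiday.jpg", FAKE_EXE))
```

Note that if the stray FF D8 FF had come before the real JPEG, the carver would have paired it with the real footer and produced one oversized, corrupt file: the false positive does not just add noise, it can swallow a genuine hit, which is why carved output is always checked by opening or hashing it.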
List some data carving tools
PhotoRec (free, bundled with TestDisk)
Scalpel (open source, configured via a signature list)
EnCase (commercial forensic suite with carving built in)
FTK (commercial forensic suite with carving built in)
What are forensic artifacts
Forensic artifacts are particular files or data structures that an operating system or application creates as a side effect of use and that are often of interest to investigators.
Once we have recovered the files we need to analyse the artifacts.
There are lots of different types e.g:
Browser artifacts
Communication artifacts
Windows system artifacts
Browser artifacts
Can include things like cookies, history, bookmarks, passwords, downloads, email data (if web based)
Communication artifacts
Email, chat apps, VoIP and message history can be obtained
Windows System Artifacts
The Windows OS creates numerous artifacts, including the Windows Event Logs (stored as .evtx files under %SystemRoot%\System32\winevt\Logs):
APPLICATION log: events written by installed applications (errors, crashes, install and uninstall activity). Important for info on installed applications.
SYSTEM log: events logged by the OS and its components, incl. start-up, shutdown, driver and hardware failures.
SECURITY log: logon and logoff events, account management changes, and usage such as when files are accessed and deleted (object access events only appear if the corresponding audit policy is enabled)