Published by Enhelion, 2019-11-21 12:37:19

Module 3

MODULE 3 - INTRODUCTION TO FILE SYSTEMS

What is File System Forensics?
The process of identifying, collecting and analysing digital evidence from different types of
storage media is called file system forensics. The file system, an integral part of an operating
system, decides which sectors (grouped into clusters or blocks) of a storage medium hold each
file, so understanding its data structures is what lets an examiner find data that the operating
system no longer shows.

Investigating a storage medium
The following steps can be followed while performing the investigation of a storage medium:

1) Acquire a forensic image of the device in question using non-intrusive methods (a hardware
write-blocker or a read-only acquisition), and work only on exact copies of that image, never
on the original device.
2) Calculate hash values (for example MD5 and SHA-256) of the image and of every copy, compare
them to verify integrity, and record the hashes in the case notes.
3) Recover files and folders, including file fragments, and export them to a separate working
location.
4) Examine all files, including deleted files.
5) Review evidentiary objects such as the following carefully:

a) Slack space, bad sectors and free (unallocated) space.
b) Files belonging to software applications.
c) Data from printers, ancillary devices and digital cameras.
d) Graphic images, e-mails and games.
e) Network activity logs and internet chat logs.
f) Recycle Bin folders.
g) File date/time stamps and system objects.
h) Folders and files created by users.
i) Hidden data in temporary files, the registry and the page file.
6) Export the extracted evidence data to text files.
7) Search the evidence data for key strings (keywords).
8) Go over file notations (annotations).
9) Inspect for applications, or indications of the use, of file encryption, file deletion, file
hiding utilities or file compressors.

10) Based on the evidentiary data extracted and the investigation, prepare and document reports,
exhibits, expert findings and evidence summaries.
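Steps 1, 2 and 7 above (image, hash, keyword search) put into a small Python script. This is an
added example, not part of the original module or of any particular tool; the image it hashes and
searches is a tiny constructed file written to a temporary directory, and the 1 MiB chunk size is
an arbitrary assumption. It shows two things the steps leave implicit: an image must be processed
in chunks rather than read into memory, and a keyword search has to cover UTF-16LE as well as
ASCII and must not miss a string that happens to straddle a chunk boundary.

```python
import hashlib
import os
import tempfile

DEFAULT_CHUNK = 1 << 20   # 1 MiB read size (assumed) so multi-gigabyte images never need to fit in RAM


def hash_image(path, algorithms=("md5", "sha256"), chunk_size=DEFAULT_CHUNK):
    """Compute several digests of an image in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected, chunk_size=DEFAULT_CHUNK):
    """Recompute the digests recorded at acquisition time and check that every one still matches."""
    actual = hash_image(path, tuple(expected), chunk_size)
    return all(actual[name] == digest.lower() for name, digest in expected.items())


def keyword_offsets(path, keywords, chunk_size=DEFAULT_CHUNK):
    """Return sorted (offset, keyword, encoding) tuples for every occurrence of each keyword,
    searched both as ASCII and as UTF-16LE (the encoding of registry values, NTFS names and
    much Windows application data, which an ASCII-only search silently misses).
    The last (longest needle - 1) bytes of each chunk are carried into the next one, so a hit
    that straddles a chunk boundary is still found, and found only once."""
    needles = []
    for kw in keywords:
        needles.append((kw, "ascii", kw.encode("ascii")))
        needles.append((kw, "utf-16le", kw.encode("utf-16-le")))
    overlap = max(len(n) for _, _, n in needles) - 1
    hits = []
    base = 0          # file offset of the first byte of the current block
    tail = b""        # bytes carried over from the previous block
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            buf = tail + block
            for kw, enc, needle in needles:
                i = buf.find(needle)
                while i >= 0:
                    # A match lying entirely inside the carried tail was reported last time.
                    if i + len(needle) > len(tail):
                        hits.append((base - len(tail) + i, kw, enc))
                    i = buf.find(needle, i + 1)
            tail = buf[max(0, len(buf) - overlap):]
            base += len(block)
    return sorted(hits)


def build_sample_image(path):
    """Write a small constructed 'disk image' (not real evidence) used by demo()."""
    data = bytearray(200)
    data[20:28] = b"password"                       # plain ASCII hit
    data[60:68] = b"password"                       # straddles the 64-byte chunk boundary used in demo()
    data[100:112] = "secret".encode("utf-16-le")    # invisible to an ASCII-only search
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Acquire, hash, verify and search the constructed image; returns the results."""
    path = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    build_sample_image(path)
    recorded = hash_image(path)                     # what goes into the acquisition log
    return {
        "verified": verify_image(path, recorded),
        "tampered_detected": not verify_image(path, {"sha256": "00" * 32}),
        "hits": keyword_offsets(path, ["password", "secret"], chunk_size=64),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the 64-byte chunk size the second "password" lies across two reads and is still reported
exactly once; the UTF-16LE "secret" would never be found by a plain string search.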

Analysing hidden evidence
Data can be hidden by cyber-criminals within various areas of the file system, such as the slack
space, deleted file spaces, and bad clusters.

Some concepts related to file systems:
1) Hard Disk: Data can be hidden on the maintenance tracks or in the protected area of a hard
disk (the Host Protected Area, which the drive itself hides from the operating system).
Imaging tools that detect and temporarily remove the protected area can copy this data; an
imaging tool that does not will silently produce an image smaller than the drive.
2) File System Tables: The File Allocation Table in FAT and the Master File Table (MFT) in
NTFS are used to keep track of which clusters belong to which file.
3) File Deletion: When a file is deleted, its entry in the file system table is marked as free
(FAT sets the first byte of the directory entry to 0xE5 and zeroes the file's FAT entries;
NTFS clears the in-use flag of the MFT record). This makes it look as though the file is no
longer present on the hard disk, and the clusters it used are made available to other files.
But even though the data seems to be gone, it remains on the hard disk until those clusters
are reused, and can be recovered. One technique, known as file carving, is to locate the
beginning and end of the file in a hex editor by their signatures, copy the bytes in between
into a new file and save it with the appropriate file extension.
4) Recover a JPEG file
A. Open the image (or its unallocated space) in a hex editor.
B. Check the file signature. A JPEG starts with FF D8 FF; the bytes after that depend on
the variant. For example, FF D8 FF E1 XX XX 45 78 69 66 00 ("Exif") is the starting
signature of a JPEG carrying EXIF metadata, while FF D8 FF E0 XX XX 4A 46 49 46 00
("JFIF") starts a plain JFIF file. The ending signature of both is FF D9.
C. Copy from the starting signature up to and including the ending signature. Note that an
EXIF JPEG usually contains an embedded thumbnail, which is itself a complete JPEG with its
own FF D8 and FF D9, so cutting at the first FF D9 after the header truncates the picture;
the correct end is the FF D9 that follows the image's own scan data.
D. Open the carved file with the corresponding application.
5) Partition Tables: A partition table, which is part of the Master Boot Record or MBR (or the
GUID Partition Table, GPT, on newer disks), holds the information about the partitions present
on a hard drive: for each one its type, its starting sector and its length in sectors. It is the
partition table that tells a computer system how the hard drive is organised, and the
operating system reads this information from it when the computer is booted. When a
partition is deleted, only its entry in the partition table is erased. This makes the data
stored in that partition unavailable through the operating system, but it does not mean that
the data has been erased: it still remains on the hard drive, and the partition can often be
rebuilt by finding its boot sector.
6) Slack Space: The whole partition space might not be utilised by a file system. Volume
slack is the space left over at the end of a volume, and adversaries can use it to hide data;
the space between partitions can be used in the same way. File slack is the unused part of
the last cluster allocated to a file. When a file does not end on a sector boundary, older
operating systems (DOS and Windows 9x) padded the remaining part of the sector with whatever
happened to be in the memory buffer; this is called RAM slack. Modern systems, including NTFS
on Windows NT and later, fill the RAM slack with zeros, but the whole sectors of the last
cluster beyond the last sector written (drive slack) are never written and keep whatever was
stored in them before.
When a file is deleted, its entry in the file system table is updated to show the deleted
status, and the clusters it occupied become unallocated and can be reused for a new file.
The data of the deleted file remains on the hard drive, and can be used to retrieve it, until a
new file overwrites it. Even then, when the new file does not fill the entire last cluster,
part of the deleted file's data survives in the new file's slack space, and this can be used
to recover parts of the deleted file.
7) Free Space: Moving a file from one hard drive or partition to another is done by copying
and then deleting. A copy of the file is first written to the target partition, and the
original is deleted after the copy has been made. The entry for the original file is removed
from the file system table (FAT or MFT) of the source partition, and a new record is created
in the file system table of the target partition. The clusters released on the source
partition are called free (unallocated) space, and they still contain the file's data until
they are reused. Free space can also be used by suspects to hide data, since the file system
never shows it.
8) Faked Bad Clusters: Data can also be stored inside clusters that are marked as bad. An
MFT entry named $BadClus holds the information about the bad clusters in an NTFS file
system. $BadClus is a sparse file whose logical size equals the size of the volume, and every
cluster marked bad is allocated to it, so the file system never gives those clusters to any
other file. A suspect can exploit this by marking perfectly good clusters as bad, storing data
in them and thereby hiding both the data and the amount of space it occupies. A volume whose
$BadClus has clusters allocated, on a drive that itself reports no reallocated or pending
sectors, deserves a closer look.
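The JPEG recovery procedure of item 4, written as a Python carver. This is an added example and
not code from the module; the "image" it scans is a constructed byte string containing a minimal
JPEG skeleton with an EXIF thumbnail, not a real picture. The carver walks the marker segments of
the file instead of stopping at the first FF D9, so the embedded thumbnail does not truncate the
result; naive_length() shows what the simple "cut at the next FF D9" rule would have returned.

```python
SOI = b"\xff\xd8"     # start of image
EOI = b"\xff\xd9"     # end of image


def jpeg_length(buf, start):
    """Return the length of the JPEG that starts at buf[start], or None if no valid JPEG is there.
    Every APPn/DQT/DHT/SOF segment carries a 16-bit length, so an EXIF thumbnail (a complete
    JPEG inside APP1) is skipped as a whole; only after SOS is the entropy-coded data scanned
    for the real EOI."""
    n = len(buf)
    if buf[start:start + 2] != SOI:
        return None
    pos = start + 2
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None                               # lost synchronisation: not a marker
        marker = buf[pos + 1]
        if marker == 0xFF:                            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                            # EOI: this is where the file ends
            return pos + 2 - start
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # markers without a length field
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seglen < 2:
            return None                               # the length field must cover itself
        pos += 2 + seglen
        if marker == 0xDA:                            # SOS: compressed scan data follows
            while pos + 1 < n:
                if buf[pos] == 0xFF:
                    nxt = buf[pos + 1]
                    # FF 00 is byte stuffing and FF D0..D7 are restart markers; anything else
                    # (including FF D9) is a real marker, so hand back to the segment loop
                    if nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                        break
                pos += 1
    return None


def naive_length(buf, start):
    """The 'copy from FF D8 to the next FF D9' rule, for comparison."""
    end = buf.find(EOI, start + 2)
    return None if end < 0 else end + 2 - start


def carve_jpegs(image):
    """Scan an image for JPEG headers and return (offset, bytes) for every structurally valid one."""
    found = []
    pos = 0
    while True:
        idx = image.find(b"\xff\xd8\xff", pos)        # common prefix of JFIF and EXIF files
        if idx < 0:
            return found
        length = jpeg_length(image, idx)
        if length:
            found.append((idx, image[idx:idx + length]))
            pos = idx + length
        else:
            pos = idx + 1                             # false positive: keep scanning


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg():
    """A constructed, minimal JPEG skeleton (structurally valid, not decodable) whose APP1 EXIF
    segment contains an embedded thumbnail JPEG, exactly the case that fools naive carving."""
    thumbnail = SOI + _segment(0xDB, bytes(4)) + _segment(0xDA, bytes(6)) + b"\x12\x34" + EOI
    app1 = _segment(0xE1, b"Exif\x00\x00" + thumbnail)
    scan = _segment(0xDA, bytes(6)) + b"\xab\xff\x00\xcd\xff\xd0\xef"   # stuffing and RST0 inside
    return SOI + app1 + _segment(0xDB, bytes(65)) + scan + EOI


def build_sample_image():
    """Constructed unallocated-space dump: filler, a false header, and two copies of the JPEG."""
    jpg = build_sample_jpeg()
    decoy = b"\xff\xd8\xff\x10\x00\x01"              # looks like a header, has an impossible length
    return bytes(64) + decoy + bytes(64) + jpg + b"A" * 32 + jpg + bytes(64)


if __name__ == "__main__":
    img = build_sample_image()
    for off, data in carve_jpegs(img):
        print(f"JPEG at offset {off}: {len(data)} bytes (naive cut: {naive_length(img, off)})")
```

Run against a real image by replacing build_sample_image() with the bytes of the file (or a
memory-mapped view of it); the decoy shows why a header match alone is not enough and the
length field has to be checked.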
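Item 5, partition tables, as a Python example (added here, not from the module). parse_mbr()
reads the four 16-byte entries of a classic MBR; delete_partition() does what a partition manager
does on "delete", which is to zero the entry; and unallocated_nonzero_sectors() then finds the
orphaned data. The 18-sector "disk" is constructed in build_sample_disk() and its partition
contents are just tags.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries occupy bytes 446..509 of the MBR
ENTRY_SIZE = 16


def parse_mbr(sector):
    """Return the non-empty primary partition entries of a classic MBR as dicts.
    Entry layout: status (0x80 = bootable), CHS start, type, CHS end, LBA start, sector count."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for n in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + n * ENTRY_SIZE)
        if ptype == 0x00:                                  # empty slot
            continue
        parts.append({"slot": n, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def delete_partition(disk, slot):
    """What a partition manager does on 'delete': zero the 16-byte entry. The sectors the
    partition occupied are not touched at all."""
    off = TABLE_OFFSET + slot * ENTRY_SIZE
    disk[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)


def unallocated_nonzero_sectors(disk, parts):
    """LBAs outside every listed partition that still hold data: this is where a deleted
    partition's contents (and a deliberately hidden one) turn up."""
    covered = set()
    for p in parts:
        covered.update(range(p["lba_start"], p["lba_start"] + p["sectors"]))
    return [lba for lba in range(1, len(disk) // SECTOR)
            if lba not in covered and any(disk[lba * SECTOR:(lba + 1) * SECTOR])]


def _entry(bootable, ptype, lba_start, sectors):
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_sample_disk():
    """Constructed 18-sector toy disk: MBR, one unused sector, an 8-sector partition of type
    0x07 (NTFS) and an 8-sector partition of type 0x0C (FAT32 LBA), each filled with a tag."""
    mbr = bytearray(SECTOR)
    mbr[TABLE_OFFSET:TABLE_OFFSET + 16] = _entry(True, 0x07, 2, 8)
    mbr[TABLE_OFFSET + 16:TABLE_OFFSET + 32] = _entry(False, 0x0C, 10, 8)
    mbr[510:512] = b"\x55\xaa"
    p1 = b"P1DATA".ljust(SECTOR, b"\x00") * 8
    p2 = b"P2DATA".ljust(SECTOR, b"\x00") * 8
    return mbr + bytearray(SECTOR) + p1 + p2


if __name__ == "__main__":
    disk = build_sample_disk()
    print("before:", parse_mbr(disk))
    delete_partition(disk, 1)
    after = parse_mbr(disk)
    print("after: ", after)
    print("orphaned sectors with data:", unallocated_nonzero_sectors(disk, after))
```

After the delete the table lists one partition, yet every sector of the second one still reads
back its tag, which is exactly the situation a partition-recovery tool exploits by scanning the
orphaned area for a boot sector.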
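Items 6 and 7, slack space and free space, as a Python simulation (an added example, not part of
the module). file_slack() splits the wasted space of a file into RAM slack and drive slack for a
given sector and cluster size, and ToyVolume is a hypothetical minimal file system on a bytearray
that allocates clusters, zero-fills the RAM slack as a modern operating system does, and on
delete changes nothing but its table. demo() deletes a 10000-byte file, writes a 5000-byte file
into the freed clusters and counts how much of the old file is still readable.

```python
SECTOR = 512
CLUSTER = 4096        # 8 sectors per cluster, the NTFS default on volumes up to 16 TiB


def file_slack(file_size, cluster_size=CLUSTER, sector_size=SECTOR):
    """Split the wasted space of a file into (ram_slack, drive_slack, total).
    ram_slack: unused tail of the last sector written (zero-filled by modern systems);
    drive_slack: whole sectors of the last cluster that are never written and keep old content."""
    if file_size == 0:
        return (0, 0, 0)
    allocated = -(-file_size // cluster_size) * cluster_size     # round up to whole clusters
    ram_slack = (-file_size) % sector_size
    drive_slack = allocated - file_size - ram_slack
    return (ram_slack, drive_slack, allocated - file_size)


class ToyVolume:
    """A bytearray 'disk' plus an allocation bitmap and a name->clusters table: just enough
    of a file system to show what a delete and a later write actually change on disk."""

    def __init__(self, clusters, cluster_size=CLUSTER, sector_size=SECTOR):
        self.cluster_size, self.sector_size = cluster_size, sector_size
        self.disk = bytearray(clusters * cluster_size)
        self.allocated = [False] * clusters
        self.files = {}

    def write(self, name, data):
        cs = self.cluster_size
        need = -(-len(data) // cs)
        free = [i for i, used in enumerate(self.allocated) if not used][:need]
        if len(free) < need:
            raise OSError("volume full")
        data += bytes((-len(data)) % self.sector_size)      # zero-fill the RAM slack
        for n, c in enumerate(free):
            chunk = data[n * cs:(n + 1) * cs]
            self.disk[c * cs:c * cs + len(chunk)] = chunk   # sectors not written keep old bytes
            self.allocated[c] = True
        self.files[name] = free

    def delete(self, name):
        """Exactly like a real delete: drop the table entry, free the clusters, touch no data."""
        for c in self.files.pop(name):
            self.allocated[c] = False

    def cluster(self, c):
        return bytes(self.disk[c * self.cluster_size:(c + 1) * self.cluster_size])

    def unallocated(self):
        return [i for i, used in enumerate(self.allocated) if not used]


def demo():
    """Delete a 10000-byte file, write a 5000-byte one into the freed clusters, and measure
    what survives of the first file in slack space and in unallocated space."""
    vol = ToyVolume(clusters=4)
    vol.write("report.doc", b"A" * 10000)       # clusters 0, 1, 2
    vol.delete("report.doc")
    vol.write("note.txt", b"B" * 5000)          # reuses clusters 0 and 1
    last = vol.cluster(vol.files["note.txt"][-1])
    return {
        "slack_of_new_file": file_slack(5000),                    # (120, 3072, 3192)
        "old_bytes_in_file_slack": last.count(b"A"),              # 3072: the drive slack
        "zeroed_ram_slack": last[904:1024].count(b"\x00"),        # 120
        "unallocated_clusters_with_old_data": [c for c in vol.unallocated() if b"A" in vol.cluster(c)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Three quarters of the second cluster of note.txt still holds report.doc, and cluster 2 holds
the rest of it untouched; a tool that reads files through the file system sees none of this,
which is why slack and unallocated space are examined at the cluster level.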

FAT32

The FAT32 file system was introduced in 1996 with Windows 95 OSR2 and was the default file
system of Windows 98 and Windows Me; the Windows NT line (NT, 2000, XP and later) supports it
but uses NTFS by default. The "32" in FAT32 tells that each entry of the file allocation table
is a 32-bit number. Only the low 28 bits are used as the cluster number, the upper 4 bits being
reserved, so a table can address up to 2^28 clusters, and a single file can be at most 4 GiB
minus one byte. Although newer hard drives are rarely formatted with FAT32, the file system is
still widely used on removable storage devices, because practically every operating system and
device can read and write it. FAT32 uses a File Allocation Table, or FAT, in which each entry
holds the number of the next cluster of a file (or an end-of-chain mark), so the table records
which clusters a particular file occupies and in what order. The FAT32 file system is very
simple when compared to the NTFS file system.
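A Python walk through the FAT32 structures just described, added here as an example (it is not
the module's code, and the boot sector, FAT and directory entry it parses are constructed in
build_sample(), with 1 sector per cluster to keep offsets small). It masks FAT entries to 28 bits,
follows a cluster chain without being trapped by a loop, and shows the deleted-file problem: the
directory entry still gives the first cluster and the size, but the chain itself has been zeroed,
so a recovery tool can only assume the file was contiguous.

```python
import struct

FAT32_MASK = 0x0FFFFFFF     # only the low 28 bits of a 32-bit FAT entry are a cluster number
EOC_MIN = 0x0FFFFFF8        # masked values >= this mean end of chain
BAD_CLUSTER = 0x0FFFFFF7


def parse_boot_sector(bs):
    """Read the BPB fields needed to locate the FAT and the data area."""
    if bs[510:512] != b"\x55\xaa":
        raise ValueError("missing boot signature")
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", bs, 0x0B)
    sectors_per_fat = struct.unpack_from("<I", bs, 0x24)[0]
    root_cluster = struct.unpack_from("<I", bs, 0x2C)[0]
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved": reserved,
            "num_fats": nfats, "sectors_per_fat": sectors_per_fat, "root_cluster": root_cluster}


def fat_offset(geo):
    return geo["reserved"] * geo["bytes_per_sector"]


def cluster_offset(geo, cluster):
    """Byte offset of a data cluster: the data area follows the reserved sectors and every FAT
    copy, and data cluster numbering starts at 2."""
    data_start = (geo["reserved"] + geo["num_fats"] * geo["sectors_per_fat"]) * geo["bytes_per_sector"]
    return data_start + (cluster - 2) * geo["sectors_per_cluster"] * geo["bytes_per_sector"]


def load_fat(raw):
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))


def follow_chain(fat, first):
    """Walk a cluster chain, masking the reserved high 4 bits of every entry. Stops on a free,
    bad or out-of-range entry and refuses to loop, so a damaged or tampered FAT cannot hang it."""
    chain, seen, cur = [], set(), first
    while 2 <= cur < len(fat) and cur not in seen:
        chain.append(cur)
        seen.add(cur)
        nxt = fat[cur] & FAT32_MASK
        if nxt >= EOC_MIN or nxt == BAD_CLUSTER or nxt < 2:
            break
        cur = nxt
    return chain


def is_deleted_entry(entry):
    """A deleted directory entry keeps everything except its first byte, which becomes 0xE5."""
    return entry[0] == 0xE5


def entry_first_cluster(entry):
    hi, = struct.unpack_from("<H", entry, 0x14)
    lo, = struct.unpack_from("<H", entry, 0x1A)
    return (hi << 16) | lo


def entry_size(entry):
    return struct.unpack_from("<I", entry, 0x1C)[0]


def assumed_contiguous_chain(geo, entry):
    """For a deleted file the FAT entries have been zeroed, so recovery starts from the
    directory entry's first cluster and size and assumes the file was not fragmented."""
    cluster_bytes = geo["sectors_per_cluster"] * geo["bytes_per_sector"]
    n = -(-entry_size(entry) // cluster_bytes)
    return list(range(entry_first_cluster(entry), entry_first_cluster(entry) + n))


def build_sample():
    """Constructed boot sector, one-sector FAT and a deleted directory entry (not a real volume)."""
    bs = bytearray(512)
    struct.pack_into("<HBHB", bs, 0x0B, 512, 1, 32, 2)    # 512 B/sector, 1 sector/cluster, 32 reserved, 2 FATs
    struct.pack_into("<I", bs, 0x24, 1)                   # 1 sector per FAT = 128 entries
    struct.pack_into("<I", bs, 0x2C, 2)                   # root directory in cluster 2
    bs[510:512] = b"\x55\xaa"
    fat = [0] * 128
    fat[0], fat[1], fat[2] = 0x0FFFFFF8, 0xFFFFFFFF, 0x0FFFFFFF
    fat[10], fat[11], fat[13] = 11, 0xF000000D, 0x0FFFFFFF  # live fragmented file: 10 -> 11 -> 13
    fat[8], fat[9] = 9, 8                                  # a corrupted, looping chain
    entry = bytearray(32)                                  # deleted SECRET.TXT, entries 3.. zeroed
    entry[0:11] = b"\xe5ECRET  TXT"
    struct.pack_into("<H", entry, 0x14, 0)
    struct.pack_into("<H", entry, 0x1A, 3)
    struct.pack_into("<I", entry, 0x1C, 1200)
    return bytes(bs), struct.pack("<128I", *fat), bytes(entry)


if __name__ == "__main__":
    bs, raw_fat, entry = build_sample()
    geo = parse_boot_sector(bs)
    fat = load_fat(raw_fat)
    print("cluster 3 at byte offset", cluster_offset(geo, 3))
    print("live chain from 10:", follow_chain(fat, 10))
    print("looping chain from 8:", follow_chain(fat, 8))
    print("deleted?", is_deleted_entry(entry), "recovery guess:", assumed_contiguous_chain(geo, entry))
```

Note the entry at index 11 has its reserved high bits set and still resolves to cluster 13 only
because of the mask; and if SECRET.TXT had been fragmented like the live file, the contiguous
guess [3, 4, 5] would hand back a third cluster that never belonged to it.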

NTFS

NTFS is a newer file system than FAT32. It was introduced with Windows NT 3.1 in 1993 and
became the standard Windows file system with Windows 2000 and XP, bringing new features such
as more advanced data structures and richer metadata. Additional highlights of NTFS are the
recording of last-access times for files, more efficient data access, larger volume sizes,
better organisation of data, larger file sizes, journaling through the $LogFile metadata file
(so the volume can be brought back to a consistent state after a crash), file permissions,
compression and encryption. NTFS is used on most current Windows hard drives, and other
operating systems such as Linux and macOS can read it. NTFS uses a Master File Table, or MFT,
in which every file and directory on the volume has a record describing its attributes (names,
timestamps, data runs); small files are stored entirely inside their MFT record. The volume also
has a 512-byte boot sector at its start, from which the operating system reads the geometry of
the volume (bytes per sector, sectors per cluster, total number of sectors) and the location of
the MFT; information about the partitions themselves lives in the partition table, not here.
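The NTFS boot sector and the MFT record header in Python, as an added example that is not the
module's code; the boot sector and the four-record $MFT it reads are constructed in
build_sample(). parse_ntfs_boot_sector() shows what the boot sector really contains (geometry
and the MFT location, not partition information), and scan_mft() lists every record including
the ones whose in-use flag has been cleared, which is how deleted files are found on NTFS.

```python
import struct

IN_USE, IS_DIRECTORY = 0x0001, 0x0002     # MFT record header flags at offset 0x16


def parse_ntfs_boot_sector(bs):
    """Read the NTFS boot sector: it describes the volume's geometry and where $MFT starts;
    it says nothing about other partitions (that is the MBR/GPT's job)."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if bs[510:512] != b"\x55\xaa":
        raise ValueError("missing boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", bs, 0x28)
    rec, = struct.unpack_from("<b", bs, 0x40)       # clusters per record, or -log2(bytes) if negative
    cluster = bytes_per_sector * sectors_per_cluster
    record_size = 2 ** (-rec) if rec < 0 else rec * cluster
    return {"cluster_size": cluster, "total_sectors": total_sectors, "record_size": record_size,
            "mft_offset": mft_lcn * cluster, "mftmirr_offset": mftmirr_lcn * cluster}


def parse_record_header(rec):
    """Decode the fixed header of one MFT file record. Returns None for an unused record
    (no 'FILE' signature). The header lies before the first fixup value, so it can be read
    without applying the update sequence array; attribute parsing must apply it first."""
    if rec[0:4] != b"FILE":
        return None
    seq, links, attr_off, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    return {"sequence": seq, "links": links, "first_attr": attr_off, "in_use": bool(flags & IN_USE),
            "is_directory": bool(flags & IS_DIRECTORY), "used_size": used, "allocated_size": alloc}


def scan_mft(mft, record_size):
    """Yield (record number, header) for every record carrying a FILE signature, whether or
    not it is in use: records with in_use False are deleted files whose names, timestamps
    and any resident data are still sitting in the table."""
    for n in range(len(mft) // record_size):
        hdr = parse_record_header(mft[n * record_size:(n + 1) * record_size])
        if hdr is not None:
            yield n, hdr


def deleted_records(mft, record_size):
    return [n for n, hdr in scan_mft(mft, record_size) if not hdr["in_use"]]


def _record(seq, flags, record_size):
    rec = bytearray(record_size)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHHHII", rec, 0x10, seq, 1, 0x38, flags, 0x100, record_size)
    return rec


def build_sample():
    """Constructed boot sector and four-record $MFT (not a real volume): records 0 and 1 live
    (1 is a directory), record 2 deleted, record 3 never used."""
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, 8)                   # 4 KiB clusters
    struct.pack_into("<QQQ", bs, 0x28, 2048, 4, 1024)           # sectors, $MFT LCN, $MFTMirr LCN
    struct.pack_into("<b", bs, 0x40, -10)                       # 2**10 = 1024-byte records
    bs[510:512] = b"\x55\xaa"
    size = 1024
    mft = (_record(1, IN_USE, size) + _record(1, IN_USE | IS_DIRECTORY, size)
           + _record(3, 0, size) + bytearray(size))
    return bytes(bs), bytes(mft)


if __name__ == "__main__":
    bs, mft = build_sample()
    geo = parse_ntfs_boot_sector(bs)
    print("$MFT at byte offset", geo["mft_offset"], "record size", geo["record_size"])
    for n, hdr in scan_mft(mft, geo["record_size"]):
        print(n, "in use" if hdr["in_use"] else "DELETED", "dir" if hdr["is_directory"] else "file")
```

On a real volume the same functions apply to the 512 bytes at the start of the partition and to
the bytes at mft_offset; the sequence number in each header increases every time the record is
reused, which is what distinguishes a deleted file's record from a later file that took its slot.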

Kali Linux

The Kali Linux file system is similar to that of any other Linux distribution. It follows the
Filesystem Hierarchy Standard, or FHS, which makes it an effortless task for users of other
flavours of the Linux operating system to navigate the filesystem. The file system types used
include ext2, ext3 and ext4. Ext2 was the most widely used Linux file system before ext3 was
released. An ext2 volume consists of identical block groups, each with its own bitmaps and inode
table, and the inodes contain pointers to the data blocks of a file. The ext3 format is similar
to ext2, the main difference being that ext3 adds journaling, which is used to keep the file
system consistent when the system crashes or loses power. The journal records the changes that
are about to be made to the file system, so that after a failure it can be replayed to recover
the file system; for an examiner the journal can also hold copies of recently changed metadata
(and, in data journaling mode, file content) that have since been overwritten on disk. Ext4
extends ext3 with extents and larger volumes. There are various directories in the Kali Linux
file system that each serve a very specific purpose, and those are:

1. /bin/: contains very basic executable programs.
2. /boot/: contains the kernel of the Kali Linux operating system and the files required for
its boot process.
3. /etc/: contains the configuration files that control applications and various components of
the operating system.
4. /dev/: contains the device files that are used to access hardware devices.
5. /lib/: contains the basic libraries that are used by the system to perform basic
functionality, such as booting the system and executing commands.
6. /media/*: when a removable device such as a USB drive or CD-ROM is connected to a computer
running Kali Linux, the mount point for that device is created in this directory.
7. /home/: contains the users' personal files.
8. /run/: contains runtime data that is erased after a reboot.
9. /tmp/: all temporary files are stored in this directory and are deleted at boot time.
10. /mnt/: used as a temporary mount point.
11. /srv/: contains the data served by any server hosted on the system.
12. /root/: the home directory of the administrator (root) user.
13. /usr/: contains read-only files shared by all users, such as installed applications and
their libraries.
14. /sbin/: contains the binaries for system administration programs.
15. /opt/: contains the packages for third-party applications.
16. /var/: contains variable data that changes while the operating system is in operation. This
data is handled by daemons, and includes log files, caches and spool files.
17. /proc/ and /sys/: virtual file systems through which the kernel exports data to user space.

Tools used for reading file systems:
• DiskExplorer for NTFS
• DiskExplorer for FAT

