Digital Forensics
Unit – 2
Hello!
I am Sarang Rajvansh
Assistant Professor,
School of Cyber Security & Digital Forensics,
National Forensic Sciences University,
Gujarat Campus, Gandhinagar.
How is data stored?
➜ Magnetic disk drives historically stored data in units known
as cylinders, heads, and sectors (CHS). These units were used to
assign an address to each storage block on a disk.
➜ The concentric circles of storage area on each side of a drive's
platter are known as tracks. In CHS addressing the sector field
is only 6 bits wide, so a track could hold at most 63 addressable
sectors.
How is data stored?
➜ A file system allocates space to files in fixed-size groups of
whole sectors called clusters (allocation units), so even a tiny
file occupies at least one full cluster.
➜ Slack space is the difference between the space assigned to a
file (whole clusters) and the space the file's data actually uses.
➜ The hard drive holds your data and applications persistently,
including while they are not loaded into memory.
➜ The sectors of an allocated cluster that still hold leftover data
from earlier use are commonly referred to as slack space or
cluster slack.
Slack Space Example
➜ If we create a one-byte file, an NTFS file system writes the
single byte followed by 511 null bytes to fill the 512-byte sector.
➜ If the cluster size equals one sector, that is all that is written.
If the cluster size is 4 KB (eight 512-byte sectors), the file
system still writes only the first byte of the file followed by
511 null bytes into the first sector.
➜ The remaining seven sectors of the cluster are not written to,
so they are not overwritten if they previously held data from a
deleted file; that leftover content is the file slack an examiner
can recover.
➜ Caveat: NTFS keeps very small files resident inside their MFT
record rather than in a data cluster, so the example applies once
a file is large enough to be stored non-resident.
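To make the slack mechanics concrete, here is an added simulation (not from the slides) that models one 4 KiB cluster of eight 512-byte sectors, writes a constructed "deleted" file across the whole cluster, then reuses the cluster for a one-byte file exactly as described above, and extracts the RAM slack (null padding inside the last used sector) and the file slack (sectors never touched by the new file). The `write_file` and `slack` helpers, the cluster geometry and the sample content are all constructed for this example, and it assumes the file's data really lives in the cluster (non-resident), which is not the case for tiny NTFS files.

```python
# Added example (not part of the slides): simulates cluster allocation so the
# RAM slack and file slack described above can be inspected directly.
# Assumptions: 512-byte sectors, a 4 KiB cluster, and a non-resident file whose
# data really lives in the cluster (NTFS keeps very small files inside the MFT).

SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER  # 4096 bytes


def _sector_ceil(n: int) -> int:
    """Round n up to the next sector boundary."""
    return -(-n // SECTOR) * SECTOR


def write_file(cluster: bytearray, data: bytes) -> None:
    """Write `data` at the start of the cluster the way the slide describes:
    the last sector the file touches is padded with null bytes up to the
    sector boundary; every later sector of the cluster is left untouched."""
    if len(data) > len(cluster):
        raise ValueError("file does not fit in one cluster")
    end = _sector_ceil(len(data))
    cluster[:len(data)] = data
    cluster[len(data):end] = b"\x00" * (end - len(data))


def slack(cluster: bytes, file_size: int) -> tuple[bytes, bytes]:
    """Split the unused part of an allocated cluster into RAM slack (the
    null padding inside the last used sector) and file slack (whole sectors
    that still hold whatever was written there before)."""
    end = _sector_ceil(file_size)
    return bytes(cluster[file_size:end]), bytes(cluster[end:])


def demo() -> dict:
    cluster = bytearray(CLUSTER)
    # Constructed content of a file that was later deleted; it filled the
    # whole cluster, so every sector holds recognisable text.
    deleted = (b"DELETED-SECRET-" * 300)[:CLUSTER]
    write_file(cluster, deleted)
    # The cluster is now reused for a one-byte file.
    write_file(cluster, b"A")
    ram_slack, file_slack = slack(cluster, 1)
    return {
        "first_sector": bytes(cluster[:SECTOR]),
        "ram_slack_len": len(ram_slack),
        "file_slack_len": len(file_slack),
        "leftover_recoverable": b"DELETED-SECRET" in file_slack,
    }


if __name__ == "__main__":
    result = demo()
    print(result["ram_slack_len"], result["file_slack_len"],
          result["leftover_recoverable"])
```

The first sector comes back as `A` followed by 511 null bytes, while the other 3584 bytes of the cluster still contain the deleted file's text; a carver that scans allocated clusters past each file's logical size will find it.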
Data Carving
➜ Carving is the practice of extracting media based on content,
rather than on metadata. ~NIST
➜ Data carving is the act of searching for particular strings or
byte patterns within a structure.
➜ A hex editor or other data-viewing tools can be used to carve
for data manually.
Data Carving
➜ The analyst determines a string or binary pattern to search for,
then initiates a search across a device or structure for that
string or pattern.
➜ Carving for records can be a very effective method of finding
evidence when it’s been deleted either intentionally or
through normal system processes.
➜ The process of restoring the artifacts is known as carving.
Data Carving
➜ More generally, data carving is the process of reconstructing
logical objects (such as files, database records, and other data
structures) directly from a bulk data capture (such as a disk,
or RAM image) without the use of metadata describing the
location and layout of the artifacts.
➜ Identifying and recovering files based on analysis of file
formats is known as file carving.
➜ It is a helpful technique for finding hidden or deleted files on
digital media.
Data Carving
➜ The target can be of whatever scope is appropriate for the
task, such as a file, slack space, unallocated space, a full
volume, a memory image, or a swap file.
➜ The technique can be used to carve for full files – such as
recovering deleted JPG image files; or for records – such as
recovering portions of a deleted Windows event log.
Data Carving : Files
➜ Full files can be carved by searching for particular file headers
or signatures.
➜ File carving is typically limited to contiguous (non-fragmented)
files in unallocated space or embedded within other files.
➜ Techniques also exist to carve fragmented data, for example
fragment recovery carving aided by fuzzy hashing.
Data Carving : Records
➜ Carving for records involves searching for data where the full
file may not be essential to recovering information.
➜ For example, carving for a web log entry that carries full
context in a single event: date and time, web page visited, IP
address accessing the page, browser ID, and so on.
➜ While a weblog is typically maintained in plain text, other
data may be contained in binary blobs (such as Windows
event logs) or a database format.
Data Carving: Example
➜ The forensic investigator received a computer (the system unit,
often loosely called "the CPU") from law enforcement for
examination.
➜ The system had been seized; it was running Windows.
➜ When the system was analyzed, the system logs had been
deleted and very little other logical evidence remained.
➜ The investigator carved for Windows Event Log records and
successfully recovered over 22,000 entries.
Data Carving: Example
➜ These entries were key in helping law enforcement establish the
intrusion, because they recorded the malware on the infected
system checking in to its remote server.
➜ Information retrieved included:
- the IP address of the remote server,
- the system host name, and
- the date and time of each check-in.
Data Carving: The Way
➜ Block-Based Carving:- Any carving method (algorithm) that
analyzes the input on block-by-block basis to determine if a
block is part of a possible output file.
➜ This method assumes that each block can only be part of a
single file (or embedded file).
➜ Statistical Carving:- Any carving method (algorithm) that
analyzes the input based on a characteristic or statistic (for
example, entropy) to determine if the input is part of a possible
output file.
Data Carving: The Way
➜ Header/Footer Carving:- A method for carving files out of
raw data using a distinct header (start of file marker) and
footer (end of file marker).
➜ Header/Maximum (file) size Carving:- A method for carving files
out of raw data using a distinct header (start of file marker)
and a maximum (file) size, used when no reliable footer exists.
➜ This approach works because many file formats (e.g. JPEG,
MP3) tolerate additional junk appended to the end of a valid
file, so over-carving up to the size limit still yields a
viewable file.
Data Carving: The Way
➜ Header/Embedded Length Carving:- A method for carving
files out of raw data using a distinct header and a file length
(size) which is embedded in the file format.
➜ File structure based Carving:- A method for carving files out
of raw data using a certain level of knowledge of the internal
structure of file types.
➜ Semantic Carving:- A method for carving files based on a
linguistic analysis of the file's content.
Data Carving: The Way
➜ Fragment Recovery Carving:- A carving method in which two
or more fragments are reassembled to form the original file or
object.
➜ Repackaging Carving:- A carving method that modifies the
extracted data by adding new headers, footers, or other
information so that it can be viewed with standard utilities.
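The following added example (not from the slides) runs three of the carving methods listed above against one constructed block of raw data: header/footer carving with a maximum-size cap for JPEG, header/embedded-length carving for BMP (whose total size sits at byte offset 2), and file-structure-based carving for PNG (walking length/type/data/CRC chunks to IEND and checking each CRC). The sample PNG, BMP and JPEG bytes, the decoy `BM` string, the truncated JPEG header and the 8 MiB size cap are all constructed for the demonstration; the JPEG carver also shows the check a practitioner wants when a stray header precedes the real one.

```python
# Added example (not part of the slides): three of the carving approaches above
# run against one constructed block of raw data. Every sample file, offset and
# threshold here is made up for the demonstration.
import struct
import zlib

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_SIZE = 8 * 1024 * 1024  # header/maximum-size cap (constructed limit)


def carve_jpeg(blob: bytes, max_size: int = MAX_SIZE) -> list:
    """Header/footer carving: SOI marker to the first EOI marker within
    max_size bytes. If another SOI appears before that EOI, the current
    header belongs to a truncated or fragmented file and is skipped instead
    of being glued onto the next file's footer."""
    found, pos = [], 0
    while (start := blob.find(JPEG_SOI, pos)) != -1:
        limit = start + max_size
        end = blob.find(JPEG_EOI, start + 3, limit)
        nxt = blob.find(JPEG_SOI, start + 3, limit)
        if end == -1:
            pos = start + 1            # no footer in range: not a complete contiguous file
        elif nxt != -1 and nxt < end:
            pos = nxt                  # stray header: restart from the later one
        else:
            found.append(("jpeg", start, blob[start:end + 2]))
            pos = end + 2
    return found


def carve_bmp(blob: bytes, max_size: int = MAX_SIZE) -> list:
    """Header/embedded-length carving: a BMP stores its total size as a
    little-endian uint32 at offset 2 and the pixel-data offset at offset 10,
    so the size field decides where the file ends and the offset field weeds
    out random 'BM' byte pairs."""
    found, pos = [], 0
    while (start := blob.find(b"BM", pos)) != -1 and start + 14 <= len(blob):
        size = struct.unpack_from("<I", blob, start + 2)[0]
        pix_off = struct.unpack_from("<I", blob, start + 10)[0]
        if 54 <= size <= max_size and start + size <= len(blob) and 54 <= pix_off < size:
            found.append(("bmp", start, blob[start:start + size]))
            pos = start + size
        else:
            pos = start + 1
    return found


def carve_png(blob: bytes) -> list:
    """File-structure-based carving: from the signature, walk the
    length/type/data/CRC chunk sequence to IEND, checking every CRC, so a
    corrupt or truncated candidate is rejected instead of carved."""
    found, pos = [], 0
    while (start := blob.find(PNG_SIG, pos)) != -1:
        pos, off = start + 1, start + 8
        while off + 12 <= len(blob):
            length, ctype = struct.unpack_from(">I4s", blob, off)
            if off + 12 + length > len(blob):
                break                                     # truncated chunk
            data = blob[off + 8:off + 8 + length]
            crc = struct.unpack_from(">I", blob, off + 8 + length)[0]
            if crc != zlib.crc32(ctype + data):
                break                                     # corrupt chunk: abandon
            off += 12 + length
            if ctype == b"IEND":
                found.append(("png", start, blob[start:off]))
                pos = off
                break
    return found


def carve_all(blob: bytes) -> list:
    """All carvers over the same input, ordered by offset: (type, offset, bytes)."""
    return sorted(carve_jpeg(blob) + carve_bmp(blob) + carve_png(blob), key=lambda f: f[1])


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': junk, a 1x1 PNG, a decoy 'BM' string,
    a 2x2 24-bit BMP, a JPEG header with no footer, then a minimal JPEG."""
    png = (PNG_SIG
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
           + _png_chunk(b"IEND", b""))
    pixels = (b"\x00\x00\xff" * 2 + b"\x00\x00") * 2           # 2 rows, padded to 4 bytes
    bmp = (b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
           + struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
           + pixels)
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI
    return (b"\x00" * 37 + png + b"BM is not a bitmap here" + bmp
            + JPEG_SOI + b"\xe1truncated" + b"\x00" * 20 + jpeg + b"\x00" * 16)


if __name__ == "__main__":
    for kind, offset, data in carve_all(build_sample_image()):
        print(kind, offset, len(data))
```

Header/footer carving has a classic failure mode that this cap-plus-restart logic only partly addresses: a real JPEG with an embedded EXIF thumbnail contains a second SOI/EOI pair, so a naive carver stops at the thumbnail's footer; structure-aware parsing of the marker segments is the fix when that matters.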
Data Recovery
➜ Data recovery is the process of restoring lost, corrupted,
accidentally deleted, or otherwise inaccessible data.[IBM]
➜ Data Recovery can also refer to
- Software designed to 'undelete' files a user may have
accidentally deleted, by restoring the file-system entries
that pointed to those files.
- Specialized services for physically recovering data from
damaged disks.
- Restoring data to a mobile device from a cloud-based
backup, such as iCloud.
Carving Vs Recovery
➜ Data carving is file-system independent; data recovery relies on
the file system.
➜ You can carve data from a formatted (or damaged) hard drive,
because carving relies on file signatures and content rather than
on the file system's bookkeeping.
➜ You can recover deleted data through file-system indexing
structures such as the NTFS MFT, the FAT table, or the journal of
EXT file systems.
➜ Data recovery relies on file systems and backups to retrieve the
data.
Data Acquisition
➜ Data acquisition is the act of collecting data relevant to an
investigation.
➜ This data can be live data, including memory captures, or it
can be collected in a forensically sound manner as an image
or a forensic copy.
➜ The data acquisition should be conducted in a manner that
creates the fewest changes to a system.
Data Acquisition
➜ The acquisition of a system that is powered off is the simplest
example of collecting data in a forensically sound manner:
- The analyst removes the system's hard drive.
- The hard drive is connected to the read-only (source) port of
a hardware write blocker.
- A target device to store an image or a copy is connected to
the read-write (destination) port of the write blocker.
Data Acquisition
- The communications port of the write blocker is connected to
a computer or a stand-alone imaging device, or is built in.
- The analyst then creates an image or a copy by writing to the
target device, and records hash values of the original and the
image so the copy can be verified.
- The original is maintained and documented in a
chain-of-custody form.
Data Acquisition
- The image or copy can then be examined (or additional
copies made) on the analysis platform.
- This is typically done as a read-only operation as well,
which allows for repeatability of any examination or
experiments without modifying the data.
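The imaging and verification steps of the procedure above, as an added example that is not part of the slides: the evidence is opened read-only, copied block by block to a target file while MD5 and SHA-256 are computed over the stream, and the written image is then re-read and hashed independently so the copy can be shown to match. The evidence file (a constructed stand-in for a block device), the block size, the image name and the JSON log layout are all assumptions of this example; a hardware write blocker still belongs between the evidence disk and the imaging host, since an `O_RDONLY` open protects only against this process writing.

```python
# Added example (not part of the slides): a minimal imaging routine that reads
# the evidence read-only, writes a bit-for-bit copy, hashes the stream as it
# passes, then re-hashes the written image to verify it. The evidence file,
# block size and log layout are constructed for the example; a hardware write
# blocker still belongs between the evidence disk and this host.
import datetime
import hashlib
import json
import os
import tempfile

BLOCK = 4 * 1024 * 1024  # 4 MiB reads (assumed block size)


def acquire(source: str, image: str, block_size: int = BLOCK) -> dict:
    """Copy `source` to `image` block by block, hashing every byte read.
    Opening with O_RDONLY means this process never holds a write handle to
    the evidence. Returns the record that goes on the chain-of-custody form."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    started = datetime.datetime.now(datetime.timezone.utc)
    fd = os.open(source, os.O_RDONLY)
    with os.fdopen(fd, "rb", buffering=0) as src, open(image, "wb") as dst:
        while chunk := src.read(block_size):
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    finished = datetime.datetime.now(datetime.timezone.utc)
    return {
        "source": source, "image": image, "bytes": total,
        "md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
        "started_utc": started.isoformat(timespec="seconds"),
        "finished_utc": finished.isoformat(timespec="seconds"),
    }


def sha256_file(path: str, block_size: int = BLOCK) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(block_size):
            h.update(chunk)
    return h.hexdigest()


def verify(record: dict) -> bool:
    """Independent re-read of the written image: it must reproduce the hash
    of the source stream and the byte count, or the copy is not faithful."""
    return (sha256_file(record["image"]) == record["sha256"]
            and os.path.getsize(record["image"]) == record["bytes"])


def write_log(record: dict) -> str:
    """Persist the record beside the image; this is what gets transcribed
    onto the chain-of-custody paperwork."""
    path = record["image"] + ".acquisition.json"
    with open(path, "w") as f:
        json.dump(record, f, indent=2)
    return path


def demo() -> dict:
    """Run the workflow against a constructed evidence file standing in for
    a block device such as /dev/sdX (the temp directory is removed afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "evidence.bin")
        with open(evidence, "wb") as f:
            f.write(bytes(range(256)) * 1000)      # 256,000 constructed bytes
        record = acquire(evidence, os.path.join(tmp, "evidence.dd"), block_size=65536)
        record["verified"] = verify(record)
        record["log_written"] = os.path.exists(write_log(record))
        return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the source stream during the copy and then hashing the written image separately catches a bad write or a full target disk; it does not catch an unstable source that returns different bytes on each read, which is why a second pass over the original device is taken when the drive's condition allows it.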