INTRODUCTION TO FILESYSTEMS AND 
COMPUTER FORENSICS 
BY: 
MAYANK CHAUDHARI 
DEPARTMENT OF COMPUTER ENGINEERING 
COLLEGE OF TECHNOLOGY PANTNAGAR (GBPUAT)
FIRST THING FIRST 
DATA 
• Facts and statistics collected together for reference and analysis. 
INFORMATION 
• Facts provided or learned about something or someone. 
FILE 
• A computer file is a resource for storing information, which is available to a computer program and is usually 
based on some kind of durable storage. A file is "durable" in the sense that it remains available for other 
programs to use after the program that created it has finished executing.
WHAT IS A FILE SYSTEM ? 
A filesystem is the methods and data structures that an operating system uses to keep track 
of files on a disk or partition; that is, the way the files are organized on the disk. The word is also 
used to refer to a partition or disk that is used to store the files or the type of the filesystem. 
It is responsible for arranging storage space; reliability, efficiency, and tuning with regard to the 
physical storage medium are important design considerations.
COMMON FILESYSTEMS 
WINDOWS BASED FILESYSTEMS 
FAT, NTFS, exFAT. 
LINUX BASED FILESYSTEMS 
ext, ext2, ext3, ext4. 
MAC BASED FILESYSTEMS 
HFS, HFS+, LisaFS. 
OTHERS : Reiser-4, ReiserFS, ZFS, HPFS, etc.
ASPECTS OF FILESYSTEM 
Space management 
The file system is responsible for organizing files and directories, and keeping track of which 
areas of the media belong to which file and which are not being used. One common issue 
related to it is fragmentation. 
Filenames 
A filename (or file name) is used to identify a storage location in the file system. Most file 
systems have restrictions on the length of filenames.
Directories 
File systems typically have directories (also called folders) which allow the user to group files into separate 
collections. This may be implemented by associating the file name with an index in a table of contents or 
an inode in a Unix-like file system. 
Metadata 
Other bookkeeping information is typically associated with each file within a file system.
FAT (FILE ALLOCATION TABLE) 
• File Allocation Table (FAT) is a computer file system architecture and a family of industry-standard 
file systems utilizing it. 
• The FAT file system is a legacy file system which is simple and robust. It offers good 
performance even in light-weight implementations, but cannot deliver the same 
performance, reliability and scalability as some modern file systems. 
• The name of the file system originates from the file system's prominent usage of an index 
table, the File Allocation Table (FAT), statically allocated at the time of formatting.
• The FAT file system is named for its method of organization, the file allocation table, which resides at the 
beginning of the volume. To protect the volume, two copies of the table are kept, in case one becomes 
damaged. 
• In addition, the file allocation tables and the root folder must be stored in a fixed location so that the files 
needed to start the system can be correctly located. 
• A volume formatted with the FAT file system is allocated in clusters. The default cluster size is determined by 
the size of the volume. For the FAT file system, the cluster number must fit in 16 bits and must be a power of 
two.
FAT ARCHITECTURE
FAT COMPONENTS 
Hard disk: Contains one or more partitions. 
Boot sector: Bootable partition that stores information about the layout of the volume and the file 
system structures, as well as the boot code that loads Ntldr. 
Master Boot Record: Contains executable code that the system BIOS loads into memory. The code 
scans the MBR to find the partition table to determine which partition is the active, or bootable, 
partition.
Ntldr : Switches the CPU to protected mode, starts the file system, and then reads the contents of 
the Boot.ini file. This information determines the startup options and initial boot menu selections. 
Fastfat.sys : System file driver for FAT16 and FAT32. 
Ntoskrnl.exe : Extracts information about which system device drivers to load and the load order. 
Kernel Mode : The processing mode that allows code to have direct access to all hardware and 
memory in the system. 
User Mode : The processing mode in which applications run.
PHYSICAL STRUCTURE OF FAT 
Clusters and Sectors on a FAT Volume 
A cluster (or allocation unit) is the smallest amount of disk space that can be allocated to hold a file. 
Sequence of Clusters on a FAT Volume 
Clusters are numbered sequentially from the beginning of the partition into logical cluster numbers. 
Because FAT file system data clusters are located after the BIOS Parameter Block (BPB), reserved 
sectors, and two FAT structures, FAT formatting cannot guarantee that data clusters are aligned on a 
cluster boundary.
ORGANIZATION OF FAT
Boot Sector 
Contains the BIOS parameter block that stores information about the layout of the volume and the file 
system structures, as well as the boot code that loads the operating system. 
Reserved Sectors 
The number of sectors that precede the start of the first FAT, including the boot sector. 
FAT 1 
Original FAT.
FAT 2 (Duplicate) 
Backup copy of the FAT. 
Root folder 
Describes the files and folders in the root of the partition. 
Other folders and all files 
Contains the data for the files and folders within the file system.
BOOT SECTORS ON MBR AND GPT DISKS 
On MBR disks the boot sector, which is located at the first logical sector of each partition, is a critical 
disk structure for starting your computer. It contains executable code and the data required by the 
code, including information that the file system uses to access the volume. At the end of the boot 
sector is a 2-byte structure called a signature word or end of sector marker, which is always set to 
0x55AA.
BOOT SECTOR 
A boot sector consists of the following elements: 
• An x86-based CPU jump instruction. 
• The original equipment manufacturer identification (OEM ID). 
• The BIOS parameter block (BPB), a data structure. 
• The extended BPB. 
• The executable boot code (or bootstrap code) that starts the operating system.
Boot Sector Sections on a FAT32 Volume 

Byte Offset   Field Length   Field Name 
0x00          3 bytes        Jump instruction 
0x03          8 bytes        OEM ID 
0x0B          53 bytes       BPB 
0x40          26 bytes       Extended BPB 
0x5A          420 bytes      Bootstrap code 
0x01FE        2 bytes        End of sector marker
FAT1 AND FAT2 
The file allocation table, FAT 1, identifies each cluster in the volume as one of the following: 
• Unused 
• Cluster in use by a file 
• Bad cluster 
• Last cluster in a file
FAT PROCESSES AND INTERACTIONS 
Mounting a FAT Volume 
When mounting a FAT volume, the MBR executes code to start up the boot sector. The boot 
sector then executes additional code to mount the volume. 
Master Boot Code Startup Process 
The MBR contains a small amount of executable code called the master boot code, the disk 
signature, and the partition table for the disk. During startup, the master boot code performs 
the following activities:
1. Scans the partition table for the active partition. 
2. Finds the starting sector of the active partition. 
3. Loads a copy of the boot sector from the active partition into memory. 
4. Transfers control to the executable code in the boot sector.
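The boot sector table above and the four master boot code steps come together in the following Python, an added example that is not part of the slides: it reads a constructed raw disk image, scans the MBR partition table for the active partition, finds its starting sector, and validates the sections of that partition's FAT32 boot sector. The MBR partition-entry layout and the BPB fields beyond the slide's table (bytes per sector at 0x0B, sectors per cluster, reserved sectors, FAT count, the 32-bit sectors-per-FAT field at 0x24) are the standard on-disk layouts and are assumed here, not taken from the slides.

```python
"""Locate the active partition from an MBR and parse its FAT32 boot sector.

Added example, not code from the slides. It follows the master boot code
steps (scan the partition table, find the active partition's starting
sector, load its boot sector) and then checks the boot sector sections from
the FAT32 table. MBR partition-entry and BPB field offsets are the standard
on-disk layouts (assumed, not from the slides).
"""
import struct

SECTOR_SIZE = 512
SIGNATURE = b"\x55\xAA"        # end-of-sector marker at 0x1FE of both MBR and boot sector
OFF_SIGNATURE = 0x1FE
OFF_PARTITION_TABLE = 0x1BE    # four 16-byte partition entries in the MBR
ACTIVE_FLAG = 0x80             # status byte of the active (bootable) partition entry
OFF_OEM_ID = 0x03              # 8-byte OEM ID (from the slide's table)
OFF_BPB = 0x0B                 # BPB starts here (from the slide's table)
OFF_SECTORS_PER_FAT32 = 0x24   # 32-bit sectors-per-FAT field, inside the 53-byte BPB


def find_active_partition(mbr: bytes) -> dict:
    """Steps 1 and 2 of the master boot code: return the single active partition entry."""
    if len(mbr) != SECTOR_SIZE or mbr[OFF_SIGNATURE:OFF_SIGNATURE + 2] != SIGNATURE:
        raise ValueError("MBR end-of-sector marker 0x55AA missing")
    active = []
    for i in range(4):
        # entry: status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, OFF_PARTITION_TABLE + 16 * i)
        if status == ACTIVE_FLAG:
            active.append({"index": i, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def parse_boot_sector(sector: bytes) -> dict:
    """Validate the boot sector sections and extract the BPB geometry an examiner needs."""
    if len(sector) != SECTOR_SIZE or sector[OFF_SIGNATURE:OFF_SIGNATURE + 2] != SIGNATURE:
        raise ValueError("boot sector end-of-sector marker 0x55AA missing")
    if sector[0] not in (0xEB, 0xE9):          # short or near x86 JMP opcode
        raise ValueError(f"first byte {sector[0]:#04x} is not an x86 jump instruction")
    oem_id = sector[OFF_OEM_ID:OFF_OEM_ID + 8].decode("ascii", "replace").rstrip()
    # BPB prefix: WORD bytes/sector, BYTE sectors/cluster, WORD reserved sectors, BYTE FAT count.
    bps, spc, reserved, num_fats = struct.unpack_from("<HBHB", sector, OFF_BPB)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError(f"implausible geometry: {bps} bytes/sector, {spc} sectors/cluster")
    if reserved == 0 or num_fats == 0:
        raise ValueError("reserved sector count and FAT count must be non-zero")
    sectors_per_fat = struct.unpack_from("<I", sector, OFF_SECTORS_PER_FAT32)[0]
    return {
        "oem_id": oem_id,
        "bytes_per_sector": bps,
        "cluster_size": bps * spc,
        "num_fats": num_fats,
        "fat1_sector": reserved,                                   # FAT1 follows the reserved sectors
        "fat2_sector": reserved + sectors_per_fat if num_fats > 1 else None,
        "data_sector": reserved + num_fats * sectors_per_fat,      # first data cluster (cluster 2)
    }


def locate_and_parse(image: bytes) -> dict:
    """Steps 1-3 of the startup process applied to a raw disk image (e.g. a dd image)."""
    part = find_active_partition(image[:SECTOR_SIZE])
    start = part["lba_start"] * SECTOR_SIZE
    info = parse_boot_sector(image[start:start + SECTOR_SIZE])
    info["partition_lba"] = part["lba_start"]
    return info


def build_sample_image() -> bytes:
    """Constructed image: MBR with one active FAT32 partition whose boot sector sits at LBA 2048."""
    part_lba = 2048
    img = bytearray(SECTOR_SIZE * (part_lba + 1))
    struct.pack_into("<B3xB3xII", img, OFF_PARTITION_TABLE, ACTIVE_FLAG, 0x0C, part_lba, 65536)
    img[OFF_SIGNATURE:OFF_SIGNATURE + 2] = SIGNATURE
    bs = part_lba * SECTOR_SIZE
    img[bs:bs + 3] = b"\xEB\x58\x90"                               # JMP short + NOP
    img[bs + OFF_OEM_ID:bs + OFF_OEM_ID + 8] = b"MSWIN4.1"
    struct.pack_into("<HBHB", img, bs + OFF_BPB, 512, 8, 32, 2)    # 512 B/sector, 8 sectors/cluster
    struct.pack_into("<I", img, bs + OFF_SECTORS_PER_FAT32, 1024)  # 1024 sectors per FAT
    img[bs + OFF_SIGNATURE:bs + OFF_SIGNATURE + 2] = SIGNATURE
    return bytes(img)
```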
Boot Sector Startup Process 
Computers use the boot sector to run instructions during startup. The initial startup process is summarized 
in the following steps: 
1. The system BIOS and the CPU initiate the power-on self test (POST). 
2. The BIOS finds the boot device, which is typically the first disk the BIOS finds, unless the controller is 
configured to boot from a different disk. 
3. The BIOS loads the first physical sector of the boot device into memory and transfers CPU execution to 
that memory address.
If the boot device is on a hard disk, the BIOS loads the MBR. The master boot code in the MBR 
loads the boot sector of the active partition, and transfers CPU execution to that memory 
address. On computers that are running Windows Server 2003, the executable boot code in the 
boot sector finds Ntldr, loads it into memory, and transfers execution to that file.
File Processing on FAT Clusters 
When a file is saved to a FAT-formatted volume, the file system stores the file's data in clusters on the hard disk. If 
a file requires more space than one cluster holds, FAT continues to store the file's data in the next 
available cluster until all of the file is stored. The following figure shows an example of 
how FAT stores and retrieves file information from clusters.
File Processing on a FAT Volume 
In this figure, 10 clusters (0 through 9) contain 3 files. One file occupies clusters 2, 3, 6, and 8; a 
second file occupies clusters 4 and 5; and a third file occupies cluster 7. The starting cluster 
number is the address of the first cluster used by the file. Each cluster contains a pointer to the 
next cluster in the file, or an end-of-file indicator (0xFFFF), which indicates that this cluster is the 
end of the file.
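The cluster chains in the figure, and the four cluster states listed under FAT1 and FAT2, can be worked through in code. The following Python is an added example, not from the slides: it walks a constructed FAT16 table that reproduces the figure (clusters 2, 3, 6, 8; 4, 5; and 7), refuses corrupted chains instead of looping, reassembles a file's bytes, and diffs the two FAT copies. The 0x0000 (unused) and 0xFFF7 (bad cluster) values are the standard FAT16 marks, assumed here; 0xFFFF is the end-of-file indicator the slide gives.

```python
"""Walk FAT16 cluster chains and cross-check FAT1 against FAT2.

Added example, not code from the slides. SAMPLE_FAT1 is a constructed table
reproducing the slide's figure: clusters 2,3,6,8 hold one file, 4,5 a second,
7 a third. 0xFFFF marks the last cluster as on the slide; 0x0000 (unused) and
0xFFF7 (bad cluster) are the standard FAT16 marks for the other two states.
"""
FREE = 0x0000
BAD = 0xFFF7
EOF_MIN = 0xFFF8   # 0xFFF8..0xFFFF: last cluster in a file

# Index = cluster number, value = next cluster. Clusters 0 and 1 are reserved
# in every FAT, so cluster 2 is the first cluster that can hold file data.
SAMPLE_FAT1 = [0xFFF8, 0xFFFF, 3, 6, 5, 0xFFFF, 8, 0xFFFF, 0xFFFF, FREE]


def classify(entry: int) -> str:
    """Map one FAT entry to the four states listed on the FAT1/FAT2 slide."""
    if entry == FREE:
        return "unused"
    if entry == BAD:
        return "bad cluster"
    if entry >= EOF_MIN:
        return "last cluster in a file"
    return "cluster in use by a file"


def walk_chain(fat: list, start: int) -> list:
    """Return the cluster chain of the file whose starting cluster is `start`.

    Follows the next-cluster pointers until the end-of-file mark. A damaged
    FAT can point into free space, at a bad cluster, outside the table, or
    back into the chain, so each case is rejected instead of looped over.
    """
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):
            raise ValueError(f"cluster {cur} lies outside the data area")
        if cur in seen:
            raise ValueError(f"cycle in chain at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt in (FREE, BAD):
            raise ValueError(f"cluster {cur} points at an entry marked '{classify(nxt)}'")
        if nxt >= EOF_MIN:
            return chain
        cur = nxt


def read_file(data_area: bytes, chain: list, cluster_size: int, file_size: int) -> bytes:
    """Concatenate the chain's clusters and cut at the size from the directory entry.

    Bytes after file_size in the last cluster are slack space: they belong to
    whatever occupied the cluster earlier and are a classic forensic artefact.
    """
    raw = b"".join(data_area[(c - 2) * cluster_size:(c - 1) * cluster_size] for c in chain)
    return raw[:file_size]


def compare_fats(fat1: list, fat2: list) -> list:
    """Return the cluster numbers where the two FAT copies disagree (empty = consistent)."""
    if len(fat1) != len(fat2):
        raise ValueError("FAT1 and FAT2 differ in length")
    return [i for i, (a, b) in enumerate(zip(fat1, fat2)) if a != b]
```

A non-empty result from compare_fats is the first thing to look at on a volume that was repaired or tampered with, since only one copy is normally updated by a naive tool.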
Formatting Volumes & Converting Volumes 
During volume format, the operating system places key file system structures on the volume, including the 
boot sector, and replaces Ntldr. A check of the integrity of all sectors on the volume is 
performed, and you have the opportunity to change the cluster size used on the volume. If a volume is 
formatted using Quick format, the file system structure on the volume is created, but the integrity of 
every sector in the volume is not checked.
COMPUTER FORENSIC
INTRODUCTION 
Computer forensics (sometimes known as computer forensic science) is a branch of digital 
forensic science pertaining to legal evidence found in computers and digital storage media. The 
goal of computer forensics is to examine digital media in a forensically sound manner with the 
aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the 
digital information.
THE FORENSICS PROCESS MODEL 
The U.S. Department of Justice published a process model in Electronic Crime Scene 
Investigation: A Guide to First Responders [5] that consists of four phases: 
1. Collection: involves the evidence search, evidence recognition, evidence collection 
and documentation. 
2. Examination: designed to make the evidence visible while explaining its 
origin and significance. It involves revealing hidden and obscured information and the 
relevant documentation.
3. Analysis: looks at the product of the examination for its significance and probative value 
to the case. 
4. Reporting: entails writing a report outlining the examination process and pertinent data 
recovered from the overall investigation.
TECHNIQUES 
A number of techniques are used during computer forensics investigations. 
Cross-drive analysis 
A forensic technique that correlates information found on multiple hard drives. The process, still 
being researched, can be used to identify social networks and to perform anomaly detection.
Live analysis 
The examination of computers from within the operating system using custom forensics or 
existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting 
File Systems, for example, where the encryption keys may be collected and, in some instances, 
the logical hard drive volume may be imaged (known as a live acquisition) before the computer 
is shut down.
Deleted files 
A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has 
its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always 
erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves 
searching for known file headers within the disk image and reconstructing deleted materials.
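The header search that file carving relies on, as an added example that is not part of the slides: the Python below scans a constructed raw image for the PNG signature and the IEND chunk that closes every PNG, optionally only at cluster-aligned offsets, and reports headers with no trailer (the remains of an overwritten file) separately. The signature and IEND bytes are the real values from the PNG specification; the image and the dummy chunks inside it are constructed here.

```python
"""Carve PNG files out of a raw image by header and trailer signature.

Added example, not code from the slides. The sample image is constructed
here: eight clusters of zeros with two small dummy PNGs (signature, an IHDR
chunk of filler bytes, IEND) and one bare header left over from an
overwritten file. PNG_HEADER and PNG_TRAILER are the real signature and the
fixed IEND chunk bytes from the PNG specification.
"""
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_TRAILER = b"IEND\xae\x42\x60\x82"   # IEND chunk type followed by its constant CRC


def carve_png(image: bytes, align: int = 1) -> tuple:
    """Return (carved, truncated): carved is a list of (offset, data), truncated a list of offsets.

    `align` restricts hits to offsets that are multiples of the cluster size:
    a file written by the file system always starts on a cluster boundary, so
    aligned scanning drops PNGs embedded inside other files (icons in a DOCX,
    for instance). A header with no trailer anywhere after it is reported in
    `truncated` rather than carved. Note the classic carving limitation: a
    bare header followed later by another file's trailer is carved as one
    oversized file; a real carver validates the chunk lengths in between.
    """
    carved, truncated = [], []
    pos = image.find(PNG_HEADER)
    while pos != -1:
        if pos % align == 0:
            end = image.find(PNG_TRAILER, pos + len(PNG_HEADER))
            if end == -1:
                truncated.append(pos)
            else:
                end += len(PNG_TRAILER)
                carved.append((pos, image[pos:end]))
                pos = image.find(PNG_HEADER, end)
                continue
        pos = image.find(PNG_HEADER, pos + 1)
    return carved, truncated


def build_sample_image(cluster_size: int = 512) -> bytes:
    """Constructed 8-cluster image, shaped like a dd image of a FAT data area."""
    dummy_ihdr = b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17   # 13 data bytes + 4 CRC bytes, all filler
    img = bytearray(cluster_size * 8)
    png = PNG_HEADER + dummy_ihdr + PNG_TRAILER
    # two intact files at clusters 2 and 5, and an orphaned header at cluster 7
    for cluster, blob in ((2, png), (5, png), (7, PNG_HEADER)):
        start = cluster * cluster_size
        img[start:start + len(blob)] = blob
    return bytes(img)
```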
Link files 
Link files are created when files are opened from a removable device or from a share on the network. Link files 
contain metadata including the file path, MAC times (last modified date, access date, etc.) and a serial number for 
the volume on which the file originated. Forensic investigators can use link files to determine if other computers or 
devices should be analyzed.
Volatile data 
When seizing evidence, if the machine is still active, any information stored solely in RAM that is not 
recovered before powering down may be lost. One application of "live analysis" is to recover RAM data 
(for example, using Microsoft's COFEE tool, windd, WindowsSCOPE) prior to removing an exhibit. 
CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and 
acquisition of physical memory on a locked computer.
THANK YOU

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Network forensic
Network forensicNetwork forensic
Network forensic
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigation
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Incident response process
Incident response processIncident response process
Incident response process
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
 
Data recovery tools
Data recovery toolsData recovery tools
Data recovery tools
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
File system
File systemFile system
File system
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics ppt
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 

Similar a Introduction to filesystems and computer forensics

File System and File allocation tables
File System and File allocation tablesFile System and File allocation tables
File System and File allocation tablesshashikant pabari
 
File Access & File System & File Allocation Table
File Access & File System & File Allocation TableFile Access & File System & File Allocation Table
File Access & File System & File Allocation TableChinmaya M. N
 
OS_Assignment for Disk Space & File System & File allocation table(FAT)
OS_Assignment for Disk Space & File System & File allocation table(FAT)OS_Assignment for Disk Space & File System & File allocation table(FAT)
OS_Assignment for Disk Space & File System & File allocation table(FAT)Chinmaya M. N
 
Disk and File System Management in Linux
Disk and File System Management in LinuxDisk and File System Management in Linux
Disk and File System Management in LinuxHenry Osborne
 
Filesystemimplementationpre final-160919095849
Filesystemimplementationpre final-160919095849Filesystemimplementationpre final-160919095849
Filesystemimplementationpre final-160919095849marangburu42
 
File system, dual boot, addon components, create user
File system, dual boot, addon components, create userFile system, dual boot, addon components, create user
File system, dual boot, addon components, create userHarman Gahir
 
File System, Dual Boot, Addon Components, Create User
File System, Dual Boot, Addon Components, Create UserFile System, Dual Boot, Addon Components, Create User
File System, Dual Boot, Addon Components, Create UserHarman Gahir
 
File systemimplementationfinal
File systemimplementationfinalFile systemimplementationfinal
File systemimplementationfinalmarangburu42
 
Computer Forensicschap05.doc Computer ForensicsChapter 5 – .docx
Computer Forensicschap05.doc Computer ForensicsChapter 5 – .docxComputer Forensicschap05.doc Computer ForensicsChapter 5 – .docx
Computer Forensicschap05.doc Computer ForensicsChapter 5 – .docxmaxinesmith73660
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux SecurityGeo Marian
 
Root file system
Root file systemRoot file system
Root file systemBindu U
 
Microsoft Windows File System in Operating System
Microsoft Windows File System in Operating SystemMicrosoft Windows File System in Operating System
Microsoft Windows File System in Operating SystemMeghaj Mallick
 
Fat File Systems
Fat File SystemsFat File Systems
Fat File SystemsArthyR3
 
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Ahmed El-Arabawy
 

Similar a Introduction to filesystems and computer forensics (20)

Os
OsOs
Os
 
File System and File allocation tables
File System and File allocation tablesFile System and File allocation tables
File System and File allocation tables
 
File Access & File System & File Allocation Table
File Access & File System & File Allocation TableFile Access & File System & File Allocation Table
File Access & File System & File Allocation Table
 
OS_Assignment for Disk Space & File System & File allocation table(FAT)
OS_Assignment for Disk Space & File System & File allocation table(FAT)OS_Assignment for Disk Space & File System & File allocation table(FAT)
OS_Assignment for Disk Space & File System & File allocation table(FAT)
 
Disk and File System Management in Linux
Disk and File System Management in LinuxDisk and File System Management in Linux
Disk and File System Management in Linux
 
Filesystemimplementationpre final-160919095849
Filesystemimplementationpre final-160919095849Filesystemimplementationpre final-160919095849
Filesystemimplementationpre final-160919095849
 
File system
File systemFile system
File system
 
File system
File systemFile system
File system
 
File system, dual boot, addon components, create user
File system, dual boot, addon components, create userFile system, dual boot, addon components, create user
File system, dual boot, addon components, create user
 
File System, Dual Boot, Addon Components, Create User
File System, Dual Boot, Addon Components, Create UserFile System, Dual Boot, Addon Components, Create User
File System, Dual Boot, Addon Components, Create User
 
File systemimplementationfinal
File systemimplementationfinalFile systemimplementationfinal
File systemimplementationfinal
 
Computer Forensicschap05.doc Computer ForensicsChapter 5 – .docx
Computer Forensicschap05.doc Computer ForensicsChapter 5 – .docxComputer Forensicschap05.doc Computer ForensicsChapter 5 – .docx
Computer Forensicschap05.doc Computer ForensicsChapter 5 – .docx
 
DBMS
DBMSDBMS
DBMS
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
 
Root file system
Root file systemRoot file system
Root file system
 
Microsoft Windows File System in Operating System
Microsoft Windows File System in Operating SystemMicrosoft Windows File System in Operating System
Microsoft Windows File System in Operating System
 
Fat File Systems
Fat File SystemsFat File Systems
Fat File Systems
 
Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1) Course 102: Lecture 26: FileSystems in Linux (Part 1)
Course 102: Lecture 26: FileSystems in Linux (Part 1)
 
XFS.ppt
XFS.pptXFS.ppt
XFS.ppt
 
File and fat
File and fatFile and fat
File and fat
 

Último

CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank  Design by Working Stress - IS Method.pdfIntze Overhead Water Tank  Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfSuman Jyoti
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxfenichawla
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Christo Ananth
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...SUHANI PANDEY
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptDineshKumar4165
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfRagavanV2
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptDineshKumar4165
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 

Último (20)

CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank  Design by Working Stress - IS Method.pdfIntze Overhead Water Tank  Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdf
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 

Introduction to filesystems and computer forensics

  • 1. INTRODUCTION TO FILESYSTEMS AND COMPUTER FORENSICS BY: MAYANK CHAUDHARI DEPARTMENT OF COMPUTER ENGINEERING COLLEGE OF TECHNOLOGY PANTNAGAR(GBPUAT)
  • 2. FIRST THING FIRST DATA • Facts and statics collected together for reference and analysis. INFORMATION • facts provided or learned about something or someone. FILE • A computer file is a resource for storing information, which is available to a computer program and is usually based on some kind of durable storage. A file is "durable" in the sense that it remains available for other programs to use after the program that created it has finished executing.
  • 3. WHAT IS A FILE SYSTEM ? A filesystem is the methods and data structures that an operating system uses to keep track of files on a disk or partition; that is, the way the files are organized on the disk. The word is also used to refer to a partition or disk that is used to store the files or the type of the filesystem. It is responsible for arranging storage space; reliability, efficiency, and tuning with regard to the physical storage medium are important design considerations.
  • 4. COMMON FILESYSTEMS WINDOWS BASED FILESYSTEMS FAT, NTFS , exFAT. LINUX BASED FILESYSTEMS ext, ext2 , ext3, ext4. MAC BASED FILESYSTEMS HFS, HFS+, LisaFS. OTHERS : Reiser-4, ReiserFS, ZFS, HPFS, etc.
  • 5. ASPECTS OF FILESYSTEM Space management The file system is responsible for organizing files and directories, and keeping track of which areas of the media belong to which file and which are not being used. One common issue related to it is fragmentation. Filenames A filename (or file name) is used to identify a storage location in the file system. Most file systems have restrictions on the length of filenames.
  • 6. Directories File systems typically have directories (also called folders) which allow the user to group files into separate collections. This may be implemented by associating the file name with an index in a table of contents or an inode in a Unix-like file system. Metadata Other bookkeeping information is typically associated with each file within a file system
FAT (FILE ALLOCATION TABLE)
• File Allocation Table (FAT) is a computer file system architecture and a family of industry-standard file systems utilizing it.
• The FAT file system is a legacy file system which is simple and robust. It offers good performance even in light-weight implementations, but cannot deliver the same performance, reliability and scalability as some modern file systems.
• The name of the file system originates from the file system's prominent usage of an index table, the File Allocation Table (FAT), statically allocated at the time of formatting.
• The FAT file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, two copies of the table are kept, in case one becomes damaged.
• In addition, the file allocation tables and the root folder must be stored in a fixed location so that the files needed to start the system can be correctly located.
• A volume formatted with the FAT file system is allocated in clusters. The default cluster size is determined by the size of the volume. For the FAT file system, the cluster number must fit in 16 bits and must be a power of two.
FAT COMPONENTS
Hard disk: Contains one or more partitions.
Boot sector: Bootable partition that stores information about the layout of the volume and the file system structures, as well as the boot code that loads Ntldr.
Master Boot Record: Contains executable code that the system BIOS loads into memory. The code scans the MBR to find the partition table to determine which partition is the active, or bootable, partition.
Ntldr: Switches the CPU to protected mode, starts the file system, and then reads the contents of the Boot.ini file. This information determines the startup options and initial boot menu selections.
Fastfat.sys: System file driver for FAT16 and FAT32.
Ntoskrnl.exe: Extracts information about which system device drivers to load and the load order.
Kernel Mode: The processing mode that allows code to have direct access to all hardware and memory in the system.
User Mode: The processing mode in which applications run.
PHYSICAL STRUCTURE OF FAT
Clusters and Sectors on a FAT Volume
A cluster (or allocation unit) is the smallest amount of disk space that can be allocated to hold a file.

Sequence of Clusters on a FAT Volume
Clusters are numbered sequentially from the beginning of the partition into logical cluster numbers. Because FAT file system data clusters are located after the BIOS Parameter Block (BPB), reserved sectors, and two FAT structures, FAT formatting cannot guarantee that data clusters are aligned on a cluster boundary.

Boot Sector: Contains the BIOS parameter block that stores information about the layout of the volume and the file system structures, as well as the boot code that loads the operating system.
Reserved Sectors: The number of sectors that precede the start of the first FAT, including the boot sector.
FAT 1: Original FAT.
FAT 2 (Duplicate): Backup copy of the FAT.
Root folder: Describes the files and folders in the root of the partition.
Other folders and all files: Contains the data for the files and folders within the file system.
BOOT SECTORS ON MBR AND GPT DISKS
On MBR disks the boot sector, which is located at the first logical sector of each partition, is a critical disk structure for starting your computer. It contains executable code and the data required by the code, including information that the file system uses to access the volume. At the end of the boot sector is a 2-byte structure called a signature word or end of sector marker, which is always set to 0x55AA.

BOOT SECTOR
A boot sector consists of the following elements:
• An x86-based CPU jump instruction.
• The original equipment manufacturer identification (OEM ID).
• The BIOS parameter block (BPB), a data structure.
• The extended BPB.
• The executable boot code (or bootstrap code) that starts the operating system.

Boot Sector Sections on a FAT32 Volume
Byte Offset   Field Length   Field Name
0x00          3 bytes        Jump instruction
0x03          8 bytes        OEM ID
0x0B          53 bytes       BPB
0x40          26 bytes       Extended BPB
0x5A          420 bytes      Bootstrap code
0x01FE        2 bytes        End of sector marker
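The layout in the table above can be decoded directly from a raw 512-byte sector. The following Python parser is an added example, not code from the slides: it checks the 0x55AA end of sector marker first, unpacks the BPB and extended BPB fields at the listed offsets (the field order inside the BPB follows the FAT specification), and derives where FAT 1, FAT 2 and the data clusters begin. The sector it parses is constructed in code and the geometry values are illustrative.

```python
import struct

SECTOR_SIZE = 512
END_OF_SECTOR_MARKER = b"\x55\xAA"  # the "signature word" at offset 0x1FE

# struct layouts for the BPB regions of the table above (all little-endian)
BPB_FMT = "<HBHBHHBHHHII"     # 25 bytes at 0x0B: bytes/sector ... total sectors (32-bit)
FAT32_EXT_FMT = "<IHHIHH12s"  # 28 bytes at 0x24: sectors/FAT (32-bit) ... reserved
EXT_BPB_FMT = "<BBBI11s8s"    # 26 bytes at 0x40: drive number ... FS type string


def build_sample_boot_sector():
    """Construct a FAT32 boot sector for the demo (constructed values, not a real image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0x00:0x03] = b"\xEB\x58\x90"  # x86 short jump over the BPB, plus NOP
    sector[0x03:0x0B] = b"MSWIN4.1"      # OEM ID
    struct.pack_into(BPB_FMT, sector, 0x0B,
                     512,       # bytes per sector
                     8,         # sectors per cluster (4 KiB clusters)
                     32,        # reserved sectors (boot sector, FSInfo, backup boot sector, ...)
                     2,         # number of FATs: FAT 1 and its duplicate FAT 2
                     0, 0,      # root entries / total sectors (16-bit): unused on FAT32
                     0xF8,      # media descriptor: fixed disk
                     0,         # sectors per FAT (16-bit): unused on FAT32
                     63, 255,   # sectors per track, heads (CHS geometry)
                     2048,      # hidden sectors before the partition
                     1048576)   # total sectors (a 512 MiB volume)
    struct.pack_into(FAT32_EXT_FMT, sector, 0x24,
                     1024,      # sectors per FAT (32-bit)
                     0, 0,      # ext flags, FS version
                     2,         # first cluster of the root directory
                     1, 6,      # FSInfo sector, backup boot sector
                     b"\x00" * 12)
    struct.pack_into(EXT_BPB_FMT, sector, 0x40,
                     0x80, 0, 0x29, 0x1234ABCD, b"NO NAME    ", b"FAT32   ")
    sector[0x1FE:0x200] = END_OF_SECTOR_MARKER
    return bytes(sector)


def parse_boot_sector(sector):
    """Decode the boot sector and derive the volume geometry, rejecting implausible values."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("boot sector is shorter than one sector")
    if sector[0x1FE:0x200] != END_OF_SECTOR_MARKER:
        raise ValueError("end of sector marker 0x55AA missing: not a valid boot sector")

    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats, root_entries,
     total_sectors_16, _media, sectors_per_fat_16, _spt, _heads, _hidden,
     total_sectors_32) = struct.unpack_from(BPB_FMT, sector, 0x0B)
    (sectors_per_fat_32, _flags, _version, root_cluster, fsinfo_sector,
     backup_boot_sector, _reserved) = struct.unpack_from(FAT32_EXT_FMT, sector, 0x24)
    (_drive, _res, boot_signature, volume_serial, label,
     fs_type) = struct.unpack_from(EXT_BPB_FMT, sector, 0x40)

    # Sanity checks: a tampered or random sector usually fails here before any geometry is trusted.
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes per sector: {bytes_per_sector}")
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError("sectors per cluster must be a power of two")
    if num_fats == 0 or reserved_sectors == 0:
        raise ValueError("number of FATs and reserved sectors must be non-zero")

    sectors_per_fat = sectors_per_fat_16 or sectors_per_fat_32
    total_sectors = total_sectors_16 or total_sectors_32
    # a fixed root directory region exists only on FAT12/16; root_entries is 0 on FAT32
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    fat_start = reserved_sectors
    data_start = reserved_sectors + num_fats * sectors_per_fat + root_dir_sectors
    cluster_count = (total_sectors - data_start) // sectors_per_cluster
    # The FAT type is decided by the cluster count (thresholds from the FAT specification),
    # never by the "FAT32   " label string, which is informational only.
    if cluster_count < 4085:
        fat_type = "FAT12"
    elif cluster_count < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    return {
        "oem_id": bytes(sector[0x03:0x0B]).decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
        "num_fats": num_fats,
        "fat1_start_sector": fat_start,
        "fat2_start_sector": fat_start + sectors_per_fat if num_fats > 1 else None,
        "data_start_sector": data_start,
        "cluster_count": cluster_count,
        "fat_type": fat_type,
        "root_cluster": root_cluster,
        "fsinfo_sector": fsinfo_sector,
        "backup_boot_sector": backup_boot_sector,
        "volume_serial": f"{volume_serial:08X}",
        "label": label.decode("ascii", "replace").rstrip(),
        "fs_type_string": fs_type.decode("ascii", "replace").rstrip(),
        "ext_boot_signature_ok": boot_signature == 0x29,
    }
```

The same parser applied to the backup boot sector (sector 6 here) is a quick consistency check: on an undamaged volume both copies decode to identical geometry.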
FAT1 AND FAT2
The file allocation table, FAT 1, identifies each cluster in the volume as one of the following:
• Unused
• Cluster in use by a file
• Bad cluster
• Last cluster in a file
FAT PROCESSES AND INTERACTIONS
Mounting a FAT Volume
When mounting a FAT volume, the MBR executes code to start up the boot sector. The boot sector then executes additional code to mount the volume.

Master Boot Code Startup Process
The MBR contains a small amount of executable code called the master boot code, the disk signature, and the partition table for the disk. During startup, the master boot code performs the following activities:
1. Scans the partition table for the active partition.
2. Finds the starting sector of the active partition.
3. Loads a copy of the boot sector from the active partition into memory.
4. Transfers control to the executable code in the boot sector.

Boot Sector Startup Process
Computers use the boot sector to run instructions during startup. The initial startup process is summarized in the following steps:
1. The system BIOS and the CPU initiate the power-on self test (POST).
2. The BIOS finds the boot device, which is typically the first disk the BIOS finds, unless the controller is configured to boot from a different disk.
3. The BIOS loads the first physical sector of the boot device into memory and transfers CPU execution to that memory address.
If the boot device is on a hard disk, the BIOS loads the MBR. The master boot code in the MBR loads the boot sector of the active partition, and transfers CPU execution to that memory address. On computers that are running Windows Server 2003, the executable boot code in the boot sector finds Ntldr, loads it into memory, and transfers execution to that file.
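The first three master boot code steps above can be modelled on a raw disk image. The following Python is an added example, not part of the slides: it reads the partition table from the MBR, checks that exactly one entry carries the 0x80 active flag and that entries do not overlap, and copies the active partition's boot sector the way step 3 does. The disk image is constructed inline (two partitions and a stub FAT32 boot sector at LBA 2048), and the partition type table is a small hypothetical subset.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte entries end at 0x1FE, just before the marker
END_OF_SECTOR_MARKER = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count

# Hypothetical subset of partition type IDs, enough for the demo
PARTITION_TYPES = {0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32 CHS",
                   0x0C: "FAT32 LBA", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_partition_table(mbr):
    """Step 1: read the four partition table entries, rejecting malformed status bytes."""
    if len(mbr) < SECTOR_SIZE or mbr[0x1FE:0x200] != END_OF_SECTOR_MARKER:
        raise ValueError("MBR end of sector marker 0x55AA missing")
    disk_signature, = struct.unpack_from("<I", mbr, 0x1B8)
    entries = []
    for index in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + 16 * index)
        if ptype == 0:
            continue  # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {index}: invalid status byte 0x{status:02X}")
        entries.append({"index": index, "active": status == 0x80, "type": ptype,
                        "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
                        "lba_start": lba_start, "sectors": sectors})
    return disk_signature, entries


def check_no_overlap(entries):
    """Overlapping entries are a sign of a corrupted or hand-edited partition table."""
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba_start"] < prev["lba_start"] + prev["sectors"]:
            raise ValueError(f"partitions {prev['index']} and {cur['index']} overlap")
    return True


def find_active_partition(entries):
    """Step 2: exactly one entry may carry the 0x80 active flag."""
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def load_boot_sector(disk, entry):
    """Step 3: copy the first sector of the active partition; it must end in 0x55AA too."""
    start = entry["lba_start"] * SECTOR_SIZE
    boot_sector = bytes(disk[start:start + SECTOR_SIZE])
    if len(boot_sector) != SECTOR_SIZE or boot_sector[0x1FE:0x200] != END_OF_SECTOR_MARKER:
        raise ValueError("active partition does not start with a valid boot sector")
    return boot_sector


def boot_chain(disk):
    """Steps 1 to 3 end to end; step 4 (jumping into the loaded code) is not performed."""
    _signature, entries = parse_partition_table(disk[:SECTOR_SIZE])
    check_no_overlap(entries)
    active = find_active_partition(entries)
    return active, load_boot_sector(disk, active)


def build_sample_disk():
    """Constructed image: an MBR with two partitions and a stub FAT32 boot sector at LBA 2048."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, 0x1B8, 0xDEADBEEF)  # disk signature (constructed value)
    struct.pack_into(ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET,
                     0x80, b"\x00\x21\x00", 0x0C, b"\xFE\xFF\xFF", 2048, 204800)
    struct.pack_into(ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + 16,
                     0x00, b"\xFE\xFF\xFF", 0x83, b"\xFE\xFF\xFF", 206848, 204800)
    mbr[0x1FE:0x200] = END_OF_SECTOR_MARKER
    disk = bytearray(SECTOR_SIZE * 2049)  # large enough to hold LBA 2048
    disk[0:SECTOR_SIZE] = mbr
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x58\x90"
    vbr[3:11] = b"MSWIN4.1"
    vbr[0x1FE:0x200] = END_OF_SECTOR_MARKER
    disk[2048 * SECTOR_SIZE:2049 * SECTOR_SIZE] = vbr
    return bytes(disk)
```

A forensic image of a disk is read the same way, except that the entry's LBA start is also where a hidden or unlisted partition would not appear: comparing the listed partitions against the disk's total size shows whether any space is unaccounted for.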
File Processing on FAT Clusters
When a file is saved to a FAT-formatted volume, it stores file information in clusters on the hard disk. If a file requires more space than the cluster's size, FAT continues to store file information in the next available cluster until all information about the file is stored. The following figure shows an example of how FAT stores and retrieves file information from clusters.

File Processing on a FAT Volume
In this figure, 10 clusters (0 through 9) contain 3 files. One file occupies clusters 2, 3, 6, and 8; a second file occupies clusters 4 and 5; and a third file occupies cluster 7. The starting cluster number is the address of the first cluster used by the file. The FAT entry for each cluster contains a pointer to the next cluster in the file, or an end-of-file indicator (0xFFFF), which indicates that this cluster is the end of the file.
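The figure's chain (clusters 2, 3, 6, 8) can be reproduced with a small FAT table. The following Python is an added example, not from the slides: it encodes the figure as a FAT16 table, classifies each entry into the four states listed under FAT1 AND FAT2, walks a file's chain from its starting cluster, and reassembles the file's content from a constructed data area while separating the slack at the end of the last cluster. The walker refuses to follow a chain that loops, leaves the table, or runs into a free or bad cluster, which is the check a recovery tool needs before trusting a possibly corrupted FAT. The entry values (0x0000 free, 0xFFF7 bad, 0xFFF8 to 0xFFFF end of chain) are the FAT16 values from the FAT specification; the figure uses 0xFFFF.

```python
# FAT16 entry values from the FAT specification
FREE = 0x0000
BAD_CLUSTER = 0xFFF7
END_OF_CHAIN_MIN = 0xFFF8   # 0xFFF8..0xFFFF all mean "last cluster in a file"
FIRST_DATA_CLUSTER = 2      # entries 0 and 1 are reserved (media descriptor, end marker)

# Constructed FAT reproducing the figure: 2->3->6->8, 4->5, 7 alone, 9 free.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 6, 5, 0xFFFF, 8, 0xFFFF, 0xFFFF, FREE]
# Constructed data area, 4 bytes per cluster, for clusters 2..9 in order.
SAMPLE_CLUSTER_SIZE = 4
SAMPLE_DATA = b"AAAA" b"BBBB" b"CCCC" b"DDDD" b"EEEE" b"FFFF" b"GGxx" b"zzzz"


def classify(entry):
    """Map a FAT entry to the four states the slide lists."""
    if entry == FREE:
        return "unused"
    if entry == BAD_CLUSTER:
        return "bad cluster"
    if entry >= END_OF_CHAIN_MIN:
        return "last cluster in a file"
    return "cluster in use by a file"


def follow_chain(fat, start_cluster):
    """Return a file's clusters in order by walking FAT entries from its starting cluster.

    Raises on the corruptions a recovery tool must not follow blindly: references outside
    the table, a chain that loops, or a chain that runs into a free or bad cluster.
    """
    chain = []
    seen = set()
    cluster = start_cluster
    while True:
        if cluster < FIRST_DATA_CLUSTER or cluster >= len(fat):
            raise ValueError(f"cluster {cluster} lies outside the data area")
        if cluster in seen:
            raise ValueError(f"cluster chain loops back to {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        state = classify(fat[cluster])
        if state == "last cluster in a file":
            return chain
        if state != "cluster in use by a file":
            raise ValueError(f"chain reaches {state} at cluster {cluster}")
        cluster = fat[cluster]


def allocation_map(fat):
    """State of every data cluster; 'unused' clusters are where deleted content may remain."""
    return {c: classify(fat[c]) for c in range(FIRST_DATA_CLUSTER, len(fat))}


def unallocated_clusters(fat):
    return [c for c, state in allocation_map(fat).items() if state == "unused"]


def read_file(fat, data, cluster_size, start_cluster, file_size):
    """Reassemble a file from the data area. Returns (content, slack): content is cut at
    file_size, slack is the unused tail of the last cluster, which may hold older data."""
    out = bytearray()
    for cluster in follow_chain(fat, start_cluster):
        offset = (cluster - FIRST_DATA_CLUSTER) * cluster_size
        out += data[offset:offset + cluster_size]
    return bytes(out[:file_size]), bytes(out[file_size:])
```

When a file is deleted on FAT, its directory entry is marked and its chain entries are freed, so follow_chain no longer works for it; the cluster content itself is untouched until reused, which is what the deleted-file recovery techniques later in these slides rely on.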
Formatting Volumes & Converting Volumes
During volume format, the operating system places key file system structures on the volume, including the boot sector, and replaces Ntldr. A check of the integrity of all sectors on the volume is performed, and you have the opportunity to change the cluster size used on the volume. If a volume is formatted using Quick format, the file system structure on the volume is created, but the integrity of every sector in the volume is not checked.
INTRODUCTION
Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

THE FORENSICS PROCESS MODEL
The U.S. Department of Justice published a process model in Electronic Crime Scene Investigation: A Guide to First Responders[5] that consists of four phases:
1. Collection: involves the evidence search, evidence recognition, evidence collection and documentation.
2. Examination: designed to facilitate the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation.
3. Analysis: looks at the product of the examination for its significance and probative value to the case.
4. Reporting: entails writing a report outlining the examination process and pertinent data recovered from the overall investigation.
TECHNIQUES
A number of techniques are used during computer forensics investigations.

Cross-drive analysis
A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.

Live analysis
The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Deleted files
A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
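File carving as described above works on raw bytes and consults no file system metadata, so it finds content in unallocated space as readily as in allocated files. The following Python is an added example, not from the slides: it scans an image for the header bytes of JPEG and PNG files, cuts each one out up to its footer, and reports a header with no footer within a size cap as an incomplete carve rather than swallowing the rest of the image. The image it scans is constructed inline; the magic numbers are the formats' real ones.

```python
# Header and footer magic bytes for two common formats (real values; selection is ours)
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
}
MAX_CARVE_SIZE = 10 * 1024 * 1024  # cap so a missing footer cannot consume the whole image


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE):
    """Return carved objects sorted by offset.

    Each hit records type, offset, size, whether the footer was found, and the bytes.
    A header whose footer is not found within max_size is reported as incomplete and
    truncated at max_size (or the end of the image), so a damaged file still surfaces.
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                size = min(max_size, len(image) - start)
                hits.append({"type": kind, "offset": start, "size": size,
                             "complete": False, "data": image[start:start + size]})
                pos = start + len(header)  # keep scanning past this header
            else:
                end += len(footer)
                hits.append({"type": kind, "offset": start, "size": end - start,
                             "complete": True, "data": image[start:end]})
                pos = end
    hits.sort(key=lambda h: h["offset"])
    return hits


def summarize(hits):
    """Compact (type, offset, size, complete) tuples for reporting."""
    return [(h["type"], h["offset"], h["size"], h["complete"]) for h in hits]


def build_sample_image():
    """Constructed 'unallocated space': zero filler with a JPEG, a PNG and a truncated JPEG."""
    filler = b"\x00" * 1024
    jpeg = b"\xFF\xD8\xFF\xE0" + b"\x00\x10JFIF\x00" + b"A" * 100 + b"\xFF\xD9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0DIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xAE\x42\x60\x82")
    truncated_jpeg = b"\xFF\xD8\xFF\xE1" + b"B" * 50  # footer never written: interrupted copy
    return filler + jpeg + filler + png + filler + truncated_jpeg
```

Header/footer carving cannot reassemble a fragmented file, whose clusters are not contiguous on disk; when the file system's own allocation metadata for the file survives, following it is the more reliable route, and carving is the fallback for what the metadata no longer describes.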
Link files
Link files are created when files are opened from a removable device or from a share on the network. Link files contain metadata including the file path, MAC times (last modified date, access date, etc.) and a serial number for the volume on which the file originated. Forensic investigators can use link files to determine if other computers or devices should be analyzed.

Volatile data
When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool, windd, WindowsSCOPE) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.