Forensics: Mounting Images

The site, Windows Incident Response, has produced another useful article, this one on tools for mounting images.

The headline information is below; the full article is available here.
VDKWin (free) – Excellent UI for VDK.
ImDisk (free) – installs as a Control Panel applet
SMARTMount (pay) – Andy Rosen’s superb mounting utility; requires a dongle, mounts raw, SMART, EWF, SAW, VMWare virtual disk format images, and detects a wide variety of file systems.
P2Explorer (free, requires registration) – Lots of cool features, mounts a variety of formats.
Captain Nemo (pay) – Mounts raw and RAID Reconstructor images from Linux, MS, and Novell systems.

Similar tools that may be of use:
MKS Software's mount utility
MS’s Virtual CD-ROM drive from XP (1, 2, 3)
Mounting ISO images on Vista/Win7
WinCDEmu – mount ISO images

Forensics: Examining USB Drives

When conducting a computer forensics investigation on a USB thumb drive, in addition to imaging the drive, it is recommended that the PID and serial number of the USB drive are obtained, particularly for those working in the civil sector.

The reason is that those working in the civil sector often image/collect the data at the scene and then have to return the original source media, leaving with only the images.

With hard drives, CDs, etc., this is not a problem, because an image captures all of the data required; with a USB drive, however, this may not be the case.

A USB drive, i.e. the actual hardware, carries the serial number/PID of the device, which is not captured in the image.

This information can be important if the investigator is trying to prove that a particular USB drive was connected to a computer, as the serial number/PID of the USB drive is written to the registry and Setupapi.log of the computer it is connected to. If this information is not obtained from the USB thumb drive at the time of collection, it may never be available again (the USB drive could be lost, destroyed, or access refused).

If the USB serial number/PID is not available it may not be possible to prove a sequence of events; this is particularly important for data theft investigations.

Software tools are able to pull this information out of the USB drive, but this requires connecting the USB drive directly to a computer, which may not be feasible. Tableau's hardware write blocker for USB devices, the T8, can display all of the information required.
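As an added example (not from the original post or from Tableau), the script below shows what the registry artefacts mentioned above look like once the drive has been connected, and why the serial number matters for tying a physical stick to a machine. It parses USBSTOR and USB device-instance key paths from a constructed .reg export of HKLM\SYSTEM\...\Enum (all serials, VID/PID values and names are made up), correlates the two by serial, and flags instance ids that Windows synthesised because the device reported no unique serial. The key-path layout (Disk&Ven_...&Prod_...&Rev_...\<serial>&<lun>, VID_xxxx&PID_xxxx\<serial>) and the rule that a synthesised id has '&' as its second character are standard Windows behaviour; the sample data and function names are this example's own.

```python
import re

# Constructed sample (not from the post): key paths in the form a .reg export of
# HKLM\SYSTEM\ControlSet001\Enum would contain. Serials, VID/PID and names are
# made up for illustration.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230812345678&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a3b4c5d&0&_&0]
"FriendlyName"="Generic Flash Disk USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_0781&PID_5575\4C530001230812345678]
"Service"="USBSTOR"
"""

# USBSTOR keys: <type>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance id>
USBSTOR_KEY = re.compile(
    r"\\Enum\\USBSTOR\\(?P<type>[^&\\\]]+)&Ven_(?P<ven>[^&\]]*)&Prod_(?P<prod>[^&\]]*)"
    r"&Rev_(?P<rev>[^\\\]]*)\\(?P<inst>[^\]]+)\]",
    re.IGNORECASE,
)
# USB keys: VID_xxxx&PID_xxxx\<serial, or a Windows-generated instance id>
USB_KEY = re.compile(
    r"\\Enum\\USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<inst>[^\]]+)\]",
    re.IGNORECASE,
)


def split_instance_id(inst):
    """Return (serial, windows_generated).

    USBSTOR instance ids end in '&<lun>', so the serial is everything before the
    last '&'. When a device reports no unique serial, Windows synthesises an id
    whose second character is '&' (e.g. '7&2a3b4c5d&0&_'). Such an id is specific
    to this host and port, so it cannot tie the physical stick to the machine.
    """
    serial = inst.rsplit("&", 1)[0]
    return serial, len(serial) > 1 and serial[1] == "&"


def parse_usb_devices(reg_text):
    """Correlate USBSTOR entries with USB VID/PID entries by serial number."""
    vid_pid_by_serial = {}
    for m in USB_KEY.finditer(reg_text):
        serial, _ = split_instance_id(m.group("inst"))
        vid_pid_by_serial[serial.upper()] = (m.group("vid").upper(), m.group("pid").upper())

    devices = []
    for m in USBSTOR_KEY.finditer(reg_text):
        serial, generated = split_instance_id(m.group("inst"))
        vid, pid = vid_pid_by_serial.get(serial.upper(), (None, None))
        devices.append({
            "vendor": m.group("ven"),
            "product": m.group("prod"),
            "revision": m.group("rev"),
            "serial": serial,
            "windows_generated_serial": generated,  # True: cannot identify the hardware
            "vid": vid,
            "pid": pid,
        })
    return devices


if __name__ == "__main__":
    for d in parse_usb_devices(SAMPLE_REG_EXPORT):
        flag = " (Windows-generated, not a hardware serial)" if d["windows_generated_serial"] else ""
        print(f"{d['vendor']} {d['product']} rev {d['revision']} "
              f"VID={d['vid']} PID={d['pid']} serial={d['serial']}{flag}")
```

The second sample device is the case the post warns about: with no hardware serial captured at collection time, the registry entry alone cannot be matched back to a specific stick, so the serial read from the hardware (or from the write blocker's display) is the value that closes the loop.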

Tableau USB Write Blocker

Forensics: What is the $BadClus?

$BadClus is one of the 16 key NTFS metadata files. Its role is to track sectors that are damaged or otherwise unusable on the drive. $BadClus has MFT record number 8 and, in the MFT, it comes just after $BitMap and $Boot.

The file $BadClus, as the name implies, stores a reference to the bad clusters on the hard drive. It is the same concept as $BitMap, which stores a list of available and unavailable sectors across the partition; however, $BadClus keeps track of sectors which it believes are bad/faulty and should not be written to. If data exists on a sector it will remain there even if $BadClus marks the sector as bad. Remember, this does not mean that the sector is bad, only that the NTFS file system thinks it is.

If a drive is formatted "quickly" $BadClus will be empty, as the file system does not yet know what is and is not a bad cluster. If a drive is formatted via the longer (full) method then every cluster is checked and $BadClus will be fully updated.

What is unallocated space?

Unallocated space, sometimes called "free space", is logical space on a hard drive that the operating system, e.g. Windows, can write to. To put it another way, it is the opposite of "allocated" space, which is where the operating system has already written files.

Examples.

If the operating system writes a file to a certain space on the hard drive, that part of the drive is now "allocated", as the file is using the space, and no other files can be written to that section. If that file is deleted then that part of the hard drive no longer needs to be "allocated" and it becomes unallocated. This means that new files can now be written to that location.

On a standard, working computer, files can only be written to the unallocated space.

If a newly formatted drive is connected to a computer, virtually all of the drive space is unallocated space (a small amount of space will be taken up by files within the file system, e.g. $MFT, etc.). On a new drive the unallocated space is normally zeros; as files are written to the hard drive the zeros are overwritten with the file data.

Working Example

Blank Drive

A freshly formatted (NTFS) 500 GB hard drive starts with 99.9% unallocated space; we will assume it is 100% to make the maths slightly easier. All of the unallocated space will be zeros, literally 00 00 00 written on the hard drive.

If a 5 GB file, e.g. a large movie, is placed on the drive, then there will be 1% (5 GB) allocated space and 99% (495 GB) unallocated space.

If a 10 GB database file is now added to this hard drive there will be a total of 3% (15 GB) of allocated space and 485 GB of unallocated space. New files will only be written into the remaining unallocated space.

What happens when a file is deleted?

If the movie file from the above example is deleted, the allocated space it was using will now become unallocated, i.e. there will now be 2% allocated space (the 10 GB database) and 98% unallocated space.

However, the data from the movie file is still on the hard drive; it does not just disappear, it just changes its status. This means that the following situation now exists:

There is 10 GB of allocated space and 490 GB of unallocated space.

Of the 490 GB, 485 GB would be all zeros; however, 5 GB of the unallocated space would be the old movie data.

Until new files are written to the hard drive, this movie file will remain deleted but still recoverable. Even when new files are written, they must overwrite the same unallocated space that the movie file occupies before the movie file is destroyed.
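As an added example (not part of the original posts, and not an NTFS implementation), the toy model below carries the bookkeeping described in both the $BadClus post and this worked example into running code: an allocation bitmap in the role of $BitMap, a set of bad clusters in the role of $BadClus, and a write/delete/carve cycle. It shows that marking a cluster bad or deleting a file changes only the bookkeeping, and that the old bytes remain readable from unallocated clusters until a later write lands on exactly those clusters. The class, function and file names are this example's own; the scenario scales the 500 GB example down so that one cluster stands for one gigabyte.

```python
from dataclasses import dataclass, field

# Hypothetical toy model of cluster bookkeeping on an NTFS-like volume; it is
# not an NTFS parser. It carries two ideas from the posts:
#   - an allocation bitmap (the $BitMap idea): one flag per cluster, True = in use
#   - a bad-cluster set (the $BadClus idea): clusters withdrawn from allocation,
#     whose existing bytes are left exactly as they are
# Real NTFS records bad clusters by allocating them to the $Bad attribute of
# $BadClus; a separate set keeps the toy small.

CLUSTER_SIZE = 8  # bytes per cluster in the toy; NTFS defaults to 4096


@dataclass
class ToyVolume:
    cluster_count: int
    clusters: list = field(init=False)
    bitmap: list = field(init=False)           # True = allocated
    bad: set = field(default_factory=set)      # cluster numbers believed faulty
    files: dict = field(default_factory=dict)  # name -> clusters holding the file

    def __post_init__(self):
        # A freshly formatted volume: every cluster zero-filled and free
        self.clusters = [bytes(CLUSTER_SIZE) for _ in range(self.cluster_count)]
        self.bitmap = [False] * self.cluster_count

    def mark_bad(self, n):
        # Withdraw the cluster from allocation; do not touch its contents
        self.bad.add(n)

    def free_clusters(self):
        return [n for n in range(self.cluster_count)
                if not self.bitmap[n] and n not in self.bad]

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER_SIZE)  # ceiling division
        free = self.free_clusters()
        if len(free) < needed:
            raise OSError("not enough unallocated space")
        chosen = free[:needed]
        for i, n in enumerate(chosen):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.clusters[n] = chunk.ljust(CLUSTER_SIZE, b"\x00")
            self.bitmap[n] = True
        self.files[name] = chosen
        return chosen

    def delete(self, name):
        # Deletion only clears the bitmap flags; the cluster contents are kept
        for n in self.files.pop(name):
            self.bitmap[n] = False

    def allocated_bytes(self):
        return sum(self.bitmap) * CLUSTER_SIZE

    def unallocated_bytes(self):
        return (self.cluster_count - sum(self.bitmap)) * CLUSTER_SIZE

    def carve_unallocated(self, needle):
        # What a forensic tool does: read the clusters the bitmap says are free
        # and look for file content there. Returns cluster numbers holding needle.
        return [n for n in range(self.cluster_count)
                if not self.bitmap[n] and needle in self.clusters[n]]


def scenario():
    """The 500 GB worked example scaled down so that 1 cluster stands for 1 GB."""
    vol = ToyVolume(cluster_count=100)
    vol.mark_bad(99)                              # a cluster the file system believes is bad
    vol.write("movie.mkv", b"MOVIE!!!" * 5)       # 5 clusters, like the 5 GB movie
    vol.write("sales.db", b"DATABASE" * 10)       # 10 clusters, like the 10 GB database
    after_write = (vol.allocated_bytes(), vol.unallocated_bytes())
    vol.delete("movie.mkv")
    after_delete = (vol.allocated_bytes(), vol.unallocated_bytes())
    recoverable = vol.carve_unallocated(b"MOVIE")  # still carvable from free clusters
    vol.write("notes.txt", b"new text" * 3)        # reuses the lowest free clusters
    still_recoverable = vol.carve_unallocated(b"MOVIE")
    return {
        "after_write": after_write,
        "after_delete": after_delete,
        "recoverable_after_delete": recoverable,
        "recoverable_after_new_write": still_recoverable,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows allocation dropping from 15 clusters to 10 when the movie is deleted while all five movie clusters remain carvable; the later three-cluster write destroys only the three clusters it reuses, and the remaining two are still recoverable, which is exactly the "must overwrite the same unallocated space" point above.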

Unallocated space can only be accessed by specialist tools, and not directly from Windows. Such tools include:

ACPO Guidelines

Below are the principles that computer forensic experts in both the police and private sector follow; these come from the ACPO Guidelines.

These principles cover the imaging of the hard drives.

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

ACPO Guidelines

Part 35 of the Civil Procedure Rules defines how an expert witness (e.g. a computer forensics expert) should give evidence in court, produce reports, and what evidence should be given in civil cases.
