After acquiring and preserving the pertinent evidence, we move onto analyzing Windows images.
As mentioned earlier, forensic analysis tools usually bypass operating systems normal operations to show you deleted content and other data that is typically inaccessible.
In this video, we will review Windows file system basics
to help you understand how forensic analysis tools are able to retrieve data
that is typically inaccessible by normal users.
In a Windows system, the smallest unit for storage is called a cluster, which is equivalent to a block in Linux UNIX systems.
When a cluster is reused but not filled completely, Windows does not overwrite the unused portion.
This space inside a cluster is called slack space.
Forensic investigators care about slack spaces because this space can contain deleted data that can be crucial evidence for investigations.
However, in Linux UNIX file systems, the unused portion of this block is usually filled with zeros.
When a file system is being stored on a partition, the partition will have an organized structure for the operating system to store files and for users to access them by name and location.
What does a file system do?
- make a structure for an operating system to store files for you to access them by name, date, or other characteristics.
- File system format: The process of turning a partition into a recognizable file system.
The process of turning a partition into a recognizable file system is called file system formatting.
Windows file systems include
- FAT 12, FAT 16, FAT 32, exFAT, NTFS, and the newest ReFS (a file system for Windows server 2012).
In this class, I will focus on the basics of FAT and NTFS file systems and explain how forensic tools access the basic file system structure to identify information.
The FAT file system was developed in 1977 based on Bill Gates idea.
FAT 12 was originally designed for floppy disks, FAT 16, 32, and exFAT, still commonly used for USB flash drives, SD cards, and hard drives.
A FAT file system starts with a boot record followed by the file allocation table,
short for FAT, then the root directory and finally the data area.
FAT FILE SYSTEM STRUCTURE
- The boot record
- The file allocation tables
- The root directory
- The data area
Here I used in cases disk review feature to show you the disk layout of a FAT 12 system.
In this picture, each square represents a sector of 512 bytes.
The first sector in red color is the boot record followed by the primary FAT and then the backup FAT.
The green sectors store the root directory content.
The blue sectors currently used the files and directories.
The gray sectors are not in use at this moment.
The data in this gray sector come from previous files or directories.
- The first sector of a FAT12 or FAT16 Volume.
- The first 3 sectors of a FAT32 volume.
- Defines the volume, the offset of the other 3 areas.
- Contains boot program if it is bootable.
The boot record, the first sector for a FAT 12 or FAT 16 volume defines the cluster size, the number of sectors per FAT, and the maximum number of entries in the root directory.
It may also contain a boot program if this partition is bootable.
The file allocation table is the key component of a FAT system.
FAT is a lookup table to tell which cluster comes next.
To locate a file’s data content given a filename, we only need to know the first cluster’s address then use the FAT to find the rest of the cluster addresses.
The number after FAT defines the number of bits used for a cluster’s address.
For a FAT 16 file system, each table cell is 16 bits representing the clusters address,
while FAT 32 file system uses 32 bits for cluster’s address.
Therefore, the maximum number of clusters that a FAT 16 file system can have is 2 to the 16th power.
Each table cell has its own address.
And its content is the address of the next cluster if the file uses more than one cluster.
If the cluster is the last cluster for this file, its content will always be hex or ones.
If a cluster is currently not in use, its content is all zero.
A bad cluster always contains hex FFF7.
Now if we can find an address of the first cluster that is assigned to the given filename, we will have all the pieces to map the filename to its data content.
This information actually resides in the files parent directory.
Windows root directory typically follows immediately after the FATs.
Each directory entry representing a file or sub-directory
in the current directory is 32 bytes long.
It contains information of the filename and extension, entry type, either a directory or file, the address of the first data cluster at byte 26 and 27,
the lens of the file at byte 28, 29 and data time.
Here is the process to locate a file in a FAT system.
Starting from the Windows root directory, find a directory entry whose filename matched for the sub-directory or the file’s name.
In this directory entry, find its first cluster at byte 26, 27 then use the FAT to get the chain of clusters for this sub-directory or file.
If this is a sub-directory, repeat this process using the sub-directory’s content
until you reach to the file’s content.
This unit includes a video that shows you how to find this information in a FAT 16 system.
FILE DELETION AND RECOVERY UNDER FAT
What happens to a deleted file in a FAT file system?
When a file is deleted, the system replaces the first character of the filename
with the hex code hex E5 and unallocates the files clusters in FAT table.
Windows system does not remove the contents of that file
until the cluster is used or overwritten by new files.
If the directory entry information is available, we still can find the first cluster for the file.
RECOVER FOLDERS IN FAT PARTITION
To recover folders in a FAT partition, a forensic analysis tool usually searches
through unallocated clusters.
If that and a dot dot are found in a cluster, it is very likely that you’ll find an old
directory or portion of a directory since each directory
contains just two sub-directories.
People usually sanitize disks by performing a formatting process before returning our recycling disks.
However, there are two types of formatting in Windows: quick formatting and full formatting.
If you perform a quick format, this process will zero out both the root directory entries
and the file allocation table entries.
The data area is not touched.
If you use a forensic analysis tool to recover folders,
you will find many information on this partition.
If you bought a used disk from eBay years ago, it was likely the partition was fast formatted.
Nowadays, used disks from eBay use a full format.
A full format will check bad sectors and then write either the hex characters F6 or zeros through the whole disk leaving no evidence behind.
Reference: Yin Pan,
Professor, Computing Security
Rochester Institute of Technology