Tuesday, December 28, 2010

Mission: EnCE - Some "footnotes" II

Wrapping up yesterday's post on footnotes, I am publishing a few more notes about EnCase, from Guidance Software:



File Systems 
• FAT file systems (FAT12, 16, 32) group one or more sectors in powers of 2 into clusters.
• The number of clusters that the file system can manage is determined by the available bits employed by the FAT.
• FAT16 (2^16) allows 65,536 clusters.
• FAT32 (2^28, since only 28 of the 32 bits of each entry are used) allows 268,435,456 clusters.
• The FAT maintains the status of every cluster on the volume: available (entry value 0), in use (the entry holds the number of the next cluster in the file's chain), containing the end of a file (EOF marker), or containing one or more defective sectors (BAD marker).
• The FAT also tracks file fragmentation.
• Directory entries maintain the file name, logical file size, and starting cluster.
• Starting from the cluster named in the directory entry, the FAT is read to locate the rest of the file's data.
• Each FAT volume maintains two copies of the FAT – FAT1 and FAT2.
• Each sector contains 512 data bytes, and this size is consistent across different media types (ZIP disks, floppies, HDDs, etc.). The exception, which did not exist when these notes were written, is Advanced Format drives with native 4,096-byte sectors; check the sector size EnCase reports before applying any offset arithmetic.
• Logical file size is the actual number of bytes that the file contains.
• Physical file size is the amount of actual media space allocated to the file.
• Only one file can occupy a cluster at one time – no two files can occupy the same cluster.

File Slack 
• Displayed in EnCase as red text. It is the data from the end of the logical file to the end of the physical file.
• EnCase also displays FAT directory entries in red text, because neither slack nor FAT directories have any logical file size.


Deleted Files 
• Two actions occur when a file is deleted from a FAT system: the first character of each directory entry pertaining to the file is changed to E5h, and the FAT entries for the file's clusters are reset to 0 (available).
• Deleting a file has no effect on the file's actual data clusters, in either FAT or NTFS; the content remains on disk until those clusters are reallocated.
• EnCase reads the directory entry for a deleted file and obtains the starting extent. It then determines the number of clusters the file requires by dividing the logical file size by the bytes per cluster and rounding up.
• EnCase reads the FAT to determine if the indicated starting extent (cluster) is in use by any other file.
• If the indicated starting extent (cluster) is in use by another file, EnCase deems this file to be overwritten.
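The FAT rules in the three lists above, worked through in code: the directory entry supplies name, logical size and starting cluster; the FAT supplies the chain and the available/EOF/BAD status of each cluster; slack is physical size minus logical size; deletion writes E5h over the first name byte and zeroes the file's FAT entries; and a deleted file whose starting cluster is now in use is deemed overwritten. This is an added Python example, not EnCase code and not from the original post. The volume geometry (512-byte sectors, 4 sectors per cluster), the FAT table and the directory bytes are all constructed here. The "partially overwritten" status and the assumption that a deleted file's clusters were contiguous from its starting cluster are this example's own choices, not EnCase terminology.

```python
"""Walk FAT16 structures: directory entry -> first cluster, FAT -> chain,
logical vs physical size -> slack, E5h / zeroed-FAT rules for deleted files.
All geometry and bytes below are constructed for illustration."""
import struct

BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 4                                      # assumed geometry
BYTES_PER_CLUSTER = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER   # 2048

FREE, BAD, EOF_MIN = 0x0000, 0xFFF7, 0xFFF8   # FAT16 entry meanings (EOF is 0xFFF8..0xFFFF)
DELETED_MARK = 0xE5

# Constructed FAT16 table; index == cluster number, entries 0 and 1 are reserved.
FAT = [0xFFF8, 0xFFFF,
       FREE,               # 2: free
       4, 7,               # 3 -> 4 -> 7 : chain of REPORT.TXT
       BAD,                # 5: contains a defective sector
       0xFFFF,             # 6: a live single-cluster file
       0xFFFF,             # 7: end of REPORT.TXT
       FREE, FREE, FREE,   # 8-10: free
       0xFFFF]             # 11: another live single-cluster file

DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")   # 32-byte short-name directory entry

def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build a constructed directory entry; deleted=True applies the E5h mark DOS/Windows writes."""
    raw = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]
    return DIR_ENTRY.pack(raw, 0x20, 0, 0, 0, 0, 0, 0, 0, 0, first_cluster & 0xFFFF, size)

def parse_entry(raw):
    name, attr, _, _, _, _, _, hi, _, _, lo, size = DIR_ENTRY.unpack(raw)
    deleted = name[0] == DELETED_MARK
    base = name[:8].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]             # first character is gone; show a placeholder
    ext = name[8:].decode("ascii", "replace").rstrip()
    return {"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
            "attr": attr, "first_cluster": (hi << 16) | lo, "size": size}

def walk_chain(fat, start):
    """Follow a live file's chain through the FAT until an EOF entry; refuse loops and free/bad hops."""
    chain, cur = [], start
    while True:
        if cur < 2 or cur >= len(fat) or cur in chain:
            raise ValueError(f"corrupt chain at cluster {cur}")
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= EOF_MIN:
            return chain
        if nxt in (FREE, BAD):
            raise ValueError(f"chain runs into a free or bad cluster after {cur}")
        cur = nxt

def clusters_needed(logical_size):
    return -(-logical_size // BYTES_PER_CLUSTER)    # logical size / bytes per cluster, rounded up

def slack_bytes(logical_size):
    return clusters_needed(logical_size) * BYTES_PER_CLUSTER - logical_size

def assess_deleted(entry, fat):
    """The FAT entries were zeroed on delete, so only the start cluster and size are known."""
    start = entry["first_cluster"]
    if fat[start] != FREE:
        return "overwritten", []          # start cluster now belongs to another file
    wanted = list(range(start, start + clusters_needed(entry["size"])))   # assumes contiguity
    free = [c for c in wanted if c < len(fat) and fat[c] == FREE]
    return ("recoverable" if free == wanted else "partially overwritten"), free

def analyze_directory(directory, fat):
    results = []
    for off in range(0, len(directory), DIR_ENTRY.size):
        e = parse_entry(directory[off:off + DIR_ENTRY.size])
        if e["deleted"]:
            e["status"], e["clusters"] = assess_deleted(e, fat)
        else:
            e["status"], e["clusters"] = "live", walk_chain(fat, e["first_cluster"])
        e["physical_size"] = clusters_needed(e["size"]) * BYTES_PER_CLUSTER
        e["slack"] = slack_bytes(e["size"])
        results.append(e)
    return results

# Constructed root directory: one live file and three deleted ones in different states.
DIRECTORY = b"".join([
    make_entry("REPORT", "TXT", 3, 5000),
    make_entry("LETTER", "DOC", 8, 3000, deleted=True),    # clusters 8-9 still free
    make_entry("NOTES", "TXT", 6, 100, deleted=True),      # cluster 6 reused by a live file
    make_entry("DRAFT", "TXT", 10, 3000, deleted=True),    # cluster 10 free, 11 reused
])

if __name__ == "__main__":
    for r in analyze_directory(DIRECTORY, FAT):
        print(r)
```

The "only one file per cluster" rule is what makes the overwrite test sound: if the starting cluster's FAT entry is non-zero, some other file owns it now. The contiguity assumption is the weak point, as it is in any tool: a fragmented deleted file can report as recoverable while its later clusters actually belonged elsewhere.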

Computer Hardware and Systems 
• BIOS – Basic Input Output System
• The BIOS is responsible for the initial checking of the system components and initial configuration of the system once power is turned on.
• Examiners should access the BIOS and determine the boot sequence as well as the indicated date/time.
• Depending on the settings, the computer system may or may not attempt to boot from a diskette drive.
• The BIOS is typically contained within a chip located on the system motherboard, which is the main circuit board within a computer system.
• Add-in cards – video controller, SCSI controller, NIC, etc.
• SCSI host adapters manage SCSI devices and make them accessible to the OS.
• RAM – Random Access Memory – stores data temporarily and is accessible immediately to the OS.
• ROM – Read-Only Memory
• CPU – the actual processor chip – not the whole computer.
• POST – Power On Self Test – first activity following the application of power to the computer system.
• The POST activity includes the testing of identified attached devices on the system bus, including the HDD(s), diskette drives, installed memory, etc.
• Drive letters are assigned by the OS during the boot process, but are not recorded to the media involved.
• Bootable media must maintain a bootable partition/volume, which in the case of HDDs, must be set as active.

HDDs 
• IDE drives are set to Master, Slave, or Cable Select through jumper pins on the physical drive.
• SCSI drives do not maintain “Master/Slave” settings; rather they are assigned ID numbers, again usually through jumper settings.
• When employing CHS geometry, the formula for determining the HDD capacity is C × H × S × 512 bytes.
• The first sector on every HDD contains the Master Boot Record, and the partition table for the drive is located within this sector for Windows and Linux – offsets 446-509, followed by the 55AAh signature at offsets 510-511.
• The partition table within the MBR can maintain 4 entries, each 16 bytes in length.
• Each defined partition on a physical HDD will contain a Volume Boot Record as the first sector within the partition.
• Selecting the Volume Boot sector, right-clicking and choosing Add Partition can recover deleted partitions.
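The MBR layout from the list above (partition table at offsets 446-509, four 16-byte entries, 55AAh signature, a Volume Boot Record at the first sector of each partition) and the CHS capacity formula, as an added Python example that is not EnCase code and not from the original post. It also does in code what the last bullet describes manually: it scans an image for sectors that look like a VBR but lie outside every partition still listed in the table, which is exactly the sector you would select before choosing Add Partition. The disk image, the partition entries, and the `looks_like_vbr` heuristic (55AAh plus the NTFS or FATxx tag at the offset the formatter writes it) are constructed and simplified here; extended partitions and GPT are not handled.

```python
"""Parse a constructed 512-byte MBR and hunt for orphaned Volume Boot Records."""
import struct

SECTOR = 512
PART_TABLE_OFF = 446                      # partition table occupies offsets 446..509
PART_ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = b"\x55\xAA"               # offsets 510..511

FS_MARKERS = (                # (offset, 8-byte tag) that a formatter writes into a VBR
    (0x03, b"NTFS    "),
    (0x36, b"FAT12   "),
    (0x36, b"FAT16   "),
    (0x52, b"FAT32   "),
)

def chs_capacity_bytes(cylinders, heads, sectors_per_track):
    """Capacity under CHS geometry: C x H x S x 512."""
    return cylinders * heads * sectors_per_track * SECTOR

def encode_chs(c, h, s):
    # packed 3-byte CHS: head; sector in bits 0-5 with cylinder bits 8-9 in bits 6-7; cylinder low byte
    return bytes([h & 0xFF, (((c >> 8) & 0x03) << 6) | (s & 0x3F), c & 0xFF])

def decode_chs(raw):
    h, b1, b2 = raw
    return (((b1 & 0xC0) << 2) | b2, h, b1 & 0x3F)

def is_valid_mbr(raw):
    return len(raw) == SECTOR and raw[510:512] == MBR_SIGNATURE

def parse_mbr(raw):
    """Return the non-empty partition entries; each partition's VBR is its first (LBA start) sector."""
    if not is_valid_mbr(raw):
        raise ValueError("not a 512-byte sector ending in 55AAh")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY.size
        status, chs_s, ptype, chs_e, lba, count = PART_ENTRY.unpack(raw[off:off + PART_ENTRY.size])
        if ptype == 0 and count == 0:
            continue                      # empty slot
        parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                      "chs_start": decode_chs(chs_s), "chs_end": decode_chs(chs_e),
                      "lba_start": lba, "sectors": count, "vbr_sector": lba})
    return parts

def looks_like_vbr(sector):
    return sector[510:512] == MBR_SIGNATURE and any(sector[o:o + 8] == tag for o, tag in FS_MARKERS)

def find_orphan_vbrs(image, parts):
    """Sectors that look like a VBR but are outside every listed partition: deleted-partition candidates."""
    hits = []
    for lba in range(1, len(image) // SECTOR):          # skip sector 0, the MBR itself
        inside = any(p["lba_start"] <= lba < p["lba_start"] + p["sectors"] for p in parts)
        if not inside and looks_like_vbr(image[lba * SECTOR:(lba + 1) * SECTOR]):
            hits.append(lba)
    return hits

# ---- constructed sample disk: 1000 sectors, one listed FAT32 partition, one deleted NTFS one ----
def make_vbr(tag_offset, tag):
    s = bytearray(SECTOR)
    s[tag_offset:tag_offset + 8] = tag
    s[510:512] = MBR_SIGNATURE
    return bytes(s)

def make_mbr(entries):
    table = b"".join(PART_ENTRY.pack(st, encode_chs(*cs), t, encode_chs(*ce), lba, cnt)
                     for st, cs, t, ce, lba, cnt in entries)
    table += b"\x00" * (64 - len(table))                  # remaining slots empty
    return b"\x00" * PART_TABLE_OFF + table + MBR_SIGNATURE

def build_sample_image():
    img = bytearray(1000 * SECTOR)
    img[0:SECTOR] = make_mbr([(0x80, (0, 1, 1), 0x0C, (6, 15, 63), 63, 400)])  # active FAT32 (LBA) partition
    img[63 * SECTOR:64 * SECTOR] = make_vbr(0x52, b"FAT32   ")        # VBR of the listed partition
    img[600 * SECTOR:601 * SECTOR] = make_vbr(0x03, b"NTFS    ")      # VBR of a partition removed from the table
    return bytes(img)

IMAGE = build_sample_image()

if __name__ == "__main__":
    parts = parse_mbr(IMAGE[:SECTOR])
    print(parts)
    print("orphan VBR candidates:", find_orphan_vbrs(IMAGE, parts))
```

The CHS check is worth keeping next to the parser: 1024 cylinders × 16 heads × 63 sectors × 512 bytes is 528,482,304 bytes, the old 504 MiB BIOS limit, so a drive reporting that geometry is almost certainly larger than its CHS fields admit and the LBA fields are the ones to trust.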

Restoring E01 Files 
• Evidence files can be restored to media of equal or greater size.
• The hash value of a properly restored evidence file will match the value maintained within the evidence file, which is the value computed against the original source media.
• Restoring evidence files of physical media must be made to a physical drive, logical evidence files to a defined logical partition.
• Logical restores must be made to a created partition equal to or larger than the evidence file partition, and must be of the same file system – FAT16/32.
• Restored drives are validated by the MD5 value.

OS Artifacts 
• Review Recycle Bin functions – a deleted file is renamed D<drive letter><sequence number>.<original extension>, e.g. DC0.TXT, DC1.JPG, etc.
• On Windows XP/2003 and below, the date/time deleted stems from the INFO/INFO2 record within the Recycle Bin.
• FAT directory entries in DOS/Windows are 32 bytes in length.
• Review directory structure – parent/child relationships.
• Review Windows XP/2000 artifact locations: the Recent, Desktop, SendTo, and Temporary Internet Files folders (under each user's profile in C:\Documents and Settings on 2000/XP; under C:\Windows on Windows 9x).
• Review LNK files – linking a diskette to the computer that wrote to it – embedded date/time as well as full path and file name of the target file.
• Review the print spooler artifacts – EMF files (the spooled page data), SPL (spool) and SHD (shadow, job metadata) files – definition and content.
• BASE64 encoding – common to email attachments.
• Windows 2000 and XP have user personal folders stored under C:\Documents and Settings.

The studies continue!
