Performing Forensic Duplication: When a Clone Really Is a Clone

In any critical incident response, the preferred methodology is to prepare for trial whether there is going to be one or not. Following the most stringent procedures will allow investigators to introduce their evidence regardless of future legal circumstances. Consequently, investigators should always follow the rules of evidence in performing their investigation.

Here are some areas that will likely trigger future legal action:

  • Is the incident considered high-profile receiving significant internal and external attention?

  • Does the incident involve unequal treatment?

  • Does the incident involve criminal allegations?

  • Does the incident involve individual privacy?

  • Has there been a significant financial or business loss attributed to the incident?

  • Is there a need to forensically examine slack space and unallocated free space in the examination to collect evidence in proving the case?

Here are some rules that have been formulated to limit successful legal challenges claiming that the evidence has been altered in any fashion, thereby reducing its value.

  • The examination of evidence is performed on forensically sterile media. This means that it has been forensically proven that the media onto which the original was copied was devoid of any electronic characters. Examining the media with a disk editor or creating a hash of it will generally suffice to prove it sterile. An exact bit-by-bit copy is made of the original to the sterile media. Examinations and analyses are performed on copies, never on the originals.

  • The target system and related data must be protected during the collection ensuring that the data is not altered in any fashion. This includes measures that preclude the target machine's operating system from accessing the media containing the evidence at any point.

  • Examinations of media must be made in such a fashion that the file attributes are not changed from the original. When this is not possible, examiners will perform analyses giving priority to examining the media rather than preserving attributes.

  • All examinations are accompanied by an investigator's activity log. In this document, all examination/investigative activities are logged including but not limited to the following:

    • Time/date/place media was acquired for examination

    • Name and title of examiner

    • Hardware and software configuration of machine on which the examination took place

    • Software tools and their versions

    • Commands used in examination

    • Tools and respective commands used in examination

    • Logging should reflect case-relevant discoveries

    • Serial numbers, identification numbers, and other relevant identification of original and examined media

    • Screen prints of examined evidence should be made according to a formal procedure rather than on a random basis

Steps to Follow when Collecting Evidence

Collecting digital evidence consists of securing the target system, conducting an examination of the system and its surrounding environment, forensically duplicating the target media, and preserving the forensic copies. The following are suggested steps provided to assist investigators in collecting evidence:

  • Secure the crime scene. Physically control people and possible evidence-items from entering and leaving the target area. In other words, when responders are notified about a possible critical incident, the physical and logical areas should be immediately secured so the critical incident cannot spread. Once this is performed, all persons not directly connected with the investigation should be asked to leave the area. Of course, all employees should drop what they are doing and leave the area immediately. At no time is any employee allowed to remove anything from the area or access any device remotely. Designated first-response employees should immediately contain the spread of any damage. In these cases, first-responders are chosen for their finely tuned people skills, since they secure the area in advance of the investigators.

    Investigators must do their jobs while controlling the comings and goings of people and potential evidence inside the target area. Regardless of who wants to enter the area or their position in the organization, unless that person is part of the investigation, he should be courteously asked to wait until evidence collection is completed.

  • Shut down the victim-machine. Do not touch the keyboard; just unplug the machine from the power supply. There is a significant degree of discussion about this topic involving interacting with the system while an attack is live or concern about lost data when the power is extinguished on the target machines. This is an area where responders must use their experience and training.

    Experience Note 

    While responding to a systems attack, the responders interacted with the system for over an hour only to discover that there were several attackers. While the responders had been interacting with the system, other attackers carefully concealed their activities, disabled safeguards, and installed back-doors throughout the system. This was a tragedy as the investigators were out-foxed by the attackers.

    Depending on the machine and its software, going through a normal shutdown may trigger logic bombs or other data-destroying software. It is also possible that going through the normal shutdown routine could change file attributes. This is one of those judgment areas where the possible loss of evidence must be weighed against the spread of further damage. Preference in this case must go to the prevention of more damage.

  • Physically secure the system. If the machine is going to be seized and transported, it must be sealed before it is transported. Take photographs of the cabling and label all cables before disconnecting. Cables may be left attached to the machine for future reference and examination depending on circumstances. Machines and cables should be wrapped in electrostatically neutral plastic wrap and sealed before being entered as evidence. Wrapping the machine prevents contaminants from entering the machine during transportation and initial storage. The first person who removes the wrapping should be the examiner. It is recommended that a virgin blank floppy disk be inserted into the corresponding drive to act as a spacer.

  • If the examination is going to take place on the target machine or if the target machine is going to be used to make forensic duplicates of the hard drive, then changing the boot sequence is going to be required. Investigators must determine the operating platform of the target machine before they begin their task. They should know how to change the boot settings before starting the machine. Change the boot sequence so that it recognizes the floppy drive first, then the CD drive, then hard drive. This process will allow investigators to use bootable floppy disks or bootable CDs to take control of the subject-machine away from its native operating system. Bootable floppy disks or bootable CDs have utilities that block writing to the original hard drives or other media as well as other utilities that allow a forensically viable copy to be made of the target media.

Different Approaches to Media Duplication

If there is going to be an examination that will possibly lead to legal action, there needs to be a defined procedure for creating a forensically sound duplicate. Forensically sound media duplicates must be bit-by-bit duplicates of the entire target media. In making forensic duplications there are essentially three approaches:

  1. Image the storage medium by removing it from the target machine and connecting it to the forensic computer for duplication. The forensic computer will have software already installed:

    • Allowing an exact duplicate to be made

    • Block any writing to the target medium

    • Survive a critical third-party expert analysis as part of its use as a duplication tool

      This method removes the target media from the BIOS or any other hardware configuration of the original machine. In most cases, this is the preferred duplication procedure.

  2. Image the storage media by attaching virgin-storage media to the target machine. This method usually involves using utilities that prevent writing to the target medium and delivers forensically sound duplicates of the target.

  3. Image the storage medium by sending the disk image over a closed network to the forensics workstation remotely as it is forensically duplicated. For many, this is the preferred method. If this method is used, it must be thoroughly qualified so juries and judges will understand the process. It must also be shown that through the connected systems, none of the digital information was changed or missing.

Removing the Target Hard Drive

Trained and experienced forensic investigators have the ability to remove the target media, duplicate it on their specially prepared forensic machine, and return it to the target. Many private and law enforcement investigators have already invested in purchasing or building forensic computers with the software required to complete a forensically sound duplicate, software that will not allow the target medium to be changed in any fashion, removable drive bays, and connections to complete most tasks. Investigators carefully document all physical details, cable attachments, model names, serial numbers, appropriate jumper settings, peripheral equipment, and cable connections.

Investigators must be trained to use specialized software proven to deliver forensically sound duplications. Hard drives and other electronic media may be duplicated with such software as Safeback, EnCase, Ghost, or the UNIX dd command. These are applications that have been popular with investigators for many years and have successfully withstood legal challenges when used correctly.

  • Safeback is available from www.forensics-intl.com.

  • EnCase is available from www.guidancesoftware.com.

  • Ghost is available from www.symantec.com.

Information about using the UNIX or Linux dd command is available in the system manual pages, accessible from the command line interface with "man dd".

Experience Note 

Before any media is used to store a copy of the original, it should be "scrubbed" or "wiped" of any data that it may contain. This process ensures that the accepting media is devoid of any data before being used. There are several applications that are considered adequate for cleansing media. After cleansing the media, perform a checksum (hash) of the media using MD5 or a similar hashing tool. If it is devoid of any digital information, the checksum should read 00. This will show, for future argument's sake, that the media was clean. Another method of verifying the cleanliness of the media is to manually examine it through a disk editor.
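The sterile-media check and the bit-by-bit duplication with hash verification described above, as an added Python example that is not from the book or from any of the tools it names. Ordinary files stand in for the original and target media (constructed samples); on a real acquisition the same reads would be issued against a write-blocked device.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read media in 1 MiB blocks so large images fit in memory


def is_sterile(path: str) -> bool:
    """Return True only if every byte of the medium is zero.

    This is the programmatic form of the disk-editor check: a wiped
    medium must hold no residual characters from any previous use.
    """
    zero_block = bytes(CHUNK)
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block != zero_block[: len(block)]:
                return False


def hash_image(path: str, algorithm: str = "md5") -> str:
    """Hash the whole medium; the digest is what goes in the activity log."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def duplicate(original: str, target: str) -> dict:
    """Bit-for-bit copy of `original` onto `target`.

    Refuses to proceed unless `target` is sterile, opens the original
    read-only, and returns the figures needed to show the copy is exact.
    """
    if not is_sterile(target):
        raise RuntimeError("target medium is not sterile; wipe it and re-verify")
    sterile_digest = hash_image(target)  # recorded so the wipe can be proven later
    with open(original, "rb") as src, open(target, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return {
        "sterile_digest": sterile_digest,
        "original_digest": hash_image(original),
        "copy_digest": hash_image(target),
        "original_size": os.path.getsize(original),
        "copy_size": os.path.getsize(target),
    }


def demo() -> dict:
    """Run the procedure on constructed sample files standing in for media."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "suspect.img")
        wiped = os.path.join(tmp, "wiped.img")
        reused = os.path.join(tmp, "reused.img")
        with open(evidence, "wb") as f:
            f.write(b"constructed sample evidence image\n" * 2000)
        with open(wiped, "wb") as f:
            f.write(bytes(4096))             # properly wiped medium
        with open(reused, "wb") as f:
            f.write(bytes(4095) + b"\x01")   # one stray byte left behind
        report = duplicate(evidence, wiped)
        report["copy_verified"] = (
            report["original_digest"] == report["copy_digest"]
            and report["original_size"] == report["copy_size"]
        )
        # a zero-filled medium of a given size always hashes to the same value
        report["sterile_digest_expected"] = hashlib.md5(bytes(4096)).hexdigest()
        report["reused_is_sterile"] = is_sterile(reused)
        try:
            duplicate(evidence, reused)
            report["reused_rejected"] = False
        except RuntimeError:
            report["reused_rejected"] = True
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```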

There are several advantages to using the investigator's machine in the duplication method:

  • The investigators are in control of the situation by not allowing the target machine's operating system to be launched during any duplication or examining operation.

  • The investigators can testify about the level of professional due diligence they exercised in using their own tested machine.

  • There should not be any surprises, such as undiscovered configurations that result in files being changed during the startup process.

  • This duplication method has been introduced many times previously in judicial proceedings and is understandable by individuals who do not have a great deal of background in technology matters.

  • Using the investigator's forensic machine, rather than the target machine for duplication, eliminates problems of compatibility.

Attaching a Hard Drive

There is another duplicating approach - attaching another hard drive or other storage device to the target machine.

Experience Note 

Some responders install interfaces and drivers on the target machines to expedite duplication. Beware that installing software on target machines could be responsible for overwriting irretrievable evidence. Changing the original machine's logical and physical configuration may be the basis of future legal challenges.

The above two duplication methods are basically the same, except that one is performed on the investigator's machine and the other on the target machine. Attach a forensically cleansed hard drive to the target machine while the power is off; then, as the power comes on, enter the BIOS setup and make certain it "sees" the new hard drive.

Safeback, Ghost, and EnCase duplication applications are sufficiently small - they can fit on a floppy disk or bootable CD, so the target machine boots to them and a forensically sound duplicate can be made. In this fashion, the target machine is not allowed to launch its own operating system thereby preserving file attributes.

Experience Note 

On launching, it is estimated that most operating systems routinely change the attributes of approximately 200 or more files.

A Word about BIOS

The Basic Input/Output System, BIOS, is the small firmware utility used during initial startup. When the workstation is started, the BIOS is activated, the system's basic configuration is consulted, and each of the machine's devices is queried to see if it is present and functioning properly. Investigators should open the BIOS and consult its settings to determine the drive geometry for the media where suspected evidence is located and the boot sequence of the target machine. The BIOS of the target machine will show on the monitor how to access it when it starts up. At times it is accessed by the Delete key, the F2 key, or the Ctrl+Alt+Esc key combination.

Investigators might go to a similar workstation having the same hardware and watch the startup screen to determine the key, or combination of keys, to access the BIOS. Regardless, duplicating from the target machine where evidence is located is not for the faint of heart. During the BIOS startup process, investigators will have one hand on the power switch and the other hand on the BIOS access key. They will be watching the monitor for the BIOS access notification. Be thoroughly prepared to stop the process if the system gets past the BIOS stage, and start again.

Exhibit 4 is a sample of BIOS access information.

Exhibit 4: BIOS Access Information

  BIOS Manufacturer                            Key Command(s)
  ALR Advanced Logic Research, Inc.® PC/PCI    F2
  ALR PC non-PCI                               Ctrl+Alt+Esc
  AMD® (Advanced Micro Devices, Inc.) BIOS     F1
  AMI (American Megatrends, Inc.) BIOS         Del
  Award BIOS                                   Ctrl+Alt+Esc
  Award BIOS                                   Del
  DTK® (Datatech Enterprises Co.) BIOS         Esc
  Phoenix BIOS                                 Ctrl+Alt+Esc
  Phoenix BIOS                                 Ctrl+Alt+S
  Phoenix BIOS                                 Ctrl+Alt+Ins

  Computer                                     Key Command(s)
  Acer                                         F1, F2, Ctrl+Alt+Esc
  AST                                          Ctrl+Alt+Esc, Ctrl+Alt+Del
  Compaq                                       F10
  CompUSA                                      Del
  Cybermax                                     Esc
  Dell                                         F3
  Dell 400                                     F1
  Dell Dimension                               F2 or DEL
  Dell Inspiron                                F2
  Dell Latitude                                Fn+F1 (while booted)
  Dell Latitude                                F2 (on boot)
  Dell Optiplex                                Del
  Dell Optiplex                                F2
  Dell Precision                               F2
  eMachine                                     Del
  Gateway 2000 1440                            F1
  Gateway 2000 Solo                            F2
  HP                                           F1, F2
  IBM                                          F1
  IBM E-Pro Laptop                             F2
  IBM PS/2                                     Ctrl+Alt+Ins after Ctrl+Alt+Del
  IBM Thinkpad (newer)                         Windows Programs: Thinkpad CFG
  Intel Tangent                                Del
  Micron                                       F1, F2, or Del
  Packard Bell                                 F1, F2, Del
  Sony VAIO                                    F2, F3
  Tiger                                        Del
  Toshiba 335 CDS                              ESC
  Toshiba Protege                              ESC
  Toshiba Satellite 205 CDS                    F1
  Toshiba Tecra                                F1 or ESC

Power-On Self Test

Power-on self-test, also known as POST, is started the moment the computer is turned on. There are several initial steps involving the BIOS presented on the monitor in the order they occur:

  • BIOS boot program initiates a series of system checks, known as Power-On Self-Tests (POST). The CPU first checks itself and the POST program by comparing code against identical permanent records.

  • The CPU sends signals over the system bus to make sure it is functioning properly. The CPU checks the system's timer, which is responsible for making sure that all of the PC's operations function in a synchronized, orderly fashion.

  • The POST then tests the video display adapter. This is usually the first information that appears on the monitor.

  • POST checks for RAM. Usually it runs a test to ensure that the RAM chips are functioning properly by writing to and reading from each chip and comparing the result. An accounting of the amount of memory that's been checked is usually displayed on the monitor during this test.

  • The CPU checks to make sure the keyboard is attached properly and looks to see if any keys have been pressed. Pressing a key at this point will often interrupt the POST process. This feature can often be disabled in the BIOS settings and not all brands of computers are configured to do this check from the factory.

  • The POST sends signals over specific paths on the bus to any disk drives and listens for a response to determine what drives are available. The lights on the drives usually flash briefly during this process.

  • The results of the POST are compared with a record of which components are installed and control is passed to the operating system.

BIOS Passwords

BIOS settings held in the CMOS, Complementary Metal Oxide Semiconductor, chip are refreshed by a small battery located on the computer's motherboard. Basic configuration settings regarding the computer's disk drives are stored here and loaded every time the computer is started with power-on. Most BIOS systems may be configured to request a password when power is first applied to the computer and will not progress further until the correct password is entered. Because all essential configuration functions are suspended at this time, the computer will not proceed to the startup phase until the correct password is entered. Nor can the BIOS configuration be altered to remove the password requirement until the password is entered. Of course, BIOS passwords are not intended to keep out determined intruders that have access to the workstation or server.

BIOS passwords sometimes represent a bit of a problem for investigators. To gain entry, the settings of the BIOS must be reset to the default settings removing the password protection. There are essentially three ways of doing this.

Experience Note 

Investigators must document changing the machine's BIOS configuration in their activity log.

One way of bypassing the BIOS password is to remove the target machine's hard drive and place it in the forensic machine for duplication. Because the BIOS is a process that is restricted to the target machine's motherboard, this effectively bypasses this barrier.

The next process involves opening the computer's case and accessing the motherboard. Located in a small case is a flat battery used to refresh the CMOS chip holding the configuration settings. Removing the battery for a period of several hours is usually sufficient to cause the BIOS to reset to its default settings. The default settings do not include a password. Replacing the battery after allowing the system to reset removes the password settings and permits accessing the system normally on applying power.

Investigators may try to enter a default password to the BIOS and, if successful, the configuration settings will be preserved. BIOS settings should be documented for the analysis report. BIOS default passwords are listed on the Internet and are usually specific to manufacturer. Again, the chip's manufacturer is usually marked on the chip and is usually located adjacent to the refresh-battery. With the manufacturer identified, it is a simple task to research the default password on the Internet. More BIOS password information is available at www.pwcrack.com/bios.shtml.

Hard Disk Construction

Hard disks are constructed of rigid platters composed of a supporting substrate material covered with a magnetic medium. The substrate is a non-magnetic base material, manufactured with a smooth finish and called a platter. Substrates are usually made of either aluminum alloy or a mixture of glass and ceramic materials. To support magnetic data, both sides of each platter are coated with a magnetic medium, usually called a thin-film medium, capable of storing roughly a billion bits per square inch of platter surface.

Platters may vary in size with common hard drive disk sizes in two basic forms, 5.25 inches and 3.5 inches.

Currently, manufacturers are tending toward glass technology, as this has better heat-resistance and permits thinner platters. The inside of the hard drive must be kept as dust-free as it was built at the factory. Basically, the platters are hermetically sealed in a metal case with the interior maintained in a partial vacuum. Often, this chamber is referenced as the head disk assembly and will often be written as HDA.

Hard disk construction places three or more platters in the HDA stacked on top of one another with a common spindle allowing the whole platter assembly to revolve at speeds of 5000 or 7500 rpm. Platter speeds have recently exceeded 12,000 rpm. High speeds are used to increase data transfer from the drive to other components of the machine. There is a gap between the platters that makes room for magnetic read/write heads that are mounted on the end of an actuator arm. These heads pass over the magnetic media covering the platters. Heads are mounted so close to the platter surface that they clear by only a fraction of a millimeter or about .07 mm. In the case of IDE or SCSI drives, the disk controller electronic circuits are usually incorporated into the drive-case design.

When a hard drive disk undergoes a low-level format, it is divided into tracks and sectors. Tracks are concentric circles around the central spindle on both sides, top and bottom, of each platter. Tracks are located physically above each other and are grouped together into areas called cylinders. Cylinders are essentially the same areas spanning the vertical height of each platter. Cylinders are further divided into sectors containing 512 bytes each. The concept of cylinders is important because the same cylinder can be accessed without having to move the heads. In other words, cylinders are the areas of each platter that can be accessed by the heads without moving.

In physical addressing for disks, once the formatting is complete, each physical sector has a unique address based on the Cylinder, starting with cylinder 0; Head, starting with head 0; and Sector, starting with sector 1. The part of a cylinder that is the circular strip on a platter is called a track. If there are three platters in a hard drive, then there are six read/write heads. In reality, the outermost surface of most platters does not have heads above them so in these cases, there are only four heads.

Experience Note 

Sectors are the smallest parts of the disk that can be read or written at one time. The physical geometry of the disk is specified as the number of cylinders the disk contains, number of tracks the disk contains, number of heads, number of sectors per track, and the size of each sector measured in bytes.

In descending order, disk geometry is read CHS or Cylinder, Head, and Sector. Reading and calculating the physical layout of the hard drive would proceed like this example - the target hard drive has 1000 cylinders, 6 heads, 15 sectors per track, with each sector containing 512 bytes. Calculating the size of this drive results in about 46 megs (Exhibit 5).

Exhibit 5: Typical Disk Geometry (figure)

Relative Addressing

There are two types of addressing, relative addressing and absolute addressing. A relative address is specified by its distance from another address, called the base address. For example, a relative address might be B+15, with B being the base address and 15 the distance (called the offset). In absolute addressing, you specify the actual address (called the absolute address) of a memory location.

Relative and absolute addressing are used in a variety of circumstances. In programming, you can use either mode to identify locations in main memory or on mass storage devices.

Digital information is recorded on the magnetic surface of the disk in basically the same way as it is on floppy disks or tapes. The magnetic surface is an array of binary dot positions, each set to either a "1" or a "0." The position of each element is not identifiable as an absolute, so a scheme of guidance marks helps the read/write head find the positions on the disk. This is the reason why disks must be formatted before they can be used to record information.

When the computer reads data, the operating system works out where the data is located on the disk according to its filing system. In the Windows FAT (file allocation table), the operating system consults the FAT located at the beginning of the disk's partition. This tells the operating system which sector on which track holds the desired information. With this information, the head moves to the requested data (Exhibit 6).

Exhibit 6: Relative Addressing (figure)

Exhibit 7 is a table reflecting the typical floppy disk physical geometry.

Exhibit 7: Typical Floppy Disk Geometry

  3.5" Floppy Disk     Low Density   High Density
  Bytes per sector     512           512
  Sectors per track    9             18
  Tracks per side      80            80
  Sides                2             2
  Capacity             720 kb        1.44 MB
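The CHS geometry arithmetic from the hard disk example (1000 cylinders, 6 heads, 15 sectors per track, 512-byte sectors) and from Exhibit 7, as an added Python example that is not part of the book: it computes capacity, converts between a physical CHS address and a flat sector number, and gives the byte offset of a sector inside a raw image. The `Geometry` class and its method names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    """CHS geometry as read from the BIOS or the drive label."""

    cylinders: int
    heads: int
    sectors_per_track: int
    bytes_per_sector: int = 512

    @property
    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors_per_track

    def capacity_bytes(self) -> int:
        return self.total_sectors * self.bytes_per_sector

    def chs_to_lba(self, cylinder: int, head: int, sector: int) -> int:
        """Physical CHS address (sectors count from 1) to a flat sector number.

        Sectors are numbered track by track: all sectors under head 0 of
        cylinder 0, then head 1, ... so the whole cylinder is read before
        the heads have to move.
        """
        if not 0 <= cylinder < self.cylinders:
            raise ValueError(f"cylinder {cylinder} out of range")
        if not 0 <= head < self.heads:
            raise ValueError(f"head {head} out of range")
        if not 1 <= sector <= self.sectors_per_track:
            raise ValueError(f"sector {sector} out of range")
        return (cylinder * self.heads + head) * self.sectors_per_track + (sector - 1)

    def lba_to_chs(self, lba: int) -> tuple[int, int, int]:
        """Inverse of chs_to_lba: which cylinder, surface and sector hold a flat sector."""
        if not 0 <= lba < self.total_sectors:
            raise ValueError(f"LBA {lba} beyond end of media")
        per_cylinder = self.heads * self.sectors_per_track
        cylinder, remainder = divmod(lba, per_cylinder)
        head, sector_from_zero = divmod(remainder, self.sectors_per_track)
        return cylinder, head, sector_from_zero + 1

    def byte_offset(self, lba: int) -> int:
        """Offset of a sector within a raw bit-for-bit image of the media."""
        return lba * self.bytes_per_sector


# The drive from the text: 1000 cylinders, 6 heads, 15 sectors/track, 512-byte sectors.
EXAMPLE_DRIVE = Geometry(cylinders=1000, heads=6, sectors_per_track=15)

# Exhibit 7: tracks per side correspond to cylinders, sides to heads.
FLOPPY_LOW = Geometry(cylinders=80, heads=2, sectors_per_track=9)
FLOPPY_HIGH = Geometry(cylinders=80, heads=2, sectors_per_track=18)


def describe(geometry: Geometry) -> str:
    megabytes = geometry.capacity_bytes() / 1_000_000
    return f"{geometry.total_sectors} sectors, {geometry.capacity_bytes()} bytes (~{megabytes:.2f} MB)"


if __name__ == "__main__":
    print("example drive:", describe(EXAMPLE_DRIVE))
    print("last sector at CHS:", EXAMPLE_DRIVE.lba_to_chs(EXAMPLE_DRIVE.total_sectors - 1))
    print("720 kb floppy:", describe(FLOPPY_LOW))
    print("1.44 MB floppy:", describe(FLOPPY_HIGH))
```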

Windows DOS-Based File Allocation Table

The FAT is really a table that resides at the top of the partition or volume.

Experience Note 

In explaining a FAT table to juries, investigators frequently compare it to the index cards at a library: library patrons use the cards to locate books on their respective shelves.

FAT is a reference table present in the Windows DOS, 95, 98, and ME operating systems. As a safeguard, two copies of the FAT are preserved in the event one of them becomes damaged. The FAT tables and the root directory must be stored in fixed locations so the system's boot files can be correctly located.

A disk formatted with FAT is allocated in clusters. The size of these clusters is determined by the size of the volume. When a file is created by the operating system, an entry is created in the FAT directory and the first cluster number containing data is established at this time.

This entry in the FAT table either indicates that this entry is the last cluster of the file or it points to the next cluster. Exhibit 8 compares the cluster sizes of FAT and NTFS by partition size.

Exhibit 8: Partitions and Cluster Sizes

  Partition Size       FAT16 Cluster Size   FAT32 Cluster Size   NTFS Cluster Size
  0 MB to 15 MB        4 kb                 4 kb                 512 bytes
  16 MB to 127 MB      2 kb                 4 kb                 512 bytes
  128 MB to 255 MB     4 kb                 4 kb                 512 bytes
  256 MB to 511 MB     8 kb                 4 kb                 512 bytes
  512 MB to 1023 MB    16 kb                4 kb                 512 bytes
  1 GB to 2 GB         32 kb                4 kb                 1 kb
  2 GB to 8 GB         N/A                  4 kb                 2 kb
  8 GB to 16 GB        N/A                  8 kb                 4 kb
  16 GB to 32 GB       N/A                  16 kb                4 kb
  More than 32 GB      N/A                  32 kb                4 kb

Updating the FAT table is imperative for the file system to function properly and it is resource consuming as well. If the FAT table is not regularly updated, it can result in lost data. The reason it is time consuming is because the read-heads must be repositioned to the drive's logical track zero each time the FAT table is updated. FAT supports only read-only, hidden, system, and archive file attributes.

FAT implements traditional 8.3 file naming convention, and all file names must be created within the ASCII character set. The names start with either a letter or number and can contain any characters except for the following: "/\ [ ] : ; | = . The following names are also reserved: CON, AUX, COM1, COM2, COM3, COM4, LPT1, LPT2, LPT3, PRN, and NUL.

Specialized software is required to perform an undelete function under Windows NT on any of the supported file systems. However, if the file was located on a FAT partition, and the system is restarted under MS-DOS, the deleted file can be undeleted and restored.

Experience Note 

It is not possible to set file privileges on files within the FAT system.

Undeleting in Windows-Based Operating Systems

There are several tools that are useful when addressing Windows platforms, DOS-based (FAT), and NT. One such tool is called WinHex and is available at www.sfsoft.de/winhex/index-m.html. This hex editor is useful in granting access to floppy disks, CD-ROMs, DVD, ZIP, Smart Media, Compact Flash cards, and so on. It will read FAT12, FAT16, FAT32, and NTFS file systems. WinHex will recover data from deleted files manually or automatically in FAT and NTFS drives. This tool has many significant forensically valuable features such as drive cloning tolerating damaged sectors, erasing drive media and converting binary, hexadecimal, and ASCII.

R-Studio is a family of data recovery and undelete tools available at www.rtt.com/RStudio.shtml. There is a comprehensive product for data recovery from FAT12, FAT16, FAT32, NTFS, NTFS5, and Ext2FS (Linux). It functions well on local and network disks that are damaged or contain deleted data.

Information Hiding in the Windows FAT

If a disk operating utility within the Windows DOS-based operating system marks the hard disk with a number of bad clusters or if clusters have been manually marked as bad, it is possible to unmark them using a disk editor. Regardless, investigators should verify that clusters are physically bad or are merely marked bad so they will not be recognized by the operating system. It is possible these bad clusters are being used to conceal information from prying eyes.

Experience Note 

If investigators find a disk editor utility present on a target machine, it is possible that a user was engaged in hiding data in clusters marked "bad."

Clusters marked bad may be unmarked with a disk editor by using its Find function to search for the byte pattern F7 FF for FAT16, or F7 FF FF 0F in the case of FAT32. Disk editors such as WinHex or Norton's Disk Editor (available at www.symantec.com) can recover data on a physical and on a logical level, recovering data in clusters that have been marked as bad and reconstructing the clusters into the original file.
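The two FAT operations the text describes, following a file's cluster chain through the table (the FAT section above) and finding the clusters whose entries carry the bad-cluster marker (the F7 FF and F7 FF FF 0F byte patterns), as an added Python example that is not from the book, WinHex or Norton's Disk Editor. The two tables are constructed samples; a cluster the table marks bad is only a candidate for concealment until the investigator verifies whether it is physically bad.

```python
import struct

FAT16_BAD, FAT16_EOC = 0xFFF7, 0xFFF8          # on disk as bytes "F7 FF"
FAT32_BAD, FAT32_EOC = 0x0FFFFFF7, 0x0FFFFFF8  # on disk as bytes "F7 FF FF 0F"
FAT32_MASK = 0x0FFFFFFF                        # top 4 bits of a FAT32 entry are reserved


def read_entries(fat: bytes, bits: int) -> list[int]:
    """Decode a raw FAT16 or FAT32 table (little-endian entries) into a list."""
    if bits == 16:
        count = len(fat) // 2
        return list(struct.unpack(f"<{count}H", fat[: count * 2]))
    if bits == 32:
        count = len(fat) // 4
        return [v & FAT32_MASK for v in struct.unpack(f"<{count}I", fat[: count * 4])]
    raise ValueError("only FAT16 and FAT32 tables are handled here")


def bad_clusters(fat: bytes, bits: int) -> list[int]:
    """Clusters the table claims are unusable; each should be checked physically."""
    bad = FAT16_BAD if bits == 16 else FAT32_BAD
    # entries 0 and 1 are reserved (media descriptor and end-of-chain value)
    return [n for n, value in enumerate(read_entries(fat, bits)) if n >= 2 and value == bad]


def follow_chain(fat: bytes, bits: int, first_cluster: int) -> list[int]:
    """Walk a file's cluster chain from the first cluster in its directory entry.

    Raises ValueError on a broken chain (loop, free cluster, or a cluster
    marked bad) so a corrupted or altered table is noticed rather than ignored.
    """
    entries = read_entries(fat, bits)
    bad, eoc = (FAT16_BAD, FAT16_EOC) if bits == 16 else (FAT32_BAD, FAT32_EOC)
    chain, current = [], first_cluster
    while True:
        if current < 2 or current >= len(entries):
            raise ValueError(f"cluster {current} lies outside the table")
        if current in chain:
            raise ValueError(f"chain loops back to cluster {current}")
        chain.append(current)
        nxt = entries[current]
        if nxt >= eoc:
            return chain                     # this entry is the last cluster of the file
        if nxt == bad:
            raise ValueError(f"chain from {first_cluster} runs into bad cluster {nxt}")
        if nxt == 0:
            raise ValueError(f"chain from {first_cluster} runs into free cluster {nxt}")
        current = nxt


# Constructed FAT16 table, bytes laid out as a disk editor would display them:
# a file in clusters 2 -> 3 -> 4, clusters 5 and 6 marked bad, cluster 7 free.
SAMPLE_FAT16 = bytes.fromhex(
    "F8FF" "FFFF"           # entries 0-1: media descriptor and reserved end-of-chain
    "0300" "0400" "FFFF"    # 2 -> 3, 3 -> 4, 4 = end of chain
    "F7FF" "F7FF"           # clusters 5 and 6 marked bad
    "0000"                  # cluster 7 free
)

# Constructed FAT32 table: a file in clusters 2 -> 3, cluster 4 marked bad, 5 free.
SAMPLE_FAT32 = bytes.fromhex(
    "F8FFFF0F" "FFFFFFFF"
    "03000000" "FFFFFF0F"   # 2 -> 3, 3 = end of chain
    "F7FFFF0F"              # cluster 4 marked bad
    "00000000"              # cluster 5 free
)


if __name__ == "__main__":
    for name, table, bits in (("FAT16", SAMPLE_FAT16, 16), ("FAT32", SAMPLE_FAT32, 32)):
        print(f"{name}: clusters marked bad {bad_clusters(table, bits)}, "
              f"file chain from cluster 2 {follow_chain(table, bits, 2)}")
```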

Windows NT File System

The main structure of the Windows NT file system, NTFS, consists of a logical partition on a disk. A disk may contain one or several partitions, also called volumes, with each volume containing files. There is no specially formatted space for the file system, rather all needed file system data such as bitmaps, directories, and system boot are stored as regular files. Files are divided as clusters on the disk with each cluster having a number of physical sectors. NTFS is not constrained to a certain sector size, such as 512 bytes. The cluster size varies with the size of the volume and is determined by the NTFS file format utility.

In NTFS, a file can be located on a disk through the master file table, MFT. This is a relational database, consisting of an array of file records contained in the volume. There is a record in the MFT for each file. Additionally, the MFT has its own record.

Each file in the volume is identified by a file reference consisting of a 64-bit value holding the file number and the sequence number. The file number records the position of the file's file record on the MFT and the sequence number is incremented each time an MFT file record position is reused. This enables the NTFS to perform consistency checks.

To reference a file's physical location on the disk, NTFS uses a logical cluster number, LCN, stored in the MFT. LCNs are simply the numbering of clusters in a volume from beginning to end. NTFS goes about the process of locating the physical disk address of a file by multiplying the LCN by the cluster factor.

A file directory in NTFS is simply an index of file names and their references. If the attributes of a directory are smaller than the record size, then all the information will be resident in the MFT.

NTFS has the ability to recover from a system failure and make the volume consistent again by logging the transactions that occur within the volume. The log file is created by the Format command, and the log file service (LFS), a series of kernel-mode routines, allows logging to be recorded.

Log files consist of a restart area and a logging area. The restart area stores information that allows NTFS to know where recovery should start, and there is a second copy of this information in case the first becomes inaccessible or corrupted. The logging area contains the records of transactions and I/O operations that alter file system data or change the volume's directory structure.

There are two types of records written to the log file, update records and checkpoint records. Included in an update record is "redo" information and "undo" information. The redo information tells how to redo one sub-operation of a transaction if system failure occurs before volume changes are flushed to disk. Undo information tells how to reverse one sub-operation of a transaction that has not been committed. A transaction is considered committed when a record indicating that the transaction is completed in the cache is sent to the log file. Committed transactions will be performed on disks even if a system failure subsequently occurs. NTFS records are updated for the following file actions: creating, deleting, extending, truncating, setting file information, renaming, and changing security.

Checkpoint records indicate where recovery should start after system failure. Every five seconds a transaction table, dirty page table, and the checkpoint record are written to the log file. These components of the log file are crucial to maintaining integrity for the volume (partition). The transaction table keeps track of transactions that have been started but were not committed at the point of system failure. The sub-operations of this transaction must be rolled back. The dirty page table keeps track of pages in the cache containing changes to the file system structure that have not been written to disk. Obviously, the data in these pages must be flushed to disk so the updating process is complete. The log file's restart area contains the LSN of the checkpoint record. Each checkpoint record stores LSNs for the nearest transaction table and dirty page table. This referencing allows NTFS to find these records quickly at the time of system recovery. At recovery, NTFS does three scans of the log file.

The first scan is the analysis pass. NTFS finds the most current transaction table and dirty page table indicated by the checkpoint record, and scans forward to the end of the log file. In doing so, any update records that are found are added to the two tables. Next the NTFS uses the tables to determine the LSN of the oldest update record containing an operation not written to disk.

Now the second scan, the redo pass, can start. Beginning at the LSN that the analysis pass found, each update through the end of the log file is redone in the cache. These updates are then written to disk as a background action (lazy writing). Finally, NTFS does the undo pass, using the transaction table to find transactions not committed at the time of the system failure. It then undoes each sub-operation of such a transaction, following the backward pointers that connect them, and continues until all of these transactions have been rolled back.
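As an added example (not the book's own code), the following Python is a toy model of the three recovery passes just described: update records carry redo and undo information plus a backward pointer, a checkpoint record carries the transaction and dirty page tables, and recovery runs the analysis, redo and undo passes over a constructed crash scenario. The record layout, page names and field values are assumptions made for the model, not the on-disk NTFS format.

```python
"""Toy model of NTFS log file recovery: analysis, redo and undo passes."""
from dataclasses import dataclass

@dataclass
class Update:
    lsn: int
    txn: int
    page: str            # file system structure being changed (e.g. an MFT record)
    redo: tuple          # (field, new value): how to redo the sub-operation
    undo: tuple          # (field, old value): how to reverse the sub-operation
    prev: "int | None"   # backward pointer to this transaction's previous update

@dataclass
class Commit:
    lsn: int
    txn: int

@dataclass
class Checkpoint:
    lsn: int
    transaction_table: dict   # txn -> LSN of its latest update, for open txns
    dirty_page_table: dict    # page -> LSN of the oldest change not yet flushed

def recover(log: list, checkpoint_lsn: int, disk: dict) -> dict:
    """Return the consistent volume state rebuilt from 'disk' plus the log."""
    by_lsn = {r.lsn: r for r in log}
    ordered = sorted(log, key=lambda r: r.lsn)
    cp = by_lsn[checkpoint_lsn]
    # Analysis pass: take the checkpoint's tables and scan forward to the end.
    txn_table = dict(cp.transaction_table)
    dirty = dict(cp.dirty_page_table)
    for rec in ordered:
        if rec.lsn <= cp.lsn:
            continue
        if isinstance(rec, Update):
            txn_table[rec.txn] = rec.lsn
            dirty.setdefault(rec.page, rec.lsn)
        elif isinstance(rec, Commit):
            txn_table.pop(rec.txn, None)
    cache = {page: dict(fields) for page, fields in disk.items()}
    if dirty:
        # Redo pass: from the oldest unflushed update onward, redo every
        # update in the cache (NTFS later lazy-writes the cache to disk).
        start = min(dirty.values())
        for rec in ordered:
            if isinstance(rec, Update) and rec.lsn >= start:
                field, value = rec.redo
                cache.setdefault(rec.page, {})[field] = value
    # Undo pass: roll back each transaction still open at the failure by
    # walking its backward pointers and applying every undo in turn.
    for lsn in txn_table.values():
        while lsn is not None:
            rec = by_lsn[lsn]
            field, value = rec.undo
            cache.setdefault(rec.page, {})[field] = value
            lsn = rec.prev
    return cache

def crash_scenario() -> dict:
    # Constructed failure: transaction 1 renames a file and commits;
    # transaction 2 extends another file but the system fails before committing.
    disk = {"mft:35": {"name": "old.txt", "size": 1000},
            "mft:36": {"name": "log.dat", "size": 4096}}
    log = [
        Checkpoint(10, {}, {}),
        Update(11, 1, "mft:35", ("name", "new.txt"), ("name", "old.txt"), None),
        Commit(12, 1),
        Update(13, 2, "mft:36", ("size", 8192), ("size", 4096), None),
        Update(14, 2, "bitmap", ("cluster900", 1), ("cluster900", 0), 13),
    ]
    return recover(log, 10, disk)
```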

UNIX File System

Every item in a UNIX file system can be defined as belonging to one of four file types:

  • Ordinary files. An ordinary file may contain text, data, or program information. It cannot contain another file or directory.

  • Directories. A directory is actually implemented as a file that has one line for each item contained in the directory. Each line in a directory file contains only the name of the item and a numerical reference to the location of the item. The reference is called an I-number, and is an index to a table called the I-list. The I-list is a complete list of all the storage space available to the UNIX file system.

  • Special files. Special files represent input/output (I/O) devices, like a tty (terminal), a disk drive, or a printer. Because UNIX treats such devices as files, a degree of compatibility can be achieved between device I/O and ordinary file I/O, allowing for the more efficient use of software. Special files can be either character special files, which deal with streams of characters, or block special files, which operate on larger blocks of data. Typical block sizes in UNIX are 512 bytes, 1024 bytes, and 2048 bytes.

  • Links. A link is a pointer to another file. Remember that a directory is nothing more than a list of the names and i-numbers of files. A directory entry can be a hard link, in which the i-number points directly to another file. A hard link to a file is indistinguishable from the file itself. When a hard link is made, the i-numbers of two different directory file entries point to the same inode. (Inodes are explained a bit later.) For that reason, hard links cannot span across file systems. A soft link (or symbolic link) provides an indirect pointer to a file. A soft link is implemented as a directory file entry containing a pathname. Soft links are distinguishable from files and can span across file systems. Not all versions of UNIX support soft links.

An I-list refers to the storage of a single physical device. Each UNIX machine has an I-list pointing to a special storage area, known as the root file system. The root file system contains the files for the operating system itself and is available at all times. Other file systems are removable. Removable file systems can be attached or mounted to the root file system. Typically, an empty directory is created on the root file system as a mount point and a removable file system is attached there. When a user issues a cd command to access the files and directories of a mounted removable file system, file operations will be controlled through the I-list of the removable file system.

The purpose of the I-list is to provide the operating system with a map into the memory of some physical storage device. This file map is constantly being revised, as files are created and removed and as they shrink and grow in size. In this fashion, the mechanism of mapping must be very flexible to accommodate changes in the number and size of files. The I-list is stored in a known location on the same memory storage device that it maps.

Each entry in an I-list is called an inode. An inode is a complex structure that provides the necessary flexibility to track the changing file system. Inodes contain the information necessary to get information from the storage device, which typically communicates in fixed-size disk blocks. An inode contains 10 direct pointers that point to disk blocks on the storage device. In addition, each inode also contains one indirect pointer, one double indirect pointer, and one triple indirect pointer. The indirect pointer points to a block of direct pointers. The double indirect pointer points to a block of indirect pointers and the triple indirect pointer points to a block of double indirect pointers.

In summary, the UNIX file directory is really a list of i-numbers; each i-number references a specific inode on a specific i-list. In operation, UNIX traces its way through a file path by following the inodes until it reaches the direct pointers that contain the actual location of file on the storage device.
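As an added example (not the book's own code), the following Python works out the inode pointer layout described above: given a block size and a 4-byte pointer size (an assumption, since the text does not give one), it maps a file's logical block number to the direct, indirect, double or triple indirect path that reaches it, counts the disk reads that path costs, and computes the largest file the layout can address.

```python
"""Map a file's logical block number to the inode pointer path that reaches it."""

N_DIRECT = 10  # direct pointers per inode, as described in the text
PTR_SIZE = 4   # assumed size of one disk block pointer, in bytes

def pointers_per_block(block_size: int, ptr_size: int = PTR_SIZE) -> int:
    """How many block pointers fit in one indirect block."""
    return block_size // ptr_size

def locate_block(lbn: int, block_size: int, ptr_size: int = PTR_SIZE):
    """Return (level, path) for logical block number lbn of a file.

    level is 'direct', 'indirect', 'double' or 'triple'. The first index in
    path selects the inode pointer; each later index selects an entry in the
    pointer block reached at the previous level.
    """
    if lbn < 0:
        raise ValueError("negative block number")
    ppb = pointers_per_block(block_size, ptr_size)
    if lbn < N_DIRECT:
        return "direct", [lbn]
    lbn -= N_DIRECT
    if lbn < ppb:
        return "indirect", [lbn]
    lbn -= ppb
    if lbn < ppb * ppb:
        return "double", [lbn // ppb, lbn % ppb]
    lbn -= ppb * ppb
    if lbn < ppb ** 3:
        return "triple", [lbn // (ppb * ppb), (lbn // ppb) % ppb, lbn % ppb]
    raise ValueError("block number exceeds what this inode layout can address")

def reads_to_reach(level: str) -> int:
    """Disk reads to fetch the data block: one per pointer block plus the data."""
    return {"direct": 1, "indirect": 2, "double": 3, "triple": 4}[level]

def max_file_size(block_size: int, ptr_size: int = PTR_SIZE) -> int:
    """Largest file, in bytes, that 10 direct + 1/1/1 indirect pointers address."""
    ppb = pointers_per_block(block_size, ptr_size)
    blocks = N_DIRECT + ppb + ppb ** 2 + ppb ** 3
    return blocks * block_size
```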

Forensically Sound Duplication Tools

Here are requirements for a duplication tool to be considered trusted and sufficient to provide services that meet legal requirements:

  • Applications must have the ability to create images of storage in a bit-by-bit fashion. Having a duplicate of the files is not sufficient. The tool must have the ability to duplicate the entire medium, including unallocated file space and free space, known as slack space. Slack space includes file slack and RAM slack.

  • Applications must not make any changes in the evidence-media being duplicated or in the copy it creates.

  • Applications must have the ability to survive challenges and scrutiny by third-party experts.

    Experience Note 

    Investigators should use tools that have a positive history in judicial proceedings. This saves a significant amount of time and money and helps win cases. If the duplication tool does not have a favorable court history or is a tool used only by attackers, investigators are reminded they must justify the use of their procedures and tools. Under the law, procedures, standards, and results must be provided to the opposing attorneys and will likely be subjected to expert examination. However, if the tool has an extensive court presence, these cases may be cited when providing the tool and results to the opposing attorneys often resulting in fewer meritorious legal challenges.

  • Applications must have the ability to generate a checksum or one-way hash of the image and record the time of its creation. It is acceptable for the tool to generate this integrity safeguard during or after the image is completed.

Forensic Media Duplication Tools

The most commonly accepted forensic duplication tools are Safeback, EnCase, Ghost, and the UNIX dd utility. Safeback is probably the most common duplication tool, in that more digital evidence has been duplicated with this application than any other single application.

EnCase is an entire suite of tools directed to the purpose of duplicating evidence, organizing files and directories, viewing evidence, etc. It is an incredibly useful application and has an extensive legal history. Guidance Software, the manufacturer of EnCase, offers training sessions and certification in forensic examination.

The UNIX dd command is a duplication utility that gained popularity several years ago with investigators. Many investigators are unfamiliar with the flexibility and strength of UNIX commands, so they tend to shy away from them. Those who are comfortable with command line interface structures tend to use it.

There are many opinions about Symantec's Ghost as a forensic duplication tool. However, in the research done by many investigators, it appears to render forensically sound duplicates.

Producing Hash Values

A hash value, or simply a "hash," is a number generated from a string of text or other data. Producing hash values ensures the security and integrity of data. The hash is generated by an algorithm in such a way that it is extremely unlikely that other input can produce the same hash value. Hashing is a form of encoding that is mathematically infeasible to reverse.

In essence, the hash program scans the text string and mathematically calculates the hash value. Hashes are generally substantially smaller than the text itself. Hashes play an important role in forensic examination where they ensure the duplicated material has not been altered in any way. Investigators commonly create hash values of collected digital evidence to ensure its integrity from the time it is duplicated, through the examination process, passing the evidence to the opposing counsel during the legal discovery process, and through judicial proceedings. Hashing can be applied to any size input and produce a fixed size output sometimes called the message digest.

Experience Note 

Remember that hashing is one-way, computationally infeasible to reverse, yet relatively easy to compute.

There are two hash algorithms in common usage. The first, the MD-5 hash function, was designed by Ron Rivest, one of the trio of engineers behind RSA public key encryption; the MD-5 algorithm produces a 128-bit output. More information is available at www.ietf.org/rfc/rfc1321.txt.

The second, SHA-1 (Secure Hash Algorithm), is similar to the MD-5 algorithm. The SHA-1 algorithm produces a 160-bit output. More information is available at www.itl.nist.gov/fipspubs/fip180-1.htm.

Boot Disk

One of the most basic doctrines of forensic duplication is to never permit the machine containing the evidence (the target machine) to boot to its native operating system. Evidence files will be updated or their attributes changed by the native operating system. Altered files are subject to legal challenges disputing their integrity.

Experience Note 

One of the most common legal arguments in preserving digital evidence is that the investigator changed the file's content during the collection, examination, or preservation process. Consequently, it is alleged that the investigator tampered with the evidence and destroyed its evidentiary value in the process, relieving the defendant of responsibility for the file and its content.

During the boot phase, the workstation's operating system updates file access times, registry configurations, log files, and system configuration files. Of course, these file modifications are reflected in the file's attributes: Modified, Accessed, Created (MAC). When making media images, it is necessary to have an operating system outside the target machine. It may be located on a bootable floppy or CD, but the important point is to disable or remove control from the target machine's operating system.

One of the simpler ways to create a bootable floppy with an operating system on it is to create a DOS boot disk. Creating a Microsoft DOS boot floppy disk is a simple process. It is strongly recommended that a disk wiping utility be used here ensuring there are no stray commands or data on the boot disk. Just to be certain, it is a good idea to hash the disk with the resulting hash being 00. There are many hashing applications available. Dan Mares, a retired IRS Special Agent, has assembled many tools on his Web page plus links to other valuable tool sites. [2]
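As an added example (not the book's own code), the following Python implements the hashing workflow from "Producing Hash Values" together with the wiped-disk check recommended above: it streams an image through MD5 (128-bit) and SHA-1 (160-bit) in fixed-size chunks, records the time the digests were produced, verifies a duplicate against its original, and confirms that a medium holds nothing but zero bytes. The sample images are constructed in the block.

```python
"""Hash a forensic image in chunks, record when it was hashed, and verify a copy."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20   # 1 MiB per read, so images larger than memory stream through

def digests(stream, algorithms=("md5", "sha1")) -> dict:
    """{algorithm: hex digest} for the stream, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def acquisition_record(stream) -> dict:
    """Digests plus the UTC time at which they were produced."""
    record = digests(stream)
    record["hashed_at_utc"] = datetime.now(timezone.utc).isoformat()
    return record

def verify_duplicate(original, duplicate) -> bool:
    """True only when every algorithm agrees that the two images are identical."""
    return digests(original) == digests(duplicate)

def is_sterile(stream) -> bool:
    """True when the medium holds nothing but zero bytes (wiped before use)."""
    for block in iter(lambda: stream.read(CHUNK), b""):
        if block.count(0) != len(block):
            return False
    return True

def open_image(data: bytes) -> io.BytesIO:
    """Wrap constructed bytes as a file-like image for the functions above."""
    return io.BytesIO(data)

# Constructed sample images (not real evidence): a repeating byte pattern and a
# copy of it that differs in exactly one bit of one byte.
SAMPLE_IMAGE = bytes(range(256)) * 64
ALTERED_IMAGE = (SAMPLE_IMAGE[:5000] + bytes([SAMPLE_IMAGE[5000] ^ 0x01])
                 + SAMPLE_IMAGE[5001:])
```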

Boot Disk Creation

Using a copy of Microsoft DOS 6.22 or Windows 95, format a floppy disk using the following command:

   C:\>format a: /s

In creating this disk, you will notice there are four directories that are listed in Exhibit 9.

Exhibit 9: Boot Utilities


The first file listed and ready to be processed is IO.SYS. The code contained within this file loads the contents of MSDOS.SYS and begins to initialize the required device drivers, tests and resets the hardware, and loads the command line interpreter, COMMAND.COM. These files form the basic kernel of the DOS operating system.

If, during the process of loading the device drivers, a disk or partition is detected using compression software, IO.SYS loads the DRVSPACE.BIN driver. As DRVSPACE.BIN loads, it will mount the compressed file, uncompress it, and present the operating system with the uncompressed file. In this process, it changes the time and date stamps of the compressed file resulting in unacceptable changes to the file's attributes.

Experience Note 

DOS 6.22 and 7.0 are favorites for forensic investigations, as many investigators are convinced these operating systems do not change file attributes.

Disabling DRVSPACE.BIN

To make your boot disk useful, the DRVSPACE.BIN file must be disabled. It is not sufficient to remove the file, as IO.SYS is programmed to look in the root directories of all partitions for the file. Consequently, the most effective means of assuring the failure of DRVSPACE.BIN is to load IO.SYS into a hex editor and manually alter the strings. There are a variety of hex editors, also commonly called disk editors, available. One of the best editors is available as part of Norton's Utilities at www.symantec.com. There is another very useful hex editing tool available at the Hackman Web site (www.technologismiki.com/hackman/index.html).

The process involves loading the IO.SYS into the hex editor and executing the string search for the word "SPACE." You are searching for entries that refer to DriveSpace or DoubleSpace. Needing to have IO.SYS fail to execute this driver, you can change the name to ZZZGONEZZZ.ZZZ. The naming convention is immaterial, but it is suggested that you decide on a naming convention for continuity purposes. There are four instances in IO.SYS that need to be altered in the same fashion as the first. Use the hex editor in each case. Additionally, it is strongly recommended to remove the DRVSPACE.BIN file from the boot floppy disk.

Physical Write Blockers

As you can see, redundancy is one of the key features of forensic investigation because evidence is so fragile and volatile. Usually there is only one chance to obtain it. Such is the case with using a physical write blocker. Physical write blocker utilities use a technique termed interrupt masking to prevent writing requests. Interrupts are the method by which the operating system performs write functions. If a request is made to write to protected media, the write blocker discards the request, denying the ability to write to the media.

A very well written piece of physical write blocking software called PDBlock is available through the folks at Digital Intelligence (www.digitalintel.com/pdblock.htm). They offer useful software and hardware products with particular application to digital forensic investigations.

Using Safeback in Forensic Duplications

As mentioned earlier, Safeback has the ability to create bit-by-bit images of the evidence media and operates in four modes:

  1. The copy function delivers backup and restore operations

  2. The verify function verifies the checksum values generated by Safeback within the image file

  3. The backup function creates the bit-by-bit duplication of the evidence media

  4. The restore function restores the files created by the backup function

When Safeback is started from the bootable floppy disk, it will prompt for a location to create an audit file that serves to log the process by which the forensic duplication is made. This file is a convenient place for the storage of significant items related to the investigation of this particular medium, e.g., serial number of the medium, evidence tag number, case file number, time/date/place of the medium investigation, investigator's name and title, and other related information. Because this file constitutes an investigator's notes, it necessarily is an item to be retained as evidence. It is likely this file will be requested as part of the legal discovery process.

Safeback's options and features are fairly straightforward, having an easy-to-navigate interface. Safeback creates an image of the target media and writes that image to the media selected by the user. At some later time, the investigator restores the imaged drive and voila! her evidence is ready for review and analysis. There is one very interesting feature in that Safeback has the capability of filling the medium, where the copy is being written, with zeros. For example, this option is very useful if you are restoring a 10 Gb drive to a 20 Gb drive.

UNIX dd Commands

One of the best methods of ensuring originals and copies are exactly the same is to use an operating system that is not capable of writing to the target disk format. If investigators are going to use UNIX dd commands, it is prudent to remove all non-essential features from it. This may seem unnecessary; however, when the investigator is providing testimony, having removed all features other than those necessary to create the forensic duplication will help establish the investigator's credibility and her professional due diligence.

Experience Note 

Investigators must be familiar with using UNIX dd before they use it to duplicate evidence. Showing up on a job and using UNIX dd for the first time is a recipe for disaster.

Information and instructions about using UNIX dd commands are available at www.cse.ogi.edu/cgi-bin/man-cgi?dd+1.

EnCase

EnCase is probably the most widely used forensic software suite in production today. EnCase has a significant following among law enforcement agencies and has fared well in legal challenges when used correctly. It is a suite of useful and tested tools for a Windows-based environment. EnCase permits investigators to duplicate original media and enables the duplication of multiple files using its own compression method. At the time of creation, each file is hashed, and the hash is verified at the time of analysis. It supports the FAT16, FAT32, NTFS, Linux, and Macintosh file systems. EnCase is backed by technical support, training, and a certification process. Information is available at www.guidancesoftware.com.

[2]www.dmares.com/maresware/forensic_tools.htm; Dan offers a hash tool at www.dmares.com/maresware/gk.htm#HASH.



Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144