12.4 File System Traces


When files on HFS are moved or copied, their date-time stamps are not updated - as far as the system is concerned, only the contents of the parent directories have changed. A summary of common actions and the associated date-time stamp changes on MacOS 9 is provided in Table 12.1.

Table 12.1: Date-time stamp behavior on MacOS 9.

    ACTION               LAST MODIFIED DATE-TIME   LAST ACCESSED DATE-TIME   CREATED DATE-TIME
    Moving files         Unchanged                 N/A                       Unchanged
    Copying files        Unchanged                 N/A                       Unchanged
    Parent directories   Updated                   N/A                       Unchanged

Macintosh reduces the chances of accidental data loss by maintaining redundant information in the catalog about files and using the Trash folder. The main volume on a Macintosh system has a folder named "Trash" where deleted files are stored in case the user later decides he/she needs the data. All other volumes have folders named ".Trashes" for the same purpose.

Macintosh systems maintain a list of recently accessed applications and files to provide users with easy access to commonly used items. For instance, as the names suggest, the "System Folder:Apple Menu Items:Recent Applications" and "System Folder:Apple Menu Items:Recent Documents" folders list recently accessed applications and files.

    Name                  File Created           Last Written
    APPENDIX-II.doc       01/28/03 03:22:22PM    01/28/03 03:22:22PM
    AZ_V_BASS_2001.doc    01/22/03 11:58:57AM    01/22/03 11:58:57AM
    CHAPTER3-new.doc      01/28/03 03:21:42PM    01/28/03 03:21:42PM
    CHAPTER4.doc          01/28/03 03:22:10PM    01/28/03 03:22:11PM
    Chapters 1 & 2.doc    01/28/03 03:20:54PM    01/28/03 03:20:54PM
    notes-network.txt     11/20/02 07:25:42PM    11/20/02 07:25:42PM
    The Crown v Speyer    12/09/02 10:51:29AM    12/09/02 10:51:29AM

The associated "System Folder:Preferences:Apple Menu Options Prefs" file also contains information about recently accessed files on the system.


CASE EXAMPLE

A suspect's computer was examined but no incriminating digital evidence was found. However, entries relating to PGP in the Recent Applications folder suggested that someone may have encrypted or wiped data on the system.

On each volume of a Macintosh system, there is a database in files named "Desktop DB" and "Desktop DF". This Desktop database contains information about activities on the system, including programs that were run and files and Web sites that were accessed. These database files can be viewed using a program like Desktop DB Diver. Notably, when viewing applications that were run on the system, the "creation date" in "Desktop DB" files corresponds to the creation date-time stamp of the associated executable, indicating when the application was installed on the system, not when it was first used. Also, when a Web page is saved to disk using Netscape or Internet Explorer, the URL is inserted into a "comments" field of the file. These comments are also stored in the Desktop database and can persist long after the associated file is deleted.

It is instructive to observe the simple case of file system traces on external media such as floppy diskettes and memory cards. When files are saved to an HFS-formatted floppy diskette, a Desktop Folder is created to store files that the user wants to appear on the Macintosh Desktop when the floppy is inserted into a system. A number of interesting file system traces are created when files are saved from a Macintosh to a floppy diskette or memory card (e.g. from a digital camera) formatted using FAT. In addition to a folder named "resource.frk" that contains the resource forks of files saved from HFS, Apple's PC Exchange program creates two files named "finder.dat" and "fileid.dat". The following output shows the Sleuth Kit being used to examine a floppy diskette that was formatted with FAT and used to store files from a Macintosh. Note that the last accessed times of the files copied from a Macintosh onto a FAT-formatted disk are meaningless, since HFS does not maintain access times.

    examiner1% dd if=/dev/disk3 | md5
    2880+0 records in
    2880+0 records out
    X bytes transferred in Y secs (Z bytes/sec)
    d14cbf5e5dccbbbace817409b494c602
    examiner1% dd if=/dev/disk3 of=fat-mac-floppy.dd
    2880+0 records in
    2880+0 records out
    X bytes transferred in Y secs (Z bytes/sec)
    examiner1% fls -l -f fat12 /morgue/fat-mac-floppy.dd
    <note added by author       last written               created                    size>
    r/r 3: pubring.pkr          1999.01.05 12:32:14 (EST)  1999.01.05 11:11:06 (EST)  1146
    r/r 4: secring.skr          1999.01.05 12:32:14 (EST)  1999.01.05 11:11:12 (EST)  1099
    r/r 5: FINDER.DAT           1999.01.28 22:15:30 (EST)  1999.01.28 21:57:36 (EST)  1628
    r/r 6: Desktop              1999.01.28 19:57:42 (EST)  1999.01.28 21:57:42 (EST)  0
    r/r 7: FILEID.DAT           1999.01.28 20:42:02 (EST)  1999.01.28 21:57:42 (EST)  704
    r/r 8: NAV QuickScan        1999.03.18 19:51:52 (EST)  1999.01.28 21:57:36 (EST)  582
    d/d 20: RESOURCE.FRK        1999.01.28 21:57:42 (EST)  1999.01.28 21:57:42 (EST)  512
    d/d * 25: Desktop Folder    1999.04.03 23:15:08 (EST)  1999.04.03 23:15:08 (EST)  0
    d/d * 27: Trash             1999.04.03 23:15:10 (EST)  1999.04.03 23:15:10 (EST)  0
    d/d * 34: Temporary Items   1999.04.03 23:15:10 (EST)  1999.04.03 23:15:10 (EST)  0
    r/r 37: OpenFolderListDF_   1999.01.28 22:15:30 (EST)  1999.01.28 22:15:30 (EST)  0
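As an added example (not code from the book or from the Sleuth Kit project), the following Python parses the fls listing above and applies two checks an examiner would run on such a listing: which entries fls marks as deleted (the "*"), and which files have a last-written time earlier than their created time. Table 12.1 says a Macintosh copy leaves both stamps unchanged, so written-before-created on the FAT side is the pattern of a file that kept its original modification time but received a new creation time when it was placed on the medium; that reading of the listing is mine, not a claim the book makes. The two time columns are read as last-written and created, following the author's note.

```python
"""Parse Sleuth Kit `fls -l -f fat12` output and flag timestamp anomalies.

Added example, not code from the book or from the Sleuth Kit.  FLS_OUTPUT is
copied from the fls listing on the page; per the author's note, the two time
columns are last-written and created (fls -l on FAT also prints an access
time, but the page's listing omits it).
"""
import re
from datetime import datetime

# fls listing copied from the page (floppy written by PC Exchange).
FLS_OUTPUT = """\
r/r 3: pubring.pkr          1999.01.05 12:32:14 (EST)  1999.01.05 11:11:06 (EST)  1146
r/r 4: secring.skr          1999.01.05 12:32:14 (EST)  1999.01.05 11:11:12 (EST)  1099
r/r 5: FINDER.DAT           1999.01.28 22:15:30 (EST)  1999.01.28 21:57:36 (EST)  1628
r/r 6: Desktop              1999.01.28 19:57:42 (EST)  1999.01.28 21:57:42 (EST)  0
r/r 7: FILEID.DAT           1999.01.28 20:42:02 (EST)  1999.01.28 21:57:42 (EST)  704
r/r 8: NAV QuickScan        1999.03.18 19:51:52 (EST)  1999.01.28 21:57:36 (EST)  582
d/d 20: RESOURCE.FRK        1999.01.28 21:57:42 (EST)  1999.01.28 21:57:42 (EST)  512
d/d * 25: Desktop Folder    1999.04.03 23:15:08 (EST)  1999.04.03 23:15:08 (EST)  0
d/d * 27: Trash             1999.04.03 23:15:10 (EST)  1999.04.03 23:15:10 (EST)  0
d/d * 34: Temporary Items   1999.04.03 23:15:10 (EST)  1999.04.03 23:15:10 (EST)  0
r/r 37: OpenFolderListDF_   1999.01.28 22:15:30 (EST)  1999.01.28 22:15:30 (EST)  0
"""

TS = r"\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}"
# One fls row: type, optional "*" for deleted entries, inode, name (may contain
# spaces, hence the lazy match), two timestamps with a zone, and the size.
LINE_RE = re.compile(
    r"^(?P<kind>\S/\S)\s+(?P<deleted>\*\s+)?(?P<inode>\d+):\s+(?P<name>.+?)\s+"
    r"(?P<written>" + TS + r") \(\w+\)\s+(?P<created>" + TS + r") \(\w+\)\s+(?P<size>\d+)\s*$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y.%m.%d %H:%M:%S")


def parse_fls(text):
    """Return one dict per fls row; non-row lines (prompt, author note) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "kind": m["kind"],
            "deleted": m["deleted"] is not None,
            "inode": int(m["inode"]),
            "name": m["name"],
            "written": parse_ts(m["written"]),
            "created": parse_ts(m["created"]),
            "size": int(m["size"]),
        })
    return entries


def deleted_names(entries):
    """Entries fls flagged with '*' (directory entry still present, file deleted)."""
    return [e["name"] for e in entries if e["deleted"]]


def written_before_created(entries):
    """Files whose last-written time precedes their created time: consistent with
    a copy that preserved the source modification time (examiner's interpretation)."""
    return [e["name"] for e in entries if e["written"] < e["created"]]


if __name__ == "__main__":
    rows = parse_fls(FLS_OUTPUT)
    print("deleted entries:     ", deleted_names(rows))
    print("written before created:", written_before_created(rows))
```

Run as a script it lists the three deleted directories and the two files (Desktop and FILEID.DAT) whose modification time predates their creation time; everything else on the diskette was either created before it was last written or carries identical stamps.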

The "finder.dat" file contains information that Macintosh systems use to organize the files on screen, and the "fileid.dat" file contains long file names. Interestingly, the segment of the "finder.dat" file shown here contains date-time stamps for files on the disk, as well as some date-time stamps from a year earlier (April 10, 1998 and June 1, 1998).

    examiner1% task/bin/icat -f fat12 /morgue/fat-mac-floppy.dd 5 | xxd
    <cut for brevity>
    0000250: 4944 454e 5449 5459 2020 2084 0b53 4543  IDENTITY   ..SEC
    0000260: 5249 4e47 2e53 4b52 0000 0793 b154 0793  RING.SKR.....T..
    0000270: b198 0084 4c30 5345 4352 494e 5445 5854  ....L0SECRINTEXT
    0000280: 646f 7361 0100 0000 0081 0000 0000 0000  dosa............
    0000290: 0000 0000 0000 0000 0000 0002 b2b7 a3d0  ................
    00002a0: b2b7 b6ce 0000 0000 7fff fff0 5345 4352  ............SECR
    00002b0: 494e 4720 534b 5284 0b50 5542 5249 4e47  ING SKR..PUBRING
    00002c0: 2e50 4b52 0000 0793 b154 0793 b198 0084  .PKR.....T......
    00002d0: 4c30 5055 4252 494e 5445 5854 646f 7361  L0PUBRINTEXTdosa
    00002e0: 0100 0000 0001 0000 0000 0000 0000 0000  ................
    00002f0: 0000 0000 0000 0002 b2b7 a3ca b2b7 b6ce  ................
    0000300: 0000 0000 7fff ffef 5055 4252 494e 4720  ........PUBRING 
    0000310: 504b 5284 114e 4156 2051 7569 636b 5363  PKR..NAV QuickSc
    <cut for brevity>

These "finder.dat" files may contain names and date-time stamps of files deleted from the diskette using a non-Macintosh system that does not update these files. Also, keep in mind that the date-time stamps on the files in "resource.frk" may not be identical to those of the corresponding data fork if changes were made to the data using Windows.
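The date-time stamps in the "finder.dat" dump can be decoded and checked against the fls listing. The following Python is an added example, not code from the book: HFS records dates as unsigned 32-bit big-endian counts of seconds since 1904-01-01 00:00:00 local time. The page does not document the finder.dat record layout, so the assumption here is that the two words at 0x29c-0x2a3 (in the SECRING.SKR record) and at 0x2f8-0x2ff (PUBRING.PKR) are HFS created and modified dates; decoding them yields 11:11:12 and 12:32:14 on 5 January 1999 for secring.skr and 11:11:06 and 12:32:14 for pubring.pkr, exactly the created and last-written times fls reported for those two files, which is how the assumption is verified. The carving helper that looks for any word decoding to a plausible date is a generalisation beyond the page's two records.

```python
"""Decode HFS date-time stamps found in the finder.dat dump.

Added example, not code from the book.  HFS stores dates as unsigned 32-bit
big-endian seconds since 1904-01-01 00:00:00 local time.  The finder.dat record
layout is not documented on the page; the assumption made here is that the two
words at 0x29c (SECRING.SKR) and 0x2f8 (PUBRING.PKR) in the dump are HFS
created/modified dates, and the fls listing is used to confirm that reading.
"""
import struct
from datetime import datetime, timedelta

HFS_EPOCH = datetime(1904, 1, 1)  # local time; HFS dates carry no zone information

# Bytes copied verbatim from the `icat ... 5 | xxd` dump on the page:
# offsets 0x290-0x2af (part of the SECRING.SKR record) ...
SECRING_REGION = bytes.fromhex(
    "0000 0000 0000 0000 0000 0002 b2b7 a3d0"
    "b2b7 b6ce 0000 0000 7fff fff0 5345 4352"
)
# ... and 0x2f0-0x2ff (part of the PUBRING.PKR record).
PUBRING_REGION = bytes.fromhex("0000 0000 0000 0002 b2b7 a3ca b2b7 b6ce")


def hfs_to_datetime(seconds):
    """Convert an HFS 32-bit date (seconds since 1904) to a naive local datetime."""
    return HFS_EPOCH + timedelta(seconds=seconds)


def decode_date_pair(region, offset):
    """Read two consecutive big-endian HFS dates at `offset`.

    The (created, modified) order is an assumption; it is the order under which
    the decoded values match the fls created / last-written columns."""
    created, modified = struct.unpack_from(">II", region, offset)
    return hfs_to_datetime(created), hfs_to_datetime(modified)


def scan_hfs_dates(region, lo=datetime(1990, 1, 1), hi=datetime(2010, 1, 1), step=4):
    """Carve every 32-bit word (at `step`-byte alignment) that decodes to a date in
    [lo, hi).  Returns (offset, datetime) pairs; a window keeps zero words, ASCII
    and flag fields from being mistaken for dates."""
    hits = []
    for off in range(0, len(region) - 3, step):
        (value,) = struct.unpack_from(">I", region, off)
        when = hfs_to_datetime(value)
        if lo <= when < hi:
            hits.append((off, when))
    return hits


if __name__ == "__main__":
    for label, region, off in (("SECRING.SKR", SECRING_REGION, 12),
                               ("PUBRING.PKR", PUBRING_REGION, 8)):
        created, modified = decode_date_pair(region, off)
        print(f"{label}: created {created}  modified {modified}")
    # fls reported secring.skr created 1999.01.05 11:11:12, last written 12:32:14 (EST)
    print("aligned date-like words in SECRING region:", scan_hfs_dates(SECRING_REGION))
```

With the default 4-byte alignment the carver finds only the two genuine dates in the SECRING.SKR region. Running it with step=1 also returns misaligned words that happen to fall inside the window (the bytes starting at 0x29d decode to a date in 2001), which is why a carved date is only evidence once it is corroborated by an independent source such as the fls output or a known record layout.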




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
