
File system analysis is a critical skill in network security and forensics. It involves examining the structure, metadata, and content of digital storage devices to uncover evidence and reconstruct events. Understanding file systems helps investigators locate, recover, and interpret digital data effectively.

Forensic professionals use specialized tools and techniques to analyze file systems. This includes creating forensic images, recovering deleted files, examining metadata, and analyzing . Proper file system analysis can reveal user activities, hidden data, and potential anti-forensic attempts, aiding investigations and legal proceedings.

File system structure

  • Understanding file system structure is crucial for network security and forensics professionals to effectively analyze and investigate digital evidence
  • File systems provide a logical structure for organizing and storing data on storage devices (hard drives, SSDs, USB drives)
  • Proper knowledge of file system structure enables forensic examiners to locate, recover, and interpret digital evidence in a forensically sound manner

Hierarchical organization

  • File systems typically follow a hierarchical or tree-like structure, starting from a root directory
  • Hierarchical organization allows for logical grouping and nesting of files and directories
  • The root directory serves as the starting point, and all other directories and files are organized beneath it
  • Example: In Windows, the root directory is usually represented by a drive letter (C:\)

Directories and subdirectories

  • Directories (folders) are used to organize and group related files and other directories
  • Subdirectories are directories within other directories, creating a nested structure
  • Directories and subdirectories help in categorizing and managing files based on their purpose, project, or user
  • Example: A user's home directory might include subdirectories like "Documents," "Pictures," and "Downloads"

Files and file attributes

  • Files are the basic units of data storage in a file system, containing user data, application data, or system data
  • Each file has a unique name and is associated with a specific directory or subdirectory
  • File attributes provide additional information about the file (file type, size, timestamps, permissions)
  • Common file attributes include read-only, hidden, system, and archive
  • File extensions (txt, docx, jpg) help identify the file type and associated application

File system types

  • Different operating systems and storage devices use various file system types, each with its own structure, features, and limitations
  • Understanding the characteristics and forensic implications of different file systems is essential for network security and forensics professionals
  • File system types can impact the way data is stored, accessed, and recovered during forensic investigations

FAT file systems

  • FAT (File Allocation Table) is a legacy file system used by older versions of Windows and removable storage devices
  • Variants include FAT12, FAT16, and FAT32, differing in the number of bits used for addressing and maximum partition size
  • FAT uses a file allocation table to keep track of file clusters and their allocation status
  • Advantages: simple structure, wide compatibility; Disadvantages: limited file size, no built-in security features

NTFS file system

  • NTFS (New Technology File System) is the default file system used by modern versions of Windows
  • Provides advanced features (file permissions, , journaling, data deduplication)
  • Uses a Master File Table (MFT) to store file metadata and attributes
  • Supports Alternate Data Streams (ADS) for storing additional file data without modifying the main file
  • Offers better security, reliability, and performance compared to FAT file systems

ext file systems

  • ext (extended) file systems are commonly used in Linux and Unix-based operating systems
  • Variants include ext2, ext3, and ext4, each with improved features and performance
  • Use inodes (index nodes) to store file metadata and attributes
  • Support journaling (ext3 and ext4) for improved data integrity and faster recovery
  • Offer advanced features (access control lists, extended attributes, file system encryption)

HFS+ file system

  • HFS+ (Hierarchical File System Plus) is the default file system used by older versions of macOS (before APFS)
  • Uses a catalog file to store file and directory metadata, and an extents overflow file for tracking file allocation
  • Supports journaling for improved data integrity and faster recovery
  • Provides features like hard links, symbolic links, and file system compression
  • Replaced by APFS (Apple File System) in newer versions of macOS for enhanced performance and security

File system metadata

  • File system metadata provides crucial information about files and directories, aiding in forensic analysis and investigation
  • Metadata includes details about file structure, allocation, timestamps, and ownership
  • Understanding and interpreting file system metadata is essential for reconstructing events, establishing timelines, and identifying suspicious activities

Master File Table (MFT)

  • The Master File Table (MFT) is a critical component of the NTFS file system used by Windows
  • Stores metadata and attributes for all files and directories on an NTFS volume
  • Each file and directory has a corresponding MFT record containing information (file name, size, timestamps, permissions)
  • MFT records are typically 1 KB in size and are identified by their record number
  • Analyzing the MFT can provide valuable insights into file system activity and help recover deleted files

File Allocation Table (FAT)

  • The File Allocation Table (FAT) is the core data structure used in FAT file systems
  • Keeps track of the allocation status and location of file clusters on the storage device
  • Consists of an array of entries, each representing a cluster and its allocation status (free, allocated, or bad)
  • The FAT is used to navigate the file system, locate files, and manage disk space
  • Analyzing the FAT can reveal information about deleted files and help in file recovery efforts
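As an added example that is not part of the original guide: a small FAT16 chain walker over a constructed table. It follows a file's cluster chain entry by entry, summarises allocation status, and shows the contiguity assumption used to recover a deleted file whose directory entry still holds the start cluster after its FAT entries were zeroed. The FAT16 marker values are the standard ones; the table contents are constructed.

```python
# FAT16 entry conventions: 0x0000 free, 0xFFF7 bad cluster, 0xFFF8-0xFFFF end of chain,
# any other value is the number of the next cluster in the file.
FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOC_MIN = 0xFFF8

# Constructed 16-entry FAT. Entries 0 and 1 are reserved; data clusters start at 2.
# File A occupies 2 -> 3 -> 5; cluster 4 is bad; 9 is a one-cluster file; file B is 10 -> 11;
# clusters 6, 7, 8 were freed when a file was deleted (its FAT entries were zeroed).
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 5, 0xFFF7, 0xFFFF, 0, 0, 0, 0xFFFF, 11, 0xFFFF, 0, 0, 0, 0]


def walk_chain(fat, start):
    """Follow the chain from `start`. Returns (clusters, error); error is None for a
    clean chain, otherwise a reason and the partial chain walked so far."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):
            return chain, f"cluster {cur} out of range"
        if cur in seen:
            return chain, f"loop back to cluster {cur}"
        entry = fat[cur]
        if entry == FAT16_FREE:
            return chain, f"cluster {cur} is marked free (chain broken or file deleted)"
        if entry == FAT16_BAD:
            return chain, f"cluster {cur} is marked bad"
        seen.add(cur)
        chain.append(cur)
        if entry >= FAT16_EOC_MIN:
            return chain, None
        cur = entry


def allocation_summary(fat):
    """Count data clusters by status; reserved entries 0 and 1 are skipped."""
    counts = {"free": 0, "allocated": 0, "bad": 0}
    for entry in fat[2:]:
        if entry == FAT16_FREE:
            counts["free"] += 1
        elif entry == FAT16_BAD:
            counts["bad"] += 1
        else:
            counts["allocated"] += 1
    return counts


def recover_deleted_contiguous(fat, start, size_bytes, cluster_size):
    """Candidate clusters for a deleted file. Deletion zeroes the chain, so the only
    leads are the start cluster and size from the directory entry; assume the file was
    contiguous and stop at the first cluster that is no longer free."""
    needed = -(-size_bytes // cluster_size)  # ceiling division
    clusters = []
    for c in range(start, start + needed):
        if c >= len(fat) or fat[c] != FAT16_FREE:
            break
        clusters.append(c)
    return clusters
```

The truncated candidate list in the last case is the signal that part of the deleted file has been reused, which is the "disk usage patterns" caveat raised later in the guide.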

Inodes and inode tables

  • Inodes (index nodes) are fundamental data structures used in Unix-based file systems (ext2, ext3, ext4)
  • Each file and directory has a unique inode number that serves as an index into the inode table
  • The inode table contains metadata about files and directories (permissions, timestamps, data block pointers)
  • Inodes do not store the actual file names; directory entries map file names to inode numbers
  • Analyzing inodes and the inode table can provide valuable information about file system structure and activity

Timestamps and time zones

  • File systems store various timestamps associated with files and directories (creation, modification, access times)
  • Timestamps can be crucial in establishing a timeline of events and identifying file system activity
  • Different file systems store timestamps in different formats and granularities (e.g., NTFS uses 64-bit timestamps with 100-nanosecond precision)
  • Time zone information is important when interpreting timestamps, as file systems may store timestamps in local time or UTC (Coordinated Universal Time)
  • Forensic examiners must consider time zone differences and daylight saving time when analyzing timestamps from multiple sources
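To make the format and time zone points concrete, here is an added example that is not from the original guide. It decodes NTFS FILETIME values (100-nanosecond ticks since 1601-01-01 UTC) and FAT date/time fields (2-second resolution, local time with no zone recorded), and converts both to UTC once the examiner supplies the device's zone offset, which the code takes as an argument rather than guessing.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """NTFS FILETIME: unsigned 64-bit count of 100-ns ticks since 1601-01-01 UTC.
    Python datetimes carry microseconds only, so the last decimal digit is dropped."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc for a timezone-aware datetime."""
    d = dt.astimezone(timezone.utc) - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def dos_to_naive(date16, time16):
    """FAT packs a 16-bit date (years since 1980) and a 16-bit time whose seconds
    field counts 2-second units. The result is naive: FAT stores local time, no zone."""
    year, month, day = 1980 + (date16 >> 9), (date16 >> 5) & 0x0F, date16 & 0x1F
    hour, minute, second = time16 >> 11, (time16 >> 5) & 0x3F, (time16 & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def naive_to_dos(dt):
    """Pack a naive local datetime the way FAT stores it; odd seconds are truncated."""
    date16 = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time16 = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date16, time16


def fat_to_utc(date16, time16, utc_offset_hours):
    """Attach the zone the examiner established for the device, then convert to UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return dos_to_naive(date16, time16).replace(tzinfo=tz).astimezone(timezone.utc)


def skew_seconds(ft, date16, time16, utc_offset_hours):
    """NTFS minus FAT, in seconds, for two timestamps describing the same event.
    With the correct offset the result stays within FAT's 2-second granularity; a
    whole-hour skew usually means the wrong zone or daylight saving was applied."""
    return (filetime_to_utc(ft) - fat_to_utc(date16, time16, utc_offset_hours)).total_seconds()
```

The constants 0x586F and 0x645C used in the checks below encode 2024-03-15 12:34:56 in FAT form; they were computed for this example.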

File system analysis tools

  • File system analysis tools are essential for forensic examiners to acquire, examine, and interpret digital evidence from storage devices
  • These tools help in creating forensic images, recovering deleted files, analyzing file system structures, and generating timelines
  • Choosing the appropriate tools and using them effectively is crucial for conducting thorough and defensible forensic investigations

Forensic imaging tools

  • Forensic imaging tools are used to create bit-for-bit copies (forensic images) of storage devices or partitions
  • Examples: Guymager, , dd
  • Forensic images preserve the original data and metadata, ensuring the integrity of the evidence
  • Creating a forensic image allows examiners to work on a copy of the evidence without altering the original
  • Forensic imaging tools often support various formats (raw, E01, AFF) and can calculate hash values for verification

File carving tools

  • File carving tools are used to recover deleted or fragmented files from unallocated space on a storage device
  • Examples: Photorec, Scalpel, Foremost
  • These tools work by searching for known file headers and footers and reconstructing files based on their structure
  • File carving can recover files that are no longer referenced by the file system metadata
  • Recovered files may lack original file names and timestamps, requiring further analysis and context

Hex editors and viewers

  • Hex editors and viewers are used to examine and interpret the raw data of files and storage devices
  • Examples: HxD, WinHex, Hexdump
  • These tools display data in hexadecimal and ASCII formats, allowing examiners to identify patterns, headers, and hidden data
  • Hex editors can be used to manually carve files, patch binary data, or search for specific byte sequences
  • Viewing data in hexadecimal can reveal information not visible through normal file viewing methods

Timeline analysis tools

  • Timeline analysis tools are used to create and visualize timelines of file system activity and events
  • Examples: Plaso, log2timeline, Zeitline
  • These tools parse file system metadata, system logs, and application artifacts to extract timestamps and events
  • Timeline analysis helps in reconstructing the sequence of events, identifying suspicious activities, and correlating multiple data sources
  • Timelines can be filtered, searched, and visualized to identify patterns and anomalies in file system activity

File recovery techniques

  • File recovery techniques are used to retrieve deleted, hidden, or corrupted files from storage devices
  • Understanding different file recovery methods is essential for forensic examiners to maximize the chances of successful recovery and gather relevant evidence
  • File recovery techniques exploit the characteristics of file systems and the way data is stored and allocated on storage devices

Deleted file recovery

  • When a file is deleted, the file system typically marks the file's clusters as unallocated and removes the file's metadata
  • However, the actual file data remains on the storage device until it is overwritten by new data
  • Deleted file recovery techniques aim to locate and recover these "deleted" files by searching for their data in unallocated space
  • Techniques include file carving (searching for file headers and footers) and analyzing file system metadata for references to deleted files
  • The success of deleted file recovery depends on factors (time since deletion, file system type, disk usage patterns)
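The header/footer search described in the file carving tools section above and in this one, as an added example that is not from the original guide: a minimal carver run over a constructed buffer standing in for unallocated space. The JPEG and PNG signatures are the real ones; the buffer contents, including a truncated JPEG with no footer, are constructed.

```python
# File type -> (header, footer). The PNG footer is the IEND chunk type plus its fixed CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(data, max_size=10 * 1024 * 1024):
    """Return sorted (offset, type, bytes) for every header whose footer is found
    within max_size bytes. A header with no footer in range is a fragment: it is
    skipped, which is why carved output may be incomplete and unnamed."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            end = data.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1  # fragment: keep scanning past this header
                continue
            end += len(footer)
            found.append((start, ftype, data[start:end]))
            pos = end  # resume after the carved file so its body is not rescanned
    return sorted(found)


def build_sample():
    """Constructed 'unallocated space': zero filler, a 33-byte JPEG, junk, a 45-byte
    PNG (header, IHDR chunk, empty IEND), junk, then a JPEG header cut off by reuse."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body" * 3 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    return b"\x00" * 17 + jpeg + b"\xab" * 5 + png + b"\xcd" * 3 + b"\xff\xd8\xff\xe1trunc"
```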

Slack space analysis

  • Slack space refers to the unused space between the end of a file and the end of its allocated cluster or block
  • When a file does not fill its allocated cluster completely, the remaining space can contain remnants of previously deleted or overwritten data
  • Analyzing slack space can reveal fragments of deleted files or hidden data that may be relevant to an investigation
  • Slack space analysis involves extracting and examining the data stored in slack space for each file on a storage device
  • Specialized tools and techniques are used to carve out and reconstruct data from slack space
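An added example, not from the original guide, of the slack calculation above: given a file's logical size and the cluster size, it locates the slack region inside the file's allocated clusters, extracts it, and runs a strings-style search over it. The cluster contents are constructed; on modern systems the tail of the last written sector is typically zero-filled, so remnants usually begin at the next sector boundary, as in the sample.

```python
import re


def slack_range(file_size, cluster_size):
    """(start, end) byte offsets of slack, relative to the start of the file's
    allocation, or None when the file is empty or exactly fills its last cluster."""
    if file_size == 0 or file_size % cluster_size == 0:
        return None
    allocated = (file_size // cluster_size + 1) * cluster_size
    return file_size, allocated


def extract_slack(allocation, file_size, cluster_size):
    """allocation: the bytes of every cluster allocated to the file, as read from
    the image. Returns only the bytes past the logical end of file."""
    rng = slack_range(file_size, cluster_size)
    if rng is None:
        return b""
    return allocation[rng[0]:rng[1]]


def printable_runs(data, min_len=4):
    """Crude strings(1): runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_sample():
    """Constructed 4096-byte cluster: a 1000-byte current file, a zero-filled tail
    of the last sector, then a fragment of an older file that once used the cluster."""
    current = b"A" * 1000
    remnant = b"\x00" * 96 + b"old draft: merger memo v2\n" + b"\x00" * 10
    return (current + remnant).ljust(4096, b"\x00"), 1000, 4096
```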

Alternate Data Streams (ADS)

  • Alternate Data Streams (ADS) are a feature of the NTFS file system that allows storing additional data associated with a file, without modifying the file's main content
  • ADS can be used legitimately for storing file metadata (author, summary) or maliciously for hiding data (malware, stolen information)
  • Each ADS is identified by a unique name and can be of arbitrary size, making it difficult to detect and analyze
  • Forensic examiners must be aware of ADS and use specialized tools to detect and extract data from alternate streams
  • Analyzing ADS can reveal hidden data, malicious activity, or evidence of data exfiltration

File signature analysis

  • File signature analysis involves examining the unique characteristics and patterns of file types to identify and validate files
  • Each file type has a specific structure and may contain identifiable headers, footers, or magic numbers
  • File signature analysis can be used to identify file types independently of file extensions, which can be easily changed or manipulated
  • Forensic examiners use file signature databases and tools to match file signatures and determine the true file type
  • File signature analysis helps in file recovery, malware detection, and identifying disguised or mislabeled files
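As an added example that is not from the original guide: a signature check that compares the type claimed by a file's extension with the type observed from its magic bytes, including a signature that sits at a non-zero offset (ISO BMFF/MP4's `ftyp` at offset 4) and a container shared by several document types (ZIP-based docx/xlsx/jar). The signature table is a small constructed subset; real tools rely on large databases. The sample files are constructed.

```python
import os

# (offset, magic bytes, type). Order matters only where prefixes could overlap.
MAGIC = [
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"%PDF-", "pdf"),
    (0, b"MZ", "pe"),            # Windows executables and DLLs
    (0, b"\x7fELF", "elf"),
    (0, b"PK\x03\x04", "zip"),   # also docx/xlsx/jar: they are ZIP containers
    (4, b"ftyp", "mp4"),         # ISO BMFF: size field first, then 'ftyp'
]

EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
               ".exe": "pe", ".dll": "pe", ".zip": "zip", ".docx": "zip",
               ".xlsx": "zip", ".jar": "zip", ".mp4": "mp4", ".so": "elf"}


def identify(data):
    """Type whose magic matches at its expected offset, or None if nothing matches."""
    for offset, magic, ftype in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return ftype
    return None


def check(name, data):
    """Compare the claimed type (from the extension) with the observed type (from content)."""
    claimed = EXT_TO_TYPE.get(os.path.splitext(name)[1].lower())
    observed = identify(data)
    if observed is None:
        return "unknown"               # no signature in the table; needs manual review
    if claimed is None:
        return "unmapped-extension"    # known content, extension not in the table
    return "match" if claimed == observed else f"mismatch:{claimed}!={observed}"


# Constructed sample headers; only the first bytes matter for the check.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "invoice.pdf": b"MZ\x90\x00\x03",             # executable content behind a document name
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42",
    "report.docx": b"PK\x03\x04\x14\x00",
    "notes.txt": b"just text",
    "blob.bin": b"\x7fELF\x02\x01\x01",
}


def scan(samples=SAMPLES):
    """Run the check over every sample and return {name: verdict}."""
    return {name: check(name, data) for name, data in samples.items()}
```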

File system forensic artifacts

  • File system forensic artifacts are pieces of data or metadata that provide valuable information about file system activity, user actions, and system events
  • These artifacts can be used to reconstruct timelines, establish user behavior, and identify suspicious or malicious activities
  • Understanding and analyzing file system forensic artifacts is crucial for conducting thorough and effective forensic investigations

Recently accessed files

  • Operating systems and applications often maintain records of recently accessed or opened files for user convenience and performance
  • Examples: Windows Registry (RecentDocs, UserAssist), macOS (Recent Items, .plist files), and application-specific recent file lists
  • Recently accessed file artifacts can provide insights into user activity, file access patterns, and application usage
  • Analyzing these artifacts can help establish a timeline of events, identify relevant files, and uncover user actions
  • Forensic examiners should be aware of the locations and formats of recently accessed file artifacts across different operating systems and applications

Jump lists and link files

  • Jump lists and link files are Windows features that provide quick access to recently used files and directories
  • Jump lists are application-specific and store information about recently opened files, directories, and application-specific tasks
  • Link files (.lnk) are shortcut files that contain metadata about the target file (path, timestamps, file attributes)
  • Analyzing jump lists and link files can reveal user activity, file access history, and the original location of files
  • These artifacts can persist even after the original files have been deleted or moved, providing valuable forensic evidence
  • Forensic examiners can parse jump lists and link files using specialized tools to extract metadata and reconstruct user activity

Prefetch and superfetch files

  • Prefetch and superfetch are Windows features that improve system performance by preloading frequently used applications and data into memory
  • Prefetch files (.pf) store information about application execution, including timestamps, file paths, and run count
  • Superfetch files (AgAppLaunch.db, AgGlFaultHistory.db) store information about application and file usage patterns
  • Analyzing prefetch and superfetch files can provide insights into application execution history, file access patterns, and system usage
  • These artifacts can help establish a timeline of application and file usage, identify frequently used programs, and detect anomalous behavior
  • Forensic examiners can parse prefetch and superfetch files using specialized tools to extract relevant information and metadata

Volume Shadow Copies

  • Volume Shadow Copies (VSCs) are a Windows feature that allows creating point-in-time snapshots of file system volumes
  • VSCs are typically used for system restore, backup, and versioning purposes
  • Each VSC contains a snapshot of the file system at a specific point in time, including deleted and modified files
  • Analyzing VSCs can provide access to historical data, deleted files, and previous versions of modified files
  • VSCs can be a valuable source of forensic evidence, as they may contain data that has been deleted or overwritten on the main file system
  • Forensic examiners can mount and analyze VSCs using specialized tools to recover deleted files, compare file versions, and investigate historical file system activity

Anti-forensic techniques

  • Anti-forensic techniques are methods used by adversaries to conceal, destroy, or manipulate digital evidence to hinder forensic investigations
  • Understanding common anti-forensic techniques is essential for forensic examiners to recognize and counteract attempts to obstruct or mislead investigations
  • Anti-forensic techniques can target various aspects of digital evidence (data, metadata, timestamps, log files)

File wiping and shredding

  • File wiping and shredding techniques aim to securely delete files by overwriting the data with random or predefined patterns
  • Simple deletion only removes the file's metadata, while wiping overwrites the actual file data, making recovery more difficult
  • Examples: SDelete, Eraser, Freeraser
  • File wiping can be done multiple times using different patterns to ensure thorough data destruction
  • Forensic examiners should be aware of file wiping artifacts (overwritten data patterns, wiping tool traces) and use specialized techniques (magnetic force microscopy) to potentially recover wiped data

Timestamp manipulation

  • Timestamp manipulation involves altering the creation, modification, or access times of files and directories to conceal or mislead forensic analysis
  • Adversaries may modify timestamps to hide their activities, create false alibis, or implicate innocent parties
  • Techniques include changing system time, directly modifying file system metadata, or using specialized tools (Timestomp)
  • Detecting timestamp manipulation can be challenging, but inconsistencies and anomalies in timestamp patterns may indicate tampering
  • Forensic examiners should cross-reference timestamps from multiple sources (file system, log files, network activity) to identify discrepancies and manipulation attempts
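Two of the detection ideas above as an added example, not from the original guide: over constructed NTFS-style records and a constructed file-audit log, it flags (a) timestamps whose sub-second component is exactly zero, a common artifact of tools that write times with only second granularity, and (b) creation times that disagree with the first CREATE event logged for the same path. The file paths, tick values and log lines are all constructed; the FILETIME conversion is the standard 100-nanosecond count since 1601.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)


def ft_to_dt(ft):
    """FILETIME ticks (100 ns since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_ft(dt):
    """Aware datetime back to FILETIME ticks."""
    d = dt.astimezone(UTC) - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def ticks(*fields):
    """Helper for building constructed records from (year, month, day, h, m, s[, us])."""
    return dt_to_ft(datetime(*fields, tzinfo=UTC))


# Constructed records. good.txt carries ordinary, irregular tick values; stomped.exe
# has both times set to a whole second years before the log says it appeared.
FILES = {
    r"C:\Users\alice\good.txt": {"created": ticks(2024, 3, 15, 12, 34, 56, 123456) + 7,
                                 "modified": ticks(2024, 3, 15, 12, 40, 1, 5000) + 3},
    r"C:\Users\alice\stomped.exe": {"created": ticks(2019, 1, 1, 0, 0, 0),
                                    "modified": ticks(2019, 1, 1, 0, 0, 0)},
}

# Constructed audit-log export: ISO-8601 UTC timestamp, action, path.
LOG = """2024-03-15T12:34:56Z CREATE C:\\Users\\alice\\good.txt
2024-03-15T13:02:10Z CREATE C:\\Users\\alice\\stomped.exe
"""


def parse_log(text):
    """Map each path to the earliest CREATE event recorded for it."""
    first = {}
    for line in text.splitlines():
        ts, action, path = line.split(" ", 2)
        if action == "CREATE":
            first.setdefault(path, datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return first


def find_anomalies(files=FILES, log=LOG, tolerance=timedelta(seconds=2)):
    """Return (path, field, reason) for every suspicious timestamp."""
    first_create = parse_log(log)
    findings = []
    for path, ts in files.items():
        for field, ft in ts.items():
            if ft % 10_000_000 == 0:
                findings.append((path, field, "zero-subsecond"))
        logged = first_create.get(path)
        if logged is not None and abs(ft_to_dt(ts["created"]) - logged) > tolerance:
            findings.append((path, "created", f"log-conflict:{logged.isoformat()}"))
    return findings
```

A zero sub-second value on its own is weak evidence (files restored from some archives look the same), so the log cross-check is what turns it into a finding.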

Data hiding techniques

  • Data hiding techniques involve concealing sensitive or incriminating data to evade detection during forensic investigations
  • Examples: Steganography (embedding data in images, audio, or video files), alternate data streams (ADS), and file system slack space
  • Adversaries may use data hiding techniques to store and transfer confidential information, malware, or stolen data
  • Detecting hidden data requires specialized tools and techniques (steganalysis, ADS scanning, slack space analysis)
  • Forensic examiners should be aware of common data hiding methods and actively search for hidden data in relevant file types and locations

Encryption and steganography

  • Encryption is the process of converting plaintext data into an unreadable format (ciphertext) using cryptographic algorithms and keys
  • Adversaries may use encryption to protect sensitive data, conceal criminal activities, or secure communication channels
  • Strong encryption (AES, RSA) can make data recovery and analysis extremely difficult without the proper decryption keys
  • Steganography involves hiding data within other data (images, audio, video) to avoid detection
  • Steganographic techniques can be used to conceal confidential information, malware payloads, or command and control communication
  • Forensic examiners should be familiar with encryption and steganography methods, and use specialized tools (password crackers, steganalysis) to detect and extract hidden data when possible

Legal considerations

  • Legal considerations are crucial in network security and forensics to ensure the admissibility of digital evidence in court proceedings
  • Forensic examiners must adhere to legal requirements, maintain the integrity of evidence, and follow proper procedures throughout the investigation
  • Failure to comply with legal standards can result in evidence being deemed inadmissible, compromising the outcome of a case

Chain of custody

  • Chain of custody refers to the documented trail of the handling, transfer, and storage of digital evidence from the point of collection to presentation in court
  • Maintaining a proper chain of custody ensures the integrity and authenticity of the evidence, demonstrating that it has not been altered or tampered with
  • Forensic examin
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.