>> After acquiring and preserving the pertinent evidence, we move on to analyzing Windows images.
As mentioned earlier, forensic analysis tools usually bypass the operating system's normal operations to show you deleted content and other data that is typically inaccessible.
In this video, we will review Windows file system basics to help you understand how forensic analysis tools are able to retrieve data that is typically inaccessible to normal users.
In a Windows system, the smallest unit of storage is called a cluster, which is equivalent to a block in Linux/UNIX systems.
When a cluster is reused but not filled completely, Windows does not overwrite the unused portion. This space inside a cluster is called slack space.
Forensic investigators care about slack space because it can contain deleted data that can be crucial evidence for investigations.
However, in Linux/UNIX file systems, the unused portion of the block is usually filled with zeros.
When a file system is stored on a partition, the partition will have an organized structure for the operating system to store files and for users to access them by name and location.
The process of turning a partition into a recognizable file system is called file system formatting.
Windows file systems include FAT 12, FAT 16, FAT 32, exFAT, NTFS, and the newest, ReFS.
In this class, I will focus on the basics of the FAT and NTFS file systems and explain how forensic tools access the basic file system structure to identify information.
The FAT file system was developed in 1977 based on Bill Gates' idea.
FAT 12 was originally designed for floppy disks; FAT 16, FAT 32, and exFAT are still commonly used for USB flash drives, SD cards, and hard drives.
A FAT file system starts with a boot record, followed by the file allocation table, FAT for short, then the root directory and finally the data area.
Here I used EnCase's disk view feature to show you the disk layout of a FAT 12 system.
In this picture, each square represents a sector of 512 bytes.
The first sector, in red, is the boot record, followed by the primary FAT and then the backup FAT.
The green sectors store the root directory content.
The blue sectors are currently used by files and directories.
The gray sectors are not in use at this moment.
The data in these gray sectors come from previous files or directories.
The boot record, the first sector of a FAT 12 or FAT 16 volume, defines the cluster size, the number of sectors per FAT, and the maximum number of entries in the root directory.
It may also contain a boot program if the partition is bootable.
The file allocation table is the key component of a FAT system.
The FAT is a lookup table that tells which cluster comes next.
To locate a file's data content given a filename, we only need to know the first cluster's address, then use the FAT to find the rest of the cluster addresses.
The number after FAT defines the number of bits used for a cluster's address.
For a FAT 16 file system, each table cell is 16 bits representing the cluster's address, while a FAT 32 file system uses 32 bits for the cluster's address.
Therefore, the maximum number of clusters that a FAT 16 file system can have is 2 to the 16th power.
Each table cell has its own address, and its content is the address of the next cluster if the file uses more than one cluster.
If the cluster is the last cluster for this file, its content will always be all ones in hex.
If a cluster is currently not in use, its content is all zero.
A bad cluster always contains hex FFF7.
Now, if we can find the address of the first cluster assigned to the given filename, we will have all the pieces to map the filename to its data content.
This information actually resides in the file's parent directory.
The Windows root directory typically follows immediately after the FATs.
Each directory entry representing a file or subdirectory in the current directory is 32 bytes long.
It contains the filename and extension, the entry type, either a directory or a file, the address of the first data cluster at bytes 26 and 27, the length of the file at bytes 28 and 29, and date and time.
Here is the process to locate a file in a FAT system.
Starting from the Windows root directory, find a directory entry whose filename matches the subdirectory's or the file's name.
In this directory entry, find its first cluster at bytes 26 and 27, then use the FAT to get the chain of clusters for this subdirectory or file.
If this is a subdirectory, repeat this process using the subdirectory's content until you reach the file's content.
This unit includes a video that shows you how to find this information in a FAT 16 system.
What happens to a deleted file in a FAT file system?
When a file is deleted, the system replaces the first character of the filename with the hex code E5 and unallocates the file's clusters in the FAT table.
The Windows system does not remove the contents of that file until the cluster is used or overwritten by new files.
If the directory entry information is available, we can still find the first cluster of the file.
To recover folders in a FAT partition, a forensic analysis tool usually searches through unallocated clusters.
If a dot and a dot dot are found in a cluster, it is very likely that you'll find an old directory or a portion of a directory, since each directory contains just those two subdirectories.
People usually sanitize disks by performing a formatting process before returning or recycling disks.
However, there are two types of formatting in Windows: quick formatting and full formatting.
If you perform a quick format, this process will zero out both the root directory entries and the file allocation table entries.
The data area is not touched.
If you use a forensic analysis tool to recover folders, you will find a lot of information on this partition.
If you bought a used disk from eBay years ago, it was likely the partition was quick formatted.
Nowadays, used disks from eBay use a full format.
A full format will check for bad sectors and then write either the hex character F6 or zeros through the whole disk, leaving no evidence behind.
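As an added example, not part of the lecture, here is a small Python walk-through of the structures described above: it decodes a 32-byte FAT directory entry (first cluster at bytes 26 and 27, little endian; the size is read as the 4-byte field at bytes 28 through 31, which is an assumption beyond the two bytes the lecture mentions) and follows a FAT 16 chain until the end-of-chain marker. The FAT table and the two directory entries are constructed for illustration, including a deleted entry whose first byte is E5 and whose clusters have already been unallocated.

```python
import struct

# Constructed FAT 16 table (one 16-bit little-endian cell per cluster), made up for this example.
# Cells 0 and 1 are reserved. A live file chains 2 -> 3 -> 5 -> end-of-chain (0xFFFF);
# cluster 4 is free (0x0000), cluster 6 is marked bad (0xFFF7), cluster 7 is free (unallocated).
FAT16 = struct.pack("<8H", 0xFFF8, 0xFFFF, 0x0003, 0x0005, 0x0000, 0xFFFF, 0xFFF7, 0x0000)

# Constructed 32-byte root directory entries: 8.3 name (bytes 0-10), attribute (byte 11),
# 14 reserved/date/time bytes, first cluster at bytes 26-27, file size at bytes 28-31.
# FILE1.TXT is deleted: its first byte has been replaced with 0xE5.
LIVE_ENTRY = b"FILE4   JPG" + bytes([0x20]) + bytes(14) + struct.pack("<HI", 2, 1500)
DELETED_ENTRY = bytes([0xE5]) + b"ILE1   TXT" + bytes([0x20]) + bytes(14) + struct.pack("<HI", 7, 100)


def fat16_cell(fat: bytes, cluster: int) -> int:
    """Read the FAT cell for a cluster; each cell is 2 bytes, little endian."""
    return struct.unpack_from("<H", fat, cluster * 2)[0]


def cluster_chain(fat: bytes, first: int) -> list:
    """Follow the FAT from the first cluster. A cell >= 0xFFF8 is end-of-chain,
    0xFFF7 is a bad cluster and 0x0000 is a free cluster; a free cell right after
    the first cluster is what a deleted (unallocated) file looks like."""
    chain, cur = [], first
    while 2 <= cur < len(fat) // 2 and cur not in chain:  # stay inside the table, avoid loops
        chain.append(cur)
        nxt = fat16_cell(fat, cur)
        if nxt >= 0xFFF8 or nxt in (0xFFF7, 0x0000):
            break
        cur = nxt
    return chain


def parse_dir_entry(entry: bytes) -> dict:
    """Decode one 32-byte FAT directory entry using the byte offsets from the lecture."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    deleted = entry[0] == 0xE5
    # The original first character is lost on deletion; show a "_" placeholder instead.
    raw = (b"_" + entry[1:11]) if deleted else entry[:11]
    name = raw[:8].decode("ascii", "replace").rstrip()
    ext = raw[8:].decode("ascii", "replace").rstrip()
    first_cluster = struct.unpack_from("<H", entry, 26)[0]  # bytes 26-27, little endian
    size = struct.unpack_from("<I", entry, 28)[0]           # bytes 28-31, little endian
    return {"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
            "is_dir": bool(entry[11] & 0x10), "first_cluster": first_cluster, "size": size}


if __name__ == "__main__":
    for raw_entry in (LIVE_ENTRY, DELETED_ENTRY):
        info = parse_dir_entry(raw_entry)
        print(info, "clusters:", cluster_chain(FAT16, info["first_cluster"]))
```

Running it shows FILE4.JPG chained through clusters 2, 3 and 5, while the deleted entry still names cluster 7 but the FAT cell there is already zero, so only the first cluster can be located from the entry.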
>> EnCase Forensic is a fantastic tool for forensic analysis.
In this demo, I only want to show you how we use EnCase to visually see the file systems we covered in the lecture, for example the FAT system and NTFS.
So, in this demo I want to show you the FAT system, how we visually see what components are inside the FAT system.
I have already prepared a case called case one, and then I move on to the evidence.
In this case, I have a couple of images loaded into this forensic case, but the first image is a FAT 12 system, so I open it up.
Don't worry about the EnCase GUI interface and all that; we will discuss this in detail later.
But in this demo, I only want to focus on how to study the system.
So, this is the tree structure here, and first let's move on to the disk view.
If you recall, I used the disk view before to show you how to see a master boot record.
But now I look at the disk view of this image, and again, this image is a FAT 12 image.
Okay, and you can see the first one is red, okay, that's the first sector, it's a boot record.
And then following this one, if I click one, this is all, this is the FAT table, and the two is the backup, the backup of the FAT table.
So, FAT 1 and the backup FAT table.
The green ones, those are the content of the root directory.
So, all root directory content is in these green boxes; each box is 512 bytes.
And then the blue ones, those are currently allocated data sectors.
And then the grey ones are currently not in use; it's just historical data, garbage, nothing, okay.
Now let's move on to examine the root directory.
If you recall from this week's lecture, you know what a directory's content is for.
Basically, it is for a file residing in this directory or a separate directory residing in this directory.
Each entry uses 32 bytes to contain information including the file name and extension, what type the file is, either directory or file, and what the first cluster's address is, which is important, right.
And also, the length of the file and then date and time.
So, each entry uses 32 bytes to represent one entry.
Now we look at the content here, because now I click on the green one, click on the green to look at the root directory, and then I change that to hex view.
Okay, so if you look at the offset you see I have actually adjusted the pane to be 32 bytes long for each line, because it's from 00 to 31, and this is the start from 32.
So, each line is 32 bytes, which means I line up correctly, so each line represents one entry in this directory, one entry.
So, for example, the second line here is called file four.
Now you can see that the first 12, first 11 bytes are the filename, followed by other information.
We said the first cluster information resides in bytes 26 and 27, which is this one, bytes 26 and 27.
And since this is little endian, you have to really swap those two bytes, so it reads as 0002.
It means the first cluster is 0002, and once the FAT gets this first cluster for this file, then it will use the FAT table to represent, to find the chain of other clusters.
So here is the first cluster information; it's very important.
And when you get a chance to use EnCase, if you want to practice this exercise, make sure here each line is 32 bytes; that's critical.
And also, in the class I talked about the file: if in FAT 2 -- if in the FAT system the file is deleted, the file name's first character changes to E5.
So, if you see the file's name starts with E5, like for example File1, this is deleted, okay.
You will see many of those E5 files; those are all deleted files, the first character of the filename changed to E5.
So, you will see the whole content of this root directory, because every file starts from the root directory, you will see the whole content of the root directory.
Okay, now let's go back to the evidence here.
If I look at here, okay.
If I choose one folder, let's see if I choose this folder.
No, this folder has nothing.
If I choose a folder here, now you can see which folder I chose; I chose that fseventst folder, okay, that one you see the content.
See, this is the folder and the content has the dot and the dot dot.
And this is the way EnCase or other forensic tools recover a deleted folder, because they just look at the content, and if they find the dot and the dot dot, those are the ones that mean there is content, then they assume, oh, this might be a directory, because a directory always has those two entries in there.
Now, previously, when we looked at the root directory view we analyzed a file; it's in the second line, right, this is file four, which has a first cluster of 00, first cluster number is 0002.
Let's see if that's correct, whether this file four's starting cluster number is 0002.
So, we go back here and find file four, so look for file four; actually there's a picture, and then EnCase very smartly shows you the picture view already.
And if we look at the hex and then you look at the bottom, this says this is file four.
And then here CL means cluster, so the starting cluster is cluster number two, so that also matches what we saw from the file four entry.
Okay, that's it for this video.
Reposted from: https://www.cnblogs.com/sec875/articles/10015689.html