What is File Slack?

This article looks at file slack: what it is, where it is, how to find it, and it includes a video guide showing how to view this data in EnCase 6.10.

Requirements

To understand file slack, one must first understand the basic concepts of clusters and sectors.

This article assumes the reader understands these concepts. It also assumes that the hardware under consideration is a standard Windows hard drive, with a sector size of 512 bytes and a cluster size of 8 sectors.

Clusters and Sectors

Hard drives address sectors, but the operating system can only address clusters. This means that files are stored on a hard drive in units of clusters, not sectors.

Examples:

A 5000 byte file takes up 9 sectors; however, the operating system will allocate the file 2 clusters (16 sectors), as it does not fit into 1 cluster. 2 clusters is 8 KB.

A 2500 byte file will fit into 5 sectors; however, the operating system will allocate the file 1 full cluster (8 sectors), which is 4 KB.

A file which is 10,000 bytes will be allocated 12 KB – 3 clusters.

Different Sizes

From this it can be seen that a file has two different sizes: the logical file size (the actual size of the file) and the physical file size (the space given to the file on the hard drive).

The physical file size is always greater than or equal to the logical file size (ignoring resident data for the moment).

File Slack

File slack is the difference between the physical file size and logical file size.

E.g. for a 5000 byte file, which is given 2 clusters (8192 bytes), the file slack will be 8192 – 5000, which is 3192 bytes. The file slack should always be less than 1 cluster (4096 bytes).

As file slack is literally the space on the hard drive between the logical and physical file size, anything that was in that space before becomes file slack. Because a new file is created by overwriting unallocated space (even if that means a file was deleted immediately before the request to write), file slack is essentially old fragments of unallocated file space (RAM slack is not being discussed at this point).

This means that file slack can contain anything at all, from fragments of web pages, emails and even complete small pictures, to junk text. It is more often than not the latter; however, complete EML files and thumbnail pictures have been recovered from slack that can prove an entire case.
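The arithmetic above, and the carving of slack from a raw image, as an added worked example (this is not code from the original article). It uses the article's assumptions of 512-byte sectors and 8-sector clusters; the "disk image", the e-mail fragment in it and the 5000-byte file written over it are all constructed in-line so the script runs offline.

```python
# Added example (not from the original article): computing and carving file
# slack under the article's assumptions of 512-byte sectors and 8-sector
# clusters. The "disk image" is constructed in-line, not read from a drive.
SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER   # 4096 bytes


def allocation(logical_size: int) -> dict:
    """Sectors needed, clusters allocated, physical size and slack for a file."""
    if logical_size < 0:
        raise ValueError("logical size cannot be negative")
    sectors_needed = -(-logical_size // SECTOR_SIZE)        # ceiling division
    clusters_allocated = -(-logical_size // CLUSTER_SIZE)
    physical_size = clusters_allocated * CLUSTER_SIZE
    return {
        "logical_size": logical_size,
        "sectors_needed": sectors_needed,
        "clusters_allocated": clusters_allocated,
        "physical_size": physical_size,
        "file_slack": physical_size - logical_size,          # always < CLUSTER_SIZE
    }


def carve_file_slack(image: bytes, first_cluster: int, logical_size: int) -> bytes:
    """Bytes between the logical end of a contiguous file and the end of its
    last allocated cluster: the file slack an examiner would look at."""
    start = first_cluster * CLUSTER_SIZE
    end = start + allocation(logical_size)["physical_size"]
    if end > len(image):
        raise ValueError("file extends past the end of the image")
    return image[start + logical_size:end]


def build_demo_image() -> bytes:
    """Constructed image: clusters 0-1 once held an e-mail fragment; a 5000-byte
    file was then written over the same two clusters (now allocated to it)."""
    old_content = b"From: alice@example.invalid\r\nSubject: old message\r\n" * 200
    image = bytearray(old_content[: 2 * CLUSTER_SIZE])     # exactly 8192 bytes
    image[0:5000] = b"N" * 5000                             # the new file's data
    return bytes(image)


if __name__ == "__main__":
    for size in (5000, 2500, 10000):
        print(allocation(size))
    slack = carve_file_slack(build_demo_image(), first_cluster=0, logical_size=5000)
    print(len(slack), "bytes of slack; first 60:", slack[:60])
```

Running it shows the 5000-byte file leaving 3192 bytes of slack, and the carved slack contains the old e-mail headers rather than the new file's data. On a real NTFS volume the starting cluster and logical size would come from the file's MFT entry, and a fragmented file has slack only after its last cluster run.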

Below is a video showing file slack, using EnCase 6.10. EnCase is better at viewing this type of data than FTK.

Video: Locating MFT from Volume Boot

Below is a guide on trying to locate the MFT (Master File Table) and MFT Mirror, from the Volume Boot/Boot Sector/BPB

Video – Locating the First Partition from the MBR

Following on from the articles on the MBR and the MBR Partition Information, and the video showing a general examination of the MBR, below is a video showing how the location of the first partition can be extracted from a manual examination of the MBR.

Video: The MBR

Following on from the previous articles on the MBR, and the MBR Partition Tables,   and a video on how to identify the first partition from the MBR, below is a video showing the MBR via EnCase.

MBR (NTFS) Partition Table Entry

In the previous example, the MBR from a drive with only one partition was demonstrated. So where is the information stored if there are multiple partitions?

The information is stored in the remaining bytes within the MBR – from 462 to 510, i.e. all of the partition information is from 446 to 510 – a total of 64 bytes. The final two bytes (511 and 512) in the MBR are the “magic numbers”. (Remember that the MBR is 1 sector, which is 512 bytes.)

Below is the location of the partition information within the MBR. Attached is the same information about the MBR in PDF format.

Partition Table #1

Offset (within MBR)   Information                     Length
446                   Active (80=Active)              1
450                   Partition Type                  1
454                   Sectors Preceding Partition 1   4
458                   Sectors in Partition 1          4

Partition Table #2

Offset (within MBR)   Information                     Length
462                   Active (80=Active)              1
466                   Partition Type                  1
470                   Sectors Preceding Partition 2   4
474                   Sectors in Partition 2          4

Partition Table #3

Offset (within MBR)   Information                     Length
478                   Active (80=Active)              1
482                   Partition Type                  1
486                   Sectors Preceding Partition 3   4
490                   Sectors in Partition 3          4

Partition Table #4

Offset (within MBR)   Information                     Length
494                   Active (80=Active)              1
498                   Partition Type                  1
502                   Sectors Preceding Partition 4   4
506                   Sectors in Partition 4          4

File Systems: MBR (NTFS)

Attached is the MBR, Master Boot Record, taken from a 500 GB drive, formatted in NTFS, with a single partition, running Windows XP.

The first 440 bytes, from offset 0 to offset 439, contain the Master Bootstrap Loader Code. In this case it starts 33 C0 BE.

At offset 440, for a length of 4 bytes, is the Windows Disk Signature. In this example it is 2AD42AD4. This is unique to a drive, and can be considered a forensic artifact.

At offset 446, for a length of 1, is a value which states whether the partition (whose location is given shortly) is active or not; in this case the value is set to 80, which means it is active.

At offset 450, for a length of 1, is the partition type indicator, i.e. it tells the computer whether it should expect an NTFS partition, FAT32, or the like. Each partition type has its own unique number; in this case it is 07.

At offset 454, for a length of 4, is the number of sectors preceding the start of partition 1, i.e. the location of the first partition. In this example (and most “standard” drives) the value is 3F, which is 63 in decimal. This means that the partition starts at sector 63 (as the first sector is 0).

At offset 458, for a length of 4, is the size of the first partition, in sectors. In this example it is 80CE373A. This needs to be converted (the hex value is stored in little endian and needs to be read as big endian), giving the hex value 3A37CE80, which is the decimal value 976735872. This is the size in sectors of the first partition; as each sector is 512 bytes, the total size of the partition is 512*976735872 = 500,088,766,464 bytes, or 465 GB.

Example of MBR with colour coding
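The partition table offsets from the previous post and the walk-through above, as an added worked example in Python (this is not code from the original article). It parses the four 16-byte entries from 446, reads the little-endian fields, and rebuilds the example MBR from the article's own values (disk signature 2AD42AD4, active NTFS partition at sector 63, 80CE373A sectors). The CHS bytes inside each entry are constructed placeholders; the parser ignores them.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446     # first 16-byte entry; 462, 478 and 494 follow
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"     # the "magic number" in the last two bytes


def entry_offset(n: int) -> int:
    """Offset within the MBR of partition table entry n (1-4)."""
    if not 1 <= n <= 4:
        raise ValueError("the MBR holds exactly four partition entries")
    return PARTITION_TABLE_OFFSET + (n - 1) * ENTRY_SIZE


def parse_mbr(mbr: bytes) -> dict:
    """Parse the disk signature and four partition entries from one 512-byte MBR."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55AA not found at offsets 510-511")
    partitions = []
    for n in range(1, 5):
        off = entry_offset(n)
        status = mbr[off]                # 0x80 = active/bootable
        ptype = mbr[off + 4]             # e.g. 0x07 for NTFS
        # Both 4-byte fields are little-endian on disk: 80 CE 37 3A -> 0x3A37CE80
        start_lba, sector_count = struct.unpack_from("<II", mbr, off + 8)
        partitions.append({
            "entry": n,
            "active": status == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "sector_count": sector_count,
            "size_bytes": sector_count * SECTOR_SIZE,
        })
    return {
        # Windows disk signature at 440-443, shown as the bytes appear on disk
        "disk_signature": mbr[440:444].hex().upper(),
        "partitions": partitions,
    }


def build_sample_mbr() -> bytes:
    """Constructed MBR mirroring the article's values: one active NTFS partition
    starting at sector 63, 0x3A37CE80 sectors long, disk signature 2A D4 2A D4."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\x33\xC0\xBE"               # first bootstrap bytes quoted in the article
    mbr[440:444] = bytes.fromhex("2AD42AD4")
    off = entry_offset(1)
    mbr[off] = 0x80                          # active
    mbr[off + 1:off + 4] = b"\x01\x01\x00"   # CHS start: constructed placeholder
    mbr[off + 4] = 0x07                      # NTFS
    mbr[off + 5:off + 8] = b"\xFE\xFF\xFF"   # CHS end: constructed placeholder
    struct.pack_into("<II", mbr, off + 8, 63, 0x3A37CE80)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("disk signature:", info["disk_signature"])
    for p in info["partitions"]:
        if p["sector_count"]:
            print(p, f'{p["size_bytes"] / 2**30:.1f} GiB')
```

The entry offsets it prints (446, 462, 478, 494) are the rows of the four tables above, and the first partition comes out at 976,735,872 sectors, 500,088,766,464 bytes, exactly the conversion worked through in the text. To examine a real drive, pass the first 512 bytes of the raw device or image to parse_mbr.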


File Systems: MBR and Volume Boot Record (Basic)

On a standard hard drive (with a sector size of 512), the first sector, Sector 0, is known as the MBR, the Master Boot Record.

The MBR contains 4 entries about the locations and types of the logical partitions (e.g. NTFS, FAT) on that physical hard drive, one of which is “active”, and a small piece of code (446 bytes) called the primary bootloader. The bootloader is 446 bytes long and the information describing the partitions is 64 bytes long (total 510 bytes). The final two bytes of the first sector, sometimes known as the “magic number”, are the hex value 55AA.

The MBR tells the computer the location and nature of the first active partition, which is commonly at Sector 63.

The first sector in a partition – which the MBR points to – is known as the volume boot sector, boot block, volume boot record or by some companies as the “BPB”, and contains information about the partition, including:

  • Block size
  • Size of the partition (size in blocks)
  • The volume serial number
  • The type of partition (e.g NTFS/FAT, etc)
  • Where the MFT is (if it is NTFS)
  • Where the MFT Mirror is (if it is NTFS)
  • Location of the NTLDR or NTLoader (discussed later) – normally straight after, at sector 64.

The last sector of the partition is a mirror of the volume boot sector, and can be used for data recovery purposes.

As Sectors 1 to 62 are not used, they are often blank; however, manufacturers like HP and Dell sometimes write information about the machine in there, e.g. serial numbers, model, etc. These could, in theory, be relevant forensic artifacts.

A good resource on the MFT, and NTFS in general, is the book File System Forensic Analysis.
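How the volume boot sector fields listed above are turned into an on-disk location for the MFT and MFT Mirror, as an added example in Python (not code from the original article). The field offsets used (bytes per sector at 0x0B, sectors per cluster at 0x0D, total sectors at 0x28, $MFT and $MFTMirr cluster numbers at 0x30 and 0x38, MFT record size at 0x40, volume serial at 0x48) are those of the NTFS boot sector layout, which the article does not spell out; the sample boot sector, its serial number and its mirror location are constructed values, and the partition start of sector 63 is the one the article uses.

```python
import struct

SECTOR_SIZE = 512


def parse_ntfs_boot_sector(vbr: bytes, partition_start_lba: int) -> dict:
    """Pull the fields needed to locate the MFT and MFT Mirror out of an NTFS
    volume boot sector. Offsets follow the NTFS BPB / extended BPB layout."""
    if len(vbr) != SECTOR_SIZE or vbr[510:512] != b"\x55\xAA":
        raise ValueError("expected one 512-byte boot sector ending in 55AA")
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    total_sectors, mft_cluster, mft_mirror_cluster = struct.unpack_from("<QQQ", vbr, 0x28)
    (clusters_per_record,) = struct.unpack_from("<b", vbr, 0x40)    # signed byte
    (volume_serial,) = struct.unpack_from("<Q", vbr, 0x48)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value n means each MFT record is 2**(-n) bytes (0xF6 = -10 -> 1024).
    if clusters_per_record < 0:
        mft_record_size = 2 ** (-clusters_per_record)
    else:
        mft_record_size = clusters_per_record * cluster_size

    def cluster_to_lba(cluster: int) -> int:
        # volume-relative cluster number -> absolute sector on the physical disk
        return partition_start_lba + cluster * sectors_per_cluster

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "volume_serial": f"{volume_serial:016X}",
        "mft_record_size": mft_record_size,
        "mft_cluster": mft_cluster,
        "mft_lba": cluster_to_lba(mft_cluster),
        "mft_disk_offset": cluster_to_lba(mft_cluster) * bytes_per_sector,
        "mft_mirror_cluster": mft_mirror_cluster,
        "mft_mirror_lba": cluster_to_lba(mft_mirror_cluster),
    }


def backup_boot_sector_lba(partition_start_lba: int, partition_sectors: int) -> int:
    """The last sector of the partition, where NTFS keeps its copy of the boot sector."""
    return partition_start_lba + partition_sectors - 1


def build_sample_vbr() -> bytes:
    """Constructed NTFS boot sector: 512-byte sectors, 8 sectors per cluster,
    $MFT at cluster 0xC0000, 1024-byte MFT records. All values are illustrative."""
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"                 # jump instruction
    vbr[3:11] = b"NTFS    "                    # OEM ID
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)
    vbr[0x15] = 0xF8                           # media descriptor: fixed disk
    struct.pack_into("<QQQ", vbr, 0x28, 976735871, 0xC0000, 0x3A37CE8)
    vbr[0x40] = 0xF6                           # -10 -> 1024-byte MFT records
    vbr[0x44] = 0x01                           # clusters per index buffer
    struct.pack_into("<Q", vbr, 0x48, 0x1A2B3C4D5E6F7081)   # constructed serial
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_sample_vbr(), partition_start_lba=63)
    for k, v in info.items():
        print(f"{k:>20}: {v}")
    print("backup boot sector at LBA", backup_boot_sector_lba(63, 976735872))
```

With the partition at sector 63 and $MFT at cluster 0xC0000, the MFT lands at sector 6,291,519 of the physical disk; that is the number to jump to in a hex viewer or disk editor. The same routine applied to the sector returned by backup_boot_sector_lba should give identical fields, which is a quick check that the mirror copy mentioned above is intact.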


File System: MFT Entries (Basic)

The MFT, as previously stated, is the primary file in the NTFS file system. This file points to the locations of the other files on the computer.

Within the MFT are “entries”; each entry contains information about the file it points to, including:

File name, file size, dates about the file – Created, Modified, Written and Accessed – and the location of the data of the file. Typically an MFT entry is 1024 bytes in size, or two sectors, and starts with “FILE0” or “FILE*”, with the information following that.

The first 16 MFT entries within the MFT are reserved, as they point to key NTFS artefacts; these include $BitMap and $Log. The first entry of the MFT is $MFT, which describes the MFT itself. This may seem odd, but it needs to be done. Everything within NTFS is a “file”, so the MFT, which contains all the information about files, e.g. Word documents and emails, is also a file. Therefore the MFT has an entry within itself that describes its size, location, etc. The second entry within the MFT is the $Mirror. The MFT Mirror is a backup of the first 16 MFT entries, stored just in case there is a problem with the primary MFT entries.

A more detailed article on the MFT entries will follow.

A good resource on the MFT, and NTFS in general, is the book File System Forensic Analysis.

RAIDs: Introduction

RAID – Redundant Array of Independent Drives or Redundant Array of Inexpensive Drives.

A RAID is a method of storing data that uses more than one disk to appear as a single disk.  There are several different types of RAID which utilize multiple disks in different ways. By arranging the disks in different ways different RAIDs have different benefits, including:

  • Increasing the size of storage
  • Increasing speed of the storage media
  • Increasing the resilience/reliability of the storage


How are RAIDs connected to a computer?

There are a variety of different ways of building a RAID and attaching it to a computer, but they fall into two main categories – Software RAIDs and Hardware RAIDs.

Hardware RAID: A hardware RAID is a dedicated unit that the hard drives are placed into. This unit then attaches to a computer (normally a server) via one of several connections (normally SCSI or Fibre). The RAID unit then “presents” the array to the computer as a single drive. For example, the RAID unit may have 8 hard drives in it, e.g. 500 GB each, but the computer would only see 1*4 TB (terabyte) drive, as the RAID has combined 8*500 GB drives to form one 4000 GB/4 TB drive. The computer does not know, or care, that there are actually 8 drives; it sees 1 logical unit presented by the RAID.

Software RAID

A software RAID is where a host computer does all the work of converting multiple drives into a RAID. For example, a user can place multiple drives into a Windows XP Pro computer, and then request that Windows combine them together using the Dynamic Disk function. The net result is that the user is presented with a “volume” that can consist of multiple drives.

To the end user the software and hardware RAID may appear the same, i.e. multiple drives are taken and presented as a single drive. The difference is cost and reliability. A dedicated RAID unit, without any drives, can easily cost over £2,000 just for an 8 drive bay with a SCSI connector. This is a dedicated unit that will handle all the requests in relation to the RAID; it can manage the volumes, record activities on the RAID, and alert the administrator to errors. A software RAID, such as the Windows one mentioned above, will run on any hardware as long as Windows XP is installed, but it is simply not at the same level of performance. For home use, a software RAID is perfectly fine. For business, a dedicated RAID is normally required for speed and reliability.

Types of RAID

The drives in a RAID can be arranged in several different manners; however, the three main ways in which they are used are as follows:

RAID 0 – This is also known as a “stripe” and takes a minimum of two disks to work. This spreads the data across the drives, e.g. 2*250 GB hard drives would appear as 1*500 GB hard drive. If multiple reads and writes are occurring at the same time – e.g. two people accessing different files – then a stripe will be faster to access than a single hard drive. This is because the data can be accessed from multiple locations at the same time, i.e. there are two heads reading at the same time rather than one. However, there is no “redundancy” in a RAID 0. Therefore if one drive fails, all of the data could be lost.

RAID 1 – This is also known as a “mirror” and takes a minimum of two disks to work. This is the simplest of RAIDs to understand: for every disk in the RAID another disk is an exact mirror, e.g. if there are 2*500 GB hard drives, the RAID unit presents just 1*250 GB hard drive. The other is not “seen” by the user, but it constantly replicates the primary disk. This means that if one hard drive fails, the other one will take over; it is quite possible that an end user would not be aware that a hard drive had failed and could continue working as normal. While a mirror is highly resilient, it is inefficient in its use of media, as there is 100% redundancy.

RAID 5 – This requires a minimum of 3 disks. It has the benefits of both RAID 0 and RAID 1, with fewer of the disadvantages. In a RAID 5 the data is spread across the disks, with one drive's worth of capacity acting as a “spare”. This means there is increased size, increased speed, and increased redundancy.

For example, a RAID unit with 8*500 GB disks in a RAID 5 array would present a single 3500 GB (3.5 TB) volume to the host computer (7*500). One of the 500 GB drives does not count towards the volume size, as it provides redundancy. However, and this is where RAID 5 is very clever, the spare data is not stored on a single hard drive (it could not work that way); rather it is spread evenly across all of the drives, taking up a total of 1 drive's worth of space in the unit. This means that if any one drive in the RAID 5 fails, the system can continue without any noticeable effect to the user (though, depending on the RAID, access times may decrease). RAID 5 achieves this by using something called “parity”; this is a more detailed topic and will be covered later this month.
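The capacity rules for the three levels, and the "spare data spread across all drives" idea behind RAID 5, as an added example in Python (not code from the original article, and not how any particular RAID controller lays data out). It computes the presented capacity, stripes a constructed byte string across N simulated disks with the parity chunk rotating from stripe to stripe, and rebuilds whichever disk is removed by XORing the survivors. The rotating (left-symmetric) placement is an assumed layout chosen for the demonstration.

```python
from functools import reduce


def usable_capacity(level: int, disk_count: int, disk_size_gb: int) -> int:
    """Capacity presented to the host for the three levels the article covers."""
    minimum = {0: 2, 1: 2, 5: 3}
    if level not in minimum:
        raise ValueError("only RAID 0, 1 and 5 are modelled here")
    if disk_count < minimum[level]:
        raise ValueError(f"RAID {level} needs at least {minimum[level]} disks")
    if level == 0:
        return disk_count * disk_size_gb          # stripe: every disk holds data
    if level == 1:
        return disk_size_gb                       # mirror: the rest is redundant copies
    return (disk_count - 1) * disk_size_gb        # RAID 5: one disk's worth is parity


def xor_blocks(blocks) -> bytes:
    """Bitwise XOR of equal-length chunks; this is what RAID 5 parity is."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_disk_for(stripe: int, disk_count: int) -> int:
    # Rotating parity (assumed layout): the parity chunk moves one disk per
    # stripe, so no single drive holds all of the "spare" data.
    return (disk_count - 1 - stripe) % disk_count


def raid5_write(data: bytes, disk_count: int, chunk_size: int) -> list:
    """Lay data across disk_count disks; returns disks[d][stripe] -> chunk."""
    if disk_count < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    data_chunks = disk_count - 1
    stripe_bytes = data_chunks * chunk_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)    # pad to whole stripes
    stripe_count = len(padded) // stripe_bytes
    disks = [[b""] * stripe_count for _ in range(disk_count)]
    for s in range(stripe_count):
        base = s * stripe_bytes
        chunks = [padded[base + i * chunk_size: base + (i + 1) * chunk_size]
                  for i in range(data_chunks)]
        p = parity_disk_for(s, disk_count)
        remaining = iter(chunks)
        for d in range(disk_count):
            disks[d][s] = xor_blocks(chunks) if d == p else next(remaining)
    return disks


def raid5_rebuild_disk(disks: list, failed: int) -> list:
    """Reconstruct every chunk of one failed disk: in each stripe the XOR of the
    surviving chunks (data and parity together) equals the missing chunk."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(disks[0]))]


def raid5_read(disks: list, failed: int = None) -> bytes:
    """Read the volume back in order, rebuilding on the fly if one disk is gone."""
    disk_count = len(disks)
    rebuilt = raid5_rebuild_disk(disks, failed) if failed is not None else None
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for(s, disk_count)
        for d in range(disk_count):
            if d == p:
                continue                                # parity is not user data
            out += rebuilt[s] if d == failed else disks[d][s]
    return bytes(out)


if __name__ == "__main__":
    print("8 x 500 GB as RAID 5 presents", usable_capacity(5, 8, 500), "GB")
    payload = b"constructed RAID 5 payload: " + bytes(range(256))   # sample input
    array = raid5_write(payload, disk_count=4, chunk_size=16)
    array[2] = None                                     # simulate drive 2 failing
    array[2] = raid5_rebuild_disk(array, failed=2)      # rebuild it from the other three
    print("rebuilt volume intact:", raid5_read(array).startswith(payload))
```

The interesting property is that rebuilding works whichever disk is lost, including a stripe where the lost chunk was the parity chunk itself; that is the sense in which one drive's worth of "spare" space protects the whole array. Losing a second disk before the rebuild completes leaves an unsolvable XOR, which is why access times and rebuild windows matter operationally.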

File System: MFT (technical)

MFT – The Master File Table. This is the first, and key, file in an NTFS file system. For a very basic understanding of the MFT please read this post.

All files are referenced through the MFT, including itself.

Within the MFT, the MFT itself is given position “0” and the name $MFT. It sits just above $MFT_Mirror, at position “1”. The MFT Mirror is a copy of the first 16 entries of the MFT, which is there to help the file system deal with errors/corruption.

Each MFT entry is (as standard) 1024 bytes long, or 2 sectors, and contains information about the file it references.

This includes:

  • The file name
  • Directory the file belongs to
  • Dates: Created, Modified, Access, Entry modified – the last time the MFT entry was modified for that file
  • File Size
  • File permissions
  • Physical location of the file. This gives the location or locations of the file within NTFS file system on the hard drive. Remember that a file within an NTFS system does not need to be contiguous, and it can be split into different sections around the hard drive. All of those different sections are referenced within the MFT entry, in a section called “Index” or “Data”.

If a file is very small, just a few bytes, e.g. a cookie, there is no need for the MFT entry to have an index directing the computer to the location of the cookie (as the directions could be longer than the file); instead the small file can fit in the MFT entry, where the index or directions would normally be. This type of data is called “resident” data; other entries, where the data is stored elsewhere in the NTFS volume, are called “non-resident”.

Resident data can be very interesting, because it can allow for “slack” within an MFT entry. Here is how.

Example

A small text file is created on a Windows XP computer with an NTFS file system. This means that an MFT entry is written, with resident data. Due to the size of the file, in this case, this takes up the whole of the 1024 bytes.

A few weeks later the text file is deleted and a new file created. In this case the MFT entry is overwritten, therefore deleting all information about the original file (e.g. date, location, size, etc). Other artifacts – link files, registry entries, etc – may tell you about the file, but the MFT entry itself has been overwritten. However, the new file is a non-resident contiguous file. This means that the entry is relatively short and does not take up much space; as such the entire MFT entry is now only 600 bytes long. This means there are 424 bytes remaining of the “old” entry – this is slack, or more specifically MFT slack. As the remaining area is at the end of the MFT entry, this will be the data of the original text file. This data could last there for a very long time, as nothing will write into that location until the new file is deleted or becomes very large.

In the example given, an investigator could only find that information with a keyword search, and if he did find it he would not be able to say what the name of the document was, or when it was created or deleted (unless there was other supporting information). However, if you're lucky, it may be the perfect evidence.
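The 1024-byte entries and “FILE0” signature from the basic MFT post, and the 600-used/424-slack scenario just described, as one added example in Python (not code from the original article). The header offsets used (update sequence offset at 4, flags at 0x16, used size at 0x18, allocated size at 0x1C, record number at 0x2C) are those of the NTFS FILE record header, which the article does not give; the sample entry, its resident “diary” text and the stand-in bytes for the new file's attributes are constructed.

```python
import struct

MFT_ENTRY_SIZE = 1024            # the standard size the article gives (two sectors)
FILE_SIGNATURE = b"FILE"
HEADER_FMT = "<HHQHHHHII"        # fields from offset 4 to 0x20 of the FILE record header


def parse_mft_entry_header(entry: bytes) -> dict:
    """Parse the fixed header of one MFT entry (FILE record)."""
    if len(entry) != MFT_ENTRY_SIZE:
        raise ValueError("expected a 1024-byte MFT entry")
    if entry[:4] != FILE_SIGNATURE:
        raise ValueError("no FILE signature: not an MFT entry (or a wiped one)")
    (usa_offset, usa_count, lsn, sequence, link_count, first_attr_offset,
     flags, used_size, allocated_size) = struct.unpack_from(HEADER_FMT, entry, 4)
    (record_number,) = struct.unpack_from("<I", entry, 0x2C)
    if not first_attr_offset <= used_size <= allocated_size <= MFT_ENTRY_SIZE:
        raise ValueError("inconsistent size fields in header")
    return {
        # Byte 4 is the low byte of usa_offset: 0x30 -> '0' ("FILE0" on XP),
        # 0x2A -> '*' ("FILE*" on older NTFS), which is why the article sees both.
        "signature": entry[:5].decode("ascii", "replace"),
        "sequence": sequence,
        "link_count": link_count,
        "first_attribute_offset": first_attr_offset,
        "in_use": bool(flags & 0x01),
        "is_directory": bool(flags & 0x02),
        "used_size": used_size,
        "allocated_size": allocated_size,
        "record_number": record_number,
    }


def mft_entry_slack(entry: bytes) -> bytes:
    """Bytes past the header's 'used' size but inside the 1024-byte record:
    MFT slack, where a previous occupant's resident data can survive."""
    h = parse_mft_entry_header(entry)
    return entry[h["used_size"]:h["allocated_size"]]


def iter_mft_entries(mft: bytes):
    """Yield (slot number, entry) for every 1024-byte slot carrying a FILE signature."""
    for n in range(len(mft) // MFT_ENTRY_SIZE):
        entry = mft[n * MFT_ENTRY_SIZE:(n + 1) * MFT_ENTRY_SIZE]
        if entry[:4] == FILE_SIGNATURE:
            yield n, entry


def build_demo_entry() -> bytes:
    """Constructed record reproducing the article's scenario: a resident text
    file once filled the whole entry; a later non-resident file reused the slot
    but needs only 600 bytes, so 424 bytes of the old text survive as slack."""
    old = bytearray(MFT_ENTRY_SIZE)
    old[:4] = FILE_SIGNATURE
    struct.pack_into(HEADER_FMT, old, 4, 0x30, 3, 0, 1, 1, 0x38, 0x01,
                     MFT_ENTRY_SIZE, MFT_ENTRY_SIZE)       # used = allocated = 1024
    struct.pack_into("<I", old, 0x2C, 17)                  # constructed record number
    text = b"Dear diary, the old resident text file lived here. "
    old[0x38:] = (text * 40)[:MFT_ENTRY_SIZE - 0x38]
    reused = bytearray(old)                                 # same slot, weeks later
    struct.pack_into(HEADER_FMT, reused, 4, 0x30, 3, 0, 2, 1, 0x38, 0x01,
                     600, MFT_ENTRY_SIZE)                  # only 600 bytes used now
    reused[0x38:600] = b"\xAA" * (600 - 0x38)              # stand-in for new attributes
    return bytes(reused)


if __name__ == "__main__":
    entry = build_demo_entry()
    print(parse_mft_entry_header(entry))
    slack = mft_entry_slack(entry)
    print(len(slack), "bytes of MFT slack:", slack[:48])
```

Run against a real $MFT, iter_mft_entries walks the file slot by slot and mft_entry_slack yields whatever lies between each record's used size and the 1024-byte boundary; a keyword search over just those tails is the targeted version of the keyword search the text describes. Note that the sequence number in the header increments when a slot is reused, which is one of the few hints that an entry once belonged to a different file.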

Note:

The dates for the MFT do not change, i.e. the creation, access and modification dates for $MFT are always the same – the date it was created/formatted.

A good resource on the MFT, and NTFS in general, is the book File System Forensic Analysis.