File Carving and Metadata Question.

22 Posts
6 Users
0 Likes
2,075 Views
(@nerdrage)
Posts: 21
Eminent Member
Topic starter
 

Hi,

Trying to study and prepare to take the CCE. Just going through the prep tests on the site. The Physical Exam example is a floppy image. I created a virtual floppy in VMware, imaged it with FTK Imager, verified hashes, then popped it into Autopsy 3. I noticed Autopsy only picked up the MBR and FAT1 & 2, but not a root dir or any files. Not sure how I would prove and document that a drive was possibly reformatted?

Back on track, I jumped into CAINE and ran scalpel over the image, and I was able to pick up a few docs. I want to be able to analyze the metadata on those docs, but am unsure what the best way or tools to use would be. In this case I have gone with Doc Scrubber. I have been able to pick up everything, for the most part, but the document name and location. While viewing the unallocated space in Autopsy 3 I notice:
-----
Default Paragraph Font
2C:\WINDOWS\TEMP\AutoRecovery save of Document1.asd
A:\Magna Carta.doc
Times New Roman
Symbol
Arial
JOHN, by the grace of God King of England, Lord of Ireland, Duke of Normandy and Aquitaine, and Count of Anjou, to his archbishops, bishops, abbots, earls, barons, justices, foresters, sheriffs, stewards, servants, and to all his officials and loyal subj
Emma Crook
-----

which matches up with what Doc Scrubber is giving on the carved files, all but the doc name and dir path.

-----
DOC SCRUBBER v1.2
Analysis Performed at 3:26:04 PM on 9/25/2012
File Analyzed: C:\Documents and Settings\IE User\Desktop\scalp\doc-19-0\00000023.doc

Title: JOHN, by the grace of God King of England, Lord of Ireland, Duke of Normandy and Aquitaine, and Count of Anjou, to his archbishops, bishops, abbots, earls, barons, justices, foresters, sheriffs, stewards, servants, and to all his officials and loyal subj
Author: Emma Crook
Company: Really Big Company
Keywords:
Subject:
Comments:
Template Used: Normal.dot
Application: Microsoft Word 8.0
Created: 9/15/2004 12:20:00 PM
Last Saved: 9/15/2004 12:22:00 PM
Last Edited By:
Last Printed:
Page Count: 7
Word Count: 3652
Character Count: 20818
Revision Count: 1
Total Editing Time (minutes): 1

Unique Identifier (GUID): Not Found.
Recent Hyperlinks List: Not Found.

Revision Log: None Found.
-----

Is there a fault in my process or something I am missing, or is Doc Scrubber not parsing the file name and path from the metadata?

 
Posted : 26/09/2012 4:02 am
(@nerdrage)
Posts: 21
Eminent Member
Topic starter
 

Attempt to make this more of a coherent thought. After googling, I am guessing filename and path are not stored in Word metadata fields; could be wrong (more application-level knowledge than I have). My thought is FAT would have a dir entry with a short name, and possibly a long name entry. Since the drive was reformatted and the original directory structures and FAT were replaced, now I just have a large file in the $Unalloc dir (Unalloc_9_16896_1474560, parts=1, size=1457664). Viewing it as text, I see there are document names there. The file carve is going off pure file signature; if the metadata does not store the file name, there is no way for it to know and label the name of the file it just carved, and if the original filesystem structure has been reformatted, the original pointers are going to be wiped. I can see that file names are in the unallocated file if I want to read through all the lines. How would I prove what the file names are of the files being carved in this case? Seems like a pretty fundamental link I am missing.

Totally don't want to get to OSDFCon and be the guy that has to ask this. I'll do it. . .

 
Posted : 26/09/2012 7:36 am
(@athulin)
Posts: 1156
Noble Member
 

I noticed Autopsy only picked up the MBR and FAT1 & 2, but not a root dir or any files. Not sure how I would prove and document that a drive was possibly reformatted?

Are you saying that Autopsy did not locate a root directory, or are you saying that the root directory was empty?

As to proof of reformatting … list all the effects that reformatting has on a device (there might be more than one kind of reformatting), then, list all the other actions that could produce the same effect, severally or together. If you have one single effect that only can be traced back to reformatting, and to no other action, you have a proof … of sorts. If you have multiple points, the proof will be stronger.

Is there a fault in my process or something I am missing, or is Doc Scrubber not parsing the file name and path from the metadata?

The last question is something you should be able to decide for yourself, with a bit of testing. (I don't use Autopsy or Doc Scrubber myself.)

As to faults in your process ... well, you seem to be missing one thing, at least. If it's an important point, I'm not sure; the 'expected answers' to the trial exam will tell you if it is. If you make a few tests of what reformatting a floppy actually does, I'm sure you will realise what it is.

Or ... read Brian Carrier's book on File System Forensics for the relevant file system.

Your second post asks the right kind of questions. But your apparent inability to answer them suggests you need to understand the floppy file system better; there may be more user-created things on a floppy than just files. Get Carrier's book and study it.

 
Posted : 26/09/2012 11:38 am
(@nerdrage)
Posts: 21
Eminent Member
Topic starter
 

Great advice, thank you. Funny you mention it, I am reading Carrier's File Systems Analysis book in parallel. I just finished reading the FAT and FAT Structures chapters, and am trying to use/grow that knowledge with this practical. Looks like I need to research what happens to a floppy when reformatting.


 
Posted : 26/09/2012 8:02 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hi,
The Physical Exam example is a floppy image.

Are you talking of this?
http://www.isfce.com/sample-pe.htm
http://www.isfce.com/cce-ans.htm

Have you tried plainly using PHOTOREC on the image?

And then running Doc Scrubber on the "recovered" files?

Did you try some other metadata extraction tool?
http://www.forensicswiki.org/wiki/Document_Metadata_Extraction

Have you checked directly with a Hex Editor?

As a side note, if Autopsy found an "MBR" on a floppy (as opposed to the FAT12 PBR), I wonder what it would find on a hard disk image.

jaclaz

 
Posted : 26/09/2012 9:25 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

A format on a floppy disk is normally a full format, i.e. everything is erased and a blank FAT and root directory are added.

For a 3.5" HD floppy this will be 80 tracks, and depending on the disk, normally both sides. Track 80 (after tracks 0-79) could sometimes be used for security, and would not be erased by default.

If there is data on tracks 0-79, it was not reformatted.

 
Posted : 26/09/2012 10:34 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

A format on a floppy disk is normally a full format, i.e. everything is erased and a blank FAT and root directory are added.

Please define "normally".
Format /q or the corresponding checkbox in the GUI is commonly used AFAIK.

If there is data on tracks 0-79, it was not reformatted.

Or it was, but with the /q option.

jaclaz

 
Posted : 26/09/2012 11:20 pm
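Tying together the two points raised so far, nerdrage's question of how to link a signature-carved file back to the name held in a FAT directory entry, and the quick-format distinction just made: an added example that is not code from this thread or from any of the tools named in it. It parses the FAT12 BPB, walks 8.3 short entries and VFAT long-name fragments, checks whether the root directory is empty while the data area still holds non-filler bytes (the quick-format signature), and scans the data area for sub-directory clusters a quick format leaves orphaned, reporting each name with the byte offset of its first cluster so it can be matched against a carved file. The built-in image is constructed, not the ISFCE exam image, and the 0xF6 filler test assumes DOS FORMAT's fill byte.

```python
import struct

def bpb(img):
    bps, spc, rsvd, nfats, root_ents, _, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)  # BPB at 11
    root_off = (rsvd + nfats * spf) * bps
    return bps, spc, root_off, root_off + root_ents * 32

def short_name(e):
    n, x = e[:8].decode("latin-1").rstrip(), e[8:11].decode("latin-1").rstrip()
    return n + ("." + x if x else "")

def lfn_part(e):  # 13 UTF-16LE chars in three fragments; low 5 bits of byte 0 = sequence number
    return (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le", "replace").split("\x00")[0]

def parse_dir(img, off, bps, spc, data_off):
    out, pending = [], {}   # returns [(name, deleted?, byte offset of first data cluster)]
    for pos in range(off, len(img), 32):
        e = img[pos:pos + 32]
        if e[0] == 0:
            break                                        # 0x00: no used entries beyond here
        if e[11] == 0x0F:                                # long-name fragment, precedes its short entry
            pending[e[0] & 0x1F] = lfn_part(e)
        elif e[11] & 0x08 or e[:8] in (b".       ", b"..      "):
            pending = {}                                 # volume label or '.'/'..' link
        else:
            name = "".join(pending[k] for k in sorted(pending)) or short_name(e)
            clus = struct.unpack_from("<H", e, 26)[0]
            out.append((name, e[0] == 0xE5, data_off + (clus - 2) * spc * bps))
            pending = {}
    return out

def analyze(img):
    """(root directory empty?, data area holds non-filler bytes?, names from orphaned sub-directories)"""
    bps, spc, root_off, data_off = bpb(img)
    cl, names = bps * spc, []
    for off in range(data_off, len(img) - cl + 1, cl):
        if img[off:off + 8] == b".       " and img[off + 11] & 0x10:   # '.' entry => sub-directory
            names.extend(parse_dir(img, off, bps, spc, data_off))
    data_present = bool(img[data_off:].translate(None, b"\x00\xf6"))  # assumption: 0xF6 = FORMAT filler
    return not any(img[root_off:data_off]), data_present, names

def build_sample():  # constructed 1.44 MB image (not the exam image): cleared root dir, orphaned sub-directory at cluster 2
    img = bytearray(1474560)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    ent = lambda n, a, c: n.ljust(11).encode() + bytes([a]) + bytes(14) + struct.pack("<HI", c, 0)
    def lfn(seq, text):
        u = (text + "\x00").ljust(13, "\uffff").encode("utf-16-le")
        return bytes([seq]) + u[:10] + b"\x0f\x00\x00" + u[10:22] + b"\x00\x00" + u[22:26]
    d = ent(".", 0x10, 2) + ent("..", 0x10, 0) + lfn(0x42, "oc") + lfn(0x01, "Magna Carta.d") + ent("MAGNAC~1DOC", 0x20, 3)
    img[16896:16896 + len(d)] = d
    return bytes(img)
```

With the constructed geometry the data area starts at byte 16896, the same offset Autopsy shows in the Unalloc_9_16896_1474560 name above, so the reported cluster offsets can be compared directly against where scalpel found each header.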
(@mscotgrove)
Posts: 938
Prominent Member
 

format /q

Fair comment. My 'normal' is that most floppy disks relate to DOS days, and the 'normal' command was

c:\format a:

I had forgotten about other format options. Was there also a /v to verify? Useful for old disks that failed.

 
Posted : 27/09/2012 12:00 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

format /qx

Fair comment. My 'normal' is that most floppy disks relate to DOS days, and the 'normal' command was

c:\format a:

I had forgotten about other format options. Was there also a /v to verify? Useful for old disks that failed.

Yes/No, the /V was to provide the LABEL (without being prompted for it, or for use in batch)
http://www.computerhope.com/formathl.htm

There is the /C to check clusters marked bad, but it is more likely that you are remembering the COPY /V one (which was actually for "verify") or possibly the officially UNdocumented format /u
http://www.mdgx.com/secrets.htm#FORMAT
http://www.mdgx.com/secrets.htm#FORMAT-U

That particular floppy appears to have been formatted under a 9x/Me OS, as it uses the (INfamous) volume tracking abomination
http://en.wikipedia.org/wiki/File_Allocation_Table#Boot_Sector
http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/volume-boot-block-oem-name-field.html

OT, but not much, one could also check the actual Volume serial, see
http://www.msfn.org/board/topic/152097-on-superfloppies-and-their-images/page__view__findpost__p__980297
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2134

jaclaz

 
Posted : 27/09/2012 12:27 am
(@nerdrage)
Posts: 21
Eminent Member
Topic starter
 

Hi,
The Physical Exam example is a floppy image.

Are you talking of this?
http://www.isfce.com/sample-pe.htm
http://www.isfce.com/cce-ans.htm

Have you tried plainly using PHOTOREC on the image?
jaclaz

Jaclaz, yep, that is the image off isfce.com I was looking at; I should have said Practical Exam rather than Physical.

First time I have heard of PHOTOREC, looks pretty cool though. Had issues trying to run it in the VM. Doesn't show the A: drive as one of the option drives. I am noticing that Disk Manager also is not picking up A:. I need to see what's the deal with the virtual env; it is accessible otherwise.

I did try to find a few other options off the wiki; there are a few dead links and few free options. I could have tried to use one of the Perl scripts, but was running on the fly, will have to give those a shot.

 
Posted : 27/09/2012 12:57 am