File Carving and Metadata Question.

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

File Carving and Metadata Question.

Post Posted: Tue Sep 25, 2012 5:02 pm

Hi,

Trying to study and prepare to take the CCE. Just going through the prep tests on the site. The Physical Exam example is a floppy image. I created a virtual floppy in VMware, imaged it with FTK Imager, verified hashes, then popped it into Autopsy 3. I noticed Autopsy only picked up the MBR and FAT1 & 2, but not a root dir or any files. Not sure how I would prove and document that a drive was possibly reformatted?

Back on track, I jumped into CAINE and ran Scalpel over the image, and I was able to pick up a few docs. I want to be able to analyze the meta on those docs, but am unsure what the best way or tools to use would be. In this case I have gone with Doc Scrubber. I have been able to pick up everything for the most part except the document name and location. While viewing the unallocated space in Autopsy 3 I notice:
-------------
Default Paragraph Font
2C:\WINDOWS\TEMP\AutoRecovery save of Document1.asd
A:\Magna Carta.doc
Times New Roman
Symbol
Arial
JOHN, by the grace of God King of England, Lord of Ireland, Duke of Normandy and Aquitaine, and Count of Anjou, to his archbishops, bishops, abbots, earls, barons, justices, foresters, sheriffs, stewards, servants, and to all his officials and loyal subj
Emma Crook
-----

which matches up with what Doc Scrubber is giving on the carved files, all but the doc name and dir path.

-----------
DOC SCRUBBER v1.2
Analysis Performed at 3:26:04 PM on 9/25/2012
File Analyzed: C:\Documents and Settings\IE User\Desktop\scalp\doc-19-0\00000023.doc


Title: JOHN, by the grace of God King of England, Lord of Ireland, Duke of Normandy and Aquitaine, and Count of Anjou, to his archbishops, bishops, abbots, earls, barons, justices, foresters, sheriffs, stewards, servants, and to all his officials and loyal subj
Author: Emma Crook
Company: Really Big Company
Keywords:
Subject:
Comments:
Template Used: Normal.dot
Application: Microsoft Word 8.0
Created: 9/15/2004 12:20:00 PM
Last Saved: 9/15/2004 12:22:00 PM
Last Edited By:
Last Printed:
Page Count: 7
Word Count: 3652
Character Count: 20818
Revision Count: 1
Total Editing Time (minutes): 1

Unique Identifier (GUID): Not Found.
Recent Hyperlinks List: Not Found.

Revision Log: None Found.
-----------------------------------

Is there a fault in my process or something I am missing, or is Doc Scrubber not parsing file name and path from the meta?

nerdrage
Member

Re: File Carving and Metadata Question.

Post Posted: Tue Sep 25, 2012 8:36 pm

Attempt to make this more of a coherent thought. After googling, I am guessing filename and path are not stored in Word metadata fields; could be wrong (more application-level knowledge than I have). My thought is FAT would have a dir entry with a short name, and possibly a long name entry. Since the drive was reformatted and the original directory structures and FAT were replaced, now I just have a large file in the $Unalloc dir (Unalloc_9_16896_1474560, parts = 1, size = 1457664). Viewing it as text, I see there are document names there. The file carve is going off pure file signature; if the metadata does not store the file name, there is no way for it to know the name of the file it just carved, and if the original filesystem structure has been reformatted the original pointers are going to be wiped. I can see that file names are in the unallocated file if I want to read through all the lines. How would I prove what the file names are of the files being carved in this case? Seems like a pretty fundamental link I am missing.

Totally don't want to get to OSDFCon and be the guy that has to ask this. I'll do it...

nerdrage
Member
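An added worked example, not code from the thread or from Autopsy, Scalpel or Doc Scrubber: a small FAT12 directory-entry parser that does what nerdrage's post reasons towards. It walks a fragment of an old root directory found in unallocated space, joins the long-name (LFN) entries onto the 8.3 entry that follows them, and, for deleted entries, uses the checksum every LFN entry carries to recover the first character that the 0xE5 deletion marker overwrote. The fragment and the short name MAGNA~1.DOC are constructed; the starting cluster the entry yields is what ties a recovered name to a carved file.

```python
import struct

ATTR_LFN = 0x0F  # attribute byte that marks a long-file-name (LFN) entry

def sfn_checksum(name11: bytes) -> int:
    """Checksum of the 11-byte 8.3 name; every LFN entry stores it at byte 13."""
    s = 0
    for b in name11:
        s = ((((s & 1) << 7) | (s >> 1)) + b) & 0xFF
    return s

def recover_first_byte(name11: bytes, chk: int) -> bytes:
    # Each checksum step is a bijection, so bytes 1-10 plus the stored checksum pin
    # down the single first byte that the 0xE5 deletion marker overwrote.
    return next(bytes([b]) for b in range(256) if sfn_checksum(bytes([b]) + name11[1:]) == chk)

def parse_dir_fragment(buf: bytes) -> list:
    """Walk 32-byte entries; attach the LFN pieces that precede each 8.3 entry to it."""
    out, pieces = [], []
    for off in range(0, len(buf) - 31, 32):
        e = buf[off:off + 32]
        if e[0] == 0x00:
            break  # end-of-directory marker
        if e[11] == ATTR_LFN:
            # UTF-16LE name chars sit at bytes 1-10, 14-25 and 28-31; pieces are stored last-chunk-first
            raw = (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le", "replace")
            pieces.append((raw.split("\x00")[0].replace("\uffff", ""), e[13]))
            continue
        deleted, name11 = e[0] == 0xE5, e[:11]
        if deleted and pieces:
            name11 = recover_first_byte(name11, pieces[0][1]) + name11[1:]
        base, ext = name11[:8].decode("latin-1").rstrip(), name11[8:].decode("latin-1").rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)  # FAT12 keeps no high cluster word
        out.append({"long_name": "".join(p for p, _ in reversed(pieces)), "deleted": deleted,
                    "short_name": base + ("." + ext if ext else ""), "first_cluster": cluster, "size": size})
        pieces = []
    return out

def build_sample() -> bytes:
    """Constructed fragment (not from the thread): a deleted 'Magna Carta.doc', then an end marker."""
    name11, chk = b"MAGNA~1 DOC", sfn_checksum(b"MAGNA~1 DOC")
    def lfn(seq, chunk, last):  # 13 UTF-16 chars per entry, NUL-terminated then 0xFFFF padded
        u = (chunk + ("\x00" if len(chunk) < 13 else "")).ljust(13, "\uffff").encode("utf-16-le")
        return (bytes([seq | (0x40 if last else 0)]) + u[:10] + bytes([ATTR_LFN, 0, chk])
                + u[10:22] + b"\x00\x00" + u[22:26])
    sfn = struct.pack("<11sBBBHHHHHHHI", name11, 0x20, 0, 0, 0, 0, 0, 0, 0x62C0, 0x312F, 3, 20480)
    frag = bytearray(lfn(2, "oc", True) + lfn(1, "Magna Carta.d", False) + sfn)
    for i in (0, 32, 64):
        frag[i] = 0xE5  # deletion overwrites only the first byte of each entry
    return bytes(frag) + bytes(32)
```

Run against a real unallocated extract by sliding a 32-byte window and calling parse_dir_fragment wherever byte 11 holds a plausible attribute value; the first_cluster of each hit, multiplied out with the BPB geometry, gives the offset to compare with where the carver found each document.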

Re: File Carving and Metadata Question.

Post Posted: Wed Sep 26, 2012 12:38 am

- nerdrage
I noticed Autopsy only picked up the MBR and FAT1 & 2, but not a root dir or any files. Not sure how I would prove and document that a drive was possibly reformatted?


Are you saying that Autopsy did not locate a root directory, or are you saying that the root directory was empty?

As to proof of reformatting ... list all the effects that reformatting has on a device (there might be more than one kind of reformatting), then, list all the other actions that could produce the same effect, severally or together. If you have one single effect that only can be traced back to reformatting, and to no other action, you have a proof ... of sorts. If you have multiple points, the proof will be stronger.

Is there a fault in my process or something I am missing, or is Doc Scrubber not parsing file name and path from the meta?


The last question is something you should be able to decide for yourself -- with a bit of testing. (I don't use Autopsy or Doc Scrubber myself.)

As to faults in your process ... well, you seem to be missing one thing, at least. Whether it's an important point, I'm not sure -- the 'expected answers' to the trial exam will tell you if it is. If you make a few tests of what reformatting a floppy actually does, I'm sure you will realise what it is.

Or ... read Brian Carrier's book on File System Forensics for the relevant file system.

Your second post asks the right kind of questions. But your apparent inability to answer them suggests you need to understand the floppy file system better -- there may be more user-created things on a floppy than just files. Get Carrier's book and study it.  

athulin
Senior Member

Re: File Carving and Metadata Question.

Post Posted: Wed Sep 26, 2012 9:02 am

Great advice, thank you. Funny you mention it, I am reading Carrier's File Systems Analysis book in parallel. I just finished reading the FAT and FAT Structures chapters, trying to use/grow that knowledge with this practical. Looks like I need to research what happens to a floppy when reformatting.

nerdrage
Member

Re: File Carving and Metadata Question.

Post Posted: Wed Sep 26, 2012 10:25 am

- nerdrage
Hi,
The Physical Exam example is a floppy image.

Are you talking of this?
www.isfce.com/sample-pe.htm
www.isfce.com/cce-ans.htm

Have you tried plainly using PHOTOREC on the image?

And then running Doc Scrubber on the "recovered" files?

Did you try some other metadata extraction tool?
www.forensicswiki.org/...Extraction

Have you checked directly with a Hex Editor?


As a side note, if Autopsy found an "MBR" on a floppy (as opposed to the FAT12 PBR), I wonder what it would find on a hard disk image.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: File Carving and Metadata Question.

Post Posted: Wed Sep 26, 2012 11:34 am

A format on a floppy disk is normally a full format, i.e. everything is erased and a blank FAT and root directory are added.

For a 3.5" HD floppy this will be 80 tracks, and depending on the disk, normally both sides. Track 80 (after tracks 0-79) could sometimes be used for security, and would not be erased by default.

If there is data on tracks 0-79, it was not reformatted.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member

Re: File Carving and Metadata Question.

Post Posted: Wed Sep 26, 2012 12:20 pm

- mscotgrove
A format on a floppy disk is normally a full format, i.e. everything is erased and a blank FAT and root directory are added.

Please define "normally".
Format /q or the corresponding checkbox in the GUI is commonly used AFAIK.

- mscotgrove

If there is data on tracks 0-79, it was not reformatted.

Or it was, but with the /q option.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
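An added example, not from the thread or any tool it names, to settle the full-versus-quick-format question jaclaz raises: given a FAT12 floppy image, decide whether the data region behind a fresh-looking FAT and empty root directory still carries content (format /q) or was wiped as well (full format), and report where the first residue sits in track/head/sector terms. The 1.44 MB image is constructed; the geometry is read from the image's own BIOS Parameter Block, and a sector made of a single repeated byte (0x00, or 0xF6 as DOS-style formatters write) is treated as blank.

```python
import struct

def read_geometry(img: bytes) -> dict:
    """Read the FAT12 BIOS Parameter Block and derive the region boundaries as byte offsets."""
    (bps, spc, rsvd, nfats, root_ents, total,
     media, spf, spt, heads) = struct.unpack_from("<HBHBHHBHHH", img, 11)
    root_start = (rsvd + nfats * spf) * bps
    data_start = root_start + ((root_ents * 32 + bps - 1) // bps) * bps
    return dict(bps=bps, media=media, total=total, spf=spf, spt=spt, heads=heads,
                fat_start=rsvd * bps, root_start=root_start, data_start=data_start)

def chs(sector: int, g: dict) -> tuple:
    """Logical sector number -> (track, head, sector) in the disk's own geometry."""
    return sector // (g["spt"] * g["heads"]), (sector // g["spt"]) % g["heads"], sector % g["spt"] + 1

def assess_format(img: bytes) -> dict:
    """Tell a quick format (metadata reset, data region intact) from a full one (data
    region wiped too); a sector made of one repeated byte (0x00, or 0xF6 from DOS-style
    formatters) counts as blank."""
    g = read_geometry(img)
    bps = g["bps"]
    fat = img[g["fat_start"]:g["fat_start"] + g["spf"] * bps]
    fat_fresh = fat[:3] == bytes([g["media"], 0xFF, 0xFF]) and not any(fat[3:])
    root_empty = not any(img[g["root_start"]:g["data_start"]])
    residue = [s for s in range(g["data_start"] // bps, g["total"])
               if len(set(img[s * bps:(s + 1) * bps])) > 1]
    if not (fat_fresh and root_empty):
        verdict = "file system metadata in use: not a fresh format"
    elif residue:
        verdict = "quick format: FAT and root directory reinitialised, data region still holds content"
    else:
        verdict = "full format (or unused media): FAT, root directory and data region all blank"
    return {"verdict": verdict, "fat_fresh": fat_fresh, "root_empty": root_empty,
            "residue_sectors": len(residue),
            "first_residue_chs": chs(residue[0], g) if residue else None}

def build_sample_image() -> bytes:
    """Constructed 1.44 MB image (not evidence from the thread): fresh FATs, empty root
    directory, and one Word file's residue left at cluster 3 as format /q would leave it."""
    img = bytearray(1474560)
    img[0:3], img[510:512] = b"\xEB\x3C\x90", b"\x55\xAA"
    struct.pack_into("<HBHBHHBHHH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    for fat_sector in (1, 10):  # both FAT copies: media byte, two 0xFF, rest zero
        img[fat_sector * 512:fat_sector * 512 + 3] = b"\xF0\xFF\xFF"
    residue = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"Magna Carta.doc body (constructed)"
    img[34 * 512:34 * 512 + len(residue)] = residue  # cluster 3 = logical sector 34
    return bytes(img)
```

On a 1.44 MB FAT12 floppy the data region begins at byte 16896 (1 reserved + 2 x 9 FAT + 14 root-directory sectors), which is exactly the start offset in the Unalloc_9_16896_1474560 name from nerdrage's post. The track in the CHS triple is what to compare against mscotgrove's tracks 0-79.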
Page 1 of 4