Intro to Cyber Crime and Computer Forensics CS 4273/6273 September 19, 2005 - PowerPoint PPT Presentation

1
Intro to Cyber Crime and Computer Forensics CS 4273/6273, September 19, 2005
MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF
COMPUTER SCIENCE
2
Introduction to FAT File Systems
Investigating Windows Computers
Chapter 8
MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF
COMPUTER SCIENCE
3
Microsoft Operating Systems (and the file system each uses)
  • MS-DOS: FAT-12
  • Windows 3.1: FAT-16
  • Windows 95: FAT-16
  • Windows 98: FAT-32
  • Windows NT: NTFS
  • Windows 2000: NTFS
  • Windows XP: NTFS
  • ?????

4
Storage Media Basics
  • Sector: 512 bytes
  • Cluster (block): 2 or more sectors (up to 64)


5
Slack Space
  • RAM Slack: that portion of the file's last sector that is not
    overwritten by file data and is instead filled from memory.
  • Disk Slack: those sectors of the cluster that are not needed to
    store the file.

[Figure: layout of a file's last cluster, showing EOF followed by RAM slack
within the final sector, then disk slack in the remaining sectors of the cluster]
6
Slack Space
  • File Slack: the last cluster of a file isn't filled up
    completely, so data from the last use of that cluster isn't
    overwritten.
  • File Slack = Disk Slack + RAM Slack

[Figure: file slack shown as the disk slack plus the RAM slack that follow EOF]
7
Free Space
  • That portion of the media that is not currently in use.
  • It could have been used before, and the old data not overwritten.
  • Especially true today with very large disks.
  • Can we really erase a hard drive?
  • Even if the drive is formatted, the data is not lost.

8
File Allocation Table
  • A database of the cluster locations of files on the computer.
  • 000 in a location means that cluster does not currently contain
    an active file.
  • EOF in a location means that cluster holds the end of a file.
  • Anything else is a pointer to the next cluster in the file.
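
The three table rules above and the slack calculation from the earlier slides, as an added Python example (not from the lecture): the FAT contents, the cluster geometry and the end-of-chain values are constructed for illustration, and the chain walker also rejects loops and chains that run into a free entry, which a real FAT should never contain.

```python
# Added example (not from the slides): a small FAT-12 style model of the
# table rules (0 = free, EOF marker = last cluster, anything else = pointer
# to the next cluster) plus the slack arithmetic. Geometry is constructed.
SECTOR_BYTES = 512
SECTORS_PER_CLUSTER = 8          # one 4096-byte cluster (between 2 and 64 sectors)
CLUSTER_BYTES = SECTOR_BYTES * SECTORS_PER_CLUSTER
FREE = 0x000                     # "000" on the slide: cluster holds no active file
EOF_MIN = 0xFF8                  # FAT-12 end-of-chain values are 0xFF8..0xFFF

# Constructed FAT: entries 0 and 1 are reserved, so data starts at cluster 2.
# File A occupies 2 -> 3 -> 4, file B occupies 6 -> 7; clusters 5 and 8 are
# free (but, as the free-space slide notes, may still hold old data).
FAT = [0xFF0, 0xFFF, 3, 4, 0xFFF, FREE, 7, 0xFFF, FREE]

def cluster_chain(fat, start):
    """Follow pointers from `start` until an EOF marker; reject loops and
    chains that hit a free or out-of-range entry (a sign of corruption)."""
    chain, cur = [], start
    while True:
        if cur < 2 or cur >= len(fat) or cur in chain:
            raise ValueError(f"bad chain at cluster {cur}")
        entry = fat[cur]
        if entry == FREE:
            raise ValueError(f"cluster {cur} is marked free mid-chain")
        chain.append(cur)
        if entry >= EOF_MIN:           # this cluster holds the end of the file
            return chain
        cur = entry                    # otherwise it points at the next cluster

def free_clusters(fat):
    """Unallocated clusters: where deleted data may survive unoverwritten."""
    return [i for i in range(2, len(fat)) if fat[i] == FREE]

def slack(file_size):
    """Return (ram_slack, disk_slack, file_slack) in bytes for a file of
    file_size bytes, using the rule file slack = disk slack + RAM slack."""
    used = file_size % CLUSTER_BYTES
    if used == 0:                      # last cluster exactly full: no slack
        return 0, 0, 0
    ram = (-used) % SECTOR_BYTES       # remainder of the final sector
    disk = CLUSTER_BYTES - used - ram  # whole sectors never written
    return ram, disk, ram + disk
```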

9
Microsoft Software
  • Inadvertent Office help
  • MS Word's document serial numbers
  • Possibly used to track back to the creator of the Melissa virus
  • Uses the serial number of the network interface card
  • Won't work on MS Office 2000

10
Registry
  • What is the registry?
  • Database
  • Contains information on every program that has
    been installed on the computer.
  • Contains information on users and their
    preferences
  • Contains hardware information
  • Contains network information

11
Investigating the Registry
  • Create backups of both System.dat and User.dat
  • They can be manually restored afterwards, or restored with the
    scanreg /restore command.
  • regedit
  • Can be used to find out what programs have been run on the
    suspect computer

12
Booting Windows Machines
  • When you boot a Windows 95 or 98 system, over 400 files are
    accessed and updated.
  • NT: 500 files
  • This is important, because if you have to testify about the files
    being authentic, you'll have to explain why they changed.
  • Better to boot from a floppy or CD to prevent the automatic
    updates.

13
Finding Files on Windows Machines
  • Searching My Documents folder
  • Searching profile folders, if multiple users
  • Find Utility
  • Find .jpg
  • Windows Password File
  • Find .pwl
  • A lot of password files means that the suspect computer may be in
    use for cracking passwords.

14
Forensic Programs
  • Forensic Toolkit
  • The Coroner's Toolkit
  • ForensiX
  • New Technologies Inc. (NTI)
  • Safeback
  • Diskscrub
  • CRCMD5
  • Disksig

15
Forensic Programs (Cont.)
  • New Technologies Inc. (NTI) (Cont.)
  • Getfree
  • Getslack
  • Encase
  • Ilook
  • Maresware