Disk Forensics
Storage Device Investigation and Analysis
What is Disk Forensics?
Disk Forensics: The process of examining storage devices (hard drives, SSDs, USB drives) to recover, analyze, and preserve digital evidence while maintaining data integrity and legal admissibility.
- Storage Analysis: Examining various storage media types
- Data Recovery: Retrieving deleted or hidden information
- Evidence Preservation: Maintaining forensic soundness
- File System Examination: Understanding data organization
Storage Device Types
Hard Disk Drives (HDD)
- Magnetic storage technology
- Mechanical read/write heads
- Traditional forensic target
- Data remnants in unallocated space
Solid State Drives (SSD)
- Flash memory technology
- No mechanical components
- TRIM command challenges
- Wear leveling complexities
Optical Media
- CD, DVD, Blu-ray discs
- Write-once or rewritable
- Session-based writing
- Physical damage assessment
External Storage
- USB flash drives
- External hard drives
- Memory cards (SD, microSD)
- Portable storage devices
File System Analysis
Common File Systems:
- NTFS: Windows NT File System with security features
- FAT32/exFAT: File Allocation Table systems
- ext4: Fourth extended filesystem for Linux
- HFS+/APFS: Apple file systems for macOS
- UFS: Unix File System variants
File System Components:
• Boot sector - Contains file system information
• File Allocation Table - Tracks file locations
• Directory structure - Organizes files and folders
• Data area - Stores actual file content
• Metadata - File attributes and timestamps
Data Acquisition Process
Acquisition Methods:
- Physical Imaging: Bit-by-bit copy of entire drive
- Logical Imaging: Copy of file system and allocated data
- Sparse Imaging: Copy only allocated data blocks
- Live Imaging: Acquisition from running system
Write Blockers:
- Hardware Write Blockers: Physical devices preventing writes
- Software Write Blockers: OS-level write protection
- Purpose: Prevent evidence contamination
- Validation: Test before and after use
Disk Structure and Organization
Physical Disk Layout:
Cylinder → Head → Sector (CHS addressing)
OR
Logical Block Addressing (LBA)
Typical Structure:
• Master Boot Record (MBR) or GUID Partition Table (GPT)
• Partition tables
• File system boot sectors
• Data areas
Partition Analysis
- Primary and extended partitions
- Hidden partitions
- Deleted partition recovery
- Partition table reconstruction
Slack Space
- RAM slack space
- Drive slack space
- Data hiding locations
- Evidence remnants
Deleted File Recovery
File Deletion Process: When files are deleted, the data typically remains on disk until overwritten, with only the file system metadata being modified to mark the space as available.
Recovery Techniques:
- Undelete Utilities: Recover recently deleted files from file system
- File Carving: Search for file signatures in unallocated space
- Journal Analysis: Examine file system journals for deleted entries
- Shadow Copy Analysis: Recover from Windows Volume Shadow copies
- Recycle Bin Forensics: Analyze deleted file metadata
File Signature Examples:
JPEG: FF D8 FF
PNG: 89 50 4E 47 0D 0A 1A 0A
PDF: 25 50 44 46
ZIP: 50 4B 03 04
EXE: 4D 5A
Timeline Analysis
Timestamp Types (MACB):
- Modified (M): When file content was last changed
- Accessed (A): When file was last accessed
- Changed (C): When file metadata was changed
- Born (B): When file was created
Timeline Creation Process:
- Extract timestamps from file system metadata
- Parse log files for time-based events
- Correlate events across different sources
- Create comprehensive timeline of activities
- Identify suspicious patterns or gaps
Timeline Analysis Benefits:
- Reconstruct sequence of events
- Identify user activity patterns
- Detect evidence manipulation attempts
- Establish incident timelines
Windows Registry Forensics
Windows Registry: Hierarchical database storing system configuration, user preferences, software settings, and forensically valuable artifacts.
Registry Hives
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_CURRENT_USER (HKCU)
- HKEY_USERS (HKU)
- HKEY_CURRENT_CONFIG (HKCC)
Forensic Artifacts
- Recently used file lists
- USB device connection history
- Network connection records
- Program execution evidence
Key Forensic Registry Locations:
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
• HKLM\SYSTEM\CurrentControlSet\Enum\USB
• HKCU\Software\Microsoft\Internet Explorer\TypedURLs
Dealing with Encryption
Encryption Technologies:
- BitLocker: Microsoft's full disk encryption
- FileVault: Apple's disk encryption for macOS
- LUKS: Linux Unified Key Setup
- TrueCrypt/VeraCrypt: Third-party encryption tools
- Hardware Encryption: Self-encrypting drives (SEDs)
Investigation Strategies:
- Live Analysis: Access encrypted data while system is running
- Memory Acquisition: Extract encryption keys from RAM
- Hibernation Files: Keys may be stored in hiberfil.sys
- Key Recovery: Use recovery keys or certificates
- Brute Force: Last resort for weak passwords
Anti-Forensic Challenges
Anti-Forensics: Techniques used to impede digital forensic investigations by hiding, destroying, or altering evidence.
Data Hiding Techniques
- Steganography in files
- Alternate data streams (NTFS)
- Hidden partitions
- File signature manipulation
Data Destruction Methods
- Secure deletion utilities
- Disk wiping software
- Physical drive destruction
- Degaussing magnetic media
Countermeasures:
- Multiple acquisition methods
- Deep analysis of unallocated space
- File carving and signature analysis
- Cross-correlation with other evidence
- Specialized anti-anti-forensic tools
SSD Forensic Challenges
SSD Unique Characteristics:
- TRIM Command: Immediately marks deleted blocks for erasure
- Wear Leveling: Distributes writes across all cells
- Over-provisioning: Hidden spare blocks for wear management
- Garbage Collection: Background cleanup of invalid data
Forensic Implications:
- Deleted data may be immediately unrecoverable
- Data location is not predictable
- Traditional file carving may be less effective
- Need for live acquisition techniques
- Importance of RAM and hibernation file analysis
SSD Investigation Strategies:
- Disable TRIM during acquisition
- Perform live acquisition when possible
- Focus on allocated data analysis
- Examine firmware and controller logs
- Use specialized SSD forensic tools
Disk Forensic Tools
Commercial Tools
- EnCase Forensic
- FTK (AccessData)
- X-Ways Forensics
- Magnet AXIOM
- MSAB XRY
Open Source Tools
- Autopsy (The Sleuth Kit)
- PhotoRec/TestDisk
- DEFT Linux
- Paladin Forensic Suite
- SIFT Workstation
Command Line Tools:
• dd - Create bit-by-bit copies
• fsstat - Display file system details
• fls - List file and directory names
• icat - Display contents of a file
• mmls - Display partition layout
• blkls - List unallocated disk blocks
Quality Assurance and Validation
Hash Verification:
- MD5: 128-bit hash (legacy, collision concerns)
- SHA-1: 160-bit hash (deprecated for security)
- SHA-256: 256-bit hash (current standard)
- Purpose: Verify data integrity throughout process
Validation Procedures:
- Pre-acquisition hash of source drive
- Post-acquisition hash of forensic image
- Regular verification during analysis
- Tool validation and testing
- Documentation of all procedures
Chain of Custody:
- Detailed evidence logging
- Access control and monitoring
- Transfer documentation
- Storage environment controls
- Regular integrity checks
Reporting and Documentation
Report Components:
- Executive Summary: High-level findings
- Case Information: Background and scope
- Evidence Description: Items examined
- Methodology: Procedures and tools used
- Findings: Detailed analysis results
- Conclusions: Summary and opinions
- Appendices: Supporting documentation
Documentation Best Practices:
- Contemporaneous notes during examination
- Screenshot evidence of findings
- Step-by-step procedure documentation
- Tool version and configuration records
- Peer review of findings
Legal and Ethical Considerations
Legal Requirements:
- Search Warrants: Legal authority to examine evidence
- Privacy Rights: Respect for personal information
- Evidence Admissibility: Meeting court standards
- Chain of Custody: Maintaining evidence integrity
- Expert Testimony: Explaining findings in court
Ethical Guidelines:
- Maintain objectivity and impartiality
- Only examine authorized evidence
- Protect sensitive personal information
- Report findings honestly and completely
- Continue professional development
Key Takeaways
Critical Points:
- Methodical Approach: Systematic examination procedures
- Technology Awareness: Understanding different storage types
- Evidence Preservation: Maintaining forensic integrity
- Comprehensive Analysis: Multiple examination techniques
- Legal Compliance: Meeting court and legal standards
Disk Forensics Excellence: Combine technical expertise, proper methodology, and legal compliance to conduct thorough storage device examinations that produce reliable and admissible digital evidence.