· Milav

Disk Forensics

Storage Device Investigation and Analysis

What is Disk Forensics?

Disk Forensics: The process of examining storage devices (hard drives, SSDs, USB drives) to recover, analyze, and preserve digital evidence while maintaining data integrity and legal admissibility.

Storage Analysis: Examining various storage media types
Data Recovery: Retrieving deleted or hidden information
Evidence Preservation: Maintaining forensic soundness
File System Examination: Understanding data organization

Storage Device Types

Hard Disk Drives (HDD)

Magnetic storage technology
Mechanical read/write heads
Traditional forensic target
Data remnants in unallocated space

Solid State Drives (SSD)

Flash memory technology
No mechanical components
TRIM command challenges
Wear leveling complexities

Optical Media

CD, DVD, Blu-ray discs
Write-once or rewritable
Session-based writing
Physical damage assessment

External Storage

USB flash drives
External hard drives
Memory cards (SD, microSD)
Portable storage devices

File System Analysis

Common File Systems:

NTFS: Windows NT File System with security features
FAT32/exFAT: File Allocation Table systems
ext4: Fourth extended filesystem for Linux
HFS+/APFS: Apple file systems for macOS
UFS: Unix File System variants

File System Components: • Boot sector - Contains file system information • File Allocation Table - Tracks file locations • Directory structure - Organizes files and folders • Data area - Stores actual file content • Metadata - File attributes and timestamps

Data Acquisition Process

Acquisition Methods:

Physical Imaging: Bit-by-bit copy of entire drive
Logical Imaging: Copy of file system and allocated data
Sparse Imaging: Copy only allocated data blocks
Live Imaging: Acquisition from running system

Write Blockers:

Hardware Write Blockers: Physical devices preventing writes
Software Write Blockers: OS-level write protection
Purpose: Prevent evidence contamination
Validation: Test before and after use

Disk Structure and Organization

Physical Disk Layout: Cylinder → Head → Sector (CHS addressing) OR Logical Block Addressing (LBA) Typical Structure: • Master Boot Record (MBR) or GUID Partition Table (GPT) • Partition tables • File system boot sectors • Data areas

Partition Analysis

Primary and extended partitions
Hidden partitions
Deleted partition recovery
Partition table reconstruction

Slack Space

RAM slack space
Drive slack space
Data hiding locations
Evidence remnants

Deleted File Recovery

File Deletion Process: When files are deleted, the data typically remains on disk until overwritten, with only the file system metadata being modified to mark the space as available.

Recovery Techniques:

Undelete Utilities: Recover recently deleted files from file system
File Carving: Search for file signatures in unallocated space
Journal Analysis: Examine file system journals for deleted entries
Shadow Copy Analysis: Recover from Windows Volume Shadow copies
Recycle Bin Forensics: Analyze deleted file metadata

File Signature Examples: JPEG: FF D8 FF PNG: 89 50 4E 47 0D 0A 1A 0A PDF: 25 50 44 46 ZIP: 50 4B 03 04 EXE: 4D 5A

Timeline Analysis

Timestamp Types (MACB):

Modified (M): When file content was last changed
Accessed (A): When file was last accessed
Changed (C): When file metadata was changed
Born (B): When file was created

Timeline Creation Process:

Extract timestamps from file system metadata
Parse log files for time-based events
Correlate events across different sources
Create comprehensive timeline of activities
Identify suspicious patterns or gaps

Timeline Analysis Benefits:

Reconstruct sequence of events
Identify user activity patterns
Detect evidence manipulation attempts
Establish incident timelines

Windows Registry Forensics

Windows Registry: Hierarchical database storing system configuration, user preferences, software settings, and forensically valuable artifacts.

Registry Hives

HKEY_LOCAL_MACHINE (HKLM)
HKEY_CURRENT_USER (HKCU)
HKEY_USERS (HKU)
HKEY_CURRENT_CONFIG (HKCC)

Forensic Artifacts

Recently used file lists
USB device connection history
Network connection records
Program execution evidence

Key Forensic Registry Locations: • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs • HKLM\SYSTEM\CurrentControlSet\Enum\USB • HKCU\Software\Microsoft\Internet Explorer\TypedURLs

Dealing with Encryption

Encryption Technologies:

BitLocker: Microsoft's full disk encryption
FileVault: Apple's disk encryption for macOS
LUKS: Linux Unified Key Setup
TrueCrypt/VeraCrypt: Third-party encryption tools
Hardware Encryption: Self-encrypting drives (SEDs)

Investigation Strategies:

Live Analysis: Access encrypted data while system is running
Memory Acquisition: Extract encryption keys from RAM
Hibernation Files: Keys may be stored in hiberfil.sys
Key Recovery: Use recovery keys or certificates
Brute Force: Last resort for weak passwords

Anti-Forensic Challenges

Anti-Forensics: Techniques used to impede digital forensic investigations by hiding, destroying, or altering evidence.

Data Hiding Techniques

Steganography in files
Alternate data streams (NTFS)
Hidden partitions
File signature manipulation

Data Destruction Methods

Secure deletion utilities
Disk wiping software
Physical drive destruction
Degaussing magnetic media

Countermeasures:

Multiple acquisition methods
Deep analysis of unallocated space
File carving and signature analysis
Cross-correlation with other evidence
Specialized anti-anti-forensic tools

SSD Forensic Challenges

SSD Unique Characteristics:

TRIM Command: Immediately marks deleted blocks for erasure
Wear Leveling: Distributes writes across all cells
Over-provisioning: Hidden spare blocks for wear management
Garbage Collection: Background cleanup of invalid data

Forensic Implications:

Deleted data may be immediately unrecoverable
Data location is not predictable
Traditional file carving may be less effective
Need for live acquisition techniques
Importance of RAM and hibernation file analysis

SSD Investigation Strategies:

Disable TRIM during acquisition
Perform live acquisition when possible
Focus on allocated data analysis
Examine firmware and controller logs
Use specialized SSD forensic tools

Disk Forensic Tools

Commercial Tools

EnCase Forensic
FTK (AccessData)
X-Ways Forensics
Magnet AXIOM
MSAB XRY

Open Source Tools

Autopsy (The Sleuth Kit)
PhotoRec/TestDisk
DEFT Linux
Paladin Forensic Suite
SIFT Workstation

Command Line Tools: • dd - Create bit-by-bit copies • fsstat - Display file system details • fls - List file and directory names • icat - Display contents of a file • mmls - Display partition layout • blkls - List unallocated disk blocks

Quality Assurance and Validation

Hash Verification:

MD5: 128-bit hash (legacy, collision concerns)
SHA-1: 160-bit hash (deprecated for security)
SHA-256: 256-bit hash (current standard)
Purpose: Verify data integrity throughout process

Validation Procedures:

Pre-acquisition hash of source drive
Post-acquisition hash of forensic image
Regular verification during analysis
Tool validation and testing
Documentation of all procedures

Chain of Custody:

Detailed evidence logging
Access control and monitoring
Transfer documentation
Storage environment controls
Regular integrity checks

Reporting and Documentation

Report Components:

Executive Summary: High-level findings
Case Information: Background and scope
Evidence Description: Items examined
Methodology: Procedures and tools used
Findings: Detailed analysis results
Conclusions: Summary and opinions
Appendices: Supporting documentation

Documentation Best Practices:

Contemporaneous notes during examination
Screenshot evidence of findings
Step-by-step procedure documentation
Tool version and configuration records
Peer review of findings

Legal and Ethical Considerations

Legal Requirements:

Search Warrants: Legal authority to examine evidence
Privacy Rights: Respect for personal information
Evidence Admissibility: Meeting court standards
Chain of Custody: Maintaining evidence integrity
Expert Testimony: Explaining findings in court

Ethical Guidelines:

Maintain objectivity and impartiality
Only examine authorized evidence
Protect sensitive personal information
Report findings honestly and completely
Continue professional development

Key Takeaways

Critical Points:

Methodical Approach: Systematic examination procedures
Technology Awareness: Understanding different storage types
Evidence Preservation: Maintaining forensic integrity
Comprehensive Analysis: Multiple examination techniques
Legal Compliance: Meeting court and legal standards

Disk Forensics Excellence: Combine technical expertise, proper methodology, and legal compliance to conduct thorough storage device examinations that produce reliable and admissible digital evidence.