Chapter 9
Document Analysis
Files are the Key
Files aren't always what they appear to be
Metadata can hold clues
Data can be hidden in strange places
On NTFS a file can carry extra data attached to it as alternate data streams
File Identification
File extensions
Control which application Windows hands the file to (the extension maps to a handler in the Registry)
Generally identify the type of file
But are trivially changed by renaming, so they must never be trusted on their own
File headers
A signature in the first bytes of the file that applications check to recognize the type
Survive renaming, but can still be forged with a hex editor
Magic numbers: the same signature bytes, as catalogued in the magic database used by the Unix/Linux file command
File Metadata
MFT attributes
File header information
End-of-file marker (trailer signature, e.g. FF D9 for JPEG)
Magic numbers
MFT Attributes
NTFS defines a fixed set of standard attribute types in the $AttrDef metafile (16 in current versions) and allows user-defined ones
Only a few are routinely useful to the investigator:
$STANDARD_INFORMATION (the timestamps and flags the OS reports)
$FILE_NAME attribute (name, parent directory, and its own copy of the four timestamps)
$OBJECT_ID
$DATA attribute (file content; a file may have several, which is how alternate data streams are implemented)
The MFT record does not go away when the file is deleted: only the in-use flag in its header is cleared, and the record stays intact until NTFS reuses it
File Headers
The first bytes of the file carry a signature that identifies the file type
Text-based formats tend to have readable signatures ("%PDF-", "<?xml")
Binary formats have binary signatures (FF D8 FF for JPEG, "MZ" for Windows executables)
But these are rules of thumb, not rules the file system enforces: nothing stops an attacker from forging a signature or prepending one to a different file
The signature (and, for many formats, a trailer) is the starting point for data carving utilities, which recover files from unallocated space without any file system metadata
Magic Numbers
"Magic number" is the Unix/Linux name for the same header signature
The file command compares a file's leading bytes against its magic database (libmagic) instead of trusting the extension
Magic numbers are visible in a hex or disk editor; some read as ASCII ("%PDF-", "MZ"), others only make sense as hex (89 50 4E 47 for PNG)
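The three slides above (extension versus header, magic bytes, trailers as carving anchors) in working code. This is an added example written for this page, not code from the original slides: the signature table and extension map are small assumptions made for the example, libmagic and real carvers know thousands of formats, and the sample "disk image" is constructed in memory.

```python
import io
import struct
import zipfile

# Header and trailer bytes for a few common formats.  This table is an assumption made
# for the example; libmagic and commercial carvers carry thousands of entries.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),  # IEND chunk name + its fixed CRC
    "jpeg": (b"\xff\xd8\xff",      b"\xff\xd9"),
    "pdf":  (b"%PDF-",             b"%%EOF"),
    "zip":  (b"PK\x03\x04",        b"PK\x05\x06"),             # end-of-central-directory record
    "elf":  (b"\x7fELF",           None),                      # no trailer: size comes from headers
    "mz":   (b"MZ",                None),                      # DOS stub; a PE also needs "PE\0\0"
}

# Extensions that legitimately carry each type (also an assumption for the example).
EXTENSIONS = {
    "png": {"png"}, "jpeg": {"jpg", "jpeg"}, "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "elf": {"", "so", "elf"}, "pe": {"exe", "dll", "sys", "scr"}, "mz": {"exe", "com"},
}


def identify(data):
    """Name the type claimed by the leading magic bytes, or None if nothing matches."""
    for kind, (head, _) in SIGNATURES.items():
        if not data.startswith(head):
            continue
        if kind == "mz" and len(data) >= 0x40:
            # A PE file is an MZ stub whose e_lfanew field (offset 0x3c) points at "PE\0\0".
            pe_off = struct.unpack_from("<I", data, 0x3c)[0]
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "pe"
        return kind
    return None


def extension_mismatch(filename, data):
    """True when the extension claims a type that the magic bytes contradict."""
    detected = identify(data)
    if detected is None:
        return False                      # unknown signature: nothing to contradict
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext not in EXTENSIONS.get(detected, set())


def carve(blob):
    """Scan raw bytes for known headers and cut each file out at its trailer.

    Returns (type, start, end) tuples sorted by offset.  A trailer can also occur inside
    a file (a JPEG thumbnail embedded in a JPEG), so real carvers validate the structure too.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        if tail is None:
            continue                      # header-only types need format-specific size logic
        pos = 0
        while (start := blob.find(head, pos)) != -1:
            tail_at = blob.find(tail, start + len(head))
            if tail_at == -1:
                break
            end = tail_at + len(tail)
            if kind == "zip":
                # EOCD is 22 bytes plus an optional comment whose length sits at EOCD+20.
                if tail_at + 22 > len(blob):
                    break
                end = tail_at + 22 + struct.unpack_from("<H", blob, tail_at + 20)[0]
            found.append((kind, start, end))
            pos = end
    return sorted(found, key=lambda f: f[1])


def build_sample_image():
    """Constructed disk-image fragment: zero fill, a minimal PNG, a JPEG stub and a real ZIP.

    The PNG and JPEG are header+trailer shells (enough for carving, not viewable images);
    the ZIP is genuine and is exactly what a .docx is underneath its extension.
    """
    png = SIGNATURES["png"][0] + bytes(4) + SIGNATURES["png"][1]
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16) + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    docx = buf.getvalue()
    junk = bytes(64)
    parts = {"png": png, "jpeg": jpeg, "zip": docx}
    return junk + png + junk + jpeg + junk + docx + junk, parts


if __name__ == "__main__":
    blob, _ = build_sample_image()
    for kind, start, end in carve(blob):
        print(f"{kind:5} {start:6} {end:6}  mismatch if named invoice.pdf: "
              f"{extension_mismatch('invoice.pdf', blob[start:end])}")
```

Run it and the carver reports the three files in offset order; renaming the ZIP to invoice.pdf is flagged while report.docx is not, which is the whole point of checking bytes instead of names.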
Types of Metadata
File system metadata
Substantive metadata
Embedded metadata
External metadata
File System Metadata
Records where the file's data lives on disk (on NTFS, the cluster runs held in the MFT record's $DATA attribute)
Provides identifying information for each file (name, size, attributes)
The OS stores each file's security descriptor (owner and ACL) as metadata and enforces permissions from it
Modified/Accessed/Created (MAC) timestamps are maintained by the file system; NTFS adds a fourth (MFT-entry modified) and keeps a second copy of all four in the $FILE_NAME attribute
MAC Data
Is not always an accurate measure
Create dates only show when the file appeared on this file system, not when it was originally authored
Copying a file gives the copy a new creation time while the modified time is carried over, so a file can legitimately appear to have been modified before it was created
Timestomping utilities (even a one-line PowerShell assignment to a file's CreationTime property) rewrite the $STANDARD_INFORMATION timestamps; those APIs do not touch the copies in $FILE_NAME, so a mismatch between the two sets is a classic indicator
Any change to the file's content resets the modify date
Historically almost any action updated the access date, but NTFS has disabled last-access updates by default since Windows Vista, so an old access time proves little
Embedded and Substantive Metadata
Applications generate metadata for the files they create and modify (author, company, revision count, total editing time)
Many applications allow users to input custom metadata
Embedded/substantive metadata carries its own timestamps (a Word document's created and last-saved times travel with the file), and these often disagree with the file system's MAC data, which is itself useful evidence
Not all of this information is shown in the application's own interface; tools such as exiftool expose the full set
Temporary Files
Most applications use temporary files
Auto-save functions keep one or more copies
Undo or scratch files can keep several copies
Print spooler files keep the rendered data used to print a file
Auto-save or scratch files that an application deletes when it closes are recoverable from unallocated space as long as they have not been overwritten
Data Hiding
The Registry
Document metadata
Bad clusters
Alternate data streams
Unallocated space
The Registry
Several registry value types (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, REG_BINARY) hold arbitrary strings or bytes
A value name alone may be up to 16,383 characters, and value data can be far larger (Microsoft documents a 1 MB limit per value in the standard hive format)
16,383 characters is about 6.5 pages of unformatted text
Multiple values can be chained to hold a single file, so look for runs of oversized or high-entropy values under innocuous keys
Document Metadata
Many applications (iTunes tags, Microsoft Word document properties) accept free-form strings in their metadata fields
Several pages of text can be stored in the "Comments" field of Microsoft Word; in a .docx it lives in docProps/core.xml inside the ZIP container and is never rendered on the page
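Detection logic for the two hiding places above, as an added example rather than code from the original slides: a .reg export is scanned for values that are too large or too high-entropy to be ordinary configuration, and a .docx's docProps/core.xml is checked for oversized properties (Word's Comments box is the dc:description element). The registry export and the .docx are constructed inline and labelled as such; the size and entropy thresholds are assumptions to be tuned against a known-good baseline.

```python
import io
import math
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from xml.sax.saxutils import escape

# Constructed .reg export: one benign setting, a continued hex value, a few pages of text
# hidden in a string value, and 256 bytes of high-entropy data hidden in a binary value.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleApp]",
    '"Theme"="dark"',
    '"Blob"=hex:41,42,\\',
    "  43,44",
    '"Notes"="' + "The quick brown fox jumps over the lazy dog. " * 60 + '"',
    '"Cache"=hex:' + ",".join(f"{b:02x}" for b in range(256)),
])


def shannon_entropy(data):
    """Bits per byte: English text is roughly 4 to 4.5, base64 near 6, packed or encrypted data near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_reg_export(text):
    """Yield (key, value_name, data_bytes) for string and hex values in a .reg export."""
    key, lines = None, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and "=" in line:
            name, _, rhs = line.partition("=")
            while rhs.endswith("\\"):                  # hex data continues on the next line
                rhs = rhs[:-1] + next(lines).strip()
            if rhs.startswith('"'):
                data = rhs.strip('"').encode("utf-8")
            elif rhs.startswith("hex"):
                data = bytes.fromhex(rhs.split(":", 1)[1].replace(",", ""))
            else:
                continue                              # dword: and friends are too small to hide much
            yield key, name.strip('"'), data


def suspicious_values(text, min_bytes=2048, entropy_floor=5.5):
    """Flag values too large for ordinary configuration or that look like an encoded payload.
    The thresholds are assumptions for this example; tune them against a known-good baseline."""
    hits = []
    for key, name, data in parse_reg_export(text):
        reasons = []
        if len(data) >= min_bytes:
            reasons.append(f"{len(data)} bytes")
        if len(data) >= 64 and shannon_entropy(data) >= entropy_floor:
            reasons.append("high entropy")
        if reasons:
            hits.append((f"{key}\\{name}", reasons))
    return hits


def build_sample_docx(comment):
    """Constructed minimal .docx whose core properties carry `comment` in Word's Comments field."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
            ' xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:title>Quarterly report</dc:title><dc:creator>analyst</dc:creator>'
            f'<dc:description>{escape(comment)}</dc:description></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")           # placeholders: not a valid Word file
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def docx_core_properties(docx_bytes):
    """Return {property: text} from docProps/core.xml; dc:description is the Comments box."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {el.tag.split("}", 1)[-1]: (el.text or "") for el in root}


def oversized_properties(props, max_chars=1024):
    """Metadata fields long enough to be hiding a document rather than describing one."""
    return {k: len(v) for k, v in props.items() if len(v) > max_chars}
```

On a real case the .reg text comes from reg export or from a hive parser, and the same size-plus-entropy test applies unchanged; base64-encoded payloads in REG_SZ values land around 6 bits per byte, which is why the entropy floor sits below that and well above plain prose.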
Bad Clusters
NTFS records clusters marked as bad in the $BadClus metafile so that nothing else allocates them
Modern drives remap failing sectors in firmware before the file system ever sees them, so a volume with entries in $BadClus is unusual: examine those clusters, because marking good clusters as bad is a way to hide data
Alternate Data Streams
An alternate data stream is an extra named $DATA attribute on an ordinary NTFS file, created with the colon syntax (for example type payload.exe > host.txt:hidden); the host file's size and content appear unchanged in Explorer and in a plain dir listing
dir /r, the Sysinternals Streams utility (streams.exe, with -s to walk a whole directory tree) and PowerShell's Get-Item -Stream * enumerate streams; they are dropped when the file is copied to FAT/exFAT or sent over most protocols
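One parser that serves the MFT Attributes, MAC Data and Alternate Data Streams slides above, as an added example rather than code from the original: it builds a constructed 1024-byte MFT record, applies the fixup array, walks the resident attributes, converts the FILETIME stamps, lists every named $DATA attribute (those are the streams) and applies two timestomping heuristics, a $STANDARD_INFORMATION time sitting on an exact second boundary and a creation time earlier than the one kept in $FILE_NAME. The record number, file name, stream contents and timestamps are assumptions made for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

TS_NAMES = ("created", "modified", "mft_modified", "accessed")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)            # FILETIME: 100 ns ticks since here
REAL_TIME = datetime(2023, 6, 1, 12, 34, 56, 789012, tzinfo=timezone.utc)   # assumed genuine stamp
FAKE_TIME = datetime(2015, 1, 1, tzinfo=timezone.utc)        # assumed backdated, exact-second stamp


def dt_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def _attr(type_id, content, attr_id, name=""):
    """Resident attribute: 24-byte header, optional UTF-16 name, content; everything 8-aligned."""
    name_u = name.encode("utf-16-le")
    coff = 24 + len(name_u) + (-(24 + len(name_u))) % 8
    length = coff + len(content) + (-(coff + len(content))) % 8
    hdr = struct.pack("<IIBBHHHIHBB", type_id, length, 0, len(name), 24, 0, attr_id,
                      len(content), coff, 0, 0)
    return hdr + name_u + bytes(coff - 24 - len(name_u)) + content + bytes(length - coff - len(content))


def build_record(name, si_times, fn_times, streams, in_use=True):
    """Constructed 1024-byte MFT record: $STANDARD_INFORMATION, $FILE_NAME and one resident
    $DATA attribute per entry of streams ('' is the main stream, any other key is an ADS)."""
    si = struct.pack("<4QI", *si_times, 0x20) + bytes(36)            # FILE_ATTRIBUTE_ARCHIVE, rest zero
    fn = struct.pack("<Q4QQQIIBB", (5 << 48) | 5, *fn_times, 0, 0, 0x20, 0, len(name), 1)  # parent: root (entry 5)
    body = _attr(0x10, si, 0) + _attr(0x30, fn + name.encode("utf-16-le"), 1)
    for i, (sname, data) in enumerate(streams.items(), start=2):
        body += _attr(0x80, data, i, sname)
    body += b"\xff\xff\xff\xff" + bytes(4)                            # end-of-attributes marker
    rec = bytearray(1024)
    rec[:48] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, int(in_use),
                           56 + len(body), 1024, 0, 2 + len(streams), 0, 42)
    rec[56:56 + len(body)] = body
    # Fixups: the last two bytes of each 512-byte sector are replaced by the update sequence
    # number; the originals are parked at offset 48 so a torn write is detected on read.
    usn = b"\x07\x00"
    rec[48:50] = usn
    for s in (1, 2):
        rec[48 + 2 * s:50 + 2 * s] = rec[512 * s - 2:512 * s]
        rec[512 * s - 2:512 * s] = usn
    return bytes(rec)


def apply_fixups(rec):
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for s in range(1, usa_cnt):
        if rec[512 * s - 2:512 * s] != usn:
            raise ValueError("fixup mismatch: record is torn or corrupt")
        rec[512 * s - 2:512 * s] = rec[usa_off + 2 * s:usa_off + 2 * s + 2]
    return bytes(rec)


def parse_record(rec):
    """Walk the attributes of one record (non-resident $DATA is noted, its runs are not read)."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    first_attr, flags = struct.unpack_from("<HH", rec, 20)
    info = {"in_use": bool(flags & 1), "streams": []}      # a deleted file keeps everything below
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        nonres, nlen, noff = struct.unpack_from("<BBH", rec, off + 8)
        aname = rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
        if nonres and atype == 0x80:
            info["streams"].append((aname, None))           # size lives in the non-resident header
        elif not nonres:
            csize, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + csize]
            if atype == 0x10:
                info["si"] = dict(zip(TS_NAMES, struct.unpack_from("<4Q", body, 0)))
            elif atype == 0x30:
                info["fn"] = dict(zip(TS_NAMES, struct.unpack_from("<4Q", body, 8)))
                info["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
            elif atype == 0x80:
                info["streams"].append((aname, csize))
        off += alen
    return info


def alternate_streams(info):
    """Every named $DATA attribute is an ADS; the unnamed one is the file's visible content."""
    return [n for n, _ in info["streams"] if n]


def timestomp_indicators(info):
    """Heuristics for $STANDARD_INFORMATION stamps rewritten through the file-time API."""
    si, fn = info["si"], info["fn"]
    hits = [f"SI {k} sits on an exact second (API-set times usually do, real ones rarely)"
            for k in TS_NAMES if si[k] % 10_000_000 == 0]
    if si["created"] < fn["created"]:
        hits.append("SI created precedes FN created: backdated")
    return hits


def demo():
    """Record for report.docx with a backdated SI creation time and two alternate streams."""
    real, fake = dt_to_filetime(REAL_TIME), dt_to_filetime(FAKE_TIME)
    streams = {"": b"PK\x03\x04", "Zone.Identifier": b"[ZoneTransfer]\r\nZoneId=3\r\n",
               "payload": b"MZ\x90\x00"}                            # last one is the hidden ADS
    info = parse_record(build_record("report.docx", (fake, real, real, real), (real,) * 4, streams))
    return info, alternate_streams(info), timestomp_indicators(info)
```

Against a real image the same walker runs over each 1024-byte entry of $MFT; Zone.Identifier is the one stream you will see on almost every downloaded file, so the finding is the unexpected name next to it, and the timestamp rules are indicators to be confirmed against $UsnJrnl and $LogFile, not proof on their own.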
Unallocated Space
Utilities such as Slacker hide data in slack and unallocated space, assembling a hidden volume in which data can be stored
The hidden data still occupies clusters inside the volume
A volume where the space used by files and the reported free space do not add up to the volume size is suspect