Forensic_Discovery_ch07[1]

RENMINUNIVERSITYOFCHINA系统与信息安全研究实验室1Chapter7ThePersistenceofDeletedFileInformation主讲：石文昌（博士/教授/博导）ForensicDiscovery计算机取证RENMINUNIVERSITYOFCHINA系统与信息安全研究实验室2Outline•SurvivabilityofInformationofDeletedFiles•UnderstandContentPersistenceofDeletedFiles•UnderstandMACtimePersistenceofDeletedFiles•LikelihoodofChangingInformationofDeletedFiles•ReasonsforSurvivabilityofInformationofDeletedFilesRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室3FileDeletion&InformationSurvival•Thewaysfilesaredeleted–Explicitlybyuserrequest–Implicitlyinthebackground•Temporaryfiles–Fromtexteditor,compiler,webbrowsercache,network,……•Deletedfilesmayremainintactondisk–Inunallocateddatablocks–InunallocatedfileattributeblocksRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室4DestroyingInformationisDifficult•Memorychipscanbereadevenafteramachineisturnedoff•DataonamagneticdiskcanberecoveredevenafteritisoverwrittenmultipletimesRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室5AnalogTraitsMakeInformationLasting•Analogtechnologyisusedtostoredigitalinformation–Thevalueofabitisacomplexcombinationofpaststoredvalues•SignalsfromdiskreadheadscanrevealolderdataasmodulationsontheanalogsignalRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室6MagneticTraitsMakeInformationLasting•ResidualsofoverwritteninformationmayremainonthesideofmagneticdisktracksRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室7InformationOverwritingandSurvivingExample•Differentlifeofacomputer–Firstlife:asaWindowsPC–Secondlife:asaSolarisfirewall–Thirdlife:asaLinuxsystem•Afterinstallingoneoperatingsystemoveranother–DeletedSolarisandWindowsfileswerestillclearlypresentasthecontentsofunallocateddiskblocksRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室8TestContentPersistenceofDeletedFiles(1/3)•Testenvironment:asmallserversystem–Handledabout1500emailmessagesdaily(about10Mbytesofdata)–Didlimitedamountsof–Loggedabout1.5Mbytesofdataeachday–The8.0GBfilesystemwasabout50%full–MostemailcontentandloggingwasautomaticallydeletedafterashorttimeRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室9TestContentPersistenceofDeletedFiles(2/3)•Testexperiment:–Rantestingfor20weeks–Examinedeach1KBdiskblockautomaticallyeverynight–Recorded•Ahashofcontentofeachdiskblock•Statusofeachdiskblock:allocated,unallocated,oroverheadsuchasinode(fileattribute)orbitmapblock.RENMINUNIVERSITYOFCHINA系统与信息安全研究实验室10TestContentPersistenceofDeletedFiles(3/3)Survivingfilecontent(MB)ContentpersistenceofdeletedfileTimeofdeletion(weeks)RENMINUNIVERSITYOFCHINA系统与信息安全研究实验室11Half-LifeofContentofDeletedFilefor3SystemsMachineFilesystemHalf-lifespike.porcupine.orgentiredisk35daysflying.fish.com/17daysflying.fish.com/usr19days系统与信息安全研究实验室12ImpactonMACtimewhenaFileisDeleted•Mtimedoesnotchange(Linux)orissettothetimeofdeletion(BSD,Solaris)•Atimedoesnotchange•CtimeissettothetimeofdeletionRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室13TestMACtimePersistenceofDeletedFiles(1/2)•Simulatedrootkitintrusion:–DownloadedLinuxrootkitsourcecode,lrk4.tgz–Compiledrootkitsoftware–Rantheprocedurethatinstallsthemodifiedsystemutilities–Removedtherootkitsourcecode–Therootkitgeneratedapproximately780filesanddirectoriesRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室14TestMACtimePersistenceofDeletedFiles(2/2)•Simulatedinvestigation:–DownloadedtheCoroner'sToolkitsourcecode–Unpackedthearchiveintheexactsamedirectorywheretherootkitarchivewasunpacked–CompiledtheCoroner’stoolkit–RanthetheCoroner’stoolkit–Thetoolkitgeneratedabout300filesRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室15TestResultaboutCtime•TheapproximatetimewhenfilesweredeletedSurvivingctimeofdeletedfileTime(seconds)RENMINUNIVERSITYOFCHINA系统与信息安全研究实验室16TestResultaboutAtime•Showswhendeletedfileswereaccessedtocompiletherootkitsourcecode•ManyUNIXfilesystemssettheatimeofafiletothetimewhenitiscreatedSurvivingatimeofdeletedfileTime(seconds)RENMINUNIVERSITYOFCHINA系统与信息安全研究实验室17TestResultaboutMtime•ShowsthelasttimethatfilecontentsweremodifiedbeforeitwasdeletedSurvivingmtimeofdeletedfileTime(seconds)RENMINUNIVERSITYOFCHINA系统与信息安全研究实验室18TestHowLongMACtimeofDeletedFilecanSurvive•Testenvironment:–AFreeBSDserverdoingroutinework•Sendingandreceivingemail•ProvidingnetworkservicessuchasDNS,FTPand•Maintaininglogfiles–Mailserversoftwarewasupdatedmonthly•Unpackingthesourcecode•Compilingthesourcecode•RemovingthesourcecodeRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室19TestresultofsurvivaltimespanofMACtimeofdeletedfilesRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室20TestImpactofUserActivityonMACtimesofDeletedFile•Testenvironment:–ApersonalworkstationwithRedHatLinux•Sendandreceiveemail•Surftheweb•Developsoftware•Providealimitedamountofroutine•Filesaccumulateovertimeatasteadyrate•AlargenumberoffilesaredeletedeveryfewmonthsRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室21TestresultofMACtimeofdeletedfileforapersonalworkstationRENMINUNIVERSITYOFCHINA系统与信息安全研究实验室22LikelihoodofChangingMACtimeofDeletedFiles•ItisrelativelyeasytononselectivelyoverwriteMACtimeofdeletedfilesbycreatingalargenumberofsmallfiles•ItisdifficulttochangeMACtimeofsp