![6
ろ 覦讌
蟇危, 誤碁 覿 豐 : 讀蟇 讌螻殊 蠍磯
覦 覃覈襴 ろ
讀蟇磯殊 覦覺襦 伎(覦覺危+ )
襦襷ろ
ろ 企語 (覲旧) : 覲願, 覿 -> 覓願屋 讌
朱 []
. IntroForensic](https://image.slidesharecdn.com/sssconforensicpt-170502094954/85/Ssscon-forensic-pt-6-320.jpg)
Ssscon forensic pt
- 1. File system Forensic File Recovery れ dnjy2002@naver.com 2017.05
- 2. I. Intro II. Disk Structure III. File System IV. Forensic Tool V. File Recovery
- 3. 3 螳瑚? Why? . Intro 讌 ル化 覦一 覲伎 蟯
- 4. 4 企? 豢豌: れ企 讌覦炎骸 螳 讌瑚鍵蠍磯ゼ 襷り豌企 覦 蟯螻襯 蠏覈螻 讀覈 蠍 谿 覦覯 覯譯 れ 蠏覈蠍 螳譬 讀蟇 襯 螻狩朱 覿 貉危 覯, 覯螻狩 覯 讀蟇磯朱 豢 襦 朱 谿 . IntroForensic
- 5. Forensic 5 覿襯 讌 る 蠍郁 蟆曙旭(企) 轟, 企狩 伎 蟆曙旭 螻狩, 伎ル 襭 覿 覦 覲糾規 蟆谿 蟆谿一沖 讌誤狩, ろ覿, DB覿, 覈覦朱 , 牛/螻譬 覿,蟲′郁規, 企 蟲覦覿 蟲磯伎, 蠍磯伎, 蟲覦覿譟一覲碁, ♀軌 覓 蟲 覯襯 蟯 覯覓 覯 蟾れ, 覲給襭, 覩狩, 螳, る 讌語蟇 覿 覓企ゼ 蟇磯 IT 蟇願骸 蟯 覲語襯 覲伎^ 覓. 螻 蟯 襭 覲伎 豌襴, 貉ろ, 企れ擦覯 襴 覓 螻 蟯 螻 覯 讌 襦危, EY , 殊 PwC, 殊 KPMG 蠍壱 蟲 -豌, 蟲語沖, 蠍糾, 螻旧蟇磯 , 覦″旧, 蟇郁襴, 蟲 襷 蟯 讌 豢豌: http://forensic-proof.com . Intro
- 6. 6 ろ 覦讌 蟇危, 誤碁 覿 豐 : 讀蟇 讌螻殊 蠍磯 覦 覃覈襴 ろ 讀蟇磯殊 覦覺襦 伎(覦覺危+ ) 襦襷ろ ろ 企語 (覲旧) : 覲願, 覿 -> 覓願屋 讌 朱 [] . IntroForensic
- 7. File System 7 豢豌: る葦螻 ろ企? 襷れ牡 OS ろ ろ レ Windows FAT12, FAT16, FAT32, exFAT, NTFS Linux Ext2, Ext3, Ext4 Unix-like UFS OS2 HPFS MAC OS HFS, HFS+ Solaris ZFS ろ 譬襯 ろ 螳 一危磯ゼ 螻殊朱 蟯襴蠍 殊 豌願朱 蠍磯 覦 手骸 磯Μ襯 螻豸糾規譟磯 覃貉る讀 貉危一 殊企 襭襯 所 覦蟆, 蠏狩 蟆 覲願企 譟 讌 豌伎 . Intro
- 8. 8 Hard Disk ろ 蟲譟 . Disk Structure 貉るロ : 螻糾 る : 一危磯ゼ 郁碓 曙, x2 螳(覃) 一危 貉るロ :ろ 貉危一伎 一危磯ゼ ″伎朱 : れ襦 一危郁 ル 螻, 1 伎朱 蟲 ろ 覈: 磯ゼ 襴 ′危 : る襯 一危郁 豺襦 讌
- 9. 9 企語 豢豌: 覲糾規覦 觚襦蠏 蟲譟 . Disk Structure 碁: 麹 覈, 豌 麹(Sector): 覓朱Μ 豕(512byte=1sector) 企ろ: 麹磯襯 覓苦 一危 豢 . 蠍磯蓋 4,096byte (=8 sector) Hard Disk
- 10. 10 ろ 豢 蟲譟 File System : 殊ろ 蠍磯蓋 伎豌伎螳 螳 殊 蠍 ル 豺襦 蠏狩 企 一危磯ゼ 暑襦 覃 手襴 : 殊企, 豺, 蠍, 螳 覲企 Data 燕 殊 伎 . File System
- 11. 11 Byte Order: Big-endian / Little-endian 覦危 る(Byte Order) : 一危郁 ル Big endian 殊曙 るジ讓曙朱 曙 覯る : IBM, 覈襦 Little endian るジ讓曙 殊曙朱 曙 覯る : 誤 . File SystemFile System
- 12. 12 譯殊 讌 覦 File System . File System - CHS - ろ 覓朱Μ 蟲譟 蠍磯 - 讌 - LBA - 覓朱Μ 蟲譟 覲 覿 - 麹 襦 ろ 襷讌襷蟾讌 谿襦襦 譯殊 讌 - 螻 ろ 讌
- 13. 13 MBR 蟲譟 Master Boot Record : 螳 一 BR 蟯襴 MBR 覿 Boot Code + 一 覲企ゼ 螳螻. Boot Code : 覿蟯 貊 , 446byte蠍 Partition Table: れ 一 覲,64byte Signature : 2 byte 512byte襦 企伎 3螳讌襦 . File System . File System
- 14. 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0x09 0xA 0xB 0xC 0xD 0xE 0xF 0x00 Boot Code 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xA0 0xB0 0xC0 0xD0 0xE0 0xF0 0x100 0x110 0x120 0x130 0x140 0x150 0x160 0x170 0x180 0x190 0x1A0 Boot Code Boot Code 0x1B0 boot indicato - 00 : 覿 覿螳 - 08 : 覿 螳 0x1C0 Starting C HS Addres s 02 03 00 Partition type - 0B (FAT32) Ending CHS Address Starting LBA Address Size in Secrot 0x1D0 0x1E0 0x1F0 MBR Signature 55 AA (0x AA 55) 14 MBR 蟲譟 File System . File System
- 15. 15 FAT32 蟲譟 File System . File System
- 16. 16 FAT32 蟲譟 File System . File System Boot Sector(BR) Reserved FAT FAT Mirror Root Directory Data Area 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0x09 0xA 0xB 0xC 0xD 0xE 0xF 0x00 Jump Boot Code (EB 3C 90) OEM Name (ascii MSDOS 5.X) Byte per Sector Sector per Cluster RS(暑 麹 ) 1A 10 0x10 Number of FATs Root Directory Entry Count Total Sector Media - 0xF8 螻 FAT Size 16 Sector per Track Number of Herder Hidden Sector 0x20 Total Sector FAT Size 32 蠏瑚規螳 殊ろ 覯 Root Diretory Cluster - 02 00 00 00 0x30 FS(殊ろ) info 01 00 129覯麹一 Boot Record backup sect or 06 00 134覯 麹一 Reserved (BR覦煙覲) 0x40 Drive Num ber Boot Signa ture Volume ID Volume Lavel 0x50 Volume Lavel File System Type
- 17. 17 FAT32 蟲譟 File System . File System 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0x09 0xA 0xB 0xC 0xD 0xE 0xF 0x00 NAME - 企 襴 -0xE5襦 企 殊 伎 殊 覩 Extender - レ 殊 煙螳 5bit : 螳 6bit : 覿 5bit : 豐 0x10 殊 讌 - 7bit : - 4bit : - 5bit : Last Access date - 殊 所鍵/一 襷讌襷 讌 Fist Cluster High write time write date Fist Cluster Low File size Boot Sector(BR) Reserved FAT FAT Mirror Root Directory Data Area
- 18. 18 NTFS 蟲譟 File System . File System NTFS(New Technology File System) : , 磯Μ, 覃覲企ゼ 狩襦 蟯襴 VBR(Volume Boot Record) : 覿 麹一 覿語螳 豺, 企ろ 蠍一 磯 覲 MFT : 殊ろ 覈 朱り骸 襴 覲企ゼ . NTFS 旧!覈 , 襴 碁Μ襯 螳讌. Data : 殊 れ 伎襷
- 19. 19 VBR 蟲譟 File System . File System 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0x09 0xA 0xB 0xC 0xD 0xE 0xF 0x00 Jump Boot Code OEM ID NTFS Byte Per Sector - 02 00 : 512 Sector Per Cluster RS 0x10 Unused Media 0xF8 : 螻 Unused 0x20 Unused Total Sectors 0x30 Start Cluster for $MFT Start Cluster for $MFT Mirr 0x40 clus per Entry Unused clus Per Index Unused Volume Serial Number 0x50 Unused
- 20. 20 MFT 蟲譟 File System . File System
- 21. 21 MTF Entry 蟲譟 File System . File System MFT Entry : 殊 覃 覲(豺, 螳 覲, 蠍, 企 ) $STANDARD_INFORMATION : 殊 .蠏. 螳, 煙 覲 $FILE_NAME : 企(貊), 殊 .蠏. 螳 $DATA : 伎
- 22. 22 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0x09 0xA 0xB 0xC 0xD 0xE 0xF 0x00 Attribute Type ID 80 00 00 00: $DATA Length of Attribute N-R F LoN Offset to Name Flags Attribute ID 0x10 Start Virtual Cluster Number Of the Runlist End Virtual Cluster Number Of the Runlist 0x20 Offset to Runlist Compression Unit Size Unused Allocated Size of Attribute Content 0x30 Real Size of Attribute Content れ殊 蠍 Initialized Size of Attribute Content れ 豐蠍壱蠍 0x40 Attribute Name れ 一危 豺覲 File System . File System $Data蟲譟
- 23. Forensic Tool 23 伎 譬襯 . Forensic Tool HxD(覓企 レ ) 覦企襴 殊 Hex朱 覲伎譴. ク讌 螳ロ. る ! FTK Imager() ろ 企語 螳 覲糾規 覦 一危 讌 螳 焔
- 24. 覲糾規 れ FAT32 覲糾規 螻殊 24 . File Recovery LBA(BR) 螻 螻糾(RA) , FAT SIZE 螻 FAT1 : BR + RA FAT2 : FAT1 + FAT SIZE ROOT : FAT2 + FAT SIZE FILE SIZE 螻 れ 一危 豺 : ROOT + ((CH + CL)-2) * 8(1Clu) FILE SIZE 覲旧 覦 螳 : 2讌 > 5/6/5 bit 覿 10讌 > /覿/豐 讌 : 2讌 > 7/4/5 bit 覿 10讌 > //
- 25. 覲糾規 れ 25 . File Recovery NTFS 覲糾規 螻殊 VBA(BR) 螻 START MFT 螻 MFT : 128 + START MFT * 8(1Clu) Ex) MFT# 39 豺 : MFT豺 + MFT#(39) *2(1Entry 2麹一) れ FILE SIZE 螻 れ 一危 豺 覲 : 磯Μろ 螻 > BR+ 磯Μろ 螳 * 8 FILE SIZE 覲旧 覦
- 26. END 26 豢豌 讌 瑚 / 伎,譟一 Start UP ろ / 企 ろ語 / 豕蟆曙 蟯 觚襦蠏 http://forensicinsight.org/slides http://maj3sty.tistory.com/ http://forensic-proof.com/ 蟆 KDFS : 蟲 讌誤 DC3 :覩 蟲覦覿 壱 蠍郁 豈襴一 讌 覯語 谿場 (蟆曙) http://xcz.kr (覈覓語) Q&A 襾語 蟠蠍 蟇~ 螳 蟯, 覲伎/危 蟯 Tip 讌蠏麹 螳語 豢豌螻 Tip . 伎 ロ 譯殊語
- 27. Thank You!
Editor's Notes
- 殊 ル 麹磯襦 ロ蟆 覃 螳 る蟇碁Μ覩襦 企ゼ 願屋蠍一 蟆 企ろ