SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

FAT Directory Entry repair

This is the third installment in a series of posts about FAT file systems. We're using the usbkey.img file that's given to students of SANS Sec. 508. The image has been altered by the suspect. Our goal is to return it to it's unaltered state.

In the second post, we gathered some information about the files on the image and using a hex editor took a look at the two metadata structures for FAT file systems, the FAT Directory Entry and the

Top 7 ways investigators catch criminals using Mobile Device Forensics

Modern day mobile devices are a double-edged sword, creating new security risks while providing valuable sources of evidence for digital forensic investigators. Their ever expanding capabilities make mobile devices more like personal computers that accompany us as we navigate the world. Digital forensic investigators can use information stored on and generated by mobile devices to reconstruct our movements, communications, and other personal details.

If you need to extract information from cell phones, smart phones, and other mobile devices, or are concerned about the security of data on such devices, here are some important things you should know.

Bypassing Security Codes: Digital forensic investigators can extract the security code from some locked mobile devices using specialized tools. The screenshot below

... Continue reading Top 7 ways investigators catch criminals using Mobile Device Forensics

FAT and FAT Directory Entries

In the previous post in this Fried FAT series, we gathered some details about an altered FAT partition on a USB key by running fsstat against it. Our goal is to return the USB key image to its unaltered state.

Let's run fls to get some information about the files on the image:fls ouput from usbkey.img

Here we're concerned with the first three entries. We see a regular file that's been deleted, with metadata information at FAT Directory Entry 5. What do we mean by metadata information? Timestamps, file size and the addresses for the clusters that the file occupies on the disk are all


Fried FAT: A look into FAT file systems

Once in a while, a colleague, neighbor or friend will call me in a panic over files they have accidentally deleted from the SSD card in their daughter's camera or worse. In such cases it's often possible to carve out files from the data layer using something like foremost or in a best case scenario, if metadata still exists, sorter can be put to good use to recover the data.

But what about a case where an enterprising perpetrator with above average tech savvy has deliberately altered a partition's metadata in order to inhibit access to the data? I know it's a stretch, but let's say there's a small time drug dealer who carries operational data on a USB stick, but he's altered the metadata in such a way that recovering the files from the USB stick is non-obvious.

During SANS Security 508: Computer Forensics, Investigation and Response, such a case is presented to the


Live Investigations