SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

FAT and FAT Directory Entries

In the previous post in this Fried FAT series, we gathered some details about an altered FAT partition on a USB key by running fsstat against it. Our goal is to return the USB key image to its unaltered state.

Let's run fls to get some information about the files on the image:

[fls output from usbkey.img]

Here we're concerned with the first three entries. We see a regular file that's been deleted, with metadata information at FAT Directory Entry 5. What do we mean by metadata information? Timestamps, file size and the addresses for the clusters that the file occupies on the disk are all
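As an added example that is not part of the SANS post, the Python below decodes a constructed 32-byte FAT short directory entry, the structure behind the "FAT Directory Entry" address that fls reports. The field layout follows the Microsoft FAT specification; the sample entry (SECRET.TXT, its timestamps, first cluster 37, 1234 bytes) is constructed for illustration and is not taken from usbkey.img.

```python
"""
Added example (not code from the SANS post): decode one 32-byte FAT
short directory entry, the structure fls points at when it reports a
file's metadata address. Name, attributes, timestamps, starting
cluster, size and the deleted marker all live in these bytes.
Layout assumed here follows the Microsoft FAT specification:
  0-10 8.3 name | 11 attr | 13 ctime tenths | 14 ctime | 16 cdate
  18 adate | 20 first cluster high (FAT32 only) | 22 wtime | 24 wdate
  26 first cluster low | 28 size
"""
import datetime
import struct

ENTRY_FMT = "<11sBBBHHHHHHHI"          # 32 bytes, little-endian
ATTRS = {0x01: "R", 0x02: "H", 0x04: "S", 0x08: "V", 0x10: "D", 0x20: "A"}


def _decode_date(d):
    """FAT date word: bits 15-9 year since 1980, 8-5 month, 4-0 day."""
    return 1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F


def _decode_time(t):
    """FAT time word: bits 15-11 hour, 10-5 minute, 4-0 seconds/2."""
    return t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2


def fat_datetime(date_word, time_word, tenths=0):
    """Combine FAT date/time words (tenths is in 10 ms units, 0-199).
    Returns None for a zeroed date or an out-of-range field, which is
    exactly what a tampered entry tends to contain."""
    if date_word == 0:
        return None
    y, mo, d = _decode_date(date_word)
    h, mi, s = _decode_time(time_word)
    try:
        return datetime.datetime(y, mo, d, h, mi, s + tenths // 100,
                                 (tenths % 100) * 10000)
    except ValueError:
        return None


def parse_entry(raw):
    """Parse one entry. None = end-of-directory marker (first byte 0x00);
    {"long_name": True} for a long-file-name fragment (attr 0x0F)."""
    if len(raw) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    (name, attr, _nt_reserved, ctenth, ctime, cdate, adate,
     clus_hi, wtime, wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
    if name[0] == 0x00:
        return None
    if attr == 0x0F:
        return {"long_name": True}
    deleted = name[0] == 0xE5            # deletion only overwrites this byte
    base = name[:8].decode("latin-1").rstrip()
    ext = name[8:].decode("latin-1").rstrip()
    if deleted:
        base = "_" + base[1:]            # the original first character is gone
    return {
        "name": base + ("." + ext if ext else ""),
        "deleted": deleted,
        "attrs": "".join(flag for bit, flag in ATTRS.items() if attr & bit),
        "created": fat_datetime(cdate, ctime, ctenth),
        "accessed": fat_datetime(adate, 0),          # date only, no time field
        "written": fat_datetime(wdate, wtime),
        "first_cluster": (clus_hi << 16) | clus_lo,  # the FAT chain starts here
        "size": size,
    }


def _fat_date(y, mo, d):
    return ((y - 1980) << 9) | (mo << 5) | d


def _fat_time(h, mi, s):
    return (h << 11) | (mi << 5) | (s // 2)


# Constructed sample entry (not taken from the post's usbkey.img):
# SECRET.TXT, archive bit set, 1234 bytes, data starting at cluster 37.
SAMPLE_LIVE = struct.pack(
    ENTRY_FMT, b"SECRET  TXT", 0x20, 0, 0,
    _fat_time(9, 30, 16), _fat_date(2009, 5, 12),    # created
    _fat_date(2009, 5, 14),                           # last accessed
    0,                                                # cluster high
    _fat_time(17, 45, 8), _fat_date(2009, 5, 13),     # last written
    37, 1234)
# The same entry after the file is deleted: only byte 0 changes to 0xE5,
# so size, timestamps and first cluster are still there for recovery.
SAMPLE_DELETED = b"\xE5" + SAMPLE_LIVE[1:]

if __name__ == "__main__":
    for label, raw in (("live", SAMPLE_LIVE), ("deleted", SAMPLE_DELETED)):
        print(label, parse_entry(raw))
```

The deleted copy still yields its size, its three timestamps and its first cluster; what deletion removes is the first name byte here and the cluster chain in the FAT, which is why the first cluster is the only data address this entry can give you.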


Fried FAT: A look into FAT file systems

Once in a while, a colleague, neighbor or friend will call me in a panic over files they have accidentally deleted from the SSD card in their daughter's camera or worse. In such cases it is often possible to carve the files out of the data layer with a tool like foremost or, in the best case, when the metadata still exists, to recover them with sorter.

But what about a case where an enterprising perpetrator with above average tech savvy has deliberately altered a partition's metadata in order to inhibit access to the data? I know it's a stretch, but let's say there's a small time drug dealer who carries operational data on a USB stick, but he's altered the metadata in such a way that recovering the files from the USB stick is non-obvious.

During SANS Security 508: Computer Forensics, Investigation and Response, such a case is presented to the


Live Investigations

Directory Link Counts and Hidden Directories

by Hal Pomeranz, Deer Run Associates

One of the things I love about teaching at SANS is that the students are smart people and come up with great ideas. Sometimes these ideas even lead to useful tools, as was the case a few years ago when we were talking about hidden directories in the Digital Forensics section of Sec506.

First, a little background information. Unix file systems keep a "link count" for every object in the file system: the number of directory entries that point to the inode associated with the object. In the case of a regular file, the link count is the number of hard links to that file.

However, Unix file systems don't let you create hard links to
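As an added example, not the tool that came out of the Sec506 discussion or any code of Hal Pomeranz's, the Python below applies the link-count idea to a constructed directory tree. It assumes the conventional rule that a directory's link count is 2 plus its number of immediate subdirectories (its own entry in the parent, its '.' entry, and one '..' entry per child), which goes one step past the background paragraph above; file systems that report 1 for directories (btrfs, merged overlayfs directories) are reported as unsupported rather than suspicious.

```python
"""
Added example (not Hal Pomeranz's tool): compare a directory's link
count with the number of subdirectories readdir() returns.

Assumed rule, which holds on ext2/3/4, XFS, UFS and tmpfs: a directory's
link count is 2 + (number of immediate subdirectories): its own entry in
the parent, its '.' entry, and one '..' entry per child. A count higher
than that means a subdirectory exists that the listing is not showing.
File systems that do not maintain directory link counts (btrfs, and
overlayfs for merged directories) report 1; the check is then
inapplicable and is reported as such, not as a finding.
"""
import os
import tempfile


def file_link_count(path):
    """Number of directory entries (hard links) that point at this inode."""
    return os.lstat(path).st_nlink


def visible_subdirs(path):
    """Immediate subdirectories as the listing shows them (symlinks excluded)."""
    with os.scandir(path) as it:
        return sorted(e.name for e in it if e.is_dir(follow_symlinks=False))


def check_directory(path):
    """Return (link_count, expected, verdict) for one directory."""
    nlink = os.lstat(path).st_nlink
    expected = 2 + len(visible_subdirs(path))
    if nlink < 2:
        verdict = "unsupported"   # this file system keeps no directory link count
    elif nlink == expected:
        verdict = "ok"
    elif nlink > expected:
        verdict = "hidden"        # more '..' links than listed children
    else:
        verdict = "inconsistent"  # fewer links than children: broken fs or a race
    return nlink, expected, verdict


def walk_and_check(root):
    """Run check_directory over a whole tree: {path: (nlink, expected, verdict)}."""
    results = {}
    for dirpath, _dirnames, _files in os.walk(root):
        results[dirpath] = check_directory(dirpath)
    return results


def demo():
    """Build a constructed tree in a temp dir and return the measurements."""
    with tempfile.TemporaryDirectory() as root:
        f = os.path.join(root, "notes.txt")
        with open(f, "w") as fh:
            fh.write("constructed sample\n")
        before = file_link_count(f)
        os.link(f, os.path.join(root, "notes-link.txt"))   # second name, same inode
        after = file_link_count(f)
        for name in ("a", "b", "c"):
            os.mkdir(os.path.join(root, name))
        return before, after, check_directory(root)


if __name__ == "__main__":
    before, after, (nlink, expected, verdict) = demo()
    print(f"file: link count {before} -> {after} after os.link()")
    print(f"dir:  link count {nlink}, expected {expected}: {verdict}")
```

On a live system a `hidden` verdict is only a lead: confirm it with a second view of the directory that does not go through the same readdir() path, such as a raw read of the directory blocks with debugfs or The Sleuth Kit, since the listing itself may be what is being lied to.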


Common Pitfalls of Forensic Processing of Blackberry Mobile Devices

by Eoghan Casey

Digital forensic investigators who are not properly trained will alter evidentiary media or will misinterpret important information, potentially damaging a case. Pitfalls that less experienced practitioners encounter when processing Blackberry devices are discussed below with guidance on how to obtain the most useful information from these devices.

We frequently encounter Blackberry devices in digital investigations that are not fully supported by commonly available forensic tools. Fortunately, a significant amount of data can be obtained using Blackberry Desktop Manager, which is freely available from the manufacturer's Web site. In fact, even when forensic tools can acquire data from a Blackberry device, it is still advisable to obtain a logical backup using Blackberry