Disk Forensics and File System Analysis

Disk forensics is the specialized discipline of examining digital storage media to uncover, analyze, and preserve evidence. In a world driven by data, understanding where information is stored, how it is organized, and how it can persist even after deletion is fundamental to investigating cyber incidents, corporate malfeasance, and criminal activity.

Foundational Evidence Sources and File System Basics

Before diving into tools and techniques, you must understand the landscape of a storage device. When a disk is forensically acquired, you obtain a complete bit-for-bit copy, called an image. This image contains all visible data and, critically, the areas that are not immediately accessible to the operating system. The logical structure that organizes this data is the file system. Think of a file system as a sophisticated library catalog: it tracks where files are stored on the physical platters (in HDDs) or memory cells (in SSDs), their names, sizes, dates, and permissions.

The primary evidence sources on a disk are:

• Allocated Space: Sectors actively assigned to existing files.
• Unallocated Space: Sectors not currently in use by the live file system. This space often contains "deleted" file content, fragments of old data, and temporary files.
• Slack Space: The unused area between the end of a file and the end of the last cluster or block allocated to it. File slack can contain residual data from previously deleted files.
• File System Metadata: The "catalog" information itself, which is a rich source of timestamps, ownership details, and historical logs.

A forensic examiner’s skill lies in knowing how to interpret this catalog and excavate the hidden history within these spaces. The choice of tools and methods is heavily dependent on the specific file system being analyzed.

Essential Forensic Toolkits: Autopsy and The Sleuth Kit

While many tools exist, The Sleuth Kit (TSK) and its graphical interface, Autopsy, form the backbone of many forensic investigations. These open-source tools are not magic wands; they are instruments that provide structured access to the evidence sources mentioned above.

The Sleuth Kit is a collection of command-line utilities that allow low-level interrogation of disk images and file systems. Tools like fls list files and directories (including deleted entries), icat extracts the content of a specific file by its metadata address, and mmls displays the partition layout. Using TSK directly gives you granular control and is essential for scripting and automation.

Autopsy layers a user-friendly interface and case management system on top of TSK. It automates many complex processes, such as hash filtering (to ignore known benign files), keyword searching, and web artifact parsing. Autopsy allows you to ingest a disk image and then navigate through a unified view that presents the file system timeline, unallocated space analysis, and extracted artifacts side-by-side. For a new examiner, Autopsy provides a guided workflow, but understanding the TSK commands it executes is crucial for validating results and troubleshooting.

Deep Dive into NTFS and ext4 Analysis

Modern investigations frequently encounter two dominant file systems: NTFS (Windows) and ext4 (Linux). Each has unique features that both hide and reveal evidence.

NTFS (New Technology File System) is a journaling file system rich in forensic artifacts. Key features include:

• Master File Table (MFT): The core metadata file, acting as a comprehensive database for every file and directory. Each MFT entry contains standard information like timestamps ($STANDAR{D}_{I}NFORMATION)and,crucially,amorevolatilesetthatcanchangewhenafileismoved($FILE_NAME). Discrepancies between these timestamp sets can indicate tampering.
• Alternate Data Streams (ADS): A feature that allows hidden data to be attached to a file without affecting its visible size—a classic hiding technique.
• Journal: The $LogFile records metadata transactions to ensure consistency; fragments of older file operations can sometimes be recovered here.

ext4, the default file system for most Linux distributions, also uses journaling but with a different structure. Its key forensic components are:

• Inode Table: Instead of an MFT, ext4 uses inodes to store metadata about objects. Each inode contains pointers to the data blocks where the file's content resides.
• Directory Entries: These map file names to their corresponding inode numbers. When a file is deleted in ext4, its directory entry is typically removed, but the inode and data blocks may persist until overwritten.
• Journal (jbd2): Primarily records changes to filesystem metadata, which can be parsed to understand recent system activity.

Understanding these structures allows you to manually verify tool findings and exploit system-specific features for artifact recovery.

Recovering Evidence: Deleted Files and Unallocated Space

File "deletion" is usually just a catalog update. In NTFS, deleting a file marks its MFT entry as available, but the entry and its data runs (pointers to content) often remain recoverable until overwritten. In ext4, the inode is marked free, but the pointers within it may still point to viable data blocks. This is why file carving is so powerful.

File carving is the process of searching unallocated space and slack space for file signatures or file headers (unique byte sequences like FF D8 FF E0 for JPEGs). Carvers ignore the file system's catalog; they look for the start of a file, then use its internal structure or a known size to reconstruct it. This can recover files for which no metadata remains. Advanced carving techniques handle fragmented files, which are split across non-contiguous disk sectors.

Recovering data from unallocated space often involves a combination of:

1. Using fls -d to list deleted file metadata entries that still exist.
2. Extracting these files via their inode/MFT address using icat.
3. Carving the raw unallocated space for files without metadata.
4. Performing keyword searches across all raw data areas.

Constructing Timelines and Extracting Artifacts

Raw data becomes evidence when placed in context. A forensic timeline sequences file system events (e.g., file creation, modification, access, and metadata change) to reconstruct user and system activity. You generate a timeline by aggregating timestamps from the MFT, inodes, logs, and registry (on Windows). This timeline can answer critical questions: What files were accessed before a data exfiltration? Was a USB device connected after hours?

Artifact extraction goes beyond standard files to interpret system and application-specific data. This includes:

• Prefetch files (Windows): Show when applications were executed.
• Shellbags (Windows): Reveal folder browsing history, even for attached network drives.
• Bash history (Linux): Contains commands typed into the terminal.
• Browser artifacts: Cache, downloads, history, and cookies from web browsers.

By correlating file system events with these application artifacts, you can move from seeing what data existed to understanding how and potentially why it was used.

Common Pitfalls

1. Altering the Evidence: Booting a suspect drive or mounting it read/write can irrevocably change timestamps and overwrite slack space. Correction: Always work on a verified forensic image, using write-blocking hardware when creating the image, and ensure your analysis tools operate in read-only mode.

1. Misunderstanding File System Behavior: Assuming that a file's "last modified" time is when a user saved it can be misleading. This timestamp can be updated by antivirus scans, backup utilities, or simply opening the file in certain applications. Correction: Always analyze the full set of timestamps ($STANDAR{D}_{I}NFORMATIONvs.$FILE_NAME in NTFS, crtime vs. mtime in ext4) and correlate with other artifacts to deduce human action.

1. Over-Reliance on Automated Tools: Clicking "Analyze" in Autopsy and accepting its results without validation is a recipe for error. Tools can misinterpret complex file systems or miss subtle evidence. Correction: Use automated tools for discovery and efficiency, but manually verify critical findings with command-line tools (TSK) and hex examination to understand the underlying evidence.

1. Ignoring the Volume Shadow Copy (VSS): On modern Windows systems, VSS maintains previous versions of files and folders. Failing to analyze these shadow copies means missing a historical goldmine of data that may no longer exist on the live file system. Correction: Acquire and analyze VSS snapshots as a standard part of your Windows forensic process.

Summary

• Disk forensics involves the systematic analysis of allocated space, unallocated space, slack space, and file system metadata to recover and interpret digital evidence.
• Tools like The Sleuth Kit and Autopsy provide the framework for accessing and organizing this evidence, but manual verification and understanding of underlying commands are essential.
• Key file systems like NTFS (with its MFT and Alternate Data Streams) and ext4 (with its inode table) have unique structures that dictate how evidence is stored and recovered.
• File carving and analysis of unallocated space are critical for recovering data that is no longer referenced by the active file system catalog.
• The ultimate goal is to synthesize evidence into a forensic timeline and extracted artifacts to reconstruct a clear, defensible narrative of events.