Digital Evidence and Computer Crime, Second Edition
12.4 File System Traces
When files on HFS are moved or copied, their date-time stamps are not updated - as far as the system is concerned, only the contents of the parent directories have changed. A summary of common actions and the associated date-time stamp changes on MacOS 9 is provided in Table 12.1.
ACTION | LAST MODIFIED DATE-TIME | LAST ACCESSED DATE-TIME | CREATED DATE-TIME |
---|---|---|---|
Moving files | Unchanged | N/A | Unchanged |
Copying files | Unchanged | N/A | Unchanged |
Parent directories | Updated | N/A | Unchanged |
Macintosh reduces the chances of accidental data loss by maintaining redundant information in the catalog about files and using the Trash folder. The main volume on a Macintosh system has a folder named "Trash" where deleted files are stored in case the user later decides he/she needs the data. All other volumes have folders named ".Trashes" for the same purpose.
Macintosh systems maintain a list of recently accessed applications and files to provide users with easy access to commonly used items. For instance, as the names suggest, the "System Folder:Apple Menu Items:Recent Applications" and "System Folder:Apple Menu Items:Recent Documents" folders list recently accessed applications and files.
Name | File Created | Last Written |
---|---|---|
APPENDIX-II.doc | 01/28/03 03:22:22PM | 01/28/03 03:22:22PM |
AZ_V_BASS_2001.doc | 01/22/03 11:58:57AM | 01/22/03 11:58:57AM |
CHAPTER3-new.doc | 01/28/03 03:21:42PM | 01/28/03 03:21:42PM |
CHAPTER4.doc | 01/28/03 03:22:10PM | 01/28/03 03:22:11PM |
Chapters 1 & 2.doc | 01/28/03 03:20:54PM | 01/28/03 03:20:54PM |
notes-network.txt | 11/20/02 07:25:42PM | 11/20/02 07:25:42PM |
The Crown v Speyer | 12/09/02 10:51:29AM | 12/09/02 10:51:29AM |
The associated "System Folder:Preferences:Apple Menu Options Prefs" file also contains information about recently accessed files on the system, as shown here.
CASE EXAMPLE
A suspect's computer was examined but no incriminating digital evidence was found. However, entries relating to PGP in the Recent Applications folder suggested that someone may have encrypted or wiped data on the system.
On each volume of a Macintosh system, there is a database in files named "Desktop DB" and "Desktop DF". This Desktop database contains information about activities on the system including programs that were run and files and Web sites that were accessed. These database files can be viewed using a program like Desktop DB Diver. Notably, when viewing applications that were run on the system, the "creation date" in "Desktop DB" files corresponds to the creation date-time stamp of the associated executable, indicating when the application was installed on the system, not when it was first used. Also, when a Web page is saved to disk using Netscape or Internet Explorer, the URL is inserted into a "comments" field of the file. These comments are also stored in the Desktop database and can persist long after the associated file is deleted.
It is instructive to observe the simple case of file system traces on external media such as floppy diskettes and memory cards. When files are saved to an HFS-formatted floppy diskette, a Desktop Folder is created to store files that the user wants to appear on the Macintosh Desktop when the floppy is inserted into a system. A number of interesting file system traces are created when files are saved from a Macintosh to a floppy diskette or memory card (e.g. from a digital camera) formatted using FAT. In addition to a folder named "resource.frk" that contains the resource forks of files saved from HFS, Apple's PC Exchange program creates two files named "finder.dat" and "fileid.dat". The following listing shows the Sleuth Kit being used to examine a floppy diskette that was formatted with FAT and used to store files from a Macintosh. Note that the last accessed times of the files copied from a Macintosh onto a FAT formatted disk are meaningless since HFS does not maintain access times.
```
examiner1% dd if=/dev/disk3 | md5
2880+0 records in
2880+0 records out
X bytes transferred in Y secs (Z bytes/sec)
d14cbf5e5dccbbbace817409b494c602
examiner1% dd if=/dev/disk3 of=fat-mac-floppy.dd
2880+0 records in
2880+0 records out
X bytes transferred in Y secs (Z bytes/sec)
examiner1% fls -l -f fat12 /morgue/fat-mac-floppy.dd
<note added by author:            last written                created                   size>
r/r 3:      pubring.pkr           1999.01.05 12:32:14 (EST)   1999.01.05 11:11:06 (EST)   1146
r/r 4:      secring.skr           1999.01.05 12:32:14 (EST)   1999.01.05 11:11:12 (EST)   1099
r/r 5:      FINDER.DAT            1999.01.28 22:15:30 (EST)   1999.01.28 21:57:36 (EST)   1628
r/r 6:      Desktop               1999.01.28 19:57:42 (EST)   1999.01.28 21:57:42 (EST)      0
r/r 7:      FILEID.DAT            1999.01.28 20:42:02 (EST)   1999.01.28 21:57:42 (EST)    704
r/r 8:      NAV QuickScan         1999.03.18 19:51:52 (EST)   1999.01.28 21:57:36 (EST)    582
d/d 20:     RESOURCE.FRK          1999.01.28 21:57:42 (EST)   1999.01.28 21:57:42 (EST)    512
d/d * 25:   Desktop Folder        1999.04.03 23:15:08 (EST)   1999.04.03 23:15:08 (EST)      0
d/d * 27:   Trash                 1999.04.03 23:15:10 (EST)   1999.04.03 23:15:10 (EST)      0
d/d * 34:   Temporary Items       1999.04.03 23:15:10 (EST)   1999.04.03 23:15:10 (EST)      0
r/r 37:     OpenFolderListDF_     1999.01.28 22:15:30 (EST)   1999.01.28 22:15:30 (EST)      0
```
The "finder.dat" file contains information that Macintosh systems use to organize the files on screen, and the "fileid.dat" file contains long file names. Interestingly, the segment of the "finder.dat" file shown here contains date-time stamps (in bold in the printed edition) for files on the disk, as well as some date-time stamps from 1 year prior (April 10, 1998 and June 1, 1998).
```
examiner1% task/bin/icat -f fat12 /morgue/fat-mac-floppy.dd 5 | xxd
<cut for brevity>
0000250: 4944 454e 5449 5459 2020 2084 0b53 4543  IDENTITY   ..SEC
0000260: 5249 4e47 2e53 4b52 0000 0793 b154 0793  RING.SKR.....T..
0000270: b198 0084 4c30 5345 4352 494e 5445 5854  ....L0SECRINTEXT
0000280: 646f 7361 0100 0000 0081 0000 0000 0000  dosa............
0000290: 0000 0000 0000 0000 0000 0002 b2b7 a3d0  ................
00002a0: b2b7 b6ce 0000 0000 7fff fff0 5345 4352  ............SECR
00002b0: 494e 4720 534b 5284 0b50 5542 5249 4e47  ING SKR..PUBRING
00002c0: 2e50 4b52 0000 0793 b154 0793 b198 0084  .PKR.....T......
00002d0: 4c30 5055 4252 494e 5445 5854 646f 7361  L0PUBRINTEXTdosa
00002e0: 0100 0000 0001 0000 0000 0000 0000 0000  ................
00002f0: 0000 0000 0000 0002 b2b7 a3ca b2b7 b6ce  ................
0000300: 0000 0000 7fff ffef 5055 4252 494e 4720  ........PUBRING 
0000310: 504b 5284 114e 4156 2051 7569 636b 5363  PKR..NAV QuickSc
<cut for brevity>
```
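To show how the stamps in that "finder.dat" segment line up with the fls listing, here is an added example (not from the book) that decodes the two complete records visible in the dump. It assumes, from inspection of this dump alone, that the 32-bit big-endian values are HFS date-time stamps (seconds since midnight, 1 January 1904, in local time) and that records lie 92 bytes apart with the name, type/creator and stamps at the offsets noted in the comments; the record layout is not taken from Apple documentation.

```python
import struct
from datetime import datetime, timedelta

# HFS stamps: unsigned 32-bit seconds since midnight, 1 Jan 1904, local time.
HFS_EPOCH = datetime(1904, 1, 1)

def hfs_to_datetime(stamp: int) -> datetime:
    """Convert one HFS stamp to a naive local-time datetime."""
    return HFS_EPOCH + timedelta(seconds=stamp)

# Bytes 0x250-0x31f of finder.dat, transcribed from the xxd listing above.
FINDER_DAT_SEGMENT = bytes.fromhex(
    "4944454e54495459202020840b534543"  # 0x250
    "52494e472e534b5200000793b1540793"  # 0x260
    "b19800844c3053454352494e54455854"  # 0x270
    "646f7361010000000081000000000000"  # 0x280
    "000000000000000000000002b2b7a3d0"  # 0x290
    "b2b7b6ce000000007ffffff053454352"  # 0x2a0
    "494e4720534b52840b50554252494e47"  # 0x2b0
    "2e504b5200000793b1540793b1980084"  # 0x2c0
    "4c3050554252494e54455854646f7361"  # 0x2d0
    "01000000000100000000000000000000"  # 0x2e0
    "0000000000000002b2b7a3cab2b7b6ce"  # 0x2f0
    "000000007fffffef50554252494e4720"  # 0x300
    "504b5284114e415620517569636b5363"  # 0x310
)

# Record layout inferred from this dump only (an assumption, not Apple's spec):
# 92-byte records starting with a 0x84 byte, then a Pascal-style name
# (length byte + text), file type/creator at +0x21/+0x25, and big-endian
# HFS stamps at +0x41 (created) and +0x45 (last modified).
RECORD_LEN = 92
FIRST_RECORD = 0x25B - 0x250  # offset of the first 0x84 byte within the segment

def parse_records(buf: bytes, first: int = FIRST_RECORD) -> list:
    """Return (name, type, creator, created, modified) per complete record."""
    records = []
    pos = first
    while pos + RECORD_LEN <= len(buf):
        rec = buf[pos:pos + RECORD_LEN]
        name = rec[2:2 + rec[1]].decode("mac_roman")
        ftype, creator = rec[0x21:0x25].decode("mac_roman"), rec[0x25:0x29].decode("mac_roman")
        created, modified = struct.unpack(">II", rec[0x41:0x49])
        records.append((name, ftype, creator, hfs_to_datetime(created), hfs_to_datetime(modified)))
        pos += RECORD_LEN
    return records

for rec in parse_records(FINDER_DAT_SEGMENT):  # compare with the fls "created"/"last written" columns
    print("%-12s %s/%s  created %s  modified %s" % rec)
```

The decoded values (11:11:12 and 12:32:14 for secring.skr, 11:11:06 and 12:32:14 for pubring.pkr) match the created and last-written columns of the fls output, which is how an examiner can confirm that the stamps in finder.dat are HFS times rather than FAT times.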
These "finder.dat" files may contain names and date-time stamps of files deleted from the diskette using a non-Macintosh system that does not update these files. Also, keep in mind that the date-time stamps on the files in "resource.frk" may not be identical to those of the corresponding data fork if changes were made to the data using Windows.