Difference between pages "File Systems" and "Global Positioning System"

From ForensicsWiki

= Conventional File Systems =

; [[Ext2]], [[Ext3]]
: Ext2, the second extended file system, was written for [[Linux]]. Ext3 adds a journal to Ext2 while keeping the on-disk format compatible, so that a volume can be brought back to a consistent state quickly after a crash instead of needing a full fsck.

; [[FAT]]
: Originally used by [[MS-DOS]]. Includes [[FAT12]] (for floppy disks), [[FAT16]] and [[FAT32]]. The variant is determined by the number of clusters on the volume, not by the type label written in the boot sector.

; [[Ffs|FFS]]
: The Berkeley '''Fast File System''', used by the BSD versions of [[UNIX]]. It replaced the original UNIX file system with cylinder groups and larger blocks for faster disk access and added [[symbolic link]]s; [[UFS]] was derived from it.

; [[HFS]]
: Used by [[Apple]] systems; it has been succeeded by [[HFS+]].

; [[JFS]]
: IBM's Journaled File System, introduced with their flavor of UNIX (AIX) and later ported to Linux.

; [[NTFS]]
: The '''New Technology File System''', introduced by [[Microsoft]] with [[Windows NT]] 3.1 and the default file system of [[Windows XP]] and later.

; [[reiserfs]]
: A journaling filesystem for Linux.

; [[Ufs|UFS]]
: The '''Unix File System''', the descendant of the BSD FFS used by Solaris and the BSDs (as UFS1 and the 64-bit UFS2).

; [[XFS]]
: [[SGI]]'s high performance journaling filesystem that originated on their [[IRIX]] (flavor of [[UNIX]]) platform. XFS supports variable block sizes, is extent based, and makes extensive use of [[Btree]]s to facilitate both performance and scalability. Support is also provided for real-time I/O.

; [[YAFFS2]]
: Yet Another Flash File System, version 2, is a log-structured file system built for raw NAND (and NOR) flash; it was used on early Android smartphones.

= Cryptographic File Systems =

'''Cryptographic file systems,''' also known as encrypted file systems, encrypt information before it is stored on the media. Some of these file systems store encrypted files directly. Others are better thought of as encrypting block devices on top of which one of the conventional file systems discussed above is created.

; [[File Vault]]
: A user interface to [[Apple]]'s encrypted disk images. Uses the ".sparseimage" extension on disk files.

; [[CFS]]
: Matt Blaze's '''Cryptographic File System''' for [[Unix]].
: [http://www.crypto.com/papers/cfskey.pdf Key Management in an Encrypting File System], Matt Blaze, USENIX Summer 1994 Technical Conference, Boston, MA, June 1994.
: [http://www.crypto.com/papers/cfs.pdf A Cryptographic File System for Unix], Matt Blaze, Proceedings of the First ACM Conference on Computer and Communications Security, Fairfax, VA, November 1993.

; [[Windows Encrypted File System |EFS]]
: EFS is the Encrypting File System, a per-file encryption feature of NTFS built into Microsoft Windows since Windows 2000.

; [[NCryptfs]]
: [http://www.fsl.cs.sunysb.edu/docs/ncryptfs/ncryptfs.pdf NCryptfs: A Secure and Convenient Cryptographic File System], Charles P. Wright, Michael C. Martino, and Erez Zadok, Stony Brook University, USENIX 2003 Annual Technical Conference.

; [[TCFS]]
: '''Transparent Cryptographic File System'''.
: http://www.tcfs.it/
: http://www.tcfs.it/docs/tcfs.ps

; [[SFS]]
: '''Secure File System'''.
: http://atrey.karlin.mff.cuni.cz/~rebel/sfs/

; [[ZFS]]
: Encryption for ZFS was developed in the OpenSolaris zfs-crypto project: http://hub.opensolaris.org/bin/view/Project+zfs-crypto/WebHome

See also [[Full Disk Encryption]], which covers disk- and appliance-based encryption operating below the file system.

= CD and DVD File Systems =

Optical media use different file systems than hard disks or flash media, primarily because most optical discs are write-once. Even rewritable discs use different file systems because of the way rewritable media is managed. So while you will not normally find NTFS or FAT32 on an optical disc, you will find the systems listed below. DVD-RAM is the exception: it is randomly writable like a hard disk, and you ''can'' create a FAT-formatted DVD-RAM.

; [[HFS]] and [[HFS+]]
: These file systems are defined by Apple and only limited support is available for them outside of the Macintosh world. They are the same on-disk formats used for hard disks on Mac OS, written to optical media unchanged.

; [[ISO 9660]]
: This is the most basic optical file system and the foundation for a number of extensions. It was standardised in 1988 as an outgrowth of the earlier HSG (High Sierra Group) definition of a file system for CDs.

; [[Joliet]]
: A Microsoft-defined extension to ISO 9660 to support Unicode and 64-character file names. It was introduced with Windows 95. It is readable on Linux and Mac OS but remains something that is used primarily in the Windows environment.

; [[Red Book]]
: The original definition of audio CDs was distributed with a red cover, hence the term "Red Book". This is not properly a file system as it does not define files, file names or any metadata. It is the definition by which music discs are created.

; [[Rock Ridge]]
: Rock Ridge is a set of extensions based on the System Use Sharing Protocol (SUSP). It is a method by which POSIX file attributes, including very long file names, can be applied to optical media. Today it is only really supported by Linux and other Unix-derived operating systems.

; [[UDF]]
: UDF is the acronym for Universal Disk Format, which was defined by the Optical Storage Technology Association as an implementable subset of ISO 13346. It is part of the definition for DVD Video and DVD Audio discs as well as being used by a number of drag-and-drop disc writing programs. It is supported for reading by Windows 98 and later versions and is supported beginning with OS 9 on the Macintosh. Both Windows Vista and Windows 7 can write discs using it as either a "mastered" format with a static, read-only file system or as a "live" file system which can be updated on both write-once and rewritable media.

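Before any of the file systems catalogued above can be parsed, an examiner has to establish which one an image actually holds, and the answer should come from on-disk signatures rather than from partition-type bytes or volume labels. The following is an added example, not code from ForensicsWiki: a signature scanner for the conventional and optical file systems listed on this page. The offsets and magic values are the documented on-disk ones (FAT and NTFS boot sector, ext superblock at byte 1024, HFS/HFS+ header at 1024, XFS at 0, JFS at 0x8000, ReiserFS at 64 KiB, UFS1/UFS2 superblocks, ISO 9660 and UDF descriptors from sector 16); the sample images used to exercise it are constructed in the code and are not real captures.

```python
"""Identify a raw volume image's file system from on-disk signatures.

Added example, not code from ForensicsWiki. Offsets and magic values are the
documented on-disk ones for the file systems catalogued on this page; the
sample images at the bottom are constructed here for the demonstration.
"""
import struct


def _u(img, fmt, off):
    """Unpack one field at off, or None if the image is too short."""
    if len(img) < off + struct.calcsize(fmt):
        return None
    return struct.unpack_from(fmt, img, off)[0]


def fat_variant(boot):
    """Classify a FAT boot sector as FAT12/FAT16/FAT32 by its cluster count.

    The variant is defined by the number of data clusters, not by the
    'FAT16   ' label at offset 54 (or 82 for FAT32), which is informational.
    """
    if len(boot) < 512 or boot[510:512] != b"\x55\xaa":
        return None
    bps, spc, reserved, nfats, root_entries, tot16 = struct.unpack_from("<HBHBHH", boot, 11)
    spf = _u(boot, "<H", 22) or _u(boot, "<I", 36)       # sectors per FAT (16- or 32-bit field)
    total = tot16 or _u(boot, "<I", 32)                  # total sectors (16- or 32-bit field)
    if not (bps and spc and nfats and spf and total):
        return None
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = total - (reserved + nfats * spf + root_sectors)
    if data_sectors <= 0:
        return None
    clusters = data_sectors // spc
    return "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"


def identify(img):
    """Return the file system name for a raw image, or 'unknown'."""
    # Optical discs: volume recognition sequence starts at sector 16 (2048-byte sectors).
    ids = {img[s * 2048 + 1:s * 2048 + 6] for s in range(16, 32)}
    if ids & {b"NSR02", b"NSR03"}:
        return "UDF"                        # may also carry an ISO 9660 bridge
    if b"CD001" in ids:
        return "ISO 9660"
    if img[0:4] == b"XFSB":
        return "XFS"
    if img[3:11] == b"NTFS    ":            # check before FAT: NTFS also has a BPB and 55AA
        return "NTFS"
    fat = fat_variant(img[:512])
    if fat:
        return fat
    if _u(img, "<H", 1024 + 56) == 0xEF53:  # ext superblock magic
        compat = _u(img, "<I", 1024 + 92) or 0
        incompat = _u(img, "<I", 1024 + 96) or 0
        if incompat & 0x0040:               # INCOMPAT_EXTENTS
            return "ext4"
        return "ext3" if compat & 0x0004 else "ext2"   # COMPAT_HAS_JOURNAL is what makes ext3
    if img[1024:1026] in (b"H+", b"HX"):
        return "HFS+"
    if img[1024:1026] == b"BD":             # plain HFS, or an HFS wrapper around HFS+
        return "HFS"
    if img[0x8000:0x8004] == b"JFS1":
        return "JFS"
    if img[65536 + 52:65536 + 58] == b"ReIsEr" or img[8192 + 52:8192 + 58] == b"ReIsEr":
        return "ReiserFS"
    if _u(img, "<I", 8192 + 1372) == 0x00011954:
        return "UFS1"
    if _u(img, "<I", 65536 + 1372) == 0x19540119:
        return "UFS2"
    return "unknown"


def make_ext_sample(kind):
    """Constructed sample: zeroed image with a minimal ext superblock at byte 1024."""
    img = bytearray(128 * 1024)
    struct.pack_into("<H", img, 1024 + 56, 0xEF53)
    struct.pack_into("<I", img, 1024 + 92, 0x0004 if kind in ("ext3", "ext4") else 0)
    struct.pack_into("<I", img, 1024 + 96, 0x0040 if kind == "ext4" else 0)
    return bytes(img)


def make_fat_sample(total_sectors, spc=1):
    """Constructed sample: FAT boot sector whose type label deliberately lies."""
    img = bytearray(128 * 1024)
    img[0:11] = b"\xeb\x3c\x90MSDOS5.0"
    tot16 = total_sectors if total_sectors < 0x10000 else 0
    struct.pack_into("<HBHBHH", img, 11, 512, spc, 1, 2, 512, tot16)
    struct.pack_into("<H", img, 22, 64)                 # 64 sectors per FAT
    struct.pack_into("<I", img, 32, 0 if tot16 else total_sectors)
    img[54:62] = b"FAT32   "                            # label says FAT32 whatever the count
    img[510:512] = b"\x55\xaa"
    return bytes(img)


def make_optical_sample(udf):
    """Constructed sample: ISO 9660 PVD at sector 16, plus a UDF VRS when asked."""
    img = bytearray(20 * 2048)
    img[16 * 2048:16 * 2048 + 6] = b"\x01CD001"
    if udf:
        for s, ident in ((17, b"BEA01"), (18, b"NSR02"), (19, b"TEA01")):
            img[s * 2048 + 1:s * 2048 + 6] = ident
    return bytes(img)
```

Run it against the first 128 KiB of a dd image (`identify(open(path, "rb").read(128 * 1024))`); the FAT samples show why the cluster count, not the label, decides the variant, and the ordering of the checks matters because NTFS boot sectors also carry a BPB and the 55AA signature.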
= Distributed File Systems =

'''Distributed file systems,''' also known as network file systems, allow any number of remote clients to access one or more servers which store the files. The client nodes do not have direct access to the underlying block storage on the servers; that storage is transparent to the clients and may include facilities for replication or fault tolerance.

; Ceph
: A distributed object store with a POSIX file system layered on top; data is striped and replicated across storage nodes.

; OracleFS

; AndrewFS
: The Andrew File System (AFS), originally from Carnegie Mellon University; clients cache whole files and authenticate with Kerberos.

; [[Hadoop Distributed File System|HDFS]]
: Hadoop's distributed file system, modelled on the Google File System: a single NameNode holds the namespace and a cluster of DataNodes store replicated blocks.

; [[Network File System|NFS]]
: Originally from Sun, it is the standard in UNIX-based networks.

= External Links =

* http://en.wikipedia.org/wiki/File_system
* http://en.wikipedia.org/wiki/List_of_file_systems
* http://en.wikipedia.org/wiki/Comparison_of_file_systems
* [http://www.springerlink.com/content/408263ql11460147/ Overwriting Hard Drive Data: The Great Wiping Controversy]

[[Category:Disk encryption]]

Revision as of 08:53, 17 October 2007

The '''Global Positioning System''' ('''GPS''') is a satellite navigation system: a receiver computes its position from timing signals broadcast by a constellation of satellites.

== Forensics ==

There are several places where GPS information can be found, and it can be very useful for forensic investigations in certain situations. GPS devices have expanded their capabilities and features as the technology has improved. Some of the most popular GPS devices today are made by [http://www.TomTom.com TomTom]. Other GPS manufacturers include [http://www.garmin.com Garmin] and [http://www.magellangps.com Magellan].

[http://www.cortextech.com/tomtom910.jpg Picture of a TomTom 910]

TomTom provides a wide range of devices for biking, hiking, and car navigation. Depending on the capabilities of the model, several different types of digital evidence can be located on these devices. For instance, the [http://www.tomtom.com/products/product.php?ID=212&Category=0&Lid=1 TomTom 910] is basically a 20GB external hard drive. This model can be docked with a personal computer via a USB cable or connected over Bluetooth. The listed features include the ability to store pictures, play MP3 music files, and connect to certain cell phones via Bluetooth. Data commonly found on cell phones can therefore also be found on the TomTom 910: over Bluetooth the TomTom can transfer the entire contact list from the paired phone, and the unit also records call logs and SMS messages. Research needs to be done to see whether the TomTom stores the actual trips conducted with the unit, which would include routes, times, and travel speeds.

The TomTom unit connects to a computer via a USB base station. An examiner should be able to acquire an image of the hard drive through a USB write blocker. If the unit does not expose the drive that way, it may be necessary to remove the hard drive from the unit and image it directly.

TomTom models such as the TomTom One Regional, TomTom Europe, Go 510, Go 710 and Go 720 store map data, favourites, and recent destinations on a removable SD card. This allows the forensic examiner to remove the SD card and image it with a write-blocked SD card reader. The most important file for the forensic examiner will be the CFG file held in the map data directory. It holds a list of all recent destinations that the user has entered into the device; the file is binary and stores the grid coordinates of those locations, so it has to be decoded rather than read as text.

Certain TomTom models (Go 510, Go 910, Go 920 etc.) allow the user to pair a mobile phone to the device so the TomTom can be used as a hands-free kit. If a phone has been paired, the TomTom stores the Bluetooth MAC address of up to five phones, erasing the oldest when a sixth is paired. Depending on the phone model paired, call lists, contacts and text messages (sent and received) may also be stored on the device.

Automated forensic analysis of TomTom GPS units is possible with software from Digivence, Forensic Analyser - TomTom Edition ([http://www.digivence.com/SCREEN%20OPTIMISED%20REPORT%20-%20Demo%2011072007%20163219.htm sample report]). Whilst not shown in the sample report, call history, contacts, text messages, Bluetooth MAC addresses, and unit info are also processed automatically if available.

=== Digital Camera Images with GPS Information ===

Some recent digital cameras have built-in GPS receivers (or accept an external GPS module). This makes it possible for the camera to record exactly where a photo was taken. The position (latitude and longitude, often also altitude and a GPS timestamp) is stored in the GPS sub-IFD of the [[Exif]] [[metadata]] header of [[JPEG]] files. Tools such as [[jhead]] can display the GPS information in the [[Exif]] headers. Two caveats apply: the GPS timestamp is UTC as received from the satellites, whereas DateTimeOriginal is whatever the camera clock was set to, so the two can be compared to check the clock; and Exif data is easily edited or stripped, so coordinates should be corroborated rather than taken as proof of where the picture was taken.
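To see what jhead is reading, the following added example (not code from ForensicsWiki or from the jhead project) walks a JPEG's Exif header by hand: it finds the APP1 segment, follows IFD0 to the GPS sub-IFD through tag 0x8825, decodes the ASCII and RATIONAL entries, and converts the degrees/minutes/seconds triples to signed decimal degrees. The sample JPEG is constructed in code with arbitrary coordinates and carries no image data; entries whose offsets point outside the header are skipped rather than trusted, since the header is attacker-controlled input.

```python
"""Pull GPS coordinates out of the Exif header of a JPEG.

Added example, not code from ForensicsWiki or from jhead: a minimal Exif
walker that follows IFD0 to the GPS sub-IFD (tag 0x8825) and converts the
degrees/minutes/seconds rationals to signed decimal degrees. The sample
JPEG is constructed in code below with arbitrary coordinates.
"""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}     # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude", 0x0003: "GPSLongitudeRef",
            0x0004: "GPSLongitude", 0x0005: "GPSAltitudeRef", 0x0006: "GPSAltitude",
            0x0007: "GPSTimeStamp", 0x001D: "GPSDateStamp"}


def find_exif(jpeg):
    """Return the TIFF blob carried in the APP1 Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                      # EOI / start of scan: no more headers
            break
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg[:6] == b"Exif\x00\x00":
            return seg[6:]
        pos += 2 + length
    return None


def read_ifd(tiff, off, endian):
    """Parse one IFD into {tag: value}, decoding by Exif type; bad offsets are skipped."""
    entries = {}
    count = struct.unpack_from(endian + "H", tiff, off)[0] if off + 2 <= len(tiff) else 0
    for i in range(count):
        e = off + 2 + 12 * i
        if e + 12 > len(tiff):
            break
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, e)
        size = TYPE_SIZE.get(typ, 0) * n
        start = e + 8 if size <= 4 else struct.unpack_from(endian + "I", tiff, e + 8)[0]
        raw = tiff[start:start + size]
        if len(raw) < size:                             # offset points outside the header
            continue
        if typ == 2:
            entries[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 5:
            nums = struct.unpack(endian + "II" * n, raw)
            entries[tag] = tuple(nums[k] / nums[k + 1] if nums[k + 1] else 0.0
                                 for k in range(0, 2 * n, 2))
        elif typ in (3, 4):
            entries[tag] = struct.unpack(endian + ("H" if typ == 3 else "I") * n, raw)
        else:
            entries[tag] = raw
    return entries


def dms_to_degrees(dms, ref):
    """(deg, min, sec) plus N/S/E/W reference -> signed decimal degrees."""
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def gps_position(jpeg):
    """Return (lat, lon, gps_fields) or None when the file carries no GPS IFD."""
    tiff = find_exif(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = read_ifd(tiff, struct.unpack_from(endian + "I", tiff, 4)[0], endian)
    if 0x8825 not in ifd0:
        return None
    fields = {GPS_TAGS.get(t, hex(t)): v for t, v in read_ifd(tiff, ifd0[0x8825][0], endian).items()}
    if "GPSLatitude" not in fields or "GPSLongitude" not in fields:
        return None
    lat = dms_to_degrees(fields["GPSLatitude"], fields.get("GPSLatitudeRef", "N"))
    lon = dms_to_degrees(fields["GPSLongitude"], fields.get("GPSLongitudeRef", "E"))
    return lat, lon, fields


def make_sample_jpeg():
    """Constructed sample: SOI + APP1 Exif segment with a GPS IFD + EOI, no image data."""
    def entry(tag, typ, n, val):                        # one 12-byte IFD entry
        return struct.pack("<HHI", tag, typ, n) + val
    def rationals(*pairs):
        return b"".join(struct.pack("<II", a, b) for a, b in pairs)
    data = 104                                          # first byte after IFD0 (8..26) and GPS IFD (26..104)
    lat = rationals((42, 1), (21, 1), (3000, 100))     # 42 deg 21' 30.00" (arbitrary)
    lon = rationals((71, 1), (3, 1), (3700, 100))      # 71 deg 03' 37.00" (arbitrary)
    time = rationals((8, 1), (53, 1), (0, 1))          # 08:53:00 UTC
    date = b"2007:10:17\x00"
    gps = (struct.pack("<H", 6)
           + entry(0x0001, 2, 2, b"N\x00\x00\x00") + entry(0x0002, 5, 3, struct.pack("<I", data))
           + entry(0x0003, 2, 2, b"W\x00\x00\x00") + entry(0x0004, 5, 3, struct.pack("<I", data + 24))
           + entry(0x0007, 5, 3, struct.pack("<I", data + 48)) + entry(0x001D, 2, 11, struct.pack("<I", data + 72))
           + struct.pack("<I", 0))
    ifd0 = struct.pack("<H", 1) + entry(0x8825, 4, 1, struct.pack("<I", 26)) + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + lat + lon + time + date
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

`gps_position(open(path, "rb").read())` returns the signed decimal position and the raw GPS fields, including GPSTimeStamp and GPSDateStamp for the clock comparison mentioned above; a file with no APP1 segment, or one whose GPS IFD offset points past the end of the header, yields None instead of an exception.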

=== Cell Phones with GPS ===

Some recent cell phones (e.g. a [http://wiki.openezx.org Motorola EZX phone] such as the Motorola A780) have a built-in GPS receiver and navigation software. This software might record the paths travelled (with date and time), which can be very useful in forensic investigations.

== External Links ==

* [http://en.wikipedia.org/wiki/Global_Positioning_System Wikipedia: GPS]
* [http://www.digivence.com Digivence: TomTom Forensic Analyser]