1. Chapter 6
Working with Windows and DOS
Systems
Guide to Computer Forensics
and Investigations
Fourth Edition
2. Objectives
• Explain the purpose and structure of file systems
• Describe Microsoft file structures
• Explain the structure of New Technology File
System (NTFS) disks
• List some options for decrypting drives encrypted
with whole disk encryption
3. Objectives (continued)
• Explain how the Windows Registry works
• Describe Microsoft startup tasks
• Describe MS-DOS startup tasks
• Explain the purpose of a virtual machine
5. Understanding File Systems
• File system
– Gives OS a road map to data on a disk
• Type of file system an OS uses determines how
data is stored on the disk
• A file system is usually directly related to an OS
• When you need to access a suspect’s computer to
acquire or inspect data
– You should be familiar with the computer’s platform
6. Understanding the Boot Sequence
• Complementary Metal Oxide Semiconductor
(CMOS)
– Computer stores system configuration and date and
time information in the CMOS
• When power to the system is off
• Basic Input/Output System (BIOS)
– Contains programs that perform input and output at
the hardware level
7. Understanding the Boot Sequence
(continued)
• Bootstrap process
– Contained in ROM, tells the computer how to
proceed
– Displays the key or keys you press to open the
CMOS setup screen
• Could be Delete, F2, F10, Ctrl+Alt+Insert, Ctrl+A,
Ctrl+S, Ctrl+F1, or something else
• CMOS should be modified to boot from forensic
media (floppy disk, CD, or USB) so the suspect's own
OS is never started and its timestamps stay untouched
9. Understanding Disk Drives
• Disk drives are made up of one or more platters
coated with magnetic material
• Disk drive components
– Geometry
– Head
– Tracks
– Cylinders
– Sectors
• Each holds 512 bytes (4096 on newer Advanced
Format drives); the drive cannot read or write
anything smaller than one sector
12. Understanding Disk Drives (continued)
• Properties handled at the drive’s hardware or
firmware level
– Zoned bit recording (ZBR)
– Track density
– Areal density
– Head and cylinder skew
13. No Need for Multi-Pass Erasure
• On older disks, the space between tracks was wider,
which allowed heads to wander
• This made it possible for specialists to retrieve data
from previous writes to a platter, even after erasure
– Using an electron microscope
• On modern high-density drives (IDE, SATA, and later)
this is no longer practical
• A single pass of zeroes erases all data on a magnetic
hard disk so it cannot be recovered by any currently
known technique (the same position NIST SP 800-88
takes for modern ATA disks)
– Caveat: this holds for magnetic platters only; on
SSDs, wear-levelling and over-provisioned flash mean
an overwrite pass does not reach every copy, so use
the drive's own ATA Secure Erase or sanitize command
15. Exploring Microsoft File Structures
• In Microsoft file structures, sectors are grouped to
form clusters
– Storage allocation units of one or more sectors
• Clusters are typically 512, 1024, 2048, 4096, or
more bytes each
• Combining sectors minimizes the overhead of
writing or reading files to a disk
16. Exploring Microsoft File Structures
(continued)
• Clusters are numbered sequentially starting at 2
– Cluster numbers 0 and 1 are reserved; the space at the
start of the volume, before cluster 2, holds the system
area: the boot record and the file structure database
(the FAT tables, or on NTFS the boot sector and MFT)
• OS assigns these cluster numbers, called logical
addresses
• Sector numbers are called physical addresses
• Clusters and their addresses are specific to a
logical disk drive, which is a disk partition
17. Disk Partitions
• A partition is a logical drive
• FAT16 does not recognize disks larger than 2 GB
– Note error on page 202 of textbook
• It's 2 GB, not 2 MB
– Large disks have to be partitioned
• Hidden partitions or voids
– Large unused gaps between partitions on a disk
• Partition gap
– Unused space between partitions
18. Disk Partitions (continued)
• Disk editor utility can alter information in partition
table
– To hide a partition
• Can examine a partition’s physical level with a disk
editor:
– HxD, Norton DiskEdit, WinHex, or Hex Workshop
• Analyze the key hexadecimal codes the OS uses to
identify and maintain the file system
19. Demo: VM with Three Partitions
• Partition Types (the type byte in each partition
table entry)
– NTFS: 07 (also used for exFAT and HPFS)
– FAT16: 06
– FAT32: 0B (0C when the entry uses LBA addressing)
20. Viewing the Partition Table HxD
• Start HxD, Extras, Open Disk, choose Physical
Disk
• Partition Table starts at 0x1BE
• Partition Type field is at offset 0x04 in each record
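The following is an added example, not part of the original slides: a parser for the MBR partition table at 0x1BE, using the type byte at offset 0x04 of each 16-byte entry as the slides describe. It also lists the unallocated sector ranges between partitions (the "partition gaps" of slide 17, where a hidden partition could sit) and flags boot-flag bytes that are neither 00 nor 80, which is the kind of hand edit a disk editor leaves behind. The sample MBR, the disk size, and the partition layout are constructed for the demonstration; the type-ID table contains the slide's three IDs plus a few standard ones for context.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE        # partition table starts here (slide 20)
ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"  # boot signature in the last two bytes of the sector

# Type IDs from slide 19 plus a few common ones from the standard MBR table
PART_TYPES = {
    0x00: "empty", 0x05: "extended (CHS)", 0x06: "FAT16", 0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
    0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> list:
    """Decode the four primary partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[SECTOR - 2:] != SIGNATURE:
        raise ValueError("missing 55 AA boot signature: not a valid MBR")
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_LEN
        # byte 0 boot flag, 1-3 CHS start, 4 type, 5-7 CHS end,
        # 8-11 LBA of first sector, 12-15 number of sectors (little-endian)
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({
            "index": i,
            "bootable": boot == 0x80,
            # anything other than 00/80 means the entry was hand-edited or is corrupt
            "flag_ok": boot in (0x00, 0x80),
            "type_id": ptype,
            "type": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": count,
            "lba_end": lba + count - 1 if count else None,
        })
    return entries


def find_gaps(entries: list, disk_sectors: int) -> list:
    """Unallocated sector ranges between partitions (slide 17) as (start, length)."""
    used = sorted((e["lba_start"], e["sectors"]) for e in entries if e["type_id"] != 0x00)
    gaps, cursor = [], 1          # sector 0 is the MBR itself
    for start, count in used:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def build_mbr(parts) -> bytes:
    """Construct a test MBR from (bootable, type_id, lba_start, sector_count) tuples."""
    sec = bytearray(SECTOR)
    for i, (bootable, ptype, start, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", sec, PT_OFFSET + i * ENTRY_LEN,
                         0x80 if bootable else 0x00, ptype, start, count)
    sec[SECTOR - 2:] = SIGNATURE
    return bytes(sec)


# Constructed sample: the three partition types of the slide-19 demo, with a
# 25,088-sector hole before the FAT32 partition and unused space at the end
SAMPLE_DISK_SECTORS = 2_097_152   # a 1 GiB disk
SAMPLE_MBR = build_mbr([
    (True,  0x07, 2_048,     1_048_576),   # NTFS, bootable
    (False, 0x06, 1_050_624, 524_288),     # FAT16
    (False, 0x0B, 1_600_000, 400_000),     # FAT32
])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        if p["type_id"]:
            print(f"#{p['index']} {'*' if p['bootable'] else ' '} {p['type_id']:02X} "
                  f"{p['type']:<14} LBA {p['lba_start']:>9} - {p['lba_end']:>9}")
    for start, length in find_gaps(parts, SAMPLE_DISK_SECTORS):
        print(f"gap: {length} unallocated sectors starting at LBA {start}")
```

To run this against a real disk, read sector 0 from a forensic image (for example the first 512 bytes of a raw dd image) and pass it to parse_mbr; the gap list is what you would then examine with HxD at the reported LBA.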
24. Partition Mark at Start of Volume
• Start HxD, Extras, Open Disk, and look at the first
sector of the volume (its boot sector)
• NTFS: the OEM ID "NTFS    " at byte offset 3
• FAT32: an OEM ID such as "MSWIN4.1" at offset 3 and
the string "FAT32   " at offset 0x52
25. BMP File in HxD
• Start HxD, File, Open
• BM at start indicates a BMP file
26. Word Doc File in HxD
• Start HxD, File, Open
• Word 97-2003 (.doc) files begin with the OLE2
compound document signature D0 CF 11 E0 A1 B1 1A E1
• .docx format is actually a Zip archive, so it begins
with PK 03 04
– See links Ch 6b, 6c
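An added example (not from the slides or the textbook) that turns the two signature checks above into code: it classifies a file by its leading bytes and, for a ZIP, opens the archive to tell a .docx from a plain .zip by the Office Open XML layout inside. The sample files are constructed in memory; the minimal BMP and the .docx skeleton are not real documents, only enough structure to carry the signatures.

```python
import io
import struct
import zipfile

BMP_MAGIC = b"BM"                                   # slide 25
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # Word/Excel/PowerPoint 97-2003
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.xlsx/.pptx and plain .zip


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, not by its name."""
    if data.startswith(BMP_MAGIC) and len(data) >= 14:
        # the 14-byte BMP header also carries the declared file size at offset 2
        declared = struct.unpack_from("<I", data, 2)[0]
        return "bmp" if declared == len(data) else "bmp (size field mismatch)"
    if data.startswith(OLE2_MAGIC):
        return "ole2 (doc/xls/ppt)"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip (damaged or truncated)"
        if "[Content_Types].xml" in names:
            if any(n.startswith("word/") for n in names):
                return "docx"
            if any(n.startswith("xl/") for n in names):
                return "xlsx"
            return "office open xml"
        return "zip"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one format but the bytes say another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = {"bmp": "bmp", "doc": "ole2", "docx": "docx", "zip": "zip"}.get(ext)
    return expected is not None and not identify(data).startswith(expected)


def make_docx_like() -> bytes:
    """Constructed .docx skeleton: a ZIP with the Office Open XML entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def make_bmp_like(width: int = 1, height: int = 1) -> bytes:
    """Constructed 24-bit BMP: 14-byte file header, 40-byte info header, pixel rows."""
    row = (width * 3 + 3) & ~3                       # rows are padded to 4 bytes
    pixels = bytes(row * height)
    size = 14 + 40 + len(pixels)
    file_hdr = struct.pack("<2sIHHI", b"BM", size, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


# Constructed samples, including a .docx renamed to .doc
SAMPLES = {
    "photo.bmp": make_bmp_like(),
    "memo.doc": OLE2_MAGIC + bytes(504),
    "report.docx": make_docx_like(),
    "report.doc": make_docx_like(),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        flag = "  <-- extension does not match content" if extension_mismatch(name, data) else ""
        print(f"{name:<12} {identify(data)}{flag}")
```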
27. Master Boot Record
• On Windows and DOS computer systems
– The first sector (LBA 0) of a boot disk holds the
Master Boot Record (MBR); it is not a file inside any
file system
• MBR holds the boot code and a four-entry partition
table giving each partition's type, location, size, and
bootable flag, followed by the 55 AA signature
• Several software products can modify the MBR,
such as PartitionMagic’s Boot Magic
28. Examining FAT Disks
• File Allocation Table (FAT)
– File structure database that Microsoft originally
designed for floppy disks
– The default Windows file system before Windows NT
and 2000
• FAT database is typically written to a disk's
outermost track; the FAT itself records which clusters
are in use and how they chain, and the directory entries
it is paired with hold:
– Filenames, directory names, date and time stamps,
the starting cluster number, and file attributes
• FAT versions
– FAT12, FAT16, FAT32, FATX (for Xbox), and VFAT
29. FAT Versions
• FAT12—for floppy disks, max size 16 MB
• FAT16—allows hard disk sizes up to 2 GB
• FAT32— allows hard disk sizes up to 2 TB
• FATX—For Xbox media
– The date stamps start at the year 2000, unlike the other FAT
formats that start at 1980
• VFAT (Virtual File Allocation Table)
– Allows long file names on Windows (MS-DOS had 8.3
limitation)
30. Examining FAT Disks (continued)
• Default cluster sizes vary according to the volume
size and file system
• The textbook's table lists the defaults for FAT16
31. Examining FAT Disks (continued)
• Microsoft OSs allocate disk space for files by
clusters
– Results in drive slack
• Unused space in a cluster between the end of an
active file and the end of the cluster
• Drive slack includes:
– RAM slack and file slack
• An unintentional side effect of FAT16 having large
clusters was that it reduced fragmentation
– As cluster size increased
33. Examining FAT Disks (continued)
• When you run out of room for an allocated cluster
– OS allocates another cluster for your file, which
creates more slack space on the disk
• As files grow and require more disk space,
assigned clusters are chained together
– The chain can be broken or fragmented
35. Examining FAT Disks (continued)
• When the OS stores data in a FAT file system, it
assigns a starting cluster position to a file
– Data for the file is written to the first sector of the first
assigned cluster
• When this first assigned cluster is filled and runs out
of room
– FAT assigns the next available cluster to the file
• If the next available cluster isn’t contiguous to the
current cluster
– File becomes fragmented
36. Deleting FAT Files
• In Microsoft OSs, when a file is deleted
– Directory entry is marked as a deleted file
• With the HEX E5 (σ) character replacing the first letter
of the filename; the rest of the name, the timestamps,
the size, and the starting cluster stay in the entry
• FAT chain for that file is set to 0 (its clusters are
marked free)
• Data in the file remains on the disk drive
• Area of the disk where the deleted file resides
becomes unallocated disk space
– Available to receive new data from newly created
files or other files needing more space
– Until that happens, the entry still points at the
first cluster, so the file can often be recovered
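An added example, not from the slides, that parses 32-byte FAT directory entries and shows what survives deletion: the deleted entry keeps its size, timestamps and starting cluster, and only the first character of the name is gone (rendered here as "?"). It also maps a cluster number to a sector using the "clusters start at 2" rule from slide 16. The directory bytes and the volume geometry (first data sector 67, 4 sectors per cluster) are constructed for the demonstration.

```python
import datetime
import struct

ENTRY_FMT = "<8s3sBBBHHHHHHHI"     # one 32-byte 8.3 directory entry
ATTR_NAMES = {0x01: "R", 0x02: "H", 0x04: "S", 0x08: "V", 0x10: "D", 0x20: "A"}
ATTR_LFN = 0x0F                    # long-file-name helper entry, not a file
DELETED = 0xE5                     # slide 36: first byte of a deleted entry
END_OF_DIR = 0x00


def fat_date(d: int):
    """FAT date word: bits 15-9 year since 1980, 8-5 month, 4-0 day."""
    try:
        return datetime.date(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F)
    except ValueError:
        return None                 # zero or corrupt field


def fat_time(t: int, tenths: int = 0):
    """FAT time word: bits 15-11 hour, 10-5 minute, 4-0 two-second count."""
    try:
        return datetime.time(t >> 11, (t >> 5) & 0x3F,
                             (t & 0x1F) * 2 + tenths // 100, (tenths % 100) * 10_000)
    except ValueError:
        return None


def parse_entry(raw: bytes):
    (name, ext, attr, _nt, ctenths, ctime, cdate, adate,
     hi, wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, raw)
    if name[0] == END_OF_DIR:
        return None
    if attr == ATTR_LFN:
        return {"lfn": True}
    deleted = name[0] == DELETED
    # only the first character is overwritten on delete; the rest survives
    first = b"?" if deleted else (b"\xE5" if name[0] == 0x05 else name[:1])
    base = (first + name[1:]).rstrip(b" ").decode("cp437")
    suffix = ext.rstrip(b" ").decode("cp437")
    return {
        "lfn": False,
        "name": f"{base}.{suffix}" if suffix else base,
        "deleted": deleted,
        "attrs": "".join(n for bit, n in ATTR_NAMES.items() if attr & bit),
        "first_cluster": (hi << 16) | lo,      # high word is used by FAT32 only
        "size": size,
        "created": (fat_date(cdate), fat_time(ctime, ctenths)),
        "accessed": fat_date(adate),
        "modified": (fat_date(wdate), fat_time(wtime)),
    }


def parse_directory(blob: bytes) -> list:
    """All 8.3 entries (live and deleted) in a directory cluster, in order."""
    out = []
    for off in range(0, len(blob) - len(blob) % 32, 32):
        e = parse_entry(blob[off:off + 32])
        if e is None:
            break
        if not e["lfn"]:
            out.append(e)
    return out


def cluster_to_sector(cluster: int, first_data_sector: int, sectors_per_cluster: int) -> int:
    """Data clusters are numbered from 2 (slide 16); 0 and 1 are reserved."""
    if cluster < 2:
        raise ValueError("cluster numbers below 2 are not data clusters")
    return first_data_sector + (cluster - 2) * sectors_per_cluster


def _fat_stamp(year, month, day, hour=0, minute=0, second=0):
    return ((year - 1980) << 9) | (month << 5) | day, (hour << 11) | (minute << 5) | (second // 2)


def make_entry(name: str, ext: str, attr: int, cluster: int, size: int, stamp) -> bytes:
    """Constructed test entry with identical creation/write stamps."""
    date, time = stamp
    return struct.pack(ENTRY_FMT, name.encode("cp437").ljust(8), ext.encode("cp437").ljust(3),
                       attr, 0, 0, time, date, date, cluster >> 16, time, date,
                       cluster & 0xFFFF, size)


# Constructed directory: a live file, a deleted SECRET.TXT, a subdirectory, end marker
SAMPLE_DIR = (
    make_entry("REPORT", "DOC", 0x20, 5, 18_432, _fat_stamp(2009, 3, 14, 9, 26, 52))
    + bytes([DELETED]) + make_entry("SECRET", "TXT", 0x20, 41, 1_300,
                                    _fat_stamp(2009, 3, 15, 22, 5, 0))[1:]
    + make_entry("PHOTOS", "", 0x10, 12, 0, _fat_stamp(2008, 12, 1))
    + bytes(32)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        lba = cluster_to_sector(e["first_cluster"], first_data_sector=67, sectors_per_cluster=4)
        print(f"{'DEL ' if e['deleted'] else '    '}{e['name']:<13} {e['attrs']:<3} "
              f"{e['size']:>6} B  cluster {e['first_cluster']} (sector {lba})  {e['modified']}")
```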
37. Examining NTFS Disks
• New Technology File System (NTFS)
– Introduced with Windows NT
– Recommended file system for Windows 2000 Pro,
XP, and all later versions
• Improvements over FAT file systems
– NTFS provides more information about a file
– NTFS gives more control over files and folders
• NTFS was Microsoft’s move toward a journaling file
system
38. Examining NTFS Disks (continued)
• In NTFS, everything written to the disk is
considered a file
• On an NTFS disk
– First data set is the Partition Boot Sector
– Next is Master File Table (MFT)
• NTFS results in much less file slack space
• Clusters are smaller for smaller disk drives
• NTFS also uses Unicode
– An international data format
40. NTFS File System
• MFT contains information about all files on the disk
– Including the system files the OS uses
• In the MFT, the first 16 records (entries 0 through
15) are reserved for system files such as $MFT,
$MFTMirr, $LogFile, $Bitmap and $Boot
• The information held in MFT records is metadata
43. MFT and File Attributes
• In the NTFS MFT
– All files and folders are stored in separate records of
1024 bytes each
• Each record contains file or folder information
– This information is divided into record fields containing
metadata
• Each record field is an attribute, identified by a
type ID (for example 0x10 $STANDARD_INFORMATION,
0x30 $FILE_NAME, 0x80 $DATA)
• File or folder information is typically stored in one of
two ways in an MFT record:
– Resident and nonresident
44. MFT and File Attributes (continued)
• Files whose data does not fit in the record (roughly
512 bytes and up; the exact limit depends on the
record's other attributes) are stored outside the MFT
– MFT record provides cluster addresses where the
file is stored on the drive's partition
• Referred to as data runs
• Each MFT record starts with a FILE header; each
attribute inside it has its own header whose
non-resident flag says whether the content is resident
(kept in the record) or nonresident (kept in data runs)
50. MFT and File Attributes (continued)
• When a disk is created as an NTFS file structure
– OS assigns logical clusters to the entire disk partition
• These assigned clusters are called logical cluster
numbers (LCNs)
– Become the addresses that allow the MFT to link to
nonresident files on the disk’s partition
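An added example, not from the slides: a decoder for the run list that a nonresident attribute uses to point at its clusters. Each run starts with a header byte whose low nibble gives the size of the length field and whose high nibble gives the size of the offset field; the offset is a signed delta from the previous run's LCN, so a fragmented file can jump backwards on the disk, and a zero-sized offset field marks a sparse run. The run-list bytes, the partition start (LBA 2048) and the cluster size (8 sectors) are constructed for the demonstration.

```python
def decode_runlist(data: bytes) -> list:
    """Decode an NTFS run list into [(vcn, length, lcn)]; lcn is None for sparse runs."""
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(data):
        header = data[pos]
        pos += 1
        if header == 0x00:              # terminator
            return runs
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError(f"malformed run header 0x{header:02X} at byte {pos - 1}")
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, length, None))        # sparse: no clusters on disk
        else:
            # signed delta relative to the previous run's starting LCN
            lcn += int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((vcn, length, lcn))
        vcn += length
    raise ValueError("run list has no 0x00 terminator")


def is_fragmented(runs) -> bool:
    """True if an allocated run does not start right after the previous allocated run."""
    prev_end = None
    for _vcn, length, lcn in runs:
        if lcn is None:
            continue
        if prev_end is not None and lcn != prev_end:
            return True
        prev_end = lcn + length
    return False


def runs_to_lba(runs, partition_start_lba: int, sectors_per_cluster: int) -> list:
    """Translate LCNs to absolute disk sectors, which is what a hex editor or dd needs."""
    out = []
    for _vcn, length, lcn in runs:
        if lcn is None:
            continue
        first = partition_start_lba + lcn * sectors_per_cluster
        out.append((first, first + length * sectors_per_cluster - 1))
    return out


# Constructed run list (not taken from a real volume):
#   21 18 34 56  -> length 0x18 (24 clusters) at LCN 0x5634 (22068)
#   21 10 F0 FF  -> length 16 at 22068 + (-16) = 22052   (backwards: fragmented)
#   11 08 40     -> length 8  at 22052 + 0x40 = 22116
#   01 04        -> length 4 with no offset field: sparse run
#   00           -> terminator
SAMPLE_RUNS = bytes.fromhex("21183456" "2110F0FF" "110840" "0104" "00")

if __name__ == "__main__":
    runs = decode_runlist(SAMPLE_RUNS)
    for vcn, length, lcn in runs:
        print(f"VCN {vcn:>3}  len {length:>3}  LCN {lcn if lcn is not None else 'sparse'}")
    print("fragmented:", is_fragmented(runs))
    print("sector ranges:", runs_to_lba(runs, partition_start_lba=2048, sectors_per_cluster=8))
```

On a real volume the run list sits inside the nonresident attribute header of the MFT record; the partition start comes from the MBR partition table and the cluster size from the NTFS boot sector, and those two values are all that runs_to_lba needs to turn LCNs into addresses you can open in HxD.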
51. NTFS Data Streams
• Data streams
– Ways data can be appended to existing files
– Can obscure valuable evidentiary data, intentionally
or by coincidence
• In NTFS, a data stream is an additional $DATA
attribute in the file's MFT record
– Lets the file carry extra content that applications
reading the main stream never see
• Explorer and a plain dir listing do not show alternate
streams; examine the file's MFT entry, or list them with
dir /R (Vista and later) or PowerShell's Get-Item -Stream *
53. NTFS Compressed Files
• NTFS provides compression similar to FAT
DriveSpace 3
• Under NTFS, files, folders, or entire volumes can
be compressed
• Most computer forensics tools can uncompress
and analyze compressed Windows data
54. NTFS Encrypting File System (EFS)
• Encrypting File System (EFS)
– Introduced with Windows 2000
– Implements a public key and private key method of
encrypting files, folders, or disk volumes
• When EFS is used in Windows 2000
– A recovery certificate is generated and sent to the
local Windows administrator account
• Users can apply EFS to files stored on their local
workstations or a remote server
55. Error in Textbook
• Page 225
• Only Windows 2000 used the Administrator
account as the default EFS Recovery Agent
• Windows XP and later versions have no EFS
recovery agent by default
– Links Ch 6e, 6f
56. Deleting NTFS Files
• When a file is deleted from Explorer in Windows XP,
2000, or NT
– The OS renames it and moves it to the Recycle Bin
• The Del command (or Shift+Delete) bypasses the
Recycle Bin
– The MFT record's in-use flag is cleared and the file's
clusters are marked free in $Bitmap, much as FAT does;
the record contents and the data remain until reused
58. Understanding Whole Disk Encryption
• In recent years, there has been more concern
about loss of
– Personal identity information (PII) and trade
secrets caused by computer theft
• Of particular concern is the theft of laptop
computers and other handheld devices
• To help prevent loss of information, software
vendors now provide whole disk encryption
59. Understanding Whole Disk Encryption
(continued)
• Current whole disk encryption tools offer the
following features:
– Preboot authentication
– Full or partial disk encryption with secure hibernation
– Advanced encryption algorithms
– Key management function
– A Trusted Platform Module (TPM) microchip to
generate encryption keys and authenticate logins
60. Understanding Whole Disk Encryption
(continued)
• Whole disk encryption tools encrypt each sector of
a drive separately
• Many of these tools encrypt the drive’s boot sector
– To prevent any efforts to bypass the secured drive’s
partition
• To examine an encrypted drive, decrypt it first
– Run a vendor-specific program to decrypt the drive
61. Examining Microsoft BitLocker
• Available only with Vista/Win 7 Enterprise and Ultimate
editions (Pro editions as well from Windows 8 on)
• Hardware and software requirements
– A computer capable of running Windows Vista/7
– The TPM microchip, version 1.2 or newer
– A computer BIOS compliant with Trusted Computing
Group (TCG)
– Two NTFS partitions; a 1.5 GB or 100 MB partition use
just for BitLocker, and the partition containing Windows
– The BIOS configured so that the hard drive boots first
before checking other bootable peripherals
62. Examining Third-Party Disk Encryption
Tools
• Some available third-party WDE utilities:
– PGP Whole Disk Encryption
– Voltage SecureDisk
– Utimaco SafeGuard Easy
– Jetico BestCrypt Volume Encryption
– SoftWinter Sentry 2020 for Windows XP
• Some available open-source encryption tools:
– TrueCrypt (development ended in 2014; VeraCrypt is
its maintained successor)
– CrossCrypt
– FreeOTFE
64. Understanding the Windows Registry
• Registry
– A database that stores hardware and software
configuration information, network connections, user
preferences, and setup information
• For investigative purposes, the Registry can
contain valuable evidence
• To view the Registry, you can use:
– Regedit (Registry Editor) on Windows 9x and every
later version
– Regedt32 on Windows NT and 2000 (on XP and later
it simply launches Regedit)
65. Exploring the Organization of the
Windows Registry
• Registry terminology:
– Registry
– Registry Editor
– HKEY
– Key
– Subkey
– Branch
– Value
– Default value
– Hives
69. Understanding Microsoft Startup
Tasks
• Learn what files are accessed when Windows
starts
• This information helps you determine when a
suspect’s computer was last accessed
– Important with computers that might have been used
after an incident was reported
70. Startup in Windows NT and Later
• All Windows NT computers perform the following
steps when the computer is turned on:
– Power-on self test (POST)
– Initial startup
– Boot loader
– Hardware detection and configuration
– Kernel loading
– User logon
71. Startup Process for Windows Vista
• Uses the newer Extensible Firmware Interface (EFI)
as well as the older BIOS system
• NT Loader (NTLDR) has been replaced by three
boot utilities
– Bootmgr (Windows Boot Manager): displays the list of
operating systems from the BCD store
– Winload.exe: loads the kernel, HAL, and boot drivers
– Winresume.exe: restarts Vista after hibernation
• See link Ch 6g
72. Startup Files for Windows XP
• NT Loader (NTLDR)
• Boot.ini
• BootSect.dos
• NTDetect.com
• NTBootdd.sys
• Ntoskrnl.exe
• Hal.dll
• Pagefile.sys
• Device drivers
74. Startup in Windows NT and Later
(continued)
• Contamination Concerns with Windows XP
– When you start a Windows XP NTFS workstation,
several files are accessed immediately
• The last access date and time stamp for the files
change to the current date and time
– Destroys any potential evidence that shows when a
Windows XP workstation was last used
– So boot from forensic media or work from an image;
never start the suspect's OS natively
• Caveat: Vista and later disable last-access updates
by default (NtfsDisableLastAccessUpdate = 1), so on
newer systems those timestamps may not have moved at all
75. Startup in Windows 9x/Me
• System files in Windows 9x/Me containing valuable
information can be altered easily during startup
• Windows 9x and Windows Me have similar boot
processes
– With Windows Me you can’t boot to a true MS-DOS
mode
• Windows 9x OSs have two modes:
– DOS protected-mode interface (DPMI)
– Protected-mode GUI
76. Startup in Windows 9x/Me (continued)
• The system files used by Windows 9x have their
origin in MS-DOS 6.22
– Io.sys communicates between a computer’s BIOS,
the hardware, and the OS kernel
• If F8 is pressed during startup, Io.sys loads the
Windows Startup menu
– Msdos.sys is a hidden text file containing startup
options for Windows 9x
– Command.com provides a command prompt when
booting to MS-DOS mode (DPMI)
78. Understanding MS-DOS Startup Tasks
• Two files are used to configure MS-DOS at startup:
– Config.sys
• A text file containing commands that typically run only
at system startup to enhance the computer’s DOS
configuration
– Autoexec.bat
• A batch file containing customized settings for MS-
DOS that runs automatically
• Io.sys is the first file loaded after the ROM
bootstrap loader finds the disk drive
79. Understanding MS-DOS Startup Tasks
(continued)
• Msdos.sys is the second program to load into RAM
immediately after Io.sys
– It looks for the Config.sys file to configure device
drivers and other settings
• Msdos.sys then loads Command.com
• As the loading of Command.com nears completion,
Msdos.sys looks for and loads Autoexec.bat
80. Other Disk Operating Systems
• Control Program for Microprocessors (CP/M)
– First nonspecific microcomputer OS
– Created by Gary Kildall in 1974 and sold through his
company Digital Research
– 8-inch floppy drives; no support for hard drives
• Digital Research Disk Operating System (DR-DOS)
– Developed in 1988 to compete with MS-DOS
– Used FAT12 and FAT16 and had a richer command
environment
81. Other Disk Operating Systems
(continued)
• Personal Computer Disk Operating System (PC-
DOS)
– Created by Microsoft under contract for IBM
– PC-DOS works much like MS-DOS
83. Understanding Virtual Machines
• Virtual machine
– Allows you to create a representation of another
computer on an existing physical computer
• A virtual machine is just a few files on your hard
drive
– Must allocate space to it
• A virtual machine recognizes components of the
physical machine it's loaded on
– The guest OS is limited by the host's hardware and
by what the host OS and hypervisor expose to it
85. Understanding Virtual Machines
(continued)
• In computer forensics
– Virtual machines make it possible to restore a
suspect drive on your virtual machine
• And run nonstandard software the suspect might have
loaded
• From a network forensics standpoint, you need to
be aware of some potential issues, such as:
– A virtual machine used to attack another system or
network
86. Creating a Virtual Machine
• Two popular applications for creating virtual
machines
– VMware and Microsoft Virtual PC
• Using Virtual PC
– You must download and install Virtual PC first
89. Creating a Virtual Machine (continued)
• You need an ISO image of an OS
– Because no OSs are provided with Virtual PC
• Virtual PC creates two files for each virtual machine:
– A .vhd file, which is the actual virtual hard disk
– A .vmc file, which keeps track of configurations you
make to that disk
• See what type of physical machine your virtual
machine thinks it’s running
– Open the Virtual PC Console, and click Settings