Semester 7 Digital Forensics (3170725)

Digital Forensics (3170725) Assignment (Unit 4)

Uploaded by Sanket parekh

Q 1. Discuss file carving and deleted data.

File Carving

File carving is a process used in computer forensics to extract data from a disk drive or other storage device without the assistance of the file system that originally created the file. It is a method that recovers files from unallocated space without any file system information and is used to recover data and carry out a digital forensic investigation. It is also called "carving," a general term for extracting structured data out of raw data based on format-specific characteristics present in the structured data.


As a forensics technique that recovers files based merely on file structure and content, without any matching file system metadata, file carving is most often used to recover files from the unallocated space of a drive. Unallocated space refers to the area of the drive which no longer holds any file information as indicated by file system structures such as the file table. In the case of damaged or missing file system structures, this may involve the whole drive. In simple words, many file systems do not zero out the data when they delete it. Instead, they simply remove the knowledge of where it is. File carving is the process of reconstructing files by scanning the raw bytes of the disk and reassembling them. This is usually done by examining the header (the first few bytes) and footer (the last few bytes) of a file.

File carving is a great method for recovering files and fragments of files when directory entries are corrupt or missing. It is especially used by forensics experts in criminal cases for recovering evidence. In certain cases related to child pornography, law enforcement agents are often able to recover more images from the suspect's hard disks by using carving techniques. Another example is the hard disks and removable storage media that U.S. Navy SEALs took from Osama Bin Laden's campus during their raid. Forensic experts used file carving techniques to squeeze every bit of information out of this media.

DELETED DATA

For the average user, hitting the Delete key provides a satisfying sense of security. With the click of a mouse, we think our data is forever obliterated, never again to see the light of day. Think again. We know that, contrary to what many folks believe, hitting the Delete key doesn't do anything to the data itself. The file hasn't gone anywhere. Deleting a file only tells the computer that the space occupied by that file is available if the computer needs it. The deleted data will remain until another file is written over it. This can take quite some time, if it happens at all.
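As an added example (not part of the assignment), the toy carver below builds a raw byte image in which one file's directory entry has been deleted but its bytes remain on "disk", then recovers files purely by scanning for JPEG header and footer markers, as described above. The image layout, the directory table and the payloads are all constructed for the example; the only real-format constants are the JPEG markers. It also handles the failure mode of an orphaned header with no footer by capping the carve length instead of swallowing the rest of the image.

```python
"""
Added example (not from the assignment): a minimal header/footer file carver
run over a constructed raw disk image.

The image layout, the "directory table" and the embedded files are all
constructed here; nothing is read from a real disk.
"""

# JPEG start-of-image / end-of-image markers (real format constants).
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"

# Cap on how far past a header we search for a footer. A real carver uses a
# per-format limit so an orphaned header does not swallow the whole disk.
MAX_CARVE_LEN = 64


def build_image():
    """Construct a toy raw image plus a toy directory table.

    Two JPEG-like files are written; the directory then "deletes" file B by
    dropping its entry. The bytes of B stay in place, which is exactly what
    carving relies on. A third, truncated header with no footer is appended
    to show how an incomplete fragment is handled.
    """
    file_a = JPEG_HEADER + b"\xe0photo-A-payload" + JPEG_FOOTER
    file_b = JPEG_HEADER + b"\xe0photo-B-deleted-payload" + JPEG_FOOTER
    fragment = JPEG_HEADER + b"\xe0orphan-no-footer"
    padding = b"\x00" * 16

    image = padding + file_a + padding + file_b + padding + fragment + padding
    directory = {
        "A.jpg": (image.index(file_a), len(file_a)),
        "B.jpg": (image.index(file_b), len(file_b)),
    }
    # Simulated deletion: only the directory entry goes away, the bytes stay.
    del directory["B.jpg"]
    return image, directory


def carve(image, header=JPEG_HEADER, footer=JPEG_FOOTER, max_len=MAX_CARVE_LEN):
    """Scan raw bytes for header/footer pairs, ignoring any file system.

    Returns a list of (offset, data, complete) tuples. `complete` is False
    when no footer was found within max_len; the fragment is still returned
    (cut at max_len or at the end of the image) because a partial image
    may still be evidentiary.
    """
    results = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        window_end = min(start + max_len, len(image))
        end = image.find(footer, start + len(header), window_end)
        if end == -1:
            results.append((start, image[start:window_end], False))
            pos = start + len(header)
        else:
            end += len(footer)
            results.append((start, image[start:end], True))
            pos = end
    return results


def recover_deleted(image, directory):
    """Return carved files whose offset is not referenced by any directory entry."""
    allocated = {off for off, _ in directory.values()}
    return [r for r in carve(image) if r[0] not in allocated]


if __name__ == "__main__":
    img, table = build_image()
    for off, data, complete in carve(img):
        state = "complete" if complete else "fragment"
        print(f"offset {off:3d}: {len(data):2d} bytes ({state})")
    print("carved but unallocated:", [off for off, _, _ in recover_deleted(img, table)])
```

Running it shows three carved objects: file A (still allocated), file B (deleted but fully recoverable) and the orphaned fragment, which is reported as incomplete rather than silently merged into whatever follows it.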


Q 2. What are the different modes intended to conserve power?

Generally, a computer can go into 3 different modes or states when it sleeps. The different modes are intended to conserve power and can vary from laptop to desktop. Through this cybernap process, more potential evidence can be generated, depending on how deeply the PC goes to sleep. Deep sleep modes such as hibernation and hybrid sleep save data to the hard drive, as opposed to just holding it in RAM as in sleep. As we know, data written to the drive itself is more persistent and can be recovered. The various modes are:

SLEEP

Sleep mode is intended to conserve energy but is also intended to get the computer back into operation as quickly as possible. Microsoft compares this state to pausing a DVD player (Microsoft, 2011; TechTarget, 2011). Here, a small amount of power is continuously applied to RAM, keeping that data intact. Remember, RAM is considered volatile memory, meaning that the data disappears when power is removed. Sleep mode doesn't do much for us forensically because all the data remains in RAM.

HIBERNATION

Hibernation is also a power-saving mode but is intended for laptops rather than desktop computers. It is here that we start to see some potential investigative benefit. In this mode, all of the data in RAM is written to the hard drive, where, as we know, it is much harder to get rid of data.

HYBRID SLEEP

As the name implies, hybrid sleep is a blend of the previous two modes and is intended mainly for desktops. It keeps a minimal amount of power applied to your RAM (preserving your data and applications) and also writes the data to disk. As with a page file, suspects bent on destroying evidence can overlook these hibernation files. Pedophiles or corporate crooks will often attempt to avoid detection by deleting or destroying evidence on their hard drives as investigations close in around them. These hibernation files, unknown to most users, are often missed during these last-minute delete-a-thons.


Q 3. What is the Windows registry? How is it useful during a digital forensic investigation?

The Registry is a hierarchical database that stores low-level settings and other information for the Microsoft Windows operating system and for applications that choose to use it. The registry is in use from the moment the operating system is installed. Settings from the kernel and device drivers through to the hardware and the user interface are all stored in the Windows registry.

When programs and applications are installed on the system, their configurations and default values are stored in the registry, although some applications do not use the Windows registry. For example, .NET Framework applications use XML files for configuration, and portable applications usually keep their configuration data in files in the directory where the application executable resides.

Importance of Registry in Windows Forensics

For a forensic analyst, the Registry is a treasure chest of information. It is the database that contains the default settings and the user- and system-defined settings of a Windows computer. The registry serves as a repository that monitors, observes and records the activities performed by the user on the computer. The data is stored in main folders in a tree-like structure: each top-level folder is called a hive, its subfolders are called keys and subkeys, and each component's configuration is stored in entries called values. Some important aspects of the Windows Registry are:

- The Windows Registry can be considered a gold mine of forensic evidence.
- New registry keys and values can be created manually, and existing ones can be modified.
- The original files that contain registry values are stored in the system directory itself.
- Registry files are system-protected and cannot be accessed by any user unless administrative access is provided.
- For investigation purposes, the forensic investigator analyzes registry files with tools such as Registry Viewer, Regshot, Registry Browser, etc.
- Information about Trojans and malware can be found in the registry.

Main Registry Hives

- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE/SAM
- HKEY_LOCAL_MACHINE/SOFTWARE
- HKEY_LOCAL_MACHINE/SECURITY
- HKEY_LOCAL_MACHINE/SYSTEM
- HKEY_USERS
- HKEY_CURRENT_CONFIG

While acquiring registry files from the system we need to use an imaging tool that can obtain system-protected files, because only then can we access and analyze them with the help of a registry viewer. We cannot copy these files directly from a running system because they are locked while the operating system has them open. The HKEY_CURRENT_USER data is stored in a file called NTUSER.DAT located at "%SystemRoot%\Users\<UserName>".

Other important files that are monitored in HKEY_LOCAL_MACHINE are SAM, SOFTWARE, SECURITY and SYSTEM, which are located at "%SystemRoot%\Windows\System32\config" along with some other files that are also important from the forensic perspective. These files have no file extension, which makes them harder for users to access.


Q 4. Why can we not put full faith in the recycle bin during the investigation process?

Where is a file moved when it's deleted? I bet some of us would say the recycle bin. That would make the most sense. I mean, that's where we put the unwanted files, right? But it would also be wrong. When you delete a file, it's moved to … wait for it … nowhere. The file itself stays exactly where it was. It's a common notion that when deleted, the file is actually picked up and moved to the recycle bin. That's not the case.

Unwanted files can be moved to the recycle bin a few different ways. They can be moved from a menu item or by dragging and dropping the file to the recycle bin. Finally, you can right-click on an item and choose Delete. The benefit of putting files into the recycle bin is that we can dig through it and pull our files back out. There have been places where digging through office trash can be a pretty hazardous undertaking. Fortunately, things aren't nearly as dicey on our computers. As long as our files are still "in the can," we can get them back. However, emptying the recycle bin (i.e., "taking out the trash") makes recovery pretty much impossible for the average user.

Not everything that's deleted passes through the recycle bin. A user can actually bypass the bin altogether. Bypassing can be done a couple of ways. First, if you press Shift+Delete, the file will go straight to unallocated space without ever going through the recycle bin. You can also configure your machine to bypass the recycle bin altogether. Your deleted files won't even brush the sides of the recycle bin.

The recycle bin is obviously one of the first places that examiners look for potential evidence. The first instinct suspects have is to get rid of any and every incriminating file on their computer. Not fully understanding how their computer works, they put all their faith in the recycle bin. Now you know that's a bad move. Lucky for us, many folks still don't recognize how misplaced their faith is. As a result, the recycle bin is a great place to look for all kinds of potentially incriminating files.

Recycle Bin Bypass

If an examiner suspects that the system has been set to bypass the recycle bin, the first thing they would check would be the registry. The "NukeOnDelete" value would be set to "1", indicating that this function had been switched on.
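As an added example (not part of the assignment), the script below scans a registry export for the NukeOnDelete value described above and reports every key where it is set to 1, while separately listing keys where it is explicitly 0. The export text is constructed to look like the output of Windows' `reg export`; the key paths in it are assumptions for the example, and an examiner working a real image would parse the acquired hives instead of a live export.

```python
"""
Added example (not from the assignment): checking a registry export for the
NukeOnDelete setting that turns on recycle-bin bypass.

The export text below is constructed to resemble `reg export` output
(Windows Registry Editor 5.00 format). The key paths are assumptions made
for this example; on a real image the examiner inspects the acquired hives.
"""
import re

# Constructed sample export: one per-volume key with NukeOnDelete enabled,
# one with it disabled, and one unrelated key that must be ignored.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{11111111-2222-3333-4444-555555555555}]
"NukeOnDelete"=dword:00000001
"MaxCapacity"=dword:00000bb8

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{66666666-7777-8888-9999-000000000000}]
"NukeOnDelete"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')


def parse_dword_values(export_text):
    """Yield (key_path, value_name, int_value) for every dword in a .reg export."""
    current_key = None
    for line in export_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            yield current_key, m.group(1), int(m.group(2), 16)


def find_bypass_settings(export_text, value_name="NukeOnDelete"):
    """Split keys carrying value_name into (enabled, disabled) lists.

    Each entry is (key_path, value). Keys where the value is present but 0
    are reported too, so the examiner sees that bypass was explicitly off
    for that volume rather than simply never configured.
    """
    enabled, disabled = [], []
    for key, name, value in parse_dword_values(export_text):
        if name.lower() != value_name.lower():
            continue
        (enabled if value == 1 else disabled).append((key, value))
    return enabled, disabled


if __name__ == "__main__":
    on, off = find_bypass_settings(SAMPLE_EXPORT)
    for key, _ in on:
        print("recycle bin bypass ENABLED under:", key)
    for key, _ in off:
        print("recycle bin bypass explicitly off under:", key)
```

The value is matched case-insensitively and the parser only accepts well-formed dword lines, so a stray string value with the same name does not produce a false hit.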


Q 5. Elaborate on the following Windows system artifacts:

a. Metadata
b. Thumbnail
c. Most recently used
d. Prefetch
e. Link files
f. Restore points and shadow copies

a. Metadata

Metadata is most often defined as data about data. Odds are you've come across metadata at some point, although you may not have known that's what you were looking at. There are two flavors of metadata, if you will: application and file system. Remember, the file system keeps track of our files and folders, as well as some information about them. File system metadata includes the date and time a file or folder was created, accessed, or modified. If you right-click on a file and choose Properties, you can see the date/time stamps. Note the created, modified, and accessed dates and times.

Although this information can prove quite valuable to an investigation, we must keep in mind that all these date/time stamps may not be what they seem. One problem is that the system's clock can be changed by the user. Time zone differences can also cause some issues. Let's take a little closer look at the created, accessed, and modified date/time stamps.

Created: The created date/time stamp frequently indicates when a file or folder was created on a particular piece of media, such as a hard drive. How the file got there makes a difference. By and large, a file can be saved, copied, cut and pasted, or dragged and dropped.

Modified: The modified date and time are set when a file is altered in any way and then saved.

Accessed: This date/time stamp is updated whenever a file is accessed by the file system. Accessed does not mean the same thing as "opened." You may be asking how a file can be accessed without being opened, and that's a good question. You see, the computer itself can interact with the files. Antivirus scans and other preset events are just two examples of this automated interaction.
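As an added example (not part of the assignment), the script below applies two of the checks discussed above to a set of constructed file records: a created stamp later than the modified stamp, which on Windows is the classic sign that the file was copied onto this volume after its last edit (copying stamps a new created time but keeps the source's modified time), and stamps that post-date the acquisition time, which point to a clock or time-zone problem. The acquisition time and the records are constructed for the example; the rules are leads for the examiner, not proof.

```python
"""
Added example (not from the assignment): triaging created/modified/accessed
timestamps for the inconsistencies the text warns about.

The file records and the acquisition time are constructed for this example.
Both heuristics produce leads, not conclusions.
"""
from datetime import datetime, timezone

# Constructed acquisition time; in practice it comes from the case notes.
ACQUIRED_AT = datetime(2023, 9, 20, 10, 0, tzinfo=timezone.utc)

# Constructed sample records: (path, created, modified, accessed), all UTC.
SAMPLE_RECORDS = [
    ("C:\\Users\\alice\\report.docx",
     datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc),
     datetime(2023, 3, 2, 17, 45, tzinfo=timezone.utc),
     datetime(2023, 9, 19, 8, 0, tzinfo=timezone.utc)),
    # Copied onto this volume after its last edit: created > modified.
    ("C:\\Users\\alice\\Downloads\\ledger.xlsx",
     datetime(2023, 8, 10, 12, 0, tzinfo=timezone.utc),
     datetime(2021, 11, 30, 16, 20, tzinfo=timezone.utc),
     datetime(2023, 8, 10, 12, 0, tzinfo=timezone.utc)),
    # Stamps in the future relative to acquisition: clock or zone problem.
    ("C:\\Users\\alice\\notes.txt",
     datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc),
     datetime(2024, 1, 1, 0, 5, tzinfo=timezone.utc),
     datetime(2024, 1, 1, 0, 5, tzinfo=timezone.utc)),
]


def triage_timestamps(records, acquired_at=ACQUIRED_AT):
    """Return {path: [flags]} for every record that trips at least one heuristic."""
    findings = {}
    for path, created, modified, accessed in records:
        flags = []
        if created > modified:
            # A copy or move writes a fresh created time on the destination
            # volume while preserving the source's modified time.
            flags.append("created-after-modified (file likely copied here)")
        for name, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
            if ts > acquired_at:
                # Nothing on the evidence should be stamped after it was
                # imaged; a user-changed clock or a zone mix-up can do this.
                flags.append(f"{name}-after-acquisition (clock/time-zone issue?)")
        if flags:
            findings[path] = flags
    return findings


if __name__ == "__main__":
    for path, flags in triage_timestamps(SAMPLE_RECORDS).items():
        print(path)
        for flag in flags:
            print("   -", flag)
```

All timestamps are normalised to UTC before comparison; feeding in naive local times from different sources would itself introduce the time-zone errors the text cautions about.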

b. Thumbnail

To make it easier to browse the pictures on your computer, Windows creates smaller versions of your photos called thumbnails. Thumbnails are just miniaturized versions of their larger counterparts. These miniatures are created automatically by Windows when the user chooses the Thumbnail view in Windows Explorer. Windows creates a couple of different kinds of thumbnail files, depending on the version being used. Windows XP creates a file called thumbs.db. Windows Vista and Windows 7 create a similar file called thumbcache.db. Most users are completely unaware that these files even exist. The cool thing about these files is that they remain even after the original images have been deleted. Even if we don't recover the original image, thumbnails can serve as the next best evidence. Their mere existence tells us that those pictures existed at one point on the system.

c. Most recently used

Windows tries to make our lives, at least on our computers, as pleasant as possible. They may not always succeed, but their hearts are in the right place. The Most Recently Used (MRU) list is one such example of Microsoft thinking of us. The MRUs are links that serve as shortcuts to applications or files that have recently been used. You can see these in action by clicking on the Windows Start button or through the File menu in many applications.


d. Prefetch

Prefetching is one of the ways Windows tries to speed up the system. Prefetch files can show that an application was indeed installed and run on the system at one time. Take, for example, a wiping application such as Evidence Eliminator. Programs like this are designed to destroy selected data on a hard drive. Although we may not be able to recover the original evidence, the mere presence of Evidence Eliminator can prove to be almost as damning as the original files themselves.

e. Link files

We all love shortcuts. They help us avoid road construction and steer clear of traffic jams. They save us time and make our travels easier, at least in theory. Link files are simply shortcuts. They point to other files. Link files can be created by us, or more often by the computer. You may have created a shortcut on your desktop to your favorite program or folder. The computer itself creates them in several different places. You've probably seen and used these link files before. Take Microsoft Word, for example. If you look under the File menu, you'll see an option called Recent. The items in that list are link files, or shortcuts, created by the computer. Link files have their own date and time stamps, showing when they were created and last used. The existence of a link file can be important. It can be used to show that someone opened the file in question. It can also be used to refute the assertion that a file or folder never existed. Link files can also contain full file paths, even if the storage device, such as a thumb drive, is no longer connected.

f. Restore points and shadow copies

Restore Points

Restore points are snapshots of key system settings and configuration at a specific moment in time. These snapshots can be used to return the system to working order. RPs are created in different ways. They can be created by the system automatically before major system events, such as installing software. They can be scheduled at regular intervals, such as weekly. Finally, they can be created manually by a user. The RP feature is on by default, and one snapshot is automatically produced every day. Before you start looking around for your RPs, you should know that Microsoft has taken steps to keep them from your prying eyes. They are normally hidden from the user. These RPs have metadata (data about the data) associated with them. This information could be valuable in determining the point in time when a snapshot was taken. If the RP contains evidence, this can tell us exactly when that data existed on the system in question. Digging through the RPs may reveal evidentiary gems that don't exist anywhere else. For the average person trying to conceal information from investigators, RPs are likely not the first place they would start destroying evidence. That works in our favor.

Shadow Copies

Shadow copies provide the source data for restore points. Like the RP, a shadow file is another artifact that could very well be worth a look. We can use shadow files to demonstrate how a particular file has been changed over time.
