Scribd
Upload
26 views78 pages

Gcfi6e PPT ch05

Uploaded by

nou20200619
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
26 views78 pages

Gcfi6e PPT ch05

Uploaded by

nou20200619
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 78

Guide to Computer Forensics

and Investigations
Sixth Edition

Chapter 5
Working with Windows and CLI Systems

1
Objectives

• Explain the purpose and structure of file systems


• Describe Microsoft file structures
• Explain the structure of NTFS disks
• List some options for decrypting drives encrypted with whole disk encryption
• Explain how the Windows Registry works
• Describe Microsoft startup tasks
• Explain the purpose of a virtual machine

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 2 2
protected website for classroom use.
Understanding File Systems

• File system
• Gives OS a road map to data on a disk
• Type of file system an OS uses determines how data is stored on the disk
• When you need to access a suspect’s computer to acquire or inspect data
• You should be familiar with both the computer’s OS and file systems

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 3 3
protected website for classroom use.
Understanding the Boot Sequence (1 of 3)

• Complementary Metal Oxide Semiconductor (CMOS)


• Computer stores system configuration and date and time information in the CMOS
- When power to the system is off
• Basic Input/Output System (BIOS) or Extensible Firmware Interface (EFI)
• Contains programs that perform input and output at the hardware level

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 4 4
protected website for classroom use.
Understanding the Boot Sequence (2 of 3)

• Bootstrap process
• Contained in ROM, tells the computer how to proceed
• Displays the key or keys you press to open the CMOS setup screen
• CMOS should be modified to boot from a forensic floppy disk or CD

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 5 5
protected website for classroom use.
Understanding the Boot Sequence (3 of 3)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 6 6
protected website for classroom use.
Understanding Disk Drives (1 of 4)

• Disk drives are made up of one or more platters coated with magnetic material
• Disk drive components
• Geometry
• Head
• Tracks
• Cylinders
• Sectors

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 7 7
protected website for classroom use.
Understanding Disk Drives (2 of 4)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 8 8
protected website for classroom use.
Understanding Disk Drives (3 of 4)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 9 9
protected website for classroom use.
Understanding Disk Drives (4 of 4)

• Properties handled at the drive’s hardware or firmware level


• Zone bit recording (ZBR)
• Track density
• Areal density
• Head and cylinder skew

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 10 10
protected website for classroom use.
Solid-State Storage Devices

• All flash memory devices have a feature called wear-leveling


• An internal firmware feature used in solid-state drives that ensures even wear of
read/writes for all memory cells
• When dealing with solid-state devices, making a full forensic copy as soon as
possible is crucial
• In case you need to recover data from unallocated disk space

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 11 11
protected website for classroom use.
Exploring Microsoft File Structures (1 of 2)

• In Microsoft file structures, sectors are grouped to form clusters


• Storage allocation units of one or more sectors
• Clusters range from 512 bytes up to 32,000 bytes each
• Combining sectors minimizes the overhead of writing or reading files to a disk

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 12 12
protected website for classroom use.
Exploring Microsoft File Structures (2 of 2)

• Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT


• First sector of all disks contains a system area, the boot record, and a file structure
database
• OS assigns these cluster numbers, called logical addresses
• Sector numbers are called physical addresses
• Clusters and their addresses are specific to a logical disk drive, which is a disk
partition

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 13 13
protected website for classroom use.
Disk Partitions (1 of 3)

• A partition is a logical drive


• Windows OSs can have three primary partitions followed by an extended
partition that can contain one or more logical drives
• Hidden partitions or voids
• Large unused gaps between partitions on a disk
• Partition gap
• Unused space between partitions

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 14 14
protected website for classroom use.
Disk Partitions (2 of 3)

• The partition table is in the Master Boot Record (MBR)


• Located at sector 0 of the disk drive
• In a hexadecimal editor, such as WinHex, you can find the first partition at offset
0x1BE
• The file system’s type hexadecimal code is offset 3 bytes from 0x1BE for the first
partition

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 15 15
protected website for classroom use.
Disk Partitions (3 of 3)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 16 16
protected website for classroom use.
Examining FAT Disks (1 of 7)

• File Allocation Table (FAT)


• File structure database that Microsoft originally designed for floppy disks
• FAT database is typically written to a disk’s outermost track and contains:
• Filenames, directory names, date and time stamps, the starting cluster number, and
file attributes
• Three current FAT versions
• FAT16, FAT32, and exFAT (used for mobile personal storage devices)
• Cluster sizes vary according to the hard disk size and file system

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 17 17
protected website for classroom use.
Examining FAT Disks (2 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 18 18
protected website for classroom use.
Examining FAT Disks (3 of 7)

• Microsoft OSs allocate disk space for files by clusters


• Results in drive slack
- Unused space in a cluster between the end of an active file’s content and the end of
the cluster
• Drive slack includes:
• RAM slack and file slack
• An unintentional side effect of FAT16 allowing large clusters was that it reduced
fragmentation
• As cluster size increased

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 19 19
protected website for classroom use.
Examining FAT Disks (4 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 20 20
protected website for classroom use.
Examining FAT Disks (5 of 7)

• When you run out of room for an allocated cluster


• OS allocates another cluster for your file
• As files grow and require more disk space, assigned clusters are chained
together
• The chain can be broken or fragmented
• When the OS stores data in a FAT file system, it assigns a starting cluster
position to a file
• Data for the file is written to the first sector of the first assigned cluster

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 21 21
protected website for classroom use.
Examining FAT Disks (6 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 22 22
protected website for classroom use.
Examining FAT Disks (7 of 7)

• When this first assigned cluster is filled and runs out of room
• FAT assigns the next available cluster to the file
• If the next available cluster isn’t contiguous to the current cluster
• File becomes fragmented

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 23 23
protected website for classroom use.
Deleting FAT Files

• In Microsoft OSs, when a file is deleted


• Directory entry is marked as a deleted file
- With the HEX E5 character replacing the first letter of the filename
- FAT chain for that file is set to 0
• Data in the file remains on the disk drive
• Area of the disk where the deleted file resides becomes unallocated disk space
• Available to receive new data from newly created files or other files needing more
space

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 24 24
protected website for classroom use.
Examining NTFS Disks (1 of 3)

• NT File System (NTFS)


• Introduced with Windows NT
• Primary file system for Windows 10
• Improvements over FAT file systems
• NTFS provides more information about a file
• NTFS gives more control over files and folders
• NTFS was Microsoft’s move toward a journaling file system
• It records a transaction before the system carries it out

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 25 25
protected website for classroom use.
Examining NTFS Disks (2 of 3)

• In NTFS, everything written to the disk is considered a file


• On an NTFS disk
• First data set is the Partition Boot Sector
• Next is Master File Table (MFT)
• NTFS results in much less file slack space
• Clusters are smaller for smaller disk drives
• NTFS also uses Unicode
• An international data format

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 26 26
protected website for classroom use.
Examining NTFS Disks (3 of 3)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 27 27
protected website for classroom use.
NTFS System Files (1 of 3)

• MFT contains information about all files on the disk


• Including the system files the OS uses
• In the MFT, the first 15 records are reserved for system files
• Records in the MFT are called metadata

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 28 28
protected website for classroom use.
NTFS File System (2 of 3)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 29 29
protected website for classroom use.
NTFS File System (3 of 3)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 30 30
protected website for classroom use.
MFT and File Attributes (1 of 7)

• In the NTFS MFT


• All files and folders are stored in separate records of 1024 bytes each
• Each record contains file or folder information
• This information is divided into record fields containing metadata
• A record field is referred to as an attribute ID
• File or folder information is typically stored in one of two ways in an MFT
record:
• Resident and nonresident

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 31 31
protected website for classroom use.
MFT and File Attributes (2 of 7)

• Files larger than 512 bytes are stored outside the MFT
• MFT record provides cluster addresses where the file is stored on the drive’s partition
- Referred to as data runs
• Each MFT record starts with a header identifying it as a resident or nonresident
attribute

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 32 32
protected website for classroom use.
MFT and File Attributes (3 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 33 33
protected website for classroom use.
MFT and File Attributes (4 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 34 34
protected website for classroom use.
MFT and File Attributes (5 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 35 35
protected website for classroom use.
MFT and File Attributes (6 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 36 36
protected website for classroom use.
MFT and File Attributes (7 of 7)

• When a disk is created as an NTFS file structure


• OS assigns logical clusters to the entire disk partition
• These assigned clusters are called logical cluster numbers (LCNs)
• Become the addresses that allow the MFT to link to nonresident files on the disk’s
partition
• When data is first written to nonresident files, an LCN address is assigned to the
file
• This LCN becomes the file’s virtual cluster number (VCN)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 37 37
protected website for classroom use.
MFT Structures for File Data (1 of 7)

• For the header of all MFT records, the record fields of interest are as follows:
• At offset 0x00 - the MFT record identifier FILE
• At offset 0x1C to 0x1F - size of the MFT record
• At offset 0x14 - length of the header (indicates where the next attribute starts)
• At offset 0x32 and 0x33 - the update sequence array, which stores the last 2 bytes of
the first sector of the MFT record

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 38 38
protected website for classroom use.
MFT Structures for File Data (2 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 39 39
protected website for classroom use.
MFT Structures for File Data (3 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 40 40
protected website for classroom use.
MFT Structures for File Data (4 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 41 41
protected website for classroom use.
MFT Structures for File Data (5 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 42 42
protected website for classroom use.
MFT Structures for File Data (6 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 43 43
protected website for classroom use.
MFT Structures for File Data (7 of 7)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 44 44
protected website for classroom use.
NTFS Alternate Data Streams (1 of 2)

• Alternate data streams


• Ways data can be appended to existing files
• Can obscure valuable evidentiary data, intentionally or by coincidence
• In NTFS, an alternate data stream becomes an additional file attribute
• Allows the file to be associated with different applications
• You can only tell whether a file has a data stream attached by examining that
file’s MFT entry

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 45 45
protected website for classroom use.
NTFS Alternate Data Streams (2 of 2)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 46 46
protected website for classroom use.
NTFS Compressed Files

• NTFS provides compression similar to FAT DriveSpace 3 (a Windows 98


compression utility)
• With NTFS, files, folders, or entire volumes can be compressed
• Most computer forensics tools can uncompress and analyze compressed
Windows data

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 47 47
protected website for classroom use.
NTFS Encrypting File System (EFS)

• Encrypting File System (EFS)


• Introduced with Windows 2000
• Implements a public key and private key method of encrypting files, folders, or disk
volumes
• When EFS is used in Windows 2000 and later
• A recovery certificate is generated and sent to the local Windows administrator
account
• Users can apply EFS to files stored on their local workstations or a remote
server

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 48 48
protected website for classroom use.
EFS Recovery Key Agent

• Recovery Key Agent implements the recovery certificate


• Which is in the Windows administrator account
• Windows administrators can recover a key in two ways: through Windows or
from a command prompt
• Commands:
• cipher
• copy

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 49 49
protected website for classroom use.
Deleting NTFS Files

• When a file is deleted in Windows NT and later


• The OS renames it and moves it to the Recycle Bin
• Can use the del (delete) MS-DOS command
• Eliminates the file from the MFT listing in the same way FAT does

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 50 50
protected website for classroom use.
Resilient File System

• Resilient File System (ReFS) - designed to address very large data storage needs
• Such as the cloud
• Features incorporated into ReFS’s design:
• Maximized data availability
• Improved data integrity
• Designed for scalability
• ReFS uses disk structures similar to the MFT in NTFS

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 51 51
protected website for classroom use.
Understanding Whole Disk Encryption (1 of
3)
• In recent years, there has been more concern about loss of
• Personal identity information (PII) and trade secrets caused by computer theft
• Of particular concern is the theft of laptop computers and handheld devices
• To help prevent loss of information, software vendors now provide whole disk
encryption

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 52 52
protected website for classroom use.
Understanding Whole Disk Encryption (2 of
3)
• Current whole disk encryption tools offer the following features:
• Preboot authentication
• Full or partial disk encryption with secure hibernation
• Advanced encryption algorithms
• Key management function

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 53 53
protected website for classroom use.
Understanding Whole Disk Encryption (3 of
3)
• Whole disk encryption tools encrypt each sector of a drive separately
• Many of these tools encrypt the drive’s boot sector
• To prevent any efforts to bypass the secured drive’s partition
• To examine an encrypted drive, decrypt it first
• Run a vendor-specific program to decrypt the drive
• Many vendors use a bootable CD or USB drive that prompts for a one-time
passphrase

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 54 54
protected website for classroom use.
Examining Microsoft BitLocker

• Available Vista Enterprise/Ultimate, Windows 7, 8, and 10


Professional/Enterprise, and Server 2008 and later
• Hardware and software requirements
• A computer capable of running Windows Vista or later
• The TPM microchip, version 1.2 or newer
• A computer BIOS compliant with Trusted Computing Group (TCG)
• Two NTFS partitions
• The BIOS configured so that the hard drive boots first before checking other bootable
peripherals

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 55 55
protected website for classroom use.
Examining Third-Party Disk Encryption Tools

• Some available third-party WDE utilities:


• Endpoint Encryption
• Voltage SecureFile
• Jetico BestCrypt Volume Encryption

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 56 56
protected website for classroom use.
Understanding the Windows Registry

• Registry
• A database that stores hardware and software configuration information, network
connections, user preferences, and setup information
• To view the Registry, you can use:
• Regedit (Registry Editor) program for Windows 9x systems
• Regedt32 for Windows 2000, XP, and Vista
• Both utilities can be used for Windows 7 and 8

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 57 57
protected website for classroom use.
Exploring the Organization of the Windows
Registry (1 of 5)
• Registry terminology:
• Registry
• Registry Editor
• HKEY
• Key
• Subkey
• Branch
• Value
• Default value
• Hives

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 58 58
protected website for classroom use.
Exploring the Organization of the Windows
Registry (2 of 5)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 59 59
protected website for classroom use.
Exploring the Organization of the Windows
Registry (3 of 5)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 60 60
protected website for classroom use.
Exploring the Organization of the Windows
Registry (4 of 5)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 61 61
protected website for classroom use.
Exploring the Organization of the Windows
Registry (5 of 5)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 62 62
protected website for classroom use.
Examining the Windows Registry (1 of 2)

• Tools with built-in or add-on Registry viewers:


• X-Ways Forensics
• OSForensics
• Forensic Explorer
• FTK

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 63
protected website for classroom use.
Examining the Windows Registry (2 of 2)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 64
protected website for classroom use.
Understanding Microsoft Startup Tasks

• Learn what files are accessed when Windows starts


• This information helps you determine when a suspect’s computer was last
accessed
• Important with computers that might have been used after an incident was reported

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 65 65
protected website for classroom use.
Startup in Windows 7, Windows 8 and
Windows 10
• Windows 8 and 10 are multiplatform OSs
• Can run on desktops, laptops, tablets, and smartphones
• The boot process uses a boot configuration data (BCD) store
• The BCD contains the boot loader that initiates the system’s bootstrap process
• Press F8 or F12 when the system starts to access the Advanced Boot Options

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 66 66
protected website for classroom use.
Startup in Windows NT and Later (1 of 5)

• All NTFS computers perform the following steps when the computer is turned
on:
• Power-on self test (POST)
• Initial startup
• Boot loader
• Hardware detection and configuration
• Kernel loading
• User logon

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 67 67
protected website for classroom use.
Startup in Windows NT and Later (2 of 5)

• Startup Files for Windows Vista:


• The Ntldr program in Windows XP used to load the OS has been replaced with these
three boot utilities:
- Bootmgr.exe
- Winload.exe
- Winresume.exe
• Windows Vista includes the BCD editor for modifying boot options and updating the
BCD registry file
• The BCD store replaces the Windows XP boot.ini file

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 68 68
protected website for classroom use.
Startup in Windows NT and Later (3 of 5)

• Startup Files for Windows XP:


• NT Loader (NTLDR)
• Boot.ini
• Ntoskrnl.exe
• Bootvid.dll
• Hal.dll
• BootSect.dos
• NTDetect.com
• NTBootdd.sys
• Pagefile.sys
• Device drivers
• Contain instructions for the OS for hardware devices

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 69 69
protected website for classroom use.
Startup in Windows NT and Later (4 of 5)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 70 70
protected website for classroom use.
Startup in Windows NT and Later (5 of 5)

• Contamination Concerns with Windows XP


• When you start a Windows XP NTFS workstation, several files are accessed
immediately
- The last access date and time stamp for the files change to the current date and
time
• Destroys any potential evidence
- That shows when a Windows XP workstation was last used

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 71 71
protected website for classroom use.
Understanding Virtual Machines (1 of 3)

• Virtual machines
• Enable you to run another OS on an existing physical computer (known as the host
computer) by emulating a computer’s hardware environment
• A virtual machine is just a few files on your hard drive
• Must allocate space to it
• A virtual machine recognizes components of the physical machine it’s loaded on
• Virtual OS is limited by the physical machine’s OS

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 72 72
protected website for classroom use.
Understanding Virtual Machines (2 of 3)

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 73 73
protected website for classroom use.
Understanding Virtual Machines (3 of 3)

• In digital forensics
• Virtual machines make it possible to restore a suspect drive on your virtual machine
- And run nonstandard software the suspect might have loaded
• From a network forensics standpoint, you need to be aware of some potential
issues, such as:
• A virtual machine used to attack another system or network

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 74 74
protected website for classroom use.
Creating a Virtual Machine

• Common applications for creating virtual machines


• VMware Server, VMware Player and VMware Workstation, Oracle VM VirtualBox,
Microsoft Virtual PC, and Hyper-V
• Using VirtualBox
• An open-source program (download)
• Consult with your instructor before doing the activities using VirtualBox

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 75 75
protected website for classroom use.
Summary (1 of 3)

• When starting a suspect’s computer, using boot media, such as forensic boot
CDs or USB drives, you must ensure that disk evidence isn’t altered
• The Master Boot Record (MBR) stores information about partitions on a disk
• Microsoft used FAT12 and FAT16 on older operating systems
• To find a hard disk’s capacity, use the cylinders, heads, and sectors (CHS)
calculation

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 76 76
protected website for classroom use.
Summary (2 of 3)

• When files are deleted in a FAT file system, the hexadecimal value 0x05 is
inserted in the first character of the filename in the directory
• NTFS is more versatile because it uses the Master File Table (MFT) to track file
information
• Records in the MFT contain attribute IDs that store metadata about files
• In NTFS, alternate data streams can obscure information that might be of
evidentiary value

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 77 77
protected website for classroom use.
Summary (3 of 3)

• File slack, RAM slack, and drive slack are areas in which valuable information
can reside on a drive
• NTFS can encrypt data with EFS and BitLocker
• NTFS can compress files, folders, or volumes
• Windows Registry keeps a record of attached hardware, user preferences,
network connections, and installed software
• Virtualization software enables you to run other OSs on a host computer

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 78 78
protected website for classroom use.

You might also like