Registry Forensics and File Systems

The document discusses the significance of the Windows Registry and file systems in digital forensics. It highlights how the registry contains crucial information about user activities, hardware, and software, making it a valuable resource for forensic investigators. Additionally, it explains the structure and types of file systems, emphasizing their role in organizing and managing data on storage devices.

Uploaded by mansidayal654

Windows Forensics

Registry:

A database of stored configuration information about the users, hardware, and software on a
Windows system.

Although the registry was designed to configure the system, doing so requires it to track a huge
amount of information about the user's activities, the devices connected to the system, what software
was used and when, and so on.

All of this is useful to the forensic investigator in tracking the criminal and establishing the what,
where, and when of an investigation. The key is simply knowing where to look.

The registry (or Windows registry) is a database of information, settings, options, and other values for
the software and hardware installed on all versions of the Microsoft Windows operating system. When a
program is installed, a new subkey is created in the registry. This subkey contains settings specific
to that program, such as its location, version, and primary executable.

Note:
For a forensic analyst, the registry can be the best place to find evidence of what, where, when, and how
something occurred on the system.

Wireless Evidence:

Registry evidence that records which wireless access point (AP) the system was connected to, and
therefore which AP an attacker using that system was connected to and when.

Types of Registry Hives

HKEY_USERS - Contains all the loaded user profiles

HKEY_CURRENT_USER - Profile of the currently logged-on user

HKEY_CLASSES_ROOT - Configuration information on the applications used to open files

HKEY_CURRENT_CONFIG - Hardware profile of the system at start-up

HKEY_LOCAL_MACHINE - Configuration information including hardware and software settings

Importance of Registry in Windows Forensics

For a forensic analyst, the registry is a treasure trove of information. It is the database that contains
the default settings and the user- and system-defined settings of a Windows computer. The registry serves as
a repository that monitors, observes, and records the activities performed by the user on the
computer. The data is stored in main folders arranged in a tree-like structure; each main folder is called a
hive, its subfolders are called keys and subkeys, and each component's configuration is stored in entries
called values. Some important aspects of the Windows registry are:

The Windows registry can be considered a gold mine of forensic evidence.

New registry keys and values can be created manually, and existing ones can be modified.

The original files that hold the registry values are stored in the system directory itself.

Registry files are system protected and cannot be accessed by any user unless administrative access
is granted.

For the investigation, the forensic investigator analyses registry files with tools such as
Registry Viewer, RegShot, and Registry Browser.

Information about Trojans and other malware (for example, persistence entries) can be found in the registry.

Main Registry Hives

Hive – Supporting files on disk

HKEY_CURRENT_CONFIG – System, System.alt, System.log, System.sav

HKEY_CURRENT_USER – Ntuser.dat, Ntuser.dat.log

HKEY_LOCAL_MACHINE\SAM – Sam, Sam.log, Sam.sav

HKEY_LOCAL_MACHINE\Security – Security, Security.log, Security.sav

HKEY_LOCAL_MACHINE\Software – Software, Software.log, Software.sav

HKEY_LOCAL_MACHINE\System – System, System.alt, System.log, System.sav

HKEY_USERS\.DEFAULT – Default, Default.log, Default.sav
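The hive-to-file table above is what an investigator works from when collecting evidence from a mounted image. The following script is an added example (it is not part of the original document) that turns the table into a collection step: for each logical hive it locates the primary file under the standard Windows\System32\config location, picks up the supporting files the page lists (.log, .sav, .alt) together with the .LOG1/.LOG2 transaction logs that newer Windows versions use, finds one NTUSER.DAT per profile under Users\, and records a SHA-256 of every file so the copies can be verified later. The volume root is whatever the investigator mounted and is passed in as an argument; the files created for the demonstration are constructed samples.

```python
"""Locate and hash Windows registry hive files on a mounted evidence volume."""
import hashlib
from pathlib import Path

# Logical hive -> primary file name, relative to the mounted volume root.
# These are the standard on-disk locations; per-user hives (NTUSER.DAT)
# are discovered under Users\<name> instead.
SYSTEM_HIVES = {
    "HKEY_LOCAL_MACHINE\\SAM": "Windows/System32/config/SAM",
    "HKEY_LOCAL_MACHINE\\Security": "Windows/System32/config/SECURITY",
    "HKEY_LOCAL_MACHINE\\Software": "Windows/System32/config/SOFTWARE",
    "HKEY_LOCAL_MACHINE\\System": "Windows/System32/config/SYSTEM",
    "HKEY_USERS\\.DEFAULT": "Windows/System32/config/DEFAULT",
}

# Supporting-file suffixes: the page's .log/.sav/.alt plus the .LOG1/.LOG2
# transaction logs used since Windows Vista. "" is the primary file itself.
SUPPORT_SUFFIXES = ("", ".log", ".log1", ".log2", ".sav", ".alt")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large hives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hive_files(directory: Path, base_name: str) -> list:
    """Return the primary and supporting files for one hive.

    Names are matched case-insensitively: NTFS is case-insensitive, but the
    image may be mounted on a case-sensitive Linux file system.
    """
    wanted = {(base_name + s).lower() for s in SUPPORT_SUFFIXES}
    if not directory.is_dir():
        return []
    return sorted(p for p in directory.iterdir()
                  if p.is_file() and p.name.lower() in wanted)


def collect_hives(volume_root) -> dict:
    """Map each logical hive to {relative path: sha256} for files actually present."""
    root = Path(volume_root)
    result = {}
    for hive, rel in SYSTEM_HIVES.items():
        primary = root / rel
        files = find_hive_files(primary.parent, primary.name)
        result[hive] = {p.relative_to(root).as_posix(): sha256_of(p) for p in files}
    # One HKEY_CURRENT_USER hive per profile: Users\<name>\NTUSER.DAT
    users_dir = root / "Users"
    if users_dir.is_dir():
        for profile in sorted(users_dir.iterdir()):
            files = find_hive_files(profile, "NTUSER.DAT")
            if files:
                result[f"HKEY_CURRENT_USER ({profile.name})"] = {
                    p.relative_to(root).as_posix(): sha256_of(p) for p in files}
    return result


if __name__ == "__main__":
    import sys
    # usage: python collect_hives.py /mnt/evidence_volume
    for hive, files in collect_hives(sys.argv[1]).items():
        print(hive)
        for rel, digest in files.items():
            print(f"  {rel}  {digest}")
```

An empty mapping for a hive means the primary file was not found where Windows normally keeps it, which is itself worth recording; a hive whose .LOG1/.LOG2 files are missing may not reflect the last transactions written before the system was powered off.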

File System

What is a file system?

In computing, a file system controls how data is stored and retrieved. In other words, it is the
method and data structure that an operating system uses to keep track of files on a disk or
partition. It separates the data we put into the computer into pieces and gives each piece a name,
so that the data is easily isolated and identified. Without a file system, the information saved on a
storage medium would be one large body of data with no way to tell where one piece of information
begins and another ends. Any computer file is stored on a storage medium with a given
capacity. In fact, each storage medium is a linear space for reading, or for both reading
and writing, digital information. Each byte of information on it has an offset from
the start of the storage, known as its address, and is referenced by that address. The
file system is a structured representation of the data together with a set
of metadata describing that data.
File metadata

File metadata is a data structure that contains data about a file, such as:

 File size

 Timestamps, like creation date, last accessed date, and modification date

 The file's owner

 The file's mode (who can do what with the file)

 Which blocks on the partition are allocated to the file, and much more

Metadata isn't stored with the file content, though. Instead, it's stored in a different place on the
disk, but associated with the file.

In Unix-like systems, the metadata takes the form of data structures called inodes.

Inodes are identified by a unique number called the inode number.

Inodes are associated with files in a table called the inode table.

Each file on the storage device has an inode, which contains information about it such as the time it
was created, when it was modified, and so on.
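The inode description above can be seen directly from user space. The following added example (not from the original document) reads a file's metadata through os.stat(), which on a Unix-like system returns exactly the inode fields the list names (size, timestamps, owner, mode, allocated blocks), decodes the mode into the familiar rwx string, and then creates a hard link to show that a second name refers to the same inode number: the metadata lives once, apart from the content, and both names report it. The file names and content it creates are constructed for the demonstration.

```python
"""Inspect a file's inode-resident metadata and demonstrate that hard links share one inode."""
import os
import stat
import tempfile
from datetime import datetime, timezone


def mode_string(mode: int) -> str:
    """Render st_mode the way `ls -l` does, e.g. '-rw-r-----'."""
    return stat.filemode(mode)


def inode_metadata(path: str) -> dict:
    """Return the inode-resident metadata for path; the content is never read."""
    st = os.stat(path)
    return {
        "inode": st.st_ino,
        "size": st.st_size,
        "owner_uid": st.st_uid,
        "group_gid": st.st_gid,
        "mode": mode_string(st.st_mode),
        "links": st.st_nlink,                 # number of directory names pointing at this inode
        "blocks_allocated": st.st_blocks,     # 512-byte units on POSIX systems
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
        "accessed": datetime.fromtimestamp(st.st_atime, timezone.utc),
        # On Unix st_ctime is the inode *change* time (metadata changed), not creation time.
        "inode_changed": datetime.fromtimestamp(st.st_ctime, timezone.utc),
    }


def same_inode(path_a: str, path_b: str) -> bool:
    """True when two names refer to one inode on one device, i.e. they are hard links."""
    a, b = os.stat(path_a), os.stat(path_b)
    return a.st_ino == b.st_ino and a.st_dev == b.st_dev


def demo_hard_link(workdir: str) -> tuple:
    """Create a constructed sample file and a hard link to it; return both metadata records."""
    original = os.path.join(workdir, "evidence.txt")
    link = os.path.join(workdir, "evidence_link.txt")
    with open(original, "w") as f:
        f.write("constructed sample content\n")
    os.chmod(original, 0o640)            # owner rw, group r, others none
    os.link(original, link)              # second name, same inode
    return inode_metadata(original), inode_metadata(link)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        orig, lnk = demo_hard_link(d)
        for key in orig:
            print(f"{key:16} {orig[key]}  |  {lnk[key]}")
```

Note that after the link is created the link count of the one inode is 2, so deleting either name does not free the inode or its data; forensically, a file is only gone from the inode table once every name referring to it has been removed.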

How a file system works

A file system stores and organizes data and can be thought of as a type of index for all the data
contained on a storage device. These devices can include hard drives, optical drives, and flash drives.

File systems specify conventions for naming files, including the maximum number of characters in a
name, which characters can be used and, in some systems, how long the file name suffix can be. In
many file systems, file names are not case sensitive.

Along with the file itself, file systems keep information such as the size of the file, as well as its
attributes, location, and position in the directory hierarchy, in the metadata. Metadata can also identify free
blocks of available storage on the drive and how much space is available.

A file system also includes a format for specifying the path to a file through the structure of directories.
A file is placed in a directory (a folder in Windows) or a subdirectory at the desired place in
the tree structure.

Before files and directories are created on the storage medium, partitions should be put into place.
A partition is a region of the hard disk or other storage that the OS manages separately. One file
system is contained in the primary partition, and some OSes allow for multiple partitions on one disk. In this
situation, if one file system gets corrupted, the data in a different partition will be safe.

File system access

File systems can also restrict read and write access to a particular group of users. Passwords are the easiest
way to do this. Along with controlling who can modify or read files, restricting access can ensure that data
modification is controlled and limited.

File permissions such as access or capability control lists can also be used to moderate file system access.
These types of mechanisms are useful to prevent access by regular users, but not as effective against outside
intruders.

Encrypting files can also prevent user access, but it is focused more on protecting systems from outside
attacks. An encryption key can be applied to unencrypted text to encrypt it, or the key can be used to decrypt
encrypted text. Only users with the key can access the file. With encryption, the file system does not need to
know the encryption key to manage the data effectively.

Types of file systems

There are a number of types of file systems, all with different logical structures and properties, such as speed
and size. The type of file system can differ by OS and the needs of that OS. The three most common PC
operating systems are Microsoft Windows, Mac OS X, and Linux.

FAT (File Allocation Table) - A file system developed for personal computers. Originally developed in
1977 for use on floppy disks, it was adapted for use on hard disks and other devices. It is often supported for
compatibility reasons by current operating systems for personal computers and many mobile
devices and embedded systems, allowing interchange of data between disparate systems. The increase in disk
drive capacity required three major variants: FAT12, FAT16, and FAT32. Their maximum volume sizes are:

FAT12: 32 MB (256 MB for 64 KB clusters)

FAT16: 2 GB (4 GB for 64 KB clusters)

FAT32: 2 TB (16 TB for 4 KB sectors)

A sector is the smallest unit that can be accessed on a storage device like an HDD or SSD. A cluster,
or allocation unit, is a group of sectors that make up the smallest unit of disk allocation for a file
within a file system.
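The sector and cluster definitions above, together with the FAT size limits, are simple to put into code. The following added example (not part of the original document) applies them: a cluster is a fixed number of sectors, a file always occupies a whole number of clusters, and the unused bytes between the end of the file and the end of its last cluster (file slack) are not overwritten by that file. It also decides the FAT variant the way the Microsoft FAT specification does, from the number of data clusters alone (fewer than 4085 clusters is FAT12, fewer than 65525 is FAT16, otherwise FAT32), which is why the page's limits scale with cluster size; the volume parameters used at the bottom are constructed sample values.

```python
"""Cluster arithmetic for FAT volumes: variant selection, allocation and slack."""
import math

FAT12_MAX_CLUSTERS = 4084     # largest data-cluster count that is still FAT12
FAT16_MAX_CLUSTERS = 65524    # largest data-cluster count that is still FAT16


def fat_type(data_clusters: int) -> str:
    """The FAT variant is decided by the data-cluster count, not by volume size or label."""
    if data_clusters <= FAT12_MAX_CLUSTERS:
        return "FAT12"
    if data_clusters <= FAT16_MAX_CLUSTERS:
        return "FAT16"
    return "FAT32"


def cluster_size_bytes(bytes_per_sector: int, sectors_per_cluster: int) -> int:
    """A cluster (allocation unit) is a fixed run of sectors."""
    return bytes_per_sector * sectors_per_cluster


def file_allocation(file_size: int, cluster_bytes: int) -> dict:
    """Clusters a file consumes on disk and the slack left after its last byte.

    Slack bytes are inside the file's own clusters but beyond its logical end,
    so they may still hold whatever a previous file left there.
    """
    clusters = math.ceil(file_size / cluster_bytes) if file_size else 0
    allocated = clusters * cluster_bytes
    return {
        "clusters": clusters,
        "allocated_bytes": allocated,
        "slack_bytes": allocated - file_size,
    }


def max_volume_bytes(data_clusters: int, cluster_bytes: int) -> int:
    """Upper bound on addressable data for a given cluster count and cluster size."""
    return data_clusters * cluster_bytes


def describe_volume(bytes_per_sector: int, sectors_per_cluster: int, data_clusters: int) -> dict:
    """Summarise a volume's geometry the way a forensic tool's 'fsstat' view would."""
    cb = cluster_size_bytes(bytes_per_sector, sectors_per_cluster)
    return {
        "fat_type": fat_type(data_clusters),
        "cluster_bytes": cb,
        "max_volume_mib": max_volume_bytes(data_clusters, cb) // (1024 * 1024),
    }


if __name__ == "__main__":
    # Constructed sample: 512-byte sectors, 128 sectors per cluster (64 KB), 4084 clusters.
    print(describe_volume(512, 128, 4084))          # FAT12 at its 64 KB-cluster limit (~256 MB)
    print(describe_volume(512, 64, 65524))          # FAT16 with 32 KB clusters (~2 GB)
    print(file_allocation(1000, 4096))              # one 4 KB cluster, 3096 bytes of slack
```

Running the first call reproduces the page's "256 MB for 64 KB clusters" figure for FAT12 (4084 clusters of 64 KB is about 255 MiB), and the second the 2 GB FAT16 limit.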

HPFS (High Performance File System) - A file system designed especially for
IBM OS/2. It is known for handling large files of up to 2 GB across multiple hard disks, as well as
for handling long file names of up to 256 bytes. HPFS was designed to improve on the weaknesses of
the file allocation table file system.

The advantages of HPFS include:

1. Contiguous storage
2. Separate date stamps for file creation, last access, and modification
3. Less file fragmentation
4. Smaller cluster size
5. Support for storage devices of up to 512 GB

Its main drawback is that it requires more system memory.

ReFS (Resilient File System) - The latest file system developed by Microsoft, introduced with
Windows 8 and now available for Windows 10. Its architecture differs completely from the other
Windows formats and is organized mainly in the form of a B-tree. ReFS has a high tolerance to failures
thanks to the new features included in it. The most noteworthy of them is copy-on-write: no
metadata is modified without first being copied, and data is never written over existing data but is placed in
another area of the disk.

exFAT (Extended File Allocation Table) - A file system introduced by
Microsoft in 2006. It was created for use on flash memory such as USB flash drives, SD cards, and so on.
The name exFAT hints at its precursor, the FAT file system. exFAT is a newer version of the
FAT32 file system, and you can think of it as a middle ground between FAT32 and the NTFS file
system (New Technology File System). It supports cluster sizes of up to 32 MB.

NTFS (New Technology File System) - Introduced in 1993 with Windows NT, it is
currently the most common file system for end-user computers based on Windows. Most operating
systems of the Windows Server line use this format as well.

Today, NTFS is used most often with the following Microsoft operating systems:

 Windows 10
 Windows 8
 Windows 7
 Windows Vista
 Windows XP
 Windows 11

NTFS can normally be seen listed under the file system option on our own system, as shown in the
figure (taken from a Windows 10 system).
