COS/PSA 413

Day 3
 Agenda

• Questions?
• Assignment 1 due
• Lab Write-ups (project 2-1 and 2-2) due next class
• Lab Recap and After Action Report
• Begin Discussion on Working with Windows and
DOS Systems
– Chapter 3 in 1e and Chapter 7 in 2e

Guide to Computer Forensics and Investigations, 2e 2

 Lab 1 Recap

• Always know what are going to do before you sit

down at the forensics workstations
– Methodical not “hack and slash”
– Requires reading and prior prep
• Learn DOS
– Most forensics work is down at low levels (not GUI)
– http://www.glue.umd.edu/~nsw/ench250/dostutor.ht
m
• Have part of the lab report started before the lab
– Know what it is you are looking for

Guide to Computer Forensics and Investigations, 2e 3

Guide to Computer
Forensics and
Investigations

Chapter 3
Working with Windows
and DOS Systems
 Objectives

• Understand file systems

• Explore Microsoft file structures
• Examine New Technology File System (NTFS)
disks

Guide to Computer Forensics and Investigations, 2e 5

 Objectives (continued)

• Understand the Windows Registry

• Understand Microsoft boot tasks
• Understand MS-DOS startup tasks

Guide to Computer Forensics and Investigations, 2e 6

 Understanding File Systems

• Understand how OSs work and store files

• CompTIA A+ certification
• File system
– Road map to data on a disk
– Determines how data is stored on disk
• Become familiar with file systems

Guide to Computer Forensics and Investigations, 2e 7

 Understanding the Boot Sequence

• Avoid data contamination or modification

• Complementary Metal Oxide Semiconductor
(CMOS)
– Stores system configuration, data, and time
• BIOS
– Performs input/output at hardware level

Guide to Computer Forensics and Investigations, 2e 8

 Understanding the Boot Sequence
(continued)

• Make sure computer boots from a floppy disk

– Modify CMOS
– Accessing CMOS depends on the BIOS
• Delete key
• Ctrl+Alt+Insert
• Ctrl+A
• Ctrl+F1
• F2
• F12

Guide to Computer Forensics and Investigations, 2e 9

 Understanding the Boot Sequence
(continued)

Guide to Computer Forensics and Investigations, 2e 10

 Understanding Disk Drives

• Composed of one or more platters

• Elements of a disk:
– Geometry
– Head
– Tracks
– Cylinders
– Sectors

Guide to Computer Forensics and Investigations, 2e 11

Understanding Disk Drives (continued)

Guide to Computer Forensics and Investigations, 2e 12

Understanding Disk Drives (continued)

• Cylinder, head, sector (CHS) calculation

– 512 bytes per sector
– Tracks contain sectors
– Number of bytes on a disk
• Cylinders (platters) x Heads (tracks) x sectors
• First track is track 0
– So if a disc list 79 tracks (like a floppy) does, it has
80 tracks

Guide to Computer Forensics and Investigations, 2e 13

Guide to Computer Forensics and Investigations, 2e 14
Understanding Disk Drives (continued)

• Zoned bit recording (ZBR)

– Platter’s inner tracks are smaller than outer tracks
– Group tracks by zone
• Track density
– Space between each track
• Areal density
– Number of bits on one square inch of a platter

Guide to Computer Forensics and Investigations, 2e 15

 Exploring Microsoft File Structures

• Need to understand
– FAT
– NTFS
• Sectors are grouped on clusters
– Storage allocation units of at least 512 bytes
– Minimize read and write overhead
• Clusters are referred to as logical addresses
• Sectors are referred to as physical addresses

Guide to Computer Forensics and Investigations, 2e 16

 Disk Partitions

• Logical drive
• Hidden partitions or voids
– Large, unused gaps between partitions
– Also known as partition gaps
– Can hide data
• Use a disk editor to change partitions table
– Norton Disk Edit
– WinHex, Hex Workshop
– http://www.x-ways.net/winhex/index-m.html

Guide to Computer Forensics and Investigations, 2e 17

 Disk Partitions (continued)

Guide to Computer Forensics and Investigations, 2e 18

 Disk Partitions (continued)

• Disk editor additional functions

– Identify OS on an unknown disk
– Identify file types

Guide to Computer Forensics and Investigations, 2e 19

 Disk Partitions (continued)

Guide to Computer Forensics and Investigations, 2e 20

Guide to Computer Forensics and Investigations, 2e 21
 Disk Partitions (continued)

Guide to Computer Forensics and Investigations, 2e 22

Guide to Computer Forensics and Investigations, 2e 23
 Master Boot Record

• Stores information about partitions

– Location
– Size
– Others
• Software can replace master boot record (MBR)
– PartitionMagic
– LILO
– Can interfere with forensics tasks
– Use more than one tool

Guide to Computer Forensics and Investigations, 2e 24

 Examining FAT Disks

• FAT was originally developed for floppy disks

– Filenames, directory names, date and time stamps,
starting cluster, attributes
• Typically written to the outermost track
• Evolution
– FAT12
– FAT16
– FAT32

Guide to Computer Forensics and Investigations, 2e 25

 Examining FAT Disks (continued)

Guide to Computer Forensics and Investigations, 2e 26

 Examining FAT Disks (continued)

• Drive slack
– Unused space on a cluster
– RAM slack
• Can contain logon IDs and passwords
• Common on older systems
– File slack
• Bytes not used on the sector by the file
• FAT16 unintentionally reduced fragmentation

Guide to Computer Forensics and Investigations, 2e 27

 Examining FAT Disks (continued)

Guide to Computer Forensics and Investigations, 2e 28

 Examining FAT Disks (continued)

• Cluster chaining
– File clusters are together (when possible)
• Produces fragmentation
• Tools
– Norton DiskEdit
– DriveSpy’s Chain Fat Entry (CFE) command
• Rebuilding broken chains can be difficult

Guide to Computer Forensics and Investigations, 2e 29

 Examining FAT Disks (continued)

Guide to Computer Forensics and Investigations, 2e 30

Guide to Computer Forensics and Investigations, 2e 31
 Deleting FAT Files

• Filename in FAT database starts with HEX E5

• FAT chain for that file is set to zero
• Free disk space is incremented
• Actual data remains on disk
• Can be recovered with computer forensics tools

Guide to Computer Forensics and Investigations, 2e 32

 Examining NTFS Disks

• First introduced with Windows NT

• Spin off HPFS
– From IBM O/S 2
• Provides improvements over FAT file systems
– Stores more information about a file
• Microsoft’s move toward a journaling file system
– Keep track of transactions
– Can be rolled back

Guide to Computer Forensics and Investigations, 2e 33

 Examining NTFS Disks (continued)

• Partition Boot Sector starts at sector 0

• Master File Table (MFT)
– First file on disk
– Contains information about all files on disk
(meta-data)
• Reduces slack space
• NTFS uses Unicode
– UTF-8, UTF-16, UTF-32

Guide to Computer Forensics and Investigations, 2e 34

 Examining NTFS Disks (continued)

Guide to Computer Forensics and Investigations, 2e 35

 NTFS File Attributes

• All files and folders have attributes

• Resident attributes
– Stored in the MFT
• Nonresident attributes
– Everything that can be stored on the MFT
• Uses inodes for nonresident attributes
• Logical and virtual cluster numbers
– LCN and VCN

Guide to Computer Forensics and Investigations, 2e 36

 NTFS Data Streams

• Data can be appended to a file when examining a

disk
– Can obscure valuable evidentiary data
• Additional data attribute of a file
• Allow files be associated with different applications

Guide to Computer Forensics and Investigations, 2e 37

 NTFS Compressed Files

• Improve data storage

– Compression similar to FAT DriveSpace 3
• File, folders, or an entire volume can be
compressed
• Transparent when working with Windows XP,
2000, or NT
• Need to decompress it when analyzing
– Advanced tools do it automatically

Guide to Computer Forensics and Investigations, 2e 38

 NTFS Encrypted File System (EFS)

• Introduced with Windows 2000

• Implements a public key/private key encryption
method
• Recovery certificate
– Recovery mechanisms in case of a problem
• Works for local workstations or remote servers

Guide to Computer Forensics and Investigations, 2e 39

 Deleting NTFS Files

• Similar to FAT
• NTFS is more efficient than FAT
– Reclaiming deleted space
– Deleted files are overwritten more quickly

Guide to Computer Forensics and Investigations, 2e 40

 Understanding the Windows Registry

• Database that stores:

– Hardware and software configuration
– User preferences (user names and passwords)
– Setup information
• Use Regedit command for Windows 9x
• Use Regedt32 command for Windows XP and
2000
• FTK Registry Viewer

Guide to Computer Forensics and Investigations, 2e 41

 Understanding the Windows Registry
(continued)

• Windows 9x Registry
– User.dat
– System.dat
• Windows 2000 and XP Registry
– \Winnt\System32\Config
– \Windows\System32\Config
– System, SAM, Security, Software, and NTUser.dat

Guide to Computer Forensics and Investigations, 2e 42

Understanding the Windows Registry
(continued)

Guide to Computer Forensics and Investigations, 2e 43

 Understanding Microsoft Boot Tasks

• Prevent damaging digital evidence

• OSs alter files when computer starts up

Guide to Computer Forensics and Investigations, 2e 44

 Windows XP, 2000 and NT Startup

• Steps:
– Power-on self test (POST)
– Initial startup
– Boot loader
– Hardware detection and configuration
– Kernel loading
– User logon

Guide to Computer Forensics and Investigations, 2e 45

 Startup Files for Windows XP

• Files used during boot process:

– NTLDR
– Boot.ini
– BootSec.dos
– NTDetect.com
– NTBootdd.sys
– Ntoskrnl.exe
– Hal.dll
– Device drivers

Guide to Computer Forensics and Investigations, 2e 46

 Windows XP System Files

Guide to Computer Forensics and Investigations, 2e 47

 Windows 9x and Me Startup

• Windows Me cannot boot to a true MS-DOS mode

• Windows 9x OSs have two modes
– DOS protected-mode interface (DPMI)
• Command prompt from boot menu
– Protected-mode GUI
• Dos shell in windows
• Startup files
– Io.sys
– Msdos.sys
– Command.com

Guide to Computer Forensics and Investigations, 2e 48

 Windows 9x and Me Startup
(continued)

Guide to Computer Forensics and Investigations, 2e 49

Understanding MS-DOS Startup Task

• Io.sys
– Loaded after the ROM bootstrap
– Finds the disk drive
– Provides basic input/output services
• Msdos.sys
– Loaded after Io.sys
– Actual kernel for MS-DOS
– Looks for Config.sys

Guide to Computer Forensics and Investigations, 2e 50

Understanding MS-DOS Startup Task
(continued)

• Msdos.sys (continued)
– Loads Command.com
– Loads Autoexec.bat
• Config.sys
– Commands run only at system startup
• Autoexec.bat
– Customized setting for MS-DOS
– Define default path and environmental variables

Guide to Computer Forensics and Investigations, 2e 51

 Other Disk Operating Systems

• Control Program for Microprocessors (CP/M)

• Digital Research Operating System (DR-DOS)
• Personal Computer Disk Operating System (PC-
DOS)
– Developed by IBM

Guide to Computer Forensics and Investigations, 2e 52

 DOS Commands and Batch Files

• Batch files
– Fixed sequence of DOS commands
– Ideal for repetitive tasks
• Batch files work like a single command
• MS-DOS supports parameter passing and
conditional execution
– Can pass up to 10 parameters

Guide to Computer Forensics and Investigations, 2e 53

 DOS Commands and Batch Files
(continued)

Guide to Computer Forensics and Investigations, 2e 54

 DOS Commands and Batch Files
(continued)

Guide to Computer Forensics and Investigations, 2e 55

 Summary

• FAT
– FAT12, FAT16, and FAT32
• Windows Registry keeps hardware and software
configuration and preferences
• CHS calculation
• NTFS
• Look for hidden information on file, RAM, and drive
slack

Guide to Computer Forensics and Investigations, 2e 56

 Summary (continued)

• NTFS uses Unicode to store information

• Hexadecimal codes identify OSs and file types
• NTFS uses inodes to link file attribute records
– Resident and nonresident
• NTFS compressed files
• NTFS encrypted files (EFS)

Guide to Computer Forensics and Investigations, 2e 57