Digital Forensic Fundamentals - Chapter 4

The document discusses operating systems and file systems, describing how operating systems control hardware and software interaction through kernels, manage users and permissions, and organize data storage through disk and file structures. It provides overviews of common operating systems like Windows and Linux, explains file systems like FAT, NTFS, and EXT, and covers concepts such as disk structure with platters, tracks, sectors, and clusters.

Uploaded by

Rosezh bhandari

Chapter 4

STW109SE
Digital Forensics Fundamentals

Chapter 4: Operating Systems and File Systems

Dipesh Maskey 1
Lesson Objectives

 Develop an understanding of Operating Systems (Windows, Linux etc.) overview.
 Knowing User Data, Profiles and attributes of files and folders.
 Understanding Disk Structure and Directory Structure.
 Understanding the Boot Process.
 Understanding the different File Systems (FAT, NTFS, EXT2, EXT3, etc.).
 File extension and File Signature.

Chapter 4: Operating System (OS)
 An operating system is a program that controls how a computer functions.
 It controls how data is accessed, saved, and organized on a storage device.
 Acts as an interface between the software and the computer hardware.
 Specialized programs used to manage the overall resources of hardware and software.
 Core software programs that enable the user to interact with the hardware.
Chapter 4: Few Examples of Operating System
 Microsoft Windows Operating System (Windows 10, Windows 8, Windows XP etc.)
 Linux Operating System
 Apple macOS
 iOS
 Google Android Operating System
 Unix
 DOS

Chapter 4: Operating System
The core of the operating system is called the kernel.

Monolithic kernel: a monolithic kernel executes all the operating instructions in the same address space.

Microkernel: a microkernel delegates user services and kernel services to different address spaces to make the operating system more modular and, therefore, easier to maintain.

The kernel is responsible for memory management, process and task management, disk management, I/O communication, interrupt handling and device management. The kernel performs its tasks in kernel space.

Everything a user normally does, such as writing text in a text editor or running programs in a GUI, is done in user space.
Chapter 4: Operating System Interfaces

A user interface is the way a user communicates with the computer.
A user interface may also be known as a shell.
Two major interface types:
Graphical user interface (GUI)
Command-line interface (CLI)

Chapter 4: Functions of Operating System

It provides the interface for the user to interact with the hardware
Coordinates between multiple hardware components
Provides an environment for software to function
User Management
Disk and File Structure Management (Files, Folders: view, copy, move, rename, delete etc.)
Memory Management
Task Management
Device Management
Process Management
Handling Interrupts and Input/Output
Security
Monitoring system health and functionality
Chapter 4: User Management
User Management is the ability of the operating system to create and manage users with different roles and privileges for specific tasks.
Different Kinds of User Accounts in Windows

Administrator: The administrator controls the entire computer or a specific service, e.g. Administrators, Domain Admins, Enterprise Admins etc.

Standard: Standard account holders can access most of the computer, but they can't make any big changes to it. They can't run or install new programs, for example, but they can run existing programs.

Child: The Child account setting is actually just a Standard account with the Family Safety settings automatically turned on.

Guest: Guests can play with the computer, but the computer doesn't recognize them by name. Anybody can sign in with the Guest account, and the desktop will look the way the last guest left it.
Chapter 4: User Management (Windows)
A security identifier (SID) is a unique and unchangeable identifier of variable length used to identify a trustee (a user, user group or security principal). A security principal can have only one security identifier, which it retains for life and which is associated with all of the principal's properties, including its name.

To check the SID of all users within the system:

Chapter 4: User Management (Windows)
How to Find a User's SID in the Registry
You can also determine a user's SID by looking through the ProfileImagePath values in each S-1-5-21 prefixed SID
listed under this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Chapter 4: User Management
Different Kinds of User Accounts in Linux

Super Users:
Super users are administrators, or the root user, with control over the whole system.

System Users:
They are the software/application users created automatically by the system, e.g. mail, MySQL, ftp etc.

Normal Users:
Normal users are the accounts that you use regularly. A regular user has no privileges for changing system files and root-managed files, but some system files can be viewed. A regular user can access all the files in that user's domain.

Chapter 4: Disk and File Management
Disk
A disk is a device that stores data permanently.
Disk Drive
A disk drive is a device that reads and/or writes data to a disk for permanent storage.

The most common types of disk with disk drive are:

 Floppy Disk with Floppy Disk Drive
 Hard Disk with Hard Disk Drive
   HDD (Hard Disk Drive)
   SSD (Solid State Drive)
 Removable Storage
   USB Drive
 Optical Drives
   CD
   DVD
Chapter 4: Disk and File Management
HDD
 is a non-volatile memory hardware device that permanently stores and retrieves data on a computer.
 The size of the disk can be expressed in KB, MB, GB, TB etc.
 An internal hard drive is connected to the computer using a data cable (IDE, SATA, or SCSI) that connects to the motherboard and a power cable that connects to the power supply.

[Figure: IDE, SATA and SCSI data cables, and the power cable]

Chapter 4: Disk and File Management
HDD Physical Structure
 Platters
   Circular magnetic plates; each surface is accessed by a read/write head.
   A disk can contain multiple platters.
   The platters rotate at a constant speed, e.g. 7200 rpm, 5400 rpm etc.
 Track
   Each platter is broken into thousands of tightly packed concentric circles, known as tracks.
   All information on the disk is recorded in tracks.
 Sector
   Each track is further broken down into smaller units called sectors.
   A single track typically can have thousands of sectors, and each sector can hold around 512 bytes of data.
   There are normally 1024 tracks on a hard disk, numbered from Track 0 (at the edge of the disk) to Track 1023 (near the center).
   Since most files are longer than 512 bytes, the file system must allocate the number of sectors required to store the file, e.g. a 640 byte file would require two sectors.
Chapter 4: Disk and File Management
HDD Physical Structure
 Cylinder
   A group of tracks which have the same track number, but are on different platters, is referred to as a cylinder.
 Cluster or Blocks
   A number of storage areas (sectors) are grouped together into blocks or clusters of a larger size.
   MS-DOS refers to them as file allocation units.
   These blocks are usually made up from contiguous areas on the disk, typically 1, 2, 4, 8 or 16 kilobytes in size.
   Larger capacity hard disks have a larger block size.
   Files are stored in units of blocks, rather than sectors, and these blocks are identified to the file system by a number, from 0 up to the total number of blocks on the disk.
   If the file is smaller than the cluster size for the disk, then this cluster will contain the whole file, and no other information needs to be stored.

But what if the file size is large?
Chapter 4: Disk and File Management

But what if the file size is large?
 We could insist that files are stored contiguously. If we know the first cluster and the file's size we shouldn't have any problem finding the data. However, even if there is plenty of storage available, we can run into problems: we have no way of knowing which areas on the disk are free and which are allocated.
 We could use a few bytes in each cluster to hold a pointer to the next one. This is known as a linked list.
 We could use an index table which has as many entries as there are clusters on the disk. The start cluster number from a file's directory entry points into the table. This entry contains the number of the next cluster allocated to that file, and this is used to point into the table again and get the next cluster number, until all the file's clusters have been accounted for. This is the solution adopted by MS-DOS and Windows. The table is known as the File Allocation Table (FAT).

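The index-table scheme described above, as an added example that is not code from the slides: a walker over a constructed in-memory FAT that follows each "next cluster" entry until the end-of-chain marker, decoding FAT12 (1.5 bytes), FAT16 (2 bytes) and FAT32 (4 bytes) entries, with the loop and free-cluster checks a forensic parser needs when the table on disk cannot be trusted.

```python
"""Follow a file's cluster chain through a File Allocation Table (FAT).

Added example, not part of the original slides. A small FAT image is
constructed in memory (no real disk is read) and walked as the slide
describes: the start cluster from the directory entry indexes the table,
the entry there names the next cluster, and so on until an end-of-chain
marker. Entry widths follow the FAT12/16/32 slide: 1.5, 2 and 4 bytes.
"""
import struct

# An entry at or above this value marks the end of a chain.
END_OF_CHAIN = {12: 0xFF8, 16: 0xFFF8, 32: 0x0FFFFFF8}


def read_entry(fat: bytes, cluster: int, bits: int) -> int:
    """Return the FAT entry for `cluster` using the FAT12/16/32 encoding."""
    if bits == 12:
        # FAT12 packs two 12-bit entries into three bytes.
        off = cluster * 3 // 2
        word = struct.unpack_from("<H", fat, off)[0]
        return word & 0x0FFF if cluster % 2 == 0 else word >> 4
    if bits == 16:
        return struct.unpack_from("<H", fat, cluster * 2)[0]
    if bits == 32:
        # The top 4 bits of a FAT32 entry are reserved and ignored.
        return struct.unpack_from("<I", fat, cluster * 4)[0] & 0x0FFFFFFF
    raise ValueError("bits must be 12, 16 or 32")


def cluster_chain(fat: bytes, start: int, bits: int) -> list:
    """List the clusters of the file that starts at `start`.

    Refuses chains that loop, point at a free (0) entry or start below
    cluster 2 (the first data cluster), so a corrupted table cannot send
    the walker round forever.
    """
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur in seen:
            raise ValueError(f"corrupt chain at cluster {cur}")
        chain.append(cur)
        seen.add(cur)
        nxt = read_entry(fat, cur, bits)
        if nxt >= END_OF_CHAIN[bits]:
            return chain
        if nxt == 0:
            raise ValueError(f"cluster {cur} points at a free cluster")
        cur = nxt


def chain_is_valid(fat: bytes, start: int, bits: int) -> bool:
    """True when the chain from `start` terminates cleanly inside the table."""
    try:
        cluster_chain(fat, start, bits)
        return True
    except (ValueError, struct.error):
        return False


def clusters_needed(file_size: int, bytes_per_cluster: int) -> int:
    """Ceiling division: a 640-byte file in 512-byte units needs 2."""
    return -(-file_size // bytes_per_cluster)


def build_fat(links: dict, bits: int, n_clusters: int) -> bytes:
    """Construct a FAT from a {cluster: next_cluster} mapping (test data only)."""
    if bits == 12:
        buf = bytearray((n_clusters * 3 + 1) // 2 + 1)
        for c, v in links.items():
            off = c * 3 // 2
            word = struct.unpack_from("<H", buf, off)[0]
            if c % 2 == 0:  # keep the neighbouring entry's shared nibble intact
                word = (word & 0xF000) | (v & 0x0FFF)
            else:
                word = (word & 0x000F) | ((v & 0x0FFF) << 4)
            struct.pack_into("<H", buf, off, word)
        return bytes(buf)
    fmt, size = ("<H", 2) if bits == 16 else ("<I", 4)
    buf = bytearray(n_clusters * size)
    for c, v in links.items():
        struct.pack_into(fmt, buf, c * size, v)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed FAT16 with one file occupying clusters 5 -> 6 -> 9.
    fat16 = build_fat({5: 6, 6: 9, 9: 0xFFFF}, 16, 16)
    print("FAT16 chain from cluster 5:", cluster_chain(fat16, 5, 16))
    print("clusters for a 640-byte file in 512-byte units:", clusters_needed(640, 512))
    # A looping chain (5 -> 6 -> 5) is what a damaged or tampered FAT looks like.
    print("looping chain valid?", chain_is_valid(build_fat({5: 6, 6: 5}, 16, 16), 5, 16))
```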
Chapter 4: Disk and File Management
SSD Physical Structure
 is a type of non-volatile storage media that stores persistent data on solid-state flash memory.
 Two key components make up an SSD: a flash controller and NAND flash memory chips.
 Rather than using disks, motors and read/write heads, SSDs use flash memory instead, that is, computer chips that retain their information even when the power is turned off.
 An SSD has access speeds of 35 to 100 microseconds, which is nearly 100 times faster than an HDD.
 In terms of reliability, the SSD has no moving parts; it uses flash memory to store data. An HDD has moving parts and magnetic platters, meaning the more use they get, the faster they wear down and fail.
 SSDs are more expensive than HDDs.

Chapter 4: Disk and File Management

Check if the Disk is HDD or SSD?

Go to Control Panel -> Administrative Tools -> select Defragment and Optimize Drives.

Chapter 4: Disk and File Management
HDD Logical Structure
 Master Boot Record (main boot loader)
   Boot Loader
   Partition Table
 Volume
   Drives
   Boot Record
   File System (FAT, NTFS): registry of the available/occupied areas on disk
   Root Directory: evidence of file names, attributes, etc.
   Folders
   Files
Chapter 4: Disk and File Management
HDD Logical Structure
 Master Boot Record (main boot loader)
   The information in the first sector of any hard disk that identifies how and where an operating system is located so that it can be started.
   The size of the MBR is 512 bytes.
 Boot Loader
   The boot loader is the first 446 bytes of the MBR. This section contains executable code, where programs are housed.
 Partition Table
   The partition table is 4 slots of 16 bytes each, each slot containing the description of a partition (primary or extended) on the disk.
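An added example, not code from the slides, that parses the layout just described: 446 bytes of boot code, four 16-byte partition table slots and, assumed from standard MBR layout rather than stated on the slide, the 0x55 0xAA signature in the last two bytes. The sample MBR and its partition entries are constructed in memory; the boot-code hash is the check an examiner makes against a known-good image.

```python
"""Parse the 512-byte Master Boot Record laid out on the slide.

Added example, not from the original slides. Layout used: bytes 0-445
boot loader code, bytes 446-509 four 16-byte partition table slots,
bytes 510-511 the 0x55 0xAA boot signature (standard MBR layout; the
slide does not mention the signature). The sample MBR below is
constructed in memory; no real disk is read.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
TABLE_OFFSET = 446
ENTRY_SIZE = 16
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"

# A few widely documented partition type codes.
PARTITION_TYPES = {
    0x05: "extended",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x83: "Linux",
}


@dataclass
class PartitionEntry:
    slot: int
    bootable: bool
    type_code: int
    lba_start: int
    sector_count: int

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_code, f"unknown (0x{self.type_code:02X})")

    @property
    def size_bytes(self) -> int:
        return self.sector_count * SECTOR_SIZE


def parse_mbr(mbr: bytes) -> list:
    """Return the populated partition slots; raise ValueError on a malformed MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype == 0x00:
            continue  # empty slot
        entries.append(PartitionEntry(slot, status == 0x80, ptype, lba, count))
    return entries


def mbr_is_valid(mbr: bytes) -> bool:
    """True when the sector has the right size and signature."""
    try:
        parse_mbr(mbr)
        return True
    except ValueError:
        return False


def boot_code_sha256(mbr: bytes) -> str:
    """Hash the 446 bytes of boot code for comparison with a known-good copy."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def make_entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    """Construct one 16-byte slot (CHS fields zeroed; the LBA fields carry the layout)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)


def sample_mbr() -> bytes:
    """Constructed sample: a bootable NTFS partition followed by an extended partition."""
    mbr = bytearray(MBR_SIZE)
    mbr[:BOOT_CODE_SIZE] = b"\x90" * BOOT_CODE_SIZE  # stand-in for real boot code
    table = make_entry(True, 0x07, 2048, 204800) + make_entry(False, 0x05, 206848, 102400)
    mbr[TABLE_OFFSET:TABLE_OFFSET + len(table)] = table  # slots 3 and 4 stay empty
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    image = sample_mbr()
    for p in parse_mbr(image):
        flag = "*" if p.bootable else " "
        print(f"{flag} slot {p.slot}: {p.type_name:14} start LBA {p.lba_start:>8} "
              f"sectors {p.sector_count:>8} ({p.size_bytes // 2**20} MiB)")
    print("boot code sha256:", boot_code_sha256(image))
```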
Chapter 4: Disk and File Management
Partition
 A hard disk drive can be divided into several storage units. These storage units are called partitions.
 A hard disk drive could be divided into three main partitions, called the primary and extended partitions. The extended partition in a hard disk drive could be subdivided into several partitions called logical partitions.
 A primary partition is a bootable partition and it contains the operating system(s) of the computer, while an extended partition is a partition that is not bootable.
 The structure of the logical partitions is described using one or more Extended Boot Records (EBR).
Chapter 4: Disk and File Management
Partition (Windows)
1. Open the Control Panel.
2. Open Administrative Tools, then open Computer Management.
3. In Computer Management, under Storage, click Disk Management, which displays all drives and each of their file systems.

Chapter 4: Disk and File Management
Partition Details (Windows)
Go to Control Panel -> Administrative Tools -> select System Information -> Components -> Storage -> Disk

Chapter 4: Disk and File Management
Partition and Partition Details (Linux)
# fdisk -l
# fdisk -l /dev/sda

Chapter 4: Disk and File Management
[Figure: partition layout showing the Primary Partition, the Extended Partition and the Logical Partitions inside it]
EMBR = Extended Master Boot Record
DBR = DOS Boot Record
FAT = File Allocation Table

The number of primary partitions that could be created in a hard disk is limited (maximum is four), whereas the number of logical partitions that could be created is limited only by the available hard disk space.
Chapter 4: Disk and File Management
Volume, Drive and Root Directory
 A volume is a partition that has been formatted into a file system to make it usable. A volume is also more flexible than a partition.
 The specific name or identifier given to a volume of a specific size is known as a drive, and it is recognized by a letter (C, D, E, F etc.).
 Generally, primary partitions are assigned the first letters in the alphabet as drive letters (such as C, D), whereas logical drives get the other letters (such as E, F, G).
 The layer of system software responsible for organizing and managing the storage of data (files and folders) in a volume is known as the file system.
 Root Directory: evidence of file names, attributes, etc.
 Folders (Directory)
 Files
Chapter 4: Disk and File Management
Windows Files and Directory Structure

Chapter 4: Disk and File Management
Linux Files and Directory Structure
Directory: Description
/ (root filesystem): The root file system is the top-level directory of the file system. It must contain all of the files required to boot the Linux system before other file systems are mounted.
/bin: The /bin directory contains user executable files.
/boot: Contains the static bootloader and kernel executable and configuration files required to boot a Linux computer.
/dev: This directory contains the device files for every hardware device attached to the system. These are not device drivers; rather, they are files that represent each device on the computer and facilitate access to those devices.
/etc: Contains the local system configuration files for the host computer.
/home: Home directory storage for user files. Each user has a subdirectory in /home.
/lib: Contains shared library files that are required to boot the system.
/media: A place to mount external removable media devices such as USB thumb drives connected to the host.
/mnt: A temporary mountpoint for regular filesystems (as in not removable media) that can be used while the administrator is repairing or working on a filesystem.
/opt: Optional files such as vendor-supplied application programs should be located here.
/root: This is not the root (/) filesystem. It is the home directory for the root user.
/sbin: System binary files. These are executables used for system administration.
/tmp: Temporary directory. Used by the operating system and many programs to store temporary files.
/usr: These are shareable, read-only files, including executable binaries and libraries, man files, and other types of documentation.
/var: Variable data files are stored here. This can include things like log files, MySQL and other database files, web server data files, email inboxes, and much more.
Chapter 4: Disk and File Management
File System
 Is the layer of system software responsible for organizing and managing the storage of data (files and folders) and the way to access it.
 This defines how a file can be named, specifically the length of a filename and the subset of characters that can be used for filenames out of the total set of characters available.
 It also defines the logical structure of the data on a disk, such as the use of directories for organizing files.
 It defines the metadata structures, which determine which blocks of space on the disk are used and which are available; information about the files such as their size and the times they were created, modified or last accessed; and the location or locations of the data belonging to the file on the disk.
 Modern file systems also provide a security model, which is a scheme for defining access rights to files and directories. It ensures that users only have access to their own files and not those of others or the operating system itself.
Chapter 4: Disk and File Management
File System
 FAT 12
 FAT 16
 FAT 32
 NTFS
 EXT 2
 EXT 3
 HFS+ (Apple iOS, macOS)

Chapter 4: Disk and File Management
File System (FAT – File Allocation Table File System)
 Used by early Microsoft operating systems; first introduced in 1977.
 The table is a chart of numbers that correspond to cluster addresses on the hard drive, unused disk space, or other areas of the drive that are specially reserved.
 Maximum file size is limited to 4,294,967,295 bytes.
 Maximum files within a folder is 65,536 (i.e. a directory must not be larger than 2,097,152 bytes).
 Maximum file name = 8.3 characters.

FAT 12 (1977): contains 1.5 bytes per cluster within the file allocation table. The number of data clusters is less than 4087. Maximum volume size 256 MB.
FAT 16 (1983): contains 2 bytes per cluster within the file allocation table. The number of data clusters is between 4087 and 65526, inclusive. Maximum volume size 4 GB.
FAT 32 (1997): includes 4 bytes per cluster within the file allocation table. The number of data clusters is between 65526 and 268,435,456, inclusive. Maximum volume size 2 TB.
Chapter 4: Disk and File Management
File System (NTFS – New Technology File System)
 is a file system first introduced by Microsoft in 1993 with the release of Windows NT 3.1.
 NTFS is the primary file system used in Microsoft's Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, Windows 2000 etc.
 The file system is also supported in other operating systems like Linux and BSD. macOS has read-only support for NTFS.
 File attributes previously unseen in Windows operating systems, like the compressed attribute and indexed attribute, are available with NTFS-formatted drives.
 NTFS can support hard drives up to just under 16 EB (exabytes). Individual file size is capped at just under 256 TB.
 NTFS supports disk usage quotas. They are used mainly to control the amount of shared disk space someone can use, usually on a network drive.
 Encrypting File System (EFS) is another feature supported by NTFS. EFS provides file-level encryption, which means that individual files and folders can be encrypted. This is a different feature from full-disk encryption, which is the encryption of an entire drive.
 NTFS is a journaling file system, which means it provides a way for system changes to be written to a log, or journal, before the changes are actually written. The NTFS log provides file system recoverability by logging, or recording, the operations required for any transaction that alters important file system data structures.
Chapter 4: Disk and File Management
Checking File System (Windows System)
1. Open the Control Panel.
2. Open Administrative Tools, then open Computer Management.
3. In Computer Management, under Storage, click Disk Management, which displays all drives and each of their file systems.

Alternatively, go to Computer, right-click on the drive you wish to examine, and select Properties from the menu. The General tab shows the File system.

Chapter 4: Disk and File Management
Checking File System (Windows System)
• Use diskpart, or open PowerShell as administrator, type get-volume and press the Enter key.

Chapter 4: Disk and File Management
Checking File System (Windows System – USB Drives)
Use fsutil fsinfo volumeInfo
For example, on a USB drive:

Chapter 4: Disk and File Management
File System (EXT – Extended File System)
 Implemented in April 1992 as the first file system created specifically for the Linux kernel.
 It has a metadata structure inspired by the traditional Unix File System (UFS).
 The Linux file system unifies all physical hard drives and partitions into a single directory structure, instead of the multiple partitions, volumes and drives (C/D/E etc.) as in Windows: a unified directory structure.
 It all starts at the top, the root (/) directory. All other directories and their subdirectories are located under the single Linux root directory.
 Different versions are ext, ext2, ext3 and ext4.

Chapter 4: Disk and File Management
File System (EXT – Extended File System)

EXT 2
It was introduced in 1993.
Ext2 does not have a journaling feature. When the system crashes, the possibility of file system corruption is high because of no journaling.
Maximum individual file size can be from 16 GB to 2 TB.
Overall ext2 file system size can be from 2 TB to 32 TB.
Maximum filename length: 255 bytes (255 characters).
Maximum number of files: 10^18.
Filenames: All characters except NULL ('\0') and '/' are allowed.

EXT 3
It was introduced in 2001.
Journaling has a dedicated area in the file system, where all the changes are tracked.
Maximum individual file size can be from 16 GB to 2 TB.
Overall ext3 file system size can be from 2 TB to 32 TB.
Maximum filename length: 255 bytes (255 characters).
Maximum number of files: Variable.
Filenames: All characters except NULL ('\0') and '/' are allowed.

EXT 4
It was introduced in 2008.
You also have the option of turning the journaling feature "ON" and "OFF".
Maximum individual file size can be from 16 GB to 16 TB.
Overall maximum ext4 file system size is 1 EB (exabyte). 1 EB = 1024 PB (petabyte). 1 PB = 1024 TB (terabyte).
Maximum filename length: 255 bytes (255 characters).
Maximum number of files: 4 billion.
Filenames: All characters except NULL ('\0') and '/' are allowed.

Chapter 4: Disk and File Management
File System (EXT – Extended File System)
EXT 4
Several other new features are introduced in ext4:
 Extents (an extent is a contiguous area of storage reserved for a file in a file system, represented as a range of block numbers)
 Pre-allocation and multiblock allocation
 Backward compatibility
 Unlimited number of subdirectories
 Journal checksum
 Faster FS check
 Encryption

Chapter 4: Disk and File Management
Checking File System (Linux)
Using the df command

Get details from the /etc/fstab file

Chapter 4: Disk and File Management
Structure of EXT File System

 A boot sector in the first sector of the hard drive on which it is installed, which includes a very small boot record and a partition table.
 The space in each EXT2 partition is divided into cylinder groups.
 The first block in the cylinder group is a superblock, which contains the metadata that defines the other file system structures and locates them on the physical disk.
 The block bitmap keeps track of the used and free data blocks within the file system.
 Each cylinder group has its own inode bitmap that is used to determine which inodes are used and which are free within that group.
 The inode table contains the pointer to each inode, identified by a unique inode number for each file.
 An inode is a data structure on a file system on Linux and other Unix-like operating systems that stores all the information about a file except its name and its actual data.
Chapter 4: Disk and File Management
Structure of EXT File System
Information about a file held by the inode
 File type (executable, block special etc.)
 Permissions (read, write etc.)
 UID (owner)
 GID (group)
 File size
 Time stamps, including last access, last modification and last inode change.
 File deletion time
 Number of links (soft/hard)
 Location of the file on the hard disk.

To check the inode number of a file, use the following command; a file can also be searched for by its inode number.

Chapter 4: Disk and File Management
File attributes
File attributes are settings associated with computer files that grant or deny certain rights to how a user or the operating system can access that file.

Windows OS
Read-only - Allows a file to be read, but nothing can be written to the file or changed.
Archive - Tells Windows Backup to back up the file.
System - System file.
Hidden - File will not be shown when doing a regular DIR from DOS.

In operating systems like Linux, there are three main file attributes: read (r), write (w), execute (x).
Read - Designated as an "r"; allows a file to be read, but nothing can be written to or changed in the file.
Write - Designated as a "w"; allows a file to be written to and changed.
Execute - Designated as an "x"; allows a file to be executed by users or the operating system.

Chapter 4: Disk and File Management
File attributes, permission and ownership in Windows
Right-click the file/folder and choose Properties from the pop-up menu.

Chapter 4: Disk and File Management
File attributes, permission and ownership in Linux
Use ls -al (-a also lists hidden files). Each line shows:
• File type
  The first character describes whether it is a directory (d) or a file (-).
• File permissions
  The permissions in a nine-character section (3x3 for owner / group / other users).
• Number of links
  The number of links is the number of hard links to the file. For a directory, the number of hard links is the number of (immediate) subdirectories plus the parent directory and itself.
• Owner name
• Owner group
• File size
  You see many files with a size of 4096, which is the minimum size for a directory on ext3 and ext4.
• Time of last modification
• The name of the file or directory
Chapter 4: Disk and File Management
File attributes, permission and ownership in Linux (Hard Link Vs. Soft Link)

Hard Link
A hard link acts like a mirror copy of the original file.
It has the same inode number and permissions as the original file. Permissions will be updated if we change the permissions of the source file.
Changes made to the original or hard-linked file will reflect in the other.
When you delete a hard link nothing will happen to the other file, and the content will still be there.
Hard links can't cross file system boundaries.
You cannot create a hard link for a directory.
$ ln source.file hardlink.file

Soft Link (Symbolic Link)
A soft link is an actual link to the original file. It contains the path of the original file and not the contents.
It has a different inode number and file permissions than the original file; permissions will not be updated.
A soft link points to the original file, so if the original file is deleted then the soft link fails.
If you delete the soft link, nothing will happen to the file. If the original file is deleted, the link becomes a useless link that points to a nonexistent file.
It's like creating a shortcut for the original file.
Soft links can cross file system boundaries.
A soft link can link to a directory.
$ ln -s source.file softlink.file

Chapter 4: Disk and File Management
File attributes, permission and ownership in Linux (Hard Link Vs. Soft Link)

Hard Link ($ ls -lia): the inode number is the same for both files.

Search for a file with an inode number using the find command. For example:
$ find / -inum 15745555
/hardlink.file
/source.file

Soft Link (Symbolic Link) ($ ls -lia): the inode number is different.

A symbolic link has an "l" before the rwxrwxrwx.

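An added example, not code from the slides, covering the inode fields and the hard link versus soft link behaviour above: it creates source.file, hardlink.file and softlink.file in a scratch directory and reports what ls -lia and find -inum would show, then deletes the source to show that the hard link keeps the data while the soft link dangles. It assumes a Linux or macOS filesystem (inode semantics differ on Windows).

```python
"""Inode information and hard/soft link behaviour, as ls -lia and find -inum show it.

Added example, not from the original slides. All files are constructed in
a temporary directory; nothing outside it is touched. Assumes a Unix-like
filesystem where os.link and os.symlink are available.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


def mode_string(st_mode: int) -> str:
    """Render the ls type+permission field: d/-/l then rwx for owner, group, other."""
    if stat.S_ISDIR(st_mode):
        kind = "d"
    elif stat.S_ISLNK(st_mode):
        kind = "l"
    else:
        kind = "-"
    # 0o400 is owner read; each shift right by one bit moves to the next rwx position.
    perms = "".join(ch if st_mode & (0o400 >> i) else "-" for i, ch in enumerate("rwxrwxrwx"))
    return kind + perms


@dataclass
class InodeInfo:
    inode: int      # inode number (ls -i)
    mode: str       # file type and permissions
    links: int      # number of hard links
    uid: int        # owner
    gid: int        # group
    size: int       # file size in bytes
    mtime: float    # last modification time
    name: str


def inode_info(path: str) -> InodeInfo:
    """One line of `ls -lia`; lstat so a symlink reports itself, not its target."""
    st = os.lstat(path)
    return InodeInfo(st.st_ino, mode_string(st.st_mode), st.st_nlink, st.st_uid,
                     st.st_gid, st.st_size, st.st_mtime, os.path.basename(path))


def find_by_inode(root: str, inum: int) -> list:
    """Equivalent of `find root -inum N`: every name that shares that inode."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.lstat(p).st_ino == inum:
                hits.append(p)
    return sorted(hits)


def link_demo(workdir: str) -> dict:
    """Create source.file, a hard link and a soft link; return their inode info."""
    src = os.path.join(workdir, "source.file")
    hard = os.path.join(workdir, "hardlink.file")
    soft = os.path.join(workdir, "softlink.file")
    with open(src, "w") as fh:
        fh.write("constructed sample content\n")
    os.link(src, hard)                # $ ln source.file hardlink.file
    os.symlink("source.file", soft)   # $ ln -s source.file softlink.file
    return {"source": inode_info(src), "hard": inode_info(hard), "soft": inode_info(soft)}


def delete_source_effects(workdir: str) -> dict:
    """Delete source.file: the hard link still holds the data, the soft link dangles."""
    os.remove(os.path.join(workdir, "source.file"))
    hard = os.path.join(workdir, "hardlink.file")
    soft = os.path.join(workdir, "softlink.file")
    with open(hard) as fh:
        hard_content = fh.read()
    return {
        "hard_links_now": os.lstat(hard).st_nlink,
        "hard_content": hard_content,
        "soft_exists": os.path.lexists(soft),        # the link entry is still there
        "soft_target_exists": os.path.exists(soft),  # but following it fails
    }


def run_demo() -> tuple:
    """Build the links in a scratch directory and exercise every step above."""
    with tempfile.TemporaryDirectory() as d:
        before = link_demo(d)
        found = [os.path.basename(p) for p in find_by_inode(d, before["source"].inode)]
        after = delete_source_effects(d)
    return before, after, found


if __name__ == "__main__":
    before, after, found = run_demo()
    for info in before.values():
        print(f"{info.inode:>10} {info.mode} {info.links} {info.uid} {info.gid} "
              f"{info.size:>6} {info.name}")
    print("names sharing the source inode:", found)
    print("after deleting source.file:", after)
```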
Chapter 4: Disk and File Management
File attributes, permission and ownership in Linux (Other Attributes)
a - append only: this attribute allows a file to be added to, but not to be removed. It prevents accidental or malicious changes to files that record data, such as log files.
c - compressed: it causes the kernel to compress data written to the file automatically and uncompress it when it's read back.
d - no dump: it makes sure the file is not backed up in backups where the dump utility is used.
e - extent format: it indicates that the file is using extents (ext) for mapping the blocks on disk. (An extent is a contiguous area of storage reserved for a file in a file system, represented as a range of block numbers, or tracks. A file can consist of zero or more extents; one file fragment requires one extent.)
i - immutable: it makes a file immutable, which goes a step beyond simply disabling write access to the file. The file can't be deleted, links to it can't be created, and the file can't be renamed. Only the superuser can set or clear this attribute.
j - data journaling: it ensures that on an Ext3 file system the file is first written to the journal and only after that to the data blocks on the hard disk.
s - secure deletion: it makes sure that recovery of a file is not possible after it has been deleted.
A - no atime updates: Linux won't update the access time stamp when you access a file.
D - synchronous directory updates: it makes sure that changes to files are written to disk immediately, and not to cache first.
S - synchronous updates: the changes on a file are written synchronously to the disk.
u - undeletable: ensures that if a file is deleted, its contents are saved. This allows the user or a utility to ask for its undeletion.
Chapter 4: Disk and File Management
File attributes, permission and ownership in Linux (Other Attributes)
How to set an "i" attribute, with example filename file1

The chattr command is used to change or update the attributes.

The lsattr command is used to view the attributes.

Chapter 4: Process Management
 A process is a program in execution.
 When a program is loaded into memory it becomes a process. The process is assigned resources and CPU time to execute.
 A process can be categorized into four sections. These are:
 Stack
The process stack contains temporary data such as method/function parameters, return addresses and local variables.
 Heap
This is memory dynamically allocated to a process during its run time.
 Text
This includes the current activity represented by the value of the program counter and the contents of the processor's registers.
 Data
This section contains the global and static variables.
 Process management involves the execution of various tasks such as creation of processes, scheduling of processes, management of deadlock, and termination of processes.
 A process consists of a set of instructions to be executed, called the process code.
 The resources that a process requires for its execution are called process components.
 There is also a state associated with a process at a particular instant of time, called the process state.

Chapter 4: Process Management
 Process States
There are different process states. These stages may differ in different operating systems, and the names of these states are also not standardized.
1. New
Basically it specifies the time when a process is created.
2. Ready
In this time interval the process is loaded into primary memory and is ready for execution.
3. Waiting
In this state the process waits for the allocation of CPU time and the other resources it needs for its execution.
4. Executing
This is the main state of any process; in this state the process is running.
5. Blocked
It specifies the time interval when a process is waiting for an event like an input/output operation to complete.
6. Suspended
It specifies the time when a process is ready for execution but has not been placed in the ready queue by the operating system.
7. Terminated
It specifies the time when a process is terminated or ended and all the resources and memory that were utilized by the process are freed.
Chapter 4: Process Management
Process Control Block (PCB)
A Process Control Block is a data structure maintained by the operating system for every process. The PCB is
identified by an integer process ID (PID). A PCB keeps all the information needed to keep track of a process, as
listed below.
1. Process state: the current state of the process.
2. Process privileges: required to allow or disallow access to system resources.
3. Process ID: unique identification for each process in the operating system.
4. Pointer: a pointer to the parent process.
5. Program counter: a pointer to the address of the next instruction to be executed for this process.
6. CPU registers: the various CPU registers whose contents must be saved so the process can resume in the running state.
7. CPU scheduling information: process priority and other scheduling information required to schedule the process.
8. Memory management information: page table, memory limits and segment table, depending on the memory scheme used by the operating system.
9. Accounting information: the amount of CPU used for process execution, time limits, execution ID, etc.
10. I/O status information: a list of the I/O devices allocated to the process.
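To make the state list and the PCB fields concrete, here is an added example written for these notes (it is not from the slides and does not model any real kernel): a minimal PCB data class that only allows the transitions between the states named above, and a round-robin scheduler that moves three constructed processes through new, ready, executing, blocked and terminated, saving the program counter and the CPU accounting in the PCB at every switch. The transition table, the workload and the assumption that an I/O request completes within one scheduling round are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Allowed state transitions, using the state names from the slide.
# Constructed teaching model (assumption), not any real kernel's state machine.
TRANSITIONS = {
    "new": {"ready"},
    "ready": {"executing", "suspended"},
    "executing": {"ready", "waiting", "blocked", "terminated"},
    "waiting": {"ready"},
    "blocked": {"ready"},
    "suspended": {"ready"},
    "terminated": set(),
}


@dataclass
class PCB:
    """Minimal Process Control Block with a few of the fields listed in the table."""
    pid: int
    parent_pid: Optional[int]           # pointer to the parent process
    total_instructions: int             # length of the process code
    io_at: Optional[int] = None         # instruction index that issues a blocking I/O
    state: str = "new"
    program_counter: int = 0            # saved here when the process is switched out
    priority: int = 0
    cpu_time_used: int = 0              # accounting information
    history: List[Tuple[str, str]] = field(default_factory=list)

    def transition(self, new_state: str) -> None:
        """Move to new_state, refusing anything the transition table forbids."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"PID {self.pid}: illegal transition {self.state} -> {new_state}")
        self.history.append((self.state, new_state))
        self.state = new_state


def round_robin(procs: List[PCB], quantum: int) -> List[int]:
    """Simulate round-robin scheduling; returns PIDs in the order they terminated.

    Each dispatch runs at most `quantum` instructions. A process that reaches its
    I/O instruction is blocked; the device is assumed to finish before the next
    dispatch, so blocked processes go back to the ready queue one round later.
    """
    if quantum < 1:
        raise ValueError("quantum must be at least one instruction")
    ready: deque = deque()
    blocked: List[PCB] = []
    finished: List[int] = []
    for pcb in procs:
        pcb.transition("ready")
        ready.append(pcb)
    while ready or blocked:
        for pcb in blocked:               # I/O completed: wake the process
            pcb.transition("ready")
            ready.append(pcb)
        blocked = []
        pcb = ready.popleft()
        pcb.transition("executing")
        start = pcb.program_counter
        end = start + min(quantum, pcb.total_instructions - start)
        if pcb.io_at is not None and start <= pcb.io_at < end:
            end = pcb.io_at + 1           # run up to and including the I/O request
            pcb.io_at = None
            pcb.program_counter = end     # context saved in the PCB
            pcb.cpu_time_used += end - start
            pcb.transition("blocked")
            blocked.append(pcb)
            continue
        pcb.program_counter = end
        pcb.cpu_time_used += end - start
        if end >= pcb.total_instructions:
            pcb.transition("terminated")
            finished.append(pcb.pid)
        else:
            pcb.transition("ready")       # quantum expired: preempted
            ready.append(pcb)
    return finished


def demo() -> Tuple[List[int], List[PCB]]:
    """Constructed workload: three processes, one of which blocks on I/O."""
    procs = [
        PCB(pid=1, parent_pid=0, total_instructions=5),
        PCB(pid=2, parent_pid=1, total_instructions=3, io_at=1),
        PCB(pid=3, parent_pid=1, total_instructions=4),
    ]
    return round_robin(procs, quantum=2), procs


if __name__ == "__main__":
    order, procs = demo()
    print("completion order:", order)
    for p in procs:
        print(p.pid, p.cpu_time_used, " -> ".join(s for s, _ in p.history) + " -> " + p.state)
```

With a quantum of two instructions, process 2 blocks on its I/O, is woken one round later and finishes first even though it started second; its history shows the full new, ready, executing, blocked, ready, executing, terminated path from the slide.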
Chapter 4: Process Management
Process in Windows 10
Task Manager -> Processes tab
Right-click on a process and select Process details.
 To write the table of running processes to a text file, enter the following line at the
prompt and press Enter:
tasklist > c:\processes_list.txt
 To kill a task by image name (here Word):
taskkill /IM winword.exe
Chapter 4: Process Management
Process in Linux
Two commands generally used are top and ps -ax.
 top displays a list of processes, with the ones using the most CPU at the top.
 ps -ax will give you a list sorted by PID.
 Use kill <PID> to kill the process.
Chapter 4: File Extension
 A file extension or file name extension is the ending of a file name that helps identify the
type of file in an operating system such as Microsoft Windows or macOS.
 A file name extension is usually between one and four characters long and always sits at
the end of the file name, after the period.
 As an example, the filename "myfile.txt" has the file extension ".txt", which is the file
name extension associated with text files.
Picture File   Sound File   OS File   Text and Word File   Web File   Spreadsheet
.bmp           .mp3         .dll      .txt                 .html      .xls
.jpeg          .wav         .bat      .docx                .aspx      .csv
.gif                        .exe      .rtf                 .xml       .xlsx

 File extensions also often indicate the file type, or file format.
 Any file's extension can be renamed, but that won't convert the file to another
format or change anything about the file other than this portion of its name.
 Windows file extension associations are stored in the Registry under HKEY_CLASSES_ROOT.
Chapter 4: File Extension (Linux and macOS)
 File extensions are not shown in macOS by default. The reason is that macOS does not
really use extensions and does not rely on them the way Windows does.
 You can make macOS show file extensions, though, and it is probably not a bad idea
to do so. With Finder open, head to Finder > Preferences > Advanced, and then
enable the "Show all filename extensions" check box.
Chapter 4: File Extension (Linux and macOS)
 Linux and macOS use something called MIME types and creator codes
to determine what a file is.
 In Linux, all files are plain text files.
This information is stored within the header of the file, and both macOS
and Linux use it to determine what type of file they are dealing with.
Since file extensions are not really required on macOS or Linux, you could
very well have a valid file with no extension, and the OS could still open
it with the right program because of the file information contained in the
file header.
Chapter 4: File Extension Vs. File Formats
 A file format is the layout and organization of data within the file. A file extension is used
to identify the file format at a glance.
 A file extension is just the alphanumeric characters that appear after the period,
while the file format describes the way in which the data in the file is organized.
 A file extension can be changed or renamed, but the file format remains the same.
For example, in the file name mydata.txt the file extension is txt, indicating that
this is a text file. A user could rename that file to mydata.mp3, but that would not
mean you could play the file on an MP3 player. The file itself is still rows of text,
not a compressed musical recording (an MP3 file).
 In order to convert the file format:
 Both formats have to recognize each other's compression and encoding.
 It has to be converted using a program that supports both types of files, or a
dedicated tool designed to convert the file from the format it is in to the format
you want it to be in.
Chapter 4: File Extension (Challenges in Forensic)
a) Hiding of File Extension
To make Windows show the hidden extensions:
 Open the Run dialog box via WIN+R.
 Enter control folders.
 Go to the View tab.
 Remove the check next to "Hide extensions for known file types".
Chapter 4: File Extension (Challenges in Forensic)
b) Removing or Renaming File Extension
 Windows uses file extensions to determine the best program to open a file and a list of
other recommended programs to open it.
 Without the proper file extension, Windows may attempt to open the file with a program that is
incapable of opening it, which can cause an error or produce unintelligible output.
 In such cases, file headers or MIME types can be used to determine the format of a
file, much as file extensions are.
 File headers are not visible in normal programs. A hex editor or hex dump program can
display these headers, as well as the contents of the file, in hex.
File Type   File Header information
JPEG        the ASCII code for 'JFIF'
PDF         %PDF

 MIME (Multipurpose Internet Mail Extensions) represents file types for messages and files sent
over the Internet. It allows other kinds of files, such as images, movies and executables, to be
sent over the Internet.
MIME-Version: 1.0
Content-Type: text/plain
Chapter 4: File Extension (Challenges in Forensic)
b) Removing or Renaming File Extension
 Digital forensics investigators use different tools to examine file header
information and identify files with incorrect file extensions:
 file - a Unix command that examines the header of the file to determine its
type
 DROID (Digital Record Object Identification tool)
 Sleuth Kit - also uses the file command
 TrID or TrIDnet - generally for binary (non-text) files
 Hex dump tools

The challenge is when both the file extension and the file header have been modified;
the file can still be identified if the two point to different file types.
A more interesting, and the biggest, challenge is the case where both the file
extension and the header are changed to the same type.
Chapter 4: File Signature
 A file signature is data used to identify or verify the contents of a file.
 File signatures are file headers used to recognize the file format so that the right program
can be used to access the file. The term generally refers to:
 File magic number
Bytes within a file used to identify its format; generally a short
sequence of bytes (most are 2-4 bytes long) placed at the beginning of the file.
 File checksum
Or, more generally, the result of a hash function over the file contents: data used
to verify the integrity of the file contents, generally against transmission errors or
malicious attacks.
 Performing a signature analysis identifies which files may have been altered to hide
their true identity.
 A file signature is a sequence of bytes that application programs use to confirm
file data before loading and processing the rest of the file.
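The header-versus-extension comparison described on this slide and the previous one, as an added example written for these notes (it is not a tool from the slides): it carries a small table of well-known magic numbers (the JPEG SOI marker, PNG, GIF, %PDF, MZ, ZIP/PK), reads the first 32 bytes of each file and reports whether the extension agrees with the signature. The sample files and their names are constructed in a temporary directory, and the short list of signatures is an assumption about which formats matter here.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# (magic bytes, offset, extensions that legitimately carry it, format name).
# Well-known public magic numbers; the table is deliberately small (assumption).
# JFIF-style JPEGs also carry the text "JFIF" at offset 6, but every JPEG starts
# with the SOI marker FF D8 FF, so that is what the table keys on.
SIGNATURES: List[Tuple[bytes, int, Set[str], str]] = [
    (b"\xff\xd8\xff", 0, {"jpg", "jpeg"}, "JPEG"),
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}, "PNG"),
    (b"GIF87a", 0, {"gif"}, "GIF"),
    (b"GIF89a", 0, {"gif"}, "GIF"),
    (b"%PDF", 0, {"pdf"}, "PDF"),
    (b"MZ", 0, {"exe", "dll"}, "DOS/PE executable"),
    (b"PK\x03\x04", 0, {"zip", "docx", "xlsx"}, "ZIP container"),
]


def identify(header: bytes) -> Tuple[Optional[str], Set[str]]:
    """Return (format name, allowed extensions) for the first matching magic number."""
    for magic, offset, exts, name in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name, exts
    return None, set()


def check_file(path: Path) -> Dict[str, Optional[str]]:
    """Compare the file's magic number with its extension and report a verdict."""
    with path.open("rb") as f:
        header = f.read(32)              # every magic number above sits in the first 32 bytes
    fmt, exts = identify(header)
    ext = path.suffix.lower().lstrip(".")
    if fmt is None:
        verdict = "unknown"              # no known signature: plain text, unknown or empty file
    elif ext in exts:
        verdict = "match"
    else:
        verdict = "mismatch"             # extension does not fit the header: renamed or disguised
    return {"file": path.name, "ext": ext, "format": fmt,
            "header": header[:8].hex(" "), "verdict": verdict}


def scan(paths: List[Path]) -> Dict[str, Dict[str, Optional[str]]]:
    """Run check_file over every path and key the results by file name."""
    return {p.name: check_file(p) for p in paths}


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Write constructed sample files to a temporary directory and scan them."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 20   # minimal JFIF header
    pdf = b"%PDF-1.4\n%constructed sample\n"
    exe = b"MZ\x90\x00" + b"\x00" * 28                                  # DOS header stub
    text = b"just some notes, no signature\n"
    samples = {
        "photo.jpg": jpeg,           # honest JPEG
        "photo_renamed.txt": jpeg,   # JPEG content with the extension changed
        "report.pdf": pdf,           # honest PDF
        "holiday.jpg": exe,          # executable disguised as a picture
        "readme.txt": text,          # plain text has no magic number
        "empty.dat": b"",            # zero-length file must not crash the check
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, content in samples.items():
            p = Path(tmp) / name
            p.write_bytes(content)
            paths.append(p)
        return scan(paths)


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:20s} ext={r['ext']:5s} header={r['header']:24s} "
              f"{str(r['format']):18s} {r['verdict']}")
```

Note what this check cannot do: a file whose header and extension were both changed to the same type passes as a "match", which is exactly the hardest case the previous slide describes; catching that needs the checksum side of the signature, compared against a known-good copy.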
Chapter 4: Registry
 The registry, or Windows Registry, is a database of information, settings, options
and other values for user preferences, software, hardware devices and
operating system configuration.
 The Windows Registry is accessed and configured using the Registry Editor (the
regedit command).
 Windows Registry backup files are saved as REG files.
Chapter 4: Thumbnails
 Thumbnails ("thumbs" for short) are reduced-size versions (previews) of original
pictures or videos, used to help in recognizing and organizing them.
 A website will load significantly faster if its range of image and
video content is initially displayed in the form of thumbnails.
 Forensic examiners can still retrieve the image from your computer, thanks to the
thumbnail caching feature.
 The hidden file thumbs.db is a database file containing a small JPEG representing
each of the thumbnails in a folder.
 In Windows XP the hidden thumbnail file, thumbs.db, is placed in the
same location as the images; from Windows Vista/7 onwards the thumbnail files
are stored in the user's profile folder, but Windows still generates thumbs.db when you access
shared network folders.
 In newer versions of Windows the centralized thumbnail database is located in the
following folder:
\Users\[User Account Name]\AppData\Local\Microsoft\Windows\Explorer
Chapter 4: Thumbnails
[Figure: thumbnail storage up to Windows XP vs. after Windows XP]
Chapter 4: Thumbnails
Tools such as Thumb_viewer or Thumbcache_viewer can be used to
extract images from thumbnail databases.
Chapter 4: Shortcuts
 A shortcut is a link that points to a program on the
computer.
 Shortcuts allow you to create links to programs in any
folder, the Start menu, the Taskbar, the desktop or other locations on
the computer.
 A shortcut is useful for accessing software programs or
files more easily.
 In Windows, shortcut files are recognized by the
extension .lnk.
 To view the details of a shortcut:
Right-click the shortcut icon  Properties
Chapter 4: AutoRun (Type of Shortcut File)
 Windows launches a file called autorun.inf when external media (USB drives, memory
cards, CDs, DVDs, SD cards) are plugged into the computer.
 Features like AutoRun are designed to improve the PC experience.
Unfortunately, the AutoRun feature has been abused by malicious people.
A virus on a USB flash drive can be attached to autorun.inf so that both launch at the
same time. This means you are essentially installing the virus the second you plug in
the USB drive.
 During a digital forensic examination, you should disable AutoRun:
Go to Settings (Windows + I) > Devices > AutoPlay.
Chapter 4: AutoRun (Type of Shortcut File)
 Deleting AutoRun (autorun.inf).
If you suspect that your USB drive has a virus, deleting the autorun.inf file will
prevent the virus from launching.
Assume the USB drive letter is F:
Using Windows Explorer:
 Launch Windows Explorer (Windows + E).
 Open the USB drive. This shows you the contents of the USB drive.
 autorun.inf is usually a hidden file. Make sure you have Show Hidden Files enabled
by going to View and ticking Hidden Items.
 Select autorun.inf from the list and press Delete.
Using the command line:
 Launch the command line.
 Switch to the drive (F:), type DEL AUTORUN.INF and press Enter.
Chapter 4: Prefetch files
 Prefetch is a set of temporary files, introduced in Windows XP and still used in Windows 10, that
save the information required for a program to load and run.
 These files help the same program load faster when it is opened again, because
the computer does not have to refer to the original source files all over again.
 Prefetch files record the files and applications that you use over time.
 Prefetch files are located in the C:\Windows\Prefetch directory.
 The extension of a Prefetch file is .pf.
Chapter 4: Prefetch files
 The Prefetcher configuration is stored in the Windows Registry at the following
location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
 The EnablePrefetcher value can be set to one of the following:
• 0 = Disabled
• 1 = Application launch prefetching enabled
• 2 = Boot prefetching enabled
• 3 = Application launch and boot prefetching enabled (optimal and default)
Chapter 4: Forensic Value of Prefetch files
 Prefetch files are great artifacts for forensic investigators trying to analyze the applications
that have been run on a system.
 For investigators, these files contain valuable data on a user's application history
on a computer. They record the files and applications that the user has used over time.
 The forensic value of Prefetch files will be examined from two different
perspectives:
 The contents of the Prefetch file.
 The creation/existence of the Prefetch file in the Prefetch directory.
 When the application was executed for the first time and the last time (timeline analysis).
 How many times the application was executed.
 Identification of programs like CCleaner used to cover up potential wrongdoing.
 If the program has since been deleted, a Prefetch file may still exist on the system
to provide evidence of execution.
 Another valuable use for Prefetch files is in malware investigations, where they can assist
examiners in determining when a malicious program was run.
Chapter 4: Forensic Value of Prefetch files
 Prefetch files are all named in a common format: the name of the application,
followed by a hyphen (-) and an eight-character hash value, followed by the .PF extension.
 The hash value is derived from the location from which the application was last run.
 For example, the Prefetch file for calc.exe would appear as CALC.EXE-0FE8F3A9.pf,
where 0FE8F3A9 is a hash of the path from which the file was executed.
 The hash value maintains the integrity of the Prefetch files.
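The naming convention on this slide and the EnablePrefetcher flags from the earlier slide, in code, as an added example for these notes (not from the slides): a parser for NAME-HASH.pf file names, a grouping that flags executables seen with more than one path hash (the same binary name run from different locations, which is worth a closer look in an investigation), a decoder for the EnablePrefetcher bits, and a path-hash routine. The hash routine implements the Windows Vista/7 variant as documented by the libscca project; that attribution, the constructed directory listing, and every hash value other than the slide's 0FE8F3A9 are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# <APPLICATION>-<8 hex digit hash>.pf, as described on the slide.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")


def parse_prefetch_name(name: str) -> Optional[Tuple[str, str]]:
    """Split CALC.EXE-0FE8F3A9.pf into ('CALC.EXE', '0FE8F3A9'); None if not a prefetch name."""
    m = PF_NAME.match(name)
    if m is None:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def group_by_executable(names: List[str]) -> Dict[str, List[str]]:
    """Map each executable name to the distinct path hashes seen for it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name in names:
        parsed = parse_prefetch_name(name)
        if parsed is None:
            continue                     # Layout.ini, Ag*.db and other non-.pf files
        exe, path_hash = parsed
        if path_hash not in groups[exe]:
            groups[exe].append(path_hash)
    return dict(groups)


def multi_location_executables(names: List[str]) -> Dict[str, List[str]]:
    """Executables with more than one hash, i.e. run from more than one path."""
    return {exe: hashes for exe, hashes in group_by_executable(names).items()
            if len(hashes) > 1}


def vista_path_hash(device_path: str) -> str:
    """Path hash as documented for Windows Vista/7 prefetch files by the libscca
    project (assumption: verify against a known .pf on the Windows version at
    hand; later versions use a different function). Input is the NT device path
    of the executable, e.g. \\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CALC.EXE."""
    h = 314159
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return f"{h:08X}"


def decode_enable_prefetcher(value: int) -> Dict[str, bool]:
    """Interpret the EnablePrefetcher registry value as its two flag bits."""
    return {"application_launch": bool(value & 1), "boot": bool(value & 2)}


def demo() -> Dict[str, List[str]]:
    # Constructed directory listing: only CALC.EXE-0FE8F3A9.pf comes from the
    # slides; the other hashes are made-up placeholders.
    listing = [
        "CALC.EXE-0FE8F3A9.pf",
        "CALC.EXE-11111111.pf",      # same binary name, different path hash
        "NOTEPAD.EXE-22222222.pf",
        "AgAppLaunch.db",             # SuperFetch file, not a prefetch record
        "Layout.ini",
    ]
    return multi_location_executables(listing)


if __name__ == "__main__":
    print("run from more than one location:", demo())
    print("EnablePrefetcher=3 ->", decode_enable_prefetcher(3))
```

Because the hash covers the full path, the same binary copied to a second folder produces a second .pf file rather than updating the first, which is why grouping by executable name is a useful first pass over the Prefetch directory.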
Chapter 4: Superfetch File
 SuperFetch (introduced in Windows Vista) is designed to identify how the user uses applications and to
look for patterns in that use.
 For example, after starting Windows the user might always open their email client followed by the web
browser.
 SuperFetch records these usage patterns and uses the Prefetch tool to pre-load RAM with the files for the
applications that it expects the user to open next, so that the user has an even more responsive experience.
 SuperFetch is thus predictive: it tries to predict the user's actions and pre-load RAM with pages for
the applications that it expects the user to open next.
 SuperFetch data is stored in a series of files in the C:\Windows\Prefetch directory. These files
start with the prefix Ag and have a .db extension.
 To check the status of SuperFetch, launch the Services app from Control Panel  Administrative Tools or
using the command services.msc.
Chapter 4: Recent files
 When a person uses a Windows computer, every time he or she opens or
accesses a file of any kind, whether from the Internet or stored on the hard
drive, a CD-ROM, or a floppy disk, the computer keeps a tiny record of the
activity in the form of a "link" file, known as a Recent file.
 The computer creates a "link" containing the time and date of access to the
document, and the path leading to the place where the document is (or was)
stored on the computer.
 Such Recent files can be examined by an investigator during digital forensics to identify
the list of files or applications accessed on the system.
 Recently accessed but since deleted files are also shown in the Recent files.
 In Windows 10, Recent files can be accessed through:
C:\Users\Dell\AppData\Roaming\Microsoft\Windows\Recent
 Recent files can also be viewed through:
Windows Explorer/File Explorer --> Quick Access
Chapter 4: Temporary files
 Windows Temp files are temporary files created by Windows services and many
third-party software programs.
 Windows temporary files are created by the operating system during the normal course of its
running when there may not be enough memory allocated for a task.
 Temporary files are also created by programs for backup purposes. For instance, Microsoft
Office saves a temporary file of the open document every few minutes. If you save the
document and exit, the temporary file gets deleted. If the program crashes unexpectedly,
the temporary file is not deleted. They can thus be useful for recovering lost data if the
program or the system crashes.
 Location of system temporary files:
C:\Windows\Temp
 Location of user temporary files:
C:\Users\Dell\AppData\Local\Temp
Separate for each user on the system.
 To access these two "Temp" folders, use the following commands in the Run box:
TEMP
%TEMP%
Chapter 4: Temporary files
 The path of the temporary files/folders can be verified through the Environment
Variables in case anybody has changed the path.
 Environment Variables can be accessed using the following command in the Run box:
sysdm.cpl
Advanced tab  Environment Variables.
Chapter 4: Internet Temporary files
 Temporary Internet Files are direct downloads from the
Internet, usually containing graphic pictures in bmp, jpeg,
gif etc. format.
 There will also be html and htm files for website home page
components.
 The Temporary Internet Files folder also stores references to
any website we recently visited, to keep track for next time
and load faster.
 In Internet Explorer, it is referred to as Temporary Internet Files.
To view the files: Control Panel  Internet Options 
General tab  Settings  Temporary Internet Files tab 
View Files.
 In Mozilla Firefox, it is referred to as Cache.
To view the files: open the browser  select Options -->
Privacy and Security, scroll down to Cookies and Site
Data  Manage Data.
Chapter 4: Recycle BIN
The Recycle Bin holds files that have been deleted by the user.
When a user deletes files, a copy of them is stored in the Recycle
Bin. This process is called "soft deletion".
Recovering files from the Recycle Bin can be a good source of
evidence.
Chapter 4: System Configuration
Go to Control Panel  Administrative Tools  select System Configuration.
Chapter 4: User Data and Profiles
Finding User Data and Profiles in a Windows system.
Documents and Settings folder
 Contains a user root folder for each user account created on the computer.
Data stored in the user root folder:
 Desktop settings, such as wallpaper, screensavers, color schemes, and themes
 Internet customizations, such as the homepage, favorites, and history
 Personal files and folders, such as My Documents, My Pictures, and so on
Some of the subfolders in the user root folder include:
 Application Data (hidden)
 Cookies
 Desktop
 Favorites
 Local Settings (hidden)
 My Documents
 Temp Files
Location of the user root folder:
<partition>:\Documents and Settings\userid\NTUSER.DAT file