Digital Forensics: Working With Windows and DOS Systems

Digital forensics lecture discusses Windows and DOS systems file structures and storage devices. It explains the purpose and structure of file systems, Microsoft file structures including NTFS, storage devices like hard disks, optical disks, flash storage. It also describes Windows registry, startup processes and how to decrypt encrypted drives.

Uploaded by

onele mabhena

Digital Forensics

Lecture 6
Working with Windows and DOS Systems
Objectives
• Identify a number of different storage devices
• Explain the purpose and structure of file systems
• Describe Microsoft file structures
• Explain the structure of New Technology File System (NTFS) disks
• List some options for decrypting drives encrypted with whole disk encryption
• Explain how the Windows Registry works
• Describe Microsoft startup tasks and boot process
Categorising Storage Devices
• The purpose of the storage unit of the computer is to store the data entered before processing and also to store the results after processing.
• Physical devices used to store programs or data on a temporary or permanent basis for use in a computer.
– Memory: Data stored in the form of chips.
– Storage: Data stored in tapes or disks.
These two can be categorised as primary and secondary storage.
Primary Storage Device
RAM
• The term random access means that any word in the memory may be accessed without having to go through all the other words to get to it.
• It can be both read and written.
• Memory consists of integrated circuits, either on the motherboard or on a small circuit board attached to the motherboard.
• Memory can be expanded easily by adding memory chips.
• It is a volatile form of memory.
Primary Storage Device
ROM
• ROM is “built-in” computer memory containing data that normally can only be read, not written to.
• ROM is a non-volatile memory.
• ROM is one in which information is stored permanently.
• The access time for this memory is very fast.
• ROM is very expensive to design and manufacture.
Secondary Storage Device
• This section of the memory is also referred to as backup storage.
• The storage capacity of primary storage is not sufficient to store large volumes of data, so secondary storage is used.
• Secondary storage, also known as external memory or auxiliary storage, is not directly accessible by the CPU.
Measurements of Storage Capacity
Size           Equals       Example
Byte           8 bits       One character of text
Kilobyte (KB)  1,024 bytes  A 1,000-character plain text file or a tiny graphic
Megabyte (MB)  1,024 KB     600 x 600 photo or one minute of a music clip
Gigabyte (GB)  1,024 MB     Full length audio CD is 800 GB, a two-hour DVD movie is 4GB
Terabyte (TB)  1,024 GB     Large business database
Petabyte (PB)  1,024 TB     All the data for an entire government
Hard Disks
• A hard disk is a large capacity rigid magnetic disk that is used for storing data.
• It is a sealed stack of multiple platters, stacked on a spindle. Each platter has two read/write heads on a retractable arm, one for each side.
• Hard disks use higher-quality media and a faster rotational speed than diskettes.
• Removable hard disks combine high capacity with the convenience of diskettes.
• External ones use USB or FireWire (IEEE 1394) connectors.
(Figure: read/write heads)
How Magnetic Storage Works
• A magnetic disk's medium contains iron particles, which can be polarized (given a magnetic charge) in one of two directions.
• Each particle's direction represents a 1 (on) or 0 (off), representing each bit of data that the CPU can recognize.
• A disk drive uses read/write heads containing electromagnets to create magnetic charges on the medium. As the medium rotates, the head writes the data.
Low-Level Formatting
• Before a magnetic disk can be used, it must be formatted: a process that maps the disk's surface and determines how data will be stored.
• Formatting defines the number of cylinders, heads, and sectors on the drive, which collectively determine its capacity.
• During formatting, the drive creates circular tracks around the disk's surface, then divides each track into sectors.
Low-Level Formatting Continued
• A cylinder is the collection of tracks that the data is being recorded on
• A track is a concentric ring on an individual side of a platter
• Heads: Number of platter sides
• Sectors: Number of segments that each track is divided into
• The OS organizes sectors into groups, called clusters, then tracks each file's location according to the clusters it occupies.
(Figure: formatted disk)
Disk Areas
When a disk is formatted, the OS creates four areas on its surface:
• Boot sector – stores the master boot record, a small program that runs when you first start (boot) the computer
• File allocation table (FAT) – a log that records each file's location and each sector's status
• Root folder – enables the user to store data on the disk in a logical way
• Data area – the portion of the disk that actually holds data
RAID - Redundant Array of Inexpensive Disks
• Disk organization techniques that manage a large number of disks, providing a view of a single disk
• Storage is larger, more reliable and faster than what a single disk drive can provide.
• The RAID array of physical disks is treated as one logical disk.
• Striping data across multiple disks allows parallel I/O, thus improving performance
Other Magnetic Storage Devices
• High-capacity floppy disks offer capacities up to 250MB and the portability of standard floppy disks.
• Disk cartridges are like small removable hard disks, and can store up to 2 GB.
• Magnetic tape systems offer very slow data access, but provide large capacities and low cost. Due to long access times, tape drives are used mainly for backups.
Optical Storage Devices
• An optical disk is a high-capacity storage medium. An optical drive uses reflected light to read data.
• To store data, the disk's metal surface is covered with tiny dents (pits) and flat spots (lands), which cause light to be reflected differently.
• When an optical drive shines light into a pit, the light cannot be reflected back. This represents a bit value of 0 (off). A land reflects light back to its source, representing a bit value of 1 (on).
CD Writing Technologies
• In PCs, the most commonly used optical storage technology is called Compact Disk Read-Only Memory (CD-ROM).
• A standard CD-ROM disk can store up to 650 MB of data, or about 70 minutes of audio.
• Once data is written to a standard CD-ROM disk, the data cannot be altered or overwritten.
• CD-ROM is typically used to store software programs. CDs can store audio and video data, as well as text and program instructions.
• Compact Disc Rewritable – can be written to, erased, and reused
DVD-ROM
• A variation of CD-ROM is called Digital Video Disk Read-Only Memory (DVD-ROM), and is being used in place of CD-ROM in many newer PCs.
• Standard DVD disks store up to 9.4 GB of data, enough to store an entire movie. Dual-layer DVD disks can store up to 17 GB.
• DVD disks can store so much data because both sides of the disk are used, along with sophisticated data compression technologies.
Blu-Ray Discs and Drives
• Similar to DVDs but can hold more data
• Use a blue laser rather than a standard red one
• Can hold 25GB per layer
Flash RAM Storage
Stores data in static (non-volatile) RAM
– USB flash drives
– Flash memory cards and readers
Solid-State Storage Devices
• A data storage device that uses solid-state memory
• All flash memory devices have a feature called wear-leveling
– An internal firmware feature used in solid-state drives that ensures even wear of read/writes for all memory cells
• When dealing with solid-state devices, making a full forensic copy as soon as possible is crucial
– In case you need to recover data from unallocated disk space
Files
• In Windows, the file extension says what a file is. For example:
– alesso.doc
– This is a Word document, due to a file association (.doc -> Word)
• Secretive Windows users may change an extension to hide evidence.
• It would be better to look at the data in each file to decide what it is.
• In Linux, there are no file extensions, and thus all associations are calculated from the contents of a file.
– This is often called Signature Analysis
• In Linux there is a useful tool for this analysis.
– The command is “file”
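As an added example (not part of the lecture), the following Python performs the signature analysis the slide describes: it matches a file's leading bytes against a small table of magic values and flags files whose extension disagrees with their content, which is how a renamed file is caught. The signature table, the alias groups and the sample files are all constructed for this illustration; a real tool such as the Linux `file` command carries a far larger database.

```python
# Added example: content-based file type identification ("signature analysis").
# Signature table, alias groups and sample files are constructed for this
# illustration; a real tool such as `file` carries a far larger database.

# (magic bytes, type implied by those bytes)
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),                          # ZIP container (also OOXML documents)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),    # OLE2 compound file (.doc/.xls)
    (b"MZ", "exe"),                                  # DOS/Windows executable header
]

# Extensions that legitimately share a container with the detected type.
ALIASES = {
    "doc": {"doc", "xls", "ppt", "msi"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "jpg": {"jpg", "jpeg"},
    "exe": {"exe", "dll", "sys"},
}


def identify(data: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type found in the content."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data)
    accepted = ALIASES.get(kind, {kind})
    return {
        "name": name,
        "claimed": ext,
        "detected": kind,
        # Unknown content is reported, not flagged: the table simply has no entry for it.
        "mismatch": kind != "unknown" and ext not in accepted,
    }


# Constructed sample "files": (file name, first bytes of content).
SAMPLES = [
    ("alesso.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24),
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),    # executable renamed to .txt
    ("report.pdf", b"PK\x03\x04\x14\x00\x00\x00"),     # ZIP archive renamed to .pdf
    ("README", b"Plain text with no signature"),
]


def scan(samples=SAMPLES) -> list:
    return [check_file(name, data) for name, data in samples]


if __name__ == "__main__":
    for r in scan():
        status = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']:12} claims '{r['claimed']}', content says {r['detected']:8} {status}")
```

Only the first bytes of each file are read, which is what makes the check cheap enough to run over every file in an image; a file with no known signature is reported as unknown rather than flagged, so the output distinguishes "renamed" from "not in my table".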
File Systems
• Before a volume can be used it must be formatted with a File System.
• A File System is the method for storing and organizing files and data on the volume.
• Formatting is the act of setting up an empty file system on a volume.
• When you need to access a suspect’s computer to acquire or inspect data
– You should be familiar with the computer’s platform
• Popular File Systems: EXT3, ZFS, NTFS, HFS (Mac), FAT
File Systems - Volumes
• Volume – segment of storage as seen by the operating system.
• A single hard drive (or logical disk) can be one volume.
• One hard drive (or LD) can be multiple volumes. We call this partitioning the disk.
• Many hard disks can be combined into one logical volume.
Understanding File Systems
• File – logical unit of storage
• Basic file management system provides
– Directory structures for each I/O device
– Tools to copy, move, store, retrieve, and manipulate
files
– Information about each file in the system and the
tools to access that information
– Security mechanisms to protect files and control
access
• Additional file management features
– Backup, emergency retrieval, and recovery
– File compression
– Transparent network file access
– Auditing
Microsoft Windows File Structures
• In Microsoft Windows file structures
– Sectors are grouped to form clusters
• Storage allocation units of one or more sectors
• Combining sectors minimizes the overhead of writing or reading files to a disk
• Sector numbers are called physical addresses
– Clusters range from 512 bytes up to 32,000 bytes each
• Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT
• First sector of all disks contains a system area, the boot record, and a file structure database
• Cluster numbers are called logical addresses
• Clusters and their addresses are specific to a logical disk drive, which is a disk partition
Disk Partitions
• A selection of addressable sectors that are consecutive. By definition, a partition is a volume
• A partition is a logical drive
• Windows OSs can have three primary partitions followed by an extended partition that can contain one or more logical drives
• Hidden partitions or voids
– Large unused gaps between partitions on a disk
• Partition gap
– Unused space between partitions
Disk Partitions (Cont.)
• The partition table is in the Master Boot Record (MBR)
– Located at sector 0 of the disk drive
• MBR stores information about partitions on a disk and their locations, size, and other important items
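The partition table the slide refers to can be read straight out of sector 0. The Python below is an added example, not the lecture's code: it builds a constructed 512-byte MBR with two partition entries, parses the four 16-byte entries that start at offset 446, checks the 0x55AA boot signature, and lists the partition gaps (unallocated sector ranges) from the previous slide. The partition type table is a small subset and the disk layout is invented for the illustration.

```python
import struct

# Added example (not the lecture's code). The sample MBR is constructed; the
# partition type table is a small subset of the real one.
SECTOR = 512
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux",
}
# status, CHS start, type, CHS end, LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr() -> bytes:
    """Constructed MBR: bootable NTFS partition at LBA 2048, FAT32 partition at LBA 210000."""
    mbr = bytearray(SECTOR)
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x0C, 210000, 102400)]
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = 446 + 16 * i
        # CHS fields are left zero; modern tools rely on the LBA fields.
        mbr[off:off + 16] = ENTRY.pack(status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xaa"          # boot signature
    return bytes(mbr)


def parse_mbr(sector0: bytes) -> list:
    """Decode the four partition entries; returns only the populated ones."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA) in sector 0")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector0, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue                    # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "start": lba,
            "end": lba + count - 1,
            "sectors": count,
        })
    return parts


def find_gaps(parts: list, total_sectors: int) -> list:
    """Sector ranges covered by no partition: the partition gaps an examiner checks."""
    gaps, cursor = [], 1                # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor <= total_sectors - 1:
        gaps.append((cursor, total_sectors - 1))
    return gaps


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"#{p['index']} {p['type_name']:12} sectors {p['start']}-{p['end']}"
              f" ({p['sectors'] * SECTOR // 2**20} MiB){' boot' if p['bootable'] else ''}")
    print("gaps:", find_gaps(parts, total_sectors=400000))
```

The gap list is the interesting output: space between sector 1 and the first partition, between partitions, and after the last partition is exactly where a hidden partition or stashed data would sit, so an examiner compares it with the disk's true sector count rather than trusting the table alone.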
Examining FAT Disks
• File Allocation Table (FAT)
– File structure database that Microsoft originally designed for floppy disks
• FAT database is typically written to a disk’s outermost track and contains:
– Filenames, directory names, date and time stamps, the starting cluster number, and file attributes
• Three current FAT versions
– FAT16, FAT32, and exFAT (used by Xbox game systems)
– Each differs in the size of its addressable clusters
• Cluster sizes vary according to the hard disk size and file system
Deleting FAT Files
• First letter of the file name is overwritten with 0xE5
• FAT pointers to allocation areas are set to zero
– Indicating that they are ready for reuse
• Data in the file remains on the disk drive
• Area of the disk where the deleted file resides becomes unallocated disk space
– Available to receive new data from newly created files or other files needing more space
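The deletion steps above (0xE5 in the first name byte, FAT chain entries zeroed, file data untouched) and the FAT cluster numbering from the Windows file structures slide (data clusters start at 2) are shown together in this added Python example, which is not the lecture's code. It builds a constructed directory of 32-byte 8.3 entries and a small constructed FAT32 cluster map, simulates the delete, then parses the directory the way a recovery tool does: deleted entries are reported with their starting cluster and size, and a cluster number is converted to a sector. Long-filename entries are skipped; the sample layout and timestamps are invented.

```python
import struct
from datetime import datetime

# Added example (not the lecture's code). Sample directory and FAT are constructed.
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")     # 32-byte FAT 8.3 directory entry
ATTR_DIRECTORY, ATTR_LFN = 0x10, 0x0F
DELETED_MARK = 0xE5
END_OF_CHAIN = 0x0FFFFFF8                    # FAT32: values >= this terminate a chain


def fat_datetime(date: int, time: int) -> datetime:
    """Decode packed FAT date (years since 1980/month/day) and time (2-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def make_entry(name: str, ext: str, attr: int, cluster: int, size: int, when: datetime) -> bytes:
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr, 0, 0,
                      time, date, date, cluster >> 16, time, date, cluster & 0xFFFF, size)


def parse_directory(data: bytes) -> list:
    """List entries, including deleted ones whose first name byte is 0xE5."""
    entries = []
    for off in range(0, len(data), 32):
        raw = data[off:off + 32]
        if raw[0] == 0x00:
            break                                    # no entries beyond this point
        name, ext, attr, _, _, _, _, _, hi, wtime, wdate, lo, size = ENTRY.unpack(raw)
        if attr == ATTR_LFN:
            continue                                 # long-filename fragment, not handled here
        deleted = name[0] == DELETED_MARK
        base = (b"?" + name[1:] if deleted else name).decode("ascii").rstrip()
        fname = base + ("." + ext.decode("ascii").rstrip() if ext.strip() else "")
        entries.append({"name": fname, "deleted": deleted, "directory": bool(attr & ATTR_DIRECTORY),
                        "cluster": (hi << 16) | lo, "size": size,
                        "written": fat_datetime(wdate, wtime)})
    return entries


def follow_chain(fat: list, start: int) -> list:
    """Clusters of a file in order; empty if the first cluster is already marked free."""
    chain, c = [], start
    while True:
        value = fat[c]
        if value == 0:
            break                                    # free cluster: the chain has been released
        chain.append(c)
        if value >= END_OF_CHAIN:
            break
        c = value
    return chain


def delete_entry(directory: bytes, index: int, fat: list) -> bytes:
    """Simulate a FAT delete: mark the entry 0xE5 and zero its FAT chain; data is not touched."""
    buf = bytearray(directory)
    _, _, _, _, _, _, _, _, hi, _, _, lo, _ = ENTRY.unpack_from(buf, index * 32)
    for c in follow_chain(fat, (hi << 16) | lo):
        fat[c] = 0
    buf[index * 32] = DELETED_MARK
    return bytes(buf)


def cluster_to_sector(cluster: int, first_data_sector: int, sectors_per_cluster: int) -> int:
    """FAT data clusters are numbered from 2, so cluster N starts (N - 2) clusters into the data area."""
    return first_data_sector + (cluster - 2) * sectors_per_cluster


T = datetime(2023, 5, 14, 9, 30, 0)
SAMPLE_DIR = (make_entry("REPORT", "DOC", 0x20, 5, 4096, T)
              + make_entry("SECRET", "TXT", 0x20, 9, 300, T)
              + make_entry("PHOTOS", "", ATTR_DIRECTORY, 12, 0, T)
              + b"\x00" * 32)
# Cluster map: 5->6->7->8, 9->10->11, 12 alone; entries 0 and 1 are reserved, 2 is the root.
SAMPLE_FAT = [0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 0, 0, 6, 7, 8, 0x0FFFFFFF,
              10, 11, 0x0FFFFFFF, 0x0FFFFFFF, 0, 0, 0]

if __name__ == "__main__":
    fat = list(SAMPLE_FAT)
    after = delete_entry(SAMPLE_DIR, 1, fat)
    for e in parse_directory(after):
        print(f"{'DEL ' if e['deleted'] else '    '}{e['name']:12} cluster {e['cluster']:3} "
              f"-> sector {cluster_to_sector(e['cluster'], 2048, 8)} size {e['size']} {e['written']}")
```

After the delete the directory still carries the starting cluster, size and timestamps of `?ECRET.TXT`; only the first name character is lost and the FAT chain is gone, so a recovery tool reads the file's clusters contiguously from the starting cluster and hopes they had not been fragmented or reused.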
Examining NTFS Disks (Cont.)
• On an NTFS disk
– First data set is the Partition Boot Sector
– Next is the Master File Table (MFT)
• Clusters are smaller for smaller disk drives
• NTFS also uses Unicode, an international data format
NTFS System Files

• MFT contains information about all files and directories on the disk
– Including the system files the OS uses
– Every file and directory has at least one entry in the table
• In the MFT, the first 15 records are reserved for system files
• Records in the MFT are called metadata
MFT and File Attributes
• In the NTFS MFT
– All files and folders are stored in separate records of 1024 bytes each
• Each record contains file or folder information
– This information is divided into record fields containing metadata
• A record field is referred to as an attribute ID
• File or folder information is typically stored in one of two ways in an MFT record:
– Resident and nonresident
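The attribute IDs and the resident/nonresident distinction are easiest to see by parsing one record. The Python below is an added example, not the lecture's code: it constructs a 1024-byte FILE record for a hypothetical `alesso.doc` with a resident $STANDARD_INFORMATION, a resident $FILE_NAME and a nonresident $DATA attribute, then parses it the way a forensic tool does, including the update sequence fixups (on disk the last two bytes of each 512-byte sector are replaced by a sequence number and have to be restored) and the data run list that maps the nonresident content to clusters. Every value in the record is invented for the illustration.

```python
import struct
from datetime import datetime, timedelta

# Added example (not the lecture's code): the record below is constructed, every value invented.
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
EPOCH_1601 = datetime(1601, 1, 1)            # FILETIME counts 100 ns ticks from 1601-01-01
RECORD_SIZE, SECTOR = 1024, 512

def to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def resident_attr(atype, content, attr_id):
    """24-byte resident header, then the content itself, padded to a multiple of 8."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id, len(content), 24, 0, 0)
    return hdr + content + b"\0" * (length - 24 - len(content))

def nonresident_attr(atype, runlist, clusters, real_size, attr_id, cluster_size=4096):
    """64-byte non-resident header, then the run list; the content lives in clusters elsewhere."""
    length = (64 + len(runlist) + 7) & ~7
    hdr = struct.pack("<IIBBHHHQQHH4sQQQ", atype, length, 1, 0, 0, 0, attr_id, 0, clusters - 1,
                      64, 0, b"\0" * 4, clusters * cluster_size, real_size, real_size)
    return hdr + runlist + b"\0" * (length - 64 - len(runlist))

def build_sample_record():
    t = to_filetime(datetime(2024, 1, 15, 10, 0, 0))
    std_info = struct.pack("<QQQQI12s", t, t, t, t, 0x20, b"\0" * 12)
    name = "alesso.doc".encode("utf-16-le")
    file_name = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), t, t, t, t, 32768, 30000,
                            0x20, 0, len(name) // 2, 1) + name
    runlist = bytes([0x21, 0x08, 0x34, 0x12, 0x00])      # 8 clusters starting at LCN 0x1234
    attrs = (resident_attr(0x10, std_info, 0) + resident_attr(0x30, file_name, 1)
             + nonresident_attr(0x80, runlist, 8, 30000, 2) + b"\xff\xff\xff\xff")
    rec = bytearray(RECORD_SIZE)
    rec[0:42] = struct.pack("<4sHHQHHHHIIQH", b"FILE", 48, 3, 0, 1, 1, 56, 0x01,
                            56 + len(attrs), RECORD_SIZE, 0, 3)
    rec[56:56 + len(attrs)] = attrs
    # Update sequence array at offset 48: the USN, then the bytes it displaces at each sector end.
    usn = b"\x07\x00"
    rec[48:54] = usn + rec[510:512] + rec[1022:1024]
    rec[510:512], rec[1022:1024] = usn, usn
    return bytes(rec)

def apply_fixups(rec):
    """Restore the sector-end bytes; a mismatch means a torn (partially written) record."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, fixed = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR
        if fixed[end - 2:end] != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        fixed[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(fixed)

def decode_runlist(buf):
    """Data runs as (starting LCN or None when sparse, cluster count); offsets are deltas."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz == 0:
            runs.append((None, length))
        else:
            lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
            runs.append((lcn, length))
        pos += off_sz
    return runs

def parse_record(raw):
    if raw[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(raw)
    attr_off, flags = struct.unpack_from("<HH", rec, 20)
    out = {"in_use": bool(flags & 1), "directory": bool(flags & 2), "attributes": []}
    pos = attr_off
    while struct.unpack_from("<I", rec, pos)[0] != 0xFFFFFFFF:      # end-of-attributes marker
        atype, length, nonres, _, _, _, attr_id = struct.unpack_from("<IIBBHHH", rec, pos)
        a = {"id": attr_id, "type": ATTR_NAMES.get(atype, hex(atype)), "resident": nonres == 0}
        if nonres == 0:
            csize, coff = struct.unpack_from("<IH", rec, pos + 16)
            content, a["size"] = rec[pos + coff:pos + coff + csize], csize
            if atype == 0x10:
                a["created"] = from_filetime(struct.unpack_from("<Q", content, 0)[0])
            elif atype == 0x30:
                a["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        else:
            a["size"] = struct.unpack_from("<Q", rec, pos + 48)[0]
            rl_off = struct.unpack_from("<H", rec, pos + 32)[0]
            a["runs"] = decode_runlist(rec[pos + rl_off:pos + length])
        out["attributes"].append(a)
        pos += length
    return out
```

Calling `parse_record(build_sample_record())` returns the three attributes in order; the resident ones carry their bytes inside the 1024-byte record, while $DATA only carries a run list (`[(0x1234, 8)]`) pointing at eight clusters elsewhere on the volume, which is where the file content has to be read from. The fixup check matters in practice: a record whose sector-end bytes do not match the sequence number was not fully written and should be reported rather than silently parsed.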
NTFS Compressed Files
• NTFS provides compression similar to FAT DriveSpace 3 (a Windows 98 compression utility)
• Under NTFS, files, folders, or entire volumes can be compressed
• Most computer forensics tools can uncompress and analyze compressed Windows data
– Including data compressed with the LZH algorithm and in formats such as PKZip, WinZip, GNU gzip.
– Might have difficulty with third-party formats such as .rar.
NTFS Encrypting File System (EFS)
• Encrypting File System (EFS)
– Introduced with Windows 2000
– Implements a public key and private key method of encrypting files, folders, or disk volumes
• When EFS is used in Windows 2000 and later
– A recovery certificate is generated and sent to the local Windows administrator account
• Users can apply EFS to files stored on their local workstations or a remote server
Deleting and Resilient NTFS Files
• When a file is deleted in Windows NT and later
– The OS renames it and moves it to the Recycle Bin
• Can use the Del (delete) MS-DOS command
– Eliminates the file from the MFT listing in the same way FAT does
• Resilient File System (ReFS) – designed to address very large data storage (e.g., cloud)
• Features incorporated into ReFS’s design:
– Maximized data availability
– Improved data integrity
– Designed for scalability
Understanding Whole Disk Encryption
• Recently there has been more concern about the loss of
– Personal identity information (PII) and trade secrets caused by computer theft
– Of particular concern is the theft of laptop computers and other handheld devices
• To help prevent loss of information, software vendors now provide whole disk encryption tools that offer the following features:
– Preboot authentication
– Full or partial disk encryption with secure hibernation
Understanding Whole Disk Encryption (Cont.)
• Whole disk encryption (WDE) tools encrypt each sector of a drive separately
• Many of these tools encrypt the drive’s boot sector
– To prevent any efforts to bypass the secured drive’s partition
• To examine an encrypted drive, decrypt it first
– Run a vendor-specific program to decrypt the drive
– Many vendors use a bootable CD or USB drive that prompts for a one-time passphrase
• Cybercriminals have recently used it as ransomware
Examining Microsoft BitLocker
• Available in Vista Enterprise/Ultimate, Windows 7 and 8 Professional/Enterprise, and Server 2008 and 2012
• Hardware and software requirements
– A computer capable of running Windows Vista or later
– The TPM microchip, version 1.2 or newer
– A computer BIOS compliant with Trusted Computing Group (TCG)
Disk Blocks

• Disk storage devices deal with data block transfers, not bytes.
• When a whole disk is copied to a file, it is called a disk image.
• When performing forensics, reading and writing blocks in disks or images may be necessary.
• In Linux, the system command to perform block reads and writes is called data dump “dd”.
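The block-oriented reads and writes the slide attributes to `dd` are shown here in an added Python example (not the lecture's code). It mimics dd's `bs=`, `skip=` and `count=` semantics over a constructed in-memory disk image, copies the whole image while hashing it, verifies the copy against the source hash (the check an examiner records when imaging), and carves out individual sectors such as the MBR. A short final block (an image whose size is not a multiple of the block size) is copied rather than dropped.

```python
import hashlib
import io

# Added example (not the lecture's code). The disk image is constructed in memory.
BLOCK = 512


def block_copy(src, dst, skip=0, count=None, bs=BLOCK):
    """dd-style copy: start `skip` blocks in, copy up to `count` blocks of `bs` bytes.
    Returns (blocks copied, SHA-256 of the bytes copied)."""
    digest = hashlib.sha256()
    src.seek(skip * bs)
    copied = 0
    while count is None or copied < count:
        chunk = src.read(bs)
        if not chunk:
            break                       # end of image/device
        dst.write(chunk)                # a short final block is copied as-is
        digest.update(chunk)
        copied += 1
    return copied, digest.hexdigest()


def make_sample_image(blocks: int, tail: int = 0) -> bytes:
    """Constructed image: block i is filled with byte value i, plus `tail` extra bytes."""
    body = b"".join(bytes([i % 256]) * BLOCK for i in range(blocks))
    return body + b"T" * tail


def extract_blocks(image: bytes, skip: int, count: int) -> bytes:
    """Carve `count` blocks starting at block `skip`, e.g. skip=0, count=1 for the MBR."""
    out = io.BytesIO()
    block_copy(io.BytesIO(image), out, skip=skip, count=count)
    return out.getvalue()


def image_and_verify(image: bytes) -> dict:
    """Full copy with an acquisition hash and a verification hash, as recorded when imaging."""
    copy = io.BytesIO()
    blocks, source_hash = block_copy(io.BytesIO(image), copy)
    copy_hash = hashlib.sha256(copy.getvalue()).hexdigest()
    return {"blocks": blocks, "source_sha256": source_hash,
            "copy_sha256": copy_hash, "verified": source_hash == copy_hash}


if __name__ == "__main__":
    img = make_sample_image(16, tail=100)    # 16 full blocks plus a 100-byte short block
    print(image_and_verify(img))
    print("first sector:", extract_blocks(img, 0, 1)[:8].hex())
```

The source hash is computed from the bytes as they are read, not from the copy, so comparing the two catches a write that silently truncated or altered the image; with a real device the same function is pointed at the block device opened read-only.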
Journaling

• Updates are done in transactions, and each transaction has a sequence number.
• Each transaction starts with a descriptor block that contains the transaction sequence number and a list of what blocks are being updated.
• Following the descriptor block are the updated blocks.
• When the updates have been written to disk, a commit block is written with the same sequence number.
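The descriptor, updated blocks and commit sequence described above is what decides which updates a recovery pass may apply after a crash. This added Python example (not the lecture's code) models a journal as a list of blocks against a constructed disk: one transaction is fully committed, a second lost its commit block when the system stopped. Replay applies only transactions whose commit block carries the descriptor's sequence number, so the partial transaction leaves the old data in place.

```python
# Added example (not the lecture's code). Disk and journal contents are constructed.

def descriptor(seq, targets):
    return {"kind": "descriptor", "seq": seq, "targets": list(targets)}


def data_block(content):
    return {"kind": "data", "content": content}


def commit(seq):
    return {"kind": "commit", "seq": seq}


def write_transaction(journal, seq, updates, crash_before_commit=False):
    """Append one transaction: descriptor, the updated blocks, then the commit block."""
    journal.append(descriptor(seq, updates.keys()))
    for block_no in updates:
        journal.append(data_block(updates[block_no]))
    if not crash_before_commit:
        journal.append(commit(seq))


def recover(disk, journal):
    """Replay committed transactions onto a copy of the disk; discard the rest.
    Returns (recovered disk, replayed sequence numbers, discarded sequence numbers)."""
    disk = dict(disk)
    replayed, discarded = [], []
    i = 0
    while i < len(journal):
        head = journal[i]
        if head["kind"] != "descriptor":
            raise ValueError(f"journal block {i}: expected a descriptor, found {head['kind']}")
        seq, targets = head["seq"], head["targets"]
        updates = journal[i + 1:i + 1 + len(targets)]
        commit_at = i + 1 + len(targets)
        tail = journal[commit_at] if commit_at < len(journal) else None
        complete = (len(updates) == len(targets)
                    and all(u["kind"] == "data" for u in updates)
                    and tail is not None and tail["kind"] == "commit" and tail["seq"] == seq)
        if not complete:
            discarded.append(seq)
            break                           # the journal ends in an unfinished transaction
        for block_no, u in zip(targets, updates):
            disk[block_no] = u["content"]
        replayed.append(seq)
        i = commit_at + 1
    return disk, replayed, discarded


SAMPLE_DISK = {10: b"old-A", 11: b"old-B", 12: b"old-C"}


def build_sample_journal():
    journal = []
    write_transaction(journal, 7, {10: b"new-A", 11: b"new-B"})
    write_transaction(journal, 8, {12: b"new-C"}, crash_before_commit=True)
    return journal


if __name__ == "__main__":
    disk, replayed, discarded = recover(SAMPLE_DISK, build_sample_journal())
    print("disk after recovery:", disk)
    print("replayed:", replayed, "discarded:", discarded)
```

The sequence number on the commit block is what ties it to its descriptor: a stale commit block left over from an earlier transaction does not match and so cannot make a half-written transaction look complete. For an examiner the discarded transaction is still evidence, since its data blocks remain readable in the journal even though they were never applied to the file system.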
Understanding the Windows Registry

• Registry
– A database that stores hardware and software configuration information, network connections, user preferences, and setup information
• For investigative purposes, the Registry can contain valuable evidence
• To view the Registry, you can use:
– Regedit (Registry Editor) program for Windows 9x systems
– Regedt32 for Windows 2000 and XP
Understanding Microsoft Startup Tasks
• Learn what files are accessed when Windows starts
• This information helps you determine when a suspect’s computer was last accessed
– Important with computers that might have been used after an incident was reported
Startup in Windows NT and Later
• All NTFS computers perform the following steps when the computer is turned on:
– Power-on self test (POST)
– Initial startup
– Boot loader
– Hardware detection and configuration
– Kernel loading
– User logon
Startup in Windows NT and Later (continued)
• Contamination Concerns with Windows XP
– When you start a Windows XP NTFS workstation, several files are accessed immediately
• The last access date and time stamp for the files change to the current date and time
– Destroys any potential evidence
• That shows when a Windows XP workstation was last used
Thank You!
