
GUIDE TO COMPUTER FORENSICS

6TH EDITION

CHAPTER 5
WORKING WITH WINDOWS AND CLI SYSTEMS
OBJECTIVES

 Explain the purpose and structure of file systems
 Describe Microsoft file structures
 Explain the structure of NTFS disks
 List some options for decrypting drives encrypted with whole disk encryption
 Describe Microsoft startup tasks
 Explain the purpose of a virtual machine
 Explain how the Windows Registry works
UNDERSTANDING FILE SYSTEMS

 File system
 Gives the OS a road map to data on a disk
 The type of file system an OS uses determines how data is stored on the disk
 When you need to access a suspect’s computer to acquire or inspect data
 You should be familiar with both the computer’s OS and file systems
UNDERSTANDING THE BOOT SEQUENCE

 Complementary Metal Oxide Semiconductor (CMOS)
 The computer stores system configuration and date and time information in the CMOS
• When power to the system is off
 Basic Input/Output System (BIOS) or Extensible Firmware Interface (EFI)
 Contains programs that perform input and output at the hardware level
 Displays the key or keys you press to open the CMOS setup screen
 Bootstrap process
 Contained in ROM, tells the computer how to proceed
 CMOS should be modified to boot from a forensic floppy disk or CD
DISK DRIVE COMPONENTS

 Disk drives are made up of one or more platters coated with magnetic material
• Geometry: the disk’s logical structure of platters, tracks, and sectors
• Head: reads and writes data to a drive. There are two heads per platter, which read and write the top and bottom sides
• Tracks: concentric circles on a disk platter where data is located
• Cylinders: a column of tracks on two or more disk platters. Typically, each platter has two surfaces: top and bottom
• Sectors: a section on a track, usually made up of 512 bytes
UNDERSTANDING DISK DRIVES

A comparison of sectors on an older and a more modern hard disk drive (figure)

 Properties handled at the drive’s hardware or firmware level
 Zone bit recording (ZBR): inner tracks have a smaller circumference than outer tracks
 Track density: the space between each track
 Areal density: the number of bits in one square inch of a disk platter
 Head and cylinder skew: used to improve disk performance
NO NEED FOR MULTI-PASS ERASURE

On older disks, the space between tracks was wider, which allowed heads to wander
This made it possible for specialists to retrieve data from previous writes to a platter, even after erasure
– Using an electron microscope
On any IDE or SATA or later hard drive, this is impossible
A single pass of zeroes erases all data on a disk so it cannot be recovered by any currently known technique
SOLID-STATE STORAGE DEVICES

Flash memory:
• Has a wear-leveling feature
• Fixed number of read/write operations
• Data is rotated to another memory cell
• Old memory cell addresses are listed in a firmware file called a “garbage collector”
• The flash drive’s firmware erases data in unallocated cells by overwriting the value of 1 in all cells listed in the garbage collector file
• Challenging task in making a forensic copy, e.g. an image of a cell phone
EXPLORING MICROSOFT FILE STRUCTURES (1/2)

 In Microsoft file structures, sectors are grouped to form clusters
 Storage allocation units of one or more sectors
 Clusters range from 512 bytes up to 32,000 bytes each
 Combining sectors minimizes the overhead of writing or reading files to a disk
EXPLORING MICROSOFT FILE STRUCTURES (2/2)

 Clusters are numbered sequentially, starting at 0 in NTFS and 2 in FAT
• The first sector of all disks contains a system area, the boot record, and a file structure database
 The OS assigns these cluster numbers, which are called logical addresses
 Sector numbers are called physical addresses
 Clusters and their addresses are specific to a logical disk drive, which is a disk partition
DISK PARTITIONS

 A partition is a logical drive
 Windows OSs can have three primary partitions followed by an extended partition that can contain one or more logical drives
 Hidden partitions or voids
 Large unused gaps between partitions on a disk
 Partition gap
 Unused space between partitions
HIDING DATA

 Create a partition
 Add data to it
 Remove references to the partition
 Data hidden in a partition gap
 A disk editor utility could be used to access it
 Another technique is to hide incriminating digital evidence at the end of a disk by declaring a smaller number of bytes than the actual drive size
 With disk editing tools, however, you can access these hidden or empty areas of the disk
DISK EDITOR

 Examine a partition’s physical level
 WinHex or Hex Workshop
 Used to view file headers and other critical parts of a file
 Analyze the key hexadecimal codes the OS uses to identify and maintain the file system
DISK MANAGEMENT VIEW - PARTITIONS
PARTITION TABLE

 Maintained by OS
 Outlines and describes the partitions on the disk
 Two partitioning schemes:
 MBR
 GPT
MBR PARTITION TABLE

 Saves partition information in the first sector of the disk (the MBR sector)
 Each partition entry is 16 bytes, and the total is 64 bytes
 Each entry starts at a predetermined offset from the beginning of the sector, as follows:
 Partition 1: 0x01BE (446)
 Partition 2: 0x01CE (462)
 Partition 3: 0x01DE (478)
 Partition 4: 0x01EE (494)
 An MBR-based hard disk can support up to 4 partitions
 The size of a single partition on an MBR disk can only amount to 2 TB
MBR PARTITION TABLE
PARTITION RECORD LAYOUT – ANOTHER LOOK!

The 16-byte partition entry from the figure, read byte by byte (the slide prints each hex pair vertically, so the two rows of digits pair up column by column):

  Field                                      Bytes         Value
  Bootable                                   80            0x80 = bootable
  CHS address of 1st sector of partition     02 03 00      h = 2, s = 3, c = 0
  Partition type                             07            0x07
  CHS address of last sector of partition    80 27 19      h = 128, s = 39, c = 25
  LBA of 1st sector in partition             80 00 00 00   0x00000080 = 128
  Total sectors in partition                 00 40 06 00   0x00064000 = 409,600

CHS ADDRESS

                1st sector            Last sector
  Head (h)      [00000010] = 2        [10000000] = 128
  Sector (s)    [00000011] = 3        [00100111] = 39
  Cylinder (c)  [0000000000] = 0      [0000011001] = 25
HPC AND SPT

 HPC (Heads per Cylinder) is the number of heads per cylinder. Generally the manufacturer uses 8 bits to address the number of heads per cylinder, so the value of HPC is 2^8 – 1 = 255
 SPT (Sectors per Track) is the number of sectors on a track. Generally the manufacturer uses 6 bits to address the sectors in one track, so the value of SPT is 2^6 – 1 = 63

LBA TO CHS

LBA = (c × HPC + h) × SPT + (s – 1)

DISK PARTITION DETAILS

 The file system’s hexadecimal code is offset 3 bytes from 0x1BE for the first partition
 The sector address of where this partition starts on the drive is offset 8 bytes from 0x1BE
 The number of sectors assigned to the partition is offset 12 bytes from 0x1BE
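As an added example (not from the textbook), the Python below parses a 512-byte MBR sector using the entry offsets, the CHS bit layout and the LBA formula from the slides above, and cross-checks each entry's CHS fields against its LBA fields. The first entry is the record from the partition record layout slide; the second entry, the 55 AA signature check and the type-name table are constructed additions of mine.

```python
import struct

HPC, SPT = 255, 63          # heads per cylinder / sectors per track, from the slides
SIGNATURE = b"\x55\xAA"     # boot signature at offset 0x1FE of the MBR sector
# Well-known partition type codes (subset, for readable output)
TYPE_NAMES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x0F: "Extended LBA", 0x83: "Linux", 0xEE: "GPT protective"}

def decode_chs(raw):
    """3-byte CHS field: head byte, then 6-bit sector + 2 high cylinder bits, then low cylinder byte."""
    head, sec_byte, cyl_low = raw
    sector = sec_byte & 0x3F
    cylinder = ((sec_byte & 0xC0) << 2) | cyl_low
    return cylinder, head, sector

def chs_to_lba(c, h, s):
    """LBA = (c x HPC + h) x SPT + (s - 1), the formula from the LBA TO CHS slide."""
    return (c * HPC + h) * SPT + (s - 1)

def parse_entry(entry):
    """Decode one 16-byte partition table entry (all multi-byte fields little-endian)."""
    boot, chs_start, ptype, chs_end, lba, count = struct.unpack("<B3sB3sII", entry)
    return {"bootable": boot == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "chs_start": decode_chs(chs_start), "chs_end": decode_chs(chs_end),
            "lba_start": lba, "total_sectors": count}

def parse_mbr(sector):
    """Read the entries at 0x1BE, 0x1CE, 0x1DE and 0x1EE; a type byte of 0x00 marks an unused slot."""
    if len(sector) != 512 or sector[0x1FE:0x200] != SIGNATURE:
        raise ValueError("not an MBR sector: bad length or missing 55 AA signature")
    entries = [sector[0x1BE + 16 * i: 0x1CE + 16 * i] for i in range(4)]
    return [parse_entry(e) for e in entries if e[4] != 0x00]

def chs_consistent(p):
    """Cross-check CHS against LBA fields; a mismatch is a hint that the table was edited by hand."""
    start_ok = chs_to_lba(*p["chs_start"]) == p["lba_start"]
    end_ok = chs_to_lba(*p["chs_end"]) == p["lba_start"] + p["total_sectors"] - 1
    return start_ok and end_ok

# Constructed 512-byte MBR: entry 1 is the record shown on the layout slide,
# entry 2 is an invented FAT32 partition placed directly after it.
SAMPLE_MBR = bytearray(512)
SAMPLE_MBR[0x1BE:0x1CE] = bytes.fromhex("80 02 03 00 07 80 27 19 80 00 00 00 00 40 06 00")
SAMPLE_MBR[0x1CE:0x1DE] = bytes.fromhex("00 80 28 19 0B 40 1A 26 80 40 06 00 00 20 03 00")
SAMPLE_MBR[0x1FE:0x200] = SIGNATURE

if __name__ == "__main__":
    for p in parse_mbr(bytes(SAMPLE_MBR)):
        print(p, "CHS/LBA consistent:", chs_consistent(p))
```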
HEXADECIMAL CODES OF FILE SYSTEMS
EXAMINING FAT DISKS

• File Allocation Table (FAT)
– File structure database that Microsoft originally designed for floppy disks
– Used before Windows NT and 2000
• The FAT database is typically written to a disk’s outermost track and contains:
– Filenames, directory names, date and time stamps, the starting cluster number, and file attributes
• FAT versions
– FAT12, FAT16, FAT32, FATX (for Xbox), and VFAT
FAT VERSIONS

• FAT12—for floppy disks, max size 16 MB
• FAT16—allows hard disk sizes up to 2 GB
• FAT32—allows hard disk sizes up to 2 TB
• FATX—for Xbox media
– The date stamps start at the year 2000, unlike the other FAT formats, which start at 1980
• VFAT (Virtual File Allocation Table)
– Allows long file names on Windows
EXAMINING FAT DISKS

• Cluster sizes vary according to the hard disk size and file system
• This table is for FAT16 (figure)
EXAMINING FAT DISKS

 Microsoft OSs allocate disk space for files by clusters
 This results in drive slack: unused space in a cluster between the end of an active file’s content and the end of the cluster
 Drive slack includes RAM slack and file slack
 RAM slack: the data required to fill in the space from the end of the file to the end of the sector
 File slack: the remaining sectors to the end of the cluster
 An unintentional side effect of FAT16 allowing large clusters was that it reduced fragmentation as cluster size increased
EXAMINING FAT DISKS

• When you run out of room for an allocated cluster
– The OS allocates another cluster for your file, which creates more slack space on the disk
• As files grow and require more disk space, assigned clusters are chained together
– The chain can be broken or fragmented
WINHEX SHOWING CLUSTER CHAIN
EXAMINING FAT DISKS (CONTINUED)

• When the OS stores data in a FAT file system, it assigns a starting cluster position to a file
– Data for the file is written to the first sector of the first assigned cluster
• When this first assigned cluster is filled and runs out of room
– FAT assigns the next available cluster to the file
• If the next available cluster isn’t contiguous to the current cluster
– The file becomes fragmented
DELETING FAT FILES

• In Microsoft OSs, when a file is deleted
– The directory entry is marked as a deleted file
• The hex E5 (σ) character replaces the first letter of the filename
• The FAT chain for that file is set to 0
• Data in the file remains on the disk drive
• The area of the disk where the deleted file resides becomes unallocated disk space
– Available to receive new data from newly created files or other files needing more space
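Added example, not from the textbook: a small FAT16 decoder that applies the points from the FAT slides above (the 0xE5 deletion marker, the 1980-based date stamp, cluster chains and fragmentation, RAM slack and file slack). The 32-byte directory entry, the FAT table and the 2 KiB cluster size are constructed sample data, chosen so that the file is fragmented and ends part-way through a sector.

```python
import struct

SECTOR = 512
CLUSTER = 4 * SECTOR         # constructed geometry: 2 KiB clusters (real FAT16 sizes vary by disk)
FAT16_EOC = 0xFFF8           # FAT16 entries >= 0xFFF8 mark the end of a cluster chain

def fat_date(raw):
    """FAT date word: bits 15-9 years since 1980, bits 8-5 month, bits 4-0 day."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F

def parse_dir_entry(entry):
    """Decode a 32-byte FAT16 8.3 directory entry."""
    if len(entry) != 32:
        raise ValueError("directory entries are 32 bytes")
    deleted = entry[0] == 0xE5            # first letter overwritten on deletion
    name = (b"?" + entry[1:8]) if deleted else entry[0:8]
    ext = entry[8:11]
    wdate, first_cluster, size = struct.unpack_from("<HHI", entry, 24)  # write date, start cluster, size
    return {"name": (name.rstrip() + b"." + ext.rstrip()).decode("ascii"),
            "deleted": deleted, "attr": entry[11], "modified": fat_date(wdate),
            "first_cluster": first_cluster, "size": size}

def cluster_chain(fat, start):
    """Follow a FAT16 chain; a 0 entry means the chain was cleared, as happens on deletion."""
    chain, cur = [], start
    while 2 <= cur < FAT16_EOC:
        if cur in chain:
            raise ValueError("loop in cluster chain (corrupt FAT)")
        chain.append(cur)
        cur = fat[cur]
    return chain

def is_fragmented(chain):
    return any(b != a + 1 for a, b in zip(chain, chain[1:]))

def drive_slack(size):
    """Split drive slack into RAM slack (to the sector end) and file slack (to the cluster end)."""
    used = size % CLUSTER
    if size == 0 or used == 0:
        return 0, 0
    sector_end = -(-used // SECTOR) * SECTOR   # round the used bytes up to the next sector
    return sector_end - used, CLUSTER - sector_end

# Constructed sample: REPORT.TXT, 5000 bytes, modified 2024-03-15, starting at cluster 5
MOD_DATE = ((2024 - 1980) << 9) | (3 << 5) | 15
LIVE_ENTRY = b"REPORT  TXT" + bytes([0x20]) + bytes(12) + struct.pack("<HHI", MOD_DATE, 5, 5000)
DELETED_ENTRY = bytes([0xE5]) + LIVE_ENTRY[1:]           # same entry after deletion
# Constructed FAT16 table: 5 -> 6 -> 9 -> end (the jump from 6 to 9 is a fragment)
LIVE_FAT = [0xFFF8, 0xFFFF, 0, 0, 0, 6, 9, 0, 0, 0xFFFF]
CLEARED_FAT = [0xFFF8, 0xFFFF] + [0] * 8                  # chain set to 0 after deletion

if __name__ == "__main__":
    live = parse_dir_entry(LIVE_ENTRY)
    print(live, cluster_chain(LIVE_FAT, live["first_cluster"]), drive_slack(live["size"]))
    gone = parse_dir_entry(DELETED_ENTRY)
    print(gone, cluster_chain(CLEARED_FAT, gone["first_cluster"]))
```

After deletion only the start cluster survives in the directory entry; the rest of the chain has to be recovered from the data itself.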
EXAMINING NTFS DISKS

 NT File System (NTFS)
 Introduced with Windows NT
 Primary file system for Windows 10
 Improvements over FAT file systems
 NTFS provides more information about a file
 NTFS gives more control over files and folders
 NTFS was Microsoft’s move toward a journaling file system
 It records a transaction before the system carries it out
EXAMINING NTFS DISKS

 In NTFS, everything written to the disk is considered a file
 On an NTFS disk
 The first data set is the Partition Boot Sector
 Next is the Master File Table (MFT)
 NTFS results in much less file slack space
 Clusters are smaller for smaller disk drives
 NTFS also uses Unicode
 An international data format
NTFS FILE SYSTEM

 The MFT contains information about all files on the disk
 Including the system files the OS uses
 In the MFT, the first 15 records are reserved for system files
 Records in the MFT are called metadata
MFT AND FILE ATTRIBUTES

 In the NTFS MFT
 All files and folders are stored in separate records of 1024 bytes each
 Each record contains file or folder information
 This information is divided into record fields containing metadata
 A record field is referred to as an attribute ID
 File or folder information is typically stored in one of two ways in an MFT record:
 Resident and nonresident
MFT AND FILE ATTRIBUTES

 Files larger than 512 bytes are stored outside the MFT
 The MFT record provides cluster addresses where the file is stored on the drive’s partition
 Referred to as data runs
 Each MFT record starts with a header identifying it as a resident or nonresident attribute

RESIDENT FILE DATA IN THE MFT

• Figure: a resident file in an MFT record
• This figure is a repeat of a portion of the previous one

NONRESIDENT FILE’S MFT RECORD
MFT AND FILE ATTRIBUTES

 When a disk is created as an NTFS file structure
 The OS assigns logical clusters to the entire disk partition
 These assigned clusters are called logical cluster numbers (LCNs)
 They become the addresses that allow the MFT to link to nonresident files on the disk’s partition
 When data is first written to nonresident files, an LCN address is assigned to the file
 This LCN becomes the file’s virtual cluster number (VCN0)
 VCN(1) and other VCNs are the offset of the cluster number from the previous VCN cluster position in the data run
 VCNs are signed integers
 If the next largest unused disk space is at a lower address than the previous VCN, the lower address can be computed by simply adding a negative number to the VCN
MFT STRUCTURES FOR FILE DATA

 For the header of all MFT records, the record fields of interest are as follows:
 At offset 0x00: the MFT record identifier FILE
 At offset 0x1C to 0x1F: size of the MFT record
 At offset 0x14: length of the header (indicates where the next attribute starts)
 At offset 0x32 and 0x33: the update sequence array, which stores the last 2 bytes of the first sector of the MFT record. It’s used only when MFT data exceeds 512 bytes. The update sequence array is used as a checksum for record integrity validation
MFT HEADER FIELDS
ATTRIBUTE 0X10: STANDARD INFORMATION

• Offset 0x38 from beginning of MFT record—start of attribute 0x10
• Offset 0x04 and 0x05 from beginning of attribute 0x10—size of the 0x10 attribute
• Offset 0x18 to 0x1F—file’s create date and time; all dates and times are stored in Win32 FILETIME format
• Offset 0x20 to 0x27—last modified date and time for the file
• Offset 0x28 to 0x2F—last access date and time
• Offset 0x30 to 0x37—record update date and time
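Added example (mine, not the book's): Python that undoes the update sequence array fixups described on the MFT structures slide before trusting a record, reads the header fields named there (first attribute offset at 0x14, record size at 0x1C), and decodes the creation and last-modified Win32 FILETIME stamps of attribute 0x10 at the offsets listed above. The 1024-byte record is constructed inside the block; the update sequence number 0x0007, the saved bytes and the timestamps are illustrative values.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Win32 FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def apply_fixups(record):
    """Undo the update sequence array before reading any field that spans a sector.
    On disk the last 2 bytes of each sector hold the update sequence number (USN); the
    real bytes sit in the array. A mismatch means a torn write, so refuse the record."""
    if record[0:4] != b"FILE":
        raise ValueError("missing FILE signature at offset 0x00")
    usa_offset, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_offset:usa_offset + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):                  # entry 0 is the USN itself
        end = i * SECTOR
        if fixed[end - 2:end] != usn:
            raise ValueError(f"USN mismatch at 0x{end - 2:X}: torn write")
        fixed[end - 2:end] = record[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(fixed)

def header_fields(record):
    """Header fields from the slide: first attribute offset (0x14), used and allocated size (0x18, 0x1C)."""
    first_attr, = struct.unpack_from("<H", record, 0x14)
    used, allocated = struct.unpack_from("<II", record, 0x18)
    return {"first_attribute": first_attr, "used_size": used, "record_size": allocated}

def standard_information(record):
    """Creation (+0x18) and last-modified (+0x20) stamps of attribute 0x10, the first attribute."""
    attr = header_fields(record)["first_attribute"]
    attr_type, = struct.unpack_from("<I", record, attr)
    if attr_type != 0x10:
        raise ValueError("first attribute is not $STANDARD_INFORMATION")
    created, modified = struct.unpack_from("<QQ", record, attr + 0x18)
    return {"created": filetime_to_datetime(created), "modified": filetime_to_datetime(modified)}

def build_sample_record():
    """Constructed 1024-byte record (not from a real disk): USN 0x0007, attribute 0x10 at 0x38."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)        # USA at 0x30: USN + one saved word per sector
    struct.pack_into("<H", rec, 0x14, 0x38)            # first attribute starts at 0x38
    struct.pack_into("<II", rec, 0x18, 0x100, 1024)    # used size, allocated record size
    struct.pack_into("<H", rec, 0x30, 0x0007)          # update sequence number
    rec[0x32:0x36] = b"\xAA\xBB\xCC\xDD"                # real bytes belonging at 0x1FE and 0x3FE
    rec[0x1FE:0x200] = rec[0x3FE:0x400] = b"\x07\x00"   # sector ends overwritten by the USN on disk
    struct.pack_into("<II", rec, 0x38, 0x10, 0x60)      # attribute type 0x10, attribute length
    created = datetime_to_filetime(datetime(2020, 1, 1, tzinfo=timezone.utc))
    modified = datetime_to_filetime(datetime(2021, 6, 15, 12, 30, tzinfo=timezone.utc))
    struct.pack_into("<QQ", rec, 0x38 + 0x18, created, modified)
    return bytes(rec)
```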


ATTRIBUTE 0X10: STANDARD INFORMATION
ATTRIBUTE 0X30: FILE_NAME

• For files with filenames of eight or fewer characters, the MFT record has only one attribute 0x30
• If a filename is longer than eight characters, there are two attribute 0x30s
• Offset 0x04 and 0x05 from beginning of attribute 0x30—size of attribute 0x30
• Offset 0x5A from 0x30 attribute’s starting position—short filename, in Unicode
• Offset 0x20 to 0x27—file’s create date and time, in Win32 FILETIME format
• Offset 0x28 to 0x2F—last modified date and time for the file
• Offset 0x30 to 0x37—last access date and time
• Offset 0x38 to 0x3F—record update date and time

Figure legend:
A: Attribute 0x30 short filename
B: Size of attribute 0x30 short filename
C: Short create date and time
D: Short last modified date and time
E: Short last access date and time
F: Short record update date and time
H: Attribute 0x30 long filename
I: Size of attribute 0x30 long filename
J: Long create date and time
K: Long last modified date and time
L: Long last access date and time
ATTRIBUTE 0X40: OBJECT_ID

• Depending on the Windows version, attribute 0x40 is sometimes listed in the MFT
• This attribute contains file ownership and access control information
• Offset 0x04 and 0x05 from beginning of attribute 0x40—the size of attribute 0x40
• Offset 0x14—starting offset position for GUID data
• Offset 0x18 to 0x27—starting position for GUID Object_ID data
ATTRIBUTE 0X80: DATA FOR A RESIDENT FILE

• Offset 0x04 and 0x05 from beginning of attribute 0x80—size of the attribute
• Offset 0x08—resident/nonresident flag; for resident data, it’s set to 0x00
• Offset 0x40—number of bytes in the data run
• Offset 0x18—start of the resident data run
• Offset 0x1FE and 0x1FF from beginning of MFT header—sector checksum value, used to validate the first 512 bytes of the MFT record. The break between the first and second sectors is referred to as the sector boundary. The 2 bytes at positions 0x32 and 0x33 of the MFT header, in the update sequence array field, are where the actual values for these bytes are stored
• The end of the MFT record is indicated by the hexadecimal values FF FF FF FF at the end of the record
ATTRIBUTE 0X80: DATA FOR A NONRESIDENT FILE

• Offset 0x04 and 0x05 from beginning of attribute 0x80—size of the attribute
• Offset 0x08—resident/nonresident flag; for nonresident data, it’s set to 0x01
• Offset 0x40—the start of the data run. The first run is the LCN; if the file is fragmented, additional data runs follow
• Following the last data run, the value 0x00 indicates the end of the Data attribute

Figure legend:
A: Start of attribute 0x80
B: Size of attribute 0x80
C: Nonresident flag
D: First data run
E: Second data run
F: Additional data runs
G: End of data run
H: End of MFT record
I: Sector checksum
INTERPRETING DATA RUNS

 The first data run for a nonresident attribute 0x80 field starts at offset 0x40 from the beginning of the attribute
 Data runs have three components:
 The first component declares how many bytes in the attribute field are needed to store the values for the second and third components
 The second component stores the number of clusters assigned to the data run
 The third component contains the starting cluster address value (the LCN or the VCN)
INTERPRETING A DATA RUN
INTERPRETING A DATA RUN

 For the first component, the byte 32 is shown at the data run’s starting position:
 The second digit, 2, means that the next 2 bytes contain the number of clusters assigned to this data run
 The first digit, 3, means that the next 3 bytes (after the number of clusters assigned) contain the cluster address value VCN(0); for the first data run, this value is the LCN
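Added example, not from the book: a run-list decoder for the three-component layout described above, plus the VCN-to-LCN lookup an examiner needs to find a given part of a file on disk. The run list is constructed: its first header is 0x32 as on the slide, followed by a run whose address is a negative offset (the lower-address case from the VCN slide), a 3-byte forward jump, and a sparse run with no address bytes.

```python
def decode_data_runs(run_list):
    """Decode an NTFS run list into (starting LCN, cluster count) pairs.

    Each run opens with a header byte: the low nibble says how many bytes hold the
    run length in clusters, the high nibble how many bytes hold the cluster address.
    The first address is an absolute LCN; each later one is a signed offset from the
    previous run's LCN, so a fragment at a lower disk address shows up as a negative
    number. A high nibble of 0 is a sparse run with no clusters on disk; 0x00 ends the list.
    """
    runs, pos, lcn = [], 0, 0
    while pos < len(run_list) and run_list[pos] != 0x00:
        header = run_list[pos]
        len_bytes, addr_bytes = header & 0x0F, header >> 4
        pos += 1
        if len_bytes == 0 or pos + len_bytes + addr_bytes > len(run_list):
            raise ValueError(f"malformed run header 0x{header:02X} at byte {pos - 1}")
        length = int.from_bytes(run_list[pos:pos + len_bytes], "little")
        pos += len_bytes
        if addr_bytes == 0:
            runs.append((None, length))          # sparse run: clusters exist only logically
            continue
        lcn += int.from_bytes(run_list[pos:pos + addr_bytes], "little", signed=True)
        pos += addr_bytes
        runs.append((lcn, length))
    return runs

def vcn_to_lcn(runs, vcn):
    """Map a file-relative virtual cluster number to its on-disk LCN (None if sparse)."""
    base = 0
    for lcn, length in runs:
        if vcn < base + length:
            return None if lcn is None else lcn + (vcn - base)
        base += length
    raise IndexError(f"VCN {vcn} is past the end of the file ({base} clusters)")

def fragment_count(runs):
    """Number of separate on-disk extents (sparse runs occupy no disk space)."""
    return sum(1 for lcn, _ in runs if lcn is not None)

# Constructed run list: header 0x32 as on the slide (2-byte length, 3-byte address),
# then a run with a negative 2-byte offset, a 3-byte forward jump, and a sparse run.
SAMPLE_RUNS = bytes.fromhex("32 C8 00 E5 0A 00  21 10 F0 FF  31 05 40 01 02  01 08  00")

if __name__ == "__main__":
    runs = decode_data_runs(SAMPLE_RUNS)
    print(runs, "fragments:", fragment_count(runs))
    for vcn in (0, 200, 216, 221):
        print(vcn, "->", vcn_to_lcn(runs, vcn))
```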
NTFS ALTERNATE DATA STREAMS

 Alternate data streams
 Ways data can be appended to existing files
 The ability to fork data into an existing file without changing its file size or functionality
 Can obscure valuable evidentiary data, intentionally or by coincidence
 In NTFS, an alternate data stream becomes an additional file attribute
 Allows the file to be associated with different applications
 You can only tell whether a file has a data stream attached by examining that file’s MFT entry
NTFS COMPRESSED FILES

 NTFS provides compression similar to FAT DriveSpace 3 (a Windows 98 compression utility)
 With NTFS, files, folders, or entire volumes can be compressed
 Most computer forensics tools can uncompress and analyze compressed Windows data
NTFS ENCRYPTING FILE SYSTEM (EFS)

 Encrypting File System (EFS)
 Introduced with Windows 2000
 Implements a public key and private key method of encrypting files, folders, or disk volumes
 When EFS is used in Windows 2000 and later
 A recovery certificate is generated and sent to the local Windows administrator account
 Users can apply EFS to files stored on their local workstations or a remote server
EFS RECOVERY KEY AGENT

 The Recovery Key Agent implements the recovery certificate
 Which is in the Windows administrator account
 Windows administrators can recover a key in two ways:
 Through Windows or from a command prompt
 Commands:
 cipher
 copy
DELETING NTFS FILES

 When a file is deleted in Windows NT and later
 The OS renames it and moves it to the Recycle Bin
 Can use the del (delete) MS-DOS command
 Eliminates the file from the MFT listing in the same way FAT does

DELETING NTFS FILES

 When you delete a file in Windows or File Explorer, you can restore it from the Recycle Bin
 The OS takes the following steps when you delete a file or a folder in Windows or File Explorer:
 Windows changes the filename and moves the file to a subdirectory with a unique identity in the Recycle Bin
 Windows stores information about the original path and filename in the Info2 file, which is the control file for the Recycle Bin. It contains ASCII data, Unicode data, and the date and time of deletion for each file or folder
DELETING NTFS FILES

 NTFS files deleted at a command prompt function much like FAT files
 The following steps also apply when a user empties the Recycle Bin:
 The associated clusters are designated as free, that is, marked as available for new data
 The $Bitmap file attribute in the MFT is updated to reflect the file’s deletion, showing that this space is available
 The file’s record in the MFT is marked as being available
 VCN/LCN cluster locations linked to deleted nonresident files are then removed from the original MFT record
 A run list is maintained in the MFT of all cluster locations on the disk for nonresident files. When the list of links is deleted, any reference to the links is lost
