Guide to Computer Forensics

and Investigations
Fifth Edition

Chapter 5
Working with Windows and CLI
Systems
 Objectives

• Explain the purpose and structure of file systems

• Describe Microsoft file structures
• Explain the structure of NTFS disks
• List some options for decrypting drives encrypted
with whole disk encryption
• Explain how the Windows Registry works
• Describe Microsoft startup tasks
• Explain the purpose of a virtual machine

Guide to Computer Forensics and Investigations, Fifth Edition 2

© Cengage Learning 2015
 Understanding File Systems

• File system
– Gives OS a road map to data on a disk
• Type of file system an OS uses determines how
data is stored on the disk
• When you need to access a suspect’s computer to
acquire or inspect data
– You should be familiar with both the computer’s OS
and file systems

Guide to Computer Forensics and Investigations, Fifth Edition 3

© Cengage Learning 2015
 Understanding the Boot Sequence

• Complementary Metal Oxide Semiconductor

(CMOS)
– Computer stores system configuration and date and
time information in the CMOS
• When power to the system is off
• Basic Input/Output System (BIOS) or Extensible
Firmware Interface (EFI)
– Contains programs that perform input and output at
the hardware level

Guide to Computer Forensics and Investigations, Fifth Edition 4

© Cengage Learning 2015
 Understanding the Boot Sequence

• Bootstrap process
– Contained in ROM, tells the computer how to
proceed
– Displays the key or keys you press to open the
CMOS setup screen
• CMOS should be modified to boot from a forensic
floppy disk or CD

Guide to Computer Forensics and Investigations, Fifth Edition 5

© Cengage Learning 2015
 Understanding the Boot Sequence

Guide to Computer Forensics and Investigations, Fifth Edition 6

© Cengage Learning 2015
 Understanding Disk Drives

• Disk drives are made up of one or more platters

coated with magnetic material
• Disk drive components
– Geometry
– Head
– Tracks
– Cylinders
– Sectors

Guide to Computer Forensics and Investigations, Fifth Edition 7

© Cengage Learning 2015
 Understanding Disk Drives

Guide to Computer Forensics and Investigations, Fifth Edition 8

© Cengage Learning 2015
 Understanding Disk Drives

Guide to Computer Forensics and Investigations, Fifth Edition 9

© Cengage Learning 2015
 Understanding Disk Drives

• Properties handled at the drive’s hardware or

firmware level
– Zone bit recording (ZBR)
– Track density
– Areal density
– Head and cylinder skew

Guide to Computer Forensics and Investigations, Fifth Edition 10

© Cengage Learning 2015
 Solid-State Storage Devices

• All flash memory devices have a feature called

wear-leveling
– An internal firmware feature used in solid-state
drives that ensures even wear of read/writes for all
memory cells
• When dealing with solid-state devices, making a
full forensic copy as soon as possible is crucial
– In case you need to recover data from unallocated
disk space

Guide to Computer Forensics and Investigations, Fifth Edition 11

© Cengage Learning 2015
 Exploring Microsoft File Structures

• In Microsoft file structures, sectors are grouped to

form clusters
– Storage allocation units of one or more sectors
• Clusters range from 512 bytes up to 32,000 bytes
each
• Combining sectors minimizes the overhead of
writing or reading files to a disk

Guide to Computer Forensics and Investigations, Fifth Edition 12

© Cengage Learning 2015
 Exploring Microsoft File Structures

• Clusters are numbered sequentially starting at 0 in

NTFS and 2 in FAT
– First sector of all disks contains a system area, the
boot record, and a file structure database
• OS assigns these cluster numbers, called logical
addresses
• Sector numbers are called physical addresses
• Clusters and their addresses are specific to a
logical disk drive, which is a disk partition

Guide to Computer Forensics and Investigations, Fifth Edition 13

© Cengage Learning 2015
 Disk Partitions

• A partition is a logical drive

• Windows OSs can have three primary partitions
followed by an extended partition that can contain
one or more logical drives
• Hidden partitions or voids
– Large unused gaps between partitions on a disk
• Partition gap
– Unused space between partitions

Guide to Computer Forensics and Investigations, Fifth Edition 14

© Cengage Learning 2015
 Disk Partitions

Guide to Computer Forensics and Investigations, Fifth Edition 15

© Cengage Learning 2015
 Disk Partitions

• The partition table is in the Master Boot Record

(MBR)
– Located at sector 0 of the disk drive
• MBR stores information about partitions on a disk
and their locations, size, and other important items
• In a hexadecimal editor, such as WinHex, you can
find the first partition at offset 0x1BE
– The file system’s hexadecimal code is offset 3 bytes
from 0x1BE for the first partition

Guide to Computer Forensics and Investigations, Fifth Edition 16

© Cengage Learning 2015
 Disk Partitions

Guide to Computer Forensics and Investigations, Fifth Edition 17

© Cengage Learning 2015
 Examining FAT Disks

• File Allocation Table (FAT)

– File structure database that Microsoft originally
designed for floppy disks
• FAT database is typically written to a disk’s
outermost track and contains:
– Filenames, directory names, date and time stamps,
the starting cluster number, and file attributes
• Three current FAT versions
– FAT16, FAT32, and exFAT (used by Xbox game
systems)

Guide to Computer Forensics and Investigations, Fifth Edition 18

© Cengage Learning 2015
 Examining FAT Disks

• Cluster sizes vary according to the hard disk size

and file system

Guide to Computer Forensics and Investigations, Fifth Edition 19

© Cengage Learning 2015
 Examining FAT Disks

• Microsoft OSs allocate disk space for files by

clusters
– Results in drive slack
• Unused space in a cluster between the end of an
active file and the end of the cluster
• Drive slack includes:
– RAM slack and file slack
• An unintentional side effect of FAT16 having large
clusters was that it reduced fragmentation
– As cluster size increased
Guide to Computer Forensics and Investigations, Fifth Edition 20
© Cengage Learning 2015
 Examining FAT Disks

Guide to Computer Forensics and Investigations, Fifth Edition 21

© Cengage Learning 2015
 Examining FAT Disks

• When you run out of room for an allocated cluster

– OS allocates another cluster for your file, which
creates more slack space on the disk
• As files grow and require more disk space,
assigned clusters are chained together
– The chain can be broken or fragmented
• When the OS stores data in a FAT file system, it
assigns a starting cluster position to a file
– Data for the file is written to the first sector of the first
assigned cluster
Guide to Computer Forensics and Investigations, Fifth Edition 22
© Cengage Learning 2015
 Examining FAT Disks

Guide to Computer Forensics and Investigations, Fifth Edition 23

© Cengage Learning 2015
 Examining FAT Disks

• When this first assigned cluster is filled and runs

out of room
– FAT assigns the next available cluster to the file
• If the next available cluster isn’t contiguous to the
current cluster
– File becomes fragmented

Guide to Computer Forensics and Investigations, Fifth Edition 24

© Cengage Learning 2015
 Deleting FAT Files

• In Microsoft OSs, when a file is deleted

– Directory entry is marked as a deleted file
• With the HEX E5 character replacing the first letter of
the filename
• FAT chain for that file is set to 0
• Data in the file remains on the disk drive
• Area of the disk where the deleted file resides
becomes unallocated disk space
– Available to receive new data from newly created
files or other files needing more space

Guide to Computer Forensics and Investigations, Fifth Edition 25

© Cengage Learning 2015
 Examining NTFS Disks

• NT File System (NTFS)

– Introduced with Windows NT
– Primary file system for Windows 8
• Improvements over FAT file systems
– NTFS provides more information about a file
– NTFS gives more control over files and folders
• NTFS was Microsoft’s move toward a journaling file
system
– It records a transaction before the system carries it
out
Guide to Computer Forensics and Investigations, Fifth Edition 26
© Cengage Learning 2015
 Examining NTFS Disks

• In NTFS, everything written to the disk is

considered a file
• On an NTFS disk
– First data set is the Partition Boot Sector
– Next is Master File Table (MFT)
• NTFS results in much less file slack space
• Clusters are smaller for smaller disk drives
• NTFS also uses Unicode
– An international data format

Guide to Computer Forensics and Investigations, Fifth Edition 27

© Cengage Learning 2015
 Examining NTFS Disks

Guide to Computer Forensics and Investigations, Fifth Edition 28

© Cengage Learning 2015
 NTFS System Files

• MFT contains information about all files on the disk

– Including the system files the OS uses
• In the MFT, the first 15 records are reserved for
system files
• Records in the MFT are called metadata

Guide to Computer Forensics and Investigations, Fifth Edition 29

© Cengage Learning 2015
 NTFS File System

Guide to Computer Forensics and Investigations, Fifth Edition 30

© Cengage Learning 2015
 MFT and File Attributes
• In the NTFS MFT
– All files and folders are stored in separate records of
1024 bytes each
• Each record contains file or folder information
– This information is divided into record fields
containing metadata
• A record field is referred to as an attribute ID
• File or folder information is typically stored in one of
two ways in an MFT record:
– Resident and nonresident
Guide to Computer Forensics and Investigations, Fifth Edition 31
© Cengage Learning 2015
 MFT and File Attributes

• Files larger than 512 bytes are stored outside the

MFT
– MFT record provides cluster addresses where the
file is stored on the drive’s partition
• Referred to as data runs
• Each MFT record starts with a header identifying it
as a resident or nonresident attribute

Guide to Computer Forensics and Investigations, Fifth Edition 32

© Cengage Learning 2015
 MFT and File Attributes

Guide to Computer Forensics and Investigations, Fifth Edition 33

© Cengage Learning 2015
 MFT and File Attributes

Guide to Computer Forensics and Investigations, Fifth Edition 34

© Cengage Learning 2015
 MFT and File Attributes

Guide to Computer Forensics and Investigations, Fifth Edition 35

© Cengage Learning 2015
 MFT and File Attributes

Guide to Computer Forensics and Investigations, Fifth Edition 36

© Cengage Learning 2015
 MFT and File Attributes

• When a disk is created as an NTFS file structure

– OS assigns logical clusters to the entire disk partition
• These assigned clusters are called logical cluster
numbers (LCNs)
– Become the addresses that allow the MFT to link to
nonresident files on the disk’s partition
• When data is first written to nonresident files, an
LCN address is assigned to the file
– This LCN becomes the file’s virtual cluster number
(VCN)
Guide to Computer Forensics and Investigations, Fifth Edition 37
© Cengage Learning 2015
 MFT Structures for File Data

• For the header of all MFT records, the record fields

of interest are as follows:
– At offset 0x00 - the MFT record identifier FILE
– At offset 0x1C to 0x1F - size of the MFT record
– At offset 0x14 - length of the header (indicates
where the next attribute starts)
– At offset 0x32 and 0x33 - the update sequence
array, which stores the last 2 bytes of the first sector
of the MFT record

Guide to Computer Forensics and Investigations, Fifth Edition 38

© Cengage Learning 2015
 MFT Structures for File Data

Guide to Computer Forensics and Investigations, Fifth Edition 39

© Cengage Learning 2015
 MFT Structures for File Data

Guide to Computer Forensics and Investigations, Fifth Edition 40

© Cengage Learning 2015
 MFT Structures for File Data

Guide to Computer Forensics and Investigations, Fifth Edition 41

© Cengage Learning 2015
 MFT Structures for File Data

Guide to Computer Forensics and Investigations, Fifth Edition 42

© Cengage Learning 2015
 MFT Structures for File Data

Guide to Computer Forensics and Investigations, Fifth Edition 43

© Cengage Learning 2015
 MFT Structures for File Data

Guide to Computer Forensics and Investigations, Fifth Edition 44

© Cengage Learning 2015
 NTFS Alternate Data Streams

• Alternate data streams

– Ways data can be appended to existing files
– Can obscure valuable evidentiary data, intentionally
or by coincidence
• In NTFS, an alternate data stream becomes an
additional file attribute
– Allows the file to be associated with different
applications
• You can only tell whether a file has a data stream
attached by examining that file’s MFT entry
Guide to Computer Forensics and Investigations, Fifth Edition 45
© Cengage Learning 2015
 NTFS Alternate Data Streams

Guide to Computer Forensics and Investigations, Fifth Edition 46

© Cengage Learning 2015
 NTFS Compressed Files

• NTFS provides compression similar to FAT

DriveSpace 3 (a Windows 98 compression utility)
• Under NTFS, files, folders, or entire volumes can
be compressed
• Most computer forensics tools can uncompress
and analyze compressed Windows data

Guide to Computer Forensics and Investigations, Fifth Edition 47

© Cengage Learning 2015
 NTFS Encrypting File System (EFS)

• Encrypting File System (EFS)

– Introduced with Windows 2000
– Implements a public key and private key method of
encrypting files, folders, or disk volumes
• When EFS is used in Windows 2000 and later
– A recovery certificate is generated and sent to the
local Windows administrator account
• Users can apply EFS to files stored on their local
workstations or a remote server

Guide to Computer Forensics and Investigations, Fifth Edition 48

© Cengage Learning 2015
 EFS Recovery Key Agent
• Recovery Key Agent implements the recovery
certificate
– Which is in the Windows administrator account
• Windows administrators can recover a key in
two ways: through Windows or from an MS-
DOS command prompt
• MS-DOS commands
– cipher
– copy
– efsrecvr (used to decrypt EFS files)

Guide to Computer Forensics and Investigations, Fifth Edition 49

© Cengage Learning 2015
 Deleting NTFS Files

• When a file is deleted in Windows NT and later

– The OS renames it and moves it to the Recycle Bin
• Can use the Del (delete) MS-DOS command
– Eliminates the file from the MFT listing in the same
way FAT does

Guide to Computer Forensics and Investigations, Fifth Edition 50

© Cengage Learning 2015
 Resilient File System

• Resilient File System (ReFS) - designed to address

very large data storage needs
– Such as the cloud
• Features incorporated into ReFS’s design:
– Maximized data availability
– Improved data integrity
– Designed for scalability
• ReFS uses disk structures similar to the MFT in
NTFS
Guide to Computer Forensics and Investigations, Fifth Edition 51
© Cengage Learning 2015
 Understanding Whole Disk Encryption

• In recent years, there has been more concern

about loss of
– Personal identity information (PII) and trade
secrets caused by computer theft
• Of particular concern is the theft of laptop
computers and other handheld devices
• To help prevent loss of information, software
vendors now provide whole disk encryption

Guide to Computer Forensics and Investigations, Fifth Edition 52

© Cengage Learning 2015
 Understanding Whole Disk Encryption

• Current whole disk encryption tools offer the

following features:
– Preboot authentication
– Full or partial disk encryption with secure hibernation
– Advanced encryption algorithms
– Key management function

Guide to Computer Forensics and Investigations, Fifth Edition 53

© Cengage Learning 2015
Understanding Whole Disk Encryption

• Whole disk encryption tools encrypt each sector of

a drive separately
• Many of these tools encrypt the drive’s boot sector
– To prevent any efforts to bypass the secured drive’s
partition
• To examine an encrypted drive, decrypt it first
– Run a vendor-specific program to decrypt the drive
– Many vendors use a bootable CD or USB drive that
prompts for a one-time passphrase

Guide to Computer Forensics and Investigations, Fifth Edition 54

© Cengage Learning 2015
 Examining Microsoft BitLocker
• Available Vista Enterprise/Ultimate, Windows 7 and
8 Professional/Enterprise, and Server 08 and 12
• Hardware and software requirements
– A computer capable of running Windows Vista or later
– The TPM microchip, version 1.2 or newer
– A computer BIOS compliant with Trusted Computing
Group (TCG)
– Two NTFS partitions
– The BIOS configured so that the hard drive boots first
before checking other bootable peripherals

Guide to Computer Forensics and Investigations, Fifth Edition 55

© Cengage Learning 2015
Examining Third-Party Disk Encryption
Tools
• Some available third-party WDE utilities:
– PGP Full Disk Encryption
– Voltage SecureFile
– Utimaco SafeGuard Easy
– Jetico BestCrypt Volume Encryption
– TrueCrypt

Guide to Computer Forensics and Investigations, Fifth Edition 56

© Cengage Learning 2015
 Understanding the Windows Registry

• Registry
– A database that stores hardware and software
configuration information, network connections, user
preferences, and setup information
• To view the Registry, you can use:
– Regedit (Registry Editor) program for Windows 9x
systems
– Regedt32 for Windows 2000, XP, and Vista
– Both utilities can be used for Windows 7 and 8

Guide to Computer Forensics and Investigations, Fifth Edition 57

© Cengage Learning 2015
 Exploring the Organization of the
Windows Registry
• Registry terminology:
– Registry
– Registry Editor
– HKEY
– Key
– Subkey
– Branch
– Value
– Default value
– Hives
Guide to Computer Forensics and Investigations, Fifth Edition 58
© Cengage Learning 2015
 Exploring the Organization of the
Windows Registry

Guide to Computer Forensics and Investigations, Fifth Edition 59

© Cengage Learning 2015
 Exploring the Organization of the
Windows Registry

Guide to Computer Forensics and Investigations, Fifth Edition 60

© Cengage Learning 2015
 Exploring the Organization of the
Windows Registry

Guide to Computer Forensics and Investigations, Fifth Edition 61

© Cengage Learning 2015
Understanding Microsoft Startup Tasks

• Learn what files are accessed when Windows

starts
• This information helps you determine when a
suspect’s computer was last accessed
– Important with computers that might have been used
after an incident was reported

Guide to Computer Forensics and Investigations, Fifth Edition 62

© Cengage Learning 2015
 Startup in Windows 7 and Windows 8

• Windows 8 is a multiplatform OS
– Can run on desktops, laptops, tablets, and
smartphones
• The boot process uses a boot configuration data
(BCD) store
• The BCD contains the boot loader that initiates the
system’s bootstrap process
– Press F8 or F12 when the system starts to access
the Advanced Boot Options

Guide to Computer Forensics and Investigations, Fifth Edition 63

© Cengage Learning 2015
 Startup in Windows NT and Later

• All NTFS computers perform the following steps

when the computer is turned on:
– Power-on self test (POST)
– Initial startup
– Boot loader
– Hardware detection and configuration
– Kernel loading
– User logon

Guide to Computer Forensics and Investigations, Fifth Edition 64

© Cengage Learning 2015
 Startup in Windows NT and Later

• Startup Files for Windows Vista:

– The Ntldr program in Windows XP used to load the
OS has been replaced with these three boot utilities:
• Bootmgr.exe
• Winload.exe
• Winresume.exe
– Windows Vista includes the BCD editor for modifying
boot options and updating the BCD registry file
– The BCD store replaces the Windows XP boot.ini file

Guide to Computer Forensics and Investigations, Fifth Edition 65

© Cengage Learning 2015
 Startup in Windows NT and Later
• Startup Files for Windows XP:
– NT Loader (NTLDR)
– Boot.ini
– Ntoskrnl.exe
– Bootvid.dll
– Hal.dll
– BootSect.dos
– NTDetect.com
– NTBootdd.sys
– Pagefile.sys
Guide to Computer Forensics and Investigations, Fifth Edition 66
© Cengage Learning 2015
 Startup in Windows NT and Later

• Windows XP System Files

Guide to Computer Forensics and Investigations, Fifth Edition 67

© Cengage Learning 2015
 Startup in Windows NT and Later

• Contamination Concerns with Windows XP

– When you start a Windows XP NTFS workstation,
several files are accessed immediately
• The last access date and time stamp for the files
change to the current date and time
– Destroys any potential evidence
• That shows when a Windows XP workstation was last
used

Guide to Computer Forensics and Investigations, Fifth Edition 68

© Cengage Learning 2015
 Understanding Virtual Machines

• Virtual machine
– Allows you to create a representation of another
computer on an existing physical computer
• A virtual machine is just a few files on your hard
drive
– Must allocate space to it
• A virtual machine recognizes components of the
physical machine it’s loaded on
– Virtual OS is limited by the physical machine’s OS

Guide to Computer Forensics and Investigations, Fifth Edition 69

© Cengage Learning 2015
 Understanding Virtual Machines

Guide to Computer Forensics and Investigations, Fifth Edition 70

© Cengage Learning 2015
 Understanding Virtual Machines

• In digital forensics
– Virtual machines make it possible to restore a
suspect drive on your virtual machine
• And run nonstandard software the suspect might have
loaded
• From a network forensics standpoint, you need to
be aware of some potential issues, such as:
– A virtual machine used to attack another system or
network

Guide to Computer Forensics and Investigations, Fifth Edition 71

© Cengage Learning 2015
 Creating a Virtual Machine

• Popular applications for creating virtual machines

– VMware Server, VMware Player and VMware
Workstation, Oracle VM VirtualBox, Microsoft Virtual
PC, and Hyper-V
• Using VirtualBox
– An open-source program that can be downloaded at
www.virtualbox.org/wiki/Downloads
• Consult with your instructor before doing the
activities using VirtualBox

Guide to Computer Forensics and Investigations, Fifth Edition 72

© Cengage Learning 2015
 Summary

• When booting a suspect’s computer, using boot

media, such as forensic boot CDs or USB drives,
you must ensure that disk evidence isn’t altered
• The Master Boot Record (MBR) stores information
about partitions on a disk
• Microsoft used FAT12 and FAT16 on older
operating systems
• To find a hard disk’s capacity, use the cylinders,
heads, and sectors (CHS) calculation

Guide to Computer Forensics and Investigations, Fifth Edition 73

© Cengage Learning 2015
 Summary

• When files are deleted in a FAT file system, the

Greek letter sigma (0x05) is inserted in the first
character of the filename in the directory
• NTFS is more versatile because it uses the Master
File Table (MFT) to track file information
• Records in the MFT contain attribute IDs that store
metadata about files
• In NTFS, data streams can obscure information
that might have evidentiary value

Guide to Computer Forensics and Investigations, Fifth Edition 74

© Cengage Learning 2015
 Summary
• File slack, RAM slack, and drive slack are areas in
which valuable information can reside on a drive
• NTFS can encrypt data with EFS and BitLocker
• NTFS can compress files, folders, or volumes
• Windows Registry keeps a record of attached
hardware, user preferences, network connections,
and installed software
• Virtual machines enable you to run other OSs from
a Windows computer

Guide to Computer Forensics and Investigations, Fifth Edition 75

© Cengage Learning 2015