Lecture 6 APIC 1.2.3

Module 6 covers the forensics investigation of Windows systems, focusing on file systems, Microsoft file structures, and the NTFS disk structure. It explains the boot sequence, disk drives, and the importance of understanding file attributes for digital forensics. Additionally, it discusses whole disk encryption, the Windows Registry, and tools for examining these systems.


Module 6: Forensics Investigation of Windows Systems

ICT3052
APIC’s Copyright Warning Notice

WARNING
This material has been reproduced and communicated to you by or on behalf of Asia Pacific
International College in accordance with section 113P of the Copyright Act 1968 (Act).
The material in this communication may be subject to copyright under the Act. Any further
reproduction or communication of this material by you may be the subject of copyright
protection under the Act.
Do not remove this notice.
Objectives
• Explain the purpose and structure of file systems
• Describe Microsoft file structures
• Explain the NTFS disk structure
• List some options for decrypting drives encrypted with whole disk encryption
• Explain how the Windows Registry works
• Describe Microsoft startup tasks
• Explain the purpose of a virtual machine
Understanding File Systems
• The type of file system an OS uses determines how data is stored on the disk
• A file system gives the OS a road map to the data on a disk
• When you need to access a suspect’s computer to acquire or inspect data, you should be familiar with both the computer’s OS and its file systems
Understanding the Boot Sequence
• Complementary Metal Oxide Semiconductor (CMOS)
  • The computer stores system configuration and date and time information in the CMOS when power to the system is off
• Basic Input/Output System (BIOS) or Extensible Firmware Interface (EFI)
  • Contains programs that perform input and output at the hardware level
• Bootstrap process
  • Contained in ROM, tells the computer how to proceed
  • Displays the key or keys you press to open the CMOS setup screen
• CMOS should be modified to boot from a forensic floppy disk or CD
Understanding Disk Drives
• Disk drives are made up of one or more platters coated with magnetic material
• Disk drive components
  • Geometry
  • Head
  • Tracks
  • Cylinders
  • Sectors
• Properties handled at the drive’s hardware or firmware level
  • Zone bit recording (ZBR)
  • Track density
  • Areal density
  • Head and cylinder skew
Solid-state Storage Devices
• All flash memory devices have a feature called wear-leveling
  • An internal firmware feature used in solid-state drives that ensures even wear of reads/writes across all memory cells
• Making a complete forensic copy of the device is important when working with solid-state devices
  • In case you need to recover data from unallocated disk space
The Purpose and Roles of File Systems (Computer Engineering Perspective)
• A file system is a way of storing and organizing files into parent directories on storage devices
• A file system associates names with data files and stores file attributes such as modification, access and creation times, along with other metadata
• As an investigator, you should understand how data is stored and managed in different operating systems
• The file system gives a road map of how data is stored on the device
• The type of file system an OS uses determines how data is stored on the disk
• You should be familiar with the operating system and file system when accessing the suspect’s computer to acquire or inspect data
The Purpose and Roles of File Systems (Digital Forensics Perspective)
As a digital forensics investigator, you may be interested in the following file and file system attributes:
• File creation time
• File modification time
• File deletion and related information such as deletion time
• File growth (data being added to or removed from a file)
• File replacement
• Archive
• Hidden
• Read only
• Compressed
• And many more
Exploring Microsoft File Structures
• In Microsoft file structures, sectors are grouped to form clusters
  • Storage allocation units of one or more sectors
  • Clusters range from 512 bytes up to 32,000 bytes each
  • Combining sectors minimizes the overhead of writing or reading files to a disk
• Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT
  • The first sector of all disks contains a system area, the boot record, and a file structure database
  • The OS assigns these cluster numbers, called logical addresses
  • Sector numbers are called physical addresses
• Clusters and their addresses are specific to a logical disk drive, which is a disk partition
Disk Partitions
• A partition is a logical drive
• Windows OS can have three primary partitions followed by an extended partition that can contain one or more logical drives
• Hidden partitions or voids
  • Large unused gaps between partitions on a disk
• Partition gap
  • Unused space between partitions
• The partition table is in the Master Boot Record (MBR)
  • Located at sector 0 of the disk drive
• In a hexadecimal editor, such as WinHex, you can find the first partition at offset 0x1BE
  • The file system’s hexadecimal code is offset 3 bytes from 0x1BE for the first partition
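To make the partition-table offsets above concrete, here is an added example (not part of the lecture) that parses the four 16-byte entries starting at 0x1BE from a constructed MBR sector and lists the unused gaps before, between and after partitions, which is where hidden partitions or voids would sit. It reads the file system type byte at offset 4 within each entry (0x1C2 for the first partition), treats sector 0 as the MBR itself, and the sample partitions and disk size are assumed values.

```python
import struct

SECTOR = 512
PART_TABLE = 0x1BE          # first partition entry, as noted on the slide
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr():
    """Constructed MBR: an NTFS partition at LBA 2048 and a FAT32 partition after a gap."""
    mbr = bytearray(SECTOR)
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE, 0x80, bytes(3), 0x07, bytes(3), 2048, 1_000_000)
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE + 16, 0x00, bytes(3), 0x0C, bytes(3), 1_100_000, 500_000)
    mbr[0x1FE:0x200] = b"\x55\xAA"                     # boot signature
    return bytes(mbr)

def parse_mbr(sector):
    """Return the populated entries of the four-slot MBR partition table."""
    if len(sector) < SECTOR or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55 AA signature: not an MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE + 16 * i)
        if ptype == 0x00:                              # empty slot
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "start": start, "end": start + count - 1, "sectors": count})
    return parts

def find_gaps(parts, total_sectors):
    """Unused sector ranges before, between and after partitions (candidate hidden areas)."""
    gaps, prev_end = [], 0                             # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > prev_end + 1:
            gaps.append((prev_end + 1, p["start"] - 1))
        prev_end = max(prev_end, p["end"])
    if total_sectors - 1 > prev_end:
        gaps.append((prev_end + 1, total_sectors - 1))
    return gaps
```

On a real image, read the first 512 bytes of the raw disk (not of a partition) and pass the device's sector count to find_gaps; a gap that is large or contains non-zero data deserves a closer look.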
Examining FAT Disks
• File Allocation Table (FAT)
  • File structure database that Microsoft originally designed for floppy disks
• The FAT database is typically written to a disk’s outermost track and contains:
  • Filenames, directory names, date and time stamps, the starting cluster number, and file attributes
• Three current FAT versions
  • FAT16, FAT32, and exFAT (used for mobile personal storage devices)
• Cluster sizes vary according to the hard disk size and file system
Examining FAT Disks
• Microsoft OSs allocate space to files by clusters
  • Results in drive slack
  • Unused space in a cluster between the end of an active file’s content and the end of the cluster
• Drive slack includes:
  • RAM slack and file slack
• An unintentional side effect of FAT16 allowing large clusters was that it reduced fragmentation as cluster size increased
Examining FAT Disks
• When a file runs out of space in its allocated cluster, the OS allocates another cluster to the file
• As files grow and require more disk space, the assigned clusters are chained together; the chain can become fragmented or broken
• When the OS stores data in a FAT file system, it assigns a starting cluster position to a file
  • Data for the file is written to the first sector of the first assigned cluster
Examining FAT Disks
• When this first assigned cluster is filled and runs out of room, FAT assigns the next available cluster to the file
• If the next available cluster isn’t contiguous to the current cluster, the file becomes fragmented
Deleting FAT Files
• In Microsoft OSs, when a file is deleted
  • The directory entry is marked as a deleted file, with the hex E5 character replacing the first letter of the filename
  • The FAT chain for that file is set to 0
• The data in the file remains on the disk drive
• The area of the disk where the deleted file resides becomes unallocated disk space and can be reused by newly created files or by existing files that need more space
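The cluster chaining, fragmentation and 0xE5 deletion behaviour described on the last few slides, worked through in an added example (not from the lecture) over a constructed FAT16 table and constructed 8.3 directory entries. The table values, file names and the 2048-byte cluster size are assumptions for illustration; the "contiguous from the start cluster" recovery estimate is the usual assumption once the chain has been zeroed.

```python
import math, struct

DELETED = 0xE5           # first name byte of a directory entry once the file is deleted
FAT16_EOC = 0xFFF8       # FAT16 values >= this mark the end of a cluster chain

def make_dir_entry(name, ext, start_cluster, size, deleted=False):
    """Constructed 32-byte FAT short-name (8.3) directory entry."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                   # attribute byte: archive
    struct.pack_into("<H", raw, 26, start_cluster)   # starting cluster number (low word)
    struct.pack_into("<I", raw, 28, size)            # file size in bytes
    if deleted:
        raw[0] = DELETED                             # only the first name byte is overwritten
    return bytes(raw)

def parse_dir_entry(raw):
    """Decode name, deletion state, starting cluster and size from a directory entry."""
    deleted = raw[0] == DELETED
    name = ((b"?" + raw[1:8]) if deleted else raw[0:8]).decode("ascii").rstrip()
    ext = raw[8:11].decode("ascii").rstrip()
    start, = struct.unpack_from("<H", raw, 26)
    size, = struct.unpack_from("<I", raw, 28)
    return {"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
            "start_cluster": start, "size": size}

def follow_chain(fat, start):
    """Walk a FAT16 chain; report fragmentation and whether the chain was zeroed."""
    chain, cluster, freed = [], start, False
    while 2 <= cluster < FAT16_EOC:
        if cluster in chain:
            raise ValueError("loop in FAT chain")
        if fat[cluster] == 0:                        # entry set to 0: cluster is unallocated
            freed = True
            break
        chain.append(cluster)
        cluster = fat[cluster]
    fragmented = any(b != a + 1 for a, b in zip(chain, chain[1:]))
    return {"clusters": chain, "fragmented": fragmented, "freed": freed}

def recoverable_clusters(entry, cluster_bytes):
    """Deleted file: the chain is gone, so assume it was contiguous from its start cluster."""
    n = math.ceil(entry["size"] / cluster_bytes)
    return list(range(entry["start_cluster"], entry["start_cluster"] + n))

# Constructed FAT16 table: clusters 2-4 hold a contiguous file, 7->9 a fragmented one,
# and cluster 11 belonged to a deleted file whose chain entries were reset to 0.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0, 0, 9, 0, 0xFFFF, 0, 0, 0, 0, 0, 0]
```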
Examining NTFS Disks
• NT File System (NTFS)
  • Introduced with Windows NT
  • Primary file system for Windows 10
• Improvements over FAT file systems
  • NTFS provides more information about a file
  • NTFS gives more control over files and folders
• NTFS was Microsoft’s move toward a journaling file system
  • It records a transaction before the system carries it out
Examining NTFS Disks
• In NTFS, everything written to the disk is considered a file
• On an NTFS disk
  • The first data set is the Partition Boot Sector
  • Next is the Master File Table (MFT)
• NTFS results in much less file slack space
  • Clusters are smaller for smaller disk drives
• NTFS also uses Unicode, an international character encoding
NTFS System Files
• The MFT contains information about all files on the disk, including the files that belong to the operating system
• In the MFT, the first 15 records are reserved for system files
• Records in the MFT are called metadata
NTFS File System
MFT and File Attributes
• In the NTFS MFT
  • All files and folders are stored in separate records of 1024 bytes each
  • Each record contains file or folder information
  • This information is divided into record fields containing metadata
  • A record field is referred to as an attribute ID
• File or folder information is typically stored in one of two ways in an MFT record:
  • Resident and nonresident
MFT and File Attributes
• Files larger than 512 bytes are stored outside the MFT
  • The MFT record provides the cluster addresses where the file is stored on the drive’s partition, called data runs
• Each MFT record starts with a header identifying it as a resident or nonresident attribute

• When a disk is created as an NTFS file structure, the OS assigns logical clusters to the entire disk partition
  • These assigned clusters are called logical cluster numbers (LCNs)
  • They become the addresses that allow the MFT to link to nonresident files on the disk’s partition
• When data is first written to nonresident files, an LCN address is assigned to the file
  • This LCN becomes the file’s virtual cluster number (VCN)
MFT Structures for File Data
For the header of all MFT records, the record fields of interest are as
follows:
• At offset 0x00 - the MFT record identifier FILE
• At offset 0x1C to 0x1F - size of the MFT record
• At offset 0x14 - length of the header (indicates where the next
attribute starts)
• At offset 0x32 and 0x33 - the update sequence array, which
stores the last 2 bytes of the first sector of the MFT record
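An added example (not from the lecture) that parses the MFT record header fields listed above from a constructed 1024-byte record and applies the update sequence array to put back the last two bytes of each sector, the step a forensic parser must do before any attribute data is trusted. Beyond the slide's offsets it relies on the standard NTFS header layout (USA offset at 0x04, flags at 0x16, used size at 0x18, record number at 0x2C); the record number, sizes and sector-tail bytes are constructed values.

```python
import struct

RECORD_SIZE, SECTOR = 1024, 512   # one MFT record spans two 512-byte sectors

def build_sample_record():
    """Constructed 1024-byte MFT record: in-use file, update sequence array (USA) at 0x30."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"                                      # record signature (offset 0x00)
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)             # USA offset; USA length in words
    struct.pack_into("<H", rec, 0x14, 0x38)                 # offset where the first attribute starts
    struct.pack_into("<H", rec, 0x16, 0x0001)               # flags: bit 0 in use, bit 1 directory
    struct.pack_into("<II", rec, 0x18, 0x1F8, RECORD_SIZE)  # used size; allocated size (0x1C)
    struct.pack_into("<I", rec, 0x2C, 42)                   # record number (constructed)
    rec[0x1FE:0x200], rec[0x3FE:0x400] = b"\xAB\xCD", b"\x12\x34"  # real last 2 bytes per sector
    # NTFS saves each sector's real tail in the USA (0x32, 0x34) and writes the USN over the tails
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    rec[0x32:0x34], rec[0x34:0x36] = rec[0x1FE:0x200], rec[0x3FE:0x400]
    rec[0x1FE:0x200] = rec[0x3FE:0x400] = usn
    return bytes(rec)

def apply_fixups(raw):
    """Verify every sector tail carries the USN, then put the saved bytes back (fixup)."""
    rec = bytearray(raw)
    usa_off, usa_len = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_len):                             # one USA entry per sector
        tail = i * SECTOR - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn write or corrupt record")
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_header(raw):
    if raw[0:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD, unused or wrong offset)")
    rec = apply_fixups(raw)
    first_attr, flags, used, allocated = struct.unpack_from("<HHII", rec, 0x14)
    record_no, = struct.unpack_from("<I", rec, 0x2C)
    return {"record": record_no, "in_use": bool(flags & 1), "directory": bool(flags & 2),
            "used": used, "allocated": allocated, "first_attr_offset": first_attr,
            "sector_tails": (rec[0x1FE:0x200], rec[0x3FE:0x400])}

def record_is_intact(raw):
    try:                                                    # triage: signature and fixups consistent
        parse_mft_header(raw)
        return True
    except ValueError:
        return False
```

A record whose fixups do not match was either written partially (power loss) or altered after the fact, so note it rather than silently parsing its attributes.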
NTFS Alternate Data Streams
• Alternate data streams
  • Ways data can be appended to existing files
  • Can obscure valuable evidentiary data, intentionally or by coincidence
• In NTFS, an alternate data stream becomes an additional file attribute
  • Allows the file to be associated with different applications
• You can only tell whether a file has a data stream attached by examining that file’s MFT entry
NTFS Compressed Files
• NTFS provides compression similar to FAT DriveSpace 3 (a Windows 98 compression utility)
• With NTFS, files, folders, or entire volumes can be compressed
• Most computer forensics tools can uncompress and analyze compressed Windows data
NTFS Encrypting File System (EFS)
• Encrypting File System (EFS)
  • Introduced with Windows 2000
  • Implements a public key and private key method of encrypting files, folders, or disk volumes
• When EFS is used in Windows 2000 and later
  • A recovery certificate is generated and sent to the local Windows administrator account
• Users can apply EFS to files stored on their local workstations or a remote server
EFS Recovery Key Agent
• The Recovery Key Agent implements the recovery certificate
  • Which is in the Windows administrator account
• Windows administrators can recover a key in two ways: through Windows or from a command prompt
• Commands:
  • cipher
  • copy
Deleting NTFS Files
• When a file is deleted in Windows NT and later, the operating system renames the file and places it in the Recycle Bin
• The del (delete) MS-DOS command can also be used
  • It eliminates the file from the MFT listing in the same way FAT does
Resilient File System
• Resilient File System (ReFS) - designed to address very large data storage needs
  • Such as the cloud
• Features incorporated into ReFS’s design:
  • Maximized data availability
  • Improved data integrity
  • Designed for scalability
• ReFS uses disk structures similar to the MFT in NTFS
Understanding Whole Disk Encryption
• In recent years, there has been more concern about loss of personal identity information (PII) and trade secrets caused by computer theft
• Of particular concern is the theft of laptop computers and handheld devices
• To help prevent loss of information, software vendors now provide whole disk encryption
• Current whole disk encryption tools offer the following features:
  • Preboot authentication
  • Full or partial disk encryption with secure hibernation
  • Advanced encryption algorithms
  • Key management function
Understanding Whole Disk Encryption
• Whole disk encryption tools encrypt each sector of a drive separately
• Many of these tools encrypt the drive’s boot sector
  • To prevent any efforts to bypass the secured drive’s partition
• To examine an encrypted drive, decrypt it first
  • Run a vendor-specific program to decrypt the drive
  • Many vendors use a bootable CD or USB drive that prompts for a one-time passphrase
Examining Microsoft BitLocker
• Available in Vista Enterprise/Ultimate, Windows 7, 8, and 10 Professional/Enterprise, and Server 2008 and later
• Hardware and software requirements
  • A computer capable of running Windows Vista or later
  • The TPM microchip, version 1.2 or newer
  • A computer BIOS compliant with Trusted Computing Group (TCG)
  • Two NTFS partitions
  • The BIOS configured so that the hard drive boots first before checking other bootable peripherals
Examining Third-Party Disk Encryption Tools
Some available third-party WDE (whole disk encryption) utilities:
• Endpoint Encryption
• Voltage SecureFile
• Jetico BestCrypt Volume Encryption
Understanding the Windows Registry
• Registry
  • A database that stores hardware and software configuration information, network connections, user preferences, and setup information
• To view the Registry, you can use:
  • Regedit (Registry Editor) program for Windows 9x systems
  • Regedt32 for Windows 2000, XP, and Vista
  • Both utilities can be used for Windows 7 and 8
Exploring the Organization of the Windows Registry
Registry terminology:
• Registry
• Registry Editor
• HKEY
• Key
• Subkey
• Branch
• Value
• Default value
• Hives
Examining the Windows Registry
Tools with built-in or add-on Registry viewers:
• X-Ways Forensics
• OSForensics
• Forensic Explorer
• FTK