Chapter 5 Understanding File Systems - Hard Disks


GMI German-Malaysian Institute
Course Code: NTC 1072
Credit: 2
Section/Department: CI/EED
Semester: 4
CO Name: Sir Mahidir b. Ayup

BASIC COMPUTER FORENSICS
[Chapter 5] Understanding File Systems & Hard Disks

The objective of this chapter is to help the students understand how to:
– Recover files deleted from a hard disk
– Analyze the filesystems

Tuesday 29 April 2025


Introduction
• In this networked world, organizations need to manage systems, networks, and the applications running over them, which can enable effective data and resource sharing
• No operating system can guarantee 100% security of the available resources and data; there are several shortcomings in their designs
• This situation, if exploited well by hackers, can lead to the end of any organization’s business!
• The pitiable thing is that end users are unaware of the vulnerabilities


Chapter Objective
• Understanding file systems
• Understanding the boot sequence
• Examining registry data
• Disk drive overview
• Exploring Microsoft file structures
• Disk partition concerns
• Boot partition concerns
• Examining FAT disks
• Examining NTFS disks
• NTFS system files
• NTFS attributes
• NTFS data streams
• NTFS compressed files
• NTFS Encrypted File Systems (EFS) and Master File Table (MFT)
• EFS Recovery Key Agent
• Deleting NTFS files
• Understanding Microsoft boot tasks
• Windows XP, 2000, and NT startup
• Windows XP system files
• Understanding MS-DOS startup tasks
• Other DOS operating systems


Disk Drive Overview - I
• There are two types of disk drives:
  • Fixed storage drives
  • External storage drives
• A few of the removable storage drives are:
  • Floppy disks
  • Compact Disks
  • Digital Versatile Disk (DVD)
  • ZIP Disks
  • r/m Drive


Disk Drive Overview - II
• A hard disk drive is a good example of a permanent storage device
• The data is recorded magnetically onto the hard disk
• The main components of a hard disk are:
  • Cylinders
  • Head
  • Platter
• The data is stored on the tracks of the sector
Hard Disk (figure)
Disk Drive Overview - III
• The data is recorded onto the hard disk using zoned bit recording
• Zoned Bit Recording:
  • It is the task of grouping the tracks by zones to ensure the same size of all the tracks
• The densities of the data on the disk drive are of two types, namely:
  • Track density: the space between tracks on a disk
  • Areal density: the number of bits per square inch on a platter
  • Bit density: bits per unit length of track
Hard Disk
• A hard disk is a sealed unit containing a number of platters in a stack. Hard disks may be mounted in a horizontal or a vertical position
• Electromagnetic read/write heads are positioned above and below each platter
• As the platters spin, the drive heads move in toward the center surface and out toward the edge


Disk Platter
• An aluminum alloy is used to make the disk platter
• Glass and ceramic are used for modern-day platters
• A magnetic media coating is applied to the part where data resides
• The coating is an iron oxide substance or a cobalt alloy
Disk Platter
• Data is written on both sides of a hard disk platter
• Both sides are numbered, as side 0 and side 1
Tracks
• A circular ring on one side of the platter is known as a track
• The drive head can access this circular ring in one position at a time
• Tracks are numbered for their identification
• Data exists in thin concentric bands on a hard disk
• A 3.5-inch hard disk consists of more than a thousand tracks
Tracks Numbering
• Track numbering begins from 0 at the outer edge and moves towards the center, reaching a value of typically 1023
• A cylinder is formed when tracks are lined up
Sector
• Smallest physical storage unit on the disk
• Normally 512 bytes in size
• Factory track-positioning data determines the labeling of disk sectors
• Data is stored on the disk in a contiguous series
• For example, if the file size is 600 bytes, two 512-byte sectors are allocated for the file
Sector Addressing
• Cylinders, heads and sectors determine the address of individual sectors on the disk
• For example, on formatting, a disk may have 50 tracks divided into 10 sectors each
• Track and sector numbers are used by the operating system and disk drive to identify the stored information
Cluster
• Smallest allocation unit of a hard disk
• The relevant formatting scheme determines the range of tracks and sectors, from 2 to 32
• Minimum size can be one sector (1 sector / cluster)
• An allocation unit can be made of two or more sectors (2 sectors / cluster)
• Any read or write operation consumes the space of at least 1 cluster
• A lot of slack space, or unused space, is wasted in the cluster beyond the data size in the sector
Reference: http://ncfs.org/swgde/index.html


Cluster Size
• For optimum disk storage, the cluster size can be altered
• A larger cluster size (greater than one sector) has the following effects:
  • minimizes the fragmentation problem
  • greatly increases the probability of unused space in the cluster
  • reduces the disk storage area available to save information
  • also reduces unused area on the disk
Slack Space
• Slack space is the free space in the cluster after writing data to that cluster
• DOS and Windows utilize fixed-size clusters for the file system
• If the size of the stored data is less than the cluster size, the unused area remains reserved for the file, resulting in slack space
• The DOS and FAT16 (file allocation table) file system in Windows utilizes very large clusters
• For example, if the partition size is 4 GB, each cluster will be 32 K. Even if a file needs only 10 K, the entire 32 K will be allocated, resulting in 22 K of slack space.
Reference: https://www.securitynik.com/2015/06/forensic-imaging-and-their-formats-dd.html
Lost Clusters
• When the operating system marks clusters as used but does not allocate them to any file, such clusters are known as lost clusters
• Lost clusters can be reassigned, making the disk space free
• The ScanDisk utility has the capability to identify lost clusters in the DOS and Windows operating systems
Bad Sector
• A damaged portion of a disk on which no read/write operation can be performed
• Formatting a disk enables the operating system to identify unusable sectors and mark them as bad
• Special software is used to recover the data on a bad sector
Understanding File Systems
• A file system is a set of data types which is employed for storage, hierarchical categorization, management, navigation, access, and recovery of data
• A file system can use storage devices like hard disks, CD-ROMs or floppy disks
• A command line or graphical user interface can be used to access the files
• File systems are arranged into tree-structured directories, and directories require access authorization
Types of File System
File systems are classified into four types. They are:
• Disk file systems
• Network file systems
• Database file systems
• Special purpose file systems
List of Disk File Systems
• ADFS – Acorn filing system, successor to DFS.
• BFS – the Be File System used on BeOS
• EFS – Encrypted filesystem, an extension of NTFS
• EFS (IRIX) – an older block filing system under IRIX.
• Ext – Extended filesystem, designed for Linux systems
• Ext2 – Extended filesystem 2, designed for Linux systems
• Ext3 – Extended filesystem 3, designed for Linux systems (ext2 + journalling)
• FAT – Used on DOS and Microsoft Windows, 12 and 16 bit table depths
• FAT32 – FAT with 32 bit table depth
• FFS (Amiga) – Fast File System, used on Amiga systems. Nice for floppies, but fairly useless on hard drives.
• FFS – Fast File System, used on *BSD systems
• Files-11 – OpenVMS filesystem
• HFS – Hierarchical File System, used on older Mac OS systems
List of Disk File Systems, cont’d
• HFS Plus – Updated version of HFS used on newer Mac OS systems
• HFSX – Updated version of HFS Plus to remove some backward compatibility limitations.
• HPFS – High Performance Filesystem, used on OS/2
• ISO 9660 – Used on CD-ROM and DVD-ROM discs (Rock Ridge and Joliet are extensions to this)
• JFS – IBM Journaling Filesystem, provided in Linux, OS/2, and AIX
• Kfs
• LFS – Log-structured filesystem
• MFS – Macintosh File System, used on early Mac OS systems
• Minix file system – Used on Minix systems
• NTFS – Used on Windows NT based systems
• OFS – Old File System, on Amiga
List of Disk File Systems, cont’d
• PFS – and PFS2, PFS3, etc. Technically interesting filesystem available for the Amiga, performs very well under a lot of circumstances. Very simple and elegant.
• ReiserFS – Filesystem which uses journaling
• Reiser4 – Filesystem which uses journaling, newest version of ReiserFS
• SFS – Smart File System, available for the Amiga.
• Sprite – The original log-structured filesystem.
• UDF – Packet based filesystem for WORM/RW media such as CD-RW and DVD.
• UFS – Unix Filesystem, used on older BSD systems
• UFS2 – Unix Filesystem, used on newer BSD systems
• UMSDOS – FAT filesystem extended to store permissions and metadata, used for Linux.
• VxFS – Veritas file system, first commercial journaling file system; HP-UX, Solaris, Linux, AIX
• XFS – Used on SGI IRIX and Linux systems
• ZFS – Used on Solaris 10
List of Network File Systems
• AFS (Andrew File System)
• AppleShare
• CIFS (Microsoft's documented version of SMB)
• Coda
• GFS
• InterMezzo
• Lustre
• NFS
• OpenAFS
• SMB (sometimes also called Samba filesystem)
Special Purpose File Systems
• acme (Plan 9) (text windows)
• archfs (archive)
• cdfs (reading and writing of CDs)
• cfs (caching)
• Davfs2 (WebDAV)
• DEVFS
• ftpfs (ftp access)
• lnfs (long names)
• LUFS (replaces ftpfs; ftp, ssh ... access)
• nntpfs (netnews)
• plumber (Plan 9) (interprocess communication – pipes)
• PROCFS
• ROMFS
• TMPFS
• wikifs (wiki wiki)
Popular Linux File systems
• EXT (Extended File System)
  • First filesystem for the Linux operating system, created to overcome certain limitations of the Minix file system
  • Quickly replaced by the second extended file system
• EXT2 (Second Extended File System)
  • Standard filesystem with improved algorithms, used on the Linux operating system for a number of years
  • Not a journaling file system
• EXT3 (Third Extended File System)
  • Journaled filesystem used in the GNU/Linux operating system
  • Can be mounted and used as an Ext2 filesystem
  • Can use the file system maintenance utilities (like fsck) for maintaining and repairing, just like an Ext2 filesystem
Sun Solaris 10 File System - ZFS
• ZFS is a filesystem first used in Sun Microsystems Solaris 10
• Uses 128-bit addressing to perform read/write operations, referred to as a "gigaterabyte" (a zettabyte)
• Any modification to this filesystem will never increase its storage capacity
• Main Features:
  • Facilitates immediate backup as the file is written
  • Introduced Logical Volume Management (LVM) features into the filesystem
  • File systems are portable between little-endian and big-endian systems
  • Provides data integrity to detect and correct errors
  • HA Storage+ feature provides cluster/failover compatibility in case of any interruption (only one server is empowered to perform write operations on the disk)
  • Creates many copies of a single snapshot with minimum overheads
  • Deletes all the unused memory space out of files
  • Supports the full range of NFSv4/Windows NT-style ACLs
Windows File Systems
• FAT (File Allocation Table)
  • 16 bit file system developed for MS-DOS
  • Used in consumer versions of Microsoft Windows till Windows Me
  • Considered relatively uncomplicated and became a popular format for devices like floppy disks, USB devices, digital cameras, flash disks
• FAT32
  • 32 bit version of the FAT file system with storage capacity up to 2 GB
• NTFS (New Technology File System)
  • NTFS has three versions:
    • v1.2 (v4.0) found in NT 3.51 and NT 4
    • v3.0 (v5.0) found in Windows 2000
    • v3.1 (v5.1) found in Windows XP and Windows Server 2003
  • Newer versions added extra features like quotas, introduced by Windows 2000. In NTFS, anything such as file name, creation date, access permissions and even contents is written down as metadata
Mac OS X File system
• HFS (Hierarchical File System)
  • Developed by Apple Computer to support the Mac Operating System
  • Traditionally used by floppy and hard disks but now also used by CD-ROMs
• UFS (UNIX file system)
  • Derived from the Berkeley Fast File System (FFS), which was originally developed at Bell Laboratories from the first version of the UNIX FS
  • All BSD UNIX derivatives, including FreeBSD, NetBSD, OpenBSD, NeXTStep, and Solaris, use a variant of UFS
  • Acts as a substitute for HFS in Mac OS X
CD-ROM / DVD File system
• ISO 9660 (International Organization for Standardization) defines a file system for CD-ROM and DVD-ROM media
• To exchange data it supports various computer operating systems like Microsoft Windows, Mac OS, and UNIX based systems
• There are some extensions to ISO 9660 to cope with its demerits:
  • Longer ASCII coded names and UNIX permissions are facilitated by Rock Ridge
  • Unicode naming (like non-roman scripts) is also supported by Joliet
  • Bootable CDs are facilitated by El Torito
  • ISO 13490 is a combination of ISO 9660 with multisession support
File system Comparison (figure)
Boot Sector
• The Boot Sector is the first sector (512 bytes) of a FAT file system
• Unix-like terminology defines it as the superblock
* A sector is the smallest unit of storage on a hard drive.
Exploring Microsoft File Structures
• Filesystems:
  • File Allocation Tables (FAT)
  • New Technology File System (NTFS)
  • High Performance File System
• Windows supports two types of file systems on CD-ROM and Digital Versatile Disk (DVD):
  • Compact Disc File System (CDFS)
  • Universal File System (UDF)
• A file system can be chosen as per the storage needs of the organization and the type of operating system in use
Exploring Microsoft File Structures
• FAT vs NTFS (figure)
Exploring Microsoft File Structures
• A cluster is defined as the smallest amount of space allocated by the operating system to hold a file
• A cluster is more efficient if the size of the cluster is small
• There is no default size for the cluster
• The cluster address allocated by the operating system is called the logical address
• The physical addresses are the addresses that exist at the firmware or hardware level
Disk Partition Concerns
• Partitioning of a hard disk drive is done for effective storage management of data
• A partition is a logical part of the disk that holds data
• It can be divided into:
  • Primary Partition
  • Extended Partition
• A basic disk can have one primary partition and any number of extended partitions
• Windows looks for the primary partition to start the computer. This active partition contains the boot files used to start an operating system
• The inter-partition gap is the unused or void space between the primary and first logical partition
Boot Partition Concerns
• The information regarding the files on the disk, their location, size and other important data is stored in the Master Boot Record file
• Every disk has a Master Boot Record that contains the information about the partitions on the disk
• The user can choose the operating system by using third-party boot utilities, which change the Master Boot Record
Examining FAT
• When a file is deleted, the operating system replaces the first character of the file name with a lower-case Greek letter. The space is made available for new files
• These files can be recovered using forensic tools
• A few tools which can be used for forensics are:
  • WINHEX
  • UNDELETE
  • FILE SCAVENGER
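As an added example (not part of these slides), the following Python parses the BIOS Parameter Block of a FAT12/16 boot sector to locate the root directory and data area, lists the root-directory entries, flags those whose first name byte was overwritten with 0xE5 on deletion (the byte that renders as the Greek letter σ in the CP437 character set, which is the "lower-case Greek letter" the slide refers to), and carves their content from the first cluster. The disk image, file names and contents are constructed inline and come from no real system.

```python
import math
import struct

DELETED = 0xE5             # written over the first name byte when a file is deleted
BPB_FMT = "<HBHBHHBHHHII"  # BPB fields from offset 0x0B of a FAT12/16 boot sector

def dir_entry(name8_3, first_cluster, size, deleted=False):
    # 32-byte short-name entry, attribute 0x20 (archive); first cluster split hi/lo
    name = name8_3.encode("ascii")
    entry = bytearray(32)
    entry[0:11] = bytes([DELETED]) + name[1:] if deleted else name
    entry[11] = 0x20
    struct.pack_into("<H", entry, 20, first_cluster >> 16)
    struct.pack_into("<HI", entry, 26, first_cluster & 0xFFFF, size)
    return bytes(entry)

def build_sample_image():
    # constructed FAT16-style image: 512-byte sectors, 1 sector per cluster,
    # 1 reserved sector, 2 FATs of 1 sector each, 16 root entries, 12 sectors
    bps, spc, reserved, nfats, root_entries, spf = 512, 1, 1, 2, 16, 1
    boot = bytearray(bps)
    boot[0:3], boot[3:11] = b"\xEB\x3C\x90", b"MSWIN4.1"
    struct.pack_into(BPB_FMT, boot, 11, bps, spc, reserved, nfats,
                     root_entries, 12, 0xF8, spf, 63, 16, 0, 0)
    boot[510:512] = b"\x55\xAA"
    root = (dir_entry("REPORT  TXT", 2, 600)                  # live file, clusters 2-3
            + dir_entry("SECRET  DOC", 4, 300, deleted=True)   # deleted, was in cluster 4
            ).ljust(bps, b"\0")
    data = bytearray(8 * bps)                                  # clusters 2..9
    data[0:600] = b"R" * 600
    data[2 * bps:2 * bps + 300] = b"constructed deleted-file content".ljust(300, b".")
    return bytes(boot) + bytes(bps) * nfats + root + bytes(data)

def parse_bpb(img):
    # geometry needed to find the root directory and the data area
    (bps, spc, reserved, nfats, root_entries, total16, _media, spf,
     _spt, _heads, _hidden, total32) = struct.unpack_from(BPB_FMT, img, 11)
    if img[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot-sector signature")
    root_start = reserved + nfats * spf
    return {"bps": bps, "spc": spc, "root_entries": root_entries,
            "root_start": root_start,
            "data_start": root_start + math.ceil(root_entries * 32 / bps),
            "total_sectors": total16 or total32}

def cluster_offset(geo, cluster):
    # byte offset of a data cluster; FAT numbers data clusters from 2
    return (geo["data_start"] + (cluster - 2) * geo["spc"]) * geo["bps"]

def list_root(img, geo):
    # (name, first_cluster, size, deleted) for each short-name root entry
    base, out = geo["root_start"] * geo["bps"], []
    for i in range(geo["root_entries"]):
        raw = img[base + 32 * i:base + 32 * (i + 1)]
        if raw[0] == 0x00:
            break                    # 0x00: no entries in use beyond this point
        if raw[11] == 0x0F:
            continue                 # long-file-name fragment, not a file
        deleted = raw[0] == DELETED  # only the first character is lost
        stem = (b"?" + raw[1:8] if deleted else raw[0:8]).decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        hi, = struct.unpack_from("<H", raw, 20)
        lo, size = struct.unpack_from("<HI", raw, 26)
        out.append((f"{stem}.{ext}" if ext else stem, (hi << 16) | lo, size, deleted))
    return out

def carve_deleted(img, geo):
    # read `size` bytes from the first cluster of each deleted entry; the FAT
    # chain is cleared on delete, so this assumes the file was contiguous
    recovered = {}
    for name, first, size, deleted in list_root(img, geo):
        if deleted and first >= 2 and size:
            start = cluster_offset(geo, first)
            recovered[name] = img[start:start + size]
    return recovered

if __name__ == "__main__":
    image = build_sample_image()
    geom = parse_bpb(image)
    for entry in list_root(image, geom):
        print(entry)
    for name, blob in carve_deleted(image, geom).items():
        print(name, blob[:32])
```

The carve is only reliable for files that were stored contiguously; a fragmented file needs the cluster chain, which deletion has already cleared from the FAT.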
NTFS
• The New Technology File System was introduced by Microsoft
• In NTFS, every piece of data written on the disk is considered a file
• The Partition Boot Sector is the first data set on the disk
• After the PBS, the first file set is the Master File Table, which occupies 12.5% to 50% of the disk space
• NTFS uses the UNICODE data format
NTFS System Files (figure)
NTFS Partition Boot Sector
• When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code.
NTFS Master File Table (MFT)
• Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT).
• NTFS reserves the first 16 records of the table for special information.
• The first record of this table describes the master file table itself, followed by an MFT mirror record.
• If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT.
• The locations of the data segments for both the MFT and the MFT mirror file are recorded in the boot sector. A duplicate of the boot sector is located at the logical center of the disk.
• The third record of the MFT is the log file, used for file recovery. The seventeenth and following records of the master file table are for each file and directory (also viewed as a file by NTFS) on the volume
Note: for NTFS, all file system information (size, time and date stamps, permissions, and data contents) is stored either in MFT entries or in space outside the MFT.
NTFS Attributes-I
• Every file has unique identities like:
  • Name
  • Security information
• It can also contain metadata of the file system in the file.
• Every attribute is identified by an attribute type code.
• There are two categories of attributes:
  • Resident attributes: these are the attributes that are contained in the MFT.
  • Non-resident attributes: these are the attributes that are allocated one or more clusters of disk space
NTFS Attributes-II (figure)
NTFS Data Stream-I
• A sequence of bytes is called a data stream
• Data can be added to the stream when examining the attributes of the file
• Data streams can create obscure data, intentionally or by coincidence
• In this file system a data stream becomes a data attribute of a file
• A data stream can be created by using the following command
NTFS Data Stream-II (figure)
NTFS Data Stream-III (figure)
NTFS Compressed Files
• The compressed files present on an NTFS volume can be accessed, read or modified by any Windows application without decompressing the file
• When an application like Microsoft Word, or an operating system command like the copy command, requests access, the file is decompressed by the filter driver
• The NTFS compression algorithm supports cluster sizes of up to 4 KB
NTFS Encrypted File Systems (EFS)
• The main file encryption technology used to store encrypted files in NTFS
• An encrypted file or folder can be read or modified just like any other file or folder
• EFS uses public and private keys to encrypt files, folders, and disk volumes
• Encrypted files can be accessed only if the user has the private key and the operating system has the public key
• If an intruder tries to modify, copy or rename the files, then the intruder receives an access denied message
EFS File Structure (figure)
Metadata File Table (MFT)
• The MFT is a relational database, which consists of information regarding the files and the file attributes
• The rows consist of file records and the columns consist of file attributes
• It has information on every file on the NTFS volume, including information about itself
• The MFT has 16 records reserved for system files
• The MFT for a small folder is represented as follows (figure)
EFS Recovery Key Agent-I
• A recovery policy is always associated with an encryption policy. A recovery agent decrypts the file if the encryption certificate of an encrypted file is lost
• The recovery agent is used in the following conditions:
  • When a user loses a private key
  • When a user leaves the company
  • Whenever a law enforcement agency makes a request
EFS Recovery Key Agent-II
• The Windows administrator can recover the key from Windows or from the MS-DOS command prompt
• The keys can be recovered from the command prompt using the following commands:
  • CIPHER
  • COPY
  • EFSRECVR
• Recovery agent information of an encrypted file can be viewed using the EFS info tool
Deleting NTFS Files
• On deletion from Windows Explorer, the file is moved into the Recycle Bin
• If the file is deleted from the command prompt, then the Recycle Bin is bypassed. It can be recovered only by using forensic tools
• When a file is deleted, the following tasks are performed by the operating system in NTFS:
  • The clusters are made available for new data
  • The MFT attribute $BITMAP is updated
  • The file attribute of the MFT is marked available
  • Any linking inodes and VCN/LCN cluster locations are removed from the MFT
  • The list of links to the cluster locations is deleted
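As an added example (not part of these slides), the following Python builds a 1024-byte NTFS MFT FILE record with a resident $FILE_NAME attribute and a non-resident $DATA attribute, then parses it back the way a forensic tool would: it applies the update-sequence fixups, separates resident from non-resident attributes, decodes the $DATA runs into VCN-to-LCN extents, and reads the header flag whose in-use bit is what deletion clears while the runs themselves stay readable until the record is reused. The layout follows NTFS 3.x with 512-byte sectors; the record number, file name, extents and sizes are constructed values.

```python
import struct
ATTR_END = 0xFFFFFFFF
ATTR_NAMES = {0x30: "$FILE_NAME", 0x80: "$DATA"}
SECTOR = 512

def encode_runs(extents):
    # header byte 0x44: 4-byte cluster count, then 4-byte signed LCN delta from the previous run
    out, prev = b"", 0
    for lcn, count in extents:
        out += b"\x44" + struct.pack("<Ii", count, lcn - prev)
        prev = lcn
    return out + b"\x00"

def resident_attr(atype, value):
    # resident attribute: 24-byte header, the value itself sits inside the MFT record
    padded = value + b"\0" * (-len(value) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(padded), 0, 0, 24, 0, 0,
                       len(value), 24, 0, 0) + padded

def nonresident_data(extents, size, cluster_size):
    # non-resident $DATA: 64-byte header, data runs at 0x40, content lives on clusters
    runs = encode_runs(extents)
    runs += b"\0" * (-len(runs) % 8)
    n = sum(c for _, c in extents)
    return struct.pack("<IIBBHHHQQHHIQQQ", 0x80, 64 + len(runs), 1, 0, 64, 0, 1,
                       0, n - 1, 64, 0, 0, n * cluster_size, size, size) + runs

def build_record(in_use, name, extents, size, cluster_size=4096, recno=40):
    # $FILE_NAME body: parent ref 5 (root), four zeroed timestamps, sizes, flags, name
    fname = struct.pack("<QQQQQQQIIBB", 5, 0, 0, 0, 0, size, size, 0x20, 0,
                        len(name), 3) + name.encode("utf-16-le")
    attrs = (resident_attr(0x30, fname) + nonresident_data(extents, size, cluster_size)
             + struct.pack("<I", ATTR_END) + b"\0" * 4)
    rec = bytearray(b"FILE".ljust(2 * SECTOR, b"\0"))
    # header: USA at 0x30 with 3 entries, attributes at 0x38, flags bit 0 = record in use
    struct.pack_into("<HHQHHHHIIQHHI", rec, 4, 0x30, 3, 0, 1, 1, 0x38,
                     1 if in_use else 0, 0x38 + len(attrs), len(rec), 0, 3, 0, recno)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[0x30:0x32] = b"\x07\x00"            # update sequence number (USN)
    for i in (1, 2):  # save the last 2 bytes of each sector, then stamp the USN there
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[SECTOR * i - 2:SECTOR * i]
        rec[SECTOR * i - 2:SECTOR * i] = b"\x07\x00"
    return bytes(rec)

def apply_fixups(raw):
    # undo the USN stamps; a mismatch means a torn write or a corrupt record
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = SECTOR * i
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch at sector %d" % i)
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_runs(buf):
    # data runs -> [(lcn, clusters)]; offsets are signed and relative to the previous run
    runs, pos, lcn = [], 0, 0
    while buf[pos]:
        len_sz, off_sz = buf[pos] & 0xF, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        lcn += int.from_bytes(buf[pos + 1 + len_sz:pos + 1 + len_sz + off_sz], "little", signed=True)
        runs.append((lcn, count))
        pos += 1 + len_sz + off_sz
    return runs

def parse_record(raw):
    rec = apply_fixups(raw)
    if rec[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & 1), "directory": bool(flags & 2), "attrs": []}
    while True:
        atype, length, nonres = struct.unpack_from("<IIB", rec, pos)
        if atype == ATTR_END:
            break
        a = {"type": ATTR_NAMES.get(atype, hex(atype)), "resident": not nonres}
        if nonres:  # content is out on clusters: follow the runs to the LCNs
            run_off, _, _, _, a["size"] = struct.unpack_from("<HHIQQ", rec, pos + 0x20)
            a["runs"] = decode_runs(rec[pos + run_off:pos + length])
        else:       # content is inside the MFT record itself
            vlen, voff = struct.unpack_from("<IH", rec, pos + 0x10)
            a["value"] = rec[pos + voff:pos + voff + vlen]
            if atype == 0x30:
                a["name"] = a["value"][0x42:0x42 + 2 * a["value"][0x40]].decode("utf-16-le")
        info["attrs"].append(a)
        pos += length
    return info
```

Building the same record with in_use=False models the state the slide describes after deletion: the record reads as free, yet the name and the LCN extents can still be parsed, which is what lets a forensic tool locate the clusters before they are reused.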
Understanding Microsoft Boot Tasks
• These are the steps that are followed by NTFS during startup:
  • Power-on self test (POST)
  • Initial startup
  • Boot loader
  • Hardware detection and configuration
  • Kernel loading
  • User logon
Windows XP system files
• Essential system files used by Windows XP: (figure)
Understanding Boot Sequence DOS
• The boot sequence steps are as follows:
  • The computer waits for the power-good signal
  • The processor executes the BIOS boot program
  • BIOS performs the power-on self test (POST)
  • BIOS initializes the system settings from the CMOS settings
  • PCI initializes and displays the configuration and status of devices
  • BIOS locates and loads the disk operating system (DOS)
Understanding Boot Sequence DOS
• BIOS then loads the Master Boot Record (MBR)
• The volume boot sector is loaded and tested
• IO.SYS is loaded and executed
• IO.SYS searches for MSDOS.SYS, loads it and executes the file
• COMMAND.COM is loaded and executed for interpreting and reading CONFIG.SYS and AUTOEXEC.BAT
• After this point the operating system takes control of the computer
Understanding MS-DOS Startup Tasks
• IO.SYS – It contains all instructions used by the operating system to interact with the hardware. It is the first file loaded after the bootstrap detects the operating system
• MSDOS.SYS – It is the kernel in MS-DOS and loads COMMAND.COM and AUTOEXEC.BAT
• COMMAND.COM – It provides the internal DOS commands
• CONFIG.SYS – It contains the commands that are required during startup
• AUTOEXEC.BAT – It contains customized settings for MS-DOS
Other DOS Operating Systems
The following are useful disk operating systems other than Microsoft’s DOS:
• 4DOS: It has more commands, a better editor, online help and flow control commands like DO WHILE, RETURN, IF..THEN...ELSE
• Dr-DOS: It is DOS compatible and offers pre-emptive multitasking and 32-bit protected mode, etc.
• Caldera OpenDOS: It’s an MS-DOS compatible OS. It is the descendant of DR DOS and Novell DOS
• Novell DOS: A full-featured DOS built for workstations on Novell networks
Other DOS Operating Systems
• PTS-DOS: Simple graphical user interface DOS, which supports FAT32, big hard drives, and CD-ROMs. Partition Manager Easy makes it easy to partition the hard drives
• QDOS: A 16MB OS created for the CP/M operating system
• FreeDOS: It is cheaper than IBM’s and Microsoft’s and is being used in China on HP PCs
Registry Data-I
• The Registry is a hierarchical database
• Used to store information regarding the users, applications, and the hardware devices
• Windows continuously refers to the registry for information during the execution of an application
• The data in the registry is saved in the form of binary files
Registry Data-II (figure)
Registry Data-III (figure)
Examining Registry Data
• The Registry has a predefined set of keys for every folder
• A registry hive is defined as a set of keys, subkeys, and values used in the Windows registry, which has a group of supporting files that contain backups of its data
• The Registry can be examined manually using the Registry Editor
• The Registry can be examined using tools like:
  • Registry Monitor
  • Registry Checker
Summary
• A file system is a set of data types which is employed for storage, hierarchical categorization, management, navigation, access, and recovery of data
• The Registry is a hierarchical database
• The data is recorded onto the hard disk using zoned bit recording
• Partitioning of a hard disk drive is done for effective storage management of data
• Every disk has a Master Boot Record that contains the information about the partitions on the disk
Summary
• The FAT is located at sector zero (the start) of a disk
• Drive slack is the void or free space allocated for files (in clusters) by the operating system
• EFS is the main file encryption technology used to store encrypted files in NTFS.
• The MFT is a relational database, which consists of information regarding the files and the file attributes
• A few of the other useful disk operating systems are 4DOS, Dr-DOS and Caldera OpenDOS.
Activity: Students
Exercise 1: Recovering Deleted Files from Hard Disks Using WinHex
Scenario
WinHex inspects and edits all kinds of files, and recovers deleted files or lost data from hard drives with corrupt file systems, or from digital camera cards. It is a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security.
Lab Scenario
The investigators started scanning the computers for deleted data to catch the perpetrator, who had been collecting the company’s private data for harmful purposes. To avoid identification, the perpetrator had deleted the data from the system. The investigators were able to trace the system used by analyzing the file systems and recovering deleted data using the WinHex tool.
As a computer forensic investigator, you should know how to recover files that have been permanently deleted and the tools that can be used for recovering them.
Lab Objectives
The objective of this lab is to help you understand how to recover files that have been permanently deleted using the WinHex tool.
Activity: Students
Exercise 2: Analyzing File System Types Using The Sleuth Kit (TSK)
Scenario
The Sleuth Kit (TSK) is a library and collection of command-line tools that allow you to investigate volume and filesystem data. The library can be incorporated into larger digital forensics tools, and the command-line tools can be used directly to find evidence.
Lab Scenario
Sam had called investigators to catch the criminal who was leaking the company’s secret information. The investigators faced the challenge of scanning a large number of systems to identify the culprit. In order to simplify the search, the investigators used The Sleuth Kit to determine the volume and file system data, which reduced their work and helped in finding the culprit in time.
In order to investigate a hard disk, as a forensic investigator, you must know the types of filesystems and how to analyze them using various tools.
Lab Objectives
The objective of this lab is to help investigators learn and perform filesystem analysis. The Sleuth Kit (TSK) is used to obtain:
• Filesystem type
• Metadata information
• Content information