
Guide to Computer Forensics and Investigations, Sixth Edition
Chapter 5: Working with Windows and CLI Systems
Objectives

• Explain the purpose and structure of file systems
• Describe Microsoft file structures
• Explain the structure of NTFS disks
• List some options for decrypting drives encrypted with whole disk encryption
• Explain how the Windows Registry works
• Describe Microsoft startup tasks
• Explain the purpose of a virtual machine

© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole
or in part, except for use as permitted in a license distributed with a certain product or
service or otherwise on a password-protected website for classroom use.
Understanding File Systems

• File system
  - Gives the OS a road map to the data on a disk
• File system type
  - The type of file system an OS uses determines how data is stored on the disk
• Access
  - When you need to access a suspect's computer to acquire or inspect data, you should be familiar with both the computer's OS and its file systems

Understanding the Boot Sequence (1 of 3)

Complementary Metal Oxide Semiconductor (CMOS)
• The computer stores its system configuration and date and time information in CMOS memory, which is retained while power to the system is off
• To ensure that data on the suspect computer is not altered, you need to understand and modify the CMOS (firmware) settings so that the machine boots from your forensic media rather than from the suspect drive

Basic Input/Output System (BIOS) or Extensible Firmware Interface (EFI)
• Contains the programs that perform input and output at the hardware level

Acronyms
• BIOS: Basic Input/Output System
• CMOS: Complementary Metal Oxide Semiconductor
• UEFI: Unified Extensible Firmware Interface

Videos

• Differences between BIOS, CMOS and UEFI
  https://www.youtube.com/watch?v=LGz0Io_dh_I
• UEFI Explained: Windows 10/11 and UEFI
  https://www.youtube.com/watch?v=G_qKrJPuAmg
• What is a Cluster File System?
  https://www.youtube.com/watch?v=8I776gk91r8

Understanding the Boot Sequence (2 of 3)

Bootstrap process
• Contained in ROM; tells the computer how to proceed
• Displays the key or keys you press to open the CMOS setup screen

The CMOS settings should be modified to boot from forensic boot media (historically a forensic floppy disk or CD; today usually a write-blocked USB device or optical disc) instead of the suspect's drive

Understanding the Boot Sequence (3 of 3): UEFI

Understanding Disk Drives (1 of 4)

Disk drives are made up of one or more platters coated with magnetic material

Disk drive components
• Geometry: the disk's logical structure
• Heads: read and write data to the platters
• Tracks: concentric circles on a disk platter where data is stored
• Cylinders: a column of tracks at the same position on two or more platters
• Sectors: a section of a track, traditionally 512 bytes (newer Advanced Format drives use 4096-byte physical sectors, which affects offset arithmetic when you work at the physical level)

Understanding Disk Drives (2 of 4)

Understanding Disk Drives (3 of 4)

Understanding Disk Drives (4 of 4)

• Properties handled at the drive's hardware or firmware level
  - Zone bit recording (ZBR)
  - Track density
  - Areal density
  - Head and cylinder skew

Class Activities

1) Watch a video on how to use WinHex
   https://www.youtube.com/watch?v=AIeaSM0d_6M
2) Run the class activities from the class textbook on pages 205-208

We will need: download WinHex

Solid-State Storage Devices

• All flash memory devices have a feature called wear-leveling
  - An internal firmware feature used in solid-state drives that ensures even wear of reads and writes across all memory cells
• When dealing with solid-state devices, making a full forensic copy as soon as possible is crucial
  - Wear-leveling and the drive's own garbage collection (of blocks the OS has marked unused with TRIM) can move or erase data in unallocated space without any OS activity, so the longer the drive stays powered on, the less you can recover from unallocated disk space

Exploring Microsoft File Structures (1 of 2)

• You need to understand the Microsoft file systems in order to understand how the computer stores files
• In particular: clusters, the File Allocation Table (FAT) and NT File System (NTFS)
• The methods the OS uses to store files determine where data can be hidden
• In Microsoft file structures, sectors are grouped to form clusters
  - Storage allocation units that contain one or more sectors
  - Clusters typically range from 512 bytes up to 32 KB each (NTFS defaults to 4 KB)
• Combining sectors minimizes the overhead of writing or reading files to a disk

Exploring Microsoft File Structures (2 of 2)

• Clusters are numbered sequentially starting at 0 in NTFS and at 2 in FAT
• The first sector of all disks contains a system area, the boot record, and a file structure database
• The OS assigns these cluster numbers, called logical addresses (LAs)
  - An LA points to a cluster's position relative to the start of the partition
• Sector numbers are called physical addresses
• Clusters and their addresses are specific to a logical disk drive, which is a disk partition

Disk Partitions (1 of 5)

• A partition is a logical drive
• With an MBR partition table, a disk can hold up to four primary partitions, or three primary partitions followed by an extended partition that can contain one or more logical drives
• Someone who wants to hide data on a hard disk can create hidden partitions or voids
  - Large unused gaps between partitions on a disk
• Partition gap
  - Unused space between partitions

Disk Partitions (2 of 5)

• It is possible to create a partition, add data, then remove the partition's entry from the partition table so that it is hidden from Windows
• If data is hidden in a partition gap, a disk editor can be used to access it
• Another technique is to hide incriminating digital evidence at the end of a disk by declaring a smaller number of sectors than the drive actually has; the OS never sees the space beyond the declared size
• Disk editing tools can access any hidden or empty areas
• WinHex or Hex Workshop editors can be used to examine a partition at the physical level

Disk Partitions (3 of 5)

• WinHex and Hex Workshop allow you to view
  - File headers
  - Other critical parts of a file
• Both tasks involve analyzing the key hexadecimal codes the OS uses to identify and maintain the file systems
• For example:
  - The partition table in the Master Boot Record (MBR) is located at sector 0 of the disk drive
  - In a hexadecimal editor such as WinHex, the first of the four 16-byte partition entries is at offset 0x1BE; the other three follow at 0x1CE, 0x1DE and 0x1EE
  - The file system (partition type) code is the fifth byte of each entry, 4 bytes in from its start, so for the first partition it is at offset 0x1C2. Common values are 0x07 (NTFS or exFAT), 0x0B or 0x0C (FAT32) and 0xEE (the protective MBR in front of a GPT disk)

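The partition-table layout described above, as an added example that is not part of the textbook: it decodes the four 16-byte entries at 0x1BE (reporting the type byte at entry offset 4), and then lists the unused sector ranges between and after the partitions, which are exactly the partition gaps where data can be hidden. The sample sector and the `PARTITION_TYPES` subset are constructed for the example; the function names are the author's own.

```python
import struct

# Added example (not from the textbook): decode the four MBR partition-table
# entries at 0x1BE and list unused sector ranges where data could be hidden.
# The sample sector below is constructed, not taken from a real disk.

MBR_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 0x1BE   # first of four 16-byte entries
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

# Subset of well-known MBR partition type bytes
PARTITION_TYPES = {
    0x00: "empty", 0x01: "FAT12", 0x04: "FAT16 (<32 MB)", 0x05: "extended (CHS)",
    0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_partition_table(sector0: bytes) -> list:
    """Return the four primary-partition entries of an MBR sector as dicts."""
    if len(sector0) < 512:
        raise ValueError("need the full 512-byte sector 0")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector0, off)
        entries.append({
            "index": i,
            "offset": off,               # 0x1BE, 0x1CE, 0x1DE, 0x1EE
            "type_offset": off + 4,      # the file-system type byte sits 4 bytes in
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": count,
        })
    return entries


def find_partition_gaps(entries: list, total_sectors: int) -> list:
    """Return (first, last) sector ranges not covered by any partition.

    Sector 0 (the MBR) is excluded; gaps between partitions and the
    unallocated tail of the drive are the classic places to hide data.
    """
    used = sorted((e["lba_start"], e["lba_start"] + e["sectors"])
                  for e in entries if e["type"] != 0 and e["sectors"] > 0)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sector 0: a bootable NTFS partition, a FAT32 partition
    with a 2,400-sector gap in front of it, and two empty entries."""
    sector = bytearray(512)
    struct.pack_into(ENTRY_FORMAT, sector, 0x1BE, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 100000)
    struct.pack_into(ENTRY_FORMAT, sector, 0x1CE, 0x00, b"\0\0\0", 0x0C, b"\0\0\0", 104448, 50000)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    table = parse_partition_table(build_sample_mbr())
    for e in table:
        print("entry %d @0x%X: type 0x%02X %-16s LBA %d, %d sectors%s" % (
            e["index"], e["offset"], e["type"], e["type_name"], e["lba_start"],
            e["sectors"], " (bootable)" if e["bootable"] else ""))
    print("gaps:", find_partition_gaps(table, total_sectors=200000))
```

On a real image you would read the first 512 bytes of the device or image file and pass them to `parse_partition_table`; `total_sectors` comes from the image size divided by the sector size. A gap that is large enough to hold a file system is worth carving or examining in WinHex.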
Disk Partitions (5 of 5)

Examining FAT Disks (1 of 7)

• File Allocation Table (FAT)
  - File structure database that Microsoft originally designed for floppy disks
  - It is used to organize the files on a disk
  - Other OSs, such as Linux and macOS, can read and write FAT storage devices such as USB drives and SD cards
• The FAT database is typically written to a disk's outermost track. The file system records:
  - Filenames, directory names, date and time stamps, the starting cluster number, and file attributes (held in 32-byte directory entries)
  - The chain of clusters each file occupies (held in the FAT itself, one entry per cluster)
• Three current FAT versions
  - FAT16, FAT32, and exFAT (used for mobile personal storage devices)
• Cluster sizes vary according to the hard disk size and file system

Examining FAT Disks (1 of 7, continued)

• File Allocation Table (FAT) versions
  - FAT12: used for floppy disks; limited storage
  - FAT16: larger disks, with a maximum partition size of 4 GB; found in older Windows versions such as Windows 95 and NT
  - FAT32: supports larger drives
  - exFAT: used for mobile personal storage devices and for large files such as video, images and audio
• Cluster sizes vary according to the hard disk size and file system

Examining FAT Disks (2 of 7)

Examining FAT Disks (3 of 7)

• Microsoft OSs allocate disk space for files by clusters
  - This results in drive slack: unused space in a cluster between the end of an active file's content and the end of the cluster
• Drive slack includes:
  - RAM slack and file slack. RAM slack is the gap between the end of the file and the end of its last sector; older Windows versions padded it with whatever happened to be in memory, so it could leak data from RAM
  - In newer Windows versions the remaining bytes of the last sector are zeroed when the data is written, so RAM slack holds no RAM data. File slack (the unused sectors up to the end of the cluster) still holds whatever was previously written there
• An unintentional side effect of FAT16 allowing large clusters was that it reduced fragmentation as cluster size increased

Examining FAT Disks (4 of 7)

Examining FAT Disks (5 of 7)

• When the OS stores data in a FAT file system, it assigns a starting cluster position to the file
  - Data for the file is written to the first sector of the first assigned cluster
• When you run out of room in an allocated cluster, the OS allocates another cluster for your file
• As files grow and require more disk space, the assigned clusters are chained together
  - The chain can be broken or fragmented

Examining FAT Disks (7 of 7)

• When the first assigned cluster is filled and runs out of room, the FAT assigns the next available cluster to the file
• If the next available cluster isn't contiguous to the current cluster, the file becomes fragmented

Examining FAT Disks (6 of 7)

Deleting FAT Files

• In Microsoft OSs, when a file is deleted
  - The directory entry is marked as deleted, with the hex value E5 replacing the first character of the filename
  - The FAT chain entries for that file are set to 0
  - The data in the file remains on the disk drive
  - The area of the disk where the deleted file resides becomes unallocated disk space, available to receive new data from newly created files or other files needing more space
  - Because the directory entry still records the starting cluster and file size, a deleted file can often be recovered if its clusters have not been reused

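The FAT behaviour described in the last four slides (starting cluster in the directory entry, cluster chains in the FAT, fragmentation, and the 0xE5 marker plus zeroed chain on deletion), as an added example that is not part of the textbook. The 32-byte directory-entry layout and the FAT32 end-of-chain values are the real on-disk format; the FAT table, the directory entries and the helper names (`make_entry`, `SAMPLE_FAT`, `SAMPLE_DIR`) are constructed for the example.

```python
import struct

# Added example (not from the textbook): decode 32-byte FAT directory entries,
# walk FAT32 cluster chains, and show what survives when a file is deleted.
# The FAT and directory entries below are constructed, not from a real disk.

FAT32_MASK = 0x0FFFFFFF   # top 4 bits of a FAT32 entry are reserved
FAT32_EOC = 0x0FFFFFF8    # entries >= this mean "end of chain"
DELETED_MARKER = 0xE5     # first byte of a deleted entry's name
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F     # VFAT long-file-name fragment


def parse_dir_entry(raw: bytes):
    """Decode one short-name (8.3) directory entry; None marks end of directory."""
    if len(raw) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    name, ext, attr = raw[0:8], raw[8:11], raw[11]
    if name[0] == 0x00:
        return None                                  # never used: end of listing
    if attr == ATTR_LONG_NAME:
        return {"lfn": True}                         # long-name piece; not decoded here
    deleted = name[0] == DELETED_MARKER
    hi, = struct.unpack_from("<H", raw, 20)          # high 16 bits of start cluster (FAT32)
    lo, size = struct.unpack_from("<HI", raw, 26)    # low 16 bits, then file size
    base = name.decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]                        # first character is lost on delete
    ext_s = ext.decode("ascii", "replace").rstrip()
    return {
        "name": base + ("." + ext_s if ext_s else ""),
        "deleted": deleted,
        "directory": bool(attr & ATTR_DIRECTORY),
        "start_cluster": (hi << 16) | lo,
        "size": size,
    }


def follow_chain(fat: list, start: int) -> list:
    """Walk the FAT from `start`; stop on end-of-chain, a zeroed entry, or a loop."""
    chain, cur, seen = [], start, set()
    while 2 <= cur < FAT32_EOC and cur < len(fat) and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = fat[cur] & FAT32_MASK
        if cur == 0:          # entry cleared: file was deleted or the chain is damaged
            break
    return chain


def is_fragmented(chain: list) -> bool:
    """True if any two consecutive clusters in the chain are not adjacent."""
    return any(b != a + 1 for a, b in zip(chain, chain[1:]))


def deleted_file_candidate_clusters(entry: dict, cluster_size: int) -> list:
    """A deleted file's FAT chain is zeroed, but its directory entry still records
    the start cluster and size; assume it was contiguous and compute the clusters."""
    n = (entry["size"] + cluster_size - 1) // cluster_size
    return list(range(entry["start_cluster"], entry["start_cluster"] + n))


def make_entry(name8: str, ext3: str, attr: int, start: int, size: int,
               deleted: bool = False) -> bytes:
    """Build a constructed 32-byte directory entry for the examples below."""
    raw = bytearray(32)
    raw[0:8] = name8.ljust(8).encode("ascii")
    raw[8:11] = ext3.ljust(3).encode("ascii")
    raw[11] = attr
    if deleted:
        raw[0] = DELETED_MARKER
    struct.pack_into("<H", raw, 20, start >> 16)
    struct.pack_into("<HI", raw, 26, start & 0xFFFF, size)
    return bytes(raw)


# Constructed FAT32 table, index = cluster number (0 and 1 are reserved):
#   REPORT.DOC: 2 -> 3 -> 7 (fragmented)   NOTES.TXT: 4 -> 5 (contiguous)
#   deleted SECRET.XLS started at cluster 6; its chain entry has been zeroed
SAMPLE_FAT = [0x0FFFFFF8, 0x0FFFFFFF, 3, 7, 5, 0x0FFFFFFF, 0, 0x0FFFFFFF]
SAMPLE_DIR = [
    make_entry("REPORT", "DOC", 0x20, 2, 10000),
    make_entry("NOTES", "TXT", 0x20, 4, 5000),
    make_entry("SECRET", "XLS", 0x20, 6, 3000, deleted=True),
]

if __name__ == "__main__":
    for raw in SAMPLE_DIR:
        e = parse_dir_entry(raw)
        chain = follow_chain(SAMPLE_FAT, e["start_cluster"])
        state = "DELETED" if e["deleted"] else ("fragmented" if is_fragmented(chain) else "contiguous")
        print("%-12s start %d size %5d chain %s [%s]" % (e["name"], e["start_cluster"], e["size"], chain, state))
```

The deleted entry illustrates the recovery limit the slide implies: the FAT no longer says where cluster 6 led, so a recovery tool can only assume the file was contiguous and read `ceil(size / cluster_size)` clusters from the start; a fragmented deleted file needs carving beyond that.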
Videos on FAT and NTFS file systems

• https://www.youtube.com/watch?v=_h30HBYxtws
• https://www.youtube.com/watch?v=TLKZEU1DZ9c

Examining NTFS Disks (1 of 3)

• NT File System (NTFS)
  - Introduced with Windows NT
  - Primary file system for Windows 10
• Improvements over FAT file systems
  - Including security features, file ownership and other attributes
  - NTFS provides more information about a file
  - NTFS gives more control over files and folders
• NTFS was Microsoft's move toward a journaling file system
  - It keeps track of transactions such as saving or deleting a file
  - It records a transaction before the system carries it out

Examining NTFS Disks (2 of 3)

In NTFS, everything written to the disk is considered a file

On an NTFS disk
• The first data set is the Partition Boot Sector
• Next is the Master File Table (MFT)
• The MFT is similar in purpose to the FAT and is created when the partition is formatted as NTFS

Clusters are smaller for smaller disk drives (see the next slides comparing FAT and NTFS disks)

NTFS also uses Unicode (a representation of characters as numeric codes)
• An international character set that is different from ASCII
• Has 8-, 16- and 32-bit encodings, known as UTF-8 (Unicode Transformation Format), UTF-16 and UTF-32; NTFS stores file names in UTF-16
• UTF-8 is backward compatible with ASCII: the first 128 code points are encoded as the same single bytes, so ASCII text is valid UTF-8, but characters outside ASCII take 2 to 4 bytes
• Because NTFS normally uses smaller clusters than FAT, it leaves less file slack space
• Knowing which encoding is in use matters to investigators: a keyword search for the ASCII string "evidence" will not match the UTF-16 file-name bytes in the MFT (each letter followed by a 0x00 byte) unless the tool also searches Unicode
• To learn the difference between ASCII and Unicode/UTF, see http://www.differencebetween.net/technology/software-technology/difference-between-unicode-and-ascii/

ASCII character representation

Examining NTFS Disks (3 of 3): NTFS vs FAT Disks

NTFS System Files (1 of 3)

• Since everything on NTFS is a file, the MFT contains information about all files on the disk, including the system files the OS uses
• In the MFT, the first 16 records (entries 0 through 15, such as $MFT, $MFTMirr, $LogFile, $Volume, $AttrDef, $Bitmap and $Boot) are reserved for system files
• The records in the MFT are metadata: data about files rather than the files' contents

NTFS System Files (2 of 3)

NTFS System Files (3 of 3)

MFT and File Attributes (1 of 9)

• In NTFS
  - All files and folders are stored in separate records of 1024 bytes each
  - Each record contains file or folder information
  - This information is divided into record fields containing metadata
  - Each record field is an attribute, identified by an attribute type ID (for example 0x10 $STANDARD_INFORMATION, 0x30 $FILE_NAME, 0x80 $DATA)
• File or folder information is stored in one of two ways in an MFT record:
  - Resident and nonresident

MFT and File Attributes (2 of 9)

Figure: the MFT holds one 1024-byte record per file and folder. Each record contains the metadata of the file or folder and either the file's data itself or links (data runs) to where the data is stored.

MFT and File Attributes (3 of 9)

• File and folder information is stored in one of two ways in MFT records: resident and nonresident
• File data and metadata of roughly 512 bytes or less fit inside the MFT record (resident)
• File data larger than that is stored outside the MFT, in clusters on the partition (nonresident)
• For nonresident data, the MFT record holds the cluster addresses where the file is stored on the drive's partition; these address entries are called data runs
• Each attribute starts with a header that identifies it as resident or nonresident (the nonresident flag byte at offset 0x08 of the attribute)

MFT and File Attributes (4 of 9)

MFT and File Attributes (5 of 9)

MFT and File Attributes (6 of 9)

• When a disk is formatted as NTFS
  - The OS assigns logical clusters to the entire disk partition
  - These clusters are identified by logical cluster numbers (LCNs)
  - LCNs are the addresses that allow the MFT to link to nonresident file data on the partition
• When data is first written to a nonresident file, an LCN address is assigned to the file and recorded in its data run
  - Within the file, clusters are counted from 0 by virtual cluster number (VCN); the data runs map each VCN range to the LCN where it actually lives, so VCN 0 is the file's first cluster and its LCN is the first run's starting address

MFT and File Attributes (7 of 9)

MFT and File Attributes (8 of 9)

MFT Structures for File Data (1 of 7)

MFT Header
• When you view an MFT record in a hexadecimal editor, multi-byte values are stored in little-endian format: the least significant byte comes first, so you read a value's bytes from right to left. For example:
  - The hexadecimal value 0x400 is displayed as 00 04 00 00
  - The hexadecimal value 0x40000 is displayed as 00 00 04 00
• The first section of an MFT record is the header, which gives the size of the record and the starting position of the first attribute
• Following the header are the attributes, which differ with the kind of file, such as application files or data files
• The following slides explain how data files are laid out

MFT Structures for File Data (1 of 7, continued)

MFT Header
• For the header of all MFT records, the record fields of interest are as follows:
  - At offset 0x00: the 4-byte record signature FILE (a record that failed its consistency check is marked BAAD instead)
  - At offset 0x14 (2 bytes): the offset of the first attribute, which is where the header ends
  - At offset 0x16 (2 bytes): flags; bit 0 set means the record is in use, bit 1 set means it is a directory
  - At offset 0x18 to 0x1B: the number of bytes actually used in the record
  - At offset 0x1C to 0x1F: the allocated size of the MFT record (normally 1024)
  - At offset 0x30 (2 bytes): the update sequence number, followed at offset 0x32 and 0x33 by the update sequence array, which stores the original last 2 bytes of the first sector of the record (the original last 2 bytes of the second sector follow at 0x34 and 0x35). On disk those sector-ending bytes are replaced with the update sequence number so that a torn write can be detected; restore them from the array before interpreting the record

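The header fields above, as an added example that is not part of the textbook: it checks the FILE signature, decodes the header fields at their little-endian offsets, undoes the update-sequence substitution in the last two bytes of each sector (refusing a torn record), and then walks the attribute headers to the 0xFFFFFFFF end marker. The offsets and attribute type IDs are the real NTFS layout; the 1024-byte record built by `build_sample_record`, its saved sector tails (11 22 / 33 44) and the function names are constructed for the example.

```python
import struct

# Added example (not from the textbook): decode the MFT record header fields
# listed above, undo the update-sequence (fixup) protection, and walk the
# attribute headers that follow. The 1,024-byte record is constructed.

SECTOR_SIZE = 512
HEADER_FORMAT = "<HHQHHHHII"   # fields from offset 0x04 to 0x1F, little-endian
END_OF_ATTRIBUTES = 0xFFFFFFFF
ATTR_NAMES = {
    0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
    0x50: "$SECURITY_DESCRIPTOR", 0x80: "$DATA", 0x90: "$INDEX_ROOT",
    0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP",
}


def parse_mft_header(record: bytes) -> dict:
    """Decode the fixed header of a FILE record (offsets 0x00-0x1F)."""
    if record[0:4] != b"FILE":
        raise ValueError("not an MFT record: signature %r (BAAD marks a bad record)" % record[0:4])
    (usa_offset, usa_count, lsn, sequence, links, first_attr_offset,
     flags, used_size, allocated_size) = struct.unpack_from(HEADER_FORMAT, record, 4)
    return {
        "usa_offset": usa_offset,                # 0x04: where the update sequence number lives (usually 0x30)
        "usa_count": usa_count,                  # 0x06: USN plus one saved word per sector
        "lsn": lsn,                              # 0x08: $LogFile sequence number
        "sequence": sequence,                    # 0x10: bumped each time the record is reused
        "hard_links": links,                     # 0x12
        "first_attr_offset": first_attr_offset,  # 0x14: where the first attribute starts
        "in_use": bool(flags & 0x01),            # 0x16: bit 0 = in use, bit 1 = directory
        "is_directory": bool(flags & 0x02),
        "used_size": used_size,                  # 0x18
        "allocated_size": allocated_size,        # 0x1C: normally 1024
    }


def apply_fixups(record: bytes) -> bytes:
    """Restore the last two bytes of each sector from the update sequence array.

    NTFS overwrites the final two bytes of every sector with the update sequence
    number (USN) and keeps the originals in the array after the USN. A sector
    whose tail does not match the USN was not fully written (a torn write).
    """
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_offset:usa_offset + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):                 # entry 0 is the USN itself
        end = i * SECTOR_SIZE
        if fixed[end - 2:end] != usn:
            raise ValueError("torn write: sector %d does not carry USN %s" % (i - 1, usn.hex()))
        saved = usa_offset + 2 * i                # 0x32 for sector 0, 0x34 for sector 1
        fixed[end - 2:end] = record[saved:saved + 2]
    return bytes(fixed)


def walk_attributes(record: bytes) -> list:
    """List the attributes of a fixup-applied record up to the 0xFFFFFFFF end marker."""
    off = parse_mft_header(record)["first_attr_offset"]
    attrs = []
    while off + 8 <= len(record):
        atype, length = struct.unpack_from("<II", record, off)
        if atype == END_OF_ATTRIBUTES:
            break
        if length < 16 or off + length > len(record):
            raise ValueError("corrupt attribute length at 0x%X" % off)
        attrs.append({"type": atype, "name": ATTR_NAMES.get(atype, "0x%X" % atype),
                      "offset": off, "length": length,
                      "resident": record[off + 8] == 0})   # non-resident flag byte
        off += length
    return attrs


def build_sample_record() -> bytes:
    """Constructed 1,024-byte record with 0x10, 0x30 and a non-resident 0x80 attribute."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into(HEADER_FORMAT, rec, 4, 0x30, 3, 0, 5, 1, 0x38, 0x01, 0, 1024)
    off = 0x38
    for atype, length, nonres in ((0x10, 0x60, 0), (0x30, 0x68, 0), (0x80, 0x48, 1)):
        struct.pack_into("<IIBBHHH", rec, off, atype, length, nonres, 0, 0x18, 0, 0)
        off += length
    struct.pack_into("<I", rec, off, END_OF_ATTRIBUTES)
    struct.pack_into("<I", rec, 0x18, off + 8)                   # used size
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn                                         # update sequence number
    rec[0x32:0x34], rec[0x34:0x36] = b"\x11\x22", b"\x33\x44"   # saved sector tails
    rec[510:512] = rec[1022:1024] = usn                          # on-disk sector tails
    return bytes(rec)


if __name__ == "__main__":
    rec = apply_fixups(build_sample_record())
    print(parse_mft_header(rec))
    for a in walk_attributes(rec):
        print("0x%02X %-22s at 0x%03X len 0x%02X %s" % (
            a["type"], a["name"], a["offset"], a["length"],
            "resident" if a["resident"] else "non-resident"))
```

Applying the fixups first matters in practice: an attribute that straddles the 512-byte boundary of the record would otherwise have two bytes of the USN in the middle of its data, and a mismatch is itself evidence that the record was being written when the system stopped.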
MFT Structures for File Data (2 of 7)
Header of all MFT records

MFT Structures for File Data (3 of 7)
Attribute 0x10 ($STANDARD_INFORMATION) is the first attribute in the record; it holds the file's created, modified, MFT-changed and accessed timestamps and its DOS attribute flags

MFT Structures for File Data (4 of 7)

Attribute 0x30 ($FILE_NAME)
• A file whose name has eight or fewer characters (fitting the DOS 8.3 format) has one 0x30 attribute in its MFT record
• A file whose name has more than eight characters has two 0x30 attributes: one holding the long name and one holding the generated 8.3 short name (when short-name generation is enabled, which is the default)

MFT Structures for File Data (5 of 7)
Attribute 0x50 ($SECURITY_DESCRIPTOR) contains the file ownership and access control information. On NTFS 3.0 and later the descriptor usually lives in the $Secure system file instead, and the record carries only a security ID in its 0x10 attribute

MFT Structures for File Data (6 of 7)
Attribute 0x80 ($DATA): its header gives the size of the attribute and, for a nonresident file, the offset at which the data runs start

MFT Structures for File Data (7 of 7)
Attribute 0x80 for a nonresident file

Interpreting a data run

• For a nonresident attribute 0x80, the first data run starts at offset 0x40 from the start of the attribute (the nonresident attribute header is 0x40 bytes long; the exact offset is stored in the header's data-run offset field)
• A data run has three components:
  - First component: one header byte. Its low nibble gives the number of bytes used for the second component and its high nibble gives the number of bytes used for the third component
  - Second component: the number of clusters assigned to the data run
  - Third component: the starting cluster address of the run. In the first run this is the absolute LCN; in each later run it is a signed offset relative to the previous run's starting LCN, so a fragmented file produces a sequence of runs. A run list ends with a 0x00 header byte
• LCN (logical cluster number): the cluster's address within the entire disk partition
• VCN (virtual cluster number): the cluster's position within the file (0 for the first cluster of the $DATA attribute); the data runs map VCN ranges to LCNs

Interpreting a data run: worked example

Figure: a) multiple data runs; b) data run components

Example run bytes: 32 B1 07 8C 8C 00
• 0x32 is the first component (the header byte)
  - Low nibble 2: the next 2 bytes hold the number of clusters assigned to the data run
  - High nibble 3: the following 3 bytes hold the starting cluster address (VCN 0 of the file)
• B1 07 is the second component; read little-endian it is 0x07B1 = 1969 clusters
• 8C 8C 00 is the third component; read little-endian it is 0x008C8C = 35980, the LCN where the file's first data run begins

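The decoding rule above, as an added example that is not part of the textbook. It reproduces the slide's single run (32 B1 07 8C 8C 00 gives 1969 clusters starting at LCN 35980) and goes beyond it to the general run list: later runs carry a signed offset relative to the previous run's LCN, a zero-length offset field marks a sparse run, and a 0x00 header ends the list. `SAMPLE_RUNS` is the textbook's run followed by two runs invented for the example; the function names are the author's own.

```python
# Added example (not from the textbook): decode an NTFS data-run list such as
# the "32 B1 07 8C 8C 00" run above, including the later runs (signed
# relative offsets) and sparse runs that the single-run slide does not show.
# SAMPLE_RUNS is constructed: the textbook's run followed by two invented ones.


def decode_data_runs(buf: bytes, start: int = 0) -> list:
    """Decode a data-run list beginning at buf[start].

    Each run: header byte (low nibble = bytes in the length field, high nibble
    = bytes in the offset field), then the cluster count (unsigned LE), then
    the offset (signed LE, relative to the previous run's LCN). A header of
    0x00 ends the list; an offset field of 0 bytes means a sparse run.
    Returns [(vcn, lcn, cluster_count), ...] with lcn None for sparse runs.
    """
    runs, pos, vcn, lcn = [], start, 0, 0
    while pos < len(buf):
        header = buf[pos]
        if header == 0:
            break
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(buf):
            raise ValueError("malformed data run at offset 0x%X" % (pos - 1))
        count = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, None, count))          # sparse: no clusters on disk
        else:
            delta = int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta                             # first run: absolute LCN (lcn starts at 0)
            runs.append((vcn, lcn, count))
        vcn += count
    return runs


def vcn_to_lcn(runs: list, vcn: int):
    """Map a cluster position within the file to its on-disk cluster (None if sparse)."""
    for run_vcn, lcn, count in runs:
        if run_vcn <= vcn < run_vcn + count:
            return None if lcn is None else lcn + (vcn - run_vcn)
    raise ValueError("VCN %d is beyond the end of the attribute" % vcn)


def run_byte_offset(lcn: int, cluster_size: int = 4096, partition_offset: int = 0) -> int:
    """Byte offset of a cluster from the start of the image (for a hex editor)."""
    return partition_offset + lcn * cluster_size


# Textbook run (1969 clusters at LCN 35980), then a run 16 clusters long
# placed 16 clusters *before* it (offset bytes F0 FF FF = -16), then a
# 5-cluster sparse run, then the 0x00 terminator.
SAMPLE_RUNS = bytes.fromhex("32 B1 07 8C 8C 00  31 10 F0 FF FF  01 05  00")

if __name__ == "__main__":
    for vcn, lcn, count in decode_data_runs(SAMPLE_RUNS):
        where = "sparse" if lcn is None else "LCN %d (byte 0x%X)" % (lcn, run_byte_offset(lcn))
        print("VCN %4d: %4d clusters at %s" % (vcn, count, where))
```

With a 4 KB cluster size the first run covers 1969 * 4096 bytes, so VCN 1968 is the last cluster of the first fragment and VCN 1969 jumps backwards on disk; that is what fragmentation looks like in the MFT.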
NTFS Alternate Data Streams (1 of 2)

• Alternate data streams
  - Ways data can be appended to existing files
  - Can obscure valuable evidentiary data, intentionally or by coincidence
• In NTFS, an alternate data stream is an additional named $DATA attribute in the file's MFT record
  - Allows the file to be associated with different applications
• Windows Explorer and a plain dir listing do not show streams and the file size they report excludes them; you can tell a file has a data stream attached by examining that file's MFT entry, or on Windows Vista and later with dir /r or PowerShell's Get-Item -Stream *

NTFS Alternate Data Streams (2 of 2)

NTFS Compressed Files

• NTFS provides compression similar to FAT DriveSpace 3 (a Windows 98 compression utility)
• With NTFS, files, folders, or entire volumes can be compressed
• Most computer forensics tools can uncompress and analyze compressed Windows data

NTFS Encrypting File System (EFS)

• Encrypting File System (EFS)
  - Introduced with Windows 2000
  - Encrypts files and folders on NTFS volumes (protecting an entire volume is the job of whole disk encryption such as BitLocker, covered later)
  - Uses a public key and private key method: each file is encrypted with a random symmetric file encryption key (FEK), and the FEK is in turn encrypted with the user's public key and stored in the file's metadata, so only the holder of the matching private key can unwrap it
  - The user's key pair and certificate are stored in the user's profile; if no enterprise certification authority is available, Windows issues a self-signed EFS certificate
• When EFS is used in Windows 2000 and later
  - A recovery certificate can be generated for a data recovery agent (by default the local Administrator account on Windows 2000, or a designated domain account); its key can also unwrap the FEK, which is needed when there is a problem with the user's private key
• Users can apply EFS to files stored on their local workstations or on a remote server

EFS Recovery Key Agent

• The Recovery Key Agent implements the recovery certificate, which is held by the Windows administrator (recovery agent) account
• Windows administrators can recover a key in two ways: through the Windows GUI or from a command prompt
• Commands:
  - cipher (works on NTFS; Windows 2000 Professional and later)
  - copy (works on FAT and NTFS)
• For information on how to use these commands:
  - cipher /? lists all options
  - cipher /r:filename generates a recovery agent key pair and certificate
  - cipher /x:filename backs up the current user's EFS certificate and private key
  - cipher /d filename decrypts a file and cipher /e filename encrypts it
  - Caveat: cipher /w:driveletter:\foldername does not recover anything. It overwrites the deallocated space on that volume, which destroys recoverable deleted data; never run it on evidence media

Deleting NTFS Files

• When a file is deleted in Windows NT and later
  - The OS renames it and moves it to the Recycle Bin
• Deleting with the del (delete) MS-DOS command bypasses the Recycle Bin
  - The file's MFT record is marked unused, in the same way FAT marks its
    directory entry; the data clusters are not wiped, so the content remains
    recoverable until they are reallocated
• Please refer to the textbook (pages 233-234) for the steps to delete a file
  or folder in Windows or File Explorer.
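Worked example, added by the editor and not taken from the textbook or these slides: what the Recycle Bin actually records when Windows "renames and moves" a file. On Vista and later each deleted file becomes a $R<id> file (the content) plus a $I<id> record (metadata) under $Recycle.Bin\<user SID>\. The parser below reads the $I record: an 8-byte version, the original size, the deletion time as a Windows FILETIME, and the original path (version 1: a fixed 260-character UTF-16 field; version 2, used by newer Windows 10 builds: a length-prefixed string). The sample records are constructed inside the block, not captured from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def parse_recycle_index(data: bytes) -> dict:
    """Parse one $I<id> record; the matching $R<id> file holds the original content."""
    if len(data) < 24:
        raise ValueError("truncated $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                        # Vista through early Windows 10: fixed 260 UTF-16 code units
        raw = data[24:24 + 520]
    elif version == 2:                      # newer Windows 10 builds: DWORD length (code units, incl. NUL) + path
        (n_chars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * n_chars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def build_sample_index(version: int, path: str, size: int, deleted_ft: int) -> bytes:
    """Constructed $I record for testing; not captured from a real Recycle Bin."""
    enc = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        body = enc.ljust(520, b"\x00")      # fixed-size field, NUL padded
    elif version == 2:
        body = struct.pack("<I", len(enc) // 2) + enc
    else:
        raise ValueError(version)
    return struct.pack("<QQQ", version, size, deleted_ft) + body


if __name__ == "__main__":
    # Constructed sample: a document deleted on a hypothetical date.
    when = datetime_to_filetime(datetime(2019, 3, 14, 15, 9, 26, tzinfo=timezone.utc))
    record = build_sample_index(2, r"C:\Users\suspect\Documents\plan.docx", 48213, when)
    print(parse_recycle_index(record))
```

A del from a command prompt never produces these records, which is why a Recycle Bin that is empty of $I files does not by itself prove that nothing was deleted.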


Resilient File System

• Resilient File System (ReFS) - designed to address very large data storage
  needs
  - Such as the cloud
• Features incorporated into ReFS's design:
  - Maximized data availability
  - Improved data integrity
  - Designed for scalability
• ReFS uses disk structures similar to the MFT in NTFS

Understanding Whole Disk Encryption (1 of 3)

• In recent years, there has been more concern about loss of
  - Personally identifiable information (PII) and trade secrets caused by
    computer theft
• Of particular concern is the theft of laptop computers and handheld devices
• To help prevent loss of information, software vendors now provide whole
  disk encryption

Understanding Whole Disk Encryption (2 of 3)

• Current whole disk encryption tools offer the following features:
  - Pre-boot authentication
  - Full or partial disk encryption with secure hibernation
  - Advanced encryption algorithms
  - Key management function

Understanding Whole Disk Encryption (3 of 3)

• Whole disk encryption tools encrypt each sector of a drive separately
  - Modern tools (for example XTS-AES in recent BitLocker versions) mix the
    sector number into the encryption, so identical plaintext sectors do not
    produce identical ciphertext
• Many of these tools encrypt the drive's boot sector
  - To prevent any efforts to bypass the secured drive's partition
  - BitLocker is an exception: its volume boot record stays in plaintext and
    carries the OEM ID -FVE-FS-, which identifies the volume as BitLocker
• To examine an encrypted drive, decrypt it first
  - Image the drive in its encrypted state and decrypt a working copy of the
    image; do not decrypt the original evidence drive in place
  - Run a vendor-specific program to decrypt the drive
  - Many vendors use a bootable CD or USB drive that prompts for a one-time
    passphrase
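Worked example, added by the editor (not from the textbook or any vendor's tool): the check an examiner runs before deciding whether a volume must be decrypted at all. The first function classifies a volume boot record by its OEM ID (NTFS, FAT, or the -FVE-FS- marker that BitLocker writes on Windows 7 and later) and confirms the 0x55AA boot signature; the second measures the Shannon entropy of a sector, since encrypted sectors are indistinguishable from random data. The sample sectors are constructed in the block, and the 7.0 bits-per-byte threshold is an assumed heuristic that also fires on compressed data, so it rules encryption out more reliably than it rules it in.

```python
import math
import random
from collections import Counter

BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR or volume boot record


def identify_volume(vbr: bytes) -> dict:
    """Classify a volume boot record (first 512 bytes of a partition) by its OEM ID."""
    if len(vbr) < 512:
        raise ValueError("need at least one 512-byte sector")
    oem = vbr[3:11]
    if oem == b"-FVE-FS-":                  # BitLocker (Windows 7 and later) replaces the NTFS OEM ID
        kind = "bitlocker"
    elif oem == b"NTFS    ":
        kind = "ntfs"
    elif vbr[0x52:0x5A] == b"FAT32   ":      # FAT32 file system type string in the extended BPB
        kind = "fat32"
    elif vbr[0x36:0x3E] in (b"FAT12   ", b"FAT16   ", b"FAT     "):
        kind = "fat12/16"
    else:
        kind = "unknown"
    return {
        "type": kind,
        "oem_id": oem,
        "boot_signature": vbr[510:512] == BOOT_SIGNATURE,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; ciphertext and compressed data sit close to 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(sector: bytes, threshold: float = 7.0) -> bool:
    """Heuristic only (assumed threshold): high entropy = encrypted OR compressed."""
    return shannon_entropy(sector) >= threshold


def _vbr(jump: bytes, oem: bytes) -> bytes:
    """Constructed boot record: only the fields the checks read are populated."""
    return (jump + oem).ljust(510, b"\x00") + BOOT_SIGNATURE


# Constructed samples, not captured from real disks.
SAMPLE_NTFS_VBR = _vbr(b"\xEB\x52\x90", b"NTFS    ")
SAMPLE_BITLOCKER_VBR = _vbr(b"\xEB\x58\x90", b"-FVE-FS-")
_rng = random.Random(2019)                  # seeded so the sample is reproducible
SAMPLE_ENCRYPTED_SECTOR = bytes(_rng.getrandbits(8) for _ in range(512))  # stands in for ciphertext


if __name__ == "__main__":
    for label, sector in (("ntfs", SAMPLE_NTFS_VBR), ("bitlocker", SAMPLE_BITLOCKER_VBR)):
        print(label, identify_volume(sector), round(shannon_entropy(sector), 2))
    print("random-looking sector:", round(shannon_entropy(SAMPLE_ENCRYPTED_SECTOR), 2),
          "encrypted?", looks_encrypted(SAMPLE_ENCRYPTED_SECTOR))
```

On a real image, feed identify_volume the first sector of each partition listed in the MBR or GPT, and run the entropy check on a spread of data sectors rather than on the boot record, which is plaintext for BitLocker.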
Examining Microsoft BitLocker

• MS utility for protecting drive data
  - Available in Vista Enterprise/Ultimate; Windows 7, 8, and 10
    Professional/Enterprise; and Server 2008 and later
• BitLocker hardware and software requirements
  - A computer capable of running Windows Vista or later
  - The TPM microchip, version 1.2 or newer (a TPM-less mode using a USB
    startup key or a password can be enabled through Group Policy)
  - A computer BIOS compliant with Trusted Computing Group (TCG)
  - Two NTFS partitions (an unencrypted system partition holding the boot
    files, and the OS partition that gets encrypted)
  - The BIOS configured so that the hard drive boots first before checking
    other bootable peripherals
• For an examiner, the 48-digit recovery password (or the recovery key file)
  unlocks the volume without the TPM; it may be escrowed in Active Directory
  or the user's Microsoft account, or printed or saved by the user

Examining Third-Party Disk Encryption Tools

• Some available third-party WDE utilities:
  - Endpoint Encryption
  - Voltage SecureFile
  - Jetico BestCrypt Volume Encryption

Understanding the Windows Registry

• Registry
  - A database that stores hardware and software configuration information,
    network connections, user preferences, and setup information
  - For investigation purposes, the Registry can contain valuable evidence
• To view the Registry, you can use:
  - Regedit (Registry Editor) for Windows 9x systems
  - Regedt32 for Windows 2000, XP, and Vista (from XP on, Regedt32.exe
    simply launches Regedit)
  - Both utilities can be used for Windows 7 and 8
• The Registry Editor can be used to locate entries that hold trace evidence,
  such as the last user who logged on to the computer
• The Registry is also useful for determining the most recently accessed
  files, attached peripheral devices, and newly installed programs

Understanding the Windows Registry

• The Registry contains information used by Windows and your programs. The
  Registry helps the operating system manage the computer, it helps programs
  use the computer's resources, and it provides a location for keeping
  custom settings you make in both Windows and your programs.
• For example, when you change the Windows desktop, the changes are stored
  in the Registry. When you see a list of recently opened files, that list is
  stored in the Registry. Changes you make to the status bar in Word are kept
  in the Registry, too.
• The Registry is essentially a database. Its information is stored on disk
  for the most part, though dynamic information also exists in the
  computer's memory.
• All the information is organized by using a structure similar to folders
  in the file storage system.

Exploring the Organization of the Windows Registry (1 of 6)

• Registry terminology:
  - Registry: a database that contains system and user information
  - Registry Editor: a Windows utility for viewing and modifying Registry data
  - HKEY: Windows splits the Registry into top-level categories whose names
    begin with HKEY_. Windows 95 has six; Windows 2000 and later have five
  - Key: each HKEY contains folders referred to as keys. A key can contain
    other keys (folders) or values
  - Subkey: a key displayed under another key, like a subfolder in Windows
  - Branch: a key and its contents, including subkeys, make up a branch
  - Value: a name and its data stored in a key, similar to a file and its
    contents
  - Default value: every key has a default value, which may or may not
    contain data
  - Hives: specific branches in HKEY_USERS and HKEY_LOCAL_MACHINE, each
    stored in its own file on disk. These files hold the branches for
    security and user account information

Exploring the Organization of the Windows Registry (2 of 6)

• The number of Registry files depends on the Windows version
  - Windows 95/ME uses two files, User.dat and System.dat
  - Windows NT and later use six hive files: Default, SAM, Security,
    Software, and System (in %SystemRoot%\System32\config, with no file
    extension) and Ntuser.dat (in each user's profile folder)
  - Vista and later also keep transaction logs (.LOG1 and .LOG2) beside each
    hive; copy them with the hive, because a hive taken from a running
    system may have recent changes that exist only in the logs
• During a forensic examination, an investigator examines the Registry data
  from a suspect drive after the acquisition process, so you need to know
  the location of these files
• Certain forensics tools can view the Registry files
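Worked example, added by the editor and not part of the textbook or these slides: a minimal reader for the on-disk hive format (signature "regf") that the files listed above share. It parses the 4 KiB base block, recomputes the header checksum, flags a "dirty" hive whose two sequence numbers disagree (changes pending in the transaction logs), and then decodes the root key cell: its name and the last-write FILETIME that forensic tools report for every key. Field offsets follow the documented regf and nk layouts; the hive bytes themselves are constructed inside the block (a single root key named ROOT in a file called SAMPLE.DAT), not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HBIN_BASE = 0x1000          # cell offsets are relative to the first hbin, right after the base block
NK_HEADER = "<2sHQ15IHH"    # nk record: signature, flags, last-write FILETIME, 15 DWORDs, name len, class len


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def base_block_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs preceding the checksum field at 0x1FC (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)


def parse_base_block(hive: bytes) -> dict:
    """Read the regf base block; report a dirty hive and a corrupt header."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    seq1, seq2, ts, major, minor, ftype, fmt, root_off = struct.unpack_from("<IIQIIIII", hive, 4)
    name = hive[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    (stored,) = struct.unpack_from("<I", hive, 0x1FC)
    return {
        "file_name": name,
        "version": f"{major}.{minor}",
        "last_write": filetime_to_datetime(ts),
        "root_cell_offset": root_off,
        "dirty": seq1 != seq2,                  # replay .LOG1/.LOG2 before trusting the contents
        "checksum_ok": stored == base_block_checksum(hive),
    }


def parse_nk(hive: bytes, cell_offset: int) -> dict:
    """Parse a key (nk) cell; its timestamp is the key's last-write time."""
    pos = HBIN_BASE + cell_offset
    (cell_size,) = struct.unpack_from("<i", hive, pos)
    if cell_size >= 0:
        raise ValueError("cell is unallocated")  # positive size = free cell (possibly a deleted key)
    f = struct.unpack_from(NK_HEADER, hive, pos + 4)
    if f[0] != b"nk":
        raise ValueError("not an nk record")
    flags, ts, n_subkeys, n_values, name_len = f[1], f[2], f[5], f[9], f[18]
    raw = hive[pos + 4 + 0x4C:pos + 4 + 0x4C + name_len]
    name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")  # KEY_COMP_NAME -> 8-bit name
    return {"name": name, "last_write": filetime_to_datetime(ts),
            "subkeys": n_subkeys, "values": n_values}


def build_sample_hive(last_write_ft: int, dirty: bool = False) -> bytes:
    """Constructed minimal hive: base block + one hbin holding only the root key. Not a real Windows hive."""
    name = b"ROOT"
    nk = struct.pack(NK_HEADER, b"nk", 0x2C, last_write_ft,
                     0, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0xFFFFFFFF,
                     0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, len(name), 0) + name
    cell_len = (4 + len(nk) + 7) & ~7                      # cells are 8-byte aligned
    cell = struct.pack("<i", -cell_len) + nk.ljust(cell_len - 4, b"\x00")
    hbin = b"hbin" + struct.pack("<II", 0, 0x1000) + bytes(8) + struct.pack("<Q", last_write_ft) + bytes(4)
    root_off = len(hbin)                                   # first cell follows the 32-byte hbin header
    hbin = (hbin + cell).ljust(0x1000, b"\x00")
    bb = bytearray(0x1000)
    bb[:4] = b"regf"
    seq = 7
    struct.pack_into("<IIQIIIII", bb, 4, seq, seq - 1 if dirty else seq, last_write_ft, 1, 5, 0, 1, root_off)
    struct.pack_into("<I", bb, 0x28, len(hbin))
    bb[0x30:0x30 + 20] = "SAMPLE.DAT".encode("utf-16-le")
    struct.pack_into("<I", bb, 0x1FC, base_block_checksum(bb))
    return bytes(bb) + hbin


if __name__ == "__main__":
    ft = datetime_to_filetime(datetime(2019, 3, 14, 15, 9, 26, tzinfo=timezone.utc))
    hive = build_sample_hive(ft)
    info = parse_base_block(hive)
    print(info)
    print(parse_nk(hive, info["root_cell_offset"]))
```

To apply this to an acquired hive, read the file with open(path, "rb") and pass the bytes to parse_base_block; a dirty flag or a failed checksum means the copy should be re-examined (or its logs replayed) before any key timestamps are cited as evidence.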
Exploring the Organization of the Windows Registry (3 of 6)

Exploring the Organization of the Windows Registry (4 of 6)

Exploring the Organization of the Windows Registry (5 of 6)

Exploring the Organization of the Windows Registry (6 of 6)

Examining the Windows Registry (1 of 2)

• Tools with built-in or add-on Registry viewers:
  - X-Ways Forensics
  - OSForensics
  - Forensic Explorer
  - FTK

Examining the Windows Registry (2 of 2)

Understanding Microsoft Startup Tasks

• Learn what files are accessed when Windows starts
• This information helps you determine when a suspect's computer was last
  accessed
  - Important with computers that might have been used after an incident
    was reported

Startup in Windows 7, Windows 8 and Windows 10

• Windows 8 and 10 are multiplatform OSs
  - Can run on desktops, laptops, tablets, and smartphones
• The boot process uses a boot configuration data (BCD) store
  - The BCD store holds the boot entries and loader settings that Windows
    Boot Manager (bootmgr) reads to start the system's bootstrap process
• Press F8 or F12 when the system starts to access the Advanced Boot Options
  - On Windows 8 and 10 the window for F8 is usually too short to catch; use
    Shift+Restart from the sign-in screen, or restore the legacy menu with
    bcdedit /set {default} bootmenupolicy legacy
Startup in Windows NT and Later (1 of 5)

• All Windows NT-based computers perform the following steps when the
  computer is turned on:
  - Power-on Self Test (POST)
  - Initial startup
  - Boot loader
  - Hardware detection and configuration
  - Kernel loading
  - User logon

Startup in Windows NT and Later (2 of 5)

• Startup files for Windows Vista:
  - With Vista, Microsoft updated the boot process to support Extensible
    Firmware Interface (EFI) as well as BIOS systems
  - The Ntldr program that Windows XP used to load the OS was replaced with
    three boot utilities:
    - Bootmgr.exe: the Boot Manager, which allows booting multiple OSs
    - Winload.exe: loads the kernel and the hardware abstraction layer (HAL)
      and loads the boot-start drivers into memory
    - Winresume.exe: resumes the OS from hibernation (hiberfil.sys)
  - Windows Vista includes the BCD editor (bcdedit) for modifying boot
    options and updating the BCD store, a file kept in registry hive format
  - The BCD store replaces the Windows XP Boot.ini file

Startup in Windows NT and Later (3 of 5)

• Startup files for Windows XP:
  - NT Loader (Ntldr): loads the OS
  - When the system is powered on, Ntldr reads the Boot.ini file, which
    defines the boot menu. After the OS to boot is selected, Ntoskrnl.exe
    loads Bootvid.dll and Hal.dll and starts the device drivers
  - If the computer can boot multiple OSs, Ntldr uses the Bootsect.dos file
    to start a non-NT OS such as MS-DOS or Windows 9x
  - The Ntdetect.com file queries the system for devices and configuration
    data, then passes it to Ntldr
  - Ntdetect.com identifies components such as the CMOS settings, buses,
    disk drives, mouse and other input devices, and parallel ports

Startup in Windows NT and Later (3 of 5)

• Startup files for Windows XP (continued):
  - Ntbootdd.sys: the device driver that lets the OS communicate with SCSI
    or ATA drives that are not handled through the BIOS
  - Ntoskrnl.exe: the Windows XP OS kernel, located in the Windows\System32
    folder
  - Hal.dll: the hardware abstraction layer (HAL) dynamic link library
    (DLL); lets the OS kernel communicate with the computer's hardware
  - Pagefile.sys: the paging (swap) file that extends physical RAM onto
    disk; it can hold fragments of process memory of evidentiary value
  - Device drivers: contain the instructions the OS uses for hardware
    devices such as the keyboard and mouse

Startup in Windows NT and Later (4 of 5)

Startup in Windows NT and Later (5 of 5)

• Contamination concerns with Windows XP
  - When you start a Windows XP NTFS workstation, several files are accessed
    immediately
  - The last access date and time stamps for those files change to the
    current date and time
  - This destroys any potential evidence that shows when a Windows XP
    workstation was last used
  - Never boot a suspect system from its own drive: acquire it through a
    write blocker or from forensic boot media. Vista and later typically do
    not update last-access times, but other startup writes (logs, Registry,
    prefetch) still alter the evidence

Understanding Virtual Machines (1 of 3)

• Virtual machines
  - Enable you to run another OS on an existing physical computer (known as
    the host computer) by emulating a computer's hardware environment
• A virtual machine is just a few files on your hard drive
  - Must allocate space to it
• A virtual machine recognizes components of the physical machine it's
  loaded on
  - Virtual OS is limited by the physical machine's OS

Understanding Virtual Machines (2 of 3)

Understanding Virtual Machines (3 of 3)

• In digital forensics
  - Virtual machines make it possible to restore a suspect drive on your
    virtual machine
  - And run nonstandard software the suspect might have loaded
• From a network forensics standpoint, you need to be aware of some
  potential issues, such as:
  - A virtual machine used to attack another system or network

Creating a Virtual Machine

• Common applications for creating virtual machines
  - VMware Server, VMware Player and VMware Workstation, Oracle VM
    VirtualBox, Microsoft Virtual PC, and Hyper-V
• Using VirtualBox
  - An open-source program (download)
  - Consult with your instructor before doing the activities using VirtualBox

Summary (1 of 3)

• When starting a suspect's computer using boot media, such as forensic boot
  CDs or USB drives, you must ensure that disk evidence isn't altered
• The Master Boot Record (MBR) stores information about partitions on a disk
• Microsoft used FAT12 and FAT16 on older operating systems
• To find a hard disk's capacity, use the cylinders, heads, and sectors (CHS)
  calculation

Summary (2 of 3)

• When files are deleted in a FAT file system, the hexadecimal value 0xE5 is
  inserted as the first character of the filename in the directory entry
• NTFS is more versatile because it uses the Master File Table (MFT) to
  track file information
• Records in the MFT contain attribute IDs that store metadata about files
• In NTFS, alternate data streams can obscure information that might be of
  evidentiary value

Summary (3 of 3)

• File slack, RAM slack, and drive slack are areas in which valuable
  information can reside on a drive
• NTFS can encrypt data with EFS and BitLocker
• NTFS can compress files, folders, or volumes
• The Windows Registry keeps a record of attached hardware, user
  preferences, network connections, and installed software
• Virtualization software enables you to run other OSs on a host computer