5.1: Understanding File Systems

• File System: Gives an OS a road map to data on a disk.

  • The type of file system an OS uses determines how data is stored on the disk.

  • When you need to access a suspect’s computer to acquire or inspect data related to your investigation, you should be familiar with both the computer’s OS and file system so that you can access and modify system settings when necessary.

Understanding the Boot Sequence

• To ensure that you don’t contaminate or alter data on a suspect’s system, you must know how to access and modify Complementary Metal Oxide Semiconductor (CMOS), BIOS, Extensible Firmware Interface (EFI), and Unified Extensible Firmware Interface (UEFI) settings.

• A computer stores system configuration and date and time information in the CMOS when power to the system is off.

• The system BIOS or EFI contains programs that perform input and output at the hardware level.

• BIOS is designed for x86 computers and is typically used on disk drives with Master Boot Records (MBRs).

• EFI is designed for x64 computers and uses GUID Partition Table (GPT)–formatted disks.

• In an effort to reduce the relationship with firmware, Intel developed UEFI, which defines the interface between a computer’s firmware and the OS.

• Bootstrap Process: Tells the computer how to proceed.

Understanding Disk Drives

• Geometry: Refers to a disk’s logical structure of platters, tracks, and sectors.

• Head: The device that reads and writes data to a drive.

• Tracks: Concentric circles on a disk platter where data is located.

• Cylinder: A column of tracks on two or more disk platters.

• Sector: A section on a track, usually made up of 512 bytes.

• Zone Bit Recording (ZBR): It is how most manufacturers deal with a platter’s inner tracks having a smaller circumference (and, therefore, less space to store data) than its outer tracks.

• Track density: The space between each track.

• Areal density: The number of bits in one square inch of a disk platter.

• Head and cylinder skew: Used to improve disk performance.

Solid-State Storage Devices

• Flash memory storage devices used in USB drives, laptops, tablets, and cell phones can be a challenge for digital forensics examiners because if deleted data isn’t recovered immediately, it might be lost forever.

• The reason is a feature all flash memory devices have: wear-leveling.

• When data is deleted on a hard drive, only the references to it are removed, which leaves the original data in unallocated disk space.

• USB drives and other solid-state drive systems are different, in that memory cells shift data at the physical level to other cells that have had fewer reads and write continuously.

• The purpose of shifting data from one memory cell to another is to make sure all memory cells on the flash drive wear evenly.

• Memory cells are designed to perform only 10,000 to 100,000 reads/writes, depending on the manufacturer’s design.

  • When they reach their defined limits, they can no longer retain data.

  • When you attempt to connect to the device, you get an access failure message.

• When data is rotated to another memory cell, the old memory cell addresses are listed in a firmware file called a “garbage collector.”

• When dealing with solid-state devices, making a full forensic copy as soon as possible is crucial in case you need to recover data from unallocated disk space.

5.2: Exploring Microsoft File Structures

• Clusters: Storage allocation units of one or more sectors. It range from 512 bytes up to 32,000 bytes each.

  • Clusters are numbered sequentially, starting at 0 in NTFS and 2 in FAT.

• The first sector of all disks contains a system area, the boot record, and a file structure database.

• Logical Addresses: Cluster numbers.

• Physical Addresses: Sector numbers.

Disk Partitions

• Partition:  A logical drive.

• Partition Gap: The unused space between partitions.

Hexadecimal codes in the partition table

Examining FAT Disks

• File Allocation Table (FAT): The file structure database that Microsoft designed for floppy disks.

  • It’s used to organize files on a disk so that the OS can find the files it needs.

• FAT12: This version is used specifically for floppy disks, so it has a limited amount of storage space.

  • It was originally designed for MS-DOS 1.0, the first Microsoft OS, used for floppy disk drives and drives up to 16 MB.

• FAT16: It supports disk partitions with a maximum storage capacity of 4 GB.

  • Developed by Microsoft to handle larger disks, it is still used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 and Windows NT 3.5 and 4.0.

• FAT32: When disk technology improved and disks larger than 2 GB were developed, Microsoft released FAT32, which can access larger drives.

• exFAT: Developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks.

  • The exFAT file system can store very large files, such as digital images, video, and audio files.

• VFAT: Developed to handle files with more than eight-character filenames and three-character extensions; introduced with Windows 95.

• Drive Slack: Composed of the unused space in a cluster between the end of an active file’s content and the end of the cluster.

  • RAM Slack: The portion of the last sector used in the last assigned cluster.

  • File Slack: The remaining sectors in the last assigned cluster.

• Unallocated Disk Space: The area of the disk where the deleted file resides.

5.3: Examining NTFS Disks

• NT File System (NTFS) was introduced when Microsoft created Windows NT and is still the main file system in Windows 10.

• The NTFS design was partially based on, and incorporated many features from, Microsoft’s project for IBM with the OS/2 operating system; in this OS, the file system was High Performance File System (HPFS).

• NTFS offers substantial improvements over FAT file systems. It provides more information about a file, including security features, file ownership, and other file attributes.

• NTFS was Microsoft’s move toward a journaling file system. The system keeps track of transactions such as file deleting or saving.

• Partition Boot Sector: The first data set on an NTFS disk.

• Master File Table: The first file on an NTFS disk.

  • It is created at the same time a disk partition is formatted as an NTFS volume and usually consumes about 12.5% of the disk when it’s created.

• Unicode: An international data format.

  • It uses an 8-bit (UTF-8), 16-bit (UTF-16) or a 32-bit (UTF-32) configuration.

• For Western-language alphabetic characters, UTF-8 is identical to ASCII.

NTFS System Files

• Metadata: Records in the MFT.

Metadata records in the MFT

MFT and File Attributes

• Attribute ID: A record field.

• File or folder information is typically stored in one of two ways in an MFT record: resident and nonresident.

  • Resident Files: All information stored in the MFT record.

  • Nonresident Files: All information stored outside MFT record.

• Logical Cluster Numbers (LCNs): Are sequentially numbered from the beginning of the disk partition, starting with the value 0.

  • It becomes the addresses that allow the MFT to link to nonresident files on the disk partitions.

• When data is first written to nonresident files, an LCN address is assigned to the file in the attribute 0x80 field of the MFT. This LCN becomes the file’s virtual cluster number (VCN).

Attributes in the MFT

NTFS Alternate Data Streams

• Alternate Data Streams: Are ways data can be appended to existing files.

• When you’re examining a disk, be aware that alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.

NTFS Compressed Files

• To improve data storage on disk drives, NTFS provides compression similar to FAT DriveSpace 3, a Windows 98 compression utility.

• With NTFS, you can compress files, folders, or entire volumes. With FAT16, you can compress only a volume.

• During an investigation, typically you work from an image of a compressed disk, folder, or file.

• Most forensics tools can uncompress and analyze compressed Windows data, including data compressed with the Lempel-Ziv-Huffman (LZH) algorithm and in formats such as PKZip, WinZip, and GNU gzip. However, .rar files have exemptions.

NTFS Encrypting File System

• Encrypting File System (EFS): added by Microsoft as optional built-in encryption to NTFS when they introduced Windows 2000.

• EFS uses public key and private key methods of encrypting files, folders, or disk volumes (partitions).

• When EFS is used in Windows 2000 and later, a recovery certificate is generated and sent to the local Windows administrator account.

• The purpose of the recovery certificate is to provide a mechanism for recovering files encrypted with EFS if there’s a problem with the user’s original private key.

• The recovery key is stored in one of two places.

  • When a network user initiates EFS, the recovery key is sent to the local domain server’s administrator account.

  • On a stand-alone workstation, the recovery key is sent to the local administrator account.

EFS Recovery Key Agent

• The Recovery Key Agent implements the recovery certificate, which is in the Windows administrator account.

• Windows administrators can recover a key in two ways:

  • Through Windows; or

  • From a command prompt.

• These two commands are available from a command prompt: cipher and copy.

• Encrypted files aren’t part of the FAT12, FAT16, or FAT32 file systems, so cipher command works only on NTFS systems running Windows 2000 Professional or later.

• The copy command, however, works in both FAT and NTFS.

• To recover an encrypted EFS file, a user can e-mail it or copy the file to the administrator, who can then run the Recovery Key Agent function to restore the file.

Deleting NTFS Files

• When you delete a file in Windows or File Explorer, you can restore it from the Recycle Bin. The OS takes the following steps when you delete a file or a folder in Windows or File Explorer:

  • Windows changes the filename and moves the file to a subdirectory with a unique identity in the Recycle Bin.

  • Windows stores information about the original path and filename in the Info2 file, which is the control file for the Recycle Bin. It contains ASCII data, Unicode data, and the date and time of deletion for each file or folder.

• NTFS files deleted at a command prompt function much like FAT files. The OS performs the following tasks:

  • The associated clusters are designated as free—that is, marked as available for new data.

  • The $Bitmap file attribute in the MFT is updated to reflect the file’s deletion, showing that this space is available.

  • The file’s record in the MFT is marked as being available.

  • VCN/LCN cluster locations linked to deleted nonresident files are then removed from the original MFT record.

  • A run-list is maintained in the MFT of all cluster locations on the disk for nonresident files. When the list of links is deleted, any reference to the links is lost.

Resilient File System

• ReFS is designed to address very large data storage needs, such as the cloud.

• The following features are incorporated into ReFS’s design:

  • Maximized data availability

  • Improved data integrity

  • Designed for scalability

• ReFS is an outgrowth of NTFS designed to provide a large-scale data storage access capability. It’s intended only for data storage, so as of this writing, it can’t be used as a boot drive.

• It uses a method called “allocate-on-write” that copies updates of data files to new locations; similar to shadow paging, it prevents overwriting the original data files.

5.4: Understanding Whole Disk Encryption

• Loss of personal identity information (PII) and trade secrets caused by computer theft has become more of a concern.

• Company PII might consist of employees’ full names, home addresses, and Social Security numbers. With this information, criminals could easily apply for credit card accounts in these employees’ names.

• Whole disk encryption tools offer the following features that forensics examiners should be aware of:

  • Preboot authentication; such as a single sign-on password, fingerprint scan, or token (USB device)

  • Full or partial disk encryption with secure hibernation; such as activating a password-protected screen saver

  • Advanced encryption algorithms; such as Advanced Encryption Standard (AES) and International Data Encryption Algorithm (IDEA)

  • Key management function that uses a challenge-and-response method to reset passwords or passphrases

Examining Microsoft BitLocker

• BitLocker: Microsoft’s utility for protecting drive data.

• Guidance Software Encase can decrypt BitLocker drives, although the process can take a lot of time.

• BitLocker’s current hardware and software requirements are as follows:

  • A computer capable of running Windows Vista or later (non-home editions).

  • The Trusted Platform Module (TPM) microchip, version 1.2 or newer.

  • A computer BIOS compliant with Trusted Computing Group (TCG).

  • Two NTFS partitions for the OS and an active system volume with available space.

  • The BIOS configured so that the hard drive boots first before checking the CD/ DVD drive or other bootable peripherals.

Examining Third-Party Disk Encryption Tools

• Endpoint Encryption can be used on PCs, laptops, and removable media to secure an entire disk volume. This tool works in Windows Server 2008 and later and Windows 7 and later.

• Voltage SecureFile is designed for an enterprise computing environment.

• Jetico BestCrypt Volume Encryption provides WDE for older MS-DOS and current Windows systems.

5.5: Understanding the Windows Registry

• Registry: A database that stores hardware and software configuration information, network connections, user preferences, and setup information.

Exploring the Organization of the Windows Registry

Terminologies

• Registry: A hierarchical database containing system and user information.

• Registry Editor: A Windows utility for viewing and modifying data in the Registry.

  • There are two Registry Editors: Regedit and Regedt32.

• HKEY: Windows splits the Registry into categories with the prefix HKEY_.

• Key: Folders in each HKEY. Keys can contain other key folders or values.

• Subkey: A key displayed under another key, similar to a subfolder in Windows or File Explorer.

• Branch: A key and its contents, including subkeys.

• Value: A name and value in a key; it’s similar to a file and its data content.

• Default value: All keys have a default value that may or may not contain data.

• Hives: These are specific branches in HKEY_USER and HKEY_LOCAL_MACHINE.

Registry file locations and purposes

Registry HKEYs and their functions

5.6: Understanding Microsoft Startup Tasks

Startup in Windows 7, Windows 8, and Windows 10

• Since Windows Vista, Microsoft has changed its approach to OS boot processes.

• All Windows 8 and 10 boot processes are designed to run on multiple devices, ranging from desktop or laptop systems to tablets and smartphones.

• In Windows Vista and later, the boot process uses a boot configuration data (BCD) store.

• For desktops and laptops (BIOS-designed systems), a BCD Registry file in the \Boot\Bcd folder is maintained to control the boot process.

• In Windows 8 and 10, the BCD contains the boot loader that initiates the system’s bootstrap process when Windows starts.

Startup in Windows NT and Later

• Any computer using NTFS performs the following steps when the computer is turned on:

  • Power-on self-test (POST)

  • Initial startup

  • Boot loader

  • Hardware detection and configuration • Kernel loading

  • User log-on

Startup Files for Windows Vista

• Bootmgr.exe: The Windows Boot Manager program controls boot flow and allows booting multiple OSs, such as booting Vista along with XP.

• Winload.exe: The Windows Vista OS loader installs the kernel and the Hardware Abstraction Layer (HAL) and loads memory with the necessary boot drivers.

• Winresume.exe: This tool restarts Vista after the OS goes into hibernation mode.

Startup Files for Windows XP

• NT Loader (Ntldr) loads the OS.

• When the system is powered on, Ntldr reads the Boot.ini file, which displays a boot menu.

• After you select the mode to boot to, Boot.ini runs Ntoskrnl.exe and reads Bootvid.dll, Hal.dll, and startup device drivers.

• Boot.ini specifies the Windows XP path installation and contains options for selecting the Windows version.

• If a system has multiple boot OSs, including older ones such as Windows 9x or DOS, Ntldr reads BootSect.dos (a hidden file), which contains the address of each OS.

• When the boot selection is made, Ntldr runs NTDetect.com, a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr.

  • This program identifies components and values on the computer system, such as the following:

    • CMOS time and date value

    • Buses attached to the motherboard, such as Industry Standard Architecture (ISA) or Peripheral Component Interconnect (PCI)

    • Disk drives connected to the system

    • Mouse input devices connected to the system

    • Parallel ports connected to the system

• NTBootdd.sys: The device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS.

• Ntoskrnl.exe: The Windows XP OS kernel, located in the systemroot\Windows\ System32 folder.

• Hal.dll: The Hardware Abstraction Layer (HAL) dynamic link library, located in the systemroot\Windows\System32 folder.

• At startup, data and instruction code are moved in and out of the Pagefile.sys file to optimize the amount of physical RAM available.

• Device drivers contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the systemroot\Windows\System32\ Drivers folder.

Windows XP System Files

5.7: Understanding Virtual Machines

• As an investigator, you might need a virtual server to view legacy systems, and you might need to forensically examine suspects’ virtual machines.

• Virtual machines enable you to run another OS on an existing physical computer by emulating a computer’s hardware environment.

• A virtual machine consists of several files. The two main files are:

  • Configuration File: Contains hardware settings, such as RAM, network configurations, port settings, and so on.

  • Virtual Hard Disk File: Contains the boot loader program, OS files, and users’ data files.

• Another reason for using a virtual machine in an investigation is to emulate actions taken by a suspect or even by malware.

• Several forensics analysis tools can convert a forensic image to an ISO image or a virtual hard disk (VHD) file, which enables you to run a suspect’s computer in a virtual environment.

• A virtual machine acts like any other computer but with a twist: It performs all the tasks the OS running on the physical computer can, do up to a certain point.

• The virtual machine recognizes the hardware components of the host computer it’s loaded on.

• The guest OS is limited by the host computer’s OS, which might block certain operations.

• In digital forensics, virtual machines make it possible to restore a suspect drive on a virtual machine and run nonstandard software the suspect might have loaded, for example.

  • You can browse through the drive’s contents, and then go back to the forensic image and test the items you found.