Chapter 05: Working with Windows and CLI Systems
Microsoft's utility for protecting drive data
BitLocker
The unused space between partitions
Partition gap
Which certificate provides a mechanism for recovering files encrypted with EFS if there is a problem with the user's original private key?
Recovery certificate
The type of file system an OS uses determines how data is stored on the disk.
True
An international data format
Unicode
Which filename refers to a core Win32 subsystem DLL file?
User32.sys
Which filename refers to a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr?
NTDetect.com
Which acronym refers to the file system that was introduced when Microsoft created Windows NT and that remains the main file system in Windows 10?
NTFS
Which filename refers to the Windows XP system service dispatch stubs to executable functions and internal support functions?
Ntdll.dll
Which filename refers to the physical address support program for accessing more than 4 GB of physical RAM?
Ntkrnlpa.exe
The first data set on an NTFS disk, which starts at sector[0] of the disk and can expand to 16 sectors
Partition Boot Sector
What enables the user to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment?
A virtual machine
Ways data can be appended to existing files
Alternate data streams
What term refers to the number of bits in one square inch of a disk platter?
Areal density
What are BitLocker's current hardware and software requirements?
BitLocker's current hardware and software requirements are as follows:
* A computer capable of running Windows Vista or later (non-home editions)
* The Trusted Platform Module (TPM) microchip, version 1.2 or newer
* A computer BIOS compliant with Trusted Computing Group (TCG)
* Two NTFS partitions for the OS and an active system volume with available space
* The BIOS configured so that the hard drive boots first before checking the CD/DVD drive or other bootable peripherals
How are disk clusters numbered by Microsoft file structures?
Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT. The first sector of all disks contains a system area, the boot record, and a file structure database. The OS assigns these cluster numbers, which are referred to as logical addresses. They point to relative cluster positions; for example, cluster address 100 is 98 clusters from cluster address 2. Sector numbers, however, are referred to as physical addresses because they reside at the hardware or firmware level and go from address 0 (the first sector on the disk) to the last sector on the disk. Clusters and their addresses are specific to a logical disk drive, which is a disk partition.
What specifies the Windows XP installation path and contains options for selecting the Windows version?
Boot.ini
When Microsoft created Windows 95, into what were initialization (.ini) files consolidated?
The registry
What contains instructions for the OS for hardware devices, such as the keyboard, mouse, and video card?
Device drivers
What are records in the MFT called?
Inodedata
What is on an NTFS disk immediately after the Partition Boot Sector?
MFT
Which filename refers to the device driver that allows the OS to communicate with SCSI or ATA drives that aren't related to the BIOS?
NTBootdd.sys
Microsoft's move toward a journaling file system
NTFS
One way to examine a partition's physical level is to use a disk editor, such as WinHex or Hex Workshop.
True
In the NTFS MFT, all files and folders are stored in separate records of how many bytes each?
1024
What term refers to a column of tracks on two or more disk platters?
Cylinder
What are some of the features offered by current whole disk encryption tools?
Current whole disk encryption tools offer the following features that computer forensics examiners should be aware of:
* Preboot authentication, such as a single sign-on password, fingerprint scan, or token (USB device)
* Full or partial disk encryption with secure hibernation, such as activating a password-protected screen saver
* Advanced encryption algorithms, such as AES and IDEA
* Key management function that uses a challenge-and-response method to reset passwords or passphrases
The file or folder's MFT record provides cluster addresses where the file is stored on the drive's partition. What are these cluster addresses called?
Data runs
Unused space in a cluster between the end of an active file's content and the end of the cluster
Drive slack
What is the name of the optional built-in encryption that Microsoft added to NTFS when Windows 2000 was introduced?
EFS
Which acronym refers to the file structure database that Microsoft originally designed for floppy disks?
FAT
As data is added, the MFT can expand to take up 75% of the NTFS disk.
False
From a network forensics standpoint, there are no potential issues related to using virtual machines.
False
The first 5 bytes (characters) for all MFT records are FILE.
False
Typically, a virtual machine consists of just one file.
False
Gives an OS a road map to data on a disk
File system
What are some of the components of a disk drive?
Following is a list of disk drive components:
* Geometry—Geometry refers to a disk's logical structure of platters, tracks, and sectors.
* Head—The head is the device that reads and writes data to a drive. There are two heads per platter that read and write the top and bottom sides.
* Tracks—Tracks are concentric circles on a disk platter where data is located.
* Cylinders—A cylinder is a column of tracks on two or more disk platters. Typically, each platter has two surfaces: top and bottom.
* Sectors—A sector is a section on a track, usually made up of 512 bytes.
Describe some third-party disk encryption tools.
The following list describes some available third-party WDE utilities:
* Endpoint Encryption (www.symantec.com/products/endpoint-encryption) can be used on PCs, laptops, and removable media to secure an entire disk volume. This tool works in Windows Server 2008 and later and Windows 7 and later.
* Voltage SecureFile (www.voltage.com/products/data-security/hpe-securefile/) is designed for an enterprise computing environment.
* Jetico BestCrypt Volume Encryption (www.jetico.com/products/personal-privacy/bestcrypt-volume-encryption) provides WDE for older MS-DOS and current Windows systems.
Summarize the evolution of FAT versions.
The following list summarizes the evolution of FAT versions:
* FAT12—This version is used specifically for floppy disks, so it has a limited amount of storage space. It was originally designed for MS-DOS 1.0, the first Microsoft OS, used for floppy disk drives and drives up to 16 MB.
* FAT16—To handle large disks, Microsoft developed FAT16, which is still used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.5 and 4.0. FAT16 supports disk partitions with a maximum storage capacity of 4 GB.
* FAT32—When disk technology improved and disks larger than 2 GB were created, Microsoft released FAT32, which can access larger drives.
* exFAT—Developed for mobile personal storage devices, such as flash memory devices, secure digital eXtended capacity (SDCX), and memory sticks. The exFAT file system can store very large files, such as digital images, video, and audio files.
* VFAT—Developed to handle files with more than eight-character filenames and three-character extensions; introduced with Windows 95. VFAT is an extension of other FAT file systems.
Briefly explain NTFS compressed files.
To improve data storage on disk drives, NTFS provides compression similar to FAT DriveSpace 3, a Windows 98 compression utility. With NTFS, you can compress files, folders, or entire volumes. With FAT16, you can compress only a volume. On a Windows NT or later system, compressed data is displayed normally when you view it in Windows Explorer or applications such as Microsoft Word. During an investigation, typically you work from an image of a compressed disk, folder, or file. Most forensics tools can uncompress and analyze compressed Windows data, including data compressed with the Lempel-Ziv-Huffman (LZH) algorithm and in formats such as PKZip, WinZip, and GNU gzip. However, forensics tools might have difficulty with third-party compression utilities, such as the .rar format. If you identify third-party compressed data, you need to uncompress it with the utility that created it.
What are logical cluster numbers (LCNs)?
To understand how data runs are assigned for nonresident MFT records, you should know that when a disk is created as an NTFS file structure, the OS assigns logical clusters to the entire disk partition. These assigned clusters, called logical cluster numbers (LCNs), are sequentially numbered from the beginning of the disk partition, starting with the value 0. LCNs become the addresses that allow the MFT to link to nonresident files (files outside the MFT) on the disk's partition.
The space between each track
Track density
Concentric circles on a disk platter where data is located
Tracks
Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.
True
Drive slack includes RAM slack (found mainly in older Microsoft OSs) and file slack.
True
In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors.
True
It's possible to create a partition, add data to it, and then remove references to the partition so that it can be hidden in Windows.
True
Briefly describe how to delete FAT files.
When a file is deleted in Windows Explorer or with the MS-DOS delete command, the OS inserts a HEX E5 (0xE5) in the filename's first letter position in the associated directory entry. This value tells the OS that the file is no longer available and a new file can be written to the same cluster location. In the FAT file system, when a file is deleted, the only modifications made are that the directory entry is marked as a deleted file, with the HEX E5 character replacing the first letter of the filename, and the FAT chain for that file is set to 0. The data in the file remains on the disk drive. The area of the disk where the deleted file resides becomes unallocated disk space (also called "free disk space"). The unallocated disk space is now available to receive new data from newly created files or other files needing more space as they grow. Most forensics tools can recover data still residing in this area.
How can you make sure a subject's computer boots to a forensic floppy disk or CD?
When a subject's computer starts, you must make sure it boots to a forensically configured CD, DVD, or USB drive, because booting to the hard disk overwrites and changes evidentiary data. To do this, you access the CMOS setup by monitoring the computer during the bootstrap process to identify the correct key or keys to use. The bootstrap process, which is contained in ROM, tells the computer how to proceed. As the computer starts, the screen usually displays the key or keys, such as the Delete key, you press to open the CMOS setup screen. You can also try unhooking the keyboard to force the system to tell you what keys to use. The key you press to access CMOS depends on the computer's BIOS. If necessary, you can change the boot sequence so that the OS accesses the CD/DVD drive, for example, before any other boot device. Each BIOS vendor's screen is different, but you can refer to the vendor's documentation or Web site for instructions on changing the boot sequence.
How do most manufacturers deal with a platter's inner tracks having a smaller circumference than its outer tracks?
ZBR