Chapter 5 Computer Forensics
NTBootdd.sys
A device driver that allows the OS to communicate with SCSI or ATA drives whose controllers are not accessible through the BIOS during startup.
Bytes in a sector
512 on traditional drives. Newer Advanced Format drives use 4096-byte physical sectors, so confirm the sector size of the evidence drive before computing byte offsets from sector numbers.
NTDetect.com
A 16-bit program that identifies hardware components during startup and sends the information to Ntldr.
0x1BE
The byte offset within a Master Boot Record (MBR) where the partition table begins; the first 16-byte partition entry starts here, followed by three more entries ending at 0x1FD, just before the 0x55AA boot signature.
Boot.ini
A file read by Ntldr that specifies the path to the Windows installation and a variety of other startup options (Windows NT through XP and Server 2003; replaced by the BCD store in Vista and later).
Resilient File System (ReFS)
A file system introduced with Windows Server 2012 that provides increased stability for disk storage and improved features for data recovery and error checking.
Encrypting File System (EFS)
Public/private key file encryption first shipped with Windows 2000 for NTFS-formatted disks. Each file is encrypted with a symmetric key (the file encryption key), and that symmetric key is in turn encrypted with the user's public key, so only the matching private key (or a recovery agent's key) can unlock the file.
Logical Cluster Numbers (LCNs)
Volume-relative cluster addresses stored in an MFT record's data runs; they let the MFT locate nonresident attribute data that is too large to fit inside the record itself.
Why are alternate data streams of particular interest when examining NTFS disks?
Alternate data streams (ADSs) can obscure valuable evidence, intentionally or unintentionally: the data is attached to a file but does not appear in a normal directory listing or in the file's reported size.
Tracks
Concentric circles on a disk platter where data is stored.
$Secure metadata file
The NTFS metadata file that stores the volume's unique security descriptors; the access control lists (ACLs) for all files and folders on the NTFS volume are maintained here.
exFAT
A file system developed for mobile personal storage devices, such as flash memory devices, Secure Digital eXtended Capacity (SDXC) cards, and memory sticks.
Hexadecimal 07
The partition-type byte value (0x07) that identifies an NTFS file system in an MBR partition table. The same value is also used for exFAT and HPFS, so confirm the file system from the volume boot sector rather than from the type byte alone.
Bootstrap Process
Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
Offset 0x14
In the MFT record header, the 2-byte offset to the first attribute, which is also the length of the header; it is typically 0x38 bytes.
Offset 0x00
The MFT record identifier (signature) "FILE", the 4 bytes at the start of every MFT record.
Which Microsoft OSs use FAT32?
Windows 95 OSR2 and later. FAT32 was introduced for OSs that need to address drives and partitions larger than the 2 GB limit of FAT16.
MFT record identifier FILE
The value stored in the MFT header field at offset 0x00.
When data is deleted on a FAT or NTFS hard drive, what happens?
Only the references to it are removed (the directory entry or MFT record is marked unused), which leaves the original data in unallocated space until it is overwritten.
Resilient File System features
Large-scale data access capability, increased stability for disk storage, and improved features for data recovery and error checking.
Offset 0x1C to 0x1F
Allocated (physical) size of the MFT record; the default is 0x400 (1024 bytes, or 2 sectors).
B+-tree
The structure the ReFS storage engine uses for fast access to large data sets.
Hive
A discrete body of registry keys, subkeys, and values backed by a file on disk. The hives under HKEY_LOCAL_MACHINE include SAM, SECURITY, SOFTWARE, SYSTEM, and (Vista and later) COMPONENTS.
efsrecvr
The command used to decrypt EFS files.
Head
The device that reads and writes data to a disk drive.
New Technology File System (NTFS)
The file system Microsoft created to replace FAT. It adds file-level security (ACLs), allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system.
$LogFile
The NTFS metadata file (MFT record 2) that keeps a log of file system transactions to assist in recovery after a system failure in an NTFS volume.
File Allocation Table (FAT)
The original Microsoft file structure database. It is written at the beginning of the volume (the outermost track of the disk) and records the cluster chain of each file stored on the drive; PCs use it to organize files on a disk so that the OS can find the files it needs.
Recovery certificate
Provides a mechanism for recovering files encrypted with EFS if there is a problem with the user's original private key; the recovery agent's private key can decrypt the file encryption key.
Software hive (Software.dat)
The registry hive file (stored without an extension as SOFTWARE in %SystemRoot%\System32\config) that contains installed programs' settings and associated usernames and passwords.
SAM hive (SAM.dat)
The registry hive file (stored without an extension as SAM in %SystemRoot%\System32\config) that contains user account management and security settings.
Zone bit recording (ZBR)
The technique most manufacturers use to deal with the fact that a platter's inner tracks have a smaller circumference than the outer tracks: outer zones hold more sectors per track than inner zones.
Geometry
The term is used to describe a disk's logical structure of platters, tracks, and sectors
Cylinders
The term that describes a column of tracks on two or more disk platters.
TrueCrypt
A third-party encryption tool that creates a virtual encrypted volume, a file mounted as though it were a disk drive. (Development ended in 2014; VeraCrypt continues the project.)
Offset 0x32 and 0x33
The first entry of the update sequence array in the MFT record header (the update sequence number itself is at 0x30 to 0x31). NTFS writes the update sequence number into the last two bytes of each sector of the record and keeps the bytes it replaced in this array; a parser must put them back (the fixup) before trusting the record, and a mismatch indicates a torn or corrupt record.
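The MFT record header layout referenced by the offset cards above (0x00 FILE, 0x14 first attribute, 0x1C to 0x1F record size, 0x30 update sequence number, 0x32 update sequence array), shown as an added Python example that is not the chapter's own code. It builds a constructed 1024-byte record, parses the header fields, and applies the NTFS fixup: the last two bytes of each 512-byte sector are checked against the update sequence number and replaced with the originals from the array. The record contents, the tail bytes 0xAAAA/0xBBBB and record number 5 are made up for the example.

```python
import struct

SECTOR_SIZE = 512            # bytes per sector, as on the page
MFT_RECORD_SIZE = 0x400      # default record size: 1024 bytes = 2 sectors
USN_OFFSET = 0x30            # update sequence number (NTFS 3.1 layout)
USA_OFFSET = 0x32            # first update sequence array entry


def build_sample_mft_record(record_number: int = 5) -> bytes:
    """Construct a minimal on-disk MFT record (made up for this example, not
    taken from a real volume). The last two bytes of every sector are
    overwritten with the update sequence number (USN) and the bytes they
    replaced are kept in the update sequence array (USA), as NTFS stores it."""
    rec = bytearray(MFT_RECORD_SIZE)
    usn = 0x0007
    first_attr = 0x38                                           # header length
    rec[0x00:0x04] = b"FILE"                                    # offset 0x00
    struct.pack_into("<HH", rec, 0x04, USN_OFFSET, 3)           # USA offset, words (USN + 2 sectors)
    struct.pack_into("<H", rec, 0x14, first_attr)               # offset 0x14: first attribute
    struct.pack_into("<H", rec, 0x16, 0x0001)                   # flags: record in use
    struct.pack_into("<II", rec, 0x18, first_attr + 8, MFT_RECORD_SIZE)  # used size, allocated size (0x1C)
    struct.pack_into("<I", rec, 0x2C, record_number)            # this record's MFT number
    struct.pack_into("<I", rec, first_attr, 0xFFFFFFFF)         # $END attribute marker
    # Constructed sector-tail bytes as they were before the fixup; NTFS moves them into the USA.
    tails = [b"\xAA\xAA", b"\xBB\xBB"]
    struct.pack_into("<H", rec, USN_OFFSET, usn)
    for i, tail in enumerate(tails):
        rec[USA_OFFSET + 2 * i:USA_OFFSET + 2 * i + 2] = tail
        end = (i + 1) * SECTOR_SIZE
        rec[end - 2:end] = struct.pack("<H", usn)
    return bytes(rec)


def parse_mft_record(rec: bytes) -> dict:
    """Parse the header fields from the page and apply the fixup. A sector whose
    last word differs from the USN was only partially written (a torn write),
    so the record is rejected rather than trusted."""
    if len(rec) < 0x38 or rec[0:4] != b"FILE":
        raise ValueError("offset 0x00 is not 'FILE': not an MFT record")
    usa_offset, usa_words = struct.unpack_from("<HH", rec, 0x04)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    used_size, alloc_size = struct.unpack_from("<II", rec, 0x18)
    (record_number,) = struct.unpack_from("<I", rec, 0x2C)
    (usn,) = struct.unpack_from("<H", rec, usa_offset)

    fixed = bytearray(rec)
    restored = []
    for i in range(usa_words - 1):                   # one USA entry per sector
        end = (i + 1) * SECTOR_SIZE
        if fixed[end - 2:end] != struct.pack("<H", usn):
            raise ValueError(f"fixup mismatch in sector {i}: torn or corrupt record")
        entry = usa_offset + 2 + 2 * i
        original = bytes(rec[entry:entry + 2])
        fixed[end - 2:end] = original                # put the real bytes back
        restored.append(original)

    return {
        "record_number": record_number,
        "first_attribute_offset": first_attr,
        "in_use": bool(flags & 0x0001),
        "is_directory": bool(flags & 0x0002),
        "used_size": used_size,
        "allocated_size": alloc_size,
        "usn_offset": usa_offset,
        "usa_offset": usa_offset + 2,
        "restored_sector_tails": restored,
        "fixed_record": bytes(fixed),
    }


if __name__ == "__main__":
    info = parse_mft_record(build_sample_mft_record())
    for key, value in info.items():
        if key != "fixed_record":
            print(f"{key}: {value}")
```

Run the parser on records carved from a real $MFT in 1024-byte chunks; any chunk that fails the FILE check or the fixup is either not a record or was caught mid-write and should be noted rather than interpreted.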
Disk drive
Made up of one or more platters coated with magnetic material; data is stored on each platter surface in tracks divided into sectors.
echo text > myfile.txt:stream_name
This command (Windows command prompt) creates an alternate data stream named stream_name attached to myfile.txt; the command dir /r lists a file's streams, which a plain dir listing does not show.
Delete (FAT)
Deleting a file on a FAT volume inserts hex E5 (0xE5) in the filename's first letter position in the associated directory entry; the rest of the entry and the file's data clusters are left in place.
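As an added example (not the chapter's own code), a Python parser for 32-byte FAT directory entries that shows what the 0xE5 delete marker leaves behind: the first name character is gone, but the starting cluster and file size are still in the entry, so the data sitting in unallocated space can be located. The directory region and its two files are constructed inside the script; it uses the FAT32 entry layout (cluster high word at 0x14) and skips long-filename entries.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5      # first byte of a deleted entry's name
END_OF_DIRECTORY = 0x00    # first byte of a never-used entry
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F            # long-filename fragment (read-only, hidden, system, volume bits all set)


def make_entry(name: str, ext: str, first_cluster: int, size: int, attr: int = 0x20) -> bytes:
    """Build a 32-byte 8.3 directory entry (constructed for this example)."""
    e = bytearray(ENTRY_SIZE)
    e[0:11] = f"{name[:8]:<8}{ext[:3]:<3}".upper().encode("ascii")
    e[0x0B] = attr
    struct.pack_into("<H", e, 0x14, (first_cluster >> 16) & 0xFFFF)  # cluster high word (FAT32)
    struct.pack_into("<H", e, 0x1A, first_cluster & 0xFFFF)          # cluster low word
    struct.pack_into("<I", e, 0x1C, size)                            # file size in bytes
    return bytes(e)


def delete_entry(entry: bytes) -> bytes:
    """What the OS does on delete: only the first name byte becomes 0xE5.
    The starting cluster and size survive, and the data clusters are untouched."""
    return bytes([DELETED_MARKER]) + entry[1:]


# Constructed directory region: one live file, one deleted file, then unused entries.
SAMPLE_DIRECTORY = (
    make_entry("REPORT", "DOC", 0x1234, 40960)
    + delete_entry(make_entry("SECRET", "TXT", 0x56, 1200))
    + bytes(ENTRY_SIZE * 2)
)


def parse_directory(region: bytes) -> list:
    """Walk 32-byte entries, reporting deleted entries alongside live ones."""
    found = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = region[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIRECTORY:
            break                       # nothing allocated past this point
        attr = e[0x0B]
        if attr == ATTR_LFN:
            continue                    # LFN pieces carry no cluster/size; not needed here
        deleted = e[0] == DELETED_MARKER
        raw = bytearray(e[0:11])
        if deleted:
            raw[0] = ord("?")           # first character is lost; the examiner must infer it
        base = raw[0:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        (hi,) = struct.unpack_from("<H", e, 0x14)
        (lo,) = struct.unpack_from("<H", e, 0x1A)
        (size,) = struct.unpack_from("<I", e, 0x1C)
        found.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "is_directory": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return found


if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIRECTORY):
        state = "DELETED" if entry["deleted"] else "live"
        print(f"{entry['name']:<14} {state:<8} cluster {entry['first_cluster']:#x} size {entry['size']}")
```

Recovering the deleted file's content still requires the FAT itself: the entry gives only the first cluster, and the chain pointers for a deleted file are zeroed, so a carver assumes the clusters were contiguous unless the FAT shows otherwise.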
Bootmgr.exe
The Windows Boot Manager program (Vista and later), which controls boot flow and allows booting multiple OSs; on disk it is the extensionless file bootmgr at the root of the system partition.
Valid encoding forms of Unicode
UTF-8, UTF-16, and UTF-32 (NTFS stores file names as UTF-16LE).
Partition gap
Unused space, or void, between the end of one partition and the start of the next, for example between the primary partition and the first logical partition.
How can data be hidden in a partition gap?
Users can remove references to a partition from the partition table in Windows, leaving its space looking unused, and can make the gaps large so that hidden data is easy to overlook.
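As an added example (not from the chapter), a Python parser for the MBR partition table covered above: it reads the four entries at 0x1BE, checks the 0x55AA signature, classifies the type byte (0x07 = NTFS/exFAT/HPFS), and reports unallocated gaps, which is where a partition whose table entry was removed, or data hidden between partitions, shows up. The sample MBR is constructed in the script and assumes 512-byte sectors; only the four primary entries are parsed, not the chain of logical partitions inside an extended partition.

```python
import struct

SECTOR_SIZE = 512                 # assumed; Advanced Format drives differ
PARTITION_TABLE_OFFSET = 0x1BE    # first of four 16-byte entries
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE          # 0x55AA marks a valid MBR

# Common partition-type bytes. 0x07 is shared, so confirm from the volume boot sector.
PARTITION_TYPES = {
    0x05: "Extended (CHS)", 0x0F: "Extended (LBA)",
    0x07: "NTFS/exFAT/HPFS",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x83: "Linux", 0xEE: "GPT protective",
}


def build_sample_mbr() -> bytes:
    """Constructed MBR for this example: an NTFS primary partition at LBA 2048
    and a FAT32 partition that starts 2048 sectors after it ends, leaving a gap."""
    mbr = bytearray(SECTOR_SIZE)
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x0C, 208896, 409600)]
    for i, (bootable, ptype, start_lba, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (ignored here), type, CHS end (ignored), LBA start, sector count
        struct.pack_into("<B3sB3sII", mbr, off, bootable, b"\xFE\xFF\xFF",
                         ptype, b"\xFE\xFF\xFF", start_lba, count)
    mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries."""
    if len(mbr) < SECTOR_SIZE or mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("0x55AA signature missing: not a valid MBR")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        bootable, _, ptype, _, start_lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype == 0x00:
            continue                  # empty slot
        parts.append({
            "entry_offset": off,
            "bootable": bootable == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "start_lba": start_lba,
            "sector_count": count,
            "size_bytes": count * SECTOR_SIZE,
        })
    return parts


def find_gaps(parts: list, disk_sectors=None) -> list:
    """Return (start_sector, length) for every unallocated run between sector 1
    and the last partition, plus the tail of the disk when its size is known.
    Hidden data, or a partition whose entry was erased, lives in these ranges."""
    gaps = []
    cursor = 1                        # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - cursor))
        cursor = max(cursor, p["start_lba"] + p["sector_count"])
    if disk_sectors is not None and disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"entry @0x{p['entry_offset']:03X}: type 0x{p['type']:02X} {p['type_name']}, "
              f"LBA {p['start_lba']}, {p['sector_count']} sectors")
    for start, length in find_gaps(parts, disk_sectors=1_000_000):
        print(f"unallocated: sectors {start}-{start + length - 1} ({length * SECTOR_SIZE} bytes)")
```

The leading gap (sectors 1 to 2047) is normal 1 MiB alignment on modern Windows installs; a gap between partitions or an unusually large tail is what merits carving and a look at the volume boot sectors inside it.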
Drive slack
The unused space in a cluster between the end of an active file's content and the end of the cluster.