CYBR 4853 - Chapter 5


The OS takes the following steps when you delete a file or folder in Windows Explorer or File Explorer (Windows 2000/XP behavior):

1. Windows changes the filename and moves the file to a subdirectory with a unique identity in the Recycle Bin.
2. Windows stores information about the original path and filename in the Info2 file, the control file for the Recycle Bin. For each deleted file or folder it holds the original path in ASCII and in Unicode, plus the date and time of deletion.

Windows Vista and later replaced Info2 with paired $I (metadata) and $R (content) files in the $Recycle.Bin folder of each volume.

Registry

A hierarchical database containing system and user information.

Branch

A key and its contents, including subkeys, make up a branch in the Registry.

Subkey

A key displayed under another key is a subkey, similar to a subfolder in Windows or File Explorer

Registry Editor

A Windows utility for viewing and modifying data in the Registry. Two editors have shipped: Regedit and Regedt32. From Windows XP on, Regedt32 is only a stub that starts Regedit.

Default value

All keys have a default value that may or may not contain data

Pagefile.sys

Windows's paging file. While the system runs, pages of data and instruction code are moved between physical RAM and this file to stretch the available memory, so it can hold fragments of process memory (passwords, documents, decrypted data) that are worth examining.

NTFS System Files

Because everything on an NTFS disk is a file, the first file, the MFT ($MFT), contains information about all files on the disk, including the system files the OS uses. In the MFT, the first 16 records (0 through 15) are reserved for system files.

Attribute 0x40: Object ID

Depending on the Windows version, attribute 0x40 is sometimes listed in the MFT. It holds the file's object ID, a GUID used for link tracking; ownership and access control information are stored in the security descriptor, not here. Its fields of interest are:
• At offset 0x04 and 0x05 from the beginning of attribute 0x40: the size of attribute 0x40
• At offset 0x14: the starting offset of the GUID data within the attribute (0x18 for an unnamed attribute)
• At offset 0x18 to 0x27: the 16-byte Object_ID GUID

exFAT

Developed for mobile personal storage devices, such as flash memory devices, Secure Digital eXtended Capacity (SDXC) cards, and memory sticks. The exFAT file system can store very large files, such as digital images, video, and audio files, without FAT32's 4 GB file-size limit.

VFAT

Developed to handle filenames longer than the eight-character name plus three-character extension of classic FAT; introduced with Windows 95. VFAT is not a separate on-disk format but an extension (long filename directory entries) layered on the other FAT file systems.

Key

Each HKEY contains folders referred to as keys. Keys can contain other keys (subkeys) or values.

Attribute 0x80: Data for a Nonresident File

For a nonresident file, the fields of interest for attribute 0x80 are as follows:
• At offset 0x04 and 0x05 from the beginning of attribute 0x80: size of the attribute.
• At offset 0x08: the resident/nonresident flag; for nonresident data it's set to 0x01.
• At offset 0x40: the start of the data runs (for an unnamed attribute; the exact offset is stored as a 2-byte value at attribute offset 0x20). The first run holds an absolute LCN; if the file is fragmented, additional data runs follow, each giving its start as an offset from the previous run, as shown in Figure 5-18. In that example there are six data runs, so the file is stored in six separate extents.

Attribute 0x80: Data for a Resident File

For a resident file's attribute 0x80, the fields of interest are as follows (see Figure 5-17):
• At offset 0x04 and 0x05 from the beginning of attribute 0x80: size of the attribute.
• At offset 0x08: the resident/nonresident flag; for resident data it's set to 0x00.
• At offset 0x10: number of bytes of resident data.
• At offset 0x18: start of the resident data.
• At offset 0x1FE and 0x1FF from the beginning of the MFT record: the update sequence number that closes the first 512-byte sector, used to validate that sector. The break between the first and second sectors is referred to as the sector boundary. The 2 bytes at 0x32 and 0x33 of the MFT header, in the update sequence array, hold the original values that belong at 0x1FE and 0x1FF (0x34 and 0x35 hold those for 0x3FE and 0x3FF, the end of the second sector).
The end of the attribute list in an MFT record is indicated by the hexadecimal values FF FF FF FF.

Attribute 0x30: File Name

A filename that fits the 8.3 short-name rules gets a single attribute 0x30 in the MFT record. A name that doesn't (longer than eight characters, or using characters the DOS namespace doesn't allow) gets two attribute 0x30s, one for the long name and one for the generated short name, unless short-name generation is disabled on the volume. Both have the same layout:
• At offset 0x04 and 0x05 from the beginning of attribute 0x30: the size of attribute 0x30.
• At offset 0x18 to 0x1F: the file reference of the parent directory.
• At offset 0x20 to 0x27: the file's creation date and time; all dates and times are stored in Win32 FILETIME format (100-nanosecond intervals since January 1, 1601, UTC).
• At offset 0x28 to 0x2F: the last modified (content changed) date and time.
• At offset 0x30 to 0x37: the MFT record update date and time.
• At offset 0x38 to 0x3F: the last access date and time.
• At offset 0x58: the name length in characters; at offset 0x59: the namespace byte (0 POSIX, 1 Win32, 2 DOS, 3 Win32 and DOS).
• At offset 0x5A from the 0x30 attribute's starting position: the filename (short or long, depending on which attribute this is); note that it's in Unicode (UTF-16LE).
The timestamps here are set when the name is created and are not updated the way the ones in attribute 0x10 are, so examiners compare the two copies to spot timestamp tampering.

Boot Sequence

For tablets and smartphones, it's best to review the vendors' documentation. For PCs, you must know how to access and modify Complementary Metal Oxide Semiconductor (CMOS), BIOS, Extensible Firmware Interface (EFI), and Unified Extensible Firmware Interface (UEFI) settings, so that you can make sure a suspect computer boots to a forensically configured CD, DVD, or flash drive rather than its own disk. You access the CMOS setup by monitoring the computer during the bootstrap process to identify the correct key or keys to use.

Hal.dll

Hardware Abstraction Layer (HAL) dynamic link library allows the OS kernel to communicate with the computer's hardware.

Master File Table (MFT)

Located immediately after the Partition Boot Sector, much as the FAT is in earlier Microsoft OSs. It is the first file on the disk, created at the same time a partition is formatted as an NTFS volume. It usually consumes about 12.5% of the disk when created and can expand to take up 50% of the disk. NTFS's smaller default cluster sizes result in much less file slack space than FAT. NTFS also uses Unicode, an international data format.

Understanding Microsoft Startup Tasks

In some investigations, you must preserve data on the disk exactly as the suspect last used it. Any access to a computer system after it was used for illicit purposes alters your disk evidence, and altering disk data lessens its evidentiary quality considerably. Accessing a suspect computer incorrectly could corrupt the digital evidence and make it less credible for litigation.

UEFI

Originally defined by Intel as EFI; the UEFI specification, now maintained by the UEFI Forum, defines the interface between a computer's firmware and the OS.

BitLocker

Microsoft's utility for protecting drive data. Available in Windows Vista Enterprise and Ultimate editions, Windows 7 and 8 Professional and Enterprise editions, and Windows Server 2008 and 2012. Guidance Software's EnCase can decrypt BitLocker drives when given the recovery key or password, but the process can take a lot of time. The OS volume must be NTFS; removable drives protected with BitLocker To Go (Windows 7 and later) can also be FAT-formatted.

clusters

Microsoft OSs allocate disk space for files in clusters, groups of one or more sectors.

Understanding Virtual Machines

More companies are turning to virtualization to reduce the cost of hardware purchases, so you might need a virtual server to view legacy systems, and you might need to forensically examine suspects' virtual machines. Virtual machines enable you to run another OS on an existing physical computer. Typically, a virtual machine consists of several files; the two main ones are the configuration file, containing hardware settings such as RAM, network configuration, port settings, and so on, and the virtual hard disk file, which contains the boot loader program, OS files, and users' data files. Another reason for using a virtual machine in an investigation is to emulate actions taken by a suspect or even by malware. Several forensics analysis tools can convert a forensic image to an ISO image or a virtual hard disk (VHD) file. A virtual machine performs all the tasks the OS running on the physical computer can, up to a certain point: the guest OS (the one running in the virtual machine) is limited by the host computer's OS and hypervisor. Virtual machines make it possible to restore a suspect drive as a virtual machine and run nonstandard software the suspect might have loaded. You need to be aware of some potential issues, such as the virtual machine being used to attack another system or network, so keep its network isolated.

Partition Boot Sector

On an NTFS disk, the first data set is the Partition Boot Sector. It starts at sector 0 of the partition (volume), not of the physical disk, and can extend to 16 sectors.

disk editor

One way to examine a partition at the physical level is to use a disk editor, which lets you access hidden or empty areas of the disk. Disk editors such as WinHex or Hex Workshop enable you to view file headers and other critical parts of a file.

third-party WDE utilities

• PGP Whole Disk Encryption
• Voltage SecureFile
• Jetico BestCrypt Volume Encryption
• TrueCrypt (development ended in 2014; VeraCrypt is its maintained successor)

Metadata

Records in the MFT are referred to as metadata: each record holds the attributes that describe a file or folder.

Resilient File System

Resilient File System (ReFS) is designed to address very large data storage needs:
• Maximized data availability
• Improved data integrity
• Designed for scalability
It's an outgrowth of NTFS intended to provide large-scale data storage access. As shipped with Windows Server 2012 it's intended only for data storage and can't be used as a boot volume. It uses disk structures similar to the MFT in NTFS. Its storage engine uses a B+-tree sort method for fast access to large data sets, and it uses a method called "allocate-on-write" (copy-on-write) that writes updates of data and metadata to new locations instead of overwriting in place.

physical addresses

Sector numbers are referred to as physical addresses because they reside at the hardware or firmware level and are numbered from address 0.

Examining the Windows Registry

Some forensics tools have built-in or add-on Registry viewers. An extensive amount of information is stored in the Registry. With Registry data, you can ascertain when users went online, when they accessed a printer, which USB devices were attached, and many other events.

Attribute 0x10: Standard Information

Standard Information attribute:
• At offset 0x38 from the beginning of the MFT record: the start of attribute 0x10 (the offset to the first attribute is stored at header offset 0x14).
• At offset 0x04 and 0x05 from the beginning of attribute 0x10: size of the 0x10 attribute.
• At offset 0x18 to 0x1F: the file's creation date and time; all dates and times are stored in Win32 FILETIME format.
• At offset 0x20 to 0x27: the last modified date and time for the file.
• At offset 0x28 to 0x2F: the MFT record update date and time.
• At offset 0x30 to 0x37: the last access date and time.
These are the timestamps Windows Explorer displays and the ones a timestomping tool changes; compare them with the copies kept in attribute 0x30.
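The timestamp and filename fields described for attribute 0x30 and attribute 0x10 above, decoded in code. This is an added example, not from the textbook or the study set: it converts Win32 FILETIME values, reads the common resident-attribute header, and pulls the four timestamps (and, for 0x30, the parent reference, namespace, and UTF-16LE name) from the offsets named in the text. The sample attributes are constructed inline by the builder functions at the bottom, with made-up dates and the name "report.docx"; nothing is read from a real MFT.

```python
import struct
from datetime import datetime, timedelta, timezone

# Win32 FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, stored as a little-endian u64.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

# Common attribute header (0x00-0x0F), then the resident-specific part (0x10-0x17).
ATTR_HEADER = "<IIBBHHH"   # type, total length, non-resident flag, name length, name offset, flags, id
RESIDENT_EXTRA = "<IHBB"   # content length, content offset, indexed flag, padding

def resident_content(attr):
    """Return (attribute type, content bytes) for a resident attribute."""
    atype, length, nonres, _, _, _, _ = struct.unpack_from(ATTR_HEADER, attr, 0)
    if nonres:
        raise ValueError("attribute 0x%02X is non-resident; follow its data runs instead" % atype)
    clen, coff, _, _ = struct.unpack_from(RESIDENT_EXTRA, attr, 0x10)
    return atype, attr[coff:coff + clen]

def timestamps_at(content, base):
    """On-disk order in both 0x10 and 0x30: creation, modification, MFT-record change, last access."""
    created, modified, mft_modified, accessed = struct.unpack_from("<4Q", content, base)
    return {"created": filetime_to_datetime(created),
            "modified": filetime_to_datetime(modified),
            "mft_modified": filetime_to_datetime(mft_modified),
            "accessed": filetime_to_datetime(accessed)}

def parse_standard_information(attr):
    atype, content = resident_content(attr)
    if atype != 0x10:
        raise ValueError("expected $STANDARD_INFORMATION (0x10), got 0x%02X" % atype)
    return timestamps_at(content, 0)            # content offset 0 = attribute offset 0x18

def parse_file_name(attr):
    atype, content = resident_content(attr)
    if atype != 0x30:
        raise ValueError("expected $FILE_NAME (0x30), got 0x%02X" % atype)
    parent_ref = struct.unpack_from("<Q", content, 0)[0]   # 48-bit MFT entry + 16-bit sequence number
    info = timestamps_at(content, 0x08)                    # attribute offset 0x20
    name_len, namespace = content[0x40], content[0x41]     # attribute offsets 0x58, 0x59
    name = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")   # attribute offset 0x5A
    info.update(parent_mft_entry=parent_ref & 0xFFFFFFFFFFFF, namespace=namespace, name=name)
    return info

# --- builders used only to construct the sample attributes below; they are not part of NTFS ---
def build_resident_attr(atype, content):
    total = 0x18 + len(content)
    total += (-total) % 8                                  # attributes are 8-byte aligned
    hdr = struct.pack(ATTR_HEADER, atype, total, 0, 0, 0x18, 0, 0)
    hdr += struct.pack(RESIDENT_EXTRA, len(content), 0x18, 0, 0)
    return hdr + content + bytes(total - 0x18 - len(content))

def build_file_name_content(name, times, parent_entry=5, namespace=1):
    encoded = name.encode("utf-16-le")
    fixed = struct.pack("<Q4QQQII", parent_entry | (1 << 48), *[datetime_to_filetime(t) for t in times],
                        0, 0, 0x20, 0)                     # allocated size, real size, flags (ARCHIVE), reparse
    return fixed + bytes([len(name), namespace]) + encoded

def build_std_info_content(times):
    return struct.pack("<4QIIII", *[datetime_to_filetime(t) for t in times], 0x20, 0, 0, 0)

# Constructed sample data (dates and name are invented for the example).
T_CREATED = datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
T_MODIFIED = datetime(2024, 3, 15, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE_TIMES = [T_CREATED, T_MODIFIED, T_MODIFIED, T_MODIFIED]
SAMPLE_FILE_NAME = build_resident_attr(0x30, build_file_name_content("report.docx", SAMPLE_TIMES))
SAMPLE_STD_INFO = build_resident_attr(0x10, build_std_info_content(SAMPLE_TIMES))

if __name__ == "__main__":
    print(parse_file_name(SAMPLE_FILE_NAME))
    print(parse_standard_information(SAMPLE_STD_INFO))
```

On a real record you would take the attribute bytes starting at the offset given in the MFT header (0x14) and walk forward by each attribute's length field at 0x04; the parsers above then apply unchanged. Comparing the two returned dictionaries is the usual check for timestomping: a 0x10 creation time earlier than the 0x30 creation time for the same file is something normal Windows API calls do not produce.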

logical addresses

The OS assigns cluster numbers, referred to as logical addresses, which point to relative cluster positions within the partition.

unallocated disk space

The area of the disk where a deleted file's contents still reside. It's free disk space, available to receive new data from newly created files or from files that need more space as they grow. Most forensics tools can recover data still residing in this area.

data runs

The file or folder's MFT record provides the cluster addresses where the file's contents are stored on the drive's partition. These cluster addresses are called data runs.

FAT12

This version was designed specifically for floppy disks, so it has a limited amount of storage space. It was originally designed for MS-DOS 1.0, the first Microsoft OS, and was used for floppy disk drives and drives up to 16 MB.

FAT16

To handle larger disks, Microsoft developed FAT16, which is still used on older Microsoft OSs such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.5 and 4.0. FAT16 supports disk partitions with a maximum capacity of 4 GB (with the 64 KB clusters Windows NT allows; 2 GB with the 32 KB clusters other systems support). An unintended side effect of allowing large clusters was that fragmentation decreased as cluster size increased; the larger clusters also resulted in inefficient use of disk space, because more of each cluster is slack.

whole disk encryption

Whole disk encryption helps prevent loss of information but creates new challenges in examining and recovering data from drives. WDE tools encrypt each sector of a drive separately and replace the drive's boot area with a pre-boot authentication loader, preventing any effort to bypass the secured drive's partition. To examine an encrypted drive, you must decrypt it first, which means running a vendor-specific program with the key or passphrase. Many vendors use a bootable CD or USB drive that prompts for a one-time passphrase. The biggest drawback to decrypting a drive is the several hours required to read, decrypt, and write each sector.

NTFS Compressed Files

To improve data storage on disk drives, NTFS provides compression similar to FAT DriveSpace 3. With FAT16, you could compress only a whole volume; NTFS can compress a volume, a folder, or a single file. Compressed data is displayed normally when you view it in Windows Explorer because the OS decompresses it transparently. Typically you work from an image of a compressed disk, folder, or file. Most forensics tools can uncompress and analyze NTFS-compressed data (NTFS uses the LZ77-based LZNT1 algorithm). Forensics tools might have more difficulty with third-party compression formats, such as .rar.

Deleting NTFS Files

Typically, you use Windows Explorer or File Explorer to delete files from a disk. When a file is deleted that way in Windows NT and later, the OS renames it and moves it to the Recycle Bin. Another method is the del (delete) command at the command prompt. It doesn't rename and move the file to the Recycle Bin; it marks the file's MFT record as not in use (clearing the in-use flag in the record header) and frees the file's clusters in $Bitmap, much as FAT marks a directory entry deleted. The record's attributes and the file's data remain on disk until they are reused.

MFT and File Attributes

When Microsoft introduced NTFS, the way the OS stores data on disks changed substantially. All files and folders are described by separate MFT records of 1024 bytes each. Each record contains file or folder information divided into attributes: metadata about the file or folder and either the file's data itself or links (data runs) to where the data is stored. An attribute is stored in one of two ways: resident, with its content inside the MFT record, or nonresident, with its content in clusters outside the MFT. For very small files, roughly 700 bytes or less once the other attributes are accounted for, all file metadata and data are resident in the MFT record; the data of larger files is stored outside the MFT. Each attribute starts with its own header containing a flag that identifies it as resident or nonresident. When a file's data grows out of the MFT, the old resident copy can linger in the record's slack until it's overwritten.

Deleting FAT Files

When a file is deleted in Windows Explorer or with the MS-DOS del command, the OS writes HEX E5 (0xE5) in the first byte of the filename in the associated directory entry. That byte tells the OS the entry is free and a new file can be written to the same cluster location. The only modifications made are that the directory entry is marked deleted (0xE5 replaces the first character of the filename) and the FAT entries in that file's cluster chain are set to 0 (free). The data in the file's clusters remains on the disk until it's overwritten, and the directory entry still holds the starting cluster number and the file size, which is what recovery tools use.

virtual cluster number (VCN)

When data is first written to a nonresident file, an LCN address is assigned to it in attribute 0x80 of the MFT. That first cluster is the file's virtual cluster number zero, VCN(0): VCNs number a file's clusters from 0 in file order, independent of where each cluster sits on the disk. If there isn't enough contiguous space at VCN(0)'s location because of disk fragmentation, another data run is added. The first run stores the actual LCN of VCN(0); each later run stores its starting cluster as a signed offset from the previous run's starting LCN, so that if the next free area lies at a lower address than the previous one, the new LCN is computed simply by adding a negative number.

FAT32

When disk technology improved and disks larger than 2 GB were developed, Microsoft released FAT32 (with Windows 95 OSR2), which can address larger drives with smaller clusters but still limits an individual file to 4 GB minus 1 byte.

Contamination Concerns with Windows XP

When you start a Windows XP NTFS workstation, several files are accessed immediately. When any of these or other related OS files are accessed at startup, the last access date and time stamp for the files changes to the current date and time. This change destroys any potential evidence that shows when a Windows XP workstation was last used. Windows Vista and later disable last-access updates by default (the NtfsDisableLastAccessUpdate setting), but booting still writes to event logs, the Registry, and prefetch files, so the rule of never booting the original disk stands.

Startup in Windows 7 and Windows 8

Windows 8 is a multiplatform OS that can run on desktops, laptops, tablets, and smartphones, and all Windows 8 boot processes are designed to run on multiple devices. The boot process uses a boot configuration data (BCD) store: a BCD registry hive in the \Boot\BCD file is maintained to control the boot process. To edit this file you use the BCD Editor (bcdedit.exe); Regedit and Regedt32 aren't used for it. The BCD store holds the entries the Windows Boot Manager (bootmgr) uses to locate and start the boot loader (winload.exe), which initiates the rest of the system's bootstrap process. To access the Advanced Boot Options menu during the bootstrap process, press F8 (or F12 on some systems) when the system is starting; options include Safe Mode (Enable Safe Mode in Windows 8), Enable boot logging, and Disable Driver Signature Enforcement. To access the computer's firmware setup and modify the boot priority order, press F2 or Delete (the key varies by vendor).

Ntoskrnl.exe

Windows XP OS kernel

HKEY

Windows splits the Registry into categories with the prefix HKEY_. Windows 9x systems have six HKEY categories, and Windows 2000 and later have five. Windows programmers refer to the "H" as the handle for the key.

The first sector of all disks contains

a system area, the boot record, and a file structure database

Hives

Hives are specific branches in HKEY_USERS and HKEY_LOCAL_MACHINE that are backed by files on disk. The hive branches under HKEY_LOCAL_MACHINE are SAM, SECURITY, SOFTWARE, SYSTEM, and (Vista and later) COMPONENTS, stored in \Windows\System32\config. For HKEY_USERS, each user account has its own hive, loaded from the Ntuser.dat file in that user's profile folder.

drive slack

Composed of the unused space in a cluster between the end of an active file's content and the end of the cluster. Drive slack includes RAM slack (the unused tail of the file's last sector, which older Microsoft OSs padded with whatever was in memory) and file slack (the remaining unused sectors in the cluster).

CMOS

The computer stores system configuration and date and time information in CMOS memory so that it's retained when power to the system is off. The key you press to access CMOS setup depends on the computer's BIOS.

Tracks

concentric circles on a disk platter where data is located follow a numbering scheme starting from 0

Device drivers

Contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card.

bootstrap process

contained in ROM tells the computer how to proceed

BIOS or EFI

Contains programs that perform input and output at the hardware level; each is designed for specific firmware.

EFI

designed for x64 computers and uses GUID Partition Table (GPT)- formatted disks.

BIOS

designed for x86 computers and typically used on disk drives with Master Boot Records (MBR).

NTBootdd.sys

A device driver that allows the OS to communicate with SCSI or ATA drives that aren't handled by the BIOS. Like the other boot-start drivers, it runs in privileged (kernel) processor mode with direct access to hardware and system data.

File Allocation Table (FAT)

A file structure database that Microsoft designed for floppy disks. It's used to organize files on a disk so that the OS can find the files it needs. Other OSs, such as Linux and Macintosh, can format, read, and write to FAT storage devices such as USB drives and SD cards. The FAT is typically written to a disk's outermost track; the directory entries it works with contain filenames, directory names, date and time stamps, the starting cluster number, and file attributes. There are three current versions of FAT: FAT16, FAT32, and exFAT.

Interpreting a Data Run

The first data run for a nonresident attribute 0x80 starts at offset 0x40 from the beginning of the attribute (for an unnamed attribute; the exact offset is stored in the 2-byte field at attribute offset 0x20). Data runs have three components:
• The first component is a single header byte: its low nibble declares how many bytes hold the second component, and its high nibble how many bytes hold the third.
• The second component stores the number of clusters assigned to the data run.
• The third component contains the starting cluster address: an absolute LCN in the first run, and in each later run a signed offset relative to the previous run's starting LCN, so LCNs can move up or down the disk while the VCNs stay in file order.
A header byte of 0x00 ends the list, and a header whose high nibble is 0 describes a sparse run that occupies no clusters on disk.
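A decoder for the data-run list described above, which also covers the nonresident attribute 0x80 fields and the VCN-to-LCN relationship discussed earlier. This is an added example, not code from the textbook or the study set. The run bytes in SAMPLE_RUNS are constructed for the example (the LCN values are arbitrary): the second run deliberately carries a negative offset (0xF0 = -16) to show the signed arithmetic, and the last run is sparse. The build_nonresident_data_attr helper only exists to wrap those bytes in a minimal nonresident header so the 0x20 offset lookup can be shown.

```python
import struct

def parse_data_runs(buf, start=0):
    """Decode a data-run list. Each run: header byte (low nibble = byte length of the
    cluster-count field, high nibble = byte length of the offset field), then the count,
    then the offset. The first offset is an absolute LCN; each later one is a signed
    delta from the previous run's starting LCN. Offset length 0 means a sparse run
    (no clusters allocated). A 0x00 header byte terminates the list.
    Returns [(first VCN, cluster count, starting LCN or None), ...]."""
    runs, pos, vcn, lcn = [], start, 0, 0
    while pos < len(buf) and buf[pos] != 0x00:
        header = buf[pos]
        pos += 1
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(buf):
            raise ValueError("malformed data run at offset 0x%X" % (pos - 1))
        count = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, count, None))                         # sparse run
        else:
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((vcn, count, lcn))
        vcn += count
    return runs

def vcn_to_lcn(runs, vcn):
    """Map a file-relative cluster number to its on-disk cluster (None if sparse)."""
    for first, count, lcn in runs:
        if first <= vcn < first + count:
            return None if lcn is None else lcn + (vcn - first)
    raise IndexError("VCN %d is beyond the end of the attribute" % vcn)

def data_runs_from_attribute(attr):
    """Locate the run list inside a non-resident attribute via the 2-byte offset at 0x20
    (0x40 for an unnamed attribute, as in the text) and decode it."""
    if attr[0x08] != 0x01:
        raise ValueError("attribute is resident; its content is inline, not in data runs")
    runs_off = struct.unpack_from("<H", attr, 0x20)[0]
    return parse_data_runs(attr, runs_off)

# Constructed sample: 16 clusters at LCN 4660, then 5 clusters 16 clusters *lower* (delta 0xF0 = -16),
# then 8 clusters 4096 clusters higher, then a 3-cluster sparse run, then the 0x00 terminator.
SAMPLE_RUNS = bytes.fromhex("21 10 34 12 11 05 F0 21 08 00 10 01 03 00")

def build_nonresident_data_attr(run_bytes, cluster_size=4096):
    """Wrap a run list in a minimal non-resident $DATA (0x80) attribute header (sample data only)."""
    total = sum(c for _, c, _ in parse_data_runs(run_bytes))
    hdr = struct.pack("<IIBBHHHQQHHIQQQ",
                      0x80, 0, 1, 0, 0x40, 0, 0,        # type, length (patched below), non-resident=1, ...
                      0, total - 1,                     # starting VCN, last VCN
                      0x40, 0, 0,                       # offset to data runs, compression unit, padding
                      total * cluster_size, total * cluster_size, total * cluster_size)
    attr = bytearray(hdr + run_bytes)
    attr += bytes((-len(attr)) % 8)                     # 8-byte alignment
    struct.pack_into("<I", attr, 0x04, len(attr))
    return bytes(attr)

SAMPLE_ATTR = build_nonresident_data_attr(SAMPLE_RUNS)

if __name__ == "__main__":
    for first, count, lcn in data_runs_from_attribute(SAMPLE_ATTR):
        print("VCN %3d..%3d -> %s" % (first, first + count - 1,
                                      "sparse" if lcn is None else "LCN %d" % lcn))
```

Multiply an LCN by the volume's cluster size (from the boot sector) and add the partition's byte offset to get the absolute position in the image; that is the calculation a carver performs for each fragment of a deleted nonresident file whose MFT record is still intact.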

file system

gives an OS a road map to data on a disk. determines how data is stored on the disk so that you can access and modify system settings when necessary

zone bit recording (ZBR), track density, areal density

Zone bit recording is handled at the drive's hardware or firmware level. It's how most manufacturers deal with a platter's inner tracks having a smaller circumference (and therefore less room for data) than its outer tracks. Tracks are grouped into zones; all tracks in a zone hold the same number of sectors, and outer zones hold more sectors per track than inner zones.

EFS Recovery Key Agent

Implements the recovery certificate, which is held in the Windows administrator account. Windows administrators can recover a key in two ways: through Windows or from a command prompt. To have an encrypted EFS file recovered, a user can e-mail it or copy it to the administrator.

Registry

Replaced the initialization (.ini) files of earlier Windows versions. It's a database that stores hardware and software configuration information, network connections, user preferences (including usernames and, for some applications, passwords), and setup information, and it can contain valuable evidence. To view the Registry, you can use the Regedit (Registry Editor) program. You can use the Edit, Find menu command in Registry Editor to locate entries that might contain trace evidence. You can also use the Registry to determine the most recently accessed files and peripheral devices. You should explore the Registry of all Windows systems, being careful not to alter any Registry setting to avoid corrupting the system; on an imaged system, work from the hive files with an offline viewer instead.

NT File System (NTFS)

Introduced when Microsoft created Windows NT and still the main file system in Windows 8. Each generation of Windows since NT has included minor changes in NTFS configuration and features. NTFS was partially based on, and incorporated many features from, HPFS, Microsoft's project with IBM for the OS/2 operating system. It offers substantial improvements over FAT file systems: more information is kept about each file, and you have more control over files and folders (directories). It was Microsoft's move toward a journaling file system; the journaling feature is helpful because it records a transaction before the system carries it out. Everything written to the disk is considered a file.

cylinder

is a column of tracks on two or more disk platters. Typically, each platter has two surfaces: top and bottom.

When the OS stores data in a FAT file system

it assigns a starting cluster position to the file. Data for the file is written to the first sector of the first assigned cluster. When this first assigned cluster is filled, FAT assigns the next available cluster to the file and records the link in the previous cluster's FAT entry. On rare occasions, such as a system failure or sabotage, these cluster chains can break.

partition

A logical drive. Under the MBR scheme, Windows OSs can have up to four primary partitions, or three primary partitions followed by an extended partition that can contain one or more logical drives. Someone who wants to hide data on a hard disk can create hidden partitions or leave large unused gaps between partitions on a disk drive.

Disk drives

Made up of one or more platters coated with magnetic material; data is stored on the platters in a particular way. A sector typically holds 512 bytes, though Advanced Format drives use 4096-byte physical sectors (usually presented to the OS as 512-byte logical sectors).

wear-leveling

Memory cells continuously shift data at the physical level to other cells that have had fewer reads and writes. The purpose of shifting (or rotating) data from one memory cell to another is to make sure all memory cells on the flash drive wear evenly; when cells reach their defined limits, they can no longer retain data. When data is rotated to another memory cell, the old memory cell addresses are listed in a firmware table used by the "garbage collector." At some point, the flash drive's firmware erases the data in unallocated cells (a flash erase sets every bit in the block to 1).

Startup Files for Windows XP

Most startup files for Windows XP are in the root folder of the system partition. NT Loader (Ntldr) loads the OS: it reads the Boot.ini file, which specifies the path of the Windows XP installation and contains options for selecting the Windows version, and displays a boot menu when more than one entry exists. If a system has multiple boot OSs, including older ones such as Windows 9x or DOS, Ntldr reads BootSect.dos to start them. When the boot selection is made, Ntldr runs NTDetect.com, a 16-bit real-mode program that queries the system for device and configuration data and passes its findings to Ntldr. Ntldr then loads Ntoskrnl.exe, Hal.dll, Bootvid.dll, and the boot-start device drivers.

Value

name and value in a key; it's similar to a file and its data content.

Master Boot Record (MBR)

The partition table is in the MBR, located at sector 0 of the disk drive; the table begins at offset 0x1BE (four 16-byte entries) and the sector ends with the 0x55AA signature at 0x1FE.

Geometry

Refers to a disk's logical structure of platters, tracks, and sectors. To determine the total number of addressable bytes on a disk under the legacy addressing scheme, multiply the number of cylinders by the number of heads (in effect, tracks per cylinder), by the number of sectors per track, and by the sector size (512 bytes, or more on newer drives). This is the cylinder, head, and sector (CHS) calculation; modern drives report LBA values instead.

Areal density

refers to the number of bits in one square inch of a disk platter includes the unused space between tracks

sector

section on a track, usually made up of 512 bytes

clusters

Sectors are grouped to form clusters, storage allocation units of one or more sectors. Clusters range from 512 bytes up to 32 KB each on FAT volumes (NTFS also allows 64 KB). Combining sectors minimizes the overhead of writing or reading files to a disk. The OS groups one or more sectors into a cluster; the number of sectors per cluster varies according to the volume size. Clusters are numbered sequentially, starting at 0 in NTFS and 2 in FAT.

Startup in Windows NT and Later

There are some minor differences in how certain system startup files function, but they accomplish the same orderly startup. Any computer using NTFS performs the following steps when it's turned on:
• Power-on self test (POST)
• Initial startup
• Boot loader
• Hardware detection and configuration
• Kernel loading
• User logon

When you run out of room for an allocated cluster

the OS allocates another cluster for your file. As files grow and require more disk space, assigned clusters are chained together
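The FAT cluster chaining and deletion behavior described above (starting cluster in the directory entry, next-cluster links in the FAT, 0xE5 on delete with the chain zeroed and the data left in place), modeled in a toy volume. This is an added example, not from the textbook or the study set; Fat16Volume is a deliberately simplified in-memory model (one 512-byte sector per cluster, a root directory of 32-byte entries, no subdirectories, no long-name entries) that keeps only the fields the text relies on. The file contents are constructed inline. The recover_deleted method does what a forensic tool does with a 0xE5 entry: read the surviving start cluster and size, assume the file was contiguous, and check whether those clusters have since been reallocated.

```python
import math

FREE = 0x0000
EOC = 0xFFFF           # end-of-chain marker (FAT16 treats 0xFFF8-0xFFFF as end of chain)
DELETED = 0xE5         # first byte of a directory entry whose file was deleted
CLUSTER_SIZE = 512     # toy assumption: one 512-byte sector per cluster

class Fat16Volume:
    """Toy FAT16 volume: a FAT, a root directory of 32-byte entries, and raw cluster storage."""

    def __init__(self, n_clusters):
        self.fat = [FREE] * n_clusters
        self.fat[0], self.fat[1] = 0xFFF8, EOC            # reserved entries; data clusters start at 2
        self.clusters = [bytes(CLUSTER_SIZE)] * n_clusters
        self.root = []                                     # directory entries (bytearray(32))

    def write_file(self, name83, data):
        """Allocate a chain of free clusters, write the data, and add a directory entry."""
        needed = max(1, math.ceil(len(data) / CLUSTER_SIZE))
        chain = [c for c in range(2, len(self.fat)) if self.fat[c] == FREE][:needed]
        if len(chain) < needed:
            raise OSError("disk full")
        for i, c in enumerate(chain):
            self.clusters[c] = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE].ljust(CLUSTER_SIZE, b"\x00")
            self.fat[c] = chain[i + 1] if i + 1 < len(chain) else EOC   # link to next cluster
        entry = bytearray(32)
        entry[0:11] = name83.encode("ascii").ljust(11)    # 8.3 name, space padded
        entry[0x1A:0x1C] = chain[0].to_bytes(2, "little") # starting cluster (low word)
        entry[0x1C:0x20] = len(data).to_bytes(4, "little")  # file size
        self.root.append(entry)
        return entry

    def read_file(self, entry):
        size = int.from_bytes(entry[0x1C:0x20], "little")
        c = int.from_bytes(entry[0x1A:0x1C], "little")
        out = b""
        while c != EOC:                                    # follow the chain through the FAT
            out += self.clusters[c]
            c = self.fat[c]
        return out[:size]

    def delete_file(self, entry):
        """What the OS does on delete: zero the chain, mark the entry; cluster contents untouched."""
        c = int.from_bytes(entry[0x1A:0x1C], "little")
        while c != EOC:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt
        entry[0] = DELETED

    def recover_deleted(self, entry):
        """Forensic recovery from a 0xE5 entry. The chain is gone, so assume the file was
        contiguous from its start cluster; report whether any of those clusters were reused."""
        if entry[0] != DELETED:
            raise ValueError("entry is not marked deleted")
        start = int.from_bytes(entry[0x1A:0x1C], "little")
        size = int.from_bytes(entry[0x1C:0x20], "little")
        n = max(1, math.ceil(size / CLUSTER_SIZE))
        overwritten = any(self.fat[c] != FREE for c in range(start, start + n))
        data = b"".join(self.clusters[start:start + n])[:size]
        return data, overwritten

def demo():
    """Constructed scenario: write, delete, recover; then let a new file reuse the clusters."""
    vol = Fat16Volume(16)
    data = bytes(range(256)) * 5                           # 1280 bytes -> three clusters
    entry = vol.write_file("REPORT  TXT", data)
    vol.delete_file(entry)
    recovered, clobbered = vol.recover_deleted(entry)
    vol.write_file("NEW     BIN", b"\xAA" * 600)           # reuses clusters 2 and 3
    recovered2, clobbered2 = vol.recover_deleted(entry)
    return recovered == data, clobbered, recovered2 == data, clobbered2

if __name__ == "__main__":
    print(demo())   # (True, False, False, True)
```

The second recovery attempt is why imaging before anything else matters: the deleted entry still looks the same, but the clusters it points at now belong to another file. Real tools also have to handle fragmented files, whose later clusters cannot be found from the entry alone once the FAT chain is zeroed.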

Startup Files for Windows Vista

Windows Vista changed the boot process to use the new Extensible Firmware Interface (EFI) as well as the older BIOS system. EFI boot firmware is designed to provide better protection against malware than BIOS does. The Ntldr program Windows XP used to load the OS has been replaced with three boot utilities:
- Bootmgr.exe
- Winload.exe
- Winresume.exe
Vista includes the BCD editor (bcdedit.exe) for modifying boot options and updating the BCD registry file; the BCD store replaces the Windows XP Boot.ini file.

MFT Structures for File Data

Multi-byte values in an MFT record are stored in little endian format, meaning the least significant byte comes first, so a value in a hex dump is read from right to left within its field. The first section of an MFT record is the header, which defines the size of the record and the starting position of the first attribute. Following the header are attributes specific to the file, such as an application file or a data file. MFT records for directories and system files have additional attributes (such as 0x90 Index Root) that don't appear in a file's MFT record.

head

the device that reads and writes data to a drive. There are two heads per platter that read and write the top and bottom sides

Track density

The spacing between tracks, measured as tracks per inch. As with old vinyl records, the smaller the space between tracks, the more tracks you can place on the platter.

partition gap.

Unused space between partitions. It's possible to create a partition, add data to it, and then remove references to the partition from the partition table so that it's hidden from Windows; the gap it leaves, or a hidden partition type code, is the clue to look for.
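A partition-table reader that applies the MBR layout (table at 0x1BE, 0x55AA signature) and the hidden-partition and partition-gap ideas from the cards above. This is an added example, not code from the textbook or the study set. The MBR bytes are constructed by build_mbr for the example: a bootable NTFS partition starting at sector 2048, a large unused gap, and a second partition with the "hidden NTFS" type code 0x17; the 1,000,000-sector disk size and the 2048-sector alignment threshold are assumptions for the example, not values from the text.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
# Partition type codes with the "hidden" bit (0x10) set: the usual FAT/NTFS types plus 0x10.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

def parse_mbr(mbr):
    """Return the non-empty entries of the four-slot primary partition table."""
    if len(mbr) < MBR_SIZE or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature at offset 0x1FE")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0x00 or count == 0:
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "hidden": ptype in HIDDEN_TYPES, "start": lba, "end": lba + count - 1})
    return parts

def find_gaps(parts, disk_sectors):
    """Sector ranges claimed by no partition: after the MBR, between partitions, and after the last."""
    gaps, cursor = [], 1          # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def suspicious_gaps(gaps, min_sectors=2048):
    """Flag gaps larger than one 1 MiB alignment unit (the normal tool-created gap before partition 1)."""
    return [(a, b) for a, b in gaps if b - a + 1 > min_sectors]

def build_mbr(entries):
    """Constructed sample MBR; CHS fields are filled with 0xFF as LBA-only tools do."""
    mbr = bytearray(MBR_SIZE)
    for i, (ptype, lba, count) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         0x80 if i == 0 else 0x00, b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", lba, count)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)

DISK_SECTORS = 1_000_000   # assumed size of the sample disk
# Sample disk: an NTFS system partition, a large unused gap, then a *hidden* NTFS partition (type 0x17).
SAMPLE_MBR = build_mbr([(0x07, 2048, 400_000), (0x17, 600_000, 300_000)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    gaps = find_gaps(parts, DISK_SECTORS)
    for p in parts:
        print(p)
    print("gaps:", gaps, "worth carving:", suspicious_gaps(gaps))
```

On a real image, read the first 512 bytes of the disk (not of a partition) and take the sector count from the image size; any gap the script reports is a range to run a file carver over, and a hidden type code is a partition to mount read-only and examine like any other.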

Head and cylinder skew

used to improve disk performance. As the read-write head moves from one track to another, starting sectors are offset to minimize lag time

NTFS Encrypting File System

Uses public key and private key methods of encrypting files, folders, or disk volumes (partitions). Only the user who encrypted the data (or a designated recovery agent) can access the encrypted files. The user holds the private key; the matching public key is in a certificate that can be issued by a certification authority or, where none is available, self-signed by Windows. When EFS is first used, a recovery certificate is generated and sent to the local Windows administrator account. The purpose of the recovery certificate is to provide a mechanism for recovering files encrypted with EFS. The recovery key is stored in one of two places. Users can apply EFS to files stored on their local workstations or on a remote server.

NTFS Alternate Data Streams

A way data can be appended to an existing file. Alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence. An alternate stream becomes an additional data attribute of the file, and the file remains one data unit; Windows itself uses streams, for example to record the zone identifier of a downloaded file. If you perform a keyword search and retrieve a file associated with a keyword, you might not be able to open the alternate data stream, and it isn't displayed when you open the file in a text editor. You can tell whether a file has an alternate data stream attached by examining the file's MFT record, where each stream is a separately named 0x80 attribute; on a live Vista or later system, dir /R and PowerShell's Get-Item -Stream * also list them.

Solid-State Storage Devices

Because of wear-leveling, making a full forensic copy as soon as possible is crucial in case you need to recover data from unallocated space. Even if you let the USB drive sit and write no additional data to it, wear-leveling and garbage collection can overwrite or erase the unallocated space on their own. Flash cells, allocated and unallocated alike, retain their contents without power, so the data persists until the firmware erases it.

logical cluster numbers (LCNs)

When a disk is formatted with an NTFS file structure, the OS assigns logical clusters to the entire partition, sequentially numbered from the beginning of the partition starting with the value 0. These LCNs become the addresses that allow the MFT to link to nonresident files (files whose data is outside the MFT) on the partition.

Windows XP System Files

You need to examine the core OS files that Windows XP, 2000, and NT use, because starting the system accesses them and alters their timestamps.

MFT Header Fields

• At offset 0x00: the MFT record signature FILE; the letter F is at offset 0 (a record that failed its sector check is rewritten with BAAD here).
• At offset 0x04 and 0x05: the offset of the update sequence array (0x30 on Windows XP and later); at 0x06 and 0x07: its size in 2-byte words (3 for a 1024-byte record: the sequence number plus one entry per sector).
• At offset 0x14: the offset to the first attribute, typically 0x38, which is also the length of the header.
• At offset 0x16 and 0x17: flags; bit 0 set means the record is in use, bit 1 set means it describes a directory.
• At offset 0x1C to 0x1F: the allocated size of the MFT record; the default is 0x400 (1024) bytes, or two sectors.
• At offset 0x30 and 0x31: the update sequence number, which is also written into the last 2 bytes of each 512-byte sector of the record. At 0x32 and 0x33 (and 0x34 and 0x35) the update sequence array stores the original 2 bytes that belong at the end of the first (and second) sector. On read, the driver checks that each sector ends with the sequence number and then restores the original bytes, so a torn write that updated only one of the two sectors is detected. It's a per-sector consistency check on every record, not a checksum of the record's contents.
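The header fields and the update sequence ("fixup") mechanism just described, in code that both applies the fixup the way the driver does before a write and undoes it the way a reader must before trusting the record. This is an added example, not from the textbook or the study set, and it also covers the sector-boundary bytes mentioned under the resident 0x80 attribute. The 1024-byte record is constructed by build_sample_record with an empty attribute list (just the FF FF FF FF end marker at 0x38) and recognisable bytes at the end of each sector so the substitution is visible; the sequence number 0x0007 is arbitrary.

```python
import struct

RECORD_SIZE = 1024
SECTOR_SIZE = 512

def parse_record_header(rec):
    """Header fields named in the text (offsets relative to the start of the record)."""
    if rec[0:4] not in (b"FILE", b"BAAD"):
        raise ValueError("not an MFT record: signature %r" % bytes(rec[0:4]))
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    record_size = struct.unpack_from("<I", rec, 0x1C)[0]
    return {"signature": bytes(rec[0:4]).decode(), "usa_offset": usa_off, "usa_count": usa_count,
            "first_attr_offset": first_attr, "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
            "record_size": record_size, "usn": bytes(rec[usa_off:usa_off + 2])}

def apply_fixup(rec, usn):
    """What the driver does before writing: stash each sector's last 2 bytes in the
    update sequence array and overwrite them with the update sequence number."""
    usa_off, count = struct.unpack_from("<HH", rec, 0x04)
    struct.pack_into("<H", rec, usa_off, usn)
    for i in range(1, count):
        end = i * SECTOR_SIZE - 2                          # 0x1FE, 0x3FE
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, usn)

def undo_fixup(record):
    """What a reader must do: check every sector ends with the USN, then put the
    saved bytes back. A mismatch means the record was only partially written."""
    rec = bytearray(record)
    hdr = parse_record_header(rec)
    usa_off, count, usn = hdr["usa_offset"], hdr["usa_count"], hdr["usn"]
    for i in range(1, count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            raise ValueError("update sequence mismatch in sector %d (torn write or corruption)" % (i - 1))
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def build_sample_record(usn=0x0007):
    """Constructed 1024-byte record: FILE signature, USA at 0x30 with 3 entries, first
    attribute at 0x38 (only the FF FF FF FF end marker), in-use flag set, and recognisable
    bytes at the end of each sector so the fixup substitution is visible."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)            # USA offset, USA word count
    struct.pack_into("<HH", rec, 0x14, 0x38, 0x0001)       # first attribute offset, flags (in use)
    struct.pack_into("<I", rec, 0x1C, RECORD_SIZE)         # allocated record size
    struct.pack_into("<I", rec, 0x38, 0xFFFFFFFF)          # end-of-attributes marker
    rec[0x1FE:0x200] = b"\xAB\xCD"                         # "real" bytes at the sector boundary
    rec[0x3FE:0x400] = b"\x12\x34"                         # "real" bytes at the end of sector 2
    apply_fixup(rec, usn)
    return bytes(rec)

if __name__ == "__main__":
    on_disk = build_sample_record()
    print(parse_record_header(on_disk))
    fixed = undo_fixup(on_disk)
    print(fixed[0x1FE:0x200].hex(), fixed[0x3FE:0x400].hex())   # abcd 1234
```

Any tool that parses MFT records from an image must run undo_fixup first; otherwise the 2 bytes at every sector boundary are the sequence number, not data, and an attribute that straddles 0x1FE will decode wrongly. The same scheme protects INDX records and the $LogFile, with the array at the offset their own headers give.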

Whole disk encryption tools offer the following features that forensics examiners should be aware of

• Preboot authentication, such as a single sign-on password, fingerprint scan, or token (USB device)
• Full or partial disk encryption with secure hibernation, such as activating a password-protected screen saver
• Advanced encryption algorithms, such as Advanced Encryption Standard (AES) and International Data Encryption Algorithm (IDEA)
• Key management function that uses a challenge-and-response method to reset passwords or passphrases

These three commands are available from the MS-DOS command prompt:

• cipher
• copy
• efsrecvr (used to decrypt EFS files)
cipher and efsrecvr work only on NTFS systems running Windows 2000 Professional, XP Professional, Vista Business Edition, and Windows 7 and 8 Professional and Enterprise editions.

