CHS Calculation:
- 1024 \text{ cylinders} \times 32 \text{ heads} \times 63 \text{ sectors} = 2,064,384 \text{ sectors}
- 512 \text{ bytes per sector}
- 1,056,964,608 \text{ or } 1.056 \text{ GB}

4K Sector Size Technology

Data on storage devices (HDDs and SSDs) is formatted into a small logical block called a Sector.
Improves format efficiency
More robust error correction

Many kinds of Physical Interfaces

ATA, SATA, SCSI, SSD

Understanding Solid State Drive (SSD)

SSD: A non-volatile storage device made of NAND flash memory chips for data storage.
Benefits over HDDs include speed and performance.

Solid State Drive (cont’d)

An SSD drive contains neither an actual disk nor a drive motor.

Solid State Drive (cont'd)

Types of SSDs:
- SLC (Single-level cell): 1 bit of data per cell, fastest writing speed, longest service life (P/E Cycle is approximately 50,000 to 100,000).
- MLC (Multi-level cell): 2 bits of data per cell, writing speed < SLC, average service life (P/E Cycle is approximately 3,000 to 10,000).
- TLC (Triple-level cell): 3 bits of data per cell, writing speed < MLC, has less than half of MLC's service life (P/E Cycle is approximately 500 to 1,000).
- QLC (Quad-level cell): 4 bits of data per cell, slowest writing speed, shortest service life, currently under development.

Exploring Microsoft File Structures

In Microsoft file structures, sectors are grouped to form clusters.
Clusters: Storage allocation units of one or more sectors.
Cluster sizes range from 512 bytes up to 32,000 bytes each.

Exploring Microsoft File Structures (cont'd)

FAT Overview
HPFS Overview
NTFS Overview

Disk Partitions

Partition: A logical drive.
Windows OSs can have three primary partitions followed by an extended partition that can contain one or more logical drives.
Primary partition: Stores OS, system area, etc.
Extended partition: Stores data and files stored on the disk.
Master Boot Record (MBR): Offset 0x1BE
Hidden partitions or voids: Large unused gaps between partitions on a disk.
Partition gap: Unused space between partitions.

Disk Partitions (cont'd)

Table of hexadecimal codes in the partition table for different file systems (FAT, NTFS, Linux, etc.).

Disk Partitions (cont'd)

Hexadecimal Conversion Table
- Shows a conversion table between Binary, Decimal, and Hexadecimal values.

Binary Conversion

Binary to Decimal Conversion equation:
- (1 X 128) + (0 X 64) + (1 X 32) + (1 X 16) + (1 X 8) + (1 X 4) + (1 X 2) + (1 X 1) = 128 + 0 + 32 + 16 + 8 + 4 + 2 + 1 = 191
Hex Conversion equation:
- (7 X 4,096) + (13 X 256) + (10 X 16) + (2 X 1) = 28,672 + 3,328 + 160 + 2 = 32,162

WinHex Partition Table Example

Shows a WinHex display of hard disk partitions, including their names, file systems, start sectors, sizes, and attributes.
Lists partition offsets and file system codes.

Examining FAT Disks

File Allocation Table (FAT): File structure database that Microsoft originally designed for floppy disks.
FAT database is typically written to a disk’s outermost track and contains:
- Filenames, directory names, date and time stamps, the starting cluster number, and file attributes.
Three current FAT versions:
- FAT16, FAT32, and exFAT (used by Xbox game systems).

Examining FAT Disks (cont’d)

Cluster sizes vary according to the hard disk size and file system.

Side Effect of FAT Disks

Diagram illustrating file slack space and RAM slack on a FAT disk.

Side effect of FAT Disks (cont’d)

When you run out of room for an allocated cluster, the OS allocates another cluster for your file, which creates more slack space on the disk.

Structure of a FAT Volume

Diagram showing the structure of a FAT volume, including the partition, boot sector, FAT1, FAT2, root folder, and other files.
Differences between the FAT systems
- bytes per cluster within file system, allocation table, cluster limit.

Examining NTFS Disks

NT File System (NTFS): Introduced with Windows NT.
Primary file system for Windows 8.
Improvements over FAT file systems:
- NTFS provides more information about a file.
- NTFS gives more control over files and folders.
NTFS was Microsoft’s move toward a journaling file system.
- It records a transaction before the system carries it out.

Examining NTFS Disks (cont'd)

Diagram showing the structure of an NTFS disk, including the partition boot sector, Master File Table, system files, and file area.

Examining NTFS Disks (cont'd)

The MFT is a relational database that consists of information related to the files and the file attributes.
The rows consist of file records, and the columns consist of file attributes.
It has information on every file on the NTFS volume, including information about itself.
It has 16 records reserved for system files.
For small folders, a standard representation of the Master File Table (MFT) structure, highlighting the standard information, file or directory name, data or index, and unused space.

Examining NTFS Disks (cont'd)

Table of cluster sizes in an NTFS disk based on drive size.
- Includes Drive Size, Sectors per cluster and Cluster size.

Windows File System Comparison Chart

Comprehensive chart comparing FAT12, FAT16, FAT32, FAT64, and NTFS file systems.
- Includes Max Introduced Size, Max File Size, Max Filename Length, and Volume Size

NTFS WinHex Example

Shows a WinHex display of an NTFS file system.

NTFS File System

Table of metadata records in the MFT, including system file names, record positions, and descriptions.
Includes $Mft, $MftMirr, $LogFile, and $Volume.

NTFS File System (cont.)

Table of metadata records in the MFT, including system file names, record positions, and descriptions.
Includes $AttrDef, Root filename index, $Bitmap, $Boot.

NTFS File System Attributes

Table showing attributes in the MFT, including attribute ID and purpose.
Includes $Standard Information, $AttributeList, $FileName, $ObjectID, $SecurityDescriptor.

Examining MFT

Screenshot of AccessData FTK Imager showing the file list of the MFT, including system files such as $MFT, $AttrDef, $BadClus, and $Bitmap.

MFT Structures for FileData

For the header of all MFT records, the record fields of interest are as follows:
- At offset 0x00 - the MFT record identifier FILE
- At offset 0x1C to 0x1F - size of the MFT record
- At offset 0x14 - length of the header (indicates where the next attribute starts)
- At offset 0x32 and 0x33 - the update sequence array, which stores the last 2 bytes of the first sector of the MFT record

MFT Structures for File Data (cont'd)

Shows an example of an MFT header with annotations for the MFT record identifier, length of the MFT record header, and size of the entire MFT record.
Highlights the update sequence array.

MFT and File Attributes

Illustrates a nonresident file in an MFT record with annotations.

MFT and File Attributes (cont'd)

Shows data run components with annotations for the starting position of each data run, end of the data run marker, and checksum for the first sector.

MFT and File Attributes (cont'd)

Explains the structure of the first data run with an LCN address, including the starting LCN address, bytes needed to store the number of clusters assigned to this data run, and the number of clusters assigned to this data run.

NTFS Alternate DataStreams

Alternate data streams: Ways data can be appended to existing files.
Can obscure valuable evidentiary data, intentionally or by coincidence.
In NTFS, an alternate data stream becomes an additional file attribute.

More About NTFSFiles

NTFS provides compression similar to FAT DriveSpace 3 (a Windows 98 compression utility).
Encrypting File System (EFS): Introduced with Windows 2000.
- Implements a public key and private key method of encrypting files, folders, or disk volumes.

Resilient File System

Resilient File System (ReFS)
- Microsoft newest file system
- Designed to maximize data availability
- Scale efficiently to large data sets across diverse workloads
- Provide data integrity

Disk Encryption

Whole Disk Encryption
- Disk encryption software
- Disk encryption hardware
  - Preboot authentication
  - Full or partial disk encryption with secure hibernation
  - Advanced encryption algorithms
  - Key management function

Disk Encryption (cont'd)

Illustrates symmetric and asymmetric encryption algorithms.

Disk Encryption (cont'd)

Shows an example of Device encryption on windows.

Disk Encryption (cont'd)

Shows an example of BitLocker Drive Encryption tool on windows.

Examining Third-PartyDisk Encryption Tools

Some available third-party WDE utilities:
- Endpoint Encryption
- VoltageSecureFile
- Jetico BestCrypt Volume Encryption

Examining Third-Party Disk Encryption Tools (Cont'd)

Trusted Private Key
- Shared parameters (TPG) Server
  - Alice
  - Bob
    Bob gets private key from TPG server
  - Encrypted email

Microsoft WindowsRegistry

Registry: A database that stores hardware and software configuration information, network connections, user preferences, and setup information.
Tools with built-in or add-on Registry viewers:
- X-Ways Forensics
- OSForensics
- Forensic Explorer
- FTK Imager

Microsoft Windows Registry (Cont'd)

Hives
- HKEYCLASSESROOT
- HKEYCURRENTUSER
- HKEYLOCALMACHINE
- HKEY_USERS
- HKEYCURRENTCONFIG

Microsoft Windows Registry (Cont'd)

Illustrates registry keys, subkeys, data types, and data values.

Microsoft Windows Log Files

Shows an example of primary Windows log files viewable on computer management.

Microsoft Windows Applications and Processes

Shows an example of Windows Task Manager.

Startup in Windows NT and Later

Startup Files for WindowsVista:
- The Ntldr program in Windows XP used to load the OS has been replaced with these three boot utilities:
  - Bootmgr.exe
  - Winload.exe
  - Winresume.exe

Startup in Windows NT and Later (cont’d)

Contamination Concerns with Windows XP
- When you start a Windows XP NTFS workstation, several files are accessed immediately
- Destroys any potential evidence

Understanding Virtual Machines

Virtual machines
In digital forensics
- Virtual machines make it possible to restore a suspect drive on your virtual machine
- And run nonstandard software the suspect might have loaded
From a network forensics standpoint, you need to be aware of some potential issues, such as:
- A virtual machine used to attack another system or network

Collecting Volatile and Non-Volatile Information on Windows OS

Coding

Collecting Volatile Information: System Time

date command
- C:/>date.cmd
- C:/>date /t
- C:/>date
- C:/>echo %date%
time command
- C:/>time /t
- C:/>time
- C:/>echo %time%
- C:/>echo %date%-%time%

Collecting Volatile Information: Logged-on users

You can determine who is using resources on your local computer with the "net" command ("net session"), but, there is no built-in way to determine who is using the resources of a remote computer.
- PsLoggedOn is an applet that displays both the locally logged-on users and users logged on via resources for either the local computer or a remote one.
- net session [\\<ComputerName>] [/delete] [/list]
- net file [ID [/close]]

Collecting Volatile Information: Windows Crash Dump

The windows crash dump file includes the content of a computer’s memory when the crash happens, so it shows information about stop messages, loaded drives and processor
- Checking crash dumps are important for investigators to check internal error or a remote attacker
- DumpChk (the Microsoft Crash Dump File Checker tool) is a program that performs a quick analysis of a crash dump file. This tool enables you to see summary information about what the dump file contains. You can use DumpChk to find dump files that are corrupt and can't be opened by a debugger.
  - DumpChk [-y SymbolPath] DumpFile

Collecting Volatile Information: Logged-on users

logonsessions command lists all currently active logon sessions, where you can specify processes running with –p option

Collecting Volatile Information: Network Data

netstat [-a] [-b] [-e] [-n] [-o] [-p <Protocol>] [- r] [-s] [<interval>]
- Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, this command displays active TCP connections.
- netstat -e –s
  - Display statistics for both the Ethernet and all protocols
- netstat -s -p tcp udp
  - Display statistics for TCP and UDP protocols
- Netstat –o 10
  - Display active TCP connections and process IDs every 10 sec

Collecting Volatile Information: Process Data

Pslist displays information about all the processes.
- Provides a table describing various parameters for pslist and their descriptions.

Collecting Volatile Information: Process Data

listdlls [-r] [-v | -u] [processname|pid] listdlls [-r] [-v] [-d dllname]
handle [[-a [-l]] [-v|-vt] [-u] | [-c <handle> [-y]] | [-s]] [-p <process>|<pid>] [name]
tasklist [/s <computer> [/u [<domain>][<username> [/p <password>]]]] [{/m <module> | /svc | /v}] [/fo {table | list | csv}] [/nh] [/fi <filter> [/fi <filter> [ ... ]]]
tasklist /s srvmain: list processes on the remote computer using logged-on user account

Collecting Volatile Information: Network Status

ipconfig [/allcompartments] [/all] [/renew [<adapter>]] [/release [<adapter>]] [/renew6[<adapter>]] [/release6 [<adapter>]] [/flushdns] [/displaydns] [/registerdns] [/showclassid <adapter>]
- Display all current TCP/IP network configuration values and refreshes DHCP and DNS settings
- Ipconfig
  - Display the basic TCP/IP configuration for all adapters
- Ipconfig /all
  - Display full TCP/IP configuration for all adapters
- Ipconfig /renew Local Area Connection
- Ipconfig /flishdns
- Ipconfig /showclassid Local*
- ipconfig /setclassid Local Area Connection TEST

Collecting Volatile Information: Network Status

PromiscDetect promiscdetect.exe
- Checks if your network adapter is in promiscuous mode or not, if a sniffer is running on the computer
Promqry
- Detects network interfaces running in promiscuous mode

Collecting Volatile Information: Command History and Shared Information

Doskey [/history]
- Recalls previously entered command-line commands in cmd
  - E.g. C:/>WINDOWS/system32>doskey /history
net share
- Manages shared resources
  - Displays information about all shared resources on the local computer
  - e.g. net share list=“c:\photos list”

Volatility Framework

The Volatility framework is a powerful open-source tool that supports memory analysis for Windows, Linux, and MacOS. It is written in Python and is available under the GNU General Public License.
- It extracts digital artifacts from RAM independently and provides various types of analysis, such as process listing, network connections, and registry hives.
- However, investigators can acquire RAM dumps from the computing using FTK Imager and Belkasoft RAM Capturer.

Volatility Framework

In order to process RAM dump analysis using Volatility,
- first need to find the dump profile using, and then specify the OS profile,
- and the plist plugin to check the processes
- and pstree plugin to show the parent process with the child processes running under that
- Finally, you can use malfind in order to find malicious intention
  - volatility.exe –f <imagefile> imageinfo
  - Volatility.exe –f <imgefile> --profile=<OS Profile> plist
  - Volatility.exe –f <imgefile> --profile=<OS Profile> pstree
  - Volatility.exe –f <imgefile> --profile=<OS Profile> malfind –p <Pid number>

Collecting Non-Volatile Information: File Systems

dir [<drive>:][<path>][<filename>] [...] [/p] [/q] [/w] [/d] [/a[[:]<attributes>]][/o[[:]<sortorder>]] [/t[[:]<timefield>]] [/s] [/b] [/l] [/n] [/x] [/c] [/4] [/r]
dir /s/w/o/p/a:-d lists the root directory, subdirectories, and files in the root directory, including extensions
dir /o:d examine the date and time of the OS installation

Collecting Non-Volatile Information: .edb Files

Example for ESE Databases:
- contacts.edb: stores contacts information in Microsoft live products
- WLCalendarStore.edb: stores calendar information in MWLM
- Mail.MSMessageStore: stores messages in MWLM
- Windows.edb: stores index information by Win OS
C:\Windows\SoftwareDistribution\DataStore \DataStore.edb

Collecting Non-Volatile Information: .edb Files

Forensic investigators need to extract data relating to deleted, tampered, or encrypted files, etc., which can be found underC:\ProgramData\Microsoft\Search\Data\Applications\Windows

Collecting Non-Volatile Information: Connected Devices

devcon listclass <class> <port> can display detailed information about devices on computers running Windows. You can also use DevCon to enable, disable, install, configure, and remove devices.
DriveLetterview

DFIR: Memory Forensics Analysis Tools

MemProcFS is one of the powerful tools for advanced memory forensics which allows to mounts raw memory images as virtual file systems. (https://github.com/ufrisk/MemProcFS)
- MemProcFS.exe –device <path of memory dump file> -forensic 1
- All artifacts will be saved under directory M:\
You can perform remote memory analysis using MemProcFS by
- 1: Leechagent.exe –remoteinstall <remote machine>
- 2: Memprocfs.exe –device <memory acquisition device> - remote <protocol>://<authentication>:<hostname> - remotefs –mount <drivename>

DFIR: Memory Forensics Analysis Tools

Velociraptor is a powerful tool for memory forensics analysis for digital forensics and incident response (DFIR), where it extracts volatile system states such as running processes and identifies malicious activities. (https://docs.velociraptor.app/docs/forensic/)
- It allows direct access to process memory and supports YARA rules for scanning.
- It uses “pslist()” to obtain suspicious processes
- Run the following velociraptor query language (VQL) to identify running elevated commands shells SELECT * FROM pslist() WHERE TokenIsElevated

Collecting Non-Volatile Information: Others

Slack spaces
Hidden Files
Hidden Partitions
Temporary Files
History Files
Cookies
Metadata
….

Summary

When booting a suspect’s computer, using boot media, such as forensic boot CDs or USB drives, you must ensure that disk evidence isn’t altered.
The Master Boot Record (MBR) stores information about partitions on a disk.
To find a hard disk’s capacity, use the cylinders, heads, and sectors (CHS) calculation.
NTFS is more versatile because it uses the Master File Table (MFT) to track file information.
Records in the MFT contain attribute IDs that store metadata about files.
In NTFS, alternate data streams can obscure information that might be of evidentiary value.

Summary

File slack, RAM slack, and drive slack are areas in which valuable information can reside on a drive.
NTFS can encrypt data with EFS and BitLocker.
NTFS can compress files, folders, or volumes.
Windows Registry keeps a record of attached hardware, user preferences, network connections, and installed software.
Virtualization software enables you to run other OSs on a host computer.

Note