File System: Gives an OS a road map to data on a disk.
The type of file system an OS uses determines how data is stored on the disk.
When you need to access a suspect’s computer to acquire or inspect data related to your investigation, you should be familiar with both the computer’s OS and file system so that you can access and modify system settings when necessary.
To ensure that you don’t contaminate or alter data on a suspect’s system, you must know how to access and modify Complementary Metal Oxide Semiconductor (CMOS), BIOS, Extensible Firmware Interface (EFI), and Unified Extensible Firmware Interface (UEFI) settings.
A computer stores system configuration and date and time information in the CMOS when power to the system is off.
The system BIOS or EFI contains programs that perform input and output at the hardware level.
BIOS is designed for x86 computers and is typically used on disk drives with Master Boot Records (MBRs).
EFI was designed for newer (Itanium and then x64) computers and boots from GUID Partition Table (GPT)-formatted disks.
Intel developed EFI; its successor, UEFI, is maintained by the UEFI Forum (an industry group that includes Intel) and defines the interface between a computer's firmware and the OS, replacing the legacy BIOS interface.
Bootstrap Process: The firmware's startup sequence that locates the OS loader, loads it into memory, and hands control to it.
Geometry: Refers to a disk’s logical structure of platters, tracks, and sectors.
Head: The device that reads and writes data to a drive.
Tracks: Concentric circles on a disk platter where data is located.
Cylinder: A column of tracks on two or more disk platters.
Sector: A section of a track, usually 512 bytes (4,096 bytes on newer Advanced Format drives).
Zone Bit Recording (ZBR): The way most manufacturers deal with a platter's inner tracks having a smaller circumference (and therefore less room for data) than its outer tracks: tracks are grouped into zones, and outer zones hold more sectors per track.
Track density: How closely tracks are packed on a platter, determined by the spacing between adjacent tracks.
Areal density: The number of bits stored in one square inch of a disk platter.
Head and cylinder skew: Offsets applied to the starting sector of adjacent tracks and cylinders so that, after a head switch or a move to the next cylinder, the next sector arrives under the head without waiting a full rotation; used to improve disk performance.
Flash memory storage devices used in USB drives, laptops, tablets, and cell phones can be a challenge for digital forensics examiners because if deleted data isn't recovered immediately, it might be lost forever.
The reason is a feature of flash memory devices: wear-leveling.
When data is deleted on a hard drive, only the references to it are removed, which leaves the original data in unallocated disk space.
USB drives and other solid-state storage are different: the drive's controller continuously moves data at the physical level to cells that have seen fewer program/erase cycles.
The purpose of shifting data from one memory cell to another is to make sure all memory cells on the flash device wear evenly.
Memory cells are rated for only about 10,000 to 100,000 program/erase cycles, depending on the manufacturer's design.
When they reach their defined limits, they can no longer retain data reliably, and when enough cells fail the device stops responding; attempting to connect to it produces an access failure message.
When data is moved to another memory cell, the old cells are marked stale and handed to the controller's garbage-collection routine, which erases them in the background (and, on drives that support TRIM, soon after the OS reports the file deleted).
When dealing with solid-state devices, making a full forensic copy as soon as possible is crucial, because data sitting in unallocated space can be erased by the controller at any time, whether or not the examiner has touched the device.
Clusters: Storage allocation units of one or more sectors. They typically range from 512 bytes up to 32 KB each.
Clusters are numbered sequentially, starting at 0 in NTFS and 2 in FAT.
The first sector of a disk holds the master boot record (boot code and the partition table); each partition then begins with its own system area, containing the volume boot record and the file structure database that describes the volume.
Logical Addresses: Cluster numbers.
Physical Addresses: Sector numbers.
Partition: A logical drive.
Partition Gap: The unused space between partitions.
| Hexadecimal code | File system |
|---|---|
| 01 | DOS 12-bit FAT (floppy disks) |
| 04 | DOS 16-bit FAT for partitions smaller than 32 MB |
| 05 | Extended partition |
| 06 | DOS 16-bit FAT for partitions larger than 32 MB |
| 07 | NTFS and exFAT |
| 08 | AIX bootable partition |
| 09 | AIX data partition |
| 0B | DOS 32-bit FAT (FAT32) |
| 0C | DOS 32-bit FAT with Logical Block Address (LBA) access through interrupt 13h extensions |
| 0F | Extended partition with LBA |
| 17 | Hidden NTFS partition (XP and earlier) |
| 1B | Hidden FAT32 partition |
| 1E | Hidden VFAT partition |
| 3C | PartitionMagic recovery partition |
| 66–69 | Novell partitions |
| 81 | Linux |
| 82 | Linux swap partition (also used for Solaris partitions) |
| 83 | Linux native file systems (Ext2, Ext3, Ext4, Reiser, Xiafs) |
| 86 | FAT16 volume/stripe set (Windows NT) |
| 87 | High Performance File System (HPFS) fault-tolerant mirrored partition or NTFS volume/stripe set |
| A5 | FreeBSD and BSD/386 |
| A6 | OpenBSD |
| A9 | NetBSD |
| C7 | Typical of a corrupted NTFS volume/stripe set |
| EB | BeOS |
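Added example (my own code, not from the textbook these notes summarize): a parser for the MBR partition table in sector 0 that decodes each 16-byte entry, looks the type code up in the table above, and reports the partition gaps defined further down. The type code 0xEE is not in the table above; it is added because a GPT disk carries a single "protective" MBR entry of that type. The sample MBR is constructed inline, not taken from a real disk.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55

# Type codes from the table above. 0xEE is an addition: the protective entry on a GPT disk.
PARTITION_TYPES = {
    0x01: "DOS 12-bit FAT", 0x04: "DOS 16-bit FAT (<32 MB)", 0x05: "Extended partition",
    0x06: "DOS 16-bit FAT (>32 MB)", 0x07: "NTFS or exFAT", 0x0B: "DOS 32-bit FAT",
    0x0C: "DOS 32-bit FAT (LBA)", 0x0F: "Extended partition (LBA)", 0x17: "Hidden NTFS",
    0x1B: "Hidden FAT32", 0x82: "Linux swap / Solaris", 0x83: "Linux native",
    0xA5: "FreeBSD", 0xA6: "OpenBSD", 0xA9: "NetBSD", 0xEE: "GPT protective MBR",
}

def parse_mbr(sector0):
    """Return the non-empty entries of the four-slot partition table in sector 0."""
    if len(sector0) < SECTOR:
        raise ValueError("need the full 512-byte first sector")
    (sig,) = struct.unpack_from("<H", sector0, 510)
    if sig != MBR_SIGNATURE:
        raise ValueError("bad MBR signature 0x%04X (not an MBR, or a wiped one)" % sig)
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot                      # table follows 446 bytes of boot code
        (status, s_head, s_sec, s_cyl, ptype,
         _eh, _es, _ec, lba_start, count) = struct.unpack_from("<8BII", sector0, off)
        if ptype == 0:
            continue                               # empty slot
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,      # inclusive
            "size_mib": count * SECTOR / 2**20,
            # CHS start: sector is the low 6 bits; the top 2 bits extend the cylinder byte
            "chs_start": (((s_sec & 0xC0) << 2) | s_cyl, s_head, s_sec & 0x3F),
        })
    return entries

def partition_gaps(entries):
    """Unused sector ranges between partitions, as (first_lba, length) pairs."""
    gaps = []
    next_free = 1                                  # sector 0 is the MBR itself
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] > next_free:
            gaps.append((next_free, e["lba_start"] - next_free))
        next_free = max(next_free, e["lba_end"] + 1)
    return gaps

def _entry(status, ptype, lba_start, count):
    # CHS fields left zero: modern systems rely on the LBA fields.
    return struct.pack("<8BII", status, 0, 0, 0, ptype, 0, 0, 0, lba_start, count)

# Constructed sample MBR (not from a real disk): a bootable NTFS partition, a Linux
# partition after a 2048-sector gap, a FAT32 partition directly after Linux, one empty slot.
SAMPLE_MBR = (
    b"\x00" * 446
    + _entry(0x80, 0x07, 2048, 204800)
    + _entry(0x00, 0x83, 208896, 409600)
    + _entry(0x00, 0x0B, 618496, 102400)
    + b"\x00" * 16
    + struct.pack("<H", MBR_SIGNATURE)
)

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print("slot %d %-24s LBA %d-%d (%.0f MiB)%s" % (
            p["slot"], p["type_name"], p["lba_start"], p["lba_end"],
            p["size_mib"], "  [boot]" if p["bootable"] else ""))
    print("gaps:", partition_gaps(parse_mbr(SAMPLE_MBR)))
```

Run it against the first 512 bytes of an image (`parse_mbr(open(img, "rb").read(512))`); a gap of several thousand sectors between partitions is exactly the kind of space worth carving.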
File Allocation Table (FAT): The file structure database that Microsoft designed for floppy disks.
It’s used to organize files on a disk so that the OS can find the files it needs.
FAT12: This version is used specifically for floppy disks, so it has a limited amount of storage space. It was originally designed for MS-DOS 1.0, the first Microsoft OS, and used for floppy disk drives and drives up to 16 MB.
FAT16: It supports disk partitions with a maximum storage capacity of 4 GB (with 64 KB clusters under Windows NT; 2 GB with 32 KB clusters under MS-DOS and Windows 9x). Developed by Microsoft to handle larger disks, it is found on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95, and Windows NT 3.5 and 4.0.
FAT32: When disk technology improved and disks larger than 2 GB were developed, Microsoft released FAT32 (with Windows 95 OSR2), which can address larger drives.
exFAT: Developed for mobile personal storage devices, such as flash memory devices, Secure Digital eXtended Capacity (SDXC) cards, and memory sticks. The exFAT file system can store very large files, such as digital images, video, and audio files.
VFAT: Developed to handle files with names longer than FAT's eight-character filename and three-character extension; introduced with Windows 95.
Drive Slack: The unused space in a file's last cluster, from the end of the file's content to the end of the cluster; it is the sum of RAM slack and file slack.
RAM Slack: The unused portion of the last sector the file's data occupies (from the end of the data to the end of that sector); older DOS versions padded it with whatever happened to be in RAM, hence the name, while modern Windows zero-fills it.
File Slack: The sectors in the last assigned cluster that the file's data doesn't reach at all; they still hold whatever a previous file left there.
Unallocated Disk Space: Clusters not currently assigned to any file; the contents of deleted files remain here until the clusters are reused.
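Added example (my own code, not from the textbook these notes summarize): the slack arithmetic for a file of a given size, including the edge cases where the data ends exactly on a sector or cluster boundary, plus a helper that turns a file's last logical cluster number into the byte range of an image that holds the slack. It assumes the data lives in clusters (a FAT file, or an NTFS file too large to be resident in its MFT record); resident NTFS data has no cluster slack.

```python
SECTOR_SIZE = 512

def slack(file_size, cluster_size, sector_size=SECTOR_SIZE):
    """Break down how a file's last cluster is used (all values in bytes)."""
    if cluster_size <= 0 or cluster_size % sector_size:
        raise ValueError("cluster size must be a positive multiple of the sector size")
    if file_size <= 0:
        # Nothing allocated, so nothing to recover from slack.
        return {"clusters": 0, "sectors_written": 0,
                "ram_slack": 0, "file_slack": 0, "drive_slack": 0}
    clusters = -(-file_size // cluster_size)          # ceiling division
    sectors_written = -(-file_size // sector_size)    # sectors the OS actually wrote
    # RAM slack: tail of the last written sector (zero-filled by modern Windows).
    ram_slack = sectors_written * sector_size - file_size
    # File slack: whole sectors of the last cluster never written for this file;
    # they still contain whatever the cluster's previous occupant left behind.
    file_slack = clusters * cluster_size - sectors_written * sector_size
    return {"clusters": clusters, "sectors_written": sectors_written,
            "ram_slack": ram_slack, "file_slack": file_slack,
            "drive_slack": ram_slack + file_slack}

def slack_offsets(file_size, cluster_size, last_cluster_lcn,
                  sector_size=SECTOR_SIZE, volume_offset=0):
    """Byte range [start, end) in the image holding the file's drive slack.

    Converts the logical address (LCN of the file's last cluster) into a physical
    byte offset; volume_offset is where the volume starts within the image.
    """
    s = slack(file_size, cluster_size, sector_size)
    cluster_start = volume_offset + last_cluster_lcn * cluster_size
    used_in_last = cluster_size - s["drive_slack"]
    return cluster_start + used_in_last, cluster_start + cluster_size

if __name__ == "__main__":
    # 5,000-byte file in 4 KB clusters: 2 clusters, 10 sectors written,
    # 120 bytes of RAM slack, 3,072 bytes (6 sectors) of file slack.
    print(slack(5000, 4096))
    print(slack_offsets(5000, 4096, last_cluster_lcn=100))
```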
NT File System (NTFS) was introduced when Microsoft created Windows NT and is still the main file system in Windows 10.
The NTFS design was partially based on, and incorporated many features from, Microsoft’s project for IBM with the OS/2 operating system; in this OS, the file system was High Performance File System (HPFS).
NTFS offers substantial improvements over FAT file systems. It provides more information about a file, including security features, file ownership, and other file attributes.
NTFS was Microsoft’s move toward a journaling file system. The system keeps track of transactions such as file deleting or saving.
Partition Boot Sector: The first data set on an NTFS disk.
Master File Table (MFT): The first file on an NTFS disk ($Mft, record 0). It is created when the partition is formatted as an NTFS volume, and NTFS reserves about 12.5% of the volume (the MFT zone) for it to grow into.
Unicode: An international data format.
It uses an 8-bit (UTF-8), 16-bit (UTF-16) or a 32-bit (UTF-32) configuration.
For the 128 characters of the ASCII range, the UTF-8 encoding is byte-for-byte identical to ASCII; NTFS filenames, by contrast, are stored in UTF-16.
Metadata: Records in the MFT that describe the volume's own system files; record positions 0–15 are reserved for them, as listed below.
| Filename | System file | Record position | Description |
|---|---|---|---|
| $Mft | MFT | 0 | Base file record for each file and folder on the NTFS volume; additional MFT records are allocated if a file needs more space. |
| $MftMirr | MFT mirror | 1 | A copy of the first four records of the MFT, kept so the volume can be recovered if the start of the MFT is damaged. |
| $LogFile | Log file | 2 | Transaction log used to recover the NTFS volume after a system failure. |
| $Volume | Volume | 3 | Information specific to the volume, such as label and version. |
| $AttrDef | Attribute definitions | 4 | A table listing attribute names, numbers, and definitions. |
| . | Root filename index | 5 | The root folder of the NTFS volume. |
| $Bitmap | Cluster bitmap | 6 | A map of the NTFS partition showing which clusters are in use and which are available. |
| $Boot | Boot sector | 7 | Used to mount the NTFS volume during the bootstrap process; contains additional boot code if it's the system's boot drive. |
| $BadClus | Bad cluster file | 8 | Records clusters that have unrecoverable errors. |
| $Secure | Security file | 9 | Unique security descriptors shared by files on the volume. |
| $UpCase | Upcase table | 10 | Converts lowercase characters to uppercase Unicode characters for the NTFS volume. |
| $Extend | NTFS extension file | 11 | Folder holding optional extensions, such as quotas ($Quota), object identifiers ($ObjId), and reparse point data ($Reparse). |
| | Reserved | 12–15 | Reserved for future use. |
Attribute ID: The type code in an attribute's header that identifies what kind of attribute it is; the standard types are listed below.
File or folder information is stored in an MFT record in one of two ways: resident or nonresident.
Resident attribute: The attribute's content (for small files, the file data itself) is stored entirely inside the MFT record.
Nonresident attribute: The content is stored in clusters outside the MFT record; the record holds only a run list (data runs) pointing to those clusters.
Logical Cluster Numbers (LCNs): Clusters numbered sequentially from the beginning of the disk partition, starting at 0.
LCNs are the addresses the MFT uses to locate nonresident data on the partition.
Virtual Cluster Numbers (VCNs): The clusters of a single file, numbered sequentially from 0. When data is first written to a nonresident file, the data runs in its 0x80 ($DATA) attribute map each range of VCNs to the LCNs actually allocated, so a fragmented file is a list of (starting LCN, length) pairs.
| Attribute ID | Name | Purpose |
|---|---|---|
| 0x10 | $STANDARD_INFORMATION | File creation, modification, MFT-change, and access dates and times, plus the DOS file attribute flags (read-only, hidden, system, archive). |
| 0x20 | $ATTRIBUTE_LIST | When a file's attributes don't all fit in one MFT record, lists each attribute and the record where it's located. |
| 0x30 | $FILE_NAME | The long and short names for a file; up to 255 Unicode characters for long filenames. |
| 0x40 | $OBJECT_ID | A volume-unique GUID identifying the file. Not all files have one. |
| 0x50 | $SECURITY_DESCRIPTOR | Ownership and the access control list (ACL) for the file or folder. |
| 0x60 | $VOLUME_NAME | The volume label; present only in the $Volume system file. |
| 0x70 | $VOLUME_INFORMATION | The NTFS version and state (such as the dirty flag) of the volume. |
| 0x80 | $DATA | File data for resident files or data runs for nonresident files. A file can have more than one $DATA attribute (alternate data streams). |
| 0x90 | $INDEX_ROOT | Root of a B-tree index; implemented for folders and other indexes. |
| 0xA0 | $INDEX_ALLOCATION | Nonresident index buffers for folders and indexes too large for $INDEX_ROOT. |
| 0xB0 | $BITMAP | A bitmap showing which entries are in use, such as which MFT records are allocated (in $Mft) or which index buffers are in use (in a folder). |
| 0xC0 | $REPARSE_POINT | Used for volume mount points, junctions, and symbolic links, and by Installable File System (IFS) filter drivers. |
| 0xD0 | $EA_INFORMATION | Extended attribute information, for use with OS/2 HPFS. |
| 0xE0 | $EA | Extended attributes, for use with OS/2 HPFS. |
| 0x100 | $LOGGED_UTILITY_STREAM | Used by Encrypting File System (EFS) in Windows 2000 and later to store a file's encryption metadata. |
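Added example (my own code, not from the textbook these notes summarize): a decoder for the run list stored in a nonresident 0x80 attribute, which is how the VCN-to-LCN mapping described above is actually encoded. Each run starts with a header byte whose low nibble gives the size of the length field and whose high nibble gives the size of the offset field; the offset is a signed delta from the previous run's starting LCN, and an offset size of 0 marks a sparse run with no clusters allocated. The sample run lists are constructed, not taken from a real volume.

```python
def decode_runlist(data):
    """Decode an NTFS run list into [(lcn, length), ...]; lcn is None for sparse runs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(data):
        header = data[pos]
        pos += 1
        if header == 0:
            return runs                                 # 0x00 terminates the list
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError("malformed run header 0x%02X at offset %d" % (header, pos - 1))
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))                 # sparse run: no clusters allocated
        else:
            # The offset is a signed delta relative to the previous run's starting LCN,
            # so a fragment located earlier on the volume has a negative offset.
            lcn += int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
            if lcn < 0:
                raise ValueError("run list points before the start of the volume")
            runs.append((lcn, length))
    raise ValueError("run list not terminated")

def vcn_to_lcn(runs, vcn):
    """Map a file-relative VCN to the volume LCN holding it (None if that VCN is sparse)."""
    base = 0
    for lcn, length in runs:
        if vcn < base + length:
            return None if lcn is None else lcn + (vcn - base)
        base += length
    raise IndexError("VCN %d is beyond the file's %d clusters" % (vcn, base))

def total_clusters(runs):
    return sum(length for _, length in runs)

# Constructed run lists (not from a real volume).
# Three fragments; each header's high nibble says the offset occupies 3 bytes:
FRAGMENTED = bytes.fromhex("31 38 73 25 34  32 14 01 E5 11 02  31 42 AA 00 03  00")
# A run that jumps backwards (0xF0 = -16 clusters), then a 4-cluster sparse run:
BACKWARD_AND_SPARSE = bytes.fromhex("11 08 40  11 08 F0  01 04  00")

if __name__ == "__main__":
    for name, raw in (("fragmented", FRAGMENTED), ("backward+sparse", BACKWARD_AND_SPARSE)):
        runs = decode_runlist(raw)
        print(name, runs, "total clusters:", total_clusters(runs))
```

To carve a nonresident file by hand, multiply each run's LCN by the cluster size, add the volume's byte offset in the image, and read `length * cluster_size` bytes; the runs are laid out in VCN order, so concatenating them in list order rebuilds the file.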
Alternate Data Streams: Additional $DATA attributes attached to an existing file (referred to as filename:streamname); their contents are not counted in the file's displayed size and are not shown by ordinary directory listings.
When you’re examining a disk, be aware that alternate data streams can obscure valuable evidentiary data, intentionally or by coincidence.
To improve data storage on disk drives, NTFS provides compression similar to FAT DriveSpace 3, a Windows 98 compression utility.
With NTFS, you can compress files, folders, or entire volumes. With FAT16, you can compress only a volume.
During an investigation, typically you work from an image of a compressed disk, folder, or file.
Most forensics tools can uncompress and analyze compressed Windows data, including data compressed with the Lempel-Ziv-Huffman (LZH) algorithm and in formats such as PKZip, WinZip, and GNU gzip. RAR archives are an exception that not every tool handles.
Encrypting File System (EFS): added by Microsoft as optional built-in encryption to NTFS when they introduced Windows 2000.
EFS uses public key and private key methods of encrypting files, folders, or disk volumes (partitions).
When EFS is used in Windows 2000 and later, a recovery certificate is generated and sent to the local Windows administrator account.
The purpose of the recovery certificate is to provide a mechanism for recovering files encrypted with EFS if there’s a problem with the user’s original private key.
The recovery key is stored in one of two places.
When a network user initiates EFS, the recovery key is sent to the local domain server’s administrator account.
On a stand-alone workstation, the recovery key is sent to the local administrator account.
The recovery agent (the account holding the recovery certificate, by default the administrator) can use that certificate to decrypt files when the user's own key is unavailable.
Windows administrators can recover a key in two ways:
Through Windows; or
From a command prompt.
These two commands are available from a command prompt: cipher and copy.
Encrypted files aren't part of the FAT12, FAT16, or FAT32 file systems, so the cipher command works only on NTFS volumes on Windows 2000 Professional or later.
The copy command, however, works on both FAT and NTFS; copying an EFS-encrypted file to a FAT volume writes it decrypted, which is why the account doing the copying must hold a key that can open the file.
To recover an encrypted EFS file, a user can e-mail it or copy the file to the administrator, who can then run the Recovery Key Agent function to restore the file.
When you delete a file in Windows or File Explorer, you can restore it from the Recycle Bin. The OS takes the following steps when you delete a file or a folder in Windows or File Explorer:
Windows changes the filename and moves the file to a subdirectory with a unique identity in the Recycle Bin.
Windows stores information about the original path and filename in the Info2 file, the control file for the Recycle Bin on Windows XP and earlier. It contains ASCII data, Unicode data, and the date and time of deletion for each file or folder. (Windows Vista and later replaced Info2 with a pair of files per deleted item in $Recycle.Bin: $I<id> holds the original path, size, and deletion time, and $R<id> holds the content.)
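Added example (my own code, not from the textbook these notes summarize): a parser for the Windows 2000/XP Info2 file described above, using the commonly documented layout (20-byte header, then 800-byte records: 260 bytes of ASCII path, record index, drive number, FILETIME of deletion, size, and 520 bytes of UTF-16 path). It also reconstructs the D<drive><index>.<ext> name the file was given in the Recycle Bin, and flags records whose first ASCII byte was zeroed when the item was restored or purged. The FILETIME helper applies equally to the timestamps in $STANDARD_INFORMATION. The sample Info2 data is constructed inline, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

HEADER_SIZE = 20       # version, kept-entry count, total-entry count, record size, size sum
RECORD_SIZE = 800      # Info2 version 5 (Windows 2000/XP): ASCII plus Unicode names
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def recycle_name(drive, index, original_path):
    # Windows 2000/XP renamed the file to D<drive letter><record index><original extension>.
    return "D%s%d%s" % (chr(ord("a") + drive), index, PureWindowsPath(original_path).suffix)

def parse_info2(data):
    version, _kept, _total, rec_size, _size_sum = struct.unpack_from("<IIIII", data, 0)
    if rec_size != RECORD_SIZE:
        raise ValueError("unsupported Info2 version %d (record size %d)" % (version, rec_size))
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        ascii_name = rec[:260]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        unicode_name = rec[280:800].decode("utf-16-le").split("\0", 1)[0]
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive) + ":",      # drive number 0 = A:, 2 = C:
            "original_path": unicode_name or ascii_name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "deleted": filetime_to_datetime(ft),
            "size": size,
            "recycle_name": recycle_name(drive, index, unicode_name),
            # First ASCII byte is zeroed when the item is restored or permanently
            # deleted; the rest of the record (including the Unicode path) stays on disk.
            "active": ascii_name[0] != 0,
        })
    return records

def _record(path, index, drive, deleted_utc, size, active=True):
    ascii_name = path.encode("ascii").ljust(260, b"\0")
    if not active:
        ascii_name = b"\0" + ascii_name[1:]
    return (ascii_name
            + struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_utc), size)
            + path.encode("utf-16-le").ljust(520, b"\0"))

# Constructed sample (not a real Info2 file): one live entry and one restored/purged entry.
_recs = [
    _record(r"C:\Documents and Settings\bob\Desktop\payroll.xls", 3, 2,
            datetime(2009, 6, 15, 12, 34, 56, tzinfo=timezone.utc), 45056),
    _record(r"D:\share\notes.txt", 7, 3,
            datetime(2009, 6, 16, 8, 0, 0, tzinfo=timezone.utc), 4096, active=False),
]
SAMPLE_INFO2 = struct.pack("<IIIII", 5, 1, 2, RECORD_SIZE, 45056 + 4096) + b"".join(_recs)

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print("%-8s %-20s %s  %s" % (r["recycle_name"], r["deleted"].isoformat(),
                                     "active " if r["active"] else "purged ", r["original_path"]))
```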
NTFS files deleted at a command prompt are handled much like FAT files. The OS performs the following tasks:
The associated clusters are designated as free, that is, marked as available for new data, by clearing their bits in the $Bitmap file.
The file's record in the MFT is marked as available by clearing the in-use flag in the record header; the record's contents, including any resident data, remain until the record is reused.
The run list of VCN/LCN cluster locations for a nonresident file stays in the MFT record until the record is reused, which is what lets recovery tools rebuild a deleted file from its MFT entry.
Once that MFT record is overwritten, the link between the file and its clusters is lost, and the data can be found only by carving unallocated space.
ReFS is designed to address very large data storage needs, such as the cloud.
The following features are incorporated into ReFS’s design:
Maximized data availability
Improved data integrity
Designed for scalability
ReFS is an outgrowth of NTFS designed to provide a large-scale data storage access capability. It’s intended only for data storage, so as of this writing, it can’t be used as a boot drive.
It uses a method called “allocate-on-write” that copies updates of data files to new locations; similar to shadow paging, it prevents overwriting the original data files.
Loss of personally identifiable information (PII) and trade secrets through computer theft has become a growing concern.
Company PII might consist of employees’ full names, home addresses, and Social Security numbers. With this information, criminals could easily apply for credit card accounts in these employees’ names.
Whole disk encryption tools offer the following features that forensics examiners should be aware of:
Preboot authentication; such as a single sign-on password, fingerprint scan, or token (USB device)
Full or partial disk encryption with secure hibernation; such as activating a password-protected screen saver
Advanced encryption algorithms; such as Advanced Encryption Standard (AES) and International Data Encryption Algorithm (IDEA)
Key management function that uses a challenge-and-response method to reset passwords or passphrases
BitLocker: Microsoft's whole disk encryption utility for protecting drive data.
Guidance Software EnCase can decrypt BitLocker drives when the recovery key or password is available, although the process can take a lot of time.
BitLocker’s current hardware and software requirements are as follows:
A computer capable of running Windows Vista or later (non-home editions).
The Trusted Platform Module (TPM) microchip, version 1.2 or newer.
A computer BIOS compliant with Trusted Computing Group (TCG).
Two NTFS partitions for the OS and an active system volume with available space.
The BIOS configured so that the hard drive boots first before checking the CD/ DVD drive or other bootable peripherals.
Endpoint Encryption can be used on PCs, laptops, and removable media to secure an entire disk volume. This tool works in Windows Server 2008 and later and Windows 7 and later.
Voltage SecureFile is designed for an enterprise computing environment.
Jetico BestCrypt Volume Encryption provides WDE for older MS-DOS and current Windows systems.
Registry: A hierarchical database that stores hardware and software configuration information, network connections, user preferences, and setup information for the system and its users.
Registry Editor: A Windows utility for viewing and modifying data in the Registry.
There are two Registry Editors, Regedit and Regedt32; since Windows XP, Regedt32 is only a stub that launches Regedit.
HKEY: Windows splits the Registry into categories with the prefix HKEY_.
Key: Folders in each HKEY. Keys can contain other key folders or values.
Subkey: A key displayed under another key, similar to a subfolder in Windows or File Explorer.
Branch: A key and its contents, including subkeys.
Value: A name and value in a key; it’s similar to a file and its data content.
Default value: All keys have a default value that may or may not contain data.
Hives: Specific branches of HKEY_USERS and HKEY_LOCAL_MACHINE that are backed by files on disk, listed below.
| Filename and location | Purpose of file |
|---|---|
| ntuser.dat (in each user's profile folder, e.g. Users\username) | User-protected storage area; contains the list of most recently used files and desktop configuration settings |
| system (%SystemRoot%\System32\config) | Contains the computer's system settings |
| sam (%SystemRoot%\System32\config) | Contains user account management and security settings |
| security (%SystemRoot%\System32\config) | Contains the computer's security settings |
| software (%SystemRoot%\System32\config) | Contains installed programs' settings and associated usernames and passwords |
| default (%SystemRoot%\System32\config) | Contains additional computer system settings (the default user profile) |
| UsrClass.dat (in each user's profile under AppData\Local\Microsoft\Windows) | Contains additional NTUSER information, such as per-user file associations |
| HKEY | Function |
|---|---|
| HKEY_CLASSES_ROOT | A symbolic link to HKEY_LOCAL_MACHINE\SOFTWARE\Classes (merged with the current user's Software\Classes); stores file associations and COM class registrations. |
| HKEY_CURRENT_USER | A symbolic link to the current user's subkey under HKEY_USERS; stores settings for the currently logged-on user. |
| HKEY_LOCAL_MACHINE | Contains information about installed hardware and software. |
| HKEY_USERS | Stores information for all loaded user profiles; only one key in this HKEY is linked to HKEY_CURRENT_USER. |
| HKEY_CURRENT_CONFIG | A symbolic link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current. |
| HKEY_DYN_DATA | Used only in Windows 9x; holds dynamic hardware and performance data. |
Since Windows Vista, Microsoft has changed its approach to OS boot processes.
All Windows 8 and 10 boot processes are designed to run on multiple devices, ranging from desktop or laptop systems to tablets and smartphones.
In Windows Vista and later, the boot process uses a boot configuration data (BCD) store.
For desktops and laptops (BIOS-based systems), the BCD store is a file in Registry-hive format, \Boot\BCD on the active system partition, that controls the boot process (on UEFI systems it lives on the EFI system partition under \EFI\Microsoft\Boot).
In Windows 8 and 10, the BCD holds the boot entries and options that the Windows Boot Manager reads to start the system's bootstrap process.
A Windows system performs the following steps when the computer is turned on:
Power-on self-test (POST)
Initial startup
Boot loader
Hardware detection and configuration
Kernel loading
User log-on
Bootmgr.exe: The Windows Boot Manager program controls boot flow and allows booting multiple OSs, such as booting Vista along with XP.
Winload.exe: The Windows OS loader (Vista and later) loads the kernel, the Hardware Abstraction Layer (HAL), and the boot-start drivers into memory, then hands control to the kernel.
Winresume.exe: This tool restarts Vista after the OS goes into hibernation mode.
NT Loader (Ntldr) loads the OS on Windows NT, 2000, and XP systems.
When the system is powered on, Ntldr reads the Boot.ini file, which defines the boot menu.
After you select the OS to boot, Ntldr loads Ntoskrnl.exe, Bootvid.dll, Hal.dll, and the startup (boot-start) device drivers.
Boot.ini specifies the path to the Windows XP installation and contains options for selecting the Windows version.
If a system has multiple boot OSs, including older ones such as Windows 9x or DOS, Ntldr reads BootSect.dos (a hidden file), which contains the saved boot sector of the other OS.
When the boot selection is made, Ntldr runs NTDetect.com, a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr.
This program identifies components and values on the computer system, such as the following:
CMOS time and date value
Buses attached to the motherboard, such as Industry Standard Architecture (ISA) or Peripheral Component Interconnect (PCI)
Disk drives connected to the system
Mouse input devices connected to the system
Parallel ports connected to the system
NTBootdd.sys: The device driver that lets Ntldr access SCSI or ATA drives that the BIOS can't address itself (the scsi() entries in Boot.ini).
Ntoskrnl.exe: The Windows XP OS kernel, located in the %SystemRoot%\System32 folder (typically C:\Windows\System32).
Hal.dll: The Hardware Abstraction Layer (HAL) dynamic link library, located in the %SystemRoot%\System32 folder.
At startup, data and instruction code are moved in and out of the Pagefile.sys file to optimize the amount of physical RAM available.
Device drivers contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %SystemRoot%\System32\Drivers folder.
| Filename | Description |
|---|---|
| Ntoskrnl.exe | The XP executive and kernel. |
| Ntkrnlpa.exe | The physical address extension (PAE) kernel for accessing more than 4 GB of physical RAM. |
| Hal.dll | The Hardware Abstraction Layer. |
| Win32k.sys | The kernel-mode portion of the Win32 subsystem. |
| Ntdll.dll | System service dispatch stubs to executive functions and internal support functions. |
| Kernel32.dll | Core Win32 subsystem DLL file. |
| Advapi32.dll | Core Win32 subsystem DLL file. |
| User32.dll | Core Win32 subsystem DLL file. |
| Gdi32.dll | Core Win32 subsystem DLL file. |
As an investigator, you might need a virtual server to view legacy systems, and you might need to forensically examine suspects’ virtual machines.
Virtual machines enable you to run another OS on an existing physical computer by emulating a computer’s hardware environment.
A virtual machine consists of several files. The two main files are:
Configuration File: Contains hardware settings, such as RAM, network configurations, port settings, and so on.
Virtual Hard Disk File: Contains the boot loader program, OS files, and users’ data files.
Another reason for using a virtual machine in an investigation is to emulate actions taken by a suspect or even by malware.
Several forensics analysis tools can convert a forensic image to an ISO image or a virtual hard disk (VHD) file, which enables you to run a suspect’s computer in a virtual environment.
A virtual machine acts like any other computer but with a twist: It performs all the tasks the OS running on the physical computer can, up to a certain point.
The virtual machine recognizes the hardware components of the host computer it’s loaded on.
The guest OS is limited by the host computer’s OS, which might block certain operations.
In digital forensics, virtual machines make it possible to restore a suspect drive on a virtual machine and run nonstandard software the suspect might have loaded, for example.
You can browse through the drive’s contents, and then go back to the forensic image and test the items you found.