Cyber Forensics Unit-5

The document provides an overview of key concepts in cyber forensics, including file systems, boot sequences, disk drives, and Microsoft file structures. It emphasizes the importance of understanding these elements for effective data recovery and analysis in forensic investigations. Additionally, it covers whole disk encryption, the Windows Registry, and startup processes, highlighting their relevance in preserving and retrieving digital evidence.

Uploaded by

nomular30

CYBER FORENSICS UNIT-5

📌 Understanding File Systems


🔸 Meaning:
●​ A file system gives the Operating System (OS) a roadmap to data on a disk.
●​ It determines how data is stored, organized, and retrieved from a disk.

🔸 Why Important in Forensics:


●​ Investigators must understand how different OSs store files to effectively find,
recover, and analyze evidence.
●​ File systems are often specific to an OS but newer systems can sometimes read
older file systems (e.g., Linux reads Ext2fs, Ext3fs).

🔸 Key Point:
●​ Always be familiar with the target system’s OS and file system before attempting
data acquisition or inspection.

Understanding the Boot Sequence


🔸 Meaning:
●​ The boot sequence is the order of steps a computer follows when it powers on.
●​ It involves CMOS, BIOS, and boot device selection.

🔸 Important Concepts:

●​ CMOS (Complementary Metal Oxide Semiconductor):


○​ Stores system configuration, date, and time even when the system is off.
●​ BIOS (Basic Input/Output System):
○​ Contains low-level programs for hardware control.
●​ Bootstrap Process:
○​ Instructions in ROM that tell the computer how to start.

🔸 Forensic Need:
●​ To avoid altering evidence, the system should boot from a forensic CD/DVD or
USB, not the internal hard drive.
●​ You can access the CMOS setup during the initial start-up by pressing a specific key
(like Delete, F2, F10 — depends on the vendor).
●​ Refer to system manuals or vendor websites for exact key and CMOS settings.

Understanding Disk Drives


🔸 Meaning:
●​ Disk drives are physical devices that store digital data on magnetic platters.
●​ Knowing disk structure helps investigators effectively locate and recover data.

🔸 Components of a Disk Drive:


| 🔸 Term | 🔍 Meaning |
|---|---|
| Geometry | The physical structure of platters, tracks, and sectors in a disk. |
| Head | The device that reads and writes data to disk platters (one head per platter side). |
| Tracks | Concentric circles on a disk where data is stored. |
| Cylinders | A column of tracks located in the same position on multiple platters. |
| Sectors | Sections on a track, typically storing 512 bytes of data. |

🔸 Calculation:
●​ Total storage = Number of Cylinders × Number of Heads × Number of Sectors ×
Bytes per Sector.

🔸 Use in Forensics:
●​ Helps in understanding how and where data is stored, deleted, or hidden on disk
drives.
📌 Quick Recap
✅ File System → Roadmap for OS to manage data.​
✅ Boot Sequence → Steps system follows at startup (CMOS, BIOS, Boot device).​
✅ Disk Drive Components → Geometry, Head, Tracks, Cylinders, Sectors — knowing
these helps track evidence.
📌 Exploring Microsoft File Structures
🔶 Meaning:​
Most personal computers use Microsoft file systems like FAT and NTFS.​
As a forensic investigator, it’s important to understand how these file systems store,
manage, and hide data, because evidence can be concealed within them.

Important Concepts
🔸 Clusters
●​ A cluster is the smallest unit of storage used by a file system to save files.
●​ It is made up of one or more sectors (typically 512 bytes each).
●​ Combining sectors into clusters reduces the overhead of managing files.

Example:

●​ A floppy disk has 1 sector per cluster.


●​ A hard disk usually has 4 or more sectors per cluster.

🔸 Logical and Physical Addresses


●​ Logical Address: Number assigned by the OS to clusters. It starts from 2 as the first
few sectors are reserved for system data.
●​ Physical Address: Actual location of sectors on the disk, starting from 0 up to the
last sector.

🔸 Disk Partitions
●​ A partition divides a physical hard disk into multiple logical drives (like C:, D:).
●​ FAT16 can’t handle disks larger than 2 GB, so larger disks are split into smaller
partitions.
●​ Data can be hidden by creating:​

○​ Hidden partitions
○​ Partition gaps (unused space between partitions)

Detection Tools:

●​ Disk editors like Norton Disk Edit, WinHex, Hex Workshop help forensic experts to
view hidden areas and partition tables.

Hexadecimal Codes in Partition Table


Each partition type has a specific hexadecimal code in the partition table.​
Example codes:
| Code | File System |
|---|---|
| 01 | DOS 12-bit FAT |
| 04 | DOS 16-bit FAT (<32 MB) |
| 07 | NTFS |
| 0B | FAT32 |
| 17 | Hidden NTFS (Windows XP, etc.) |
| 81 | Linux |

Purpose: Helps identify and manage partitions during forensic investigation.
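To show how the type codes above and the earlier idea of partition gaps are used in practice, here is an added Python example (not from the original notes). It parses a constructed MBR, names each entry from the code table, flags the hidden NTFS type, and lists sector ranges that no partition covers. The MBR layout it relies on (16-byte entries at byte 446, 55 AA signature at byte 510) is the standard one; the sample disk itself is constructed.

```python
import struct

# Partition type codes from the table above (a subset of the full type list)
PARTITION_TYPES = {
    0x01: "DOS 12-bit FAT", 0x04: "DOS 16-bit FAT (<32 MB)", 0x07: "NTFS",
    0x0B: "FAT32", 0x17: "Hidden NTFS", 0x81: "Linux",
}
HIDDEN_TYPES = {0x17}

SECTOR = 512
TABLE_OFFSET = 446            # four 16-byte entries at bytes 446..509 of the MBR
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(mbr):
    """Return one dict per used slot in the MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: missing 55 AA signature")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # unused slot
        parts.append({
            "slot": i, "bootable": status == 0x80, "type": ptype,
            "name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "hidden": ptype in HIDDEN_TYPES,
            "start": lba_start, "end": lba_start + count - 1,
        })
    return parts


def find_gaps(parts, total_sectors):
    """Sector ranges not covered by any partition: the 'partition gaps' an examiner inspects."""
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def _entry(status, ptype, start, count):
    """Pack one partition-table entry; CHS fields are zeroed (constructed data)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, count)


def build_sample_mbr():
    """Constructed MBR: a bootable NTFS partition, a 2048-sector gap, then a hidden NTFS one."""
    mbr = bytearray(SECTOR)
    mbr[TABLE_OFFSET:TABLE_OFFSET + 16] = _entry(0x80, 0x07, 2048, 204800)
    mbr[TABLE_OFFSET + 16:TABLE_OFFSET + 32] = _entry(0x00, 0x17, 2048 + 204800 + 2048, 40960)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)
```

On a real image, `parse_mbr` takes the first 512 bytes of the disk and `find_gaps` takes the total sector count reported by the acquisition tool.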

🔸 File Headers (Signature Bytes)


●​ Every file has a unique file header (first few bytes) indicating its type.
●​ Even if a file extension is changed (e.g., .jpg to .txt), its header reveals its original
type.

Examples:

●​ Bitmap image (.bmp) → 42 4D (BM)


●​ Word document (.doc) → D0 CF 11 E0 A1 B1 1A E1

Tool Used:

●​ Hex Workshop to open and read file headers and verify file types.
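The header check described above, as an added Python example (not from the original notes): it matches the first bytes of a file against the two signatures listed and reports files whose extension contradicts their header. It goes slightly beyond the notes by accepting .xls and .ppt for the OLE2 signature, which the classic Office formats share. The sample headers are constructed.

```python
# Signature bytes from the notes above; the OLE2 signature is shared by the
# classic Office formats, so several extensions are accepted for it
SIGNATURES = [
    (bytes.fromhex("424D"), {"bmp"}, "Bitmap image"),
    (bytes.fromhex("D0CF11E0A1B11AE1"), {"doc", "xls", "ppt"},
     "OLE2 compound document (Word/Excel/PowerPoint)"),
]
HEADER_LEN = 16  # enough bytes to cover the longest signature above


def identify(header):
    """Return (accepted extensions, description) for the signature at the start of header."""
    for magic, exts, desc in SIGNATURES:
        if header.startswith(magic):
            return exts, desc
    return None, "unknown"


def check_file(name, header):
    """Compare the claimed extension with the header; returns (claimed, description, mismatch)."""
    claimed = name.rsplit(".", 1)[1].lower() if "." in name else ""
    exts, desc = identify(header)
    mismatch = exts is not None and claimed not in exts
    return claimed, desc, mismatch


def read_header(path):
    """First HEADER_LEN bytes of a real file, opened read-only as an examiner would."""
    with open(path, "rb") as f:
        return f.read(HEADER_LEN)


def find_mismatches(files):
    """files maps name -> header bytes; returns names whose extension contradicts the header."""
    return [name for name, header in files.items() if check_file(name, header)[2]]


# Constructed sample headers (not taken from real files)
SAMPLE = {
    "photo.bmp": b"BM" + b"\x00" * 14,
    "notes.txt": bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 8,  # a .doc renamed to .txt
    "budget.xls": bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 8,
    "readme.txt": b"plain text, no signature",
}
```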

| 📌 Topic | 📖 Description | 🛠️ Example/Tool |
|---|---|---|
| Cluster | Smallest unit of storage (1 or more sectors). | 512 bytes/sector. |
| Logical Address | Address given by OS starting from 2. | Cluster number 100 = 98 clusters ahead. |
| Physical Address | Actual location on disk (starts from 0). | Sector 0, Sector 1, etc. |
| Partition | Divides a disk into logical drives (C:, D:, E:). | FAT16 max 2 GB. |
| Partition Gap | Unused space between partitions. | Hidden data can be stored here. |
| File Header (Signature) | First bytes of file showing type, even if extension is changed. | .bmp → 42 4D, .doc → D0 CF... |
| Hexadecimal Codes | Identify type of partition in partition table. | 07 → NTFS, 0B → FAT32. |
| Disk Editors | Tools to view hidden areas, partitions, and headers. | Norton Disk Edit, Hex Workshop. |

📌 Examining NTFS Disks

🔶 Introduction to NTFS
●​ NTFS (New Technology File System) was introduced with Windows NT.
●​ Became the primary file system for Windows Vista and later.
●​ NTFS was partly based on HPFS (High Performance File System) from Microsoft’s
OS/2 project.
●​ Backward compatibility with HPFS existed in Windows NT but was removed in
Windows 2000.

🔶 Advantages of NTFS Over FAT


●​ Stores more file information:
○​ Security features
○​ File ownership
○​ File attributes
●​ Better control over files and folders
●​ Less file slack space (unused space within a cluster)
●​ Supports file compression and Encrypting File System (EFS) for encryption.

📋 Cluster Size Tables


📌 FAT16 Cluster Sizes

| Drive Size | Sectors/Cluster (FAT16) | Cluster Size |
|---|---|---|
| 0–32 MB | 1 | 512 bytes |
| 33–64 MB | 2 | 1 KB |
| 65–128 MB | 4 | 2 KB |
| 129–255 MB | 8 | 4 KB |
| 256–511 MB | 16 | 8 KB |
| 512–1023 MB | 32 | 16 KB |
| 1024–2047 MB | 64 | 32 KB |
| 2048–4095 MB | 128 | 64 KB |

📌 NTFS Cluster Sizes

| Drive Size | Sectors/Cluster (NTFS) | Cluster Size |
|---|---|---|
| 0–512 MB | 1 | 512 bytes |
| 512 MB–1 GB | 2 | 1024 bytes (1 KB) |
| 1–2 GB | 4 | 2048 bytes (2 KB) |
| 2–4 GB | 8 | 4096 bytes (4 KB) |
| 4–8 GB | 16 | 8192 bytes (8 KB) |
| 8–16 GB | 32 | 16,384 bytes |
| 16–32 GB | 64 | 32,768 bytes |
| >32 GB | 128 | 65,536 bytes |


✅ Note:
NTFS uses smaller clusters even on large disks, reducing slack space and improving space
efficiency.
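To make the slack-space advantage concrete, here is an added Python example (not from the original notes) that looks up the cluster size for a given drive size from the two tables above and computes how many clusters, and how much file slack, the same file would produce on FAT16 versus NTFS. The tables are taken from the notes; where two rows share a boundary (e.g. NTFS at 512 MB) the smaller cluster is chosen, which is an assumption.

```python
SECTOR = 512

# (upper bound of the drive-size row in MB, sectors per cluster), from the tables above
FAT16_TABLE = [(32, 1), (64, 2), (128, 4), (255, 8), (511, 16),
               (1023, 32), (2047, 64), (4095, 128)]
NTFS_TABLE = [(512, 1), (1024, 2), (2048, 4), (4096, 8), (8192, 16),
              (16384, 32), (32768, 64)]  # >32 GB falls through to 128 sectors


def cluster_size(drive_mb, fs):
    """Cluster size in bytes for a drive of drive_mb megabytes, per the tables above."""
    if fs == "FAT16":
        for limit, spc in FAT16_TABLE:
            if drive_mb <= limit:
                return spc * SECTOR
        raise ValueError("FAT16 cannot address a drive larger than 4095 MB")
    if fs == "NTFS":
        for limit, spc in NTFS_TABLE:
            if drive_mb <= limit:
                return spc * SECTOR
        return 128 * SECTOR  # the >32 GB row
    raise ValueError("unknown file system: " + fs)


def clusters_needed(file_size, cluster):
    """Whole clusters allocated to hold file_size bytes."""
    return (file_size + cluster - 1) // cluster


def file_slack(file_size, cluster):
    """Unused bytes in the file's last cluster: where remnants of earlier data can survive."""
    return clusters_needed(file_size, cluster) * cluster - file_size


def compare_slack(drive_mb, file_size):
    """Allocation and slack for the same file on FAT16 and NTFS drives of the same size."""
    result = {}
    for fs in ("FAT16", "NTFS"):
        c = cluster_size(drive_mb, fs)
        result[fs] = {"cluster": c,
                      "clusters": clusters_needed(file_size, c),
                      "slack": file_slack(file_size, c)}
    return result
```

On a real image, read the sectors-per-cluster value from the volume boot sector rather than assuming these tables; current Windows versions default NTFS to 4 KB clusters for most volume sizes.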

NTFS Disk Layout


1️⃣ Partition Boot Sector

●​ At sector 0 of the disk


●​ Stores boot information for starting the system

2️⃣ Master File Table (MFT)

●​ First file on an NTFS disk


●​ Created when the disk is formatted
●​ Takes 12.5% space initially, can grow to 50%
●​ Keeps details (metadata) of all files and folders

3️⃣ System Files + User Files


●​ All other system and user-created files are stored after the MFT

4️⃣ Clusters

●​ Actual areas where file data is saved


●​ NTFS uses cluster numbers (data runs) to locate file content

NTFS System Files (MFT Metadata Records)


| Filename | Record Position | Description |
|---|---|---|
| $MFT | 0 | Main file table for all files and folders |
| $MFTMirr | 1 | Backup of first 4 MFT records |
| $LogFile | 2 | Stores transaction log for recovery |
| $Volume | 3 | Contains volume label and info |
| $AttrDef | 4 | Attribute definitions table |
| . (Root) | 5 | Root folder of NTFS volume |
| $Bitmap | 6 | Map showing which clusters are used |
| $Boot | 7 | Contains boot code |
| $BadClus | 8 | Tracks bad/unusable clusters |
| $Secure | 9 | Stores security descriptors (ACLs) |
| $Upcase | 10 | Converts lowercase to uppercase Unicode |
| $Extend | 11 | Optional extensions like quotas |
| (records 12–15) | 12–15 | Reserved for future use |

How NTFS Stores Files


●​ All files/folders have a 1024-byte record in MFT
●​ Data storage methods:
○​ Resident files:​
➝ Very small files (≤512 bytes) stored entirely inside MFT.
○​ Non-resident files:​
➝ Larger files (>512 bytes) stored outside MFT, with MFT containing cluster
addresses (data runs) pointing to their location.

| 📌 Topic | 📑 Details |
|---|---|
| Full Form | New Technology File System (NTFS) |
| Introduced With | Windows NT |
| Primary File System In | Windows Vista and later |
| Based On | HPFS (High Performance File System) from OS/2 Project |
| HPFS Backward Compatibility | Available in Windows NT, removed from Windows 2000 onwards |

| 📦 Position/Part | 📑 Description |
|---|---|
| 1️⃣ Partition Boot Sector | At sector 0, stores boot information |
| 2️⃣ Master File Table (MFT) | First file, takes 12.5% initially (can grow to 50%), holds metadata |
| 3️⃣ System Files + User Files | All OS system files and user-created files |
| 4️⃣ Clusters | Actual areas where file data is stored on the disk |

| 📦 File Type | 📏 Storage Method |
|---|---|
| Resident Files | Small files (≤512 bytes) stored entirely inside MFT record |
| Non-Resident Files | Larger files (>512 bytes) stored in clusters outside MFT; MFT contains cluster addresses (data runs) |

Understanding Whole Disk Encryption
🔶 What is Whole Disk Encryption?
●​ It means encrypting the entire hard drive, making all data unreadable without
proper authentication.
●​ Protects data in case of device theft or loss.

🔶 Why is Whole Disk Encryption Needed?


●​ Increasing cases of identity theft and data leaks.
●​ Protects important information like:
○​ Personal Identity Information (PII) — names, addresses, Social Security
numbers.
○​ Trade secrets — confidential business data that gives a competitive
advantage.
●​ Theft of devices like laptops and PDAs can cause:
○​ Identity theft.
○​ Credit card fraud.
○​ Loss of sensitive company information.
●​ Many states have made it legally mandatory to inform victims quickly if PII is
compromised.

🔶 Features of Whole Disk Encryption Tools


●​ Preboot Authentication — Requires login (password, fingerprint, or USB token)
before starting the system.
●​ Full or Partial Disk Encryption — Can encrypt the entire disk or selected parts.
●​ Secure Hibernation — Ensures data in hibernation is also encrypted.
●​ Uses advanced encryption algorithms like AES and IDEA.
●​ Key Management System — Allows password reset through a challenge-response
method.
●​ Trusted Platform Module (TPM) — A hardware chip that generates encryption keys
and authenticates logins.

📌 Microsoft BitLocker
🔶 What is BitLocker?
●​ Microsoft’s tool for whole disk encryption.
●​ Available only in Windows Vista Enterprise and Ultimate editions.

🔶 BitLocker Hardware & Software Requirements


●​ A computer capable of running Windows Vista.
●​ TPM microchip (version 1.2 or newer) installed in the system.
●​ BIOS compliant with Trusted Computing Group (TCG) standards.
●​ Two NTFS partitions:
○​ One for the operating system.
○​ One system partition with at least 1.5 GB space.
●​ BIOS must be configured to boot from the hard disk first, before any other device.

📌 Windows Registry

🔶 What is the Windows Registry?


●​ A database used by Windows OS to store:
○​ Hardware and software configuration
○​ Network connection settings
○​ User preferences (usernames, passwords)
○​ System setup information
●​ Introduced with Windows 95 (combined various .ini files).
●​ Still used and updated in Windows Vista and later.

🔶 Importance in Digital Forensics


●​ Registry can contain valuable evidence like:
○​ Usernames and passwords
○​ Recently accessed files
○​ Installed programs
○​ System and network configurations
●​ Can be viewed using:
○​ Regedit (Windows 9x)
○​ Regedt32 (Windows 2000, XP, Vista)

Windows Registry Structure


🔷 Basic Terms to Remember:
●​ Registry — Collection of files with system & user data.
●​ Registry Editor — Tool to view/edit Registry (Regedit or Regedt32).
●​ HKEY — Top-level sections/categories in Registry (called handles for keys).
●​ Key — Folders under HKEY, can hold other keys or values.
●​ Subkey — A key inside another key (like subfolders).
●​ Branch — A key and all its subkeys and values.
●​ Value — Data stored inside a key (like file content).
●​ Default Value — Every key has one default value (can be empty).
●​ Hive — Special branches in Registry storing crucial system info.
Major Registry Sections (HKEY categories)
●​ Windows 9x systems: 6 HKEY categories
●​ Windows 2000 & later: 5 HKEY categories

🔷 Important Hives:
●​ HKEY_LOCAL_MACHINE (HKLM)​
➝ Stores system-wide configuration​
➝ Important hives inside:
○​ SAM (Security Accounts Manager)
○​ Security
○​ Components
○​ System
●​ HKEY_USERS (HKU)​
➝ Stores user-specific data​
➝ Each user has a hive linked to Ntuser.dat

Understanding Microsoft Startup Tasks


When a Windows system starts, several system files and processes are executed.
For a forensic investigator, knowing which files were accessed and when is critical
for understanding user activity—especially if the system was used after a reported
incident.

Why It Matters in Forensics

• By checking file access timestamps, you can tell when the system was last used.

• Important for timeline analysis in cybercrime cases.

• BUT: Some versions like Windows XP overwrite timestamps, which can destroy evidence.

Windows Startup Processes

1. Startup in Windows NT and Later (XP, 7, etc.)

When the computer is powered on:

1. POST (Power-On Self-Test) – Basic hardware check.

2. Initial Startup – BIOS/UEFI loads boot instructions.

3. Boot Loader – Loads boot files and OS kernel.

4. Hardware Detection and Configuration – Detects keyboard, mouse, etc.

5. Kernel Loading – Loads core part of OS.

6. User Logon – Login screen appears.

2. Windows Vista Startup

Vista replaced old boot methods with modern ones:

• Uses EFI (Extensible Firmware Interface) and BIOS.

• New boot files:

o bootmgr.exe: Displays OS list.

o winload.exe: Loads kernel, drivers, HAL.

o winresume.exe: Used when system resumes from hibernation.

3. Windows XP Startup Files

XP uses several key files:

• ntldr: Boot loader.

• boot.ini: Boot configuration.

• bootsect.dos: Compatibility with older systems.

• ntdetect.com: Detects hardware.

• ntbootdd.sys: Used for special controllers.

• ntoskrnl.exe: Kernel (core system).

• hal.dll: Hardware Abstraction Layer.

• pagefile.sys: Virtual memory file.

• Device drivers: Load system hardware.
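The timeline idea from "Why It Matters in Forensics", applied to the XP startup files just listed, as an added Python example (not from the original notes). It reads the access and modification times of each boot file under a mounted volume root and orders them newest-first, so the latest access among them gives a lower bound on when the system last booted. The volume root is assumed to be a read-only mount of the evidence image; the sample volume built here is a constructed temp directory.

```python
import os
import tempfile
from datetime import datetime, timezone

# XP boot files from the list above, relative to the volume root
XP_STARTUP_FILES = [
    "ntldr", "boot.ini", "bootsect.dos", "ntdetect.com", "ntbootdd.sys",
    "pagefile.sys", "WINDOWS/system32/ntoskrnl.exe", "WINDOWS/system32/hal.dll",
]


def startup_timeline(volume_root):
    """[(relative path, last access UTC, last modified UTC)], newest access first.

    Mount the image read-only first: reading the files yourself on a writable mount
    would update the very access times being examined.
    """
    rows = []
    for rel in XP_STARTUP_FILES:
        path = os.path.join(volume_root, *rel.split("/"))
        if not os.path.isfile(path):
            continue  # e.g. ntbootdd.sys exists only with certain disk controllers
        st = os.stat(path)
        rows.append((rel,
                     datetime.fromtimestamp(st.st_atime, timezone.utc),
                     datetime.fromtimestamp(st.st_mtime, timezone.utc)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def last_use_estimate(volume_root):
    """Newest access among the boot files: the system was used at least this recently."""
    rows = startup_timeline(volume_root)
    return (rows[0][0], rows[0][1]) if rows else None


def build_sample_volume():
    """Constructed stand-in for a mounted XP volume (not a real image)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "WINDOWS", "system32"))
    base = 1_300_000_000  # constructed epoch seconds
    for i, rel in enumerate(XP_STARTUP_FILES):
        if rel == "ntbootdd.sys":
            continue  # absent on this sample machine
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as f:
            f.write(b"\0" * 16)
        os.utime(path, (base + 3600 * i, base))  # access times differ, modification fixed
    return root
```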

4. Windows 9x/Me Startup (Older Versions)

• Based on MS-DOS 6.22.

• Uses two boot modes:

o DPMI (DOS Protected-Mode Interface)

o Protected-mode GUI
Understanding MS-DOS Startup Tasks

When a computer runs MS-DOS (Microsoft Disk Operating System), it follows a specific sequence of files and commands to start the system and prepare it for use.

Key Startup Files in MS-DOS

1. IO.SYS

o First file loaded after the computer’s ROM locates the bootable disk.

o Acts as a bridge between BIOS and the operating system.

2. MSDOS.SYS

o Second file loaded into memory.

o It looks for the CONFIG.SYS file to load drivers and settings.

o Loads the command-line shell: COMMAND.COM.

o Finally, it loads the AUTOEXEC.BAT file to apply user settings.

3. CONFIG.SYS

o Text file used to configure system devices like memory, keyboard, and mouse.

o Loaded only once at startup.

4. AUTOEXEC.BAT

o A batch script that runs automatically after startup.

o Sets up user preferences like path, date/time, language, etc.

5. COMMAND.COM

o Command-line interface that allows users to type and execute DOS commands.

o It’s the heart of the DOS user interface.

Summary of Boot Sequence in MS-DOS

IO.SYS → MSDOS.SYS → CONFIG.SYS → COMMAND.COM → AUTOEXEC.BAT

Each file plays a role in configuring, initializing, and customizing the system.

Other Disk Operating Systems


Besides MS-DOS, a few other operating systems were used in early personal
computers:

1. CP/M (Control Program for Microcomputers)

• Developed in 1970 by Digital Research.

• Used for early microcomputers with 8-inch floppy disks.

• No support for hard disks.

• Laid the foundation for later systems like MS-DOS.

2. DR-DOS (Digital Research DOS)

• Released in 1988 to compete with MS-DOS.

• Supported FAT12 and FAT16 file systems.

• Offered better features and command support than MS-DOS.

3. PC-DOS (Personal Computer DOS)

• Created by Microsoft under contract with IBM.

• Designed to run IBM personal computers.

• Functionally similar to MS-DOS, but with IBM-specific customizations.

📌 What is a Virtual Machine (VM)?

●​ A computer inside a computer.


●​ Runs using software on a real computer.
●​ Can run different operating systems on one PC.
●​ Uses some space from real computer’s hard disk, RAM, and CPU.
●​ Works like a real computer (can use mouse, keyboard, etc).
●​ Can be paused or stopped at any time.
●​ Power depends on the real computer’s hardware.

📌 Uses of Virtual Machines in Digital Forensics


●​ Helps open a suspect’s drive safely.
●​ Can run unknown or dangerous files without harming the real PC.
●​ Use forensic tools inside VM to check data and files.
●​ Everything inside VM can be saved as proof.
●​ Good for testing viruses or malware safely.
📌 Network & Security Warnings
●​ VMs can be used for hacking or attacking other systems.
●​ New technology — might have unknown security risks.

📌 Popular VM Software
●​ VMware
●​ Microsoft Virtual PC

📌 Important VM Files
●​ .vhd file — virtual hard disk (stores data)
●​ .vmc file — virtual machine settings​
