Guide to Computer Forensics

and Investigations
Fourth Edition

Chapter 6
Working with Windows and DOS
Systems
Working with Windows and DOS
Systems
 Understanding File Systems

• File system
– Gives OS a road map to data on a disk
• Type of file system an OS uses determines how
data is stored on the disk
• A file system is usually directly related to an OS
• When you need to access a suspect’s computer to
acquire or inspect data
– You should be familiar with the computer’s platform

Guide to Computer Forensics and Investigations 3

 Understanding the Boot Sequence

• Complementary Metal Oxide Semiconductor

(CMOS)
– Computer stores system configuration, date and time
information in the CMOS
• When power to the system is off
• Basic Input/Output System (BIOS)
– Contains programs that perform input and output at
the hardware level

Guide to Computer Forensics and Investigations 4

 Understanding the Boot Sequence
(continued)

• Bootstrap process
– Contained in ROM, tells the computer how to
proceed
– Displays the key or keys you press to open the
CMOS setup screen
• CMOS should be modified to boot from a forensic
floppy disk or CD

Guide to Computer Forensics and Investigations 5

 Understanding the Boot Sequence
(continued)

Guide to Computer Forensics and Investigations 6

 Understanding Disk Drives

• Disk drives are made up of one or more platters

coated with magnetic material
• Disk drive components
– Geometry (organisation of data on disk platters)
– Head
– Tracks
– Cylinders
– Sectors

Guide to Computer Forensics and Investigations 7

Guide to Computer Forensics and Investigations 8
Guide to Computer Forensics and Investigations 9
Understanding Disk Drives (continued)
• Properties handled at the drive’s hardware or
firmware level
– Zoned bit recording (ZBR) (increase data capacity,
more sectors per zone on outer tracks)
– Track density
– Areal density (amount of data that can be stored on
a given unit of physical space on storage media)
– Head and cylinder skew (The offset distance from
the start of the last track of the previous cylinder so
that the head has time to seek from cylinder to
cylinder and be at the start of the first track of the
new cylinder)
Guide to Computer Forensics and Investigations 10
 Exploring Microsoft File Structures

• In Microsoft file structures, sectors are grouped to

form clusters
– Storage allocation units of one or more sectors
• Clusters are typically 512, 1024, 2048, 4096, or
more bytes each
• Combining sectors minimizes the overhead of
writing or reading files to a disk

Guide to Computer Forensics and Investigations 11

 Exploring Microsoft File Structures
(continued)
• Clusters are numbered sequentially starting at 2
– First sector of all disks contains a system area, the
boot record, and a file structure database
• OS assigns these cluster numbers, called logical
addresses
• Sector numbers are called physical addresses
• Clusters and their addresses are specific to a
logical disk drive, which is a disk partition

Guide to Computer Forensics and Investigations 12

 Disk Partitions

• A partition is a logical drive

• FAT16 does not recognize disks larger than 2 GB
– Large disks have to be partitioned
• Hidden partitions or voids
– Large unused gaps between partitions on a disk
• Partition gap
– Unused space between partitions

Guide to Computer Forensics and Investigations 13

 Disk Partitions (continued)

• Disk editor utility can alter information in partition

table
– To hide a partition
• Can examine a partition’s physical level with a disk
editor:
– Norton DiskEdit, WinHex, or Hex Workshop
• Analyze the key hexadecimal codes the OS uses to
identify and maintain the file system

Guide to Computer Forensics and Investigations 14

Guide to Computer Forensics and Investigations 15
Guide to Computer Forensics and Investigations 16
 Disk Partitions (continued)

• Hex Workshop allows you to identify file headers

– To identify file types with or without an extension

Guide to Computer Forensics and Investigations 17

Guide to Computer Forensics and Investigations 18
Guide to Computer Forensics and Investigations 19
 Master Boot Record

• On Windows and DOS computer systems

– Boot disk contains a file called the Master Boot
Record (MBR)
• MBR stores information about partitions on a disk
and their locations, size, and other important items
• Several software products can modify the MBR,
such as PartitionMagic’s Boot Magic

Guide to Computer Forensics and Investigations 20

 Examining FAT Disks
• File Allocation Table (FAT)
– File structure database that Microsoft originally designed for floppy
disks
– Used before Windows NT and 2000
• FAT database is typically written to a disk’s outermost track and
contains:
– Filenames, directory names, date and time stamps, the starting cluster
number, and file attributes
• FAT versions
– FAT12, FAT16, FAT32, and VFAT
– FAT12 has a cluster size of 512 bytes to 8 kilobytes whereas FAT16
has cluster sizes ranging from 512 bytes to 64 kilobytes. FAT32 file
systems can support disc sizes up to two terabytes using cluster sizes
ranging from 512 bytes to 32 kilobytes.

Guide to Computer Forensics and Investigations 21

 Examining FAT Disks (continued)

• Cluster sizes vary according to the hard disk size

and file system

Guide to Computer Forensics and Investigations 22

 Examining FAT Disks (continued)
• Microsoft OSs allocate disk space for files by
clusters
– Results in drive slack
• Unused space in a cluster between the end of an
active file and the end of the cluster
• Drive slack includes:
– RAM slack and file slack
• An unintentional side effect of FAT16 having large
clusters was that it reduced fragmentation
– As cluster size increased

Guide to Computer Forensics and Investigations 23

 Examining FAT Disks (continued)

Guide to Computer Forensics and Investigations 24

 Examining FAT Disks (continued)

• When you run out of room for an allocated cluster

– OS allocates another cluster for your file, which
creates more slack space on the disk
• As files grow and require more disk space,
assigned clusters are chained together
– The chain can be broken or fragmented

Guide to Computer Forensics and Investigations 25

 Examining FAT Disks (continued)

Guide to Computer Forensics and Investigations 26

 Examining FAT Disks (continued)

• When the OS stores data in a FAT file system, it

assigns a starting cluster position to a file
– Data for the file is written to the first sector of the first
assigned cluster
• When this first assigned cluster is filled and runs
out of room
– FAT assigns the next available cluster to the file
• If the next available cluster isn’t contiguous to the
current cluster
– File becomes fragmented

Guide to Computer Forensics and Investigations 27

 Deleting FAT Files

• In Microsoft OSs, when a file is deleted

– Directory entry is marked as a deleted file
• With the HEX E5 (σ) character replacing the first letter
of the filename
• FAT chain for that file is set to 0
• Data in the file remains on the disk drive
• Area of the disk where the deleted file resides
becomes unallocated disk space
– Available to receive new data from newly created
files or other files needing more space

Guide to Computer Forensics and Investigations 28

 Examining NTFS Disks

• New Technology File System (NTFS)

– Introduced with Windows NT
– Primary file system for Windows Vista
• Improvements over FAT file systems
– NTFS provides more information about a file
– NTFS gives more control over files and folders
• NTFS was Microsoft’s move toward a journaling file
system

Guide to Computer Forensics and Investigations 29

 Examining NTFS Disks (continued)

• In NTFS, everything written to the disk is

considered a file
• On an NTFS disk
– First data set is the Partition Boot Sector
– Next is Master File Table (MFT)
• NTFS results in much less file slack space
• Clusters are smaller for smaller disk drives
• NTFS also uses Unicode
– An international data format

Guide to Computer Forensics and Investigations 30

 Examining NTFS Disks (continued)

Guide to Computer Forensics and Investigations 31

 NTFS File System

• MFT contains information about all files on the disk

– Including the system files the OS uses
• In the MFT, the first 15 records are reserved for
system files
• Records in the MFT are called metadata

Guide to Computer Forensics and Investigations 32

 NTFS File System (continued)

Guide to Computer Forensics and Investigations 33

 NTFS File System (continued)

Guide to Computer Forensics and Investigations 34

 MFT and File Attributes

• In the NTFS MFT

– All files and folders are stored in separate records of
1024 bytes each
• Each record contains file or folder information
– This information is divided into record fields
containing metadata
• A record field is referred to as an attribute ID
• File or folder information is typically stored in one of
two ways in an MFT record:
– Resident and nonresident

Guide to Computer Forensics and Investigations 35

 MFT and File Attributes (continued)

• Files larger than 512 bytes are stored outside the

MFT
– MFT record provides cluster addresses where the
file is stored on the drive’s partition
• Referred to as data runs
• Each MFT record starts with a header identifying it
as a resident or nonresident attribute

Guide to Computer Forensics and Investigations 36

Guide to Computer Forensics and Investigations 37
Guide to Computer Forensics and Investigations 38
Guide to Computer Forensics and Investigations 39
Guide to Computer Forensics and Investigations 40
 MFT and File Attributes (continued)

• When a disk is created as an NTFS file structure

– OS assigns logical clusters to the entire disk partition
• These assigned clusters are called logical cluster
numbers (LCNs)
– Become the addresses that allow the MFT to link to
nonresident files on the disk’s partition

Guide to Computer Forensics and Investigations 41

 NTFS Data Streams

• Data streams
– Ways data can be appended to existing files
– Can obscure valuable evidentiary data, intentionally
or by coincidence
• In NTFS, a data stream becomes an additional file
attribute
– Allows the file to be associated with different
applications
• You can only tell whether a file has a data stream
attached by examining that file’s MFT entry

Guide to Computer Forensics and Investigations 42

 NTFS Compressed Files

• NTFS provides compression similar to FAT

DriveSpace 3
• Under NTFS, files, folders, or entire volumes can
be compressed
• Most computer forensics tools can uncompress and
analyze compressed Windows data

Guide to Computer Forensics and Investigations 43

 NTFS Encrypting File System (EFS)

• Encrypting File System (EFS)

– Introduced with Windows 2000
– Implements a public key and private key method of
encrypting files, folders, or disk volumes
• When EFS is used in Windows Vista Business
Edition or higher, XP Professional, or 2000,
– A recovery certificate is generated and sent to the
local Windows administrator account
• Users can apply EFS to files stored on their local
workstations or a remote server

Guide to Computer Forensics and Investigations 44

 EFS Recovery Key Agent

• Recovery Key Agent implements the recovery

certificate
– Which is in the Windows administrator account
• Windows administrators can recover a key in
two ways: through Windows or from an
MS-DOS command prompt
• MS-DOS commands
– Cipher
– Copy
– Efsrecvr (used to decrypt EFS files)

Guide to Computer Forensics and Investigations 45

 Deleting NTFS Files

• When a file is deleted in Windows XP, 2000, or NT

– The OS renames it and moves it to the Recycle Bin
• Can use the Del (delete) MS-DOS command
– Eliminates the file from the MFT listing in the same
way FAT does

Guide to Computer Forensics and Investigations 46

Understanding Whole Disk Encryption

• In recent years, there has been more concern

about loss of
– Personal identity information (PII) and trade
secrets caused by computer theft
• Of particular concern is the theft of laptop
computers and other handheld devices
• To help prevent loss of information, software
vendors now provide whole disk encryption

Guide to Computer Forensics and Investigations 47

Understanding Whole Disk Encryption
(continued)

• Current whole disk encryption tools offer the

following features:
– Preboot authentication
– Full or partial disk encryption with secure hibernation
– Advanced encryption algorithms
– Key management function
– A Trusted Platform Module (TPM) microchip to
generate encryption keys and authenticate logins

Guide to Computer Forensics and Investigations 48

Understanding Whole Disk Encryption
(continued)

• Whole disk encryption tools encrypt each sector of

a drive separately
• Many of these tools encrypt the drive’s boot sector
– To prevent any efforts to bypass the secured drive’s
partition
• To examine an encrypted drive, decrypt it first
– Run a vendor-specific program to decrypt the drive

Guide to Computer Forensics and Investigations 49

 Examining Microsoft BitLocker

• Available only with Vista Enterprise and Ultimate

editions
• Hardware and software requirements
– A computer capable of running Windows Vista
– The TPM microchip, version 1.2 or newer
– A computer BIOS compliant with Trusted Computing
Group (TCG)
– Two NTFS partitions
– The BIOS configured so that the hard drive boots
first before checking other bootable peripherals

Guide to Computer Forensics and Investigations 50

Examining Third-Party Disk Encryption
Tools
• Some available third-party WDE utilities:
– PGP Whole Disk Encryption
– Voltage SecureDisk
– Utimaco SafeGuard Easy
– Jetico BestCrypt Volume Encryption
– SoftWinter Sentry 2020 for Windows XP
• Some available open-source encryption tools:
– TrueCrypt
– CrossCrypt
– FreeOTFE

Guide to Computer Forensics and Investigations 51

Understanding the Windows Registry

• Registry
– A database that stores hardware and software
configuration information, network connections, user
preferences, and setup information
• For investigative purposes, the Registry can
contain valuable evidence
• To view the Registry, you can use:
– Regedit (Registry Editor) program for Windows 9x
systems
– Regedt32 for Windows 2000 and XP

Guide to Computer Forensics and Investigations 52

 Exploring the Organization of the
Windows Registry
• Registry terminology:
– Registry
– Registry Editor
– HKEY
– Key
– Subkey
– Branch
– Value
– Default value
– Hives
Guide to Computer Forensics and Investigations 53
 Exploring the Organization of the
Windows Registry (continued)

Guide to Computer Forensics and Investigations 54

 Exploring the Organization of the
Windows Registry (continued)

Guide to Computer Forensics and Investigations 55

 Examining the Windows Registry

• Use ProDiscover Basic to extract System.dat and

User.dat from an image file

Guide to Computer Forensics and Investigations 56

Understanding Microsoft Startup Tasks

• Learn what files are accessed when Windows

starts
• This information helps you determine when a
suspect’s computer was last accessed
– Important with computers that might have been used
after an incident was reported

Guide to Computer Forensics and Investigations 57

 Startup in Windows NT and Later

• All NTFS computers perform the following steps

when the computer is turned on:
– Power-on self test (POST)
– Initial startup
– Boot loader
– Hardware detection and configuration
– Kernel loading
– User logon

Guide to Computer Forensics and Investigations 58

 Startup in Windows NT and Later
(continued)
• Startup Files for Windows XP:
– NT Loader (NTLDR)
– Boot.ini
– BootSect.dos
– NTDetect.com
– NTBootdd.sys
– Ntoskrnl.exe
– Hal.dll
– Pagefile.sys
– Device drivers

Guide to Computer Forensics and Investigations 59

 Startup in Windows NT and Later
(continued)

• Windows XP System Files

Guide to Computer Forensics and Investigations 60

 Startup in Windows NT and Later
(continued)

• Contamination Concerns with Windows XP

– When you start a Windows XP NTFS workstation,
several files are accessed immediately
• The last access date and time stamp for the files
change to the current date and time
– Destroys any potential evidence
• That shows when a Windows XP workstation was last
used

Guide to Computer Forensics and Investigations 61

 Understanding Virtual Machines

• Virtual machine
– Allows you to create a representation of another
computer on an existing physical computer
• A virtual machine is just a few files on your hard
drive
– Must allocate space to it
• A virtual machine recognizes components of the
physical machine it’s loaded on
– Virtual OS is limited by the physical machine’s OS

Guide to Computer Forensics and Investigations 62

Guide to Computer Forensics and Investigations 63
 Understanding Virtual Machines
(continued)

• In computer forensics
– Virtual machines make it possible to restore a
suspect drive on your virtual machine
• And run nonstandard software the suspect might have
loaded
• From a network forensics standpoint, you need to
be aware of some potential issues, such as:
– A virtual machine used to attack another system or
network

Guide to Computer Forensics and Investigations 64

 Creating a Virtual Machine

• Two popular applications for creating virtual

machines
– VMware and Microsoft Virtual PC
• Using Virtual PC
– You must download and install Virtual PC first

Guide to Computer Forensics and Investigations 65

Guide to Computer Forensics
and Investigations
Fourth Edition

Chapter 7
Current Computer Forensics
Tools
 Types of Computer Forensics Tools

• Hardware forensic tools

– Range from single-purpose components to complete
computer systems and servers
• Software forensic tools
– Types
• Command-line applications
• GUI applications
– Commonly used to copy data from a suspect’s disk
drive to an image file

Guide to Computer Forensics and Investigations 67

 Tasks Performed by Computer
Forensics Tools

• Five major categories:

– Acquisition
– Validation and discrimination
– Extraction
– Reconstruction
– Reporting

Guide to Computer Forensics and Investigations 68

 Tasks Performed by Computer
Forensics Tools (continued)
• Acquisition
– Making a copy of the original drive
• Acquisition subfunctions:
– Physical data copy
– Logical data copy
– Data acquisition format
– Command-line acquisition
– GUI acquisition
– Remote acquisition
– Verification

Guide to Computer Forensics and Investigations 69

 Tasks Performed by Computer
Forensics Tools (continued)

• Acquisition (continued)
– Two types of data-copying methods are used in
software acquisitions:
• Physical copying of the entire drive
• Logical copying of a disk partition
– The formats for disk acquisitions vary
• From raw data to vendor-specific proprietary
compressed data
– You can view the contents of a raw image file with
any hexadecimal editor

Guide to Computer Forensics and Investigations 70

Guide to Computer Forensics and Investigations 71
 Tasks Performed by Computer
Forensics Tools (continued)

• Acquisition (continued)
– Creating smaller segmented files is a typical feature
in vendor acquisition tools
– All computer forensics acquisition tools have a
method for verification of the data-copying process
• That compares the original drive with the image

Guide to Computer Forensics and Investigations 72

 Tasks Performed by Computer
Forensics Tools (continued)

• Validation and discrimination

– Validation
• Ensuring the integrity of data being copied
– Discrimination of data
• Involves sorting and searching through all
investigation data

Guide to Computer Forensics and Investigations 73

 Tasks Performed by Computer
Forensics Tools (continued)
• Validation and discrimination (continued)
– Subfunctions
• Hashing
– CRC-32, MD5, SHA - Secure Hash Algorithms
• Filtering
– Based on hash value sets
• Analyzing file headers
– Discriminate files based on their types
– National Software Reference Library (NSRL) has
compiled a list of known file hashes
• For a variety of OSs, applications, and images

Guide to Computer Forensics and Investigations 74

 Tasks Performed by Computer
Forensics Tools (continued)

Guide to Computer Forensics and Investigations 75

 Tasks Performed by Computer
Forensics Tools (continued)

• Validation and discrimination (continued)

– Many computer forensics programs include a list of
common header values
• With this information, you can see whether a file
extension is incorrect for the file type
– Most forensics tools can identify header values

Guide to Computer Forensics and Investigations 76

Guide to Computer Forensics and Investigations 77
 Tasks Performed by Computer
Forensics Tools (continued)

Guide to Computer Forensics and Investigations 78

 Tasks Performed by Computer
Forensics Tools (continued)

• Extraction
– Recovery task in a computing investigation
– Most demanding of all tasks to master
– Recovering data is the first step in analyzing an
investigation’s data

Guide to Computer Forensics and Investigations 79

 Tasks Performed by Computer
Forensics Tools (continued)
• Extraction (continued)
– Subfunctions
• Data viewing
• Keyword searching
• Decompressing
• Carving (finding hidden or deleted files from digital
media)
• Decrypting
• Bookmarking (tagging of web pages or links)
– Keyword search speeds up analysis for investigators

Guide to Computer Forensics and Investigations 80

Guide to Computer Forensics and Investigations 81
 Tasks Performed by Computer
Forensics Tools (continued)

Guide to Computer Forensics and Investigations 82

 Tasks Performed by Computer
Forensics Tools (continued)

• Extraction (continued)
– From an investigation perspective, encrypted files
and systems are a problem
– Many password recovery tools have a feature for
generating potential password lists
• For a password dictionary attack
– If a password dictionary attack fails, you can run a
brute-force attack

Guide to Computer Forensics and Investigations 83

 Tasks Performed by Computer
Forensics Tools (continued)

• Reconstruction
– Re-create a suspect drive to show what happened
during a crime or an incident
– Subfunctions
• Disk-to-disk copy
• Image-to-disk copy
• Partition-to-partition copy
• Image-to-partition copy

Guide to Computer Forensics and Investigations 84

 Tasks Performed by Computer
Forensics Tools (continued)

• Reconstruction (continued)
– Some tools that perform an image-to-disk copy:
• SafeBack
• SnapBack
• EnCase
• FTK Imager
• ProDiscover

Guide to Computer Forensics and Investigations 85

 Tasks Performed by Computer
Forensics Tools (continued)
• Reporting
– To complete a forensics disk analysis and
examination, you need to create a report
– Subfunctions
• Log reports
• Report generator
– Use this information when producing a final report for
your investigation

Guide to Computer Forensics and Investigations 86

 Tool Comparisons

Guide to Computer Forensics and Investigations 87

 Other Considerations for Tools

• Considerations
– Flexibility
– Reliability
– Expandability
– Keep a library with older version of your tools
• Create a software library containing older versions
of forensics utilities, OSs, and other programs

Guide to Computer Forensics and Investigations 88

 Computer Forensics Software Tools

• The following sections explore some options for

command-line and GUI tools in both Windows and
UNIX/Linux

Guide to Computer Forensics and Investigations 89

 Command-line Forensic Tools

• The first tools that analyzed and extracted data

from floppy disks and hard disks were MS-DOS
tools for IBM PC file systems
• Norton DiskEdit
– One of the first MS-DOS tools used for computer
investigations
• Advantage
– Command-line tools require few system resources
• Designed to run in minimal configurations

Guide to Computer Forensics and Investigations 90

Guide to Computer Forensics and Investigations 91
Guide to Computer Forensics and Investigations 92
Guide to Computer Forensics and Investigations 93
 Forensic Workstations

• Carefully consider what you need

• Categories
– Stationary
– Portable
– Lightweight
• Balance what you need and what your system can
handle

Guide to Computer Forensics and Investigations 94

 Forensic Workstations (continued)

• Police agency labs

– Need many options
– Use several PC configurations
• Private corporation labs
– Handle only system types used in the organization
• Keep a hardware library in addition to your software
library

Guide to Computer Forensics and Investigations 95

 Forensic Workstations (continued)

• Advantages
– Customized to your needs
– Save money
• Disadvantages
– Hard to find support for problems
– Can become expensive if careless
• Also need to identify what you intend to analyze

Guide to Computer Forensics and Investigations 96

 Using a Write-Blocker

• Write-blocker
– Prevents data writes to a hard disk
• Software-enabled blockers
– Software write-blockers are OS dependant
– Example: PDBlock from Digital Intelligence
• Hardware options
– Ideal for GUI forensic tools
– Act as a bridge between the suspect drive and the
forensic workstation

Guide to Computer Forensics and Investigations 97

 Using a Write-Blocker (continued)

• Can navigate to the blocked drive with any

application
• Discards the written data
– For the OS the data copy is successful
• Connecting technologies
– FireWire
– USB 2.0
– SCSI controllers

Guide to Computer Forensics and Investigations 98

 Validating and Testing Forensic
Software

• Make sure the evidence you recover and analyze

can be admitted in court
• Test and validate your software to prevent
damaging the evidence

Guide to Computer Forensics and Investigations 99

 Using National Institute of Standards
and Technology (NIST) Tools
(continued)
• Your lab must meet the following criteria
– Establish categories for computer forensics tools
– Identify computer forensics category requirements
– Develop test assertions
– Identify test cases
– Establish a test method
– Report test results
• Also evaluates drive-imaging tools using
– Forensic Software - Testing Support Tools (FS-TST)

Guide to Computer Forensics and Investigations 100

 Using National Institute of Standards
and Technology (NIST) Tools
(continued)
• National Software Reference Library (NSRL)
project
– Collects all known hash values for commercial
software applications and OS files
• Uses SHA-1 to generate a known set of digital
signatures called the Reference Data Set (RDS)
– Helps filtering known information
– Can use RDS to locate and identify known bad files

Guide to Computer Forensics and Investigations 101

 Using Validation Protocols

• Always verify your results

• Use at least two tools
– Retrieving and examination
– Verification
• Understand how tools work
• One way to compare results and verify a new tool is
by using a disk editor
– Such as Hex Workshop or WinHex

Guide to Computer Forensics and Investigations 102

Using Validation Protocols (continued)

• Disk editors
– Do not have a flashy interface
– Reliable tools
– Can access raw data
• Computer Forensics Examination Protocol
– Perform the investigation with a GUI tool
– Verify your results with a disk editor
– Compare hash values obtained with both tools

Guide to Computer Forensics and Investigations 103

 Case Study

https://eclipseforensics.com/3-famous-cases-solved-t
hrough-digital-forensics/

http://prateek-paranjpe.blogspot.com/p/cyber-forensic
s-case-studies.html

104