Guide to Computer Forensics and Investigations Fourth Edition

Chapter 6 Working with Windows and DOS Systems

Objectives
Explain the purpose and structure of file systems Describe Microsoft file structures Explain the structure of New Technology File System (NTFS) disks List some options for decrypting drives encrypted with whole disk encryption

Objectives (continued)
Explain how the Windows Registry works Describe Microsoft startup tasks Describe MS-DOS startup tasks Explain the purpose of a virtual machine

Understanding File Systems

Understanding File Systems

File system
Gives OS a road map to data on a disk

Type of file system an OS uses determines how data is stored on the disk A file system is usually directly related to an OS When you need to access a suspects computer to acquire or inspect data
You should be familiar with the computers platform

Understanding the Boot Sequence

Complementary Metal Oxide Semiconductor (CMOS)
Computer stores system configuration and date and time information in the CMOS
When power to the system is off

Basic Input/Output System (BIOS)

Contains programs that perform input and output at the hardware level

Understanding the Boot Sequence (continued)

Bootstrap process
Contained in ROM, tells the computer how to proceed Displays the key or keys you press to open the CMOS setup screen
Could be Delete, F2, F10, Ctrl+Alt+Insert, Ctrl+A, Ctrl+S, Ctrl+F1, or something else

CMOS should be modified to boot from a forensic floppy disk or CD

BIOS Setup Utility

Understanding Disk Drives

Disk drives are made up of one or more platters coated with magnetic material Disk drive components
Geometry Head Tracks Cylinders Sectors
Holds 512 bytes, you cannot read or write anything less than a sector

Understanding Disk Drives (continued)

Properties handled at the drives hardware or firmware level
Zoned bit recording (ZBR) (resizing sectors to compensate for distance from the center) Track density Areal density Head and cylinder skew

No Need for Multi-Path Erasure

On older disks, the space between tracks was wider, which allowed heads to wander This made it possible for specialists to retrieve data from previous writes to a platter, even after erasure
Using an electron microscope

On any IDE or SATA or later hard drive, this is impossible A single pass of zeroes erases all data on a disk so it cannot be recovered by any currently known technique

Exploring Microsoft File Structures

Exploring Microsoft File Structures

In Microsoft file structures, sectors are grouped to form clusters
Storage allocation units of one or more sectors

Clusters are typically 512, 1024, 2048, 4096, or more bytes each Combining sectors minimizes the overhead of writing or reading files to a disk

Exploring Microsoft File Structures (continued)

Clusters are numbered sequentially starting at 2
First sector of all disks contains a system area, the boot record, and a file structure database

OS assigns these cluster numbers, called logical addresses Sector numbers are called physical addresses Clusters and their addresses are specific to a logical disk drive, which is a disk partition

Disk Partitions
A partition is a logical drive FAT16 does not recognize disks larger than 2 GB
Note error on page 202 of textbook
It's 2 GB, not 2 MB

Large disks have to be partitioned

Hidden partitions or voids

Large unused gaps between partitions on a disk

Partition gap
Unused space between partitions

Disk Partitions (continued)

Disk editor utility can alter information in partition table
To hide a partition

Can examine a partitions physical level with a disk editor:

HxD, Norton DiskEdit, WinHex, or Hex Workshop

Analyze the key hexadecimal codes the OS uses to identify and maintain the file system

Demo: VM with Three Partitions

Partition Types
NTFS: 07 FAT: 06 FAT32: 0B

Viewing the Partition Table HxD

Start HxD, Extras, Open Disk, choose Physical Disk Partition Table starts at 0x1BE Partition Type field is at offset 0x04 in each record

Master Boot Record Structure

From Wikipedia Link Ch 6a

Partition Table Structure

From Wikipedia Link Ch 6a

Partition Mark at Start of Volume

Start HxD, Extras, Open Disk NTFS

FAT32

BMP File in HxD

Start HxD, File, Open BM at start indicates a BMP file

Word Doc File in HxD

Start HxD, File, Open Word 2003 Format uses these 7 bytes

.docx format is actually a Zip archive

See links Ch 6b, 6c

Master Boot Record

On Windows and DOS computer systems
Boot disk contains a file called the Master Boot Record (MBR)

MBR stores information about partitions on a disk and their locations, size, and other important items Several software products can modify the MBR, such as PartitionMagics Boot Magic

Examining FAT Disks

File Allocation Table (FAT)
File structure database that Microsoft originally designed for floppy disks Used before Windows NT and 2000

FAT database is typically written to a disks outermost track and contains:

Filenames, directory names, date and time stamps, the starting cluster number, and file attributes

FAT versions
FAT12, FAT16, FAT32, FATX (for Xbox), and VFAT

FAT Versions
FAT12for floppy disks, max size 16 MB FAT16allows hard disk sizes up to 2 GB FAT32 allows hard disk sizes up to 2 TB FATXFor Xbox media
The date stamps start at the year 2000, unlike the other FAT formats that start at 1980

VFAT (Virtual File Allocation Table)

Allows long file names on Windows (MS-DOS had 8.3 limitation)

Examining FAT Disks (continued)

Cluster sizes vary according to the hard disk size and file system This table is for FAT-16

Examining FAT Disks (continued)

Microsoft OSs allocate disk space for files by clusters
Results in drive slack
Unused space in a cluster between the end of an active file and the end of the cluster

Drive slack includes:

RAM slack and file slack

An unintentional side effect of FAT16 having large clusters was that it reduced fragmentation
As cluster size increased

Examining FAT Disks (continued)

Examining FAT Disks (continued)

When you run out of room for an allocated cluster
OS allocates another cluster for your file, which creates more slack space on the disk

As files grow and require more disk space, assigned clusters are chained together
The chain can be broken or fragmented

ProDiscover Showing Cluster Chain

Examining FAT Disks (continued)

When the OS stores data in a FAT file system, it assigns a starting cluster position to a file
Data for the file is written to the first sector of the first assigned cluster

When this first assigned cluster is filled and runs out of room
FAT assigns the next available cluster to the file

If the next available cluster isnt contiguous to the current cluster

File becomes fragmented

Deleting FAT Files

In Microsoft OSs, when a file is deleted
Directory entry is marked as a deleted file
With the HEX E5 () character replacing the first letter of the filename FAT chain for that file is set to 0

Data in the file remains on the disk drive Area of the disk where the deleted file resides becomes unallocated disk space
Available to receive new data from newly created files or other files needing more space

iClicker Questions

Which of these always contains 512 bytes?

A.Head

B.Track
C.Cylinder D.Sector E.Cluster

Which of these has a capacity that varies with partition size?

A.Head

B.Track
C.Cylinder D.Sector E.Cluster

Which file system has a maximum partition size of 2 GB?

A.FAT12

B.FAT16
C.FAT32 D.FATX E.VFAT

Which term describes padding added to data to make an integral multiple of 512 bytes?
A.Drive slack

B.RAM slack
C.File slack D.Fragmented E.Unallocated space

Examining NTFS Disks

New Technology File System (NTFS)
Introduced with Windows NT Recommended file system for Windows 200 Pro, XP, and later versions through Windows 7 at least

Improvements over FAT file systems

NTFS provides more information about a file NTFS gives more control over files and folders

NTFS was Microsofts move toward a journaling file system

Examining NTFS Disks (continued)

In NTFS, everything written to the disk is considered a file On an NTFS disk
First data set is the Partition Boot Sector Next is Master File Table (MFT)

NTFS results in much less file slack space Clusters are smaller for smaller disk drives NTFS also uses Unicode
An international data format

Examining NTFS Disks (continued)

Table 3 seems to be wrong (thanks to Richard Rosson for pointing this out) Correct cluster sizes are at link Ch 6d

NTFS File System

MFT contains information about all files on the disk
Including the system files the OS uses

In the MFT, the first 15 records are reserved for system files Records in the MFT are called metadata

NTFS File System (continued)

NTFS File System (continued)

MFT and File Attributes

In the NTFS MFT
All files and folders are stored in separate records of 1024 bytes each

Each record contains file or folder information

This information is divided into record fields containing metadata

A record field is referred to as an attribute ID File or folder information is typically stored in one of two ways in an MFT record:
Resident and nonresident

MFT and File Attributes (continued)

Files larger than 512 bytes are stored outside the MFT
MFT record provides cluster addresses where the file is stored on the drives partition
Referred to as data runs

Each MFT record starts with a header identifying it as a resident or nonresident attribute

Resident File in a MFT Record

Resident File Data in the MFT

This figure is a repeat of a portion of the previous one

Nonresident File's MFT Record

Skip Pages 216-223

MFT and File Attributes (continued)

When a disk is created as an NTFS file structure
OS assigns logical clusters to the entire disk partition

These assigned clusters are called logical cluster numbers (LCNs)

Become the addresses that allow the MFT to link to nonresident files on the disks partition

NTFS Data Streams

Data streams
Ways data can be appended to existing files Can obscure valuable evidentiary data, intentionally or by coincidence

In NTFS, a data stream becomes an additional file attribute

Allows the file to be associated with different applications

You can only tell whether a file has a data stream attached by examining that files MFT entry

Alternate Data Streams Demonstration

NTFS Compressed Files

NTFS provides compression similar to FAT DriveSpace 3 Under NTFS, files, folders, or entire volumes can be compressed Most computer forensics tools can uncompress and analyze compressed Windows data

NTFS Encrypting File System (EFS)

Encrypting File System (EFS)
Introduced with Windows 2000 Implements a public key and private key method of encrypting files, folders, or disk volumes

When EFS is used in Windows 2000

A recovery certificate is generated and sent to the local Windows administrator account

Users can apply EFS to files stored on their local workstations or a remote server

Error in Textbook
Page 225 Only Windows 2000 used the Administrator account as the default EFS Recovery Agent Windows XP and later versions have no EFS recovery agent by default
Links Ch 6e, 6f

Deleting NTFS Files

When a file is deleted in Windows XP, 2000, or NT
The OS renames it and moves it to the Recycle Bin

Can use the Del (delete) MS-DOS command

Eliminates the file from the MFT listing in the same way FAT does

Understanding Whole Disk Encryption

Understanding Whole Disk Encryption

In recent years, there has been more concern about loss of
Personal identity information (PII) and trade secrets caused by computer theft

Of particular concern is the theft of laptop computers and other handheld devices To help prevent loss of information, software vendors now provide whole disk encryption

Understanding Whole Disk Encryption (continued)

Current whole disk encryption tools offer the following features:
Preboot authentication Full or partial disk encryption with secure hibernation Advanced encryption algorithms Key management function A Trusted Platform Module (TPM) microchip to generate encryption keys and authenticate logins

Understanding Whole Disk Encryption (continued)

Whole disk encryption tools encrypt each sector of a drive separately Many of these tools encrypt the drives boot sector
To prevent any efforts to bypass the secured drives partition

To examine an encrypted drive, decrypt it first

Run a vendor-specific program to decrypt the drive

Examining Microsoft BitLocker

Available only with Vista/Win 7 Enterprise and Ultimate editions Hardware and software requirements
A computer capable of running Windows Vista/7 The TPM microchip, version 1.2 or newer A computer BIOS compliant with Trusted Computing Group (TCG) Two NTFS partitions; a 1.5 GB or 100 MB partition use just for BitLocker, and the partition containing Windows The BIOS configured so that the hard drive boots first before checking other bootable peripherals

Examining Third-Party Disk Encryption Tools

Some available third-party WDE utilities:
PGP Whole Disk Encryption Voltage SecureDisk Utimaco SafeGuard Easy Jetico BestCrypt Volume Encryption SoftWinter Sentry 2020 for Windows XP

Some available open-source encryption tools:

TrueCrypt CrossCrypt FreeOTFE

iClicker Questions

What is stored in these clusters?

A.Data run

B.Alternate Data stream

C.File slack D.Metadata E.Resident file data

Which of these is a hardware device used to encrypt a hard drive?

A.PII

B.EFS
C.TPM D.MFT E.FAT

Which of these should never be stored on a laptop without encryption?

A.PII

B.EFS
C.MBR D.MFT E.FAT

A small file contains only ten bytes of text on an NTFS volume. Where are those ten bytes stored?
A.MFT

B.Data run
C.Data stream D.FAT E.Drive slack

Understanding the Windows Registry

Understanding the Windows Registry

Registry
A database that stores hardware and software configuration information, network connections, user preferences, and setup information

For investigative purposes, the Registry can contain valuable evidence To view the Registry, you can use:
Regedit (Registry Editor) program for Windows 9x systems Regedt32 for Windows 2000 and XP

Exploring the Organization of the Windows Registry

Registry terminology:
Registry Registry Editor HKEY Key Subkey Branch Value Default value Hives

Exploring the Organization of the Windows Registry (continued)

Exploring the Organization of the Windows Registry (continued)

Understanding Microsoft Startup Tasks

Understanding Microsoft Startup Tasks

Learn what files are accessed when Windows starts This information helps you determine when a suspects computer was last accessed
Important with computers that might have been used after an incident was reported

Startup in Windows NT and Later

All Windows NT computers perform the following steps when the computer is turned on:
Power-on self test (POST) Initial startup Boot loader Hardware detection and configuration Kernel loading User logon

Startup Process for Windows Vista

Uses the new Extensible Firmware Interface ( EFI) as well as the older BIOS system. NT Loader (NTLDR) has been replaced by three boot utilities
Bootmgr.exedisplays list of operating systems Winload.exeloads kernel, HAL, and drivers Winresume.exerestarts Vista after hibernation

See link Ch 6g

Startup Files for Windows XP

NT Loader (NTLDR) Boot.ini BootSect.dos NTDetect.com NTBootdd.sys Ntoskrnl.exe Hal.dll Pagefile.sys Device drivers

Startup in Windows NT and Later (continued)

Windows XP System Files

Startup in Windows NT and Later (continued)

Contamination Concerns with Windows XP
When you start a Windows XP NTFS workstation, several files are accessed immediately
The last access date and time stamp for the files change to the current date and time

Destroys any potential evidence

That shows when a Windows XP workstation was last used

Startup in Windows 9x/Me

System files in Windows 9x/Me containing valuable information can be altered easily during startup Windows 9x and Windows Me have similar boot processes
With Windows Me you cant boot to a true MS-DOS mode

Windows 9x OSs have two modes:

DOS protected-mode interface (DPMI) Protected-mode GUI

Startup in Windows 9x/Me (continued)

The system files used by Windows 9x have their origin in MS-DOS 6.22
Io.sys communicates between a computers BIOS, the hardware, and the OS kernel
If F8 is pressed during startup, Io.sys loads the Windows Startup menu

Msdos.sys is a hidden text file containing startup options for Windows 9x Command.com provides a command prompt when booting to MS-DOS mode (DPMI)

Understanding MS-DOS Startup Tasks

Understanding MS-DOS Startup Tasks

Two files are used to configure MS-DOS at startup:
Config.sys
A text file containing commands that typically run only at system startup to enhance the computers DOS configuration

Autoexec.bat
A batch file containing customized settings for MSDOS that runs automatically

Io.sys is the first file loaded after the ROM bootstrap loader finds the disk drive

Understanding MS-DOS Startup Tasks (continued)

Msdos.sys is the second program to load into RAM immediately after Io.sys
It looks for the Config.sys file to configure device drivers and other settings

Msdos.sys then loads Command.com As the loading of Command.com nears completion, Msdos.sys looks for and loads Autoexec.bat

Other Disk Operating Systems

Control Program for Microprocessors (CP/M)
First nonspecific microcomputer OS Created by Digital Research in 1970 8-inch floppy drives; no support for hard drives

Digital Research Disk Operating System (DR-DOS)

Developed in 1988 to compete with MS-DOS Used FAT12 and FAT16 and had a richer command environment

Other Disk Operating Systems (continued)

Personal Computer Disk Operating System (PCDOS)
Created by Microsoft under contract for IBM PC-DOS works much like MS-DOS

Understanding Virtual Machines

Understanding Virtual Machines

Virtual machine
Allows you to create a representation of another computer on an existing physical computer

A virtual machine is just a few files on your hard drive

Must allocate space to it

A virtual machine recognizes components of the physical machine its loaded on

Virtual OS is limited by the physical machines OS

Understanding Virtual Machines (continued)

In computer forensics
Virtual machines make it possible to restore a suspect drive on your virtual machine
And run nonstandard software the suspect might have loaded

From a network forensics standpoint, you need to be aware of some potential issues, such as:
A virtual machine used to attack another system or network

Creating a Virtual Machine

Two popular applications for creating virtual machines
VMware and Microsoft Virtual PC

Using Virtual PC
You must download and install Virtual PC first

Creating a Virtual Machine (continued)

Creating a Virtual Machine (continued)

Creating a Virtual Machine (continued)

You need an ISO image of an OS
Because no OSs are provided with Virtual PC

Virtual PC creates two files for each virtual machine:

A .vhd file, which is the actual virtual hard disk A .vmc file, which keeps track of configurations you make to that disk

See what type of physical machine your virtual machine thinks its running
Open the Virtual PC Console, and click Settings

Creating a Virtual Machine (continued)

Creating a Virtual Machine (continued)

iClicker Questions

What file loads the kernel in Windows 7?

A.Ntldr

B.Bootmgr
C.Winload D.Boot.ini E.Io.sys

Which of these is a new technology to start computers, replacing the BIOS?

A.EFI

B.TPM
C.Ntldr D.HAL E.Winload

Which module shows the user a list of available operating systems on a Windows XP machine?
A.Bootmgr

B.Winload
C.Hal D.Config.sys E.Ntldr