Questions and Answers
What is the primary purpose of the EFS recovery certificate?
Where is the recovery key stored when EFS is used on a network?
What commands can a Windows administrator use to recover an encrypted EFS file?
Under which circumstances can EFS recovery become problematic?
What is contained in the boot configuration data (BCD) store during the Windows 10 boot process?
Which factor is crucial for an investigator when examining Windows startup processes?
Which of the following devices is NOT explicitly mentioned as part of the Windows 10 boot process?
What can users apply EFS to in their configuration?
What is the primary purpose of file system analysis?
Which layer of forensic analysis involves examining storage locations on devices like hard disks and flash drives?
What structures help determine the organization of data on a disk in a file system?
How does the BIOS receive power to perform input and output operations?
What is the maximum storage limit typically supported by CHS addressing?
Which component should be used to avoid altering evidentiary data when examining a hard disk?
What are Logical Block Addresses (LBA) primarily used for?
What must an investigator do during the bootstrap process to examine data without contamination?
Which file system component is responsible for defining how files are created, read, and written?
What is the role of the UEFI in a computer’s architecture?
Which of the following best describes a track on a hard disk?
What information can be found through volume analysis?
Which programming feature is primarily associated with the application layer analysis?
What does CHS addressing rely on for locating data on a disk?
What is the primary reason data in solid-state storage devices may be lost after deletion?
How does a solid-state drive maintain data integrity during reads and writes?
Which component of a solid-state drive tracks the addresses of deleted data?
What is a common characteristic of clusters in Microsoft file structures?
Which of the following partitioning systems allows for one extended partition containing multiple logical drives?
What does the logical address of a cluster do in a file system?
Which tool can be used to examine and analyze hidden partitions and their structures?
Which file system feature allows hiding data by creating large unused gaps?
What limits the maximum addressable storage space with a Master Boot Record (MBR)?
In which scenario is it crucial to make a full forensic copy of a solid-state drive?
What is the purpose of the File Allocation Table (FAT) in Microsoft file systems?
Which file system allows for a more complex data structure than the Master Boot Record?
What technique can be used to hide incriminating evidence on a disk?
What is the main purpose of the FAT file structure on disks?
Which FAT version supports the largest disk partitions, up to 16 exabytes?
What is a key feature of the NTFS file system compared to FAT?
What happens to a deleted file in the FAT file system?
In NTFS, what does the Master File Table (MFT) primarily store?
How does NTFS handle file transactions in the event of a system failure?
What is drive slack in the context of file allocation?
Which of the following is true about the cluster sizes in FAT32?
What identifies the first 15 records in the NTFS Master File Table (MFT)?
What does the term 'nonresident' refer to in NTFS?
Which command creates an alternate data stream in NTFS?
What is typically located at sector 0 of an NTFS disk?
What allows NTFS to manage security and access control for files?
What contributes to fragmentation in file storage on a disk?
Study Notes
Disk and File System Analysis
- Investigators must understand the structure and purpose of file systems, as well as Microsoft file structures and startup tasks.
- This analysis involves understanding how data is stored and managed in Microsoft operating systems, including legacy and modern Windows.
- The analysis also explores how files are structured and managed, including clusters, FAT, and NTFS systems.
Layers of Forensic Analysis
- Storage media analysis: Examines non-volatile storage like hard disks and flash drives, focusing on partitions or volumes, which are collections of storage locations for user/application access.
- Volume analysis: Analyzes data at the volume level to determine the location of file systems, hidden data, and other relevant data.
- File system analysis: Investigates the structures that allow an application to create, read, and write files. This includes identifying files, recovering deleted files, and finding hidden data.
- Application layer analysis: Examines the structure of each file based on the application or OS that created it, determining the appropriate program for analysis.
Understanding File Systems
- An OS uses file systems to access data on a disk. The specific file system determines how data is stored.
- The boot sequence is essential to understand how an OS operates and how data is accessed and modified during the startup process.
Understanding the Boot Sequence
- CMOS RAM, kept powered by a small battery on the motherboard while the system is off, holds the firmware's configuration settings and the real-time clock; that battery is why the settings (and the clock an investigator may compare timestamps against) survive a power loss.
- The BIOS or UEFI firmware contains the code that initializes hardware and performs input and output before any OS is loaded. Legacy BIOS boots from an MBR disk by executing the code in sector 0; UEFI boots an .efi application from a FAT-formatted EFI System Partition on a GPT disk (and, where a Compatibility Support Module is enabled, can still boot MBR disks). Neither is tied to a CPU width: 32-bit and 64-bit x86 as well as ARM systems ship UEFI today.
- EFI originated at Intel; UEFI (Unified Extensible Firmware Interface) is the successor specification maintained by the UEFI Forum, and it standardizes the interface between a computer's firmware and the OS.
- Before starting a suspect system, boot it from a forensically configured CD/DVD/USB medium, or better, remove the drive and image it through a hardware write blocker, so that nothing on the evidence disk is overwritten or altered.
Hard Disk Geometry
- Head: The device that reads and writes data on a drive.
- Track: Concentric circles on a disk platter.
- Cylinder: A column of tracks on disk platters.
- Sector: A section on a track.
Tracks, Sectors, Clusters, Cylinders
- Sectors are wedge-shaped areas on a track and are the smallest addressable unit; traditionally a sector holds 512 bytes, while Advanced Format drives use 4096-byte physical sectors and usually still present 512-byte logical sectors to the OS, which matters when a tool assumes the sector size.
- A collection of sectors is known as a cluster or block.
- Cylinders are formed by all tracks in the same vertical position.
CHS Addressing
- CHS addressing identifies a sector by its cylinder (C), head (H) and sector (S) numbers.
- Cylinders and heads are numbered from 0; sectors are numbered from 1 within each track.
- The first sector on the disk therefore has the CHS address 0, 0, 1.
Logical Block Addresses (LBA)
- LBA uses a single sequential number, starting at 0, to refer to each sector, so the OS needs no knowledge of the physical geometry.
- LBA 0 corresponds to CHS 0, 0, 1.
- To convert, the geometry's heads per cylinder (HPC) and sectors per track (SPT) are needed: LBA = (C × HPC + H) × SPT + (S − 1). The classic BIOS CHS limits (1024 cylinders, 255 heads, 63 sectors) are why CHS could not address drives much beyond 8 GB, and why LBA replaced it.
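The conversion described above, as an added example that is not part of the original study notes. It implements CHS to LBA and back with the numbering rules given (cylinders and heads from 0, sectors from 1) and computes the capacity ceilings that follow from the historical BIOS and early IDE geometries, which are assumed values used here for illustration.

```python
# Added example (not from the original study notes): CHS <-> LBA conversion and
# the arithmetic behind the classic CHS capacity ceilings. The geometries are the
# historical BIOS/IDE values and are assumptions for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    heads_per_cylinder: int   # H numbered 0 .. heads_per_cylinder-1
    sectors_per_track: int    # S numbered 1 .. sectors_per_track


def chs_to_lba(cylinder: int, head: int, sector: int, geo: Geometry) -> int:
    """LBA = (C * HPC + H) * SPT + (S - 1); sectors start at 1, heads/cylinders at 0."""
    if cylinder < 0 or not 0 <= head < geo.heads_per_cylinder:
        raise ValueError(f"cylinder/head out of range for {geo}")
    if not 1 <= sector <= geo.sectors_per_track:
        raise ValueError(f"sector {sector} must be 1..{geo.sectors_per_track}")
    return (cylinder * geo.heads_per_cylinder + head) * geo.sectors_per_track + (sector - 1)


def lba_to_chs(lba: int, geo: Geometry) -> tuple:
    """Inverse of chs_to_lba: peel off whole cylinders, then heads, then the 1-based sector."""
    if lba < 0:
        raise ValueError("LBA must be non-negative")
    cylinder, rem = divmod(lba, geo.heads_per_cylinder * geo.sectors_per_track)
    head, sector0 = divmod(rem, geo.sectors_per_track)
    return cylinder, head, sector0 + 1


def capacity_bytes(cylinders: int, geo: Geometry, bytes_per_sector: int = 512) -> int:
    """Bytes addressable by a geometry: C * H * S * sector size."""
    return cylinders * geo.heads_per_cylinder * geo.sectors_per_track * bytes_per_sector


# BIOS INT 13h allows 1024 cylinders, 256 heads (255 used in practice) and 63 sectors.
BIOS_MAX_CYLINDERS = 1024
BIOS_GEOMETRY = Geometry(heads_per_cylinder=255, sectors_per_track=63)
# Early IDE/ATA drives exposed only 16 heads, which gave the well-known 504 MiB barrier.
IDE_GEOMETRY = Geometry(heads_per_cylinder=16, sectors_per_track=63)


def round_trip_ok(lba: int, geo: Geometry) -> bool:
    """Sanity check to run when validating a tool's geometry assumptions."""
    return chs_to_lba(*lba_to_chs(lba, geo), geo) == lba
```

With the 255/63 BIOS geometry, cylinder 1 begins at LBA 16065, and the full 1024-cylinder range covers 8,422,686,720 bytes (about 7.8 GiB); the 16-head IDE geometry covers 528,482,304 bytes, exactly 504 MiB.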
Solid-State Storage Devices (SSD)
- SSDs pose challenges for investigators because of wear-leveling: the controller continually remaps logical addresses to different physical flash pages so that all cells wear evenly, so the physical location of a given piece of data changes over time.
- Deleted data on an SSD may be lost for good if the drive is not imaged promptly.
- Flash cells tolerate only a limited number of program/erase (P/E) cycles; when a cell reaches its limit it can no longer reliably retain data, and the controller retires it.
SSD: Wear-Leveling and Garbage Collection
- When the OS deletes a file it issues a TRIM command telling the SSD which logical blocks are no longer in use; the drive's garbage collector then erases those flash blocks in the background, which resets every cell to 1 (the block reads back as 0xFF). Because this happens inside the drive on its own schedule, "unallocated space" on an SSD can already be blank by the time it is examined, and a write blocker does not prevent it.
- Creating a full forensic copy as quickly as possible is therefore crucial for solid-state devices if anything is to be recovered from unallocated space.
Exploring Microsoft File Structures
- Understanding Microsoft file systems is essential for investigators examining Windows and DOS computers.
- File systems determine how data is stored, including clusters, FAT, and NTFS.
Clusters
- Clusters are groups of sectors; on Windows file systems the default cluster sizes range from 512 bytes (one sector) up to 64 KB, with larger sizes possible on recent NTFS versions.
- The number of sectors per cluster is chosen at format time and depends on the volume size and the file system.
- Cluster numbers are assigned sequentially, starting at 0 in NTFS and at 2 in FAT (FAT entries 0 and 1 are reserved).
Finding Hidden Data
- Disk editors can be used to examine a partition's physical level, view file headers, and analyze hex codes that identify and maintain the file system.
- This is known as partition/volume analysis, which involves examining data structures and partition tables.
Disk Partitions
- Hard disks are divided into logical drives (partitions or volumes), each containing a group of clusters.
- Partition tables record the starting sector, the size (or ending sector) and the type of each partition.
- An MBR partition table holds four entries, so a disk can have four primary partitions, or three primary partitions plus one extended partition that in turn holds a chain of logical drives.
Hidden Partitions
- Data can be hidden by creating hidden partitions or by using unused space between partitions (a partition gap); the sectors between the MBR and the first partition are a common spot.
- Disk editors can be used to access both hidden and unused areas.
- Hidden data can also be placed beyond the capacity the drive reports: a host protected area (HPA) or device configuration overlay (DCO) makes the drive declare a smaller size than it actually has, so the area past the declared end is invisible to the OS and to tools that trust the reported size.
Partition Tables
- The partition table is located in the Master Boot Record (MBR) at sector 0 of the disk, specifically designed for legacy PCs.
- The MBR contains the disk layout, including the primary partitions and extended partition.
- The partition table can be examined using a hex editor like WinHex.
Partition Analysis Steps
- Identify the disk type: Determine if it's an MBR or GPT disk.
- Find and examine the partition table: Identify partitions and their starting/ending sectors.
- Analyze specific partitions: Examine data structures and specific files within each partition.
- Document findings: Record all information found in the partition table and data structures.
- Consider hidden areas: Look for potential hidden partitions or unused space.
GPT (GUID Partition Table)
- Designed for larger storage devices: MBR entries store the starting sector and the sector count as 32-bit values, which with 512-byte sectors caps an MBR disk at 2 TiB (2^32 sectors).
- More complex than MBR: GPT keeps a protective MBR in sector 0, a GPT header in sector 1 and a partition entry array (128 entries by default, each identified by a GUID, Globally Unique Identifier), with a backup copy of the header and array at the end of the disk. The backup copy is worth checking when the primary structures have been damaged or tampered with.
Key File System Structures
- File Allocation Table (FAT): Used in older versions of Windows and provides a map of where data is stored on a disk.
- NT File System (NTFS): Used in newer versions of Windows and features enhanced security, data recovery, and file system management.
Partition Analysis
- To find the partition tables, first locate them: sector 0 for an MBR, sector 1 (header) and sector 2 onward (entry array) for a GPT.
- Then process the data structures to identify the layout and determine the offset of each partition.
- Not all sectors need to be assigned to a partition; unassigned sectors may contain data from a previous file system or data the suspect was trying to hide.
- Conduct consistency checks to find where else evidence could be located: confirm that each partition ends before its container does (the disk for a primary partition, the extended partition for a logical drive), that no two partitions overlap, and note every gap between the end of one partition and the start of the next.
- To identify the OS on an unknown disk, examine the boot sector and file system signatures with a hex editor such as WinHex.
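The partition-table walk and the consistency checks from the steps above, as an added example that is not part of the original study notes. It parses an MBR, follows the extended-partition (EBR) chain to find logical drives, flags partitions that run past their container or overlap, and lists every unallocated gap. The disk image is constructed in memory; every LBA, size and partition type in it is an assumed value.

```python
# Added example (not from the original study notes): parse an MBR partition table,
# follow the extended-partition (EBR) chain, and run the consistency checks an
# examiner uses to find unallocated gaps where data can hide. The disk image is
# constructed in memory below; every LBA and size in it is an assumed value.

import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}          # DOS, LBA and Linux extended partition types
ENTRY = "<B3sB3sII"                           # status, CHS start, type, CHS end, LBA start, sector count


def build_entry(bootable: bool, ptype: int, lba_start: int, count: int) -> bytes:
    """16-byte table entry; the CHS fields carry the 0xFE 0xFF 0xFF marker modern tools write."""
    chs = b"\xfe\xff\xff"
    return struct.pack(ENTRY, 0x80 if bootable else 0x00, chs, ptype, chs, lba_start, count)


def build_table_sector(entries: list) -> bytes:
    """446 bytes of (empty) boot code, four 16-byte entries, 0x55AA boot signature."""
    entries = entries + [bytes(16)] * (4 - len(entries))
    return bytes(446) + b"".join(entries) + b"\x55\xaa"


def parse_entries(sector: bytes) -> list:
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not an MBR/EBR sector")
    found = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype and count:
            found.append({"status": status, "type": ptype, "start": start, "count": count})
    return found


def walk_partitions(read_sector, disk_sectors: int) -> list:
    """All primary and logical partitions with absolute LBAs and the end of their container."""
    parts = []
    for e in parse_entries(read_sector(0)):
        if e["type"] not in EXTENDED_TYPES:
            parts.append({"kind": "primary", "type": e["type"], "start": e["start"],
                          "end": e["start"] + e["count"] - 1, "parent_end": disk_sectors - 1})
            continue
        ext_start, ext_end = e["start"], e["start"] + e["count"] - 1
        ebr, seen = ext_start, set()
        while ebr and ebr not in seen:                   # guard against a looping EBR chain
            seen.add(ebr)
            next_ebr = 0
            for le in parse_entries(read_sector(ebr)):
                if le["type"] in EXTENDED_TYPES:
                    next_ebr = ext_start + le["start"]   # link entries are relative to the extended start
                else:
                    start = ebr + le["start"]            # logical drives are relative to their own EBR
                    parts.append({"kind": "logical", "type": le["type"], "start": start,
                                  "end": start + le["count"] - 1, "parent_end": ext_end})
            ebr = next_ebr
    return parts


def consistency_issues(parts: list) -> list:
    ordered = sorted(parts, key=lambda p: p["start"])
    issues = [f"{p['kind']} at LBA {p['start']} runs past its container ({p['end']} > {p['parent_end']})"
              for p in ordered if p["end"] > p["parent_end"]]
    issues += [f"overlap: partition at LBA {b['start']} starts inside one ending at {a['end']}"
               for a, b in zip(ordered, ordered[1:]) if b["start"] <= a["end"]]
    return issues


def unallocated_gaps(parts: list, disk_sectors: int) -> list:
    """(start, length) of each sector run outside every partition: the boot gap, inter-partition
    gaps, the EBR sector with its padding, and the tail of the disk."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def mbr_max_bytes(sector_size: int = SECTOR) -> int:
    """32-bit start and count fields cap an MBR disk at 2**32 sectors: 2 TiB with 512-byte sectors."""
    return 2 ** 32 * sector_size


# Constructed 2 GiB disk: an NTFS primary, a 2048-sector gap, then an extended partition
# whose single logical drive starts 2048 sectors after its EBR.
DISK_SECTORS = 4 * 1024 * 1024
EXT_START, EXT_COUNT = 1_052_672, 2_097_152
SECTORS = {
    0: build_table_sector([build_entry(True, 0x07, 2048, 1_048_576),
                           build_entry(False, 0x05, EXT_START, EXT_COUNT)]),
    EXT_START: build_table_sector([build_entry(False, 0x07, 2048, EXT_COUNT - 2048)]),
}


def read_sector(lba: int) -> bytes:
    return SECTORS.get(lba, bytes(SECTOR))       # every other sector of the image reads as zeros


def analyse_disk() -> dict:
    parts = walk_partitions(read_sector, DISK_SECTORS)
    return {"partitions": parts, "issues": consistency_issues(parts),
            "gaps": unallocated_gaps(parts, DISK_SECTORS)}


if __name__ == "__main__":
    result = analyse_disk()
    for p in result["partitions"]:
        print(f"{p['kind']:8} type 0x{p['type']:02X}  LBA {p['start']}..{p['end']}")
    print("issues:", result["issues"] or "none")
    for start, length in result["gaps"]:
        print(f"unallocated: LBA {start} +{length} sectors ({length * SECTOR // 1024} KiB)")
```

On the constructed image the walk reports three unallocated runs: the 2048 sectors before the first partition, the 4096 sectors between the end of the primary partition and the start of the logical drive (which include the EBR sector and its padding), and the tail of the disk after the extended partition. Those runs, not the partitions, are where a disk editor should be pointed first when looking for hidden data. To examine a real device, replace read_sector with a function that reads from the image file at lba * SECTOR.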
Examining the Disk
- To explore a disk in WinHex, launch the program and click Tools, Open Disk from the menu to see a list of logical drives.
- Click the C drive (or the working drive) and click OK.
FAT-based Disks
- FAT is the file structure database used to organize files on a disk so the OS can find the files it needs.
- The FAT itself sits near the beginning of the volume, after the reserved sectors (and normally in two copies); it is a table with one entry per cluster that records whether the cluster is free, bad, or part of a file, and if so which cluster comes next. Filenames, directory names, date and time stamps, the starting cluster number and the file attributes (archive, hidden, and so on) are held in 32-byte directory entries, not in the FAT.
- There are three current versions of FAT: FAT16, FAT32, and exFAT (FAT12 survives on floppy images and very small media).
- FAT16 was used on older Microsoft OSs like Windows 95 and Windows NT 3.5 and 4.0; it is limited to 2 GB volumes on most systems (4 GB only with 64 KB clusters under Windows NT).
- FAT32 can access larger capacity drives, but an individual file is still limited to 4 GB.
- exFAT was developed for mobile personal storage devices like flash memory devices and memory sticks; it removes the 4 GB file limit and so can store very large files such as digital images, videos, and audio files.
- Cluster sizes vary according to the hard disk size and file system. In FAT32 file systems, cluster sizes are chosen by the OS at format time and range from 1 sector (512 bytes) to 128 sectors (64 KB).
- Drive Slack: Microsoft OSs allocate disk space to files in whole clusters, so the unused space between the end of a file's content and the end of its last cluster (drive slack) can hold remnants of whatever previously occupied those sectors.
- Drive slack consists of RAM slack (the unused remainder of the last sector written, which older Microsoft OSs padded with whatever happened to be in memory) and file slack (the remaining whole sectors of the cluster, which are not rewritten when the file is written). Newer Windows versions zero the RAM slack, so it no longer leaks memory contents, but file slack still holds old data.
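The FAT mechanics above, as an added example that is not part of the original study notes: a miniature FAT32 volume built in memory, on which the code follows a cluster chain, measures file slack, performs the two changes a deletion actually makes (first byte of the directory entry set to 0xE5, chain entries freed), and then shows why recovering a fragmented file by assuming it was contiguous returns the wrong tail. Cluster size, file name and contents are assumed values.

```python
# Added example (not from the original study notes): a miniature FAT32 volume built
# in memory to show how the FAT chains clusters, what deletion actually changes, and
# where file slack sits. Cluster size, file name and contents are assumed values.

import struct

SECTOR, SECTORS_PER_CLUSTER = 512, 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER             # 2 KiB clusters
FAT_MASK, FREE, EOC = 0x0FFFFFFF, 0, 0x0FFFFFFF    # FAT32 uses 28 bits; >= 0x0FFFFFF8 ends a chain
DIR_ENTRY = "<11sB8xHHHHI"                         # name, attr, (skip), clusHi, wtime, wdate, clusLo, size


class FatVolume:
    def __init__(self, clusters: int):
        self.fat = bytearray(4 * clusters)         # one 32-bit entry per cluster
        self.data = bytearray(CLUSTER * clusters)  # data area; cluster 2 is its first cluster
        self.root = []                             # 32-byte root directory entries
        self.set_fat(0, 0x0FFFFFF8)                # media descriptor slot
        self.set_fat(1, EOC)                       # reserved

    def get_fat(self, cluster: int) -> int:
        return struct.unpack_from("<I", self.fat, 4 * cluster)[0] & FAT_MASK

    def set_fat(self, cluster: int, value: int) -> None:
        struct.pack_into("<I", self.fat, 4 * cluster, value & FAT_MASK)

    def cluster_offset(self, cluster: int) -> int:
        return (cluster - 2) * CLUSTER             # FAT cluster numbering starts at 2

    def follow_chain(self, first: int) -> list:
        chain, c = [], first
        while 2 <= c < 0x0FFFFFF8 and c not in chain:   # stop at EOC, free, bad, or a loop
            chain.append(c)
            c = self.get_fat(c)
        return chain

    def write_file(self, name: str, content: bytes, clusters: list) -> int:
        """Store content over the given clusters in order and add a directory entry for it."""
        assert len(clusters) * CLUSTER >= len(content) > (len(clusters) - 1) * CLUSTER
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            off = self.cluster_offset(c)
            self.data[off:off + len(chunk)] = chunk     # bytes after the chunk are left as they were
            self.set_fat(c, clusters[i + 1] if i + 1 < len(clusters) else EOC)
        first = clusters[0]
        self.root.append(struct.pack(DIR_ENTRY, name.encode("ascii"), 0x20,
                                     first >> 16, 0, 0, first & 0xFFFF, len(content)))
        return len(self.root) - 1

    def entry_info(self, idx: int) -> dict:
        name, attr, hi, _, _, lo, size = struct.unpack(DIR_ENTRY, self.root[idx])
        return {"name": name.decode("latin-1"), "deleted": name[0] == 0xE5,
                "first": (hi << 16) | lo, "size": size}

    def read_file(self, idx: int) -> bytes:
        info = self.entry_info(idx)
        raw = b"".join(bytes(self.data[self.cluster_offset(c):self.cluster_offset(c) + CLUSTER])
                       for c in self.follow_chain(info["first"]))
        return raw[:info["size"]]

    def file_slack(self, idx: int) -> bytes:
        """Bytes between end-of-file and the end of the chain's last cluster."""
        info = self.entry_info(idx)
        last = self.follow_chain(info["first"])[-1]
        used = info["size"] % CLUSTER or CLUSTER
        off = self.cluster_offset(last)
        return bytes(self.data[off + used:off + CLUSTER])

    def delete_file(self, idx: int) -> None:
        """What the driver does on delete: flag the entry with 0xE5 and free the chain.
        The clusters' contents are not touched."""
        info = self.entry_info(idx)
        for c in self.follow_chain(info["first"]):
            self.set_fat(c, FREE)
        self.root[idx] = b"\xe5" + self.root[idx][1:]

    def carve_deleted(self, idx: int) -> bytes:
        """Recovery once the chain is gone: assume the file was contiguous from its first cluster."""
        info = self.entry_info(idx)
        off = self.cluster_offset(info["first"])
        return bytes(self.data[off:off + info["size"]])


def demo() -> dict:
    vol = FatVolume(clusters=16)
    # Constructed leftovers: an old file fragment in cluster 7, stale data filling cluster 9.
    vol.data[vol.cluster_offset(7):vol.cluster_offset(7) + 3] = b"OLD"
    vol.data[vol.cluster_offset(9):vol.cluster_offset(9) + CLUSTER] = b"S" * CLUSTER
    original = bytes(i % 251 for i in range(5000))            # 5000 bytes: 3 clusters, 1144 bytes of slack
    idx = vol.write_file("REPORT  TXT", original, [5, 6, 9])  # fragmented on purpose (7 and 8 skipped)
    before = {"chain": vol.follow_chain(5), "content_ok": vol.read_file(idx) == original,
              "slack": vol.file_slack(idx)}
    vol.delete_file(idx)
    carved = vol.carve_deleted(idx)
    after = {"entry": vol.entry_info(idx),
             "freed": all(vol.get_fat(c) == FREE for c in (5, 6, 9)),
             "carved_prefix_ok": carved[:2 * CLUSTER] == original[:2 * CLUSTER],
             "carved_tail_ok": carved[2 * CLUSTER:] == original[2 * CLUSTER:]}
    return {"before": before, "after": after}
```

After the deletion the directory entry still reveals the name (minus its first character), the starting cluster and the size, and the first two clusters carve back correctly; the third cluster of the recovery is wrong because the chain that pointed from cluster 6 to cluster 9 is gone and the contiguous assumption picks up cluster 7 instead. The 1144 bytes of file slack are the stale data that was in cluster 9 before the file was written, which is exactly what slack-space analysis recovers.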
NTFS-based Disks
- NTFS was introduced with Windows NT and is still the main file system in Windows 10 (and Windows 11).
- Each generation of Windows since NT has included minor changes in NTFS configuration and features.
- NTFS offers substantial improvements over FAT file systems as it provides more information about a file, including security descriptors (access control lists), file ownership, and other file attributes.
- NTFS is a journaling file system: metadata transactions such as creating, deleting or extending a file are recorded in the $LogFile before they are applied.
- Because each transaction is recorded before it is carried out, after a power failure or other interruption the system can either complete the transaction or roll back to the last consistent state. Only metadata is journaled; file contents are not.
NTFS-based Disks (Cntd)
- On an NTFS volume the first structure is the partition boot sector ($Boot), which occupies the first sector of the volume (volume-relative sector 0; on a partitioned disk the MBR or GPT occupies physical sector 0) and is allocated 16 sectors.
- The boot sector's BIOS Parameter Block records the cluster size and the starting cluster of the Master File Table (MFT), which is the first file on the volume; the MFT is not necessarily adjacent to the boot sector.
- The MFT is created when a partition is formatted as an NTFS volume, and NTFS reserves about 12.5% of the volume (the MFT zone) for it so the table can grow without fragmenting.
- As files are added, the reserved MFT zone can be raised in steps up to 50% of the volume.
- An important advantage of NTFS over FAT is that it results in much less file slack space, partly because small files are stored inside their MFT records.
NTFS-based Disks "System files"
- Because everything on an NTFS volume is a file, the first file, $MFT, contains a record for every file and directory on the volume, including the system (metadata) files the OS uses.
- The first 16 MFT records (entries 0 through 15) are reserved for these metadata files: $MFT, $MFTMirr, $LogFile, $Volume, $AttrDef, the root directory, $Bitmap, $Boot, $BadClus, $Secure, $UpCase and $Extend, with the remaining entries unused.
- MFT records themselves are metadata: they describe files rather than holding bulk data.
NTFS-based Disks – MFT and File Attributes
- In the MFT, every file and folder has its own record, normally 1024 bytes, holding that file's or folder's information.
- The record is divided into attributes, each holding metadata about the file or folder, or the file's data, or pointers to where that data lives.
- Each attribute is identified by a type code: for example $STANDARD_INFORMATION is 0x10, $FILE_NAME is 0x30 and $DATA is 0x80.
- Attribute content is stored in one of two ways: resident or nonresident.
- For small files (roughly 512 to 700 bytes, depending on how much room the other attributes take), all metadata and the data itself fit inside the MFT record; such a file is called resident.
- For larger files, the $DATA attribute holds a list of data runs (starting cluster and length pairs) that say where the content lives among the volume's clusters; this is a nonresident attribute.
NTFS-based Disks – MFT and File Attributes (Cntd)
- Each MFT record starts with a record header whose first 4 bytes are the signature FILE; the header also carries an update sequence number that NTFS writes into the last two bytes of each sector of the record, so a record whose sector tails do not match it has been torn or corrupted (tools must restore those bytes from the update sequence array before parsing).
- The header specifies where the first attribute starts: the 2-byte field at offset 0x14 holds that offset, which is typically 0x38 on current NTFS versions.
- Each attribute begins with its own header: a 4-byte type code, then a 4-byte length that says where the attribute ends and the next one starts, then a flag byte that tells whether the attribute's content is resident or nonresident.
- The length value is thus located 4 bytes from the start of the attribute; the attribute list ends with the type code 0xFFFFFFFF.
NTFS Alternate Data Streams
- NTFS alternate data streams (ADS) attach extra data to an existing file; they can obscure valuable evidentiary data, intentionally or by coincidence.
- An alternate data stream is simply an additional, named $DATA attribute in the file's MFT record, addressed as filename:streamname; the stream is invisible to Explorer and to an ordinary directory listing and does not change the file's reported size. Windows uses streams legitimately as well, for example the Zone.Identifier stream that marks downloaded files.
- Alternate data streams are important from a forensics point of view; dir /r (Windows Vista and later) and PowerShell's Get-Item -Stream * list them.
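The MFT record layout and the alternate-data-stream point above, as one added example that is not part of the original study notes. It builds a synthetic 1024-byte MFT record (two sectors, so the update-sequence fixups come into play), then parses it: checks the FILE signature, restores the sector tails from the update sequence array, walks the attribute headers starting at the offset stored at 0x14, decodes a resident $FILE_NAME, a nonresident $DATA with two data runs, and a named $DATA attribute that is the ADS. The record number, file name, stream name, cluster numbers and sizes are all constructed values.

```python
# Added example (not from the original study notes): build one synthetic NTFS MFT
# record in memory, then parse it as a forensic tool would: undo the update-sequence
# fixups, walk the attributes, decode resident content and nonresident data runs,
# and list alternate data streams. All names, numbers and sizes are constructed.

import struct

STANDARD_INFORMATION, FILE_NAME, DATA, END = 0x10, 0x30, 0x80, 0xFFFFFFFF
RECORD_SIZE, SECTOR = 1024, 512


def _align8(n: int) -> int:
    return (n + 7) & ~7


def resident_attr(atype: int, aid: int, content: bytes, name: str = "") -> bytes:
    """0x18-byte resident header, optional UTF-16LE name, then the content itself."""
    name_b = name.encode("utf-16-le")
    content_off = _align8(0x18 + len(name_b))
    total = _align8(content_off + len(content))
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, aid,
                      len(content), content_off, 0, 0)
    body = hdr + name_b + bytes(content_off - 0x18 - len(name_b)) + content
    return body + bytes(total - len(body))


def nonresident_attr(atype: int, aid: int, runs: bytes, clusters: int, size: int) -> bytes:
    """0x40-byte nonresident header (unnamed) followed by the data-run list; 4 KiB clusters assumed."""
    total = _align8(0x40 + len(runs))
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", atype, total, 1, 0, 0x40, 0, aid,
                      0, clusters - 1, 0x40, 0, 0, clusters * 4096, size, size)
    return hdr + runs + bytes(total - 0x40 - len(runs))


def build_record(record_number: int, attrs: list) -> bytes:
    """0x30-byte header, update sequence array at 0x30, attributes from 0x38, end marker."""
    body = b"".join(attrs) + struct.pack("<II", END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 0x01,
                      0x38 + len(body), RECORD_SIZE, 0, len(attrs), 0, record_number)
    rec = bytearray(hdr + b"\x01\x00" + bytes(6) + body)
    rec += bytes(RECORD_SIZE - len(rec))
    for i in (1, 2):                       # stash each sector's last word, overwrite it with the USN
        pos = i * SECTOR - 2
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[pos:pos + 2]
        rec[pos:pos + 2] = b"\x01\x00"
    return bytes(rec)


def apply_fixups(raw: bytes) -> bytes:
    """Undo the update sequence: restore the last two bytes of every sector from the array."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    rec, usn = bytearray(raw), raw[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        pos = i * SECTOR - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch: torn write or wrong sector size")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_runs(buf: bytes, off: int) -> list:
    """Data runs: header nibbles give the byte widths of the length and the signed, relative LCN."""
    runs, lcn = [], 0
    while buf[off]:
        len_sz, off_sz = buf[off] & 0x0F, buf[off] >> 4
        length = int.from_bytes(buf[off + 1:off + 1 + len_sz], "little")
        if off_sz:
            lcn += int.from_bytes(buf[off + 1 + len_sz:off + 1 + len_sz + off_sz], "little", signed=True)
            runs.append((lcn, length))
        else:
            runs.append((None, length))       # sparse run: no clusters allocated on disk
        off += 1 + len_sz + off_sz
    return runs


def parse_record(raw: bytes) -> dict:
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT record: signature is not FILE")
    rec = apply_fixups(raw)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    attrs, off = [], first_attr
    while off + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == END or length == 0:
            break
        nonres, name_len, name_off, _, aid = struct.unpack_from("<BBHHH", rec, off + 8)
        a = {"type": atype, "id": aid, "nonresident": bool(nonres),
             "name": rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")}
        if nonres:
            runs_off = struct.unpack_from("<H", rec, off + 0x20)[0]
            a["size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]
            a["runs"] = parse_runs(rec, off + runs_off)
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            a["content"] = rec[off + coff:off + coff + clen]
        attrs.append(a)
        off += length
    return {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & 1), "directory": bool(flags & 2), "attributes": attrs}


def alternate_streams(record: dict) -> list:
    """An ADS is nothing more than a $DATA attribute that carries a name."""
    return [a["name"] for a in record["attributes"] if a["type"] == DATA and a["name"]]


def file_name(record: dict) -> str:
    """$FILE_NAME content: 64 fixed bytes, name length at 64, namespace at 65, UTF-16LE name at 66."""
    for a in record["attributes"]:
        if a["type"] == FILE_NAME:
            return a["content"][66:66 + 2 * a["content"][64]].decode("utf-16-le")
    return ""


def demo_record() -> dict:
    fn = bytes(64) + bytes([len("notes.txt"), 1]) + "notes.txt".encode("utf-16-le")
    runs = bytes([0x21, 0x10, 0x00, 0x08, 0x11, 0x04, 0x10, 0x00])  # 16 clusters at LCN 0x800, then 4 at 0x810
    return parse_record(build_record(39, [
        resident_attr(STANDARD_INFORMATION, 0, bytes(48)),
        resident_attr(FILE_NAME, 2, fn),
        nonresident_attr(DATA, 1, runs, clusters=20, size=80_000),
        resident_attr(DATA, 3, b"hidden payload", name="secret"),   # the alternate data stream
    ]))
```

Two things the example makes concrete: the primary $DATA attribute holds no content at all, only data runs, so the 80,000 bytes must be read from clusters 0x800 to 0x80F and 0x810 to 0x813; and the stream called secret is an ordinary resident attribute with 14 bytes of content that no size field of the file accounts for. Skipping the fixup step would leave two wrong bytes at offsets 510 and 1022 of every record, which on a real volume silently corrupts whatever attribute happens to span a sector boundary.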
NTFS Encrypting File System (EFS)
- EFS is an optional built-in encryption feature of NTFS.
- EFS uses hybrid encryption: each file is encrypted with a random symmetric file encryption key (FEK), and the FEK is in turn encrypted with the user's public key and stored in the file's $EFS attribute; EFS can be applied to files, folders, or whole volumes (partitions).
- Only a user whose private key can unwrap the FEK, that is the user who encrypted the data or a designated recovery agent, can read the encrypted file.
- When EFS is used in Windows 2000, a recovery certificate is generated automatically for the local Windows Administrator account; on standalone Windows XP and later there is no default recovery agent, so one has to be created deliberately.
- The recovery key is stored in one of two places: when a domain user initiates EFS, the recovery agent is the one designated in domain policy, by default the domain Administrator account on the domain controller; on a standalone workstation it is the local Administrator account, which is an issue if the suspect's account is also the local administrator, because the suspect then holds the recovery key as well.
- Users can apply EFS to files stored on their local workstations or on a remote server.
EFS Recovery Key Agent
- The Recovery Key Agent is the role that uses the recovery certificate and its private key, which are held by the Windows administrator account (or whichever account was designated as recovery agent).
- Windows administrators can recover a file in two ways: through the Windows GUI (the file's Properties > Advanced > Encrypt contents to secure data checkbox), or from a command prompt with the cipher command (cipher /d decrypts a file or folder; cipher /r creates a recovery agent certificate and key), using copy to bring the file to the machine that holds the recovery key.
- To recover an encrypted EFS file, a user can e-mail it or copy the file to the administrator; the administrator, logged on with the recovery agent's key, then decrypts it. The file must stay in its encrypted form while it is moved (for example with robocopy /efsraw or inside a backup), since an ordinary copy to a non-NTFS destination either decrypts it with the copier's key or fails.
Understanding Microsoft Startup Tasks
- Windows 10 boot processes are designed to run on multiple devices such as desktops, laptops, tablets, and smartphones.
- The boot process is driven by the boot configuration data (BCD) store, a file in registry hive format named BCD; on BIOS systems it lives in the \Boot folder of the active (system) partition, and on UEFI systems in \EFI\Microsoft\Boot on the EFI System Partition. It can be listed and edited with bcdedit.
- An investigator must learn which files are accessed when Windows starts, because their timestamps help determine when a suspect's computer was last booted or used.
- This is particularly important with computers that might have been used after an incident was reported; booting the original system changes those timestamps, which is another reason to work from an image.
- For additional information on Windows boot processes, refer to Insight of Operating System booting process – Windows 10 by Vinit Pandey.
Description
This quiz covers the fundamentals of disk and file system analysis, focusing on the structure and management of files in Microsoft operating systems. Key topics include storage media analysis, volume analysis, and file system structures like FAT and NTFS. Understand how to identify files, recover deleted data, and navigate the complexities of modern and legacy Windows environments.