Disk and File System Forensics Analysis
Questions and Answers

What is the primary purpose of the EFS recovery certificate?

  • To recover files encrypted with EFS when the original key is lost (correct)
  • To store encrypted files in the cloud
  • To encrypt files on behalf of the user
  • To prevent unauthorized access to files

Where is the recovery key stored when EFS is used on a network?

  • On a remote server managed by the user
  • On the user's local workstation
  • On the local domain server’s administrator account (correct)
  • In the Windows event log

What commands can a Windows administrator use to recover an encrypted EFS file?

  • backup and save
  • recover and restore
  • encrypt and decrypt
  • cipher and copy (correct)

Under which circumstances can EFS recovery become problematic?

  Answer: When the suspect’s local admin account matches the user’s account

What is contained in the boot configuration data (BCD) store during the Windows 10 boot process?

  Answer: Files necessary for controlling the booting process

Which factor is crucial for an investigator when examining Windows startup processes?

  Answer: Knowing which files were accessed when the system started

Which of the following devices is NOT explicitly mentioned as part of the Windows 10 boot process?

  Answer: Smartwatches

What can users apply EFS to in their configuration?

  Answer: Files stored on local workstations or remote servers

What is the primary purpose of file system analysis?

  Answer: To find files and recover deleted files

Which layer of forensic analysis involves examining storage locations on devices like hard disks and flash drives?

  Answer: Storage media analysis

What structures help determine the organization of data on a disk in a file system?

  Answer: Tracks and sectors

How does the BIOS receive power to perform input and output operations?

  Answer: From the power supply unit

What is the maximum storage limit typically supported by CHS addressing?

  Answer: 8.1 GB

Which component should be used to avoid altering evidentiary data when examining a hard disk?

  Answer: Forensically configured CD/DVD/USB drive

What are Logical Block Addresses (LBA) primarily used for?

  Answer: To identify sectors using a single address

What must an investigator do during the bootstrap process to examine data without contamination?

  Answer: Access CMOS setup using the correct key(s)

Which file system component is responsible for defining how files are created, read, and written?

  Answer: File structure

What is the role of the UEFI in a computer’s architecture?

  Answer: To define the interface between firmware and the OS

Which of the following best describes a track on a hard disk?

  Answer: A concentric circle on a disk platter

What information can be found through volume analysis?

  Answer: Location of the file system and hidden data

Which programming feature is primarily associated with the application layer analysis?

  Answer: File structure specifics

What does CHS addressing rely on for locating data on a disk?

  Answer: Position of sectors in a track

What is the primary reason data in solid-state storage devices may be lost after deletion?

  Answer: The wear-leveling feature causes data references to be removed.

How does a solid-state drive maintain data integrity during reads and writes?

  Answer: By continuously shifting data to less used memory cells.

Which component of a solid-state drive tracks the addresses of deleted data?

  Answer: Garbage collector.

What is a common characteristic of clusters in Microsoft file structures?

  Answer: Clusters group sectors to form larger data storage units.

Which of the following partitioning systems allows for one extended partition containing multiple logical drives?

  Answer: Master Boot Record (MBR).

What does the logical address of a cluster do in a file system?

  Answer: Indicates the relative position of a cluster in the sequence.

Which tool can be used to examine and analyze hidden partitions and their structures?

  Answer: Disk Editor utility.

Which file system feature allows hiding data by creating large unused gaps?

  Answer: Partitioning.

What limits the maximum addressable storage space with a Master Boot Record (MBR)?

  Answer: 1 TiB.

In which scenario is it crucial to make a full forensic copy of a solid-state drive?

  Answer: As soon as relevant data is deleted.

What is the purpose of the File Allocation Table (FAT) in Microsoft file systems?

  Answer: To track the location of files on the disk.

Which file system allows for a more complex data structure than the Master Boot Record?

  Answer: New Technology File System (NTFS).

What technique can be used to hide incriminating evidence on a disk?

  Answer: Utilizing a smaller declared size than the actual drive size.

What is the main purpose of the FAT file structure on disks?

  Answer: To organize files so the OS can locate them efficiently

Which FAT version supports the largest disk partitions, up to 16 exabytes?

  Answer: exFAT

What is a key feature of the NTFS file system compared to FAT?

  Answer: Ability to offer enhanced metadata for files

What happens to a deleted file in the FAT file system?

  Answer: Deleted files can often be recovered until overwritten

In NTFS, what does the Master File Table (MFT) primarily store?

  Answer: Metadata about all files on the disk

How does NTFS handle file transactions in the event of a system failure?

  Answer: It reverts to the last successful transaction

What is drive slack in the context of file allocation?

  Answer: Unused space within a cluster after a file's data

Which of the following is true about the cluster sizes in FAT32?

  Answer: They can range from 512 bytes to 64 KB

What identifies the first 15 records in the NTFS Master File Table (MFT)?

  Answer: System files used by the operating system

What does the term 'nonresident' refer to in NTFS?

  Answer: Files larger than 512 bytes that store data outside of MFT

Which command creates an alternate data stream in NTFS?

  Answer: C:\test text_string > myfile.txt:stream_name

What is typically located at sector 0 of an NTFS disk?

  Answer: Partition Boot Sector

What allows NTFS to manage security and access control for files?

  Answer: File ownership attributes

What contributes to fragmentation in file storage on a disk?

  Answer: Deletion and expansion of files over time

    Study Notes

    Disk and File System Analysis

    • Investigators must understand the structure and purpose of file systems, as well as Microsoft file structures and startup tasks.
    • This analysis involves understanding how data is stored and managed in Microsoft operating systems, including legacy and modern Windows.
    • The analysis also explores how files are structured and managed, including clusters, FAT, and NTFS systems.

    Layers of Forensic Analysis

    • Storage media analysis: Examines non-volatile storage like hard disks and flash drives, focusing on partitions or volumes, which are collections of storage locations for user/application access.
    • Volume analysis: Analyzes data at the volume level to determine the location of file systems, hidden data, and other relevant data.
    • File system analysis: Investigates the structures that allow an application to create, read, and write files. This includes identifying files, recovering deleted files, and finding hidden data.
    • Application layer analysis: Examines the structure of each file based on the application or OS that created it, determining the appropriate program for analysis.

    Understanding File Systems

    • An OS uses file systems to access data on a disk. The specific file system determines how data is stored.
    • The boot sequence is essential to understand how an OS operates and how data is accessed and modified during the startup process.

    Understanding the Boot Sequence

    • The CMOS stores system configuration and date/time information when the system is powered off.
    • The BIOS or EFI contains programs that manage input and output at the hardware level. BIOS is designed for x86 computers and uses MBR disks, while EFI is designed for x64 computers and uses GPT disks.
    • UEFI (Unified Extensible Firmware Interface) was developed by Intel to standardize the interface between a computer's firmware and the OS.
    • When starting a system, booting into a forensically configured CD/DVD/USB drive is recommended to avoid overwriting or altering data on the hard disk.

    Hard Disk Geometry

    • Head: The device that reads and writes data on a drive.
    • Track: Concentric circles on a disk platter.
    • Cylinder: A column of tracks on disk platters.
    • Sector: A section on a track.

    Tracks, Sectors, Clusters, Cylinders

    • Sectors are wedge-shaped areas on a track, typically holding 512 bytes of data.
    • A collection of sectors is known as a cluster or block.
    • Cylinders are formed by all tracks in the same vertical position.

    CHS Addressing

    • CHS addressing identifies sectors by their track, head, and sector number.
    • Sectors are numbered sequentially, starting at 1.
    • The first sector has a CHS address of 0, 0, 1.

    Logical Block Addresses (LBA)

    • LBA uses a single address (starting at 0) to refer to sectors.
    • LBA 0 corresponds to CHS 0, 0, 1.
    • To convert from CHS to LBA, the number of heads per cylinder and sectors per track are needed.
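The CHS-to-LBA relationship described in the two sections above, worked through as an added example (this is illustrative code written for these notes, not code from any forensic tool). It assumes the conventional legacy-BIOS geometry of 255 heads per cylinder and 63 sectors per track, and it also goes the other way, LBA back to CHS, so that a sector address seen in a partition table can be cross-checked against its packed CHS field.

```python
"""Added example: CHS <-> LBA conversion for a classic BIOS disk geometry.

Illustrative code for these notes, not taken from any forensic tool.
The geometry values (255 heads per cylinder, 63 sectors per track) are
the conventional BIOS maxima and are an assumption of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    heads_per_cylinder: int  # HPC
    sectors_per_track: int   # SPT; sectors within a track are numbered from 1


# Assumed geometry: the largest a legacy BIOS can describe.
BIOS_MAX = Geometry(heads_per_cylinder=255, sectors_per_track=63)


def chs_to_lba(cylinder: int, head: int, sector: int, geo: Geometry = BIOS_MAX) -> int:
    """Turn a CHS triple into a zero-based logical block address.

    Tracks are walked cylinder by cylinder, head by head; within a track
    sectors count from 1, hence the "sector - 1". CHS (0, 0, 1) is LBA 0.
    """
    if sector < 1 or sector > geo.sectors_per_track:
        raise ValueError(f"sector {sector} outside 1..{geo.sectors_per_track}")
    if head < 0 or head >= geo.heads_per_cylinder:
        raise ValueError(f"head {head} outside 0..{geo.heads_per_cylinder - 1}")
    if cylinder < 0:
        raise ValueError("cylinder must be non-negative")
    return (cylinder * geo.heads_per_cylinder + head) * geo.sectors_per_track + (sector - 1)


def lba_to_chs(lba: int, geo: Geometry = BIOS_MAX) -> tuple[int, int, int]:
    """Inverse of chs_to_lba; returns (cylinder, head, sector)."""
    if lba < 0:
        raise ValueError("LBA must be non-negative")
    sector = lba % geo.sectors_per_track + 1
    track = lba // geo.sectors_per_track          # absolute track index
    head = track % geo.heads_per_cylinder
    cylinder = track // geo.heads_per_cylinder
    return cylinder, head, sector


def chs_addressable_sectors(cylinders: int = 1024, geo: Geometry = BIOS_MAX) -> int:
    """How many sectors a CHS scheme with this many cylinders can name.

    With 10-bit cylinders (1024), 8-bit heads (255 used) and 6-bit sectors
    (63 used) this is the ceiling that made LBA necessary on larger disks.
    """
    return cylinders * geo.heads_per_cylinder * geo.sectors_per_track


if __name__ == "__main__":
    print(chs_to_lba(0, 0, 1))        # 0: the first sector on the disk
    print(lba_to_chs(2048))           # where a 1 MiB-aligned partition typically starts
    print(chs_addressable_sectors())  # 16450560 sectors of 512 bytes
```

Multiplying the addressable sector count by 512 gives the byte ceiling of CHS addressing on this geometry; the round trip `chs_to_lba(*lba_to_chs(n)) == n` holds for every valid `n`, which is the property to rely on when reconciling the two address forms found in an MBR entry.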

    Solid-State Storage Devices (SSD)

    • SSDs pose challenges for investigators due to wear-leveling, which continuously shifts data to ensure even wear on memory cells.
    • Deleted data on SSDs might be lost forever if not recovered promptly.
    • Memory cells are designed for a limited number of reads and writes (P/E cycles), and when a cell reaches its limit, it can no longer retain data.

    SSD: Wear-Leveling and Garbage Collection

    • SSDs use a garbage collector to keep track of deleted data and overwrite unallocated cells with a value of 1, making data recovery more challenging.
    • Creating a full forensic copy as quickly as possible is crucial for solid-state devices to recover data from unallocated disk space.

    Exploring Microsoft File Structures

    • Understanding Microsoft file systems is essential for investigators examining Windows and DOS computers.
    • File systems determine how data is stored, including clusters, FAT, and NTFS.

    Clusters

    • Clusters are groups of sectors, ranging from 512 bytes to 32,000 bytes.
    • The number of sectors in a cluster depends on the disk size.
    • Cluster numbers are assigned sequentially, starting at 0 in NTFS and 2 in FAT.

    Finding Hidden Data

    • Disk editors can be used to examine a partition's physical level, view file headers, and analyze hex codes that identify and maintain the file system.
    • This is known as partition/volume analysis, which involves examining data structures and partition tables.

    Disk Partitions

    • Hard disks are divided into logical drives (partitions or volumes), each containing a group of clusters.
    • Partition tables describe the starting and ending sectors of each partition and its type.
    • Windows can accommodate three primary partitions and an extended partition that can contain additional logical drives.

    Hidden Partitions

    • Data can be hidden by creating hidden partitions or using unused space between partitions (partition gap).
    • Disk editors can be used to access both hidden and unused areas.
    • Hidden data can also be created by declaring a smaller disk size than the actual drive size.

    Partition Tables

    • The partition table is located in the Master Boot Record (MBR) at sector 0 of the disk, specifically designed for legacy PCs.
    • The MBR contains the disk layout, including the primary partitions and extended partition.
    • The partition table can be examined using a hex editor like WinHex.

    Partition Analysis Steps

      1. Identify the disk type: Determine if it's a MBR or GPT disk.
      2. Find and examine the partition table: Identify partitions and their starting/ending sectors.
      3. Analyze specific partitions: Examine data structures and specific files within each partition.
      4. Document findings: Record all information found in the partition table and data structures.
      5. Consider hidden areas: Look for potential hidden partitions or unused space.

    GPT (GUID Partition Table)

    • Designed for larger storage devices exceeding the MBR's 1 TiB limit.
    • More complex than MBR and uses a GUID (Globally Unique Identifier) for each partition.

    Key File System Structures

    • File Allocation Table (FAT): Used in older versions of Windows and provides a map of where data is stored on a disk.
    • NT File System (NTFS): Used in newer versions of Windows and features enhanced security, data recovery, and file system management.

    Partition Analysis

    • An investigator first locates the partition table on the disk.
    • Then, process its data structures to identify the layout and determine the offset of each partition.
    • Not all sectors need to be assigned to a partition; unassigned sectors may contain data from a previous file system or data the suspect was trying to hide.
    • Conduct consistency checks to determine where else evidence could be located besides in each partition: check each partition's starting location against the end of the previous one, and the last partition's end against the end of the disk.
    • To identify the OS on an unknown disk, use a hex editor such as WinHex.
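The partition-table steps above (locate the MBR, parse the entries, then run consistency checks for gaps, overlaps and partitions that run past the declared disk size) as an added, runnable example. This is code written for these notes, not WinHex or any other tool; the 512-byte sector 0 it parses is constructed inline, and the "declared disk size" it checks against is an assumed value that an investigator would take from the drive's reported sector count.

```python
"""Added example: parse an MBR partition table and flag inconsistencies.

Written for these notes, not taken from any forensic suite. SAMPLE_MBR is a
hand-built sector 0; the declared sector count passed to the checks is an
assumed value standing in for what the drive reports about itself.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte entries live here
MBR_SIGNATURE = b"\x55\xAA"      # last two bytes of sector 0

# A few well-known partition type bytes, for readable output only.
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0xEE: "GPT protective"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    chs_start: tuple[int, int, int]
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sectors - 1


def decode_chs(raw: bytes) -> tuple[int, int, int]:
    """Unpack the packed 3-byte CHS field: head, 6-bit sector, 10-bit cylinder."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(sector0: bytes) -> list[Partition]:
    """Return the non-empty entries of the primary partition table."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not an MBR disk?")
    parts = []
    for i in range(4):
        entry = sector0[PARTITION_TABLE_OFFSET + 16 * i: PARTITION_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) chs_start(3) type(1) chs_end(3) start_lba(4) sectors(4)
        status, type_id, start_lba, sectors = struct.unpack("<B3xB3xII", entry)
        if type_id == 0 and sectors == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, type_id, decode_chs(entry[1:4]), start_lba, sectors))
    return parts


def consistency_findings(parts: list[Partition], declared_sectors: int) -> list[str]:
    """Gaps, overlaps and out-of-bounds partitions: each is a place to look for hidden data."""
    findings = []
    cursor = 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p.start_lba):
        if p.start_lba > cursor:
            findings.append(f"gap: sectors {cursor}-{p.start_lba - 1} not assigned to any partition")
        elif p.start_lba < cursor:
            findings.append(f"overlap: partition {p.index} starts inside the previous partition")
        if p.end_lba >= declared_sectors:
            findings.append(f"partition {p.index} ends at sector {p.end_lba}, past the declared "
                            f"disk size of {declared_sectors} sectors")
        cursor = max(cursor, p.end_lba + 1)
    if cursor < declared_sectors:
        findings.append(f"gap: sectors {cursor}-{declared_sectors - 1} after the last partition are unassigned")
    return findings


def _entry(bootable: bool, type_id: int, start_lba: int, sectors: int) -> bytes:
    # CHS fields use the 0xFE 0xFF 0xFF "see LBA fields" convention.
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\xFE\xFF\xFF", type_id,
                       b"\xFE\xFF\xFF", start_lba, sectors)


# Constructed sample: an NTFS partition, a FAT32 partition, two empty slots.
SAMPLE_MBR = (bytes(446) + _entry(True, 0x07, 2048, 204800)
              + _entry(False, 0x0B, 210000, 100000) + bytes(32) + MBR_SIGNATURE)

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p.index, TYPE_NAMES.get(p.type_id, hex(p.type_id)), p.start_lba, p.end_lba, p.chs_start)
    for line in consistency_findings(parse_mbr(SAMPLE_MBR), declared_sectors=320000):
        print("finding:", line)
```

Run against a real image, the sector-0 bytes would come from the first 512 bytes of the acquired disk, and the declared sector count from the drive's own reporting; a partition whose end lies beyond that count, or a large unassigned run before, between or after partitions, is exactly the region the "hidden partitions" notes say to open in a disk editor.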

    Examining the Disk

    • To explore a disk in WinHex, launch the program and click Tools, Open Disk from the menu to see a list of logical drives.
    • Click the C drive (or the working drive) and click OK.

    FAT-based Disks

    • FAT is the file structure database used to organize files on a disk so the OS can find the files it needs.
    • FAT is found on the disk's outermost track and contains filenames, directory names, date and time stamps, starting cluster number, and file attributes (archive, hidden, etc.).
    • There are three current versions of FAT: FAT16, FAT32, and exFAT.
    • FAT16 was used on older Microsoft OSs like Windows 95 and Windows NT 3.5 and 4.0 and supports a maximum storage capacity of 4 GB.
    • FAT32 can access larger capacity drives.
    • exFAT was developed for mobile personal storage devices like flash memory devices and memory sticks, and its file system can store very large files like digital images, videos, and audio files.
    • Cluster sizes vary according to the hard disk size and file system. In FAT32 file systems, cluster sizes are determined by the OS, and they can range from 1 sector consisting of 512 bytes to 128 sectors of 64 KB.
    • Drive Slack: Microsoft OS allocates disk space for files by clusters, and this results in drive slack (unused space in a cluster between the end of an active file's content and the end of the cluster).
    • Drive slack includes RAM slack (found mainly in older Microsoft OS) and file slack. In newer Windows OS, when data is written to disk, the remaining RAM slack is zeroed out and contains no RAM data.

    NTFS-based Disks

    • NTFS was introduced with Windows NT and is still the main file system in Windows 10.
    • Each generation of Windows since NT has included minor changes in NTFS configuration and features.
    • NTFS offers substantial improvements over FAT file systems as it provides more information about a file, including security features, file ownership, and other file attributes.
    • NTFS is a journaling file system: it keeps track of transactions such as deleting or saving a file.
    • This journaling feature is helpful because a transaction is recorded before the system carries it out; in case of a power failure or other interruption, the system can either complete the transaction or go back to the last good state.

    NTFS-based Disks (Continued)

    • On an NTFS disk, the first data set is the Partition Boot Sector, which starts at sector 0 of the disk and can expand to 16 sectors.
    • Immediately after the Partition Boot Sector is the Master File Table (MFT) which is the first file on the disk.
    • An MFT file is created at the same time a disk partition is formatted as an NTFS volume, and it consumes about 12.5% of the disk when it's created.
    • As data is added, the MFT can expand to take up 50% of the disk.
    • An important advantage of NTFS over FAT is that it results in much less file slack space.

    NTFS-based Disks "System files"

    • Because everything on an NTFS disk is a file, the first file, the MFT, contains information about all files on the disk, including the system files the OS uses.
    • In the MFT, the first 15 records are reserved for system files.
    • Records in the MFT are referred to as metadata.

    NTFS-based Disks – MFT and File Attributes

    • In the NTFS MFT, each file and folder has its own record of 1024 bytes, and each record contains the file's or folder's information.
    • The info is divided into record fields containing metadata about the file or folder and the file's data or links to the file's data.
    • A record field is referred to as an attribute ID.
    • File or folder info is stored in one of two ways in the MFT record: resident and nonresident.
    • For files of 512 bytes or less, all file metadata and data are stored in the MFT record, and this type of record is called a resident file.
    • For files larger than 512 bytes, the file or folder's MFT record provides cluster addresses (called data runs) where the file is stored on the drive's partition, and this type of record is referred to as nonresident.

    NTFS-based Disks – MFT and File Attributes (Continued)

    • Each MFT record starts with a header identifying it as a resident or nonresident attribute; the first 4 bytes of every MFT record are FILE.
    • The header info contains additional data specifying where the first attribute ID starts, which is typically at offset 0x14 from the beginning of the record.
    • Each attribute ID has a length value in hex defining where it ends and where the next attribute starts.
    • The length value is located 4 bytes from the attribute ID.
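The record layout in the three MFT sections above (the FILE signature, the first-attribute offset at 0x14, each attribute's type ID followed 4 bytes later by its length, and the resident/nonresident split with data runs for nonresident data) as an added example that walks one record. This is code written for these notes, not from the textbook or any forensic suite; the 1024-byte record is constructed inline, and the finer offsets it relies on (the resident flag at +8 of each attribute, value length/offset at +16/+20 for resident attributes, data-run offset at +32 and real size at +48 for nonresident ones, the 0xFFFFFFFF end marker) follow the on-disk NTFS attribute layout.

```python
"""Added example: walk the attributes of a single NTFS MFT record.

Written for these notes, not taken from any forensic tool. The record is
constructed by hand (a file named secret.txt with nonresident $DATA); the
attribute offsets used follow the on-disk NTFS layout.
"""
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
END_OF_ATTRIBUTES = 0xFFFFFFFF


def decode_data_runs(runs: bytes) -> list[tuple[int, int]]:
    """Decode a nonresident run list into (starting LCN, cluster count) pairs."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_size, off_size = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        count = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        # offsets are signed and relative to the previous run's LCN
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        out.append((lcn, count))
    return out


def parse_mft_record(rec: bytes) -> dict:
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record (signature missing)")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2), "attributes": []}
    pos = first_attr
    while pos + 8 <= len(rec):
        attr_type, length = struct.unpack_from("<II", rec, pos)   # type at +0, length at +4
        if attr_type == END_OF_ATTRIBUTES:
            break
        if length == 0 or pos + length > len(rec):
            raise ValueError(f"bad attribute length {length} at offset {pos:#x}")
        nonresident = rec[pos + 8] == 1
        entry = {"type": attr_type, "name": ATTR_NAMES.get(attr_type, f"{attr_type:#x}"),
                 "resident": not nonresident}
        if nonresident:
            runs_off, = struct.unpack_from("<H", rec, pos + 32)
            entry["size"], = struct.unpack_from("<Q", rec, pos + 48)
            entry["runs"] = decode_data_runs(rec[pos + runs_off: pos + length])
        else:
            val_len, val_off = struct.unpack_from("<IH", rec, pos + 16)
            value = rec[pos + val_off: pos + val_off + val_len]
            entry["size"] = val_len
            if attr_type == 0x30:  # $FILE_NAME: name length at +64, UTF-16LE name at +66
                entry["filename"] = value[66:66 + 2 * value[64]].decode("utf-16-le")
        info["attributes"].append(entry)
        pos += length
    return info


def _pad(body: bytes) -> bytes:
    """Round an attribute to 8 bytes and write its final length at +4."""
    padded = (len(body) + 7) // 8 * 8
    return body[:4] + struct.pack("<I", padded) + body[8:] + bytes(padded - len(body))


def _resident(attr_type: int, value: bytes) -> bytes:
    return _pad(struct.pack("<IIBBHHHIHBB", attr_type, 0, 0, 0, 0, 0, 0, len(value), 24, 0, 0) + value)


def _nonresident(attr_type: int, runs: bytes, real_size: int, clusters: int) -> bytes:
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", attr_type, 0, 1, 0, 0, 0, 0, 0, clusters - 1, 64, 0, 0,
                      clusters * 4096, real_size, real_size)
    return _pad(hdr + runs)


def build_sample_record() -> bytes:
    """Constructed record: secret.txt, 5000 bytes, 10 clusters starting at LCN 0x2000."""
    name = "secret.txt".encode("utf-16-le")
    fn_value = struct.pack("<Q4QQQII", 5, 0, 0, 0, 0, 0, 0, 0, 0) + bytes([len(name) // 2, 1]) + name
    attrs = (_resident(0x10, bytes(48)) + _resident(0x30, fn_value)
             + _nonresident(0x80, b"\x21\x0A\x00\x20\x00", 5000, 10)
             + struct.pack("<I", END_OF_ATTRIBUTES))
    header = (b"FILE" + bytes(16) + struct.pack("<HH", 0x38, 0x01)).ljust(0x38, b"\0")
    return (header + attrs).ljust(1024, b"\0")


if __name__ == "__main__":
    for a in parse_mft_record(build_sample_record())["attributes"]:
        print(a)
```

The resident case is why a small file's content survives in the MFT itself even after the file is deleted, and the run list is what an examiner follows on the partition to recover a larger file's clusters.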

    NTFS Alternate Data Streams

    • NTFS Alternate Data Streams append data to existing files, and they can obscure valuable evidentiary data, intentionally or by coincidence.
    • An alternate data stream becomes an additional file attribute and allows the file to be associated with different applications.
    • Alternate data streams are important from a forensics point of view.

    NTFS Encrypting File System (EFS)

    • EFS is an optional built-in encryption feature included with NTFS.
    • EFS uses public-key cryptography to encrypt files, folders, or disk volumes (partitions).
    • Only the owner or user who encrypted the data can access encrypted files.
    • When EFS is used in Windows 2000 and later, a recovery certificate is generated and sent to the local Windows administrator account.
    • The recovery key is stored in one of two places. When a network user initiates EFS, it is sent to the local domain server's administrator account; on a standalone workstation, it is sent to the local admin account, which can be an issue if the suspect machine's local admin account is the same as the suspect's account.
    • Users can apply EFS to files stored on their local workstations or a remote server.

    EFS Recovery Key Agent

    • The Recovery Key Agent implements the recovery certificate, which is in the Windows administrator account.
    • Windows administrators can recover a key in two ways: through Windows, or from a command prompt using either of the following two commands: cipher and copy.
    • To recover an encrypted EFS file, a user can e-mail it or copy the file to the administrator. The administrator can then run the Recovery Key Agent function to restore the file.

    Understanding Microsoft Startup Tasks

    • Windows 10 Boot processes are designed to run on multiple devices such as desktops, laptops, tablets, and smartphones.

    • The boot process uses a boot configuration data (BCD) store, where for desktops and laptops, a BCD Registry file in the \Boot\Bcd folder is maintained to control the boot process.

    • An investigator must learn what files are accessed when Windows starts, as this helps determine when a suspect's computer was last accessed.

    • It is particularly important with computers that might have been used after an incident was reported.

    • For additional information on Windows boot processes, refer to Insight of Operating System booting process – Windows 10 by Vinit Pandey.


    Description

    This quiz covers the fundamentals of disk and file system analysis, focusing on the structure and management of files in Microsoft operating systems. Key topics include storage media analysis, volume analysis, and file system structures like FAT and NTFS. Understand how to identify files, recover deleted data, and navigate the complexities of modern and legacy Windows environments.
