Chapter 17
Digital Evidence on Windows Systems
On completion of this chapter, the student will:
Be aware that Windows-based systems will comprise the majority of cases.
Recognize that powerful forensic tools are not a substitute for knowledge and experience
in each of the following areas:
o File systems
o Data recovery
Be aware of the workings of each of the file systems covered.
Chapter Guide
The Windows environment is complex and poses a number of challenges for the forensic
examiner (FE). Some issues include:
Invasive characteristics of the Windows environment (invasive because it does not
mount disks read-only).
The way Windows file system(s) are implemented.
No facility in the Windows environment for mounting a hard drive as Read-Only.
The location, organization, and content of Windows system log files.
File systems
Windows supports a variety of file systems. Floppy disks are formatted FAT12 (each entry in
the FAT is 12 bits). Hard drives may be formatted FAT16, FAT32, or NTFS. The FE must be
sufficiently familiar with all supported file systems so that inconsistencies can be recognized.
look like and where data can be hidden in each
file system is essential to successfully examining Windows media.
NTFS uses a different method, storing file information in the Master File Table (MFT) using a
B-Tree (binary tree) structure. Deleted files may be more difficult to recover because NTFS
creates entries as needed and reuses entries before creating new ones, making it more likely that
a new file will overwrite an existing one. The data may be intact, but the file system references
may be lost.
Overview of Digital Evidence Processing Tools
Forensic-recovery activities commonly carried out include:
In those cases where a large number of drives must be examined for specific information, the
results of keyword searching will indicate which drives contain relevant information. WinHex
Forensic, EnCase, DiskSearch Pro, and Linux have the capability to search for keywords.
When notable data is found, then that media beco
Media can be examined either logically (accessed through the BIOS) or physically (accessed
directly). Both methods have strengths and weaknesses and the choice is dependent on the
circumstances. Logical access utilizes file structures, so file data is more easily examined.
However, logical access may miss some data. Physical access, on the other hand, is more likely
to get all available data. However, the interpretation of findings is more difficult due to absence
Data Recovery
Although automated tools exist for recovering data, the FE must understand the fundamental
underlying principles. Knowing how to manually recover damaged FATs and directories requires
a level of understanding sufficient to enable the FE to explain the relevant processes to the court.
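A worked illustration of the manual FAT recovery reasoning described above, added here and not part of the chapter: it decodes a constructed 32-byte directory entry modelled on the erased _REENF~1.DOC entry in question 7, reads 12-bit FAT entries, and computes the cluster run a recovery would assume. The 512-byte cluster size (a 1.44 MB floppy) and the all-zero FAT region are assumptions.

```python
import struct

CLUSTER_SIZE = 512  # assumption: 1.44 MB floppy, one 512-byte sector per cluster

def fat_datetime(date_word, time_word):
    """Decode packed 16-bit FAT date/time (local time, 2-second resolution) as ISO text."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    hour, minute, sec = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d}T{hour:02d}:{minute:02d}:{sec:02d}"

def parse_dir_entry(raw):
    """Parse a 32-byte 8.3 directory entry; 0xE5 in the first name byte marks it erased."""
    name, ext, attr = raw[0:8], raw[8:11], raw[11]
    wrt_time, wrt_date, start_lo, size = struct.unpack_from("<HHHI", raw, 22)
    erased = name[0] == 0xE5
    first = "_" if erased else chr(name[0])  # disk editors show the lost first character as _
    return {
        "name": first + name[1:].decode("ascii").rstrip() + "." + ext.decode("ascii").rstrip(),
        "erased": erased,
        "archive": bool(attr & 0x20),
        "size": size,
        "start_cluster": start_lo,  # FAT12/16 keep only the low word of the start cluster
        "modified": fat_datetime(wrt_date, wrt_time),
    }

def fat12_entry(fat, n):
    """Read 12-bit FAT entry n (two entries are packed into three bytes)."""
    off = (n * 3) // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0x0FFF

def clusters_needed(size, cluster_size=CLUSTER_SIZE):
    """Number of clusters a file of this size occupies (the last one is partly slack)."""
    return (size + cluster_size - 1) // cluster_size

def assumed_chain(entry, fat, cluster_size=CLUSTER_SIZE):
    """Erasing zeroes the file's FAT entries, so recovery assumes contiguous clusters from the start."""
    n = clusters_needed(entry["size"], cluster_size)
    chain = list(range(entry["start_cluster"], entry["start_cluster"] + n))
    still_free = all(fat12_entry(fat, c) == 0 for c in chain)  # 0 = free; nonzero = reallocated
    return chain, still_free

# Constructed sample: the erased entry from question 7 (5-08-03 2:34 pm, cluster 275, 19968 bytes)
ERASED_RAW = (b"\xE5REENF~1" + b"DOC" + bytes([0x20]) + bytes(10)
              + struct.pack("<HHHI", (14 << 11) | (34 << 5), (23 << 9) | (5 << 5) | 8, 275, 19968))
ERASED_ENTRY = parse_dir_entry(ERASED_RAW)
SAMPLE_FAT = bytes(512)  # constructed: an all-free FAT region, as after the erase zeroed the chain
```

If any cluster in the assumed run is no longer free, part of the file has been reallocated and the carved result must be treated as partial.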
Dealing with Password Protection and Encryption
FEs are often required to overcome password protection and/or encryption. Hex editors like
WinHex can sometimes be used to remove a password from a file. A variety of tools are
available, both validated and unvalidated, for password cracking and can be found on the
Internet. Test any such tool before using it on an actual case.
Encryption is another issue the FE must deal with. There are many levels of encryption, some
much more secure than others. In the case where the level of encryption is measured in millions
Log Files
No matter how incriminating the data found on a computer, it is necessary for the FE to associate
that data with a suspect. There are many instances where the defense
could have accessed the target system. Log files are used by the FE to attempt to determine who
was responsible for creating a particular piece of evidence.
File System Traces
Windows systems create a trail of events that are very difficult to completely eliminate. It takes
a thorough understanding of system events to hide all traces of a particular act. A great deal of
information can be derived from these traces. Date-time stamps of objects may substantiate or
Registry
Windows stores configuration and usage information in the Registry. Regedit and Regedt32 are
tools to view and modify the Windows Registry. Among other useful things to be gleaned from
Internet Traces
Systems connected to the Internet usually contain a wide variety of relevant data. Websites
Web Browsing
The date-time stamp of an Internet cache file corresponds to the date and time that the
determine the origin of such files. Browsers maintain a database of sites visited that
remains intact when the cache files are deleted. This database (netscape.hst for
Usenet Access
Usenet readers store all the URLs that have been accessed, as well as which Usenet
E-mail
E-mail contents and header information can provide the FE with a great deal of
information. It is necessary to have software that can read various proprietary e-mail
Other Applications
Internet messengers such as AOL IM, Yahoo! Pager, and others are a good source for
investigative leads. Peer-to-peer file sharing programs may retain information on the
Network Storage
Indicators of remote storage are definitely of interest to the FE. With the proliferation
of wireless home networks, it is conceivable that a suspect might be using his
store pornographic images. File backup
Program Analysis
There are times when a controlled experiment with a malicious program may provide insights on
where to look for evidence on a case system. Recreating an intrusion on a test system will
Multiple Choice Questions
1. Which of the following issues is NOT one that a forensic examiner faces when dealing
with Windows-based media?
2. Forensically acceptable alternatives to using a Windows Evidence Acquisition Boot Disk
include all but which of the following?
3. The standard Windows environment supports all of the following file systems EXCEPT
______.
4. forensic examiners often ________ the media to
make sure it contains data relevant to the investigation.
5. Media can be accessed for examination either ________ or ________ . (Choose two)
6. Which of the following software tools is NOT used for data recovery?
7. You find the following deleted file on a floppy disk. How many clusters does this file
occupy?
Name .Ext ID Size Date Time Cluster 76 A R S H D V
_REENF~1 DOC Erased 19968 5-08-03 2:34 pm 275 A – – – – –
8. Log files are used by the forensic examiner to __________.
9. The Windows NT Event log Appevent.evt:
10.
11. File system traces include all of the following EXCEPT:
12. When a file is moved within a volume, the Last Accessed Date Time:
13. Internet traces may be found in which of the following categories?
14. The Windows NT Event log Secevent.evt:
15.
alt.binaries.hacking.utilities! 1-8905,8912,8921,8924,8926,8929,8930,8932
True or False Questions
1. Given their widespread use and simple structure, FAT file systems are a good starting
point for forensic analysts to understand file systems and recovery of deleted data.
2. Usenet readers store all the URLs that have been accessed, but do not record which
Usenet newsgroups have been accessed and joined.
3. The Windows environment is invasive and poses a challenge to forensic examiners.
4. With the correct CMOS setting, it is possible to mount a hard drive as Read-Only in the
Windows environment.
5. EnCase provides the means to create a Windows Evidence Acquisition Boot Disk to
allow for network acquisition of an evidence drive.
6. Windows evidentiary media must be acquired and examined with Windows-based
examination software.
7. NTFS time represents time as the number of 100-nanosecond intervals since January 1,
1601 00:00:00 UTC.
8. In FAT32 file systems both the directory and FAT entries are updated when a file is
deleted.
9. EnCase can recover deleted files but does not have the capability of recovering deleted
directories.
10. In the Windows environment, simply opening a file to read, without writing it back to
disk, can change the date-time stamp.
11. In NTFS, when a file is deleted from a directory, the last modified and accessed date-time
stamps of the parent directory listing are updated.
12. The MD5 hashing algorithm is no longer considered to be a reliable method for
determining whether two blocks of text are identical.
13. A forensic examiner would use logical access to examine media if the file and directory
structures were to be analyzed.
14. where the beginning and end of a file are
located, and the block of data spanning the two locations is copied to a new file, with the
appropriate extension.
15. Just like Windows NT, Windows 98 has event logs that record system activities.
Essay Questions
For each of the following questions, develop discussion notes and be prepared to discuss your
findings.
1. Is it necessary for forensic examiners to understand how data is stored by various types of
file systems? Explain why or why not. Support your answer with examples.
Scenario
You are the digital forensic examiner at a pre-trial session with the judge and opposing counsel.
You have been asked to explain the various methods that data is stored and erased in the
Windows environment. Your discussion should include concepts such as slack space,