Authors: Amelia Phillips, Bill Nelson, Christopher Steuart
Guide to Computer Forensics and Investigations, Fifth Edition 5-1
Chapter 5
Working with Windows and CLI Systems
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Teaching Tips
Quick Quizzes
Lecture Notes
Overview
This chapter reviews how data is stored and managed on Microsoft operating systems
(OSs). To become proficient in recovering data for computer investigations, you should
understand file systems and their OSs, including Windows and command-line interface
Chapter Objectives
Explain the purpose and structure of file systems
Describe Microsoft file structures
Explain the structure of NTFS disks
Teaching Tips
Understanding File Systems
1. Explain that the file system gives an OS a road map to data on a disk. The type of file
2. Mention that when you need to access a suspect’s computer to acquire or inspect data,
Understanding the Boot Sequence
1. Mention that to ensure that you don’t contaminate or alter data on a suspect’s system,
you must know how to access and modify a PC’s Complementary Metal Oxide
2. Explain that a computer stores system configuration and date and time information in
3. Explain that the bootstrap process is contained in ROM and tells the computer how to
proceed when booting. It displays the key or keys you press to open the CMOS setup
screen. The boot order in the CMOS setup must be changed so that the computer boots from a
forensic boot CD/DVD (or USB device) instead of the suspect's hard drive; otherwise the
suspect's OS starts and writes to the evidence drive. Use Figure 5-1 to illustrate your
explanation.
Understanding Disk Drives
1. Explain that disk drives are made up of one or more platters coated with magnetic
material.
2. Use Figures 5-2 and 5-3 to describe some of the disk drive components, including:
a. Geometry
3. Describe some of the properties handled at the drive’s hardware or firmware level,
including:
a. Zone bit recording (ZBR)
Solid-State Storage Devices
1. Describe the wear-leveling feature implemented by the controller in flash-based storage devices. Explain
2. Point out that when dealing with solid-state devices, making a full forensic copy as soon
Exploring Microsoft File Structures
1. Explain that in Microsoft file structures, sectors are grouped to form clusters, which are
2. Mention that clusters range from 512 bytes (a single sector) up to 32 KB (32,768 bytes)
each, with the size fixed when the volume is formatted. Combining sectors into clusters
minimizes the overhead of writing or reading files to a disk.
3. Explain that clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT.
4. Explain that the OS assigns these cluster numbers, which are referred to as logical
Disk Partitions
1. Define a partition as a logical drive. Explain that an MBR-partitioned disk under Windows
can have up to four primary partitions, or three primary partitions followed by an extended
partition that can contain one or more logical drives.
2. Define hidden partitions or voids as large unused gaps between partitions on a disk
3. Explain that one way to examine a partition’s physical level is to use a disk editor, such
4. Use Figure 5-5 to show how to use Hex Workshop to identify file systems.
5. Mention that with tools such as Hex Workshop, you can also identify file headers to
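The following Python is an added example, not code from the textbook or this manual, of the checks a disk editor such as Hex Workshop lets you do by hand: it parses the four partition entries in a constructed MBR (sector 0), reports unallocated gaps between partitions that could be hidden partitions or voids, and identifies a file system from the signature bytes of its boot sector rather than trusting the partition type byte. The disk layout, sector counts and boot sectors are constructed for the illustration.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"

# Common MBR partition type IDs (not exhaustive)
PART_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 (<32 MB)", 0x05: "Extended", 0x06: "FAT16",
    0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector0):
    """Parse the four 16-byte partition entries at offset 446 of sector 0."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIG:
        raise ValueError("sector 0 lacks the 0x55AA signature: not a valid MBR")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype == 0:
            continue  # unused slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def find_voids(parts, disk_sectors, min_gap=2048):
    """Return (start_lba, length) for every unallocated gap of at least min_gap sectors.
    Gaps larger than normal alignment padding (1 MiB = 2048 sectors) deserve a look."""
    voids, cursor = [], 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] - cursor >= min_gap:
            voids.append((cursor, p["lba_start"] - cursor))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if disk_sectors - cursor >= min_gap:
        voids.append((cursor, disk_sectors - cursor))
    return voids


def identify_fs(boot):
    """Name a file system from the signature fields of its boot sector (the partition's
    first sector), the bytes you would look at in a hex editor."""
    if boot[3:11] == b"NTFS    ":
        return "NTFS"
    if boot[3:11] == b"EXFAT   ":
        return "exFAT"
    if boot[82:87] == b"FAT32":
        return "FAT32"
    if boot[54:59] in (b"FAT12", b"FAT16"):
        return boot[54:59].decode()
    return "unknown"


# ---- constructed sample disk (illustration only) ----
def _entry(bootable, ptype, lba, count):
    chs = b"\xFF\xFF\xFF"  # CHS fields are ignored on LBA-addressed disks
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0, chs, ptype, chs, lba, count)

# two partitions with a ~99 MB gap between them and a ~200 MB unpartitioned tail
SAMPLE_MBR = (bytes(446) + _entry(True, 0x07, 2048, 204800)
              + _entry(False, 0x0B, 409600, 204800) + bytes(32) + MBR_SIG)
SAMPLE_DISK_SECTORS = 1024000

NTFS_BOOT = bytearray(SECTOR)
NTFS_BOOT[0:3], NTFS_BOOT[3:11], NTFS_BOOT[510:512] = b"\xEB\x52\x90", b"NTFS    ", MBR_SIG
FAT32_BOOT = bytearray(SECTOR)
FAT32_BOOT[3:11], FAT32_BOOT[82:90], FAT32_BOOT[510:512] = b"MSWIN4.1", b"FAT32   ", MBR_SIG

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print("partition %d: %-16s LBA %8d  sectors %8d%s" % (p["index"], p["type_name"],
              p["lba_start"], p["sectors"], "  (boot)" if p["bootable"] else ""))
    print("voids:", find_voids(parts, SAMPLE_DISK_SECTORS))
    print("boot sectors:", identify_fs(NTFS_BOOT), identify_fs(FAT32_BOOT))
```

On a real image you would feed parse_mbr the first 512 bytes of the file and identify_fs the 512 bytes at lba_start * 512 for each partition. A type byte of 0xEE means the real layout lives in a GPT, which this parser does not read, and an extended partition (0x05/0x0F) holds a further chain of partition tables inside it.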
Examining FAT Disks
and 2000.
2. Explain that a FAT database is typically written to a disk’s outermost track and contains
3. Describe the evolution of FAT versions using the following list:
a. FAT12
4. Mention that cluster sizes vary according to the hard disk size and file system. Use
Table 5-2 to illustrate your explanation.
5. Explain that Microsoft OSs allocate disk space for files by clusters. This practice results
7. Explain that when you run out of room for an allocated cluster, the OS allocates another
8. Explain that when the OS stores data in a FAT file system, it assigns a starting cluster
position to a file. Data for the file is written to the first sector of the first assigned
Deleting FAT Files
1. Explain that in the FAT file system, when a file is deleted, the directory entry is marked
2. Mention that the area of the disk where the deleted file resides becomes unallocated
disk space. This space is now available to receive new data from newly created files or
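The Python below is an added example, not code from the textbook or this manual, that ties together cluster allocation, slack space and FAT deletion from the points above. It packs a constructed FAT16 table and two 8.3 directory entries, walks a live file's cluster chain, computes the slack left in its last cluster, and then handles the deleted entry: its first name byte is 0xE5 and its FAT entries have been zeroed, so recovery has to assume the data was contiguous and reclaim ceil(size / cluster size) clusters from the starting cluster still recorded in the directory entry. The file names, cluster numbers and sizes are constructed for the illustration.

```python
import struct
from math import ceil

FAT16_EOC, FAT16_BAD = 0xFFF8, 0xFFF7  # entries >= 0xFFF8 end a chain; 0xFFF7 marks a bad cluster
DELETED = 0xE5                         # first name byte of a directory entry whose file was deleted


def build_fat16(entries):
    """Pack 16-bit FAT entries (list index = cluster number) into the on-disk table."""
    return struct.pack("<%dH" % len(entries), *entries)


def walk_chain(fat, start):
    """Follow a FAT16 cluster chain from `start` until an end-of-chain marker. A zero entry
    means the cluster is marked free, which is exactly what a delete leaves behind."""
    chain, cur = [], start
    while cur >= 2 and cur not in chain:        # data clusters start at 2; guard against loops
        chain.append(cur)
        nxt = struct.unpack_from("<H", fat, cur * 2)[0]
        if nxt == 0 or nxt >= FAT16_BAD:
            break
        cur = nxt
    return chain


def parse_dir_entry(raw):
    """Decode a 32-byte 8.3 directory entry: name, deleted flag, first cluster, size."""
    name, attr = struct.unpack_from("<11sB", raw, 0)
    hi = struct.unpack_from("<H", raw, 20)[0]   # high word of first cluster (used by FAT32)
    lo, = struct.unpack_from("<H", raw, 26)
    size, = struct.unpack_from("<I", raw, 28)
    deleted = name[0] == DELETED                # 0xE5 overwrote the first character of the name
    base = (b"_" + name[1:8] if deleted else name[:8]).decode("ascii", "replace").rstrip()
    ext = name[8:11].decode("ascii", "replace").rstrip()
    return {"name": base + ("." + ext if ext else ""), "deleted": deleted,
            "is_dir": bool(attr & 0x10), "start": (hi << 16) | lo, "size": size}


def list_entries(raw):
    """Split a directory region into entries, skipping never-used (zeroed) slots."""
    return [parse_dir_entry(raw[i:i + 32]) for i in range(0, len(raw), 32) if raw[i] != 0]


def recover(entry, fat, cluster_size):
    """Return (clusters, slack_bytes) for a file. The FAT chain is authoritative for a live
    file; for a deleted file the chain was zeroed, so recovery assumes the data was written
    contiguously and takes ceil(size / cluster_size) clusters from the starting cluster."""
    needed = ceil(entry["size"] / cluster_size)
    chain = walk_chain(fat, entry["start"])
    if entry["deleted"] and len(chain) < needed:
        chain = list(range(entry["start"], entry["start"] + needed))
    slack = len(chain) * cluster_size - entry["size"]   # unused bytes at the end of the last cluster
    return chain, slack


# ---- constructed sample volume (illustration only) ----
def _dir_entry(name, start, size, attr=0x20):
    return struct.pack("<11sB14xHI", name, attr, start, size)

CLUSTER = 4 * 512   # 4 sectors per cluster, as on a small FAT16 volume
# clusters 5->6->7->EOC belong to REPORT.TXT; clusters 9 and 10 were freed when SECRET.DOC was deleted
SAMPLE_FAT = build_fat16([0xFFF8, 0xFFFF, 0, 0, 0, 6, 7, 0xFFFF, 0, 0, 0, 0])
SAMPLE_DIR = _dir_entry(b"REPORT  TXT", 5, 5000) + _dir_entry(b"\xE5ECRET  DOC", 9, 3000)

if __name__ == "__main__":
    for e in list_entries(SAMPLE_DIR):
        clusters, slack = recover(e, SAMPLE_FAT, CLUSTER)
        print("%-12s %s start=%d size=%d clusters=%s slack=%d" % (
            e["name"], "deleted" if e["deleted"] else "live   ", e["start"], e["size"], clusters, slack))
```

The contiguity assumption is the weak point of FAT undelete: if the deleted file was fragmented, or its old clusters have since been reused, the recovered clusters will contain someone else's data, which is why the recovered content must always be checked against the expected file header. The slack bytes (1144 for the live file here) are exactly the region that can still hold remnants of whatever previously occupied that cluster.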
Examining NTFS Disks
2. Improvements over FAT file systems include:
3. Explain that NTFS was Microsoft’s move toward a journaling file system. In NTFS,
everything written to the disk is considered a file.
5. Mention that NTFS results in much less file slack space. Clusters are smaller for smaller
disk drives. Use Table 5-3 to illustrate your explanation.
6. Mention that NTFS also uses Unicode, an international data format. Explain that
NTFS System Files
2. Explain that records in the MFT are referred to as metadata. Use Table 5-4 to illustrate
your explanation.
MFT and File Attributes
1. Mention that in the NTFS MFT, all files and folders are stored in separate records of
1024 bytes each.
2. Explain that each record contains file or folder information. This information is divided
4. Mention that file data too large to fit in the 1024-byte record (roughly more than 500 to
700 bytes, depending on the other attributes) is stored outside the MFT as a nonresident
attribute. The MFT record then
provides cluster addresses where the file is stored on the drive's partition. These
5. Explain that when a disk is created as an NTFS file structure, the OS assigns logical
6. Discuss the concept of a virtual cluster number (VCN). Point out that the value in
MFT Structures for File Data
1. Explain that the first section of an MFT record is the header that defines the size and
2. Use Figures 5-13 through 5-18 to discuss the attributes found after an MFT Header.
NTFS Alternate Data Streams
1. Define data streams as ways data can be appended to existing files. Data streams can
obscure valuable evidentiary data, intentionally or by coincidence.
2. Explain that in NTFS, each data stream is a separate $DATA attribute in the file's MFT
record, so a file can carry content for different applications besides its main (unnamed)
stream. File Explorer and a plain dir listing show only the unnamed stream (dir /r lists the
named streams on Vista and later). You can only tell whether a file has a
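An added example, not code from the textbook or this manual, that works through the MFT material from the previous sections and the alternate data stream point above: the Python below parses a constructed 1024-byte MFT record. It applies the update-sequence fixups first (a step every MFT parser must do, since NTFS stamps a sequence number over the last two bytes of each sector of the record), walks the attribute headers, decodes the data runs of a nonresident $DATA attribute into LCN extents and maps a VCN to its LCN, and reports every named $DATA attribute as an alternate data stream. It also parses the same record with the in-use flag cleared, which is the state the record is left in after the file is deleted: the attributes and cluster addresses are still there. The record bytes, the stream name "hidden", the run list and the cluster numbers are constructed for the illustration, and the $FILE_NAME attribute is omitted to keep the record small.

```python
import struct

SECTOR, MFT_RECORD = 512, 1024
DATA, END_MARKER = 0x80, 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA", 0x90: "$INDEX_ROOT"}


def apply_fixups(raw):
    """Undo update-sequence fixups: NTFS stamps the USN over the last two bytes of every
    sector of the record and keeps the real bytes in the update sequence array (USA)."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        tail = i * SECTOR - 2
        if rec[tail:tail + 2] != usn:  # torn write or tampering
            raise ValueError("fixup mismatch in sector %d of record" % (i - 1))
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def decode_data_runs(raw):
    """Run list -> [(lcn, length)]. Header byte: low nibble = size of the length field,
    high nibble = size of the offset field. The offset is signed, relative to the previous LCN."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0:
        len_sz, off_sz = raw[pos] & 0xF, raw[pos] >> 4
        length = int.from_bytes(raw[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz == 0:            # sparse run: no clusters allocated
            runs.append((None, length))
            continue
        lcn += int.from_bytes(raw[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        runs.append((lcn, length))
    return runs


def vcn_to_lcn(runs, vcn):
    """Map a file-relative virtual cluster number to the on-disk logical cluster number."""
    for lcn, length in runs:
        if vcn < length:
            return None if lcn is None else lcn + vcn
        vcn -= length
    raise ValueError("VCN is past the last run")


def parse_mft_record(raw):
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("bad record signature %r" % rec[:4])
    first_attr, flags = struct.unpack_from("<HH", rec, 20)
    used = struct.unpack_from("<I", rec, 24)[0]
    attrs, pos = [], first_attr
    while pos + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        a = {"type": atype, "type_name": ATTR_NAMES.get(atype, hex(atype)), "nonresident": bool(nonres),
             "name": rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")}
        if nonres:   # data lives in clusters; the header gives the run list offset and real size
            runs_off = struct.unpack_from("<H", rec, pos + 32)[0]
            a["size"] = struct.unpack_from("<Q", rec, pos + 48)[0]
            a["runs"] = decode_data_runs(rec[pos + runs_off:pos + alen])
        else:        # resident: the value is stored inside the MFT record
            vlen, voff = struct.unpack_from("<IH", rec, pos + 16)
            a["size"], a["value"] = vlen, rec[pos + voff:pos + voff + vlen]
        attrs.append(a)
        pos += alen
    return {"in_use": bool(flags & 1), "is_dir": bool(flags & 2), "attrs": attrs}


def alternate_streams(record):
    """Named $DATA attributes are alternate data streams; the unnamed one is the file's content."""
    return [a for a in record["attrs"] if a["type"] == DATA and a["name"]]


# ---- constructed sample record (illustration only, not taken from a real disk) ----
def _pad8(b):
    return b + bytes(-len(b) % 8)

def _res_attr(atype, name, value):
    name_b = name.encode("utf-16-le")
    body = _pad8(name_b + value)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, len(name), 24, 0, 0,
                       len(value), 24 + len(name_b), 0, 0) + body

def _nonres_attr(atype, name, runs, real_size, cluster=4096):
    name_b = name.encode("utf-16-le")
    body = _pad8(name_b + runs)
    n = sum(length for _, length in decode_data_runs(runs))
    return struct.pack("<IIBBHHHQQHHIQQQ", atype, 64 + len(body), 1, len(name), 64, 0, 0,
                       0, n - 1, 64 + len(name_b), 0, 0, n * cluster, real_size, real_size) + body

def build_record(attrs, flags=1):
    rec = bytearray(struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, flags,
                                0, MFT_RECORD, 0, 0, 0, 0)) + bytes(8)  # USA at 48, attrs at 56
    rec += b"".join(attrs) + struct.pack("<II", END_MARKER, 0)
    struct.pack_into("<I", rec, 24, len(rec))          # bytes in use
    rec += bytes(MFT_RECORD - len(rec))
    usn = b"\x2A\x00"
    rec[48:50] = usn
    for i in range(2):   # stash each sector's last two bytes in the USA and stamp the USN there
        end = (i + 1) * SECTOR
        rec[50 + 2 * i:52 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)

# three fragmented runs: 8 clusters at LCN 1000, 4 at LCN 744 (offset -256), 2 at LCN 760 (+16)
RUN_LIST = b"\x31\x08\xE8\x03\x00\x21\x04\x00\xFF\x11\x02\x10\x00"
SAMPLE_ATTRS = [_res_attr(0x10, "", bytes(48)),
                _nonres_attr(DATA, "", RUN_LIST, 56344),
                _res_attr(DATA, "hidden", b"secret payload")]  # the alternate data stream
SAMPLE_RECORD = build_record(SAMPLE_ATTRS)
DELETED_RECORD = build_record(SAMPLE_ATTRS, flags=0)  # in-use bit cleared, everything else intact

if __name__ == "__main__":
    rec = parse_mft_record(SAMPLE_RECORD)
    for a in rec["attrs"]:
        print(a["type_name"], repr(a["name"]), a.get("runs") or a.get("value"))
    print("alternate streams:", [a["name"] for a in alternate_streams(rec)])
```

Two things worth pointing out to students from the output: the main stream's clusters are VCN 0 to 13 from the file's point of view, but on disk they sit at LCN 1000 to 1007, 744 to 747 and 760 to 761, which is what a data run encodes; and the "hidden" stream is small enough to be resident, so its content sits inside the MFT record itself and never touches a data cluster. On a live Windows system the same streams are listed with dir /r or PowerShell's Get-Item -Stream *.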
NTFS Compressed Files
1. Explain that NTFS provides compression similar to FAT DriveSpace 3, which is a
2. Mention that most computer forensics tools can uncompress and analyze compressed
Windows data.
NTFS Encrypting File System (EFS)
1. Explain that Encrypting File System (EFS) was introduced with Windows 2000 and
3. Mention that users can apply EFS to files stored on their local workstations or a remote
EFS Recovery Key Agent
1. Explain that the Recovery Key Agent implements the recovery certificate, which is in
2. Describe how Windows administrators can recover a key using the following command-line
tools:
a. cipher
Deleting NTFS Files
1. Explain that when a file is deleted in Windows NT and later, the OS renames it and
2. Discuss the steps that the OS takes when a file or folder is deleted in Windows or File
Explorer.
Resilient File System
1. Introduce students to Microsoft’s new file system: Resilient File System (ReFS). Point
2. Discuss the following features that are incorporated into ReFS’s design:
3. Mention that ReFS uses disk structures similar to the MFT in NTFS.
Quick Quiz 1
1. ____ refers to a disk’s structure of platters, tracks, and sectors.
2. In Microsoft file structures, sectors are grouped to form ____, which are storage
allocation units of one or more sectors.
3. True or False: The Master Boot Record (MBR) is located at sector 0 of the disk drive.
4. Of particular interest when you’re examining NTFS disks are ____, which are ways
data can be appended to existing files.
5. The purpose of the ____ is to provide a mechanism for recovering encrypted files under
EFS if there’s a problem with the user’s original private key.
Understanding Whole Disk Encryption
1. Mention that in recent years, there has been more concern about loss of personal
2. Explain that to help prevent loss of information, software vendors now provide whole
disk encryption. Current whole disk encryption tools offer the following features:
3. Explain that whole disk encryption tools encrypt each sector of a drive separately. Many
4. Mention that to examine an encrypted drive, you must decrypt it first, which means you
Examining Microsoft BitLocker
1. Mention that Microsoft BitLocker is available with Vista Enterprise and Ultimate
2. Describe the current hardware and software requirements, including:
a. A computer capable of running Windows Vista or later (non-home editions)
b. The TPM microchip, version 1.2 or newer
Examining Third-Party Disk Encryption Tools
1. Describe some of the available third-party WDE utilities, including:
a. PGP Full Disk Encryption
Understanding the Windows Registry
1. Define the Windows Registry as a database that stores hardware and software
3. Explain that to view the Registry, you can use the Regedit (Registry Editor) program for
Exploring the Organization of the Windows Registry
1. Describe some of the following Registry terminology:
a. Registry
b. Registry Editor
2. Use Table 5-6 to describe how Registry files are organized in all Windows systems.
4. Use Table 5-7 to describe the Registry HKEYs and their functions.
Examining the Windows Registry
Understanding Microsoft Startup Tasks
1. In this section, you will learn what files are accessed when Windows starts. Explain that
Startup in Windows 7 and Windows 8
1. Point out that this section covers desktop and laptop computers running Windows 8,
2. Explain that in Windows Vista and later, the boot process uses a boot configuration data
3. Point out that in Windows 8, the BCD contains the boot loader that initiates the
Startup in Windows NT and Later
1. Explain that computers running Windows NT and later perform the following steps when the
computer is turned on:
a. Power-on self test (POST)
b. Initial startup
2. Explain that when Microsoft developed Vista, it updated the boot process to use the
new Extensible Firmware Interface (EFI) as well as the older BIOS system. Point out
that the Ntldr program in Windows XP used to load the OS has been replaced with these
three boot utilities:
3. Describe the startup Files for Windows XP, including:
a. NT Loader (NTLDR)
b. Boot.ini
d. NTDetect.com
e. NTBootdd.sys
5. Explain that when you start a Windows XP NTFS workstation, several files are
accessed immediately. The last access date and time stamp for the files change to the
Understanding Virtual Machines
1. Explain that a virtual machine allows you to create a representation of another computer
2. Mention that a virtual machine sees only the hardware the hypervisor presents to it. The
guest OS is limited by the resources and devices of the host machine it runs on.
3. Explain that in digital forensics, virtual machines make it possible to restore a suspect
4. From a network forensics standpoint, you need to be aware of some potential issues,
Creating a Virtual Machine
1. Mention that some popular applications for creating virtual machines are VMware
3. Supply students with the ISO image needed to complete the activity starting on page
234 of the textbook. Remind students that virtual machines are limited by the host
Quick Quiz 2
1. A single sign-on password, a fingerprint scan, or a token (USB device) are all examples
of the _____ feature found in whole disk encryption.
2. The _____ is a database in Windows that stores hardware and software configuration
information, network connections, user preferences (including usernames and
passwords), and setup information.
3. Specific branches located in HKEY_USERS and HKEY_LOCAL_MACHINE are
known as _____.
4. ____ is the Windows XP OS kernel, located in the %SystemRoot%\System32
folder.
5. A(n) ____ addresses the need for having a variety of resources by allowing you to
create a representation of another computer on an existing physical computer.
Class Discussion Topics
1. Mention at least three situations where Whole Disk Encryption (WDE) solutions are
required.
2. What are the advantages of using the Registry instead of initialization (.ini) files?
Additional Projects
1. Ask your students to read this article that describes the Google file system:
2. Ask your students to use the Internet to read more about journaling file systems such as
NTFS and ext3 (and how ext3 added journaling to ext2). Have them write a report with the most significant points,
Additional Resources
1. File system:
2. BIOS:
3. Master boot record:
4. NTFS:
5. Encrypting File System:
7. BitLocker Drive Encryption Technical Overview:
Key Terms
alternate data streams Ways in which data can be appended to a file (intentionally
or not) and potentially obscure evidentiary data. In NTFS, alternate data streams
which is a hidden file, to determine the address (boot sector location) of each OS. See
also NT Loader (NTLDR).
bootstrap process Information contained in ROM that a computer accesses during
startup; this information tells the computer how to access the OS and hard drive.
clusters Storage allocation units composed of groups of sectors. Clusters are 512,
Encrypting File System (EFS) A public/private key encryption first used in
Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric file
encryption key (FEK), and the FEK is then encrypted with the user's public key (and with
each recovery agent's public key); the matching private key is needed to recover the FEK
and decrypt the file.
File Allocation Table (FAT) The original Microsoft file structure database. It’s
written to the outermost track of a disk and contains information about each file stored
head The device that reads and writes data to a drive.
head and cylinder skew A method manufacturers use to minimize lag time. The
starting sectors of adjacent tracks are slightly offset from each other so that the next
sector arrives under the read-write head just after it finishes moving to the new track.
High Performance File System (HPFS) The file system IBM uses for its OS/2
operating system.
Info2 file In Windows NT, 2000, and XP, the control file for the Recycle Bin. It
contains ASCII data, Unicode data, and date and time of deletion.
NT Loader (NTLDR) A program located in the root folder of the system partition
that loads the OS. See also Bootsect.dos.
Ntoskrnl.exe The kernel for the Windows NT family of OSs.
one-time passphrase A password used to access special accounts or programs
requiring a high level of security, such as a decryption utility for an encrypted drive.
driver’s license number.
physical addresses The actual sectors in which files are located. Sectors reside at
the hardware and firmware level.
private key In encryption, the key used to decrypt the file. The file owner keeps the
private key.
2012. It allows increased scalability for disk storage and improved features for data
recovery and error checking.
sector A section on a track, typically made up of 512 bytes.
track density The space between tracks on a disk. The smaller the space between
tracks, the more tracks on a disk. Older drives with wider track densities allowed the
as nonresident files. If the disk is highly fragmented, the file's clusters are split across
several data runs. The LCN is the physical cluster location on the NTFS partition; VCNs
number a file's clusters sequentially from 0 regardless of where they sit on disk, and each
data run maps a range of VCNs to a starting LCN stored as a signed offset from the previous
run's LCN. See also data runs and logical cluster numbers (LCNs).
virtual hard disk (VHD) A file representing a system’s hard drive that can be