Chapter 05 Homework Explain That View The Registry You Can

Guide to Computer Forensics and Investigations, Fifth Edition 5-1

Chapter 5

Working with Windows and CLI Systems

At a Glance

Instructor’s Manual Table of Contents

• Overview

• Objectives

• Teaching Tips

• Quick Quizzes

Guide to Computer Forensics and Investigations, Fifth Edition 5-2

Lecture Notes

Overview

This chapter reviews how data is stored and managed on Microsoft operating systems

(OSs). To become proficient in recovering data for computer investigations, you should

understand file systems and their OSs, including Windows and command-line interface

Chapter Objectives

• Explain the purpose and structure of file systems

• Describe Microsoft file structures

• Explain the structure of NTFS disks

Teaching Tips

Understanding File Systems

1. Explain that the file system gives an OS a road map to data on a disk. The type of file

2. Mention that when you need to access a suspect’s computer to acquire or inspect data,

Understanding the Boot Sequence

1. Mention that to ensure that you don’t contaminate or alter data on a suspect’s system,

you must know how to access and modify a PC’s Complementary Metal Oxide

2. Explain that a computer stores system configuration and date and time information in

3. Explain that the bootstrap process is contained in ROM and tells the computer how to

proceed when booting. It displays the key or keys you press to open the CMOS setup

screen. The CMOS should be modified if you want to boot from a CD/DVD drive. Use

Figure 5-1 to illustrate your explanation.

Understanding Disk Drives

1. Explain that disk drives are made up of one or more platters coated with magnetic

material.

2. Use Figures 5-2 and 5-3 to describe some of the disk drive components, including:

a. Geometry

3. Describe some of the properties handled at the drive’s hardware or firmware level,

including:

a. Zone bit recording (ZBR)

Solid-State Storage Devices

1. Describe the wear-leveling feature that is found in all flash memory devices. Explain

2. Point out that when dealing with solid-state devices, making a full forensic copy as soon

Exploring Microsoft File Structures

1. Explain that in Microsoft file structures, sectors are grouped to form clusters, which are

2. Mention that clusters are typically 512 bytes up to 32,000 bytes each. Combining

sectors minimizes the overhead of writing or reading files to a disk.

3. Explain that clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT.

4. Explain that the OS assigns these cluster numbers, which are referred to as logical

Disk Partitions

1. Define a partition as a logical drive. Explain that Windows OSs can have three primary

partitions followed by an extended partition that can contain one or more logical drives.

2. Define hidden partitions or voids as large unused gaps between partitions on a disk

3. Explain that one way to examine a partition’s physical level is to use a disk editor, such

4. Use Figure 5-5 to show how to use Hex Workshop to identify file systems.

5. Mention that with tools such as Hex Workshop, you can also identify file headers to

Examining FAT Disks

and 2000.

2. Explain that a FAT database is typically written to a disk’s outermost track and contains

3. Describe the evolution of FAT versions using the following list:

a. FAT12

4. Mention that cluster sizes vary according to the hard disk size and file system. Use

Table 5-2 to illustrate your explanation.

5. Explain that Microsoft OSs allocate disk space for files by clusters. This practice results

7. Explain that when you run out of room for an allocated cluster, the OS allocates another

8. Explain that when the OS stores data in a FAT file system, it assigns a starting cluster

position to a file. Data for the file is written to the first sector of the first assigned

Deleting FAT Files

1. Explain that in the FAT file system, when a file is deleted, the directory entry is marked

2. Mention that the area of the disk where the deleted file resides becomes unallocated

disk space. This space is now available to receive new data from newly created files or

Guide to Computer Forensics and Investigations, Fifth Edition 5-6

Examining NTFS Disks

2. Improvements over FAT file systems include:

3. Explain that NTFS was Microsoft’s move toward a journaling file system. In NTFS,

everything written to the disk is considered a file.

5. Mention that NTFS results in much less file slack space. Clusters are smaller for smaller

disk drives. Use Table 5-3 to illustrate your explanation.

6. Mention that NTFS also uses Unicode, an international data format. Explain that

NTFS System Files

2. Explain that records in the MFT are referred to as metadata. Use Table 5-4 to illustrate

your explanation.

MFT and File Attributes

1. Mention that in the NTFS MFT, all files and folders are stored in separate records of

1024 bytes each.

2. Explain that each record contains file or folder information. This information is divided

4. Mention that files larger than 512 bytes are stored outside the MFT. An MFT record

provides cluster addresses where the file is stored on the drive’s partition. These

5. Explain that when a disk is created as an NTFS file structure, the OS assigns logical

6. Discuss the concept of a virtual cluster number (VCN). Point out that the value in

MFT Structures for File Data

1. Explain that the first section of an MFT record is the header that defines the size and

2. Use Figures 5-13 through 5-18 to discuss the attributes found after an MFT Header.

NTFS Alternate Data Streams

1. Define data streams as ways data can be appended to existing files. Data streams can

obscure valuable evidentiary data, intentionally or by coincidence.

2. Explain that in NTFS, a data stream becomes an additional file attribute and allows the

file to be associated with different applications. You can only tell whether a file has a

NTFS Compressed Files

1. Explain that NTFS provides compression similar to FAT DriveSpace 3, which is a

2. Mention that most computer forensics tools can uncompress and analyze compressed

Windows data.

NTFS Encrypting File System (EFS)

1. Explain that Encrypting File System (EFS) was introduced with Windows 2000 and

3. Mention that users can apply EFS to files stored on their local workstations or a remote

Guide to Computer Forensics and Investigations, Fifth Edition 5-8

EFS Recovery Key Agent

1. Explain that the Recovery Key Agent implements the recovery certificate, which is in

2. Describe how Windows administrators can recover a key using the following MS-DOS

commands:

a. cipher

Deleting NTFS Files

1. Explain that when a file is deleted in Windows NT and later, the OS renames it and

2. Discuss the steps that the OS takes when a file or folder is deleted in Windows or File

Explorer.

Resilient File System

1. Introduce students to Microsoft’s new file system: Resilient File System (ReFS). Point

2. Discuss the following features that are incorporated into ReFS’s design:

3. Mention that ReFS uses disk structures similar to the MFT in NTFS.

Quick Quiz 1

1. ____ refers to a disk’s structure of platters, tracks, and sectors.

2. In Microsoft file structures, sectors are grouped to form ____, which are storage

allocation units of one or more sectors.

3. True or False: The Master Boot Record (MBR) is located at sector 0 of the disk drive.

4. Of particular interest when you’re examining NTFS disks are ____, which are ways

data can be appended to existing files.

5. The purpose of the ____ is to provide a mechanism for recovering encrypted files under

EFS if there’s a problem with the user’s original private key.

Understanding Whole Disk Encryption

1. Mention that in recent years, there has been more concern about loss of personal

2. Explain that to help prevent loss of information, software vendors now provide whole

disk encryption. Current whole disk encryption tools offer the following features:

3. Explain that whole disk encryption tools encrypt each sector of a drive separately. Many

4. Mention that to examine an encrypted drive, you must decrypt it first, which means you

Examining Microsoft BitLocker

1. Mention that Microsoft BitLocker is available with Vista Enterprise and Ultimate

2. Describe the current hardware and software requirements, including:

a. A computer capable of running Windows Vista or later (non-home editions)

b. The TPM microchip, version 1.2 or newer

Guide to Computer Forensics and Investigations, Fifth Edition 5-10

Examining Third-Party Disk Encryption Tools

1. Describe some of the available third-party WDE utilities, including:

a. PGP Full Disk Encryption

Understanding the Windows Registry

1. Define the Windows Registry as a database that stores hardware and software

3. Explain that to view the Registry, you can use the Regedit (Registry Editor) program for

Exploring the Organization of the Windows Registry

1. Describe some of the following Registry terminology:

a. Registry

b. Registry Editor

2. Use Table 5-6 to describe how Registry files are organized in all Windows systems.

4. Use Table 5-7 to describe the Registry HKEYs and their functions.

Guide to Computer Forensics and Investigations, Fifth Edition 5-11

Examining the Windows Registry

Understanding Microsoft Startup Tasks

1. In this section, you will learn what files are accessed when Windows starts. Explain that

Startup in Windows 7 and Windows 8

1. Point out that this section covers desktop and laptop computers running Windows 8,

2. Explain that in Windows Vista and later, the boot process uses a boot configuration data

3. Point out that in Windows 8, the BCD contains the boot loader that initiates the

Startup in Windows NT and Later

1. Explain that all NTFS computers perform the following steps when the computer is

turned on:

a. Power-on self test (POST)

b. Initial startup

2. Explain that when Microsoft developed Vista, it updated the boot process to use the

new Extensible Firmware Interface (EFI) as well as the older BIOS system. Point out

that the Ntldr program in Windows XP used to load the OS has been replaced with these

three boot utilities:

3. Describe the startup Files for Windows XP, including:

a. NT Loader (NTLDR)

b. Boot.ini

Guide to Computer Forensics and Investigations, Fifth Edition 5-12

d. NTDetect.com

e. NTBootdd.sys

5. Explain that when you start a Windows XP NTFS workstation, several files are

accessed immediately. The last access date and time stamp for the files change to the

Understanding Virtual Machines

1. Explain that a virtual machine allows you to create a representation of another computer

2. Mention that a virtual machine recognizes components of the physical machine it’s

loaded on. The virtual OS is limited by the physical machine’s OS.

3. Explain that in digital forensics, virtual machines make it possible to restore a suspect

4. From a network forensics standpoint, you need to be aware of some potential issues,

Creating a Virtual Machine

1. Mention that some popular applications for creating virtual machines are VMware

3. Supply students with the ISO image needed to complete the activity starting on page

234 of the textbook. Remind students that virtual machines are limited by the host

Guide to Computer Forensics and Investigations, Fifth Edition 5-13

Quick Quiz 2

1. A single sign-on password, a fingerprint scan, or a token (USB device) are all examples

of the _____ feature found in whole disk encryption.

2. The _____ is a database in Windows that stores hardware and software configuration

information, network connections, user preferences (including usernames and

passwords), and setup information.

3. Specific branches located in HKEY_USER and HKEY_LOCAL_MACHINE are

known as _____.

4. ____ is the Windows XP OS kernel, located in the %system-root%\Windows\System32

folder.

5. A(n) ____ addresses the need for having a variety of resources by allowing you to

create a representation of another computer on an existing physical computer.

Class Discussion Topics

1. Mention at least three situations where Whole Disk Encryption (WED) solutions are

required.

2. What are the advantages of using the Registry instead of initialization (.ini) files?

Additional Projects

1. Ask your students to read this article that describes the Google file system:

2. Ask your students to use the Internet to read more about journaling file systems such as

NTFS, extfs2, and extfs3. Have them write a report with the most significant points,

Guide to Computer Forensics and Investigations, Fifth Edition 5-14

Additional Resources

1. File system:

2. BIOS:

3. Master boot record:

4. NTFS:

5. Encrypting File System:

7. BitLocker Drive Encryption Technical Overview:

Key Terms

➢ alternate data streams — Ways in which data can be appended to a file (intentionally

or not) and potentially obscure evidentiary data. In NTFS, alternate data streams

which is a hidden file, to determine the address (boot sector location) of each OS. See

also NT Loader (NTLDR).

➢ bootstrap process — Information contained in ROM that a computer accesses during

startup; this information tells the computer how to access the OS and hard drive.

➢ clusters — Storage allocation units composed of groups of sectors. Clusters are 512,

➢ Encrypting File System (EFS) — A public/private key encryption first used in

Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key,

and then a public/private key is used to encrypt the symmetric key.

➢ File Allocation Table (FAT) — The original Microsoft file structure database. It’s

written to the outermost track of a disk and contains information about each file stored

➢ head — The device that reads and writes data to a drive.

➢ head and cylinder skew — A method manufacturers use to minimize lag time. The

starting sectors of tracks are slightly offset from each other to move the read-write head.

➢ High Performance File System (HPFS) — The file system IBM uses for its OS/2

operating system.

➢ Info2 file — In Windows NT, 2000, and XP, the control file for the Recycle Bin. It

contains ASCII data, Unicode data, and date and time of deletion.

➢ NT Loader (NTLDR) — A program located in the root folder of the system partition

that loads the OS. See also Bootsect.dos.

➢ Ntoskrnl.exe — The kernel for the Windows NT family of OSs.

➢ one-time passphrase — A password used to access special accounts or programs

requiring a high level of security, such as a decryption utility for an encrypted drive.

driver’s license number.

➢ physical addresses — The actual sectors in which files are located. Sectors reside at

the hardware and firmware level.

➢ private key — In encryption, the key used to decrypt the file. The file owner keeps the

private key.

2012. It allows increased scalability for disk storage and improved features for data

recovery and error checking.

➢ sector — A section on a track, typically made up of 512 bytes.

➢ track density — The space between tracks on a disk. The smaller the space between

tracks, the more tracks on a disk. Older drives with wider track densities allowed the

as nonresident files. If the disk is highly fragmented, VCNs are assigned and list the

additional space needed to store the file. The LCN is a physical location on the NTFS

partition; VCNs are the offset from the previous LCN data run. See also data runs and

logical cluster numbers (LCNs).

➢ virtual hard disk (VHD) — A file representing a system’s hard drive that can be