COMP 4027 Windows and Forensics - PowerPoint PPT Presentation

Title: COM4027 Module 5 Windows Forensics. Author: UniSA. Last modified by: Helen Ashman. Created: 8/21/2005 8:48:31 AM. Document presentation format: PowerPoint PPT presentation.



1
COMP 4027 Windows and Forensics
2
MS File structures
  • Need to understand MS file structures to know
    where files are stored in Windows
  • Need to understand clusters, File Allocation
    Table (FAT) and NTFS
  • Need to know how the OS stores data to know where
    files and parts of files may be hidden

3
Exploring Microsoft File Structures
  • Sectors are grouped into clusters
  • Cluster: a storage allocation unit of 512, 1024,
    2048, 4096, or more bytes
  • Logical address: clusters are numbered
    sequentially, and the number is assigned by the
    operating system
  • Physical address: sectors are addresses that
    reside at the hardware or firmware level
4
Exploring Microsoft File Structures
  • Many hard disks are partitioned
  • Partition: a logical drive on a disk. It can be
    the entire disk or a portion thereof
  • Inner-Partition Gap: partitions created with
    unused space or voids between the primary
    partition and the first logical partition
  • An editor can be used to edit the partition table
    and hide this gap
5
Exploring Microsoft File Structures
6
Exploring Microsoft File Structures
7
Exploring Microsoft File Structures
  • Master Boot Record (MBR): on Windows and DOS
    computer systems, the boot disk file, which
    contains information regarding the files on a
    disk and their locations, size, and other
    critical items
8
Exploring Microsoft File Structures
  • File Allocation Table (FAT): the original file
    structure database that Microsoft designed for
    floppy disks, used prior to Windows NT and 2000
  • It is written to the outermost track of a disk
    and contains information about each file stored
    on the drive
  • The variations are FAT12, FAT16, and FAT32
9
Exploring Microsoft File Structures
Cluster sizes vary according to size of disk and
file system
10
Exploring Microsoft File Structures
  • Disk space is allocated by cluster
  • Results in drive slack
  • If you create a 5000-byte Word file on a FAT16
    1.6 GB disk, the OS reserves 1 cluster
  • However, in FAT16, 32,000 bytes are allocated to
    your file, leaving 27,000 bytes of file slack
  • The 5000-byte file uses 10 sectors (5120 bytes),
    so 120 bytes are spare as RAM slack, where any
    information in RAM is put, such as login ID,
    password, etc.
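
The slack arithmetic above, as an added worked example (not part of the original slides). Sector and cluster sizes are parameters; the defaults assume 512-byte sectors and the 32 KB (32,768-byte) cluster that FAT16 uses on a volume of this size, so the slide's rounded 32,000 and 27,000 figures come out as the exact 32,768 and 27,768:

```python
# Added example: slack-space arithmetic for a FAT-style volume (not code from
# the slides). Defaults assume 512-byte sectors and 32 KB clusters, i.e. the
# FAT16 geometry for the slide's 1.6 GB disk.
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class SlackReport:
    file_size: int
    sectors_used: int
    clusters_used: int
    allocated_bytes: int
    ram_slack: int    # end of the data to the end of its last sector
    drive_slack: int  # end of the last used sector to the end of the cluster
    file_slack: int   # ram_slack + drive_slack: all unused space in the allocation


def slack_for(file_size: int, sector_size: int = 512,
              cluster_size: int = 32 * 1024) -> SlackReport:
    """Compute how much of a file's allocation is slack, as on slide 10."""
    if file_size < 0 or sector_size <= 0 or cluster_size % sector_size:
        raise ValueError("cluster size must be a whole number of sectors")
    # A zero-length file gets no cluster at all, so every figure below is 0.
    sectors = math.ceil(file_size / sector_size)
    clusters = math.ceil(file_size / cluster_size)
    allocated = clusters * cluster_size
    ram_slack = sectors * sector_size - file_size
    drive_slack = allocated - sectors * sector_size
    return SlackReport(file_size, sectors, clusters, allocated,
                       ram_slack, drive_slack, ram_slack + drive_slack)


def describe(report: SlackReport) -> str:
    """One-line summary suitable for an examiner's notes."""
    return (f"{report.file_size} bytes -> {report.sectors_used} sectors in "
            f"{report.clusters_used} cluster(s) ({report.allocated_bytes} bytes "
            f"allocated): RAM slack {report.ram_slack}, drive slack "
            f"{report.drive_slack}, file slack {report.file_slack}")


if __name__ == "__main__":
    print(describe(slack_for(5000)))    # the slide's Word document
    print(describe(slack_for(5120)))    # exactly fills 10 sectors: no RAM slack
    print(describe(slack_for(32769)))   # one byte over: a second cluster is allocated
```

Running the module prints the report for the slide's 5000-byte file alongside the two boundary cases (a file that exactly fills its sectors, and one byte past a cluster boundary). One caveat on the RAM-slack point: the leakage of memory contents into the padding of the last sector is a Windows 9x behaviour; NT-based Windows zero-fills that padding, so on an NT/2000/XP image the RAM slack is normally empty.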

11
Exploring Microsoft File Structures
12
Exploring Microsoft File Structures
  • Space provided to reduce fragmentation of the file
  • If the file fills up the reserved 27000 bytes then
    another cluster is allocated, producing more slack
    space
  • As the file grows, clusters are chained together,
    usually contiguously
  • As files are created, deleted etc., the chain can
    be broken, fragmented or lost

13
Exploring Microsoft File Structures
14
Exploring Microsoft File Structures
  • End-of-File Marker: 0x0FFFFFFF. This code is
    typically used with FAT file systems to show
    where the file ends
  • When a file is deleted only the reference to it
    is removed; this area can receive new data
  • Unallocated Disk Space: the area of disk where
    the deleted file resides
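
An added example (not from the slides) of how the end-of-chain marker and the FAT entries fit together: following a FAT32 cluster chain from a file's first cluster until an end-of-file value, and the guess a recovery tool has to make once deletion has zeroed the chain. The 16-entry table is constructed for the example; in FAT32 only the low 28 bits of each entry are significant, and any value from 0x0FFFFFF8 to 0x0FFFFFFF means end of chain:

```python
# Added example: following a FAT32 cluster chain (not code from the slides).
# FAT32 entries are 32 bits wide but only the low 28 bits are used.
FAT32_MASK = 0x0FFFFFFF
FREE = 0x00000000       # cluster not allocated to any file
BAD = 0x0FFFFFF7        # cluster marked unusable
EOC_MIN = 0x0FFFFFF8    # 0x0FFFFFF8..0x0FFFFFFF: end of chain (the slide's 0x0FFFFFFF)

# Constructed 16-entry table for the example. Index = cluster number; value =
# next cluster in the chain, or one of the special codes above.
SAMPLE_FAT = [
    0x0FFFFFF8, 0xFFFFFFFF,   # entries 0 and 1 are reserved (media type, flags)
    3, 4, 0x0FFFFFFF,         # file A: 2 -> 3 -> 4 -> EOF
    7, FREE, 0x0FFFFFFF,      # file B: 5 -> 7 -> EOF (fragmented around free 6)
    FREE, FREE, FREE,         # 8..10: freed by a deletion, data still on disk
    BAD,                      # 11: bad cluster
    13, 12,                   # 12 <-> 13: corrupt chain that loops
    0x0FFFFFFF, FREE,         # 14: single-cluster file; 15: free
]


def follow_chain(fat, first_cluster):
    """Walk the chain from first_cluster. Returns (clusters, status) where status
    is 'eof' for a clean chain or names the defect that stopped the walk."""
    chain, seen, cluster = [], set(), first_cluster
    while True:
        if cluster < 2 or cluster >= len(fat):
            return chain, "out-of-range"
        if cluster in seen:
            return chain, "loop"
        seen.add(cluster)
        chain.append(cluster)
        entry = fat[cluster] & FAT32_MASK
        if entry >= EOC_MIN:
            return chain, "eof"
        if entry == FREE:
            # The slide's deletion case: a directory entry may still point
            # here, but the chain itself has been zeroed.
            return chain, "broken"
        if entry == BAD:
            return chain, "bad"
        cluster = entry


def guess_deleted_chain(fat, first_cluster, file_size, cluster_size):
    """Deletion zeroes the FAT entries, so the chain cannot be followed. The
    usual recovery heuristic assumes the file was contiguous and takes the next
    ceil(file_size / cluster_size) clusters that are still free, stopping at
    the first one that has been reallocated or is marked bad."""
    needed = -(-file_size // cluster_size)   # ceiling division
    chain = []
    for cluster in range(first_cluster, first_cluster + needed):
        if cluster >= len(fat) or (fat[cluster] & FAT32_MASK) != FREE:
            break
        chain.append(cluster)
    return chain


if __name__ == "__main__":
    for start in (2, 5, 8, 11, 12, 14):
        print(start, follow_chain(SAMPLE_FAT, start))
    print("recovery guess for the deleted file at 8:",
          guess_deleted_chain(SAMPLE_FAT, 8, 5000, 4096))
```

The status value matters more than the cluster list when examining an image: "broken" on a chain whose directory entry still exists is the signature of a deleted file, "loop" or "bad" points at corruption or a damaged disk, and the contiguity guess in the second function is only a guess, which is why slide 27 warns that carved data may be out of sync with the metadata.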
15
Examining NTFS Disks
  • New Technology File System: introduced when
    Microsoft created Windows NT. NTFS is the primary
    file system for Windows XP
  • NTFS uses security features, allows for smaller
    cluster sizes, and uses Unicode, which makes it a
    much more versatile operating system
  • Much less slack space
  • Everything on the disk is a file
16
Examining NTFS Disks
  • Partition Boot Sector: the first data set of an
    NTFS disk. It starts at sector 0 of the disk
    drive and it can be expanded up to 16 sectors
  • Master File Table: used by NTFS to track files,
    like FAT. It contains information about the
    access rights, date and time stamps, system
    attributes, and parts of the file
  • 12.5% of the disk on creation; can be up to 50%
17
Examining NTFS Disks
18
Examining NTFS Disks
  • Unicode: a 16-bit character code representation
    that is replacing ASCII. It is capable of
    representing over 64,000 characters
  • American Standard Code for Information
    Interchange (ASCII): a coding scheme using 7 or 8
    bits that assigns numeric values up to 256
    characters, including letters, numerals,
    punctuation marks, control characters, and other
    symbols
19
Examining NTFS Disks
Meta-Data In NTFS, this refers to information
stored in the MFT.
20
Examining NTFS Disks
21
Examining NTFS Disks
22
Examining NTFS Disks
  • All files and folders have attributes (eg. name,
    security, data). Each attribute has a code
  • Resident attributes: when referring to the MFT,
    all attributes that are stored in the MFT of the
    NTFS
  • Nonresident attributes: when referring to the MFT
    of the NTFS, all data that is stored in a
    location separate from the MFT
23
Examining NTFS Disks
24
Examining NTFS Disks
  • Logical Cluster Numbers (LCNs): used by the MFT
    of NTFS. It refers to a specific physical
    location on the drive
  • Virtual Cluster Number (VCN): when a file is
    saved in the NTFS, it is assigned both a logical
    cluster number and a virtual cluster number. The
    logical cluster is a physical location, while
    the virtual cluster consists of chained clusters
25
Examining NTFS Disks
26
Examining NTFS Disks
Multiple Data Streams Ways in which data can be
appended to a file intentionally or not. In NTFS,
it becomes an additional data attribute of the
file.
27
Searching for evidence
  • If metadata entry is unallocated then we can
    recover metadata links and properties
  • May be out of sync if we are unsure whether data
    units are allocated to new files
  • Very difficult to determine
  • Compressed files are also a challenge since the
    tool used to recover the compressed file must
    support the same algorithm

28
Application level searching
  • Many application files have a structure and
    signature type
  • Data carving can be carried out, where a chunk
    of data is searched for signatures of the
    beginning and end of a file, eg standard jpg
    headers and footers
  • Eg the tool foremost has signatures that it
    searches for
  • Eg jpg y 200000 \xff\xd8 \xff\xd9
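
An added example (not from the slides and not foremost's own code) of the header/footer carving the slide describes. It parses a foremost-style signature line of the shape shown above (extension, case-sensitive flag, maximum size, header, footer) and carves every match out of a constructed byte buffer; the buffer and the simplified two-byte JPEG header are assumptions made for the example:

```python
# Added example: header/footer carving in the style of a foremost signature
# line (not the slides' code and not foremost's). The buffer below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    extension: str
    case_sensitive: bool
    max_size: int
    header: bytes
    footer: bytes


def parse_signature(line: str) -> Signature:
    """Parse 'ext y|n maxsize header [footer]' with \\xNN byte escapes, as on
    the slide: jpg y 200000 \\xff\\xd8 \\xff\\xd9"""
    ext, case, size, header, *rest = line.split()

    def unescape(field: str) -> bytes:
        return field.encode("latin-1").decode("unicode_escape").encode("latin-1")

    footer = unescape(rest[0]) if rest else b""
    return Signature(ext, case.lower() == "y", int(size), unescape(header), footer)


def carve(data: bytes, sig: Signature):
    """Return [(offset, bytes)] for every header hit. Each object ends at the
    first footer within max_size bytes of the header, or is cut at max_size
    (or the end of the buffer) when no footer is found, as foremost does."""
    hay, header, footer = data, sig.header, sig.footer
    if not sig.case_sensitive:          # only meaningful for ASCII signatures
        hay, header, footer = data.lower(), header.lower(), footer.lower()
    found = []
    pos = hay.find(header)
    while pos != -1:
        end = min(len(data), pos + sig.max_size)
        if footer:
            hit = hay.find(footer, pos + len(header), end)
            if hit != -1:
                end = hit + len(footer)
        found.append((pos, data[pos:end]))
        pos = hay.find(header, end)     # resume after the carved object
    return found


# Constructed unallocated-space sample: one complete JPEG-like object, one
# whose footer was never written (truncated file), with zero filler between.
FILLER = b"\x00" * 64
JPEG_A = b"\xff\xd8\xff\xe0" + b"A" * 40 + b"\xff\xd9"
JPEG_B = b"\xff\xd8\xff\xe1" + b"B" * 20
SAMPLE = FILLER + JPEG_A + FILLER + JPEG_B + FILLER

JPG = parse_signature(r"jpg y 200000 \xff\xd8 \xff\xd9")   # the slide's line

if __name__ == "__main__":
    for offset, blob in carve(SAMPLE, JPG):
        complete = blob.endswith(JPG.footer)
        print(f"{JPG.extension} at offset {offset}: {len(blob)} bytes, "
              f"{'footer found' if complete else 'no footer, cut at limit'}")
```

Two practical points follow from the code. foremost's shipped configuration uses longer, more specific header bytes than the two shown on the slide, because \xff\xd8 alone produces false hits in random data. And a JPEG that carries an embedded EXIF thumbnail contains the thumbnail's own \xff\xd9 before the image's, so a footer-based carver stops early and the recovered picture is truncated; checking that each carved file actually decodes is the usual sanity step.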

29
Examining NTFS Disks
  • Encrypted File System (EFS): encryption first
    used in Windows 2000 on NTFS formatted disks
  • If a user encrypts a file, a recovery certificate
    is generated and sent to the admin account;
    otherwise the file will automatically decrypt on
    use
30
Examining NTFS Disks
  • EFS recovery agent functions (DOS commands):
  • CIPHER
  • COPY
  • EFSRECVER

31
Examining NTFS Disks
  • Deleting files:
  • File is renamed and moved to the recycle bin
  • Windows stores info about the path in the Info2
    file
  • Files are permanently deleted in the same way as
    in FAT
  • Associated clusters marked as free for new data
  • BITMAP attribute updated to reflect deletion
  • File attribute record marked as being available
  • Any linking nodes and VCN/LCN cluster removed
  • Any link references removed

32
Understanding Microsoft Boot Tasks
  • Need to understand boot tasks to know what might
    be altered if you had to boot up
  • Windows XP, 2000, and NT startup:
  • Power-on self test
  • Initial startup
  • Boot loader
  • Hardware detection and configuration
  • Kernel loading
  • User logon

33
Understanding Microsoft Boot Tasks
  • Windows XP startup
  • NT Loader (NTLDR): loads Windows NT. It is located
    in the root folder of the system partition
  • Reads boot.ini to display the boot menu
  • Runs Ntoskrnl.exe and Bootvid.dll, Hal.dll and
    device drivers
34
Understanding Microsoft Boot Tasks
  • Boot.ini: specifies the Windows NT installation
    path.
  • BootSect.dos: contains the address of the boot
    sector location of each operating system.
  • NTDetect.com: a command file that identifies
    hardware components during bootup and sends the
    information to NTLDR.

35
Understanding Microsoft Boot Tasks
  • NTBootdd.sys: device driver that allows access
    to SCSI or ATA drives that are not related to
    the BIOS
  • Ntoskrnl.exe: the Windows NT operating system
    kernel. It is located in the Windows\System32
    folder
  • Hal.dll: hardware abstraction layer dynamic link
    library. It tells the operating system kernel
    how to interface with the hardware
  • Device drivers: contain instructions for the
    operating system for hardware devices
36
Understanding Microsoft Boot Tasks
37
Understanding Microsoft Boot Tasks
  • When you start Win NT or older NTFS, several files
    are immediately accessed and thus their dates
    change to the current date

38
Understanding Microsoft Boot Tasks
DOS Protected-Mode Interface (DPMI) Used by
many computer forensics tools that do not operate
in the Windows environment.
39
Understanding Microsoft Boot Tasks
40
Understanding Microsoft Boot Tasks
  • Command.com: provides a prompt when booting to
    MS-DOS mode. User interface for the MS-DOS
    operating system. Contains the following
    commands:
  • DIR
  • CD
  • CLS
  • DATE
  • COPY
  • DEL

41
Understanding Microsoft Boot Tasks
  • MD
  • PATH
  • PROMPT
  • RD
  • SET
  • TIME
  • TYPE
  • VER
  • VOL

42
Understanding MS-DOS Startup Tasks
  • IO.SYS: the first file loaded after the ROM
    bootstrap loader finds the operating system.
    This file allows for communication between the
    computer's BIOS and hardware, and with MS-DOS
    code
  • MSDOS.SYS: a hidden text file that contains
    startup options for Windows 9x. In MS-DOS, this
    file is the operating system kernel
  • CONFIG.SYS: a text file that contains commands
    that are typically run only at system startup
43
Understanding MS-DOS Startup Tasks
  • AUTOEXEC.BAT: an automatically executed batch
    file that contains customized commands and
    settings for MS-DOS
44
Understanding MS-DOS Startup Tasks
45
Summary
  • The Microsoft operating systems used FAT12 and
    FAT16 on older systems such as MS-DOS, Windows
    3.X and Windows 9x.
  • The Registry on older Windows OSs is used to keep
    a record of hardware attached, user preferences,
    network information, and installed software.
  • The capacity of a hard disk is obtained by using
    the cylinders, heads, and sectors. To find the
    capacity of a disk, multiply the number of heads,
    sectors, and tracks.

46
Summary
  • Clusters are used to accommodate large files.
    Sectors are grouped into clusters and clusters
    are chained to minimize the overhead of reading
    and writing files to a disk.
  • The New Technology File System is more versatile
    because it uses the MFT to track information such
    as security items, the first 750 bytes of data,
    long and short filenames, and a list of
    nonresident attributes.
  • File slack, RAM slack, and drive slack are all
    areas in which valuable information may reside on
    a drive.

47
Summary
  • To be an effective computer forensics
    investigator, you need to maintain a library of
    older operating systems and applications.
  • NTFS uses Unicode to store information. Unicode
    is an international code and uses a 16-bit
    configuration instead of an 8-bit configuration
    used by ASCII.
  • Hexadecimal codes provide information about files
    and OSs. You can determine the file type by using
    various tools such as WinHex and Hex Workshop.

48
Summary
  • NTFS uses inodes to link file attribute records
    to other file attribute records. Attributes fall
    into two categories: resident and nonresident.
  • NTFS can compress individual files, folders, or
    entire partitions. FAT16 can only compress entire
    volumes.