Week 5 Flashcards

1
Q

Windows Version History (1)

A

Began as MS-DOS (Microsoft Disk Operating System)
▪ Command-prompt-only system, no GUI
▪ 16-bit, very basic

2
Q

Windows Version History (2)

A

Windows 3.1 (1992) was the first widely adopted version of Windows with a
graphical user interface (GUI); Windows 1.x/2.x had one too but saw little use
▪ Provided mouse usage, click & drag, etc.

3
Q

Windows Version History (3)

A

Progressed to Windows XP (2001), built on the NT kernel
▪ Allowed for a higher volume of data storage & more advanced capability;
NTFS became the default file system on consumer PCs

4
Q

Windows Version History (4)

A

Windows Vista through Windows 8
▪ Re-organized the file system structure & where certain items are stored
by default (e.g. user profiles moved from C:\Documents and Settings to
C:\Users, the Recycle Bin from RECYCLER to $Recycle.Bin)

5
Q

Windows Version History (5)

A

Windows 10/11
▪ Integrated cloud-based applications & storage
▪ MS OneDrive, Microsoft account sign-in, etc.
▪ Virtual volumes (e.g. mounted VHD/VHDX images) also in use on Windows 11

6
Q

Windows Version History (6)

A

Windows systems are formatted in NTFS
▪ Tracks every file in a Master File Table (MFT) and journals changes
($LogFile, $UsnJrnl), which allows for better tracking of files
▪ Allows for much larger volumes & files than FAT
▪ Allows for permissions (ACLs), compression, file encryption (EFS) & recovery partitions

7
Q

What happens when Windows is Installed on a PC?

A

Drive is formatted in NTFS
▪ New Technology File System
Drive is partitioned for Windows use
▪ Partitioning = dividing up the PHYSICAL
media into LOGICAL storage volumes
▪ Setup creates a System partition, a Reserved/Recovery partition & the Primary (Windows) partition
Partitions
▪ System = boot files (the EFI System Partition on UEFI, "System Reserved" on legacy BIOS/MBR); stores no user data, but the computer will not boot without it
▪ Reserved = on UEFI/GPT disks a small Microsoft Reserved (MSR) partition with no file system; the separate Recovery partition (WinRE) is the life preserver of the system
▪ Primary = the Windows volume (C:), where the OS and the user data (i.e., the good stuff) usually reside (EVIDENCE)

8
Q

Windows Disk Manager

A

Disk Management (diskmgmt.msc) shows each physical disk, its size, and the logical partitions/volumes on it, with their drive letters and file systems.

9
Q

ROOT

A

The top-level (root) directory of the main/primary partition on a Windows
system

It is given the drive letter C: (the path is C:\; Windows uses backslashes)

10
Q

What are the main folders called and what are the sub-folders called?

A

Main folders = parent (objects)
Sub-folders & files inside them = child objects

11
Q

What does each drive plugged in after C:/ get?

A

The next available letter (D:, E:, …). A: and B: are reserved for floppy drives by convention, so the alphabet effectively starts at C: for the system volume.

12
Q

True/False: Two drives cannot have the same letter in 1 system.

A

True. A drive letter maps to exactly one volume at a time (a volume can also be mounted into an NTFS folder, or have no letter at all, so "no letter" does not mean "no volume").

13
Q

What happens to the “child objects” when a “parent” folder is marked for
deletion?

A

They are also marked for deletion.

14
Q

When files are marked for deletion, are they actually deleted? Can they still be recovered? Is the data gone? What does this mean for analysis?

A

No. Deleting a file only marks its metadata entry (the MFT record on NTFS, the directory entry and FAT chain on FAT) as unallocated; the content stays on disk until those clusters are reused, and when that happens is not predictable. The data can therefore often be recovered, and the deletion time frequently can be too: a file sent to the Recycle Bin gets a $I record holding its original path, size and deletion FILETIME, and NTFS's $UsnJrnl logs the delete. The data is not gone!
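The deletion-time point above is concrete enough to show in code. The block below is an added example, not part of the course notes: it parses the Recycle Bin `$I` metadata record Windows writes next to each deleted file (the `$R` file holds the content), for both the Vista-era version 1 layout and the Windows 10/11 version 2 layout. The sample records are constructed in the block itself; the paths, sizes and times are made up.

```python
"""Parse Windows Recycle Bin $I metadata records (added example, not course material).

When a file is deleted via Explorer it is moved into C:\\$Recycle.Bin\\<user SID>\\:
the content becomes $R<6 random chars><ext> and a small $I<same chars><ext> record is
written holding the original path, size and deletion time. The $I layout:
  offset 0   uint64 LE  version (1 = Vista..Win8.1, 2 = Windows 10/11)
  offset 8   uint64 LE  original file size in bytes
  offset 16  uint64 LE  deletion time as FILETIME (100-ns ticks since 1601-01-01 UTC)
  v1: offset 24  520 bytes  original path, UTF-16LE, NUL padded
  v2: offset 24  uint32 LE  path length in UTF-16 code units (incl. terminating NUL)
      offset 28  that many code units of UTF-16LE path
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample records."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_record(data: bytes) -> dict:
    """Decode one $I file. Raises ValueError on an unknown version or a truncated record."""
    if len(data) < 24:
        raise ValueError("record too short")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (n_units,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + 2 * n_units]
    else:
        raise ValueError(f"unknown $I version {version}")
    # cut at the first NUL: v1 is padded, v2 counts the terminator
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def build_i_record(version: int, path: str, size: int, deleted_at: datetime) -> bytes:
    """Construct a $I record (only for the constructed samples below)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(encoded) // 2) + encoded


# Constructed samples, not taken from any real system.
SAMPLE_V2 = build_i_record(2, r"C:\Users\alice\Documents\payroll_export.xlsx",
                           48_213, datetime(2024, 3, 15, 10, 30, 0, tzinfo=timezone.utc))
SAMPLE_V1 = build_i_record(1, r"D:\photos\IMG_0042.jpg",
                           2_048_000, datetime(2013, 7, 4, 18, 5, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    for rec in (SAMPLE_V2, SAMPLE_V1):
        info = parse_i_record(rec)
        print(f"v{info['version']}  {info['deleted_at'].isoformat()}  "
              f"{info['original_size']:>10} B  {info['original_path']}")
```

Two practical notes: the SID in the `$Recycle.Bin` folder name tells you which account did the deleting, and a file deleted with Shift+Delete or from the command line never gets a `$I` record, so the absence of one does not mean the file was never there (that case is what the $UsnJrnl is for).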

15
Q

“orphan files”

A

Deleted files whose parent directory entry has itself been deleted or overwritten, so the forensic tool cannot place them in the folder tree and lists them on their own (most often the result of a parent folder being removed).

16
Q

What’s in a Windows File System?

A

Program Files
Program Data (hidden)
Windows administrative files
User files
▪ Organized by account name or Security Identifier (SID)
▪ Each account has a "familiar" name and a name assigned
by Windows upon creation of the account
▪ That assigned name is the Security Identifier, or SID
▪ Files are associated with programs by file extension
Windows User Security Identifier (SID)
▪ Assigned by Windows upon initial account creation
▪ SIDs are not recycled if a user account is removed
▪ SIDs are unique to one account over the life span of the Windows install
▪ SIDs help track ownership of files (the SID, not the name, is what NTFS stores as a file's owner)
▪ Format: S-1-5-21-<three machine- or domain-specific numbers>-<RID>; the last number (the relative identifier, RID) is the per-account part
▪ For home/stand-alone PCs, user-created accounts usually start at RID 1000 or 1001, then 1002 & so on…
▪ For domain-joined units, RIDs can be much higher
▪ Windows also has default RIDs for built-in accounts: 500 = Administrator, 501 = Guest, etc.
▪ The SID-to-profile-folder mapping lives in SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
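SIDs are stored in binary on disk (as a file's owner in its NTFS security descriptor, for example) and shown as strings by tools, so it helps to know both forms. The block below is an added example, not from the course notes: it converts between the binary and string forms and classifies a SID by its RID along the lines of the card (500/501 built-in, 1000+ user-created). The machine ID 1111-2222-3333 and the account SIDs are constructed.

```python
"""Decode and classify Windows Security Identifiers (added example, not course material).

Binary SID layout:
  byte 0      revision (always 1)
  byte 1      number of sub-authorities
  bytes 2-7   48-bit identifier authority, big-endian (5 = NT Authority)
  then        one little-endian uint32 per sub-authority
A local or domain account SID is S-1-5-21-<three machine/domain numbers>-<RID>; the RID
(relative identifier) is the per-account part.
"""
import struct

# Built-in RIDs every Windows install has; user-created accounts start at 1000/1001.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest", 502: "krbtgt (domain only)"}


def sid_to_string(raw: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...'. Raises ValueError on malformed input."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if len(raw) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-1-" + str(authority) + "".join(f"-{s}" for s in subs)


def string_to_sid(sid: str) -> bytes:
    """'S-1-5-...' -> binary; used here to build the constructed samples."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("bad SID string")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def classify_sid(sid: str) -> str:
    """Say what kind of principal a SID string denotes, using the RID for account SIDs."""
    parts = sid.split("-")
    if sid == "S-1-5-18":
        return "LocalSystem service account"
    if sid.startswith("S-1-5-32-"):
        return f"built-in group (RID {parts[-1]})"
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])
        if rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[rid]
        if rid >= 1000:
            return f"user-created account, RID {rid}"
        return f"other well-known RID {rid}"
    return "other / well-known SID"


# Constructed samples: the machine ID 1111-2222-3333 is made up.
SAMPLE_USER_SID = "S-1-5-21-1111-2222-3333-1001"
SAMPLE_ADMIN_SID = "S-1-5-21-1111-2222-3333-500"
# Hand-built binary SID for BUILTIN\Administrators (S-1-5-32-544): revision 1, two
# sub-authorities, authority 5, then 32 (0x20) and 544 (0x220) as little-endian uint32.
SAMPLE_BUILTIN_ADMINS_RAW = bytes.fromhex("01020000000000052000000020020000")


if __name__ == "__main__":
    for s in (SAMPLE_USER_SID, SAMPLE_ADMIN_SID, sid_to_string(SAMPLE_BUILTIN_ADMINS_RAW)):
        print(f"{s:<40} {classify_sid(s)}")
    # round trip through the binary form
    print(sid_to_string(string_to_sid(SAMPLE_USER_SID)) == SAMPLE_USER_SID)
```

When you later see a RID such as 1001 appear as the hex key name `000003E9` under `SAM\Domains\Account\Users`, that is the same number; the SAM hive indexes accounts by RID, while ProfileList and the `$Recycle.Bin` folder names carry the full SID string.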

17
Q

There can be hidden files in the Windows GUI.

A

True: files and folders carrying the Hidden (and System) attribute are not shown in Explorer by default; forensic tools ignore the attribute and show everything.
18
Q

Parts of the Windows GUI

A

refer to image

19
Q

File Path

A

Like GPS coordinates: the exact location of a file in the tree, e.g. C:\Users\<name>\Documents\report.docx (drive letter, parent folders, file name).

20
Q

Hidden File

A

Can contain valuable data; the Hidden attribute only affects what Explorer displays, not what is on disk.

21
Q

Files/Folders most used on system due to default settings.

A

The known folders under each user profile (Desktop, Documents, Downloads, Pictures, Videos, etc.). They show special icons instead of plain folder icons because Windows identifies the type of file and sorts saved files into them by default.

22
Q

What are other potential areas of high
interest depending on scope of case?

A

Pictures/videos (and, depending on scope, Downloads, Desktop, Documents and the Recycle Bin)

24
Q

NTUSER.DAT

A

The per-user registry hive, loaded as HKEY_CURRENT_USER at logon and stored at C:\Users\<name>\NTUSER.DAT; holds that user's settings and activity traces (MRU lists, etc.)

25
Q

File Time Stamps in Windows - Three Categories

A

Creation, Modification & Access times (NTFS also keeps a fourth, the MFT-entry-modified time, and stores the set twice per file, in the $STANDARD_INFORMATION and $FILE_NAME attributes)

26
Q

File time stamps are not “absolute” or
gospel. They can depend on… (4)

A

The file system in use (i.e., FAT-32 vs. NTFS; FAT stores local time at 2-second resolution, NTFS stores UTC at 100-ns resolution)
▪ The manner in which the file was created on
the system
▪ "Original" creation vs. copy
▪ The manner in which the file was copied to
the system
▪ Click & drag vs. cut & paste vs. right-click/copy (a copy gets a new creation time but keeps the source's modification time; a move within the same volume keeps both)
▪ If creation time post-dates modification
time, a copy was generally at play
▪ Last-access time updating has been off by default since Vista, so access times are often stale

27
Q

What are the two main challenges with collecting Windows evidence?

A

Encryption and cloud-based data sources

28
Q

Encryption

A

Most Windows versions (Pro/Enterprise/Education) come with BitLocker
built-in, but historically NOT turned on; Home edition only has the reduced
"Device Encryption", and recent Windows 11 builds can enable it during setup
▪ BitLocker is FULL-VOLUME encryption
▪ The OS volume must be NTFS; data and removable drives (BitLocker To Go) may also be FAT/exFAT
▪ Encrypts everything on the VOLUME, free space included; each volume is encrypted separately, so one disk can hold both locked and unlocked partitions
▪ Usually put in place from the start, but can be initiated or
removed at any time (carpet/furniture analogy)
▪ Most often used in work/enterprise environments
▪ Unlocked by a TPM (often silently at boot), a PIN or password, a USB startup key, or the 48-digit recovery key
▪ What happens if you lose the key? Look for escrowed recovery keys (Microsoft account, Active Directory / Entra ID)
Other tools use FILE-BASED encryption (e.g. Windows EFS or third-party
containers), which can be equally challenging
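The partition card earlier and the BitLocker card above come together at the very first step of an examination: reading the partition table of an image and checking what each volume's boot sector says, because a BitLocker-locked volume is still a partition of type 0x07 but its boot sector no longer says NTFS. The block below is an added example, not course material: it parses an MBR, then labels each partition by the signature in its boot sector. The 64-sector disk image is constructed in the block (real disks align partitions at LBA 2048; the small offsets here just keep the sample tiny).

```python
"""Survey a raw disk image: partitions from the MBR, then the file system (or BitLocker)
signature of each volume's boot sector. Added example, not course material.

MBR layout: four 16-byte partition entries at offset 0x1BE, signature 0x55AA at 0x1FE.
Entry: status(1) CHS start(3) type(1) CHS end(3) first LBA (uint32 LE) sector count (uint32 LE).
Volume boot sector: the 8-byte OEM ID at offset 3 is 'NTFS    ' for NTFS, 'EXFAT   ' for exFAT,
and '-FVE-FS-' once BitLocker has encrypted the volume; FAT32 carries 'FAT32' at offset 0x52
and FAT12/16 'FAT1' at offset 0x36.
"""
import struct

SECTOR = 512
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x27: "Hidden NTFS (Windows RE)", 0xEE: "GPT protective"}


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty partition entries of an MBR as dicts."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature")
    entries = []
    for i in range(4):
        off = 0x1BE + 16 * i
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
                        "first_lba": lba, "sectors": count})
    return entries


def identify_volume(boot: bytes) -> str:
    """Classify a volume boot sector by its signature."""
    oem = boot[3:11]
    if oem == b"-FVE-FS-":
        return "BitLocker (encrypted; no plaintext file system visible)"
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"EXFAT   ":
        return "exFAT"
    if boot[0x52:0x57] == b"FAT32":
        return "FAT32"
    if boot[0x36:0x3A] == b"FAT1":
        return "FAT12/16"
    return "unknown / unformatted"


def survey_disk(image: bytes) -> list:
    """Walk the MBR and label every partition with what its boot sector says it holds."""
    result = []
    for p in parse_mbr(image[:SECTOR]):
        start = p["first_lba"] * SECTOR
        p["volume"] = identify_volume(image[start:start + SECTOR])
        result.append(p)
    return result


def _entry(ptype: int, lba: int, count: int, bootable: bool = False) -> bytes:
    """One 16-byte MBR partition entry (CHS fields left zero)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)


def build_sample_image() -> bytes:
    """Constructed 64-sector disk: a bootable System Reserved NTFS partition at LBA 8 and a
    BitLocker-encrypted Windows partition at LBA 24. Nothing here comes from a real disk."""
    img = bytearray(64 * SECTOR)
    table = _entry(0x07, 8, 16, bootable=True) + _entry(0x07, 24, 32) + b"\x00" * 32
    img[0x1BE:0x1FE] = table
    img[0x1FE:0x200] = b"\x55\xAA"
    img[8 * SECTOR + 3: 8 * SECTOR + 11] = b"NTFS    "
    img[24 * SECTOR + 3: 24 * SECTOR + 11] = b"-FVE-FS-"
    return bytes(img)


if __name__ == "__main__":
    for p in survey_disk(build_sample_image()):
        print(f"part {p['index']} LBA {p['first_lba']:>6} +{p['sectors']:<6} "
              f"{p['type_name']:<22} -> {p['volume']}")
```

If the survey reports a partition of type 0xEE the disk is really GPT and the partition entries live at LBA 1 in a different format; this block stops at the protective MBR. A BitLocker result is the cue to go back to a live collection (next cards) rather than imaging ciphertext.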

29
Q

Is Bitlocker easier to put in in the beginning or later?

A

Beginning (carpet-furniture analogy)

30
Q

How would we acquire an encrypted drive or
files if we don’t have the key so we can analyze them?

A

Do a logical, LIVE collection while the system is running and the volume is unlocked: if the BitLocker volume (or the encrypted file) is still open, Windows hands you the decrypted data, so you don't need the key. While you are there, record the recovery key/protectors (e.g. `manage-bde -protectors -get C:`) and capture RAM, since the volume encryption key lives in memory; once the machine is powered off, a dead-box image of a locked volume is just ciphertext.

31
Q

Cloud Based Data Sources

A

Windows now utilizes Microsoft OneDrive by default
▪ Allows syncing of data across devices
▪ Allows cloud-based storage of files, documents, etc. (with Files On-Demand only a placeholder may exist locally)
Collection of cloud-based data presents a challenge for digital forensic analysts
What is required to access cloud-based data?
▪ Legal authority/permission
▪ Account credentials, usually with two-factor authentication

32
Q

Do you do a logical/physical acquisition for cloud-based data?

A

Generally logical: you export the account's files (and the provider's activity logs) through the vendor's API or a cloud-collection tool; there is no physical disk to image.

33
Q

What is the Windows Registry?

A

The Windows Registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows
operating systems. It is like the central nervous system.

34
Q

What does it contain?

A

System info like
▪ Time zone settings
▪ Software installed (if the installer registers itself)
▪ Boot dates/times & last shutdown time; password policy
▪ Connected devices (USB) & partition/volume information
▪ Network connection information (IP addresses, Wi-Fi networks)

AND USER DATA LIKE
▪ User accounts on the system including…
▪ User SIDs
▪ User "familiar" names
▪ Last logon & last password-change times, logon counts
▪ Passwords themselves are stored only as NT hashes in the SAM (protected with the boot key from the SYSTEM hive), never in clear text
▪ Most recently used (MRU) programs & files
▪ Prior user accounts (deleted, but traces remain, e.g. in ProfileList)

35
Q

Should you go looking through the Windows registry?

A

NO, not on a live evidence machine: regedit shows only the merged, current view, hides deleted keys and unreplayed transaction-log data, and using the machine alters it. Copy the hive files out of the image and parse them offline with a registry tool.

36
Q

What are Windows Registry Keys and how many are there?

A

The main hive files of the Windows registry: SAM, SECURITY, SYSTEM and SOFTWARE (in C:\Windows\System32\config) plus NTUSER.DAT (one per user). There are 5 of interest (each hive also has .LOG1/.LOG2 transaction logs, and each user additionally has UsrClass.dat).

37
Q

SAM

A

(Security Accounts Manager) hive:
Stores the local user & group accounts, their RIDs, last-logon and password-change times and the password hashes (domain accounts live in Active Directory, not here)

38
Q

Security Key

A

Maintains the local security policy, audit settings and the LSA secrets (service-account passwords, cached domain logons); read together with SYSTEM when decrypting SAM hashes

39
Q

System Key

A

Tracks the settings on the system, including the time zone settings,
installation and boot/shutdown information, computer name, Windows
version and upgrade information, attached USB devices (USBSTOR) and mounted volumes, etc.

40
Q

Software Key

A

Tracks the installed and used software that registers itself in the
registry (Uninstall keys, Run/autostart entries), plus the Windows version,
install date and the ProfileList of user accounts

41
Q

NTUser.dat

A

One is created/updated for each user on the system (C:\Users\<name>\NTUSER.DAT; UsrClass.dat sits alongside under AppData\Local\Microsoft\Windows and holds the ShellBags)
▪ Activity here is tracked in the registry and on the
system by SID
▪ Just because a user is removed doesn't mean their
NTUSER.DAT file is removed

42
Q

Registry Artifact Examples

A

SYSTEM\CurrentControlSet\Enum\USBSTOR shows external storage devices with vendor/product strings and device-specific serial numbers

NTUSER.DAT ...\Explorer\RecentDocs, RunMRU and ComDlg32 keys show the most recently used (MRU) files, commands and open/save dialog paths

SAM\Domains\Account\Users shows user account information (RIDs, logon counts, last logon); SOFTWARE ProfileList shows which accounts have actually been used on the machine
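The USBSTOR artifact is worth one worked example because the device identity is encoded in the key names themselves. The block below is added here and is not part of the course notes: it splits a USBSTOR key path into class, vendor, product, revision and serial, and applies the rule that a device instance ID whose second character is `&` is a Windows-generated placeholder for a device that reported no serial (so it cannot be matched across machines). The key paths are constructed; the vendor names are real brands but the serials are made up.

```python
"""Pull vendor/product/serial out of USBSTOR registry key paths (added example, not course material).

Every USB mass-storage device Windows has mounted leaves a key under
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\<class>&Ven_<vendor>&Prod_<product>&Rev_<rev>\\<instance id>
Windows replaces spaces in the vendor/product strings with underscores. The instance id is the
device's USB serial number followed by '&0'; if its second character is '&' the device had no
serial and Windows generated one, so it is not a stable identifier.
"""
import re

DEVICE_KEY = re.compile(
    r"^(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)$")


def parse_usbstor_path(path: str) -> dict:
    """Split a full USBSTOR key path (device key + instance key) into forensic fields."""
    parts = path.split("\\")
    upper = [p.upper() for p in parts]
    if "USBSTOR" not in upper:
        raise ValueError("not a USBSTOR path")
    anchor = upper.index("USBSTOR")
    if len(parts) < anchor + 3:
        raise ValueError("need both the device key and the instance key")
    device_key, instance = parts[anchor + 1], parts[anchor + 2]
    m = DEVICE_KEY.match(device_key)
    if not m:
        raise ValueError(f"unexpected device key format: {device_key}")
    generated = len(instance) > 1 and instance[1] == "&"
    return {
        "device_class": m["cls"],
        "vendor": m["vendor"].replace("_", " ").strip(),
        "product": m["product"].replace("_", " ").strip(),
        "revision": m["rev"],
        "instance_id": instance,
        # real serial: strip the trailing '&<interface>' suffix
        "serial": None if generated else instance.rsplit("&", 1)[0],
        "serial_is_windows_generated": generated,
    }


def inventory(paths) -> list:
    """Parse many key paths and collapse repeats of the same physical device."""
    seen, devices = set(), []
    for p in paths:
        d = parse_usbstor_path(p)
        key = d["serial"] or d["instance_id"]
        if key not in seen:
            seen.add(key)
            devices.append(d)
    return devices


# Constructed sample key paths; the serial numbers are made up.
SAMPLE_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230405060708&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\CdRom&Ven_ASUS&Prod_SDRW-08D2S-U&Rev_B901\2C5DA1B9C3F8&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230405060708&0",
]


if __name__ == "__main__":
    for d in inventory(SAMPLE_KEYS):
        tag = "generated" if d["serial_is_windows_generated"] else d["serial"]
        print(f"{d['device_class']:<6} {d['vendor']:<10} {d['product']:<16} rev {d['revision']:<5} serial {tag}")
```

To turn a device entry into a timeline you pair it with the instance key's last-write timestamp and, on Windows 7 and later, the first-install and last-arrival timestamps under its `Properties` subkeys; the serial is also what you match against `MountedDevices` and the user's `MountPoints2` key to show which account actually used the drive.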

43
Q

Locard’s Exchange Principle

A

User/system interaction – “proof of life”, intent
 Interaction with other systems/devices
Absence of evidence is not evidence of absence…

44
Q

Toolmarks

A

 Impression left by contact of a “tool” on a “surface”
 Tool – user/actor behavior, use of program/application
 Surface – operating system, applications
 Impression – Registry keys, values (or lack thereof)

The use of a computer system can leave toolmarks inside the system.

45
Q

Core Concept - History

A

Available artifacts have increased with Windows versions/builds
Historical data may be available
 Persists beyond the removal of files/programs
 VSCs, hibernation file/memory dump
 Transaction logs, deleted data (within the hive file)
 Artifact constellations
Counter-Forensics
 Deleted data
 *Advanced topic

How far back can you go? It depends on how long ago the data was deleted; eventually unallocated space gets overwritten.

46
Q

Core Concepts - Time

A

Time stamps within the Registry
 Dates and time are recorded in a number of different
ways within the Registry – binary, strings, etc.
 Time stamped data applies to both “proof of life” and
intent, in that the timing, the “when” is often more telling
than the action itself
 When something occurred, in relation to other events,
can often be extremely important and provide significant
insight

CAN SEE IF A PERSON TOOK A CERTAIN ACTION
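Since the card says registry times come in several encodings and that their order relative to each other is what matters, the block below is an added example (not from the course notes) that decodes the three encodings the hives actually use, FILETIME, 32-bit Unix epoch and SYSTEMTIME, and sorts the results into a timeline. The value names are real registry locations; the timestamp values and the SYSTEMTIME record are constructed, and the SYSTEMTIME entry is labelled hypothetical because no specific key is claimed for it.

```python
"""Decode the timestamp encodings found in registry data and order them into a timeline.
Added example, not course material.

Encodings covered:
  * FILETIME: 8-byte little-endian count of 100-ns ticks since 1601-01-01 UTC. Every key's
    last-write time is one, as are REG_BINARY values such as
    SYSTEM\\...\\Control\\Windows\\ShutdownTime.
  * 32-bit Unix epoch seconds in a REG_DWORD, e.g.
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate.
  * SYSTEMTIME: 16 bytes of eight little-endian uint16 fields
    (year, month, day-of-week, day, hour, minute, second, milliseconds).
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_filetime(raw: bytes) -> datetime:
    """8 raw bytes (as stored in a REG_BINARY value or an nk key record) -> UTC datetime."""
    (ticks,) = struct.unpack("<Q", raw[:8])
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_unix_dword(value: int) -> datetime:
    """REG_DWORD holding seconds since 1970-01-01 UTC -> UTC datetime."""
    return datetime.fromtimestamp(value, tz=timezone.utc)


def decode_systemtime(raw: bytes) -> datetime:
    """16-byte SYSTEMTIME structure -> UTC datetime (day-of-week is redundant, ignored)."""
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw[:16])
    return datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)


def decode_value(kind: str, raw) -> datetime:
    """Dispatch on the encoding named in a parsed-registry record."""
    if kind == "FILETIME":
        return decode_filetime(raw)
    if kind == "UNIX32":
        return decode_unix_dword(raw)
    if kind == "SYSTEMTIME":
        return decode_systemtime(raw)
    raise ValueError(f"unknown timestamp encoding {kind}")


def build_timeline(records) -> list:
    """records: iterable of (label, kind, raw). Returns [(iso_utc, label), ...] oldest first:
    the 'when, relative to what' view the flashcard describes."""
    events = [(decode_value(kind, raw), label) for label, kind, raw in records]
    events.sort(key=lambda e: e[0])
    return [(ts.isoformat(), label) for ts, label in events]


# Constructed sample values: the encodings are real, the numbers are made up.
SAMPLE_RECORDS = [
    # InstallDate as REG_DWORD: 2019-11-20 08:00:00 UTC
    ("SOFTWARE ...\\CurrentVersion\\InstallDate", "UNIX32", 1574236800),
    # ShutdownTime as REG_BINARY FILETIME: 2020-01-01 00:00:00 UTC
    ("SYSTEM ...\\Control\\Windows\\ShutdownTime", "FILETIME",
     struct.pack("<Q", 132223104000000000)),
    # USBSTOR instance key last-write time (FILETIME in the key record): 2019-12-24 23:15:10 UTC
    ("SYSTEM ...\\Enum\\USBSTOR\\...\\<serial>&0 (key last write)", "FILETIME",
     struct.pack("<Q", 132217029100000000)),
    # hypothetical REG_BINARY value in SYSTEMTIME form: 2019-12-30 17:45:00.250 UTC
    ("hypothetical REG_BINARY SYSTEMTIME value", "SYSTEMTIME",
     struct.pack("<8H", 2019, 12, 1, 30, 17, 45, 0, 250)),
]


if __name__ == "__main__":
    for when, label in build_timeline(SAMPLE_RECORDS):
        print(f"{when}  {label}")
```

Read from the timeline above, the install-then-USB-then-shutdown order is the kind of "when, relative to what" statement the card is after; a single timestamp rarely says much on its own. Note that registry FILETIMEs are UTC, so convert with the TimeZoneInformation key from SYSTEM only when you need the local wall-clock time, and never before sorting.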

47
Q

Role of the Registry

A

Windows Version
 NT 4.0, Win2000, XP -> Win10, beyond
Configuration “Database”
Devices, Applications (MSOffice, Adobe, etc.)
System/application functionality
Persistence
User information (can be persistent)
Tracking preferences and activity
Artifacts will persist beyond removal of an application
Volatile portions of the Registry (e.g. HKLM\HARDWARE, rebuilt at every boot) exist only in memory and are gone at shutdown

48
Q

Virtual Folder Structure

A

The registry is presented (in regedit) as a tree of folders so we can navigate it. On disk it isn't stored that way: it is a set of hive files in their own binary format, and the "virtual" tree is assembled from them at boot and logon.

Structures: keys vs. values vs. data

"File system", KIND OF

Registry structure can be
thought of as a file system:
Keys = folders
Values = files
Data = file contents
Plus a last-write timestamp on every key (folder), which is what makes keys useful for timelines

Deleted data: deleting a key or value only marks its space in the hive file as free, so parsers can often recover it until the space is reused

49
Q

SanAir v. DAVE B.

A

Civil dispute over theft of company data

The Windows registry (USBSTOR) showed that a USB storage device had been plugged in, tying the copying to a specific device

50
Q

Shelby Case

A

Wife discovered by chance videos of a 20-year-old au pair
on the husband's computer

Go.zip
Yes.rar
These archive files became the main files of interest.

Deleted files and their metadata were found through Windows registry hits.

Analysts were also able to see that the files had been copied onto different media (which carries less metadata).

NEED TO LOOK AT ALL PARTS TO UNDERSTAND THE WHOLE STORY