Week 5 Flashcards

1
Q

Window Version History (1)

A

Began as MS-DOS (disk operating system)
▪ Command prompt only system
▪ 16-bit, very basic

2
Q

Window Version History (2)

A

First non-Mac OS with a graphical user interface (GUI) was Windows 3.1
▪ Provided mouse-usage & click/drag, etc.

3
Q

Window Version History (3)

A

Progressed to Windows XP
▪ Allotted for higher volume of data storage & more advanced capability

4
Q

Window Version History (4)

A

Windows Vista/Windows 8
▪ Re-organized file system structure & where certain items are stored by default

5
Q

Window Version History (5)

A

Windows 10/11
▪ Integrated cloud-based applications, storage
▪ MS OneDrive, etc.
▪ Virtual volumes in use in Windows 11

6
Q

Window Version History (6)

A

Windows systems formatted in NTFS
▪ Allows for better tracking of files across systems
▪ Allows for higher capacity data storage
▪ Allows for recovery partitions

7
Q

What happens when Windows is Installed on a PC?

A

Drive is formatted in NTFS
▪ New Technology File System
Drive is partitioned for Windows use
▪ Partitioning = dividing up the PHYSICAL media into LOGICAL storage volumes
▪ System, Reserved & Primary partitions created
Partitions
▪ System = Does not store user data, but computer will not boot without it
▪ Reserved = life preserver of the system (recovery)
▪ Primary = this is where the user data (i.e., good stuff) usually resides (EVIDENCE)

8
Q

Windows Disk Manager

A

This shows the logical partitions in each physical drive and the size of each disk.

9
Q

ROOT

A

The main/primary partition on a Windows system

It is given the drive letter C:\

10
Q

What are the main folders called and what are the sub-folders called?

A

Main folders = Parent
Sub-folders = child objects

11
Q

What does each drive plugged in after C:\ get?

A

Whatever the next letter is. The alphabet starts from C here.

12
Q

True/False: Two drives cannot have the same letter in 1 system.

A

True

13
Q

What happens to the “child objects” when a “parent” folder is marked for deletion?

A

They are also marked for deletion.

14
Q

When files are marked for deletion, are they actually deleted? Can they still be recovered? Is the data gone? What does this mean for analysis?

A

No, they aren’t deleted until much later, and that time isn’t actually known. They can still be recovered, and an analyst could see when a file was deleted because of the FAT. The data is not gone!

15
Q

“orphan files”

A

Files that somehow are on their own, with no parent, most likely due to an odd deletion scheme.

16
Q

What’s in a Windows File System?

A

Program Files
Program Data (hidden)
Windows Administrative files
User files
▪ Organized by account name or Secure ID (SID)
▪ Have a “familiar” name and a name assigned by Windows upon creation of account(s)
▪ This is known as a secure ID or SID
▪ Files organized into categories by file extension
Windows User Secure ID (SID)
▪ Assigned by Windows upon initial account creation
▪ SIDs are not recycled if a user account is removed
▪ SIDs are unique to one account over the life span of the Windows install
▪ SIDs help track ownership of files
▪ For home/stand-alone PCs, usually starts at SID 1001, then 1002 & so on…
▪ For networked units, numbers can be much higher
▪ Windows also has default SIDs for admin accounts which start at SID 500, 501, etc.

17
Q

There can be hidden files in Windows GUI.

A
18
Q

Parts of the Windows GUI

A

refer to image

19
Q

File Path

A

like GPS coordinates

20
Q

Hidden File

A

can contain valuable data

21
Q

Files/Folders most used on system due to default settings.

A

They have actual icons not folders because Windows is identifying the type of file and sorting.

22
Q

What are other potential areas of high interest depending on scope of case?

A

pictures/videos

24
Q

NTUSER.DAT

A

Stores user-specific account data

25
File Time Stamps in Windows - Three Categories
Creation, Modification & Access times
26
File time stamps are not “absolute” or gospel. They can depend on… (4)
▪ The file system in use (i.e., FAT-32 vs. NTFS)
▪ The manner in which the file was created on the system
▪ “Original” creation vs. copy
▪ The manner in which the file was copied to the system (click & drag vs. cut & paste vs. right-click/copy)
▪ If creation time post-dates modification time, a copy was generally at play
27
What are the challenges with the Windows registry?
Encryption and Cloud Based Data Sources
28
Encryption
Most Windows versions come with BitLocker built-in, but NOT turned on
▪ BitLocker is FULL-DISK encryption
▪ Drive must be formatted in NTFS
▪ Encrypts everything on the PHYSICAL drive
▪ Usually put in place from the start, but can be initiated or removed at any time (carpet/furniture analogy)
▪ Most often used in work/enterprise environments
▪ Requires BitLocker key or physical USB key
▪ What happens if you lose the key?
Other tools can utilize FILE-BASED encryption, which can be equally challenging
29
Is BitLocker easier to put in at the beginning or later?
Beginning (carpet-furniture analogy)
30
How would we acquire an encrypted drive or files if we don’t have the key so we can analyze them?
You would have to do a logical, LIVE collection. If the file or drive is still open, then you wouldn't need the key.
31
Cloud Based Data Sources
Windows now utilizes Microsoft OneDrive by default
▪ Allows for syncing of data across devices
▪ Allows for cloud-based storage of files, documents, etc.
Collection of cloud-based data presents a challenge for digital forensic analysts
What is required to access cloud-based data?
▪ Legal Authority/Permission
▪ Two-factor authentication
32
Do you do a logical/physical acquisition for cloud-based data?
generally logical
33
What is the Windows Registry?
The Windows Registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems. It is like the central nervous system.
34
What does it contain?
System info like:
▪ Time zone setting information
▪ Software installed (if opted in)
▪ Boot dates/times & password information
▪ Connected devices & partition information
▪ Network connection information (IP address)
AND USER DATA LIKE:
▪ User accounts on the system including…
▪ User SIDs
▪ User “familiar” names
▪ Last logon & password entrance info
▪ Passwords themselves are usually obfuscated
▪ Most recently used (MRU) programs & files
▪ Prior existing user accounts (deleted but still in registry)
35
Should you go looking through the Windows registry?
NO - it is a very sensitive, intertwined system.
36
What are Windows Registry Keys and how many are there?
Main files (or keys/hives) of interest in the Windows registry. There are 5.
37
SAM
(Security Accounts Manager) key: Stores all account information across the system
38
Security Key
Maintains database of all permissions & access across the system
39
System Key
Tracks the settings on the system, including the time zone settings, installation and boot information, Windows version and upgrade information, etc.
40
Software Key
Tracks all of the installed and used software that opts-into the use of the registry
41
NTUser.dat
One is created/updated for each user on the system
▪ Activity here is tracked in the registry and on the system by SID
▪ Just because a user is removed, doesn’t mean their NTUser file is removed
42
Registry Artifact Examples
▪ Shows external memory devices with device-specific serial numbers
▪ Shows MRU
▪ Shows user account information and frequently used account
43
Locard’s Exchange Principle
▪ User/system interaction – “proof of life”, intent
▪ Interaction with other systems/devices
▪ Absence of evidence is not evidence of absence…
44
Toolmarks
▪ Impression left by contact of a “tool” on a “surface”
▪ Tool – user/actor behavior, use of program/application
▪ Surface – operating system, applications
▪ Impression – Registry keys, values (or lack thereof)
The use of a computer system can leave toolmarks inside the system.
45
Core Concept - History
Available artifacts have increased with Windows versions/builds
Historical data may be available:
▪ Persists beyond the removal of files/programs
▪ VSCs, hibernation file/memory dump
▪ Transaction logs, deleted data (within the hive file)
▪ Artifact constellations
Counter-Forensics
▪ Deleted data
▪ *Advanced topic
How far can you go back? Depends on how long it's been deleted; eventually stuff gets overwritten.
46
Core Concepts - Time
Time stamps within the Registry
▪ Dates and times are recorded in a number of different ways within the Registry – binary, strings, etc.
▪ Time stamped data applies to both “proof of life” and intent, in that the timing, the “when”, is often more telling than the action itself
▪ When something occurred, in relation to other events, can often be extremely important and provide significant insight
CAN SEE IF A PERSON TOOK A CERTAIN ACTION
47
Role of the Registry
Windows Version
▪ NT 4.0, Win2000, XP -> Win10, beyond
Configuration “Database”
▪ Devices, Applications (MSOffice, Adobe, etc.)
▪ System/application functionality
Persistence
▪ User Information (can be persistent)
▪ Tracking preferences and activity
▪ Artifacts will persist beyond removal of an application
Volatile portions of the Registry (this can be purged)
48
Virtual Folder Structure
A structure where it just looks like the folders are structured so we can understand it. It doesn't actually look like that on the computer.
Structures: keys vs. values vs. data
“File System” (KIND OF): the Registry structure can be thought of as a file system
▪ Keys = folders
▪ Values = files
▪ Data = file contents
Deleted Data
49
SanAir v. DAVE B.
Civil dispute over theft of company data; a USB plug-in was found in the Windows Registry.
50
Shelby Case
Wife incidentally discovered videos of a 20-year-old au pair on husband’s computer. Go.zip and Yes.rar were the files that were archived and became the main files of interest. They found deleted files and metadata in the Windows Registry hits. They were also able to see that the files had been copied to different media (this has less metadata). NEED TO LOOK AT ALL PARTS TO UNDERSTAND THE WHOLE STORY