Week 5 Flashcards
Window Version History (1)
Began as MS-DOS (disk operating system)
▪ Command prompt only system
▪ 16-bit, very basic
Window Version History (2)
First non-Mac OS with a graphical user interface (GUI) was Windows 3.1
▪ Provided mouse-usage & click/drag, etc.
Window Version History (3)
Progressed to Windows XP
▪ Allotted for higher volume of data storage & more advanced capability
Window Version History (4)
Windows Vista/Windows 8
▪ Re-organized file system structure & where certain items are stored by default
Window Version History (5)
Windows 10/11
▪ Integrated cloud-based applications, storage
▪ MS OneDrive, etc.
▪ Virtual volumes in use in Windows 11
Window Version History (6)
Windows systems formatted in NTFS
▪ Allows for better tracking of files across systems
▪ Allows for higher capacity data storage
▪ Allows for recovery partitions
What happens when Windows is Installed on a PC?
Drive is formatted in NTFS
▪ New Technology File System
Drive is partitioned for Windows use
▪ Partitioning = dividing up the PHYSICAL media into LOGICAL storage volumes
▪ System, Reserved & Primary partitions created
Partitions
▪ System = Does not store user data, but computer will not boot without it
▪ Reserved = life preserver of the system (recovery)
▪ Primary = this is where the user data (i.e., good stuff) usually resides (EVIDENCE)
Windows Disk Manager
This shows the logical partitions in each physical drive and the size of each disk.
ROOT
The main/primary partition on a Windows
system
It is given the drive letter of C:/
What are the main folders called and what are the sub-folders called?
Main folders = Parent
Sub-folders = child-object
What does each drive plugged in after C:/ get?
Whatever the next letter is. The Alphabet starts from C here.
True/False: Two drives cannot have the same letter in 1 system.
True
What happens to the “child objects” when a “parent” folder is marked for deletion?
They are also marked for deletion.
When files are marked for deletion, are they actually deleted? Can they still be recovered? Is the data gone? What does this mean for analysis?
No, they aren’t deleted until much later, and that time isn’t actually known. They can still be recovered, and an analyst could see when it was deleted because of the FAT. The data is not gone!
“orphan files”
Files that somehow are on their own, with no parent, most likely due to an odd deletion scheme.
What’s in a Windows File System?
Program Files
Program Data (hidden)
Windows Administrative files
User files
▪ Organized by account name or Secure ID (SID)
▪ Have a “familiar” name and a name assigned by Windows upon creation of account(s)
▪ This is known as a secure ID or SID
▪ Files organized into categories by file extension
Windows User Secure ID (SID)
▪ Assigned by Windows upon initial account creation
▪ SIDs are not recycled if a user account is removed
▪ SIDs are unique to one account over the life span of the Windows install
▪ SIDs help track ownership of files
▪ For home/stand-alone PCs, usually starts at SID 1001, then 1002 & so on…
▪ For networked units, numbers can be much higher
▪ Windows also has default SIDs for admin accounts which start at SID 500, 501, etc.
There can be hidden files in Windows GUI.
Parts of the Windows GUI
refer to image
File Path
like GPS coordinates
Hidden File
can contain valuable data
Files/Folders most used on system due to default settings.
They have actual icons, not folder icons, because Windows is identifying the type of file and sorting.
What are other potential areas of high interest depending on scope of case?
pictures/videos
NTUSER.DAT
Stores user-specific account data
File Time Stamps in Windows - Three Categories
Creation, Modification & Access times
File time stamps are not “absolute” or gospel. They can depend on… (4)
The file system in use (i.e., FAT-32 vs. NTFS)
▪ The manner in which the file was created on the system
▪ “Original” creation vs. copy
▪ The manner in which the file was copied to the system
Click & drag vs. cut & paste vs. right-click/copy
▪ If creation time post-dates modification time, copy was generally at play
What are the challenges with the Windows registry?
Encryption and Cloud Based Data Sources
Encryption
Most Windows versions come with Bitlocker built-in, but NOT turned on
▪ Bitlocker is FULL-DISK encryption
▪ Drive must be formatted in NTFS
▪ Encrypts everything on the PHYSICAL drive
▪ Usually put in place from the start, but can be initiated or removed at any time (carpet/furniture analogy)
▪ Most often used in work/enterprise environments
▪ Requires Bitlocker key or physical USB key
▪ What happens if you lose the key?
Other tools can utilize FILE-BASED encryption, which can be equally challenging
Is Bitlocker easier to put in in the beginning or later?
Beginning (carpet-furniture analogy)
How would we acquire an encrypted drive or files if we don’t have the key so we can analyze them?
You would have to do a logical, LIVE collection. If the file/drive is still open, then you wouldn’t need the key.
Cloud Based Data Sources
Windows now utilizes Microsoft OneDrive by default
▪ Allows for syncing of data across devices
▪ Allows for cloud-based storage of files, documents, etc.
Collection of cloud-based data presents a challenge for digital forensic analysts
What is required to access cloud-based data?
▪ Legal Authority/Permission
▪ Two-factor authentication
Do you do a logical/physical acquisition for cloud-based data?
generally logical
What is the Windows Registry?
The Windows Registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems. It is like the central nervous system.
What does it contain?
System info like
Time zone setting information
▪ Software installed (if opted in)
▪ Boot dates/times & password information
▪ Connected devices & partition information
▪ Network connection information
IP address
AND USER DATA LIKE
▪ User accounts on the system including…
▪ User SIDs
▪ User “familiar” names
▪ Last logon & password entrance info
▪ Passwords themselves are usually obfuscated
▪ Most recently used (MRU) programs & files
▪ Prior existing user accounts (deleted but still in registry)
Should you go looking through the Windows registry?
NO - it is a very sensitive intertwined system.
What are Windows Registry Keys and how many are there?
Main files (or keys/hives) of interest in the Windows registry. There are 5.
SAM
(Security Accounts Manager) key: Stores all account information across the system
Security Key
Maintains database of all permissions & access across the system
System Key
Tracks the settings on the system, including the time zone settings, installation and boot information, Windows version and upgrade information, etc.
Software Key
Tracks all of the installed and used software that opts into the use of the registry
NTUser.dat
One is created/updated for each user on the system
▪ Activity here is tracked in the registry and on the system by SID
▪ Just because a user is removed, doesn’t mean their NTUser file is removed
Registry Artifact Examples
Shows external memory devices with device-specific serial numbers
Shows MRU
Shows user account information and frequently used account
Locard’s Exchange Principle
User/system interaction – “proof of life”, intent
Interaction with other systems/devices
Absence of evidence is not evidence of absence…
Toolmarks
Impression left by contact of a “tool” on a “surface”
Tool – user/actor behavior, use of program/application
Surface – operating system, applications
Impression – Registry keys, values (or lack thereof)
The use of a computer system can leave toolmarks inside the system.
Core Concept - History
Available artifacts have increased with Windows versions/builds
Historical data may be available
Persists beyond the removal of files/programs
VSCs, hibernation file/memory dump
Transaction logs, deleted data (within the hive file)
Artifact constellations
Counter-Forensics
Deleted data
*Advanced topic
How far can you go back? depends on how long it’s been deleted. eventually stuff gets overwritten.
Core Concepts - Time
Time stamps within the Registry
Dates and times are recorded in a number of different ways within the Registry – binary, strings, etc.
Time stamped data applies to both “proof of life” and intent, in that the timing, the “when”, is often more telling than the action itself
When something occurred, in relation to other events, can often be extremely important and provide significant insight
CAN SEE IF A PERSON TOOK A CERTAIN ACTION
Role of the Registry
Windows Version
NT 4.0, Win2000, XP -> Win10, beyond
Configuration “Database”
Devices, Applications (MSOffice, Adobe, etc.)
System/application functionality
Persistence
User Information (can be persistent)
Tracking preferences and activity
Artifacts will persist beyond removal of an application
Persistence
Volatile portions of the Registry (this can be purged)
Virtual Folder Structure
A structure where it just looks like the folders are structured so we can understand it. It doesn’t actually look like that on the computer.
Structures: keys vs values vs data
“File System” KIND OF
Registry structure can be thought of as a file system
Keys = folders
Values = files
Data = file contents
Deleted Data
SanAir v. DAVE B.
Civil dispute over theft of company data
found a USB plug-in in the Windows Registry
Shelby Case
Wife incidentally discovered videos of 20-year-old Au Pair on husband’s computer
Go.zip
Yes.rar
These were the files that were archived and became main files of interest.
They found deleted files and metadata in the Windows Registry hits.
Also were able to see that the files were copied on different media (this has less metadata).
NEED TO LOOK AT ALL PARTS TO UNDERSTAND THE WHOLE STORY