COMP 4027 Windows and Forensics
MS File structures Need to understand MS file structures to know where files are stored in Windows Need to understand clusters, File Allocation Table (FAT) and NTFS Need to know how the OS stores data to know where files and parts of files may be hidden
Exploring Microsoft File Structures Sectors grouped in Clusters – Storage allocation units of 512, 1024, 2048, 4096, or more bytes. Logical Address – Clusters are numbered sequentially and number assigned by the operating system. Sectors are Physical Address – Addresses that reside at the hardware or firmware level.
Exploring Microsoft File Structures Many hard disks are partitioned Partition – A logical drive on a disk. It can be the entire disk or a portion thereof. Inner-Partition Gap – Partitions created with unused space or voids between the primary partition and the first logical partition. Can use an editor and edit partition table to hide this gap
Exploring Microsoft File Structures
Master Boot Record (MBR) – On Windows and DOS computer systems, the boot disk file, which contains information regarding the files on a disk and their locations, size, and other critical items.
Exploring Microsoft File Structures File Allocation Table (FAT) – The original file structure database that Microsoft originally designed for floppy disks. Prior to Windows NT and 2000 It is written to the outermost track of a disk and contains information about each file stored on the drive. The variations are FAT12, FAT16, and FAT32.
Exploring Microsoft File Structures Cluster sizes vary according to size of disk and file system
Exploring Microsoft File Structures Disk space is allocated by cluster Results in drive slack If you create a 5000 byte Word file then on a FAT GB disk then the OS reserves 1 cluster However in FAT 16 32,000 bytes allocated to your file = 27,000 file slack 5000 byte file uses 10 sectors = 5120 bytes so 120 bytes spare as RAM slack where any info in RAM is put such as login ID, password etc
Exploring Microsoft File Structures
Space provided to reduce fragmentation of file If file fills up the reserved bytes then another cluster is allocated producing more slack space As file grows clusters are chained together usually contiguous As files created, deleted etc then chain can be broken, fragmented lost
Exploring Microsoft File Structures
End-of-File Marker – 0x0FFFFFFF. This code is typically used with FAT file systems to show where the file ends. When file is deleted only reference to it is removed – this area can receive new data Unallocated Disk Space –The area of disk where the deleted file resides.
Examining NTFS Disks New Technology File System – Introduced when Microsoft created Windows NT. NTFS is the primary file system for Windows XP. NTFS uses security features, allows for smaller cluster sizes, and uses Unicode, which makes it a much more versatile operating system. Much less slack space Everything on the disk is a file
Examining NTFS Disks Partition Boot Sector – The first data set of an NTFS disk. It starts at sector [0] of the disk drive and it can be expanded up to 16 sectors. Master File Table – Used by NTFS to track files. Like FAT. It contains information about the access rights, date and time stamps, system attributes, and parts of the file. 12.5% of disk on creation and can be up to 50%
Examining NTFS Disks
Unicode – A 16-bit character code representation that is replacing ASCII. It is capable of representing over 64,000 characters. American Standard Code for Information Interchange (ASCII) – A coding scheme using 7 or 8 bits that assigns numeric values up to 256 characters, including letters, numerals, punctuation marks, control characters, and other symbols.
Examining NTFS Disks Meta-Data – In NTFS, this refers to information stored in the MFT.
Examining NTFS Disks
All files and folders have attributes (eg. Name, security, data). Each attribute has a code Resident Attributes – When referring to MFT, all attributes that are stored in the MFT of the NTFS. Nonresident Attributes – When referring to MFT of the NTFS, all data that is stored in a location separate from the MFT.
Examining NTFS Disks
Logical Cluster Numbers (LCNs) – Used by the MFT of NTFS. It refers to a specific physical location on the drive. Virtual Cluster Number (VCN) – When a file is saved in the NTFS, it is assigned both a logical cluster number and a virtual cluster number. The logical cluster is a physical location, while the virtual cluster consists of chained clusters.
Examining NTFS Disks
Multiple Data Streams – Ways in which data can be appended to a file intentionally or not. In NTFS, it becomes an additional data attribute of the file.
Searching for evidence If metadata entry is unallocated then we can recover metadata – links and properties May be out of sync if we are unsure whether data units are allocated to new files Very difficult to determine Compressed files are also a challenge since he tool used to recover the compressed file must support the same algorithm
Application level searching Many application files have a structure and signature type Data carving can be carried out where a chunk of data is searched for signatures of beginning and end of file eg standard jpg headers and footers Eg tool foremost has signatures and searches for –Eg jpg y \xff\xd8 \xff\xd9
Examining NTFS Disks Encrypted File System (EFS) – Encryption first used in Windows 2000 on NTFS formatted disks. If a user encrypts a recovery certificate is generated and sent to admin account – otherwise will automatically decrypt on use
Examining NTFS Disks EFS Recovery Agent Functions – DOS commands -CIPHER -COPY -EFSRECVER
Examining NTFS Disks Deleting files –File is renamed and moved to recycle bin –Windows stores info about path in Info2 file –Files are permanently deleted in the same way as in FAT Associated clusters marked as free for new data $BITMAP attribute updated to reflect deletion File attribute record marked as being available Andy linking nodes and VFN/LCN cluster removed Any link references removed
Understanding Microsoft Boot Tasks Need to understand boot tasks to know what might be altered if you had to boot up Windows XP, 2000, and NT Startup -Power on self test -Initial startup -Boot loader -Hardware detection and configuration -Kernel loading -User logon
Understanding Microsoft Boot Tasks Windows XP startup NT Loader (NTLDR) – Loads Windows NT. It is located in the root folder of the system partition. Reads boot.ini to display booyt menu Runs Ntoskrnl.exe and Bootvid.dll, Hal.dllamd device drviers
Understanding Microsoft Boot Tasks Boot.ini – Specifies the Windows NT path installation. BootSect.dos – Contains the address of the boot sector location of each operating system. NTDetect.com – A command file that identifies hardware components during bootup and sends the information to NTLDR.
Understanding Microsoft Boot Tasks NTBootdd.sys – Device driver that allows access to SCSI or ATA drives that are not related to the BIOS. Ntoskrnl.exe – The Windows NT operating system kernel. It is located in the Windows\System32 folder. Hal.dll – Hardware abstraction layer dynamic link library. It tells the operating system kernel how to interface with the hardware. Device Drivers – Contain instructions for the operating system for hardware devices.
Understanding Microsoft Boot Tasks
When you start Win NT or older NTFS several file are immediately accessed and thus dates change to current date
Understanding Microsoft Boot Tasks DOS Protected-Mode Interface (DPMI) – Used by many computer forensics tools that do not operate in the Windows environment.
Understanding Microsoft Boot Tasks
Command.com – Provides a prompt when booting to MS-DOS mode. User interface for the MS-DOS operating system. Contains the following commands: -DIR -CD -CLS -DATE -COPY -DEL
Understanding Microsoft Boot Tasks -MD -PATH -PROMPT -RD -SET -TIME -TYPE -VER -VOL
Understanding MS-DOS Startup Tasks IO.SYS – The first file loaded after the ROM bootstrap loader finds the operating system. This file allows for communication between the computers BIOS and Hardware, and with MS- DOS code. MSDOS.SYS – A hidden text file that contains startup options for Windows 9x. In MS-DOS, this file is the operating system kernel. CONFIG.SYS – A text file that contains commands that are typically run only at system startup.
Understanding MS-DOS Startup Tasks AUTOEXEC.BAT – An automatically executed batch file that contains customized commands and settings for MS-DOS.
Understanding MS-DOS Startup Tasks
Summary -The Microsoft operating systems used FAT12 and FAT16 on older systems such as MS-DOS, Windows 3.X and Windows 9x. -The Registry on older Windows OSs is used to keep a record of hardware attached, user preferences, network information, and installed software. -The capacity of a hard disk is obtained by using the cylinders, heads, and sectors. To find the capacity of a disk, multiply the number of heads, sectors, and tracks.
Summary -Clusters are used to accommodate large files. Sectors are grouped into clusters and clusters are chained to minimize the overhead of reading and writing files to a disk. -The New Technology File System is more versatile because it uses the MFT to track information such as security items, the first 750 bytes of data, long and short filenames, and a list of nonresident attributes. -File slack, RAM slack, and drive slack are all areas in which valuable information may reside on a drive.
Summary -To be an effective computer forensics investigator, you need to maintain a library of older operating systems and applications. -NTFS uses Unicode to store information. Unicode is an international code and uses a 16- bit configuration instead of an 8-bit configuration used by ASCII. -Hexadecimal codes provide information about files and OSs. You can determine the file type by using various tools such as WinHex and Hex Workshop.
Summary -NTFS uses inodes to link file attribute records to other file attribute records. Attributes fall into two categories: resident and nonresident. -NTFS can compress individual files, folders, or entire partitions. FAT16 can only compress entire volumes.