DFOR510 Week03 Drives FileSys Windows

The document discusses hard drives, file systems, and Windows artifacts. It covers HDDs vs SSDs, file system structures like FAT, NTFS, and exFAT. It also discusses Windows artifacts that can be found including the registry, prefetch files, and browser and email histories.


George Mason University

Week 03: Hard Drives, File Systems & Windows Artifacts


AGENDA
▪ Presentation topics: questions?
▪ Assignment 1: questions?
▪ Lecture 3 –
▪ Hard Drives
▪ File Systems (part 1): FAT & NTFS
▪ Windows artifacts

LECTURE 3

Hard Drives, File Systems & Operating System (Windows)

❑ Hard drives
❑ HDDs vs SSD
❑ Associated digital forensic challenges
❑ Understand how data is stored
❑ Why you don’t power on devices at a crime scene

❑ File systems
❑ Understand basic anatomy of a file system and what it is
❑ Understand file system structure primarily associated with Windows OSs

❑ Finding Windows forensic artifacts


❑ Registry & Registry files
❑ Prefetch/Superfetch
❑ Browser History and E-mail
Image source: http://diwakarpro.com/wp-content/uploads/parts.png
▪ Track – logical, concentric bands where data is stored
▪ Sector – smallest addressable storage unit on a track (traditionally 512 bytes; 4096 bytes on Advanced Format drives)
▪ Cluster – group of sectors; the smallest unit of space a file is assigned in a file system

Image sources:
http://www.tldp.org/LDP/sag/html/hard-disk.html
https://www.extremetech.com/extreme/210492-extremetech-explains-how-do-ssds-work
https://www.cactus-tech.com/assets/images/1/Detailed-SSD-Diagram-b8cdb421.png

Figure: SSD components (NAND flash chips and the controller)

Image source: https://www.cactus-tech.com/resources/blog/details/solid-state-drive-primer-7-controller-architecture-basic-overview
Boot sequence (BIOS/MBR)
1. Power-On Self-Test (POST) – checks that basic system devices are functioning
2. BIOS (or UEFI firmware on modern systems) determines the boot device order (e.g. hard drive, USB, network, etc.)
3. The first physical sector (sector 0) of the boot device chosen in step 2 is loaded into memory
▪ Control transfers to the code in that sector; the operating system itself is not running yet
4. If the boot device is an MBR-partitioned hard drive, that sector is the Master Boot Record (MBR): boot code, a four-entry partition table at offset 0x1BE, and the 0x55AA signature at offset 0x1FE
5. The MBR code locates the active partition and loads its Boot Sector (Partition/Volume Boot Sector), which in turn loads the OS boot loader (bootmgr on Windows)


Image source: https://docs.microsoft.com/en-us/windows/client-management/img-boot-sequence
QUICK CHECK 1
1. Why are HDDs more prone to physical damage?
2. This feature helps preserve the life of SSDs.
a. What implications does the feature in 2 have on digital evidence?
3. This is the smallest addressable unit on a drive.
4. A group of sectors (usually 8) makes up a _____; the smallest unit of space assigned to a file.
5. SSDs write and read data in ______.
6. Why is it not a good idea to boot up a device at the scene of a crime?
▪ Logical method for organizing files on a medium
▪ Independent from the operating system
▪ Some file systems are incompatible or have limited functionality with particular OSs
▪ Basic compartments of a file system (Carrier's categories):
▪ File system – mapping method that records which blocks hold which content (e.g. FAT, MFT, Superblock, etc.)
▪ Content – the actual file content
▪ Metadata – information about the file (e.g. file size, timestamps, etc.)
▪ File name – maps human-readable names to metadata entries
▪ Application – non-essential features (e.g. journaling, file permissions, etc.)
Attribute           FAT16                      FAT32                               exFAT
Designed for        Old systems (1984)         Old systems (1996), more storage    New devices (2006): flash drives, SD cards
FAT entry size      16 bits                    28 bits (of a 32-bit entry)         32 bits
Max # of clusters   65,524                     67,092,481                          4,294,967,285
Max volume size     2 GB (4 GB on Win2K+)      2 TB (Windows formats at most 32 GB)   128 PB
Max file size       2 GB                       4 GB                                16 EB
Use today           IoT & SD cards             IoT & SD cards                      Removable devices, cameras

Source: https://social.technet.microsoft.com/wiki/contents/articles/6771.the-fat-file-system.aspx
* See that page for important information on the BIOS Parameter Block (BPB), which you need in order to locate the FATs, the root directory and the data area.
Finding the first cluster of a file's content (from its 32-byte directory entry):
▪ The first-cluster number is stored little-endian, i.e. the least significant byte comes first on disk; to read the value, put the most significant byte in front of the least significant byte.
▪ The directory entry holds two first-cluster fields: a high word at offset 0x14 (always 0 on FAT12/16; used only by FAT32) and a low word at offset 0x1A. On FAT32, prepend the high word to the low word.

Example (low word as stored on disk: 56 2B):
MSB (most significant byte) = 0x2B; LSB (least significant byte) = 0x56.
Therefore the first data cluster is 0x2B56 = 11,094.
Cluster numbering starts at 2, so the content starts at sector: first data sector + (11,094 - 2) × sectors per cluster.
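The byte-swap above is the last step of a short procedure: read the BPB, decode the directory entry, translate cluster to sector, and then follow the cluster chain in the FAT. The following is an added example (not code from the lecture slides) that does all of that for a constructed FAT16 directory entry whose first-cluster bytes are 56 2B, using constructed BPB values (512-byte sectors, 8 sectors per cluster, 1 reserved sector, 2 FATs of 200 sectors, 512 root entries). It also flags the 0xE5 marker that a deleted entry carries.

```python
"""Added example (not part of the lecture slides): decode a FAT16 directory
entry, compute where its first cluster lives on disk, and walk the cluster
chain in the FAT. Every byte below is constructed for the demo."""
import struct
from datetime import datetime

# Constructed FAT16 BIOS Parameter Block values (field names per the Microsoft FAT spec).
BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 8
RESERVED_SECTORS = 1
NUM_FATS = 2
ROOT_ENTRIES = 512
SECTORS_PER_FAT = 200


def first_data_sector():
    """Sector number of cluster 2, the first data cluster on a FAT12/16 volume."""
    root_dir_sectors = (ROOT_ENTRIES * 32 + BYTES_PER_SECTOR - 1) // BYTES_PER_SECTOR
    return RESERVED_SECTORS + NUM_FATS * SECTORS_PER_FAT + root_dir_sectors


def cluster_to_sector(cluster):
    """Clusters are numbered from 2, so cluster N starts (N - 2) clusters past the data area start."""
    return first_data_sector() + (cluster - 2) * SECTORS_PER_CLUSTER


def fat_date_time(date_word, time_word):
    """FAT dates: 7-bit year since 1980, 4-bit month, 5-bit day. Times: 5-bit hour, 6-bit minute, 5-bit 2-second count."""
    year = ((date_word >> 9) & 0x7F) + 1980
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def parse_dir_entry(entry):
    """Decode a 32-byte short-name (8.3) directory entry."""
    if len(entry) != 32:
        raise ValueError("directory entries are exactly 32 bytes")
    name_raw = entry[0:11]
    deleted = name_raw[0] == 0xE5          # first byte is overwritten with 0xE5 on delete
    base = name_raw[0:8].decode("ascii", "replace").rstrip()
    ext = name_raw[8:11].decode("ascii", "replace").rstrip()
    attrs = entry[0x0B]
    # Both cluster words are little-endian: the low byte is stored first on disk.
    high, = struct.unpack_from("<H", entry, 0x14)          # always 0 on FAT12/16, used by FAT32
    wtime, wdate, low, size = struct.unpack_from("<HHHI", entry, 0x16)
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "directory": bool(attrs & 0x10),
        "first_cluster": (high << 16) | low,
        "size": size,
        "modified": fat_date_time(wdate, wtime),
    }


def follow_chain(fat16, start_cluster):
    """Walk a FAT16 chain until an end-of-chain marker (0xFFF8-0xFFFF) or a free/bad entry."""
    chain, cluster = [], start_cluster
    while 2 <= cluster < 0xFFF8 and cluster not in chain:
        chain.append(cluster)
        cluster, = struct.unpack_from("<H", fat16, cluster * 2)
    return chain


# Constructed directory entry for LECT2.PDF: first-cluster bytes 56 2B on disk, 13,000 bytes long.
SAMPLE_ENTRY = (
    b"LECT2   PDF"                          # 8.3 name, space padded
    + bytes([0x20])                         # attributes: archive
    + bytes(8)                              # reserved, create time/date, last access date
    + b"\x00\x00"                           # first cluster high word (0 on FAT16)
    + struct.pack("<HH", 0x6000, 0x5321)    # write time 12:00:00, write date 2021-09-01
    + b"\x56\x2B"                           # first cluster low word -> 0x2B56 = 11,094
    + struct.pack("<I", 13000)              # file size
)


def build_sample_fat():
    """Constructed FAT16 table: 11094 -> 11095 -> 11096 -> 11097 -> end of chain."""
    fat = bytearray(2 * 11100)
    struct.pack_into("<HH", fat, 0, 0xFFF8, 0xFFFF)     # entries 0 and 1: media byte and EOC marker
    for c in (11094, 11095, 11096):
        struct.pack_into("<H", fat, c * 2, c + 1)
    struct.pack_into("<H", fat, 11097 * 2, 0xFFFF)
    return bytes(fat)


def locate_file(entry_bytes, fat16):
    """Directory entry + FAT -> where the content starts and which clusters hold it."""
    info = parse_dir_entry(entry_bytes)
    sector = cluster_to_sector(info["first_cluster"])
    info["first_sector"] = sector
    info["byte_offset"] = sector * BYTES_PER_SECTOR
    info["chain"] = follow_chain(fat16, info["first_cluster"])
    return info


if __name__ == "__main__":
    print(locate_file(SAMPLE_ENTRY, build_sample_fat()))
```

With these BPB values the data area begins at sector 433, so cluster 11,094 maps to sector 89,169 (byte offset 45,654,528), which is where a hex editor or `dd skip=` would be pointed. When the entry is deleted, the name's first byte becomes 0xE5 and the FAT chain entries are zeroed, but the first-cluster and size fields survive, which is why contiguous FAT files are easy to recover.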

Image source: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/Fat32_structure.svg/1200px-Fat32_structure.svg.png
Source: https://social.technet.microsoft.com/wiki/contents/articles/6771.the-fat-file-system.aspx
NTFS
▪ Supports the Encrypting File System (EFS)
▪ Master File Table (MFT): one record (normally 1 KB) per file and directory
▪ Contains hidden system (metadata) files, named with a leading $
▪ Small files (on the order of 500–700 bytes, depending on the other attributes in the record) are stored inside the MFT record itself – resident files
▪ MFT slack (the unused tail of a record, including data left from a previous, larger resident file) might contain evidence
▪ Historically read-only on macOS; Linux supports read/write through ntfs-3g or the in-kernel ntfs3 driver

NTFS boot sector structure*

Byte Offset   Field Length   Field Name
0x00          3 bytes        Jump instruction
0x03          8 bytes        OEM ID ("NTFS    ")
0x0B          25 bytes       BPB (BIOS Parameter Block)
0x24          48 bytes       Extended BPB (total sectors, $MFT and $MFTMirr cluster numbers, clusters per file record, volume serial number)
0x54          426 bytes      Bootstrap code
0x01FE        2 bytes        End-of-sector marker (0x55AA)

* Source: https://technet.microsoft.com/en-us/library/cc781134(v=ws.10).aspx#w2k3tr_ntfs_how_rxtc
Go here for the BPB breakdown: https://www.ntfs.com/ntfs-partition-boot-sector.htm
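The boot sequence earlier (MBR in sector 0, then the partition boot sector) and this table are the two structures you walk to find the MFT in a raw image. The following is an added example (not code from the slides) that parses a constructed MBR, follows its first NTFS partition entry (type 0x07, starting at LBA 2048) to the NTFS boot sector, decodes the BPB/extended BPB fields above, and reports the absolute byte offset of $MFT and $MFTMirr. The image bytes and the volume serial are constructed; the field offsets are those of the table.

```python
"""Added example (not from the slides): parse an MBR partition table, then the
NTFS boot sector (VBR) of the partition it points to, ending with the byte
offset of $MFT. The 'disk image' is a constructed bytes object, not a real drive."""
import struct

SECTOR = 512


def parse_mbr(sector0):
    """Return the populated entries of the four-slot partition table at 0x1BE (16 bytes each)."""
    if sector0[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 0x1BE + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        boot_flag, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0:
            continue                                  # empty slot
        parts.append({"index": i, "bootable": boot_flag == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": num_sectors,
                      "byte_offset": lba_start * SECTOR})
    return parts


def parse_ntfs_boot_sector(vbr):
    """Decode the BPB / extended BPB fields an examiner needs to find the MFT."""
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing end-of-sector marker")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", vbr, 0x28)
    clusters_per_record = struct.unpack_from("<b", vbr, 0x40)[0]    # signed byte
    serial, = struct.unpack_from("<Q", vbr, 0x48)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # Negative means "2 ** |value| bytes per record" (normally -10 -> 1024-byte MFT records).
    record_size = 2 ** -clusters_per_record if clusters_per_record < 0 else clusters_per_record * cluster_size
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "cluster_size": cluster_size, "total_sectors": total_sectors,
            "mft_cluster": mft_cluster, "mftmirr_cluster": mftmirr_cluster,
            "mft_record_size": record_size, "volume_serial": f"{serial:016X}"}


def locate_mft(image):
    """MBR -> NTFS partition(s) -> absolute byte offset of $MFT and $MFTMirr in the image."""
    found = []
    for part in parse_mbr(image[:SECTOR]):
        if part["type"] != 0x07:                     # 0x07 = NTFS (also exFAT/HPFS)
            continue
        vbr = image[part["byte_offset"]:part["byte_offset"] + SECTOR]
        fs = parse_ntfs_boot_sector(vbr)
        fs["partition_offset"] = part["byte_offset"]
        fs["mft_byte_offset"] = part["byte_offset"] + fs["mft_cluster"] * fs["cluster_size"]
        fs["mftmirr_byte_offset"] = part["byte_offset"] + fs["mftmirr_cluster"] * fs["cluster_size"]
        found.append(fs)
    return found


def build_sample_image():
    """Constructed 1 MiB + 1 sector image: MBR with one NTFS partition starting at LBA 2048."""
    mbr = bytearray(SECTOR)
    mbr[0x1BE:0x1CE] = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"                      # jump instruction
    vbr[3:11] = b"NTFS    "                         # OEM ID
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)      # 512-byte sectors, 8 sectors per cluster
    vbr[0x15] = 0xF8                                # media descriptor: fixed disk
    struct.pack_into("<QQQ", vbr, 0x28, 204799, 786432, 2)   # total sectors, $MFT cluster, $MFTMirr cluster
    struct.pack_into("<b", vbr, 0x40, -10)          # 1024-byte file records
    struct.pack_into("<b", vbr, 0x44, 1)            # 1 cluster per index buffer
    struct.pack_into("<Q", vbr, 0x48, 0x1234567890ABCDEF)
    vbr[0x1FE:0x200] = b"\x55\xAA"
    image = bytearray(2048 * SECTOR + SECTOR)
    image[:SECTOR] = mbr
    image[2048 * SECTOR:2049 * SECTOR] = vbr
    return bytes(image)


if __name__ == "__main__":
    for fs in locate_mft(build_sample_image()):
        print(fs)
```

The partition-offset value is what you pass to `mmls`/`fsstat -o` in The Sleuth Kit or to `mount -o loop,offset=` on Linux; the $MFT offset is where an MFT parser starts reading 1 KB records. Two checks matter in practice: the 0x55AA signature on both sectors, and the signed "clusters per file record" byte, which is negative on every modern volume and is misread as a huge record size if treated as unsigned.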


MFT metadata files (the first 16 MFT entries are reserved for them)*

▪ $MFT – entry 0: the MFT itself
▪ $MFTMirr – entry 1: backup copy of at least the first 4 MFT entries:
▪ $MFT
▪ $MFTMirr
▪ $LogFile
▪ $Volume
▪ $LogFile – entry 2: transaction journal
▪ $Volume – entry 3: volume name, NTFS version and dirty flag
▪ Root directory (“.”, entry 5) – index of the volume's top-level files and directories
▪ Non-resident content is described by data runs, i.e. extents = contiguous blocks (clusters) of a directory's or file's content

* Source: https://technet.microsoft.com/en-us/library/cc781134(v=ws.10).aspx#w2k3tr_ntfs_how_rxtc
Image source: http://www.differencebetween.info/difference-between-fat32-and-ntfs
Alternate Data Streams (ADS)
▪ Additional “hidden” data attached to a file (an extra, named $DATA attribute in the file's MFT entry)
▪ XLSX file with an ADS named “Zone.Identifier” (the Mark-of-the-Web stream Windows writes to files downloaded from the Internet)
▪ PDF file with a text ADS named “adsEx.txt”
▪ Note that the original file and the file with the ADS report the same size: Explorer and dir show only the main (unnamed) data stream
▪ The ADS data is not visible when viewing the file by normal means
▪ To find ADSs in a directory from the Windows command line, execute:
dir /r
(or, in PowerShell, Get-Item -Path <file> -Stream *)
▪ To read an ADS, open it by name after a colon, e.g.:
notepad DFOR510_Fall2021_Syllabus_withADS.pdf:adsEx.txt
Slack space
▪ RAM slack – from the end of the file's data to the end of the last sector written
▪ FAT (DOS/Win9x era) – RAM slack was padded with whatever was in memory
▪ NTFS – RAM slack is zeroed out
▪ Cluster slack = File slack – the sectors of the last cluster the file does not reach at all; they keep whatever was written there before
▪ Drive slack = RAM slack + Cluster/File slack

Image source: http://kb.digital-detective.net/download/attachments/1343960/Cluster_and_RAM_Slack.png?version=1&modificationDate=1322147016032&api=v2
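Turning those definitions into byte ranges is what you need before carving slack from an image. The following is an added example (not from the slides) that, given a file size and the volume geometry (constructed inputs: a 1,300-byte file on 512-byte sectors with 8 sectors per cluster), returns the RAM slack, file slack and drive slack sizes together with the byte ranges, relative to the start of the file's first cluster, that each occupies.

```python
"""Added example (not from the slides): slack-space calculator using the
slide's definitions. Inputs are constructed; offsets are relative to the
start of the file's first cluster."""
import math


def slack(file_size, bytes_per_sector=512, sectors_per_cluster=8):
    """Return slack sizes and byte ranges for a file of file_size bytes."""
    if file_size < 0 or bytes_per_sector <= 0 or sectors_per_cluster <= 0:
        raise ValueError("sizes must be positive")
    cluster_size = bytes_per_sector * sectors_per_cluster
    sectors_used = math.ceil(file_size / bytes_per_sector)
    clusters_used = math.ceil(file_size / cluster_size)
    last_sector_end = sectors_used * bytes_per_sector      # end of the last sector written
    last_cluster_end = clusters_used * cluster_size        # end of the last cluster allocated
    ram_slack = last_sector_end - file_size
    file_slack = last_cluster_end - last_sector_end        # a.k.a. cluster slack
    return {
        "cluster_size": cluster_size,
        "clusters_used": clusters_used,
        "ram_slack": ram_slack,
        "file_slack": file_slack,
        "drive_slack": ram_slack + file_slack,
        # ranges to carve: [start, end) byte offsets from the file's first cluster
        "ram_slack_range": (file_size, last_sector_end),
        "file_slack_range": (last_sector_end, last_cluster_end),
    }


if __name__ == "__main__":
    print(slack(1300, 512, 8))
```

For the constructed input the file occupies 3 sectors of its single 4,096-byte cluster, leaving 236 bytes of RAM slack and 2,560 bytes of file slack. On NTFS only the file-slack range is worth carving (the RAM slack is zero-filled), and a file small enough to be MFT-resident has no cluster slack at all because it owns no cluster.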
Deleted files

FAT:
▪ 0xE5 replaces the first byte of the file name in the directory entry
▪ The FAT is updated to mark the file's clusters as ‘free’ (the chain entries are zeroed); the directory entry still records the first cluster and size
▪ Data content is left on disk until overwritten

NTFS:
▪ When sent to the Recycle Bin, the file is moved to $Recycle.Bin\<SID>\ and renamed $R<random>.<ext>, paired with a $I<random>.<ext> file that holds the original path, size and deletion time (Windows XP used Dc<n> names with an INFO2 index)
▪ The Recycle Bin has a folder for each user SID (i.e. user ID numbers)
▪ Once purged (or deleted bypassing the bin), the MFT entry's in-use flag is cleared and $Bitmap marks the clusters as ‘free’
▪ Data content is left on disk until overwritten

Image source: http://www.flexhex.com/docs/articles/img/file.png
QUICK CHECK 2
1. What is the primary purpose of a file system?
2. Name the mapping scheme for the FAT file system. For NTFS?
a. Where are the primary and secondary (backup) copies of these file system (mapping) structures located?
3. What happens to the file content when a file is deleted:
a. on FAT?
b. on NTFS?
4. T or F. Alternate Data Streams:
a. Are always used for malicious purposes
b. Change the reported size of the original file
5. Given an NTFS system with 4 sectors/cluster and the file lect2.pdf, where sector = 512 bytes and lect2.pdf = 832 bytes, what is the:
a. File slack   b. RAM slack   c. Drive slack

Registry keys, hives and important files

▪ Database containing:
▪ Who logged in last
▪ Accessed files, programs, applications, Web sites, etc.
▪ Peripheral devices
▪ And more…

▪ Registry hives are loaded from hive files on disk:
▪ Windows 9x/ME: User.dat, System.dat
▪ Windows NT and newer: SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT (no file extension) in Windows\System32\config, plus NTUSER.DAT* for each user
* Found at C:\Users\<user-account>\NTUSER.DAT (a hidden file in the root of the profile)
HKEY                  Description
HKEY_CLASSES_ROOT     File type and file extension associations, URL protocol handlers, COM class registrations (a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes)
HKEY_CURRENT_USER     Currently logged-on user's settings (a link to that user's SID subkey under HKEY_USERS, backed by NTUSER.DAT)
HKEY_LOCAL_MACHINE    Installed hardware/software information for the machine (SAM, SECURITY, SOFTWARE, SYSTEM hives)
HKEY_USERS            One subkey per loaded user profile, named by SID, plus .DEFAULT
HKEY_CURRENT_CONFIG   Current hardware profile (link into HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current)
HKEY_DYN_DATA         Dynamic Plug-and-Play/performance data (Windows 9x/ME only)
These files populate the Windows Registry root keys:
Filename & Path                                Description
Windows\System32\config\DEFAULT                Default user profile hive (HKEY_USERS\.DEFAULT): settings in effect before anyone logs on
Windows\System32\config\SAM                    Security Account Manager: local user accounts, group membership and password hashes (HKLM\SAM)
Windows\System32\config\SECURITY               Local security policy, audit settings and LSA secrets/cached credentials (HKLM\SECURITY)
Windows\System32\config\SOFTWARE               Installed programs' and Windows' settings, including the ProfileList of user accounts (HKLM\SOFTWARE)
Windows\System32\config\SYSTEM                 Hardware, driver and service configuration (the ControlSets) and the boot key that protects SAM (HKLM\SYSTEM)
Windows\System32\config\systemprofile\         Profile directory of the SYSTEM account, holding that account's own NTUSER.DAT
Filename & Path                                                      Description
Users\<user-account>\NTUSER.DAT                                      Per-user hive (HKEY_CURRENT_USER): most recently used (MRU) lists, desktop and Explorer configuration, and (on XP) the shellbag keys
Users\<user-account>\AppData\Local\Microsoft\Windows\UsrClass.dat    Per-user class hive (HKCU\Software\Classes): which applications open which file extensions, and, on Windows 7 and later, the main shellbag keys

Windows shellbags record how the user viewed folders in Explorer, which proves a folder (local, removable or network) was opened even if it no longer exists:
• Explorer GUI settings per folder (window size and position, sort order, view mode)
• Folders browsed, including on removable and network drives, in most recently used (MRU) order
• Timestamps, from the keys' last-write times
• And more…
Registry anatomy (as shown in a live Registry Editor):
▪ Hives – the root keys (e.g. HKEY_LOCAL_MACHINE)
▪ Keys and subkeys – the folder-like tree; a key together with its subkeys is a branch
▪ Values – each has a name, a type and data

NOTE:
This is a snapshot of an active (live) registry.
In a static (non-active) registry extracted from an image, there will NOT be a HKEY_CURRENT_USER hive: Windows builds it at logon as a link to the logged-on user's subkey under HKEY_USERS, so you must open that user's NTUSER.DAT instead.
▪ Finding Security IDentifiers (SIDs):
▪ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList – one subkey per profile, named by SID, whose ProfileImagePath value gives the profile folder
▪ Every local or domain account has a unique SID of the form S-1-5-21-<machine or domain identifier>-<RID>: RID 500 is the built-in Administrator, 501 the Guest, and ordinary accounts are numbered from 1000 upwards
▪ Well-known SIDs (e.g. S-1-5-18 LocalSystem) can be found in Microsoft's documentation (also located in the Supplemental Material)

▪ Time Zone
▪ When analyzing a non-active image, first determine which ControlSet (001 or 002) to use: HKEY_LOCAL_MACHINE\SYSTEM\Select\Current
▪ Then read HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\TimeZoneInformation (Bias, ActiveTimeBias, StandardName, DaylightName)

▪ Externally mounted Universal Serial Bus (USB) storage devices
▪ HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR – vendor, product and serial number of every USB storage device that was ever enumerated
▪ Yields a list of other media you may need to investigate
▪ HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x – why are there two?
▪ Redundancy: one set is the current configuration, the other the “last known good” one, so Windows can still boot after a bad driver install or hardware change.
▪ After a successful boot the current ControlSet is copied over the last-known-good one to keep them synced. The values under HKEY_LOCAL_MACHINE\SYSTEM\Select (Current, Default, LastKnownGood, Failed) record which number plays which role; on a live system CurrentControlSet is just a link to the set named by Select\Current.
▪ HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR vs HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Services\USBSTOR?
▪ …\Enum\USBSTOR – listing of all USB storage devices that have been connected to the system (device class, vendor/product strings, serial number)
▪ …\Services\USBSTOR – configuration of the USB storage driver service; setting its Start value to 4 disables the driver and so prevents USB storage devices from mounting
▪ Does the system clock auto-adjust for Daylight Saving Time?
▪ HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\TimeZoneInformation\DynamicDaylightTimeDisabled
▪ DynamicDaylightTimeDisabled = 0 – automatic adjustment
▪ DynamicDaylightTimeDisabled = 1 – does NOT auto adjust

▪ How to determine whether the system clock was altered:
▪ No registry key records this (per se), so event log analysis is needed (e.g. Security event ID 4616 “The system time was changed”, when auditing is enabled)
▪ Great article on verifying the system clock can be found here
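The three slides above (SIDs from ProfileList, picking the right ControlSet, and reading TimeZoneInformation) come together when you normalise timestamps from an image. The following is an added example (not from the slides) that works on values already extracted from the hives: it classifies the SID strings found under ProfileList, turns the Select\Current DWORD into the ControlSet name to read, converts a UTC timestamp to the machine's local time using ActiveTimeBias (a REG_DWORD that must be read as a signed number), and reports the DST setting. The sample values are constructed; in practice they come from a hive parser such as RegRipper or python-registry, which this example does not use.

```python
"""Added example (not from the slides): interpret values pulled from offline
SYSTEM/SOFTWARE hives. All sample values are constructed."""
import re
from datetime import datetime, timedelta, timezone

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# A few of Microsoft's well-known SIDs and RIDs.
WELL_KNOWN_SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def classify_sid(sid):
    """Split a SID string into its parts and say what kind of principal it names."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    info = {"revision": revision, "authority": authority, "subauthorities": subs, "rid": subs[-1]}
    if sid in WELL_KNOWN_SIDS:
        info["kind"] = WELL_KNOWN_SIDS[sid]
    elif authority == 5 and subs[0] == 21 and len(subs) == 5:
        # S-1-5-21-<three machine/domain identifier parts>-<RID>: a local or domain account
        rid = subs[-1]
        info["kind"] = WELL_KNOWN_RIDS.get(rid, "user account" if rid >= 1000 else "other built-in account")
    else:
        info["kind"] = "other"
    return info


def current_control_set(select_current):
    """HKLM\\SYSTEM\\Select\\Current (DWORD) names the ControlSet Windows booted with."""
    return f"ControlSet{select_current:03d}"


def to_signed_dword(value):
    """REG_DWORD is read as unsigned; Bias values are stored in two's complement."""
    return value - (1 << 32) if value & 0x80000000 else value


def utc_to_local(utc_dt, active_time_bias):
    """TimeZoneInformation: UTC = local + ActiveTimeBias (minutes), so local = UTC - bias."""
    return utc_dt - timedelta(minutes=to_signed_dword(active_time_bias))


def dst_auto_adjust(dynamic_daylight_time_disabled):
    return dynamic_daylight_time_disabled == 0


# Constructed values, as a hive parser would return them.
SAMPLE = {
    "Select\\Current": 1,
    "ProfileList": ["S-1-5-18", "S-1-5-19", "S-1-5-20",
                    "S-1-5-21-1111111111-2222222222-3333333333-500",
                    "S-1-5-21-1111111111-2222222222-3333333333-1001"],
    "TimeZoneInformation\\ActiveTimeBias": 240,            # US Eastern during DST (UTC-4)
    "TimeZoneInformation\\DynamicDaylightTimeDisabled": 0,
}


def summarise(values=SAMPLE, sample_utc=datetime(2021, 9, 1, 12, 0, tzinfo=timezone.utc)):
    """Answer the three questions the slides pose, for one UTC timestamp of interest."""
    return {
        "control_set": current_control_set(values["Select\\Current"]),
        "accounts": {s: classify_sid(s)["kind"] for s in values["ProfileList"]},
        "dst_auto": dst_auto_adjust(values["TimeZoneInformation\\DynamicDaylightTimeDisabled"]),
        "local_time": utc_to_local(sample_utc, values["TimeZoneInformation\\ActiveTimeBias"]),
    }


if __name__ == "__main__":
    print(summarise())
</br>```

Most NTFS and registry timestamps are already UTC (FILETIME), so the bias is only needed when correlating with local-time sources such as a user's statements or a camera clock; and the bias you read must come from the ControlSet named by Select\Current, not from whichever one appears first.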
▪ SAM hive
▪ Contains each local user's password hashes (LM/NT); they are encrypted with the boot key held in the SYSTEM hive, so both hives are needed to extract them
▪ Used with password-cracking tools (e.g. ophcrack, Cain & Abel, John the Ripper, hashcat)
▪ Most Recently Used… (filenames, commands, etc.)
▪ HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (NTUSER.DAT)
▪ Shows what the user executed from the Run dialog (Win+R), if MRU tracking has not been disabled by policy; the MRUList value gives the order
▪ Typed URLs
▪ HKCU\Software\Microsoft\Internet Explorer\TypedURLs (NTUSER.DAT)
▪ Numbered from url1 (most recently typed) to url25
▪ Prefetch (Win XP) → Superfetch (Win Vista) → SysMain (Win 10)
▪ Purpose: speed up application start-up by pre-loading the pages an application needs into RAM (caching the app's code and data)
▪ Limited number of files kept:
▪ Win XP & 7 – 128 .pf files
▪ Win 8 & 10 – 1024 .pf files
▪ Are Prefetch files generated? Controlled by the EnablePrefetcher value under the PrefetchParameters key (next slide): 0 = disabled (no prefetch files), 1 = application launch prefetching only, 2 = boot prefetching only, 3 = both (the default)
▪ Naming convention: EXECUTABLE_NAME.EXE-XXXXXXXX.pf, where XXXXXXXX is a hash of the executable's path (and, for hosts such as rundll32, of its command line)
▪ Location: C:\Windows\Prefetch
▪ Controlled by: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (EnablePrefetcher)

▪ Information contained:
▪ Time of last execution (roughly 10 seconds before the .pf file's last-modified time, since the file is written after the application has loaded)
▪ Number of times run
▪ Directories, files and device volumes referenced by the program (loaded .dll files, etc.)
▪ Time the .pf was first created ≈ first execution (plus roughly 10 seconds)
▪ Win 8 & 10 – contains the last 8 execution times
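The fields listed above live at fixed, version-dependent offsets in the .pf header. The following is an added example (not from the slides) that parses a constructed Windows 7 (version 23) prefetch header for EXCEL.EXE: it checks the SCCA signature, reads the executable name, the path hash (and hence the expected file name), the run count and the last-run FILETIME(s), using the version 17/23/26 offsets documented by the libscca project. Windows 8 and 10 store .pf files compressed (MAM\x04 header, LZXPRESS Huffman), which this example detects and refuses rather than decompresses; Windows 10's version 30 layout is not handled here. The hash value and timestamp are constructed.

```python
"""Added example (not from the slides): parse the fixed header of a Windows
Prefetch (.pf) file. Offsets follow libscca's documentation of the format;
the sample file bytes are constructed, not a real .pf."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft):
    """FILETIME = number of 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# version -> (offset of last-run FILETIME(s), number of timestamps, offset of run count)
LAYOUT = {
    17: (0x78, 1, 0x90),   # Windows XP / 2003
    23: (0x80, 1, 0x98),   # Windows Vista / 7
    26: (0x80, 8, 0xD0),   # Windows 8.1 (last eight run times)
}


def parse_prefetch(data):
    if data[:3] == b"MAM":
        # Windows 8+ compresses .pf files (MAM\x04 header); decompress with a
        # dedicated tool/library before parsing. Not done here.
        raise ValueError("compressed prefetch file: decompress before parsing")
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL terminated.
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 0x4C)
    ts_off, ts_count, rc_off = LAYOUT[version]
    filetimes = struct.unpack_from(f"<{ts_count}Q", data, ts_off)
    run_count, = struct.unpack_from("<I", data, rc_off)
    return {
        "version": version,
        "executable": name,
        "expected_filename": f"{name}-{prefetch_hash:08X}.pf",
        "file_size": file_size,
        "run_count": run_count,
        "last_runs": [from_filetime(ft) for ft in filetimes if ft],   # unused slots are zero
    }


def build_sample_prefetch():
    """Constructed Windows 7 (version 23) header for EXCEL.EXE, run 7 times."""
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, len(buf))
    buf[0x10:0x10 + 18] = "EXCEL.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0x1ABCDEF0)                 # arbitrary demo hash
    struct.pack_into("<Q", buf, 0x80, to_filetime(datetime(2021, 9, 1, 12, 0, tzinfo=timezone.utc)))
    struct.pack_into("<I", buf, 0x98, 7)
    return bytes(buf)


if __name__ == "__main__":
    print(parse_prefetch(build_sample_prefetch()))
```

The last-run value is the time the application was launched, in UTC, so it should sit about ten seconds before the .pf file's NTFS modification time; a .pf whose modified time is far from its recorded last run, or whose name hash does not match the executable path, is worth a second look.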
Fields shown in a prefetch viewer (figure removed):
1. Prefetch file name
2. Executable file name
3. Path to executable file
4. Number of times application was run
5. Last time(s) application ran
6. List of dependencies (files/DLLs) used by the executable
▪ Browsers store data in their own profile directory under the user's profile, usually found at:
▪ \Users\<USERNAME>\AppData\Local\<BROWSER> or \AppData\Roaming\<BROWSER> (Windows Vista and later; e.g. Chrome under Local\Google\Chrome\User Data, Firefox under Roaming\Mozilla\Firefox\Profiles)
▪ \Documents and Settings\<USERNAME>\Application Data\<BROWSER> (Windows XP)

▪ General browser artifacts include:
▪ Cache
▪ Cookies
▪ Downloaded files
▪ Favorites/Bookmarks
▪ Financial info
▪ Form values (searches, autofill)
▪ History
▪ Most visited sites
▪ Screenshots
▪ Sessions
▪ Typed URLs

Read the following article: https://www.digitalforensics.com/blog/an-overview-of-web-browser-forensics/
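The history artifact in Chromium-based browsers is a SQLite database (the History file in the profile directory) whose timestamps are microseconds since 1601-01-01 UTC (the WebKit epoch), not Unix time. The following is an added example (not from the slides or the linked article) that builds an in-memory database with a constructed subset of Chrome's urls and visits tables, joins them into a visit timeline, and converts the timestamps to readable UTC; the sample rows are constructed. To use it on evidence, connect to a copy of the History file instead of the in-memory database, since the live file is locked while the browser runs.

```python
"""Added example (not from the slides): timeline a Chrome-style History
database and convert WebKit timestamps. Schema subset and rows are constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_TO_WEBKIT_SECONDS = 11_644_473_600       # seconds from 1601-01-01 to 1970-01-01


def webkit_to_utc(ts):
    """Chrome stores microseconds since 1601-01-01 UTC (Firefox's places.sqlite uses microseconds since 1970)."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def utc_to_webkit(dt):
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history():
    """Constructed subset of Chrome's urls/visits tables in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER);
    """)
    t0 = utc_to_webkit(datetime(2021, 9, 1, 12, 0, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 2, 1, t0 + 60_000_000),
        (2, "https://example.com/login", "Sign in", 1, 0, t0 + 90_000_000),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, t0, 0),                       # first visit, typed by the user
        (2, 1, t0 + 60_000_000, 0),          # revisit a minute later
        (3, 2, t0 + 90_000_000, 2),          # reached by following a link from visit 2
    ])
    return conn


def visit_timeline(conn):
    """Every visit in chronological order, with the URL's typed_count and the referring visit id."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, u.typed_count, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    return [{"when": webkit_to_utc(t).isoformat(), "url": url, "title": title,
             "url_was_typed": typed > 0, "from_visit": frm}
            for t, url, title, typed, frm in rows]


if __name__ == "__main__":
    for row in visit_timeline(build_sample_history()):
        print(row)
```

The from_visit chain is what distinguishes a page the user navigated to deliberately from one reached through a link or redirect, and typed_count is the SQLite counterpart of the TypedURLs registry key for Internet Explorer.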
▪ Most popular desktop client:
▪ Microsoft Outlook (.ost & .pst files)
▪ \Users\<USERNAME>\AppData\Local\Microsoft\Outlook
▪ Locate & extract the .ost/.pst files from the image
▪ View and analyze them within an e-mail client/reader (e.g. Outlook) or a PST parser

▪ Other e-mail clients:
▪ Mozilla Thunderbird
▪ Postbox
▪ Windows Mail
▪ eM Client

▪ Important information is found in the e-mail header… more to come
QUICK CHECK 3
1. Explain what the Windows Registry is.
2. What is a SID?
a. In which Registry hive and key will you find user SIDs?
3. Which registry file is unique for each user?
4. Where do we find Time Zone information?
5. This registry file contains the hash values of user passwords.
6. In which Registry hive and key can one find Most Recently Used (MRU) lists?
7. What is the purpose of Prefetch/Superfetch files?
a. How many are stored on a Windows 10 system?
UPCOMING…
▪ Due next week:
▪ CodingBat (Strings-1 & List-1)
▪ Assignment 1
▪ Write-up should include:
▪ Brief analysis of findings
▪ Snapshots
▪ Note any issues
▪ Submit the write-up (.pdf, .doc, etc.) on BB – NO .zip/.rar/compressed files

▪ Read the article on browser history: https://www.digitalforensics.com/blog/an-overview-of-web-browser-forensics
Download (into the SAME directory) nps-2009-jean.e01 and nps-2009-jean.e02 from Blackboard or DigitalCorpora.

In Sleuthkit Autopsy (v4.19.1*):
▪ “New Case” → fill in Case Name → “Browse” to the directory where the .e01 files are located → “Next”
▪ Enter “Case Number” → leave Host info as is
▪ Select “Disk Image or VM file” → “Next”
▪ Browse to the .e01 and .e02 files → select the .e01 file → “Next”
▪ Deselect: Virtual Machine Extractor, Android Analyzer, DJI Drone Analyzer, iOS Analyzer
▪ Click “Next”
▪ Wait for Autopsy to finish parsing and analyzing the image

* indicates the version I will be using
Again using nps-2009-jean.e01 and nps-2009-jean.e02 (downloaded into the SAME directory from Blackboard or DigitalCorpora).

In FTK Imager (v4.2.0.13*):
▪ File menu → “Add Evidence Item”
▪ Select “Image File” → “Next”
▪ Browse to the .e01 and .e02 files
▪ Select the .e01 file → “Open” → “Finish”

* indicates the version I will be using


▪ What file system is used?
▪ What user profiles/accounts do you see?
▪ What are their SIDs?
▪ Do they have administrative privileges?
▪ When was the spreadsheet m57biz.xlsx created? By whom?
▪ What is the file's starting location on the drive?
▪ How do you think m57biz.xlsx was extracted from Jean's computer?
▪ When was the last time EXCEL was executed?
▪ How about the command line interface (CLI)?
* Image source: https://digitalcorpora.org/corpora/scenarios/m57-jean
QUESTIONS

Textbooks:
▪ Carrier, B. (2005). File system forensic analysis. Upper Saddle River, NJ: Addison-Wesley
▪ Anson, S., Bunting, S., Johnson, R., & Pearson, S. (2012). Mastering Windows network forensics and investigation. Hoboken, NJ: John Wiley & Sons, Inc.

Bootstrap
https://neosmart.net/wiki/mbr-boot-process
https://www.marksei.com/bios-uefi-explained/
https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf
http://osxdaily.com/2018/08/25/visualizing-mac-startup-boot-process/
https://www.thegeekstuff.com/2011/02/linux-boot-process
https://www.techwalla.com/articles/the-five-steps-of-the-boot-sequence
https://www.lifewire.com/what-is-a-master-boot-record-mbr-2625936

FAT
http://www.forensicswiki.org/wiki/FAT
https://www.youtube.com/watch?v=V2Gxqv3bJCk
https://social.technet.microsoft.com/wiki/contents/articles/6771.the-fat-file-system.aspx

NTFS
https://technet.microsoft.com/en-us/library/cc781134(v=ws.10).aspx#w2k3tr_ntfs_how_rxtc
https://www.youtube.com/watch?v=xW5UwDztkX4 (22 min)
https://social.technet.microsoft.com/wiki/contents/articles/5375.windows-file-systems.aspx#FAT

Windows Registry
https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
https://social.technet.microsoft.com/wiki/contents/articles/4557.windows-registry.aspx

APFS
https://www.lifewire.com/apple-apfs-file-system-4117093
https://developer.apple.com/documentation/foundation/file_system/about_apple_file_system
https://www.youtube.com/watch?v=9I7fg930Deg
https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf

Windows Registry Artifacts
https://docs.microsoft.com
https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download (Cheat sheet)
https://www.digitalforensics.com/blog/an-overview-of-web-browser-forensics/ (Browser)
https://medium.com/@ismailtasdelen/windows-lnk-file-analysis-in-forensic-it-reviews-75b3dfd49f36 (.lnk Files)

Prefetch/Superfetch/SysMain
https://helpdeskgeek.com/help-desk/delete-disable-windows-prefetch/
https://winbuzzer.com/2020/03/14/windows-10-how-to-disable-enable-prefetch-and-superfetch-xcxwbt/

Tools
Prefetch analysis tools
Windows: https://www.nirsoft.net/utils/win_prefetch_view.html
*nix & Windows: https://tzworks.net/download_links.php

Source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781134(v=ws.10)?redirectedfrom=MSDN#w2k3tr_ntfs_how_rxtc