Windows forensics, part 1

Question 1

Explain the bootup process

Answer 1

When booting up a computer, the (hard coded ROM) BIOS firmware runs self tests, identifies connected devices and then locates the operating system on one of these devices

Question 2

What two file systems are there for windows?

Answer 2

NTFS - modern and efficient

FAT - old and simple

Question 3

What is the max file size for NTFS and FAT?

Answer 3

NTFS - 16 TB

FAT - 4 GB

Question 4

What is FAT?

Answer 4

File Allocation Table, that allocated files in “data areas”, compatible file system for most operating systems.

DOSDATETIME, accesstime: 1 day
write time: 2 seconds
create time: 10 millieseconds (local time)

Question 5

What is NTFS?

Answer 5

New Technolohies File System, a table that allocates files in “data areas”/ unallocated space

FILETIME,
access time: up to 1 hour
Write time: 100 nanoseconds
Create time: 100 nanoseconds (UTC)

Question 6

What is $MFT in NTFS?

Answer 6

The master file table, functions like a table of contents for data in the Volume

Question 7

What is the $Logfile in NTFS?

Answer 7

a transaction log, used for restoring system to a consistent state. Transactions are recorded as complete or not

Question 8

What is the $Volume in NTFS?

Answer 8

a resident in MFT, only contains attributes, volume lables and ID.

note. might appear empty in forensic tools

Question 9

What is the $Secure in NTFS?

Answer 9

Access control list, read-write-execute permissions.

Details of ownership and access information in the $DATA attribute

Question 10

What is Standard Information Attribute (SIA) in NTFS $MFT?

Answer 10

A resident attribute identifier, contains (and updates) information about the date and timestamps displayed by Windows and most forensic tools.

extra:
Starts with hexadecimal sequence 10 00 00 00

Question 11

What is Filename Attribute (FNA) in NTFS $MFT?

Answer 11

like SIA, also a resident attrubute. Containing reference to parent folder, filename, the file´s physical and logical size.
Usually not updated through system usage.

extra:
Starts with hexadecimal sequence 30 00 00 00

Question 12

What is Data Attribute (DA) in NTFS $MFT?

Answer 12

An important attribute which holds the actual data (resident data) or point to the location were data resides (non resident data).

extra:
Starts with hexadecimal sequence 80 00 00 00

Question 13

What is the difference between resident and non-resident data?

Answer 13

files smaller than 600 bytes are treated as resident data, DA points to the location for files bigger than 600 bytes

Question 14

Whats is.. 1. Data compression

2. Sparse files .. in NTFS?

Answer 14

1. NTFS can simply compress data and store it, to decompress it automatically when used
2. Allocates non-zero data, it does not allocate “zero data”, instead number of zeros are specified in sparse file

Question 15

What is Reparse Points in NTFS?

Answer 15

points to files or folders that act as links, contains timestamps, source and taget location. Hence useful for forensic investigators

Question 16

What kinds of metadata is there?

Answer 16

File System metadata & File Metadata

Question 17

What happens with file Deletion in NTFS?

Answer 17

Remove file and file data from MFT, the file is unallocated from the MFT.
$Bitmap then record the space as allocated
$Logfile and other records are updated as well

Until overwritten, carving to the examiners rescue