OS Forensics is one of the categories in digital forensics. As MS Windows is the most popular OS in the world, we focus on Windows forensics and some important methods in this presentation.

1. WINDOWS FORENSICS
Hossein Yavari
June 09, 2022

2. W H A T I S O S ?

3. O S F o r e n s i c s

4. W H Y W I N D O W S ?

5. M S W I N D O W S
File System
Registry
Event Logs
File Extensions
Recycle Bin

6. Y o u s h o u l d b e f a m i l i a r w i t h b o t h t h e O S
a n d f i l e s y s t e m t o a c c e s s a n d m o d i f y
s y s t e m s e t t i n g s w h e n n e c e s s a r y i n t h e
i n v e s t i g a t i o n .

7. B O O T P R O C E S S
https://docs.microsoft.com/en-us/windows/client-management/images/boot-
sequence.png

9. D I S K D R I V E S https://www.enterprisestorageforum.com/hardware/ssd-vs-hdd/
Solid-state drives: Wear-leveling automatically overwrites the unallocated space!
Hard-disk drives: When data is deleted, only the references to it are removed!
Complex
Recovery

10. F I L E SY S T E M
A file system gives an OS a
road map to data on a disk.
The type of file system an OS
uses determines how data is
stored on the disk.

11. F I L E SY S T E M
https://www.geeksforgeeks.org/understanding-file-system/
✓ Partition is a logical division of
the physical drive.
✓ The smallest unit of space is
Sector.
✓ FS groups sectors into
Clusters.
✓ New files allocated to empty
clusters.

12. W I N D O W S F I L E S Y S T E M
➢ FAT 12,16,32: different
size of clusters
➢ Encryption is not
possible!
➢ Up to 4GB file size
➢ Faster than FAT
➢ Encryption
➢ Compression
➢ Up to 16TB file size

13. F I L E S Y S T E M F O R E N S I C
➢Contents
➢Metadata
➢Permissions
➢Last used
➢Create/Modify/Delete times
➢Shortcuts

14. W I N H E X

15. W E L C O M E T O E P I S O D E 2

16. W I N D O W S R E G I S T R Y

17. W H A T I S R E G I S T R Y ?
A database that stores hardware and software
configuration information, network connections,
user preferences including usernames and
passwords, installed programs, and setup
information.
Registry can contain valuable evidence for
investigative purposes.

18. R E G I S T R Y F I L E L O C A T I O N ✓ Registry isn’t simply one large file, but a set of
discrete files called hives.
✓ Each hive contains a Registry tree, which has
a key that serves as the root of the tree.
✓ Subkeys and their values reside beneath the
root.

19. R E G I S T R Y H K E Y S

20. E X A M I N I N G R E G I S T R Y

21. O S F O R E N S I C S

22. Q & A

23. R e f e r e n c e s
• Nelson, B., Phillips, A., & Steuart, C. (2018). Guide to computer forensics and investigations –
Standalone Book (6th Ed.) Publisher: Cengage Learning; 6th edition (April 17, 2018) ISBN-10 :
1337568945 ISBN-13 : 978-1337568944
• Altheide, C. (2011). Digital forensics with open source tools: Using open source platform tools for
performing computer forensics on target systems: Windows, MAC, Linux, Unix, Etc. Elsevier
Science & Technology Books

24. THANK YOU.
Fingerprint on CD