File structure analysis and examining the windows registry

1. College of Technological Innovation
MSIT 10, CIT 530 Cyber Forensics
Lab 5:
File Structure Analysis & Examine the Windows Registry
Supervised by:
Dr. Farkhund Iqbal Ms. Mona Bader
Prepared by:
Musaab Hasan Zayed Balbahaith Abdulrahman Sabbagh
M80006988@zu.ac.ae M80007225@zu.ac.ae M80007043@zu.ac.ae
September 28, 2016

2. List of Figures
Figure 1: A file was created on the flash disk with the following paragraph......3
Figure 2: WinHex used to open the flash disk..................................................................3
Figure 3: A "Security" word searched on the flash disk...............................................4
Figure 4: the display result for the searched word........................................................4
Figure 5: the text file was deleted..........................................................................................5
Figure 6: A "Security" word searched on the flash disk after deleted....................5
Figure 7: the display result for the searched word after deleting the file...........6
Figure 8: a Quick format have been applied on the flash disk...................................6
Figure 9: A "Security" word searched on the flash disk after a quick format
applied...............................................................................................................................................7
Figure 10: a full format have been applied on the flash disk.....................................7
Figure 11: A "Security" word searched on the flash disk after a full format
applied...............................................................................................................................................8
Figure 12: A "security" word was not found.....................................................................8
Figure 13: finding the repeating pattern of F6.................................................................9
Figure 14: the second appearance of the pattern F6....................................................9
Figure 15: A search on the acquired image of windows 98 have been applied
............................................................................................................................................................ 10
Figure 16: Content search applied for the system.dat & user.dat......................... 10
............................................................................................Figure 17: Registry files extracted
............................................................................................................................................................ 11
Figure 18: finding the key word "superior" and searching for whole
occurrence .................................................................................................................................... 11
Figure 19: Copying the Key Name for the key word "superior" in text file....... 12
Figure 20: finding the key word "superior" & “denise” and searching for
whole occurrence and copying the Key in text file Name........................................ 12
Figure 21: Deleting the redundant folder names and saving the final file........ 13

3. Executive Summary
On the first part a located data on a disk was investigated using WinHex regardless of how the operating
system render it. A few scenarios have been applied to test the existence of the file using different
methods. On the second part a windows registry have been used to extract System.dat & User.dat on
the image file and searching on those files for specific information then copy the registry path to a text
file.
Part 1 : File Structure Analysis
Phase1 : setup
Figure 1: A file was created on the flash disk with the following paragraph.
Phase2 : Opening and searching the flash disk
Figure 2: WinHex used to open the flash disk

4. Figure 3: A "Security" word searched on the flash disk
Figure 4: the display result for the searched word
Result 1: the word was found on the flash disk since the file already existed
on the flash and wasn’t deleted.

5. Phase3 : Opening and searching the flash disk after a delete
Figure 5: the text file was deleted
Figure 6: A "Security" word searched on the flash disk after deleted

6. Figure 7: the display result for the searched word after deleting the file
Result 2: the word was found on the flash disk after deleting the file since the
file still on the original place except it is not readily viewable or accessible.
Phase4 : Opening and searching the flash disk after a Quick format
Figure 8: a Quick format have been applied on the flash disk

7. Figure 9: A "Security" word searched on the flash disk after a quick format applied
Result 3: the word was found on the flash disk after applying a quick format
since it’s not checking the bad sector and the volume of the drive can be re-
built to gain access to the deleted files again.
Phase5 : Opening and searching the flash disk after a full format
Figure 10: a full format have been applied on the flash disk

8. Figure 11: A "Security" word searched on the flash disk after a full format applied
Figure 12: A "security" word was not found
Result 4: the word was not found on the flash disk after applying a full format
since its checks the bad sectors also on the disk.

9. Figure 13: finding the repeating pattern of F6
Figure 14: the second appearance of the pattern F6

10. Part2 : Examine the Windows Registry
Figure 15: A search on the acquired image of windows 98 have been applied
Figure 16: Content search applied for the system.dat & user.dat

11. Figure 17: Registry files extracted
Figure 18: finding the key word "superior" and searching for whole occurrence

12. Figure 19: Copying the Key Name for the key word "superior" in text file
Figure 20: finding the key word "superior" & “denise” and searching for whole occurrence and copying the Key
in text file Name

13. Figure 21: