SlideShare a Scribd company logo

Computer Forensics Working with Windows and DOS Systems

Jyothishmathi Institute of Technology and Science Karimnagar
Jyothishmathi Institute of Technology and Science Karimnagar

Working with Windows and DOS Systems: understanding file systems, exploring Microsoft File Structures, Examining NTFS disks, Understanding whole disk encryption, windows registry, Microsoft startup tasks, MS-DOS startup tasks, virtual machines

Technology
1 of 24
Download to read offline
Computer Forensics-Working with Windows and DOS Systems Dr R Jegadeesan Prof-CSE Jyothishmathi Institute of Technology and Science, Karimnagar
2 Working with Windows and DOS Systems Understanding file systems • File system – Gives OS a road map to data on a disk • Type of file system an OS uses determines how data is stored on the disk • A file system is usually directly related to an OS • When you need to access a suspect’s computer to acquire or inspect data – You should be familiar with the computer’s platform
3 Working with Windows and DOS Systems Understanding the Boot Sequence • Complementary Metal Oxide Semiconductor (CMOS) – Computer stores system configuration and date and time information in the CMOS • When power to the system is off • Basic Input/Output System (BIOS) – Contains programs that perform input and output at the hardware level
4 Working with Windows and DOS Systems Understanding the Boot Sequence • Bootstrap process – Contained in ROM, tells the computer how to proceed – Displays the key or keys you press to open the CMOS setup screen • CMOS should be modified to boot from a forensic floppy disk or CD
5 Working with Windows and DOS Systems Exploring Microsoft File Structures • In Microsoft file structures, sectors are grouped to form clusters – Storage allocation units of one or more sectors • Clusters are typically 512, 1024, 2048, 4096, or more bytes each • Combining sectors minimizes the overhead of writing or reading files to a disk
6 Working with Windows and DOS Systems Exploring Microsoft File Structures • Clusters are numbered sequentially starting at 2 – First sector of all disks contains a system area, the boot record, and a file structure database • OS assigns these cluster numbers, called logical addresses • Sector numbers are called physical addresses • Clusters and their addresses are specific to a logical disk drive, which is a disk partition
7 Working with Windows and DOS Systems Exploring Microsoft File Structures Master Boot Record • On Windows and DOS computer systems – Boot disk contains a file called the Master Boot Record (MBR) • MBR stores information about partitions on a disk and their locations, size, and other important items • Several software products can modify the MBR, such as PartitionMagic’s Boot Magic
8 Working with Windows and DOS Systems Examining NTFS Disks • New Technology File System (NTFS) – Introduced with Windows NT – Primary file system for Windows Vista • Improvements over FAT file systems – NTFS provides more information about a file – NTFS gives more control over files and folders • NTFS was Microsoft’s move toward a journaling file system
9 Working with Windows and DOS Systems Examining NTFS Disks • In NTFS, everything written to the disk is considered a file • On an NTFS disk – First data set is the Partition Boot Sector – Next is Master File Table (MFT) • NTFS results in much less file slack space • Clusters are smaller for smaller disk drives • NTFS also uses Unicode – An international data format
10 Working with Windows and DOS Systems Examining NTFS Disks NTFS File System • MFT contains information about all files on the disk – Including the system files the OS uses • In the MFT, the first 15 records are reserved for system files • Records in the MFT are called metadata
11 Working with Windows and DOS Systems Understanding Whole Disk Encryption • In recent years, there has been more concern about loss of – Personal identity information (PII) and trade secrets caused by computer theft • Of particular concern is the theft of laptop computers and other handheld devices • To help prevent loss of information, software vendors now provide whole disk encryption
12 Working with Windows and DOS Systems Understanding Whole Disk Encryption • Current whole disk encryption tools offer the following features: – Preboot authentication – Full or partial disk encryption with secure hibernation – Advanced encryption algorithms – Key management function – A Trusted Platform Module (TPM) microchip to generate encryption keys and authenticate logins
13 Working with Windows and DOS Systems Understanding Whole Disk Encryption • Whole disk encryption tools encrypt each sector of a drive separately • Many of these tools encrypt the drive’s boot sector – To prevent any efforts to bypass the secured drive’s partition • To examine an encrypted drive, decrypt it first – Run a vendor-specific program to decrypt the drive
14 Working with Windows and DOS Systems Windows Registry • Registry – A database that stores hardware and software configuration information, network connections, user preferences, and setup information • For investigative purposes, the Registry can contain valuable evidence • To view the Registry, you can use: – Regedit (Registry Editor) program for Windows 9x systems – Regedt32 for Windows 2000 and XP
15 Working with Windows and DOS Systems Windows Registry • Registry terminology: – Registry – Registry Editor – HKEY – Key – Subkey – Branch – Value – Default value – Hives
16 UNIT 5:Working with Windows and DOS Systems Windows Registry fig. Registry File locations and purposes
17 Working with Windows and DOS Systems Understanding Microsoft Startup Tasks • Learn what files are accessed when Windows starts • This information helps you determine when a suspect’s computer was last accessed – Important with computers that might have been used after an incident was reported
18 Working with Windows and DOS Systems Understanding Microsoft Startup Tasks • All NTFS computers perform the following steps when the computer is turned on: – Power-on self test (POST) – Initial startup – Boot loader – Hardware detection and configuration – Kernel loading – User logon
19 Working with Windows and DOS Systems Understanding Microsoft Startup Tasks • Startup Files for Windows XP: – NT Loader (NTLDR) – Boot.ini – BootSect.dos – NTDetect.com – NTBootdd.sys – Ntoskrnl.exe – Hal.dll – Pagefile.sys – Device drivers
20 Working with Windows and DOS Systems Understanding Microsoft Startup Tasks • Contamination Concerns with Windows XP – When you start a Windows XP NTFS workstation, several files are accessed immediately • The last access date and time stamp for the files change to the current date and time – Destroys any potential evidence • That shows when a Windows XP workstation was last used
21 Working with Windows and DOS Systems Understanding Virtual Machines • Virtual machine – Allows you to create a representation of another computer on an existing physical computer • A virtual machine is just a few files on your hard drive – Must allocate space to it • A virtual machine recognizes components of the physical machine it’s loaded on – Virtual OS is limited by the physical machine’s OS
22 Working with Windows and DOS Systems Understanding Virtual Machines • In computer forensics – Virtual machines make it possible to restore a suspect drive on your virtual machine • And run nonstandard software the suspect might have loaded • From a network forensics standpoint, you need to be aware of some potential issues, such as: – A virtual machine used to attack another system or network
23 Working with Windows and DOS Systems Understanding Virtual Machines • Two popular applications for creating virtual machines – VMware and Microsoft Virtual PC • Using Virtual PC – You must download and install Virtual PC first
24 Working with Windows and DOS Systems Thank you

Recommended

computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolsN.Jagadish Kumar
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logsanilinvns
 
Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Jyothishmathi Institute of Technology and Science Karimnagar
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationSam Bowne
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation Jyothishmathi Institute of Technology and Science Karimnagar
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 

Recommended

computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolsN.Jagadish Kumar
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logsanilinvns
 
Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Jyothishmathi Institute of Technology and Science Karimnagar
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationSam Bowne
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation Jyothishmathi Institute of Technology and Science Karimnagar
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber ForensicsKathirvel Ayyaswamy
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenesprimeteacher32
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisitionprimeteacher32
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Windows Registry
Windows RegistryWindows Registry
Windows Registryprimeteacher32
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic toolsParsons Corporation
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools Jyothishmathi Institute of Technology and Science Karimnagar
 
Email investigation
Email investigationEmail investigation
Email investigationAnimesh Shaw
 
Understanding computer investigation
Understanding computer investigationUnderstanding computer investigation
Understanding computer investigationOnline
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensicsn|u - The Open Security Community
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsgaurang17
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - NotesKranthi
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensicsprimeteacher32
 
data hiding techniques.ppt
data hiding techniques.pptdata hiding techniques.ppt
data hiding techniques.pptMuzamil Amin
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)AltheimPrivacy
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Network forensic
Network forensicNetwork forensic
Network forensicManjushree Mashal
 
Windows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisWindows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisDon Caeiro
 
Lecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemLecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemAlchemist095
 

More Related Content

What's hot

Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenesprimeteacher32
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Email investigation
Email investigationEmail investigation
Email investigationAnimesh Shaw
 
Understanding computer investigation
Understanding computer investigationUnderstanding computer investigation
Understanding computer investigationOnline
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsgaurang17
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - NotesKranthi
 
data hiding techniques.ppt
data hiding techniques.pptdata hiding techniques.ppt
data hiding techniques.pptMuzamil Amin
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)AltheimPrivacy
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 

What's hot (20)

CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Windows Registry
Windows RegistryWindows Registry
Windows Registry
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
 
Email investigation
Email investigationEmail investigation
Email investigation
 
Understanding computer investigation
Understanding computer investigationUnderstanding computer investigation
Understanding computer investigation
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifacts
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
data hiding techniques.ppt
data hiding techniques.pptdata hiding techniques.ppt
data hiding techniques.ppt
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidence
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Network forensic
Network forensicNetwork forensic
Network forensic
 

Similar to Computer Forensics Working with Windows and DOS Systems

Windows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisWindows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisDon Caeiro
 
Lecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemLecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemAlchemist095
 
Selecting and Installing Operating System
Selecting and Installing Operating SystemSelecting and Installing Operating System
Selecting and Installing Operating SystemAmir Villas
 
Dheeraj chugh -_presentation_on_ms-dos
Dheeraj chugh -_presentation_on_ms-dosDheeraj chugh -_presentation_on_ms-dos
Dheeraj chugh -_presentation_on_ms-dosREXY J
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its roleSudeshna Basak
 
Computer Architecture - Software - Lesson 13 - Printers, Mac OS and Linux - E...
Computer Architecture - Software - Lesson 13 - Printers, Mac OS and Linux - E...Computer Architecture - Software - Lesson 13 - Printers, Mac OS and Linux - E...
Computer Architecture - Software - Lesson 13 - Printers, Mac OS and Linux - E...Eric Vanderburg
 
chapter05 - Operating System.pdf
chapter05 - Operating System.pdfchapter05 - Operating System.pdf
chapter05 - Operating System.pdfsatonaka3
 
01. Introduction.ppt
01. Introduction.ppt01. Introduction.ppt
01. Introduction.pptwarlord56
 
Module 13 - Troubleshooting
Module 13 - TroubleshootingModule 13 - Troubleshooting
Module 13 - TroubleshootingT. J. Saotome
 
Case study of BtrFS: A fault tolerant File system
Case study of BtrFS: A fault tolerant File systemCase study of BtrFS: A fault tolerant File system
Case study of BtrFS: A fault tolerant File systemKumar Amit Mehta
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 

Similar to Computer Forensics Working with Windows and DOS Systems (20)

Windows Forensics- Introduction and Analysis
Windows Forensics- Introduction and AnalysisWindows Forensics- Introduction and Analysis
Windows Forensics- Introduction and Analysis
 
Lecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemLecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file system
 
Selecting and Installing Operating System
Selecting and Installing Operating SystemSelecting and Installing Operating System
Selecting and Installing Operating System
 
Cos413day3
Cos413day3Cos413day3
Cos413day3
 
Managing Files
Managing FilesManaging Files
Managing Files
 
Dheeraj chugh -_presentation_on_ms-dos
Dheeraj chugh -_presentation_on_ms-dosDheeraj chugh -_presentation_on_ms-dos
Dheeraj chugh -_presentation_on_ms-dos
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
 
windows.pptx
windows.pptxwindows.pptx
windows.pptx
 
Lecture 1
Lecture 1Lecture 1
Lecture 1
 
Computer Architecture - Software - Lesson 13 - Printers, Mac OS and Linux - E...
Computer Architecture - Software - Lesson 13 - Printers, Mac OS and Linux - E...Computer Architecture - Software - Lesson 13 - Printers, Mac OS and Linux - E...
Computer Architecture - Software - Lesson 13 - Printers, Mac OS and Linux - E...
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
chapter05 - Operating System.pdf
chapter05 - Operating System.pdfchapter05 - Operating System.pdf
chapter05 - Operating System.pdf
 
01. Introduction.ppt
01. Introduction.ppt01. Introduction.ppt
01. Introduction.ppt
 
File000128
File000128File000128
File000128
 
Ms dos
Ms dosMs dos
Ms dos
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systems
 
Module 13 - Troubleshooting
Module 13 - TroubleshootingModule 13 - Troubleshooting
Module 13 - Troubleshooting
 
Case study of BtrFS: A fault tolerant File system
Case study of BtrFS: A fault tolerant File systemCase study of BtrFS: A fault tolerant File system
Case study of BtrFS: A fault tolerant File system
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Embedded system - embedded system programming
Embedded system - embedded system programmingEmbedded system - embedded system programming
Embedded system - embedded system programming
 

More from Jyothishmathi Institute of Technology and Science Karimnagar

More from Jyothishmathi Institute of Technology and Science Karimnagar (20)

JAVA PROGRAMMING- GUI Programming with Swing - The Swing Buttons
JAVA PROGRAMMING- GUI Programming with Swing - The Swing ButtonsJAVA PROGRAMMING- GUI Programming with Swing - The Swing Buttons
JAVA PROGRAMMING- GUI Programming with Swing - The Swing Buttons
 
JAVA PROGRAMMING - The Collections Framework
JAVA PROGRAMMING - The Collections Framework JAVA PROGRAMMING - The Collections Framework
JAVA PROGRAMMING - The Collections Framework
 
JAVA PROGRAMMING- Exception handling - Multithreading
JAVA PROGRAMMING- Exception handling - MultithreadingJAVA PROGRAMMING- Exception handling - Multithreading
JAVA PROGRAMMING- Exception handling - Multithreading
 
JAVA PROGRAMMING – Packages - Stream based I/O
JAVA PROGRAMMING – Packages - Stream based I/O JAVA PROGRAMMING – Packages - Stream based I/O
JAVA PROGRAMMING – Packages - Stream based I/O
 
Java programming -Object-Oriented Thinking- Inheritance
Java programming -Object-Oriented Thinking- InheritanceJava programming -Object-Oriented Thinking- Inheritance
Java programming -Object-Oriented Thinking- Inheritance
 
WEB TECHNOLOGIES JavaScript
WEB TECHNOLOGIES JavaScriptWEB TECHNOLOGIES JavaScript
WEB TECHNOLOGIES JavaScript
 
WEB TECHNOLOGIES JSP
WEB TECHNOLOGIES JSPWEB TECHNOLOGIES JSP
WEB TECHNOLOGIES JSP
 
WEB TECHNOLOGIES Servlet
WEB TECHNOLOGIES ServletWEB TECHNOLOGIES Servlet
WEB TECHNOLOGIES Servlet
 
WEB TECHNOLOGIES XML
WEB TECHNOLOGIES XMLWEB TECHNOLOGIES XML
WEB TECHNOLOGIES XML
 
WEB TECHNOLOGIES- PHP Programming
WEB TECHNOLOGIES- PHP ProgrammingWEB TECHNOLOGIES- PHP Programming
WEB TECHNOLOGIES- PHP Programming
 
Compiler Design- Machine Independent Optimizations
Compiler Design- Machine Independent OptimizationsCompiler Design- Machine Independent Optimizations
Compiler Design- Machine Independent Optimizations
 
COMPILER DESIGN Run-Time Environments
COMPILER DESIGN Run-Time EnvironmentsCOMPILER DESIGN Run-Time Environments
COMPILER DESIGN Run-Time Environments
 
COMPILER DESIGN- Syntax Directed Translation
COMPILER DESIGN- Syntax Directed TranslationCOMPILER DESIGN- Syntax Directed Translation
COMPILER DESIGN- Syntax Directed Translation
 
COMPILER DESIGN- Syntax Analysis
COMPILER DESIGN- Syntax AnalysisCOMPILER DESIGN- Syntax Analysis
COMPILER DESIGN- Syntax Analysis
 
COMPILER DESIGN- Introduction & Lexical Analysis:
COMPILER DESIGN- Introduction & Lexical Analysis: COMPILER DESIGN- Introduction & Lexical Analysis:
COMPILER DESIGN- Introduction & Lexical Analysis:
 
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail SecurityCRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
CRYPTOGRAPHY & NETWORK SECURITY- Cryptographic Hash Functions
CRYPTOGRAPHY & NETWORK SECURITY- Cryptographic Hash FunctionsCRYPTOGRAPHY & NETWORK SECURITY- Cryptographic Hash Functions
CRYPTOGRAPHY & NETWORK SECURITY- Cryptographic Hash Functions
 
CRYPTOGRAPHY & NETWOK SECURITY- Symmetric key Ciphers
CRYPTOGRAPHY & NETWOK SECURITY- Symmetric key CiphersCRYPTOGRAPHY & NETWOK SECURITY- Symmetric key Ciphers
CRYPTOGRAPHY & NETWOK SECURITY- Symmetric key Ciphers
 
CRYPTOGRAPHY & NETWORK SECURITY
CRYPTOGRAPHY & NETWORK SECURITYCRYPTOGRAPHY & NETWORK SECURITY
CRYPTOGRAPHY & NETWORK SECURITY
 

Recently uploaded

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

Computer Forensics Working with Windows and DOS Systems

  • 1. Computer Forensics-Working with Windows and DOS Systems Dr R Jegadeesan Prof-CSE Jyothishmathi Institute of Technology and Science, Karimnagar
  • 2. 2 Working with Windows and DOS Systems Understanding file systems • File system – Gives OS a road map to data on a disk • Type of file system an OS uses determines how data is stored on the disk • A file system is usually directly related to an OS • When you need to access a suspect’s computer to acquire or inspect data – You should be familiar with the computer’s platform
  • 3. 3 Working with Windows and DOS Systems Understanding the Boot Sequence • Complementary Metal Oxide Semiconductor (CMOS) – Computer stores system configuration and date and time information in the CMOS • When power to the system is off • Basic Input/Output System (BIOS) – Contains programs that perform input and output at the hardware level
  • 4. 4 Working with Windows and DOS Systems Understanding the Boot Sequence • Bootstrap process – Contained in ROM, tells the computer how to proceed – Displays the key or keys you press to open the CMOS setup screen • CMOS should be modified to boot from a forensic floppy disk or CD
  • 5. 5 Working with Windows and DOS Systems Exploring Microsoft File Structures • In Microsoft file structures, sectors are grouped to form clusters – Storage allocation units of one or more sectors • Clusters are typically 512, 1024, 2048, 4096, or more bytes each • Combining sectors minimizes the overhead of writing or reading files to a disk
  • 6. 6 Working with Windows and DOS Systems Exploring Microsoft File Structures • Clusters are numbered sequentially starting at 2 – First sector of all disks contains a system area, the boot record, and a file structure database • OS assigns these cluster numbers, called logical addresses • Sector numbers are called physical addresses • Clusters and their addresses are specific to a logical disk drive, which is a disk partition
  • 7. 7 Working with Windows and DOS Systems Exploring Microsoft File Structures Master Boot Record • On Windows and DOS computer systems – Boot disk contains a file called the Master Boot Record (MBR) • MBR stores information about partitions on a disk and their locations, size, and other important items • Several software products can modify the MBR, such as PartitionMagic’s Boot Magic
  • 8. 8 Working with Windows and DOS Systems Examining NTFS Disks • New Technology File System (NTFS) – Introduced with Windows NT – Primary file system for Windows Vista • Improvements over FAT file systems – NTFS provides more information about a file – NTFS gives more control over files and folders • NTFS was Microsoft’s move toward a journaling file system
  • 9. 9 Working with Windows and DOS Systems Examining NTFS Disks • In NTFS, everything written to the disk is considered a file • On an NTFS disk – First data set is the Partition Boot Sector – Next is Master File Table (MFT) • NTFS results in much less file slack space • Clusters are smaller for smaller disk drives • NTFS also uses Unicode – An international data format
  • 10. 10 Working with Windows and DOS Systems Examining NTFS Disks NTFS File System • MFT contains information about all files on the disk – Including the system files the OS uses • In the MFT, the first 15 records are reserved for system files • Records in the MFT are called metadata
  • 11. 11 Working with Windows and DOS Systems Understanding Whole Disk Encryption • In recent years, there has been more concern about loss of – Personal identity information (PII) and trade secrets caused by computer theft • Of particular concern is the theft of laptop computers and other handheld devices • To help prevent loss of information, software vendors now provide whole disk encryption
  • 12. 12 Working with Windows and DOS Systems Understanding Whole Disk Encryption • Current whole disk encryption tools offer the following features: – Preboot authentication – Full or partial disk encryption with secure hibernation – Advanced encryption algorithms – Key management function – A Trusted Platform Module (TPM) microchip to generate encryption keys and authenticate logins
  • 13. 13 Working with Windows and DOS Systems Understanding Whole Disk Encryption • Whole disk encryption tools encrypt each sector of a drive separately • Many of these tools encrypt the drive’s boot sector – To prevent any efforts to bypass the secured drive’s partition • To examine an encrypted drive, decrypt it first – Run a vendor-specific program to decrypt the drive
  • 14. 14 Working with Windows and DOS Systems Windows Registry • Registry – A database that stores hardware and software configuration information, network connections, user preferences, and setup information • For investigative purposes, the Registry can contain valuable evidence • To view the Registry, you can use: – Regedit (Registry Editor) program for Windows 9x systems – Regedt32 for Windows 2000 and XP
  • 15. 15 Working with Windows and DOS Systems Windows Registry • Registry terminology: – Registry – Registry Editor – HKEY – Key – Subkey – Branch – Value – Default value – Hives
  • 16. 16 UNIT 5:Working with Windows and DOS Systems Windows Registry fig. Registry File locations and purposes
  • 17. 17 Working with Windows and DOS Systems Understanding Microsoft Startup Tasks • Learn what files are accessed when Windows starts • This information helps you determine when a suspect’s computer was last accessed – Important with computers that might have been used after an incident was reported
  • 18. 18 Working with Windows and DOS Systems Understanding Microsoft Startup Tasks • All NTFS computers perform the following steps when the computer is turned on: – Power-on self test (POST) – Initial startup – Boot loader – Hardware detection and configuration – Kernel loading – User logon
  • 19. 19 Working with Windows and DOS Systems Understanding Microsoft Startup Tasks • Startup Files for Windows XP: – NT Loader (NTLDR) – Boot.ini – BootSect.dos – NTDetect.com – NTBootdd.sys – Ntoskrnl.exe – Hal.dll – Pagefile.sys – Device drivers
  • 20. 20 Working with Windows and DOS Systems Understanding Microsoft Startup Tasks • Contamination Concerns with Windows XP – When you start a Windows XP NTFS workstation, several files are accessed immediately • The last access date and time stamp for the files change to the current date and time – Destroys any potential evidence • That shows when a Windows XP workstation was last used
  • 21. 21 Working with Windows and DOS Systems Understanding Virtual Machines • Virtual machine – Allows you to create a representation of another computer on an existing physical computer • A virtual machine is just a few files on your hard drive – Must allocate space to it • A virtual machine recognizes components of the physical machine it’s loaded on – Virtual OS is limited by the physical machine’s OS
  • 22. 22 Working with Windows and DOS Systems Understanding Virtual Machines • In computer forensics – Virtual machines make it possible to restore a suspect drive on your virtual machine • And run nonstandard software the suspect might have loaded • From a network forensics standpoint, you need to be aware of some potential issues, such as: – A virtual machine used to attack another system or network
  • 23. 23 Working with Windows and DOS Systems Understanding Virtual Machines • Two popular applications for creating virtual machines – VMware and Microsoft Virtual PC • Using Virtual PC – You must download and install Virtual PC first
  • 24. 24 Working with Windows and DOS Systems Thank you