Chapter 4:-
COMPUTER OPERATING SYSTEM
ARTIFACTS
SUBJECT CODE: 3170725
Compiled By:- Akash Mehta
Outline
 Finding deleted data
 Hibernating files
 Examining window registry
 Recycle bin operation
 Understanding of metadata
 Restore points and shadow copies
Finding deleted data
 Definition: Operating System Forensics is the
process of retrieving useful information from
the Operating System (OS) of the computer or
mobile device in question. The aim of collecting
this information is to acquire empirical evidence
against the perpetrator.
Recovering deleted files is an important job of a data
forensic specialist, as an essential part of many
computer forensics investigations is retrieving deleted
files that could be used as evidence. Here, the data
forensics experts at Atlantic Data Forensics provide an
overview of the process of recovering deleted files for
both files deleted accidentally, and more serious cases
where data is purposefully deleted to hide evidence.
Deleted Files can be Retrieved from the Recycle
Bin
As 93% of information is stored on a digital domain, it is
common for files to be deleted accidentally, or for
seemingly unimportant documents to be deleted only to
become needed later on when the document no longer
exists as an original file. Deleted computer files can cause
inconvenience and stress for computer users, but luckily, it
is possible to retrieve many deleted files from the recycle
bin on a computer’s desktop. By searching through the
contents of your recycle bin, a temporary storage place for
deleted files until they are more permanently erased from a
desktop, you may be able to retrieve accidentally lost files.
If files are no longer stored in the recycle bin, there
are data recovery tools that can be utilized to
possibly retrieve lost data from a hard drive, as the
content of a deleted computer file is not always
permanently removed from the computer. Deleted
files or documents can be retrieved by a process of
scanning an entire hard drive and analyzing the file
system in order to successfully recover any lost
data, methods utilized by experienced data recovery
specialists, such as those at Atlantic Data Forensics.
Files are Often Damaged or Deleted to Remove
Evidence
Often, the work of a computer forensics expert includes the
retrieval of purposefully deleted files, documents, emails,
pictures and other digital content that was damaged as a
method of destroying evidence. The act of deleting
computer files in order to hide evidence of a crime is
common, yet the data is rarely ever deleted permanently.
At the simplest level, deleted files can be easily retrieved
by a computer forensics specialist if the file was merely
deleted from the computer—as mentioned above, deleted
files are hardly ever removed entirely from a computer’s
hard drive, especially on a Windows system, as deleted
While the process of retrieving digital evidence may
seem complex to the average computer user, data
recovery specialists have unique software and
forensic tools that allow them to retrieve damaged or
deleted computer files or to decipher information
surrounding encrypted data. It is important to consult
a computer forensics expert in the case that you
cannot retrieve lost files, or if you are involved in a
lawsuit in which digital data retrieval may be a
necessary part of an investigation.
Speak to a Computer Forensics Expert For Deleted,
Damaged or Encrypted File Retrieval
The process of recovering deleted files can range in
complexity - it can be as easy as searching through
a recycle bin or as complicated as using special
forensic tools to scan hard drives, analyze encrypted
files or recover purposefully damaged data. The
computer forensics and safe data recovery experts
at Atlantic Data Forensics have years of experience
retrieving lost files that could be used as evidence in
a legal investigation.
Hibernating files
 Starting with Windows 2000, Microsoft introduced the hibernation feature, which allows the operating system to store its current state when you turn off the computer or the system goes into sleep mode. During hibernation, everything in memory is copied to disk in a file called hiberfil.sys; when the computer is restored, the system returns to the saved state.
 Hibernation files are a good source of information for digital forensic practitioners, as they store the contents of RAM in a file without the need to run special memory-capture tools.
 Programs like Rekall and Volatility make it easy to analyze the hibernation file in the same way as a memory dump. The Windows XP hibernation file format was first documented by Nicolas Ruff and Matthieu Suiche in a presentation in 2007. However, in 2012, with the release of Windows 8, the hibernation file format changed, and all existing methods of analysis lost their relevance.
 At the end of September 2016 Matthieu Suiche announced Hibr2Bin, which supports Windows 8, 8.1 and 10. Hibr2Bin is a tool that converts a Windows hibernation file into a raw memory image, which can then be analyzed using a memory analysis tool.
 The hibernation file is no longer a reliable source of information on the state of the machine. In older versions of Windows, hibernation files could contain data from several months or even years earlier.
 Collecting the hibernation file from a machine that is currently running is largely useless, as powering the machine on resets the main part of the hibernation file.
 The shutdown /s command, normally used to turn off remote systems over the network, performs a full shutdown, so systems powered down this way will contain no hibernation data. Similarly, turning off the system by cutting the power or “pulling the plug” will not leave any hibernation data.
 The most common way to power down a system appears to be through the graphical interface. A system shut down in that manner, or with shutdown /s /hybrid, will have only partial hibernation data. While such images may still contain valuable forensic data, the lack of user-land memory limits the analysis: only a subset of kernel structures remains, those that do not live in the freed pages.
 When turning off the system, forcing hibernation through the shutdown command preserves the greatest volume of hibernation data.
Examining windows registry
 In early versions of Windows, specific system files stored information in directories containing information about default or user-customized application, security or software settings. Later, user settings and other relevant information were systematically encapsulated in a structured format known as the Windows Registry. We can summarize the Windows Registry in a few simple facts:
 Registries are robust
 Helps individual software communicate better
 Stores data in a hierarchical structure to keep
 Serves as an archive for collecting and storing configuration settings.
 Supports multiple users (user-specific data)
 System components are stored in main folders called hives
 The information is time stamped
About Windows REGISTRY
The Registry is a hierarchical (multi-level) database that stores low-level settings and other information for the Microsoft Windows operating system and for applications that choose to use the registry. The registry is in use from the moment the operating system is installed: kernel and device driver settings, hardware settings and user interface settings are all stored in the Windows registry.
When programs and applications are installed on the system, their configurations and default values are stored in the registry, although some applications do not use the Windows registry.
Importance of Registry in Windows Forensics
For a forensic analyst, the Registry is a treasure box of information. It is the database that contains the default settings and the user- and system-defined settings of a Windows computer. The registry serves as a repository that monitors, observes and records the activities performed by the user on the computer. The data is stored in main folders in a tree-like structure called hives; their subfolders are called keys and subkeys, and the component configuration stored in them is called values. Some important aspects of the Windows Registry are:
 The Windows Registry can be considered a gold mine of forensic evidence.
 We can create new registry entries manually or modify the ones that already exist.
 The original files that contain the registry values are stored in the system directory itself.
 Registry files are system protected and cannot be accessed by any user unless administrative access is provided.
 For investigation purposes, the forensic investigator analyzes registry files with tools such as Registry Viewer, Regshot, Registry Browser, etc.
 Main Registry Hives
 HKEY_CLASSES_ROOT
 HKEY_CURRENT_USER
 HKEY_LOCAL_MACHINE\SAM
 HKEY_LOCAL_MACHINE\SOFTWARE
 HKEY_LOCAL_MACHINE\SECURITY
 HKEY_LOCAL_MACHINE\SYSTEM
 HKEY_USERS
 HKEY_CURRENT_CONFIG
 While acquiring registry files from the system, we need to use an imaging tool that can obtain system-protected files, because only then can we access and analyze them with the help of a registry viewer. We cannot copy these files directly from the running system, because they are in use by the system, which accesses them through the registry editor. The HKEY_CURRENT_USER data is stored in a file called NTUSER.DAT, located at “%SystemRoot%\Users\<UserName>”.
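The sequence numbers and timestamp in a hive's header are where the "in use" and "time stamped" points above become visible to an examiner. The following Python is an added example for this chapter, not from the slides or from any registry tool; it assumes the publicly documented regf base-block layout (offsets labelled as assumptions in the code) and parses a constructed hive header, flagging a copy that was taken mid-transaction.

```python
"""Inspect the base block (first 4096 bytes) of a Windows registry hive file
such as NTUSER.DAT, SAM or SYSTEM. Illustrative code added for this chapter, not
from the slides; the regf field offsets are assumptions taken from the publicly
documented hive format."""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def regf_checksum(block):
    """XOR of the 127 DWORDs before the checksum field at offset 0x1FC
    (assumption: Windows maps the results 0xFFFFFFFF and 0 to 0xFFFFFFFE and 1)."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if acc == 0 else acc


def parse_base_block(block):
    """Return the header fields an examiner checks before trusting a hive copy."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a regf hive (bad signature or truncated file)")
    (primary_seq, secondary_seq, last_written, major, minor,
     file_type, file_format, root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", block, 4)
    hive_name = block[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # The primary sequence number is bumped before a write and the secondary
        # after it. If they differ, the copy was taken mid-transaction (typical for
        # a hive grabbed from a live system) and the hive's transaction logs
        # (.LOG/.LOG1/.LOG2) are needed to reach a consistent state.
        "dirty": primary_seq != secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "file_type": file_type,          # 0 = primary hive file
        "file_format": file_format,      # 1 = direct memory load
        "root_cell_offset": 0x1000 + root_cell,   # cell offsets are relative to the first hbin
        "hbins_size": hbins_size,
        "hive_name": hive_name,
        "checksum_ok": stored_checksum == regf_checksum(block),
    }


def build_base_block(primary_seq, secondary_seq, last_written, hive_name):
    """Construct a synthetic base block (test data only; not a real hive)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    # major, minor, type, format, root cell, hbins size, clustering factor
    struct.pack_into("<IIQIIIIIII", block, 4, primary_seq, secondary_seq,
                     datetime_to_filetime(last_written), 1, 5, 0, 1, 0x20, 0x1000, 1)
    name = hive_name.encode("utf-16-le")[:64]
    block[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    return bytes(block)


# Constructed samples: the same hive copied cleanly and copied mid-transaction.
SAMPLE_TIME = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_NAME = r"C:\Users\<UserName>\NTUSER.DAT"
CLEAN_HIVE = build_base_block(7, 7, SAMPLE_TIME, SAMPLE_NAME)
DIRTY_HIVE = build_base_block(8, 7, SAMPLE_TIME, SAMPLE_NAME)


def describe(block):
    """One-line triage summary of a hive copy."""
    info = parse_base_block(block)
    state = "DIRTY (needs transaction logs)" if info["dirty"] else "clean"
    integrity = "checksum ok" if info["checksum_ok"] else "CHECKSUM MISMATCH"
    return (f"{info['hive_name']}: regf {info['version']}, last written "
            f"{info['last_written']:%Y-%m-%d %H:%M:%S} UTC, {state}, {integrity}")


if __name__ == "__main__":
    print(describe(CLEAN_HIVE))
    print(describe(DIRTY_HIVE))
```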
Recycle bin operation
 When a file is deleted in the Microsoft Windows operating system, it is not deleted permanently; it is stored in the recycle bin. If a user wants to restore the deleted file from the recycle bin, that can be done. If the user holds the shift key while deleting a file, the file is deleted permanently without being stored in the recycle bin. In the normal case, the file is moved to a hidden system folder, where it is renamed and stored until further instructions are given as to what is to happen to the file.
 From the forensic point of view, the recycle bin is a gold mine for gathering evidence, clues, etc. By analyzing the recycle bin, we can recover useful data.
 To understand how the information files are structured and how the naming convention works, there must first be an understanding of how the recycle bin works. When a user “deletes” a file in Windows, the file itself is not actually deleted. The file at this point is copied into the recycle bin’s system folder, where it is held until the user gives further instructions on what to do with the file. This location varies depending on the version of Windows the user is running. The table below shows locations from both past versions of Windows as well as Windows Vista.
Here we will see how to analyze the INFO2 file for the Windows XP operating system. First check out the Recycler folder on the C drive. The Recycler folder is a hidden directory, so we have to make some changes in the folder options to view that directory.
Open “Folder Options,” then select “Show hidden files and folders” under the
“Hidden files and folders” section. Uncheck “Hide protected operating system files”
and you are done.
 Once the changes have been made, browse the C drive and you can see the Recycler folder clearly.
 Inside the Recycler folder there will be another folder with a name like “S-1-5-21-1078081533-1957994488-1343024091-1003” or similar. One is generated for every separate user. In our case, we have only one user on this system; that is why we see only one.
 Now navigate to this directory via the command prompt and type dir /a to view all files and folders. In the figure below we can see that there is an INFO2 file.
 Just extract that file to a different location. We can’t open that file normally, so we will use a tool called Rifiuti.
 Rifiuti is a recycle bin forensic analysis tool. Rifiuti, the Italian word for “trash,” was developed to examine the contents of the INFO2 file in the recycle bin.
 Next put the INFO2 file inside the Rifiuti folder and run rifiuti.exe via the command prompt.
We can see the Rifiuti usage message after running rifiuti.exe. Now type rifiuti.exe INFO2 >result.txt
After running the command, the program creates a result.txt file in the rifiuti folder. Open the result.txt file.
Now we can clearly see the details of every file: the time the file was deleted, the drive it was deleted from, the drive number, and the file size.
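What Rifiuti does with INFO2 can be reproduced in a few lines. The following Python is an added example for this chapter, not from the slides or from Rifiuti; it assumes the Windows 2000/XP INFO2 layout (20-byte header, 800-byte records) and the D<drive><index> naming of recycled files, both labelled as assumptions in the code, and parses a constructed INFO2 file into the same fields the result.txt shows.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index, the file Rifiuti reads.
Illustrative code added for this chapter, not from the slides or from Rifiuti;
the layout is assumed from the INFO2 format as documented for Rifiuti:
a 20-byte header followed by fixed 800-byte records."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20     # version, two unknown DWORDs, record size, one unknown DWORD
RECORD_SIZE = 800    # 0x320 on Windows 2000/XP; also stored in the header
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_info2(data):
    """Return one dict per record with the fields Rifiuti reports (index,
    deletion time, drive number, size, original path) plus the name the file
    was given inside the Recycler folder."""
    if len(data) < HEADER_SIZE:
        raise ValueError("INFO2 too short for a header")
    version, _, _, record_size, _ = struct.unpack_from("<5I", data, 0)
    if record_size != RECORD_SIZE:
        raise ValueError(f"unexpected record size {record_size} (version {version})")
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        # 0-259: original path (ANSI); 260: index; 264: drive number (0 = A:);
        # 268: deletion FILETIME; 276: physical size; 280-799: path (UTF-16LE).
        index, drive, deleted, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        basename = path.rsplit("\\", 1)[-1]
        ext = basename[basename.rfind("."):] if "." in basename else ""
        records.append({
            "index": index,
            "deleted": filetime_to_datetime(deleted),
            "drive_number": drive,
            "drive_letter": chr(ord("A") + drive),
            "size": size,
            "original_path": path,
            # Assumption: Windows stores the file as D<drive letter><index><ext>
            # inside the user's folder in Recycler, e.g. Dc1.doc.
            "bin_name": f"D{chr(ord('a') + drive)}{index}{ext}",
            # Assumption (per Rifiuti's documentation): the first ANSI byte is
            # zeroed when the entry is restored or the bin is emptied, while the
            # Unicode path remains readable.
            "emptied": rec[0] == 0,
        })
    return records


def build_record(path, index, drive, deleted, size, emptied=False):
    """Construct one synthetic 800-byte record (test data, not from a real system)."""
    ansi = path.encode("latin-1").ljust(260, b"\x00")
    if emptied:
        ansi = b"\x00" + ansi[1:]
    fixed = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted), size)
    unicode_path = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + fixed + unicode_path


# Constructed sample INFO2 with two deleted files from two drives.
SAMPLE_INFO2 = struct.pack("<5I", 5, 0, 0, RECORD_SIZE, 0) + b"".join([
    build_record(r"C:\Documents and Settings\User\My Documents\plan.doc", 1, 2,
                 datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc), 24576),
    build_record(r"D:\photos\img001.jpg", 2, 3,
                 datetime(2024, 3, 16, 8, 5, 30, tzinfo=timezone.utc), 1048576, emptied=True),
])


def format_report(records):
    """Render records in columns similar to the result.txt produced above."""
    lines = ["INDEX  DELETED TIME         DRV  SIZE        BIN NAME     ORIGINAL PATH"]
    for r in records:
        flag = " (emptied/restored)" if r["emptied"] else ""
        lines.append(f"{r['index']:<6} {r['deleted']:%Y-%m-%d %H:%M:%S}  {r['drive_letter']}:   "
                     f"{r['size']:<11} {r['bin_name']:<12} {r['original_path']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_info2(SAMPLE_INFO2)))
```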
Understanding of metadata
 Metadata is structured information that locates, explains,
and describes other data thus making it easier to retrieve,
manage, or use. In other words, metadata refers to
information about information or data about data.
 The information about other data might include the author
of a particular data, the date the data was created, the
size of the file, and date modified. Such information
makes it easier to locate a particular document.
 In addition to document files, metadata is also useful for
videos, images, spreadsheets, and web pages.
 How to Create Metadata
Metadata can be created by automated information
processing or manually. Automated metadata
creation is straightforward because it only displays
information such as file extension, file size, date of
creation, as well as who created the file or the author.
On the other hand, manual creation allows users to
input any relevant information describing a given file.
 Functions of Metadata
Allow people to:
 Find resources by relevant criteria
 Identify resources
 Bring similar resources together
 Distinguish different resources; and
 Identify information location
 Examples of metadata include:
 Administrative Metadata
Administrative metadata helps administering information
resources. Examples of administrative metadata include
location information, acquisition information, and
digitization selection criteria. The other forms of
administrative metadata include reproduction and rights
tracking and documentation of requirements for legal
access.
 Descriptive Metadata
Descriptive metadata helps to describe related information resources. Some examples of descriptive metadata include differentiation between versions and cataloging records. Other examples include specialized indexes and annotations by users and creators.
 Technical Metadata
Technical metadata is information that shows how metadata behaves or how the system functions. Such metadata includes software and hardware documentation and technical digitization information such as formats, scaling routines, and compression ratios. Technical metadata also involves tracking of system response times and security and authentication data such as encryption keys and passwords.
 Preservation Metadata
Preservation metadata helps in the preservation and management of information resources. These types of metadata include documentation of the physical condition of a given information resource and documentation of the actions needed to preserve digital and physical versions of resources, such as data migration and refreshing. Preservation metadata also involves documentation of changes that occur during preservation or digitization.
 Use Metadata
Use metadata describes the type and level of use of
information resources. This type of data includes
circulation records, user and use tracking, and digital and
physical exhibition records. Use metadata also includes
content reuse, search logs, and multi-version information.
Restore points and shadow copies
 Shadow Copy (also known as Volume Snapshot
Service, Volume Shadow Copy Service or VSS) is a
technology included in Microsoft Windows that allows
taking manual or automatic backup copies or
snapshots of computer files or volumes, even when
they are in use.
 It is implemented as a Windows service called
the Volume Shadow Copy service and requires the file
system to be NTFS in order to create and store
shadow copies: Shadow Copies can be created on
local and external volumes by any Windows
component that uses this technology.
 Why Shadow Copies are important to Forensics
Windows Shadow Volumes can provide additional
data that otherwise would not be available.
They can allow a forensic investigator to recover
deleted files, and to learn what was taking place on a
system before he/she began the investigation.
They are an excellent tool for discovering data that
was previously deleted by a system user.
 Limitations of Shadow Copies in forensic
investigations
Although Shadow Copies can provide forensic
investigators with files that have been deleted between
the time the Shadow Copy was made and the time the
investigation began, they only provide one previous
version of files.
If previous changes to files were made before the
Shadow Copy was created, those changes will not be
known.
Because Shadow Copies clone on a block-level rather
 Additionally, the Shadow Copy service might be turned
off by the user, resulting in no Shadow Copies being
stored.
Other times, the disk space settings might be set too
low for multiple Shadow Copies to be saved, or even
for one Shadow Copy to be saved if it is larger than
what the settings allow.
 Furthermore, Windows automatically overwrites
Shadow Copies when the disk space limit is reached,
so Shadow Copies should be an aid in a forensic
investigation, but they are not guaranteed as a means
to discover useful information.
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 

3170725_Unit-4.pptx

  • 1. Chapter 4:- COMPUTER OPERATING SYSTEM ARTIFACTS SUBJECT CODE: 3170725 Compiled By:- Akash Mehta
  • 2. Outline: Finding deleted data; Hibernating files; Examining the Windows registry; Recycle bin operation; Understanding metadata; Restore points and shadow copies
  • 3. Finding deleted data. Definition: operating system forensics is the process of retrieving useful information from the operating system (OS) of the computer or mobile device under examination. The aim of collecting this information is to obtain empirical evidence about what the perpetrator did.
  • 4. Finding deleted data. Recovering deleted files is an important part of a forensic specialist's job, since retrieving deleted files that can serve as evidence is essential to many computer forensics investigations. This section (adapted from an overview published by the data forensics experts at Atlantic Data Forensics) covers both files deleted accidentally and the more serious case where data is deliberately deleted to hide evidence.
  • 5. Finding deleted data. Deleted files can be retrieved from the Recycle Bin. Because most information is now stored digitally, files are often deleted by accident, or a seemingly unimportant document is deleted and later needed when no original copy exists. Deleted files cause inconvenience and stress, but many of them can be retrieved from the Recycle Bin on the desktop: it is a temporary holding area for deleted files until they are more permanently erased, so browsing its contents may turn up accidentally lost files.
  • 6. Finding deleted data. Deleted files can be retrieved from the Recycle Bin (continued). If a file is no longer in the Recycle Bin, data recovery tools may still retrieve it from the hard drive, because the content of a deleted file is not always permanently removed from the disk. Deleted files can be recovered by scanning the entire drive and analysing the file system, which is the method used by experienced data recovery specialists such as those at Atlantic Data Forensics.
  • 7. Finding deleted data. Files are often damaged or deleted to remove evidence. The work of a computer forensics expert often includes retrieving deliberately deleted files, documents, e-mails, pictures and other digital content that was damaged in order to destroy evidence. Deleting files to hide evidence of a crime is common, yet the data is rarely gone for good. At the simplest level, a file that was merely deleted can easily be recovered by a forensics specialist; as mentioned above, deleted files are hardly ever removed entirely from a hard drive, especially on a Windows system, as deleted
  • 8. Finding deleted data. Files are often damaged or deleted to remove evidence (continued). While retrieving digital evidence may seem complex to the average computer user, data recovery specialists have software and forensic tools that let them retrieve damaged or deleted files, or work out what surrounds encrypted data. It is important to consult a computer forensics expert if you cannot retrieve lost files, or if you are involved in a lawsuit in which digital data retrieval may be a necessary part of the investigation.
  • 9. Finding deleted data. Speak to a computer forensics expert for deleted, damaged or encrypted file retrieval. Recovering deleted files ranges in complexity from searching a Recycle Bin to using special forensic tools to scan hard drives, analyse encrypted files or recover deliberately damaged data. The computer forensics and data recovery experts at Atlantic Data Forensics have years of experience retrieving lost files that could be used as evidence in a legal investigation.
  • 10. Hibernating files. Starting with Windows 2000, Microsoft introduced hibernation, which lets the operating system store its current state when the computer is hibernated (or, with hybrid sleep, put to sleep). On hibernation the contents of physical memory are written to disk in a file called hiberfil.sys in the root of the system volume, and when the computer is powered on again the system resumes from the saved state. Hibernation files are a good source of information for digital forensic practitioners because they hold a copy of RAM on disk without any special tool having been run on the live system.
  • 11. Hibernating files. Tools such as Volatility and Rekall make it possible to analyse a hibernation file much like a memory dump. The Windows XP hibernation file format was first documented by Nicolas Ruff and Matthieu Suiche in a 2007 presentation. However, with the release of Windows 8 in 2012 the hibernation file format changed, and the existing analysis methods lost relevance. At the end of September 2016 Matthieu Suiche released Hibr2Bin, which supports Windows 8, 8.1 and 10 and converts a Windows hibernation file into a raw memory image that can then be analysed with an ordinary memory analysis tool.
  • 12. Hibernating files. On current Windows versions the hibernation file is no longer a reliable record of the machine's state. On older versions, hibernation files could contain data from months or even years earlier. Collecting the hibernation file from a machine that is currently running is largely useless, because powering the machine back on resets the bulk of the hibernation file. The shutdown /s command, normally used to shut down remote systems over the network, shuts the system down completely, so the file will contain no hibernation data. Similarly, turning the system off by removing power ("pulling the plug") leaves no hibernation data.
  • 13. Hibernating files. The most common way to power down a system is through the graphical interface. Shutting down that way, or with shutdown /s /hybrid, leaves only partial hibernation data (the kernel-only image written by fast startup). Such images may still contain valuable forensic data, but the absence of user-land memory limits analysis to a subset of kernel structures, and even those may no longer live in the freed pages. When powering down a system, forcing hibernation with shutdown /h preserves the greatest amount of hibernation data.
  • 14. Examining the Windows registry. In early versions of Windows, configuration was kept in specific system files (the .ini files) that stored default or user-customised application, security and software settings. Later, user settings and other relevant information were systematically gathered into a structured store known as the Windows Registry. A few simple facts about the registry:
    - Registries are robust
    - Helps individual programs communicate better
    - Stores data in a hierarchical structure to keep
  • 15. Examining the Windows registry (continued)
    - Serves as an archive for collecting and storing configuration settings
    - Supports multiple users (user-specific data)
    - System components are stored in main files called hives
    - The information is time-stamped (each key records when it was last written)
  • 16. Examining the Windows registry. About the Windows Registry: the Registry is a hierarchical database that stores low-level settings and other information for the Microsoft Windows operating system and for applications that choose to use it. The registry is in use from the moment the operating system is installed: kernel, device driver, hardware and user-interface settings are all stored there. When programs and applications are installed, their configuration and default values are stored in the registry as well, although some applications do not use it.
  • 17. Examining the Windows registry. Importance of the Registry in Windows forensics: for a forensic analyst the registry is a treasure chest of information. It is the database that holds the default, user-defined and system-defined settings of a Windows computer, and it acts as a repository that records many of the activities the user performs on the machine. Data is stored in a tree-like structure: the top-level files are called hives, the folders within them are keys and subkeys, and each component's configuration is stored in values. Some important aspects of the Windows Registry:
  • 18. Examining the Windows registry (continued)
    - The Windows Registry can be considered a gold mine of forensic evidence.
    - New keys and values can be created manually, and existing ones modified.
    - The original files that hold the registry data live in the system directory itself (%SystemRoot%\System32\config for the machine hives).
    - The hive files are protected and locked by the operating system while it is running; copying them requires administrative (SYSTEM-level) access or an offline image.
    - For the investigation, the forensic examiner analyses registry files with tools such as Registry Viewer, Regshot and Registry Browser.
  • 19. Examining the Windows registry. Main registry hives:
    - HKEY_CLASSES_ROOT
    - HKEY_CURRENT_USER
    - HKEY_LOCAL_MACHINE\SAM
    - HKEY_LOCAL_MACHINE\SOFTWARE
    - HKEY_LOCAL_MACHINE\SECURITY
    - HKEY_LOCAL_MACHINE\SYSTEM
    - HKEY_USERS
    - HKEY_CURRENT_CONFIG
  • 20. Examining the Windows registry. When acquiring registry files from a system we need an imaging tool that can obtain system-protected files, because only then can we access and analyse them in a registry viewer. We cannot simply copy these files from a running system because the operating system keeps them locked while it uses them. The HKEY_CURRENT_USER data is stored in a file called NTUSER.DAT in each user's profile folder, "%SystemDrive%\Users\<UserName>\NTUSER.DAT" (C:\Users\<UserName> on a default installation; C:\Documents and Settings\<UserName> on Windows XP).
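Before loading an acquired hive into a registry viewer it pays to check that the copy is usable. The following is an added example for this page (not code from the slides or from Registry Viewer, Regshot or Registry Browser): it parses the 4 KiB "regf" base block that begins every hive file (SAM, SECURITY, SOFTWARE, SYSTEM, NTUSER.DAT), recomputes the base-block checksum, and flags a hive whose primary and secondary sequence numbers differ, which means it was copied while a write was in flight and its .LOG1/.LOG2 transaction logs are needed to recover the last consistent state. The two hives it examines are constructed in memory (the file-name field of a real hive holds a truncated path rather than the bare names used here); point `parse_base_block()` at the first 4096 bytes of a real hive to use it on evidence.

```python
"""Sanity-check an acquired Windows registry hive (regf base block).

Added example for this page; not code from the slides or the tools they mention.
The two hive headers below are constructed in memory.
"""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 0x1000
CHECKSUM_OFFSET = 0x1FC
FILENAME_OFFSET, FILENAME_LEN = 0x30, 64
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Base block offsets 0x04..0x2B: primary seq, secondary seq, last-written FILETIME,
# major version, minor version, file type, file format, root cell offset, hive bins size
FIELDS = "<IIQIIIIII"


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs before the checksum field.
    Windows maps the two reserved results: 0xFFFFFFFF -> 0xFFFFFFFE and 0 -> 1."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc or 1


def parse_base_block(block: bytes) -> dict:
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a regf hive: bad size or signature")
    (primary, secondary, last_written, major, minor,
     file_type, _file_format, root_cell, bins_size) = struct.unpack_from(FIELDS, block, 4)
    raw_name = block[FILENAME_OFFSET:FILENAME_OFFSET + FILENAME_LEN]
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "file_name": raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0],
        "version": f"{major}.{minor}",
        "is_primary_file": file_type == 0,               # non-zero would be a transaction log
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": BASE_BLOCK_SIZE + root_cell,  # cell offsets are relative to the first hive bin
        "hive_bins_size": bins_size,
        "checksum_ok": stored == regf_checksum(block),
        "dirty": primary != secondary,                    # copied mid-transaction: replay the logs
    }


def build_base_block(name: str, primary: int, secondary: int, last_written: datetime) -> bytes:
    """Constructed sample hive header (format 1.5, as written by Windows XP and later)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    struct.pack_into(FIELDS, block, 4, primary, secondary,
                     datetime_to_filetime(last_written), 1, 5, 0, 1, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")[:FILENAME_LEN].ljust(FILENAME_LEN, b"\x00")
    block[FILENAME_OFFSET:FILENAME_OFFSET + FILENAME_LEN] = encoded
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(block))
    return bytes(block)


def sample_hives() -> tuple:
    """A consistent hive and one copied mid-transaction (sequence numbers differ)."""
    ts = datetime(2023, 3, 15, 10, 30, tzinfo=timezone.utc)
    clean = parse_base_block(build_base_block("SYSTEM", 7, 7, ts))
    dirty = parse_base_block(build_base_block("NTUSER.DAT", 12, 11, ts))
    return clean, dirty


if __name__ == "__main__":
    for hive in sample_hives():
        state = "DIRTY: replay .LOG1/.LOG2 first" if hive["dirty"] else "consistent"
        print(f"{hive['file_name']:<12} v{hive['version']} "
              f"last written {hive['last_written']:%Y-%m-%d %H:%M:%S}Z "
              f"checksum {'ok' if hive['checksum_ok'] else 'BAD'} {state}")
```

A bad checksum on a hive taken from a live system usually means the copy straddled a write; a dirty hive with a good checksum is still readable, but values written just before acquisition live only in the transaction logs until they are replayed.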
  • 21. Recycle bin operation. When a file is deleted in Microsoft Windows it is not deleted permanently; it is moved to the Recycle Bin, and if the user wants to restore it from there, that can be done. If the user holds the Shift key while deleting, the file is removed immediately without passing through the Recycle Bin. In the normal case the file is moved to a hidden system folder, where it is renamed and kept until further instructions are given about what should happen to it.
  • 22. Recycle bin operation. From the forensic point of view the Recycle Bin is a gold mine for gathering evidence and clues; analysing it can recover useful data. To understand how the information files are structured and how the naming convention works, one first has to understand how the Recycle Bin works. When a user "deletes" a file in Windows, the file itself is not actually deleted: it is moved into the Recycle Bin's system folder, where it is held until the user decides what to do with it. The location depends on the Windows version: C:\RECYCLED on Windows 95/98/ME (FAT volumes); C:\RECYCLER\<user SID>\ with an INFO2 index file on Windows 2000/XP/2003; and C:\$Recycle.Bin\<user SID>\ with paired $I (metadata) and $R (content) files from Windows Vista onwards.
  • 23. Recycle bin operation. Here we will see how to analyse the INFO2 file on Windows XP. First look at the Recycler folder on the C: drive. The Recycler folder is a hidden system directory, so the folder options must be changed before it can be seen.
  • 24. Recycle bin operation. Open "Folder Options", select "Show hidden files and folders" under the "Hidden files and folders" section, and uncheck "Hide protected operating system files".
  • 25. Recycle bin operation. Once the changes have been made, browse the C: drive and the Recycler folder is visible.
  • 26. Recycle bin operation. Inside the Recycler folder there is another folder with a name like "S-1-5-21-1078081533-1957994488-1343024091-1003": the security identifier (SID) of the user whose bin it is. One such folder is created for every user who has deleted something. In our case there is only one user on the system, so there is only one folder.
  • 27. Recycle bin operation. Now navigate to this directory in the command prompt and type dir /a to list all files, including hidden ones. In the figure below we can see an INFO2 file.
  • 28. Recycle bin operation. Copy that file to a separate working location. It cannot be opened normally, so we use a tool called Rifiuti. Rifiuti (Italian for "trash") is a Recycle Bin forensic analysis tool, originally released by Foundstone, that examines the contents of the INFO2 file. Next, put the INFO2 file in the Rifiuti folder and run rifiuti.exe from the command prompt.
  • 29. Recycle bin operation. Running rifiuti.exe without arguments prints its usage. Now type rifiuti.exe INFO2 > result.txt
  • 30. Recycle bin operation. After running the command, the program creates a result.txt file in the Rifiuti folder. Open result.txt.
  • 31. Recycle bin operation. Now we can clearly see the details of every file: its record index, the time it was deleted, the number of the drive it was deleted from, its original path and its size.
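To show what Rifiuti is actually reading in the procedure above, here is a parser for the INFO2 format, added to this page as an example (it is neither the slides' material nor Rifiuti's own code). Each 800-byte record holds the original path twice (ANSI at offset 0, UTF-16LE at offset 280), the record index used to rename the file inside the Recycler folder, the drive number, the deletion time as a FILETIME and the size on disk. It also handles one edge case that matters forensically: when a file is restored or the bin is emptied, Windows only zeroes the first byte of the ANSI path, so the rest of the record (including the Unicode path and deletion time) survives. The INFO2 image it parses is constructed in memory with two such records; feed `parse_info2()` the bytes of a real C:\RECYCLER\<SID>\INFO2 to use it on evidence.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 file (the format Rifiuti reads).

Added example for this page; not the slides' material and not Rifiuti's code.
The INFO2 image built by sample_info2() is constructed in memory.
"""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20             # version, two unused DWORDs, record size, total size of files
RECORD_SIZE_V5 = 800         # Windows 2000/XP/2003 (INFO2 version 5); Windows 9x used 280
ANSI_PATH_LEN = 260          # record offset 0: original path, ANSI, NUL padded
UNICODE_PATH_OFFSET = 280    # record offset 280: original path, UTF-16LE, 520 bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data: bytes) -> list:
    version, _, _, record_size, _total = struct.unpack_from("<IIIII", data, 0)
    if record_size not in (280, RECORD_SIZE_V5):
        raise ValueError(f"unexpected INFO2 record size {record_size} (version {version})")
    records = []
    for off in range(HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        # Offsets 260..279: record index, drive number (0 = A:), deletion FILETIME, size on disk
        index, drive, deleted_ft, size = struct.unpack_from("<IIQI", rec, ANSI_PATH_LEN)
        if record_size == RECORD_SIZE_V5:
            path = rec[UNICODE_PATH_OFFSET:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        else:
            path = rec[:ANSI_PATH_LEN].split(b"\x00", 1)[0].decode("cp1252", errors="replace")
        letter = chr(ord("A") + drive)
        records.append({
            "index": index,
            "drive": letter,
            # Windows renames the file in the bin to D<drive letter><index><original extension>
            "recycler_name": f"D{letter.lower()}{index}{ntpath.splitext(path)[1]}",
            "original_path": path,
            "deleted": filetime_to_datetime(deleted_ft),
            "size": size,
            # Restoring the file or emptying the bin zeroes only the first ANSI byte;
            # everything else in the record is left in place and is still recoverable.
            "still_in_bin": rec[0] != 0,
        })
    return records


def build_record_v5(path, index, drive, deleted, size, still_in_bin=True) -> bytes:
    """Constructed version-5 record."""
    rec = bytearray(RECORD_SIZE_V5)
    ansi = path.encode("cp1252")[:ANSI_PATH_LEN - 1]
    rec[:len(ansi)] = ansi
    if not still_in_bin:
        rec[0] = 0
    struct.pack_into("<IIQI", rec, ANSI_PATH_LEN, index, drive, datetime_to_filetime(deleted), size)
    uni = path.encode("utf-16-le")[:518]
    rec[UNICODE_PATH_OFFSET:UNICODE_PATH_OFFSET + len(uni)] = uni
    return bytes(rec)


def sample_info2() -> bytes:
    """Constructed INFO2: one live entry and one that was emptied from the bin."""
    records = [
        build_record_v5(r"C:\Documents and Settings\akash\Desktop\plan.docx", 1, 2,
                        datetime(2023, 3, 15, 10, 30, tzinfo=timezone.utc), 4096),
        build_record_v5(r"D:\backup\secret.zip", 2, 3,
                        datetime(2023, 3, 16, 8, 0, tzinfo=timezone.utc), 1_048_576,
                        still_in_bin=False),
    ]
    header = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE_V5, 4096 + 1_048_576)
    return header + b"".join(records)


if __name__ == "__main__":
    print(f"{'INDEX':>5} {'DELETED (UTC)':<19} DRV {'SIZE':>9} IN_BIN PATH")
    for r in parse_info2(sample_info2()):
        print(f"{r['index']:>5} {r['deleted']:%Y-%m-%d %H:%M:%S}  {r['drive']}  {r['size']:>9} "
              f"{str(r['still_in_bin']):<6} {r['original_path']}  ({r['recycler_name']})")
```

The `recycler_name` field is what to look for in the same Recycler folder: if the `D<letter><index>.<ext>` file is still there the content is intact, and if it is gone the record's path and timestamp still tell you what was deleted and when.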
  • 32. Understanding metadata. Metadata is structured information that locates, explains and describes other data, making it easier to retrieve, manage or use. In other words, metadata is information about information, or data about data. The information about other data may include the author of a document, the date it was created, the file size and the date it was modified; such information makes it easier to locate a particular document. Besides document files, metadata is also useful for videos, images, spreadsheets and web pages.
  • 33. Understanding metadata. How metadata is created: metadata can be created by automated information processing or manually. Automated creation is straightforward, since the system records attributes such as file extension, file size, creation date and the author or creator of the file. Manual creation lets users enter any relevant information describing a given file.
  • 34. Understanding metadata. Functions of metadata: it allows people to
    - find resources by relevant criteria
    - identify resources
    - bring similar resources together
    - distinguish different resources
    - identify where information is located
  • 35. Understanding metadata. Examples of metadata include the following types. Administrative metadata helps in administering information resources; examples are location information, acquisition information and digitisation selection criteria, as well as reproduction and rights tracking and documentation of the requirements for legal access.
  • 36. Understanding metadata. Descriptive metadata helps to describe and identify information resources. Examples include the differentiation between versions and cataloguing records, as well as specialised indexes and annotations by users and creators.
  • 37. Understanding metadata. Technical metadata describes how a system behaves or functions. It includes software and hardware documentation and technical digitisation information such as formats, scaling routines and compression ratios, as well as the tracking of system response times and security and authentication data such as encryption keys and passwords.
  • 38. Understanding metadata. Preservation metadata supports the preservation and management of information resources. It includes documentation of the physical condition of a resource and of the actions needed to preserve its digital and physical versions, such as data migration and refreshing, as well as documentation of the changes that occur during preservation or digitisation.
  • 39. Understanding metadata. Use metadata describes the type and level of use of information resources. It includes circulation records, user and usage tracking, and records of digital and physical exhibition, as well as content reuse, search logs and multi-version information.
  • 40. Restore points and shadow copies. Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology included in Microsoft Windows that allows manual or automatic backup copies or snapshots of files or volumes to be taken, even while they are in use. It is implemented as a Windows service called the Volume Shadow Copy service and requires NTFS in order to create and store shadow copies. Shadow copies can be created on local and external volumes by any Windows component that uses this technology; System Restore points are one such consumer.
  • 41. Restore points and shadow copies. Why shadow copies matter to forensics: Windows shadow volumes can provide data that would otherwise not be available. They can allow a forensic investigator to recover deleted files and to learn what was taking place on a system before the investigation began, and they are an excellent tool for discovering data that a user previously deleted.
  • 42. Restore points and shadow copies. Limitations of shadow copies in forensic investigations: although shadow copies can give an investigator files that were deleted between the time the shadow copy was made and the time the investigation began, each shadow copy only provides the version of a file as it existed at that moment. Changes made to a file before the shadow copy was created cannot be learned from it. Because shadow copies clone at the block level rather
  • 43. Restore points and shadow copies. Additionally, the Shadow Copy service may have been turned off by the user, so that no shadow copies are stored. In other cases the disk space limit may be set too low for several shadow copies to be kept, or even for one if it is larger than the limit allows. Furthermore, Windows automatically overwrites the oldest shadow copies once the disk space limit is reached, so shadow copies should be treated as an aid in a forensic investigation, not as a guaranteed source of useful information.
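The practical first step with shadow copies is to find out which snapshots still exist, when each was taken, and which device path exposes it. The following is an added example for this page (not code from the slides or from Microsoft): it parses the text that `vssadmin list shadows` prints on a live Windows host into one record per shadow copy and builds the `mklink /d` command that exposes a snapshot as a directory, including the trailing backslash the device path needs. The sample output is constructed to follow the layout vssadmin uses (the GUIDs and host name are made up) so the parser runs offline; on evidence you would paste in real output or pipe it from `vssadmin list shadows /for=C:` run as Administrator.

```python
"""Enumerate shadow copies from `vssadmin list shadows` output and build mount commands.

Added example for this page; not code from the slides or from Microsoft.
SAMPLE_OUTPUT is constructed to match vssadmin's layout; GUIDs and host are invented.
"""

SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {0a7b1c2d-3e4f-4a5b-8c6d-7e8f9a0b1c2d}
   Contained 1 shadow copies at creation time: 3/15/2023 10:30:00 AM
      Shadow Copy ID: {11111111-2222-3333-4444-555555555555}
         Original Volume: (C:)\\?\Volume{9d8c7b6a-5f4e-4d3c-2b1a-0f9e8d7c6b5a}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {5e6f7a8b-9c0d-4e1f-a2b3-c4d5e6f7a8b9}
   Contained 1 shadow copies at creation time: 3/20/2023 2:05:41 PM
      Shadow Copy ID: {66666666-7777-8888-9999-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{9d8c7b6a-5f4e-4d3c-2b1a-0f9e8d7c6b5a}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Per-shadow fields worth keeping; the key is lower-cased with spaces replaced by underscores.
DETAIL_KEYS = ("Original Volume", "Shadow Copy Volume", "Originating Machine",
               "Provider", "Type", "Attributes")
DEVICE_PREFIX = r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"


def parse_list_shadows(text: str) -> list:
    """Return one dict per shadow copy, in the order vssadmin lists them."""
    shadows, set_id, created, current = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue                      # banner, copyright and blank lines
        key, _, value = line.partition(":")   # split on the first colon only:
        key, value = key.strip(), value.strip()  # values contain "(C:)" and "\\?\"
        if key == "Contents of shadow copy set ID":
            set_id, created, current = value, None, None
        elif key.endswith("at creation time"):
            created = value               # left as vssadmin prints it (locale dependent)
        elif key == "Shadow Copy ID":
            current = {"id": value, "set_id": set_id, "created": created}
            shadows.append(current)
        elif current is not None and key in DETAIL_KEYS:
            current[key.lower().replace(" ", "_")] = value
    return shadows


def snapshot_numbers(shadows: list) -> list:
    """The N in HarddiskVolumeShadowCopyN; gaps show snapshots that were already overwritten."""
    return [int(s["shadow_copy_volume"][len(DEVICE_PREFIX):]) for s in shadows]


def mount_command(shadow: dict, mount_point: str) -> str:
    """mklink needs the device path to end in a backslash or the link resolves to nothing."""
    return f"mklink /d {mount_point} {shadow['shadow_copy_volume']}\\"


if __name__ == "__main__":
    found = parse_list_shadows(SAMPLE_OUTPUT)
    for n, shadow in zip(snapshot_numbers(found), found):
        print(f"snapshot {n} of {shadow['original_volume'][:4]} taken {shadow['created']}")
        print("   ", mount_command(shadow, rf"C:\vss{n}"))
```

Browsing a mounted snapshot read-only gives you the volume as it stood at `created`, which is exactly the one earlier version per snapshot that the limitations above describe; a gap in the snapshot numbers (1 and 3 here, with no 2) is the visible trace of a shadow copy that the disk-space limit has already reclaimed.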