This document provides an overview of operating system artifacts that can be examined for digital forensics purposes. It discusses finding deleted data by examining the recycle bin and using data recovery tools. It also covers examining the Windows registry, hibernation files, restore points and shadow copies, and understanding metadata. The document is compiled by Akash Mehta.
2. Outline
Finding deleted data
Hibernation files
Examining Windows registry
Recycle bin operation
Understanding of metadata
Restore points and shadow copies
3. Finding deleted data
Definition: Operating System Forensics is the
process of retrieving useful information from
the Operating System (OS) of the computer or
mobile device in question. The aim of collecting
this information is to acquire empirical evidence
against the perpetrator.
4. Finding deleted data
Recovering deleted files is an important job of a digital
forensic specialist, as an essential part of many
computer forensics investigations is retrieving deleted
files that could be used as evidence. Here, the data
forensics experts at Atlantic Data Forensics provide an
overview of the process of recovering deleted files, both
for files deleted accidentally and for more serious cases
where data is purposefully deleted to hide evidence.
5. Finding deleted data
Deleted Files can be Retrieved from the Recycle
Bin
With most information now stored digitally, it is
common for files to be deleted accidentally, or for
seemingly unimportant documents to be deleted only to
become needed later, when the document no longer
exists as an original file. Deleted files cause
inconvenience and stress for computer users, but luckily
many deleted files can be retrieved from the recycle
bin on the computer's desktop. The recycle bin is a
temporary holding area for deleted files until they are
more permanently erased, so searching through its
contents may recover accidentally lost files.
6. Finding deleted data
Deleted Files can be Retrieved from the Recycle
Bin
If files are no longer in the recycle bin, data recovery
tools can still be used to retrieve lost data from the
hard drive, because the content of a deleted file is not
always permanently removed from the disk: deleting a
file normally only marks its space as free, and the data
remains until it is overwritten. Deleted files can be
recovered by scanning the entire drive and analysing the
file system (and, where the file system no longer
references the data, by searching the raw disk for known
file signatures), methods used by experienced data
recovery specialists such as those at Atlantic Data
Forensics.
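As an added example (not code from the slides or from Atlantic Data Forensics), the following Python carver shows the second of the two recovery methods just described: scanning a raw image for known file headers and footers, which is what recovery tools fall back on when the file system no longer references the data. The disk image it scans is constructed inline; the signature table, the 10 MiB cap on a single hit and the output naming are the example's own choices, not anything the slides specify.

```python
# Added example (not from the slides): minimal signature-based file carving.
# The image is constructed inline; real use would read a raw (dd) image.
import os

# Header and footer byte signatures for a few common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Scan the whole image for every known header and return a list of
    (type, offset, data) hits sorted by offset.

    For each header the matching footer is searched within max_size bytes.
    If no footer is found the region is cut at max_size, which is how real
    carvers behave when the tail of a file has been overwritten.
    """
    hits = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), window_end)
            if end == -1:
                data = image[pos:window_end]          # truncated / fragmented
            else:
                data = image[pos:end + len(footer)]   # complete file
            hits.append((ftype, pos, data))
            pos = image.find(header, pos + len(header))
    return sorted(hits, key=lambda hit: hit[1])


def build_sample_image() -> bytes:
    """Constructed image: free space (zeros) around three small files and
    some slack bytes (0xCC), with no directory or file table at all, so only
    the signatures can find them."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR..." + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
    return (b"\x00" * 512 + jpg + b"\x00" * 300 + png
            + b"\xcc" * 128 + pdf + b"\x00" * 512)


def write_carved(hits: list, outdir: str) -> list:
    """Write each hit to <outdir>/<offset>.<type> and return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for ftype, offset, data in hits:
        path = os.path.join(outdir, f"{offset:08x}.{ftype}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset} ({len(data)} bytes)")
```

Carving recovers content, not names or timestamps; those come from file system metadata (or, for the recycle bin, from INFO2 and $I records), which is why carved output is named by offset here.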
7. Finding deleted data
Files are Often Damaged or Deleted to Remove
Evidence
Often, the work of a computer forensics expert includes the
retrieval of purposefully deleted files, documents, emails,
pictures and other digital content that was damaged as a
way of destroying evidence. Deleting computer files to
hide evidence of a crime is common, yet the data is rarely
deleted permanently. At the simplest level, deleted files
can easily be retrieved by a computer forensics specialist
if the file was merely deleted from the computer; as
mentioned above, deleted files are hardly ever removed
entirely from a computer's hard drive, especially on a
Windows system, as deleted
8. Finding deleted data
Files are Often Damaged or Deleted to Remove
Evidence
While the process of retrieving digital evidence may
seem complex to the average computer user, data
recovery specialists have specialised software and
forensic tools that allow them to retrieve damaged or
deleted files, or to recover information surrounding
encrypted data. It is important to consult a computer
forensics expert if you cannot retrieve lost files, or if
you are involved in a lawsuit in which digital data
retrieval may be a necessary part of an investigation.
9. Finding deleted data
Speak to a Computer Forensics Expert For Deleted,
Damaged or Encrypted File Retrieval
The process of recovering deleted files ranges in
complexity: it can be as easy as searching through
a recycle bin, or as complicated as using special
forensic tools to scan hard drives, analyse encrypted
files or recover purposefully damaged data. The
computer forensics and data recovery experts at
Atlantic Data Forensics have years of experience
retrieving lost files that could be used as evidence in
a legal investigation.
10. Hibernation files
Starting with Windows 2000, Microsoft introduced the
hibernation feature, which allows the operating system
to save its current state when the computer is turned
off or enters hibernation. On hibernation the contents
of physical memory are written to disk in a file called
hiberfil.sys (in the root of the system volume); when
the computer is restored, the system returns to the
saved state. Hibernation files are a good source of
information for digital forensic practitioners, because
they contain a copy of RAM without the examiner having
to run a live memory acquisition tool.
11. Hibernation files
Programs like Volatility and Rekall make it easy to
analyse a hibernation file in the same way as a memory
dump. The Windows XP hibernation file format was first
documented by Nicolas Ruff and Matthieu Suiche in a
presentation in 2007. However, with the release of
Windows 8 in 2012 the hibernation file format changed,
and the existing methods of analysis stopped working.
At the end of September 2016 Matthieu Suiche
announced Hibr2Bin, which supports Windows 8, 8.1
and 10. Hibr2Bin converts a Windows hibernation file
into a raw memory image, which can then be analysed
with a memory analysis tool.
12. Hibernation files
On Windows 8 and later the hibernation file is no longer
a reliable record of the state of the machine. On older
versions of Windows the file was left intact after
resume, so a hibernation file could contain data many
months or even years old.
Collecting the hibernation file from a machine that is
currently running is largely useless, because when the
machine is powered back on Windows wipes most of the
hibernation file. The shutdown /s command, which is
normally used to shut down remote systems over the
network, performs a full shutdown, so systems turned off
that way will contain no hibernation data. Similarly,
turning the system off by cutting the power or "pulling
the plug" leaves no hibernation data.
13. Hibernation files
The most common way to power a system down is through
the graphical interface. A system shut down that way, or
with shutdown /s /hybrid, will have only partial
hibernation data, because a hybrid shutdown (Fast
Startup) logs the users off and hibernates only the
kernel session. While such images may still contain
valuable forensic data, the lack of user-land memory
limits analysis: only the subset of kernel structures
that did not sit in freed pages remains. When powering
a system off, forcing a full hibernation with
shutdown /h preserves the greatest volume of
hibernation data.
14. Examining Windows registry
In early versions of Windows, specific system files in
various directories held information about default or
user-customised application, security and software
settings. Later, user settings and other relevant
information were systematically encapsulated in a
structured format known as the Windows Registry. The
Windows registry can be summarised in a few simple
facts:
It is robust
It helps individual software components communicate better
It stores data in a hierarchical structure to keep
15. Examining Windows registry
Serves as an archive for collecting and storing
configuration settings.
Supports multiple users (user-specific data)
System components are stored in top-level sections
called hives, each backed by its own file on disk
Every key carries a last-written timestamp
16. Examining Windows registry
About the Windows REGISTRY
The Registry is a hierarchical database that stores
low-level settings and other information for the Microsoft
Windows operating system and for applications that choose
to use it. It is in use from the moment the operating
system is installed: settings for the kernel, device
drivers, hardware and the user interface are all stored
in the Windows registry.
When programs and applications are installed on the
system, their configuration and default values are stored
in the registry, although some applications do not use
the Windows registry.
17. Examining Windows registry
Importance of the Registry in Windows Forensics
For a forensic analyst, the Registry is a treasure box
of information. It is the database that contains the
default, user-defined and system-defined settings of a
Windows computer. The registry also serves as a
record of activity performed by the user, since many
keys are updated as the user works (files recently
opened, devices connected, programs run). The data is
stored in a tree-like structure whose top-level
sections are called HIVES; their subfolders are called
KEYS and SUBKEYS, and each component's configuration
is stored in VALUES. Some important aspects of the
Windows Registry are:
18. Examining Windows registry
The Windows Registry can be considered a gold mine of
forensic evidence.
New keys and values can be created manually, or the
existing ones modified.
The hive files that hold the registry data are stored in
the system directory itself: SAM, SECURITY, SOFTWARE and
SYSTEM under %SystemRoot%\System32\config, and each
user's NTUSER.DAT in that user's profile.
Registry hive files are system protected: they require
administrator rights to read and are held open by the
kernel while Windows is running, so they cannot simply be
copied.
For investigation purposes, the forensic investigator
analyses registry files with tools such as Registry
Viewer, Regshot and Registry Browser.
20. Examining Windows registry
When acquiring registry files from a running system we
need to use an imaging tool, or a tool that reads the raw
volume, that can obtain system-protected files; only then
can we access and analyse them in a registry viewer. We
cannot copy these files directly from the file system
because they are held open by the system for as long as
it is running. The HKEY_CURRENT_USER hive of the logged-on
user is stored in a file called NTUSER.DAT in the user's
profile directory, %SystemDrive%\Users\<UserName>\NTUSER.DAT
(typically C:\Users\<UserName>\NTUSER.DAT).
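Once a hive file such as NTUSER.DAT has been acquired, the first check an examiner makes is on its 4 KiB base block, before loading it into any of the viewers named above. The following Python is an added example, not code from the slides or from any of those tools: it validates the "regf" signature and the header's XOR checksum, reports whether the primary and secondary sequence numbers match (when they differ the hive was not flushed cleanly and its .LOG1/.LOG2 transaction logs still need to be applied), decodes the last-written timestamp, and reads the path the hive records for itself. The header it parses is constructed inline, including the made-up user name and timestamp.

```python
# Added example (not from the slides): parse and sanity-check the base block
# (first 4096 bytes) of a Windows registry hive file. The sample header is
# constructed inline and is not a real NTUSER.DAT.
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 4096
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs that precede the checksum at 0x1FC."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        xor ^= dword
    if xor == 0:                 # Windows never stores 0 or 0xFFFFFFFF
        return 1
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor


def parse_base_block(block: bytes) -> dict:
    if len(block) < BASE_BLOCK:
        raise ValueError("need at least the first 4096 bytes of the hive")
    (sig, seq1, seq2, last_written, major, minor, file_type, fmt,
     root_cell, hbins_size, cluster) = struct.unpack_from("<4sIIQIIIIIII", block, 0)
    if sig != b"regf":
        raise ValueError(f"not a registry hive: signature {sig!r}")
    name = block[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "sequence": (seq1, seq2),
        "dirty": seq1 != seq2,                      # needs transaction-log replay
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "file_type": file_type,                     # 0 = primary file
        "root_cell_offset": root_cell,              # relative to hive bins at 0x1000
        "hbins_data_size": hbins_size,
        "hive_name": name,
        "checksum_ok": stored == regf_checksum(block),
    }


def build_sample_header(dirty: bool = False) -> bytes:
    """Constructed base block resembling a user hive (version 1.5)."""
    block = bytearray(BASE_BLOCK)
    ft = datetime_to_filetime(datetime(2021, 3, 4, 22, 15, 22, tzinfo=timezone.utc))
    struct.pack_into("<4sIIQIIIIIII", block, 0, b"regf", 7, 6 if dirty else 7, ft,
                     1, 5, 0, 1, 0x20, 0x4000, 1)
    block[0x30:0x30 + 58] = r"\??\C:\Users\alice\ntuser.dat".encode("utf-16-le")
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    for key, value in parse_base_block(build_sample_header()).items():
        print(f"{key:>18}: {value}")
```

A hive reported as dirty is not corrupt; it simply means the on-disk primary file lags the in-memory state, and a viewer that ignores the transaction logs will show slightly stale keys. A bad checksum, on the other hand, means the header itself was altered or the acquisition was incomplete.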
21. Recycle bin operation
When a file is deleted in the Microsoft Windows
operating system, it is not deleted permanently; it is
moved to the recycle bin, from which the user can
restore it. If the user holds the Shift key while
deleting a file, the file is deleted immediately
without being placed in the recycle bin. In the normal
case the file is moved to a hidden system folder, where
it is renamed and kept until further instructions are
given as to what is to happen to it.
22. Recycle bin operation
From the forensic point of view, the recycle bin is a gold
mine for gathering evidence and clues. By analysing the
recycle bin we can recover useful data.
To understand how the information files are structured
and how the naming convention works, there must first
be an understanding of how the recycle bin works. When
a user "deletes" a file in Windows, the file itself is not
actually deleted. The file is moved (renamed) into the
recycle bin's system folder, where it is held until the
user gives further instructions on what to do with it.
This location varies depending on the version of Windows
the user is running. The locations for past versions of
Windows as well as Windows Vista and later are:
Windows 95/98/ME: C:\RECYCLED
Windows NT/2000/XP: C:\RECYCLER\<user SID>\ (metadata in INFO2)
Windows Vista and later: C:\$Recycle.Bin\<user SID>\ (one $I
metadata file and one $R content file per deleted file)
23. Recycle bin operation
Here we will see how to analyse the INFO2 file on the Windows XP operating
system. First look at the Recycler folder on the C drive. The Recycler folder is a
hidden directory, so we have to change the folder options to view it.
24. Recycle bin operation
Open "Folder Options", then select "Show hidden files and folders" under the
"Hidden files and folders" section. Uncheck "Hide protected operating system files"
and you are done.
25. Recycle bin operation
Once the changes have been made, browse the C drive
and you can see the Recycler folder clearly.
26. Recycle bin operation
Inside the Recycler folder there will be another folder with a
name like "S-1-5-21-1078081533-1957994488-1343024091-
1003" or similar: the security identifier (SID) of the user
account. One such folder is created for every separate
user. In our case we have only one user on this system;
that is why there is only one.
27. Recycle bin operation
Now navigate to this directory via the command prompt and
type dir /a to view all files and folders, including hidden
ones. In the figure below we can see there is an INFO2 file.
28. Recycle bin operation
Copy that file to a different location. We cannot read it
with a text editor, so we will use a tool called Rifiuti.
Rifiuti is a recycle bin forensic analysis tool. Rifiuti, the
Italian word for "trash", was developed to examine the
contents of the INFO2 file in the recycle bin.
Next put the INFO2 file inside the Rifiuti folder and run
rifiuti.exe from the command prompt.
29. Recycle bin operation
Running rifiuti.exe without arguments prints its usage.
Now type rifiuti.exe INFO2 > result.txt
30. Recycle bin operation
After running the command, the program will create a result.txt
file in the Rifiuti folder.
Open the result.txt file.
31. Recycle bin operation
Now we can clearly see the details of every file: the record
index, the time the file was deleted, the drive number it was
deleted from, the original path and the file size.
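The fields Rifiuti prints come straight out of the INFO2 record layout, and the same information exists on Windows Vista and later in a per-file $I record instead of one index file (the location difference noted on slide 22). The following Python is an added example, not code from the slides and not Rifiuti's own, that parses both formats with the standard library: the 800-byte INFO2 records used by Windows 2000/XP, and the $I records in their Vista/7 (version 1, fixed 260-character path) and Windows 10 (version 2, length-prefixed path) variants. The sample records, user name, paths and timestamp are constructed inline.

```python
# Added example (not from the slides, not Rifiuti): parse XP INFO2 records
# and Vista+/Windows 10 $I records. Sample records are constructed inline;
# real use reads INFO2 from C:\RECYCLER\<SID>\ or $I* files from
# C:\$Recycle.Bin\<SID>\.
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

INFO2_HEADER = 20        # version, two unknown DWORDs, record size, total size
INFO2_RECORD_XP = 800    # 260 ANSI path + index + drive + FILETIME + size + 520 Unicode path
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_info2(data: bytes) -> list:
    """Records of a Windows 2000/XP INFO2 file (800-byte records)."""
    version, _, _, rec_size, _ = struct.unpack_from("<IIIII", data, 0)
    if rec_size != INFO2_RECORD_XP:
        raise ValueError(f"unsupported INFO2 record size {rec_size} (version {version})")
    entries = []
    for off in range(INFO2_HEADER, len(data) - rec_size + 1, rec_size):
        ansi = data[off:off + 260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, ft, size = struct.unpack_from("<IIQI", data, off + 260)
        uni = data[off + 280:off + 800].decode("utf-16-le").split("\x00", 1)[0]
        path = uni or ansi
        entries.append({
            "index": index,
            "drive": chr(ord("A") + drive),
            "deleted": filetime_to_datetime(ft),
            "size": size,
            "original_path": path,
            # name of the renamed file inside RECYCLER: D<drive letter><index><ext>
            "bin_name": f"D{chr(ord('a') + drive)}{index}{PureWindowsPath(path).suffix}",
            # XP nulls the first byte of the ANSI path when the entry leaves the bin
            "removed_from_bin": data[off] == 0,
        })
    return entries


def parse_dollar_i(data: bytes) -> dict:
    """One $I<random>.<ext> record from $Recycle.Bin (Vista and later)."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:      # Vista/7/8: fixed 260-char UTF-16 path at 0x18
        path = data[0x18:0x18 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:    # Windows 10 and later: char count at 0x18, path at 0x1C
        nchars = struct.unpack_from("<I", data, 0x18)[0]
        path = data[0x1C:0x1C + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}


def build_samples() -> tuple:
    """Constructed INFO2 (one XP record) and one Windows 10 $I record."""
    when = datetime(2021, 3, 4, 22, 15, 22, tzinfo=timezone.utc)
    xp_path = r"C:\Documents and Settings\alice\My Documents\plans.docx"
    rec = bytearray(INFO2_RECORD_XP)
    rec[0:len(xp_path)] = xp_path.encode("latin-1")
    struct.pack_into("<IIQI", rec, 260, 1, 2, datetime_to_filetime(when), 4096)
    rec[280:280 + 2 * len(xp_path)] = xp_path.encode("utf-16-le")
    info2 = struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD_XP,
                        INFO2_HEADER + INFO2_RECORD_XP) + bytes(rec)
    w10_path = r"C:\Users\alice\Documents\plans.docx" + "\x00"
    dollar_i = (struct.pack("<QQQI", 2, 4096, datetime_to_filetime(when), len(w10_path))
                + w10_path.encode("utf-16-le"))
    return info2, dollar_i


if __name__ == "__main__":
    info2, dollar_i = build_samples()
    for entry in parse_info2(info2):
        print("INFO2:", entry)
    print("$I   :", parse_dollar_i(dollar_i))
```

The drive number is an index (0 = A:, 2 = C:), which is why Rifiuti prints it as a number; the Unicode path is preferred over the ANSI one because the ANSI copy is what XP overwrites when an entry is restored or the bin is emptied, so a record with a nulled ANSI path but an intact Unicode path is still recoverable evidence.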
32. Understanding of metadata
Metadata is structured information that locates, explains,
and describes other data thus making it easier to retrieve,
manage, or use. In other words, metadata refers to
information about information or data about data.
The information about other data might include the author
of a particular data, the date the data was created, the
size of the file, and date modified. Such information
makes it easier to locate a particular document.
In addition to document files, metadata is also useful for
videos, images, spreadsheets, and web pages.
33. Understanding of metadata
How to Create Metadata
Metadata can be created by automated information
processing or manually. Automated metadata
creation is straightforward because it only displays
information such as file extension, file size, date of
creation, as well as who created the file or the author.
On the other hand, manual creation allows users to
input any relevant information describing a given file.
34. Understanding of metadata
Functions of Metadata
Allow people to:
Find resources by relevant criteria
Identify resources
Bring similar resources together
Distinguish different resources; and
Identify information location
35. Understanding of metadata
Examples of metadata include:
Administrative Metadata
Administrative metadata helps administering information
resources. Examples of administrative metadata include
location information, acquisition information, and
digitization selection criteria. The other forms of
administrative metadata include reproduction and rights
tracking and documentation of requirements for legal
access.
36. Understanding of metadata
Descriptive Metadata
Descriptive metadata helps to describe related
information resources. Some examples of descriptive
metadata include differentiation between versions and
cataloguing records. Other examples include specialised
indexes and annotations by users and creators.
37. Understanding of metadata
Technical Metadata
Technical metadata is information about how a system
functions or how the metadata itself behaves. Such metadata
includes software and hardware documentation and technical
digitisation information such as formats, scaling routines
and compression ratios. Technical metadata also covers
tracking of system response times and security and
authentication data such as encryption keys and
passwords.
38. Understanding of metadata
Preservation Metadata
Preservation metadata helps in the preservation and
management of information resources. It includes
documentation of the physical condition of a given
resource and of the actions needed to preserve digital
and physical versions of resources, such as data
migration and refreshing. Preservation metadata also
documents changes that occur during preservation or
digitisation.
39. Understanding of metadata
Use Metadata
Use metadata describes the type and level of use of
information resources. This type of data includes
circulation records, user and use tracking, and digital and
physical exhibition records. Use metadata also includes
content reuse, search logs, and multi-version information.
40. Restore points and shadow copies
Shadow Copy (also known as Volume Snapshot Service,
Volume Shadow Copy Service or VSS) is a technology
included in Microsoft Windows that allows manual or
automatic backup copies or snapshots of computer files or
volumes to be taken, even while they are in use.
It is implemented as a Windows service called the Volume
Shadow Copy service and requires the file system to be
NTFS in order to create and store shadow copies. Shadow
copies can be created on local and external volumes by
any Windows component that uses this technology.
41. Restore points and shadow copies
Why Shadow Copies are important to Forensics
Windows shadow copies can provide additional data that
would otherwise not be available.
They can allow a forensic investigator to recover deleted
files and previous versions of files, and to learn what
was taking place on a system before the investigation
began.
They are an excellent tool for discovering data that was
previously deleted by a system user.
42. Restore points and shadow copies
Limitations of Shadow Copies in forensic
investigations
Although shadow copies can give forensic investigators
files that were deleted between the time the shadow copy
was made and the time the investigation began, each
shadow copy provides only one previous version of a file:
its state at the moment the snapshot was taken.
If changes to files were made before the shadow copy was
created, those changes will not be known.
Because Shadow Copies clone on a block-level rather
43. Restore points and shadow copies
Additionally, the Shadow Copy service might be turned
off by the user, resulting in no shadow copies being
stored.
Other times, the disk space settings might be set too
low for multiple shadow copies to be saved, or even for
one shadow copy to be saved if it is larger than the
settings allow.
Furthermore, Windows automatically deletes the oldest
shadow copies when the disk space limit is reached, so
shadow copies should be treated as an aid in a forensic
investigation, not as a guaranteed source of useful
information.
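Because each snapshot is one point in time and the oldest are silently discarded, the first practical step is to list what still exists and pick the newest snapshot that predates the event under investigation. The following Python is an added example, not from the slides: it parses the text that vssadmin list shadows prints (run as administrator on the live system), selects the snapshots older than a cutoff, and builds the mklink command that exposes a snapshot as a folder so its files can be examined with ordinary tools. The sample output is constructed, with made-up GUIDs, host name and times, and the date parsing assumes the US-style timestamps vssadmin prints on an English system.

```python
# Added example (not from the slides): parse `vssadmin list shadows` output,
# choose snapshots that predate a cutoff, and build the mklink mount command.
# SAMPLE_VSSADMIN_OUTPUT is constructed (fake GUIDs, host name and times).
import re
from datetime import datetime

SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 3/4/2021 10:15:22 PM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WKSTN01
         Service Machine: WKSTN01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {21111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 3/9/2021 8:02:41 AM
      Shadow Copy ID: {baaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WKSTN01
         Service Machine: WKSTN01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

FIELD_RE = re.compile(r"^\s*(Shadow Copy ID|Original Volume|Shadow Copy Volume|"
                      r"Originating Machine|Provider|Type|Attributes): (.+?)\s*$")
CREATED_RE = re.compile(r"creation time: (.+?)\s*$")


def parse_vssadmin_shadows(text: str) -> list:
    """One dict per snapshot; keys are the vssadmin labels in snake_case."""
    shadows, current, created = [], None, None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:   # US-locale timestamp, assumed for English Windows
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        key = key.lower().replace(" ", "_")
        if key == "shadow_copy_id":
            current = {"id": value, "created": created}
            shadows.append(current)
        elif current is not None:
            current[key] = value
    return shadows


def snapshots_before(shadows: list, cutoff: datetime) -> list:
    """Snapshots taken strictly before cutoff, newest first: the last
    surviving views of the volume from before an event of interest."""
    older = [s for s in shadows if s["created"] < cutoff]
    return sorted(older, key=lambda s: s["created"], reverse=True)


def mount_command(shadow: dict, mount_point: str) -> str:
    """cmd.exe command (run as administrator) that exposes the snapshot as a
    directory; the trailing backslash on the device path is required."""
    return f'mklink /d "{mount_point}" "{shadow["shadow_copy_volume"]}\\"'


if __name__ == "__main__":
    shadows = parse_vssadmin_shadows(SAMPLE_VSSADMIN_OUTPUT)
    for i, s in enumerate(snapshots_before(shadows, datetime(2021, 3, 8)), 1):
        print(s["created"], s["shadow_copy_volume"])
        print("  ", mount_command(s, rf"C:\vss{i}"))
```

Mounting with mklink reads the snapshot in place and does not alter it, but the directory link itself is created on the live system; on an imaged disk the same snapshots are reached by pointing a VSS-aware tool at the image rather than by running vssadmin.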