This document provides an overview of analyzing the Windows NTFS file system for digital forensics investigations. It discusses the Master File Table (MFT) structure, how it tracks file metadata including timestamps, and how to recover deleted files. Tools for examining the MFT such as Velociraptor and WinHex are presented. Other Windows artifacts covered include Prefetch files, event logs, scheduled tasks, and volume shadow copies. The document provides technical details on these elements to help explain how Windows tracks files and how this data can be used for investigations.
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
5. NTFS and FAT
• FAT was the old file system used by MS-DOS, Windows 95, Windows 98
• NTFS was the replacement
6. Master File Table (MFT)
• Defines how disk space is allocated and utilized
• How files are created and deleted
• How metadata is stored and updated
7. MFT Contents
• Primary source of metadata in NTFS
• Contains or references everything about a file
• Timestamps
• Size
• Attributes (such as permissions)
• Parent directory
• Contents
8. The Evidence
• Each NTFS volume has its own MFT
• Stored in the volume root as a file named $MFT
• You need raw disk access to acquire $MFT
• It's not accessible through Windows Explorer or standard API calls
10. MFT Structure
• On a standard hard drive with 512-byte sectors
• A series of 1024-byte records or "entries"
• One for each file and directory on a volume
• First 16 entries are reserved for essential NTFS artifacts
• $MFT itself, $LogFile, and more
12. MFT Entry Contents
• Record type (file or directory)
• Record # (integer)
• Parent record #
• Active/Inactive flag
• Deleted files are inactive
• Attributes (metadata)
15. Deleted Files
• Deleting a file causes its MFT record to be marked "inactive"
• Nothing else is changed, until this record is re-used
• The file's contents and its metadata can be recovered
• But NTFS will always re-use an existing MFT entry before creating a new one
• So inactive entries only last for seconds or minutes on the operating system volume
16. Timestamps
• MACE timestamps
• Modified, Accessed, Created, Entry Modified
• An MFT entry will always have at least two sets of attributes containing MACE timestamps
• STANDARD_INFORMATION (also known as $SIA or $SI)
• FileName (also known as FNA, FILE_NAME, or $FN)
17.
• These are Standard Information ($SI) timestamps
• Created
• Accessed
• Modified
• Entry Modified
• Entry Modified timestamp not visible in Windows Explorer
• Forensic tools like SleuthKit, EnCase, and FTK show it
19. Accessed Timestamp
• Versions of Windows after Windows XP no longer update the Accessed timestamp by default
• It can be enabled with a registry change, but even when it's enabled, NTFS may delay updates by up to an hour
• Link Ch 12a
20. $FN Timestamps
• Refer to the MFT entry for the filename itself
• NTFS actually maintains multiple sets of filename attributes
• Full, case-sensitive long filename
• MS-DOS 8.3 short file name
21. Time-Stomping
• Only the $SI timestamps are available to user applications through the Windows API
• Programs can only alter those timestamps
• A process called "time-stomping"
• SetMACE can alter all the timestamps (link Ch 12b)
• Malware droppers and installers often automate this process, inserting timestamps from system files to hide in the timeline
22. $SI and $FN Timestamps
• $SI timestamps are easily altered
• $FN timestamps require a complex and indirect process to modify
• Inconsistencies may remain between the $SI and $FN timestamps
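Added example (not from the slides or the book): a Python parser for one 1024-byte MFT entry that undoes the update-sequence fixups, reads the in-use flag and the $SI and $FN MACE timestamps covered on slides 10 through 22, and reports the $SI/$FN disagreements that time-stomping leaves behind. The build_record helper, the file names and the dates are constructed test data, and the zero-sub-second heuristic goes beyond what the slides state.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD = 512, 1024                  # slide 10: 512-byte sectors, 1024-byte MFT entries
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MACE = ("created", "modified", "entry_modified", "accessed")   # on-disk order in $SI and $FN
def utc(*args): return datetime(*args, tzinfo=timezone.utc)
def filetime_to_dt(ft): return EPOCH_1601 + timedelta(microseconds=ft // 10)   # 100-ns ticks since 1601
def dt_to_filetime(dt): return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def apply_fixups(rec):                      # on disk the last 2 bytes of each sector hold the USN
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):           # entry i of the array holds sector i-1's real bytes
        end = i * SECTOR
        if rec[end - 2:end] != usn: raise ValueError("torn write in sector %d" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(rec):
    if rec[:4] != b"FILE": raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    entry = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
             "is_dir": bool(flags & 2), "name": None, "si": None, "fn": None}   # slide 12/15 flags
    off = attr_off
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:        # end-of-attributes marker
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if not nonres:                                      # resident: content sits inside the entry
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:                               # $STANDARD_INFORMATION: 4 timestamps first
                entry["si"] = dict(zip(MACE, map(filetime_to_dt, struct.unpack_from("<4Q", body))))
            elif atype == 0x30:                             # $FILE_NAME: timestamps follow the parent ref
                entry["fn"] = dict(zip(MACE, map(filetime_to_dt, struct.unpack_from("<4Q", body, 8))))
                entry["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return entry

def timestomp_indicators(entry):            # slide 22: $SI is easy to alter, $FN is not
    si, fn, hits = entry["si"], entry["fn"], []
    if si["created"] < fn["created"]:
        hits.append("$SI created predates $FN created")
    if all(si[k].microsecond == 0 for k in MACE):           # API-set times often lack sub-second bits
        hits.append("$SI timestamps have no sub-second precision")
    return hits

def build_record(record_no, name, si_times, fn_times, in_use=True):   # constructed test data
    def resident(atype, body, attr_id):     # 0x18-byte attribute header + body, padded to 8 bytes
        total = (0x18 + len(body) + 7) & ~7
        return struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, attr_id,
                           len(body), 0x18, 0, 0) + body.ljust(total - 0x18, b"\0")
    si = struct.pack("<4Q", *map(dt_to_filetime, si_times)) + b"\0" * 16
    fn = struct.pack("<Q4QQQIIBB", 5, *map(dt_to_filetime, fn_times), 0, 0, 0, 0, len(name), 1)
    attrs = resident(0x10, si, 0) + resident(0x30, fn + name.encode("utf-16-le"), 1) + b"\xff" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, int(in_use),
                      0x38 + len(attrs), RECORD, 0, 2, 0, record_no)
    rec = bytearray((hdr + b"\x01\x00" + b"\0" * 6 + attrs).ljust(RECORD, b"\0"))  # USN=1, 2 slots, pad
    for i in range(2):                      # stash each sector's last 2 bytes, then write the USN there
        end = (i + 1) * SECTOR
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)
```

A record carved from a real $MFT can be fed to parse_mft_record directly; the indicators are a reason to look closer, not proof of tampering, since some legitimate copy and move operations also leave $SI and $FN apart.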
26. Data Runs
• $DATA attribute lists all clusters with the file's contents
• May not be contiguous (fragmented file)
• Lists "data runs" that must be assembled together to get the complete file
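Added example (not from the slides): decoding a $DATA run list and reassembling a fragmented file from a constructed miniature volume. VOLUME, RUNS and the cluster size are made-up test data; the decoder also handles sparse runs and the negative offsets that real run lists contain.

```python
def decode_data_runs(runs):
    """Decode an NTFS data-run list into [(lcn, clusters)]; lcn is None for a sparse run."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:           # a zero header byte ends the list
        hdr = runs[pos]
        len_size, off_size = hdr & 0x0F, hdr >> 4       # low nibble: length bytes, high: offset bytes
        pos += 1
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                               # no offset field: sparse run, nothing on disk
            out.append((None, length))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)  # relative to prior run
        pos += off_size
        out.append((lcn, length))
    return out

def assemble_file(volume, runs, cluster_size, real_size):
    """Gather the clusters named by the runs, in order, then trim to the file's real size."""
    data = bytearray()
    for lcn, clusters in decode_data_runs(runs):
        if lcn is None:
            data += b"\0" * (clusters * cluster_size)   # sparse region reads back as zeros
        else:
            data += volume[lcn * cluster_size:(lcn + clusters) * cluster_size]
    return bytes(data[:real_size])                      # $DATA real size drops the cluster slack

# Constructed volume: 16 clusters of 8 bytes; the file's pieces sit at LCN 10-11 and LCN 2
VOLUME = bytearray(16 * 8)
VOLUME[80:96] = b"NTFS keeps piece"
VOLUME[16:24] = b"s apart!"
# Run list: 2 clusters at LCN 0x0A, then 1 cluster at offset 0xF8 (-8) = LCN 0x02, then terminator
RUNS = bytes.fromhex("11020a1101f800")

if __name__ == "__main__":
    print(decode_data_runs(RUNS))
    print(assemble_file(bytes(VOLUME), RUNS, 8, 23))
```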
27. Resident Data
• MFT entry contains 1024 bytes
• That's enough room to store complete data for small files (up to 700 or 800 bytes) in the MFT
• These are called "Resident files"
• Set the Resident flag in the MFT entry
28. MFT Slack Space
• MFT may contain leftovers from previously resident data
• This happens if a file was small enough to be resident and then expanded to be too large to remain resident
29. Alternate Data Streams
• Additional named $DATA attributes in a file's MFT entry
• Each can point to a unique set of cluster runs
• All the data streams share the same Standard Information and Filename attributes
• So they all share the same timestamps
31. Known Alternate Stream Names
• Browsers append a stream to downloaded files
• Named Zone.Identifier
• Windows Explorer uses this data to determine the origin of a file and enforce security controls on it
• Link Ch 12c
37. Change Logs
• $LogFile tracks all transactions that change the structure of a volume
• File or directory creation/copy/delete
• Changes to file metadata or INDX records
• $UsnJrnl (Update Sequence Number) journal
• Tracks less data but has a longer history
38. Volume Shadow Copies
• Automatically generated backups of Windows files
• Manage with the vssadmin and mklink command-line tools (link Ch 12k)
40. Shadow Copy
• A mirror of the volume's entire file system at the time of the snapshot
• Available within the linked directory
• Other tools:
42. File System Redirector
• Windows 32-bit on Windows 64-bit (WoW64)
• Redirects some folders elsewhere when 32-bit programs run on 64-bit Windows, like
• %SYSTEMROOT%\system32 redirects to C:\Windows\SysWOW64
• 32-bit tools may not see the whole file system
44. C:\Windows\Prefetch
Contains
• NTOSBOOT-B00DFAAD.pf (system boot prefetch) -- only file existing on Windows Server by default
• Layout.ini (for disk defragmenter)
• Appname-########.pf (up to 128 application-specific prefetch files)
45. Value
• A record of programs executed on a system
• Even if the executable has been deleted
• Shows when application was first run, when it most recently ran, and how many times it was run
• Also shows each component loaded
50. Types of Logs
• Core event logs in all Windows versions
• Application
• Errors and info from apps; antivirus and host-based IPS logs
• System
• Events from core Windows services; changes in time, driver loads, network configuration issues
• Security
• Login and logoff attempts, changes to audit policy
51. Acquiring Logs
• Log file locations are specified in this Registry key: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
• For Vista and later, the logs are in these XML files:
52. Applications and Services Logs
• EVTX files in %SYSTEMROOT%\System32\Winevt\Logs
• Logs for Task scheduler, Windows Firewall, AppLocker, Terminal Services, User Access Control
53. Event ID
• Each event is labelled with its Source and Event ID number
• Good resource: eventid.net
• Vista and later often have EventIDs that are 4096 larger than the EventID from Windows XP
58. Lateral Movement
• Attackers use stolen credentials to move from system to system
• Often use a common administrator account
• Or a domain or domain administrator account
63. Process Auditing
• Not on by default
• Turn it on in local audit policy or Group Policy
• Puts an event in the Security log every time a process is executed or terminated
• Generates a lot of log events
64. Service Events
• System logs record every time a service starts or stops
• A common persistence mechanism for malware
66. Suspicious Things
• Abnormal usernames using PsExec
• Known-bad service names
• Errors from malicious binaries that were deleted, but still referenced by a service
67. Log Analysis Tips
• Check Application log for AV alert during period of interest
• Increase log file sizes to retain a longer history
• If log files in the old binary format are corrupt, use FixEVT (link Ch 12m)
74. .job Files
• Configuration data for scheduled tasks
• One file per task
• In %SYSTEMROOT%\Tasks
• Files persist until shutdown or reboot of system
75. Task Scheduler Logs
• %SYSTEMROOT%\Tasks\SchedLgU.txt
• Records start time and completion of tasks
• Also Event Logs, including
• Microsoft-Windows-TaskScheduler%4Operational.evtx
• Security log
76. Analyzing .job Files
• A binary file
• Strings will show user information and file path