Ultimately, in a forensic examination, we are investigating the action of a Person Almost every event or action on a system is the result of a user either doing something Many events change the state of the Operating System (OS) OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world

1. Operating system Forensics
Importance of operating system forensics
• Ultimately, in a forensic examination, we are investigating the action of a Person
• Almost every event or action on a system is the result of a user either doing something
• Many events change the state of the Operating System (OS)
• OS Forensics helps understand how system changes correlate to events resulting from the
action of somebody in the real world
Goal: Extract and interpret data of investigative value from computers running Windows operating
systems
There are many versions of windows out there:
Some of the older versions are outdated and are no longer used: Windows 9x, NT, ME, 2000, XP
Windows boot sequence
Windows startup: Why relevant for forensics?
1. Interrupt the boot process to view and document the CMOS configuration
2. Explain which files were altered in the startup process
E.g., if an evidentiary system was accidentally booted, demonstrate that no user-created files were
modified
3. Determine which version of the OS was running and when was installed
4. Examine the startup process for signs of tampering
E.g., important when investigating malware
Startup in Windows NT and later
All NTFS computers perform the following steps when the computer is turned on:

2. Contamination concerns with Windows:
• When you start a Windows XP NTFS workstation, several files are accessed immediately
The last access date and time stamp for the files change to the current date and time.
• May destroy any potential evidence.
E.g., that shows when a Windows workstation was last used.
• Determining which files are changed upon startup and shutdown can be done using some
forensic tools.
Relevant Windows data structures:
NTFS
Windows Registry
Windows Event Log
Windows Registry:
The Registry is the heart and soul of Windows OSes and a wealth of information can be recovered:
• System configuration
• Devices on the system
• User names
• Personal settings and browser preferences
• Web browsing activity
• Files opened
• Programs executed
• Passwords
Registry access activity
• Virtually everything done in Windows refers to or is recorded into the Registry
The RegMon program can be used to display registry activity in real time

3. • Registry access barely remains idle: the registry is referenced in one way or another with
every action taken by the user
Windows Event Log
Whenever an event, such as a user logging on or off, occurs, the operating system logs the event.
An event can be any occurrence that the OS or a program wants to keep track of or alert the user
about.
Windows has a centralized log service to allow apps and OS to report events that have taken place:
• Application (example: Database message)
• System (example: driver failure)
• Security (example: Logon attempt, file access)
Example of detailed event tracking:
Detailed Event tracking can include the following events:
#528 – Successful Login (The user authenticate to the system)
#592 – A new process has been created (application is launched)
#560 – Object Open (a file is requested)
#567 – Object Access (the file is modified and saved)
#564 – Object Deleted
#562 – Handle Closed (the file has been closed)
#593 – A Process Has Exited (the application was terminated)
Windows artifacts of user activities:
Volatile information
• Open network connections
• Running processes
Non-volatile information
• Hidden files
• Slack space
• Swap files
• Index.dat files
• Windows Search index
• Unallocated clusters
• Unused partitions
• Hidden partitions
• Registry settings
• Windows event logs

4. Operating System Forensics Tool:
PassMark OSForensics:
PassMark OSForensics allows you to identify suspicious files and activity with hash matching,
drive signature comparisons, e-mails, memory and binary data.
It lets you extract forensic evidence from computers quickly with advanced file searching and
indexing and enables this data to be managed effectively.
Features
Discover Forensic Evidence Faster
• Find files faster, search by filename, size and time
• Search within file contents using the Zoom search engine
• Search through email archives from Outlook, ThunderBird, Mozilla and more
• Recover and search deleted files
• Uncover recent activity of website visits, downloads and logins
• Collect detailed system information
• Password recovery from web browsers, decryption of office documents
• Discover and reveal hidden areas in your hard disk
• Browse Volume Shadow copies to see past versions of files
Platforms:
Windows XP SP3, Vista, Win 7, Win 8, Win 10, Server 2000, 2003, 2008, 2012. Available for both
32-bit and 64-bit platforms.
Requirements:
Minimum 1GB of RAM. (4GB+ recommended)
200MB of free disk space, or can be run from USB drive
DEMO:
Scenario:
Artifact: Physical Pendrive (Transcend 8 GB Pendrive)
Software used: PassMark OSForensics
Goal:
1) To extract the image and do live forensics
2) Identify the deleted files and pictures used for committing cyber crime.

5. Fig1.0, PassMark OSForensics Dashboard

6. Fig 1.1, Create a New Case

7. Fig 1.2, Provide Case details and Target location for forensics image.

8. Fig 1.3, Target location created Successfully.
Fig 1.4, Select the option ‘Deleted File Search’ in the Dashboard.

9. Fig 1.5, Select the target partition i.e. Transcend Pendrive and click on Search as show in the figure.
Fig 1.6, Current files and folders
available inside the Artifact (Physical
Pendrive).
Fig 1.7,
Identified the
deleted files
and folders in
the Pendrive.

10. Fig 1.8, Analysing a deleted image file.
Fig 1.9, Analysing a deleted text document file.