Download to read offline
Uploaded byHossein Yavari
Windows Forensics
The document discusses Windows forensics, emphasizing the importance of understanding the operating system and file systems for investigative purposes. It covers aspects like disk drives, file systems, and the Windows registry, detailing their roles in data recovery and forensic analysis. Key topics include file system characteristics, registry structure, and references for further reading on the subject.
More Related Content
![20220621235219D5782_2 Key Technical Concepts[DONE].pptx](https://cdn.slidesharecdn.com/ss_thumbnails/20220621235219d57822keytechnicalconceptsdone-250330144819-9a1d7bdd-thumbnail.jpg?width=640&height=640&fit=bounds)
![First Responders Course- Session 1 - Digital and Other Evidence [2004]](https://cdn.slidesharecdn.com/ss_thumbnails/publiccopy-1-digitalandotherevidence-130419070259-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
Windows Forensics
- 1.
- 2. W H AT I S O S ?
- 3. O S Fo r e n s i c s
- 4. W H YW I N D O W S ?
- 5. M S WI N D O W S File System Registry Event Logs File Extensions Recycle Bin
- 6. Y o us h o u l d b e f a m i l i a r w i t h b o t h t h e O S a n d f i l e s y s t e m t o a c c e s s a n d m o d i f y s y s t e m s e t t i n g s w h e n n e c e s s a r y i n t h e i n v e s t i g a t i o n .
- 7. B O OT P R O C E S S https://docs.microsoft.com/en-us/windows/client-management/images/boot- sequence.png
- 9. D I SK D R I V E S https://www.enterprisestorageforum.com/hardware/ssd-vs-hdd/ Solid-state drives: Wear-leveling automatically overwrites the unallocated space! Hard-disk drives: When data is deleted, only the references to it are removed! Complex Recovery
- 10. F I LE SY S T E M A file system gives an OS a road map to data on a disk. The type of file system an OS uses determines how data is stored on the disk.
- 11. F I LE SY S T E M https://www.geeksforgeeks.org/understanding-file-system/ ✓ Partition is a logical division of the physical drive. ✓ The smallest unit of space is Sector. ✓ FS groups sectors into Clusters. ✓ New files allocated to empty clusters.
- 12. W I ND O W S F I L E S Y S T E M ➢ FAT 12,16,32: different size of clusters ➢ Encryption is not possible! ➢ Up to 4GB file size ➢ Faster than FAT ➢ Encryption ➢ Compression ➢ Up to 16TB file size
- 13. F I LE S Y S T E M F O R E N S I C ➢Contents ➢Metadata ➢Permissions ➢Last used ➢Create/Modify/Delete times ➢Shortcuts
- 14. W I NH E X
- 15. W E LC O M E T O E P I S O D E 2
- 16. W I ND O W S R E G I S T R Y
- 17. W H AT I S R E G I S T R Y ? A database that stores hardware and software configuration information, network connections, user preferences including usernames and passwords, installed programs, and setup information. Registry can contain valuable evidence for investigative purposes.
- 18. R E GI S T R Y F I L E L O C A T I O N ✓ Registry isn’t simply one large file, but a set of discrete files called hives. ✓ Each hive contains a Registry tree, which has a key that serves as the root of the tree. ✓ Subkeys and their values reside beneath the root.
- 19. R E GI S T R Y H K E Y S
- 20. E X AM I N I N G R E G I S T R Y
- 21. O S FO R E N S I C S
- 22.
- 23. R e fe r e n c e s • Nelson, B., Phillips, A., & Steuart, C. (2018). Guide to computer forensics and investigations – Standalone Book (6th Ed.) Publisher: Cengage Learning; 6th edition (April 17, 2018) ISBN-10 : 1337568945 ISBN-13 : 978-1337568944 • Altheide, C. (2011). Digital forensics with open source tools: Using open source platform tools for performing computer forensics on target systems: Windows, MAC, Linux, Unix, Etc. Elsevier Science & Technology Books
- 24.