USF ACG 6936 - Chapter 6 Working with Windows and DOS Systems

Chapter 6: Working with Windows and DOS Systems
Guide to Computer Forensics and Investigations, Fourth Edition

Contents
Objectives
Understanding File Systems
Understanding the Boot Sequence
Understanding Disk Drives
Exploring Microsoft File Structures
Disk Partitions
Master Boot Record
Examining FAT Disks
Deleting FAT Files
Examining NTFS Disks
NTFS File System
MFT and File Attributes
NTFS Data Streams
NTFS Compressed Files
NTFS Encrypting File System (EFS)
EFS Recovery Key Agent
Deleting NTFS Files
Understanding Whole Disk Encryption
Examining Microsoft BitLocker
Examining Third-Party Disk Encryption Tools
Understanding the Windows Registry
Exploring the Organization of the Windows Registry
Examining the Windows Registry
Understanding Microsoft Startup Tasks
Startup in Windows NT and Later
Startup in Windows 9x/Me
Understanding MS-DOS Startup Tasks
Other Disk Operating Systems
Understanding Virtual Machines
Creating a Virtual Machine
Summary

Objectives
• Explain the purpose and structure of file systems
• Describe Microsoft file structures
• Explain the structure of New Technology File System (NTFS) disks
• List some options for decrypting drives encrypted with whole disk encryption

Objectives (continued)
• Explain how the Windows Registry works
• Describe Microsoft startup tasks
• Describe MS-DOS startup tasks
• Explain the purpose of a virtual machine

Understanding File Systems
• File system
  – Gives the OS a road map to the data on a disk
• The type of file system an OS uses determines how data is stored on the disk
• A file system is usually directly related to an OS
• When you need to access a suspect's computer to acquire or inspect data
  – You should be familiar with the computer's platform

Understanding the Boot Sequence
• Complementary Metal Oxide Semiconductor (CMOS)
  – The computer stores system configuration and date and time information in the CMOS
  – This information persists while power to the system is off
• Basic Input/Output System (BIOS)
  – Contains programs that perform input and output at the hardware level

Understanding the Boot Sequence (continued)
• Bootstrap process
  – Contained in ROM; tells the computer how to proceed
  – Displays the key or keys you press to open the CMOS setup screen
• Before booting a suspect machine, the CMOS boot order should be changed so it boots from a forensic floppy disk or CD rather than the suspect's hard disk

Understanding Disk Drives
• Disk drives are made up of one or more platters coated with magnetic material
• Disk drive components
  – Geometry
  – Head
  – Tracks
  – Cylinders
  – Sectors

Understanding Disk Drives (continued)
• Properties handled at the drive's hardware or firmware level
  – Zoned bit recording (ZBR)
  – Track density
  – Areal density
  – Head and cylinder skew

Exploring Microsoft File Structures
• In Microsoft file structures, sectors are grouped to form clusters
  – Storage allocation units of one or more sectors
• Clusters are typically 512, 1024, 2048, 4096, or more bytes each
• Combining sectors minimizes the overhead of writing or reading files to a disk

Exploring Microsoft File Structures (continued)
• Clusters are numbered sequentially starting at 2; cluster numbers 0 and 1 are reserved
  – The first sectors of a volume form the system area: the boot record and the file structure database (the FAT on FAT volumes), so cluster 2 is the first data cluster
• The OS assigns these cluster numbers, called logical addresses
• Sector numbers are called physical addresses
• Clusters and their addresses are specific to a logical disk drive, which is a disk partition

Disk Partitions
• A partition is a logical drive
• FAT16 does not recognize volumes larger than 2 GB (the slide's "2 MB" is a typo)
  – Large disks have to be partitioned
• Hidden partitions or voids
  – Large unused gaps between partitions on a disk
• Partition gap
  – Unused space between partitions

Disk Partitions (continued)
• A disk editor utility can alter information in the partition table
  – For example, to hide a partition from the OS
• You can examine a partition at the physical level with a disk editor:
  – Norton DiskEdit, WinHex, or Hex Workshop
• Analyze the key hexadecimal codes the OS uses to identify and maintain the file system

Disk Partitions (continued)
• Hex Workshop allows you to identify file headers
  – To identify file types with or without an extension

Master Boot Record
• On Windows and DOS computer systems
  – The first sector of a boot disk holds the Master Boot Record (MBR); it is a disk sector, not a file in the file system
• The MBR stores information about the partitions on a disk: their locations, sizes, and other important items
• Several software products can modify the MBR, such as PartitionMagic's Boot Magic

Examining FAT Disks
• File Allocation Table (FAT)
  – File structure database
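The Disk Drives, Disk Partitions and Master Boot Record slides describe the geometry arithmetic and the partition table without showing either. The following is an added example, not code from the textbook: it parses a classic MBR, decodes the 3-byte CHS fields with the cylinder/head/sector formula, and lists every sector run no partition claims, which is where a hidden partition or partition gap shows up. The MBR it parses is constructed in the block (two NTFS volumes, one with its type byte changed to 0x17, the PartitionMagic-style "hidden" variant), and the 255-head/63-sector geometry is an assumed default, as the partition table does not carry the geometry itself.

```python
"""Parse a classic MBR partition table, decode its CHS fields with the drive-geometry
arithmetic, and list the sector ranges no partition claims (partition gaps).

Added example for this chapter; the MBR below is constructed, not a real disk."""
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
# Partition-type bytes that disk tools such as PartitionMagic produce by setting
# bit 0x10 on a normal type to hide a volume from the OS (0x07 NTFS -> 0x17, etc.).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
# One 16-byte entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count.
ENTRY = struct.Struct("<B3sB3sII")
TABLE_OFFSET = 446


def decode_chs(raw):
    """Unpack the 3-byte on-disk CHS encoding into (cylinder, head, sector)."""
    head = raw[0]
    sector = raw[1] & 0x3F                          # low 6 bits of byte 1
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]      # high 2 bits of byte 1 + byte 2
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    return bytes([head & 0xFF, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def chs_to_lba(cylinder, head, sector, heads=255, spt=63):
    """Geometry arithmetic: a cylinder holds heads*spt sectors, a track holds spt; sectors count from 1."""
    return (cylinder * heads + head) * spt + (sector - 1)


def lba_to_chs(lba, heads=255, spt=63):
    if lba >= 1024 * heads * spt:                   # beyond the ~8 GB CHS can address: clamp
        return 1023, heads - 1, spt
    cylinder, rem = divmod(lba, heads * spt)
    head, sector = divmod(rem, spt)
    return cylinder, head, sector + 1


def parse_mbr(mbr):
    """Return the non-empty partition entries; refuse anything without the 0x55AA signature."""
    if len(mbr) != SECTOR_SIZE or mbr[510:] != MBR_SIGNATURE:
        raise ValueError("not an MBR sector: bad length or missing 0x55AA signature")
    parts = []
    for slot in range(4):
        status, chs_s, ptype, chs_e, lba_start, count = ENTRY.unpack_from(mbr, TABLE_OFFSET + 16 * slot)
        if ptype == 0 and count == 0:
            continue                                # genuinely empty slot
        parts.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            # a zeroed type byte with a non-zero extent is another way to hide a volume
            "hidden": ptype in HIDDEN_TYPES or ptype == 0,
            "chs_start": decode_chs(chs_s),
            "chs_end": decode_chs(chs_e),
            "lba_start": lba_start,
            "lba_end": lba_start + count - 1,
            "sectors": count,
        })
    return parts


def find_gaps(parts, disk_sectors):
    """Return (first, last, count) for every sector run no partition claims; sector 0 is the MBR."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1, p["lba_start"] - cursor))
        cursor = max(cursor, p["lba_end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1, disk_sectors - cursor))
    return gaps


def build_entry(ptype, lba_start, count, bootable=False):
    """Assemble one table entry with CHS fields derived from the LBA values (used to build the sample)."""
    start = encode_chs(*lba_to_chs(lba_start))
    end = encode_chs(*lba_to_chs(lba_start + count - 1))
    return ENTRY.pack(0x80 if bootable else 0x00, start, ptype, end, lba_start, count)


# Constructed sample: a 2 GiB disk holding a visible, bootable NTFS volume and a second
# NTFS volume whose type byte was changed to 0x17 to hide it, with unallocated space between.
DISK_SECTORS = 4_194_304
SAMPLE_MBR = (bytes(TABLE_OFFSET)                          # boot code left zeroed
              + build_entry(0x07, 63, 1_048_576, bootable=True)
              + build_entry(0x17, 2_097_152, 1_048_576)
              + bytes(32)                                   # two empty slots
              + MBR_SIGNATURE)

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"slot {p['slot']} type 0x{p['type']:02X} LBA {p['lba_start']}-{p['lba_end']} "
              f"CHS {p['chs_start']}-{p['chs_end']} hidden={p['hidden']} boot={p['bootable']}")
    for first, last, count in find_gaps(parts, DISK_SECTORS):
        print(f"unallocated: sectors {first}-{last} ({count * SECTOR_SIZE // 1024} KiB)")
```

Two checks matter in practice: the examiner should trust the LBA fields and use the CHS values only as a consistency test (they are clamped at cylinder 1023 on any disk over about 8 GB), and the gap listing is the thing to carve, because a partition whose type byte has been zeroed or flipped to a hidden variant still occupies real sectors that the OS simply will not mount.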
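The Microsoft File Structures slides say clusters are logical addresses numbered from 2 and sectors are physical addresses, and the Disk Partitions slides say a hex editor lets you identify a file's type from its header regardless of extension. The following is an added example, not code from the textbook, that ties those together for a FAT16 volume: it reads the BIOS Parameter Block from the boot sector, computes where cluster 2 starts (reserved sectors, then the FATs, then the fixed root directory), maps any cluster number to its sector, carves that cluster out of an image and classifies it by its magic bytes. The image, the BPB values and the planted PNG and PDF headers are all constructed inside the block; the FAT32 case, whose FAT size is 32-bit and whose root directory lives in the data area, is deliberately out of scope.

```python
"""Map FAT cluster numbers (logical addresses) to sector numbers (physical addresses)
from the boot-sector BIOS Parameter Block, carve a cluster out of an image, and
identify its content from the file header rather than the file-name extension.

Added example for this chapter; the FAT16 image below is constructed, not a real volume."""
import struct

SECTOR_SIZE = 512
# BPB fields at offset 11 of the boot sector, in the order Microsoft documents them:
# bytes/sector, sectors/cluster, reserved sectors, FAT count, root entries, total sectors (16-bit),
# media byte, sectors/FAT (16-bit), sectors/track, heads, hidden sectors, total sectors (32-bit).
BPB = struct.Struct("<HBHBHHBHHHII")

# Well-known file signatures ("magic numbers") that a hex-editor user matches by eye.
MAGICS = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xFF\xD8\xFF", "JPEG image"),
    (b"GIF89a", "GIF image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP container (also DOCX/XLSX/JAR)"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (legacy Office)"),
    (b"Rar!\x1A\x07", "RAR archive"),
    (b"\x1F\x8B", "gzip data"),
    (b"MZ", "DOS/Windows executable"),
]


def parse_bpb(boot_sector):
    """Derive the volume layout from the BPB (FAT12/FAT16 only)."""
    if boot_sector[510:512] != b"\x55\xAA":
        raise ValueError("boot sector lacks the 0x55AA signature")
    (bps, spc, reserved, fats, root_entries, total16, _media,
     fat_size16, _spt, _heads, _hidden, total32) = BPB.unpack_from(boot_sector, 11)
    total = total16 or total32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps       # 32-byte directory entries
    first_data_sector = reserved + fats * fat_size16 + root_dir_sectors
    data_clusters = (total - first_data_sector) // spc
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "first_data_sector": first_data_sector,   # where cluster 2 begins
        "last_cluster": data_clusters + 1,        # clusters are numbered 2 .. n+1
        "total_sectors": total,
    }


def cluster_to_sector(layout, cluster):
    """Logical address (cluster) -> physical address (sector) within the volume."""
    if cluster < 2:
        raise ValueError("clusters are numbered from 2; values 0 and 1 are reserved")
    if cluster > layout["last_cluster"]:
        raise ValueError(f"cluster {cluster} is past the end of the volume")
    return layout["first_data_sector"] + (cluster - 2) * layout["sectors_per_cluster"]


def read_cluster(image, layout, cluster):
    bps, spc = layout["bytes_per_sector"], layout["sectors_per_cluster"]
    offset = cluster_to_sector(layout, cluster) * bps
    return image[offset:offset + spc * bps]


def identify(data):
    """Classify a byte run by its header; longest magic first so "MZ" cannot shadow longer ones."""
    for magic, name in sorted(MAGICS, key=lambda m: -len(m[0])):
        if data.startswith(magic):
            return name
    return "unknown (no recognised header)"


def build_boot_sector(total_sectors):
    bs = bytearray(SECTOR_SIZE)
    bs[0:3] = b"\xEB\x3C\x90"                                      # jump over the BPB
    bs[3:11] = b"MSWIN4.1"
    # 512 B/sector, 4 sectors/cluster, 1 reserved, 2 FATs of 64 sectors, 512 root entries
    BPB.pack_into(bs, 11, SECTOR_SIZE, 4, 1, 2, 512, total_sectors, 0xF8, 64, 63, 255, 0, 0)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def build_sample_image():
    """417-sector FAT16 image: a 161-sector system area, then 64 clusters of 4 sectors each."""
    total = 417
    image = bytearray(total * SECTOR_SIZE)
    image[0:SECTOR_SIZE] = build_boot_sector(total)
    layout = parse_bpb(image[0:SECTOR_SIZE])
    # Plant content a directory entry might label "notes.txt": a PNG header in cluster 7, a PDF in cluster 9.
    png_at = cluster_to_sector(layout, 7) * SECTOR_SIZE
    image[png_at:png_at + 8] = b"\x89PNG\r\n\x1a\n"
    pdf_at = cluster_to_sector(layout, 9) * SECTOR_SIZE
    image[pdf_at:pdf_at + 8] = b"%PDF-1.4"
    return bytes(image)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    layout = parse_bpb(SAMPLE_IMAGE[:SECTOR_SIZE])
    print("first data sector:", layout["first_data_sector"], "last cluster:", layout["last_cluster"])
    for cluster in (2, 7, 9):
        sector = cluster_to_sector(layout, cluster)
        print(f"cluster {cluster} -> sector {sector} (byte offset 0x{sector * SECTOR_SIZE:X}): "
              f"{identify(read_cluster(SAMPLE_IMAGE, layout, cluster))}")
```

The sector numbers this produces are relative to the start of the partition; to seek in a whole-disk image you add the partition's LBA start from the MBR. Refusing clusters 0 and 1 and anything past the last cluster is not pedantry: a FAT entry pointing there is exactly the kind of corruption or tampering an examiner wants flagged rather than silently read as data.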

