This article explains how to collect hidden partition information and covers the different types of hard disk partition and file formats.
1. Partition Logic
Partition Logic is a hard disk partitioning and data management tool. It can create, delete, erase, format, defragment, resize, copy, and move partitions and modify their attributes. It can also copy an entire hard disk to another.
2. Partition Find & Mount
Partition Find & Mount implements a new approach to recovering deleted or lost partitions. It locates partitions and mounts them into the system, making the lost partitions available again. It also works when any boot record (including the Master Boot Record) is missing, damaged, or overwritten.
3. Hidden ADS Streams
An alternate data stream (ADS) is an NTFS file system feature that lets a file carry alternate metadata, such as its author or title. It allows a file to hold more than one stream of data; the additional streams are invisible in Windows Explorer and require special tools to view. Because additional streams are easy to create and access, perpetrators can hide data inside files and retrieve it when required. Attackers can also store executable files in an ADS and run them from the command line.
An ADS also carries metadata, including access timestamps and file attributes. Investigators need to locate the ADS and extract the information present in it. Since the system does not modify the ADS data, retrieving it can offer raw details of the file and of malware execution.
Apart from the methods mentioned above, investigators can also use software tools to identify files carrying an ADS and extract the additional streams.
Investigating ADS Streams: StreamArmor
StreamArmor is a tool for discovering hidden alternate data streams (ADS) and removing them completely from the system. Its automatic analysis is coupled with an Online Threat Verification mechanism, and it consists of a multi-threaded ADS scanner and a built-in file type detection system.
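As an added example (not code from the article or from StreamArmor), the following Python script enumerates the streams of a file the way an ADS scanner does, through the Win32 FindFirstStreamW/FindNextStreamW API, and separates the hidden streams from the file's ordinary content. The enumeration itself only works on Windows/NTFS; the stream-name parsing is portable. Zone.Identifier is the well-known "mark of the web" stream that browsers attach to downloads.

```python
"""Enumerate NTFS ADS via FindFirstStreamW/FindNextStreamW (Windows only); the name
parsing is portable so the classification can be tested anywhere."""
import ctypes
import sys
from typing import Iterator, List, Tuple

FIND_STREAM_INFO_STANDARD = 0
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Win32 layout: 64-bit stream size, then the name (MAX_PATH + 36 wide chars).
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]

def parse_stream_name(raw: str) -> Tuple[str, str]:
    """Split ':name:$TYPE' into (name, type); a file's ordinary content is '::$DATA'."""
    parts = raw.split(":")
    if len(parts) != 3 or parts[0] != "":
        raise ValueError(f"unexpected stream name {raw!r}")
    return parts[1], parts[2]

def is_alternate(raw: str) -> bool:
    """True for every stream except the default unnamed $DATA stream."""
    return parse_stream_name(raw) != ("", "$DATA")

def enumerate_streams(path: str) -> Iterator[Tuple[str, int]]:
    """Yield (raw_name, size) per stream; yields nothing off Windows or if the file can't be opened."""
    if sys.platform != "win32":
        return
    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    h = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if h == INVALID_HANDLE_VALUE:
        return
    try:
        while True:
            yield data.cStreamName, data.StreamSize
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(h)

def alternate_streams(path: str) -> List[Tuple[str, int]]:
    """Only the hidden streams: the entries an ADS scanner such as StreamArmor flags for review."""
    return [(parse_stream_name(n)[0], sz) for n, sz in enumerate_streams(path) if is_alternate(n)]
```

Walking a directory tree and calling `alternate_streams` on every file gives the same inventory a GUI scanner produces, which can then be compared against a known-good baseline of the system.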
Other Non-Volatile Information
1. Web Browser Cache
The web browser cache stores the content of web pages locally in order to speed up future access to regularly visited sites. This works because the downloaded content remains on the hard drive until it is deleted. Even after the cache is cleared, however, the data remains in the unallocated space of the hard drive.
2. ChromeCacheView
ChromeCacheView is a small utility that reads the cache folder of the Google Chrome web browser and displays a list of all files currently stored in the cache. For each cache file, it displays the URL, content type, file size, last accessed time, expiration time, server name, server response, and so on.
Cookies
Cookies are small packages of data used to track, validate, and maintain specific user information. A cookie may carry an expiration date, after which the browser deletes it; cookies without an expiration date are deleted by the system at the end of the user session. Users may also delete cookie data directly from the browser. However, even after cookies are deleted, the data may remain in the unallocated space of the hard drive. Cookies can store data in encrypted form, mostly in an index.dat file, which includes date and time information. Investigators can use this file to fetch evidence regarding the incident.
1. ChromeCookiesView
ChromeCookiesView displays a list of all cookies stored by the Google Chrome web browser. It also allows deleting unwanted cookies and exporting the cookies to a text, CSV, HTML, or XML file. For every cookie, it displays the host name, path, name, value, Secure flag (Yes/No), HTTP Only flag (Yes/No), last accessed time, creation time, and expiration time.
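As an added example (not code from the article or from ChromeCookiesView), the Python script below reads the same fields from Chrome's Cookies SQLite database and decodes the timestamps, which Chrome stores as microseconds since 1601-01-01 UTC rather than as Unix time. The column names are an assumption modelled on recent Chrome builds, the sample database is constructed, and the plaintext `value` column is read as-is (recent Chrome builds keep the real value DPAPI-encrypted in `encrypted_value`, which this example does not decrypt).

```python
"""Decode the fields ChromeCookiesView displays from a Chrome 'Cookies' SQLite
database. Chrome stores timestamps as microseconds since 1601-01-01 UTC (the
Windows FILETIME epoch), not as Unix time, so raw values need converting."""
import sqlite3
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def chrome_time(us: int):
    """Chrome/WebKit microseconds -> aware datetime; 0 means the value is unset."""
    return None if us == 0 else CHROME_EPOCH + timedelta(microseconds=us)

def load_cookies(con: sqlite3.Connection) -> list:
    """One dict per cookie with decoded timestamps. Column names are an assumption
    modelled on recent Chrome builds; the schema has been renamed more than once,
    so run 'PRAGMA table_info(cookies)' on a real file before relying on them."""
    rows = con.execute(
        "SELECT host_key, path, name, value, is_secure, is_httponly, "
        "last_access_utc, creation_utc, expires_utc FROM cookies ORDER BY creation_utc")
    return [{"host": h, "path": p, "name": n, "value": v,
             "secure": bool(sec), "httponly": bool(ho),
             "last_access": chrome_time(la), "created": chrome_time(cr),
             "expires": chrome_time(ex)}          # None -> session cookie
            for h, p, n, v, sec, ho, la, cr, ex in rows]

def sample_connection() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a seized Cookies file (sample data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE cookies (creation_utc INTEGER, host_key TEXT,
        name TEXT, value TEXT, path TEXT, expires_utc INTEGER, is_secure INTEGER,
        is_httponly INTEGER, last_access_utc INTEGER)""")
    con.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?,?)", [
        # persistent secure cookie: created 2022-06-18 04:26:40 UTC, expires a day later
        (13300000000000000, ".example.test", "sid", "a1b2c3", "/",
         13300086400000000, 1, 1, 13300000500000000),
        # session cookie: expires_utc = 0, so it is gone when the browser closes
        (13300001000000000, "intranet.example.test", "csrf", "xyz", "/app",
         0, 0, 1, 13300001000000000)])
    return con

if __name__ == "__main__":
    for c in load_cookies(sample_connection()):
        print(c["host"], c["name"], c["created"], c["expires"] or "session")
```

To run it against a real profile, copy the Cookies file out of the profile directory first (the live file is locked while Chrome runs) and pass `sqlite3.connect(copy_path)` to `load_cookies`.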
Temporary Files
Programs and processes create temporary files when they cannot allocate enough memory for their tasks or when they are working on a large set of data. In general, the system deletes these temp files when the program terminates. However, some programs create temp files and leave them behind. These files contain information about the system processes, which can be useful for gathering evidence in a forensic investigation.
Windows Thumbnail Cache
Most operating systems use a thumbnail feature to display images and other files in a folder for easy identification. Microsoft Windows uses a thumbnail cache to store the thumbnail images that Windows Explorer uses to produce the thumbnail view. The thumbnail cache reduces the load on the system by storing the smaller images in a single database named thumbcache.db.
Images form strong evidence in many crimes, which is why suspects delete them to avoid getting caught. The thumbnail of an image, however, remains on the computer even after the file itself is deleted. This helps investigators establish whether the suspect deleted any files, and it also gives brief details about the deleted file.
Thumbcache Viewer
Thumbcache Viewer allows you to extract thumbnail images from the thumbcache_*.db and iconcache_*.db database files found on Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10. The program comes with both a graphical user interface and a command-line interface.
Windows Forensics Methodology
The memory of a system refers to the storage space where the system saves important data required for processing, such as application files, virtual memory, etc. This space contains the files and metadata required for the functioning of built-in and external applications. Investigators can analyze this space to find installed applications, recent events, and other related data.
Virtual Hard Disk (VHD)
A virtual hard disk is a disk image file format with functionality similar to a typical hard drive. It stores contents including a file system, disk partitions, a boot record, files, and folders.
Attackers use virtual drives to store malicious data. The data is readable only when the VHD is mounted; when unmounted, the contents of the VHD look like one large unreadable file, and the files become visible only after remounting. In such cases, forensic investigators use forensic tools to retrieve information from suspect virtual drives.
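As an added example (not code from the article), the Python script below shows how an investigator can triage such a "large unreadable file" without mounting it: per the Microsoft VHD format specification, every VHD ends with a 512-byte big-endian footer starting with the cookie `conectix`, carrying the disk type, sizes, creation time (seconds since 2000-01-01 UTC) and a checksum. The sample footer is constructed, not taken from a real image.

```python
"""Triage a suspected VHD image by its footer. Per the Microsoft VHD format
specification, every VHD ends with a 512-byte big-endian footer whose first
eight bytes are the cookie 'conectix'."""
import struct
from datetime import datetime, timedelta, timezone

FOOTER = struct.Struct(">8sIIQI4sI4sQQIII16sB427s")   # 512 bytes
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)    # timestamps are seconds since here
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}

def footer_checksum(raw: bytes) -> int:
    """One's complement of the byte sum, taken with the checksum field (bytes 64..67) zeroed."""
    return (~sum(raw[:64] + bytes(4) + raw[68:])) & 0xFFFFFFFF

def parse_footer(raw: bytes) -> dict:
    """Decode a footer; raises ValueError when the blob is not a VHD footer."""
    if len(raw) != FOOTER.size or raw[:8] != b"conectix":
        raise ValueError("no 'conectix' cookie: not a VHD footer (or a truncated file)")
    (_, _features, version, data_off, ts, app, _app_ver, host_os, orig, cur,
     geom, dtype, chk, uid, saved, _reserved) = FOOTER.unpack(raw)
    cylinders, heads, sectors = struct.unpack(">HBB", struct.pack(">I", geom))
    return {
        "format_version": f"{version >> 16}.{version & 0xFFFF}",
        "disk_type": DISK_TYPES.get(dtype, f"unknown({dtype})"),
        "created": VHD_EPOCH + timedelta(seconds=ts),
        "creator": app.decode("ascii", "replace").strip(),
        "host_os": host_os.decode("ascii", "replace"),
        "current_size": cur, "original_size": orig,
        "geometry": (cylinders, heads, sectors),
        # fixed disks have no dynamic header; the spec uses all-ones to say so
        "dynamic_header_offset": None if data_off == 0xFFFFFFFFFFFFFFFF else data_off,
        "unique_id": uid.hex(),
        "saved_state": bool(saved),
        "checksum_ok": chk == footer_checksum(raw),
    }

def read_footer(path: str) -> dict:
    """Read the last 512 bytes of an arbitrary large file and test it as a VHD."""
    with open(path, "rb") as f:
        f.seek(-FOOTER.size, 2)
        return parse_footer(f.read(FOOTER.size))

def sample_footer(size: int = 64 * 1024 * 1024) -> bytes:
    """Constructed footer for a fixed 64 MiB VHD with a valid checksum (sample data, not a real image)."""
    fields = [b"conectix", 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 600000000, b"win ", 0x000A0000,
              b"Wi2k", size, size, (130 << 16) | (16 << 8) | 63, 2, 0, b"\x11" * 16, 0, bytes(427)]
    fields[12] = footer_checksum(FOOTER.pack(*fields))   # checksum computed over the zeroed field
    return FOOTER.pack(*fields)
```

A failing checksum on a file that otherwise carries the cookie is worth noting in the case file, since it indicates either corruption or deliberate tampering with the footer.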
Questions related to this topic
- Where is Internet cache stored?
- What is a cache folder?
- How do I find cached images and files?
- Does clearing cache delete files?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com