Understanding Examine File Systems

Understanding how to examine file systems is essential for gaining access to file system data and for reconstructing file system events. A file system comprises five categories of data, namely file system data, content data, metadata, file name data, and file system application data.

File system data

The file system data describes the file system structure, such as the file system type and block size, the number of allocated blocks, etc.

1. Content data

This category holds most of the data in the file system: the actual contents of the files stored on it.

2. Metadata

The metadata of the file system generally provides information about content locations, file sizes and MAC (modified, accessed, created) timestamps.

3. Application data

The application data includes file system journal and quota statistics.

All of the above information enables the investigator to collect a variety of data, which may contain potential evidence for solving the case.

Registry Settings

Registry values and settings have a significant impact on the subsequent forensic analysis and investigation. Although these settings are themselves non-volatile, they affect how an investigator chooses to proceed while conducting an investigation, or even whether he or she continues with the investigation at all. There are several tools for collecting information from the registry. Reg.exe is a command-line tool for accessing and managing the registry. Some of the important registry values to note include:

Clear Page File At Shutdown

This registry value tells the operating system to clear the page file when the system is shut down. Since Windows uses a virtual memory architecture, some memory used by processes will be paged out to the page file. Normally, when the system shuts down, the information within the page file remains on the hard drive and may contain decrypted passwords, portions of IM conversations, and other strings and fragments that might provide important leads in an investigation. However, if the system clears the file during shutdown, this information is overwritten and becomes far more difficult to obtain.

Disable Last Access

Windows has the ability to disable the updating of last access times on files. This feature is meant as a performance enhancement, particularly on high-volume file servers. On ordinary workstations, desktops and laptops, this setting provides no noticeable improvement in performance.

Users can query or change this setting via the fsutil command. For example, to query the setting, use this command: C:\>fsutil behavior query disablelastaccess

Fsutil

This command performs tasks related to the file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume. If it is used without parameters, fsutil displays a list of supported subcommands. The investigator must be logged on as an administrator or a member of the Administrators group in order to use fsutil.
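The two settings above are worth decoding programmatically during triage rather than by eye. The following is an added example, not code from the original article or any tool it names: the key paths and value names are the real Windows locations of ClearPageFileAtShutdown and the NTFS last-access switch, the sample DWORDs are constructed, and the live read is only attempted on Windows so the decoding functions can also be run against exported registry data.

```python
"""Triage of ClearPageFileAtShutdown and NtfsDisableLastAccessUpdate.

Added example (not from the article). Key paths and value names are the real
Windows locations; the sample data at the bottom is constructed.
"""
import sys

# Real registry locations, relative to HKEY_LOCAL_MACHINE.
CLEAR_PAGEFILE_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
CLEAR_PAGEFILE_VALUE = "ClearPageFileAtShutdown"
LAST_ACCESS_KEY = r"SYSTEM\CurrentControlSet\Control\FileSystem"
LAST_ACCESS_VALUE = "NtfsDisableLastAccessUpdate"


def assess_clear_pagefile(data):
    """Return (cleared_at_shutdown, investigator_note).

    An absent value (None) behaves like 0: the page file is left intact."""
    cleared = bool(data)
    if cleared:
        note = "pagefile.sys is overwritten at a clean shutdown; capture it live"
    else:
        note = "pagefile.sys persists across shutdown and can be recovered from the image"
    return cleared, note


def assess_last_access(data):
    """Decode NtfsDisableLastAccessUpdate.

    bit 0 set -> last-access timestamps are NOT updated (the 0/1 meaning on
                 every Windows version)
    bit 1 set -> the choice is system managed (Windows 10 1803+, where the
                 stored DWORD is typically 0x80000002 or 0x80000003)
    None      -> value absent; the effective default depends on the Windows
                 version, so confirm with 'fsutil behavior query disablelastaccess'
    """
    if data is None:
        return {"updates_disabled": None, "system_managed": None,
                "note": "value absent: default depends on Windows version, confirm with fsutil"}
    disabled = bool(data & 1)
    return {"updates_disabled": disabled,
            "system_managed": bool(data & 2),
            "note": ("last-access times are unreliable for timeline building" if disabled
                     else "last-access times are maintained and usable with care")}


def read_live_settings():
    """Read both values from the live registry. Windows only; returns None
    elsewhere so the decoders can be applied to exported data instead."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, importable only on Windows
    found = {}
    for key, name in ((CLEAR_PAGEFILE_KEY, CLEAR_PAGEFILE_VALUE),
                      (LAST_ACCESS_KEY, LAST_ACCESS_VALUE)):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                found[name] = winreg.QueryValueEx(handle, name)[0]
        except FileNotFoundError:
            found[name] = None  # value not present under that key
    return found


def triage(values):
    """Combine both assessments for a dict {value_name: DWORD or None}."""
    return {
        CLEAR_PAGEFILE_VALUE: assess_clear_pagefile(values.get(CLEAR_PAGEFILE_VALUE)),
        LAST_ACCESS_VALUE: assess_last_access(values.get(LAST_ACCESS_VALUE)),
    }


if __name__ == "__main__":
    # Constructed sample: a Windows 10 host that wipes its page file at shutdown
    # and leaves last-access updates system managed and enabled.
    sample = read_live_settings() or {CLEAR_PAGEFILE_VALUE: 1,
                                      LAST_ACCESS_VALUE: 0x80000002}
    for name, result in triage(sample).items():
        print(name, "->", result)
```

The masks rather than equality tests matter because the system-managed configurations store a high bit alongside the low two, so comparing the raw DWORD against 0 or 1 misreads a default Windows 10 install.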

Auto Runs Tool

There are several areas of the registry (and the file system) referred to as autostart locations, because they provide a facility to automatically start applications, usually without any direct interaction from the user. Some of these locations will automatically start applications when the system boots, while others do so when a user logs in, and still others when the user takes a specific action. In such instances users start an application, and they are completely unaware that they have actually launched another hidden application.

Investigators can collect this information by two means: one by using the reg.exe tool, and the other with the AutoRuns tool.

AutoRuns is also a useful tool for checking areas within the file system, such as scheduled tasks. Occasionally, administrators use the scheduled tasks feature to give themselves elevated (i.e., system-level) privileges, to perform tasks like viewing portions of the registry that are normally off limits even to administrators. An attacker who gains administrator-level access to the system may do something similar in order to maintain a presence on it.

Another area of the registry that can provide valuable information in an investigation is the protected storage area. The protected storage holds information in an encrypted format in the registry. If an investigator acquires an image of the system, tools such as AccessData’s Forensic ToolKit (FTK) will decrypt and recover the information.

Microsoft Security ID

A Microsoft Security ID (SID) is a unique identification number that Windows assigns to a user account (or group) and uses when granting the user access to a particular resource. When a user logs on, the system retrieves the SID from the security database and places it in the user's access token, which identifies the user in all aspects of Windows security. This token also carries the privileges granted to the user, on the basis of which the system allows or denies access.
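SIDs are stored in binary form in tokens, ACLs and the registry, so an investigator regularly has to convert them to the familiar S-1-5-21-... string and recognise what they denote. The following decoder is an added example, not code from the article; the well-known SIDs and RIDs are the real Windows values, and the sample SIDs are constructed.

```python
"""Decode binary Windows SIDs into their S-R-I-S string form.

Added example (not from the article). Well-known SIDs and RIDs are the real
Windows values; the sample SIDs built at the bottom are constructed.
"""
import struct

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}
# Relative identifiers that keep their meaning in every machine or domain SID.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest",
                   512: "Domain Admins", 513: "Domain Users"}


def build_sid(authority, *sub_authorities):
    """Pack a SID in its binary layout: revision 1, sub-authority count,
    48-bit big-endian identifier authority, then 32-bit little-endian
    sub-authorities. Used here to construct sample input."""
    if not 0 < len(sub_authorities) <= 15:
        raise ValueError("a SID carries 1 to 15 sub-authorities")
    head = struct.pack(">BB", 1, len(sub_authorities)) + authority.to_bytes(6, "big")
    return head + struct.pack(f"<{len(sub_authorities)}I", *sub_authorities)


def parse_sid(blob):
    """Inverse of build_sid, with the length and revision checks a parser
    of untrusted registry or token data needs."""
    if len(blob) < 8:
        raise ValueError("SID header truncated")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(part) for part in (revision, authority, *subs))


def describe_sid(sid):
    """Name well-known SIDs; for account SIDs (S-1-5-21-<machine/domain>-<RID>)
    report the RID and the machine or domain part it belongs to."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[7])
        machine = "-".join(parts[:7])
        return WELL_KNOWN_RIDS.get(rid, f"RID {rid}") + f" on {machine}"
    return "unrecognised SID"


# Constructed samples: the Local System SID and an account SID on a made-up machine.
LOCAL_SYSTEM_BLOB = bytes.fromhex("010100000000000512000000")
ADMIN_BLOB = build_sid(5, 21, 1004336348, 1177238915, 682003330, 500)

if __name__ == "__main__":
    for blob in (LOCAL_SYSTEM_BLOB, ADMIN_BLOB):
        sid = parse_sid(blob)
        print(sid, "->", describe_sid(sid))
```

The same decoder applies to the SID-named subkeys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, which map each account SID that has logged on to its profile directory; a RID of 500 there identifies the built-in Administrator account regardless of any renaming.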

Event Logs

Event logs are essential files within the file system. They are changeable in nature; in fact, depending on their configuration and on which events are audited, these files can change quite rapidly. Depending on the audit policies on the "victim" system, the actions of the investigator accessing it as first responder will themselves generate entries in the event logs. Use tools such as psloglist.exe to retrieve the event records.

PsLogList

PsLogList can log in to remote systems in situations where the current set of security credentials would not permit access to the Event Log. It retrieves message strings from the computer on which the event log resides. By default it shows the contents of the System Event Log on the local computer, and it allows formatting of Event Log records.

ESE Database File

Windows 10 ships with the Microsoft Edge browser as a built-in feature. It uses the Extensible Storage Engine (ESE), a data storage technology from Microsoft designed to store and retrieve data through indexed and sequential access. The same database engine lets a server store various files, messages, etc., and access folders, text messages, attachments, etc. for email service provision. These files have the extension .edb and can provide valuable evidence in forensic investigations. The database is organised as a B-tree structure and has a hexadecimal file signature.

The database stores tables including FileCleanup, Folder, ReadingList, RowId, MSysObjids, MSysObjects, FolderStash, MSysLocales, and MSysObjectsShadow. These tables contain information about the applications stored on and accessed from the system, which can act as evidence in criminal cases.

Connected Devices

1. DevCon

DevCon, or Device Console, is a command-line tool that displays detailed information about devices on computers running the Windows operating system. DevCon can be used to enable, disable, install, configure, and remove devices. It also performs device management functions on local and remote computers.

Features:

  • Display driver and device info
  • Search for devices
  • Change device settings
  • Restart the device or computer

2. Slack Space

Slack space, also called file slack, is the space between the end of a stored file and the end of the disk cluster it occupies. Residual data from an earlier file remains there when the file currently written is smaller than the file that previously occupied the same cluster. In such cases, the residual data remains as it was and may contain meaningful information when examined forensically.

It may be possible to use slack space to store data that one wants to hide, because the file system keeps no record of what lies beyond the end of a file. In order to do that, one only has to create a file smaller than the slack space present and use the rest of the cluster to store the hidden data. This data is invisible to the file system and remains unchanged until modified manually. However, creating new files that result in slack space is not a reliable way to hide data.
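The geometry described above is easy to get wrong in practice, because the slack an examiner can recover is not simply "cluster size minus file size": Windows zero-fills the bytes from the end of the file to the end of its last sector, so residue survives only in the sectors after that. The following model is an added example, not code from the article; the cluster and sector sizes are common defaults and the cluster contents are constructed.

```python
"""Model file slack on a cluster-allocating file system.

Added example (not from the article). Cluster contents are constructed;
4096-byte clusters and 512-byte sectors are common defaults.
"""

CLUSTER_SIZE = 4096
SECTOR_SIZE = 512


def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes between the logical end of file and the end of its last cluster.
    A zero-length file allocates no cluster (NTFS keeps tiny files resident
    in the MFT record), so it has no slack."""
    if cluster_size <= 0:
        raise ValueError("cluster size must be positive")
    if file_size == 0:
        return 0
    remainder = file_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


def simulate_write(old_cluster, new_content, sector_size=SECTOR_SIZE):
    """Mimic the OS reusing a cluster: the new content is written, the rest of
    its final sector is zero-filled (so this 'RAM slack' carries no residue),
    and the remaining sectors keep whatever the previous file left behind."""
    if len(new_content) > len(old_cluster):
        raise ValueError("content larger than the allocation")
    sector_end = -(-len(new_content) // sector_size) * sector_size  # ceiling
    return new_content + b"\0" * (sector_end - len(new_content)) + old_cluster[sector_end:]


def split_slack(allocated, file_size, cluster_size=CLUSTER_SIZE, sector_size=SECTOR_SIZE):
    """Return (content, ram_slack, drive_slack) for a file's raw allocation:
    ram_slack is the zero-filled tail of the last sector, drive_slack the
    untouched sectors up to the end of the cluster."""
    if len(allocated) % cluster_size:
        raise ValueError("allocation must be whole clusters")
    if file_size > len(allocated):
        raise ValueError("file size exceeds allocation")
    sector_end = min(-(-file_size // sector_size) * sector_size, len(allocated))
    return allocated[:file_size], allocated[file_size:sector_end], allocated[sector_end:]


def printable_strings(data, min_len=8):
    """ASCII strings in a byte region, the way a 'strings' pass lists them."""
    found, run = [], bytearray()
    for byte in data:
        if 32 <= byte < 127:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed scenario: a 4 KiB cluster once held a draft document, then a
# 1500-byte file was written over the same cluster.
OLD_CONTENT = b"CONFIDENTIAL draft: budget 2019 " * 128   # exactly 4096 bytes
NEW_FILE = b"hello" * 300                                  # 1500 bytes
ON_DISK = simulate_write(OLD_CONTENT, NEW_FILE)

if __name__ == "__main__":
    content, ram_slack, drive_slack = split_slack(ON_DISK, len(NEW_FILE))
    print("total slack:", slack_bytes(len(NEW_FILE)))
    print("RAM slack (zeroed):", len(ram_slack), "bytes")
    print("drive slack:", len(drive_slack), "bytes")
    for s in printable_strings(drive_slack):
        print("residue:", s[:40], "...")
```

Of the 2596 slack bytes in this scenario, only the 2560 beyond the sector boundary hold residue from the earlier file, which is why a slack-carving tool reports on the drive slack region rather than on everything past the logical end of file.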

3. Virtual Memory

X-Ways Forensics is a computer forensics tool that has the following features:

  • Access logical memory of running processes
  • Gather slack space, free space, inter-partition space, and generic text from drives and images
  • Ability to read partitioning and file system structures
  • Memory analysis for local RAM or memory dumps
  • Disk cloning and imaging

4. Hibernate Files

The Windows operating system has two power management modes. The first is Sleep mode, which keeps the system running in a low-power state so that the user can instantly resume where he or she paused working. The second is Hibernate mode, which writes the entire contents of memory to the hiberfil.sys file on the hard disk.

From a forensic point of view the hiberfil.sys file is a crucial source of evidence, as it holds the contents of all programs, applications, files and processes that were resident in RAM at the moment of hibernation.

Investigators can check if the user had enabled hibernate option by visiting the following registry key in the registry editor:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power.

The system stores the hiberfil.sys file in the root of the system drive as a hidden file, sized similarly to the RAM installed in the system. Investigators can select the file and analyze it with tools such as a hex editor.

Pagefile.sys is a hidden file on the Windows operating system that is used as virtual memory to expand the physical memory of a system. To improve RAM performance, the system moves the least used "pages" of memory into the pagefile.sys file, freeing RAM for the running applications.

5. Page File

The page file holds memory of inactive processes, recently opened files and documents, and fragments of application data, as well as sensitive data such as user IDs and passwords used by system processes. The system stores pagefile.sys in the root of the system drive as a hidden file. Investigators can extract it by navigating to that location or by using software tools, and analyze it with hex editors.
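Before opening hiberfil.sys, pagefile.sys or an .edb database in a hex editor, it pays to confirm what a file actually is from its header, since all three are hidden files that are often copied out under arbitrary names. The following classifier serves both the ESE database section above and the hibernation and page file sections. It is an added example, not code from the article: the ESE signature and the hiberfil header tags are the documented values, the sample headers are constructed, and the hidden-attribute check only works on Windows.

```python
"""Identify hiberfil.sys and ESE (.edb) files from their header bytes.

Added example (not from the article). Signature values are the documented
ones; the sample headers below are constructed. pagefile.sys has no
signature and is reported as such.
"""
import os
import stat

ESE_SIGNATURE = 0x89ABCDEF          # 32-bit little-endian value at offset 4 of every ESE database
HIBER_ACTIVE = (b"hibr", b"HIBR")   # header tag while a hibernation image is valid
HIBER_RESUMED = (b"wake", b"WAKE")  # tag rewritten once the system has resumed from it


def identify_header(header):
    """Classify the first bytes of a file."""
    if len(header) >= 8 and int.from_bytes(header[4:8], "little") == ESE_SIGNATURE:
        return "ese-database"
    tag = header[:4]
    if tag in HIBER_ACTIVE:
        return "hiberfil-active"
    if tag in HIBER_RESUMED:
        return "hiberfil-resumed"
    if len(header) >= 4 and tag == b"\0\0\0\0":
        # No magic at all: pagefile.sys looks like this, as does any file
        # whose header has been zeroed.
        return "zeroed-header"
    return "unknown"


def describe_file(path):
    """Size, hidden flag (Windows only; None elsewhere) and header class."""
    info = os.stat(path)
    attrs = getattr(info, "st_file_attributes", None)
    hidden = None if attrs is None else bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    with open(path, "rb") as fh:
        header = fh.read(8)
    return {"path": path, "size": info.st_size, "hidden": hidden,
            "kind": identify_header(header)}


# Constructed headers standing in for the first 8 bytes of real files.
SAMPLE_HEADERS = {
    "hiberfil.sys": b"hibr" + b"\0" * 4,
    "Windows.edb": b"\x12\x34\x56\x78\xef\xcd\xab\x89",  # checksum, then signature
    "pagefile.sys": b"\0" * 8,
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(name, "->", identify_header(header))
```

The ESE check has to look at offset 4 rather than offset 0 because the first four bytes of the header are a checksum that differs from file to file; the same test applies to the Windows Search database (Windows.edb), which is also an ESE file.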

6. Windows Search Index

The Windows Search index supports indexing of over 200 common file types by maintaining a record of all documents on the system. It also allows users to quickly locate items such as messages, calendar events, contacts, and media files.

Once the indexer completes its initial scan of the PC, new files and email messages that arrive are indexed while the PC is idle, making them searchable shortly thereafter. After the initial scan, the index is updated continually, so it can also be used to track changes on the system.

7. Passware Search Index Examiner

Source: http://www.lostpassword.com

Passware Search Index Examiner makes all the data indexed by Windows Search accessible.

Key features include:

  • Lists all the emails, documents, spreadsheets, and other items indexed by Windows Desktop Search
  • Retrieves item properties, such as creation and modification dates, author, recipients, and summary content
  • Requires only one file from the target PC, a Windows Desktop Search Database (.edb)
  • Saves reports in common formats: XML, Comma Separated Values (.csv)

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
