Gcfi6e Im Ch05

Guide to Computer Forensics and Investigations, Sixth Edition 5-1

Chapter 5
Working with Windows and CLI Systems

At a Glance

Instructor’s Manual Table of Contents


• Overview
• Objectives
• Teaching Tips
• Quick Quizzes
• Class Discussion Topics
• Additional Projects
• Additional Resources
• Key Terms

© 2019 Cengage Learning. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for
use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for school-approved
learning management system or classroom use.
Lecture Notes

Overview
This chapter reviews how data is stored and managed on Microsoft operating systems
(OSs). To become proficient in recovering data for digital investigations, you should
understand file systems and their OSs, including legacy and current OSs. In this chapter,
students examine the tasks an OS performs when it starts so they can avoid altering
evidence when examining data on a drive. They also learn how to use a virtual
environment to further analyze Windows digital evidence.

Chapter Objectives
• Explain the purpose and structure of file systems
• Describe Microsoft file structures
• Explain the structure of NTFS disks
• List some options for decrypting drives encrypted with whole disk encryption
• Explain how the Windows Registry works
• Describe Microsoft startup tasks
• Explain the purpose of a virtual machine

Teaching Tips
Understanding File Systems

1. Explain that the file system gives an OS a road map to data on a disk. The type of file
system an OS uses determines how data is stored on the disk.

2. Mention that when you need to access a suspect’s computer to acquire or inspect data,
you should be familiar with the computer’s OS and file system.

Understanding the Boot Sequence

1. Mention that to ensure that you don’t contaminate or alter data on a suspect’s system,
you must know how to access and modify a PC’s Complementary Metal Oxide
Semiconductor (CMOS), BIOS, Extensible Firmware Interface (EFI), and Unified
Extensible Firmware Interface (UEFI) settings.

Teaching Tip: Point your students to http://computer.howstuffworks.com/bios.htm for a more
detailed explanation of how BIOS works.

2. Explain that a computer stores system configuration and date and time information in
the CMOS when power to the system is off. The system BIOS or EFI contains programs
that perform input and output at the hardware level.

3. Mention that when a subject’s computer starts, you must make sure it boots to a
forensically configured CD, DVD, or USB drive, as described in Chapters 1 and 3,
because booting to the hard disk overwrites and changes evidentiary data.

4. Explain that the bootstrap process is contained in ROM and tells the computer how to
proceed when booting. It displays the key or keys you press to open the CMOS setup
screen. The CMOS should be modified if you want to boot from a CD/DVD drive. Use
Figure 5-1 to illustrate your explanation.

Teaching Tip: Read more about CMOS at: https://www.lifewire.com/what-is-cmos-2625826.

Understanding Disk Drives

1. Explain that disk drives are made up of one or more platters coated with magnetic
material.

2. Use Figures 5-2 and 5-3 to describe some of the disk drive components, including:
a. Geometry
b. Head
c. Tracks
d. Cylinders
e. Sectors

3. Describe some of the properties handled at the drive’s hardware or firmware level,
including:
a. Zone bit recording (ZBR)
b. Track density
c. Areal density
d. Head and cylinder skew

Solid-State Storage Devices

1. Describe the wear-leveling feature that is found in all flash memory devices. Explain
that the purpose of shifting data from one memory cell to another is to make sure all
memory cells on the flash drive wear evenly.

2. Point out that when dealing with solid-state devices, making a full forensic copy as soon
as possible is crucial in case you need to recover data from unallocated disk space.

3. Explain that all solid-state drives have an internal power source for memory cells (both
allocated and unallocated) so that they can preserve data.

4. Mention that for mobile device forensics, this feature is extremely important, especially
if a suspect deleted relevant messages, for example, just before the device was seized
and taken into evidence.

Exploring Microsoft File Structures

1. Explain that in Microsoft file structures, sectors are grouped to form clusters, which are
storage allocation units of one or more sectors.

2. Mention that clusters are typically 512 bytes up to 32,000 bytes each. Combining
sectors minimizes the overhead of writing or reading files to a disk.

3. Explain that clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT.
The first sector of all disks contains a system area, the boot record, and a file structure
database.

4. Explain that the OS assigns these cluster numbers, which are referred to as logical
addresses. Sector numbers are referred to as physical addresses. Clusters and their
addresses are specific to a logical disk drive, which is a disk partition.

Disk Partitions

1. Define a partition as a logical drive. Explain that Windows OSs can have three primary
partitions followed by an extended partition that can contain one or more logical drives.

2. Define hidden partitions or voids as large unused gaps between partitions on a disk
drive. A partition gap is the unused space between partitions. A disk editor utility could
be used to alter information in the disk’s partition table to hide a partition.

3. Explain that one way to examine a partition’s physical level is to use a disk editor, such
as WinHex or Hex Workshop. The tasks involve analyzing the key hexadecimal codes
the OS uses to identify and maintain the file system. Use Table 5-1 to illustrate your
explanation.

4. Explain that the partition table is in the Master Boot Record (MBR), located at sector 0
of the disk drive. Use Figure 5-4 to illustrate your explanation.

5. Use Figure 5-5 to show how to use WinHex to identify file systems.

6. Mention that with tools such as WinHex, you can also identify file headers to determine
the file types, with or without an extension. Use Figures 5-6 and 5-7 to illustrate your
explanation.
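The partition-table layout the items above describe (the MBR at sector 0, one type code per entry, the unused gaps between partitions that a hidden partition would occupy) can be checked programmatically rather than only by eye in a disk editor. The following Python parser is an added example, not code from the textbook or its instructor materials; the 512-byte MBR it decodes is constructed inline, and the type-code names are a small subset of the well-known codes, not the textbook's Table 5-1.

```python
"""Parse a Master Boot Record (sector 0) and report partitions and unused gaps.

The MBR partition table sits at byte offset 446 and holds four 16-byte entries
(status, CHS start, type code, CHS end, LBA start, sector count); the sector
ends with the signature bytes 0x55 0xAA.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sectors
SIGNATURE = b"\x55\xaa"

# Small subset of the well-known partition type codes (not the textbook's table).
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 (<32 MB)", 0x05: "Extended", 0x06: "FAT16",
    0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
    0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_code: int
    lba_start: int
    sectors: int

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_code, f"unknown (0x{self.type_code:02X})")

    @property
    def lba_end(self) -> int:        # last sector used by the partition
        return self.lba_start + self.sectors - 1


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Return the non-empty partition entries, validating size and signature."""
    if len(sector0) != 512:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector0[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, start, count = struct.unpack_from(ENTRY_FMT, sector0, off)
        if ptype == 0x00 and count == 0:
            continue                 # unused table slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02X}")
        parts.append(Partition(i, status == 0x80, ptype, start, count))
    return parts


def find_gaps(parts: List[Partition], total_sectors: int) -> List[Tuple[int, int]]:
    """Return (start_sector, length) ranges not covered by any partition.

    Sector 0 is the MBR itself. Space between the MBR and the first partition,
    between partitions, or after the last one is the unallocated room a hidden
    partition or an altered table would leave; large gaps deserve a look with a
    disk editor.
    """
    gaps = []
    next_free = 1
    for p in sorted(parts, key=lambda p: p.lba_start):
        if p.lba_start < next_free:
            raise ValueError(f"partition {p.index} overlaps an earlier partition")
        if p.lba_start > next_free:
            gaps.append((next_free, p.lba_start - next_free))
        next_free = p.lba_end + 1
    if total_sectors > next_free:
        gaps.append((next_free, total_sectors - next_free))
    return gaps


def _entry(status: int, ptype: int, start: int, count: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start, count)


# Constructed sample MBR: a bootable NTFS partition followed by a FAT32 partition.
SAMPLE_MBR = (
    bytes(TABLE_OFFSET)
    + _entry(0x80, 0x07, 2048, 204800)
    + _entry(0x00, 0x0B, 206848, 409600)
    + bytes(32)                       # two unused entries
    + SIGNATURE
)

if __name__ == "__main__":
    found = parse_mbr(SAMPLE_MBR)
    for p in found:
        flag = "*" if p.bootable else " "
        print(f"{flag} #{p.index} {p.type_name:<16} LBA {p.lba_start}-{p.lba_end}")
    print("unallocated gaps (start, length):", find_gaps(found, 1_000_000))
```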

Examining FAT Disks

1. Define File Allocation Table (FAT) as the file structure database that Microsoft
designed for floppy disks.

2. Explain that a FAT database is typically written to a disk’s outermost track and contains
filenames, directory names, date and time stamps, the starting cluster number, and file
attributes.

3. Describe the evolution of FAT versions using the following list:
a. FAT12
b. FAT16
c. FAT32
d. exFAT
e. VFAT

4. Mention that cluster sizes vary according to the hard disk size and file system. Use
Table 5-2 to illustrate your explanation.

5. Explain that Microsoft OSs allocate disk space for files by clusters. This practice results
in drive slack, composed of the unused space in a cluster between the end of an active
file’s content and the end of the cluster. Drive slack includes RAM slack and file slack.
Use Figure 5-8 to illustrate your explanation.

6. Mention that an unintentional side effect of FAT16 allowing large clusters was that it
reduced fragmentation as cluster size increased.

7. Explain that when you run out of room for an allocated cluster, the OS allocates another
cluster for your file. As files grow and require more disk space, assigned clusters are
chained together. The chain can be broken or fragmented.

8. Explain that when the OS stores data in a FAT file system, it assigns a starting cluster
position to a file. Data for the file is written to the first sector of the first assigned
cluster. When this first assigned cluster is filled and runs out of room, FAT assigns the
next available cluster to the file. If the next available cluster isn’t contiguous to the
current cluster, the file becomes fragmented.

Teaching Tip: For a more complete description of the File Allocation Table (FAT), visit:
http://www.tavi.co.uk/phobos/fat.html.

Deleting FAT Files

1. Explain that in the FAT file system, when a file is deleted, the directory entry is marked
as a deleted file with the HEX E5 character replacing the first letter of the filename, and
the FAT chain for that file is set to 0. The data in the file remains on the disk drive.

2. Mention that the area of the disk where the deleted file resides becomes unallocated
disk space. This space is now available to receive new data from newly created files or
other files needing more space.
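The 0xE5 deletion mark, the surviving starting-cluster field, and the drive slack left in a file's last cluster (item 5 under Examining FAT Disks) are all visible in the raw 32-byte directory entries. The following Python decoder is an added example, not code from the textbook or its instructor materials; the directory bytes it parses are a constructed sample.

```python
"""Decode 32-byte FAT directory entries and flag deleted files.

A short-name entry holds the 8.3 name, attributes, timestamps, the starting
cluster (split into high and low 16-bit halves) and the file size. When a file
is deleted the first name byte is overwritten with 0xE5, but the rest of the
entry, including the starting cluster, stays intact until the slot is reused.
"""
import struct
from dataclasses import dataclass
from typing import List

# name, ext, attr, ntres, ctime_tenth, ctime, cdate, adate, clus_hi, mtime, mdate, clus_lo, size
ENTRY_FMT = "<8s3sBBBHHHHHHHI"
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F
DELETED_MARK = 0xE5


@dataclass
class DirEntry:
    name: str
    deleted: bool
    is_dir: bool
    first_cluster: int
    size: int
    modified: str


def fat_timestamp(date: int, time: int) -> str:
    """Expand a packed FAT date (7-bit year since 1980, month, day) and time (2 s units)."""
    year, month, day = (date >> 9) + 1980, (date >> 5) & 0x0F, date & 0x1F
    hour, minute, sec = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{sec:02d}"


def parse_directory(data: bytes) -> List[DirEntry]:
    """Walk a directory cluster, keeping both live and 0xE5-marked entries."""
    entries = []
    for off in range(0, len(data) - len(data) % 32, 32):
        raw = data[off:off + 32]
        if raw[0] == 0x00:
            break                       # no entries beyond this point
        (name, ext, attr, _ntres, _tenth, _ctime, _cdate, _adate,
         clus_hi, mtime, mdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
        if attr & ATTR_LONG_NAME == ATTR_LONG_NAME or attr & ATTR_VOLUME_ID:
            continue                    # long-filename pieces and volume labels
        deleted = raw[0] == DELETED_MARK
        base = name.decode("latin-1").rstrip()
        if deleted:
            base = "?" + base[1:]       # the original first character is gone
        ext_s = ext.decode("latin-1").rstrip()
        full = f"{base}.{ext_s}" if ext_s else base
        entries.append(DirEntry(full, deleted, bool(attr & ATTR_DIRECTORY),
                                (clus_hi << 16) | clus_lo, size,
                                fat_timestamp(mdate, mtime)))
    return entries


def slack_bytes(size: int, cluster_bytes: int) -> int:
    """Drive slack: unused bytes between end of file content and end of its last cluster."""
    if size == 0:
        return 0                        # an empty file owns no cluster
    return (-size) % cluster_bytes


def _entry(name: bytes, ext: bytes, attr: int, cluster: int, size: int,
           mdate: int, mtime: int) -> bytes:
    return struct.pack(ENTRY_FMT, name.ljust(8), ext.ljust(3), attr, 0, 0, 0, 0, 0,
                       cluster >> 16, mtime, mdate, cluster & 0xFFFF, size)


# Constructed sample directory: a live file, one long-filename fragment, a
# deleted file whose first name byte was overwritten with 0xE5, then the
# 0x00 end marker.
_DATE_2019_03_15 = ((2019 - 1980) << 9) | (3 << 5) | 15
_TIME_14_30_00 = (14 << 11) | (30 << 5)
_LFN = bytes([0x41]) + bytes(10) + bytes([ATTR_LONG_NAME]) + bytes(20)
SAMPLE_DIR = (
    _entry(b"REPORT", b"DOC", 0x20, 5, 20480, _DATE_2019_03_15, _TIME_14_30_00)
    + _LFN
    + _entry(b"\xE5ECRET", b"TXT", 0x20, 18, 1234, _DATE_2019_03_15, _TIME_14_30_00)
    + bytes(32)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        state = "DELETED" if e.deleted else "live"
        print(f"{e.name:<14} {state:<8} cluster {e.first_cluster:<5} "
              f"{e.size} bytes, slack {slack_bytes(e.size, 4096)} (4 KB clusters), {e.modified}")
```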

Examining NTFS Disks

1. Explain that New Technology File System (NTFS) was introduced with Windows NT,
and is still the primary file system in Windows 10.

2. Improvements over FAT file systems include:
a. NTFS provides more information about a file
b. With NTFS, you also have more control over files and folders

3. Explain that NTFS was Microsoft’s move toward a journaling file system. In NTFS,
everything written to the disk is considered a file.

4. Explain that on an NTFS disk, the first data set is the Partition Boot Sector.
Immediately after the Partition Boot Sector is the Master File Table (MFT). The MFT,
similar to FAT in earlier Microsoft OSs, is the first file on the disk.

5. Mention that NTFS results in much less file slack space. Clusters are smaller for smaller
disk drives. Use Table 5-3 to illustrate your explanation.

6. Mention that NTFS (and VFAT for long filenames) also uses Unicode, an international
data format. Explain that Unicode uses an 8-bit, a 16-bit, or a 32-bit configuration,
known as UTF-8 (Unicode Transformation Format), UTF-16, and UTF-32.

NTFS System Files

1. Explain that the MFT contains information about all files on the disk, including the
system files the OS uses. In the MFT, the first 15 records are reserved for system files.

2. Explain that records in the MFT are called metadata. Use Table 5-4 to show different
metadata records in the MFT.

MFT and File Attributes

1. Mention that in the NTFS MFT, all files and folders are stored in separate records of
1024 bytes each.

2. Explain that each record contains file or folder information. This information is divided
into record fields containing metadata. A record field is referred to as an attribute ID.
Use Table 5-5 to illustrate your explanation.

3. Explain that file or folder information is typically stored in one of two ways in an MFT
record: resident and nonresident.

4. Mention that files larger than 512 bytes are stored outside the MFT. An MFT record
provides cluster addresses where the file is stored on the drive’s partition. These
addresses are referred to as data runs. Each MFT record starts with a header identifying
it as a resident or nonresident attribute. Use Figures 5-10 through 5-12 to illustrate your
explanation.

5. Explain that when a disk is created as an NTFS file structure, the OS assigns logical
clusters to the entire disk partition. These assigned clusters are called logical cluster
numbers (LCNs). LCNs become the addresses that allow the MFT to link to nonresident
files on the disk’s partition.

6. Discuss the concept of a virtual cluster number (VCN). Point out that the value in
VCN(0) is the first cluster for the file; this value is the cluster’s actual LCN. VCNs are
also signed integers so that if the next largest unused disk space is at a lower address
than the previous VCN, the lower value address can be computed by simply adding a
negative number to the VCN.

MFT Structures for File Data

1. Explain that the first section of an MFT record is the header that defines the size and
starting position of the first attribute. Point out that following the header are attributes
that are specific for the file type.

2. Use Figures 5-13 through 5-18 to discuss the attributes found after an MFT Header.

3. Explain how to interpret a data run. Use Figures 5-19 through 5-23 in your explanation.
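The VCN-to-LCN mapping with signed relative offsets (item 6 under MFT and File Attributes) is exactly what a data-run decoder implements, and it is the step item 3 above asks you to walk through. The following Python is an added example, not the textbook's or any forensic tool's code; the run list it decodes is a constructed sample.

```python
"""Decode an NTFS non-resident data run list into on-disk cluster extents.

Each run starts with a header byte: the low nibble is the size in bytes of the
run-length field and the high nibble the size of the offset field that follow.
The length is unsigned; the offset is a signed little-endian delta from the
previous run's starting LCN, so a run placed at a lower address on disk is
reached by adding a negative number. An offset size of zero means a sparse run
(the VCNs exist but own no clusters). A 0x00 header byte ends the list.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Run:
    vcn: int              # first virtual cluster of this run within the file
    length: int           # clusters in the run
    lcn: Optional[int]    # starting logical cluster on disk; None for a sparse run


def decode_runlist(runlist: bytes) -> List[Run]:
    """Turn the raw run-list bytes of a $DATA attribute into absolute extents."""
    runs: List[Run] = []
    pos, vcn, prev_lcn = 0, 0, 0
    while pos < len(runlist):
        header = runlist[pos]
        pos += 1
        if header == 0x00:
            break                                  # end-of-list marker
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or len_size > 8 or off_size > 8:
            raise ValueError(f"invalid run header 0x{header:02X} at byte {pos - 1}")
        if pos + len_size + off_size > len(runlist):
            raise ValueError("run list is truncated")
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            lcn = None                             # sparse: no clusters on disk
        else:
            delta = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn = prev_lcn + delta
            if lcn < 0:
                raise ValueError(f"run at VCN {vcn} resolves to negative LCN {lcn}")
            prev_lcn = lcn                         # next delta is relative to this run
        runs.append(Run(vcn, length, lcn))
        vcn += length
    return runs


def vcn_to_lcn(runs: List[Run], vcn: int) -> Optional[int]:
    """Map a virtual cluster of the file to its logical cluster on disk."""
    for r in runs:
        if r.vcn <= vcn < r.vcn + r.length:
            return None if r.lcn is None else r.lcn + (vcn - r.vcn)
    raise ValueError(f"VCN {vcn} is beyond the end of the run list")


def byte_extents(runs: List[Run], cluster_bytes: int) -> List[Tuple[int, int]]:
    """Absolute (start, end-exclusive) byte ranges on the volume, skipping sparse runs."""
    return [(r.lcn * cluster_bytes, (r.lcn + r.length) * cluster_bytes)
            for r in runs if r.lcn is not None]


# Constructed sample: 24 clusters at LCN 0x3456 (13398), then 3 clusters 4081
# clusters *lower* on disk (offset bytes 0F F0 = 0xF00F = -4081 as a signed
# 16-bit value), then a 5-cluster sparse run, then the terminator.
SAMPLE_RUNLIST = bytes.fromhex("21 18 56 34 21 03 0F F0 01 05 00")

if __name__ == "__main__":
    for r in decode_runlist(SAMPLE_RUNLIST):
        where = "sparse" if r.lcn is None else f"LCN {r.lcn}-{r.lcn + r.length - 1}"
        print(f"VCN {r.vcn:>4} +{r.length:<3} -> {where}")
```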

NTFS Alternate Data Streams

1. Define alternate data streams as ways data can be appended to existing files. Data
streams can obscure valuable evidentiary data, intentionally or by coincidence.

2. Explain that in NTFS, an alternate data stream becomes an additional file attribute and
allows the file to be associated with different applications. You can only tell whether a
file has a data stream attached by examining that file’s MFT record entry. Use Figures
5-24 and 5-25 in your explanation.

NTFS Compressed Files

1. Explain that NTFS provides compression similar to FAT DriveSpace 3, which is a
Windows 98 compression utility. With NTFS, you can compress files, folders, or entire
volumes.

2. Mention that most forensics tools can uncompress and analyze compressed Windows
data.

NTFS Encrypting File System

1. Explain that Encrypting File System (EFS) was introduced with Windows 2000 and
implements public key and private key methods of encrypting files, folders, or disk
volumes.

2. Explain that when EFS is used in Windows 2000 and later, a recovery certificate is
generated and sent to the local Windows administrator account.

3. Mention that users can apply EFS to files stored on their local workstations or a remote
server.

EFS Recovery Key Agent

1. Explain that the Recovery Key Agent implements the recovery certificate, which is in
the Windows administrator account. Windows administrators can recover a key in two
ways: through Windows or from a command prompt.

2. Describe how Windows administrators can recover a key using the following
commands:
a. cipher
b. copy

Deleting NTFS Files

1. Explain that when a file is deleted in Windows NT and later, the OS renames it and
moves it to the Recycle Bin. Another method is using the del (delete) MS-DOS
command. This method eliminates the file from the MFT listing in the same way FAT
does.

2. Discuss the steps that the OS takes when a file or folder is deleted in Windows or File
Explorer.

Resilient File System

1. Introduce students to Microsoft’s new file system: Resilient File System (ReFS). Point
out that it was introduced in Windows Server 2012 and is designed to address very large
data storage needs (such as cloud storage).

2. Discuss the following features that are incorporated into ReFS’s design:
a. Maximized data availability
b. Improved data integrity
c. Designed for scalability

3. Mention that ReFS uses disk structures similar to the MFT in NTFS. Its storage engine
uses a B+-tree sort method for fast access to large data sets.

Quick Quiz 1
1. ____ refers to a disk’s structure of platters, tracks, and sectors.
Answer: Geometry

2. In Microsoft file structures, sectors are grouped to form ____, which are storage
allocation units of one or more sectors.
Answer: clusters

3. True or False: The Master Boot Record (MBR) is located at sector 0 of the disk drive.
Answer: True

4. Of particular interest when you’re examining NTFS disks are ____, which are ways
data can be appended to existing files.
Answer: alternate data streams

5. The purpose of the ____ is to provide a mechanism for recovering encrypted files under
EFS if there’s a problem with the user’s original private key.
Answer: recovery certificate

Understanding Whole Disk Encryption

1. Mention that in recent years, there has been more concern about loss of personal
identity information (PII) and trade secrets caused by computer theft. Of particular
concern is the theft of laptop computers and other handheld devices.

2. Explain that to help prevent loss of information, software vendors now provide whole
disk encryption. Current whole disk encryption tools offer the following features:
a. Preboot authentication
b. Full or partial disk encryption with secure hibernation
c. Advanced encryption algorithms
d. Key management function

3. Explain that whole disk encryption tools encrypt each sector of a drive separately. Many
of these tools encrypt the drive’s boot sector to prevent any efforts to bypass the secured
drive’s partition.

4. Mention that to examine an encrypted drive, you must decrypt it first, which means you
must run a vendor-specific program to decrypt the drive.

Examining Microsoft BitLocker

1. Mention that Microsoft BitLocker is available with Vista Enterprise and Ultimate
editions, Windows 7, 8, and 10 Professional and Enterprise editions, and Windows
Server 2008 and later.

2. Describe the current hardware and software requirements, including:
a. A computer capable of running Windows Vista or later (non-home editions)
b. The TPM microchip, version 1.2 or newer
c. A computer BIOS compliant with Trusted Computing Group (TCG)
d. Two NTFS partitions and an active system volume with available space
e. The BIOS configured so that the hard drive boots first before checking other
bootable peripherals

Teaching Tip: For more information about BitLocker, visit:
https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-overview.

Examining Third-Party Disk Encryption Tools

1. Describe some of the available third-party WDE utilities, including:
a. Endpoint Encryption
b. Voltage SecureFile
c. Jetico BestCrypt Volume Encryption

Understanding the Windows Registry

1. Define the Windows Registry as a database that stores hardware and software
configuration information, network connections, user preferences, and setup
information.

2. Mention that for investigative purposes, the Registry can contain valuable evidence.

3. Explain that to view the Registry, you can use the Regedit (Registry Editor) program for
Windows 9x systems, and Regedt32 for Windows 2000, XP, and Vista. Mention that
for Windows 7 and 8, both Regedit and Regedt32 are available.

Exploring the Organization of the Windows Registry

1. Describe some of the following Registry terminology:
a. Registry
b. Registry Editor
c. HKEY
d. Key
e. Subkey
f. Branch
g. Value
h. Default value
i. Hives

2. Use Table 5-6 to describe how Registry files are organized in all Windows systems.

3. Use Figure 5-26 to explain how to use the Windows XP Registry Editor to view
HKEYs.

4. Use Table 5-7 to describe the Registry HKEYs and their functions.

Teaching Tip: Mention that one of the easiest ways to examine the Registry is to load an image
of a Windows machine into AccessData FTK and then click File, Registry Viewer.

Examining the Windows Registry

1. Use Figures 5-27 through 5-30 to describe how to use OSForensics to examine Registry
files.

Understanding Microsoft Startup Tasks

1. In this section, you will learn what files are accessed when Windows starts. Explain that
this information helps determine when a suspect’s computer was last accessed, which is
particularly important with computers that might have been used after an incident was
reported.

Startup in Windows 7, Windows 8, and Windows 10

1. Point out that this section covers desktop and laptop computers running Windows 10,
although Windows Vista, 7 and 8 are very similar.

2. Explain that in Windows Vista and later, the boot process uses a boot configuration data
(BCD) store. Mention that for desktops and laptops, a BCD Registry file is maintained
to control the boot process. Explain that to access this file, you use the BCD Editor.

3. Point out that in Windows 8 and 10, the BCD contains the boot loader that initiates the
system’s bootstrap process when Windows starts. Press F8 or F12 to access the
Advanced Boot Options menu during the bootstrap process.

Startup in Windows NT and Later

1. Explain that all NTFS computers perform the following steps when the computer is
turned on:
a. Power-on self test (POST)
b. Initial startup
c. Boot loader
d. Hardware detection and configuration
e. Kernel loading
f. User logon

2. Explain that when Microsoft developed Vista, it updated the boot process to use the
new Extensible Firmware Interface (EFI) as well as the older BIOS system. Point out
that the Ntldr program in Windows XP used to load the OS has been replaced with these
three boot utilities:
a. Bootmgr.exe
b. Winload.exe
c. Winresume.exe

3. Describe the startup files for Windows XP, including:
a. NT Loader (NTLDR)
b. Boot.ini
c. BootSect.dos
d. NTDetect.com
e. NTBootdd.sys
f. Ntoskrnl.exe
g. Hal.dll
h. Pagefile.sys
i. Device drivers

4. Use Table 5-8 to describe the Windows XP system files.

5. Explain that when you start a Windows XP NTFS workstation, several files are
accessed immediately. The last access date and time stamp for the files change to the
current date and time. This change destroys any potential evidence that shows when a
Windows XP workstation was last used.

Understanding Virtual Machines

1. Explain that virtual machines enable you to run another OS on an existing physical
computer (known as the host computer) by emulating a computer’s hardware
environment. A virtual machine consists of several files. Use Figure 5-31 to illustrate
your explanation.

2. Mention that a virtual machine recognizes components of the host machine it’s loaded
on. The guest OS is limited by the host computer’s OS.

3. Explain that in digital forensics, virtual machines make it possible to restore a suspect
drive on your virtual machine and run nonstandard software the suspect might have
loaded.

4. From a network forensics standpoint, you need to be aware of some potential issues,
such as a virtual machine used to attack another system or network.

Creating a Virtual Machine

1. Mention that some popular applications for creating virtual machines are VMware
Server, VMware Player and VMware Workstation, Oracle VM VirtualBox, Microsoft
Virtual PC, and HyperV (available in current versions of Windows Server).

2. Use Figures 5-32 through 5-34 to describe how to create a new virtual machine with
VirtualBox.

3. Supply students with the ISO image needed to complete the activity starting on page
250 of the textbook. Remind students that virtual machines are limited by the host
computer they are loaded on.

Quick Quiz 2
1. A single sign-on password, a fingerprint scan, or a token (USB device) are all examples
of the _____ feature found in whole disk encryption.
Answer: preboot authentication

2. The _____ is a database in Windows that stores hardware and software configuration
information, network connections, user preferences (including usernames and
passwords), and setup information.
Answer: Registry

3. Specific branches located in HKEY_USER and HKEY_LOCAL_MACHINE are known as
_____.
Answer: hives

4. ____ is the Windows XP OS kernel, located in the system-root\Windows\System32
folder.
Answer: Ntoskrnl.exe

5. A(n) ____ enables you to run another OS on an existing physical computer (known as
the host computer) by emulating a computer’s hardware environment.
Answer: virtual machine

Class Discussion Topics

1. Mention at least three situations where Whole Disk Encryption (WDE) solutions are
required.

2. What are the advantages of using the Registry instead of initialization (.ini) files?
Explain your answers.

Additional Projects
1. Ask your students to read this article that describes the Google file system:
http://computer.howstuffworks.com/internet/basics/google-file-system.htm. Have them
write a report summarizing the most significant points.

2. Ask your students to use the Internet to read more about journaling file systems such as
NTFS, extfs2, and extfs3. Have them write a report with the most significant points,
including the primary advantages and disadvantages of journaling file systems.

Additional Resources
1. File system:
http://searchstorage.techtarget.com/definition/file-system

2. BIOS:
https://www.howtogeek.com/179789/htg-explains-what-is-bios-and-when-should-i-use-it/

3. Master boot record:
http://technet.microsoft.com/en-us/library/cc976786.aspx

4. NTFS:
http://technet.microsoft.com/en-us/library/cc781134%28v=ws.10%29.aspx

5. Encrypting File System:
https://technet.microsoft.com/en-us/library/cc700811.aspx

6. EFS - Encrypting File System. Encrypted Files and Folders (NTFS ver 3.0 and newer):
www.ntfs.com/ntfs-encrypted.htm

7. BitLocker Drive Encryption Technical Overview:
http://technet.microsoft.com/en-us/library/dd835565%28v=ws.10%29.aspx

Key Terms
• alternate data streams — Ways in which data can be appended to a file (intentionally
or not) and potentially obscure evidentiary data. In NTFS, alternate data streams
become an additional file attribute.
 American Standard Code for Information Interchange (ASCII) — An 8-bit coding


scheme that assigns numeric values to up to 256 characters, including letters, numerals,
punctuation marks, control characters, and other symbols.
 areal density — The number of bits per square inch of a disk platter.
 attribute ID — In NTFS, an MFT record field containing metadata about the file or
folder and the file’s data or links to the file’s data.
 Boot.ini — A file that specifies the Windows path installation and a variety of other
startup options.
 BootSect.dos — If a machine has multiple booting OSs, NTLDR reads BootSect.dos,
which is a hidden file, to determine the address (boot sector location) of each OS. See
also NT Loader (NTLDR).
 bootstrap process — Information contained in ROM that a computer accesses during
startup; this information tells the computer how to access the OS and hard drive.
 clusters — Storage allocation units composed of groups of sectors. Clusters are 512,
1024, 2048, or 4096 bytes each.
 cylinder — A column of tracks on two or more disk platters.
 data runs — Cluster addresses where files are stored on a drive’s partition outside the
MFT record. Data runs are used for nonresident MFT file records.
 device drivers — Files containing instructions for the OS for hardware devices, such as
the keyboard, mouse, and video card.
 drive slack — Unused space in a cluster between the end of an active file and the end
of the cluster. It can contain deleted files, deleted e-mail, or file fragments. Drive slack
is made up of both file slack and RAM slack. See also file slack and RAM slack.
 Encrypting File System (EFS) — A public/private key encryption first used in
Windows 2000 on NTFS-formatted disks. The file is encrypted with a symmetric key,
and then a public/private key is used to encrypt the symmetric key.
 File Allocation Table (FAT) — The original Microsoft file structure database. It’s
written to the outermost track of a disk and contains information about each file stored
on the drive. PCs use the FAT to organize files on a disk so that the OS can find the
files it needs. The variations are FAT12, FAT16, and FAT32.
 file slack — The unused space created when a file is saved. If the allocated space is
larger than the file, the remaining space is slack space and can contain passwords, logon
IDs, file fragments, and deleted e-mails.
 file system — The way files are stored on a disk; gives an OS a road map to data on a
disk.
 geometry — A disk drive’s internal organization of platters, tracks, and sectors.
 Hal.dll — The Hardware Abstraction Layer dynamic link library allows the OS kernel
to communicate with hardware.
 head — The device that reads and writes data to a drive.
 head and cylinder skew — A method manufacturers use to minimize lag time. The
starting sectors of adjacent tracks are slightly offset from each other to allow for the time
it takes to move the read-write head.
 High Performance File System (HPFS) — The file system IBM uses for its OS/2
operating system.
 Info2 file — In Windows NT, 2000, and XP, the control file for the Recycle Bin. It
contains ASCII data, Unicode data, and date and time of deletion.
 ISO image — A bootable file that can be copied to CD or DVD; typically used for
installing operating systems. It can also be read by virtualization software when creating
a virtual boot disk.
 logical addresses — When files are saved, they are assigned to clusters, which the OS
numbers sequentially starting at 2. Logical addresses point to relative cluster positions,
using these assigned cluster numbers.
 logical cluster numbers (LCNs) — Numbers the MFT uses to refer to a specific
physical location on a disk partition. LCNs become the addresses that allow the MFT to
read and write data to the disk’s nonresident attribute area. See also virtual cluster
number (VCN).
 Master Boot Record (MBR) — On Windows and DOS computer systems, this boot
disk file contains information about partitions on a disk and their locations, size, and
other important items.
 Master File Table (MFT) — NTFS uses this database to store and link to files. It
contains information about access rights, date and time stamps, system attributes, and
other information about files.
 metadata — In NTFS, this term refers to information stored in the MFT. See also
Master File Table (MFT).
 NTBootdd.sys — A device driver that allows the OS to communicate with SCSI or
ATA drives that aren’t related to the BIOS.
 NTDetect.com — A 16-bit program that identifies hardware components during startup
and sends the information to NTLDR.
 NT File System (NTFS) — The file system Microsoft created to replace FAT. NTFS
uses security features, allows smaller cluster sizes, and uses Unicode, which makes it a
more versatile system. NTFS is used mainly on newer OSs, starting with Windows NT.
 NT Loader (NTLDR) — A program located in the root folder of the system partition
that loads the OS. See also BootSect.dos.
 Ntoskrnl.exe — The kernel for the Windows NT family of OSs.
 one-time passphrase — A password used to access special accounts or programs
requiring a high level of security, such as a decryption utility for an encrypted drive.
This passphrase can be used only once, and then it expires.
 Pagefile.sys — At startup, data and instruction code are moved in and out of this file to
optimize the amount of physical RAM available during startup.
 partition — A logical drive on a disk. It can be the entire disk or part of the disk.
 Partition Boot Sector — The first data set of an NTFS disk. It starts at sector [0] of the
disk drive and can expand up to 16 sectors.
 partition gap — Unused space or void between the primary partition and the first
logical partition.
 personal identity information (PII) — Any information that can be used to create
bank or credit card accounts, such as name, home address, Social Security number, and
driver’s license number.
 physical addresses — The actual sectors in which files are located. Sectors reside at
the hardware and firmware level.
 private key — In encryption, the key used to decrypt the file. The file owner keeps the
private key.
 public key — In encryption, the key used to encrypt a file; it’s held by a certificate
authority, such as a global registry, network server, or company such as VeriSign.
 RAM slack — The unused space between the end of the file (EOF) and the end of the
last sector used by the active file in the cluster. Any data residing in RAM at the time
the file is saved, such as logon IDs and passwords, can appear in this area, whether the
information was saved or not. RAM slack is found primarily in older Microsoft OSs.
 recovery certificate — A method NTFS uses so that a network administrator can
recover encrypted files if the file’s user/creator loses the private key encryption code.
 Registry — A Windows database containing information about hardware and software
configurations, network connections, user preferences, setup information, and other
critical information.
 Resilient File System (ReFS) — A new file system developed for Windows Server
2012. It allows increased scalability for disk storage and improved features for data
recovery and error checking.
 sector — A section on a track, typically made up of 512 bytes.
 track density — The space between tracks on a disk. The smaller the space between
tracks, the more tracks on a disk. Older drives with wider track densities allowed the
heads to wander.
 tracks — Concentric circles on a disk platter where data is stored.
 unallocated disk space — Partition disk space that isn’t allocated to a file. This space
might contain data from files that have been deleted previously.
 Unicode — A character code representation that’s replacing ASCII. It’s capable of
representing more than 64,000 characters and non-European-based languages.
 UTF-8 (Unicode Transformation Format) — One of three formats Unicode uses to
translate languages for digital representation.
 virtual cluster number (VCN) — When a large file is saved in NTFS, it’s assigned a
logical cluster number specifying a location on the partition. Large files are referred to
as nonresident files. If the disk is highly fragmented, VCNs are assigned and list the
additional space needed to store the file. The LCN is a physical location on the NTFS
partition; VCNs are the offset from the previous LCN data run. See also data runs and
logical cluster numbers (LCNs).
 virtual hard disk (VHD) — A file representing a system’s hard drive that can be
booted in a virtualization application and allows running a suspect’s computer in a
virtual environment.
 virtual machines — Enable you to run another OS on an existing physical computer
(known as the host computer) by emulating a computer’s hardware environment.
 wear-leveling — An internal firmware feature used in solid-state drives that ensures
even wear of read/writes for all memory cells.
 zone bit recording (ZBR) — The method most manufacturers use to deal with a
platter’s inner tracks being shorter than the outer tracks. Grouping tracks by zones
ensures that all tracks hold the same amount of data.