Question

• Explain the purpose and structure of files systems
• Describe Microsoft files systems
• Explain the structure of NTFS disks
• List some options for decrypting drives encrypted with whole disk encryption
• Explain how Windows registry works
• Describe Microsoft start-up tasks
• Explain the purpose of a virtual machine
• Describe available digital software forensics tools
• List some considerations for digital forensics hardware tools
• Describe methods for validating and testing forensics tools

Answer 1

A file system is the way in which files are named and where they are placed logically for storge and retrieval. Without a file system, stored information wouldn't be isolated into individual files and would be difficult to identify and retrieve. As data capacities increase, the organization and accessibility of individual files are becoming even more important in data storage.

Purpose of a File System:

• Data Creation
• Data modification
• Last date of Access
• Backup

Structure of File system:

Microsoft File System:

Resilient File System(ReFS) condenamed "Protogon", is a Microsoft propietary file system introduced with Windows Server 2012 with the intent of becoming the "next generation" file system after NTFS.ReFS was designed to overcome problems that had become significant over the years since NTFS was cinceived, which are related to how data storage requirements had changed.The key design advantages of ReFS include automatic integrity checking and data scrubbing, removal of the need for running chkdsk, protection against data degradation, built in handling of hard disk drive failure and redundancy, integration of RAID functionality, a switch to copy/aloocate on write for data and meta data updates, handling of very long paths and filenames, and storage virtualization and pooling, including almost arbitrarily sized logical volumes.

How Windows Registry works?

The registry contain information used by windows and your programs. The registry helps the operating system manage the computer, it helps program to use the computer's resources, and it provides a location for keeping custom settings you make in both Windos and the programs. For Example,When you change the Windows desktop, the changes are stored in the Registry. when you see a list of recently opened file that list is stored inthe registry and changes you make to the status bar in wordthey are kept in the registry too.The Registry is essentially a database. Its information is stored on disk for the most part, through dynamic information also exists in the computer's memory. All the information is organized by using a structure similar to folders in the file storage system. The top level of the Registry contains hives, each of which starts with the curious word HKEY.

Microsoft Startup Task:

Purpose of Virtual Machine:

Available Digital Software:

• SANS SIFT: 64-bit base system, Auto-DFIR package update and customization,Cross compatibility with Linux and Windows, Expanded filesystem support, Option to install the standalone system.
• CrowdStrike CrowdResponse: Comes with three modules- directory listening, active running module and YARA processing module. Displays application resource information, Verifies the digital signature of the process executable, Scans memory, loaded module files, and on disk files of all currently running processes.
• The Sleuth Kit: Displys system events through a graphical interface, Offers registry, LNK Files,and EMAIL analyses, supports most common file formats,Ectract data from SMS, call logs,contacts, tango and words with friends and analyses the same.
• FTK Imager: Comes with Data Preview capability to preview files/folders as well as content in it, Supports Image Mounting, Uses multicore CPUs to parallerize actions, Accesses a shared case database , so a single central database is enough for a single case.

Digital Forensic Hardware Toos:

• Cellebrite UFED Touch 2
• Branded Tablet Cellebrite UFED Touch2 or UFED 4PC
• UFED Physical Aalyzer
• MSAB XRY/MSAB XRYField
• MSAB XRY Kiosk
• Rusolut

Methoda for Validating and Testing Forensic TOOLS: