Security Resource Hub
Digital Forensics

Topic 2: Forensics for OS and File Systems

Complete & Continue Next Lesson Learn More

Forensics for Windows

In digital forensics on Windows operating systems, several crucial aspects and file systems must be considered.

Windows operating systems, including Windows 10 and 11, utilize the New Technology File System (NTFS) as the default file system. NTFS offers several significant features for digital forensics, such as access control, encryption, and journaling.

One of the critical challenges in Windows digital forensics is the proliferation of user data and system artifacts. Windows systems generate many log files, registry entries, and temporary files, which can contain valuable information for forensic analysis. Navigating this data requires expertise and a thorough understanding of the Windows file system structures. It often involves extracting and analyzing volatile data from live systems, such as active processes, network connections, and system memory. This volatile data can provide real-time insights into system activities and potential security incidents.

Working with Windows File Systems

Windows uses the New Technology File System (NTFS) as its default file system. Understanding the intricacies of NTFS is crucial for forensic analysis. NTFS features log files, master file tables (MFT), and attribute lists, all of which hold valuable information for forensic investigators. A partition is a logical drive, and a Windows OS can have up to three primary partitions followed by an extended partition. The Master Boot Record (MBR) stores information about partitions on a disk. The FAT is structured so that each file and directory is allocated with a data structure called directory entry, which consists of the filename, size, starting address of the file, and other related metadata.

  • Artifact Analysis: Various artifacts within the Windows file system are examined to reconstruct events and activities. These artifacts may include system registries, event logs, link files, prefetch data, and volume shadow copies. Each can yield critical information about user activities, program execution, file access, and system changes.

  • Data Recovery: Deleted files, temporary files, and remnants of previously accessed data can be crucial in reconstructing events and understanding user behavior. Advanced forensic tools and techniques are employed to recover, carve, and analyze such data from the Windows file system.

  • Timestamp Analysis: File timestamps such as creation, modification, and access times can provide a timeline of events, aiding investigators in establishing a sequence of activities and identifying potential indicators of tampering or manipulation.

Understanding Forensics in MacOS

MacOS primarily utilizes the Apple File System (APFS), which creates data storage and retrieval complexities. The structure of APFS and its impact on data acquisition are crucial for forensic experts. Features like FileVault (full-disk encryption) further complicate the forensic process.

  • Volatile Data and Incident Response: Volatile data in MacOS, such as running processes, network connections, and system logs, holds significant value in a forensic investigation. Rapid and efficient collection of volatile data is essential for incident response and analysis of live systems.

  • HFS+ and APFS: HFS+ has been the standard file system for MacOS for many years. However, with the introduction of macOS High Sierra in 2017, Apple introduced the APFS as the default file system for solid-state drives.

  • File Recovery and Metadata: The structure of HFS+ and APFS impacts the way data is stored, deleted, and potentially recoverable. Examining the system metadata, such as file creation dates, access times, and user actions, can provide critical evidence in a forensic investigation.

  • Artifacts and System Logs: MacOS maintains an array of artifacts and system logs, including internet history, application usage data, user preferences, and system logs, all of which can offer insights into user behavior and system activities.

Forensics For Linux

Several important considerations must be made when performing forensics on Linux file systems. Linux file systems, such as ext4, XFS, and Btrfs, have data structures and storage mechanisms that differ from those in Windows or macOS environments.

Unix and Linux have four components defining the file system

  • Boot block: Contains bootstrap code and has only one boot block 

  • Superblock: Specifies disk geometry available space, tracks all nodes and manages the FS.

  • Inode block: first data after superblock, assigned every file allocation unit.

  • Data Block: where directories and files are stored.

Working with Linux File Systems

In the Linux file system, a hard link is a pointer that allows accessing the same file by different filenames. File content is stored in blocks, which are groups of consecutive sectors. Metadata for each file and directory is stored in a data structure called an Inode. The file's name is stored in a directory entry structure with a pointer to the Inodes. Each Inode can store the addresses of the first 12 blocks that a file has allocated. If a file needs more than 12 blocks, a block is allocated to store the remaining addresses. 

  • File System Analysis: Forensic analysis of Linux file systems often starts with understanding the specific file system. This includes identifying key data structures, such as inodes, block allocation maps, and journaling mechanisms. Tools like The Sleuth Kit and Autopsy are used for file system analysis and can provide insight into file metadata, timestamps, and deleted file recovery.

  • Data Recovery: Linux file systems store data in a way that may require specialized techniques for recovery. Understanding how file deletion and overwriting work in a Linux environment is crucial. Utilities like extundelete and photorec are designed to specifically target ext-based file systems, aiding in recovering deleted files.

  • Timeline Analysis: Understanding the timeline of file system events is pivotal in forensic investigations. Timesketch, an open-source tool, can create visual timelines of file activity, assisting in reconstructing events and file manipulation.

  • Artifact Analysis: Various artifacts, from shell history and logs to user and application data, can be examined using tools like plaso and log2timeline, which can provide crucial insights into system usage and potential security breaches.

Understanding Forensics in Virtual Machines

Challenges in VM Forensics

  • Isolation: Each VM is isolated from the host and other VMs, making accessing and analyzing data across different systems challenging.

  • Dynamic State: VMs can be easily cloned, paused, and resumed, leading to dynamic and rapidly changing states that make it difficult to capture and preserve evidence.

  • Data Encryption: VMs can use encrypted file systems, adding a layer of complexity to data acquisition and analysis.

Opportunities in VM Forensics

  • Snapshotting: VMs support taking snapshots, allowing investigators to analyze a VM's state at different points in time and aid in reconstructing events.

  • Centralized Management: VM management platforms provide centralized logs and monitoring data for forensic analysis.

  • Resource Isolation: VMs can help isolate specific resources for analysis without affecting the rest of the system.

Forensic Best Practices in VMs

  • Documentation: Detailed documentation of the VM configuration, including virtual hardware specifications and network settings [Record hash values of these files], is crucial for forensic analysis.

  • Chain of Custody: Establishing and maintaining a transparent chain of custody for VM images and related evidence is essential for maintaining the investigation's integrity