CF Lecture 12 - Windows Forensics


Dr. Zunera Jalil
Email: zunera.jalil@mail.au.edu.pk

Data Analysis for OS Forensics

• Forensic examiners perform data analysis to examine artifacts left by perpetrators, hackers, viruses, and spyware.
• They scan deleted entries, swap or page files, spool files, and RAM during this process.
• These collected artifacts can provide a wealth of information with regard to how malicious actors tried to cover their tracks and what they were doing to a system.
What is Operating System Forensics?

• Operating System Forensics is the process of retrieving useful information from the Operating System (OS) of the computer or mobile device in question.
• The aim is to acquire empirical evidence against the perpetrator.
  – An understanding of an OS and its file system is necessary to recover data for computer investigations.
  – The file system provides an operating system with a roadmap to the data on the hard disk and also defines how the hard drive stores that data.
  – Many file systems have been introduced for different operating systems:
    • FAT, exFAT, and NTFS for Windows OSs
    • Ext2fs or Ext3fs for Linux OSs.
What is Operating System Forensics?

• Data and file recovery techniques for these file systems include data carving, slack space, and data hiding.
• Another important aspect of OS forensics is memory forensics, which incorporates virtual memory, Windows memory, Linux memory, Mac OS memory, memory extraction, and swap spaces.
• OS forensics also involves web browsing artifacts, such as messaging and email artifacts.
• The most popular operating systems are Windows, Linux, Mac, iOS, and Android.
Windows Forensics

• Investigators can search out evidence by analyzing the following important locations in Windows:
1. Recycle Bin: This holds files that have been discarded by the user. When a user deletes files, a copy of them is stored in the Recycle Bin. This process is called “Soft Deletion”. Recovering files from the Recycle Bin can be a good source of evidence.
2. Thumbs.db Files: These hold thumbnails of images that can provide relevant information.
3. Browser History: Every web browser generates history files that contain significant information. Microsoft Windows Explorer is the default web browser for Windows OSs.
  – Other supported browsers are Opera, Mozilla Firefox, Google Chrome, and Apple Safari.
Windows Forensics

4. Print Spooling:
  – This process occurs when a computer prints files in a Windows environment. When a user sends a print command from a computer to the printer, the print spooling process creates a “print job” as files that remain in the queue until the print operation completes successfully.
  – The printer must be configured in either EMF mode or RAW mode.
    • In RAW mode, the print job is merely a straight graphic dump of itself.
    • In EMF mode, the graphics are converted into the EMF image format (Microsoft Enhanced Metafile).
  – These EMF files can be indispensable and can provide empirical evidence for forensic purposes.
Windows Forensics

• The path to EMF files is:
  For Windows NT and 2000: Winnt\system32\spool\printers
  For Windows XP/2003/Vista/2008/7/8/10: Windows\system32\spool\printers
• OS forensic tools can automatically detect the path; there is no need to define it.
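As an added example (not part of the lecture), a Python parser for the Recycle Bin metadata records behind item 1 above. On Windows Vista and later each soft-deleted file becomes a pair under C:\$Recycle.Bin\<user SID>\: $R<id> holds the content and $I<id> records the original path, size and deletion time; the record layout changed in Windows 10, and the parser handles both versions. The sample records are constructed inside the block, and the function names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed example, not from the lecture: parse the $I<id> metadata record
# that Windows writes next to each $R<id> under C:\$Recycle.Bin\<user SID>\.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_TIME = datetime(2022, 11, 2, 9, 30, 15, tzinfo=timezone.utc)  # constructed


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_recycle_index(data: bytes) -> dict:
    """Return the original path, size and deletion time recorded in a $I file."""
    if len(data) < 0x18:
        raise ValueError("record too short to hold a $I header")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:    # Vista through 8.1: fixed 520-byte UTF-16 path (260 chars)
        raw = data[0x18:0x18 + 520]
    elif version == 2:  # Windows 10 and later: character count, then the path
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": raw.decode("utf-16-le").split("\x00", 1)[0],
    }


def build_sample_record(version: int, path: str, size: int, deleted_at: datetime) -> bytes:
    """Constructed test data in the layout Windows writes (not a real capture)."""
    ft = ((deleted_at - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    name = (path + "\x00").encode("utf-16-le")  # null-terminated UTF-16LE path
    head = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return head + name.ljust(520, b"\x00")  # always a 544-byte file
    return head + struct.pack("<I", len(path) + 1) + name  # count includes the null


if __name__ == "__main__":
    rec = build_sample_record(2, r"C:\Users\alice\Documents\draft.docx", 34567, SAMPLE_TIME)
    print(parse_recycle_index(rec))
```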
Registry Forensics

5. Registry: The Windows Registry holds a database of keys and values that give useful pieces of information to forensic analysts.
  – The Windows Registry keeps most of the information pertaining to policies, status, etc. in the form of keys, subkeys and values.
  – The registry can be worked on by an administrator through an application such as ‘regedit’.
  – Windows also ships a command-line tool, ‘reg’, to help users work on the registry.
  – The registry contains hives under which subkeys are present. These hives play an important role in the overall functioning of the system.
Registry Forensics

(Figure: registry keys and associated files that record user activity on the system.)

Registry Forensics

  – An investigator can acquire a good deal of information by studying and analyzing the registry.
  – Many tools are handy for a thorough analysis of registry entries.
  – Registry entries can be used to acquire and analyze much important information necessary for forensic analysis.

Registry Forensics

  – The registry can reveal information such as time zone, shares, audit policy, wireless SSIDs, autostart locations, user logins and activities, USB removable devices, trusted devices, cache, cookies and history, etc.
Registry Structure

(Figure: diagram of the registry structure.)

Registry Introduction

• Whenever you install a software program/application, a hardware device, or a device driver for newly connected hardware in Windows:
  – The initial configuration settings of these components are stored in the registry.
• A Windows component, hardware or software, retrieves its registry entries or keys on every startup.
  – It also modifies the registry entries or keys corresponding to it in the course of its execution.
  – Registry data are sorted as computer-specific data or user-specific data in order to support multiple users.
Registry Introduction

• The registry is a hierarchical database holding critical information.
• The Windows registry is a tree structure:
  – Each node in the tree is called a key.
  – Each key can contain both subkeys and data entries called values.
  – The keys and key values are used by applications.
• A key can have any number of values, and the values can be in any form.
Registry Hives

• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE\SAM
• HKEY_LOCAL_MACHINE\SOFTWARE
• HKEY_LOCAL_MACHINE\SECURITY
• HKEY_LOCAL_MACHINE\SYSTEM
• HKEY_USERS
• HKEY_CURRENT_CONFIG
Registry Hives

• A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.
• Most of the supporting files for the hives are in %SystemRoot%\System32\Config.
• Each time a new user logs on to a computer, a new hive is created.
• This is called the user profile hive.
• A user's hive contains specific registry information pertaining to the user's application settings, desktop, environment, network connections, etc.
  – It is located under the HKEY_USERS key.
Registry Hives

• The permanent parts of the registry are stored as a set of files called the hive files.
• The locations of these files are listed in the hivelist subkey under HKLM\SYSTEM\CurrentControlSet\Control.
• These files are saved in systemroot\System32\Config and updated with each login.
Registry Hives

• This stores four of the five keys in HKEY_LOCAL_MACHINE and one key in HKEY_USERS:
  – SAM: contains information stored in the key HKLM\SAM about the Security Accounts Manager (SAM) service.
  – SECURITY: contains the security information stored in the key HKLM\SECURITY.
  – SOFTWARE: contains information stored in the key HKLM\SOFTWARE about the computer's software configuration.
  – SYSTEM: contains information stored in HKLM\SYSTEM about the computer's system configuration.
  – DEFAULT: contains the default system information that is stored in the key HKEY_USERS\.DEFAULT.
• HKEY_LOCAL_MACHINE\HARDWARE is not stored as a file, because it is recreated each time the system starts.
(Figures: screenshots of the HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG, HKEY_USERS, HKEY_LOCAL_MACHINE, HKEY_LOCAL_MACHINE\SAM, HKEY_LOCAL_MACHINE\SOFTWARE, HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SYSTEM hives; not reproduced.)
Hives and their associated files

• HKEY_CURRENT_CONFIG – System, System.alt, System.log, System.sav
• HKEY_CURRENT_USER – Ntuser.dat, Ntuser.dat.log
• HKEY_LOCAL_MACHINE\SAM – Sam, Sam.log, Sam.sav
• HKEY_LOCAL_MACHINE\Security – Security, Security.log, Security.sav
• HKEY_LOCAL_MACHINE\Software – Software, Software.log, Software.sav
• HKEY_LOCAL_MACHINE\System – System, System.alt, System.log, System.sav
• HKEY_USERS\.DEFAULT – Default, Default.log, Default.sav

In Windows NT and later, there are six files: Ntuser.dat, System.dat, SAM.dat, Software.dat, Security.dat, and Default.dat.

When examining registry data from a suspect drive after you have made an acquisition and are reviewing it in a forensics tool, you need to know the location of these files.
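An added example (not from the lecture) in Python: every hive file listed above begins with a 4096-byte base block whose "regf" header an examiner should validate before trusting the file. The parser checks the signature and header checksum, reads the last-written timestamp and the embedded file name, and flags a hive whose primary and secondary sequence numbers differ, which means the matching .log transaction log had not been merged when the file was acquired. The hive bytes are constructed inside the block, and the function and field names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed example, not from the lecture: reads the 4096-byte base block
# ("regf" header) that every hive file (SAM, SYSTEM, SOFTWARE, NTUSER.DAT) starts with.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BASE_BLOCK_SIZE = 4096
SAMPLE_TIME = datetime(2021, 3, 15, 12, 0, tzinfo=timezone.utc)  # constructed timestamp


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs that precede the checksum field at offset 0x1FC."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        csum ^= dword
    if csum == 0xFFFFFFFF:  # the two extreme values are reserved by the format
        return 0xFFFFFFFE
    return csum or 1


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_regf_header(block: bytes) -> dict:
    """Return the header fields an examiner checks before trusting a hive."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a registry hive: 'regf' signature missing")
    primary, secondary, written, major, minor = struct.unpack_from("<IIQII", block, 4)
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "hive_name": block[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0],
        "version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(written),
        # Unequal sequence numbers mean a write was in flight when the file was
        # captured: the matching .log transaction logs still need replaying.
        "dirty": primary != secondary,
        "checksum_ok": stored == regf_checksum(block),
    }


def build_sample_hive(name: str, primary: int, secondary: int, written: datetime) -> bytes:
    """Constructed test data: a minimal base block with a valid checksum."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    ft = ((written - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<IIQII", block, 4, primary, secondary, ft, 1, 5)
    block[0x30:0x70] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    print(parse_regf_header(build_sample_hive("SYSTEM", 7, 7, SAMPLE_TIME)))
    print(parse_regf_header(build_sample_hive("SAM", 9, 8, SAMPLE_TIME)))
```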
Volatile Hives

Some hives are volatile: they are created when the system starts or a user logs in.
• HKEY_LOCAL_MACHINE\System\CurrentControlSet
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE\Hardware

Changes in Hive Files

(Figure: screenshot, not reproduced.)

Path for Registry Files

(Figure: path for the HKEY_CURRENT_USER file NTUSER.DAT.)
(Figure: path for the HKEY_LOCAL_MACHINE files SAM, SYSTEM, SOFTWARE, SECURITY.)
Info of Interest in Registry

• Configuration settings
• Application settings
  – Download directories
  – Recently accessed files (images, movies, etc.)
  – AutoStart locations
  – Applications that start with little or no user interaction
• Tracking info
  – Attached USB devices (thumb drives, external HDs, digital cameras)
  – User activity MRUs
  – Viewed documents or images
  – Applications installed or launched (UserAssist keys)

Info of Interest in Registry

• Basic information about the system can be acquired:
• Computer name, time of last shutdown, product name, build, etc., time zone settings, wireless SSIDs, USB devices connected, users, MRUs
Info of Interest in Registry

Artifacts of Interest

• The computer name is the name that the user gives to the computer.
  – It is set once in the lifetime usage of the system.
  – It can be used to trace various activities on the network and internet carried out by the user.

• The time of last shutdown is the time at which the system was completely shut down.
  – It can lead us to the status of the user and the timestamps of various files.
  – It can be correlated to give an idea of the mental status of the suspect.

• Sometimes users themselves create shared folders and applications for others to use over the local network or internet (remote desktops).
  – This information can be traced to find and analyse what kind of things or information the user was trying to share, and thus the timestamps of the shared files/folders can also be analyzed.
Artifacts of Interest

• Audit policy information can be very useful as it tells us what types of information/events an investigator should look for in the event log.
• Service set identifiers (SSIDs) maintained by Windows can be useful in situations where unauthorized access needs to be investigated and IP addresses need to be traced.
• USB devices connected to the computer are also registered via the PnP (plug and play) manager.
Artifacts of Interest

• Many applications maintain MRU lists:
  – a list of recently used files or opened/created files.
  – Search assistant MRU lists are also maintained by search applications.
  – MRU lists of connected systems, etc. are also maintained.
• This information can be of genuine help in understanding the victim’s state of mind or condition just before the crime.
• System restore points can be studied to understand how and when the user created back-ups.
• Restore points can be used to understand the earlier state of the user's work.
Windows Password Storage

• Users and passwords in a Windows system are stored in one of two places:
  1. SAM (Security Account Manager)
  2. AD (Active Directory)

1. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista and Windows 7 that stores users' passwords. It can be used to authenticate local and remote users.
2. Active Directory is used to authenticate remote users. SAM uses cryptographic measures to prevent unauthorized users from gaining access to the system.

• The user passwords are stored in hashed form in a registry hive. This file can be found at %SystemRoot%/system32/config/SAM
Find it now?
Applications Password Cracking

• A password cracker is a program that can assist users to obtain unauthorized access to an application or resources.
• It can also help users to retrieve lost or forgotten passwords of any application.
• Password cracking methods:
  – Brute force method
  – Dictionary searches
  – Rule based attack
  – Password guessing
  – Rainbow attack
Applications Password Cracking

• Brute force attack
  – Works by calculating every possible combination that could make up a password and testing it to see if it is the correct password.
  – As the password’s length increases, the average time to find the correct password increases exponentially.
  – Short passwords can usually be discovered quite quickly, but longer passwords may take decades.
• Dictionary attack
  – A technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase from hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
  – It is based on trying all the strings in a pre-arranged listing, typically derived from a list of words such as in a dictionary (hence the phrase dictionary attack).
• Rule based attack
  – The attacker has some prior information from which a set of rules can be formed, and then the possible searches can be narrowed down to a great extent. This type of attack is the most powerful one.
Applications Password Cracking

• Hybrid attack and password guessing
  – Also based on the dictionary attack. If the old password is known, then concatenating it with other symbols can yield the right password. In the case of guessing, the common passwords mostly used by novice users are tried to crack codes.
• Rainbow attack
  – Any computer system that requires password authentication must contain a database of passwords, either hashed or in plaintext, and various methods of password storage exist. Such tables are vulnerable to theft, so storing the plaintext password is dangerous. Most databases store a cryptographic hash of a user's password.
  – A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.
  – Tables are usually used in recovering a password (or credit card numbers, etc.) up to a certain length consisting of a limited set of characters.
Applications Password Cracking

Brute-force attacks and dictionary attacks are the simplest methods available; however, these are not adequate for systems that use long passwords.
Password Recovery Tools

• Office Password Recovery Toolbox is software which effectively recovers lost passwords to any Microsoft Office document.
• Passware Kit Enterprise and Forensics can recover the password of up to 150 different file types.
Other OSs Forensics

Linux Forensics

• Linux is an open source, Unix-like, and elegantly designed operating system that is compatible with personal computers, supercomputers, servers, mobile devices, netbooks, and laptops.
• Unlike other OSs, Linux holds many file systems of the ext family, including ext2, ext3, and ext4.
• Linux can provide empirical evidence if a Linux-embedded machine is recovered from a crime scene.
• The following folders and directories will be of interest to investigators:
  – /etc [%SystemRoot%/System32/config]: the system configuration directory, which holds separate configuration files for each application.
  – /var/log: this directory contains application logs and security logs. They are kept for 4-5 weeks.
  – /home/$USER: this directory holds user data and configuration information.
  – /etc/passwd: user account information.
Linux Forensics

• Forensic specialists use a forensic toolkit to collect evidence from a Linux Operating System.
• The toolkit comprises many tools such as dmesg, insmod, netstat, arp, route, hunter.o, date, cat, pcat, and nc.

Linux Forensics

• Helix is the distributor of the Knoppix Live Linux CD. It provides access to a Linux kernel, hardware detection, and many other applications.
Mac OS X Forensics

• Mac OS X is a UNIX-based operating system that contains a Mach 3 microkernel and a FreeBSD-based subsystem.
• Its user interface is Apple-like, whereas the underlying architecture is UNIX-like.
• Mac OS X offers a novel technique to create a forensic duplicate.
• To do so, the perpetrator’s computer should be placed into “Target Disk Mode”.
• Using this mode, the forensic examiner creates a forensic duplicate of the perpetrator’s hard disk with the help of a FireWire cable connection between the two computers.
Apple iOS Forensics

• Apple iOS is a UNIX-based operating system first released in 2007.
• It is a universal OS for all of Apple’s mobile devices, such as iPhone, iPod Touch, and iPad.
• An iOS embedded device retrieved from a crime scene can be a rich source of empirical evidence.

Android Forensics

• Android is Google’s open-source platform designed for mobile devices.
• It is widely used as the mobile operating system in the handset industry.
• Android OS runs on a Linux-based kernel which supports core functions such as power management, network infrastructure, and device drivers.
• Android’s Software Development Kit (SDK) contains a very significant tool for generic and forensic purposes, namely Android Debug Bridge (ADB).
• ADB employs a USB connection between a computer and a mobile device.
ANY QUESTIONS
