CSC414 Forensic Overview: Win95 to Win98 and WinME
Digital Forensics Center, Department of Computer Science and Statistics, University of Rhode Island (URI)
http://www.forensics.cs.uri.edu

Editions covered in this lecture
- Windows 95b: Windows 95 OEM Service Release 2 (OSR2); not available for purchase, pre-installed by the manufacturer
- Windows 98SE
- Windows ME (Millennium Edition)

System Fundamentals
- Windows is an operating system by itself
- Does not need DOS underneath: the user no longer installs DOS first (Windows 9x still boots through its own bundled real-mode MS-DOS 7.x, which matters when you plan a boot-diskette acquisition)

File System
- Virtual FAT (VFAT)
  - FAT16 with long filename support (the long name is stored in extra directory entries placed immediately before the 8.3 short-name entry)
  - People used more descriptive and accurate file names
- Windows 95b (OSR2)
  - Introduced FAT32
  - Larger partitions and better use of disk space (smaller clusters, so less slack per file)
  - Up to 2 TB addressable in a single partition

System Features
- Easier to restore an image of a seized computer on different hardware
  - Different drivers are needed for support on other systems
  - Easier with the "Add New Hardware" wizard
  - Can reconfigure the system automatically
- Registry introduced
  - Settings about the computer and programs
  - Gold mine of forensic information
- User profiles
  - Multiple users on a computer
  - Can determine which user downloaded files or ran a program
  - Caveat: the Win9x logon is not a security boundary (cancelling the logon dialog still gives access to the machine), so profile-based attribution needs corroboration from other artifacts

Windows 95 Forensic Issues
- More data to analyze!
- A DOS 6.22 boot diskette cannot read FAT32 file systems
  - Need a Win95 OSR2 or later boot diskette for FAT32
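The VFAT long-filename mechanism described above, as an added example that is not part of the lecture slides: a small parser for 32-byte FAT directory entries that reassembles the long name from its LFN entries, verifies the checksum that ties them to the 8.3 entry, and recovers the long name of a deleted file whose entries were only marked with 0xE5. It assumes the standard FAT directory-entry and LFN-entry layouts; the sample directory (two files, one deleted) is constructed inline rather than taken from a real disk.

```python
"""Walk a FAT/VFAT directory and reassemble long file names (LFN), including deleted ones."""
import struct
from dataclasses import dataclass

ATTR_LFN = 0x0F      # attribute value that marks a long-name entry
DELETED = 0xE5       # first byte of an entry whose file was deleted
ENTRY = 32


@dataclass
class DirEntry:
    long_name: str      # None when no LFN entries precede the 8.3 entry
    short_name: str
    size: int
    deleted: bool


def lfn_checksum(short: bytes) -> int:
    """Checksum of the 11-byte 8.3 name; stored in every LFN entry that belongs to it."""
    s = 0
    for b in short[:11]:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s


def format_short(short: bytes) -> str:
    base = short[:8].decode("ascii", "replace").rstrip()
    ext = short[8:11].decode("ascii", "replace").rstrip()
    if short[0] == DELETED:
        base = "?" + base[1:]      # first character was overwritten by the deletion marker
    return f"{base}.{ext}" if ext else base


def parse_directory(data: bytes) -> list:
    entries, pending = [], []      # pending: LFN fragments in on-disk (reverse) order
    for off in range(0, len(data), ENTRY):
        e = data[off:off + ENTRY]
        if len(e) < ENTRY or e[0] == 0x00:
            break                                   # 0x00 = no further entries
        if e[0x0B] == ATTR_LFN:
            # 13 UTF-16LE characters per entry: 5 at 0x01, 6 at 0x0E, 2 at 0x1C; checksum at 0x0D
            pending.append((e[0x0D], e[1:11] + e[14:26] + e[28:32]))
            continue
        short, deleted = e[:11], e[0] == DELETED
        long_name = None
        if pending:
            # Live entries: every fragment must carry the 8.3 name's checksum.
            # Deleted entries: 0xE5 overwrote the first name byte, so the checksum cannot be
            # verified; accept by adjacency, which is how deleted long names are recovered.
            if deleted or all(c == lfn_checksum(short) for c, _ in pending):
                raw = b"".join(f for _, f in reversed(pending))
                long_name = raw.decode("utf-16-le", "replace").split("\x00", 1)[0].rstrip("\uffff")
        pending = []
        entries.append(DirEntry(long_name, format_short(short), struct.unpack_from("<I", e, 0x1C)[0], deleted))
    return entries


def build_entries(long_name: str, short: bytes, size: int, deleted: bool = False) -> bytes:
    """Constructed sample data: LFN entries (last fragment first) followed by the 8.3 entry."""
    buf = bytearray(long_name.encode("utf-16-le") + b"\x00\x00")
    buf += b"\xff" * (-len(buf) % 26)                # pad to whole 13-character fragments
    frags = [bytes(buf[i:i + 26]) for i in range(0, len(buf), 26)]
    csum, out = lfn_checksum(short), b""
    for n in range(len(frags), 0, -1):               # on-disk order: highest sequence number first
        f = frags[n - 1]
        seq = DELETED if deleted else n | (0x40 if n == len(frags) else 0)
        out += bytes([seq]) + f[:10] + bytes([ATTR_LFN, 0, csum]) + f[10:22] + b"\x00\x00" + f[22:]
    short = bytearray(short.ljust(11, b" "))
    if deleted:
        short[0] = DELETED
    return out + bytes(short) + b"\x20" + b"\x00" * 14 + struct.pack("<HI", 0, size)


# Constructed directory: one live file, one deleted file, then the end-of-directory marker.
SAMPLE_DIRECTORY = (
    build_entries("My Vacation Photos.jpg", b"MYVACA~1JPG", 12345)
    + build_entries("Confidential Budget 1999.xls", b"CONFID~1XLS", 67890, deleted=True)
    + b"\x00" * ENTRY
)

if __name__ == "__main__":
    for d in parse_directory(SAMPLE_DIRECTORY):
        print(f"{'DELETED ' if d.deleted else '':<8}{d.short_name:<13} {d.size:>7}  {d.long_name}")
```

The deleted file keeps its full long name because deletion only rewrites the first byte of each entry; the name survives until those directory slots are reused, which is why a directory walk on an image should not stop at the first 0xE5 entry.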

User Interface

Shortcuts
- .lnk files
- Shortcuts to any programs and files
- Can indicate frequently used programs, files and web sites

Program Groups
- Quick list of many installed programs
- Useful in retracing steps in the use of the computer

Recent Document Groups
- Lots of good forensic information

Start-up Group
- Programs listed here run when the computer starts up
- Look for programs for clearing the Internet cache
- Auto-clean utilities that run automatically on start or ...
- Caveat: the presence of such a tool is itself worth recording, and data it "cleared" is often still recoverable from unallocated space

Favorites, Typed URLs, History, Cache, Cookies
- Typed URLs show intent
- Many ways to show where they have been
- Many additional user activity files are available
- index.dat files, though binary, contain the visited URLs and their timestamps

Recycle Bin

- User can mark files for deletion
  - The file is moved to the Recycle Bin
  - Files are not deleted until the Recycle Bin
    - is emptied, or
    - is full: the limit is a percentage of the drive's capacity (default 10%), set in the Properties of the Recycle Bin; when it is exceeded the oldest files are purged first (FIFO)
  - Users can restore files in the Recycle Bin before it is emptied
- When moved to the Recycle Bin, a file is
  - moved to the C:\Recycled directory
  - renamed to a generic name built from "D", the drive letter and an index number; for example, readme.txt from drive C: becomes Dc1.txt
    - the file extension stays the same
  - Windows Explorer does not show the generic name in the Recycle Bin but shows the original name
  - the INFO2 file in C:\Recycled holds the original file location (and the deletion time) for restore purposes
- Moving a file does not change the sectors it uses on the disk
  - Only the name or the directory entry is changed
- When the user empties the Recycle Bin
  - Only the file's directory entry is marked deleted (first byte set to 0xE5) and its clusters are released in the FAT
  - The file data still exists on the disk until those clusters are reused
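The INFO2 lookup described above, as an added example that is not part of the lecture slides: a parser that reads the INFO2 header and records, rebuilds the Dc<n>.<ext> name from each record so that a file found in C:\Recycled can be mapped back to its original path and deletion time, and handles two cases the slide does not cover: records whose first path byte was zeroed when the file was restored, and the later 800-byte Windows 2000/XP record variant that appends a UTF-16 path. The record layout (260-byte ANSI path, index, drive number, FILETIME, physical size) and the version value in the header are taken from published analyses of the format and are assumptions here, not facts from the lecture; the sample INFO2 is constructed inline.

```python
"""Parse a Windows 9x Recycle Bin INFO2 file and map Dc<n>.<ext> names back to their original paths."""
import ntpath
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Header: version, two fields of unknown meaning, record size, total size of recycled files.
HEADER_FMT = "<IIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 20 bytes
ANSI_PATH_LEN = 260                               # MAX_PATH, NUL-terminated ANSI path
REC_TAIL_FMT = "<IIQI"                            # index, drive number, deletion FILETIME, physical size
WIN9X_RECORD = ANSI_PATH_LEN + struct.calcsize(REC_TAIL_FMT)   # 280 bytes; Win2000/XP records are 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"      # drive number 0 = A:, 2 = C:


def from_filetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


@dataclass
class RecycleRecord:
    index: int
    drive: int
    original_path: str
    deleted_at: datetime
    physical_size: int          # size rounded up to whole clusters
    first_byte_zeroed: bool     # True when the record was invalidated (file restored)

    @property
    def recycled_name(self) -> str:
        """Generic name the file carries inside C:\\Recycled, e.g. Dc1.txt."""
        return f"D{DRIVE_LETTERS[self.drive].lower()}{self.index}{ntpath.splitext(self.original_path)[1]}"


def parse_info2(data: bytes) -> list:
    _version, _, _, rec_size, _total = struct.unpack_from(HEADER_FMT, data, 0)
    records = []
    for off in range(HEADER_LEN, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from(REC_TAIL_FMT, rec, ANSI_PATH_LEN)
        raw = rec[:ANSI_PATH_LEN]
        zeroed = raw[0] == 0
        if zeroed:
            # Published analyses describe restoring a file as zeroing the first byte of its path
            # (much like 0xE5 in a FAT directory); the rest survives, and the drive field gives
            # back the lost first character.
            raw = DRIVE_LETTERS[drive].encode() + raw[1:]
        path = raw.split(b"\x00", 1)[0].decode("cp1252", errors="replace")
        if rec_size > WIN9X_RECORD:
            # Windows 2000/XP records append a UTF-16LE copy of the path; prefer it when present.
            uni = rec[WIN9X_RECORD:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
            path = uni or path
        records.append(RecycleRecord(index, drive, path, from_filetime(ft), size, zeroed))
    return records


def lookup(records: list, recycled_name: str):
    """Resolve a name seen in C:\\Recycled (e.g. 'Dc1.txt') to its INFO2 record, or None."""
    return next((r for r in records if r.recycled_name.lower() == recycled_name.lower()), None)


def build_info2(entries) -> bytes:
    """Constructed sample: a Windows 9x INFO2 with 280-byte records (header version value assumed)."""
    body = b""
    for index, drive, path, deleted_at, size, zeroed in entries:
        p = path.encode("cp1252").ljust(ANSI_PATH_LEN, b"\x00")
        if zeroed:
            p = b"\x00" + p[1:]
        body += p + struct.pack(REC_TAIL_FMT, index, drive, to_filetime(deleted_at), size)
    return struct.pack(HEADER_FMT, 4, 0, 0, WIN9X_RECORD, sum(e[4] for e in entries)) + body


# Constructed INFO2: one live record and one whose file was restored (first path byte zeroed).
SAMPLE_INFO2 = build_info2([
    (1, 2, r"C:\My Documents\readme.txt", datetime(1999, 3, 15, 10, 30, tzinfo=timezone.utc), 4096, False),
    (2, 2, r"C:\Windows\Temp\budget.xls", datetime(1999, 3, 16, 8, 5, tzinfo=timezone.utc), 20480, True),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        flag = "  (restored: first path byte zeroed)" if r.first_byte_zeroed else ""
        print(f"{r.recycled_name:<10} {r.deleted_at:%Y-%m-%d %H:%M:%S} UTC  {r.original_path}{flag}")
```

Driving the parse from the record size in the header rather than a hard-coded 280 is what lets the same code read both the 9x and the 2000/XP layouts; on a real image, run it against the INFO2 from each drive's Recycled directory, and remember that records cleared when the bin was emptied may still be found in the file's slack or in unallocated space.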

Networking
- Networking is more common and easier
  - Mapped drives
  - Remote data storage
  - Permissions

Forensic Issues
- Where is the data? Local, on-site or somewhere else
- Can cause warrant issues
  - Is a supplemental warrant required?
  - If not sure, segregate remote data so that it is not co-mingled with data on the local drive
  - Prevents evidence being lost in a suppression hearing