Branches of Digital Forensics

© Jones & Bartlett Learning LLC, an Ascend Learning Company. NOT FOR SALE OR DISTRIBUTION.

PART III | Branches of Digital Forensics

CHAPTER 8 Windows Forensics
CHAPTER 9 Linux Forensics
CHAPTER 10 Mac OS Forensics
CHAPTER 11 Email Forensics
CHAPTER 12 Mobile Forensics
CHAPTER 13 Network Forensics
CHAPTER 14 Memory Forensics
CHAPTER 15 Trends and Future Directions

CHAPTER 8
Windows Forensics

Microsoft Windows is a ubiquitous operating system. It is difficult to imagine you working in digital forensics and not routinely encountering Windows machines. Therefore, it is important that you be very familiar with conducting forensics on Windows machines. In this chapter, you will learn how to perform forensic examination of a Windows computer. That includes examining the Registry, the index.dat, the swap file, and more.

Chapter 8 Topics

This chapter covers the following topics and concepts:

• The details of Windows
• Evidence in volatile data
• The Windows swap file
• Windows logs
• Windows directories
• Data stored in index.dat
• Windows Registry

Chapter 8 Goals

When you complete this chapter, you will be able to:

• Understand the workings of the Windows operating system
• Gather evidence from the Registry
• Retrieve evidence from logs
• Examine directories for evidence
• Check the index.dat file for evidence

Windows Details

Before delving deeply into Windows forensics, it is a good idea to get a better idea of the operating system itself. In this section, you learn about the history of Windows and its structure. This gives you a context within which to learn Windows forensics. For deeper coverage of Windows internals, refer to the book Windows Sysinternals Administrator’s Reference by Mark E. Russinovich and Aaron Margosis.

Windows History

The first version of Windows to gain widespread use was version 3.1, released in 1992. It was then that the Windows system became widely popular. At that time, Windows was a graphical user interface (GUI), and not really an operating system. The operating system was Disk Operating System (DOS). Windows provided a visual interface for interacting with the operating system by means of mouse clicks, rather than typing in DOS commands.

During the early 1990s, you could use other, non-Microsoft user interfaces to work with DOS. You could also install Windows on systems running some non-Microsoft operating systems, such as Dr. DOS (an alternative to DOS). There were also several competing operating systems for PCs, including OS2 and OS2 Warp from IBM.

For servers and serious professionals, Microsoft had Windows NT Versions 3.1, 3.51, and 4.0, which were widely used. Each version had both workstation and server editions. The NT version of Windows was widely considered more stable and more secure than Windows 3.1.

The release of Windows 95 in 1995 marked a change in Windows. At this point, the underlying operating system and the GUI—a point-and-click user interface—were fused into one single, coherent product. This meant that you could not choose some non-Windows GUI. Shortly after the release of Windows 95, Windows NT 4.0 was released. Many consider Windows 98 just an intermediate step, an improvement on Windows 95. The interface looked very much the same as Windows 95, but the performance was vastly improved. Windows 95 and 98 used the FAT32 file system.

Windows 2000 was widely considered a major improvement in the Windows line. Essentially, the days of separate NT and Windows lines were over. Now there would simply be different editions of Windows 2000. There were editions for home users, for professional users, and for servers. The differences among the editions were primarily in the features available and the capacity, such as how much random access memory (RAM) could be addressed. Windows 2000 was also the version of Windows wherein Microsoft began to recommend NTFS over FAT32 as a file system.

Windows XP was the next milestone for Microsoft, and Windows Server 2003 was released the same year. This marked a return to the approach of having a separate server and desktop system (unlike Windows 2000). The interface was not very different, but there were structural improvements.

Windows Vista and Windows 7 did not have significantly different user interfaces from XP. There were feature changes and additional capabilities, but essentially the interface was moderately tweaked with each version. The same can be said of the relationship between
