
Computer forensics

1 Computer Architecture: Input Devices, Central Processing Unit, Storage Devices and Output Devices

In computer engineering, computer architecture is a set of rules and methods that describe the functionality, organization, and implementation of computer systems. The architecture of a system refers to its structure in terms of separately specified components of that system and their interrelationships.

Some definitions of architecture describe the capabilities and programming model of a computer but not a particular implementation. In other definitions, computer architecture involves instruction set architecture design, microarchitecture design, logic design, and implementation.
Subcategories

The discipline of computer architecture has three main subcategories:

Instruction set architecture (ISA): defines the machine code that a processor reads and acts upon, as well as the word size, memory addressing modes, processor registers, and data types.

Microarchitecture: also known as "computer organization", this describes how a particular processor implements the ISA. The size of a CPU's cache, for instance, is a microarchitectural decision that generally has nothing to do with the ISA.

Systems design: includes all of the other hardware components within a computing system, such as data processing other than the CPU (e.g., direct memory access), virtualization, and multiprocessing.

There are other technologies in computer architecture. The following are used by larger companies such as Intel, and were estimated in 2002 to account for about 1% of all computer architecture work:

Macroarchitecture: architectural layers more abstract than microarchitecture.

Assembly instruction set architecture: a smart assembler may convert an abstract assembly language common to a group of machines into slightly different machine language for different implementations.

Programmer-visible macroarchitecture: higher-level language tools such as compilers may define a consistent interface or contract for the programmers using them, abstracting differences between the underlying ISA, UISA, and microarchitecture. For example, the C, C++, and Java standards each define a different programmer-visible macroarchitecture.

Microcode: microcode is software that translates instructions to run on a chip. It acts like a wrapper around the hardware, presenting a preferred version of the hardware's instruction set interface. This instruction translation facility gives chip designers flexible options. For example: (1) a new, improved version of a chip can use microcode to present exactly the same instruction set as the old version, so all software targeting that instruction set runs on the new chip without changes; (2) microcode can present a variety of instruction sets for the same underlying chip, allowing it to run a wider variety of software. Because microcode can also be updated in the field (loaded by the firmware or the operating system at boot), the instruction set a processor presents is not entirely fixed at manufacture.

UISA: User Instruction Set Architecture refers to one of three subsets of the RISC instructions provided by PowerPC processors. The UISA subset comprises the instructions of interest to application developers. The other two subsets are VEA (Virtual Environment Architecture), of interest to developers of virtualization systems, and OEA (Operating Environment Architecture), of interest to operating system developers.

Pin architecture: the hardware functions that a microprocessor should provide to a hardware platform, e.g., the x86 pins A20M, FERR/IGNNE or FLUSH, and the messages that the processor should emit so that external caches can be invalidated (emptied). Pin architecture functions are more flexible than ISA functions because external hardware can adapt to new encodings, or change from a pin to a message. The term "architecture" fits because the functions must be provided for compatible systems, even if the detailed method changes.

2 How Evidence Acquisition Works

EVIDENCE ACQUISITION
Digital evidence, such as computer data, is fragile by nature. Without proper handling, the underlying data can be damaged or completely destroyed. Whether this mishandling is accidental or intentional, any damage will affect the credibility of the evidence in court.

Digital evidence acquisition includes steps to ensure the data is properly handled and preserved. Qualified technicians follow specific standards for evidence collection to maintain the validity of the material.

At Primeau Forensics, we know digital evidence can be important in a court of law. Our team undergoes exhaustive training on acquisition and preservation to keep your digital evidence safe.

DEPARTMENT OF JUSTICE ON DIGITAL EVIDENCE ACQUISITION
When dealing with digital evidence, the US Department of Justice has outlined the following general forensic and procedural principles:
• Any actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
• Individuals examining digital evidence should receive training.
• Activities relating to the seizure, examination, storage or transfer of digital evidence should be documented, preserved and available for review.
In practice, the first principle is met by acquiring through a write blocker and hashing both the source and the resulting image, and the third by logging each step with a timestamp, the hash values and the identity of the person who handled the evidence. Throughout these practices, the examiner should be aware of the need to conduct an accurate and impartial examination of the digital evidence.

ACQUISITION AND AUTHENTICITY
For evidence to be useful in court, it must be authentic. Authenticity encompasses the credibility of the evidence and determines whether a judge can deem it admissible. Credibility is achieved with proper acquisition methods and the establishment of a chain of custody.
Proper acquisition methods ensure the digital information isn't modified in any way during collection. The chain of custody proves that everyone who handled the evidence did so properly. If someone mishandled the evidence, the data might have changed, making it unreliable in court.

At Primeau Forensics, we take multiple steps to preserve digital evidence for court. Our digital evidence recovery and gathering practices meet the standards outlined by the scientific community, and we document the chain of custody to ensure all evidence is credible and authentic. We use this attention to detail in all our cases, big and small. Whether you're involved in a civil case or a criminal investigation, our acquisition process will ensure the authenticity of your evidence.

CHAIN OF CUSTODY AND RECOVERY OF DIGITAL EVIDENCE
Data acquisition is a form of due diligence, as it establishes an authentic chain of custody and preserves fragile evidence in multiple locations. In many cases, we discover lost or deleted digital media during the data acquisition process. When this happens during Primeau Forensics' acquisition process, we notify our clients and identify a strategy for the newly found digital media. This digital media can take the form of chat logs, text messages, email communication, and GPS positioning, to name a few.

PRESERVATION OF DIGITAL EVIDENCE
Upon acquiring evidence for your case, we preserve it properly. The preservation process involves making a copy of the acquired evidence on which the forensic tests and examinations are performed. This practice ensures there is always an original copy of the data that has not been tampered with or mishandled.

We follow the preservation standards outlined by SWGDE (the Scientific Working Group on Digital Evidence), and we can make evidence copies for various parties, including law enforcement.
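The preservation step above (work on a copy, keep the original untouched, record who did what) is what the following script does for a disk image. It is an added example, not Primeau Forensics' tooling or any DOJ/SWGDE reference implementation; the "evidence image" is a constructed file written to a temporary directory, the handler name is hypothetical, and the log format (one JSON object per line) is an assumption.

```python
"""Hash-verified working copy plus a chain-of-custody record.
Added example, not Primeau Forensics' own tooling or the DOJ text.
The 'evidence image' is a constructed file written to a temp dir."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20                 # 1 MiB reads so multi-GB images fit in memory
ALGORITHMS = ("md5", "sha256")  # two independent digests, as most lab SOPs require


def hash_file(path):
    """Return {algorithm: hexdigest}, computed in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(path, expected):
    """True only if every recorded digest matches the file as it is now."""
    return hash_file(path) == expected


def make_working_copy(original, copy_path, log_path, handler, note):
    """Copy the original image, prove the copy is bit-identical and the
    original untouched, then append one JSON line to the custody log."""
    before = hash_file(original)
    shutil.copyfile(original, copy_path)
    if not verify(copy_path, before) or not verify(original, before):
        raise RuntimeError("hash mismatch: copy rejected, do not hand to examiner")
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "handler": handler,                 # who did it
        "action": "working copy created",   # what was done
        "source": os.path.basename(original),
        "destination": os.path.basename(copy_path),
        "hashes": before,                   # the value a reviewer re-checks later
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Build a tiny constructed image, copy it, then show that a later
    modification of the copy is caught by re-verification."""
    workdir = tempfile.mkdtemp(prefix="custody-")
    original = os.path.join(workdir, "evidence.dd")
    with open(original, "wb") as f:
        f.write(b"abc")   # constructed content; 'abc' is a standard hash test vector
    copy_path = os.path.join(workdir, "working.dd")
    log_path = os.path.join(workdir, "custody.jsonl")
    record = make_working_copy(original, copy_path, log_path,
                               handler="examiner-1 (hypothetical)",
                               note="write blocker used on source drive")
    clean = verify(copy_path, record["hashes"])
    with open(copy_path, "ab") as f:
        f.write(b"\x00")  # simulate an accidental write to the working copy
    tampered = verify(copy_path, record["hashes"])
    return record, clean, tampered


if __name__ == "__main__":
    rec, clean, tampered = demo()
    print(json.dumps(rec, indent=2))
    print("copy verified:", clean, "| after modification:", tampered)
```

The original is hashed twice, before and after the copy, so the record also proves the source was not altered by the copying step; any later reviewer re-runs verify() against the logged digests rather than trusting the log entry by itself.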

3 Introduction to Data Recovery and Carving

What is data recovery?
Data recovery can be defined as the process of obtaining information located on a storage device that cannot be accessed by standard means because it was deleted or because the digital medium is damaged. Different approaches are used to regain the missing files, but only on the condition that their content is still present somewhere within the storage. For instance, data recovery doesn't cover situations where a file was never written to persistent storage, such as documents that were created but could not be saved to the hard disk drive because of a power failure. Also, no restore method can cope with permanent erasure, which occurs when other data has occupied the file's storage space; under such circumstances the lost files can only be retrieved from an external backup.

In general, data recovery techniques are divided into two types: software-based, and those involving the repair or replacement of damaged hardware components in a laboratory setting. A software-based approach is employed in the majority of cases and involves the use of specialized utilities able to interpret the logical structure of the problem storage, read out the required data and deliver it to the user in a usable form for further copying. Physical repairs are conducted by specialists in the most severe instances, for example when mechanical or electrical parts of the drive no longer work properly; in this case, all measures are directed towards a one-time extraction of the critical content, with no expectation of continued use of the affected device.

The most typical cases of data loss
By and large, the success of a data rescue procedure depends heavily on choosing the right retrieval method and applying it in time. That is why it is important to understand the nature of the particular loss and know what can be done in each scenario. The wrong actions can lead to the irreversible destruction of the information.

The most common causes of data loss include:

• Accidental deletion of files or folders
Each file system behaves differently when deleting a file. For instance, in Windows the FAT file system marks the file's directory entry as unused and destroys the information about the file's allocation (except for its starting cluster, which stays in the directory entry); NTFS marks the file's MFT record as unused, removes the entry from the directory index and marks the clusters as free in the volume bitmap, but the record itself (including the location of the data) is left in place until it is reused; most Linux/Unix file systems clear the file's inode (the information about the file's location, type, size, etc.) and mark the disk space as free.
The main purpose of file deletion is to release the storage space used by the file so that new files can be stored. For performance reasons the storage space is not wiped immediately, which means the actual file content remains on the disk until the space is reused by a new file.

• File system formatting
File system formatting can be started by mistake, for example by specifying the wrong disk partition or by mishandling a storage device (e.g., NAS devices usually format the internal storage after an attempt to reconfigure RAID).
The formatting procedure creates empty file system structures on the storage and overwrites whatever was in their place. If the types of the new and the former file systems coincide, it destroys the existing file system structures by overwriting them with new ones; if the types differ, the structures are written to different locations and may wipe parts of the user's content.

• Logical damage to the file system
Modern file systems have a high level of protection against internal errors, yet they often remain helpless against hardware or software malfunctions. Even a small piece of wrong content written to the wrong location on the storage can destroy file system structures, break the links between file system objects and make the file system unreadable. Sometimes this happens because of blackouts or hardware failures.

• Loss of information about a partition
This failure may occur because of a failed "fdisk" operation or user error, which usually results in the loss of information about the location and size of a partition.

• Storage failure
If you suspect any physical issues with the storage (e.g., the device doesn't boot, makes unusual noises, overheats, has problems reading, etc.), it is not recommended to attempt any data recovery on your own. You should take the storage to a specialized laboratory.
If a failure has occurred in a RAID system (failure of one drive in RAID 1 or RAID 5, failure of at most two drives in RAID 6, etc.), restoration is possible without the missing drive, as the redundancy of RAID allows the content of the failed component to be recreated.

How does data recovery software work?
The information remaining on an intact storage device can usually be recovered without professional help by means of specialized data recovery software. However, it is important to keep in mind that no information is recoverable after being overwritten. For this reason, nothing should be written to the storage until the last file has been rescued; the safest practice is to take a sector-level image of the device first and run every recovery attempt against the image rather than the original.

Most data recovery utilities operate using metadata analysis, raw recovery based on the known content of files, or a combination of the two approaches.

Metadata is the hidden bookkeeping information maintained by the file system. Analysing it allows the software to locate the principal structures on the storage that record the placement of file content, file properties and the directory hierarchy. This information is then processed and used to restore the damaged file system. This method is preferred over raw recovery because it yields files with their original names, folders, and date and time stamps. If the metadata wasn't seriously corrupted, it may be possible to reconstruct the entire folder structure, depending on how the particular file system disposes of "unnecessary" items. Such analysis cannot succeed, however, when crucial parts of the metadata are missing. That is why it is extremely important to refrain from using file system repair tools (such as chkdsk or fsck) or initiating any operation that may modify the file system until the data has been completely restored.
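The FAT deletion behaviour described under "Accidental deletion" above and the metadata analysis described here are easiest to see on raw directory entries. The script below is an added example, not part of the page's source or of any recovery product: it builds a constructed FAT32 directory cluster (one live file, one long-file-name piece, one deleted file), parses it, and recovers the deleted file from the surviving start cluster and size. The cluster size, cluster contents and file names are all constructed.

```python
"""Raw FAT32 directory entries before and after deletion, and the
contiguous-file recovery that the surviving start cluster allows.
Added example, not part of the page's source. The directory bytes
and the data region below are constructed by hand."""
import struct

ENTRY_SIZE = 32
CLUSTER = 4096          # bytes per cluster (constructed volume)
FIRST_DATA_CLUSTER = 2  # FAT cluster numbering starts at 2
ATTR_LFN = 0x0F         # long-file-name entry: carries no allocation info
DELETED = 0xE5          # FAT overwrites byte 0 of the name with 0xE5 on delete


def make_entry(name, ext, first_cluster, size, attr=0x20, deleted=False):
    """Build one 8.3 directory entry; times and dates are left zero."""
    raw_name = name.ljust(8).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED]) + raw_name[1:]
    # layout: name(8) ext(3) attr(1) ntres(1) crt_tenth(1) crt_time(2) crt_date(2)
    #         last_access(2) cluster_hi(2) write_time(2) write_date(2) cluster_lo(2) size(4)
    return struct.pack("<8s3sBBBHHHHHHHI", raw_name, ext.ljust(3).encode("ascii"),
                       attr, 0, 0, 0, 0, 0, first_cluster >> 16, 0, 0,
                       first_cluster & 0xFFFF, size)


def parse_directory(blob):
    """Walk a directory cluster; deleted entries are returned, not hidden."""
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        e = blob[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break                       # 0x00 marks the end of the directory
        if e[11] == ATTR_LFN:
            continue                    # skip long-name pieces
        deleted = e[0] == DELETED
        name = (b"?" + e[1:8] if deleted else e[0:8]).decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append({"name": f"{name}.{ext}", "deleted": deleted,
                        "first_cluster": (hi << 16) | lo, "size": size})
    return entries


def recover_contiguous(data_region, entry):
    """Deletion clears the file's FAT chain, so only the start cluster and
    size survive. If the file was stored contiguously, that is enough;
    a fragmented file would need carving for its later fragments."""
    start = (entry["first_cluster"] - FIRST_DATA_CLUSTER) * CLUSTER
    return bytes(data_region[start:start + entry["size"]])


# --- constructed volume ------------------------------------------------------
SECRET = (b"CONSTRUCTED deleted document contents " * 200)[:6000]
DATA_REGION = bytearray(CLUSTER * 6)                       # clusters 2..7
DATA_REGION[(3 - 2) * CLUSTER:(3 - 2) * CLUSTER + 16] = b"REPORT live file"
DATA_REGION[(5 - 2) * CLUSTER:(5 - 2) * CLUSTER + len(SECRET)] = SECRET
DIRECTORY = (
    make_entry("REPORT", "TXT", 3, 16)
    + bytes([0x41]) + b"\x00" * 10 + bytes([ATTR_LFN]) + b"\x00" * 20   # an LFN piece
    + make_entry("SECRET", "DOC", 5, 6000, deleted=True)
    + b"\x00" * ENTRY_SIZE                                              # end marker
)


def demo():
    listing = parse_directory(DIRECTORY)
    deleted = [e for e in listing if e["deleted"]]
    return listing, recover_contiguous(DATA_REGION, deleted[0])


if __name__ == "__main__":
    listing, recovered = demo()
    for e in listing:
        print(e)
    print("recovered", len(recovered), "bytes:", recovered[:40])
```

The first character of a deleted name is lost (shown here as "?"), which is why recovery tools ask you to supply it. Everything else the directory entry held, including the start cluster and the exact size, is still there, which is exactly the "except for the beginning of the file" qualification made above.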

As a rule, when the desired result isn't achieved with metadata analysis, a search for files by their known content is performed. In this case, "known content" doesn't mean the entire raw content of a file, only particular patterns that are typical of files of a given format and that mark the beginning or the end of the file. These patterns are referred to as "file signatures" (or magic numbers) and can be used to determine whether a piece of data on the storage belongs to a file of a recognized type. Files recovered with this method receive an extension based on the signature found, new names, and are assigned to new folders, usually one per file type. The main limitation of this approach is that some files lack identifiable signatures or have only a signature denoting the start of the file, making it hard to predict where the file ends, especially when its parts are not stored contiguously.

To get lost files back with maximum efficiency, data recovery software may use both techniques concurrently during a single scan of the storage. Other details depend mainly on the type of digital medium and can be found in the data recovery solutions section.

File carving is a procedure used in digital forensic investigation to extract data from a hard drive or other storage device without the help of the file system table that originally recorded the file. It is a technique that works on unallocated space without relying on file system metadata, and it is used to recover information for a digital forensic examination. The process was originally just called "carving", a general term for extracting structured data from raw data based on the format-specific characteristics of the data being sought.

A forensic method that recovers files based on the structure and contents of the files themselves, without the corresponding file system metadata, allows you to recover files from the unallocated space of any drive. The area of the drive that the file system structures (the file table) do not mark as belonging to any file is called unallocated space.

Missing or damaged file system structures can affect the entire drive. Simply put, many file systems do not erase data when a file is deleted; they merely discard the knowledge of where it is. Scanning raw bytes and putting them in order is the basic process of file carving. It is performed by examining the header (first bytes) and footer (last bytes) of a file.
File carving is an excellent way to recover files and file fragments when file system metadata is damaged or missing. It is often used by forensic professionals to re-examine evidence. One example of carving being used to recover media is the data extracted from the drives seized at Osama bin Laden's compound during the raid by US Navy SEALs; forensic investigators used file recovery methods to recover data from the drives and systems found there.
File Carving Techniques
During a digital investigation, it is necessary to analyse different types of media. Relevant information can be found on several storage devices and in the PC's memory. Various kinds of information might be examined, for example email, electronic documents, system logs, and media files. File carving is a recovery technique in which only the contents and structure of the file are considered, rather than the file metadata used to organize data on the storage medium.

Below are some file carving terms to remember:

• Block – the smallest unit of data that can be written to storage.
• Header – the first bytes of a file.
• Footer – the last bytes of a file.
• Fragment – one or several blocks belonging to a single file.
• Base-fragment – the first fragment of a file, the one that contains the header.
• Fragmentation point – the last block just before fragmentation takes place. Multiple fragments in a file result in several fragmentation points.

• Header-footer technique (or header-"maximum file size") – the basic strategy is to carve files based on a header and a footer, or on a header and a maximum file size.
1. JPG or JPEG files – header "\xFF\xD8", footer "\xFF\xD9".
2. GIF – header "\x47\x49\x46\x38\x37\x61" ("GIF87a"; the newer GIF89a variant differs only in the last two bytes), footer "\x00\x3B".
3. PST – header "!BDN", with no footer.
4. If the format has no footer, the carving program uses a maximum file size.
• File structure-based carving
1. The internal layout of the file is used as the basic technique.
2. Header, footer, identifier strings and size information are the basic elements.
• Content-based carving
Used where the content has only a loose structure (MBOX, HTML, XML).
• Content characteristics
1. Character counts
2. Text/language recognition
3. Black and white lists of data
4. Information entropy
5. Statistical characteristics (chi-square)
Carving a File (without using any tool)
Next, we will see how to carve a .jpeg file without using a carving tool. First, we need to know the structure of the .jpeg file (header and footer, etc.). To do this, we open a .jpeg image in a hex editor to examine what the header and footer of a .jpeg file look like.
Here, we find the file header (FFD8FFE0). Strictly, FFD8 is the start-of-image marker common to all JPEGs; FFE0 is the APP0 marker that follows it in JFIF files, while Exif files (as written by cameras) continue with FFE1 instead, so a search for the full four bytes would miss them. Now, to find the footer, we examine the last bytes of the file.

Here, we have the file footer or trailer (FFD9).

If you have a document with an image in it, you can carve the image out by knowing its header and footer. Here we have a Word file with an image in it, and we will carve the image out using this technique.

The first thing we need to do is open this Word document in the hex editor by clicking File >> Open.

Here, we can see the Word file's data in hexadecimal form. As we already know, the .jpeg file has a header value of FFD8FFE0, so we search for the file header by pressing Ctrl + F or Search >> Find and entering the known header value (selecting the hex value data type is very important in this step).
We find a signature value at offset 14FD.
Next, we must search for the footer or trailer. We know that the .jpeg file has a footer value of FFD9, so we search for the file footer by pressing Ctrl + F or Search >> Find and entering the known footer value (again selecting the hex value data type).
We find a footer value at offset 2ADB.
Now we have the header and footer of a JPEG file and, as stated earlier, between the header and footer lies the data of the JPEG. We copy the entire block of data, header and footer included, and store it as a new file.

Go to EDIT >> Select Block and enter both of the following values:
File Header Offset: 14FD
File Footer Offset: 2ADB
After entering these values, the entire .jpeg file will be highlighted in blue. To save it as a file, copy it by right-clicking and selecting Copy, or by pressing Ctrl + C. Next, paste the data into a new file. A dialogue box will appear; click OK. Now we are ready to save the file by clicking File >> Save as or pressing Ctrl + S. If you open this copied file, you will see the same image that was in the original document. This is the basic technique for carving media files.
One caveat: the first FFD9 after the header is not always the end of the picture. A JPEG saved by a camera carries an Exif thumbnail that is itself a complete JPEG with its own FFD8 and FFD9, so the search above would stop at the thumbnail's trailer and carve a truncated file; keep searching until the FFD8 and FFD9 markers seen since the header balance out.
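The header-footer technique listed under "File Carving Techniques" and the manual walkthrough above both reduce to the same loop, which the script below implements over raw bytes. It is an added example, not the page's hex-editor procedure or any existing carving tool. The signature table is the page's own (JPEG, GIF, PST), with GIF generalized to the four bytes GIF87a and GIF89a share; the 64 KiB maximum size is an assumption for footerless formats, and SAMPLE is constructed: ZIP-like filler, one Exif-style JPEG with an embedded thumbnail, then a PST-style header with nothing after it. It handles the thumbnail case from the walkthrough's caveat by tracking marker nesting, and the nested=False path shows what the first-footer search would have produced.

```python
"""Header/footer carver over raw bytes, with the maximum-size fallback for
footerless formats and nesting-aware JPEG end detection. Added example,
not the page's hex-editor walkthrough or any named tool. SAMPLE below is
constructed: ZIP-like filler, one Exif-style JPEG with an embedded
thumbnail, then a PST-style header with nothing after it."""
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),   # SOI + next marker; EOI
    "gif": (b"GIF8", b"\x00\x3B"),           # page lists GIF87a; GIF89a shares 'GIF8'
    "pst": (b"!BDN", None),                  # no footer: carve up to MAX_SIZE
}
MAX_SIZE = 64 * 1024   # assumed ceiling for footerless or unterminated files


def find_jpeg_end(data, start, max_size):
    """Return the offset just past the EOI that closes the JPEG at `start`.
    An Exif thumbnail is a complete inner JPEG, so depth is tracked: the
    first FFD9 seen belongs to the thumbnail, not to the picture."""
    depth, i, limit = 0, start, min(len(data), start + max_size)
    while i < limit - 1:
        if data[i] == 0xFF:
            if data[i + 1] == 0xD8:
                depth += 1
            elif data[i + 1] == 0xD9:
                depth -= 1
                if depth == 0:
                    return i + 2
        i += 1
    return None


def carve(data, max_size=MAX_SIZE, nested=True):
    """Scan for every known header; cut at the footer (or at max_size)."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            end = None
            if kind == "jpg" and nested:
                end = find_jpeg_end(data, pos, max_size)
            elif footer is not None:
                f = data.find(footer, pos + len(header), pos + max_size)
                if f != -1:
                    end = f + len(footer)
            if end is None:                          # footerless or not found
                end = min(len(data), pos + max_size)
            found.append({"type": kind, "start": pos, "end": end, "data": data[pos:end]})
            pos = data.find(header, end)             # resume after this file
    return sorted(found, key=lambda c: c["start"])


# --- constructed input --------------------------------------------------------
THUMB = b"\xFF\xD8\xFF\xDB" + b"\x10" * 64 + b"\xFF\xD9"              # inner JPEG
JPEG = (b"\xFF\xD8\xFF\xE1" + b"Exif\x00\x00" + THUMB                   # APP1 + thumb
        + b"\xFF\xDA" + b"\x2A" * 500 + b"\xFF\xD9")                     # scan + EOI
FILLER = b"PK\x03\x04" + b"word/document.xml " * 100
SAMPLE = FILLER + JPEG + FILLER + b"!BDN" + b"\x00" * 300

if __name__ == "__main__":
    for c in carve(SAMPLE):
        print(f"{c['type']}: offset {c['start']:#x}-{c['end']:#x}, {len(c['data'])} bytes")
    truncated = carve(SAMPLE, nested=False)[0]
    print("first-footer method would carve only", len(truncated["data"]), "bytes")
```

Depth counting is safe for JPEG because 0xFF inside entropy-coded data is always followed by 0x00 or a restart marker (0xD0 to 0xD7), never by 0xD8 or 0xD9; the same trick does not transfer to formats whose payload can contain the footer bytes verbatim, which is where the structure-based and content-based techniques listed earlier take over.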

4 Windows OS Architecture & File System Analysis

What is a file system?
Let's start with a simple definition:
A file system defines how files are named, stored, and retrieved from a storage device.
Every time you open a file on your computer or smart device, your operating system uses its file system internally to load it from the storage device. When you copy, edit, or delete a file, the file system handles it under the hood. Whenever you download a file or access a web page over the Internet, a file system is involved too.

Why do we need a file system?
Without a file system, the storage device would contain one big chunk of data stored back to back, and the operating system wouldn't be able to tell the pieces apart.

The term file system takes its name from the old paper-based data management systems, where we kept documents as files and put them into directories.

Imagine a room with piles of paper scattered all over the place. A storage device without a file system would be in the same situation, and it would be a useless electronic device. A file system changes everything.

A file system isn't just a bookkeeping feature, though. Space management, metadata, data encryption, file access control, and data integrity are the responsibilities of the file system too.
Everything begins with partitioning
Storage devices must be partitioned and formatted before first use. But what is partitioning?

Partitioning is splitting a storage device into several logical regions, so they can be managed separately as if they were separate storage devices.

We usually partition with a disk management tool provided by the operating system, or with a command-line tool provided by the system's firmware (I'll explain what firmware is shortly).

A storage device should have at least one partition, or more if needed.

Why should we split storage devices into multiple partitions anyway? The reason is that we don't want to manage the whole storage space as a single unit and for a single purpose. It's just like how we partition our workspace, to separate (and isolate) meeting rooms, conference rooms, and various teams.

For example, a basic Linux installation has three partitions: one dedicated to the operating system, one for the users' files, and an optional swap partition.

A swap partition works as an extension of RAM when RAM runs out of space. For instance, the OS might move a chunk of data (temporarily) from RAM to the swap partition to free up some space in RAM. Operating systems continuously use various memory management techniques to ensure every process has enough memory to run.
Windows and macOS have a similar layout, but they don't use a dedicated swap partition; instead, they swap to a file (pagefile.sys on Windows) within the partition on which the operating system is installed. For an examiner this matters: the swap partition or page file can hold fragments of process memory, including data that was never written to a regular file.

On a computer with multiple partitions, you can install several operating systems and choose which one to boot each time.

Recovery and diagnostic utilities reside in dedicated partitions too. For instance, to boot a MacBook in recovery mode, you hold Command + R as soon as you restart (or turn on) the machine. By doing so, you instruct the system's firmware to boot from the partition that contains the recovery program.
Partitioning isn't just a way of installing multiple operating systems and tools, though; it also helps keep critical system files apart from ordinary ones. So no matter how many games you install on your computer, they can't fill up the operating system's partition, since they reside in a different one.

Back to the office example: having a call center and a tech team in a common area would harm both teams' productivity, because each team has its own requirements to be efficient. For instance, the tech team would appreciate a quieter area.

Some operating systems, like Windows, assign a drive letter (A, B, C, or D) to partitions. For instance, the primary partition on Windows (on which Windows is installed) is known as C:, or drive C. In Unix-like operating systems, however, partitions appear as ordinary directories under the root directory; we'll cover this later.

In the next section, we'll dive deeper into partitioning and get to know two concepts that will change your perspective on file systems: system firmware and booting.

Partitioning schemes, system firmware, and booting
When partitioning a storage device, we have two partitioning schemes to choose from:

• Master Boot Record (MBR) scheme
• GUID Partition Table (GPT) scheme

Regardless of which partitioning scheme you choose, the first few blocks on the storage device will always contain critical data about your partitions. The system's firmware uses these data structures to boot the operating system on a partition.
Wait, what is the system firmware, you may ask? Here's an explanation:

Firmware is low-level software embedded in an electronic device to operate the device, or to bootstrap another program that does.

Firmware exists in computers, in peripherals (keyboards, mice, and printers), and even in electronic home appliances.

In computers, the firmware provides a standard interface for complex software like an operating system to boot and work with hardware components. On simpler systems like a printer, however, the firmware is the operating system. The menu you use on your printer is the interface of its firmware.

Hardware manufacturers make firmware based on two specifications:

• Basic Input/Output System (BIOS)
• Unified Extensible Firmware Interface (UEFI)
Firmware, whether BIOS-based or UEFI-based, resides in non-volatile memory, like a flash ROM attached to the motherboard. When you press the power button on your computer, the firmware is the first program to run.

The mission of the firmware (among other things) is to boot the computer, run the operating system, and hand it control of the whole system. Firmware also runs pre-OS environments (with network support), like recovery or diagnostic tools, or even a shell for text-based commands.

The first few screens you see before the Windows logo appears are the output of your computer's firmware, verifying the health of the hardware components and the memory. The initial check is confirmed with a beep (usually on PCs), indicating everything is good to go.

MBR partitioning and BIOS-based firmware
The MBR partitioning scheme is the one used by BIOS-based firmware. On MBR-partitioned disks, the first sector of the storage device contains the essential data for booting the system. This sector is called the MBR.

The MBR contains the following information:
• The boot loader, a simple program (in machine code) that initiates the first stage of the boot process
• A partition table, which contains information about your partitions
BIOS-based firmware boots the system differently than UEFI-based firmware. Here's how it works:

Once the system is powered on, the BIOS firmware starts and loads the boot loader program (contained in the MBR) into memory. Once the program is in memory, the CPU begins executing it. Having the boot loader and the partition table in a predefined location like the MBR enables the BIOS to boot the system without having to understand any file system.

If you are curious about how the CPU executes the instructions residing in memory, you can read a beginner-friendly guide on how the CPU works.
The boot loader code in the MBR takes between 434 and 446 bytes of the 512-byte MBR; when fewer than 446 are used, the remainder of that area holds a 4-byte disk signature and, on some systems, a timestamp. A further 64 bytes are allocated to the partition table, which can describe a maximum of four partitions, and the last two bytes hold the boot signature 0x55AA, which the firmware checks before executing the sector.

446 bytes isn't enough for much code, though. So sophisticated boot loaders like GRUB 2 on Linux split their functionality into pieces, or stages.
The smallest piece of code, known as the first-stage boot loader, is stored in the MBR. It's usually a simple program which doesn't require much space. The responsibility of the first-stage boot loader is to initiate the next (and more complicated) stages of the boot process.

Immediately after the MBR, and before the first partition starts, there's a small space, around 1 MB, called the MBR gap. The MBR gap can be used to place another piece of the boot loader program if needed.
A boot loader such as GRUB 2 uses the MBR gap to store another stage of its functionality. GRUB calls this the stage 1.5 boot loader, which contains a file system driver. Stage 1.5 enables the next stages of GRUB to understand the concept of files, rather than loading raw instructions from the storage device (as the first-stage boot loader does).

The second-stage boot loader, now capable of working with files, can load the operating system's boot loader file to boot the respective operating system. This is when the operating system's logo fades in...
Because the MBR gap lies outside any partition, ordinary file system tools never show it; an examiner inspects it directly, since bootkit code or hidden data can be placed there just as easily as GRUB's stage 1.5.

Here's the layout of an MBR-partitioned storage device, and a magnified view of the MBR's contents: (figures not reproduced)

Although MBR is simple and widely supported, it has some limitations.

MBR's data structure limits the number of partitions to only four primary partitions. A common workaround is to make an extended partition alongside the primary partitions, as long as the total number of partitions doesn't exceed four. An extended partition can be split into multiple logical partitions. Making extended partitions differs across operating systems; Microsoft has a quick guide explaining how it's done on Windows. When making a partition, you can choose between primary and extended.

After this is solved, we encounter the second limitation: each partition can be a maximum of 2 TiB, because the MBR records a partition's start and length as 32-bit sector numbers (2^32 sectors of 512 bytes).
And wait, there's more!

The MBR sector has no backup, meaning that if the MBR is corrupted for any reason, the disk won't boot and the operating system can no longer locate the partitions. The data itself is untouched, though: tools that scan the disk for file system boot sectors can rebuild the partition table, and an examiner working from an image doesn't need a valid MBR to find the partitions at all.
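The MBR layout just described (bootstrap area, disk signature, four 16-byte partition entries, 0x55AA) is small enough to parse by hand. The following is an added example, not the page's material or any existing disk tool: it builds two constructed sectors (a BIOS-style disk with a bootable NTFS volume plus an extended partition, and the protective MBR a GPT disk carries) and decodes them, computing the byte offset an examiner would seek to in an image. The partition types, LBAs and disk signature are all made up for the demonstration.

```python
"""Parse a 512-byte Master Boot Record: bootstrap area, disk signature,
the four 16-byte partition entries and the 0x55AA boot signature.
Added example; both sectors below are constructed, not read from disk."""
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count
MAX_MBR_BYTES = (1 << 32) * SECTOR   # 32-bit LBA fields: the 2 TiB ceiling


def build_mbr(partitions, disk_signature=0xDEADBEEF):
    """partitions: list of (bootable, type, lba_start, sectors). Constructed."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xEB\x63\x90"          # JMP into a (constructed) boot loader
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i,
                         0x80 if bootable else 0x00, b"\xFF\xFF\xFE", ptype,
                         b"\xFF\xFF\xFE", lba, count)   # CHS fields are legacy filler
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def is_valid_mbr(sector):
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xAA"


def parse_mbr(sector):
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector ending in 55 AA")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0x00:
            continue                        # unused slot
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "size_bytes": count * SECTOR,
                      "byte_offset": lba * SECTOR})   # where to seek in an image
    return {"disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "bootstrap": sector[:440],
            "partitions": parts,
            "protective_gpt": any(p["type"] == 0xEE for p in parts)}


# constructed: a BIOS-style disk with a bootable NTFS volume and an extended partition
SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 204800), (False, 0x05, 206848, 409600)])
# constructed: the protective MBR a GPT disk carries in sector 0
PROTECTIVE_MBR = build_mbr([(False, 0xEE, 1, 0xFFFFFFFF)], disk_signature=0)

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR)["partitions"]:
        print(p)
    print("GPT behind it?", parse_mbr(PROTECTIVE_MBR)["protective_gpt"])
```

The 2048-sector start of the first partition is the 1 MiB MBR gap discussed above; anything between byte 512 and byte 1048576 of the image belongs to no partition and is where a stage 1.5 loader, or a bootkit, would sit. A type 0xEE entry means the real partition table is the GPT that follows, which the next section covers.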

This is where GPT partitioning stands out.

GPT partitioning and UEFI-based firmware
The GPT partitioning scheme is more sophisticated than MBR and doesn't have MBR's limitations. For instance, the default partition entry array has room for 128 partitions, and partition boundaries are stored as 64-bit sector numbers, so every partition can be larger than the biggest storage device available on the market.

GPT is gradually replacing MBR, although MBR is still widely supported on old PCs and new ones alike.

GPT is defined as part of the UEFI specification, which is replacing the good old BIOS. That means UEFI-based firmware expects a GPT-partitioned storage device for the boot process. Most hardware and operating systems now support UEFI and use the GPT scheme to partition storage devices.

In the GPT partitioning scheme, the first sector of the storage device is reserved for compatibility with BIOS-based systems, because some systems might still use BIOS-based firmware but have a GPT-partitioned storage device. This sector is called the protective MBR: it holds a single partition entry of type 0xEE spanning the disk, so MBR-only tools see the disk as fully allocated rather than empty. (This is where the first-stage boot loader would reside on an MBR-partitioned disk.)
After this first sector, the GPT data structures are stored: the GPT header and the partition entries. The GPT entries and the GPT header are backed up at the end of the storage device, so they can be recovered if the primary copy gets corrupted. This backup is called the secondary GPT. Each header also carries CRC32 checksums of itself and of the partition entry array, so corruption is detected rather than silently trusted.

The layout of a GPT-partitioned storage device looks like this: (figure not reproduced)
In GPT, all the booting services (boot loaders, boot
managers, pre-os environments, and shells) live in a
dedicated partition called EFI System Partition (ESP),
which UEFI firmware can use.
ESP even has its own file system, which is a specific
version of FAT. On Linux, ESP resides under
the /sys/firmware/efi path.
If this path cannot be found on your system, then your
firmware is probably BIOS-based firmware.
To check it out, you can try to change the directory to the
ESP mount point, like so:

cd /sys/firmware/efi

UEFI-based firmware assumes that the storage device is


partitioned with GPT and looks up the ESP in the GPT
partition table.

Once the EFI partition is found, it looks for the configured


boot loader - usually, a file ending with .efi.
UEFI-based firmware gets the booting configuration
from NVRAM (a non-volatile RAM).
NVRAM contains the booting settings and paths to the
operating system boot loader files.

UEFI firmware can do a BIOS-style boot too (to boot the


system from an MBR disk) if configured accordingly.
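The structures described above (four-slot MBR table, protective MBR of type 0xEE, GPT header with CRC32, partition array, Secondary GPT at the last sector, ESP lookup by type GUID) can be walked with a short parser. The following is an added example written for this text, not code from the original article: it builds a constructed 128-sector image, reads its partitions the way UEFI firmware would, and falls back to the Secondary GPT when the primary header is damaged. The ESP type GUID is the well-known one from the UEFI specification; everything else in the image is made up.

```python
import struct, uuid, zlib

SECTOR = 512
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")  # EFI System Partition type GUID
HDR_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header (LBA 1, mirrored at the last LBA)
ENTRY_FMT = "<16s16sQQQ72s"     # 128-byte GPT partition entry
MBR_FMT = "<B3xB3xII"           # 16-byte MBR entry: status, CHS, type, CHS, LBA start, count


def parse_mbr(sector):
    """Return the used slots of the four-entry MBR table (type 0xEE marks a protective MBR)."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("MBR boot signature 0x55AA missing")
    table = [struct.unpack_from(MBR_FMT, sector, 446 + 16 * i) for i in range(4)]
    return [{"bootable": bool(s & 0x80), "type": t, "lba_start": a, "sectors": n}
            for s, t, a, n in table if t]


def parse_gpt_header(sector):
    """Parse one GPT header; its CRC32 covers the header with the CRC field itself zeroed."""
    f = struct.unpack_from(HDR_FMT, sector, 0)
    if f[0] != b"EFI PART":
        raise ValueError("GPT signature missing")
    if zlib.crc32(sector[:16] + bytes(4) + sector[20:f[2]]) != f[3]:
        raise ValueError("GPT header CRC mismatch")
    return {"current_lba": f[5], "backup_lba": f[6], "array_lba": f[10],
            "n_entries": f[11], "entry_size": f[12], "array_crc": f[13]}


def read_partitions(image):
    """Use the primary GPT; if it is damaged, recover from the secondary GPT at the disk end."""
    try:
        hdr, source = parse_gpt_header(image[SECTOR:2 * SECTOR]), "primary"
    except ValueError:
        hdr, source = parse_gpt_header(image[-SECTOR:]), "secondary"
    off = hdr["array_lba"] * SECTOR
    arr = image[off:off + hdr["n_entries"] * hdr["entry_size"]]
    if zlib.crc32(arr) != hdr["array_crc"]:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(hdr["n_entries"]):
        t, _u, first, last, _a, name = struct.unpack_from(ENTRY_FMT, arr, i * hdr["entry_size"])
        if any(t):  # unused slots are all zero
            parts.append({"type": uuid.UUID(bytes_le=t), "first_lba": first, "last_lba": last,
                          "name": name.decode("utf-16-le").rstrip("\0")})
    return source, parts


def build_sample_disk(corrupt_primary=False):
    """Constructed 128-sector image: protective MBR, primary GPT, one ESP, secondary GPT."""
    total, n, esize = 128, 128, 128
    mbr = bytearray(SECTOR)
    struct.pack_into(MBR_FMT, mbr, 446, 0, 0xEE, 1, total - 1)  # one entry spanning the disk
    mbr[510:512] = b"\x55\xaa"
    arr = bytearray(n * esize)  # 128 entries x 128 bytes = 32 sectors
    struct.pack_into(ENTRY_FMT, arr, 0, ESP_TYPE.bytes_le, bytes(range(16)), 34, 94, 0,
                     "EFI System".encode("utf-16-le"))
    def header(cur, backup, arr_lba):
        h = bytearray(SECTOR)
        struct.pack_into(HDR_FMT, h, 0, b"EFI PART", 0x10000, 92, 0, 0, cur, backup, 34, 94,
                         bytes(16), arr_lba, n, esize, zlib.crc32(arr))
        struct.pack_into("<I", h, 16, zlib.crc32(h[:92]))  # CRC over the zero-CRC header
        return h

    primary, secondary = header(1, total - 1, 2), header(total - 1, 1, 95)
    if corrupt_primary:
        primary[40] ^= 0xFF  # damage a byte inside the checksummed region
    return bytes(mbr + primary + arr + bytearray(SECTOR * 61) + arr + secondary)
```

Calling read_partitions on build_sample_disk(corrupt_primary=True) returns the same ESP entry as the intact image, but reports "secondary" as its source, which is exactly the recovery the Secondary GPT exists for.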

You can use the parted command on Linux to see what partitioning scheme is used for a storage device:

sudo parted -l

And the output would be something like this:

Based on the above output, the storage device's ID is /dev/vda with a capacity of 172GB. The storage device is partitioned based on GPT and has three partitions; the second and third partitions are formatted with the FAT32 and ext4 file systems respectively. Having a BIOS GRUB partition implies the firmware is still BIOS-based.

Let's confirm that with the dmidecode command like so:

sudo dmidecode -t 0

And the output would be:

# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.4 present.

Formatting partitions

When partitioning is done, the partitions should be formatted. Most operating systems allow you to format a partition with one of a set of file systems. For instance, if you are formatting a partition on Windows, you can choose between the FAT32, NTFS, and exFAT file systems.

Formatting involves the creation of various data structures and metadata used to manage files within a partition. These data structures are one aspect of a file system.

Let's take the NTFS file system as an example. When you format a partition to NTFS, the formatting process places the key NTFS data structures and the Master File Table (MFT) on the partition.

Alright, let's get back to file systems with our new background about partitioning, formatting, and booting.

Architecture of file systems

A file system installed on an operating system consists of three layers:

• Physical file system
• Virtual file system
• Logical file system

These layers can be implemented as independent or tightly coupled abstractions. When people talk about file systems, they refer to one of these layers or to all three as one unit. Although these layers are different across operating systems, the concept is the same.

The physical layer is the concrete implementation of a file system; it's responsible for data storage and retrieval and space management on the storage device (or, more precisely, on partitions). The physical file system interacts with the storage hardware via device drivers.

The next layer is the virtual file system, or VFS. The virtual file system provides a consistent view of the various file systems mounted on the same operating system.

So does this mean an operating system can use multiple file systems at the same time? The answer is yes! It's common for a removable storage medium to have a different file system than that of a computer. For instance, on Windows (which uses NTFS as the primary file system), a flash memory might have been formatted to exFAT or FAT32.

That said, the operating system should provide a unified interface between computer programs (file explorers and other apps that work with files) and the different mounted file systems (such as NTFS, APFS, ext4, FAT32, exFAT, and UDF). For instance, when you open up your file explorer program, you can copy an image from an ext4 file system and paste it over to your exFAT-formatted flash memory - without having to know that files are managed differently under the hood. This convenient layer between the user (you) and the underlying file systems is provided by the VFS.

A VFS defines a contract that all physical file systems must implement to be supported by that operating system. However, this compliance isn't built into the file system core, meaning the source code of a file system doesn't include support for every operating system's VFS. Instead, a file system driver is used to adhere to each operating system's VFS rules. A driver is a program that enables software to communicate with other software or hardware.

Although the VFS is responsible for providing a standard interface between programs and various file systems, computer programs don't interact with the VFS directly. Instead, the VFS provides a bridge between the logical layer (which programs interact with) and the physical layers of the various file systems.

What does it mean to mount a file system?

On Unix-like systems, the VFS assigns a device ID (for instance, /dev/disk1s1) to each partition or removable storage device. Then, it creates a virtual directory tree and puts the content of each device under that directory tree as separate directories. The act of assigning a directory to a storage device (under the root directory tree) is called mounting, and the assigned directory is called a mount point.

That said, on a Unix-like operating system, all partitions and removable storage devices appear as if they are directories under the root directory. For instance, on Linux, the mount points for removable devices (such as a memory card) are usually under the /media directory. So once a flash memory is attached to the system and consequently auto-mounted at the default mount point (/media in this case), its content would be available under the /media directory.

However, there are times you need to mount a file system manually. On Linux, it's done like so:

mount /dev/disk1s1 /media/usb

In the above command, the first parameter is the device ID (/dev/disk1s1), and the second parameter (/media/usb) is the mount point. Please note that the mount point should already exist as a directory. If it doesn't, it has to be created first:

mkdir -p /media/usb
mount /dev/disk1s1 /media/usb

If the mount-point directory already contains files, those files will be hidden for as long as the device is mounted.

File metadata

File metadata is a data structure that contains data about a file, such as:

• File size
• Timestamps, like creation date, last accessed date, and modification date
• The file's owner
• The file's mode (who can do what with the file)
• What blocks on the partition are allocated to the file
• and a lot more

Metadata isn't stored with the file content, though. Instead, it's stored in a different place on the disk - but associated with the file.

In Unix-like systems, the metadata is kept in data structures called inodes. Inodes are identified by a unique number called the inode number, and they are associated with files in a table called the inode table. Each file on the storage device has an inode, which contains information about it such as the time it was created, modified, etc. The inode also includes the addresses of the blocks allocated to the file; in other words, where exactly it's located on the storage device.

In an ext4 inode, the addresses of the allocated blocks are stored as a set of data structures called extents (within the inode). Each extent contains the address of the first data block allocated to the file and the number of contiguous blocks that the file has occupied.

Whenever you open a file on Linux, its name is first resolved to an inode number. Having the inode number, the file system fetches the respective inode from the inode table. Once the inode is fetched, the file system starts to compose the file from the data blocks registered in the inode.
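To make the extent mechanism concrete, here is an added example (written for this text, not taken from the original article) that decodes the 60-byte i_block field of an ext4 inode into its extents and then composes a file from the data blocks, as the passage describes. It follows the on-disk ext4 extent layout (12-byte header with magic 0xF30A, 12-byte extents); the inode, the two-extent fragmented file and the tiny 64-block "disk" are constructed in build_sample.

```python
import struct

EXT4_EXTENT_MAGIC = 0xF30A
HEADER_FMT = "<HHHHI"  # eh_magic, eh_entries, eh_max, eh_depth, eh_generation (12 bytes)
EXTENT_FMT = "<IHHI"   # ee_block, ee_len, ee_start_hi, ee_start_lo (12 bytes)


def parse_extents(i_block):
    """Return (first_logical_block, length, first_physical_block) for each extent in i_block."""
    magic, entries, _max, depth, _gen = struct.unpack_from(HEADER_FMT, i_block, 0)
    if magic != EXT4_EXTENT_MAGIC:
        raise ValueError("not an extent tree (the inode may use legacy indirect blocks)")
    if depth != 0:
        raise NotImplementedError("index nodes point to extent blocks elsewhere on disk")
    extents = []
    for i in range(entries):
        lblk, length, hi, lo = struct.unpack_from(EXTENT_FMT, i_block, 12 + 12 * i)
        if length > 32768:  # high bit set: extent is allocated but marked uninitialized
            length -= 32768
        extents.append((lblk, length, (hi << 32) | lo))
    return extents


def logical_to_physical(extents, lblk):
    """Map one logical file block to its on-disk block, or None if the block is a hole."""
    for start, length, phys in extents:
        if start <= lblk < start + length:
            return phys + (lblk - start)
    return None


def reassemble(image, extents, size, block_size):
    """Compose the file from its data blocks, the way the file system does after fetching the inode."""
    nblocks = -(-size // block_size)  # ceiling division
    out = bytearray()
    for lblk in range(nblocks):
        phys = logical_to_physical(extents, lblk)
        out += bytes(block_size) if phys is None else image[phys * block_size:(phys + 1) * block_size]
    return bytes(out[:size])


def build_sample(block_size=1024):
    """Constructed i_block with two extents plus a 64-block 'disk' holding the file's data."""
    i_block = bytearray(60)
    struct.pack_into(HEADER_FMT, i_block, 0, EXT4_EXTENT_MAGIC, 2, 4, 0, 0)
    struct.pack_into(EXTENT_FMT, i_block, 12, 0, 2, 0, 10)  # file blocks 0-1 -> disk blocks 10-11
    struct.pack_into(EXTENT_FMT, i_block, 24, 2, 2, 0, 40)  # file blocks 2-3 -> disk blocks 40-41
    image = bytearray(64 * block_size)
    for phys, fill in ((10, b"A"), (11, b"B"), (40, b"C"), (41, b"D")):
        image[phys * block_size:(phys + 1) * block_size] = fill * block_size
    return bytes(i_block), bytes(image), 3 * block_size + 428  # file size: 3500 bytes
```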

You can use the df command with the -i parameter on Linux to see the inodes (total, used, and free) in your partitions:

df -i

The output would look like this:

udev 4116100 378 4115722 1% /dev
tmpfs 4118422 528 4117894 1% /run
/dev/vda1 6451200 175101 6276099 3% /

As you can see, the partition /dev/vda1 has a total of 6,451,200 inodes, of which 3% have been used (175,101 inodes).

To see the inodes associated with files in a directory, you can use the ls command with the -li parameters:

ls -li

And the output would be:

1303834 -rw-r--r-- 1 root www-data 2502 Jul 8 2019 wp-links-opml.php
1303835 -rw-r--r-- 1 root www-data 3306 Jul 8 2019 wp-load.php
1303836 -rw-r--r-- 1 root www-data 39551 Jul 8 2019 wp-login.php
1303837 -rw-r--r-- 1 root www-data 8403 Jul 8 2019 wp-mail.php
1303838 -rw-r--r-- 1 root www-data 18962 Jul 8 2019 wp-settings.php

The first column is the inode number associated with each file.

The number of inodes on a partition is decided when you format the partition. That said, as long as you have free space and unused inodes, you can store files on your storage device. It's unlikely that a personal Linux OS would run out of inodes. However, enterprise services that deal with a large number of files (like mail servers) have to manage their inode quota smartly.

On NTFS, the metadata is stored differently, though. NTFS keeps file information in a data structure called the Master File Table (MFT). Every file has at least one entry in the MFT, which contains everything about it, including its location on the storage device - similar to the inode table.

On most operating systems, you can grab metadata via the graphical user interface. For instance, when you right-click on a file on macOS and select Get Info (Properties on Windows), a window appears with information about the file. This information is fetched from the respective file's metadata.

Information on this website:
https://www.freecodecamp.org/news/file-systems-architecture-explained/

5 What is event and log analysis

Introduction

In a forensic investigation, Windows Event Logs serve as a primary source of evidence, as the operating system logs every system activity. Windows Event Log analysis can help an investigator draw a timeline based on the logging information and the discovered artifacts. The information that gets logged depends upon the audit features that are turned on, which means that event logs can be turned off with administrative privileges. From the forensic point of view, the Event Logs capture a lot of data.

• The Windows Event Logs are used in forensics to reconstruct a timeline of events.
• The three main components of event logs are:
  • Application
  • System
  • Security
• On the Windows operating system, logs are saved in the root location %System32%\winevt\Logs in a binary format.
• The offline event log file size can be set by the user.
• When the maximum log size is reached:
  • Oldest events are overwritten
  • Archive the logs when full
• If you do not wish to overwrite the events, clear the logs manually.

In light of the research done, an event logging application was developed using C# and the Microsoft .NET Framework. RSA and AES encryption and an HMAC hash are used to enhance the integrity of the data. The application is divided into three segments: an event logger, which monitors particular files and folders on a PC and notifies the data archiving framework in an XML format; the data archiving framework itself; and an event viewer that shows the events to the user in a readable format.

Relevance

Due to the increasing number of computers and easily available internet connections, crimes involving computers are increasing rapidly. Keeping this in mind, researchers always try to find new and effective ways to find evidence that can be presented in a court of law to prove or disprove a case.

Windows event logs were not considered reliable proof before some of the cases that were solved with the help of Windows Event Logs. The purpose of this post is to analyze Windows Event Logs for artifacts from the forensic perspective: how Windows event logs are stored, how they can be useful in a forensic investigation, and what tools are used to analyze them. This post also covers some of the vulnerabilities that need to be considered before analysis.

Windows Event Logs

The purpose of this document is to break down Microsoft Windows event logs for artifacts that might be important to an investigator. How do specialists use Windows event logs in forensic examinations? How do investigators approach the different sorts of breaches when gathering information from Windows event logs? What are the best procedures to analyze Windows event logs?

The Windows event logs are records that serve as a placeholder for all events on a computer, network, or server. This incorporates logs of particular events on the system, an application, or the operating system. The Windows Event Logs help in recreating the timeline of events in order to assist an investigation. The type of events that are recorded can be any occurrence that affects the system:

• An incorrect login attempt,
• A hack, breach, or system settings modification,
• An application failure,
• A system failure, etc.

All these events are logged in "%System32%/Winevt/Log". All Windows events incorporate data on the event, for example the date and time, source, fault type, and a unique ID for the event type.

The event logs contain an abundance of data, which enables an administrator to investigate and manage the system. The Event Viewer utility on Windows helps in the analysis of the events on that machine. But for forensic analysis, the investigator has to acquire the offline event log files, which are then analyzed using third-party tools.

Main Event Logs

System Log

The System Log records events that are logged by operating system components. These events are frequently pre-established by the OS itself. System log files may contain data about hardware changes, device drivers, system changes, and all activities related to the machine. Because of the increasing number of threats against networks and systems, the variety of security logs has increased greatly.

Security Log

The Security Log contains logon/logoff activity and other activities related to Windows security. These events are specified by the system's audit policy. The security log is the best and last option to detect and investigate attempted and/or successful unauthorized activity. Event logs can also be used to troubleshoot problems in the system.

Application Log

The Application Log records events from applications installed on the system. It records the errors that occur in an application, informational events, and warnings from the software applications. Using the Application log we can troubleshoot any software problem that prevents an application from either logging in or functioning properly.

Other Important Event Logs

Some other Windows event logs that should be monitored besides the three main Event Logs:

• Directory Service Events — Domain controllers record any Active Directory changes.
• File Replication Service Events — For File Replication Service events; Sysvol changes.
• DNS Events — DNS servers record DNS-specific events.

Windows Event Log Vulnerabilities

• It is possible to disable the event log service in Windows.
• Important data can be modified, such as date and time, computer name, and usernames.
• Event logs from one machine can be transplanted into another machine.
• When the logs are generated, the time stamp uses the internal host clock, which can affect the logs if it is inaccurate.

Modifying the event log requires access to the Security Event Log records; once that access exists, the information contained inside can be altered. Consequently, if the Event Log records are monitored for any copying, writing, or erasing, a possible attack on the integrity of their information can be highlighted.

By using the Windows Registry, we can observe whether the Event Logs have been changed or disabled. Based on these discoveries the system can be designed to be more resilient. It will prohibit any physical access to the event logs and will likewise create a hash signature that will highlight if any changes have been made.

Solutions For Vulnerability

• Restrict physical access to any outsider.
• Store daily backups of the system logs.
• The time-stamping vulnerability can be solved by using a single time-stamping device in the network, which can increase the accuracy and integrity of the events.
• A Public Key Infrastructure server is used to authenticate the system users so that fake events cannot be injected.
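The HMAC "hash signature" mentioned in the introduction and the weaknesses listed above (cleared logs, transplanted records, altered or unreliable timestamps) can be checked with a small script run over an exported log. This is an added example written for this text, not the C#/.NET application the notes describe: it chains an HMAC over each record so any edit or deletion is detected, and it audits the sequence for the listed anomalies. The records are constructed; only the event IDs (4624/4625 logon events, 1102 audit-log-cleared) are real, well-known Security log IDs.

```python
import hashlib
import hmac
import json
from datetime import datetime

LOG_CLEARED = 1102  # well-known Security log event ID: "The audit log was cleared"

# Constructed records standing in for an exported Security log (not real data).
# 4624/4625 are the well-known successful/failed logon event IDs.
SAMPLE_EVENTS = [
    {"RecordId": 101, "EventId": 4624, "TimeCreated": "2024-03-01T08:00:00+00:00",
     "Computer": "WS01", "User": "alice"},
    {"RecordId": 102, "EventId": 4625, "TimeCreated": "2024-03-01T08:01:10+00:00",
     "Computer": "WS01", "User": "bob"},
    {"RecordId": 103, "EventId": 4625, "TimeCreated": "2024-03-01T07:59:00+00:00",
     "Computer": "WS01", "User": "bob"},          # clock ran backwards
    {"RecordId": 105, "EventId": 4624, "TimeCreated": "2024-03-01T08:05:00+00:00",
     "Computer": "SRV02", "User": "admin"},       # id gap + record from another host
    {"RecordId": 106, "EventId": 1102, "TimeCreated": "2024-03-01T08:06:00+00:00",
     "Computer": "WS01", "User": "admin"},
]


def canonical(event):
    """Stable byte encoding so the same record always produces the same tag."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def seal(events, key):
    """Chain an HMAC over the export: each tag covers its record and the previous tag."""
    tags, prev = [], b""
    for ev in events:
        prev = hmac.new(key, prev + canonical(ev), hashlib.sha256).digest()
        tags.append(prev.hex())
    return tags


def verify(events, tags, key):
    """Return the index of the first record whose tag no longer matches, else None."""
    if len(events) != len(tags):  # a record was removed or appended
        return min(len(events), len(tags))
    for i, fresh in enumerate(seal(events, key)):
        if not hmac.compare_digest(fresh, tags[i]):
            return i  # this and every later tag are invalid
    return None


def audit(events, expected_host):
    """Flag the weaknesses listed above: clearing, transplanting, and clock/sequence anomalies."""
    findings, last_time, last_id = [], None, None
    for ev in events:
        rid, t = ev["RecordId"], datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventId"] == LOG_CLEARED:
            findings.append((rid, "audit log cleared"))
        if ev["Computer"] != expected_host:
            findings.append((rid, f"record from another machine: {ev['Computer']}"))
        if last_time is not None and t < last_time:
            findings.append((rid, "timestamp earlier than the previous record"))
        if last_id is not None and rid != last_id + 1:
            findings.append((rid, f"record id gap after {last_id}"))
        last_time, last_id = t, rid
    return findings
```

The tags from seal must be stored where the host being monitored cannot rewrite them (the daily backup location suggested above is a natural place), otherwise an attacker who edits a record can simply re-seal the export.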

List of Tools Used to Parse Event Logs

• LogParser

• Event Log Explorer

• ManageEngine Event Log Analyzer

• LOGAlyze

• SolarWinds Event & Log Manager

• NetVizura EventLog Analyzer

• GrayLog
• LogCheck

Forensic Procedures to Acquire Windows Event Logs

The Windows Event Logs are stored in a binary XML format on the system, which is unreadable to the user without a proper tool. However, Windows has a built-in feature that converts the events into a readable format, which helps in troubleshooting any problem that occurs in the system. These logs are stored on the hard drive and are non-volatile, which means they can be accessed even if the machine is powered off.

In the Windows 10 operating system, by default, the event logs are stored in the directory "%Windows%System32/Winevt/Logs", which can be changed by the user by modifying the Windows Registry location "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog". In Windows XP, event logs are stored at "%Windows%System32/config/*.evt".

Conclusion

Windows Event Logs are essential from the digital forensic perspective because they store each and every event that happens in the operating system. When a system is compromised by an unauthenticated user, it takes several steps and procedures to get access to the system. These steps can be used to trace back to the suspect. The incident response team is responsible for capturing the important artifacts for further analysis. Event logs are stored in offline physical files in the system root directory.

The Event Logs are categorized into different categories such as application, system, and security, with different levels of severity. Other events, such as network events, are also logged in their separate files in the system. These files can be obtained manually or by using other utility tools. The importance and analysis procedures are described in the second part of this document. In the next part of this document, we have described some of the most important points of interest, with event log IDs that are helpful when investigating for potential pieces of evidence in a compromised system.
