06 - Microsoft File Systems and The Windows Registry

#filesystem #forensics

Class: CYBR-405

Notes:

Artifacts of Interest: MFT

What is an MFT?
- Master File Table
What does the MFT do?
- Indexes files, just keep tracks of them

The $I30 System File

This is directory-level artifact persistence.

Evidence exists in more than just the MFT.
Directory structures themselves retain historical data.
When the number of new files or subfolders increases in a folder, Windows creates an I30 file to store the additional new files' or folders' information
The I30 files contain useful artifacts for an investigation
- The I30 file may contain residual information of its name, size, and date-time values for a deleted file
- Listings for deleted files are relocated to the end of the $$ 130$ file

Experienced CTF Users:

Now, Let's watch a Dive-In video using a tool to extract the I30 file and view files
https://youtu.be/XzoYNOIJ37s?si=alMiG4xvN9to3K45\&t=283

Notes:

The MFT won't show deleted files, but this will!
Using the Sleuth Kit (awesome forensic investigation tools) -> FTK imager
Hex signature:
- 494E4458 (INDX)
You will see deleted files with a red X
- FTK Imager detects that there are $I30 indexes in the disk
You can recover these files
Need to use INDXParse.py but need to have python installed
- Specify -c for csv output
- And give file: ../I30
MACB timestamps -> format to show this data
You will use -d to find entries in the slack space

$UsnJrnl System File

The Update Sequence Number Journal logs file system changes.

Think of it as: A change log for NTFS. It records: File created; File deleted; File renamed; File modified
Why it's powerful:
- Even if the file is gone, the journal may show: That it existed When it changed What kind of change occurred (Create-Delete-Change - with timestamps)
$UsnJrnl answers the "WHEN" and "WHAT happened" questions very well. Holds 20 days max

CTF Users: C:\Windows\system32> fsutil usn readjournal c:

The Update Sequence Number Journal ($UsnJrnl) provides a log of actions performed on a file
Figure 6-31 Hexadecimal view of a $J file

Pasted image 20260216092600.png|500

Notes:

It does the same thing, file created/deleted/modified
You can find files in this way
This will help also prove that there where files once

Artifacts of Interest: Registry

"It is really a database"

Understanding the Windows Registry

Registry is a database that stores hardware and software configuration information, network connections, user preferences, and setup information
The Registry can contain valuable evidence for an investigation
Viewing the Registry files from a static acquisition requires special tools such as FTK Registry Viewer, Autopsy, X-Ways Forensics, and others

Notes:

Contains the glue for your OS
Uses a set of keys and values stored in folders
It does have a lot of great things stored in it
Most forensics tools with thake care of looking for things in it
Each key has a data value
- It could be binary, text, hex, or other stuff
It has all sorts of information
- Software execution
- Hardware (USBs, etc...)

Data Types in the Registry

The Registry is a hierarchical structured database that contains the following data types:
- Keys that are like folders on a disk partition
- Subkeys are like sub-folders that contain values like data and reference to files
The data types found in keys and subkeys are shown in Table 6-11 in the text (next slide)
The Registry is not just configuration... it's behavioral evidence.
- It shows what programs ran.
- It shows USB devices connected.
- It shows user preferences.
- Registry hives must be parsed with specialized tools.

Registry Organization

Pasted image 20260216093117.png

Registry is structured like folders and subfolders
- Keys=Folders
- Values = data entries
Contains:
- System configuration
- User activity
- Software Execution
- Device History (USB, etc.)

Exploring the Organization of the Windows Registry

File name and location	Purpose of file
Users\user-account\Ntuser.dat	User-protected storage area; contains the list of most recently used files and desktop configuration settings
Windows\system32\config\Default.dat	Contains the computer's system settings
Windows\system32\config\SAM.dat	Contains user account management and security settings
Windows\system32\config\Security.dat	Contains the computer's security settings
Windows\system32\config\Software.dat	Contains installed programs' settings and associated usernames and passwords
Windows\system32\config\System.dat	Contains additional computer system settings
Windows\system32\config\systemprofile	Contains additional ntuser information

User Assist

UserAssist tracks:

Programs a user has executed via GUI.
Important:
- Stored under NTUSER.DAT (user hive)
- Entries are ROT13 encoded
Why investigators love it:
- Shows what applications a user launched
- Often includes run count
- Includes timestamps

This answers:

WHO used WHAT program and WHEN.

https://www.youtube.com/shorts/0CkIo3FAW_U

Notes:

Includes what applications were run
Shows timestamps
ROT13 cypher:
- Returns each letter on the alphabet shifted by 13 positions
- Takes the modulo operation (the remainder)

Artifacts of Interest: Links

Shortcuts in your desktop

LNKs

This is one of the best Windows artifacts.

A .Ink file can contain:

Original file path
Timestamps
Volume serial number
Network share info
Sometimes MAC address

Even if:

The original file is gone
The USB drive is removed
The LNK may remain

Provides:

Same Name (generally)
Location when it was open
Date First Open (created)
Date Last Open (modified)

Notes:

In some CTFs, they put the flag in the shortcut!
The file didn't exists but the link did, and you could get the flag from it

LNK files are one of the best tools for the forensic investigator because they show which files a user accessed and when even if the file is no longer on the computer

LNK files can be found in multiple locations

Shortcuts
LNK Files
Jumplist
Web Browsers

Artifacts of Interest: Prefetch

Preload things on memory to make things faster

Prefetch

To help reduce the time it takes to load an application into memory in Windows, Microsoft has implemented the Prefetch function
- The first time an application is run, the OS will create a prefetch file for it
- The next time the application is run, Windows preloads the necessary links to other data or executable files into memory
The contents of a prefetch file can reveal the following:
- When an application was installed, how many times the application had been run, dates and time it was run, and data that was accessed by the application

Prefetch is: execution evidence.

Windows creates a .pf file the first time a program runs.
Prefetch contains:
- Program name
- Hash of path
- Last 8 run times
- Run count
- Files accessed by program
Prefetch proves execution on that system.

Notes:

Prefetch can give you some execution proof to prove that a service ran.
Prefetch can be disabled.
Server versions of Windows often have it off.

Artifacts of Interest: Logs

Tell you who logs in and logs out, and when

Event Logs

Logs maintain a historical record of things that happen on a computer or other information system.

Most computers (OS) have several different types of event logs but the 4 that are used the most often:

Application - what a program does
System - what the computer does
Security - logins/logoffs
Office Alerts - Office Documents

Security log is often most important:

Logons
Logoffs
Failed Attempts
Privilege use

This answers: WHO logged in and WHEN

Browser Logs

Each web browser keeps a set of activity logs which contain

URL of web pages visited
Date and times of visit
Number of times visited (not always accurate)
Downloaded items
Cached passwordslcredentials

And some record file activity -

Name of file
Location
Dateltime viewed

Pasted image 20260216094052.png|600

Notes:

On CTFs you always need to check browser history if you are given access to a browser session
You can find a flag there!

Browser History Logs

Location	File Name
C:\Users[username]\AppData\Local\Google\Chrome\User Data\Default\History	History (sqlite)
C:\Users[username]\AppData\Roaming\Mozilla\Firefox\Profiles[profile folder name]	places.sqlite
C:\Users[username]\AppData\Local\Microsoft\Edge\User Data\Default	History (sqlite)
SQLite (battle field tested):
https://www.youtube.com/shorts/2vx6FTvzRCI

Notes:

SQLite is lightweight and easy to use
It is not a gigantic database of information but you can do queries very quick and easy
In SQLite even with lots of records it will still be relatively fast

Artifacts of Interest: Memory

When you lose power, you lose volatile information

RAM Acquisition

Now we move into volatile memory.
RAM capture contains:

Running processes
Open files
Encryption keys
Passwords
Network connections

Memory is:

Unstructured
Time-sensitive

Important: If you power off a system, you lose this.

Notes:

Memory is unstructured and time-sensitive
Clipboard more than likely is gone after a restart

Pasted image 20260216094554.png|600

Don't worry about this, there are tools to make this easy

Hiberfil\Pagefile.sys

Hiberfil.sys:

Snapshot of RAM when system hibernates.

Pagefile.sys:

Virtual memory spillover.
May contain historical artifacts.

Why investigators care:

These can contain remnants of:
- Chat messages
- Passwords
- Decrypted content
- Browser fragments

Artifacts of Interest: Shadow

Restore from a point in time

Volume Shadow Snapshots

Windows automatically creates restore points.

These are snapshots in time.

They may contain:
- Older versions of files
- Deleted files
- Historical registry states

This is extremely valuable for: Timeline reconstruction.

https://www.youtube.com/shorts/gAMaeyLOKYY

Notes:

Volume Shadow Copies is a backup mechanism for Windows but it is also a gold mine for forensics investigators
We have to get things back up and running as quickly as possible, sometimes they do not care about forensics!

Recycle Bin

Deleted files go to: $Recycle.Bin

Windows:

Renames file
Stores metadata

Artifacts include:

Original Path
Deletion Time
File Size

Even if user empties recycle bin:

Data remnants may still exist is MFT or unallocated spaces

Investigative Questions

This is Forensics

EVERYTHING ties back to:

Who
What
When
Where
Why
How

Each artifact answers different pieces of that puzzle.

EVERYTHING ties back to:

MFT → What existed
$UsnJrnl → What changed and when
Registry → What user did
LNK → What user accessed
Prefetch → What executed
Event Logs → Who logged in
Browser Logs → What user browsed
Memory → What was active
Shadow Copies → What changed over time

BitLocker

BitLocker / Whole Disk Encryption

Personal identity information (PII) and trade secrets caused by computer theft has become more of a concern
Whole disk encryption tools offer the following features:
- Preboot authentication
- Full or partial disk encryption with secure hibernation
- Advanced encryption algorithms
- Key management function
To examine an encrypted drive, decrypt it first

Notes:

IT people sometimes use the same kind of encryption for every piece of information
In order to do this you need to have the Trusted Platform Module (TPM) that makes encryption random keys
Getting more critical nowadays
CloudFlare generates a key based on the location of bubbles in a big lava lamp!
Yes, there are tools to try to bypass this encryption but it is hard.

Examining Microsoft BitLocker

BitLocker is Microsoft's utility for protecting drive data
Hardware and software requirements are as follows:
- A computer capable of running Windows Vista or later
- The TPM microchip, version 1.2 or newer
- A computer BIOS compliant with Trusted Computing Group (TCG)
- Two NTFS partitions
- The BIOS configured so that the hard drive boots first before checking other bootable peripherals

Examining Third-Party Dick Encryption Tools

BitLocker can only encrypt NTFS drives
If you want to encrypt a FAT drive, you need a third-party solution
Available third-party WDE utilities include the following:
- BROADCOM
- Endpoint Encryption
- Jetico BestCrypt Volume Encryption