The Working with Windows and CLI Systems lab provides you with the instructions and devices to develop your hands-on skills in the following topics.
- Disk Partitions
- Deleting NTFS Files
- Examining the Windows Registry
- Hands-On Project 5-1
- Hands-On Project 5-2
- Hands-On Project 5-3
- Hands-On Project 5-4
Exercise 1 - Disk Partitions
One way to examine a partition at the physical level is to use a disk editor, such as Hex Workshop. These tools enable you to view file headers and other critical parts of a file.
Both tasks involve analyzing the key hexadecimal codes the OS uses to identify and maintain the file system. Table 5-1 lists the hexadecimal codes in a partition table and identifies some common file system structures.
In some instances, you might need to identify the OS on an unknown disk. Once the operating system has been identified, it is easier for the forensic examiner to determine the applicable tool to read the data in the disk volume.
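The partition table codes the exercise refers to can be read directly from the first sector of a disk image. The following parser is an added example, not part of the lab or its tools: it walks the four 16-byte entries of an MBR partition table (at offset 0x1BE, followed by the 0x55AA signature), decodes each entry's type byte against a short table of well-known codes, and reports the start and size of every partition. The sample sector is constructed inline, so the script runs without an image; on a real case you would pass the first 512 bytes of the evidence image instead.

```python
from __future__ import annotations
import struct

# Subset of the well-known MBR partition-type codes; enough to identify
# the file systems most often met in practice.
PARTITION_TYPES = {
    0x00: "empty",
    0x04: "FAT16 (<32 MB)",
    0x05: "extended",
    0x06: "FAT16",
    0x07: "NTFS or exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE      # partition table starts after the 446-byte boot code
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE  # 0x55AA boot signature
# Entry layout: status, 3-byte CHS start, type, 3-byte CHS end,
# 32-bit LBA start, 32-bit sector count (all little-endian).
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> list[dict]:
    """Return a dict per non-empty partition entry in the given MBR sector."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0x00:
            continue  # unused slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type_code": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * 512 // (1024 * 1024),
        })
    return entries


def describe(entries: list[dict]) -> list[str]:
    """One human-readable line per partition, as you would put in a report."""
    return [
        f"partition {e['index']}: type 0x{e['type_code']:02X} ({e['type_name']}), "
        f"start LBA {e['lba_start']}, {e['size_mb']} MB"
        + (", bootable" if e["bootable"] else "")
        for e in entries
    ]


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, ptype, lba_start, sectors)


def sample_mbr() -> bytes:
    """Constructed sample sector: a bootable NTFS partition and a FAT32 partition."""
    table = (_entry(0x80, 0x07, 2048, 204800)       # NTFS, 100 MB, boot flag set
             + _entry(0x00, 0x0C, 206848, 409600)   # FAT32 (LBA), 200 MB
             + bytes(ENTRY_SIZE) * 2)               # two empty slots
    return bytes(TABLE_OFFSET) + table + b"\x55\xAA"


if __name__ == "__main__":
    for line in describe(parse_mbr(sample_mbr())):
        print(line)
```

Type 0x07 is shared by NTFS and exFAT, so the partition table alone narrows the candidates; confirming the file system still means reading the volume boot sector's OEM identifier, which is the next thing you would look at in the hex editor.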
Exercise 2 - Deleting NTFS Files
Typically, you use Windows Explorer or File Explorer to delete files from a disk. When a file is deleted in Windows NT and later, the OS renames it and moves it to the Recycle Bin. Another method is using the del (delete) MS-DOS command. This method doesn't rename the file or move it to the Recycle Bin, but it removes the file from the Master File Table (MFT) listing in the same way FAT does.
When you delete a file in Windows Explorer or File Explorer, you can restore it from the Recycle Bin.
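The rename described above is what makes Recycle Bin contents recoverable: on Vista and later Windows versions each deleted file becomes a `$R...` file holding the content and a matching `$I...` file holding the original path, size and deletion time. The parser below is an added example (not part of the lab) for that `$I` metadata record; it handles both on-disk versions (version 1, fixed 520-byte path field; version 2, Windows 10 and later, length-prefixed path) and converts the FILETIME stamp. The sample records and the path under the user profile are constructed here for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """Decode a Recycle Bin $I record: version, original size, deletion time, path."""
    if len(data) < 24:
        raise ValueError("record too short for the 24-byte $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista / 7 / 8: fixed 520-byte field = 260 UTF-16 characters
        raw_path = data[24:24 + 520]
    elif version == 2:
        # Windows 10+: 32-bit character count (including the NUL) then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "size": size,
        "deleted": filetime_to_datetime(ft),
        "path": path,
    }


def make_dollar_i(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Build a $I record (constructed test data, same layout the parser reads)."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


# Constructed sample: a shortcut deleted from a user's Favorites folder.
SAMPLE_PATH = r"C:\Users\drobbins\Favorites\example.url"   # assumed path
SAMPLE_DELETED = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_SIZE = 1234


def sample_records() -> dict:
    return {
        1: make_dollar_i(SAMPLE_PATH, SAMPLE_SIZE, SAMPLE_DELETED, version=1),
        2: make_dollar_i(SAMPLE_PATH, SAMPLE_SIZE, SAMPLE_DELETED, version=2),
    }


if __name__ == "__main__":
    for ver, rec in sample_records().items():
        info = parse_dollar_i(rec)
        print(f"v{ver}: {info['path']} ({info['size']} bytes) deleted {info['deleted']:%Y-%m-%d %H:%M:%S} UTC")
```

A file removed with `del` never gets a `$I` record, which is why the two deletion paths leave different traces: Recycle Bin deletions keep the original name and timestamp in `$I`, while `del` leaves only the MFT entry to recover.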
Exercise 3 - Examining the Windows Registry
Some forensics tools, such as ProDiscover, X-Ways Forensics, OSForensics, and FTK, have built-in or add-on Registry viewers. For this next activity, your company's Legal Department has asked you to search for any references in the Internet Explorer Favorites folder of a user named Denise Robbins.
For this exercise, you use OSForensics to examine Denise Robbins’ NTUser.dat file. If you find any items of interest, add them to an OSForensics case report that you can give to the paralegal. The following steps explain how to generate a case report in OSForensics.