1 - Windows Forensics.pdf
The slides cover an introduction to Windows Forensics with a focus on Windows File Systems. Here’s a compact summary:
- Computer and Forensics Overview:
  - Computers process data according to instructions to produce information. Computer Forensics (analysing computers as evidence) is distinguished from Computational Forensics (using computers to analyse non-digital evidence).
- Boot Process:
  - Describes how the BIOS identifies devices and loads the operating system (OS) from the Master Boot Record (MBR).
- Windows File Systems:
  - FAT and NTFS are the two main file systems. NTFS is the more modern of the two: it supports larger file sizes and is more efficient, but is less compatible with other operating systems.
- NTFS (New Technology File System):
  - Contains crucial structures such as $MFT (Master File Table), $LogFile, $Volume, $Secure (access control lists) and file attributes.
  - $MFT holds a record for each file with its timestamps, filenames and the location of its data. Small file content is stored as a resident attribute inside the MFT record itself; larger content is non-resident, with the record pointing to where the data lives on the volume.
- Forensic Artefacts:
  - $LogFile: keeps the file system stable and recoverable; its entries can be parsed in forensic investigations.
  - Alternate Data Streams (ADS): NTFS lets a file carry additional named data streams, in which data can be hidden; used for both legitimate and illicit purposes.
  - Metadata: key forensic data includes file-system metadata (permissions, timestamps) and file metadata (embedded by applications).
- File Deletion in NTFS:
  - Files are "deleted" by marking the space they occupy as unallocated; the data itself remains on disk and can be recovered until it is overwritten.
- Microsoft's ReFS:
  - A resilient file system mainly for Windows Server, designed for scalability and reliability.
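As an added illustration of the $MFT, ADS and deletion points above (example code written for this summary, not taken from the slides): the block builds a constructed MFT FILE record with a resident $STANDARD_INFORMATION attribute, an unnamed $DATA attribute and a named $DATA stream, clears the in-use flag as a deletion would, and parses it back. Header and attribute offsets follow the public NTFS on-disk layout; the constructed record omits the update-sequence fixups that a parser of real records must apply first.

```python
# NTFS MFT FILE-record walker (added example): offsets follow the public NTFS on-disk layout; the record bytes are constructed, not read from a real volume.
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
def to_filetime(dt):  # FILETIME = 100-ns ticks since 1601-01-01 UTC
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10
def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
def resident_attr(atype, body, name=""):
    # 24-byte resident attribute header, optional UTF-16LE name, content, padded to 8 bytes
    nm = name.encode("utf-16-le")
    coff = 0x18 + len(nm)
    total = (coff + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0, len(body), coff, 0, 0)
    return hdr + nm + body + b"\0" * (total - coff - len(body))
def mft_record(attrs, in_use=True):
    # FILE header; flags bit 0 = "in use". Deleting a file clears it but leaves the attributes on
    # disk. Real records also carry update-sequence fixups per 512-byte sector (omitted here).
    body = b"".join(attrs) + b"\xff\xff\xff\xff"  # 0xFFFFFFFF terminates the attribute list
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      1 if in_use else 0, 0x38 + len(body), 1024)
    return (hdr.ljust(0x38, b"\0") + body).ljust(1024, b"\0")
def parse_record(rec):
    assert rec[:4] == b"FILE", "not an MFT FILE record"
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    out, off = {"in_use": bool(flags & 1), "attrs": []}, first_attr
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:
        atype, alen, nonres, nlen, noff = struct.unpack_from("<IIBBH", rec, off)
        a = {"type": ATTR.get(atype, hex(atype)), "resident": not nonres,
             "name": rec[off + noff: off + noff + 2 * nlen].decode("utf-16-le")}
        if not nonres:  # content is inside the record; non-resident data lives in clusters
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff: off + coff + clen]
            if atype == 0x10:  # four FILETIMEs: created, modified, MFT-modified, accessed
                stamps = (from_filetime(t).isoformat() for t in struct.unpack_from("<4Q", content))
                a["times"] = dict(zip(("created", "modified", "mft_modified", "accessed"), stamps))
            elif atype == 0x80:
                a["data"] = content
        out["attrs"].append(a)
        off += alen
    return out
def demo():
    t = to_filetime(datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))
    si = resident_attr(0x10, struct.pack("<4Q", t, t, t, t) + b"\0" * 16)
    main = resident_attr(0x80, b"hello")                 # unnamed $DATA = the file's own content
    ads = resident_attr(0x80, b"secret", name="hidden")  # named $DATA = alternate data stream
    return parse_record(mft_record([si, main, ads], in_use=False))
```

The parsed result shows why a "deleted" file is recoverable: only the in-use flag changed, while the timestamps, the main content and the hidden stream are all still readable from the record.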
This overview provides foundational knowledge in forensic analysis of Windows file systems, with practical applications in identifying and recovering digital evidence from NTFS structures.