Each Windows disk contains a hidden folder named Recycled (FAT/FAT32), or Recycler (NTFS). This folder is where Windows 9x and Windows NT/2000 keep deleted files.
When a user deletes a file, the complete path, file name and date of deletion are stored in a hidden file called INFO or INFO2 (Windows 98/2000) in the Recycled/Recycler folder. The deleted file is renamed, using the following syntax:
D<original drive letter of file><#>.<original extension>
New file name:
Dc1.txt = (C drive, second file deleted, a .txt file)
INFO file path:
Each Windows drive will contain a Recycled/Recycler folder upon the first file deletion.
Note: ProDiscover® will parse the INFO/INFO2 File and interpret the results if desired. Just right click on any INFO or INFO2 file from Content View and choose "View as INFO".
ATA Hardware/Host Protected Areas (HPA).
ATA Specifications added the “Protected Area” as a means for PC distributors to ship diagnostic utilities with PCs. Simply put, the hardware protected area is an area of the hard drive that is not reported to the system BIOS and operating system. Because the protected area is not normally seen, most disk forensics imaging tools will not image this area. We have seen an emergence of new utilities available allowing PC users to take advantage of this “Protected Area” to store user data. One such utility is the commercial product AREA51.
In some cases forensics examiners can identify the use of the Protected Area by analyzing the boot partition, which may contain boot options for the area. Current versions of AREA51 modify the boot partition by changing the boot loader to include pointers to the protected area.
Users can also detect the use of an ATA Protected Area by doing a little disk math. Consider the following scenario:
The user is about to image a disk that is labeled with, or is known to have, a CHS (Cylinder Head Sector) value of 16383/16/63. To find the total number of sectors that should be reported, multiply Cylinders x Heads x Sectors: 16383 x 16 x 63 = 16,514,064 total sectors. If the user started an image of the disk and noticed it only reported 4,192,965 sectors, then they would be missing around 6 gigs of data area, depending on how many bytes were used in each sector. To establish the total disk size, multiply total sectors x bytes per sector (normally 512). In this case the disk should be 8.4 GB, but was reporting about 2 GB.
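The disk math above, written out as an added Python example (it is not part of ProDiscover or of the original page). The function names are hypothetical, and gap_from_hdparm assumes the "max sectors" line printed by the Linux command hdparm -N, a tool the page does not mention.

```python
import re

SECTOR_BYTES = 512   # the usual sector size; confirm it for the drive at hand

def chs_sectors(cylinders, heads, sectors):
    """Sector count implied by a CHS geometry, e.g. from the drive label."""
    return cylinders * heads * sectors

def hpa_gap(expected, reported, sector_bytes=SECTOR_BYTES):
    """Compare the sector count a drive should have with what it reports."""
    hidden = max(expected - reported, 0)
    return {
        "expected_bytes": expected * sector_bytes,
        "reported_bytes": reported * sector_bytes,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * sector_bytes,
        "hpa_suspected": hidden > 0,
    }

# Linux `hdparm -N /dev/sdX` prints a line such as:
#   max sectors   = 4192965/16514064, HPA is enabled
MAX_SECTORS = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")

def gap_from_hdparm(output):
    """Run the same comparison on hdparm's visible/native sector counts."""
    m = MAX_SECTORS.search(output)
    if m is None:
        raise ValueError("no 'max sectors' line in hdparm output")
    visible, native = map(int, m.groups())
    return hpa_gap(native, visible)

if __name__ == "__main__":
    # The page's scenario: label says 16383/16/63, imaging tool sees 4,192,965.
    r = hpa_gap(chs_sectors(16383, 16, 63), 4192965)
    print(f"hidden: {r['hidden_sectors']} sectors, {r['hidden_bytes'] / 1e9:.1f} GB")
```

ATA drives larger than 8.4 GB all report the 16383/16/63 geometry, so for those drives compare against the LBA sector count printed on the label rather than the CHS product.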
ProDiscover® includes a device driver that allows ProDiscover® to detect and look inside the Hardware Protected Area. When ProDiscover® is launched, the device driver reads all Hardware Protected Area information from the disk to detect if the HPA is in use, then sends a single command, "SET MAX ADDRESS" (Volatile option), to any disk added to the project. This process allows users to image the complete drive. In accordance with the HPA technical specifications, once the machine is power-cycled the drive is automatically returned to its original state.
Often ProDiscover® will automatically detect and add file system partitions within the HPA to your directly added disks so they may be viewed as a normal partition in Content-View or Cluster-View. Since the HPA technical specification does not specify where a file system starts or what type of file system resides within the HPA, ProDiscover® provides a tool for scanning the HPA to detect any file systems inside and adding the file system partition to the current project. All file systems added to a project from the HPA will have [HPA] appended in the tree-view to clearly identify their origin. See Using ProDiscover for specific steps and tasks involving the HPA.
Technology Pathways also provides a DOS utility application "PARemove.exe" that allows forensics examiners to remove the Hardware Protected Area permanently thereby enabling any other imaging tool to image all sectors of the disk. If the examiner suspects that the Hardware Protected Area has been utilized on the disk, they only need run PARemove.exe from a DOS boot disk to remove the HPA.
Alternate Data Streams in Windows NT/2000/XP.
Alternate Data Streams (ADS) have been available to Windows NT and 2000 systems ever since the first version of NTFS. ADS was originally created to allow Windows NT to support Macintosh computers, which keep some file information in Resource Forks.
While ADS was created for Mac file support, any user can utilize ADS to hide data or files within a system which uses NTFS formatted drives. It is easy to hide data with ADS and only requires a few steps as shown by the following:
Now try the same thing without appending the ADS to any file.
While ADS files are not viewable in Windows NT/2000 through normal file views, there are several utilities which allow you to detect the presence of ADS files. Unfortunately these utilities do not always detect the presence of all ADS files. In particular, ADS files which have not been created as appended to a visible file are sometimes not reported. ProDiscover® detects all ADS files and displays them in "Content View", highlighted in red by default.
System $ meta files in Windows NT/2000/XP.
When viewing an NTFS partition in Content-view users will notice files not normally seen which all begin with $ and are highlighted in green by default. These files are NTFS meta files and contain a great deal of information about the file system.
Each metafile has an inode number and description as listed here:
Inode 0, $MFT: Master File Table - An index of every file
Inode 1, $MFTMirr: A backup copy of the first 4 records of the MFT
Inode 2, $LogFile: Transactional logging file
Inode 3, $Volume: Serial number, creation time, dirty flag
Inode 4, $AttrDef: Attribute definitions
Inode 5, . (dot): Root directory of the disk
Inode 6, $Bitmap: Contains volume's cluster map (in-use vs. free)
Inode 7, $Boot: Boot record of the volume
Inode 8, $BadClus: Lists bad clusters on the volume
Inode 9, $Quota (NT): Quota information
Inode 9, $Secure (2K): Security descriptors used by the volume
Inode 10, $UpCase: Table of uppercase characters used for collating
Inode 11, $Extend (2K): A directory: $ObjId, $Quota, $Reparse, $UsnJrnl
A great deal of information about these files and the NTFS file system can be found online at http://linux-ntfs.sourceforge.net/ntfs/index.html
EXIF Meta Data found in JPG graphics files.
The Japanese Electronic Industry Development Association (JEIDA) created a standard for the storage of camera and image metadata in JPEG and TIFF files. Most digital camera manufacturers have implemented this standard and now store camera metadata along with the digital image. This metadata can potentially provide vital evidence to investigators such as when the picture was taken, what camera was used in capturing the image and in some cases, who took the image or where the image was captured.
The Tag tables in EXIF meta data provide a tremendous amount of potentially useful information if contained in the EXIF section of a JPEG file. While it is cumbersome to try to pull this data manually from the file, programs exist today to extract this data for the investigator. Programs such as EXIFutils or IMatch can be used to view this information. Technology Pathways' forensic tool, ProDiscover, will automatically extract and report this information for investigators if desired for all JPEG and TIFF files marked as evidence of interest. This can open up a whole new avenue for investigators and capture EXIF metadata in an evidentiary quality manner to be used in court at a later date.
To view the EXIF meta data of a JPG or TIF file in ProDiscover, simply right-click on any .jpg or .tif graphic file from content-view and select "View EXIF data".
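What pulling this data manually involves, as an added Python example (not code from ProDiscover or from the original page). It walks the JPEG segments to the Exif APP1 segment and reads three ASCII tags from the first tag table (IFD0); the function names and the sample image bytes are constructed for illustration.

```python
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}  # ASCII tags in IFD0

def exif_tags(jpeg):
    """Return the TAGS entries found in IFD0 of a JPEG's Exif APP1 segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return parse_ifd0(body[6:])
        if marker == 0xDA or seglen < 2:      # image data starts, or corrupt length
            break
        pos += 2 + seglen
    return {}

def parse_ifd0(tiff):
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # Intel or Motorola byte order
    if order is None or len(tiff) < 8 or struct.unpack_from(order + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header")
    ifd = struct.unpack_from(order + "I", tiff, 4)[0]
    if ifd + 2 > len(tiff):
        return {}
    count = struct.unpack_from(order + "H", tiff, ifd)[0]
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:                   # directory runs past the segment
            break
        tag, typ, n, value = struct.unpack(order + "HHI4s", entry)
        if tag in TAGS and typ == 2:          # type 2 = NUL-terminated ASCII
            off = struct.unpack(order + "I", value)[0]
            raw = value[:n] if n <= 4 else tiff[off:off + n]
            found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found

def sample_jpeg():
    """Constructed sample: SOI, one Exif APP1 segment (little-endian), EOI."""
    make, when = b"ExampleCam\x00", b"2004:01:02 03:04:05\x00"
    data = 8 + 2 + 2 * 12 + 4                 # header + count + 2 entries + next-IFD
    tiff = b"II" + struct.pack("<HIH", 42, 8, 2)
    tiff += struct.pack("<HHII", 0x010F, 2, len(make), data)
    tiff += struct.pack("<HHII", 0x0132, 2, len(when), data + len(make))
    tiff += bytes(4) + make + when
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```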
Common timeline analysis techniques often focus on the Modified, Accessed, and Created, or MAC timestamps placed on files in the NTFS file system. Some investigations benefit by understanding how normal MAC times relate to lower level information such as when specific metadata attributes were changed.
Two metadata attributes of interest to investigators in the NTFS file system are the Master File Table (MFT) $STANDARD_INFO and $FILE_NAME. Both attributes contain their own entry last modified timestamps that are displayed by ProDiscover in the project report and in sortable columns in the content view work area. The MFT $STANDARD_INFO attribute contains general information about a file such as flags, last accessed, written, created times, owner, and security ID. The MFT $FILE_NAME attribute contains the file name in Unicode, and also the last accessed, written and created times. MFT entry modified times can be found in the project report as "MFT STANDARD INFO entry modified:" and "MFT FILE NAME entry modified:". These values are listed in the content-view work area in columns as "MFT $STANDARD_INFO Modified" and "MFT $FILE_NAME Modified".
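How these values sit in a raw MFT record, as an added Python example (not ProDiscover code and not part of the original page). It walks the attributes of one FILE record, returns the four timestamps held in $STANDARD_INFORMATION (the attribute the page calls $STANDARD_INFO) and in $FILE_NAME, and lists named $DATA attributes, which is how the Alternate Data Streams described earlier are stored. Function names and the sample record are constructed, and update sequence fixups are assumed to have been applied already.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)    # FILETIME counts from here
FIELDS = ("created", "modified", "mft_modified", "accessed")

def attributes(rec):
    """Yield (type, offset, name) for each attribute in one MFT FILE record."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos = struct.unpack_from("<H", rec, 0x14)[0]      # offset of first attribute
    while pos + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen < 24:          # end marker or corrupt length
            return
        nlen, noff = struct.unpack_from("<BH", rec, pos + 9)
        name = rec[pos + noff:pos + noff + 2 * nlen].decode("utf-16-le", "replace")
        yield atype, pos, name
        pos += alen

def mft_times(rec):
    """Times in resident $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30)."""
    out = {}
    for atype, pos, _ in attributes(rec):
        if atype in (0x10, 0x30) and rec[pos + 8] == 0:
            body = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
            body += 8 if atype == 0x30 else 0         # skip parent directory reference
            ticks = struct.unpack_from("<4Q", rec, body)
            key = "$STANDARD_INFORMATION" if atype == 0x10 else "$FILE_NAME"
            out[key] = {f: EPOCH + timedelta(microseconds=t // 10)
                        for f, t in zip(FIELDS, ticks)}
    return out

def named_streams(rec):
    """Names of named $DATA (0x80) attributes, i.e. alternate data streams."""
    return [name for atype, _, name in attributes(rec) if atype == 0x80 and name]

def sample_record():
    """Constructed record: both timestamp attributes and one named $DATA stream."""
    ft = lambda y: int((datetime(y, 1, 1, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    def attr(atype, content, name=""):
        pad = name.encode("utf-16-le") + bytes(-2 * len(name) % 8)
        return struct.pack("<IIBBHHHIHH", atype, 24 + len(pad) + len(content), 0, len(name),
                           24, 0, 0, len(content), 24 + len(pad), 0) + pad + content
    si = struct.pack("<4Q", ft(2003), ft(2004), ft(2005), ft(2006))
    fn = bytes(8) + struct.pack("<4Q", *[ft(2003)] * 4)
    return (b"FILE" + bytes(16) + struct.pack("<H", 56) + bytes(34) + attr(0x10, si)
            + attr(0x30, fn) + attr(0x80, b"hidden!!", "secret") + b"\xff" * 4 + bytes(4))
```

In the sample, $STANDARD_INFORMATION carries a later entry-modified time (2005) than $FILE_NAME (2003), the kind of difference the two ProDiscover columns let an examiner sort on.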