What is Operating system forensics?

Definition: Operating System Forensics is the process of retrieving useful information from

the Operating System (OS) of the computer or mobile device in question. The aim of
collecting this information is to acquire empirical evidence against the perpetrator.
Overview: The understanding of an OS and its file system is necessary to recover data for
computer investigations. The file system provides an operating system with a roadmap to data
on the hard disk. The file system also identifies how hard drive stores data. There are many
file systems introduced for different operating systems, such as FAT, exFAT, and NTFS for
Windows Operating Systems (OSs), and Ext2fs, or Ext3fs for Linux OSs. Data and file
recovery techniques for these file systems include data carving, slack space, and data hiding.
Another important aspect of OS forensics is memory forensics, which incorporates virtual
memory, Windows memory, Linux memory, Mac OS memory, memory extraction, and swap
spaces. OS forensics also involves web browsing artifacts, such as messaging and email
artifacts. Some indispensable aspects of OS forensics are discussed in subsequent sections.

What are the types of Operating systems?

The most popular types of Operating Systems are Windows, Linux, Mac, iOS, and Android.

Windows

Windows is a widely used OS designed by Microsoft. The file systems used by Windows
include FAT, exFAT, NTFS, and ReFS. Investigators can search out evidence by analyzing
the following important locations of the Windows:

 Recycle Bin: This holds files that have been discarded by the user. When a user deletes files,
a copy of them is stored in recycle bin. This process is called “Soft Deletion.” Recovering
files from recycle bin can be a good source of evidence.

 Registry: Windows Registry holds a database of values and keys that give useful pieces of
information to forensic analysts. For example, see the table below that provides registry keys
 and associated files that encompasses user activities on the system.

  NTFS, which stands for NT file system and the New Technology File System, is the file
system that the Windows NT operating system (OS) uses for storing and retrieving files on
hard disk drives (HDDs) and solid-state drives (SSDs). NTFS is the Windows NT equivalent
of the Windows 95 file allocation table (FAT) and the OS/2 High Performance File System
(HPFS). However, NTFS offers several improvements over FAT and HPFS in terms of
performance, extendibility and security.
NTFS is one type of file system. File systems are generally differentiated by the OS and the
type of drive they are being used with. Today, there is also a distributed file system (DFS)
where files are stored across multiple servers but is accessed and handled as if it were stored
locally. A DFS enables multiple users to easily share data and files on a network and provides
redundancy.

Microsoft Windows and some removable storage devices use NTFS to organize, name and
store files. NTFS is an option for formatting SSDs -- where its speed is particularly useful --
HDDs, USBs and micro SD cards that are used with Windows.
Depending on the storage capacity of the device, the OS used and the type of drive, a
different file system may be preferable, such as FAT32 or Extended FAT (exFAT). Each file
system has benefits and drawbacks. For example, security and permissions are more
advanced with NTFS than exFAT and FAT32. On the other hand, FAT32 and exFAT work
better with non-Windows OSes, such as Mac and Linux.

NTFS features

One distinguishing characteristic of NTFS, compared with FAT, is that it allows for file
permissions and encryption. Notable features of NTFS include the following:

 Organizational efficiency. NTFS uses a b-tree directory scheme to keep track of file

clusters. This is significant because it allows for efficient sorting and organization of
files.

 Accessible data. It stores data about a file's clusters and other data in the MFT, not just in
an overall governing table as with FAT.

 File size. NTFS supports very large files.

 User permissions. It has an access control list that lets a server administrator control who
can access specific files.

 Compression. Integrated file compression shrinks file sizes and provides more storage

space.

 Unicode file naming. Because it supports file names based on Unicode, NTFS has a
more natural file-naming convention and allows for longer file names with a wider array
of characters. Non-Unicode naming conventions sometimes require translation.

 Secure. NTFS provides security for data on removable and nonremovable disks.

 Requires less storage. It has support for sparse files that replaces empty information --
long strings of zeros -- with metadata that takes up a smaller volume of storage space.

 Easy volume access. NTFS uses mounted volumes, meaning disk volumes can be
accessed as normal folders in the file system.
Boot process: Booting is the process of starting or resetting the computer when the user turns
the system on. The process includes getting both the hardware and software ready and
running. The booting process is of two types:
 Cold booting: The process happening when we first turn on the computer. Also called as
hard boot, this happens when user completely cuts the power supply to the system.
 Warm booting is the process happening when we reset the computer. In this process, the
user restarts the system via operating system.
During the process of booting, the computer loads the operating system to its memory or
RAM and prepares it for use. During initialization, the system switches on the BIOS and
loads it onto the ROM. BIOS stores the first instruction, which is the command to perform
the power-on self-test (POST). Under POST, the system checks the BIOS chip and CMOS
RAM.

Windows Boot Process

Windows XP, Vista, and 7 OSs power on and start up using the traditional BIOS-MBR
method. Whereas, the Microsoft operating systems starting with Windows 8 and later
versions will use either traditional BIOS-MBR method or newer UEFI-GPT method
according to the user choice.

Below is process that occurs within the system when switched ON.
1. When the user switches the system ON, CPU sends a Power Good signal to motherboard
and checks for computer’s BIOS firmware.
2. BIOS starts a Power-On Self-Test (POST) which checks if all the hardware required for
system boot are available and load all the firmware settings from nonvolatile memory on
the motherboard.
3. If POST is successful, add-on adapters perform a self-test for integration with the system.
4. The pre-boot process will complete with POST, detecting a valid system boot disk.
5. After POST, the computer’s firmware scans boot disk and loads the master boot
record (MBR), which search for basic boot information in Boot Configuration Data
(BCD),
6. MBR triggers Bootmgr.exe, which locates Windows loader (Winload.exe) on the
Windows boot partition and triggers Winload.exe.
7. Windows loader loads the OS kernel ntoskrnl.exe.
8. Once the Kernel starts running, the Windows loader loads HAL.DLL, boot-class device
drivers marked as BOOT START and the SYSTEM registry hive into the memory.
9. Kernel passes the control of boot process to the Session Manager Process (5MSS.exe),
which loads all other registry hives and drivers required to configure Win32 subsystem
run
10. Session Manager Process triggers Winfogon.exe, which presents the user logon screen
for user authorization.
11. Session Manager Process initiates Service control manager, which starts all the services,
rest of the non-essential device drivers, the security subsystem L5ASS.EXE and Group
policy scripts.
12. Once user logs in, Windows creates a session for the user.
13. Service control manager starts the Explorer.exe and initiates the Desktop Window
Manager (DMW) process, which set the desktop for the user.
File metadata: In the world of digital forensics, metadata is the data and information that is
part of or attached to some other more obvious piece of data. We usually think of metadata
being associated with a particular file. Every file on a computer has some amount of metadata
associated with it. The amount, type and usefulness of that data depends on the type of file
and the type of investigation.
Metadata, often described as data about data, allows digital or computer forensic investigators
to understand the history of a particular electronic file, including when the file was created,
modified and accessed, among other information that can be used to describe the file. The file
can be in any digital format, ranging from a document file to a spreadsheet, image, video and
audio, as well as web pages.
Just like a regular investigator would follow a paper trail, which is a series of written
evidence, computer forensic investigators would follow a digital trail instead. This means
reviewing digital data and their metadata, the unique identifying markers associated with
each digital file, to look for evidence that can help a legal argument.

Common types of metadata

There are three main types of metadata:
 Descriptive metadata is about the contents of a file and usually contains the author,
title, abstract and keywords.
 Structural metadata is about the relationship between different data and how they are
being put together.
 Administrative metadata is about ownership, rights management and other technical
information such as what program was used.

What is Hashing?
Hashing is an algorithm that calculates a fixed-size bit string value from a file. A file
basically contains blocks of data. Hashing transforms this data into a far shorter fixed-length
value or key which represents the original string. The hash value can be considered the
distilled summary of everything within that file.
A good hashing algorithm would exhibit a property called the avalanche effect, where the
resulting hash output would change significantly or entirely even when a single bit or byte of
data within a file is changed. A hash function that does not do this is considered to have poor
randomization, which would be easy to break by hackers.
A hash is usually a hexadecimal string of several characters. Hashing is also a unidirectional
process so you can never work backwards to get back the original data.
A good hash algorithm should be complex enough such that it does not produce the same
hash value from two different inputs. If it does, this is known as a hash collision. A hash
algorithm can only be considered good and acceptable if it can offer a very low chance of
collision.
Types of Hashing
There are many different types of hash algorithms such as RipeMD, Tiger, xxhash and more,
but the most common type of hashing used for file integrity checks are MD5, SHA-2 and
CRC32.
MD5 - An MD5 hash function encodes a string of information and encodes it into a 128-bit
fingerprint. MD5 is often used as a checksum to verify data integrity. However, due to its
age, MD5 is also known to suffer from extensive hash collision vulnerabilities, but it’s still
one of the most widely used algorithms in the world.
SHA-2 – SHA-2, developed by the National Security Agency (NSA), is a cryptographic hash
function. SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2
family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512
bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.
CRC32 – A cyclic redundancy check (CRC) is an error-detecting code often used for
detection of accidental changes to data. Encoding the same data string using CRC32 will
always result in the same hash output, thus CRC32 is sometimes used as a hash algorithm for
file integrity checks. These days, CRC32 is rarely used outside of Zip files and FTP servers.