File Systems

This category contains 32 posts

Windows Search forensics

Analyzing the Windows (Desktop) Search Extensible Storage Engine database by Joachim Metz Summary While some may curse Windows Vista for all its changes, for us forensic investigators it also introduced new interesting ‘features’. One is the integration of Windows (Desktop) Search into the operating system. Most corporations have been reluctant to adopt Vista, however … Continue reading

EnCase file copying and Windows Short File Names

First published May 2010 By Lee Hui Jing, EnCe Edited by Sarah Khadijah Taylor ABSTRACT A couple of months ago, one of my clients, an Investigating Officer from a Law Enforcement Agency, had requested me to extract some of the files from an image copy of a hard disk. The total number of files to … Continue reading

Timeline Analysis – A One Page Guide

First published February 2010 by Darren Quick Comments and suggestions may be sent to Prepare The scope of the request determines the data to be collected, such as within a specific timeframe, and data of relevance such as specific documents, pictures or video. Can be from multiple computers, other digital data holdings, or other … Continue reading

Shrinking the gap: carving NTFS-compressed files

First published October 2009 Recovering deleted NTFS-compressed files By Joachim Metz Hoffmann Investigations 1.0 Joachim Metz September 2, 2009 Initial version. Summary An important part of digital forensic investigation is the recovery of data, particularly files. The recovery of data and files highly depends on the recovery tooling used. This paper focusses on a … Continue reading

Simple Steganography on NTFS when using the NSRL

First published October 2009 Adam Hurwitz Business Intelligence Associates, Inc. 39 Broadway, NYC, NY 10006 Abstract NTFS is structured so that there can be a physical separation of the data that comprises a file and the properties or metadata of the file. One side-effect of this is that when a file is hashed on … Continue reading

Linux for computer forensic investigators: «pitfalls» of mounting file systems

First published October 2009 by Suhanov Maxim ITDefence.Ru Introduction Forensic Linux distribution is a customized Linux distribution that is commonly used to complete different tasks during computer forensics investigations. These distributions are often used to complete the following tasks: – Quick preview of various data storage devices (for example, to determine installed operating system); – … Continue reading

Apple Property List: Comparing the Mac OS X Property List to the Windows Registry

First published April 2009 Dennis Browning Champlain College Burlington, VT Abstract This paper will introduce the Property Lists in the Apple OS X and compare them to the Microsoft Windows Registry. Also within this paper we will examine how important some of the Property List can be to an examination. Examples of crucial information … Continue reading

Forensic Analysis of the Microsoft Windows Vista Recycle Bin

First published May 2008 By Mitchell Machor 1/22/2008 (click here for a PDF version of this paper) – 1 – Introduction Contrary to popular belief, when a file is deleted on a Microsoft operating system, it still exists on the computer. It is hidden away in a location commonly known as the Recycle Bin. … Continue reading

Potential Impacts of Windows Vista on Digital Investigations

First published December 2007 by Christopher Hargreaves and Howard Chivers Paper received 30th April, 2007. C.J.Hargreaves, Cranfield University, Defence Academy of the United Kingdom, Shrivenham, SN6 8SW (+44 (0)1793 785753; e-mail:, Cranfield University, Defence Academy of the United Kingdom, Shrivenham, SN6 8SW (+44(0)1793 785656; e-mail: From Proceedings of Advances in Computer Security and … Continue reading

A Forensic Analysis Of The Windows Registry

First published November 2007 Derrick J. Farmer Champlain College Burlington, Vermont (click here for a revised, quick reference PDF version of this paper) Abstract This paper will introduce the Microsoft Windows Registry database and explain how critically important a registry examination is to computer forensics experts. In essence, the paper will discuss various types of … Continue reading

Windows Vista – notes for forensic examiners (part two)

This article was first published in 2007 at and is reprinted with permission by Jamie Morris Forensic Focus ( Intro In part one of this series [ref 1] we looked at the different editions of Vista available and discussed the various encryption and backup features which might be of interest to forensic examiners. In … Continue reading

Windows Vista – notes for forensic examiners (part one)

This article was first published in 2007 at and is reprinted with permission by Jamie Morris Forensic Focus ( Intro While the fundamental principles of computer forensics remain largely unchallenged, the landscape upon which investigators operate is constantly changing. A combination of new technologies and changing habits of use means that forensic examiners must … Continue reading

Dissecting NTFS Hidden Streams

First published July 2006 by Chetan Gupta NII Consulting, Mumbai Cyber Forensics is all about finding data where it is not supposed to exist. It is about keeping the mind open, thinking like the evil attacker and following the trails taking into account any potential source of evidence. After the analyst has created … Continue reading

Forensic Analysis of the Windows Registry

First published April 2006 Lih Wern Wong School of Computer and Information Science, Edith Cowan University Abstract The Windows registry contains a lot of information that is of potential evidential value or helpful in aiding forensic examiners on other aspects of forensic analysis. This paper discusses the basics of the Windows XP registry and its structure, data … Continue reading

Evidentiary Value of Link Files

First published March 2006 by Nathan Weilbacher I have been reading the posts in Forensic Focus for about a year now and on many occasions I have followed with great interest the threads of discussion on many topics. There are many people posting that have offered suggestions and ideas that have directly influenced the direction … Continue reading
