Part 1 of 6

Computer Forensics Fundamentals

🕑 120-150 minutes 📖 Intermediate Level 📋 Module 3

Introduction

Computer forensics is the cornerstone of digital investigations. This part covers the fundamental concepts of operating system architecture and file systems that every forensic examiner must understand. We'll explore Windows, Linux, and macOS from a forensic perspective, focusing on where evidence resides and how to extract it.

📚 Learning Objectives

By the end of this part, you will understand the architecture of major operating systems, navigate their file system structures (NTFS, ext4, APFS), identify key forensic artifacts, and know where to look for evidence on each platform.

Windows Operating System Architecture

Microsoft Windows dominates the desktop market with over 70% market share, making it the most common target for forensic examination. Understanding Windows architecture is essential for any forensic practitioner.

Windows Architecture Layers

Windows operating system architecture, top (least privileged) to bottom:
  • User Applications
  • System Processes
  • Services
  • Windows API (Win32/Win64)
  ---- user mode / kernel mode boundary ----
  • Executive Services
  • Windows Kernel
  • HAL (Hardware Abstraction Layer)
  • Hardware

Key Windows Directories for Forensics

# Critical Windows forensic locations
C:\Windows\System32\config\                        # Registry hives (SAM, SYSTEM, SOFTWARE, SECURITY, DEFAULT)
C:\Windows\System32\winevt\Logs\                   # Event logs (.evtx)
C:\Windows\Prefetch\                               # Prefetch files (.pf): evidence of program execution
C:\Windows\System32\Tasks\                         # Scheduled task definitions (XML)

# User profile locations
C:\Users\[username]\NTUSER.DAT                     # Per-user registry hive (HKCU)
C:\Users\[username]\AppData\Local\                 # Local application data
C:\Users\[username]\AppData\Roaming\               # Roaming application data
C:\Users\[username]\AppData\Local\Microsoft\Windows\UsrClass.dat   # Per-user class hive (HKCU\Software\Classes; holds ShellBags)

# Recent activity artifacts
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Recent\                          # LNK shortcut files
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\    # Jump Lists (*.automaticDestinations-ms)
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\       # Jump Lists (*.customDestinations-ms)

Windows Version Identification

Version          Build number        Key forensic differences
Windows 7        7600 / 7601 (SP1)   Jump Lists introduced; .evtx event logs (the format arrived with Vista)
Windows 8/8.1    9200 / 9600         Modern (Store) apps and their caches
Windows 10       10240+              Timeline (ActivitiesCache.db, from 1803), Cortana, notification database
Windows 11       22000+              Hardened defaults (TPM 2.0 required); Recall on Copilot+ PCs (newer builds)

NTFS File System

NTFS (New Technology File System) is the default file system for Windows since Windows NT. Understanding NTFS structure is critical for recovering deleted files, analyzing timestamps, and finding hidden data.

NTFS Architecture

NTFS disk structure (simplified, from the start of the volume):
  • Boot Sector: BIOS Parameter Block with the cluster size and the starting cluster of $MFT
  • $MFT (Master File Table)
  • Data Area: file content and index records
  • $MFTMirr: copy of the first MFT entries, used when $MFT itself is damaged

Master File Table (MFT)

The MFT is the heart of NTFS. Every file and directory has at least one entry (FILE record) in the MFT. Each entry is 1024 bytes on practically all volumes (the size is recorded in the boot sector) and stores the file's metadata as a list of attributes; small files fit entirely inside their entry.

Forensic Significance of MFT

Deleting a file does not wipe its MFT entry: NTFS only clears the in-use flag, so the entry's attributes (name, timestamps, and either the resident content or the data runs pointing at the clusters) survive until the entry is reused. Parsing $MFT therefore reveals deleted files, their original timestamps and their on-disk locations long after they disappear from directory listings.

Key MFT Attributes

# Important NTFS MFT attributes
$STANDARD_INFORMATION (0x10)
  - Created, Modified, MFT-entry-modified, Accessed timestamps
  - File attribute flags (read-only, hidden, system, archive ...)
  # Note: these are the timestamps shown by Explorer and dir, and any user-mode program can rewrite them with SetFileTime()
$FILE_NAME (0x30)
  - File name (a second $FILE_NAME holds the 8.3 short name when one exists)
  - Parent directory reference
  - Created, Modified, MFT-entry-modified, Accessed timestamps
  # Note: written only by the kernel (set at creation, rewritten on rename/move); harder to manipulate, so compare against $STANDARD_INFORMATION
$DATA (0x80)
  - Actual file content
  - Resident (small files, roughly under 700 bytes, stored inside the MFT entry) or non-resident (data runs pointing at clusters)
$INDEX_ROOT (0x90) / $INDEX_ALLOCATION (0xA0)
  - Directory indexes ($I30)
  - Slack space in index records retains entries for deleted files ($I30 parsing)

NTFS Timestamps (MACB)

Timestamp          $STANDARD_INFORMATION                                              $FILE_NAME
Modified (M)       File content written                                               Set when the attribute is created; rewritten by the kernel on rename/move
Accessed (A)       Last read (updates disabled or throttled by default since Vista;   Set when the attribute is created; rewritten on rename/move
                   see NtfsDisableLastAccessUpdate in HKLM\SYSTEM\...\FileSystem)
Changed (C)        MFT entry changed (any attribute, ACL, rename)                     Set when the attribute is created; rewritten on rename/move
Born (B)           File creation                                                      Creation of the $FILE_NAME attribute

Because user-mode APIs touch only $STANDARD_INFORMATION, a $STANDARD_INFORMATION creation time that is earlier than the $FILE_NAME creation time is the classic timestomping indicator, as are timestamps that all fall on a whole second.
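To see how the two attribute sets are laid out and compared in practice, here is an added Python example (written for this edit, not part of the original module): it builds a 1024-byte FILE record in memory whose $STANDARD_INFORMATION was backdated to 2019 while $FILE_NAME keeps the real 2024 creation time, undoes the sector fixups, parses both attributes and reports the timestomping indicators described above. The record, file name and timestamps are constructed; the offsets come from the public NTFS on-disk layout.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                     # FILETIME = 100 ns ticks since 1601-01-01 UTC
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
MFT_RECORD_SIZE, SECTOR = 1024, 512
MACB = ("created", "modified", "mft_modified", "accessed")   # order used inside both attributes


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86_400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10


def apply_fixups(record):
    """Undo the update sequence array. NTFS overwrites the last two bytes of every
    sector with the update sequence number (USN) and keeps the real bytes in the
    array; skipping this step corrupts any attribute that spans a sector boundary."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn write or not a FILE record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_mft_record(record):
    """Header flags plus $STANDARD_INFORMATION / $FILE_NAME timestamps (resident attributes)."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & 1), "directory": bool(flags & 2)}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                              # resident: content lives in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == STANDARD_INFORMATION:
                ticks = struct.unpack_from("<4Q", content, 0)
                info["si_ticks"] = ticks
                info["si"] = dict(zip(MACB, map(filetime_to_datetime, ticks)))
            elif atype == FILE_NAME:
                ticks = struct.unpack_from("<4Q", content, 8)   # after the parent directory reference
                name_len, namespace = content[0x40], content[0x41]
                name = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
                if namespace != 2 or "fn" not in info:         # keep the long name over an 8.3 DOS name
                    info["fn"] = dict(zip(MACB, map(filetime_to_datetime, ticks)), name=name)
        off += alen
    return info


def timestomp_indicators(info):
    """$SI is what SetFileTime() edits; $FN is written only by the kernel."""
    findings = []
    si, fn = info.get("si"), info.get("fn")
    if si and fn and si["created"] < fn["created"]:
        findings.append("$SI creation time predates $FN creation time")
    if "si_ticks" in info and all(t % TICKS_PER_SECOND == 0 for t in info["si_ticks"]):
        findings.append("all $SI timestamps fall on a whole second (typical of timestomping tools)")
    return findings


def build_record(record_no, name, si_ticks, fn_ticks, usn=0x0007):
    """Constructed 1024-byte record: header, resident $SI, resident $FN, end marker, fixups."""
    def attr(atype, attr_id, content):
        content += b"\x00" * (-len(content) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(content), 0, 0, 0, 0,
                           attr_id, len(content), 0x18, 0, 0) + content
    si = struct.pack("<4QI", *si_ticks, 0x20) + b"\x00" * 36           # 0x20 = FILE_ATTRIBUTE_ARCHIVE
    fn = (struct.pack("<Q4QQQIIBB", (5 << 48) | 5, *fn_ticks, 4096, 1337, 0x20, 0, len(name), 1)
          + name.encode("utf-16-le"))                                    # parent = root directory (entry 5)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 0x01,
                      0, MFT_RECORD_SIZE, 0, 2, 0, record_no)
    rec = bytearray(hdr + b"\x00" * 8 + attr(STANDARD_INFORMATION, 0, si)
                    + attr(FILE_NAME, 1, fn) + struct.pack("<II", END_MARKER, 0))
    struct.pack_into("<I", rec, 0x18, len(rec))                          # bytes in use
    rec += b"\x00" * (MFT_RECORD_SIZE - len(rec))
    struct.pack_into("<H", rec, 0x30, usn)
    for i in (1, 2):                # stash each sector's last two bytes in the USA, write the USN there
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[i * SECTOR - 2:i * SECTOR]
        struct.pack_into("<H", rec, i * SECTOR - 2, usn)
    return bytes(rec)


def demo():
    """Constructed scenario: an attacker backdated report.docx with SetFileTime()."""
    real = datetime_to_filetime(datetime(2024, 3, 15, 10, 22, 37, 512345, tzinfo=timezone.utc)) + 7
    fake = datetime_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc))
    info = parse_mft_record(build_record(42, "report.docx", (fake,) * 4, (real,) * 4))
    return info, timestomp_indicators(info)


if __name__ == "__main__":
    info, findings = demo()
    print(info["fn"]["name"], info["si"]["created"], info["fn"]["created"], findings)
```

On a real image, read 1024-byte records from an extracted $MFT and feed each to parse_mft_record; records whose fixups fail are torn writes or not records at all and deserve a look rather than silent skipping. The whole-second heuristic is only an indicator: files restored from some archives or copied by some tools also land on whole seconds.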

NTFS Special Files for Forensics

📄 $MFT

Master File Table: one 1024-byte entry per file and directory. Critical for recovering deleted files (entries are flagged unused, not wiped) and for timeline analysis.

📋 $LogFile

NTFS transaction log (metadata journal, 64 MB by default). Records recent metadata operations (create, rename, delete, attribute changes) as redo/undo entries; parsing it reconstructs the last minutes to hours of file system activity, including operations whose MFT entries have since been reused.

🔍 $UsnJrnl

USN change journal, stored as the $J alternate data stream of \$Extend\$UsnJrnl. Each record holds the file reference, parent reference, timestamp, file name and reason flags (create, delete, data extend, rename ...). $J is a sparse stream, so only the most recent window of records survives, but that window typically covers days to weeks of activity.

🔒 $Secure

Security descriptors for all files, indexed by the security ID stored in each entry's $STANDARD_INFORMATION. Contains ACLs and owner SIDs (in the $SDS, $SDH and $SII streams).
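Added example (not from the original page) in Python: it parses USN_RECORD_V2 entries as they appear in the $J stream, groups them by MFT entry and sequence number, and lists deletions. The records are constructed in memory (invoice.xlsx being created, written, renamed to a ransomware-style extension and deleted); the field offsets and reason codes are those of the documented USN_RECORD_V2 structure, and the 64-byte zero run at the front stands in for the sparse region a raw $J dump starts with.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
USN_RECORD_V2_HEADER = 0x3C                         # fixed part; the UTF-16 name follows
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def iter_usn_records(data):
    """Walk USN_RECORD_V2 entries. $J is sparse, so a raw dump begins with a long run
    of zeros (and pages may end in zero padding); zero-length records are skipped."""
    off = 0
    while off + USN_RECORD_V2_HEADER <= len(data):
        rec_len, major = struct.unpack_from("<IH", data, off)
        if rec_len == 0:
            off += 8
            continue
        if major != 2 or rec_len < USN_RECORD_V2_HEADER or rec_len % 8:
            raise ValueError(f"unsupported or corrupt record at {off}: v{major}, length {rec_len}")
        (file_ref, parent_ref, usn, ts, reason, _source, _sec_id, attrs,
         name_len, name_off) = struct.unpack_from("<QQqQIIIIHH", data, off + 8)
        yield {
            "usn": usn,
            "time": filetime_to_datetime(ts),
            "mft_entry": file_ref & 0xFFFFFFFFFFFF,          # low 48 bits: MFT record number
            "seq": file_ref >> 48,                             # high 16 bits: sequence (reuse counter)
            "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
            "name": data[off + name_off:off + name_off + name_len].decode("utf-16-le"),
            "directory": bool(attrs & 0x10),                   # FILE_ATTRIBUTE_DIRECTORY
            "reasons": [label for bit, label in USN_REASONS.items() if reason & bit],
        }
        off += rec_len


def file_histories(records):
    """Group by (entry, sequence): after a delete the entry number is reused with seq+1,
    so keying on the entry number alone would merge two unrelated files."""
    hist = {}
    for r in records:
        hist.setdefault((r["mft_entry"], r["seq"]), []).append((r["time"], r["name"], r["reasons"]))
    return hist


def deleted_files(records):
    return [(r["time"], r["name"]) for r in records if "FILE_DELETE" in r["reasons"]]


def build_usn_record(usn, when, entry, seq, name, reason, parent=(5 << 48) | 5, attrs=0x20):
    """Constructed record, 8-byte aligned as NTFS writes them (parent defaults to the root dir)."""
    utf16 = name.encode("utf-16-le")
    rec_len = (USN_RECORD_V2_HEADER + len(utf16) + 7) & ~7
    d = when - EPOCH_1601
    ts = (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10
    body = struct.pack("<IHHQQqQIIIIHH", rec_len, 2, 0, (seq << 48) | entry, parent, usn, ts,
                       reason, 0, 0, attrs, len(utf16), USN_RECORD_V2_HEADER) + utf16
    return body + b"\x00" * (rec_len - len(body))


def demo():
    """Constructed $J slice: create, write, rename to a ransomware-style extension, delete.
    Reason bits accumulate on an open handle until the CLOSE record, as on a real volume."""
    t = datetime(2024, 6, 2, 14, 5, 0, tzinfo=timezone.utc)

    def at(seconds):
        return t + timedelta(seconds=seconds)

    j = b"\x00" * 64                                   # sparse zero region at the start of a dump
    j += build_usn_record(4096, at(0), 77, 3, "invoice.xlsx", 0x100)
    j += build_usn_record(4176, at(1), 77, 3, "invoice.xlsx", 0x100 | 0x2 | 0x80000000)
    j += build_usn_record(4256, at(30), 77, 3, "invoice.xlsx", 0x1000)
    j += build_usn_record(4336, at(30), 77, 3, "invoice.xlsx.locked", 0x1000 | 0x2000 | 0x80000000)
    j += build_usn_record(4432, at(31), 77, 3, "invoice.xlsx.locked", 0x200 | 0x80000000)
    return list(iter_usn_records(j))


if __name__ == "__main__":
    for r in demo():
        print(r["time"], r["mft_entry"], r["seq"], r["name"], ",".join(r["reasons"]))
```

The USN field is the record's own byte offset inside $J, which is why a record can be tied back to the $UsnJrnl:$J offset in an image; the (entry, sequence) pair is what lets you join these records to the corresponding $MFT entry even after the name has changed.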

Alternate Data Streams (ADS)

NTFS supports multiple $DATA attributes per file. The default stream is unnamed; additional named streams can hide data, because Explorer and a plain dir show neither the stream nor its size.

# Detecting alternate data streams
dir /r                                   # cmd: lists each file with its streams as file.txt:name:$DATA
Get-Item -Path file.txt -Stream *        # PowerShell: enumerate the streams of one file (the unnamed one shows as :$DATA)

# Example of an ADS
notepad.exe:hidden_stream.txt            # named stream attached to notepad.exe; invisible to plain dir and Explorer, not counted in the file size

# Zone.Identifier ADS ("Mark of the Web"): records where a downloaded file came from
file.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3                                 # 3 = Internet zone (0 local machine, 1 intranet, 2 trusted sites, 4 restricted sites)
ReferrerUrl=https://example.com
HostUrl=https://example.com/file.exe     # ReferrerUrl/HostUrl are written by current browsers; older downloads may carry ZoneId only

Linux Operating System Architecture

Linux systems are prevalent in servers, IoT devices, and increasingly in corporate environments. Understanding Linux architecture is essential for comprehensive forensic capability.

Linux Directory Structure

# Key Linux forensic directories
/etc/                          # System configuration files
/etc/passwd                    # User accounts (look for UID 0 accounts other than root)
/etc/shadow                    # Password hashes (readable only by root)
/etc/group                     # Group definitions (sudo/wheel/docker membership)
/var/log/                      # System logs
/var/log/auth.log              # Authentication logs (Debian/Ubuntu)
/var/log/secure                # Authentication logs (RHEL/CentOS)
/var/log/syslog                # System messages (Debian/Ubuntu); on systemd hosts also check the binary journal under /var/log/journal/
/var/log/wtmp                  # Login/logout records (binary utmp format; read with last)
/var/log/btmp                  # Failed login attempts (binary; read with lastb)
/var/log/lastlog               # Last login per user (binary; read with lastlog)
/home/[user]/                  # User home directories
  .bash_history                # Command history (written when the shell exits; trivially disabled or edited by the user)
  .bashrc                      # Shell configuration (persistence: aliases, PATH changes, functions)
  .ssh/                        # authorized_keys, private keys, known_hosts
  .local/share/Trash/          # User trash folder (files/ plus info/ with original paths and deletion times)
/tmp/                          # Temporary files (volatile; often tmpfs, lost on reboot)
/root/                         # Root user home directory
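Because wtmp, btmp and lastlog are binary, an examiner working from an image (rather than on the live box with last/lastb) needs the record layout. Added Python example, not part of the original page: it decodes struct utmp records as glibc lays them out on x86_64, pairs logins with logouts per terminal the way last(1) does, and counts failed logins per source and user from btmp. All records, names and addresses are constructed; the format string is an assumption about the target's ABI that the size check verifies.

```python
import socket
import struct
from datetime import datetime, timezone

# struct utmp as laid out by glibc on x86_64 (384 bytes); 32-bit or musl systems differ,
# so compare struct.calcsize with the file size before trusting the parse.
UTMP_FORMAT = "<hxxi32s4s32s256shhi2i4I20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(b):
    return b.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Decode wtmp/btmp/utmp records (all three files share the layout)."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"size {len(data)} is not a multiple of {UTMP_SIZE}: wrong ABI or truncated file")
    out = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        ut_type, pid, line, _id, user, host, _term, _exit, _sess, sec, usec = f[:11]
        v4 = socket.inet_ntoa(struct.pack("<I", f[11])) if f[11] else ""   # ut_addr_v6[0] carries IPv4
        out.append({"type": UT_TYPES.get(ut_type, str(ut_type)), "pid": pid, "line": _cstr(line),
                    "user": _cstr(user), "host": _cstr(host) or v4,
                    "time": datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec)})
    return out


def sessions(records):
    """Pair USER_PROCESS logins with the DEAD_PROCESS on the same tty, like last(1).
    A BOOT_TIME record ends everything still open (the host went down)."""
    open_by_line, out = {}, []

    def close(login, when, how):
        out.append({"user": login["user"], "line": login["line"], "host": login["host"],
                    "login": login["time"], "logout": when, "ended": how})

    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            close(open_by_line.pop(r["line"]), r["time"], "logout")
        elif r["type"] == "BOOT_TIME":
            for login in open_by_line.values():
                close(login, r["time"], "reboot")
            open_by_line.clear()
    for login in open_by_line.values():
        close(login, None, "open")                   # still logged in at the end of the file
    return out


def failed_logins(btmp_records):
    """Count btmp entries per (source, user). Users who type their password at the login
    prompt leave it here as a 'user name', so treat odd names as possible credentials."""
    counts = {}
    for r in btmp_records:
        key = (r["host"], r["user"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_utmp(ut_type, pid, line, user, host, when, addr4=""):
    """Constructed record in the x86_64 glibc layout."""
    v4 = struct.unpack("<I", socket.inet_aton(addr4))[0] if addr4 else 0
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), line[-4:].encode(), user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, v4, 0, 0, 0)


def demo():
    """Constructed wtmp (boot, two SSH logins, one logout) and btmp (four failures)."""
    day = datetime(2024, 7, 9, tzinfo=timezone.utc)

    def at(hour, minute):
        return day.replace(hour=hour, minute=minute)

    wtmp = b"".join([
        build_utmp(2, 0, "~", "reboot", "6.8.0-1-amd64", at(6, 0)),           # as the kernel logs a boot
        build_utmp(7, 4101, "pts/0", "alice", "203.0.113.5", at(8, 12), "203.0.113.5"),
        build_utmp(7, 4190, "pts/1", "bob", "198.51.100.7", at(8, 30), "198.51.100.7"),
        build_utmp(8, 4101, "pts/0", "", "", at(9, 47)),
    ])
    btmp = b"".join(
        [build_utmp(7, 5000 + i, "ssh:notty", "root", "203.0.113.5", at(3, i), "203.0.113.5")
         for i in range(3)]
        + [build_utmp(7, 5100, "ssh:notty", "admin", "198.51.100.7", at(3, 9), "198.51.100.7")])
    return sessions(parse_utmp(wtmp)), failed_logins(parse_utmp(btmp))


if __name__ == "__main__":
    for s in demo()[0]:
        print(s)
    print(demo()[1])
```

Times in these files are wall-clock seconds set by the logging process, so clock changes and log rotation (wtmp is usually rotated monthly) both leave gaps; a login with no matching logout at the end of the file means the session was open when the file was captured, not that the user is necessarily still connected.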

Linux Timestamps

Linux traditionally exposes three timestamps (MAC); ext4 inodes of 256 bytes or more also store a birth (creation) time.

🕑 Linux Timestamp Behavior

atime: last access time (throttled by the relatime mount option, the default since kernel 2.6.30, or disabled with noatime; a stale atime therefore does not prove a file was not read)
mtime: last modification time (file content change); user-settable with touch -d
ctime: last inode change time (metadata change, including permission changes and renames); it cannot be set through the file API, the kernel always writes the current clock, so a file whose mtime was pushed into the past with touch still carries a ctime from the moment of tampering
crtime: creation (birth) time; ext4 only, needs 256-byte inodes; shown as "Birth" by stat on recent kernels and coreutils (via statx), or with debugfs -R "stat <inode>" against the device

ext4 File System

ext4 (Fourth Extended Filesystem) is the default file system on many Linux distributions (Debian, Ubuntu and their derivatives; RHEL defaults to XFS and Fedora to Btrfs, so check the partition table before assuming). It offers journaling, large file support, and improved performance over its predecessors.

ext4 Structure

ext4 file system layout (from the start of the partition):
  • Boot Block (first 1024 bytes, unused by ext4)
  • Super Block (at byte offset 1024)
  • Block Group 0
  • Block Group 1
  • ...

Block Group Contents

# Each block group contains:
Super Block copy      # Backup of the primary superblock (with sparse_super only in groups 0, 1 and powers of 3, 5 and 7)
Group Descriptors     # Table describing every block group (backed up alongside the superblock copies)
Block Bitmap          # One bit per block: allocated/free
Inode Bitmap          # One bit per inode: allocated/free
Inode Table           # Array of inode structures (256 bytes each on modern ext4)
Data Blocks           # Actual file data
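Added example (not part of the course material): a Python parser for the primary ext4 superblock that reports the fields an examiner reads first (volume name, last mount point, mount and write times, journal, inode size) and lists the block groups that carry a superblock backup under sparse_super. The superblock bytes are constructed in memory with the values a 1 GiB mke2fs volume would have; offsets follow the ext4 on-disk layout.

```python
import struct
from datetime import datetime, timezone

EXT_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004
INCOMPAT_64BIT = 0x0080
RO_COMPAT_SPARSE_SUPER = 0x0001


def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc) if ts else None


def _cstr(b):
    return b.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_superblock(sb):
    """Read the primary superblock (1024 bytes at byte offset 1024 of the partition)."""
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        raise ValueError("no ext2/3/4 magic at offset 0x38")
    inodes, blocks_lo, _r, _free_b, _free_i, first_data, log_bs = struct.unpack_from("<7I", sb, 0x00)
    bpg, _cpg, ipg, mtime, wtime = struct.unpack_from("<5I", sb, 0x20)
    mnt_count, _max_mnt, _magic, state = struct.unpack_from("<4H", sb, 0x34)
    lastcheck = struct.unpack_from("<I", sb, 0x40)[0]
    inode_size = struct.unpack_from("<H", sb, 0x58)[0]
    compat, incompat, ro_compat = struct.unpack_from("<3I", sb, 0x5C)
    blocks_hi = struct.unpack_from("<I", sb, 0x150)[0] if incompat & INCOMPAT_64BIT else 0
    blocks = (blocks_hi << 32) | blocks_lo
    block_size = 1024 << log_bs
    return {
        "uuid": sb[0x68:0x78].hex(),
        "volume_name": _cstr(sb[0x78:0x88]),
        "last_mounted_at": _cstr(sb[0x88:0xC8]),        # mount point, useful to place a partition in the system
        "block_size": block_size,
        "blocks": blocks,
        "size_bytes": blocks * block_size,
        "first_data_block": first_data,
        "blocks_per_group": bpg,
        "inodes_per_group": ipg,
        "inode_count": inodes,
        "group_count": -(-(blocks - first_data) // bpg),   # ceiling division
        "inode_size": inode_size,                        # 256+ means crtime is stored
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "journal_inode": struct.unpack_from("<I", sb, 0xE0)[0],
        "sparse_super": bool(ro_compat & RO_COMPAT_SPARSE_SUPER),
        "clean": bool(state & 1),                        # 0 = was mounted when imaged / crashed
        "mount_count": mnt_count,
        "last_mount": _utc(mtime),
        "last_write": _utc(wtime),
        "last_check": _utc(lastcheck),
        "created": _utc(struct.unpack_from("<I", sb, 0x108)[0]),   # mkfs time
        "kbytes_written": struct.unpack_from("<Q", sb, 0x178)[0],
    }


def has_superblock_copy(group, sparse_super):
    """Without sparse_super every group has a copy; with it only 0, 1 and powers of 3, 5, 7."""
    if not sparse_super or group <= 1:
        return True
    for base in (3, 5, 7):
        n = base
        while n < group:
            n *= base
        if n == group:
            return True
    return False


def backup_superblocks(info):
    """(group, block number) pairs; pass the block to e2fsck -b / dumpe2fs -o superblock= when the primary is damaged."""
    return [(g, info["first_data_block"] + g * info["blocks_per_group"])
            for g in range(1, info["group_count"]) if has_superblock_copy(g, info["sparse_super"])]


def build_superblock():
    """Constructed primary superblock for a 1 GiB, 4 KiB-block volume (values mke2fs would pick)."""
    sb = bytearray(1024)

    def ts(*parts):
        return int(datetime(*parts, tzinfo=timezone.utc).timestamp())

    struct.pack_into("<7I", sb, 0x00, 65536, 262144, 13107, 200000, 60000, 0, 2)   # log_block_size 2 = 4096
    struct.pack_into("<5I", sb, 0x20, 32768, 32768, 8192, ts(2024, 5, 1, 8, 0), ts(2024, 5, 3, 17, 45))
    struct.pack_into("<4H", sb, 0x34, 12, 0xFFFF, EXT_MAGIC, 1)          # state 1 = cleanly unmounted
    struct.pack_into("<I", sb, 0x40, ts(2023, 11, 20, 9, 30))             # last fsck
    struct.pack_into("<H", sb, 0x58, 256)                                 # 256-byte inodes carry crtime
    struct.pack_into("<3I", sb, 0x5C, 0x3C, 0x2C2, 0x7B)                  # compat / incompat / ro_compat
    sb[0x68:0x78] = bytes(range(16))
    sb[0x78:0x88] = b"evidence".ljust(16, b"\x00")
    sb[0x88:0xC8] = b"/home".ljust(64, b"\x00")
    struct.pack_into("<I", sb, 0xE0, 8)                                   # journal inode
    struct.pack_into("<I", sb, 0x108, ts(2023, 11, 20, 9, 30))            # mkfs time
    struct.pack_into("<Q", sb, 0x178, 4_200_000)                          # KiB written over the lifetime
    return bytes(sb)


if __name__ == "__main__":
    sb = parse_superblock(build_superblock())
    print(sb["volume_name"], sb["last_mounted_at"], sb["last_mount"], sb["last_write"])
    print("backup superblocks:", backup_superblocks(sb))
```

Compare last_mount, last_write and last_check with the case timeline: a last_write after the seizure time means the drive was mounted read-write during handling, and a clean flag of 0 on an imaged disk means the system was running (or crashed) when the image was taken, so the journal will still hold uncommitted transactions.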

ext4 Journaling

ext4 uses journaling (JBD2) to keep the file system consistent across crashes. The journal is a ring of transactions, each made of:

  • Journal Superblock: journal configuration and sequence numbers
  • Descriptor Blocks: which file system blocks the following copies belong to
  • Data Blocks: copies of the changed blocks as they will be written to their final location
  • Commit Blocks: transaction completion markers
  • Revoke Blocks: blocks whose earlier journal copies must not be replayed
💡 Forensic Tip

In the default data=ordered mode the journal carries metadata only: inode tables and directory blocks, not file content. Old copies of those blocks still reveal the names, sizes, timestamps and block pointers of recently deleted files, which is what extundelete and ext4magic use to locate and recover the data from unallocated blocks. File content itself passes through the journal only when the volume is mounted with data=journal. The journal's default size depends on the volume size (commonly 128 MiB), so it covers recent activity only.

macOS Architecture

macOS is built on a Unix foundation (Darwin kernel) with a unique file system (APFS) and proprietary security features that affect forensic acquisition.

Key macOS Forensic Locations

# macOS critical forensic paths
/Users/[username]/                     # User home directory
/Users/[username]/Library/             # User application data
  Application Support/                 # App-specific data
  Preferences/                         # .plist preference files (usually binary; read with plutil -p)
  Caches/                              # Application caches
  Logs/                                # Application logs
/private/var/log/                      # System logs (/var/log is a symlink to this directory)
  system.log                           # Legacy system log (largely superseded by unified logging)
  install.log                          # Installation history
/private/var/db/                       # System databases
  dslocal/                             # Local directory service (user account plists)
/Library/                              # System-wide application data; LaunchAgents/ and LaunchDaemons/ are persistence locations
/System/Library/                       # macOS system files (sealed, read-only system volume)

# Unified logging (macOS 10.12+)
/private/var/db/diagnostics/           # Unified log .tracev3 files (read with the log command)
/private/var/db/uuidtext/              # Format strings referenced by the .tracev3 files; needed to render them

macOS Security Features Affecting Forensics

🔒 System Integrity Protection (SIP)

Prevents even root from writing to protected system locations, loading unsigned kernel extensions or debugging protected processes. It can only be turned off from the Recovery environment (csrutil), which modifies the evidence machine, so on a live system expect some paths to be unreadable and prefer imaging from outside the booted OS where possible.

🔐 FileVault 2

Full-volume encryption using XTS-AES-128 with a 256-bit key. The volume key is unlocked with a user password or the recovery key; without one of them the Data volume is unreadable, and on T2/Apple silicon Macs the key is additionally bound to the Secure Enclave, so the password cannot be brute-forced against the image alone.

💻 T2 / Apple silicon Secure Enclave

Hardware key storage and Secure Boot. Internal storage on these Macs is always encrypted with hardware-held keys, so removing the SSD yields ciphertext; acquisition has to go through the Mac itself (Target Disk Mode or Share Disk, or a live agent) with valid credentials.

🛠 Gatekeeper

Controls application execution based on code signing and notarization. The quarantine extended attribute it checks (com.apple.quarantine) also records the download source and time, much like the Zone.Identifier stream on NTFS.

APFS File System

Apple File System (APFS) replaced HFS+ starting with macOS High Sierra (10.13). It's optimized for flash storage and includes modern features like snapshots and encryption.

APFS Structure

APFS container and volume structure (one physical store whose free space all volumes share):
  • APFS Container
    • System volume (sealed, read-only on Big Sur and later)
    • Data volume (user data; paired with System as a volume group since Catalina)
    • Recovery volume
    • Preboot volume (boot loaders and FileVault unlock data)
    • VM volume (swap)

APFS Key Features

Feature                  Forensic implications
Snapshots                Point-in-time copies; may contain deleted or modified files from previous states
Clones                   Space-efficient copies share data blocks until one side is written; complicates origin analysis
Encryption               Per-volume encryption with per-file keys; hardware-bound on T2 / Apple silicon Macs
Space Sharing            Multiple volumes share container space; free-space analysis must be done at container level
Nanosecond Timestamps    Higher-precision timestamps for timeline analysis

APFS Forensic Challenges

APFS snapshots can be a goldmine for forensics but also complicate analysis. With Time Machine enabled, macOS takes hourly local snapshots of the startup volume (and installers create their own), so a file deleted an hour ago may be fully intact in a snapshot (tmutil listlocalsnapshots / lists them). On the other hand, copy-on-write means an edit writes new blocks rather than overwriting the old ones, so old versions survive only as unallocated blocks, and on Apple silicon the Data volume is always encrypted; without credentials, acquisition is extremely difficult.

File System Comparison

Feature                  NTFS                                            ext4                                              APFS
Max file size            16 EiB theoretical (Windows limits are far lower)  16 TiB (4 KiB blocks)                        8 EiB
Journaling               Yes ($LogFile, metadata)                        Yes (JBD2; metadata only by default)              No journal; copy-on-write with checkpoints
Encryption               EFS (per-file); BitLocker below the file system  fscrypt (per-directory, native); LUKS/dm-crypt below the file system   Native (per-volume, with per-file keys); hardware-bound on T2 / Apple silicon
Timestamp precision      100 ns                                          1 ns                                              1 ns
Deleted file recovery    MFT entries, $UsnJrnl, $LogFile, carving         Journal metadata + extundelete/ext4magic, carving  Snapshots, FSEvents, carving (copy-on-write limits in-place recovery)
Alternate streams        ADS (any size, a full $DATA attribute)           Extended attributes (size-limited, one block)      Extended attributes (including resource forks)
📚 Key Takeaways
  • Windows NTFS stores critical evidence in MFT, $UsnJrnl, $LogFile, and Alternate Data Streams
  • NTFS has two sets of timestamps ($STANDARD_INFO and $FILE_NAME) - $FILE_NAME is harder to manipulate
  • Linux ext4 uses inodes, block groups, and journaling; the journal holds recent metadata (and file content only in data=journal mode), which is what extundelete/ext4magic use to recover deleted files
  • macOS APFS features snapshots, clones, and native encryption - complicating forensic acquisition
  • Understanding file system structures is essential for recovering deleted files and analyzing timestamps
  • Each OS has specific locations for user data, logs, and system artifacts that forensic examiners must know