Chapter 17 ©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. Forensic Examination of Windows Systems

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 17.1 Root directory (skyways-getafix.doc, starts in cluster 184) ® FAT ® data in clusters (42 clusters × 512 bytes/clusters = 21,504 bytes).

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 17.2 Root directory of floppy diskette viewed using X-Ways Forensics.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 17.3 Example of SleuthKit viewing MFT entry with full details.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 17.4 Diagram of file with a logical size that is larger than its valid data length, leaving uninitialized space..

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 17.5 MFT entry with logical size and valid data length viewed using X-Ways Forensics..

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 17.6 Folder entries with 32-bit MS-DOS date-time stamps viewed in X-Ways. file shares.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 17.7 DCode used to convert 64-bit FILETIME date-time stamps from their hexadecimal representation..

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 17.8 The Sleuth Kit and Autopsy Forensic Browser being used to examine a FAT file system (checkmarks indicate files are deleted).

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 17.9 DataLifter being used to carve files from two blobs of unallocated space and one blob of file slack from a system.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE File slack of a recovered file viewed using EnCase.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE Internet Account Manager.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE A cookie created by MS Internet Explorer showing recent Mapquest searches viewed using CookieView (

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE FTK showing Word document as attachments (base 64 encoded).

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE Registry showing remote systems recently accessed using Telnet.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE Network Neighborhood on a Windows XP computer connected to a home network.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE Active network file shares.