Abstract

Computer systems have become an integral part of everyday life, and their penetration at both the personal and organizational level has grown rapidly in the last few years. The majority of data now exists in digital form, including personal data such as photos and videos, government documents, and secret or confidential organizational reports. Criminals have adopted the same technology to carry out illegal activities. Because computers are increasingly used to commit crimes, investigators must be able to collect and process evidence from a suspect's computer. Windows 7 has become a mainstream operating system, so its forensic investigation is growing in importance. Several locations in Windows 7 are useful for forensic analysis; two areas of particular interest are the Windows registry and the underlying NTFS file system. The registry holds information valuable to an analyst, ranging from basic facts such as the date the operating system was installed and the registered owner's name to more detailed information such as the software installed on the system and the history of recently used documents; this lets the analyst decide how to proceed with the examination based on the system's environment. NTFS is the native file system of Windows 7 and manages the files stored on disk. A suspect can hide data in the file system using its Alternate Data Streams feature, and can also remove evidence from the disk by deleting the files that contain it. It is therefore important that a forensic investigator be able to recover evidence from files the suspect has hidden or deleted. In this paper we propose and implement a tool for forensic analysis of the Windows 7 registry, the Alternate Data Streams of the underlying NTFS file system, and the recovery of deleted files. The tool saves the investigator effort and time during an investigation.
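The registry artifacts named above (installation date, registered owner, recently used documents) are stored in encoded forms that an analyst must decode before they are useful. The following Python is an added example, not code from the paper or its tool: it decodes constructed sample values of the kind found under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (InstallDate, RegisteredOwner) and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (the numbered entries plus MRUListEx). The key paths and value encodings are real Windows 7 registry facts; the byte values, owner name and document names are constructed, and the function names are this example's own. Reading the raw values from a live system or an offline hive (for instance with the winreg module or a hive parser) is assumed and not shown.

```python
"""Decode Windows 7 registry forensic artifacts.

Added example: the key paths and value encodings are real registry facts;
every byte value below is constructed sample data, not taken from a real system.
"""
import struct
from datetime import datetime, timezone

# Real registry locations; the values are obtained from a hive or live system elsewhere.
CURRENTVERSION_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
RECENTDOCS_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"


def decode_install_date(raw: bytes) -> datetime:
    """InstallDate is a REG_DWORD: seconds since 1970-01-01 UTC, little-endian."""
    (secs,) = struct.unpack("<I", raw)
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def decode_reg_sz(raw: bytes) -> str:
    """REG_SZ data is UTF-16LE, normally with a terminating NUL."""
    return raw.decode("utf-16-le").rstrip("\x00")


def utf16le_cstring(raw: bytes, offset: int = 0) -> tuple[str, int]:
    """Return the NUL-terminated UTF-16LE string at offset and the offset just past
    its terminator. Scanning in 2-byte units avoids matching a NUL pair that
    straddles two code units (high byte of one, low byte of the next)."""
    end = offset
    while end + 1 < len(raw) and raw[end:end + 2] != b"\x00\x00":
        end += 2
    return raw[offset:end].decode("utf-16-le"), end + 2


def decode_recent_doc(raw: bytes) -> str:
    """A RecentDocs entry ('0', '1', ...) is REG_BINARY: the document name as a
    NUL-terminated UTF-16LE string, followed by a shell item pointing at the .lnk
    file in the user's Recent folder. Only the name is extracted here."""
    name, _ = utf16le_cstring(raw)
    return name


def decode_mrulistex(raw: bytes) -> list[int]:
    """MRUListEx is REG_BINARY: little-endian uint32 value indices, most recently
    used first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recent_docs_in_order(values: dict[str, bytes]) -> list[str]:
    """Resolve MRUListEx into document names, most recent first.
    An index with no matching value (e.g. a deleted entry) is skipped."""
    order = decode_mrulistex(values["MRUListEx"])
    return [decode_recent_doc(values[str(i)]) for i in order if str(i) in values]


def summarize(currentversion: dict[str, bytes], recentdocs: dict[str, bytes]) -> dict:
    """Collect the decoded artifacts an analyst would look at first."""
    return {
        "install_date": decode_install_date(currentversion["InstallDate"]).isoformat(),
        "owner": decode_reg_sz(currentversion["RegisteredOwner"]),
        "recent_documents": recent_docs_in_order(recentdocs),
    }


# ---- constructed sample data (not from any real system) ----
def _recent_entry(name: str) -> bytes:
    # Real entries carry a shell item after the name; a short non-zero placeholder
    # stands in for it so that the NUL-terminator scan is actually exercised.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x1a\x00\x32\x00placeholder"


SAMPLE_CURRENTVERSION = {
    "InstallDate": struct.pack("<I", 1262304000),            # 2010-01-01 00:00:00 UTC
    "RegisteredOwner": "jdoe".encode("utf-16-le") + b"\x00\x00",
}
SAMPLE_RECENTDOCS = {
    "0": _recent_entry("budget.xlsx"),
    "1": _recent_entry("secret_plan.docx"),
    "2": _recent_entry("photo.jpg"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),    # MRU order: 2, 0, 1
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CURRENTVERSION, SAMPLE_RECENTDOCS).items():
        print(f"{key}: {value}")
```

The MRUListEx order matters more than the value names: the numbered entries are reused rather than renumbered, so "0" is not the oldest document, and an investigator who reads the entries in numeric order will misstate the timeline.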
