Hibernation and NTFS

One basic rule when dealing with “hibernated” volumes is to never write anything to them from another operating system. Otherwise, when a hibernated operating system is resumed, there will be a difference between what is on a drive and what the operating system considers to be on that drive.

In Linux, the NTFS-3G driver is issuing the following error message when trying to mount a “hibernated” volume in the read-write mode:

Windows is hibernated, refused to mount.
The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
Falling back to read-only mount because the NTFS partition is in an
unsafe state. Please resume and shutdown Windows fully (no hibernation
or fast restarting.)

But this rule isn’t enforced in the Windows world. An NTFS volume is automatically mounted in the read-write mode even if it belongs to a hibernated operating system.

Since the fast startup mode, which uses the hibernation feature to restore the state of the kernel and the loaded drivers, is enabled by default in Windows 8.1 & 10 installations running on most modern computers, such behavior can lead to data corruption in a dual-boot configuration or when a system drive is attached to another computer.

From a forensics perspective, this means that hibernation files may contain some important data.

Continue reading “Hibernation and NTFS”

The “Last Access” updates are almost back

The purpose of this post is to record the recent findings related to the NTFS “Last Access” updates in Windows 10.

According to ForensicsWiki:

In Windows Vista (presumably as of Windows XP SP3), NTFS no longer tracks the Last Access time of a file by default.

This is no longer the case in the recent versions of Windows 10.

Continue reading “The “Last Access” updates are almost back”

The CIT database and the Syscache hive

The purpose of this post is to record the recent findings related to artifacts of execution and artifacts of executables present in a system. No major details beyond what was posted on Twitter.

David Cowen began his public testing of Amcache artifacts found in Windows 10 operating systems in Forensic Lunch Test Kitchen 11/16/18 (be sure to watch newer videos on this topic).

During these tests, it was found that the Amcache hive may have artifacts for executables that weren’t executed at all. There were other interesting findings outlined in the videos, but I will not focus on them now.

Continue reading “The CIT database and the Syscache hive”

Exploring intermediate states of a registry hive using transaction log files

If you don’t know why transaction log files are important when dealing with registry hives from installations of Windows 8.1 & 10, please read this and this.

In this post, I will talk about an easy way to programmatically explore intermediate states of a registry hive using its transaction log files.

Continue reading “Exploring intermediate states of a registry hive using transaction log files”

Tools that recover deleted registry data don’t do the same job

A registry hive is very similar to a file system. In fact, there isn’t much difference between a file system and a registry hive except that the registry doesn’t follow usual file system naming rules.

Like a file system, a registry hive can contain deleted data, which is often recovered and used in digital forensics, incident response, and similar activities. But tools that recover such deleted data aren’t the same. And here is why.

Continue reading “Tools that recover deleted registry data don’t do the same job”