Chapter 5. Windows Forensic Analysis
Ryan D. Pittman and Dave Shaver

Contents

Introduction
Windows, Windows Everywhere
NTFS Overview
Forensic Analysis of the NTFS Master File Table (MFT)
Metadata
Artifacts of User Activities
Deletion and Destruction of Data
Windows Internet and Communications Activities
Windows Process Memory
BitLocker and Encrypting File System (EFS)
RAIDs and Dynamic Disks
Cases
References

Introduction

Despite the proliferation and growing popularity of other user interfaces, such as Macintosh OS X and Ubuntu (a flavor of Linux), Microsoft's Windows operating systems remain the most popular in the world. In fact, sources have reported that over 90% of the computers in use today are running ...
