Unit 5
Forensic Analysis
                    1
  General architecture of Operating system
Refer: Experiment -13
                                             2
Windows OS Architecture
                          3
Linux OS Architecture
                        4
The following is a high-level overview of the main layers of the Linux
architecture:
• Hardware layer: This is the bottommost layer of the Linux architecture and
  represents the physical hardware components of the computer, such as the
  processor, memory, and storage. The hardware layer is responsible for
  interacting with the various hardware devices and providing access to them
  for the rest of the operating system.
• Kernel layer: The kernel is the core of the operating system and is responsible
  for managing the resources of the computer, such as the CPU, memory, and
  I/O devices. It also provides services to the other components of the
  operating system and acts as the intermediary between the hardware and the
  software layers.
• System libraries layer: This layer consists of a set of libraries that provide
  functions for the applications to use. These libraries include system calls,
  which are used to invoke kernel functions, as well as other functions that
  perform tasks such as file manipulation, networking, and memory
  management.
                                                                                5
• System utilities layer: This layer consists of a set of programs that perform
  various system-level tasks, such as managing processes, controlling user
  accounts, and configuring system settings. These utilities are usually
  command-line programs that are invoked by the user or by other
  programs.
• Desktop environment layer: This layer is optional and is not present on all
  Linux systems. It provides a graphical user interface (GUI) that allows users
  to interact with the operating system using a mouse and keyboard. The
  most common desktop environments in Linux are Gnome, KDE, and Xfce.
• Applications layer: This is the topmost layer of the Linux architecture and
  consists of the various applications that run on the operating system. These
  can be anything from productivity software and games to web browsers
  and media players.
In summary, the Linux architecture is made up of a number of different
layers that work together to provide a stable and flexible operating system.
Each layer has a specific purpose and interacts with the other layers to
provide the functionality that users expect from an operating system.
                                                                              6
Macintosh or Mac OS Architecture
                                              macOS Ventura-2023
                                              macOS 14 Sonoma
                      https://www.apple.com/macos/ventura/
                                                                   7
  File system analysis
Refer: Experiment -7, 15
                           8
    Recreating FAT and NTFS partitions
                                                                  •   Download NTFS recovery software AOMEI Partition
•   Press Windows + R button and type Diskpart in the box.            Assistant and run it.
•   Type “list disk,” “select disk 1,” “attributes disk clear     •   Click Recover on the top pane, and then select
    readonly,” and “clean” to select and clear all data off the       Partition Recovery from the menu.
    disk.                                                         •   Select the disk containing deleted NTFS partition and
•   Then type format fs=fat32 to complete the process.                click Next.
•   Alternatively, you can use EaseUS Partition Master to         •   Select Fast Search. This is the recommended choice. It
    create a FAT32 partition in Windows 10. Here are the              takes less time.
    steps:                                                        •   Select the deleted partition to recover and click
•   Launch EaseUS Partition Master and shrink any partition           Proceed.1
    to find unallocated space.                                    •   Alternatively, you can try using TestDisk which is
•   Right-click on unallocated space and select Create.               excellent at rebuilding NTFS partitions. It’s available on
•   Choose the FAT32 File Format, set Partition Size, and             the Knoppix Linux distribution, so you can boot using
    click OK to finish the process.                                   the Knoppix Live CD and recover from there.
    Refer: Experiment-2                                                                                                        9
Analyzing Unallocated Partitions                                  Refer : Experiment -9,11
Analyzing unallocated partitions can be done by using the Disk Management tool in
Windows. Here are the steps:
• Press Windows key + X and select Disk Management.
• Right-click on the unallocated partition and select New Simple Volume.
• Follow the wizard to create a new partition.
• If you want to recover an unallocated partition, you can use the DiskPart command-line
  tool. Here are the steps:
• Search for “CMD” in the start bar and right-click to “Run as Administrator”.
• After entering “diskpart”, type the following commands in sequence:
    • list volume and press Enter.
    • select volume X (where X is the number of the unallocated partition) and press Enter.
    • extend filesystem and press Enter.
• After saving and exiting, check whether the unallocated partition is recovered.
                                                                                             10
Understanding Windows Registry
• The Windows Registry is a hierarchical database that stores low-level settings for the
 Microsoft Windows operating system and for applications that opt to use the registry.
• It contains information, settings, options, and other values for programs and hardware
 installed on all versions of Microsoft Windows operating systems.
• You can open the Registry Editor in Windows 10 by typing “regedit” in the search box on
 the taskbar and selecting the top result for Registry Editor (Desktop app) or by pressing
 and holding or right-clicking the Start button, then selecting Run. Enter “regedit” in the
 Open: box and select OK
    Refer: Experiment-2
                                                                                         11
Registry Analysis: Understanding Windows Registry
Analyzing the Windows Registry can be done by using the Registry
Editor tool in Windows. Here are the steps:
• Press Windows key + R and type “regedit” in the Run dialog box.
• Navigate to the registry key you want to analyze.
• Right-click on the key and select Export.
• Save the exported file to your preferred location.
• Open the exported file with a text editor or a registry analysis tool.
There are many registry analysis tools available online that can help
you analyze the Windows Registry. Some of them are free, while
others are paid. Here are some popular ones:
• RegScanner
• RegShot
• RegFromApp
• Process Monitor
                                                                           12
What are important artefacts related to user activities?
In the context of user activities, artifacts are the digital footprints that users
leave behind while interacting with a system. These artifacts can be used to
reconstruct user activities and provide insights into user behavior.
Some examples of important artifacts related to user activities are:
• Log files
• Browser history
• Cache files                                          Refer: Experiment -9,10
• Cookies
• Registry keys
Analyzing these artifacts can help you understand how users interact with
your system and identify areas for improvement
                                                                                13
User/Application Configurations and Preferences
• User/Application configurations
  and preferences are settings that
  users can customize to suit their
  needs and preferences. These
  settings can include things like
  font size, colour scheme,
  language preference, and more.
• Application configurations and
  preferences are usually stored in
  configuration files or in the
  Windows Registry.
                                      Refer: Experiment -12,13
                                                                 14
Attached Devices
Attached devices refer to any hardware devices
that are connected to your computer or mobile
device. Some examples of attached devices
include:
• USB drives
• External hard drives
• Printers
• Scanners
• Cameras
You can view a list of attached devices by opening
the Device Manager in Windows. Here are the
steps:
• Press Windows key + X and select Device
  Manager.
• Expand the category for the type of device you
  want to view.
• The list of attached devices will be displayed.
                                                     Refer: Experiment -14,15   15
Shared Locations
Shared locations refer to any folders or drives that are shared on a
network. When a folder or drive is shared, other users on the network
can access the contents of that folder or drive.
You can view a list of shared locations by opening File Explorer and
selecting Network. Here are the steps:
• Open File Explorer.
• Select Network from the left-hand menu.
• A list of shared locations will be displayed.
                          Refer: Experiment-11
                                                                   16
Here are the steps to share a folder on a Windows
computer:
1. Right-click on the folder you want to share and
   select Properties.
2. Click on the Sharing tab.
3. Click the Share button.
4. Select the users or groups you want to share the
   folder with.
5. Click the Add button.
6. Set the permission level for each user or group.
7. Click the Share button.
8. That’s it! The folder should now be shared with
   the selected users or groups.
                                                      17
Here are the steps to share a drive on a
Windows computer:
1. Open File Explorer.
2. Right-click on the drive you want to share
    and select Properties.
3. Click on the Sharing tab.
4. Click the Advanced Sharing button.
5. Check the box next to “Share this folder”.
6. Enter a share name for the drive.
7. Click the Permissions button.
8. Select the users or groups you want to share
    the drive with.
9. Set the permission level for each user or
    group.
10. Click OK.
                                                  18
               Recently Accessed Documents, Programs and Locations
Recently accessed documents, programs, and locations
refer to files, applications, and folders that you have
recently opened or accessed on your computer.
You can view a list of recently accessed documents and
programs by opening the Start menu and selecting
Recent Items. Here are the steps:
Click the Start button.
Select Recent Items.
You can view a list of recently accessed locations by
opening File Explorer and selecting Quick Access. Here
are the steps:
Open File Explorer.
Select Quick Access from the left-hand menu.
                 Refer: Experiment-9
                                                                     19
                          Installed Applications and Others from Windows Registry
Installed applications and other information can be
found in the Windows Registry. The Windows Registry is
a database that stores configuration settings and options
for Windows and many applications.
Here are the steps to view installed applications in the
Windows Registry:
• Press Windows key + R to open the Run dialog box.
• Type “regedit” (without quotes) and press Enter.
• Navigate to
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windo
  ws\CurrentVersion\Uninstall.
• A list of installed applications will be displayed.
                 Refer: Experiment-2,3
                                                                                    20
                         Event and Log Analysis: Introduction to Windows Events
Windows events are records of system activity that
are stored in the Windows Event Log. The Event
Log is a database that contains information about
hardware and software events that occur on your
computer.
Here are the steps to view Windows events:
• Press Windows key + X and select Event Viewer.
• Expand the category for the type of event you
  want to view.
• The list of events will be displayed.
           Refer: Experiment-2
                                                                                  21
                               Understanding Windows Events (Evt and Evtx Files)
    • Windows events are stored in files with the extension “.evt” or “.evtx”. These files can be viewed using the
      Event Viewer.
    • The “.evt” file format is used in older versions of Windows, while the “.evtx” file format is used in newer
      versions of Windows.
Refer: experiment -4
                                                                    Ref -https://observiq.com/                   22
                                    Analyzing Logs of Third-Party Applications
Analyzing logs of third-party applications can be
a complex process that varies depending on the
application. However, here are some general
steps you can follow:
• Locate the log files for the application. These
  files are usually stored in a specific folder or
  directory.
• Open the log files using a text editor or log
  viewer.
• Look for error messages or other information
  that may indicate a problem with the
  application.
• Use the information in the log files to
  troubleshoot issues with the application.
             Ref: Experiment -1,6
                                                                                 23
Log analysis at Microsoft Azure
                                  24