The primary focus of today’s class was on the Windows registry and techniques for capturing and evaluating event logs. We spent a significant amount of time using different methods for pulling a proprietary program over from a target workstation and editing the registry on our forensic workstation so that it could access the target data set. After going through this exercise I need to stress the importance of acquiring the computer itself: registry editing is only one approach, and the more we keep, the more we will have to work with.
Guidance has developed one particularly interesting tool called File Recovery Using Block-Based Hash Analysis. The tool allows for the identification of target file(s) on a suspect drive even when the Windows MFT records have been wiped. MFT records are best thought of as a table of contents for the files, or file components, that are resident on a drive. Without recovery of the MFT it is impossible to reconstruct the location of a file or of the component data sections that, when combined, make up the file.
This is the scenario where File Recovery Using Block-Based Hash Analysis may be useful. If an examiner has a copy of the file he/she is searching for and knows the likely sector settings for the target drive, the tool creates a hash for each segment of the file and then searches the suspect drive sector by sector for matching hashes. The catch is that one must already have a copy of the target file. Guidance Software reports that this technique has already been used successfully in UK prosecutions. I’m not sure how applicable this tool is to the archival community, but watching it run and reconstruct a file from dispersed drive sectors is cool to see… and it works!
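A minimal model of that block-hash search, written here as an added example and not Guidance's own code: it hashes the known file in sector-sized blocks, scans a constructed disk image one sector at a time, reports the offsets where each block turns up, and reassembles the file from them. The 512-byte sector size, SHA-256 as the block hash, and the sample file and image are all assumptions.

```python
import hashlib

SECTOR = 512  # assumed sector size of the suspect drive (constructed example)


def block_hashes(known_file: bytes, block: int = SECTOR) -> list:
    """Hash each full block of the known file; index i covers bytes
    [i*block, (i+1)*block). A trailing partial block is not hashed, because
    on disk it is padded with slack whose content we cannot predict."""
    full = len(known_file) // block
    return [hashlib.sha256(known_file[i * block:(i + 1) * block]).hexdigest()
            for i in range(full)]


def find_blocks(image: bytes, hashes: list, block: int = SECTOR) -> dict:
    """Scan the image sector by sector and record every offset whose content
    hashes to a known-file block: {block_index: [offset, ...]}. Sectors made
    of a single repeated byte (e.g. all zeros) are skipped: they would match
    a same-valued file block everywhere and only produce false hits."""
    wanted = {h: i for i, h in enumerate(hashes)}
    hits = {}
    for off in range(0, len(image) - len(image) % block, block):
        sector = image[off:off + block]
        if len(set(sector)) == 1:
            continue
        h = hashlib.sha256(sector).hexdigest()
        if h in wanted:
            hits.setdefault(wanted[h], []).append(off)
    return hits


def reconstruct(image: bytes, hashes: list, block: int = SECTOR):
    """Reassemble the file from dispersed sectors using the first hit for each
    block, or return None when any block is absent from the image."""
    hits = find_blocks(image, hashes, block)
    if len(hits) != len(hashes):
        return None
    return b"".join(image[hits[i][0]:hits[i][0] + block] for i in range(len(hashes)))


# Constructed sample: a 4-block "known file" whose blocks are all distinct ...
KNOWN_FILE = b"".join(hashlib.sha256(bytes([i])).digest() * (SECTOR // 32) for i in range(4))
# ... and a 10-sector image of zeros with those blocks scattered out of order.
_sectors = [bytes(SECTOR)] * 10
for blk, sec in zip(range(4), (7, 2, 9, 4)):
    _sectors[sec] = KNOWN_FILE[blk * SECTOR:(blk + 1) * SECTOR]
IMAGE = b"".join(_sectors)

if __name__ == "__main__":
    hits = find_blocks(IMAGE, block_hashes(KNOWN_FILE))
    print({i: [o // SECTOR for o in offs] for i, offs in hits.items()})  # block -> sector numbers
    print(reconstruct(IMAGE, block_hashes(KNOWN_FILE)) == KNOWN_FILE)
```

The hit map (which sectors hold which block) is the evidential output; the reassembled bytes only confirm that those sectors really do carry the file.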
