Windows Forensic Analysis - NTFS and MFT (Forensic Analysis 2.1)

Analysis of Forensic Techniques in Windows

Importance of Windows in Forensic Analysis

  • Windows is the most widely used operating system, running on about 32% of all devices and 75% of desktop computers, which makes it the primary target of forensic analysis.
  • The focus on desktop systems follows from that prevalence: Windows forensic techniques, including the analysis of RAM dumps, are where investigators obtain most of their evidence.

Environment Variables and Security Risks

  • Environment variables exist in every operating system and matter in forensic analysis because they are a well-known attack vector.
  • The classic case is the PATH variable: an ordered list of directories that the system searches, first match wins, whenever a program is launched by name without a full path. Whoever controls an early entry in that list controls what actually runs.

Exploiting the PATH Variable

  • By altering PATH, or by placing a file in a directory that PATH already lists ahead of the real one, an attacker can redirect execution to a malicious program that carries the name of a legitimate application.
  • Because the change looks innocuous, a standard program invocation is silently replaced by a malicious one. During an investigation, compare the per-user PATH value (stored under the user's registry hive, writable by that user) with the system one, and check which directories in either list are writable by ordinary users.
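The resolution rule described above, as an added example that is not part of the course material: a minimal PATH resolver that mimics the first-match search (PATHEXT extensions, plain ordered list; the extra Windows lookups in the application and system directories are left out) and an audit that lists PATH entries the current user can write to before the directory holding the legitimate binary. The directory layout (`Program Files\Tool`, `Users\alice\bin`, `tool.exe`) is constructed under a temporary directory and is hypothetical.

```python
"""Added example (not from the course): a minimal PATH resolver plus an audit for
entries the current user can write to ahead of the legitimate binary."""
import os
import shutil
import tempfile

# Windows matches names case-insensitively; lower-case so the example also runs on Linux.
PATHEXT = [".com", ".exe", ".bat", ".cmd"]


def resolve_command(command, path_dirs, pathext=PATHEXT):
    """First file matching command (plus PATHEXT if it has no extension) wins.
    That single rule is what PATH hijacking relies on."""
    names = [command] if os.path.splitext(command)[1] else [command + ext for ext in pathext]
    for directory in path_dirs:
        for name in names:
            candidate = os.path.join(directory, name)
            if os.path.isfile(candidate):
                return candidate
    return None


def writable_entries_before(path_dirs, legit_dir, is_writable=None):
    """PATH entries searched before legit_dir that the user can write to.
    Missing entries are reported too: whoever can create them owns that slot."""
    is_writable = is_writable or (lambda d: os.access(d, os.W_OK))
    norm = lambda p: os.path.normcase(os.path.normpath(p))
    risks = []
    for directory in path_dirs:
        if norm(directory) == norm(legit_dir):
            break
        if not os.path.isdir(directory) or is_writable(directory):
            risks.append(directory)
    return risks


def demo(is_writable=None):
    """Constructed layout: a 'Program Files' tool and a user-owned bin directory
    that a per-user PATH edit has placed ahead of it."""
    root = tempfile.mkdtemp()
    try:
        program_dir = os.path.join(root, "Program Files", "Tool")
        user_dir = os.path.join(root, "Users", "alice", "bin")
        os.makedirs(program_dir)
        os.makedirs(user_dir)
        with open(os.path.join(program_dir, "tool.exe"), "wb") as f:
            f.write(b"legitimate binary (constructed)")
        path = [user_dir, program_dir]
        before = resolve_command("tool", path)
        with open(os.path.join(user_dir, "tool.exe"), "wb") as f:  # attacker plants the same name
            f.write(b"malicious binary (constructed)")
        after = resolve_command("tool", path)
        risks = writable_entries_before(path, program_dir, is_writable)
        return {"before": os.path.relpath(before, root),
                "after": os.path.relpath(after, root),
                "risks": [os.path.relpath(r, root) for r in risks]}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

`writable_entries_before` takes the writability check as a parameter so it can be run against a copied PATH string with a predicate built from the target system's ACLs rather than the analyst's own workstation permissions.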

NTFS File System Insights

  • NTFS (New Technology File System) is the file system on almost every Windows installation; understanding its structure is essential for forensic work.
  • The Master File Table (MFT) holds one record (normally 1024 bytes) for every file and directory on an NTFS volume: its names, timestamps, and either the file's content itself or the location of the clusters that hold it. The MFT is itself a file on the volume, $MFT.

Data Recovery Challenges in NTFS

  • Deleting a file does not erase its MFT record: NTFS clears the "in use" flag in the record header and releases the file's clusters in $Bitmap. The name, timestamps and, for small files, the content itself stay in the record until NTFS reuses it, so recovery is often possible after deletion.
  • The attributes in a record change as the file is used (modification, access, rename): the timestamps in $STANDARD_INFORMATION are updated by normal operations, while those in $FILE_NAME are not kept current the same way. This complicates timeline analysis, although a mismatch between the two sets is also how timestamp tampering is detected.

Anomalies in File Content Storage

  • A file can be reported as occupying zero bytes on disk and still contain data: content smaller than roughly 700 bytes is stored resident, inside the $DATA attribute of the file's own MFT record, so no clusters are allocated to it. Tools or analysts that judge by cluster allocation alone will misread such files as empty.
  • NTFS design therefore cuts both ways for the analyst: some features (persistent MFT records, resident data) aid investigation, while others add complexity.
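The two points above (a deleted record keeps its content, and resident data lives inside the record) together with the timestamp behaviour, as an added example that is not part of the course: a builder that constructs one synthetic 1024-byte MFT FILE record for a deleted file with resident $DATA, and a parser that reads it back. The parser undoes the update-sequence fixups first, because the driver overwrites the last two bytes of each 512-byte sector of a record with the update sequence number and a naive parser would corrupt any resident data that spans that boundary. The record number (41), file name (`notes.txt`), timestamps and payload are constructed values, not data from a real disk.

```python
"""Added example (not from the course): build one synthetic NTFS MFT FILE record
for a deleted file with resident $DATA, then parse it back, undoing fixups first."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 1024, 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
REC_FLAG_IN_USE, REC_FLAG_DIRECTORY = 0x01, 0x02


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _resident_attribute(attr_type, content, attr_id):
    """24-byte resident attribute header + content, padded to an 8-byte boundary."""
    length = (0x18 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 0x18, 0, attr_id,
                         len(content), 0x18, 0, 0)
    return header + content + b"\x00" * (length - 0x18 - len(content))


def build_record(record_number, name, data, created, modified, in_use=True, seq=1):
    """Constructed record (hypothetical values, not read from a real volume)."""
    c, m = datetime_to_filetime(created), datetime_to_filetime(modified)
    # $STANDARD_INFORMATION: created, modified, MFT-modified, accessed, DOS flags (0x20 = ARCHIVE)
    std_info = struct.pack("<QQQQI", c, m, m, m, 0x20) + b"\x00" * 12
    # $FILE_NAME: parent reference (record 5 = root), its own four timestamps, sizes, flags, name
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), c, m, m, m, 0, len(data), 0x20, 0,
                     len(name), 1) + name.encode("utf-16-le")
    attrs = (_resident_attribute(ATTR_STANDARD_INFORMATION, std_info, 0)
             + _resident_attribute(ATTR_FILE_NAME, fn, 1)
             + _resident_attribute(ATTR_DATA, data, 2)           # resident: the bytes live here
             + struct.pack("<I", ATTR_END) + b"\x00" * 4)
    flags = REC_FLAG_IN_USE if in_use else 0                     # deletion only clears this bit
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, flags,
                         0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, record_number)
    rec = bytearray(header + b"\x00" * 8 + attrs)               # update sequence array at 0x30
    rec += b"\x00" * (RECORD_SIZE - len(rec))
    # Fixups as the driver writes them: the last 2 bytes of each sector are replaced
    # by the update sequence number and the originals are saved in the array.
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):
        pos = i * SECTOR_SIZE - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[pos:pos + 2]
        rec[pos:pos + 2] = usn
    return bytes(rec)


def undo_fixups(raw):
    """Put the saved sector-end bytes back; a mismatch means a torn or corrupt record."""
    rec = bytearray(raw)
    usa_offset, usa_size = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(1, usa_size):
        pos = i * SECTOR_SIZE - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[pos:pos + 2] = rec[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(rec)


def parse_record(raw):
    """Header flags, $FILE_NAME name, both timestamp sets, and the unnamed $DATA stream."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = undo_fixups(raw)
    seq, _links, first_attr, flags, used, _ = struct.unpack_from("<HHHHII", rec, 0x10)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq,
            "in_use": bool(flags & REC_FLAG_IN_USE), "directory": bool(flags & REC_FLAG_DIRECTORY),
            "name": None, "si_times": None, "fn_times": None, "resident": None, "size": None, "data": None}
    off = first_attr
    while off + 8 <= min(used, RECORD_SIZE):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 0x18:
            break
        non_resident, name_len = rec[off + 8], rec[off + 9]
        if atype == ATTR_DATA and name_len == 0 and non_resident:
            # Content is in clusters described by data runs; only the real size is in the record.
            info["resident"], info["size"] = False, struct.unpack_from("<Q", rec, off + 0x30)[0]
        elif not non_resident:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                info["si_times"] = tuple(map(filetime_to_datetime, struct.unpack_from("<QQQQ", content)))
            elif atype == ATTR_FILE_NAME:
                info["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
                info["fn_times"] = tuple(map(filetime_to_datetime, struct.unpack_from("<QQQQ", content, 8)))
            elif atype == ATTR_DATA and name_len == 0:
                info["resident"], info["size"], info["data"] = True, clen, bytes(content)
        off += alen
    return info


def demo():
    """Deleted 594-byte file: record not in use, yet name, times and content remain."""
    created = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    modified = datetime(2024, 3, 2, 17, 30, tzinfo=timezone.utc)
    payload = b"constructed note: meeting at 18:00, bring the USB key\n" * 11  # stays resident
    return parse_record(build_record(41, "notes.txt", payload, created, modified, in_use=False))


if __name__ == "__main__":
    r = demo()
    print(r["record"], r["in_use"], r["name"], r["resident"], r["size"], r["si_times"][1], r["data"][:40])
```

Run against a real `$MFT` export, the same parser applies record by record at 1024-byte strides; records whose signature is not `FILE` are free or damaged slots, and any record whose fixups do not match should be flagged rather than silently parsed.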

Conclusion on NTFS Design Implications

  • Some of the ways NTFS stores data are counterintuitive, and raise the question of how much of that complexity buys efficiency and how much of it simply burdens the forensic analyst.

Video description

Link to the slides: https://drive.google.com/file/d/1Ys9FqZCmtnfG_TPRyR8L9__IeP2qxqdB/view?usp=sharing This video is part of a course in the Computer Forensics (Análisis Forense Informático) module of the Cybersecurity specialization course. The playlists for the full course are at: https://www.youtube.com/channel/UCHi9ylF9fHvt4DB55_1IZaw/playlists