What`s New in Windows Forensics-Marsh-5-23

What's new in Windows Forensics ?
[email protected]
Today’s presentation will discuss “What’s new in Windows Forensics.”
Our focus will be on changes to the Windows Operating Systems
through Windows 7 and Windows Server 2008 R2.
Sorry no Windows 8 until next year…….
Recycle Bin
Directory Structure Changes
Public Folders
Microsoft Virtual Systems
File Virtualization
Symbolic Link
Registry Virtualization
Windows Side By Side (WinSxS)
Registry Changes - Additions
Change Journal
Transactional NTFS
Windows Index Search
Last Access Dates
Volume Shadow Copy
Windows Event Logs
Jump List
Volume Boot Record (VBR) moved to PS2048, NOT PS63
System Volume NOT encrypted:
 Boot Sector
 Boot Manager (bootmgr)
 Boot Configuration Data (BCD)
 MUI Files
 Font Files
 Boot Utilities
OS Volume Contains:
 Encrypted OS
 Encrypted Page File
 Encrypted Temp Files
 Encrypted Data
 Encrypted Hibernation File
 Encrypted Crash Dump Files
Windows 7 and Windows Server 2008 create a “system reserved” volume
during their installation, which allow you to setup BitLocker. In Vista you had
to create a separate 1.5 GB system volume before enabling BitLocker
Vista & Windows 2008 cannot unlock BitLocker
volumes created with Windows 7 or 2008 R2.
Must use Windows 7 or 2008 R2 to open (and image)
BitLocker volumes from Windows 7 or 2008 R2.
Physical view of boot sector for a BitLocker protected second partition:
 ëR-FVE-FS (EB 52 90 4E 54 46 53) Vista & Windows Server 2008
 ëX-FVE-FS (EB 58 90 2D 46 56 45 2D 46 53 2D) Windows 7 - Server 2008 R2
Viewed or imaged as a physical disk, BitLocker volumes is encrypted.
Viewed or imaged as a logical partitions, volumes appears decrypted
Approached at a PHYSICAL level, the BitLocker protected volume is ENCRYPTED.
Approached at the LOGICAL level, the BitLocker protected volume will unlocked—that is, appear DECRYPTED.
BitLocker To Go
Extended FAT file system
“a new file system that is better adapted to the growing needs of mobile
personal storage. The EXFAT file system not only handles large files, such
as those used for media storage, it enables seamless interoperability
between desktop PCs and devices such as portable media devices so that
files can easily be copied between desktop and device.”
Microsoft Virtual Systems
Microsoft Virtual system include:
• Virtual PC
• Hyper-V
Microsoft Virtual Systems
Virtual Hard Disks:
• Fixed virtual hard disk - storage allocated on creation
• Dynamic expanding virtual hard disk - initial size is 8 MB grows as need until
maximum size specified when created.
Microsoft Virtual Systems
Virtual Hard Disks:
• AVHD – Snapshot Differencing virtual hard disk – smaller initial size,
grows as need until it parent disk is full. Point in time of the current
running virtual system.
- Can be merged manually using Hyper-V Management Console.
- Can be rename the as VHD and them added to EnCase
Microsoft Virtual Systems
When work with Virtual systems you will have two sets of artifacts:
• Virtual System artifacts
• Host system artifacts
Virtual Systems Artifacts
Virtual PV:
• VMC - configuration like RAM, hard disk, network settings and undo disk
• VHD - virtual hard disk file.
• VUD – undo disk
• VSV – ram dump.
• VFD - virtual floppy disk file.
• VMCX - used by VPC for internal use only.
• Vpcbackup – Keeps backed up .vmc, for internal use only.
• XML - configuration details.
• BIN - saved state of memory.
• VSV - saved state of devices.
• VHD - virtual hard disk file.
• AVHD - differencing disk files used for virtual machine snapshots.
• VFD - virtual floppy disk file.
Host Systems Artifacts
File system metadata:
• file created time stamp would indicate when VHD or VM was
• last written time stamp would indicate last time VHD or VM
• Event Logs
Symbolic Link
Different than a hard link because it can point to files & folders and
objects on other volumes or network shares.
 A symbolic links is resolved differently than a directory
- Windows processes symbolic links on the local system,
even when they reference a location on a remote file
- Windows processes directory junctions that reference a
remote file server on the server itself.
 Symbolic links on a server can therefore refer to locations that
are only accessible from a client, like other client volumes,
whereas directory junctions cannot.
Page 17
Windows Side By Side (WinSxS)
The WinSxS folder replaces the “dllcache’ folder” or “i386” folder
found in older versions of Windows.
Files that appear in the WinSxS directory may not actual exist,
because they may simply be associated with a hard link that point to
a an actual file.
The WinSxS folder may contain old dll’s and library components.
Page 18
Change Journal
The USN Journal is a NTFS logging mechanism that logs various
transactions that occur on the file system.
** Disabled by default in Windows 2000, XP and Server 2003.
** Enabled by default in Vista, Windows 7 and Server 2008 (R2).
Creates a continuous log capturing file system changes. These
changes are written to an internal NTFS metadata file named
“$USNJRNL” and specifically into an alternate data stream of that file.
** PATH: C:\$Extend\$UsnJrnl·$J
Can be searched for filenames, date stamps an MFT record numbers.
Make sure you select Unicode when looking for specific filenames.
Change Journal
Transactional NTFS
$TxF works on top of NTFS to provides transaction logging.
 “Transactional NTFS (TxF) allows file operations on an NTFS file
system volume to be performed in a transaction.
 Related file system changes are treated and logged as a
 NTFS can then commit the changes if they are completed
 It can abort and roll back if they are not.
 TxF transactions increase application reliability by protecting data
integrity across failures and simplify application development by
greatly reducing the amount of error handling code.”
 They also provide another valuable source of forensic artifacts.
Transactional NTFS
Last Access Dates
The last access dates are no longer updated when a file is accessed.
 Key is that it is disabled by default.
This feature can be turned on or off via a registry key:
 Default NOT tracking
 Change to tracking ON
Windows Event Logs
No more .EVT files now they are .EVTX
 Event logs are not stored in \Windows\System32\config
 Old View
 Event log files Event logs are stored in
 New View
Windows Event Logs
Windows Event Logs
Windows Server 2003
Vista, Server 2008 (R2), Windows 7
Application and System log event id DID NOT change.
Security Log event id DID change.
System Event Log: “Self Healing” Event ID’s 130-133
Recycle Bin
 $Recycle.Bin is visible in Explorer (view hidden files).
 Per user store in a subfolder named with account SID.
 No more Info2 files.
 When a file is deleted—moved to the Recycle Bin—it generates two files
in the Recycle Bin.
 $I and $R files.
 $I or $R followed by several random characters, then original
extension. The random characters are the same for each $I/$R pair.
 $I file maintains the original name and path, as well as the deleted
 $R file retains the original file data stream and other attributes. The
name attribute is changed to $R******.ext.
Recycle Bin
Recycle Bin
Holding down shift key while pressing Delete will by pass Recycling Bin.
Can still be configured to be bypassed:
 HKEY_USER\”USER SID”\SOFTWARE\Microsoft\Windows\
Directory Structure Changes
Public Folders
Files or folders located under the “public” folder are accessible by
everyone. Note that the structure in a live machine is different that what
is seen from a forensic view.
File Virtualization
File virtualization redirects file writes from protected storage to peruser locations. This redirection is transparent to applications reading
from or writing to the per-user location.
 Part of User Access Control—Standard user cannot write to
certain protected folders.
C:\Program Files
C:\Program Data
 To allow standard user to function, any writes to protected folders
are “virtualized” and written to:
File Virtualization
File Virtualization
When Files Do and Do Not get Virtualized
 32-bit apps using administrative privileges do NOT get virtualized.
 32-bit applications written following new Windows application guidelines
do not need to be virtualized.
 64-bit applications must be written and signed following new Windows
application guidelines and do not need to be virtualized.
 Otherwise and attempt to write a file in C:\Program Files, it is silently
redirected to a Virtual Store directory for the located inside the current
user's account.
▫ To the application, things proceed as normal
▫ Application does not need knowledge of the redirection occurring.
 Multi-user systems, each user will have isolated, local copies of
redirected files.
Registry Virtualization
Registry virtualization enables registry write operations that have global impact
to be redirected to per-user locations. This redirection is transparent to
applications reading from or writing to the registry.
HKEY_LOCAL_MACHINE\SOFTWARE - Non-administrator writes are redirect:
Location of the registry hive file for the VirtualStore
Is NOT the user’s NTUSER.DAT
It is stored in the user’s UsrClass.dat
Investigation requires the investigator to examine at least two account specific
registry hive files for each user account.
Registry Virtualization
Disabled for the following:
 64-bit process.
 Non interactive process, such as services
 Process that impersonate a user
 Kernel Mode process such as drivers
 Keys excluded from virtualization
▫ HKEY_LOCAL_MACHINE\Software\Classes
▫ HKEY_LOCAL_MACHINE \Software\Microsoft\Windows
▫ HKEY_LOCAL_MACHINE \Software\Microsoft\Windows NT
Registry Changes and Additions
New Registry Hive files
 BCD in \Boot.
 Components in \Windows\System32\config.
Transaction support for the registry (TxR)
 Registry Transaction Logs allows applications to perform registry
operations in a transactional manner.
▫ Stored in the TxR subfolder in \Windows\System32\config with the
system registry hives.
▫ Typical scenario: software installation.
▫ Files copied to file system and information to the registry as a single
operation. In the event of failure, registry modification rolled back.
Jump Lists - Automatic Destinations
Jump Lists—new in Windows 7— Right click on a folder or application
it take you to a list of “recent or frequent” item are associate with a
users activities.
PATH: C:\Users\”user”\AppData\Roaming\Microsoft\Windows\Recent\
PATH: C:\Users\”user”\AppData\Roaming\Microsoft\Windows\Libraries
Page 39
The existence of a prefetch file indicates that the application named by the
prefetch file was run.
The creation date of a prefetch file can indicate when the named application was
first run.
The modification date of a prefetch file can indicate when the named application
was last run.
Windows Search Index
Windows Search Index uses the Extensible Storage Engine (ESE) to allow
applications to store and retrieve data via indexed and sequential access.
Example application include:
Windows Live Messenger: C:\Users\woany\AppData\Local\Microsoft\
Windows Live Contacts\{5dabbe1a-86f7-47af-92d9-8228549cb5d9}\DBStore
Desktop Search: C:\ProgramData\Microsoft\Search\Data\Applications\Windows
Volume Shadow Copy
Volume Shadow Copy
Windows File Protection (WFP) was implemented in 2000 and XP to attempt to
prevent programs from replacing critical systems Files.
 WFP silently restored an original copy of (DLL, EXE, SYS, OCX from a cached
Windows Resource Protection (WRP) replaced WFP in Vista. It added registry keys
and folders protection in addition to critical system files.
 WRP uses cached folder and discretionary access control list (DACL’s ) and
access control list (ACL’s) to protect resources.
 Volume Snapshots
▫ Manual
▫ Every 24 hours
▫ Before Windows updates
▫ unsigned drivers is installed
▫ an application calls Snapshot API.
Volume Shadow Copy
System Protection replaced WRP in Windows 7
 Uses cached folder and discretionary access control list (DACL’s )
and access control list (ACL’s) to protect resources.
 Volume Snapshots
▫ Manual
▫ Every 7 days
▫ Before Windows updates
▫ unsigned drivers is installed
▫ an application calls Snapshot API.
Volume Shadow Copy
Enabled by default on Vista and Windows 7,
Not enabled on Windows 2008 or 2008 R2.
Backups and Restores; Previous Versions
System Restore Points
Shadow copies reside in the System Volume Information folder.
 \System Volume Information\Syscache.hve
Do not contain a complete image of everything that was on the
volume at the time the shadow copy was made.
Forensic value:
 Provides a “snapshot” of a volume at a particular time.
 Can show how files have been altered.
 Can retain data that has later been deleted, wiped, or encrypted.
Volume Shadow Copy
vssadmin list shadows /for=[volume]:
Volume Shadow Copy
Volume Shadows can be mounted as a symbolic link:
Mklink /d C:\{name} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\
Volume Shadows can be mounted as a network share:
net share [name]=\\.\HarddiskVolumeShadowCopy#\
Thank you!
[email protected]

similar documents