What's new in Windows Forensics?
john.marsh@encase.com

Today's presentation will discuss "What's new in Windows Forensics." Our focus will be on changes to the Windows operating systems through Windows 7 and Windows Server 2008 R2. Sorry, no Windows 8 until next year.

Agenda
• VBR
• BitLocker
• ExFAT
• Microsoft Virtual Systems
• Symbolic Links
• Windows Side By Side (WinSxS)
• Change Journal
• Transactional NTFS
• Last Access Dates
• Windows Event Logs
• Recycle Bin
• Directory Structure Changes
• Public Folders
• File Virtualization
• Registry Virtualization
• Registry Changes - Additions
• Superfetch
• Windows Index Search
• Volume Shadow Copy
• Jump Lists

NTFS Volume Boot Record (VBR)
The first partition now starts at physical sector 2048 (PS2048), NOT physical sector 63 (PS63), so the VBR of the OS volume is found 1 MiB into the disk (with 512-byte sectors) instead of at the end of the first CHS track.
• Before (XP / Server 2003): PS63
• Now (Vista and later): PS2048

BitLocker
System volume - NOT encrypted:
• Boot sector
• Boot Manager (bootmgr)
• Boot Configuration Data (BCD)
• MUI files
• Font files
• Boot utilities
OS volume - everything encrypted:
• OS
• Page file
• Temp files
• Data
• Hibernation file
• Crash dump files

BitLocker
Windows 7 and Windows Server 2008 R2 create a "System Reserved" volume during installation, which lets you set up BitLocker without repartitioning. In Vista you had to create a separate 1.5 GB system volume before enabling BitLocker.
Vista and Windows Server 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2. You must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.

BitLocker
Physical view of the boot sector for a BitLocker protected second partition. The 8-byte OEM ID at offset 3 is "-FVE-FS-" instead of "NTFS    ", and the three jump bytes in front of it tell the two on-disk formats apart:
• Vista and Windows Server 2008: ëR.-FVE-FS- (EB 52 90 2D 46 56 45 2D 46 53 2D)
• Windows 7 and Server 2008 R2: ëX.-FVE-FS- (EB 58 90 2D 46 56 45 2D 46 53 2D)
Viewed or imaged as a physical disk, the BitLocker volume is encrypted.
Viewed or imaged as a logical partition (on a system where it has been unlocked), the volume appears decrypted.
Approached at the PHYSICAL level, the BitLocker protected volume is ENCRYPTED. Approached at the LOGICAL level, the BitLocker protected volume is unlocked, that is, it appears DECRYPTED.
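The two checks above (where the VBR sits, and whether it is a plain NTFS or a BitLocker boot sector) as an added Python example. This is not code from the presentation or from EnCase; it walks the MBR partition table of a raw image, reads each partition's VBR and classifies it from the jump bytes and OEM ID. The disk image is constructed inside the script (one PS2048 Windows 7 BitLocker volume, one PS63 NTFS volume), not taken from a real system.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
NTFS_OEM = b"NTFS    "       # OEM ID of a plain NTFS boot sector (offset 3, 8 bytes)
BITLOCKER_OEM = b"-FVE-FS-"  # OEM ID of a BitLocker (Full Volume Encryption) volume


def parse_mbr_partitions(mbr: bytes):
    """Return the non-empty primary partition entries from a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, sector count
        status, ptype, start_lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                          "start_lba": start_lba, "sectors": count})
    return parts


def classify_vbr(vbr: bytes) -> str:
    """Classify a volume boot record by its jump bytes and OEM ID."""
    jump, oem = vbr[0:3], vbr[3:11]
    if oem == NTFS_OEM:
        return "NTFS"
    if oem == BITLOCKER_OEM:
        if jump == b"\xEB\x52\x90":
            return "BitLocker (Vista / Server 2008)"
        if jump == b"\xEB\x58\x90":
            return "BitLocker (Windows 7 / Server 2008 R2)"
        return "BitLocker (unrecognised jump bytes)"
    return "unknown"


def alignment(start_lba: int) -> str:
    if start_lba == 2048:
        return "PS2048 (Vista+ 1 MiB alignment)"
    if start_lba == 63:
        return "PS63 (legacy CHS alignment)"
    return "other"


def survey_image(image: bytes):
    """Walk the MBR partition table of a raw image and classify each partition's VBR."""
    out = []
    for p in parse_mbr_partitions(image[:SECTOR]):
        off = p["start_lba"] * SECTOR
        vbr = image[off: off + SECTOR]
        out.append({**p, "alignment": alignment(p["start_lba"]), "vbr": classify_vbr(vbr)})
    return out


def build_sample_image() -> bytes:
    """Constructed image (not a real disk): a PS2048 Windows 7 BitLocker volume
    and a PS63 NTFS volume, each one sector long so the image stays small."""
    img = bytearray((2048 + 1) * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1)
    img[462:478] = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x07, b"\0\0\0", 63, 1)
    img[510:512] = MBR_SIGNATURE
    for lba, header in ((2048, b"\xEB\x58\x90" + BITLOCKER_OEM),
                        (63, b"\xEB\x52\x90" + NTFS_OEM)):
        off = lba * SECTOR
        img[off:off + 11] = header
        img[off + 510:off + 512] = MBR_SIGNATURE
    return bytes(img)


if __name__ == "__main__":
    for p in survey_image(build_sample_image()):
        print(f"partition {p['index']}: LBA {p['start_lba']:>5} {p['alignment']}: {p['vbr']}")
```

Against a real image, replace build_sample_image() with the first 1 MiB or so of the physical device; the classification needs only the partition table and the first sector of each partition.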
BitLocker To Go
BitLocker for removable drives, new in Windows 7.

ExFAT
Extended FAT file system: "a new file system that is better adapted to the growing needs of mobile personal storage. The exFAT file system not only handles large files, such as those used for media storage, it enables seamless interoperability between desktop PCs and devices such as portable media devices so that files can easily be copied between desktop and device."
http://msdn.microsoft.com/en-us/library/aa914353.aspx

Microsoft Virtual Systems
Microsoft virtual systems include:
• Virtual PC
• Hyper-V

Virtual hard disks:
• Fixed virtual hard disk - storage allocated on creation.
• Dynamically expanding virtual hard disk - initial size is 8 MB; grows as needed up to the maximum size specified when created.
• AVHD - snapshot differencing virtual hard disk - smaller initial size, grows as needed until its parent disk is full. Represents a point in time of the currently running virtual system.
▫ Can be merged manually using the Hyper-V Management Console.
▫ Can be renamed to .VHD and then added to EnCase.

When working with virtual systems you will have two sets of artifacts:
• Virtual system artifacts
• Host system artifacts

Virtual System Artifacts
Virtual PC:
• VMC - configuration: RAM, hard disk, network settings and undo disk settings.
• VHD - virtual hard disk file.
• VUD - undo disk.
• VSV - saved state (RAM dump).
• VFD - virtual floppy disk file.
• VMCX - used by Virtual PC for internal use only.
• vpcbackup - keeps a backed-up .vmc; for internal use only.
Hyper-V:
• XML - configuration details.
• BIN - saved state of memory.
• VSV - saved state of devices.
• VHD - virtual hard disk file.
• AVHD - differencing disk files used for virtual machine snapshots.
• VFD - virtual floppy disk file.

Host System Artifacts
File system metadata:
• The file created time stamp indicates when the VHD or VM was created.
• The last written time stamp indicates the last time the VHD or VM was used (written to).
• Event logs

Symbolic Link
Different from a hard link because it can point to files, folders and objects on other volumes or network shares.
A symbolic link is resolved differently than a directory junction:
• Windows processes symbolic links on the local system, even when they reference a location on a remote file server.
• Windows processes directory junctions that reference a remote file server on the server itself.
Symbolic links on a server can therefore refer to locations that are only accessible from a client, like other client volumes, whereas directory junctions cannot.

Windows Side By Side (WinSxS)
The WinSxS folder replaces the "dllcache" folder or "i386" folder found in older versions of Windows.
Files that appear in the WinSxS directory may not actually exist as separate copies, because they may simply be hard links that point to one actual file.
The WinSxS folder may contain old DLLs and library components.

Change Journal
The USN Journal is an NTFS logging mechanism that logs various transactions that occur on the file system.
• Disabled by default in Windows 2000, XP and Server 2003.
• Enabled by default in Vista, Windows 7 and Server 2008 (R2).
Creates a continuous log capturing file system changes. These changes are written to an internal NTFS metadata file named $UsnJrnl, specifically into the $J alternate data stream of that file.
PATH: C:\$Extend\$UsnJrnl:$J
Can be searched for filenames, date stamps and MFT record numbers. File names in the journal are stored as Unicode (UTF-16LE), so make sure you select Unicode when keyword searching for specific filenames.

Transactional NTFS
$TxF works on top of NTFS to provide transaction logging.
"Transactional NTFS (TxF) allows file operations on an NTFS file system volume to be performed in a transaction." Related file system changes are treated and logged as a "transaction." NTFS can then commit the changes if they are completed successfully. It can abort and roll back if they are not. "
TxF transactions increase application reliability by protecting data integrity across failures and simplify application development by greatly reducing the amount of error handling code."
They also provide another valuable source of forensic artifacts.

Last Access Dates
Last access dates are no longer updated when a file is accessed. The key point is that this is disabled by default.
The behaviour is controlled by a registry value:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\NtfsDisableLastAccessUpdate
• 1 = NOT tracking (the default)
• 0 = tracking ON

Windows Event Logs
No more .EVT files; they are now .EVTX files.
Event logs are no longer stored in \Windows\System32\config (old view). They are stored in \Windows\System32\winevt\Logs (new view).
Windows Server 2003 versus Vista, Server 2008 (R2) and Windows 7:
• Application and System log event IDs DID NOT change.
• Security log event IDs DID change (most of the new Security IDs are the Server 2003 ID plus 4096; for example, successful logon 528 became 4624).
System Event Log: "Self Healing" Event IDs 130-133.

Recycle Bin
[Volume]:\$Recycle.Bin
• $Recycle.Bin is visible in Explorer (view hidden files).
• Per-user store in a subfolder named with the account SID.
• No more INFO2 files.
• When a file is deleted (moved to the Recycle Bin) it generates two files in the Recycle Bin: a $I file and an $R file.
• $I or $R followed by six random characters, then the original extension. The random characters are the same for each $I/$R pair.
• The $I file maintains the original name and path, the original size, and the deletion date.
• The $R file retains the original file's data stream and other attributes. The name attribute is changed to $R******.ext.
Holding down the Shift key while pressing Delete bypasses the Recycle Bin.
The Recycle Bin can also be configured to be bypassed permanently:
HKEY_USERS\<user SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{volume GUID}\NukeOnDelete = 1

Directory Structure Changes
Public Folders: files or folders located under the "Public" folder (C:\Users\Public) are accessible by everyone.
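The Change Journal slide above says $UsnJrnl:$J can be searched for filenames, date stamps and MFT record numbers. The following is an added Python example (not from the presentation or EnCase) of what that search looks like once the stream is parsed rather than keyword-searched: it decodes USN_RECORD_V2 entries (the Vista / Windows 7 record version), splits the 64-bit file reference into the MFT entry number and sequence number, converts the FILETIME, and names the reason flags. The journal bytes are constructed by the script itself (a create, rename and delete of one file), including the zeroed sparse region that precedes live records in a real $J.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# USN_RECORD_V2 header: 60 bytes little-endian, followed by the UTF-16LE file name.
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
USN_V2 = struct.Struct("<IHHQQQQIIIIHH")
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def decode_reasons(flags: int):
    return [name for bit, name in sorted(USN_REASONS.items()) if flags & bit]


def parse_usn_journal(data: bytes):
    """Parse consecutive USN_RECORD_V2 entries from a $UsnJrnl:$J stream."""
    records, off = [], 0
    while off + USN_V2.size <= len(data):
        (length, major, _minor, frn, pfrn, usn, ts, reason, _src, _sid, attrs,
         name_len, name_off) = USN_V2.unpack_from(data, off)
        if length == 0:            # zeroed (sparse) region: step forward 8 bytes and retry
            off += 8
            continue
        if major != 2 or length < USN_V2.size or length % 8 or off + length > len(data):
            raise ValueError(f"bad USN record at offset {off}")
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({
            "offset": off,
            "usn": usn,                                  # in $J the USN is the byte offset
            "mft_record": frn & 0xFFFFFFFFFFFF,          # low 48 bits: MFT entry number
            "mft_sequence": frn >> 48,                   # high 16 bits: sequence number
            "parent_mft_record": pfrn & 0xFFFFFFFFFFFF,
            "timestamp": filetime_to_datetime(ts),
            "reasons": decode_reasons(reason),
            "attributes": attrs,
            "name": name,
        })
        off += length
    return records


def find_records(records, *, name=None, mft_record=None, after=None):
    """Filter parsed records by (case-insensitive) name fragment, MFT entry and/or time."""
    hits = []
    for r in records:
        if name is not None and name.lower() not in r["name"].lower():
            continue
        if mft_record is not None and r["mft_record"] != mft_record:
            continue
        if after is not None and r["timestamp"] < after:
            continue
        hits.append(r)
    return hits


def build_usn_record(usn, mft_no, seq, parent_no, when, reason, name) -> bytes:
    """Construct one USN_RECORD_V2 (sample data, not from a real volume)."""
    name_bytes = name.encode("utf-16-le")
    length = (USN_V2.size + len(name_bytes) + 7) & ~7      # records are 8-byte aligned
    frn = (seq << 48) | mft_no
    pfrn = (5 << 48) | parent_no
    hdr = USN_V2.pack(length, 2, 0, frn, pfrn, usn, datetime_to_filetime(when),
                      reason, 0, 0, 0x20, len(name_bytes), USN_V2.size)
    return hdr + name_bytes + b"\0" * (length - USN_V2.size - len(name_bytes))


def sample_journal() -> bytes:
    """Constructed $J: 64 zero bytes, then create -> rename -> delete of MFT entry 1234."""
    t0 = datetime(2012, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    recs = [
        build_usn_record(64, 1234, 3, 90, t0, 0x100 | 0x80000000, "secret.docx"),
        build_usn_record(152, 1234, 3, 90, t0 + timedelta(minutes=5), 0x1000, "secret.docx"),
        build_usn_record(240, 1234, 3, 90, t0 + timedelta(minutes=5), 0x2000, "notes.txt"),
        build_usn_record(320, 1234, 3, 90, t0 + timedelta(hours=2), 0x200 | 0x80000000, "notes.txt"),
    ]
    return b"\0" * 64 + b"".join(recs)


if __name__ == "__main__":
    for r in parse_usn_journal(sample_journal()):
        print(f"{r['timestamp']:%Y-%m-%d %H:%M} MFT#{r['mft_record']:<6} {r['name']:<12} {'|'.join(r['reasons'])}")
```

The rename shows up as two records with the same MFT entry (RENAME_OLD_NAME carrying the old name, RENAME_NEW_NAME the new one), which is why searching the journal by MFT record number rather than by filename recovers the whole history of a file.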
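The $I / $R pairing described in the Recycle Bin slides, as an added Python example that is not part of the presentation or of EnCase. It parses the $I metadata file (version 1, the Vista / Windows 7 layout the slides describe, and also version 2, the variable-length layout later Windows 10 builds use), derives the matching $R name, and reports whether the $R data file is still present in the SID subfolder. The $Recycle.Bin contents are constructed inside the script; no real deleted files are read.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I file from $Recycle.Bin.

    Version 1 (Vista / 7 / 8): 8-byte version (1), 8-byte original size, 8-byte FILETIME
    of deletion, then a fixed 520-byte (260 UTF-16LE characters) null-terminated path.
    Version 2 (Windows 10 1607+): same first 24 bytes, then a 4-byte path length in
    characters (terminator included) and the variable-length UTF-16LE path."""
    if len(data) < 24:
        raise ValueError("$I file too short")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "original_path": path,
    }


def companion_name(name: str) -> str:
    """$Ixxxxxx.ext <-> $Rxxxxxx.ext: the random characters and extension are shared."""
    if not name.startswith(("$I", "$R")):
        raise ValueError(f"not a Recycle Bin file name: {name}")
    return ("$R" if name[1] == "I" else "$I") + name[2:]


def list_recycle_bin(sid_folder: dict) -> list:
    """sid_folder maps file name -> bytes for one <SID> subfolder of $Recycle.Bin.
    Returns one row per $I file, joined with its $R file if that still exists."""
    rows = []
    for fname, blob in sorted(sid_folder.items()):
        if not fname.startswith("$I"):
            continue
        meta = parse_dollar_i(blob)
        r_name = companion_name(fname)
        rows.append({**meta, "i_file": fname, "r_file": r_name,
                     "r_present": r_name in sid_folder})
    return rows


def build_dollar_i(version: int, size: int, deleted_at: datetime, path: str) -> bytes:
    """Construct a $I file for the sample below (not copied from a real system)."""
    filetime = int((deleted_at - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10
    hdr = struct.pack("<QQQ", version, size, filetime)
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return hdr + encoded.ljust(520, b"\x00")
    return hdr + struct.pack("<I", len(path) + 1) + encoded


# Constructed contents of C:\$Recycle.Bin\<SID>\ : one complete $I/$R pair and one
# $I whose $R has already gone (e.g. the bin was emptied after the $I was captured).
SAMPLE_BIN = {
    "$IX7K2QF.docx": build_dollar_i(1, 4096, datetime(2012, 3, 1, 14, 30, tzinfo=timezone.utc),
                                    r"C:\Users\alice\Documents\secret.docx"),
    "$RX7K2QF.docx": b"PK\x03\x04 constructed docx content",
    "$I2B9ZZQ.txt": build_dollar_i(2, 17, datetime(2012, 3, 2, 9, 5, tzinfo=timezone.utc),
                                   r"C:\Users\alice\Desktop\notes.txt"),
}


if __name__ == "__main__":
    for row in list_recycle_bin(SAMPLE_BIN):
        print(f"{row['deleted_at']:%Y-%m-%d %H:%M} {row['original_size']:>6} "
              f"{row['original_path']}  ($R present: {row['r_present']})")
```

A $I without its $R still proves that the path was deleted and when; the reverse (an orphan $R) gives you content but no original name or deletion time.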
Note that the directory structure on a live machine is different from what is seen in a forensic view.

File Virtualization
File virtualization redirects file writes from protected storage to per-user locations. This redirection is transparent to applications reading from or writing to the per-user location.
Part of User Account Control (UAC): a standard user cannot write to certain protected folders:
• C:\Windows
• C:\Program Files
• C:\ProgramData
To allow the standard user to function, any writes to protected folders are "virtualized" and written to:
C:\Users\[user]\AppData\Local\VirtualStore

File Virtualization: when files do and do not get virtualized
• 32-bit applications running with administrative privileges do NOT get virtualized.
• 32-bit applications written following the new Windows application guidelines do not need to be virtualized.
• 64-bit applications must be written and signed following the new Windows application guidelines and are not virtualized.
• Otherwise an attempt to write a file under C:\Program Files is silently redirected to a VirtualStore directory located inside the current user's profile.
▫ To the application, things proceed as normal.
▫ The application needs no knowledge of the redirection occurring.
• On multi-user systems, each user will have isolated, local copies of the redirected files.

Registry Virtualization
Registry virtualization enables registry write operations that have global impact to be redirected to per-user locations. This redirection is transparent to applications reading from or writing to the registry.
HKEY_LOCAL_MACHINE\SOFTWARE - non-administrator writes are redirected to:
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\
Location of the registry hive file for the VirtualStore:
• It is NOT the user's NTUSER.DAT.
• It is stored in the user's UsrClass.dat: \Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat
An investigation therefore requires the investigator to examine at least two account-specific registry hive files for each user account:
• NTUSER.DAT
• UsrClass.dat

Registry Virtualization
Disabled for the following:
• 64-bit processes.
• Non-interactive processes, such as services.
• Processes that impersonate a user.
• Kernel mode processes such as drivers.
Keys excluded from virtualization:
▫ HKEY_LOCAL_MACHINE\Software\Classes
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT

Registry Changes and Additions
New registry hive files:
• BCD in \Boot.
• COMPONENTS in \Windows\System32\config.
Transaction support for the registry (TxR): registry transaction logs allow applications to perform registry operations in a transactional manner.
▫ Stored in the TxR subfolder in \Windows\System32\config with the system registry hives.
▫ Typical scenario: software installation.
▫ Files are copied to the file system and information written to the registry as a single operation. In the event of failure, the registry modifications are rolled back.

Jump Lists - Automatic Destinations
Jump Lists are new in Windows 7. Right-clicking an application or pinned folder on the taskbar or Start menu shows a list of "recent" or "frequent" items associated with the user's activity.
PATH: C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
Example file: 9b9cdc69c1c24e2b.automaticDestinations-ms (the 16 hex digits are the AppID of the application that owns the list).

Libraries
PATH: C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Libraries

Superfetch
\Windows\Prefetch
• The existence of a prefetch file indicates that the application named by the prefetch file was run.
• The creation date of a prefetch file can indicate when the named application was first run.
• The modification date of a prefetch file can indicate when the named application was last run.

Windows Search Index
Windows Search Index uses the Extensible Storage Engine (ESE) to allow applications to store and retrieve data via indexed and sequential access.
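The file and registry virtualization rules above, turned into an added Python helper (not from the presentation or EnCase) that answers the investigator's question: given a write a standard user's program attempted, where does the artifact actually end up and which hive file holds it? It applies the protected-folder list, the "disabled for" conditions (elevated, 64-bit, non-interactive) and the excluded-key list exactly as the slides state them. The user name, key paths and file paths in the sample calls are invented. C:\Program Files (x86) is added to the protected list because 64-bit Windows virtualizes it the same way, although the slide does not list it.

```python
PROTECTED_DIRS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",   # not on the slide; virtualized on 64-bit Windows
    r"C:\ProgramData",
)
VIRTUAL_STORE = r"C:\Users\{user}\AppData\Local\VirtualStore"
HKLM_SOFTWARE = r"HKEY_LOCAL_MACHINE\SOFTWARE"
EXCLUDED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT",
)


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path is prefix or lies below prefix' test on backslash paths."""
    p, q = path.lower(), prefix.lower()
    return p == q or p.startswith(q + "\\")


def file_write_target(path: str, user: str, *, elevated=False, is_64bit=False):
    """Where a file write by `user`'s process lands. Returns (effective path, virtualized?)."""
    if elevated or is_64bit:
        return path, False
    for d in PROTECTED_DIRS:
        if _under(path, d):
            # "C:\Program Files\..." -> "<VirtualStore>\Program Files\..."
            return VIRTUAL_STORE.format(user=user) + path[2:], True
    return path, False


def registry_write_target(key: str, user: str, *, elevated=False, is_64bit=False,
                          interactive=True):
    """Where a registry write lands and which hive file on disk holds it."""
    if not _under(key, HKLM_SOFTWARE):
        return {"key": key, "hive_file": None, "virtualized": False}
    untouched = {"key": key, "hive_file": r"C:\Windows\System32\config\SOFTWARE",
                 "virtualized": False}
    if elevated or is_64bit or not interactive:
        return untouched                      # virtualization disabled for this process
    if any(_under(key, ex) for ex in EXCLUDED_KEYS):
        return untouched                      # key is excluded from virtualization
    rel = key[len(HKLM_SOFTWARE):]
    return {
        "key": r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE" + rel,
        "hive_file": rf"C:\Users\{user}\AppData\Local\Microsoft\Windows\UsrClass.dat",
        "virtualized": True,
    }


if __name__ == "__main__":
    print(file_write_target(r"C:\Program Files\Vendor\app.ini", "alice"))
    print(file_write_target(r"C:\Program Files\Vendor\app.ini", "alice", elevated=True))
    print(registry_write_target(r"HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\Settings", "alice"))
    print(registry_write_target(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run", "alice"))
```

The practical consequence is the one the slide draws: an application that "wrote" to HKLM\SOFTWARE or C:\Program Files may have left its trace only in UsrClass.dat or the VirtualStore folder of the account that ran it, so a review of NTUSER.DAT and the SOFTWARE hive alone can miss it.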
Example applications include:
• Windows Live Messenger: C:\Users\[user]\AppData\Local\Microsoft\Windows Live Contacts\{5dabbe1a-86f7-47af-92d9-8228549cb5d9}\DBStore
• Desktop Search: C:\ProgramData\Microsoft\Search\Data\Applications\Windows

Volume Shadow Copy
Windows File Protection (WFP) was implemented in Windows 2000 and XP to attempt to prevent programs from replacing critical system files. WFP silently restored an original copy of a protected file (DLL, EXE, SYS, OCX) from a cached folder.
Windows Resource Protection (WRP) replaced WFP in Vista. It added protection of registry keys and folders in addition to critical system files. WRP uses a cached folder and discretionary access control lists (DACLs) and access control lists (ACLs) to protect resources.
Volume snapshots are taken (Vista):
▫ Manually
▫ Every 24 hours
▫ Before Windows updates
▫ When an unsigned driver is installed
▫ When an application calls the snapshot API

Volume Shadow Copy
System Protection took over this role in Windows 7. It uses a cached folder and discretionary access control lists (DACLs) and access control lists (ACLs) to protect resources.
Volume snapshots are taken (Windows 7):
▫ Manually
▫ Every 7 days
▫ Before Windows updates
▫ When an unsigned driver is installed
▫ When an application calls the snapshot API

Volume Shadow Copy
Enabled by default on Vista and Windows 7; not enabled by default on Windows Server 2008 or 2008 R2.
Used for backups and restores, Previous Versions, and System Restore points.
Shadow copies reside in the System Volume Information folder (as GUID-named difference-area files); \System Volume Information\Syscache.hve lives in the same folder.
Shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.
Forensic value:
• Provides a "snapshot" of a volume at a particular time.
• Can show how files have been altered.
• Can retain data that has later been deleted, wiped, or encrypted.

Volume Shadow Copy
List the shadow copies of a volume:
vssadmin list shadows /for=[volume]:
A volume shadow can be mounted as a symbolic link (the trailing backslash is required):
mklink /d C:\{name} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\
A volume shadow can be exposed as a network share:
net share [name]=\\.\HarddiskVolumeShadowCopy#\

Thank you!
john.marsh@encase.com