Slide 1: Lecture 7, Forensic Analysis of Windows Systems (contd.)
Prof. Shamik Sengupta
Office 4210N
ssengupta@jjay.cuny.edu
http://jjcweb.jjay.cuny.edu/ssengupta/
Fall 2010

Slide 2: What we will cover today
Forensic analysis of Windows systems
– Registry
– Time zone
– Print spool

Slide 3: Windows Registry
What is the registry?
– Think of it as a large database of settings and information
– Settings for the computer, applications, services, security and users
Microsoft definition:
– “A central hierarchical database used to store information that is necessary to configure the system for one or more users, applications and hardware devices.”

Slide 4: Registry Files
The Windows registry is a repository for configuration information
– On Windows 95/98, the registry is comprised of files such as windows\system.dat and windows\user.dat
– On Windows NT/2000 onward, it consists of several hive files located in systemroot\system32\config, plus ntuser.dat
The registry contains information about many aspects of the system in “separate compartments”
– It can be viewed using regedit or regedt32 from the command line
– It can be viewed using EnCase

Slide 5: A snapshot of the Registry using regedit (screenshot)

Slide 6: Registry Hives
Windows Registry – four main system hives
– Software (HKEY_LOCAL_MACHINE\Software)
– System (HKEY_LOCAL_MACHINE\System)
– Security (HKEY_LOCAL_MACHINE\Security)
– SAM (HKEY_LOCAL_MACHINE\SAM)
– Often clubbed together as HKLM
User hive
– HKEY_USERS\...
– HKU

Slide 7: Hives
Subtree                        Filename
HKEY_LOCAL_MACHINE\System      Windows\system32\config\System
HKEY_LOCAL_MACHINE\Software    Windows\system32\config\Software
HKEY_LOCAL_MACHINE\Security    Windows\system32\config\Security
HKEY_LOCAL_MACHINE\SAM         Windows\system32\config\SAM
HKU\[…]                        NTUSER.DAT (in \documents and settings…), one for each user

Slide 8: User Hive
When Windows loads a user profile, the OS loads the hive file into the HKEY_USERS subtree
For the current user,
– Windows links HKEY_CURRENT_USER (HKCU) to HKU\SID
Use EnCase to mount your NTUSER.dat
– Find the homepage for Internet Explorer for this user account

Slide 9: Closing a mounted Registry Hive
Closing a mounted registry hive is important!
– If you mount all the hives and save your case, it will take a long time for the case to open next time
– A mounted hive uses extra RAM on your computer
How to close?
– Select the “Devices” tab
– You will see the mounted hives in the table pane
– Right-click on the hive and select “Close”

Slide 10: Time Zone information
When conducting a forensic investigation on a computer
– It is critical to determine the time zone settings of hard drives that have the Windows OS installed
How to understand time zone settings
– Use Registry information
– Which hive contains this info?

Slide 11: System Registry Hive
Mount the System hive (screenshot)

Slide 12: System Hive (screenshot)

Slide 13: Now a pause and look into the System Hive
There are a lot of folders and possibly a lot of “ControlSet” folders
What are these ControlSet folders?
– A control set contains system configuration information such as device drivers and services
– Several instances of control sets exist when viewing the Registry
– Some are duplicates or mirror images of others and some are unique
– Which ones exist depends on how often you change system settings or have problems with the settings you choose
– A typical installation of Windows may contain two to four:
– \ControlSet001
– \ControlSet002
– \CurrentControlSet
– \Clone

Slide 14: ControlSet folders
A typical installation of Windows may contain two to four
– \ControlSet001
– \ControlSet002
– \CurrentControlSet
– \Clone
– ControlSet001 may be the last control set you booted with
– ControlSet002 could be what is known as the last known good control set, or the control set that last successfully booted Windows
– The CurrentControlSet subkey is just a pointer to one of the ControlSetXXX keys
– Clone is a clone of CurrentControlSet, and is created each time you boot your computer
How will you know which folder is for what?
– In order to better understand how these control sets are used, we need to access another subkey: “Select”

Slide 15: Select
Select is also under the SYSTEM key
Select contains the following values:
– Current
– Default
– Failed
– LastKnownGood
Each of these values contains a REG_DWORD data type and refers specifically to a control set
– For example, if the Current value is set to 0x1, then CurrentControlSet is pointing to ControlSet001
– Failed refers to a control set that was unable to boot Windows NT successfully
– The Default value usually agrees with Current

Slide 16: Viewing Select (screenshot)

Slide 17: Viewing Select (screenshot)

Slide 18: Time zone information (screenshot)

Slide 19: Time zone information (screenshot)

Slide 20: Time zone information
Bias
– Minutes offset from GMT for the time zone setting (32-bit int)
– E.g., 300
ActiveTimeBias
– Minutes offset from GMT for the current time setting (32-bit int)
– E.g., 240
DaylightBias
– Minutes offset from the Bias for DST settings (32-bit int)
– E.g., -60
StandardBias
– Minutes offset from the Bias for the standard time
(usually 0)
DaylightName
– Name of the time zone DST setting (Unicode)
StandardName
– Name of the standard time zone setting (Unicode)

Slide 21: Time zone information
DaylightStart, StandardStart format: 8 fields
– each field is a 16-bit integer (2 bytes)
– fields as labelled on the slide: 2-byte pad (00 00), Month, Week, Hour, Minutes, Seconds, Millisec, Day

Slide 22: Printing
Printing involves a spooling process whereby the sending of data to a printer is delayed
– The delay allows the application program to continue to be responsive to the user
– The printing takes place in the background
Print spooling is accomplished by creating temporary files that contain both the data to be printed and sufficient information to complete the print job
– Files with extensions .SPL and .SHD are created for each job
– The .SHD file is a ‘shadow’ file that contains information about the print job, including the owner, the printer, the name of the file printed and the printing method (EMF or RAW)
– In RAW format, the .SPL file contains the data to be printed
– In EMF format, the .SPL file contains the name of the file printed, the method and a list of files that contain the data to be printed
– The .SHD and .SPL files are deleted after the print job completes

Slide 23: Printing (Continued)
In Windows, the spool files are kept in
– <system folder>\system32\spool\printers
The .SPL and .SHD files contain the name of the file to be printed, including its fully qualified path
– The path may suggest that other media containing evidence exist
If the original file that the user printed does not exist on the seized evidence, the file may be found in enhanced metafile format
While in Hex view, locate the letters “EMF” in the right part of the view pane
– Starting from the byte just prior to “E”, select 41 bytes backwards
– Right-click on the highlighted area and view it as a picture

Slide 24: Case Example: Print Spooler Files
Print spooler evidence was the only evidence in a counterfeiting case in Orange County, California.
Department of Consumer Affairs examiners arrested a suspect for selling counterfeit state license certificates and seized his computer. Although the examiner had seized some of the counterfeit certificates from victims, no evidence could be located on the computer. When the examiner requested a second view from the California Department of Insurance, Fraud Division, the Computer Forensic Team identified several deleted enhanced metafiles that exactly matched the paper copies that had been seized during the investigation. The only evidence present on the drive was the enhanced metafiles. The defendant was convicted at trial.

Slide 25: NTFS Log File
An artifact unique to an NTFS volume is the $LOGFILE
– created during the formatting of an NTFS volume
$LOGFILE keeps track of transactions and enables NTFS to recover from system crashes
– transaction: a set of operations that cause a change to file system data or to a volume’s directory structure
– The operations are treated as a set, or transaction, for the purpose of maintaining the integrity of the volume if a system failure occurs
– E.g.
To delete a file, the necessary steps ($BITMAP file changed to show the clusters as unallocated, MFT record marked as deleted, deletion of the index entry) are recorded in the $LOGFILE so that each step in a transaction can be executed again, or each step can be undone if a problem arises
– If a crash occurs, NTFS can recreate any transactions that completed and can undo or complete partially completed transactions

Slide 26: NTFS Log File (Continued)
$LOGFILE is maintained by NTFS and its MAC times are not updated
Any information found in this file was put there because a transaction occurred
This carries weight since it verifies that the file was in some way used on the computer
It is common to locate several file names in the $LOGFILE that no longer exist anywhere else on the volume
– The recovery of file names with their associated dates and times can be relevant evidence

Slide 27: NTFS Log File (Continued)
The $LogFile’s structure is not entirely clear outside MS!
Some of the information that may be located in the $LOGFILE
– Index entries
– Index entries are folder entries
– Each entry describes one file, including its name and MAC times
– Copy of MFT record
– MFT records all begin with ‘File’ followed by a hex value, usually ‘2a’
– These records are located by searching the $LOGFILE for this repeating pattern
– Link files
– Link files can be located by searching for the link-file header within the $LOGFILE

Slide 28: NTFS Log File (Continued)
Some general made-easy info about $LogFile
– The logging area consists of a sequence of 4KB log records
– Magic number is “RCRD”
– The log record contains a sequence of variable-sized records
– Similarly for the “restart” area
– Magic number is “RSTR”
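As an added example (not part of the lecture slides), the following Python interprets the TimeZoneInformation values from slides 20 and 21 using the slides’ sample numbers (Bias 300, ActiveTimeBias 240, DaylightBias -60, StandardBias 0). The time zone names are constructed, and the DaylightStart/StandardStart field order used here is the Win32 SYSTEMTIME layout rather than the labels as printed on slide 21.

```python
import struct
from datetime import datetime, timedelta

# Constructed sample of the TimeZoneInformation values, using the example numbers from the
# slides; the zone names are made up. DaylightStart/StandardStart are 16-byte REG_BINARY
# blobs laid out as a Win32 SYSTEMTIME: eight little-endian 16-bit fields (year, month,
# day-of-week, day, hour, minute, second, millisecond). In a transition rule the year is 0
# and the "day" field holds the week of the month (5 = last week).
SAMPLE_TZ = {
    "Bias": 300,
    "ActiveTimeBias": 240,
    "DaylightBias": 0xFFFFFFC4,      # -60 as the unsigned REG_DWORD seen in a hex view
    "StandardBias": 0,
    "StandardName": "Eastern Standard Time",
    "DaylightName": "Eastern Daylight Time",
    "DaylightStart": struct.pack("<8H", 0, 4, 0, 1, 2, 0, 0, 0),   # first Sunday of April, 02:00
    "StandardStart": struct.pack("<8H", 0, 10, 0, 5, 2, 0, 0, 0),  # last Sunday of October, 02:00
}
WEEKDAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
WEEKS = {1: "first", 2: "second", 3: "third", 4: "fourth", 5: "last"}

def to_int32(value):
    """REG_DWORD is unsigned on disk; the bias values are signed 32-bit integers."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]

def bias_to_offset(bias_minutes):
    """Bias is UTC minus local time, so a positive Bias lies west of GMT (300 -> UTC-05:00)."""
    sign = "-" if bias_minutes > 0 else "+"
    hours, minutes = divmod(abs(bias_minutes), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"

def describe_transition(blob):
    """Render a DaylightStart/StandardStart blob as a human-readable rule."""
    _year, month, dow, week, hour, minute, _sec, _ms = struct.unpack("<8H", blob)
    return f"{WEEKS.get(week, week)} {WEEKDAYS[dow]} of month {month} at {hour:02d}:{minute:02d}"

def dst_active(tz):
    """DST was in effect when the values were written if ActiveTimeBias == Bias + DaylightBias."""
    return to_int32(tz["ActiveTimeBias"]) == to_int32(tz["Bias"]) + to_int32(tz["DaylightBias"])

def utc_to_local(utc_iso, tz):
    """Shift a UTC timestamp (e.g. an NTFS MAC time, ISO 8601 text) to local wall-clock time
    using ActiveTimeBias. Caveat: ActiveTimeBias reflects the offset when the value was last
    written, so timestamps from the other half of the year need the standard/DST rule instead."""
    local = datetime.fromisoformat(utc_iso) - timedelta(minutes=to_int32(tz["ActiveTimeBias"]))
    return local.isoformat()

if __name__ == "__main__":
    print(bias_to_offset(to_int32(SAMPLE_TZ["Bias"])), "DST active:", dst_active(SAMPLE_TZ))
    print("DST starts:", describe_transition(SAMPLE_TZ["DaylightStart"]))
    print("Standard time starts:", describe_transition(SAMPLE_TZ["StandardStart"]))
    print("2010-09-01T12:00:00 UTC is local", utc_to_local("2010-09-01T12:00:00", SAMPLE_TZ))
```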
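As an added example (not part of the lecture slides), a small page-by-page scan of a $LogFile image for the “RSTR”/“RCRD” magic numbers from slide 28 and the MFT-record and link-file signatures from slide 27. The $LogFile image is constructed inside the code, and the link-file header bytes are the documented Shell Link header, which the slides do not give.

```python
PAGE_SIZE = 4096  # the slides describe the logging area as a sequence of 4KB log records
MAGIC_NAMES = {b"RSTR": "restart area page", b"RCRD": "log record page"}

# Signatures the slides say can be carved from $LogFile: copies of MFT records, which start with
# "FILE" (the slides note a following byte of usually 2a), and link files. The link-file header
# used here is the documented Shell Link header (HeaderSize 0x4C followed by the CLSID
# 00021401-0000-0000-C000-000000000046); that value is not on the slides.
MFT_SIG = b"FILE"
LNK_SIG = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

def classify_pages(data, page_size=PAGE_SIZE):
    """Walk the image one 4KB page at a time; pages without a known magic get an empty name."""
    return [(off, MAGIC_NAMES.get(bytes(data[off:off + 4]), ""))
            for off in range(0, len(data), page_size)]

def find_all(data, sig):
    """Return every offset at which sig occurs (overlapping hits included)."""
    hits, start = [], 0
    while True:
        i = data.find(sig, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1

def summarize(data):
    """The map an examiner wants before carving: where the restart and record pages are, and
    where MFT-record copies and link-file headers sit inside the log."""
    pages = classify_pages(data)
    return {
        "restart_pages": [off for off, name in pages if name == "restart area page"],
        "record_pages": [off for off, name in pages if name == "log record page"],
        "mft_records": find_all(data, MFT_SIG),
        "link_files": find_all(data, LNK_SIG),
    }

def build_sample_image():
    """Constructed stand-in for a $LogFile: two restart pages, two record pages and a fifth page
    of zeros, with an MFT record copy and a link-file header planted in the record pages."""
    img = bytearray(5 * PAGE_SIZE)
    for page, magic in enumerate([b"RSTR", b"RSTR", b"RCRD", b"RCRD"]):
        img[page * PAGE_SIZE:page * PAGE_SIZE + 4] = magic
    img[2 * PAGE_SIZE + 0x100:2 * PAGE_SIZE + 0x105] = MFT_SIG + b"*"   # "FILE" followed by 2a
    img[3 * PAGE_SIZE + 0x200:3 * PAGE_SIZE + 0x200 + len(LNK_SIG)] = LNK_SIG
    return bytes(img)

if __name__ == "__main__":
    for key, offsets in summarize(build_sample_image()).items():
        print(f"{key:14s} {[hex(o) for o in offsets]}")
```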