First Looks: Basic Investigations of Windows Vista
Lance Mueller
lance.mueller@guidancesoftware.com
Example Evidence File
 Please start EnCase and load the sample Windows Vista EnCase
evidence file.
 The evidence file is located here:
 C:\Evidence\Mueller
 As we walk through the various changes and artifacts in Windows
Vista, you are encouraged to examine these changes and explore
the Vista evidence file.
 Please feel free to ask questions or make comments. I have 45
slides to present in 90 minutes, so you do the math ;)
P A G E
1
Introduction
 Windows Vista is the new Microsoft operating system that was
released to the public at the beginning of 2007.
 This section is designed to give an overview of the new features and
the differences from previous versions of Windows from the forensic
perspective.
 There are many changes in the new Vista operating system
compared with Windows XP or Windows 2000, many of them in the
user interface.
 This presentation will not cover trivial UI changes that have no
direct impact on how a forensic exam is conducted. It also does not
describe every possible change that affects forensic examinations;
rather, it covers the most common areas an examiner will encounter
and explains what effect a particular Vista feature may have on
conducting a forensic examination.
Agenda
 File System Changes
 NTFS Version & Structure
 Volume Boot Record
 Symbolic Links
 Last Access Times
 USNJRNL
Agenda
 Operating System Changes
 Vista Versions
 Directory Structure Changes
 Volume Shadow Service / Previous Version feature
 Registry Changes
 Virtualized Folders
 Recycle Bin
 Event Logs
 Windows Search Engine (Indexing)
 Public Folders
 Windows Photo Gallery
 Contact Manager
 Sleep Mode
Agenda
 Windows Mail
 Windows Firewall
 Thumbnail Cache
 ReadyBoost
 Accessing Physical Memory
 Other Relevant changes
 Bitlocker
NTFS Version
NTFS Version | OS Name         | OS Version | Released Date
NTFS v1.2    | Windows NT 3.51 | 3.51       | July 1993
NTFS v1.2    | Windows NT 4.0  | 4.0        | August 1996
NTFS 3.0     | Windows 2000    | 5.0        | February 2000
NTFS 3.1     | Windows XP      | 5.1        | September 2001
NTFS 3.1     | Windows 2003    | 5.2        | April 2003
NTFS 3.1     | Windows Vista   | 6.0        | November 2006
NTFS Version
Volume Boot Record
Figure: Common location for the VBR on a hard drive with 63 SPT (PS63), and the new location of the VBR in Vista (PS2048).
Symbolic Links
 Windows Vista now supports classic Unix-type symbolic links. This is really an
add-on to the already existing reparse point feature of the NTFS file system.
Reparse points were introduced in Windows 2000 and offered several unique
features:
 Junctions – Allow a user to graft one folder in the file system tree onto another
folder.
 Hard Links – Allow a user to create multiple links to the same data. For all
intents and purposes each link is the same as the original, and it is impossible to tell
which was the original.
 Mount Points – Allow a user to graft a volume onto an existing folder.
 Symbolic Links (Vista only) – The new Vista symbolic link feature differs
from a hard link in that symbolic links can point to files and folders (hard links can only point
to files) as well as to objects on other volumes or network shares.
 A default installation of Windows Vista has several occurrences of symbolic
links, which we will examine in the Operating System changes section later in
this presentation.
Symbolic Links
Last Access Dates
 The last access dates in Windows Vista are no longer updated when a file is
accessed. Microsoft explains that with all the new file system transactional
journaling, updating them was something of a performance hit, so they have
been disabled by default.
 In Windows Vista, this disabling of last-access updates is enabled by default; it
can be turned off via a registry key. This default setting obviously has a severe
impact on how some types of cases are analyzed, and examiners should take great
care when using these date stamps as part of their analysis.
$USNJRNL
 The USN Journal is an NTFS logging mechanism that records various
transactions that occur on the file system. The feature is available in
Windows 2000, Windows XP and Windows 2003, but it is disabled by
default. In Windows Vista it is enabled by default, so a verbose log of
various file system changes is created. These changes are
written to an internal NTFS metadata file named “$USNJRNL”, and
specifically into an alternate data stream of that file. Artifacts such
as filenames, date stamps and MFT record numbers can be located in this
journal, and it should be inspected and/or searched in Unicode when looking
for specific filenames.
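To show what those journal records hold, here is an added Python parser for the USN_RECORD_V2 layout used by the $UsnJrnl:$J stream; this is example code written for this page, not code from the presentation or from EnCase, and the journal fragment it parses is constructed inside the block rather than taken from the evidence file.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
# Subset of the USN_REASON_* flag values from the Windows SDK.
USN_REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE", 0x200: "FILE_DELETE",
               0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
# Fixed 60-byte part of USN_RECORD_V2: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME),
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
HDR = "<IHHQQQQIIIIHH"
HDR_SIZE = struct.calcsize(HDR)

def filetime_to_datetime(ft):            # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds() * 10_000_000)

def parse_usn_records(data):
    """Parse consecutive USN_RECORD_V2 entries from a $UsnJrnl:$J byte stream."""
    records, offset = [], 0
    while offset + HDR_SIZE <= len(data):
        (length, major, _minor, fref, pref, usn, ts, reason, _src, _sid,
         _attrs, name_len, name_off) = struct.unpack_from(HDR, data, offset)
        if length < HDR_SIZE or major != 2:    # zero fill or unknown layout: stop
            break
        start = offset + name_off
        records.append({
            "usn": usn, "name": data[start:start + name_len].decode("utf-16-le"),
            "mft_record": fref & 0xFFFFFFFFFFFF,     # low 48 bits of the file reference
            "mft_sequence": fref >> 48,              # high 16 bits = sequence number
            "parent_record": pref & 0xFFFFFFFFFFFF,
            "timestamp": filetime_to_datetime(ts),
            "reasons": [n for bit, n in USN_REASONS.items() if reason & bit],
        })
        offset += length                       # RecordLength is already 8-byte aligned
    return records

def build_usn_record(name, fref, pref, usn, when, reason):
    """Constructed sample record (not taken from a real journal)."""
    name_bytes = name.encode("utf-16-le")
    length = HDR_SIZE + len(name_bytes)
    length += (-length) % 8                    # pad the record to an 8-byte boundary
    hdr = struct.pack(HDR, length, 2, 0, fref, pref, usn, datetime_to_filetime(when),
                      reason, 0, 0, 0x20, len(name_bytes), HDR_SIZE)
    return hdr + name_bytes + b"\x00" * (length - HDR_SIZE - len(name_bytes))

# Constructed $J fragment: secret.docx (MFT record 1234, sequence 3, parent 5)
# is created and closed, then deleted and closed five minutes later, 2007-01-30 UTC.
T0 = datetime(2007, 1, 30, 12, 0, tzinfo=timezone.utc)
FREF = (3 << 48) | 1234
SAMPLE_J = (build_usn_record("secret.docx", FREF, 5, 0x1000, T0, 0x100 | 0x80000000)
            + build_usn_record("secret.docx", FREF, 5, 0x1050,
                               T0 + timedelta(minutes=5), 0x200 | 0x80000000))
```

Because the filename is stored as UTF-16LE, a keyword search for it in the $J stream must be run in Unicode, as the slide says; the MFT record and sequence numbers let the entry be tied to (or distinguished from a later reuse of) the matching MFT record.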
Operating System Versions
Vista Version              | 64bit Version | XP Comparison
Windows Vista Starter      | N             | XP Starter
Windows Vista Home Basic   | Y             | XP Home
Windows Vista Home Premium | Y             | XP Home
Windows Vista Business     | Y             | XP Professional
Windows Vista Enterprise   | Y             | XP Professional
Windows Vista Ultimate     | Y             | N/A
 Feature availability of different Vista Versions:
 BitLocker – Enterprise & Ultimate (Enterprise only when member of domain)
 Windows Volume Shadow Service (VSS) – Business, Enterprise & Ultimate
 Encrypting File System (EFS) - Business, Enterprise & Ultimate
 Able to join domain - Business, Enterprise & Ultimate
 Remote Desktop server - Business, Enterprise & Ultimate
 Offline files and folder support - Business, Enterprise & Ultimate
 IIS Web Server - Business, Enterprise & Ultimate
Directory Structure Changes
 Windows Vista has changed many of the common directories we are accustomed
to looking at when doing a forensic analysis. The biggest change is where the
user profiles are stored. In Windows 2000, XP and 2003, the Documents and
Settings folder is where each user's profile is stored along with all their personal
documents. In Windows Vista, the new path C:\Users is used instead.
Directory Structure Changes
 In the previous figure you can see that several Junctions are now used to redirect
to a different location, such as the Documents and Settings folder and the
Default User folder.
 C:\Documents & Settings ----------------> C:\Users (Junction)
 C:\Users\All Users -------------------> C:\ProgramData (Symbolic Link)
 C:\Users\Default Users --------------------> C:\Users\Default (Junction)
Directory Structure Changes
 Under each user folder, there are additional folders and Junction points.
Directory Structure Changes
 The following chart shows where each Junction shown in the previous figure points to:
 <username>\Application Data -> \<username>\AppData\Roaming
 <username>\Cookies -> \<username>\AppData\Roaming\Microsoft\Windows\Cookies
 <username>\Local Settings -> \<username>\AppData\Local
 <username>\My Documents -> \<username>\Documents
 <username>\NetHood -> \<username>\AppData\Roaming\Microsoft\Windows\Network Shortcuts
 <username>\PrintHood -> \<username>\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
 <username>\Recent -> \<username>\AppData\Roaming\Microsoft\Windows\Recent
 <username>\SendTo -> \<username>\AppData\Roaming\Microsoft\Windows\SendTo
 <username>\Start Menu -> \<username>\AppData\Roaming\Microsoft\Windows\Start Menu
 <username>\Templates -> \<username>\AppData\Roaming\Microsoft\Windows\Templates
Directory Structure Changes
 Under the Documents folder there are three additional Junctions:
 <username>\Documents\My Music -> \<username>\Music
 <username>\Documents\My Pictures -> \<username>\Pictures
 <username>\Documents\My Videos -> \<username>\Videos
 In addition, the C:\Users\AppData\Local folder contains three additional
Junctions. This folder structure is where the Internet history information is now
stored.
Public Folders
 In Windows XP, a folder named All Users was located under the Documents &
Settings folder and served as a structure that was accessible by all users. In
Vista this has been changed and is called “Public”. Any files or folders located
under the “Public” folder are accessible by everyone. Note that the structure on a
live machine is different from what is seen from a forensic view.
Volume Shadow Service / Previous Version
 The Volume Shadow Service was first introduced in Windows XP in a
limited way and then further enhanced in Windows 2003 Server. Its goal
was to create copies of important files that could then be safely backed up
without file locking issues. It was off by default, and only a limited
number of files or directories could be shadowed in Windows 2003.
Volume Shadow Service / Previous Version
 The block-level changes that are saved by the “previous version” feature are
stored in the System Volume Information folder as part of a restore point.
This data is not encrypted (absent BitLocker) and can be easily searched
using the EnCase search feature. In the root of the “System Volume
Information” folder, several files can be seen with GUIDs as the filename.
Registry
 Several new registry files have been added to Windows Vista. The following list
represents all the registry hives on a default Vista system:
 C:\Boot\BCD
 C:\Windows\System32\config\RegBack\SECURITY
 C:\Windows\System32\config\RegBack\SOFTWARE
 C:\Windows\System32\config\RegBack\DEFAULT
 C:\Windows\System32\config\RegBack\SAM
 C:\Windows\System32\config\RegBack\COMPONENTS
 C:\Windows\System32\config\RegBack\SYSTEM
 C:\Windows\System32\config\BCD-Template
 C:\Windows\System32\config\COMPONENTS
 C:\Windows\System32\config\DEFAULT
 C:\Windows\System32\config\SAM
 C:\Windows\System32\config\SECURITY
 C:\Windows\System32\config\SOFTWARE
 C:\Windows\System32\config\SYSTEM
 C:\Windows\winsxs\x86_microsoft-windows-b..-bcdtemplateclient_31bf3856ad364e35_6.0.6000.16386_none_25edb26a062d63a9\BCD-Template
Registry
 The user’s NTUSER.DAT file is still located in the root of the user’s profile
folder (C:\Users\<username>).
 Notice that Windows Vista now uses the “REGBACK” folder instead of the
“REPAIR” folder that Windows 2000/XP/2003 use for backup copies of the
registry.
Registry virtualization
 Windows Vista now contains a feature called “registry virtualization” as
part of a security enhancement. This feature ensures that users who are not
administrators cannot write to certain parts of the registry, especially during
software installation. If a program tries to write to a specific registry key
that is protected, the installation program will be seamlessly redirected to a
“virtual” registry key contained within the user’s personal registry hive
(NTUSER.DAT).
 Any write attempt by a non-administrator to the
HKEY_LOCAL_MACHINE\Software registry key(s) causes the system to
redirect the write into a virtual store in the user’s profile:
 HKEY_USERS\<User SID>_Classes\VirtualStore\Machine\Software
Virtual Folders
 Virtualized folders work in the same manner as registry virtualization and
prevent non-administrators from writing or creating certain files/folders in
system-protected areas. When a normal user (non-administrator) tries to
create or write to files in system areas (\Windows, \Program Files, etc.), the
write operation is redirected to a different location, even though it appears as
though the file was created in the system folder. The written data is actually
stored in a folder under the user’s profile:
 C:\Users\<username>\AppData\Local\VirtualStore\
 The data written here is seamlessly overlaid onto the folder where it was
originally thought to have been written.
RECYCLE BIN
 The contents of the recycle bin have changed in Windows Vista, and the name
of the folder itself has changed to “$Recycle.bin”.
 The INFO2 file that is present in Windows 2000/XP/2003 has been
removed.
 In Windows Vista, two files are created when a file is deleted into the
recycle bin. Both files have the same random-looking name, but the names
are prefixed with either “$R” or “$I”. The file whose name begins with “$R”
is the actual data of the deleted file. The file whose name begins with “$I”
contains the path where the file originally resided, as well as the date and
time it was deleted.
RECYCLE BIN
RECYCLE BIN
 In addition, it is important to note that the user’s recycle bin is created the
first time the user logs into their account, not the first time a file/folder is
deleted as in Windows 2000/XP/2003.
Event Logs
 The Windows event logs have changed dramatically in Windows Vista. A
new XML file format is used for the event logs and a new extension,
“EVTX”, is now used. The files are now located in:
 “C:\Windows\System32\winevt\Logs\”
 There are now approximately 30 different event logs that Windows Vista
reports events to. Currently these logs can only be read by the native
Windows Vista Event Viewer (eventvwr), although an EnCase EnScript is
under development.
Windows Search Engine (Indexing)
 Windows Vista includes a new search engine and indexing feature. Indexing
has been available since Windows 2000, but it was off by default. In
Windows Vista, it is enabled by default.
 The new search feature is accessible from the Start Menu or any Windows
Explorer window.
Windows Search Engine (Indexing)
 Users can now save their searches and review the results in real-time as the search
results are updated as new files are added to the system. Saved searches are placed
under the user’s profile:
 C:\Users\<username>\Searches
 The indexing service is used to quickly locate files by indexing the file’s metadata
and contents (for some file types). Windows Mail is included in the types of data that
are indexed and available for searches.
 These indexes are located in the following location:
 “C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles”
 Vista maintains several index files in this directory and these can be searched for
keywords using the keyword search feature in EnCase.
Windows Photo Gallery
 The Windows Photo Gallery is an application that is designed to make it
easy to collect, categorize and edit your digital photos and videos. The Windows
Photo Gallery can connect directly to digital devices such as cameras or
removable media and then import the photos into the gallery. The photos that
are imported into the gallery are stored in the user’s “Pictures” directory under
their profile.
Contact Manager
 The new Windows Vista contact manager is an address book replacement
designed to hold commonly used email or phone contacts. These
contacts are XML files that are stored in a directory under the user’s profile
named “Contacts”.
Sleep Mode
 Sleep mode is a new feature in Windows Vista that allows quick booting
and shutdown by keeping the contents of memory alive at very low power
consumption. The “Hibernate” and “Stand-by” modes used in
Windows XP/2003 are no longer available; now only Sleep mode is
available. Sleep mode does not use the traditional Hiberfil.sys file and does
not create any on-disk memory artifact.
Windows Mail
 Windows Mail is the Outlook Express replacement and it has been
completely overhauled.
Windows Mail
 Mail is no longer stored in a DBX volume; it is instead stored in simple
plain-text EML files. The mail is stored under the user’s profile in the
following location:
 C:\Users\<username>\AppData\Local\Microsoft\WindowsMail\Local Folders\
Windows Mail
 One thing to note is that Windows Mail now has the ability to use
encryption and digital signatures. Free secure email certificates are available
for download and can be used to encrypt email messages. Email messages
that are sent with the encryption flag set are encrypted before being placed
in the outbox, so an examiner may find an email message in the Outbox
where the body is encrypted and unreadable. The message headers though
would be in plaintext.
Windows Firewall
 The Windows Firewall has been enhanced to now filter incoming and outgoing
network connections. From a forensic perspective one of the most important
elements of the firewall is the logging mechanism. The log is disabled by
default, but if enabled, the logs are written to:
 “C:\windows\system32\LogFiles\Firewall\pfirewall.log”
Windows Firewall
 Firewall exceptions are stored in the SYSTEM registry hive. If a user or program
creates an exception to allow a certain port to be open or to allow certain
outbound connections, these rules are stored here:
 C:\Windows\System32\config\SYSTEM\NTRegistry\CMICreateHive{C619BFE8-791A-4B77-922BF114AB570920}\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\
Thumbnail cache
 The thumbnail cache that is used in Windows XP/2003, named THUMBS.DB,
has been replaced with a centralized thumbnail database named either
“thumbcache_32.db”, “thumbcache_96.db”, “thumbcache_256.db” or
“thumbcache_1024.db”. These centralized caches now hold all thumbnails on
the system, depending on their size. These caches are located in the directory:
 “C:\Users\student\AppData\Local\Microsoft\Windows\Explorer”
ReadyBoost
 ReadyBoost is a Microsoft feature which allows a user to add virtual
memory by using a removable flash drive. This memory is then cached and
used as an extension to installed physical memory. Flash memory is much
faster than paging data to the pagefile on a hard disk, and therefore this
feature is a cheap alternative to adding memory to a system.
 Data that is written to the removable flash disk is encrypted using AES-128
encryption before being written to the flash disk. Therefore an examiner
who recovers a flash disk used for ReadyBoost will not be able to decipher
the data.
Accessing Physical Memory
 Accessing physical memory using DD is a common way of collecting
volatile data (the contents of RAM) before a system is shut down and/or imaged.
This procedure works in Windows 2000 and Windows XP, but does not in
Windows 2003 and Windows Vista. This is because the \\.\PhysicalMemory
pipe is not accessible even from an administrator account. Therefore it is
currently not possible to collect physical memory using the standard version
of win32 DD.EXE.
Bitlocker
 BitLocker is an enterprise-class encryption utility that provides full drive
encryption. The BitLocker feature is only available in the Enterprise and
Ultimate editions (Enterprise only when a member of a domain).