First Looks: Basic Investigations of Windows Vista
Lance Mueller
lance.mueller@guidancesoftware.com

Example Evidence File
Please start EnCase and load the sample Windows Vista EnCase evidence file. The evidence file is located here: C:\Evidence\Mueller
As we walk through the various changes and artifacts in Windows Vista, you are encouraged to examine these changes and explore the Vista evidence file.
Please feel free to ask questions or make comments. I have 45 slides to present in 90 minutes, so you do the math ;)

PAGE 1: Introduction
Windows Vista is the new Microsoft operating system that was released to the public at the beginning of 2007.
This section is designed to give an overview of the new features and the differences from previous versions of Windows, from the forensic perspective.
There are many changes in the new Vista operating system compared with Windows XP or Windows 2000, many of them in the user interface. This presentation will not cover trivial UI changes that do not have a direct impact on how a forensic exam is conducted.
This presentation does not describe every possible change that affects forensic examinations; rather, it covers the most common areas an examiner will encounter and explains what effect a particular Vista feature may have on conducting a forensic examination.
PAGE 2: Agenda - File System Changes
- NTFS Version & Structure
- Volume Boot Record
- Symbolic Links
- Last Access Times
- USNJRNL

PAGE 3: Agenda - Operating System Changes
- Vista Versions
- Directory Structure Changes
- Volume Shadow Service / Previous Version feature
- Registry Changes
- Virtualized Folders
- Recycle Bin
- Event Logs
- Windows Search Engine (Indexing)
- Public Folders
- Windows Photo Gallery
- Contact Manager
- Sleep Mode

PAGE 4: Agenda (continued)
- Windows Mail
- Windows Firewall
- Thumbnail Cache
- ReadyBoost
- Accessing Physical Memory
- Other Relevant Changes
- BitLocker

PAGE 5: NTFS Version
NTFS Version   OS Name           OS Version   Release Date
NTFS v1.2      Windows NT 3.51   3.51         July 1993
NTFS v1.2      Windows NT 4.0    4.0          August 1996
NTFS 3.0       Windows 2000      5.0          February 2000
NTFS 3.1       Windows XP        5.1          September 2001
NTFS 3.1       Windows 2003      5.2          April 2003
NTFS 3.1       Windows Vista     6.0          November 2006

PAGE 6: NTFS Version

PAGE 7: Volume Boot Record
Common location of the VBR on a hard drive with 63 sectors per track: physical sector 63 (PS63).
New location of the VBR in Vista: physical sector 2048 (PS2048).

PAGE 8: Symbolic Links
Windows Vista now supports classic Unix-type symbolic links. This is really an add-on to the already existing reparse point feature of the NTFS file system. Reparse points were introduced in Windows 2000 and offered several unique features:
- Junctions - allow a user to graft one folder in the file system tree onto another folder.
- Hard links - allow a user to create multiple links to the same data. For all intents and purposes each link is the same as the original, and it is impossible to tell which was the original.
- Mount points - allow a user to graft a volume onto an existing folder.
- Symbolic links (Vista only) - the new Vista symbolic link differs from a hard link in that it can point to files and folders (hard links can only point to files), as well as to objects on other volumes or network shares.
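As an added example (this is not code from the slides or from Guidance Software), the following Python decodes the reparse data that backs a junction, mount point or symbolic link, i.e. what an examiner sees in the $REPARSE_POINT attribute of the link's MFT record. The tag constants are the Windows SDK values; the sample buffers are constructed in the script to mirror the Vista defaults (Documents and Settings to Users, All Users to ProgramData) and are not taken from the evidence file. A junction records only a target path; a symbolic link additionally carries a flag saying whether the target is relative to the link's own directory.

```python
import struct

# Reparse tags from the Windows SDK (winnt.h)
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # junctions and volume mount points
IO_REPARSE_TAG_SYMLINK = 0xA000000C      # symbolic links (new in Vista)
SYMLINK_FLAG_RELATIVE = 0x00000001       # target is relative to the link's own directory


def parse_reparse_point(buf: bytes) -> dict:
    """Decode a REPARSE_DATA_BUFFER as stored in an NTFS $REPARSE_POINT attribute."""
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    data = buf[8:8 + data_len]
    if tag == IO_REPARSE_TAG_SYMLINK:
        sub_off, sub_len, prn_off, prn_len, flags = struct.unpack_from("<HHHHI", data, 0)
        path_buffer = data[12:]
        kind = "symbolic link"
    elif tag == IO_REPARSE_TAG_MOUNT_POINT:
        # mount points have no Flags field, so the path buffer starts 4 bytes earlier
        sub_off, sub_len, prn_off, prn_len = struct.unpack_from("<HHHH", data, 0)
        flags = 0
        path_buffer = data[8:]
        kind = "junction/mount point"
    else:
        # other tags (HSM, DFS, ...) carry tag-specific data that is not decoded here
        return {"tag": tag, "kind": "other", "target": None, "print_name": None, "relative": False}
    substitute = path_buffer[sub_off:sub_off + sub_len].decode("utf-16-le")
    print_name = path_buffer[prn_off:prn_off + prn_len].decode("utf-16-le")
    return {
        "tag": tag,
        "kind": kind,
        "target": substitute,       # NT-style path the kernel follows, e.g. \??\C:\Users
        "print_name": print_name,   # the Win32 path Explorer shows
        "relative": bool(flags & SYMLINK_FLAG_RELATIVE),
    }


def build_reparse_buffer(tag: int, substitute: str, print_name: str, flags: int = 0) -> bytes:
    """Build a REPARSE_DATA_BUFFER; used here only to construct sample input."""
    sub = substitute.encode("utf-16-le")
    prn = print_name.encode("utf-16-le")
    if tag == IO_REPARSE_TAG_SYMLINK:
        header = struct.pack("<HHHHI", 0, len(sub), len(sub), len(prn), flags)
        path_buffer = sub + prn
    elif tag == IO_REPARSE_TAG_MOUNT_POINT:
        # the mount-point path buffer carries NUL terminators; the lengths exclude them
        header = struct.pack("<HHHH", 0, len(sub), len(sub) + 2, len(prn))
        path_buffer = sub + b"\x00\x00" + prn + b"\x00\x00"
    else:
        raise ValueError("unsupported reparse tag")
    data = header + path_buffer
    return struct.pack("<IHH", tag, len(data), 0) + data


# Constructed samples modelled on the Vista defaults (C:\Documents and Settings -> C:\Users,
# C:\Users\All Users -> C:\ProgramData); they are not extracted from the evidence file.
SAMPLE_JUNCTION = build_reparse_buffer(IO_REPARSE_TAG_MOUNT_POINT, r"\??\C:\Users", r"C:\Users")
SAMPLE_SYMLINK = build_reparse_buffer(IO_REPARSE_TAG_SYMLINK, r"\??\C:\ProgramData", r"C:\ProgramData")

if __name__ == "__main__":
    for link, blob in ((r"C:\Documents and Settings", SAMPLE_JUNCTION),
                       (r"C:\Users\All Users", SAMPLE_SYMLINK)):
        info = parse_reparse_point(blob)
        print(f"{link} -> {info['target']} [{info['kind']}]")
```

The target is stored as an NT object path (the \??\ prefix), which is why a raw view of the attribute in EnCase shows that prefix rather than the drive letter path Explorer displays.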
A default installation of Windows Vista has several occurrences of symbolic links, which we will examine in the Operating System Changes section later in this presentation.

PAGE 9: Symbolic Links

PAGE 10: Last Access Dates
The last access dates in Windows Vista are no longer updated when a file is accessed. Microsoft explains that with all the new file system transactional journaling, updating them was somewhat of a performance hit, so they have been disabled by default. In Windows Vista this is the default behaviour, and it can be turned off via a registry key.
This default setting obviously has a severe impact on how some types of cases are analyzed, and examiners should take great care when using these date stamps as part of their analysis.

PAGE 11: $USNJRNL
The USN Journal is an NTFS logging mechanism that logs various transactions that occur on the file system. This feature is available in Windows 2000, Windows XP and Windows 2003, but it is disabled by default. In Windows Vista, this feature is enabled by default, thus causing a verbose log of various file system changes to be created. These changes are written to an internal NTFS metadata file named "$USNJRNL", specifically into an alternate data stream of that file. Various artifacts such as filenames, date stamps and MFT record numbers can be located in this journal, and it should be inspected and/or searched in Unicode when looking for specific filenames.
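As an added example (not part of the slides), here is a Python parser for the version 2 USN records that make up the $J alternate data stream of the journal file described above. It decodes the filename as UTF-16LE (the reason the slide says to search in Unicode), splits the 64-bit file reference into the MFT record number and its sequence number, converts the FILETIME stamp, expands the reason flags, and steps over the zero-filled sparse region at the start of $J. The journal bytes are constructed in the script to show one file being created, renamed and deleted; they are not from the evidence file.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset (60 bytes), followed by the UTF-16LE filename.
USN_HEADER = struct.Struct("<IHHQQqqIIIIHH")

# Subset of the USN_REASON_* flags from the Windows SDK
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_usn_journal(data: bytes) -> list:
    """Walk the $J stream and decode every version 2 record it contains."""
    records = []
    offset = 0
    while offset + USN_HEADER.size <= len(data):
        length = struct.unpack_from("<I", data, offset)[0]
        if length == 0:
            # $J is sparse: its oldest part reads back as zeros, so step over it 8 bytes at a time
            offset += 8
            continue
        if length < USN_HEADER.size or offset + length > len(data):
            break  # truncated or corrupt record: stop rather than misparse what follows
        (_, major, _minor, frn, parent_frn, usn, ts, reason, _source, _sec_id,
         _attrs, name_len, name_off) = USN_HEADER.unpack_from(data, offset)
        if major == 2:
            start = offset + name_off
            name = data[start:start + name_len].decode("utf-16-le", errors="replace")
            records.append({
                "usn": usn,
                "timestamp": filetime_to_datetime(ts),
                # the file reference packs the MFT record number (low 48 bits)
                # and that record's sequence number (high 16 bits)
                "mft_record": frn & 0xFFFFFFFFFFFF,
                "mft_sequence": frn >> 48,
                "parent_mft_record": parent_frn & 0xFFFFFFFFFFFF,
                "reasons": [n for bit, n in USN_REASONS.items() if reason & bit],
                "filename": name,
            })
        offset += length
    return records


def search_filename(records: list, needle: str) -> list:
    """Case-insensitive filename search over the decoded records."""
    needle = needle.lower()
    return [r for r in records if needle in r["filename"].lower()]


def build_usn_record(usn, frn, parent_frn, ft, reason, filename) -> bytes:
    """Build one USN_RECORD_V2; used here only to construct sample journal data."""
    name = filename.encode("utf-16-le")
    length = (USN_HEADER.size + len(name) + 7) & ~7  # records are 8-byte aligned
    rec = USN_HEADER.pack(length, 2, 0, frn, parent_frn, usn, ft, reason, 0, 0,
                          0x20, len(name), USN_HEADER.size) + name
    return rec.ljust(length, b"\x00")


# Constructed sample: 64 zero bytes standing in for the sparse region, then the life of one
# file (created as secret.docx, renamed to report.docx, deleted). Not from the evidence file.
_T0 = datetime_to_filetime(datetime(2007, 3, 1, 12, 0, 0, tzinfo=timezone.utc))
_FRN = (5 << 48) | 1234          # sequence 5, MFT record 1234
_PARENT = (2 << 48) | 987
SAMPLE_JOURNAL = b"\x00" * 64 + b"".join([
    build_usn_record(1000, _FRN, _PARENT, _T0, 0x80000100, "secret.docx"),
    build_usn_record(1088, _FRN, _PARENT, _T0 + 600_000_000, 0x00001000, "secret.docx"),
    build_usn_record(1176, _FRN, _PARENT, _T0 + 600_000_000, 0x00002000, "report.docx"),
    build_usn_record(1264, _FRN, _PARENT, _T0 + 1_200_000_000, 0x80000200, "report.docx"),
])

if __name__ == "__main__":
    for r in parse_usn_journal(SAMPLE_JOURNAL):
        print(r["timestamp"].isoformat(), r["mft_record"], r["filename"], "+".join(r["reasons"]))
```

Because the record number and sequence are both recovered, a journal entry can be tied to a specific MFT record even after that record has been reused for a different file (the sequence number will differ).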
PAGE 12: Operating System Versions
Vista Version               64-bit Version   XP Comparison
Windows Vista Starter       N                XP Starter
Windows Vista Home Basic    Y                XP Home
Windows Vista Home Premium  Y                XP Home
Windows Vista Business      Y                XP Professional
Windows Vista Enterprise    Y                XP Professional
Windows Vista Ultimate      Y                N/A

Feature availability of different Vista versions:
- BitLocker - Enterprise & Ultimate (Enterprise only when member of a domain)
- Windows Volume Shadow Service (VSS) - Business, Enterprise & Ultimate
- Encrypting File System (EFS) - Business, Enterprise & Ultimate
- Able to join a domain - Business, Enterprise & Ultimate
- Remote Desktop server - Business, Enterprise & Ultimate
- Offline files and folder support - Business, Enterprise & Ultimate
- IIS Web Server - Business, Enterprise & Ultimate

PAGE 13: Directory Structure Changes
Windows Vista has changed many of the common directories we are accustomed to looking at when doing a forensic analysis. The biggest change is where the user profiles are stored. In Windows 2000, XP & 2003, the Documents and Settings folder is where each user's profile is stored along with all their personal documents. In Windows Vista, the new path C:\Users is used instead.

PAGE 14: Directory Structure Changes
In the previous figure you can see that several junctions are now used to redirect to a different location, such as the Documents and Settings folder and the Default User folder.
C:\Documents & Settings  ->  C:\Users (Junction)
C:\Users\All Users       ->  C:\ProgramData (Symbolic Link)
C:\Users\Default User    ->  C:\Users\Default (Junction)

PAGE 15: Directory Structure Changes
Under each user folder, there are additional folders and junction points.
PAGE 16: Directory Structure Changes
The following chart shows where each junction shown in the previous figure points to:
<username>\Application Data -> \<username>\AppData\Roaming
<username>\Cookies -> \<username>\AppData\Roaming\Microsoft\Windows\Cookies
<username>\Local Settings -> \<username>\AppData\Local
<username>\My Documents -> \<username>\Documents
<username>\NetHood -> \<username>\AppData\Roaming\Microsoft\Windows\Network Shortcuts
<username>\PrintHood -> \<username>\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
<username>\Recent -> \<username>\AppData\Roaming\Microsoft\Windows\Recent
<username>\SendTo -> \<username>\AppData\Roaming\Microsoft\Windows\SendTo
<username>\Start Menu -> \<username>\AppData\Roaming\Microsoft\Windows\Start Menu
<username>\Templates -> \<username>\AppData\Roaming\Microsoft\Windows\Templates

PAGE 17: Directory Structure Changes
Under the Documents folder there are three additional junctions:
<username>\Documents\My Music -> \<username>\Music
<username>\Documents\My Pictures -> \<username>\Pictures
<username>\Documents\My Videos -> \<username>\Videos

PAGE 18
In addition, the C:\Users\<username>\AppData\Local folder contains three additional junctions. This folder structure is where the Internet history information is now stored.

PAGE 19: Public Folders
In Windows XP, a folder named All Users was located under the Documents & Settings folder and served as a structure accessible by all users. In Vista, this has been changed and is called "Public". Any files or folders located under the "Public" folder are accessible by everyone. Note that the structure seen on a live machine is different from what is seen from a forensic view.

PAGE 20: Volume Shadow Service / Previous Version
The Volume Shadow Service was first introduced in Windows XP in a limited way and then further enhanced in Windows 2003 Server; its goal was to create copies of important files that could then be safely backed up without file locking issues.
It was off by default, and only a limited number of files or directories could be shadowed in Windows 2003.

PAGE 21: Volume Shadow Service / Previous Version
The block-level changes that are saved by the "previous version" feature are stored in the System Volume Information folder as part of a restore point. This data is not encrypted (absent BitLocker) and can be easily searched using the EnCase search feature. In the root of the "System Volume Information" folder, several files can be seen with GUIDs as the filename.

PAGE 22: Registry
Several new registry files have been added to Windows Vista. The following list represents all the registry hives on a default Vista system:
C:\Boot\BCD
C:\Windows\System32\config\RegBack\SECURITY
C:\Windows\System32\config\RegBack\SOFTWARE
C:\Windows\System32\config\RegBack\DEFAULT
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\COMPONENTS
C:\Windows\System32\config\RegBack\SYSTEM
C:\Windows\System32\config\BCD-Template
C:\Windows\System32\config\COMPONENTS
C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SYSTEM
C:\Windows\winsxs\x86_microsoft-windows-b..-bcdtemplateclient_31bf3856ad364e35_6.0.6000.16386_none_25edb26a062d63a9\BCD-Template

PAGE 23: Registry
The user's NTUSER.DAT file is still located in the root of the user's profile folder (C:\Users\<username>). Notice that Windows Vista now uses the "REGBACK" folder instead of the "REPAIR" folder that Windows 2000/XP/2003 use for backup copies of the registry.

PAGE 24: Registry Virtualization
Windows Vista now contains a feature called "registry virtualization" as part of a security enhancement. This feature ensures that users who are not administrators cannot write to certain parts of the registry, especially during software installation.
If a program tries to write to a specific registry key that is protected, the installation program is seamlessly redirected to a "virtual" registry key contained within the user's personal registry hive (NTUSER.DAT). Any write attempt by a non-administrator to the HKEY_LOCAL_MACHINE\Software registry key(s) causes the system to redirect the write into a virtual store in the user's profile:
HKEY_USERS\<User SID>_Classes\VirtualStore\Machine\Software

PAGE 25: Virtual Folders
Virtualized folders work in the same manner as registry virtualization and prevent non-administrators from writing or creating certain files/folders in system-protected areas. When a normal user (non-administrator) tries to create or write files in system areas (\Windows, \Program Files, etc.), the write operation is redirected to a different location even though it appears as though the file was created in the system folder. The written data is actually stored in a folder under the user's profile:
C:\Users\<username>\AppData\Local\VirtualStore\
The data written here is seamlessly overlaid onto the folder where it was originally thought to have been written.

PAGE 26: RECYCLE BIN
The contents of the recycle bin have changed in Windows Vista, and the name of the folder itself has changed to "$Recycle.bin". The INFO2 file that is present in Windows 2000/XP/2003 has been removed. In Windows Vista, two files are created when a file is deleted into the recycle bin. Both files have the same random-looking name, but the names are prefixed with "$R" or "$I". The file with "$R" at the beginning of the name is the actual data of the deleted file. The file with "$I" at the beginning of the name contains the path where the file originally resided, as well as the date and time it was deleted.
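As an added example (not from the slides), the following Python decodes a Vista "$I" file and pairs "$I" metadata files with their "$R" data files from a directory listing. The Vista "$I" layout this assumes is a 64-bit version field (value 1), the original file size, the deletion time as a FILETIME, and a fixed 260-character UTF-16LE original path, 544 bytes in all. The version 2 branch goes beyond this deck to the length-prefixed layout used by later Windows releases. The sample "$I" bytes and the directory listing are constructed here, not taken from the evidence file; the orphan check shows the case where a "$I" survives but its "$R" partner is gone.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I file: version, original size, deletion FILETIME and original path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista layout: fixed 260-character (520-byte) UTF-16LE path, NUL padded
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # later Windows releases (beyond this deck): 32-bit character count, then the path
        nchars = struct.unpack_from("<I", data, 24)[0]
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i_v1(size: int, ft: int, path: str) -> bytes:
    """Build a Vista-format $I file; used here only to construct sample input."""
    return struct.pack("<QQQ", 1, size, ft) + path.encode("utf-16-le").ljust(520, b"\x00")


def pair_recycle_bin_entries(names: list) -> dict:
    """Match $I metadata files to their $R data files by the shared random suffix."""
    pairs = {}
    for n in names:
        if n.startswith("$I"):
            pairs.setdefault(n[2:], {})["metadata"] = n
        elif n.startswith("$R"):
            pairs.setdefault(n[2:], {})["data"] = n
    return pairs


def orphaned_metadata(pairs: dict) -> list:
    """$I entries whose $R partner is missing: the deletion is recorded but the content is not here."""
    return sorted(k for k, v in pairs.items() if "metadata" in v and "data" not in v)


# Constructed sample, not taken from the evidence file
SAMPLE_I = build_dollar_i_v1(
    15360,
    datetime_to_filetime(datetime(2007, 5, 14, 9, 30, 0, tzinfo=timezone.utc)),
    r"C:\Users\student\Documents\budget.xls",
)
SAMPLE_BIN_LISTING = ["$IABC123.xls", "$RABC123.xls", "$IQ9Z.txt", "desktop.ini"]

if __name__ == "__main__":
    info = parse_dollar_i(SAMPLE_I)
    print(info["original_path"], info["original_size"], info["deleted"].isoformat())
    print("orphaned $I entries:", orphaned_metadata(pair_recycle_bin_entries(SAMPLE_BIN_LISTING)))
```

The original path and the deletion time come only from the "$I" file, so an orphaned "$I" still tells the examiner what was deleted and when, even when the "$R" content has been purged or overwritten.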
PAGE 27: RECYCLE BIN

PAGE 28: RECYCLE BIN
In addition, it is important to note that the user's recycle bin is created the first time the user logs into their account, not the first time a file/folder is deleted as in Windows 2000/XP/2003.

PAGE 29: Event Logs
The Windows event logs have changed dramatically in Windows Vista. A new XML file format is used for the event logs, with a new extension of "EVTX". The files are now located in: "C:\Windows\System32\winevt\Logs\"
There are now approximately 30 different event logs that Windows Vista reports events to. Currently these logs can only be read by the native Windows Vista Event Viewer (eventvwr), although an EnCase EnScript is under development.

PAGE 30: Windows Search Engine (Indexing)
Windows Vista includes a new search engine and indexing feature. Indexing has been available since Windows 2000, but it was off by default. In Windows Vista, it is enabled by default. The new search feature is accessible from the Start Menu or any Windows Explorer window.

PAGE 31: Windows Search Engine (Indexing)
Users can now save their searches and review the results in real time, as the search results are updated when new files are added to the system. Saved searches are placed under the user's profile: C:\Users\<username>\Searches
The indexing service is used to quickly locate files by indexing the file's metadata and contents (for some file types). Microsoft Mail is included in the types of data that are indexed and available for searches. These indexes are located in the following location:
"C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles"
Vista maintains several index files in this directory, and these can be searched for keywords using the keyword search feature in EnCase.

PAGE 32: Windows Photo Gallery
The Windows Photo Gallery is an application that is designed to make it easy to collect, categorize and edit your digital photos and videos.
The Windows Photo Gallery can connect directly to digital devices such as cameras or removable media and then import the photos into the gallery. The photos that are imported into the gallery are stored in the user's "Pictures" directory under their profile.

PAGE 33: Contact Manager
The new Windows Vista contact manager is an address book replacement designed to hold commonly used contacts for email or phone. These contacts are XML files that are stored in a directory under the user's profile named "Contacts".

PAGE 34: Sleep Mode
Sleep mode is a new feature in Windows Vista that allows quick booting and shutdown by keeping information in the contents of memory using very low power consumption. The "Hibernate" and "Stand-by" modes used in Windows XP/2003 are no longer available; now only the Sleep mode is available. Sleep mode does not use the traditional Hiberfil.sys file and does not create any on-disk memory artifact.

PAGE 35: Windows Mail
Windows Mail is the Outlook Express replacement, and it has been completely overhauled.

PAGE 36: Windows Mail
Mail is no longer stored in a DBX volume; it is instead stored in simple plain-text EML files. The mail is stored under the user's profile in the following location:
C:\Users\<username>\AppData\Local\Microsoft\Windows Mail\Local Folders\

PAGE 37: Windows Mail
One thing to note is that Windows Mail now has the ability to use encryption and digital signatures. Free secure email certificates are available for download and can be used to encrypt email messages. Email messages that are sent with the encryption flag set are encrypted before being placed in the Outbox, so an examiner may find an email message in the Outbox where the body is encrypted and unreadable. The message headers, though, would be in plaintext.

PAGE 38: Windows Firewall
The Windows Firewall has been enhanced to now filter both incoming and outgoing network connections.
From a forensic perspective, one of the most important elements of the firewall is the logging mechanism. The log is disabled by default, but if enabled, the logs are written to: "C:\windows\system32\LogFiles\Firewall\pfirewall.log"

PAGE 39: Windows Firewall
Firewall exceptions are stored in the SYSTEM registry hive. If a user or program creates an exception to allow a certain port to be open or to allow certain outbound connections, these rules are stored here:
C:\Windows\System32\config\SYSTEM\NTRegistry\CMICreateHive{C619BFE8-791A-4B77-922B-F114AB570920}\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\

PAGE 40: Thumbnail Cache
The thumbnail cache used in Windows XP/2003, named THUMBS.DB, has been replaced with a centralized thumbnail database named "thumbcache_32.db", "thumbcache_96.db", "thumbcache_256.db" or "thumbcache_1024.db". These centralized caches now hold all thumbnails on the system, split by thumbnail size. These caches are located in the directory:
"C:\Users\student\AppData\Local\Microsoft\Windows\Explorer"

PAGE 41: ReadyBoost
ReadyBoost is a Microsoft feature which allows a user to add virtual memory by using a removable flash drive. This memory is then cached and used as an extension to the installed physical memory. Flash memory is much faster than paging data to the pagefile on a hard disk, and therefore this feature is a cheap alternative to adding memory to a system. Data written to the removable flash disk is encrypted using AES-128 before being written to the flash disk. Therefore an examiner who recovers a flash disk used for ReadyBoost will not be able to decipher the data.

PAGE 42: Accessing Physical Memory
Accessing physical memory using DD is a common way of collecting volatile data (the contents of RAM) before a system is shut down and/or imaged. This procedure works in Windows 2000 & Windows XP, but does not in Windows 2003 & Windows Vista.
This is because the \\.\PhysicalMemory pipe is not accessible even from an administrator account. Therefore it is currently not possible to collect physical memory using the standard version of the Win32 DD.EXE.

PAGE 43: BitLocker
BitLocker is an enterprise-class encryption utility that allows full drive encryption. The BitLocker feature is only available in the Enterprise & Ultimate editions (Enterprise only when member of a domain).

PAGE 44

PAGE 45
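Returning to the Windows Firewall logging slide (page 38), here is an added example (not from the slides) of reading pfirewall.log once logging has been enabled. It assumes the W3C-style "#Fields:" header that Windows Firewall writes at the top of the log and takes the column names from that header rather than hard-coding them, so a log with a different column order still parses. The log text is constructed here, not taken from the evidence file; the last line is deliberately truncated to show how a partially written tail is skipped.

```python
from collections import Counter

# Constructed sample in the pfirewall.log format (W3C-style header, space-separated fields);
# the addresses and timestamps are made up and are not from the evidence file.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-03-01 12:01:05 DROP TCP 192.168.1.50 192.168.1.10 49152 445 48 S 3141592 0 8192 - - - RECEIVE
2007-03-01 12:01:06 DROP TCP 192.168.1.50 192.168.1.10 49153 139 48 S 3141600 0 8192 - - - RECEIVE
2007-03-01 12:01:07 DROP TCP 192.168.1.50 192.168.1.10 49154 3389 48 S 3141610 0 8192 - - - RECEIVE
2007-03-01 12:02:00 ALLOW UDP 192.168.1.10 192.168.1.1 51000 53 62 - - - - - - - SEND
2007-03-01 12:02:30 DROP ICMP 10.0.0.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2007-03-01 12:03:00 DROP TCP 192.168.1.50
"""


def parse_pfirewall_log(text: str) -> list:
    """Turn pfirewall.log text into dicts keyed by the column names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data line before any #Fields header: the columns cannot be named
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line, e.g. the tail of a log still being written at imaging time
        records.append(dict(zip(fields, values)))
    return records


def dropped_inbound_by_source(records: list) -> Counter:
    """Count inbound DROP events per source address: a quick view of who was probing the host."""
    return Counter(r["src-ip"] for r in records
                   if r["action"] == "DROP" and r["path"] == "RECEIVE")


def dropped_ports_for_source(records: list, src_ip: str) -> list:
    """Destination ports a given source was blocked on, numerically sorted."""
    ports = {r["dst-port"] for r in records
             if r["action"] == "DROP" and r["src-ip"] == src_ip and r["dst-port"] != "-"}
    return sorted(ports, key=int)


if __name__ == "__main__":
    recs = parse_pfirewall_log(SAMPLE_LOG)
    for ip, n in dropped_inbound_by_source(recs).most_common():
        print(f"{ip}: {n} inbound drops on ports {dropped_ports_for_source(recs, ip)}")
```

Note the "#Time Format: Local" header: the timestamps are in the machine's local time zone, so they must be normalised before being correlated with UTC-based artifacts such as the USN journal or $I deletion times.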