Windows Vista is the new Microsoft operating system that was released to the public at the beginning of 2007.
This section is designed to give an overview of the new features and of the differences from previous versions of Windows, from a forensic perspective.
There are many changes in the new Vista operating system compared with Windows XP or Windows 2000, many of them in the user interface.
This presentation will not cover trivial UI changes that have no direct impact on how a forensic exam is conducted. It does not describe every possible change that affects forensic examinations, but rather covers the most common areas an examiner will encounter and explains what effect a particular Vista feature may have on conducting a forensic examination.
NTFS Version

Released Date     OS Version    OS Name            NTFS Version
November 2006     6.0           Windows Vista      NTFS 3.1
April 2003        5.2           Windows 2003       NTFS 3.1
September 2001    5.1           Windows XP         NTFS 3.1
February 2000     5.0           Windows 2000       NTFS 3.0
August 1996       4.0           Windows NT 4.0     NTFS v1.2
July 1993         3.51          Windows NT 3.51    NTFS v1.2
Windows Vista now supports classic Unix-type symbolic links. This is really an add-on to the already existing reparse point feature of the NTFS file system. Reparse points were introduced in Windows 2000 and offered several unique features:
Junctions – Allows a user to graft one folder in the file system tree onto another folder
Hard Link – Allows a user to create multiple links to the same data. For all intents and purposes each link is the same as the original, and it is impossible to tell which one was the original.
Mount Points – Allows a user to graft a volume onto an existing folder.
Symbolic Link (Vista only) – The new Vista symbolic link feature differs from a hard link in that symbolic links can point to files and folders (hard links can only point to files), as well as to objects on other volumes or network shares.
A default installation of Windows Vista has several occurrences of symbolic links which we will examine in the Operating System changes section further in this presentation.
The last access dates in Windows Vista are no longer updated when a file is accessed. Microsoft explains that, with all the new file system transactional journaling, updating them was somewhat of a performance hit, so last access updates have been disabled by default.
In Windows Vista this disabling of last access updates is the default setting, and it can be turned off via a registry key. This default obviously has a severe impact on how some types of cases are analyzed, and examiners should take great care when using these date stamps as part of their analysis.
The USN Journal is an NTFS logging mechanism that logs various transactions that occur on the file system. This feature is available in Windows 2000, Windows XP and Windows 2003, but it is disabled by default. In Windows Vista, this feature is enabled by default, thus causing a verbose log of various file system changes to be created. These changes are written to an internal NTFS metadata file named “$USNJRNL”, and specifically into an alternate data stream of that file. Various artifacts such as filenames, date stamps and MFT record numbers can be located in this journal, and it should be inspected and/or searched in Unicode when looking for specific filenames.
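As an added, offline example (not from the original presentation), the following Python parses USN_RECORD_V2 entries from a $UsnJrnl:$J buffer, extracts the filename, MFT record number and timestamp the text mentions, and runs the kind of Unicode filename search an examiner would do; the journal bytes are constructed inline, and the record layout is the documented V2 format.

```python
import struct
from datetime import datetime, timedelta, timezone

# 60-byte USN_RECORD_V2 header (little-endian): RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
USN_V2_HEADER = struct.Struct("<IHHQQQQIIIIHH")
USN_REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
               0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
               0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)   # FILETIME is 100 ns ticks since 1601

def parse_usn_records(data):
    """Walk a $J buffer and return one dict per record, skipping sparse (zero-filled) regions."""
    pos, records = 0, []
    while pos + USN_V2_HEADER.size <= len(data):
        (length, major, _minor, frn, parent_frn, usn, ts, reason, _src, _sid,
         _attrs, name_len, name_off) = USN_V2_HEADER.unpack_from(data, pos)
        if length == 0:                       # unallocated region: step to the next 8-byte slot
            pos += 8
            continue
        if major != 2 or length < USN_V2_HEADER.size or pos + length > len(data):
            raise ValueError("malformed USN record at offset 0x%x" % pos)
        name = data[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "timestamp": filetime_to_datetime(ts),
                        "mft_record": frn & 0xFFFFFFFFFFFF, "mft_seq": frn >> 48,   # low 48 bits = MFT record number
                        "parent_record": parent_frn & 0xFFFFFFFFFFFF,
                        "reasons": [n for b, n in sorted(USN_REASONS.items()) if reason & b], "filename": name})
        pos += length                         # RecordLength already includes the 8-byte alignment padding
    return records

def find_records_by_name(records, needle):
    return [r for r in records if r["filename"].lower() == needle.lower()]   # case-insensitive, as NTFS names are

def build_usn_record(frn, parent_frn, usn, ts, reason, name):
    """Assemble one V2 record; used here only to construct offline sample input."""
    enc = name.encode("utf-16-le")
    length = (USN_V2_HEADER.size + len(enc) + 7) & ~7
    hdr = USN_V2_HEADER.pack(length, 2, 0, frn, parent_frn, usn, ts, reason, 0, 0, 0x20, len(enc), USN_V2_HEADER.size)
    return (hdr + enc).ljust(length, b"\x00")

# Constructed sample $J: 16 sparse zero bytes, then create / rename / delete of one file (MFT record 4321, sequence 7).
_T0 = int((datetime(2007, 3, 5, 9, 30, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
SAMPLE_J = (b"\x00" * 16
            + build_usn_record((7 << 48) | 4321, 1234, 0x100, _T0, 0x100 | 0x80000000, "draft.docx")
            + build_usn_record((7 << 48) | 4321, 1234, 0x180, _T0 + 600 * 10_000_000, 0x2000, "plan.docx")
            + build_usn_record((7 << 48) | 4321, 1234, 0x200, _T0 + 900 * 10_000_000, 0x200 | 0x80000000, "plan.docx"))
```

Running `parse_usn_records(SAMPLE_J)` on a real $J extracted from an image works the same way, since the sparse leading region is skipped rather than treated as records.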
Windows Vista has changed many of the common directories we are accustomed to looking at when doing a forensic analysis. The biggest change is where the user profiles are stored. In Windows 2000, XP and 2003, the Documents and Settings folder is where each user's profile is stored along with all their personal documents. In Windows Vista, the new path C:\Users is used instead.
In Windows XP, a folder named All Users was located under the Documents and Settings folder and served as a structure that was accessible by all users. In Vista this has been changed and is called “Public”. Any files or folders located under the “Public” folder are accessible by everyone. Note that the structure seen on a live machine is different from what is seen from a forensic view.
The Volume Shadow Service was first introduced in Windows XP in a limited way and then further enhanced in Windows 2003 Server. Its goal was to create copies of important files that could then be safely backed up without file locking issues. It was off by default, and only a limited number of files or directories could be shadowed in Windows 2003.
The block level changes that are saved by the “previous version” feature are stored in the System Volume Information folder as part of a restore point. This data is not encrypted (absent BitLocker) and can be easily searched using the EnCase search feature. In the root of the “System Volume Information” folder, several files can be seen with GUIDs as the filename.
Windows Vista now contains a feature called “registry virtualization” as part of a security enhancement. This feature ensures that users who are not administrators cannot write to certain parts of the registry, especially during software installation. If a program tries to write to a specific registry key that is protected, the installation program is seamlessly redirected to a “virtual” registry key contained within the user's personal registry hive (NTUSER.DAT).
Any write attempt by a non-administrator to the HKEY_LOCAL_MACHINE\Software registry key(s) causes the system to redirect the write into a virtual store in the user's profile:
Virtualized folders work in the same manner as registry virtualization and prevent non-administrators from writing or creating certain files/folders in system protected areas. When a normal user (non-administrator) tries to create or write to files in system areas (Windows, Program Files, etc.), the write operation is redirected to a different location even though it appears as though the file was created in the system folder. The written data is actually stored in a folder under the user's profile:
The data written here is seamlessly overlaid into the folder where it was originally thought to be written to.
The contents of the recycle bin have changed in Windows Vista, and the name of the folder itself has changed to “$Recycle.bin”.
The INFO2 file that is present in Windows 2000/XP/2003 has been removed.
In Windows Vista, two files are created when a file is deleted into the recycle bin. Both files have the same random-looking name, but the names are prefixed with either “$R” or “$I”. The file with “$R” at the beginning of the name is actually the data of the deleted file. The file with “$I” at the beginning of the name contains the path where the file originally resided, as well as the date and time it was deleted.
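The following Python is an added example, not part of the original presentation: it parses a Vista “$I” file (8-byte version, 8-byte original size, 8-byte FILETIME deletion time, then a 520-byte UTF-16LE original path) and derives the name of the matching “$R” data file; the sample “$I” bytes are constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of a Windows Vista "$I" recycle-bin metadata file (little-endian throughout):
#   0x00, 8 bytes: format version (1 on Vista)
#   0x08, 8 bytes: size of the deleted file in bytes
#   0x10, 8 bytes: deletion time as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)
#   0x18, 520 bytes: original full path, UTF-16LE, NUL padded to 260 characters
PATH_FIELD_LEN = 520
I_FILE_SIZE = 0x18 + PATH_FIELD_LEN
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_i_file(data):
    """Parse the bytes of one $I file and return the recoverable fields."""
    if len(data) < I_FILE_SIZE:
        raise ValueError("too short for a Vista $I file: %d bytes" % len(data))
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError("unexpected $I format version %d" % version)
    raw_path = data[0x18:0x18 + PATH_FIELD_LEN].decode("utf-16-le")
    return {"file_size": size,
            "deleted_utc": filetime_to_datetime(deleted_ft),
            "original_path": raw_path.split("\x00", 1)[0]}   # drop the NUL padding

def matching_r_name(i_name):
    """Name of the $R file that holds the data belonging to a given $I file."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name: %s" % i_name)
    return "$R" + i_name[2:]

def build_i_file(size, deleted_ft, path):
    """Assemble a $I image; used here only to construct offline sample input."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > PATH_FIELD_LEN:
        raise ValueError("path exceeds the 260-character $I path field")
    return struct.pack("<QQQ", 1, size, deleted_ft) + encoded.ljust(PATH_FIELD_LEN, b"\x00")

# Constructed sample: a 1234-byte file deleted on 2007-02-01 12:00:00 UTC.
_DELETED = datetime(2007, 2, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DELETED_FT = int((_DELETED - FILETIME_EPOCH).total_seconds()) * 10_000_000
SAMPLE_I_FILE = build_i_file(1234, SAMPLE_DELETED_FT, "C:\\Users\\alice\\Documents\\notes.txt")

if __name__ == "__main__":
    for key, value in parse_i_file(SAMPLE_I_FILE).items():
        print("%-14s %s" % (key, value))
```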
The Windows event logs have changed dramatically in Windows Vista. A new XML file format is used for the event logs, and a new extension, “EVTX”, is now used. The files are now located in:
There are now approximately 30 different event logs that Windows Vista reports events to. Currently these logs can only be read by the native Windows Vista Event Viewer (eventvwr), although an EnCase EnScript is under development.
Users can now save their searches and review the results in real-time as the search results are updated as new files are added to the system. Saved searches are placed under the user’s profile:
The indexing service is used to quickly locate files by indexing each file's metadata and, for some file types, its contents. Windows Mail is included in the types of data that are indexed and available for searches.
These indexes are located in the following location:
The Windows Photo Gallery is an application designed to make it easy to collect, categorize and edit digital photos and videos. The Windows Photo Gallery can connect directly to digital devices such as cameras or removable media and then import the photos into the gallery. The photos imported into the gallery are stored in the user's “Pictures” directory under their profile.
The new Windows Vista contact manager is an address book replacement and designed to contain commonly used contacts via email or phone. These contacts are XML files that are stored in a directory under the user’s profile, named “Contacts”.
Sleep mode is a new feature in Windows Vista that allows quick booting and shutdown by keeping the contents of memory alive at very low power consumption. The “Hibernate” and “Stand-by” modes used in Windows XP/2003 are no longer available; only the Sleep mode is available now. Sleep mode does not use the traditional Hiberfil.sys file and does not create any on-disk memory artifact.
One thing to note is that Windows Mail now has the ability to use encryption and digital signatures. Free secure email certificates are available for download and can be used to encrypt email messages. Email messages that are sent with the encryption flag set are encrypted before being placed in the outbox, so an examiner may find an email message in the Outbox where the body is encrypted and unreadable. The message headers though would be in plaintext.
The Windows Firewall has been enhanced to now filter both incoming and outgoing network connections. From a forensic perspective, one of the most important elements of the firewall is its logging mechanism. The log is disabled by default, but if enabled, the logs are written to:
The thumbnail cache used in Windows XP/2003, named THUMBS.DB, has been replaced with a centralized thumbnail database named “thumbcache_32.db”, “thumbcache_96.db”, “thumbcache_256.db” or “thumbcache_1024.db”. These centralized caches now hold all thumbnails on the system, split by thumbnail size. These caches are located in the directory:
ReadyBoost is a Microsoft feature which allows a user to add virtual memory by using a removable flash drive. This memory is then cached and used as an extension to the installed physical memory. Flash memory is much faster than paging data to the pagefile on a hard disk, and therefore this feature is a cheap alternative to adding memory to a system.
Data that is written to the removable flash disk is encrypted using AES-128 encryption before being written to the flash disk. Therefore an examiner who recovers a flash disk used for ReadyBoost will not be able to decipher the data.
Accessing physical memory using DD is a common way of collecting volatile data (the contents of RAM) before a system is shut down and/or imaged. This procedure works in Windows 2000 and Windows XP, but not in Windows 2003 or Windows Vista, because the PhysicalMemory pipe is not accessible even from an administrator account. Therefore it is currently not possible to collect physical memory using the standard version of win32 DD.EXE.
BitLocker is an enterprise-class encryption utility that provides full drive encryption. The BitLocker feature is only available in the Enterprise and Ultimate editions (Enterprise only when the machine is a member of a domain).