Windows Forensics
Few Aspects of Windows Forensics. Small things that we normally overlook

  1. Few More Aspects of Forensics. Shri Boonlia Prince Komal. Gmail: boonlia@gmail.com. Facebook: #!/profile.php?id=1701055902 (or search for my mail id). Twitter:
  2. Recycle Bin Analysis. Location of the Recycle Bin file/files:
     - Windows 95/98/ME, FAT32: `C:\Recycled\INFO2`
     - Windows NT/2K/XP, NTFS: `C:\Recycler\<USER SID>\INFO2`
     - Windows Vista/7, NTFS: `C:\$Recycle.Bin\<USER SID>`
  3. Changes With Vista: Windows XP/2K/NT/ME/98/95 vs. Windows Vista/7
  4. INFO2 File Structure
  5. INFO2 File Structure (cont.)
  6. Windows Vista/7: `$I` / `$R` files. The `$I` record holds Deletion Time, File Name and File Size.
  7. The `$I` File Structure
  8. Windows Prefetching
  9. Basics of Prefetching:
     - Implemented with Windows XP
     - A Windows Memory Manager component
     - SuperFetch and ReadyBoost with Windows Vista
     - Boot vs. Application Prefetching
     - Demo of the functioning of Prefetching
  10. Prefetch file in Windows XP
  11. Prefetch file in Vista and Windows 7
  12. Thumbnails: 96 x 96 pixel thumbnails in Windows XP; in Windows Vista and 7 the thumbnail size can be chosen anywhere on the slider
  13. Storage in Windows XP (Thumbs.db):
      - Cannot identify the user who used it
      - Deleted with the deletion of the folder
      - Only 96 x 96 pixel thumbnails
      - Tool: Thumbs_Viewer.exe
      - Demo: manually recreating a thumbnail with a hex editor
  14. Thumbnails in Vista and Windows 7:
      - Central location for all thumbnails: `C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer`
      - Cache files are split by maximum thumbnail pixel size, e.g. 32 x 32 (max) pixel thumbnails in `thumbcache_32.db`
      - Index file linking the unique ID in the cache file to the Windows Index: `C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb`
      - Thumbs.db is still generated in case of access from the network
  15. Thumbnails in Vista and Windows 7: entry in the thumbnail cache file
  16. Entries in the Thumbcache_IDX, Thumbcache_32, Thumbcache_96 and Thumbcache_256 files
  17. Rebuilding the cache:
      - Find the filename and path of the image file
      - Find the ThumbnailCacheID for it in Windows.edb
      - Find the corresponding data location in the cache files in Thumbcache_IDX
      - Look up the data location in the ThumbCache_32, ThumbCache_96, ThumbCache_256 or ThumbCache_1024 file and match the ThumbnailCacheID
      - Take the data block, identify the file type and reconstruct the thumbnail
  18. Windows Volume Shadow Copy. Ever wonder how System Restore works?
      - Volume Shadow Copy services monitor the system and its changes
      - Changed sectors are copied in 16KB blocks and kept in a file
      - Copies are taken on: the automatic scheduled time, System Restore point creation, installation of a new package
      - Can carry data that has been deleted, wiped or encrypted later
  19. Exploring Shadow Copies:
      - Explore with `VSSadmin`
      - Mount with `DOSDEV.exe`
      - Let's share a shadow copy: `net share shadow=\\.\HarddiskVolumeShadowCopy5\`
  20. Time Line analysis (thanks to Rob Lee for his awesome research). Basic time line (file system time line):

      | File System | Stored as | Modified | Accessed | Created | Metadata Modified |
      |---|---|---|---|---|---|
      | FAT | Local time, since Jan 1, 1980 | Modified, in multiples of 2 seconds | Accessed, in multiples of a day (time usually midnight) | Created, in multiples of 10 ms | |
      | NTFS | UTC, 100-nanosecond intervals since Jan 1, 1601 (FILETIME) | Modified (FILETIME) | Accessed (FILETIME) | Created / File Birth (FILETIME) | `$MFT` Modified (metadata changed) |

      Disable Last Access time: set `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate` to 1.
  21. Why Timeline analysis:
      - Extremely difficult for malware to handle all the times
      - Almost impossible for an attacker to hide the timeline evidence
      - Spread across the system and across multiple timelines
      - Helps in presenting the entire picture of all the happenings on the system
  22. How various times behave
  23. Screen taken from Rob Lee's presentation
  24. Let's use `$FILENAME` to avoid the Win32 API
  25. Conducting an examination. Questions and the artifacts that answer them:
      - File Download: Browser History analysis, Open/Save/Run MRU, Mail analysis, Malware analysis, Log analysis
      - Program Execution: Prefetch, Open/Run MRU, Run MRU, User Assist, Thumbnail
      - File Existence: Recycle Bin analysis, Search MRU analysis, Browser artifacts, Shadow Copy
      - USB Keys: USB serials, first and last time used, Volume name, user who used it, path in MRU and drive letter
      - File Creation and change: Time line analysis, Thumbnails for image and other files, Shadow Copy analysis, Recent file MRUs, Lnk file analysis
      - Was a Registry key deleted? Regedit execution (Prefetch), Registry slack, Shadow file, security descriptor on the keys
      - File deletion: Unallocated space analysis, Recycle Bin, Volume Shadow Copy, Recent file list and lnk, various MRUs, Strings
      - Time stamp tampering: Time line analysis, execution of the program, check for the nanosecond value, Volume Shadow Copy
      - System compromise? Backdoor presence and analysis, Network forensics, Super time line analysis, Connection analysis
      - Encryption: Temp locations for decrypted files, Page file analysis, various attacks for the password, Memory analysis for key presence, Rainbow tables, LM Hash attack
  26. Questions? Gmail: boonlia@gmail.com. Facebook: #!/profile.php?id=1701055902 (or search for my mail id). boonliasecurity@gmail.com. Twitter:
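As an added example (not code from the original deck) for slides 6, 7 and 20: a parser for the Windows Vista/7 `$I` record, whose fields are the deletion time (a FILETIME, 100 ns units since Jan 1, 1601), the original file size and the original path. The 544-byte version-1 layout used here is the Vista/7 one; the sample record, its path and its timestamp are constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

# $I layout on Windows Vista/7 (format version 1), a fixed 544 bytes:
#   0x00   8 bytes   header / format version (1)
#   0x08   8 bytes   original file size
#   0x10   8 bytes   deletion time as FILETIME (100 ns units since 1601-01-01 UTC)
#   0x18   520 bytes original path, UTF-16LE, 260 wide chars, NUL padded
I_FILE_SIZE = 544
I_HEADER_V1 = 1
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime (microsecond resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; only needed here to construct the sample artifact."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_i_file(data):
    """Return the original path, size and deletion time recorded in a $I file."""
    if len(data) < I_FILE_SIZE:
        raise ValueError("truncated $I file: %d bytes" % len(data))
    header, size, ft = struct.unpack_from("<QQQ", data, 0)
    if header != I_HEADER_V1:
        raise ValueError("unsupported $I format version %d" % header)
    raw_name = data[0x18:0x18 + 520]
    path = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    return {"original_path": path, "file_size": size, "deleted_at": filetime_to_datetime(ft)}

def build_sample_i_file(path, size, deleted_at):
    """Constructed sample $I record for the demo; not a real artifact."""
    name = path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<QQQ", I_HEADER_V1, size, datetime_to_filetime(deleted_at)) + name

def demo():
    # Hypothetical deleted file; path, size and time are constructed values.
    sample = build_sample_i_file(r"C:\Users\alice\Documents\report.docx", 40960,
                                 datetime(2011, 3, 14, 9, 26, 53, tzinfo=timezone.utc))
    return parse_i_file(sample)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```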
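A second added example (again not from the deck) for the timeline table on slide 20: it encodes one instant the way FAT stores its three stamps and compares the result with an NTFS FILETIME, showing why FAT modified times can only be matched at 2-second granularity, FAT created times at 10 ms, and FAT access stamps carry no time of day at all. The instant and the encode/decode helpers are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# FAT directory entry stamps (local time, no time zone recorded):
#   date word: bits 15-9 year-1980, 8-5 month, 4-0 day
#   time word: bits 15-11 hour, 10-5 minute, 4-0 seconds/2
#   create time only: an extra "tenths" byte, 0..199 in 10 ms units

def fat_encode(dt):
    """Encode a naive local datetime into FAT date word, time word and tenths byte."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    leftover_ms = (dt.second % 2) * 1000 + dt.microsecond // 1000
    return date_word, time_word, leftover_ms // 10

def fat_decode(date_word, time_word=None, tenths=0):
    """Decode FAT words; time_word=None models the date-only last-access stamp."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    if time_word is None:
        return datetime(year, month, day)
    hour, minute = time_word >> 11, (time_word >> 5) & 0x3F
    base = datetime(year, month, day, hour, minute, (time_word & 0x1F) * 2)
    return base + timedelta(milliseconds=tenths * 10)

def fat_stamps(dt):
    """What FAT actually retains of one instant in each of its three timestamps."""
    date_word, time_word, tenths = fat_encode(dt)
    return {
        "modified": fat_decode(date_word, time_word),         # 2 s granularity
        "accessed": fat_decode(date_word),                    # date only (midnight)
        "created": fat_decode(date_word, time_word, tenths),  # 10 ms granularity
    }

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def ntfs_stamp(dt):
    """NTFS stores a FILETIME (100 ns units since 1601-01-01 UTC): nothing lost here."""
    ft = (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def demo():
    # Constructed instant: 2011-03-14 09:26:53.456, local for FAT, UTC for NTFS.
    local = datetime(2011, 3, 14, 9, 26, 53, 456000)
    out = {k: v.isoformat(timespec="milliseconds") for k, v in fat_stamps(local).items()}
    out["ntfs"] = ntfs_stamp(local.replace(tzinfo=timezone.utc)).isoformat(timespec="milliseconds")
    return out
```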