Vista Forensics

Published in Technology

Comment (by user "Forensics"): Windows 7 already changed things - but this is still an extremely useful presentation for Vista users.
Transcript

  • 1. Vista Forensics (Before Windows 7 Changes Things) Troy Larson Microsoft Corporation
  • 2. Operating System Artifacts
    • Recycle Bin.
    • EFS.
    • Default folders.
    • Virtual Folders.
    • Virtual Registry.
    • Pstore.
    • TxR.
    • Superfetch.
    • Thumbscache.
    • Event logs.
    • Setupapi.log.
    • VSS.
    [Diagram: layers labelled Application Artifacts, OS Artifacts, File Systems, Fvevol.sys (the BitLocker filter driver), Volume Manager]
  • 3. The New Recycle Bin
    • [Volume]:\$Recycle.Bin
      • $Recycle.Bin is visible in Explorer once hidden and protected system files are shown.
      • Per-user store in a subfolder named with the account SID.
      • No more INFO2 files.
      • When a file is deleted (moved to the Recycle Bin) two files are created in the Recycle Bin: a $I file and an $R file.
        • $I or $R followed by six random characters, then the original extension. The random characters are the same for each $I/$R pair.
        • The $I file records the original name and path, the original size, and the deletion date.
        • The $R file is the original content; it keeps the original file attributes other than the name attribute (which is changed to $R******.ext).
  • 4. The New Recycle Bin
  • 5. The New Recycle Bin [screenshot] $MFT file record segment (FRS) of $IWYOWJ2.docx; note the deleted date (highlighted in blue).
  • 6. The New Recycle Bin [screenshot] $MFT FRS of $RWYOWJ2.docx
  • 7. The New Recycle Bin [screenshot] First cluster of $RWYOWJ2.docx
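The $I record described on slide 3 is small enough to parse by hand. The following is an added example, not code from the deck: it reads the fixed $I layout (8-byte version, 8-byte original size, 8-byte FILETIME deletion time, then the original path in UTF-16LE) and pairs a $I name with its $R twin. The sample record, its path and size are constructed here; version 2 handling (Windows 10, beyond the Vista scope of the talk) is included so the parser does not silently mis-read newer records.

```python
"""Parse the $I metadata record Vista writes for each recycled file.

Added example, not from the slides. Layout assumed from the documented $I
format: version (8 bytes), original size (8), deletion time as a Windows
FILETIME (8), then the original path in UTF-16LE. Version 1 (Vista, 7, 8)
uses a fixed 520-byte path field; version 2 (Windows 10 and later) stores
a 4-byte character count followed by the path.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520                      # 260 UTF-16 code units (MAX_PATH)


def filetime_to_datetime(ft):
    """100-ns intervals since 1601-01-01 UTC -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used to build the sample below."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_dollar_i(data):
    """Return the fields of a $I record; raises ValueError on bad input."""
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte fixed header")
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) != V1_PATH_BYTES:
            raise ValueError("truncated version-1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return {
        "version": version,
        "original_size": original_size,
        "deleted": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def matching_r_name(i_name):
    """$IWYOWJ2.docx -> $RWYOWJ2.docx: the pair shares the random suffix."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_dollar_i_v1(path, size, deleted):
    """Construct a version-1 record (sample data for this example only)."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > V1_PATH_BYTES - 2:
        raise ValueError("path too long for a version-1 record")
    return (struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted))
            + encoded.ljust(V1_PATH_BYTES, b"\x00"))


# Constructed sample: what $IWYOWJ2.docx could hold for a file deleted on
# 15 March 2009 at 10:30 UTC. The path and size are invented.
SAMPLE_DELETED = datetime(2009, 3, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_I = build_dollar_i_v1(r"C:\Users\troy\Documents\report.docx",
                             48203, SAMPLE_DELETED)


def demo():
    rec = parse_dollar_i(SAMPLE_I)
    rec["r_file"] = matching_r_name("$IWYOWJ2.docx")
    return rec


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

On a real image, feed the bytes of each $I file from the SID subfolder to parse_dollar_i and open the matching $R file for the content; the deletion time is UTC, so convert to the machine's time zone before comparing with other artifacts.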
  • 8. EFS Enhancements
    • EFS keys can now be stored on smart cards.
      • Much harder to crack: the private key never leaves the card.
      • Get the smart card (and its PIN).
    • EFS encryption of the page file.
      • On boot, Vista generates a random AES-256 key and uses it to encrypt the page file.
      • This key is never written to disk.
      • When the system is shut down the key is gone (it only ever existed in RAM), so a page file recovered from a powered-off disk cannot be decrypted; a memory capture of the running system is the only route to the key.
    • Check HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\NtfsEncryptPagingFile: if the value is 1 the page file is encrypted. The feature is off by default and is turned on with fsutil behavior set encryptpagingfile 1.
  • 9. Default Folder Organization The legacy folders are junction links to the new folders. To navigate, follow the links.
  • 10. Default Folder Organization
    • Windows uses the Local and LocalLow folders for application data that does not roam with the user (usually because the data is machine specific or too large to roam). LocalLow is the low-integrity store written by Protected Mode Internet Explorer.
    • The AppData\Local folder in Windows Vista corresponds to Documents and Settings\username\Local Settings\Application Data in Windows XP.
    • Windows uses the Roaming folder for application-specific data, such as custom dictionaries, that is machine independent and should roam with the user profile.
  • 11. Default Folder Organization
    • WebDAV: Web-based Distributed Authoring and Versioning.
  • 12. Special Folders: IE Protected Mode. Reference: http://msdn.microsoft.com/en-us/library/bb250462.aspx
  • 13. File and Folder Virtualization
    • User Account Control (UAC) file and folder virtualization:
      • Non-administrative writes to
        • Windows
        • Program Files
        • ProgramData
      • are redirected to %LOCALAPPDATA%\VirtualStore (for example, C:\Users\username\AppData\Local\VirtualStore\Program Files\...).
      • Binary executables (.exe, .dll, .sys) are excluded from virtualization.
    • When looking for a legacy application's data or log files on Vista, check the VirtualStore copy as well as the nominal path; the two can differ.
    UAC reference: http://msdn.microsoft.com/en-us/library/bb756883.aspx
  • 14. File and Folder Virtualization
  • 15. Registry Virtualization
    • Virtualized key: HKEY_LOCAL_MACHINE\SOFTWARE
    • Non-administrator writes are redirected to HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE
    • Keys excluded from virtualization:
      • HKEY_LOCAL_MACHINE\Software\Classes
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
  • 16. Registry Virtualization The virtualized registry entries are stored here.
  • 17. Registry Virtualization
    • Location of the registry hive file for the VirtualStore:
      • It is NOT the user's NTUSER.DAT.
      • It is stored in the user's UsrClass.dat (the hive behind HKCU\Software\Classes):
      • Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat
    • Investigating Vista or Windows 2008 therefore requires examining at least two account-specific registry hive files for each user account:
      • NTUSER.DAT
      • UsrClass.dat
  • 18. Pstore-Protected Storage
    • Windows 2000, XP and Windows 2003:
      • Pstore was used to store passwords for Internet Explorer and Outlook Express.
      • HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
    • Vista and Windows 2008:
      • Pstore is only available for read-only operations.
      • Deprecated in favor of stronger data protection (DPAPI):
        • CryptProtectData and CryptUnprotectData
      • http://msdn.microsoft.com/en-us/library/bb432403(VS.85).aspx
      • http://www.nirsoft.net/articles/ie7_passwords.html
  • 19. Transactional Registry
    • Related to TxF (Transactional NTFS); both are built on the Kernel Transaction Manager (KTM).
    • See http://msdn.microsoft.com/en-us/library/cc303705.aspx
    • TxR allows applications to perform registry operations in a transacted manner.
      • Typical scenario: software installation.
      • Files are copied to the file system and information written to the registry as a single atomic operation.
      • In the event of failure, the registry modifications are rolled back or discarded.
    • For the investigator, the transaction log files that sit beside each hive (the .TM.blf and .regtrans-ms files) may hold registry data that was written but never committed to the hive itself.
  • 20. Transactional Registry
  • 21. Superfetch
    • Successor to Prefetch; still housed in C:\Windows\Prefetch.
    • Superfetch consists of a database (the Ag*.db files) and the prefetch (.pf) files.
    • Collects and mines page-usage data from the kernel.
    • Reduces demand paging by having useful pages already in memory and keeping them there.
    • Uses idle disk periods to bring valuable files and pages into memory in anticipation of user demand.
    • May not be enabled on Windows 2008.
  • 22. Superfetch
    • Prefetch files contain information about the files and other resources that should be loaded at boot or at application start.
    • System boot prefetch file:
      • NTOSBOOT-B00DFAAD.pf
    • Application prefetch files:
      • APPLICATIONNAME.EXT-PATHHASH.pf
        • POWERPNT.EXE-2EEF88AA.pf
        • IEXPLORE.EXE-2D97EBE6.pf
    • The hash is computed from the executable's path, so the same program installed in the same location usually yields the same file name across systems (but not always: a different install path, or different command-line arguments for hosting processes such as svchost.exe, changes the hash).
    • Can reveal data files and dependencies that were opened in the first seconds of execution.
  • 23. Superfetch
    • Ramifications of prefetch files:
      • The existence of a prefetch file indicates that the application named by the prefetch file was run (and that prefetching was enabled; the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters controls it).
      • The creation date of a prefetch file can indicate when the named application was first run.
      • The modification date of a prefetch file can indicate when the named application was last run.
      • Caveat: the prefetch file is written after the application has been monitored for roughly ten seconds, so both timestamps lag the actual launch slightly.
    • Examination of prefetch file internals can reveal other facts about an application:
      • When the application was last run (a FILETIME stored in the file), and
      • How many times the application has been run (the run counter).
  • 24. Superfetch
  • 25. Superfetch
    • Prefetch files maintain a list of directories and files whose pages are to be loaded when the application is run.
  • 26. Superfetch
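Slides 22, 23 and 25 list what a prefetch file gives up: the executable name and path hash that form the file name, the last-run time and run counter inside the file, and the list of files loaded at start-up. The parser below is an added example, not code from the deck. It follows the documented SCCA layout (a 0x54-byte header, then a file-information block whose last-run FILETIME and run count sit at version-dependent offsets for XP, version 17, and Vista/7, version 23). Windows 8 moved those fields and Windows 10 compresses the whole file (it begins with the bytes MAM followed by 0x04), so both are rejected rather than mis-read. The sample file and its file paths are constructed; only the POWERPNT.EXE name and its hash 2EEF88AA come from the slides.

```python
"""Parse an XP (v17) or Vista/7 (v23) prefetch file. Added example; the
offsets are taken from the documented SCCA format, not from the slides."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x54
# version -> (last-run FILETIME offset, run-count offset), from file start
LAYOUT = {17: (0x78, 0x90),    # Windows XP / 2003
          23: (0x80, 0x98)}    # Windows Vista / 7
FILE_INFO_SIZE_V23 = 156       # size of the v23 file-information block
CODE_EXT = {".EXE", ".DLL", ".SYS", ".MUI", ".NLS", ".DRV", ".OCX", ".CPL"}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_prefetch(data):
    if data[:4] == b"MAM\x04":
        raise ValueError("Windows 10 compressed prefetch: decompress (XPRESS Huffman) first")
    if len(data) < HEADER_SIZE or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature")
    (version,) = struct.unpack_from("<I", data, 0)
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    (declared_size,) = struct.unpack_from("<I", data, 0x0C)
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    # filename-strings offset/size sit at +16/+20 of the file-information block
    names_off, names_size = struct.unpack_from("<II", data, HEADER_SIZE + 16)
    last_off, count_off = LAYOUT[version]
    (last_run_ft,) = struct.unpack_from("<Q", data, last_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    raw = data[names_off:names_off + names_size]
    loaded = [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return {"version": version, "declared_size": declared_size,
            "exe_name": exe_name, "path_hash": "%08X" % path_hash,
            "expected_file_name": "%s-%08X.pf" % (exe_name, path_hash),
            "last_run": filetime_to_datetime(last_run_ft),
            "run_count": run_count, "loaded_files": loaded}


def data_files(loaded):
    """Loaded files that are not code: the documents the program touched."""
    return [p for p in loaded if ntpath.splitext(p)[1].upper() not in CODE_EXT]


def rejects(blob):
    """True if parse_prefetch refuses the blob (used to show the guards)."""
    try:
        parse_prefetch(blob)
    except ValueError:
        return True
    return False


def build_prefetch_v23(exe_name, path_hash, last_run, run_count, loaded):
    """Construct a minimal v23 file: header, file-info block, name strings."""
    names = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in loaded)
    names_off = HEADER_SIZE + FILE_INFO_SIZE_V23
    header = struct.pack("<I4sII", 23, b"SCCA", 0, names_off + len(names))
    header += exe_name.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", path_hash, 0)
    info = bytearray(FILE_INFO_SIZE_V23)
    struct.pack_into("<II", info, 16, names_off, len(names))
    struct.pack_into("<Q", info, 0x80 - HEADER_SIZE, datetime_to_filetime(last_run))
    struct.pack_into("<I", info, 0x98 - HEADER_SIZE, run_count)
    return header + bytes(info) + names


# Constructed sample (paths invented; name and hash from the slides).
SAMPLE_LAST_RUN = datetime(2009, 3, 14, 16, 45, 12, tzinfo=timezone.utc)
SAMPLE_FILES = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT OFFICE\OFFICE12\POWERPNT.EXE",
    r"\DEVICE\HARDDISKVOLUME1\USERS\TROY\DOCUMENTS\Q1-REVIEW.PPTX",
]
SAMPLE_PF = build_prefetch_v23("POWERPNT.EXE", 0x2EEF88AA, SAMPLE_LAST_RUN, 7, SAMPLE_FILES)


def demo():
    return parse_prefetch(SAMPLE_PF)


if __name__ == "__main__":
    rec = demo()
    print(rec["expected_file_name"], rec["run_count"], rec["last_run"])
    print("data files:", data_files(rec["loaded_files"]))
```

Compare expected_file_name with the actual name on disk: a mismatch means the file was renamed or copied from another system, and the last-run time inside the file is UTC, so reconcile it with the NTFS modification time of the .pf file before citing either.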
  • 27. Thumbcache
  • 28. Thumbcache
    • C:\Users\username\AppData\Local\Microsoft\Windows\Explorer
    • The thumbnail cache is now tied to a user account; each account profile maintains its own thumbnail cache instead of a thumbs.db in every folder.
    • Created by Explorer when presenting "picture" icons.
    • The file format is different from the previous thumbs.db file (which was an OLE compound document).
  • 29. Thumbcache
      • The thumbcache_*.db files whose names end with a number contain embedded images at that pixel size.
      • thumbcache_1024.db and thumbcache_256.db contain JPEG images.
      • thumbcache_96.db and thumbcache_32.db contain bitmap images.
      • thumbcache_idx.db is the index.
  • 30. Thumbcache
    • Identify and carve out images.
    • Note the CMMM record header that begins each cache entry.
  • 31. Thumbcache
    • Identify and carve out images (continued).
    • Note the CMMM record header.
  • 32. Thumbcache
  • 33. Thumbcache
    • There is always the easier way . . .
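The "easier way" is a tool, but the CMMM records on slides 30 and 31 are simple enough to walk directly. The following is an added example, not code from the deck or from any tool it mentions. It assumes the documented thumbcache layout: a 24-byte file header (CMMM, format version 0x14 for Vista or 0x15 for Windows 7, cache type, first-entry offset, next-free offset, entry count) followed by entries that each start with CMMM, their total size, a 64-bit hash, a UTF-16LE identifier string, padding and the image bytes. Vista entries carry an extra 8-byte extension field that Windows 7 dropped, so the fixed part is 56 bytes on Vista and 48 on Windows 7; the 64-bit checksums are not verified. The two sample databases are constructed from stub JPEG and BMP payloads.

```python
"""Walk CMMM records in a Vista (0x14) or Windows 7 (0x15) thumbcache_*.db
and carve the embedded images. Added example; layout as documented, not
from the slides. Windows 8 and later use different headers and are refused."""
import struct

FILE_HEADER = struct.Struct("<4sIIIII")   # sig, version, type, first, next_free, count
ENTRY_FIXED = {0x14: 56, 0x15: 48}         # Vista has an 8-byte extension field
MAGICS = ((b"\xff\xd8\xff", "jpg"), (b"BM", "bmp"), (b"\x89PNG", "png"))


def sniff_image(blob):
    """Identify the payload by magic bytes rather than trusting any field."""
    for magic, kind in MAGICS:
        if blob.startswith(magic):
            return kind
    return None


def parse_thumbcache(data):
    sig, version, cache_type, first, next_free, count = FILE_HEADER.unpack_from(data, 0)
    if sig != b"CMMM":
        raise ValueError("not a CMMM thumbcache file")
    if version not in ENTRY_FIXED:
        raise ValueError("unsupported format version 0x%x (Windows 8+ differs)" % version)
    fixed = ENTRY_FIXED[version]
    entries, off = [], first
    for _ in range(count):
        if off + fixed > len(data) or data[off:off + 4] != b"CMMM":
            break                                   # stop at the first bad record
        size, entry_hash = struct.unpack_from("<IQ", data, off + 4)
        pos, ext = off + 16, ""
        if version == 0x14:
            ext = data[pos:pos + 8].decode("utf-16-le").split("\x00", 1)[0]
            pos += 8
        id_size, pad_size, data_size = struct.unpack_from("<III", data, pos)
        ident_start = off + fixed
        img_start = ident_start + id_size + pad_size
        blob = data[img_start:img_start + data_size]
        entries.append({"offset": off, "size": size, "hash": entry_hash,
                        "extension": ext, "data": blob, "sniffed": sniff_image(blob),
                        "identifier": data[ident_start:ident_start + id_size].decode("utf-16-le")})
        if size < fixed:
            break                                   # refuse to loop on a zero size
        off += size
    return {"version": version, "cache_type": cache_type,
            "declared_entries": count, "entries": entries}


def carve(data):
    """(file name, bytes) for every entry that actually holds image data."""
    out = []
    for e in parse_thumbcache(data)["entries"]:
        if not e["data"]:
            continue                                # empty placeholder slot
        name = e["identifier"] or "%016x" % e["hash"]
        out.append(("%s.%s" % (name, e["sniffed"] or "bin"), e["data"]))
    return out


def build_entry(version, entry_hash, ident, payload, ext=""):
    """Construct one cache entry (sample data for this example only)."""
    fixed = ENTRY_FIXED[version]
    ident_b = ident.encode("utf-16-le")
    pad = (-(fixed + len(ident_b))) % 8
    body = ident_b + b"\x00" * pad + payload
    hdr = b"CMMM" + struct.pack("<IQ", fixed + len(body), entry_hash)
    if version == 0x14:
        hdr += ext.encode("utf-16-le").ljust(8, b"\x00")
    hdr += struct.pack("<IIIIQQ", len(ident_b), pad, len(payload), 0, 0, 0)
    return hdr + body


def build_thumbcache(version, cache_type, entries):
    body = b"".join(entries)
    return FILE_HEADER.pack(b"CMMM", version, cache_type, FILE_HEADER.size,
                            FILE_HEADER.size + len(body), len(entries)) + body


# Constructed samples: stub image payloads, invented hashes and identifiers.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
BMP_STUB = b"BM" + struct.pack("<IHHI", 70, 0, 0, 54) + b"\x00" * 16
SAMPLE_ENTRIES = [
    (0xCAD0E6D49C1C6E2E, "cad0e6d49c1c6e2e", JPEG_STUB, "jpg"),
    (0x1F3E5A9B2C4D6E70, "1f3e5a9b2c4d6e70", BMP_STUB, "bmp"),
    (0, "", b"", ""),                              # slot with no image
]
SAMPLE_VISTA = build_thumbcache(0x14, 3, [build_entry(0x14, *e) for e in SAMPLE_ENTRIES])
SAMPLE_WIN7 = build_thumbcache(0x15, 3, [build_entry(0x15, *e) for e in SAMPLE_ENTRIES])

if __name__ == "__main__":
    for name, blob in carve(SAMPLE_VISTA):
        print(name, len(blob), "bytes")
```

The carved file name is the identifier string, which is the hex form of the entry hash that thumbcache_idx.db also uses, so it is the key for tying a thumbnail back to an index record; the thumbnail survives after the original picture is deleted, which is the point of the artifact.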
  • 34. Event Logs
    • New event log file format (binary XML).
    • Event log files now have the .evtx extension.
    • Event logs are stored in C:\Windows\System32\winevt\Logs
    • Log files open in Event Viewer when double-clicked; they can also be queried from the command line with wevtutil.
  • 35. Event Logs
    • Note the use of the standard Windows FILETIME format (100-nanosecond intervals since 1 January 1601, UTC). Other information is available from the raw logs.
  • 36. Event Logs
    • Security audit events for Microsoft Windows Server 2008 and Microsoft Windows Vista:
      • http://www.microsoft.com/downloads/details.aspx?FamilyID=82e6d48f-e843-40ed-8b10-b3b716f6b51b&DisplayLang=en
    • int for(ensic){blog;}:
      • http://computer.forensikblog.de/en/topics/windows/vista_event_log/
  • 37. Setupapi.log The location of the setupapi.log file has changed. The new location is C:\Windows\INF\setupapi.dev.log
  • 38. Volume Shadow Copy
    • Volume shadow copies are block-level differential backups of a volume.
      • 16 KB blocks: only blocks that change after the snapshot are copied into the shadow storage (copy-on-write), so each shadow copy borrows the unchanged blocks from the live volume.
    • Typically, shadow copies are created when a system boots up; they can be created at other times (for example before a software installation, or by System Protection).
    • The shadow copy service is enabled by default on Vista, but not on Windows 2008.
    • Shadow copies reside in the System Volume Information folder.
  • 39. Volume Shadow Copy
    • Shadow copies are the source data for Restore Points and the Restore Previous Versions features.
    • Shadow copies provide a “snapshot” of a volume at a particular time.
    • Shadow copies can show how files have been altered.
    • Shadow copies can retain data that has later been deleted, wiped, or encrypted.
  • 40. Volume Shadow Copy
  • 41. Volume Shadow Copy
  • 42. Volume Shadow Copy
  • 43. Volume Shadow Copy vssadmin list shadows /for=[volume]: (run from an elevated command prompt)
  • 44. Volume Shadow Copy
  • 45. Volume Shadow Copy Shadow copies can be exposed through symbolic links.
  • 46. Volume Shadow Copy mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\ (the trailing backslash on the target is required; without it the link resolves to nothing)
  • 47. Volume Shadow Copy The shadow copy is addressed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
  • 48. Volume Shadow Copy
  • 49. Volume Shadow Copy
  • 50. Volume Shadow Copy Shadow copies can be mounted as volumes using dosdev.exe.
  • 51. Volume Shadow Copy dosdev y: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
  • 52. Volume Shadow Copy The shadow copy is addressed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
  • 53. Volume Shadow Copy
  • 54. Volume Shadow Copy
    • Volume shadow copies can be mounted directly as network shares.
  • 55. Volume Shadow Copy
    • net share testshadow=\\.\HarddiskVolumeShadowCopy11
  • 56. Volume Shadow Copy
    • The shadow copy is addressed as \\.\HarddiskVolumeShadowCopy11
  • 57. Volume Shadow Copy
  • 58. Volume Shadow Copy
  • 59. Volume Shadow Copy
  • 60. Volume Shadow Copy
    • > psexec \\[computername] vssadmin list shadows /for=C:
    • > psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20
    • PsExec v1.94 - Execute processes remotely
      • . . .
    • testshadow was shared successfully.
    • net exited on [computername] with error code 0.
    • > robocopy /S /R:1 /W:1 /LOG:D:\VSStest\copylog.txt \\[computername]\testshadow D:\vssTest
    • Log File : D:\VSStest\copylog.txt
    • . . .
  • 61. Volume Shadow Copy Shadow copies can be imaged.
  • 62. Volume Shadow Copy dd.exe -v if=\\.\HarddiskVolumeShadowCopy4 of=K:\shadow4.dd --localwrt
  • 63. Volume Shadow Copy The shadow copy is addressed as \\.\HarddiskVolumeShadowCopy4
  • 64. Volume Shadow Copy Images of shadow copies can be opened in forensics tools and appear as logical volumes.
  • 65. Volume Shadow Copy
  • 66. Volume Shadow Copy Compare the imaged version to the mounted shadow copy.
  • 67. Volume Shadow Copy Deleted data is captured by shadow copies, and is available for retrieval in shadow copy images.
  • 68. Volume Shadow Copy When exposed and imaged, every shadow copy presents as a full logical volume, so each image approximates the size of the original volume. Thus, a conundrum: how to gather all the shadow copy data? Amount of case data = (number of shadow copies) x (size of the volume) + (size of the volume).
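Slides 43 to 63 address the same shadow copy three ways: the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN name that vssadmin prints and mklink takes, the \\.\HarddiskVolumeShadowCopyN device name that net share and dd.exe take, and the share name used remotely. The script below is an added example, not code from the deck: it parses the text that vssadmin list shadows prints (the sample output is constructed to match vssadmin's usual layout, with invented GUIDs and host name, and the creation-time parsing assumes the US date format of an English Vista), derives each address form, emits the command lines from the slides with the trailing backslash mklink needs, and applies the slide 68 size estimate.

```python
"""Turn `vssadmin list shadows` output into the address forms and commands
used on slides 43-63. Added example, not from the deck; sample output and
GUIDs are constructed, and the date format is assumed to be US English."""
import re
from datetime import datetime

CREATED_RE = re.compile(r"Contained \d+ shadow cop(?:y|ies) at creation time: (.+)$")
ID_RE = re.compile(r"Shadow Copy ID: (\{[0-9a-fA-F-]+\})")
VOLUME_RE = re.compile(r"Original Volume: \(([A-Za-z]:)\)")
DEVICE_RE = re.compile(r"Shadow Copy Volume: (\\\\\?\\GLOBALROOT\\Device\\(HarddiskVolumeShadowCopy\d+))$")


def parse_vssadmin(text):
    """One dict per shadow copy: created, id, volume, device, name."""
    copies, pending = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line)
        if m:   # creation time precedes the copy's own lines in the output
            pending = {"created": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")}
            continue
        m = ID_RE.match(line)
        if m:
            pending["id"] = m.group(1)
            continue
        m = VOLUME_RE.match(line)
        if m:
            pending["volume"] = m.group(1)
            continue
        m = DEVICE_RE.match(line)
        if m:
            copies.append(dict(pending, device=m.group(1), name=m.group(2)))
    return copies


def exposure_commands(copy, link_dir, share_name, image_path, host=None, copy_to=None):
    """Command lines from the slides for one shadow copy (cmd.exe syntax)."""
    name = copy["name"]
    cmds = {
        # mklink wants the GLOBALROOT form and a trailing backslash on the target
        "mklink": r'mklink /d "%s" "\\?\GLOBALROOT\Device\%s\"' % (link_dir, name),
        # net share and dd.exe take the \\.\ device form
        "net_share": r"net share %s=\\.\%s" % (share_name, name),
        "dd": r"dd.exe -v if=\\.\%s of=%s --localwrt" % (name, image_path),
    }
    if host and copy_to:
        cmds["robocopy"] = r"robocopy /S /R:1 /W:1 \\%s\%s %s" % (host, share_name, copy_to)
    return cmds


def evidence_size(volume_bytes, shadow_count):
    """Slide 68: each exposed shadow copy images as a full logical volume."""
    return volume_bytes * (shadow_count + 1)


# Constructed sample of vssadmin output (two copies of C:, invented GUIDs).
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {7a1c2b3d-1111-4aaa-8bbb-000000000001}
   Contained 1 shadow copies at creation time: 3/14/2009 7:02:11 AM
      Shadow Copy ID: {9d0e1f2a-2222-4aaa-8bbb-000000000002}
         Original Volume: (C:)\\?\Volume{1a2b3c4d-3333-4aaa-8bbb-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: VISTA-LAB
         Service Machine: VISTA-LAB
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {7a1c2b3d-1111-4aaa-8bbb-000000000004}
   Contained 1 shadow copies at creation time: 3/15/2009 8:10:45 AM
      Shadow Copy ID: {9d0e1f2a-2222-4aaa-8bbb-000000000005}
         Original Volume: (C:)\\?\Volume{1a2b3c4d-3333-4aaa-8bbb-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: VISTA-LAB
         Service Machine: VISTA-LAB
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

if __name__ == "__main__":
    copies = parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT)
    for c in copies:
        print(c["name"], c["created"], c["volume"])
        for k, v in exposure_commands(c, r"C:\{test-shadow}", "testshadow",
                                      "K:\\%s.dd" % c["name"]).items():
            print("  ", k, ":", v)
    print("case data for an 80 GiB volume:", evidence_size(80 * 2**30, len(copies)) // 2**30, "GiB")
```

Each shadow copy's creation time tells you which snapshot predates the event of interest; the exposed volume is read-only, but anything run against it (dd.exe, robocopy) should be logged, since the share or link is a change to the live system.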
  • 69. Volume Shadow Copy
    • Shadow copies break if the physical location of their files within the volume changes: the differential store refers to blocks by their on-disk position, so a logical copy of the files is useless.
    • Vista/2008 shadow copies are only recognized by Vista/2008.
    • The investigator must therefore have an image that mounts on Vista/2008 and preserves the physical location of the shadow copy files.
    • How to collect viable disk images for shadow copy retrieval?
  • 70. Volume Shadow Copy
    • Hyper-V will create a VHD from a physical disk; the VHD preserves the sector layout, so the shadow copy files stay where the store expects them.
  • 71. Volume Shadow Copy
    • Mount VHDs with vhdmount.exe (from Microsoft Virtual Server 2005 R2 SP1).
    vhdmount /m "E:\VSSTest.vhd"
  • 72. Volume Shadow Copy
  • 73. Volume Shadow Copy
    • Disk images  Encase Physical Disk Emulator.
    • New SOP for Vista?
      • Create two evidentiary images:
        • Standard bit-stream image (e.g., dd.exe).
        • Image to a VHD through Hyper-V.
  • 74. Finally