Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Vista Forensics


Published on

Published in: Technology
  • Windows 7 already changed things - but this is still an extremely useful presentation for Vista users.
    Are you sure you want to  Yes  No
    Your message goes here

Vista Forensics

  1. 1. Vista Forensics (Before Windows 7 Changes Things) Troy Larson Microsoft Corporation
  2. 2. Operating System Artifacts <ul><li>Recycle Bin. </li></ul><ul><li>EFS. </li></ul><ul><li>Default folders. </li></ul><ul><li>Virtual Folders. </li></ul><ul><li>Virtual Registry. </li></ul><ul><li>Pstore. </li></ul><ul><li>TxR. </li></ul><ul><li>Superfetch. </li></ul><ul><li>Thumbscache. </li></ul><ul><li>Event logs. </li></ul><ul><li>Setupapi.log. </li></ul><ul><li>VSS. </li></ul>File Systems Fvevol.sys Volume Manager Application Artifacts OS Artifacts
  3. 3. The New Recycle Bin <ul><li>[Volume]:$Recycle.Bin </li></ul><ul><ul><li>$Recycle.Bin is visible in Explorer (view hidden files). </li></ul></ul><ul><ul><li>Per user store in a subfolder named with account SID </li></ul></ul><ul><ul><li>No more Info2 files. </li></ul></ul><ul><ul><li>When a file is deleted—moved to the Recycle Bin—it generates two files in the Recycle Bin. </li></ul></ul><ul><ul><li>$I and $R files. </li></ul></ul><ul><ul><ul><li>$I or $R followed by several random characters, then original extension. The random characters are the same for each $I/$R pair. </li></ul></ul></ul><ul><ul><ul><li>$I file maintains the original name and path, as well as the deleted date. </li></ul></ul></ul><ul><ul><ul><li>$R file retains the original file attributes, other than the name attribute (which is changed to $R******.ext). </li></ul></ul></ul>
  4. 4. The New Recycle Bin
  5. 5. The New Recycle Bin Note the deleted date (in blue). $MFT FRS of $IWYOWJ2.docx
  6. 6. The New Recycle Bin $MFT FRS of $RWYOWJ2.docx
  7. 7. The New Recycle Bin First cluster of $RWYOWJ2.docx
  8. 8. EFS Enhancements <ul><li>EFS keys can now be stored on Smartcards. </li></ul><ul><ul><li>Much harder to crack. </li></ul></ul><ul><ul><li>Get the Smartcard. </li></ul></ul><ul><li>EFS encryption of the page file. </li></ul><ul><ul><li>On boot , Vista generates a random AES-256 key and uses it to encrypt the page file. </li></ul></ul><ul><ul><li>This key is never written to disk. </li></ul></ul><ul><ul><li>When the system is shutdown, the key is gone (because it was only ever stored in RAM). </li></ul></ul>HKEY_LOCAL_MACHINESYSTEMControlSet001ControlFileSystemNtfsEncryptPagingFile If value=1 the page file is encrypted.
  9. 9. Default Folder Organization The legacy folders are junction links to the new folders. To navigate, follow the links.
  10. 10. Default Folder Organization <ul><li>Windows uses the Local and LocalLow folders for application data that does not roam with the user. (Usually this data is either machine specific or too large to roam.) </li></ul><ul><li>The AppDataLocal folder in Windows Vista is the same as the Documents and Settings username Local SettingsApplication Data folder in Windows XP. </li></ul><ul><li>Windows uses the Roaming folder for application specific data, such as custom dictionaries, which are machine independent and should roam with the user profile. </li></ul>
  11. 11. Default Folder Organization <ul><li>Webdav--Web-based Distributed Authoring and Versioning. </li></ul>
  12. 12. Special Folders: IE Protected Mode IE Protected Mode
  13. 13. File and Folder Virtualization <ul><li>User Access Control: </li></ul><ul><li>Non-administrative writes to </li></ul><ul><li>Windows </li></ul><ul><li>Program Files </li></ul><ul><li>Program Data </li></ul><ul><li>Are written to %LOCALAPPDATA%VirtualStore </li></ul><ul><li>(Excluded binary executables: .exe, .dll, .sys.) </li></ul>UAC References
  14. 14. File and Folder Virtualization
  15. 15. Registry Virtualization <ul><li>Virtualize (HKEY_LOCAL_MACHINESOFTWARE) </li></ul><ul><li>Non-administrator writes are redirect to: HKEY_CURRENT_USERSoftwareClassesVirtualStoreMACHINESOFTWARE </li></ul><ul><li>Keys excluded from virtualization </li></ul><ul><ul><li>HKEY_LOCAL_MACHINESoftwareClasses </li></ul></ul><ul><ul><li>HKEY_LOCAL_MACHINE SoftwareMicrosoftWindows </li></ul></ul><ul><ul><li>HKEY_LOCAL_MACHINE SoftwareMicrosoftWindows NT </li></ul></ul>
  16. 16. Registry Virtualization The virtualized registry entries are stored here.
  17. 17. Registry Virtualization <ul><li>Location of the registry hive file for the VirtualStore </li></ul><ul><ul><li>Is NOT the user’s NTUSER.DAT </li></ul></ul><ul><ul><li>It is stored in the user’s UsrClass.dat </li></ul></ul><ul><ul><li>Users[user]AppDataLocalMicrosoftWindowsUsrClass.dat </li></ul></ul><ul><li>Investigation of Vista or Windows 2008 requires the investigator to examine at least two account specific registry hive files for each user account. </li></ul><ul><ul><li>NTUSER.DAT </li></ul></ul><ul><ul><li>UsrClass.dat </li></ul></ul>
  18. 18. Pstore-Protected Storage <ul><li>Windows 2000, XP, and Windows 2003 </li></ul><ul><ul><li>Pstore used to store passwords for Internet Explorer and Outlook Express. </li></ul></ul><ul><li>HKEY_CURRENT_USERSoftwareMicrosoftProtected Storage System Provider </li></ul><ul><li>Vista and Windows 2008 </li></ul><ul><ul><li>Pstore is only available for read-only operations. </li></ul></ul><ul><ul><li>Deprecated in favor of stronger data protection. </li></ul></ul><ul><ul><ul><li>CryptProtectData and CryptUnprotectData </li></ul></ul></ul><ul><ul><li> </li></ul></ul><ul><ul><li> </li></ul></ul>
  19. 19. Transactional Registry <ul><li>Related to TxF—also built on the Kernel Transaction Manager </li></ul><ul><li>See </li></ul><ul><li>TxR allows applications to perform registry operations in a transacted manner. </li></ul><ul><ul><li>Typical scenario: software installation. </li></ul></ul><ul><ul><li>Files copied to file system and information to the registry as a single operation. </li></ul></ul><ul><ul><li>In the event of failure, registry modification rolled back or discarded. </li></ul></ul>
  20. 20. Transactional Registry
  21. 21. Superfetch <ul><li>Successor to Prefetch; still housed at C:WindowsPrefetch. </li></ul><ul><li>Superfetch consists of database and prefetch files. </li></ul><ul><li>Collects and mines page usage data from the kernel. </li></ul><ul><li>Eliminates demand paging by having useful pages already in memory and maintained there. </li></ul><ul><li>Uses idle disk periods to bring valuable files and pages into memory in anticipation of user demand. </li></ul><ul><li>May not be enabled on Windows 2008. </li></ul>
  22. 22. Superfetch <ul><li>Prefetch file contain information about files and other resources that should be loaded on boot or application start. </li></ul><ul><li>System boot prefetch file: </li></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><li>Application prefetch file: </li></ul><ul><ul><li> </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><li>Path hashes can be identical across systems (but not always). </li></ul><ul><li>Can reveal data files and dependencies. </li></ul>
  23. 23. Superfetch <ul><li>Ramifications of prefetch files: </li></ul><ul><ul><li>The existence of a prefetch file indicates that the application named by the prefetch file was run . </li></ul></ul><ul><ul><li>The creation date of a prefetch file can indicate when the named application was first run . </li></ul></ul><ul><ul><li>The modification date of a prefetch file can indicate when the named application was last run . </li></ul></ul><ul><li>Examination of prefetch file internals can reveal the other facts about an application: </li></ul><ul><ul><li>When the application was last run, and </li></ul></ul><ul><ul><li>How many times the application has been run. </li></ul></ul>
  24. 24. Superfetch
  25. 25. Superfetch <ul><li>Prefetch files maintain a list of directories and files whose pages are to be loaded when the application is run. </li></ul>
  26. 26. Superfetch
  27. 27. Thumbcache
  28. 28. Thumbcache <ul><li>C:UsersusernameAppDataLocalMicrosoftWindowsExplorer </li></ul><ul><li>The thumbnail cache is now tied to a user account. Each account profile maintains its own thumbnail cache. </li></ul><ul><li>Created by Explorer when presenting “picture” icons. </li></ul><ul><li>File format is different from the previous thumbs.db file. </li></ul>
  29. 29. Thumbcache <ul><ul><li>The thumbnail cache folders ending with numbers contain embedded images. </li></ul></ul><ul><ul><li>Thumbcache_1024.db and thumbcache_256.db contain jpeg images. </li></ul></ul><ul><ul><li>Thumbcache_96.db and thumbcache_32.db contain bitmap images. </li></ul></ul><ul><ul><li>Thumbcache_idx.db is the index. </li></ul></ul>
  30. 30. Thumbcache <ul><li>Identify and carve out images. </li></ul><ul><li>Note CMMM record header. </li></ul>
  31. 31. Thumbcache <ul><li>Identify and carve out images. </li></ul><ul><li>Note CMMM record header. </li></ul>
  32. 32. Thumbcache
  33. 33. Thumbcache <ul><li>There is always the easier way . . . </li></ul>
  34. 34. Event Logs <ul><li>New event log file format. </li></ul><ul><li>Event log files now have .evtx extension. </li></ul><ul><li>Event logs are stored in C:WindowsSystem32winevtLogs </li></ul><ul><li>Log files will open in event viewer by clicking on them. </li></ul>
  35. 35. Event Logs <ul><li>Note the use of the standard Windows file time format. Other information is available from raw logs. </li></ul>
  36. 36. Event Logs <ul><li>Security audit events for Microsoft Windows Server 2008 and Microsoft Windows Vista </li></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><li>int for(ensic){blog;} </li></ul></ul><ul><ul><ul><li>http:// / </li></ul></ul></ul>
  37. 37. Setupapi.log The location of the setupapi.log file has been changed. The new location is:
  38. 38. Volume Shadow Copy <ul><li>Volume shadow copies are bit level differential backups of a volume. </li></ul><ul><ul><li>16 KB blocks. </li></ul></ul><ul><li>Typically, shadow copies are created when a system boots up. Can be created at other times. </li></ul><ul><li>The shadow copy service is enabled by default on Vista, but not on Windows 2008. </li></ul><ul><li>Shadow copies reside in the System Volume Information folder. </li></ul>
  39. 39. Volume Shadow Copy <ul><li>Shadow copies are the source data for Restore Points and the Restore Previous Versions features. </li></ul><ul><li>Shadow copies provide a “snapshot” of a volume at a particular time. </li></ul><ul><li>Shadow copies can show how files have been altered. </li></ul><ul><li>Shadow copies can retain data that has later been deleted, wiped, or encrypted. </li></ul>
  40. 40. Volume Shadow Copy
  41. 41. Volume Shadow Copy
  42. 42. Volume Shadow Copy
  43. 43. Volume Shadow Copy vssadmin list shadows /for=[volume]:
  44. 44. Volume Shadow Copy
  45. 45. Volume Shadow Copy Shadow copies can be exposed through symbolic links.
  46. 46. Volume Shadow Copy Mklink /d C:{test-shadow} GLOBALROOTDeviceHarddiskVolumeShadowCopy3
  47. 47. Volume Shadow Copy Shadow copy is addressed as GLOBALROOTDeviceHarddiskVolumeShadowCopy3
  48. 48. Volume Shadow Copy
  49. 49. Volume Shadow Copy
  50. 50. Volume Shadow Copy Shadow copies can be mounted as volumes using dosdev.exe.
  51. 51. Volume Shadow Copy Dosdev y: GLOBALROOTDeviceHarddiskVolumeShadowCopy2
  52. 52. Volume Shadow Copy Shadow copy is addressed as GLOBALROOTDeviceHarddiskVolumeShadowCopy2
  53. 53. Volume Shadow Copy
  54. 54. Volume Shadow Copy <ul><li>Volume Shadows can be mounted directly as network shares. </li></ul>
  55. 55. Volume Shadow Copy <ul><li>net share testshadow=HarddiskVolumeShadowCopy11 </li></ul>
  56. 56. Volume Shadow Copy <ul><li>Shadow copy is addressed as HarddiskVolumeShadowCopy11 </li></ul>
  57. 57. Volume Shadow Copy
  58. 58. Volume Shadow Copy
  59. 59. Volume Shadow Copy
  60. 60. Volume Shadow Copy <ul><li>  </li></ul><ul><li>> psexec computername] vssadmin list shadows  /for=C: </li></ul><ul><li>   </li></ul><ul><li>> psexec computername] net share testshadow=HarddiskVolumeShadowCopy20 </li></ul><ul><li>  </li></ul><ul><li>PsExec v1.94 - Execute processes remotely </li></ul><ul><ul><li>. . . </li></ul></ul><ul><li>  testshadow was shared successfully. </li></ul><ul><li>net exited on [computername] with error code 0. </li></ul><ul><li>   </li></ul><ul><li>> robocopy /S /R:1 /W:1 /LOG:D:VSStestcopylog.txt computername] estshadow D:vssTest </li></ul><ul><li>  </li></ul><ul><li>  Log File : D:VSStestcopylog.txt </li></ul><ul><li>. . . </li></ul>
  61. 61. Volume Shadow Copy Shadow copies can be imaged.
  62. 62. Volume Shadow Copy dd.Exe –v if= HarddiskVolumeShadowCopy4 of=K:shadow4.dd --localwrt
  63. 63. Volume Shadow Copy Shadow copy is addressed as HarddiskVolumeShadowCopy4
  64. 64. Volume Shadow Copy Images of shadow copies can be opened in forensics tools and appear as logical volumes.
  65. 65. Volume Shadow Copy
  66. 66. Volume Shadow Copy Compare the imaged version to the mounted shadow copy.
  67. 67. Volume Shadow Copy Deleted data is captured by shadow copies, and is available for retrieval in shadow copy images.
  68. 68. Volume Shadow Copy Every shadow copy data set should approximate the size of the original volume. Thus, a conundrum: How to gather all the shadow copy data? Amount of case data=(number of shadow copies) x (size of the volume)+(size of the volume).
  69. 69. Volume Shadow Copy <ul><li>Shadow copies break if the physical location of their files is changed in the volume. </li></ul><ul><li>Vista/2008 shadow copies are only recognized by Vista/2008. </li></ul><ul><li>Must have an image that mounts on Vista/2008 and preserves the physical location of the shadow copy files. </li></ul><ul><li>How to collect viable disk images for shadow copy retrieval? </li></ul>
  70. 70. Volume Shadow Copy <ul><li>Hyper-V will create a VHD from a physical disk. </li></ul>
  71. 71. Volume Shadow Copy <ul><li>Mount VHDs with vhdmount.exe (Microsoft Virtual Server 2005 R2). </li></ul>Vhdmount /m “E:VSSTest.vhd”
  72. 72. Volume Shadow Copy
  73. 73. Volume Shadow Copy <ul><li>Disk images  Encase Physical Disk Emulator. </li></ul><ul><li>New SOP for Vista? </li></ul><ul><ul><li>Create two evidentiary images: </li></ul></ul><ul><ul><ul><li>Standard bit-stream image (e.g., dd.exe). </li></ul></ul></ul><ul><ul><ul><li>Image to a VHD through Hyper-V. </li></ul></ul></ul>
  74. 74. Finally