Published on

Published in: Education
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Windows Forensics
  2. 2. File SystemsQuick overview
  3. 3. File System• Created by the OS and has the following functions:  To manage available storage space effectively.  To index files.  Provide operations such as coyting deleting……..• To carry out its functions file Sys must:  Provide a std format for naming.  Link file name to actual data.  Keep record all data storage allocated to a file.
  4. 4. FAT• Most widely used.• Works extensively with clusters and sectors.• Smallest unit of space is Sector(512 bytes). E.g 60 GB HDD will have 60x10(9)/512=117187500 or more than 117 million sectors.• FAT groups this sectors into clusters(also known ass allocation units) and stores files clusterwise.• Cluster is the smallest unit of space allocated to a file.• New file always allocated to an empty cluster. Cluster size can range from group of 4 sectors to groups of 64 or 128 sectors
  5. 5. FAT• FAT sys has two major components:  Directory entry for file:stores attributes such as name , size, start cluster, date, etc. This entry is 32 bytes. (called metadata).  FAT: Tracks cluster chaining. Every cluster of a file has FAT entry. Winhex to recover data
  6. 6. File Systems: FAT• FAT12, FAT16, FAT32 – different size of addressable cluster• Common format for floppy disks (remember those?)• Limited time/date information for FAT files – Last write date/time is always available – Creation date/time is optional and may not be available – Last access DATE ONLY is optional and may not be available• No security features
  7. 7. File Systems: Partitions• Physical disk divided into logical partitions• Logical partitions may not be mounted or may be in a format the running O/S does not recognize (e.g., dual boot system)• Formats: – DOS (most common) – Apple – Solaris – BSD – RAID (can cause difficulties for investigators if disk slices have to be reconstructed manually)
  8. 8. NTFS New Technology File Sys• Mores stable and secure, performs with greater speed.• Used in Windows OS such as XP,Vista and Nw OS such as Windows NT, 2000 , 2003 , ETC.• Components:  Master File Table :similar to directory entry in FAT.  Bitmap : similar to FAT but does not contain cluster chaining info. Winhex to recover data
  9. 9. File System Forensic Artifacts• Active files – contents (data blocks) – metadata (owner, MAC times) – permissions (ACLs) – who is using it now (not in a static analysis)• Deleted files – full contents (sometimes, depends on usage) – partial contents (via carving) – metadata (sometimes, depends on O/S) – deletion times
  10. 10. File Deletion: Windows• FAT file deletion – Directory entry has first character changed to 0xE5 – Directory entry contains first cluster number (index into FAT); this isn’t lost when file is deleted – Other FAT entries for file are cleared• NTFS file deletion – IN_USE flag on MFT entry for file is cleared – Parent directory entry is removed and directory is re-sorted – Data clusters marked as unallocated – Filename is likely to be lost, but since MFT entry isn’t destroyed, file data may be recoverable – Dates aren’t lost – Caveat: NTFS reuses MFT entries before creating new ones, so recoverable deleted files are probably recently deleted ones
  11. 11. File Rename, Move• When a file is renamed under Windows, old directory entry is deleted and new one created• Starting cluster is the same for each• Establishing that a user moved or renamed a file can provide evidence that the user knew of the file’s existence
  12. 12. Useful Files withForensic Content
  13. 13. Windows Shortcut Files• In Desktop, Recent, etc. directories• *.lnk files• Give information about configuration of desktop• Existence of desktop shortcuts (even if the shortcut files are deleted) can…• …establish that user knew of the existence of the files• …establish that user organized files• e.g., can be used to dismiss claims that child pornography or illegal copies of software were “accidentally” downloaded in a bulk download operation
  14. 14. Windows Recycle Bin• Indirect file deletion facility• Mimics functionality of a trashcan – Place “garbage” into the can – You can change your mind about the “garbage” and remove it, until… – …trash is emptied, then it’s “gone”• Files are moved into a special directory• Deleted only when user empties
  15. 15. Windows Recycle Bin: Closer Look• In Win2K/XP, RECYCLER• In 95/98, RECYCLED• On dragging a file to recycle bin: – File entry deleted from directory – File entry created in recycle bin directory – Data added to INFO/INFO2 file in the recycle bin• INFO file contains critical info, including deletion time• Presence of deletion info in INFO file generally indicates that the file was intentionally deleted
  16. 16. INFO file: Closer Look• INFO file is binary, but format is documented• For each file in the recycle bin, contains: – Original pathname of file – Time and date of file deletion – New pathname in the recycle bin – Index in the recycle bin – Can be used to establish the order in which files were deleted• Popular commercial forensics packages parse INFO files – e.g., Encase
  17. 17. Windows Print Spool Files• *.spl, *.shd files• .shd file contains information about the file being printed• .spl file contains info to render the contents of the file to be printed• Presence of .shd files can be used in a similar fashion as for shortcut files…• …shows knowledge of existence of files and a deliberate attempt to access (print) the contents of the file
  18. 18. Registry Forensics
  19. 19. Case Study:Registry ForensicsCase Study – Department manager alleges that individual copied confidential information on DVD. – No DVD burner was issued or found. – Laptop was analyzed. – Found USB device entry in registry: PLEXTOR DVDR PX-708A – Found software key for Nero - Burning ROM in registry – Therefore, looked for and found Nero compilation files (.nrc). Found other compilation files, including ISO image files. – Image files contained DVD-format and AVI format versions of copyrighted movies.Conclusion: No evidence that company information was burned to disk. However,laptop was used to burn copyrighted material and employee had lied.
  20. 20. Case Study:Registry ForensicsConclusion No evidence that company information was burnedto disk. However, laptop was used to burn copyrightedmaterial and employee had lied.
  21. 21. Registry Hive• The five most hierarchal folders are called hives and begin with .HKEY (an abbreviation for Handle to a Key).• Although five hives can be seen, only two of these are actually real, HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM).• The other three are shortcuts or aliases to branches within one of the two hives.
  22. 22. The structure of the Registry• Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level
  23. 23. Registry HiveHKEY_CLASSES_ROOT (HKCR)• Information stored here ensures that the correct program opens when it is executed in Windows Explorer. It also contains further details on drag-and-drop rules, shortcuts,and information on the user interface. Alias for: HKLMSoftwareClasses Although five hives can be seen, only two of these are actually real, HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). The other three are shortcuts or aliases to branches within one of the two hives.
  24. 24. Registry HiveHKEY_CURRENT_USER (HKCU)• Contains configuration information for the user who is currently logged into the system, including user.s folders, screen colors, and Control Panel settings. Alias for a user specific branch in HKEY_USERS. The generic information usually applies to all users and is HKU.DEFAULT.
  25. 25. Registry HiveHKEY_LOCAL_MACHINE (HKLM)• Contains machine hardware-specific information that the operating system runs on.It includes a list of drives mounted on the system and generic configurations of installed hardware and applications.
  26. 26. Registry HiveHKEY_USERS (HKU)• Contains configuration information of all user profiles on the system, which concerns application configurations, and visual settings.HKEY_CURRENT_CONFIG (HCU)• Stores information about the systems current configuration. Alias for:HKLMConfigprofile
  27. 27. • The Windows Registry1 is a hierarchal database used to store information about the system.• The Registry takes the place of the configuration files (config.sys, autoexec.bat, win.ini, system.ini)• The various hives or sections of the Registry that are persistent on the system can be found in files located in the %SYSTEMROOT %system32config folder.
  28. 28. • Exception: The file that comprises the configuration settings for a specific user is found in that user’s ‘‘Documents and Settings’’ folder.
  29. 29. The Registry as a log file• ‘‘LastWrite’’ time: last modification time of a file.• The forensic analyst may have a copy of the file, and the last modification time, but may not be able to determine what was changed in the file.
  30. 30. What’s in the Registry• 1.Autostart locations• 2.User activity
  31. 31. Autostart locations• Used by a great many pieces of malware to remain persistent on the victim system.• Example: HKEY_CURRENT_USERSoftwareMicros- oftWindowsCurrentVersionRun
  32. 32. User activity• Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level
  33. 33. MRU• MRU ( most recently used ) lists.• There are a number of values named for letters of the alphabet; in this case, from a through g. The MRU List entry maintains a list of which value has been most recently used.
  34. 34. USB removable storage• Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level
  35. 35. Device ID• The device ID for a specific device identified.• It should be noted that not all USB thumb drives will have a serial number.
  36. 36. Wireless SSIDs• SSIDs (service set identifiers)• This shows you which wireless networks you’ve connected to, and if you travel and make use of the ubiquitous wireless hotspots, you’ll see quite a few entries there.
  37. 37. Registry: A Wealth of InformationInformation that can be recovered include: – System Configuration – Devices on the System – User Names – Personal Settings and Browser Preferences – Web Browsing Activity – Files Opened – Programs Executed – Passwords
  38. 38. Registry History• Before the Windows Registry: (DOS, Windows 3.x) – INI files – SYSTEM.INI – This file controlled all the hardware on the computer system. – WIN.INI – This file controlled all the desktop and applications on the computer system.• Individual applications also utilized their own INI files that are linked to the WIN.INI.
  39. 39. Registry History: INI File Problems• Proliferation of INI files.• Other problems – Slow access – No standards – Fragmented – Lack of network support – Size limitations
  40. 40. Registry History• The Windows 3.x OS also contained a file called REG.DAT.• The REG.DAT was utilized to store information about Object Link Embedding (OLE) objects.
  41. 41. Registry History• The Windows 9x/NT 3.5 Operating System is composed of the following files: – System.dat – Utilized for system settings. (Win 9x/NT) – User.dat – One profile for each use with unique settings specific to the user. (Win 9x/NT) – Classes.dat – Utilized for program associations, context menus and file types. (Win Me only)• To provide redundancy, a back-up of the registry was made after each boot of the computer system. These files are identified as: – System.dao (Win 95) – User.dao (Win 95) – (Windows 98/Me)
  42. 42. Registry History• If there are numerous users on a computer system, the following issues arise: – The User.dat file for each individual will be different as to the content. – If all users on the computer system utilize the same profile, the information will all be mingled in the User.dat and will be difficult if not impossible to segregate the data. – On Windows 9.x systems, the User.dat file for the default user is utilized to create the User.dat files for all new profiles.
  43. 43. Registry Definition• The Microsoft Computer Dictionary defines the registry as: – A central hierarchical database used in the Microsoft Windows family of Operating Systems to store information necessary to configure the system for one or more users, applications and hardware devices. – The registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can crate, property sheet settings for folders and application icons, what hardware exists on the system and the ports that are being sued.
  44. 44. Registry Definition• The registry was developed to overcome the restrictions of the INI and REG.DAT files.• The registry is composed of two pieces of information: – System-Wide Information – This is data about software and hardware settings. This information tends to be apply to all users of the computer. – User Specific Information – This is data about an individual configuration. This information is specific to a user’s profile.
  45. 45. Registry Organization• The Windows registry contains the following: – Hives are utilized by the registry to store data on itself. – Hives are stored in a variety of files that are dependent on the Windows Operating System that is being utilized.
  46. 46. Windows 9x Registry Filename Location Contentsystem.dat C:Windows Protected storage area for all users All installed programs and their settings System settingsuser.dat C:Windows Most RecentlyIf there are multiple user Used (MRU) filesprofiles, each user has an User preferenceindividual user.dat file in settingswindowsprofilesuseraccount
  47. 47. Windows XP Registry Filename Location Contentntuser.dat Documents and Protected storage areaIf there are multiple user Settingsuser account for userprofiles, each user has an Most Recently Usedindividual user.dat file in (MRU) fileswindowsprofilesuser User preference settingsaccountDefault Windowssystem32config System settingsSAM Windowssystem32config User account management and security settingsSecurity Windowssystem32config Security settingsSoftware Windowssystem32config All installed programs and their settingsSystem Windowssystem32config System settings
  48. 48. Registry Organization• Root Keys – HKEY_CLASSES_ROOT (HKCR) – Contains information in order that the correct program opens when executing a file with Windows Explorer. – HKEY_CURRENT_USER (HKCU) – Contains the profile (settings, etc) about the user that is logged in. – HKEY_LOCAL_MACHINE (HKLM) – Contains system-wide hardware settings and configuration information. – HKEY_USERS (HKU) – Contains the root of all user profiles that exist on the system. – HKEY_CURRENT_CONFIG (HKCC) – Contains information about the hardware profile used by the computer during start up.• Sub Keys – These are essentially sub directories that exist under the Root Keys.
  49. 49. Registry Organization• Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level
  50. 50. Windows Security and Relative ID• The Windows Registry utilizes a alphanumeric combination to uniquely identify a security principal or security group.• The Security ID (SID) is used to identify the computer system.• The Relative ID (RID) is used to identity the specific user on the computer system.• The SID appears as: – S-1-5-21-927890586-3685698554-67682326-1005
  51. 51. SID Examples SID: S-1-0Name: Null AuthorityDescription: An identifier authority. – SID: S-1-0-0 Name: Nobody Description: No security principal. – SID: S-1-1 Name: World Authority Description: An identifier authority. – SID: S-1-1-0 Name: Everyone Description: A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system. – SID: S-1-2 Name: Local Authority Description: An identifier authority. – SID: S-1-3 Name: Creator Authority Description: An identifier authority.
  52. 52. SID• Security ID – NT/2000/XP/2003 – HKLM>SAM>Domains>Accounts>Aliases>Members • This key will provide information on the computer identifier – HKLM>SAM>Domains>Users • This key will provide information in hexadecimal – User ID • Administrator – 500 • Guest – 501 – Global Groups ID • Administrators – 512 • Users – 513 • Guest - 514
  53. 53. MRU• To identify the Most Recently Used (MRU) files on a suspect computer system: – Windows 9x/Me – User.dat • Search should be made for MRU, LRU, Recent – Windows NT/2000 – Ntuser.dat • Search should be made for MRU, LRU, Recent – Windows XP/2003 – HKU>UserSID>Software>Microsoft>Windows> – CurrentVersion>Explorer>RecentDoc – Select file extension and select item
  54. 54. Registry Forensics• Registry keys have last modified time-stamp – Stored as FILETIME structure – like MAC for files – Not accessible through reg-edit – Accessible in binary.
  55. 55. Registry Forensics• Registry Analysis: – Perform a GUI-based live-system analysis. – Easiest, but most likely to incur changes. – Use regedit. – Perform a command-line live-system analysis – Less risky – Use “reg” command. – Remote live system analysis – regedit allows access to a remote registry – Superscan from Foundstone – Offline analysis on registry files. – Encase, FTK (Access data) have specialized tools – regedit on registry dump.
  56. 56. Registry Forensics Websites
  57. 57. Registry Forensics: NTUSER.DAT• Internet Explorer – IE auto logon and password – IE search terms – IE settings – Typed URLs – Auto-complete passwords
  58. 58. Registry Forensics: NTUSER.DAT IE explorer Typed URLs
  59. 59. Registry Forensics: NTUSER.DAT• MSN Messenger – IM groups, contacts, … – Location of message history files – Location of saved contact list files
  60. 60. Registry Forensics: NTUSER.DATLast member name in MSN messenger
  61. 61. Registry Forensics: NTUSER.DAT• Outlook express account passwords
  62. 62. Registry Forensics• Yahoo messenger – Chat rooms – Alternate user identities – Last logged in user – Encrypted password – Recent contacts – Registered screen names
  63. 63. Registry Forensics• System: – Computer name – Dynamic disks – Install dates – Last user logged in – Mounted devices – Windows OS product key – Registered owner – Programs run automatically – System’s USB devices
  64. 64. Registry Forensics
  65. 65. Registry Forensics USB Devices
  66. 66. Registry Forensics• Networking – Local groups – Local users – Map network drive MRU – Printers
  67. 67. Registry ForensicsList of applications and filenames of the mostrecent files opened in windows
  68. 68. Registry ForensicsMost recent saved (or copied) files
  69. 69. Registry Forensics• System – Recent documents – Recent commands entered in Windows run box – Programs that run automatically – Startup software – Good place to look for Trojans
  70. 70. Registry Forensics• User Application Data – Adobe products – IM contacts – Search terms in google – Kazaa data – Windows media player data – Word recent docs and user info – Access, Excel, Outlook, Powerpoint recent files
  71. 71. Registry Forensics Investigation• Forensics tools allow registry investigation from image of drive• Differences between life and offline view – No HARDWARE hive (HKLM) – Dynamic key, created at boot – No virtual keys such as HKEY_CURRENT_USER – Derived from SID key under HKEY_USERS – Source file is NTUSER.DAT – Do not confuse current and repair versions of registry files – %SystemRoot%system32config (TRUE registry) – %SystemRoot%repair (repair version of registry)
  72. 72. Registry Forensics Investigation• Forensics search can reveal backups of registry – Intruders leave these behind when resetting registry in order not to damage system
  73. 73. Registry Forensics Investigation• Software Key – Installed Software – Registry keys are usually created with installation – But not deleted when program is uninstalled – Find them • Root of the software key – Beware of bogus names • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp Paths • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall – If suspicious, use information from the registry to find the actual code – Registry time stamps will confirm the file MAC data or show them to be altered
  74. 74. Registry Forensics Investigation• Software Key – Last Logon – HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinLogon – Logon Banner Text / Legal Notice – HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinLogon – Security Center Settings – HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center – HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicy • If firewall logging is enabled, the log is typically at %SystemRoot%/pfirewall.log
  75. 75. Registry Forensics Investigation
  76. 76. Registry Forensics Investigation• Analyze Restore Point Settings – Restore points developed for Win ME / XP – Restore point settings at – HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSystemRestore – Restore points created every RPGlobalInterval value seconds (~every 24h) – Retention period is RPLifeInterval seconds (default 90 days) – Restore point taking in ON by default – Restore points in System Volume Informationrestore…
  77. 77. Registry Forensics Investigation• Aside: How to access restore points – Restore points are protected from user, including administrator – Administrator can add her/himself to the access list of the system volume directory – Turn off “Use simple file sharing” in Control Panel  Folder Options – Click on “Properties” of the directory in Explorer and
  78. 78. Registry Forensics Investigation• Restore point – makes copies of important system and program files that were added since the last restore points – Files • Stored in root of RP### folder • Names have changed • File extension is unchanged • Name changes kept in change.log file – Registry data • in Snapshot folder • Names have changed, but predictably so
  79. 79. Registry Forensics Investigation• SID (security identifier) – Well-known SIDs – SID: S-1-0 Name: Null Authority – SID: S-1-5-2 Name: Network – S-1-5-21-2553256115-2633344321-4076599324-1006 – S string is SID – 1 revision number – 5 authority level (from 0 to 5) – 21-2553256115-2633344321-4076599324 domain or local computer identifier – 1006 RID – Relative identifier• Local SAM resolves SID for locally authenticated users (not domain users) – Use recycle bin to check for owners
  80. 80. Registry Forensics Investigation Resolving local SIDs through the Recycle Bin (life view)
  81. 81. Registry Forensics Investigation• Protected Storage System Provider data – Located in NTUSER.DATSoftwareMicrosoft Protected Storage System Provider – Various tools will reveal contents – Forensically, AccessData Registry Viewer – Secret Explorer – Cain & Abel – Protected Storage PassView v1.63
  82. 82. Registry Forensics Investigation• MRU: Most Recently Used – HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersio nExlorerRunMRU – HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersio nExlorerMap Network Drive MRU – HKEY_CURRENT_USERPrintersSettingsWizardConnectMRU – HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersio nExlorerComDlg32 – Programs and files opened by them – Files opened and saved – HKEY_CURRENT_USERSOFTWAREMicrosoftSearch AssistantACMru
  83. 83. Registry Forensics Investigation
  84. 84. Registry Forensics Investigation
  85. 85. Registry Forensics Investigation
  86. 86. Registry Forensics Investigation• AutoRun Programs – Long list of locations in registry – Long list of locations outside the registry – SystemDriveautoexec.bat – SystemDriveconfig.exe – Windirwininit.ini – Windirwinstart.bat – Windirwin.ini – Windirsystem.ini – Windirdosstart.bat – Windirsystemautoexec.nt – Windirsystemconfig.nt – Windirsystem32autochk.exe
  87. 87. Registry Forensics Investigation• Rootkit Enabler – Attacker can use AppInit_DLL key to run own DLL.
  88. 88. Mining Thumbs.db• Thumbs.db contains cached thumbnails of the images in a folder.• embedded data present in the Thumbs.db file• the images may have been deleted from the directory but they may still be available in the thumbs.db cache!
  89. 89. QUICK FTK DEMO(“Point and click” digital forensics)
  90. 90. FTK Screenshots: New Case
  91. 91. FTK Screenshots: Investigation Begins
  92. 92. FTK Screenshots: Case Summary
  93. 93. FTK Screenshots: Thumbnail View
  94. 94. An Investigative Sampler• Impossible to illustrate many traditional forensics techniques in a short time• Idea: quickly illustrate diversity of available techniques with a few examples• Windows Registry• Swap File• Hibernation File• Recycle Bin• Print Spool Files• Filesystem Internals• File Carving• Slack Space• (similar structures on Linux, Mac OS X, etc.)
  95. 95. Windows Registry• Can be a forensics goldmine• Lots of information, fairly difficult to “clean”• Usernames• Internet history• Program installation information• Recently accessed files• USB device history• In this tutorial, just a few examples
  96. 96. Accessing Registry Files (Live)Image themachine-- or –Use “ObtainProtected Files”in the FTKImager
  97. 97. FTK Registry Viewer
  98. 98. NTUSER.dat file
  99. 99. NTUSER.dat file
  100. 100. NTUSER.dat file
  101. 101. NTUSER.dat file
  102. 102. NTUSER.dat file
  103. 103. NTUSER.dat file
  104. 104. SAM file
  105. 105. SOFTWARE file
  106. 106. SOFTWARE file
  107. 107. ** VERY IMPORTANT **“Select” key chooseswhich control set is current,which is “last known good”configuration SYSTEM file
  108. 108. SYSTEM file
  109. 109. Two JumpdriveElite thumbdrives750GB USB harddrives (same type) SYSTEM file
  110. 110. More Registry• Other useful info obtainable from the registry: – CPU type – Network interface information – IP addresses, default gateway, DHCP configuration, … – Installed software – Installed hardware• Registry information “gotchas” – redundant, undocumented information – profile cloning on older versions of Windows (95/98) – (e.g., typed URLs, browser history, My Documents, …)