Windowsforensics

File System
• Created by the OS and has the following functions:
 To manage available storage space effectively.
 To index files.
 Provide operations such as coyting deleting……..

• To carry out its functions file Sys must:
 Provide a std format for naming.
 Link file name to actual data.
 Keep record all data storage allocated to a file.

FAT
• Most widely used.
• Works extensively with clusters and sectors.
• Smallest unit of space is Sector(512 bytes). E.g 60 GB HDD
will have 60x10(9)/512=117187500 or more than 117 million
sectors.
• FAT groups this sectors into clusters(also known ass allocation
units) and stores files clusterwise.
• Cluster is the smallest unit of space allocated to a file.
• New file always allocated to an empty cluster. Cluster size can
range from group of 4 sectors to groups of 64 or 128 sectors

FAT
• FAT sys has two major components:
 Directory entry for file:stores attributes such as name , size, start
cluster, date, etc. This entry is 32 bytes. (called metadata).
 FAT: Tracks cluster chaining. Every cluster of a file has FAT entry.

Winhex to recover data

File Systems: FAT
• FAT12, FAT16, FAT32
– different size of addressable cluster
• Common format for floppy disks (remember those?)
• Limited time/date information for FAT files
– Last write date/time is always available
– Creation date/time is optional and may not be available
– Last access DATE ONLY is optional and may not be available
• No security features

File Systems: Partitions
• Physical disk divided into logical partitions
• Logical partitions may not be mounted or may be in a format
the running O/S does not recognize (e.g., dual boot system)
• Formats:
– DOS (most common)
– Apple
– Solaris
– BSD
– RAID (can cause difficulties for investigators if disk slices have to be
reconstructed manually)

NTFS
New Technology File Sys
• Mores stable and secure, performs with greater speed.
• Used in Windows OS such as XP,Vista and Nw OS such as
Windows NT, 2000 , 2003 , ETC.
• Components:
 Master File Table :similar to directory entry in FAT.
 Bitmap : similar to FAT but does not contain cluster chaining info.

Winhex to recover data

File System Forensic Artifacts
• Active files
– contents (data blocks)
– metadata (owner, MAC times)
– permissions (ACLs)
– who is using it now (not in a static analysis)
• Deleted files
– full contents (sometimes, depends on usage)
– partial contents (via carving)
– metadata (sometimes, depends on O/S)
– deletion times

File Deletion: Windows
• FAT file deletion
– Directory entry has first character changed to 0xE5
– Directory entry contains first cluster number (index into FAT); this isn’t lost when file is
deleted
– Other FAT entries for file are cleared
• NTFS file deletion
– IN_USE flag on MFT entry for file is cleared
– Parent directory entry is removed and directory is re-sorted
– Data clusters marked as unallocated
– Filename is likely to be lost, but since MFT entry isn’t destroyed, file data may be
recoverable
– Dates aren’t lost
– Caveat: NTFS reuses MFT entries before creating new ones, so recoverable deleted
files are probably recently deleted ones

File Rename, Move
• When a file is renamed under Windows, old
directory entry is deleted and new one
created
• Starting cluster is the same for each
• Establishing that a user moved or renamed a
file can provide evidence that the user knew
of the file’s existence

Useful Files with
Forensic Content

Windows Shortcut Files
• In Desktop, Recent, etc. directories
• *.lnk files
• Give information about configuration of desktop
• Existence of desktop shortcuts (even if the shortcut files are
deleted) can…
• …establish that user knew of the existence of the files
• …establish that user organized files
• e.g., can be used to dismiss claims that child pornography or
illegal copies of software were “accidentally” downloaded in a
bulk download operation

Windows Recycle Bin
• Indirect file deletion facility
• Mimics functionality of a trashcan
– Place “garbage” into the can
– You can change your mind about the “garbage” and
remove it, until…
– …trash is emptied, then it’s “gone”
• Files are moved into a special directory
• Deleted only when user empties

Windows Recycle Bin: Closer Look
• In Win2K/XP, RECYCLER
• In 95/98, RECYCLED
• On dragging a file to recycle bin:
– File entry deleted from directory
– File entry created in recycle bin directory
– Data added to INFO/INFO2 file in the recycle bin
• INFO file contains critical info, including deletion time
• Presence of deletion info in INFO file generally indicates
that the file was intentionally deleted

INFO file: Closer Look
• INFO file is binary, but format is documented
• For each file in the recycle bin, contains:
– Original pathname of file
– Time and date of file deletion
– New pathname in the recycle bin
– Index in the recycle bin
– Can be used to establish the order in which files were deleted
• Popular commercial forensics packages parse INFO files
– e.g., Encase

Windows Print Spool Files
• *.spl, *.shd files
• .shd file contains information about the file being printed
• .spl file contains info to render the contents of the file to
be printed
• Presence of .shd files can be used in a similar fashion as
for shortcut files…
• …shows knowledge of existence of files and a deliberate
attempt to access (print) the contents of the file

Case Study:Registry Forensics
Case Study
– Department manager alleges that individual copied confidential information on
DVD.
– No DVD burner was issued or found.
– Laptop was analyzed.
– Found USB device entry in registry:
PLEXTOR DVDR PX-708A
– Found software key for Nero - Burning ROM in registry
– Therefore, looked for and found Nero compilation files (.nrc). Found other
compilation files, including ISO image files.
– Image files contained DVD-format and AVI format versions of copyrighted
movies.
Conclusion: No evidence that company information was burned to disk. However,
laptop was used to burn copyrighted material and employee had lied.

Case Study:Registry Forensics
Conclusion

No evidence that company information was burned
to disk. However, laptop was used to burn copyrighted
material and employee had lied.

Registry Hive

• The five most hierarchal folders are called hives and
begin with .HKEY (an abbreviation for Handle to a Key).
• Although five hives can be seen, only two of these are
actually real, HKEY_USERS (HKU) and
HKEY_LOCAL_MACHINE (HKLM).
• The other three are shortcuts or aliases to branches
within one of the two hives.

The structure of the Registry

• Click to edit Master text styles
– Second level
– Third level
• Fourth level
– Fifth level

Registry Hive

HKEY_CLASSES_ROOT (HKCR)
• Information stored here ensures that the correct
program opens when it is executed in Windows Explorer.
It also contains further details on drag-and-drop rules,
shortcuts,and information on the user interface. Alias for:
HKLMSoftwareClasses Although five hives can be seen,
only two of these are actually real, HKEY_USERS (HKU)
and HKEY_LOCAL_MACHINE (HKLM). The other three are
shortcuts or aliases to branches within one of the two
hives.

Registry Hive

HKEY_CURRENT_USER (HKCU)
• Contains configuration information for the user who is
currently logged into the system, including user.s
folders, screen colors, and Control Panel settings. Alias
for a user specific branch in HKEY_USERS. The generic
information usually applies to all users and is
HKU.DEFAULT.

Registry Hive

HKEY_LOCAL_MACHINE (HKLM)
• Contains machine hardware-specific information that
the operating system runs on.It includes a list of drives
mounted on the system and generic configurations of
installed hardware and applications.

Registry Hive

HKEY_USERS (HKU)
• Contains configuration information of all user profiles
on the system, which concerns application
configurations, and visual settings.
HKEY_CURRENT_CONFIG (HCU)
• Stores information about the systems current
configuration. Alias for:HKLMConfigprofile

• The Windows Registry1 is a hierarchal
database used to store information about the
system.
• The Registry takes the place of the
configuration files (config.sys, autoexec.bat,
win.ini, system.ini)
• The various hives or sections of the Registry
that are persistent on the system can be
found in files located in the %SYSTEMROOT
%system32config folder.

• Exception: The file that comprises the
configuration settings for a specific user is
found in that user’s ‘‘Documents and
Settings’’ folder.

The Registry as a log file

• ‘‘LastWrite’’ time: last modification time of a
file.
• The forensic analyst may have a copy of the
file, and the last modification time, but may
not be able to determine what was changed in
the file.

What’s in the Registry

• 1.Autostart locations
• 2.User activity

Autostart locations

• Used by a great many pieces of malware to
remain persistent on the victim system.
• Example:
HKEY_CURRENT_USERSoftwareMicros-
oftWindowsCurrentVersionRun

User activity


– Second level
– Third level
• Fourth level
– Fifth level

MRU
• MRU ( most recently used ) lists.
• There are a number of values named for
letters of the alphabet; in this case, from a
through g. The MRU List entry maintains a list
of which value has been most recently used.

USB removable storage

– Second level
– Third level
• Fourth level
– Fifth level

Device ID
• The device ID for a specific device identified.
• It should be noted that not all USB thumb
drives will have a serial number.

Wireless SSIDs

• SSIDs (service set identifiers)
• This shows you which wireless networks
you’ve connected to, and if you travel and
make use of the ubiquitous wireless hotspots,
you’ll see quite a few entries there.

Registry: A Wealth of Information
Information that can be recovered include:
– System Configuration
– Devices on the System
– User Names
– Personal Settings and Browser Preferences
– Web Browsing Activity
– Files Opened
– Programs Executed
– Passwords

Registry History
• Before the Windows Registry: (DOS,
Windows 3.x)
– INI files
– SYSTEM.INI – This file controlled all the hardware on
the computer system.
– WIN.INI – This file controlled all the desktop and
applications on the computer system.
• Individual applications also utilized their
own INI files that are linked to the WIN.INI.

Registry History: INI File Problems
• Proliferation of INI files.
• Other problems
– Slow access
– No standards
– Fragmented
– Lack of network support
– Size limitations

Registry History
• The Windows 3.x OS also contained a file
called REG.DAT.
• The REG.DAT was utilized to store
information about Object Link Embedding
(OLE) objects.

Registry History
• The Windows 9x/NT 3.5 Operating System is composed of the
following files:
– System.dat – Utilized for system settings. (Win 9x/NT)
– User.dat – One profile for each use with unique settings specific to the
user. (Win 9x/NT)
– Classes.dat – Utilized for program associations, context menus and file
types. (Win Me only)
• To provide redundancy, a back-up of the registry was made after
each boot of the computer system. These files are identified as:
– System.dao (Win 95)
– User.dao (Win 95)
– Rbxxx.cab (Windows 98/Me)

Registry History
• If there are numerous users on a computer
system, the following issues arise:
– The User.dat file for each individual will be different as
to the content.
– If all users on the computer system utilize the same
profile, the information will all be mingled in the
User.dat and will be difficult if not impossible to
segregate the data.
– On Windows 9.x systems, the User.dat file for the
default user is utilized to create the User.dat files for all
new profiles.

Registry Definition
• The Microsoft Computer Dictionary defines the
registry as:
– A central hierarchical database used in the Microsoft
Windows family of Operating Systems to store information
necessary to configure the system for one or more users,
applications and hardware devices.
– The registry contains information that Windows continually
references during operation, such as profiles for each user,
the applications installed on the computer and the types of
documents that each can crate, property sheet settings for
folders and application icons, what hardware exists on the
system and the ports that are being sued.

Registry Definition
• The registry was developed to overcome the
restrictions of the INI and REG.DAT files.
• The registry is composed of two pieces of
information:
– System-Wide Information – This is data about
software and hardware settings. This information
tends to be apply to all users of the computer.
– User Specific Information – This is data about an
individual configuration. This information is specific to
a user’s profile.

Registry Organization
• The Windows registry contains the
following:
– Hives are utilized by the registry to store data
on itself.
– Hives are stored in a variety of files that are
dependent on the Windows Operating System
that is being utilized.

Windows 9x Registry
Filename Location Content

system.dat C:Windows Protected storage
area for all users
All installed
programs and their
settings
System settings

user.dat C:Windows Most Recently
If there are multiple user Used (MRU) files
profiles, each user has an User preference
individual user.dat file in settings
windowsprofilesuser
account

Windows XP Registry
Filename Location Content
ntuser.dat Documents and Protected storage area
If there are multiple user Settingsuser account for user
profiles, each user has an Most Recently Used
individual user.dat file in (MRU) files
windowsprofilesuser User preference settings
account

Default Windowssystem32config System settings
SAM Windowssystem32config User account
management and security
settings

Security Windowssystem32config Security settings
Software Windowssystem32config All installed programs and
their settings
System Windowssystem32config System settings

• Root Keys
– HKEY_CLASSES_ROOT (HKCR)
– Contains information in order that the correct program opens when executing a file with
Windows Explorer.
– HKEY_CURRENT_USER (HKCU)
– Contains the profile (settings, etc) about the user that is logged in.
– HKEY_LOCAL_MACHINE (HKLM)
– Contains system-wide hardware settings and configuration information.
– HKEY_USERS (HKU)
– Contains the root of all user profiles that exist on the system.
– HKEY_CURRENT_CONFIG (HKCC)
– Contains information about the hardware profile used by the computer during start up.
• Sub Keys – These are essentially sub directories that exist under the
Root Keys.


– Second level
– Third level
• Fourth level
– Fifth level

Windows Security and Relative ID
• The Windows Registry utilizes a alphanumeric
combination to uniquely identify a security
principal or security group.
• The Security ID (SID) is used to identify the
computer system.
• The Relative ID (RID) is used to identity the
specific user on the computer system.
• The SID appears as:
– S-1-5-21-927890586-3685698554-67682326-1005

SID Examples

SID: S-1-0
Name: Null Authority
Description: An identifier authority.
– SID: S-1-0-0
Name: Nobody
Description: No security principal.
– SID: S-1-1
Name: World Authority
– SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and guests. Membership is
controlled by the operating system.
– SID: S-1-2
Name: Local Authority
– SID: S-1-3
Name: Creator Authority

SID
• Security ID
– NT/2000/XP/2003
– HKLM>SAM>Domains>Accounts>Aliases>Members
• This key will provide information on the computer identifier
– HKLM>SAM>Domains>Users
• This key will provide information in hexadecimal
– User ID
• Administrator – 500
• Guest – 501
– Global Groups ID
• Administrators – 512
• Users – 513
• Guest - 514

MRU

• To identify the Most Recently Used (MRU) files on a
suspect computer system:
– Windows 9x/Me
– User.dat
• Search should be made for MRU, LRU, Recent
– Windows NT/2000
– Ntuser.dat
• Search should be made for MRU, LRU, Recent
– Windows XP/2003
– HKU>UserSID>Software>Microsoft>Windows>
– CurrentVersion>Explorer>RecentDoc
– Select file extension and select item

Registry Forensics
• Registry keys have last modified time-stamp
– Stored as FILETIME structure
– like MAC for files
– Not accessible through reg-edit
– Accessible in binary.

Registry Forensics

• Registry Analysis:
– Perform a GUI-based live-system analysis.
– Easiest, but most likely to incur changes.
– Use regedit.
– Perform a command-line live-system analysis
– Less risky
– Use “reg” command.
– Remote live system analysis
– regedit allows access to a remote registry
– Superscan from Foundstone
– Offline analysis on registry files.
– Encase, FTK (Access data) have specialized tools
– regedit on registry dump.

Registry Forensics

Websites

Registry Forensics: NTUSER.DAT
• Internet Explorer
– IE auto logon and password
– IE search terms
– IE settings
– Typed URLs
– Auto-complete passwords

IE explorer Typed URLs

• MSN Messenger
– IM groups, contacts, …
– Location of message history files
– Location of saved contact list files

Last member name in MSN messenger

• Outlook express account passwords

Registry Forensics
• Yahoo messenger
– Chat rooms
– Alternate user identities
– Last logged in user
– Encrypted password
– Recent contacts
– Registered screen names

Registry Forensics
• System:
– Computer name
– Dynamic disks
– Install dates
– Last user logged in
– Mounted devices
– Windows OS product key
– Registered owner
– Programs run automatically
– System’s USB devices

Registry Forensics
USB Devices

Registry Forensics

• Networking
– Local groups
– Local users
– Map network drive MRU
– Printers

Registry Forensics
List of applications and filenames of the most
recent files opened in windows

Registry Forensics
Most recent saved (or copied) files

Registry Forensics
• System
– Recent documents
– Recent commands entered in Windows run box
– Programs that run automatically
– Startup software
– Good place to look for Trojans

Registry Forensics
• User Application Data
– Adobe products
– IM contacts
– Search terms in google
– Kazaa data
– Windows media player data
– Word recent docs and user info
– Access, Excel, Outlook, Powerpoint recent files

Registry Forensics Investigation

• Forensics tools allow registry investigation from image of drive
• Differences between life and offline view
– No HARDWARE hive (HKLM)
– Dynamic key, created at boot
– No virtual keys such as HKEY_CURRENT_USER
– Derived from SID key under HKEY_USERS
– Source file is NTUSER.DAT
– Do not confuse current and repair versions of registry files
– %SystemRoot%system32config (TRUE registry)
– %SystemRoot%repair (repair version of registry)


• Forensics search can reveal backups of
registry
– Intruders leave these behind when resetting
registry in order not to damage system

• Software Key
– Installed Software
– Registry keys are usually created with installation
– But not deleted when program is uninstalled
– Find them
• Root of the software key
– Beware of bogus names
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp Paths
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall
– If suspicious, use information from the registry to find the actual code
– Registry time stamps will confirm the file MAC data or show them to be altered


• Software Key
– Last Logon
– HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinLogon
– Logon Banner Text / Legal Notice
– HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinLogon
– Security Center Settings
– HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center
– HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicy
• If firewall logging is enabled, the log is typically at %SystemRoot%/pfirewall.log

• Analyze Restore Point Settings
– Restore points developed for Win ME / XP
– Restore point settings at
– HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionSystemRestore
– Restore points created every RPGlobalInterval value seconds (~every 24h)
– Retention period is RPLifeInterval seconds (default 90 days)
– Restore point taking in ON by default
– Restore points in System Volume Informationrestore…

• Aside: How to access restore points
– Restore points are protected from user, including
administrator
– Administrator can add her/himself to the access
list of the system volume directory
– Turn off “Use simple file sharing” in Control Panel 
Folder Options
– Click on “Properties” of the directory in Explorer and

• Restore point
– makes copies of important system and program files that
were added since the last restore points
– Files
• Stored in root of RP### folder
• Names have changed
• File extension is unchanged
• Name changes kept in change.log file
– Registry data
• in Snapshot folder
• Names have changed, but predictably so

• SID (security identifier)
– Well-known SIDs
– SID: S-1-0 Name: Null Authority
– SID: S-1-5-2 Name: Network
– S-1-5-21-2553256115-2633344321-4076599324-1006
– S string is SID
– 1 revision number
– 5 authority level (from 0 to 5)
– 21-2553256115-2633344321-4076599324 domain or local computer identifier
– 1006 RID – Relative identifier
• Local SAM resolves SID for locally authenticated users (not domain users)
– Use recycle bin to check for owners


Resolving local SIDs through the Recycle Bin
(life view)

• Protected Storage System Provider data
– Located in NTUSER.DATSoftwareMicrosoft
Protected Storage System Provider
– Various tools will reveal contents
– Forensically, AccessData Registry Viewer
– Secret Explorer
– Cain & Abel
– Protected Storage PassView v1.63

• MRU: Most Recently Used
– HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersio
nExlorerRunMRU
nExlorerMap Network Drive MRU
– HKEY_CURRENT_USERPrintersSettingsWizardConnectMRU
nExlorerComDlg32
– Programs and files opened by them
– Files opened and saved
– HKEY_CURRENT_USERSOFTWAREMicrosoftSearch AssistantACMru

• AutoRun Programs
– Long list of locations in registry
– Long list of locations outside the registry
– SystemDriveautoexec.bat
– SystemDriveconfig.exe
– Windirwininit.ini
– Windirwinstart.bat
– Windirwin.ini
– Windirsystem.ini
– Windirdosstart.bat
– Windirsystemautoexec.nt
– Windirsystemconfig.nt
– Windirsystem32autochk.exe

• Rootkit Enabler
– Attacker can use AppInit_DLL key to run own DLL.

Mining Thumbs.db

• Thumbs.db contains cached thumbnails of
the images in a folder.
• embedded data present in the Thumbs.db
file
• the images may have been deleted from
the directory but they may still be
available in the thumbs.db cache!

QUICK FTK DEMO

(“Point and click” digital
forensics)

FTK Screenshots: Investigation Begins

FTK Screenshots: Thumbnail View

An Investigative Sampler
• Impossible to illustrate many traditional forensics techniques in a short time
• Idea: quickly illustrate diversity of available techniques with a few examples
• Windows Registry
• Swap File
• Hibernation File
• Recycle Bin
• Print Spool Files
• Filesystem Internals
• File Carving
• Slack Space
• (similar structures on Linux, Mac OS X, etc.)

Windows Registry
• Can be a forensics goldmine
• Lots of information, fairly difficult to “clean”
• Usernames
• Internet history
• Program installation information
• Recently accessed files
• USB device history
• In this tutorial, just a few examples

Accessing Registry Files (Live)

Image the
machine

-- or –

Use “Obtain
Protected Files”
in the FTK
Imager

** VERY IMPORTANT **

“Select” key chooses
which control set is current,
which is “last known good”
configuration

SYSTEM file

Two Jumpdrive
Elite thumbdrives

750GB USB hard
drives (same type)

SYSTEM file

More Registry
• Other useful info obtainable from the registry:
– CPU type
– Network interface information
– IP addresses, default gateway, DHCP configuration, …
– Installed software
– Installed hardware
• Registry information “gotchas”
– redundant, undocumented information
– profile cloning on older versions of Windows (95/98)
– (e.g., typed URLs, browser history, My Documents, …)

Windowsforensics

More Related Content

What's hot

Viewers also liked

Similar to Windowsforensics

More from Santosh Khadsare

Recently uploaded

Windowsforensics