Windows 7: Current Events in the World of Windows Forensics

Transcription

1 Windows 7: Current Events in the World of Windows Forensics Troy Larson Senior Forensic Program Manager Network Security, Microsoft Corp.

2 Where Are We Now? Vista & Windows 2008 BitLocker. Format-Wipes the volume. EXFAT. Event Logging format, system, scheme. Virtual Folders & Registry. Volume Shadow Copy. Links, Hard and Symbolic. Change Journal. Recycle Bin. Superfetch.

3 Where Are We Now? Windows 7 & Window 2008 R2 Updated BitLocker. BitLocker To Go. VHDs Boot from, mount as Disks. XP Mode. Flash Media Enhancements. Libraries, Sticky Notes, Jump Lists. Service and Driver triggers. I.E. 8, InPrivate Browsing, Tab and Session Recovery. Even more Volume Shadow Copy.

4 Digital Forensics Subject Matter Expertise Stack Applications e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Thanks to Eoghan Casey. Mount, Partition & Volume Managers Disk

5 Windows 7 Disk Note disk signature: 2E x1b8-1bb

6 Windows 7 Disk HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 \DiskController\0\DiskPeripheral\0 Diskpart >Automount scrub

7 Vista Disk HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\ 1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000

8 Partitions and Volumes Applications e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers Virtual Hard Drives Create Attach Detach Delete Disk

9 BitLocker: Windows 7 During installing, Windows 7 creates a System Reserved volume enabling set up of BitLocker. In Vista, the System volume was generally 1.5 GB or more.

10 BitLocker: Vista Physical level view of the header of the boot sector of a Vista BitLocker protected volume: 0xEB D D D ër-fve-fs-

11 BitLocker: Windows 7 Physical level view of the header of the boot sector of a Windows 7 BitLocker protected volume: 0xEB D D D ëx-fve-fs-

12 BitLocker: Windows 7 Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2. Forensics tools may not recognize the new BitLocker volume header. Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.

13 BitLocker Review or Imaging User Mode Kernel Mode Application File System Driver Fvevol.sys Volume Manager FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption. Once booted, Windows (and the user) sees no difference in experience. The encryption / decryption happens at below the file system.

14 BitLocker Review or Imaging User Mode Kernel Mode Application File System Driver Fvevol.sys Volume Manager

15 BitLocker Review or Imaging The More/Less information button will provide the BitLocker volume recovery key identification.

16 BitLocker Review or Imaging BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4A- CD3075CB8335.txt: BitLocker Drive Encryption Recovery Key The recovery key is used to recover the data on a BitLocker protected drive. To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen. Recovery key identification: 783F5FF9-18D4-4C Full recovery key identification: 783F5FF9-18D4-4C64-AD4A- CD3075CB8335 BitLocker Recovery Key:

17 BitLocker Review or Imaging Enter the recovery key exactly.

18 BitLocker Review or Imaging Viewed or imaged as part of a physical disk, BitLocker volumes appear encrypted.

19 BitLocker Review or Imaging To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume.

20 BitLocker Review or Imaging

21 File Systems Applications e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers Disk

22 File Systems Since Vista SP1, Format wipes while it formats. Diskpart.exe > Clean all

23 File Systems-Vista & Windows 7 NTFS Symbolic links to files, folders, and UNC paths. Beware the Application Data recursion loop. Cf. Link files. Hard links are extensively used (\Winsxs). Disabled by default: Update Last Access Date. Enabled by default: The NTFS Change Journal ($USN:$J). Transactional NTFS ($Tops:$T).

24 File Systems-Vista & Windows 7 The volume header of an EXFAT volume. Do your forensics tools read EXFAT?

25 OS Artifacts Applications e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers Disk

26 OS Artifacts Recycle.Bin [Volume]:\$Recycle.Bin $Recycle.Bin is visible in Explorer (view hidden files). Per user store in a subfolder named with account SID. No more Info2 files. When a file is deleted moved to the Recycle Bin it generates two files in the Recycle Bin. $I and $R files. $I or $R followed by several random characters, then original extension. The random characters are the same for each $I/$R pair. $I file maintains the original name and path, as well as the deleted date. $R file retains the original file data stream and other attributes. The name attribute is changed to $R******.ext.

27 OS Artifacts Recycle.Bin Note the deleted date (in blue).

28 OS Artifacts Recycle.Bin

29 OS Artifacts Folder Virtualization Part of User Access Control Standard user cannot write to certain protected folders. C:\Windows C:\Program Files C:\Program Data To allow standard user to function, any writes to protected folders are virtualized and written to C:\Users\[user]\AppData\Local\VirtualStore

30 OS Artifacts Registry Virtualization Virtualize (HKEY_LOCAL_MACHINE\SOFTWARE) Non-administrator writes are redirect to: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\ Keys excluded from virtualization HKEY_LOCAL_MACHINE\Software\Classes HKEY_LOCAL_MACHINE \Software\Microsoft\Windows HKEY_LOCAL_MACHINE \Software\Microsoft\Windows NT

31 OS Artifacts Registry Virtualization Location of the registry hive file for the VirtualStore Is NOT the user s NTUSER.DAT It is stored in the user s UsrClass.dat \Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat Investigation of Vista - Windows 2008 R2 requires the investigator to examine at least two account specific registry hive files for each user account. NTUSER.DAT UsrClass.dat

32 OS Artifacts Libraries

33 OS Artifacts Libraries \Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries.

34 OS Artifacts Libraries Libraries are XML files.

35 OS Artifacts Libraries

36 OS Artifacts Shell The Recent folder contains link files and two subfolders at \User\[Account]\AppData\Roaming\Microsoft\Windows\Recent.

37 OS Artifacts Shell

38 OS Artifacts Shell AutomaticDestination files are in the Structured Storage file format.

39 OS Artifacts Shell

40 OS Artifacts Shell

41 OS Artifacts Chkdsk Logs \System Volume Information\Chkdsk

42 OS Artifacts Superfetch \Windows\Prefetch

43 OS Artifacts Volume Shadow Copy Volume shadow copies are bit level differential backups of a volume. 16 KB blocks. Copy on write. Volume Shadow copy files are difference files. The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2. Difference files reside in the System Volume Information folder.

44 OS Artifacts Volume Shadow Copy Shadow copies are the source data for Restore Points and the Restore Previous Versions features. Used in backup operations. Shadow copies provide a snapshot of a volume at a particular time. Shadow copies can show how files have been altered. Shadow copies can retain data that has later been deleted, wiped, or encrypted.

45 OS Artifacts Volume Shadow Copy Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.

46 OS Artifacts Volume Shadow Copy The Volume Shadow Copy difference files are maintained in \System Volume Information along with other VSS data files, including a new registry hive.

47 OS Artifacts Volume Shadow Copy \System Volume Information\Syscache.hve

48 OS Artifacts Volume Shadow Copy

49 OS Artifacts Volume Shadow Copy

50 OS Artifacts Volume Shadow Copy vssadmin list shadows /for=[volume]:

51 OS Artifacts Volume Shadow Copy

52 OS Artifacts Volume Shadow Copy Shadow copies can be exposed through symbolic links. Mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\

53 OS Artifacts Volume Shadow Copy Volume Shadows can be mounted directly as network shares. net share testshadow=\\.\harddiskvolumeshadowcopy11\

54 OS Artifacts Volume Shadow Copy >psexec \\[computername] vssadmin list shadows /for=c: >psexec \\[computername] net share testshadow=\\.\harddiskvolumeshadowcopy20\ PsExec v Execute processes remotely... testshadow was shared successfully. net exited on [computername] with error code 0. >robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername] \testshadow D:\vssTest Log File : D:\VSStestcopylog.txt...

55 OS Artifacts Volume Shadow Copy Other ways to call shadow copies: \\localhost\c$\users\troyla\downloads ( Yesterday, July 20, 2009, 12:00 AM) \\localhost\c$\@gmt \?

56 OS Artifacts Volume Shadow Copy Shadow copies can be imaged. C:\Users\Troyla\Desktop\fau a\fau\FAU.x64>dd if=\\.\harddiskvolumeshadowcopy11 of=e:\shadow11.dd localwrt The VistaFirewall Firewall is active with exceptions. Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd Output: E:\shadow11.dd bytes records in records out bytes written Succeeded! C:\Users\Troyla\Desktop\fau a\fau\FAU.x64>

57 OS Artifacts Volume Shadow Copy Images of shadow copies can be opened in forensics tools and appear as logical volumes.

58 OS Artifacts Volume Shadow Copy Data that has been deleted can be captured by shadow copies and available for retrieval in shadow copy images.

59 OS Artifacts Volume Shadow Copy Every shadow copy data set should approximate the size of the original volume. Amount of case data=(number of shadow copies) x (size of the volume)+(size of the volume). 10 shadow copies = 692 GB

60 Applications I.E. 8 Applications e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers Disk

61 Applications I.E. 8 "C:\Program Files (x86)\internet Explorer\iexplore.exe" -private

62 Applications I.E. 8 Cache data appears to be written, then deleted.

63 Applications I.E. 8 Residual cache files from InPrivate browsing.

64 Applications I.E. 8 Tab and session recovery a new source for historical browsing information. \User\[Account]\AppData\Local\Microsoft\Internet Explorer\Recovery

65 Applications I.E. 8 Recovery file: Note the Structured Storage file format.

66 Applications I.E. 8

67 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.