Windows 7: Current Events in the World of Windows Forensics Troy Larson Senior Forensic Program Manager Network Security, Microsoft Corp.
Where Are We Now? Vista & Windows 2008 BitLocker. Format-Wipes the volume. EXFAT. Event Logging format, system, scheme. Virtual Folders & Registry. Volume Shadow Copy. Links, Hard and Symbolic. Change Journal. Recycle Bin. Superfetch.
Where Are We Now? Windows 7 & Window 2008 R2 Updated BitLocker. BitLocker To Go. VHDs Boot from, mount as Disks. XP Mode. Flash Media Enhancements. Libraries, Sticky Notes, Jump Lists. Service and Driver triggers. I.E. 8, InPrivate Browsing, Tab and Session Recovery. Even more Volume Shadow Copy.
Digital Forensics Subject Matter Expertise Stack Applications e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Thanks to Eoghan Casey. Mount, Partition & Volume Managers Disk
Windows 7 Disk Note disk signature: 2E140032 0x1b8-1bb
Windows 7 Disk HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 \DiskController\0\DiskPeripheral\0 Diskpart >Automount scrub
Vista Disk HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\ 1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000
Partitions and Volumes Applications e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers Virtual Hard Drives Create Attach Detach Delete Disk
BitLocker: Windows 7 During installing, Windows 7 creates a System Reserved volume enabling set up of BitLocker. In Vista, the System volume was generally 1.5 GB or more.
BitLocker: Vista Physical level view of the header of the boot sector of a Vista BitLocker protected volume: 0xEB 52 90 2D 46 56 45 2D 46 53 2D ër-fve-fs-
BitLocker: Windows 7 Physical level view of the header of the boot sector of a Windows 7 BitLocker protected volume: 0xEB 58 90 2D 46 56 45 2D 46 53 2D ëx-fve-fs-
BitLocker: Windows 7 Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2. Forensics tools may not recognize the new BitLocker volume header. Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.
BitLocker Review or Imaging User Mode Kernel Mode Application File System Driver Fvevol.sys Volume Manager FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption. Once booted, Windows (and the user) sees no difference in experience. The encryption / decryption happens at below the file system.
BitLocker Review or Imaging User Mode Kernel Mode Application File System Driver Fvevol.sys Volume Manager
BitLocker Review or Imaging The More/Less information button will provide the BitLocker volume recovery key identification.
BitLocker Review or Imaging BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4A- CD3075CB8335.txt: BitLocker Drive Encryption Recovery Key The recovery key is used to recover the data on a BitLocker protected drive. To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen. Recovery key identification: 783F5FF9-18D4-4C Full recovery key identification: 783F5FF9-18D4-4C64-AD4A- CD3075CB8335 BitLocker Recovery Key: 528748-036938-506726-199056-621005-314512-037290-524293
BitLocker Review or Imaging Enter the recovery key exactly.
BitLocker Review or Imaging Viewed or imaged as part of a physical disk, BitLocker volumes appear encrypted.
BitLocker Review or Imaging To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume.
BitLocker Review or Imaging
File Systems Applications e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers Disk
File Systems Since Vista SP1, Format wipes while it formats. http://support.microsoft.com/kb/941961 Diskpart.exe > Clean all
File Systems-Vista & Windows 7 NTFS Symbolic links to files, folders, and UNC paths. Beware the Application Data recursion loop. Cf. Link files. Hard links are extensively used (\Winsxs). Disabled by default: Update Last Access Date. Enabled by default: The NTFS Change Journal ($USN:$J). Transactional NTFS ($Tops:$T).
File Systems-Vista & Windows 7 The volume header of an EXFAT volume. Do your forensics tools read EXFAT?
OS Artifacts Applications e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers Disk
OS Artifacts Recycle.Bin [Volume]:\$Recycle.Bin $Recycle.Bin is visible in Explorer (view hidden files). Per user store in a subfolder named with account SID. No more Info2 files. When a file is deleted moved to the Recycle Bin it generates two files in the Recycle Bin. $I and $R files. $I or $R followed by several random characters, then original extension. The random characters are the same for each $I/$R pair. $I file maintains the original name and path, as well as the deleted date. $R file retains the original file data stream and other attributes. The name attribute is changed to $R******.ext.
OS Artifacts Recycle.Bin Note the deleted date (in blue).
OS Artifacts Recycle.Bin
OS Artifacts Folder Virtualization Part of User Access Control Standard user cannot write to certain protected folders. C:\Windows C:\Program Files C:\Program Data To allow standard user to function, any writes to protected folders are virtualized and written to C:\Users\[user]\AppData\Local\VirtualStore
OS Artifacts Registry Virtualization Virtualize (HKEY_LOCAL_MACHINE\SOFTWARE) Non-administrator writes are redirect to: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\ Keys excluded from virtualization HKEY_LOCAL_MACHINE\Software\Classes HKEY_LOCAL_MACHINE \Software\Microsoft\Windows HKEY_LOCAL_MACHINE \Software\Microsoft\Windows NT
OS Artifacts Registry Virtualization Location of the registry hive file for the VirtualStore Is NOT the user s NTUSER.DAT It is stored in the user s UsrClass.dat \Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat Investigation of Vista - Windows 2008 R2 requires the investigator to examine at least two account specific registry hive files for each user account. NTUSER.DAT UsrClass.dat
OS Artifacts Libraries
OS Artifacts Libraries \Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries.
OS Artifacts Libraries Libraries are XML files.
OS Artifacts Libraries
OS Artifacts Shell The Recent folder contains link files and two subfolders at \User\[Account]\AppData\Roaming\Microsoft\Windows\Recent.
OS Artifacts Shell
OS Artifacts Shell AutomaticDestination files are in the Structured Storage file format.
OS Artifacts Shell
OS Artifacts Shell
OS Artifacts Chkdsk Logs \System Volume Information\Chkdsk
OS Artifacts Superfetch \Windows\Prefetch
OS Artifacts Volume Shadow Copy Volume shadow copies are bit level differential backups of a volume. 16 KB blocks. Copy on write. Volume Shadow copy files are difference files. The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2. Difference files reside in the System Volume Information folder.
OS Artifacts Volume Shadow Copy Shadow copies are the source data for Restore Points and the Restore Previous Versions features. Used in backup operations. Shadow copies provide a snapshot of a volume at a particular time. Shadow copies can show how files have been altered. Shadow copies can retain data that has later been deleted, wiped, or encrypted.
OS Artifacts Volume Shadow Copy Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.
OS Artifacts Volume Shadow Copy The Volume Shadow Copy difference files are maintained in \System Volume Information along with other VSS data files, including a new registry hive.
OS Artifacts Volume Shadow Copy \System Volume Information\Syscache.hve
OS Artifacts Volume Shadow Copy
OS Artifacts Volume Shadow Copy
OS Artifacts Volume Shadow Copy vssadmin list shadows /for=[volume]:
OS Artifacts Volume Shadow Copy
OS Artifacts Volume Shadow Copy Shadow copies can be exposed through symbolic links. Mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
OS Artifacts Volume Shadow Copy Volume Shadows can be mounted directly as network shares. net share testshadow=\\.\harddiskvolumeshadowcopy11\
OS Artifacts Volume Shadow Copy >psexec \\[computername] vssadmin list shadows /for=c: >psexec \\[computername] net share testshadow=\\.\harddiskvolumeshadowcopy20\ PsExec v1.94 - Execute processes remotely... testshadow was shared successfully. net exited on [computername] with error code 0. >robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername] \testshadow D:\vssTest Log File : D:\VSStestcopylog.txt...
OS Artifacts Volume Shadow Copy Other ways to call shadow copies: \\localhost\c$\users\troyla\downloads ( Yesterday, July 20, 2009, 12:00 AM) \\localhost\c$\@gmt-2009.07.17-08.45.26\?
OS Artifacts Volume Shadow Copy Shadow copies can be imaged. C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>dd if=\\.\harddiskvolumeshadowcopy11 of=e:\shadow11.dd localwrt The VistaFirewall Firewall is active with exceptions. Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd Output: E:\shadow11.dd 136256155648 bytes 129943+1 records in 129943+1 records out 136256155648 bytes written Succeeded! C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>
OS Artifacts Volume Shadow Copy Images of shadow copies can be opened in forensics tools and appear as logical volumes.
OS Artifacts Volume Shadow Copy Data that has been deleted can be captured by shadow copies and available for retrieval in shadow copy images.
OS Artifacts Volume Shadow Copy Every shadow copy data set should approximate the size of the original volume. Amount of case data=(number of shadow copies) x (size of the volume)+(size of the volume). 10 shadow copies = 692 GB
Applications I.E. 8 Applications e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers Disk
Applications I.E. 8 "C:\Program Files (x86)\internet Explorer\iexplore.exe" -private
Applications I.E. 8 Cache data appears to be written, then deleted.
Applications I.E. 8 Residual cache files from InPrivate browsing.
Applications I.E. 8 Tab and session recovery a new source for historical browsing information. \User\[Account]\AppData\Local\Microsoft\Internet Explorer\Recovery
Applications I.E. 8 Recovery file: Note the Structured Storage file format.
Applications I.E. 8
2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.