Can Computer Investigations Survive Windows XP?




Can Computer Investigations Survive Windows XP? An Examination of Microsoft Windows XP and its Effect on Computer Forensics
December 2001
by Kimberly Stone and Richard Keightley
2001 Guidance Software. All Rights Reserved.

Executive Summary

Windows XP, Microsoft's latest operating system, has arrived and is now appearing on computers slated for forensic investigation. Computer forensics examiners are now using Windows XP as a platform on which they conduct forensic analysis. This white paper will examine Windows XP both as a platform utilized by an examiner for computer forensics investigations and as a subject file system for computer forensics analysis. There is some uncertainty regarding how to conduct a computer forensic analysis of an XP system. Some have speculated that Windows XP may significantly hamper the ability to conduct computer forensic investigations. This paper will test this theory and will also propose Windows XP as a viable choice as a forensic operating system. This study was conducted using EnCase software. EnCase is a fully integrated Windows-based computer forensic software application that provides investigators with the means of analyzing all electronic data contained on computer drives for forensic evidence purposes.

Introduction

Windows XP appears to be an improved operating system, touting increased stability, increased user friendliness, more features, and (of more importance to forensic investigators everywhere) increased security. The two main security issues with Windows XP are the "secure erase" (otherwise termed "scrubbing") feature when deleting files and the built-in file-encryption feature. This analysis illustrates that a proper forensic analysis of an XP system requires a clear understanding of how Windows XP and its NTFS file system work and store data. Otherwise, those in the security industry may be confused by speculation and myths that have propagated with the release of the operating system. While Windows XP comes in both a Home edition and a Professional edition, these tests were conducted on the Professional edition alone, as the Home version is (for the most part) a stripped-down version of the Professional. Definitions of the terms used in this paper are available at the end of the document.
Section 1 Tests: Windows XP as a Forensics Platform

Like any new operating system from Microsoft, Windows XP needs both more hard drive space than its predecessor (1.5 GB for a full install) and more RAM. Microsoft recommends that users have 128 MB of RAM installed on their computers. Most reports from the field recommend 256 MB, especially if one is going to take advantage of such features as support for multiple users. Keeping Microsoft's recommendation in mind, all tests were conducted on a typical midrange PC (Gateway GP7-600, Pentium III at 600 MHz, with 128 MB RAM), using EnCase v3.16. [Note: forensic examiners typically use high-end systems with substantial memory and data storage.]

Investigative Methods

To prepare for this portion of the study, an 8.4 GB drive was wiped, partitioned and formatted in NTFS (a requisite to take advantage of the file-encryption abilities in Windows XP). A substantial number of files were then copied to it; some were encrypted and others deleted to mimic the file patterns found on a typical XP hard drive. The hard drive was then connected via an IDE interface using a FastBloc (a physical write-block device manufactured by Guidance Software). The setup of the FastBloc unit in Windows XP was simple. One is required to install a generic disk drive driver in Windows 98 and Windows 2000, but Windows XP detected and installed the driver for the FastBloc quickly, with no browsing or prompting on our part.

The next step was to acquire the drive physically in both Windows XP Professional and Windows 2000 (SP2), once each with NO compression and once each with BEST compression. XP acquired the test drive faster than Windows 2000 in every test:

  No compression:    15 minutes, 6 seconds  vs.  14 minutes, 45 seconds
  Best compression:  30 minutes, 16 seconds vs.  30 minutes, 2 seconds

[Chart: EnCase Media Acquisition with FastBloc, time in minutes for BEST and NONE compression. Caption: Windows XP edges out Windows 2000 in FastBloc acquisitions.]

Having acquired an evidence file, XP was primed to be stressed some more. Next, a battery of EnCase 3.16 functions was run in both Windows 2000 Professional (SP2) and Windows XP Professional. Knowing XP's need for memory, it was speculated that Windows 2000 would beat XP in every test, but this was not the case.

Five more tests were conducted:

Test 1: Evidence File Verification (10.3 minutes vs. 10.1 minutes). Chart caption: Windows 2000 just defeats XP in evidence file verification.

Test 2: Hash Drive Command (10.6 minutes vs. 10.5 minutes). Chart caption: Windows 2000 beats XP in the hash drive command.

Test 3: 1 Keyword Search (15.75 minutes vs. 16 minutes). Chart caption: Windows 2000 barely loses to XP in the 1-keyword search.

Test 4: 10 Keyword Search (102.5 minutes vs. 60.75 minutes). Chart caption: Windows 2000 comes up strong in the 10-term keyword search.

Test 5: Page-Down in Gallery, while previewing in FastBloc (8 seconds vs. 6 seconds). Chart caption: a 2-second differential, multiplied over and over again.

[Figure: EnCase gallery view]

Results of the above five tests: As demonstrated above, Windows 2000 barely beats XP in most of the tests, lagging behind in the one-term keyword search but coming up strong in the ten-term keyword search. One of the most interesting results came from using the <Page Down> command while previewing graphics thumbnails on the test media: one of the two systems beat the other by a full two seconds. While this is not much time for one page-down command, considering the number of times one is likely to tap the <Page Down> key during a preview, this time differential increases dramatically. The above data shows that EnCase runs solidly on Windows XP and, in some functions, even faster than on Windows 2000.

Section II: Forensic Analysis of Windows XP Media

Introduction

Many computers are now shipping with Windows XP Home or Professional editions. It is imperative for computer forensic professionals to familiarize themselves with this file system to know what to expect when an XP case arrives for examination. In this document we will identify 1) the technical aspects of the Windows XP file system; 2) how files are stored and deleted; and 3) the rumored automatic data scrubbing feature.

Creating, storing, and deleting data is the base function of all file systems. How the data is created, where it is stored and what occurs when it is deleted are questions that are constantly posed to investigators. Recovering data in each of the above stages is also a challenge. A number of concerns are raised when a new operating system is encountered. Investigators must determine how to proceed with investigations, where to look and what findings to expect. This white paper will address these concerns and cover the aforementioned data scrubbing. Many features of the NTFS file system are cited in this document. These features are not new to NTFS and are therefore not explained thoroughly here; NTFS is a complicated file system.

Testing Phases

EnCase version 3.16 was used for all of the following tests, in which the basic functions of the Windows XP file system were examined.

PHASE I: FILE SYSTEM

Windows XP Professional edition (version 5.1, build 2600) was installed on a 4 GB drive that had previously been wiped. During the install an administrator account was created. The computer was shut down and the hard drive imaged. By default, Windows XP installs the NTFS file system; however, the FAT32 file system is also an option when installing XP. The NTFS system was installed and examined. The NTFS system files were examined first. These are the files installed during the format of an NTFS volume. They existed in the same manner as in Windows 2000.

  System File             Windows NT   Windows 2000   Windows XP
  MFT                         X             X              X
  MFT Mirror                  X             X              X
  Log File                    X             X              X
  Volume                      X             X              X
  Attribute Def. Table        X             X              X
  Root Filename Index         X             X              X
  Cluster Bitmap              X             X              X
  Partition Boot Sector       X             X              X
  Bad Cluster File            X             X              X
  Secure File                 -             X              X
  UpCase Table                X             X              X
  Quota Table                 X             -              -

The folder structure was as follows: $Extend, Documents and Settings, Program Files, Recycler, System Volume Information, and Windows. This is essentially the same as Windows 2000, except that the Windows directory is now WINDOWS instead of WINNT. The structure of the Master File Table (MFT) was examined and some very minor changes were noted in the MFT records; otherwise the structure is exactly the same. Navigating through the MFT record headers and file attributes was straightforward, as the techniques were the same as those used with previous versions of NTFS. File data is stored both resident and non-resident, just as it is in all versions of NTFS.

PHASE II: FILE STORAGE

Several tests were conducted to determine how files are stored in the Windows XP NTFS environment. Windows XP was booted and three small text files were created on the volume. The drive was subsequently imaged and the three small files were examined. They were all stored as resident data in the MFT. Windows XP was booted again and five large image files were created. The drive was subsequently imaged and the images were examined. The files were all stored as non-resident data; the MFT data attribute contained pointers (data runs) to the data. Overall, the storage process behaves in the same way that it did in prior NTFS systems. This provided a good platform for testing the deletion process.

PHASE III: FILE DELETION

The first step in the investigation of XP media was analyzing the process of resident file deletion. A series of tests were conducted in which resident files were created, recycled, and deleted from the Recycler. EnCase was used to examine the results. The recycling process remains the same as with previous versions of Windows on NTFS: the file's MFT record is recreated with a new Recycle Bin filename. The deletion process is the same as well: the MFT records containing the resident data remained in the MFT, marked for deletion, until overwritten by a new MFT record. As a final test for resident data, 150 resident files were created on the volume. All were recycled and deleted. The drive was imaged and the evidence file opened with EnCase. EnCase properly undeleted all of the resident deleted files.

A series of tests were then conducted with non-resident files, which were created, recycled, and deleted from the Recycler. EnCase was used to track the MFT records, data runs and the clusters occupied by the files during the testing process. When the files were recycled and deleted, the MFT records remained in the MFT, marked for deletion, until overwritten by a new MFT record. The data remained intact in the previously allocated clusters until overwritten by another file. The Recycler process remains the same as with previous versions of Windows on NTFS. As a final test for non-resident files, 150 files were created with non-resident data. All were recycled and deleted. The drive was imaged and opened with EnCase. EnCase properly undeleted all of the non-resident deleted files.

[Figure 1: Deleted files on an XP drive displayed by EnCase.]
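Added illustration for Phases II and III (this is not code from the white paper or from Guidance Software): a Python parser for a single NTFS MFT record that applies the update-sequence fixups, reads the in-use flag, and recovers resident $DATA content from a record whose in-use bit has been cleared, which is the deleted-but-not-yet-overwritten state in which EnCase undeleted the resident files. The record is constructed in build_record using the standard NTFS record and attribute header offsets; it is not taken from the test media.

```python
import struct

SECTOR = 512          # NTFS update-sequence stride
RECORD = 1024         # MFT record size on the test volumes
ATTR_DATA = 0x80      # $DATA attribute type
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x01    # bit 0 of the record flags; cleared once the file is deleted


def apply_fixups(raw: bytes) -> bytearray:
    """Undo update-sequence protection: the last two bytes of each sector are
    stamped with the USN and the real bytes live in the update sequence array."""
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        pos = i * SECTOR - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def parse_record(raw: bytes) -> dict:
    """Return the in-use flag and any resident $DATA content (None when the
    data is non-resident, i.e. held in clusters referenced by data runs)."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT record")
    rec = apply_fixups(raw)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & FLAG_IN_USE), "resident_data": None}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[off + 8]
        if atype == ATTR_DATA and non_resident == 0:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            info["resident_data"] = bytes(rec[off + coff:off + coff + clen])
        off += alen
    return info


def build_record(payload: bytes, in_use: bool) -> bytes:
    """Constructed 1024-byte record holding one unnamed resident $DATA
    attribute (a stand-in for a record on the test drive, not captured data)."""
    rec = bytearray(RECORD)
    usn = b"\x07\x00"
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)        # USA offset, USA count
    rec[0x30:0x36] = usn + b"\x00\x00" + b"\x00\x00"  # USN + saved sector tails (zeros here)
    attr = 0x38
    struct.pack_into("<HH", rec, 0x14, attr, FLAG_IN_USE if in_use else 0)
    alen = (0x18 + len(payload) + 7) & ~7              # attribute length, 8-byte aligned
    struct.pack_into("<IIBBHHH", rec, attr, ATTR_DATA, alen, 0, 0, 0x18, 0, 0)
    struct.pack_into("<IH", rec, attr + 0x10, len(payload), 0x18)
    rec[attr + 0x18:attr + 0x18 + len(payload)] = payload
    struct.pack_into("<I", rec, attr + alen, ATTR_END)
    rec[SECTOR - 2:SECTOR] = usn                       # stamp both sector tails
    rec[RECORD - 2:RECORD] = usn
    return bytes(rec)


def undelete_resident(raw: bytes):
    """What an examiner wants from a record: is the slot free, and is the
    small file's content still sitting in it?"""
    info = parse_record(raw)
    state = "allocated" if info["in_use"] else "deleted, record not yet reused"
    return state, info["resident_data"]
```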

PHASE IV: THE SCRUBBING FEATURE

Windows 2000 and XP now contain a scrubbing feature that has caused some worry and confusion. The feature is a command-line program included with Microsoft Windows 2000 and XP that provides an alternate method for managing the EFS (Encrypting File System). The version of the cipher tool included with XP is intended to overwrite, or scrub, data, obliterating residue of data within unallocated clusters. The program makes three passes of writes over unallocated space. The first pass is hex 00, the second hex FF and the last pass is random characters, making residual data underlying those clusters effectively impossible to recover. The cipher tool would appear to comply with the Department of Defense 5220.22-M disk-sanitizing standard, which states that "Non-Removable Rigid Disks" or hard drives must be sanitized for reuse by "Overwriting all addressable locations with a character, its complement, then a random character and verify."

Tests were conducted in which the cipher tool was used to wipe all unallocated clusters from the root folder. After the program completed the wiping, the drives were imaged.

Example Program Output:

  To remove as much data as possible, please close all other applications while running CIPHER.
  Writing 0x00.....
  Writing 0xFF......
  Writing Random Numbers......

Results: All unallocated space was filled with random values (which greatly affected file compression in the evidence file); however, the cipher tool affected only the unallocated clusters and a very small portion of the MFT (10-15 records were overwritten in the MFT, and the majority of the records marked for deletion went untouched). The utility does not affect other items of evidentiary interest on the typical NTFS partition, such as file slack, registry files, the pagefile and file shortcuts. In terms of its anticipated end-user adoption, the cipher feature is a burdensome command-line utility that is difficult to find and operate.

Notably, the cipher function is available on the Professional version but is not included in the Home version of XP. Despite some speculation, the function is not set by default or even selected for repeated execution on an ongoing basis. Cipher must be executed from a command line each time the user wants to employ it. There is very little documentation supporting this feature, which is largely intended for programmers and system administrators for use in limited circumstances.
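Added illustration of the Phase IV result (not code from the white paper or from Guidance Software): a toy Python model of a volume on which a three-pass free-space scrub, patterned on the 0x00 / 0xFF / random passes described above, rewrites only unallocated clusters. The cluster size, layout and file contents are constructed, and the model stands in for NTFS rather than parsing it; it shows why file slack and the allocated $MFT survive such a scrub while the freed clusters do not.

```python
import os

CLUSTER = 16      # toy cluster size in bytes (real NTFS default is 4096)
CLUSTERS = 8


class ToyVolume:
    """Minimal model of an NTFS-style volume: a byte array plus a cluster
    allocation bitmap. Deleting a file only clears bitmap bits, as NTFS does."""

    def __init__(self):
        self.data = bytearray(CLUSTER * CLUSTERS)
        self.allocated = [False] * CLUSTERS

    def write_file(self, first_cluster, content):
        """Store content starting at first_cluster; whole clusters are
        allocated, so bytes after the content in the last cluster are slack."""
        n = -(-len(content) // CLUSTER)          # ceil(len / CLUSTER)
        start = first_cluster * CLUSTER
        self.data[start:start + len(content)] = content
        for c in range(first_cluster, first_cluster + n):
            self.allocated[c] = True
        return n

    def delete_file(self, first_cluster, n):
        for c in range(first_cluster, first_cluster + n):
            self.allocated[c] = False            # data bytes deliberately left in place

    def scrub_free_space(self, rand=os.urandom):
        """Three passes over unallocated clusters only: 0x00, 0xFF, random."""
        free = [c for c, used in enumerate(self.allocated) if not used]
        for pattern in (b"\x00" * CLUSTER, b"\xff" * CLUSTER, None):
            for c in free:
                fill = rand(CLUSTER) if pattern is None else pattern
                self.data[c * CLUSTER:(c + 1) * CLUSTER] = fill
        return free

    def cluster(self, c):
        return bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])


def demo(rand=os.urandom):
    vol = ToyVolume()
    # Clusters 0-1 once held an older draft; a shorter file now overwrites
    # the start, leaving the tail of the old draft as slack in cluster 1.
    vol.data[0:32] = b"OLD-DRAFT-OLD-DRAFT-OLD-DRAFT-OL"
    vol.write_file(0, b"report-v2-final-text")
    # Cluster 2 stands in for the $MFT: an allocated system file whose
    # record for the memo stays behind after the memo itself is deleted.
    vol.write_file(2, b"FILE memo.txt")
    # Clusters 4-5: a memo that is created, then deleted (bitmap only).
    n = vol.write_file(4, b"deleted-memo-contents!!")
    vol.delete_file(4, n)
    scrubbed = vol.scrub_free_space(rand)
    return {
        "scrubbed_clusters": scrubbed,
        "slack_survives": vol.cluster(1).endswith(b"OLD-DRAFT-OL"),
        "mft_record_survives": vol.cluster(2).startswith(b"FILE memo.txt"),
        "freed_data_gone": b"deleted-memo" not in vol.cluster(4) + vol.cluster(5),
    }


if __name__ == "__main__":
    print(demo())
```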

CONCLUSIONS AND RECOMMENDATIONS

Windows XP is a valid forensic operating environment with performance results similar to those of Windows 2000. This examination of the Windows XP file system demonstrates that the operating system will introduce new challenges for investigators. Windows XP will introduce the NTFS file system into home computers. Investigators are just now reporting an increase in residential cases; however, most still involve FAT32 file systems. It is very likely that the near future will bring the NTFS file system to the forefront of computer forensic investigations. With the use of proper tools and examination methods, evidence can be located and explained.

The scrubbing feature is a part of Windows XP, but it is not all that it was initially thought to be. It is a command-line tool that is difficult to use, time consuming and nothing more than a good wiping utility. The average computer user will not know how to use it, and even if it is used, evidence artifacts still remain in certain system files. Because of the inherent complexity of file systems and their interaction with the operating system, all investigators who wish to properly examine and understand evidence found in the NTFS file system should obtain formal forensics-based training on the NTFS file system. Guidance Software offers such training in its advanced computer forensics course.

DEFINITION OF TERMS

Deleted: A file deleted manually ("emptied") from the Recycle Bin.
EFS: Encrypting File System.
Evidence File: An EnCase evidence file.
MFT: Master File Table.
Non-resident: Used to refer to a file that is too large to be stored in the MFT. Its disk location is stored in the MFT by one or more pointers to the data.
Recycled: A file placed in the Recycler.
Resident: Used to refer to a file small enough to be stored within that file's MFT record.
Shut Down: Implies that the computer was shut down using the normal Windows Shut Down command.
Wiped: Space on a hard drive that has been overwritten with a hex character, typically \x00, but could be anything or even random characters.

ABOUT THE AUTHORS

Richard Keightley is a graduate of Kenyon College in Ohio and has been working with computers and networks for the past ten years. Rich is Senior Technical Services Specialist at Guidance Software and has been giving support and consultation to computer forensics investigators for the past two years. Kimberly Stone graduated from the University of California, Los Angeles with a degree in computer science and has been working in programming and Web development for the past four years. Kimberly is a Junior Programmer at Guidance Software.

CONTACT INFORMATION

For more information, please contact:
Guidance Software
572 E. Green St., Ste. 300
Pasadena, CA 91101
Phone: (626) 229-9191
Email: info@encase.com
www.encase.com