Windows Forensics - Sonntag · PDF fileWindows forensics 2 ... File format: OLE2 Compound Document (MS Office) ... ›The Windows Search database (Windows.edb) does contain the

August 2015

Michael Sonntag

Windows Forensics

General thoughts

Windows forensics 2

Windows stores, like most OS, lots of data for various reasons (finding bugs, speedup, user services etc)

» Most of this information is in proprietary formats › These are typically binary formats, so re-engineering is a large factor!

» There is no “Windows”: Only Windows XP, XP SP 2, XP SP 3, Vista, 7, 8, 8.1, 10 CE, Embedded, Server 2008, 2008 R2, 2012… › Many of them store data differently!

Comparison: Linux

» Less variation, as few distributions are in widespread use › In total many more versions, but some standardization (LSB)

Much less than Windows, even accounting for the various versions

» Data is typically stored less OS-dependent, but rather more application-dependent!

Consequence: Individual investigation and comparison of knowledge with actual system is necessary!

What to look for: Typical aims

Windows forensics 3

Files:

» At rest: File was there

» Executed: Program was started

» Moving: File was moved from/to system; source/destination

Logs:

» Something happened. Metadata still exists, but no content. › Example: Proxy log File was requested at ??? by IP ???; but the actual file

content is not available (at least not in the log!)

» Was the SW installation performed correctly?

Content:

» Memory: Esp. keys and passwords or traces of files/activities

» Backups, deleted files …

Configuration:

» If “this” happens/happened, the system will/did do “that”

Example: Program execution

Windows forensics 4

A program was executed: When – or wasn’t it?

Where do we look for traces?

» UserAssist: Registry

» MRU (Most Recently Used): Registry (somewhere else)

» Application Compatibility Cache: Registry (somewhere else)

» Prefetch: Separate files

» Executable file itself (timestamps): For outside limit(s)

Result:

» We have numerous locations

» Not all are updated simultaneously (or always; e.g. prefetch!)

» We have to look in all places … … and then combine results to get the best possible picture

Note: We have no guarantee that we get all information

» Might run without traces (but never: Traces without running!)

Where to look

Windows forensics 5

Recycle bin: Deleted files (not necessarily actually gone)

Print spool files: Traces of printouts

Preview icons: What files were present some time ago

Prefetch: What files were executed

Swap/Hibernation file: Traces of memory content

Windows Registry: OS + application configuration & data

» Recent files: Opened some time before

» USB device history: Connected devices

» Restore points: Old versions of files & registry

Autoruns: What happens on booting the OS

Event log: Traces of all kinds of things that happened

Not covered here

Windows forensics 6

Desktop: Normal file folder (but see metadata info!)

» Similar: MyDocuments, Recent Files, …

Pinned files/Jump lists

» Similar to recently used files › C:\Users\username\AppData\Roaming\Microsoft\InternetExplorer\

QuickLaunch\UserPinned\TaskBar

Start menu entries

» Actually a directory structure in user folder + overlay of general configuration in a different directory

» See also Windows 8 Tiles

Volume Shadow Copies: Similar to Restore points

» Located under <Volume>\System Volume Information

Windows 8 Refresh / Restore points

» Themselves, as well as artifacts left after refreshing/restoring

Windows 8 file history: Automatic backups of user data/files

Windows forensic: Recycle bin

Windows forensics 7

When deleting files normally, they end up in the recycler

» Shift+DEL Deleted immediately › Special tools/file carving!

» Something in the recycler Generally deleted intentionally › These files are completely recoverable: Name, content etc.

Emptying the recycle bin:

» The saved files are actually deleted; just like normal files › Their directory entries within the recycler folder remain

› Their data remains on the disk until overwritten

» The INFO2 file (see later) is deleted and a new one created › Sometimes only shortened, i.e. the record numbers continue

Deleting a single file from the recycle bin

» Changes the first byte of the record in INFO2 file to '00' › Typically drive letter; recreatable from drive number in record!

Note: Removable media does not have a recycle bin!

Windows forensic: Recycle bin

Windows forensics 8

Physical changes on deleting "into" the recycler:

» File entry deleted from original directory › Remains there until overwritten!

» Modified/Last Access updated

» The long filename is deleted

» File entry created in recycler directory › D<original drive letter><#>.<original extension>

Dc1.txt: Second deleted file from drive C, had “txt” extension

Note: In the Windows Explorer you always see only your own files and the filenames from the INFO file!

› Subdirectory: User-SID

» Information added to recycler index file ("INFO"/"INFO2" file) › Includes deletion time, original location, recycle bin index

Index allows discovery of deletion order!

› Attention: Windows Vista replaced the INFO file with a separate file named similar as the one with the deleted data!

http://support.microsoft.com/kb/136517

Windows forensic: XP Recycle bin

Windows forensics 9

The INFO2 file structure

» Binary file

» Contains the file name twice: ASCII and Unicode

» 20 Byte file header; Bytes 12-13 (-15?) are record size › Record size is usually 2003 = 0x0320 = 800 Bytes

Record structure

» 260 Bytes: Original file name (ASCII), including path

» 4 Bytes: Record number (starting at 0)

» 4 Bytes: Drive number (00 = A, 01 = B, 02 = C, …)

» 8 Bytes: Deletion time (FILETIME format, UTC)

» 4 Bytes: Physical file size (=Bytes on disk!) › Therefore always multiples of cluster size

› Actual file size: See directory entry of the file itself

» 520 Bytes: Original file name (Unicode), including path

Windows forensic: XP Recycle bin

Windows forensics 10

Original filename: C:\Documents and Settings\SONNTAG.ADS-FIM\Desktop\ EURO Calculator & Info.URL

Record number: 1

Drive number: 2 (= C: )

Deletion time: 0063E71E:D605C801 (=1EE76300:01C805D6, =3.10.2007 15:57:37 UTC)

Physical file size: 0x00100000 (=0x00001000, = 4096 Bytes

Vista/7/8 - Recycle bin


Directory is same (User-SID), but organisation within differs

» Each file is stored directly with a new filename: › $R<six random characters>.<original extension>

» Information on “real” filename (and additional data): › $I<six random characters>.<original extension>

Additional data stored: › File length: 544 Bytes

» Magic number

» Original file size › Byte order is reversed!

» Date and time of deletion › Windows 64 Bit hex value

Little endian

» Original file name › 520 Bytes = 260 characters

Max. path length!

Same!

Print spool files


When printing documents they are not immediately sent to the printer but rather stored in a local file

» Which is then sent to the printer › And deleted after successful completion

» Attention: Users can configure within the printer properties that the data is sent immediately to the printer; this is rare!

» Note: This applies to local printers only! › Network printers will have this file created on the print server

Typical file formats for spooling are:

» RAW: Directly as the printer wants it, e.g. Postscript or some proprietary format › Device dependent

› Can be re-printed simply by sending it to a (similar!) printer again

» EMF: Enhanced Metafile Format (32 Bit version of WMF) › Device independent

› Viewer programs available

Print spool files


For each print job two files are created

» SHD: Job metadata (owner, printer, print method, …)

» SPL: Job data (RAW or EMF)

Contents of the SHD file:

» Username, Name of user to notify

» Document name

» Printing time: SYSTEMTIME structure (=UTC!)

» Page count

» Windows version

» Job ID

» Priority

» Printer name + driver + mode

» Printing processor + format

» Computer name

Thumbnails: Thumbs.db


Thumbs.db: Hidden file to store thumbnail images (previews) of the files in a folder

» At least, if the folder was viewed in "Thumbnail view" at SOME time in the past when the file was already there

» Can be deactivated (Default: enabled) in Explorer properties › "Do not cache thumbnails"

» Deleting images from the disk will not remove the thumbnail from Thumbs.db! › They will never be removed from it!

Only solution: Delete Thumbs.db file (then recreated with current images)!

File format: OLE2 Compound Document (MS Office)

What is stored: JPEG, BMP, GIF, HTM

Encrypted files will still have an unencrypted thumbnail! › If viewed in thumbnail view when they were not yet encrypted …

» However, this security flaw was fixed at some time

Thumbnails: Thumbs.db


Attention:

» Windows Vista does no longer have this file generally › See below, only for special circumstances

» Win2K+NTFS: Thumbnails in ADS (FAT Thumbs.db!)

Before Windows XP: Contained also drive letter and path

» Windows ME, Win2K

Take care when copying directories to a USB stick:

» When copying the directory, the Thumbs.db file is copied too

» When copying all files, it is not copied (unless shown anyway)

Thumbs.db can be used to prove that images actually were (but not necessarily seen; see below) on a certain computer: The Thumbs.db file is still there, and the files (including the same Thumbs.db) have been found somewhere else!

Thumbnails: Vista/7/8


They create thumbnails for files on different media types

» Including removable and network drives

» Including files in encrypted containers, e.g. TrueCrypt

» But NOT for files encrypted with EFS, unless the thumbcache directory is also encrypted! › Vista: Thumbnails are not deleted if file is encrypted by EFS later

Central cache for all directories per user in his folder » %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer

Contains several files:

» Thumbcache_32{96,256,1024}.db › Individual thumbnails in the various sizes (32-1024 pixel)

» Thumbcache_idx.db: Central index for thumbnails › Required for finding the image in the cache files

» Thumbcache_sr.db: Unknown; constant content

Win 7: Last-modified field for each thumbnail removed



When a file is deleted, the cache entry will be deleted too (but not necessarily actually overwritten immediately!)

Thumbcache_??.db:

» Indirectly contains the filename: Hash+”.”+extension › The Windows Search database (Windows.edb) does contain the

ThumbnailCacheID too, so using this file we can also assign full filenames to the cache entries (Hash: Try all possible images and see if they match)!

› Hash: Volume GUID, FILEID (NTFS); extension, DOS last write (both >=Win7)

Windows >=8.1: Additional hash input: Precision loss between original last modified time and DOS modified time (as used in previous versions)

› Also: Size (depends on which thumbcache), checksums, offsets, image data

» JPG, PNG will remain, others are converted to BMP

» File carving: Entries (not file!) start with “CMMM”

Thumbcache_idx.db:

» ThumbnailCacheID + FILETIME when the original (!) file was created (Vista only)



Windows Vista/7/8:

» When accessing remote or mapped files, a Thumbs.db file is created in the remote folder › Note: This includes local directories accessed through UNC names

» Different file format than Windows XP

» Entries are not deleted when the file is deleted

Windows 8:

» Thumbs.db files will also be created for other kinds of access (=Explorer), but ONLY in directories under a user profile folder: C:\Users\<Username>\* › This does depend on the location, not on the user!

› Browsing another user’s folder will create the cache there

» Additional _16, _48, _WIDE files

Quick/Tassone/Choo, Forensic Analysis of Windows Thumbcache Files, Proceedings of 20th Americas Conference on Information Systems (AMCIS 2014), 7-10 August 2014 http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2429795

Thumbnails


Confused?

» Brief overview:

Quick/Tassone/Choo, Forensic Analysis of Windows Thumbcache Files, Proceedings of 20th Americas Conference on Information Systems (AMCIS 2014), 7-10 August 2014 http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2429795 See also: https://thumbcacheviewer.github.io/



Attention!

» Thumbnails may be generated even when the folder has NOT been viewed in thumbnail (“Large Icons”) view! › If the “Details pane” is active, this is sufficient

At least for two files (two most recently modified ones, presumably)

» When pictures are accessed via a full UNC path and displayed in thumbnail view, a thumbs.db file is created in the folder in which the pictures resides › Only those pictures that were visible (many scrolling needed!)

› As the Thumbs.db file changed between OS (XP/Vista/7), based on this file you can identify the OS of the computer viewing them (not the one where the thumbs.db file is located!)

» Drag&Drop may also lead to thumbnails being created

Result: The presence of thumbnails does not necessarily mean, that the user has seen these pictures (or their

directory), only that they existed on the computer!

Parsonage: Under My Thumbs http://computerforensics.parsonage.co.uk/downloads/UnderMyThumbs.pdf

Windows prefetch


Frequently (or recently) used applications are logged in a special folder: Speed up their start by noting which sectors from the disk will be required directly upon start

» These are then swapped in immediately, even if not at the start of the executable file

Stored in directory "C:\Windows\Prefetch"

» Naming: <Executable file name>-XXXXXXX.pf › XXXXX: Hash of location from where it was run

» Count of executing the program: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ UserAssist\{GUID}\Count › ROT-13 encoded!

› "Data": 5th byte -5 = Count of execution

» Maximum count (XP): 128 entries

» Contains also references to loaded modules

Windows prefetch


When is it updated?

» XP: Boot time and application launch, 2003: Boot time (def.)

» Disabled for SSD disks by default

Attention: Prefetch is system-wide

» You cannot tell from the file which user executed it › But with MAC time this may be possible

If you know who was logged on at which time

› See also the UserAssist registry entries (previous slide; HKCU!)

Note the MAC times of the files:

» Created: Program was started for the first time

» Modified: Program was started for the "last" time › Attention: Prefetch files will not be updated after some time

Probably when windows decides it exactly knows what to do

» Accessed: Last run time of the program › Attention: No longer updated by default on Vista or later!

Disabling prefetch: http://msdn2.microsoft.com/en-us/library/ms940847.aspx

Windows prefetch


.pf file content

» Filename: Offset 0x10

» Timestamp: FILETIME at offset 0x78 (XP)/0x80 (>=Vista)

» Run count: DWORD at offset 0x90 (XP)/0x98 (>=Vista)

» Magic number at start: 0x11 (XP)/0x17 (>=Vista) 0x00 0x00 0x00 “SCCA”; has no end marking

» List of files accessed in the first 10 minutes › Can be used to inspect suspected malware (what did they load) or media

files launched through double-clicking them

› Can provide information on paths no longer existing

Example: TrueCrypt volume, deleted executables etc.

Layout.ini: List of files used on booting

» Used for arranging files during defragmentation

» Unwanted programs started on booting?

Swap/Paging file


Contains pages from the memory

» Not necessarily in a “useful” order!

» Data may remain there for a very long time as well › If this sector happens to not being used

Attention: Normal shutdown may delete, truncate, or overwrite the swap file!

» In important cases it is therefore necessary (after doing live analysis) to pull the plug, but not shutdown the system!

A hidden file (Linux: Partition!): C{D…}:\pagefile.sys

Typical application for file/data carving: Assembling a file/some content from numerous smaller parts

» Very difficult and unreliable, unless complete and in correct order (this is likely true only for very small files/data elements)!

Practical usage: Search for strings/regular expressions

Swap/Paging file


Attention: Anything found in there is “unreliable"!

» You don't know when this information was put in there

» You don't know which user was logged in at that time

» The data might already have been on the disk when the paging file was created

The swap file need not be located in contiguous sectors

» There may be small "holes", which perhaps are not reused for a long time because they are so small › Good location for finding “old” file fragments

Hibernation file


Similar to the swap file: Contains memory pages

» But here it is a complete image of the total memory!

» May be smaller or larger than the swap file

Can be used to recreate the last use of the computer

» Virtual machines come in handy for this

A hidden file: C:\Hiberfil.sys

Attention: The first block will always be overwritten with zeros after boot, so never wake up a hibernated computer without obtaining a forensic copy before!

» Rest of the file remains unchanged until the next hibernation

» So the state at a previous point in time might be recreated partly (computer won’t run, but memory might be “salvaged”)

The hibernation file is compressed: No plain text search

Hibernation file


Very important in case of disk encryption: When the computer is running, the key is in the memory.

» Creating a memory dump will allow decrypting the disk

» Not necessarily booting The password is not recovered, only the cryptographic key. But a decrypted disk might allow (with some modifications) booting!

» When hibernated Hibernation file is encrypted itself, so it is not very useful then….

Other kinds of encryption, e.g. TrueCrypt containers

» Keys are in memory too

» Hibernation files are part of shadow copies too, so keys from containers opened weeks before might still be on the disk!

Password cracking/recovery software has special analysis functions to extract password/keys from it

The Windows Registry


The Registry is similar to a file system:

» Hierarchical storage of data

» Keys = Directories

» Values = Files › Name, Data and Type (BINARY, DWORD, SZ, MULTI_SZ, EXPAND_SZ)

5 root keys exist:

» HKLM: HKEY_LOCAL_MACHINE (Computer-specific data)

» HKU: HKEY_USERS (User-specific data)

» HKCR: HKEY_CLASSES_ROOT (application settings, file associations, class registrations for COM objects) › Link to HKLM\Software\Classes

» HKCC: HKEY_CURRENT_CONFIG (Current hardware config.) › Link to HKLM\System\CurrentControlSet\Hardware Profiles\Current

» HKCU: HKEY_CURRENT_USER (Current user's data) › Link to HKU\<SID of current user>

Registry: Physical storage


The Registry is logically a "single file"

» But parts are stored in different files or created dynamically

File locations:

» HKLM\SAM %SYSTEMROOT%\System32\config\SAM

» HKLM\Security %SYSTEMROOT%\System32\config\SECURITY

» HKLM\Software %SYSTEMROOT%\System32\config\software

» HKLM\System %SYSTEMROOT%\System32\config\system

» HKLM\Hardware Stored in memory only – not on disk!

» HKU\.Default %SYSTEMROOT%\System32\config\default

» HKU\<SID> %USERPROFILE%\NTUSER.DAT

» HKU\<SID>_Classes %USERPROFILE%\Local Settings\ Application Data\Microsoft\Windows\UsrClass.dat

User/… identifiers: SID


SID = Security Identifier » S-1-0-0 (Nobody): A group with no members

» S-1-1-0 (Everyone): A group that includes all users

» S-1-2-0 (Local): Users who logged on locally

» S-1-2-1 (Console Logon): Users on the phys. console

» S-1-3-0 (Creator Owner): The user who created a new object

» S-1-3-1 (Creator Group): The primary group of the user who created a new object

» S-1-5-2 (Logon Network): Users logging on via network

» S-1-5-7 (Anonymous): Anonymous logged on users

» S-1-5-18 (Local System): The OS itself

» S-1-5-19 (Local Service): Service account

» S-1-5-20 (Network Service): Service account

» S-1-5-21-?????-500: Administrator

» S-1-5-32-544 (Administrators): Group of all administrators

Installation dependent (unique!)

http://msdn.microsoft.com/en-us/library/windows/desktop/aa379649%28v=vs.85%29.aspx http://support.microsoft.com/kb/243330/en-us

Obtaining access to an account


No password for a Windows account? Login might still be possible!

Passwords are stored as hashed values in the Registry (SAM)

Procedure:

» Obtain Password Reset CD

› Obviously possible also manually as well, just very complex (find registry on disk, find location in registry)

» Boot from this CD

» Let it overwrite the hash in the registry with a known one

› Can be anything, e.g. an empty password

» Shutdown and reboot in Windows

» Enter the password and log in

Drawback:

» Encrypted files will be “destroyed” by this!

› Why? EFS needs the actual password for decryption

› Merely “being” the user is insufficient!

Note: This technique is generic. It works the same way for Linux or any other application storing the passwords as hashes where they are accessible (potentially only “offline”!)

AutoRun


AutoRun Programs

» Long list of locations in registry, e.g.

› HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; \RunOnce

› HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ Run resp. \RunOnce

› Same under HKCU!

› Explorer hooks, like HKLM and HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers

› Print monitors: HKLM\SYSTEM\CurrentControlSet\Print\Monitors

› Winlogon notifications

» Long list of locations outside the registry, e.g.

› “Startup” folder in start menu of user profile

› Scheduled tasks

» Problem: Things might be started from anywhere; no “authoritative list” from Microsoft available

Useful tool: AutoRuns from Microsoft

» Will show all locations that are currently known

http://technet.microsoft.com/en-en/sysinternals/bb963902

Autorunner


Like AutoRun (based on it), but

» Runs on multiple user accounts in one go

» Parse LNK files to the actual file linked

» Allows specifying multiple drive mappings

› Different partitions were images to different files/mounted drives

» Can perform hash checks against VirusTotal

(http://www.woanware.co.uk/forensics/autorunner.html) http://www.chip.de/downloads/Autorunner_13007784.html

Installed software


Software might be installed, although not visible as an icon on the desktop or in any start menu

» Registry keys are usually created during installation, but not always removed (although they should be) when the program is uninstalled › HKLM\SOFTWARE\Microsoft\Windows\C.V.\App Paths

› HKLM\SOFTWARE\Microsoft\Windows\C.V.\Uninstall

» Separate registry keys for application settings might exist too

Verification:

» Check for the actual executable at the contained path

» Check timestamp on registry key

Cross-verification: Search for all executable files

» Note: Will not work for all kinds of plugins!

RegRipper


A tool to “rip” the registry

» Attention: Will not let you view open registry hives!

Use: Collection of registry keys with interesting values

» Very large collection, and provides explanations too

Example output (“listsoft” plugin only): » listsoft v.20080324

» (NTUSER.DAT) Lists contents of user's Software key

» listsoft v.20080324

» List the contents of the Software key in the NTUSER.DAT hive

» file, in order by LastWrite time.

» Tue May 14 14:55:56 2013Z Cygwin

» Thu Dec 20 16:35:24 2012Z X-Ways AG

» Mon Dec 17 16:35:28 2012Z Hewlett-Packard

» Mon Dec 17 16:26:05 2012Z Microsoft

» Mon Dec 17 16:06:55 2012Z AMD

» Mon Dec 17 16:06:55 2012Z Wow6432Node

» Mon Dec 17 16:06:51 2012Z ATI

» Mon Dec 17 15:13:03 2012Z JavaSoft

» Mon Dec 17 13:03:18 2012Z Realtek

Source: https://code.google.com/p/regripper/wiki/RegRipper Organizing the process: AutoRip (plugins are grouped into collections)

Recent files: MRU lists


MRU = Most Recently Used

Usually stored within the registry

Common lists include:

» Start menu: HKCU Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

› Equivalent of %USERPROFILE%\Recent

="My Recent Documents"

› Includes both local and network files!

» Run box: HKCU Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

› In order of most recently added (not: Used)!

» Files (Common dialog box): HKCU\Software Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

» Typed URLs in IE: HKCU Software\Microsoft\InternetExplorer\TypedURLs

Recent files: MRU lists


» Windows default search: HKCU Software\Microsoft\SearchAssistant\ACMru

› Subkey "5603": Search terms for folders and filenames

› Subkey "5604": Search terms for words/phrases within files

Note: MRU list locations depend heavily on the

» Windows version

» Software version

» Installed patches

» Program configuration!

» Use software on a copy of the evidence when using the program to identify the registry keys modified › E.g. SysInternals RegMon

Typically key names for other software are:

» Settings, MRU, Recent, Opened, …

Last opened application


HKCU\Software\Microsoft\Windows\CurrentVersion\ Explorer\ComDlg32\LastVisitedPidMRU (<Vista: LastVisitedMRU)

» Applications last used to access the files listed in OpenSavePidMRU (OpenSaveMRU)

» Contains path information as well

Running SW: App Compatibility


Some applications might have problems running on newer version of Windows. These can be partially solved by replacing certain system functions by older versions (or in-memory patching, additional flags, …).

This is a database on disk, but the registry contains a cache of a number of items from it

» Drawback: Only some elements; format changed several times: XP – Vista/2008 – 7/2008R2

What is in there?

» Executables recently run

» Last modification time

» File was executed?

» File size

» Last time file was run

https://www.mandiant.com/blog/leveraging-application-compatibility-cache-forensic-investigations/

MUI cache


When an application is started, the shell stores the application name in the registry

› Name: Multilingual User Interface Cache

» Content: “FileDescription” from resource of executable › Unfortunately nothing else

› Note: All are values in a single (few) keys Timestamp useless

» XP/2000/2003: › HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

» Vista/7/2008 › HKCU\Software\Classes\Local

Settings\Software\Microsoft\Windows\Shell\MuiCache

› HKCU\Software\Classes\Local Settings\MuiCache\**

https://www.mandiant.com/blog/execute/

File execution hints


Other caches whether files were executed:

» HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ StartPage\ProgramsCache

» HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ StartPage2\ProgramsCache

» HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ StartPage2\ProgramsCacheTBP

» HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ StartPage2\ProgramsCacheSMP

https://tzworks.net/prototype_page.php?proto_id=19

Recent files


Entries in "Recent", "Send to", "Start Menu", …

» Can prove the existence of files now deleted › Note: Usually not produced on creating/copying, but only on opening!

» Especially useful for removable media, e.g. USB sticks

Saved on the disk as ".LNK" files, i.e. shortcuts

These contain a lot of information:

» File location

» Type of disk (hard disk, removable media, CD, …)

» File attributes, length, …

» Icon information

» MAC times

May contain additional data

» Working directory, shell item ID, description, command line arguments, custom icon etc.

USB device history


When a USB device is connected to a computer, this is "logged" within the registry

» I.e., configured and appropriate driver (if necessary) installed

» This information remains when the device is disconnected!

Note: Most USB storage devices possess a unique serial number

» So the exact item can be recognized, not only its class/manufa.! › Software: UVCView from Microsoft

Registry key: HKLM\System\ControlSet00?\Enum\USBSTOR

» Subkey: Vendor, Producer and Revision

» Sub-Subkey: Serial number (if existing; else generated)

» ParentIdPrefix: Corresponds to HKLM\System\MountedDevices

› Binary value!

See also software: USBDeview!

Excursion: Device installation


XP: In “C:\Windows\setupapi.log” the first installation of a driver is logged

Win Vista, 7…: more complex, but more data

» C:\Windows\inf\setupapi.app.log: „Application“ installation › Still used for devices and not programs (“wrong” name)!

„…application software installations that are associated with device driver installations.”

» C:\Windows\inf\setupapi.dev.log: Device log › Containes e.g. unique Ids of USB devices

» C:\Windows\inf\setupapi.offline.log: Initial installation

» C:\Windows\setupact.log: Setup activities during installation

» C:\Windows\setuperr.log: Errors during installation

Never deleted, only exact source of first plugin times

Created by default, cannot be turned off via registry

Remains during an OS upgrade

https://msdn.microsoft.com/en-us/library/windows/hardware/ff550900%28v=vs.85%29.aspx


Graphic shows which files are used for logging when

» Initial Windows installation

» The last section is the same as in “normal” use!

https://technet.microsoft.com/en-us/library/ee851579%28v=ws.10%29.aspx

Excursion: Device installation


C:\Windows\inf\setupapi.app.log example » >>> [DIF_INSTALLDEVICE - ROOT\*ISATAP\0004]

>>> Section start 2015/07/20 08:06:42.086 cmd: C:\Windows\system32\svchost.exe -k netsvcs cci: NdisCoinst: Guid of the adapter is {E18371B6-A10D-48AA-BFB6-7902DE674188} cci: NdisCoinst: IfType 131, Characteristics 0x9, IsIrdaDevice 0, PhysicalMediaType 0, MediaType 15, IsBridge 0, FoundGuidInDownlevel 0, EnableDhcp 2 cci: NdisCoinst: Connection name is Local Area Connection* 11 cci: NdisCoinst: Allocated NetLuidIndex is 10 dvi: {Writing Device Properties} ! dvi: Device restart was skipped becasuse the DI_DONOTCALLCONFIGMG flag was set. <<< Section end 2015/07/20 08:06:42.149 <<< [Exit status: SUCCESS]

C:\Windows\inf\setupapi.dev.log example » >>> [Device Install (Hardware initiated) -

USBSTOR\Disk&Ven_Generic&Prod_External&Rev_2.10\5A383430335A445620202020&0] >>> Section start 2015/06/16 08:09:36.946

» … 300 lines log entries …

» ump: Server install process exited with code 0x00000000 08:09:37.440 <<< Section end 2015/06/16 08:09:37.455 <<< [Exit status: SUCCESS]

Real typo of Win !


Vendor: TinyDisk (Case label: "extreMEmory USB 2.0 4GB")

Product: 2007-06-13, Rev. 0.00

Serial number: 000000000001E1

ParentIdPrefix: 7&362d04ba&0

» HKLM\System\MountedDevices: "\DosDevice\G:" \??\STORAGE#RemovableMedia#7&362d04ba&0&RM#{53f5630d-b6bf-11do-94f2-00a0c91efb8b}

USB device history: setupapi.log


[2007/07/20 11:42:13 840.8 Driver Install]

#-019 Searching for hardware ID(s): usbstor\disktinydisk2007-06-13______0.00,usbstor\disktinydisk2007-06-13______,usbstor\disktinydisk,usbstor\tinydisk2007-06-13______0,tinydisk2007-06-13______0,usbstor\gendisk,gendisk

#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw

#-198 Command line processed: C:\WINDOWS\system32\services.exe

#I022 Found "GenDisk" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".

#I023 Actual install section: [disk_install.NT]. Rank: 0x00000006. Effective driver date: 07/01/2001.

#-166 Device install function: DIF_SELECTBESTCOMPATDRV.

#I063 Selected driver installs from section [disk_install] in "c:\windows\inf\disk.inf".

#I320 Class GUID of device remains: {4D36E967-E325-11CE-BFC1-08002BE10318}.

#I060 Set selected driver.

#I058 Selected best compatible driver.

#-166 Device install function: DIF_INSTALLDEVICEFILES.

#I124 Doing copy-only install of "USBSTOR\DISK&VEN_TINYDISK&PROD_2007-06-13&REV_0.00\000000000001E1&0".

#-166 Device install function: DIF_REGISTER_COINSTALLERS.

#I056 Coinstallers registered.

#-166 Device install function: DIF_INSTALLINTERFACES.

#-011 Installing section [disk_install.NT.Interfaces] from "c:\windows\inf\disk.inf".

#I054 Interfaces installed.

#-166 Device install function: DIF_INSTALLDEVICE.

#I123 Doing full install of "USBSTOR\DISK&VEN_TINYDISK&PROD_2007-06-13&REV_0.00\000000000001E1&0".

#I121 Device install of "USBSTOR\DISK&VEN_TINYDISK&PROD_2007-06-13&REV_0.00\000000000001E1&0" finished successfully.

Note: This file exists on Windows XP and earlier only!

Note: This file exists on Windows XP and earlier only!

USB device history: setupapi.dev.log


>>> [Device Install (Hardware initiated) - USB\VID_13FD&PID_1340\5A383430335A445620202020]

>>> Section start 2015/06/16 08:09:36.665

ump: Creating Install Process: DrvInst.exe 08:09:36.665

ndv: Retrieving device info...

ndv: Setting device parameters...

ndv: Searching just Driver Store...

dvi: {Build Driver List} 08:09:36.680

dvi: Searching for hardware ID(s):

dvi: usb\vid_13fd&pid_1340&rev_0210

dvi: usb\vid_13fd&pid_1340

dvi: Searching for compatible ID(s):

dvi: usb\class_08&subclass_06&prot_50

dvi: usb\class_08&subclass_06

dvi: usb\class_08

cpy: Policy is set to make all digital signatures equal.

dvi: Enumerating INFs from path list 'C:\Windows\INF'

inf: Opened PNF: 'C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf' ([strings.0409])

dvi: Created Driver Node:

dvi: HardwareID - USB\Class_08&SubClass_06&Prot_50

dvi: InfName - C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf

dvi: DevDesc - USB Mass Storage Device

dvi: DrvDesc - USB Mass Storage Device

dvi: Provider - Microsoft

…..

Hex: Convert to ASCII = “Z8493ZDV” This is the serial number!

USB device history


Last connection: HKLM\System\ControlSet00?\Control\DeviceClasses

» Subkey "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": Disks › Contains a subkey with the serial number included

» Subkey "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}": Volumes › Contains a subkey with the ParentIdPrefix included

» The LastWrite Time of these keys is the date and time the device was last connected to the computer

Accessing the LastWrite time:

» Special tools, or

» Regedt32: Export as text and open in Notepad » Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-

94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_TinyDisk&Prod_2007-06-13&Rev_0.00#000000000001E1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

» Class Name: <NO CLASS>

» Last Write Time: 21.12.2007 - 09:12

» Value 0

Registry: Owner information


Owner/Organization: HKLM\Software\Microsoft\ Windows NT\CurrentVersion

» RegisteredOwner: Owner name

» RegisteredOrganization: Organization name

» ProductId: Product ID

» DigitalProductId: Contains encrypted license key (Bytes 52-66)

» InstallDate: Installation date (UNIX timestamp)

» SystemRoot: Windows installation directory

Last user:HKLM\Software\Microsoft\Windows NT\ CurrentVersion\Winlogon

» DefaultUserName: Last logged in user › When? Timestamp of key!

» DefaultDomainName: Last domain logged into

» DontDisplayLastUserName: Don't store information above

http://www.dagondesign.com/articles/windows-xp-product-key-recovery/ http://geekswithblogs.net/willemf/archive/2006/04/23/76125.aspx

Registry: Timezone information


Data from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones is copied here

» ActiveTimeBias: Current Δ (0xffffff88 = -120 = 2 h E of GMT)

» DaylightBias: Delta during DST (= -60 = 1 h East of GMT)

» Daylight-/StandardStart: Should be SYSTEMTIME structure › Year, Month (1=Jan), Day of week (0=Sun), Week (5=last), Hour, Min, Sec,

ms (two bytes each); (doesn’t match above!)

Last Sunday in March at 02:00 – Last Sunday in October at 03:00

http://msdn.microsoft.com/en-us/library/ms725481%28v=vs.85%29.aspx http://msdn.microsoft.com/en-us/library/ms724950%28v=vs.85%29.aspx

Registry: Network shares


"My Network Shares": List of shares within the LAN HKCU\Software\Microsoft\Windows\Current Version\ Explorer\ComputerDescriptions

» Allows reconstruction of a past view, i.e. what shares were accessed by the user

» Contains computers, shares (directories) and printers

» Value: Name = server/share/printer; Content = Description

Registry: WLANs


When accessing a WLAN, its SSID is stored: HKLM\ Software\Microsoft\WZCSVC\Parameters\Interfaces

» Subkeys look like GUIDs with values for "ActiveSettings", "Static#000?", …

» The values for "#Static000?" contain the SSIDs at offset 0x14

IP address information for this connection (last only): HKLM\System\ControlSet00?\Services\Tcpip\Parameters\Interfaces

» Look for the same "GUID" key as of the WLAN!

» Dhcp*: Data on DHCP server, assigned address, netmask, default gateway, domain, nameservers, …

» LeaseObtainedTime/-TerminatesTime: Unix 23 Bit Timestamp › When the Address was received and what is the definite last time it could

have been used (but not: was used!)

Registry: Timestamps


Every single registry key has a "LastWrite" time value

» Does NOT exist for registry values!

» Format: FILETIME

» Updated, when a registry value directly within this key is created, modified, or deleted

Win2K and WinXP registry editors are flawed › Regedit.exe, regedt32.exe

» Registry values with a name length of 256-259 characters are not shown › Values afterwards are suppressed as well

› Subkeys are inaccessible too

» But "reg.exe", the console registry tool, can show (and manipulate) such values!

http://search.cpan.org/~adamk/Win32-TieRegistry-0.25/TieRegistry.pm

Registry: Various data


Thinking about shutting down a suspect's computer?

» First check: HKLM System\CurrentControlSet\Control\SessionManager\MemoryManagement\ClearPageFileAtShutdown

› Value "1": Paging file NOT deleted, but overwritten with zeros

HKLM\System\CurrentControlSet\Control\FileSystem\ NtfsDisableLastAccessUpdate

» Disables writing “last access timestamp” on the file system › Will still be changed on file modifications (i.e. writing to it), but not on

reading, accessing properties etc! Set to “1” by Default since Vista.

HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

» Contains IE auto-complete passwords (encrypted)

» Content not directly accessible, not even with regedt32

» But can be read in live systems or by parsing the registry file

Substituting executed programs


Allows hiding what programs were actually executed!

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ Image File Execution Options

» Create subkey with name of executable, e.g. "calc.exe"

» Create string with name "Debugger" and value of alternate program, e.g. "C:\Windows\notepad.exe"

» Typing "calc.exe" will then start the text editor › With "calc.exe" as parameter

or whatever the "original" file was, e.g. a .lnk file!

» Shows only the "original" program in history lists!

HKCR\{exe|com|bat}file\shell\open\command

» Default value contains command to execute ".exe" files › Similar for the explorer context menu:

HKCR\Drive\shell and HKCR\Folder\shell

Process information


The task manager shows the current processes, but only little information is available; most is statistical in nature

So “live” monitoring of activities might be useful

» Active users on a server

» Especially software (=i.e. specific processes)

Additionally it is very useful in the forensic process

» “We assume that this happens to the timestamps, when a user performs this action.”

» Monitoring the system while doing it allows verifying whether this is really a result, and whether it stems from this action

Also useful: Registry diffs

» Copy registry Install software/perform action/… Copy registry Identify differences

Process information


“Process Monitor” allows deep investigations:

» Realtime monitoring of all activity in file system, registry, network, and process (e.g. create child) of all processes › Needs serious filtering: Thousands of events per second!

› And starts logging immediately upon start (CTRL+E stops)…

» Attention: Will automatically exclude several elements: Itself (obviously!), but also Autoruns.exe, FASTIO operations, everything ending in “pagefile.sys”/”$Mft”/”$LogFile”/…, the System process, profiling events etc.

Typically of use if we need to find out:

» Who accesses some resource (file, registry key, …)

» What a specific process is doing

Attention: May slow down Windows when capturing!

Windows Sysinternals: Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Process information


System restore points


Stored under C:\System Volume Information

» Not accessible through Explorer, but by forensic tools! › Not even for the administrator!

Deleting a single one is very hard (but: “all” or “all but last” is easy)!

By default created every 24 hours & retained for 90 days › Registry: HKLM\Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

» Also: Manually, before Windows update/SW installation…

» When reverting to a previous point, another restore point is created (to allow going "forward“ again) › Restoration is recorded in the system event log (Event ID 110)!

» Disabling them is possible › Less than 200MB free on system drive automatically disabled!

» Restoring is logged in the event log

Based on VSS (Volume Shadow Copy Service)

» Will create a copy if something changes Fast to create

» Maximum of 64 per volume

http://128.175.24.251/forensics/restorepoints.htm

System restore points


Content:

» Files to restore (see change.log for original path/filename) › Documents (some), executables, …; Drivers and system files

› Typically not any user files!

At least, not if they are in the normal location / normal file formats

» Subfolder "snapshot": Registry files (SAM, Security, Software, System, .Default, NTUSER files, USRCLASS files)

Getting access:

» Run “cmd.exe” as Administrator

» “vssadmin list shadows“ shows all shadow copies

» “mklink /d c:\<directory> \\?\GLOBALROOT\Device\<ShadowName>\“ to create a symbolic link from <directory> to a specific shadow, which can then be investigated like a normal directory › Permission problems may still occur!

Changing permissions doesn’t work : Shadow copies are read-only

Event log


Event logs are normal files

» Location: Specified in registry ( to allow relocation) › E.g. security: %SYSTEMROOT%\System32\config\SecEvent.Evt

» Can be recovered through file carving etc.

» Fixed size; configurable per log (typ. 512 kB – 16 MB)

Problem: Security logging is off by default

» Application and System are on by default

Clean shutdown: Offsets of oldest & newest entries written to header; a “clean” flag set (“dirty” when active)

» While in use, trailer (after current last entry) has data

» Common source of corruption in forensics (pulling plug!)

Event log


>=Vista: More logs (Setup, Administrative tasks, …)

» File format changed (*.evt *.evtx): Binary XML › Much easier to parse!

» Logs are now separated into “channels” › Windows: Application, Security, System, Setup, ForwardedEvents

› Applications and Services: Many channels of individual applications or components

New version since Windows 10

» Mostly the same as since Vista ( backwards compatible!)

» Improvement: You can add your own XML data to an event

https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949

Event log


Content:

» Each Event has an EventId, specifying its type › Examples: 528, 540 = Logon, 538 = Logoff

› Contains additional details

These change with Windows versions Use same or newer!

» Timestamp, …

» Record number: Used consecutively ( no record deletion!)

Inspection possible through windows

» Or LogParser: Allows SQL-like queries against the log! › And against various other file formats as well

Reliability of event logs: Quite good

» Modifications are difficult, but not impossible

» Deleting some elements is very hard

» But: Deleting the whole log is quite trivial


Location: %SYSTEMROOT%\system32\LogFiles\Firewall\pfirewall.log

Logging is turned off by default

» Activating: Windows Firewall – Advanced Settings – Windows Firewall Properties – Logging

Separate: Event log

» Firewall rules and connection security rules changes

» I.e., configuration, but not the individual "problems"!

Internet Connection Firewall: Logs


Log file format: See file header!

» #Version: 1.5 #Software: Microsoft Windows Firewall #Time Format: Local #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

Example: » 2012-08-23 11:11:09 ALLOW TCP 140.78.100.211 140.78.3.160 1735 80 0 - 0

0 0 - - - SEND

› Outgoing web request to JKU webserver

» 2012-08-23 11:11:19 ALLOW UDP fe80::a400:fe81: 4022:2a12 ff02::1:2 546 547 0 - - - - - - - SEND

› Outgoing DHCPv6 request ("Solicit")

» 2012-08-23 11:20:23 ALLOW ICMP 140.78.100.164 140.78.100.211 - - 0 - - - - 8 0 – RECEIVE

› Incoming ping request

Summary


Especially the Registry is a treasure trove of information

» But the data is very well hidden under obscure names/IDs

» Special attention needs to be paid to how reliable the data is › Windows version, source of description of keys/values etc.!

› Try it out on a copy and monitor the changes made

E.g. using registry-diff software, sandboxing software

» Restore points contain previous versions of the registry

» But it is hard to know exactly what is there to be found!

Activity remnants may remain for a long time: Recycle bin records, print spool files, event log…

» Sometimes even forever (thumbs.db) unless explicitly removed!

Restricting the investigation is therefore very desirable

» Only a subset of data need then be searched for/through!

Thank you! Questions?

Thank you!

Any questions?

https://www.ins.jku.at


Michael Sonntag

[email protected]

+43 (732) 2468 – 4137

S3 235 (Science park 3, 2nd floor)

http://www.ins.jku.at



mailto:[email protected]

Links


Windows Recycle Bin: http://www.foundstone.com/us/resources/proddesc/rifiuti.htm

MRU locations: http://windowsxp.mvps.org/RegistryMRU.htm

Windows Spool Files http://www.undocprint.org/winspool/spool_files

Hurlbut, D.: Thumbs DB File Forensic Issues http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf

USBDeview http://www.nirsoft.net/utils/usb_devices_view.html

System Restore Point Log Decoding http://www.ediscovery.co.nz/wip/srp.html

Links


Murphey, Rick: Automated Windows event log forensics: http://www.dfrws.org/2007/proceedings/p92-murphey.pdf

LogParser: http://www.microsoft.com/germany/technet/ datenbank/articles/600371.mspx

Rob Faber: Windows log forensics: http://www.net-security. org/dl/insecure/INSECURE-Mag-16.pdf page 86

Rowe, Eric: Volume Shadow Copy and Registry Forensics http://montcs.bloomu.edu/~bobmon/DigFor/2012.HTCIA-conference/Talks/HTCIA%202012%20-%20VSC%20and%20Registry.pdf