Upload
phamdiep
View
232
Download
1
Embed Size (px)
Citation preview
General thoughts
Windows forensics 2
Windows stores, like most OS, lots of data for various reasons (finding bugs, speedup, user services etc)
» Most of this information is in proprietary formats › These are typically binary formats, so re-engineering is a large factor!
» There is no “Windows”: Only Windows XP, XP SP 2, XP SP 3, Vista, 7, 8, 8.1, 10 CE, Embedded, Server 2008, 2008 R2, 2012… › Many of them store data differently!
Comparison: Linux
» Less variation, as few distributions are in widespread use › In total many more versions, but some standardization (LSB)
Much less than Windows, even accounting for the various versions
» Data is typically stored less OS-dependent, but rather more application-dependent!
Consequence: Individual investigation and comparison of knowledge with actual system is necessary!
What to look for: Typical aims
Windows forensics 3
Files:
» At rest: File was there
» Executed: Program was started
» Moving: File was moved from/to system; source/destination
Logs:
» Something happened. Metadata still exists, but no content. › Example: Proxy log File was requested at ??? by IP ???; but the actual file
content is not available (at least not in the log!)
» Was the SW installation performed correctly?
Content:
» Memory: Esp. keys and passwords or traces of files/activities
» Backups, deleted files …
Configuration:
» If “this” happens/happened, the system will/did do “that”
Example: Program execution
Windows forensics 4
A program was executed: When – or wasn’t it?
Where do we look for traces?
» UserAssist: Registry
» MRU (Most Recently Used): Registry (somewhere else)
» Application Compatibility Cache: Registry (somewhere else)
» Prefetch: Separate files
» Executable file itself (timestamps): For outside limit(s)
Result:
» We have numerous locations
» Not all are updated simultaneously (or always; e.g. prefetch!)
» We have to look in all places … … and then combine results to get the best possible picture
Note: We have no guarantee that we get all information
» Might run without traces (but never: Traces without running!)
Where to look
Windows forensics 5
Recycle bin: Deleted files (not necessarily actually gone)
Print spool files: Traces of printouts
Preview icons: What files were present some time ago
Prefetch: What files were executed
Swap/Hibernation file: Traces of memory content
Windows Registry: OS + application configuration & data
» Recent files: Opened some time before
» USB device history: Connected devices
» Restore points: Old versions of files & registry
Autoruns: What happens on booting the OS
Event log: Traces of all kinds of things that happened
Not covered here
Windows forensics 6
Desktop: Normal file folder (but see metadata info!)
» Similar: MyDocuments, Recent Files, …
Pinned files/Jump lists
» Similar to recently used files › C:\Users\username\AppData\Roaming\Microsoft\InternetExplorer\
QuickLaunch\UserPinned\TaskBar
Start menu entries
» Actually a directory structure in user folder + overlay of general configuration in a different directory
» See also Windows 8 Tiles
Volume Shadow Copies: Similar to Restore points
» Located under <Volume>\System Volume Information
Windows 8 Refresh / Restore points
» Themselves, as well as artifacts left after refreshing/restoring
Windows 8 file history: Automatic backups of user data/files
Windows forensic: Recycle bin
Windows forensics 7
When deleting files normally, they end up in the recycler
» Shift+DEL Deleted immediately › Special tools/file carving!
» Something in the recycler Generally deleted intentionally › These files are completely recoverable: Name, content etc.
Emptying the recycle bin:
» The saved files are actually deleted; just like normal files › Their directory entries within the recycler folder remain
› Their data remains on the disk until overwritten
» The INFO2 file (see later) is deleted and a new one created › Sometimes only shortened, i.e. the record numbers continue
Deleting a single file from the recycle bin
» Changes the first byte of the record in INFO2 file to '00' › Typically drive letter; recreatable from drive number in record!
Note: Removable media does not have a recycle bin!
Windows forensic: Recycle bin
Windows forensics 8
Physical changes on deleting "into" the recycler:
» File entry deleted from original directory › Remains there until overwritten!
» Modified/Last Access updated
» The long filename is deleted
» File entry created in recycler directory › D<original drive letter><#>.<original extension>
Dc1.txt: Second deleted file from drive C, had “txt” extension
Note: In the Windows Explorer you always see only your own files and the filenames from the INFO file!
› Subdirectory: User-SID
» Information added to recycler index file ("INFO"/"INFO2" file) › Includes deletion time, original location, recycle bin index
Index allows discovery of deletion order!
› Attention: Windows Vista replaced the INFO file with a separate file named similar as the one with the deleted data!
http://support.microsoft.com/kb/136517
Windows forensic: XP Recycle bin
Windows forensics 9
The INFO2 file structure
» Binary file
» Contains the file name twice: ASCII and Unicode
» 20 Byte file header; Bytes 12-13 (-15?) are record size › Record size is usually 2003 = 0x0320 = 800 Bytes
Record structure
» 260 Bytes: Original file name (ASCII), including path
» 4 Bytes: Record number (starting at 0)
» 4 Bytes: Drive number (00 = A, 01 = B, 02 = C, …)
» 8 Bytes: Deletion time (FILETIME format, UTC)
» 4 Bytes: Physical file size (=Bytes on disk!) › Therefore always multiples of cluster size
› Actual file size: See directory entry of the file itself
» 520 Bytes: Original file name (Unicode), including path
Windows forensic: XP Recycle bin
Windows forensics 10
Original filename: C:\Documents and Settings\SONNTAG.ADS-FIM\Desktop\ EURO Calculator & Info.URL
Record number: 1
Drive number: 2 (= C: )
Deletion time: 0063E71E:D605C801 (=1EE76300:01C805D6, =3.10.2007 15:57:37 UTC)
Physical file size: 0x00100000 (=0x00001000, = 4096 Bytes
Vista/7/8 - Recycle bin
Windows forensics 11
Directory is same (User-SID), but organisation within differs
» Each file is stored directly with a new filename: › $R<six random characters>.<original extension>
» Information on “real” filename (and additional data): › $I<six random characters>.<original extension>
Additional data stored: › File length: 544 Bytes
» Magic number
» Original file size › Byte order is reversed!
» Date and time of deletion › Windows 64 Bit hex value
Little endian
» Original file name › 520 Bytes = 260 characters
Max. path length!
Same!
Print spool files
Windows forensics 12
When printing documents they are not immediately sent to the printer but rather stored in a local file
» Which is then sent to the printer › And deleted after successful completion
» Attention: Users can configure within the printer properties that the data is sent immediately to the printer; this is rare!
» Note: This applies to local printers only! › Network printers will have this file created on the print server
Typical file formats for spooling are:
» RAW: Directly as the printer wants it, e.g. Postscript or some proprietary format › Device dependent
› Can be re-printed simply by sending it to a (similar!) printer again
» EMF: Enhanced Metafile Format (32 Bit version of WMF) › Device independent
› Viewer programs available
Print spool files
Windows forensics 13
For each print job two files are created
» SHD: Job metadata (owner, printer, print method, …)
» SPL: Job data (RAW or EMF)
Contents of the SHD file:
» Username, Name of user to notify
» Document name
» Printing time: SYSTEMTIME structure (=UTC!)
» Page count
» Windows version
» Job ID
» Priority
» Printer name + driver + mode
» Printing processor + format
» Computer name
Thumbnails: Thumbs.db
Windows forensics 14
Thumbs.db: Hidden file to store thumbnail images (previews) of the files in a folder
» At least, if the folder was viewed in "Thumbnail view" at SOME time in the past when the file was already there
» Can be deactivated (Default: enabled) in Explorer properties › "Do not cache thumbnails"
» Deleting images from the disk will not remove the thumbnail from Thumbs.db! › They will never be removed from it!
Only solution: Delete Thumbs.db file (then recreated with current images)!
File format: OLE2 Compound Document (MS Office)
What is stored: JPEG, BMP, GIF, HTM
Encrypted files will still have an unencrypted thumbnail! › If viewed in thumbnail view when they were not yet encrypted …
» However, this security flaw was fixed at some time
Thumbnails: Thumbs.db
Windows forensics 15
Attention:
» Windows Vista does no longer have this file generally › See below, only for special circumstances
» Win2K+NTFS: Thumbnails in ADS (FAT Thumbs.db!)
Before Windows XP: Contained also drive letter and path
» Windows ME, Win2K
Take care when copying directories to a USB stick:
» When copying the directory, the Thumbs.db file is copied too
» When copying all files, it is not copied (unless shown anyway)
Thumbs.db can be used to prove that images actually were (but not necessarily seen; see below) on a certain computer: The Thumbs.db file is still there, and the files (including the same Thumbs.db) have been found somewhere else!
Thumbnails: Vista/7/8
Windows forensics 16
They create thumbnails for files on different media types
» Including removable and network drives
» Including files in encrypted containers, e.g. TrueCrypt
» But NOT for files encrypted with EFS, unless the thumbcache directory is also encrypted! › Vista: Thumbnails are not deleted if file is encrypted by EFS later
Central cache for all directories per user in his folder » %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer
Contains several files:
» Thumbcache_32{96,256,1024}.db › Individual thumbnails in the various sizes (32-1024 pixel)
» Thumbcache_idx.db: Central index for thumbnails › Required for finding the image in the cache files
» Thumbcache_sr.db: Unknown; constant content
Win 7: Last-modified field for each thumbnail removed
Thumbnails: Vista/7/8
Windows forensics 17
When a file is deleted, the cache entry will be deleted too (but not necessarily actually overwritten immediately!)
Thumbcache_??.db:
» Indirectly contains the filename: Hash+”.”+extension › The Windows Search database (Windows.edb) does contain the
ThumbnailCacheID too, so using this file we can also assign full filenames to the cache entries (Hash: Try all possible images and see if they match)!
› Hash: Volume GUID, FILEID (NTFS); extension, DOS last write (both >=Win7)
Windows >=8.1: Additional hash input: Precision loss between original last modified time and DOS modified time (as used in previous versions)
› Also: Size (depends on which thumbcache), checksums, offsets, image data
» JPG, PNG will remain, others are converted to BMP
» File carving: Entries (not file!) start with “CMMM”
Thumbcache_idx.db:
» ThumbnailCacheID + FILETIME when the original (!) file was created (Vista only)
Thumbnails: Vista/7/8
Windows forensics 18
Windows Vista/7/8:
» When accessing remote or mapped files, a Thumbs.db file is created in the remote folder › Note: This includes local directories accessed through UNC names
» Different file format than Windows XP
» Entries are not deleted when the file is deleted
Windows 8:
» Thumbs.db files will also be created for other kinds of access (=Explorer), but ONLY in directories under a user profile folder: C:\Users\<Username>\* › This does depend on the location, not on the user!
› Browsing another user’s folder will create the cache there
» Additional _16, _48, _WIDE files
Quick/Tassone/Choo, Forensic Analysis of Windows Thumbcache Files, Proceedings of 20th Americas Conference on Information Systems (AMCIS 2014), 7-10 August 2014 http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2429795
Thumbnails
Windows forensics 19
Confused?
» Brief overview:
Quick/Tassone/Choo, Forensic Analysis of Windows Thumbcache Files, Proceedings of 20th Americas Conference on Information Systems (AMCIS 2014), 7-10 August 2014 http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2429795 See also: https://thumbcacheviewer.github.io/
Thumbnails: Vista/7/8
Windows forensics 20
Attention!
» Thumbnails may be generated even when the folder has NOT been viewed in thumbnail (“Large Icons”) view! › If the “Details pane” is active, this is sufficient
At least for two files (two most recently modified ones, presumably)
» When pictures are accessed via a full UNC path and displayed in thumbnail view, a thumbs.db file is created in the folder in which the pictures resides › Only those pictures that were visible (many scrolling needed!)
› As the Thumbs.db file changed between OS (XP/Vista/7), based on this file you can identify the OS of the computer viewing them (not the one where the thumbs.db file is located!)
» Drag&Drop may also lead to thumbnails being created
Result: The presence of thumbnails does not necessarily mean, that the user has seen these pictures (or their
directory), only that they existed on the computer!
Parsonage: Under My Thumbs http://computerforensics.parsonage.co.uk/downloads/UnderMyThumbs.pdf
Windows prefetch
Windows forensics 21
Frequently (or recently) used applications are logged in a special folder: Speed up their start by noting which sectors from the disk will be required directly upon start
» These are then swapped in immediately, even if not at the start of the executable file
Stored in directory "C:\Windows\Prefetch"
» Naming: <Executable file name>-XXXXXXX.pf › XXXXX: Hash of location from where it was run
» Count of executing the program: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ UserAssist\{GUID}\Count › ROT-13 encoded!
› "Data": 5th byte -5 = Count of execution
» Maximum count (XP): 128 entries
» Contains also references to loaded modules
Windows prefetch
Windows forensics 22
When is it updated?
» XP: Boot time and application launch, 2003: Boot time (def.)
» Disabled for SSD disks by default
Attention: Prefetch is system-wide
» You cannot tell from the file which user executed it › But with MAC time this may be possible
If you know who was logged on at which time
› See also the UserAssist registry entries (previous slide; HKCU!)
Note the MAC times of the files:
» Created: Program was started for the first time
» Modified: Program was started for the "last" time › Attention: Prefetch files will not be updated after some time
Probably when windows decides it exactly knows what to do
» Accessed: Last run time of the program › Attention: No longer updated by default on Vista or later!
Disabling prefetch: http://msdn2.microsoft.com/en-us/library/ms940847.aspx
Windows prefetch
Windows forensics 23
.pf file content
» Filename: Offset 0x10
» Timestamp: FILETIME at offset 0x78 (XP)/0x80 (>=Vista)
» Run count: DWORD at offset 0x90 (XP)/0x98 (>=Vista)
» Magic number at start: 0x11 (XP)/0x17 (>=Vista) 0x00 0x00 0x00 “SCCA”; has no end marking
» List of files accessed in the first 10 minutes › Can be used to inspect suspected malware (what did they load) or media
files launched through double-clicking them
› Can provide information on paths no longer existing
Example: TrueCrypt volume, deleted executables etc.
Layout.ini: List of files used on booting
» Used for arranging files during defragmentation
» Unwanted programs started on booting?
Swap/Paging file
Windows forensics 24
Contains pages from the memory
» Not necessarily in a “useful” order!
» Data may remain there for a very long time as well › If this sector happens to not being used
Attention: Normal shutdown may delete, truncate, or overwrite the swap file!
» In important cases it is therefore necessary (after doing live analysis) to pull the plug, but not shutdown the system!
A hidden file (Linux: Partition!): C{D…}:\pagefile.sys
Typical application for file/data carving: Assembling a file/some content from numerous smaller parts
» Very difficult and unreliable, unless complete and in correct order (this is likely true only for very small files/data elements)!
Practical usage: Search for strings/regular expressions
Swap/Paging file
Windows forensics 25
Attention: Anything found in there is “unreliable"!
» You don't know when this information was put in there
» You don't know which user was logged in at that time
» The data might already have been on the disk when the paging file was created
The swap file need not be located in contiguous sectors
» There may be small "holes", which perhaps are not reused for a long time because they are so small › Good location for finding “old” file fragments
Hibernation file
Windows forensics 26
Similar to the swap file: Contains memory pages
» But here it is a complete image of the total memory!
» May be smaller or larger than the swap file
Can be used to recreate the last use of the computer
» Virtual machines come in handy for this
A hidden file: C:\Hiberfil.sys
Attention: The first block will always be overwritten with zeros after boot, so never wake up a hibernated computer without obtaining a forensic copy before!
» Rest of the file remains unchanged until the next hibernation
» So the state at a previous point in time might be recreated partly (computer won’t run, but memory might be “salvaged”)
The hibernation file is compressed: No plain text search
Hibernation file
Windows forensics 27
Very important in case of disk encryption: When the computer is running, the key is in the memory.
» Creating a memory dump will allow decrypting the disk
» Not necessarily booting The password is not recovered, only the cryptographic key. But a decrypted disk might allow (with some modifications) booting!
» When hibernated Hibernation file is encrypted itself, so it is not very useful then….
Other kinds of encryption, e.g. TrueCrypt containers
» Keys are in memory too
» Hibernation files are part of shadow copies too, so keys from containers opened weeks before might still be on the disk!
Password cracking/recovery software has special analysis functions to extract password/keys from it
The Windows Registry
Windows forensics 28
The Registry is similar to a file system:
» Hierarchical storage of data
» Keys = Directories
» Values = Files › Name, Data and Type (BINARY, DWORD, SZ, MULTI_SZ, EXPAND_SZ)
5 root keys exist:
» HKLM: HKEY_LOCAL_MACHINE (Computer-specific data)
» HKU: HKEY_USERS (User-specific data)
» HKCR: HKEY_CLASSES_ROOT (application settings, file associations, class registrations for COM objects) › Link to HKLM\Software\Classes
» HKCC: HKEY_CURRENT_CONFIG (Current hardware config.) › Link to HKLM\System\CurrentControlSet\Hardware Profiles\Current
» HKCU: HKEY_CURRENT_USER (Current user's data) › Link to HKU\<SID of current user>
Registry: Physical storage
Windows forensics 29
The Registry is logically a "single file"
» But parts are stored in different files or created dynamically
File locations:
» HKLM\SAM %SYSTEMROOT%\System32\config\SAM
» HKLM\Security %SYSTEMROOT%\System32\config\SECURITY
» HKLM\Software %SYSTEMROOT%\System32\config\software
» HKLM\System %SYSTEMROOT%\System32\config\system
» HKLM\Hardware Stored in memory only – not on disk!
» HKU\.Default %SYSTEMROOT%\System32\config\default
» HKU\<SID> %USERPROFILE%\NTUSER.DAT
» HKU\<SID>_Classes %USERPROFILE%\Local Settings\ Application Data\Microsoft\Windows\UsrClass.dat
User/… identifiers: SID
Windows forensics 30
SID = Security Identifier » S-1-0-0 (Nobody): A group with no members
» S-1-1-0 (Everyone): A group that includes all users
» S-1-2-0 (Local): Users who logged on locally
» S-1-2-1 (Console Logon): Users on the phys. console
» S-1-3-0 (Creator Owner): The user who created a new object
» S-1-3-1 (Creator Group): The primary group of the user who created a new object
» S-1-5-2 (Logon Network): Users logging on via network
» S-1-5-7 (Anonymous): Anonymous logged on users
» S-1-5-18 (Local System): The OS itself
» S-1-5-19 (Local Service): Service account
» S-1-5-20 (Network Service): Service account
» S-1-5-21-?????-500: Administrator
» S-1-5-32-544 (Administrators): Group of all administrators
Installation dependent (unique!)
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379649%28v=vs.85%29.aspx http://support.microsoft.com/kb/243330/en-us
Obtaining access to an account
Windows forensics 31
No password for a Windows account? Login might still be possible!
Passwords are stored as hashed values in the Registry (SAM)
Procedure:
» Obtain Password Reset CD
› Obviously possible also manually as well, just very complex (find registry on disk, find location in registry)
» Boot from this CD
» Let it overwrite the hash in the registry with a known one
› Can be anything, e.g. an empty password
» Shutdown and reboot in Windows
» Enter the password and log in
Drawback:
» Encrypted files will be “destroyed” by this!
› Why? EFS needs the actual password for decryption
› Merely “being” the user is insufficient!
Note: This technique is generic. It works the same way for Linux or any other application storing the passwords as hashes where they are accessible (potentially only “offline”!)
AutoRun
Windows forensics 32
AutoRun Programs
» Long list of locations in registry, e.g.
› HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; \RunOnce
› HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ Run resp. \RunOnce
› Same under HKCU!
› Explorer hooks, like HKLM and HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
› Print monitors: HKLM\SYSTEM\CurrentControlSet\Print\Monitors
› Winlogon notifications
» Long list of locations outside the registry, e.g.
› “Startup” folder in start menu of user profile
› Scheduled tasks
» Problem: Things might be started from anywhere; no “authoritative list” from Microsoft available
Useful tool: AutoRuns from Microsoft
» Will show all locations that are currently known
http://technet.microsoft.com/en-en/sysinternals/bb963902
Autorunner
Windows forensics 33
Like AutoRun (based on it), but
» Runs on multiple user accounts in one go
» Parse LNK files to the actual file linked
» Allows specifying multiple drive mappings
› Different partitions were images to different files/mounted drives
» Can perform hash checks against VirusTotal
(http://www.woanware.co.uk/forensics/autorunner.html) http://www.chip.de/downloads/Autorunner_13007784.html
Installed software
Windows forensics 34
Software might be installed, although not visible as an icon on the desktop or in any start menu
» Registry keys are usually created during installation, but not always removed (although they should be) when the program is uninstalled › HKLM\SOFTWARE\Microsoft\Windows\C.V.\App Paths
› HKLM\SOFTWARE\Microsoft\Windows\C.V.\Uninstall
» Separate registry keys for application settings might exist too
Verification:
» Check for the actual executable at the contained path
» Check timestamp on registry key
Cross-verification: Search for all executable files
» Note: Will not work for all kinds of plugins!
RegRipper
Windows forensics 35
A tool to “rip” the registry
» Attention: Will not let you view open registry hives!
Use: Collection of registry keys with interesting values
» Very large collection, and provides explanations too
Example output (“listsoft” plugin only): » listsoft v.20080324
» (NTUSER.DAT) Lists contents of user's Software key
» listsoft v.20080324
» List the contents of the Software key in the NTUSER.DAT hive
» file, in order by LastWrite time.
» Tue May 14 14:55:56 2013Z Cygwin
» Thu Dec 20 16:35:24 2012Z X-Ways AG
» Mon Dec 17 16:35:28 2012Z Hewlett-Packard
» Mon Dec 17 16:26:05 2012Z Microsoft
» Mon Dec 17 16:06:55 2012Z AMD
» Mon Dec 17 16:06:55 2012Z Wow6432Node
» Mon Dec 17 16:06:51 2012Z ATI
» Mon Dec 17 15:13:03 2012Z JavaSoft
» Mon Dec 17 13:03:18 2012Z Realtek
Source: https://code.google.com/p/regripper/wiki/RegRipper Organizing the process: AutoRip (plugins are grouped into collections)
Recent files: MRU lists
Windows forensics 36
MRU = Most Recently Used
Usually stored within the registry
Common lists include:
» Start menu: HKCU Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
› Equivalent of %USERPROFILE%\Recent
="My Recent Documents"
› Includes both local and network files!
» Run box: HKCU Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
› In order of most recently added (not: Used)!
» Files (Common dialog box): HKCU\Software Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
» Typed URLs in IE: HKCU Software\Microsoft\InternetExplorer\TypedURLs
Recent files: MRU lists
Windows forensics 37
» Windows default search: HKCU Software\Microsoft\SearchAssistant\ACMru
› Subkey "5603": Search terms for folders and filenames
› Subkey "5604": Search terms for words/phrases within files
Note: MRU list locations depend heavily on the
» Windows version
» Software version
» Installed patches
» Program configuration!
» Use software on a copy of the evidence when using the program to identify the registry keys modified › E.g. SysInternals RegMon
Typically key names for other software are:
» Settings, MRU, Recent, Opened, …
Last opened application
Windows forensics 38
HKCU\Software\Microsoft\Windows\CurrentVersion\ Explorer\ComDlg32\LastVisitedPidMRU (<Vista: LastVisitedMRU)
» Applications last used to access the files listed in OpenSavePidMRU (OpenSaveMRU)
» Contains path information as well
Running SW: App Compatibility
Windows forensics 39
Some applications might have problems running on newer version of Windows. These can be partially solved by replacing certain system functions by older versions (or in-memory patching, additional flags, …).
This is a database on disk, but the registry contains a cache of a number of items from it
» Drawback: Only some elements; format changed several times: XP – Vista/2008 – 7/2008R2
What is in there?
» Executables recently run
» Last modification time
» File was executed?
» File size
» Last time file was run
https://www.mandiant.com/blog/leveraging-application-compatibility-cache-forensic-investigations/
MUI cache
Windows forensics 40
When an application is started, the shell stores the application name in the registry
› Name: Multilingual User Interface Cache
» Content: “FileDescription” from resource of executable › Unfortunately nothing else
› Note: All are values in a single (few) keys Timestamp useless
» XP/2000/2003: › HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
» Vista/7/2008 › HKCU\Software\Classes\Local
Settings\Software\Microsoft\Windows\Shell\MuiCache
› HKCU\Software\Classes\Local Settings\MuiCache\**
https://www.mandiant.com/blog/execute/
File execution hints
Windows forensics 41
Other caches whether files were executed:
» HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ StartPage\ProgramsCache
» HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ StartPage2\ProgramsCache
» HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ StartPage2\ProgramsCacheTBP
» HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ StartPage2\ProgramsCacheSMP
https://tzworks.net/prototype_page.php?proto_id=19
Recent files
Windows forensics 42
Entries in "Recent", "Send to", "Start Menu", …
» Can prove the existence of files now deleted › Note: Usually not produced on creating/copying, but only on opening!
» Especially useful for removable media, e.g. USB sticks
Saved on the disk as ".LNK" files, i.e. shortcuts
These contain a lot of information:
» File location
» Type of disk (hard disk, removable media, CD, …)
» File attributes, length, …
» Icon information
» MAC times
May contain additional data
» Working directory, shell item ID, description, command line arguments, custom icon etc.
USB device history
Windows forensics 43
When a USB device is connected to a computer, this is "logged" within the registry
» I.e., configured and appropriate driver (if necessary) installed
» This information remains when the device is disconnected!
Note: Most USB storage devices possess a unique serial number
» So the exact item can be recognized, not only its class/manufa.! › Software: UVCView from Microsoft
Registry key: HKLM\System\ControlSet00?\Enum\USBSTOR
» Subkey: Vendor, Producer and Revision
» Sub-Subkey: Serial number (if existing; else generated)
» ParentIdPrefix: Corresponds to HKLM\System\MountedDevices
› Binary value!
See also software: USBDeview!
Excursion: Device installation
Windows forensics 44
XP: In “C:\Windows\setupapi.log” the first installation of a driver is logged
Win Vista, 7…: more complex, but more data
» C:\Windows\inf\setupapi.app.log: „Application“ installation › Still used for devices and not programs (“wrong” name)!
„…application software installations that are associated with device driver installations.”
» C:\Windows\inf\setupapi.dev.log: Device log › Containes e.g. unique Ids of USB devices
» C:\Windows\inf\setupapi.offline.log: Initial installation
» C:\Windows\setupact.log: Setup activities during installation
» C:\Windows\setuperr.log: Errors during installation
Never deleted, only exact source of first plugin times
Created by default, cannot be turned off via registry
Remains during an OS upgrade
https://msdn.microsoft.com/en-us/library/windows/hardware/ff550900%28v=vs.85%29.aspx
Windows forensics 45
Graphic shows which files are used for logging when
» Initial Windows installation
» The last section is the same as in “normal” use!
https://technet.microsoft.com/en-us/library/ee851579%28v=ws.10%29.aspx
Excursion: Device installation
Windows forensics 46
C:\Windows\inf\setupapi.app.log example » >>> [DIF_INSTALLDEVICE - ROOT\*ISATAP\0004]
>>> Section start 2015/07/20 08:06:42.086 cmd: C:\Windows\system32\svchost.exe -k netsvcs cci: NdisCoinst: Guid of the adapter is {E18371B6-A10D-48AA-BFB6-7902DE674188} cci: NdisCoinst: IfType 131, Characteristics 0x9, IsIrdaDevice 0, PhysicalMediaType 0, MediaType 15, IsBridge 0, FoundGuidInDownlevel 0, EnableDhcp 2 cci: NdisCoinst: Connection name is Local Area Connection* 11 cci: NdisCoinst: Allocated NetLuidIndex is 10 dvi: {Writing Device Properties} ! dvi: Device restart was skipped becasuse the DI_DONOTCALLCONFIGMG flag was set. <<< Section end 2015/07/20 08:06:42.149 <<< [Exit status: SUCCESS]
C:\Windows\inf\setupapi.dev.log example » >>> [Device Install (Hardware initiated) -
USBSTOR\Disk&Ven_Generic&Prod_External&Rev_2.10\5A383430335A445620202020&0] >>> Section start 2015/06/16 08:09:36.946
» … 300 lines log entries …
» ump: Server install process exited with code 0x00000000 08:09:37.440 <<< Section end 2015/06/16 08:09:37.455 <<< [Exit status: SUCCESS]
Real typo of Win !
Windows forensics 47
Vendor: TinyDisk (Case label: "extreMEmory USB 2.0 4GB")
Product: 2007-06-13, Rev. 0.00
Serial number: 000000000001E1
ParentIdPrefix: 7&362d04ba&0
» HKLM\System\MountedDevices: "\DosDevice\G:" \??\STORAGE#RemovableMedia#7&362d04ba&0&RM#{53f5630d-b6bf-11do-94f2-00a0c91efb8b}
USB device history: setupapi.log
Windows forensics 48
[2007/07/20 11:42:13 840.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disktinydisk2007-06-13______0.00,usbstor\disktinydisk2007-06-13______,usbstor\disktinydisk,usbstor\tinydisk2007-06-13______0,tinydisk2007-06-13______0,usbstor\gendisk,gendisk
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "GenDisk" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I023 Actual install section: [disk_install.NT]. Rank: 0x00000006. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [disk_install] in "c:\windows\inf\disk.inf".
#I320 Class GUID of device remains: {4D36E967-E325-11CE-BFC1-08002BE10318}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_TINYDISK&PROD_2007-06-13&REV_0.00\000000000001E1&0".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [disk_install.NT.Interfaces] from "c:\windows\inf\disk.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "USBSTOR\DISK&VEN_TINYDISK&PROD_2007-06-13&REV_0.00\000000000001E1&0".
#I121 Device install of "USBSTOR\DISK&VEN_TINYDISK&PROD_2007-06-13&REV_0.00\000000000001E1&0" finished successfully.
Note: This file exists on Windows XP and earlier only!
Note: This file exists on Windows XP and earlier only!
USB device history: setupapi.dev.log
Windows forensics 49
>>> [Device Install (Hardware initiated) - USB\VID_13FD&PID_1340\5A383430335A445620202020]
>>> Section start 2015/06/16 08:09:36.665
ump: Creating Install Process: DrvInst.exe 08:09:36.665
ndv: Retrieving device info...
ndv: Setting device parameters...
ndv: Searching just Driver Store...
dvi: {Build Driver List} 08:09:36.680
dvi: Searching for hardware ID(s):
dvi: usb\vid_13fd&pid_1340&rev_0210
dvi: usb\vid_13fd&pid_1340
dvi: Searching for compatible ID(s):
dvi: usb\class_08&subclass_06&prot_50
dvi: usb\class_08&subclass_06
dvi: usb\class_08
cpy: Policy is set to make all digital signatures equal.
dvi: Enumerating INFs from path list 'C:\Windows\INF'
inf: Opened PNF: 'C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf' ([strings.0409])
dvi: Created Driver Node:
dvi: HardwareID - USB\Class_08&SubClass_06&Prot_50
dvi: InfName - C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf
dvi: DevDesc - USB Mass Storage Device
dvi: DrvDesc - USB Mass Storage Device
dvi: Provider - Microsoft
…..
Hex: Convert to ASCII = “Z8493ZDV” This is the serial number!
USB device history
Windows forensics 50
Last connection: HKLM\System\ControlSet00?\Control\DeviceClasses
» Subkey "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": Disks › Contains a subkey with the serial number included
» Subkey "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}": Volumes › Contains a subkey with the ParentIdPrefix included
» The LastWrite Time of these keys is the date and time the device was last connected to the computer
Accessing the LastWrite time:
» Special tools, or
» Regedt32: Export as text and open in Notepad » Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-
94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_TinyDisk&Prod_2007-06-13&Rev_0.00#000000000001E1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
» Class Name: <NO CLASS>
» Last Write Time: 21.12.2007 - 09:12
» Value 0
Registry: Owner information
Windows forensics 51
Owner/Organization: HKLM\Software\Microsoft\ Windows NT\CurrentVersion
» RegisteredOwner: Owner name
» RegisteredOrganization: Organization name
» ProductId: Product ID
» DigitalProductId: Contains encrypted license key (Bytes 52-66)
» InstallDate: Installation date (UNIX timestamp)
» SystemRoot: Windows installation directory
Last user:HKLM\Software\Microsoft\Windows NT\ CurrentVersion\Winlogon
» DefaultUserName: Last logged in user › When? Timestamp of key!
» DefaultDomainName: Last domain logged into
» DontDisplayLastUserName: Don't store information above
http://www.dagondesign.com/articles/windows-xp-product-key-recovery/ http://geekswithblogs.net/willemf/archive/2006/04/23/76125.aspx
Registry: Timezone information
Windows forensics 52
Data from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones is copied here
» ActiveTimeBias: Current Δ (0xffffff88 = -120 = 2 h E of GMT)
» DaylightBias: Delta during DST (= -60 = 1 h East of GMT)
» Daylight-/StandardStart: Should be SYSTEMTIME structure › Year, Month (1=Jan), Day of week (0=Sun), Week (5=last), Hour, Min, Sec,
ms (two bytes each); (doesn’t match above!)
Last Sunday in March at 02:00 – Last Sunday in October at 03:00
http://msdn.microsoft.com/en-us/library/ms725481%28v=vs.85%29.aspx http://msdn.microsoft.com/en-us/library/ms724950%28v=vs.85%29.aspx
Registry: Network shares
Windows forensics 53
"My Network Shares": List of shares within the LAN HKCU\Software\Microsoft\Windows\Current Version\ Explorer\ComputerDescriptions
» Allows reconstruction of a past view, i.e. what shares were accessed by the user
» Contains computers, shares (directories) and printers
» Value: Name = server/share/printer; Content = Description
Registry: WLANs
Windows forensics 54
When accessing a WLAN, its SSID is stored: HKLM\ Software\Microsoft\WZCSVC\Parameters\Interfaces
» Subkeys look like GUIDs with values for "ActiveSettings", "Static#000?", …
» The values for "#Static000?" contain the SSIDs at offset 0x14
IP address information for this connection (last only): HKLM\System\ControlSet00?\Services\Tcpip\Parameters\Interfaces
» Look for the same "GUID" key as of the WLAN!
» Dhcp*: Data on DHCP server, assigned address, netmask, default gateway, domain, nameservers, …
» LeaseObtainedTime/-TerminatesTime: Unix 23 Bit Timestamp › When the Address was received and what is the definite last time it could
have been used (but not: was used!)
Registry: Timestamps
Windows forensics 55
Every single registry key has a "LastWrite" time value
» Does NOT exist for registry values!
» Format: FILETIME
» Updated, when a registry value directly within this key is created, modified, or deleted
Win2K and WinXP registry editors are flawed › Regedit.exe, regedt32.exe
» Registry values with a name length of 256-259 characters are not shown › Values afterwards are suppressed as well
› Subkeys are inaccessible too
» But "reg.exe", the console registry tool, can show (and manipulate) such values!
http://search.cpan.org/~adamk/Win32-TieRegistry-0.25/TieRegistry.pm
Registry: Various data
Windows forensics 56
Thinking about shutting down a suspect's computer?
» First check: HKLM System\CurrentControlSet\Control\SessionManager\MemoryManagement\ClearPageFileAtShutdown
› Value "1": Paging file NOT deleted, but overwritten with zeros
HKLM\System\CurrentControlSet\Control\FileSystem\ NtfsDisableLastAccessUpdate
» Disables writing “last access timestamp” on the file system › Will still be changed on file modifications (i.e. writing to it), but not on
reading, accessing properties etc! Set to “1” by Default since Vista.
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
» Contains IE auto-complete passwords (encrypted)
» Content not directly accessible, not even with regedt32
» But can be read in live systems or by parsing the registry file
Substituting executed programs
Windows forensics 57
Allows hiding what programs were actually executed!
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ Image File Execution Options
» Create subkey with name of executable, e.g. "calc.exe"
» Create string with name "Debugger" and value of alternate program, e.g. "C:\Windows\notepad.exe"
» Typing "calc.exe" will then start the text editor › With "calc.exe" as parameter
or whatever the "original" file was, e.g. a .lnk file!
» Shows only the "original" program in history lists!
HKCR\{exe|com|bat}file\shell\open\command
» Default value contains command to execute ".exe" files › Similar for the explorer context menu:
HKCR\Drive\shell and HKCR\Folder\shell
Process information
Windows forensics 58
The task manager shows the current processes, but only little information is available; most is statistical in nature
So “live” monitoring of activities might be useful
» Active users on a server
» Especially software (=i.e. specific processes)
Additionally it is very useful in the forensic process
» “We assume that this happens to the timestamps, when a user performs this action.”
» Monitoring the system while doing it allows verifying whether this is really a result, and whether it stems from this action
Also useful: Registry diffs
» Copy registry Install software/perform action/… Copy registry Identify differences
Process information
Windows forensics 59
“Process Monitor” allows deep investigations:
» Realtime monitoring of all activity in file system, registry, network, and process (e.g. create child) of all processes › Needs serious filtering: Thousands of events per second!
› And starts logging immediately upon start (CTRL+E stops)…
» Attention: Will automatically exclude several elements: Itself (obviously!), but also Autoruns.exe, FASTIO operations, everything ending in “pagefile.sys”/”$Mft”/”$LogFile”/…, the System process, profiling events etc.
Typically of use if we need to find out:
» Who accesses some resource (file, registry key, …)
» What a specific process is doing
Attention: May slow down Windows when capturing!
Windows Sysinternals: Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
System restore points
Windows forensics 61
Stored under C:\System Volume Information
» Not accessible through Explorer, but by forensic tools! › Not even for the administrator!
Deleting a single one is very hard (but: “all” or “all but last” is easy)!
By default created every 24 hours & retained for 90 days › Registry: HKLM\Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore
» Also: Manually, before Windows update/SW installation…
» When reverting to a previous point, another restore point is created (to allow going "forward“ again) › Restoration is recorded in the system event log (Event ID 110)!
» Disabling them is possible › Less than 200MB free on system drive automatically disabled!
» Restoring is logged in the event log
Based on VSS (Volume Shadow Copy Service)
» Will create a copy if something changes Fast to create
» Maximum of 64 per volume
http://128.175.24.251/forensics/restorepoints.htm
System restore points
Windows forensics 62
Content:
» Files to restore (see change.log for original path/filename) › Documents (some), executables, …; Drivers and system files
› Typically not any user files!
At least, not if they are in the normal location / normal file formats
» Subfolder "snapshot": Registry files (SAM, Security, Software, System, .Default, NTUSER files, USRCLASS files)
Getting access:
» Run “cmd.exe” as Administrator
» “vssadmin list shadows“ shows all shadow copies
» “mklink /d c:\<directory> \\?\GLOBALROOT\Device\<ShadowName>\“ to create a symbolic link from <directory> to a specific shadow, which can then be investigated like a normal directory › Permission problems may still occur!
Changing permissions doesn’t work : Shadow copies are read-only
Event log
Windows forensics 63
Event logs are normal files
» Location: Specified in registry ( to allow relocation) › E.g. security: %SYSTEMROOT%\System32\config\SecEvent.Evt
» Can be recovered through file carving etc.
» Fixed size; configurable per log (typ. 512 kB – 16 MB)
Problem: Security logging is off by default
» Application and System are on by default
Clean shutdown: Offsets of oldest & newest entries written to header; a “clean” flag set (“dirty” when active)
» While in use, trailer (after current last entry) has data
» Common source of corruption in forensics (pulling plug!)
Event log
Windows forensics 64
>=Vista: More logs (Setup, Administrative tasks, …)
» File format changed (*.evt *.evtx): Binary XML › Much easier to parse!
» Logs are now separated into “channels” › Windows: Application, Security, System, Setup, ForwardedEvents
› Applications and Services: Many channels of individual applications or components
New version since Windows 10
» Mostly the same as since Vista ( backwards compatible!)
» Improvement: You can add your own XML data to an event
https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949
Event log
Windows forensics 65
Content:
» Each Event has an EventId, specifying its type › Examples: 528, 540 = Logon, 538 = Logoff
› Contains additional details
These change with Windows versions Use same or newer!
» Timestamp, …
» Record number: Used consecutively ( no record deletion!)
Inspection possible through windows
» Or LogParser: Allows SQL-like queries against the log! › And against various other file formats as well
Reliability of event logs: Quite good
» Modifications are difficult, but not impossible
» Deleting some elements is very hard
» But: Deleting the whole log is quite trivial
Windows forensics 66
Location: %SYSTEMROOT%\system32\LogFiles\Firewall\pfirewall.log
Logging is turned off by default
» Activating: Windows Firewall – Advanced Settings – Windows Firewall Properties – Logging
Separate: Event log
» Firewall rules and connection security rules changes
» I.e., configuration, but not the individual "problems"!
Internet Connection Firewall: Logs
Windows forensics 67
Log file format: See file header!
» #Version: 1.5 #Software: Microsoft Windows Firewall #Time Format: Local #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
Example: » 2012-08-23 11:11:09 ALLOW TCP 140.78.100.211 140.78.3.160 1735 80 0 - 0
0 0 - - - SEND
› Outgoing web request to JKU webserver
» 2012-08-23 11:11:19 ALLOW UDP fe80::a400:fe81: 4022:2a12 ff02::1:2 546 547 0 - - - - - - - SEND
› Outgoing DHCPv6 request ("Solicit")
» 2012-08-23 11:20:23 ALLOW ICMP 140.78.100.164 140.78.100.211 - - 0 - - - - 8 0 – RECEIVE
› Incoming ping request
Summary
Windows forensics 68
Especially the Registry is a treasure trove of information
» But the data is very well hidden under obscure names/IDs
» Special attention needs to be paid to how reliable the data is › Windows version, source of description of keys/values etc.!
› Try it out on a copy and monitor the changes made
E.g. using registry-diff software, sandboxing software
» Restore points contain previous versions of the registry
» But it is hard to know exactly what is there to be found!
Activity remnants may remain for a long time: Recycle bin records, print spool files, event log…
» Sometimes even forever (thumbs.db) unless explicitly removed!
Restricting the investigation is therefore very desirable
» Only a subset of data need then be searched for/through!
Thank you! Questions?
Thank you!
Any questions?
https://www.ins.jku.at
Windows forensics 69
Michael Sonntag
+43 (732) 2468 – 4137
S3 235 (Science park 3, 2nd floor)
Links
Windows forensics 70
Windows Recycle Bin: http://www.foundstone.com/us/resources/proddesc/rifiuti.htm
MRU locations: http://windowsxp.mvps.org/RegistryMRU.htm
Windows Spool Files http://www.undocprint.org/winspool/spool_files
Hurlbut, D.: Thumbs DB File Forensic Issues http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf
USBDeview http://www.nirsoft.net/utils/usb_devices_view.html
System Restore Point Log Decoding http://www.ediscovery.co.nz/wip/srp.html
Links
Windows forensics 71
Murphey, Rick: Automated Windows event log forensics: http://www.dfrws.org/2007/proceedings/p92-murphey.pdf
LogParser: http://www.microsoft.com/germany/technet/ datenbank/articles/600371.mspx
Rob Faber: Windows log forensics: http://www.net-security. org/dl/insecure/INSECURE-Mag-16.pdf page 86
Rowe, Eric: Volume Shadow Copy and Registry Forensics http://montcs.bloomu.edu/~bobmon/DigFor/2012.HTCIA-conference/Talks/HTCIA%202012%20-%20VSC%20and%20Registry.pdf