Windows 7 Foreniscs

Windows
7:
Current Events in the World of
Windows Forensics
Harlan Carvey Troy Larson
Digital Crimes Consortium 2009

Introduc)on
•  The Digital Forensics Subject Ma4er Exper8se
Stack:
Applications—e.g.,
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, ExFAT
Fvevol.sys
Mount, Partition & Volume
Managers
•  Thanks to Eoghan Casey.
“Disk”

Where Are We Now?
•  Vista & Windows 2008
–  BitLocker
–  Format-‐Wipes the volume.
–  ExFAT
–  Event Logging—format, system, scheme.
–  Virtual Folders & Registry
–  Volume Shadow Copy
–  Links, Hard and Symbolic
–  Change Journal
–  Recycle Bin
–  Superfetch

Where Are We Now?
•  Windows 7 & Window 2008 R2
–  New BitLocker.
–  BitLocker To Go
–  VHDs—Boot from, mount as “Disks.”
–  XP Mode.
–  Flash Media Enhancements.
–  Libraries, SXcky Notes, Jump Lists
–  Service and Driver triggers.
–  I.E. 8, InPrivate Browsing, Tab and Session Recovery
–  Volume Shadow Copy

“Disk”
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, ExFAT
Fvevol.sys
Managers
“Disk”

Windows 7“Disk”
Note disk
signature:
2E140032
0x1b8-‐1bb

Windows 7“Disk”
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MulXfuncXonAdapter
\0\DiskController\0\DiskPeripheral\0

Vista “Disk”
Note disk
signature:
2E140032
0x1b8-‐1bb

Vista “Disk”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\
1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000

ParXXons and Volumes
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, ExFAT
Fvevol.sys
Managers
“Disk”

•  ACTIVE -‐ Mark the selected parXXon as acXve.
•  ADD -‐ Add a mirror to a simple volume.
•  ASSIGN -‐ Assign a drive le?er or mount point to the selected volume.
•  ATTRIBUTES -‐ Manipulate volume or disk a?ributes.
•  ATTACH -‐ A?aches a virtual disk file.
•  AUTOMOUNT -‐ Enable and disable automa)c moun)ng of basic volumes.
•  BREAK -‐ Break a mirror set.
•  CLEAN -‐ Clear the configuraXon informaXon, or all informaXon, off the disk.
•  COMPACT -‐ Afempts to reduce the physical size of the file.
•  CONVERT -‐ Convert between different disk formats.
•  CREATE -‐ Create a volume, par))on or virtual disk.
•  DELETE -‐ Delete an object.
•  DETAIL -‐ Provide details about an object.
•  DETACH -‐ Detaches a virtual disk file.
•  EXIT -‐ Exit DiskPart.
•  EXTEND -‐ Extend a volume.
•  EXPAND -‐ Expands the maximum size available on a virtual disk.
•  FILESYSTEMS -‐ Display current and supported file systems on the volume.

•  FORMAT -‐ Format the volume or par))on.
•  GPT -‐ Assign afributes to the selected GPT parXXon.
•  HELP -‐ Display a list of commands.
•  IMPORT -‐ Import a disk group.
•  INACTIVE -‐ Mark the selected parXXon as inacXve.
•  LIST -‐ Display a list of objects.
•  MERGE -‐ Merges a child disk with its parents.
•  ONLINE -‐ Online an object that is currently marked as offline.
•  OFFLINE -‐ Offline an object that is currently marked as online.
•  RECOVER -‐ Refreshes the state of all disks in the selected pack.
–  Afempts recovery on disks in the invalid pack, and resynchronizes mirrored volumes and RAID5 volumes that have stale
plex or parity data.
•  REM -‐ Does nothing. This is used to comment scripts.
•  REMOVE -‐ Remove a drive lefer or mount point assignment.
•  REPAIR -‐ Repair a RAID-‐5 volume with a failed member.
•  RESCAN -‐ Rescan the computer looking for disks and volumes.
•  RETAIN -‐ Place a retained parXXon under a simple volume.
•  SAN -‐ Display or set the SAN policy for the currently booted OS.
•  SELECT -‐ Shii the focus to an object.
•  SETID -‐ Change the parXXon type.
•  SHRINK -‐ Reduce the size of the selected volume.
•  UNIQUEID -‐ Displays or sets the GUID parXXon table (GPT) idenXfier or master boot record (MBR) signature
of a disk.

BitLocker—FVEVOL.sys
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, ExFAT
Fvevol.sys
Managers
“Disk”

BitLocker: Vista
•  Physical level view of the header of the boot sector of
the second parXXon, the BitLocker protected volume:
–  0xEB 52 90 2D 46 56 45 2D 46 53 2D
–  ëR-‐FVE-‐FS-‐

BitLocker: Windows 7
•  Physical level view of the header of the boot sector of
the second parXXon, the BitLocker protected volume:
–  0xEB 58 90 2D 46 56 45 2D 46 53 2D
–  ëX-‐FVE-‐FS-‐

•  BitLocker in Windows 7 & Windows 2008 R2
is NOT compaXble with BitLocker in Vista &
Windows 2008.
•  Forensics tools may not recognize the new
BitLocker volume header.
•  Use Windows 7 or 2008 R2 to open (and
image) BitLocker volumes from Windows 7
or 2008 R2.


BitLocker

BitLocker

BitLocker Review or Imaging
  FVEVOL.SYS sits
underneath the file
system driver and
Application performs all
User Mode encrypXon /
Kernel Mode
decrypXon.
File System Driver •  Once booted, Vista
(and the user) sees
Fvevol.sys
no difference in
experience.
Volume Manager
•  The encrypXon /
decrypXon happens
at a lower level.

Application
User Mode
Kernel Mode
File System Driver
Fvevol.sys
Volume Manager





•  BitLocker Recovery Key 783F5FF9-‐18D4-‐4C64-‐AD4A-‐
CD3075CB8335.txt:
BitLocker Drive EncrypXon Recovery Key The recovery key is used to
recover the data on a BitLocker protected drive.
To verify that this is the correct recovery key compare the
idenXficaXon with what is presented on the recovery screen.
Recovery key idenXficaXon: 783F5FF9-‐18D4-‐4C

Full recovery key idenXficaXon: 783F5FF9-‐18D4-‐4C64-‐AD4A-‐
CD3075CB8335
BitLocker Recovery Key:

528748-‐036938-‐506726-‐199056-‐621005-‐314512-‐037290-‐524293









BitLocker To Go

BitLocker To Go

BitLocker To Go

BitLocker To Go

BitLocker To Go

BitLocker To Go

BitLocker To Go

BitLocker To Go

File Systems
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, ExFAT
Fvevol.sys
Managers
“Disk”

File Systems
Format now wipes while it formats.

hfp://support.microsoi.com/kb/941961

File Systems

File Systems-‐Vista & Windows 7
•  NTFS
–  Symbolic links to files, folders, and UNC paths.
–  Hard links are extensively used
–  Disabled by default: Update Last Access Date
–  Enabled by default: The NTFS Change Journal.
•  TransacXonal NTFS (TxF)—InstallaXons,
patches, and as needed driver installaXons
(IR?).

•  TxF works on top of NTFS—
“TransacXonal NTFS (TxF) allows file operaXons on an
NTFS file system volume to be performed in a
transacXon. TxF transacXons increase applicaXon
reliability by protecXng data integrity across failures and
simplify applicaXon development by greatly reducing the
amount of error handling code.”
hfp://msdn.microsoi.com/en-‐us/library/bb968806(VS.85).aspx
•  Allows a related series of file system changes to be

treated and logged as a “transacXon.”
•  NTFS can then commit if the changes are completed
successfully, or abort and roll back if they are not.


•  New: The Extended FAT file system
“a new file system that is befer adapted to the growing
needs of mobile personal storage. The exFAT file system not
only handles large files, such as those used for media
storage, it enables seamless interoperability between
desktop PCs and devices such as portable media devices so
that files can easily be copied between desktop and
device.”
hfp://msdn.microsoi.com/en-‐us/library/aa914353.aspx

The volume header of an exFAT volume.

OS ArXfacts
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, ExFAT
Fvevol.sys
Managers
“Disk”

OS ArXfacts—Recycle.Bin
•  [Volume]:\$Recycle.Bin
–  $Recycle.Bin is visible in Explorer (view hidden files).
–  Per user store in a subfolder named with account SID
–  No more Info2 files.
–  When a file is deleted—moved to the Recycle Bin—it
generates two files in the Recycle Bin.
–  $I and $R files.
•  $I or $R followed by several random characters, then original
extension. The random characters are the same for each $I/$R
pair.
•  $I file maintains the original name and path, as well as the
deleted date.
•  $R file retains the original file afributes, other than the name
afribute (which is changed to $R******.ext).

Note the deleted

date (in blue).



OS ArXfacts—Folder VirtualizaXon

OS ArXfacts—Folder VirtualizaXon
–  Part of User Access Control—Standard user cannot
write to certain protected folders.
•  C:\Windows
•  C:\Program Files
•  C:\Program Data
–  To allow standard user to funcXon, any writes to
protected folders are “virtualized” and wrifen to
C:\Users\[user]\AppData\Local\VirtualStore

OS ArXfacts—Registry VirtualizaXon

•  Virtualize (HKEY_LOCAL_MACHINE\SOFTWARE)
•  Non-‐administrator writes are redirect to:
HKEY_CURRENT_USER\Soiware\Classes\VirtualStore\MACHINE\SOFTWARE\
•  Keys excluded from virtualizaXon

–  HKEY_LOCAL_MACHINE\Soiware\Classes
–  HKEY_LOCAL_MACHINE \Soiware\Microsoi
\Windows
–  HKEY_LOCAL_MACHINE \Soiware\Microsoi
\Windows NT

•  LocaXon of the registry hive file for the
VirtualStore
–  Is NOT the user’s NTUSER.DAT
–  It is stored in the user’s UsrClass.dat
\Users\[user]\AppData\Local\Microsoi\Windows\UsrClass.dat
•  InvesXgaXon of Vista or Windows 2008
requires the invesXgator to examine at least
two account specific registry hive files for each
user account.
–  NTUSER.DAT
–  UsrClass.dat

OS ArXfacts—TransacXonal Registry
•  Related to TxF—also built on the Kernel
TransacXon Manager
•  See
hfp://msdn.microsoi.com/en-‐us/library/
cc303705.aspx
•  TxR allows applicaXons to perform registry
operaXons in a transacted manner.
–  Typical scenario: soiware installaXon.
–  Files copied to file system and informaXon to the
registry as a single operaXon.
–  In the event of failure, registry modificaXon rolled
back or discarded.


OS ArXfacts—Libraries




OS ArXfacts—Shell

OS ArXfacts—Shell

OS ArXfacts—Shell

OS ArXfacts—Shell

OS ArXfacts—Shell

OS ArXfacts—Shell

OS ArXfacts—Shell

OS ArXfacts—Chkdsk Logs

OS ArXfacts—Superfetch

OS ArXfacts—Superfetch
•  The existence of a prefetch file indicates that
the applicaXon named by the prefetch file was
run.
•  The crea1on date of a prefetch file can indicate

when the named applicaXon was first run.
•  The modifica1on date of a prefetch file can

indicate when the named applicaXon was last
run.

OS ArXfacts—Volume Shadow Copy
•  Volume shadow copies are bit level
differenXal backups of a volume.
–  16 KB blocks.
–  Copy on write.
•  The shadow copy service is enabled by
default on Vista and Windows 7, but not on
Windows 2008 or 2008 R2.
•  Shadow copies reside in the System Volume
Informa8on folder.

•  Shadow copies are the source data for Restore
Points and the Restore Previous Versions
features.
•  Used in can beoperaXons.
•  Shadow copies provide a “snapshot” of a
volume at a parXcular Xme.
•  Shadow copies can show how files have been
altered.
•  Shadow copies can retain data that has later
been deleted, wiped, or encrypted.







vssadmin list shadows /for=[volume]:


•  Mklink /d C:\{test-‐shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
Shadow copies can be exposed through

symbolic links.
Volume Shadows can be mounted directly as network
shares. net share testshadow=\\.\HarddiskVolumeShadowCopy11\

>psexec \\[computername] vssadmin list shadows /for=C:

>psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\
PsExec v1.94 -‐ Execute processes remotely

. . .
testshadow was shared successfully.
net exited on [computername] with error code 0.

>robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername] \testshadow D:
\vssTest
Log File : D:\VSStestcopylog.txt

. . .

\\localhost\C$\Users\troyla\Downloads (Yesterday, July 20, 2009, 12:00 AM)
\\localhost\C$\@GMT-‐2009.07.17-‐08.45.26\

•  C:\Users\Troyla\Desktop\fau-‐1.3.0.2390a\fau\FAU.x64>dd if=
\\.\HarddiskVolumeShad
•  owCopy11 of=E:\shadow11.dd -‐-‐localwrt
•  The VistaFirewall Firewall is acXve with excepXons.
• 
•  Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd
•  Output: E:\shadow11.dd
•  136256155648 bytes
•  129943+1 records in
•  129943+1 records out
•  136256155648 bytes wrifen
• 
•  Succeeded!
• 
•  C:\Users\Troyla\Desktop\fau-‐1.3.0.2390a\fau\FAU.x64>

Images of shadow copies can be opened in
forensics tools and appear as logical volumes.

Deleted data is captured by shadow copies, and is

available for retrieval in shadow copy images.

Every shadow copy data set should approximate the size of the original
volume.
Amount of case data=(number of shadow copies) x (size of the
volume)+(size of the volume).

ApplicaXons—I.E. 8

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -‐private







© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or
other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Windows 7 Foreniscs

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Windows 7 Foreniscs

Hochgeladen von

Copyright:

Verfügbare Formate

Windows

Harlan Carvey Troy Larson

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

File System Driver

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Recovery key idenXﬁcaXon: 783F5FF9-­‐18D4-­‐4C

BitLocker Recovery Key:

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Format now wipes while it formats.

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

• Allows a related series of ﬁle system changes to be

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Note the deleted

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Digital Crimes Consortium 2009

Recovery key idenXﬁcaXon: 783F5FF9-‐18D4-‐4C

•  Allows a related series of ﬁle system changes to be

•  Keys excluded from virtualizaXon

•  The crea1on date of a prefetch ﬁle can indicate

•  The modiﬁca1on date of a prefetch ﬁle can

PsExec v1.94 -‐ Execute processes remotely

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -‐private