Windows 7: Current Events in the World of Windows Forensics
Troy Larson, Senior Forensic Program Manager, Network Security, Microsoft Corp.
Microsoft Network Security

Where Are We Now?
• Vista & Windows 2008
  – BitLocker.
  – Format wipes the volume.
  – EXFAT.
  – Event Logging—format, system, scheme.
  – Virtual Folders & Registry.
  – Volume Shadow Copy.
  – Links, Hard and Symbolic.
  – Change Journal.
  – Recycle Bin.
  – Superfetch.
Where Are We Now?
• Windows 7 & Windows 2008 R2
  – Updated BitLocker.
  – BitLocker To Go.
  – VHDs—boot from, mount as “Disks.”
  – XP Mode.
  – Flash Media Enhancements.
  – Libraries, Sticky Notes, Jump Lists.
  – Service and Driver triggers.
  – I.E. 8, InPrivate Browsing, Tab and Session Recovery.
  – Even more Volume Shadow Copy.
Digital Forensics Subject Matter Expertise “Stack” (thanks to Eoghan Casey)
  Applications—e.g., I.E., etc.
  OS Artifacts
  File Systems: NTFS, FAT32, EXFAT
  Fvevol.sys
  Mount, Partition & Volume Managers
  “Disk”
Windows 7 “Disk”
Note the disk signature, 2E140032, at MBR offset 0x1B8 to 0x1BB.
Windows 7 “Disk”
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
Diskpart > automount scrub
Vista “Disk”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000
Partitions and Volumes
(Expertise stack diagram repeated.)
Virtual Hard Drives
• Create
• Attach
• Detach
• Delete
BitLocker: Windows 7
During installation, Windows 7 creates a “System Reserved” volume, which enables BitLocker to be set up.
In Vista, the System volume was generally 1.5 GB or more.
BitLocker: Vista
• Physical-level view of the header of the boot sector of a Vista BitLocker-protected volume:
  – 0xEB 52 90 2D 46 56 45 2D 46 53 2D
  – ëR-FVE-FS-

BitLocker: Windows 7
• Physical-level view of the header of the boot sector of a Windows 7 BitLocker-protected volume:
  – 0xEB 58 90 2D 46 56 45 2D 46 53 2D
  – ëX-FVE-FS-
BitLocker: Windows 7
• Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2.
• Forensics tools may not recognize the new BitLocker volume header.
• Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.
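The header bytes above are enough to triage a raw image before a tool that does not know the Windows 7 header gets confused by it. The following is an added example (not code from the presentation): it classifies a boot sector by the “-FVE-FS-” OEM ID and the jump bytes shown on the slides, and reads the MBR disk signature from offset 0x1B8 as a little-endian DWORD, formatted the way the registry keys above show it. All sector contents are constructed samples.

```python
import struct

# OEM ID of a BitLocker-protected volume, bytes 3..10 of the boot sector.
BITLOCKER_OEM_ID = b"-FVE-FS-"
# First three bytes (x86 jump) differ between the two BitLocker generations.
JUMP_SIGNATURES = {
    b"\xEB\x52\x90": "Vista / Windows Server 2008",
    b"\xEB\x58\x90": "Windows 7 / Windows Server 2008 R2",
}

def classify_boot_sector(sector: bytes):
    """Return (is_bitlocker, generation) for a 512-byte boot sector."""
    if len(sector) < 11:
        raise ValueError("boot sector too short")
    if sector[3:11] != BITLOCKER_OEM_ID:
        return False, None
    return True, JUMP_SIGNATURES.get(bytes(sector[0:3]), "unknown BitLocker header")

def mbr_disk_signature(mbr: bytes) -> str:
    """Read the 32-bit little-endian NT disk signature at MBR offset 0x1B8-0x1BB
    and format it as Windows displays it (e.g. 2E140032)."""
    if len(mbr) < 0x1BC:
        raise ValueError("MBR too short")
    (sig,) = struct.unpack_from("<I", mbr, 0x1B8)
    return f"{sig:08X}"

def make_sector(jump: bytes) -> bytes:
    # Constructed sample: only the header bytes matter for this check.
    return jump + BITLOCKER_OEM_ID + b"\x00" * (512 - len(jump) - len(BITLOCKER_OEM_ID))

VISTA_SECTOR = make_sector(b"\xEB\x52\x90")
WIN7_SECTOR = make_sector(b"\xEB\x58\x90")
NTFS_SECTOR = b"\xEB\x52\x90NTFS    " + b"\x00" * 501   # plain NTFS, for contrast

# Constructed MBR carrying the deck's disk signature 2E140032 (stored little-endian).
SAMPLE_MBR = bytearray(512)
struct.pack_into("<I", SAMPLE_MBR, 0x1B8, 0x2E140032)
SAMPLE_MBR[510:512] = b"\x55\xAA"

if __name__ == "__main__":
    for name, sec in [("vista", VISTA_SECTOR), ("win7", WIN7_SECTOR), ("ntfs", NTFS_SECTOR)]:
        print(name, classify_boot_sector(sec))
    print("disk signature:", mbr_disk_signature(bytes(SAMPLE_MBR)))
```

On a real image, feed the first 512 bytes of the volume to classify_boot_sector and the first 512 bytes of the disk to mbr_disk_signature.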
BitLocker Review or Imaging
• FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption.
• Once booted, Windows (and the user) sees no difference in experience.
• The encryption / decryption happens below the file system.
Driver stack:
  Application (User Mode)
  ---- Kernel Mode ----
  File System Driver
  Fvevol.sys
  Volume Manager
BitLocker Review or Imaging
The “More/Less information” button will provide the BitLocker volume recovery key identification.
BitLocker Review or Imaging
• BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4A-CD3075CB8335.txt:

  BitLocker Drive Encryption Recovery Key
  The recovery key is used to recover the data on a BitLocker protected drive.
  To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen.
  Recovery key identification: 783F5FF9-18D4-4C
  Full recovery key identification: 783F5FF9-18D4-4C64-AD4A-CD3075CB8335
  BitLocker Recovery Key:
  528748-036938-506726-199056-621005-314512-037290-524293
BitLocker Review or Imaging
Enter the recovery key exactly.
Viewed or imaged as part of a physical disk, BitLocker volumes appear encrypted.
To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume.
File Systems
(Expertise stack diagram repeated.)
File Systems
Since Vista SP1, Format wipes the volume while it formats. http://support.microsoft.com/kb/941961
Diskpart.exe > clean all
File Systems—Vista & Windows 7
• NTFS
  – Symbolic links to files, folders, and UNC paths.
    • Beware the “Application Data” recursion loop.
    • Cf. link files.
  – Hard links are extensively used (\Winsxs).
  – Disabled by default: Update Last Access Date.
  – Enabled by default: the NTFS Change Journal ($USN:$J).
  – Transactional NTFS ($Tops:$T).
File Systems—Vista & Windows 7
The volume header of an EXFAT volume.
Do your forensics tools read EXFAT?
OS Artifacts
(Expertise stack diagram repeated.)
OS Artifacts—Recycle.Bin
• [Volume]:\$Recycle.Bin
  – $Recycle.Bin is visible in Explorer (view hidden files).
  – Per-user store in a subfolder named with the account SID.
  – No more Info2 files.
  – When a file is deleted (moved to the Recycle Bin) it generates two files in the Recycle Bin: $I and $R files.
    • $I or $R followed by several random characters, then the original extension. The random characters are the same for each $I/$R pair.
    • The $I file maintains the original name and path, as well as the deleted date.
    • The $R file retains the original file data stream and other attributes. The name attribute is changed to $R******.ext.
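The $I file is small and fixed-layout, so its metadata can be pulled out without a GUI tool. This is an added example, not code from the presentation: it parses the Vista/Windows 7 $I layout (8-byte header with version 1, 8-byte original size, 8-byte FILETIME deletion time, then the original path as 520 bytes of UTF-16LE) and names the matching $R file. The sample $I is constructed in the block, including the path and timestamp.

```python
import struct
from datetime import datetime, timedelta, timezone

# Vista / Windows 7 $I layout (header version 1), 544 bytes:
#   0x00  8 bytes  header / version (0x01)
#   0x08  8 bytes  original file size (little-endian)
#   0x10  8 bytes  deletion time as a Windows FILETIME
#   0x18  520 bytes original path, UTF-16LE, NUL-padded (260 characters)
I_FILE_SIZE = 544
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_i_file(data: bytes) -> dict:
    """Return the metadata a $I file keeps about its $R companion."""
    if len(data) < I_FILE_SIZE:
        raise ValueError(f"$I file too short: {len(data)} bytes")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError(f"unexpected $I header version {version}")
    raw_path = data[0x18:0x18 + 520]
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}

def pair_name(i_name: str) -> str:
    """$I and $R share the random suffix and extension: $IABC123.docx -> $RABC123.docx."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]

def build_i_file(size: int, deleted_at: datetime, path: str) -> bytes:
    """Constructed sample $I (not from a real system) for exercising the parser."""
    ft = ((deleted_at - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    encoded = path.encode("utf-16-le")
    return struct.pack("<QQQ", 1, size, ft) + encoded.ljust(520, b"\x00")

# Constructed values: hypothetical path and deletion time.
SAMPLE_DELETED = datetime(2009, 7, 20, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_I = build_i_file(40960, SAMPLE_DELETED, r"C:\Users\troyla\Documents\notes.docx")

if __name__ == "__main__":
    print(parse_i_file(SAMPLE_I))
    print(pair_name("$IX7K2QP.docx"))
```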
OS Artifacts—Recycle.Bin
Note the deleted date (in blue).
OS Artifacts—Folder Virtualization
– Part of User Account Control: a standard user cannot write to certain protected folders.
  • C:\Windows
  • C:\Program Files
  • C:\Program Data
– To allow a standard user to function, any writes to protected folders are “virtualized” and written to C:\Users\[user]\AppData\Local\VirtualStore
OS Artifacts—Registry Virtualization
• Virtualized: HKEY_LOCAL_MACHINE\SOFTWARE
• Non-administrator writes are redirected to: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\
• Keys excluded from virtualization
  – HKEY_LOCAL_MACHINE\Software\Classes
  – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
  – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
• Location of the registry hive file for the VirtualStore
  – It is NOT the user’s NTUSER.DAT.
  – It is stored in the user’s UsrClass.dat: \Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat
• Investigation of Vista through Windows 2008 R2 requires the investigator to examine at least two account-specific registry hive files for each user account.
  – NTUSER.DAT
  – UsrClass.dat
OS Artifacts—Libraries
Libraries are stored under \Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries.
Libraries are XML files.
OS Artifacts—Shell
The “Recent” folder contains link files and two subfolders at \Users\[Account]\AppData\Roaming\Microsoft\Windows\Recent.
“AutomaticDestinations” files are in the Structured Storage file format.
OS Artifacts—Chkdsk Logs
\System Volume Information\Chkdsk

OS Artifacts—Superfetch
\Windows\Prefetch
OS Artifacts—Volume Shadow Copy
• Volume shadow copies are bit-level differential backups of a volume.
  – 16 KB blocks.
  – Copy on write.
  – Volume Shadow Copy “files” are “difference” files.
• The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2.
• “Difference files” reside in the System Volume Information folder.
• Shadow copies are the source data for Restore Points and the Restore Previous Versions features.
• Used in backup operations.
• Shadow copies provide a “snapshot” of a volume at a particular time.
• Shadow copies can show how files have been altered.
• Shadow copies can retain data that has later been deleted, wiped, or encrypted.
Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.
The Volume Shadow Copy difference files are maintained in “\System Volume Information” along with other VSS data files, including a new registry hive:
\System Volume Information\Syscache.hve
vssadmin list shadows /for=[volume]:
Shadow copies can be exposed through symbolic links.
mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
Volume shadows can be mounted directly as network shares.
net share testshadow=\\.\HarddiskVolumeShadowCopy11\
Remote collection with PsExec, net share and robocopy:
>psexec \\[computername] vssadmin list shadows /for=C:
>psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\
PsExec v1.94 - Execute processes remotely
. . .
testshadow was shared successfully.
net exited on [computername] with error code 0.
>robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername]\testshadow D:\vssTest
Log File : D:\VSStestcopylog.txt
. . .
• Other ways to call shadow copies:
  – \\localhost\C$\Users\troyla\Downloads (Yesterday, July 20, 2009, 12:00 AM)
  – \\localhost\C$\@GMT-2009.07.17-08.45.26\
  – ?
Shadow copies can be imaged.
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>dd if=\\.\HarddiskVolumeShadowCopy11 of=E:\shadow11.dd -localwrt
The VistaFirewall Firewall is active with exceptions.
Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd
Output: E:\shadow11.dd 136256155648 bytes
129943+1 records in
129943+1 records out
136256155648 bytes written
Succeeded!
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>
Images of shadow copies can be opened in forensics tools and appear as logical volumes.
Data that has been deleted can be captured by shadow copies and be available for retrieval in shadow copy images.
Every shadow copy data set should approximate the size of the original volume.
Amount of case data = (number of shadow copies) × (size of the volume) + (size of the volume).
10 shadow copies = 692 GB
Applications—I.E. 8
(Expertise stack diagram repeated.)
InPrivate browsing is started with:
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -private
Cache data appears to be written, then deleted.
Residual cache files from InPrivate browsing.
Tab and session recovery—a new source for historical browsing information.
\Users\[Account]\AppData\Local\Microsoft\Internet Explorer\Recovery
Recovery file: note the Structured Storage file format.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.