Windows “Artifacts”

Comp 199

Admin

● Current Events in information security – See web

● Questions?

Windows

● Why Windows first? – It's still everywhere

● Book says 90% of desktop

● Others: 40% of all user computing

● Ubiquitous in workplace.

● As likely as any other system to have to be examined – It's sitting in front of you

Deleted Data

● As you know – Delete doesn't remove data – Just 'loses' where it is on the disk – Marks it available to overwrite. – Recoverable through ''

● Manually examine bits on sectors of the hard drive – Look for file 'header' data – Impractical on large drives

● Have a tool do this for us – The way it's mostly done today – Tools range from free but obscure to ~$1000 (small-business grade) to thousands (enterprise grade)

Low Power Modes

● Sleep vs Hibernation – Both power conservation modes

● Sleep – Conserve energy while able to get everything back ASAP – Small amount of electricity flowing through RAM

● Volatile/Working memory – nothing really saved

● Hibernation – Shuts down all the power, but saves the state of the computer (open programs, files etc.)

– Writes a file called hiberfil.sys to the drive – recoverable

Windows Registry

● The repository for configuration information – Old days: configuration files (.cfg) – Nearly all user config and preferences are stored in the registry now

● What does that tell us?

● At least: where the user likes to store stuff

● What programs are used/installed.

● Recent searches using IE (not Firefox) – Also includes lists of USB devices and hardware IDs

● Anything connected to the computer recently.

● How does this help?

Print Spooling

● Printing description – Enhanced metadata – SPL (spool file)

Recycle Bin

● Stuff that's sent to the trash can – Lots of users never bother emptying it – Often plenty to look through for such users.

● Bypass the recycle bin with

● Registry – NukeOnDelete – Look for this registry value to see if the user is always deleting

Metadata

● You did a project on this last week – But to review:

● Data about who worked on a file hidden in the file itself. – Often people/corporations want to remove it:

● legitimate

● Before making documents public – Don't want to have people pointing fingers at one employee who typed up the policy/finding etc.

● Lots of tools to scrub/mess with metadata these days.

Thumbnail Cache

● Windows makes small versions of your images – thumbs.db (older versions) – thumbcache.db (newer versions) – Retains thumbnails after originals deleted. – What sorts of stuff can this help with?

Most Recently Used

● You've all seen how Windows tries to help you out – Look at the menu – Folder full of shortcuts – Even if the original is gone

Backup data

● Restore points and shadow copies – Much like macOS Time Machine – Can restore a system to a previous state (restore points) from data stored in shadow copies – http://www.sevenforums.com/tutorials/166102-shadow-copies-delete.html – http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html

FAT filesystem

● If you have a flash/thumb drive – Chances are it has the FAT filesystem

● The filesystem that won't die. – The only fully specified, standards-compliant filesystem that Microsoft supports – So everyone else does too

FAT

● FAT begins at the boot sector – Next sectors form FAT areas 1 & 2 (2 is a backup of 1) – Contains the root folder and its contents – Files are in clusters of sectors. Multi-cluster files have the address of the next cluster as the last part of the current cluster – Final cluster contains the end-of-file char

● 1048575

● Which is what?


● 0xFFFFF
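Following a cluster chain through the FAT, as an added example that is not part of the slides or the book: it decodes a FAT16 or FAT32 table, walks a file's chain until it reaches an end-of-chain entry (0xFFF8 and above on FAT16, 0x0FFFFFF8 and above in the 28 bits FAT32 uses), and stops with an error when the chain runs into a zeroed entry, which is what a deleted file's clusters look like once its directory entry is marked free and the FAT entries are cleared. The tables, the data-area start and the cluster size are constructed sample values.

```python
import struct

# End-of-chain markers: any FAT16 entry >= 0xFFF8, or any FAT32 entry (28 bits used)
# >= 0x0FFFFFF8, means "this is the last cluster of the file". A zero entry means the
# cluster is free, which is what a deleted file's clusters look like in the FAT.
EOC_MIN = {16: 0xFFF8, 32: 0x0FFFFFF8}
FAT32_MASK = 0x0FFFFFFF


def fat_entries(fat_bytes, fat_type):
    """Decode a raw FAT area into a list of cluster entries (FAT16 or FAT32)."""
    if fat_type == 16:
        return list(struct.unpack(f"<{len(fat_bytes) // 2}H", fat_bytes))
    if fat_type == 32:
        raw = struct.unpack(f"<{len(fat_bytes) // 4}I", fat_bytes)
        return [e & FAT32_MASK for e in raw]  # top 4 bits are reserved on FAT32
    raise ValueError("fat_type must be 16 or 32")


def follow_chain(fat_bytes, start_cluster, fat_type):
    """Return the list of clusters a file occupies, starting at its first cluster.

    Raises ValueError when the chain is broken: it runs into a free (zeroed) entry,
    an out-of-range cluster, or loops back on itself.
    """
    entries = fat_entries(fat_bytes, fat_type)
    eoc_min = EOC_MIN[fat_type]
    chain, seen, cur = [], set(), start_cluster
    while True:
        if cur < 2 or cur >= len(entries):
            raise ValueError(f"cluster {cur} out of range")
        if cur in seen:
            raise ValueError(f"loop at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = entries[cur]
        if nxt >= eoc_min:
            return chain
        if nxt == 0:
            raise ValueError(f"cluster {cur} points to a free entry (deleted or corrupt chain)")
        cur = nxt


def cluster_offset(cluster, data_start, cluster_size):
    """Byte offset of a cluster in the image; data clusters are numbered from 2."""
    if cluster < 2:
        raise ValueError("data clusters start at 2")
    return data_start + (cluster - 2) * cluster_size


# Constructed FAT16 table (not from a real volume): entries 0 and 1 are reserved,
# file A occupies clusters 2 -> 3 -> 5, file B occupies 8 -> 9, clusters 4 and 7 are free.
SAMPLE_FAT16 = struct.pack("<10H", 0xFFF8, 0xFFFF, 0x0003, 0x0005, 0x0000,
                           0xFFFF, 0xFFFF, 0x0000, 0x0009, 0xFFFF)

# Constructed FAT32 table with the same layout; one entry has the reserved high nibble set.
SAMPLE_FAT32 = struct.pack("<10I", 0x0FFFFFF8, 0x0FFFFFFF, 0x00000003, 0x00000005, 0,
                           0x0FFFFFFF, 0x0FFFFFFF, 0, 0xF0000009, 0x0FFFFFFF)

if __name__ == "__main__":
    chain = follow_chain(SAMPLE_FAT16, 2, 16)
    print("file A clusters:", chain)
    # Constructed geometry: data area starts at 0x4000, 4 KiB clusters.
    print("byte offsets:", [cluster_offset(c, 0x4000, 4096) for c in chain])
    try:
        follow_chain(SAMPLE_FAT16, 4, 16)
    except ValueError as e:
        print("cluster 4:", e)
```

Walking from cluster 4 fails because its entry is zero: the cluster is free, so the FAT no longer tells us where the rest of the file went, even though the bytes in the cluster itself are still on disk. That is the situation a carver deals with.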

NTFS

● File system on the vast majority of Windows systems. – Reading your book's description gives you an idea why NTFS drives are usually mounted read-only – Most information is in the Master File Table

● MFT

● First 42 bytes are the header structure – The next 982 vary

● Based on the header and MS secret sauce

● But the header is enough to find and read data
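Parsing the 42-byte MFT record header from raw bytes, as an added example (not from the book or the course): it decodes the fixed fields, reports whether the record is in use (a deleted file's record keeps its data but has the in-use flag cleared), undoes the update-sequence fixups that NTFS writes over the last two bytes of every 512-byte sector, and scans an image for FILE records at 1024-byte boundaries. The sample records are constructed; the record-number field at offset 0x2C is assumed from the XP-and-later layout.

```python
import struct

# The 42-byte fixed MFT record header (offsets 0x00-0x29), little-endian.
MFT_HEADER_FMT = "<4sHHQHHHHIIQH"
MFT_HEADER_SIZE = struct.calcsize(MFT_HEADER_FMT)   # 42
RECORD_SIZE = 1024          # usual record size; the remaining 982 bytes hold attributes
SECTOR = 512
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def parse_mft_header(record):
    """Decode the fixed header of one MFT record into a dict."""
    if len(record) < MFT_HEADER_SIZE:
        raise ValueError("record shorter than the 42-byte header")
    (sig, usa_off, usa_count, lsn, seq_no, link_count, first_attr_off, flags,
     used_size, alloc_size, base_ref, next_attr_id) = struct.unpack_from(MFT_HEADER_FMT, record, 0)
    if sig not in (b"FILE", b"BAAD"):        # BAAD = record that chkdsk marked as damaged
        raise ValueError(f"not an MFT record (signature {sig!r})")
    return {
        "signature": sig,
        "usa_offset": usa_off, "usa_count": usa_count,
        "logfile_seq": lsn, "sequence_number": seq_no,
        "hard_links": link_count, "first_attribute_offset": first_attr_off,
        "flags": flags,
        "in_use": bool(flags & FLAG_IN_USE),       # cleared when the file is deleted
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "used_size": used_size, "allocated_size": alloc_size,
        "base_record": base_ref & 0xFFFFFFFFFFFF,  # low 48 bits = record number
        "next_attribute_id": next_attr_id,
        # Record number at 0x2C: XP-and-later layout, assumed for this example's samples.
        "record_number": struct.unpack_from("<I", record, 0x2C)[0] if len(record) >= 0x30 else None,
    }


def apply_fixups(record):
    """Undo the update-sequence fixups so the attribute data can be read.

    NTFS overwrites the last two bytes of every 512-byte sector of a record with the
    update sequence number (USN) to detect torn writes; the original bytes live in the
    update sequence array right after the header. A carving tool must reverse this.
    """
    hdr = parse_mft_header(record)
    buf = bytearray(record)
    usa_off, usa_count = hdr["usa_offset"], hdr["usa_count"]
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):                  # entry 0 is the USN itself
        sector_end = i * SECTOR - 2
        if sector_end + 2 > len(buf):
            break
        if bytes(buf[sector_end:sector_end + 2]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        orig = usa_off + 2 * i
        buf[sector_end:sector_end + 2] = buf[orig:orig + 2]
    return bytes(buf)


def scan_for_records(image):
    """Yield (offset, header) for every FILE record found at 1024-byte boundaries."""
    for off in range(0, len(image) - RECORD_SIZE + 1, RECORD_SIZE):
        if image[off:off + 4] == b"FILE":
            yield off, parse_mft_header(image[off:off + RECORD_SIZE])


def build_sample_record(record_number, in_use=True, directory=False):
    """Constructed 1024-byte record for the example (not from a real volume)."""
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    rec = bytearray(RECORD_SIZE)
    rec[0:MFT_HEADER_SIZE] = struct.pack(MFT_HEADER_FMT, b"FILE", 0x30, 3, 0x1234, 5, 1,
                                         0x38, flags, 0x1A8, RECORD_SIZE, 0, 4)
    struct.pack_into("<I", rec, 0x2C, record_number)
    rec[0x30:0x32] = b"\x07\x00"       # USN
    rec[0x32:0x34] = b"\xAA\xBB"       # real last two bytes of sector 0
    rec[0x34:0x36] = b"\xCC\xDD"       # real last two bytes of sector 1
    rec[510:512] = rec[1022:1024] = b"\x07\x00"  # USN written over both sector ends
    return bytes(rec)


if __name__ == "__main__":
    image = build_sample_record(1, directory=True) + bytes(RECORD_SIZE) + build_sample_record(3, in_use=False)
    for off, hdr in scan_for_records(image):
        state = "in use" if hdr["in_use"] else "deleted (not in use)"
        kind = "directory" if hdr["is_directory"] else "file"
        print(f"record {hdr['record_number']} at 0x{off:x}: {kind}, {state}")
```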

Simple file carving tool

● Your book mentions fatback – Apparently it was once quite good

● The internet says it has been replaced – And if you can't believe everything you see on the internet....

● photorec – Photorec is what we want – Command-line tool – Ignores the file system – Just looks at the disk

Photorec

● Originally written (apparently) to retrieve deleted pictures from phones – Will recover all file types it recognizes from the disk – whether apparently deleted or not – Review of file deletion?
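A minimal signature-based carver in the spirit of photorec, as an added example (not photorec's code and not from the book): it ignores the filesystem entirely, finds headers of known types anywhere in the image, pairs each with the next footer, and reports headers whose footer is missing. The signature table, the "disk image" and the embedded files are constructed for the example; the JPEG in it has no directory entry anywhere, which is exactly the state a deleted file is in for a filesystem-aware tool.

```python
import os

# Header/footer signatures (constructed table; real carvers ship hundreds of entries).
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE_LEN = 10 * 1024 * 1024   # give up on a header with no footer within 10 MiB


def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE_LEN):
    """Find files by header/footer signature anywhere in the image, ignoring the filesystem.

    Returns a list of dicts sorted by offset. Headers with no footer in range are reported
    with length/data None so the analyst can look at them by hand. Limitation shared with
    every simple carver: fragmented files, or a footer byte sequence that happens to occur
    inside another file's data, produce wrong boundaries.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_len)
            if end == -1:
                found.append({"type": kind, "offset": pos, "length": None, "data": None})
                nxt = pos + 1
            else:
                length = end + len(tail) - pos
                found.append({"type": kind, "offset": pos, "length": length,
                              "data": image[pos:pos + length]})
                nxt = pos + length          # resume after this file
            pos = image.find(head, nxt)
    return sorted(found, key=lambda f: f["offset"])


def write_carved(files, out_dir):
    """Write each complete carved file as f<offset>.<type> into out_dir; returns the paths."""
    os.makedirs(out_dir, exist_ok=True)
    names = []
    for f in files:
        if f["data"] is None:
            continue
        name = os.path.join(out_dir, f"f{f['offset']:08x}.{f['type']}")
        with open(name, "wb") as fh:
            fh.write(f["data"])
        names.append(name)
    return names


# Constructed sample data: 1024 bytes of "unallocated" filler that contains none of the
# signatures, a tiny JPEG, a tiny PNG, and a PDF whose tail has been overwritten.
FILLER = bytes(range(256)) * 4
SAMPLE_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xFF\xD9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
              + b"IEND\xAE\x42\x60\x82")
SAMPLE_PDF_HEAD = b"%PDF-1.4\n%\xE2\xE3\xCF\xD3\n"


def build_sample_image():
    """Constructed 'disk image': filler, JPEG (no directory entry), filler, PNG, truncated PDF."""
    return FILLER + SAMPLE_JPEG + FILLER + SAMPLE_PNG + SAMPLE_PDF_HEAD + FILLER


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        state = f"{f['length']} bytes" if f["length"] else "header only, footer missing"
        print(f"{f['type']} at offset {f['offset']}: {state}")
```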

Reading and assignment

● Read chapter 4 to page 84 in the Altheide/Carvey book

● Get photorec and the demo file carving disk image to make sure it works. (see class website on the announcements page)

users – this is the only system not known to work. Test it; if it doesn't work, use a USB drive on a Win7 machine on campus.

Event Logging

● Like all modern operating systems – Windows logs a lot of stuff – See http://windows.microsoft.com/en-us/windows/what-information-event-logs-event-viewer#1TC=windows-7 – Logins, application events, system warnings and errors – Windows NT through Server 2003 used one log file format

● Including what popular version? – to current uses a more complex format

The older version's advantage

● The older version contains a binary header which includes a file size and a number of records – Each event record knows how long it is – After a certain amount of time or number of new records, old ones are deleted – Sometimes there are deleted records that are still recoverable – What does this buy us?
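Reading the older .evt format two ways, as an added example that is not from the course materials: walking from the header's StartOffset to EndOffset returns only the records the log still considers live, while a scan for the LfLe record signature, confirmed by the copy of the length at the end of each record, also recovers a record lying past EndOffset, which is the "deleted but still recoverable" case. The log, the machine name and the XP-era Security event IDs in it are constructed sample data.

```python
import struct
from datetime import datetime, timezone

LFLE = b"LfLe"
# Fixed part of the EVENTLOGRECORD structure (56 bytes), little-endian.
REC_FMT = "<I4sIIIIHHHHIIIIII"
REC_FIXED = struct.calcsize(REC_FMT)           # 56
# 48-byte file header: HeaderSize, "LfLe", MajorVersion, MinorVersion, StartOffset,
# EndOffset, CurrentRecordNumber, OldestRecordNumber, MaxSize, Flags, Retention, EndHeaderSize
HDR_FMT = "<I4sIIIIIIIIII"
HDR_SIZE = struct.calcsize(HDR_FMT)            # 48
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}


def parse_record(rec, offset):
    """Decode one record; SourceName and Computername follow the fixed part as UTF-16LE."""
    f = struct.unpack_from(REC_FMT, rec, 0)
    names = rec[REC_FIXED:f[11]].decode("utf-16-le", errors="replace").split("\0")
    return {
        "offset": offset,
        "record_number": f[2],
        "time_generated": datetime.fromtimestamp(f[3], tz=timezone.utc),   # unix time
        "event_id": f[5] & 0xFFFF,             # low 16 bits of the EventID DWORD
        "event_type": EVENT_TYPES.get(f[6], f"type {f[6]}"),
        "source": names[0] if names else "",
        "computer": names[1] if len(names) > 1 else "",
    }


def live_records(blob):
    """Walk the records the header says are valid (StartOffset .. EndOffset)."""
    hdr = struct.unpack_from(HDR_FMT, blob, 0)
    if hdr[1] != LFLE:
        raise ValueError("not an EVT log: header signature missing")
    start, end = hdr[4], hdr[5]
    out, pos = [], start
    while pos + REC_FIXED <= end:
        length = struct.unpack_from("<I", blob, pos)[0]
        if length < REC_FIXED + 4 or blob[pos + 4:pos + 8] != LFLE:
            break                              # EOF record or garbage
        out.append(parse_record(blob[pos:pos + length], pos))
        pos += length
    return out


def carve_records(blob):
    """Ignore the header: find every well-formed record anywhere in the file, including
    ones the log has already dropped that still sit in the region past EndOffset."""
    out, pos = [], blob.find(LFLE, HDR_SIZE)
    while pos != -1:
        rec_start = pos - 4
        length = struct.unpack_from("<I", blob, rec_start)[0]
        rec_end = rec_start + length
        if (REC_FIXED + 4 <= length <= 0x10000 and rec_end <= len(blob)
                and struct.unpack_from("<I", blob, rec_end - 4)[0] == length):
            out.append(parse_record(blob[rec_start:rec_end], rec_start))
        pos = blob.find(LFLE, pos + 4)
    return out


def build_record(record_number, event_id, unix_time, source, computer, event_type=8):
    """Constructed minimal record (no SID, no insertion strings, no data) for the example."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    body = REC_FIXED + len(names)
    body += (-body) % 4                        # DWORD-align
    length = body + 4                          # plus the trailing copy of Length
    fixed = struct.pack(REC_FMT, length, LFLE, record_number, unix_time, unix_time, event_id,
                        event_type, 0, 0, 0, 0, body, 0, body, 0, body)
    rec = fixed + names
    return rec + b"\0" * (body - len(rec)) + struct.pack("<I", length)


def build_sample_log():
    """Constructed log: header, two live records, then an old record the header no longer covers.
    Event IDs 528/538/592 are the XP-era logon/logoff/process-creation Security events."""
    t0 = 1262304000                            # 2010-01-01T00:00:00Z
    live = (build_record(1, 528, t0, "Security", "WORKSTATION1")
            + build_record(2, 538, t0 + 3600, "Security", "WORKSTATION1"))
    stale = build_record(3, 592, t0 - 86400, "Security", "WORKSTATION1")
    end = HDR_SIZE + len(live)
    header = struct.pack(HDR_FMT, HDR_SIZE, LFLE, 1, 1, HDR_SIZE, end, 3, 1, 0x80000, 0, 0, HDR_SIZE)
    return header + live + stale


if __name__ == "__main__":
    log = build_sample_log()
    print("live:  ", [r["record_number"] for r in live_records(log)])
    print("carved:", [(r["record_number"], r["event_id"], r["time_generated"].isoformat())
                      for r in carve_records(log)])
```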

Windows Prefetch Files

● User versions of Windows from XP to present – Create prefetch files to speed application availability – :\Windows\Prefetch

● Filename, followed by a hex number, followed by the extension .pf

● File is binary

● But we know where some useful information is

The prefetch header

● Useful information in the prefetch header – The time last run (as unix time – 8 bytes) – The number of times run (4 bytes)

● How many times can the program be run before this data is useless? – Also includes file path to recently opened files – In what situations can this help us where the other tools we've looked at can't?
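Reading the last-run time and the run counter out of a prefetch header, as an added example that is not part of the slides or the book: the offsets for the XP/2003 (version 17) and Vista/7 (version 23) layouts come from the public format descriptions and are labelled as assumptions in the code; the 8-byte timestamp is a Windows FILETIME (100 ns ticks since 1601-01-01), which the example converts to a datetime. It also checks that the on-disk name (NAME.EXE-HASH.pf) agrees with the executable name and hash stored in the header, which is one quick test for a renamed or copied file. The sample files are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

SCCA = b"SCCA"
# (last-run FILETIME offset, run-count offset) per header version. Assumed from public
# format descriptions: 17 = XP/2003, 23 = Vista/7. Windows 8 (26) keeps up to eight run
# times and Windows 10 (30) compresses the whole file, so they are not handled here.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_TO_FILETIME_SECONDS = 11644473600


def filetime_to_datetime(ft):
    """FILETIME = 100-nanosecond ticks since 1601-01-01 UTC (an 8-byte value)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data, on_disk_name=None):
    """Decode the fields the slides point at: executable name, hash, last run, run count."""
    version, sig, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if sig != SCCA:
        raise ValueError("no SCCA signature: not a prefetch file")
    if version not in LAYOUT:
        raise ValueError(f"prefetch version {version} not handled here")
    # 60 bytes of UTF-16LE executable name at 0x10, then the 4-byte path hash at 0x4C
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\0", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    t_off, c_off = LAYOUT[version]
    info = {
        "version": version,
        "file_size": file_size,
        "executable": exe_name,
        "hash": f"{path_hash:08X}",
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, t_off)[0]),
        "run_count": struct.unpack_from("<I", data, c_off)[0],  # 4 bytes: wraps after 2**32 - 1
    }
    if on_disk_name is not None:
        # Windows names the file EXENAME-HASH.pf; a different on-disk name means the
        # .pf file was renamed/copied or belongs to a differently named binary.
        expected = f"{exe_name}-{path_hash:08X}.pf"
        info["name_matches_header"] = on_disk_name.upper() == expected.upper()
    return info


def build_sample_prefetch(version, exe_name, path_hash, run_count, unix_time):
    """Constructed prefetch header (only the fields parsed above are meaningful)."""
    data = bytearray(0x100)
    struct.pack_into("<I4sII", data, 0, version, SCCA, 0x11, len(data))
    data[0x10:0x10 + 60] = (exe_name + "\0").encode("utf-16-le").ljust(60, b"\0")[:60]
    struct.pack_into("<I", data, 0x4C, path_hash)
    t_off, c_off = LAYOUT[version]
    filetime = (unix_time + UNIX_TO_FILETIME_SECONDS) * 10_000_000
    struct.pack_into("<Q", data, t_off, filetime)
    struct.pack_into("<I", data, c_off, run_count)
    return bytes(data)


if __name__ == "__main__":
    # Constructed: a Win7 prefetch file for NOTEPAD.EXE, hash 12345678, run 5 times.
    pf = build_sample_prefetch(23, "NOTEPAD.EXE", 0x12345678, 5, 1262304000)
    print(parse_prefetch(pf, "NOTEPAD.EXE-12345678.pf"))
    print(parse_prefetch(pf, "UPDATE.EXE-12345678.pf")["name_matches_header"])
```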

Hiding executables

● If the user is hiding a bad executable – They might ???? –

Hiding executables

● If the user is hiding a bad executable – They might rename it – Concatenate some junk onto it

● To mess with the hash – Anything else?

Executables

● Windows executables follow the “Portable Executable” standard – That standard contains the original filename and version info as strings inside the executable file. – Compare the current name to the original name

● Are they the same? Do nothing special

● Are they different? Look closer
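Extracting OriginalFilename from a PE's version information and comparing it with the name on disk, as an added example that is not from the course: rather than walking the PE resource tree, it finds the UTF-16 "OriginalFilename" key of the VS_VERSIONINFO String entry in the raw bytes and reads the DWORD-aligned value after it, a simplification labelled in the code. A mismatch is the "look closer" case; a missing entry is inconclusive, since version info is optional and whoever built the binary chose its contents. The sample bytes are constructed.

```python
import struct

# UTF-16LE "OriginalFilename" key with its terminating NUL, as it appears in the
# StringFileInfo block of a PE's VS_VERSIONINFO resource.
ORIG_KEY = ("OriginalFilename" + "\0").encode("utf-16-le")
VS_STRING_HDR = "<HHH"      # wLength, wValueLength (UTF-16 code units), wType (1 = text)


def build_version_string(key, value):
    """Constructed VS_VERSIONINFO 'String' entry: header, key, DWORD padding, value."""
    k = (key + "\0").encode("utf-16-le")
    v = (value + "\0").encode("utf-16-le")
    pad = (-(6 + len(k))) % 4
    return struct.pack(VS_STRING_HDR, 6 + len(k) + pad + len(v), len(v) // 2, 1) + k + b"\0" * pad + v


def find_original_filename(pe_bytes):
    """Return the OriginalFilename string, or None if no text entry is present.

    Simplification: locates the key by scanning the file bytes instead of walking the PE
    resource directory to the RT_VERSION resource, and assumes the first hit is the real
    entry. That holds for ordinary binaries; a full parser (e.g. pefile) is more robust.
    """
    pos = pe_bytes.find(ORIG_KEY)
    if pos < 6:
        return None
    start = pos - 6
    w_len, w_value_len, w_type = struct.unpack_from(VS_STRING_HDR, pe_bytes, start)
    if w_type != 1 or w_value_len == 0:
        return None
    key_end = pos + len(ORIG_KEY)
    value_off = key_end + (-(key_end - start)) % 4       # value is DWORD-aligned in the entry
    raw = pe_bytes[value_off:value_off + 2 * w_value_len]
    return raw.decode("utf-16-le", errors="replace").split("\0", 1)[0]


def check_name(on_disk_name, pe_bytes):
    """Compare the on-disk filename with the OriginalFilename in the version info.

    Verdicts: 'match' (nothing special), 'mismatch' (look closer), 'no-version-info'
    (inconclusive: the entry is optional and can simply be absent).
    """
    original = find_original_filename(pe_bytes)
    if original is None:
        return "no-version-info", None
    same = on_disk_name.lower() == original.lower()
    return ("match" if same else "mismatch"), original


# Constructed stand-in for a PE image: filler containing no version strings, a couple of
# version-info entries from a program whose original name was notepad.exe, more filler.
FILLER = bytes(range(256)) * 2
SAMPLE_PE = (FILLER + build_version_string("CompanyName", "Example Corp")
             + build_version_string("OriginalFilename", "notepad.exe") + FILLER)

if __name__ == "__main__":
    for name in ("notepad.exe", "svchost.exe"):
        print(name, "->", check_name(name, SAMPLE_PE))
    print("stripped binary ->", check_name("tool.exe", FILLER))
```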

Assignment

● Reading: finish chapter 4

● Project: let's look