Windows “Artifacts”
Comp 199
Admin
● Current Events in information security – See web
● Questions?
Windows
● Why Windows first? – It's still everywhere
● Book says 90% of desktop
● Others: 40% of all user computing
● Ubiquitous in workplace.
● As likely as any other system to have to be examined – It's sitting in front of you
Deleted Data
● As you know – Delete doesn't remove data – Just 'loses' where it is on the disk – Marks it available to overwrite. – Recoverable through 'file carving'
● Manually examine bits on sectors of hard drive – Look for file 'header' data – Impractical in large drives
● Have a tool do this for us – The way mostly done today – Tools range from free but obscure to ~$1000 (small business grade) to thousands (enterprise grade)
Low Power Modes
● Sleep vs Hibernation – Both power conservation modes
● Sleep – Conserve energy while able to get everything back ASAP – Small amount of electricity flowing through RAM
● Volatile/Working memory – nothing really saved
● Hibernation – Shuts down all the power, but saves state of computer (open programs, files etc)
– Writes a file called hiberfil.sys on the drive – recoverable
Windows Registry
● The repository for configuration information – Old days: configuration files (.cfg) – Nearly all user config and preferences stored in registry now
● What does that tell us?
● At least: where the user likes to store stuff
● What programs are used/installed.
● Recent searches using IE (not firefox) – Also includes lists of usb devices and hardware ids
● Anything connected to the computer recently.
● How does this help?
Print Spooling
● Printing description – Enhanced metadata – Spl (spool file)
Recycle Bin
● Stuff that's sent to the trash can – Lots of users never bother emptying it – Often plenty to look through for such users.
● Bypass the recycle bin with
● Registry – NukeOnDelete – Look for this reg key to see if user is always deleting.
Metadata
● You did a project on this last week – But to review:
● Data about who worked on a file hidden in the file itself. – Often people/corporations want to remove it:
● legitimate
● Before making documents public – Don't want to have people pointing fingers at one employee who typed up the policy/finding etc.
● Lots of tools to scrub/mess with metadata these days.
Thumbnail Cache
● Windows makes small versions of your images – thumbs.db (older versions) – thumbcache.db (newer versions) – Retains thumbnails after originals deleted. – What sorts of stuff can this help with?
Most Recently Used
● You've all seen how Windows tries to help you out – Look at menu – Folder full of shortcuts – Even if original is gone
Backup data
● Restore points and shadow copies – Much like Mac OS Time Machine – Can restore a system to a previous state (restore points) from data stored in shadow copies – http://www.sevenforums.com/tutorials/166102-shadow-copies-delete.html – http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html
FAT filesystem
● If you have a flash/thumb drive – Chances are it has the FAT filesystem
● The filesystem that won't die. – The only fully specified, standards-compliant file system that Microsoft supports – So everyone else does too
FAT
● FAT begins at boot sector – Next sectors form FAT areas 1&2 (2 is a backup of 1) – Contains the root folder and its contents – Files are in clusters of sectors. Multi-cluster files have the address of the next cluster as last part of current cluster – Final cluster contains end of file char
● 1048575
● Which is what? 0xFFFFF
NTFS
● File system on the vast majority of Windows systems. – Reading your book's description gives you an idea why NTFS drives are usually mounted read-only – Most information in the Master File Table
● MFT
● First 42 bytes are the header structure – The next 982 vary
● Based on header and MS secret sauce
● But header enough to find and read data
Simple file carving tool
● Your book mentions fatback – Apparently was once quite good
● The internet says it has been replaced – And if you can't believe everything you see on the internet....
● Testdisk/photorec – Photorec is what we want – Command line tool
– Ignores file system – Just looks at disk.
Photorec
● Originally written (apparently) to retrieve deleted pictures from phones – Will recover all file types it recognizes from disk – whether apparently deleted or not – Review of file deletion?
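The header/footer scan that the Deleted Data slide describes and that photorec automates, as an added Python example (not photorec's code and not from the slides): it scans a constructed byte string standing in for a raw disk image for JPEG start and end markers, ignoring any file system, so a picture whose directory entry is gone is still found.

```python
# Constructed sample "disk image": a JPEG-shaped blob is followed by a second
# one whose directory entry is gone (deleted) but whose bytes are still there.
# The carver ignores any file system and only scans for header/footer markers.
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker prefix
JPEG_EOI = b"\xff\xd9"       # end-of-image marker

def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return a list of (offset, bytes) for every header/footer pair found."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1          # header with no plausible footer: skip it
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found

def build_sample_image() -> bytes:
    """Constructed test data, not a real photo or a real disk."""
    pic1 = JPEG_SOI + b"\xe0" + b"A" * 40 + JPEG_EOI
    pic2 = JPEG_SOI + b"\xe1" + b"B" * 64 + JPEG_EOI
    filler = b"\x00" * 512
    return filler + pic1 + filler + b"text sector" + filler + pic2 + filler

if __name__ == "__main__":
    for offset, blob in carve_jpegs(build_sample_image()):
        print(f"JPEG at byte {offset}, {len(blob)} bytes")
```

Real carvers add per-format validation (and typically only look for headers at sector boundaries) so that stray marker bytes in unrelated data do not produce false hits.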
Reading and assignment
● Read chapter 4 to page 84 in the Altheide/Carvey book
● Get photorec and the demo file carving disk image to make sure it works. (see class website on the announcements page)
● Windows 8 users – this is the only system not known to work. Test it; if it doesn't work, use a USB drive on a Win7 machine on campus.
Event Logging
● Like all modern operating systems – Windows logs a lot of stuff – See http://windows.microsoft.com/en-us/windows/what-information-event-logs-event-viewer#1TC=windows-7 – Logins, application events, system warnings and errors – Windows NT through Server 2003 used one log file format
● Including what popular version? – Windows Vista to current uses a more complex format
The older version's advantage
● The older version contains a binary header which includes a file size and a number of records – Each event record knows how long it is. – After a certain amount of time or number of new records, old ones are deleted – Sometimes there are deleted records that are still recoverable – What does this buy us?
Windows Prefetch Files
● User versions of Windows from XP to present – Create prefetch files to speed application availability – C:\Windows\Prefetch
● Filename followed by a hex number followed by the extension .pf
● File is binary
● But we know where some useful information is
The prefetch header
● Useful information in the prefetch header – The time last run (as unix time – 8 bytes) – The number of times run (4 bytes)
● How many times can the program be run before this data is useless? – Also includes file path to recently opened files – In what situations can this help us where the other tools we've looked at can't?
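An added Python example (not from the slides or the book) that reads the fields named above out of a .pf header; the offsets are the documented ones for prefetch format versions 17 (XP), 23 (Vista/7) and 26 (8.1), and the sample file is constructed inside the code. The last-run field is stored as a 64-bit Windows FILETIME, which the code converts to a UTC timestamp.

```python
import struct
from datetime import datetime, timedelta, timezone

# (last-run time offset, run-count offset) from the start of the .pf file, by
# format version: 17 = XP/2003, 23 = Vista/7, 26 = Windows 8.1. Windows 10
# files (version 30) are also MAM-compressed and are not handled here.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}

def filetime_to_datetime(ft: int) -> datetime:
    """The header stores a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data: bytes) -> dict:
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature (compressed or not a prefetch file)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    file_size = struct.unpack_from("<I", data, 12)[0]
    # executable name: UTF-16LE, NUL terminated, in a 60-byte field at offset 16
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]   # the hex part of the .pf name
    time_off, count_off = LAYOUT[version]
    last_run_ft = struct.unpack_from("<Q", data, time_off)[0]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {"version": version, "size": file_size, "exe": exe_name,
            "hash": f"{path_hash:08X}", "last_run": filetime_to_datetime(last_run_ft),
            "run_count": run_count}

# 2013-01-15 12:00:00 UTC expressed as a FILETIME (constructed sample value)
SAMPLE_FILETIME = 130027248000000000

def build_sample_pf(version: int = 23, run_count: int = 5) -> bytes:
    """Constructed header-only prefetch file for testing; not a real capture."""
    buf = bytearray(0x100)                 # header plus file-information block
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))
    name = "CALC.EXE".encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0x77FDF17F)   # made-up path hash
    time_off, count_off = LAYOUT[version]
    struct.pack_into("<Q", buf, time_off, SAMPLE_FILETIME)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)

if __name__ == "__main__":
    info = parse_prefetch(build_sample_pf())
    print(f"{info['exe']}-{info['hash']}.pf: run {info['run_count']} times, "
          f"last at {info['last_run']:%Y-%m-%d %H:%M:%S} UTC")
```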
Hiding executables
● If the user is hiding a bad executable – They might rename it – Concatenate on some junk
● To mess with the hash – Anything else?
Executables
● Windows executables follow the “Portable Executable” standard – That standard contains the original filename and version info as strings inside the executable file. – Compare current name to original name
● Are they the same? Do nothing special
● Are they different? Look closer
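An added Python example, not from the slides, that applies the same "look closer" idea with the PE headers rather than the version-resource strings: it flags a PE image stored under a non-executable name (the rename trick) and measures any bytes appended after the last section (the concatenated junk), hashing only the mapped part so that appended junk does not change the hash. The sample PE, file names and function names are constructed for this example.

```python
import hashlib
import struct

EXE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}

def pe_info(data: bytes) -> dict:
    """Parse the DOS, COFF and section headers to find where the image really ends."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size
    end_of_image = sec_table + nsec * 40
    if end_of_image > len(data):
        return {"is_pe": False}          # truncated section table
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    return {"is_pe": True, "sections": nsec,
            "overlay_bytes": len(data) - end_of_image,
            # hash of the mapped part only: unchanged by junk appended at the end
            "core_sha256": hashlib.sha256(data[:end_of_image]).hexdigest()}

def assess(filename: str, data: bytes) -> list:
    """Findings that justify a closer look at this file."""
    info = pe_info(data)
    if not info["is_pe"]:
        return []
    findings = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXE_EXTENSIONS:
        findings.append(f"PE image stored under non-executable name {filename!r}")
    if info["overlay_bytes"] > 0:
        findings.append(f"{info['overlay_bytes']} bytes appended after the last section")
    return findings

def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 skeleton (headers plus one section); not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature
    opt = bytes(224)                                  # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    raw_ptr, raw_size = 0x200, 0x200
    sec = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + bytes(16)
    hdr = bytes(dos) + b"PE\0\0" + coff + opt + sec
    return hdr + bytes(raw_ptr - len(hdr)) + b"\x90" * raw_size + overlay
```

Some legitimate installers and signed binaries carry an overlay on purpose, so a non-zero overlay is a reason to look closer, not proof of tampering.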
Assignment
● Reading: finish chapter 4
● Project: let's look