Thesis Final Submitted
Total Page:16
File Type:pdf, Size:1020Kb
TRACING FORENSIC ARTEFACTS FROM USB-BOUND COMPUTING ENVIRONMENTS ON WINDOWS HOSTS. JAN COLLIE A submission presented in partial fulfilment of the requirements of the University of South Wales/Prifysgol De Cymru for the degree of Doctor of Philosophy NOVEMBER 2015 1 ABSTRACT This thesis proposes that it is possible to extract and analyse artefacts of potential evidential interest from host systems where miniature computing environments have been run from USB connectable devices. The research focuses on Windows systems and includes a comparison of the results obtained following traditional ‘static’ forensic data collection after conducting a range of user initiated activities. Four software products were evaluated during this research cycle, all of which could be used as anti- forensic tools - associated advertising claims that use of the software will either leave ‘no trace’ of user activity or no ‘personal data’ on a host system. It is shown that the USB-bound environments reviewed create numerous artefacts in both live and unallocated space on Windows hosts which will remain available to the digital forensic examiner after system halt. These include multiple references to identified software and related processes as well as user activity in Registry keys and elsewhere. Artefacts related to program use and data movements will also be retained in live memory (RAM) and it is recommended that this is captured and analysed. Where this is not possible, relevant information originally held in RAM may be written to disk on system shut down and hibernation, opening further opportunities to the analyst. This study builds on existing knowledge within digital forensic science and expands it in three ways. Firstly, it presents and explains a previously overlooked artefact which aids investigations involving the unauthorized use of both connected and connectable devices on Windows hosts. Secondly, it explores how portable virtualisation software interacts with host systems - a relatively unchartered field of enquiry. Finally, it informs research into antiforensics by showing that, despite its ability to cover and wipe its tracks, portable virtualisation software does leave traces of user-related activity on host systems which can greatly assist a digital forensic enquiry. By means of the methodology set out in this thesis, it is possible to uncover these traces in RAM dumps and by conducting a targeted analysis of static hard drives. 2 Table of Contents CHAPTER 1. ............................................................................................................................. 7 INTRODUCTION ............................................................................................................................... 7 1.1 Overview .................................................................................................................................................. 7 1.2 The problem area .................................................................................................................................. 8 1.3. Scope of Study .................................................................................................................................... 10 1.4 Aims, Objectives and Hypothesis ................................................................................................ 13 1.5 Methodology overview .................................................................................................................... 14 1.6 OriGinal contribution to knowledge .......................................................................................... 15 1.7 Structure of the Thesis ..................................................................................................................... 15 1.8 Chapter Summary .............................................................................................................................. 17 CHAPTER 2 ............................................................................................................................ 19 BACKGROUND ............................................................................................................................... 19 Table 1: Table of topic areas anD relevancies to the research proGram ................... 19 2.1 Virtualisation and Virtual Machines (VMs) ............................................................................ 20 FiGure 1: Virtualisation conceptualizeD ............................................................................... 20 2.2 Virtualisation TechnoloGies for USBs ........................................................................................ 22 2.3 Windows Memory Handling ......................................................................................................... 26 2.4 Windows artefacts ............................................................................................................................. 28 2.5 Current Best Practice Guides for forensic practitioners ................................................... 29 2.6. Chapter Summary ............................................................................................................................. 32 CHAPTER 3. ........................................................................................................................... 33 EXPERIMENTS ............................................................................................................................... 33 3.1 Restatement of Hypothesis and aims ........................................................................................ 33 3.2 Research methodology .................................................................................................................... 33 FiGure 2: Research Methodology Graphic ............................................................................ 35 FiGure 3: Test Disk preparation .............................................................................................. 37 FiGure 4: Test operating systems ........................................................................................... 38 FiGure 5: Test vPC applications and Windows compatibility ....................................... 39 FiGure 6: Taxonomy of artefacts for analysis ..................................................................... 43 FiGure 7: IDentification system for test vPCs & Windows OSs During experimentation .......................................................................................................................... 45 3.3 Experimentation ................................................................................................................................. 45 FiGure 8: Experiment A1 ........................................................................................................... 46 FiGure 9: Experiment A2 ........................................................................................................... 46 FiGure 10: Experiment A3 ......................................................................................................... 47 3.4 Results overview ................................................................................................................................ 47 3.5 Chapter summary .............................................................................................................................. 49 CHAPTER 4. ........................................................................................................................... 51 THE ICONCACHE DATABASE .................................................................................................... 51 4.1 Background .......................................................................................................................................... 51 3 4.2 Synopsis of findings .......................................................................................................................... 53 4.3 Research Method ................................................................................................................................ 55 Table 2. Forensic tools useD DurinG experimentation ................................................... 56 4.4 Experimentation ............................................................................................................................... 56 Table 3. Details of experiments DeviseD ............................................................................. 57 4.5 Icon caching mechanisms in Windows ..................................................................................... 59 FiGure 11: Icons storeD in Shell32.Dll .................................................................................. 60 FiGure 12: Shell32.Dll and storeD icon properties ............................................................ 60 Table 4 : Numbers of icons in the IconCache.db on first creation by version of WinDows OS ................................................................................................................................... 61 Table 5: Basic file siGnature for IconCache.Db in WinDows XP, Vista anD 7 ............ 62 Table 6: Sample Differences in IconCache.Db file siGnature in WinDows XP, Vista anD 7 ................................................................................................................................................. 62 4.6 Experimental results .......................................................................................................................