
Windows “Artifacts”
Comp 199

Admin
● Current events in information security – see web
● Questions?

Windows
● Why Windows first?
– It's still everywhere
● Book says 90% of desktops
● Others: 40% of all user computing
● Ubiquitous in the workplace
● As likely as any other system to have to be examined
– It's sitting in front of you

Deleted Data
● As you know
– Delete doesn't remove data
– It just 'loses' where the data is on the disk (the directory entry goes away)
– Marks the space as available to be overwritten
– Recoverable through 'file carving'
● Manually examine bits on sectors of the hard drive
– Look for file 'header' data (the magic bytes at the start of a file type)
– Impractical on large drives
● Have a tool do this for us
– The way it is mostly done today
– Tools range from free but obscure, to ~$1000 (small-business grade), to thousands (enterprise grade)

Low Power Modes
● Sleep vs. Hibernation
– Both are power-conservation modes
● Sleep
– Conserves energy while being able to get everything back ASAP
– A small amount of electricity keeps flowing through RAM
● Volatile/working memory: nothing is really saved to disk
● Hibernation
– Shuts down all the power, but saves the state of the computer (open programs, files, etc.)
– Writes the contents of RAM to a file called hiberfil.sys in the root of the system drive; recoverable (whatever was in memory: open documents, credentials, keys)

Windows Registry
● The repository for configuration information
– Old days: configuration files (.cfg/.ini)
– Nearly all user config and preferences are stored in the registry now
● What does that tell us?
● At least: where the user likes to store stuff
● What programs are used/installed
● Recent searches using IE (not Firefox, which keeps its own profile files outside the registry)
– Also includes lists of USB devices and hardware IDs
● Anything connected to the computer recently
● How does this help?
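The header-signature carving described in the Deleted Data slide (and done for real by photorec, discussed later in these slides) can be shown on a small scale. This is an added example written for these notes, not photorec's code or anything from the book: it scans a raw image sector by sector for well-known magic bytes and writes out each hit up to the next header or a size cap. The disk image, the 64 KiB cap and the output naming are constructed for the example; real tools also use footers and per-format size rules.

```python
"""Minimal header-signature file carver (added example, not photorec's code)."""
import os

SECTOR = 512

# Well-known file-header magic bytes -> extension to give the carved file.
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"MZ": "exe",   # PE/DOS stub; very noisy on a real Windows image
}
MAX_CARVE = 64 * 1024  # per-file upper bound (assumption for this example)


def find_headers(image: bytes):
    """Yield (offset, ext) for every sector that begins with a known magic value."""
    for off in range(0, len(image), SECTOR):
        sector = image[off:off + SECTOR]
        for magic, ext in SIGNATURES.items():
            if sector.startswith(magic):
                yield off, ext
                break


def carve(image: bytes):
    """Return [(offset, ext, data)]; each file runs to the next header or MAX_CARVE.

    No filesystem metadata is consulted, which is why a file whose directory
    entry was deleted is still found as long as its sectors are not overwritten.
    """
    hits = list(find_headers(image))
    out = []
    for i, (off, ext) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        end = min(end, off + MAX_CARVE)
        out.append((off, ext, image[off:end]))
    return out


def build_demo_image() -> bytes:
    """Constructed 8 KiB image: a JPEG-like blob at sector 2 and a 'deleted' PDF at sector 5."""
    img = bytearray(SECTOR * 16)
    jpg = b"\xFF\xD8\xFF\xE0" + b"J" * 300 + b"\xFF\xD9"
    pdf = b"%PDF-1.4\n%fake pdf body\n" + b"P" * 1500 + b"%%EOF\n"
    img[SECTOR * 2:SECTOR * 2 + len(jpg)] = jpg
    img[SECTOR * 5:SECTOR * 5 + len(pdf)] = pdf
    return bytes(img)


def carve_to_dir(image: bytes, outdir: str):
    """Write each carved file as f<offset>.<ext>, the usual carver naming convention."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for off, ext, data in carve(image):
        name = os.path.join(outdir, f"f{off:08x}.{ext}")
        with open(name, "wb") as fh:
            fh.write(data)
        names.append(name)
    return names


if __name__ == "__main__":
    for off, ext, data in carve(build_demo_image()):
        print(f"offset {off:#x}: {ext}, {len(data)} bytes")
```

Note that the carved PDF is longer than the real one: without a footer rule the carver keeps everything up to the next header, which is exactly the slack that makes naive carving produce oversized or concatenated files.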
Print Spooling
● Printing description
– Enhanced metadata
– .spl (spool file) and its matching .shd (shadow/job description) file in the spooler directory

Recycle Bin
● Stuff that's sent to the trash can
– Lots of users never bother emptying it
– Often plenty to look through for such users
● Bypass the recycle bin with <Shift><Delete>
● Registry – NukeOnDelete
– Look for this value (under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket; per volume on Vista and later) to see whether the user has set deletes to always skip the bin

Metadata
● You did a project on this last week
– But to review:
● Data about who worked on a file, hidden in the file itself
– Often people/corporations want to remove it:
● Legitimately
● Before making documents public
– They don't want people pointing fingers at the one employee who typed up the policy/finding, etc.
● Lots of tools to scrub/mess with metadata these days

Thumbnail Cache
● Windows makes small versions of your images
– thumbs.db (older versions; one per folder)
– thumbcache_*.db (Vista and later; per user, under AppData\Local\Microsoft\Windows\Explorer)
– Retains thumbnails after the originals are deleted
– What sorts of stuff can this help with?

Most Recently Used
● You've all seen how Windows tries to help you out
– Look at the Start menu
– A folder full of shortcuts (.lnk files in Recent Items)
– Even if the original is gone

Backup data
● Restore points and shadow copies
– Much like Mac OS Time Machine
– Can restore a system to a previous state (restore points) from data stored in shadow copies
– http://www.sevenforums.com/tutorials/166102-shadow-copies-delete.html
– http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html

FAT filesystem
● If you have a flash/thumb drive
– Chances are it has the FAT filesystem
● The filesystem that won't die
– The only fully specified, standards-compliant file system that Microsoft supports
– So everyone else does too

FAT
● FAT begins at the boot sector
– The next sectors hold FAT areas 1 & 2 (2 is a backup of 1)
– Followed by the root folder and its contents (on FAT32 the root folder is an ordinary cluster chain)
– Files are stored in clusters of sectors. The FAT entry for each cluster holds the number of the next cluster in the file's chain; the pointer is in the table, not inside the cluster's data
– The entry for the final cluster holds an end-of-chain marker
● 1048575
● Which is what?
● 0xFFFFF
– Caveat: that value is a 20-bit illustration; the real markers are 0xFF8–0xFFF (FAT12), 0xFFF8–0xFFFF (FAT16) and 0x0FFFFFF8–0x0FFFFFFF (FAT32, 28-bit entries)
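Following a cluster chain through the table is the core of recovering a file from FAT once you know (or carve) its first cluster. This is an added example written for these notes, not code from the book or from any FAT tool: it reads FAT12/16/32 entries with the correct widths, walks a chain until the end-of-chain marker, and refuses to follow free, bad or looping entries (a corrupted or deliberately edited FAT can otherwise send a tool in circles). The tables are constructed inline.

```python
"""Walk a FAT cluster chain (added example; FAT tables below are constructed)."""
import struct

# Entries at or above EOC_MIN mark end of chain; FAT32 entries are 28 bits wide.
EOC_MIN = {12: 0xFF8, 16: 0xFFF8, 32: 0x0FFFFFF8}
BAD = {12: 0xFF7, 16: 0xFFF7, 32: 0x0FFFFFF7}
ENTRY_MASK = {12: 0xFFF, 16: 0xFFFF, 32: 0x0FFFFFFF}


def fat_entry(fat: bytes, n: int, bits: int) -> int:
    """Read FAT entry n (little-endian; FAT12 packs two entries into three bytes)."""
    if bits == 16:
        return struct.unpack_from("<H", fat, 2 * n)[0]
    if bits == 32:
        return struct.unpack_from("<I", fat, 4 * n)[0] & ENTRY_MASK[32]
    off = n + n // 2                       # 1.5 bytes per FAT12 entry
    word = struct.unpack_from("<H", fat, off)[0]
    return (word >> 4) if n & 1 else (word & 0x0FFF)


def cluster_chain(fat: bytes, first: int, bits: int, limit: int = 1 << 20):
    """Return the clusters from `first` to the end-of-chain marker.

    Raises ValueError on a free (0) or bad entry, a cluster number below 2,
    or a loop, so a damaged table cannot make the walk run forever.
    """
    chain, seen, cur = [], set(), first
    while True:
        if cur < 2:
            raise ValueError(f"invalid cluster number {cur}")
        if cur in seen or len(chain) >= limit:
            raise ValueError(f"loop or over-long chain at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat_entry(fat, cur, bits)
        if nxt >= EOC_MIN[bits]:
            return chain
        if nxt == 0 or nxt == BAD[bits]:
            raise ValueError(f"chain hits free/bad entry after cluster {cur}")
        cur = nxt


def pack_fat12(entries) -> bytes:
    """Pack 12-bit entries pairwise into 3-byte groups (the on-disk FAT12 layout)."""
    out = bytearray()
    for i in range(0, len(entries), 2):
        a = entries[i]
        b = entries[i + 1] if i + 1 < len(entries) else 0
        out += bytes([a & 0xFF, ((a >> 8) & 0x0F) | ((b & 0x0F) << 4), (b >> 4) & 0xFF])
    return bytes(out)


# Constructed tables. Entries 0 and 1 are reserved (media byte / EOC), as on disk.
def build_fat12_demo() -> bytes:          # file at cluster 2: 2 -> 3 -> 4 (EOC)
    return pack_fat12([0xFF8, 0xFFF, 3, 4, 0xFFF, 0])


def build_fat16_demo() -> bytes:          # file at cluster 2: 2 -> 3 -> 7 (EOC); 4 free
    entries = [0xFFF8, 0xFFFF, 3, 7, 0, 0xFFFF, 0, 0xFFFF]
    return b"".join(struct.pack("<H", e) for e in entries)


def build_fat16_loop_demo() -> bytes:     # corrupted: 2 -> 3 -> 2
    return b"".join(struct.pack("<H", e) for e in [0xFFF8, 0xFFFF, 3, 2])


def build_fat32_demo() -> bytes:          # files at 2 (2 -> 3) and 5 (5 -> 6)
    entries = [0x0FFFFFF8, 0x0FFFFFFF, 3, 0x0FFFFFFF, 0, 6, 0x0FFFFFFF, 0]
    return b"".join(struct.pack("<I", e) for e in entries)


if __name__ == "__main__":
    print(cluster_chain(build_fat12_demo(), 2, 12))   # [2, 3, 4]
    print(cluster_chain(build_fat16_demo(), 2, 16))   # [2, 3, 7]
    print(cluster_chain(build_fat32_demo(), 5, 32))   # [5, 6]
```

When a file is deleted, FAT zeroes its chain entries and only the directory entry's first-cluster field survives, so on a deleted file this walk stops immediately; that is why carving, not chain-walking, is what recovers deleted data on FAT.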
NTFS
● File system on the vast majority of Windows systems
– Reading your book's description gives you an idea why NTFS drives are usually mounted read-only when examined
– Most information is in the Master File Table
● MFT
● The first 42 bytes of each 1024-byte record are the header structure
– The next 982 vary
● They hold the record's attributes ($STANDARD_INFORMATION, $FILE_NAME, $DATA, ...); the layouts were reverse-engineered rather than published by Microsoft
● But the header is enough to find and read the data

Simple file carving tool
● Your book mentions fatback
– Apparently it was once quite good
● The internet says it has been replaced
– And if you can't believe everything you see on the internet....
● TestDisk/PhotoRec
– PhotoRec is what we want
– Command line tool
– Ignores the file system
– Just looks at the disk

PhotoRec
● Originally written (apparently) to retrieve deleted pictures from phones
– Will recover all file types it recognizes from the disk
– Whether apparently deleted or not
– Review of file deletion?

Reading and assignment
● Read chapter 4 to page 84 in the Altheide/Carvey book
● Get PhotoRec and the demo file carving disk image to make sure it works (see the class website on the announcements page)
● Windows 8 users – this is the only system not known to work. Test it; if not, work using a USB drive on a Win7 machine on campus.

Event Logging
● Like all modern operating systems
– Windows logs a lot of stuff
– See http://windows.microsoft.com/en-us/windows/what-information-event-logs-event-viewer#1TC=windows-7
– Logins, application events, system warnings and errors
– Windows NT through Server 2003 used one log file format (.evt)
● Including what popular version?
– Windows Vista to current uses a more complex format (.evtx, binary XML)

The older version's advantage
● The older (.evt) format contains a binary header which includes the file size and the number of records
– Each event record knows how long it is
– The log is circular: once it reaches its maximum size, or after a retention period, new records overwrite the oldest ones
– Sometimes there are deleted records that are still recoverable (a record whose length field and signature are intact can be found in slack and free space)
– What does this buy us?

Windows Prefetch Files
● Client versions of Windows from XP to the present
– Create prefetch files to speed up application loading
– C:\Windows\Prefetch
● Executable name, followed by an 8-digit hex hash of its path, followed by the extension .pf (e.g. NAME.EXE-XXXXXXXX.pf)
● The file is binary
● But we know where some useful information is

The prefetch header
● Useful information at the start of the file
– The time last run (a 64-bit Windows FILETIME: 100 ns ticks since 1601-01-01 UTC, not Unix time; 8 bytes)
– The number of times run (4 bytes)
– The exact offsets of both fields depend on the file's version number (XP, Vista/7, 8.1 and 10 differ), and Windows 10 prefetch files are additionally compressed (MAM header) and must be decompressed first
● How many times can the program be run before this data is useless?
– Also includes the file paths of files the program recently opened
– In what situations can this help us where the other tools we've looked at can't?

Hiding executables
● If the user is hiding a bad executable
– They might rename it
– Concatenate on some junk
● To mess with the hash
– Anything else?

Executables
● Windows executables follow the “Portable Executable” standard
– A PE file can carry a VERSIONINFO resource whose strings include the original filename and version info
– Compare the current name to the original name
● Are they the same? Do nothing special
● Are they different? Look closer
– Caveat: the resource is optional, and whoever built or edited the binary controls its contents, so a matching name proves nothing on its own

Assignment
● Reading: finish chapter 4
● Project: let's look .
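Pulling the last-run time and run count out of a prefetch file is a few struct reads once the version is known. This is an added example written for these notes, not code from the book or from any forensic tool: the offsets used are the documented ones for the XP (version 17), Vista/7 (23) and 8.1 (26) layouts; Windows 10 files (version 30) are only detected, because they arrive MAM-compressed and their run-count offset varies by build. The sample .pf file, its name CALC.EXE, hash 0x12345678, run count and timestamp are all constructed in the script.

```python
"""Read the fixed fields of a Windows Prefetch (.pf) file (added example; sample file is constructed)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Absolute file offsets per prefetch version: (last run FILETIME, run count).
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}


def filetime_to_dt(ft: int) -> datetime:
    """Windows FILETIME is 100 ns ticks since 1601-01-01 UTC, not Unix seconds."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_win10_compressed(data: bytes) -> bool:
    """Windows 10 .pf files start with 'MAM' and must be LZXPRESS-Huffman decompressed first."""
    return data[:3] == b"MAM"


def parse_prefetch(data: bytes) -> dict:
    if is_win10_compressed(data):
        raise ValueError("Windows 10 prefetch file: decompress before parsing")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # Header: executable name is 60 bytes of UTF-16LE at offset 16, path hash at 76.
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]
    lr_off, rc_off = LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, lr_off)[0]
    run_count = struct.unpack_from("<I", data, rc_off)[0]
    return {
        "version": version,
        "exe_name": name,
        # What the file *should* be called; a mismatch with the on-disk name is worth a look.
        "expected_filename": f"{name}-{path_hash:08X}.pf",
        "last_run": filetime_to_dt(last_run) if last_run else None,
        "run_count": run_count,
    }


def build_demo_prefetch() -> bytes:
    """Constructed version-23 (Vista/7) file: CALC.EXE, run 7 times, last on 2013-02-05 12:00 UTC."""
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))          # file size field
    buf[16:32] = "CALC.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 76, 0x12345678)         # path hash (made up)
    when = datetime(2013, 2, 5, 12, 0, 0, tzinfo=timezone.utc)
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, 0x80, ft)
    struct.pack_into("<I", buf, 0x98, 7)
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_demo_prefetch())
    print(info["expected_filename"], info["last_run"], "runs:", info["run_count"])
```

On a real system you would run this over every *.pf in C:\Windows\Prefetch; the run count is a 32-bit field, so it only becomes useless after about four billion runs, which answers the slide's question.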
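The "concatenate on some junk" trick from the Hiding executables slide leaves a visible trace: the PE headers say exactly where the last section ends, so anything after that point is an overlay the loader never maps. This added example (not from the book or the lecture) parses the DOS header, COFF header and section table with the standard library, reports the overlay size, and hashes only the bytes the headers account for, so appended junk no longer changes the hash you compare. The PE image is a constructed minimal file, not a real binary; legitimate installers and signed binaries also carry overlays, so an overlay is a prompt to look closer, not proof of tampering.

```python
"""Detect data appended past the last PE section (added example; the PE below is constructed)."""
import hashlib
import struct


def pe_layout(data: bytes) -> dict:
    """Return section count, link timestamp, end of the last section and overlay size."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_table = coff + 20 + opt_size
    end_of_sections = sect_table + nsect * 40
    for i in range(nsect):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_table + i * 40)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return {
        "sections": nsect,
        "timestamp": timestamp,
        "end_of_sections": end_of_sections,
        "overlay_size": max(0, len(data) - end_of_sections),
    }


def body_sha256(data: bytes) -> str:
    """Hash only the header-described bytes; junk appended after the sections does not change it."""
    end = pe_layout(data)["end_of_sections"]
    return hashlib.sha256(data[:end]).hexdigest()


def build_demo_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32: one .text section of 0x200 bytes at file offset 0x200."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                    # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x51000000, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                          0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + opt + section).ljust(0x200, b"\0")
    text = b"\xC3" * 0x200                             # section body (all RET)
    return header + text + overlay


if __name__ == "__main__":
    clean, padded = build_demo_pe(), build_demo_pe(b"JUNK" * 25)
    print("overlay bytes:", pe_layout(clean)["overlay_size"], pe_layout(padded)["overlay_size"])
    print("whole-file hashes differ:", hashlib.sha256(clean).digest() != hashlib.sha256(padded).digest())
    print("body hashes match:", body_sha256(clean) == body_sha256(padded))
```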