Post on 22-May-2020
Vista Log Forensics
Dr. Rich Murphey, ACS

Outline:
  Background
  Case Study: Engagement, Preliminary Report, Final Report
  Vista Event Logging: Logging Service, Vista Event Encoding, Undocumented Internals
  Event Log Analysis: Recovery, Correlation, Interpretation
  Shadow Copy Services
[Figure: Event Tracing for Windows architecture. Providers A, B and C feed events, under controller enable/disable session control, into kernel buffers (Session 1 ... Session 64); logged events go to log files, and real-time delivery goes to consumers.]
[Figure: analysis cycle: Recover, Repair, Correlate.]
Acknowledgements

Shouts out to: MD5, Caesar, HTA, Fednaughty, DT
Thanks to: Jerlyn Mardis (ACS), Josh Pennell (IO Active), Matthew Geiger (CERT)
Dedicated to: BitMonk (HTA/Ad Hoc)
Special Thanks To

Sponsor:
  Forensics: In-depth Analysis, Expert Witness
  Data Recovery: Complex RAID, Exotic File Systems
  Consulting: Information Security

This is not:
  Legal Advice
  Suitable for testimony
Rich Murphey

Experience:
  Rice University: Ph.D., Electrical and Computer Engineering
  UTMB Med. School: Faculty, Physiology & Biophysics
  Pentasafe Security: Chief Scientist
  Applied Cognitive Soln.: Chief Scientist, Expert Witness; CISSP, ACE, EnCE

An Author of:
  GNU Graphics
  Asterisk VOIP (see "Authors")
  FreeBSD: Founding Core Team
  XFree86: man xorg | grep Rich
For More Info

C. R. Murphey, "Automated Windows Event Log Forensics," Digital Investigation, August 2007.
A peer-reviewed paper on a new tool for automating XP log recovery and analysis.
Digital Forensic Research Workshop, 8/13/07
HTCIA National, 8/27/07
Roadmap

  Background
  Case Study: Engagement, Preliminary Results, Revised Scope
  Vista Event Logging: Events, Logging Service, Undocumented Internals
  Event Log Analysis: Recovery, Correlation, Report
  Shadow Copy Services
Case Study Steps

Step 1: Define Preliminary Scope. Define feasibility of the engagement.
Step 2: Preliminary Report. Uncover and mitigate surprises; define capability to answer questions.
Step 3: Final Report. In-depth coverage; adapt methods to answer questions.
1st Hurdle: Define a Scope

Officer/Director calls: something bad happened.... Possible contract violation. Outgoing transfer of proprietary documents.

#1: Define a scope of work. Can we identify file transfer?
  Examine hard drives
  Email attachments
  File transfer, uploads
  Anything else?
2nd Hurdle: Preliminary Report

Good news: we know what to look for. Well-defined keywords, file names.

#2: Preliminary Report. D:\OfInterest.doc, found in unallocated space....

Bad news: IT deleted the user profile and gave the laptop to a new employee six months ago, after they reformatted and reinstalled Windows Vista.
Shortcuts

Shortcuts may contain IDs, label, size: a snapshot of the file's attributes and the media's attributes.

Shortcut File: Link target information
  File attributes         Read-only
  Last access time (UTC)  N/A
  Last write time (UTC)   11/3/2006 10:12:34 AM
  Creation time (UTC)     11/11/2006 3:21:14 PM
  File size               1643743
  Volume Serial Number    E2C3-F184
  Volume Label            Nov 11 2006
  Volume Type             CD-ROM
  Local Path              D:\OfInterest.doc
3rd Hurdle: Final Report

How to identify outgoing file transfer? Data carve for file path, time....

Where to find time stamps?
  Event logs
  Internet history
  Shortcuts
  Anywhere else?
Event Logging

Windows Vista/2008: Time, SID, Source, Severity, Message. More than 50 logs by default.

C:/Windows/system32/winevt/Logs/
  Application.evtx
  HardwareEvents.evtx
  Internet Explorer.evtx
  Security.evtx
  Setup.evtx
  System.evtx
  .... 50 more!
[Figure (PDC 06): Windows component architecture. User mode: system processes (Session Manager, WinLogon, Services.Exe, LSASS), services (Service Control Mgr., SvcHost.Exe, WinMgt.Exe, SpoolSv.Exe), applications (Task Manager, Explorer, user applications), environment subsystems (OS/2, POSIX, Windows), subsystem DLLs and NTDLL.DLL. Kernel mode: System Service Dispatcher; I/O Mgr, Object Mgr., Security Reference Monitor, Virtual Memory, Processes & Threads, Local Procedure Call, Configuration Mgr (registry), Plug and Play Mgr., Power Mgr., Windows USER/GDI, File System Cache; device & file system drivers and graphics drivers; Kernel and Hardware Abstraction Layer (HAL) (kernel mode callable interfaces) over the hardware interfaces (buses, I/O devices, interrupts, interval timers, DMA, memory cache control, etc.). Events: backward compatibility occurs here.]
Vista Event Logging

5% CPU for 20K events/sec, 200K with transactions.
Logging and WMI are now just layers on top of ETW.
Unified: kernel/app, tracing/logging, remote/local.
(PDC 06)
Vista Logging Service: High Performance Tracing

Event Tracing for Windows (ETW): events from both apps and kernel.
Events are forwarded to a Collector Service and stored in a local log for consumption.
Buffered in kernel; dynamically enable/disable, no reboot or restart.
Selected events are delivered as they arrive; choose either push or pull subscription.
Vista Events: Events are XML!

Standards encoding. System: standard properties. EventData: application defined.
Get events via: query live logs and log files; subscribe to live logs; filter using XPath.
Internals: new, different encoding; arbitrary structure defined by each application.

  <Event>
    <System>
      <Provider Name="CD Burning Service" />
      <EventID>310</EventID>
      <Level>2</Level>
      <Version>0</Version>
      <TimeCreated SystemTime="2006-02-28T21:51:44.754Z" />
      <EventRecordID>7664</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Desktop9237</Computer>
      <Security UserID="S-1-...-1003" />
    </System>
    <EventData>
      <data name="control">Service Started.</data>
    </EventData>
  </Event>

(PDC 06) Events are encoded not as XML, but rather as BXML!
Vista Events: On the Outside, On the Inside

On the outside, the event is the XML document above (PDC 06). On the inside, the record is binary:
  Record Header
  Section Descriptor (one per section)
  Section Header + Section Body (one pair per section)
Undocumented Event Structure

Record header: common attributes (timestamp, severity); number of sections.
Section descriptors: source; offset, length.
Section headers: specify the encoding of the body.
Section body: event-specific data.

  Record Header
  Section Descriptor
  Section Descriptor
  Section Descriptor
  Section Header / Section Body
  Section Header / Section Body
  Section Header / Section Body
Binary XML: BXML (Binary eXtensible Markup Language)

A binary serialization of an XML document, developed by CubeWerx for the OpenGIS Consortium. Higher performance in both space and time:
  More compact: string table for tags and values; gzip the whole document or just the body; avoids resource exhaustion of DOM.
  10 to 100 times faster to parse; 100 times faster for dense numeric data, due to binary encoding of numbers alone.
http://www.cubewerx.com
What is BXML?

Serialized numbers begin with a one-byte code that identifies the data type:

  byte enum ValueType {
      BoolCode = 0xF0,  // boolean value
      ByteCode = 0xF1,  // 'byte' numeric value
      IntCode  = 0xF4,  // 'int' numeric value
  }

  IntNum {                      // 32-bit integer value
      ValueType type = IntCode;
      int num;                  // value
  }
  http://www.cubewerx.com

XML tags are serialized as a byte code for the type of tag, followed by a reference to the tag name in the string table:

  ContentElementToken {         // <element>
      TokenType type = ContentElementCode;
      Count stringRef;          // index of element name
  }

  ElementEndToken {             // </element>
      TokenType type = ElementEndCode;
  }
  http://www.cubewerx.com

Strings are preceded by their length. String tables are preceded by a type code and the table size:

  String {                      // raw character string
      Count byteLength;         // length in bytes
      byte chars[byteLength];   // characters in proper encoding
  }

  StringTableToken {            // string table (fragment)
      TokenType type = StringTableCode;
      Count nStrings;           // number of strings
      String strings[nStrings]; // values
  }
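As an added example (not code from the slides or from CubeWerx), here is a round-trip encoder and decoder for the BXML subset the three slides above describe: a string table, typed IntNum values, and element start/end tokens. The value-type codes 0xF0/0xF1/0xF4 are the slides'; the three token codes, the 32-bit little-endian `Count`, and UTF-8 strings are assumptions, and the sample tree is constructed from the numeric fields of the CD Burning event shown earlier.

```python
import struct

# Value-type codes from the slides (CubeWerx BXML). The three token codes on
# the next line are NOT on the slides: they, the 32-bit little-endian 'Count'
# and UTF-8 strings are assumptions made for this example only.
BOOL_CODE, BYTE_CODE, INT_CODE = 0xF0, 0xF1, 0xF4
CONTENT_ELEMENT_CODE, ELEMENT_END_CODE, STRING_TABLE_CODE = 0xE0, 0xE1, 0xE2
# A node is (element_name, children); each child is a node or an int (IntNum).

def encode(root):
    """Emit the token stream, then prepend the StringTableToken it references."""
    names, body = [], bytearray()
    def emit(node):
        if node[0] not in names:
            names.append(node[0])
        body.append(CONTENT_ELEMENT_CODE)    # <element>: code + stringRef
        body.extend(struct.pack("<I", names.index(node[0])))
        for child in node[1]:
            if isinstance(child, tuple):
                emit(child)
            else:                            # IntNum: IntCode + 32-bit value
                body.append(INT_CODE)
                body.extend(struct.pack("<i", child))
        body.append(ELEMENT_END_CODE)        # </element>
    emit(root)
    table = bytearray([STRING_TABLE_CODE]) + struct.pack("<I", len(names))
    for s in names:                          # String: byteLength + chars
        table += struct.pack("<I", len(s.encode())) + s.encode()
    return bytes(table + body)

def decode(buf):
    """Inverse of encode(); rejects unknown token codes instead of guessing."""
    pos = 0
    def take(fmt):
        nonlocal pos
        (value,) = struct.unpack_from(fmt, buf, pos)
        pos += struct.calcsize(fmt)
        return value
    if take("<B") != STRING_TABLE_CODE:
        raise ValueError("document must start with a string table")
    names = []
    for _ in range(take("<I")):
        length = take("<I")
        names.append(buf[pos:pos + length].decode())
        pos += length
    stack, root = [], None
    while pos < len(buf):
        code = take("<B")
        if code == CONTENT_ELEMENT_CODE:
            node = (names[take("<I")], [])
            if stack:
                stack[-1][1].append(node)
            stack.append(node)
        elif code == INT_CODE:
            stack[-1][1].append(take("<i"))
        elif code == ELEMENT_END_CODE:
            root = stack.pop()
        else:
            raise ValueError(f"unknown token 0x{code:02X} at offset {pos - 1}")
    return root

# Constructed sample: the numeric <System> fields of the slide's CD Burning event.
SAMPLE = ("System", [("EventID", [310]), ("Level", [2]), ("Version", [0]), ("EventRecordID", [7664])])
```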
Why the Changes?

Performance, scalability, and security.
New event publishing API: schematized, discoverable, structured events.
Unified API: logging uses the tracing framework.
Logging is asynchronous: does not block the application.
Log size limit removed: limited only by disk space.
Vista Events: XML events have rich information

XP events have a flat structure, no parameter names.
Filtering and subscriptions use XPath, e.g. Event[System/EventID=101]
Select events and filter out noise:
  <QueryList>
    <Query>
      <Select>Event[System/Provider=Foo]</Select>
      <Suppress>Event[System/Level>2]</Suppress>
    </Query>
  </QueryList>
Filter across live logs, files, Vista, and XP. Subscribe to a custom view of events centrally. Integrates with existing tools.
Triggering actions: associate a task with an event with a single click.
Vista Log Signature

4K header starts with "ElfFile".
Each 64K block starts with "ElfChnk".
Size: 1024 + 4 = 1028 K bytes.
Registering a Provider

Providers are sources of the events, identified by a unique GUID and name. The provider specifies the location of resources for decoding:
  <provider name="Microsoft-Windows-Demonstration"
            guid="{12345678-d6ef-4962-83d5-123456789012}"
            resourceFileName="wevtsvc.dll"
            messageFileName="wevtsvcMessages.dll"
            parameterFileName="wevtsvcParameter.dll"
  >
(PDC 06)
Channel Definition

System-defined channels are imported (the System channel above). New provider-specific channels can be defined and configured:
  <importChannel chid="C1" name="System" />
  <channel chid="C2" name="Microsoft-Windows-Demonstration/Operational"
           type="Operational" isolation="System">
    <logging>
      <autoBackup>true</autoBackup>
      <maxSize>268435456</maxSize>
    </logging>
    <publishing>
      <level>2</level>
      <keywords>1</keywords>
    </publishing>
  </channel>
(PDC 06)
Template Definition

Templates define the payload shape of events. Data elements define the fields of events. A user-defined XML representation for the payload can be added:
  <templates>
    <template tid="tid_HelloWorld">
      <data name="Greeting" inType="win:UnicodeString" outType="xs:string" />
    </template>
  </templates>
(PDC 06)
Event

The manifest defines event attributes: ID (value), version, keywords, task, opcode, and level. It references a previously declared template that defines the instance data. Message: a user-readable string. Channel: the name of the channel that transports the event to the logs.
  <event value="101" version="1" level="win:Error"
         symbol="MyEventDescriptor"
         keywords="el:Availability"
         task="el:EventProcessing"
         template="tid_HelloWorld"
         channel="C1"
         message="$(string.HelloWorld.Message)"
  />
Logging Interface

How to log an event:
  At compile time: write a schema; compile the schema.
  At run time: register the source; create a session; send events.

[Figure (PDC 06): the event publishing application's published events pass through the user-mode Publishing API into sessions in the kernel component, which writes them to logs; the event schema is processed by the schema compiler.]
"Cutting-Edge Forensics"

"Conduct Cutting-Edge Forensic Investigations" (back cover)
On event log repair: "We found no methods that were complete, and none explained the underlying principles for why the repair was needed." (pg. 444)
Available April 2, 2007
Log Analysis Roadmap

Forensic process models: Extract, Analyze, Interpret (Recover, Repair, Correlate).

Extract:
  Step 1 – Recover: data carve for logs, etc.
  Step 2 – Validate: identify intact log files.
  Step 3 – Correlate: corresponding time, files, names, ...
Signatures

XP log signature (16 bytes): 30 00 00 00 4c 66 4c 65 01 00 00 00 01 00 00 00
Vista log signature (16 bytes): "ElfFile" padded with nulls
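An added example (not from the slides or from DataLifter): a carver that scans an image for the two signatures above and, for a Vista hit, walks the ElfChnk chain to report how much of the log survives, which is the Step 2 "validate" question. The 512-byte search stride and the sample image are constructed assumptions.

```python
# Signatures from the slides. The slide gives the Vista one as "ElfFile"
# padded with nulls to 16 bytes; matching only the constant 8-byte prefix
# avoids missing headers whose following counter fields are non-zero.
XP_SIG = bytes.fromhex("30000000 4c664c65 01000000 01000000")
VISTA_FILE_SIG = b"ElfFile\x00"
VISTA_CHUNK_SIG = b"ElfChnk\x00"
HEADER_SIZE = 4 * 1024        # 4K header, per the slide
CHUNK_SIZE = 64 * 1024        # each 64K block starts with ElfChnk
SECTOR = 512                  # search stride: assumes sector-aligned file starts

def count_chunks(image, start):
    """Count consecutive ElfChnk blocks following the header at `start`."""
    n, pos = 0, start + HEADER_SIZE
    while image.startswith(VISTA_CHUNK_SIG, pos):
        n, pos = n + 1, pos + CHUNK_SIZE
    return n

def carve(image):
    """Return (offset, kind, size_bytes) for every sector-aligned log header.

    For a Vista log the size is what the chunk chain accounts for:
    4K + 64K * chunks, so 16 chunks give the 1028K of a default 1 MB log.
    A Vista hit with zero chunks is a header whose data was overwritten.
    For XP only the header is located here, so the size is None.
    """
    hits = []
    for off in range(0, len(image), SECTOR):
        if image.startswith(XP_SIG, off):
            hits.append((off, "xp", None))
        elif image.startswith(VISTA_FILE_SIG, off):
            size = HEADER_SIZE + CHUNK_SIZE * count_chunks(image, off)
            hits.append((off, "vista", size))
    return hits

def build_sample_image():
    """Constructed unallocated-space sample: an XP header, a complete 16-chunk
    Vista log, and a Vista log truncated after two chunks (a 'corrupt' log)."""
    img = bytearray(2352 * SECTOR)                  # zero filler

    def place_vista(off, chunks):
        img[off:off + len(VISTA_FILE_SIG)] = VISTA_FILE_SIG
        for i in range(chunks):
            pos = off + HEADER_SIZE + i * CHUNK_SIZE
            img[pos:pos + len(VISTA_CHUNK_SIG)] = VISTA_CHUNK_SIG

    img[1024:1024 + len(XP_SIG)] = XP_SIG
    place_vista(8192, 16)
    place_vista(1064960, 2)
    return bytes(img)
```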
Step 1 – Recover

The results: run DataLifter. 100 logs are recovered. Only two are viewable; 98 corrupt logs.

Step 2 – Validate 98 logs?
Correlate

SQL queries to identify patterns:
  <QueryList>
    <Query>
      <Select Path="System">
        *[System/Provider="CD Burning Service"]
      </Select>
    </Query>
  </QueryList>

  Message                                                        Time (UTC)
  The CD Burning service was successfully sent a start control.  11/11/2006 15:21
  The CD Burning service entered the running state.              11/11/2006 15:21
  The CD Burning service entered the running state.              11/11/2006 15:22
  The CD Burning service entered the running state.              11/11/2006 15:23
  The CD Burning service entered the running state.              11/11/2006 15:24
  The CD Burning service entered the running state.              11/11/2006 15:25
  The CD Burning service entered the running state.              11/11/2006 15:26
  The CD Burning service entered the running state.              11/11/2006 15:27
  The CD Burning service entered the stopped state.              11/11/2006 15:27
Report

Correlations indicate a CD-ROM was burned by username Bob at 11/11/2006 3:21 PM UTC.
We can uniquely identify the CD: label "Nov 11 2006", volume serial number E2C3-F184.
Proprietary documents were transferred: OfInterest.doc, 1.6 MB, last modified 11/3/2006 10:12:34 AM UTC.
Timestamp Analysis

Last write time is earlier than created. This can indicate the time at which a file was transferred from the source media, and can help identify the source file on the source media.

  Last write time (UTC)   11/3/2006 10:12:34 AM
  Creation time (UTC)     11/11/2006 3:21:14 PM
  Local Path              D:\OfInterest.doc
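An added example, not the slides' own method, applying the Correlate and Timestamp Analysis steps above to the shortcut metadata and CD Burning service events the deck shows: the write-before-create test, a time-window correlation, and the fields the Report slide summarises. The 10-minute window, the "CD Burning" keyword match, and the single Print Spooler event are constructed assumptions.

```python
from datetime import datetime, timedelta

# Shortcut target metadata from the slides: the .lnk pointed at a file on a
# CD-ROM volume labelled "Nov 11 2006" with serial number E2C3-F184.
SHORTCUT = {
    "local_path": r"D:\OfInterest.doc",
    "volume_type": "CD-ROM",
    "volume_label": "Nov 11 2006",
    "volume_serial": "E2C3-F184",
    "file_size": 1643743,
    "last_write": datetime(2006, 11, 3, 10, 12, 34),   # UTC
    "created": datetime(2006, 11, 11, 15, 21, 14),     # UTC
}

def at(h, m):
    return datetime(2006, 11, 11, h, m)

# (message, UTC time) pairs from the correlation slide, plus one constructed
# Print Spooler event so the filter has something to reject.
EVENTS = [
    ("The CD Burning service was successfully sent a start control.", at(15, 21)),
    ("The CD Burning service entered the running state.", at(15, 21)),
    ("The CD Burning service entered the running state.", at(15, 22)),
    ("The CD Burning service entered the running state.", at(15, 23)),
    ("The CD Burning service entered the running state.", at(15, 24)),
    ("The CD Burning service entered the running state.", at(15, 25)),
    ("The CD Burning service entered the running state.", at(15, 26)),
    ("The CD Burning service entered the running state.", at(15, 27)),
    ("The CD Burning service entered the stopped state.", at(15, 27)),
    ("The Print Spooler service entered the running state.", at(9, 5)),  # constructed
]

def write_before_create(meta):
    """True when the target's last write predates its creation on the volume.

    A file cannot be modified before it exists, so this pattern means the
    content was copied onto this volume: `created` is the transfer time and
    `last_write` is a handle on the source file on the source media.
    """
    return meta["last_write"] < meta["created"]

def correlate(meta, events, keyword="CD Burning", window=timedelta(minutes=10)):
    """Events mentioning `keyword` within `window` of the shortcut's creation,
    oldest first. The keyword and window are assumptions for this example."""
    t0 = meta["created"]
    hits = [(msg, t) for msg, t in events if keyword in msg and abs(t - t0) <= window]
    return sorted(hits, key=lambda e: e[1])

def build_report(meta, events):
    """Summarise the correlation the way the Report slide does, or None if
    the events and the timestamp anomaly do not both support a transfer."""
    hits = correlate(meta, events)
    if not hits or not write_before_create(meta):
        return None
    return {
        "transfer_time_utc": meta["created"],
        "media": f'{meta["volume_type"]} "{meta["volume_label"]}" serial {meta["volume_serial"]}',
        "document": (meta["local_path"], meta["file_size"], meta["last_write"]),
        "burn_window_utc": (hits[0][1], hits[-1][1]),
        "matching_events": len(hits),
    }
```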
"Shadow Copy tracks your every change."

Automatic point-in-time copies.
Incremental block-level differences minimize space.
Deletes older copies as needed for space (LRU).
Legal Concerns Related to Vista

Revised Federal Rules of Civil Procedure:
  Scope of Production: historical snapshots are readily available in Vista.
  Duty to Preserve: litigation hold notices; potential for sanctions.
  Form of Production: native files? Metadata? Point-in-time image snapshots?
Impact on Policy Maintenance

May complicate corporate policy issues:
  Document retention policies: complicates policy maintenance; disabling shadow copies in turn breaks backups and the restore engine.
  Metadata retention policy: ownership changes are visible now; gaps in documentation policy for Vista.
Impact of Vista on Forensics

FRCP: the rules have changed. Vista, in turn, changes the rules.
What happens if one accepts the default system behavior?
  Things may never go away permanently. Vista leaves far more information than XP.
  Changes in ownership (SID).
Executives dislike surprises: risks regarding SOX compliance and litigation.
How Shadow Copy Works

Acts like a block device: a layer between the device and the file system.

[Figure: the Volume Shadow Copy (VSS) Service sits between the file system and the block device (disk); alongside the current file system it presents snapshots as of Wed. 7:00, 10:00, 13:00, 15:00 and 19:00.]
[Figure (Stevenson, WinHec 06): an application writes data to disk; upon write, the overwritten block moves to the shadow copy, so the shadow copy holds only blocks that changed. Panels: Disk Before, Disk After, Shadow Before, Shadow After.]
Windows RE Auto-Repair

[Figure (Stevenson, WinHec 06): the computer bluescreens and reboots; the boot manager detects the failure and, after more than 5 attempts, fails over into Windows RE, which auto-launches Startup Repair, diagnoses and repairs the computer, and reboots. On a successful boot Windows Vista starts; otherwise it cannot auto-repair (try manual).]
Tools - VSSAdmin

  C:\>vssadmin /?
  vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
  (C) Copyright 2001 Microsoft Corp.

  ---- Commands Supported ----

  Add ShadowStorage    - Add a new volume shadow copy storage association
  Create Shadow        - Create a new volume shadow copy
  Delete Shadows       - Delete volume shadow copies
  Delete ShadowStorage - Delete volume shadow copy storage associations
  List Providers       - List registered volume shadow copy providers
  List Shadows         - List existing volume shadow copies
  List ShadowStorage   - List volume shadow copy storage associations
  List Volumes         - List volumes eligible for shadow copies
  List Writers         - List subscribed volume shadow copy writers
  Resize ShadowStorage - Resize a volume shadow copy storage association
Resource Kit – VolRest

  C:\Resource Kit>volrest
  VOLREST 1.1 - Timewarp Previous Version command-line tool
  (C) Copyright 2003 Microsoft Corp.

  Usage: VOLREST [options] FileName

  Options are:
    /?   - Displays this help.
    /A   - Includes files with specified attributes.
             /AD Directories (only).
             /AS System files.
             /AH Hidden files.
    /B   - Uses bare format (no heading information or summary).
    /S   - Includes files in specified directory and all subdirectories.
    /R:<DirectoryName> - Restore all previous versions in target directory.
    /E   - Restores empty directories (use with /R).
    /SCT - Decorates restored file names with the shadow copy timestamp.
           Use with /R. For example: "foo (Wednesday, January 01, 2003, 14.00.00).doc"

  Examples:
    VOLREST Z:\MYDIRECTORY\MYFILE.DOC
    VOLREST //server\share\MYDIRECTORY\*.DOC
    VOLREST Z:\*.* /s /r:C:\OLDFILES
    VOLREST Z:\*.DOC /s /r:C:\OLDFILES /SCT
Questions?

Rich@Murphey.org
http://murphey.org
http://acsworldwide.com