First Look at the Windows 7 Forensics


Department of Computer and Information Sciences
University of Strathclyde

Piotrek Smulikowski

01/09/2009

University of Strathclyde

First Look at the Windows 7 Forensics
Forensic implications of the new Windows 7

This dissertation was submitted in part fulfilment of requirements for the degree of MSc Forensic Informatics


Abstract

Microsoft is ready to ship its new mainstream operating system, Windows 7. From 22 October 2009 most new computers will be sold with it. This paper intends to prepare computer forensic professionals for the challenges the system can potentially bring and for the impact it is likely to have on forensic examination.

Through comprehensive research and detailed analysis of the newly introduced features it was possible to identify the problems examiners are likely to encounter and to document them. New sources of evidence were also discovered, some of them replacing sources that have been removed or discarded.

This paper provides a first look at Windows 7 from the computer forensic perspective. It is designed to give digital investigators a better understanding of the system and to support more effective forensic analysis of it.


Table of Contents

Declaration
Abstract
Acknowledgments
Table of Contents
List of Tables
List of Figures
1. Introduction
  1.1. Rationale
  1.2. Deliverables
  1.3. Project constraints
  1.4. Audience
  1.5. This Document
2. Background Research / Literature Review
1. Windows 7 Development versions
2. Windows 7 final editions
3. Internet Explorer 8
  3.1. InPrivate – Stealth Browsing
  3.2. Suggested Sites
  3.3. Session Recovery
  3.4. Index.dat files
4. Folder Structure
  4.1. Libraries
  4.2. Windows Search and Federated Search
  4.3. User folders
5. New Taskbar and Jump List
6. BitLocker
  6.1. BitLocker in Windows Vista
    6.1.1. Introduction
    6.1.2. Authentication Methods
    6.1.3. BitLocker Identification
    6.1.4. BitLocker Acquisition
  6.2. BitLocker in Windows 7
    6.2.1. Introduction
    6.2.2. BitLocker To Go
    6.2.3. BitLocker To Go Identification
    6.2.4. BitLocker To Go Acquisition
    6.2.5. BitLocker changes
  6.3. Windows 7 BitLocker Conclusions
7. Registry Analysis
  7.1. Introduction
  7.2. Registry locations
    7.2.1. Time Information
    7.2.2. Most Recently Used
    7.2.3. UserAssist
    7.2.4. Autoruns
    7.2.5. Network information
    7.2.6. Mounted Devices
    7.2.7. USB Device Information
    7.2.8. Internet Explorer
8. Miscellaneous new Features and Changes
  8.1. Location and Sensors API
  8.2. exFAT / FAT64
    8.2.1. exFAT Identification
  8.3. Partition Table
  8.4. XP mode
  8.5. Biometrics and Fingerprint support
  8.6. Uninstall Process
  8.7. Mix
  8.8. UAC
9. Methodology
  9.1. Hardware and Software used
10. Conclusions
  10.1. Research Achievements
  10.2. Actual Constraints
  10.3. Reflections on Research
  10.4. Final Conclusions
  10.5. Future Work
References
Bibliography
APPENDIX A – Windows 7 Editions Comparison Chart

List of Tables

Table 1. Windows 7 Editions comparison (Protalinski, 2009)
Table 2. Behaviour of the Internet Explorer 8 InPrivate mode (Zeigler, 2008)
Table 3. Data stored during an InPrivate session. Source: Windows Internet Explorer Help
Table 4. File names and the respective applications that store Jump List data in them
Table 5. Required values for BitLocker stored in the boot sector of an encrypted volume (Hunter, 2006)
Table 6. Short naming convention for root hives
Table 7. Registry paths and corresponding files
Table 8. Differences and similarities in registry key locations between Windows XP and Windows Vista
Table 9. USB information gathering process. Adapted from (SANS Forensics Blog, 2009)
Table 10. Hardware and software specification of the PCs used
Table 11. Windows 7 editions comparison chart. Source: Wikipedia


List of Figures

Figure 1. Contents of the SuggestedSites.dat file, viewed in a hex editor. Visited URLs are underlined in blue and referrer URLs are highlighted in yellow
Figure 2. Contents of the SuggestedSites.dat file with the header underlined in red and the IE browser version highlighted in yellow
Figure 3. Contents of the Active folder. In this example both normal and InPrivate modes are in use, each with multiple tabs open. Note: this screenshot comes from Windows XP
Figure 4. Contents of an example tab file. The URL is highlighted in grey and the page name in yellow
Figure 5. index.dat file parsed with Pasco and imported into Excel
Figure 6. XML code in a library-ms file. The included folder path is highlighted in grey
Figure 7. Contents of a Search Connector configuration file. The domain search provider is highlighted in grey
Figure 8. Start Menu properties window, which allows the user to disable the Jump List and customise the contents of the start menu
Figure 9. Contents of a Jump List recent items file viewed in a hex editor. The path to the recent 'cos.png' file is highlighted in grey. This particular file stores the recent items list for Microsoft Paint
Figure 10. BitLocker encrypted volume header of a boot sector in Windows Vista, viewed in a hex editor (Hargreaves & Chivers, 2007)
Figure 11. Group Policy allows forcing users to encrypt USB sticks (Funk, 2008)
Figure 12. BitLocker To Go Reader window, which allows viewing files and exporting them to the local machine. Screenshot taken from Windows Vista
Figure 13. BitLocker To Go encrypted portable drive
Figure 14. Contents of the BitLocker To Go encrypted portable drive. The BitLockerToGo.exe file is clearly visible. Screenshot taken from Windows Vista
Figure 15. FAT32 volume encrypted with BitLocker To Go. The MSWIN4.1 OEM name is highlighted in yellow and the FAT32 file system type in grey
Figure 16. BitLocker signature found on a BitLocker To Go encrypted volume, highlighted in yellow. Additionally the original computer name, drive letter and date were also found, highlighted in grey
Figure 17. Header of an NTFS drive encrypted with BitLocker To Go, viewed in a hex editor. The BitLocker signature -FVE-FS- at offset 0x03 is highlighted in yellow. Interestingly, the volume is marked as a FAT32 file system, highlighted in grey
Figure 18. BitLocker signature found on an encrypted NTFS volume, highlighted in yellow. Computer name, drive letter and date were also found, highlighted in grey
Figure 19. Binary data of an example UserAssist value. Underlined in red is the obfuscated program path, in green the decoded path. Highlighted in yellow is the counter and in blue the timestamp in hex
Figure 20. Output from the date/time converting application DCode. Highlighted in yellow is the timestamp from the example above (see previous figure)
Figure 21. exFAT partition signature 'EXFAT'
Figure 22. fdisk recognises exFAT as NTFS with partition id=7
Figure 23. Output from the mmls tool; exFAT is recognised as NTFS
Figure 24. fdisk recognises two partitions as NTFS
Figure 25. The mmls tool displays the details and locations of the two partitions
Figure 26. Output from the fsstat tool with details of the System Reserved (left) and Windows 7 (right) partitions
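The captions for Figures 15 to 18 and 21 to 25 record the on-disk signatures the dissertation uses to tell volume types apart: the eight-byte OEM name field at offset 0x03 of the boot sector holds NTFS, EXFAT or, on a BitLocker-protected volume, -FVE-FS-; a BitLocker volume otherwise presents a FAT32-style header (Figure 17 shows an NTFS volume "marked as FAT32"); and MBR partition type 7 is shared by NTFS and exFAT, so fdisk and mmls report exFAT as NTFS. The Python below is an added example, not code from the dissertation, that applies those checks in the order a practitioner needs (BitLocker before FAT32, boot sector before partition type). Every sector and the MBR are constructed for illustration rather than captured from real media, and the FAT32 type string at offset 0x52 is the standard FAT32 extended BPB field, which the dissertation's captions do not spell out.

```python
"""Identify a volume from its first sector by OEM-name and FAT32 type strings.

Added example; not code from the dissertation. All sectors here are constructed
for illustration (not captured from real media).
"""
import struct

SECTOR_SIZE = 512

# Signatures the dissertation's figures point at (byte offset 3, 8 bytes).
OEM_SIGNATURES = {
    b"-FVE-FS-": "BitLocker (FVE)",
    b"NTFS    ": "NTFS",
    b"EXFAT   ": "exFAT",
}
FAT32_TYPE_OFFSET = 0x52  # extended BPB "file system type" string (standard FAT32 layout)


def classify_vbr(sector: bytes) -> str:
    """Label a volume boot record.

    The BitLocker check deliberately comes first: a BitLocker volume carries a
    FAT32-looking header (Figure 17 shows an NTFS volume 'marked as FAT32'),
    so testing the FAT32 string first would misidentify it.
    """
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    oem = sector[3:11]
    if oem in OEM_SIGNATURES:
        return OEM_SIGNATURES[oem]
    if sector[FAT32_TYPE_OFFSET:FAT32_TYPE_OFFSET + 8] == b"FAT32   ":
        return "FAT32 (OEM name %s)" % oem.decode("ascii", "replace").strip()
    return "unknown"


def mbr_partitions(mbr: bytes):
    """Return (type_id, start_lba, sector_count) for each used MBR entry."""
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = e[4]
        start, count = struct.unpack("<II", e[8:16])
        if ptype:
            entries.append((ptype, start, count))
    return entries


def resolve_partitions(mbr: bytes, read_sector):
    """Pair each MBR entry with what its own boot sector says it is.

    read_sector(lba) -> bytes is supplied by the caller (e.g. seek+read on an
    image). Type 0x07 alone cannot distinguish NTFS from exFAT (Figures 22-23).
    """
    return [(ptype, start, count, classify_vbr(read_sector(start)))
            for ptype, start, count in mbr_partitions(mbr)]


# --- constructed sample data ------------------------------------------------
def make_vbr(oem: bytes, fs_type: bytes = b"") -> bytes:
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xEB\x58\x90"  # jump instruction, as on real volumes
    s[3:11] = oem.ljust(8)
    if fs_type:
        s[FAT32_TYPE_OFFSET:FAT32_TYPE_OFFSET + 8] = fs_type.ljust(8)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def make_mbr(entries) -> bytes:
    m = bytearray(SECTOR_SIZE)
    for i, (ptype, start, count) in enumerate(entries):
        off = 446 + 16 * i
        m[off + 4] = ptype
        m[off + 8:off + 16] = struct.pack("<II", start, count)
    m[510:512] = b"\x55\xAA"
    return bytes(m)


SAMPLE_VBRS = {
    "fat32": make_vbr(b"MSWIN4.1", b"FAT32"),      # cf. Figure 15
    "ntfs": make_vbr(b"NTFS"),
    "exfat": make_vbr(b"EXFAT"),                    # cf. Figure 21
    "bitlocker": make_vbr(b"-FVE-FS-", b"FAT32"),   # cf. Figure 17
}

# Two type-7 partitions as in Figures 24-25; unlike those figures the second
# one is exFAT here, to show why the type byte alone is not enough.
SAMPLE_MBR = make_mbr([(0x07, 2048, 204800), (0x07, 206848, 409600)])
SAMPLE_DISK = {2048: SAMPLE_VBRS["ntfs"], 206848: SAMPLE_VBRS["exfat"]}

if __name__ == "__main__":
    for name, vbr in SAMPLE_VBRS.items():
        print(f"{name:10s} -> {classify_vbr(vbr)}")
    for ptype, start, count, label in resolve_partitions(SAMPLE_MBR, SAMPLE_DISK.__getitem__):
        print(f"type 0x{ptype:02X} @ LBA {start:<7d} ({count} sectors) -> {label}")
```

On a real image, read_sector would be a seek to lba * 512 followed by a 512-byte read; the classifier only needs the first sector of each partition, so it is cheap to run over every entry before any tool's partition-type guess is trusted.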

1. Introduction

Microsoft Windows is by far the most popular operating system among typical computer users, and as a result it has a great impact on computer forensics. There is therefore no doubt that the introduction of Windows 7 will leave its footprint on forensics. The big question is what that impact will be: whether existing methods will become obsolete, or whether there will be no forensically significant changes at all. Early opinions suggest that digital investigators will not be forced to change careers just yet. However, information on the forensic issues of Windows 7 is very limited; there is no single detailed resource on the topic. This paper attempts to fill that gap. It is intended to give forensic examiners a starting point, a first look at the issues surrounding analysis of the new Windows. Through in-depth discussion and examination of the relevant features, the study produced several interesting findings.

The paper is aimed primarily at forensic examiners, to aid them in the analysis of computers running Windows 7. It is hoped that after reading it investigators will be more confident when faced with the new system, and that by analysing the new sources of evidence it documents they will be able to produce stronger evidence. Some of the new functionality works in the examiner's favour and some against it. The challenges Windows 7 brings could affect forensic analysis, and this research attempts to analyse and document them to raise examiners' awareness.

However, as this is the first detailed analysis of Windows 7 from the forensic point of view, it may be regarded as comprehensive but by no means as a complete, exhaustive reference. That will take time and much more research; this paper tries to form a basis for, and to encourage, further study of the topic.

1.1. Rationale

The introduction of new software can bring a wide range of changes that potentially affect compatibility. This is especially true of an operating system, which provides the basic functionality and platform for other software and coordinates all of the computer's actions. Since other applications rely on it, the way they work is heavily dependent on the OS. Software for Apple Mac OS will not run on Windows Vista because the two systems handle applications and data very differently. That is to be expected between competitors' platforms, but it can also happen on the same platform: an application written for Windows XP may or may not work under Vista. Fortunately, over time, developers modify their products so that they work on the new system. Incompatibility issues may also affect Windows 7, though very few have been reported so far. It is important to remember that the problem can affect forensics in both directions, with Windows 7 as (a) the target PC or (b) the analysis platform. While studying software alternatives, the research may reveal such problems in the collection of applications tested.

The research aims to discover the differences in the forensic analysis process between the new system and the previous versions of Windows, namely Vista and XP. Windows XP was the main consumer OS for nearly six years, whereas Vista will be replaced by Windows 7 after little over two and a half years. Given this much shorter development time, a large number of new features is not expected. Speculation suggests that Windows 7 is a refined version of Vista; some even say it is what Vista was meant to be. Microsoft has dropped the introduction of the new Windows file system, which would have had a very significant impact on forensic analysis. It is also possible that very few of the changes actually affect the process, but that is exactly why this research matters: to find the major differences, if any, in forensic analysis procedure.

Certainly, it will take a substantial time for Windows 7 to be adopted by the majority of the PC market, and it will gain popularity in the computer crime world just as slowly. Although in the current financial climate forecasts of computer sales vary, the Windows market share should be preserved, meaning that once Windows 7 is released about 93% of new home computers will be sold with this operating system (NET APPLICATIONS, 2009). It will therefore become the main OS used by home users, and it is safe to assume that criminals will start using it as well; the sooner forensic specialists become familiar with the system the better.

The main beneficiaries of this study are expected to be forensic investigators and researchers. Analysts will learn how significant the changes are to the analysis process, which techniques still apply, and what could be a new source of forensic evidence. This will help them choose appropriate techniques in order to recover as much evidence as possible from the new system.

The results of the study could form a solid basis for further forensic research into more specific issues of Windows 7. The aim is to give researchers an overview of the new features and overall changes to the system architecture, and of how important they are to the forensic analysis process. If the research finds substantial differences that require further, more in-depth analysis, they could become the basis of a more detailed and focused study. However, if the findings state that there are no changes to the forensic analysis procedure, the study could still be considered successful, since there is no other published research, at least at the time of writing, that tries to examine the new system. It might therefore be beneficial to the computer forensic community to establish that as a fact, if this is the case. Hence, regardless of the findings, the paper can still be a valuable contribution to the forensic field, provided of course that the research has been properly executed.

Literature available on the topic of Windows 7 and forensics is very limited, and it is believed that this paper will fill this particular gap and possibly encourage the forensic community to undertake further work in the field.

Last but not least, from my personal point of view I hope to learn more about the forensic analysis of Windows based computers. During the course of my studies I got to know many techniques applicable to the Microsoft system, but I realise that further development of my practical and theoretical knowledge is required to become a good and effective investigator. I believe that extensive research of the platform can give me 'an edge' when applying for employment after graduation. This is why I treat this research very seriously and hope that it could open doors for me upon successful completion of the project.

1.2. Deliverables

The following quote comes from the research proposal and lists the deliverables:

“When the research is finished the following deliverables are expected:

- Review of the changes that have an impact on the forensic analysis.
- Comparison to the previous Windows systems analysis process.
- Identification of the new sources of evidence, if such exist.
- Review and validation of the old, known evidence sources.
- Evaluation of the tools with regard to the new system.
- Draft of the forensic analysis procedure of the Windows 7 (not a key requirement).”

The research aims to deliver several objectives, all centred on the forensic analysis of Windows 7. The first is a review of the changes and new features that could potentially affect an examination. This is partly a theoretical study of the new features, to highlight the forensically significant ones, and partly a practical one, in which the features are examined on an actual PC running Windows 7.

1.3. Project constraints

The research focuses on Windows 7, which is not yet a finished product. This provides a strong argument for undertaking the study, because it ensures novelty, but it also introduces the risk that the final product will differ substantially from the version examined and so invalidate the results. However, the version examined (the Release Candidate) is thought to be very close to the final version, with only minor cosmetic changes rather than changes in core functionality and features, so this should not affect the results.

To improve the relevance of the research it would be desirable to wait until the final version is publicly available. However, since the deadline for the research is nearly two months before the official release, that is infeasible.

Because there is very little information on the topic, finding new sources of evidence is difficult. An operating system is highly complex, so it is nearly impossible to identify all changes by manual exploration or uninformed search. Structures like the Windows Registry are enormously complex, and it would be impractical to crawl through every registry key looking for evidence. This problem is addressed by an informed search that limits the data set to the most likely candidates: rather than analysing all new features, only those that could plausibly store evidence are analysed, keeping a balance between accurate results and effective use of time. In addition, attempts will be made to contact experts in Windows forensics, including Microsoft staff.

Another constraint that may affect one of the deliverables is the availability of forensic software. Forensic packages such as EnCase tend to be very expensive. Moreover, many vendors do not publish evaluation versions; while this may stop the 'warez' community from reverse engineering them or devising anti-forensic techniques, it also makes it very difficult to accumulate a collection of software for evaluating its behaviour on a new version of the operating system. While the majority of investigators work with integrated forensic packages such as EnCase, FTK or X-Ways Forensics, there are also free alternatives. Fortunately, a selection of tools from the wide range of freeware and open source software can easily be assessed.

As with many projects, the time limit is a crucial constraint that effectively shapes the whole research, so effective time management is essential to bring the research to a successful conclusion. Regular meetings with the supervisor ought to help keep progress on track.

1.4. This Document

This paper was written as a dissertation for the MSc Forensic Informatics course at the University of Strathclyde. The project was guided by the Lothian and Borders Police department.


As required by the departmental guidelines, the font size is 12. However, 1.15 line spacing was used in order to reduce paper wastage, as agreed with the supervisor.

References follow the Harvard (Leeds) style, following the patterns outlined in the Postgraduate Handbook. A plug-in for Microsoft Office Word 2007 is used to keep referencing consistent (CODEPLEX, MICROSOFT, 2009).


2. Background Research

At the time of writing, Windows 7 has not yet been released to the public. As mentioned before, the release of any new version of Windows generates a lot of discussion. Windows 7 has already made headlines, but they mostly focus on the usability of the system, its performance, compatibility or pricing. Many information technology web portals and magazines have published a wide variety of articles and tutorials on the new features of Windows 7; one example is the Ars Technica article on its graphical user interface (BRIGHT, P, 2008). In addition, many independent websites dedicated exclusively to the new Windows, such as windows7news.com, are appearing.

Microsoft is actively working on expanding its knowledge base available through Microsoft TechNet Library website (MICROSOFT), where IT professionals can find useful resources about Microsoft products. This portal contains, among others, articles on BitLocker, AppLocker or Security Enhancements of Windows 7. This knowledge base is oriented mainly towards developers or security specialists.

There is, however, very little information available on the new OS from the forensic point of view. All of the existing sources are limited to individual posts on forensic community forums or blogs. No articles are published on the subject and the gap has not been filled by Microsoft. According to an anonymous source, the Redmond based company delivers closed seminars for Law Enforcement agencies, which are not disclosed to the public. Some of these materials were made available, with permission, for the purpose of this research.

One of the most popular forums with a strong forensic community is forensicfocus.com. So far there have been only a few discussions involving the new Windows. For instance, user oasol reported the first case based on Windows 7 (OASOL, 2009), whereas user jenskr reported that some of the major forensic packages are compatible with the 32 bit version of Windows 7 (JENSKR, 2009). In order to learn more details about the new OS in the context of forensics a forum thread was created and, although it had a large number of views, very little response was noted. User MMachor reported that Windows 7 “is really from a forensic aspect very similar to Vista” and suggested that the Recycle Bin, Prefetch and some other areas examined by him have not changed (MMAHOR, 2009), but he does not go into greater detail.

The blog run by Harlan Carvey (user keydet89), the author of many forensic publications including the Windows Forensic Analysis book, provides details of certain aspects of Windows 7 forensics (CARVEY, Harlan, 2009). He suggests that usability features like Jump Lists are “going to be a gold mine for an analyst”. This view is shared by other testers too; they believe that it can provide information similar to Most Recently Used registry keys. Carvey also confirmed compatibility of his own tool RegRipper (CARVEY, Harlan and Shavers, Brett, 2009), designed to extract forensic data from registry hives, and upon loading registry keys from Windows 7 he was able to view evidence data as expected. Due to the tool’s component build some plug-ins responded better than others to the changes in the new system. Analysis of unsuccessful extractions of data can help to determine differences between the new OS and its predecessors. Carvey also announced, shortly after the presentation of the second edition of his book, that the third edition would include forensic analysis of the new Microsoft OS incarnation.

An article from Didier Stevens’ blog reported that the UserAssist key in the registry, which holds shortcuts to the most frequently used applications displayed in the Windows start menu, is obscured with a Vigenère cipher rather than the ROT-13 used in previous versions (STEVENS, Didier, 2009). It was first found on the Beta version of Windows 7; however, it was then reverted back to ROT-13 in the RC version. Former Microsoft developer Steve Riley claims that it was used by their team in order to more easily identify changes after a system upgrade, that it was only introduced for development purposes and therefore did not need to be carried forward to the final version. Later research showed that the cipher was indeed changed back to ROT-13 in the RC version.

Although, as shown above, some information with regard to forensics and Windows 7 is available, it is still very sparse and incomplete; there is an obvious lack of one integrated source of information that could form an early reference for examiners. Blogs can be a very knowledgeable source; however, it is not easy to find all the available information when it is spread over many different sites.

Because of the lack of information on Windows 7, reference sources about Vista were analysed in order to help with verifying new features in the updated system. These can help to make an ‘informed’ analysis of the new system. If some features were newly introduced in the previous system they are likely to be changed or improved upon, and this could potentially create new sources of evidence.

After Windows Vista was released back in January 2007 many examiners wondered how it was going to affect the forensic analysis process. It was not long before the first articles were published. One of the first was “Notes on Vista Forensics” part One and Two by Jamie Morris, founder of Forensic Focus (MORRIS, Jamie, 2007), posted a little over a month after release. It provided “a high level look at what we know now about those changes in Vista which seem likely to have most impact on computer forensic investigators” (MORRIS, Jamie, 2007).


Lecturers from Cranfield University published a paper called “Potential Impacts of Windows Vista on Digital Investigations”, which follows a similar approach but goes into greater detail (HARGREAVES, C and Chivers, H, 2007). It analyses new features and system changes from the forensic perspective.

Another interesting paper was presented at the Computer and Enterprise Investigation Conference 2007 (CEIC) (MUELLER, Lance, 2007) by Lance Mueller from Guidance Software (GUIDANCE SOFTWARE INC., 2009), the company that created EnCase. The author undertook a detailed examination of changes introduced in Vista, e.g. the NTFS file system update.

1. Windows 7 Development versions

When Microsoft released Vista in January 2007, Windows XP had been on the market since October 2001, which means that its lifespan was over five and a half years. The new system did not have a good start, with numerous ‘Vista Issues’ including mainly performance and compatibility problems. This resulted in the relatively low popularity of Vista. Microsoft decided to shorten the life of Vista to just two and a half years in favour of the new version. Obviously, Vista is still going to be supported by Microsoft; however, the main development is dedicated to Windows 7. Close to the date of finishing Windows 7, Microsoft released Service Pack 2 for Vista to help bring it up to date, especially in the light of Windows 7. The newest OS has been well received by testers and is expected to have a much better start based on early pre-order sales figures. According to the BBC: “Amazon said that sales of Windows 7 in the first eight hours it was available outstripped those of Windows Vista's entire 17 week pre-order period” (BBC NEWS UK, 2009).

Microsoft released the first build of Windows 7 to the public on the 9th of January 2009. Build 7000 was a Beta release signifying an early development stage; however, it provided the first insights into the feature sets available in the final version. Some of the big changes were discarded, like a new file system replacing NTFS, which would have had an enormous effect on forensics in general and file recovery in particular. It became a very popular download and many IT savvy people tried it, including some forensic examiners like Harlan Carvey, author of the previously referenced blog posts. The reception it received was much better in comparison to Vista. However, it was a popular belief that the new system did not carry many changes; that it was just an improved Vista. This view was reinforced when Steve Ballmer, Microsoft’s CEO, said: “Windows 7 will be more like Windows Vista, but a lot better!” (PARRISH, Kevin, 2008). On the 5th of May 2009 Microsoft made the Release Candidate (RC) public. Version 7100 addressed feedback from testers and GUI improvements, but feature changes were minor (MSDN BLOG, 2009).


Since the first announcement about Windows 7, Microsoft has moved the expected release date numerous times and some had suggested it might be as late as mid 2010. However, as development versions progressed, it seemed as if the final date would be much earlier. On the 2nd of June 2009, Brandon LeBlanc wrote on the Windows Blog and confirmed that the General Availability date is the 22nd of October 2009 (LEBLANC, Brandon, 2009), although developers and OEM manufacturers were meant to be getting the final version sooner.

A few weeks later, on 24.07.2009, Windows 7 was finally signed off by the internal testing group, which meant that it met quality control and reached Release To Manufacturing (RTM) status (LEBLANC, Brandon, 2009). At this point build 7600 was released to OEM manufacturers for deployment purposes.

2. Windows 7 final editions

As with Vista, Windows 7 comes in a wide variety of editions. However, the line up has changed slightly. Six different versions are available, with varying feature sets. Emil Protalinski from Ars Technica (PROTALINSKI, Emil, 2009) compared them:

Windows 7 Starter (worldwide via OEM only): up to three concurrent applications, ability to join a Home Group, improved taskbar and JumpLists

Windows 7 Home Basic (emerging markets): unlimited applications, live thumbnail previews and enhanced visual experience, advanced networking support

Windows 7 Home Premium (worldwide): Aero Glass and advanced windows navigation, improved media format support, enhancements to Windows Media Center and media streaming, including Play To, multi-touch and improved handwriting recognition

Windows 7 Professional (worldwide): ability to join a managed network with Domain Join, data protection with advanced network backup and Encrypting File System, and print to the right printer at home or work with Location Aware Printing

Windows 7 Ultimate (worldwide): BitLocker data protection on internal and external drives, DirectAccess for seamless connectivity to corporate networks based on Windows Server 2008 R2, BranchCache support when on networks based on Windows Server 2008 R2, and lock unauthorized software from running with AppLocker

Windows 7 Enterprise (volume licenses): same as Ultimate, includes the following improvements: DirectAccess, BranchCache, Search, BitLocker, AppLocker, Virtualization Enhancements, Management, as well as Compatibility and Deployment.

Table 1 Windows 7 Editions comparison (PROTALINSKI, Emil, 2009)


To sum up: Starter is designed for low spec hardware – Netbooks – with heavily limited features. Home Basic edition is only for emerging markets, whereas Home Premium, Professional and Ultimate are mainstream editions available for retail sale. Enterprise is available only via Volume Licenses. Upgrading will only be available to mainstream editions. As with Vista, one installation disk can support all editions; the type of licence is determined on the basis of the Product Key.

Due to the European Commission decision that Microsoft had violated European competition law by offering the Internet Explorer (IE) browser as the default browser, the company decided to remove IE from the European version of Windows 7 (CLARKE, Gavin, 2009). As a result the special version called ‘Windows 7 E’ would not allow upgrades, making the cost of the new Windows higher as only the full version would be sold. The issue was eventually resolved by introducing the ‘Web Browser Ballot’ screen allowing for the choice of an alternative browser (FIVEASH, Kelly, 2009).

For a detailed comparison of the Windows 7 editions please see Appendix A.


3. Internet Explorer 8

Internet Explorer 8 (IE8) is the newest Web Browser developed by Microsoft as the default browser for Windows. It is bundled with Windows 7 but it is also offered as a recommended update for IE7 on Vista or XP. Therefore some investigators may have already experienced examination of the new version. However, it is important to note that there are substantial differences between releases for different platforms, XP in particular, due to improvements in privilege management on newer platforms. The newest release claims significant security enhancements such as Click-Jacking prevention or Cross Site Scripting filters.

3.1. InPrivate – Stealth Browsing

Microsoft followed other browser makers, for instance Safari, and introduced a stealth mode in the newest version. The InPrivate feature allows browsing the internet without leaving traces on the local machine. Certainly it has an impact on forensic analysis of the new browser, as an investigator has very little, if any, chance of reconstructing a suspect’s online activity. By default when the user starts the browser, the standard mode is launched and user activity is recorded in the normal manner; it is when the user enables InPrivate browsing (Safety > InPrivate Browsing) that the stealth mode is launched in another window. The behaviour of the browser changes only for the InPrivate session, thus if the user had a standard window open its history would be stored as normal, whereas the activity within the stealth mode window would be discarded. According to the IE Microsoft Blog (ZEIGLER, Andy, 2008) InPrivate Browsing changes the behaviour in the following way:

New cookies are not stored
 o All new cookies become “session” cookies
 o Existing cookies can still be read
 o The new DOM storage feature behaves the same way
New history entries will not be recorded
New temporary Internet files will be deleted after the Private Browsing window is closed
Form data is not stored
Passwords are not stored
Addresses typed into the address bar are not stored
Queries entered into the search box are not stored
Visited links will not be stored

Table 2. Behaviour of the Internet Explorer 8 InPrivate mode (ZEIGLER, Andy, 2008).

Analysis showed that the wording of the above list (Table 2) is crucial because it means that only new history entries are not recorded. All other artefacts, such as the Cache, are recorded but deleted when the InPrivate window is closed. This opens a possibility for those files to be recovered by specialist data recovery tools. An alternative explanation (Table 3) of the browser behaviour in the InPrivate mode comes from the Internet Explorer Help.

Information: How it is affected by InPrivate Browsing
Cookies: Kept in memory so pages work correctly, but cleared when you close the browser.
Temporary Internet files: Stored on disk so pages work correctly, but deleted when you close the browser.
Webpage history: This information is not stored.
Form data and passwords: This information is not stored.
Anti-phishing cache: Temporary information is encrypted and stored so pages work correctly.
Address bar and search AutoComplete: This information is not stored.
Automatic Crash Restore (ACR): ACR can restore when a tab crashes in a session, but if the whole window crashes, data is deleted and the window cannot be restored.
Document Object Model (DOM) storage: The DOM storage is a kind of "super cookie" web developers can use to retain information. Like regular cookies, they are not kept after the window is closed.

Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer Help

When privacy mode was first announced in 2008 it soon became unfavourably known as ‘porn mode’, as it was believed to cover all browsing tracks. It produces mixed feelings in the system administrators’ community since it could create an opportunity for employees to abuse online access. Some argued that it should be disabled (AARON, 2009), which can be done by setting up a Group Policy.

According to Microsoft the InPrivate functionality is designed to stop casual computer users from “gaining access to the browsing history”. The IE team suggest that it should be possible to retrieve the online activity: “The feature isn’t designed to protect a user from security experts or forensic researchers” (SHARP, John, 2008).

Shortly after the Beta version was released it was examined by investigators from the FoxIT forensic firm, who found that it was possible to determine visited websites (SHARP, John, 2008). Christian Prickaerts claims that the feature is “mainly cosmetic” and that: “For a forensic investigator, retrieving the browsing history should be regarded as peanuts. The remaining records in the history file still enable me to deduce which websites have been visited” (SHARP, John, 2008). It is important to emphasise that the tests were undertaken on the Beta version and unfortunately the method used by the researchers was not disclosed.

Furthermore, the Delete Browsing History window (Safety > Delete Browsing History > Preserve Favorites website data) now provides an option to preserve tracking data for websites marked as Favourites. Essentially, if a user added msn.com to Favourites then Temporary Internet files and cookies would be preserved even though the other history data has been deleted using IE8.

To complement Microsoft’s care for user’s privacy, the InPrivate Filtering feature was developed (ZEIGLER, Andy, 2008). If enabled by the user, it informs him about tracking attempts by third party websites and allows blocking such attempts. The user can specify his own list of blocked sites or use a list predefined by Microsoft.

3.2. Suggested Sites

The new Suggested Sites feature aims to deliver website recommendations based on other users’ online activity. If the user opts in to use this feature, his history is analysed and sent to Microsoft servers where, stripped of identification data, it contributes to the suggestions database. The most commonly visited websites in the user’s category would then be recommended to him by the system. It is important to note that no information is collected while an InPrivate session is enabled.

The Suggested Sites capability has its own binary file called SuggestedSites.dat that is stored in the C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\ folder. The file is created automatically when the user opts in to use the feature and its default size is 5,121 KB, regardless of the contents. Its structure is different to the index.dat, therefore it cannot be parsed by the Pasco tool (JONES, Keith, 2003). Microsoft did not publish any documentation of this particular format. When loaded into a Hex editor a certain pattern can be seen.

Figure 1. Contents of the SuggestedSites.dat file, viewed in Hex editor. Visited URLs are underlined in blue and Referrer URLs are highlighted in yellow.

Figure 1 presents the contents of the file, where each of the new entries is marked by a marker character and followed by a visited URL, here underlined in blue. Next is the page name as it appears on the top bar of the browser and finally there is the Referrer URL, highlighted in yellow.

The rest of the data is currently not recognized. The header of the file is also different to index.dat files. It contains unidentified data, followed by the Internet Explorer version at the 0x60 offset, as can be seen in Figure 2.

Figure 2. Contents of the SuggestedSites.dat file with visible header underlined in red and IE Browser version highlighted in yellow.

According to the details of the Suggested Sites functionality, the above file does not record history during HTTPS sessions or in InPrivate mode. Additionally, in order to provide the user with control, the functionality is designed to delete the particular history entries if the user decided to delete the record from the browser history. In a forensic examination, analysing data in a history index.dat file should take priority since it provides more information. However, in a scenario where the user deleted the history using third party software rather than the built in method, there is a high possibility that the SuggestedSites.dat file was left. Currently it is the latest version of CCleaner (PIRIFORM LTD, 2009) that is capable of removing the file on a live system, since the file is protected by the OS.

3.3. Session Recovery

Microsoft boasts great improvements in the stability of the new browser. Developers spent a lot of effort on improving reliability, thus new technologies like for instance Automatic Tab Crash Recovery were introduced. It is designed to isolate a single tab that crashed from the rest, so that the other tabs are not affected. However, in order to implement this feature developers had to introduce a monitoring mechanism that records the current and previous browsing sessions. These are stored in the following folders:

Windows 7, Vista:
C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active

Windows XP:
C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active
C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active

The Active folder stores current session data, whereas Last Active folder keeps previous browsing session data. Once a current session is closed, the contents of the Active folder are moved to the Last Active directory, thus overwriting the previously stored session. Deleting the browser history also causes removal of the folder contents.

The session data is recorded even in InPrivate mode; however, once a window is closed the contents of the Active folder are automatically deleted. In fact they are deleted only if the iexplore.exe process terminates successfully. If the whole application or the whole system crashes, the contents of the Active folder are not deleted. This could create an opportunity for forensic examiners to recover details of an InPrivate session which would otherwise be difficult to obtain. Applications of this method are mostly limited to the scenario where the suspect was caught in ‘action’ and the officer at the scene simply pulled the power plug.

Each of the folders contains two types of files: RecoveryStore.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.dat and {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.dat, which are created on-the-fly whenever IE8 is used. The first type is used as a manager for the other files; one instance is created for each of the browsing modes – normal and InPrivate, regardless of the number of windows opened. The latter type represents a single Tab and is created whenever a new one is opened. Figure 3 presents the Active folder; in this case two modes are used, normal and InPrivate, because two RecoveryStore files exist. On top of that multiple tabs are open. Please note that although the screenshot was taken from Windows XP the browser behaviour in this case is the same as in Windows 7.

Figure 3. Contents of the Active folder. In this example normal and InPrivate modes are used and have multiple tabs open. Note: this screenshot comes from Windows XP.


The file names are Globally Unique Identifiers (GUID) generated randomly by Windows. It is important to note that once file names are generated they remain the same regardless of the contents. Therefore if a suspect used a single browser window with a single tab for many websites, the contents of the file will change but the file name will persist.

Because the files are in a binary format, they have to be analysed with a hex editor. The RecoveryStore files do not seem to contain any comprehensible data; it is the tab files that bring more information when analysed. Figure 4 shows an example where a website URL and its name are stored in the file.

Figure 4. Contents of an example tab file. URL is highlighted in grey and page name is in yellow.

However, the structure of the tab files can be very complex since the same file is used for as long as the corresponding tab is open. Therefore, if the user was only using one tab for many different sites, all browsing history would be stored in a single file. It can be confusing as different sites seem to be nested in one another using some unknown data structures. The order in which the URLs appear varies and may seem chaotic. Nevertheless, in all tested examples the first URL in a file was always the most recent URL.

In addition tab files can also store page specific content such as HTML, JavaScript or XML. These are stored after the tab history, in the second part of the file. As a result a tab file can increase in size substantially from the initial 5KB of an empty tab.
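As an added example (not code from the dissertation), the following Python carves URL strings out of the two undocumented binary stores described above, SuggestedSites.dat and the Recovery tab files, classifies Recovery file names by the GUID patterns given in the text, and reads the string at offset 0x60 of SuggestedSites.dat. The sample bytes are constructed and do not reproduce Microsoft’s real layout; looking for UTF-16LE as well as ASCII strings is an assumption of this example, not something the text states.

```python
"""Carving URLs from IE8's undocumented binary stores.

Added example, not code from the dissertation. It covers the two binary
artefacts the text describes: SuggestedSites.dat (IE version string at
offset 0x60, then entries of visited URL / page name / referrer) and the
tab files under Internet Explorer\\Recovery\\Active and \\Last Active, where
the text observed that the first URL in a file is the most recent one.
The sample bytes are constructed for the demonstration and do not reproduce
Microsoft's real layout; looking for UTF-16LE as well as ASCII is an
assumption, not something the text states.
"""
import re

# http(s) URLs in ASCII and in UTF-16LE; the character class excludes NUL
# and control bytes, so a terminator ends the match in both encodings.
ASCII_URL_RE = re.compile(rb'https?://[\x21-\x7e]{4,}')
UTF16_URL_RE = re.compile(
    rb'h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}')

# File-name shapes of the Recovery folders as given in the text:
# RecoveryStore.{GUID}.dat (one per browsing mode) and {GUID}.dat (one per tab).
_GUID = r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
RECOVERY_STORE_RE = re.compile(r'^RecoveryStore\.' + _GUID + r'\.dat$')
TAB_FILE_RE = re.compile(r'^' + _GUID + r'\.dat$')


def classify_recovery_file(name):
    """'store' for a RecoveryStore manager file, 'tab' for a tab file, else 'other'."""
    if RECOVERY_STORE_RE.match(name):
        return 'store'
    if TAB_FILE_RE.match(name):
        return 'tab'
    return 'other'


def recovery_folder_summary(names):
    """Count the file kinds; the text notes that two store files mean both
    normal and InPrivate mode were in use, so that count is reported too."""
    summary = {'store': 0, 'tab': 0, 'other': 0}
    for name in names:
        summary[classify_recovery_file(name)] += 1
    summary['modes_in_use'] = summary['store']
    return summary


def carve_urls(data):
    """Return [(offset, encoding, url), ...] for every URL found, in file order."""
    hits = [(m.start(), 'ascii', m.group().decode('ascii'))
            for m in ASCII_URL_RE.finditer(data)]
    hits += [(m.start(), 'utf-16-le', m.group().decode('utf-16-le'))
             for m in UTF16_URL_RE.finditer(data)]
    return sorted(hits)


def most_recent_tab_url(data):
    """Per the observation in the text, the first URL in a tab file is the latest."""
    hits = carve_urls(data)
    return hits[0][2] if hits else None


def ie_version_at_0x60(data):
    """Read the printable string at offset 0x60, where the text places the IE
    version in the SuggestedSites.dat header (ASCII or UTF-16LE)."""
    if len(data) <= 0x61:
        return None
    if data[0x61] == 0:   # second byte NUL: treat as UTF-16LE text
        m = re.match(rb'(?:[\x20-\x7e]\x00)+', data[0x60:])
        return m.group().decode('utf-16-le') if m else None
    m = re.match(rb'[\x20-\x7e]+', data[0x60:])
    return m.group().decode('ascii') if m else None


# Constructed sample data (not real IE output): a tab file whose latest URL is
# stored as UTF-16LE, followed by page name, filler and an older ASCII URL.
SAMPLE_TAB = (b'\x00' * 16
              + 'http://example.org/latest'.encode('utf-16-le') + b'\x00\x00'
              + 'Latest page'.encode('utf-16-le') + b'\x00\x00'
              + b'\x01\x02'
              + b'http://example.org/earlier\x00'
              + b'<html>')

# Constructed SuggestedSites.dat: version string at 0x60, then one entry of
# marker byte, visited URL, page name and referrer URL, each NUL terminated.
SAMPLE_SUGGESTED = (b'\x00' * 0x60
                    + b'8.0.0000.0000\x00'
                    + b'\x01http://example.net/page\x00'
                    + b'Example Page\x00'
                    + b'http://ref.example.com/\x00')

if __name__ == '__main__':
    print('IE version:', ie_version_at_0x60(SAMPLE_SUGGESTED))
    for off, enc, url in carve_urls(SAMPLE_SUGGESTED):
        print(f'SuggestedSites.dat 0x{off:04x} {enc:9} {url}')
    print('Most recent tab URL:', most_recent_tab_url(SAMPLE_TAB))
    print(recovery_folder_summary([
        'RecoveryStore.{0F3C8A2E-1111-2222-3333-444455556666}.dat',
        '{AB12CD34-1111-2222-3333-444455556666}.dat']))
```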

3.4. Index.dat files

Changes made to IE8, in comparison to IE7, mostly focused on adding new features rather than on redesigning the whole structure. Therefore backward compatibility is maintained. This has a positive impact on forensic analysis because it allows the examiner to apply familiar techniques and tools in order to retrieve valuable information.

As in previous versions the index.dat file is used as a store for all web related data, such as cache, history or cookies. Each of these artefacts – containers – has its own folder and an index.dat file within it. IE7 on Vista introduced Protected Mode, a limited privilege mode for browsing the internet, for increased security. As a result, within each of the containers a new folder called Low exists which holds the Protected Mode sub-container. Additionally, when Internet Explorer is in Protected Mode all add-ons are installed in a Virtualized location and a Virtualized registry key:

Virtualized Location:
C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized

Virtualized registry key:
HKCU\Software\Microsoft\Internet Explorer\Internet Registry

Containers are spread around the user’s profile application data and their locations are consistent with previous versions:

Cache: Container for storing cacheable web content like images, pages, scripts. Every entry has a source URL and the name of the file in the Content.IE5 folder. Files are stored until the expiry date is reached.
C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

Visited Links: Stores clicked URL links and AutoComplete data, used to highlight visited links.
C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

History: History container for a specific time frame between start date and end date.
C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist01<startdate><enddate>\index.dat

Cookie: Container for mapping individual Cookie files to their associated URLs with additional metadata.
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

RSS Feeds Cache: Stores a record of RSS feeds added by the user.
C:\Users\<username>\AppData\Local\Microsoft\Feeds Cache\index.dat

Due to the fact that the format of the index.dat files has not changed, examiners can use existing tools to analyse the user’s web activity, for instance Pasco by Keith Jones (JONES, Keith, 2003). It parses the binary file and exports a tab delimited text file. Figure 5 shows the parsed contents of an IE8 Cache.

Figure 5. index.dat file parsed with Pasco and imported by Excel

Paths to the individual containers (PERNICK, Ari, 2006) remained unchanged, therefore a lot of current forensic tools should work correctly with the new IE version. Examples, apart from Pasco, are the NirSoft applications (SOFER, Nir, 2009). They manage to successfully retrieve cache files, history or even certain passwords. However, as in Vista, most of the tools should be run ‘as Administrator’ in order to overcome privilege limitations.


4. Folder Structure

With the release of Windows Vista the Documents and Settings folder was discarded and the user profile was moved to the Users folder using the Known Folder Id system. Although this did not affect program functionality, thanks to Reparse Points, it required time for users to feel comfortable with it.

In Windows 7 there are no such differences in the physical directory structure. However, there are differences in the logical layout. Microsoft introduced the Library functionality, which allows users to have all their files in one logical location while the actual files are distributed all over the PC or even the network. The idea is similar to an audio playlist and a collection of mp3 files.

The introduction of Libraries allowed for more advanced search capabilities, called Federated Search. In addition, Microsoft brought back the old naming scheme in the format of e.g. ‘My Documents’.

4.1. Libraries

The default Libraries are Documents, Music, Pictures and Videos; however, the user can add his own. One of the main requirements is that a folder added to a Library has to be indexed, as this allows for fast searching of its contents.

Fortunately, since the new scheme affects how third-party programs handle, for example, the ‘Save file as’ dialog box, Microsoft documented the Libraries feature in detail (KIRIATY, Yochay and Fliess, Alon, 2009).

The individual library files are named in the following format: <libraryname>.library-ms, for example Music.library-ms, and are stored in the following folder:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Libraries\

Files are stored in XML, hence their structure is clear: after the initial header tags, every folder that is included in the library is wrapped in the following code:

<searchConnectorDescriptionList>
  <searchConnectorDescription publisher="Microsoft" product="Windows">
    <description>@shell32.dll,-34577</description>
    <isDefaultSaveLocation>true</isDefaultSaveLocation>
    <isSupported>true</isSupported>
    <simpleLocation>
      <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      <serialized>MBAAAE….</serialized>
    </simpleLocation>
  </searchConnectorDescription>

From the forensic point of view, the most important field is the <url>, as it shows the path to the folder included in the library. In this case it is one of the known folders, e.g. Downloads. Figure 6 shows the contents of the .library-ms file, where the path to a winhex folder added by the user is highlighted in grey.

Figure 6. XML code in a library-ms file. The included folder path is highlighted in grey

Once the feature becomes commonly used by end users, this could prove to be a valuable source of information about the user’s setup and where important files are being kept. Microsoft believes that Libraries could be a structure for all user files, the advantage being that the user can add folders from all locally available resources, such as an external hard drive, HomeGroup or a network. The examiner could then easily find important storage devices and locations which were used, and include them in the investigation.

Additionally, because indexing is a prerequisite for a folder to be part of a Library, indexed locations can be investigated in order to find user-specified places. They are recorded in the Registry in the following key:

HKLM\SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules

4.2. Windows Search and Federated Search

Windows Search 4.0 was introduced as an update for Vista; however, the introduction of Libraries extended the applications of the search engine. Arrangement View allows the user to customise the view of library contents based on metadata; for example, in the Pictures Library the ‘by Year’ view would organise all photos in stacks for different years. Another feature, called Search Filter Suggestions, allows the user to select a predefined metadata filter and a value in order to view files matching that criteria. Therefore, if the user

wants to find music files of a specific genre, he can either select the ‘genre:’ filter or type it in; possible genre types would then be suggested for him to select.

Search functionality can be extended even further with Federated Search. It allows sending queries to external data sources, such as databases or web content, as long as they support OpenSearch technology. In practice, the user can simply download a Search Connector file (*.osdx) and then query the contents of the website, all via Windows Explorer. Such configuration files exist for popular websites such as YouTube or Flickr (DMEX, 2008). When the user downloads and runs the *.osdx setup file, a <domainsearchname>.searchconnector-ms file is created and stored in the <username>\Searches\ folder. The contents of the file are stored in XML format; the most interesting field, from the forensic perspective, is the <domain>, where the domain of the host is recorded, as seen in Figure 7.

Figure 7. Contents of a Search Connector configuration file. The domain search provider is highlighted in grey

Additionally, as in Vista, the user can save a specific search query if it is being reused. The Saved Search details are stored in a <searchname>.search-ms file, also in the same folder <username>\Searches\. The XML file has three significant fields:

<scope> - determines the locations to be searched, e.g. C:\Users
<kindList> - specifies what kind of file it is, e.g. email
<condition> - filters the results

These search techniques will most likely be used by advanced users; therefore examiners will probably rarely need to investigate these artefacts. However, if this method is used by a suspect it could add important information to the investigation.
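The field extraction described for .library-ms files in section 4.1 and for .searchconnector-ms and .search-ms files above can be automated. The following Python script is an added example, not code from the dissertation or from Microsoft: it reads the <url> entries of a library file, the <domain> of a search connector and the <scope>, <kindList> and <condition> fields of a saved search. The three sample documents are constructed for the example around the element names quoted on this page; the root element names, the library namespace and the <kind> and <include> child elements are assumptions, and the Known Folder ID mapping is taken from Microsoft's KNOWNFOLDERID list.

```python
import xml.etree.ElementTree as ET

# Known Folder ID quoted in the library fragment on this page; the name
# comes from Microsoft's KNOWNFOLDERID list.
KNOWN_FOLDERS = {
    "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}": "Documents (FOLDERID_Documents)",
}

# Constructed sample .library-ms (root element and namespace are assumed).
SAMPLE_LIBRARY = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription publisher="Microsoft" product="Windows">
      <description>@shell32.dll,-34577</description>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>true</isSupported>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
        <serialized>MBAAAE</serialized>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>C:\\winhex</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed sample .searchconnector-ms (the host is a placeholder).
SAMPLE_CONNECTOR = """<searchConnectorDescription>
  <description>Constructed video site connector</description>
  <domain>http://www.example.com</domain>
  <simpleLocation>
    <url>http://www.example.com/search?q={searchTerms}</url>
  </simpleLocation>
</searchConnectorDescription>"""

# Constructed sample .search-ms (root element and child elements assumed).
SAMPLE_SEARCH = """<persistedQuery version="1.0">
  <query>
    <scope><include path="C:\\Users"/></scope>
    <kindList><kind name="email"/></kindList>
    <condition type="leafCondition" property="System.Size" operator="gt" value="1048576"/>
  </query>
</persistedQuery>"""


def _local(tag):
    """Strip a namespace prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """All elements (root included) whose local name is `name`, in document order."""
    return [el for el in root.iter() if _local(el.tag) == name]


def library_locations(xml_text):
    """Return [(url, resolved)] for every folder a .library-ms file includes.

    knownfolder: URLs are resolved through KNOWN_FOLDERS; any other URL is
    reported as the path it names.
    """
    out = []
    for desc in _find_all(ET.fromstring(xml_text), "searchConnectorDescription"):
        urls = [u for u in _find_all(desc, "url") if u.text and u.text.strip()]
        if not urls:
            continue
        url = urls[0].text.strip()
        if url.lower().startswith("knownfolder:"):
            guid = url.split(":", 1)[1].upper()
            resolved = KNOWN_FOLDERS.get(guid, "unmapped known folder " + guid)
        else:
            resolved = url
        out.append((url, resolved))
    return out


def search_connector_domain(xml_text):
    """Return the <domain> of a .searchconnector-ms file, or None if absent."""
    for el in _find_all(ET.fromstring(xml_text), "domain"):
        if el.text and el.text.strip():
            return el.text.strip()
    return None


def saved_search_fields(xml_text):
    """Return the raw XML of the <scope>, <kindList> and <condition> fields."""
    root = ET.fromstring(xml_text)
    return {
        name: [ET.tostring(el, encoding="unicode").strip() for el in _find_all(root, name)]
        for name in ("scope", "kindList", "condition")
    }


if __name__ == "__main__":
    for url, resolved in library_locations(SAMPLE_LIBRARY):
        print("library folder:", url, "->", resolved)
    print("connector domain:", search_connector_domain(SAMPLE_CONNECTOR))
    for name, values in saved_search_fields(SAMPLE_SEARCH).items():
        print(name + ":", values)
```

Matching on the local element name rather than the qualified name keeps the same code working whether or not a file carries the default namespace, which is the main practical snag when these files are fed to a generic XML parser.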

4.3. User folders

Windows 7 has the old, XP-style names for the default user folders, unlike Vista, which introduced a different layout of user profile files. As a result the Documents folder is by default named ‘My Documents’; other folders like Music, Pictures and Videos are also affected. When the folders were examined in WinHex, which shows the physical structure of files, it became clear that these folders are Reparse Points to the standard, Vista-style folders. A Reparse Point is an implementation of a junction on the NTFS file system, whereas junctions are logical links pointing to another folder at Operating System level. They are transparent; hence the user rarely notices a difference between an actual folder and a Reparse Point.

Since the actual locations of the folders are consistent with the layout known from Windows Vista, forensic examiner can simply examine already known folders within the C:\Users\<username>\ location.


5. New Taskbar and Jump List

One of the most prominent GUI features in Windows 7 is the new Taskbar and the integrated Jump List, designed as an interactive combination of quick launch shortcuts with taskbar buttons, plus application-specific common tasks. It allows the user to access the most frequent tasks, such as ‘Play next song’ in Windows Media Player, directly from the taskbar. Additionally, the user can also choose the most recent or frequent files handled by the application. This part of the functionality is significant to forensics, as it could provide new sources of evidence.

Since the Windows 7 Beta was released, this feature has been discussed, also in the forensics community. Harlan Carvey said: “from a forensic perspective, this "Jump List" thing is just going to be a gold mine for an analyst, much like RecentDocs and UserAssist keys have been since Windows 2000” (CARVEY, Harlan, 2009).

Microsoft encourages developers to make use of these new functionalities in their software, to further integrate applications with the Operating System. The company provides them with detailed documentation, video tutorials and walkthroughs on how to implement the new taskbar functionality. However, as with other features, little is known about how the features work or where the data is stored. After extended research on the Microsoft Developer Network, the following was found:

In addition to updating its list of recent documents, the Shell adds a shortcut to the user's Recent directory. The Windows 7 Taskbar uses that list and Recent directory to populate the list of recent items in the Jump Lists. (YOCHAYK, 2009)

Therefore, it is clear that the recent files displayed in the Jump List are the same as those in the <username>\Recent directory. This data is simply duplicated, only presented in a more approachable manner to the user.

Anytime you double click on a file type with a registered handler [application that supports the file type], before Windows launches your application it automatically calls SHAddToRecentDocs on your application's behalf. This inserts the item in the Windows Recent list and eventually into the Jump List Recent Category. (YOCHAYK, 2009)

The above fragment explains the mechanism by which items are added to the Windows Recent list and the Recent folder, which forms the basis for the Jump List recent items.

In addition to the recent and frequent lists, developers can add their own customised item list. This is the part that could make investigation of the Jump List worthwhile. Unless an application uses a customised item list, by default a Jump List would only contain items from

the Recent directory. In such a scenario, the investigator can much more easily navigate into the directory to view links to recently accessed documents or locations, rather than trying to find data artefacts in the system. However, the user can also ‘pin’ an item in order to permanently keep it in the Jump List; this would be recorded in the jump list data store but could be removed from the Recent directory.

The Jump List feature is enabled by default; however, the user can disable it from Control Panel > Taskbar and Start Menu, in the second tab called Start Menu, as seen in Figure 8.

The first option records recent applications displayed in the start menu and the second checkbox switches the Jump List functionality on or off. This is also the only way to clear the list: the user has to un-tick the box and click Apply, then if needed the function can be re-enabled, but with the emptied list. Pinned items remain in the list until removed by the user. Further customisation can be done by clicking the Customize button, where the user can, among other things, add the recent items to the start menu like in previous versions of Windows.

Figure 8. Start Menu properties window, which allows the user to disable the Jump List and customise the contents of the start menu.

From the forensics standpoint this feature can indeed become a valuable source of information, especially if the suspect deleted the contents of the <username>\Recent folder. Until very recently it was not known where the recent item data is stored. Some suggested that it might be in the registry, stored on a per-application basis; however, there was evidence that this was not the case (JODO3333, 2009). This lack of information from Microsoft has frustrated some of the beta testers. Later, one of the users from the forum suggested that the path to the files is:

C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Recent\automaticDestinations

This is in fact the correct path, as it was unofficially confirmed by Microsoft in their presentation for Law Enforcement only (MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009).


The Automatic Destinations folder contains the files responsible for the recent items on a Jump List. Every program that has items recorded in the list has its file stored in this directory. File names are in the format XXXXXXXXXXXXXXXX.automaticDestinations-ms, where the name is about 16 digits long and the extension is ‘automaticDestinations-ms’. When the Jump List feature is disabled, the contents of the folder are cleared. The user can still perform tasks available for the application; however, no recent files are stored. The files are binary and it is not easy to understand their contents, especially as some of them can get large and complex. The default number of recent items stored is 10, but it can be changed by the user. The order in which items are added to the list remains unclear. All file paths that are stored in the file are part of the application’s Jump List. Figure 9 shows sample contents of the Automatic Destinations folder and the clear text stored in a Jump List file; this particular file belongs to the Microsoft Paint application. The contents of the binary file seem chaotic; however, a forensic examiner should be able to determine the file paths recorded in the recent item list.

Figure 9. Contents of a Jump List recent items file viewed in a hex editor. The path to the recent 'cos.png' file is highlighted in grey. This particular file stores the recent items list for Microsoft Paint.

Numerous tests on different machines revealed that a naming pattern seems to exist: the file name represents a specific application and is fixed. As an example, the file 1b4dd67f29cb1962.automaticDestinations-ms is the store file for Windows Explorer. Analogously, some of the other common applications were identified, as seen in Table 4:

File name          Application
1b4dd67f29cb1962   Windows Explorer
918e0ecb43d17e23   Notepad
74d7f43c1561dc1e   Windows Media Player
99189dc15d887da6   Windows Disc Image Burner
adecfb853d77462a   Microsoft Word 2007
b3f13480c2785ae    Paint
5c450709f7ae4396   Firefox
9fda41b86ddcf1db   VLC player
23646679aaccfae0   Acrobat Reader 8.0

Table 4. File names and their respective application that store Jump List data

In order to identify the pattern, the files in the AutomaticDestinations folder were viewed in a hex editor and their contents were compared against the recent items in the Jump List. Once the type of program was known, it was cross-checked with files on different computers. This naming model was present on the 3 tested machines. However, because no documentation is available, it has not been possible to verify whether the pattern holds for every PC or installation.
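As an added example (not the dissertation's code), the script below does in Python what Figure 9 shows in a hex editor: it carves UTF-16LE drive-letter paths out of the bytes of an automaticDestinations-ms file and resolves the file name against Table 4. The binary blob is constructed for the example and is not a real Jump List file; the carving is string-based, so it recovers what is visible in clear text and does not parse the file structure.

```python
import re

# Table 4 of the dissertation: file-name prefix -> application.
TABLE4_APPS = {
    "1b4dd67f29cb1962": "Windows Explorer",
    "918e0ecb43d17e23": "Notepad",
    "74d7f43c1561dc1e": "Windows Media Player",
    "99189dc15d887da6": "Windows Disc Image Burner",
    "adecfb853d77462a": "Microsoft Word 2007",
    "b3f13480c2785ae": "Paint",
    "5c450709f7ae4396": "Firefox",
    "9fda41b86ddcf1db": "VLC player",
    "23646679aaccfae0": "Acrobat Reader 8.0",
}

# A Windows path in UTF-16LE: drive letter, ':', '\', then printable ASCII
# characters, each followed by a NUL byte. The run stops at the first
# non-printable or non-ASCII code unit, which is where clear text ends.
_UTF16_PATH = re.compile(rb"[A-Za-z]\x00:\x00\\\x00(?:[\x20-\x7e]\x00)+")


def carve_utf16le_paths(blob):
    """Return the distinct drive-letter paths found in blob, in file order."""
    seen = []
    for m in _UTF16_PATH.finditer(blob):
        path = m.group(0).decode("utf-16-le")
        if path not in seen:
            seen.append(path)
    return seen


def application_for(file_name):
    """Map an automaticDestinations-ms file name to its application via Table 4."""
    prefix = file_name.split(".", 1)[0].lower()
    return TABLE4_APPS.get(prefix)


def constructed_jumplist_blob():
    """Constructed blob: binary filler with two clear-text paths embedded.

    This is not a real Jump List file; it only reproduces the situation the
    page describes, readable paths surrounded by opaque bytes.
    """
    filler = bytes(range(256))
    paths = [r"C:\Users\examiner\Pictures\cos.png", r"D:\evidence\notes.txt"]
    blob = filler
    for p in paths:
        blob += p.encode("utf-16-le") + b"\x00\x00" + filler[:32]
    return blob


if __name__ == "__main__":
    blob = constructed_jumplist_blob()
    print("file 1b4dd67f29cb1962.automaticDestinations-ms belongs to:",
          application_for("1b4dd67f29cb1962.automaticDestinations-ms"))
    for path in carve_utf16le_paths(blob):
        print("carved path:", path)
```

Because the matcher stops at the first NUL-free byte pair, two paths stored back to back without a separator would be carved as one string; on a real file, checking each result against the Recent folder's .lnk targets is a quick sanity filter.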

When the Jump List feature is disabled, the contents of the folder are cleared. The user can still perform tasks available for the application; however, no recent files are stored. Additionally, it was noted that Windows Explorer’s recent items list behaves slightly differently from the rest. If the user navigates to, e.g., a readme.txt file and opens it, the handling application’s Jump List is updated, but so is Windows Explorer’s list. However, if the user navigates only to the folder but does not open any files, the Jump List does not record the path. This is presumably because no file was opened, no target was selected and the destination path was not confirmed.

Microsoft has also identified another folder with files responsible for the Jump List (MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009):

C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Recent\customDestinations

It stores files in a similar format, e.g. 74d7f43c1561dc1e.customDestinations. It is unclear what exactly these files contain, but it is believed that they allow applications to have their own custom ‘destinations’ or tasks. When examined, the files contain various tasks, for instance ‘Start InPrivate Browsing’, just like the Internet Explorer 8 task. This theory is in line with the description of Jump Lists (known in the development stage as Destination Lists) given by Microsoft:

The Destination List is automatically populated based on frequency and recency of use for file-based applications. Additionally, an application can define custom destinations, enabling it to monitor its own destination usage and their semantics. Applications can also define Tasks (actions within the application that users will find convenient to access directly, for example, composing an e-mail) to appear in their menus. (OIAGA, Marius, 2009)


According to this extract, the Automatic Destinations folder is designed to store frequent and recent items only, whereas the Custom Destinations folder holds application-specific destinations or tasks.

As a result, the forensic investigator should only be concerned with the AutomaticDestinations directory, as it records the user activity. As previously mentioned, this can be successful mainly if the user attempts to manually delete his Recent folder contents. In this case he would only delete the links stored in that directory, with the Destinations folders remaining due to being hidden and protected by the OS.


6. BitLocker

This section discusses the encryption software from Microsoft, bundled first in Windows Vista and now in Windows 7. The section is divided into two parts, Windows Vista BitLocker and Windows 7 BitLocker, each providing details of the identification and acquisition of an encrypted volume. Unlike the rest of this paper, this section discusses Vista functionality with the purpose of highlighting the subtle differences, but also the similarities, between the two. Because the core functionality of the Vista BitLocker remained the same, it would be impossible to discuss forensic analysis of Windows 7 without providing details of the previous version.

6.1.BitLocker in Windows Vista

6.1.1. Introduction

BitLocker Drive Encryption was first introduced in Windows Vista as an encryption feature mainly for portable computers. It was designed to protect the user’s data by encrypting the whole volume, making it practically impossible to decrypt without the password or recovery key. BitLocker was one of the most talked-about security features in Vista upon its release, although it was only available in the top-end editions, Enterprise and Ultimate.

Due to a number of high-profile cases, data loss is considered a serious issue: in 2007 alone HM Revenue and Customs (HMRC) lost 25 million records, and in 2008 the National Health Service (NHS) led the charts (585, 2009) (BBC NEWS, 2009). Taking this into account, Microsoft targeted the encryption feature at government and business users rather than mainstream consumers. Because of the attention this feature drew, it is documented extensively by Microsoft, although not all details are exposed. In addition, many independent research efforts were undertaken involving the BitLocker capability in Vista.

6.1.2. Authentication Methods

BitLocker can operate using five different authentication modes, depending on the hardware specification or the user’s preference:

TPM only: volume encryption key in the microcontroller
USB startup key: volume encryption key on the USB startup key
TPM + USB startup key: volume encryption key in the microcontroller and USB startup key
TPM + PIN: volume encryption key in the microcontroller + correct PIN is entered
TPM + USB startup key + PIN: volume encryption key in the microcontroller and USB startup key + correct PIN is entered

Microsoft developed BitLocker to work with the Trusted Platform Module (TPM) hardware chip (from version 1.2) built into a computer’s motherboard. This method sets BitLocker apart from typical encryption solutions. The encryption keys are stored on a protected volume and in the TPM chip. During the system boot-up process the integrity of the Operating System and hardware is verified, and on successful completion of the check the TPM microcontroller releases the encryption key to continue the system boot-up. If the protected volume is removed from the original system and connected to another PC, it may be impossible to access the data. Jesse Kornblum claims that: “Decrypting the data without the keys stored in the TPM is infeasible” (KORNBLUM, Jesse, 2009).

However, TPM modules are not commonly used, even now, two years after BitLocker for Vista was released. Therefore Microsoft provided other options: to decrypt the volume by entering a PIN number or by plugging in a USB startup flash drive containing the encryption key; a combination of the two methods is also possible. The USB-only method does not have any hardware requirements, therefore it can be used on any modern computer. The key stored on the USB flash drive is a 124-byte-long, hidden, read-only binary file with a name in the following format (GUID): xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.bek, where x is a hexadecimal digit (HARGREAVES, C and Chivers, H, 2007). The encryption method supported by BitLocker is AES, either 128 or 256 bit, with Diffuser; by default BitLocker is set to 128 bit with the Elephant Diffuser enabled (FERGUSON, Niels, 2006). As many forensic investigators know, this makes it practically impossible to crack with current computing power. If, for any reason, all methods are unavailable to a user, it is possible to decrypt the volume by entering the 48-digit recovery key (using the function keys), generated at the initial setup. More details of the authentication process are available in Microsoft’s documentation (MICROSOFT TECHNET LLIBRARY, 2009).

Apart from the TPM-capable motherboard, BitLocker also requires a System Volume partition formatted with the NTFS file system. Its size in Vista is a minimum of 1.46 GB and its assigned drive letter is S:. The partition is not encrypted and holds “files that are needed to load Windows after BIOS has booted the platform” (MICROSOFT TECHNET LLIBRARY, 2009).

6.1.3. BitLocker Identification

When a computer with BitLocker enabled is running, there are several ways to identify the encrypted volume, although Administrator rights are required for all of them (STEWART, Barrie, 2007). It should be noted that the investigator should initially check which edition of Vista is running, as only Enterprise and Ultimate have the BitLocker capability. Additionally, if a system does not have a 1.46 GB S: partition, BitLocker cannot be running on the system due to its requirements.

The most recommended way to check for the presence of BitLocker is via the Command Line Interface (CLI), using the manage-bde.wsf script.

Using a command line with administrative permissions, navigate to C:\Windows\System32\

Run the following command: cscript manage-bde.wsf -status

Information about each partition is displayed, together with the encryption and authentication methods.

Alternative methods to identify an encrypted volume include checking the status in Control Panel > BitLocker Drive Encryption, or simply viewing the Computer Management window with the Disk Management snap-in.

These methods are applicable in a Live Response scenario, where the investigator is at a working and unlocked PC. However, in a case where the machine has been seized and is examined in a forensic lab, investigators can view the BIOS Parameter Block (BPB) to determine whether the volume is encrypted with BitLocker (HUNTER, Jamie, 2006). It is located in the first 0x54 bytes of the first sector and can be recognised by the following values:

Offset  Size  Field              Required Value for BitLocker
0x03    8     Signature          ‘-‘,’F’,’V’,’E’,’-‘,’F’,’S’,’-‘
0x0B    2     BytesPerSector
0x0D    1     SectorsPerCluster  One of 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40 or 0x80
0x0E    2     ReservedClusters   0x0000
0x10    1     FatCount           0x00
0x11    2     RootEntries        0x0000
0x13    2     Sectors            0x0000
0x16    2     SectorsPerFat      0x0000
0x20    4     LargeSectors       0x00000000
0x38    8     MetadataLcn

Table 5. Required Values for BitLocker stored in boot sector of an encrypted volume (HUNTER, Jamie, 2006)

The actual header of a boot sector of encrypted volume can be seen in Figure 10. Highlighted in yellow is the file system signature: -FVE-FS. In depth information about the identification of BitLocker is available from the (STEWART, Barrie, 2007, pp.22-24).
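As an added example (not code from the dissertation or from Hunter's paper), the following Python function applies the Table 5 checks to the raw first sector of a volume image, which is how an examiner in the lab would confirm the BPB values on a dd-style image without walking the offsets in a hex editor. The sample sectors are constructed inline; the MetadataLcn value in them is arbitrary.

```python
"""Check the first sector of a volume against the BitLocker BPB values of Table 5.

Added example for this page, not part of the dissertation or of any Microsoft
tool.  Feed it the first 512 bytes of a raw volume image (check_image) or any
bytes object (is_bitlocker_volume).  The sample sectors below are constructed.
"""
import struct

FVE_SIGNATURE = b"-FVE-FS-"
VALID_SECTORS_PER_CLUSTER = {0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80}


def check_bitlocker_bpb(sector: bytes) -> dict:
    """Evaluate every Table 5 requirement; True means that field matches."""
    if len(sector) < 0x54:
        raise ValueError("need at least the first 0x54 bytes of the volume")
    u16 = lambda off: struct.unpack_from("<H", sector, off)[0]
    u32 = lambda off: struct.unpack_from("<I", sector, off)[0]
    return {
        "signature":           sector[0x03:0x0B] == FVE_SIGNATURE,
        "sectors_per_cluster": sector[0x0D] in VALID_SECTORS_PER_CLUSTER,
        "reserved_clusters":   u16(0x0E) == 0x0000,
        "fat_count":           sector[0x10] == 0x00,
        "root_entries":        u16(0x11) == 0x0000,
        "sectors":             u16(0x13) == 0x0000,
        "sectors_per_fat":     u16(0x16) == 0x0000,
        "large_sectors":       u32(0x20) == 0x00000000,
    }


def is_bitlocker_volume(sector: bytes) -> bool:
    """True only when every required value from Table 5 is present."""
    return all(check_bitlocker_bpb(sector).values())


def bitlocker_fields(sector: bytes) -> dict:
    """The two Table 5 fields without a fixed value: sector size and metadata location."""
    return {
        "bytes_per_sector": struct.unpack_from("<H", sector, 0x0B)[0],
        "metadata_lcn": struct.unpack_from("<Q", sector, 0x38)[0],
    }


def check_image(path: str) -> bool:
    """Read the first sector of a raw volume image and apply the check."""
    with open(path, "rb") as f:
        return is_bitlocker_volume(f.read(512))


def build_sample_sector(oem: bytes, fat_count: int = 0, root_entries: int = 0) -> bytes:
    """Construct a 512-byte boot sector for demonstration (sample data, not a real dump)."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                 # jump instruction as on NTFS/BitLocker volumes
    s[0x03:0x0B] = oem                       # OEM name / BitLocker signature
    struct.pack_into("<H", s, 0x0B, 512)     # BytesPerSector
    s[0x0D] = 0x08                           # SectorsPerCluster
    s[0x10] = fat_count                      # FatCount (non-zero only on a real FAT volume)
    struct.pack_into("<H", s, 0x11, root_entries)
    struct.pack_into("<Q", s, 0x38, 0x2EF0)  # MetadataLcn, arbitrary for the sample
    s[0x1FE:0x200] = b"\x55\xAA"             # boot sector end marker
    return bytes(s)


BITLOCKER_SECTOR = build_sample_sector(FVE_SIGNATURE)
NTFS_SECTOR = build_sample_sector(b"NTFS    ")
# Signature present but FAT fields populated: rejected, as Table 5 demands zeros there.
FORGED_SECTOR = build_sample_sector(FVE_SIGNATURE, fat_count=2, root_entries=512)

if __name__ == "__main__":
    for name, sec in (("bitlocker", BITLOCKER_SECTOR), ("ntfs", NTFS_SECTOR), ("forged", FORGED_SECTOR)):
        print(name, is_bitlocker_volume(sec), check_bitlocker_bpb(sec))
```

Run it against a partition image rather than a whole-disk image, since offset 0 must be the volume's boot sector; for a disk image, seek to the partition start reported by mmls or fdisk first.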

Page 38: First Look at the Windows 7 Forensics


Figure 10. BitLocker Encrypted volume header of a boot sector in Windows Vista viewed in Hex editor (HARGREAVES, C and Chivers, H, 2007)

The identification of encrypted volumes is essential, since it can potentially save the whole examination. If during live analysis the examiner fails to recognise BitLocker and switches the machine off without searching for a recovery key, the volume will be locked at the next boot, and recovering it will only be possible if the suspect backed the recovery key up on other seized media or wrote it down on paper.

6.1.4. BitLocker Acquisition

Hargreaves and Chivers suggest that once an encrypted volume has been identified, investigators should always look for a recovery key (HARGREAVES, C and Chivers, H, 2007), which, as mentioned before, is generated at the initial setup. The file name is in GUID format, e.g. CE6B4C60-8F3B-11DE-BE35-62A555D89593.txt, and its contents are plain text. If no keys are found, a logical image of the unlocked volume can still be taken from the running system; it captures the data in decrypted form for later analysis. Although the process is not forensically sound, it may be the only successful method of capturing the data.

The aforementioned BitLocker Command Line Interface enables investigators to manage recovery keys (STEWART, Barrie, 2007). The command

cscript manage-bde.wsf -protectors -get C: -sek G:\

exports the external key file for volume C: onto the USB drive G: (-sek is the short form of -SaveExternalKey). Additionally, the examiner can duplicate the recovery key via Control Panel > BitLocker Drive Encryption > Manage BitLocker Keys, where keys can be exported, printed or reset. If an organisation uses Active Directory, it can be configured to back up recovery keys, so the investigator should be aware that the system administrator might have access to backed-up recovery keys.

Renowned computer forensics and incident response expert Lance Mueller posted a quick tutorial on how to identify BitLocker running on a live system. The video shows how to disable BitLocker in order to "seize the hard drive and then later image and examine the data without having the key protectors" (MUELLER, Lance, 2008). It can be disabled with the following command:

cscript manage-bde.wsf -protectors -disable C:

Disabling the protectors does not decrypt the volume. The data stays encrypted on disk, but the volume master key is written in clear text into the BitLocker metadata so that the volume unlocks without any protector; this state survives a shutdown and is what makes the later image readable. Because the command modifies the evidence drive, the examiner should record that the protectors were disabled and when.

Page 39: First Look at the Windows 7 Forensics


6.2. BitLocker in Windows 7

BitLocker in Windows 7 has some minor differences in the way it functions compared with Windows Vista; however, it introduces one major new feature, BitLocker To Go. This section discusses the changes that have appeared since BitLocker for Vista.

6.2.1. Introduction

While BitLocker proved to be a secure encryption solution for computers, it did not stop the data loss headlines. With their increasing popularity, low prices and high capacities, USB flash and portable drives have created a serious threat to data security. The Ministry of Defence alone admitted to the loss of eighty-seven USB sticks in 5 years, all of which contained classified data (PAGE, Lewis, 2008). Windows 7 BitLocker addresses this problem by extending the encryption to removable devices.

Microsoft accepted feedback from system administrators and even admitted that deployment of BitLocker Drive Encryption in Vista "was more cumbersome than it needed to be" (MICROSOFT TECHNET, 2009). Previously, administrators had to repartition the drive to create the system volume, which on a large scale is a lengthy and costly process. Now the system volume partition is created during the Windows 7 installation process.

In addition, Microsoft gave system administrators greater control over BitLocker by introducing Group Policy changes, Data Recovery Agents (DRA) and other improvements to make deployment more efficient.

All these changes, although not big or revolutionary, can have a great impact on the popularity of Windows 7 BitLocker. Encryption of USB sticks can directly affect digital forensics, as until now investigators have relatively rarely had to deal with encrypted flash drives. If Microsoft's solution proves easy, efficient and robust, it might change the current situation.

6.2.2. BitLocker To Go

When BitLocker was first introduced it could only encrypt the single Vista operating system partition; with Vista Service Pack 1 (SP1) the functionality was extended to fixed data volumes, i.e. other partitions. Now it also includes removable storage devices. BitLocker To Go is the new feature of Windows 7 BitLocker that allows encrypting portable flash or hard drives (FUNK, Troy, 2008). Portable drives can be formatted with either the FAT, FAT32, exFAT or NTFS file system.

Page 40: First Look at the Windows 7 Forensics

The authentication methods differ from those used for OS volume encryption:

Passphrase – a password of letters, digits and symbols; Group Policy allows controlling its complexity and minimum length
Smart Card – the card stores a strong key, but a smart card reader is required
Automatic Unlocking – allows trusted PCs to remember the passphrase and unlock the USB drive automatically (a PC can only do this if its own operating system drive is BitLocker protected)

BitLocker To Go is highly integrated into the Windows environment, making the feature quick and easy to enable. It can be managed straight from the Windows Explorer context menu; the user simply right-clicks a drive to enable BitLocker, unlock the drive or manage authentication methods and keys. The feature can be used even if normal BitLocker is not enabled. Tests have shown that if during Windows 7 installation the user chooses not to create the System Reserved partition - required for BitLocker volume encryption - he can still use portable drive encryption.

In an enterprise environment Group Policy can be set up to force BitLocker To Go usage on any USB-connected drive. If the user refuses, the drive is set to read-only mode, as can be seen in Figure 11.

Figure 11. Group Policy allows forcing users to encrypt USB sticks (FUNK, Troy, 2008)

In order to support encrypted drives on older Windows operating systems, the BitLocker To Go Reader is automatically installed on every protected drive. It is a Windows Explorer-like application that, after successful authentication, allows files to be read from the encrypted volume.

Page 41: First Look at the Windows 7 Forensics

Figure 12. BitLocker To Go Reader window allows viewing files and exporting them to the local machine. Screenshot taken from Windows Vista

Figure 12 presents the BitLocker To Go Reader window after authentication. Individual files or folders can be exported to the local machine. No write operation can be performed, though; that requires Windows 7 BitLocker.

6.2.3. BitLocker To Go Identification

As with the other types of BitLocker encryption, there are several methods to determine that a USB stick is encrypted by this particular application. Identification is especially easy when the portable drive is connected to a Windows PC, since a lock icon is displayed against the drive in My Computer, as seen in Figure 13.

Figure 13. BitLocker To Go encrypted portable drive.

However, if the drive is examined on other platforms the icon is not displayed. This was tested on Ubuntu 8.04 and Mac OS X 10.5. For alternative systems, other means of identification are available. When the drive is opened, characteristic files are visible: BitLockerToGo.exe, COV 0000.ER, Read Me.url, language files and multiple PAD XXXX.NG files. Figure 14 shows the contents of the encrypted drive.

Page 42: First Look at the Windows 7 Forensics

Figure 14. Contents of the BitLocker To Go encrypted portable drive. The BitLockerToGo.exe file is clearly visible. Screenshot taken from Windows Vista.

Please note that although this particular drive does not contain any user data, it is filled with PAD XXXX.NG files of size 0 bytes and one big file, COV 0000.ER, occupying 98% of the volume size. The FAT file system seen here is a "discovery volume" that BitLocker lays over the encrypted data for the benefit of systems without BitLocker support; COV 0000.ER reserves the clusters that hold the encrypted contents, which is why it accounts for almost the whole volume, and copying it off the drive yields only ciphertext.

An alternative identification method is independent of the operating system. By looking at the binary data in a hex editor, the examiner can determine whether the volume is encrypted with BitLocker To Go.

FAT32

At first a USB drive with the FAT32 file system was used for the experiments. Although there is no clear evidence of BitLocker in the header, there is a hint. The OEM Name of the file system is set to MSWIN4.1, which correctly identifies the file system as FAT type, see Figure 15. However, modern Windows operating systems tend to set the OEM Name of a FAT volume to MSDOS5.0, so MSWIN4.1 could indicate that BitLocker might be installed on the volume.

Figure 15. FAT32 volume encrypted with BitLocker To Go. The MSWIN4.1 OEM Name is highlighted in yellow and the FAT32 file system type highlighted in grey

Page 43: First Look at the Windows 7 Forensics

Once the encrypted volume is viewed in hex, the examiner can search for the BitLocker signature '-FVE-FS-'. In the experiment, multiple instances of the signature were found and, surprisingly, other information was detected as well. At offset 0x88 from the signature, the computer name, drive letter and date of the PC on which encryption was initiated were found, as seen in Figure 16.

Figure 16. BitLocker signature found on a BitLocker To Go encrypted volume - highlighted in yellow. Additionally the original computer name, drive letter and date were also found - highlighted in grey.

Unfortunately, having access to only one Windows 7 Ultimate PC, it was not possible to verify whether this is standard for every setup. The string is the description field that BitLocker writes into its FVE metadata as UTF-16 text, and BitLocker keeps three copies of that metadata on each volume, which accounts for the repeated signature hits. If the behaviour is the same on every system, it could prove that the USB drive was connected to the specific PC and that BitLocker To Go was enabled from that PC at the particular time. It could also aid the examiner in searching for the recovery key of the portable drive by pointing him/her to the recorded PC.

NTFS

Although NTFS is not the recommended file system for USB flash drives, some might use BitLocker To Go to encrypt portable USB hard drives, where it is the default file system. NTFS was tested in order to verify what kind of evidence can be extracted and whether the findings from FAT32 are applicable to an NTFS formatted drive.

Figure 17. Header of an NTFS drive encrypted with BitLocker To Go viewed in a hex editor. The BitLocker signature -FVE-FS- is at offset 0x03 - highlighted in yellow. Interestingly it is marked as the FAT32 file system - highlighted in grey.

Page 44: First Look at the Windows 7 Forensics

Figure 17 presents the header of the NTFS drive which was encrypted with BitLocker To Go. The BitLocker signature can be seen in yellow but, surprisingly, the volume is showing as FAT32 (in grey). When Figure 15 and Figure 17 are compared there are some differences in the structure of the headers, though they follow a similar fashion. The encrypted NTFS volume has the BitLocker signature as the OEM Name but is inappropriately marked as FAT32, whereas the encrypted FAT32 volume has MSWIN4.1 as the OEM Name and the file system is properly recognised, but there is no clear indication that the volume is encrypted.

Both encrypted file systems share the interesting characteristic of recording the computer name, drive letter and date of the encryption. The NTFS drive was also searched for the BitLocker signature -FVE-FS- and after some of the instances of the signature the details of the encryption were found, as displayed in Figure 18.

Figure 18. BitLocker signature found on an encrypted NTFS volume - highlighted in yellow. Computer name, drive letter and date were also found - highlighted in grey

Additionally, the encrypted NTFS volume was not recognised by Windows Vista, which prompted to format the drive. When the USB stick was connected to the Ubuntu 8.04 computer it was not mounted either. The fsstat tool from The Sleuth Kit, used for viewing the details of file systems (CARRIER, Brian), also failed to identify the NTFS volume, although it handled the encrypted FAT32 volume correctly. In contrast, the aforementioned tools mmls and fdisk recognised it as NTFS; this is not a contradiction, since they report the partition type code from the partition table rather than inspecting the file system header.
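The FAT32 and NTFS observations above (the OEM Name heuristic, the -FVE-FS- signature, and the computer name / drive letter / date string found 0x88 bytes after it) can be combined into one scan. The following Python script is an added example, not part of the dissertation: it classifies the boot sector by OEM Name, locates every copy of the signature in a raw image and decodes the UTF-16 description after each hit. The 0x88 distance is taken from the experiment above and treated as an assumption; the sample image is constructed, and its metadata offsets are arbitrary.

```python
"""Scan a BitLocker To Go image for the -FVE-FS- signature and the metadata description.

Added example, not from the dissertation.  Assumptions: offset 0 of the input is
the volume's boot sector (a partition image), and the UTF-16LE description starts
DESCRIPTION_OFFSET bytes after each signature, as observed in the experiment.
"""
import mmap
import re

FVE_SIGNATURE = b"-FVE-FS-"
DESCRIPTION_OFFSET = 0x88   # signature -> description distance observed above (assumption)
DESCRIPTION_MAX = 0x100     # bytes of UTF-16LE text to inspect after that offset
DESCRIPTION_RE = re.compile(r"^(?P<computer>\S+)\s+(?P<drive>[A-Za-z]):\s+(?P<date>\S.*)$")


def classify_boot_sector(sector: bytes) -> dict:
    """Apply the OEM Name observations from the FAT32 and NTFS experiments."""
    oem = sector[0x03:0x0B]
    fs_type = sector[0x52:0x5A]          # FAT32 'file system type' string, e.g. b"FAT32   "
    if oem == FVE_SIGNATURE:
        verdict = "bitlocker"            # OEM Name replaced by the signature (the NTFS stick)
    elif oem == b"MSWIN4.1":
        verdict = "suspect"              # hint only (the FAT32 stick); confirm with a metadata scan
    elif oem in (b"MSDOS5.0", b"NTFS    "):
        verdict = "plain"                # what a normal Windows format leaves behind
    else:
        verdict = "unknown"
    return {"oem_name": oem.decode("ascii", "replace"),
            "fs_type": fs_type.decode("ascii", "replace").strip(),
            "verdict": verdict}


def decode_utf16le_z(buf: bytes) -> str:
    """Decode a NUL-terminated UTF-16LE string, stopping at the first 16-bit zero."""
    end = len(buf) - len(buf) % 2
    for i in range(0, end, 2):
        if buf[i] == 0 and buf[i + 1] == 0:
            end = i
            break
    return buf[:end].decode("utf-16-le", "replace")


def parse_description(desc: str):
    """Split '<computer name> <drive letter>: <date>' into its parts, or None."""
    m = DESCRIPTION_RE.match(desc.strip())
    return m.groupdict() if m else None


def find_fve_metadata(image) -> list:
    """Return (offset, description) for every -FVE-FS- occurrence in a bytes or mmap image."""
    hits = []
    for m in re.finditer(re.escape(FVE_SIGNATURE), image):
        start = m.start() + DESCRIPTION_OFFSET
        desc = decode_utf16le_z(bytes(image[start:start + DESCRIPTION_MAX]))
        hits.append((m.start(), desc))
    return hits


def scan_image(image) -> dict:
    """Combine the boot-sector heuristic with the metadata scan into one report."""
    report = classify_boot_sector(bytes(image[:512]))
    hits = find_fve_metadata(image)
    report["signature_offsets"] = [off for off, _ in hits]
    report["descriptions"] = [d for d in (parse_description(s) for _, s in hits) if d]
    if hits:
        report["verdict"] = "bitlocker"  # metadata found: stronger evidence than the OEM Name hint
    return report


def scan_file(path: str) -> dict:
    """Scan a raw image on disk without loading all of it into memory."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_image(mm)


def build_sample_image() -> bytes:
    """Constructed image of a BitLocker To Go FAT32 stick (sample data, not a real dump)."""
    img = bytearray(64 * 1024)
    img[0:3] = b"\xEB\x58\x90"
    img[0x03:0x0B] = b"MSWIN4.1"            # OEM Name as seen on the FAT32 stick
    img[0x52:0x5A] = b"FAT32   "
    img[0x1FE:0x200] = b"\x55\xAA"
    desc = "WIN7-LAB E: 01/09/2009".encode("utf-16-le") + b"\x00\x00"
    for off in (0x2000, 0x8000, 0xE000):    # three metadata copies; offsets arbitrary here
        img[off:off + 8] = FVE_SIGNATURE
        img[off + DESCRIPTION_OFFSET:off + DESCRIPTION_OFFSET + len(desc)] = desc
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    print(scan_image(SAMPLE_IMAGE))
```

On an NTFS stick the boot sector alone already gives a verdict, because the OEM Name is the signature; on a FAT32 stick the scan is what turns the MSWIN4.1 hint into a positive identification, and the decoded description supplies the computer name to look for the recovery key on.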

6.2.4. BitLocker To Go Acquisition

Acquiring a forensically sound image of the portable device seems to be an easy task; it is the encryption that creates challenges. Taking a physical image means that the contents will be encrypted, and therefore the data will be unreachable. As shown in the previous section, it is possible to establish on which PC the BitLocker encryption was enabled. During the setup process the user can either save the recovery key on the local machine or print it off. Unless a paper with the printed recovery key can be located, it is most likely that the key is stored on the local computer. The format of the recovery key file name has changed slightly: BitLocker Recovery Key xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.txt. If the user selected the automatic unlock option, it is possible that once the USB drive is plugged into the trusted PC it is instantly unlocked, allowing for logical imaging.

Page 45: First Look at the Windows 7 Forensics

In a live response scenario where the USB drive is found unlocked, the examiner can simply right-click the drive in 'My Computer' and select Manage BitLocker to export the recovery key. The investigator can also simply take a logical image of the unlocked drive.

Unlocking the drive with the recovery key has become much easier since Windows Vista. Once the window asking for the password pops up, the user can click 'Forgot my Password', follow the wizard and simply type in the recovery key.
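Both recovery key file name conventions quoted above (the Vista GUID-only name and the Windows 7 "BitLocker Recovery Key <GUID>.txt" name) are easy to sweep for across seized media. The Python below is an added example, not code from the dissertation: it matches file names against both patterns, reads the text files with their byte-order mark honoured, and pulls out any 48-digit recovery password. The per-group check it applies (each six-digit group is a multiple of 11 and below 720896) is the published format of the BitLocker recovery password, not something stated in the dissertation. The sample file names and file text are constructed; the GUID in the Windows 7 sample name is made up.

```python
"""Locate BitLocker recovery key files on seized media and validate their contents.

Added example, not from the dissertation.  find_recovery_keys() walks a mounted
image or an export directory; the pure helpers can be run on any listing or text.
"""
import os
import re

GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
# Vista: "<GUID>.txt"; Windows 7: "BitLocker Recovery Key <GUID>.txt"
KEY_FILE_RE = re.compile(r"^(?:BitLocker Recovery Key )?" + GUID + r"\.txt$", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\b(\d{6}(?:-\d{6}){7})\b")


def is_recovery_key_name(name: str) -> bool:
    """True for either recovery key file name convention."""
    return bool(KEY_FILE_RE.match(name))


def valid_recovery_password(password: str) -> bool:
    """48-digit recovery password: eight 6-digit groups, each a multiple of 11 and below 720896."""
    groups = password.split("-")
    if len(groups) != 8:
        return False
    return all(len(g) == 6 and g.isdigit() and int(g) % 11 == 0 and int(g) < 720896 for g in groups)


def decode_key_file(raw: bytes) -> str:
    """The .txt files may be UTF-16LE with BOM or UTF-8; honour the BOM rather than guessing."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", "replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        raw = raw[3:]
    return raw.decode("utf-8", "replace")


def extract_passwords(text: str) -> list:
    """Every well-formed recovery password in the text, in order of appearance."""
    return [p for p in PASSWORD_RE.findall(text) if valid_recovery_password(p)]


def match_key_files(names) -> list:
    """Filter a list of file names (e.g. a directory listing of seized media)."""
    return [n for n in names if is_recovery_key_name(n)]


def find_recovery_keys(root: str) -> list:
    """Walk a directory tree and return (path, [passwords]) for each recovery key file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in match_key_files(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                found.append((path, extract_passwords(decode_key_file(f.read()))))
    return found


# Constructed sample text in the layout of a Windows recovery key file (not a real key).
SAMPLE_KEY_TEXT = (
    "BitLocker Drive Encryption Recovery Key\n\n"
    "The recovery key is used to recover the data on a BitLocker protected drive.\n\n"
    "Recovery Key:\n\n"
    "    123453-330000-495000-660000-055000-022000-715000-000011\n"
)
SAMPLE_NAMES = [
    "CE6B4C60-8F3B-11DE-BE35-62A555D89593.txt",                        # Vista style (from the text)
    "BitLocker Recovery Key 1A2B3C4D-1111-2222-3333-444455556666.txt",  # Windows 7 style (constructed)
    "notes.txt",
]

if __name__ == "__main__":
    print(match_key_files(SAMPLE_NAMES))
    print(extract_passwords(SAMPLE_KEY_TEXT))
```

Because the password check is purely arithmetic, the same extract_passwords() call can be run over keyword-search hits in unallocated space or in other documents on the seized media, not only over files with the expected name.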

6.2.5. BitLocker changes

The BitLocker developers put an emphasis on the user experience in Windows 7, and as a result the initial setup process was simplified. System administrators can quickly enable BitLocker on multiple machines and control settings through extended Group Policy capabilities. Home users can follow easy-to-use wizards to enable BitLocker without the hassle of repartitioning the hard drive to accommodate the 1.5 GB system volume. These and other improvements have made the whole process more user friendly and the feature more usable.

With Windows 7 BitLocker the system volume partition, the volume used by BitLocker to verify the integrity of the hardware and perform pre-startup authentication (MICROSOFT TECHNET, 2009), is created automatically during installation if the user selects the default settings. If the user performs a custom installation and the hard drive contained other partitions prior to the Windows 7 installation, the system volume partition is not created; however, if the user later opts in to BitLocker, the partition is created automatically during BitLocker setup. A lot of the burden has therefore been taken off the end user and embedded in the automated process. The partition is now called System Reserved and has no drive letter assigned, so it cannot be accessed through Windows Explorer, which avoids accidental changes. Additionally, its size was reduced to 100 MB, so more space is available for the user's data.

When Vista BitLocker was first launched it only allowed encrypting the operating system volume (C:), which was extended to additional fixed volumes with Vista Service Pack 1. However, in order to encrypt data drives the C: drive had to be encrypted as well. Windows 7 BitLocker allows encrypting not only portable drives but also fixed volumes, regardless of whether encryption is enabled on the Windows 7 volume. As a result the examiner can find scenarios where the Windows 7 drive is not encrypted but the D: data drive is. In this case it can be assumed that the suspect could be storing incriminating data on the encrypted volume. It is important to remember all the artefacts that data on an encrypted partition leaves on the Windows 7 partition: the investigator might be able to recover the history of files executed or viewed, thumbnails and more, since they are all stored on the Windows 7 partition. This is also true for removable drives and BitLocker To Go.

Page 46: First Look at the Windows 7 Forensics

Enterprises using Windows 7 BitLocker will benefit from the Data Recovery Agent (DRA) technology, a new certificate-based key protector. Through Group Policy the public key of the DRA certificate is added as a key protector to every drive encrypted in the organisation, and the holder of the matching private key can unlock any of them. Because that private key is held centrally, an investigator can request that system administrators decrypt an encrypted volume using the DRA. IT departments now have granular control thanks to the extended Group Policies.

BitLocker for Windows Vista could be managed from the command line via the already discussed script, which had to be run as cscript manage-bde.wsf. The same functionality is now provided by the manage-bde.exe executable placed in the same folder as before, C:\Windows\System32\, so the commands quoted above are run as manage-bde -status, manage-bde -protectors -get C: -sek G:\ and so on.

The identification of a BitLocker encrypted volume has not changed since the previous version, and the same can be said about the acquisition process. The information provided by Microsoft during a presentation on BitLocker (FUNK, Troy, 2008) did not indicate any changes in the basic workings of BitLocker, therefore the procedures that applied to Vista BitLocker are still valid for Windows 7 BitLocker. Unfortunately this could not be examined due to technical problems in the experiment lab.

6.3. Windows 7 BitLocker Conclusions

The development team responsible for the changes introduced in Windows 7 BitLocker put much effort into making it more accessible, not only for administrators in large organisations but also for end users. No doubt data loss is an important issue and public awareness is increasing. By employing encryption technologies like BitLocker many news headlines could be avoided: the public's data would not be disclosed to unauthorised people, and businesses could be confident that their sensitive data is not disclosed to competitors through simple human error.

As good as it sounds for government and business use, it creates a number of challenges for computer forensics. With the range of improvements BitLocker is certainly more appealing to potential users, which in effect can mean an increase in the number of encrypted volumes for digital forensic experts to analyse. It is true that since BitLocker functionality is available only in the most expensive Windows 7 editions, many ordinary home users will not be able to encrypt their hard drives or USB drives. However, it is likely that due to the improvements in user experience more people with the Enterprise or Ultimate editions will start using it.

Page 47: First Look at the Windows 7 Forensics

Just before the release of Vista BitLocker, Andy Woodward wrote a paper with the title 'BitLocker - the end of digital forensics?' (WOODWARD, Andre, 2006). He claimed that very few digital forensic examinations would involve BitLocker encrypted volumes. Although this might have been true for Vista BitLocker, the improvements in Windows 7 BitLocker can change the situation.

Page 48: First Look at the Windows 7 Forensics


7. Registry Analysis

This section is devoted to the Windows Registry. It examines what kind of information is stored there and can be retrieved by the examiner. Due to its complex structure, only a fraction of the registry was examined; this is by no means a complete list. In line with the main idea of this paper, to show what has changed with respect to forensic analysis of the Windows system, it focuses on new sources of evidence. In addition, some of the most common registry keys were evaluated in order to verify their relevance in the new system.

7.1. Introduction

While for Windows the Registry lies at the core of the operating system, for a forensic analyst it can be a goldmine of evidence. It stores settings and options for the whole system and can therefore deliver a large amount of forensically valuable information. Since its first appearance in Windows 3.1 it has grown into an extremely complex data structure. Although there is no complete documentation from Microsoft, there are plenty of resources about forensic analysis of the registry; in fact it is such an important artefact that Harlan Carvey is considering writing a book about forensic analysis of the Windows Registry (CARVEY, Harlan, 2009). In-depth analysis of the Registry lies far beyond the scope of this research, which is focused on the discovery of new and the evaluation of already known sources of evidence.

During the research three methods of information gathering were employed. Firstly, the paper "A Windows Registry Quick Reference" by Derrick J. Farmer (FARMER, Derrick, 2007) was reviewed and formed the basis of the research. While the reference was based on Windows XP, the registry keys presented by the author were verified against the Windows 7 registry in order to show any differences. Secondly, the RegRipper software (CARVEY, Harlan and Shavers, Brett, 2009) was run against the registry hive files from the test Windows 7 PC. The application is designed to automatically extract information stored within registry files; if its output for a key was flagged 'not found', that flagged a difference in registry structure or contents. Thirdly, the registry was browsed in order to identify new possible sources of evidence.

Table 6 presents the popularly used naming conventions applied in this paper.

Short Name | Full Name
HKCR | HKEY_CLASSES_ROOT
HKCU | HKEY_CURRENT_USER
HKLM | HKEY_LOCAL_MACHINE
HKU | HKEY_USERS
HKCC | HKEY_CURRENT_CONFIG

Table 6. Short naming convention for root hives


Although the Registry viewed through the standard Registry Editor (regedit.exe) appears to be a single database, it is in fact a highly integrated collection of files. Table 7 lists the files responsible for the registry hives. Please note that Windows 7 and Vista include additional files (CARVEY, Harlan, 2009, p.161), marked with the * sign.

Registry Hive | File Path
HKLM\System | C:\Windows\System32\config\SYSTEM
HKLM\SAM | C:\Windows\System32\config\SAM
HKLM\Security | C:\Windows\System32\config\SECURITY
HKLM\Software | C:\Windows\System32\config\SOFTWARE
HKU\User SID | C:\Users\<username>\NTUSER.DAT
HKU\Default | C:\Windows\System32\config\DEFAULT
HKLM\Components* | C:\Windows\System32\config\COMPONENTS
Usrclass.dat* | C:\Users\<username>\AppData\Local\Microsoft\Windows\usrclass.dat

Table 7. Registry paths and corresponding files

7.2. Registry locations

This part considers various registry key locations which could possibly be a source of forensic evidence. Due to the large number of different locations, this section is technical and intended mostly for reference.

7.2.1. Time Information

Establishing the time of the Operating System is crucial to a computer forensic investigation. The examiner should be able to establish precisely when a particular event happened. Windows 7 follows the fashion set by previous Windows systems.

Time Zone Information
Registry key holding information about the system time. The most important values are ActiveTimeBias, Bias, DaylightBias and StandardBias.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Using those values the examiner can calculate the different times necessary for the investigation. The formulas (FARMER, Derrick, 2007) are as follows:

UTC = Local Time + ActiveTimeBias
Local Time = UTC – ActiveTimeBias
Standard Time = Bias + StandardBias
Daylight Time = Bias + DaylightBias

Time is represented in minutes, therefore the decimal value of each entry is a number of minutes (MICROSOFT MSDN LIBRARY, 2009).

In addition to establishing the system’s time, the Registry can provide the examiner with the LastWrite time for a particular key. Although a time stamp for each value is not recorded, it can still be very helpful to know when the key was changed, especially where a registry key has a single value. In addition, the time stamp from the registry key can be compared against other time stamps existing on the system.

The LastWrite value can be obtained with multiple tools, e.g. RegRipper; however, in a live response scenario it might be possible to export the whole registry to a text file. The benefits are that the LastWrite value is shown for every key and that a keyword search through the text file is instantaneous. However, the registry can grow enormously in size over the time since OS installation.

Moreover, as with Vista, Windows 7 does not automatically record the Last Access time on NTFS volumes. Microsoft disabled the update by default to reduce performance overhead, which in turn caused examiners to lose a very important source of evidence. The value accountable for that setting is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem > NtfsDisableLastAccessUpdate

7.2.2. Most Recently Used

Most Recently Used lists, commonly known as MRUs, store details of recently used objects. This list was adopted from the Registry reference document (FARMER, Derrick, 2007) and compared against the registry keys available in Windows 7. Please note that if certain functionality was not enabled, some keys may not be available.

Content | Windows XP | Windows 7
Search Files | Software\Microsoft\Search Assistant\ACMru\5603 | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Internet Search Assistant | Software\Microsoft\Search Assistant\ACMru\5001 | N/A
Printers, Computers and People | Software\Microsoft\Search Assistant\ACMru\5647 | N/A
Pictures, music, and videos | Software\Microsoft\Search Assistant\ACMru\5604 | N/A
XP Start Menu - Recent | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | The same as in XP
R. Desktop - Connect | Software\Microsoft\Terminal Server Client\Default [MRUnumber] | N/A
Run dialog box | Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | The same as in XP
Regedit - Last accessed key | Software\Microsoft\Windows\CurrentVersion\Applets\Regedit | The same as in XP
Regedit - Favorites | Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites | The same as in XP
MSPaint - Recent Files | Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List | The same as in XP
Mapped Network Drives | Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU | N/A
Computer searched via Windows Explorer | Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU | HomeGroup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\Members
WordPad - Recent Files | Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List | The same as in XP
Common Dialog - Open | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU | The same as in XP
Common Dialog - Save As | Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU | The same as in XP
WMP XP - Recent Files | Software\Microsoft\MediaPlayer\Player\RecentFileList | HKCU\Software\Microsoft\MediaPlayer\Preferences > Last_Location_26
WMP XP - Recent URLs | Software\Microsoft\MediaPlayer\Player\RecentURLList | N/A
OE6 Stationery list 1 - New Mail | Identities\{CLSID}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List | N/A (no Outlook Express)
OE6 Stationery list 2 - New Mail | Identities\{CLSID}\Software\Microsoft\Outlook Express\5.0\Recent Stationery Wide List | N/A (no Outlook Express)
PowerPoint - Recent Files | Software\Microsoft\Office\10.0\PowerPoint\Recent File List | HKCU\Software\Microsoft\Office\12.0\PowerPoint\File MRU
Access - Filename MRU | Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Access\Settings\File New Database\File Name MRU | HKCU\Software\Microsoft\Office\12.0\Access\Settings
FrontPage - Recent lists | Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List | HKCU\Software\Microsoft\Office\12.0\FrontPage\File MRU
Excel - Recent Files | Software\Microsoft\Office\10.0\Excel\Recent Files | HKCU\Software\Microsoft\Office\12.0\Excel\File MRU
Word - Recent Files | Software\Microsoft\Office\10.0\Word\Data | HKCU\Software\Microsoft\Office\12.0\Word\File MRU
Win Explorer Typed Paths | N/A | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Table 8. Differences and similarities in registry key locations between Windows XP and Windows Vista.

7.2.3. UserAssist

This particular registry key is known among examiners as a potentially rich source of evidence. It has been used since Windows 2000 and is still used in Windows 7. The Operating System uses it to record “objects that user has accessed on the system such as Control Panel applets, shortcut files, programs, documents, media, etc.” (FARMER, Derrick, 2007). Unlike the Prefetch, it stores that information not system-wide but on a per-user basis.

As already mentioned in the Background Research section, the Beta version of Windows 7 had keys obfuscated with a Vigenère cipher, unlike all previous versions of Windows. However, when the RC and final versions were examined it became apparent that the ROT-13 (Caesar) cipher was used again. This simple cipher is based on the rule that each letter is replaced by the letter 13 places away from it in the alphabet, or in this case the ASCII table. For example K:\uryvk.rkr translates into X:\helix.exe. On the recommendation of the Windows Registry Quick Reference (FARMER, Derrick, 2007), the web-based translation script (EDOCEO, 2009) was used to quickly decode the file names.

The UserAssist values can be found at: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. By default there are two GUID keys in UserAssist. Carvey suggested checking the GUID in HKCR\CLSID\ (CARVEY, Harlan, 2007, p.168). Although the method was successful in previous Windows versions, it did not provide any results here. In fact, the whole registry was searched without success. It is however safe to assume that behind both GUIDs are Operating System applications responsible for interaction with the system Shell.

When the RegRipper software was run against the Windows 7 RTM NTUSER.DAT file, no UserAssist keys were retrieved. The registry was manually examined and it became clear why the application did not extract any information: the data field is 72 bytes long as opposed to 16 bytes in Vista and its predecessors. Due to the lack of documentation about the new data structure it was necessary to analyse and understand its contents and behaviour. Derrick J. Farmer (FARMER, Derrick, 2007) explained the structure of the previous format, where the fifth byte (offset 0x05) was a counter of how many times the application was run, however the counter’s starting value is 5. The last 8 bytes compose the time stamp of the last access. In his book Harlan Carvey adds (CARVEY, Harlan, 2007) that the data is divided into DWORDs of 4 bytes.

In order to examine the behaviour of the new format, a new application was downloaded and executed for the first time, and the registry value for the application was created. The application was then closed and the data for that value was recorded and compared with subsequent repetitions of the process. After multiple attempts it was possible to identify which bytes recorded the counter and the time stamp. With more data to be examined it was difficult to establish which byte was recording what. Eventually it appeared that the 5th byte is still the counter, but the starting value is 00. The time stamp is in the 60th to 68th bytes (DWORDs 15 to 17). Figure 19 presents the binary data for a specific program, where the count is highlighted in yellow and the time stamp in blue.

Figure 19. Image shows binary data for the example UserAssist value. Underlined in red is the obfuscated program path, in green is the decoded path. Highlighted in yellow is the counter number and in blue is the time stamp in Hex.

The time stamp is in hexadecimal format; by using software like DCode (DIGITAL DETECTIVE GROUP LTD, 2009) it is possible to decode the time stamp into human readable form. Figure 20 shows the time stamp for the application run in the above example (highlighted in yellow) and the converted date in bold.

Figure 20. Output from Date/Time converting application DCode. Highlighted in yellow is the time stamp from the above example (see previous figure).
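As an added example (not code from the dissertation or from RegRipper), the following Python parses a UserAssist entry using the layout worked out above and converts the result to local time with the Time Zone Information formulas from 7.2.1. It assumes the run counter is the DWORD at offset 4 (the “5th byte”) and the FILETIME the 8 bytes at offset 60; the value name, data blob and bias values are constructed, not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows 7 UserAssist layout (from the observations in this section):
# run counter = DWORD at offset 4, FILETIME (last run, UTC) = QWORD at offset 60.
WIN7_VALUE_LEN = 72
COUNT_OFFSET = 4
FILETIME_OFFSET = 60
# XP/Vista layout for comparison: session DWORD, counter DWORD (starts at 5), FILETIME.
LEGACY_VALUE_LEN = 16

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(value_name: str) -> str:
    """Undo the ROT-13 obfuscation of a value name (K:\\uryvk.rkr -> X:\\helix.exe)."""
    return codecs.decode(value_name, "rot_13")


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(moment: datetime) -> int:
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Return decoded path, raw run counter and last-run time for one UserAssist value."""
    if len(data) == WIN7_VALUE_LEN:
        count = struct.unpack_from("<I", data, COUNT_OFFSET)[0]
        filetime = struct.unpack_from("<Q", data, FILETIME_OFFSET)[0]
        layout = "windows7"
    elif len(data) == LEGACY_VALUE_LEN:
        # Legacy counter starts at 5, so the raw value is 5 higher than the real run count.
        count = struct.unpack_from("<I", data, 4)[0]
        filetime = struct.unpack_from("<Q", data, 8)[0]
        layout = "legacy"
    else:
        raise ValueError(f"unexpected UserAssist data length {len(data)}")
    return {
        "layout": layout,
        "path": decode_name(value_name),
        "run_count": count,
        # A zero FILETIME means no last-run time was recorded for the entry.
        "last_run_utc": filetime_to_utc(filetime) if filetime else None,
    }


# --- Time Zone Information values (ActiveTimeBias, Bias, StandardBias, DaylightBias) ---

def signed_dword(raw: int) -> int:
    """Bias values are REG_DWORD two's-complement minutes: 0xFFFFFFC4 is -60 (UTC+1)."""
    return raw - 0x1_0000_0000 if raw & 0x8000_0000 else raw


def utc_to_local(utc_moment: datetime, active_time_bias: int) -> datetime:
    """Local Time = UTC - ActiveTimeBias (minutes), returned as an offset-aware datetime."""
    return utc_moment.astimezone(timezone(timedelta(minutes=-active_time_bias)))


def local_to_utc(local_naive: datetime, active_time_bias: int) -> datetime:
    """UTC = Local Time + ActiveTimeBias, for a wall-clock (naive) local time."""
    return (local_naive + timedelta(minutes=active_time_bias)).replace(tzinfo=timezone.utc)


def zone_offsets(bias: int, standard_bias: int, daylight_bias: int) -> dict:
    """Standard Time = Bias + StandardBias; Daylight Time = Bias + DaylightBias (minutes)."""
    return {"standard": bias + standard_bias, "daylight": bias + daylight_bias}


def build_sample_value(run_count: int, last_run_utc: datetime) -> bytes:
    """Constructed 72-byte blob in the assumed layout; all other bytes are left zero."""
    blob = bytearray(WIN7_VALUE_LEN)
    struct.pack_into("<I", blob, COUNT_OFFSET, run_count)
    struct.pack_into("<Q", blob, FILETIME_OFFSET, utc_to_filetime(last_run_utc))
    return bytes(blob)


# Constructed sample: helix.exe run 3 times, last at 2009-08-26 12:31 UTC, on a machine
# in British Summer Time (ActiveTimeBias stored as 0xFFFFFFC4, i.e. -60 minutes).
SAMPLE_NAME = "K:\\uryvk.rkr"
SAMPLE_DATA = build_sample_value(3, datetime(2009, 8, 26, 12, 31, tzinfo=timezone.utc))
SAMPLE_ACTIVE_TIME_BIAS = signed_dword(0xFFFFFFC4)


def report(value_name: str = SAMPLE_NAME, data: bytes = SAMPLE_DATA,
           active_time_bias: int = SAMPLE_ACTIVE_TIME_BIAS) -> dict:
    """Parse one value and add the local wall-clock time of the last run."""
    rec = parse_userassist(value_name, data)
    rec["last_run_local"] = (utc_to_local(rec["last_run_utc"], active_time_bias)
                             if rec["last_run_utc"] else None)
    return rec


if __name__ == "__main__":
    for key, val in report().items():
        print(f"{key:15}: {val}")
```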

7.2.4. Autoruns

Applications automatically loaded on system startup are recorded in various registry keys. It can be important to establish if any malicious software was running on a suspect PC. The Sysinternals Autoruns (SYSINTERNALS, 2009) application can easily provide all that information.

Windows XP | Windows 7
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce | The same as XP
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | N/A
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | The same as XP
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run | N/A
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | The same as XP
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | The same as XP
<username>\Start Menu\Programs\Startup | <username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

7.2.5. Network information

Windows records the wireless networks connected to the host PC. It stores a profile of the network: its SSID identification name together with some more details, such as creation date, last connected and gateway MAC address. Depending on the context, this information can be highly important to the forensic investigation. In Windows XP the Zero Configuration Service was used; however, Vista and Windows 7 manage networks differently.

The time stamp is in an unusual format: d9 07 08 00 03 00 13 00 01 00 39 00 02 00 14 02, where each 2 bytes form a little endian value. The decoding technique is as follows:

Year = d907 > 07d9 = 2009
Month = 0800 > 0008 = August {Jan = 1, Feb = 2...}
Weekday = 0300 > 0003 = Tuesday {Sunday = 1, Monday = 2...}
Day = 1300 > 0013 = 19
Hour = 0100 > 0001 = 1 am
Minutes = 3900 > 0039 = 57
Seconds = 0200 > 0002 = 02

The complete decoded time stamp is: Tuesday, 19 August 2009 01:57:02

This method was posted on Mark McKinnon’s blog (MCKINNON, Mark, 2009).
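The decoding above as an added example (not the dissertation’s or Mark McKinnon’s code): the 16-byte value is a Windows SYSTEMTIME, eight little-endian WORDs, which Python unpacks in one call. It uses the documented SYSTEMTIME weekday convention (Sunday = 0) and cross-checks that field against the calendar date; with that convention the bytes above decode to Wednesday, 19 August 2009, which the calendar confirms. The bytes are the ones quoted above; the value names named in the comment are an assumption.

```python
import struct
from datetime import datetime

# SYSTEMTIME: eight little-endian WORDs in the order year, month, day-of-week, day,
# hour, minute, second, milliseconds. wDayOfWeek counts Sunday as 0.
SYSTEMTIME_LEN = 16
WEEKDAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
MONTHS = ("January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December")

# The value quoted above (constructed here from that hex); the same layout is used by the
# NetworkList\Profiles\{GUID} date values (assumed names: DateCreated, DateLastConnected).
SAMPLE_TIMESTAMP = bytes.fromhex("d907 0800 0300 1300 0100 3900 0200 1402")


def decode_systemtime(blob: bytes) -> dict:
    """Decode a SYSTEMTIME blob and check its weekday field against the calendar."""
    if len(blob) != SYSTEMTIME_LEN:
        raise ValueError(f"SYSTEMTIME must be {SYSTEMTIME_LEN} bytes, got {len(blob)}")
    year, month, weekday, day, hour, minute, second, millis = struct.unpack("<8H", blob)
    if not 0 <= weekday <= 6:
        raise ValueError(f"wDayOfWeek out of range: {weekday}")
    # datetime() validates the month/day/hour/minute/second ranges for us.
    moment = datetime(year, month, day, hour, minute, second, millis * 1000)
    # isoweekday(): Monday=1 .. Sunday=7; modulo 7 maps it onto SYSTEMTIME's Sunday=0.
    calendar_weekday = moment.isoweekday() % 7
    return {
        "datetime": moment,
        "weekday_field": weekday,
        "weekday_name": WEEKDAYS[weekday],
        # A mismatch means the bytes were misread (wrong offset or byte order) or the
        # value was altered; the calendar date, not the stored weekday, is the authority.
        "weekday_matches_date": weekday == calendar_weekday,
    }


def format_systemtime(blob: bytes) -> str:
    """Render in the 'Weekday, D Month YYYY HH:MM:SS.mmm' style used above."""
    rec = decode_systemtime(blob)
    m = rec["datetime"]
    return (f"{rec['weekday_name']}, {m.day} {MONTHS[m.month - 1]} {m.year} "
            f"{m:%H:%M:%S}.{m.microsecond // 1000:03d}")


if __name__ == "__main__":
    print(format_systemtime(SAMPLE_TIMESTAMP))
    print(decode_systemtime(SAMPLE_TIMESTAMP)["weekday_matches_date"])
```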

Wireless Network information
Records profiles of previously connected Wireless Networks. The first key stores time stamps and SSID; the second key stores the Gateway’s details: MAC address and SSID name.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\

Additionally, details of individual connections are recorded: IP address, DHCP server and more. The time stamp is stored as a big endian 32-bit Unix time value in hex; DCode can be used to translate the value.

Network Connection information
Records details of the connection: IP address, DHCP server information, domain, time stamps etc.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{GUID}

7.2.6. Mounted Devices

NTFS devices that are mounted to the Windows system are recorded together with the letter assigned to them. The binary data for the values \DosDevices\x: can be used to identify the specific devices.

Mounted Devices
Lists previously connected drives.

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

7.2.7. USB Device Information

When a user connects a removable device, Windows records details of that device in the registry and the file system. The process of gathering all the information has changed since Windows XP but is the same as on Vista. A couple of steps are required to retrieve all the tracks:

1. Write down Vendor, Product, Version
   Key: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
   Example: Disk&Ven_SanDisk&Prod_Cruzer&Rev_7.01

2. Write down Serial Numbers
   Key: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_###&Prod_####&Rev###\
   Example: 0877500A0302335E&0\

3. Determine the drive letter the device was mapped to
   Key: HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices > FriendlyName
   Look for Serial Number or Vendor and Product
   Example: G: PortableApps

4. Write down Volume GUIDs
   Key: HKLM\SYSTEM\MountedDevices
   Look for Serial Number or Vendor and Product
   Example: \??\Volume{c76d273c-8e40-11de-9db3-001a6b41face}

5. Find the user that used the specific USB device
   Key: NTUSER.DAT, HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
   Search for the Device GUID
   Example: User1

6. Determine the last time the device was connected (check LastWrite for the key)
   Key: HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
   Look for Serial Number or Vendor and Product
   Example: Last Write Time: 26/08/2009 - 13:31

7. Discover the first time the device was connected
   File: C:\Windows\inf\setupapi.log
   Perform a search for the Serial Number
   Example: >>> [Device Install (Hardware initiated) - USB\VID_0781&PID_5151\0877500A0302335E] >>> Section start 2009/08/21 11:56:08.045...

Table 9. USB Information gathering process. Adapted from (SANS FORENSICS BLOG, 2009)

Please note that not every USB device has its own Serial Number.
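As an added example (not the dissertation’s or the SANS post’s code), the following Python automates step 7: it walks setupapi.log text for Device Install sections whose device ID contains a given serial number and returns the earliest Section start. The log text is constructed in the layout of the line quoted in step 7; the second device, its placeholder serial and all timestamps other than that quoted one are invented.

```python
import re
from datetime import datetime

# Section header and "Section start" lines in the layout quoted in step 7.
HEADER_RE = re.compile(r"^>>>\s+\[(?P<operation>[^\]]*?)\s*-\s*(?P<device_id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
TS_FORMAT = "%Y/%m/%d %H:%M:%S.%f"

# Constructed sample log: the SanDisk Cruzer from the table (serial 0877500A0302335E)
# installed on 21 Aug and re-enumerated on 26 Aug, plus an unrelated device installed
# the day before (placeholder IDs, not from the page).
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0000&PID_0000\\PLACEHOLDERSERIAL1]
>>>  Section start 2009/08/20 09:12:44.120
<<<  Section end 2009/08/20 09:12:45.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5151\\0877500A0302335E]
>>>  Section start 2009/08/21 11:56:08.045
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2009/08/21 11:56:09.310
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_7.01\\0877500A0302335E&0]
>>>  Section start 2009/08/21 11:56:09.400
<<<  Section end 2009/08/21 11:56:10.850
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5151\\0877500A0302335E]
>>>  Section start 2009/08/26 13:31:02.010
<<<  Section end 2009/08/26 13:31:02.900
<<<  [Exit status: SUCCESS]
"""


def iter_install_sections(log_text: str):
    """Yield (device_id, start_time) for every Device Install section in the log."""
    pending_device = None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            is_install = header.group("operation").startswith("Device Install")
            pending_device = header.group("device_id") if is_install else None
            continue
        start = START_RE.match(line)
        if start and pending_device is not None:
            yield pending_device, datetime.strptime(start.group("ts"), TS_FORMAT)
            pending_device = None


def install_history(log_text: str, serial: str) -> list:
    """All (start_time, device_id) sections naming the serial, oldest first."""
    needle = serial.upper()
    hits = [(ts, dev) for dev, ts in iter_install_sections(log_text) if needle in dev.upper()]
    return sorted(hits)


def first_install(log_text: str, serial: str):
    """Earliest Section start for the serial, or None if the device never appears."""
    hits = install_history(log_text, serial)
    if not hits:
        return None
    ts, device_id = hits[0]
    return {"device_id": device_id, "first_seen": ts}


if __name__ == "__main__":
    for ts, dev in install_history(SAMPLE_LOG, "0877500A0302335E"):
        print(ts, dev)
    print("first seen:", first_install(SAMPLE_LOG, "0877500A0302335E"))
```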

7.2.8. Internet Explorer

Internet Explorer is highly integrated into the Windows OS and therefore into the Registry. Although the current 8th version differs a lot in its capabilities, the information stored in the registry resembles that of older versions. It is ruled by compatibility issues, and new features are only added to an already existing structure. Internet Explorer information is stored primarily in two registry keys.

Internet Explorer
Registry keys store information used by Internet Explorer 8. The first key holds data about History, Cache or Cookies. The second key keeps data about e.g. Suggested Sites, but one of the most important keys is TypedURLs, which records URLs that the user typed in. Additionally the path to the download folder is stored in the root of this key.

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\

HKCU\Software\Microsoft\Internet Explorer\

Internet Explorer can store data entered into username and password fields if the user agrees to use the feature. IE7 and IE8 use a different method of storing credential data: passwords are encrypted with the URL of the page on which the password was entered. Therefore, if the URL still exists in the history, it might be possible to decode the data.

AutoComplete Passwords
Stores usernames and passwords remembered by Internet Explorer, in Storage1 and Storage2 respectively.

HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage1\

HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\

8. Miscellaneous Features and Changes

8.1. Location and Sensors API

Microsoft has introduced native support for sensor devices, which allows different sensors to be used without the need for any third-party software, thanks to a standardized Application Programming Interface (API). Supported sensors include devices such as light sensors, 3D accelerometers or even human proximity sensors.

In addition, the platform allows Location sensors such as Global Positioning System (GPS) receivers to be used. Software-based solutions can also be applied, for example an “IP resolver that provides location information based on an Internet address, a cellular phone tower triangulation that determines location based on nearby towers, or a Wi-Fi network location provider that reads location information from the connected wireless network hub” (MICROSOFT MSDN, 2009). The types of sensors used depend on hardware or software availability. This feature is also limited to the Home Premium, Professional and Ultimate editions. The feature is enabled by default but can be disabled by the user via the Control Panel.

This functionality could be of special interest to forensic investigators because it could provide them with the exact location of a computer and its user at a specific time. Since analysis of this information goes beyond computer or online activity, it could be of extreme value to the investigation. Investigators could potentially get the actual location of a criminal from his end, rather than trying to track him down from their end by IP address tracing. This method could help to counter anti-forensic techniques such as the use of TOR networks to obscure the IP address location (TOR PROJECT INC, 2009). Law enforcement agencies would not have to go through the lengthy and troublesome procedure of Regulation of Investigatory Powers Act 2000 (RIPA) requests to Internet Service Providers (ISPs).

The actual applications that would use the location data would mostly be third party, as currently the only native Windows application using the data is the Weather widget. As a result, third-party developers decide how their data is stored and this is likely to vary between applications. According to the documentation (MICROSOFT MSDN, 2009), the user is warned every time a new program tries to access the location data.

Data artefacts left behind on a system are unclear, since it was impossible to test the feature without an appropriate hardware device or software. According to the Microsoft Developer Network (MSDN) reference, the API provides software with two means of retrieving the location from the sensor: one through C++ and the other through scripting languages (MICROSOFT MSDN, 2009). The methods would call a system function to get the location, which could then be used by an application or e.g. an online script. The documentation does not state if the data is stored anywhere on the system in local files.

The Event Viewer keeps a log (Event Viewer > Custom Views > Location Activity) of all applications trying to access the location data. It is very unlikely that the actual location is stored in this log. However, in theory, if an application that sends a request for the data records this fact, then it might be possible to tie that information to the request stored in the log. According to MSDN not every request is stored: only the first successful and any failed requests are logged until the application restarts (MICROSOFT MSDN, 2009). Depending on the scenario this information might be enough to retrieve the location.

This particular source of evidence also has flaws, because the key limitation is the requirement for the criminal to have a hardware or software sensor and associated connectivity. Taking a GPS receiver as an example, good signal reception from at least three GPS satellites is required to determine the location. As a result the criminal would need to have hardware capable of running the correct edition of Windows 7, therefore a laptop, excluding the Netbook category, with a GPS receiver. The criminal would also need to be outdoors, or at least in an environment with a clear view of the sky, for the receiver to find a ‘fix’ signal. Considering that GPS adapters, either USB or Bluetooth, are rarely used, it becomes clear that this potential evidence has many limitations.

There are however other scenarios where this source could really contribute evidence to an investigation. The mobile network has the potential to be the most feasible solution, due to its growing popularity. Therefore, if a criminal had a laptop connected to the internet via a USB broadband dongle, his approximate location could be logged by the Localisation platform.

Another case would be if a criminal used a laptop on a local wireless network, as it would be possible for his location to be identified by locating the Wi-Fi network. This type of localisation is being developed as an alternative to the GPS system for indoor or metropolitan environments, where buildings block the satellite signals (YU-CHUNG CHENG, Yatin Chawathe, John Krumm, 2005). Although this is still not a common solution, it creates an opportunity.

The last example application could be in the case of a ‘grooming’ investigation where an undercover investigator is in contact with a criminal. Even if the criminal did not have location sensors, the investigator could send a Trojan, hidden within for example a picture, that would retrieve location data such as the IP address or other information and send it back to the investigators. Although the success of such a method would depend on many aspects, such as the security setup of the criminal’s PC, the opportunity for exploitation of this feature exists.

8.2. exFAT / FAT64

The extended File Allocation Table (exFAT) is a new file system designed for high-capacity portable flash drives. Unlike some early speculation, it is not a replacement for the NTFS file system. It was first included in Windows Vista Service Pack 1 and Windows Embedded CE 6.0 and is now supported by Windows 7. The main advantages of exFAT over FAT32 are increased file size support, from 2^32 to 2^64 bytes, large capacity drive support (32GB+) and lower performance overheads (DAVAK, 2008). It is better suited to flash drives than NTFS because it does not have a journal and therefore preserves the longevity of the drive, since no single location is being constantly overwritten. However, this comes at the cost of the reliability of the file system.

The main drawback of the system is the lack of support from older systems or other platforms, which reduces the portability of an exFAT drive. Microsoft has released an optional update for XP users, available from the Windows Update website (MICROSOFT, 2009). However, since it is a proprietary file system, other platforms are disadvantaged and it will take time until such support becomes widespread. The file system is the default for SDXC cards, the newest large capacity SD cards with 32+ GB of storage (SD ASSOCIATION, 2008).

8.2.1. exFAT Identification

From the forensic perspective it is important to note that exFAT records time stamps in UTC rather than local time. The file system signature, the OEM Name ‘EXFAT’, can be found at byte offset 0x03, as shown in Figure 21:

Figure 21. exFAT partition signature 'EXFAT'


Some tools, for example the UNIX-based fdisk, do not recognise the partition type and identify it as an NTFS partition, as seen in Figure 22.

Figure 22. fdisk recognizes exFAT as NTFS with partition id=7

Analogously, Brian Carrier’s mmls tool for viewing partition tables (CARRIER, Brian) recognises it as an NTFS partition, see Figure 23.

Figure 23. Output from mmls tool, exFAT is recognised as NTFS
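As an added example (not from the dissertation or The Sleuth Kit), this Python shows why fdisk and mmls report exFAT as NTFS and how to resolve it: the MBR partition type byte is 0x07 for both, so the volume must be identified from the OEM name at offset 0x03 of its boot sector, as Figure 21 does. The MBR and boot sectors are constructed in memory; the offsets are the published MBR, NTFS and exFAT boot-sector layouts.

```python
import struct

SECTOR_SIZE = 512
OEM_NAME_OFFSET = 0x03          # 8-byte OEM name / FileSystemName in both NTFS and exFAT
EXFAT_OEM = b"EXFAT   "
NTFS_OEM = b"NTFS    "
EXFAT_MUST_BE_ZERO = slice(11, 64)   # exFAT zeroes the legacy BPB area (53 bytes)
BOOT_SIGNATURE = b"\x55\xAA"

PARTITION_TABLE_OFFSET = 0x1BE
PARTITION_ENTRY_SIZE = 16
TYPE_NTFS_EXFAT = 0x07          # shared "NTFS/HPFS/exFAT" type: all fdisk and mmls see


def partition_entry(mbr: bytes, index: int) -> dict:
    """Decode one of the four primary partition entries of an MBR sector."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    base = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
    ptype = mbr[base + 4]
    start_lba, sectors = struct.unpack_from("<II", mbr, base + 8)
    return {"type": ptype, "start_lba": start_lba, "sectors": sectors}


def identify_volume(boot_sector: bytes) -> str:
    """Classify a volume by the OEM name at 0x03, which the partition type cannot do."""
    if len(boot_sector) < SECTOR_SIZE or boot_sector[510:512] != BOOT_SIGNATURE:
        return "no boot sector"
    oem = boot_sector[OEM_NAME_OFFSET:OEM_NAME_OFFSET + 8]
    if oem == EXFAT_OEM:
        zero_ok = boot_sector[EXFAT_MUST_BE_ZERO] == bytes(53)
        return "exFAT" if zero_ok else "exFAT (MustBeZero region is not zero)"
    if oem == NTFS_OEM:
        return "NTFS"
    return f"unknown (OEM name {oem!r})"


def describe_partition(mbr: bytes, index: int, disk: bytes) -> dict:
    """Combine the MBR view (what fdisk/mmls report) with the boot-sector view."""
    entry = partition_entry(mbr, index)
    start = entry["start_lba"] * SECTOR_SIZE
    vbr = disk[start:start + SECTOR_SIZE]
    if entry["type"] == TYPE_NTFS_EXFAT:
        entry["mbr_says"] = "NTFS/exFAT (type 0x07)"
    else:
        entry["mbr_says"] = f"type 0x{entry['type']:02x}"
    entry["boot_sector_says"] = identify_volume(vbr)
    return entry


# --- constructed sample disks: one type-0x07 partition at LBA 2048, as on Windows 7 ---

def make_boot_sector(oem: bytes, jump: bytes) -> bytes:
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = jump                                     # jump instruction
    sector[OEM_NAME_OFFSET:OEM_NAME_OFFSET + 8] = oem      # OEM name / FileSystemName
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def make_mbr(ptype: int, start_lba: int, sectors: int) -> bytes:
    mbr = bytearray(SECTOR_SIZE)
    # status, CHS start (3), type, CHS end (3), LBA start, sector count
    struct.pack_into("<BBBBBBBBII", mbr, PARTITION_TABLE_OFFSET,
                     0x80, 0, 0, 0, ptype, 0, 0, 0, start_lba, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def make_disk(boot_sector: bytes, start_lba: int = 2048) -> bytes:
    disk = bytearray(SECTOR_SIZE * (start_lba + 1))
    disk[0:SECTOR_SIZE] = make_mbr(TYPE_NTFS_EXFAT, start_lba, 1)
    disk[start_lba * SECTOR_SIZE:(start_lba + 1) * SECTOR_SIZE] = boot_sector
    return bytes(disk)


EXFAT_DISK = make_disk(make_boot_sector(EXFAT_OEM, b"\xEB\x76\x90"))
NTFS_DISK = make_disk(make_boot_sector(NTFS_OEM, b"\xEB\x52\x90"))


if __name__ == "__main__":
    for name, disk in (("exFAT", EXFAT_DISK), ("NTFS", NTFS_DISK)):
        print(name, describe_partition(disk[:SECTOR_SIZE], 0, disk))
```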

8.3. Partition Table

By default, during the Windows 7 installation process two partitions are created: a backup partition and the Windows volume. The first is a hidden, letter-less partition called System_Reserved, which is used for backup purposes but also by BitLocker if enabled. Its size is 100MB, reduced from 200MB in the Windows 7 Beta version. Users cannot access it via Windows Explorer because it has no drive letter assigned to it, therefore it is not even displayed. This is done on purpose to avoid curious users changing important files, which was common with Vista’s 1.5GB partition. BitLocker uses this partition to store boot information that is executed during the authentication process. It is however possible that the partition is not created: if the user installs Windows 7 on a drive where other partitions already exist, the volume is not created.

The second partition is the C: drive system volume with the Windows 7 OS. Possibly due to the size of modern hard drives, Microsoft decided not to give an option to format with any file system other than NTFS. As a result it is the standard file system on all Windows 7 volumes.


The fdisk tool shows two partitions being recognised as NTFS, with their start and end points, see Figure 24.

Figure 24. fdisk recognised two partitions as NTFS

The mmls tool (CARRIER, Brian) outputs the physical location of the two partitions, the first being the System Reserved and the second the Windows 7 volume. It also confirms that both are formatted with NTFS (see Figure 25).

Figure 25. mmls tool displays the details and locations of the two partitions.

The fsstat tool (CARRIER, Brian) was used to view the details of each partition, which can be seen in Figure 26.

Figure 26. The output from the fsstat tool with details of the System Reserved (left) and Windows 7 partitions (right).

The fsstat tool was developed as part of The Sleuth Kit (CARRIER, Brian, 2009) by Brian Carrier years before the Windows 7 release, which is possibly why it recognises the volumes as Windows XP.

As with Windows Vista, the Volume Boot Record is still located at sector 2048 of the hard drive.

Forensic analysts should be familiar with the Windows 7 partition setup for obvious reasons. Examination of the structure of the hard drive plays a crucial part in the digital investigation.

8.4. XP mode

Although Windows 7 has had a few major compatibility problems reported, it is still a big improvement compared to its predecessor Windows Vista. This was confirmed throughout the whole research, where it worked faultlessly on many different hardware and software setups. However, Microsoft, wanting to avoid the situation from early 2007, incorporated Windows XP Mode into the new OS.


It is designed to overcome any possible incompatibility issues by running a virtualized Windows XP Operating System. XP is highly embedded into Windows 7, offering seamless operation (MICROSOFT VIRTUALISATION TEAM, 2009); however, as with any virtualized system, there is a performance overhead. The feature is primarily designed for enterprises where support for legacy software is required, but everyday users can also benefit from it.

It comprises Microsoft Virtual PC and Windows XP SP3 (it is unclear whether the Home or Professional edition), free to download for Windows 7 Professional, Enterprise and Ultimate owners. Compatible hardware is still required: the processor needs to support either Intel’s Virtualisation Technology or AMD-V, which can be verified with the free tool SecurAble (GIBSON, Steve, 2008).

Unfortunately, due to the lack of supported hardware available for this research, the feature could not be examined for forensic artefacts. It is believed that it could potentially create new sources of evidence.

8.5. Mix

Unlike its predecessors, Windows 7 is not shipped with an embedded email client. Windows XP included Outlook Express as the default client and Vista came with an email client; however, Microsoft decided to exclude the functionality from the newest system. Instead, the Windows Live Essentials package includes Mail, the new email client, and other applications such as Messenger or Photo Gallery. Because it is not built into the system it is not included in this research, although it certainly carries a significant footprint for forensics.

If examiners decide to use Windows 7 as the forensic platform, it is important to note that, as in Windows Vista, all forensic applications and tools should be run ‘As Administrator’ in order to avoid program malfunctions. This is due to User Account Control (UAC) privilege limitations.

9. Methodology

Various research methodologies were used throughout the study. The choice of method depended on the examined feature. Because of the variety of aspects of Windows 7, every feature discussed was independent and differed from the others. Therefore, it posed a challenge to approach the problem in the best possible manner.

During the background research a lot of time was devoted to gathering the information available about the topic. Due to the novelty of the research area there were very few sources of information. As a result, the literature review in a strict sense was very limited, because there is no literature about Windows 7 forensics. No books or even research papers had been published up to or during the writing of this research, at least to the best of the author’s knowledge. This lack of information on the particular subject reinforced the novelty factor of this research.

The only available sources of information were online resources. Some examiners shared their initial experiences of the new system on blogs or forums. However, they either failed to go into detail or focused on very specific aspects only. Although these were incomplete and sparse pieces of information, they did help, especially in identifying possible sources of forensic evidence.

At this stage it was believed that it could be highly beneficial to get information from the source. However, Microsoft is a giant enterprise and it seemed nearly impossible to get its attention. After a long search it was discovered that Chris Ard, an Investigative Consultant with Microsoft’s Law Enforcement Support Team, was scheduled to deliver a presentation (ARD, Chris, 2009) on the forensic aspects of Windows 7 at the Crimes Against Children Conference in Dallas, USA. Email contact was initiated and Chris agreed to shed some light on the new Windows forensics. Because it was still a month before the conference, he did not have facts confirmed through detailed analysis. However, he was kind enough to share his findings about possible sources of evidence. Interestingly, Chris Ard said “there isn’t any guidance from the product development team regarding the changes that affect forensic investigations”, even for Microsoft’s own forensic team. This ‘every man for himself’ approach at Microsoft only stressed the importance of this research and of sharing the findings with the community. The findings from Chris Ard were very helpful and, together with other known information, formed a basis for the research. Identification of the potential sources of forensic evidence was considered a key factor in the success of the research. It was expected that further sources of evidence would be found during the analysis process, but having the basic structure was crucial.

As mentioned before, the documentation of Windows 7 is very limited, both from Microsoft and from the forensic community. The purpose of this paper is to focus on the impact that Windows 7 has on forensic examinations, and not Vista. It was therefore necessary to learn the impact that Vista had on forensic analysis in order to help identify new features in comparison to its predecessors. In addition, studying multiple papers on this subject helped to find the balance between the technical and theoretical approach, and to learn how to create a competent document focused on forensic examiners.

Once the potential sources were identified, the examination of the individual aspects started. Due to the great variety of the features and their scope, it was impossible to employ a single methodology. Therefore each of them had to be approached individually, with research methods tailored to its characteristics. However, in order to ensure the overall quality of the examination, a general modus operandi was adopted. If the feature in question was newly introduced, it was researched in depth to gain a thorough understanding of its operation; where possible it was examined practically, forensic conclusions were drawn, and if needed the process was repeated until satisfactory conclusions could be reached. Not all features created new sources of evidence; where no findings were discovered, it was concluded that the feature has no impact on the forensic analysis process. If, however, new sources were found, significant effort was put into documenting the new artefacts. Some of them were successfully analysed and produced comprehensive results, whereas others still require more in-depth research, possibly an extensive and dedicated future study.

When Internet Explorer 8 was examined in search of potential forensic evidence, at first it appeared that the few changes would have little effect on forensics. However, as the research progressed, more interesting aspects were discovered. At the beginning it was approached by analysing the new features introduced in IE8, with the purpose of recognising whether they could potentially create new artefacts or data files. Next, the functionality of the features was analysed for the same purpose. Finally, if any data files were found, they were examined to produce detailed documentation, although in some cases the structures were so complex that comprehensive documentation would require a lengthy in-depth study, for example the session recovery files. As with other sections, the feature was reviewed from the forensic perspective in order to identify its impact.

Another section that required a highly tailored approach was BitLocker. Because of the complexity of BitLocker and its potentially high impact on forensic analysis, it was decided to first study BitLocker in Windows Vista and then to discuss the Windows 7 BitLocker. This approach was believed to address the fact that the new version is more of an evolution of its predecessor than a complete replacement. To discuss the Windows 7 BitLocker alone would leave the reader clueless about the functionality it shares with its predecessor and effectively render the examination incomplete.

The Registry section also required separate consideration. Because of its technical nature, it was bound to consist mainly of registry key locations. Some additional comments were made to clarify to the reader what each key contains and why it is important to an examination. Moreover, the registry as a structure has remained the same for many versions of Windows; only the contents changed. As the Windows XP registry was analysed in depth, it is well documented by researchers. One of the papers (FARMER, Derrick, 2007) provided a reference for forensic examiners and as a result formed the basis for the examination of the Windows 7 registry. All keys included in the paper were verified against the new registry. Any significant changes were examined in detail, for example the UserAssist keys. In addition, the RegRipper software (CARVEY, Harlan and SHAVERS, Brett, 2009) was used to help identify the updated registry keys. Additionally, through browsing potentially significant keys it was possible to identify new, important registry keys or values.

9.1. Hardware and Software Used

Throughout the whole research a wide variety of hardware and software setups was used. This was primarily driven by a desire to examine the final version of Windows 7, in order to ensure that the results are applicable and comparable with what examiners can encounter. Therefore it was crucial to obtain the latest version, which became possible on the 6th of August 2009, when Microsoft released the final RTM build to MSDN subscribers.

| Soft/Hardware | Desktop | Laptop | Netbook |
|---|---|---|---|
| OS version | Windows 7 RTM Pro; Windows 7 RC Ultimate | Windows 7 RTM Pro; Windows Vista Home Premium; Windows 7 RC Ultimate | Ubuntu 8.04; Windows XP SP3 |
| CPU | 2.6 GHz Pentium 4 | 1.8 GHz Intel C2D | 1.6 GHz Intel Atom |
| Memory | 1 GB @ 333 MHz | 2 GB @ 667 MHz | 1.5 GB @ 533 MHz |
| Hard Disk | 40 GB | 160 GB | 320 GB |
| Network | LAN | LAN, WiFi | LAN, WiFi |
| Graphics | ATI Radeon 9660 Pro | Integrated | Integrated |

Table 10. Hardware and Software Specification of the PCs used

Table 10 presents the hardware and software specifications of the PCs used for the examination. The primary PC was the desktop computer with Windows 7 installed, whereas the other PCs were used to verify results. In addition, the netbook was used as the analysis machine, running Ubuntu 8.04 with The Sleuth Kit (CARRIER, Brian, 2009) and other open source forensic tools. The Windows 7 PCs had X-Ways Forensics and WinHex installed (X-WAYS, 2009). The author of the tools was kind enough to provide a demo version of the X-Ways Forensics software.

The great majority of results was obtained with the RTM version, although some features, for example BitLocker, were only available in the Ultimate edition, hence the RC version was used for them. However, there were no reports that BitLocker underwent any changes in the RTM product.

10. Conclusions

This section concludes the findings of the research, outlining the achievements of the study while also analysing its weaknesses. Next is a review of the obstacles faced during the research. Later, the author discusses his reflections on the research, and the following section covers the overall conclusions. Last is a discussion of the recommended future work on this topic.

10.1. Research Achievements

The expected deliverables set before the study were based on initial research about the changes to the new system. It was a common belief that because the system is an evolution of Vista, it would not have many forensically significant changes. Therefore the deliverables were expected to include a forensic analysis experiment on Windows 7 and a comparison to the older systems. Additionally, a software compatibility review was intended to accompany the results to help examiners choose their toolkit. Finally, the optional requirement was a Windows 7 Forensic Analysis Draft to guide examiners through the process.

While it is still believed that the fulfilled deliverables could form a complete reference for Windows 7 forensics, it was quickly recognised that this would require significantly more time than two months and more than one researcher. Once the research started it became clear that the amount of time required to examine all features had been highly underestimated at the beginning. However, there was no means to provide a correct estimate, since the changes in the new system were very sparsely, if at all, documented. Therefore the deliverables were reviewed in order to identify the requirements of the highest priority. It was decided that the analysis of the forensically significant features was the primary objective, since this is what will have a real impact on forensic investigations. Not only can it help examiners, but forensic software developers could also benefit from the research findings, as they could address the new sources of evidence in their software.

Thanks to the comprehensive research on the system changes it was possible to successfully identify the features that could create new sources of evidence. Various information gathering methods were employed, including reading the available documentation, contacting experts and thorough online searches. The identification proved successful when a source from Microsoft confirmed which features are likely to affect forensics (MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009). Moreover, this research uncovered more sources of evidence than were suggested by the materials provided by Microsoft.

During the analysis stage some features did not produce new sources of evidence, whereas others did. Furthermore, some changes were discovered to have a potentially great impact on forensics. However, regardless of the outcome, the detailed analysis of the features alone can be considered an achievement. Even if no evidence could be found, it means that the feature has been recognised as forensically insignificant and can be excluded from the forensic examination.

A great deal of time was devoted to the IE8 analysis, since online activity is often the cause of the investigation in the first place. Some could argue that the browser is not Windows 7 specific and could be omitted; however, it is still the default browser for the new Windows. What is more, the information contained in the section devoted to IE8 could also benefit investigators examining other Windows systems, with IE8 on Vista in particular. The section included a detailed analysis of the InPrivate Browsing capability and the identification and examination of the Suggested Sites and Session Recovery artefacts. Although very little information was available, an attempt was made to document the features from the forensic perspective.

Some of the user experience improvements also produced new sources of evidence. The much talked about Jump List feature was examined and produced interesting results. Although due to its complexity it was not possible to document the component in depth, it was possible to retrieve history records. The other new functionality analysed, the new search capability, produced information about the remote locations that a suspect was accessing.

The BitLocker analysis also delivered a vast amount of information important to examiners. The introduction of portable drive encryption can have a significant impact on examinations. Although the research did not provide the examiner with a way around the BitLocker protection, which is hardly a feasible task, it provided the means to identify an encrypted volume. Besides this, some other minor changes were reviewed and, crucially, the potential impact of the updated BitLocker was discussed.

Among many other findings, the analysis of the Windows Registry produced a quick reference of important registry entries. In particular, the UserAssist keys were analysed and decoded, and in effect highly valuable user activity data was extracted. This evidence source was one of the most commonly investigated data artefacts in previous versions of Windows. Hence it was highly important to decode and document the new format.

10.2. Actual Constraints

Now that the research is finished it is safe to say that the limitations outlined in the Project Constraints section were correctly identified. Combined, they composed a substantial challenge to the success of the research. The major obstacle was the most obvious one: the time limitation. Having more time would have benefited the project with a more in-depth analysis of the new features, allowed all set requirements to be met and provided more time for writing the report. However, as with all academic research there is a deadline that needs to be adhered to. Appropriate time management was in place, although there was room for improvement. In spite of this the topic was thoroughly researched and produced significant results.

Initially the complexity of the Windows operating system was understated, as were the changes in comparison to Windows 7’s predecessors. It was when the identification finished and the examination stage started that it became clear that the project was too ambitious. It required intensive research and a variety of different experiments to understand the forensic significance of the discussed features. The lack of documentation posed a real challenge, since for many tasks it was necessary to employ reverse engineering techniques.

Moreover, the availability of forensic software was indeed a great obstacle. Since, as expected, manufacturers do not post demonstration versions online, they had to be requested and, depending on the delivery method, this can take a long time. The EnCase demo arrived after over 3 weeks and its functionality was heavily limited, making it impossible to examine the Windows 7 forensic image. X-Ways Forensics was sent electronically, but the trial version only worked on the C: drive of the system. Although it was very helpful for the feature analysis process, it was not feasible to perform analysis of the image with it. In addition to the time constraints, it was also decided that since the software compatibility testing could not be performed on multiple products it could not form a comprehensive review; therefore the deliverable was abandoned.

However, one of the problems happened to resolve itself when Microsoft decided to release the Windows 7 final version to MSDN subscribers (LEBLANC, Brandon, 2009). At the time the news was published, it was unclear whether this would include the Academic Alliance student subscription. Fortunately, it did, so previously obtained results could be verified and experiments replicated.

10.3. Final Conclusions

This research delved into Windows 7 three months prior to its official release in order to investigate the changes made to the new system and their impact on forensics. It has compiled and verified the majority of the information regarding the new Windows and its analysis. In addition, it has attempted to document some of the new features identified as forensically significant. Through the examination of their behaviour and the data artefacts they produce, the research has discovered new potential sources of evidence. Moreover, a selection of already recognised evidence sources was evaluated against the new platform.

Shortly after the release of the Beta version of the new Windows, many had the impression that little had changed since its predecessor, that it was an evolved version of Vista, “but a lot better!” as Microsoft’s CEO said (PARRISH, Kevin, 2008). Despite the fact that Windows 7 does not bring a revolution to the Windows OS family, it may leave its footprint on Windows forensics. Firstly, its positive reception suggests that it may quickly become vastly popular, so examiners will be very likely to face a computer with the new system. Secondly, developers focused on adding more functionality, which in turn created new sources of evidence. Improvements to the user experience generated more forensic artefacts, with features like the Jump List and the Suggested Sites or Session Recovery in Internet Explorer 8. However, some features introduced new challenges to forensic investigations, such as portable drive encryption or private internet browsing. Ease of use combined with the perceived privacy can affect their popularity. Therefore this research tries to raise awareness and provide examiners with identification techniques in order to help them approach the analysis in the best possible manner.

This study attempted to cover in detail most of the forensic issues surrounding Windows 7; however, it certainly has not exhausted the topic. In fact, it is thought to be quite the opposite. Hopefully it will attract the forensic community to further research in more specific areas of the subject, and, primarily, it will aid computer forensic investigators when faced with the new Windows for the first time.

10.4. Future Work

On top of the aspects already covered, a more in-depth analysis of certain features would be the next improvement. Due to the lack of compatible hardware, Windows XP Mode and the Location API could not be fully examined. Both can potentially be valuable sources of evidence. Additionally, other functionality that was not discussed because it was considered not to have changed, e.g. the Recycle Bin or Prefetch (MMAHOR, 2009), could be verified.

It is believed that fulfilling all the set deliverables would add a more practical side to the research. The comparison of the results from the forensic analysis of Windows 7 and its predecessors would certainly point out more of the minor changes, whereas the production of the analysis draft could provide examiners with a hands-on guide to Windows 7 examination.

Since this is only the first look at Windows 7 forensics, there are plenty of further research opportunities in this area. The paper aimed to deliver a basis for forensic examiners, but also for forensic researchers wanting to further expand the community’s knowledge.

Bibliography

585. 2009. Data Loss Examples in 2008. [online]. [Accessed 15 Aug 2009]. Available from: <http://whereismydata.wordpress.com/2009/01/07/data-loss-examples-in-2008/>

AARON. 2009. Disable IE8 In-Private Feature. [online]. [Accessed 04 Aug 2009]. Available from: <http://didyourestart.blogspot.com/2009/05/disable-ie8-in-private-feature.html>

ARD, Chris. 2009. Speakers. [online]. [Accessed 20 Jul 2009]. Available from: <https://cacconference.org/Speakers.html#Chris_Ard>

BBC NEWS. 2009. Human error blamed for data loss. [online]. [Accessed 15 Aug 2009]. Available from: <http://news.bbc.co.uk/1/hi/england/lancashire/8003757.stm>

BBC NEWS UK. 2009. Windows 7 flies off virtual shelf. [online]. [Accessed 31 Jul 2009]. Available from: <http://news.bbc.co.uk/1/hi/technology/8151342.stm>

BRIGHT, P. 2008. First look at Windows 7's User Interface. [online]. [Accessed 22 Jul 2009]. Available from: <http://arstechnica.com/microsoft/news/2008/10/first-look-at-windows-7.ars>

CARRIER, Brian. 2009. The Sleuth Kit. [online]. [Accessed 15 Aug 2009]. Available from: <http://www.sleuthkit.org/sleuthkit/>

CARRIER, Brian. FSSTAT(1) manual page. [online]. [Accessed 15 Aug 2009]. Available from: <http://www.sleuthkit.org/sleuthkit/man/fsstat.html>

CARRIER, Brian. MMLS(1) Manual Page. [online]. [Accessed 04 Aug 2009]. Available from: <http://www.sleuthkit.org/sleuthkit/man/mmls.html>

CARVEY, Harlan. 2007. Windows Forensic Analysis DVD toolkit. USA: Syngress.

CARVEY, Harlan. 2009. search results for "Windows 7". [online]. [Accessed 31 Jul 2009]. Available from: <http://windowsir.blogspot.com/search?q=%22windows+7%22>

CARVEY, Harlan. 2009. Windows 7 Beta Registry. [online]. [Accessed 15 Aug 2009]. Available from: <http://windowsir.blogspot.com/2009/01/windows-7-beta-registry.html>

CARVEY, Harlan. 2009. Windows Forensic Analysis DVD toolkit, Second Edition. Syngress.

CARVEY, Harlan. 2009. Windows Registry Forensic Analysis. [online]. [Accessed 15 Aug 2009]. Available from: <http://windowsir.blogspot.com/2009/07/windows-registry-forensic-analysis.html>

CARVEY, Harlan and Brett SHAVERS. 2009. RegRipper. [online]. [Accessed 31 Jul 2009]. Available from: <www.regripper.net>

CLARKE, Gavin. 2009. Microsoft to bomb Europe with IE-free Windows 7. [online]. [Accessed 03 Aug 2009]. Available from: <http://www.channelregister.co.uk/2009/06/11/microsoft_windows_ie_sku_europe/>

CODEPLEX, MICROSOFT. 2009. BibWord: Microsoft Word Citation and Bibliography styles. [online]. [Accessed 31 Jul 2009]. Available from: <http://www.codeplex.com/bibword/Release/ProjectReleases.aspx?ReleaseId=15852>

DAVAK. 2008. exFAT vs FAT32 vs NTFS. [online]. [Accessed 04 Aug 2009]. Available from: <http://www.tech-recipes.com/rx/2801/exfat_versus_fat32_versus_ntfs/>

DIGITAL DETECTIVE GROUP LTD. 2009. DCode. [online]. [Accessed 15 Aug 2009]. Available from: <http://www.digital-detective.co.uk/freetools/decode.asp>

DMEX. 2008. Windows 7 Search Federation Providers. [online]. [Accessed 04 Aug 2009]. Available from: <http://www.sevenforums.com/tutorials/742-windows-7-search-federation-providers.html>

EDOCEO. 2009. ROT13 Conversions. [online]. [Accessed 25 Aug 2009]. Available from: <http://edoceo.com/utilitas/rot13>

FARMER, Derrick. 2007. A Forensic Analysis of The Windows Registry; A Windows Registry Quick Reference: For the Everyday Examiner. [online]. [Accessed 15 Aug 2009]. Available from: <http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry>

FERGUSON, Niels. 2006. AES - CBC + Elephant Diffuser: A Disk Encryption Algorithm for Windows Vista. [online]. [Accessed 15 Aug 2009]. Available from: <http://download.microsoft.com/download/0/2/3/0238acaf-d3bf-4a6d-b3d6-0a0be4bbb36e/BitLockerCipher200608.pdf>

FIVEASH, Kelly. 2009. Microsoft ditches Windows 7 E plans. [online]. [Accessed 03 Aug 2009]. Available from: <http://www.theregister.co.uk/2009/08/03/microsoft_ditches_windows_e_plans/>

FORENSIC WIKI. 2009. BitLocker Disk Encryption. [online]. [Accessed 15 Aug 2009]. Available from: <http://www.forensicswiki.org/wiki/BitLocker_Disk_Encryption>

FUNK, Troy. 2008. BitLocker: Protecting data in Windows 7 and Windows Server 2008 R2. In: Microsoft WinHec 2008. Microsoft.

GIBSON, Steve. 2008. SecurAble: Determine Processor Security Features. [online]. [Accessed 15 Aug 2009]. Available from: <http://www.grc.com/securable.htm>

GUIDANCE SOFTWARE INC. 2009. Guidance Software. [online]. [Accessed 31 Jul 2009]. Available from: <http://www.guidancesoftware.com/>

HARGREAVES, C and H CHIVERS. 2007. Potential Impacts of Windows Vista on Digital. [online]. [Accessed 31 Jul 2009]. Available from: <http://www.forensicfocus.com/downloads/potential-impact-windows-vista.pdf>

HUNTER, Jamie. 2006. Detecting BitLocker. [online]. [Accessed 15 Aug 2009]. Available from: <http://blogs.msdn.com/si_team/archive/2006/10/26/detecting-bitlocker.aspx>

JENSKR. 2009. Windows 7 and forensic tools. [online]. [Accessed 31 Jul 2009]. Available from: <http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6529921#6529921>

JODO3333. 2009. Microsoft Technet: Windows 7 forum: Jump List History Location? [online]. [Accessed 04 Aug 2009]. Available from: <http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf>

JONES, Keith. 2003. Pasco v1.0. [online]. [Accessed 03 Aug 2009]. Available from: <http://www.foundstone.com/us/resources/proddesc/pasco.htm>

KIRIATY, Yochay and Alon FLIESS. 2009. Inside Windows 7: Introducing Libraries. [online]. [Accessed 04 Aug 2009]. Available from: <http://msdn.microsoft.com/en-us/magazine/dd861346.aspx>

KORNBLUM, Jesse. 2009. Implementing BitLocker Drive Encryption for forensic analysis. Digital Investigation, pp. 75-84.

LEBLANC, Brandon. 2009. The Date for General Availability (GA) of Windows 7 is…. [online]. [Accessed 03 Aug 2009]. Available from: <http://windowsteamblog.com/blogs/windows7/archive/2009/06/02/the-date-for-general-availability-ga-of-windows-7-is.aspx>

LEBLANC, Brandon. 2009. Windows 7 has been Released To Manufacturing. [online]. [Accessed 03 Aug 2009]. Available from: <http://windowsteamblog.com/blogs/windows7/archive/2009/07/22/windows-7-has-been-released-to-manufacturing.aspx>

LEBLANC, Brandon. 2009. Windows 7 Team Blog: When will you get Windows 7 RTM? [online]. [Accessed 22 Jul 2009]. Available from: <http://windowsteamblog.com/blogs/windows7/archive/2009/07/21/when-will-you-get-windows-7-rtm.aspx>

MCKINNON, Mark. 2009. Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7. [online]. [Accessed 26 Aug 2009]. Available from: <http://cfed-ttf.blogspot.com/2009/08/decoding-datecreated-and.html>

MICROSOFT. 2009. Update for Windows XP KB955704. [online]. [Accessed 04 Aug 2009]. Available from: <http://www.microsoft.com/downloads/details.aspx?FamilyID=1cbe3906-ddd1-4ca2-b727-c2dff5e30f61&displaylang=en>

MICROSOFT. 2009. Windows 7 BitLocker Executive Summary. [online]. [Accessed 15 Aug 2009]. Available from: <http://technet.microsoft.com/en-us/library/dd548341(WS.10).aspx>

MICROSOFT LAW ENFORCEMENT TECH TEAM. 2009. IE8 Trustworthy Computing and InPrivate Browsing. In: Microsoft Law Enforcement. UK: Microsoft.

MICROSOFT LAW ENFORCEMENT TECH TEAM. 2009. Windows 7 Forensic Introduction. In: Microsoft Law Enforcement. UK.

MICROSOFT MSDN. 2009. About Logging Location Activity. [online]. [Accessed 03 Aug 2009]. Available from: <http://msdn.microsoft.com/en-us/library/dd756640(VS.85).aspx>

MICROSOFT MSDN. 2009. Introduction to the Sensor and Location Platform in Windows. [online]. [Accessed 03 Aug 2009]. Available from: <http://msdn.microsoft.com/en-us/library/cc974528.aspx>

MICROSOFT MSDN LIBRARY. 2009. Time_Zone_Information Structure. [online]. [Accessed 15 Aug 2009]. Available from: <http://msdn.microsoft.com/en-us/library/ms725481%28VS.85%29.aspx>

MICROSOFT TECHNET. 2009. Windows 7 BitLocker Executive Overview. [online]. [Accessed 15 Aug 2009]. Available from: <http://technet.microsoft.com/en-us/library/dd548341%28WS.10%29.aspx>

MICROSOFT TECHNET. 2009. Windows BitLocker Drive Encryption Frequently Asked Questions. [online]. [Accessed 16 Aug 2009]. Available from: <http://technet.microsoft.com/en-us/library/cc766200(WS.10).aspx#BKMK_Partitions>

MICROSOFT. TechNet Library. [online]. [Accessed 22 Jul 2009]. Available from: <http://technet.microsoft.com/en-gb/library/dd349779.aspx>

MICROSOFT TECHNET LIBRARY. 2009. BitLocker Drive Encryption Technical Overview. [online]. [Accessed 15 Aug 2009]. Available from: <http://technet.microsoft.com/en-us/library/cc732774%28WS.10%29.aspx>

MICROSOFT VIRTUALISATION TEAM. 2009. Microsoft Virtual PC: Three modes of Windows XP Mode. [online]. [Accessed 28 Aug 2009]. Available from: <http://blogs.technet.com/windows_vpc/archive/2009/08/27/three-modes-of-windows-xp-mode.aspx>

MMAHOR. 2009. Windows 7 analysis. [online]. [Accessed 31 Jul 2009]. Available from: <http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6527312#6527312>

MORRIS, Jamie. 2007. Notes on Vista Forensics, Part One. [online]. [Accessed 31 Jul 2009]. Available from: <http://www.securityfocus.com/infocus/1889>

MSDN BLOG. 2009. Some Changes Since Beta for the RC. [online]. [Accessed 03 Aug 2009]. Available from: <http://blogs.msdn.com/e7/archive/2009/02/26/some-changes-since-beta.aspx>

MUELLER, Lance. 2007. Basic Investigations of Windows Vista. [online]. [Accessed 31 Jul 2009]. Available from: <www.lancemueller.com/vistaceic2007.pptrvF_xTw8gBYPsg&sig2=4S4QVxRcY0oO7xTwNL9eQQ>

MUELLER, Lance. 2008. BitLocker Incident Response. [online]. [Accessed 15 Aug 2009]. Available from: <http://www.youtube.com/watch?v=FQotTY1qqks>

NET APPLICATIONS. 2009. Top Operating System Share Trend. [online]. [Accessed 15 Aug 2009]. Available from: <http://marketshare.hitslink.com/os-market-share.aspx?qprid=9>

OASOL. 2009. Windows 7. [online]. [Accessed 31 Jul 2009]. Available from: <http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6530958>

OIAGA, Marius. 2009. Windows 7 User Interface - the Superbar (Enhanced Taskbar) A Microsoft Perspective - Softpedia. [online]. [Accessed 15 Aug 2009]. Available from: <http://news.softpedia.com/news/Windows-7-User-Interface-The-Superbar-Enhanced-Taskbar-97143.shtml>

PAGE, Lewis. 2008. MoD: We lost 87 classified USB sticks since 2003. [online]. [Accessed 15 Aug 2009]. Available from: <http://www.theregister.co.uk/2008/07/18/mod_secret_usb_sticks/>

PARRISH, Kevin. 2008. Ballmer says Windows 7 is Vista but improved! [online]. [Accessed 03 Aug 2009]. Available from: <http://www.tomsguide.com/us/Windows-Vista-7-Microsoft,news-2789.html>

PERNICK, Ari. 2006. A bit about WinInet's Index.dat. [online]. [Accessed 04 Aug 2009]. Available from: <http://blogs.msdn.com/wndp/archive/2006/08/04/WinInet_Index_dat.aspx>

PIRIFORM LTD. 2009. Version History. [online]. [Accessed 04 Aug 2009]. Available from: <http://www.ccleaner.com/download/version-history>

PROTALINSKI, Emil. 2009. Six editions of Windows 7: better than Vista, still too many. [online]. [Accessed 03 Aug 2009]. Available from: <http://arstechnica.com/microsoft/news/2009/02/official-windows-7-skus-revealed-six-editions.ars>

SANS FORENSICS BLOG. 2009. Computer Forensic Guide To Profiling USB Devices on Win7, Vista, and XP. [online]. [Accessed 20 Aug 2009]. Available from: <https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_vista_win7_guide.pdf>

SD ASSOCIATION. 2008. Developers: SDXC Massive Storage, Incredible Speed. [online]. [Accessed 04 Aug 2009]. Available from: <http://www.sdcard.org/developers/tech/sdxc>

SHARP, John. 2008. FoxIT Exposes IE8 Beta Privacy Limits. [online]. [Accessed 04 Aug 2009]. Available from: <http://authentium.blogspot.com/2008/08/foxit-exposes-ie8-beta-privacy-limits.html>

SOFER, Nir. 2009. Web Browser Tools. [online]. [Accessed 04 Aug 2009]. Available from: <http://www.nirsoft.net/web_browser_tools.html>

STEVENS, Didier. 2009. Didier Stevens Blog. [online]. [Accessed 31 Jul 2009]. Available from: <http://blog.didierstevens.com/2009/01/29/quickpost-vigenere-is-beta-only/>

STEWART, Barrie. 2007. Forensic Implications of Windows Vista. [online]. [Accessed 03 Aug 2009]. Available from: <http://www.whereisyourdata.co.uk/data/modules/wfdownloads/singlefile.php?cid=4&lid=9>

SYSINTERNALS. 2009. Autoruns for Windows v9.53. [online]. [Accessed 15 Aug 2009]. Available from: <http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx>

TOR PROJECT INC. 2009. Tor: Overview. [online]. [Accessed 03 Aug 2009]. Available from: <http://www.torproject.org/overview.html.en>

WIKIPEDIA. 2009. Windows 7 Editions Comparison Chart. [online]. [Accessed 25 Aug 2009]. Available from: <http://en.wikipedia.org/wiki/Windows_7_editions#Comparison_chart>

WOODWARD, Andrew. 2006. BitLocker - the end of digital forensics? In: Proceedings of the 4th Australian Digital Forensics Conference. Perth, Australia: Edith Cowan University.

X-WAYS. 2009. Software for Computer Forensics, Data Recovery and IT Security. [online]. [Accessed 01 Aug 2009]. Available from: <http://www.x-ways.net/>

YOCHAYK. 2009. The Windows 7 Blog for Developers: Windows 7 Taskbar - Part 1. [online]. [Accessed 15 Aug 2009]. Available from: <http://blogs.msdn.com/yochay/archive/2009/01/06/windows-7-taskbar-part-1-the-basics.aspx>

CHENG, Yu-Chung, CHAWATHE, Yatin and KRUMM, John. 2005. Accuracy Characterization for Metropolitan-scale Wi-Fi. [online]. [Accessed 03 Jul 2009]. Available from: <http://www.placelab.org/publications/pubs/IRS-TR-05-003.pdf>

ZEIGLER, Andy. 2008. IE8 and Privacy. [online]. [Accessed 03 Aug 2009]. Available from: <http://blogs.msdn.com/ie/archive/2008/08/25/ie8-and-privacy.aspx>


APPENDIX A – Windows 7 Editions Comparison Chart

This chart compares all editions of Windows 7 by their capabilities. This is the most complete comparison chart available online.

Cost & Features | Starter | Home Basic | Home Premium | Professional | Enterprise | Ultimate
----------------|---------|------------|--------------|--------------|------------|---------
Availability | OEM licensing | Emerging markets | Retail and OEM licensing | Retail and OEM licensing | Volume licensing | Retail and OEM licensing
32-bit and 64-bit versions | 32-bit only | 32-bit only | Both | Both | Both | Both
Maximum physical memory (64-bit mode) | N/A | 8 GB | 16 GB | 192 GB | 192 GB | 192 GB
Maximum CPU chips supported | 1 | 1 | 1 | 2 | 2 | 2
Home Group (create and join) | Join only | Join only | Yes | Yes | Yes | Yes
Backup and Restore Center | Cannot back up to network | Cannot back up to network | Cannot back up to network | Yes | Yes | Yes
Multiple monitors | No | Yes | Yes | Yes | Yes | Yes
Fast user switching | No | Yes | Yes | Yes | Yes | Yes
Desktop wallpaper changeable | No | Yes | Yes | Yes | Yes | Yes
Desktop Window Manager | No | Yes | Yes | Yes | Yes | Yes
Windows Mobility Center | No | Yes | Yes | Yes | Yes | Yes
Windows Aero | No | Partial | Yes | Yes | Yes | Yes
Multi-Touch | No | No | Yes | Yes | Yes | Yes
Premium games included | No | No | Yes | Yes | Yes | Yes
Windows Media Center | No | No | Yes | Yes | Yes | Yes
Windows Media Player Remote Media Experience | No | No | Yes | Yes | Yes | Yes
Encrypting File System | No | No | No | Yes | Yes | Yes
Location Aware Printing | No | No | No | Yes | Yes | Yes
Remote Desktop Host | No | No | No | Yes | Yes | Yes
Presentation Mode | No | No | No | Yes | Yes | Yes
Windows Server domain joining | No | No | No | Yes | Yes | Yes
Support for Windows Virtual PC + Windows XP Mode | No | Virtual PC only | Virtual PC only | Yes | Yes | Yes
AppLocker | No | No | No | No | Yes | Yes
BitLocker Drive Encryption | No | No | No | No | Yes | Yes
BranchCache Distributed Cache | No | No | No | No | Yes | Yes
DirectAccess | No | No | No | No | Yes | Yes
Subsystem for Unix-based Applications | No | No | No | No | Yes | Yes
Multilingual User Interface Pack | No | No | No | No | Yes | Yes
Virtual Hard Disk Booting | No | No | No | No | Yes | Yes

Table 11. Windows 7 editions comparison chart. Source (WIKIPEDIA, 2009)