Windows 10 Forensics: OS Evidentiary Artefacts
Version 1.5 (Build 10240)
Brent Muir – 2015

Topics

OS Artefacts:
▫ File Systems / Partitions
▫ Registry Hives
▫ Event Logs
▫ Prefetch
▫ Shellbags
▫ LNK Shortcuts
▫ Thumbcache
▫ Recycle Bin
▫ Volume Shadow Copies
▫ Windows Indexing Service
▫ Cortana (Search)
▫ Notification Centre
▫ Picture Password

Application Artefacts:
▫ Windows Store
▫ Edge Browser (previously Spartan)
  - Legacy Internet Explorer
▫ Email (Mail application)
▫ Unified Communication
  - Twitter
  - Skype
  - OneDrive
▫ Microsoft Office Apps
  - Word
  - Excel
  - PowerPoint
  - OneNote
▫ Maps

Part 1: OS Artefacts

File Systems / Partitions

• Supported file systems:
▫ NTFS, FAT32, exFAT

• Default partition structure:
▫ “Windows” – core OS (NTFS)
▫ “Recovery” (NTFS)
▫ “Reserved”
▫ “System” – UEFI (FAT32)
▫ “Recovery Image” (NTFS)

Registry Hives

• Registry hive format has not changed
▫ Can be examined with numerous tools (e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.)

• Location of important registry hives:
▫ \Users\user_name\NTUSER.DAT
▫ \Windows\System32\config\DEFAULT
▫ \Windows\System32\config\SAM
▫ \Windows\System32\config\SECURITY
▫ \Windows\System32\config\SOFTWARE
▫ \Windows\System32\config\SYSTEM

Event Logs

• EVTX log format has not changed
▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.)

• Location of EVTX logs:
▫ \Windows\System32\winevt\Logs\

Event Logs – Windows Store

• \Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Source                             | EventID | Category | Function
Microsoft-Windows-Install-Agent    | 2002    | 2001     | Installing application
Windows-ApplicationModel-Store-SDK | 5       | 5        | Search query strings (e.g. query=twitter)

Event Logs – Windows Store

• \Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Source                                  | EventID | Category | Function
Microsoft-Windows-AppXDeployment-Server | 10002   | 3        | Application deployment
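The following is an added example, not part of the original slides: it reads the two Store-related .evtx files listed above from offline copies, keeps only the event IDs in the tables, and pulls the query= term out of the search events. The log directory D:\case\Logs is an assumption.

```powershell
# Added example (not from the slides): extract the Windows Store events tabulated above
# from offline copies of the two .evtx files. Assumes they were copied to D:\case\Logs.
$LogDir  = 'D:\case\Logs'
$Sources = @(
    @{ File = 'Microsoft-Windows-Store%4Operational.evtx';                Ids = 2001, 2002, 5 }
    @{ File = 'Microsoft-Windows-AppXDeploymentServer%4Operational.evtx'; Ids = 10002 }
)

$events = foreach ($s in $Sources) {
    $path = Join-Path $LogDir $s.File
    # XPath filter so only the event IDs from the tables are read out of the file
    $xpath = '*[System[(' + (($s.Ids | ForEach-Object { "EventID=$_" }) -join ' or ') + ')]]'

    Get-WinEvent -Path $path -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        # Message is rendered from the provider manifest; on an analysis workstation
        # without the Store providers registered it is empty, so fall back to the raw XML.
        $text = if ($_.Message) { $_.Message } else { $_.ToXml() }
        $flat = $text -replace '\s+', ' '
        [pscustomobject]@{
            TimeUtc  = $_.TimeCreated.ToUniversalTime().ToString('u')
            Log      = $s.File
            Provider = $_.ProviderName
            EventId  = $_.Id
            # Store search terms surface as query=<term> (EventID 5 in the table above)
            Query    = if ($flat -match 'query=([^\s&"<]+)') { $Matches[1] } else { '' }
            Detail   = $flat.Substring(0, [Math]::Min(120, $flat.Length))
        }
    }
}

$events | Sort-Object TimeUtc | Export-Csv -Path (Join-Path $LogDir 'store_events.csv') -NoTypeInformation
# Quick overview: how many of each event type were recovered per log
$events | Group-Object Log, EventId | Select-Object Count, Name | Format-Table -AutoSize
```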

Prefetch

• Location of Prefetch files:
▫ \Windows\Prefetch\

Shellbags

• NTUSER.dat
▫ \SOFTWARE\Microsoft\Windows\Shell\Bags\

• UsrClass.dat

LNK Shortcuts

• LNK format has not changed
▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.)

• Useful fields:
▫ Hostname
▫ MAC Address
▫ Volume ID
▫ Owner SID
▫ MAC Times

Thumbcache

• Location of Thumbcache files:
▫ \Users\user_name\AppData\Local\Microsoft\Windows\Explorer\

Recycle Bin

• Recycle Bin artefacts have not changed
▫ $I: still provides the original file name and path
▫ $R: the original file

Volume Shadow Copies

• vssadmin tool still provides a list of current VSCs

Windows Indexing Service

• The Windows indexing service is an evidentiary gold mine
▫ Potentially stores emails and other binary items
▫ Great as a dictionary list for password cracking

• Stored in an .EDB file
▫ Can be interpreted by EseDbViewer, ESEDatabaseView or X-Ways Forensics
▫ If “dirty” dismount, need to use esentutl.exe

• In Windows 10 stored in the following directory:
▫ C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

Cortana

• Windows 10 features “Cortana”, a personal assistant, which expands upon the unified search platform introduced in Windows 8
▫ Search encompasses local files, Windows Store & online content
▫ Can set reminders
▫ Can initiate contact (e.g. write emails)

• Cortana Databases (EDBs):
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\IndexedDB.edb
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat
  - Interesting tables:
    LocationTriggers: latitude/longitude and name of place results
    Geofences: latitude/longitude for where location-based reminders are triggered
    Reminders: creation and completion time (UNIX numeric value)

Cortana

• The following databases contain a list of contacts synched from email accounts:
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg.txt

Notification Centre

• The following database contains a list of notifications:
▫ \Users\user_name\AppData\Local\Microsoft\Windows\Notifications\appdb.dat
  - Toast notifications are stored as embedded XML

Picture Password

• “Picture Password” is an alternate login method where gestures on top of a picture are used as a password

• This registry key details the path to the location of the “Picture Password” file:
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID

• Path of the locally stored Picture Password file:
▫ C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png

Part 2: Application Artefacts

Applications (Apps)

• Applications (Apps) that utilise the Metro/Modern UI are treated differently from programs that work in desktop mode

• Apps are installed in the following directory:
▫ \Program Files\WindowsApps\

• Settings and configuration DBs are located in the following directory:
▫ \Users\user_name\AppData\Local\Packages\package_name\LocalState\
  - Two DB formats: SQLite DBs (.SQL) and Jet DBs (.EDB)

Windows Store

• Apps are purchased/installed via the Windows Store

• During the Insider Preview there was a Beta Store which contained Windows 10-compatible Apps (e.g. Microsoft Office Apps)

• Registry key of installed applications:
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\

• List of deleted applications:
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\
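As an added example (not from the slides), the script below loads a working copy of the SOFTWARE hive and lists the package names found under the Applications and Deleted keys above, splitting each package full name into its parts. The hive location D:\case\work\SOFTWARE and the mount point name are assumptions; the shell must be elevated.

```powershell
# Added example (not from the slides): enumerate installed and deleted Appx packages
# from the two AppxAllUserStore keys above, read from an offline SOFTWARE hive.
# Assumes a working copy of \Windows\System32\config\SOFTWARE and an elevated shell.
$Hive  = 'D:\case\work\SOFTWARE'
$Mount = 'HKLM\OfflineSoftware'          # temporary mount point for the offline hive
$Base  = 'HKLM:\OfflineSoftware\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore'

# Subkey names are package full names: Name_Version_Arch_ResourceId_PublisherId.
# ResourceId is normally empty, which is why two underscores appear in a row.
$Pattern = '^(?<Name>[^_]+)_(?<Version>[^_]+)_(?<Arch>[^_]+)_(?<Res>[^_]*)_(?<Pub>[^_]+)$'

function Read-AppxKey([string]$SubKey, [string]$State) {
    Get-ChildItem -Path "$Base\$SubKey" -ErrorAction SilentlyContinue | ForEach-Object {
        $m = [regex]::Match($_.PSChildName, $Pattern)
        [pscustomobject]@{
            State     = $State
            Package   = if ($m.Success) { $m.Groups['Name'].Value } else { $_.PSChildName }
            Version   = $m.Groups['Version'].Value
            Arch      = $m.Groups['Arch'].Value
            Publisher = $m.Groups['Pub'].Value
        }
    }
}

reg.exe load $Mount $Hive | Out-Null
try {
    $apps = @(Read-AppxKey 'Applications' 'Installed') + @(Read-AppxKey 'Deleted' 'Deleted')
    $apps | Sort-Object Package, State | Format-Table -AutoSize
    # A package name present under both keys has both current and removed entries
    $apps | Group-Object Package |
        Where-Object { ($_.Group.State | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object { "Installed and deleted entries both present for: $($_.Name)" }
}
finally {
    [gc]::Collect()                     # drop lingering handles so the unload succeeds
    reg.exe unload $Mount | Out-Null
}
```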

Edge Browser

• New web browser and rendering engine (Spartan)
• As with IE10, records are no longer stored in Index.DAT files but in an EDB database

• Edge settings are stored in the following file:
▫ \Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb

• Edge cache stored in the following directory:
▫ \Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\

• Last active browsing session stored in:
▫ \Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\

Browser History Records

• Edge (and IE) history records are stored in the following database:
▫ \Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
  - This is actually an .EDB file
  - Can be interpreted by EseDbViewer or ESEDatabaseView
  - Might be a “dirty” dismount; need to use esentutl.exe
  - Database also stores Cookies
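Both the Windows Search database (Windows.edb, above) and WebCacheV01.dat are usually found in a dirty-shutdown state when copied out of an image, and the viewers will refuse them until esentutl.exe has replayed the logs. The script below is an added example, not from the slides, of that step; the working directory, database name and log prefix are parameters you set for your case.

```powershell
# Added example (not from the slides): bring an extracted ESE database (Windows.edb or
# WebCacheV01.dat) to a clean state before opening it in ESEDatabaseView.
# Assumes the database plus its sibling .log and .chk files were copied to $WorkDir,
# which is a working copy, never the evidence copy.
param(
    [string]$WorkDir = 'D:\case\work\WebCache',
    [string]$Db      = 'WebCacheV01.dat',
    [string]$LogBase = 'V01'     # log prefix: V01 for WebCache, MSS for Windows.edb
)
Set-Location $WorkDir

function Get-EseState([string]$Path) {
    # /mh dumps the file header; the State line is "Clean Shutdown" or "Dirty Shutdown"
    $line = esentutl.exe /mh $Path | Select-String '^\s*State:' | Select-Object -First 1
    if ($line) { ($line.ToString() -split ':', 2)[1].Trim() } else { 'Unknown' }
}

$state = Get-EseState $Db
"Before: $state"

if ($state -match 'Dirty') {
    # Soft recovery: replay the transaction logs into the database. The bare /d tells
    # esentutl the database is in the current directory rather than at its original path.
    esentutl.exe /r $LogBase /d
    $state = Get-EseState $Db
    "After /r: $state"
}

if ($state -match 'Dirty') {
    # Last resort when logs are missing or unusable: repair discards what cannot be
    # replayed, so note in the case file that the database was repaired.
    esentutl.exe /p $Db
    "After /p: $(Get-EseState $Db)"
}
```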

Internet Explorer (legacy)

• Internet cache stored in this directory:
▫ \Users\user_name\AppData\Local\Microsoft\Windows\INetCache\

• Internet cookies stored in this directory:
▫ \Users\user_name\AppData\Local\Microsoft\Windows\INetCookies\

Email (Mail application)

• Bodies of emails are stored in TXT or HTML format
▫ Can be analysed by a number of tools
▫ Stored in the following directory:
  \Users\user_name\AppData\Local\Comms\Unistore\data\

• Metadata of emails is stored in the following DB (EDB format):
▫ \Users\user_name\AppData\Local\Comms\UnistoreDB\store.vol
  - Attachments
  - Email headers
  - Contact information

Unified Communication

• Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default)
▫ Appears to be scaled back from Windows 8.x (less integrated than the previous People App)

• UC settings are stored in the following DB:
▫ \Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb

Unified Communication

• Interesting tables:
▫ Account
  - SourceID: list of accounts (e.g. WL = Windows Live, Skype, TWITR, LI = LinkedIn)
  - DomainTag: username for each account
▫ Contact
  - List of synched contacts across all account platforms
▫ Event
  - Calendar entries (including birthdays of contacts if synched to Windows Live) and locations
▫ MeContact
  - Further details about owner accounts
▫ Person and PersonLink
  - Further details about each contact, including which account they link back to (e.g. Skype)

Unified Communication

• Locally cached contact entries are stored in this directory:
▫ \Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxxx\LocalState\Indexed\LiveComm\xxxxx\xxxxx\People\AddressBook\

• Contact photos are stored in this directory (JPGs):
▫ \Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxx\LocalState\LiveComm\xxxx\xxxx\UserTiles\

Twitter App

• History DB located in the following file:
▫ \Users\user_name\AppData\Local\Packages\xxxx.Twitter_xxxxxxx\LocalState\twitter_user_id\twitter.sqlite

• SQLite3 format DB
▫ 11 tables in DB
▫ Relevant tables:
  - messages: holds tweets & DMs
  - search_queries: holds searches conducted in the Twitter app by the user
  - statuses: lists latest tweets from accounts being followed
  - users: lists the user account and accounts being followed by the user

Twitter App

• Settings located in file:
▫ \Users\user_name\AppData\Local\Packages\xxxxx.Twitter_xxxx\Settings\settings.dat
  - Includes user name (@xxxxx)
  - Details on profile picture URL
  - Twitter ID number

Skype App (legacy)

• The Skype App was discontinued with Windows 10
▫ Windows 10 prompts you to download the desktop Skype application

OneDrive App

• Built in by default; the API allows all programs to save files in OneDrive

• List of synced items located in file:
▫ \Users\user_name\AppData\Local\Microsoft\Windows\OneDrive\settings\xxxxxxxx.dat

• Locally cached items are stored in directory:
▫ \Users\user_name\OneDrive\

Microsoft Office Apps

• With the release of the Windows Insider program Microsoft introduced the Office Mobile Apps
▫ If you have a valid Office 365 account then you can edit and create documents
▫ Otherwise these Apps are read-only

Word App

• List of recent documents stored in the following file (XML):
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Office.Word_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\Excel\Documents_en-AU

• Cached files stored in this directory:
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Office.Word_xxxx\LocalState\OfficeFileCache\
  - Files stored with .FSD extension; the actual document data is embedded
  - Can be manually carved from the FSD file

Excel App

• List of recent documents stored in the following file (XML):
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Office.Excel_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\Excel\Documents_en-AU

• Cached files stored in this directory:
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Office.Excel_xxxx\LocalState\OfficeFileCache\
  - Files stored with .FSD extension; the actual document data is embedded
  - Can be manually carved from the FSD file

PowerPoint App

• List of recent documents stored in the following file (XML):
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Office.PowerPoint_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\Excel\Documents_en-AU

• Cached files stored in this directory:
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Office.PowerPoint_xxxx\LocalState\OfficeFileCache\
  - Files stored with .FSD extension; the actual document data is embedded
  - Can be manually carved from the FSD file

OneNote App

• Cached files stored in this directory:
▫ \Users\user_name\AppData\Local\Packages\Microsoft.Office.OneNote_xxxx\LocalState\AppData\Local\OneNote\16.0\

• Files stored with xxxx.bin extension
▫ Encoded binary files
▫ Embedded graphics such as PNG or JPG

Maps App

• Recent places stored in this file (XML):
▫ \Users\user_name\AppData\Local\Packages\Microsoft.WindowsMaps_xxxx\LocalState\Graph\xxxx\Me\00000000.ttl
  - Latitude/longitude
  - Dates modified (searched)

Part 3: Forensic Acquisition

Memory Acquisition

• WinPMEM (tested versions 1.6.2 & 2.0.1)
▫ Run as Administrator
  - Has to extract driver to local temp location
  - V1.6.2 running process ~10MB
  - V2.0.1 running process ~80MB

• FTK Imager
▫ Run as Administrator
  - Running process ~15MB

Live Disk Acquisition

• FTK Imager
▫ Can be used for physical or logical acquisition

• X-Ways Forensics
▫ Can be used for physical or logical acquisition

Resources

• FTK Imager
▫ http://accessdata.com/product-download?/support/product-downloads

• Nirsoft ESEDatabaseView
▫ http://www.nirsoft.net/utils/ese_database_view.html

• RegistryBrowser
▫ https://lockandcode.com/software/registry_browser

• WinPMEM
▫ https://github.com/google/rekall/releases