Windows 7: Current Events in the World of Windows Forensics

Troy Larson, Senior Forensic Program Manager, Network Security, Microsoft Corp.

Transcript of Windows 7: Current Events in the World of Windows Forensics

Page 1: Windows 7: Current Events in the World of Windows Forensics

Microsoft Network Security

Windows 7: Current Events in the World of Windows Forensics

Troy Larson, Senior Forensic Program Manager, Network Security, Microsoft Corp.

Page 2: Windows 7: Current Events in the World of Windows Forensics

Where Are We Now?

• Vista & Windows 2008
– BitLocker.
– Format wipes the volume.
– exFAT.
– Event Logging: format, system, scheme.
– Virtual Folders & Registry.
– Volume Shadow Copy.
– Links, hard and symbolic.
– Change Journal.
– Recycle Bin.
– Superfetch.

Page 3: Windows 7: Current Events in the World of Windows Forensics

Where Are We Now?

• Windows 7 & Windows 2008 R2
– Updated BitLocker.
– BitLocker To Go.
– VHDs: boot from them, mount them as "disks."
– XP Mode.
– Flash media enhancements.
– Libraries, Sticky Notes, Jump Lists.
– Service and driver triggers.
– I.E. 8: InPrivate Browsing, tab and session recovery.
– Even more Volume Shadow Copy.

Page 4: Windows 7: Current Events in the World of Windows Forensics

Digital Forensics Subject Matter Expertise "Stack"

Thanks to Eoghan Casey.

The layers, top to bottom (the deck walks them bottom-up):

Applications (e.g., I.E., etc.)
OS Artifacts
File Systems (NTFS, FAT32, exFAT)
Fvevol.sys
Mount, Partition & Volume Managers
"Disk"

Page 5: Windows 7: Current Events in the World of Windows Forensics

Windows 7 "Disk"

Note the disk signature, 2E140032, stored in the MBR at offset 0x1B8-0x1BB, just ahead of the partition table at 0x1BE.

Page 6: Windows 7: Current Events in the World of Windows Forensics

Windows 7 "Disk"

The same disk is described under HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0. The HARDWARE hive is volatile and rebuilt at every boot, so this key exists only on a live system, not in a dead-box image.

diskpart> automount scrub (removes volume mount-point directories and registry settings for volumes that are no longer present in the system)

Page 7: Windows 7: Current Events in the World of Windows Forensics

Vista "Disk"

The volume's device instance under Enum\STORAGE\Volume is named by the disk signature plus the byte offset and byte length of the partition it lives on:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000
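Tying the two slides together: an added example (not the deck's code) that reads the disk signature and partition table out of sector 0 and derives the Signature/Offset/Length string Windows puts in the volume's device instance ID. The MBR is constructed with the deck's values; the "1&19f7e59c&0&" prefix on the deck's key is a PnP instance identifier and is not derived here. It assumes the signature is interpreted as a little-endian DWORD, which is how Windows formats it; the deck's hex view does not show which byte order its quoted value is in.

```python
r"""Added example (not from the deck): read the MBR disk signature and the
partition table from sector 0 of a disk image, then build the
Signature...Offset...Length string Windows uses in the volume's device
instance ID under Enum\STORAGE\Volume."""
import struct

SECTOR = 512


def build_sample_mbr(signature=0x2E140032, start_lba=2048, sectors=0x8A7E800):
    """Constructed sample MBR (not from a real disk): one bootable NTFS partition."""
    mbr = bytearray(SECTOR)
    # Disk signature: little-endian DWORD at 0x1B8-0x1BB, just ahead of the
    # partition table at 0x1BE.
    mbr[0x1B8:0x1BC] = struct.pack("<I", signature)
    # Partition entry 0: status, CHS start, type, CHS end, LBA start, sector count.
    mbr[0x1BE:0x1CE] = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                                   b"\xFE\xFF\xFF", start_lba, sectors)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(sector0):
    """Return (disk_signature, [partition dicts]) from a 512-byte MBR."""
    if len(sector0) < SECTOR or sector0[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an MBR: 55 AA signature missing")
    # Assumption: the signature is read as a little-endian DWORD, which is how
    # Windows formats it; a hex editor shows the raw bytes in disk order.
    signature = struct.unpack_from("<I", sector0, 0x1B8)[0]
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, 0x1BE + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "start_lba": lba, "sectors": count})
    return signature, partitions


def volume_instance_id(signature, part):
    """Windows names an MBR volume by disk signature, byte offset and byte length."""
    offset = part["start_lba"] * SECTOR
    length = part["sectors"] * SECTOR
    return f"Signature{signature:08X}Offset{offset:X}Length{length:X}"


if __name__ == "__main__":
    sig, parts = parse_mbr(build_sample_mbr())
    print(f"disk signature {sig:08X}")
    for p in parts:
        print(p, "->", volume_instance_id(sig, p))
```

Offset 100000 hex is 1 MiB, i.e. the 2048-sector alignment Vista and Windows 7 use for the first partition; the same signature/offset pair is what the MountedDevices values for \DosDevices\X: carry, so this lets you match a drive letter or Enum key in a SYSTEM hive to a partition in an image.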

Page 8: Windows 7: Current Events in the World of Windows Forensics


Partitions and Volumes


Virtual Hard Drives (VHD): create, attach, detach, delete.

Page 9: Windows 7: Current Events in the World of Windows Forensics


BitLocker: Windows 7

During installation, Windows 7 creates a small (100 MB) unencrypted "System Reserved" volume that holds the boot files, so BitLocker can be enabled later without repartitioning.

In Vista, the separate system volume that BitLocker required was generally 1.5 GB or more.

Page 10: Windows 7: Current Events in the World of Windows Forensics


BitLocker: Vista

• Physical-level view of the header of the boot sector of a Vista BitLocker-protected volume:
– bytes: EB 52 90 2D 46 56 45 2D 46 53 2D
– ASCII: ëR.-FVE-FS- (0x90 is a non-printing byte)

Page 11: Windows 7: Current Events in the World of Windows Forensics


BitLocker: Windows 7

• Physical-level view of the header of the boot sector of a Windows 7 BitLocker-protected volume:
– bytes: EB 58 90 2D 46 56 45 2D 46 53 2D
– ASCII: ëX.-FVE-FS- (0x90 is a non-printing byte)

Page 12: Windows 7: Current Events in the World of Windows Forensics


BitLocker: Windows 7

• Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2.

• Forensics tools may not recognize the new BitLocker volume header.

• Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.

Page 13: Windows 7: Current Events in the World of Windows Forensics

BitLocker Review or Imaging

User mode:   Application
Kernel mode: File System Driver
             Fvevol.sys
             Volume Manager

FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption.

• Once booted, Windows (and the user) sees no difference in experience.

• The encryption / decryption happens below the file system, so anything that reads through the file system (a logical volume) sees plaintext, while anything that reads raw sectors from the disk sees ciphertext.

Page 14: Windows 7: Current Events in the World of Windows Forensics


Page 15: Windows 7: Current Events in the World of Windows Forensics


BitLocker Review or Imaging

In the recovery dialog, the "More/Less information" button shows the recovery key identification of the volume, which is matched against the identification written in the saved recovery key file.

Page 16: Windows 7: Current Events in the World of Windows Forensics

BitLocker Review or Imaging

• BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4A-CD3075CB8335.txt:

    BitLocker Drive Encryption Recovery Key

    The recovery key is used to recover the data on a BitLocker protected drive.

    To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen.

    Recovery key identification: 783F5FF9-18D4-4C
    Full recovery key identification: 783F5FF9-18D4-4C64-AD4A-CD3075CB8335

    BitLocker Recovery Key:
    528748-036938-506726-199056-621005-314512-037290-524293

Page 17: Windows 7: Current Events in the World of Windows Forensics


BitLocker Review or Imaging

Enter the recovery key exactly.
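Because a mistyped 48-digit key only produces a generic failure, it is worth validating the key before typing it. This added example (not the deck's code) checks the structure of the recovery password from the .txt file on page 16: each 6-digit block is a 16-bit value times 11, so a block that is not a multiple of 11, or exceeds 65535 x 11, is a typo. The packing of the eight values into a 16-byte key as little-endian words in order follows libbde's description and is an assumption here.

```python
"""Added example (not from the deck): check a 48-digit BitLocker recovery
password, as saved in the recovery key .txt file, before typing it into the
recovery screen. Each 6-digit block is a 16-bit value times 11, so a block
that is not divisible by 11 (or exceeds 65535 * 11 = 720885) is a typo.
The packing of the eight values into a 16-byte key as little-endian words,
in order, follows libbde's description and is an assumption here."""
import re
import struct

BLOCK = re.compile(r"^\d{6}$")
MAX_BLOCK = 0xFFFF * 11


def parse_recovery_password(text):
    """Return the eight 16-bit values, raising ValueError naming the bad block."""
    blocks = re.split(r"[-\s]+", text.strip())
    if len(blocks) != 8:
        raise ValueError(f"expected 8 blocks, found {len(blocks)}")
    values = []
    for n, block in enumerate(blocks, start=1):
        if not BLOCK.match(block):
            raise ValueError(f"block {n} {block!r} is not six digits")
        v = int(block)
        if v % 11:
            raise ValueError(f"block {n} {block} fails the divide-by-11 check")
        if v > MAX_BLOCK:
            raise ValueError(f"block {n} {block} is larger than {MAX_BLOCK}")
        values.append(v // 11)
    return values


def is_valid_recovery_password(text):
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def recovery_password_to_key(text):
    """16-byte intermediate key: eight little-endian 16-bit words (assumed order)."""
    return struct.pack("<8H", *parse_recovery_password(text))


def format_recovery_password(values):
    """Inverse of parse_recovery_password: eight zero-padded blocks joined by dashes."""
    return "-".join(f"{v * 11:06d}" for v in values)


if __name__ == "__main__":
    key = "528748-036938-506726-199056-621005-314512-037290-524293"  # from page 16
    print(is_valid_recovery_password(key), recovery_password_to_key(key).hex())
```

The divide-by-11 check catches any single wrong digit and any swap of two adjacent digits (10^k mod 11 is 1 or 10, and neither a single-digit difference nor 9 times one is a multiple of 11); it cannot catch two errors that happen to cancel. The file's "Recovery Key" is what later documentation calls the recovery password; the binary .bek file is a different object.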

Page 18: Windows 7: Current Events in the World of Windows Forensics

BitLocker Review or Imaging

Viewed or imaged as part of a physical disk, BitLocker volumes appear encrypted.

Page 19: Windows 7: Current Events in the World of Windows Forensics


BitLocker Review or Imaging

To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume.

Page 20: Windows 7: Current Events in the World of Windows Forensics


BitLocker Review or Imaging

Page 21: Windows 7: Current Events in the World of Windows Forensics


File Systems


Page 22: Windows 7: Current Events in the World of Windows Forensics

File Systems

Since Vista SP1, a full (non-quick) format overwrites the volume with zeros as it formats: http://support.microsoft.com/kb/941961

diskpart> clean all (zero-fills the entire disk, not just one volume)

Page 23: Windows 7: Current Events in the World of Windows Forensics

File Systems-Vista & Windows 7

• NTFS
– Symbolic links to files, folders, and UNC paths.
• Beware the "Application Data" recursion loop: the profile-compatibility junctions (e.g., Application Data pointing into AppData) lead back into the same tree, so a tool that follows junctions loops until the path length limit stops it.
• Not to be confused with .lnk link files.
– Hard links are used extensively (\Windows\winsxs).
– Disabled by default: updating the last-access date.
– Enabled by default: the NTFS change journal (\$Extend\$UsnJrnl:$J).
• Transactional NTFS ($Tops:$T).

Page 24: Windows 7: Current Events in the World of Windows Forensics

File Systems-Vista & Windows 7

The volume header of an exFAT volume.

Do your forensics tools read exFAT?
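The answer to that question, and to the BitLocker header question from pages 10 to 12, is the same check: look at the OEM ID, not just the jump bytes. This added example (not the deck's code) identifies a volume boot sector from those fields, covering the Vista and Windows 7 BitLocker headers, exFAT, NTFS and FAT32. The sample sectors are constructed with only the fields the check reads; they are not copies of real volumes.

```python
"""Added example (not from the deck): identify a volume boot sector from its
jump bytes and OEM ID. It covers the Vista and Windows 7 BitLocker headers
shown on pages 10 and 11 and the exFAT header from page 24, alongside NTFS
and FAT32. The sample sectors are constructed with only the fields this check
reads, not copied from real volumes."""


def build_boot_sector(jump, oem, fs_type=b""):
    """Constructed 512-byte boot sector: jump at 0, OEM ID at 3, FAT32 type string at 0x52."""
    bs = bytearray(512)
    bs[0:3] = jump
    bs[3:11] = oem.ljust(8)[:8]
    if fs_type:
        bs[0x52:0x5A] = fs_type.ljust(8)[:8]
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def identify_boot_sector(bs):
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        return "not a boot sector (55 AA missing)"
    jump, oem = bytes(bs[0:3]), bytes(bs[3:11])
    if oem == b"-FVE-FS-":
        # The OEM ID, not the jump, is the BitLocker marker: a Vista BitLocker
        # volume shares EB 52 90 with NTFS, a Windows 7 one shares EB 58 90 with FAT32.
        if jump == b"\xEB\x52\x90":
            return "BitLocker (Vista / Server 2008 header)"
        if jump == b"\xEB\x58\x90":
            return "BitLocker (Windows 7 / Server 2008 R2 header)"
        return "BitLocker (unrecognized header variant)"
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"EXFAT   ":
        return "exFAT"
    if bytes(bs[0x52:0x5A]) == b"FAT32   ":
        return "FAT32"
    return f"unknown (jump {jump.hex()} oem {oem!r})"


# Constructed samples covering the headers the deck shows.
SAMPLES = {
    "vista_bitlocker": build_boot_sector(b"\xEB\x52\x90", b"-FVE-FS-"),
    "win7_bitlocker": build_boot_sector(b"\xEB\x58\x90", b"-FVE-FS-"),
    "ntfs": build_boot_sector(b"\xEB\x52\x90", b"NTFS    "),
    "exfat": build_boot_sector(b"\xEB\x76\x90", b"EXFAT   "),
    "fat32": build_boot_sector(b"\xEB\x58\x90", b"MSDOS5.0", b"FAT32   "),
}

if __name__ == "__main__":
    for name, sector in SAMPLES.items():
        print(f"{name:16s} -> {identify_boot_sector(sector)}")
```

Run it against the first sector of each partition in an image (offset = start LBA x 512): a tool that keys only on the jump bytes will call a Windows 7 BitLocker volume FAT32 and a Vista one NTFS, which is exactly the "tools may not recognize the new header" problem the deck describes.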

Page 25: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts


Page 26: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Recycle.Bin

• [Volume]:\$Recycle.Bin
– $Recycle.Bin is visible in Explorer (show hidden files and protected operating system files).
– Per-user store in a subfolder named with the account SID.
– No more INFO2 files.
– When a file is deleted (moved to the Recycle Bin), two files are generated in the Recycle Bin: an $I file and an $R file.
• $I or $R followed by six random characters, then the original extension. The random characters are the same for each $I/$R pair.
• The $I file records the original name and path, the original size, and the deletion date.
• The $R file retains the original file data stream and other attributes; only the name attribute is changed, to $R******.ext.
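An added example (not the deck's code) of reading an $I record and pairing it with its $R file. The Vista / Windows 7 $I layout is fixed at 544 bytes: an 8-byte version (1), the 8-byte original size, the 8-byte FILETIME deletion time, and a 520-byte UTF-16LE original path. The record parsed here is constructed, with a made-up path and timestamp.

```python
"""Added example (not from the deck): parse a Vista / Windows 7
$I<six chars>.<ext> record from $Recycle.Bin and pair it with its $R file."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
I_RECORD_LEN = 544          # 8 + 8 + 8 + 520


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_sample_i_file(path, size, deleted_at):
    """Constructed $I record: version 1, size, FILETIME, 520-byte UTF-16LE path."""
    delta = deleted_at - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    name = path.encode("utf-16-le")[:518].ljust(520, b"\x00")   # always NUL-terminated
    return struct.pack("<QQQ", 1, size, ft) + name


def parse_i_file(data):
    if len(data) < I_RECORD_LEN:
        raise ValueError("short $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError(f"unexpected $I version {version} (Vista / Windows 7 use 1)")
    path = data[24:I_RECORD_LEN].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"original_path": path, "size": size, "deleted": filetime_to_datetime(ft)}


def r_file_for(i_name):
    """$IXXXXXX.ext and $RXXXXXX.ext share the six random characters and the extension."""
    if not i_name.startswith("$I"):
        raise ValueError("not an $I file name")
    return "$R" + i_name[2:]


# Constructed sample values (not from a real system).
SAMPLE_DELETED = datetime(2009, 7, 17, 8, 45, 26, tzinfo=timezone.utc)


def sample_i_record():
    return build_sample_i_file(r"C:\Users\troyla\Documents\notes.txt", 1234, SAMPLE_DELETED)


if __name__ == "__main__":
    rec = parse_i_file(sample_i_record())
    print(rec, "->", r_file_for("$IQX7K2M.txt"))
```

An $R file without a matching $I (or the reverse) is itself a finding: the user emptied part of the bin, or a tool removed one half of the pair. Note that the size in the $I record is the logical size at deletion time, so it can be compared with the $R file's data attribute to detect later tampering.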

Page 27: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Recycle.Bin

Note the deleted date (in blue).

Page 28: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Recycle.Bin

Page 29: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Folder Virtualization

– Part of User Account Control (UAC): a standard-user process cannot write to the protected folders
• C:\Windows
• C:\Program Files
• C:\ProgramData
– So that legacy applications (those without a UAC manifest) keep working, their writes to protected folders are "virtualized" and land in
C:\Users\[user]\AppData\Local\VirtualStore
– Look there for configuration files, logs and other data a program believed it wrote under a protected folder.

Page 30: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Registry Virtualization

• Virtualized: HKEY_LOCAL_MACHINE\SOFTWARE
• Non-administrator writes are redirected to:
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\
• Keys excluded from virtualization (a standard user's writes there are not redirected; they simply fail):
– HKEY_LOCAL_MACHINE\Software\Classes
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
– HKEY_LOCAL_MACHINE\Software\Microso­ft\Windows NT

Page 31: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Registry Virtualization

• Location of the registry hive file for the VirtualStore
– It is NOT the user's NTUSER.DAT.
– It is stored in the user's UsrClass.dat: \Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat
• Investigation of Vista through Windows 2008 R2 requires the investigator to examine at least two account-specific registry hive files for each user account:
– NTUSER.DAT
– UsrClass.dat
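An added example (not the deck's code) that applies the rules from the last three slides in both directions: predict where an unelevated legacy write lands (file or registry), and map a VirtualStore artifact back to the protected location the program believed it wrote. The protected folders and excluded keys are the ones listed above; the system drive is assumed to be C:, and the fact that virtualization applies only to interactive, unmanifested 32-bit processes is reduced to an `elevated` flag.

```python
"""Added example (not from the deck): map UAC file and registry
virtualization both ways. Protected folders and excluded keys are the ones
on pages 29 and 30; the system drive is assumed to be C:."""
import ntpath

PROTECTED_DIRS = [r"C:\Windows", r"C:\Program Files", r"C:\ProgramData"]
VIRTUAL_STORE = r"C:\Users\{user}\AppData\Local\VirtualStore"
REG_VIRTUALIZED_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE"
REG_VIRTUAL_STORE = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE"
REG_EXCLUDED = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"]


def _under(path, root):
    """Case-insensitive 'path is root or inside root' test on backslash paths."""
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def predict_file_write(path, user, elevated=False):
    """Where a write to `path` ends up for `user`; unchanged if elevated or not protected."""
    if elevated or not any(_under(path, d) for d in PROTECTED_DIRS):
        return path
    _drive, rest = ntpath.splitdrive(path)
    return ntpath.join(VIRTUAL_STORE.format(user=user), rest.lstrip("\\"))


def unvirtualize_file(path, user):
    """...\\VirtualStore\\Program Files\\App\\x.ini -> C:\\Program Files\\App\\x.ini, else None."""
    store = VIRTUAL_STORE.format(user=user)
    if not _under(path, store) or path.lower() == store.lower():
        return None
    return "C:\\" + path[len(store) + 1:]


def predict_registry_write(key, elevated=False):
    """Redirected key, the key itself, or None when the write fails (excluded subtree)."""
    if elevated or not _under(key, REG_VIRTUALIZED_ROOT):
        return key
    if any(_under(key, x) for x in REG_EXCLUDED):
        return None
    return REG_VIRTUAL_STORE + key[len(REG_VIRTUALIZED_ROOT):]


def unvirtualize_key(key):
    if not _under(key, REG_VIRTUAL_STORE):
        return None
    return REG_VIRTUALIZED_ROOT + key[len(REG_VIRTUAL_STORE):]


if __name__ == "__main__":
    print(predict_file_write(r"C:\Program Files\LegacyApp\settings.ini", "troyla"))
    print(predict_registry_write(r"HKEY_LOCAL_MACHINE\SOFTWARE\LegacyApp\Config"))
    print(predict_registry_write(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"))
```

The practical consequence for an examiner: a persistence key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cannot be created by virtualization, so a Run value found there was written with administrative rights, whereas application settings "under" HKLM\SOFTWARE may in fact live only in the user's UsrClass.dat.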

Page 32: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Libraries

Page 33: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Libraries

\Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries

Page 34: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Libraries

Library definitions (*.library-ms) are XML files.
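An added example (not the deck's code) that reads a *.library-ms file to list the folders a library aggregates, which is where network shares and removable media a user worked from show up. The document is constructed; its SID is made up, the Documents known-folder GUID is illustrative, and the element names follow Microsoft's Library Description schema.

```python
"""Added example (not from the deck): list the locations a Windows 7
*.library-ms file aggregates. The sample document is constructed."""
import xml.etree.ElementTree as ET

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

SAMPLE_LIBRARY_MS = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <ownerSID>S-1-5-21-1111111111-2222222222-3333333333-1001</ownerSID>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\fileserver\projects</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>E:\camera</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def classify(url):
    """Rough triage of where a library location points."""
    u = url.lower()
    if u.startswith("knownfolder:"):
        return "known folder"
    if u.startswith("\\\\"):
        return "UNC / network"
    if len(u) > 1 and u[1] == ":":
        return "system drive" if u.startswith("c:") else "non-system drive"
    return "other"


def parse_library(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag.split("}")[-1] != "libraryDescription":
        raise ValueError("not a library description document")
    locations = []
    for scd in root.findall("lib:searchConnectorDescriptionList/lib:searchConnectorDescription", NS):
        url = scd.findtext("lib:simpleLocation/lib:url", default="", namespaces=NS).strip()
        default = scd.findtext("lib:isDefaultSaveLocation", default="false", namespaces=NS) == "true"
        locations.append({"url": url, "default_save": default, "kind": classify(url)})
    return {"owner_sid": root.findtext("lib:ownerSID", default="", namespaces=NS),
            "pinned": root.findtext("lib:isLibraryPinned", default="", namespaces=NS) == "true",
            "locations": locations}


if __name__ == "__main__":
    lib = parse_library(SAMPLE_LIBRARY_MS)
    print(lib["owner_sid"], "pinned" if lib["pinned"] else "not pinned")
    for loc in lib["locations"]:
        print(f"  {loc['kind']:18s} default_save={loc['default_save']}  {loc['url']}")
```

Real files also carry a serialized shell item (PIDL) for each location, which survives when the `url` element is absent and which this example does not decode; the ownerSID ties the file to the account even when it has been copied elsewhere.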

Page 35: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Libraries

Page 36: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Shell

The "Recent" folder contains link files and two subfolders (AutomaticDestinations and CustomDestinations, which hold the Jump List files) at \Users\[Account]\AppData\Roaming\Microsoft\Windows\Recent.

Page 37: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Shell

Page 38: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Shell

"AutomaticDestinations" (Jump List) files, named <AppID>.automaticDestinations-ms, are in the Structured Storage (OLE compound file) format.

Page 39: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Shell

Page 40: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Shell

Page 41: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Chkdsk Logs

\System Volume Information\Chkdsk

Page 42: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Superfetch

\Windows\Prefetch

Page 43: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

• Volume shadow copies are block-level differential backups of a volume.
– 16 KB blocks.
– Copy on write: a block is saved into the shadow copy only when it is first overwritten after the snapshot.
– Volume Shadow Copy "files" are "difference" files.
• The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2.
• "Difference files" reside in the System Volume Information folder.

Page 44: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

• Shadow copies are the source data for the Restore Points and Restore Previous Versions features.
• Used in backup operations.
• Shadow copies provide a "snapshot" of a volume at a particular time.
• Shadow copies can show how files have been altered.
• Shadow copies can retain data that has later been deleted, wiped, or encrypted.

Page 45: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.
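To make the last three slides concrete, here is an added toy model (not the deck's code, and not the real on-disk format of the difference files) of a copy-on-write snapshot with 16 KB blocks. It shows why a shadow copy preserves a block that is later wiped, why the difference file is small, and why reading a snapshot still depends on the live volume for everything that has not changed.

```python
"""Added example (not from the deck): a toy copy-on-write model with 16 KB
blocks to show what a shadow copy's difference area holds. The structure is
a simplification, not the real VSS difference-file format."""
BLOCK = 16 * 1024


class Volume:
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]   # the live volume
        self.diffs = []   # one dict per shadow copy: block index -> pre-snapshot content

    def snapshot(self):
        """Taking a shadow copy stores nothing yet; it only opens an empty diff area."""
        self.diffs.append({})
        return len(self.diffs) - 1

    def write(self, index, data):
        assert len(data) == BLOCK
        # Copy on write: the first overwrite of a block after a snapshot saves the
        # old block into that snapshot's diff area. Later writes to the same block
        # save nothing more, so only the pre-snapshot version survives.
        for diff in self.diffs:
            if diff is not None:
                diff.setdefault(index, self.blocks[index])
        self.blocks[index] = data

    def read_snapshot(self, snap, index):
        """Changed blocks come from the diff area; unchanged ones from the live volume."""
        diff = self.diffs[snap]
        if diff is None:
            raise ValueError("shadow copy was deleted")
        return diff.get(index, self.blocks[index])

    def diff_size_bytes(self, snap):
        """The difference file only grows by blocks written since the snapshot."""
        return len(self.diffs[snap]) * BLOCK

    def delete_snapshot(self, snap):
        """vssadmin delete shadows: the diff area goes, and the saved old blocks with it."""
        self.diffs[snap] = None


def demo():
    """A file is written, snapshotted, wiped and overwritten; the snapshot keeps it."""
    v = Volume(8)
    v.write(2, b"A" * BLOCK)          # a file's contents, before any snapshot exists
    s = v.snapshot()
    v.write(2, b"\x00" * BLOCK)       # user 'wipes' the file
    v.write(2, b"B" * BLOCK)          # block reused by another file
    return v, s


if __name__ == "__main__":
    v, s = demo()
    print("snapshot view of block 2:", v.read_snapshot(s, 2)[:4])
    print("diff area size:", v.diff_size_bytes(s), "bytes")
```

Two consequences follow directly: a file deleted and overwritten before the snapshot was taken is not in it (nothing was saved for it), and deleting the shadow copy destroys the preserved blocks, so shadow copies should be enumerated and imaged before any tool that might trigger cleanup runs on the system.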

Page 46: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

The Volume Shadow Copy difference files are maintained in \System Volume Information along with other VSS data files, including a new registry hive.

Page 47: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Volume Shadow Copy

\System Volume Information\Syscache.hve

Page 48: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Volume Shadow Copy

Page 49: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Volume Shadow Copy

Page 50: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

vssadmin list shadows /for=[volume]:

Page 51: Windows 7: Current Events in the World of Windows Forensics


OS Artifacts—Volume Shadow Copy

Page 52: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

Shadow copies can be exposed through symbolic links (the trailing backslash on the device path is required):

mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\

Page 53: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

Volume shadows can be shared directly as network shares:

net share testshadow=\\.\HarddiskVolumeShadowCopy11\

Page 54: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

The same steps run remotely with PsExec, then copied out with robocopy:

>psexec \\[computername] vssadmin list shadows /for=C:

>psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\

PsExec v1.94 - Execute processes remotely
. . .
testshadow was shared successfully.
net exited on [computername] with error code 0.

>robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername]\testshadow D:\vssTest

Log File : D:\VSStestcopylog.txt
. . .

Page 55: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

• Other ways to reach shadow copies:
– Through the Previous Versions UI: \\localhost\C$\Users\troyla\Downloads (Yesterday, July 20, 2009, 12:00 AM)
– Through the SMB previous-version path syntax, with the snapshot time in UTC: \\localhost\C$\@GMT-2009.07.17-08.45.26\
– ?

Page 56: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

Shadow copies can be imaged (here with the dd from the Forensic Acquisition Utilities):

C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>dd if=\\.\HarddiskVolumeShadowCopy11 of=E:\shadow11.dd --localwrt

The VistaFirewall Firewall is active with exceptions.

Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd
Output: E:\shadow11.dd
136256155648 bytes
129943+1 records in
129943+1 records out
136256155648 bytes written

Succeeded!
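The slides from page 50 to here are one procedure: list the shadow copies, expose each one, copy or image it. This added example (not the deck's code) parses the text `vssadmin list shadows` prints into records and generates the mklink and net share commands the deck uses for each copy, plus the @GMT path component from page 55. The sample output is constructed in vssadmin's format with made-up GUIDs and host name; vssadmin prints the creation time in the machine's locale, so the date pattern assumes US-style output and the UTC offset for the @GMT token has to be supplied.

```python
"""Added example (not from the deck): parse `vssadmin list shadows /for=C:`
output and emit the commands the deck uses to expose each shadow copy.
The sample output is constructed; GUIDs and host name are made up."""
import re
from datetime import datetime, timedelta

SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {0f5a4d32-1111-2222-3333-444455556666}
   Contained 1 shadow copies at creation time: 7/17/2009 8:45:26 AM
      Shadow Copy ID: {a1b2c3d4-0000-1111-2222-333344445555}
         Original Volume: (C:)\\?\Volume{9c7f3e21-aaaa-bbbb-cccc-ddddeeeeffff}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WIN7-LAB
         Service Machine: WIN7-LAB
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {7e6d5c4b-1111-2222-3333-444455556666}
   Contained 1 shadow copies at creation time: 7/20/2009 12:00:00 AM
      Shadow Copy ID: {b2c3d4e5-0000-1111-2222-333344445555}
         Original Volume: (C:)\\?\Volume{9c7f3e21-aaaa-bbbb-cccc-ddddeeeeffff}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11
         Originating Machine: WIN7-LAB
         Service Machine: WIN7-LAB
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

ENTRY = re.compile(
    r"creation time: (?P<ts>[^\r\n]+)\r?\n\s*Shadow Copy ID: (?P<id>\{[0-9a-f-]+\})\r?\n"
    r"\s*Original Volume: (?P<orig>[^\r\n]+)\r?\n\s*Shadow Copy Volume: (?P<dev>[^\r\n]+)",
    re.IGNORECASE)


def parse_list_shadows(text):
    """Return the shadow copies as dicts, oldest first."""
    shadows = []
    for m in ENTRY.finditer(text):
        device = m["dev"].strip()
        number = int(re.search(r"HarddiskVolumeShadowCopy(\d+)$", device).group(1))
        shadows.append({
            "id": m["id"],
            "created_local": datetime.strptime(m["ts"].strip(), "%m/%d/%Y %I:%M:%S %p"),
            "original_volume": m["orig"].strip(),
            "device": device,
            "number": number,
        })
    return sorted(shadows, key=lambda s: s["created_local"])


def expose_commands(shadow, link_root=r"C:\shadows", share_prefix="shadow"):
    """The deck's two ways of exposing a copy; the trailing backslash is required."""
    n = shadow["number"]
    return [
        f"mklink /d {link_root}\\shadow{n} \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy{n}\\",
        f"net share {share_prefix}{n}=\\\\.\\HarddiskVolumeShadowCopy{n}\\",
    ]


def gmt_token(shadow, utc_offset_hours):
    """The @GMT-YYYY.MM.DD-HH.MM.SS path component expects the snapshot time in UTC."""
    utc = shadow["created_local"] - timedelta(hours=utc_offset_hours)
    return utc.strftime("@GMT-%Y.%m.%d-%H.%M.%S")


if __name__ == "__main__":
    for s in parse_list_shadows(SAMPLE_OUTPUT):
        print(s["number"], s["created_local"], gmt_token(s, -7))
        for cmd in expose_commands(s):
            print("  ", cmd)
```

Keep the parsed list with the case notes: the shadow copy numbers are not stable across reboots, while the Shadow Copy ID GUID and creation time are, and the creation times are what you will need to order the images once they have been exposed and copied.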

Page 57: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

Images of shadow copies can be opened in forensics tools and appear as logical volumes.

Page 58: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

Data that has been deleted can be captured by a shadow copy and remains available for retrieval from the shadow copy image.

Page 59: Windows 7: Current Events in the World of Windows Forensics

OS Artifacts—Volume Shadow Copy

Each shadow copy, once exposed and imaged as a logical volume, is approximately the size of the original volume, even though the difference file behind it is much smaller.

Amount of case data = (number of shadow copies) x (size of the volume) + (size of the volume).

In this example, 10 shadow copies of one volume came to 692 GB.

Page 60: Windows 7: Current Events in the World of Windows Forensics


Applications—I.E. 8


Page 61: Windows 7: Current Events in the World of Windows Forensics

Applications—I.E. 8

InPrivate Browsing is launched with the -private switch:

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -private

Page 62: Windows 7: Current Events in the World of Windows Forensics


Applications—I.E. 8

Cache data appears to be written, then deleted.

Page 63: Windows 7: Current Events in the World of Windows Forensics


Applications—I.E. 8

Residual cache files from InPrivate browsing.

Page 64: Windows 7: Current Events in the World of Windows Forensics

Applications—I.E. 8

Tab and session recovery: a new source of historical browsing information.

\Users\[Account]\AppData\Local\Microsoft\Internet Explorer\Recovery

Page 65: Windows 7: Current Events in the World of Windows Forensics

Applications—I.E. 8

Recovery file: note the Structured Storage file format.
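Both the IE8 recovery files here and the Jump List AutomaticDestinations files on page 38 are Structured Storage (OLE compound) documents, so one reader serves both. This added example (not the deck's code) is a minimal reader that parses the header, builds the FAT from the header DIFAT, lists the directory entries, and reads streams stored in regular sectors. Streams below the 4096-byte mini-stream cutoff and files large enough to need extra DIFAT sectors are reported rather than handled. The sample file is constructed in the block; it is not a real recovery or Jump List file, and the stream content is filler.

```python
"""Added example (not from the deck): a minimal Structured Storage (OLE
compound file) reader for Jump List and IE8 recovery files. Small streams
(mini stream) and extended DIFAT are detected but not followed."""
import struct

SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
TYPE_NAMES = {0: "unused", 1: "storage", 2: "stream", 5: "root"}


def _dir_entry(name, etype, start=ENDOFCHAIN, size=0, child=NOSTREAM):
    """One 128-byte directory entry (name, type, siblings, child, CLSID, times, start, size)."""
    raw = name.encode("utf-16-le") + b"\x00\x00" if name else b""
    return struct.pack("<64sHBBIII16sIQQIQ", raw.ljust(64, b"\x00"), len(raw), etype, 1,
                       NOSTREAM, NOSTREAM, child, bytes(16), 0, 0, 0, start, size)


def build_sample_cfb(stream_name="DestList", payload=b"\x01" * 4196):
    """Constructed v3 file (512-byte sectors): sector 0 = FAT, 1 = directory, 2.. = data."""
    nsec = (len(payload) + 511) // 512
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, nsec + 2)) + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))
    header = bytearray(512)
    header[0:8] = SIGNATURE
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    struct.pack_into("<9I", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # DIFAT: FAT is sector 0
    directory = (_dir_entry("Root Entry", 5, child=1)
                 + _dir_entry(stream_name, 2, start=2, size=len(payload))
                 + _dir_entry("", 0) * 2)
    return bytes(header) + struct.pack("<128I", *fat) + directory + payload.ljust(nsec * 512, b"\x00")


def _sector(data, n, ssize):
    off = (n + 1) * ssize            # the 512-byte header occupies "sector -1"
    return data[off:off + ssize]


def _chain(fat, start):
    seen, n = set(), start
    while n not in (ENDOFCHAIN, FREESECT) and n < len(fat):
        if n in seen:
            raise ValueError("FAT chain loop")
        seen.add(n)
        yield n
        n = fat[n]


def parse_cfb(data):
    """Return (header dict, [directory entry dicts])."""
    if data[:8] != SIGNATURE:
        raise ValueError("not a Structured Storage file")
    major, byte_order, sector_shift = struct.unpack_from("<HHH", data, 26)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark")
    ssize = 1 << sector_shift
    num_fat, first_dir, _txn, cutoff, _mfat, _nmfat, _difat, num_difat = struct.unpack_from("<8I", data, 44)
    if num_difat:
        raise NotImplementedError("file uses extra DIFAT sectors; only the 109 header entries are read")
    fat = []
    for s in struct.unpack_from("<109I", data, 76)[:num_fat]:
        fat.extend(struct.unpack_from(f"<{ssize // 4}I", _sector(data, s, ssize)))
    hdr = {"version": major, "sector_size": ssize, "mini_cutoff": cutoff, "fat": fat}
    entries = []
    for dsec in _chain(fat, first_dir):
        sec = _sector(data, dsec, ssize)
        for i in range(ssize // 128):
            raw, nlen, etype = struct.unpack_from("<64sHB", sec, i * 128)
            start, size = struct.unpack_from("<IQ", sec, i * 128 + 116)
            if major == 3:
                size &= 0xFFFFFFFF          # version 3 only defines the low 32 bits
            entries.append({"index": len(entries), "name": raw[:max(nlen - 2, 0)].decode("utf-16-le"),
                            "type": TYPE_NAMES.get(etype, etype), "start": start, "size": size})
    return hdr, entries


def read_stream(data, hdr, entry):
    if entry["type"] != "stream":
        raise ValueError("not a stream")
    if entry["size"] < hdr["mini_cutoff"]:
        raise NotImplementedError("small stream lives in the mini stream (not followed here)")
    body = b"".join(_sector(data, s, hdr["sector_size"]) for s in _chain(hdr["fat"], entry["start"]))
    return body[:entry["size"]]


if __name__ == "__main__":
    cfb = build_sample_cfb()
    hdr, entries = parse_cfb(cfb)
    for e in entries:
        print(e)
    print(len(read_stream(cfb, hdr, entries[1])), "bytes in", entries[1]["name"])
```

In a real AutomaticDestinations file the streams are the DestList index plus one numbered stream per entry, each of which is a .lnk-format shell link; an IE8 recovery file likewise stores per-tab streams. Once a stream is extracted this way it can be handed to the same link-file parser used for the Recent folder.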

Page 66: Windows 7: Current Events in the World of Windows Forensics


Applications—I.E. 8

Page 67: Windows 7: Current Events in the World of Windows Forensics

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.