Windows 7: Current Events in the World of Windows Forensics

Transcription

Windows 7:
Current Events in the World of
Windows Forensics
Troy Larson
Senior Forensic Program Manager
Network Security, Microsoft Corp.
Microsoft Network Security
Where Are We Now?
• Vista & Windows 2008
–
–
–
–
–
–
–
–
–
–
BitLocker.
Format-Wipes the volume.
EXFAT.
Event Logging—format, system, scheme.
Virtual Folders & Registry.
Volume Shadow Copy.
Links, Hard and Symbolic.
Change Journal.
Recycle Bin.
Superfetch.
Where Are We Now?
• Windows 7 & Window 2008 R2
Updated BitLocker.
BitLocker To Go.
VHDs—Boot from, mount as “Disks.”
XP Mode.
Flash Media Enhancements.
Libraries, Sticky Notes, Jump Lists.
Service and Driver triggers.
I.E. 8, InPrivate Browsing, Tab and Session
Recovery.
– Even more Volume Shadow Copy.
–
–
–
–
–
–
–
–
Digital Forensics Subject Matter
Expertise “Stack”
Applications—e.g.,
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, EXFAT
Fvevol.sys
Thanks to Eoghan Casey.
Mount, Partition & Volume
Managers
“Disk”
Windows 7“Disk”
Note disk
signature:
2E140032
0x1b8-1bb
Windows 7“Disk”
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0
\DiskController\0\DiskPeripheral\0
Diskpart
>Automount scrub
Vista “Disk”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\
1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000
Partitions and Volumes
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, EXFAT
Fvevol.sys
Managers
“Disk”
Virtual Hard Drives
• Create
• Attach
• Detach
• Delete
BitLocker: Windows 7
During installing, Windows 7 creates a “System Reserved”
volume—enabling set up of BitLocker.
In Vista, the System volume was generally 1.5 GB or more.
BitLocker: Vista
• Physical level view of the header of the boot
sector of a Vista BitLocker protected volume:
– 0xEB 52 90 2D 46 56 45 2D 46 53 2D
– ëR
-FVE-FS-
• Physical level view of the header of the boot sector of
a Windows 7 BitLocker protected volume:
– 0xEB 58 90 2D 46 56 45 2D 46 53 2D
– ëX
-FVE-FS-
• Vista & Windows 2008 cannot unlock
BitLocker volumes created with Windows 7
or 2008 R2.
• Forensics tools may not recognize the new
BitLocker volume header.
• Must use Windows 7 or 2008 R2 to open
(and image) BitLocker volumes from
Windows 7 or 2008 R2.
BitLocker Review or Imaging
Application
User Mode
Kernel Mode
File System Driver
Fvevol.sys
Volume Manager
 FVEVOL.SYS sits
underneath the file
system driver and
performs all encryption /
decryption.
• Once booted,
Windows (and the
user) sees no
difference in
experience.
• The encryption /
decryption happens at
below the file system.
Application
User Mode
Kernel Mode
File System Driver
Fvevol.sys
Volume Manager
The “More/Less
information”
button will provide
the BitLocker
volume recovery
key identification.
• BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4ACD3075CB8335.txt:
BitLocker Drive Encryption Recovery Key The recovery key is used to
recover the data on a BitLocker protected drive.
To verify that this is the correct recovery key compare the
identification with what is presented on the recovery screen.
Recovery key identification: 783F5FF9-18D4-4C
Full recovery key identification: 783F5FF9-18D4-4C64-AD4ACD3075CB8335
BitLocker Recovery Key:
528748-036938-506726-199056-621005-314512-037290-524293
Enter the recovery
key exactly.
Viewed or imaged as part of a physical disk, BitLocker
volumes appear encrypted.
To view a BitLocker volume as it appears in its
unlocked state, address it as a logical volume.
File Systems
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, EXFAT
Fvevol.sys
Managers
“Disk”
File Systems
Since Vista SP1, Format wipes while it formats.
http://support.microsoft.com/kb/941961
Diskpart.exe
> Clean all
File Systems-Vista & Windows 7
• NTFS
– Symbolic links to files, folders, and UNC paths.
• Beware the “Application Data” recursion loop.
• Cf. Link files.
– Hard links are extensively used (\Winsxs).
– Disabled by default: Update Last Access Date.
– Enabled by default: The NTFS Change Journal
($USN:$J).
• Transactional NTFS ($Tops:$T).
File Systems-Vista & Windows 7
The volume header of an EXFAT volume.
Do your
forensics
tools read
EXFAT?
OS Artifacts
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, EXFAT
Fvevol.sys
Managers
“Disk”
OS Artifacts—Recycle.Bin
• [Volume]:\$Recycle.Bin
$Recycle.Bin is visible in Explorer (view hidden files).
Per user store in a subfolder named with account SID.
No more Info2 files.
When a file is deleted—moved to the Recycle Bin—it
generates two files in the Recycle Bin.
– $I and $R files.
–
–
–
–
• $I or $R followed by several random characters, then original
extension. The random characters are the same for each $I/$R
pair.
• $I file maintains the original name and path, as well as the
deleted date.
• $R file retains the original file data stream and other
attributes. The name attribute is changed to $R******.ext.
Note the deleted
date (in blue).
OS Artifacts—Folder Virtualization
– Part of User Access Control—Standard user cannot
write to certain protected folders.
• C:\Windows
• C:\Program Files
• C:\Program Data
– To allow standard user to function, any writes to
protected folders are “virtualized” and written to
C:\Users\[user]\AppData\Local\VirtualStore
OS Artifacts—Registry Virtualization
•
•
Virtualize (HKEY_LOCAL_MACHINE\SOFTWARE)
Non-administrator writes are redirect to:
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\
•
Keys excluded from virtualization
– HKEY_LOCAL_MACHINE\Software\Classes
– HKEY_LOCAL_MACHINE \Software\Microsoft\Windows
– HKEY_LOCAL_MACHINE \Software\Microsoft\Windows NT
OS Artifacts—Registry Virtualization
• Location of the registry hive file for the VirtualStore
– Is NOT the user’s NTUSER.DAT
– It is stored in the user’s UsrClass.dat
\Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat
• Investigation of Vista - Windows 2008 R2 requires the investigator to
examine at least two account specific registry hive files for each user
account.
– NTUSER.DAT
– UsrClass.dat
OS Artifacts—Libraries
\Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries.
Libraries
are XML
files.
OS Artifacts—Shell
The “Recent” folder contains link files and two subfolders at
\User\[Account]\AppData\Roaming\Microsoft\Windows\Recent.
“AutomaticDestination” files are in the Structured
Storage file format.
OS Artifacts—Chkdsk Logs
\System Volume Information\Chkdsk
OS Artifacts—Superfetch
\Windows\Prefetch
OS Artifacts—Volume Shadow Copy
• Volume shadow copies are bit level differential
backups of a volume.
– 16 KB blocks.
– Copy on write.
– Volume Shadow copy “files” are “difference” files.
• The shadow copy service is enabled by default
on Vista and Windows 7, but not on Windows
2008 or 2008 R2.
• “Difference files” reside in the System Volume
Information folder.
• Shadow copies are the source data for Restore
Points and the Restore Previous Versions
features.
• Used in backup operations.
• Shadow copies provide a “snapshot” of a
volume at a particular time.
• Shadow copies can show how files have been
altered.
• Shadow copies can retain data that has later
been deleted, wiped, or encrypted.
Volume shadow copies do not contain a complete image
of everything that was on the volume at the time the
shadow copy was made.
The Volume Shadow
Copy difference files are
maintained in “\System
Volume Information”
along with other VSS
data files, including a
new registry hive.
\System Volume Information\Syscache.hve
vssadmin list shadows /for=[volume]:
Shadow copies can be exposed through symbolic links.
Mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
Volume Shadows can be mounted directly as network shares.
net share testshadow=\\.\HarddiskVolumeShadowCopy11\
>psexec \\[computername] vssadmin list shadows /for=C:
>psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\
PsExec v1.94 - Execute processes remotely
...
testshadow was shared successfully.
net exited on [computername] with error code 0.
>robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername] \testshadow
D:\vssTest
Log File : D:\VSStestcopylog.txt
...
• Other ways to call shadow copies:
– \\localhost\C$\Users\troyla\Downloads (Yesterday, July 20, 2009, 12:00 AM)
– \\localhost\C$\@GMT-2009.07.17-08.45.26\
– ?
Shadow copies can be imaged.
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>dd if=\\.\HarddiskVolumeShadowCopy11
of=E:\shadow11.dd –localwrt
The VistaFirewall Firewall is active with exceptions.
Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd
Output: E:\shadow11.dd
136256155648 bytes
129943+1 records in
129943+1 records out
136256155648 bytes written
Succeeded!
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>
Images of shadow copies can be opened in
forensics tools and appear as logical volumes.
Data that has been deleted can be captured by
shadow copies and available for retrieval in shadow
copy images.
Every shadow copy data set should approximate the size of
the original volume.
Amount of case data=(number of shadow copies) x (size of
the volume)+(size of the volume).
10 shadow
copies = 692 GB
Applications—I.E. 8
I.E., etc.
OS Artifacts
File Systems
NTFS, FAT32, EXFAT
Fvevol.sys
Managers
“Disk”
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -private
Cache data appears to be written, then deleted.
Residual cache files from InPrivate browsing.
Tab and session recovery—a new source for historical
browsing information.
\User\[Account]\AppData\Local\Microsoft\Internet Explorer\Recovery
Recovery file: Note the Structured Storage file format.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or
other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Windows 7: Current Events in the World of Windows Forensics

Transcription

Similar documents

Mission College

EZStream - ClearOne

SVR302: Windows Server code name “Longhorn” Technical Overview

The NCCS State Charity Office Database System

The software that controls your logistic flows The software that

Khalil Abd El

dynamics-crm-gp-rms-sharepoint

Blackadders uses FloSuite Legal

Untitled