Windows Forensics


    1. Windows Forensics Instructor: LT Dan Finnegan Spring 2010

    2. Main Objectives
       - Understand Windows file systems
       - Comprehend the Windows account controls
       - Understand Active Directory
       - Become familiar with Microsoft boot tasks
       - Understand MS-DOS startup tasks

    3. 10.1 Windows Evidence Acquisition Boot Disk
       Avoid data contamination or modification: when examining or previewing a system, bypass the computer's own operating system so that the boot itself does not alter evidence.
       Creating a "Windows Evidence Acquisition Boot Disk":
       - Modify command.com and io.sys so that the DOS boot does not access system components on the evidence drive.
       - Delete the drivespace.bin file so the boot disk does not try to mount compressed volumes on the evidence drive.
       - Alternatively, boot the system from a forensic Linux floppy or CD-ROM.
       Write-protecting a hard disk:
       - Control or block the BIOS INT 13h functions that perform disk access (read, write, format).
       - This can be done with software or with a hardware write blocker. A software INT 13h blocker only intercepts BIOS-level calls, so anything that talks to the controller directly bypasses it; a hardware write blocker sits between the drive and the examination machine and does not depend on what the boot disk runs.

    4. 10.1 Windows Evidence Acquisition Boot Disk (cont.)
       - If you use an Ethernet card or a large Zip drive to transfer data to a collection disk, make sure the drivers for it are stored on the boot disk.
       - Use FAT32 on collection disks so that large data files can be saved (FAT16 volumes top out at 2 GB). FAT32 still limits a single file to just under 4 GB, so image files larger than that must be written in segments.
       - Always virus-check the boot disk; an infected boot disk can contaminate the evidence and the examination system.

    5. 10.2 File Systems
       The simplest Windows file systems are the FAT family:
       - FAT12 uses 12-bit fields for each entry in the FAT (mainly used for floppies).
       - FAT16 uses 16-bit fields.
       - FAT32 uses 32-bit fields of which 28 bits are used (the top 4 are reserved).
       FAT records only a last-accessed date, not a last-accessed time (the last-modified time has 2-second resolution).
       The FAT can be thought of as a list with one entry for each cluster in the volume; each entry holds the number of the next cluster of the file, an end-of-chain marker, or zero. Clusters whose entry is zero are free for allocation.

    6. 10.2 File Systems (cont.)
       Opening a file in a subdirectory: the OS starts at the root directory, finds the entry that names the subdirectory and its starting cluster, reads the directory data in that cluster, and from the file's entry there obtains the starting cluster of the file; the rest of the file is found by following the FAT chain from that cluster.

    7. 10.2 File Systems (cont.)
       NTFS stores its bookkeeping in the Master File Table (MFT), a list of records (entries) that contain the information needed to find a file's data on disk. Every file and directory has an MFT entry; a directory's contents are stored as index entries sorted by name. Records contain created, last modified, and last accessed dates and times. NTFS creates MFT entries as needed.
       Recovering deleted files in NTFS is complicated because:
       - unused entries in the MFT are reused before new ones are created, so a deleted file's record is soon overwritten, and
       - directory index entries are sorted by name and re-sorted after a deletion, so the deleted name may be overwritten in the parent directory.

    8. 10.2 File Systems (cont.)
       NTFS is a journaling file system: it records metadata operations in the $LogFile before committing them, and that record is used to bring the volume back to a consistent state after a crash. The journal covers file-system metadata, not file contents.

    9. 10.3 Overview of Digital Evidence Processing Tools
       - Searching many computers: it is most efficient to boot each with an evidence acquisition boot disk and run a disk search utility (e.g. EnCase, DiskSearch Pro) from the DOS prompt.
       - Booting from a floppy, SafeBack can make an exact copy of a drive and preserve its integrity. EnCase, Forensic Toolkit, SnapBack DatArrest and Byte Back can also be used.
       - Some software calculates an integrity check of the acquired data separately; some acquires the data along with integrity checks at regular intervals. Courts are generally satisfied with either method.
       - Many of these tools can either use drive information from the BIOS or bypass the BIOS and query the drive directly, because a BIOS that misreports the drive's size or geometry would otherwise produce an incomplete image.

    10. FAT Directory Entries (figure: a deleted folder entry, marked by 0xE5 in the first byte of its name, followed by the first available entry)

    11. (figure only; no transcript text)

    12. The Sleuth Kit: Viewing the MFT (shows the low-level information in an MFT entry)

    13. Reformatted Recovery (figure: before recovery, the volume was re-formatted on 02/20/07; after recovery, metadata is visible but file contents may be overwritten)

    14. File Deletion Process (NTFS)
       - MFT entry marked as available (the in-use flag in the record header is cleared; the record's contents are left in place)
       - MFT $BITMAP updated (the $MFT file's $BITMAP attribute marks the entry as free for reuse)
       - Parent folder index entry removed
       - Folder contents re-sorted (the index is kept in name order, so remaining entries shift and may overwrite the deleted one)
       - $BITMAP attribute updated (allocation bitmaps record the freed space; the data clusters themselves are not wiped until reused)

    15. Remnants of File Deletion
       - File system entries: last accessed date, entry modified date
       - Recycle Bin records: the INFO (Windows 9x) / INFO2 (Windows 2000/XP) index file and its dates
       - Search unallocated space: data on disk may be recoverable until its clusters are reused

    16. File Recovery
       - Search the entire disk for file names and for file records: NTFS MFT records start with the signature "FILE" followed by the update-sequence offset byte, which is why they appear as "FILE0" (NTFS 3.1, offset 0x30) or "FILE*" (earlier versions, offset 0x2A).
       - Interpret the file record: the MFT entry gives the file name, dates, location, and sometimes the data itself.
       - Resident versus non-resident data: small data is stored inside the MFT record (resident); otherwise the attribute is non-resident and holds a runlist of the clusters that contain the data.
       - Check the location on disk for the data.
       - Different tools present this information differently.

    17. Deleted MFT Entries (figure)

    18. Basic MFT Entry Attributes (figure; the attributes every file has are $STANDARD_INFORMATION, $FILE_NAME and, for files, $DATA)

    19. The Sleuth Kit: Viewing the MFT (shows the low-level information in an MFT entry)

    20. Reading a Deleted MFT Entry (figure: identify the FILE record header)
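A parser for the MFT record structure that slides 16 to 20 describe: the FILE signature, the fixup (update sequence) array, the in-use flag that distinguishes a live entry from a deleted one, the resident/non-resident split, and the runlist of a non-resident $DATA attribute. This is an added example written for this transcript; it is not The Sleuth Kit's code or the presentation's. The record it parses ("budget.xls", record number 40, parent record 5) and its runlist bytes are constructed here for the demonstration; the offsets, signatures and flag values are NTFS's on-disk format.

```python
import struct

FILE_NAME, DATA, END_MARKER = 0x30, 0x80, 0xFFFFFFFF   # NTFS attribute type codes

def apply_fixups(raw, sector=512):
    """Undo the update sequence array: NTFS overwrites the last two bytes of
    each sector of a record with the update sequence number (USN) and keeps the
    real bytes in the USA.  A mismatch means a torn write or a non-record."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_count):
        end = i * sector
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_runlist(raw):
    """Data runs -> [(lcn, clusters)]; lcn None marks a sparse run.  Header
    byte: low nibble = size of the length field, high nibble = size of the
    offset field; offsets are signed and relative to the previous run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0:
        len_sz, off_sz = raw[pos] & 0x0F, raw[pos] >> 4
        length = int.from_bytes(raw[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz == 0:
            runs.append((None, length))
        else:
            lcn += int.from_bytes(raw[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            runs.append((lcn, length))
    return runs

def parse_mft_record(raw):
    """Parse a 1024-byte FILE record: header flags plus $FILE_NAME and $DATA."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    seq, _links, attr_off, flags = struct.unpack_from("<HHHH", rec, 16)
    info = {"record": struct.unpack_from("<I", rec, 44)[0], "sequence": seq,
            "in_use": bool(flags & 0x01), "directory": bool(flags & 0x02),
            "attributes": []}
    pos = attr_off
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER or alen == 0:
            break
        attr = {"type": atype, "non_resident": bool(rec[pos + 8])}
        if attr["non_resident"]:                       # data lives in clusters
            run_off = struct.unpack_from("<H", rec, pos + 32)[0]
            attr["size"] = struct.unpack_from("<Q", rec, pos + 48)[0]
            attr["runs"] = decode_runlist(rec[pos + run_off:pos + alen])
        else:                                          # data inside the record
            clen, coff = struct.unpack_from("<IH", rec, pos + 16)
            content = rec[pos + coff:pos + coff + clen]
            attr["content"] = content
            if atype == FILE_NAME:   # parent ref at 0, name length at 64, name at 66
                attr["parent"] = struct.unpack_from("<Q", content)[0] & 0xFFFFFFFFFFFF
                attr["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        info["attributes"].append(attr)
        pos += alen
    return info

def carve_file_records(blob, record_size=1024, align=512):
    """Scan raw bytes for FILE records at sector alignment (slide 16)."""
    found = []
    for off in range(0, len(blob) - record_size + 1, align):
        if blob[off:off + 4] == b"FILE":
            try:
                found.append((off, parse_mft_record(blob[off:off + record_size])))
            except ValueError:
                pass
    return found

def build_sample_record(in_use):
    """Constructed record 40 for 'budget.xls' in the root directory (record 5)
    with a non-resident $DATA of three normal runs and one sparse run."""
    name = "budget.xls".encode("utf-16-le")
    fn = struct.pack("<Q4Q2QIIBB", (5 << 48) | 5, 0, 0, 0, 0, 0, 0, 0x20, 0,
                     len(name) // 2, 1) + name                         # 86 bytes
    fn_attr = struct.pack("<IIBBHHHIHBB", FILE_NAME, 112, 0, 0, 0x18, 0, 1,
                          len(fn), 0x18, 1, 0) + fn + b"\0" * 2         # 112 bytes
    runlist = bytes.fromhex("11 30 60 21 10 00 01 01 05 11 20 E0 00")
    data_attr = struct.pack("<IIBBHHHQQHHIQQQ", DATA, 80, 1, 0, 0x40, 0, 2, 0,
                            100, 0x40, 0, 0, 101 * 4096, 413000, 413000
                            ) + runlist + b"\0" * 3                     # 80 bytes
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 5, 1, 0x38,
                      0x01 if in_use else 0x00, 256, 1024, 0, 3, 0, 40)
    rec = bytearray((hdr + b"\0" * 8 + fn_attr + data_attr
                     + struct.pack("<I", END_MARKER)).ljust(1024, b"\0"))
    usn = b"\x07\x00"
    rec[0x30:0x36] = usn + rec[510:512] + rec[1022:1024]   # USN + saved bytes
    rec[510:512] = rec[1022:1024] = usn                     # on-disk form
    return bytes(rec)
```

The deleted variant of the record differs from the live one only in the in-use flag; the name, parent directory and runlist are all still readable, which is exactly why carving FILE records from unallocated space works until the entry is reused. The fixup check is not optional: a record read without applying it has two corrupted bytes per sector, and a record that fails it should be treated as damaged rather than parsed.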

    21. 10.3 Overview of Digital Evidence Processing Tools (cont.)
       Two main approaches to viewing data: physically or logically.
       - Physical: examining the raw data with a hex editor; data is generally shown in hexadecimal on the left and as plain text on the right. Limitation: a keyword search will not find a string that is broken across non-adjacent sectors (fragmented files), nor text stored in an encoding or compression the search does not understand.
       - Logical: examining the data as the file system presents it. Limitation: it does not show areas of the disk the file system does not account for, such as file slack and unallocated space.
       It is always advisable to verify findings from one view against the other.

    22. 10.4 Data Recovery
       Two main forms of data recovery on FAT systems: recovering deleted data from unallocated space, and recovering data from slack space.
       Unallocated space: a deleted file's directory entry still holds its starting cluster and size, but its FAT chain has been zeroed. Recovery tools reconnect the chain by assuming the file's clusters were contiguous, which works only if the file was stored without fragmentation.
       Some tools also recover deleted files from NTFS volumes. Undelete utilities that write the recovered file back to the same disk alter it, so the process must be performed on a copy of the evidentiary disk.

    23. 10.4.1 Windows-Based Recovery Tools
       Tools such as EnCase and FTK work from a bitstream copy of a disk and display a virtual reconstruction of the file system, including deleted files, without modifying the FAT. They recover files on FAT systems by assuming all clusters in a file are sequential; fragmented files must be reassembled manually. The same tools can be used to recover deleted files on NTFS volumes.
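The FAT structures of slides 5, 6 and 10 and the sequential-cluster recovery of slides 22 and 23, worked through in code. This is an added example written for this transcript, not code from the presentation or from any of the tools it names. The volume (FAT table, root directory and data area), its 1 KB cluster size and the file names are constructed here for the demonstration; the directory-entry layout, the date/time bit fields and the 0xE5 deletion marker are the real FAT16 on-disk format.

```python
import struct
from datetime import date

# Geometry of the constructed volume (assumed, not from a real disk)
CLUSTER_SIZE = 1024          # 2 sectors of 512 bytes per cluster
FIRST_DATA_CLUSTER = 2       # cluster numbering in the FAT starts at 2
FAT16_BAD = 0xFFF7           # 0xFFF7 = bad cluster, 0xFFF8-0xFFFF = end of chain
DELETED_MARK = 0xE5          # first byte of a directory entry marked deleted

def fat_date(raw):
    """16-bit FAT date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def fat_time(raw):
    """16-bit FAT time: bits 15-11 hour, 10-5 minute, 4-0 seconds / 2."""
    return "%02d:%02d:%02d" % (raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2)

def fat_datetime(d, t):
    return None if d == 0 else "%s %s" % (fat_date(d), fat_time(t))

def parse_dir_entry(raw):
    """Decode one 32-byte FAT directory entry (short 8.3 name form)."""
    (name, attr, _nt, _ctenth, ctime, cdate, adate, hi,
     mtime, mdate, lo, size) = struct.unpack("<11sBBBHHHHHHHI", raw)
    deleted = name[0] == DELETED_MARK
    if deleted:
        name = b"?" + name[1:]          # first character is lost on deletion
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    return {"name": base + ("." + ext if ext else ""), "deleted": deleted,
            "directory": bool(attr & 0x10),
            "created": fat_datetime(cdate, ctime),
            "accessed": str(fat_date(adate)) if adate else None,  # date only
            "modified": fat_datetime(mdate, mtime),
            "start": (hi << 16) | lo,   # high word is always 0 on FAT12/16
            "size": size}

def list_directory(raw_dir):
    """Parse entries in order; a first byte of 0x00 means end of directory."""
    entries = []
    for off in range(0, len(raw_dir), 32):
        if raw_dir[off] == 0x00:
            break
        entries.append(parse_dir_entry(raw_dir[off:off + 32]))
    return entries

def walk_chain(fat, start):
    """Follow the FAT linked list from start (slide 6).  Stops at end of
    chain, at a bad cluster, or when the next entry is 0 (chain zeroed)."""
    chain, cluster = [], start
    while FIRST_DATA_CLUSTER <= cluster < FAT16_BAD and len(chain) < len(fat):
        chain.append(cluster)
        cluster = fat[cluster]
    return chain

def recover_deleted(fat, entry):
    """Rebuild a deleted file's chain the way undelete tools do (slides 22-23):
    assume the file was contiguous and take ceil(size / cluster) clusters from
    its start cluster.  Clusters since taken by another file are reported."""
    needed = -(-entry["size"] // CLUSTER_SIZE)
    clusters = [entry["start"] + i for i in range(needed)]
    reused = [c for c in clusters if c >= len(fat) or fat[c] != 0]
    return clusters, reused

def read_clusters(data_area, clusters, size):
    chunks = [data_area[(c - FIRST_DATA_CLUSTER) * CLUSTER_SIZE:
                        (c - FIRST_DATA_CLUSTER + 1) * CLUSTER_SIZE] for c in clusters]
    return b"".join(chunks)[:size]

def examine(fat, raw_dir, data_area):
    """Per directory entry: live chain, or a deleted-file recovery attempt."""
    report = {}
    for e in list_directory(raw_dir):
        if e["deleted"]:
            clusters, reused = recover_deleted(fat, e)
            status = "partially overwritten" if reused else "recoverable"
        else:
            clusters, reused, status = walk_chain(fat, e["start"]), [], "allocated"
        report[e["name"]] = {"status": status, "clusters": clusters, "reused": reused,
                             "data": read_clusters(data_area, clusters, e["size"])}
    return report

# --- constructed sample volume -------------------------------------------
def _entry(name, start, size, deleted=False):
    raw = name.ljust(11).encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]
    # 2007-02-20 (0x3654) and 14:30:10 (0x73C5) for all three timestamps
    return struct.pack("<11sBBBHHHHHHHI", raw, 0x20, 0, 0,
                       0x73C5, 0x3654, 0x3654, 0, 0x73C5, 0x3654, start, size)

# LIVE.TXT is 2->5->6.  OLD.TXT (deleted) was 3,4 and both are still free.
# GONE.TXT (deleted) was 7,8 but cluster 8 now belongs to NEWFILE.TXT 8->9.
FAT = [0xFFF8, 0xFFFF, 5, 0, 0, 6, 0xFFFF, 0, 9, 0xFFFF] + [0] * 6
_TAGS = ["LIVE-1/3", "OLD-1/2", "OLD-2/2", "LIVE-2/3", "LIVE-3/3",
         "GONE-1/2", "NEWFILE-1/2", "NEWFILE-2/2"]            # clusters 2..9
DATA_AREA = b"".join(t.encode().ljust(CLUSTER_SIZE, b".") for t in _TAGS)
ROOT_DIR = (_entry("LIVE    TXT", 2, 2500) + _entry("OLD     TXT", 3, 1500, True)
            + _entry("GONE    TXT", 7, 2048, True) + _entry("NEWFILE TXT", 8, 2048))

if __name__ == "__main__":
    for name, r in examine(FAT, ROOT_DIR, DATA_AREA).items():
        print(name, r["status"], r["clusters"], r["data"][:12])
```

The three deleted/live cases show the limits the slides describe: the live file's chain is followed through the FAT, the deleted file whose clusters are still free comes back whole, and the deleted file whose second cluster was reallocated is flagged rather than silently returned with another file's data in it. A fragmented deleted file would be reported as "recoverable" by this logic and still be wrong, which is why the result must be checked against the content.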

    24. Understanding the Boot Sequence
       Make sure the computer boots from the floppy disk (or other forensic boot media) and not from the evidence drive: check or modify the boot order in CMOS setup before booting. If the machine boots the installed OS by mistake, the evidence drive is written to.
       How setup is entered depends on the BIOS; common keys are Delete, Ctrl+Alt+Insert, Ctrl+A, Ctrl+F1, F2 and F12.

    25. 10.4.2 Unix-Based Recovery Tools
       Linux can be used to perform basic examinations of FAT and NTFS systems. Fatback, The Sleuth Kit and SMART can recover deleted files from a FAT system; The Sleuth Kit combined with the Autopsy Forensic Browser can examine and recover deleted files on both FAT and NTFS systems. The Sleuth Kit can also extract slack space.

    26. 10.4.3 File Carving With Windows
       Another approach to recovering deleted files is to examine unallocated space, swap files and other digital objects for class characteristics such as file headers and footers, carving files out of the blob-like amalgam of data in unallocated space. File carving tools include DataLifter, EasyRecovery Pro, WinHex and EnCase EScripts. NTI's Graphic Image File Extractor can extract images, including those embedded in Word documents.

    27. 10.4.3 File Carving With Windows (cont.)
       These tools are generally limited because they rely on files that still have intact headers. Slack space contains fragments that can be recovered but rarely reconstituted into complete files. If a small file overwrites a large one, most of the large file may still be recoverable: its tail survives in the small file's slack space and in the clusters beyond it that are no longer allocated. Textual data is the easiest to recover from slack space because it is recognisable to the human eye.

    28. 10.4.4 Dealing With Password Protection and Encryption
       For some file formats it is possible to use a hex editor such as WinHex to remove a password from a file. More specialised tools to bypass or recover passwords are available from NTI, Lostpassword.com, Russian Password Crackers, and others.

    29. 10.4.4 Dealing With Password Protection and Encryption (cont.)
       - If it is necessary to bypass the logon password, use a program such as ntpasswd or ERD Commander. Resetting the password offline changes the SAM on the evidence drive, so do it on a working copy, and note that on Windows 2000/XP it leaves that user's EFS-encrypted files unreadable because the EFS keys are protected by the old password.
       - LC4 can attempt to guess older NT (LM-hashed) passwords.
       - The most powerful and versatile password recovery programs are PRTK and DNA from AccessData; Distributed Network Attack can brute-force Adobe Acrobat and Word/Excel files protected with 40-bit encryption.
       - Microsoft EFS generally uses 128-bit keys (Windows XP SP1 and later default to AES-256), which are not brute-forceable; recovering the user's password or a recovery agent's key is the practical route.

    30. 10.5 Log Files
       Attribution is a major goal: log files can record which account was used to access a system at any given time. User accounts allow two forms of access to computers: interactive logon and access to shared resources. System log files can contain information about the user accounts used to commit a crime and can show that a user account might have been stolen. On Windows NT and 2000 the Resource Kit utility for dumping event logs to text is called dumpel. A detailed procedure for examining log files can be found in the Handbook of Computer Crime Investigation.

    31. LogParser: NT Event Logs
       Listing success audits in the Logon/Logoff category by user (EventType 8 = Success Audit, EventCategory 2 = Logon/Logoff; event IDs 541-543 are IPsec IKE negotiation events and are excluded, as is the IIS anonymous account IUSR_*):

       C:\>LogParser "SELECT TimeGenerated AS LogonDate,
                             EXTRACT_TOKEN(Strings, 0, '|') AS Username
                        FROM 'SecEvent.Evt'
                       WHERE EventID NOT IN (541;542;543)
                         AND EventType = 8 AND EventCategory = 2
                         AND Username NOT LIKE 'IUSR_%'"

       LogonDate            Username
       -------------------  -------------
       2002-05-06 21:03:31  esmith
       2002-05-09 17:42:06  adoe
       2002-05-09 19:56:53  esmith
       2002-05-12 00:12:32  esmith

       Unofficial LogParser support site: http://www.logparser.com/

    32. NT Event Log Example: unauthorized access, clock backdating
       The system time was changed.
         Process ID:        300
         Process Name:      C:\WINDOWS\System32\RUNDLL32.EXE
         Primary User Name: Owner
         Primary Domain:    EOWYN
         Primary Logon ID:  (0x0,0x14AA8)
         Client User Name:  Owner
         Client Domain:     EOWYN
         Client Logon ID:   (0x0,0x14AA8)
         Previous Time:     4:20:03 PM 2/13/2004
         New Time:          4:20:03 PM 12/11/2004
       The clock moved ten months in a single step, and the change was made through RUNDLL32.EXE under an interactive user's logon rather than by time synchronisation. Events recorded while the clock was wrong have to be corrected by that offset before they are placed on a timeline.
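Detection logic for the time-change record above, run over a small set of records: the first is the slide's record, the other two are constructed for the example. This is an added example, not part of the presentation. The parser assumes the field names and the h:mm:ss AM/PM m/d/yyyy layout shown on the slide, and the five-minute tolerance that separates routine time synchronisation from a manual change is an assumption to tune per environment.

```python
import re
from datetime import datetime, timedelta

TIME_FMT = "%I:%M:%S %p %m/%d/%Y"   # "4:20:03 PM 2/13/2004", as on the slide
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", re.M)

def parse_time_change(record):
    """Pull who changed the clock, through which process, and from/to when."""
    fields = dict(FIELD.findall(record))
    return {"user": fields.get("Primary User Name"),
            "process": fields.get("Process Name"),
            "previous": datetime.strptime(fields["Previous Time"], TIME_FMT),
            "new": datetime.strptime(fields["New Time"], TIME_FMT)}

def classify(change, tolerance=timedelta(minutes=5)):
    """Small corrections are normal drift/sync; anything larger needs an
    explanation.  The sign separates backdating from advancing the clock."""
    delta = change["new"] - change["previous"]
    if abs(delta) <= tolerance:
        return "minor adjustment", delta
    return ("backdated" if delta < timedelta(0) else "advanced"), delta

def triage(log_text):
    """Run every blank-line-separated time-change record through parse+classify."""
    results = []
    for record in re.split(r"\n\s*\n", log_text.strip()):
        if "system time was changed" not in record:
            continue
        change = parse_time_change(record)
        verdict, delta = classify(change)
        results.append({**change, "verdict": verdict, "delta_days": delta.days})
    return results

# Constructed sample: record 1 is the slide's; records 2 and 3 are made up.
SAMPLE_LOG = """\
The system time was changed.
Process ID: 300
Process Name: C:\\WINDOWS\\System32\\RUNDLL32.EXE
Primary User Name: Owner
Primary Domain: EOWYN
Primary Logon ID: (0x0,0x14AA8)
Client User Name: Owner
Client Domain: EOWYN
Client Logon ID: (0x0,0x14AA8)
Previous Time: 4:20:03 PM 2/13/2004
New Time: 4:20:03 PM 12/11/2004

The system time was changed.
Process ID: 812
Process Name: C:\\WINDOWS\\System32\\svchost.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Previous Time: 9:00:00 AM 12/12/2004
New Time: 9:00:02 AM 12/12/2004

The system time was changed.
Process ID: 1044
Process Name: C:\\WINDOWS\\System32\\RUNDLL32.EXE
Primary User Name: Owner
Primary Domain: EOWYN
Previous Time: 3:00:00 PM 12/11/2004
New Time: 3:00:00 PM 11/11/2004
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["verdict"], r["delta_days"], "days", r["user"], r["process"])
```

The offset each flagged record yields is the correction to apply to file-system and log timestamps written between that change and the next one; keeping the process name and user with the verdict is what lets the change be attributed rather than just noticed.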

    33. Preservation Scenario
       Day 1: the sysadmin sees unauthorized logon attempts. There is no network-level logging with which to determine the scope of the attack, but the attacker's machine name is captured in the event logs.

    34. Preservation Scenario (cont.)
       The sysadmin searches the security event logs and finds two servers with successful logons from the attacker's machine. He takes screenshots of the unauthorized logons but does not preserve the full logs.

    35. Preservation Scenario (cont.)
       Day 2: another attacker machine name is observed. The security event logs have been cleared (reason unknown), so it is no longer possible to look back in time for the new name. Lesson: when the first sign of intrusion appears, copy and hash the complete event log files from every affected host; a screenshot cannot be searched later.

    36. 10.6 File System Traces
       An individual's actions on a computer leave many traces that digital investigators can use. Moving a file within a volume does not change its date-time stamps: on FAT the original directory entry is marked deleted and a new entry with the same contents (same starting cluster, size and stamps) is written in the destination directory. As long as the original deleted entry still exists, this lets investigators determine where a file was moved from.

    37. NTFS Behavior (consistent inconsistencies) (figure only)

    38. Reading a Windows FILETIME
       A FILETIME is a 64-bit count of 100-nanosecond intervals since January 1, 1601 (UTC), stored little-endian. Example (the "contract originally created" stamp on the slide), as the bytes appear on disk:
         00 EA 4A F2 6A D2 C6 01
       Read least-significant byte first, that is 0x01C6D26AF24AEA00 intervals.
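The conversion from slide 38 in code, with the inverse so a decoded value can be checked by re-encoding it, and a Unix-epoch form for lining the stamp up with other logs. This is an added example, not from the presentation; the slide's eight bytes decode to 2006-09-07 10:47:00 UTC, which the functions below reproduce.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # 1601, not 1600
TICKS_PER_SECOND = 10_000_000                               # 100 ns per tick
EPOCH_GAP_SECONDS = 11_644_473_600                          # 1601-01-01 to 1970-01-01

def filetime_ticks(raw8):
    """The 64-bit tick count, read little-endian as it sits on disk."""
    return struct.unpack("<Q", raw8)[0]

def filetime_to_datetime(raw8):
    """Decode to an aware UTC datetime.  timedelta resolves to microseconds,
    so the 100 ns digit of the tick count is dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime_ticks(raw8) // 10)

def datetime_to_filetime(dt):
    """Inverse: any aware datetime back to the 8 on-disk bytes."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
             + delta.microseconds * 10)
    return struct.pack("<Q", ticks)

def filetime_to_unix(raw8):
    """Seconds since 1970-01-01, the form most other logs use."""
    return filetime_ticks(raw8) / TICKS_PER_SECOND - EPOCH_GAP_SECONDS

# The slide's example ("contract originally created"), bytes as they appear on disk.
SLIDE_BYTES = bytes([0x00, 0xEA, 0x4A, 0xF2, 0x6A, 0xD2, 0xC6, 0x01])

if __name__ == "__main__":
    print(hex(filetime_ticks(SLIDE_BYTES)), filetime_to_datetime(SLIDE_BYTES))
```

A quick sanity check when reading stamps out of a hex dump: the same eight bytes read big-endian decode to a date in the early 1800s, so a FILETIME that lands outside the life of the system was almost certainly read in the wrong byte order or from the wrong offset.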

    39. 10.6 File System Traces (cont.)
       Date-time stamp phenomenon: when a file is copied within a volume, or moved from a hard drive to a floppy (that is, to another volume), a new file is created, so its created and last-accessed stamps are set to the time of the copy while the last-modified stamp is carried over from the original. A file whose created time is later than its modified time has therefore been copied or moved between volumes. The same pattern occurs when a file is downloaded from certain types of file servers on the Internet that preserve the original modification time.

    40. 10.6 File System Traces (cont.)
       Metadata: information retained inside Microsoft Office documents, including the location where the file was stored on disk, the printer used, and the original creation date and time. Date-time stamps embedded in the file can be useful for analysis, but can be affected by external influences (e.g. files extracted from a compressed Zip archive keep the stamps stored in the archive).

    41. 10.7 Windows Registry
       Used to store system configuration and usage details in a tree of "keys" holding named values. Windows 95/98 registry files (called "hives") are named system.dat and user.dat. On Windows NT/2000/XP the system hives (SAM, SECURITY, SOFTWARE, SYSTEM) live in %SystemRoot%\system32\config and each user account has its own ntuser.dat hive. Hive files recovered from an evidentiary system can be viewed on an examination system with regedt32 using the Load Hive option on the Registry menu; work from a copy, since a loaded hive can be modified by the examination system. Values are stored as strings or binary data; keys can be exported to a text (.reg) file for review.

    42. 10.8 Internet Traces
       Accessing the Internet leaves a wide variety of information, including which web sites were visited, the content viewed, and which newsgroups were accessed. Some Windows systems keep a log of when the modem was used, and some Internet dial-up services maintain connection logs.

    43. 10.8.1 Web Browsing
       The first time a web page is viewed the browser caches it on disk; when the same site is accessed again, the cached copy is used. Some browsers also track the number of times a site was accessed. Netscape maintains a database of web sites visited in netscape.hst; entries marked as deleted can be recovered with EnCase or an EScript. Internet Explorer holds similar information in files named index.dat.

    44. 10.8.1 Web Browsing (cont.)
       Mozilla maintains a file named _CACHE_001_ that holds HTTP responses, including the Date header with the current date and time according to the web server's clock, which is useful for checking the local clock. Netscape stores cookies in cookies.txt, while IE keeps cookies in the Windows\Cookies directory. The presence of a cookie does not necessarily prove that a person intentionally accessed a particular web site.

    45. 10.8.2 Usenet Access
       Web browsers track which Usenet newsgroups have been accessed. Netscape stores this information in a file with an .rc extension; Microsoft Internet News stores information about newsgroup activity in its news directory.

    46. 10.8.3 E-Mail
       Plain-text (mbox-style) mailboxes: Netscape and Eudora. Proprietary formats: Outlook (.pst), Outlook Express (.dbx), AOL. FTK can interpret a variety of proprietary formats. In some cases it is possible to recover messages that have been deleted but not yet purged (compacted) from the mailbox file.

    47. 10.8.4 Other Applications
       Yahoo Pager, AOL Instant Messenger and other instant messaging programs do not retain archives of messages by default, but may be configured to log chat sessions. Peer-to-peer file sharing programs may retain a list of hosts that were contacted or files that were accessed. The best chance of obtaining information about these applications is to search the parts of the hard drive where their data may have been stored temporarily, or to monitor the computer's network traffic while the programs are in use.

    48. 10.8.5 Network Storage
       One of the most common remote storage locations is an individual's ISP. Also search for traces of file transfer applications: WS_FTP creates small log files showing file locations, FTP server names and times of transfer; CRT and SSH clients can be configured to keep an individual configuration file for each computer a user connects to frequently. Shared network drives are another form of remote storage; remnants of network file sharing (mapped drives, recent network paths) may be found in various registry keys.

    49. 10.9 Program Analysis
       Three primary approaches: examine the source code, view the program in compiled form (disassembly), and run the program in a test environment. VMware can be used to create a virtual machine for testing; snapshot it before the run and keep it isolated from production networks. Programs such as RegSnap and Tripwire can create a system baseline (registry and file hashes) that shows what the program altered during the test. Details about processes and network connections can be observed with the tools from Sysinternals.com.
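A minimal file-system baseline of the kind RegSnap and Tripwire provide, as an added example that is not the presentation's or those tools' code: hash every file before the test run, hash again afterwards, and report what the program added, removed or modified. The directory layout and the "program run" inside demo() are constructed stand-ins for the suspect program.

```python
import hashlib
import os
import shutil
import tempfile

def snapshot(root):
    """Baseline: map relative path -> (size, sha256) for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(path), digest)
    return baseline

def compare(before, after):
    """Tripwire-style report of what a test run added, removed or changed."""
    common = set(before) & set(after)
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "changed": sorted(p for p in common if before[p] != after[p])}

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: baseline a fake program directory, simulate the
    suspect program's run, and diff.  Returns the comparison report."""
    root = tempfile.mkdtemp(prefix="baseline_")
    try:
        _write(root, "app.exe", b"MZ original binary")
        _write(root, "config/settings.ini", b"[run]\nautostart=0\n")
        _write(root, "config/old.ini", b"obsolete")
        before = snapshot(root)
        # ... run the program under test here; these edits stand in for it ...
        _write(root, "config/settings.ini", b"[run]\nautostart=1\n")   # modified
        _write(root, "dropped.dll", b"MZ new component")               # added
        os.remove(os.path.join(root, "config", "old.ini"))             # removed
        after = snapshot(root)
        return compare(before, after)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

Content hashes rather than timestamps are what make the comparison trustworthy: a program that rewrites a file with identical bytes does not show up, and one that resets a file's modification time after changing it does. The same before/after discipline applies to the registry and to the process and network observations from the Sysinternals tools; this block covers only the file system.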
