Windows 7: Current Events in the World of Windows Forensics

Troy Larson
Senior Forensic Program Manager
Network Security, Microsoft Corp.
Microsoft Network Security
Where Are We Now?
• Vista & Windows 2008
– BitLocker.
– Format wipes the volume.
– EXFAT.
– Event Logging—format, system, scheme.
– Virtual Folders & Registry.
– Volume Shadow Copy.
– Links, Hard and Symbolic.
– Change Journal.
– Recycle Bin.
– Superfetch.
Where Are We Now?
• Windows 7 & Windows 2008 R2
– Updated BitLocker.
– BitLocker To Go.
– VHDs—Boot from, mount as “Disks.”
– XP Mode.
– Flash Media Enhancements.
– Libraries, Sticky Notes, Jump Lists.
– Service and Driver triggers.
– I.E. 8, InPrivate Browsing, Tab and Session Recovery.
– Even more Volume Shadow Copy.
Digital Forensics Subject Matter Expertise “Stack”
Layers, from top to bottom:
– Applications—e.g., I.E., etc.
– OS Artifacts
– File Systems: NTFS, FAT32, EXFAT
– Fvevol.sys
– Mount, Partition & Volume Managers
– “Disk”
Thanks to Eoghan Casey.
Windows 7 “Disk”
Note the disk signature 2E140032 at MBR offset 0x1B8-0x1BB.
Windows 7 “Disk”
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
Diskpart
> Automount scrub
Vista “Disk”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000
Partitions and Volumes
Virtual Hard Drives
• Create
• Attach
• Detach
• Delete
BitLocker: Windows 7
During installation, Windows 7 creates a “System Reserved” volume, which enables BitLocker to be set up later.
In Vista, the System volume was generally 1.5 GB or more.
BitLocker: Vista
• Physical-level view of the boot sector header of a Vista BitLocker-protected volume:
– 0xEB 52 90 2D 46 56 45 2D 46 53 2D
– ASCII: ëR, a non-printable 0x90, then -FVE-FS-
BitLocker: Windows 7
• Physical-level view of the boot sector header of a Windows 7 BitLocker-protected volume:
– 0xEB 58 90 2D 46 56 45 2D 46 53 2D
– ASCII: ëX, a non-printable 0x90, then -FVE-FS-
BitLocker: Windows 7
• Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2.
• Forensic tools may not recognize the new BitLocker volume header.
• You must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.
BitLocker Review or Imaging
Driver stack, top to bottom:
– Application (user mode)
– File System Driver (kernel mode)
– Fvevol.sys
– Volume Manager
• FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption.
• Once booted, Windows (and the user) sees no difference in experience.
• The encryption / decryption happens below the file system.
BitLocker Review or Imaging
The “More/Less information” button provides the BitLocker volume recovery key identification.
BitLocker Review or Imaging
• BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4ACD3075CB8335.txt:
BitLocker Drive Encryption Recovery Key
The recovery key is used to recover the data on a BitLocker protected drive.
To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen.
Recovery key identification: 783F5FF9-18D4-4C
Full recovery key identification: 783F5FF9-18D4-4C64-AD4ACD3075CB8335
BitLocker Recovery Key:
528748-036938-506726-199056-621005-314512-037290-524293
BitLocker Review or Imaging
Enter the recovery key exactly.
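A typed recovery password can be sanity-checked before it is entered. The following is an added example, not code from the presentation: it uses two documented properties of the 48-digit numeric recovery password that the deck itself does not state (every 6-digit block is a multiple of 11, so the last digit acts as a check digit, and block / 11 is a 16-bit value), and it catches a mistyped or transposed digit offline. The function names are mine; the sample password is the one from the recovery file shown above, and the "typo" variant is constructed. The check says nothing about the volume key and cannot unlock anything.

```python
"""Sanity-check a BitLocker 48-digit recovery password before typing it in."""
import re
from typing import List, Optional, Tuple

BLOCK_RE = re.compile(r"^\d{6}$")


def parse_recovery_password(text: str) -> List[int]:
    """Split '528748-036938-...' into eight 6-digit integer blocks.

    Hyphens, spaces or newlines may separate the blocks; anything that is not
    exactly 8 blocks of 6 decimal digits raises ValueError.
    """
    blocks = [b for b in re.split(r"[\s-]+", text.strip()) if b]
    if len(blocks) != 8 or not all(BLOCK_RE.match(b) for b in blocks):
        raise ValueError("expected 8 blocks of 6 digits")
    return [int(b) for b in blocks]


def check_block(value: int) -> Optional[str]:
    """Return None if the block is well-formed, otherwise the reason it is not."""
    if value % 11 != 0:
        return "not a multiple of 11 (check digit fails)"
    if value // 11 > 0xFFFF:
        return "block / 11 does not fit in 16 bits"
    return None


def validate_recovery_password(text: str) -> List[Tuple[int, str]]:
    """Return (block_index, problem) pairs; an empty list means well-formed."""
    problems = []
    for i, value in enumerate(parse_recovery_password(text)):
        reason = check_block(value)
        if reason:
            problems.append((i, reason))
    return problems


def recovery_password_bytes(text: str) -> bytes:
    """Return the 16 bytes a valid password encodes: each block / 11 as a
    little-endian 16-bit word. BitLocker stretches these bytes further before
    they become key material; that step is outside this example."""
    if validate_recovery_password(text):
        raise ValueError("password is not well-formed")
    return b"".join((v // 11).to_bytes(2, "little")
                    for v in parse_recovery_password(text))


# Recovery password from the sample recovery file in the presentation.
SAMPLE = "528748-036938-506726-199056-621005-314512-037290-524293"
# Constructed transcription error: last digit of the first block changed.
TYPO = "528749-036938-506726-199056-621005-314512-037290-524293"

if __name__ == "__main__":
    print("sample:", validate_recovery_password(SAMPLE) or "well-formed")
    print("typo:  ", validate_recovery_password(TYPO))
```

Because each block carries its own check digit, the report points at the block that was mistyped rather than just rejecting the whole string, which is what you want when reading the key off a printout at the recovery screen.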
BitLocker Review or Imaging
Viewed or imaged as part of a physical disk, BitLocker volumes appear encrypted.
To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume.
File Systems
Since Vista SP1, Format wipes the volume while it formats.
http://support.microsoft.com/kb/941961
Diskpart.exe
> Clean all
File Systems-Vista & Windows 7
• NTFS
– Symbolic links to files, folders, and UNC paths.
• Beware the “Application Data” recursion loop.
• Cf. Link files.
– Hard links are extensively used (\Winsxs).
– Disabled by default: Update Last Access Date.
– Enabled by default: The NTFS Change Journal ($USN:$J).
• Transactional NTFS ($Tops:$T).
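The change journal the deck flags as enabled by default is the $J data stream of \$Extend\$UsnJrnl, a sequence of USN_RECORD_V2 structures. The parser below is an added example, not code from the presentation: it decodes the fields an examiner uses (MFT entry and sequence number, parent entry, timestamp, reason flags, file name) and walks a buffer of records. The input is a constructed byte string built by pack_record() so the example runs offline; on a real $J stream you would first skip the leading sparse run of zero bytes. Function names are mine; the reason-flag values are the Windows SDK constants.

```python
"""Parse NTFS change journal records (USN_RECORD_V2) from $UsnJrnl:$J."""
import struct
from datetime import datetime, timedelta, timezone

# Subset of USN_REASON_* flags from winioctl.h.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2 fixed header: 60 bytes, little-endian, no padding.
HEADER = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_reasons(mask: int) -> list:
    return [name for bit, name in sorted(USN_REASONS.items()) if mask & bit]


def parse_usn_records(data: bytes) -> list:
    """Walk consecutive USN_RECORD_V2 structures and return dicts per record."""
    records = []
    offset = 0
    while offset + HEADER.size <= len(data):
        (length, major, _minor, frn, parent_frn, usn, ts, reason, _source,
         _sec_id, _attrs, name_len, name_off) = HEADER.unpack_from(data, offset)
        if length == 0:          # zero fill at the end of a journal page
            offset += 8
            continue
        if major != 2 or length < HEADER.size or offset + length > len(data):
            raise ValueError(f"bad record at offset {offset}")
        name = data[offset + name_off: offset + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,
            "mft_entry": frn & 0xFFFFFFFFFFFF,       # low 48 bits of the reference
            "mft_sequence": frn >> 48,               # high 16 bits
            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
            "timestamp": filetime_to_datetime(ts),
            "reasons": decode_reasons(reason),
            "name": name,
        })
        offset += length
    return records


def pack_record(usn, frn, parent, ts, reason, name) -> bytes:
    """Construct one USN_RECORD_V2 (test data), padded to an 8-byte boundary."""
    enc = name.encode("utf-16-le")
    length = (HEADER.size + len(enc) + 7) & ~7
    body = HEADER.pack(length, 2, 0, frn, parent, usn, ts, reason,
                       0, 0, 0x20, len(enc), HEADER.size) + enc
    return body.ljust(length, b"\x00")


# Constructed journal: notes.txt is created, extended and closed, then deleted.
T0 = 129000000000000000  # FILETIME for 2009-10-14 13:20:00 UTC
SAMPLE_J = b"".join([
    pack_record(0,   (5 << 48) | 1234, 5, T0,             0x00000100, "notes.txt"),
    pack_record(80,  (5 << 48) | 1234, 5, T0 + 10 ** 7,   0x80000102, "notes.txt"),
    pack_record(160, (5 << 48) | 1234, 5, T0 + 2 * 10 ** 7, 0x80000200, "notes.txt"),
])

if __name__ == "__main__":
    for rec in parse_usn_records(SAMPLE_J):
        print(rec["timestamp"], rec["mft_entry"], rec["name"], rec["reasons"])
```

The MFT entry number lets you join a journal record back to the $MFT record (and through the parent reference, to the path), which is how deleted-file timelines are reconstructed even after the file itself is gone.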
File Systems-Vista & Windows 7
The volume header of an EXFAT volume.
Do your forensics tools read EXFAT?
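The BitLocker header slides earlier in the deck and the exFAT question here come down to the same check: does the tool recognize the first bytes of the volume boot sector? The following is an added example, not code from the presentation. It classifies a boot sector from its jump instruction and OEM ID using the byte patterns the deck shows for Vista (EB 52 90 "-FVE-FS-") and Windows 7 (EB 58 90 "-FVE-FS-") BitLocker volumes, plus the standard NTFS (EB 52 90 "NTFS    ") and exFAT (EB 76 90 "EXFAT   ") signatures, and it reads the MBR disk signature at offset 0x1B8 as the little-endian integer that appears in registry names such as Signature2E140032 (the byte-order reading is my statement, not the deck's). All sample sectors are constructed; function names are mine.

```python
"""Identify a volume boot sector and read the MBR disk signature."""
import struct

OEM_IDS = {
    b"-FVE-FS-": "bitlocker",
    b"NTFS    ": "ntfs",
    b"EXFAT   ": "exfat",
}


def identify_boot_sector(sector: bytes) -> str:
    """Classify a volume boot sector from bytes 0-2 (jump) and 3-10 (OEM ID)."""
    if len(sector) < 11:
        return "unknown"
    jump, oem = sector[0:3], sector[3:11]
    kind = OEM_IDS.get(oem)
    if kind is None:
        return "unknown"
    if kind == "bitlocker":
        # Same OEM ID on both releases; only the jump target changed. This is
        # the header difference that Vista and older tools do not recognize.
        if jump == b"\xEB\x52\x90":
            return "bitlocker-vista"
        if jump == b"\xEB\x58\x90":
            return "bitlocker-win7"
        return "bitlocker-unknown-header"
    return kind


def read_disk_signature(mbr: bytes) -> str:
    """Return the 4-byte MBR disk signature at 0x1B8 as 8 uppercase hex digits."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55 AA boot signature")
    (sig,) = struct.unpack_from("<I", mbr, 0x1B8)
    return f"{sig:08X}"


def make_sector(jump: bytes, oem: bytes) -> bytes:
    """Construct a 512-byte boot sector with the given jump and OEM ID."""
    return (jump + oem).ljust(510, b"\x00") + b"\x55\xAA"


# Constructed samples matching the hex dumps in the deck.
VISTA_BL = make_sector(b"\xEB\x52\x90", b"-FVE-FS-")
WIN7_BL = make_sector(b"\xEB\x58\x90", b"-FVE-FS-")
EXFAT = make_sector(b"\xEB\x76\x90", b"EXFAT   ")

# Constructed MBR: signature bytes 32 00 14 2E at 0x1B8 read as 0x2E140032.
_mbr = bytearray(512)
_mbr[0x1B8:0x1BC] = b"\x32\x00\x14\x2E"
_mbr[510:512] = b"\x55\xAA"
SAMPLE_MBR = bytes(_mbr)

if __name__ == "__main__":
    for label, sec in (("vista", VISTA_BL), ("win7", WIN7_BL), ("exfat", EXFAT)):
        print(label, identify_boot_sector(sec))
    print("disk signature", read_disk_signature(SAMPLE_MBR))
```

Running the classifier over the first sector of every partition in an image is a quick way to find BitLocker and exFAT volumes before discovering that the main forensic tool silently treated them as unrecognized.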
OS Artifacts
OS Artifacts—Recycle.Bin
• [Volume]:\$Recycle.Bin
– $Recycle.Bin is visible in Explorer (view hidden files).
– Per-user store in a subfolder named with the account SID.
– No more INFO2 files.
– When a file is deleted (moved to the Recycle Bin) it generates two files in the Recycle Bin: $I and $R files.
• $I or $R followed by several random characters, then the original extension. The random characters are the same for each $I/$R pair.
• The $I file maintains the original name and path, as well as the deleted date.
• The $R file retains the original file data stream and other attributes. The name attribute is changed to $R******.ext.
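The $I file is small and fixed-format, so the original path and deletion time can be recovered without Explorer. The parser below is an added example, not code from the presentation. It decodes the version-1 $I layout used by Vista and Windows 7 (8-byte version, 8-byte original size, 8-byte FILETIME deletion time, then 260 UTF-16LE characters of path), a layout I am stating from the file format rather than from the deck, and it pairs a $I name with its $R file. The sample $I content is constructed with build_i_file(); function names are mine.

```python
"""Parse a Vista / Windows 7 Recycle Bin $I file (format version 1)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version (8) + original size (8) + deletion FILETIME (8) + 260 UTF-16 chars (520)
I_FILE_V1 = struct.Struct("<QQq520s")


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_i_file(data: bytes) -> dict:
    """Return original path, size and deletion time from $I file bytes."""
    if len(data) < I_FILE_V1.size:
        raise ValueError("too short for a version-1 $I file")
    version, size, deleted_ft, raw_path = I_FILE_V1.unpack_from(data)
    if version != 1:
        raise ValueError(f"unsupported $I version {version} (Vista/7 use 1)")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"original_path": path, "size": size,
            "deleted": filetime_to_datetime(deleted_ft)}


def matching_r_name(i_name: str) -> str:
    """$I and $R files share the random suffix: $IABC123.txt <-> $RABC123.txt."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_i_file(path: str, size: int, deleted: datetime) -> bytes:
    """Construct a version-1 $I file for testing (integer FILETIME arithmetic)."""
    td = deleted - FILETIME_EPOCH
    ft = (td.days * 86400 + td.seconds) * 10 ** 7 + td.microseconds * 10
    return I_FILE_V1.pack(1, size, ft,
                          path.encode("utf-16-le").ljust(520, b"\x00"))


# Constructed sample: a spreadsheet deleted on 2009-07-20 14:30 UTC.
SAMPLE_I = build_i_file(r"C:\Users\alice\Documents\budget.xlsx", 48213,
                        datetime(2009, 7, 20, 14, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    info = parse_i_file(SAMPLE_I)
    print(info["deleted"].isoformat(), info["size"], info["original_path"])
    print("data is in", matching_r_name("$IABC123.xlsx"))
```

A version-1 file is always 544 bytes; a $I file of a different length or version came from a later Windows release and needs a different parser.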
OS Artifacts—Recycle.Bin
Note the deleted date (in blue).
OS Artifacts—Folder Virtualization
– Part of User Account Control: a standard user cannot write to certain protected folders.
• C:\Windows
• C:\Program Files
• C:\ProgramData
– To allow a standard user to function, any writes to protected folders are “virtualized” and written to C:\Users\[user]\AppData\Local\VirtualStore
OS Artifacts—Registry Virtualization
• Virtualized key: HKEY_LOCAL_MACHINE\SOFTWARE
• Non-administrator writes are redirected to:
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\
• Keys excluded from virtualization:
– HKEY_LOCAL_MACHINE\Software\Classes
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
OS Artifacts—Registry Virtualization
• Location of the registry hive file for the VirtualStore:
– It is NOT the user’s NTUSER.DAT.
– It is stored in the user’s UsrClass.dat:
\Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat
• Investigation of Vista through Windows 2008 R2 requires the investigator to examine at least two account-specific registry hive files for each user account:
– NTUSER.DAT
– UsrClass.dat
OS Artifacts—Libraries
Libraries are stored under \Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries.
Libraries are XML files.
OS Artifacts—Shell
The “Recent” folder contains link files and two subfolders at \Users\[Account]\AppData\Roaming\Microsoft\Windows\Recent.
“AutomaticDestinations” files are in the Structured Storage file format.
OS Artifacts—Chkdsk Logs
\System Volume Information\Chkdsk
OS Artifacts—Superfetch
\Windows\Prefetch
OS Artifacts—Volume Shadow Copy
• Volume shadow copies are bit-level differential backups of a volume.
– 16 KB blocks.
– Copy on write.
– Volume Shadow Copy “files” are “difference” files.
• The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2.
• “Difference files” reside in the System Volume Information folder.
OS Artifacts—Volume Shadow Copy
• Shadow copies are the source data for Restore Points and the Restore Previous Versions features.
• Used in backup operations.
• Shadow copies provide a “snapshot” of a volume at a particular time.
• Shadow copies can show how files have been altered.
• Shadow copies can retain data that has later been deleted, wiped, or encrypted.
OS Artifacts—Volume Shadow Copy
Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.
OS Artifacts—Volume Shadow Copy
The Volume Shadow Copy difference files are maintained in “\System Volume Information” along with other VSS data files, including a new registry hive.
OS Artifacts—Volume Shadow Copy
\System Volume Information\Syscache.hve
vssadmin list shadows /for=[volume]:
Microsoft Network Security
OS Artifacts—Volume Shadow Copy
Microsoft Network Security
OS Artifacts—Volume Shadow Copy
Shadow copies can be exposed through symbolic links:
mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
OS Artifacts—Volume Shadow Copy
Volume shadows can be mounted directly as network shares:
net share testshadow=\\.\HarddiskVolumeShadowCopy11\
OS Artifacts—Volume Shadow Copy
>psexec \\[computername] vssadmin list shadows /for=C:
>psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\
PsExec v1.94 - Execute processes remotely
...
testshadow was shared successfully.
net exited on [computername] with error code 0.
>robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername] \testshadow
D:\vssTest
Log File : D:\VSStestcopylog.txt
...
OS Artifacts—Volume Shadow Copy
• Other ways to call shadow copies:
– \\localhost\C$\Users\troyla\Downloads (Yesterday, July 20, 2009, 12:00 AM)
– \\localhost\C$\@GMT-2009.07.17-08.45.26\
– ?
OS Artifacts—Volume Shadow Copy
Shadow copies can be imaged.
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>dd if=\\.\HarddiskVolumeShadowCopy11 of=E:\shadow11.dd -localwrt
The VistaFirewall Firewall is active with exceptions.
Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd
Output: E:\shadow11.dd
136256155648 bytes
129943+1 records in
129943+1 records out
136256155648 bytes written
Succeeded!
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>
OS Artifacts—Volume Shadow Copy
Images of shadow copies can be opened in forensics tools and appear as logical volumes.
Data that has been deleted can be captured by shadow copies and is available for retrieval in shadow copy images.
OS Artifacts—Volume Shadow Copy
Every shadow copy data set should approximate the size of the original volume.
Amount of case data = (number of shadow copies) x (size of the volume) + (size of the volume).
10 shadow copies = 692 GB.
Applications—I.E. 8
Applications—I.E. 8
Command line for InPrivate Browsing:
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -private
Cache data appears to be written, then deleted.
Residual cache files from InPrivate browsing.
Tab and session recovery—a new source for historical browsing information:
\Users\[Account]\AppData\Local\Microsoft\Internet Explorer\Recovery
Recovery file: Note the Structured Storage file format.
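Both artifacts the deck describes as Structured Storage files, the AutomaticDestinations jump lists in the Shell section and the I.E. 8 tab/session Recovery files here, begin with the same OLE2 compound file header. The following is an added example, not code from the presentation: it checks the 8-byte signature and reads the header fields needed before walking the file (version, sector size, directory start, FAT sector list), following the header layout from the [MS-CFB] specification, so an examiner can confirm that a recovered or carved file really is a compound document before passing it to a full parser. The sample header is constructed with build_header(); function names are mine.

```python
"""Identify and read the header of a Structured Storage (OLE2 / CFB) file."""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Fixed header fields, little-endian, 76 bytes; the 109-entry DIFAT array
# (436 bytes) that follows completes the 512-byte header.
HDR = struct.Struct("<8s16sHHHHH6sIIIIIIIII")
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF


def is_structured_storage(data: bytes) -> bool:
    """Cheap magic check for triage, e.g. on files carved from unallocated space."""
    return data[:8] == CFB_MAGIC


def parse_cfb_header(data: bytes) -> dict:
    """Validate the header and return the fields needed to start walking the file."""
    if len(data) < 512:
        raise ValueError("need at least 512 bytes")
    (magic, _clsid, _minor, major, byte_order, sector_shift, mini_shift, _res,
     _n_dir, n_fat, first_dir, _txn, mini_cutoff,
     first_minifat, _n_minifat, _first_difat, _n_difat) = HDR.unpack_from(data)
    if magic != CFB_MAGIC:
        raise ValueError("not a compound file: bad signature")
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark")
    # Version 3 files use 512-byte sectors, version 4 files 4096-byte sectors.
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError(f"inconsistent version/sector size: {major}/{sector_shift}")
    difat = struct.unpack_from("<109I", data, HDR.size)
    return {
        "major_version": major,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "fat_sectors": n_fat,
        "first_dir_sector": first_dir,
        "mini_stream_cutoff": mini_cutoff,
        "first_minifat_sector": first_minifat,
        "difat": [s for s in difat if s != FREESECT],
    }


def build_header(first_dir=1, fat_sectors=(0,)) -> bytes:
    """Construct a minimal version-3 header for testing."""
    fixed = HDR.pack(CFB_MAGIC, b"\x00" * 16, 0x003E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
                     0, len(fat_sectors), first_dir, 0, 4096,
                     ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    difat = list(fat_sectors) + [FREESECT] * (109 - len(fat_sectors))
    return fixed + struct.pack("<109I", *difat)


# Constructed sample: one FAT sector at sector 0, directory at sector 1.
SAMPLE_HEADER = build_header(first_dir=1, fat_sectors=(0,))

if __name__ == "__main__":
    print(is_structured_storage(SAMPLE_HEADER), parse_cfb_header(SAMPLE_HEADER))
```

The directory sector and FAT list returned here are the entry points for enumerating the streams inside a jump list or Recovery file; a wrong sector size or a missing byte-order mark is the usual sign that a carved candidate is a false positive or has been partially overwritten.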
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or
other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.