Windows 7: Current Events in the World of Windows Forensics
Transcription
Windows 7: Current Events in the World of Windows Forensics
Windows 7: Current Events in the World of Windows Forensics Troy Larson Senior Forensic Program Manager Network Security, Microsoft Corp. Microsoft Network Security Where Are We Now? • Vista & Windows 2008 – – – – – – – – – – BitLocker. Format-Wipes the volume. EXFAT. Event Logging—format, system, scheme. Virtual Folders & Registry. Volume Shadow Copy. Links, Hard and Symbolic. Change Journal. Recycle Bin. Superfetch. Microsoft Network Security Where Are We Now? • Windows 7 & Window 2008 R2 Updated BitLocker. BitLocker To Go. VHDs—Boot from, mount as “Disks.” XP Mode. Flash Media Enhancements. Libraries, Sticky Notes, Jump Lists. Service and Driver triggers. I.E. 8, InPrivate Browsing, Tab and Session Recovery. – Even more Volume Shadow Copy. – – – – – – – – Microsoft Network Security Digital Forensics Subject Matter Expertise “Stack” Applications—e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Thanks to Eoghan Casey. Mount, Partition & Volume Managers “Disk” Microsoft Network Security Windows 7“Disk” Note disk signature: 2E140032 0x1b8-1bb Microsoft Network Security Windows 7“Disk” HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 \DiskController\0\DiskPeripheral\0 Diskpart >Automount scrub Microsoft Network Security Vista “Disk” HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\ 1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000 Microsoft Network Security Partitions and Volumes Applications—e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers “Disk” Microsoft Network Security Virtual Hard Drives • Create • Attach • Detach • Delete BitLocker: Windows 7 During installing, Windows 7 creates a “System Reserved” volume—enabling set up of BitLocker. In Vista, the System volume was generally 1.5 GB or more. Microsoft Network Security BitLocker: Vista • Physical level view of the header of the boot sector of a Vista BitLocker protected volume: – 0xEB 52 90 2D 46 56 45 2D 46 53 2D – ëR -FVE-FS- Microsoft Network Security BitLocker: Windows 7 • Physical level view of the header of the boot sector of a Windows 7 BitLocker protected volume: – 0xEB 58 90 2D 46 56 45 2D 46 53 2D – ëX -FVE-FS- Microsoft Network Security BitLocker: Windows 7 • Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2. • Forensics tools may not recognize the new BitLocker volume header. • Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2. Microsoft Network Security BitLocker Review or Imaging Application User Mode Kernel Mode File System Driver Fvevol.sys Volume Manager Microsoft Network Security FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption. • Once booted, Windows (and the user) sees no difference in experience. • The encryption / decryption happens at below the file system. BitLocker Review or Imaging Application User Mode Kernel Mode File System Driver Fvevol.sys Volume Manager Microsoft Network Security BitLocker Review or Imaging The “More/Less information” button will provide the BitLocker volume recovery key identification. Microsoft Network Security BitLocker Review or Imaging • BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4ACD3075CB8335.txt: BitLocker Drive Encryption Recovery Key The recovery key is used to recover the data on a BitLocker protected drive. To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen. Recovery key identification: 783F5FF9-18D4-4C Full recovery key identification: 783F5FF9-18D4-4C64-AD4ACD3075CB8335 BitLocker Recovery Key: 528748-036938-506726-199056-621005-314512-037290-524293 Microsoft Network Security BitLocker Review or Imaging Enter the recovery key exactly. Microsoft Network Security BitLocker Review or Imaging Viewed or imaged as part of a physical disk, BitLocker volumes appear encrypted. Microsoft Network Security BitLocker Review or Imaging To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume. Microsoft Network Security BitLocker Review or Imaging Microsoft Network Security File Systems Applications—e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers “Disk” Microsoft Network Security File Systems Since Vista SP1, Format wipes while it formats. http://support.microsoft.com/kb/941961 Diskpart.exe > Clean all Microsoft Network Security File Systems-Vista & Windows 7 • NTFS – Symbolic links to files, folders, and UNC paths. • Beware the “Application Data” recursion loop. • Cf. Link files. – Hard links are extensively used (\Winsxs). – Disabled by default: Update Last Access Date. – Enabled by default: The NTFS Change Journal ($USN:$J). • Transactional NTFS ($Tops:$T). Microsoft Network Security File Systems-Vista & Windows 7 The volume header of an EXFAT volume. Do your forensics tools read EXFAT? Microsoft Network Security OS Artifacts Applications—e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers “Disk” Microsoft Network Security OS Artifacts—Recycle.Bin • [Volume]:\$Recycle.Bin $Recycle.Bin is visible in Explorer (view hidden files). Per user store in a subfolder named with account SID. No more Info2 files. When a file is deleted—moved to the Recycle Bin—it generates two files in the Recycle Bin. – $I and $R files. – – – – • $I or $R followed by several random characters, then original extension. The random characters are the same for each $I/$R pair. • $I file maintains the original name and path, as well as the deleted date. • $R file retains the original file data stream and other attributes. The name attribute is changed to $R******.ext. Microsoft Network Security OS Artifacts—Recycle.Bin Note the deleted date (in blue). Microsoft Network Security OS Artifacts—Recycle.Bin Microsoft Network Security OS Artifacts—Folder Virtualization – Part of User Access Control—Standard user cannot write to certain protected folders. • C:\Windows • C:\Program Files • C:\Program Data – To allow standard user to function, any writes to protected folders are “virtualized” and written to C:\Users\[user]\AppData\Local\VirtualStore Microsoft Network Security OS Artifacts—Registry Virtualization • • Virtualize (HKEY_LOCAL_MACHINE\SOFTWARE) Non-administrator writes are redirect to: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\ • Keys excluded from virtualization – HKEY_LOCAL_MACHINE\Software\Classes – HKEY_LOCAL_MACHINE \Software\Microsoft\Windows – HKEY_LOCAL_MACHINE \Software\Microsoft\Windows NT Microsoft Network Security OS Artifacts—Registry Virtualization • Location of the registry hive file for the VirtualStore – Is NOT the user’s NTUSER.DAT – It is stored in the user’s UsrClass.dat \Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat • Investigation of Vista - Windows 2008 R2 requires the investigator to examine at least two account specific registry hive files for each user account. – NTUSER.DAT – UsrClass.dat Microsoft Network Security OS Artifacts—Libraries Microsoft Network Security OS Artifacts—Libraries \Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries. Microsoft Network Security OS Artifacts—Libraries Libraries are XML files. Microsoft Network Security OS Artifacts—Libraries Microsoft Network Security OS Artifacts—Shell The “Recent” folder contains link files and two subfolders at \User\[Account]\AppData\Roaming\Microsoft\Windows\Recent. Microsoft Network Security OS Artifacts—Shell Microsoft Network Security OS Artifacts—Shell “AutomaticDestination” files are in the Structured Storage file format. Microsoft Network Security OS Artifacts—Shell Microsoft Network Security OS Artifacts—Shell Microsoft Network Security OS Artifacts—Chkdsk Logs \System Volume Information\Chkdsk Microsoft Network Security OS Artifacts—Superfetch \Windows\Prefetch Microsoft Network Security OS Artifacts—Volume Shadow Copy • Volume shadow copies are bit level differential backups of a volume. – 16 KB blocks. – Copy on write. – Volume Shadow copy “files” are “difference” files. • The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2. • “Difference files” reside in the System Volume Information folder. Microsoft Network Security OS Artifacts—Volume Shadow Copy • Shadow copies are the source data for Restore Points and the Restore Previous Versions features. • Used in backup operations. • Shadow copies provide a “snapshot” of a volume at a particular time. • Shadow copies can show how files have been altered. • Shadow copies can retain data that has later been deleted, wiped, or encrypted. Microsoft Network Security OS Artifacts—Volume Shadow Copy Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made. Microsoft Network Security OS Artifacts—Volume Shadow Copy The Volume Shadow Copy difference files are maintained in “\System Volume Information” along with other VSS data files, including a new registry hive. Microsoft Network Security OS Artifacts—Volume Shadow Copy \System Volume Information\Syscache.hve Microsoft Network Security OS Artifacts—Volume Shadow Copy Microsoft Network Security OS Artifacts—Volume Shadow Copy Microsoft Network Security OS Artifacts—Volume Shadow Copy vssadmin list shadows /for=[volume]: Microsoft Network Security OS Artifacts—Volume Shadow Copy Microsoft Network Security OS Artifacts—Volume Shadow Copy Shadow copies can be exposed through symbolic links. Mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\ Microsoft Network Security OS Artifacts—Volume Shadow Copy Volume Shadows can be mounted directly as network shares. net share testshadow=\\.\HarddiskVolumeShadowCopy11\ Microsoft Network Security OS Artifacts—Volume Shadow Copy >psexec \\[computername] vssadmin list shadows /for=C: >psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\ PsExec v1.94 - Execute processes remotely ... testshadow was shared successfully. net exited on [computername] with error code 0. >robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername] \testshadow D:\vssTest Log File : D:\VSStestcopylog.txt ... Microsoft Network Security OS Artifacts—Volume Shadow Copy • Other ways to call shadow copies: – \\localhost\C$\Users\troyla\Downloads (Yesterday, July 20, 2009, 12:00 AM) – \\localhost\C$\@GMT-2009.07.17-08.45.26\ – ? Microsoft Network Security OS Artifacts—Volume Shadow Copy Shadow copies can be imaged. C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>dd if=\\.\HarddiskVolumeShadowCopy11 of=E:\shadow11.dd –localwrt The VistaFirewall Firewall is active with exceptions. Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd Output: E:\shadow11.dd 136256155648 bytes 129943+1 records in 129943+1 records out 136256155648 bytes written Succeeded! C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64> Microsoft Network Security OS Artifacts—Volume Shadow Copy Images of shadow copies can be opened in forensics tools and appear as logical volumes. Microsoft Network Security OS Artifacts—Volume Shadow Copy Data that has been deleted can be captured by shadow copies and available for retrieval in shadow copy images. Microsoft Network Security OS Artifacts—Volume Shadow Copy Every shadow copy data set should approximate the size of the original volume. Amount of case data=(number of shadow copies) x (size of the volume)+(size of the volume). 10 shadow copies = 692 GB Microsoft Network Security Applications—I.E. 8 Applications—e.g., I.E., etc. OS Artifacts File Systems NTFS, FAT32, EXFAT Fvevol.sys Mount, Partition & Volume Managers “Disk” Microsoft Network Security Applications—I.E. 8 "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -private Microsoft Network Security Applications—I.E. 8 Cache data appears to be written, then deleted. Microsoft Network Security Applications—I.E. 8 Residual cache files from InPrivate browsing. Microsoft Network Security Applications—I.E. 8 Tab and session recovery—a new source for historical browsing information. \User\[Account]\AppData\Local\Microsoft\Internet Explorer\Recovery Microsoft Network Security Applications—I.E. 8 Recovery file: Note the Structured Storage file format. Microsoft Network Security Applications—I.E. 8 Microsoft Network Security © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Microsoft Network Security