Troy Larson Principal Forensics Program Manager TWC Network Security Investigations NSINV-R3 Research|Readiness|Response
OS Artifacts
File Systems
NTFS, FAT32, EXFAT
Disk
From XP to Vista
Changed location of boot sector.
BitLocker: unlocking, imaging, preservation.
EXFAT.
Transactional NTFS.
Event Logging: new format (.evtx), new system for collecting and displaying events, new security event numbering.
New directory tree for account profiles.
Symbolic links.
Virtual folders.
Virtual registries.
Volume Shadow Copies and difference files.
User Account Control.
Enforced signed drivers (x64).
Hard links.
WinSxS.*
Default settings: NTFS, change journal.
Recycle Bin: no INFO2, now $I.* and $R.*
Built-in volume and disk wiping.
SuperFetch and prefetch files.
Profile-based thumbcaches.*
Office file format changes: .docx, .pptx, .xlsx.
New Office files: InfoPath, Groove, OneNote.
EFS-encrypted pagefile.
x64 Windows.
Windows 2008 Hyper-V.
Built-in Defender.
From XP to Windows 7
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
Full format will zero out the entire volume space and rebuild a clean file system.
Windows 7 BitLocker
During installation, Windows 7 creates a System Reserved volume, enabling setup of BitLocker. In Vista, the System volume was generally 1.5 GB or more.
Windows 7 BitLocker
Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2. Forensics tools may not recognize the new BitLocker volume header. Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.
FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption.
Once booted, Windows (and the user) sees no difference in experience. The encryption / decryption happens below the file system.
Forensic review or imaging begins with attaching the hard drive or USB drive to a Windows 7 or 2008 R2 system and unlocking it.
To unlock a BitLocker-protected volume, first get the Recovery Password ID: manage-bde -protectors -get [volume]. The Recovery Password ID can be used to look up the Recovery Password in Active Directory (AD).
To verify that this is the correct recovery key, compare the identification with what is presented on the recovery screen.
Recovery key identification: 783F5FF9-18D4-4C
Full recovery key identification: 783F5FF9-18D4-4C64-AD4ACD3075CB8335
BitLocker Recovery Key: 528748-036938-506726-199056-621005-314512-037290-524293
To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume.
Selecting "I forgot my password" will bring up a window to enter the recovery key.
Transactional NTFS allows a related series of file system changes to be treated and logged as a transaction. NTFS can then commit if the changes are completed successfully, or abort and roll back if they are not.
The $Tops:$T stream is in XML and can be read in an XML reader, such as the Microsoft XML Notepad.
More of this in NTFS: much of the heavy lifting is done by named data streams.
NTFS: $USNJrnl:$J
Windows 7 Artifacts: Recycle.Bin
[Volume]:\$Recycle.Bin. $Recycle.Bin is visible in Explorer (view hidden files).
Per-user store in a subfolder named with the account SID.
When a file is moved to the Recycle Bin, it becomes two files: $I and $R.
$I file: original name and path, as well as the deleted date.
$R file: original file data stream and other attributes.
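The $I record layout is small enough to parse by hand. The following parser is an added example, not code from the presentation: it reads the 8-byte version, 8-byte original size, 8-byte FILETIME deletion timestamp and the UTF-16LE original path of a version-1 $I file (Vista and Windows 7), and also handles the later version-2 layout with a length-prefixed path, which goes beyond the Windows 7 scope of the slides. The sample records, the path C:\Users\analyst\Documents\budget.xlsx and the function names are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I record from $Recycle.Bin\<SID>\.

    Version 1 (Vista/7): three little-endian QWORDs (version, original size,
    deletion FILETIME) followed by a fixed 520-byte UTF-16LE path (260 chars).
    Version 2 (later Windows): same header, then a DWORD character count and
    a variable-length UTF-16LE path.
    """
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, original_size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": original_size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def build_dollar_i_v1(path: str, size: int, deleted_at: datetime) -> bytes:
    """Construct a version-1 $I record (test data, not a captured artifact)."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > 518:  # leave room for the UTF-16 null terminator
        raise ValueError("path exceeds 260 characters")
    header = struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at))
    return header + encoded.ljust(520, b"\x00")


def build_dollar_i_v2(path: str, size: int, deleted_at: datetime) -> bytes:
    """Construct a version-2 $I record; the count includes the terminating null."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_at), len(encoded) // 2)
    return header + encoded


# Constructed sample: a spreadsheet deleted on 2009-07-17 08:45:26 UTC.
SAMPLE_DELETED_AT = datetime(2009, 7, 17, 8, 45, 26, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\analyst\Documents\budget.xlsx"
SAMPLE_I_FILE = build_dollar_i_v1(SAMPLE_PATH, 48_213, SAMPLE_DELETED_AT)

if __name__ == "__main__":
    print(parse_dollar_i(SAMPLE_I_FILE))
```

Pairing the parsed record with the matching $R file (same suffix after the $I/$R prefix) gives the original path, size and deletion time alongside the recovered data stream.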
The Recycle.Bin works similarly on FAT file systems, here EXFAT:
To allow standard users to function, any writes to protected folders are virtualized and written to:
C:\Users\[user]\AppData\Local\VirtualStore
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\
Investigation of Vista through 2008 R2 requires the investigator to examine at least two account specific registry hive files for each user account.
NTUSER.DAT
UsrClass.dat
The TxR files are stored in the TxR subfolder in \Windows\System32\config with the system registry hives.
C:\ProgramData\Microsoft\Search\Data\Applications\Windows
Windows Search index file = Windows.edb, an ESE database. MSS*.log files are the database log files.
http://www.woany.co.uk/esedbviewer/
>C:\Windows\system32\esentutl.exe /r MSS /d
Run from the folder containing the Windows.edb and its log files.
Generic will bring up all tables. Desktop Search will bring up a select view. AV can interfere with esentutl.exe and eseDbViewer.
Match a ThumbnailCacheID from a Thumbnail Cache file to a ThumbnailCacheID in the Windows Search index to link a thumbnail to a file.
The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2.
Copy on Write: before a block is written to, its existing contents are saved to the difference file. When a Shadow Copy is read, the volume consists of the live, unchanged blocks plus the saved blocks from the difference file.
[Diagram: block map of the live volume and the difference files at shadow copy times T3 and T4]
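The copy-on-write behaviour described above, as an added toy model that is not part of the presentation and not VSS's actual on-disk format: a volume holds a list of blocks, each shadow copy is just an empty difference file at creation time, every overwrite of a live block first saves the old contents into each difference file that does not yet hold that block, and reading a shadow copy overlays the saved blocks on the live ones. The block contents and the class and function names are constructed for the example.

```python
class ShadowCopyVolume:
    """Simplified copy-on-write volume: live blocks plus one difference file
    (a dict of block index -> saved bytes) per shadow copy."""

    def __init__(self, blocks):
        self.live = list(blocks)   # current contents, indexed by block number
        self.diffs = []            # one difference file per shadow copy

    def create_shadow(self) -> int:
        """A snapshot is instantaneous: it only allocates an empty difference file."""
        self.diffs.append({})
        return len(self.diffs) - 1

    def write(self, index: int, data: bytes) -> None:
        """Copy on write: preserve the old block for every shadow copy that has
        not already captured it, then overwrite the live block."""
        old = self.live[index]
        for diff in self.diffs:
            if index not in diff:
                diff[index] = old
        self.live[index] = data

    def read_shadow(self, shadow_id: int):
        """Reconstruct the volume as of the snapshot: saved blocks from the
        difference file override live blocks changed since then."""
        diff = self.diffs[shadow_id]
        return [diff.get(i, block) for i, block in enumerate(self.live)]


def demo():
    # Constructed five-block volume; two shadows, with writes between them.
    vol = ShadowCopyVolume([b"b0", b"b1", b"b2", b"b3", b"b4"])
    t3 = vol.create_shadow()
    vol.write(1, b"b1'")      # saved to T3's difference file
    vol.write(3, b"b3'")      # saved to T3's difference file
    t4 = vol.create_shadow()
    vol.write(1, b"b1''")     # T3 already holds block 1; only T4 saves b1'
    vol.write(4, b"b4'")      # block 4 untouched since T3, so both shadows save b4
    return vol, t3, t4


if __name__ == "__main__":
    vol, t3, t4 = demo()
    print("live:", vol.live)
    print("T3  :", vol.read_shadow(t3))
    print("T4  :", vol.read_shadow(t4))
```

The forensic point the model makes concrete: overwriting or wiping a block on the live volume does not touch the copy already saved to a difference file, so a shadow copy taken before the change still yields the original contents.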
... testshadow was shared successfully.
net exited on [computername] with error code 0.
>robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername]\testshadow D:\vssTest
Log File : D:\VSStestcopylog.txt ...
\\localhost\C$\@GMT-2009.07.17-08.45.26\
Questions?