Digital Forensics and Windows 7
Overview
Troy Larson
Principal Forensics Program Manager
TWC Network Security Investigations
NSINV-R3– Research|Readiness|Response
Introduction and Encouragement
[Diagram: the Stack of Forensics Knowledge: Disk; Mount, Partition & Managers; Fvevol.sys; File Systems (NTFS, FAT32, EXFAT); OS Artifacts; Applications]
• Highlights of new things of interest.
– Changes between XP and Windows 7.
– Climb the Stack of Forensics Knowledge.
World vs. Microsoft
• World: Pre-Vista, huge Windows XP base; pre-Office 2007.
• Microsoft: x64, Windows 7, Windows 2008 R2, Office 2010, * 2010, Windows 8, WP 7.
From XP to Vista
• Changed location of boot sector.
• BitLocker, unlocking, imaging, preservation.
• EXFAT. Transactional NTFS.
• Event Logging.
• New format: .evtx.
• New system for collecting and displaying events.
• New security event numbering.
• New directory tree for account profiles.
• Symbolic links. “Virtual” folders.
• “Virtual” registries.
• Volume Shadow Copies and difference files.
• User Account Control.
• Enforced Signed Drivers x64.
• Hard links. WinSxS.*
• Default settings: NTFS, change journal.
• Recycle Bin, no info2, now $I.* & $R.*
• Built in volume and disk wiping.
• SuperFetch & prefetch files.
• Profile based thumbcaches.*
• Office file format changes: .docx, .pptx, .xlsx.
• New Office files—InfoPath, Groove, OneNote.
• EFS encrypted pagefile.
• x64 Windows.
• Windows 2008 Hyper-V.
• Built in Defender.
From XP to Windows 7
Windows 7 Highlights for Forensics
• Changed volume header for BitLocker volumes.
• Updated BitLocker, multiple volumes, Smartcard keys, not backwardly compatible.
• BitLocker To Go.
• Virtual Hard drives—Boot from, mount as “Disks.”
• Virtual PC—integrated into the OS.
• XP Mode.
• Flash Media Enhancements.
• Libraries, Sticky Notes, Jump Lists.
• Service and Driver triggers.
• Fewer Services on default startup.
• I.E. 8, InPrivate Browsing, Tab and Session Recovery.
• Changes in Volume Shadow Copy behavior.
• New registry-like files.
• WebDAV-Office cache.
• More x64 clients. x64 Windows 2008 R2 (server).
• Changes in Hyper-V.
• Office 2010 file format changes—OneNote.
• Thumbnail Cache.
• Virtual Servers, thin clients.
• Direct Access (IPSec).
• Windows Search.
Windows 7 Disk Identification
Disk signature: 0x1b8-0x1bb
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
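An added example (not from the deck) that reads the 32-bit disk signature from MBR offset 0x1B8-0x1BB of a sector image and, going a step beyond the slide, decodes the four primary partition entries of the same sector so volumes can be located when a tool fails to show them; the 512-byte MBR, its signature and its partitions are constructed here.

```python
import struct

MBR_SIZE = 512
SIGNATURE_OFFSET = 0x1B8          # disk signature, 4 bytes little-endian
PARTITION_TABLE_OFFSET = 0x1BE    # four 16-byte entries
BOOT_SIGNATURE_OFFSET = 0x1FE     # 0x55 0xAA

# Constructed sample MBR for demonstration (not taken from the slides).
def build_sample_mbr() -> bytes:
    mbr = bytearray(MBR_SIZE)
    struct.pack_into("<I", mbr, SIGNATURE_OFFSET, 0xA1B2C3D4)
    # Entry 1: bootable, type 0x07 (NTFS), LBA 2048, 204800 sectors (a small system volume).
    struct.pack_into("<B3sB3sII", mbr, PARTITION_TABLE_OFFSET,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    # Entry 2: not bootable, type 0x07 (NTFS), the remainder of a ~20 GB disk.
    struct.pack_into("<B3sB3sII", mbr, PARTITION_TABLE_OFFSET + 16,
                     0x00, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 206848, 41736192)
    mbr[BOOT_SIGNATURE_OFFSET:MBR_SIZE] = b"\x55\xAA"
    return bytes(mbr)


def disk_signature(mbr: bytes) -> int:
    """Return the disk signature stored at 0x1B8-0x1BB; reject sectors without the 0x55AA marker."""
    if len(mbr) < MBR_SIZE or mbr[BOOT_SIGNATURE_OFFSET:MBR_SIZE] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector (missing 0x55AA boot signature)")
    return struct.unpack_from("<I", mbr, SIGNATURE_OFFSET)[0]


def signature_hex(mbr: bytes) -> str:
    """The signature as the 8-hex-digit string an examiner compares against the DiskPeripheral key."""
    return f"{disk_signature(mbr):08x}"


def partitions(mbr: bytes, sector_size: int = 512) -> list[dict]:
    """Decode the primary partition table; empty slots are skipped."""
    disk_signature(mbr)  # validates the sector first
    entries = []
    for n in range(4):
        status, _chs_start, ptype, _chs_end, start_lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PARTITION_TABLE_OFFSET + 16 * n)
        if ptype == 0x00 and count == 0:
            continue
        entries.append({
            "index": n + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "sectors": count,
            "size_bytes": count * sector_size,
        })
    return entries


if __name__ == "__main__":
    sample = build_sample_mbr()
    print("disk signature:", signature_hex(sample))
    for p in partitions(sample):
        print(p)
```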
Windows 7 Partitions and Volumes
If you can’t find your volumes, look for this.
Windows 7 Partitions and Volumes--VHD
Full format will zero out the entire volume space and rebuild a clean file system.
Diskpart clean /all will wipe the entire hard drive.
Windows 7 BitLocker
During installation, Windows 7 creates a “System Reserved” volume, enabling setup of BitLocker.
In Vista, the System volume was generally 1.5 GB or more.
Windows 7 BitLocker
• Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2.
• Forensics tools may not recognize the new BitLocker volume header.
• Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.
Windows 7 BitLocker
Review or Imaging
[Diagram: Applications (user mode) above the File System Driver, Fvevol.sys, and Volume Manager (kernel mode)]
• FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption.
• Once booted, Windows (and the user) sees no difference in experience.
• The encryption / decryption happens below the file system.
Forensic review or imaging begins with attaching the hard drive or USB drive to a Windows 7 or 2008 R2 system and unlocking it.
Unlocking BitLocker with the GUI: Windows 7 will recognize an added BitLocker volume and prompt for the recovery key.
The “More/Less information” button will provide the BitLocker volume recovery key identification.
To unlock a BitLockered volume, first get the Recovery Password ID: manage-bde -protectors -get [volume].
The Recovery Password ID can be used to recover the Recovery Password from the AD.
• BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4A-CD3075CB8335.txt:
BitLocker Drive Encryption Recovery Key
The recovery key is used to recover the data on a BitLocker protected drive.
To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen.
Recovery key identification: 783F5FF9-18D4-4C
Full recovery key identification: 783F5FF9-18D4-4C64-AD4A-CD3075CB8335
BitLocker Recovery Key:
528748-036938-506726-199056-621005-314512-037290-524293
Enter the recovery key exactly.
Unlock the BitLocker volume: manage-bde.exe -unlock [volume] -rp [recovery password].
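An added check (not part of the deck) for the “enter the recovery key exactly” step: every 6-digit group of a BitLocker recovery password is a multiple of 11 whose quotient fits in 16 bits, so any single mistyped digit in a group is detected before manage-bde is even run. The password tested is the one printed on the slide above; the key-identification helper compares the prefix shown on the recovery screen with the full identification in the recovery key file.

```python
import re

# The 48-digit recovery password shown on the slide, in its printed form.
SLIDE_RECOVERY_PASSWORD = "528748-036938-506726-199056-621005-314512-037290-524293"


def recovery_password_groups(text: str) -> list[str]:
    """Split a typed recovery password into its eight 6-digit groups (hyphens and spaces optional)."""
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit() or len(digits) != 48:
        raise ValueError("a recovery password has exactly 48 digits")
    return [digits[i:i + 6] for i in range(0, 48, 6)]


def group_is_valid(group: str) -> bool:
    """Each group is 11 times a 16-bit value: divisible by 11 and group // 11 < 65536."""
    value = int(group, 10)
    return value % 11 == 0 and value // 11 < 65536


def validate_recovery_password(text: str) -> tuple[bool, list[int]]:
    """Return (ok, zero-based indexes of groups that fail the check).

    A single wrong digit changes a group by d * 10**k, and 10 is -1 mod 11, so the
    group stops being divisible by 11; the same holds for a swapped pair of digits.
    """
    try:
        groups = recovery_password_groups(text)
    except ValueError:
        return False, list(range(8))
    bad = [i for i, g in enumerate(groups) if not group_is_valid(g)]
    return not bad, bad


def key_identification_matches(screen_id: str, file_id: str) -> bool:
    """The recovery screen shows a prefix of the key identification; match it against the file's full GUID."""
    shown = screen_id.strip().upper()
    full = file_id.strip().upper()
    return len(shown) >= 8 and full.startswith(shown)


if __name__ == "__main__":
    print(validate_recovery_password(SLIDE_RECOVERY_PASSWORD))
    print(key_identification_matches("783F5FF9-18D4-4C", "783F5FF9-18D4-4C64-AD4A-CD3075CB8335"))
```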
Viewed or imaged as part of a physical disk, BitLocker volumes appear encrypted.
To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume.
Image the logical volume to obtain an image of the unlocked volume.
Windows 7 BitLocker To Go
Review or Imaging
Selecting “I forgot my password” will bring up a window to enter the recovery key.
The BitLocker To Go device is unlocked and ready for review or imaging.
Windows 7 File Systems
• NTFS
– Symbolic links to files, folders, and UNC paths.
– Hard links are extensively used.
– Disabled by default: Update Last Access Date.
– Enabled by default: The NTFS Change Journal.
• Transactional NTFS (TxF)—Installations, patches, and as-needed driver installations (IR?).
Windows 7 File Systems
• TxF works on top of NTFS:
• Allows a related series of file system changes to be treated and logged as a “transaction.”
• NTFS can then commit if the changes are completed successfully, or abort and roll back if they are not.
“Transactional NTFS (TxF) allows file operations on an NTFS file system volume to be performed in a transaction. TxF transactions increase application reliability by protecting data integrity across failures and simplify application development by greatly reducing the amount of error handling code.”
http://msdn.microsoft.com/en-us/library/bb968806(VS.85).aspx
The $Tops:$T stream is in XML and can be read in an XML reader, such as the Microsoft XML Notepad.
Windows 7 File Systems
NTFS: Symbolic links.
NTFS: Hard Links.
NTFS: Much of the heavy lifting is done by named data streams.
NTFS: $UsnJrnl:$J
Windows 7 Artifacts—Recycle.Bin
• [Volume]:\$Recycle.Bin.
• $Recycle.Bin is visible in Explorer (view hidden files).
• Per user store in a subfolder named with account SID.
• When a file is moved to the Recycle Bin, it becomes two files.
• $I and $R files.
• $I file—original name and path, as well as the deleted date.
• $R file—original file data stream and other attributes.
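An added parser (not from the deck) for the Vista/7 $I record the bullets describe: an 8-byte version, the original size, the deletion date as a FILETIME, and a fixed 520-byte UTF-16LE original path; it also accepts the later Windows 10 layout (version 2, which stores a character count before the path). The record, its path and its deletion time are constructed for the example, and the $I/$R pairing helper follows the naming the bullets give.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # 260 UTF-16LE characters, fixed length in Vista/7 records


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I record: original name and path, original size, and the deletion date."""
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, deleted_ft = struct.unpack_from("<qqq", data, 0)
    if version == 1:
        # Vista/7: fixed 520-byte path, null padded.
        raw = data[24:24 + V1_PATH_BYTES]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        # Windows 10: 4-byte character count (including the terminating null), then the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_utc": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def build_dollar_i_v1(original_path: str, size: int, deleted: datetime) -> bytes:
    """Construct a version-1 record; used here only to produce sample input."""
    path_bytes = original_path.encode("utf-16-le")
    if len(path_bytes) > V1_PATH_BYTES:
        raise ValueError("path too long for a version-1 $I record")
    header = struct.pack("<qqq", 1, size, datetime_to_filetime(deleted))
    return header + path_bytes.ljust(V1_PATH_BYTES, b"\x00")


def matching_r_name(i_name: str) -> str:
    """$I<id>.<ext> (metadata) pairs with $R<id>.<ext> (the original data stream)."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


# Constructed sample (not from the slides): a document deleted on 2009-07-20 15:30 UTC.
SAMPLE_DELETED = datetime(2009, 7, 20, 15, 30, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\analyst\Documents\quarterly-report.docx"
SAMPLE_I = build_dollar_i_v1(SAMPLE_PATH, 48213, SAMPLE_DELETED)

if __name__ == "__main__":
    print(parse_dollar_i(SAMPLE_I))
    print(matching_r_name("$IQ7X2K9.docx"))
```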
Windows 7 Artifacts—Recycle.Bin
Note the deleted date (in blue).
The Recycle.Bin works similarly on FAT file systems, here EXFAT:
Windows 7 Artifacts
Folder Virtualization
– Part of User Account Control—a standard user cannot write to certain protected folders.
• C:\Windows
• C:\Program Files
• C:\ProgramData
– To allow a standard user to function, any writes to protected folders are “virtualized” and written to C:\Users\[user]\AppData\Local\VirtualStore
Windows 7 Artifacts
Registry Virtualization
HKEY_CURRENT_USER\Software\Classes
• Virtualized key: HKEY_LOCAL_MACHINE\SOFTWARE
• Non-administrator writes are redirected to: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE
• Keys excluded from virtualization:
– HKEY_LOCAL_MACHINE\Software\Classes
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
Windows 7 Artifacts
Registry Virtualization
• Location of the registry hive file for the VirtualStore:
– Is NOT the user’s NTUSER.DAT.
– It is stored in the user’s UsrClass.dat: Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat
• Investigation of Vista through 2008 R2 requires the investigator to examine at least two account-specific registry hive files for each user account:
– NTUSER.DAT
– UsrClass.dat
Windows 7 Artifacts
Transactional Registry
• Related to TxF—also built on the Kernel Transaction Manager.
– http://msdn.microsoft.com/en-us/library/cc303705.aspx
• TxR allows applications to perform registry operations in a transactional manner.
– Typical scenario: software installation.
– Files copied to the file system and information to the registry as a single operation.
– In the event of failure, registry modifications are rolled back or discarded.
The TxR files are stored in the TxR subfolder in Windows\System32\config with the system registry hives.
Windows 7 Artifacts
Libraries
Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries
Libraries are XML files.
Windows 7 Artifacts
Sticky Notes
Sticky notes are also files in the Structured Storage file format.
Windows 7 Artifacts
Chkdsk Logs
System Volume Information\Chkdsk
Windows 7 Artifacts
Superfetch
• The existence of a prefetch file indicates that the application named by the prefetch file was run.
• The creation date of a prefetch file can indicate when the named application was first run.
• The modification date of a prefetch file can indicate when the named application was last run.
Windows\Prefetch
Windows 7 Artifacts
Superfetch—Much More
Look what gets loaded on boot.
Windows 7 Artifacts
Search Index
C:\ProgramData\Microsoft\Search\Data\Applications\Windows
• Windows Search index file = Windows.edb, an ESE database.
• MSS*.log files are the database log files.
http://www.woany.co.uk/esedbviewer/
>C:\Windows\system32\esentutl.exe /r MSS /d.
Run from the folder containing the Windows.edb and its log files.
• Generic will bring up all tables.
• Desktop Search will bring up a select view.
• AV can interfere with esentutl.exe and eseDbViewer.
SystemIndex_0A
• Over 380 fields.
Match a ThumbnailCacheID from a Thumbnail Cache file to a ThumbnailCacheID in the Windows Search index to link a thumbnail to a file.
Windows 7 Artifacts
Volume Shadow Copy
• Volume shadow copies are bit level differential backups of a volume.
– 16 KB blocks.
– Copy on write.
– Volume Shadow copy files are “difference” files.
• The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2.
• Shadow copies are the source data for Restore Points and the Restore Previous Versions features.
• Used in backup operations.
• Shadow copies provide a “snapshot” of a volume at a particular time.
• Shadow copies can show how files have been altered.
• Shadow copies can retain data that has later been deleted, wiped, or encrypted.
Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.
The Volume Shadow Copy difference files are maintained in “System Volume Information” along with other VSS data files, including a new registry hive.
Windows 7 Artifacts
Volume Shadow Copy
[Diagram: block maps of the volume at the start of the VSS snapshot (T1), the difference file, the shadow copy of the volume at T1, and the volume at the end of the VSS snapshot (T2, T3); blocks overwritten after T1 appear saved in the difference file]
• Copy on Write: Before a block is written to, it is saved to the difference file.
• When a Shadow Copy is read, the “volume” consists of the live, unchanged blocks, and the saved blocks from the difference file.
Volume Shadow Copy
A Shadow copy includes portions of more than one difference file when those difference files contain original blocks from the time of that shadow copy’s creation or snapshot.
• Here, there are three snapshots of the volume over time, and each has a corresponding difference file.
• Difference file T2 includes changes since the first snapshot.
• Difference File T3, changes since the second snapshot.
• Difference File T4, changes since the third snapshot.
• All difference files contain one or more of the original blocks from the volume at T1.
• After the third snapshot, the shadow copy of the volume as it was on T1 would include data from each of the difference files in this example, as each contains one or more blocks of the volume as it was at T1.
[Diagram: block maps of the volume at T1, the difference files T2, T3 and T4, the volume at T5, and the shadow copy of the volume at T1 assembled from them]
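An added model (not from the deck) of the copy-on-write behaviour the two diagrams describe: a block is saved to the newest difference file the first time it is overwritten after a snapshot, and the shadow copy for a snapshot is rebuilt by taking, for each block, the earliest saved pre-image from that snapshot's difference file onward, else the live block. The demo reproduces the slide's three-snapshot scenario with the slide's difference-file labels (T2, T3, T4) on a constructed ten-block volume, and also shows that original content overwritten twice is still recoverable from the T1 view.

```python
from dataclasses import dataclass, field

BLOCK_SIZE = 16 * 1024  # slides: shadow copies track the volume in 16 KB blocks


@dataclass
class DifferenceFile:
    """Pre-images of blocks first overwritten while this was the newest snapshot."""
    label: str
    saved: dict[int, bytes] = field(default_factory=dict)


class Volume:
    """Toy live volume protected by VSS-style copy-on-write snapshots (added example)."""

    def __init__(self, blocks: list[bytes]):
        self.blocks = list(blocks)
        self.diff_files: list[DifferenceFile] = []  # chronological, one per snapshot

    def snapshot(self, diff_label: str) -> int:
        """Take a snapshot; returns its index. The slide labels the file by the NEXT snapshot time."""
        self.diff_files.append(DifferenceFile(diff_label))
        return len(self.diff_files) - 1

    def write(self, index: int, data: bytes) -> None:
        # Copy on write: save the current block to the newest difference file before
        # changing it, but only the first time it changes after that snapshot.
        if self.diff_files:
            active = self.diff_files[-1]
            if index not in active.saved:
                active.saved[index] = self.blocks[index]
        self.blocks[index] = data

    def shadow_copy(self, snap: int) -> list[bytes]:
        """Reconstruct the volume as it was at snapshot `snap`."""
        view = []
        for index in range(len(self.blocks)):
            # The first difference file (from `snap` onward) holding this block has its
            # content at snapshot time; if none does, the block is unchanged and live.
            for diff in self.diff_files[snap:]:
                if index in diff.saved:
                    view.append(diff.saved[index])
                    break
            else:
                view.append(self.blocks[index])
        return view

    def difference_file_sources(self, snap: int) -> dict[str, list[int]]:
        """Which difference files supply which blocks of the shadow copy at `snap`."""
        sources: dict[str, list[int]] = {d.label: [] for d in self.diff_files[snap:]}
        for index in range(len(self.blocks)):
            for diff in self.diff_files[snap:]:
                if index in diff.saved:
                    sources[diff.label].append(index)
                    break
        return {label: blocks for label, blocks in sources.items() if blocks}


def demo() -> dict:
    """The slide's scenario: snapshots at T1, T2, T3, difference files T2, T3, T4, volume seen at T5."""
    vol = Volume([bytes([i]) * 4 for i in range(10)])  # constructed: block i holds byte i
    t1_view = list(vol.blocks)
    s1 = vol.snapshot("T2")                 # changes since the first snapshot go to "T2"
    vol.write(2, b"BBBB")
    vol.write(5, b"BBBB")
    vol.write(2, b"CCCC")                   # second write: block 2 already saved, nothing added
    s2 = vol.snapshot("T3")                 # changes since the second snapshot go to "T3"
    vol.write(5, b"DDDD")
    vol.write(7, b"DDDD")
    vol.snapshot("T4")                      # changes since the third snapshot go to "T4"
    vol.write(3, b"EEEE")
    vol.write(9, b"EEEE")
    return {
        "t1_view": t1_view,
        "shadow_t1": vol.shadow_copy(s1),
        "sources_t1": vol.difference_file_sources(s1),
        "shadow_t2": vol.shadow_copy(s2),
        "live": list(vol.blocks),
    }


if __name__ == "__main__":
    result = demo()
    print("T1 shadow copy matches volume at T1:", result["shadow_t1"] == result["t1_view"])
    print("blocks supplied per difference file:", result["sources_t1"])
```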
Windows 7 Artifacts
Volume Shadow Copy
vssadmin list shadows /for=[volume]:
Shadow copies can be exposed through symbolic links.
mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
Volume Shadows can be mounted directly as network shares.
net share testshadow=\\.\HarddiskVolumeShadowCopy11\
>psexec \\[computername] vssadmin list shadows /for=C:
>psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\
PsExec v1.94 - Execute processes remotely
. . .
testshadow was shared successfully.
net exited on [computername] with error code 0.
>robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername]\testshadow D:\vssTest
Log File : D:\VSStestcopylog.txt
. . .
• Other ways to call shadow copies:
– \\localhost\C$\Users\troyla\Downloads (Yesterday, July 20, 2009, 12:00 AM)
– \\localhost\C$\@GMT-2009.07.17-08.45.26
• Mount all shadow copies as symbolic links:
for /f "tokens=4" %f in ('vssadmin list shadows ^| findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\
Windows 7 Artifacts
Volume Shadow Copy
C:UsersTroylaDesktopfau-1.3.0.2390afauFAU.x64>dd if=.HarddiskVolumeShadowCopy11
of=E:shadow11.dd –localwrt
The VistaFirewall Firewall is active with exceptions.
Copying .HarddiskVolumeShadowCopy11 to E:shadow11.dd
Output: E:shadow11.dd
136256155648 bytes
129943+1 records in
129943+1 records out
136256155648 bytes written
Succeeded!
C:UsersTroylaDesktopfau-1.3.0.2390afauFAU.x64>
Shadow copies can be imaged.
Windows 7 Artifacts
Volume Shadow Copy
Images of shadow copies can be opened in forensics tools and appear as logical volumes.
Data that has been deleted can be captured by shadow copies and be available for retrieval in shadow copy images.
Every shadow copy data set should approximate the size of the original volume.
Amount of case data = (number of shadow copies) x (size of the volume) + (size of the volume).
10 shadow copies = 692 GB
You want More?
Questions?

A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 

Windows 7 forensics -overview-r3

  • 1. Digital Forensics and Windows 7 Overview Troy Larson Principal Forensics Program Manager TWC Network Security Investigations NSINV-R3– Research|Readiness|Response
  • 2. Introduction and Encouragement Fvevol.sys File Systems NTFS, FAT32, EXFAT Mount, Partition & Managers Applications OS Artifacts Disk Highlights of new things of interest. – Changes between XP and Windows 7. – Climb the Stack of Forensics Knowledge.
  • 3. World vs. Microsoft Pre-Vista, huge Windows XP base; pre-Office 2007. X64, Windows 7, Windows 2008 R2, Office 2010, * 2010, Windows 8, WP 7
  • 4. From XP to Vista • Changed location of boot sector. • BitLocker, unlocking, imaging, preservation. • EXFAT. Transactional NTFS. • Event Logging. • New format-.evtx. • New system for collecting and displaying events. • New security event numbering. • New directory tree for account profiles. • Symbolic links. “Virtual” folders. • “Virtual” registries. • Volume Shadow Copies and difference files. • User Account Control. • Enforced Signed Drivers x64. • Hard links. WinSxS.* • Default settings-NTFS, change journal. • Recycle Bin, no info2, now $I.* & $R.* • Built in volume and disk wiping. • SuperFetch & prefetch files. • Profile based thumbcaches.* • Office file format changes .docx, .pptx, .xlsx. • New Office files—InfoPath, Groove, OneNote. • EFS encrypted pagefile. • x64 Windows. • Windows 2008 Hyper-V. • Built in Defender.
  • 5. From XP to Windows 7
  • 6. Windows 7 Highlights for Forensics • Changed volume header for BitLocker volumes. • Updated BitLocker, multiple volumes, Smartcard keys, not backwardly compatible. • BitLocker To Go. • Virtual Hard drives—Boot from, mount as “Disks.” • Virtual PC—integrated into the OS. • XP Mode. • Flash Media Enhancements. • Libraries, Sticky Notes, Jump Lists. • Service and Driver triggers. • Fewer Services on default startup. • I.E. 8, InPrivate Browsing, Tab and Session Recovery. • Changes in Volume Shadow Copy behavior. • New registry-like files. • WebDAV-Office cache. • More x64 clients. X64 Windows 2008 R2 (server). • Changes in Hyper-V. • Office 2010 file format changes—OneNote. • Thumbnail Cache. • Virtual Servers, thin clients. • Direct Access (IPSec). • Windows Search.
  • 7. Windows 7 Disk Identification Disk signature: bytes 0x1B8-0x1BB of the MBR. Registry: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
  • 8. Windows 7 Partitions and Volumes If you can’t find your volumes look for this
  • 9. Windows 7 Partitions and Volumes
  • 10. Windows 7 Partitions and Volumes
  • 11. Windows 7 Partitions and Volumes
  • 12. Windows 7 Partitions and Volumes--VHD
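The disk-identification and partition slides above (7 through 12) point at the raw bytes but show no parser. The following Python is an added example, not code from the deck or from Microsoft: it reads the 32-bit disk signature at offset 0x1B8 and the four primary partition entries at 0x1BE out of a sector-0 image, and builds the 12-byte value that HKLM\SYSTEM\MountedDevices stores for an MBR volume (signature plus byte offset), which is how a volume letter is tied back to a disk. The 512-byte MBR in `build_sample_mbr` is constructed for the example (a 100 MB System Reserved partition at LBA 2048 followed by a Windows volume, signature 0x3E8A2B1C); nothing in it comes from a real system. GPT disks (UEFI installs) carry only a protective 0xEE entry here and keep their identifiers in the GPT header, so this parser reports them as such rather than pretending to decode them.

```python
import struct

PARTITION_TYPES = {
    0x07: "NTFS/exFAT (IFS)",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x05: "Extended",
    0x0F: "Extended (LBA)",
    0xEE: "GPT protective",
}


def build_sample_mbr():
    """Constructed 512-byte MBR (not from a real disk): a 100 MiB 'System
    Reserved' NTFS partition at LBA 2048, the Windows 7 setup layout, followed
    by a ~60 GiB Windows volume. Boot code and CHS fields are left zero;
    Windows relies on the LBA fields."""
    mbr = bytearray(512)
    mbr[0x1B8:0x1BC] = struct.pack("<I", 0x3E8A2B1C)       # disk signature
    entries = [(0x80, 0x07, 2048, 204800),                  # System Reserved, active
               (0x00, 0x07, 206848, 125624320)]             # C:
    for i, (boot, ptype, start, sectors) in enumerate(entries):
        off = 0x1BE + 16 * i
        mbr[off:off + 16] = struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start, sectors)
    mbr[0x1FE:0x200] = b"\x55\xAA"                          # boot signature
    return bytes(mbr)


def parse_mbr(mbr, sector_size=512):
    """Return the disk signature (offset 0x1B8-0x1BB) and the non-empty primary
    partition entries (offset 0x1BE, 16 bytes each)."""
    if len(mbr) < 512 or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not an MBR (or a wiped disk)")
    (signature,) = struct.unpack_from("<I", mbr, 0x1B8)
    partitions = []
    for i in range(4):
        boot, _, ptype, _, start, sectors = struct.unpack_from("<B3sB3sII", mbr, 0x1BE + 16 * i)
        if ptype == 0 or sectors == 0:
            continue                                        # empty slot
        partitions.append({
            "entry": i,
            "active": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "start_lba": start,
            "sectors": sectors,
            "byte_offset": start * sector_size,
            "size_mib": sectors * sector_size // (1024 * 1024),
        })
    return {
        "disk_signature": signature,
        "disk_signature_hex": f"{signature:08X}",
        "partitions": partitions,
    }


def mounted_devices_value(disk_signature, byte_offset):
    """REG_BINARY data that HKLM\\SYSTEM\\MountedDevices holds for an MBR volume
    (e.g. \\DosDevices\\C:): 4-byte little-endian disk signature followed by the
    8-byte little-endian byte offset of the partition on the disk."""
    return struct.pack("<IQ", disk_signature, byte_offset)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("disk signature:", info["disk_signature_hex"])
    for p in info["partitions"]:
        print(p)
        print("  MountedDevices:", mounted_devices_value(info["disk_signature"], p["byte_offset"]).hex())
```

To run it against evidence, replace `build_sample_mbr()` with the first 512 bytes of a physical image; if the boot signature check fails on a disk that should have an OS on it, suspect a `diskpart clean` or a full wipe before suspecting the image.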
  • 13. Windows 7 Partitions and Volumes Full format will zero out the entire volume space and rebuild a clean file system.
  • 14. Windows 7 Partitions and Volumes diskpart clean all will zero the entire hard drive (a plain clean only removes the partition table and boot sector, leaving volume data recoverable).
  • 15. Windows 7 BitLocker During installation, Windows 7 creates a small (100 MB) unencrypted “System Reserved” volume so that BitLocker can be enabled later without repartitioning. In Vista, the System volume had to be created up front and was generally 1.5 GB or more.
  • 16. Windows 7 BitLocker • Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2. • Forensics tools may not recognize the new BitLocker volume header. • Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.
  • 17. Windows 7 BitLocker Review or Imaging [Diagram: Applications (user mode) above File System Driver, Fvevol.sys and Volume Manager (kernel mode)] FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption. • Once booted, Windows (and the user) sees no difference in experience. • The encryption / decryption happens below the file system.
  • 18. Windows 7 BitLocker Review or Imaging [Diagram repeated: Application / File System Driver / Fvevol.sys / Volume Manager, user mode vs. kernel mode]
  • 19. Windows 7 BitLocker Review or Imaging Forensic review or imaging begins with attaching the hard drive or USB drive to a Windows 7 or 2008 R2 system and unlocking it.
  • 20. Windows 7 BitLocker Review or Imaging Unlocking BitLocker with the GUI. Windows 7 will recognize an added BitLocker volume and prompt for the recovery key.
  • 21. Windows 7 BitLocker Review or Imaging The “More/Less information” button will provide the BitLocker volume recovery key identification.
  • 22. Windows 7 BitLocker Review or Imaging To unlock a BitLockered volume, first get the Recovery Password ID: manage-bde -protectors -get [volume]. The Recovery Password ID can be used to look up the Recovery Password in Active Directory (if the domain backs BitLocker recovery information up to AD DS).
  • 23. Windows 7 BitLocker Review or Imaging • BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4A-CD3075CB8335.txt: BitLocker Drive Encryption Recovery Key The recovery key is used to recover the data on a BitLocker protected drive. To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen. Recovery key identification: 783F5FF9-18D4-4C Full recovery key identification: 783F5FF9-18D4-4C64-AD4A-CD3075CB8335 BitLocker Recovery Key: 528748-036938-506726-199056-621005-314512-037290-524293
  • 24. Windows 7 BitLocker Review or Imaging Enter the recovery key exactly.
  • 25. Windows 7 BitLocker Review or Imaging Unlock the BitLocker volume: manage-bde -unlock [volume] -rp [recovery password] (-rp is the short form of -RecoveryPassword).
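Slides 21 through 25 describe the unlock procedure (match the key ID on the prompt against the .txt, then type the 48-digit recovery password exactly). A recovery password carries its own check: each 6-digit group is 11 times a 16-bit word, so any group that is not a multiple of 11, or that exceeds 65535 x 11, was mistyped or mis-transcribed. The following Python is an added example, not code from the deck or a Microsoft tool: it pulls the key ID and password out of a recovery-key text file, checks the prompt's short ID against the full one, validates the groups, and only then builds the `manage-bde -unlock` line from slide 25. `SAMPLE_KEY_FILE` is constructed in the layout of the file on slide 23 using that slide's illustrative values; packing the eight words little-endian into 16 bytes is this example's assumption about the raw recovery key and is not something the deck states, and that raw key is not the volume key (BitLocker stretches it further).

```python
import re

# Constructed sample in the layout of the recovery key .txt on slide 23
# (the identifier and digit groups are the slide's own illustration values).
SAMPLE_KEY_FILE = """BitLocker Drive Encryption Recovery Key
The recovery key is used to recover the data on a BitLocker protected drive.
Recovery key identification: 783F5FF9-18D4-4C
Full recovery key identification: 783F5FF9-18D4-4C64-AD4A-CD3075CB8335
BitLocker Recovery Key:
528748-036938-506726-199056-621005-314512-037290-524293
"""

GUID_RE = re.compile(r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", re.I)
PASSWORD_RE = re.compile(r"\b(?:\d{6}-){7}\d{6}\b")


def parse_recovery_key_file(text):
    """Return (full key ID, 48-digit password) from the recovery key text file."""
    guid = GUID_RE.search(text)
    password = PASSWORD_RE.search(text)
    if not guid or not password:
        raise ValueError("recovery key file is missing the key ID or the password")
    return guid.group(0).upper(), password.group(0)


def id_matches_prompt(full_id, prompt_id):
    """The unlock prompt (slide 21) shows only a prefix of the key ID; match on it."""
    return full_id.upper().startswith(prompt_id.strip().upper())


def recovery_password_words(password):
    """Validate the password and return its eight 16-bit words.
    Each group must be a multiple of 11 no larger than 65535 * 11. Because
    10^k mod 11 is +1 or -1, a single wrong or transposed digit inside a group
    always breaks the multiple-of-11 property, so typos are caught before the
    password is ever typed into manage-bde."""
    digits = re.sub(r"[\s-]", "", password)
    if len(digits) != 48 or not digits.isdigit():
        raise ValueError("recovery password must be 8 groups of 6 digits")
    words = []
    for i in range(8):
        group = digits[6 * i:6 * i + 6]
        value = int(group)
        if value % 11:
            raise ValueError(f"group {i + 1} ({group}) is not a multiple of 11: check for a typo")
        if value // 11 > 0xFFFF:
            raise ValueError(f"group {i + 1} ({group}) exceeds the 16-bit range")
        words.append(value // 11)
    return words


def recovery_key_bytes(password):
    """Pack the eight words into 16 bytes. Little-endian word order is this
    example's assumption; the result is the raw recovery key, not the volume key."""
    return b"".join(w.to_bytes(2, "little") for w in recovery_password_words(password))


def manage_bde_unlock(volume, password):
    """The slide 25 command line, produced only once the password validates."""
    recovery_password_words(password)
    return f"manage-bde -unlock {volume} -RecoveryPassword {password}"


if __name__ == "__main__":
    full_id, pw = parse_recovery_key_file(SAMPLE_KEY_FILE)
    print("prompt ID matches file:", id_matches_prompt(full_id, "783F5FF9-18D4-4C"))
    print("words:", recovery_password_words(pw))
    print(manage_bde_unlock("F:", pw))
```

The validation is worth running before a manual unlock on an evidence machine: a rejected password costs a retry at the console, and on a physical-disk image there is no second chance to notice a transcription error until the volume fails to open.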
  • 27. Windows 7 BitLocker Review or Imaging Viewed or imaged as part of a physical disk, BitLocker volumes appear encrypted.
  • 28. Windows 7 BitLocker Review or Imaging To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume.
  • 30. Windows 7 BitLocker Review or Imaging Image the logical volume to obtain an image of the unlocked volume.
  • 31. Windows 7 BitLocker To Go Review or Imaging
  • 32. Windows 7 BitLocker To Go Review or Imaging Selecting the “I forgot my password” will bring up a window to enter the recovery key.
  • 33. Windows 7 BitLocker To Go Review or Imaging
  • 34. Windows 7 BitLocker To Go Review or Imaging
  • 35. Windows 7 BitLocker To Go Review or Imaging
  • 36. Windows 7 BitLocker To Go Review or Imaging
  • 37. Windows 7 BitLocker To Go Review or Imaging The BitLocker To Go device is unlocked and ready for review or imaging.
  • 38. Windows 7 File Systems • NTFS – Symbolic links to files, folders, and UNC paths. – Hard links are extensively used. – Disabled by default: Update Last Access Date. – Enabled by default: The NTFS Change Journal. • Transactional NTFS (TxF)—Installations, patches, and as-needed driver installations (IR?).
  • 39. Windows 7 File Systems • TxF works on top of NTFS— • Allows a related series of file system changes to be treated and logged as a “transaction.” • NTFS can then commit if the changes are completed successfully, or abort and roll back if they are not. “Transactional NTFS (TxF) allows file operations on an NTFS file system volume to be performed in a transaction. TxF transactions increase application reliability by protecting data integrity across failures and simplify application development by greatly reducing the amount of error handling code.” http://msdn.microsoft.com/en-us/library/bb968806(VS.85).aspx
  • 40. Windows 7 File Systems The $Tops:$T stream is XML and can be read in an XML reader, such as Microsoft XML Notepad.
  • 41. Windows 7 File Systems NTFS: Symbolic links.
  • 42. Windows 7 File Systems NTFS: Hard Links.
  • 43. Windows 7 File Systems NTFS: Hard Links.
  • 44. Windows 7 File Systems NTFS: Much of the heavy lifting is done by named data streams.
  • 45. Windows 7 File Systems More of this: NTFS: Much of the heavy lifting is done by named data streams.
  • 46. Windows 7 File Systems NTFS: $UsnJrnl:$J (the change journal records, kept in the $J named data stream of \$Extend\$UsnJrnl).
  • 47. Windows 7 Artifacts—Recycle.Bin • [Volume]:\$Recycle.Bin. • $Recycle.Bin is visible in Explorer once hidden files and protected operating system files are shown. • Per user store in a subfolder named with the account SID. • When a file is moved to the Recycle Bin, it becomes two files. • $I and $R files, sharing the same random suffix and extension. • $I file—original name and path, original size, and the deleted date. • $R file—original file data stream and other attributes.
  • 48. Windows 7 Artifacts—Recycle.Bin Note the deleted date (in blue).
  • 50. Windows 7 Artifacts—Recycle.Bin The Recycle.Bin works similarly on FAT file systems, here EXFAT:
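Slides 47 through 50 describe the $I record but not its layout. The following Python is an added example, not code from the deck: it parses the Windows 7 (version 1) $I record, which is a fixed 544 bytes (8-byte version, 8-byte original size, 8-byte FILETIME deletion time, 260-character UTF-16LE original path padded with NULs), converts the FILETIME to a UTC timestamp, and names the matching $R file. As a generalisation beyond the deck it also handles the version 2 layout that Windows 10 introduced (a 4-byte character count before a NUL-terminated path). `build_i_file` constructs test records; no record, path or timestamp here comes from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed deletion time used by the demo below (not from a real $I file).
SAMPLE_DELETED = datetime(2009, 7, 20, 14, 30, 5, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_i_file(version, original_size, deleted, original_path):
    """Constructed $I record for testing.
    Version 1 (Vista/7/8): header 1, size, FILETIME, 520-byte NUL-padded UTF-16LE path.
    Version 2 (Windows 10): header 2, size, FILETIME, 4-byte char count, NUL-terminated path."""
    ft = datetime_to_filetime(deleted)
    encoded = original_path.encode("utf-16-le")
    if version == 1:
        if len(encoded) > 520:
            raise ValueError("version 1 path is limited to 260 characters")
        return struct.pack("<QQQ", 1, original_size, ft) + encoded.ljust(520, b"\0")
    if version == 2:
        return struct.pack("<QQQI", 2, original_size, ft, len(original_path) + 1) + encoded + b"\0\0"
    raise ValueError("unsupported $I version")


def parse_i_file(data):
    """Return the original size, deletion time and original path of a $I record."""
    if len(data) < 24:
        raise ValueError("$I record too short")
    version, original_size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("version 1 $I record is truncated")
        original_path = raw.decode("utf-16-le").split("\0", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        original_path = raw.decode("utf-16-le").split("\0", 1)[0]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": original_size,
        "deleted": filetime_to_datetime(ft),
        "original_path": original_path,
    }


def companion_r_name(i_name):
    """$I and $R share the random suffix: $IA1B2C3.txt pairs with $RA1B2C3.txt."""
    base = i_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not base.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + base[2:]


if __name__ == "__main__":
    record = build_i_file(1, 12345, SAMPLE_DELETED, r"C:\Users\troyla\Documents\notes.txt")
    print(parse_i_file(record))
    print(companion_r_name(r"C:\$Recycle.Bin\S-1-5-21-1-2-3-1000\$IA1B2C3.txt"))
```

On a live system or mounted image the same parser is fed the contents of each `$I*` file under `\$Recycle.Bin\<SID>\`; note that the deletion time in the record is what the user's clock said, so compare it with the $I file's own NTFS creation time when clock tampering is in question.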
  • 51. Windows 7 Artifacts Folder Virtualization
  • 52. Windows 7 Artifacts Folder Virtualization – Part of User Account Control: a standard user cannot write to certain protected folders. • C:\Windows • C:\Program Files • C:\ProgramData – To allow legacy applications running as a standard user to keep working, writes to protected folders are “virtualized” and redirected to C:\Users\[user]\AppData\Local\VirtualStore
  • 53. Windows 7 Artifacts Registry Virtualization HKEY_CURRENT_USER\Software\Classes
  • 54. Windows 7 Artifacts Registry Virtualization • Virtualized: HKEY_LOCAL_MACHINE\SOFTWARE • Non-administrator writes are redirected to: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE • Keys excluded from virtualization – HKEY_LOCAL_MACHINE\Software\Classes – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
  • 55. Windows 7 Artifacts Registry Virtualization • Location of the registry hive file for the VirtualStore – Is NOT the user’s NTUSER.DAT – It is stored in the user’s UsrClass.dat: Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat • Investigation of Vista through 2008 R2 requires the investigator to examine at least two account-specific registry hive files for each user account. – NTUSER.DAT – UsrClass.dat
  • 56. Windows 7 Artifacts Transactional Registry • Related to TxF—also built on the Kernel Transaction Manager – http://msdn.microsoft.com/en-us/library/cc303705.aspx • TxR allows applications to perform registry operations in a transactional manner. – Typical scenario: software installation. – Files copied to file system and information to the registry as a single operation. – In the event of failure, registry modification rolled back or discarded.
  • 57. Windows 7 Artifacts Transactional Registry The TxR files are stored in the TxR subfolder of Windows\System32\config, alongside the system registry hives.
  • 64. Windows 7 Artifacts Sticky Notes Sticky notes are also files in the Structured Storage (OLE compound document) format: Users\[user]\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt.
  • 66. Windows 7 Artifacts Chkdsk Logs System Volume Information\Chkdsk
  • 67. Windows 7 Artifacts Superfetch (prefetch files in C:\Windows\Prefetch) • The existence of a prefetch file indicates that the application named by the prefetch file was run. • The creation date of a prefetch file can indicate when the named application was first run. • The modification date of a prefetch file can indicate when the named application was last run, since the file is rewritten after each launch.
  • 70. Windows 7 Artifacts Superfetch—Much More Look what gets loaded on boot.
  • 71. Windows 7 Artifacts Search Index C:\ProgramData\Microsoft\Search\Data\Applications\Windows • Windows Search index file = Windows.edb, an ESE database. • The MSS*.log files are the database’s transaction logs.
  • 72. Windows 7 Artifacts Search Index http://www.woany.co.uk/esedbviewer/
  • 74. Windows 7 Artifacts Search Index >C:\Windows\system32\esentutl.exe /r MSS /d. Run from the folder containing Windows.edb and its log files (/r replays the MSS log set to bring the database to a clean state; /d. points the database path at the current folder). Work on a copy of the folder, never on the original evidence.
  • 75. Windows 7 Artifacts Search Index • Generic will bring up all tables. • Desktop Search will bring up a select view. • AV can interfere with esentutl.exe and EseDbViewer.
  • 77. Windows 7 Artifacts Search Index SystemIndex_0A • Over 380 fields.
  • 78. Windows 7 Artifacts Search Index Match a ThumbnailCacheID from a Thumbnail Cache file to a ThumbnailCacheID in the Windows Search index to link a thumbnail to a file.
  • 79. Windows 7 Artifacts Volume Shadow Copy • Volume shadow copies are bit level differential backups of a volume. – 16 KB blocks. – Copy on write. – Volume Shadow copy files are “difference” files. • The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2.
  • 80. Windows 7 Artifacts Volume Shadow Copy • Shadow copies are the source data for Restore Points and the Restore Previous Versions features. • Used in backup operations. • Shadow copies provide a “snapshot” of a volume at a particular time. • Shadow copies can show how files have been altered. • Shadow copies can retain data that has later been deleted, wiped, or encrypted.
  • 81. Windows 7 Artifacts Volume Shadow Copy Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.
  • 82. Windows 7 Artifacts Volume Shadow Copy The Volume Shadow Copy difference files are maintained in “System Volume Information” along with other VSS data files, including a new registry hive.
  • 83. Windows 7 Artifacts Volume Shadow Copy [Diagram: block map of the volume at the start of the VSS snapshot (T1), the difference file, the shadow copy of the volume at T1, and the volume at the end of the snapshot (T2, T3)] • Copy on Write: before a block is written to, it is saved to the difference file. • When a Shadow Copy is read, the “volume” consists of the live, unchanged blocks plus the saved blocks from the difference file.
  • 84. Volume Shadow Copy A shadow copy includes portions of more than one difference file when those difference files contain original blocks from the time of that shadow copy’s creation or snapshot. • Here, there are three snapshots of the volume over time, and each has a corresponding difference file. • Difference file T2 includes changes since the first snapshot. • Difference file T3, changes since the second snapshot. • Difference file T4, changes since the third snapshot. • All difference files contain one or more of the original blocks from the volume at T1. • After the third snapshot, the shadow copy of the volume as it was at T1 would include data from each of the difference files in this example, as each contains one or more blocks of the volume as it was at T1. [Diagram: block maps of the volume at T1, the difference files T2 through T4, and the shadow copy of the volume at T1 assembled from them (T5)]
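Slides 83 and 84 explain copy-on-write and why one shadow copy can depend on several later difference files. The following Python is an added example, not code from the deck or from Microsoft's VSS implementation: a toy volume of eight blocks (each list element standing in for one 16 KB block) with snapshots, copy-on-write, reconstruction of any snapshot's view by walking the difference files from that snapshot forward, and a `delete_snapshot` that mirrors what `vssadmin delete shadows` must do to keep older snapshots readable. All block contents and the write pattern in `demo` are constructed; the one design rule it encodes is the slides': a block's old contents go into the newest difference file the first time the block is overwritten after that snapshot.

```python
class CowVolume:
    """Toy model of the VSS copy-on-write scheme on slides 83-84."""

    def __init__(self, blocks):
        self.live = list(blocks)
        self.diffs = []            # diffs[i]: {block index: contents at snapshot i}

    def snapshot(self):
        """Take a snapshot and return its index. Nothing is copied yet."""
        self.diffs.append({})
        return len(self.diffs) - 1

    def write(self, idx, data):
        """Copy on write: save the old block into the newest difference file
        (only the first time after that snapshot), then overwrite the live block."""
        if self.diffs and idx not in self.diffs[-1]:
            self.diffs[-1][idx] = self.live[idx]
        self.live[idx] = data

    def read_snapshot(self, snap, idx):
        """Block idx as it was at snapshot snap: the first difference file from
        snap onwards that holds the block has its contents at that time; if none
        does, the block was never overwritten and the live copy is the answer."""
        for diff in self.diffs[snap:]:
            if idx in diff:
                return diff[idx]
        return self.live[idx]

    def view(self, snap):
        """The whole volume as the shadow copy presents it."""
        return [self.read_snapshot(snap, i) for i in range(len(self.live))]

    def diff_sizes(self):
        return [len(d) for d in self.diffs]

    def delete_snapshot(self, snap):
        """Analogue of deleting a shadow copy: blocks that an older snapshot still
        needs are folded into the next older difference file; any block only that
        snapshot needed is gone for good."""
        removed = self.diffs.pop(snap)
        if snap > 0:
            for idx, data in removed.items():
                self.diffs[snap - 1].setdefault(idx, data)


def demo():
    """Three snapshots with overlapping writes, then deletion of the middle one."""
    vol = CowVolume([f"orig{i}" for i in range(8)])
    t1 = vol.snapshot()
    for i in (2, 3, 5, 7):
        vol.write(i, f"t1-{i}")
    t2 = vol.snapshot()
    for i in (1, 3):
        vol.write(i, f"t2-{i}")
    t3 = vol.snapshot()
    for i in (4, 5, 6):
        vol.write(i, f"t3-{i}")
    result = {
        "sizes": vol.diff_sizes(),
        "t1": vol.view(t1),
        "t2": vol.view(t2),
        "t3": vol.view(t3),
        "live": list(vol.live),
    }
    vol.delete_snapshot(t2)
    result["t1_after_delete"] = vol.view(t1)
    result["sizes_after_delete"] = vol.diff_sizes()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In `demo`, the T1 view of block 4 comes from the third difference file and block 1 from the second, exactly the cross-file dependency slide 84 draws; deleting the middle snapshot shrinks nothing the T1 view needs, which is why the oldest shadow copy on a system is often still complete after later ones have been purged.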
  • 87. Windows 7 Artifacts Volume Shadow Copy vssadmin list shadows /for=[volume]:
  • 89. Windows 7 Artifacts Volume Shadow Copy Shadow copies can be exposed through symbolic links (the trailing backslash on the target is required): mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
  • 90. Windows 7 Artifacts Volume Shadow Copy Volume shadows can be mounted directly as network shares: net share testshadow=\\.\HarddiskVolumeShadowCopy11\
  • 91. Windows 7 Artifacts Volume Shadow Copy >psexec \\[computername] vssadmin list shadows /for=C: >psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\ PsExec v1.94 - Execute processes remotely . . . testshadow was shared successfully. net exited on [computername] with error code 0. >robocopy /S /R:1 /W:1 /LOG:D:\VSS\testcopylog.txt \\[computername]\testshadow D:\vssTest Log File : D:\VSS\testcopylog.txt . . .
  • 92. Windows 7 Artifacts Volume Shadow Copy • Other ways to call shadow copies: – \\localhost\C$\Users\troyla\Downloads (Previous Versions entry: Yesterday, July 20, 2009, 12:00 AM) – \\localhost\C$\@GMT-2009.07.17-08.45.26 • Mount all shadow copies as symbolic links: for /f "tokens=4" %f in ('vssadmin list shadows ^| findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\
  • 93. Windows 7 Artifacts Volume Shadow Copy Shadow copies can be imaged: C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>dd if=\\.\HarddiskVolumeShadowCopy11 of=E:\shadow11.dd --localwrt The VistaFirewall Firewall is active with exceptions. Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd Output: E:\shadow11.dd 136256155648 bytes 129943+1 records in 129943+1 records out 136256155648 bytes written Succeeded! C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>
  • 94. Windows 7 Artifacts Volume Shadow Copy Images of shadow copies can be opened in forensics tools and appear as logical volumes.
  • 95. Windows 7 Artifacts Volume Shadow Copy Data that has been deleted can be captured by shadow copies and available for retrieval in shadow copy images.
  • 96. Windows 7 Artifacts Volume Shadow Copy Each imaged shadow copy is a full logical image, roughly the size of the original volume, even though the difference file behind it is small. Amount of case data = (number of shadow copies) x (size of the volume) + (size of the volume). 10 shadow copies = 692 GB.