1. Digital Forensics and Windows 7
Overview
Troy Larson
Principal Forensics Program Manager
TWC Network Security Investigations
NSINV-R3 – Research | Readiness | Response
2. Introduction and Encouragement
Stack of forensics knowledge (diagram, top to bottom):
• Applications
• OS Artifacts
• File Systems: NTFS, FAT32, exFAT
• Fvevol.sys
• Mount, Partition & Managers
• Disk
Highlights of new things of interest.
– Changes between XP and Windows 7.
– Climb the Stack of Forensics Knowledge.
3. World vs. Microsoft
World: Pre-Vista, huge Windows XP base; pre-Office 2007.
Microsoft: x64, Windows 7, Windows 2008 R2, Office 2010, * 2010, Windows 8, WP 7.
4. From XP to Vista
• Changed location of boot sector.
• BitLocker, unlocking, imaging, preservation.
• exFAT. Transactional NTFS.
• Event Logging.
• New format: .evtx.
• New system for collecting and displaying events.
• New security event numbering.
• New directory tree for account profiles.
• Symbolic links. “Virtual” folders.
• “Virtual” registries.
• Volume Shadow Copies and difference files.
• User Account Control.
• Enforced signed drivers on x64.
• Hard links. WinSxS.*
• Default settings: NTFS, change journal.
• Recycle Bin: no INFO2, now $I.* & $R.*
• Built-in volume and disk wiping.
• SuperFetch & prefetch files.
• Profile-based thumbcaches.*
• Office file format changes: .docx, .pptx, .xlsx.
• New Office files—InfoPath, Groove, OneNote.
• EFS-encrypted pagefile.
• x64 Windows.
• Windows 2008 Hyper-V.
• Built-in Defender.
6. Windows 7 Highlights for Forensics
• Changed volume header for BitLocker volumes.
• Updated BitLocker: multiple volumes, smartcard keys, not backwardly compatible.
• BitLocker To Go.
• Virtual hard drives—boot from, mount as “disks.”
• Virtual PC—integrated into the OS.
• XP Mode.
• Flash media enhancements.
• Libraries, Sticky Notes, Jump Lists.
• Service and driver triggers.
• Fewer services on default startup.
• IE 8, InPrivate Browsing, tab and session recovery.
• Changes in Volume Shadow Copy behavior.
• New registry-like files.
• WebDAV Office cache.
• More x64 clients. x64 Windows 2008 R2 (server).
• Changes in Hyper-V.
• Office 2010 file format changes—OneNote.
• Thumbnail Cache.
• Virtual servers, thin clients.
• DirectAccess (IPsec).
• Windows Search.
7. Windows 7 Disk Identification
Disk signature: MBR offset 0x1B8–0x1BB.
Registry: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
13. Windows 7 Partitions and Volumes
Full format will zero out the entire volume space and rebuild a clean file system.
14. Windows 7 Partitions and Volumes
Diskpart clean /all will wipe the entire hard drive.
15. Windows 7 BitLocker
During installation, Windows 7 creates a “System Reserved” volume—enabling setup of BitLocker.
In Vista, the System volume was generally 1.5 GB or more.
16. Windows 7 BitLocker
• Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2.
• Forensics tools may not recognize the new BitLocker volume header.
• Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.
17. Windows 7 BitLocker Review or Imaging
Driver stack (diagram, top to bottom): Applications (user mode); File System Driver, Fvevol.sys, Volume Manager (kernel mode).
FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption.
• Once booted, Windows (and the user) sees no difference in experience.
• The encryption / decryption happens below the file system.
18. Windows 7 BitLocker Review or Imaging
(Same driver stack diagram: Application (user mode); File System Driver, Fvevol.sys, Volume Manager (kernel mode).)
19. Windows 7 BitLocker Review or Imaging
Forensic review or imaging begins with attaching the hard drive or USB drive to a Windows 7 or 2008 R2 system and unlocking it.
20. Windows 7 BitLocker Review or Imaging
Unlocking BitLocker with the GUI.
Windows 7 will recognize an added BitLocker volume and prompt for the recovery key.
21. Windows 7 BitLocker Review or Imaging
The “More/Less information” button will provide the BitLocker volume recovery key identification.
22. Windows 7 BitLocker Review or Imaging
To unlock a BitLockered volume, first get the Recovery Password ID: manage-bde -protectors -get [volume].
The Recovery Password ID can be used to recover the Recovery Password from the AD.
23. Windows 7 BitLocker Review or Imaging
• BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4A-CD3075CB8335.txt:
BitLocker Drive Encryption Recovery Key
The recovery key is used to recover the data on a BitLocker protected drive.
To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen.
Recovery key identification: 783F5FF9-18D4-4C
Full recovery key identification: 783F5FF9-18D4-4C64-AD4A-CD3075CB8335
BitLocker Recovery Key:
528748-036938-506726-199056-621005-314512-037290-524293
37. Windows 7 BitLocker To Go Review or Imaging
The BitLocker To Go device is unlocked and ready for review or imaging.
38. Windows 7 File Systems
• NTFS
– Symbolic links to files, folders, and UNC paths.
– Hard links are extensively used.
– Disabled by default: Update Last Access Date.
– Enabled by default: The NTFS Change Journal.
• Transactional NTFS (TxF)—installations, patches, and as-needed driver installations (IR?).
39. Windows 7 File Systems
• TxF works on top of NTFS—
• Allows a related series of file system changes to be treated and logged as a “transaction.”
• NTFS can then commit if the changes are completed successfully, or abort and roll back if they are not.
“Transactional NTFS (TxF) allows file operations on an NTFS file system volume to be performed in a transaction. TxF transactions increase application reliability by protecting data integrity across failures and simplify application development by greatly reducing the amount of error handling code.”
http://msdn.microsoft.com/en-us/library/bb968806(VS.85).aspx
40. Windows 7 File Systems
The $Tops:$T stream is in XML and can be read in an XML reader, such as the Microsoft XML Notepad.
47. Windows 7 Artifacts—Recycle.Bin
• [Volume]:\$Recycle.Bin.
• $Recycle.Bin is visible in Explorer (view hidden files).
• Per-user store in a subfolder named with the account SID.
• When a file is moved to the Recycle Bin, it becomes two files: the $I and $R files.
• $I file—original name and path, as well as the deleted date.
• $R file—original file data stream and other attributes.
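As an added example (not from the deck), a parser for the fixed-layout Vista/Windows 7 $I record described above: an 8-byte version (1), the original size, the deletion date as a FILETIME, then 520 bytes of UTF-16 original path. The sample record, the file name and the user path are constructed here, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
I_RECORD_SIZE = 8 + 8 + 8 + 520  # Vista/Win7 $I records have a fixed layout

def filetime_to_datetime(ticks):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, in integers to avoid float rounding."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_i_file(data):
    """Parse one $I record: version, original size, deletion FILETIME, original path."""
    if len(data) < I_RECORD_SIZE:
        raise ValueError("truncated $I record: %d bytes" % len(data))
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError("unexpected $I version %d (Vista/Win7 write 1)" % version)
    raw_path = data[0x18:0x18 + 520]  # 260 UTF-16LE code units, NUL padded
    original_path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": original_size,
            "deleted": filetime_to_datetime(deleted_ft), "original_path": original_path}

def r_file_name(i_file_name):
    """The matching $R file (original data stream) shares the $I file's suffix."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name: %s" % i_file_name)
    return "$R" + i_file_name[2:]

def build_i_file(original_size, deleted, original_path):
    """Constructed sample record (not a real artifact) used to exercise the parser."""
    path_bytes = original_path.encode("utf-16-le")
    if len(path_bytes) > 518:  # leave room for the terminating NUL
        raise ValueError("path exceeds MAX_PATH")
    header = struct.pack("<QQQ", 1, original_size, datetime_to_filetime(deleted))
    return header + path_bytes.ljust(520, b"\x00")

# Constructed sample: a spreadsheet deleted from a user's Documents folder.
SAMPLE_I = build_i_file(48_128, datetime(2009, 7, 20, 15, 42, 17, tzinfo=timezone.utc),
                        r"C:\Users\troyla\Documents\budget.xlsx")

if __name__ == "__main__":
    rec = parse_i_file(SAMPLE_I)
    print(rec["original_path"], rec["original_size"], rec["deleted"].isoformat())
    print("data stream is in", r_file_name("$IQ7X2K9.xlsx"))
```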
52. Windows 7 Artifacts
Folder Virtualization
– Part of User Account Control—a standard user cannot write to certain protected folders.
• C:\Windows
• C:\Program Files
• C:\ProgramData
– To allow the standard user to function, any writes to protected folders are “virtualized” and written to
C:\Users\[user]\AppData\Local\VirtualStore
54. Windows 7 Artifacts
Registry Virtualization
• Virtualized: HKEY_LOCAL_MACHINE\SOFTWARE
• Non-administrator writes are redirected to:
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE
• Keys excluded from virtualization
– HKEY_LOCAL_MACHINE\Software\Classes
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
55. Windows 7 Artifacts
Registry Virtualization
• Location of the registry hive file for the VirtualStore
– Is NOT the user’s NTUSER.DAT
– It is stored in the user’s UsrClass.dat:
Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat
• Investigation of Vista through 2008 R2 requires the investigator to examine at least two account-specific registry hive files for each user account.
– NTUSER.DAT
– UsrClass.dat
56. Windows 7 Artifacts
Transactional Registry
• Related to TxF—also built on the Kernel Transaction Manager
– http://msdn.microsoft.com/en-us/library/cc303705.aspx
• TxR allows applications to perform registry operations in a transactional manner.
– Typical scenario: software installation.
– Files copied to the file system and information to the registry as a single operation.
– In the event of failure, registry modifications are rolled back or discarded.
57. Windows 7 Artifacts
Transactional Registry
The TxR files are stored in the TxR subfolder in Windows\System32\config with the system registry hives.
67. Windows 7 Artifacts
Superfetch
• The existence of a prefetch file indicates that the application named by the prefetch file was run.
• The creation date of a prefetch file can indicate when the named application was first run.
• The modification date of a prefetch file can indicate when the named application was last run.
71. Windows 7 Artifacts
Search Index
C:\ProgramData\Microsoft\Search\Data\Applications\Windows
• Windows Search index file = Windows.edb, an ESE database.
• MSS*.log files are the database log files.
74. Windows 7 Artifacts
Search Index
>C:\Windows\system32\esentutl.exe /r MSS /d.
Run from the folder containing the Windows.edb and its log files.
75. Windows 7 Artifacts
Search Index
• Generic will bring up all tables.
• Desktop Search will bring up a select view.
• AV can interfere with esentutl.exe and eseDbViewer.
78. Windows 7 Artifacts
Search Index
Match a ThumbnailCacheID from a Thumbnail Cache file to a ThumbnailCacheID in the Windows Search index to link a thumbnail to a file.
79. Windows 7 Artifacts
Volume Shadow Copy
• Volume shadow copies are bit-level differential backups of a volume.
– 16 KB blocks.
– Copy on write.
– Volume Shadow Copy files are “difference” files.
• The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2.
80. Windows 7 Artifacts
Volume Shadow Copy
• Shadow copies are the source data for Restore Points and the Restore Previous Versions features.
• Used in backup operations.
• Shadow copies provide a “snapshot” of a volume at a particular time.
• Shadow copies can show how files have been altered.
• Shadow copies can retain data that has later been deleted, wiped, or encrypted.
81. Windows 7 Artifacts
Volume Shadow Copy
Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.
82. Windows 7 Artifacts
Volume Shadow Copy
The Volume Shadow Copy difference files are maintained in “System Volume Information” along with other VSS data files, including a new registry hive.
83. Windows 7 Artifacts
Volume Shadow Copy
• Copy on Write: Before a block is written to, it is saved to the difference file.
• When a Shadow Copy is read, the “volume” consists of the live, unchanged blocks, and the saved blocks from the difference file.
(Diagram: Volume at start of VSS snapshot; Difference File holding blocks 2, 3, 5, 7; Volume at end of VSS snapshot; Shadow copy of Volume at T1; time labels T1, T2, T3.)
84. Volume Shadow Copy
A shadow copy includes portions of more than one difference file when those difference files contain original blocks from the time of that shadow copy’s creation or snapshot.
• Here, there are three snapshots of the volume over time, and each has a corresponding difference file.
• Difference file T2 includes changes since the first snapshot.
• Difference file T3, changes since the second snapshot.
• Difference file T4, changes since the third snapshot.
• All difference files contain one or more of the original blocks from the volume at T1.
• After the third snapshot, the shadow copy of the volume as it was on T1 would include data from each of the difference files in this example, as each contains one or more blocks of the volume as it was at T1.
(Diagram: Volume at T1; Difference Files T2, T3, T4 holding blocks 2 3 5 7, 3 4 5 6 and 1 3 7 9; Shadow copy of Volume at T1; time labels T1 through T5.)
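As an added example (not from the deck), a small simulation of the copy-on-write and reconstruction rules on slides 83 and 84, using the block numbers drawn in the diagram (2 3 5 7, 3 4 5 6, 1 3 7 9; the order of the last two write sets is an assumption). It shows why the T1 shadow copy ends up depending on every later difference file while the newest copy needs only one.

```python
class Volume:
    """Toy block device with VSS-style copy-on-write shadow copies (added example)."""

    def __init__(self, blocks):
        self.live = list(blocks)   # current on-disk block contents
        self.diff_files = []       # one {block_index: saved_contents} per snapshot

    def snapshot(self):
        """Take a shadow copy: a fresh difference file starts collecting pre-write blocks."""
        self.diff_files.append({})
        return len(self.diff_files) - 1   # shadow copy id

    def write(self, index, contents):
        """Copy on write: the old contents go to the newest difference file, once per block."""
        if self.diff_files and index not in self.diff_files[-1]:
            self.diff_files[-1][index] = self.live[index]
        self.live[index] = contents

    def reconstruct(self, shadow_id):
        """Volume as of `shadow_id`: walk difference files forward from that snapshot; the
        earliest save after it is the block as it was then. Returns (blocks, {block: file_no})."""
        view, sources = list(self.live), {}
        for diff_no in range(shadow_id, len(self.diff_files)):
            for index, saved in self.diff_files[diff_no].items():
                if index not in sources:
                    view[index] = saved
                    sources[index] = diff_no
        return view, sources

    def diff_files_used(self, shadow_id):
        """Difference files a reader needs to present this shadow copy."""
        return set(self.reconstruct(shadow_id)[1].values())


def run_slide_example():
    """Replay the deck's diagram: three snapshots with the drawn block writes in between.
    Ordering the second and third write sets is an assumption (the slide has no order)."""
    vol = Volume(["orig%d" % i for i in range(10)])
    expected, shadows = [], []
    for n, written in enumerate(((2, 3, 5, 7), (3, 4, 5, 6), (1, 3, 7, 9)), start=1):
        expected.append(list(vol.live))   # what this shadow copy must show later
        shadows.append(vol.snapshot())
        for b in written:
            vol.write(b, "new%d_after_T%d" % (b, n))
    return vol, shadows, expected

if __name__ == "__main__":
    vol, shadows, expected = run_slide_example()
    for sid in shadows:   # the T1 copy needs all three files, as the slide says
        print("shadow", sid, "needs difference files", sorted(vol.diff_files_used(sid)))
```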
89. Windows 7 Artifacts
Volume Shadow Copy
Shadow copies can be exposed through symbolic links.
mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
90. Windows 7 Artifacts
Volume Shadow Copy
Volume shadows can be mounted directly as network shares.
net share testshadow=\\.\HarddiskVolumeShadowCopy11\
91. Windows 7 Artifacts
Volume Shadow Copy
>psexec \\[computername] vssadmin list shadows /for=C:
>psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\
PsExec v1.94 - Execute processes remotely
. . .
testshadow was shared successfully.
net exited on [computername] with error code 0.
>robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername]\testshadow D:\vssTest
Log File : D:\VSStestcopylog.txt
. . .
92. Windows 7 Artifacts
Volume Shadow Copy
• Other ways to call shadow copies:
– \\localhost\C$\Users\troyla\Downloads (Yesterday, July 20, 2009, 12:00 AM)
– \\localhost\C$\@GMT-2009.07.17-08.45.26
• Mount all shadow copies as symbolic links:
for /f "tokens=4" %f in ('vssadmin list shadows ^| findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\
93. Windows 7 Artifacts
Volume Shadow Copy
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>dd if=\\.\HarddiskVolumeShadowCopy11 of=E:\shadow11.dd --localwrt
The VistaFirewall Firewall is active with exceptions.
Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd
Output: E:\shadow11.dd
136256155648 bytes
129943+1 records in
129943+1 records out
136256155648 bytes written
Succeeded!
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>
Shadow copies can be imaged.
94. Windows 7 Artifacts
Volume Shadow Copy
Images of shadow copies can be opened in forensics tools and appear as logical volumes.
95. Windows 7 Artifacts
Volume Shadow Copy
Data that has been deleted can be captured by shadow copies and be available for retrieval in shadow copy images.
96. Windows 7 Artifacts
Volume Shadow Copy
Every shadow copy data set should approximate the size of the original volume.
Amount of case data = (number of shadow copies) × (size of the volume) + (size of the volume).
Example: 10 shadow copies = 692 GB.