Windows Forensics Guide

Windows Forensics instructor Dan Finnegan teaches students to understand Windows file systems, account controls, Active Directory, and boot processes. Students learn to acquire evidence from Windows systems using boot disks that avoid modifying evidence. They also learn to recover deleted files using tools that examine file system structures and unallocated space. File recovery methods include file carving, which examines unallocated space and other objects for file headers and footers.

Uploaded by kalymistirl
© Attribution Non-Commercial (BY-NC)

Windows Forensics

Instructor: LT Dan Finnegan Spring 2010

Main Objectives
- Understand Windows file systems
- Comprehend the Windows account controls
- Understand Active Directory
- Become familiar with Microsoft boot tasks
- Understand MS-DOS startup tasks

10.1 Windows Evidence Acquisition Boot Disk

Avoid data contamination or modification: when examining or previewing a system, bypass the computer's own operating system so that nothing on the evidence drive is altered.

Creating a Windows Evidence Acquisition Boot Disk:
- Modify [Link] and [Link] so that the boot disk does not access system components on the evidence drive
- Delete the [Link] file
- Alternatively, boot the system from a Linux floppy or CD-ROM

Write Protecting a Hard Disk

You need to control or block the INT 13h BIOS functions that perform disk access (read, write, format). This can be done in software or with a hardware write blocker.

10.1 Windows Evidence Acquisition Boot Disk (Cont.)

- If you use an Ethernet card or a large Zip drive to transfer data to a collection disk, make sure the drivers are stored on the boot disk.
- Use FAT32 on collection disks so that large data files can be saved.
- Always virus check the boot disk to avoid damaging the computer!

10.2 File Systems

The simplest Windows file systems are the FAT family:
- FAT12 uses 12-bit fields for each entry in the FAT (mainly used for floppies).
- FAT16 uses 16-bit fields.
- FAT32 uses 32-bit fields of which 28 bits hold the cluster number (the top 4 bits are reserved).
- FAT systems record only the last accessed date, not the last accessed time.
- The FAT can be thought of as a list with one entry for each cluster in the volume; each entry holds the number of the next cluster in the file (or an end-of-chain marker). An entry containing zero means the cluster is free for allocation.

10.2 File Systems (Cont.)


Opening a file in a subdirectory:
The OS reads the root directory to find which cluster holds the subdirectory, reads the directory entries in that cluster to find the file's starting cluster, and then follows the chain of FAT entries from that cluster to the end-of-chain marker.
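The following is an added example, not code from the slides, that makes the FAT description above concrete: it reads 12-, 16- and 28-bit FAT entries, follows a cluster chain the way the OS does when opening a file, and shows the contiguous-cluster assumption that recovery tools make for deleted files whose FAT entries have been zeroed. The FAT images, the cluster numbers and the file layout are constructed for illustration.

```python
import struct

FREE = 0            # a zero entry means the cluster is free for allocation
FIRST_DATA = 2      # entries 0 and 1 are reserved; data clusters start at 2
EOC_MIN = {12: 0xFF8, 16: 0xFFF8, 32: 0x0FFFFFF8}   # end-of-chain markers are >= this
BAD = {12: 0xFF7, 16: 0xFFF7, 32: 0x0FFFFFF7}       # bad-cluster marker


def fat_entry(fat, n, bits):
    """Read entry n of a FAT held in `fat`. FAT12 packs 12-bit entries across
    byte boundaries, FAT16 uses 16-bit fields, FAT32 uses 32-bit fields of
    which only the low 28 bits are the cluster number."""
    if bits == 12:
        word = struct.unpack_from("<H", fat, n + n // 2)[0]      # byte offset n * 1.5
        return word >> 4 if n & 1 else word & 0x0FFF
    if bits == 16:
        return struct.unpack_from("<H", fat, 2 * n)[0]
    if bits == 32:
        return struct.unpack_from("<I", fat, 4 * n)[0] & 0x0FFFFFFF
    raise ValueError("unsupported FAT width %d" % bits)


def cluster_chain(fat, start, bits):
    """Follow the links from `start` as the OS does when opening a file.
    Returns (clusters, complete); complete is False when the chain hits a
    free, bad or reserved entry before an end-of-chain marker, which is what
    a deleted file's chain looks like once its entries have been zeroed."""
    chain, seen, n = [], set(), start
    while n not in seen:
        seen.add(n)
        chain.append(n)
        v = fat_entry(fat, n, bits)
        if v >= EOC_MIN[bits]:
            return chain, True
        if v < FIRST_DATA or v == BAD[bits]:
            return chain, False
        n = v
    raise ValueError("FAT chain loops at cluster %d" % n)


def recover_contiguous(fat, first, size, cluster_bytes, bits):
    """The assumption most recovery tools make for a deleted FAT file: its
    clusters run sequentially from the directory entry's start cluster.
    Returns the guessed clusters and whether any of them is currently
    allocated to something else (the file was fragmented or overwritten)."""
    count = -(-size // cluster_bytes)                       # ceiling division
    guess = list(range(first, first + count))
    collided = any(fat_entry(fat, c, bits) != FREE for c in guess)
    return guess, collided


def build_fat(entries, bits):
    """Constructed FAT image from a list of entry values; test data only."""
    if bits == 32:
        return b"".join(struct.pack("<I", v) for v in entries)
    if bits == 16:
        return b"".join(struct.pack("<H", v) for v in entries)
    buf = bytearray(len(entries) * 2)
    for i, v in enumerate(entries):
        off = i + i // 2
        word = struct.unpack_from("<H", buf, off)[0]
        word = (word & 0x000F) | (v << 4) if i & 1 else (word & 0xF000) | (v & 0x0FFF)
        struct.pack_into("<H", buf, off, word)
    return bytes(buf)


# Constructed FAT16 volume: file A occupies 2 -> 3 -> 4, deleted file B used
# clusters 5, 6 and 9 before deletion zeroed its entries, file C sits on 7 -> 8.
SAMPLE_FAT16 = build_fat([0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0, 0, 8, 0xFFFF, 0], 16)

if __name__ == "__main__":
    print("file A:", cluster_chain(SAMPLE_FAT16, 2, 16))
    print("deleted B:", cluster_chain(SAMPLE_FAT16, 5, 16))
    print("contiguous guess for B:", recover_contiguous(SAMPLE_FAT16, 5, 1536, 512, 16))
```

With a 512-byte cluster and a 1536-byte directory entry for file B, the contiguous guess is clusters 5, 6, 7; cluster 7 is in use by file C, which is exactly the case where the sequential assumption returns the wrong data and the file has to be reassembled manually.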

10.2 File Systems (cont.)

NTFS:
- Stores information in a Master File Table (MFT). The MFT is a list of records that contain the information needed to find data on the disk.
- Records contain created, last modified, and last accessed dates and times.
- Files and directories alike are represented by MFT entries. NTFS creates MFT entries as needed.
- Recovering deleted files on NTFS is complicated because unused MFT entries are reused before new ones are created, and because directory (index) entries are sorted by name, so a deleted file's index entry is removed and the remaining entries re-sorted.

10.2 File Systems (Cont.)

NTFS is a journaling file system: it retains a record of file system operations that can be used to repair damage caused by a system crash.

10.3 Overview of Digital Evidence Processing Tools

- When searching many computers it is most efficient to boot with an evidence acquisition boot disk and run a disk search utility (e.g. EnCase, DiskSearch Pro) from the DOS prompt.
- Booting from a floppy, Safeback can make an exact copy of a drive and preserve its integrity. You can also use EnCase, Forensic Toolkit, SnapBack DatArrest, or Byte Back.
- Some software calculates integrity checks of the acquired data separately; some acquires data along with integrity checks at regular intervals. Courts are generally satisfied with both methods.
- Many of these tools can either use drive information from the BIOS or bypass the BIOS, so that they are not misled by false information about the drive.

FAT Directory Entries (figure)

Directory listing with columns Name, Created, Cluster: Folder1 through Folder14 created 05/08/97, Folder15 created 06/17/97, "New Folder" created 02/02/98, Folder17 created 01/16/98; starting clusters 15372, 15356, 15385, 15365, 15363, 15383, 15362, 15384, 15367, 15358, 15388, 15357, 15932, 15382, 18206, 44646, 39296. Annotations mark a deleted folder entry and the first available entry slot, which a newly created folder reuses (slot order 2 3 4 5 6 7 8 9 10 11 12 13 14 15 17 16).

Reading MFT Entries

Each MFT record is 1024 bytes: a FILE0 header followed by a sequence of attributes (Attribute, Attribute, Attribute, ...).

The Sleuth Kit: Viewing MFT (screenshot)

Shows low-level information for an MFT entry.

Reformatted Recovery (screenshots)

Before recovery: volume re-formatted on 02/20/07.
After recovery: metadata visible; contents may be overwritten.

File Deletion Process

- MFT entry marked as available
- MFT $BITMAP updated
- Parent folder: index entry removed, folder contents re-sorted alphabetically
- $BITMAP attribute updated

Remnants of File Deletion

- File system entries: last accessed date, entry modified date, INFO file date
- Recycle Bin records
- Search unallocated space: data on disk may be recoverable

File Recovery

- Search the entire disk for file names and file records. NTFS uses MFT records starting with FILE0 or FILE*.
- Interpret the file record. The MFT record gives the file name, dates, location on disk, and sometimes the data itself.
- Resident versus non-resident data: a non-resident $DATA attribute holds a run list of clusters instead of the data.
- Check the location on disk for the data.
- Different tools present this information differently.

Deleted MFT Entries (figure)

File dates and times as shown in a deleted MFT entry.

Basic MFT Entry Attributes

Type ID   Hex    Name
16        0x10   $STANDARD_INFORMATION
32        0x20   $ATTRIBUTE_LIST
48        0x30   $FILE_NAME
96        0x60   $VOLUME_NAME
128       0x80   $DATA
144       0x90   $INDEX_ROOT
160       0xA0   $INDEX_ALLOCATION
176       0xB0   $BITMAP

The Sleuth Kit: Viewing MFT (screenshot)

Shows low-level information for an MFT entry.

Reading a Deleted MFT Entry

Identify the FILE record header, then walk the attributes that follow it.
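The following is an added example, not code from the slides or from any forensic tool, that does by hand what the "File Recovery" and "Reading a Deleted MFT Entry" slides describe: it checks the FILE signature, reads the in-use flag from the record header, walks the attributes using the type IDs from the table above, pulls the name and timestamps out of $FILE_NAME, and decodes the run list of a non-resident $DATA attribute into cluster ranges. The 1024-byte record it parses is constructed here (name "contract.doc", the timestamps and the run list are all invented), and it carries no update sequence fixups; a record read from a real volume needs those applied first.

```python
import struct
from datetime import datetime, timedelta, timezone

# Attribute type IDs from the table of basic MFT entry attributes.
STANDARD_INFORMATION, FILE_NAME, DATA, END_MARKER = 0x10, 0x30, 0x80, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_runlist(buf, pos):
    """Turn a non-resident attribute's run list into (start LCN, clusters) pairs.
    Each run starts with a header byte: low nibble = width of the length field,
    high nibble = width of the signed offset field, which is relative to the
    previous run's start LCN. Offset width 0 means a sparse run with no clusters."""
    runs, lcn = [], 0
    while buf[pos] != 0:                        # a 0x00 header byte ends the list
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))
        else:
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((lcn, length))
    return runs


def parse_mft_record(rec):
    """Walk one 1024-byte FILE record and return what recovery needs: in-use
    flag, name, timestamps and where the $DATA content lives. (A record read
    from disk also needs its update sequence fixups written back into the
    last two bytes of each 512-byte sector first; the sample below has none.)"""
    if rec[:4] != b"FILE":
        raise ValueError("no FILE signature: %r" % rec[:4])
    first_attr, flags = struct.unpack_from("<HH", rec, 20)
    info = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    pos = first_attr
    while struct.unpack_from("<I", rec, pos)[0] != END_MARKER:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, pos)
        if nonres:
            run_off, = struct.unpack_from("<H", rec, pos + 0x20)
            real_size, = struct.unpack_from("<Q", rec, pos + 0x30)
            if atype == DATA:
                info.update(data_size=real_size, data_runs=decode_runlist(rec, pos + run_off))
        else:
            csize, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            content = rec[pos + coff:pos + coff + csize]
            if atype == FILE_NAME:
                created, modified, _mft_mod, accessed = struct.unpack_from("<4Q", content, 8)
                name_len = content[64]
                info["name"] = content[66:66 + 2 * name_len].decode("utf-16-le")
                info["created"] = filetime_to_datetime(created)
                info["modified"] = filetime_to_datetime(modified)
                info["accessed"] = filetime_to_datetime(accessed)
            elif atype == DATA:                 # small files: the bytes live in the record
                info.update(data_size=csize, data_runs=[], resident_data=content)
        pos += alen
    return info


# ---- constructed test record, not taken from any real volume ----
def _resident(atype, content):
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return (hdr + content).ljust(length, b"\0")


def _nonresident(atype, runlist, clusters, real_size):
    length = (64 + len(runlist) + 7) & ~7
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", atype, length, 1, 0, 0, 0, 0,
                      0, clusters - 1, 0x40, 0, 0, clusters * 4096, real_size, real_size)
    return (hdr + runlist).ljust(length, b"\0")


def build_sample_record(in_use=False):
    """A deleted (not in-use) record for 'contract.doc' with fragmented $DATA."""
    ft = 129131280000000000                     # 2010-03-15 12:00:00 UTC, constructed
    name = "contract.doc".encode("utf-16-le")
    fn = struct.pack("<Q4QQQIIBB", (5 << 48) | 5, ft, ft, ft, ft + 864000000000,
                     36864, 34816, 0x20, 0, len(name) // 2, 1) + name
    # Run list: 4 clusters at LCN 0x1234, a 3-cluster sparse hole, then 2 clusters
    # 16 LCNs below the previous run (offset byte 0xF0 is signed: -16).
    runs = bytes([0x21, 0x04, 0x34, 0x12, 0x01, 0x03, 0x11, 0x02, 0xF0, 0x00])
    attrs = (_resident(STANDARD_INFORMATION, b"\0" * 72) + _resident(FILE_NAME, fn)
             + _nonresident(DATA, runs, 9, 34816) + struct.pack("<I", END_MARKER))
    hdr = struct.pack("<4sHHQHHHHIIQH", b"FILE", 0x30, 3, 0, 7, 1, 0x38,
                      1 if in_use else 0, 0x38 + len(attrs), 1024, 0, 4)
    return (hdr.ljust(0x38, b"\0") + attrs).ljust(1024, b"\0")


if __name__ == "__main__":
    for key, value in parse_mft_record(build_sample_record()).items():
        print(f"{key:>10}: {value}")
```

The run list is where recovery goes wrong in practice: the clusters it names may already belong to another file once the entry has been marked available, so every run should be checked against the volume $BITMAP before its contents are trusted.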

10.3 Overview of Digital Evidence Processing Tools (Cont.)

There are two main approaches to viewing data: physically or logically.
- Physical: examining raw data with a hex editor; data is generally shown in hexadecimal on the left and as plain text on the right. Limitation: a keyword search will not find occurrences that are broken across non-adjacent sectors.
- Logical: examining data on a disk as the file system represents it. Limitation: areas of the disk not represented by the file system, such as file slack and unallocated space, are not shown.
It is always advisable to verify all findings to check their accuracy!

10.4 Data Recovery

There are two main forms of data recovery on FAT systems: recovering deleted data from unallocated space, and recovering data from slack space.
- In unallocated space, recovery works by reconnecting the links in the cluster chain. This works best if the file was stored in contiguous clusters, because the tools assume that all of a file's clusters are sequential.
- Some tools will recover deleted files from NTFS volumes. This must be performed on a copy of the evidentiary disk because the process alters data on the disk.

10.4.1 Windows-Based Recovery Tools

Tools such as EnCase and FTK can use a bitstream copy of a disk to display a virtual reconstruction of the file system, including deleted files, without modifying the FAT. They recover files on FAT systems by assuming that all clusters in a file are sequential; fragmented files must be recovered manually. Windows-based tools (EnCase and FTK) can also be used to recover deleted files on NTFS volumes.

Understanding the Boot Sequence

Make sure the computer boots from the floppy disk by modifying the CMOS settings. The key that opens the CMOS setup depends on the BIOS: Delete, Ctrl+Alt+Insert, Ctrl+A, Ctrl+F1, F2, or F12.

10.4.2 Unix-based Recovery Tools

Linux can be used to perform basic examinations of FAT and NTFS systems. Fatback, The Sleuth Kit, and SMART can recover deleted files from a FAT system. The Sleuth Kit combined with the Autopsy Forensic Browser can examine and recover deleted files on FAT systems, and can also examine and recover files from an NTFS system. The Sleuth Kit can also extract slack space.

10.4.3 File Carving With Windows

Another approach to recovering deleted files is to examine unallocated space, swap files, and other digital objects for class characteristics such as file headers and footers. This process is like carving files out of the blob-like amalgam of data in unallocated space. File carving tools include DataLifter, EasyRecovery Pro, WinHex, and EnCase EnScripts. NTI's Graphic Image File Extractor can extract images, including those embedded in Word documents.

10.4.3 File Carving With Windows (Cont.)

These tools are generally limited because they rely on files having intact headers. Slack space contains fragmented data that can be recovered but can rarely be reconstituted into complete files. If a small file overwrites a large file, it may be possible to recover the majority of the large file from slack space. It is easier to recover textual data from slack space because it is recognizable to the human eye.
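The following is an added example, not code from the slides or from any of the tools named above, of the header/footer carving the two slides describe, run over a constructed blob standing in for unallocated space. It also shows the limitation the text mentions: a header whose footer never arrives (the rest of the file was overwritten or lives in non-adjacent clusters) comes back as an incomplete fragment rather than a file. The signatures are the standard JPEG, GIF and PNG markers; the blob contents are invented.

```python
import re

# Class characteristics: the header bytes and, where the format has one, the footer.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "gif": (b"GIF8", b"\x00\x3B"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAEB`\x82"),
}


def carve(blob, max_len=10 * 1024 * 1024):
    """Header/footer carving over a raw blob (unallocated space, a swap file).
    Returns (type, offset, data, complete) tuples sorted by offset. A header
    with no footer within max_len is returned truncated with complete=False,
    which is how a file whose remaining clusters were overwritten shows up.
    Caveat: a JPEG with an embedded thumbnail contains a second header and
    an early footer, so the inner image is also reported and the outer one
    may be cut short; that is the price of relying on markers alone."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), blob):
            start = m.start()
            end = blob.find(tail, start + len(head), start + max_len)
            if end == -1:
                found.append((kind, start, blob[start:start + max_len], False))
            else:
                found.append((kind, start, blob[start:end + len(tail)], True))
    return sorted(found, key=lambda f: f[1])


# Constructed "unallocated space": a complete JPEG, some leftover text, a GIF
# whose tail has been overwritten, and a complete PNG, separated by zero fill.
SAMPLE_BLOB = (
    b"\0" * 64
    + b"\xFF\xD8\xFF\xE0" + b"JFIF" + b"\x01" * 40 + b"\xFF\xD9"
    + b"slack text " * 3
    + b"GIF89a" + b"\x02" * 20
    + b"\0" * 16
    + b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"\x03" * 30 + b"IEND\xAEB`\x82"
    + b"\0" * 32
)

if __name__ == "__main__":
    for kind, offset, data, complete in carve(SAMPLE_BLOB):
        print(f"{kind} at {offset}: {len(data)} bytes, {'complete' if complete else 'FRAGMENT'}")
```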

10.4.4 Dealing With Password Protection and Encryption

It is sometimes possible to use a hexadecimal editor such as WinHex to remove a password from a file. More specialized tools for bypassing or recovering passwords include those from NTI, [Link], Russian Password Crackers, and others.

10.4.4 Dealing With Password Protection and Encryption (Cont.)

If it is necessary to bypass the logon password, use a program such as ntpasswd or ERD Commander. LC4 can attempt to guess older NT passwords. The most powerful and versatile password recovery programs are PRTK and DNA from AccessData. AccessData's Distributed Network Attack can brute-force Adobe Acrobat and Word/Excel files encrypted with 40-bit encryption. Microsoft EFS, by contrast, generally uses 128-bit keys, which puts it out of reach of brute force.

10.5 Log Files

Attribution is a major goal; log files can record which account was used to access a system at any given time. User accounts allow two forms of access to computers: interactive logon and access to shared resources. System log files can contain information about the user accounts that were used to commit a crime, and can show that a user account might have been stolen. The utility for processing log files on Windows NT and 2000 is called dumpel. A detailed procedure for examining log files can be found in the Handbook of Computer Crime Investigation.

LogParser: NT Event Logs

C:\>LogParser "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Username FROM '[Link]' WHERE EventID NOT IN (541;542;543) AND EventType = 8 AND EventCategory = 2 AND Username NOT LIKE 'IUSR_%'"

LogonDate            Username
-------------------  --------
2002-05-06 [Link]    esmith
2002-05-09 [Link]    adoe
2002-05-09 [Link]    esmith
2002-05-12 [Link]    esmith

(EventType 8 is a Success Audit and EventCategory 2 is Logon/Logoff; events 541-543 are IPsec security association events that share the category, and IUSR_ accounts are the IIS anonymous users.)

NT Event Log Example: unauthorized access, clock backdating

The system time was changed.
  Process ID: 300
  Process Name: C:\WINDOWS\System32\[Link]
  Primary User Name: Owner
  Primary Domain: EOWYN
  Primary Logon ID: (0x0,0x14AA8)
  Client User Name: Owner
  Client Domain: EOWYN
  Client Logon ID: (0x0,0x14AA8)
  Previous Time: [Link] PM 2/13/2004
  New Time: [Link] PM 12/11/2004
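The following is an added example, not code from the slides, that applies the two slides above to a constructed event log: it reproduces the LogParser logon filter in code, ties a later event back to the logon session that produced it through the Logon ID (the attribution point of 10.5), and flags system-time-change events whose jump is too large to be routine time sync, in either direction. The records are invented; the field layout (EventType 8 = Success Audit, EventCategory 2 = Logon/Logoff, event 528 = successful logon, event 520 = system time changed, insertion strings joined by "|") follows the NT/2000/XP security log as LogParser exposes it, and the token order for 520 is the one shown on the slide.

```python
from datetime import datetime, timedelta

SUCCESS_AUDIT = 8                    # EventType; 16 would be a Failure Audit
LOGON_LOGOFF = 2                     # EventCategory
IPSEC_NOISE = {541, 542, 543}        # IKE events that share the Logon/Logoff category
SUCCESSFUL_LOGON = 528
SYSTEM_TIME_CHANGED = 520            # "The system time was changed."


def tokens(ev):
    """LogParser exposes the event's insertion strings pipe-joined in Strings."""
    return ev["Strings"].split("|")


def successful_logons(events):
    """The LogParser query from the previous slide, as code: success audits in
    the Logon/Logoff category minus IPsec noise and the IIS anonymous account."""
    hits = []
    for ev in events:
        if ev["EventType"] != SUCCESS_AUDIT or ev["EventCategory"] != LOGON_LOGOFF:
            continue
        if ev["EventID"] in IPSEC_NOISE:
            continue
        user = tokens(ev)[0]
        if user.upper().startswith("IUSR_"):
            continue
        hits.append((ev["TimeGenerated"], user))
    return hits


def logon_for_session(events, logon_id):
    """Attribution: the Logon ID assigned at logon (token 2 of event 528)
    reappears as the Primary Logon ID of later events such as 520, so an
    action can be traced to the account and workstation that started it."""
    for ev in events:
        if ev["EventID"] == SUCCESSFUL_LOGON and tokens(ev)[2] == logon_id:
            t = tokens(ev)
            return {"user": t[0], "domain": t[1], "logon_type": int(t[3]), "workstation": t[6]}
    return None


def parse_event_time(s):
    """The time form shown on the slide, e.g. 3:05:17 PM 2/13/2004."""
    return datetime.strptime(s, "%I:%M:%S %p %m/%d/%Y")


def suspicious_clock_changes(events, tolerance=timedelta(minutes=5)):
    """Report event 520 records whose Previous Time -> New Time jump exceeds
    `tolerance`. Small steps are routine synchronisation; a large backward jump
    is what backdating files takes, a large forward one is equally suspect."""
    out = []
    for ev in events:
        if ev["EventID"] != SYSTEM_TIME_CHANGED:
            continue
        t = tokens(ev)
        prev, new = parse_event_time(t[8]), parse_event_time(t[9])
        if abs(new - prev) <= tolerance:
            continue
        out.append({"logged": ev["TimeGenerated"], "process": t[1], "user": t[2],
                    "direction": "backward" if new < prev else "forward",
                    "previous": prev, "new": new,
                    "session": logon_for_session(events, t[4])})
    return out


# Constructed sample log. Token order for 528: user, domain, logon ID, logon type,
# logon process, authentication package, workstation. Token order for 520 as on
# the slide: process ID, process name, primary user/domain/logon ID, client
# user/domain/logon ID, previous time, new time.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2004-02-13 08:15:02", "EventID": 528, "EventType": 8, "EventCategory": 2,
     "Strings": "esmith|EOWYN|(0x0,0x14AA8)|2|User32|Negotiate|EOWYN"},
    {"TimeGenerated": "2004-02-13 08:20:40", "EventID": 528, "EventType": 8, "EventCategory": 2,
     "Strings": "IUSR_WEB01|EOWYN|(0x0,0x15000)|3|IIS|Negotiate|WEB01"},
    {"TimeGenerated": "2004-02-13 14:59:59", "EventID": 529, "EventType": 16, "EventCategory": 2,
     "Strings": "administrator|EOWYN|10|User32|Negotiate|ATTACKER-PC"},
    {"TimeGenerated": "2004-02-13 15:00:01", "EventID": 541, "EventType": 8, "EventCategory": 2,
     "Strings": "10.0.0.5|10.0.0.9"},
    {"TimeGenerated": "2004-02-13 15:02:11", "EventID": 528, "EventType": 8, "EventCategory": 2,
     "Strings": "adoe|EOWYN|(0x0,0x2B3F1)|10|User32|Negotiate|ATTACKER-PC"},
    {"TimeGenerated": "2004-02-13 15:05:47", "EventID": 520, "EventType": 8, "EventCategory": 1,
     "Strings": "300|C:\\WINDOWS\\System32\\cmd.exe|esmith|EOWYN|(0x0,0x14AA8)|esmith|EOWYN|(0x0,0x14AA8)"
                "|3:05:17 PM 2/13/2004|3:05:47 PM 2/13/2004"},
    {"TimeGenerated": "2004-02-13 15:06:02", "EventID": 520, "EventType": 8, "EventCategory": 1,
     "Strings": "300|C:\\WINDOWS\\System32\\cmd.exe|adoe|EOWYN|(0x0,0x2B3F1)|adoe|EOWYN|(0x0,0x2B3F1)"
                "|3:06:00 PM 2/13/2004|3:06:00 PM 12/11/2004"},
    {"TimeGenerated": "2004-12-11 15:30:00", "EventID": 520, "EventType": 8, "EventCategory": 1,
     "Strings": "300|C:\\WINDOWS\\System32\\cmd.exe|adoe|EOWYN|(0x0,0x2B3F1)|adoe|EOWYN|(0x0,0x2B3F1)"
                "|3:30:00 PM 12/11/2004|3:30:00 PM 2/13/2004"},
]

if __name__ == "__main__":
    print(successful_logons(SAMPLE_EVENTS))
    for change in suspicious_clock_changes(SAMPLE_EVENTS):
        print(change["direction"], change["user"], change["previous"], "->", change["new"], change["session"])
```

Note that the third 520 record is logged at a TimeGenerated in December while the two before it are in February: once the clock has been moved, the log's own timestamps can no longer be read in order, which is why the Previous/New pair inside the event matters more than the record's header time.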

Preservation Scenario

Day 1:
- Sys admin sees unauthorized logon attempts
- No network-level logging to determine the scope of the attack
- Attacker machine name captured in event logs
- Unauthorized administrator logons to a server; concern about other systems

Sys admin searches the security event logs:
- Two servers show successful logons from the attacker
- Takes screenshots of the unauthorized logons
- Does not preserve the full logs
Manual inspection reveals other servers with intruder logons. Screenshots are taken, but the original logs are not preserved.

Day 2:
- Another attacker machine name is observed
- Security event logs have been cleared (reason unknown)
- Not possible to look back in time for the new name
Another machine name is observed, but the original logs no longer exist. Lost opportunity.

10.6 File System Traces

An individual's actions on a computer can leave many traces that digital investigators can use. Moving a file within a FAT volume does not change its file times; the original (now deleted) directory entry is identical to the new directory entry. This allows investigators to determine where files were moved from, as long as the original directory entry still exists.

NTFS Behavior (consistent inconsistencies)

Action                 Created     Modified    Accessed
Copy                   Updated     Unchanged   Updated
Move (out of volume)   Updated     Unchanged   Updated
Move (in volume)       Unchanged   Unchanged   Unchanged
Cut & Paste            Unchanged   Unchanged   Updated

Reading Windows FILETIME

A 64-bit Windows FILETIME counts 100-nanosecond intervals since January 1, 1601 (UTC) and is stored little-endian, least significant byte first.

Contract originally created:
0x00 0xEA 0x4A 0xF2 0x6A 0xD2 0xC6 0x01
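The following is an added example, not code from the slides, that decodes the eight bytes shown above and goes one step further than the slide: it also scans an arbitrary buffer for values that decode to plausible dates, the way an examiner hunts for timestamps in slack or in a deleted MFT record. Reading the slide's bytes little-endian gives 0x01C6D26AF24AEA00, which is 2006-09-07 10:47:00 UTC. The carrier buffer used for the scan is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                 # FILETIME counts 100 ns intervals
UNIX_EPOCH_TICKS = 116444736000000000         # 1970-01-01 00:00:00 UTC as a FILETIME


def filetime_to_datetime(ft):
    """64-bit FILETIME -> aware UTC datetime (ten ticks per microsecond)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, useful for building a byte pattern to search for."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_from_bytes(raw):
    """The eight bytes as they sit on disk are little-endian, so the slide's
    00 EA 4A F2 6A D2 C6 01 is the integer 0x01C6D26AF24AEA00."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def filetime_to_unix(ft):
    """Seconds since 1970-01-01, for comparison with Unix-side timestamps."""
    return (ft - UNIX_EPOCH_TICKS) / TICKS_PER_SECOND


def scan_for_filetimes(buf, first_year=1990, last_year=2030):
    """Slide an 8-byte window over arbitrary data (slack, unallocated space,
    a deleted MFT record) and keep every value that decodes to a plausible
    date. Values far outside the range overflow datetime and are skipped."""
    hits = []
    for off in range(len(buf) - 7):
        try:
            dt = filetime_to_datetime(filetime_from_bytes(buf[off:off + 8]))
        except OverflowError:
            continue
        if first_year <= dt.year <= last_year:
            hits.append((off, dt))
    return hits


SLIDE_BYTES = bytes.fromhex("00EA4AF26AD2C601")     # the value shown on the slide
# Constructed carrier: zero fill and ASCII around the timestamp, the kind of
# neighbourhood a FILETIME has inside a $STANDARD_INFORMATION attribute.
SAMPLE_BUFFER = b"\0" * 4 + b"contract" + SLIDE_BYTES + b"\0" * 4

if __name__ == "__main__":
    ft = filetime_from_bytes(SLIDE_BYTES)
    print(hex(ft), filetime_to_datetime(ft).isoformat(), filetime_to_unix(ft))
    print(scan_for_filetimes(SAMPLE_BUFFER))
```

The scan has no alignment assumption, so it also works on a byte-shifted copy; windows that overlap the real value by a byte or two decode to years far outside the range and are discarded, which is what keeps the false-positive rate tolerable.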

10.6 File System Traces (Cont.)

Date-time stamp phenomenon:
When a file is copied within a volume or moved from a hard drive to a floppy, the created and last accessed date-time stamps are updated but the last modified date-time stamp stays the same. The same thing happens when a file is downloaded from certain types of file servers on the Internet.

10.6 File System Traces (Cont.)

Metadata:
Information retained inside Microsoft Office documents includes the location where the file was stored on disk, the printer used, and the original creation date and time. These date-time stamps embedded in the file can be useful for analysis.

Date-time stamps can be affected by external influences (e.g. files extracted from a compressed Zip archive).

10.7 Windows Registry

The registry stores system configuration and usage details in what are called keys. The Windows 95 and 98 registry files (called hives) are named system.dat and [Link]. The registry on Windows NT/2000/XP has a separate hive file named [Link] for each user account. Registry files recovered from an evidentiary system can be viewed with regedt32 on an examination system using the Load Hive option on the Registry menu. Some keys are stored in ASCII, and any key can be saved (exported) as a text file.

10.8 Internet Traces

Accessing the Internet leaves a wide variety of information, including web sites visited, contents viewed, and newsgroups accessed. Some Windows systems keep a log of when the modem was used. Some Internet dial-up services maintain connection logs.

10.8.1 Web Browsing

The first time a web page is viewed, the browser caches the page on disk. When the same site is accessed again, the cached file is used. Some web browsers track the number of times a site is accessed. Netscape maintains a database of web sites visited in [Link]; entries marked as deleted can be recovered with EnCase or an EnScript. Internet Explorer keeps similar information in files named [Link].

10.8.1 Web Browsing (Cont.)

Mozilla maintains a file named _CACHE_001_ that holds HTTP responses, each containing the current date and time according to the web server's clock. Netscape stores cookies in the [Link] file, while IE keeps cookies in the Windows\Cookies directory. The presence of a cookie does not by itself prove that a person intentionally accessed a particular web site.

10.8.2 Usenet Access

Web browsers track which Usenet newsgroups have been accessed. Netscape stores this information in a file with an .rc extension. MS Internet News stores information about newsgroup activity in its news directory.

10.8.3 E-Mail

- Plain text mailbox files: Netscape and Eudora
- Proprietary formats: Outlook, Outlook Express, AOL
FTK can be used to interpret a variety of proprietary formats. In some cases it is possible to recover messages that have been deleted but not yet purged.

10.8.4 Other Applications

Yahoo Pager, AOL IM, and other instant messaging programs do not retain archives of messages by default but may be configured to log chat sessions. Peer-to-peer file sharing programs may retain a list of hosts that were contacted or files that were accessed. The best chance of obtaining information about these applications is to search the parts of the hard drive where data may have been stored temporarily, or to monitor network traffic from the computer while the programs are in use.

10.8.5 Network Storage

One of the most common remote storage locations is an individual's ISP. Also search for traces of file transfer applications: WS_FTP creates small log files showing file locations, FTP server names, and times of transfer. CRT and SSH clients can be configured to maintain an individual configuration file for each computer that a user connects to frequently. Shared network drives are another form of remote storage; remnants of network file sharing may be found in various registry keys.

10.9 Program Analysis

The three primary approaches are: examine the source code, view the program in compiled form, and run the program in a test environment. VMware can be used to create a virtual machine for testing purposes. Programs such as Regsnap and Tripwire can be used to create a system baseline that shows what the program altered during testing. Details about processes and network connections can be observed with the tools from [Link].
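The following is an added example, not code from the slides and not Regsnap or Tripwire, of the baseline-and-compare technique the slide describes for a file tree: hash every file before running the program under test, hash again afterwards, and classify what was added, removed, modified, or merely re-timestamped. The demo builds a scratch tree in a temporary directory and simulates the program's side effects itself, so nothing here touches a real system.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Baseline every regular file under root as
    relative path -> (size, mtime in ns, SHA-256 of the contents)."""
    root = Path(root)
    base = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.is_symlink():
            continue
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        st = p.stat()
        base[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, h.hexdigest())
    return base


def compare(before, after):
    """Classify what changed between two baselines. 'touched' catches files
    whose timestamp moved but whose content did not (re-saved or utime'd),
    which a size-and-date-only comparison would misreport as modified."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k][2] != after[k][2]),
        "touched": sorted(k for k in common
                          if before[k][2] == after[k][2] and before[k][1] != after[k][1]),
    }


def demo():
    """Constructed run: baseline a scratch tree, simulate what a program under
    test might do (edit a config, drop a DLL, delete a binary, touch a file),
    then re-baseline and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "config.ini").write_text("debug=0\n")
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\0" * 62)
        (root / "readme.txt").write_text("hello\n")
        before = snapshot(root)

        (root / "config.ini").write_text("debug=1\n")                    # modified
        (root / "bin" / "dropped.dll").write_bytes(b"MZ" + b"\x90" * 32)  # added
        (root / "bin" / "tool.exe").unlink()                              # removed
        t = (root / "readme.txt").stat().st_mtime_ns + 10**9
        os.utime(root / "readme.txt", ns=(t, t))                          # touched
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```

Hashing the contents rather than trusting size and modification time is the point: a program that rewrites a file and then restores its timestamps defeats a date-based snapshot but not a content hash.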
