Windows Forensics


Windows Details

Boot Process

  1. BIOS conducts a power-on self-test (POST)
    • checks to see if devices are present and working
  2. BIOS reads the master boot record (MBR) and partition table from the boot disk
  3. MBR code locates the active (boot) partition
    • the partition with the OS on it
  4. MBR passes control to the boot sector on the boot partition
  5. boot sector loads NTLDR
    • the NT loader
    • the first part of the Windows OS to run
    • responsible for preparing and loading the rest of the OS
  6. NTLDR checks for a valid hiberfil.sys; if one is present, its contents are loaded into memory and the system resumes at the previous state instead of continuing the boot
    • happens when Windows was put into hibernation instead of being shut down
  7. NTLDR switches the processor from real mode to 32-bit protected mode (or 64-bit long mode)
    • real mode is the state an x86 CPU starts in
    • provides no memory protection, multitasking, or code privilege levels
  8. NTLDR starts minimal file system drivers
    • FAT, FAT32, NTFS
  9. NTLDR reads boot.ini and displays the boot loader menu
    • multiple OSes will be displayed here if installed
  10. NTLDR runs Ntdetect.com, then loads NTOSKRNL and passes it the collected hardware information
    • NTOSKRNL is the Windows kernel
    • this is the end of the boot phase
    • beginning of the load phase
  11. NTLDR loads hal.dll (hardware abstraction layer)
  12. NTLDR loads the SYSTEM hive (part of the Registry) and reads the boot settings from it
  13. kernel initialization begins
    • screen turns blue
  14. services load phase begins
  15. Win32 subsystem start phase begins
  16. user logs on
  • this sequence is for NTLDR-based versions (NT 4 through XP/Server 2003 on BIOS machines); Vista and later use bootmgr and winload.exe and keep the boot settings in the BCD store instead of boot.ini, and UEFI systems do not go through an MBR boot sector at all

Important Files

  • Ntdetect.com
    • a program run by NTLDR that queries the computer for basic device/config data like time/date from CMOS, system bus types, disk drives, ports, and so on
  • Ntbootdd.sys
    • a storage controller device driver (a renamed copy of the disk driver, used when the boot disk is not accessible through the BIOS)
  • Ntoskrnl.exe
    • the core of the operating system (the kernel)
  • Hal.dll
    • the hardware abstraction layer, the interface between the kernel and the hardware
  • Smss.exe
    • the Session Manager Subsystem; the first user-mode process, it starts Csrss.exe and Winlogon.exe (services themselves are started later by Services.exe)
  • Winlogon.exe
    • the program that handles the logon session and logs you on
  • Lsass.exe
    • the Local Security Authority Subsystem; handles authentication, security policy, and logon policies
  • Explorer.exe
    • the shell the user interacts with, such as the desktop, Windows Explorer, and so on
  • Csrss.exe
    • the Client/Server Runtime Subsystem; handles Win32 subsystem tasks like creating threads, console windows, and so forth
  • to find what version of NTFS a volume has (run from an elevated prompt; <volume> is a drive letter such as C:):
    • fsutil fsinfo ntfsinfo <volume>

Volatile Data

Volatile memory analysis is a live-system forensic technique in which you collect a memory dump from the running machine and perform the analysis in an isolated environment.

  • must first establish a trusted command shell (run your own known-good binaries from read-only media, not the suspect system's copies)
  • next, establish a data collection system and a method for transmitting the data off the suspect machine
  • compute a hash of the capture after memory acquisition
    • there is nothing to hash before acquisition because memory changes continuously; the hash documents the integrity of the captured image from that point on
  • common to acquire volatile data into a dump file for offline examination
    • a dump is a complete copy of every bit of memory (or of a cache) written to permanent storage
  • data in memory is not consistently maintained during system operation
    • impossible to freeze the machine state in the course of data acquisition, so a capture is never an atomic snapshot
  • a process's writable memory has 2 main regions:
    • Stack (S)
      • memory is allocated to local variables and parameters within each function
        • allocated and freed on the last-in, first-out (LIFO) principle
      • when a program is running, the same stack memory is reused by successive function calls
      • this segment is the most dynamic area of the process's memory
    • Heap (H)
      • dynamic memory for a program comes from the heap segment
      • a process uses a memory allocator such as malloc to request dynamic memory
      • when this happens, the address space of the process may expand
      • data in the heap area persists between function calls
      • the memory allocator can reuse memory that has been released by the process
      • so heap data is less stable than the data in the data segment (global and static variables)
  • when a program is running,
    • code, data, and heap segments are usually placed in a single contiguous area
    • the stack segment is separate
      • expands as more memory is allocated to it
  • memory can be viewed as a large array that contains many segments for different processes
  • memory grows and shrinks depending on system usage
    • due to either
      • growth of heap data
      • or expansion and release of stack data
    • data in the code segment is static
    • stack data changes far more often than heap data, so it is the least reliable content to recover from a capture

Tools

  • PsList
    • use to view process and thread statistics on a system
    • asks the OS for its process list, so it will not reveal a rootkit or any processes the rootkit has hidden
    • part of PsTools (Sysinternals)
  • PsInfo
    • from PsTools
    • tells you system uptime, operating system details, and other system info
    • good background info for the forensics report
  • ListDLLs
    • allows you to view the currently loaded dynamic-link libraries (DLLs) for a process
    • cannot show DLLs loaded by hidden processes
  • PsLoggedOn
    • helps discover users who have logged on both locally and remotely
    • tells who is logged on via resource shares on the current machine
    • part of PsTools
  • netstat
    • displays incoming and outgoing network connections
    • displays routing tables and network interface statistics
    • use it to view network connections on a machine; with -ano it also shows the owning process ID, which can be matched against the PsList output

Windows Swap File

  • Swap file is used to augment RAM
    • it is a special place on the hard drive where pages from memory can be temporarily stored and retrieved again
  • stored as pagefile.sys in the root of the system volume (e.g. C:\pagefile.sys); hidden and locked while Windows runs
  • often referred to as virtual memory
  • hiberfil.sys is a related memory artifact
    • a (compressed) copy of RAM written when the machine hibernates; it can be converted to a raw memory image and processed with Volatility, or simply run through string searches
    • may contain password artifacts from apps recently run
  • In Windows 8 and later
    • pagefile.sys is there all the time
    • hiberfil.sys is only present if hibernation or fast startup is enabled
    • by default, Windows uses a hybrid shutdown (fast startup) that writes a hiberfil.sys on every shutdown
      • it contains only the kernel session (kernel and drivers), not the user session, so it holds much less user data than a full hibernation file

Volume Shadow Copy

Volume Shadow Copy (VSS) is a service that takes point-in-time snapshots of a volume: the system tracks writes to blocks of data and, before a block is overwritten, copies its old contents to the shadow copy storage area (copy-on-write).

  • System Restore schedules a snapshot about once per day (and before installs and updates); snapshots are also triggered manually or by backup software
  • tracks and stores change data as 16-KB blocks
  • shadow copies are differential: only blocks that changed since the snapshot are stored, so a snapshot costs far less space than a full copy
  • for a full copy or clone, entire files are backed up
  • older versions of files, including deleted ones, can be recovered from a shadow copy; vssadmin list shadows enumerates the existing copies on a live system

Windows Logs

  • different ways to get to logs based on Windows version
    • Windows 7 and Server 2008
      • Start button > Control Panel > Administrative Tools > Event Viewer
    • Vista and later store the logs as .evtx files under %SystemRoot%\System32\winevt\Logs; these can be copied out of an image and opened in Event Viewer or a parser
  • Logs
    • Security log
      • contains successful and unsuccessful logon events (event IDs 4624 and 4625 on Vista and later), subject to the configured audit policy
    • Application log
      • contains various events logged by applications
    • System log
      • contains events logged by Windows system components
      • includes driver failures
    • ForwardedEvents log
      • used to store events forwarded from remote computers
    • Applications and Services logs
      • used to store events from a single application or component rather than events that might have systemwide impact
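The Security log check above, as an added example that is not part of the original notes: it parses logon events exported as XML (the form Event Viewer's "Save as XML" and Get-WinEvent produce), counts failed logons (4625) per source IP and reports sources that pass a threshold, noting whether a successful logon (4624) followed the burst. The event records are constructed for the example and carry only the fields the check reads; real 4625 events are only present if logon-failure auditing is enabled.

```python
"""Added example (not code from the original notes): detect brute-force
logons in Security-log events exported as XML.

Assumes the XML form that Event Viewer ("Save as XML") and Get-WinEvent
produce, with event 4625 = failed logon and 4624 = successful logon (Vista
and later IDs).  The sample events below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, when, user, ip, logon_type):
    """Build one constructed event in the Windows event XML schema."""
    return (
        '<Event xmlns="%s"><System><EventID>%d</EventID>'
        '<TimeCreated SystemTime="%s"/></System><EventData>'
        '<Data Name="TargetUserName">%s</Data>'
        '<Data Name="IpAddress">%s</Data>'
        '<Data Name="LogonType">%d</Data></EventData></Event>'
        % (NS["e"], event_id, when, user, ip, logon_type)
    )


# Constructed sample: 203.0.113.5 fails three times (network logon type 3)
# and then succeeds; 198.51.100.7 fails once; a console logon has IP "-".
SAMPLE_XML = "<Events>" + "".join([
    _event(4625, "2024-05-01T10:00:01Z", "admin", "203.0.113.5", 3),
    _event(4625, "2024-05-01T10:00:02Z", "administrator", "203.0.113.5", 3),
    _event(4625, "2024-05-01T10:00:03Z", "backup", "203.0.113.5", 3),
    _event(4624, "2024-05-01T10:00:09Z", "backup", "203.0.113.5", 3),
    _event(4625, "2024-05-01T10:05:00Z", "jsmith", "198.51.100.7", 3),
    _event(4624, "2024-05-01T10:06:00Z", "jsmith", "-", 2),
]) + "</Events>"


def parse_events(xml_text):
    """Return the logon events as dicts, oldest first."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": int(ev.find("e:System/e:EventID", NS).text),
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "user": data.get("TargetUserName", ""),
            "ip": data.get("IpAddress", "-"),
            "logon_type": data.get("LogonType", ""),
        })
    events.sort(key=lambda e: e["time"])   # ISO-8601 UTC strings sort correctly
    return events


def find_brute_force(events, threshold=5):
    """Sources with >= threshold failed logons, and whether a success followed."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "success_after": False})
    for e in events:
        s = stats[e["ip"]]
        if e["event_id"] == 4625:
            s["failures"] += 1
            s["users"].add(e["user"])
        elif e["event_id"] == 4624 and s["failures"] >= threshold:
            s["success_after"] = True   # burst of failures, then a success
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    for ip, s in find_brute_force(parse_events(SAMPLE_XML), threshold=3).items():
        print(ip, s["failures"], sorted(s["users"]), s["success_after"])
```

The threshold is deliberately a parameter: a handful of failures from one workstation is a mistyped password, the same count spread over several account names from one external address is a spray, which is why the result also keeps the set of targeted users.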

Windows Directories

  • directories that are more likely to contain evidence:
    • C:\Documents and Settings
      • user profiles and the default document location on XP and earlier; on Vista and later it is only a hidden junction pointing to C:\Users
    • C:\Users
      • contains user profile information, documents, pictures, and more for all users
      • not just the one currently logged on
    • C:\Program Files
      • by default, programs are installed in subdirectories of this directory
    • C:\Program Files (x86)
      • on 64-bit systems, 32-bit programs are installed here
    • C:\Users\username\Documents
      • that user's Documents folder

UserAssist

UserAssist is a Windows feature that records which programs a user launches through the Explorer shell (it backs the Start menu's most-used list).

  • it maintains a record of programs that have been launched, with a run count and last-run time for each
  • can view the programs that have been executed through the shell on a machine
    • by examining the appropriate Registry keys in the user's NTUSER.DAT
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
      • value names are ROT13-encoded (obfuscated, not encrypted)
        • decode them with a UserAssist tool or any ROT13 routine
  • only covers launches via Explorer (Start menu, shortcuts, double-click); programs started from a command prompt or by another process do not appear
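Decoding the Count values described above, as an added example that is not code from the original notes. The ROT13 part is certain; the binary value layout used here is taken from the public UserAssist format descriptions (Windows 7 and later: 72-byte values with the run count at offset 4 and the last-execution FILETIME at offset 60; XP/2003: 16-byte values with the count at offset 4, starting from 5, and the FILETIME at offset 8) and should be treated as an assumption to verify against your own hive. The sample values are constructed.

```python
"""Added example (not code from the original notes): decode UserAssist
Count values from NTUSER.DAT.

Layout assumption (from public format notes): Windows 7+ values are 72
bytes, run count at offset 4, last-run FILETIME at offset 60; XP values are
16 bytes, count at offset 4 (XP starts counting at 5), FILETIME at offset 8.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; 0 means 'never'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def decode_userassist(name, data):
    """Decode one (value name, value data) pair from a UserAssist\\{GUID}\\Count key."""
    program = codecs.decode(name, "rot_13")          # names are ROT13, not encrypted
    if len(data) >= 68:                              # Windows 7 and later
        run_count = struct.unpack_from("<I", data, 4)[0]
        last_run = struct.unpack_from("<Q", data, 60)[0]
    elif len(data) >= 16:                            # Windows XP / Server 2003
        run_count = struct.unpack_from("<I", data, 4)[0] - 5   # XP counts start at 5
        last_run = struct.unpack_from("<Q", data, 8)[0]
    else:
        raise ValueError("unexpected UserAssist value length %d" % len(data))
    return {"program": program, "run_count": run_count,
            "last_run": filetime_to_datetime(last_run)}


def decode_count_key(values):
    """Decode a whole Count key (dict name -> bytes), most recently run first."""
    rows = [decode_userassist(n, d) for n, d in values.items()]
    rows.sort(key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)
    return rows


def _make_win7_value(run_count, last_run):
    """Constructed 72-byte Windows 7 style value for the example."""
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return bytes(data)


# Constructed samples.  The Win7 name is ROT13 of
# "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe"; that GUID is the known-folder
# ID Windows substitutes for C:\Windows\System32 in UserAssist names.
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_DATA = _make_win7_value(7, datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc))
# XP-style sample: ROT13 of "UEME_RUNPATH:cmd.exe", raw count 8, never-run timestamp.
SAMPLE_XP_NAME = "HRZR_EHACNGU:pzq.rkr"
SAMPLE_XP_DATA = struct.pack("<IIQ", 0, 8, 0)

if __name__ == "__main__":
    for row in decode_count_key({SAMPLE_NAME: SAMPLE_DATA, SAMPLE_XP_NAME: SAMPLE_XP_DATA}):
        print(row)
```

When working from a real hive, feed decode_count_key the values of every {GUID}\Count subkey; a ROT13 name that decodes to a path under a user's Downloads or Temp folder with a recent last-run time is the kind of entry worth following up in Prefetch and Amcache.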

Unallocated/Slack Space

  • search unallocated space for keywords
  • can use FTK to find documents in unallocated space
  • can build a full-text index
    • allows you to build a binary tree-based dictionary of all words that exist in an image

Alternate Data Streams

Alternate data streams are an NTFS feature that lets additional named streams of data be attached to a file (or directory) without changing the size Explorer shows for it.

  • originally added so Services for Macintosh could store the resource fork of Macintosh HFS files on an NTFS server
  • e.g., a criminal can attach a script or executable to an innocuous text file as notes.txt:payload.exe
  • can use a tool such as NirSoft's AlternateStreamView to detect them; dir /r (Vista and later) and PowerShell's Get-Item -Stream * also list the streams of a file
  • streams are dropped when a file is copied to a non-NTFS volume (FAT, most network shares), so collect them from the original volume or a bit-for-bit image

Index.dat

  • browsers often store browsing history in a separate file
  • Internet Explorer up to version 9 keeps its history, cache and cookie indexes in index.dat files (several per user profile); IE10 and later use the ESE database WebCacheV01.dat instead
  • older Mozilla/Firefox versions stored history in history.dat; Firefox 3 and later store it in the SQLite database places.sqlite in the profile folder

Windows Files and Permissions

  • file permissions can change when moving a file
    • what happens depends on whether the file is
      • copy-and-pasted: a copy is a new file and always inherits the destination folder's permissions
      • cut-and-pasted (moved): depends on whether source and destination are on the same NTFS volume
        • in the same volume, the file is renamed in place and retains its original explicit permissions
        • in a different volume, the move is really a copy followed by a delete, so the file inherits the destination's permissions

MAC

  • refers to the Modified, Accessed, Created file timestamps
  • file created
    • the date the file was created on the volume (a move within a volume keeps it, a copy gets a new one, which is why a copied file can show a creation date later than its modification date)
  • file accessed
    • date the file was last accessed
    • since Vista, NTFS does not update last-access times by default (NtfsDisableLastAccessUpdate), so this value is usually stale
  • file modified
    • date the file content was last modified
  • NTFS actually keeps a fourth timestamp, the MFT entry change time (E), and stores a set of all four in both the $STANDARD_INFORMATION and $FILE_NAME attributes; the $FILE_NAME set cannot be changed through the normal file API, so a mismatch between the two sets is a sign of timestamp tampering (timestomping)

Registry

The Registry is the hierarchical database in which Windows stores its system-wide and per-user configuration.

A Registry hive is a group of keys, subkeys, and values in the Registry that is backed by a file on disk, together with supporting files (transaction logs and backups) that contain copies of its data.

  • the machine hive files (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT) and their .LOG transaction logs are found in %SystemRoot%\System32\Config
    • except for the per-user hives that back HKEY_CURRENT_USER
      • NTUSER.DAT in the user's profile folder (C:\Users\<username>, or C:\Documents and Settings\<username> on XP), plus UsrClass.dat under AppData\Local\Microsoft\Windows
  • the Registry is presented as 5 root keys:
    1. HKEY_CLASSES_ROOT (HKCR)
      • stores file associations and COM class registrations, and with them drag-and-drop rules, program shortcuts, the user interface, and related items (a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes)
    2. HKEY_CURRENT_USER (HKCU)
      • very important to any forensic investigation
      • stores information about the currently logged-on user, including desktop settings, user folders, and so forth (a link to that user's SID subkey under HKU)
    3. HKEY_LOCAL_MACHINE (HKLM)
      • contains settings common to the entire machine, regardless of the individual user
    4. HKEY_USERS (HKU)
      • has the loaded profiles for all users, including their settings
    5. HKEY_CURRENT_CONFIG (HKCC)
      • contains the current hardware profile (a link into HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current)
  • every Registry key carries a LastWrite time in its key header (it is not a value you can see in regedit; tools and hive parsers expose it)
    • tells when the key or its values were last changed
    • stored as a FILETIME structure, in UTC
      • represents the number of 100-nanosecond intervals since January 1, 1601
  • Auto-run locations are Registry keys whose entries are launched automatically at startup or logon (e.g. the Run and RunOnce keys under both HKLM and HKCU at Software\Microsoft\Windows\CurrentVersion)

USB Information

  • Registry key HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR lists the USB storage devices that have ever been connected to the machine
    • subkeys are named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>, each with one subkey per device instance named after the device's serial number
    • if the second character of that instance name is an ampersand, the device reported no serial number and Windows generated the ID, so it cannot identify a specific unit
    • in an offline SYSTEM hive there is no CurrentControlSet; use ControlSet00N, where N is the value of HKLM\SYSTEM\Select\Current
  • HKLM\SYSTEM\MountedDevices maps drive letters (\DosDevices\E:) and volume GUIDs (\??\Volume{GUID}) to the device instance path, so it ties a serial number to the drive letter or volume the USB device was mounted as
  • the per-user key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (in NTUSER.DAT) holds the volume GUIDs a user has mounted, which indicates which user was logged on when the USB device was connected
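The three keys above only become useful once they are joined; the following added example (not code from the original notes) does that join. It assumes the keys have already been exported from the SYSTEM and NTUSER.DAT hives into plain Python dicts, with MountedDevices data kept as raw bytes. Every device name, serial, GUID and SID in the sample data is constructed for the example.

```python
"""Added example (not code from the original notes): correlate USBSTOR,
MountedDevices and MountPoints2 into one device -> drive letter -> user table.

Assumes the keys were exported into dicts: USBSTOR maps device key names to
their instance subkey names; MOUNTED_DEVICES maps value names to raw data;
MOUNTPOINTS2 maps a user SID to the subkey names under that user's
MountPoints2.  All sample data below is constructed.
"""
import re

USBSTOR_RE = re.compile(
    r"(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)")

VOL_GUID = "{9a1b2c3d-1111-2222-3333-444455556666}"
SANDISK = "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#4C530001234567890123&0"
GENERIC = "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#6&2a3b4c5d&0&_&0"

# HKLM\SYSTEM\ControlSet001\Enum\USBSTOR : device key -> instance subkeys
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001234567890123&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["6&2a3b4c5d&0&_&0"],  # '&' 2nd char: no serial
}


def _mounted(instance_path):
    """MountedDevices stores a USB device's path as UTF-16LE text ending in the class GUID."""
    return ("_??_USBSTOR#%s#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
            % instance_path).encode("utf-16-le")


# HKLM\SYSTEM\MountedDevices : value name -> binary data
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": b"\x78\x56\x34\x12\x00\x00\x00\x00\x00\x7e\x00\x00",  # fixed disk: signature + offset
    "\\DosDevices\\E:": _mounted(SANDISK),
    "\\??\\Volume" + VOL_GUID: _mounted(SANDISK),
}
# Explorer\MountPoints2 from each user's NTUSER.DAT : SID -> subkey names
MOUNTPOINTS2 = {
    "S-1-5-21-1004336348-1177238915-682003330-1001": [VOL_GUID],
    "S-1-5-21-1004336348-1177238915-682003330-1002": ["{0f1e2d3c-aaaa-bbbb-cccc-dddddddddddd}"],
}


def instance_serial(instance_id):
    """Device serial, or None when Windows generated the ID ('&' as second character)."""
    if len(instance_id) > 1 and instance_id[1] == "&":
        return None
    return instance_id.split("&")[0]


def decode_mounted_device(data):
    """Return (device key, instance) for USB entries; None for fixed disks and non-USB data."""
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not text.startswith("_??_USBSTOR#"):
        return None
    parts = text.split("#")
    return parts[1], parts[2]


def correlate(usbstor, mounted, mountpoints2):
    """Join the three artifacts; result is keyed by '<device key>#<instance>'."""
    rows = {}
    for devkey, instances in usbstor.items():
        info = USBSTOR_RE.match(devkey).groupdict()
        for inst in instances:
            row = {**info, "serial": instance_serial(inst),
                   "drive_letters": [], "volume_guids": [], "users": []}
            for valname, data in mounted.items():
                if decode_mounted_device(data) != (devkey, inst):
                    continue
                if valname.startswith("\\DosDevices\\"):
                    row["drive_letters"].append(valname.rsplit("\\", 1)[1])
                elif valname.startswith("\\??\\Volume"):
                    row["volume_guids"].append(valname[len("\\??\\Volume"):])
            for sid, guids in mountpoints2.items():
                if any(g in row["volume_guids"] for g in guids):
                    row["users"].append(sid)   # this user mounted the volume
            rows[devkey + "#" + inst] = row
    return rows


if __name__ == "__main__":
    for key, row in correlate(USBSTOR, MOUNTED_DEVICES, MOUNTPOINTS2).items():
        print(key, row)
```

The Generic device in the sample shows the failure mode worth remembering: with no real serial there is nothing to match in MountedDevices or MountPoints2, so the row ends up with empty drive-letter and user lists and the device can only be described by vendor and product.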

Wireless Networks

  • when a computer connects to a wireless network, the SSID is logged as a preferred network connection
    • on Windows XP this info is stored in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces
  • on Vista and later, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{ProfileGUID} gives a list of all networks (Wi-Fi and wired) the machine has connected to
    • the SSID is in the ProfileName and Description values
    • time first connected is stored in DateCreated and the last connection in DateLastConnected (both 16-byte SYSTEMTIME structures rather than FILETIME)
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged (Managed for domain networks) has one subkey per network signature whose DefaultGatewayMac value stores the MAC address of the gateway/wireless access point it was connected to, and whose ProfileGuid value links back to the profile above

Tracking Word Documents (PID_GUID)

  • older versions of Word (Office 97 and 2000 before SR-1) embed a PID_GUID value in the document's properties
    • e.g., {123A8B22-622B-14C4-84AD-00D1B61B03A4}
      • this is a version-1 UUID: the last 12 hex digits, 00D1B61B03A4, are the MAC address of the network card on the machine on which the document was created, and the first fields encode the creation time
  • useful for IP theft, espionage, etc. cases; later Office versions no longer embed the MAC
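Reading the MAC address out of the GUID is a string slice, but the GUID carries more: as an added example (not code from the original notes), the following decodes a version-1 UUID per RFC 4122, pulling out the node (MAC), a flag for whether that node is a real NIC address (the multicast bit is set when the generator substituted a random node), the clock sequence and the 60-bit creation timestamp (100-ns ticks since 1582-10-15). It uses the GUID quoted in the notes and one constructed GUID whose timestamp is exactly the UNIX epoch.

```python
"""Added example (not code from the original notes): decode a version-1
GUID such as the Office PID_GUID into MAC address and creation time.

RFC 4122 v1 layout: 60-bit timestamp split over time_low/time_mid/time_hi,
14-bit clock sequence, 48-bit node (normally the MAC of the generator).
"""
import uuid
from datetime import datetime, timedelta, timezone

UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)   # Gregorian reform date

PAGE_GUID = "{123A8B22-622B-14C4-84AD-00D1B61B03A4}"       # the GUID quoted in the notes
EPOCH_GUID = "{13814000-1DD2-11B2-8000-00D1B61B03A4}"      # constructed: time = 0x01B21DD213814000
V4_GUID = "{f47ac10b-58cc-4372-a567-0e02b2c3d479}"         # constructed random (v4) GUID


def analyse_guid(text):
    """Return version, MAC, whether the MAC is a real NIC, clock sequence and timestamp."""
    u = uuid.UUID(text)                      # accepts the {...} form Office writes
    if u.version != 1:
        return {"version": u.version, "mac": None, "mac_is_nic": False,
                "clock_seq": None, "timestamp": None}
    node = u.node.to_bytes(6, "big")
    return {
        "version": 1,
        "mac": ":".join("%02X" % b for b in node),
        "mac_is_nic": not (node[0] & 1),     # multicast bit clear => real NIC address
        "clock_seq": u.clock_seq,
        # uuid.time reassembles the 60-bit tick count from the three time fields
        "timestamp": UUID_EPOCH + timedelta(microseconds=u.time // 10),
    }


if __name__ == "__main__":
    for g in (PAGE_GUID, EPOCH_GUID, V4_GUID):
        print(g, analyse_guid(g))
```

Decoding the timestamp is the sanity check a practitioner wants before relying on the MAC: the GUID quoted in the notes decodes to a date centuries in the future, which marks it as an illustrative value rather than one produced by a real installation, whereas a genuine PID_GUID yields a plausible creation time that can be compared with the document's own timestamps.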

Malware in the Registry

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon contains a value named Shell with default data explorer.exe
    • tells Windows which shell (Windows Explorer, not Internet Explorer) to launch after logon
    • malware can append itself to this value (comma-separated) to start after logon; the neighbouring Userinit value (default C:\Windows\system32\userinit.exe,) is abused the same way
  • HKLM\SYSTEM\CurrentControlSet\Services\ lists system services and drivers
    • can find malware installed as a service here; check each entry's ImagePath for binaries in unusual locations (user profiles, temp folders) and its Start value (2 = automatic) for entries that run without user action

Uninstalled Software

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall for 32-bit programs on 64-bit Windows) lists the programs currently installed on the machine, with their uninstall commands and install dates
    • an entry is deleted when its program is uninstalled, so a program that shows up in other artifacts (Prefetch, Amcache, Shimcache) but not here was probably removed; deleted keys can sometimes be recovered from unallocated space inside the hive file

ShellBag

  • ShellBags (HKCU\Software\Microsoft\Windows\Shell\BagMRU and Shell\Bags in NTUSER.DAT, plus HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU in UsrClass.dat on Windows 7 and later) record the view settings of folders a user has opened in Explorer, which indicates a given folder was accessed
    • not a specific file
    • useful to prove a user browsed a folder intentionally, including folders on removable media and network shares that no longer exist
  • OSForensics tool shows many Registry values in a single dashboard as User Activity

Shimcache

  • aka AppCompatCache
  • stored in the value AppCompatCache under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
  • Windows Shimcache was created to track compatibility issues with executed programs
  • stores various file metadata:
    • file full path
    • file size (XP only)
    • last modified time of the file (its $STANDARD_INFORMATION modification time, not the time it was executed)
    • Shimcache last updated time (XP only)
    • process execution flag (Windows 7 and 8 only)
  • holds a fixed number of entries (1,024 on Windows 7 and later); the oldest data is replaced by new entries
  • the cache lives in memory and is only written to the Registry at shutdown or reboot, so the most recent entries may be missing from a hive copied off a running system
  • two actions can cause Shimcache to record an entry:
    • file is executed
    • on Windows 8, 10, Server 2012, and Server 2016, the Application Experience Lookup Service may record Shimcache entries for files in a directory that a user interactively browses
  • on Windows 10 there is no execution flag, so an entry proves the file existed at that path, not that it ran

Amcache

Amcache is a Registry hive (Amcache.hve) that stores information about executed and installed applications.

  • records a SHA-1 hash of each executable, computed over at most the first 31 MB of the file, so it only matches the full-file hash for files smaller than that
    • can use it to search VirusTotal
  • found at C:\Windows\AppCompat\Programs\Amcache.hve
  • cannot be opened on a running system because it is locked while in use; copy it out with a raw-access tool or from a volume shadow copy
  • also records the file path, first-run time and PE metadata; it replaced the older RecentFileCache.bcf on Windows 7

Prefetch

Prefetch files contain the name of the executable, a Unicode list of the files and DLLs the executable touched, a count of how many times it has been run, and a time stamp indicating the last time it was run (Windows 8 and later keep the last 8 run times).

  • found as .pf files in C:\Windows\Prefetch, named <EXENAME>-<hash of the path>.pf, with at most 128 files (XP to 7) or 1,024 files (8 and later)
  • controlled by the EnablePrefetcher value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters; it is disabled by default on Server editions
  • designed to speed up the application startup process
  • related but distinct features, not renames: SuperFetch (proactive caching) and ReadyBoot (boot-time prefetching), which also use this directory
  • Windows 10 prefetch files are compressed (their first bytes are MAM) and must be decompressed before parsing
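A header parser for uncompressed .pf files, as an added example (not code from the original notes). The field offsets follow the public libscca documentation of the format for versions 17 (XP/2003), 23 (Vista/7) and 26 (8.x): version and SCCA signature at the start, file size at 12, the UTF-16 executable name at 16, the path hash at 76, then version-specific positions for the last-run FILETIME(s) and run count; treat that table as an assumption to check against real files. Compressed Windows 10 files are detected and rejected rather than parsed. The sample files are constructed.

```python
"""Added example (not code from the original notes): parse the header of an
uncompressed Windows Prefetch (.pf) file.

Offsets are taken from the public libscca format description and are an
assumption to verify: version -> (offset of last-run FILETIMEs, how many are
stored, offset of the run count).  Windows 10 files ("MAM" signature) are
LZXPRESS-Huffman compressed and are rejected here.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LAYOUT = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0)}


def filetime_to_datetime(ft):
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def is_compressed(blob):
    """Windows 10+ prefetch files start with 'MAM' followed by a flags byte."""
    return blob[:3] == b"MAM"


def parse_prefetch(blob):
    if is_compressed(blob):
        raise ValueError("compressed (Windows 10+) prefetch file: decompress before parsing")
    version, signature, _, size = struct.unpack_from("<I4sII", blob, 0)
    if signature != b"SCCA" or version not in LAYOUT:
        raise ValueError("not a supported prefetch file (version %r)" % version)
    run_off, n_times, count_off = LAYOUT[version]
    name = blob[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", blob, 76)[0]
    raw_times = struct.unpack_from("<%dQ" % n_times, blob, run_off)
    return {
        "version": version,
        "size": size,
        "executable": name,
        "hash": "%08X" % path_hash,
        "expected_filename": "%s-%08X.pf" % (name, path_hash),  # should match the on-disk name
        "run_count": struct.unpack_from("<I", blob, count_off)[0],
        "last_runs": [filetime_to_datetime(t) for t in raw_times if t],  # newest first on 8+
    }


def make_prefetch(version, exe_name, path_hash, run_count, last_runs):
    """Constructed header-only .pf image for the example (section tables zeroed)."""
    run_off, n_times, count_off = LAYOUT[version]
    blob = bytearray(0x100)
    struct.pack_into("<I4sII", blob, 0, version, b"SCCA", 0x11, len(blob))
    blob[16:76] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", blob, 76, path_hash)
    times = [datetime_to_filetime(t) for t in last_runs] + [0] * (n_times - len(last_runs))
    struct.pack_into("<%dQ" % n_times, blob, run_off, *times)
    struct.pack_into("<I", blob, count_off, run_count)
    return bytes(blob)


SAMPLE_V23 = make_prefetch(23, "CMD.EXE", 0x4A81B364, 12,
                           [datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)])
SAMPLE_V26 = make_prefetch(26, "NOTEPAD.EXE", 0x12345678, 3,
                           [datetime(2024, 5, 2, 9, 30, tzinfo=timezone.utc),
                            datetime(2024, 5, 1, 8, 15, tzinfo=timezone.utc)])
SAMPLE_MAM = b"MAM\x04" + bytes(32)

if __name__ == "__main__":
    print(parse_prefetch(SAMPLE_V23))
    print(parse_prefetch(SAMPLE_V26))
```

Comparing expected_filename with the real file name is a cheap integrity check: the hash is computed from the executable's full path, so a .pf whose name does not match its own header, or two .pf files for the same executable name with different hashes, point at the program having been run from more than one location.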

SRUM

System Resource Usage Monitor (SRUM) is a database in which Windows 8 and later record, per application and per user, resource usage such as CPU time, bytes read and written, and network bytes sent and received, flushed roughly once an hour.

  • data stored in Microsoft's database format Extensible Storage Engine (ESE)
  • allows one to trace resource utilization and network activity back to an executable and a user SID, even after the program itself has been deleted
  • tracks the network interface, network profile, time the connection was established, and length of the connection
  • normally found at \Windows\System32\sru\SRUDB.dat; the configuration and the most recent (not yet flushed) hour of data are in the SOFTWARE hive under Microsoft\Windows NT\CurrentVersion\SRUM
  • an ESE database parser can be used to see this info

BAM and DAM

  • Background Activity Moderator (BAM) provides the full path of executables that were run on the system and the last execution date/time, per user
    • located at HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} on Windows 10 1709 and later (under bam\State\UserSettings\{SID} from 1809 on); each value name is an executable path and its data is a FILETIME
  • Desktop Activity Moderator (DAM) also shows application usage
    • located at HKLM\SYSTEM\CurrentControlSet\Services\dam (same layout)

The $I30 Attribute

  • NTFS maintains, for every directory, an index of the files and subdirectories that belong to it
    • the index is named $I30 (the name of the index built over the $FILE_NAME attribute)
  • every directory contains an $I30 index, held in its $INDEX_ROOT attribute and, once it outgrows the MFT record, in $INDEX_ALLOCATION (the INDX records on disk, tracked by a $BITMAP attribute)
  • when files or folders are removed, the $I30 index records are rearranged accordingly
    • may leave remnants of the deleted file/folder entry (name, size, and all four timestamps) within the slack space of the index
  • $I30 is the name given to the NTFS MFT attributes containing filename indexes for directories
    • NTFS stores filename contents in several places (the file's own MFT record and the parent directory's $I30 index), so a deleted file's name and timestamps can survive in the index after its MFT entry has been reused