First Look At The Windows 7 Forensics
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View First Look At The Windows 7 Forensics as PDF for free.
More details
- Words: 24,117
- Pages: 83
University of Strathclyde
First Look at the Windows 7 Forensics Forensic implications of the new Windows 7
Piotrek Smulikowski 01/09/2009
This dissertation was submitted in part fulfilment of requirements for the degree of MSc Forensic Informatics
Department of Computer and Information Sciences University Of Strathclyde
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Abstract Microsoft is ready for shipment of its new mainstream Operating System - Windows 7. From 22nd of October most of new computers will be sold with the new system. It is the intention of this paper to prepare computer forensic professionals for the challenges it can potentially bring and what impact it is likely to have on forensic examination. Through the comprehensive research and the detailed analysis of the introduced features, it was possible to identify the prospective problems, that examiners can encounter, and document them. However, also new sources of evidence were discovered, replacing old and discarded sources. This paper provides a first look at the Windows 7 from the computer forensic perspective and is designed to help digital investigators in better understanding but also more effective forensic analysis of the system.
II
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Table of Contents Declaration ................................................................................................Error! Bookmark not defined. Abstract.....................................................................................................................................................................II Acknowledgments ..................................................................................Error! Bookmark not defined. Table of Contents ................................................................................................................................................ III List of Tables.......................................................................................................................................................V List of Figures................................................................................................................................................... VI 1.
Introduction .............................................................................................................................................. 1 1.1.
Rationale ................................................................................................................................................. 1
1.2.
Deliverables ........................................................................................................................................... 3
1.3.
Project constraints .............................................................................................................................. 3
1.4.
Audience....................................................................................Error! Bookmark not defined.
1.5.
This Document...................................................................................................................................... 4
2.
Background Research / Literature Review .................................................................................. 6 1.
Windows 7 Development versions .................................................................................................. 8
2.
Windows 7 final editions ..................................................................................................................... 9
3.
Internet Explorer 8.............................................................................................................................. 11 3.1.
InPrivate – Stealth Browsing ....................................................................................................... 11
3.2.
Suggested Sites .................................................................................................................................. 13
3.3.
Session Recovery .............................................................................................................................. 14
3.4.
Index.dat files..................................................................................................................................... 16
4.
Folder Structure ................................................................................................................................... 19 4.1.
Libraries ............................................................................................................................................... 19
4.2.
Windows Search and Federated Search .................................................................................. 20
4.3.
User folders......................................................................................................................................... 21
5.
New Taskbar and Jump List ............................................................................................................. 23 6.
BitLocker ................................................................................................................................................. 28
6.1.
BitLocker in Windows Vista ......................................................................................................... 28
6.1.1.
Introduction ................................................................................................................................... 28
6.1.2.
Authentication Methods ............................................................................................................ 28 III
First Look at the Windows 7 Forensics
Piotrek Smulikowski
6.1.3.
BitLocker Identification............................................................................................................. 29
6.1.4.
BitLocker Acquisition ................................................................................................................. 31
6.2.
BitLocker in Windows 7................................................................................................................. 32
6.2.1.
Introduction ................................................................................................................................... 32
6.2.2.
BitLocker To Go ............................................................................................................................ 32
6.2.3.
BitLocker To Go Identification................................................................................................ 34
6.2.4.
BitLocker To Go Acquisition .................................................................................................... 37
6.2.5.
BitLocker changes........................................................................................................................ 38
6.3. 7.
Windows 7 BitLocker Conclusions ............................................................................................ 39 Registry Analysis.................................................................................................................................. 41
7.1.
Introduction........................................................................................................................................ 41
7.2.
Registry locations ............................................................................................................................. 42
7.2.1.
Time Information..................................................................................................................... 42
7.2.2.
Most Recently Used................................................................................................................. 43
7.2.3.
UserAsisst ................................................................................................................................... 45
7.2.4.
Autoruns...................................................................................................................................... 47
7.2.5.
Network information.............................................................................................................. 47
7.2.6.
Mounted Devices...................................................................................................................... 48
7.2.7.
USB Device Information ........................................................................................................ 49
7.2.8.
Internet Explorer ..................................................................................................................... 50
8.
Miscellaneous new Features and Changes................................................................................. 51 8.1.
Location and Sensors API.............................................................................................................. 51
8.2.
exFAT / FAT64 .................................................................................................................................. 53
8.2.1.
exFAT Identification.................................................................................................................... 53
8.3.
Partition Table ................................................................................................................................... 54
8.4.
XP mode................................................................................................................................................ 56
8.5.
Biometrics and Fingerprint support ..............................Error! Bookmark not defined.
8.6.
Uninstall Process ...................................................................Error! Bookmark not defined.
8.7.
Mix.......................................................................................................................................................... 57
8.8.
UAC..............................................................................................Error! Bookmark not defined. IV
First Look at the Windows 7 Forensics
9.
Piotrek Smulikowski
Methodology .......................................................................................................................................... 58 9.1.
10.
Hardware and Software used ...................................................................................................... 60 Conclusions ............................................................................................................................................ 62
10.1.
Research Achievements............................................................................................................. 62
10.2.
Actual Constraints........................................................................................................................ 64
10.3.
Reflections on Research..................................................Error! Bookmark not defined.
10.4.
Final Conclusions ......................................................................................................................... 64
10.5.
Future Work................................................................................................................................... 65
References: ................................................................................................Error! Bookmark not defined. Bibliography......................................................................................................................................................... 67 APPENDIX A – Windows 7 Editions Comparison Chart..................................................................... 74
List of Tables Table 1 Windows 7 Editions comparison (Protalinski, 2009) ............................................................ 9 Table 2. Behaviour of the Internet Explorer 8 InPrivate mode (Zeigler, 2008). ....................... 11 Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer Help ........................................................................................................................................................... 12 Table 4. File names and their respective application that store Jump List data ....................... 26 Table 5. Required Values for BitLocker stored in boot sector of an encrypted volume (Hunter, 2006) ...................................................................................................................... 30 Table 6. Short naming convention for root hives .................................................................................. 41 Table 7. Registry paths and corresponding files.................................................................................... 42 Table 8. Differences and similarities in registry key locations between Windows XP and Windows Vista. ...................................................................................................................... 45 Table 9. USB Information gathering process. Adapted from (SANS Forensics Blog, 2009)......................................................................................................................................................... 50 Table 10. Hardware and Software Specification of used PCs ........................................................... 60 Table 11. Windows 7 editions comparison chart source WIKIPEDIA........................................... 75 V
First Look at the Windows 7 Forensics
Piotrek Smulikowski
List of Figures Figure 1. Contents of the SuggestedSites.dat file, viewed in Hex editor. Visited URLs are underlined in Blue and Referrer URLs are highlighted in yellow.................. 13 Figure 2. Contents of SuggestedSites.dat file with visible header underlined in red and IE Browser version highlighted in yellow. ........................................................................ 14 Figure 3. Contents of the Active folder. In this example normal and InPrivate modes are used and have multiple tabs open. Note: this screenshot comes from Windows XP. ............................................................................................................................... 15 Figure 4. Contents of an example tab file. URL is highlighted in grey and page name is in yellow.................................................................................................................................. 16 Figure 5. index.dat file parsed with Pasco and imported by Excel ................................................. 18 Figure 6. XML code in library-ms file. The included folder path is highlighted in grey............................................................................................................................................................ 20 Figure 7. Contents of Search Connector configuration file. The domain search provider is highlighted in grey ....................................................................................................... 21 Figure 8. Start Menu properties window, allows user to disable the Jump List and customize contents of the start menu.......................................................................................... 24 Figure 9. Contents of the Jump List recent items file viewed in hex editor. Path to recent 'cos.png' file is highlighted in grey. This particular file, stores recent items list for Microsoft Paint. .......................................................................................................... 25 Figure 10. BitLocker Encrypted volume header of a boot sector in Windows Vista viewed in Hex editor
(Hargreaves & Chivers, 2007) ....................................... 31
Figure 11. Group Policy allow forcing users to encrypt USB sticks, (Funk, 2008) ................... 33 Figure 12. BitLocker To Go Reader window allows viewing files and exporting to local machine. Screenshot taken from Windows Vista ......................................................... 34 Figure 13. BitLocker To Go encrypted portable drive......................................................................... 34
VI
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 14. Contents of the BitLocker To Go encrypted portable drive. BitLockerToGo.exe file is clearly visible,
Screen shot taken from
Windows Vista. ..................................................................................................................................... 35 Figure 15. FAT32 volume encrypted with BitLocker To Go. MSWIN4.1 OEM Nam is highlighted in yellow and FAT32 file system highlighted in grey ................................ 35 Figure 16. BitLocker signature found on BitLocker To Go encrypted volume highlighted in yellow. Additionally original Computer Name, Drive Letter and Date were also found - highlighted in grey. ...................................................................... 36 Figure 17. Header of NTFS drive encrypted with BitLocker To Go viewed in Hex editor. The BitLocker singature -FVE-FS- is at 0x03 offset - highlighted in yellow. Interestingly it is marked as FAT32 file system highlighted in grey................ 36 Figure 18. BitLocker signature found on encrypted NTFS volume - highlighted in yellow. Computer name, Drive letter and Date were also found highlighted in grey............................................................................................................................... 37 Figure 19. Image shows binary data for the example UserAssist value. Underlined in red is the obfuscated program path, in green is the decoded path. Highlighted in yellow is the counter number and in blue is the time stamp in Hex........................................................................................................................................................ 46 Figure 20. Output from Date/Time converting application DCode. Highlighted in yellow is the time stamp from above example (see previous figure).............................. 47 Figure 21. exFAT partition signature 'EXFAT' ........................................................................................ 53 Figure 22. fdisk recognizes exFAT as NTFS with partition id=7...................................................... 54 Figure 23. Output from mmls tool, exFAT is recognised as NTFS................................................... 54 Figure 24. fdisk recognized two partition as NTFS............................................................................... 55 Figure 25. mmls tool displays the details and locations of the two partitions. ......................... 55 Figure 26. The output from the fsstat tool with details of the System Reserved (left) and Windows 7 partitions (right). ..................................................................................... 56
VII
1. Introduction Microsoft Windows is by far the most popular Operating System among typical computer users, as a result it has a great impact on computer forensics. Therefore there is no doubt that the introduction of the Windows 7 will have its footprint on forensics. The big question is what impact it is going to have, whether the existing methods will become obsolete or maybe there will be no forensically significant changes at all. Early opinions, suggest that digital investigators will not be forced to change their careers just yet. However information regarding the forensic issues of Windows 7 is very limited, there is no single detailed resource on the topic. This paper attempts to fill in the gap. It is intended that the research will provide forensic examiners with the starting point, first look at the issues surrounding the new Windows analysis. Through the in-depth discussion and examination of some of the relevant features, the study produced certain interesting findings. The paper is primarily aimed at the forensic examiners to aid them in the analysis of the new Windows 7 based computer. It is hoped that after reading the research, forensic investigators will gain more confidence when faced with the new system. Additionally through the analysis of the new sources of evidence, examiners will be able to produce stronger evidence. Various functionalities include features that work in examiner’s favour or against it. The challenges that the Windows 7 will bring could potentially have an impact of the forensic analysis. This research attempted to analyse and document them to raise examiners awareness. However, this is the first detailed analysis of the Windows 7 seen from the forensic point of view, while it may be regarded as comprehensive it is by no means the complete exhausted reference. It will take time and lots more research to achieve this and this paper tries to form a basis but also encourage for further studies on the topic.
1.1.Rationale The introduction of new software can bring a wide range of changes that potentially affect compatibility. This is especially true in the case of an Operating System which provides a basic functionality and platform for other software; it is a system that coordinates all computer actions. Since other applications rely on it, the way that they work is heavily dependent on the OS. Software for Apple Mac OS will not work on MS Windows Vista because it handles guest applications and data very differently. This is to be expected when it comes to different competitor’s platforms, however it can also be the case even on the same platform. For instance an application written for a Windows XP may or may not work under the Vista environment. Fortunately, over time, software developers modify their products so they work under the new system. The incompatibility issues may also affect 1
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Windows 7, however very few have been reported so far. It is important to remember that the problem can affect forensics both ways: Windows 7 as (a) a target PC or (b) analysis platform. While studying software alternatives, the research may reveal such problems with tested collection of applications. The research aims to discover the differences in the forensic analysis process between the new system and previous versions of Windows, namely Vista and XP. Windows XP was used as the main consumer OS for nearly 6 years, whereas the Vista will be replaced by the Windows 7 after little over 2.5 years. Given this much shorter development time it is not expected large amount of new features. Speculation suggests that this is refined version of the Vista, and some even say that it is what Vista was meant to be. Microsoft has dropped the introduction of the new Windows File System which would have had a very significant impact on forensic analysis. It is also possible that very few changes actually affect the process but this is the reason why this research is important; to find any major differences, if any, to the forensic analysis procedures. Certainly, the time it will take for Windows 7 to be adopted by the majority of the PC market will be substantial and, similarly in the computer crime world, it will slowly gain popularity. Although in current financial climate forecasts about computer sales vary but the Windows market share should be preserved. This means that when Windows 7 is released, 93% of new home computers sold, will be with this Operating System (NET APPLICATIONS, 2009). Therefore it is going to become the main OS used by home users and it is safe to assume that criminals will start using the new system as well, and the sooner forensic specialists become familiar with the system the better. The main beneficiaries of this study are thought to be forensic investigators and researchers. Analysts will learn how important to the analysis process the changes are, which techniques still apply, what could be a new source of forensic evidence. It will help to them to choose appropriate techniques in order to recover as much evidence as possible from the new system. Results from the study could form a solid basis for further forensic research on the more specific issues of the Windows 7. The aim is to provide researchers with an overview of the new features and overall changes to the system architecture and how important they are to the forensic analysis process. If the research finds substantial differences that require further, more in depth analysis they could become a basis for more detailed and focused study. However, if findings from the research state that there are no changes to the forensic analysis procedure, it could still be considered as a successful study since there is no other published research, at least at the time of writing, which tries to examine the new system. Therefore it might be beneficial to the computer forensic community to establish that as a 2
First Look at the Windows 7 Forensics
Piotrek Smulikowski
fact, if this is the case. Hence, regardless of the findings of the research, it can still be valuable paper in a forensic field, provided of course that the research has been properly executed. Literature available on the topic of Windows 7 and forensics is very limited and it is believed that this paper would fill this particular gap and possibly encourage forensic community to undertake further work in this field. Last but not least from my personal point of view I hope to learn more about the forensic analysis of Windows based computers. During the course of my studies I got to know many techniques applicable for the Microsoft system but I realise that further development of my practical and theoretical knowledge is required to become good and effective investigator. I believe that extensive research of the platform can give me ‘an edge’ when applying for employment after graduation. This is why I treat this research very seriously and hope that it could open doors for me upon successful completion of the project.
1.2.Deliverables The following quote comes from the research proposal and discusses the deliverables: “When the research will be finished the following deliverables are expected:
Review of the changes that have an impact on the forensic analysis. Comparison to the previous Windows systems analysis process. Identification of the new sources of evidence if such exists. Review and validation of the old, known evidence sources. Evaluation of the tools with regard to the new system. Draft of the forensic analysis procedure of the Windows 7. (not a key requirement)“
The research aims to deliver few different objectives, all oriented around the forensic analysis of the Windows 7. First being a review of the changes and new features that could potentially affect the examination. It is partially theoretical study of new features in order to highlight the forensically significant ones but also it includes the practical approach where features are examined on the actual PC running Windows 7.
1.3.Project constraints The research is focused around Windows 7 which is not yet a finished product. This provides a strong argument for undertaking the study because it ensures the novelty factor.
3
First Look at the Windows 7 Forensics
Piotrek Smulikowski
However it also introduces the risk that the final product will vary substantially from the version examined. As a result it could potentially void results from the research. However, the version examined (RC) is thought to be very similar to the final version with only minor cosmetic changes rather than changes in core functionality and features so this should not affect the results. Additionally, in order to improve the relevance of the research it would be desirable to wait until the final version is publically available. However, due to the fact that deadline for the research is nearly two months before official release it is infeasible to do so. Due to the fact that there is very little information on the topic it is difficult to find any new sources of evidence. The Operating System is very complicated in its nature therefore it is nearly impossible to identify all changes by manual exploration or uninformed search. Structures like Windows Registry are incredibly complex and it would be impractical to crawl through all registry keys and check for any evidence. This problem is addressed by employing informed search which limits data set to the most likely candidates. For instance, rather than analyzing all new features only those that could potentially be storing any evidence would be analyzed, thus maintaining a balance between accurate results and effective use of time. In addition, attempts will be made to contact experts in Windows forensics, including Microsoft staff. Another constraint that may have an impact on one of the deliverables is the availability of forensic software. Forensic software packages like, for example, EnCase tend to be very expensive. Moreover many manufacturers do not publish evaluation versions, and while this might stop ‘warez’ community from reverse engineering or devising anti-forensic techniques it also makes it very difficult to accumulate a collection of software to evaluate its behaviour on a new version of the Operating System. While majority of investigators work on integrated forensic packages like EnCase, FTK or X-Ways Forensics there are also free alternatives. Fortunately, selections of tools from a wide range of freeware and open source software can be easily assessed. As with many projects, the time limit is a crucial constraint that effectively shapes the whole research. Therefore effective time management is highly important in order to bring research to a successful conclusion. Regular meetings with supervisor ought to help keep progress on track.
1.4. This Document This paper was written as a dissertation for MSc Forensic Informatics course at the Strathclyde University. The project was guided by Lothian and Borders Police department. 4
First Look at the Windows 7 Forensics
Piotrek Smulikowski
As requested in the departmental guidelines the font size is 12. However, the 1.15 line spacing was used in order to reduce paper wastage, which was agreed with the supervisor. References are submitted in Harvard – Leeds style, following patterns outlined in Postgraduate Handbook. Special plug-in for Microsoft Office Word 2007 is used in order to keep consistency of referencing (CODEPLEX, MICROSOFT, 2009).
5
First Look at the Windows 7 Forensics
Piotrek Smulikowski
2. Background Research At the time of writing the research Windows 7 has not yet been released to the public. As mentioned before with a release of any new version of Windows there is a lot of talk around it. Windows 7 has already made headlines but they mostly focus on the usability of the system, its performance, compatibility or pricing. Many Information Technology web portals and magazines have published a wide variety of articles and tutorials regarding the new features included in Windows 7. One such example is the article from Ars Technica about its Graphical User Interface (BRIGHT, P, 2008). In addition many independent websites are rising that are exclusively dedicated to the new Windows such as windows7news.com. Microsoft is actively working on expanding its knowledge base available through Microsoft TechNet Library website (MICROSOFT), where IT professionals can find useful resources about Microsoft products. This portal contains, among others, articles on BitLocker, AppLocker or Security Enhancements of Windows 7. This knowledge base is oriented mainly towards developers or security specialists. There is, however, very little information available on the new OS from the forensic point of view. All of the existing sources are limited to individual posts on forensic community forums or blogs. No articles are published on the subject and the gap has not been filled by Microsoft. According to an anonymous source, the Redmond based company delivers closed seminars for Law Enforcement agencies, which are not disclosed to the public. Some of these materials were made available, with permission, for the purpose of this research. One of the most popular forums with a strong forensic community is forensicfocus.com. So far there have been only few discussions involving the new Windows. For instance, user oasol reported the first case based on Windows 7 (OASOL, 2009). Whereas user jenskr reported that some of the major forensic packages are compatible with 32 bit version of Windows 7 (JENSKR, 2009).In order to learn more details about the new OS in context of forensics a forum thread was created and although it had large number of the views very little response was noted. User MMachor reported that the 7 “is really from a forensic aspect very similar to Vista” and suggested that Recycle Bin, Prefetch and some other areas examined by him have not changed (MMAHOR, 2009) but he fails to go in to greater detail. The blog run by Harlan Carvey (user keydet89), the author of many forensic publications including Windows Forensic Analysis book, provides details of certain aspects of Windows 7 forensics (CARVEY, Harlan, 2009). He suggests that usability features like Jump List are “going to be a gold mine for an analyst”. This view is shared by other testers too; they believe that it can provide information similar to Most Recently Used registry keys. Carvey 6
First Look at the Windows 7 Forensics
Piotrek Smulikowski
also confirmed compatibility of his own tool RegRipper (CARVEY, Harlan and Shavers, Brett, 2009) designed to extract forensic data from registry hives, and upon loading registry keys from the Windows 7 he was able to view evidence data as expected. Due to the tool’s component build some plug-ins responded better than others to the changes in new system. Analysis of unsuccessful extractions of data can help to determine differences between new OS and its predecessors. Carvey also announced, shortly after presentation of his second edition of the book, that the third edition would include forensic analysis of the new Microsoft OS incarnation. An article from Didier Stevens’ blog reported that UserAssist key in registry, which holds shortcuts to most frequently used applications displayed in start menu in Windows, is obscured with Vigenère cipher unlike ROT-13 in previous versions (STEVENS, Didier, 2009). It was first found on Beta version of Windows 7, however it was then reverted back to the ROT-13 in RC version. Former Microsoft developer, Steve Riley claims that it was used by their team in order to more easily identify changes after a system upgrade and was only introduced for development purposes and therefore it was not necessary to be carried forward to final version. Later research showed that the cipher was indeed changed back to ROT-13 in the RC version. Although, as shown above, some information with regard to forensics and Windows Seven is available it is still very sparse and incomplete; there is obvious lack of one integrated source of information that could form an early reference for examiners. Blogs can be very knowledgeable source however it is not easy to find all the information available if it is spread over many different sites. Because of the lack of information on Windows 7, reference sources about Vista were analysed in order to help with verifying new features in the updated system. These can help to make ‘informed’ analysis of the new system. If some features were newly introduced in the previous system they are likely to be changed or improved upon and this could potentially create new sources of evidence. After Windows Vista was released back in January 2007 many examiners wondered how it was going to affect the forensic analysis process. It was not long before the first articles were published. One of the first was the “Notes on Vista Forensics” part One and Two by Jamie Morris founder of Forensic Focus (MORRIS, Jamie, 2007) posted a little over a month after release. It provided “ a high level look at what we know now about those changes in Vista which seem likely to have most impact on computer forensic investigators” (MORRIS, Jamie, 2007).
7
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Lecturers from Cranfield University published a paper called: “Potential Impacts of Windows Vista on Digital Investigations”, that follows a similar approach but that goes into greater detail (HARGREAVES, C and Chivers, H, 2007). It analyzes new features and system changes from the forensic perspective. Another interesting paper was presented at the Computer and Enterprise Investigation Conference 2007 (CEIC)(MUELLER, Lance, 2007) by Lance Mueller from Guidance Software (GUIDANCE SOFTWARE INC., 2009), the company that created EnCase. The author undertook a detailed examination of changes introduced in Vista like e.g. NTFS file system update.
1. Windows 7 Development versions When Microsoft released Vista in January 2007, Windows XP had been on the market since October 2001, which means that its lifespan was over a five and half years. The new system did not have a good start with numerous ‘Vista Issues’ including mainly the performance and compatibility problems. This has resulted in the relatively low popularity of the Vista. Microsoft decided to shorten the life of Vista to just two and a half years in favour of the new version. Obviously, Vista is still going to be supported by Microsoft; however, the main development is dedicated to the Windows 7. Close to the date of finishing the Windows 7, Microsoft released Service Pack 2 for Vista, to help to bring it up to date especially in the light of Windows 7. The newest OS has been well received by testers and is expected to have much better start based on early pre-order sales figures. According to the BBC: “Amazon said that sales of Windows 7 in the first eight hours it was available outstripped those of Windows Vista's entire 17 week pre-order period” (BBC NEWS UK, 2009). Microsoft released the first build of the Windows 7 to the public on the 9th of January 2009. Build 7000 was a Beta release signifying an early development stage, however it provided the first insights into the feature sets available in the final version. Some of the big changes were discarded, like the new file system replacement of the NTFS, which would have an enormous affect on forensics in general, and file recovery in particular. It became a very popular download, and many IT savvy people tried it, including some forensic examiners like Harlan Carvey - author of the previously referenced blog posts. The reception it received was much better in comparison to Vista. However, it was a popular belief that the new system did not carry many changes; that it was just an improved Vista. This view was reinforced when Steve Ballmer, Microsoft’s CEO, said: “Windows 7 will be more like Windows Vista, but a lot better!” (PARRISH, Kevin, 2008). On 5th of May 2009 Microsoft made Release Candidate (RC) public. Version 7100 addressed feedback from testers and GUI improvements but feature changes were minor (MSDN BLOG, 2009). 8
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Since the first announcement about Windows 7, Microsoft has moved the expected release date numerous times and some has suggested it might be as late as mid 2010. However, as development versions were progressing, it seemed as if the final date would be much earlier. On 2nd of June 2009, Brandon LeBlanc wrote on Windows Blog and confirmed that the General Availability date is 22nd of October 2009 (LEBLANC, Brandon, 2009). Although, developers and OEM Manufacturers were meant to be getting the final version sooner. Few weeks later on 24.07.2009 Windows 7 was finally signed off by internal testing group which meant that it met quality control and reached Release To Manufacturing (RTM) status (LEBLANC, Brandon, 2009). At this point build 7600 was released to OEM Manufacturers for deployment purposes.
2. Windows 7 final editions As with Vista, Windows 7 comes in wide variety of editions. However the line up has changed slightly. With 6 different versions available varying feature sets. Emil Protalinski from Ars Technica (PROTALINSKI, Emil, 2009) compared them:
Windows 7 Starter (worldwide via OEM only): up to three concurrent applications, ability to join a Home Group, improved taskbar and JumpLists
Windows 7 Home Basic (emerging markets): unlimited applications, live thumbnail previews and enhanced visual experience, advanced networking support
Windows 7 Home Premium (worldwide): Aero Glass and advanced windows navigation, improved media format support, enhancements to Windows Media Center and media streaming, including Play To, multi-touch and improved handwriting recognition
Windows 7 Professional (worldwide): ability to join a managed network with Domain Join, data protection with advanced network backup and Encrypting File System, and print to the right printer at home or work with Location Aware Printing
Windows 7 Ultimate (worldwide): BitLocker data protection on internal and external drives, DirectAccess for seamless connectivity to corporate networks based on Windows Server 2008 R2, BranchCache support when on networks based on Windows Server 2008 R2, and lock unauthorized software from running with AppLocker
Windows 7 Enterprise (volume licenses): same as Ultimate, includes the following improvements: DirectAccess, BranchCache, Search, BitLocker, AppLocker, Virtualization Enhancements, Management, as well as Compatibility and Deployment.
Table 1 Windows 7 Editions comparison (PROTALINSKI, Emil, 2009)
9
First Look at the Windows 7 Forensics
Piotrek Smulikowski
To sum up: Starter is designed for low spec hardware – Netbooks, with heavily limited features. Home Basic edition is only for emerging markets whereas Home Premium, Professional and Ultimate are mainstream editions, available for retail sale. Enterprise is available only via Volume Licenses. Upgrading will only be available to mainstream editions. Analogically to Vista one installation disk can support all editions, the type of licence is determined on a basis of Product Key. Due to the European Commission decision that Microsoft had violated European competition law by offering Internet Explorer (IE) browser as a default browser, the company decided to remove IE from the European version of Windows 7 (CLARKE, Gavin, 2009). As a result the special version called ‘Windows 7 E’ would not allow upgrades and so making the cost of the new Windows higher as only the full version would be sold. The issue was eventually resolved by introducing the ‘Web Browser Ballot’ screen allowing for choice of alternative browser (FIVEASH, Kelly, 2009). For a detailed comparison of the Windows 7 editions please see Appendix A.
10
First Look at the Windows 7 Forensics
Piotrek Smulikowski
3. Internet Explorer 8 Internet Explorer 8 (IE8) is the newest Web Browser developed by Microsoft as the default browser for Windows. It is bundled in Windows 7 but it is also offered as a recommended update for an IE7 on Vista or XP. Therefore some investigators may have already experienced examination of the new version. However it is important to note that there are substantial differences between releases for different platforms, XP in particular, due to improvements in privilege management on newer platforms. The newest release claims significant enhancements in security such as Click-Jacking prevention or Cross Site Scripting filters.
3.1. InPrivate – Stealth Browsing Microsoft followed other browser makers like for instance Safari and introduced stealth mode in the newest version. The InPrivate feature allows browsing the internet without leaving traces on a local machine. Certainly it has an impact onto forensic analysis of the new browser as an investigator has very little, if any, chances of reconstructing suspect’s online activity. By default when user starts a browser, the standard mode is launched and user activity is recorded in a normal manner, it is when user enables the InPrivate browsing (Safety > InPrivate Browsing) that the stealth mode is launched in another window. Behaviour of the browser changes only for the InPrivate session, thus if user has had standard window open, its history would be stored as normal, whereas the activity within the stealth mode window would be discarded. According to IE Microsoft Blog (ZEIGLER, Andy, 2008) InPrivate Browsing changes the behaviour in the following way:
New cookies are not stored o All new cookies become “session” cookies o Existing cookies can still be read o The new DOM storage feature behaves the same way New history entries will not be recorded New temporary Internet files will be deleted after the Private Browsing window is closed Form data is not stored Passwords are not stored Addresses typed into the address bar are not stored Queries entered into the search box are not stored Visited links will not be stored Table 2. Behaviour of the Internet Explorer 8 InPrivate mode (ZEIGLER, Andy, 2008).
Analysis showed that the wording of the above list (Table 2) is crucial because it means that only new history entries are not recorded. However, all other attributes such as Cache are recorded but deleted when the InPrivate windows is closed. It opens a possibility for 11
First Look at the Windows 7 Forensics
Piotrek Smulikowski
those files to be recovered by specialist data recovery tools. Alternative explanation (Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer HelpTable 3) of the browser behaviour in the InPrivate mode comes from the Internet Explorer Help. Information Cookies Temporary Internet files Webpage history Form data and passwords Anti-phishing cache Address bar and search AutoComplete Automatic Crash Restore (ACR) Document Object Model (DOM) storage
How it is affected by InPrivate Browsing Kept in memory so pages work correctly, but cleared when you close the browser. Stored on disk so pages work correctly, but deleted when you close the browser. This information is not stored. This information is not stored. Temporary information is encrypted and stored so pages work correctly. This information is not stored. ACR can restore when a tab crashes in a session, but if the whole window crashes, data is deleted and the window cannot be restored. The DOM storage is a kind of "super cookie" web developers can use to retain information. Like regular cookies, they are not kept after the window is closed.
Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer Help
When privacy mode was first announced in 2008, it soon was unfavourably known as a ‘porn mode’ as it was believed to cover all browsing tracks. It produces mixed feelings in system administrators’ community since it could create opportunity for employees to abuse online access. Some argued that it should be disabled (AARON, 2009), what can be done setting up a Group Policy. According to Microsoft the InPrivate functionality is designed to stop casual computer users from “gaining access to the browsing history”. The IE team suggest that it should be possible to retrieve the online activity: “The feature isn’t designed to protect a user from security experts or forensic researchers” (SHARP, John, 2008). Shortly after a Beta version has been released it was examined by the investigators from the FoxIT forensic firm and it was found that it was possible to determine visited websites (SHARP, John, 2008). Christian Prickaerts claims that the feature is “mainly cosmetic” and that: “For a forensic investigator, retrieving the browsing history should be regarded as peanuts. The remaining records in the history file still enable me to deduce which websites have been visited” (SHARP, John, 2008). It is important to emphasise that tests were undertaken on the Beta version and unfortunately the method used by researchers was not disclosed.
12
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Furthermore a Delete Browsing History window ( Safety > Delete Browsing History > Preserve Favorites website data ) now provides option for tracking data for websites marked as Favourites. Essentially if a user added msn.com to Favourites then Temporary Internet files and cookies would be preserved even though the other history data has been deleted using IE8. To complement Microsoft’s care for user’s privacy, InPrivate filtering feature was developed (ZEIGLER, Andy, 2008) 2008).. If enabled by user, it informs him about tracking attempts by a third party websites and allows blocking such attempts. User can specify his own list of blocked sites or use list predefined by Microsoft.
3.2.Suggested Sites The new ew Suggested Sites feature aims to deliver website recommendation based on other users’ online activity. If user opt opt-in to use this feature, his history is analyzed and sent to Microsoft servers where stripped from identification data data, it contributes to suggestions suggestion database. Most commonly visited websites in user’s category would be recommended to him the system.. It is important to note that no information iiss collected while InPrivate session is enabled. The Suggested Sites capability has its own binary file called SuggestedSites.dat that is stored in C:\Users\<username>\AppData AppData\Local\Microsoft\Windows\Temporary Temporary Internet Files\Low\ folder. The file is create created automatically when user opts-in in to use the feature and its default size is 5,121 KB, regardless of the contents. Its structure is different to the index.dat therefore it cannot be parsed by a Pasco tool (JONES, Keith, 2003). 2003) Microsoft did not publish any documentation of th this particular format. When loaded into Hex editor a certain pattern can be seen.
Figure 1.. Contents of the SuggestedSites.dat file, viewed in Hex editor. Visited URLs are underlined underli in Blue and Referrer URLs are highlighted in yellow.
Figure 1 presents contents of the file where each of the new entries is marked by ‘ character and followed by a visited URL URL, here underlined in blue. Next ext is the page name as appears on the top bar of the browser and finally is the R Referrer URL, highlighted in yellow. 13
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Rest of the data is currently not recognized. The header of the file is also different to index.dat files. It contains unidentified data data, followed by Internet Explorer version at the 0x60 offset as it can be seen at the Figure 2.
Figure 2. Contents of SuggestedSites Sites.dat .dat file with visible header underlined in red and IE Browser version highlighted in yellow.
According to the details of the Suggested Sites functionality the above file does not record history during the HTTPS sessions or InPrivate mode. Additionally, in order to provide user with a control, the functionality is designed to delete the particular history entries if user decided to delete the record from the browser history history.. In a forensic examination, examination analysing data in a history index.dat file should take priority since it provides more information. However, in a scenario where user deleted the history using third party software rather than built in method, there is a high possibility that the SuggestedSites.dat file was left. Currently it is the latest version of CCleaner that is capable of removing the file (PIRIFORM LTD, 2009) on a live system since it is protected by the OS.
3.3.Session Recovery Microsoft boasts great improvements in the stability of a new browser. Developers spent a lot of effort on improving reliability thus new technologies like for instance Automatic Tab Crash Recovery were introduced. It is designed to isolate single tab that crashed from the rest, so that the other tabs are not affected. However, in order to implement this feature developers had to introduce monitoring mechanism that records current and previous browsing session. These are stored in the following folders:
14
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Windows 7, Vista
C:\Users\<username>\AppData\Local\Microsoft\ Internet Explorer\Recovery\Active \Last Active
Windows XP
C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active \Last Active
The Active folder stores current session data, whereas Last Active folder keeps previous browsing session data. Once a current session is closed, the contents of the Active folder are moved to the Last Active directory, thus overwriting the previously stored session. Deleting the browser history also causes removal of the folder contents. The session data is recorded even in InPrivate mode however, once a window is closed it automatically deletes contents of Active folder. In fact it is deleted only if the iexplore.exe process terminates successfully. However, if the whole application or the whole system crashes, the contents of Active folder are not deleted. This could create an opportunity for forensics to recover details of InPrivate session which would be otherwise difficult to obtain. Applications of this method are mostly limited to the scenario where suspect was caught in ‘action’ and officer at the scene simply pulled the power plug. Each of the folders contains two types of files: RecoveryStore.{xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx}.dat and {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.dat, which are created onthe-fly whenever IE8 is used. The first type is used as a manager for other files, one instance is created for each of the browsing modes – normal and InPrivate, regardless of a number of windows opened. Latter type represents a single Tab and is created whenever a new one is opened. Figure 3 presents Active folder, in this case, two modes are used, normal and InPrivate, because two RecoveryStore files exists. On top of that multiple tabs are open. Please note that although the screenshot was taken from Windows XP the browser behaviour in this case is the same as in Windows 7.
Figure 3. Contents of the Active folder. In this example normal and InPrivate modes are used and have multiple tabs open. Note: this screenshot comes from Windows XP.
15
First Look at the Windows 7 Forensics
Piotrek Smulikowski
The file names are Globally Unique Identifiers (GUID) generated randomly by Windows. It is important to note that file names are generated they remain the same regardless of the contents. Therefore if a suspect used a single browser window and with a single tab for many websites, the contents of a file will change but the file name will persist. Because the files are in a binary format, they have to be analysed with a hex editor. The RecoveryStore files do not seem to contain any comprehensible data, it is the tab files that bring more information when analysed. Figure 4 shows an example where, website URL and its name are stored in file.
Figure 4. Contents of an example tab file. URL is highlighted in grey and page name is in yellow.
However, the structure of the tab files can be very complex since the same file is used for as long as the corresponding tab is open. Therefore, if user was only using one tab for many different sites, all browsing history would be stored in a single file. It can be confusing as different sites seem to be nested in one another using some unknown data structures. The order in which the URLs appear varies and it may seem chaotic. Nevertheless in all tested examples, the first URL that is in a file was always the most recent URL. In addition tab files can also store page specific content such as html, java scripts or xml. These are stored after a tab history, in the second part of file. As a result a tab file can increase in size substantially, from the initial 5KB, for an empty tab.
3.4.Index.dat files Changes made to IE8, in comparison to IE7 mostly focused on adding new features rather than on redesigning the whole structure. Therefore backward compatibility is being maintained. This has a positive impact on a forensic analysis because it allows examiner to adopt familiar techniques and tools in order to retrieve valuable information. As in previous versions the index.dat file is used as a store for all web related data, such as cache, history or cookies. Each of these artefacts – containers, has its own folder and a index.dat file within it. The IE7 on Vista has introduced Protected Mode which is limited privilege mode for browsing internet, for increased security. As a result, within each of 16
First Look at the Windows 7 Forensics
Piotrek Smulikowski
containers a new folder called Low exists which holds Protected Mode sub-container. Additionally when the Internet Explorer is in the Protected Mode all add-ons are installed in a Virtualized location and a registry key: Virtualized Location
C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
Virtualized registry key
HKCU\Software\Microsoft\Internet Explorer\Internet Registry
Containers are spread around the user’s profile application data and their locations are consistent with previous versions: Cache Container for storing cacheable web content like images, pages, scripts. Every entry has a source URL and name of the file in Content.IE5 folder. Files are stored until expiry date is reached C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
Visited Links Stores clicked URL links and AutoComplete data, used to highlight visited links. C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
History History container for specific time frame between start date and end date. C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5\ MSHist01<startdate><enddate>\index.dat
Cookie Container for mapping individual Cookie files to their associated URLs with additional metadata C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
RSS Feeds Cache Stores record of RSS feeds added by user
17
First Look at the Windows 7 Forensics
Piotrek Smulikowski
C:\Users\<username>\AppData\Local\Microsoft\Feeds Cache\index.dat
Due to the fact that the format of the index.dat files has not changed, examiners can use existing tools to analyse user’s web activity for instance, Pasco by Keith Jones (JONES, Keith, 2003). It parses the binary file and exports the tab delimited text file. Figure 5 shows parsed contents of a IE8 Cache.
Figure 5. index.dat file parsed with Pasco and imported by Excel
Paths to the individual containers (PERNICK, Ari, 2006) remained unchanged therefore a lot of current forensic tools should be compatible with the new IE version correctly. One of the examples, apart from the Pasco are the NirSoft applications (SOFER, Nir, 2009). They manage to successfully retrieve cache files history or even certain passwords. However, as in Vista, most of the tools should be run ‘as Administrator’, in order to overcome privilege limitations.
18
First Look at the Windows 7 Forensics
Piotrek Smulikowski
4. Folder Structure With the release of Windows Vista the Documents and Settings folder was discarded and user profile was moved to Users folder using the Known Folder Id system. Although it did not affect programs functionality thanks to the Reparse Points, but it required time for users to get feel comfortable using it. In Windows 7 there are no such differences in a physical directory structure. However there are differences in a logical layout. Microsoft introduced the Library functionality which allows users to have all their files in one logical location yet having actual files distributed all over the PC or even network. Idea is similar to an audio playlist and collection of mp3 files. Introduction of Libraries allowed for more advanced search capabilities called Federated Search. In addition Microsoft brought back the old naming scheme in a format of e.g. ‘My Documents’.
4.1.Libraries Default Libraries are Documents, Music, Pictures, Videos, however, user can add his own types. One of the main requirements is that a folder that is added to the Library has to be indexed, as it allows for a fast searching of the contents. Fortunately, since the new scheme affects how a third party programs handle for example ‘Save file as’ dialog box functionality, Microsoft documented Libraries feature in detail (KIRIATY, Yochay and Fliess, Alon, 2009). The individual library files are named in the following format:.library-ms for example Music.library-ms and are stored in the following folder: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Libraries\
Files are stored in the XML hence their structure is clear, after initial header tags, every folder that is included in the library wrapped with the following code: <searchConnectorDescriptionList> <searchConnectorDescription publisher="Microsoft" product="Windows"> <description>@shell32.dll,-34577true true <simpleLocation>
knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7} <serialized>MBAAAE….
19
First Look at the Windows 7 Forensics
Piotrek Smulikowski
From the forensic point of view view, the most important field is the, as it shows the path to the folder included in library. In this case it is one of the known folders e.g. Downloads. Figure 6 shows contents of the .library-ms ms file where highlighted in grey is the path to a winhex folder added by user.
Figure 6. XML code in library library-ms ms file. The included folder path is highlighted in grey
Once the feature becomes commonly used by end userss then this could prove to be valuable source of information of user’s setup, where important files are being kept. kept Microsoft believes lieves that Libraries could be a structure for all user files. The advantage being, being that user can add folders from all locally av available resources, such as an external hard drive, HomeGroup or a network. Examiner then could easily find important storage devices, vices, locations which were used and include them in the investigation. Additionally, because indexing is a prerequisite for a folder to be part of a Library, indexed locations can be investigated in order to find user specified places. They are recorded in Registry in the following key: HKLM\SOFTWARE\Microsoft\Windows Windows Search Search\CrawlScopeManager\Windows\ SystemIndex\WorkingSetRules WorkingSetRules
4.2.Windows Windows Search and Federated Search Windows Search 4.0 has been introduced as an update for the Vista; however, however the introduction of Libraries extended the applications of the search engine. Arrangement View allows to customize the view of library contents based on a metadata, for example in the Pictures Library, ‘by Year’ view would organise all photos in stacks fo forr different years. Another feature, called Search Filter Suggestions Suggestions, allows user to select a predefined metadata filter and a value, in order to view files matching that criteria. Therefore, if user
20
First Look at the Windows 7 Forensics
Piotrek Smulikowski
wants to find music files of a specific genre, he can ei either ther select ‘genre:’ filter or type it in, then possible genre types would be suggested for him to select. Search functionality can be extended even further with the Federated Search. It allows sending queries to external data sources, such as databases o orr web content, as long as they support OpenSearch technology. In practice, user can simply download Search Connector file (*.osdx) and then query contents of the website, all via Windows Explorer. Such configuration files exist for popular websites such as YouTube or Flickr (DMEX, 2008). 2008) When user downloads and runs the *.osdx setup file, a <domainsearchname>.searchconnector searchname>.searchconnector-ms file is created and stored in <username>\Searches\ <username> folder. The contents of the file are stored in XML format, the most interesting field, from the forensic perspective, is the <domain> where domain of the host is recorded, as seen on Figure 7.
Figure 7.. Contents of Search Connector configuration file. The domain search provider is highlighted in grey
Additionally, as in Vista, user can save specific search query if it is being reused. The Saved Search details are stored in <searchname>.search <searchname>.search-ms file also in the same folder <username>\Searches\. The XML file has three significant fields:
- determines locations to be searched e.g. C: C:\Users Users - specifies what kind of a ffile it is e.g. email - filters the results <scope>
These search techniques will most likely be used by advanced users, therefore examiners will probably rarely need to investigate these artefacts. However if this method is used by a suspect it could add dd important information to investigation.
4.3.User folders Windows 7 has old, XP style, names for default user folders, unlike Vista which introduced different layout of user profile files. As a result the Documents folder is by default named ‘My Documents’, s’, other folders like Music, Pictures and Videos are also affected. When folders were examined in WinHex, which shows physical structure of files, it became clear that these folders are Reparse Points to the standard, Vista Vista-style style folders. Reparse Point is an implementation of a junction on NTFS file system, whereas junctions are logical links
21
First Look at the Windows 7 Forensics
Piotrek Smulikowski
pointing to another folder on Operating System level. They are transparent; hence user rarely notices a difference between an actual folder and a Reparse Point. Since the actual locations of the folders are consistent with the layout known from Windows Vista, forensic examiner can simply examine already known folders within the C:\Users\<username>\ location.
22
First Look at the Windows 7 Forensics
Piotrek Smulikowski
5. New Taskbar and Jump List One of the most prominent GUI feature in Windows 7 is the new Taskbar and the integrated Jump List; designed as an interactive combination of quick launch shortcuts with taskbar buttons, plus application specific common tasks. It allows user to have access to most frequent tasks such as ‘Play next song’ in Windows Media Player, directly from the taskbar. Additionally user can also choose the most recent or frequent files handled by this application. This part of functionality is significant to forensics, as it could provide new sources of evidence. Since the Windows 7 Beta was released, this feature was talked about, also in forensics community. Harlan Carvey said: “from a forensic perspective, this "Jump List" thing is just going to be a gold mine for an analyst, much like RecentDocs and UserAssist keys have been since Windows 2000” (CARVEY, Harlan, 2009). Microsoft encourages developers to make use of these new functionalities in their software, to further integrate application to the Operating System. The company provides them with detailed documentation, video tutorials and walkthroughs on how to implement the new taskbar functionality. However, as with other features, little is known about how the features work or where data is being stored. After an extended research, on Microsoft Developers Network the following was found: In addition to updating its list of recent documents, the Shell adds a shortcut to the user's Recent directory. The Windows 7 Taskbar uses that list and Recent directory to populate the list of recent items in the Jump Lists. (YOCHAYK, 2009) Therefore, it is clear that recent files displayed in Jump List are the same as in the <username>\Recent directory. This data is simply duplicated, only presented in a more approachable manner to the user. Anytime you double click on a file type with a registered handler [application that supports the file type], before Windows launches your application it automatically calls SHAddToRecentDocs on your application's behalf. This inserts the item in the Windows Recent list and eventually into the Jump List Recent Category. (YOCHAYK, 2009) The above fragment explains mechanism in which items are added to the Windows Recent list and the Recent folder, what forms a basis for the Jump List recent items. In addition to the recent and frequent lists, developers can add their own customized item list. This is the part that could make investigation of the Jump List worthwhile. Unless an application uses customized item list, by default a Jump List would only contain items from 23
First Look at the Windows 7 Forensics
Piotrek Smulikowski
the Recent directory. In such scenario, investigator can much easier navigate into the directory to view links to recently accessed documents or location rather than trying to find data artefacts in the system. However user can also ‘pin’ an item, in order to permanently keep it in the Jump List, which would be recorded in jump list data store but could uld be removed from the Recent directory. The Jump List feature is enabled by default, however user can disable it from the Control Panel > Taskbar and Start Menu in the second tab called Start Menu as seen on Figure 8. The first option records recent applications displayed in a start menu and the second checkbox switches on or off the Jump List functionality. This is also the only way to clear the list, user has to un-tick tick the box and click apply, then if needed the function can be rere enabled but with the emptied list. The pinned items remain in the list until being removed by a user. Further customization can be done by clicking the Customize button, where user can, among other things, add the recent items to the start menu like in previous versions of Windows.
Figure 8.. Start Menu properties window, allows user to disable the Jump List and customize contents of the start menu.
From the forensics rensics standpoint this feature can indeed become a valuable source of information, especially if suspect deleted contents of the <username>\Recent folder. Until very recently it has not been known where the recent item data is stored. Although some suggested ted that it might be in registry stored on a per per-application application basis, however, there was evidence that it was not the case (JODO3333, 2009).. This lack of information from Microsoft has frustrated some of beta testers. Later, one of the users from the forum suggested that the path to the files is: C:\Users\<Username>\AppData\Roaming Roaming\Microsoft\Windows\ Recent\automaticDestinations utomaticDestinations,
this is in fact act the correct path as it was unofficially confirmed by Microsoft in their presentation for Law Enforcement only (MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009). 24
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Automatic Destination folder contains files responsible for the recent items on a Jump List. Every program that has items recorded in the list has its file stored in this directory. Files names are in a format XXXXXXXXXXXXXXXX.automaticDesitnations-ms, where name is about 16 digit long and the extension is ‘automaticDestination-ms’. When the Jump List feature is disabled, the contents of the folder are cleared. User can still perform tasks available for the application, however, no recent files are stored. Files are binary and it is not easy to understand the contents, especially as some of them can get large and complex. The default number of the recent items stored is 10 but it can be changed by a user. The order in which items are added to the list remains unclear. All files paths that are stored in the file, are part of application’s Jump List. The Figure 9 shows sample content of the Automatic Destination folder and clear text stored in the Jump List file, this particular file belongs to the Microsoft Paint application. The contents of the binary file seem chaotic however, forensic examiner should be able to determine the file paths recorded in the recent item list.
Figure 9. Contents of the Jump List recent items file viewed in hex editor. Path to recent 'cos.png' file is highlighted in grey. This particular file, stores recent items list for Microsoft Paint.
Numerous tests on different machines revealed that a naming pattern seems to appear: the file name represents specific application which is fixed. As an example the following file 1b4dd67f29cb1962.automaticDesitnations-ms is a store file for Windows Explorer. Analogically some of the other common applications were identified as seen in the Table 4: File name 1b4dd67f29cb1962. 918e0ecb43d17e23. 74d7f43c1561dc1e. 99189dc15d887da6.
Application Windows Explorer Notepad Windows Media Player Windows Disc Image Burner
25
First Look at the Windows 7 Forensics
adecfb853d77462a. b3f13480c2785ae. 5c450709f7ae4396. 9fda41b86ddcf1db. 23646679aaccfae0.
Piotrek Smulikowski
Microsoft Word 2007 Paint Firefox VLC player Acrobat Reader 8.0
Table 4. File names and their respective application that store Jump List data
In order to identify the pattern the files in the AutomaticDestination folder were viewed in a Hex editor and contents were compared against recent items in the Jump List. Once type of a program was known it was cross checked with files on different computers. This kind of naming model was present on the 3 tested machines. However, because no documentation is available, it has not been possible to verify if the pattern is true for every PC or installation. When the Jump List feature is disabled, the contents of the folder are cleared. User can still perform tasks available for the application, however, no recent files are stored. Additionally it was noted that the Windows Explorer’s recent items list behaves slightly differently than the rest. If user navigates to the e.g. readme.txt file and opens it, the handling application’s Jump List is updated but so is the Windows Explorer’s list. However if a user navigates only to the folder but does not open any files, the Jump List does not record the path. This is presumably because, no file was open no target was selected and destination path was not confirmed. Microsoft has also identified another folder with files responsible for the Jump List(MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009): C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Recent\customDestinations
It stores files in similar format e.g. 74d7f43c1561dc1e.customDestinations. It is unclear what exactly these files contain but it is believed that they allow applications to have their own, custom ‘destinations’ or tasks. When examined files contain various tasks for instance ‘Start InPrivate Browsing’ just like Internet’s Explorer 8 task. This theory goes in line with the Jump Lists (in development stage known as Destination Lists) description given by Microsoft: The Destination List is automatically populated based on frequency and recency of use for file-based applications. Additionally, an application can define custom destinations, enabling it to monitor its own destination usage and their semantics. Applications can also define Tasks (actions within the application that users will find convenient to access directly, for example, composing an e-mail) to appear in their menus. (OIAGA, Marius, 2009) 26
First Look at the Windows 7 Forensics
Piotrek Smulikowski
According to this extract Automatic Destinations folder is designed to store frequent and recent items only, whereas the Custom Destinations folder holds applications specific destinations or tasks. As a result, forensic investigator should only be concerned with the AutomaticDestinations directory as it records the user activity. As previously mentioned this can be successful mainly if the user attempts to manually delete his Recent folder contents. In this case he would only delete links stored in that directory, with the Destinations folders remaining due to being hidden and protected by the OS.
27
First Look at the Windows 7 Forensics
Piotrek Smulikowski
6. BitLocker This section discusses the encryption software from Microsoft, bundled in, first Windows Vista and now, Windows 7. The section is divided into two parts, Windows Vista BitLocker and Windows 7 BitLocker, each of them providing details of identification and acquisition of encrypted volume. Unlike the rest of this paper, this section talks about Vista functionality with a purpose to highlight the subtle differences but also similarities between the two. Because the core functionality of the Vista BitLocker remained the same it would be impossible to discuss forensic analysis of the Windows 7 without providing details of the previous version.
6.1.BitLocker in Windows Vista 6.1.1. Introduction BitLocker Drive Encryption was first introduced to Windows Vista as an encryption feature mainly for portable computers. It was designed to protect user’s data by encrypting the whole volume making it practically impossible to decrypt without password or recovery key. BitLocker was one of the most talked about security feature in Vista upon its release, although it was only available in top end editions, Enterprise and Ultimate. Due to the number of high profile cases, data loss is considered as a serious issue, in 2007 alone HM Revenue and Customs (HMRC) lost 25 million records, in 2008 National Health Service (NHS) led the charts (585, 2009) (BBC NEWS, 2009). Taking this into account, Microsoft targeted encryption feature to government and business users rather than main stream consumers Because of the attention this feature drawn, it is documented extensively by Microsoft, although not all details are exposed. In addition many independent researches were undertaken involving BitLocker capability in Vista.
6.1.2. Authentication Methods BitLocker can operate using five different authentication modes depending on hardware specification or user’s preference.
TPM only: volume encryption key in the microcontroller USB startup key: volume encryption key on the USB startup key TMP + USB startup key: volume encryption key in the microcontroller and USB startup key
28
First Look at the Windows 7 Forensics
Piotrek Smulikowski
TPM + PIN: volume encryption key in the microcontroller + correct PIN is entered TPM + USB startup key + PIN: volume encryption key in the microcontroller and USB startup key + correct PIN is entered
Microsoft developed the BitLocker to work with the Trusted Platform Module (TPM) hardware chip (from version 1.2) build in to a computer’s motherboard. This method set BitLocker apart from typical encryption solutions. The encryption keys are stored on a protected volume and in a TPM chip. During system boot up process the integrity of the Operating System and hardware is verified and on the successful completion of the check the TPM microcontroller releases the encryption key to continue system boot up. If the protected volume is removed from the original system and connected to other PC, it may be impossible to access the data. Jesse Kornblum claims that: “Decrypting the data without the keys stored in the TPM is infeasible” (KORNBLUM, Jesse, 2009). However the TPM modules are not commonly used, even now, two years after the BitLocker for Vista was released. Therefore Microsoft provided another options: to decrypt volume by entering PIN number or by plugging in USB startup flash drive containing the encryption key, combination of the two methods is also possible. The USB only method does not have any hardware requirements therefore it can be used on any modern computer. The key stored on USB flash drive is 124 byte long, hidden, read-only, binary file with the name of the following format (GUID): xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.bek where x is a hexadecimal digit(HARGREAVES, C and Chivers, H, 2007). Encryption method supported by BitLocker is AES either 128 or 256 bit with Diffuser, by default BitLocker is set to 128 bit with Elephant Diffuser enabled (FERGUSON, Niels, 2006). As many forensic investigators know, it makes it practically impossible to crack with current computing power. If, for any reason, all methods are unavailable to a user, it is possible to decrypt the volume by entering 48 digit recovery key (using function keys), generated at the initial setup. More details of authentication process are available at Microsoft’s documentation (MICROSOFT TECHNET LLIBRARY, 2009). Apart from the TPM capable motherboard BitLocker also requires System Volume partition formatted with the NTFS file system. Its size in Vista is minimum 1.46 GB and its assigned Drive Letter is S:. Partition is not encrypted and holds “files that are needed to load Windows after BIOS has booted the platform” (MICROSOFT TECHNET LLIBRARY, 2009).
6.1.3. BitLocker Identification When computer with BitLocker enabled is running, it is possible to identify the encrypted volume, although Administrator rights are required for all of them (STEWART, Barrie, 29
First Look at the Windows 7 Forensics
Piotrek Smulikowski
2007). It should be noted that initially investigator should check which edition of Vista is run as only the Enterprise and Ultimate have the BitLocker capability. Additionally, if a system does not have a 1,46 GB S: partition, the BitLocker could not be running on the system due to its requirements. The most recommended way to check the presence of the BitLocker is via the Command Line Interface (CLI) using the manage-bde.wsf script.
Using command line with administrative permissions navigate to C:\Windows\System32\
Run the following command: cscript manage-bde.wsf –status Information about each partition is displayed together with encryption and authentication methods.
Alternative methods to identify encrypted volume include checking status in Control Panel > BitLocker Drive Encryption or simply by viewing the Computer Management window with disk Management Snap-in. These methods are applicable in Live Response scenario where an investigator is at the working and unlocked PC. However, in a case where the machine has been seized and is examined in a forensic lab, investigators can view the BIOS Parameter Block (BPB) to determine if the volume is encrypted with the BitLocker (HUNTER, Jamie, 2006). It is based at the first 0x54 bytes of the first sector and can be recognized by the following values: Offset 0x03 0x0B 0x0D 0x0E 0x10 0x11 0x13 0x16 0x20 0x38
Size 8 2 1 2 1 2 2 2 4 8
Field Signature BytesPerSector SectorsPerCluster ReservedClusters FatCount RootEntries Sectors SectorsPerFat LargeSectors MetadataLcn
Required Value for BitLocker ‘-‘,’F’,’V’,’E’,’-‘,’F’,’S’,’-‘ One of 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40 or 0x80 0x0000 0x00 0x0000 0x0000 0x0000 0x00000000
Table 5. Required Values for BitLocker stored in boot sector of an encrypted volume (HUNTER, Jamie, 2006)
The actual header of a boot sector of encrypted volume can be seen in Figure 10. Highlighted in yellow is the file system signature: -FVE-FS. In depth information about the identification of BitLocker is available from the (STEWART, Barrie, 2007, pp.22-24).
30
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 10. BitLocker Encrypted volume header of a boot sector in Windows Vista viewed in Hex editor (HARGREAVES, C and Chivers, H, 2007)
The identification of the encrypted volumes is essential, since it can potentially save the whole examination. If during Live analysis examiner fail to recognise BitLocker and switches off the machine without searching for a recovery key, on a next boot up, volume will be locked and possibility for finding recovery key would be only possible if suspect had a recovery key backed up on other seized media or written on some paper.
6.1.4. BitLocker Acquisition Hargreaves and Chivers suggest that once encrypted volume has been identified, investigators should always look for a recovery key (HARGREAVES, C and Chivers, H, 2007), which, as mentioned before, is generated at the initial setup. The file name is in GUID format e.g.: CE6B4C60-8F3B-11DE-BE35-62A555D89593.txt and its contents are in plain text. If, however, no keys are found, performing logical disk image of the encrypted volume is possible. It allows to image data in decrypted form for further analysis. Although the process is not forensically sound this could be the only successful method of capturing the data. The aforementioned BitLocker Command Line Interface enables investigators to manage recovery keys (STEWART, Barrie, 2007). By typing the following command cscript managebde.wsf –protectors –get C: -sek G:\ it is possible to export the recovery key for the volume C: onto the USB drive G:. Additionally examiner can also attempt to duplicate the recovery key via the Control Panel > BitLocker Drive Encryption > Manage BitLocker Keys. Examiner can export keys, print them or reset them. If Active Directory is used by organisation it can be configured to backup recovery keys, hence investigator should be aware that system administrator might have access to backup recovery keys. Renowned Computer Forensics and incident Response expert, Lance Mueller, posted a quick tutorial on how to identify BitLocker running on a live system. The video shows how to disable the BitLocker in order to “seize the hard drive and then later image and examine the date without having the key protectors” (MUELLER, Lance, 2008). It can be disabled with the following command: cscript manage-bde.wsf –protectors –disable C: 31
First Look at the Windows 7 Forensics
Piotrek Smulikowski
6.2.BitLocker in Windows 7 BitLocker in Windows 7 has some minor differences in a way that it functions from Windows Vista, however it has a new major feature introduced BitLocker To Go. This section discusses changes that appeared since BitLocker for Vista.
6.2.1. Introduction While BitLocker proved to be secure encryption solution for computers it did not stop Data Loss breaking news. With the increase of popularity, cheap prices and high capacities USB flash and portable drives created serious threat to data security. Ministry of Defence alone admitted to loss of eighty seven USB sticks in 5 years, all of them contained classified data (PAGE, Lewis, 2008). Windows 7 BitLocker addressed this problem by extending the encryption to removable devices. Microsoft accepted feedback from system administrators and even admitted that deployment of the BitLocker Drive Encryption in Vista was “was more cumbersome than it needed to be” (MICROSOFT TECHNET , 2009). Before, administrators had to repartition the drive for the system volume to be loaded, which on a large scale can be lengthy and costly process. Now, the system volume partition is created upon the Windows 7 installation process. In addition, Microsoft Developers granted greater control over the BitLocker to system administrators by introducing Group Policies changes, Data Recovery Agents (DRA) and other improvements to make deployment more efficient. All these changes, although not big or revolutionary, can have great impact on popularity of the Windows 7 BitLocker. Encryption of USB sticks can impact directly digital forensics as until now investigators relatively rarely have to deal with encrypted flash drives. If Microsoft’s solution will be easy, efficient and robust it might change the current situation.
6.2.2. BitLocker To Go After BitLocker has been first introduced, it could only encrypt single Vista partition, with the Vista Service Pack 1 (SP1) functionality was extended to fixed volumes - another partitions. Now it includes removable storage devices. BitLocker To Go is the new feature implemented in Windows 7 BitLocker allows encrypting portable flash or hard drives
32
First Look at the Windows 7 Forensics
Piotrek Smulikowski
(FUNK, Troy, 2008).. Portable drives can be of either FAT, FAT32, exFAT or NTFS file system. Authentication methods are different than the OS volume encryption.
Passphrase – complex PIN number combination, Group Policy allow controlling complexity and length Smart Card – card stores strong key but Smart Card Reader required Automatic Unlocking – allows trusted PCs to remember passphrase and unlock USB drive automatically
BitLocker To Go is highly integrated in Windows Environment making it quick and easy to enable the feature. It could be managed straight from the Windows Explorer context menu; user er can simply right click on a drive to enable BitLocker, unlock drive or manage authentication methods and keys. This feature can be used even if normal BitLocker is not enabled. Tests have shown that if during Windows 7 installation user chooses not to create c System Reserved partition - required for BitLocker volume encryption – he can still use portable drive encryption. In enterprise environment Group Policy can be setup to force BitLocker To Go usage on any USB connected drive. If user refuses, a driv drive will be set to read-only only mode, as can be seen on Figure 11.
Figure 11.. Group Policy allow forcing users to encrypt USB sticks, (FUNK, Troy, 2008)
In order to support encrypted drives on older Windows Operating Systems, BitLocker to Go Reader is automatically installed to every protected drive. It is a Windows Explorer – like application that, after successful au authentication, thentication, allows files to be read from the encrypted volume.
33
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 12.. BitLocker To Go Reader window allows viewing files and exporting to local machine. Screenshot taken from Windows Vista
Figure 12 presents the BitLocker To Go Reader window after authentication. Individual files or folders can be exported to local machine. No write operation can be performed though, it requires Windows 7 BitLocker.
6.2.3. BitLocker To Go Identification As with the other types of BitLocker encryption there are several methods to determine that USB stick is encrypted by this particular encryption application. Identification is especially easy when a portable dri drive ve is connected to the Windows platform PC since the lock icon is displayed against the drive in My Computer as seen on Figure 13. 13
Figure 13 13. BitLocker To Go encrypted portable drive.
However if, the drive is examined on other platforms the icon is not displayed. This was tested on the Ubuntu 8.04 and Mac OS X 10.5. For alternative system, other means for identification are available. When tthe he drive is opened, characteristic files are visible: BitLockerToGo.exe, , COV 0000.ER, Read Me.url , language files and multiple PAD XXXX.NG files. Figure 14 shows the contents of the encrypted drive.
34
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 14.. Contents of the BitLocker To Go encrypted portable drive. BitLockerToGo.exe file is clearly visible, Screen shot taken from Windows Vista.
Please note that although h drive this particular does not contain any data, it is filled with encrypted data containers PAD XXXX.NG files with size 0 bytes and one big file COV 0000. ER containing 98% of the volume size. Alternative identification method is possible which is in independent dependent from the Operating System. By looking at the binary data in Hex editor, examiner can determine whether the volume is encrypted with BitLocker To Go. FAT32 At first USB drive with FAT32 file system was used for experiments. Although there is no clear lear evidence of BitLocker in header there is a hint. OEM Name for the file system is set to MSWIN4.1 which correctly identifies file system as FAT type, see Figure 15.. However, modern Windows OS tend to name the FAT as MSDOS5.0, which could indicate that BitLocker might be installed on a volume.
Figure 15.. FAT32 volume encrypted with BitLocker To Go. MSWIN4.1 OEM Nam is highlighted in yellow and FAT32 file system highlighted in grey
35
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Once the encrypted volume is viewed in Hex, examiner can search for BitLocker signature: ‘-FVE-FS-’. In the experiment, when the search was performed multiple instances of the signature were found and surprisingly the other information was detected as well. At the 0x88 offset from the signature, Computer name, Drive Letter and Date of the PC were encryption was initiated were found as seen at the Figure 16.
Figure 16.. BitLocker signature found on BitLocker To Go encrypted volume - highlighted in yellow. Additionally original Computer Name, Drive Letter and Date were also found - highlighted in grey.
Unfortunately it was not possible to verify whether this was standard for every setup having only access to one Windows 7 Ultimate PC. However if it was the case it could prove that the USB drive was connected to the specific PC and BitLocker To Go was enabled from that PC at the particular time. It could also aid examiner in searching the Recovery Key for the portable ble drive by pointing him/her to the recorded PC NTFS Although the NTFS is not a recommended file system for USB flash drives, some might use BitLocker To Go to encrypt portable USB hard drives where it is a default system. The file system was tested in order der to verify what kind evidence can be extracted and if findings from the FAT32 are applicable to the NTFS formatted drive.
Figure 17. Header of NTFS drive encrypted with BitLocker To Go viewed in Hex editor. The BitLocker singature sing FVE-FS- is at 0x03 offset - highlighted in yellow. Interestingly it is marked as FAT32 file system highlighted in grey.
36
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 17 presents the header of the NTFS drive which was encrypted with BitLocker To Go. The BitLocker signature can be seen in yellow but surprisingly it is showing as the FAT32 (in grey) volume. When n compared the Figure 15 and Figure 17 there are some differences found in the he structure of headers, though they follow similar fashion. Encrypted NTFS volume has BitLocker signature as the OEM Name but is inappropriately marked as FAT32, whereas encrypted FAT32 volume has MSWIN4.1 as OEM Name and the file system is properly recognized nized but there is no clear indication that the volume is encrypted. Both encrypted file systems share an interesting characteristic of recording the Computers Name, Drive Letter and Date of the encryption. NTFS drive was also searched for the BitLocker signature -FVE-FS- and after some of the instances of the signature the details of encryption were found as displayed on Figure 18.
Figure 18. BitLocker signature found on encrypted NTFS volume - highlighted in yellow. Computer name, Drive letter and Date were also found - highlighted in grey
Additionally the encrypted NTFS volume was not recognised on a Windows Vista OS, it prompted to formatt a drive. When the USB stick was connected to the Ubuntu 8.04 computer it was not mounted neither. The fsstat tool for viewing details of file systems (CARRIER, Brian) also failed to determine the NTFS, although it handled encrypted volume of FAT32 correctly. In contrast the aforementioned tools mmls and fdisk recognized it as the NTFS.
6.2.4. BitLocker To Go Acquisition Acquiring forensically sound image of the portable dev device ice seems to be an easy task. It is the encryption that can create challenges. Taking physical image means that the contents will be encrypted therefore data will be unreachable. As shown in previous section it is possible to establish which PC was BitLock BitLocker er encryption enabled on. During the installation process 37
First Look at the Windows 7 Forensics
Piotrek Smulikowski
user can either save recovery key on local machine or print it off. Unless paper with printed recovery key can be located, it is most likely that the key is stored on the local computer. The format of the recovery key file name changed slightly: BitLocker Recovery Key xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.txt. If user selected automatically unlock option it is possible that once a USB drive is plugged into the trusted PC it can be instantly decrypted allowing for logical imaging. In a Live Response scenario where USB drive was found unlocked, examiner can simply right click on a drive in ‘My Computer’ and select Manage BitLocker field to export recovery key. However, investigator can also simply perform logical image of the decrypted drive. Unlocking the drive with recovery key has become much easier since Windows Vista. Once a window asking to enter the password pops up, user can click ‘Forgot my Password’ and follow wizard and simply type in the recovery key.
6.2.5. BitLocker changes BitLocker developers put an emphasis on the user experience in Windows 7 BitLocker, as a result the initial setup process was simplified. System administrators can quickly enable BitLocker on multiple machine and control settings with extended capability by Group Policies. Home users can follow easy to use wizards to enable BitLocker without the hassle of repartitioning the hard drive to accommodate the 1,5 GB System Volume. All these and other improvements have made the whole process more user friendly and feature more usable. With Windows 7 BitLocker the System Volume partition, volume used by BitLocker to verify integrity of the hardware and pre-startup authentication (MICROSOFT TECHNET, 2009) – it is created automatically during the initial setup, if user selected default settings. If user performed custom installation and hard drive contained other partitions prior to Windows 7 installation, System Volume partition will not be created. However if user opts in to use BitLocker at the later stage partition will be automatically created during BitLocker setup. Therefore a lot of burden was taken off the end user and it is now embedded in the automated process. The partition is now being called System Reserved and has no Drive Letter assigned, therefore cannot be accessed through the Windows Explorer in order to avoid any accidental changes from being made. Additionally its size was limited to 100MB, so more space is available for user’s data. When Vista BitLocker was first launched, it only allowed to encrypt the Operating System Volume (C:), which was extended to additional fixed volumes with the Vista Service Pack 1. However in order to encrypt the Data drives the C: drive had to be encrypted as well. The 38
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Windows 7 BitLocker not only allows encrypting portable drives regardless if the encryption is enabled on the Windows 7 volume but also the fixed volumes. As a result examiner can find scenarios where Windows 7 drive is not encrypted but D: Data drive is. In this case it can be assumed that suspect could be storing incriminating data on the encrypted volume. It is important to remember about all the artefacts that the data on encrypted partition left on Windows 7. Therefore investigator might be able to recover history of files executed or viewed, thumbnails and more, since they are all stored on Windows 7 partition. This is also true for removable drives and BitLocker To Go. Enterprises using Windows 7 BitLocker will benefit from the Data Recovery Agents (DRA) technology which is a new, certificate based key protector. The certificate contains public key that is applied to any drive that is mounted across the organisation. Because it is stored centrally, therefore an investigator can request from system administrators to decrypt encrypted volume using the DRA. IT departments have now granular control thanks to extended Group Policies. BitLocker for Windows Vista could be manage using the Command Line Interface via already discussed script and had to be run by cscript manage-bde.wsf command. The same functionality is now provided by the manage-bde.exe executable placed in the same folder as before: C:\Windows\System32\ The identification of the BitLocker encrypted volume has not changed since the previous version. Similar can be said about acquisition process. According to Microsoft information provided during a Presentation on BitLocker (FUNK, Troy, 2008) did not indicate any changes in basic workings of BitLocker, therefore procedures that applied to Vista BitLocker are still valid for Windows 7 BitLocker. Unfortunately this has not been examined due to technical problems in the experiment lab.
6.3.Windows 7 BitLocker Conclusions Developing team, responsible for the changes introduced in Windows 7 BitLocker, put much effort in making it more accessible for not only administrators in large organisation but also for end users. No doubt that data loss is an important issue and public awareness increases. By employing encryption technologies like BitLocker many news headlines could be avoided. Public’s data would not be disclosed to unauthorised people and businessmen could be confident that their sensitive data is not disclosed to competitors by simple human error. As good as it sounds for governments and business use it creates number of challenges for Computer Forensics. With the range or improvements the BitLocker is certainly more 39
First Look at the Windows 7 Forensics
Piotrek Smulikowski
appealing to potential users, which in effect can mean increase in number of encrypted volumes to analyze for digital forensic experts. It is true that since BitLocker functionality is available only in most expensive Windows 7 editions, many normal home users will not be able to encrypt their hard drives or USB drives. However it is likely that due to improvements in user experience more people with Enterprise or Ultimate editions would start using it. Just before the release of the Windows Vista BitLocker, Andy Woodward wrote the paper with the following title: ‘BitLocker - the end of digital forensics?’ (WOODWARD, Andre, 2006).He claimed that very few digital forensic examinations will involve BitLocker encrypted volumes. Although it might have been true with Vista BitLocker, the improvements in Windows 7 BitLocker can change the situation.
40
First Look at the Windows 7 Forensics
Piotrek Smulikowski
7. Registry Analysis This section is devoted to the Windows Registry. It examines the kind of information that is stored and can be retrieved by examiner. Due to its complex structure, only fraction of the registry was examined, it is by no means a complete list. In line with the main idea of this paper to show what has changed with respect to the forensic analysis of Windows system, it is focused on new sources of evidence. In addition some most common registry keys were evaluated in order to verify their relevance in the new system.
7.1. Introduction While for Windows Registry lies at the core of the Operating System, for a forensic analyst it can be a goldmine of evidence. It stores settings and options for the whole system, therefore it can deliver large amount of forensically valuable information. Since its first appearance in Windows 3.1 it has grown into extremely complex data structure. Although there is no documentation from Microsoft, there are plenty of resources about forensic analysis of the registry. In fact it is so important artefact that Harlan Carvey considers writting a book about forensic analysis of the Windows Registry (CARVEY, Harlan, 2009). In depth analysis of the Registry, lies far beyond scope of this research, which is focused on the discovery of new and evaluation of already known sources of evidence. During the research three methods of information gathering were employed. Firstly, paper called “A Windows Registry Quick Reference” by Derrick J. Farmer(FARMER, Derrick, 2007) was reviewed and a form a basis of the research. While the reference was based on the Windows XP, registry keys presented by the author were verified against the Windows 7 registry in order to show any differences. Secondly the RegRipper software (CARVEY, Harlan and Shavers, Brett, 2009) was run against registry hive files from the test Windows 7 PC. The application is designed to automatically extract information stored within registry files. If output from the software was flagged ‘not found’, it flagged a difference in registry structure and contents. Thirdly, registry was browsed in order to identify new possible sources of evidence. The Table 6 presents popularly used naming conventions applied in this paper. Short Name HKCR HKCU HKLM HKU HKCC
Full Name HKEY-_CLASS_ROOT HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_USERS HKEY_CURRENT_CONFIG
Table 6. Short naming convention for root hives
41
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Although the Registry viewed by standard Registry Editor (regedit.exe) appears to be a single database, it is in fact highly integrated collection of files. The Table 7 lists files responsible for registry hives. Please note that Windows 7 and Vista include additional files (CARVEY, Harlan, 2009, p.161), marked with the * sign. Registry Hive HKLM\System HKLM\SAM HKLM\Security HKLM\Software HKU\User SID HKU\Default HKLM\Components* Usrclass.dat*
File Path C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SAM C:\Windows\System32\config\SECURITY C:\Windows\System32\config\SOFTWARE C:\Users\<username>\NTUSER.DAT C:\Windows\System32\config\DEFAULT C:\Windows\System32\config\COMPONENTS
C:\Users\<username>\AppData\Local\Microsoft\ Windows\usrclass.dat Table 7. Registry paths and corresponding files
7.2.Registry locations This part considers various registry key locations which could possibly be a source of forensic evidence. Due to a large amount of different locations, this section is technical and for reference mostly. 7.2.1. Time Information Establishing the time of the Operating System is crucial to a computer forensic investigation. Examiner should be able to establish precisely when particular event happened. Windows 7 follows the fashion set by previous Windows systems. Time Zone Information Registry key holding information about the system time. Most important values are ActiveTimeBias, Bias, DaylightBias, StandardBias. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\
Using those values examiner can calculate different times necessary for his investigation. Formulas(FARMER, Derrick, 2007) are following:
UTC = Local Time + ActiveTimeBias Local Time = UTC – ActiveTimeBias 42
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Standard Time = Bias + StandardBias Daylight Time = Bias + DaylightBias
Time is represented minutes, therefore decimal value is a number of minutes(MICROSOFT MSDN LIBRARY, 2009). In addition to establishing the system’s time, Registry can provide examiner with LastWrite time for a particular key. Although the time stamp for each value is not recorded it can still be very helpful to know then the key was changed, especially in a case where a registry key has single value. In addition the time stamp from the registry key can be compared against other time stamps existing on a system. The LastWrite value can be obtained with multiple tools like e.g. RegRipper, however at Live response scenario it might be possible to export the whole registry to text file. The benefit of that are keys having LastWrite values shown for every key but also that the keyword search through text file is instantaneous. However, with time since OS installation the registry can gain in size enormously. Moreover, as with Vista, the Windows 7 does not automatically record Last Access time on NTFS volume. Microsoft by default disabled the update to reduce performance overhead, which in turn caused examiners to loose very important source of evidence. The value accountable for that setting is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem>NtfsDisableLastAcces Update
7.2.2. Most Recently Used Most Recently Used files commonly known as MRUs, store details of recently used objects. This list was adopted from the Registry reference document (FARMER, Derrick, 2007) and it was compared against registry keys available in Windows 7. Please note that if certain functionality was not enabled some keys may be not available. Content
Windows XP
Windows 7
Search Files
Software\Microsoft\Search Assistant\ACMru\5603
HKCU\Software\Microsoft\Windows \CurrentVersion\Explorer\WordWh eelQuery
Internet Search Assistant Printers, Computers and People
Software\Microsoft\Search Assistant\ACMru\5001
N/A
Software\Microsoft\Search Assistant\ACMru\5647
N/A
43
First Look at the Windows 7 Forensics
Pictures, music, and videos XP Start Menu Recent R. Desktop Connect Run dialog box Regedit - Last accessed key Regedit Favorites MSPaint Recent Files Mapped Network Drives Computer searched via Windows Explorer WordPad Recent Files Common Dialog - Open Common Dialog - Save As WMP XP Recent Files WMP XP Recent URLs OE6 Stationery list 1 - New Mail OE 6 Stationery list 2 - New Mail PowerPoint Recent Files Access Filename MRU FrontPage Recent lists Excel - Recent Files Word - Recent Files Win Explorer Typed Paths
Piotrek Smulikowski
Software\Microsoft\Search Assistant\ACMru\5604
N/A
Software\Microsoft\Windows\CurrentVer sion\Explorer\RecentDocs
The same as in XP
Software\Microsoft\Terminal Server Client\Default [MRUnumber]
N/A
Software\Microsoft\Windows\CurrentVer sion\Explorer\RunMRU Software\Microsoft\Windows\CurrentVer sion\Applets\Regedit
The same as in XP
Software\Microsoft\Windows\CurrentVer sion\Applets\Regedit\Favorites
The same as in XP
Software\Microsoft\Windows\CurrentVer sion\Applets\Paint\Recent File List
The same as in XP
Software\Microsoft\Windows\CurrentVer sion\Explorer\Map Network Drive MRU
N/A
Software\Microsoft\Windows\CurrentVer sion\Explorer\FindComputerMRU
HomeGroup:
Software\Microsoft\Windows\CurrentVer sion\Applets\Wordpad\Recent File List
The same as in XP
Software\Microsoft\Windows\CurrentVer sion\Explorer\ComDlg32\LastVisitedMRU
The same as in XP
Software\Microsoft\Windows\CurrentVer sion\Explorer\ComDlg32\OpenSaveMRU
The same as in XP
Software\Microsoft\MediaPlayer\Player \RecentFileList
HKCU\Software\Microsoft\MediaPl ayer\Preferences> Last_Location_26
Software\Microsoft\MediaPlayer\Player \RecentURLList
N/A
Identities\{CLSID}\Software\Microsoft \Outlook Express\5.0\Recent Stationery List Identities\{CLSID}\Software\Microsoft \Outlook Express\5.0\Recent Stationery Wide List
N/A * No Outlook
Software\Microsoft\Office\10.0\PowerP oint\Recent File List
HKCU\Software\Microsoft\Office\ 12.0\PowerPoint\File MRU
Software\Microsoft\Office\10.0\Common \Open Find\Microsoft Access\Settings\File New Database\File Name MRU Software\Microsoft\FrontPage\Explorer \FrontPage Explorer\Recent File List
HKCU\Software\Microsoft\Office\ 12.0\Access\Settings
Software\Microsoft\Office\10.0\Excel\ Recent Files
HKCU\Software\Microsoft\Office\ 12.0\Excel\File MRU
Software\Microsoft\Office\10.0\Word\D ata
HKCU\Software\Microsoft\Office\ 12.0\Word\File MRU
N\A
HKCU\Software\Microsoft\Windows \CurrentVersion\Explorer\TypedP aths
44
The same as in XP
HKLM\SOFTWARE\Microsoft\Windows \CurrentVersion\HomeGroup\HME\M embers
N/A * No Outlook
HKCU\Software\Microsoft\Office\ 12.0\FrontPage\File MRU
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Table 8. Differences and similarities in registry key locations between Windows XP and Windows Vista.
7.2.3. UserAsisst This particular registry key is known among examiners as a potentially rich source of evidence. It was used since Windows 2000 and it is still used in Windows 7. Operating System uses it to record “objects that user has accessed on the system such as Control Panel applets, shortcut files, programs, documents, media, etc.”(FARMER, Derrick, 2007). Unlike the Prefetch, it stores that information not system wide but on a per-user basis. As already mentioned in the
45
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Background Research section the Beta version of Windows 7 had keys obfuscated in Vigenère cipher unlike all previous versions of Windows. However, when the RC and final version was examined it became apparent that the ROT-13 or Caesarean cipher was used again. This simple cipher is based on a rule that each letter is replaced by the letter 13 spaces away from it in alphabet or in this case ASCII table. For example K:\uryvk.rkr translates into X:\helix.exe. By recommendation from the Windows Registry Quick Reference (FARMER, Derrick, 2007) the web based translation script (EDOCEO, 2009) was used to quickly decode the file names. The UserAssist values can be found at: By default there are two GUID keys in User Assist. Carvey suggested checking the GUID in HKCR\CLSID\ (CARVEY, Harlan, 2007, p.168). Although the method was successful in previous Windows versions, it did not provide any results. In fact, the whole registry was searched without success. It is however safe to assume that behind both GUID are Operating System applications responsible for interaction with the system Shell. HKEY_CURRENT_USER\Software\Microsoft\Windows\Explorer\UserAssist\{GUID}\Count.
When RegRipper software was run against the Windows 7 RTM NTUSER.DAT file, no UserAssist keys were retrieved. The registry was manually examined and it became clear why the application did not extract any information. The data field is 72 bytes long as opposed to 16 bytes as in Vista and its predecessors. Due to the lack of documentation about new data structure it was necessary to analyse and understand its contents and behaviour. Derrick J. Farmer (FARMER, Derrick, 2007) explained the structure of the previous format, where the fifth byte (offset 0x05) was a counter of how many times the application was run, however the counter starting value is 5. The last 8 bytes compose time stamp of a last access. In his book Harlan Carvey adds (CARVEY, Harlan, 2007) that the data is divided into DWORD – 4 bytes. In order to examine behaviour of the new format, new application has been downloaded and executed for the first time – registry value for the applications was created. Application was then closed and the data for that value was recorded and compared with subsequent reiteration of the process. After multiple attempts it was possible to identify which bytes recorded the counter number and the time stamp. With more data to be examined it was difficult to establish which was recording what. Eventually it appeared that the 5th byte still is a counter number but the starting value is 00. The timestamp is the 60th - 68th byte (15 17 DWORD). The Figure 19 presents the binary data for specific program where the count number is highlighted in yellow and time stamp in blue.
46
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 19. Image shows binary data for the example UserAssist value. Underlined in red iiss the obfuscated program path, in green is the decoded path. Highlighted in yellow is the counter number and in blue is the time stamp in Hex.
The time stamp is in hexadecimal fo format; by using software like DCode (DIGITAL DETECTIVE GROUP LTD, 2009) it is possible to decode time stamp into human readable form. Figure 20 shows the time stamp for the application run in the above example (highlighted in yellow) and the converted date in bold.
Figure 20.. Output from Date/Time converting application DCode. Highlighted in yellow is the time stamp from above example (see previous figure)
7.2.4. Autoruns Applications automatically loaded on a system startup are recorded in various registry keys. It can be important to establish if any malicious software was running on a suspect 47
First Look at the Windows 7 Forensics
Piotrek Smulikowski
PC. Sysinternals Autoruns (SYSINTERNALS, 2009) application can easily provide all that information. Windows XP HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce HKLM\Software\Microsoft\Windows\CurrentVersion\policies \Explorer\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows NT\CurrentVersion \Windows\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce <username>\Start Menu\Programs\Startup
Windows 7 The same as XP N/A The same as XP N/A The same as XP The same as XP <username>\AppData\Roaming\Mi crosoft\Windows\Start Menu\Programs
7.2.5. Network information Windows records the wireless networks connected to the host PC. It stores a profile of the network its SSID identification name together with some more details, such as creation date, last connected and gateway MAC address. Depending on the context, this information can be highly important to the forensic investigation. In Windows XP the Zero Configuration Service was used however the Vista and Windows 7 manages networks differently. The time stamp is in unusual format: d9 07 08 00 03 00 13 00 01 00 39 00 02 00 where each 2 bytes form little endian value. The decoding technique is following: Year Month Weekday Day Hour Minutes Seconds
= = = = = = =
14 02,
d907 > 07d9 = 2009 0800 > 0008 = August {Jan = 1, Feb = 2...} 0300 > 0003 = Tuesday {Sunday = 1, Monday =2...} 1300 > 0013 = 19 0100 > 0001 = 1 am 3900 > 0039 = 57 0200 > 0002 = 02
The complete decoded time stamp is: Tuesday, 19 August 2009 01:57:02 This method was posted on Mark McKinnon’s blog (MCKINNON, Mark, 2009). Wireless Network information Records profiles of previously connected Wireless Networks. First key stores timestamps and SSID, second key stores Gateway’s details: MAC address, SSID name. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
48
First Look at the Windows 7 Forensics
Piotrek Smulikowski
NT\CurrentVersion\NetworkList\Profiles\{GUID}\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\
Additionally, details of individual connections are recorded, IP address, DHCP server and more. The time stamp is stored in big endian Unix 32 bit hex value, DCode can be used to translate the value. Network Connection information Records details of the connection, IP address DHCP server information, domain, time stamps etc. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\ Parameters\Interfaces\{GUID}
7.2.6. Mounted Devices NTFS devices that are mounted to the Windows System are recorded together with a letter assigned to them. The binary data for the values \DosDevices\x: can be used to identify the specific devices. Mounted Devices Lists previously connected drives. HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
7.2.7. USB Device Information When user connects removable device, Windows records details of that device in registry and file system. The process of gathering all information has changed since Windows XP but is the same as on Vista. Couple of steps are required to retrieve all tracks: 1. Write Down Vendor, Product, Version Disk&Ven_SanDisk&Prod_Cruzer&Rev_7.01
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
2. Write Down Serial Numbers
49
First Look at the Windows 7 Forensics
Piotrek Smulikowski
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\D isk&Ven_###&Prod_####&Rev###\
0877500A0302335E&0\
3. Determine Drive Letter Device Mapped To G: PortableApps
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices > FriendlyName
Look for Serial Number or Vendor and Product 4. Write Down Volume GUIDs \??\Volume{c76d273c-8e40-11de-9db3001a6b41face}
HKLM\SYSTEM\MountedDevices
Look for Serial Number or Vendor and Product 5. Find User That Used The Specific USB Device User1
NTUSER.DAT HKU\Software\Microsoft\Windows\ CurrentVersion\Explorer\MountPoints2
Search for Device GUID 6. Determine Last Time Device Connected – check Last Write for a key HKLM\SYSTEM\CurrentControlSet\Control\Device Classes\{53f56307-b6bf-11d0-94f200a0c91efb8b}
Last Write Time: 26/08/2009 - 13:31
Look for Serial Number or Vendor and Product 7. Discover First Time Device Connected >>> [Device Install (Hardware initiated) USB\VID_0781&PID_5151\0877500A0302335E] >>> Section start 2009/08/21 11:56:08.045 ...
C:\Windows\inf\setupapi.log
Perform search for Serial Number
Table 9. USB Information gathering process. Adapted from (SANS FORENSICS BLOG, 2009)
Please note that not every USB device has its own Serial Number.
7.2.8. Internet Explorer Internet Explorer is highly integrated into the Windows OS and therefore into the Registry. Although the current 8th version differs a lot in its capabilities, the information stored in registry reminds older versions. It is ruled by compatibility issues, and the new features are only added to an already existing structure. Internet Explorer information is stored primarily in two registry keys. Internet Explorer
50
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Registry keys store information used by Internet Explorer 8. First Key holds data about History, Cache or Cookies. Second Key keeps data about e.g. Suggested Sites but one of the most important keys is the TypedURLs, which records URLs that user typed in. Additionally the path to download folder is stored in a root of this key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ HKCU\Software\Microsoft\Internet Explorer\
Internet Explorer can store data entered into username and password fields if user agrees to use the feature. IE7 and IE8 uses different method of storing credentials data, passwords are encrypted with the URL of the page that the password was entered. Therefore if URL still exists in history, it might be possible to decode the data. AutoComplete Passwords Stores usernames and passwords remembered by the Internet Explorer, respectively Storage1 and Storage2 HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage1\ HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\
51
First Look at the Windows 7 Forensics
Piotrek Smulikowski
8. Miscellaneous Features and Changes 8.1. Location and Sensors API Microsoft has introduced native support for sensor devices which allows different sensors to be used without the need for any third party software, due to a standardized Application Programming Interface (API). Sensors supported include devices like for instance Light Sensor, Accelerometers 3D or even Human Proximity Sensor. In addition, the platform allows for Location sensors such as Global Positioning System (GPS) to be used. Software based solution can also be applied, therefore applications like “IP resolver that provides location information based on an Internet address, a cellular phone tower triangulation that determines location based on nearby towers, or a Wi-Fi network location provider that reads location information from the connected wireless network hub” (MICROSOFT MSDN, 2009). The types of sensors used depend on hardware or software availability. Also this feature is limited to Home Premium, Professional and Ultimate. The feature is enabled by default but can be disabled by user via the Control Panel. This functionality could be of a special interest to forensic investigators because it could provide them with the exact location of a computer and its user at a specific time. Since analysis of the information goes beyond computer or online activity it could be of extreme value to the investigation. Investigators could potentially get actual location of a criminal from his end, rather than trying to track him down from their end by usage of IP address tracing. This method could help to counter anti-forensics techniques like usage of TOR networks to obscure IP address location (TOR PROJECT INC, 2009). Law enforcement agencies would not have to go through lengthy and troublesome procedures of Regulation of Investigatory Powers Act 2000 (RIPA) requests from Internet Service Providers (ISP). Actual applications that would use the location data would be mostly third party, as currently the only Windows native application using the data is a Weather widget. As a result 3rd party developers decide on how their data that is stored and this is likely to vary between applications. According to documentation (MICROSOFT MSDN, 2009), a user is warned every time that the new program tries to access the location data. Data artefacts left behind on a system are unclear, since it was impossible to test the feature without an appropriate hardware device or software. According to Microsoft Developers Network (MSDN) reference, the API provides software with two means of retrieving location from the sensor; one is by usage of C++ or second by scripting languages (MICROSOFT MSDN, 2009). Methods would call a system function to get the location and 52
First Look at the Windows 7 Forensics
Piotrek Smulikowski
that could be used by application or e.g. online script. The documentation does not state if the data is stored anywhere on a system in local files. The Event Viewer keeps a log (Event Viewer > Custom Views > Location Activity) of all applications trying to access the location data. It is very unlikely that the actual location is stored in this log. However, theoretically if an application, that sends a request for the data, records this fact then it might be possible to tie this information with the request stored in a log. According to the MSDN not every request is stored but only the first successful and any failed requests are logged until application restarts (MICROSOFT MSDN , 2009). Depending on the scenario this information might be enough to retrieve the location. This particular source of evidence also has flaws because the key limitation is the requirement for the criminal to have a hardware or software sensor and associated connectivity. Taking a GPS receiver as an example, a good signal reception to at least three GPS satellites is required to determine the location. As a result it means that the criminal would need to have hardware capable of running Windows 7 in a correct edition, therefore a laptop, excluding Netbook category, with a GPS receiver. The criminal would also need to be outdoors or at least in the environment with clear sky view for a receiver to find a ‘fix’ – signal. Considering that GPS adapters, either USB or Bluetooth, are rarely used it becomes clear that this potential evidence has many limitations. There are however other scenarios were this source could really contribute evidence to investigation. The mobile network has the potential to be the most feasible solution, due to its growing popularity. Therefore, if a criminal had a laptop connected to the internet via a USB broadband dongle his approximate location could be logged by the Localisation platform. Another case would be if a criminal used a laptop on a local Wireless network as it would be possible for his location to be identified by locating the Wi-Fi network. This type of localisation is being developed as an alternative to GPS system for indoor or metropolitan environments, where buildings block the satellite signals (YU-CHUNG CHENG, Yatin Chawathe, John Krumm, 2005). Although this is still not a common solution it creates an opportunity. The last example application could be in a case of a ‘grooming’ investigation where the undercover investigator is in contact with a criminal. Even if the criminal did not have location sensors, the investigator could send a Trojan that had hidden within, for example a picture, that would retrieve the location data like IP address or other information and send back to the investigators. Although the success of such method would depend on many
53
First Look at the Windows 7 Forensics
Piotrek Smulikowski
aspects such as the security setup of the criminal’s PC, the opportunity for exploitation of this feature exists.
8.2. exFAT / FAT64 The extended File Allocation Table (exFAT) is the new file system designed for high capacity portable flash drives. Unlike some early speculations it is not a replacement for the NTFS file system. First included in Windows Vista Service Pack 1 and Windows Embedded CE 6.0 and now supported by the Windows 7. Main advantages of exFAT over FAT32 are increased file size support from 232 to 264 bytes, large capacity drive support (32GB +) and lower performance overheads(DAVAK, 2008). It is better suited to flash drives than NTFS because it does not have a journal system and therefore preserves the longevity of the drive since no single location is being constantly overwritten. However, it comes at the cost of reliability of the file system. The main drawback of the system is the lack of support from older systems or other platforms which reduces the portability of the exFAT drive. Microsoft has released an optional update for XP users available from the Windows Update website (MICROSOFT, 2009). However, since it is a proprietary file system, other platforms are disadvantaged and it will require time until such support becomes widespread. The file system is a default for SDXC cards - the newest large capacity SD cards with 32+ GB of storage (SD ASSOCIATION, 2008).
8.2.1. exFAT Identification From the forensic perspective it is important to note that exFAT supports UTC time rather than a Local time when recording time stamps. The file system signature – OEM Name ‘EXFAT’ can be found in the 0x03 Byte offset, as shown on Figure 21:
Figure 21. exFAT partition signature 'EXFAT'
54
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Some tools like for example UNIX based fdisk do not recognise the partition type and identify it as NTFS partition as seen in Figure 22.
Figure 22. fdisk recognizes exFAT as NTFS with partition id=7
Analogically, the Brian Carrier’s mmls tool for viewing partition tables (CARRIER, Brian) recognizes it as the NTFS partition, see Figure 23.
Figure 23. Output from mmls tool, exFAT is recognised as NTFS
8.3.Partition Table By default, during the Windows 7 installation process two partitions are created: Backup and Windows volume. First is a hidden letter-less partition called System_Reserved, which is used for backup purposes but also BitLocker if enabled. Its size is 100MB, which was reduced from the 200MB in Windows 7 Beta version. Users cannot access it via the Windows Explorer because it has no drive letter assigned to it, therefore it is not even displayed. It is done on purpose to avoid curious users changing important files, which was common for Vista’s 1.5GB partition. BitLocker uses this partition to store boot information that is executed during the authentication process. It is however possible not to create the partition, if user installs the Windows 7 on a drive where other partitions already exist, volume is not created. Second partition is a C: drive system volume with the Windows 7 OS. Possibly due to the size of modern hard drives, Microsoft decided not to give an option to format with any other file system than NTFS. As a result it is standard file system on all Windows 7 volume.
55
First Look at the Windows 7 Forensics
Piotrek Smulikowski
The fdisk tool shows two partitions being recognized as NTFS, their start and ending points, see Figure 24.
Figure 24. fdisk recognized two partition as NTFS
The mmls tool (CARRIER, Brian) outputs the physical location of the two partitions, first one being the System Reserved and the second Windows 7 volume. It also confirms that both are formatted with the NTFS, (see Figure 25).
Figure 25. mmls tool displays the details and locations of the two partitions.
The fsstat tool (CARRIER, Brian) was used to view details of each partition which can be seen on Figure 26.
56
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 26. The output from the fsstat tool with details of the System Reserved (left) and Windows 7 partitions (right).
The fsstat tool was developed as part of the Sleuth Kit (CARRIER, Brian, 2009) by Brian Carrier years before Windows 7 release, this possibly why it recognizes volumes as the Windows XP. As with the Windows Vista, the Volume Boot Record is still located in the 2048 sector of the hard drive. Forensic analysts should be familiar with the Windows 7 partition setup for obvious reasons. Examination of the structure of the hard drive plays crucial part in the digital investigation.
8.4.XP mode Although Windows 7 has had few major compatibility problems reported it is still a big improvement comparing to its predecessor Widows Vista. This was confirmed throughout the whole research, where it worked faultlessly on many different hardware and software setups. However, Microsoft wanting to avoid the situation from early 2007 incorporated the Windows XP Mode to the new OS.
57
First Look at the Windows 7 Forensics
Piotrek Smulikowski
It is designed to overcome any possible incompatibility issues by running virtualized windows XP Operating System. The XP is highly embedded into the Windows 7, offering seamless operation (MICROSOFT VIRTUALISATION TEAM, 2009), however as with any virtualized system there is a performance overhead. The feature is primarily designed for Enterprises where support for legacy software is required but everyday users can also benefit from it. It comprises of the Microsoft Virtual PC and Windows XP SP3, unclear if Home or Professional edition, free to download for Windows 7 Professional, Enterprise and Ultimate owners. Compatible hardware is still required; processor needs to support either Intel’s Virtualisation Technology or AMD-V, which can be verified by free tool SecurAble (GIBSON, Steve, 2008). Unfortunately, due to the lack of supported hardware available for this research, the feature could not be examined for forensic artefacts. It is believed that it could potentially create new sources of evidence.
8.5.Mix Unlike its predecessors Windows 7 is not shipped with embedded email client. Windows XP included the Outlook Express as a default client and Vista came with the Email client, however, Microsoft decided to exclude the functionality from the newest system. Instead Windows Live Essentials package includes the Mail – new email client and other applications such as Messenger or Photo Gallery. Because it is not built into the system it is not included in this research, although it certainly carries significant footprint on forensics. If examiners would decide to use the Windows 7 as the forensic platform, it is important to note that, as in Windows Vista, all forensic applications and tool should be run ‘As Administrator’ in order to avoid program malfunctions. This is due to the User Account Control (UAC) privilege limitations.
58
First Look at the Windows 7 Forensics
Piotrek Smulikowski
9. Methodology Various different research methodologies were used throughout the research. The choice of a method depended on the examined feature. Due to a variety of different aspects of Windows 7 every feature discussed was independent and differed from another. Therefore, it posed a challenge to approach the problem in a best possible manner. During a Background Research a lot of time was devoted for gathering information available about the topic. Due to the novelty of the research area there was very few sources of information. As a result, literature review in a strict sense was very limited, because there is no literature about the Windows 7 forensics. No books or even research papers were published up to or during the writing of the research, at least to the best of author’s knowledge. This lack of information about the particular subject reinforced the novelty factor of this research. The only available sources of information were online resources. Some examiners shared their initial experiences of the new system on their blogs or forums. However, they either failed to go in detail or focused on very specific aspects only. Although these were incomplete and sparse pieces of information, they did help, especially in identifying possible sources of forensic evidence. At this stage it was believed that it could be highly beneficial to get the information from the source. However Microsoft is a giant enterprise and it seemed nearly impossible to get their attention. After long research it was discovered that Chris Ard, an Investigative Consultant with Microsoft’s Law Enforcement Support Team, was scheduled to deliver a presentation (ARD, Chris, 2009) on forensic aspects of Windows 7 on a Crimes Against Children Conference in Dallas, USA. Email contact was initiated and Chris agreed to shed some light on the new Windows forensics. Because it was still a month before conference, he did not have facts confirmed through detailed analysis. However, he was kind enough to share his findings about possible sources of evidence. Interestingly Chris Ard said “there isn’t any guidance from the product development team regarding the changes that affect forensic investigations” even for Microsoft’s own forensic team. This Microsoft’s ‘every man for himself’ approach only stressed the importance of this research, to share the findings with the community. Findings from Chris Ard were very helpful and together with other known information it formed a basis for the research. Identification of the potential sources of forensic evidence was considered a key factor of research success. However, it was believed that new sources of evidence would be found during the analysis process as having the basic structure was crucial. As mentioned before, the documentation of Windows 7 is very limited, both by Microsoft and forensic community. The purpose of this paper is to focus on impact that the Windows 59
First Look at the Windows 7 Forensics
Piotrek Smulikowski
7 has on forensic examinations and not the Vista. It was then necessary to learn the impact that Vista had on forensic analysis in order to help identifying new features in comparison to its predecessors. In addition studying multiple papers on this subject helped to find the balance between technical and theoretical approach. Also, how to create competent document focused on forensic examiners. Once the potential sources were identified, the examination of individual aspects started. Due to the great variety of the features and their scope, it was impossible to employ a single methodology. Therefore each of them had to be approached individually with research methods tailored to its characteristics. However, in order to ensure the overall quality of examination, general modus operandi model was adopted. If a feature in question was a newly introduced it was researched in depth to gain thorough understanding of its operation; if possible it was practically examined and eventually forensic conclusions were drown and if needed the process would reiterate until satisfying conclusions could be drawn. Not all features created new sources of evidence, therefore if no findings were discovered, it was concluded that there is no impact on forensic analysis process. If, however new sources were found, significant effort was inputted to document new artefacts. Some of them were successfully analyzed and produced comprehensive results, whereas others still require a more in depth research, possibly an extensive and dedicated future study. When Internet Explorer 8 was examined in search for potential forensic evidence, at first it appeared that few changes would have little effect on the forensics. However as the research progressed, more interesting aspects were discovered. At the beginning it was approached by analysing new features introduced into the IE8 with the purpose to recognise if it could potentially create new artefacts, data files. Next, the functionality of features was analysed for the same purpose. At the end if any data files were found, they were examined to produce detailed documentation. Although in some cases structures were so complex that comprehensive documentation would require lengthy in depth study for example the session recovery files. As with other sections the feature was reviewed from the forensic perspective in order to identify its impact. Another section that required highly tailored approach was the BitLocker. Because of the complexity of BitLocker and its potentially high impact onto the forensic analysis, it was decided to first study the BitLocker for Windows Vista and then to discuss the Windows 7 BitLocker. This approach was believed to addresses the fact that the new version is more of an evolution from its predecessor rather than a complete replacement. To discuss the Windows 7 BitLocker alone would leave reader clueless about the functionality that it shares with its predecessor and effectively render incomplete examination.
60
First Look at the Windows 7 Forensics
Piotrek Smulikowski
The Registry section also required separate consideration. Because of the technical nature, it was bound to consist of mainly registry key locations. Some additional comments were made to clarify to a reader what each key contains and why it is important to an examination. Moreover, the registry as a structure remained the same for many versions of Windows, only the contents changed. As the Windows XP registry was analyzed in depth, it is well documented by researchers. One of the papers (FARMER, Derrick, 2007) provided a reference for forensic examiners and as a result it formed a basis for the examination of Windows 7 registry. All keys included in the paper were verified against the new registry. Any significant changes were examined in detail for example the UserAssist keys. In addition the RegRipper software (CARVEY, Harlan and Shavers, Brett, 2009) was used to help identifying the updated registry keys. Additionally through browsing potentially significant keys it was possible to identify new, important registry keys or values.
9.1.Hardware and Software used Throughout the whole research wide variety of hardware and software setups were used. It was primarily driven by a desire to examine the final version of the Windows 7 in order to ensure that the results are applicable and comparable with what examiners can encounter. Therefore it was crucial to obtain the latest version, which became possible on the 6th of August 2009, when Microsoft released the final, RTM build to MSDN subscribers.
Soft/Hardware
Desktop
Laptop
Netbook
Windows 7 RTM Pro
Windows 7 RTM Pro
Windows 7 RC Ultimate
Windows 7 RC Ultimate
Windows Vista Home
Ubuntu 8.04
Premium
Windows XP SP3
2,6GHz Pentium 4
1,8GHz Intel C2D
1,6 GHz Intel Atom
1 GB @ 333MHz
2GB@667MHz
1,5GB@533MHz
Hard Disk
40GB
160GB
320GB
Network
LAN
LAN, WIFI
LAN, WIFI
Graphics
ATI Radeon 9660 Pro
Integrated
Integrated
OS version
CPU Memory
Table 10. Hardware and Software Specification of used PCs
Table 10 presents the hardware and the software specifications of the PCs used for the examination. primary PC was the desktop computer with the Windows 7 installed, whereas other PCs were used to verify results. In addition the Netbook was used as the analysis machine with the Ubuntu 8.04 with the Sleuth Kit (CARRIER, Brian, 2009) and other open 61
First Look at the Windows 7 Forensics
Piotrek Smulikowski
source forensic tools. The Windows 7 PCs had the X-Ways Forensics and WinHex installed (X-WAYS, 2009). The author of the tools was kind enough to provide demo version of the XWays Forensics software. Great majority of results was obtained with the RTM version although some features for example BitLocker was only available in Ultimate version hence the RC version was used. However there was no reports that it undergo any changes in the RTM product.
62
First Look at the Windows 7 Forensics
10.
Piotrek Smulikowski
Conclusions
This section concludes the findings of the research, outlining achievements of the study by also analysing weakness. Next, is the review of the obstacles faced during the research. Later, author discusses his reflections about the research. The next section covers overall conclusions of the research. Last is the discussion of the recommended future work with regard to this topic.
10.1.
Research Achievements
The expected deliverables set before the study, were based on an initial research about changes to the new system. It was a common believe that because the system is an evolution of the Vista, it would not have many forensically significant changes. Therefore the deliverables were expected to include forensic analysis experiment of the Windows 7 and comparison to the older systems. Additionally the software compatibility was aimed to accompany the results to help examiners choosing their toolkit. Finally, the optional requirement was the Windows 7 Forensic Analysis Draft to guide examiners through the process. While it is still believed that the fulfilled deliverables could form a complete reference to the Windows 7 forensics, it has quickly been recognised that it would require significantly more time than the two months and only one researcher. Once the research started it became clear that the amount of time required to examine all features was highly underestimated at the beginning. However there was no means to provide correct estimation, since the changes on the new system were very sparsely, if at all, documented. Therefore the deliverables were reviewed in order to identify the requirements of the highest priority. It was decided that the analysis of the forensically significant features is the primary objective since this is what will have real impact on the forensic investigation. Not only it can help examiners, but also forensic software developers could benefit from the research findings, as they could address the new sources of evidence in their software. Thanks to the comprehensive research on the system changes it was possible to successfully identify the features that could create new sources of evidence. Various information gathering methods were employed including reading available documentation, contacting experts and thorough online search. The identification proved to be successful when source from Microsoft confirmed which features are likely to affect the forensics (MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009). Moreover this research uncovered more sources of evidence than it was suggested by the materials provided by Microsoft.
63
First Look at the Windows 7 Forensics
Piotrek Smulikowski
During the analysis stage some features did not produce new sources of evidence, whereas others did. Furthermore some changes were discovered to have a potentially great impact on the forensics. However, regardless of the outcome, the detailed analysis of the features alone can be considered as an achievement. Even if no evidence could be found, it means that the feature has been recognized as forensically insignificant and can be excluded from the forensic examination. Great deal of time was devoted to IE8 analysis, since online activity is often the cause for the investigation in the first place. Some could argue that the browser is not Windows 7 specific and could be omitted however it is still the default browser for the new Windows. What is more, the information contained in section devoted to the IE8 could also benefit the investigators examining other Windows systems, with the IE8 Vista in particular. The section included detailed analysis of the InPrivacy browsing capability, identification and examination of the Suggested Sites and Session Recovery artefacts. Although very little information was available, it was attempted to document the feature from forensic perspective. Some of the user experience improvements also produced new sources of evidence. The much talked about Jump List feature was examined and produced interesting results. Although due to its complexity it was not possible to document the component in depth, however it was possible to retrieve history records. Other new functionality analysed – the new search capability, produced information about the remote location that suspect was accessing. The BitLocker analysis also delivered vast amount of information important to examiners. The introduction of the portable drives encryption can have a significant impact on the examinations. Although the research did not provide examiner with a way round the BitLocker protection, which is a hardly possible task, it provided means to identify an encrypted volume. Besides some other minor changes were reviewed and crucially the potential impact of the updated BitLocker was discussed. Among many other findings, the analysis of the Windows Registry produced a quick reference of important registry entries. In particular, the UserAssist keys were analysed and decoded, in effect highly valuable, user activity data was extracted. This evidence source was one of the most commonly investigated data artefacts in previous versions of Windows. Hence it was highly important to decode and document the new format.
64
First Look at the Windows 7 Forensics
10.2.
Piotrek Smulikowski
Actual Constraints
Now that a research is finished it is safe to say that limitations outlined in the Project Constraints section were correctly identified. All combined composed a substantial challenge for the success of the research. The major obstacle was the most obvious one time limitation. Having more time would benefit the project with more in depth analysis of the new features, allow for meeting all set requirements and provide more time for a writing the report. However as with all academic research there is a deadline that needs to be adhered to. Appropriate time management was in place, although there was a room for an improvement. In spite of this the topic was thoroughly researched and produced significant results. Initially the complexity of the Windows Operating System was understated, as were the changes in comparison to Windows 7’s predecessors. It was when the identification finished and examination stage started, that it became clear that the project was too ambitious. It required intensive research, variety of different experiments to understand the forensic significance of discussed feature. Lack of documentation posed a real challenge, since for many tasks it was necessary to employ reverse engineering techniques. Moreover the availability of the forensic software was indeed a great obstacle. Since, as expected, manufacturers do not post demonstration versions online, they had to be requested and depending on delivery method it can take long time. The EnCase demo arrived after over 3 weeks and its functionality was heavily limited making it impossible to examine the Windows 7 forensic image. The X-Ways Forensics was sent electronically but the trial version only worked on a C: drive of the system. Although it was very helpful for feature analysis process it was not feasible to perform analysis of the image. In addition to the time constraints it was also decided that since software compatibility could not be performed on multiple products it could not form a comprehensive review, therefore the deliverable was abandoned. However one of the problems happened to resolve itself when Microsoft decided to release Windows 7 final version to MSDN subscribers (LEBLANC, Brandon, 2009). However at the time the news was published, it was unclear whether it would include Academic Alliance – student subscription. Fortunately, it did, therefore previously obtained results could have been verified and experiments replicated.
10.3.
Final Conclusions
This research delved into the Windows 7, three months prior to its official release in order to investigate changes made to the new system and their impact on forensics. It has 65
First Look at the Windows 7 Forensics
Piotrek Smulikowski
compiled and verified majority of information regarding the new Windows and its analysis. In addition it has attempted to document some of the new features identified as forensically significant. Through the examination of their behaviour and the produced data artefacts, research has discovered new potential sources of evidence. Moreover, a selection of already recognised evidence sources was evaluated against the new platform. Shortly after the release of the Beta version of the new Windows, many had an impression that little has changed since the predecessor, that it was evolved version of Vista, “but a lot better!” as Microsoft’s CEO said (PARRISH, Kevin, 2008). Despite the fact that Windows 7 does not bring a revolution to Windows OS family, it may have its footprint on Windows forensics. Firstly its positive reception, suggests that it may quickly become vastly popular, therefore examiners will be very likely to face a computer with the new system. Secondly, developers focused on adding more functionality which in turn created new sources of evidence. Improvements to the user experience generated more forensic artefacts with features like the Jump List and the Suggested Sites or the Session Recovery in the Internet Explorer 8. However some features introduced new challenges to the forensic investigations such as the portable drive encryption or the privacy internet browsing. Ease of use combined with the perceived privacy can affect their popularity. Therefore this research tries to raise awareness and provide examiners with identification techniques in order to help them to approach analysis in best possible manner. This study attempted to cover in detail most of the forensic issues surrounding the Windows 7 however it certainly had not exhausted the topic. In fact it is thought to be quite the opposite. Hopefully it will attract the forensic community to further research in more specific areas of the subject. And primarily that it will aid computer forensics investigators when faced with the windows for the first time.
10.4.
Future Work
On top of already covered aspects, more in depth analysis of certain features would be the next improvement. Due to the lack of a compatible hardware Windows XP Mode or Location API could not be fully examined. Both can potentially be valuable source of evidence. Additionally other functionalities that were not discussed because they were considered to have not changed like e.g. Recycle Bin or Prefetch (MMAHOR, 2009) could be verified. It is believed that fulfilling all set deliverables would add more practical side of the research. The comparison of the results from the forensic analysis of windows 7 and its
66
First Look at the Windows 7 Forensics
Piotrek Smulikowski
predecessors would certainly point out more of minor changes, whereas production of the analysis draft could provide examiners with hands-on guide to Windows 7 examination. Since this is only the first look at the Windows 7 forensics, there is plenty of further research opportunities in this area. The paper was aimed to deliver a basis for forensic examiners but also forensic researchers wanting to further expand the community’s knowledge.
67
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Bibliography 585. 2009. Data Loss Examples in 2008. [online]. [Accessed 15 Aug 2009]. Available from: ARD, Chris. 2009. Speakers. [online]. [Accessed 20 Jul 2009]. Available from: BBC NEWS. 2009. Human error blamed for data loss. [online]. [Accessed 15 Aug 2009]. Available from: BBC NEWS UK. 2009. Windows 7 flies off virtual shelf. [online]. [Accessed 31 Jul 2009]. Available from: BRIGHT, P. 2008. First look at Windows 7's User Interface. [online]. [Accessed 22 Jul 2009]. Available from: CARRIER, Brian. 2009. The Sleuth Kit. [online]. [Accessed 15 Aug 2009]. Available from: CARRIER, Brian. MMLS(1) Manual Page. [online]. [Accessed 04 Aug 2009]. Available from: CARVEY, Harlan. 2007. Windows Forensic Analysis DVD toolkit. USA: Syngress. CARVEY, Harlan. 2009. search results for "Windows 7". [online]. [Accessed 31 Jul 2009]. Available from: CARVEY, Harlan. 2009. Windows 7 Beta Registry. [online]. [Accessed 15 Aug 2009]. Available from: CARVEY, Harlan. 2009. Windows Forensic Analysis DVD toolkit Second Edition. Syngres. CARVEY, Harlan. 2009. Windows Registry Forensic Analysis. [online]. [Accessed 15 Aug 2009]. Available from: 68
First Look at the Windows 7 Forensics
Piotrek Smulikowski
CARVEY, Harlan and Brett SHAVERS. 2009. RegRipper. [online]. [Accessed 31 Jul 2009]. Available from: <www.regripper.net> CLARKE, Gavin. 2009. Microsoft to bomb Europe with IE-free Windows 7. [online]. [Accessed 03 Aug 2009]. Available from: DAVAK. 2008. exFAT vs FAT32 vs NTFS. [online]. [Accessed 04 Aug 2009]. Available from: DMEX. 2008. Windows 7 Search Federation Providers. [online]. [Accessed 04 Aug 2009]. Available from: EDOCEO. 2009. ROT13 Coversions. [online]. [Accessed 25 Aug 2009]. Available from: FARMER, Derrick. 2007. A Forensic Analysis of The Windows Registry; A Windows Registry Quick Reference: For the Everyday Examiner. [online]. [Accessed 15 Aug 2009]. Available from: FERGUSON, Niels. 2006. AES - CBC + Elephant Diffuser: A Disk Encryption Algorithm for Windows Vista. [online]. [Accessed 15 Aug 2009]. Available from: FIVEASH, Kelly. 2009. Microsoft ditches Windows 7 E plans. [online]. [Accessed 03 Aug 2009]. Available from: FUNK, Troy. 2008. BitLocker: Protecting data in Windows 7 and Windows Server 2008 R2. In: Microsoft WinHec 2008. Microsoft.
69
First Look at the Windows 7 Forensics
Piotrek Smulikowski
GIBSON, Steve. 2008. SecurAble: Determine Processor Security Features. [online]. [Accessed 15 Aug 2009]. Available from: GUIDANCE SOFTWARE INC. 2009. Guidance Software. [online]. [Accessed 31 Jul 2009]. Available from: HUNTER, Jamie. 2006. Detecting BitLocker. [online]. [Accessed 15 Aug 2009]. Available from: JENSKR. 2009. Windows 7 and forensic tools. [online]. [Accessed 31 Jul 2009]. Available from: JODO3333. 2009. Microsoft Technet: Windows 7 forum: Jump List History Location? [online]. [Accessed 04 Aug 2009]. Available from: JONES, Keith. 2003. Pasco v1.0. [online]. [Accessed 03 Aug 2009]. Available from: KIRIATY, Yochay and Alon FLIESS. 2009. Inside Windows 7: Introducing Libraries. [online]. [Accessed 04 Aug 2009]. Available from: KORNBLUM, Jesse. 2009. Implementing BitLocker Drive Encryption for forensic analysis. Digital Investigation., pp.75-84. LEBLANC, Brandon. 2009. The Date for General Availability (GA) of Windows 7 is…. [online]. [Accessed 03 Aug 2009]. Available from: LEBLANC, Brandon. 2009. Windows 7 has been Released To Manufacturing. [online]. [Accessed 03 Aug 2009]. Available from:
70
First Look at the Windows 7 Forensics
Piotrek Smulikowski
LEBLANC, Brandon. 2009. Windows 7 Team Blog: When will you get Windows 7 RTM? [online]. [Accessed 22 Jul 2009]. Available from: MCKINNON, Mark. 2009. Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7. [online]. [Accessed 26 Aug 2009]. Available from: MICROSOFT. 2009. Update for Windows XP KB955704. [online]. [Accessed 04 Aug 2009]. Available from: MICROSOFT. 2009. Windows 7 BitLocker Executive Summary. [online]. [Accessed 15 Aug 2009]. Available from: MICROSOFT LAW ENFORCEMENT TECH TEAM. 2009. IE8 Trustworthy Computing and InPrivate Browsing. In: Microsoft Law Enforcement. UK: Microsoft. MICROSOFT LAW ENFORCEMENT TECH TEAM. 2009. Windows 7 Forensic Introduction. In: Microsoft Law Enforcement. UK. MICROSOFT MSDN. 2009. About Logging Location Activity. [online]. [Accessed 03 Aug 2009]. Available from: MICROSOFT MSDN. 2009. Introduction to the Sensor and Location Platform in Windows. [online]. [Accessed 03 Aug 2009]. Available from: MICROSOFT MSDN LIBRARY. 2009. Time_Zone_Information Structure. [online]. [Accessed 15 Aug 2009]. Available from: MICROSOFT TECHNET. 2009. Windows 7 BitLocker Executive Overview. [online]. [Accessed 15 Aug 2009]. Available from:
71
First Look at the Windows 7 Forensics
Piotrek Smulikowski
MICROSOFT TECHNET. 2009. Windows BitLocker Drive Encryption Frequently Asked Questions. [online]. [Accessed 16 Aug 2009]. Available from: MICROSOFT. TechNet Library. [online]. [Accessed 22 Jul 2009]. Available from: MICROSOFT TECHNET LLIBRARY. 2009. BitLocker Drive Encryption Technical Overview. [online]. [Accessed 15 Aug 2009]. Available from: MICROSOFT VIRTUALISATION TEAM. 2009. Microsoft Virtual Pc : Three modes of Windows XP Mode. [online]. [Accessed 28 Aug 2009]. Available from: MMAHOR. 2009. Windows 7 analysis. [online]. [Accessed 31 Jul 2009]. Available from: MORRIS, Jamie. 2007. Notes on Vista Forensics, Part One. [online]. [Accessed 31 Jul 2009]. Available from: MSDN BLOG. 2009. Some Changes Since Beta for the RC. [online]. [Accessed 03 Aug 2009]. Available from: MUELLER, Lance. 2007. Basic Investigations of Windows Vista. [online]. [Accessed 31 Jul 2009]. Available from: <www.lancemueller.com/vistaceic2007.pptrvF_xTw8gBYPsg&sig2=4S4QVxRcY0oO7xTwN L9eQQ> MUELLER, Lance. 2008. BitLocker Incident Response. [online]. [Accessed 15 Aug 2009]. Available from: NET APPLICATIONS. 2009. Top Operating System Share Trend. [online]. [Accessed 15 Aug 2009]. Available from: OASOL. 2009. Windows 7. [online]. [Accessed 31 Jul 2009]. Available from: OIAGA, Marius. 2009. Windows 7 User Interface - the Superbar (Enhanced Taskbar) A Microsoft Perspective - Softpedia. [online]. [Accessed 15 Aug 2009]. Available from: 72
First Look at the Windows 7 Forensics
Piotrek Smulikowski
PAGE, Lewis. 2008. MoD: We lost 87 classifed USB sticks since 2003. [online]. [Accessed 15 Aug 2009]. Available from: PERNICK, Ari. 2006. A bit about WinInet's Index.dat. [online]. [Accessed 04 Aug 2009]. Available from: PIRIFORM LTD. 2009. Version History. [online]. [Accessed 04 Aug 2009]. Available from: PROTALINSKI, Emil. 2009. Six editions of Windows 7: better than Vista, still too many. [online]. [Accessed 03 Aug 2009]. Available from: SANS FORENSICS BLOG. 2009. Computer Forensic Guide To Profiling USB Devices on Win7, Vista, and XP. [online]. [Accessed 20 Aug 2009]. Available from: SD ASSOCIATION. 2008. Developers: SDXC Massive Storage, Incredible Speed. [online]. [Accessed 04 Aug 2009]. Available from: SHARP, John. 2008. FoxIT Exposes IE8 Beta Privacy Limits. [online]. [Accessed 04 Aug 2009]. Available from: SOFER, Nir. 2009. Web Browser Tools. [online]. [Accessed 04 Aug 2009]. Available from: STEVENS, Didier. 2009. Didier Stevens Blog. [online]. [Accessed 31 Jul 2009]. Available from:
First Look at the Windows 7 Forensics
Piotrek Smulikowski
SYSINTERNALS. 2009. Autoruns for Windows v9.53. [online]. [Accessed 15 Aug 2009]. Available from: TOR PROJECT INC. 2009. Tor: Overview. [online]. [Accessed 03 Aug 2009]. Available from: WIKIPEDIA. 2009. Windows 7 Editions Comparison Chart. [online]. [Accessed 25 Aug 2009]. Available from: WOODWARD, Andre. 2006. BitLocker - the end of digital forensics? In: Proceedings of 4th Australian Digital Forensics Conference. Perth Australia: Edith Cowan University. X-WAYS. 2009. Software for Computer Forensics, Data Recovery and IT Security. [online]. [Accessed 01 Aug 2009]. Available from: YU-CHUNG CHENG, Yatin Chawathe, John Krumm. 2005. Accuracy Characterization for Metropolitan-scale Wi-Fi. [online]. [Accessed 03 Jul 2009]. Available from: ZEIGLER, Andy. 2008. IE8 and Privacy. [online]. [Accessed 03 Aug 2009]. Available from:
74
First Look at the Windows 7 Forensics
Piotrek Smulikowski
APPENDIX A – Windows 7 Editions Comparison Chart This chart compares all editions of the Windows 7 based on their capabilities. This is the most complete comparison chart available online. Starter Cost & Features / Availability
Home Basic
Home Professional Enterprise Ultimate Premium
OEM Emerging Retail and OEM licensing markets licensing
Volume licensing
Retail and OEM licensing
32-bit and 64-bit versions
32-bit only
32-bit only Both
Both
Both
Both
Maximum physical memory (64-bit mode)
N/A
8 GB
16 GB
192 GB
192 GB
192 GB
Maximum CPU chips supported
1
1
1
2
2
2
Home Group (create and join)
Join only Join only
Yes
Yes
Yes
Yes
Backup and Restore Center[25]
Cannot Cannot Cannot back up back up back up to to to network network network
Yes
Yes
Yes
Multiple monitors No Fast user switching No
Yes Yes
Yes Yes
Yes Yes
Yes Yes
Yes Yes
Desktop Wallpaper No Changeable
Yes
Yes
Yes
Yes
Yes
Desktop Window Manager
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Partial
Yes
Yes
Yes
Yes
No
No
Yes
Yes
Yes
Yes
No
No
Yes
Yes
Yes
Yes
No
No
Yes
Yes
Yes
Yes
No
Windows Mobility No Center Windows Aero No Multi-Touch Premium Games Included Windows Media Center
75
First Look at the Windows 7 Forensics
Windows Media Player Remote Media Experience[26] Encrypting File System Location Aware Printing
Piotrek Smulikowski
No
No
Yes
Yes
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
No
Yes
Yes
Yes
No
Virtual PC Virtual PC Yes only only
Yes
Yes
No
No
No
No
Yes
Yes
BitLocker Drive Encryption
No
No
No
No
Yes
Yes
BranchCache Distributed Cache
No
No
No
No
Yes
Yes
No
No
No
No
Yes
Yes
No
No
No
No
Yes
Yes
No
No
No
No
Yes
Yes
No
No
No
No
Yes
Yes
Remote Desktop Host Presentation Mode Windows Server domain joining Support for Windows Virtual PC[27] + Windows XP Mode[28] AppLocker
DirectAccess Subsystem for Unix-based Applications Multilingual User Interface Pack Virtual Hard Disk Booting
Table 11. Windows 7 editions comparison chart. Source (WIKIPEDIA, 2009)
76
First Look at the Windows 7 Forensics Forensic implications of the new Windows 7
Piotrek Smulikowski 01/09/2009
This dissertation was submitted in part fulfilment of requirements for the degree of MSc Forensic Informatics
Department of Computer and Information Sciences University Of Strathclyde
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Abstract Microsoft is ready for shipment of its new mainstream Operating System - Windows 7. From 22nd of October most of new computers will be sold with the new system. It is the intention of this paper to prepare computer forensic professionals for the challenges it can potentially bring and what impact it is likely to have on forensic examination. Through the comprehensive research and the detailed analysis of the introduced features, it was possible to identify the prospective problems, that examiners can encounter, and document them. However, also new sources of evidence were discovered, replacing old and discarded sources. This paper provides a first look at the Windows 7 from the computer forensic perspective and is designed to help digital investigators in better understanding but also more effective forensic analysis of the system.
II
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Table of Contents Declaration ................................................................................................Error! Bookmark not defined. Abstract.....................................................................................................................................................................II Acknowledgments ..................................................................................Error! Bookmark not defined. Table of Contents ................................................................................................................................................ III List of Tables.......................................................................................................................................................V List of Figures................................................................................................................................................... VI 1.
Introduction .............................................................................................................................................. 1 1.1.
Rationale ................................................................................................................................................. 1
1.2.
Deliverables ........................................................................................................................................... 3
1.3.
Project constraints .............................................................................................................................. 3
1.4.
Audience....................................................................................Error! Bookmark not defined.
1.5.
This Document...................................................................................................................................... 4
2.
Background Research / Literature Review .................................................................................. 6 1.
Windows 7 Development versions .................................................................................................. 8
2.
Windows 7 final editions ..................................................................................................................... 9
3.
Internet Explorer 8.............................................................................................................................. 11 3.1.
InPrivate – Stealth Browsing ....................................................................................................... 11
3.2.
Suggested Sites .................................................................................................................................. 13
3.3.
Session Recovery .............................................................................................................................. 14
3.4.
Index.dat files..................................................................................................................................... 16
4.
Folder Structure ................................................................................................................................... 19 4.1.
Libraries ............................................................................................................................................... 19
4.2.
Windows Search and Federated Search .................................................................................. 20
4.3.
User folders......................................................................................................................................... 21
5.
New Taskbar and Jump List ............................................................................................................. 23 6.
BitLocker ................................................................................................................................................. 28
6.1.
BitLocker in Windows Vista ......................................................................................................... 28
6.1.1.
Introduction ................................................................................................................................... 28
6.1.2.
Authentication Methods ............................................................................................................ 28 III
First Look at the Windows 7 Forensics
Piotrek Smulikowski
6.1.3.
BitLocker Identification............................................................................................................. 29
6.1.4.
BitLocker Acquisition ................................................................................................................. 31
6.2.
BitLocker in Windows 7................................................................................................................. 32
6.2.1.
Introduction ................................................................................................................................... 32
6.2.2.
BitLocker To Go ............................................................................................................................ 32
6.2.3.
BitLocker To Go Identification................................................................................................ 34
6.2.4.
BitLocker To Go Acquisition .................................................................................................... 37
6.2.5.
BitLocker changes........................................................................................................................ 38
6.3. 7.
Windows 7 BitLocker Conclusions ............................................................................................ 39 Registry Analysis.................................................................................................................................. 41
7.1.
Introduction........................................................................................................................................ 41
7.2.
Registry locations ............................................................................................................................. 42
7.2.1.
Time Information..................................................................................................................... 42
7.2.2.
Most Recently Used................................................................................................................. 43
7.2.3.
UserAsisst ................................................................................................................................... 45
7.2.4.
Autoruns...................................................................................................................................... 47
7.2.5.
Network information.............................................................................................................. 47
7.2.6.
Mounted Devices...................................................................................................................... 48
7.2.7.
USB Device Information ........................................................................................................ 49
7.2.8.
Internet Explorer ..................................................................................................................... 50
8.
Miscellaneous new Features and Changes................................................................................. 51 8.1.
Location and Sensors API.............................................................................................................. 51
8.2.
exFAT / FAT64 .................................................................................................................................. 53
8.2.1.
exFAT Identification.................................................................................................................... 53
8.3.
Partition Table ................................................................................................................................... 54
8.4.
XP mode................................................................................................................................................ 56
8.5.
Biometrics and Fingerprint support ..............................Error! Bookmark not defined.
8.6.
Uninstall Process ...................................................................Error! Bookmark not defined.
8.7.
Mix.......................................................................................................................................................... 57
8.8.
UAC..............................................................................................Error! Bookmark not defined. IV
First Look at the Windows 7 Forensics
9.
Piotrek Smulikowski
Methodology .......................................................................................................................................... 58 9.1.
10.
Hardware and Software used ...................................................................................................... 60 Conclusions ............................................................................................................................................ 62
10.1.
Research Achievements............................................................................................................. 62
10.2.
Actual Constraints........................................................................................................................ 64
10.3.
Reflections on Research..................................................Error! Bookmark not defined.
10.4.
Final Conclusions ......................................................................................................................... 64
10.5.
Future Work................................................................................................................................... 65
References: ................................................................................................Error! Bookmark not defined. Bibliography......................................................................................................................................................... 67 APPENDIX A – Windows 7 Editions Comparison Chart..................................................................... 74
List of Tables Table 1 Windows 7 Editions comparison (Protalinski, 2009) ............................................................ 9 Table 2. Behaviour of the Internet Explorer 8 InPrivate mode (Zeigler, 2008). ....................... 11 Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer Help ........................................................................................................................................................... 12 Table 4. File names and their respective application that store Jump List data ....................... 26 Table 5. Required Values for BitLocker stored in boot sector of an encrypted volume (Hunter, 2006) ...................................................................................................................... 30 Table 6. Short naming convention for root hives .................................................................................. 41 Table 7. Registry paths and corresponding files.................................................................................... 42 Table 8. Differences and similarities in registry key locations between Windows XP and Windows Vista. ...................................................................................................................... 45 Table 9. USB Information gathering process. Adapted from (SANS Forensics Blog, 2009)......................................................................................................................................................... 50 Table 10. Hardware and Software Specification of used PCs ........................................................... 60 Table 11. Windows 7 editions comparison chart source WIKIPEDIA........................................... 75 V
First Look at the Windows 7 Forensics
Piotrek Smulikowski
List of Figures Figure 1. Contents of the SuggestedSites.dat file, viewed in Hex editor. Visited URLs are underlined in Blue and Referrer URLs are highlighted in yellow.................. 13 Figure 2. Contents of SuggestedSites.dat file with visible header underlined in red and IE Browser version highlighted in yellow. ........................................................................ 14 Figure 3. Contents of the Active folder. In this example normal and InPrivate modes are used and have multiple tabs open. Note: this screenshot comes from Windows XP. ............................................................................................................................... 15 Figure 4. Contents of an example tab file. URL is highlighted in grey and page name is in yellow.................................................................................................................................. 16 Figure 5. index.dat file parsed with Pasco and imported by Excel ................................................. 18 Figure 6. XML code in library-ms file. The included folder path is highlighted in grey............................................................................................................................................................ 20 Figure 7. Contents of Search Connector configuration file. The domain search provider is highlighted in grey ....................................................................................................... 21 Figure 8. Start Menu properties window, allows user to disable the Jump List and customize contents of the start menu.......................................................................................... 24 Figure 9. Contents of the Jump List recent items file viewed in hex editor. Path to recent 'cos.png' file is highlighted in grey. This particular file, stores recent items list for Microsoft Paint. .......................................................................................................... 25 Figure 10. BitLocker Encrypted volume header of a boot sector in Windows Vista viewed in Hex editor
(Hargreaves & Chivers, 2007) ....................................... 31
Figure 11. Group Policy allow forcing users to encrypt USB sticks, (Funk, 2008) ................... 33 Figure 12. BitLocker To Go Reader window allows viewing files and exporting to local machine. Screenshot taken from Windows Vista ......................................................... 34 Figure 13. BitLocker To Go encrypted portable drive......................................................................... 34
VI
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 14. Contents of the BitLocker To Go encrypted portable drive. BitLockerToGo.exe file is clearly visible,
Screen shot taken from
Windows Vista. ..................................................................................................................................... 35 Figure 15. FAT32 volume encrypted with BitLocker To Go. MSWIN4.1 OEM Nam is highlighted in yellow and FAT32 file system highlighted in grey ................................ 35 Figure 16. BitLocker signature found on BitLocker To Go encrypted volume highlighted in yellow. Additionally original Computer Name, Drive Letter and Date were also found - highlighted in grey. ...................................................................... 36 Figure 17. Header of NTFS drive encrypted with BitLocker To Go viewed in Hex editor. The BitLocker singature -FVE-FS- is at 0x03 offset - highlighted in yellow. Interestingly it is marked as FAT32 file system highlighted in grey................ 36 Figure 18. BitLocker signature found on encrypted NTFS volume - highlighted in yellow. Computer name, Drive letter and Date were also found highlighted in grey............................................................................................................................... 37 Figure 19. Image shows binary data for the example UserAssist value. Underlined in red is the obfuscated program path, in green is the decoded path. Highlighted in yellow is the counter number and in blue is the time stamp in Hex........................................................................................................................................................ 46 Figure 20. Output from Date/Time converting application DCode. Highlighted in yellow is the time stamp from above example (see previous figure).............................. 47 Figure 21. exFAT partition signature 'EXFAT' ........................................................................................ 53 Figure 22. fdisk recognizes exFAT as NTFS with partition id=7...................................................... 54 Figure 23. Output from mmls tool, exFAT is recognised as NTFS................................................... 54 Figure 24. fdisk recognized two partition as NTFS............................................................................... 55 Figure 25. mmls tool displays the details and locations of the two partitions. ......................... 55 Figure 26. The output from the fsstat tool with details of the System Reserved (left) and Windows 7 partitions (right). ..................................................................................... 56
VII
1. Introduction Microsoft Windows is by far the most popular Operating System among typical computer users, as a result it has a great impact on computer forensics. Therefore there is no doubt that the introduction of the Windows 7 will have its footprint on forensics. The big question is what impact it is going to have, whether the existing methods will become obsolete or maybe there will be no forensically significant changes at all. Early opinions, suggest that digital investigators will not be forced to change their careers just yet. However information regarding the forensic issues of Windows 7 is very limited, there is no single detailed resource on the topic. This paper attempts to fill in the gap. It is intended that the research will provide forensic examiners with the starting point, first look at the issues surrounding the new Windows analysis. Through the in-depth discussion and examination of some of the relevant features, the study produced certain interesting findings. The paper is primarily aimed at the forensic examiners to aid them in the analysis of the new Windows 7 based computer. It is hoped that after reading the research, forensic investigators will gain more confidence when faced with the new system. Additionally through the analysis of the new sources of evidence, examiners will be able to produce stronger evidence. Various functionalities include features that work in examiner’s favour or against it. The challenges that the Windows 7 will bring could potentially have an impact of the forensic analysis. This research attempted to analyse and document them to raise examiners awareness. However, this is the first detailed analysis of the Windows 7 seen from the forensic point of view, while it may be regarded as comprehensive it is by no means the complete exhausted reference. It will take time and lots more research to achieve this and this paper tries to form a basis but also encourage for further studies on the topic.
1.1.Rationale The introduction of new software can bring a wide range of changes that potentially affect compatibility. This is especially true in the case of an Operating System which provides a basic functionality and platform for other software; it is a system that coordinates all computer actions. Since other applications rely on it, the way that they work is heavily dependent on the OS. Software for Apple Mac OS will not work on MS Windows Vista because it handles guest applications and data very differently. This is to be expected when it comes to different competitor’s platforms, however it can also be the case even on the same platform. For instance an application written for a Windows XP may or may not work under the Vista environment. Fortunately, over time, software developers modify their products so they work under the new system. The incompatibility issues may also affect 1
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Windows 7, however very few have been reported so far. It is important to remember that the problem can affect forensics both ways: Windows 7 as (a) a target PC or (b) analysis platform. While studying software alternatives, the research may reveal such problems with tested collection of applications. The research aims to discover the differences in the forensic analysis process between the new system and previous versions of Windows, namely Vista and XP. Windows XP was used as the main consumer OS for nearly 6 years, whereas the Vista will be replaced by the Windows 7 after little over 2.5 years. Given this much shorter development time it is not expected large amount of new features. Speculation suggests that this is refined version of the Vista, and some even say that it is what Vista was meant to be. Microsoft has dropped the introduction of the new Windows File System which would have had a very significant impact on forensic analysis. It is also possible that very few changes actually affect the process but this is the reason why this research is important; to find any major differences, if any, to the forensic analysis procedures. Certainly, the time it will take for Windows 7 to be adopted by the majority of the PC market will be substantial and, similarly in the computer crime world, it will slowly gain popularity. Although in current financial climate forecasts about computer sales vary but the Windows market share should be preserved. This means that when Windows 7 is released, 93% of new home computers sold, will be with this Operating System (NET APPLICATIONS, 2009). Therefore it is going to become the main OS used by home users and it is safe to assume that criminals will start using the new system as well, and the sooner forensic specialists become familiar with the system the better. The main beneficiaries of this study are thought to be forensic investigators and researchers. Analysts will learn how important to the analysis process the changes are, which techniques still apply, what could be a new source of forensic evidence. It will help to them to choose appropriate techniques in order to recover as much evidence as possible from the new system. Results from the study could form a solid basis for further forensic research on the more specific issues of the Windows 7. The aim is to provide researchers with an overview of the new features and overall changes to the system architecture and how important they are to the forensic analysis process. If the research finds substantial differences that require further, more in depth analysis they could become a basis for more detailed and focused study. However, if findings from the research state that there are no changes to the forensic analysis procedure, it could still be considered as a successful study since there is no other published research, at least at the time of writing, which tries to examine the new system. Therefore it might be beneficial to the computer forensic community to establish that as a 2
First Look at the Windows 7 Forensics
Piotrek Smulikowski
fact, if this is the case. Hence, regardless of the findings of the research, it can still be valuable paper in a forensic field, provided of course that the research has been properly executed. Literature available on the topic of Windows 7 and forensics is very limited and it is believed that this paper would fill this particular gap and possibly encourage forensic community to undertake further work in this field. Last but not least from my personal point of view I hope to learn more about the forensic analysis of Windows based computers. During the course of my studies I got to know many techniques applicable for the Microsoft system but I realise that further development of my practical and theoretical knowledge is required to become good and effective investigator. I believe that extensive research of the platform can give me ‘an edge’ when applying for employment after graduation. This is why I treat this research very seriously and hope that it could open doors for me upon successful completion of the project.
1.2.Deliverables The following quote comes from the research proposal and discusses the deliverables: “When the research will be finished the following deliverables are expected:
Review of the changes that have an impact on the forensic analysis. Comparison to the previous Windows systems analysis process. Identification of the new sources of evidence if such exists. Review and validation of the old, known evidence sources. Evaluation of the tools with regard to the new system. Draft of the forensic analysis procedure of the Windows 7. (not a key requirement)“
The research aims to deliver few different objectives, all oriented around the forensic analysis of the Windows 7. First being a review of the changes and new features that could potentially affect the examination. It is partially theoretical study of new features in order to highlight the forensically significant ones but also it includes the practical approach where features are examined on the actual PC running Windows 7.
1.3.Project constraints The research is focused around Windows 7 which is not yet a finished product. This provides a strong argument for undertaking the study because it ensures the novelty factor.
3
First Look at the Windows 7 Forensics
Piotrek Smulikowski
However it also introduces the risk that the final product will vary substantially from the version examined. As a result it could potentially void results from the research. However, the version examined (RC) is thought to be very similar to the final version with only minor cosmetic changes rather than changes in core functionality and features so this should not affect the results. Additionally, in order to improve the relevance of the research it would be desirable to wait until the final version is publically available. However, due to the fact that deadline for the research is nearly two months before official release it is infeasible to do so. Due to the fact that there is very little information on the topic it is difficult to find any new sources of evidence. The Operating System is very complicated in its nature therefore it is nearly impossible to identify all changes by manual exploration or uninformed search. Structures like Windows Registry are incredibly complex and it would be impractical to crawl through all registry keys and check for any evidence. This problem is addressed by employing informed search which limits data set to the most likely candidates. For instance, rather than analyzing all new features only those that could potentially be storing any evidence would be analyzed, thus maintaining a balance between accurate results and effective use of time. In addition, attempts will be made to contact experts in Windows forensics, including Microsoft staff. Another constraint that may have an impact on one of the deliverables is the availability of forensic software. Forensic software packages like, for example, EnCase tend to be very expensive. Moreover many manufacturers do not publish evaluation versions, and while this might stop ‘warez’ community from reverse engineering or devising anti-forensic techniques it also makes it very difficult to accumulate a collection of software to evaluate its behaviour on a new version of the Operating System. While majority of investigators work on integrated forensic packages like EnCase, FTK or X-Ways Forensics there are also free alternatives. Fortunately, selections of tools from a wide range of freeware and open source software can be easily assessed. As with many projects, the time limit is a crucial constraint that effectively shapes the whole research. Therefore effective time management is highly important in order to bring research to a successful conclusion. Regular meetings with supervisor ought to help keep progress on track.
1.4. This Document This paper was written as a dissertation for MSc Forensic Informatics course at the Strathclyde University. The project was guided by Lothian and Borders Police department. 4
First Look at the Windows 7 Forensics
Piotrek Smulikowski
As requested in the departmental guidelines the font size is 12. However, the 1.15 line spacing was used in order to reduce paper wastage, which was agreed with the supervisor. References are submitted in Harvard – Leeds style, following patterns outlined in Postgraduate Handbook. Special plug-in for Microsoft Office Word 2007 is used in order to keep consistency of referencing (CODEPLEX, MICROSOFT, 2009).
5
First Look at the Windows 7 Forensics
Piotrek Smulikowski
2. Background Research At the time of writing the research Windows 7 has not yet been released to the public. As mentioned before with a release of any new version of Windows there is a lot of talk around it. Windows 7 has already made headlines but they mostly focus on the usability of the system, its performance, compatibility or pricing. Many Information Technology web portals and magazines have published a wide variety of articles and tutorials regarding the new features included in Windows 7. One such example is the article from Ars Technica about its Graphical User Interface (BRIGHT, P, 2008). In addition many independent websites are rising that are exclusively dedicated to the new Windows such as windows7news.com. Microsoft is actively working on expanding its knowledge base available through Microsoft TechNet Library website (MICROSOFT), where IT professionals can find useful resources about Microsoft products. This portal contains, among others, articles on BitLocker, AppLocker or Security Enhancements of Windows 7. This knowledge base is oriented mainly towards developers or security specialists. There is, however, very little information available on the new OS from the forensic point of view. All of the existing sources are limited to individual posts on forensic community forums or blogs. No articles are published on the subject and the gap has not been filled by Microsoft. According to an anonymous source, the Redmond based company delivers closed seminars for Law Enforcement agencies, which are not disclosed to the public. Some of these materials were made available, with permission, for the purpose of this research. One of the most popular forums with a strong forensic community is forensicfocus.com. So far there have been only few discussions involving the new Windows. For instance, user oasol reported the first case based on Windows 7 (OASOL, 2009). Whereas user jenskr reported that some of the major forensic packages are compatible with 32 bit version of Windows 7 (JENSKR, 2009).In order to learn more details about the new OS in context of forensics a forum thread was created and although it had large number of the views very little response was noted. User MMachor reported that the 7 “is really from a forensic aspect very similar to Vista” and suggested that Recycle Bin, Prefetch and some other areas examined by him have not changed (MMAHOR, 2009) but he fails to go in to greater detail. The blog run by Harlan Carvey (user keydet89), the author of many forensic publications including Windows Forensic Analysis book, provides details of certain aspects of Windows 7 forensics (CARVEY, Harlan, 2009). He suggests that usability features like Jump List are “going to be a gold mine for an analyst”. This view is shared by other testers too; they believe that it can provide information similar to Most Recently Used registry keys. Carvey 6
First Look at the Windows 7 Forensics
Piotrek Smulikowski
also confirmed compatibility of his own tool RegRipper (CARVEY, Harlan and Shavers, Brett, 2009) designed to extract forensic data from registry hives, and upon loading registry keys from the Windows 7 he was able to view evidence data as expected. Due to the tool’s component build some plug-ins responded better than others to the changes in new system. Analysis of unsuccessful extractions of data can help to determine differences between new OS and its predecessors. Carvey also announced, shortly after presentation of his second edition of the book, that the third edition would include forensic analysis of the new Microsoft OS incarnation. An article from Didier Stevens’ blog reported that UserAssist key in registry, which holds shortcuts to most frequently used applications displayed in start menu in Windows, is obscured with Vigenère cipher unlike ROT-13 in previous versions (STEVENS, Didier, 2009). It was first found on Beta version of Windows 7, however it was then reverted back to the ROT-13 in RC version. Former Microsoft developer, Steve Riley claims that it was used by their team in order to more easily identify changes after a system upgrade and was only introduced for development purposes and therefore it was not necessary to be carried forward to final version. Later research showed that the cipher was indeed changed back to ROT-13 in the RC version. Although, as shown above, some information with regard to forensics and Windows Seven is available it is still very sparse and incomplete; there is obvious lack of one integrated source of information that could form an early reference for examiners. Blogs can be very knowledgeable source however it is not easy to find all the information available if it is spread over many different sites. Because of the lack of information on Windows 7, reference sources about Vista were analysed in order to help with verifying new features in the updated system. These can help to make ‘informed’ analysis of the new system. If some features were newly introduced in the previous system they are likely to be changed or improved upon and this could potentially create new sources of evidence. After Windows Vista was released back in January 2007 many examiners wondered how it was going to affect the forensic analysis process. It was not long before the first articles were published. One of the first was the “Notes on Vista Forensics” part One and Two by Jamie Morris founder of Forensic Focus (MORRIS, Jamie, 2007) posted a little over a month after release. It provided “ a high level look at what we know now about those changes in Vista which seem likely to have most impact on computer forensic investigators” (MORRIS, Jamie, 2007).
7
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Lecturers from Cranfield University published a paper called: “Potential Impacts of Windows Vista on Digital Investigations”, that follows a similar approach but that goes into greater detail (HARGREAVES, C and Chivers, H, 2007). It analyzes new features and system changes from the forensic perspective. Another interesting paper was presented at the Computer and Enterprise Investigation Conference 2007 (CEIC)(MUELLER, Lance, 2007) by Lance Mueller from Guidance Software (GUIDANCE SOFTWARE INC., 2009), the company that created EnCase. The author undertook a detailed examination of changes introduced in Vista like e.g. NTFS file system update.
1. Windows 7 Development versions When Microsoft released Vista in January 2007, Windows XP had been on the market since October 2001, which means that its lifespan was over a five and half years. The new system did not have a good start with numerous ‘Vista Issues’ including mainly the performance and compatibility problems. This has resulted in the relatively low popularity of the Vista. Microsoft decided to shorten the life of Vista to just two and a half years in favour of the new version. Obviously, Vista is still going to be supported by Microsoft; however, the main development is dedicated to the Windows 7. Close to the date of finishing the Windows 7, Microsoft released Service Pack 2 for Vista, to help to bring it up to date especially in the light of Windows 7. The newest OS has been well received by testers and is expected to have much better start based on early pre-order sales figures. According to the BBC: “Amazon said that sales of Windows 7 in the first eight hours it was available outstripped those of Windows Vista's entire 17 week pre-order period” (BBC NEWS UK, 2009). Microsoft released the first build of the Windows 7 to the public on the 9th of January 2009. Build 7000 was a Beta release signifying an early development stage, however it provided the first insights into the feature sets available in the final version. Some of the big changes were discarded, like the new file system replacement of the NTFS, which would have an enormous affect on forensics in general, and file recovery in particular. It became a very popular download, and many IT savvy people tried it, including some forensic examiners like Harlan Carvey - author of the previously referenced blog posts. The reception it received was much better in comparison to Vista. However, it was a popular belief that the new system did not carry many changes; that it was just an improved Vista. This view was reinforced when Steve Ballmer, Microsoft’s CEO, said: “Windows 7 will be more like Windows Vista, but a lot better!” (PARRISH, Kevin, 2008). On 5th of May 2009 Microsoft made Release Candidate (RC) public. Version 7100 addressed feedback from testers and GUI improvements but feature changes were minor (MSDN BLOG, 2009). 8
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Since the first announcement about Windows 7, Microsoft has moved the expected release date numerous times and some has suggested it might be as late as mid 2010. However, as development versions were progressing, it seemed as if the final date would be much earlier. On 2nd of June 2009, Brandon LeBlanc wrote on Windows Blog and confirmed that the General Availability date is 22nd of October 2009 (LEBLANC, Brandon, 2009). Although, developers and OEM Manufacturers were meant to be getting the final version sooner. Few weeks later on 24.07.2009 Windows 7 was finally signed off by internal testing group which meant that it met quality control and reached Release To Manufacturing (RTM) status (LEBLANC, Brandon, 2009). At this point build 7600 was released to OEM Manufacturers for deployment purposes.
2. Windows 7 final editions As with Vista, Windows 7 comes in wide variety of editions. However the line up has changed slightly. With 6 different versions available varying feature sets. Emil Protalinski from Ars Technica (PROTALINSKI, Emil, 2009) compared them:
Windows 7 Starter (worldwide via OEM only): up to three concurrent applications, ability to join a Home Group, improved taskbar and JumpLists
Windows 7 Home Basic (emerging markets): unlimited applications, live thumbnail previews and enhanced visual experience, advanced networking support
Windows 7 Home Premium (worldwide): Aero Glass and advanced windows navigation, improved media format support, enhancements to Windows Media Center and media streaming, including Play To, multi-touch and improved handwriting recognition
Windows 7 Professional (worldwide): ability to join a managed network with Domain Join, data protection with advanced network backup and Encrypting File System, and print to the right printer at home or work with Location Aware Printing
Windows 7 Ultimate (worldwide): BitLocker data protection on internal and external drives, DirectAccess for seamless connectivity to corporate networks based on Windows Server 2008 R2, BranchCache support when on networks based on Windows Server 2008 R2, and lock unauthorized software from running with AppLocker
Windows 7 Enterprise (volume licenses): same as Ultimate, includes the following improvements: DirectAccess, BranchCache, Search, BitLocker, AppLocker, Virtualization Enhancements, Management, as well as Compatibility and Deployment.
Table 1 Windows 7 Editions comparison (PROTALINSKI, Emil, 2009)
9
First Look at the Windows 7 Forensics
Piotrek Smulikowski
To sum up: Starter is designed for low spec hardware – Netbooks, with heavily limited features. Home Basic edition is only for emerging markets whereas Home Premium, Professional and Ultimate are mainstream editions, available for retail sale. Enterprise is available only via Volume Licenses. Upgrading will only be available to mainstream editions. Analogically to Vista one installation disk can support all editions, the type of licence is determined on a basis of Product Key. Due to the European Commission decision that Microsoft had violated European competition law by offering Internet Explorer (IE) browser as a default browser, the company decided to remove IE from the European version of Windows 7 (CLARKE, Gavin, 2009). As a result the special version called ‘Windows 7 E’ would not allow upgrades and so making the cost of the new Windows higher as only the full version would be sold. The issue was eventually resolved by introducing the ‘Web Browser Ballot’ screen allowing for choice of alternative browser (FIVEASH, Kelly, 2009). For a detailed comparison of the Windows 7 editions please see Appendix A.
10
First Look at the Windows 7 Forensics
Piotrek Smulikowski
3. Internet Explorer 8 Internet Explorer 8 (IE8) is the newest Web Browser developed by Microsoft as the default browser for Windows. It is bundled in Windows 7 but it is also offered as a recommended update for an IE7 on Vista or XP. Therefore some investigators may have already experienced examination of the new version. However it is important to note that there are substantial differences between releases for different platforms, XP in particular, due to improvements in privilege management on newer platforms. The newest release claims significant enhancements in security such as Click-Jacking prevention or Cross Site Scripting filters.
3.1. InPrivate – Stealth Browsing Microsoft followed other browser makers like for instance Safari and introduced stealth mode in the newest version. The InPrivate feature allows browsing the internet without leaving traces on a local machine. Certainly it has an impact onto forensic analysis of the new browser as an investigator has very little, if any, chances of reconstructing suspect’s online activity. By default when user starts a browser, the standard mode is launched and user activity is recorded in a normal manner, it is when user enables the InPrivate browsing (Safety > InPrivate Browsing) that the stealth mode is launched in another window. Behaviour of the browser changes only for the InPrivate session, thus if user has had standard window open, its history would be stored as normal, whereas the activity within the stealth mode window would be discarded. According to IE Microsoft Blog (ZEIGLER, Andy, 2008) InPrivate Browsing changes the behaviour in the following way:
New cookies are not stored o All new cookies become “session” cookies o Existing cookies can still be read o The new DOM storage feature behaves the same way New history entries will not be recorded New temporary Internet files will be deleted after the Private Browsing window is closed Form data is not stored Passwords are not stored Addresses typed into the address bar are not stored Queries entered into the search box are not stored Visited links will not be stored Table 2. Behaviour of the Internet Explorer 8 InPrivate mode (ZEIGLER, Andy, 2008).
Analysis showed that the wording of the above list (Table 2) is crucial because it means that only new history entries are not recorded. However, all other attributes such as Cache are recorded but deleted when the InPrivate windows is closed. It opens a possibility for 11
First Look at the Windows 7 Forensics
Piotrek Smulikowski
those files to be recovered by specialist data recovery tools. Alternative explanation (Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer HelpTable 3) of the browser behaviour in the InPrivate mode comes from the Internet Explorer Help. Information Cookies Temporary Internet files Webpage history Form data and passwords Anti-phishing cache Address bar and search AutoComplete Automatic Crash Restore (ACR) Document Object Model (DOM) storage
How it is affected by InPrivate Browsing Kept in memory so pages work correctly, but cleared when you close the browser. Stored on disk so pages work correctly, but deleted when you close the browser. This information is not stored. This information is not stored. Temporary information is encrypted and stored so pages work correctly. This information is not stored. ACR can restore when a tab crashes in a session, but if the whole window crashes, data is deleted and the window cannot be restored. The DOM storage is a kind of "super cookie" web developers can use to retain information. Like regular cookies, they are not kept after the window is closed.
Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer Help
When privacy mode was first announced in 2008, it soon was unfavourably known as a ‘porn mode’ as it was believed to cover all browsing tracks. It produces mixed feelings in system administrators’ community since it could create opportunity for employees to abuse online access. Some argued that it should be disabled (AARON, 2009), what can be done setting up a Group Policy. According to Microsoft the InPrivate functionality is designed to stop casual computer users from “gaining access to the browsing history”. The IE team suggest that it should be possible to retrieve the online activity: “The feature isn’t designed to protect a user from security experts or forensic researchers” (SHARP, John, 2008). Shortly after a Beta version has been released it was examined by the investigators from the FoxIT forensic firm and it was found that it was possible to determine visited websites (SHARP, John, 2008). Christian Prickaerts claims that the feature is “mainly cosmetic” and that: “For a forensic investigator, retrieving the browsing history should be regarded as peanuts. The remaining records in the history file still enable me to deduce which websites have been visited” (SHARP, John, 2008). It is important to emphasise that tests were undertaken on the Beta version and unfortunately the method used by researchers was not disclosed.
12
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Furthermore a Delete Browsing History window ( Safety > Delete Browsing History > Preserve Favorites website data ) now provides option for tracking data for websites marked as Favourites. Essentially if a user added msn.com to Favourites then Temporary Internet files and cookies would be preserved even though the other history data has been deleted using IE8. To complement Microsoft’s care for user’s privacy, InPrivate filtering feature was developed (ZEIGLER, Andy, 2008) 2008).. If enabled by user, it informs him about tracking attempts by a third party websites and allows blocking such attempts. User can specify his own list of blocked sites or use list predefined by Microsoft.
3.2.Suggested Sites The new ew Suggested Sites feature aims to deliver website recommendation based on other users’ online activity. If user opt opt-in to use this feature, his history is analyzed and sent to Microsoft servers where stripped from identification data data, it contributes to suggestions suggestion database. Most commonly visited websites in user’s category would be recommended to him the system.. It is important to note that no information iiss collected while InPrivate session is enabled. The Suggested Sites capability has its own binary file called SuggestedSites.dat that is stored in C:\Users\<username>\AppData AppData\Local\Microsoft\Windows\Temporary Temporary Internet Files\Low\ folder. The file is create created automatically when user opts-in in to use the feature and its default size is 5,121 KB, regardless of the contents. Its structure is different to the index.dat therefore it cannot be parsed by a Pasco tool (JONES, Keith, 2003). 2003) Microsoft did not publish any documentation of th this particular format. When loaded into Hex editor a certain pattern can be seen.
Figure 1.. Contents of the SuggestedSites.dat file, viewed in Hex editor. Visited URLs are underlined underli in Blue and Referrer URLs are highlighted in yellow.
Figure 1 presents contents of the file where each of the new entries is marked by ‘ character and followed by a visited URL URL, here underlined in blue. Next ext is the page name as appears on the top bar of the browser and finally is the R Referrer URL, highlighted in yellow. 13
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Rest of the data is currently not recognized. The header of the file is also different to index.dat files. It contains unidentified data data, followed by Internet Explorer version at the 0x60 offset as it can be seen at the Figure 2.
Figure 2. Contents of SuggestedSites Sites.dat .dat file with visible header underlined in red and IE Browser version highlighted in yellow.
According to the details of the Suggested Sites functionality the above file does not record history during the HTTPS sessions or InPrivate mode. Additionally, in order to provide user with a control, the functionality is designed to delete the particular history entries if user decided to delete the record from the browser history history.. In a forensic examination, examination analysing data in a history index.dat file should take priority since it provides more information. However, in a scenario where user deleted the history using third party software rather than built in method, there is a high possibility that the SuggestedSites.dat file was left. Currently it is the latest version of CCleaner that is capable of removing the file (PIRIFORM LTD, 2009) on a live system since it is protected by the OS.
3.3.Session Recovery Microsoft boasts great improvements in the stability of a new browser. Developers spent a lot of effort on improving reliability thus new technologies like for instance Automatic Tab Crash Recovery were introduced. It is designed to isolate single tab that crashed from the rest, so that the other tabs are not affected. However, in order to implement this feature developers had to introduce monitoring mechanism that records current and previous browsing session. These are stored in the following folders:
14
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Windows 7, Vista
C:\Users\<username>\AppData\Local\Microsoft\ Internet Explorer\Recovery\Active \Last Active
Windows XP
C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active \Last Active
The Active folder stores current session data, whereas Last Active folder keeps previous browsing session data. Once a current session is closed, the contents of the Active folder are moved to the Last Active directory, thus overwriting the previously stored session. Deleting the browser history also causes removal of the folder contents. The session data is recorded even in InPrivate mode however, once a window is closed it automatically deletes contents of Active folder. In fact it is deleted only if the iexplore.exe process terminates successfully. However, if the whole application or the whole system crashes, the contents of Active folder are not deleted. This could create an opportunity for forensics to recover details of InPrivate session which would be otherwise difficult to obtain. Applications of this method are mostly limited to the scenario where suspect was caught in ‘action’ and officer at the scene simply pulled the power plug. Each of the folders contains two types of files: RecoveryStore.{xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx}.dat and {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.dat, which are created onthe-fly whenever IE8 is used. The first type is used as a manager for other files, one instance is created for each of the browsing modes – normal and InPrivate, regardless of a number of windows opened. Latter type represents a single Tab and is created whenever a new one is opened. Figure 3 presents Active folder, in this case, two modes are used, normal and InPrivate, because two RecoveryStore files exists. On top of that multiple tabs are open. Please note that although the screenshot was taken from Windows XP the browser behaviour in this case is the same as in Windows 7.
Figure 3. Contents of the Active folder. In this example normal and InPrivate modes are used and have multiple tabs open. Note: this screenshot comes from Windows XP.
15
First Look at the Windows 7 Forensics
Piotrek Smulikowski
The file names are Globally Unique Identifiers (GUID) generated randomly by Windows. It is important to note that file names are generated they remain the same regardless of the contents. Therefore if a suspect used a single browser window and with a single tab for many websites, the contents of a file will change but the file name will persist. Because the files are in a binary format, they have to be analysed with a hex editor. The RecoveryStore files do not seem to contain any comprehensible data, it is the tab files that bring more information when analysed. Figure 4 shows an example where, website URL and its name are stored in file.
Figure 4. Contents of an example tab file. URL is highlighted in grey and page name is in yellow.
However, the structure of the tab files can be very complex since the same file is used for as long as the corresponding tab is open. Therefore, if user was only using one tab for many different sites, all browsing history would be stored in a single file. It can be confusing as different sites seem to be nested in one another using some unknown data structures. The order in which the URLs appear varies and it may seem chaotic. Nevertheless in all tested examples, the first URL that is in a file was always the most recent URL. In addition tab files can also store page specific content such as html, java scripts or xml. These are stored after a tab history, in the second part of file. As a result a tab file can increase in size substantially, from the initial 5KB, for an empty tab.
3.4.Index.dat files Changes made to IE8, in comparison to IE7 mostly focused on adding new features rather than on redesigning the whole structure. Therefore backward compatibility is being maintained. This has a positive impact on a forensic analysis because it allows examiner to adopt familiar techniques and tools in order to retrieve valuable information. As in previous versions the index.dat file is used as a store for all web related data, such as cache, history or cookies. Each of these artefacts – containers, has its own folder and a index.dat file within it. The IE7 on Vista has introduced Protected Mode which is limited privilege mode for browsing internet, for increased security. As a result, within each of 16
First Look at the Windows 7 Forensics
Piotrek Smulikowski
containers a new folder called Low exists which holds Protected Mode sub-container. Additionally when the Internet Explorer is in the Protected Mode all add-ons are installed in a Virtualized location and a registry key: Virtualized Location
C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
Virtualized registry key
HKCU\Software\Microsoft\Internet Explorer\Internet Registry
Containers are spread around the user’s profile application data and their locations are consistent with previous versions: Cache Container for storing cacheable web content like images, pages, scripts. Every entry has a source URL and name of the file in Content.IE5 folder. Files are stored until expiry date is reached C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
Visited Links Stores clicked URL links and AutoComplete data, used to highlight visited links. C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
History History container for specific time frame between start date and end date. C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5\ MSHist01<startdate><enddate>\index.dat
Cookie Container for mapping individual Cookie files to their associated URLs with additional metadata C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
RSS Feeds Cache Stores record of RSS feeds added by user
17
First Look at the Windows 7 Forensics
Piotrek Smulikowski
C:\Users\<username>\AppData\Local\Microsoft\Feeds Cache\index.dat
Due to the fact that the format of the index.dat files has not changed, examiners can use existing tools to analyse user’s web activity for instance, Pasco by Keith Jones (JONES, Keith, 2003). It parses the binary file and exports the tab delimited text file. Figure 5 shows parsed contents of a IE8 Cache.
Figure 5. index.dat file parsed with Pasco and imported by Excel
Paths to the individual containers (PERNICK, Ari, 2006) remained unchanged therefore a lot of current forensic tools should be compatible with the new IE version correctly. One of the examples, apart from the Pasco are the NirSoft applications (SOFER, Nir, 2009). They manage to successfully retrieve cache files history or even certain passwords. However, as in Vista, most of the tools should be run ‘as Administrator’, in order to overcome privilege limitations.
18
First Look at the Windows 7 Forensics
Piotrek Smulikowski
4. Folder Structure With the release of Windows Vista the Documents and Settings folder was discarded and user profile was moved to Users folder using the Known Folder Id system. Although it did not affect programs functionality thanks to the Reparse Points, but it required time for users to get feel comfortable using it. In Windows 7 there are no such differences in a physical directory structure. However there are differences in a logical layout. Microsoft introduced the Library functionality which allows users to have all their files in one logical location yet having actual files distributed all over the PC or even network. Idea is similar to an audio playlist and collection of mp3 files. Introduction of Libraries allowed for more advanced search capabilities called Federated Search. In addition Microsoft brought back the old naming scheme in a format of e.g. ‘My Documents’.
4.1.Libraries Default Libraries are Documents, Music, Pictures, Videos, however, user can add his own types. One of the main requirements is that a folder that is added to the Library has to be indexed, as it allows for a fast searching of the contents. Fortunately, since the new scheme affects how a third party programs handle for example ‘Save file as’ dialog box functionality, Microsoft documented Libraries feature in detail (KIRIATY, Yochay and Fliess, Alon, 2009). The individual library files are named in the following format:
Files are stored in the XML hence their structure is clear, after initial header tags, every folder that is included in the library wrapped with the following code: <searchConnectorDescriptionList> <searchConnectorDescription publisher="Microsoft" product="Windows"> <description>@shell32.dll,-34577
19
First Look at the Windows 7 Forensics
Piotrek Smulikowski
From the forensic point of view view, the most important field is the
Figure 6. XML code in library library-ms ms file. The included folder path is highlighted in grey
Once the feature becomes commonly used by end userss then this could prove to be valuable source of information of user’s setup, where important files are being kept. kept Microsoft believes lieves that Libraries could be a structure for all user files. The advantage being, being that user can add folders from all locally av available resources, such as an external hard drive, HomeGroup or a network. Examiner then could easily find important storage devices, vices, locations which were used and include them in the investigation. Additionally, because indexing is a prerequisite for a folder to be part of a Library, indexed locations can be investigated in order to find user specified places. They are recorded in Registry in the following key: HKLM\SOFTWARE\Microsoft\Windows Windows Search Search\CrawlScopeManager\Windows\ SystemIndex\WorkingSetRules WorkingSetRules
4.2.Windows Windows Search and Federated Search Windows Search 4.0 has been introduced as an update for the Vista; however, however the introduction of Libraries extended the applications of the search engine. Arrangement View allows to customize the view of library contents based on a metadata, for example in the Pictures Library, ‘by Year’ view would organise all photos in stacks fo forr different years. Another feature, called Search Filter Suggestions Suggestions, allows user to select a predefined metadata filter and a value, in order to view files matching that criteria. Therefore, if user
20
First Look at the Windows 7 Forensics
Piotrek Smulikowski
wants to find music files of a specific genre, he can ei either ther select ‘genre:’ filter or type it in, then possible genre types would be suggested for him to select. Search functionality can be extended even further with the Federated Search. It allows sending queries to external data sources, such as databases o orr web content, as long as they support OpenSearch technology. In practice, user can simply download Search Connector file (*.osdx) and then query contents of the website, all via Windows Explorer. Such configuration files exist for popular websites such as YouTube or Flickr (DMEX, 2008). 2008) When user downloads and runs the *.osdx setup file, a <domainsearchname>.searchconnector searchname>.searchconnector-ms file is created and stored in <username>\Searches\ <username> folder. The contents of the file are stored in XML format, the most interesting field, from the forensic perspective, is the <domain> where domain of the host is recorded, as seen on Figure 7.
Figure 7.. Contents of Search Connector configuration file. The domain search provider is highlighted in grey
Additionally, as in Vista, user can save specific search query if it is being reused. The Saved Search details are stored in <searchname>.search <searchname>.search-ms file also in the same folder <username>\Searches\. The XML file has three significant fields:
- determines locations to be searched e.g. C: C:\Users Users
These search techniques will most likely be used by advanced users, therefore examiners will probably rarely need to investigate these artefacts. However if this method is used by a suspect it could add dd important information to investigation.
4.3.User folders Windows 7 has old, XP style, names for default user folders, unlike Vista which introduced different layout of user profile files. As a result the Documents folder is by default named ‘My Documents’, s’, other folders like Music, Pictures and Videos are also affected. When folders were examined in WinHex, which shows physical structure of files, it became clear that these folders are Reparse Points to the standard, Vista Vista-style style folders. Reparse Point is an implementation of a junction on NTFS file system, whereas junctions are logical links
21
First Look at the Windows 7 Forensics
Piotrek Smulikowski
pointing to another folder on Operating System level. They are transparent; hence user rarely notices a difference between an actual folder and a Reparse Point. Since the actual locations of the folders are consistent with the layout known from Windows Vista, forensic examiner can simply examine already known folders within the C:\Users\<username>\ location.
22
First Look at the Windows 7 Forensics
Piotrek Smulikowski
5. New Taskbar and Jump List One of the most prominent GUI feature in Windows 7 is the new Taskbar and the integrated Jump List; designed as an interactive combination of quick launch shortcuts with taskbar buttons, plus application specific common tasks. It allows user to have access to most frequent tasks such as ‘Play next song’ in Windows Media Player, directly from the taskbar. Additionally user can also choose the most recent or frequent files handled by this application. This part of functionality is significant to forensics, as it could provide new sources of evidence. Since the Windows 7 Beta was released, this feature was talked about, also in forensics community. Harlan Carvey said: “from a forensic perspective, this "Jump List" thing is just going to be a gold mine for an analyst, much like RecentDocs and UserAssist keys have been since Windows 2000” (CARVEY, Harlan, 2009). Microsoft encourages developers to make use of these new functionalities in their software, to further integrate application to the Operating System. The company provides them with detailed documentation, video tutorials and walkthroughs on how to implement the new taskbar functionality. However, as with other features, little is known about how the features work or where data is being stored. After an extended research, on Microsoft Developers Network the following was found: In addition to updating its list of recent documents, the Shell adds a shortcut to the user's Recent directory. The Windows 7 Taskbar uses that list and Recent directory to populate the list of recent items in the Jump Lists. (YOCHAYK, 2009) Therefore, it is clear that recent files displayed in Jump List are the same as in the <username>\Recent directory. This data is simply duplicated, only presented in a more approachable manner to the user. Anytime you double click on a file type with a registered handler [application that supports the file type], before Windows launches your application it automatically calls SHAddToRecentDocs on your application's behalf. This inserts the item in the Windows Recent list and eventually into the Jump List Recent Category. (YOCHAYK, 2009) The above fragment explains mechanism in which items are added to the Windows Recent list and the Recent folder, what forms a basis for the Jump List recent items. In addition to the recent and frequent lists, developers can add their own customized item list. This is the part that could make investigation of the Jump List worthwhile. Unless an application uses customized item list, by default a Jump List would only contain items from 23
First Look at the Windows 7 Forensics
Piotrek Smulikowski
the Recent directory. In such scenario, investigator can much easier navigate into the directory to view links to recently accessed documents or location rather than trying to find data artefacts in the system. However user can also ‘pin’ an item, in order to permanently keep it in the Jump List, which would be recorded in jump list data store but could uld be removed from the Recent directory. The Jump List feature is enabled by default, however user can disable it from the Control Panel > Taskbar and Start Menu in the second tab called Start Menu as seen on Figure 8. The first option records recent applications displayed in a start menu and the second checkbox switches on or off the Jump List functionality. This is also the only way to clear the list, user has to un-tick tick the box and click apply, then if needed the function can be rere enabled but with the emptied list. The pinned items remain in the list until being removed by a user. Further customization can be done by clicking the Customize button, where user can, among other things, add the recent items to the start menu like in previous versions of Windows.
Figure 8.. Start Menu properties window, allows user to disable the Jump List and customize contents of the start menu.
From the forensics rensics standpoint this feature can indeed become a valuable source of information, especially if suspect deleted contents of the <username>\Recent folder. Until very recently it has not been known where the recent item data is stored. Although some suggested ted that it might be in registry stored on a per per-application application basis, however, there was evidence that it was not the case (JODO3333, 2009).. This lack of information from Microsoft has frustrated some of beta testers. Later, one of the users from the forum suggested that the path to the files is: C:\Users\<Username>\AppData\Roaming Roaming\Microsoft\Windows\ Recent\automaticDestinations utomaticDestinations,
this is in fact act the correct path as it was unofficially confirmed by Microsoft in their presentation for Law Enforcement only (MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009). 24
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Automatic Destination folder contains files responsible for the recent items on a Jump List. Every program that has items recorded in the list has its file stored in this directory. Files names are in a format XXXXXXXXXXXXXXXX.automaticDesitnations-ms, where name is about 16 digit long and the extension is ‘automaticDestination-ms’. When the Jump List feature is disabled, the contents of the folder are cleared. User can still perform tasks available for the application, however, no recent files are stored. Files are binary and it is not easy to understand the contents, especially as some of them can get large and complex. The default number of the recent items stored is 10 but it can be changed by a user. The order in which items are added to the list remains unclear. All files paths that are stored in the file, are part of application’s Jump List. The Figure 9 shows sample content of the Automatic Destination folder and clear text stored in the Jump List file, this particular file belongs to the Microsoft Paint application. The contents of the binary file seem chaotic however, forensic examiner should be able to determine the file paths recorded in the recent item list.
Figure 9. Contents of the Jump List recent items file viewed in hex editor. Path to recent 'cos.png' file is highlighted in grey. This particular file, stores recent items list for Microsoft Paint.
Numerous tests on different machines revealed that a naming pattern seems to appear: the file name represents specific application which is fixed. As an example the following file 1b4dd67f29cb1962.automaticDesitnations-ms is a store file for Windows Explorer. Analogically some of the other common applications were identified as seen in the Table 4: File name 1b4dd67f29cb1962. 918e0ecb43d17e23. 74d7f43c1561dc1e. 99189dc15d887da6.
Application Windows Explorer Notepad Windows Media Player Windows Disc Image Burner
25
First Look at the Windows 7 Forensics
adecfb853d77462a. b3f13480c2785ae. 5c450709f7ae4396. 9fda41b86ddcf1db. 23646679aaccfae0.
Piotrek Smulikowski
Microsoft Word 2007 Paint Firefox VLC player Acrobat Reader 8.0
Table 4. File names and their respective application that store Jump List data
In order to identify the pattern the files in the AutomaticDestination folder were viewed in a Hex editor and contents were compared against recent items in the Jump List. Once type of a program was known it was cross checked with files on different computers. This kind of naming model was present on the 3 tested machines. However, because no documentation is available, it has not been possible to verify if the pattern is true for every PC or installation. When the Jump List feature is disabled, the contents of the folder are cleared. User can still perform tasks available for the application, however, no recent files are stored. Additionally it was noted that the Windows Explorer’s recent items list behaves slightly differently than the rest. If user navigates to the e.g. readme.txt file and opens it, the handling application’s Jump List is updated but so is the Windows Explorer’s list. However if a user navigates only to the folder but does not open any files, the Jump List does not record the path. This is presumably because, no file was open no target was selected and destination path was not confirmed. Microsoft has also identified another folder with files responsible for the Jump List(MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009): C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Recent\customDestinations
It stores files in similar format e.g. 74d7f43c1561dc1e.customDestinations. It is unclear what exactly these files contain but it is believed that they allow applications to have their own, custom ‘destinations’ or tasks. When examined files contain various tasks for instance ‘Start InPrivate Browsing’ just like Internet’s Explorer 8 task. This theory goes in line with the Jump Lists (in development stage known as Destination Lists) description given by Microsoft: The Destination List is automatically populated based on frequency and recency of use for file-based applications. Additionally, an application can define custom destinations, enabling it to monitor its own destination usage and their semantics. Applications can also define Tasks (actions within the application that users will find convenient to access directly, for example, composing an e-mail) to appear in their menus. (OIAGA, Marius, 2009) 26
First Look at the Windows 7 Forensics
Piotrek Smulikowski
According to this extract Automatic Destinations folder is designed to store frequent and recent items only, whereas the Custom Destinations folder holds applications specific destinations or tasks. As a result, forensic investigator should only be concerned with the AutomaticDestinations directory as it records the user activity. As previously mentioned this can be successful mainly if the user attempts to manually delete his Recent folder contents. In this case he would only delete links stored in that directory, with the Destinations folders remaining due to being hidden and protected by the OS.
27
First Look at the Windows 7 Forensics
Piotrek Smulikowski
6. BitLocker This section discusses the encryption software from Microsoft, bundled in, first Windows Vista and now, Windows 7. The section is divided into two parts, Windows Vista BitLocker and Windows 7 BitLocker, each of them providing details of identification and acquisition of encrypted volume. Unlike the rest of this paper, this section talks about Vista functionality with a purpose to highlight the subtle differences but also similarities between the two. Because the core functionality of the Vista BitLocker remained the same it would be impossible to discuss forensic analysis of the Windows 7 without providing details of the previous version.
6.1.BitLocker in Windows Vista 6.1.1. Introduction BitLocker Drive Encryption was first introduced to Windows Vista as an encryption feature mainly for portable computers. It was designed to protect user’s data by encrypting the whole volume making it practically impossible to decrypt without password or recovery key. BitLocker was one of the most talked about security feature in Vista upon its release, although it was only available in top end editions, Enterprise and Ultimate. Due to the number of high profile cases, data loss is considered as a serious issue, in 2007 alone HM Revenue and Customs (HMRC) lost 25 million records, in 2008 National Health Service (NHS) led the charts (585, 2009) (BBC NEWS, 2009). Taking this into account, Microsoft targeted encryption feature to government and business users rather than main stream consumers Because of the attention this feature drawn, it is documented extensively by Microsoft, although not all details are exposed. In addition many independent researches were undertaken involving BitLocker capability in Vista.
6.1.2. Authentication Methods BitLocker can operate using five different authentication modes depending on hardware specification or user’s preference.
TPM only: volume encryption key in the microcontroller USB startup key: volume encryption key on the USB startup key TMP + USB startup key: volume encryption key in the microcontroller and USB startup key
28
First Look at the Windows 7 Forensics
Piotrek Smulikowski
TPM + PIN: volume encryption key in the microcontroller + correct PIN is entered TPM + USB startup key + PIN: volume encryption key in the microcontroller and USB startup key + correct PIN is entered
Microsoft developed the BitLocker to work with the Trusted Platform Module (TPM) hardware chip (from version 1.2) build in to a computer’s motherboard. This method set BitLocker apart from typical encryption solutions. The encryption keys are stored on a protected volume and in a TPM chip. During system boot up process the integrity of the Operating System and hardware is verified and on the successful completion of the check the TPM microcontroller releases the encryption key to continue system boot up. If the protected volume is removed from the original system and connected to other PC, it may be impossible to access the data. Jesse Kornblum claims that: “Decrypting the data without the keys stored in the TPM is infeasible” (KORNBLUM, Jesse, 2009). However the TPM modules are not commonly used, even now, two years after the BitLocker for Vista was released. Therefore Microsoft provided another options: to decrypt volume by entering PIN number or by plugging in USB startup flash drive containing the encryption key, combination of the two methods is also possible. The USB only method does not have any hardware requirements therefore it can be used on any modern computer. The key stored on USB flash drive is 124 byte long, hidden, read-only, binary file with the name of the following format (GUID): xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.bek where x is a hexadecimal digit(HARGREAVES, C and Chivers, H, 2007). Encryption method supported by BitLocker is AES either 128 or 256 bit with Diffuser, by default BitLocker is set to 128 bit with Elephant Diffuser enabled (FERGUSON, Niels, 2006). As many forensic investigators know, it makes it practically impossible to crack with current computing power. If, for any reason, all methods are unavailable to a user, it is possible to decrypt the volume by entering 48 digit recovery key (using function keys), generated at the initial setup. More details of authentication process are available at Microsoft’s documentation (MICROSOFT TECHNET LLIBRARY, 2009). Apart from the TPM capable motherboard BitLocker also requires System Volume partition formatted with the NTFS file system. Its size in Vista is minimum 1.46 GB and its assigned Drive Letter is S:. Partition is not encrypted and holds “files that are needed to load Windows after BIOS has booted the platform” (MICROSOFT TECHNET LLIBRARY, 2009).
6.1.3. BitLocker Identification When computer with BitLocker enabled is running, it is possible to identify the encrypted volume, although Administrator rights are required for all of them (STEWART, Barrie, 29
First Look at the Windows 7 Forensics
Piotrek Smulikowski
2007). It should be noted that initially investigator should check which edition of Vista is run as only the Enterprise and Ultimate have the BitLocker capability. Additionally, if a system does not have a 1,46 GB S: partition, the BitLocker could not be running on the system due to its requirements. The most recommended way to check the presence of the BitLocker is via the Command Line Interface (CLI) using the manage-bde.wsf script.
Using command line with administrative permissions navigate to C:\Windows\System32\
Run the following command: cscript manage-bde.wsf –status Information about each partition is displayed together with encryption and authentication methods.
Alternative methods to identify encrypted volume include checking status in Control Panel > BitLocker Drive Encryption or simply by viewing the Computer Management window with disk Management Snap-in. These methods are applicable in Live Response scenario where an investigator is at the working and unlocked PC. However, in a case where the machine has been seized and is examined in a forensic lab, investigators can view the BIOS Parameter Block (BPB) to determine if the volume is encrypted with the BitLocker (HUNTER, Jamie, 2006). It is based at the first 0x54 bytes of the first sector and can be recognized by the following values: Offset 0x03 0x0B 0x0D 0x0E 0x10 0x11 0x13 0x16 0x20 0x38
Size 8 2 1 2 1 2 2 2 4 8
Field Signature BytesPerSector SectorsPerCluster ReservedClusters FatCount RootEntries Sectors SectorsPerFat LargeSectors MetadataLcn
Required Value for BitLocker ‘-‘,’F’,’V’,’E’,’-‘,’F’,’S’,’-‘ One of 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40 or 0x80 0x0000 0x00 0x0000 0x0000 0x0000 0x00000000
Table 5. Required Values for BitLocker stored in boot sector of an encrypted volume (HUNTER, Jamie, 2006)
The actual header of a boot sector of encrypted volume can be seen in Figure 10. Highlighted in yellow is the file system signature: -FVE-FS. In depth information about the identification of BitLocker is available from the (STEWART, Barrie, 2007, pp.22-24).
30
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 10. BitLocker Encrypted volume header of a boot sector in Windows Vista viewed in Hex editor (HARGREAVES, C and Chivers, H, 2007)
The identification of the encrypted volumes is essential, since it can potentially save the whole examination. If during Live analysis examiner fail to recognise BitLocker and switches off the machine without searching for a recovery key, on a next boot up, volume will be locked and possibility for finding recovery key would be only possible if suspect had a recovery key backed up on other seized media or written on some paper.
6.1.4. BitLocker Acquisition Hargreaves and Chivers suggest that once encrypted volume has been identified, investigators should always look for a recovery key (HARGREAVES, C and Chivers, H, 2007), which, as mentioned before, is generated at the initial setup. The file name is in GUID format e.g.: CE6B4C60-8F3B-11DE-BE35-62A555D89593.txt and its contents are in plain text. If, however, no keys are found, performing logical disk image of the encrypted volume is possible. It allows to image data in decrypted form for further analysis. Although the process is not forensically sound this could be the only successful method of capturing the data. The aforementioned BitLocker Command Line Interface enables investigators to manage recovery keys (STEWART, Barrie, 2007). By typing the following command cscript managebde.wsf –protectors –get C: -sek G:\ it is possible to export the recovery key for the volume C: onto the USB drive G:. Additionally examiner can also attempt to duplicate the recovery key via the Control Panel > BitLocker Drive Encryption > Manage BitLocker Keys. Examiner can export keys, print them or reset them. If Active Directory is used by organisation it can be configured to backup recovery keys, hence investigator should be aware that system administrator might have access to backup recovery keys. Renowned Computer Forensics and incident Response expert, Lance Mueller, posted a quick tutorial on how to identify BitLocker running on a live system. The video shows how to disable the BitLocker in order to “seize the hard drive and then later image and examine the date without having the key protectors” (MUELLER, Lance, 2008). It can be disabled with the following command: cscript manage-bde.wsf –protectors –disable C: 31
First Look at the Windows 7 Forensics
Piotrek Smulikowski
6.2.BitLocker in Windows 7 BitLocker in Windows 7 has some minor differences in a way that it functions from Windows Vista, however it has a new major feature introduced BitLocker To Go. This section discusses changes that appeared since BitLocker for Vista.
6.2.1. Introduction While BitLocker proved to be secure encryption solution for computers it did not stop Data Loss breaking news. With the increase of popularity, cheap prices and high capacities USB flash and portable drives created serious threat to data security. Ministry of Defence alone admitted to loss of eighty seven USB sticks in 5 years, all of them contained classified data (PAGE, Lewis, 2008). Windows 7 BitLocker addressed this problem by extending the encryption to removable devices. Microsoft accepted feedback from system administrators and even admitted that deployment of the BitLocker Drive Encryption in Vista was “was more cumbersome than it needed to be” (MICROSOFT TECHNET , 2009). Before, administrators had to repartition the drive for the system volume to be loaded, which on a large scale can be lengthy and costly process. Now, the system volume partition is created upon the Windows 7 installation process. In addition, Microsoft Developers granted greater control over the BitLocker to system administrators by introducing Group Policies changes, Data Recovery Agents (DRA) and other improvements to make deployment more efficient. All these changes, although not big or revolutionary, can have great impact on popularity of the Windows 7 BitLocker. Encryption of USB sticks can impact directly digital forensics as until now investigators relatively rarely have to deal with encrypted flash drives. If Microsoft’s solution will be easy, efficient and robust it might change the current situation.
6.2.2. BitLocker To Go After BitLocker has been first introduced, it could only encrypt single Vista partition, with the Vista Service Pack 1 (SP1) functionality was extended to fixed volumes - another partitions. Now it includes removable storage devices. BitLocker To Go is the new feature implemented in Windows 7 BitLocker allows encrypting portable flash or hard drives
32
First Look at the Windows 7 Forensics
Piotrek Smulikowski
(FUNK, Troy, 2008).. Portable drives can be of either FAT, FAT32, exFAT or NTFS file system. Authentication methods are different than the OS volume encryption.
Passphrase – complex PIN number combination, Group Policy allow controlling complexity and length Smart Card – card stores strong key but Smart Card Reader required Automatic Unlocking – allows trusted PCs to remember passphrase and unlock USB drive automatically
BitLocker To Go is highly integrated in Windows Environment making it quick and easy to enable the feature. It could be managed straight from the Windows Explorer context menu; user er can simply right click on a drive to enable BitLocker, unlock drive or manage authentication methods and keys. This feature can be used even if normal BitLocker is not enabled. Tests have shown that if during Windows 7 installation user chooses not to create c System Reserved partition - required for BitLocker volume encryption – he can still use portable drive encryption. In enterprise environment Group Policy can be setup to force BitLocker To Go usage on any USB connected drive. If user refuses, a driv drive will be set to read-only only mode, as can be seen on Figure 11.
Figure 11.. Group Policy allow forcing users to encrypt USB sticks, (FUNK, Troy, 2008)
In order to support encrypted drives on older Windows Operating Systems, BitLocker to Go Reader is automatically installed to every protected drive. It is a Windows Explorer – like application that, after successful au authentication, thentication, allows files to be read from the encrypted volume.
33
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 12.. BitLocker To Go Reader window allows viewing files and exporting to local machine. Screenshot taken from Windows Vista
Figure 12 presents the BitLocker To Go Reader window after authentication. Individual files or folders can be exported to local machine. No write operation can be performed though, it requires Windows 7 BitLocker.
6.2.3. BitLocker To Go Identification As with the other types of BitLocker encryption there are several methods to determine that USB stick is encrypted by this particular encryption application. Identification is especially easy when a portable dri drive ve is connected to the Windows platform PC since the lock icon is displayed against the drive in My Computer as seen on Figure 13. 13
Figure 13 13. BitLocker To Go encrypted portable drive.
However if, the drive is examined on other platforms the icon is not displayed. This was tested on the Ubuntu 8.04 and Mac OS X 10.5. For alternative system, other means for identification are available. When tthe he drive is opened, characteristic files are visible: BitLockerToGo.exe, , COV 0000.ER, Read Me.url , language files and multiple PAD XXXX.NG files. Figure 14 shows the contents of the encrypted drive.
34
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 14.. Contents of the BitLocker To Go encrypted portable drive. BitLockerToGo.exe file is clearly visible, Screen shot taken from Windows Vista.
Please note that although h drive this particular does not contain any data, it is filled with encrypted data containers PAD XXXX.NG files with size 0 bytes and one big file COV 0000. ER containing 98% of the volume size. Alternative identification method is possible which is in independent dependent from the Operating System. By looking at the binary data in Hex editor, examiner can determine whether the volume is encrypted with BitLocker To Go. FAT32 At first USB drive with FAT32 file system was used for experiments. Although there is no clear lear evidence of BitLocker in header there is a hint. OEM Name for the file system is set to MSWIN4.1 which correctly identifies file system as FAT type, see Figure 15.. However, modern Windows OS tend to name the FAT as MSDOS5.0, which could indicate that BitLocker might be installed on a volume.
Figure 15.. FAT32 volume encrypted with BitLocker To Go. MSWIN4.1 OEM Nam is highlighted in yellow and FAT32 file system highlighted in grey
35
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Once the encrypted volume is viewed in Hex, examiner can search for BitLocker signature: ‘-FVE-FS-’. In the experiment, when the search was performed multiple instances of the signature were found and surprisingly the other information was detected as well. At the 0x88 offset from the signature, Computer name, Drive Letter and Date of the PC were encryption was initiated were found as seen at the Figure 16.
Figure 16.. BitLocker signature found on BitLocker To Go encrypted volume - highlighted in yellow. Additionally original Computer Name, Drive Letter and Date were also found - highlighted in grey.
Unfortunately it was not possible to verify whether this was standard for every setup having only access to one Windows 7 Ultimate PC. However if it was the case it could prove that the USB drive was connected to the specific PC and BitLocker To Go was enabled from that PC at the particular time. It could also aid examiner in searching the Recovery Key for the portable ble drive by pointing him/her to the recorded PC NTFS Although the NTFS is not a recommended file system for USB flash drives, some might use BitLocker To Go to encrypt portable USB hard drives where it is a default system. The file system was tested in order der to verify what kind evidence can be extracted and if findings from the FAT32 are applicable to the NTFS formatted drive.
Figure 17. Header of NTFS drive encrypted with BitLocker To Go viewed in Hex editor. The BitLocker singature sing FVE-FS- is at 0x03 offset - highlighted in yellow. Interestingly it is marked as FAT32 file system highlighted in grey.
36
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 17 presents the header of the NTFS drive which was encrypted with BitLocker To Go. The BitLocker signature can be seen in yellow but surprisingly it is showing as the FAT32 (in grey) volume. When n compared the Figure 15 and Figure 17 there are some differences found in the he structure of headers, though they follow similar fashion. Encrypted NTFS volume has BitLocker signature as the OEM Name but is inappropriately marked as FAT32, whereas encrypted FAT32 volume has MSWIN4.1 as OEM Name and the file system is properly recognized nized but there is no clear indication that the volume is encrypted. Both encrypted file systems share an interesting characteristic of recording the Computers Name, Drive Letter and Date of the encryption. NTFS drive was also searched for the BitLocker signature -FVE-FS- and after some of the instances of the signature the details of encryption were found as displayed on Figure 18.
Figure 18. BitLocker signature found on encrypted NTFS volume - highlighted in yellow. Computer name, Drive letter and Date were also found - highlighted in grey
Additionally the encrypted NTFS volume was not recognised on a Windows Vista OS, it prompted to formatt a drive. When the USB stick was connected to the Ubuntu 8.04 computer it was not mounted neither. The fsstat tool for viewing details of file systems (CARRIER, Brian) also failed to determine the NTFS, although it handled encrypted volume of FAT32 correctly. In contrast the aforementioned tools mmls and fdisk recognized it as the NTFS.
6.2.4. BitLocker To Go Acquisition Acquiring forensically sound image of the portable dev device ice seems to be an easy task. It is the encryption that can create challenges. Taking physical image means that the contents will be encrypted therefore data will be unreachable. As shown in previous section it is possible to establish which PC was BitLock BitLocker er encryption enabled on. During the installation process 37
First Look at the Windows 7 Forensics
Piotrek Smulikowski
user can either save recovery key on local machine or print it off. Unless paper with printed recovery key can be located, it is most likely that the key is stored on the local computer. The format of the recovery key file name changed slightly: BitLocker Recovery Key xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.txt. If user selected automatically unlock option it is possible that once a USB drive is plugged into the trusted PC it can be instantly decrypted allowing for logical imaging. In a Live Response scenario where USB drive was found unlocked, examiner can simply right click on a drive in ‘My Computer’ and select Manage BitLocker field to export recovery key. However, investigator can also simply perform logical image of the decrypted drive. Unlocking the drive with recovery key has become much easier since Windows Vista. Once a window asking to enter the password pops up, user can click ‘Forgot my Password’ and follow wizard and simply type in the recovery key.
6.2.5. BitLocker changes BitLocker developers put an emphasis on the user experience in Windows 7 BitLocker, as a result the initial setup process was simplified. System administrators can quickly enable BitLocker on multiple machine and control settings with extended capability by Group Policies. Home users can follow easy to use wizards to enable BitLocker without the hassle of repartitioning the hard drive to accommodate the 1,5 GB System Volume. All these and other improvements have made the whole process more user friendly and feature more usable. With Windows 7 BitLocker the System Volume partition, volume used by BitLocker to verify integrity of the hardware and pre-startup authentication (MICROSOFT TECHNET, 2009) – it is created automatically during the initial setup, if user selected default settings. If user performed custom installation and hard drive contained other partitions prior to Windows 7 installation, System Volume partition will not be created. However if user opts in to use BitLocker at the later stage partition will be automatically created during BitLocker setup. Therefore a lot of burden was taken off the end user and it is now embedded in the automated process. The partition is now being called System Reserved and has no Drive Letter assigned, therefore cannot be accessed through the Windows Explorer in order to avoid any accidental changes from being made. Additionally its size was limited to 100MB, so more space is available for user’s data. When Vista BitLocker was first launched, it only allowed to encrypt the Operating System Volume (C:), which was extended to additional fixed volumes with the Vista Service Pack 1. However in order to encrypt the Data drives the C: drive had to be encrypted as well. The 38
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Windows 7 BitLocker not only allows encrypting portable drives regardless if the encryption is enabled on the Windows 7 volume but also the fixed volumes. As a result examiner can find scenarios where Windows 7 drive is not encrypted but D: Data drive is. In this case it can be assumed that suspect could be storing incriminating data on the encrypted volume. It is important to remember about all the artefacts that the data on encrypted partition left on Windows 7. Therefore investigator might be able to recover history of files executed or viewed, thumbnails and more, since they are all stored on Windows 7 partition. This is also true for removable drives and BitLocker To Go. Enterprises using Windows 7 BitLocker will benefit from the Data Recovery Agents (DRA) technology which is a new, certificate based key protector. The certificate contains public key that is applied to any drive that is mounted across the organisation. Because it is stored centrally, therefore an investigator can request from system administrators to decrypt encrypted volume using the DRA. IT departments have now granular control thanks to extended Group Policies. BitLocker for Windows Vista could be manage using the Command Line Interface via already discussed script and had to be run by cscript manage-bde.wsf command. The same functionality is now provided by the manage-bde.exe executable placed in the same folder as before: C:\Windows\System32\ The identification of the BitLocker encrypted volume has not changed since the previous version. Similar can be said about acquisition process. According to Microsoft information provided during a Presentation on BitLocker (FUNK, Troy, 2008) did not indicate any changes in basic workings of BitLocker, therefore procedures that applied to Vista BitLocker are still valid for Windows 7 BitLocker. Unfortunately this has not been examined due to technical problems in the experiment lab.
6.3.Windows 7 BitLocker Conclusions Developing team, responsible for the changes introduced in Windows 7 BitLocker, put much effort in making it more accessible for not only administrators in large organisation but also for end users. No doubt that data loss is an important issue and public awareness increases. By employing encryption technologies like BitLocker many news headlines could be avoided. Public’s data would not be disclosed to unauthorised people and businessmen could be confident that their sensitive data is not disclosed to competitors by simple human error. As good as it sounds for governments and business use it creates number of challenges for Computer Forensics. With the range or improvements the BitLocker is certainly more 39
First Look at the Windows 7 Forensics
Piotrek Smulikowski
appealing to potential users, which in effect can mean increase in number of encrypted volumes to analyze for digital forensic experts. It is true that since BitLocker functionality is available only in most expensive Windows 7 editions, many normal home users will not be able to encrypt their hard drives or USB drives. However it is likely that due to improvements in user experience more people with Enterprise or Ultimate editions would start using it. Just before the release of the Windows Vista BitLocker, Andy Woodward wrote the paper with the following title: ‘BitLocker - the end of digital forensics?’ (WOODWARD, Andre, 2006).He claimed that very few digital forensic examinations will involve BitLocker encrypted volumes. Although it might have been true with Vista BitLocker, the improvements in Windows 7 BitLocker can change the situation.
40
First Look at the Windows 7 Forensics
Piotrek Smulikowski
7. Registry Analysis This section is devoted to the Windows Registry. It examines the kind of information that is stored and can be retrieved by examiner. Due to its complex structure, only fraction of the registry was examined, it is by no means a complete list. In line with the main idea of this paper to show what has changed with respect to the forensic analysis of Windows system, it is focused on new sources of evidence. In addition some most common registry keys were evaluated in order to verify their relevance in the new system.
7.1. Introduction While for Windows Registry lies at the core of the Operating System, for a forensic analyst it can be a goldmine of evidence. It stores settings and options for the whole system, therefore it can deliver large amount of forensically valuable information. Since its first appearance in Windows 3.1 it has grown into extremely complex data structure. Although there is no documentation from Microsoft, there are plenty of resources about forensic analysis of the registry. In fact it is so important artefact that Harlan Carvey considers writting a book about forensic analysis of the Windows Registry (CARVEY, Harlan, 2009). In depth analysis of the Registry, lies far beyond scope of this research, which is focused on the discovery of new and evaluation of already known sources of evidence. During the research three methods of information gathering were employed. Firstly, paper called “A Windows Registry Quick Reference” by Derrick J. Farmer(FARMER, Derrick, 2007) was reviewed and a form a basis of the research. While the reference was based on the Windows XP, registry keys presented by the author were verified against the Windows 7 registry in order to show any differences. Secondly the RegRipper software (CARVEY, Harlan and Shavers, Brett, 2009) was run against registry hive files from the test Windows 7 PC. The application is designed to automatically extract information stored within registry files. If output from the software was flagged ‘not found’, it flagged a difference in registry structure and contents. Thirdly, registry was browsed in order to identify new possible sources of evidence. The Table 6 presents popularly used naming conventions applied in this paper. Short Name HKCR HKCU HKLM HKU HKCC
Full Name HKEY-_CLASS_ROOT HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_USERS HKEY_CURRENT_CONFIG
Table 6. Short naming convention for root hives
41
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Although the Registry viewed by standard Registry Editor (regedit.exe) appears to be a single database, it is in fact highly integrated collection of files. The Table 7 lists files responsible for registry hives. Please note that Windows 7 and Vista include additional files (CARVEY, Harlan, 2009, p.161), marked with the * sign. Registry Hive HKLM\System HKLM\SAM HKLM\Security HKLM\Software HKU\User SID HKU\Default HKLM\Components* Usrclass.dat*
File Path C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SAM C:\Windows\System32\config\SECURITY C:\Windows\System32\config\SOFTWARE C:\Users\<username>\NTUSER.DAT C:\Windows\System32\config\DEFAULT C:\Windows\System32\config\COMPONENTS
C:\Users\<username>\AppData\Local\Microsoft\ Windows\usrclass.dat Table 7. Registry paths and corresponding files
7.2.Registry locations This part considers various registry key locations which could possibly be a source of forensic evidence. Due to a large amount of different locations, this section is technical and for reference mostly. 7.2.1. Time Information Establishing the time of the Operating System is crucial to a computer forensic investigation. Examiner should be able to establish precisely when particular event happened. Windows 7 follows the fashion set by previous Windows systems. Time Zone Information Registry key holding information about the system time. Most important values are ActiveTimeBias, Bias, DaylightBias, StandardBias. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\
Using those values examiner can calculate different times necessary for his investigation. Formulas(FARMER, Derrick, 2007) are following:
UTC = Local Time + ActiveTimeBias Local Time = UTC – ActiveTimeBias 42
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Standard Time = Bias + StandardBias Daylight Time = Bias + DaylightBias
Time is represented minutes, therefore decimal value is a number of minutes(MICROSOFT MSDN LIBRARY, 2009). In addition to establishing the system’s time, Registry can provide examiner with LastWrite time for a particular key. Although the time stamp for each value is not recorded it can still be very helpful to know then the key was changed, especially in a case where a registry key has single value. In addition the time stamp from the registry key can be compared against other time stamps existing on a system. The LastWrite value can be obtained with multiple tools like e.g. RegRipper, however at Live response scenario it might be possible to export the whole registry to text file. The benefit of that are keys having LastWrite values shown for every key but also that the keyword search through text file is instantaneous. However, with time since OS installation the registry can gain in size enormously. Moreover, as with Vista, the Windows 7 does not automatically record Last Access time on NTFS volume. Microsoft by default disabled the update to reduce performance overhead, which in turn caused examiners to loose very important source of evidence. The value accountable for that setting is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem>NtfsDisableLastAcces Update
7.2.2. Most Recently Used Most Recently Used files commonly known as MRUs, store details of recently used objects. This list was adopted from the Registry reference document (FARMER, Derrick, 2007) and it was compared against registry keys available in Windows 7. Please note that if certain functionality was not enabled some keys may be not available. Content
Windows XP
Windows 7
Search Files
Software\Microsoft\Search Assistant\ACMru\5603
HKCU\Software\Microsoft\Windows \CurrentVersion\Explorer\WordWh eelQuery
Internet Search Assistant Printers, Computers and People
Software\Microsoft\Search Assistant\ACMru\5001
N/A
Software\Microsoft\Search Assistant\ACMru\5647
N/A
43
First Look at the Windows 7 Forensics
Pictures, music, and videos XP Start Menu Recent R. Desktop Connect Run dialog box Regedit - Last accessed key Regedit Favorites MSPaint Recent Files Mapped Network Drives Computer searched via Windows Explorer WordPad Recent Files Common Dialog - Open Common Dialog - Save As WMP XP Recent Files WMP XP Recent URLs OE6 Stationery list 1 - New Mail OE 6 Stationery list 2 - New Mail PowerPoint Recent Files Access Filename MRU FrontPage Recent lists Excel - Recent Files Word - Recent Files Win Explorer Typed Paths
Piotrek Smulikowski
Software\Microsoft\Search Assistant\ACMru\5604
N/A
Software\Microsoft\Windows\CurrentVer sion\Explorer\RecentDocs
The same as in XP
Software\Microsoft\Terminal Server Client\Default [MRUnumber]
N/A
Software\Microsoft\Windows\CurrentVer sion\Explorer\RunMRU Software\Microsoft\Windows\CurrentVer sion\Applets\Regedit
The same as in XP
Software\Microsoft\Windows\CurrentVer sion\Applets\Regedit\Favorites
The same as in XP
Software\Microsoft\Windows\CurrentVer sion\Applets\Paint\Recent File List
The same as in XP
Software\Microsoft\Windows\CurrentVer sion\Explorer\Map Network Drive MRU
N/A
Software\Microsoft\Windows\CurrentVer sion\Explorer\FindComputerMRU
HomeGroup:
Software\Microsoft\Windows\CurrentVer sion\Applets\Wordpad\Recent File List
The same as in XP
Software\Microsoft\Windows\CurrentVer sion\Explorer\ComDlg32\LastVisitedMRU
The same as in XP
Software\Microsoft\Windows\CurrentVer sion\Explorer\ComDlg32\OpenSaveMRU
The same as in XP
Software\Microsoft\MediaPlayer\Player \RecentFileList
HKCU\Software\Microsoft\MediaPl ayer\Preferences> Last_Location_26
Software\Microsoft\MediaPlayer\Player \RecentURLList
N/A
Identities\{CLSID}\Software\Microsoft \Outlook Express\5.0\Recent Stationery List Identities\{CLSID}\Software\Microsoft \Outlook Express\5.0\Recent Stationery Wide List
N/A * No Outlook
Software\Microsoft\Office\10.0\PowerP oint\Recent File List
HKCU\Software\Microsoft\Office\ 12.0\PowerPoint\File MRU
Software\Microsoft\Office\10.0\Common \Open Find\Microsoft Access\Settings\File New Database\File Name MRU Software\Microsoft\FrontPage\Explorer \FrontPage Explorer\Recent File List
HKCU\Software\Microsoft\Office\ 12.0\Access\Settings
Software\Microsoft\Office\10.0\Excel\ Recent Files
HKCU\Software\Microsoft\Office\ 12.0\Excel\File MRU
Software\Microsoft\Office\10.0\Word\D ata
HKCU\Software\Microsoft\Office\ 12.0\Word\File MRU
N\A
HKCU\Software\Microsoft\Windows \CurrentVersion\Explorer\TypedP aths
44
The same as in XP
HKLM\SOFTWARE\Microsoft\Windows \CurrentVersion\HomeGroup\HME\M embers
N/A * No Outlook
HKCU\Software\Microsoft\Office\ 12.0\FrontPage\File MRU
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Table 8. Differences and similarities in registry key locations between Windows XP and Windows Vista.
7.2.3. UserAsisst This particular registry key is known among examiners as a potentially rich source of evidence. It was used since Windows 2000 and it is still used in Windows 7. Operating System uses it to record “objects that user has accessed on the system such as Control Panel applets, shortcut files, programs, documents, media, etc.”(FARMER, Derrick, 2007). Unlike the Prefetch, it stores that information not system wide but on a per-user basis. As already mentioned in the
45
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Background Research section the Beta version of Windows 7 had keys obfuscated in Vigenère cipher unlike all previous versions of Windows. However, when the RC and final version was examined it became apparent that the ROT-13 or Caesarean cipher was used again. This simple cipher is based on a rule that each letter is replaced by the letter 13 spaces away from it in alphabet or in this case ASCII table. For example K:\uryvk.rkr translates into X:\helix.exe. By recommendation from the Windows Registry Quick Reference (FARMER, Derrick, 2007) the web based translation script (EDOCEO, 2009) was used to quickly decode the file names. The UserAssist values can be found at: By default there are two GUID keys in User Assist. Carvey suggested checking the GUID in HKCR\CLSID\ (CARVEY, Harlan, 2007, p.168). Although the method was successful in previous Windows versions, it did not provide any results. In fact, the whole registry was searched without success. It is however safe to assume that behind both GUID are Operating System applications responsible for interaction with the system Shell. HKEY_CURRENT_USER\Software\Microsoft\Windows\Explorer\UserAssist\{GUID}\Count.
When RegRipper software was run against the Windows 7 RTM NTUSER.DAT file, no UserAssist keys were retrieved. The registry was manually examined and it became clear why the application did not extract any information. The data field is 72 bytes long as opposed to 16 bytes as in Vista and its predecessors. Due to the lack of documentation about new data structure it was necessary to analyse and understand its contents and behaviour. Derrick J. Farmer (FARMER, Derrick, 2007) explained the structure of the previous format, where the fifth byte (offset 0x05) was a counter of how many times the application was run, however the counter starting value is 5. The last 8 bytes compose time stamp of a last access. In his book Harlan Carvey adds (CARVEY, Harlan, 2007) that the data is divided into DWORD – 4 bytes. In order to examine behaviour of the new format, new application has been downloaded and executed for the first time – registry value for the applications was created. Application was then closed and the data for that value was recorded and compared with subsequent reiteration of the process. After multiple attempts it was possible to identify which bytes recorded the counter number and the time stamp. With more data to be examined it was difficult to establish which was recording what. Eventually it appeared that the 5th byte still is a counter number but the starting value is 00. The timestamp is the 60th - 68th byte (15 17 DWORD). The Figure 19 presents the binary data for specific program where the count number is highlighted in yellow and time stamp in blue.
46
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 19. Image shows binary data for the example UserAssist value. Underlined in red iiss the obfuscated program path, in green is the decoded path. Highlighted in yellow is the counter number and in blue is the time stamp in Hex.
The time stamp is in hexadecimal fo format; by using software like DCode (DIGITAL DETECTIVE GROUP LTD, 2009) it is possible to decode time stamp into human readable form. Figure 20 shows the time stamp for the application run in the above example (highlighted in yellow) and the converted date in bold.
Figure 20.. Output from Date/Time converting application DCode. Highlighted in yellow is the time stamp from above example (see previous figure)
7.2.4. Autoruns Applications automatically loaded on a system startup are recorded in various registry keys. It can be important to establish if any malicious software was running on a suspect 47
First Look at the Windows 7 Forensics
Piotrek Smulikowski
PC. Sysinternals Autoruns (SYSINTERNALS, 2009) application can easily provide all that information. Windows XP HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce HKLM\Software\Microsoft\Windows\CurrentVersion\policies \Explorer\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows NT\CurrentVersion \Windows\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce <username>\Start Menu\Programs\Startup
Windows 7 The same as XP N/A The same as XP N/A The same as XP The same as XP <username>\AppData\Roaming\Mi crosoft\Windows\Start Menu\Programs
7.2.5. Network information Windows records the wireless networks connected to the host PC. It stores a profile of the network its SSID identification name together with some more details, such as creation date, last connected and gateway MAC address. Depending on the context, this information can be highly important to the forensic investigation. In Windows XP the Zero Configuration Service was used however the Vista and Windows 7 manages networks differently. The time stamp is in unusual format: d9 07 08 00 03 00 13 00 01 00 39 00 02 00 where each 2 bytes form little endian value. The decoding technique is following: Year Month Weekday Day Hour Minutes Seconds
= = = = = = =
14 02,
d907 > 07d9 = 2009 0800 > 0008 = August {Jan = 1, Feb = 2...} 0300 > 0003 = Tuesday {Sunday = 1, Monday =2...} 1300 > 0013 = 19 0100 > 0001 = 1 am 3900 > 0039 = 57 0200 > 0002 = 02
The complete decoded time stamp is: Tuesday, 19 August 2009 01:57:02 This method was posted on Mark McKinnon’s blog (MCKINNON, Mark, 2009). Wireless Network information Records profiles of previously connected Wireless Networks. First key stores timestamps and SSID, second key stores Gateway’s details: MAC address, SSID name. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
48
First Look at the Windows 7 Forensics
Piotrek Smulikowski
NT\CurrentVersion\NetworkList\Profiles\{GUID}\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\
Additionally, details of individual connections are recorded, IP address, DHCP server and more. The time stamp is stored in big endian Unix 32 bit hex value, DCode can be used to translate the value. Network Connection information Records details of the connection, IP address DHCP server information, domain, time stamps etc. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\ Parameters\Interfaces\{GUID}
7.2.6. Mounted Devices NTFS devices that are mounted to the Windows System are recorded together with a letter assigned to them. The binary data for the values \DosDevices\x: can be used to identify the specific devices. Mounted Devices Lists previously connected drives. HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
7.2.7. USB Device Information When user connects removable device, Windows records details of that device in registry and file system. The process of gathering all information has changed since Windows XP but is the same as on Vista. Couple of steps are required to retrieve all tracks: 1. Write Down Vendor, Product, Version Disk&Ven_SanDisk&Prod_Cruzer&Rev_7.01
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
2. Write Down Serial Numbers
49
First Look at the Windows 7 Forensics
Piotrek Smulikowski
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\D isk&Ven_###&Prod_####&Rev###\
0877500A0302335E&0\
3. Determine Drive Letter Device Mapped To G: PortableApps
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices > FriendlyName
Look for Serial Number or Vendor and Product 4. Write Down Volume GUIDs \??\Volume{c76d273c-8e40-11de-9db3001a6b41face}
HKLM\SYSTEM\MountedDevices
Look for Serial Number or Vendor and Product 5. Find User That Used The Specific USB Device User1
NTUSER.DAT HKU\Software\Microsoft\Windows\ CurrentVersion\Explorer\MountPoints2
Search for Device GUID 6. Determine Last Time Device Connected – check Last Write for a key HKLM\SYSTEM\CurrentControlSet\Control\Device Classes\{53f56307-b6bf-11d0-94f200a0c91efb8b}
Last Write Time: 26/08/2009 - 13:31
Look for Serial Number or Vendor and Product 7. Discover First Time Device Connected >>> [Device Install (Hardware initiated) USB\VID_0781&PID_5151\0877500A0302335E] >>> Section start 2009/08/21 11:56:08.045 ...
C:\Windows\inf\setupapi.log
Perform search for Serial Number
Table 9. USB Information gathering process. Adapted from (SANS FORENSICS BLOG, 2009)
Please note that not every USB device has its own Serial Number.
7.2.8. Internet Explorer Internet Explorer is highly integrated into the Windows OS and therefore into the Registry. Although the current 8th version differs a lot in its capabilities, the information stored in registry reminds older versions. It is ruled by compatibility issues, and the new features are only added to an already existing structure. Internet Explorer information is stored primarily in two registry keys. Internet Explorer
50
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Registry keys store information used by Internet Explorer 8. First Key holds data about History, Cache or Cookies. Second Key keeps data about e.g. Suggested Sites but one of the most important keys is the TypedURLs, which records URLs that user typed in. Additionally the path to download folder is stored in a root of this key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ HKCU\Software\Microsoft\Internet Explorer\
Internet Explorer can store data entered into username and password fields if user agrees to use the feature. IE7 and IE8 uses different method of storing credentials data, passwords are encrypted with the URL of the page that the password was entered. Therefore if URL still exists in history, it might be possible to decode the data. AutoComplete Passwords Stores usernames and passwords remembered by the Internet Explorer, respectively Storage1 and Storage2 HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage1\ HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\
51
First Look at the Windows 7 Forensics
Piotrek Smulikowski
8. Miscellaneous Features and Changes 8.1. Location and Sensors API Microsoft has introduced native support for sensor devices which allows different sensors to be used without the need for any third party software, due to a standardized Application Programming Interface (API). Sensors supported include devices like for instance Light Sensor, Accelerometers 3D or even Human Proximity Sensor. In addition, the platform allows for Location sensors such as Global Positioning System (GPS) to be used. Software based solution can also be applied, therefore applications like “IP resolver that provides location information based on an Internet address, a cellular phone tower triangulation that determines location based on nearby towers, or a Wi-Fi network location provider that reads location information from the connected wireless network hub” (MICROSOFT MSDN, 2009). The types of sensors used depend on hardware or software availability. Also this feature is limited to Home Premium, Professional and Ultimate. The feature is enabled by default but can be disabled by user via the Control Panel. This functionality could be of a special interest to forensic investigators because it could provide them with the exact location of a computer and its user at a specific time. Since analysis of the information goes beyond computer or online activity it could be of extreme value to the investigation. Investigators could potentially get actual location of a criminal from his end, rather than trying to track him down from their end by usage of IP address tracing. This method could help to counter anti-forensics techniques like usage of TOR networks to obscure IP address location (TOR PROJECT INC, 2009). Law enforcement agencies would not have to go through lengthy and troublesome procedures of Regulation of Investigatory Powers Act 2000 (RIPA) requests from Internet Service Providers (ISP). Actual applications that would use the location data would be mostly third party, as currently the only Windows native application using the data is a Weather widget. As a result 3rd party developers decide on how their data that is stored and this is likely to vary between applications. According to documentation (MICROSOFT MSDN, 2009), a user is warned every time that the new program tries to access the location data. Data artefacts left behind on a system are unclear, since it was impossible to test the feature without an appropriate hardware device or software. According to Microsoft Developers Network (MSDN) reference, the API provides software with two means of retrieving location from the sensor; one is by usage of C++ or second by scripting languages (MICROSOFT MSDN, 2009). Methods would call a system function to get the location and 52
First Look at the Windows 7 Forensics
Piotrek Smulikowski
that could be used by application or e.g. online script. The documentation does not state if the data is stored anywhere on a system in local files. The Event Viewer keeps a log (Event Viewer > Custom Views > Location Activity) of all applications trying to access the location data. It is very unlikely that the actual location is stored in this log. However, theoretically if an application, that sends a request for the data, records this fact then it might be possible to tie this information with the request stored in a log. According to the MSDN not every request is stored but only the first successful and any failed requests are logged until application restarts (MICROSOFT MSDN , 2009). Depending on the scenario this information might be enough to retrieve the location. This particular source of evidence also has flaws because the key limitation is the requirement for the criminal to have a hardware or software sensor and associated connectivity. Taking a GPS receiver as an example, a good signal reception to at least three GPS satellites is required to determine the location. As a result it means that the criminal would need to have hardware capable of running Windows 7 in a correct edition, therefore a laptop, excluding Netbook category, with a GPS receiver. The criminal would also need to be outdoors or at least in the environment with clear sky view for a receiver to find a ‘fix’ – signal. Considering that GPS adapters, either USB or Bluetooth, are rarely used it becomes clear that this potential evidence has many limitations. There are however other scenarios were this source could really contribute evidence to investigation. The mobile network has the potential to be the most feasible solution, due to its growing popularity. Therefore, if a criminal had a laptop connected to the internet via a USB broadband dongle his approximate location could be logged by the Localisation platform. Another case would be if a criminal used a laptop on a local Wireless network as it would be possible for his location to be identified by locating the Wi-Fi network. This type of localisation is being developed as an alternative to GPS system for indoor or metropolitan environments, where buildings block the satellite signals (YU-CHUNG CHENG, Yatin Chawathe, John Krumm, 2005). Although this is still not a common solution it creates an opportunity. The last example application could be in a case of a ‘grooming’ investigation where the undercover investigator is in contact with a criminal. Even if the criminal did not have location sensors, the investigator could send a Trojan that had hidden within, for example a picture, that would retrieve the location data like IP address or other information and send back to the investigators. Although the success of such method would depend on many
53
First Look at the Windows 7 Forensics
Piotrek Smulikowski
aspects such as the security setup of the criminal’s PC, the opportunity for exploitation of this feature exists.
8.2. exFAT / FAT64 The extended File Allocation Table (exFAT) is the new file system designed for high capacity portable flash drives. Unlike some early speculations it is not a replacement for the NTFS file system. First included in Windows Vista Service Pack 1 and Windows Embedded CE 6.0 and now supported by the Windows 7. Main advantages of exFAT over FAT32 are increased file size support from 232 to 264 bytes, large capacity drive support (32GB +) and lower performance overheads(DAVAK, 2008). It is better suited to flash drives than NTFS because it does not have a journal system and therefore preserves the longevity of the drive since no single location is being constantly overwritten. However, it comes at the cost of reliability of the file system. The main drawback of the system is the lack of support from older systems or other platforms which reduces the portability of the exFAT drive. Microsoft has released an optional update for XP users available from the Windows Update website (MICROSOFT, 2009). However, since it is a proprietary file system, other platforms are disadvantaged and it will require time until such support becomes widespread. The file system is a default for SDXC cards - the newest large capacity SD cards with 32+ GB of storage (SD ASSOCIATION, 2008).
8.2.1. exFAT Identification From the forensic perspective it is important to note that exFAT supports UTC time rather than a Local time when recording time stamps. The file system signature – OEM Name ‘EXFAT’ can be found in the 0x03 Byte offset, as shown on Figure 21:
Figure 21. exFAT partition signature 'EXFAT'
54
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Some tools like for example UNIX based fdisk do not recognise the partition type and identify it as NTFS partition as seen in Figure 22.
Figure 22. fdisk recognizes exFAT as NTFS with partition id=7
Analogically, the Brian Carrier’s mmls tool for viewing partition tables (CARRIER, Brian) recognizes it as the NTFS partition, see Figure 23.
Figure 23. Output from mmls tool, exFAT is recognised as NTFS
8.3.Partition Table By default, during the Windows 7 installation process two partitions are created: Backup and Windows volume. First is a hidden letter-less partition called System_Reserved, which is used for backup purposes but also BitLocker if enabled. Its size is 100MB, which was reduced from the 200MB in Windows 7 Beta version. Users cannot access it via the Windows Explorer because it has no drive letter assigned to it, therefore it is not even displayed. It is done on purpose to avoid curious users changing important files, which was common for Vista’s 1.5GB partition. BitLocker uses this partition to store boot information that is executed during the authentication process. It is however possible not to create the partition, if user installs the Windows 7 on a drive where other partitions already exist, volume is not created. Second partition is a C: drive system volume with the Windows 7 OS. Possibly due to the size of modern hard drives, Microsoft decided not to give an option to format with any other file system than NTFS. As a result it is standard file system on all Windows 7 volume.
55
First Look at the Windows 7 Forensics
Piotrek Smulikowski
The fdisk tool shows two partitions being recognized as NTFS, their start and ending points, see Figure 24.
Figure 24. fdisk recognized two partition as NTFS
The mmls tool (CARRIER, Brian) outputs the physical location of the two partitions, first one being the System Reserved and the second Windows 7 volume. It also confirms that both are formatted with the NTFS, (see Figure 25).
Figure 25. mmls tool displays the details and locations of the two partitions.
The fsstat tool (CARRIER, Brian) was used to view details of each partition which can be seen on Figure 26.
56
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Figure 26. The output from the fsstat tool with details of the System Reserved (left) and Windows 7 partitions (right).
The fsstat tool was developed as part of the Sleuth Kit (CARRIER, Brian, 2009) by Brian Carrier years before Windows 7 release, this possibly why it recognizes volumes as the Windows XP. As with the Windows Vista, the Volume Boot Record is still located in the 2048 sector of the hard drive. Forensic analysts should be familiar with the Windows 7 partition setup for obvious reasons. Examination of the structure of the hard drive plays crucial part in the digital investigation.
8.4.XP mode Although Windows 7 has had few major compatibility problems reported it is still a big improvement comparing to its predecessor Widows Vista. This was confirmed throughout the whole research, where it worked faultlessly on many different hardware and software setups. However, Microsoft wanting to avoid the situation from early 2007 incorporated the Windows XP Mode to the new OS.
57
First Look at the Windows 7 Forensics
Piotrek Smulikowski
It is designed to overcome any possible incompatibility issues by running virtualized windows XP Operating System. The XP is highly embedded into the Windows 7, offering seamless operation (MICROSOFT VIRTUALISATION TEAM, 2009), however as with any virtualized system there is a performance overhead. The feature is primarily designed for Enterprises where support for legacy software is required but everyday users can also benefit from it. It comprises of the Microsoft Virtual PC and Windows XP SP3, unclear if Home or Professional edition, free to download for Windows 7 Professional, Enterprise and Ultimate owners. Compatible hardware is still required; processor needs to support either Intel’s Virtualisation Technology or AMD-V, which can be verified by free tool SecurAble (GIBSON, Steve, 2008). Unfortunately, due to the lack of supported hardware available for this research, the feature could not be examined for forensic artefacts. It is believed that it could potentially create new sources of evidence.
8.5.Mix Unlike its predecessors Windows 7 is not shipped with embedded email client. Windows XP included the Outlook Express as a default client and Vista came with the Email client, however, Microsoft decided to exclude the functionality from the newest system. Instead Windows Live Essentials package includes the Mail – new email client and other applications such as Messenger or Photo Gallery. Because it is not built into the system it is not included in this research, although it certainly carries significant footprint on forensics. If examiners would decide to use the Windows 7 as the forensic platform, it is important to note that, as in Windows Vista, all forensic applications and tool should be run ‘As Administrator’ in order to avoid program malfunctions. This is due to the User Account Control (UAC) privilege limitations.
58
First Look at the Windows 7 Forensics
Piotrek Smulikowski
9. Methodology Various different research methodologies were used throughout the research. The choice of a method depended on the examined feature. Due to a variety of different aspects of Windows 7 every feature discussed was independent and differed from another. Therefore, it posed a challenge to approach the problem in a best possible manner. During a Background Research a lot of time was devoted for gathering information available about the topic. Due to the novelty of the research area there was very few sources of information. As a result, literature review in a strict sense was very limited, because there is no literature about the Windows 7 forensics. No books or even research papers were published up to or during the writing of the research, at least to the best of author’s knowledge. This lack of information about the particular subject reinforced the novelty factor of this research. The only available sources of information were online resources. Some examiners shared their initial experiences of the new system on their blogs or forums. However, they either failed to go in detail or focused on very specific aspects only. Although these were incomplete and sparse pieces of information, they did help, especially in identifying possible sources of forensic evidence. At this stage it was believed that it could be highly beneficial to get the information from the source. However Microsoft is a giant enterprise and it seemed nearly impossible to get their attention. After long research it was discovered that Chris Ard, an Investigative Consultant with Microsoft’s Law Enforcement Support Team, was scheduled to deliver a presentation (ARD, Chris, 2009) on forensic aspects of Windows 7 on a Crimes Against Children Conference in Dallas, USA. Email contact was initiated and Chris agreed to shed some light on the new Windows forensics. Because it was still a month before conference, he did not have facts confirmed through detailed analysis. However, he was kind enough to share his findings about possible sources of evidence. Interestingly Chris Ard said “there isn’t any guidance from the product development team regarding the changes that affect forensic investigations” even for Microsoft’s own forensic team. This Microsoft’s ‘every man for himself’ approach only stressed the importance of this research, to share the findings with the community. Findings from Chris Ard were very helpful and together with other known information it formed a basis for the research. Identification of the potential sources of forensic evidence was considered a key factor of research success. However, it was believed that new sources of evidence would be found during the analysis process as having the basic structure was crucial. As mentioned before, the documentation of Windows 7 is very limited, both by Microsoft and forensic community. The purpose of this paper is to focus on impact that the Windows 59
First Look at the Windows 7 Forensics
Piotrek Smulikowski
7 has on forensic examinations and not the Vista. It was then necessary to learn the impact that Vista had on forensic analysis in order to help identifying new features in comparison to its predecessors. In addition studying multiple papers on this subject helped to find the balance between technical and theoretical approach. Also, how to create competent document focused on forensic examiners. Once the potential sources were identified, the examination of individual aspects started. Due to the great variety of the features and their scope, it was impossible to employ a single methodology. Therefore each of them had to be approached individually with research methods tailored to its characteristics. However, in order to ensure the overall quality of examination, general modus operandi model was adopted. If a feature in question was a newly introduced it was researched in depth to gain thorough understanding of its operation; if possible it was practically examined and eventually forensic conclusions were drown and if needed the process would reiterate until satisfying conclusions could be drawn. Not all features created new sources of evidence, therefore if no findings were discovered, it was concluded that there is no impact on forensic analysis process. If, however new sources were found, significant effort was inputted to document new artefacts. Some of them were successfully analyzed and produced comprehensive results, whereas others still require a more in depth research, possibly an extensive and dedicated future study. When Internet Explorer 8 was examined in search for potential forensic evidence, at first it appeared that few changes would have little effect on the forensics. However as the research progressed, more interesting aspects were discovered. At the beginning it was approached by analysing new features introduced into the IE8 with the purpose to recognise if it could potentially create new artefacts, data files. Next, the functionality of features was analysed for the same purpose. At the end if any data files were found, they were examined to produce detailed documentation. Although in some cases structures were so complex that comprehensive documentation would require lengthy in depth study for example the session recovery files. As with other sections the feature was reviewed from the forensic perspective in order to identify its impact. Another section that required highly tailored approach was the BitLocker. Because of the complexity of BitLocker and its potentially high impact onto the forensic analysis, it was decided to first study the BitLocker for Windows Vista and then to discuss the Windows 7 BitLocker. This approach was believed to addresses the fact that the new version is more of an evolution from its predecessor rather than a complete replacement. To discuss the Windows 7 BitLocker alone would leave reader clueless about the functionality that it shares with its predecessor and effectively render incomplete examination.
60
First Look at the Windows 7 Forensics
Piotrek Smulikowski
The Registry section also required separate consideration. Because of the technical nature, it was bound to consist of mainly registry key locations. Some additional comments were made to clarify to a reader what each key contains and why it is important to an examination. Moreover, the registry as a structure remained the same for many versions of Windows, only the contents changed. As the Windows XP registry was analyzed in depth, it is well documented by researchers. One of the papers (FARMER, Derrick, 2007) provided a reference for forensic examiners and as a result it formed a basis for the examination of Windows 7 registry. All keys included in the paper were verified against the new registry. Any significant changes were examined in detail for example the UserAssist keys. In addition the RegRipper software (CARVEY, Harlan and Shavers, Brett, 2009) was used to help identifying the updated registry keys. Additionally through browsing potentially significant keys it was possible to identify new, important registry keys or values.
9.1.Hardware and Software used Throughout the whole research wide variety of hardware and software setups were used. It was primarily driven by a desire to examine the final version of the Windows 7 in order to ensure that the results are applicable and comparable with what examiners can encounter. Therefore it was crucial to obtain the latest version, which became possible on the 6th of August 2009, when Microsoft released the final, RTM build to MSDN subscribers.
Soft/Hardware
Desktop
Laptop
Netbook
Windows 7 RTM Pro
Windows 7 RTM Pro
Windows 7 RC Ultimate
Windows 7 RC Ultimate
Windows Vista Home
Ubuntu 8.04
Premium
Windows XP SP3
2,6GHz Pentium 4
1,8GHz Intel C2D
1,6 GHz Intel Atom
1 GB @ 333MHz
2GB@667MHz
1,5GB@533MHz
Hard Disk
40GB
160GB
320GB
Network
LAN
LAN, WIFI
LAN, WIFI
Graphics
ATI Radeon 9660 Pro
Integrated
Integrated
OS version
CPU Memory
Table 10. Hardware and Software Specification of used PCs
Table 10 presents the hardware and the software specifications of the PCs used for the examination. primary PC was the desktop computer with the Windows 7 installed, whereas other PCs were used to verify results. In addition the Netbook was used as the analysis machine with the Ubuntu 8.04 with the Sleuth Kit (CARRIER, Brian, 2009) and other open 61
First Look at the Windows 7 Forensics
Piotrek Smulikowski
source forensic tools. The Windows 7 PCs had the X-Ways Forensics and WinHex installed (X-WAYS, 2009). The author of the tools was kind enough to provide demo version of the XWays Forensics software. Great majority of results was obtained with the RTM version although some features for example BitLocker was only available in Ultimate version hence the RC version was used. However there was no reports that it undergo any changes in the RTM product.
62
First Look at the Windows 7 Forensics
10.
Piotrek Smulikowski
Conclusions
This section concludes the findings of the research, outlining achievements of the study by also analysing weakness. Next, is the review of the obstacles faced during the research. Later, author discusses his reflections about the research. The next section covers overall conclusions of the research. Last is the discussion of the recommended future work with regard to this topic.
10.1.
Research Achievements
The expected deliverables set before the study, were based on an initial research about changes to the new system. It was a common believe that because the system is an evolution of the Vista, it would not have many forensically significant changes. Therefore the deliverables were expected to include forensic analysis experiment of the Windows 7 and comparison to the older systems. Additionally the software compatibility was aimed to accompany the results to help examiners choosing their toolkit. Finally, the optional requirement was the Windows 7 Forensic Analysis Draft to guide examiners through the process. While it is still believed that the fulfilled deliverables could form a complete reference to the Windows 7 forensics, it has quickly been recognised that it would require significantly more time than the two months and only one researcher. Once the research started it became clear that the amount of time required to examine all features was highly underestimated at the beginning. However there was no means to provide correct estimation, since the changes on the new system were very sparsely, if at all, documented. Therefore the deliverables were reviewed in order to identify the requirements of the highest priority. It was decided that the analysis of the forensically significant features is the primary objective since this is what will have real impact on the forensic investigation. Not only it can help examiners, but also forensic software developers could benefit from the research findings, as they could address the new sources of evidence in their software. Thanks to the comprehensive research on the system changes it was possible to successfully identify the features that could create new sources of evidence. Various information gathering methods were employed including reading available documentation, contacting experts and thorough online search. The identification proved to be successful when source from Microsoft confirmed which features are likely to affect the forensics (MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009). Moreover this research uncovered more sources of evidence than it was suggested by the materials provided by Microsoft.
63
First Look at the Windows 7 Forensics
Piotrek Smulikowski
During the analysis stage some features did not produce new sources of evidence, whereas others did. Furthermore some changes were discovered to have a potentially great impact on the forensics. However, regardless of the outcome, the detailed analysis of the features alone can be considered as an achievement. Even if no evidence could be found, it means that the feature has been recognized as forensically insignificant and can be excluded from the forensic examination. Great deal of time was devoted to IE8 analysis, since online activity is often the cause for the investigation in the first place. Some could argue that the browser is not Windows 7 specific and could be omitted however it is still the default browser for the new Windows. What is more, the information contained in section devoted to the IE8 could also benefit the investigators examining other Windows systems, with the IE8 Vista in particular. The section included detailed analysis of the InPrivacy browsing capability, identification and examination of the Suggested Sites and Session Recovery artefacts. Although very little information was available, it was attempted to document the feature from forensic perspective. Some of the user experience improvements also produced new sources of evidence. The much talked about Jump List feature was examined and produced interesting results. Although due to its complexity it was not possible to document the component in depth, however it was possible to retrieve history records. Other new functionality analysed – the new search capability, produced information about the remote location that suspect was accessing. The BitLocker analysis also delivered vast amount of information important to examiners. The introduction of the portable drives encryption can have a significant impact on the examinations. Although the research did not provide examiner with a way round the BitLocker protection, which is a hardly possible task, it provided means to identify an encrypted volume. Besides some other minor changes were reviewed and crucially the potential impact of the updated BitLocker was discussed. Among many other findings, the analysis of the Windows Registry produced a quick reference of important registry entries. In particular, the UserAssist keys were analysed and decoded, in effect highly valuable, user activity data was extracted. This evidence source was one of the most commonly investigated data artefacts in previous versions of Windows. Hence it was highly important to decode and document the new format.
64
First Look at the Windows 7 Forensics
10.2.
Piotrek Smulikowski
Actual Constraints
Now that a research is finished it is safe to say that limitations outlined in the Project Constraints section were correctly identified. All combined composed a substantial challenge for the success of the research. The major obstacle was the most obvious one time limitation. Having more time would benefit the project with more in depth analysis of the new features, allow for meeting all set requirements and provide more time for a writing the report. However as with all academic research there is a deadline that needs to be adhered to. Appropriate time management was in place, although there was a room for an improvement. In spite of this the topic was thoroughly researched and produced significant results. Initially the complexity of the Windows Operating System was understated, as were the changes in comparison to Windows 7’s predecessors. It was when the identification finished and examination stage started, that it became clear that the project was too ambitious. It required intensive research, variety of different experiments to understand the forensic significance of discussed feature. Lack of documentation posed a real challenge, since for many tasks it was necessary to employ reverse engineering techniques. Moreover the availability of the forensic software was indeed a great obstacle. Since, as expected, manufacturers do not post demonstration versions online, they had to be requested and depending on delivery method it can take long time. The EnCase demo arrived after over 3 weeks and its functionality was heavily limited making it impossible to examine the Windows 7 forensic image. The X-Ways Forensics was sent electronically but the trial version only worked on a C: drive of the system. Although it was very helpful for feature analysis process it was not feasible to perform analysis of the image. In addition to the time constraints it was also decided that since software compatibility could not be performed on multiple products it could not form a comprehensive review, therefore the deliverable was abandoned. However one of the problems happened to resolve itself when Microsoft decided to release Windows 7 final version to MSDN subscribers (LEBLANC, Brandon, 2009). However at the time the news was published, it was unclear whether it would include Academic Alliance – student subscription. Fortunately, it did, therefore previously obtained results could have been verified and experiments replicated.
10.3.
Final Conclusions
This research delved into the Windows 7, three months prior to its official release in order to investigate changes made to the new system and their impact on forensics. It has 65
First Look at the Windows 7 Forensics
Piotrek Smulikowski
compiled and verified majority of information regarding the new Windows and its analysis. In addition it has attempted to document some of the new features identified as forensically significant. Through the examination of their behaviour and the produced data artefacts, research has discovered new potential sources of evidence. Moreover, a selection of already recognised evidence sources was evaluated against the new platform. Shortly after the release of the Beta version of the new Windows, many had an impression that little has changed since the predecessor, that it was evolved version of Vista, “but a lot better!” as Microsoft’s CEO said (PARRISH, Kevin, 2008). Despite the fact that Windows 7 does not bring a revolution to Windows OS family, it may have its footprint on Windows forensics. Firstly its positive reception, suggests that it may quickly become vastly popular, therefore examiners will be very likely to face a computer with the new system. Secondly, developers focused on adding more functionality which in turn created new sources of evidence. Improvements to the user experience generated more forensic artefacts with features like the Jump List and the Suggested Sites or the Session Recovery in the Internet Explorer 8. However some features introduced new challenges to the forensic investigations such as the portable drive encryption or the privacy internet browsing. Ease of use combined with the perceived privacy can affect their popularity. Therefore this research tries to raise awareness and provide examiners with identification techniques in order to help them to approach analysis in best possible manner. This study attempted to cover in detail most of the forensic issues surrounding the Windows 7 however it certainly had not exhausted the topic. In fact it is thought to be quite the opposite. Hopefully it will attract the forensic community to further research in more specific areas of the subject. And primarily that it will aid computer forensics investigators when faced with the windows for the first time.
10.4.
Future Work
On top of already covered aspects, more in depth analysis of certain features would be the next improvement. Due to the lack of a compatible hardware Windows XP Mode or Location API could not be fully examined. Both can potentially be valuable source of evidence. Additionally other functionalities that were not discussed because they were considered to have not changed like e.g. Recycle Bin or Prefetch (MMAHOR, 2009) could be verified. It is believed that fulfilling all set deliverables would add more practical side of the research. The comparison of the results from the forensic analysis of windows 7 and its
66
First Look at the Windows 7 Forensics
Piotrek Smulikowski
predecessors would certainly point out more of minor changes, whereas production of the analysis draft could provide examiners with hands-on guide to Windows 7 examination. Since this is only the first look at the Windows 7 forensics, there is plenty of further research opportunities in this area. The paper was aimed to deliver a basis for forensic examiners but also forensic researchers wanting to further expand the community’s knowledge.
67
First Look at the Windows 7 Forensics
Piotrek Smulikowski
Bibliography 585. 2009. Data Loss Examples in 2008. [online]. [Accessed 15 Aug 2009]. Available from:
First Look at the Windows 7 Forensics
Piotrek Smulikowski
CARVEY, Harlan and Brett SHAVERS. 2009. RegRipper. [online]. [Accessed 31 Jul 2009]. Available from: <www.regripper.net> CLARKE, Gavin. 2009. Microsoft to bomb Europe with IE-free Windows 7. [online]. [Accessed 03 Aug 2009]. Available from:
69
First Look at the Windows 7 Forensics
Piotrek Smulikowski
GIBSON, Steve. 2008. SecurAble: Determine Processor Security Features. [online]. [Accessed 15 Aug 2009]. Available from:
70
First Look at the Windows 7 Forensics
Piotrek Smulikowski
LEBLANC, Brandon. 2009. Windows 7 Team Blog: When will you get Windows 7 RTM? [online]. [Accessed 22 Jul 2009]. Available from:
71
First Look at the Windows 7 Forensics
Piotrek Smulikowski
MICROSOFT TECHNET. 2009. Windows BitLocker Drive Encryption Frequently Asked Questions. [online]. [Accessed 16 Aug 2009]. Available from:
First Look at the Windows 7 Forensics
Piotrek Smulikowski
First Look at the Windows 7 Forensics
Piotrek Smulikowski
74
First Look at the Windows 7 Forensics
Piotrek Smulikowski
APPENDIX A – Windows 7 Editions Comparison Chart This chart compares all editions of the Windows 7 based on their capabilities. This is the most complete comparison chart available online. Starter Cost & Features / Availability
Home Basic
Home Professional Enterprise Ultimate Premium
OEM Emerging Retail and OEM licensing markets licensing
Volume licensing
Retail and OEM licensing
32-bit and 64-bit versions
32-bit only
32-bit only Both
Both
Both
Both
Maximum physical memory (64-bit mode)
N/A
8 GB
16 GB
192 GB
192 GB
192 GB
Maximum CPU chips supported
1
1
1
2
2
2
Home Group (create and join)
Join only Join only
Yes
Yes
Yes
Yes
Backup and Restore Center[25]
Cannot Cannot Cannot back up back up back up to to to network network network
Yes
Yes
Yes
Multiple monitors No Fast user switching No
Yes Yes
Yes Yes
Yes Yes
Yes Yes
Yes Yes
Desktop Wallpaper No Changeable
Yes
Yes
Yes
Yes
Yes
Desktop Window Manager
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Partial
Yes
Yes
Yes
Yes
No
No
Yes
Yes
Yes
Yes
No
No
Yes
Yes
Yes
Yes
No
No
Yes
Yes
Yes
Yes
No
Windows Mobility No Center Windows Aero No Multi-Touch Premium Games Included Windows Media Center
75
First Look at the Windows 7 Forensics
Windows Media Player Remote Media Experience[26] Encrypting File System Location Aware Printing
Piotrek Smulikowski
No
No
Yes
Yes
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
No
Yes
Yes
Yes
No
No
No
Yes
Yes
Yes
No
Virtual PC Virtual PC Yes only only
Yes
Yes
No
No
No
No
Yes
Yes
BitLocker Drive Encryption
No
No
No
No
Yes
Yes
BranchCache Distributed Cache
No
No
No
No
Yes
Yes
No
No
No
No
Yes
Yes
No
No
No
No
Yes
Yes
No
No
No
No
Yes
Yes
No
No
No
No
Yes
Yes
Remote Desktop Host Presentation Mode Windows Server domain joining Support for Windows Virtual PC[27] + Windows XP Mode[28] AppLocker
DirectAccess Subsystem for Unix-based Applications Multilingual User Interface Pack Virtual Hard Disk Booting
Table 11. Windows 7 editions comparison chart. Source (WIKIPEDIA, 2009)
76
Related Documents
First Look At The Windows 7 Forensics
June 2020 1
A First Look At Vb_net
May 2020 11
First Look At The Health Care Bill
May 2020 8
Take A Look At The Picture First
November 2019 15
Look At The World.pdf
May 2020 21
First Look At Macro Study Guide
June 2020 0More Documents from ""
First Look At The Windows 7 Forensics
June 2020 1
Zadania.docx
October 2019 1
Kalendarz.docx
May 2020 0