Vista Forensics

1
             Vista Forensics
• Disk and File System Changes
    – GUID and MBR disks
    – Directory Structure
    – Reparse Points
    – BitLocker Encryption




2
             Vista Forensics
• OS Artifacts
    – Volume Shadow Copy
    – Recycle Bin
    – Event Logs
    – Thumbnail Cache
    – Shortcut (.lnk) files
    – System Activity


3
         Vista Disk Changes
• MBR Disks
The first partition now starts at sector 2048,
compared with sector 63 for all previous
Windows OSs (a change visible directly in the partition table of an imaged disk).




4
           Vista Disk Changes
• GUID Partition Table (GPT) Disks
    – Also available with XP (x64), Server 2003 and
      all Vista and future Windows versions.
    – MBR partition table points to sector 1.
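As an added illustration (not part of the lecture), here is a small Python parser for the 64-byte partition table in sector 0 that tells the three layouts on the two slides above apart: a Vista-style MBR disk (first partition at sector 2048), a pre-Vista MBR disk (sector 63) and a GPT disk, whose protective MBR entry (type 0xEE) points to sector 1. The sample MBRs are constructed inside the code, not taken from real disks.

```python
import struct

SECTOR = 512
GPT_PROTECTIVE_TYPE = 0xEE   # partition type of the protective MBR entry on a GPT disk


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table.

    Each 16-byte entry at offset 446 + 16*i holds: status (0x80 = bootable),
    CHS start (3 bytes), partition type, CHS end (3 bytes), starting LBA, sector count.
    """
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    entries = []
    for i in range(4):
        status, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype != 0:
            entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                            "start_lba": start_lba, "sectors": count})
    return entries


def classify_disk(sector0: bytes) -> str:
    """Describe the layout the way an examiner would triage it from sector 0 alone."""
    entries = parse_mbr(sector0)
    if not entries:
        return "no partitions defined"
    first = entries[0]
    if first["type"] == GPT_PROTECTIVE_TYPE and first["start_lba"] == 1:
        return "GPT disk: protective MBR entry (type 0xEE) points to sector 1"
    if first["start_lba"] == 2048:
        return "MBR disk, Vista layout: first partition starts at sector 2048"
    if first["start_lba"] == 63:
        return "MBR disk, pre-Vista layout: first partition starts at sector 63"
    return f"MBR disk: first partition starts at sector {first['start_lba']}"


def make_mbr(entries: list) -> bytes:
    """Build a constructed 512-byte MBR from (bootable, type, start_lba, sectors) tuples."""
    buf = bytearray(SECTOR)
    for i, (bootable, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", buf, 446 + 16 * i, 0x80 if bootable else 0, ptype, start, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


# Constructed samples (not images of real disks).
VISTA_MBR = make_mbr([(True, 0x07, 2048, 2_000_000)])   # NTFS, Vista-style alignment
XP_MBR = make_mbr([(True, 0x07, 63, 2_000_000)])        # NTFS, classic CHS alignment
GPT_MBR = make_mbr([(False, 0xEE, 1, 0xFFFFFFFF)])      # protective MBR of a GPT disk
```

Run `classify_disk()` on the first 512 bytes of a raw image to get the one-line verdict; `parse_mbr()` gives the full entries if you need the partition type or size as well.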




5
            GUID Partition Table
    Starting Sectors         Ending Sectors




6
      Vista Directory Structure
• Shown with “Dual
  partition” setup to
  enable BitLocker
  encryption on a non-
  TPM computer
• C:\Documents and
  Settings\ is now only a
  reparse point linked to
  c:\Users
• Many directory changes
7
               Reparse Points
• Directory
  Junctions
• Symbolic
  Directory
  Links
• Symbolic
  File Links


8
              Reparse Points
• Directory Junctions
    – Users cannot access directory junction
      folders; they are just empty pointers
    – Redirects legacy programs from folders like
      C:\Documents and Settings\ to C:\Users
    – Uses the reparse point attribute (type 0xC0) in an
      NTFS MFT record to store the “pointer”
      information


9
                    Reparse Points
• Symbolic Directory Links
“Vista processes symbolic links on the local system, even when they
reference a location on a remote server. Vista processes directory junctions
that reference a remote file server on the server itself.” (Mark Russinovich)




10
           Reparse Points
• Symbolic File Links




11
     BitLocker Encryption




12
     Identification of BitLocker Encryption
• Previous versions of Windows (NT/2K/XP/2K3) do not
  know what BitLocker is.
• You will not be able to use XP to disable or interact




• Vista must be used
  to interact with
  BitLocker
13
     Working with BitLocker Encryption
• Must use Vista (can use a VM) to interact with BitLocker
  volumes.
• If BitLocker disk is attached to your Vista machine and
  is locked, the volume is not accessible.




• If BitLocker functionality is not enabled in your Vista
  machine or VM, then you must enable it before you can
  unlock or turn off BitLocker encryption on “foreign”
  BitLocker disks.
14
     Turning off BitLocker Encryption
• Click on the blue “Unlock Volume” link.




15
     Turning off BitLocker Encryption
• Provide recovery password from either USB drive or
  manually enter it.




16
     Turning off BitLocker Encryption
• Recovery password files: look for them on USB drives.




17
     Turning off BitLocker Encryption
• After you either provide the correct password or USB
  key, the disk will now be temporarily available.




18
     Turning off BitLocker Encryption
• BitLocker is now "unlocked" and you can access the
  partition. You will note that the icon has changed from a
  padlock to a key, but still says "On". This is a temporary
  disabling process and BitLocker will be re-enabled upon
  a reboot.




19
               Imaging BitLocker drives
• With BitLocker temporarily disabled, you can image in
  Windows using any Windows-based imaging tool.
• If you wish to permanently turn off BitLocker to access
  the drive outside of Vista, then click on the blue “Turn
  Off BitLocker” link to start the decryption process.
     – Note that this will change the drive as it is decrypting the data.
     – This will take a long time so be prepared to wait.
• You can image the fully encrypted drive just like any
  other drive with any other data on it; you just won’t be
  able to decipher anything on it until you disable or turn
  off BitLocker.


20
     Live BitLocker Encrypted Systems
If an admin user, you can:
• Turn off or disable BitLocker or
• Export a new copy of the recovery password text file.




21
     Live BitLocker Encrypted Systems
 This disabling process is not like the prior “slave” drive
 example. The prior process was a one-time disabling and
 it reverts back to being enabled upon a reboot. On a live
 Vista machine, it will be disabled (but not decrypted) every
 time this system reboots, until you re-enable BitLocker.




22
          Booting a BitLocker System
 • With TPM chip – startup PIN or startup key (USB)
 • Without TPM chip – USB startup key




     • Or hit “Enter” to manually enter a recovery password…
23
         Booting a BitLocker System
 • Enter your recovery password from the correct text file.




24
     OS Artifact Changes and Additions
     • Volume Shadow Copy
     • Recycle Bin
     • Event Logs
     • Thumbnail Cache
     • Shortcut (.lnk) files
     • System Activity

25
     Volume Shadow Copy
• a "point-in-time" snapshot
• introduced with XP and Server 2003, but is
  greatly enhanced in Windows Vista
• snapshots will take up approximately 15%
  of available drive space
• "snapshots" taken once a day, or
  whenever an application makes a system
  change that requires the creation of a
  snapshot
26
     Volume Shadow Copy
• Control Panel / System and Maintenance / System / System Protection




27
      Volume Shadow Copy
• Previous Versions
  – Exist for files and
    folders
• Can open, copy out
   or restore any
   previous version
   “snapshot”
• Each “snapshot” can
   contain different
   content, check all.
28
      Volume Shadow Copy
• Located in c:\System Volume Information
  folder
• File structure unknown at this time
• Easiest way to get file out of restore points
  is to use “Previous Versions” feature to
  copy out files/folders stored within.




29
      Volume Shadow Copy
• Open desired “Previous Version”
• Use WinRAR or similar to package desired
  evidence files to preserve dates/attributes




30
         Vista Recycle Bin
• now located at "C:\$Recycle.Bin" instead
  of "C:\RECYCLER"
• no longer uses an "INFO2" file
• $I file – deleted date/time & original path
• $R file – original file content
• $I and $R keep the extension of the original file.
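As an added example (not from the lecture), here is a Python parser for the Vista $I record: a version field, the original file size, the deletion time as a 64-bit FILETIME, and the original path as 260 UTF-16-LE characters. It also accepts the later version-2 layout, where a character count precedes the path, as a generalization; the sample record is constructed in the code rather than taken from a real Recycle Bin.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I<id>.<ext> record from $Recycle.Bin.

    Version 1 (Vista/7): u64 version, u64 original size, u64 FILETIME of deletion,
    then 520 bytes of UTF-16-LE original path (260 chars, NUL padded).
    Version 2 (later Windows): same first 24 bytes, then u32 character count, then path.
    """
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I record version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i_v1(size: int, deleted: datetime, path: str) -> bytes:
    """Constructed version-1 $I record for testing; real ones come from $Recycle.Bin\\<SID>\\."""
    ft = int((deleted - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10
    raw_path = path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<QQQ", 1, size, ft) + raw_path


# Constructed sample: a text file deleted by user "alice" (hypothetical values).
SAMPLE_I = build_dollar_i_v1(12345,
                             datetime(2008, 3, 14, 15, 9, 26, tzinfo=timezone.utc),
                             r"C:\Users\alice\Documents\notes.txt")
```

The matching $R file holds the original content; the $I record tells you where it came from and when it was deleted, which the XP INFO2 file used to provide.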



31
         Vista Recycle Bin
• Don’t forget “Previous Versions” of the
  Recycle Bin may exist.
• May find “deleted” files in the Recycle Bin
  as well; remember those “flags” in the
  MFT records you learned about?




32
         Vista Event Logs
• XP: Application, Security, System
• Vista: Application, Security, Setup,
  System, Forwarded Events, Hardware
  Events, Media Center, Internet Explorer,
  Key Management Service, DFS
  Replication, and many others.

• Now located in:
  C:\Windows\System32\winevt\Logs
33
34
         Vista Event Logs
• Export/Save as .evtx, .xml, .txt or .csv
• Until adequate parsing tools are
  developed, best method of analysis is to
  export and load into your Vista forensic
  machine for analysis.




35
36
               Thumbnail Cache
                     (formerly thumbs.db)

• XP thumbs.db files have been replaced by
  “thumbcache_????.db” files in the folder:
     C:\Users\username\AppData\Local\Microsoft\Windows\Explorer
• Can now be attributed to a specific user’s
  viewing of files.




37
               Thumbnail Cache
• Populated when user selects the following views
  in Explorer:
     –   Medium Icons
     –   Large Icons
     –   Extra Large Icons
     –   Preview




38
         Thumbnail Cache
• thumbcache_1024.db and
  thumbcache_256.db contain jpeg files.
• thumbcache_96.db and
  thumbcache_32.db contain bitmap files.
• thumbcache_idx.db file consists of index
  entries for the graphics in the other
  thumbcache files.


39
            Shortcut (.lnk) files
• Very much the same as in XP, except that
  new additional shortcut properties exist
• Existing tools will parse out new .lnk files
  but only up to the new properties
• New locations:
User specific -
\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\

All Users -
\ProgramData\Microsoft\Windows\Start Menu\

40
                   System Activity
• Internet Explorer 7
     – “Protected Mode” – runs process with “Low”
       rights, even if logged on as Admin.
Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
Cookies: %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low\History.IE5

     – Virtualization (file and registry writes):
%userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\

41
                     System Activity
• Internet Explorer 7
      – Standard “Privileged Mode”
Cache: \Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
Cookies: \Users\username\AppData\Roaming\Microsoft\Windows\Cookies\
History: \Users\username\AppData\Local\Microsoft\Windows\History\History.IE5\



• Other data locations:
     – \Users\username\AppData\Roaming\Microsoft\Internet Explorer\UserData\
     – \Users\username\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low

42
            System Activity
• Recent "Documents" folder
  \Users\username\AppData\Roaming\Microsoft\Windows\Recent
• RSS Feeds
  \Users\username\AppData\Local\Microsoft\Feeds Cache\




43
            System Activity
• Media Player
  \Users\username\AppData\Local\Microsoft\Media Player\
• Temp Files
  – Low Privilege:
    \Users\username\AppData\Local\Temp\Low\
  – Regular Privilege:
    \Users\username\AppData\Local\Temp\

44
             System Activity
• These are just a few examples of new
  locations at which system and user activity
  files are stored.
• The Windows Registry also contains new
  hives, key locations and values…

• There is not enough time in one lecture to cover
  it all so this is just a start of some of the
  significant items in Vista.
45
              Questions?

     As usual, use the discussion board…




46