Vista Forensics (transcript of a PowerPoint presentation)
• Disk and File System Changes
– GUID and MBR disks
– Directory Structure
– Reparse Points
– BitLocker Encryption
• OS Artifacts
– Volume Shadow Copy
– Recycle Bin
– Event Logs
– Thumbnail Cache
– Shortcut (.lnk) files
– System Activity
Vista Disk Changes
• MBR Disks
– The first partition now starts at sector 2048 (a 1 MiB offset), compared with sector 63 for all previous Windows versions. Tools and carving scripts that assume the volume boot record sits at sector 63 will miss a Vista-created volume.
Vista Disk Changes
• GUID Partition Table (GPT) Disks
– Also supported by XP x64, Server 2003 and all Vista and later Windows versions.
– The "protective" MBR in sector 0 holds a single partition entry of type 0xEE that points to sector 1, where the GPT header lives; the partition entry array normally follows at sector 2, and the header carries CRC32 checksums over itself and over the entry array.
GUID Partition Table: starting and ending sectors (the slide shows a table of the GPT entries; not reproduced here)
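The following is an added example, not code from the presentation: it walks the protective MBR to confirm the 0xEE entry points at sector 1, validates the GPT header signature and CRC32 (so a corrupt or tampered header is noticed rather than silently trusted), and lists the partition entries with their starting and ending sectors. The disk image is constructed inline, so the partition GUIDs, the 1048575-sector disk size and the "Basic data partition" name are sample values, not data from a real system.

```python
"""Parse a protective MBR and a GPT header + partition array from raw sectors."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
PROTECTIVE_TYPE = 0xEE          # MBR partition type that flags a GPT disk
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # Microsoft basic data


def parse_mbr(sector0):
    """Return the four MBR partition entries as (type, start_lba, sector_count)."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    entries = []
    for i in range(4):
        _status, _chs_start, ptype, _chs_end, start, count = struct.unpack_from(
            "<B3sB3sII", sector0, 446 + 16 * i)
        entries.append((ptype, start, count))
    return entries


def is_protective_mbr(sector0):
    """A GPT disk carries one type-0xEE entry whose start LBA is 1 (the GPT header)."""
    return any(t == PROTECTIVE_TYPE and s == 1 for t, s, _ in parse_mbr(sector0))


def parse_gpt_header(sector1):
    """Check signature and header CRC32, then return the fields that locate the partitions."""
    if sector1[:8] != GPT_SIG:
        raise ValueError("GPT signature missing at LBA 1")
    (_rev, hdr_size, hdr_crc, _res, _cur, backup_lba, first_usable, last_usable,
     disk_guid, part_lba, n_parts, part_size, parts_crc) = struct.unpack_from(
        "<IIIIQQQQ16sQIII", sector1, 8)
    # The CRC covers the header with its own CRC field (offset 16) zeroed.
    zeroed = sector1[:16] + b"\x00" * 4 + sector1[20:hdr_size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hdr_crc:
        raise ValueError("GPT header CRC mismatch (corrupt or tampered header)")
    return {"backup_lba": backup_lba, "first_usable": first_usable,
            "last_usable": last_usable, "disk_guid": uuid.UUID(bytes_le=disk_guid),
            "part_lba": part_lba, "n_parts": n_parts, "part_size": part_size,
            "parts_crc": parts_crc}


def parse_gpt_entries(array, header):
    """Return the non-empty partition entries as dicts; verifies the array CRC first."""
    needed = header["n_parts"] * header["part_size"]
    if zlib.crc32(array[:needed]) & 0xFFFFFFFF != header["parts_crc"]:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(header["n_parts"]):
        e = array[i * header["part_size"]:(i + 1) * header["part_size"]]
        type_guid, uniq, first, last, attrs = struct.unpack_from("<16s16sQQQ", e, 0)
        if type_guid == b"\x00" * 16:
            continue                                   # unused slot
        name = e[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append({"index": i, "type": uuid.UUID(bytes_le=type_guid),
                      "unique": uuid.UUID(bytes_le=uniq), "first_lba": first,
                      "last_lba": last, "attrs": attrs, "name": name})
    return parts


def build_sample_disk():
    """Constructed image: protective MBR, header at LBA 1, 128 entries from LBA 2, one in use."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0, b"\x00\x02\x00", PROTECTIVE_TYPE,
                     b"\xff\xff\xff", 1, 0xFFFFFFFF)
    mbr[510:512] = b"\x55\xaa"

    entry = bytearray(128)
    struct.pack_into("<16s16sQQQ", entry, 0, BASIC_DATA.bytes_le,
                     uuid.UUID(int=0x1234).bytes_le, 2048, 1048575, 0)
    entry[56:56 + 40] = "Basic data partition".encode("utf-16-le")
    array = bytes(entry) + b"\x00" * (128 * 127)

    hdr = bytearray(SECTOR)
    hdr[:8] = GPT_SIG
    struct.pack_into("<IIIIQQQQ16sQIII", hdr, 8, 0x00010000, 92, 0, 0, 1, 1048575,
                     34, 1048542, uuid.UUID(int=0xBEEF).bytes_le, 2, 128, 128,
                     zlib.crc32(array) & 0xFFFFFFFF)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr[:92])) & 0xFFFFFFFF)
    return bytes(mbr), bytes(hdr), array


if __name__ == "__main__":
    mbr, hdr, array = build_sample_disk()
    print("protective MBR:", is_protective_mbr(mbr))
    h = parse_gpt_header(hdr)
    for p in parse_gpt_entries(array, h):
        print(p["index"], p["name"], "start", p["first_lba"], "end", p["last_lba"])
```

On a real image, read sectors 0 and 1 and the entry array from the file and pass them in; if the header at LBA 1 fails its CRC, the backup header at backup_lba (the last sector of the disk) is the next thing to check.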
Vista Directory Structure
• Shown (in the slide) with the "dual partition" setup BitLocker needs: a small unencrypted system partition holding the boot files alongside the encrypted OS volume, here on a computer without a TPM.
• C:\Documents and Settings\ is now only a reparse point (a directory junction) that redirects to C:\Users.
• Many other directories have changed; per-user application data, for example, now lives under C:\Users\username\AppData.
Reparse Points
• Directory Junctions
• Symbolic Directory Links
• Symbolic File Links
Reparse Points
• Directory Junctions
– Users cannot browse the compatibility junctions such as C:\Documents and Settings: they hold no content of their own, and Vista also places a Deny "List folder" entry for Everyone on them, so Explorer reports "Access is denied" even though a full path through the junction (C:\Documents and Settings\username\Desktop) still resolves.
– Redirects legacy programs from folders like C:\Documents and Settings\ to C:\Users.
– The target is stored in the $REPARSE_POINT attribute (type 0xC0) of the directory's NTFS MFT record, tagged IO_REPARSE_TAG_MOUNT_POINT (0xA0000003), with the "pointer" held as a substitute name in NT object-manager form (\??\C:\Users) plus a display name.
Reparse Points
• Symbolic Directory Links
"Vista processes symbolic links on the local system, even when they reference a location on a remote server. Vista processes directory junctions that reference a remote file server on the server itself" (Mark Russinovich)
Reparse Points
• Symbolic File Links
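The following is an added example for the three reparse-point slides (directory junctions, symbolic directory links and symbolic file links); it is not code from the presentation. It decodes the REPARSE_DATA_BUFFER that the $REPARSE_POINT attribute holds, distinguishes junctions from symbolic links by tag, and reports whether the target is remote, which is the property behind the Russinovich quote (a symbolic link to a UNC path is followed by the client, a junction on a server is followed by the server). The buffers are constructed in the documented layout; the link paths and the "fileserver" host are sample values. The Deny ACL on the compatibility junctions is not part of this buffer, it lives in the directory's security descriptor.

```python
"""Decode the REPARSE_DATA_BUFFER stored in an NTFS $REPARSE_POINT (0xC0) attribute."""
import struct

IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003   # directory junction (also volume mount points)
IO_REPARSE_TAG_SYMLINK = 0xA000000C       # symbolic link, file or directory
SYMLINK_FLAG_RELATIVE = 0x00000001        # substitute name is relative to the link's directory


def _nt_to_display(path):
    """Strip the NT object-manager prefix so \\??\\C:\\Users reads as C:\\Users."""
    if path.startswith("\\??\\UNC\\"):
        return "\\\\" + path[8:]
    if path.startswith("\\??\\"):
        return path[4:]
    return path


def parse_reparse_point(buf):
    """Return tag, kind, substitute/print names, and whether the target is remote."""
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    data = buf[8:8 + data_len]
    if tag == IO_REPARSE_TAG_MOUNT_POINT:
        sub_off, sub_len, prt_off, prt_len = struct.unpack_from("<HHHH", data, 0)
        flags, path = 0, data[8:]
        kind = "junction"
    elif tag == IO_REPARSE_TAG_SYMLINK:
        sub_off, sub_len, prt_off, prt_len, flags = struct.unpack_from("<HHHHI", data, 0)
        path = data[12:]
        kind = "symlink"
    else:
        return {"tag": tag, "kind": "other"}      # other reparse tags (dedup, HSM, ...)
    substitute = path[sub_off:sub_off + sub_len].decode("utf-16-le")
    print_name = path[prt_off:prt_off + prt_len].decode("utf-16-le")
    target = _nt_to_display(substitute)
    return {"tag": tag, "kind": kind, "substitute": substitute, "print_name": print_name,
            "target": target, "relative": bool(flags & SYMLINK_FLAG_RELATIVE),
            "remote": target.startswith("\\\\")}


def build_reparse_buffer(tag, substitute, print_name, flags=0):
    """Constructed buffer; the parser relies on the offsets, so the name order is free."""
    sub = substitute.encode("utf-16-le")
    prt = print_name.encode("utf-16-le")
    if tag == IO_REPARSE_TAG_MOUNT_POINT:
        # Junction buffers NUL-terminate both names; offsets are byte offsets into PathBuffer.
        head = struct.pack("<HHHH", 0, len(sub), len(sub) + 2, len(prt))
        path = sub + b"\x00\x00" + prt + b"\x00\x00"
    else:
        head = struct.pack("<HHHHI", 0, len(sub), len(sub), len(prt), flags)
        path = sub + prt
    data = head + path
    return struct.pack("<IHH", tag, len(data), 0) + data


# Constructed samples: the Vista compatibility junction and two symbolic links.
SAMPLES = {
    "C:\\Documents and Settings": build_reparse_buffer(
        IO_REPARSE_TAG_MOUNT_POINT, "\\??\\C:\\Users", "C:\\Users"),
    "C:\\Users\\alice\\share": build_reparse_buffer(
        IO_REPARSE_TAG_SYMLINK, "\\??\\UNC\\fileserver\\share", "\\\\fileserver\\share"),
    "C:\\Users\\alice\\notes.txt": build_reparse_buffer(
        IO_REPARSE_TAG_SYMLINK, "..\\docs\\notes.txt", "..\\docs\\notes.txt",
        SYMLINK_FLAG_RELATIVE),
}

if __name__ == "__main__":
    for link, buf in SAMPLES.items():
        info = parse_reparse_point(buf)
        print(f"{link} -> {info['target']} ({info['kind']}, remote={info['remote']})")
```

When examining an image rather than a live system, feed the function the raw content of the $REPARSE_POINT attribute from the MFT record; the same decoder covers the junctions Vista creates for compatibility and any symbolic link a user or malware has planted.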
BitLocker Encryption
Identification of BitLocker Encryption
• Previous versions of Windows (NT/2K/XP/2K3) do not know what BitLocker is: they see the volume as unformatted (RAW) and offer to format it.
• You will not be able to use XP to disable or otherwise interact with it.
• Vista (or a later Windows version) must be used to interact with BitLocker.
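As an added example (not from the presentation) of how to recognise a BitLocker volume in an image before you reach for a Vista machine: BitLocker writes the OEM label "-FVE-FS-" at offset 3 of the volume boot record, where an NTFS volume carries "NTFS    ", so the boot sector alone identifies the volume; a second check measures the byte entropy of a sector sample, which for ciphertext sits close to 8 bits per byte. The boot sectors and sector samples are constructed inline (the pseudo-random "ciphertext" uses a fixed seed), so the values are sample data, not sectors from a real drive.

```python
"""Identify a BitLocker volume from its boot sector and check that its data looks encrypted."""
import math
import random
from collections import Counter

BITLOCKER_OEM = b"-FVE-FS-"      # OEM label BitLocker writes into the volume boot record
NTFS_OEM = b"NTFS    "


def identify_volume(boot_sector):
    """Classify a 512-byte volume boot record by its OEM / file-system label."""
    if len(boot_sector) < 512:
        raise ValueError("need a full 512-byte sector")
    oem = boot_sector[3:11]
    if oem == BITLOCKER_OEM:
        return "bitlocker"
    if oem == NTFS_OEM:
        return "ntfs"
    if boot_sector[82:90] == b"FAT32   ":
        return "fat32"
    if boot_sector[54:62] in (b"FAT12   ", b"FAT16   "):
        return "fat"
    return "unknown"


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(sample, threshold=7.5):
    """Ciphertext (and compressed data) sits near 8 bits/byte; plaintext and zeros do not."""
    return shannon_entropy(sample) >= threshold


def build_boot_sector(oem):
    """Constructed VBR: x86 jump, OEM label, zeroed BPB, boot signature."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xeb\x52\x90"
    vbr[3:11] = oem
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)


def build_samples():
    """Constructed sector data: pseudo-random 'ciphertext', zeros and ASCII text."""
    rng = random.Random(20080101)                      # fixed seed, deterministic entropy
    cipher = bytes(rng.getrandbits(8) for _ in range(4096))
    zeros = bytes(4096)
    text = (b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 72)[:4096]
    return {"cipher": cipher, "zeros": zeros, "text": text}


if __name__ == "__main__":
    for name, oem in (("locked volume", BITLOCKER_OEM), ("plain volume", NTFS_OEM)):
        print(name, "->", identify_volume(build_boot_sector(oem)))
    for name, sample in build_samples().items():
        print(f"{name}: {shannon_entropy(sample):.2f} bits/byte, "
              f"encrypted={looks_encrypted(sample)}")
```

The entropy check is a supporting signal only: a compressed archive or a wiped-with-random-data region scores just as high, and a BitLocker volume that was paused ("disabled") still scores high because the data stays encrypted on disk. The OEM label is what tells you which tool to use.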
Working with BitLocker Encryption
• Must use Vista (a VM is fine) to interact with BitLocker volumes.
• If a BitLocker disk is attached to your Vista machine and is locked, the volume is not accessible until it is unlocked with the recovery password or key.
• If the BitLocker feature is not enabled on your Vista machine or VM, you must enable it before you can unlock or turn off BitLocker on "foreign" BitLocker disks.
• Attaching a suspect disk to a Windows machine without a write blocker can alter it, and turning BitLocker off decrypts in place, so image the encrypted disk first where you can.
Turning off BitLocker Encryption
• Click on the blue "Unlock Volume" link.
• Provide the recovery password, either from a USB drive or by entering it manually.
• Recovery password files are plain text files: look for them on USB drives seized with the machine.
• After you provide the correct password or USB key, the volume becomes temporarily available.
• BitLocker is now "unlocked" and you can access the partition. Note that the icon has changed from a padlock to a key but still says "On": this is a temporary unlock, not a decryption, and the volume will be locked again after a reboot.
Imaging BitLocker drives
• With BitLocker temporarily unlocked, you can image the volume in Windows using any Windows-based imaging tool; the image you get is plaintext.
• If you wish to permanently turn off BitLocker so the drive can be read outside Vista, click the blue "Turn Off BitLocker" link to start the decryption process.
– Note that this changes the drive as it decrypts the data, so do it only after you have imaged the encrypted drive.
– This will take a long time, so be prepared to wait.
• You can image the fully encrypted drive just like any other drive with any other data on it: the image is a faithful copy, but you will not be able to decipher anything on it until you unlock or turn off BitLocker.
Live BitLocker Encrypted Systems
If logged on as an administrator on the live system, you can:
• Turn off or disable BitLocker, or
• Export a new copy of the recovery password text file (the BitLocker control panel lets you save or print the recovery password again).
Live BitLocker Encrypted Systems
This disabling process is not like the prior "slave" drive example. That was a one-time unlock that reverts to locked on reboot. "Disable" on a live Vista machine stores a clear key on the disk, so the volume is unlocked (but not decrypted) on every reboot without the TPM, PIN or USB key, until you re-enable BitLocker; the data on disk stays encrypted throughout.
Booting a BitLocker System
• With a TPM chip: TPM only (no prompt), TPM plus startup PIN, or TPM plus startup key (USB), depending on how BitLocker was configured.
• Without a TPM chip: USB startup key.
• Or hit "Enter" at the prompt to enter a recovery password manually…
• Enter the recovery password from the correct text file: the recovery screen shows a password ID, so match it against the saved files before typing in the 48-digit password.
OS Artifact Changes and Additions
• Volume Shadow Copy
• Recycle Bin
• Event Logs
• Thumbnail Cache
• Shortcut (.lnk) files
• System Activity
Volume Shadow Copy
• A "point-in-time" snapshot of a volume, kept as block-level differences from the live volume.
• Introduced with XP and Server 2003, but greatly enhanced in Windows Vista, which exposes the snapshots to users as "Previous Versions".
• Snapshots may take up to approximately 15% of the volume by default; the oldest snapshots are discarded as that space fills, so what survives depends on how busy the volume has been.
• Snapshots are taken once a day, and whenever an application or installer makes a system change that requires one (a System Restore point).
Volume Shadow Copy
• Control Panel / System and Maintenance / System / System Protection
Volume Shadow Copy
• Previous Versions exist for files and folders (right-click, Properties, Previous Versions tab).
• Can open, copy out or restore any previous version "snapshot".
• Each "snapshot" can contain different content, so check all of them.
Volume Shadow Copy
• Located in the hidden C:\System Volume Information folder.
• The file structure was unknown at the time of this lecture; it has since been reverse engineered (the libvshadow project documents it), so the snapshots can now be parsed from an image without booting the system.
• The easiest way to get files out of a snapshot is the "Previous Versions" feature, used to copy out the files or folders stored within. From an elevated command prompt, "vssadmin list shadows" enumerates the snapshots, and "mklink /d C:\shadow1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\" (the trailing backslash is required) exposes one as a browsable directory.
Volume Shadow Copy
• Open the desired "Previous Version".
• Use WinRAR or a similar archiver to package the evidence files, so their dates and attributes are preserved; a plain drag-and-drop copy gives the copies a new creation time.
Vista Recycle Bin
• Now located at C:\$Recycle.Bin\<user SID>\ (one subfolder per user) instead of C:\RECYCLER.
• No longer uses an INFO2 file.
• $I file: deletion date/time (a FILETIME), original size and original path, in a fixed 544-byte record.
• $R file: the original file content, renamed.
• $I and $R share a random six-character identifier and keep the extension of the original file, so (illustrative names) $IABC123.docx describes $RABC123.docx.
Vista Recycle Bin
• Don't forget that "Previous Versions" of the Recycle Bin folders may exist in the shadow copies, holding $I/$R pairs the user has since emptied.
• You may also find "deleted" $I and $R files in the Recycle Bin directory itself: emptying the bin only clears the in-use flag of their MFT records (remember those "flags" in the MFT records you learned about?), so both metadata and content can often be recovered until the entries are reused.
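The following is an added example for the two Recycle Bin slides, not code from the presentation: it parses a Vista $I record (version 1: 8-byte version, 8-byte size, 8-byte FILETIME, 520-byte UTF-16 path), names the matching $R file, and pulls the owning SID out of the per-user folder path. It also accepts the later version 2 layout (Windows 10, length-prefixed path), which goes beyond what the slides cover, because a recycle-bin parser written today should handle both. The $I files, paths, timestamps and SID below are constructed sample data.

```python
"""Parse Vista $I recycle-bin metadata files and pair them with their $R companions."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520                        # 260 UTF-16 code units (MAX_PATH)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data):
    """Return version, original size, deletion time (UTC) and original path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                                   # Vista / 7 / 8: fixed-width path
        raw = data[24:24 + V1_PATH_BYTES]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:                                 # Windows 10+: length-prefixed path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def companion_name(i_name):
    """$I<id>.<ext> describes $R<id>.<ext>, which holds the original content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def owner_sid(bin_path):
    """C:\\$Recycle.Bin\\<SID>\\$I...: the per-user subfolder names the deleting account."""
    for part in bin_path.replace("/", "\\").split("\\"):
        if part.upper().startswith("S-1-"):
            return part
    return None


def build_dollar_i(version, size, deleted, path):
    """Constructed $I file in version 1 (520-byte path) or version 2 (length-prefixed)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return head + path.encode("utf-16-le").ljust(V1_PATH_BYTES, b"\x00")
    body = (path + "\x00").encode("utf-16-le")
    return head + struct.pack("<I", len(path) + 1) + body


# Constructed sample: a spreadsheet deleted from a user's Documents folder.
SAMPLE_I = build_dollar_i(1, 34_512, datetime(2008, 3, 14, 15, 9, 26, tzinfo=timezone.utc),
                          "C:\\Users\\alice\\Documents\\budget.xlsx")

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_I)
    print(rec["path"], rec["size"], rec["deleted"].isoformat())
    print("content in:", companion_name("$IQ7X2K1.xlsx"))
    print("owner:", owner_sid("C:\\$Recycle.Bin\\S-1-5-21-1-2-3-1001\\$IQ7X2K1.xlsx"))
```

Run it over every $I file under C:\$Recycle.Bin, including the copies recovered from Previous Versions, and resolve each SID through the ProfileList key or the SAM to name the user.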
Vista Event Logs
• XP: Application, Security, System (.evt files under C:\Windows\System32\config).
• Vista: Application, Security, Setup, System, Forwarded Events, Hardware Events, Media Center, Internet Explorer, Key Management Service, DFS Replication, and many others under "Applications and Services Logs".
• New binary XML format with the .evtx extension; XP-era .evt parsers cannot read it.
• Now located in: C:\Windows\System32\winevt\Logs
Vista Event Logs
• Event Viewer can export/save a log as .evtx, .xml, .txt or .csv.
• Until adequate parsing tools are developed, the best method of analysis is to export the logs and load them into the Event Viewer on your Vista forensic machine, or to work from the XML export.
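As an added example of working from the XML export rather than the raw .evtx (it is not code from the presentation): the script reads the <Events> document that Event Viewer's "Save As... XML" writes, using the Windows event schema namespace, orders the records into a timeline, counts failed logons (event ID 4625) by account and source address, picks out RDP logons (4624 with logon type 10), and flags gaps in the EventRecordID sequence, which mean records are missing from the export (a filtered view, or a cleared or overwritten log). The events, host name, account names and address below are constructed sample data.

```python
"""Build a timeline from an Event Viewer XML export of a Vista .evtx log."""
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}


def parse_events(xml_text):
    """Return one dict per <Event>, sorted by TimeCreated (ISO 8601 UTC sorts lexically)."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        sysel = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "record_id": int(sysel.findtext("e:EventRecordID", namespaces=NS)),
            "event_id": int(sysel.findtext("e:EventID", namespaces=NS)),
            "time": sysel.find("e:TimeCreated", NS).get("SystemTime"),
            "channel": sysel.findtext("e:Channel", namespaces=NS),
            "computer": sysel.findtext("e:Computer", namespaces=NS),
            "provider": sysel.find("e:Provider", NS).get("Name"),
            "data": data,
        })
    events.sort(key=lambda e: e["time"])
    return events


def failed_logons(events):
    """Count 4625 (failed logon) events by (account, source address)."""
    return Counter((e["data"].get("TargetUserName"), e["data"].get("IpAddress"))
                   for e in events if e["event_id"] == 4625)


def remote_interactive_logons(events):
    """4624 with LogonType 10 is a RemoteInteractive (Terminal Services / RDP) logon."""
    return [e for e in events if e["event_id"] == 4624 and e["data"].get("LogonType") == "10"]


def record_id_gaps(events):
    """EventRecordIDs are sequential within a log; return (first_missing, last_missing) ranges."""
    ids = sorted(e["record_id"] for e in events)
    return [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b - a > 1]


def _event(record_id, event_id, when, **data):
    """Constructed <Event> in the shape Event Viewer's XML export uses."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing" /><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}" /><EventRecordID>{record_id}</EventRecordID>'
            f'<Channel>Security</Channel><Computer>VISTA-PC</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed export: a console logon, two failed RDP attempts, then a successful RDP logon;
# record 1004 is deliberately absent to show the gap check.
SAMPLE_XML = "<Events>" + "".join([
    _event(1001, 4624, "2008-03-14T08:02:11.000Z", TargetUserName="alice", LogonType="2",
           IpAddress="-"),
    _event(1002, 4625, "2008-03-14T08:15:40.000Z", TargetUserName="bob", LogonType="10",
           IpAddress="10.0.0.5", Status="0xc000006d"),
    _event(1003, 4625, "2008-03-14T08:15:52.000Z", TargetUserName="bob", LogonType="10",
           IpAddress="10.0.0.5", Status="0xc000006d"),
    _event(1005, 4624, "2008-03-14T08:16:05.000Z", TargetUserName="bob", LogonType="10",
           IpAddress="10.0.0.5"),
]) + "</Events>"

if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for e in evs:
        print(e["time"], e["record_id"], e["event_id"], e["data"].get("TargetUserName"))
    print("failed logons:", dict(failed_logons(evs)))
    print("RDP logons:", [e["record_id"] for e in remote_interactive_logons(evs)])
    print("record gaps:", record_id_gaps(evs))
```

The same parse_events output feeds any other question (which accounts logged on from which address, what ran at a given time), and because the export keeps EventRecordID and the original timestamps, the timeline can be cross-checked against the one rebuilt later from the binary .evtx once a parser is available.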
Thumbnail Cache (formerly thumbs.db)
• The per-folder thumbs.db files of XP have been replaced by per-user "thumbcache_????.db" files in the folder: C:\Users\username\AppData\Local\Microsoft\Windows\Explorer
• Because the cache lives in the user profile, a thumbnail can now be attributed to a specific user's viewing of files, and it can survive the deletion of the original image.
Thumbnail Cache
• Populated when the user selects one of the following views in Explorer:
– Medium Icons
– Large Icons
– Extra Large Icons
– Preview
Thumbnail Cache
• thumbcache_1024.db and thumbcache_256.db contain JPEG images (the number is the thumbnail's pixel size).
• thumbcache_96.db and thumbcache_32.db contain bitmap (BMP) images.
• thumbcache_idx.db consists of index entries that map a hashed identifier to the corresponding entries in the other thumbcache files.
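The following is an added example for the thumbnail cache slides, not code from the presentation. Each record in a thumbcache_*.db file starts with the signature "CMMM" followed by a 4-byte entry size, and the file itself begins with the same signature; the carver below walks the entries by that size field and then looks for JPEG or BMP magic inside each one, so it does not depend on the rest of the entry header (which changed between Windows versions). The cache file is constructed inline with placeholder header fields and two stub images, so it is sample data rather than a real cache.

```python
"""Carve thumbnails out of Vista thumbcache_*.db files by entry signature and image magic."""
import struct

ENTRY_SIG = b"CMMM"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# What the slides say each Vista cache file holds; useful for flagging surprises.
EXPECTED = {"thumbcache_1024.db": "jpeg", "thumbcache_256.db": "jpeg",
            "thumbcache_96.db": "bmp", "thumbcache_32.db": "bmp"}


def _bmp_at(entry, pos):
    """True if a plausible BMP file header starts at pos (declared size fits, DIB size known)."""
    if entry[pos:pos + 2] != b"BM" or len(entry) < pos + 18:
        return False
    (size,) = struct.unpack_from("<I", entry, pos + 2)
    (dib,) = struct.unpack_from("<I", entry, pos + 14)
    return 26 <= size <= len(entry) - pos and dib in (12, 40, 52, 56, 108, 124)


def carve_entry(entry):
    """Return ('jpeg' | 'bmp', image_bytes) for one CMMM entry, or None if no image is found."""
    j = entry.find(JPEG_SOI)
    if j != -1:
        end = entry.find(JPEG_EOI, j)
        return "jpeg", entry[j:end + 2 if end != -1 else len(entry)]
    pos = entry.find(b"BM")
    while pos != -1:
        if _bmp_at(entry, pos):
            (size,) = struct.unpack_from("<I", entry, pos + 2)
            return "bmp", entry[pos:pos + size]
        pos = entry.find(b"BM", pos + 1)
    return None


def carve_thumbcache(data):
    """Walk CMMM entries by their size field; return a list of (offset, kind, image_bytes)."""
    out = []
    pos = data.find(ENTRY_SIG, 4)        # skip the file header's own CMMM signature
    while pos != -1 and pos + 8 <= len(data):
        (size,) = struct.unpack_from("<I", data, pos + 4)
        if size < 8:                      # corrupt size field: resync on the next signature
            pos = data.find(ENTRY_SIG, pos + 4)
            continue
        found = carve_entry(data[pos:pos + size])
        if found:
            out.append((pos, found[0], found[1]))
        pos = data.find(ENTRY_SIG, pos + size)
    return out


def _stub_jpeg():
    """Constructed stand-in: valid SOI/APP0/EOI markers, no image data."""
    return (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + JPEG_EOI)


def _stub_bmp():
    """Constructed 1x1 24-bit BMP (58 bytes): file header, BITMAPINFOHEADER, one padded pixel."""
    file_hdr = struct.pack("<2sIHHI", b"BM", 58, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
    return file_hdr + dib + b"\x00\x00\xff\x00"


def _entry(image):
    """Constructed entry: signature, size, 56 bytes of placeholder header fields, image."""
    body = b"\x00" * 56 + image
    return ENTRY_SIG + struct.pack("<I", 8 + len(body)) + body


def build_sample_cache():
    """Constructed cache file: 24-byte placeholder file header, then a JPEG and a BMP entry."""
    header = ENTRY_SIG + struct.pack("<III", 0x14, 0, 24) + b"\x00" * 8
    return header + _entry(_stub_jpeg()) + _entry(_stub_bmp())


if __name__ == "__main__":
    for offset, kind, image in carve_thumbcache(build_sample_cache()):
        print(f"entry at {offset}: {kind}, {len(image)} bytes")
```

Write each carved blob to a file named after its offset and the source cache (thumbcache_256_00001234.jpg), keep the offset in your notes so the thumbnail can be tied back to the entry, and treat a BMP found in thumbcache_256.db or a JPEG in thumbcache_32.db as worth a second look against EXPECTED.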
Shortcut (.lnk) files
• Very much the same as in XP, except that new additional shortcut properties exist.
• Existing tools will parse Vista .lnk files, but only up to the new properties, which they do not understand.
• New locations:
– User specific: \Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\
– All users: \ProgramData\Microsoft\Windows\Start Menu\
System Activity
• Internet Explorer 7
– "Protected Mode": runs the browser process at the "Low" integrity level, even when the user is logged on as an administrator, so web content can write only to Low-labelled locations:
Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
Cookies: %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low\History.IE5
– Virtualization (file and registry writes that Protected Mode redirects away from the real profile; distinct from UAC's VirtualStore): %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\
System Activity
• Internet Explorer 7
– Standard ("privileged") mode, i.e. Protected Mode off at medium integrity (the Trusted sites zone, or Protected Mode disabled):
Cache: \Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
Cookies: \Users\username\AppData\Roaming\Microsoft\Windows\Cookies\
History: \Users\username\AppData\Local\Microsoft\Windows\History\History.IE5\
• Other data locations (IE's userData persistence store):
– \Users\username\AppData\Roaming\Microsoft\Internet Explorer\UserData\
– \Users\username\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low
System Activity
• Recent "Documents" folder: \Users\username\AppData\Roaming\Microsoft\Windows\Recent
• RSS Feeds: \Users\username\AppData\Local\Microsoft\Feeds Cache\
System Activity
• Media Player: \Users\username\AppData\Local\Microsoft\Media Player\
• Temp Files
– Low privilege (Protected Mode IE): \Users\username\AppData\Local\Temp\Low\
– Regular privilege: \Users\username\AppData\Local\Temp\
System Activity
• These are just a few examples of the new locations where system and user activity files are stored.
• The Windows Registry also contains new hives, key locations and values…
• There is not enough time in one lecture to cover it all, so this is just a start on some of the significant items in Vista.
Questions?
As usual, use the discussion board…