Lecture 7 Forensic Analysis of Windows Systems (contd.)

Date post: 11-Jan-2016
Page 1: Lecture 7 Forensic Analysis of Windows Systems (contd.)

Lecture 7

Forensic Analysis of Windows Systems (contd.)

Prof. Shamik Sengupta

Office 4210N

[email protected]

http://jjcweb.jjay.cuny.edu/ssengupta/

Fall 2010

Page 2

What we will cover today

Forensic analysis of Windows systems

– Registry

– Time zone

– Print Spool


Page 3

Windows Registry

What is the registry?

– Think of it as a large database of settings and information

– Settings for: computer, applications, services, security and users

Microsoft definition:

– “A central hierarchical database used to store information that is necessary to configure the system for one or more users, applications and hardware devices.”


Page 4

Registry Files

The Windows registry is a repository for configuration information

– On Windows 95/98, the registry consists of files

– windows\system.dat, windows\user.dat, etc.

– On Windows NT/2000 onward, several hive files located in systemroot\system32\config

– ntuser.dat

The registry contains information about many aspects of the system in “separate compartments”

– It can be viewed using “regedit” or regedt32 from the command line

– It can be viewed using EnCase

Page 5

A snapshot of the Registry using regedit

Page 6

Registry Hives

Windows Registry – four main system hives

– Software (HKEY_LOCAL_MACHINE\Software)

– System (HKEY_LOCAL_MACHINE\System)

– Security (HKEY_LOCAL_MACHINE\Security)

– SAM (HKEY_LOCAL_MACHINE\SAM)

– Often grouped together as HKLM

User hive

– HKEY_USERS\...

– HKU


Page 7

HIVES

Subtree                        Filename
HKEY_LOCAL_MACHINE\System      Windows\system32\config\System
HKEY_LOCAL_MACHINE\Software    Windows\system32\config\Software
HKEY_LOCAL_MACHINE\Security    Windows\system32\config\Security
HKEY_LOCAL_MACHINE\SAM         Windows\system32\config\SAM

Subtree                        Filename
HKU\[…]                        NTUSER.DAT (in \documents and settings…)

One for each user

Page 8

User Hive

When Windows loads a user profile, the OS loads the hive file into the HKEY_USERS subtree

– For the current user, Windows links HKEY_CURRENT_USER (HKCU) to HKU\<SID>

Use EnCase to mount your NTUSER.dat

– Find the homepage for Internet Explorer for this user account

Page 9

Closing a mounted Registry Hive

Closing a mounted registry hive is important!

– If you mount all the hives and save your case, it will take a long time for the case to open next time

– A mounted hive also uses extra RAM on your computer

How to close?

– Select the “Devices” tab

– You will see the mounted hives in the table pane

– Right-click on the hive and select “Close”

Page 10

Time Zone information

When conducting a forensic investigation on a computer

– It is critical to determine the time zone settings of hard drives that have the Windows OS installed

How to understand time zone settings

– Use Registry information

– Which Hive contains this info?

Page 11

System Registry Hive

Mount the System

Page 12

System Hive

Page 13

Now pause and look into the System Hive

There are a lot of folders, and possibly several “ControlSet” folders

What are these ControlSet folders?

– A control set contains system configuration information such as device drivers and services

– Several instances of control sets appear when viewing the Registry

– Some are duplicates or mirror images of others and some are unique

– How many there are depends on how often you change system settings or have problems with the settings you choose

– A typical installation of Windows may contain two to four:

– \ControlSet001

– \ControlSet002

– \CurrentControlSet

– \Clone

Page 14

ControlSet folders

A typical installation of Windows may contain two to four:

– \ControlSet001

– \ControlSet002

– \CurrentControlSet

– \Clone

– ControlSet001 may be the last control set you booted with

– ControlSet002 could be what is known as the last known good control set, or the control set that last successfully booted Windows

– The CurrentControlSet subkey is just a pointer to one of the ControlSetXXX keys

– Clone is a clone of CurrentControlSet, and is created each time you boot your computer

How will you know which folder is for what?

– In order to better understand how these control sets are used, we need to access another subkey: “Select”

Page 15

Select

Select is also under the SYSTEM key. It contains the following values:

– Current

– Default

– Failed

– LastKnownGood

Each of these values is a REG_DWORD and refers to a specific control set

– For example, if the Current value is set to 0x1, then CurrentControlSet is pointing to ControlSet001

– Failed refers to a control set that was unable to boot Windows NT successfully

– The Default value usually agrees with Current

Page 16

Viewing Select

Page 17

Viewing Select

Page 18

Time zone information

Page 19

Time zone information

Page 20

Time zone information

Bias – Minutes offset from GMT for the time zone setting (32 bit int)

– E.g., 300

ActiveTimeBias – Minutes offset from GMT for the current time setting (32 bit int)

– E.g., 240

DaylightBias – Minutes offset from the Bias for DST settings (32 bit int)

– E.g., -60

StandardBias – Minutes offset from the Bias for the standard time (usually 0)

DaylightName – Name of the time zone DST setting (Unicode)

StandardName – Name of the standard time zone setting (Unicode)


Page 21

Time zone information

DaylightStart, StandardStart:

Format: 8 fields

– each field is a 16 bit integer (2 bytes)

– 2-byte pad (00 00), Month, Week, Hour, Minutes, Seconds, Millisec, Day
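An added example (not from the slides) that ties the Select slide and the two time zone slides together: it resolves Select\Current to the ControlSetXXX key that CurrentControlSet points to, decodes DaylightStart/StandardStart as eight 16-bit fields in the Win32 SYSTEMTIME order (the year field is the 00 00 pad), and applies ActiveTimeBias to a UTC file-system timestamp, which is the reason the time zone settings matter to an examiner. The Select and TimeZoneInformation values are constructed (US Eastern), and the ControlSetXXX\Control\TimeZoneInformation key path is an assumption from Windows documentation rather than something the slides state.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample values from a SYSTEM hive. Select holds REG_DWORDs; the time zone values
# live under ControlSetXXX\Control\TimeZoneInformation (key path assumed, not from the slides).
SELECT = {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2}
TZI = {
    "Bias": 300,            # minutes west of GMT for the zone itself (UTC-5, US Eastern)
    "ActiveTimeBias": 240,  # offset in effect when the machine last ran (UTC-4, so DST was active)
    "DaylightBias": -60,
    "StandardBias": 0,
    # 16 bytes each: eight little-endian 16-bit fields in Win32 SYSTEMTIME order:
    # year (the 00 00 pad), month, day-of-week, week-of-month (5 = last), hour, minute, second, ms
    "DaylightStart": bytes.fromhex("0000 0300 0000 0200 0200 0000 0000 0000"),
    "StandardStart": bytes.fromhex("0000 0b00 0000 0100 0200 0000 0000 0000"),
}
WEEKDAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
WEEKS = {1: "first", 2: "second", 3: "third", 4: "fourth", 5: "last"}


def current_control_set(select):
    """Resolve Select\\Current to the ControlSetXXX key that CurrentControlSet points to."""
    return "ControlSet%03d" % select["Current"]


def select_warnings(select):
    """Flag Select values an examiner should note before trusting CurrentControlSet."""
    notes = []
    if select["Default"] != select["Current"]:
        notes.append("Default (%d) differs from Current (%d)" % (select["Default"], select["Current"]))
    if select["Failed"]:
        notes.append("ControlSet%03d failed to boot" % select["Failed"])
    return notes


def decode_transition(raw):
    """Decode a DaylightStart/StandardStart blob into the DST rule it encodes."""
    _pad, month, dow, week, hour, minute, _sec, _ms = struct.unpack("<8H", raw)
    return "%s %s of month %d at %02d:%02d" % (WEEKS[week], WEEKDAYS[dow], month, hour, minute)


def expected_active_bias(tzi, dst_in_effect):
    """ActiveTimeBias should equal Bias + DaylightBias under DST, or Bias + StandardBias otherwise."""
    return tzi["Bias"] + (tzi["DaylightBias"] if dst_in_effect else tzi["StandardBias"])


def utc_to_local(ts_utc, tzi):
    """NTFS timestamps are UTC; local time = UTC - ActiveTimeBias (positive bias = west of GMT)."""
    return ts_utc.astimezone(timezone(timedelta(minutes=-tzi["ActiveTimeBias"])))
```

With these values, a UTC timestamp of 18:30 on 15 Sep 2010 becomes 14:30 local, and expected_active_bias(TZI, True) reproduces the stored ActiveTimeBias of 240, confirming DST was in effect.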


Page 22

Printing

Printing involves a spooling process whereby the sending of data to a printer is delayed

– The delay allows the application program to continue to be responsive to the user

– The printing takes place in the background

Print spooling is accomplished by creating temporary files that contain both the data to be printed and sufficient information to complete the print job

– Files with extensions .SPL and .SHD are created for each job

– The .SHD file is a ‘shadow’ file that contains information about the print job including the owner, the printer, the name of the file printed and the printing method (EMF or RAW)

– In RAW format, the .SPL file contains the data to be printed

– In EMF format, the .SPL file contains the name of the file printed, the method and a list of files that contain the data to be printed

– .SHD, .SPL files are deleted after the print job completes

Page 23

Printing (Continued)

In Windows, the spool files are kept in <system folder>\system32\spool\printers

The .SPL and .SHD files contain the name of the file to be printed including its fully qualified path

– The path may suggest that other media containing evidence exist

If the original file that the user printed does not exist on the seized evidence, the file may be found in enhanced metafile format

While in Hex view, locate the letters “EMF” in the right part of the view pane

– Starting from the byte just prior to “E” select 41 bytes backwards

– Right-click on the highlighted area and view it as a picture
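An added example (not from the slides) of the “EMF” search described above, done in Python rather than by hand in the hex view: it finds the ‘ EMF’ signature, steps back 40 bytes to the start of the EMR_HEADER record (the slide’s 41-byte selection ending at the byte before “E”), checks the record type and version, and uses the header’s own Bytes field to cut out the whole metafile. The EMR_HEADER layout is the Windows metafile format’s; the spool fragment and the minimal EMF embedded in it are constructed.

```python
import struct

EMF_SIGNATURE = b" EMF"   # 0x464D4520, at offset 40 of the EMR_HEADER record, so "E" sits at offset 41
SIGNATURE_OFFSET = 40
EMR_HEADER_TYPE, EMR_EOF_TYPE = 1, 14
MIN_HEADER_SIZE = 88


def build_sample_emf(width_px=100, height_px=50):
    """Constructed minimal EMF (not a real spool file): an 88-byte EMR_HEADER plus a 20-byte EMR_EOF."""
    eof = struct.pack("<5I", EMR_EOF_TYPE, 20, 0, 0, 20)
    total = MIN_HEADER_SIZE + len(eof)
    header = struct.pack(
        "<II4i4i4sIIIHHIII2i2i",
        EMR_HEADER_TYPE, MIN_HEADER_SIZE,
        0, 0, width_px, height_px,               # Bounds, device units
        0, 0, width_px * 100, height_px * 100,   # Frame, 0.01 mm units
        EMF_SIGNATURE, 0x00010000, total, 2,     # signature, version, Bytes (file size), Records
        1, 0, 0, 0, 0,                           # Handles, Reserved, nDescription, offDescription, nPalEntries
        1024, 768, 320, 240,                     # Device size in pixels, then in millimetres
    )
    return header + eof


def carve_emf(buf):
    """Locate ' EMF', step back 40 bytes to the record start (the slide's 41-byte selection),
    validate the EMR_HEADER and cut the metafile out using its own Bytes field."""
    found = []
    pos = buf.find(EMF_SIGNATURE)
    while pos != -1:
        start = pos - SIGNATURE_OFFSET
        if start >= 0 and len(buf) - start >= MIN_HEADER_SIZE:
            rec_type, rec_size = struct.unpack_from("<II", buf, start)
            version, nbytes = struct.unpack_from("<II", buf, start + 44)
            if (rec_type == EMR_HEADER_TYPE and rec_size >= MIN_HEADER_SIZE
                    and version == 0x00010000 and rec_size <= nbytes <= len(buf) - start):
                found.append((start, buf[start:start + nbytes]))
        pos = buf.find(EMF_SIGNATURE, pos + 1)
    return found


# Constructed spool-file fragment: a decoy " EMF" string, filler, the metafile, then trailing slack.
PREFIX = b"\x00" * 37 + b"junk EMF text that is not a header" + b"\xff" * 100
SAMPLE_SPOOL = PREFIX + build_sample_emf() + b"\x00" * 16
```

The decoy string is rejected because the 40 bytes before it do not form a header record with type 1, which is the check the hex-view procedure relies on the examiner to make by eye.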

Page 24

Case Example: Print Spooler Files

Print spooler evidence was the only evidence in a counterfeiting case in Orange County, California.

Department of Consumer Affairs examiners arrested a suspect for selling counterfeit state license certificates and seized his computer.

Although the examiners had seized some of the counterfeit certificates from victims, they were unable to locate evidence on the computer.

When the examiner requested a second view from the California Department of Insurance, Fraud Division, the Computer Forensic Team identified several deleted enhanced metafiles that exactly matched the paper copies that had been seized during the investigation.

The only evidence present on the drive was the enhanced metafiles. The defendant was convicted at trial.


Page 25

NTFS Log File

An artifact unique to an NTFS volume is the $LOGFILE

– created during the formatting of an NTFS volume

$LOGFILE keeps track of transactions and enables NTFS to recover from system crashes

– transaction: a set of operations that cause a change to file system data or to a volume’s directory structure

– The operations are treated as a set, or transaction, for the purpose of maintaining the integrity of the volume if a system failure occurs

– E.g. To delete a file, the necessary steps ($BITMAP file change to show clusters as unallocated, MFT record marked as deleted, deletion of index entry) are recorded in the $LOGFILE so that each step in a transaction can be executed again, or each step can be undone if a problem arises

– If a crash occurs, NTFS can recreate any transactions that completed and can undo or complete partially completed transactions

Page 26

NTFS Log File (Continued)

$LOGFILE is maintained by NTFS and its MAC times are not updated

Any information found in this file was put there because a transaction occurred

This carries weight since it verifies that the file was in some way used on the computer

It is common to locate several file names in the $LOGFILE that no longer exist anywhere else on the volume

– The recovery of file names with their associated dates and times can be relevant evidence

Page 27

NTFS Log File (Continued)

The $LogFile’s structure is not entirely clear outside MS!

Some of the information that may be located in the $LOGFILE:

– Index entries

– Index entries are folder entries

– Each entry describes one file including its name and MAC times

– Copy of MFT record

– MFT records all begin with ‘FILE’ followed by a hex value, usually ‘2a’

– These records are located by searching the $LOGFILE for this repeating pattern

– Link files

– Link files can be located by searching for the link file header within the $LOGFILE

Page 28

NTFS Log File (Continued)

Some general made-easy info about $LogFile

– The logging area consists of a sequence of 4KB log records

– Magic number is “RCRD”

– Each log record contains a sequence of variable-sized records

– Similarly for the “restart” area

– Magic number is “RSTR”
