Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802. Investigating Windows Systems.

Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA Investigating Windows Systems Learning by Doing Theory  Practice

Session Outline
– Forensic Mindset
– Investigative Questions
– Common File System Types
– Investigating Windows Systems
– Windows Registry
– Investigative and Case Management Tools

Learning Objectives
At the end of this module you will be able to:
– Describe the importance of the forensic mindset
– Describe common investigative questions
– Explain the basic steps in the forensic analysis process
– Discuss the forensic importance of the Windows Registry
– Demonstrate the case management functions of EnCase and FTK

Forensic Mindset
Digital Forensic Mindset, condensed definition:
– Using your skills to determine what has occurred or, what most likely occurred, as opposed to what is possible.
– You do NOT work for anyone but the TRUTH!
The tools used are not nearly as important as the person using them!
The examination should not occur in a vacuum. Find out all you can about what is already known.

Organizing the Investigation
Use your knowledge to examine the system to answer: could it have happened that way or not?
Don’t make it more complicated than it has to be; start with the obvious!
Examples:
– Check for programs that will cause you aggravation: encryption (PGP, Magic Folders, File Vault, EFS, etc.)

Organizing the Investigation
MAC (modified, accessed, created) time information: what was happening on the system during the time frame you are interested in? What was being “written”, “changed” or “accessed”?

Investigative Questions
One of the most common questions is: where on the Internet was it surfing? In the absence of managed server logs, use ?????? A great product (LE or Corp Security only) is IEHistory by Scott Ponder of Phillips Ponder Company.

Questions/Requests
Another very common request is to gather up all the e-mails, including the deleted ones, for the investigator to read. As always, this is done on the image or with hardware write protection.
Any communication is usually requested, and chat is being used more and more.
– MSN Chat does not store its chats by default. Newer versions do!
– AOL Instant Messenger.
– Encryption: Yahoo Messenger stores them on the local drive, but they are encrypted. Any ideas how to get around this?

Passwords & Encryption
#1 rule: if you don’t know the password, ask the person who does!
Are they lazy? Is there an easily obtained password that is used in both circumstances?
Access Data software (Password Recovery / Ultimate Tool Kit).
Is there a corporation that you can pay to have it done for you?

Where Do We Start?
Verify integrity of image
– MD5, SHA1, etc.
Recover deleted files & folders
Determine keyword list
– What are you searching for?
Determine time lines
– What is the time zone setting of the suspect system?
– What time frame is of importance?
– Graphical representation is very useful

Where Do We Start?
Examine directory tree
– What looks out of place?
– Stego tools installed
– Evidence scrubbers
Perform keyword searches
– Indexed
– Slack & unallocated space

Where Do We Start?
Search for relevant evidence types
– Hash sets can be useful
– Graphics
– Spreadsheets
– Hacking tools
– Etc.
Look for the obvious first
When is enough enough??
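The two hash-based steps on the “Where Do We Start?” slides, image integrity verification and hash-set triage, as an added worked example in Python (not part of the original slides and not EnCase or FTK code). It streams a file through MD5, SHA1 and SHA256 in one pass, compares the result against the digests recorded at acquisition, and sorts files into skip/flag/review by hash-set membership. The file names, contents and hash sets are constructed for the demo; in practice the recorded digests come from the acquisition log and the hash sets from a reference set of known files.

```python
"""Image integrity verification and hash-set triage (added example)."""
import hashlib
import hmac
import os
import tempfile


def hash_file(path, algorithms=('md5', 'sha1', 'sha256'), chunk_size=1 << 20):
    """Stream the file once and return {algorithm: hexdigest}.
    Chunked reading keeps memory flat even for very large images."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b''):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Recompute every digest listed in the acquisition record and compare.
    Returns {algorithm: bool}; any False means this is not the image that was
    acquired, and the examination should stop until that is explained."""
    computed = hash_file(path, algorithms=tuple(recorded))
    return {name: hmac.compare_digest(computed[name], recorded[name].lower())
            for name in recorded}


def triage(paths, known_good, known_bad, algorithm='md5'):
    """Classify files by hash-set membership.
    known_good: digests of files that can be skipped (OS / application files).
    known_bad:  digests of files that must be flagged (e.g. hacking tools).
    Everything else is 'review' and goes on to keyword search and manual review."""
    verdicts = {}
    for p in paths:
        digest = hash_file(p, algorithms=(algorithm,))[algorithm]
        if digest in known_bad:
            verdicts[p] = 'flag'
        elif digest in known_good:
            verdicts[p] = 'skip'
        else:
            verdicts[p] = 'review'
    return verdicts


def demo():
    """Constructed data: a three-byte 'image' plus a modified copy, and three
    small files standing in for an OS file, a hacking tool and a user document."""
    d = tempfile.mkdtemp()

    def put(name, content):
        p = os.path.join(d, name)
        with open(p, 'wb') as fh:
            fh.write(content)
        return p

    image = put('evidence.dd', b'abc')
    recorded = hash_file(image)                      # what the acquisition log would hold
    modified = put('evidence-modified.dd', b'abd')   # one byte changed
    os_file = put('notepad.exe', b'known good system file (constructed)')
    tool = put('hacktool.exe', b'known bad tool (constructed)')
    doc = put('memo.doc', b'unknown user document (constructed)')
    known_good = {hash_file(os_file)['md5']}
    known_bad = {hash_file(tool)['md5']}
    return {
        'recorded': recorded,
        'pristine_ok': verify_image(image, recorded),
        'modified_ok': verify_image(modified, recorded),
        'triage': {os.path.basename(p): v
                   for p, v in triage([os_file, tool, doc], known_good, known_bad).items()},
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(k, v)
```

Recording more than one digest at acquisition time is cheap (all hashers run over the same read) and means a later question about any single algorithm does not force a re-acquisition.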

Common File System Types
FAT (File Allocation Table):
– FAT 16: DOS; Windows 3.x; Windows 95.
– FAT 32: Windows 95 release 2, Windows 98, Windows Me, Windows 2000, Windows XP, Server.
NTFS (New Technology File System): Windows NT; Windows 2000; Windows XP; Server 2003.

FAT 16
Uses 16 bits in the file allocation table (FAT)
Two FATs (primary and backup)
Supports up to 4GB of volume space
Maximum file size of 2GB
Supports two partitions and 3 logical drives in the second partition.
Uses the 8.3 file naming convention
“/”, “\”, “[“, “]”, “|”, “ ”, “+”, “=“, “;”, “*” and “?” are illegal or invalid characters
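An added example (Python, not from the slides) that decodes raw FAT16 directory entries, which is where the 8.3 names, the 32-bit size field and deleted-file recovery on FAT come from: a deleted entry keeps its extension, size, first cluster and timestamps and only has the first name byte overwritten with 0xE5. The entries are constructed in the block with a small packing helper rather than read from a real volume; the layout, attribute bit and DOS date/time packing follow the FAT on-disk format.

```python
"""Decode 32-byte FAT16 directory entries and flag deleted ones (added example)."""
import struct
from datetime import datetime

# On-disk layout of one directory entry (little-endian, 32 bytes).
ENTRY_FMT = '<8s3sBBBHHHHHHHI'
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32

# Characters the slide lists as illegal in 8.3 names, plus the others FAT rejects.
ILLEGAL_CHARS = set('/\\[]|+=;*?') | set(' ":<>,')
ATTR_DIRECTORY = 0x10


def is_valid_83(name):
    """True if name fits the 8.3 convention: 1-8 character base, optional
    1-3 character extension, no illegal characters (case is not significant)."""
    base, dot, ext = name.partition('.')
    if not 1 <= len(base) <= 8 or (dot and not 1 <= len(ext) <= 3):
        return False
    return '.' not in ext and not any(c in ILLEGAL_CHARS for c in base + ext)


def unpack_dos_datetime(date, time):
    """DOS date: (year-1980)<<9 | month<<5 | day.
    DOS time: hour<<11 | minute<<5 | second//2 (2-second granularity)."""
    month, day = (date >> 5) & 0x0F, date & 0x1F
    if month == 0 or day == 0:            # all-zero fields mean 'not recorded'
        return None
    return datetime(1980 + (date >> 9), month, day,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def pack_dos_datetime(dt):
    """Inverse of unpack_dos_datetime; used here only to build sample entries."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time


def decode_entry(raw):
    """Return a dict for one entry, or None for the end-of-directory marker."""
    (name, ext, attr, _reserved, _ctenth, ctime, cdate, adate,
     hi_cluster, wtime, wdate, lo_cluster, size) = struct.unpack(ENTRY_FMT, raw)
    if name[0] == 0x00:
        return None
    deleted = name[0] == 0xE5
    base = name.decode('ascii', 'replace').rstrip(' ')
    if deleted:
        # Only the first character was overwritten; everything else is intact.
        base = '?' + base[1:]
    extension = ext.decode('ascii', 'replace').rstrip(' ')
    return {
        'name': base + ('.' + extension if extension else ''),
        'deleted': deleted,
        'directory': bool(attr & ATTR_DIRECTORY),
        'attributes': attr,
        # hi_cluster is used by FAT32 only; it is zero on FAT16 volumes.
        'first_cluster': (hi_cluster << 16) | lo_cluster,
        'size': size,
        'created': unpack_dos_datetime(cdate, ctime),
        'modified': unpack_dos_datetime(wdate, wtime),
        'accessed': unpack_dos_datetime(adate, 0),
    }


def decode_directory(blob):
    """Walk a raw directory (a cluster dump) until the 0x00 end marker."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = decode_entry(blob[off:off + ENTRY_SIZE])
        if entry is None:
            break
        entries.append(entry)
    return entries


def build_entry(base, ext, attr, first_cluster, size, modified, deleted=False):
    """Pack a constructed entry (sample input only, not read from a real disk)."""
    name = base.encode('ascii').ljust(8)
    if deleted:
        name = b'\xE5' + name[1:]
    date, time = pack_dos_datetime(modified)
    return struct.pack(ENTRY_FMT, name, ext.encode('ascii').ljust(3), attr, 0, 0,
                       time, date, date, 0, time, date, first_cluster, size)


# Constructed sample directory: one live file, one deleted file, end marker.
SAMPLE_DIRECTORY = (
    build_entry('REPORT', 'DOC', 0x20, 5, 2048, datetime(2003, 6, 17, 10, 30, 0))
    + build_entry('SECRET', 'TXT', 0x20, 9, 512, datetime(2003, 6, 16, 23, 59, 58), deleted=True)
    + b'\x00' * ENTRY_SIZE
)

if __name__ == '__main__':
    for e in decode_directory(SAMPLE_DIRECTORY):
        print(e)
```

The surviving first cluster and size of a deleted entry are what a recovery tool uses to carve the file back out; the first name character is gone for good and has to be guessed or left as a wildcard.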

NTFS
Long file name support
Ability to handle large storage devices
Built-in security controls
POSIX support
Volume striping
File compression
Master file table (MFT)

Investigating Windows Systems
User/Systems/Data (intentionally created):
– User profiles
– Program files
– Temporary files (temp files)
– Special application-level files: Internet history, e-mail.
Artifacts (generated by the system):
– Metadata
– Windows system registry
– Event logs or log files
– Swap files
– Printer spool
– Recycle bin

Windows Registry
A central hierarchical database that stores the information necessary to configure the system for one or more users, applications and hardware devices.
Replaces AUTOEXEC.BAT, CONFIG.SYS and INI files.
First introduced in Windows 3.1 for storing OLE settings (pre-1995).

Windows Registry
Wealth of investigative information:
– Registered Owner
– Registered Organization
– Shutdown Time
– Recent DOCS
– Most Recently Used (MRU) List
– Typed URLs
– Previous Devices Mounted
– Software Installed

Registry Tools
Registry Reader: AccessData
EnCase
Windows
– Regedit
– Regedt32
Freeware tools
– Never work on the original
– Make a copy

Windows Registry
There are five root keys:
– HKEY_CLASSES_ROOT (HKCR)
– HKEY_CURRENT_USER (HKCU)
– HKEY_LOCAL_MACHINE (HKLM)
– HKEY_USERS (HKU)
– HKEY_CURRENT_CONFIG (HKCC)

Registry Architecture
Two are “Master” keys:
– HKEY_LOCAL_MACHINE (HKLM): configuration data describing the hardware and software installed on the computer
– HKEY_USERS (HKU): configuration data for each user that logs into the computer

Registry Architecture
Three are derived from the “Master” keys:
– HKEY_CLASSES_ROOT: file associations and OLE
– HKEY_CURRENT_USER: the currently logged-on user
– HKEY_CURRENT_CONFIG: the current hardware profile

HKEY_CLASSES_ROOT: from HKLM\Software\Classes

HKEY_CURRENT_USER: from HKU\<SID of current user>

HKEY_CURRENT_CONFIG: from HKLM\System\CurrentControlSet\Hardware Profiles\Current

The Windows Registry
Dial-up Accounts:
– HKEY_CURRENT_USER\RemoteAccess\Addresses
Dial-up Account Usernames:
– HKEY_CURRENT_USER\RemoteAccess\Profile\[isp_name]
RegisteredOwner/Organization, Version, VersionNumber, ProductKey, ProductID, ProductName:
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
MSN Messenger Info:
– HKEY_CURRENT_USER\Identities\{string}\Software\Microsoft\Messenger Service
– HKEY_CURRENT_USER\Software\Microsoft\MessengerService

The Windows Registry
Outlook Express User Info (e-mail, newsgroups, etc.):
– HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts
– HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\ x
Internet Explorer history settings length:
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLHistory
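Added example (Python, not from the slides and not AccessData or EnCase code) for the registry material above: a parser for the .reg exports that Regedit produces, which is the form in which keys copied out of a working copy of the hives often end up in a case file; the mapping of the three derived root keys back to their master-key locations exactly as the slides give it (HKCU to HKU\<SID>); and a decoder for the 8-byte FILETIME that REG_BINARY timestamps such as the shutdown time use. The sample export is constructed: the RegisteredOwner key path is the one the slides list, the ShutdownTime and TypedURLs locations are well-known registry locations that the slides name only by value, the remaining key and values are made up, and the SID is a placeholder.

```python
"""Parse regedit (.reg) exports, resolve derived root keys, decode FILETIME (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample export (values made up; see lead-in for which paths are real).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="J. Doe"
"RegisteredOrganization"="Example Corp"
"ProductName"="Microsoft Windows XP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"ShutdownTime"=hex:00,40,6d,25,eb,\
  53,bf,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example/"
"url2"="http://www.example.org/"

[HKEY_CURRENT_USER\Software\Example\Constructed]
"RunCount"=dword:0000002a
"InstallPath"="C:\\Program Files\\Example"
'''

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
ROOT_ALIASES = {'HKCR': 'HKEY_CLASSES_ROOT', 'HKCU': 'HKEY_CURRENT_USER',
                'HKLM': 'HKEY_LOCAL_MACHINE', 'HKU': 'HKEY_USERS',
                'HKCC': 'HKEY_CURRENT_CONFIG'}


def _unquote(s):
    # Strip the quotes and undo regedit's escapes (backslash-backslash, backslash-quote).
    return re.sub(r'\\(.)', r'\1', s[1:-1])


def _decode_value(raw):
    if raw.startswith('"'):                        # REG_SZ
        return _unquote(raw)
    if raw.startswith('dword:'):                   # REG_DWORD, eight hex digits
        return int(raw[len('dword:'):], 16)
    if raw.startswith('hex'):                      # hex: (REG_BINARY) or hex(N): (other types)
        data = raw.partition(':')[2]
        return bytes(int(b, 16) for b in data.split(',') if b.strip())
    raise ValueError('unsupported value syntax: %r' % raw)


def parse_reg(text):
    """Return {key_path: {value_name: value}}; the default value is named ''."""
    # Long hex values wrap with a trailing ',\'; join them before parsing.
    text = re.sub(r',\\\r?\n\s*', ',', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (not line or line.startswith(';')
                or line.startswith('Windows Registry Editor') or line.upper() == 'REGEDIT4'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            raise ValueError('malformed line: %r' % line)
        name = '' if m.group(1) == '@' else _unquote(m.group(1))
        keys[current][name] = _decode_value(m.group(2))
    return keys


def resolve_root(path, user_sid):
    # Map a path under a derived root key to where the data actually lives,
    # following the slides: HKCR -> HKLM\Software\Classes, HKCU -> HKU\<SID>,
    # HKCC -> HKLM\System\CurrentControlSet\Hardware Profiles\Current.
    root, sep, rest = path.partition('\\')
    root = ROOT_ALIASES.get(root.upper(), root.upper())
    derived = {
        'HKEY_CLASSES_ROOT': r'HKEY_LOCAL_MACHINE\Software\Classes',
        'HKEY_CURRENT_USER': 'HKEY_USERS\\' + user_sid,
        'HKEY_CURRENT_CONFIG': r'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current',
    }
    return derived.get(root, root) + (sep + rest if rest else '')


def filetime_to_datetime(blob):
    """FILETIME: 64-bit little-endian count of 100 ns ticks since 1601-01-01 UTC."""
    if len(blob) != 8:
        raise ValueError('FILETIME is 8 bytes, got %d' % len(blob))
    ticks = int.from_bytes(blob, 'little')
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def shutdown_time(keys):
    """ISO-8601 last-shutdown time from a parsed export, or None if absent."""
    key = keys.get(r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows', {})
    blob = key.get('ShutdownTime')
    return filetime_to_datetime(blob).isoformat() if blob else None


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    print('last shutdown:', shutdown_time(parsed))
    print(resolve_root(r'HKCU\Software\Microsoft\MessengerService', 'S-1-5-21-PLACEHOLDER-1001'))
```

Working from an export of a copied hive rather than the live registry is what the “never work on the original” rule on the Registry Tools slide amounts to in practice; the SID needed to resolve HKCU is whichever user profile the examiner is looking at.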

Automated Tools
Easier case management.
Keyword searching includes slack/residue and other unallocated areas of disk space.
Ability to use hash sets of known system files to minimize keyword search times.
Ability to use hash sets to search for known files such as child porn, root kits or whatever you want to hash and find quickly.
Unicode and ANSI compatible
– Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.
– Needed for foreign language support
Etc.
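Added example (Python, not from the slides or from any tool vendor) of the keyword search the slide describes: scanning raw image bytes, allocated or not, for each term in both its ANSI (single-byte) and Unicode (UTF-16LE) forms, plus a streaming variant that carries a short tail across chunks so a hit straddling a chunk boundary is neither missed nor reported twice. The sample image bytes are constructed.

```python
"""ANSI + Unicode keyword search over raw image bytes, with chunked streaming (added example)."""
import os
import tempfile
from collections import namedtuple

Hit = namedtuple('Hit', 'keyword encoding offset length context')
ENCODINGS = (('ANSI', 'latin-1'), ('Unicode', 'utf-16-le'))


def keyword_search(data, keywords, context=12):
    """Case-insensitive search of an in-memory buffer. bytes.lower() changes
    only ASCII letters, so offsets in the lowered copy equal offsets in data."""
    haystack = data.lower()
    hits = []
    for kw in keywords:
        for label, codec in ENCODINGS:
            needle = kw.encode(codec).lower()
            pos = haystack.find(needle)
            while pos >= 0:
                hits.append(Hit(kw, label, pos, len(needle),
                                data[max(0, pos - context):pos + len(needle) + context]))
                pos = haystack.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def search_file(path, keywords, chunk_size=1 << 20, context=12):
    """Stream a large image. Each buffer is the previous buffer's tail (one byte
    shorter than the longest needle) plus the next chunk, so a hit split across
    two chunks is still seen; a hit lying entirely inside the carried tail was
    already reported from the previous buffer and is skipped."""
    overlap = max(len(kw.encode('utf-16-le')) for kw in keywords) - 1
    hits, carry, base = [], b'', 0
    with open(path, 'rb') as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = carry + chunk
            for h in keyword_search(buf, keywords, context):
                if h.offset + h.length > len(carry):
                    hits.append(h._replace(offset=base - len(carry) + h.offset))
            base += len(chunk)
            carry = buf[-overlap:] if overlap else b''
    return hits


# Constructed "image": unallocated zeros, an ANSI memo fragment, more zeros,
# a UTF-16LE file name as Windows would store it, then filler bytes.
SAMPLE_IMAGE = (b'\x00' * 64
                + b'memo: transfer to OFFSHORE account today\r\n'
                + b'\x00' * 32
                + 'Offshore Account.xls'.encode('utf-16-le')
                + b'\xff' * 16)


def demo(chunk_size=50):
    """Return (offsets from in-memory search, offsets from chunked file search);
    the tiny chunk size forces the Unicode hit to straddle a chunk boundary."""
    in_memory = keyword_search(SAMPLE_IMAGE, ['offshore'])
    path = os.path.join(tempfile.mkdtemp(), 'sample.dd')
    with open(path, 'wb') as fh:
        fh.write(SAMPLE_IMAGE)
    streamed = search_file(path, ['offshore'], chunk_size=chunk_size)
    return ([(h.offset, h.encoding) for h in in_memory],
            [(h.offset, h.encoding) for h in streamed])


if __name__ == '__main__':
    for h in keyword_search(SAMPLE_IMAGE, ['offshore', 'account']):
        print(h.encoding, h.offset, h.context)
```

Searching the raw bytes rather than walking the file system is what makes slack and unallocated space visible to the search; the cost is that every hit still has to be mapped back to a file (or to no file) afterwards.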

EnCase Forensic Tools
Supports “bit stream acquisitions” in three ways:
#1 – drive to drive in a DOS environment, loading its own drive-lock TSR.
#2 – drive to drive in a Windows environment using a hardware drive locker (“Fastbloc” or others).

EnCase Forensic Tools

#3 – computer to computer using a crossover network cable: EnCase for DOS loaded from a diskette with write-protect software on the suspect’s computer, EnCase for Windows on the forensic examiner’s computer.

Forensic Toolkit: Access Data

Forensic Toolkit

Summary
Computer forensics is not a piece of software.
The forensic mindset is paramount.
The Windows Registry is a treasure chest of forensic information.
You will need several tools in your forensic toolbox.