Lecture 7 Forensic Analysis of Windows Systems (contd.)

Lecture 7: Forensic Analysis of Windows Systems (contd.)
Prof. Shamik Sengupta, Office 4210N
ssengupta@jjay.cuny.edu
http://jjcweb.jjay.cuny.edu/ssengupta/
Fall 2010

What we will cover today
- Forensic analysis of Windows systems
  - Registry
  - Time zone
  - Print spool

Windows Registry
- What is the registry?
  - Think of it as a large database of settings and information
  - Settings for the computer, applications, services, security and users
- Microsoft definition: "A central hierarchical database used to store information that is necessary to configure the system for one or more users, applications and hardware devices."

Registry Files
- The Windows registry is a repository for configuration information
- On Windows 95/98, the registry is comprised of the files windows\system.dat, windows\user.dat, etc.
- On Windows NT/2000 onward, it consists of several hive files located in systemroot\system32\config, plus ntuser.dat
- The registry holds information about many aspects of the system in "separate compartments"
- It can be viewed with regedit or regedt32 from the command line
- It can be viewed using EnCase

A snapshot of the Registry using regedit (screenshot slide)

Registry Hives
- Windows Registry: four main system hives
  - Software (HKEY_LOCAL_MACHINE\Software)
  - System (HKEY_LOCAL_MACHINE\System)
  - Security (HKEY_LOCAL_MACHINE\Security)
  - SAM (HKEY_LOCAL_MACHINE\SAM)
  - Often grouped together as HKLM
- User hive
  - HKEY_USERS\... (HKU)

Hives

Subtree                          Filename
HKEY_LOCAL_MACHINE\System        Windows\system32\config\System
HKEY_LOCAL_MACHINE\Software      Windows\system32\config\Software
HKEY_LOCAL_MACHINE\Security      Windows\system32\config\Security
HKEY_LOCAL_MACHINE\SAM           Windows\system32\config\SAM

Subtree                          Filename
HKU\[…]                          NTUSER.DAT (in \documents and settings…), one for each user

User Hive
- When Windows loads a user profile, the OS loads the hive file into the HKEY_USERS subtree
- For the current user, Windows links HKEY_CURRENT_USER (HKCU) to HKU\SID
- Use EnCase to mount your NTUSER.dat
  - Find the Internet Explorer homepage for this user account

Closing a mounted Registry Hive
- Closing a mounted registry hive is important!
  - If you mount all the hives and save your case, the case will take a long time to open next time
  - A mounted hive uses extra RAM on your computer
- How to close?
  - Select the "Devices" tab
  - You will see the mounted hives in the table pane
  - Right-click on the hive and select "Close"

Time Zone information
- When conducting a forensic investigation on a computer, it is critical to determine the time zone settings of hard drives that have the Windows OS installed
- How to find the time zone settings: use Registry information
- Which hive contains this info?

System Registry Hive
- Mount the System hive

System Hive (screenshot slide)

Now pause and look into the System Hive
- There are a lot of folders, and possibly several "ControlSet" folders
- What are these ControlSet folders?
  - A control set contains system configuration information such as device drivers and services
  - Several instances of control sets appear when viewing the Registry
  - Some are duplicates or mirror images of others and some are unique, depending on how often you change system settings or have problems with the settings you choose
  - A typical installation of Windows may contain two to four:
    \ControlSet001
    \ControlSet002
    \CurrentControlSet
    \Clone

ControlSet folders
- A typical installation of Windows may contain two to four:
  \ControlSet001
  \ControlSet002
  \CurrentControlSet
  \Clone
- ControlSet001 may be the last control set you booted with
- ControlSet002 could be what is known as the last known good control set, i.e. the control set that last successfully booted Windows
- The CurrentControlSet subkey is just a pointer to one of the ControlSetXXX keys
- Clone is a clone of CurrentControlSet, and is created each time you boot your computer
- How will you know which folder is for what?
  - To understand how these control sets are used, we need to look at another subkey: "Select"

Select
- Select is also under the SYSTEM key
- Select contains the following values:
  - Current
  - Default
  - Failed
  - LastKnownGood
- Each of these values is of the REG_DWORD data type and refers to a specific control set
  - For example, if the Current value is set to 0x1, then CurrentControlSet is pointing to ControlSet001
- Failed refers to a control set that was unable to boot Windows NT successfully
- The Default value usually agrees with Current

Viewing Select (screenshot slide)

Time zone information (screenshot slide)

Time zone information
- Bias: minutes offset from GMT for the time zone setting (32-bit int), e.g. 300
- ActiveTimeBias: minutes offset from GMT for the current time setting (32-bit int), e.g. 240
- DaylightBias: minutes offset from the Bias for the DST setting (32-bit int), e.g. -60
- StandardBias: minutes offset from the Bias for standard time (usually 0)
- DaylightName: name of the time zone DST setting (Unicode)
- StandardName: name of the standard time zone setting (Unicode)

Time zone information
- DaylightStart, StandardStart
  - Format: 8 fields, each a 16-bit integer (2 bytes):
    2-byte pad (00 00), Month, Week, Hour, Minutes, Seconds, Milliseconds, Day
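The two registry lookups the slides describe (resolving the Select values to a ControlSet key, then decoding the TimeZoneInformation values and applying ActiveTimeBias to a local timestamp) worked through in code. This is an added example, not code from the lecture; the Select and TimeZoneInformation values are constructed samples using the slides' numbers, and the DaylightStart/StandardStart bytes are unpacked in the SYSTEMTIME field order (year pad, month, day of week, week of month, hour, minute, second, millisecond).

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: the raw little-endian REG_DWORD data of the four
# SYSTEM\Select values (not copied from a real system).
SELECT_VALUES = {
    "Current": b"\x01\x00\x00\x00",
    "Default": b"\x01\x00\x00\x00",
    "Failed": b"\x00\x00\x00\x00",
    "LastKnownGood": b"\x02\x00\x00\x00",
}

# Constructed TimeZoneInformation values for a zone 5 hours west of GMT with
# DST in effect, matching the example numbers on the slides.
TZ_VALUES = {
    "Bias": 300, "ActiveTimeBias": 240, "DaylightBias": -60, "StandardBias": 0,
    # 8 little-endian 16-bit fields in SYSTEMTIME order: year (always 0),
    # month, day of week, week of month, hour, minute, second, millisecond
    "DaylightStart": bytes.fromhex("00000300000002000200000000000000"),
    "StandardStart": bytes.fromhex("00000b00000001000200000000000000"),
}

DAY_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]

def resolve_control_sets(select_values):
    """Map each Select value to the ControlSetNNN key it points at (0 means none)."""
    result = {}
    for name, raw in select_values.items():
        number = struct.unpack("<I", raw)[0]
        result[name] = "ControlSet%03d" % number if number else None
    return result

def decode_transition(raw):
    """Unpack a DaylightStart/StandardStart value into named fields."""
    _year, month, dow, week, hour, minute, second, ms = struct.unpack("<8H", raw)
    return {"month": month, "day_of_week": DAY_NAMES[dow], "week": week,
            "hour": hour, "minute": minute, "second": second, "millisecond": ms}

def active_period(tz):
    """Report whether ActiveTimeBias matches the standard or DST offset (None if neither)."""
    if tz["ActiveTimeBias"] == tz["Bias"] + tz["StandardBias"]:
        return "standard"
    if tz["ActiveTimeBias"] == tz["Bias"] + tz["DaylightBias"]:
        return "daylight"
    return None

def local_to_utc(local_iso, active_bias_minutes):
    """Registry biases are UTC minus local time, so UTC = local + ActiveTimeBias."""
    utc = datetime.fromisoformat(local_iso) + timedelta(minutes=active_bias_minutes)
    return utc.replace(tzinfo=timezone.utc).isoformat()
```

With the sample values, active_period reports "daylight", so a local file time of 10:00 on the seized machine corresponds to 14:00 UTC.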

Printing
- Printing involves a spooling process whereby the sending of data to a printer is delayed
  - The delay allows the application program to remain responsive to the user
  - The printing takes place in the background
- Print spooling is accomplished by creating temporary files that contain both the data to be printed and sufficient information to complete the print job
- Files with the extensions .SPL and .SHD are created for each job
  - The .SHD file is a 'shadow' file that contains information about the print job, including the owner, the printer, the name of the file printed and the printing method (EMF or RAW)
  - In RAW format, the .SPL file contains the data to be printed
  - In EMF format, the .SPL file contains the name of the file printed, the method and a list of files that contain the data to be printed
- The .SHD and .SPL files are deleted after the print job completes

Printing (Continued)
- In Windows, the spool files are kept in <system folder>\system32\spool\printers
- The .SPL and .SHD files contain the name of the file to be printed, including its fully qualified path
  - The path may suggest that other media containing evidence exist
- If the original file that the user printed does not exist on the seized evidence, the file may be found in enhanced metafile format
  - While in Hex view, locate the letters "EMF" in the right part of the view pane
  - Starting from the byte just prior to "E", select 41 bytes backwards
  - Right-click on the highlighted area and view it as a picture
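The manual "find EMF, select 41 bytes backwards" step above works because the enhanced metafile header stores its " EMF" signature at offset 40 of the header record. The following added example (not from the lecture) automates that carve over a spool-file blob: it locates each signature, steps back to the record start, and keeps only candidates whose first record is a valid EMR_HEADER. The spool blob and the minimal EMF inside it are constructed here, not taken from a real print job.

```python
import struct

EMF_SIGNATURE = b" EMF"   # ENHMETAHEADER.dSignature, always at offset 40 of the header
SIGNATURE_OFFSET = 40
EMR_HEADER = 1            # iType of the first record in every EMF file
EMR_EOF = 14
HEADER_SIZE = 88          # basic ENHMETAHEADER without description/pixel-format extensions

def build_sample_emf():
    """Constructed minimal EMF: an ENHMETAHEADER followed by one EMR_EOF record."""
    total = HEADER_SIZE + 20
    hdr = struct.pack("<II", EMR_HEADER, HEADER_SIZE)           # iType, nSize
    hdr += struct.pack("<4i", 0, 0, 99, 99)                     # rclBounds (device units)
    hdr += struct.pack("<4i", 0, 0, 2600, 2600)                 # rclFrame (0.01 mm units)
    hdr += EMF_SIGNATURE                                        # lands at offset 40
    hdr += struct.pack("<IIIHHII", 0x10000, total, 2, 1, 0, 0, 0)  # version, nBytes, nRecords,
    hdr += struct.pack("<I", 0)                                 # nHandles, reserved, desc; nPalEntries
    hdr += struct.pack("<iiii", 1024, 768, 320, 240)            # szlDevice, szlMillimeters
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)         # EMR_EOF record
    return hdr + eof

def build_sample_spool():
    """Constructed .SPL-like blob: 50 bytes of filler, the EMF, then trailing bytes."""
    return b"\x00" * 50 + build_sample_emf() + b"\xff" * 16

def carve_emf(blob):
    """Return (offset, bytes) for every EMF whose ' EMF' signature and header check out."""
    found = []
    pos = blob.find(EMF_SIGNATURE)
    while pos != -1:
        start = pos - SIGNATURE_OFFSET
        if start >= 0 and start + HEADER_SIZE <= len(blob):
            itype, nsize = struct.unpack_from("<II", blob, start)
            nbytes = struct.unpack_from("<I", blob, start + 48)[0]   # ENHMETAHEADER.nBytes
            # Sanity checks: first record must be EMR_HEADER and the file must fit in the blob
            if (itype == EMR_HEADER and nsize >= HEADER_SIZE
                    and nbytes >= nsize and start + nbytes <= len(blob)):
                found.append((start, blob[start:start + nbytes]))
        pos = blob.find(EMF_SIGNATURE, pos + 1)
    return found
```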

Case Example: Print Spooler Files
Print spooler evidence was the only evidence in a counterfeiting case in Orange County, California. Department of Consumer Affairs examiners arrested a suspect for selling counterfeit state license certificates and seized his computer. Although the examiners had seized some of the counterfeit certificates from victims, they were unable to locate evidence on the computer. When the examiner requested a second view from the California Department of Insurance, Fraud Division, the Computer Forensic Team identified several deleted enhanced metafiles that exactly matched the paper copies that had been seized during the investigation. The only evidence present on the drive was the enhanced metafiles. The defendant was convicted at trial.

NTFS Log File
- An artifact unique to an NTFS volume is the $LOGFILE, created when the NTFS volume is formatted
- $LOGFILE keeps track of transactions and enables NTFS to recover from system crashes
  - Transaction: a set of operations that cause a change to file system data or to a volume's directory structure
  - The operations are treated as a set, or transaction, for the purpose of maintaining the integrity of the volume if a system failure occurs
  - E.g., to delete a file, the necessary steps ($BITMAP changed to show the clusters as unallocated, MFT record marked as deleted, deletion of the index entry) are recorded in the $LOGFILE so that each step in the transaction can be executed again, or each step can be undone if a problem arises
- If a crash occurs, NTFS can recreate any transactions that completed and can undo or complete partially completed transactions

NTFS Log File (Continued)
- $LOGFILE is maintained by NTFS and its MAC times are not updated
- Any information found in this file was put there because a transaction occurred
  - This carries weight, since it verifies that the file was in some way used on the computer
- It is common to locate several file names in the $LOGFILE that no longer exist anywhere else on the volume
- The recovery of file names with their associated dates and times can be relevant evidence

NTFS Log File (Continued)
- The structure of $LogFile is not entirely clear outside Microsoft!
- Some of the information that may be located in the $LOGFILE:
  - Index entries
    - Index entries are folder entries
    - Each entry describes one file, including its name and MAC times
  - Copies of MFT records
    - MFT records all begin with 'FILE' followed by a hex value, usually '2a'
    - These records are located by searching the $LOGFILE for this repeating pattern
  - Link files
    - Link files can be located by searching for the link file header within the $LOGFILE

NTFS Log File (Continued)
- Some general, simplified information about $LogFile
  - The logging area consists of a sequence of 4 KB log records
    - Magic number is "RCRD"
    - Each log record contains a sequence of variable-sized records
  - Similarly for the "restart" area
    - Magic number is "RSTR"
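The two $LOGFILE techniques above (walking the file as 4 KB pages by their RSTR/RCRD magic, then searching RCRD pages for the repeating 'FILE' pattern that marks copied MFT records) as one added example, not code from the lecture. The $LogFile image is constructed here rather than taken from a real volume; the check accepts the 0x2A update-sequence offset named on the slides and the 0x30 value used by newer NTFS versions, and it does not undo the per-sector update-sequence fixups a real page carries.

```python
import struct

PAGE_SIZE = 4096
PAGE_KINDS = {b"RSTR": "restart", b"RCRD": "record"}
# Update sequence array offset following 'FILE': 0x2A (per the slides) or 0x30 in newer NTFS
MFT_USA_OFFSETS = (0x2A, 0x30)

def build_sample_logfile():
    """Constructed $LogFile image: two restart pages, then record pages, one of which holds
    a stale copy of an MFT record header for a file that no longer exists on the volume."""
    def page(magic, payload=b""):
        body = magic + payload
        return body + b"\x00" * (PAGE_SIZE - len(body))
    mft_copy = (b"FILE" + struct.pack("<H", 0x2A) + b"\x00" * 10
                + "deleted.docx".encode("utf-16-le"))
    return (page(b"RSTR") + page(b"RSTR") + page(b"RCRD")
            + page(b"RCRD", b"\x00" * 100 + mft_copy) + page(b"RCRD"))

def scan_pages(image):
    """Classify every 4 KB page by its magic number; anything else is reported as unknown."""
    return [(off, PAGE_KINDS.get(image[off:off + 4], "unknown"))
            for off in range(0, len(image) - len(image) % PAGE_SIZE, PAGE_SIZE)]

def find_mft_record_copies(image):
    """Return image offsets of 'FILE' signatures inside RCRD pages whose following 16-bit
    field is a plausible update-sequence offset, i.e. likely copies of MFT records."""
    hits = []
    for off, kind in scan_pages(image):
        if kind != "record":
            continue
        page = image[off:off + PAGE_SIZE]
        pos = page.find(b"FILE")
        while pos != -1:
            if pos + 6 <= PAGE_SIZE and struct.unpack_from("<H", page, pos + 4)[0] in MFT_USA_OFFSETS:
                hits.append(off + pos)
            pos = page.find(b"FILE", pos + 1)
    return hits
```

Each returned offset is where an examiner would start decoding a 1 KB MFT record (file name attribute, MAC times) that may describe a file no longer present in the live MFT.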