Presentation is loading. Please wait.

Presentation is loading. Please wait.

"Q: How many MS programmers does it take to change a light bulb?

Published byวัฒนา ติณสูลานนท์ Modified over 5 years ago

Similar presentations

Presentation on theme: ""Q: How many MS programmers does it take to change a light bulb?"— Presentation transcript:

1 "Q: How many MS programmers does it take to change a light bulb?
Windows Internals "Q: How many MS programmers does it take to change a light bulb? A: 2,304. One to write WinCheckLightBulbStatus, one to write WinGripLightBulb..."

2 In This Presentation Recycle Bin Windows Explorer Shortcut Files
Prefetch Thumbcache Scheduled Tasks

3 Windows Internals The windows operating system has many, many components. Many components require saving some state information. Windows offers extensive configuration options and many quality of life user features. Supporting these features also requiresstoring extensive state information. Think about programs you have written and how much information you had to store to enable even simple configuration options. Provides a wealth of information to investigators. But also gives malware authors more places to hide.

4 Recycle Bin The recycle bin is a staging area for deleting files.
Users might misclick. Or users may discover at a later date they still need a file. Thus files are moved into the recycle bin before being “permanently” deleted. By now we know deletion is less complete than many realize. The recycle bin contains the deleted files and metadata necessary to restore them to their original paths. Windows can be configured to bypass the recycle bin. The recycle bin folder is $Recycle.Bin on the disk.

5 Recycle Bin Operations
When a file is deleted through the Windows Explorer shell: By default it is moved into a Recycle Bin subfolder. Subfolder is named with the user’s Security Identifier (SID) File renamed to start with “$R”, followed by six characters, and ending with the file’s original extension. Generates a corresponding index file beginning with “$I”, the matching six letters as the “$R” file, and then matching extension.

6 Recycle Bin Index Files
Size of 544 bytes. Bytes 0-7: Header Btes 8-15: Original File Size in little-endian format. Bytes 16-23: 64-fit FILETIME object for when file was deleted. Bites : Name and path of original file in Unicode format.

7 Another Index File Example
$I file header: 0x Actual file size in bytes: = KB Deletion Date: Mon, 16 Feb :20:37 UTC FIle Location and Name: C:\Users\AymanT\Desktop\System

8 Windows Explorer Shortcut Files
A file containing a pointer to another specific file in the file system. User Created: Manually created with location and target location specified by the user. Commonly found on the desktop.

9 Windows Explorer Shortcut Files
Windows Created: Will be created and stored if the user has opened data or media files in the system. Locations: <System Volume>\Users\<User Name\AppData\Roaming\Microsoft\Windows\Recent <System Volume>\Users\<User Name\AppData\Roaming\Microsoft\Office\Recent These link files will persist even if the originale system file was deleted. Prove a specific file was opened even if original file was deleted or existed on external media. If creation time of the shortcut file and it’s modified time match, can presume file was opened only once from the location specified in the file.

10 Windows Explorer Shortcut Files
These link files will persist even if the originale system file was deleted. Prove a specific file was opened even if original file was deleted or existed on external media. If creation time of the shortcut file and it’s modified time match, can presume file was opened only once from the location specified in the file.

11 The .lnk file contains: File contains MAC times of the target
Shell Item list of the target Size of target Serial # of volume target stored on Useful for correlating with removable media Network volume share name MAC address of host computer (sometimes) Attributes, including read-only, system, volume label, encryption, sparse, compressed, offline, etc. Distributed link tracking information

12 Lnk file specs Forensics Wiki - https://forensicswiki.org/wiki/LNK
The Windows Shortcut File Format by Jesse Hager - downloads/v2/code.google.com/8bits/The_Windows_Shortcut_File_For mat.pdf Might not be 100% accurate these days.

13 Lnk file tools: Liblnk https://github.com/libyal/liblnk/

14 Lnk file tools: Exiftool See right -> Others
Lnk - om/EricZimmer man/Lnk/ lnk-parse - om/lcorbasson/ lnk-parse

15 Prefetch Files Application prefetching exists to speed up application startup times. Windows monitors the application’s behavior as it launches. Windows then “prefetches” the necessary code and data to a single location. Prevents the system from seeking across system files for DLLs and other needed data. Stored in the <SystemPartition>\Windows\Prefetch directory.

16 Prefetch Files Individual files are named “[original file name]-[hashvalue].pf” Hash calculated from path to application, arguments used, and other values. Maximum storage: Win 8+: 1024 files Win XP - 7: 128 files

17 Prefetch File Contents
Application name Date application was last launched Usually holds the last 8 times. Run Count Volume from which the application launched. Includes volume creation date and serial number. List of DLLs and other files accessed by the application during first 10 seconds of runtime. Format changes from version to version of windows and sometimes based on the service pack.

18 Prefetch File Detailed Specs
Forensics wiki Documentation from libscca project dows%20Prefetch%20File%20(PF)%20format.asciidoc

19 Prefetch Forensics Value
Malware is an application. Running malware often causes Windows to generate a prefetch file. Prefetch will show us many locations accessed by the malware. Find where it alters values or hides files. Identify it as malware if files accessed are suspicious. Most applications don’t access many, if any, .dat or .bat files. Though IE does. Or because it ran from an unusual path like “Temp” or the “Temporary Internet Files” folder. The prefetch file is an artifact that can survive self-deletion of a malware dropper.

20 Reading Prefetch Files
libscca: Nirsoft’s Prefetch View (run in WINE): Your favorite hex editor

21 Thumbcache Created when the user uses the Thumbnails or Filmstrip folder viewing options. Stores small thumbnail versions of the pictures created by this view mode in Thumbcache.db files.

22 Thumbcache Stored in <System Volume>\Users\<User Name>\AppData\Local\Microsoft\Windows\Explorer. thumbcache_idx.db thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db Thumbcache_sr.db Note: the different cache numbers reflect the different size images available in file viewer. Deleted photos may still have a copy left behind in a thumbcache file.

23 Thumbcache Structure and Recovery
Reverse engineered from proprietary systems, details are sparse and hazy. In general every thumbnail in the cache is associated with two 64-bit variables. Secret ID: associates data in thumbcache_idx.db with thumbnail data in thumbcache_NN.db, exact purpose of var is unclear. Cache ID: links thumbnails with original files.

24 Thumbcache Structure and Recovery
However, the original file path is not stored in the Thumbcache files. Must correlate with information in the Windows Indexer Windows.edb file. Database stored at <System Volume> \ProgramData \Microsoft \Search \Data \Applications \Windows This is a SQLite database. Find the stored associations between indexed files and CacheID.

25 Thumbcache Tools Can use file carver to extract the raw images.
Already discussed SQLite tools. Another GUI tool - A Windows GUI Tool: Reference -

26 Scheduled Tasks Scheduled tasks execute on a user defined schedule.
Trigger can be calendar based or event based. Some are manually defined by the user through commands or wizards. Others are programatically created using the Windows API. Thus existence of a scheduled task doesn’t always mean a user deliberately created it. Can be executed once or on a regularly defined basis.

27 Scheduled Tasks Often used to run updates.
Malware can achieve persistence by creating a task to start itself. Scheduled Tasks are stored as a “.job” file. Stored in the <SystemPartition>\Windows\System32\Tasks directory as well as in subfolders thereof.

28 .job file specifications
XML files Can Include: Author Description Triggers Privilege Actions to perform Commands or executables Arguments

29 .job file XML

30 Another .job file example

31 Questions?

Download ppt ""Q: How many MS programmers does it take to change a light bulb?"

Similar presentations

Computer Forensics Internet Artifacts.

Computer Forensics Internet Artifacts.
Microsoft Office 2007-Illustrated Introductory, Windows Vista Edition Windows XP Unit B.

Microsoft Office 2007-Illustrated Introductory, Windows Vista Edition Windows XP Unit B.
®® Microsoft Windows 7 for Power Users Tutorial 6 Optimizing Your Hard Disk.

®® Microsoft Windows 7 for Power Users Tutorial 6 Optimizing Your Hard Disk.
MODULE 4 File and Folder Management. Creating file and folder A computer file is a resource for storing information, which is available to a computer.

MODULE 4 File and Folder Management. Creating file and folder A computer file is a resource for storing information, which is available to a computer.
Exploring Microsoft Windows 8 Chapter 1 Getting Started with Windows 8

Exploring Microsoft Windows 8 Chapter 1 Getting Started with Windows 8
Return to the Office 2007 web page Lesson 3: Managing Computer Files.

Return to the Office 2007 web page Lesson 3: Managing Computer Files.
Using Folders to Organize Files

Using Folders to Organize Files
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
The sequence of folders to a file or folder is called a(n) ________.

The sequence of folders to a file or folder is called a(n) ________.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.
Laboratory Exercise # 3 – Basic File Management Office Productivity Tools 1 Laboratory Exercise # 3 Basic File Management Objectives: At the end of the.

Laboratory Exercise # 3 – Basic File Management Office Productivity Tools 1 Laboratory Exercise # 3 Basic File Management Objectives: At the end of the.
Microsoft Office 2010 - Illustrated Fundamentals Unit B: Understanding File Management.

Microsoft Office Illustrated Fundamentals Unit B: Understanding File Management.
Course ILT Folder and file management Unit objectives Explore the contents of a hard disk and view file and folder attributes by using Windows Explorer.

Course ILT Folder and file management Unit objectives Explore the contents of a hard disk and view file and folder attributes by using Windows Explorer.
With Windows 7 Comprehensive© 2012 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Windows 7 Comprehensive.

With Windows 7 Comprehensive© 2012 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Windows 7 Comprehensive.

Similar presentations

Ads by Google