windows 7 forensics -overview-r3
![Page 1: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/1.jpg)
Digital Forensics and Windows 7: Overview
Troy Larson, Principal Forensics Program Manager, TWC Network Security Investigations
NSINV-R3 – Research | Readiness | Response
![Page 2: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/2.jpg)
Introduction and Encouragement
Layers of the stack shown on the slide, bottom to top: Disk; Mount, Partition & Managers; Fvevol.sys; File Systems (NTFS, FAT32, EXFAT); OS Artifacts; Applications.
Highlights of new things of interest.
– Changes between XP and Windows 7.
– Climb the Stack of Forensics Knowledge.
![Page 3: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/3.jpg)
World vs. Microsoft
• World: pre-Vista, huge Windows XP base; pre-Office 2007.
• Microsoft: x64, Windows 7, Windows 2008 R2, Office 2010, * 2010, Windows 8, WP 7.
![Page 4: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/4.jpg)
From XP to Vista
• Changed location of boot sector.
• BitLocker: unlocking, imaging, preservation.
• EXFAT. Transactional NTFS.
• Event Logging: new format (.evtx); new system for collecting and displaying events; new security event numbering.
• New directory tree for account profiles.
• Symbolic links. “Virtual” folders.
• “Virtual” registries.
• Volume Shadow Copies and difference files.
• User Account Control.
• Enforced Signed Drivers (x64).
• Hard links. WinSxS.*
• Default settings: NTFS change journal.
• Recycle Bin: no INFO2, now $I.* & $R.*
• Built-in volume and disk wiping.
• SuperFetch & prefetch files.
• Profile-based thumbcaches.*
• Office file format changes: .docx, .pptx, .xlsx.
• New Office files: InfoPath, Groove, OneNote.
• EFS-encrypted pagefile.
• x64 Windows.
• Windows 2008 Hyper-V.
• Built-in Defender.
![Page 5: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/5.jpg)
From XP to Windows 7
![Page 6: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/6.jpg)
Windows 7 Highlights for Forensics
• Changed volume header for BitLocker volumes.
• Updated BitLocker: multiple volumes, Smartcard keys, not backwardly compatible.
• BitLocker To Go.
• Virtual Hard Drives: boot from, mount as “Disks.”
• Virtual PC integrated into the OS. XP Mode.
• Flash Media Enhancements.
• Libraries, Sticky Notes, Jump Lists.
• Service and Driver triggers.
• Fewer Services on default startup.
• IE 8, InPrivate Browsing, Tab and Session Recovery.
• Changes in Volume Shadow Copy behavior.
• New registry-like files.
• WebDAV Office cache.
• More x64 clients. x64 Windows 2008 R2 (server).
• Changes in Hyper-V.
• Office 2010 file format changes: OneNote.
• Thumbnail Cache.
• Virtual Servers, thin clients.
• Direct Access (IPSec).
• Windows Search.
![Page 7: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/7.jpg)
Windows 7 Disk Identification
Disk signature: MBR bytes 0x1B8 to 0x1BB.
Registry: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
![Page 8: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/8.jpg)
Windows 7 Partitions and Volumes
If you can’t find your volumes, look for this.
![Page 9: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/9.jpg)
Windows 7 Partitions and Volumes
![Page 10: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/10.jpg)
Windows 7 Partitions and Volumes
![Page 11: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/11.jpg)
Windows 7 Partitions and Volumes
![Page 12: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/12.jpg)
Windows 7 Partitions and Volumes--VHD
![Page 13: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/13.jpg)
Windows 7 Partitions and Volumes
Full format will zero out the entire volume space and rebuild a clean file system.
![Page 14: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/14.jpg)
Windows 7 Partitions and Volumes
Diskpart clean /all will wipe the entire hard drive.
![Page 15: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/15.jpg)
Windows 7 BitLocker
During installation, Windows 7 creates a “System Reserved” volume, enabling setup of BitLocker.
In Vista, the System volume was generally 1.5 GB or more.
![Page 16: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/16.jpg)
Windows 7 BitLocker
• Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2.
• Forensics tools may not recognize the new BitLocker volume header.
• Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.
![Page 17: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/17.jpg)
Windows 7 BitLocker: Review or Imaging
Stack diagram: Applications (User Mode) | File System Driver → Fvevol.sys → Volume Manager (Kernel Mode).
FVEVOL.SYS sits underneath the file system driver and performs all encryption / decryption.
• Once booted, Windows (and the user) sees no difference in experience.
• The encryption / decryption happens below the file system.
![Page 18: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/18.jpg)
Windows 7 BitLocker: Review or Imaging
Stack diagram: Application (User Mode) | File System Driver → Fvevol.sys → Volume Manager (Kernel Mode).
![Page 19: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/19.jpg)
Windows 7 BitLocker: Review or Imaging
Forensic review or imaging begins with attaching the hard drive or USB drive to a Windows 7 or 2008 R2 system and unlocking it.
![Page 20: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/20.jpg)
Windows 7 BitLocker: Review or Imaging
Unlocking BitLocker with the GUI. Windows 7 will recognize an added BitLocker volume and prompt for the recovery key.
![Page 21: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/21.jpg)
Windows 7 BitLocker: Review or Imaging
The “More/Less information” button will provide the BitLocker volume recovery key identification.
![Page 22: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/22.jpg)
Windows 7 BitLocker: Review or Imaging
To unlock a BitLockered volume, first get the Recovery Password ID: manage-bde -protectors -get [volume]. The Recovery Password ID can be used to recover the Recovery Password from Active Directory (AD).
![Page 23: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/23.jpg)
Windows 7 BitLocker: Review or Imaging
• BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4A-CD3075CB8335.txt:
BitLocker Drive Encryption Recovery Key
The recovery key is used to recover the data on a BitLocker protected drive.
To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen.
Recovery key identification: 783F5FF9-18D4-4C
Full recovery key identification: 783F5FF9-18D4-4C64-AD4A-CD3075CB8335
BitLocker Recovery Key: 528748-036938-506726-199056-621005-314512-037290-524293
![Page 24: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/24.jpg)
Windows 7 BitLocker: Review or Imaging
Enter the recovery key exactly.
![Page 25: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/25.jpg)
Windows 7 BitLocker: Review or Imaging
Unlock the BitLocker volume: manage-bde.exe -unlock [volume] -rp [recovery password].
![Page 26: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/26.jpg)
Windows 7 BitLocker: Review or Imaging
![Page 27: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/27.jpg)
Windows 7 BitLocker: Review or Imaging
Viewed or imaged as part of a physical disk, BitLocker volumes appear encrypted.
![Page 28: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/28.jpg)
Windows 7 BitLocker: Review or Imaging
To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume.
![Page 29: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/29.jpg)
Windows 7 BitLocker: Review or Imaging
![Page 30: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/30.jpg)
Windows 7 BitLocker: Review or Imaging
Image the logical volume to obtain an image of the unlocked volume.
![Page 31: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/31.jpg)
Windows 7 BitLocker To Go: Review or Imaging
![Page 32: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/32.jpg)
Windows 7 BitLocker To Go: Review or Imaging
Selecting “I forgot my password” brings up a window to enter the recovery key.
![Page 33: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/33.jpg)
Windows 7 BitLocker To Go: Review or Imaging
![Page 34: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/34.jpg)
Windows 7 BitLocker To Go: Review or Imaging
![Page 35: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/35.jpg)
Windows 7 BitLocker To Go: Review or Imaging
![Page 36: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/36.jpg)
Windows 7 BitLocker To Go: Review or Imaging
![Page 37: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/37.jpg)
Windows 7 BitLocker To Go: Review or Imaging
The BitLocker To Go device is unlocked and ready for review or imaging.
![Page 38: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/38.jpg)
Windows 7 File Systems
• NTFS
– Symbolic links to files, folders, and UNC paths.
– Hard links are extensively used.
– Disabled by default: Update Last Access Date.
– Enabled by default: The NTFS Change Journal.
• Transactional NTFS (TxF)—Installations, patches, and as-needed driver installations (IR?).
![Page 39: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/39.jpg)
Windows 7 File Systems
• TxF works on top of NTFS—
• Allows a related series of file system changes to be treated and logged as a “transaction.”
• NTFS can then commit if the changes are completed successfully, or abort and roll back if they are not.
“Transactional NTFS (TxF) allows file operations on an NTFS file system volume to be performed in a transaction. TxF transactions increase application reliability by protecting data integrity across failures and simplify application development by greatly reducing the amount of error handling code.”
http://msdn.microsoft.com/en-us/library/bb968806(VS.85).aspx
![Page 40: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/40.jpg)
Windows 7 File Systems
The $Tops:$T stream is XML and can be read in an XML reader, such as Microsoft XML Notepad.
![Page 41: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/41.jpg)
Windows 7 File Systems
NTFS: Symbolic links.
![Page 42: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/42.jpg)
Windows 7 File Systems
NTFS: Hard Links.
![Page 43: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/43.jpg)
Windows 7 File Systems
NTFS: Hard Links.
![Page 44: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/44.jpg)
Windows 7 File Systems
NTFS: Much of the heavy lifting is done by named data streams.
![Page 45: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/45.jpg)
Windows 7 File Systems
More of this: NTFS: Much of the heavy lifting is done by named data streams.
![Page 46: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/46.jpg)
Windows 7 File Systems
NTFS: $USNJrnl:$J
![Page 47: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/47.jpg)
Windows 7 Artifacts: Recycle.Bin
• [Volume]:\$Recycle.Bin.
• $Recycle.Bin is visible in Explorer (view hidden files).
• Per-user store in a subfolder named with the account SID.
• When a file is moved to the Recycle Bin, it becomes two files: a $I file and a $R file.
• $I file: original name and path, as well as the deleted date.
• $R file: original file data stream and other attributes.
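As an added example (not from the deck), a parser for the $I metadata file described above, showing how the original path and the deleted date are recovered and how a $I file is paired with its $R file. The layout used is the Vista/Windows 7 version-1 format (8-byte version, 8-byte original size, 8-byte FILETIME, fixed 520-byte UTF-16LE path); it also accepts the later version-2 layout with a length-prefixed path, which goes beyond this deck. The sample file, user name and path are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Windows FILETIME counts 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Vista/Windows 7 $I layout (version 1): 8-byte version, 8-byte original size,
# 8-byte FILETIME deletion time, then a fixed 520-byte UTF-16LE path (260 chars).
V1_PATH_BYTES = 520
V1_TOTAL_BYTES = 24 + V1_PATH_BYTES


class RecycleBinEntry(NamedTuple):
    version: int
    original_size: int
    deleted_at: datetime
    original_path: str


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used to build the constructed sample."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_file(data: bytes) -> RecycleBinEntry:
    """Parse a $I metadata file into the original name/path and the deleted date."""
    if len(data) < 24:
        raise ValueError("$I file truncated: header needs 24 bytes")
    version, original_size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        if len(data) < V1_TOTAL_BYTES:
            raise ValueError("$I version 1 must be %d bytes" % V1_TOTAL_BYTES)
        raw = data[24:V1_TOTAL_BYTES]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # Later Windows versions: 4-byte path length in characters (including the
        # terminating null), followed by the UTF-16LE path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("$I version 2 path truncated")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return RecycleBinEntry(version, original_size, filetime_to_datetime(filetime), path)


def r_file_name(i_file_name: str) -> str:
    """The $R file holding the data stream shares the random suffix of its $I file."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name: %r" % i_file_name)
    return "$R" + i_file_name[2:]


def build_v1_i_file(path: str, size: int, deleted_at: datetime) -> bytes:
    """Construct a version-1 $I file (used here only to build sample input)."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > V1_PATH_BYTES - 2:
        raise ValueError("path too long for the fixed 260-character field")
    header = struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at))
    return header + encoded.ljust(V1_PATH_BYTES, b"\x00")


# Constructed sample: a document deleted by a hypothetical user (not data from the slides).
SAMPLE_PATH = r"C:\Users\troyla\Documents\report.docx"
SAMPLE_DELETED_AT = datetime(2009, 7, 20, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_I_FILE = build_v1_i_file(SAMPLE_PATH, 48213, SAMPLE_DELETED_AT)

if __name__ == "__main__":
    entry = parse_i_file(SAMPLE_I_FILE)
    print(entry.original_path, entry.original_size, entry.deleted_at.isoformat())
    print("data stream is in", r_file_name("$IXK3P9Q.docx"))
```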
![Page 48: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/48.jpg)
Windows 7 Artifacts—Recycle.Bin
Note the deleted date (in blue).
![Page 49: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/49.jpg)
Windows 7 Artifacts—Recycle.Bin
![Page 50: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/50.jpg)
Windows 7 Artifacts: Recycle.Bin
The Recycle.Bin works similarly on FAT file systems, here EXFAT:
![Page 51: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/51.jpg)
Windows 7 Artifacts: Folder Virtualization
![Page 52: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/52.jpg)
Windows 7 Artifacts: Folder Virtualization
– Part of User Account Control: a standard user cannot write to certain protected folders.
• C:\Windows
• C:\Program Files
• C:\ProgramData
– To allow a standard user to function, any writes to protected folders are “virtualized” and written to
C:\Users\[user]\AppData\Local\VirtualStore
![Page 53: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/53.jpg)
Windows 7 Artifacts: Registry Virtualization
HKEY_CURRENT_USER\Software\Classes
![Page 54: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/54.jpg)
Windows 7 Artifacts: Registry Virtualization
• Virtualized: HKEY_LOCAL_MACHINE\SOFTWARE
• Non-administrator writes are redirected to: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\
• Keys excluded from virtualization:
– HKEY_LOCAL_MACHINE\Software\Classes
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
![Page 55: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/55.jpg)
Windows 7 Artifacts: Registry Virtualization
• Location of the registry hive file for the VirtualStore:
– Is NOT the user’s NTUSER.DAT.
– It is stored in the user’s UsrClass.dat: \Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat
• Investigation of Vista through 2008 R2 requires the investigator to examine at least two account-specific registry hive files for each user account:
– NTUSER.DAT
– UsrClass.dat
![Page 56: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/56.jpg)
Windows 7 Artifacts: Transactional Registry
• Related to TxF; also built on the Kernel Transaction Manager: http://msdn.microsoft.com/en-us/library/cc303705.aspx
• TxR allows applications to perform registry operations in a transactional manner.
– Typical scenario: software installation.
– Files are copied to the file system and information written to the registry as a single operation.
– In the event of failure, the registry modifications are rolled back or discarded.
![Page 57: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/57.jpg)
Windows 7 Artifacts: Transactional Registry
The TxR files are stored in the TxR subfolder in \Windows\System32\config with the system registry hives.
![Page 58: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/58.jpg)
Windows 7 Artifacts: Transactional Registry
![Page 59: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/59.jpg)
Windows 7 Artifacts: Libraries
![Page 60: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/60.jpg)
Windows 7 Artifacts: Libraries
\Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries.
![Page 61: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/61.jpg)
Windows 7 Artifacts: Libraries
Libraries are XML files.
![Page 62: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/62.jpg)
Windows 7 Artifacts: Libraries
![Page 63: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/63.jpg)
Windows 7 Artifacts: Libraries
![Page 64: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/64.jpg)
Windows 7 Artifacts: Sticky Notes
Sticky notes are also files in the Structured Storage file format.
![Page 65: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/65.jpg)
Windows 7 Artifacts: Sticky Notes
![Page 66: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/66.jpg)
Windows 7 Artifacts: Chkdsk Logs
\System Volume Information\Chkdsk
![Page 67: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/67.jpg)
Windows 7 Artifacts: Superfetch
• The existence of a prefetch file indicates that the application named by the prefetch file was run.
• The creation date of a prefetch file can indicate when the named application was first run.
• The modification date of a prefetch file can indicate when the named application was last run.
![Page 68: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/68.jpg)
Windows 7 Artifacts: Superfetch
\Windows\Prefetch
![Page 69: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/69.jpg)
Windows 7 Artifacts: Superfetch—Much More
![Page 70: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/70.jpg)
Windows 7 Artifacts: Superfetch—Much More
Look what gets loaded on boot.
![Page 71: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/71.jpg)
Windows 7 Artifacts: Search Index
C:\ProgramData\Microsoft\Search\Data\Applications\Windows
• Windows Search index file = Windows.edb, an ESE database.
• MSS*.log files are the database log files.
![Page 72: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/72.jpg)
Windows 7 Artifacts: Search Index
http://www.woany.co.uk/esedbviewer/
![Page 73: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/73.jpg)
Windows 7 Artifacts: Search Index
![Page 74: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/74.jpg)
Windows 7 Artifacts: Search Index
>C:\Windows\system32\esentutl.exe /r MSS /d.
Run from the folder containing the Windows.edb and its log files.
![Page 75: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/75.jpg)
Windows 7 Artifacts: Search Index
• Generic will bring up all tables.
• Desktop Search will bring up a select view.
• AV can interfere with esentutl.exe and eseDbViewer.
![Page 76: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/76.jpg)
Windows 7 Artifacts: Search Index
![Page 77: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/77.jpg)
Windows 7 Artifacts: Search Index
SystemIndex_0A
• Over 380 fields.
![Page 78: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/78.jpg)
Windows 7 Artifacts: Search Index
Match a ThumbnailCacheID from a Thumbnail Cache file to a ThumbnailCacheID in the Windows Search index to link a thumbnail to a file.
![Page 79: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/79.jpg)
Windows 7 Artifacts: Volume Shadow Copy
• Volume shadow copies are bit-level differential backups of a volume.
– 16 KB blocks.
– Copy on write.
– Volume Shadow Copy files are “difference” files.
• The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2.
![Page 80: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/80.jpg)
Windows 7 Artifacts: Volume Shadow Copy
• Shadow copies are the source data for Restore Points and the Restore Previous Versions features.
• Used in backup operations.
• Shadow copies provide a “snapshot” of a volume at a particular time.
• Shadow copies can show how files have been altered.
• Shadow copies can retain data that has later been deleted, wiped, or encrypted.
![Page 81: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/81.jpg)
Windows 7 Artifacts: Volume Shadow Copy
Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.
![Page 82: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/82.jpg)
Windows 7 Artifacts: Volume Shadow Copy
The Volume Shadow Copy difference files are maintained in “\System Volume Information” along with other VSS data files, including a new registry hive.
![Page 83: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/83.jpg)
Windows 7 Artifacts: Volume Shadow Copy
[Diagram: a 12-block volume at the start of the VSS snapshot (T1); the difference file, holding the original contents of the blocks overwritten afterwards (blocks 2, 3, 5, 7, 9 and 10 in the drawing); the volume at the end of the snapshot period (T2); and the shadow copy of the volume at T1, read back later (T3 in the drawing).]
• Copy on Write: before a block is written to, it is saved to the difference file.
• When a Shadow Copy is read, the “volume” consists of the live, unchanged blocks and the saved blocks from the difference file.
![Page 84: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/84.jpg)
Volume Shadow Copy
A shadow copy includes portions of more than one difference file when those difference files contain original blocks from the time of that shadow copy’s creation or snapshot.
• Here, there are three snapshots of the volume over time, and each has a corresponding difference file.
• Difference file T2 includes changes since the first snapshot.
• Difference file T3, changes since the second snapshot.
• Difference file T4, changes since the third snapshot.
• All difference files contain one or more of the original blocks from the volume at T1.
• After the third snapshot, the shadow copy of the volume as it was on T1 would include data from each of the difference files in this example, as each contains one or more blocks of the volume as it was at T1.
[Diagram: the 12-block volume at T1; the three difference files T2, T3 and T4, each holding some of the original T1 blocks; and the shadow copy of the volume at T1 reassembled from them and the live volume (T5 in the drawing).]
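As an added example (not part of the deck), a small simulation of the copy-on-write model in the two diagrams above: a 12-block volume, three snapshots each with its own difference file, and a reconstruction of the shadow copy at T1 that pulls blocks from all three difference files plus the live volume. The 16 KB block size follows the slide; which blocks are overwritten in each period is constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BLOCK_SIZE = 16 * 1024  # the slides give 16 KB copy-on-write blocks


def block(tag: bytes) -> bytes:
    """Pad a short tag to a full block so sizes behave like the real thing."""
    if len(tag) > BLOCK_SIZE:
        raise ValueError("tag longer than a block")
    return tag.ljust(BLOCK_SIZE, b"\x00")


@dataclass
class DifferenceFile:
    """Original contents of the blocks first overwritten after one snapshot."""
    label: str
    saved: Dict[int, bytes] = field(default_factory=dict)


class ShadowedVolume:
    def __init__(self, blocks: List[bytes]):
        self.live = list(blocks)
        self.difference_files: List[DifferenceFile] = []

    def take_snapshot(self, label: str) -> int:
        """Start a new difference file; returns the new shadow copy's index."""
        self.difference_files.append(DifferenceFile(label))
        return len(self.difference_files) - 1

    def write_block(self, index: int, data: bytes) -> None:
        """Copy on write: before a block changes, save its current contents once
        per snapshot period, then let the live volume move on."""
        if self.difference_files:
            self.difference_files[-1].saved.setdefault(index, self.live[index])
        self.live[index] = data

    def _lookup(self, shadow_index: int, block_index: int) -> Optional[DifferenceFile]:
        """First difference file at or after the snapshot that saved this block."""
        for diff in self.difference_files[shadow_index:]:
            if block_index in diff.saved:
                return diff
        return None

    def read_shadow_copy(self, shadow_index: int) -> List[bytes]:
        """Assemble the volume as it was at a snapshot: saved blocks where a later
        difference file has them, live (unchanged) blocks otherwise."""
        out = []
        for i in range(len(self.live)):
            diff = self._lookup(shadow_index, i)
            out.append(diff.saved[i] if diff else self.live[i])
        return out

    def difference_files_used(self, shadow_index: int) -> List[str]:
        """Labels of every difference file that contributes to one shadow copy."""
        used: List[str] = []
        for i in range(len(self.live)):
            diff = self._lookup(shadow_index, i)
            if diff and diff.label not in used:
                used.append(diff.label)
        return used

    def difference_file_bytes(self) -> int:
        """Storage actually consumed by the difference files (not full volume copies)."""
        return sum(len(d.saved) for d in self.difference_files) * BLOCK_SIZE


# Constructed scenario mirroring the slide: 12 blocks, three snapshots, and the
# blocks overwritten in each period (block numbers are 1-based as on the slide).
ORIGINAL_BLOCKS = [block(b"T1-block-%d" % n) for n in range(1, 13)]
OVERWRITES = {"T2": (1, 3, 7, 9, 10, 11), "T3": (2, 3, 5, 7, 9, 10), "T4": (3, 4, 5, 6, 7)}


def build_demo_volume() -> ShadowedVolume:
    vol = ShadowedVolume(ORIGINAL_BLOCKS)
    for period, numbers in OVERWRITES.items():
        vol.take_snapshot(period)  # difference file named for the period it covers
        for n in numbers:
            vol.write_block(n - 1, block(b"%s-block-%d" % (period.encode(), n)))
    return vol


if __name__ == "__main__":
    vol = build_demo_volume()
    print("shadow copy at T1 intact:", vol.read_shadow_copy(0) == ORIGINAL_BLOCKS)
    print("difference files used:", vol.difference_files_used(0))
    print("difference file storage (bytes):", vol.difference_file_bytes())
```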
![Page 85: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/85.jpg)
Windows 7 Artifacts: Volume Shadow Copy
![Page 86: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/86.jpg)
Windows 7 Artifacts: Volume Shadow Copy
![Page 87: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/87.jpg)
Windows 7 Artifacts: Volume Shadow Copy
vssadmin list shadows /for=[volume]:
![Page 88: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/88.jpg)
Windows 7 Artifacts: Volume Shadow Copy
![Page 89: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/89.jpg)
Windows 7 Artifacts: Volume Shadow Copy
Shadow copies can be exposed through symbolic links.
Mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
![Page 90: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/90.jpg)
Windows 7 Artifacts: Volume Shadow Copy
Volume shadow copies can be exposed directly as network shares.
net share testshadow=\\.\HarddiskVolumeShadowCopy11\
![Page 91: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/91.jpg)
Windows 7 Artifacts: Volume Shadow Copy
>psexec \\[computername] vssadmin list shadows /for=C:
>psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\
PsExec v1.94 - Execute processes remotely
. . .
testshadow was shared successfully.
net exited on [computername] with error code 0.
>robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername]\testshadow D:\vssTest
Log File : D:\VSStestcopylog.txt
. . .
![Page 92: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/92.jpg)
Windows 7 Artifacts: Volume Shadow Copy
• Other ways to call shadow copies:
– \\localhost\C$\Users\troyla\Downloads (Yesterday, July 20, 2009, 12:00 AM)
– \\localhost\C$\@GMT-2009.07.17-08.45.26\
• Mount all shadow copies as symbolic links:
for /f "tokens=4" %f in ('vssadmin list shadows ^| findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\
![Page 93: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/93.jpg)
Windows 7 Artifacts: Volume Shadow Copy
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>dd if=\\.\HarddiskVolumeShadowCopy11 of=E:\shadow11.dd -localwrt
The VistaFirewall Firewall is active with exceptions.
Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd
Output: E:\shadow11.dd
136256155648 bytes
129943+1 records in
129943+1 records out
136256155648 bytes written
Succeeded!
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>
Shadow copies can be imaged.
![Page 94: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/94.jpg)
Windows 7 Artifacts: Volume Shadow Copy
Images of shadow copies can be opened in forensics tools and appear as logical volumes.
![Page 95: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/95.jpg)
Windows 7 Artifacts: Volume Shadow Copy
Data that has been deleted can be captured by shadow copies and be available for retrieval in shadow copy images.
![Page 96: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/96.jpg)
Windows 7 Artifacts: Volume Shadow Copy
Every shadow copy data set should approximate the size of the original volume.
Amount of case data = (number of shadow copies) × (size of the volume) + (size of the volume).
10 shadow copies = 692 GB
![Page 97: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/97.jpg)
You want More?
![Page 98: Windows 7 forensics -overview-r3](https://reader036.vdocuments.site/reader036/viewer/2022081720/54c0d45c4a7959eb128b45b7/html5/thumbnails/98.jpg)
Questions?