Digital Forensic Investigation
MSc #11761
@2018
Dr. Ali Hadi
ali@ashemery.com
Windows Forensic Investigations
It's Not Just One OS!!!
Dr. Ali Al-Shemery
Slide notes prepared from different sources…
Special thanks to Dr. Lynn Ackler for sharing his work…
Week #10
Objectives – Part #1
• Learn about other places to find evidence
– Windows Domain
– User accounts
– Groups
– Permissions
– User profiles
– Swap files
– .lnk Files
– Windows 7 Artifacts (Jump Lists, Libraries, etc)
– Other stuff: Window registry (next week)
Introduction
• So far, looked at Windows file systems
– Old ones – FAT
– Newer ones – NTFS
– Good to know about both
– FAT - Older systems and newer devices
• Thumb drives, cameras, phones, PDA’s
• Good to know about files ... How they are
– Allocated
– Deleted or restored
– Hidden from casual observers
Windows Versions
• Why study Windows?
• Why do we need to know differences between versions?
Windows Versions – Cont.
Cited: Windows Internals, 6th Edition – Part1
Windows Domains
• A Windows domain represents both a security and
administrative boundary within a Windows network
• Computers and users can be added to or removed from a
domain
• Joining a computer to a domain means that it must abide by
certain rules, or policies, that are enforced throughout the
domain
Windows Domains – Cont.
• Domains consist of three general types of computers:
– Domain Controllers (DCs)
– Member Servers
– Client Computers
• DCs provide a central source of security and administrative
control to a Windows domain
• That’s the reason why DCs are arguably the most important
machines in a Microsoft domain environment and are a prime
target for attackers!
Which DC is Running?
• Domains are categorized based on the version of the OS running on the DCs
• A domain can consist of any version of Windows computers,
but the domain as a whole is identified by the version of the
OS being used on the DCs
User Accounts
• Each account is assigned a unique Security Identifier (SID)
• When discussing activities, it's very important to distinguish
between the user (human being) and the user account (set of
credentials that represent a particular person or object to the
network)
• Example: Windows records activities based on the user
account involved, but it cannot determine which user was
actually sitting at a keyboard
Account Types - Local
• Local accounts are stored in the local computer's SAM and are valid
only on that computer
• Local accounts can be:
– Computer accounts: Represent a computer to the network
– User accounts: Represent a user to the network
– Service accounts: Represent a service to the network
Account Types - Domain
• Domain accounts are stored in Active Directory on a domain
controller and valid throughout the domain
• Domain accounts can also be:
– User accounts
– Computer accounts
– Service accounts
Account Types – Cont.
Windows XP
Windows 7
Cited: Mastering Windows Network Forensics and Investigation, 2nd Edition
Account Types – Domain
Cited: Mastering Windows Network Forensics and Investigation, 2nd Edition
Groups
• A group is simply a collection of accounts to which various
capabilities can be assigned
• Example: a group might be Development Employees
Default Groups
Default Group Name – Capabilities of Group Members
• Backup Operators – Members of this group can back up (i.e., copy) any data on the system.
• Administrators – Members of this group have permission to do just about anything on the computer, including overriding all access restrictions.
• Domain Admins – Members of this group become members of the Administrators group for every computer in the domain.
• Enterprise Admins – The hacker's Holy Grail; members of this group have full administrative control over all machines in the entire forest.
• Account Operators – Members of this group can create, delete, and modify user accounts and members of most groups.
Cited: Mastering Windows Network Forensics and Investigation, 2nd Edition
Permissions
• Assigned to files or other objects
that users might wish to access
• Determine which accounts are allowed to access a particular
resource and which level of access each account is granted
• Example:
– Permission to read, write, or delete a
file
– Permission to send a print job to a
printer
Cited: Mastering Windows Network Forensics and Investigation, 2nd Edition
Share Permissions
• Govern who has access to
shared resources over a
network
– Remote access
Cited: Mastering Windows Network Forensics and Investigation, 2nd Edition
Share vs. File Permissions
Share permissions:
• Checked only when a file is accessed across a MS share
– Remote connection using the Server Message Block (SMB) protocol
• Not checked when a request is made from an account that is
logged on interactively
File permissions:
• Always checked whenever a file on an NTFS volume is accessed,
regardless of where the user accesses the resource from:
– on the same system
– or from a remote system
Local Accounts within a Domain
• Local accounts continue to exist even when computers come
together to form a domain!
• DCs contain domain accounts and only domain accounts!
• All other computers that participate in a domain still retain
their local accounts
• As a result, most computers in a domain can be accessed either by
logging on with a domain account or by logging on directly to
one of the computer’s local accounts
– In practice once a computer is joined to a domain, the local accounts
are no longer used but they might still exist!
User Profiles
• A lot of potential forensic data is found in user profiles
• Windows 9X
– Users only had separate identities for personal preferences, Desktop
– Data files
• All stored under one common My Documents folder
• No true distinction of ownership between users
• No ownership attribute for FAT files
User Profiles – Cont.
• Since the release of Windows XP and 2000
– True log-on and user accounts
– File ownership and privacy between users enforced
• Can trace ownership to specific users
– Each user has their own user files
User Profiles
• Desktop settings, Internet settings, Home page, Favorites,
History, Personal Files, My Documents, My Pictures
• Several subfolders
– AppData (hidden)
– Cookies
– Desktop
– Downloads
– Favorites
– Links
– Libraries
– Local Settings (hidden)
– My Documents
– Recent (hidden)
– SendTo (hidden)
– Start Menu
– Searches
– Windows
User Registry File
• NTUser.Dat file
– Personal preferences and computer settings for user
– Even just the file's metadata (file attributes) reveals a lot of
information
• First time user logged on
– Creation date of file
• Last time user logged on
– Last modified date of file
Swap File (Pagefile)
• Large file, hidden in root directory
• Used by OS as virtual memory
• Pagefile.sys
• Good place to look for forensic information
• Things stored there from RAM
– Picture files, spreadsheets, word docs, database files etc.
Recycle Bin
Windows XP
• C:\RECYCLER
– Each user gets his own folder
– Use the user’s SID
– Each has its own INFO2 file
Recycle Bin – Cont.
recbin.exe
Windows 7 - Recycle.Bin
• [Volume]:\$Recycle.Bin
• $Recycle.Bin (hidden by default)
• Subfolder per user named with account SID
• When a file is moved to the Recycle Bin, it becomes two files $I
and $R.
– $I -> original name and path, and deleted date
– $R -> original file data stream and other attributes
Word Documents
• Document location
• Statistics
• Version and Language
• Last 10 authors
• MACPS times:
– Modified
– Accessed
– Created
– Printed
– Saved
MergeStreams
• Insert a spreadsheet into a word document
• Call it .doc – you see the Word document
• Call it .xls – you see the spreadsheet
• All sorts of uses
– Smuggling out forecasts
– Sharing pictures on the corporate server
Basic Exfil Technique!!!
PDF Files
• Similar metadata as Word docs.
• Easily accessed
• File -> Properties
We'll check Didier Stevens' PDF analysis tools in a separate lab (or challenge)
Image Files
[Figure: EXIF data of the original photo off of the camera vs. after Photoshop manipulation]
Link Files (.lnk)
Shortcut Files
• File extension .lnk
• Created whenever an off-board file is opened
• Contain MAC times (UTC)
• Path name
• Volume type and S/N
.lnk Files
• They appear as “My Recent Documents”
• Form the basis of Jump Lists
• Windows XP
– C:\Documents and Settings\User Name\Recent
• Vista & Windows 7
– \Users\user name\AppData\Roaming\Microsoft\Windows\Recent
– \Users\user name\AppData\Roaming\Microsoft\Office\Recent
– \Users\user name\Links\
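An added example (not from the original slides) that reads the .lnk fields listed above: the target's three FILETIMEs and size sit in the 76-byte ShellLinkHeader, and the drive type, volume serial number and local path sit in the LinkInfo structure that follows. It assumes ANSI (non-Unicode) LinkInfo fields and a local, non-network target; the sample shortcut is constructed inside the block, not taken from a real Recent folder.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIiIHHII"  # ShellLinkHeader: 76 bytes, three FILETIMEs of the target

def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("latin-1")

def parse_lnk(data):
    """Header MAC times and size of the target, plus drive type, volume serial and local
    path from LinkInfo when present (ANSI fields only; network links are not handled)."""
    hsize, clsid, flags, attrs, ct, at, wt, size = struct.unpack_from(HEADER_FMT, data, 0)[:8]
    if hsize != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    info = {"target_created": filetime_to_utc(ct), "target_accessed": filetime_to_utc(at),
            "target_written": filetime_to_utc(wt), "target_size": size, "attributes": attrs}
    off = 0x4C
    if flags & 0x1:   # HasLinkTargetIDList: skip the IDList (uint16 size + items)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x2:   # HasLinkInfo
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & 0x1:   # VolumeIDAndLocalBasePath: DriveType and serial follow VolumeIDSize
            drive_type, serial = struct.unpack_from("<II", data, off + vol_off + 4)
            info.update(drive_type=drive_type, volume_serial=f"{serial:08X}",
                        local_base_path=_cstring(data, off + base_off))
    return info

def build_sample_lnk(path, serial, drive_type, size, created, accessed, written):
    """Construct a minimal .lnk (header + LinkInfo, no IDList) as sample input, not a real file."""
    ft = lambda d: (d - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, 0x2, 0x20, ft(created), ft(accessed),
                         ft(written), size, 0, 1, 0, 0, 0, 0)
    vol = struct.pack("<IIII", 17, drive_type, serial, 16) + b"\x00"  # VolumeID, empty label
    base = path.encode("latin-1") + b"\x00"                            # LocalBasePath
    body = vol + base + b"\x00"                                        # + empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 28 + len(body), 28, 0x1, 28, 28 + len(vol), 0,
                            28 + len(vol) + len(base))
    return header + link_info + body

# Constructed sample: a shortcut to a spreadsheet on a removable drive (drive type 2)
SAMPLE_LNK = build_sample_lnk(r"E:\reports\forecast.xls", 0x1A2B3C4D, 2, 24576,
                              datetime(2018, 3, 1, 8, 0, tzinfo=timezone.utc),
                              datetime(2018, 3, 14, 9, 15, tzinfo=timezone.utc),
                              datetime(2018, 3, 12, 17, 42, 10, tzinfo=timezone.utc))
```

Calling parse_lnk(SAMPLE_LNK) returns the target's created/accessed/written times in UTC together with the E: volume serial and path; a file that fails the header size or CLSID check is rejected.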
Clear “Recent Items”
Windows XP
• Properties of the Start Menu
• Select “Clear List”
Check Jump Lists in Vista and Windows 7
Clear “Recent Items”
Windows 7
To clear the "Recent Items" list, right click on Recent Items and select Clear
http://www.forensicswiki.org/wiki/Shell_Item
lslnk.exe
.lnk File’s Properties
Lslnk.exe for Windows 7
Windows 7 LNK file Properties
More Information Windows 7
Windows Forensic Investigations
It's Not Just One OS!!!
Dr. Ali Al-Shemery
Slide notes prepared from different sources…
Special thanks to Dr. Lynn Ackler for sharing his work…
Week #11
Objectives – Part #2
• Jump Lists
• Libraries
• Recycle.Bin
• SuperFetch
• Folder Virtualization
• Disk Wiping
• Volume Shadow Copies
• Others:
– IE8, Thumbcache, Virtual Hard Drive (VHD), Transactional NTFS (TxF), XP Mode, Sticky Notes
Jump Lists
• A new feature released with Microsoft Windows 7
• Provides the user with a graphical interface associated with
each installed application which lists files that have been
previously accessed by that application
• Jump Lists can contain:
– Tasks
– Links to recent files
– Frequently used files
– Links to pinned files
Jump Lists – Cont.
Frequent files used
Recent files used
Jump Lists – Cont.
• Feature enabled by default
• Default setting is to show the 10 most recently accessed files
per application
– Possible to adjust to a maximum of 60
• Records of the items pinned to the Taskbar are stored in the
directory (Torres, 2011):
– ‘C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar’
Jump Lists – Cont.
• Details of applications that have been pinned to the Taskbar are
also recorded in the Windows Registry values ‘Favorites’ and
‘FavoritesResolve’ at (AccessData, 2010):
– ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband’
Jump Lists – Cont.
• Details of accessed files are held within structured storage files
which themselves are stored within the user’s profile at
(Larson):
– ‘%systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations’
• The number of items to be shown on a Jump List is stored
within the Registry value at (Li, 2011):
– ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems’
Jump Lists – Cont.
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent Items
Jump Lists – Settings (1)
These options, if unchecked, will prevent application history from appearing on the Start menu
Jump Lists – Settings (2)
These options are used to adjust the number of items to display in the Jump Lists
Libraries
• A list of monitored folders
• Used to assist users to find and organize their media
– Documents
– Music
– Pictures
– Videos
They look like any other folder!!!
Libraries Location
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Libraries
Custom Libraries
Libraries … Wait!
• View them using a Forensic tool:
– XML-based files named with the library-ms extension!
Windows 7 - Superfetch
• Windows Prefetch files, introduced in Windows XP, are
designed to speed up the application startup process
• Prefetch files contain:
– Name of the executable
– Unicode list of DLLs used by that executable
– A count of how many times the executable has been run
– Timestamp indicating the last time the program was run
Superfetch – Cont.
• Although Prefetch is present in Windows 2003, by default it is
only enabled for boot prefetching
• Augmented in Windows Vista with:
– SuperFetch
– ReadyBoot
– ReadyBoost
• Up to 128 Prefetch files are stored in the
%SystemRoot%\Prefetch directory
Superfetch – Cont.
• Each file in that directory should contain the name of the
application, a dash, and then an eight character hash of the
location from which that application was run, and a .pf
extension
• The filenames should be all uppercase except for the
extension.
• A sample filename for md5deep would look like:
MD5DEEP.EXE-4F89AB0C.pf
Superfetch – Cont.
• There will be two different prefetch files in the prefetch
folder for the same application if the user ran them from two
different locations:
– C:\md5deep.exe
– C:\Apps\Hashing\md5deep.exe
Superfetch – Cont.
• Prefetch files indicate to the examiner the following:
– Existence: application named was run
– Creation date: when the application was first run
– Modification date: when the application was last run
Windows 7 - Folder Virtualization
• Part of User Account Control (UAC) that prevents the standard
user from writing to certain protected folders:
– C:\Windows
– C:\Program Files
– C:\ProgramData
• To allow the standard user to function, any writes to protected
folders are “virtualized” and written to:
– C:\Users\<username>\AppData\Local\VirtualStore
Windows 7 – Diskpart
• Diskpart
– Utility added to wipe the entire hard drive
Volume Shadow Copies (VSCs)
• One of the new, ominous-sounding aspects of the Windows
operating systems that can significantly impact an analyst’s
examination
• VSCs are significant and interesting as a source of artifacts
VSCs – Cont.
Volume Shadow Copies (VSCs)
VSCs using Shadow Explorer
WARNING: why?
• Accessing VSCs on Live Systems
Windows Registry
• What can you find there needs a whole lecture!!!
– Will be covered next
That’s it?
No … !!!
Other Places to Check!
• IE8
• Scheduled Tasks
• Thumbcache
• Virtual Hard Drive (VHD)
• XP Mode
• Most Recently Used (MRU)
• Sticky Notes
• Hibernation Files
• Windows Registry
A whole course is needed to cover all the Windows Artifacts!!!
Assignment(s) - Old
• What is the Event Record’s “Magic Number”?
– LfLe
• What are the Windows ReadyBoot and ReadyBoost?
– https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
Assignment #5
• Check the challenge #5 document for details.
Resources
• File Analysis, Harlan Carvey
• http://www.forensicswiki.org/wiki/Prefetch
• http://www.woanware.co.uk/?page_id=173
• http://windowsir.blogspot.com/2007/05/prefetch-analysis.html
• http://www.forensicswiki.org/wiki/Windows_Shadow_Volumes
• http://www.forensickb.com/2009/12/forensic-review-of-windows-7-part-i.html
• http://windowsir.blogspot.com/2009/10/windows-7-and-future-of-forensic.html
• http://msdn.microsoft.com/en-us/library/bb470211%28VS.85%29.aspx
• http://msdn.microsoft.com/en-us/library/bb470206%28v=vs.85%29.aspx
• http://msdn.microsoft.com/en-us/library/bb470124%28VS.85%29.aspx
• http://technet.microsoft.com/en-us/library/bb457112.aspx
• http://www.pc-3000flash.com/eng/help/help_information/ntfs/boot.htm
• Jesse Hager “The Windows Shortcut File Format”,
http://code.google.com/p/8bits/downloads/detail?name=The_Windows_Shortcut_File_Format.pdf&can=2&q=
• http://www.forensicswiki.org/wiki/Shell_Item
• http://windowsir.blogspot.com/2013/06/there-are-four-lights-shell-items.html
• http://windowsir.blogspot.com/2013/06/there-are-four-lights-lnk-parsing-tools.html
• http://www.sandersonforensics.com/forum/content.php?133-MFTView
• Forensic Analysis of Windows 7 Jump Lists
• Forensics Registry Analysis
– http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf
• AccessData (2010) Registry Quick Find Chart
– http://accessdata.com/media/en_us/print/papers/Registry_Quick_Find_Chart_9-27-10.pdf
• Ard, C. (2007) Introduction to Windows 7
– http://info.publicintelligence.net/WIN7-TWO-Hour-Talk.pdf
• Barnett, A. (n.d.) The Forensic Value of the Windows 7 Jump List
– http://www.alexbarnett.com/jumplistforensics.pdf
• Carvey, H. (2011a) Jump List DestList Structure
– http://windowsir.blogspot.com/2011/06/meetup-tools-and-other-stuff.html
• Larson, T. (n.d.) Forensic Examination of Windows 7 Jump Lists
– http://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public
• Li, N. (2011) Change the Number of Recent Items Displayed in Windows 7 Jump List
– http://blogs.technet.com/b/win7/archive/2011/05/10/change-the-number-of-recent-items-displayed-in-windows-7-jump-list.aspx