First Looks: Basic Investigations of Windows Vista
Lance Mueller, lance.mueller@guidancesoftware.com
Topics: NTFS Version. Symbolic Links. Last Access Dates.
Last Access Dates
• The last access dates in Windows Vista are no longer updated when a file is accessed. Microsoft explains that, with all the new file system transactional journaling, updating them was somewhat of a performance hit, so they have disabled them by default.
• In Windows Vista, this behaviour (no last-access updates) is enabled by default; it can be turned off via a registry key. This default setting obviously has a severe impact on how some types of cases are analyzed, and examiners should take great care when using these date stamps as part of their analysis.
$USNJRNL
• The USN Journal is an NTFS logging mechanism that logs various transactions that occur on the file system. This feature is available in Windows 2000, Windows XP and Windows 2003, but it is disabled by default. In Windows Vista, this feature is enabled by default, thus causing a verbose log to be created of various file system changes. These changes are written to an internal NTFS metadata file named “$USNJRNL”, and specifically into an alternate data stream of that file. Various artifacts such as filenames, date stamps and MFT record numbers can be located in this journal, and it should be inspected and/or searched in Unicode when looking for specific filenames.
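As an added example (not from the original presentation), the following Python parses USN_RECORD_V2 entries of the kind written to the $USNJRNL journal's data stream and extracts the three artifact types named above: filenames, date stamps and MFT record numbers (with the sequence number split off the 64-bit file reference). The journal bytes are constructed inline for the demonstration; the record layout and the reason-flag values are the documented ones, and `find_filename_unicode` illustrates the advice to search for names in Unicode (UTF-16LE) rather than ASCII.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Integer arithmetic on purpose: float seconds lose precision at 1e17 ticks."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


# USN_RECORD_V2 fixed header (60 bytes, little-endian): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp,
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
USN_V2 = struct.Struct("<IHHQQQQIIIIHH")

# Subset of the documented USN reason flags.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}


def split_file_reference(ref):
    """An NTFS file reference is a 48-bit MFT record number plus a 16-bit sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_usn_records(data):
    records, offset = [], 0
    while offset + USN_V2.size <= len(data):
        (length, major, _minor, fileref, parentref, usn, ts, reason, _src, _sid, _attrs,
         name_len, name_off) = USN_V2.unpack_from(data, offset)
        if length == 0:
            offset += 8          # zero-filled gap (sparse region) between records: resync
            continue
        if major != 2 or length < USN_V2.size:
            raise ValueError(f"unsupported or corrupt record at offset {offset}")
        name = data[offset + name_off: offset + name_off + name_len].decode("utf-16-le")
        rec_no, seq = split_file_reference(fileref)
        parent_no, _ = split_file_reference(parentref)
        records.append({
            "usn": usn, "filename": name, "mft_record": rec_no, "mft_sequence": seq,
            "parent_mft_record": parent_no, "timestamp": filetime_to_datetime(ts),
            "reasons": [n for bit, n in REASON_FLAGS.items() if reason & bit],
        })
        offset += length
    return records


def find_filename_unicode(data, needle):
    """Byte offsets where `needle` occurs as UTF-16LE, the encoding the journal stores names in."""
    pat = needle.encode("utf-16-le")
    hits, pos = [], data.find(pat)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pat, pos + 1)
    return hits


def build_usn_record(filename, mft_record, seq, parent_record, usn, filetime, reason):
    """Constructed test record (not captured from a real volume); 8-byte aligned like NTFS writes it."""
    name = filename.encode("utf-16-le")
    length = (USN_V2.size + len(name) + 7) & ~7
    header = USN_V2.pack(length, 2, 0, (seq << 48) | mft_record, parent_record, usn,
                         filetime, reason, 0, 0, 0x20, len(name), USN_V2.size)
    return header + name + b"\x00" * (length - USN_V2.size - len(name))


# Constructed sample journal: create, then rename secret.docx -> report.docx, with a zero gap.
_T0 = datetime_to_filetime(datetime(2007, 1, 30, 9, 15, 0, tzinfo=timezone.utc))
SAMPLE_JOURNAL = (
    build_usn_record("secret.docx", 1234, 3, 5, 0x1000, _T0, 0x00000100 | 0x80000000)
    + b"\x00" * 8
    + build_usn_record("secret.docx", 1234, 3, 5, 0x1058, _T0 + 20_000_000, 0x00001000)
    + build_usn_record("report.docx", 1234, 3, 5, 0x10B0, _T0 + 20_000_000, 0x00002000 | 0x80000000)
)

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_JOURNAL):
        print(r["timestamp"], r["mft_record"], r["filename"], r["reasons"])
```

A rename shows up as a pair of records (old name, then new name) sharing the same MFT record number, which is how the earlier filename of a file can be recovered even after the name no longer exists on the volume.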
Operating System Versions
• Feature availability of different Vista Versions:
• BitLocker – Enterprise & Ultimate (Enterprise only when member of domain)
• Windows Volume Shadow Service (VSS) – Business, Enterprise & Ultimate
• Encrypting File System (EFS) – Business, Enterprise & Ultimate
• Able to join domain – Business, Enterprise & Ultimate
• Remote Desktop server – Business, Enterprise & Ultimate
• Offline files and folder support – Business, Enterprise & Ultimate
• IIS Web Server – Business, Enterprise & Ultimate
Directory Structure Changes
• In the previous figure you can see several Junctions are now used to redirect to a different location, such as the Documents and Settings folder and the Default User folder.
• C:\Documents & Settings ----------------> C:\Users (Junction)
• C:\Users\All Users -------------------> C:\ProgramData (Symbolic Link)
• C:\Users\Default Users --------------------> C:\Users\Default (Junction)
Directory Structure Changes
• Under each user folder, there are additional folders and Junction points.
Directory Structure Changes
• The following chart shows where each Junction shown in the previous figure points to:
• <username>\Application Data -> \<username>\AppData\Roaming
• <username>\Cookies -> \<username>\AppData\Roaming\Microsoft\Windows\Cookies
• <username>\Local Settings -> \<username>\AppData\Local
• <username>\My Documents -> \<username>\Documents
• <username>\NetHood -> \<username>\AppData\Roaming\Microsoft\Windows\Network Shortcuts
• <username>\PrintHood -> \<username>\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
• <username>\Recent -> \<username>\AppData\Roaming\Microsoft\Windows\Recent
• <username>\SendTo -> \<username>\AppData\Roaming\Microsoft\Windows\SendTo
• <username>\Start Menu -> \<username>\AppData\Roaming\Microsoft\Windows\Start Menu
• <username>\Templates -> \<username>\AppData\Roaming\Microsoft\Windows\Templates
Directory Structure Changes
• Under the Documents folder there are three additional Junctions:
• <username>\Documents\My Music -> \<username>\Music
• <username>\Documents\My Pictures -> \<username>\Pictures
• <username>\Documents\My Videos -> \<username>\Videos
In addition, the C:\Users\AppData\Local folder contains three additional Junctions. This folder structure is where the Internet history information is now stored.
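Examiners regularly meet XP-era paths (in link files, registry values, log entries) that must be translated to where the data actually lives on a Vista volume. The Python below, an added example rather than material from the slides, encodes the junction and symbolic-link table above and resolves a path through it. It goes beyond a single lookup: redirections chain (Documents and Settings -> Users, then My Documents -> Documents, then Documents\My Music -> Music), matching is case-insensitive, and a cycle is reported instead of looping. The real on-disk folder names "Documents and Settings" and "Default User" are used in place of the slide's shorthand, target-side spelling is corrected, and {USER} is a placeholder for the profile name.

```python
# Redirections from the slides; {USER} stands for the profile folder name.
REPARSE_POINTS = [
    (r"C:\Documents and Settings", r"C:\Users"),
    (r"C:\Users\All Users", r"C:\ProgramData"),
    (r"C:\Users\Default User", r"C:\Users\Default"),
    (r"C:\Users\{USER}\Application Data", r"C:\Users\{USER}\AppData\Roaming"),
    (r"C:\Users\{USER}\Cookies", r"C:\Users\{USER}\AppData\Roaming\Microsoft\Windows\Cookies"),
    (r"C:\Users\{USER}\Local Settings", r"C:\Users\{USER}\AppData\Local"),
    (r"C:\Users\{USER}\My Documents", r"C:\Users\{USER}\Documents"),
    (r"C:\Users\{USER}\NetHood", r"C:\Users\{USER}\AppData\Roaming\Microsoft\Windows\Network Shortcuts"),
    (r"C:\Users\{USER}\PrintHood", r"C:\Users\{USER}\AppData\Roaming\Microsoft\Windows\Printer Shortcuts"),
    (r"C:\Users\{USER}\Recent", r"C:\Users\{USER}\AppData\Roaming\Microsoft\Windows\Recent"),
    (r"C:\Users\{USER}\SendTo", r"C:\Users\{USER}\AppData\Roaming\Microsoft\Windows\SendTo"),
    (r"C:\Users\{USER}\Start Menu", r"C:\Users\{USER}\AppData\Roaming\Microsoft\Windows\Start Menu"),
    (r"C:\Users\{USER}\Templates", r"C:\Users\{USER}\AppData\Roaming\Microsoft\Windows\Templates"),
    (r"C:\Users\{USER}\Documents\My Music", r"C:\Users\{USER}\Music"),
    (r"C:\Users\{USER}\Documents\My Pictures", r"C:\Users\{USER}\Pictures"),
    (r"C:\Users\{USER}\Documents\My Videos", r"C:\Users\{USER}\Videos"),
]


def _components(path):
    return [c for c in path.replace("/", "\\").split("\\") if c]


def _match_prefix(comps, pattern):
    """(matched component count, captured user) if `pattern` is a case-insensitive prefix."""
    pat = _components(pattern)
    if len(pat) > len(comps):
        return None
    user = None
    for have, want in zip(comps, pat):
        if want == "{USER}":
            user = have
        elif have.casefold() != want.casefold():
            return None
    return len(pat), user


def resolve_vista_path(path, max_hops=8):
    """Rewrite a legacy path through the table until no rule applies.
    Returns (final path, list of rules traversed); a cycle raises ValueError."""
    comps, traversed = _components(path), []
    for _ in range(max_hops):
        best, best_key = None, None
        for src, dst in REPARSE_POINTS:
            m = _match_prefix(comps, src)
            if m is None:
                continue
            key = ("{USER}" not in src, m[0])   # literal rules beat wildcard ones, then longest wins
            if best_key is None or key > best_key:
                best, best_key = (m, src, dst), key
        if best is None:
            return "\\".join(comps), traversed
        (n, user), src, dst = best
        comps = [user if c == "{USER}" else c for c in _components(dst)] + comps[n:]
        traversed.append(src)
    raise ValueError(f"more than {max_hops} reparse hops resolving {path!r}")


if __name__ == "__main__":
    final, hops = resolve_vista_path(r"C:\Documents and Settings\bob\My Documents\My Music\song.mp3")
    print(final)
    for h in hops:
        print("  via", h)
```

The literal-before-wildcard rule matters for profile-level names such as All Users and Default User, which would otherwise be captured as a {USER} value by the per-user rules.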
Public Folders
• In Windows XP, a folder named All Users was located under the Documents & Settings folder and served as a structure that was accessible by all users. In Vista, this has been changed and is called “Public”. Any files or folders located under the “Public” folder are accessible by everyone. Note that the structure on a live machine is different from what is seen from a forensic view.
Registry
• Several new registry files have been added to Windows Vista. The following list represents all the registry hives on a default Vista system:
• C:\Boot\BCD
• C:\Windows\System32\config\RegBack\SECURITY
• C:\Windows\System32\config\RegBack\SOFTWARE
• C:\Windows\System32\config\RegBack\DEFAULT
• C:\Windows\System32\config\RegBack\SAM
• C:\Windows\System32\config\RegBack\COMPONENTS
• C:\Windows\System32\config\RegBack\SYSTEM
• C:\Windows\System32\config\BCD-Template
• C:\Windows\System32\config\COMPONENTS
• C:\Windows\System32\config\DEFAULT
• C:\Windows\System32\config\SAM
• C:\Windows\System32\config\SECURITY
• C:\Windows\System32\config\SOFTWARE
• C:\Windows\System32\config\SYSTEM
• C:\Windows\winsxs\x86_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.0.6000.16386_none_25edb26a062d63a9\BCD-Template
Registry
• The user’s NTUSER.DAT file is still located in the root of the user’s profile folder (C:\Users\<username>).
• Notice that Windows Vista now uses the “REGBACK” folder instead of the “REPAIR” folder that Windows 2000/XP/2003 use for backup copies of the registry.
Registry virtualization
• Windows Vista now contains a feature called “registry virtualization” as part of a security enhancement. This feature ensures that users who are not administrators cannot write to certain parts of the registry, especially during software installation. If a program tries to write to a specific registry key that is protected, the write is seamlessly redirected to a “virtual” registry key contained within the user’s personal registry hive (NTUSER.DAT).
• Any write attempt by a non-administrator to the HKEY_LOCAL_MACHINE\Software registry key(s) causes the system to redirect the write into a virtual store in the user’s profile:
• HKEY_USERS\<User SID>_Classes\VirtualStore\Machine\Software
RECYCLE BIN
• The contents of the recycle bin have changed in Windows Vista, and the name of the folder itself has changed to “$Recycle.bin”.
• The INFO2 file that is present in Windows 2000/XP/2003 has been removed.
• In Windows Vista, two files are created when a file is deleted into the recycle bin. Both files have the same random-looking name, but the names are prefixed with “$R” or “$I”. The file with “$R” at the beginning of the name is actually the data of the deleted file. The file with “$I” at the beginning of the name contains the path where the file originally resided, as well as the date and time it was deleted.
RECYCLE BIN
• In addition, it is important to note that the user’s recycle bin is created the first time the user logs into their account, not the first time a file/folder is deleted as in Windows 2000/XP/2003.
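Added example (not part of the original slides): a Python parser for the Vista $I record described above, plus a helper that pairs $I and $R files by their shared random suffix so that orphaned entries (a $R with no $I, or the reverse) stand out. The $I layout used here is the documented Vista one: an 8-byte header with value 1, the original file size, the deletion time as a FILETIME, and the original path as 260 UTF-16LE characters (544 bytes in total). The $I bytes and the directory listing are constructed inline for the demonstration.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


# Vista $I layout: header/version (8, value 1), original size (8), deletion FILETIME (8),
# original path as 260 UTF-16LE characters, NUL padded (520).
I_FILE = struct.Struct("<QQQ520s")


def parse_i_file(data):
    if len(data) < I_FILE.size:
        raise ValueError(f"$I file truncated: {len(data)} bytes, expected {I_FILE.size}")
    version, size, ft, raw_path = I_FILE.unpack_from(data)
    if version != 1:
        raise ValueError(f"unexpected $I header value {version}; Vista writes 1")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"original_path": path, "original_size": size, "deleted_at": filetime_to_datetime(ft)}


def build_i_file(path, size, deleted_at):
    """Constructed $I content for the demonstration (not captured from a real system)."""
    raw = path.encode("utf-16-le")
    if len(raw) > 518:
        raise ValueError("path longer than 259 characters does not fit the fixed field")
    return I_FILE.pack(1, size, datetime_to_filetime(deleted_at), raw.ljust(520, b"\x00"))


_ENTRY = re.compile(r"^\$([IR])(.+)$")


def pair_recycle_bin_entries(names):
    """Group the files of one user's $Recycle.bin\<SID> folder by the suffix shared between
    $I<suffix> and $R<suffix>. A missing $I means the original path and deletion time are
    gone; a missing $R means only the record of the deletion survives."""
    pairs = {}
    for name in names:
        m = _ENTRY.match(name)
        if not m:
            continue                      # e.g. desktop.ini is not a deleted-file entry
        kind, suffix = m.groups()
        pairs.setdefault(suffix, {"I": None, "R": None})[kind] = name
    return pairs


# Constructed sample data.
SAMPLE_NAMES = ["desktop.ini", "$IA1B2C3.txt", "$RA1B2C3.txt", "$RZ9Y8X7.docx"]
SAMPLE_I = build_i_file(r"C:\Users\alice\Documents\notes.txt", 4096,
                        datetime(2007, 3, 15, 14, 30, 5, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(parse_i_file(SAMPLE_I))
    for suffix, entry in pair_recycle_bin_entries(SAMPLE_NAMES).items():
        print(suffix, entry)
```

Because the $I record holds the original path and deletion time while the $R file holds the content, an examiner who finds a $R file with no matching $I still has the data but has lost where it came from and when it was deleted; the pairing function makes that gap explicit.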
Event Logs
• The Windows event logs have changed dramatically in Windows Vista. A new XML file format is being used for the event logs, and a new extension of “EVTX” is now used. The files are now located in:
• “C:\Windows\System32\winevt\Logs\”
• There are now approximately 30 different event logs that Windows Vista reports events to. Currently these logs can only be read by the native Windows Vista Event Viewer (eventvwr), although an EnCase EnScript is under development.
Windows Photo Gallery
• The Windows Photo Gallery is an application that is designed to make it easy to collect, categorize and edit your digital photos and videos. The Windows Photo Gallery can connect directly to digital devices such as cameras or removable media and then import the photos into the gallery. The photos that are imported into the gallery are stored in the user’s “Pictures” directory under their profile.