
Windows Forensics

Michael Sonntag

August 2015
General thoughts
Windows stores, like most OSs, lots of data for various reasons (finding bugs, speedup, user services etc.)
Most of this information is in proprietary formats
These are typically binary formats, so reverse engineering is a large factor!
There is no "Windows": only Windows XP, XP SP2, XP SP3, Vista, 7, 8, 8.1, 10, CE, Embedded, Server 2008, 2008 R2, 2012, ...
Many of them store data differently!
Comparison: Linux
Less variation, as few distributions are in widespread use
In total many more versions, but some standardization (LSB)
Much less than Windows, even accounting for the various versions
Data is typically stored less OS-dependent, but rather more application-dependent!
Consequence: Individual investigation and comparison of knowledge with the actual system is necessary!
Windows forensics 2
What to look for: Typical aims
Files:
At rest: File was there
Executed: Program was started
Moving: File was moved from/to system; source/destination
Logs:
Something happened. Metadata still exists, but no content.
Example: Proxy log: file was requested at ??? by IP ???; but the actual file content is not available (at least not in the log!)
Was the SW installation performed correctly?
Content:
Memory: Esp. keys and passwords or traces of files/activities
Backups, deleted files
Configuration:
If this happens/happened, the system will/did do that
Example: Program execution
A program was executed: When? Or wasn't it?
Where do we look for traces?
UserAssist: Registry
MRU (Most Recently Used): Registry (somewhere else)
Application Compatibility Cache: Registry (somewhere else)
Prefetch: Separate files
Executable file itself (timestamps): For outside limit(s)
Result:
We have numerous locations
Not all are updated simultaneously (or always; e.g. prefetch!)
We have to look in all places and then combine the results to get the best possible picture
Note: We have no guarantee that we get all information
A program might run without traces (but never: traces without running!)
Where to look
Recycle bin: Deleted files (not necessarily actually gone)
Print spool files: Traces of printouts
Preview icons: What files were present some time ago
Prefetch: What files were executed
Swap/Hibernation file: Traces of memory content
Windows Registry: OS + application configuration & data
Recent files: Opened some time before
USB device history: Connected devices
Restore points: Old versions of files & registry
Autoruns: What happens on booting the OS
Event log: Traces of all kinds of things that happened
Not covered here
Desktop: Normal file folder (but see metadata info!)
Similar: My Documents, Recent Files, ...
Pinned files/Jump lists
Similar to recently used files
C:\Users\<username>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
Start menu entries
Actually a directory structure in the user folder + overlay of general configuration in a different directory
See also Windows 8 Tiles
Volume Shadow Copies: Similar to Restore points
Located under <Volume>\System Volume Information
Windows 8 Refresh / Restore points
Themselves, as well as artifacts left after refreshing/restoring
Windows 8 file history: Automatic backups of user data/files
Windows forensic: Recycle bin
When deleting files normally, they end up in the recycler
Shift+DEL: Deleted immediately; special tools/file carving needed!
Something in the recycler: generally deleted intentionally
These files are completely recoverable: Name, content etc.
Emptying the recycle bin:
The saved files are actually deleted; just like normal files
Their directory entries within the recycler folder remain
Their data remains on the disk until overwritten
The INFO2 file (see later) is deleted and a new one created
Sometimes it is only shortened, i.e. the record numbers continue
Deleting a single file from the recycle bin:
Changes the first byte of the record in the INFO2 file to '00'
This byte is typically the drive letter; recreatable from the drive number in the record!
Note: Removable media does not have a recycle bin!
Windows forensic: Recycle bin
Physical changes on deleting "into" the recycler:
File entry deleted from original directory
Remains there until overwritten!
Modified/Last Access updated
The long filename is deleted
File entry created in recycler directory
D<original drive letter><#>.<original extension>
Dc1.txt: Second deleted file from drive C, had txt extension
Note: In the Windows Explorer you always see only your own files and the filenames from the INFO file!
Subdirectory: User-SID
Information added to recycler index file ("INFO"/"INFO2" file)
Includes deletion time, original location, recycle bin index
Index allows discovery of deletion order!
Attention: Windows Vista replaced the INFO file with a separate file named similarly to the one with the deleted data!
Source: http://support.microsoft.com/kb/136517
Windows forensic: XP Recycle bin
The INFO2 file structure
Binary file
Contains the file name twice: ASCII and Unicode
20 Byte file header; bytes 12-13 (-15?) are the record size
Record size is usually 20 03 = 0x0320 (little endian) = 800 Bytes
Record structure:
260 Bytes: Original file name (ASCII), including path
4 Bytes: Record number (starting at 0)
4 Bytes: Drive number (00 = A, 01 = B, 02 = C, ...)
8 Bytes: Deletion time (FILETIME format, UTC)
4 Bytes: Physical file size (= Bytes on disk!)
Therefore always multiples of the cluster size
Actual file size: See directory entry of the file itself
520 Bytes: Original file name (Unicode), including path
Windows forensic: XP Recycle bin
Example record:
Original filename: C:\Documents and Settings\SONNTAG.ADS-FIM\Desktop\EURO Calculator & Info.URL
Record number: 1
Drive number: 2 (= C:)
Deletion time: bytes 00 63 E7 1E D6 05 C8 01 (= 0x01C805D61EE76300 as little endian FILETIME, = 3.10.2007 15:57:37 UTC)
Physical file size: bytes 00 10 00 00 (= 0x00001000 = 4096 Bytes)
Vista/7/8 - Recycle bin
Directory is the same (User-SID), but the organisation within differs
Each file is stored directly with a new filename: $R<six random characters>.<original extension>
Information on the real filename (and additional data): $I<six random characters>.<original extension>
The six random characters are the same for the $R and the $I file!
Additional data stored in the $I file (file length: 544 Bytes):
Magic number
Original file size (byte order is reversed, i.e. little endian!)
Date and time of deletion (Windows 64 Bit hex value, little endian)
Original file name (520 Bytes = 260 characters = max. path length!)
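As an added example (my code, not from the slides): a Python parser for the two recycle bin index formats described above, the XP INFO2 record and the Vista/7/8 $I file. The sample INFO2 record is built from the values on the XP example slide; the $I magic value 1 (Vista to 8) and reading the record size as a 4 byte field at header offset 12 are assumptions from my own knowledge of the formats.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME = 100 ns ticks since 1601-01-01 00:00 UTC (both formats use it)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


INFO2_HEADER_LEN = 20
INFO2_RECORD_LEN = 800      # 0x0320, the usual record size


def parse_info2(data):
    """Parse an XP INFO2 index; returns one dict per record."""
    if len(data) < INFO2_HEADER_LEN:
        raise ValueError("INFO2 data shorter than its 20 byte header")
    # record size at header offset 12 (read as a DWORD; assumption)
    record_len = struct.unpack_from("<I", data, 12)[0] or INFO2_RECORD_LEN
    records = []
    for off in range(INFO2_HEADER_LEN, len(data) - record_len + 1, record_len):
        rec = data[off:off + record_len]
        ascii_raw = rec[:260]
        index, drive, ft, phys_size = struct.unpack_from("<iIQI", rec, 260)
        # Removing one file from the bin zeroes the first byte of the ASCII
        # name (the drive letter); the drive number lets us restore it.
        removed = ascii_raw[0] == 0
        first = chr(ord("A") + drive) if removed else chr(ascii_raw[0])
        rest = ascii_raw[1:].split(b"\x00", 1)[0].decode("ascii", "replace")
        unicode_name = rec[280:280 + 520].decode("utf-16-le", "replace")
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive) + ":",
            "deleted": filetime_to_datetime(ft),
            "size_on_disk": phys_size,          # multiple of the cluster size
            "name_ascii": first + rest,
            "name_unicode": unicode_name.split("\x00", 1)[0],
            "removed_from_bin": removed,
        })
    return records


def parse_dollar_i(data):
    """Parse a Vista/7/8 $I<random>.<ext> file (always 544 bytes)."""
    if len(data) != 544:
        raise ValueError("expected a 544 byte $I file, got %d bytes" % len(data))
    magic, size, ft = struct.unpack_from("<QQQ", data, 0)   # all little endian
    if magic != 1:      # 1 on Vista..8 (assumption; later Windows use other values)
        raise ValueError("unsupported $I version %d" % magic)
    name = data[24:544].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {"size": size, "deleted": filetime_to_datetime(ft), "name": name}


# --- constructed sample data (values from the XP example slide) ------------
SAMPLE_PATH = r"C:\Documents and Settings\SONNTAG.ADS-FIM\Desktop\EURO Calculator & Info.URL"
SAMPLE_FT = 0x01C805D61EE76300   # on disk: 00 63 E7 1E D6 05 C8 01


def build_info2_record(path, index, drive, ft, size, removed=False):
    ascii_name = path.encode("ascii").ljust(260, b"\x00")
    if removed:
        ascii_name = b"\x00" + ascii_name[1:]
    unicode_name = path.encode("utf-16-le").ljust(520, b"\x00")
    return ascii_name + struct.pack("<iIQI", index, drive, ft, size) + unicode_name


def sample_info2():
    header = struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD_LEN, 0)
    return (header
            + build_info2_record(SAMPLE_PATH, 1, 2, SAMPLE_FT, 4096)
            + build_info2_record(r"C:\temp\old.log", 2, 2, SAMPLE_FT, 8192, removed=True))


def sample_dollar_i():
    name = r"C:\Users\user\Desktop\notes.txt".encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<QQQ", 1, 1234, SAMPLE_FT) + name


if __name__ == "__main__":
    for rec in parse_info2(sample_info2()):
        print(rec)
    print(parse_dollar_i(sample_dollar_i()))
```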
Print spool files
When printing documents they are not immediately sent to the printer but rather stored in a local file
Which is then sent to the printer
And deleted after successful completion
Attention: Users can configure within the printer properties that the data is sent immediately to the printer; this is rare!
Note: This applies to local printers only!
Network printers will have this file created on the print server
Typical file formats for spooling are:
RAW: Directly as the printer wants it, e.g. PostScript or some proprietary format
Device dependent
Can be re-printed simply by sending it to a (similar!) printer again
EMF: Enhanced Metafile Format (32 Bit version of WMF)
Device independent
Viewer programs available
Print spool files
For each print job two files are created:
SHD: Job metadata (owner, printer, print method, ...)
SPL: Job data (RAW or EMF)
Contents of the SHD file:
Username, name of user to notify
Document name
Printing time: SYSTEMTIME structure (= UTC!)
Page count
Windows version
Job ID
Priority
Printer name + driver + mode
Print processor + format
Computer name
Thumbnails: Thumbs.db
Thumbs.db: Hidden file to store thumbnail images (previews) of the files in a folder
At least, if the folder was viewed in "Thumbnail view" at SOME time in the past when the file was already there
Can be deactivated (Default: enabled) in Explorer properties: "Do not cache thumbnails"
Deleting images from the disk will not remove the thumbnail from Thumbs.db!
They will never be removed from it!
Only solution: Delete the Thumbs.db file (then recreated with current images)!
File format: OLE2 Compound Document (MS Office)
What is stored: JPEG, BMP, GIF, HTM
Encrypted files will still have an unencrypted thumbnail!
If viewed in thumbnail view when they were not yet encrypted
However, this security flaw was fixed at some time
Thumbnails: Thumbs.db
Attention:
Windows Vista generally no longer has this file
See below, only for special circumstances
Win2K+NTFS: Thumbnails in ADS (FAT: Thumbs.db!)
Before Windows XP: Contained also drive letter and path (Windows ME, Win2K)
Take care when copying directories to a USB stick:
When copying the directory, the Thumbs.db file is copied too
When copying all files, it is not copied (unless shown anyway)
Thumbs.db can be used to prove that images actually were (but not necessarily seen; see below) on a certain computer: The Thumbs.db file is still there, and the files (including the same Thumbs.db) have been found somewhere else!
Thumbnails: Vista/7/8
They create thumbnails for files on different media types
Including removable and network drives
Including files in encrypted containers, e.g. TrueCrypt
But NOT for files encrypted with EFS, unless the thumbcache directory is also encrypted!
Vista: Thumbnails are not deleted if the file is encrypted by EFS later
Central cache for all directories per user in his folder: %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer
Contains several files:
Thumbcache_{32,96,256,1024}.db: Individual thumbnails in the various sizes (32-1024 pixel)
Thumbcache_idx.db: Central index for thumbnails; required for finding the image in the cache files
Thumbcache_sr.db: Unknown; constant content
Win 7: Last-modified field for each thumbnail removed
Thumbnails: Vista/7/8
When a file is deleted, the cache entry will be deleted too (but not necessarily actually overwritten immediately!)
Thumbcache_??.db:
Indirectly contains the filename: Hash + "." + extension
The Windows Search database (Windows.edb) does contain the ThumbnailCacheID too, so using this file we can also assign full filenames to the cache entries (Hash: try all possible images and see if they match)!
Hash input: Volume GUID, FILEID (NTFS); extension, DOS last write (both >= Win7)
Windows >= 8.1: Additional hash input: Precision loss between original last modified time and DOS modified time (as used in previous versions)
Also: Size (depends on which thumbcache), checksums, offsets, image data
JPG, PNG will remain, others are converted to BMP
File carving: Entries (not the file!) start with CMMM
Thumbcache_idx.db: ThumbnailCacheID + FILETIME when the original (!) file was created (Vista only)
Thumbnails: Vista/7/8
Windows Vista/7/8:
When accessing remote or mapped files, a Thumbs.db file is created in the remote folder
Note: This includes local directories accessed through UNC names
Different file format than Windows XP
Entries are not deleted when the file is deleted
Windows 8:
Thumbs.db files will also be created for other kinds of access (= Explorer), but ONLY in directories under a user profile folder: C:\Users\<Username>\*
This does depend on the location, not on the user!
Browsing another user's folder will create the cache there
Additional _16, _48, _WIDE files
Source: Quick/Tassone/Choo, Forensic Analysis of Windows Thumbcache Files, Proceedings of the 20th Americas Conference on Information Systems (AMCIS 2014), 7-10 August 2014, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2429795
Thumbnails
Confused? Brief overview: see Quick/Tassone/Choo, Forensic Analysis of Windows Thumbcache Files (AMCIS 2014), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2429795
See also: https://thumbcacheviewer.github.io/
Thumbnails: Vista/7/8
Attention!
Thumbnails may be generated even when the folder has NOT been viewed in thumbnail (Large Icons) view!
If the Details pane is active, this is sufficient
At least for two files (the two most recently modified ones, presumably)
When pictures are accessed via a full UNC path and displayed in thumbnail view, a thumbs.db file is created in the folder in which the pictures reside
Only those pictures that were visible (much scrolling needed!)
As the Thumbs.db file format changed between OS versions (XP/Vista/7), based on this file you can identify the OS of the computer viewing them (not the one where the thumbs.db file is located!)
Drag&Drop may also lead to thumbnails being created
Result: The presence of thumbnails does not necessarily mean that the user has seen these pictures (or their directory), only that they existed on the computer!
Source: Parsonage, Under My Thumbs, http://computerforensics.parsonage.co.uk/downloads/UnderMyThumbs.pdf
Windows prefetch
Frequently (or recently) used applications are logged in a special folder: Speed up their start by noting which sectors from the disk will be required directly upon start
These are then swapped in immediately, even if not at the start of the executable file
Stored in directory "C:\Windows\Prefetch"
Naming: <Executable file name>-XXXXXXXX.pf
XXXXXXXX: Hash of the location from where it was run
Count of executing the program: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Value names are ROT-13 encoded!
"Data": DWORD at byte 4 (5th byte), minus 5 = count of executions
Maximum count (XP): 128 entries
Contains also references to loaded modules
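Added example (my code, not from the slides): decoding UserAssist Count values as described above, ROT-13 value names plus the 16 byte data with its "count minus 5" rule. The sample registry values are constructed; the 72 byte Windows 7 layout handled alongside the XP layout is from my own knowledge, not the slide.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601, UTC) to datetime; 0 means never run."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist(value_name, data):
    """Decode one value of ...\\UserAssist\\{GUID}\\Count.

    The value name is ROT-13 encoded.  The 16 byte 2000/XP/2003 data layout is
    session id, run count, FILETIME of the last run; the stored count starts
    at 5, hence the "-5" from the slide.  The 72 byte Windows 7 layout (count
    at offset 4, last run at offset 60, no +5) is from my own knowledge.
    """
    name = codecs.decode(value_name, "rot_13")
    if len(data) == 16:
        _session, count, ft = struct.unpack("<IIQ", data)
        count = max(count - 5, 0)
        layout = "xp"
    elif len(data) == 72:
        count = struct.unpack_from("<I", data, 4)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
        layout = "win7"
    else:
        raise ValueError("unknown UserAssist data length %d" % len(data))
    return {"name": name, "run_count": count,
            "last_run": filetime_to_datetime(ft), "layout": layout}


def decode_count_key(values):
    """Decode a whole Count key given {raw_name: raw_data}.  Skips the
    bookkeeping entries and returns the program entries, newest run first."""
    entries = []
    for raw_name, raw_data in values.items():
        name = codecs.decode(raw_name, "rot_13")
        if name.startswith("UEME_CTLSESSION") or name.startswith("UEME_CTLCUACount"):
            continue
        entries.append(decode_userassist(raw_name, raw_data))
    entries.sort(key=lambda e: e["last_run"] or EPOCH_1601, reverse=True)
    return entries


# --- constructed sample (XP layout); the names are stored ROT-13 encoded ---
def rot13(text):
    return codecs.encode(text, "rot_13")


SAMPLE_COUNT_KEY = {
    rot13("UEME_CTLSESSION"): struct.pack("<IIQ", 1, 0, 0),
    # stored count 8 = 3 real executions, last run 3.10.2007 15:57:37 UTC
    rot13(r"UEME_RUNPATH:C:\Windows\notepad.exe"):
        struct.pack("<IIQ", 1, 8, 0x01C805D61EE76300),
    # stored count 5 = 0 executions, FILETIME 0 = never run
    rot13(r"UEME_RUNPATH:D:\setup.exe"): struct.pack("<IIQ", 1, 5, 0),
}

if __name__ == "__main__":
    for entry in decode_count_key(SAMPLE_COUNT_KEY):
        print(entry)
```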
Windows prefetch
When is it updated?
XP: Boot time and application launch; 2003: Boot time (default)
Disabled for SSD disks by default
Attention: Prefetch is system-wide
You cannot tell from the file which user executed it
But with MAC times this may be possible, if you know who was logged on at which time
See also the UserAssist registry entries (previous slide; HKCU!)
Note the MAC times of the files:
Created: Program was started for the first time
Modified: Program was started for the "last" time
Attention: Prefetch files will not be updated after some time; probably when Windows decides it exactly knows what to do
Accessed: Last run time of the program
Attention: No longer updated by default on Vista or later!
Disabling prefetch: http://msdn2.microsoft.com/en-us/library/ms940847.aspx
Windows prefetch
.pf file content
Filename: Offset 0x10
Timestamp: FILETIME at offset 0x78 (XP) / 0x80 (>= Vista)
Run count: DWORD at offset 0x90 (XP) / 0x98 (>= Vista)
Magic number at start: 0x11 (XP) / 0x17 (>= Vista), then 0x00 0x00 0x00 SCCA; the file has no end marking
List of files accessed in the first 10 minutes
Can be used to inspect suspected malware (what did it load) or media files launched through double-clicking them
Can provide information on paths no longer existing
Example: TrueCrypt volume, deleted executables etc.
Layout.ini: List of files used on booting
Used for arranging files during defragmentation
Unwanted programs started on booting?
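Added example (my code, not from the slides): a header parser for .pf files using the version-dependent offsets listed above, extended with the file name strings section (its offset at 0x64 and length at 0x68 are my knowledge of the format, not the slide). The sample file, including its hash value, is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


# Offsets from the slide (last run FILETIME, run count) keyed by the version
# DWORD at offset 0.  Name length, hash offset and the file name strings
# section (offset at 0x64, length at 0x68) are from my own knowledge.
PF_LAYOUT = {
    0x11: {"os": "XP/2003", "last_run": 0x78, "run_count": 0x90},
    0x17: {"os": "Vista/7", "last_run": 0x80, "run_count": 0x98},
}
PF_NAME_OFFSET, PF_NAME_LEN = 0x10, 60      # UTF-16LE, 29 chars + terminator
PF_HASH_OFFSET = 0x4C                       # same hash as in the .pf file name
PF_STRINGS_OFFSET, PF_STRINGS_LEN = 0x64, 0x68


def parse_prefetch(data):
    if len(data) < 0x9C:
        raise ValueError("file too small to be a prefetch file")
    version, magic = struct.unpack_from("<I4s", data, 0)
    if magic != b"SCCA":
        raise ValueError("missing SCCA signature")
    layout = PF_LAYOUT.get(version)
    if layout is None:
        raise ValueError("unsupported prefetch version 0x%X" % version)
    name = data[PF_NAME_OFFSET:PF_NAME_OFFSET + PF_NAME_LEN]
    name = name.decode("utf-16-le", "replace").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, PF_HASH_OFFSET)[0]
    last_run = struct.unpack_from("<Q", data, layout["last_run"])[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    str_off = struct.unpack_from("<I", data, PF_STRINGS_OFFSET)[0]
    str_len = struct.unpack_from("<I", data, PF_STRINGS_LEN)[0]
    files = []
    if 0 < str_off and str_off + str_len <= len(data):
        blob = data[str_off:str_off + str_len].decode("utf-16-le", "replace")
        files = [s for s in blob.split("\x00") if s]   # null separated paths
    return {
        "os": layout["os"],
        "executable": name,
        "expected_filename": "%s-%08X.pf" % (name, path_hash),
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "files": files,
    }


def build_sample_pf(version=0x17):
    """Constructed .pf file (not a real one) with a short file list; the hash
    value is made up.  The last path shows a volume that may no longer exist."""
    layout = PF_LAYOUT[version]
    files = [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
             r"\DEVICE\HARDDISKVOLUME1\WINDOWS\NOTEPAD.EXE",
             r"\DEVICE\TRUECRYPTVOLUMEX\SECRET.TXT"]
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    strings_offset = 0x100
    buf = bytearray(strings_offset + len(strings))
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))                 # file size
    buf[PF_NAME_OFFSET:PF_NAME_OFFSET + 22] = "NOTEPAD.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, PF_HASH_OFFSET, 0x12345678)     # constructed hash
    struct.pack_into("<I", buf, PF_STRINGS_OFFSET, strings_offset)
    struct.pack_into("<I", buf, PF_STRINGS_LEN, len(strings))
    struct.pack_into("<Q", buf, layout["last_run"], 0x01C805D61EE76300)
    struct.pack_into("<I", buf, layout["run_count"], 7)
    buf[strings_offset:] = strings
    return bytes(buf)


if __name__ == "__main__":
    print(parse_prefetch(build_sample_pf()))
```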
Swap/Paging file
Contains pages from the memory
Not necessarily in a useful order!
Data may remain there for a very long time as well, if this sector happens not to be used
Attention: Normal shutdown may delete, truncate, or overwrite the swap file!
In important cases it is therefore necessary (after doing live analysis) to pull the plug, but not shut down the system!
A hidden file (Linux: partition!): C:\pagefile.sys (or on another drive, e.g. D:)
Typical application for file/data carving: Assembling a file/some content from numerous smaller parts
Very difficult and unreliable, unless complete and in correct order (this is likely true only for very small files/data elements)!
Practical usage: Search for strings/regular expressions
Swap/Paging file
Attention: Anything found in there is "unreliable"!
You don't know when this information was put in there
You don't know which user was logged in at that time
The data might already have been on the disk when the paging file was created
The swap file need not be located in contiguous sectors
There may be small "holes", which perhaps are not reused for a long time because they are so small
Good location for finding old file fragments
Hibernation file
Similar to the swap file: Contains memory pages
But here it is a complete image of the total memory!
May be smaller or larger than the swap file
Can be used to recreate the last use of the computer
Virtual machines come in handy for this
A hidden file: C:\Hiberfil.sys
Attention: The first block will always be overwritten with zeros after boot, so never wake up a hibernated computer without obtaining a forensic copy before!
Rest of the file remains unchanged until the next hibernation
So the state at a previous point in time might be recreated partly (computer won't run, but memory might be salvaged)
The hibernation file is compressed: No plain text search
Hibernation file
Very important in case of disk encryption: When the computer is running, the key is in the memory.
Creating a memory dump will allow decrypting the disk
Not necessarily booting: The password is not recovered, only the cryptographic key. But a decrypted disk might allow (with some modifications) booting!
When hibernated: The hibernation file is encrypted itself, so it is not very useful then.
Other kinds of encryption, e.g. TrueCrypt containers: Keys are in memory too
Hibernation files are part of shadow copies too, so keys from containers opened weeks before might still be on the disk!
Password cracking/recovery software has special analysis functions to extract passwords/keys from it
The Windows Registry
The Registry is similar to a file system:
Hierarchical storage of data
Keys = Directories
Values = Files: Name, Data and Type (BINARY, DWORD, SZ, MULTI_SZ, EXPAND_SZ)
5 root keys exist:
HKLM: HKEY_LOCAL_MACHINE (Computer-specific data)
HKU: HKEY_USERS (User-specific data)
HKCR: HKEY_CLASSES_ROOT (application settings, file associations, class registrations for COM objects)
Link to HKLM\Software\Classes
HKCC: HKEY_CURRENT_CONFIG (Current hardware config.)
Link to HKLM\System\CurrentControlSet\Hardware Profiles\Current
HKCU: HKEY_CURRENT_USER (Current user's data)
Link to HKU\<SID of current user>
Registry: Physical storage
The Registry is logically a "single file", but parts are stored in different files or created dynamically
File locations:
HKLM\SAM: %SYSTEMROOT%\System32\config\SAM
HKLM\Security: %SYSTEMROOT%\System32\config\SECURITY
HKLM\Software: %SYSTEMROOT%\System32\config\software
HKLM\System: %SYSTEMROOT%\System32\config\system
HKLM\Hardware: Stored in memory only, not on disk!
HKU\.Default: %SYSTEMROOT%\System32\config\default
HKU\<SID>: %USERPROFILE%\NTUSER.DAT
HKU\<SID>_Classes: %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
User/group identifiers: SID
SID = Security Identifier
S-1-0-0 (Nobody): A group with no members
S-1-1-0 (Everyone): A group that includes all users
S-1-2-0 (Local): Users who logged on locally
S-1-2-1 (Console Logon): Users on the physical console
S-1-3-0 (Creator Owner): The user who created a new object
S-1-3-1 (Creator Group): The primary group of the user who created a new object
S-1-5-2 (Logon Network): Users logging on via network
S-1-5-7 (Anonymous): Anonymous logged on users
S-1-5-18 (Local System): The OS itself
S-1-5-19 (Local Service): Service account
S-1-5-20 (Network Service): Service account
S-1-5-21-?????-500: Administrator (unique! The middle part is installation dependent)
S-1-5-32-544 (Administrators): Group of all administrators
Sources: http://msdn.microsoft.com/en-us/library/windows/desktop/aa379649%28v=vs.85%29.aspx, http://support.microsoft.com/kb/243330/en-us
Obtaining access to an account
No password for a Windows account? Login might still be possible!
Passwords are stored as hashed values in the Registry (SAM)
Procedure:
Obtain a Password Reset CD
Obviously also possible manually, just very complex (find registry on disk, find location in registry)
Boot from this CD
Let it overwrite the hash in the registry with a known one
Can be anything, e.g. an empty password
Shutdown and reboot in Windows
Enter the password and log in
Drawback:
Encrypted files will be destroyed by this!
Why? EFS needs the actual password for decryption
Merely being the user is insufficient!
Note: This technique is generic. It works the same way for Linux or any other application storing the passwords as hashes where they are accessible (potentially only offline!)
AutoRun
AutoRun Programs
Long list of locations in the registry, e.g.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run resp. \RunOnce
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run resp. \RunOnce
Same under HKCU!
Explorer hooks, like HKLM and HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
Print monitors: HKLM\SYSTEM\CurrentControlSet\Print\Monitors
Winlogon notifications
Long list of locations outside the registry, e.g.
Startup folder in the start menu of the user profile
Scheduled tasks
Problem: Things might be started from anywhere; no authoritative list from Microsoft available
Useful tool: AutoRuns from Microsoft: will show all locations that are currently known
Source: http://technet.microsoft.com/en-en/sysinternals/bb963902
Autorunner
Like AutoRuns (based on it), but
Runs on multiple user accounts in one go
Parses LNK files to the actual file linked
Allows specifying multiple drive mappings
Different partitions were imaged to different files/mounted drives
Can perform hash checks against VirusTotal
Sources: http://www.woanware.co.uk/forensics/autorunner.html, http://www.chip.de/downloads/Autorunner_13007784.html
Installed software
Software might be installed, although not visible as an icon on the desktop or in any start menu
Registry keys are usually created during installation, but not always removed (although they should be) when the program is uninstalled
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Separate registry keys for application settings might exist too
Verification:
Check for the actual executable at the contained path
Check the timestamp on the registry key
Cross-verification: Search for all executable files
Note: Will not work for all kinds of plugins!
RegRipper
A tool to "rip" the registry
Attention: Will not let you view open registry hives!
Use: Collection of registry keys with interesting values
Very large collection, and provides explanations too
Organizing the process: AutoRip (plugins are grouped into collections)
Source: https://code.google.com/p/regripper/wiki/RegRipper
Example output (listsoft plugin only):
listsoft v.20080324
(NTUSER.DAT) Lists contents of user's Software key

listsoft v.20080324
List the contents of the Software key in the NTUSER.DAT hive
file, in order by LastWrite time.

Tue May 14 14:55:56 2013Z Cygwin
Thu Dec 20 16:35:24 2012Z X-Ways AG
Mon Dec 17 16:35:28 2012Z Hewlett-Packard
Mon Dec 17 16:26:05 2012Z Microsoft
Mon Dec 17 16:06:55 2012Z AMD
Mon Dec 17 16:06:55 2012Z Wow6432Node
Mon Dec 17 16:06:51 2012Z ATI
Mon Dec 17 15:13:03 2012Z JavaSoft
Mon Dec 17 13:03:18 2012Z Realtek
Recent files: MRU lists
MRU = Most Recently Used
Usually stored within the registry
Common lists include:
Start menu: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Equivalent of %USERPROFILE%\Recent = "My Recent Documents"
Includes both local and network files!
Run box: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
In order of most recently added (not: used)!
Files (Common dialog box):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Typed URLs in IE: HKCU\Software\Microsoft\Internet Explorer\TypedURLs
Recent files: MRU lists
Windows default search: HKCU\Software\Microsoft\Search Assistant\ACMru
Subkey "5603": Search terms for folders and filenames
Subkey "5604": Search terms for words/phrases within files
Note: MRU list locations depend heavily on the Windows version, software version, installed patches and program configuration!
Use the software on a copy of the evidence when using the program to identify the registry keys it modifies
E.g. SysInternals RegMon
Typical key names for other software are: Settings, MRU, Recent, Opened, ...
Last opened application
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidMRU (< Vista: LastVisitedMRU)
Applications last used to access the files listed in OpenSavePidMRU (OpenSaveMRU)
Contains path information as well
Running SW: App Compatibility
Some applications might have problems running on newer versions of Windows. These can be partially solved by replacing certain system functions by older versions (or in-memory patching, additional flags, ...).
This is a database on disk, but the registry contains a cache of a number of items from it
Drawback: Only some elements; the format changed several times: XP, Vista/2008, 7/2008R2
What is in there?
Executables recently run
Last modification time
File was executed?
File size
Last time file was run
Source: https://www.mandiant.com/blog/leveraging-application-compatibility-cache-forensic-investigations/
MUI cache
When an application is started, the shell stores the application name in the registry
Name: Multilingual User Interface Cache
Content: FileDescription from the resource of the executable
Unfortunately nothing else
Note: All are values in a single key (or a few keys): Timestamp useless
XP/2000/2003: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
Vista/7/2008: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
HKCU\Software\Classes\Local Settings\MuiCache\**
Source: https://www.mandiant.com/blog/execute/
File execution hints
Other caches of whether files were executed:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\ProgramsCache
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheTBP
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCacheSMP
Source: https://tzworks.net/prototype_page.php?proto_id=19
Recent files
Entries in "Recent", "Send to", "Start Menu", ...
Can prove the existence of files now deleted
Note: Usually not produced on creating/copying, but only on opening!
Especially useful for removable media, e.g. USB sticks
Saved on the disk as ".LNK" files, i.e. shortcuts
These contain a lot of information:
File location
Type of disk (hard disk, removable media, CD, ...)
File attributes, length, ...
Icon information
MAC times
May contain additional data: Working directory, shell item ID, description, command line arguments, custom icon etc.
USB device history
When a USB device is connected to a computer, this is "logged" within the registry
I.e., configured and the appropriate driver (if necessary) installed
This information remains when the device is disconnected!
Note: Most USB storage devices possess a unique serial number
So the exact item can be recognized, not only its class/manufacturer!
Software: UVCView from Microsoft
Registry key: HKLM\System\ControlSet00?\Enum\USBSTOR
Subkey: Vendor, Product and Revision
Sub-Subkey: Serial number (if existing; else generated)
ParentIdPrefix: Corresponds to HKLM\System\MountedDevices
Binary value!
See also software: USBDeview!
Excursion: Device installation
XP: In C:\Windows\setupapi.log the first installation of a driver is logged
Win Vista, 7: more complex, but more data
C:\Windows\inf\setupapi.app.log: Application installation
Still used for devices and not programs (wrong name)! Application software installations that are associated with device driver installations.
C:\Windows\inf\setupapi.dev.log: Device log
Contains e.g. unique IDs of USB devices
C:\Windows\inf\setupapi.offline.log: Initial installation
C:\Windows\setupact.log: Setup activities during installation
C:\Windows\setuperr.log: Errors during installation
Never deleted, only exact source of first plug-in times
Created by default, cannot be turned off via registry
Remains during an OS upgrade
Source: https://msdn.microsoft.com/en-us/library/windows/hardware/ff550900%28v=vs.85%29.aspx
(Graphic, not reproduced here: shows which files are used for logging when)
Initial Windows installation
The last section is the same as in normal use!
Source: https://technet.microsoft.com/en-us/library/ee851579%28v=ws.10%29.aspx
Excursion: Device installation
C:\Windows\inf\setupapi.app.log example:
>>> [DIF_INSTALLDEVICE - ROOT\*ISATAP\0004]
>>> Section start 2015/07/20 08:06:42.086
cmd: C:\Windows\system32\svchost.exe -k netsvcs
cci: NdisCoinst: Guid of the adapter is {E18371B6-A10D-48AA-BFB6-7902DE674188}
cci: NdisCoinst: IfType 131, Characteristics 0x9, IsIrdaDevice 0, PhysicalMediaType 0, MediaType 15, IsBridge 0, FoundGuidInDownlevel 0, EnableDhcp 2
cci: NdisCoinst: Connection name is Local Area Connection* 11
cci: NdisCoinst: Allocated NetLuidIndex is 10
dvi: {Writing Device Properties}
! dvi: Device restart was skipped becasuse the DI_DONOTCALLCONFIGMG flag was set.
<<< Section end 2015/07/20 08:06:42.149
<<< [Exit status: SUCCESS]
(Note: "becasuse" is a real typo in Windows' own log message!)

C:\Windows\inf\setupapi.dev.log example:
>>> [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_External&Rev_2.10\5A383430335A445620202020&0]
>>> Section start 2015/06/16 08:09:36.946
(... about 300 lines of log entries ...)
ump: Server install process exited with code 0x00000000 08:09:37.440
<<< Section end 2015/06/16 08:09:37.455
<<< [Exit status: SUCCESS]
Example device:
Vendor: TinyDisk (case label: "extreMEmory USB 2.0 4GB")
Product: 2007-06-13, Rev. 0.00
Serial number: 000000000001E1
ParentIdPrefix: 7&362d04ba&0
HKLM\System\MountedDevices: "\DosDevices\G:" = \??\STORAGE#RemovableMedia#7&362d04ba&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
USB device history: setupapi.log
[2007/07/20 11:42:13 840.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disktinydisk2007-06-13______0.00,usbstor\disktinydisk2007-06-13______,usbstor\disktinydisk,usbstor\tinydisk2007-06-13______0,tinydisk2007-06-13______0,usbstor\gendisk,gendisk
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "GenDisk" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I023 Actual install section: [disk_install.NT]. Rank: 0x00000006. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [disk_install] in "c:\windows\inf\disk.inf".
#I320 Class GUID of device remains: {4D36E967-E325-11CE-BFC1-08002BE10318}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_TINYDISK&PROD_2007-06-13&REV_0.00\000000000001E1&0".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [disk_install.NT.Interfaces] from "c:\windows\inf\disk.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "USBSTOR\DISK&VEN_TINYDISK&PROD_2007-06-13&REV_0.00\000000000001E1&0".
#I121 Device install of "USBSTOR\DISK&VEN_TINYDISK&PROD_2007-06-13&REV_0.00\000000000001E1&0" finished successfully.
Note: This file exists on Windows XP and earlier only!

USB device history: setupapi.dev.log
>>> [Device Install (Hardware initiated) - USB\VID_13FD&PID_1340\5A383430335A445620202020]
(The hex string 5A383430335A445620202020 is the serial number: converted to ASCII = Z8493ZDV)
>>> Section start 2015/06/16 08:09:36.665
ump: Creating Install Process: DrvInst.exe 08:09:36.665
ndv: Retrieving device info...
ndv: Setting device parameters...
ndv: Searching just Driver Store...
dvi: {Build Driver List} 08:09:36.680
dvi: Searching for hardware ID(s):
dvi: usb\vid_13fd&pid_1340&rev_0210
dvi: usb\vid_13fd&pid_1340
dvi: Searching for compatible ID(s):
dvi: usb\class_08&subclass_06&prot_50
dvi: usb\class_08&subclass_06
dvi: usb\class_08
cpy: Policy is set to make all digital signatures equal.
dvi: Enumerating INFs from path list 'C:\Windows\INF'
inf: Opened PNF: 'C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf' ([strings.0409])
dvi: Created Driver Node:
dvi: HardwareID - USB\Class_08&SubClass_06&Prot_50
dvi: InfName - C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf
dvi: DevDesc - USB Mass Storage Device
dvi: DrvDesc - USB Mass Storage Device
dvi: Provider - Microsoft
...

USB device history
Last connection:
HKLM\System\ControlSet00?\Control\DeviceClasses
Subkey "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": Disks
Contains a subkey with the serial number included
Subkey "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}": Volumes
Contains a subkey with the ParentIdPrefix included
The LastWrite Time of these keys is the date and time the
device was last connected to the computer
Accessing the LastWrite time:
Special tools, or
Regedt32: Export as text and open in Notepad
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_TinyDisk&Prod_2007-06-13&Rev_0.00#000000000001E1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Class Name: <NO CLASS>
Last Write Time: 21.12.2007 - 09:12
Value 0
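An added example (not from the slides) that parses the "export as text" layout shown above: it pulls the serial number or ParentIdPrefix out of each DeviceClasses subkey name and pairs it with the key's LastWrite time. The export text is constructed to match the TinyDisk example; the timestamp format is assumed to be the one shown (dd.mm.yyyy - HH:MM).

```python
import re
from datetime import datetime

# Interface class GUIDs named on the slide
DISK_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"    # disks
VOLUME_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"  # volumes

# Constructed sample in the regedt32 "export as text" layout shown above
# (two DeviceClasses subkeys for the TinyDisk example; values omitted).
SAMPLE_EXPORT = """\
Key Name: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\##?#USBSTOR#Disk&Ven_TinyDisk&Prod_2007-06-13&Rev_0.00#000000000001E1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Class Name: <NO CLASS>
Last Write Time: 21.12.2007 - 09:12
Value 0

Key Name: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\##?#STORAGE#RemovableMedia#7&362d04ba&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Class Name: <NO CLASS>
Last Write Time: 21.12.2007 - 09:13
Value 0
"""

# Device ID fragments embedded in the subkey names
USBSTOR_RE = re.compile(r"#USBSTOR#Disk&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)"
                        r"&Rev_(?P<rev>[^#]+)#(?P<serial>[^&#]+)&\d+#", re.IGNORECASE)
VOLUME_RE = re.compile(r"#STORAGE#RemovableMedia#(?P<parent>[^#]+)&RM#", re.IGNORECASE)

def parse_export(text):
    """Yield (key name, LastWrite time) pairs from a regedt32 text export."""
    key = None
    for line in text.splitlines():
        if line.startswith("Key Name:"):
            key = line.split(":", 1)[1].strip()
        elif line.startswith("Last Write Time:") and key is not None:
            stamp = line.split(":", 1)[1].strip()          # "21.12.2007 - 09:12"
            yield key, datetime.strptime(stamp, "%d.%m.%Y - %H:%M")
            key = None

def usb_last_connections(text):
    """Map DeviceClasses subkeys to device identity plus the last connection
    time (the key's LastWrite time, as explained on the slide)."""
    found = []
    for key, last_write in parse_export(text):
        low = key.lower()
        disk = USBSTOR_RE.search(key)
        volume = VOLUME_RE.search(key)
        if disk and DISK_GUID in low:
            found.append({"kind": "disk", "vendor": disk["vendor"], "product": disk["product"],
                          "revision": disk["rev"], "serial": disk["serial"],
                          "last_connected": last_write})
        elif volume and VOLUME_GUID in low:
            found.append({"kind": "volume", "parent_id_prefix": volume["parent"],
                          "last_connected": last_write})
    return found
```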

Registry: Owner information
Owner/Organization: HKLM\Software\Microsoft\Windows NT\CurrentVersion
RegisteredOwner: Owner name
RegisteredOrganization: Organization name
ProductId: Product ID
DigitalProductId: Contains encrypted license key (Bytes 52-66)
InstallDate: Installation date (UNIX timestamp)
SystemRoot: Windows installation directory
Last user: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
DefaultUserName: Last logged in user
When? Timestamp of key!
DefaultDomainName: Last domain logged into
DontDisplayLastUserName: Don't store information above
Source: http://www.dagondesign.com/articles/windows-xp-product-key-recovery/
Source: http://geekswithblogs.net/willemf/archive/2006/04/23/76125.aspx
Registry: Timezone information
[Screenshot of the active time zone registry key; callouts: "Last Sunday in March at 02:00", "Last Sunday in October at 03:00", "Data from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones is copied here"]
ActiveTimeBias: Current (0xffffff88 = -120 = 2 h E of GMT)
DaylightBias: Delta during DST (= -60 = 1 h East of GMT)
Daylight-/StandardStart: Should be a SYSTEMTIME structure
Year, Month (1=Jan), Day of week (0=Sun), Week (5=last), Hour, Min, Sec, ms (two bytes each); (doesn't match above!)
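An added example (not from the slides) decoding the values just described: the signed DWORD biases and the 16-byte SYSTEMTIME transition rules. The sample values are constructed to match the callouts above and are assumed to come from HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation, a key the slide does not name.

```python
import struct

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
MONTHS = (None, "Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

def signed_dword(value):
    """REG_DWORD is stored unsigned, but the bias values are signed minutes."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]

def hours_east_of_gmt(bias_minutes):
    """Windows defines bias = UTC - local, so local = UTC - bias."""
    return -bias_minutes / 60

def parse_systemtime(raw):
    """Decode the 16-byte SYSTEMTIME (8 little-endian WORDs) stored in
    DaylightStart/StandardStart. In a transition rule Year is 0, Day holds the
    week of the month (5 = last) and DayOfWeek the weekday (0 = Sunday)."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be 16 bytes, got %d" % len(raw))
    keys = ("year", "month", "day_of_week", "week", "hour", "minute", "second", "ms")
    return dict(zip(keys, struct.unpack("<8H", raw)))

def describe_transition(raw):
    st = parse_systemtime(raw)
    if st["month"] == 0:                      # zone without DST: all-zero rule
        return "no transition"
    week = "last" if st["week"] == 5 else "%d." % st["week"]
    return "%s %s in %s at %02d:%02d" % (week, DAYS[st["day_of_week"]],
                                         MONTHS[st["month"]], st["hour"], st["minute"])

def summarize(values):
    """values: dict of registry value name -> raw content (int or bytes)."""
    return {
        "active_offset_hours": hours_east_of_gmt(signed_dword(values["ActiveTimeBias"])),
        "dst_delta_hours": hours_east_of_gmt(signed_dword(values["DaylightBias"])),
        "dst_starts": describe_transition(values["DaylightStart"]),
        "dst_ends": describe_transition(values["StandardStart"]),
    }

# Constructed values (assumed to come from the TimeZoneInformation key),
# chosen to match the slide's callouts.
SAMPLE = {
    "ActiveTimeBias": 0xFFFFFF88,                                  # -120 min -> UTC+2
    "DaylightBias": 0xFFFFFFC4,                                    # -60 min during DST
    "DaylightStart": struct.pack("<8H", 0, 3, 0, 5, 2, 0, 0, 0),   # last Sun in Mar, 02:00
    "StandardStart": struct.pack("<8H", 0, 10, 0, 5, 3, 0, 0, 0),  # last Sun in Oct, 03:00
}
```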
Source: http://msdn.microsoft.com/en-us/library/ms725481%28v=vs.85%29.aspx
Source: http://msdn.microsoft.com/en-us/library/ms724950%28v=vs.85%29.aspx
Registry: Network shares
"My Network Shares": List of shares within the LAN
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
Allows reconstruction of a past view, i.e. what shares were
accessed by the user
Contains computers, shares (directories) and printers
Value: Name = server/share/printer; Content = Description

Registry: WLANs
When accessing a WLAN, its SSID is stored: HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces
Subkeys look like GUIDs with values for "ActiveSettings", "Static#000?", ...
The values for "Static#000?" contain the SSIDs at offset 0x14
IP address information for this connection (last only):
HKLM\System\ControlSet00?\Services\Tcpip\Parameters\Interfaces
Look for the same "GUID" key as of the WLAN!
Dhcp*: Data on DHCP server, assigned address, netmask, default gateway, domain, nameservers, ...
LeaseObtainedTime/-TerminatesTime: Unix 32-bit timestamp
When the Address was received and what is the definite last time it could
have been used (but not: was used!)

Registry: Timestamps
Every single registry key has a "LastWrite" time value
Does NOT exist for registry values!
Format: FILETIME
Updated, when a registry value directly within this key is
created, modified, or deleted
Win2K and WinXP registry editors are flawed
Regedit.exe, regedt32.exe
Registry values with a name length of 256-259 characters are
not shown
Values afterwards are suppressed as well
Subkeys are inaccessible too
But "reg.exe", the console registry tool, can show (and
manipulate) such values!

Source: http://search.cpan.org/~adamk/Win32-TieRegistry-0.25/TieRegistry.pm


Registry: Various data
Thinking about shutting down a suspect's computer?
First check: HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
Value "1": Paging file NOT deleted, but overwritten with zeros
HKLM\System\CurrentControlSet\Control\FileSystem\
NtfsDisableLastAccessUpdate
Disables writing last access timestamp on the file system
Will still be changed on file modifications (i.e. writing to it), but not on
reading, accessing properties etc! Set to 1 by Default since Vista.
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
Contains IE auto-complete passwords (encrypted)
Content not directly accessible, not even with regedt32
But can be read in live systems or by parsing the registry file
Substituting executed programs
Allows hiding what programs were actually executed!
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Create subkey with name of executable, e.g. "calc.exe"
Create string with name "Debugger" and value of alternate
program, e.g. "C:\Windows\notepad.exe"
Typing "calc.exe" will then start the text editor
With "calc.exe" as parameter
or whatever the "original" file was, e.g. a .lnk file!
Shows only the "original" program in history lists!
HKCR\{exe|com|bat}file\shell\open\command
Default value contains command to execute ".exe" files
Similar for the explorer context menu:
HKCR\Drive\shell and HKCR\Folder\shell

Process information
The task manager shows the current processes, but only
little information is available; most is statistical in nature
So live monitoring of activities might be useful
Active users on a server
Especially software (i.e. specific processes)
Additionally it is very useful in the forensic process
We assume that this happens to the timestamps, when a user
performs this action.
Monitoring the system while doing it allows verifying whether
this is really a result, and whether it stems from this action
Also useful: Registry diffs
Copy registry → Install software/perform action → Copy registry → Identify differences

Process information
Process Monitor allows deep investigations:
Realtime monitoring of all activity in file system, registry,
network, and process (e.g. create child) of all processes
Needs serious filtering: Thousands of events per second!
And starts logging immediately upon start (CTRL+E stops)
Attention: Will automatically exclude several elements:
Itself (obviously!), but also Autoruns.exe, FASTIO operations,
everything ending in pagefile.sys/$Mft/$LogFile/, the
System process, profiling events etc.
Typically of use if we need to find out:
Who accesses some resource (file, registry key, ...)
What a specific process is doing
Attention: May slow down Windows when capturing!

[Screenshot: Windows Sysinternals Process Monitor]
Source: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
System restore points
Stored under C:\System Volume Information
Not accessible through Explorer, but by forensic tools!
Not even for the administrator!
Deleting a single one is very hard (but: all or all but last is easy)!

By default created every 24 hours & retained for 90 days (Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore)
Also: Manually, before Windows update/SW installation
When reverting to a previous point, another restore point is created
(to allow going "forward" again)
Restoration is recorded in the system event log (Event ID 110)!
Disabling them is possible
Less than 200 MB free on system drive → automatically disabled!
Restoring is logged in the event log
Based on VSS (Volume Shadow Copy Service)
Will create a copy if something changes → fast to create
Maximum of 64 per volume

Source: http://128.175.24.251/forensics/restorepoints.htm


System restore points
Content:
Files to restore (see change.log for original path/filename)
Documents (some), executables, ...; drivers and system files
Typically not any user files!
At least, not if they are in the normal location / normal file formats
Subfolder "snapshot": Registry files (SAM, Security, Software,
System, .Default, NTUSER files, USRCLASS files)
Getting access:
Run cmd.exe as Administrator
vssadmin list shadows shows all shadow copies
mklink /d c:\<directory> \\?\GLOBALROOT\Device\<ShadowName>\ creates a symbolic link from <directory> to a specific shadow copy, which can then be investigated like a normal directory
Permission problems may still occur!
Changing permissions doesn't work: Shadow copies are read-only
Event log
Event logs are normal files
Location: Specified in registry (→ allows relocation)
E.g. security: %SYSTEMROOT%\System32\config\SecEvent.Evt
Can be recovered through file carving etc.
Fixed size; configurable per log (typ. 512 kB to 16 MB)
Problem: Security logging is off by default
Application and System are on by default
Clean shutdown: Offsets of oldest & newest entries
written to header; a clean flag set (dirty when active)
While in use, trailer (after current last entry) has data
Common source of corruption in forensics (pulling plug!)
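An added example (not from the slides) that checks exactly this: it reads the 48-byte .evt header, tests the dirty flag and, if the log was not cleanly closed, takes the current offsets from the trailer record after the last entry instead of the stale header. Header and trailer layouts are those of the Windows SDK structures ELF_LOGFILE_HEADER and ELF_EOF_RECORD; the two sample logs are constructed.

```python
import struct

EVT_SIGNATURE = b"LfLe"      # DWORD 0x654C664C at offset 4
HEADER_LEN = 0x30
# Flags field bits (ELF_LOGFILE_* constants from winnt.h)
ELF_LOGFILE_HEADER_DIRTY = 0x0001   # set while the log is open; cleared on clean close
ELF_LOGFILE_HEADER_WRAP = 0x0002    # records wrapped around the end of the file
# Marker of the trailer (ELF_EOF_RECORD) kept after the current last record
EOF_MAGIC = struct.pack("<4I", 0x11111111, 0x22222222, 0x33333333, 0x44444444)
OFFSET_KEYS = ("start_offset", "end_offset", "current_record", "oldest_record")

def parse_evt_header(data):
    """Decode the .evt header: 12 little-endian DWORDs."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than an .evt header")
    names = ("header_size", "signature", "major", "minor") + OFFSET_KEYS + (
        "max_size", "flags", "retention", "end_header_size")
    hdr = dict(zip(names, struct.unpack("<12I", data[:HEADER_LEN])))
    if data[4:8] != EVT_SIGNATURE or hdr["header_size"] != HEADER_LEN:
        raise ValueError("not an .evt header (signature/size mismatch)")
    hdr["dirty"] = bool(hdr["flags"] & ELF_LOGFILE_HEADER_DIRTY)
    hdr["wrapped"] = bool(hdr["flags"] & ELF_LOGFILE_HEADER_WRAP)
    return hdr

def find_eof_record(data):
    """Return the offsets stored in the trailer (current even when the header
    is stale), or None if no trailer is present."""
    pos = data.find(EOF_MAGIC, HEADER_LEN)
    if pos < 0 or pos + 36 > len(data):   # 4 size bytes precede, 20 follow the magic
        return None
    return dict(zip(OFFSET_KEYS, struct.unpack("<4I", data[pos + 16:pos + 32])))

def triage_evt(data):
    """Pick trustworthy offsets: the header if cleanly closed, else the trailer."""
    hdr = parse_evt_header(data)
    eof = find_eof_record(data)
    if hdr["dirty"] and eof is not None:
        return dict(source="trailer", dirty=True, **eof)
    return dict(source="header", dirty=hdr["dirty"], **{k: hdr[k] for k in OFFSET_KEYS})

# --- constructed sample files (no real logs) ---
def make_header(start, end, current, oldest, max_size, flags):
    return struct.pack("<I4s10I", HEADER_LEN, EVT_SIGNATURE, 1, 1, start, end,
                       current, oldest, max_size, flags, 0, HEADER_LEN)

def make_eof_record(start, end, current, oldest):
    return struct.pack("<I", 0x28) + EOF_MAGIC + struct.pack("<5I", start, end, current, oldest, 0x28)

CLEAN_LOG = make_header(0x30, 0x1A20, 2345, 1000, 512 * 1024, 0)
# Plug pulled: header still claims end=0x1A20 / record 2345, the trailer is newer
DIRTY_LOG = (make_header(0x30, 0x1A20, 2345, 1000, 512 * 1024, ELF_LOGFILE_HEADER_DIRTY)
             + b"\x00" * 64 + make_eof_record(0x30, 0x1C00, 2350, 1000))
```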

Event log
>=Vista: More logs (Setup, Administrative tasks, ...)
File format changed (*.evt → *.evtx): Binary XML
Much easier to parse!
Logs are now separated into channels
Windows: Application, Security, System, Setup, ForwardedEvents
Applications and Services: Many channels of individual applications or
components
New version since Windows 10
Mostly the same as since Vista (→ backwards compatible!)
Improvement: You can add your own XML data to an event

Source: https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949


Event log
Content:
Each Event has an EventId, specifying its type
Examples: 528, 540 = Logon, 538 = Logoff
Contains additional details
These change with Windows versions → use the same or a newer version!
Timestamp, ...
Record number: Used consecutively (→ no record deletion!)
Inspection possible through Windows
Or LogParser: Allows SQL-like queries against the log!
And against various other file formats as well
Reliability of event logs: Quite good
Modifications are difficult, but not impossible
Deleting some elements is very hard
But: Deleting the whole log is quite trivial

Location: %SYSTEMROOT%\system32\LogFiles\Firewall\pfirewall.log
Logging is turned off by default
Activating: Windows Firewall → Advanced Settings → Windows Firewall Properties → Logging
Separate: Event log (records firewall rules and connection security rules changes, i.e., the configuration, but not the individual "problems"!)

Internet Connection Firewall: Logs
Log file format: See file header!
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
Example:
2012-08-23 11:11:09 ALLOW TCP 140.78.100.211 140.78.3.160 1735 80 0 - 0 0 0 - - - SEND
Outgoing web request to JKU webserver
2012-08-23 11:11:19 ALLOW UDP fe80::a400:fe81:4022:2a12 ff02::1:2 546 547 0 - - - - - - - SEND
Outgoing DHCPv6 request ("Solicit")
2012-08-23 11:20:23 ALLOW ICMP 140.78.100.164 140.78.100.211 - - 0 - - - - 8 0 RECEIVE
Incoming ping request
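An added example (not from the slides) parsing this format: the #Fields directive defines the columns, "-" marks a column that does not apply, and a line with the wrong number of fields (like the ICMP line above, which has one column fewer than the header declares) is kept but flagged rather than silently misaligned. The sample log is constructed from the three lines above.

```python
import ipaddress
from datetime import datetime

# Constructed sample in the layout shown above; the ICMP line is deliberately
# one column short, exactly as on the slide.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-08-23 11:11:09 ALLOW TCP 140.78.100.211 140.78.3.160 1735 80 0 - 0 0 0 - - - SEND
2012-08-23 11:11:19 ALLOW UDP fe80::a400:fe81:4022:2a12 ff02::1:2 546 547 0 - - - - - - - SEND
2012-08-23 11:20:23 ALLOW ICMP 140.78.100.164 140.78.100.211 - - 0 - - - - 8 0 RECEIVE
"""

def parse_firewall_log(text):
    """Return (directives, records). Each record maps the #Fields column names
    to strings ('-' becomes None) plus parsed timestamp and IP objects."""
    fields, meta, records = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                       # header directive
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
            if key.strip() == "Fields":
                fields = value.split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        tokens = line.split()
        rec = dict.fromkeys(fields)
        rec.update((name, None if val == "-" else val) for name, val in zip(fields, tokens))
        # Wrong column count: columns after the gap may be shifted, so flag the
        # record; 'path' is always the last column and can be realigned safely.
        rec["_malformed"] = len(tokens) != len(fields)
        if rec["_malformed"] and tokens[-1] in ("SEND", "RECEIVE"):
            rec["path"] = tokens[-1]
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["src_ip"] = ipaddress.ip_address(rec["src-ip"])   # handles v4 and v6
        rec["dst_ip"] = ipaddress.ip_address(rec["dst-ip"])
        records.append(rec)
    return meta, records

def count_by_direction(records):
    """Summarise SEND/RECEIVE per protocol, e.g. {('TCP', 'SEND'): 1, ...}."""
    counts = {}
    for rec in records:
        key = (rec["protocol"], rec["path"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```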

Summary
Especially the Registry is a treasure trove of information
But the data is very well hidden under obscure names/IDs
Special attention needs to be paid to how reliable the data is
Windows version, source of description of keys/values etc.!
Try it out on a copy and monitor the changes made
E.g. using registry-diff software, sandboxing software
Restore points contain previous versions of the registry
But it is hard to know exactly what is there to be found!
Activity remnants may remain for a long time: Recycle
bin records, print spool files, event log
Sometimes even forever (thumbs.db) unless explicitly removed!
Restricting the investigation is therefore very desirable
Only a subset of data need then be searched for/through!

Thank you! Questions?


Michael Sonntag
[email protected]
+43 (732) 2468 4137
S3 235 (Science park 3, 2nd floor)
https://www.ins.jku.at

Links
Windows Recycle Bin:
http://www.foundstone.com/us/resources/proddesc/rifiuti.htm
MRU locations:
http://windowsxp.mvps.org/RegistryMRU.htm
Windows Spool Files
http://www.undocprint.org/winspool/spool_files
Hurlbut, D.: Thumbs DB File Forensic Issues
http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf
USBDeview
http://www.nirsoft.net/utils/usb_devices_view.html
System Restore Point Log Decoding
http://www.ediscovery.co.nz/wip/srp.html
Links
Murphey, Rick: Automated Windows event log forensics:
http://www.dfrws.org/2007/proceedings/p92-murphey.pdf
LogParser: http://www.microsoft.com/germany/technet/
datenbank/articles/600371.mspx
Rob Faber: Windows log forensics: http://www.net-security.org/dl/insecure/INSECURE-Mag-16.pdf page 86
Rowe, Eric: Volume Shadow Copy and Registry Forensics
http://montcs.bloomu.edu/~bobmon/DigFor/2012.HTCIA-conference/Talks/HTCIA%202012%20-%20VSC%20and%20Registry.pdf
