csf1920 2 07 Operating - System - Forensics

Evidence in Operating Systems
Part II. Basic Techniques and Tools for Digital Forensics
CSF: Forensics Cyber-Security
Fall 2019
Nuno Santos

Two weeks ago: File system layer
} Studied the kind of evidence that can be found on file systems
} Learned multiple techniques to retrieve that evidence
} Seen how to recover formerly deleted contents
} How to recover deleted files when no metadata is available
} How to properly establish a timeline of events
2 CSF - Nuno Santos 2019/20
Today: Evidence in operating systems
} What operating system structures can be relevant in forensics?

Class roadmap
} Windows Registry
} Windows Event Log
} Windows files
} Investigation of Windows systems

Windows Registry

Registry’s official definition
} Microsoft defines the Registry thus:
“A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 used to store information necessary to configure the system for one or more users, applications and hardware devices.”
https://support.microsoft.com/en-us/kb/256986

Registry history
} The Registry was first introduced with Windows 95
} It replaces the initialization (.ini) files introduced in Windows 3.0
  } win.ini and system.ini store user settings and OS parameters
} Since then, the structure has been maintained, although newer Windows versions tend to add specific changes

Forensics relevance of the Windows Registry
} The Registry is the heart and soul of Windows OSes, and a wealth of information can be recovered from it:
  } System configuration
  } Devices on the system
  } User names
  } Personal settings and browser preferences
  } Web browsing activity
  } Files opened
  } Programs executed
  } Application settings

Registry access activity
} Virtually everything done in Windows refers to or is recorded into the Registry
} The RegMon program can be used to display registry activity in real time
} Registry access barely remains idle: the registry is referenced in one way or another with every action taken by the user

Structure of the Windows Registry
} The Registry can be seen as a unified file system
} The Registry’s specific structure is divided into keys and values
  } Main root keys represent the root directory, sub-keys represent the sub-folders, and values represent the files

Root key functions
} HKEY_LOCAL_MACHINE (HKLM)
  } Contains system-wide hardware settings and configuration information (e.g., list of drives mounted on the system)
} HKEY_USERS (HKU)
  } Contains the root of all user profiles that exist on the system
} HKEY_CLASSES_ROOT (HKCR)
  } Ensures the correct program opens when a file is executed in Windows Explorer
} HKEY_CURRENT_USER (HKCU)
  } Contains the profile (settings) of the user who is currently logged in
} HKEY_CURRENT_CONFIG (HKCC)
  } Information about the hardware profile used by the computer during start-up
(Figure callout: “real”; others are shortcuts)
‘HKEY’ is an abbreviation for Handle to a Key

HKEY_LOCAL_MACHINE (HKLM)
} Settings that are used by the system during start-up
} It is independent from the user login
} Contains five subkeys:
  } System
    } System configuration, such as the computer name and system time zone
  } Software
    } Installed applications and OS services
  } SAM
    } Security Account Manager: stores user and group security information
  } Security
    } The security policy of the current user
  } Hardware
    } Information about the hardware devices

Timezone
} Identifies the current system time zone
} Location:
  } HKLM\System\CurrentControlSet\Control\TimeZoneInformation

Network history
} Identify networks the computer has been connected to
  } Could be wireless or wired
  } Identify domain name/intranet name
  } Identify SSID
  } Identify gateway MAC address
} Location:
  } HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList
} Also tells the last time the network was connected to

USB devices
} Anytime a device is connected to the Universal Serial Bus (USB), drivers are queried and the device’s information is stored into the Registry (e.g., thumb drives)
  } HKLM\System\CurrentControlSet\Services\USBSTOR

Volume serial number
} Volume serial number of the file system partition on the USB device
  } HKLM\Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt
  } Example key name (the figure callout marks the trailing number as the volume serial number):
    \_??_USBSTOR#Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15#0C90195032E36889&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}GEEKSQUAD_1414378827
} Drive letter and volume name
  } HKLM\System\MountedDevices
  } Examine the drive letter’s value data looking for the serial number

HKEY_USERS (HKU)
} Contains user-specific configuration information for all currently active users on the computer
(Figure callouts: default user; specific Windows services; currently signed-in user with its full SID)

HKEY_CURRENT_USER (HKCU)
} HKCU is only a pointer to the current user under HKU, with the same configuration and settings

MRU lists
} MRU (‘most recently used’) lists contain entries about specific actions done by the user
} There are numerous MRU lists located throughout various Registry keys
} Example: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  } RunMRU: when a user types a command into the ‘Run’ box via the Start menu, the entry is added to this Registry key

OpenSave MRU
} OpenSave MRU: tracks files that were opened / saved within a Windows shell dialog box
} Win7: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
  } * key: tracks the most recent files of any extension input in an OpenSave dialog
  } .??? keys: store file info from the OpenSave dialog by specific extension

Last Visited MRU
} Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key
} Also tracks the directory location for the last file that was accessed by that application
} Location:
  } HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
} Example
  } Wordpad.exe was last run to open a file in folder c:\temp

MRU lists: Examples…

UserAssist
} The UserAssist key contains information about the exe files and links that you open frequently
} Indicates last accessed system objects
  } E.g., Control Panel applets, shortcut files, programs, etc.
} HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\

UserAssist
} We can gain a better understanding of what types of files or applications have been accessed on a particular system, e.g.:
} The decoded value shows a potential amount of information:
  } name of user profile - ‘Cpt. Krunch’ - from which the .exe was executed
  } researching ‘p2ktools.exe’, it is used for managing Motorola cell phones
  } user has a p2ktools folder in a parent directory called ‘Razor programs’
  } tells both the location and is an indicator that the suspect has a Motorola Razor cell phone

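As an added example (not part of the slides), the Python below decodes UserAssist values the way a registry parser would: value names are ROT13-encoded, a known property of this key that the slide does not state, and the binary data holds the run counter and the last-execution FILETIME at layout-dependent offsets (16-byte XP/2003 records and 72-byte Vista/7 records). The sample values are constructed around the slide's ‘Cpt. Krunch’ / p2ktools.exe entry and are not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC; 0 means 'never'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist(value_name: str, data: bytes) -> Dict[str, object]:
    """Decode one UserAssist value. Names are ROT13-obfuscated (a property of the key
    the slide does not spell out). XP/2003 data is 16 bytes: session, count, FILETIME,
    where the counter starts at 5. Vista/7 data is 72 bytes: session, run count, focus
    count, focus time in ms, ten floats, 4 unknown bytes, FILETIME at offset 60."""
    entry: Dict[str, object] = {"path": codecs.decode(value_name, "rot_13")}
    if len(data) == 16:
        count, ft = struct.unpack_from("<IQ", data, 4)
        entry.update(run_count=max(count - 5, 0), focus_count=None, focus_ms=None)
    elif len(data) == 72:
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        ft = struct.unpack_from("<Q", data, 60)[0]
        entry.update(run_count=run_count, focus_count=focus_count, focus_ms=focus_ms)
    else:
        raise ValueError(f"unexpected UserAssist data length {len(data)}")
    entry["last_run"] = filetime_to_datetime(ft)
    return entry


def decode_userassist_key(values: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Decode all values of a {GUID}\\Count subkey, most recently executed first;
    bookkeeping values with other data lengths are skipped."""
    entries = []
    for name, data in values.items():
        try:
            entries.append(decode_userassist(name, data))
        except ValueError:
            continue
    return sorted(entries, key=lambda e: e["last_run"] or EPOCH_1601, reverse=True)


# Constructed sample values (not real hive content). FILETIME of 2019-10-14 09:30:00 UTC
# = FILETIME of the Unix epoch (116444736000000000) + seconds since then * 10^7.
FT_2019 = 116444736000000000 + 1571045400 * 10_000_000
# XP-style entry: ROT13 of
# UEME_RUNPATH:C:\Documents and Settings\Cpt. Krunch\Razor programs\p2ktools.exe
SAMPLE_XP_NAME = "HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Pcg. Xehapu\\Enmbe cebtenzf\\c2xgbbyf.rkr"
SAMPLE_XP_DATA = struct.pack("<IIQ", 1, 17, FT_2019)       # counter 17 -> 12 real runs
SAMPLE_VALUES = {
    SAMPLE_XP_NAME: SAMPLE_XP_DATA,
    # Vista/7-style entry {KnownFolderGUID}\calc.exe that was never run (FILETIME 0)
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pnyp.rkr":
        struct.pack("<IIII", 0, 0, 0, 0) + bytes(44) + struct.pack("<Q", 0) + bytes(4),
    "HRZR_PGYFRFFVBA": bytes(8),            # session bookkeeping value, skipped
}
```
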
Recent files
} A registry key tracks the last files and folders opened and is used to populate data in the “Recent” menus of the Start menu
} Location:
  } HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Office recent files
} MS Office programs track their own Recent Files list to make it easier for users to remember the last files they were editing
} Location:
  } HKCU\Software\Microsoft\Office\VERSION

Shell Bags
} Track user window viewing preferences in Windows Explorer
} Store info about which folders were most recently browsed by the user
} Location:
  } HKU\Software\Microsoft\Windows\Shell\Bags

Search Assistant
} Search Assistant remembers a user’s search terms for filenames, computers, or words that are inside a file
} Location:
  } HKCU\Software\Microsoft\SearchAssistant\ACMru\####
  } 5001: Search the Internet
  } 5603: All or part of a document name
  } 5604: Word or phrase in a file
  } 5647: Printers, computers, and people

Search - WordWheelQuery
} Keywords searched for from the START menu bar on Windows 7
} Location:
  } HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
} Keywords are added in Unicode and listed in temporal order in MRUlist

Device accessed by which user
} Track USB devices plugged into a machine
  } SYSTEM\CurrentControlSet\Enum\USBSTOR
  } SYSTEM\CurrentControlSet\Enum\USB
} Identify a unique USB device plugged into the machine
  } Identify vendor, product, and version of the USB device
} First time the USB device was connected:
  } C:\Windows\inf\setupapi.dev.log
} User that used the unique USB device:
  } Look for the volume GUID in SYSTEM\MountedDevices
  } HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (the same GUID appears as a subkey under the user that mounted it)

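The EMDMgmt / MountedDevices slide and this device-to-user slide describe one correlation: the device serial comes from the USBSTOR path, the volume GUID from MountedDevices, and the user from whichever MountPoints2 key holds that GUID. The Python below is an added example (not part of the lecture) that performs that join over constructed registry data: the USBSTOR path is the slide's Geek Squad example, the volume GUID and the MountedDevices / MountPoints2 contents are made up, and the SID is the one from the Recycle Bin slide.

```python
import re
from typing import Dict, List, Optional

# Device instance path as written in EMDMgmt key names and, UTF-16LE encoded, in the
# data of HKLM\System\MountedDevices values (the leading backslash is optional).
USBSTOR_RE = re.compile(
    r"_\?\?_USBSTOR#Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^#]*)"
    r"#(?P<serial>[^&#]+)&(?P<instance>\d+)#\{(?P<class_guid>[0-9a-fA-F-]+)\}(?P<tail>.*)$")


def format_volume_serial(dec: int) -> str:
    """EMDMgmt stores the volume serial in decimal; 'vol' and 'dir' show it as XXXX-XXXX."""
    return f"{dec >> 16:04X}-{dec & 0xFFFF:04X}"


def parse_usbstor_path(path: str) -> Optional[Dict[str, str]]:
    """Split a USBSTOR device instance path into vendor, product, revision and device
    serial; for EMDMgmt key names the tail is <VolumeLabel>_<VolumeSerialDecimal>."""
    m = USBSTOR_RE.search(path)
    if not m:
        return None
    info = {k: m.group(k) for k in ("vendor", "product", "rev", "serial")}
    if m.group("tail"):
        label, _, dec = m.group("tail").rpartition("_")
        info["volume_name"] = label
        info["volume_serial"] = format_volume_serial(int(dec))
    return info


def attribute_usb_volumes(mounted_devices: Dict[str, bytes],
                          mount_points2: Dict[str, List[str]]) -> List[Dict[str, object]]:
    """Join MountedDevices (\\??\\Volume{GUID} -> USBSTOR path) with the {GUID} subkeys
    under each user's MountPoints2 (volumes that user actually mounted), and recover
    the drive letter whose \\DosDevices\\X: value carries the same data."""
    results = []
    for value_name, data in mounted_devices.items():
        if not value_name.startswith("\\??\\Volume{"):
            continue
        dev = parse_usbstor_path(data.decode("utf-16-le", errors="replace"))
        if dev is None:     # fixed disks store an MBR signature + offset, not a string
            continue
        volume_guid = value_name[len("\\??\\Volume"):]
        letters = sorted(n.rsplit("\\", 1)[-1] for n, d in mounted_devices.items()
                         if n.startswith("\\DosDevices\\") and d == data)
        users = sorted(sid for sid, guids in mount_points2.items() if volume_guid in guids)
        results.append({"volume_guid": volume_guid, "serial": dev["serial"],
                        "vendor": dev["vendor"], "product": dev["product"],
                        "drive_letters": letters, "users": users})
    return results


# Constructed sample data (not taken from a real system), built around the slide's drive.
SAMPLE_PATH = ("_??_USBSTOR#Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15"
               "#0C90195032E36889&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_GUID = "{6f1c1d6e-aaaa-bbbb-cccc-100000000000}"     # made-up volume GUID
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a0b1c2d3") + bytes(8),   # fixed-disk style entry
    "\\DosDevices\\E:": SAMPLE_PATH.encode("utf-16-le"),
    "\\??\\Volume" + SAMPLE_GUID: SAMPLE_PATH.encode("utf-16-le"),
}
SAMPLE_MOUNTPOINTS2 = {     # SID -> MountPoints2 subkey names found in that user's hive
    "S-1-5-21-1454471165-630328440-725345543-1003": [SAMPLE_GUID],
    "S-1-5-21-1454471165-630328440-725345543-1004": [],
}
```
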
Registry hives
} Each root key shown in the registry editor is actually a file in the file system called a registry hive
} A hive contains a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data
} Each time a new user logs on, a new hive is created for that user with a separate file for the user profile
  } User’s app settings, desktop, environment, network connections, and printers
  } User profile hives are located under the HKEY_USERS key

Hive’s supporting files
} Hives have sets of supporting files
} Most of them located in: %SystemRoot%\System32\Config
} These files are updated each time a user logs on

Registry hive                    Supporting files
HKEY_CURRENT_CONFIG              System, System.alt, System.log, System.sav
HKEY_CURRENT_USER                Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM           Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security      Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software      Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System        System, System.alt, System.log, System.sav

Location of some important hives

Filename     Location                                Content
ntuser.dat   \Documents and Settings\user account    Protected storage area for user;
             (each user has an individual user.dat   Most Recently Used (MRU) files;
             file in windows\profiles\user account)  User preference settings
Default      \Windows\system32\config                System settings
SAM          \Windows\system32\config                User account management and security settings
Security     \Windows\system32\config                Security settings
Software     \Windows\system32\config                All installed programs and their settings
System       \Windows\system32\config                System settings

How the registry is assembled
} The registry is commonly described as a hierarchical database, but note two important facts:
  } The registry database is only ever complete when loaded into your computer’s memory
  } The registry is the sum of two parts: the data, and the processes that create it and provide access to it

The registry can be accessed only via the kernel
} The registry exists in two main forms:
  } Some registry hives are stored on disk even when Windows is not running
  } All the registry hive structures only exist in memory; this includes a set of volatile hives that only exist when Windows is running
} Access is done through the Registry Configuration Manager
} When your computer is turned off the registry does not exist, even though most of the registry data is stored on disk

Forensic analysis of the registry
} Browse the registry using some registry viewer tool (e.g., regedit)
} Create forensic copies of the registry’s files (e.g., FTK Imager)
} Create a full copy of the entire memory-resident registry (e.g., Regripper)
} Analyze the dumps using specific decoders (e.g., yarp)

Windows Event Log

Windows Event Log
} Whenever an event, such as a user logging on or off, occurs, the operating system logs the event
} An event can be any occurrence that the OS or a program wants to keep track of or alert the user about
} Windows has a centralized log service to allow apps and the OS to report events that have taken place
  } Application (example: database message)
  } System (example: driver failure)
  } Security (example: logon attempt, file access)

Structure of the Event Log
} The Event Log can be seen using a specific system tool

Event format
} Events have a specific format and meaning

Example of detailed event tracking
} Detailed event tracking can include the following events:
  } #528 – Successful Login (the user authenticates to the system)
  } #592 – A new process has been created (an application is launched)
  } #560 – Object Open (a file is requested)
  } #564 – Object Deleted
  } #562 – Handle Closed (the file has been closed)
  } #593 – A Process Has Exited (the application was terminated)

Last login, last password change, successful login
} The last login time is stored in the registry key
  } SAM\Domains\Account\Users
  } Local accounts of the system and equivalent security identifiers
  } Also saves the last time the password of a user was changed
} Successful or failed logons: which accounts have been used for attempted logons
  } %SystemRoot%\System32\winevt\logs\Security.evtx
  } Event ID 528/4624 – Successful Logon
  } Event ID 529/4625 – Failed Logon
  } Event ID 538/4634 – Successful Logoff
  } Event ID 540/4624 – Successful Network Logon (e.g., file shares)

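The Security.evtx event IDs listed above are the usual starting point for account-usage triage. The Python below is an added example (not from the lecture) that runs over an Event-XML export of that log, counts the slide's logon/logoff IDs per account (legacy and modern numbers alike) and flags an account whose successful logon directly follows a burst of failures. The records are constructed sample data in the Windows Event XML schema, not a real log; the `_record` helper and the threshold of three failures are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Iterator, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Legacy (pre-Vista) IDs are mapped alongside the modern ones the slide pairs them with.
EVENT_KIND = {"528": "logon_ok", "540": "logon_ok", "4624": "logon_ok",
              "529": "logon_fail", "4625": "logon_fail", "538": "logoff", "4634": "logoff"}
LOGON_TYPE = {"2": "Interactive", "3": "Network", "7": "Unlock", "10": "RemoteInteractive"}


def parse_events(xml_text: str) -> Iterator[Tuple[str, str, str, str, str]]:
    """Yield (time, kind, account, logon type, source IP) for the logon-related records
    of an Event-XML export (Event Viewer 'Save as XML' shape); other records are skipped."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        kind = EVENT_KIND.get(ev.findtext("e:System/e:EventID", namespaces=NS))
        if kind is None:
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        ltype = data.get("LogonType", "")
        yield (when, kind, data.get("TargetUserName", ""),
               LOGON_TYPE.get(ltype, ltype), data.get("IpAddress", ""))


def triage_logons(xml_text: str, fail_threshold: int = 3) -> Dict[str, dict]:
    """Per-account counts of the slide's logon/logoff IDs, plus a flag when a success
    directly follows at least fail_threshold consecutive failures for that account
    (records are assumed to be in chronological order, as exported from Security.evtx)."""
    stats: Dict[str, dict] = defaultdict(lambda: {
        "logon_ok": 0, "logon_fail": 0, "logoff": 0,
        "types": set(), "sources": set(), "suspicious": False})
    streak: Dict[str, int] = defaultdict(int)
    for _when, kind, account, ltype, ip in parse_events(xml_text):
        s = stats[account]
        s[kind] += 1
        if ip and ip != "-":
            s["sources"].add(ip)
        if kind == "logon_fail":
            streak[account] += 1
        elif kind == "logon_ok":
            s["types"].add(ltype)
            s["suspicious"] = s["suspicious"] or streak[account] >= fail_threshold
            streak[account] = 0
    return dict(stats)


def _record(event_id: str, user: str, logon_type: str, ip: str, when: str) -> str:
    """One constructed record in the Windows Event-XML schema (sample data only)."""
    return (f"<Event><System><EventID>{event_id}</EventID>"
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')


# Constructed sample export (not a real log): three failures and then a network logon for
# alice from one host, an interactive session for bob, and one unrelated 4672 record.
SAMPLE_XML = ('<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
              + "".join(_record("4625", "alice", "3", "10.0.0.5", f"2019-10-14T09:30:0{i}Z")
                        for i in range(3))
              + _record("4624", "alice", "3", "10.0.0.5", "2019-10-14T09:30:04Z")
              + _record("4624", "bob", "2", "-", "2019-10-14T09:31:00Z")
              + _record("4672", "bob", "", "-", "2019-10-14T09:31:00Z")
              + _record("4634", "bob", "2", "-", "2019-10-14T09:45:00Z")
              + "</Events>")
```
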
Services events
} Analyze logs for suspicious services running at boot time
} Review services started or stopped around the time of a suspected compromise
} Examples of relevant IDs:
  } 7034 – Service crashed unexpectedly
  } 7035 – Service sent a Start / Stop control
  } 7036 – Service started or stopped
  } 7040 – Start type changed (Boot | On Request | Disabled)
} Numerous malware and worms in the wild utilize services
  } Services started on boot for malware persistence
  } Services can crash due to attacks like process injection

Windows files

Shortcut (LNK) files
} Shortcut files (.lnk) are automatically created by Windows
  } Recent Items
  } Opening local and remote data files and documents will generate a shortcut file
} Location:
  } C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\
  } Can also be found in other locations

Win7 jump lists
} The Windows 7 task bar (Jump List) allows users to quickly and easily access items / execute tasks they use frequently or have used recently
} Location:
  } C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
  } Has unique files prepended with the AppID of the associated application

Prefetch
} Windows creates a prefetch file when an application is run from a particular location for the very first time; used to speed up the loading of applications
} Location:
  } C:\Windows\Prefetch\(exename)-(hash).pf
} Includes the last time of execution, the number of times run, and the device and file handles used by the program:
  1. Hash of the original path of the application
  2. Application name
  3. The number of times the application was run
  4. Timestamps for the last 8 times the application was run

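To make the four items concrete, the Python below is an added example (not part of the lecture) that reads them straight from an uncompressed .pf header: version and SCCA signature, executable name, path hash, run count and the last run times (one for XP and Vista/7, eight for Windows 8.x). The offsets follow the published prefetch file format; the sample file is constructed in memory by a helper of this example, and its hash is a made-up value, not one computed from a path.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Layout of the uncompressed prefetch header (published format notes, e.g. libscca):
# 0x00 version, 0x04 "SCCA", 0x0C file size, 0x10 executable name (60 bytes UTF-16LE),
# 0x4C path hash; the file-information block that follows is version dependent.
LAYOUT = {  # version: (last-run-times offset, number of times, run-count offset, OS)
    17: (0x78, 1, 0x90, "Windows XP/2003"),
    23: (0x80, 1, 0x98, "Windows Vista/7"),
    26: (0x80, 8, 0xD0, "Windows 8.x"),
}


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def prefetch_summary(blob: bytes) -> Dict[str, object]:
    """Pull the four items the slide lists (path hash, name, run count, last run
    times) out of a raw .pf file. Windows 10 files start with 'MAM\\x04' and must be
    decompressed first; that case is reported rather than parsed here."""
    if blob[:3] == b"MAM":
        raise ValueError("compressed (Windows 10+) prefetch: decompress before parsing")
    if blob[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", blob, 0)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    times_off, n_times, count_off, os_name = LAYOUT[version]
    name = blob[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", blob, 0x4C)[0]
    raw_times = struct.unpack_from(f"<{n_times}Q", blob, times_off)
    return {
        "os": os_name,
        "name": name,
        "hash": f"{path_hash:08X}",
        "expected_filename": f"{name}-{path_hash:08X}.pf",   # should match the on-disk name
        "run_count": struct.unpack_from("<I", blob, count_off)[0],
        "run_times": [filetime_to_datetime(t) for t in raw_times if t],
    }


def build_sample_prefetch(version: int, name: str, path_hash: int,
                          run_count: int, times: List[int]) -> bytes:
    """Construct a minimal blob in the above layout (sample data, not a real file)."""
    times_off, n_times, count_off, _ = LAYOUT[version]
    blob = bytearray(0x200)
    struct.pack_into("<I4s", blob, 0, version, b"SCCA")
    struct.pack_into("<I", blob, 0x0C, len(blob))
    encoded = name.encode("utf-16-le")
    blob[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<I", blob, 0x4C, path_hash)
    struct.pack_into(f"<{n_times}Q", blob, times_off, *(times + [0] * (n_times - len(times))))
    struct.pack_into("<I", blob, count_off, run_count)
    return bytes(blob)


FT_2019 = 116444736000000000 + 1571045400 * 10_000_000   # 2019-10-14 09:30:00 UTC
# Constructed Windows 8 sample; the hash value is made up, not computed from a path.
SAMPLE_PF = build_sample_prefetch(26, "NOTEPAD.EXE", 0xD8414F97, 4,
                                  [FT_2019, FT_2019 - 36_000_000_000])
```
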
Autorun locations
} Registry keys that launch programs or apps during boot
} E.g., in a system intrusion, autorun locations could reveal the installation of a trojan backdoor
} List of common autorun locations:
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  (ProfilePath)\Start Menu\Programs\Startup

Thumbnails
} On Win XP: hidden file thumbs.db in the directory where the pictures exist; stores the thumbnail even if the pictures are deleted
  } Includes: thumbnail, last modification time, original filename
} On Win7: data sits under a single directory
  } C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer\

Recycle Bin
} The Recycle Bin allows the user to retrieve and restore files that have been deleted
} The user’s deleted file is placed under a subdirectory named with the user’s security ID, e.g.,
  } C:\RECYCLER\S-1-5-21-1454471165-630328440-725345543-1003

More interesting files
} Installed programs
} Printer files
  } Contain information about printing jobs
} Pagefile.sys and Hiberfil.sys
  } The swap file and the file for storing RAM contents upon hibernation

Investigation of Windows systems

Importance of operating system forensics
} Ultimately, in a forensic examination, we’re investigating the actions of a person
} Almost every event or action on a system is the result of a user either doing something (or not doing something)
} Many of such events introduce changes to the system state that are supervised by the operating system (OS)
} OS forensics helps understand how system changes correlate to events resulting from the actions of somebody in the real world
(Figure: 1) action -> 2) OS state change! -> 3) OS forensics)

Windows boot process overview

Potential sources of evidence
} Windows Registry
} Windows Event Log
} Windows files
} NTFS (to be covered in the future)

Potential user activities to investigate
1. File download
2. Program execution
3. File opening / creation
4. Deleted file or file knowledge
5. Physical location
6. USB or drive usage
7. Account usage
8. Browser usage

Evidence of program execution
(Figure: artifacts linked to Program Execution)
} Last Visited MRU
} RunMRU (Start->Run)
} UserAssist
} Win7 Jump Lists
} Services Events
} Prefetch

Evidence of file opening / creation
(Figure: artifacts linked to File Opening / Creation)
} Open/Save MRU
} Last Visited MRU
} Office Recent Files
} Recent Files
} Shortcut (LNK) files
} Win7 Jump Lists
} Prefetch
} Shell Bags

Evidence of deleted file or file knowledge
(Figure: artifacts linked to Deleted File or File Knowledge)
} Search - WordWheelQuery
} Last Visited MRU
} Thumbs.db
} Vista/Win7 Thumbnails
} XP Recycle Bin
} Win7 Recycle Bin

Conclusions
} Windows and Linux are the most popular operating systems on desktop and server platforms
} Due to its central role in setting up and supervising the system, Windows maintains valuable data structures for forensic investigators: the Registry and the Event Log
} By analyzing artifacts from such sources, we can gather a wealth of info about user activities on the computer

References
} Primary bibliography
  } Ayman Shaaban, Konstantin Sapronov. Practical Windows Forensics, 2016
  } Deeper into Windows Registry
    https://www.techsupportalert.com/content/deeper-windows-registry.htm
} Secondary bibliography
  } Windows forensics and security
    https://articles.forensicfocus.com/2014/04/14/windows-forensics-and-security/
  } Windows artifact analysis
    https://uk.sans.org/posters/windows_artifact_analysis.pdf
  } The evolution of Windows
    https://businesstech.co.za/news/technology/94687/the-evolution-of-windows-1985-to-2015/
  } Data exfiltration and forensic analysis in a Microsoft Windows environment
    https://c.ymcdn.com/sites/www.issa.org/resource/resmgr/journalpdfs/feature1113.pdf

Next class
} II.8 Traffic Analysis