16: Windows Forensics
So now we’ll turn our attention to Windows forensics. Like most modern OSes, Windows creates and modifies artifacts on the basis of user actions, ongoing processes, scheduled events, and so on. Today, we’ll dig into some of these artifacts.
Like before, we’re concerned mainly with on-disk artifacts.
Unlike before, we’re going to take a (mostly) high-level view of these artifacts. Instead of writing the parsers for the binary objects we’ll examine, we’ll use pre-written tools – but now you have the knowledge to understand how they work under the hood, so it’s not just “magically run the tool to get the answer”. If you had the specification for, say, a Windows event log, you’d be able to write a parser for it (I hope!) at this point.
Sleuth Kit + Autopsy
It’s usually a reasonable idea to start by running fls over the entire drive image (and saving the output to a file), so that you can later grep it for files of interest.
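As an added example (not from these notes or from Sleuth Kit), here is a small Python parser for the fls listing format that appears throughout this lecture (`r/r 102632-128-4: path`), which replaces the grep step with something that also understands the NTFS `inode-attrtype-attrid` address, the `*` deleted marker and alternate data streams, and can build the matching icat command. The sample lines are copied from the listings in these notes; the image name and offset in the usage are assumed.

```python
import re
from typing import List, NamedTuple, Optional

# One line of "fls -r" output, as listed throughout these notes:
#   r/r 102632-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_1920.db
#   r/- * 0: Windows/System32/spool/PRINTERS/FP00003.SPL     <- '*' = deleted, no metadata address
FLS_LINE = re.compile(
    r"^(?P<ftype>[a-z\-]/[a-z\-])\s+"            # directory-entry type / metadata type
    r"(?:(?P<deleted>\*)\s+)?"                    # deleted-entry marker
    r"(?P<meta>[0-9]+(?:-[0-9]+-[0-9]+)?):\s+"    # inode, optionally -attrtype-attrid (NTFS)
    r"(?P<path>.*)$"
)


class FlsEntry(NamedTuple):
    ftype: str
    deleted: bool
    inode: int
    attr_type: Optional[int]
    attr_id: Optional[int]
    path: str

    @property
    def is_ads(self) -> bool:
        # An NTFS alternate data stream is listed as name:stream (e.g. file.jpg:Zone.Identifier)
        return ":" in self.path.rsplit("/", 1)[-1]


def parse_fls_line(line: str) -> Optional[FlsEntry]:
    """Return an FlsEntry for one fls line, or None if the line is not in fls format."""
    m = FLS_LINE.match(line.strip())
    if not m:
        return None
    parts = m.group("meta").split("-")
    attr_type = int(parts[1]) if len(parts) == 3 else None
    attr_id = int(parts[2]) if len(parts) == 3 else None
    return FlsEntry(m.group("ftype"), m.group("deleted") is not None,
                    int(parts[0]), attr_type, attr_id, m.group("path"))


def find_files(lines: List[str], pattern: str) -> List[FlsEntry]:
    """The 'grep the saved fls output' step: entries whose path matches a regex (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in map(parse_fls_line, lines) if e is not None and rx.search(e.path)]


def icat_command(image: str, offset: int, entry: FlsEntry, out_name: str) -> str:
    """Build the icat command that extracts the entry; -attrtype-attrid selects one NTFS attribute/ADS."""
    meta = str(entry.inode)
    if entry.attr_type is not None:
        meta += f"-{entry.attr_type}-{entry.attr_id}"
    return f"icat -o {offset} {image} {meta} > {out_name}"


# Constructed sample: a handful of lines copied from the listings in these notes.
SAMPLE_FLS = [
    "r/r 102632-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_1920.db",
    "r/r 102313-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_idx.db",
    "r/r 28482-128-3: Windows/System32/config/SOFTWARE",
    "r/r 95655-128-3: Windows/System32/spool/PRINTERS/FP00003.SPL",
    "r/- * 0: Windows/System32/spool/PRINTERS/FP00003.SPL",
    "r/r 105594-128-9: $Recycle.Bin/S-1-5-21-2126189841-3840269279-428953238-1001/$REZKLQK.jpg:Zone.Identifier",
]

if __name__ == "__main__":
    # Assumed image name and partition offset; a deleted entry with address 0 cannot be icat'ed.
    for e in find_files(SAMPLE_FLS, r"thumbcache_|/config/|\.spl$"):
        if e.deleted and e.inode == 0:
            print(f"# {e.path}: deleted, no metadata address to recover from")
            continue
        print(icat_command("case.dd", 206848, e, e.path.rsplit("/", 1)[-1]))
```

The regex is deliberately strict about the address field, so tool banners or hexdump lines mixed into a saved listing are skipped rather than mis-parsed.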
Please use Autopsy (it’s a GUI wrapper around TSK). The Windows version is really the only option right now. If you install the macOS version, it is several versions behind and not nearly worth using.
Side note: How do you show Hidden, etc., files within Windows? See https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files for details.
bulk_extractor / scalpel
bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. It just does carving (in a very thorough, efficient, and recursive way) on the basis of various patterns; this gets lots of data, but a non-trivial fraction is false positives.
Running it on a whole disk image can be overkill; sometimes it’s best to run it on a single file or a portion of the image. Or the whole image too, if you have time to read through all the results.
(scalpel is another, similar tool. Scalpel is pretty old at this point and challenging to use.)
Thumbs.db / thumbcache
Most versions of Windows cache “thumbnails” of image files that are stored in users’ directories and opened by the user. Various tools can process these thumbnails, such as scalpel.
Since Windows 7, this data has been moved to a centralized database.
r/r 102632-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_1920.db
r/r 102556-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db
r/r 102633-128-1: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_2560.db
r/r 102372-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_32.db
r/r 102460-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_48.db
r/r 102557-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_768.db
r/r 102516-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db
r/r 102695-128-1: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_custom_stream.db
r/r 102693-128-1: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_exif.db
r/r 102313-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_idx.db
r/r 102675-128-1: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_sr.db
r/r 102692-128-1: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_wide.db
r/r 102694-128-1: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_wide_alternate.db
r/r 102590-128-1: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_1280.db
r/r 102363-128-4: Users/theodore/AppData/Local/Microsoft/Windows/Explorer/thumbcache_16.db
Autopsy will parse these files for you.
Another option (Windows only) is this program: https://thumbcacheviewer.github.io
You can also try vinetto (https://github.com/AtesComp/Vinetto), which is hard to install since it isn’t really a pip package.
If I extract thumbcache_1920.db to a local file, I can run the following to store thumbnails to the current directory (.).
vinetto -o . thumbcache_1920.db
Here are the results:
(base) brian@wpa014 thumbs % vinetto -o . t1920.db
Vinetto: Version 0.9.11
------------------------------------------------------
File: t1920.db
MD5: 5f2b91f8a3ae2b63784ddebfbfc449f2
------------------------------------------------------
Header
--------------------
Signature: CMMM (Thumbcache_*.db)
Format: 32 (Windows 10)
Type: 7 (thumbcache_1920.db)
------------------------------------------------------
Cache Entry 1
--------------------
Signature: CMMM
ID: 4e4bb0c4520deab3
------------------------------------------------------
Summary:
Extracted: 1 thumbnails to ./
It stored a file:
-rw-r--r--@ 1 brian staff 393963 Nov 16 13:47 4e4bb0c4520deab3.jpg
lnk files show recently opened files
LNK files are Windows shortcuts. Users might create them deliberately, but they are also created when files are opened by a user (to place in the “Recents” folder). Various tools exist to parse these files.
LECmd from eztools is the best choice.
Another option is liblnk (https://github.com/libyal/liblnk/wiki/Building), but it requires compilation.
Here’s an example LECmd command line:
dotnet LECmd.dll -f zebrass.lnk
And the output:
LECmd version 1.5.0.0
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd
Command line: -f zebrass.lnk
Processing /Users/brian/Downloads/case-demo/registries-old/zebrass.lnk
Source file: /Users/brian/Downloads/case-demo/registries-old/zebrass.lnk
Source created: 2022-03-31 03:07:09
Source modified: 2022-03-31 03:07:10
Source accessed: 2022-03-31 03:07:28
--- Header ---
Target created: 2022-03-31 05:59:21
Target modified: 2022-03-31 05:59:20
Target accessed: 2022-03-30 07:00:00
File size: 1,833,879
Flags: HasTargetIdList, HasLinkInfo, HasWorkingDir, IsUnicode, DisableKnownFolderTracking
File attributes: FileAttributeArchive
Icon index: 0
Show window: SwNormal (Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized.)
Working Directory: E:\
--- Link information ---
Flags: VolumeIdAndLocalBasePath
>> Volume information
Drive type: Removable storage media (Floppy, USB)
Serial number: 302C14A8
Label: SCANS
Local path: E:\zebrass.jpg
--- Target ID information (Format: Type ==> Value) ---
Absolute path: My Computer\E:\zebrass.jpg
-Root folder: GUID ==> My Computer
-Drive letter ==> E:
-File ==> zebrass.jpg
Short name: zebrass.jpg
Modified: 2022-03-31 05:59:20
Extension block count: 1
--------- Block 0 (Beef0004) ---------
Long name: zebrass.jpg
Created: 2022-03-31 05:59:22
Last access: 2022-03-30 07:00:00
MFT entry/sequence #: 4194592/null (0x400120/0xnull)
--- End Target ID information ---
---------- Processed /Users/brian/Downloads/case-demo/registries-old/zebrass.lnk in 0.05670850 seconds ----------
Registry
The Windows Registry is a binary key-value store that also supports subkeys. In other words, it is a hierarchical database that maintains configuration settings for applications, hardware, and users. Typically there are five top-level entries, or “hives,” in the registry:
- HKEY_USERS: all actively loaded user profiles for the system
- HKEY_CURRENT_USER: actively loaded profile for logged-on user
- HKEY_LOCAL_MACHINE: “vast array” of configuration information for the system (hardware and software)
- HKEY_CURRENT_CONFIG: hardware profile used at startup
- HKEY_CLASSES_ROOT: configuration information related to which applications open which files
You can directly access your local registry through regedit – note that you really should not. You can screw up your entire install. It’s better to instead use various forensic tools to directly parse the registry. Where do the backing files for the registry live?
HKEY_LOCAL_MACHINE\System: %WINDIR%\system32\config\System
HKEY_LOCAL_MACHINE\SAM: %WINDIR%\system32\config\Sam
HKEY_LOCAL_MACHINE\Security: %WINDIR%\system32\config\Security
HKEY_LOCAL_MACHINE\Software: %WINDIR%\system32\config\Software
HKEY_LOCAL_MACHINE\Hardware: volatile
HKEY_LOCAL_MACHINE\System\Clone: volatile
HKEY_USERS\User SID: NTUSER.DAT; Documents And Settings\User
HKEY_USERS\Default: %WINDIR%\system32\config\default
Along with various event logs, you can use the registry to find evidence that certain apps were opened, or settings modified, or hardware inserted/removed, etc.
r/r 28476-128-3: Windows/System32/config/SAM
r/r 28479-128-3: Windows/System32/config/SECURITY
r/r 28482-128-3: Windows/System32/config/SOFTWARE
r/r 28485-128-3: Windows/System32/config/SYSTEM
Demo of registry entries on a running instance of Windows:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
- HKLM\SYSTEM\MountedDevices: list of mounted devices
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\: similar
- HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR: additional information about mounted USB storage devices
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\GUID: recent network configuration
- HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\GUID: wireless configuration
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist: recent user access, though ROT13ed!
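Since the UserAssist key is the one entry in that list that is obfuscated, here is an added Python example (not from these notes) of decoding it: the value names are ROT13-encoded program paths, and the value data carries a run count and a last-executed FILETIME. The 72-byte value layout used since Windows 7 (run count at offset 4, focus count at 8, focus time in milliseconds at 12, FILETIME at 60) is assumed from its public descriptions, and the sample name and blob are constructed rather than taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_name(value_name: str) -> str:
    """Value names under UserAssist\\{GUID}\\Count are ROT13-encoded program paths (ROT13 is its own inverse)."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_value(data: bytes) -> dict:
    """Parse the 72-byte value data used since Windows 7.
    Assumed layout: run count at +4, focus count at +8, focus time (ms) at +12, last-run FILETIME at +60."""
    if len(data) < 68:
        raise ValueError(f"expected at least 68 bytes of UserAssist data, got {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,  # 0 = never recorded
    }


# Constructed sample (not from a real hive): the ROT13 name of wordpad.exe (real entries usually start
# with a known-folder GUID instead of a drive letter) and a blob with 5 runs, 3 focus events,
# 2 minutes of focus time and a last run on 2022-03-31 05:59:20 UTC.
SAMPLE_NAME = r"P:\Cebtenz Svyrf\Jvaqbjf AG\Npprffbevrf\jbeqcnq.rkr"
SAMPLE_VALUE = (
    struct.pack("<IIII", 0, 5, 3, 120_000)    # session, run count, focus count, focus ms
    + b"\x00" * 44                             # ten floats + padding, not used here
    + struct.pack("<Q", 132931799600000000)    # FILETIME of 2022-03-31 05:59:20 UTC
    + b"\x00" * 4
)


def describe(name: str, data: bytes) -> str:
    v = parse_userassist_value(data)
    when = v["last_run"].strftime("%Y-%m-%d %H:%M:%S") if v["last_run"] else "never"
    return f"{decode_userassist_name(name)}: run {v['run_count']}x, last {when}"


if __name__ == "__main__":
    print(describe(SAMPLE_NAME, SAMPLE_VALUE))
```

A FILETIME of zero is left as “never” rather than turned into 1601-01-01, which is the usual tell that a tool decoded an empty field.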
There are various resources online listing registry keys of interest; I’ll post links to some of them on the course schedule page. (Feel free to post other you might find on CampusWire.)
Again, various tools are available to parse the registry forensically.
To use EZ Tools, save those registry files in a directory, perhaps called “registries”, and then give RECmd a search string:
dotnet RECmd.dll -d registries --sa "usbstor"
You’ll get a ton of output; here’s one part of it:
Key: ControlSet001\Control\DeviceClasses\{10497b1b-ba51-44e5-8318-a65c837b6661}\##?#SWD#WPDBUSENUM#_??_USBSTOR#Disk&Ven_USB&Prod_DISK&Rev_1.00#7&f47f513&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{10497b1b-ba51-44e5-8318-a65c837b6661}, Value: DeviceInstance, Data: SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_USB&Prod_DISK&Rev_1.00#7&f47f513&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Above, in the LNK file we saw that the E: drive was called “SCANS”. Let’s try searching for that.
dotnet ../All_6/RECmd/RECmd.dll -d registries-old --sa "SCANS"|grep FriendlyName
Key: ControlSet001\Enum\SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_USB&Prod_DISK&Rev_1.00#7&6002f59&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}, Value: FriendlyName, Data: SCANS
Key: ControlSet001\Enum\SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_USB&Prod_DISK&Rev_1.00#7&f47f513&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}, Value: FriendlyName, Data: SCANS
Every USB device has a serial number. If you plug one into your Mac, you can run this command to see its info:
system_profiler SPUSBDataType
Flash Drive:
Product ID: 0xef18
Vendor ID: 0xcd12
Version: 1.00
Serial Number: 9BFE648101C4F448
I plugged the same USB into my Windows machine, and so I can find that in the registry:
dotnet RECmd.dll -d registries --sa "9BFE648101C4F448"
Found 5 search hits in registries-old/SYSTEM
Key: ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\##?#USB#VID_CD12&PID_EF18#9BFE648101C4F448#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Key: ControlSet001\Enum\USB\VID_CD12&PID_EF18\9BFE648101C4F448
Key: ControlSet001\Control\DeviceContainers\{9da61ae5-8649-5542-b65a-5b466a4f46b6}\BaseContainers\{9da61ae5-8649-5542-b65a-5b466a4f46b6}, Value: USB\VID_CD12&PID_EF18\9BFE648101C4F448
Key: ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\##?#USB#VID_CD12&PID_EF18#9BFE648101C4F448#{a5dcbf10-6530-11d2-901f-00c04fb951ed}, Value: DeviceInstance, Data: USB\VID_CD12&PID_EF18\9BFE648101C4F448
Key: ControlSet001\Enum\USB\VID_CD12&PID_EF18\9BFE648101C4F448\Device Parameters, Value: SymbolicName, Data: \??\USB#VID_CD12&PID_EF18#9BFE648101C4F448#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
You can look up vendor numbers on this site: example 1 and example 2
Partial printer files
.SPL files are spool files, that is, the file Windows creates when preparing to send a document to a printer. Find the EMF marker, then go back 41 bytes and carve from there.
Then you have an EMF file, which is an Enhanced Windows Metafile. These are most easily viewed on Windows, since they are typically parsed with Windows API functions.
r/r 95702-128-3: Windows/System32/spool/PRINTERS/FP00003.SHD
r/r 95655-128-3: Windows/System32/spool/PRINTERS/FP00003.SPL
r/- * 0: Windows/System32/spool/PRINTERS/FP00003.SPL
icat -o 206848 case.dd 95655 > FP00000.SPL
Note that there is a spool header in front of the EMF that you have to remove: everything up through offset 0x37 goes, so the EMF data starts at offset 0x38.
(base) brian@wpa014 case-demo % hexdump -C FP00000.SPL|head
00000000 00 00 01 00 30 00 00 00 10 00 00 00 00 00 00 00 |....0...........|
00000010 46 00 75 00 6c 00 6c 00 20 00 70 00 61 00 67 00 |F.u.l.l. .p.a.g.|
00000020 65 00 20 00 70 00 68 00 6f 00 74 00 6f 00 00 00 |e. .p.h.o.t.o...|
00000030 0c 00 00 00 78 20 04 00 01 00 00 00 84 00 00 00 |....x ..........|
00000040 00 00 00 00 00 00 00 00 fe 18 00 00 ce 12 00 00 |................|
00000050 00 00 00 00 00 00 00 00 dc 69 00 00 b0 4f 00 00 |.........i...O..|
00000060 20 45 4d 46 00 00 01 00 78 20 04 00 0e 00 00 00 | EMF....x ......|
00000070 01 00 00 00 0c 00 00 00 6c 00 00 00 00 00 00 00 |........l.......|
00000080 00 19 00 00 d0 12 00 00 0f 01 00 00 cc 00 00 00 |................|
00000090 00 00 00 00 00 00 00 00 00 00 00 00 55 22 04 00 |............U"..|
If you remove it properly, then “EMF” (45 4d 46) appears at byte 0x29.
with open("FP00003.SPL", "rb") as spl:
    data = spl.read()
with open("f.emf", "wb") as emf:
    emf.write(data[0x38:])  # drop the 0x38-byte spool header; the EMR_HEADER record starts at 0x38
hexdump -C FP00000.SPL.emf|head
00000000 01 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 fe 18 00 00 ce 12 00 00 00 00 00 00 00 00 00 00 |................|
00000020 dc 69 00 00 b0 4f 00 00 20 45 4d 46 00 00 01 00 |.i...O.. EMF....|
00000030 78 20 04 00 0e 00 00 00 01 00 00 00 0c 00 00 00 |x ..............|
00000040 6c 00 00 00 00 00 00 00 00 19 00 00 d0 12 00 00 |l...............|
00000050 0f 01 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 55 22 04 00 65 1c 03 00 50 00 72 00 |....U"..e...P.r.|
00000070 69 00 6e 00 74 00 20 00 74 00 65 00 73 00 74 00 |i.n.t. .t.e.s.t.|
00000080 00 00 00 00 62 00 00 00 0c 00 00 00 02 00 00 00 |....b...........|
00000090 25 00 00 00 0c 00 00 00 07 00 00 80 25 00 00 00 |%...........%...|
And then you can see the file.
Note it’s not perfect; depending upon the print driver the text in particular is often transcoded in a way that’s not legible.
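The snippet above hard-codes the 0x38 offset for this one spool file. As an added example (not from these notes), here is a Python carver that applies the general rule instead: locate the “ EMF” signature, back up to the start of the EMR_HEADER record (the signature field sits at offset 40 of that record, which is the “go back 41 bytes from EMF” rule), and then decode the header fields so you can sanity-check the carve before opening it on Windows. The EMR_HEADER layout follows the MS-EMF specification; the sample bytes are transcribed from the two hexdumps above and are therefore only the first 0xA0 bytes of the EMF, so the record walker also shows how to stop cleanly on truncated data.

```python
import struct
import sys

EMF_SIGNATURE = b" EMF"   # 0x464D4520 stored little-endian; the field is at offset 40 of EMR_HEADER
SIGNATURE_OFFSET = 40     # record start = 40 bytes before the space, i.e. 41 bytes before the "E"

# Constructed sample: the 0x38-byte spool header (document name "Full page photo") followed by
# the first 0xA0 bytes of the EMF, both transcribed from the hexdumps in these notes.
SAMPLE_SPL = bytes.fromhex(
    "00000100 30000000 10000000 00000000"
    "46007500 6c006c00 20007000 61006700"
    "65002000 70006800 6f007400 6f000000"
    "0c000000 78200400"
    # --- EMF data starts here (spool offset 0x38) ---
    "01000000 84000000 00000000 00000000"
    "fe180000 ce120000 00000000 00000000"
    "dc690000 b04f0000 20454d46 00000100"
    "78200400 0e000000 01000000 0c000000"
    "6c000000 00000000 00190000 d0120000"
    "0f010000 cc000000 00000000 00000000"
    "00000000 55220400 651c0300 50007200"
    "69006e00 74002000 74006500 73007400"
    "00000000 62000000 0c000000 02000000"
    "25000000 0c000000 07000080 25000000"
)


def carve_emf(spl: bytes) -> bytes:
    """Find the EMF signature in spool data and return everything from the EMR_HEADER onward."""
    sig = spl.find(EMF_SIGNATURE)
    if sig < SIGNATURE_OFFSET:
        raise ValueError("no EMF header signature found in spool data")
    start = sig - SIGNATURE_OFFSET
    rec_type = struct.unpack_from("<I", spl, start)[0]
    if rec_type != 1:  # EMR_HEADER is record type 1
        raise ValueError(f"record at 0x{start:x} has type {rec_type}, not EMR_HEADER")
    return spl[start:]


# 88-byte fixed part of EMR_HEADER: type, size, bounds(4), frame(4), signature, version, bytes,
# records, handles, reserved, nDescription, offDescription, nPalEntries, device cx/cy, mm cx/cy
EMR_HEADER_FMT = "<II4i4iIIIIHHIIIIIII"


def parse_emf_header(emf: bytes) -> dict:
    """Decode the EMR_HEADER fields plus the UTF-16 description string it points at."""
    f = struct.unpack_from(EMR_HEADER_FMT, emf, 0)
    (rec_type, rec_size), bounds, frame = f[0:2], f[2:6], f[6:10]
    (signature, version, nbytes, nrecords, nhandles, _reserved,
     ndesc, offdesc, _npal, devx, devy, mmx, mmy) = f[10:]
    if rec_type != 1 or signature != 0x464D4520:
        raise ValueError("not an EMR_HEADER record")
    desc = emf[offdesc:offdesc + 2 * ndesc].decode("utf-16-le").rstrip("\x00")
    return {
        "record_size": rec_size, "version": version, "bytes": nbytes, "records": nrecords,
        "handles": nhandles, "bounds": bounds, "frame": frame, "device_px": (devx, devy),
        "millimeters": (mmx, mmy), "description": desc,
    }


def walk_records(emf: bytes):
    """Return (offset, type, size) for each record; stop cleanly when the data is truncated."""
    out, off = [], 0
    while off + 8 <= len(emf):
        rec_type, rec_size = struct.unpack_from("<II", emf, off)
        if rec_size < 8 or off + rec_size > len(emf):
            break
        out.append((off, rec_type, rec_size))
        off += rec_size
    return out


if __name__ == "__main__":
    # Usage: python carve_emf.py [input.spl [output.emf]]; defaults to the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPL
    emf = carve_emf(data)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(emf)
    print(parse_emf_header(emf))
    print(walk_records(emf)[:5])
```

On the sample, the header reports 14 records and 270,456 bytes of metafile (0x042078, the same value the spool header carries at offset 0x34), a 6400×4816 pixel device and a 271×204 mm page, and the description “Print test”; a record count or byte count that disagrees with what you actually carved is a quick sign the spool file was truncated or the carve started in the wrong place.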
Browser information
Depending upon the version of Windows, the browser information (cache, users-typed URLs, etc.) lives in various places. Tools exist to parse and extract relevant information.
Firefox (and many, many other tools) use SQLite to store their data locally. You can explore these files using sqlite directly, or by using a graphical viewer (like http://sqlitebrowser.org/), or programmatically (most programming languages, including Python, include bindings to SQLite).
History files are located in the Edge directory:
r/r 103340-128-3: Users/theodore/AppData/Local/Microsoft/Edge/User Data/Default/History
You can parse them with several tools (including Autopsy), but it’s an SQLite file, so we can browse through it directly (done in class).
select * from urls;
select * from downloads;
select * from keyword_search_terms;
Here’s some slightly more advanced SQL to join info from two tables and convert the date.
SELECT
visits.id,
visit_time,
datetime((visit_time /1000000)-11644473600,'unixepoch' ) AS "datetime" ,
urls.url,
title
FROM visits
JOIN urls
ON visits.url = urls.id
Here’s one line of the result:
12, 13293177152211681, 2022-03-31 05:12:32, https://www.bing.com/images/search?view=detailV2&ccid=W0wIzO8n&id=BE40084C54DD7F605F4420FDA9F39A0706AC98D3&thid=OIP.W0wIzO8nnYlemtXrrouzywHaE8&mediaurl=https%3A%2F%2Fcdn.gottman.com%2Fwp-content%2Fuploads%2F2014%2F08%2F5ThingsZebrasCanTeachUsAboutFightingStress.jpg&cdnurl=https%3A%2F%2Fth.bing.com%2Fth%2Fid%2FR.5b4c08ccef279d895e9ad5ebae8bb3cb%3Frik%3D05isBgea86n9IA%26pid%3DImgRaw%26r%3D0&exph=667&expw=1000&q=zebras&simid=608037317782934860&form=IRPRST&ck=86EBE25E3C2244EBFCDD9AEFFCFA3F4C&selectedindex=6&ajaxhist=0&ajaxserp=0&vt=0&sim=11 , zebras - Bing images
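Here is the same query run programmatically from Python’s built-in sqlite3 module, as an added example that is not part of these notes. It builds an in-memory database with a minimal subset of the Chromium/Edge History schema (only the columns the query touches; the real schema has many more), inserts the visit shown above with a shortened version of its URL, and shows the timestamp conversion both in SQL and in Python: visit_time is microseconds since 1601-01-01 UTC, so dividing by 1,000,000 and subtracting 11,644,473,600 seconds lands on the Unix epoch.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_DELTA_SECONDS = 11644473600  # seconds from 1601-01-01 to 1970-01-01


def webkit_to_datetime(visit_time: int) -> datetime:
    """Chromium-family browsers store visit_time as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=visit_time)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory History database (assumed minimal subset of the real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls   (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    con.execute("INSERT INTO urls VALUES (?, ?, ?)",
                (7, "https://www.bing.com/images/search?q=zebras", "zebras - Bing images"))
    # visit_time value copied from the result line in these notes
    con.execute("INSERT INTO visits VALUES (?, ?, ?)", (12, 7, 13293177152211681))
    con.commit()
    return con


# The query from these notes, with the epoch constant and an ORDER BY added.
HISTORY_QUERY = f"""
SELECT visits.id, visit_time,
       datetime((visit_time / 1000000) - {EPOCH_DELTA_SECONDS}, 'unixepoch') AS "datetime",
       urls.url, title
FROM visits JOIN urls ON visits.url = urls.id
ORDER BY visit_time
"""


def visits_with_times(con: sqlite3.Connection) -> list:
    """Run the join and return plain tuples: (visit id, raw visit_time, UTC string, url, title)."""
    return [tuple(row) for row in con.execute(HISTORY_QUERY)]


if __name__ == "__main__":
    for visit_id, raw, utc, url, title in visits_with_times(build_sample_history()):
        # The Python conversion keeps the microseconds the SQL version truncates.
        print(visit_id, raw, utc, webkit_to_datetime(raw).isoformat(), url, title, sep=" | ")
```

To run this against a real History file, open it with sqlite3.connect() on a copy of the extracted file rather than the original; the browser keeps the live database locked and a write-ahead log alongside it.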
Here’s a pretty good article on more for this topic: https://blog.group-ib.com/forensics_edge
The WebCacheV01.dat file is also parsable, but I don’t have any particular tools to recommend (probably Autopsy does it).
Recycle Bin
d/d 263781-144-1: $Recycle.Bin/S-1-5-18
r/r 263782-128-1: $Recycle.Bin/S-1-5-18/desktop.ini
d/d 101564-144-1: $Recycle.Bin/S-1-5-21-2126189841-3840269279-428953238-1000
r/r 101567-128-1: $Recycle.Bin/S-1-5-21-2126189841-3840269279-428953238-1000/desktop.ini
d/d 103196-144-6: $Recycle.Bin/S-1-5-21-2126189841-3840269279-428953238-1001
r/r 268949-128-1: $Recycle.Bin/S-1-5-21-2126189841-3840269279-428953238-1001/$IEZKLQK.jpg
r/r 105594-128-4: $Recycle.Bin/S-1-5-21-2126189841-3840269279-428953238-1001/$REZKLQK.jpg
r/r 105594-128-9: $Recycle.Bin/S-1-5-21-2126189841-3840269279-428953238-1001/$REZKLQK.jpg:Zone.Identifier
r/r 103197-128-1: $Recycle.Bin/S-1-5-21-2126189841-3840269279-428953238-1001/desktop.ini
Here’s the actual file:
icat -o 0000104448 clone-disk 105594 > REZKLQK.jpg
And here’s how to get the “INFO2” information associated with the recovered file.
% dotnet ../All_6/RBCmd/RBCmd.dll -f IEZKLQK.jpg
The output is as follows:
RBCmd version 1.5.0.0
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/RBCmd
Command line: -f IEZKLQK.jpg
Found 1 files. Processing...
Source file: IEZKLQK.jpg
Version: 2 (Windows 10)
File size: 380,639 (371.7KB)
File name: C:\Users\theodore\Desktop\three_zebras.jpg
Deleted on: 2022-03-31 10:19:25
Processed 1 out of 1 files in 0.0084 seconds
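RBCmd is reading the $I file that Windows writes next to each recycled $R file, and the format is small enough to parse by hand. Here is an added Python example (not from these notes or from RBCmd) that decodes both the version 1 layout (Vista through 8.1: a fixed 260-character path) and the version 2 layout (Windows 10: length-prefixed path) and reproduces the fields RBCmd printed; the sample $I is constructed in code to mirror the output above, not extracted from the image.

```python
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I metadata file: u64 version, i64 original size, u64 deletion FILETIME, then the
    original path (260 fixed UTF-16 chars in version 1, u32 char count + UTF-16 in version 2)."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, deleted_ft = struct.unpack_from("<QqQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)   # includes the terminating NUL
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(deleted_ft), "path": path}


def build_dollar_i(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Construct a $I file for testing (constructed data, not a real recycle-bin artifact)."""
    head = struct.pack("<QqQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(520, b"\x00")[:520]
    return head + struct.pack("<I", len(encoded) // 2) + encoded


# Constructed sample mirroring the RBCmd output above (Windows 10 layout).
SAMPLE_PATH = r"C:\Users\theodore\Desktop\three_zebras.jpg"
SAMPLE_DELETED = datetime(2022, 3, 31, 10, 19, 25, tzinfo=timezone.utc)
SAMPLE_I = build_dollar_i(SAMPLE_PATH, 380639, SAMPLE_DELETED)


def describe(data: bytes) -> str:
    """One-line summary in the style of the RBCmd output."""
    r = parse_dollar_i(data)
    return (f"Version: {r['version']}  File size: {r['size']:,} ({r['size'] / 1024:.1f}KB)  "
            f"Deleted on: {r['deleted']:%Y-%m-%d %H:%M:%S}  File name: {r['path']}")


if __name__ == "__main__":
    print(describe(SAMPLE_I))
    print(describe(build_dollar_i(SAMPLE_PATH, 380639, SAMPLE_DELETED, version=1)))
```

The $I file is the only place the original path and deletion time survive; the $R file is just the renamed content, so if a $I is missing you still have the data but not the provenance.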
Prefetch
EZ Tools will parse Prefetch files for you. But not on a Mac! So I can’t show you the output.
icat -o 104448 image.dd 465 > wordpad.pf
dotnet PECmd.dll -f wordpad.pf
Reminder
Why are we doing all this? Recall from Lecture 01:
A forensic investigation has several goals, depending on the context. Typically, the primary goals are to
- Determine if there is evidence that a crime, tort, or policy violation has been committed;
- Identify the related events and actions that occurred;
- And identify who might be responsible.
In many criminal investigations, the goal of the investigator may additionally include determining the motive and intent of the perpetrator, corroborating alibis of the innocent, and verifying statements of witnesses. Moreover, criminal investigators need to preserve a demonstrable link between the artifacts we find at a crime scene and our later presentation of the evidence in court.
So, given a scenario, you are looking for evidence that supports or refutes that scenario, and possibly digging deeper.