Windows 8 Forensics & Anti- Forensics Mike Spalding Twitter: @fatherofmaddog <Insert Witty Job Title Here>
Disclaimer
Use this information at your own risk!
I am not your lawyer, expert witness, or your priest. If you use this information while committing a crime you have only yourself to blame. Blame your parents for anything else that you feel you did not get/receive when you were a kid.
Blah, blah, blah, blah, blah, blah!
Thank You’s
I need to thank a few people for helping me with this. They helped to shave time and effort on this.
Tyler Smith – @bobbyMcSmathers
Dave Normand – AccessData
Lt. Pete Martin – Yolo County DA’s Office
Just a quick Primer on Windows Forensics over the years.
• Pre Windows Vista
−Windows XP and before have a more similar feel when it comes to forensics: similar registries, event IDs, similar folders and files, etc.
• Post Windows Vista
−Vista provided a significant change to the environment, so much so that, from a forensic standpoint, XP and Vista could almost be considered unrelated to a certain degree.
• Some things have not changed: Registry – SAM, SYSTEM, SOFTWARE
• Vista, Windows 7, Windows 8 …
−Very much an evolutionary process.
−For the most part few things have moved, but many more things have been added.
Brothers from another mother …
Windows 8 needs to lose some weight
• My initial install was 7.6 GB of 8.0 GB
−Well, that was not enough; I needed to load some office files, Adobe, and general office utilities.
• My secondary action added 10 GB
−Windows then expanded to fill 17.2 GB of the 18 GB (David Blaine must work for MSFT)
• My third action was to add 12 GB
−Finally, I had enough to have some nice free space: 7.5 GB out of 30 GB was left. Huh?
Windows 8 – Brings New Features
• Features that matter to forensic investigators
−Pagefile and Swapfile functions
−Windows 8 To Go
−Windows 8 BitLocker updates
−Windows 8 cloud integration
−Windows 8 thumbnail caching
−Windows 8 PC Refresh
• The biggest concern to an investigator is the data not present on the system
−i.e. cloud services scare the forensic person!
It’s a Dog eat Dog World!
Windows 8 – Pagefile & Swapfile
• Pagefile.sys
−Similar to Windows 7 and Vista
−One exception is that many apps are listed as “low priority” in the pagefile; this leaves room for more system-critical apps to run
• Swapfile.sys
−Tweaked to take advantage of “Immersive Applications”
−Suspended apps are flushed into the swap file when memory gets full; this allows an app that has not been in use to open again immediately.
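Both files are raw dumps of whatever the memory manager paged out, so the first pass an examiner makes over pagefile.sys or swapfile.sys is a string sweep. The snippet below is an added example, not code from the original deck: it pulls printable runs in both ASCII and UTF-16LE, because Windows stores most paths, URLs and app state as UTF-16LE and a plain `strings` pass (without `-el`) silently misses them. The byte sample is constructed here to stand in for a slice of swapfile.sys.

```python
import re

# Constructed sample standing in for a chunk of swapfile.sys: padding,
# an ASCII path, a UTF-16LE URL, binary noise and a too-short string.
SAMPLE = (
    b"\x00" * 16
    + b"C:\\Users\\mike\\Documents\\plan.docx"
    + b"\x00\x01\x02\xff"
    + "https://skydrive.live.com/?cid=abc".encode("utf-16le")
    + b"\x7f\x80\x81" * 4
    + b"short"                      # below min_len, must be ignored
)


def extract_strings(data: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for every printable run of at
    least min_len characters, scanning for ASCII and UTF-16LE runs."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text made of ASCII characters is 'c\x00' pairs; a byte-wise
    # ASCII scan sees single letters separated by NULs and drops them.
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)

    hits = []
    for m in ascii_run.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    # Sort by offset so the report reads in file order.
    return sorted(hits)


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print(f"0x{offset:08x} {enc:8s} {text}")
```

Run it against a real swapfile.sys copied out of an image (the file is locked on a live system) and grep the output for paths, URLs and app identifiers; a UTF-16LE hit for a document path with no corresponding file on disk is exactly the kind of lead the slide is talking about.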
Windows 8 – I will take that 2 Go!
• Win8 To Go
−Makes the OS portable
−Allows the OS to be run from a USB drive
−Allows for up to six USB devices
*Military Service Dog not included.
Windows 8 – BitLocker
• Microsoft Drive Encryption
−First bestowed to the world with Vista/Win 2008
−Is a whole-disk encryption system; i.e. while the system is on and the volume is unlocked, the files are accessible in the clear.
• New Encryption Features
−Can be deployed with WinPE or MDT
−Can limit encryption to just used space, which leaves the free space unencrypted (and makes that free space a nice place to search for remnants of deleted files!)
−Better key management for improved recovery, yeah whatever!
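Two checks follow from this slide when an image lands on the bench: is the volume BitLocker at all, and, if it was encrypted with the used-space-only option, which regions still hold readable plaintext? This is an added example, not code from the deck. The boot-sector signature test uses the `-FVE-FS-` OEM ID at offset 3 that BitLocker writes in place of `NTFS    `; the second test for the BitLocker identifier GUID at offset 160 follows my reading of the libbde format documentation and should be treated as an assumption. The entropy helper is a generic plaintext-versus-ciphertext heuristic. All sample sectors and chunks are constructed here.

```python
import math
import random
import uuid


def _sector(oem_id: bytes, guid_at_160: bytes = b"") -> bytes:
    """Build a constructed 512-byte sector 0 with the given OEM ID."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x58\x90"        # x86 jump stub seen on NTFS/BitLocker volumes
    sector[3:11] = oem_id                # 8-byte OEM ID / signature field
    if guid_at_160:
        sector[160:176] = guid_at_160
    sector[510:512] = b"\x55\xaa"        # boot-sector end marker
    return bytes(sector)


# BitLocker identifier GUID; offset 160 is per libbde's documentation (assumption).
BDE_GUID = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001").bytes_le

NTFS_SAMPLE = _sector(b"NTFS    ")
VISTA_BDE_SAMPLE = _sector(b"-FVE-FS-")
WIN8_BDE_SAMPLE = _sector(b"-FVE-FS-", BDE_GUID)


def identify_volume(sector0: bytes) -> str:
    """Classify a volume from its first sector: 'bitlocker', 'ntfs' or 'unknown'."""
    if len(sector0) < 512:
        raise ValueError("need at least one 512-byte sector")
    oem = sector0[3:11]
    if oem == b"-FVE-FS-" or sector0[160:176] == BDE_GUID:
        return "bitlocker"
    if oem == b"NTFS    ":
        return "ntfs"
    return "unknown"


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte, 0.0 for uniform data up to 8.0 for random."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(chunk: bytes, threshold: float = 7.5) -> bool:
    """Ciphertext sits near 8 bits/byte; plaintext, zeroes and slack do not.
    On a used-space-only volume, low-entropy clusters are the unencrypted
    free space worth carving."""
    return shannon_entropy(chunk) >= threshold


# Constructed 4 KiB clusters: one random (stands in for ciphertext), one text, one zeroed.
_rng = random.Random(1)
RANDOM_CLUSTER = bytes(_rng.getrandbits(8) for _ in range(4096))
TEXT_CLUSTER = (b"Quarterly report draft, do not distribute. " * 100)[:4096]
ZERO_CLUSTER = b"\x00" * 4096

if __name__ == "__main__":
    for name, s in (("ntfs", NTFS_SAMPLE), ("vista", VISTA_BDE_SAMPLE), ("win8", WIN8_BDE_SAMPLE)):
        print(name, identify_volume(s))
    for name, c in (("random", RANDOM_CLUSTER), ("text", TEXT_CLUSTER), ("zero", ZERO_CLUSTER)):
        print(name, round(shannon_entropy(c), 2), looks_encrypted(c))
```

Sweeping an image cluster by cluster with `looks_encrypted` and keeping only the low-entropy ones gives you the search space the slide is hinting at: on a used-space-only volume those clusters were never touched by BitLocker.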
Windows 8 – SkyDrive
• Microsoft SkyDrive Integration
−Always been available, but now integrated into the OS directly
−Corporate installs of Win 8 will most likely drop this feature.
* On a Surface device, you can view files, but cannot move them to the RT device from SkyDrive.
Windows 8 – All Thumbs
• Since Vista/Win7 the per-folder thumbs.db has been replaced
−A central thumbcache (thumbcache_*.db under %LocalAppData%\Microsoft\Windows\Explorer) is used to store all thumbnails for the operating system
−In addition, Win8 has several more thumbcache files, split by thumbnail size (thumbcache_16.db, _48.db, _1600.db, _wide.db, etc.). Speculation is that this is to support the touch/tile interface.
• The thumbcache format in Win8 is different from Win7, so currently there are no forensic tools that can decipher the Win8 thumbcache, yet.
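When the container format is not yet understood, the practical fallback is to ignore the record headers and carve the payloads by signature: the thumbnails inside a thumbcache_*.db are ordinary JPEG, PNG and BMP blobs. The carver below is an added example, not code from the deck or any tool it mentions. It constructs its own stand-in cache file (a `CMMM` header whose field layout is deliberately not relied on, plus two entries) and recovers the embedded images from it.

```python
import struct
import zlib


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_tiny_png() -> bytes:
    """Valid 1x1 8-bit grayscale PNG, constructed for the sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")            # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


# Minimal JPEG: SOI, an APP0/JFIF segment, EOI. Not renderable, but it has
# the markers a carver keys on.
TINY_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xd9")

# Constructed stand-in for a thumbcache_*.db: file header, then two entries
# each with an opaque 32-byte header followed by the image payload.
SAMPLE_CACHE = (b"CMMM" + b"\x1a\x00\x00\x00" + b"\x00" * 16
                + b"CMMM" + b"\x00" * 28 + make_tiny_png()
                + b"CMMM" + b"\x00" * 28 + TINY_JPEG
                + b"\x00" * 8)


def carve_images(blob: bytes):
    """Return (offset, kind, data) for each PNG/JPEG/BMP found by signature.
    Each hit is consumed whole so bytes inside one image are never
    re-scanned as the start of another."""
    found = []
    i = 0
    while i < len(blob):
        if blob.startswith(b"\x89PNG\r\n\x1a\n", i):
            end = blob.find(b"IEND", i)
            if end == -1:
                break
            end += 8                                 # IEND type + CRC
            found.append((i, "png", blob[i:end]))
            i = end
            continue
        if blob.startswith(b"\xff\xd8\xff", i):
            end = blob.find(b"\xff\xd9", i + 3)      # EOI marker
            if end == -1:
                break
            end += 2
            found.append((i, "jpeg", blob[i:end]))
            i = end
            continue
        if blob.startswith(b"BM", i) and i + 6 <= len(blob):
            size = struct.unpack_from("<I", blob, i + 2)[0]   # BMP file size field
            if 26 <= size <= len(blob) - i:          # 14-byte header + smallest DIB header
                found.append((i, "bmp", blob[i:i + size]))
                i += size
                continue
        i += 1
    return found


if __name__ == "__main__":
    for off, kind, data in carve_images(SAMPLE_CACHE):
        print(f"0x{off:06x} {kind} {len(data)} bytes")
```

The same loop runs unchanged over a real thumbcache_256.db or thumbcache_wide.db; write each payload to a file named by offset and open it in an image viewer. What you lose without a format parser is the per-entry metadata (the hash that ties a thumbnail back to a path in thumbcache_idx.db), not the pictures themselves.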
Windows 8 – PC Refresh
• Win8 offers a feature called ‘PC Refresh’
−It allows system files to be reinstalled while not affecting the user files located on the system
−You can instead choose to remove everything, and it will quite literally remove all user files.
−This feature is completely automated and the user is asked very few questions.
−From a forensic standpoint, this means that things will probably stay static for this release.
Windows 8 – File History Artifacts
• Win8 has the ability to keep a File History
−This is not to be confused with a shadow copy.
−This cannot be used on cloud services, but can be used on virtual drives (anti-forensics ideas!!)
−A GPO can be used to have all File History stored to a network location or server.
−Located at: C:\Users\<user>\AppData\Local\Microsoft\Windows\FileHistory
−If this folder does not exist, neither does File History.
Windows 8 – ESE Structured DB File
• Win8 has an ESE database (Catalog1.edb / Catalog2.edb in the FileHistory Configuration folder) of filenames, locations, and versions
−This is helpful during investigations. It can show the history of files, depict movement of files, etc.
−This is used when the Restore Files wizard is run.
−This is a great resource for keyword searches or targeted searches looking for a specific image or filename in question.
−Can be parsed with tools like NirSoft’s ESEDatabaseView.
Windows 8 – My new best friend!
• Win8 utilizes an XML config file (Config1.xml, alongside the catalog) that stores the following pieces of information:
−Username, Machine Name, Libraries, Exclude Folders, Location of Config Files, Retention Information, Target Volume Details, Volume Letter, GUID of Volume, Volume Type, UNC Paths, Target Configuration files, and backup storage locations.
−This provides ample information if data is being stored on a flash drive or portable media.
−This can be used to trace machine history in the portable OS (Windows To Go) function.
Windows 8 – Backup Data
• Win8 does not encrypt backup data
−With user history and backup data being made available, we will see that multiple variants of a file are readily available.
−Superseded versions are kept, with the system UTC time of the backup appended to the file name as a version counter (e.g. “report (2013_01_20 14_32_11 UTC).docx”).
−The time stamp allows the Restore wizard to know which version to restore.
−Fortunately for us, it also allows the investigator to view the earlier versions after the fact.
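Because every version is a plain file whose name carries the backup time, reconstructing a document's history is a directory listing and a regular expression. The following is an added example, not code from the deck: it parses the `name (YYYY_MM_DD HH_MM_SS UTC).ext` convention used in the FileHistory Data folder and groups the versions per original file in chronological order. The listing is constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# File History appends the backup's UTC time to superseded versions, e.g.
# "report (2013_01_20 14_32_11 UTC).docx".
VERSION_RE = re.compile(
    r"^(?P<stem>.+?) \((?P<ts>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2}) UTC\)(?P<ext>\.[^.]+)?$"
)

# Constructed directory listing standing in for FileHistory\Data\...\Documents
SAMPLE_LISTING = [
    "report (2013_01_20 14_32_11 UTC).docx",
    "report (2013_01_18 09_05_47 UTC).docx",
    "report (2013_01_21 22_10_03 UTC).docx",
    "budget (2013_01_19 17_00_00 UTC).xlsx",
    "notes.txt",            # not a File History version name
    "desktop.ini",
]


def parse_version_name(name: str):
    """Return (original_filename, backup_time_utc) or None if the name
    does not follow the File History version convention."""
    m = VERSION_RE.match(name)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y_%m_%d %H_%M_%S").replace(tzinfo=timezone.utc)
    return m["stem"] + (m["ext"] or ""), ts


def build_history(names):
    """Map each original filename to its versions, oldest first, as
    (backup_time_utc, versioned_filename) tuples."""
    history = defaultdict(list)
    for name in names:
        parsed = parse_version_name(name)
        if parsed is None:
            continue
        original, ts = parsed
        history[original].append((ts, name))
    for versions in history.values():
        versions.sort()
    return dict(history)


if __name__ == "__main__":
    for original, versions in sorted(build_history(SAMPLE_LISTING).items()):
        print(original)
        for ts, name in versions:
            print("   ", ts.isoformat(), name)
```

Feed it `os.listdir()` of the Data tree from an image (or the copy a GPO pushed to a network share) and diff adjacent versions of the file in question; the timestamps are already UTC, so no time-zone correction is needed before putting them on a timeline.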
Windows 8 – Default to the hard drive
• Win8 will default to the local system if the remote drive or cloud service is not available.
−If a remote resource is unavailable, the file is stored locally on the desktop machine.
−When the remote resource becomes available, the files are synced and the local copy remains on the system.
−The local copy is marked as deleted, but its contents remain in slack space or free space on the local system until overwritten.
−Fortunately for us, this allows the investigator to view those files after the fact.
Windows 8 – Two are better than One
Windows 8 – New Registry Hives
• The Windows registry is useful for investigations, as it contains hardware information, usernames and password hashes:
−Hardware information; thumb drives
−IDs and password hashes
−Internet query details
−Programs installed on the local host
−System information
Windows 8 – New Registry Hives
• ELAM (Early Launch Anti-Malware) hive
−Contains information on file launch times.
−Has details specific to Windows Defender and other AV data.
−The ELAM driver loads before all other third-party boot-start drivers and is designed to prevent bootkit/rootkit malware from loading first.
• BBI Registry File (used with Immersive Applications)
−Leveraged for licensing specific to users and their applications. Uses the logged-on user and time.
Windows 8 – Internet Explorer 10
• New IE 10 Features
−Flip Ahead or “fast forward” allows web pages to be scrolled like book pages.
−This also sends browsing history to Microsoft, to improve the Flip Ahead experience.
−Pin to Start allows the user to pin favorite websites to the Start screen as a tile.
−Implicit/Explicit Sharing allows users to send a link (implicit) or content from a page (explicit)
Windows 8 – IE10
• New IE 10 Features – Continued
−EPM: Enhanced Protected Mode runs tab content in an AppContainer sandbox and, on 64-bit Windows, as 64-bit processes, which gives ASLR a far larger address space to randomize and makes buffer-overflow exploitation harder.
−Application Cache (HTML5 AppCache) lets websites store their resources locally, so pages and Immersive apps load faster and work offline; it is one more local artifact of browsing.
Windows 8 – Anti-Forensics
• Encryption – Yes, the tried and true way of keeping something from someone.
−For all intents and purposes, no one would use BitLocker to protect their data if anti-forensics was a pivotal concern.
−In most cases, someone will use whole-disk encryption along with select file encryption.
−Many people worried about AF have started a practice of encrypting the hard drive twice.
−Some have called into question the security of TrueCrypt as a viable solution.
Windows 8 – Anti-Forensics
• Time Tampering (“timestomping”) – The practice of changing file and folder dates and times.
−A number of tools are available to perform this function. Tool remnants are usually an indicator that tampering to the drive has happened.
• Disk Wiping – The practice of overwriting an entire disk with 1s and 0s.
−This is a very secure method to destroy evidence, but often times it is viewed poorly in court.
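Tool remnants are one indicator of time tampering; the timestamps themselves are another. User-mode tools set times through SetFileTime, which only rewrites the $STANDARD_INFORMATION ($SI) attribute, and most of them take input at whole-second granularity. That leaves two classic tells in the MFT: a $SI timestamp whose 100-nanosecond fraction is exactly zero, and a $SI creation time earlier than the $FILE_NAME ($FN) creation time the file system wrote itself. The code below is an added example, not from the deck or any tool it names. The records are constructed here; in practice the FILETIME values come from an MFT parser.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # FILETIME counts 100 ns intervals


def to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """datetime -> FILETIME; extra_ticks supplies the sub-second 100 ns part."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10 + extra_ticks


def from_filetime(ft: int) -> datetime:
    """FILETIME -> timezone-aware datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def timestomp_indicators(record: dict) -> list:
    """Return the reasons an MFT record's timestamps look tampered with.
    record holds FILETIME ints: si_created, si_modified, fn_created."""
    reasons = []
    for key in ("si_created", "si_modified"):
        # A genuine NTFS timestamp has a zero fraction with probability
        # 1 in 10^7; a stomped one almost always does. Files copied from
        # FAT media carry 2-second granularity, so corroborate before concluding.
        if record[key] % TICKS_PER_SECOND == 0:
            reasons.append(f"{key} has a zero sub-second component")
    # $FN is written by the file system and not exposed to SetFileTime, so a
    # $SI creation time before $FN creation cannot arise from normal use.
    if record["si_created"] < record["fn_created"]:
        reasons.append("$SI created precedes $FN created")
    return reasons


# Constructed records: a genuine file and one whose $SI was back-dated to 2009.
GENUINE = dict(
    name="quarterly.xlsx",
    si_created=to_filetime(datetime(2013, 3, 4, 15, 22, 9, tzinfo=timezone.utc), 4_812_337),
    si_modified=to_filetime(datetime(2013, 3, 9, 8, 1, 50, tzinfo=timezone.utc), 220_915),
    fn_created=to_filetime(datetime(2013, 3, 4, 15, 22, 9, tzinfo=timezone.utc), 4_812_337),
)
STOMPED = dict(
    name="invoice.pdf",
    si_created=to_filetime(datetime(2009, 1, 1, 0, 0, 0, tzinfo=timezone.utc)),
    si_modified=to_filetime(datetime(2009, 1, 1, 0, 0, 0, tzinfo=timezone.utc)),
    fn_created=to_filetime(datetime(2013, 3, 12, 19, 44, 2, tzinfo=timezone.utc), 1_337_000),
)

if __name__ == "__main__":
    for rec in (GENUINE, STOMPED):
        print(rec["name"], from_filetime(rec["si_created"]).isoformat(),
              timestomp_indicators(rec) or "no indicators")
```

Neither test is proof on its own: a determined actor can also patch $FN by renaming the file after stomping, or write the MFT directly. Treat hits as a prompt to pull the $LogFile and USN journal for that record rather than as a conclusion.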
Windows 8 – Anti-Forensics
• Throwing Chaff: To lead the investigator in the wrong direction. Time is usually something that many investigators do not have much of.
Windows 8 – Anti-Forensics
• Disk Destruction – When all else fails, use some gasoline and fire and destroy the evidence.
Shameless Plug
BSides Columbus
January 20th, 2014
Doctors Hospital West
Three Tracks
Keynote Speakers:
Dave Kennedy
Jayson Street
Questions & Comments
@fatherofmaddog