Windows 10 Forensics
In this article, we are going to take a close look at the fundamentally new sources of digital evidences that are typical for the new version of the Windows 10 operating system, such as Notification center, new browser Microsoft Edge and digital personal assistant Cortana. Also, we will study some of the sources that were in the previous versions of the operating system, but format of which was changed, for example, Prefetch-files. We are going to study in details the important source of the digital evidences, which appeared in the Windows XP operating system and that is used in the new version of the operating system – Volume Shadow Copy Service.
Windows 10 Notification Сenter
The Notification center that appeared in the new version of Windows allows programs to display messages on the screen just like it happens in the operating systems of mobile devices. These messages, of course, can contain valuable information for the forensic analysis.
These messages are stored at the file appd.dat, which is located in the following catalog:
<System_partition>\Users\<UserName>\AppData\Local\Microsoft\Windows\Notifications
The analysis of the file via hex-viewer shows that the records about notifications are kept in the XML format (ref. Figure 1).
Figure 1. Fragment of the file appdb.dat opened in the hex-viewer of the AccessData FTK Imager program
As it can be seen on the Figure 1, the XML markup version 1.0 and encoding UTF-8 are used. In this case, there is a notification about received message on the social network “Vkontakte”. The most valuable information is contained in the descriptors <image> and <text>. The descriptor <image> contains the link to the image of a user’s profile who sent the message. The descriptor <text> contains the name of the sender and text of the message. It worth mentioning that there is a set of meandering symbols instead of text on the Figure 1 as the hex-viewer does not support UTF-8 encoding. In order to decode text in <text> descriptors, you can use even some online services, for example https://www.artlebedev.ru/tools/decoder/.
Microsoft Edge web-browser
Starting from the Internet Explorer 10, Microsoft developers changed the format of data storing. They replaced index.dat, which was familiar to the most forensic experts, with the database in the ESE format that is stored in the file WebCacheV01.dat.
In spite of the fact that with the release of Windows 10 the developers introduced web-browser – Microsoft Edge, which had code name «Spartan», the traditional for Windows operating system browser Internet Explorer (version 11) still exists, its browsing history is stored in the following catalog:
<System_partition>\Users\<UserName>\AppData\Local\Microsoft\Windows\WebCache
File WebCacheV01.dat, which is stored in the abovementioned catalog, contains not only the browsing history of Internet Explorer, but also the browsing history of the new browser Microsoft Edge. Additionally it stores information about cookies. This database can be in the «Dirty Shutdown» state and it can be an obstacle for the forensic analysis of the data. In order to find out in what state it is, an expert can use the utility esentutl.exe that can be found in the following catalog:
<System_partition>\Windows\System32
In order to receive the information about the database an expert needs to copy the catalog \WebCache to the workstation then open it and put the following command in the command prompt:
esentutl /mh WebCacheV01.dat
On the Figure 2, it can be seen that command output contains, besides the rest of the information, information about current directory, in our case we can see that database is on the «Dirty Shutdown» state (ref. Figure 2).
Figure 2. The result of esentult using with the key /mh
In order to turn the database into the «Clean Shutdown» state, an expert needs to put log-files into it. It can be done by the following command:
esentutl /r V01 /d
The key /d is used in order to command the utility to look for the log-files only in the current directory. When the utility esentutl.exe will be run for the second time with the key /mh, the value of the “State” will be changed into «Clean Shutdown».
Software ESEDatabaseView developed by NirSoft can be used for browsing the database content. In order to get the general information about the types of information contained in the database, an expert needs to go to the table “Containers». In our case, the database contains 28 containers (ref. Figure 3).
Figure 3. Table «Containers» of the WebCacheV01.dat database opened with NirSoft ESEDatabaseView
As it can be seen on the Figure 3, the information about visited web-pages is contained in the containers 2, 14, 15 and 21. This table contains not only the information about the containers, but also the paths to the files with data.
The values of time stamps in this database have to be converted into hexadecimal form and then decoded via, for example, DCode program using the format «Windows: 64 bit Hex Value – Big Endian».
It should be mentioned that the information about web-pages that a user had visited in the «InPrivate» mode is contained in the same containers. These pages have value «8» in the column «Flags» [Muir 2015].
Information about user’s downloads is stored in the container 22 that has name «iedownload». Information in this container is in the hexadecimal form and has to be converted into ASCII.
Files that were cached by the browser are stored in the following catalog:
<System_partition>\Users\<UserName>\AppData\Local\Packages\Microsoft.MicrosoftEdge_***\AC\#!001\MicrosoftEdge\Cache\
Data extraction from the files for analysis in the automatic mode can be done via, for example, Belkasoft Evidence Center.
Cortana
Personal assistant Cortana was realized in the Windows 8 as an application. With the realize of the new version of the operating system Cortana became a part of the system. Even though, the personal assistant is not available in Russian now, an expert needs to understand what kind of artefacts can be found during the analysis.
Information about the usage of the digital personal assistant is stored in the databases in the ESE format – IndexedDB.edb and CortanaCoreDb.dat, which are located in the following catalogs:
<System_partition>\Users\<UserName>\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\
<System_partition>\Users\<UserName>\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\
The first database contains information about data that was indexed by Cortana, the second one contains information about interaction between a user and assistant. It should be mentioned that time stamps of the second database are in the Google Chrome Value format and can be decoded via, for example, Digital Detective DCode.
Prefetch-files
As it is known, Prefetch-files contain metadata (data definitions), which are very important for a digital forensic analysis or computer forensic analysis. For example, these files contain information about the last run of the program and information about how many times it was run. Also by the analysis of prefetch-files, an expert can find out from which logical drive a program was run (including the information about the volume serial number), and get a list of DLL and other files that were used.
Prefetch-files in the Microsoft Windows 10 operating system are still contained in the catalog \Windows\Prefetch\ and have «.pf» extension, but as it was noticed by Francesco Picasso [Picasso 2015: Electronic resource], their format was changed.
Figure 4. Fragment of the VK.EXE-570D9FDD.pf file opened via hex-editor 0xED
As it can be seen on the Figure 4, the files have «MAM» signature and there are no strings. The fact is that the Xpress Huffman algorithm is used for compressing of the files. Francesco Picasso in his article shows the script that was written on the Python programming language and it allows to extract Prefetch-file of the new format. The script can be downloaded from the following link: https://gist.github.com/dfirfpi/113ff71274a97b489dfd.
It should be mentioned that the Microsoft Windows version 8.1 or higher has to be used in order to run the script. A specialized software, for example, Mitec Windows File Analyzer, can be used for extraction data from the file.
Volume Shadow Copy Service
As it is known, volume shadow copy service appeared with the release of the Windows XP operating system. In the Windows XP it allowed to make system recovery via so-called « recovery point» to the previous state of the operating system and it was a valuable source of the information in the context of the forensic analysis as it allowed to recover the previous state of the operating system register. With the release of Windows Vista operating system volume shadow copies start to contain not only the previous versions of the system files, but also they contained user’s data. In the new version of the operating system, this service is still a valuable source of the information for the forensic analysis.
The command prompt (with admin permission) can be used in order to check the list of the shadow copies on the working system. An expert needs to input the command vssadmin list shadows (ref. Figure 5).
Figure 5. Example of the vssadmin list shadows command output
There are programs with a graphical user interface, for example, Shadow Explorer (ref. Figure 6).
Figure 6. List of the shadow copies displayed via Shadow Explorer program
Of course an expert rarely has an access to the working system, usually it happens during crime scene investigation or search incident. Shadow copies can be extracted by VHD method that was offered by Harlan Carvey (ref. Carvey 2014).
First of all, it is required to convert the image (it is better to make bit-stream copy of a system partition separetly) into VHD format (Virtual Hard Disk), via utility vhdtool.exe.
This file has to be mounted in the mode « read-only» in the «Control panel».
An expert can check how many shadow copies there are via the utility vssadmin.exe (for example: vssadmin list shadows /for=n, where n is a letter of the mounted system partition image).
In order to get an access to the files, an expert needs to create a link to the shadow copy that will be analysed. It can be done with a command mklink (for example, mklink /d C:\<mount point> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\, a value after mount point can be copied from vssadmin). Then an expert will be able to work with the files stored in the shadow copy.
In this article, we took a close look at the most valuable for forensic analysis artefacts, which appeared in the Microsoft Windows 10 operating system and those appeared in the previous versions of the operating system but still relevant.
References
1. Muir, B. Windows 10 – Cortana & Notification Center Forensics. – 2015. – URL: http://bsmuir.kinja.com/windows-10-cortana-notification-center-forenics-1724511442
2. Muir, B. Windows 10 – Microsoft Edge Browser Forensics. – 2015. – URL: http://bsmuir.kinja.com/windows-10-microsoft-edge-browser-forensics-1733533818
3. Picasso, F. A first look at Windows 10 prefetch files. – 2015. – URL: http://blog.digital-forensics.it/2015/06/a-first-look-at-windows-10-prefetch.html
4. Carvey, H. Windows Forensic Analysis Toolkit, 4th Edition. Advanced Analysis Techniques for Windows 8. – Waltham: Syngress, 2014. – 350 p.
Comentários
Postar um comentário