History File Analysis

The document discusses File History in Windows 8. It begins with an introduction to File History, explaining that it is a backup service introduced in Windows 8 that uses the USN Journal to track changes and save file revisions to an external drive. It then covers how File History works, comparing it to the previous Volume Shadow Copy Service. Finally, it discusses analyzing File History forensically by examining the configuration file, registry, and event logs to determine details like when File History last ran and what folders it is backing up.


File History Analysis

Windows 8
Who are we?
Kausar Khizra and Nasa Quba (both):
- Paranoid, Yahoo
- MSDF, UCF
- C|EH, AME, ACE, Security+
- Blogger @ forensicfocus
- Contact: [email protected], [email protected]; LinkedIn
Agenda
- Part 1
  - What is File History (FH)?
  - Why learn FH?
  - How does it work?
  - Comparison of VSS and FH
- Part 2
  - Forensic Analysis
  - Examination of config file, registry and event files
File History Analysis: Part 1
What is File History?
- Backup service introduced in Windows 8
- Built on the USN Journal
- Uses a network or external drive for backup
- Default backup folders:
  - Libraries
  - Desktop
  - Contacts
  - Favorites
Why learn File History?
- Regular user
  - Recover deleted and/or previous version(s) of files/folders
- Forensic examiner
  - Recover deleted and/or previous version(s) of files/folders
  - Find out the external drive in use, which may also contain other important data
File History underlying principle
- $UsnJrnl
- Tools
  - Fsutil
  - JP (Journal Parser) by TZWorks
    jp64.exe -partition C -csv -a > output.csv
Sample USN Journal entry when a .txt file is created
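To make the "underlying principle" concrete, here is an added example (not code from the talk or from TZWorks) that decodes raw USN_RECORD_V2 entries, the structure $UsnJrnl:$J is made of, and picks out the files whose content changed and was closed, which is the kind of event a journal-driven backup such as File History reacts to. The journal bytes are constructed inline so the script runs offline; the selection rule in `files_to_back_up` is an illustration of the idea, not File History's actual code, and the file reference numbers and USNs are made-up values.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header as laid out in winioctl.h (little-endian, 60 bytes):
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
_HEADER = struct.Struct("<IHHQQQQIIIIHH")

# Subset of the USN_REASON_* flags from winioctl.h
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
DATA_CHANGE_REASONS = {"DATA_OVERWRITE", "DATA_EXTEND", "DATA_TRUNCATION", "FILE_CREATE"}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used to build the constructed sample."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_usn_record(buf, offset=0):
    """Decode one USN_RECORD_V2 that starts at `offset` in `buf`."""
    (rec_len, major, minor, frn, parent_frn, usn, ts, reason, _source,
     _sec_id, attrs, name_len, name_off) = _HEADER.unpack_from(buf, offset)
    if major != 2:
        raise ValueError(f"unsupported USN record version {major}.{minor}")
    name = buf[offset + name_off: offset + name_off + name_len].decode("utf-16-le")
    return {
        "record_length": rec_len,
        "usn": usn,
        "file_reference": frn,
        "parent_reference": parent_frn,
        "timestamp": filetime_to_datetime(ts),
        "reasons": sorted(n for bit, n in USN_REASONS.items() if reason & bit),
        "attributes": attrs,
        "file_name": name,
    }


def parse_usn_journal(buf):
    """Walk a buffer of back-to-back USN_RECORD_V2 entries (e.g. a $UsnJrnl:$J extract)."""
    records, off = [], 0
    while off + _HEADER.size <= len(buf):
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len < _HEADER.size:
            break  # zero-filled gap or truncated tail
        records.append(parse_usn_record(buf, off))
        off += rec_len
    return records


def files_to_back_up(records):
    """Illustrative rule (an assumption, not File History's own logic): a file is
    worth copying once its data changed and the handle was closed."""
    changed = {}
    for r in records:
        if "CLOSE" in r["reasons"] and DATA_CHANGE_REASONS & set(r["reasons"]):
            changed[r["file_name"]] = r["timestamp"]
    return changed


def build_usn_record(frn, parent_frn, usn, when, reason, name):
    """Serialise a USN_RECORD_V2 (used only to construct sample data)."""
    name_bytes = name.encode("utf-16-le")
    rec_len = _HEADER.size + len(name_bytes)
    rec_len += (-rec_len) % 8  # records are padded to an 8-byte boundary
    head = _HEADER.pack(rec_len, 2, 0, frn, parent_frn, usn,
                        datetime_to_filetime(when), reason, 0, 0, 0x20,
                        len(name_bytes), _HEADER.size)
    return head + name_bytes + bytes(rec_len - _HEADER.size - len(name_bytes))


# Constructed sample journal: FHtest.txt is created and written, then a second
# file only has its attributes touched (no content change).
T0 = datetime(2013, 10, 3, 16, 3, 0, tzinfo=timezone.utc)
SAMPLE_JOURNAL = b"".join([
    build_usn_record(0x5000000000A3, 0x5000000000A2, 0x1000, T0, 0x00000100, "FHtest.txt"),
    build_usn_record(0x5000000000A3, 0x5000000000A2, 0x1050, T0 + timedelta(seconds=1),
                     0x00000100 | 0x00000002 | 0x80000000, "FHtest.txt"),
    build_usn_record(0x5000000000A4, 0x5000000000A2, 0x10A0, T0 + timedelta(seconds=5),
                     0x00008000 | 0x80000000, "notes.txt"),
])

if __name__ == "__main__":
    for rec in parse_usn_journal(SAMPLE_JOURNAL):
        print(rec["timestamp"], rec["file_name"], rec["reasons"])
    print("would copy:", files_to_back_up(parse_usn_journal(SAMPLE_JOURNAL)))
```

The same parser works on a real `$J` extract (a bytes object read from disk) because records are walked by their own RecordLength field; only the CLOSE-plus-data-change rule is a simplification for the example.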
File History settings
- Save copies: every 10 min, 15 min, 20 min, 30 min, hour, 3 hours, 6 hours, 12 hours, daily
- Size of offline cache: 2%, 5%, 10%, 20%
- Keep saved versions: 1 month, 3 months, 6 months, 9 months, 1 year, 2 years, forever
File History service
Service = fhsvc
File History DLLs
fhcfg.dll, fhcpl.dll, fhsvcctl.dll
How does it work?
- Uses the USN Journal to track changes and saves file revisions to the backup location
- Saves each amended version with the date/time appended to the name. Example:
  - MyABC (2013_10_03 03_37_37).doc
  - MyABC (2013_11_03 04_55_20).doc
File History states
- Turned OFF
- Turned ON
  - Case 1: Media/network drive available/online
  - Case 2: Media/network drive NOT available/online: cache
Where is this cache?
- FH caches when the media is temporarily unavailable
- Location of this cache data:
  C:\Users\(username)\AppData\Local\Microsoft\Windows\FileHistory\Data
Example
- FH is set to run every 10 minutes
- Create a file FHtest.txt at 4:03 p.m.
- Run FH manually without media at 4:05 p.m.
- Folder 44 created
Example contd..
- Modified file FHtest.txt and saved it at 4:07 p.m.
- FH runs automatically at 4:15 p.m.
- Folder 45 is created
Example contd..
- No changes were made to the file FHtest.txt for the next 20 minutes (2 events of the FH service)
- No new folders created
Example contd..
- Some changes made to FHtest.txt at 4:38 p.m.
- New folder 48 is created at 4:45 p.m.
- The sequence did not break even when no changes were made
Example contd..
- Now Toshiba (external drive) is inserted and FH runs again at 4:55 p.m.
- All folders disappeared
Example contd..
- Cache emptied into the external drive
- Notice the Date Modified and Date Created
What was there for backup before?
- Volume Shadow Copy Service (VSS)
- Different underlying working principle: block-level backup
Comparison

| Volume Shadow Copy Service | File History |
|---|---|
| Block-level backup | File-level backup |
| No limitation on which files/folders on the drive are backed up | Backs up only files under certain folders, i.e. Libraries, Desktop, Contacts and Favorites |
| Good for recovering an older system state (system files) | Good for recovering user files/folders |
| Takes a snapshot of the entire file system and saves the modified content only | Employs the USN journal feature of NTFS |
| Typically saves the copies on the local disk | Meant to save the copies on external storage media |
| Does support cloud drives | Does not support backing up cloud sync drives, e.g. Google Drive (OneDrive is the exception) |
Is VSS gone completely?
No, this service is still running on Windows 8.
Why the confusion then?
- The feature to recover the older versions is no longer there
- But Windows 8 still uses VSS to create restore points and restore the system
File History Analysis: Part 2
Forensic analysis
- Config file examination
- Registry examination
- Event log examination
- File History folder/file timestamps
Inquisitive aspect
- When did FH first run?
- When did FH last run?
- What is the current state of the service: ON/OFF?
- What is the name and type of device used for backup?
- What is the time set for the automatic trigger?
- Which folders are excluded?
- What is the retention policy?
- When did FH last copy files?
When did the File History first run?
File History files/folders timestamps (date created/date modified):

C:\Users\Username\AppData\Local\Microsoft\Windows\FileHistory
    Configuration\
        Catalog1.edb
        Catalog2.edb
        Config1.xml
        Config2.xml
    Data\
Examination of a sample config file
C:\Users\Username\AppData\Local\Microsoft\Windows\FileHistory\Configuration\Config1.xml
Which folders are excluded?
- Library (Documents, Music, Pictures, Videos), Favorites, Contacts, Desktop, OneDrive (not the old SkyDrive)
- <FolderExclude>C:\Users\NasaQ\Desktop</FolderExclude>
- <FolderExclude>C:\Users\NasaQ\OneDrive</FolderExclude>
- <FolderExclude>C:\Users\NasaQ\Downloads</FolderExclude>
- <LibraryExclude>*491e922f-5643-4af4-a7eb-4e7a138d8174</LibraryExclude>
- <LibraryExclude>*a990ae9f-a03b-4e80-94bc-9912d7504104</LibraryExclude>
- <LibraryExclude>*7b0db17d-9cd2-4a93-9733-46cc89022e7c</LibraryExclude>
Which folders are excluded? contd..
The GUID in a LibraryExclude entry resolves to a known folder under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{491E922F-5643-4af4-A7EB-4E7A138D8174}
What is the current state of the FH service: ON or OFF?
What is the name and type of device used for backup?
What is the time set for the automatic trigger?
Frequency of the File History service run. The time is in seconds. By default, DPFrequency is 3600 (60*60 = 1 hr).
What is the retention policy?
- By default it is 'Forever', which means the retention policy is disabled:
<RetentionPolicies>
  <RetentionPolicyType>DISABLED</RetentionPolicyType>
  <MinimumRetentionAge>24</MinimumRetentionAge>   (value is in months)
</RetentionPolicies>
- If one changes the policy to 1 year, it is reflected in the config file as follows:
<RetentionPolicies>
  <RetentionPolicyType>AGELIMIT</RetentionPolicyType>
  <MinimumRetentionAge>12</MinimumRetentionAge>
</RetentionPolicies>
When did the File History last copy files?
Registry examination:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FileHistory
When did the File History last copy files? contd..
Decoding the 64-bit ProtectedUpToTime value
ProtectedUpToTime zeroes out
When did the File History last run?
- Case 1: last copied time = FH last run time
- Case 2: last copied time != FH last run time
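The config and registry questions above (excluded folders, retention policy, DPFrequency, ProtectedUpToTime) can be answered by a small triage script. The following is an added example, not code from the talk: it parses a constructed Config1.xml fragment built from the element names shown in the slides (the root element name is an assumption), maps a LibraryExclude GUID to its FolderDescriptions key, and decodes an 8-byte ProtectedUpToTime value. That the value is a little-endian Windows FILETIME is an assumption of this example; a value of all zeros is reported as "no protection point", matching the "zeroes out" case.

```python
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used to build the constructed sample."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


# Constructed Config1.xml fragment. FolderExclude, LibraryExclude, RetentionPolicies,
# RetentionPolicyType, MinimumRetentionAge and DPFrequency are the element names from
# the slides; the DataProtectionUserConfig root is an assumption for this example.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<DataProtectionUserConfig>
  <FolderExclude>C:\Users\NasaQ\Desktop</FolderExclude>
  <FolderExclude>C:\Users\NasaQ\OneDrive</FolderExclude>
  <FolderExclude>C:\Users\NasaQ\Downloads</FolderExclude>
  <LibraryExclude>*491e922f-5643-4af4-a7eb-4e7a138d8174</LibraryExclude>
  <LibraryExclude>*a990ae9f-a03b-4e80-94bc-9912d7504104</LibraryExclude>
  <LibraryExclude>*7b0db17d-9cd2-4a93-9733-46cc89022e7c</LibraryExclude>
  <RetentionPolicies>
    <RetentionPolicyType>DISABLED</RetentionPolicyType>
    <MinimumRetentionAge>24</MinimumRetentionAge>
  </RetentionPolicies>
  <DPFrequency>3600</DPFrequency>
</DataProtectionUserConfig>
"""
# The same file after the user selects a 1-year retention policy.
SAMPLE_CONFIG_ONE_YEAR = (SAMPLE_CONFIG
    .replace("<RetentionPolicyType>DISABLED</RetentionPolicyType>",
             "<RetentionPolicyType>AGELIMIT</RetentionPolicyType>")
    .replace("<MinimumRetentionAge>24</MinimumRetentionAge>",
             "<MinimumRetentionAge>12</MinimumRetentionAge>"))

FOLDER_DESCRIPTIONS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                       r"\Explorer\FolderDescriptions")


def _local(tag):
    """Strip an XML namespace prefix so the parser works with or without one."""
    return tag.rsplit("}", 1)[-1]


def summarize_config(xml_text):
    """Pull the examiner-relevant settings out of a Config1.xml document."""
    root = ET.fromstring(xml_text)
    out = {"excluded_folders": [], "excluded_libraries": [],
           "retention": None, "frequency_seconds": None}
    policy_type, age_months = None, None
    for el in root.iter():
        name, text = _local(el.tag), (el.text or "").strip()
        if name == "FolderExclude":
            out["excluded_folders"].append(text)
        elif name == "LibraryExclude":
            out["excluded_libraries"].append(text.lstrip("*"))
        elif name == "RetentionPolicyType":
            policy_type = text
        elif name == "MinimumRetentionAge":
            age_months = int(text)
        elif name == "DPFrequency":
            out["frequency_seconds"] = int(text)
    if policy_type == "DISABLED":
        out["retention"] = "forever"
    elif policy_type == "AGELIMIT" and age_months is not None:
        out["retention"] = f"{age_months} months"
    else:
        out["retention"] = f"unknown ({policy_type})"
    return out


def library_registry_key(guid):
    """FolderDescriptions key for a known-folder GUID taken from a LibraryExclude
    entry (registry key names are case-insensitive)."""
    return f"{FOLDER_DESCRIPTIONS}\\{{{guid}}}"


def decode_protected_up_to_time(raw):
    r"""Decode the 8-byte ProtectedUpToTime value read from
    HKCU\Software\Microsoft\Windows\CurrentVersion\FileHistory.
    Assumed to be a little-endian FILETIME; all zeros = no protection point."""
    if len(raw) != 8:
        raise ValueError("ProtectedUpToTime must be 8 bytes")
    ft = struct.unpack("<Q", raw)[0]
    return None if ft == 0 else filetime_to_datetime(ft)


# Constructed registry value: last copy at 2013-11-03 04:55:20 UTC.
SAMPLE_PROTECTED_UP_TO = struct.pack(
    "<Q", datetime_to_filetime(datetime(2013, 11, 3, 4, 55, 20, tzinfo=timezone.utc)))

if __name__ == "__main__":
    print(summarize_config(SAMPLE_CONFIG))
    print(library_registry_key("491e922f-5643-4af4-a7eb-4e7a138d8174"))
    print(decode_protected_up_to_time(SAMPLE_PROTECTED_UP_TO))
    print(decode_protected_up_to_time(bytes(8)))
```

On a live system the raw bytes would come from a registry export or a `winreg.QueryValueEx` call and the XML from the Configuration folder shown above; the decoded ProtectedUpToTime is then compared with the Data folder timestamps to tell the "last copied = last run" case from the "last copied != last run" case.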
Event log analysis
- Event Viewer, or
- Under Advanced settings
Event log analysis contd..
The End – Thank you!
Question/Comments?
