Chapter03 - Windows Forensics

Windows Forensics

Thai Minh Tuan


([email protected])

Slides are adapted from:


[1] Guide to Computer Forensics and Investigations. Sixth Edition. Cengage Learning, 2018, ISBN-13: 978-1-337-56894-4
[2] Practical Guide to Digital Forensics Investigations, Pearson IT Certification, 2020, ISBN-13: 978-0789759917
Outline
● Explain the purpose and structure of file systems
● Describe Microsoft file structures
● Explain the structure of NTFS disks
● Understand file system forensics
● Explain how the Windows Registry works
● Windows Event Log analysis
● Application execution forensics

File Systems
● File system
○ Gives OS a road map to data on a disk
● Type of file system an OS uses determines how data is stored on the disk
● When you need to access a suspect’s computer to acquire or inspect data
○ You should be familiar with both the computer’s OS and file systems

Disk Drives (1 of 3)
● Disk drives are made up of one or more platters coated with magnetic material
● Disk drive components
○ Geometry
○ Head
○ Tracks
○ Cylinders
○ Sectors

Disk Drives (2 of 3)

Disk Drives (3 of 3)

Solid-State Storage (SSD) Devices
● All flash memory devices have a feature called wear-leveling
○ An internal firmware feature used in solid-state drives that ensures even wear of read/writes for all memory cells
● When dealing with solid-state devices, making a full forensic copy as soon as possible is crucial
○ In case you need to recover data from unallocated disk space

Microsoft File Structures
● In Microsoft file structures, sectors are grouped to form clusters
○ Storage allocation units of one or more sectors
● Clusters range from 512 bytes up to 32,000 bytes each
○ Minimizing the overhead of writing or reading files to a disk
● Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT
○ First sector of all disks contains a system area, the boot record, and a file structure database
● OS assigns these cluster numbers, called logical addresses
○ Sector numbers are called physical addresses
● Clusters and their addresses are specific to a logical disk drive
○ A disk partition

Disk Partitions (1 of 3)
● A partition is a logical drive
● Windows OSs can have three primary partitions followed by an extended partition that can contain one or more logical drives
● Hidden partitions or voids
○ Large unused gaps between partitions on a disk
● Partition gap
○ Unused space between partitions

Disk Partitions (2 of 3)
● The partition table is in the Master Boot Record (MBR)
○ Located at sector 0 of the disk drive
● In a hexadecimal editor, such as WinHex, you can find the first partition at offset 0x1BE
○ The file system’s hexadecimal code is offset 3 bytes from 0x1BE for the first partition

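As an added worked example (not code from the slides or the cited books), the following Python parses the partition table the slide describes: it walks the four 16-byte entries that begin at offset 0x1BE, pulls each entry's type code and starting sector, and reports unclaimed sector ranges, which are the partition gaps and hidden voids an examiner would want to inspect. The MBR bytes are constructed inline and the type-name table is a small subset of the standard codes.

```python
import struct

# Constructed sample: a 512-byte MBR whose first entry at 0x1BE is a bootable
# NTFS partition (type 0x07) starting at LBA 2048, followed by a FAT32 entry.
# Entries 3 and 4 are left empty and the boot code area is zero-filled.
SAMPLE_MBR = bytearray(512)
SAMPLE_MBR[0x1BE:0x1CE] = struct.pack(
    "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
SAMPLE_MBR[0x1CE:0x1DE] = struct.pack(
    "<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x0B, b"\xfe\xff\xff", 206848, 409600)
SAMPLE_MBR[510:512] = b"\x55\xAA"  # boot signature

# Type codes an examiner meets most often on Microsoft-formatted disks
PARTITION_TYPES = {
    0x00: "empty", 0x04: "FAT16 (<32 MB)", 0x05: "extended", 0x06: "FAT16",
    0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)", 0x0F: "extended (LBA)", 0xEE: "GPT protective",
}

def parse_mbr(mbr):
    """Return the four partition entries of a 512-byte MBR as dicts.

    Entry layout (16 bytes): +0 boot flag, +1..+3 CHS start, +4 type code,
    +5..+7 CHS end, +8 starting LBA (32-bit), +12 sector count (32-bit).
    """
    if len(mbr) < 512 or bytes(mbr[510:512]) != b"\x55\xAA":
        raise ValueError("no 0x55AA signature at 510: not a valid MBR")
    entries = []
    for i in range(4):
        off = 0x1BE + 16 * i
        boot, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        entries.append({
            "index": i, "offset": off, "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "start_lba": lba, "sectors": count,
            # sector 0 of the partition holds its volume boot record
            "vbr_byte_offset": lba * 512,
        })
    return entries

def partition_gaps(entries):
    """Sector ranges between the MBR and/or consecutive partitions that no
    entry claims: candidates for the partition gaps and hidden partitions
    the slides describe, so worth carving and inspecting."""
    used = sorted((e["start_lba"], e["start_lba"] + e["sectors"])
                  for e in entries if e["type"] != 0x00 and e["sectors"])
    gaps, next_free = [], 1  # sector 0 is the MBR itself
    for start, end in used:
        if start > next_free:
            gaps.append((next_free, start - 1))
        next_free = max(next_free, end)
    return gaps
```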
Disk Partitions (3 of 3)

FAT file system
● File Allocation Table (FAT)
○ File structure database that Microsoft originally designed for floppy disks
● FAT database is typically written to a disk’s outermost track and contains:
○ Filenames, directory names, date and time stamps, the starting cluster number, and file attributes
● Three current FAT versions
○ FAT16, FAT32, and exFAT (used for mobile personal storage devices)
● Cluster sizes vary according to the hard disk size and file system

FAT file system

File Allocation Table (FAT)

File Allocation Table (FAT)
● When you run out of room for an allocated cluster
○ OS allocates another cluster for your file
● As files grow and require more disk space, assigned clusters are chained together
○ The chain can be broken or fragmented
● When the OS stores data in a FAT file system, it assigns a starting cluster position to a file
○ Data for the file is written to the first sector of the first assigned cluster

File Allocation Table (FAT)
● When this first assigned cluster is filled and runs out of room
○ FAT assigns the next available cluster to the file
● If the next available cluster isn’t contiguous to the current cluster
○ File becomes fragmented

Drive Slack
● Microsoft OSs allocate disk space for files by clusters
○ Results in drive slack
■ Unused space in a cluster between the end of an active file’s content and the end of the cluster
● Drive slack includes: RAM slack and file slack
● An unintentional side effect of FAT16 allowing large clusters was that it reduced fragmentation
○ As cluster size increased

Deleting FAT Files
● In Microsoft OSs, when a file is deleted
○ Directory entry is marked as a deleted file
■ With the HEX E5 character replacing the first letter of the filename
■ FAT chain for that file is set to 0
● Data in the file remains on the disk drive
● Area of the disk where the deleted file resides becomes unallocated disk space
○ Available to receive new data from newly created files or other files needing more space

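An added example, not from the slides or the cited books: a parser for one 32-byte FAT directory entry that recognises the 0xE5 deletion marker, decodes the packed DOS date/time fields, and recovers the starting cluster and size that the entry still holds after deletion (only the FAT chain is zeroed, so the first cluster remains recoverable). The sample entry is constructed inline; substituting "_" for the lost first letter is this example's own convention.

```python
import struct
from datetime import datetime

def dos_datetime(date_word, time_word):
    """FAT dates are YYYYYYYMMMMDDDDD (years since 1980); times are
    HHHHHMMMMMMSSSSS with 2-second resolution. Zero means 'not set'."""
    if date_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F,
                    date_word & 0x1F, time_word >> 11,
                    (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def parse_dir_entry(entry):
    """Parse one 32-byte FAT short-name directory entry.

    Returns None at the end-of-directory marker (first byte 0x00) and a
    {'lfn': True} stub for long-file-name pieces (attribute 0x0F).
    """
    if len(entry) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    if entry[0] == 0x00:
        return None
    if entry[11] == 0x0F:
        return {"lfn": True}
    (name, ext, attr, _ntres, _ctenth, ctime, cdate, adate, hi_cluster,
     wtime, wdate, lo_cluster, size) = struct.unpack("<8s3sBBBHHHHHHHI", entry)
    # 0xE5 in the first byte marks a deleted entry: the original first letter
    # is gone, but cluster, size and timestamps survive until the slot is reused.
    deleted = name[0] == 0xE5
    base = (b"_" + name[1:] if deleted else name).decode("ascii", "replace").rstrip()
    ext = ext.decode("ascii", "replace").rstrip()
    return {
        "deleted": deleted,
        "name": base + ("." + ext if ext else ""),
        "is_dir": bool(attr & 0x10),
        "start_cluster": (hi_cluster << 16) | lo_cluster,  # high word: FAT32 only
        "size": size,
        "created": dos_datetime(cdate, ctime),
        "modified": dos_datetime(wdate, wtime),
        "accessed": dos_datetime(adate, 0),  # FAT keeps only the access date
    }

# Constructed sample: the entry for a deleted REPORT.DOC (first letter
# overwritten by 0xE5), archive attribute, start cluster 0x123, 4096 bytes,
# written 2023-03-15 14:30:00 (date word 22127, time word 29632).
SAMPLE_DELETED = struct.pack(
    "<8s3sBBBHHHHHHHI", b"\xE5EPORT  ", b"DOC", 0x20, 0, 0,
    29632, 22127, 22127, 0x0000, 29632, 22127, 0x0123, 4096)
```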
NTFS file system
● NT File System (NTFS)
○ Introduced with Windows NT
○ Primary file system for Windows 10
● Improvements over FAT file systems
○ NTFS provides more information about a file
○ NTFS gives more control over files and folders
● NTFS was Microsoft’s move toward a journaling file system
○ It records a transaction before the system carries it out

NTFS file system
● In NTFS, everything written to the disk is considered a file
● On an NTFS disk
○ First data set is the Partition Boot Sector
○ Next is Master File Table (MFT)
● NTFS results in much less file slack space
● Clusters are smaller for smaller disk drives
● NTFS also uses Unicode
○ An international data format

NTFS file system

Master File Table (MFT)
● Master File Table (MFT) contains information about all files on the disk
○ Including the system files the OS uses
● In the MFT, the first 15 records are reserved for system files
● Records in the MFT are called metadata

Master File Table (MFT)

MFT and File Attributes (1 of 6)
● In the NTFS MFT
○ All files and folders are stored in separate records of 1024 bytes each
● Each record contains file or folder information
○ This information is divided into record fields containing metadata
● A record field is referred to as an attribute ID
● File or folder information is typically stored in one of two ways in an MFT record:
○ Resident and nonresident

MFT and File Attributes (2 of 6)
● Files larger than 512 bytes are stored outside the MFT
○ MFT record provides cluster addresses where the file is stored on the drive’s partition
■ Referred to as data runs
● Each MFT record starts with a header identifying it as a resident or nonresident attribute

MFT and File Attributes (3 of 6)

MFT and File Attributes (4 of 6)

MFT and File Attributes (5 of 6)

MFT Structures for File Data (6 of 6)
● For the header of all MFT records, the record fields of interest are as follows:
○ At offset 0x00 - the MFT record identifier FILE
○ At offset 0x1C to 0x1F - size of the MFT record
○ At offset 0x14 - length of the header (indicates where the next attribute starts)
○ At offset 0x32 and 0x33 - the update sequence array, which stores the last 2 bytes of the first sector of the MFT record

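As an added example (not code from the slides or the cited books), this Python builds a 1024-byte MFT record as it would lie on disk, parses the header fields listed above, and applies the update sequence array "fixups" so each sector tail carries its real bytes again; a tail that does not match the update sequence number is reported as a torn record instead of being parsed blindly. It also reads the array's offset and entry count from header offsets 0x04 and 0x06, standard fields the slide does not list.

```python
import struct

SECTOR = 512

def build_sample_record():
    """Constructed 1024-byte MFT record as it lies on disk: header fields
    filled in, the last two bytes of each sector replaced by the update
    sequence number, and the original bytes saved in the update sequence
    array at 0x32 (first sector) and 0x34 (second sector)."""
    rec = bytearray(1024)
    rec[0x00:0x04] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)      # USA offset, USA entries
    struct.pack_into("<H", rec, 0x10, 4)             # sequence number
    struct.pack_into("<HH", rec, 0x14, 0x38, 0x01)   # first attribute offset, flags
    struct.pack_into("<II", rec, 0x18, 0x160, 1024)  # used size, allocated size
    struct.pack_into("<I", rec, 0x2C, 41)            # this record's MFT number
    struct.pack_into("<HHH", rec, 0x30, 0x0005, 0xCDAB, 0x3412)  # USN + saved tails
    rec[SECTOR - 2:SECTOR] = b"\x05\x00"             # USN written over each tail
    rec[2 * SECTOR - 2:2 * SECTOR] = b"\x05\x00"
    return bytes(rec)

def parse_mft_header(record):
    """Read the header fields the slide lists plus the update sequence
    array location (offsets 0x04/0x06), which the fixup step needs."""
    if record[0:4] != b"FILE":
        raise ValueError("no FILE signature at 0x00 (BAAD or not an MFT record)")
    usa_off, usa_count = struct.unpack_from("<HH", record, 0x04)
    (seq,) = struct.unpack_from("<H", record, 0x10)
    first_attr, flags = struct.unpack_from("<HH", record, 0x14)
    used, allocated = struct.unpack_from("<II", record, 0x18)
    (rec_no,) = struct.unpack_from("<I", record, 0x2C)
    return {"usa_offset": usa_off, "usa_count": usa_count, "sequence": seq,
            "first_attribute": first_attr, "in_use": bool(flags & 0x01),
            "is_directory": bool(flags & 0x02), "used_size": used,
            "allocated_size": allocated, "record_number": rec_no}

def apply_fixups(record):
    """Undo the update sequence: every sector must end with the USN; put the
    saved bytes back. A mismatch means a torn (half-written) record, which an
    examiner should flag rather than parse as if it were intact."""
    hdr = parse_mft_header(record)
    usn = record[hdr["usa_offset"]:hdr["usa_offset"] + 2]
    fixed = bytearray(record)
    for i in range(1, hdr["usa_count"]):
        tail = i * SECTOR
        if fixed[tail - 2:tail] != usn:
            raise ValueError("sector %d tail != USN: torn MFT record" % (i - 1))
        save = hdr["usa_offset"] + 2 * i
        fixed[tail - 2:tail] = record[save:save + 2]
    return bytes(fixed)
```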
MFT Header

Attribute 0x30: short and long names

Attribute 0x30: short and long names

Attribute 0x30: Object_ID

Attribute 0x80: Data for a resident file

Attribute 0x80: Data for a nonresident file

NTFS Alternate Data Streams (1 of 2)
● Alternate data streams
○ Ways data can be appended to existing files
○ Can obscure valuable evidentiary data, intentionally or by coincidence
● In NTFS, an alternate data stream becomes an additional file attribute
○ Allows the file to be associated with different applications
● You can only tell whether a file has a data stream attached by examining that file’s MFT entry

NTFS Alternate Data Streams (2 of 2)

NTFS Compressed Files
● NTFS provides compression similar to FAT DriveSpace 3 (a Windows 98 compression utility)
● With NTFS, files, folders, or entire volumes can be compressed
● Most computer forensics tools can uncompress and analyze compressed Windows data

NTFS Encrypting File System (EFS)
● Encrypting File System (EFS)
○ Introduced with Windows 2000
○ Implements a public key and private key method of encrypting files, folders, or disk volumes
● When EFS is used in Windows 2000 and later
○ A recovery certificate is generated and sent to the local Windows administrator account
● Users can apply EFS to files stored on their local workstations or a remote server

EFS Recovery Key Agent
● Recovery Key Agent implements the recovery certificate
○ Which is in the Windows administrator account
● Windows administrators can recover a key in two ways: through Windows or from a command prompt
● Commands:
○ cipher
○ copy

Deleting NTFS Files
● When a file is deleted in Windows NT and later
○ The OS renames it and moves it to the Recycle Bin
● Can use the del (delete) MS-DOS command
○ Eliminates the file from the MFT listing in the same way FAT does

Whole Disk Encryption (1 of 2)
● In recent years, there has been more concern about loss of
○ Personal identity information (PII) and trade secrets caused by computer theft
● Of particular concern is the theft of laptop computers and handheld devices
● To help prevent loss of information, software vendors now provide whole disk encryption
● Current whole disk encryption tools offer the following features:
○ Preboot authentication
○ Full or partial disk encryption with secure hibernation
○ Advanced encryption algorithms
○ Key management function

Whole Disk Encryption (2 of 2)
● Whole disk encryption tools encrypt each sector of a drive separately
● Many of these tools encrypt the drive’s boot sector
○ To prevent any efforts to bypass the secured drive’s partition
● To examine an encrypted drive, decrypt it first
○ Run a vendor-specific program to decrypt the drive
○ Many vendors use a bootable CD or USB drive that prompts for a one-time passphrase

Filesystem Forensics
● Filesystem analysis allows analysts to understand timestamps and reconstruct patterns of activity
● Each filesystem has its own nuance for how it handles timestamps and updates to those timestamps
● On Windows, the primary file system is NTFS and has additional files for analysis of timestamps, including:
○ $LogFile
○ USN Journal
○ $I30 (directory) files

MACB Timestamps
● The standard for filesystem timeline analysis is to create MACB timestamp output files
● For NTFS, the following rules apply
○ M. Content Modification
○ A. File Access Time
○ C. Metadata Change Time (e.g. file rename, permissions, etc.)
○ B. Birth Time (file creation time)
● Many file systems lack the B time to show when a file was created (born)

MFT $STANDARD_INFORMATION and $FILE_NAME
● Each file record on an NTFS volume has multiple copies of the MACB timestamps
○ $STANDARD_INFORMATION timestamps are the ones you see in Explorer (aka “the normal timestamps”)
○ $FILE_NAME timestamps are populated when the file is created and almost never modified
■ Most files have two $FILE_NAME records, one for the regular file name and one for the 8.3 (DOS) representation

MFT $STANDARD_INFORMATION and $FILE_NAME
● Forensic Value
○ Timeline Analysis
○ Information about a file or directory
○ File Type, Size
○ Date/Time when created, modified and accessed
● Location:
○ NTFS/root/$MFT
● Tool:
○ MFTECmd.exe, MFTExplorer.exe

NTFS $LogFile
● Stored in the MFT entry number 2
● Every time there is a change in the NTFS metadata, a transaction is recorded in the $LogFile
○ To redo or undo file system operations
● Why would $LogFile be important for investigation?
○ Record of all operations that occurred in the NTFS volume
■ File creation, deletion, renaming, copy

NTFS $LogFile
● Forensic Value
○ Timeline Analysis
○ File Activity Analysis (Open, Close and Update)
○ Evidence of renamed and deleted files
● Location:
○ NTFS/root/$LogFile
● Tool:
○ NTFS_Log_Tracker.exe, LogFileParser.exe

NTFS $J
● Contains the contents of the change journal and includes information
○ Date and time of the change, the reason for the change, the MFT entry, the MFT parent entry and others
● Useful for investigation
○ Knowledge that a file existed on the system
○ Knowledge of file deletion (and when)
○ Identifying that Prefetch files have been deleted (and which ones)
○ Seeing when a user has overwritten a file prior to deletion (often used in secure delete and anti-forensics)
○ Locating a staging directory where files were collected prior to being archived, exfiltrated, and deleted
○ Identifying when malware has marked files with the hidden or system attribute to limit visibility in Explorer (and unfortunately, other tools)

NTFS $J
● Forensic Value
○ Timeline Analysis
○ File Activity Analysis (Open, Close and Update)
○ Evidence of renamed and deleted files
● Location:
○ NTFS/root/$Extend/$UsnJrnl/$J
● Tool:
○ MFTECmd.exe

Windows Registry
● Registry
○ A database that stores hardware and software configuration information, network connections, user preferences, and setup information
● To view the Registry, you can use:
○ Regedit (Registry Editor) program for Windows 9x systems
○ Regedt32 for Windows 2000, XP, and Vista
○ Both utilities can be used for Windows 7 and 8

Windows Registry Terminology
● Registry
● Registry Editor
● HKEY (Root key)
● Subkey
● Value name, data

Registry file location and purposes

Windows Registry HKEYs

Registry HKEYs Functions

Windows Registry Forensics
● Registry forensic analysis can provide multiple types of useful evidence for investigations, including:
○ Mounted drives
○ Services created
○ Software installed/uninstalled
○ Files viewed in Explorer
○ Evidence of execution
○ Network info
○ Shutdown Time
○ Last logged on user with Time/Date
○ So much more
● Tools:
○ Registry viewer: Registry Explorer, FTK Imager, RegRipper

Windows event log
● The Windows event log is a detailed record of system, security and application notifications stored by Windows
● It’s a useful tool for
○ Troubleshooting all kinds of different Windows problems
○ Forensic analysis

Windows event log

How to search events?
● https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

Windows Event Log Forensics
● There is no shortage of tools to process .evtx logs
○ Including the native Windows Event Viewer
○ The data you see in the Event Viewer is a combination of the data stored in the event logs and maps that label the data
● Overview approach
○ Get a copy of the Security event log
○ Convert the logs to CSV, XML or JSON format
■ Tools: EvtxECmd
○ Index and search the evidence

Application Execution Forensics
● List application execution logs (executable path, execution time, execution count...)
○ Prefetch files
○ Shimcache
○ Amcache
○ UserAssist

Prefetch files
● A memory management technology
○ Saves prefetch information for executables in .pf files
○ To improve the user experience
● Preloads most frequently used software (with parameters) into memory
○ To speed up operating system booting and application launching

Prefetch files
● Forensic Value
○ The executable's name
○ The absolute Path to the executable
○ The number of times that the program ran within the system
○ The last time the application ran
○ A list of DLLs used by the program
● Location:
○ %SYSTEMROOT%\Prefetch\*.pf
● Tool:
○ PECmd.exe, WinPrefetchView.exe

Shimcache
● The primary goal is to optimize program loading
○ Speed up loading frequently executed programs by caching information about them
● Shimcache records execution history
○ Program names, file paths, timestamps, and execution counts
● Two actions that can cause the Shimcache to record an entry
○ A file is executed
○ A user interactively browses a directory
● Stores various file metadata depending on the operating system
○ File full path
○ File size
○ $STANDARD_INFORMATION (SI) last modified time
○ Shimcache last updated time
○ Process execution flag: set during process creation/execution
● Only contains the information prior to the system’s last startup
○ Current entries are stored only in memory
● The oldest data is replaced by new entries

Shimcache
● Forensic Value:
○ The executable or script file names and full paths
○ The standard information last modified date
○ The size of the binary
○ Whether the file actually ran on the system
● Location:
○ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
● Tool:
○ AppCompatCacheParser.exe

Amcache
● Assists with application compatibility (Application Compatibility Cache)
○ Ensures that software updates or system changes do not break existing applications
○ Used to apply compatibility fixes or "shims" to programs
○ Maintains information about installed applications on the system, including file paths, version numbers, and compatibility settings
● Software Inventory
○ A repository of information about installed software
○ C:\Windows\AppCompat\Programs\Amcache.hve
● Focus on software installation and updates
○ By contrast, a Shimcache entry is updated each time the application is executed

Amcache
● Forensic Value
○ The executable names and full paths
○ Last executed time
○ The size of the binary and its version
○ The executable hash (SHA1)
● Location:
○ C:\Windows\appcompat\Programs\Amcache.hve
● Tool:
○ AmcacheParser.exe, RegRipper (rr.exe)

UserAssist
● Microsoft uses UserAssist to populate a user’s start menu with frequently used applications
○ Every GUI-based program launched from the desktop is tracked
● These values are located in each user’s NTUSER.DAT
○ ROT-13 encoded
○ Timestamp of last run
○ Count: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
● Good for analyzing the behaviors of users

UserAssist
● Forensic Value
○ The executed GUI program name
○ The executed GUI program path
○ Last executed time
○ Run count
● Location:
○ HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
● Tool:
○ RegRipper (rr.exe), RegistryExplorer.exe

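An added example, not from the slides or the tools they list: decoding one UserAssist Count value from NTUSER.DAT. The value name is ROT-13 decoded, and the run count, focus count and last-run FILETIME are read from the 72-byte Windows 7 and later data layout (offsets 4, 8, 12 and 60), then converted to a UTC timestamp. The value name and data are constructed inline; on a real system the name usually begins with a known-folder GUID rather than a drive letter.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_datetime(ft):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC; 0 means never."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_userassist(value_name, data):
    """Decode one UserAssist\\{GUID}\\Count value (Windows 7 and later).

    The value name is the ROT-13-encoded program path; the 72-byte data holds
    the run count at offset 4, focus count at 8, focus time in ms at 12 and
    the last-run FILETIME at offset 60.
    """
    program = codecs.decode(value_name, "rot_13")
    if len(data) < 68:
        raise ValueError("expected the 72-byte Windows 7+ layout, got %d bytes" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {"program": program, "run_count": run_count, "focus_count": focus_count,
            "focus_seconds": focus_ms / 1000, "last_run": filetime_to_datetime(last_run)}

# Constructed sample value: name as stored (ROT-13) and data for a program run
# 9 times, last on 2024-05-12 15:06:40 UTC (FILETIME 133600000000000000).
SAMPLE_NAME = codecs.encode(r"C:\Windows\System32\mspaint.exe", "rot_13")
SAMPLE_DATA = bytearray(72)
struct.pack_into("<III", SAMPLE_DATA, 4, 9, 3, 54000)
struct.pack_into("<Q", SAMPLE_DATA, 60, 133600000000000000)

def summarize(values):
    """Decode a batch of (name, data) pairs and sort by last run, most recent
    first, so the latest GUI launches sit at the top of the timeline; values
    with no last-run time (never launched) are dropped."""
    rows = [parse_userassist(n, d) for n, d in values]
    rows = [r for r in rows if r["last_run"] is not None]
    return sorted(rows, key=lambda r: r["last_run"], reverse=True)
```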
Other Windows Artifacts
● RDP Bitmap Cache (BMC)
● ShellBags
● Background Activity Moderator (BAM) / (DAM)
● Windows Error Reporting (WER)
● EventTranscript.db
● Volume Shadow Copy Service (VSS)
● User Access Logging (UAL)
● Alternate Data Streams (ADS)
● Link File Shortcut (.lnk)
● PowerShell
● Lsass.exe
● Windows.edb
● Sysmain.sdb
● Thumbcache
● Jump Lists
● Recycle Bin
● System Resource Usage Monitor (SRUM)
● Windows 10 Timeline (ActivitiesCache)
● WordWheelQuery
● etc.

Conclusion
● Prioritize the data that will provide the best outcomes for investigations
● Forensics is about analysis, not tools
○ Tools process the data
○ Analysts make sense of the output
● Thank you to Eric Zimmerman for his wonderful forensics tools
○ https://ericzimmerman.github.io/#!index.md
