Laureate Online Education Computer Forensics © All rights reserved 2005 – 2012. The Computer Forensics module, in all its parts: syllabus, guidelines, lectures, discussion questions, technical notes, images, projects and any additional material is copyrighted by Laureate Online Education B.V.

Computer Forensics Seminar for Week 4: Investigating Windows Systems

In this seminar, we will examine the basic techniques and software tools used to investigate computers running Microsoft Windows operating systems.

Overview

The important things that a digital evidence investigator must understand about computers with Windows operating systems include file systems, account management systems, log files, and other advanced techniques such as the .NET framework. There are several variants of Windows operating systems, and each of them may store valuable forensic information in different locations. Furthermore, different cases require digital investigators to explore and research different components. In this seminar, we will discuss the important common aspects of Windows systems with the expectation that you will know how to extract valuable information from Windows for each different, new case, even if we do not address the exact location for that kind of information.

Digital Evidence Acquisition Techniques for Windows

In the previous seminar, we discussed several approaches to acquiring a forensic image of a hard drive. For example, one can use a Linux bootable CD to copy the target drive bit by bit (even if the target drive is Windows based) to a third location, or use commercial tools such as EnCase or Forensic Tool Kit (FTK) to do that. Furthermore, [EABD] describes a method for generating an Evidence Acquisition Boot Disk (EABD) in Windows 95, which could be used to acquire hard drives. These tools will generally boot the computer with the basic components of the operating system and then copy the data to a third drive. However, the booting process may unexpectedly write to the target drive.
For example, the Microsoft Windows NT/2000/XP booting process accesses more than 500 files (Windows 9x accesses more than 400 files). Without sufficient preservation mechanisms, it could be difficult for a digital investigator to explain in court why the evidence on the system is still acceptable after more than 500 files were “changed” during the boot process (before the evidence was acquired). In order to avoid the unexpected writes, one may use the physical drive blocker (PDBLOCK) to disable both the standard Interrupt 13 and the Interrupt 13 Extensions (int13h) disk-write services.

After the target hard drive image is acquired, we need to search and analyze the image for potential evidence. In order for this process to be effective, it is essential to understand the basics of the FAT12/FAT16/FAT32/NTFS/etc. file systems, which are used by Windows operating systems. See [FAT] for comprehensive discussions on FAT-based file systems.

NTFS Alternate Data Stream, Compressed Files, and EFS

Microsoft introduced the New Technology File System (NTFS) for Windows NT. Since then, NTFS has been used in Windows 2000 and XP. Detailed descriptions of NTFS can be found at (NTFS). An NTFS disk begins with the partition boot sector, which starts at sector 0 and can extend to 16 sectors. After the partition boot sector, the disk contains the master file table (MFT), which usually consumes about 12.5% of the disk when it is created. As data are added, the MFT can expand to take up 50% of the disk. The MFT contains information about all files located on the disk, including the system files the operating system uses. In NTFS, all files and folders have file attributes. Individual elements of a file, such as its name, security information, and even the data, are considered file attributes. Each attribute has a unique attribute type. Compared to FAT-based file systems, NTFS contains much less file slack space.
NTFS supports alternate data streams (one of the main reasons for Microsoft to support multiple data streams is Macintosh file support), which allow data to be appended to existing files without being observed by regular applications. Attackers may use this function to hide valuable information in an existing file without other users observing it. For example, a network intruder may install backdoor (malicious) programs on a victim system as an alternate data stream of a regular application program, and the owner will not notice the existence of such malicious software. The web site (NTFSdangers) contains a detailed discussion of the potential dangers of NTFS alternate data streams.

When information is added to an existing file as an additional data stream, the stream becomes an additional data attribute of the file, and the file can be associated with different applications. For example, the stream hostfile.xxx:Stream.doc can be treated as a regular WinWord document and be opened/edited by WinWord or other application software, although you can only see the hostfile.xxx file. Thus, a digital forensic investigator should also check all potential data streams in which suspects may hide valuable information. You may practice this functionality in the group project work.

In the following, we use an example to illustrate how this works in Windows 2000/XP:

1. Create a command interface by running cmd (in the Start > Run window).
2. Assume that we do not have the file “file.txt” in the current directory.
3. In the cmd interface, type: “echo AnyStringThatYouWant > file.txt:AnyNameThatYouWant”.
4. Type “dir file.txt” to see that file.txt has size 0.
5. Type “more file.txt” to examine the file content; you will not see the stream data.
6. In order to examine the stream data, you need to type “more
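The seminar explains that a named stream is stored as an extra $DATA attribute in the file's MFT record, which is exactly where an investigator working from an acquired image (rather than a live system) finds it. The following is an added example, not part of the seminar material or any vendor tool: it constructs a minimal 1024-byte MFT record for the file.txt scenario above (an empty unnamed $DATA stream plus a named stream, here called "Stream.doc" as in the hostfile.xxx example) and then parses it the way a forensic tool does, verifying and undoing the NTFS update-sequence fixups and listing every $DATA attribute by name and size. The record layout constants are the standard on-disk NTFS format; the sample record and its update sequence number are constructed test data.

```python
import struct

SECTOR_SIZE = 512
MFT_RECORD_SIZE = 1024
ATTR_DATA = 0x80          # $DATA attribute type
ATTR_END = 0xFFFFFFFF     # end-of-attribute-list marker


def build_resident_attr(attr_type, name, content, attr_id):
    """Construct one resident attribute (constructed test data, not read from a disk)."""
    name_bytes = name.encode("utf-16-le")
    name_off = 24                                         # name follows the 24-byte resident header
    content_off = (name_off + len(name_bytes) + 7) & ~7   # content is 8-byte aligned
    length = (content_off + len(content) + 7) & ~7
    attr = bytearray(length)
    # common header: type, length, non-resident flag, name length (chars), name offset, flags, id
    struct.pack_into("<IIBBHHH", attr, 0, attr_type, length, 0, len(name), name_off, 0, attr_id)
    # resident header: content size, content offset, indexed flag, padding
    struct.pack_into("<IHBB", attr, 16, len(content), content_off, 0, 0)
    attr[name_off:name_off + len(name_bytes)] = name_bytes
    attr[content_off:content_off + len(content)] = content
    return bytes(attr)


def build_mft_record(attrs, usn=b"\x12\x34"):
    """Assemble a FILE record with the given attributes and apply NTFS fixups (constructed data)."""
    record = bytearray(MFT_RECORD_SIZE)
    usa_off = 0x30
    usa_count = 1 + MFT_RECORD_SIZE // SECTOR_SIZE        # USN plus one saved word per sector
    first_attr = (usa_off + 2 * usa_count + 7) & ~7
    body = b"".join(attrs) + struct.pack("<I", ATTR_END)
    struct.pack_into("<4sHHQHHHHIIQH", record, 0, b"FILE", usa_off, usa_count, 0, 1, 1,
                     first_attr, 1, first_attr + len(body), MFT_RECORD_SIZE, 0, len(attrs) + 1)
    record[first_attr:first_attr + len(body)] = body
    # Fixups: the last two bytes of each sector are saved in the update sequence array
    # and overwritten with the USN so torn writes can be detected.
    record[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):
        end = SECTOR_SIZE * i
        record[usa_off + 2 * i:usa_off + 2 * i + 2] = record[end - 2:end]
        record[end - 2:end] = usn
    return bytes(record)


def apply_fixups(record):
    """Verify the USN at every sector end and restore the original bytes; raise on mismatch."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = SECTOR_SIZE * i
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError("fixup mismatch at sector %d: torn or corrupt record" % i)
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_data_streams(record):
    """Return [(stream name, size, resident content or None)] for every $DATA attribute."""
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", rec, 20)[0]
    streams = []
    while off + 8 <= len(rec):
        attr_type, length = struct.unpack_from("<II", rec, off)
        if attr_type == ATTR_END:
            break
        if length < 16 or off + length > len(rec):
            raise ValueError("attribute at 0x%x overruns the record" % off)
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if attr_type == ATTR_DATA:
            if nonres == 0:
                csize, coff = struct.unpack_from("<IH", rec, off + 16)
                streams.append((name, csize, rec[off + coff:off + coff + csize]))
            else:
                streams.append((name, struct.unpack_from("<Q", rec, off + 48)[0], None))
        off += length
    return streams


def find_alternate_streams(record):
    """Only the named $DATA streams, which 'dir' and 'more' do not show."""
    return [(name, size) for name, size, _ in parse_data_streams(record) if name]


def build_sample_record():
    """file.txt from the seminar steps: empty main stream plus a hidden named stream."""
    main = build_resident_attr(ATTR_DATA, "", b"", 1)
    hidden = build_resident_attr(ATTR_DATA, "Stream.doc", b"AnyStringThatYouWant", 2)
    return build_mft_record([main, hidden])


if __name__ == "__main__":
    for name, size, content in parse_data_streams(build_sample_record()):
        print("%-12s %4d bytes %r" % (name or "(unnamed)", size, content))
```

The unnamed stream is what dir reports (size 0 here), while the named stream carries the 20 hidden bytes; a parser that walks every $DATA attribute rather than only the first is what makes the hidden stream visible during image analysis. The fixup check matters in practice: a record whose sector-end words do not match the USN was torn or tampered with and should be flagged rather than silently parsed.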