Vista Forensics What Has Changed Presentation

May 14th, 2008

In August of 2007 I presented what new things to look for forensically in Windows Vista at the HTCIA (High Tech Crime Investigation Association) www.htcia.org Annual Training conference.  It was received well by the people who attended my session. 

I’m uploading my presentation in PowerPoint format for everyone to use: www.forensa.com/HTCIA07.ppt .  I have lots of notes on the notes pages; be sure to look at them while reviewing this material.  Feel free to use the slides, just give credit where credit is due.

New Microsoft Forensics Tool Part 2

May 10th, 2008

COFEE is a small and very basic GUI with two tabs.

Basically you tell it where your thumb drive is and hit “Generate”; it copies all of the files below onto the drive.  You then run the thumb drive on the target machine and it executes all the commands for you, with the defaults Microsoft has chosen, writing the output back to the drive.

Want more power?  Go to Settings and see exactly which parameters are passed to each .exe, or add a new utility with your own parameters.

So here’s the list.  Download the tools, make yourself one large .bat file, and you have a cup of COFEE!

 

Tool                Source                          URL / notes
arp.exe             Microsoft OS native
at.exe              Microsoft OS native
auditpol.exe        Microsoft Resource Kit
autorunsc.exe       Microsoft Sysinternals
cipher.exe          Microsoft OS native
cmd.exe             Microsoft OS native
*cmdline.exe        Diamond CS                      http://www.diamondcs.com.au/index.php?page=products
dd.exe              GM Garner Forensic Utilities    http://users.erols.com/gmgarner/forensics/ (also download getopt.dll)
driverquery.exe     Microsoft OS native
drivers.exe         Microsoft Resource Kit
dumpel.exe          Microsoft Resource Kit
*dumpsec.exe        Somarsoft                       http://www.somarsoft.com
fport.exe           Foundstone                      http://www.foundstone.com
fsinfo.exe          Microsoft Resource Kit
getmac.exe          Microsoft OS native
getopt.dll          GM Garner Forensic Utilities    http://users.erols.com/gmgarner/forensics/ (also download dd.exe)
global.exe          Microsoft Resource Kit
handle.exe          Microsoft Sysinternals
hostname.exe        Microsoft OS native
ifmember.exe        Microsoft Resource Kit
ipconfig.exe        Microsoft OS native
ipxroute.exe        Microsoft OS native
LastLogon.exe       (no source listed)
listdlls.exe        Microsoft Sysinternals
local.exe           Microsoft Resource Kit
mem.exe             Microsoft OS native
*minicap.exe        DonationCoder                   http://www.donationcoder.com/Software/Mouser/MiniCap/index.html
msinfo32.exe        Microsoft OS native
nbtstat.exe         Microsoft OS native
net.exe             Microsoft OS native
netdom.exe          Microsoft OS native
netstat.exe         Microsoft OS native
netusers.exe        Optimum X                       http://www.optimumx.com/download/
ntlast.exe          Foundstone                      http://www.foundstone.com
openfiles.exe       Microsoft OS native
*openports.exe      Diamond CS                      http://www.diamondcs.com.au/index.php?page=products
pclip.exe           UnxUtils                        http://unxutils.sourceforge.net
psfile.exe          Microsoft Sysinternals
pslist.exe          Microsoft Sysinternals
psloggedon.exe      Microsoft Sysinternals
psloglist.exe       Microsoft Sysinternals
psservice.exe       Microsoft Sysinternals
pstat.exe           Microsoft Resource Kit
psuptime.exe        Microsoft Sysinternals
quser.exe           Microsoft OS native
reg.exe             Microsoft OS native
rifiuti.exe         Foundstone                      http://www.foundstone.com
route.exe           Microsoft OS native
sc.exe              Microsoft Resource Kit
sclist.exe          Microsoft Resource Kit
*sed.exe            Cygwin                          http://www.cygwin.com (download Cygwin.exe, then select sed.exe; required for execution of streams.exe and efsinfo.exe)
showgrps.exe        Microsoft Resource Kit
smbios.exe          Microsoft Resource Kit
srvcheck.exe        Microsoft Resource Kit
srvinfo.exe         Microsoft Resource Kit
systeminfo.exe      Microsoft OS native
tasklist.exe        Microsoft OS native
tcpvcon.exe         Microsoft Sysinternals
uptime.exe          Microsoft OS native
whoami.exe          Microsoft Resource Kit

* An asterisk marks files that are highly recommended to download for optimum performance.

Two practical notes.  Whether a tool counts as “OS native” or “Resource Kit” depends on the Windows version you are examining: sc.exe ships with XP but was a Resource Kit tool on Windows 2000, and whoami.exe and auditpol.exe ship with Vista but not with XP.  And on a machine you suspect is compromised, prefer the copies of the tools on your own thumb drive over the target’s own binaries, so that the output is not coming from a trojaned system file.

Thanks to Edgar Zaya for the list
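As an added example (not COFEE’s code and not part of the original post), the script below shows the structure the generated batch file has: run a fixed list of tools in a chosen order, save each tool’s output to the collection drive, and keep a manifest with timestamps and SHA-256 hashes so the output can be verified afterwards.  It is written in Python purely for illustration; the tool names and arguments in the list are this example’s assumptions, not COFEE’s default parameters, and the tools are assumed to be on the PATH of the examined machine.  The one thing a batch file usually gets wrong is handled here: a tool that is missing or hangs is recorded and skipped rather than stopping the whole collection.

```python
"""Ordered live-response collection runner (added example; not COFEE's code).

Mirrors what the generated COFEE batch does: run a fixed list of tools in a
chosen order, save each tool's output on the collection drive, and keep a
manifest with timestamps and SHA-256 hashes so the output can be verified
later. Tool names and arguments below are this example's assumptions.
"""
import hashlib
import json
import socket
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed tool list, most volatile first (processes and network state before
# autoruns, services and static system information). Sysinternals tools take
# -accepteula so they do not block on the licence dialog; these are the
# example's choices, not COFEE's default parameters.
WINDOWS_COLLECTION = [
    ("pslist.txt",     ["pslist.exe", "-accepteula", "-t"]),
    ("netstat.txt",    ["netstat.exe", "-ano"]),
    ("arp.txt",        ["arp.exe", "-a"]),
    ("psloggedon.txt", ["psloggedon.exe", "-accepteula"]),
    ("autoruns.txt",   ["autorunsc.exe", "-accepteula", "-a"]),
    ("services.txt",   ["sc.exe", "query", "state=", "all"]),
    ("systeminfo.txt", ["systeminfo.exe"]),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


def collect(commands, outdir=None, timeout=120):
    """Run each (output_name, argv) in order and return the manifest dict.

    Outputs land in outdir (the collection drive; a fresh temp directory if
    None). A tool that is missing, fails or hangs is recorded in the manifest
    and the run continues: one bad tool must not abort the whole collection.
    """
    outdir = Path(outdir) if outdir else Path(tempfile.mkdtemp(prefix="collect-"))
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {"host": socket.gethostname(), "started": _utc_now(), "entries": []}
    for name, argv in commands:
        entry = {"output": name, "argv": argv, "started": _utc_now()}
        stdout, stderr = b"", b""
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            stdout, stderr = proc.stdout, proc.stderr
            entry["returncode"] = proc.returncode
        except FileNotFoundError:
            entry["error"] = "tool not found"
        except subprocess.TimeoutExpired as exc:
            stdout, stderr = exc.stdout or b"", exc.stderr or b""
            entry["error"] = f"timed out after {timeout}s"
        (outdir / name).write_bytes(stdout)
        if stderr:
            (outdir / (name + ".err")).write_bytes(stderr)
        entry["ended"] = _utc_now()
        entry["bytes"] = len(stdout)
        entry["sha256"] = sha256_hex(stdout)   # hash of the saved output file
        manifest["entries"].append(entry)
    manifest["ended"] = _utc_now()
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    # Usage: python collect.py E:\collection   (the thumb drive)
    result = collect(WINDOWS_COLLECTION, sys.argv[1] if len(sys.argv) > 1 else None)
    print(f"{len(result['entries'])} tools run; manifest written")
```

The manifest hashes are what let you later show that the text files on the drive are the ones the tools produced at collection time; hash the whole drive again once the collection is finished and record that value in your notes.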

New Microsoft Forensics ‘Tool’

May 6th, 2008

Recently the Seattle Times ran an article titled ‘Microsoft device helps police pluck evidence from cyberscene of crime’ http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html  The article, while well written, contains a few errors.  While I have not personally seen the new software product, here are some insights that I have on it.  It is a pure software product that is used to create batch scripts.  There is a lot of buzz about this software containing a ‘backdoor’ to access encrypted data.  This software does not contain any backdoor possibilities.  Yes, it can read encrypted data if you supply your batch file with the key to access that data.  Again, it is purely a scripting platform that can be used to automate computer forensics data acquisitions.  The best thing that I can liken it to is Visual Studio.  You can ‘program’ a ton of things with that framework, but you still need to have an idea of what you’re doing to get started.  The Seattle Times article referred to it as a hardware device because it was on a USB thumb drive.  I can put documents, photos, and programs on a thumb drive, but that doesn’t make them hardware.  Referring to this as a hardware device is bad reporting in my opinion.

FTK 2.0 Review Part 2

April 20th, 2008

My first tip is - make sure you understand the requirements of data storage for FTK 2.0.  I’ll keep it short by saying that I ran out of disk space indexing a 120gig hard drive. 

I really do like the new interface.  It’s much more user friendly than version 1.71.  I really like the fact that you can migrate your FTK 1.7x license over to the new dongle and have both 1.7x and 2.0 licenses on the same dongle.  As an added bonus you can run both versions at the same time with one dongle.

There is a known issue installing FTK 2.0 on Windows Vista.  What else is new with Vista?  It didn’t appear to be an FTK issue itself, but more of an Oracle install issue.  Since 2.0 now uses a lite version of Oracle, the install fails.

I can say that being able to start searching while FTK is still indexing was a great feature to include.  With my single processor and 1gig of RAM laptop, it was almost unbearable, but I was able to search before indexing was completed.  And hey, previously I’d have to wait for 3 to 6 hours to search for anything.

Summing it up, FTK 2.0 is a worthwhile upgrade if you have the hardware to run it on.  They are not sure when Windows Vista compatibility will be available, but still, it’s a solid forensics platform.

BitLocker File System Type

March 3rd, 2008

Looking at a BitLocker drive recently, I noticed an interesting thing.  The 1.4GB drive that is created when installing BitLocker had a partition type of 0x27.  I found this odd because the BitLocker-encrypted drive is partition type 0x07, or normal NTFS, except that the contents are encrypted while the drive is at rest.

I couldn’t help wondering, exactly what is partition type 0x27?  The first thing I checked was the table of partition types on page 69 of Computer Forensics: Incident Response Essentials by Warren G. Kruse and Jay G. Heiser.  Partition type 0x27 is not listed there.  Granted, the book was published in 2002 and BitLocker was not available then.  I was unable to find any documentation on partition type 0x27 searching support.microsoft.com.  I was able to get a contact at Microsoft to say that partition type 0x27 is called Active-State-System.

I do know the reason for the 1.4GB size.  That default size was chosen for caching installation files.  That way there is an unencrypted drive to copy temporary files to.  1.4GB is the amount of temporary file space needed to install Windows.

FTK 2.0 finally arrives

March 2nd, 2008

I received my FTK (Forensic Tool Kit by AccessData) 2.0 yesterday 29-Feb-2008.  Really slow shipping since it launched on 19-Feb-2008.  The 1st thing that I noticed is that my laptop which ran FTK 1.71 well, was under powered for FTK 2.0.  I was 1 processor and 1gig of RAM short.  This is a real beast.

 I gave the install a shot and it installed just fine on my HP Pavilion zv6000 with AMD Athlon 3200+ 64bit processor and 1gig of RAM.

 I’m still playing with the new interface and features.  I’ll leave those findings for a post later.

What Really Happens When Deleting Files

January 15th, 2008

What really happens when you press the delete key?

File Allocation Table or FAT systems

For File Allocation Table or FAT systems (DOS-based systems up to Windows 98, and by default most removable media even when attached to NTFS systems) here is a quick overview:

  1. The FAT entries for the cluster chain belonging to the file are zeroed out, i.e. marked free.
  2. The first byte of the file name in the directory entry is changed to hex E5 (displayed as a Greek sigma, σ, in the DOS code page).  The rest of the entry, including the file size and the starting cluster, is left largely intact (on FAT32, Windows may zero the upper half of the starting cluster number).
  3. The clusters that originally contained the file data are unchanged and retain the file data until they are overwritten.

Because the cluster chain is gone from the FAT, recovery has only the starting cluster and the size to work with: a contiguous file can be carved back out directly, but the remaining clusters of a fragmented file have to be inferred.

What happens on an NTFS (Windows 2000 – Windows XP) partition when you or the system deletes a file?  First let’s differentiate between a file that is deleted outright and a file that is moved to the recycle bin.  If a file goes to the recycle bin, the following happens:

  1. The original MFT entry for the file is changed to reflect a new file name.  The new file name depends on three factors: the original drive of the file, the file’s order in the recycle bin, and the file extension, if any.  So given the following:
     - File’s origin: C:
     - File order in the recycle bin: first
     - File extension: .rtf

The new file name in the original MFT entry will be DC1.rtf (D, then the drive letter, then the sequence number, then the original extension).  Of course, when the amount of data is too large to fit in its MFT entry, the data is nonresident and lives in clusters outside the MFT; the rename touches only the MFT entry, not the data clusters.

  2. The file is moved to a different subdirectory.  Remember the file is now known as DC1, DC2, etc.  The file no longer resides in its original subdirectory.  It now resides in a security ID (SID) subdirectory, which is created for each user.  Normally, for each user there is a SID subdirectory in the RECYCLER subdirectory, so if there are three users there are three unique SID subdirectories.  You can easily identify a SID subdirectory by its unusual name: a user’s SID has the form S-1-5-21-<three 32-bit numbers identifying the machine or domain>-<RID>, where the RID (relative ID) is 1000 or higher for ordinary user accounts.
  3. The file’s original path is stored in a file called INFO2 in that SID subdirectory.  The system has to know the file’s original path in case the file needs to be restored.  INFO2 starts with a 20-byte header.  After that come the entries, each 800 bytes long on Windows 2000/XP.  An entry begins with the original path in plain ASCII, starting with the drive letter, followed by the entry’s sequence number, the drive number, the deletion time and the original file size, and ends with the same path in Unicode (UTF-16); the next entry’s ASCII path follows immediately.  The deletion date and time is a 64-bit Windows FILETIME: the number of 100-nanosecond intervals since January 1, 1601, in UTC.  There is an INFO2 file in each SID subdirectory under RECYCLER.
  4. When the user empties the recycle bin, the INFO2 file is deleted and its contents, the path names of the deleted files, become part of unallocated space and slack.  Searching slack and unallocated space for a hex string unique to INFO2 entries yields remnants of those entries.  The hex string 47 B5 5E 77 04 00 00 00 appears to be unique to, yet common to, most INFO2 file entries.  Check the NTFS partitions you are processing to see if the hex string appears.  If it does not, examine the INFO2 file for another hex string that is common to most of its entries and use that to search slack and unallocated space of the NTFS partition. (Reference: NTI training)

Windows Vista changed the recycle bin process. 

Windows Vista no longer uses the INFO2 file to track where the original file was located, and the per-user SID subdirectories now live under $Recycle.Bin instead of RECYCLER.  Instead, when a file or folder is deleted (moved to the recycle bin), two files are created.  The first file’s name is $I followed immediately by FILEID#.EXT.  The FILEID# is a unique six-character alphanumeric string, and EXT is the original extension of the deleted file.  If no extension is present, a folder (or a file that had no extension) was deleted.  The $I file is a small fixed-layout record: an 8-byte version number at offset 0x00, the original file size as an 8-byte value at offset 0x08, an 8-byte FILETIME at offset 0x10 holding the time the file/folder was deleted, and the full Unicode (UTF-16) path and filename of the original file/folder at offset 0x18.  Each $I entry has a corresponding file or folder present alongside it.  This second file also appears when files are moved to the recycle bin and starts with $R: its name is $R followed by the same FILEID#.EXT used in the corresponding $I file.  The $R file contains all of the original data; only the file name is changed.

For folders that have been deleted, a folder named $R FILEID# is created with a FILEID# matching that of the $I file.  The contents of the deleted folder are moved into the $R folder and retain their original names.

One point worth knowing when the bin has already been emptied: a Vista $I file is only a few hundred bytes, so its data is normally resident inside its MFT record, and the original path and deletion time can often still be read from the deleted MFT record until it is reused.
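As an added example (not from the original post), the following Python code parses both bookkeeping formats described above: the Windows 2000/XP INFO2 file with its 800-byte entries, and the Vista $I file with its fixed offsets.  The sample records it parses are constructed in code from the layouts given above, not captured from a real system, so it runs offline; the helper that builds them doubles as documentation of the byte layout.  The $I parser also handles the version-2 layout used by later Windows releases, which goes beyond what the post covers.

```python
"""Recycle-bin record parsers (added example, not from the original post):
the Windows 2000/XP INFO2 file and the Vista-and-later $I<id> file.
Sample records are constructed in code so the parsers run offline.
"""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """FILETIME: 100-nanosecond intervals since 1601-01-01 00:00 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# INFO2 (Windows 2000/XP): 20-byte header, then fixed 800-byte records:
#   0x000 ASCII original path (260 bytes, NUL padded)
#   0x104 record index        0x108 drive number (0 = A:, 2 = C:)
#   0x10C deletion FILETIME   0x114 original size
#   0x118 Unicode (UTF-16LE) original path (520 bytes)
INFO2_HEADER = 20
INFO2_RECORD = 800


def parse_info2(data: bytes) -> list:
    version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    if rec_size != INFO2_RECORD:
        raise ValueError(f"unsupported INFO2 record size {rec_size} (version {version})")
    records = []
    for off in range(INFO2_HEADER, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        # ASCII path is in the system ANSI code page; latin-1 never fails to decode
        ascii_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        uni_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        letter = chr(ord("A") + drive)
        records.append({
            "index": index, "drive": letter, "size": size,
            "deleted": from_filetime(ft),
            "ascii_path": ascii_path, "unicode_path": uni_path,
            # name the file carries inside RECYCLER\<SID>\: D<drive><index><ext>
            "bin_name": f"D{letter}{index}{ntpath.splitext(uni_path)[1]}",
        })
    return records


# $I<id>[.ext] (Vista and later): 0x00 version, 0x08 original size,
# 0x10 deletion FILETIME (all 8 bytes), 0x18 original path.  Version 1
# (Vista/7/8) stores a fixed 260-character UTF-16LE path; version 2 (later
# Windows, beyond the post) stores a 4-byte character count first.
def parse_dollar_i(data: bytes) -> dict:
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
    elif version == 2:
        count = struct.unpack_from("<I", data, 0x18)[0]
        raw = data[0x1C:0x1C + 2 * count]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted": from_filetime(ft), "path": path}


# ---- constructed sample data (not captured from a real system) ----
SAMPLE_DELETED = datetime(2008, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def build_info2(entries) -> bytes:
    """entries: (path, drive_number, index, size, deleted_datetime)."""
    body = b""
    for path, drive, index, size, dt in entries:
        body += path.encode("latin-1").ljust(260, b"\x00")
        body += struct.pack("<IIQI", index, drive, to_filetime(dt), size)
        body += path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<5I", 5, 0, 0, INFO2_RECORD, INFO2_HEADER + len(body)) + body


def build_dollar_i(path: str, size: int, dt: datetime) -> bytes:
    head = struct.pack("<QQQ", 1, size, to_filetime(dt))
    return head + path.encode("utf-16-le").ljust(520, b"\x00")


if __name__ == "__main__":
    xp = build_info2([("C:\\Documents and Settings\\user\\Desktop\\notes.rtf",
                       2, 1, 4096, SAMPLE_DELETED)])
    for rec in parse_info2(xp):
        print(rec["bin_name"], rec["deleted"], rec["unicode_path"])
    vista = build_dollar_i("C:\\Users\\user\\Desktop\\notes.rtf", 4096, SAMPLE_DELETED)
    print(parse_dollar_i(vista))
```

When running this against a real INFO2 carved from unallocated space, expect the header to be missing: feed the parser a synthetic 20-byte header plus the carved 800-byte-aligned data, and treat any entry whose Unicode path does not match its ASCII path as partially overwritten.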