Windows 8 Forensics & Anti-Forensics

Posted on 16-Apr-2017


TRANSCRIPT

Windows 8 Forensics & Anti-Forensics
Mike Spalding
Twitter: @fatherofmaddog
<Insert Witty Job Title Here>

Disclaimer
Use this information at your own risk! I am not your lawyer, expert witness, or your priest. If you use this information while committing a crime you have only yourself to blame. Blame your parents for anything else that you feel you did not get/receive when you were a kid. Blah, blah, blah, blah, blah, blah!

Thank You’s
I need to thank a few people for helping me with this. They helped to shave time and effort on this.
• Tyler Smith – @bobbyMcSmathers
• Dave Normand – AccessData
• Lt. Pete Martin – Yolo County DA’s Office

Just a quick Primer on Windows Forensics over the years.
• Pre Windows Vista
  − Windows XP and before have a more similar feel when it comes to forensics: similar registries, event IDs, similar folder files, etc.
• Post Windows Vista
  − Vista provided a significant change to the environment, such that from a forensic standpoint XP and Vista could almost be considered unrelated to a certain degree.
• Some things have not changed; Registry – SAM, System, Software

Brothers from another mother …
• Vista, Windows 7, Windows 8 …
  − Very much an evolutionary process.
  − For the most part few things have moved, but many more things have been added.

Windows 8 needs to lose some weight
• My initial install was 7.6 Gb of 8.0 Gb
  − Well, that was not enough; I needed to load some office files, Adobe, and general office utilities.
• My secondary action added 10 Gb
  − Windows then expanded to fill 17.2 Gb of the 18 Gb (David Blaine must work for MSFT)
• My third action was to add 12 Gb
  − Finally, I had enough to have some nice slack space: 7.5 Gb out of 30 Gb was left. Huh?

Windows 8 – Brings New Features
• Features that matter to forensic investigators
  − Pagefile and Swapfile functions
  − Windows 8 To Go
  − Windows 8 BitLocker Updates
  − Windows 8 Cloud Integration
  − Windows 8 Thumbnail Caching
  − Windows 8 PC Refresh
• The biggest concern to an investigator is the data not present on the system
  − i.e. Cloud Services scare the forensic person!

It’s a Dog eat Dog World!

Windows 8 – Pagefile & Swapfile
• Pagefile.sys
  − Similar to Windows 7 and Vista
  − One exception is that many apps are listed as “low priority” in the pagefile; this allows more system-critical apps to run.
• Swapfile.sys
  − Tweaked to take advantage of “Immersive Applications”
  − Apps are flushed into the swap file when memory gets full; this allows apps to open immediately when not in use.

Windows 8 – I will take that 2 Go!
• Win8 To Go
  − Makes the OS portable
  − Allows for the OS to be operated from a USB drive
  − Allows for up to six USB devices

*Military Service Dog not included.

Windows 8 – BitLocker
• Microsoft Drive Encryption
  − First bestowed to the world with Vista/Win 2008
  − Is a whole disk encryption system; i.e. while the system is on, the files are accessible.
• New Encryption Features
  − Can be deployed with WinPE or MDT
  − Can limit encryption to just used space (makes slack space a nice place to search!)
  − Better key management for improved recovery, yeah whatever!

Windows 8 – SkyDrive
• Microsoft SkyDrive Integration
  − Always been available, but now integrated into the OS directly
  − Corporate installs of Win 8 will most likely drop this feature.

* On a Surface device, you can view files, but cannot move them to the RT device from SkyDrive.

Windows 8 – All Thumbs
• In Win7 thumbs.db was replaced
  − Thumbcache is used to store all thumbnails for the operating system
  − In addition Win8 has several thumbcache files. Speculation is that this is to provide support for touchpads.
• The thumbcache in Win8 is different from Win7, so currently there are no forensic tools that can decipher the thumbcache, yet.

Windows 8 – PC Refresh
• Win8 offers a feature called ‘PC Refresh’
  − It allows for system files to be reinstalled, while not affecting the user files located on the system
  − You can choose to remove everything and it will quite literally remove all files.
  − This feature is completely automated and the user is asked very limited questions.
  − From a forensic standpoint, this means that things will probably stay static for this release.


Windows 8 – File History Artifacts
• Win8 has the ability to have a File History
  − This is not to be confused with a shadow copy.
  − This cannot be used on cloud services, but can be used on virtual drives (anti-forensics ideas!!)
  − A GPO can be used to have all File History stored to a network location or server.
  − Located at: \\%user%\AppData\Local\Microsoft\Windows\FileHistory
  − If this folder does not exist, neither does File History.

Windows 8 – ESE Structured DB File
• Win8 has a database of filenames, locations, and versions
  − This is helpful during investigations. It can show the history of files, depict movements of files, etc.
  − This is used when the restore files wizard is used.
  − This is a great resource for keyword searches or targeted searches looking for a specific image or filename in question.
  − Can be parsed with tools like ESEDbViewer.

Windows 8 – My new best friend!
• Win8 utilizes an XML config file that stores the following pieces of information:
  − Username, Machine Name, Libraries, Exclude Folders, Location of Config Files, Retention Information, Target Volume Details, Volume Letter, GUID of Volume, Volume Type, UNC Paths, Target Configuration files, and backup storage locations.
  − This provides ample information if data is being stored on a flash drive or portable media.
  − This can be used to trace machine history in the portable OS function.
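Pulling those fields out of the config file is a few lines of Python. The script below is an added example written for this transcript, not the presenter's tooling: the element names follow the layout it assumes for File History's Config1.xml (they may not match every version exactly), the sample document is constructed with made-up values, and the triage labels in classify_target are this example's own.

```python
"""Parse a Windows 8 File History configuration XML and summarise where the
backups go.  Added example for this transcript, not the presenter's tooling.
The element names follow the layout this example assumes for Config1.xml;
the sample document below is constructed and every value in it is made up."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the style of Config1.xml (fabricated values).
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<DataProtectionConfiguration xmlns="http://schemas.microsoft.com/windows/2011/DataProtectionConfiguration">
  <ConfigFileVersion>1</ConfigFileVersion>
  <UserName>alice</UserName>
  <PCName>WIN8-LAB</PCName>
  <Library>
    <Folder><Path>C:\Users\alice\Documents</Path></Folder>
    <Folder><Path>C:\Users\alice\Pictures</Path></Folder>
  </Library>
  <FolderExclude><Path>C:\Users\alice\Documents\scratch</Path></FolderExclude>
  <RetentionPolicies>
    <RetentionPolicy><Type>Age</Type><Age>180</Age></RetentionPolicy>
  </RetentionPolicies>
  <Target>
    <TargetName>USB DISK</TargetName>
    <TargetUrl>E:\</TargetUrl>
    <TargetVolumePath>\\?\Volume{0000aaaa-0000-0000-0000-00000000beef}\</TargetVolumePath>
    <TargetDriveLetter>E</TargetDriveLetter>
    <TargetDriveType>Removable</TargetDriveType>
    <TargetBackupStore>E:\FileHistory\alice\WIN8-LAB\Data</TargetBackupStore>
    <TargetConfigStore>E:\FileHistory\alice\WIN8-LAB\Configuration</TargetConfigStore>
  </Target>
</DataProtectionConfiguration>
"""


def _local(tag: str) -> str:
    """Drop the namespace prefix so lookups do not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root: ET.Element, name: str) -> str:
    """Text of the first element named `name` anywhere under `root` ('' if absent)."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return ""


def _paths_under(root: ET.Element, container: str) -> list:
    """All <Path> values found inside every element named `container`."""
    found = []
    for el in root.iter():
        if _local(el.tag) == container:
            found.extend((p.text or "").strip() for p in el.iter() if _local(p.tag) == "Path")
    return found


def classify_target(target_url: str, drive_type: str) -> str:
    """Triage label for the backup destination: UNC share, portable media or fixed disk."""
    if target_url.startswith("\\\\") and not target_url.startswith("\\\\?\\"):
        return "network share"
    if drive_type.lower() == "removable":
        return "portable media"
    return "local fixed disk"


@dataclass
class FileHistoryConfig:
    user: str
    machine: str
    libraries: list
    excludes: list
    retention_age: str
    target_name: str
    target_url: str
    volume_guid: str
    drive_letter: str
    drive_type: str
    backup_store: str
    config_store: str

    def target_kind(self) -> str:
        return classify_target(self.target_url, self.drive_type)


def parse_filehistory_config(xml_text: str) -> FileHistoryConfig:
    """Extract the fields the deck lists (user, machine, libraries, excludes,
    retention, target volume details) from a Config1.xml-style document."""
    root = ET.fromstring(xml_text)
    volume_path = _first_text(root, "TargetVolumePath")
    guid = volume_path[volume_path.find("{") + 1:volume_path.find("}")] if "{" in volume_path else ""
    return FileHistoryConfig(
        user=_first_text(root, "UserName"),
        machine=_first_text(root, "PCName"),
        libraries=_paths_under(root, "Library"),
        excludes=_paths_under(root, "FolderExclude"),
        retention_age=_first_text(root, "Age"),
        target_name=_first_text(root, "TargetName"),
        target_url=_first_text(root, "TargetUrl"),
        volume_guid=guid,
        drive_letter=_first_text(root, "TargetDriveLetter"),
        drive_type=_first_text(root, "TargetDriveType"),
        backup_store=_first_text(root, "TargetBackupStore"),
        config_store=_first_text(root, "TargetConfigStore"),
    )


if __name__ == "__main__":
    cfg = parse_filehistory_config(SAMPLE_CONFIG)
    print(f"{cfg.user}@{cfg.machine} backs up {len(cfg.libraries)} libraries to "
          f"{cfg.target_url} ({cfg.target_kind()}, volume {cfg.volume_guid})")
```

The namespace is stripped before matching so the parser survives a changed schema URI, and the volume GUID is what you would carry over to the USB device history in the registry to tie the backup target to a physical drive.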


Windows 8 – Backup Data
• Win8 does not encrypt Backup data
  − With user history and backup data being made available, we will see that we can have multiple variants of a file readily available.
  − New file versions deprecate the old ones, using the system UTC time as a counter.
  − The deprecation allows the restore wizard to know which file to restore.
  − Fortunately for us, it also allows the investigator to view files after the fact.
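The UTC counter is embedded in each backed-up file's name, so a directory listing alone gives a version timeline. The script below is an added example for this transcript, not the presenter's code; it assumes the naming pattern `name (YYYY_MM_DD HH_MM_SS UTC).ext` for files under the File History Data folder, and the listing it works on is constructed.

```python
"""Order File History backup versions by the UTC stamp in their names.
Added example for this transcript, not the presenter's tooling.  It assumes
the pattern 'name (YYYY_MM_DD HH_MM_SS UTC).ext'; the names below are
constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

VERSION_RE = re.compile(
    r"^(?P<base>.+) \((?P<stamp>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2}) UTC\)(?P<ext>\.[^.]+)?$"
)

# Constructed listing of a File History Data folder (fabricated names).
SAMPLE_LISTING = [
    "report (2013_03_01 14_22_10 UTC).docx",
    "report (2013_03_04 09_05_41 UTC).docx",
    "report (2013_02_27 18_00_00 UTC).docx",
    "holiday (2013_03_02 11_11_11 UTC).jpg",
    "notes.txt",  # no version suffix: not a File History version
]


def parse_versioned_name(name):
    """Return (logical filename, UTC datetime) or None if the name is unversioned."""
    m = VERSION_RE.match(name)
    if not m:
        return None
    stamp = datetime.strptime(m.group("stamp"), "%Y_%m_%d %H_%M_%S").replace(tzinfo=timezone.utc)
    return m.group("base") + (m.group("ext") or ""), stamp


def build_timeline(names):
    """Map each logical file to its versions, oldest first: [(utc, filename), ...]."""
    timeline = defaultdict(list)
    for n in names:
        parsed = parse_versioned_name(n)
        if parsed:
            key, stamp = parsed
            timeline[key].append((stamp, n))
    for versions in timeline.values():
        versions.sort()
    return dict(timeline)


def latest_versions(names):
    """The version the restore wizard would treat as current: newest stamp per file."""
    return {key: versions[-1][1] for key, versions in build_timeline(names).items()}


def versions_between(names, start_iso, end_iso):
    """Filenames whose stamp falls inside [start, end]; bounds are ISO 8601 strings read as UTC."""
    start = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_iso).replace(tzinfo=timezone.utc)
    hits = []
    for versions in build_timeline(names).values():
        hits.extend(fn for stamp, fn in versions if start <= stamp <= end)
    return sorted(hits)


if __name__ == "__main__":
    for key, versions in build_timeline(SAMPLE_LISTING).items():
        print(key, "->", [fn for _, fn in versions])
```

Because the stamps are UTC, versions from machines in different time zones sort correctly without conversion, which is why the deck calls the time a counter rather than a clock reading.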

Windows 8 – Default to the hard drive
• Win8 will default to the local system if the remote drive or cloud service is not available.
  − If a remote resource is unavailable, the file is stored locally on the desktop.
  − When the remote resource is made available, the files are synched and the local file remains on the system.
  − The file is marked as deleted, but it just goes into slack space or free space on the local system.
  − Fortunately for us, it also allows the investigator to view files after the fact.

Windows 8 – Two are better than One

Windows 8 – New Registry Hives
• The Windows registry is useful for investigations, as it contains hardware information, usernames & passwords.
  − Hardware information; thumb drives.
  − IDs and passwords
  − Internet query details
  − Programs installed on the local host
  − System information

Windows 8 – New Registry Hives
• ELAM (Early Launch Anti-Malware)
  − Contains information on file launch times.
  − Has details specific to Windows Defender and AV data.
  − The ELAM driver loads before all other processes, designed to prevent bootloader malware.
• BBI Registry File (used with Immersive Applications)
  − Leveraged for licensing specific to users and their applications. Uses the logged-on user and time.

Windows 8 – Internet Explorer 10
• New IE 10 Features
  − Flip Ahead or “fast forward” allows web pages to be scrolled like book pages.
  − This also sends browsing history to Microsoft, to improve the Flip Ahead experience.
  − Pin to Start allows the user to pin favorite websites to the Start screen as a tile.
  − Implicit/Explicit Sharing allows users to send a link (implicit) or content from a page (explicit).

Windows 8 – IE10
• New IE 10 Features – Continued
  − EPM: Enhanced Protected Mode uses randomized memory addressing to thwart buffer overflows.
  − Application Caching speeds up website data between immersive applications and the internet.

Windows 8 – Anti-Forensics
• Encryption – Yes, the tried and true way of keeping something from someone.
  − For all intents and purposes, no one would use BitLocker to protect their data if anti-forensics was a pivotal concern.
  − In most cases, someone will use whole disk encryption along with select file encryption.
  − Many people worried about AF have started a practice of encrypting the hard drive twice.
  − Some have called into question the security of TrueCrypt as a viable solution.

Windows 8 – Anti-Forensics
• Time Tampering – The practice of changing file and folder dates and times.
  − A number of tools are available to perform this function. Tool remnants are usually an indicator that tampering to the drive has happened.
• Disk Wiping – The practice of overwriting an entire disk with 1s and 0s.
  − This is a very secure method to destroy evidence, but oftentimes it is viewed poorly in court.
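Tool remnants are one signal; the timestamps themselves are another. The script below is an added example for this transcript, not the presenter's code. It applies three examiner heuristics the deck does not spell out: a $STANDARD_INFORMATION created time earlier than the $FILE_NAME created time (user-mode tools rewrite $SI while the kernel maintains $FN), $SI stamps whose sub-second part is all zero, and any stamp later than the acquisition time. The MFT-style records it checks are constructed, and NTFS's 100 ns precision is collapsed to microseconds.

```python
"""Heuristic checks for tampered NTFS timestamps.  Added example for this
transcript, not the presenter's tooling.  The records are constructed; the
three checks are common examiner heuristics:
  * $SI created earlier than $FN created,
  * $SI stamps with an all-zero sub-second part,
  * any stamp later than the acquisition time.
NTFS keeps 100 ns precision; this example collapses it to microseconds."""
from datetime import datetime, timezone


def ts(iso: str) -> datetime:
    """Parse an ISO 8601 string as a UTC timestamp."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed MFT-style records (fabricated names and times).
SAMPLE_RECORDS = [
    {"name": "photo.jpg",  # consistent stamps, nothing odd
     "si_created": ts("2013-03-10T12:34:56.123456"),
     "si_modified": ts("2013-03-10T12:40:01.654321"),
     "fn_created": ts("2013-03-10T12:34:56.123456")},
    {"name": "invoice.pdf",  # $SI pushed back to January with whole-second stamps
     "si_created": ts("2013-01-05T10:00:00"),
     "si_modified": ts("2013-01-05T10:00:00"),
     "fn_created": ts("2013-03-10T12:35:12.789012")},
    {"name": "sync.log",  # modified stamp lies after the image was taken
     "si_created": ts("2013-03-11T08:00:00.000100"),
     "si_modified": ts("2014-06-01T00:00:00.500000"),
     "fn_created": ts("2013-03-11T08:00:00.000100")},
]

ACQUIRED_AT = ts("2013-04-01T00:00:00")  # constructed acquisition time


def check_record(rec: dict, acquired_at: datetime) -> list:
    """Return the anomaly labels for one record (empty list means nothing tripped)."""
    reasons = []
    if rec["si_created"] < rec["fn_created"]:
        reasons.append("si_created_before_fn_created")
    if any(rec[k].microsecond == 0 for k in ("si_created", "si_modified")):
        reasons.append("zero_subsecond_si_stamp")
    if any(rec[k] > acquired_at for k in ("si_created", "si_modified", "fn_created")):
        reasons.append("stamp_after_acquisition")
    return reasons


def scan(records: list, acquired_at: datetime) -> dict:
    """Map file name -> anomaly labels for every record that tripped a check."""
    flagged = {}
    for rec in records:
        reasons = check_record(rec, acquired_at)
        if reasons:
            flagged[rec["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in scan(SAMPLE_RECORDS, ACQUIRED_AT).items():
        print(f"{name}: {', '.join(why)}")
```

None of these checks is proof on its own: a zero sub-second part can come from a FAT-to-NTFS copy and a future stamp from a wrong BIOS clock, so treat hits as leads to corroborate against the tool remnants the deck mentions.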

Windows 8 – Anti-Forensics
• Throwing Chaff: To lead the investigator in the wrong direction. Time is usually something that many investigators do not have much of.

Windows 8 – Anti-Forensics
• Disk Destruction – When all else fails, use some gasoline and fire and destroy the evidence.

Shameless Plug
BSides Columbus
January 20th, 2014
Doctors Hospital West
Three Tracks
Keynote Speakers: Dave Kennedy, Jayson Street

Questions & Comments
@fatherofmaddog
