Windows forensics the field guide for corporate computer investigations
The exception to this is the partition boot sector, which is referenced by the MBR and contains the basic parameters of the partition and its bootstrap code. The table referenced here lists the key features of the boot sector on an NTFS system that are of use in a forensic examination; the full layout is included in Appendix E. Among the fields described are the number of sectors reserved for the boot record (this value indicates where the actual NTFS file system begins) and the media descriptor byte, which should always be F8 for a hard drive.

The boot sector on an NTFS partition is also mirrored in the last sector(s) of the partition, although it is not referenced as such; comparing the two copies is a quick check for a damaged or altered boot sector. The master file table (MFT) contains the information used to define the partition's file system and its contents, including the metadata files.

To accommodate all of this information, Microsoft reserves a significant portion of the volume for the MFT. That space can be used, when necessary, by other files, but it is initially set aside upon formatting.
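As an added example (not from the book), the following Python parses the fields above from a boot sector and checks the primary copy against the backup in the last sector. The offsets are the standard NTFS boot sector layout; the sample sector and the 64-sector volume are constructed in the block, not taken from a real disk, and the values in them (volume size, MFT location, serial number) are arbitrary.

```python
import struct

# Standard NTFS boot sector ($Boot) layout; offsets are relative to the sector start.
NTFS_OEM_ID = b"NTFS    "
HDD_MEDIA_DESCRIPTOR = 0xF8
BOOT_SIGNATURE = 0xAA55
SECTOR = 512


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the boot sector fields an examiner needs to reach the MFT."""
    if len(sector) < SECTOR:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != NTFS_OEM_ID:
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS boot sector")
    if struct.unpack_from("<H", sector, 0x1FE)[0] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")

    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    reserved_sectors = struct.unpack_from("<H", sector, 0x0E)[0]
    media_descriptor = sector[0x15]
    total_sectors = struct.unpack_from("<Q", sector, 0x28)[0]
    mft_lcn, mftmirr_lcn = struct.unpack_from("<QQ", sector, 0x30)
    clusters_per_record = struct.unpack_from("<b", sector, 0x40)[0]
    volume_serial = struct.unpack_from("<Q", sector, 0x48)[0]

    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value means the record size is 2 ** |value| bytes; that is how a
    # 1024-byte record is expressed on volumes whose cluster is larger than that.
    if clusters_per_record < 0:
        mft_record_size = 1 << -clusters_per_record
    else:
        mft_record_size = clusters_per_record * cluster_size

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "reserved_sectors": reserved_sectors,
        "media_descriptor": media_descriptor,
        "media_is_hard_disk": media_descriptor == HDD_MEDIA_DESCRIPTOR,
        "total_sectors": total_sectors,
        "mft_offset": mft_lcn * cluster_size,          # byte offset of $MFT in the volume
        "mftmirr_offset": mftmirr_lcn * cluster_size,  # $MFTMirr: copy of the first records
        "mft_record_size": mft_record_size,
        "volume_serial": f"{volume_serial:016X}",
    }


def backup_boot_sector_matches(volume: bytes) -> bool:
    """Compare the boot sector with the spare copy NTFS keeps in the last sector of
    the partition. The total-sectors field counts every sector except that one, so
    the copy sits at total_sectors * bytes_per_sector. A mismatch means one of the
    two is damaged or has been altered."""
    info = parse_ntfs_boot_sector(volume[:SECTOR])
    bps = info["bytes_per_sector"]
    backup_offset = info["total_sectors"] * bps
    return volume[:bps] == volume[backup_offset:backup_offset + bps]


def build_sample_boot_sector() -> bytes:
    """Constructed sample, not from a real disk: 512-byte sectors, 8 sectors per
    cluster, 1024-byte MFT records, $MFT at cluster 4, $MFTMirr at cluster 2."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x52\x90"                 # jump over the BPB to the boot code
    sec[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", sec, 0x0B, 512, 8)
    struct.pack_into("<H", sec, 0x0E, 0)       # reserved sectors (0 on NTFS volumes seen in practice)
    sec[0x15] = HDD_MEDIA_DESCRIPTOR
    struct.pack_into("<Q", sec, 0x28, 63)      # 63 counted sectors; the backup copy is sector 63
    struct.pack_into("<QQ", sec, 0x30, 4, 2)
    struct.pack_into("<b", sec, 0x40, -10)     # 2 ** 10 = 1024-byte records
    struct.pack_into("<Q", sec, 0x48, 0x1234567890ABCDEF)
    struct.pack_into("<H", sec, 0x1FE, BOOT_SIGNATURE)
    return bytes(sec)


def build_sample_volume() -> bytes:
    """64-sector constructed volume: boot sector first, its mirror in the last sector."""
    boot = build_sample_boot_sector()
    return boot + bytes(SECTOR * 62) + boot
```

On a real image, feed the first 512 bytes of the partition (not of the disk) to parse_ntfs_boot_sector and add the partition's starting offset to mft_offset before seeking; the $MFTMirr offset gives a second copy of the first few MFT records when the primary is damaged.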
The key attributes of an MFT entry (the NTFS equivalent of an inode) are as follows:

Standard Information. The basic file attribute information, similar to FAT file information, is stored here, including the times and dates used by Windows for tracking file system additions, updates, and changes.

Security Descriptor. The attribute containing the file owner and access control list (ACL) information.

Data. The actual content of the file or, for most files, pointers to where the content is stored on disk. Only very small files store their data resident within the MFT entry.

The number of quota bytes charged includes the sum of all data streams in the file. Because most applications show only the size of the primary stream, the quota charge may differ from the displayed file size. The attribute flags (permissions) are shown in the table referenced here; one of them marks a sparse file, a special type of file that is large in size but holds only small amounts of actual data. The file name attribute carries its own set of dates. If it is suspected that the user renamed the file intentionally to hide it, that attribute may then carry a date different from the initial creation date in Standard Information.
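The following Python is an added example, not code from the book: it parses one MFT entry (update sequence fixups, the Standard Information and file name attributes, and resident data), converts the FILETIME values, and applies the check just described, comparing the creation date in the file name attribute against the one in Standard Information. The two records it parses are constructed in the block with arbitrary dates and names; the whole-second heuristic in timestamp_findings is a common rule of thumb rather than something the book states.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD_SIZE = 512, 1024
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)

def filetime_to_datetime(ft: int) -> datetime:
    """NTFS timestamps are 100-ns ticks since 1601-01-01 UTC (FILETIME)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def apply_fixups(record: bytes) -> bytes:
    """NTFS overwrites the last two bytes of every sector of a record with the update
    sequence number and keeps the real bytes in the header's update sequence array;
    a parser that skips this step reads two wrong bytes per sector."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if fixed[end - 2:end] != usn:
            raise ValueError(f"update sequence mismatch in sector {i - 1}: torn record")
        fixed[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(fixed)

def parse_mft_record(raw: bytes) -> dict:
    """Walk the attribute list: both sets of timestamps, the name, flags, resident data."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record (unused slot, or BAAD after a bad write)")
    rec = apply_fixups(raw)
    first_attr, flags = struct.unpack_from("<HH", rec, 20)
    out = {"in_use": bool(flags & 1), "is_directory": bool(flags & 2), "attributes": {}}
    off = first_attr
    while struct.unpack_from("<I", rec, off)[0] != ATTR_END:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        body = None                                   # stays None for non-resident content
        if not nonres:
            csize, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + csize]
        if atype == ATTR_STANDARD_INFORMATION:
            t = [filetime_to_datetime(v) for v in struct.unpack_from("<4Q", body)]
            out["attributes"]["si"] = {"created": t[0], "modified": t[1], "mft_modified": t[2],
                                       "accessed": t[3], "flags": struct.unpack_from("<I", body, 32)[0]}
        elif atype == ATTR_FILE_NAME:
            t = [filetime_to_datetime(v) for v in struct.unpack_from("<4Q", body, 8)]
            out["attributes"]["fn"] = {"created": t[0], "modified": t[1],
                                       "real_size": struct.unpack_from("<Q", body, 48)[0],
                                       "name": body[66:66 + 2 * body[64]].decode("utf-16-le")}
        elif atype == ATTR_DATA:
            out["attributes"]["data"]= body
        off += alen
    return out

def timestamp_findings(parsed: dict) -> list:
    """The book's check (file name dates differ from the Standard Information creation
    date) plus a common heuristic: tampering tools often leave whole-second times."""
    si, fn = parsed["attributes"].get("si"), parsed["attributes"].get("fn")
    findings = []
    if si and fn and fn["created"] != si["created"]:
        findings.append("file name attribute creation time differs from Standard Information")
    if si and all(si[k].microsecond == 0 for k in ("created", "modified", "accessed")):
        findings.append("Standard Information times are whole seconds")
    return findings

def _resident(atype: int, content: bytes) -> bytes:
    length = (24 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return header + content + bytes(length - 24 - len(content))

def build_record(si_created, fn_created, modified, name: str, content: bytes) -> bytes:
    """Constructed record (not from a real disk), protected with a real update
    sequence so that apply_fixups has something to undo."""
    ft = datetime_to_filetime
    si = struct.pack("<4QIIII", ft(si_created), ft(modified), ft(modified), ft(modified), 0x20, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), ft(fn_created), ft(modified), ft(modified),
                     ft(modified), 0, len(content), 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = (_resident(ATTR_STANDARD_INFORMATION, si) + _resident(ATTR_FILE_NAME, fn)
             + _resident(ATTR_DATA, content) + struct.pack("<I", ATTR_END))
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQH", rec, 4, 48, 3, 0, 1, 1, 56, 1, 56 + len(attrs), RECORD_SIZE, 0, 4)
    rec[56:56 + len(attrs)] = attrs
    rec[48:50] = b"\x07\x00"                          # update sequence number
    for i in (1, 2):                                  # stash the real bytes, write the USN
        rec[48 + 2 * i:50 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = b"\x07\x00"
    return bytes(rec)

def sample_records() -> tuple:
    """(clean, suspect): the suspect's Standard Information creation date is pushed back
    a year, to the whole second, while the file name attribute keeps the real one."""
    real = datetime(2004, 3, 15, 14, 30, 7, 123456, UTC)
    back_dated = datetime(2003, 1, 1, 0, 0, 0, 0, UTC)
    clean = build_record(real, real, datetime(2004, 3, 16, 9, 2, 11, 765432, UTC),
                         "budget.xls", b"constructed")
    suspect = build_record(back_dated, real, back_dated, "secret.doc", b"TOP SECRET merger notes")
    return clean, suspect
```

To run this over a real $MFT, read the file in 1024-byte slices (or whatever mft_record_size the boot sector reports) and pass each slice to parse_mft_record; entries that raise on the FILE signature are unused slots.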
The easiest way to view MFT entry information directly is through a third-party tool; DiskExplorer from Runtime Software has a good interface for doing this. Note that NTFS treats directories as files as well.

Sparse files. Sparse files were designed to allow very large files to reserve space with minimal actual storage allocated. A multi-gigabyte file with large runs of zeros may take up only a few megabytes if defined as a sparse file on NTFS. Be aware when conducting an examination using a native NTFS file system that copying a sparse file to another file system (for example, FAT) will result in the full-size file being generated and copied, requiring significantly more storage space or an NTFS drive to be used.

Reparse points. Reparse points permit the redirection of access to a file using set criteria. Individual applications can define their own reparse point information, but NTFS uses reparse points for a few items of interest to the investigator. Symbolic links provide Unix-like redirects from one file (or, in the case of junction points, one directory) to another. The other items of interest are volume mount points, which permit an entry to point to another volume or partition that then appears to be part of the same logical directory structure. The Windows mountvol command will show all volume mount points present. Both present challenges for the investigator when searching, accessing, and copying files: a recursive copy or search can follow a junction or mount point into another volume, or loop back on itself.

NTFS allows an individual user to claim ownership of a file or directory. That individual, designated as the owner, has the ability to assign access rights to Windows users and groups for that file or directory. These rights are stored along with the entity and can include any number of file permissions, including reading, changing, and deleting a given file.
When accessed through a Windows environment, the NTFS driver checks the security permissions on a given file before permitting access to that file. If the individual currently logged on does not have rights to that file to perform the requested operation, access is denied.
If the user has administrative rights over the system on which the NTFS partition resides, that user can take ownership of the entity and grant themselves rights to access it. If they do not have administrative rights, they must request that an administrator or the owner of the entity grant them the requested permissions.
Any utility that performs a raw, sector-by-sector copy of a drive, such as EnCase or SafeBack, likewise ignores file permissions, as it operates at a level below the file system when copying. To access files on a machine for which the investigator does not have an account or the necessary permissions:

1. Create a Windows 98 boot disk. This creates a bootable DOS disk with the Windows 98 system files on it. If a boot CD is needed (for example, if there is no floppy drive on the system in question), Linux may be the better choice.

2. Run the executable to install the disk creator. The images it produces can be copied directly to a boot disk without repeating the earlier steps.

3. Boot the suspect's machine with the new floppy. Insert the new disk into the floppy drive of the target machine and ensure that the floppy drive is the first boot choice in the BIOS setup menu.

4. Browse the target NTFS file system in read-only mode and use other floppy disks, or a boot disk with network or null-modem cable drivers, to copy target files to a non-NTFS partition, bypassing any permissions.
NTFS permits the compression of files, directories, and volumes to save space. The compression used is lossless: no data is lost in shrinking the file size. The specific algorithm is an older Lempel-Ziv (LZ) variant, which searches for repeating strings of variable length and replaces them with smaller, fixed-length placeholder codes. While not optimal in terms of storage reduction (the algorithms used by programs such as PKZip and WinRAR do a much better job of compressing information to smaller sizes), the algorithm is fairly fast, so there is minimal time difference when accessing compressed files. No information is lost when these algorithms are used.

When a program accesses a file that is compressed using NTFS compression, the operating system compresses and decompresses the file on the fly. This happens automatically: Windows intercepts system calls to files with compressed data, performs the decompression first, and then passes the decompressed data to the calling program. Other Windows compression features, such as compressed folders, are separate functions from NTFS compression, but their compression and decompression are still handled by the operating system, just by a different set of library functions.
Because compression changes the bytes stored on the disk, compressed files cannot be searched accurately within a sector-by-sector image. Like all compressed files, they need special treatment to be searched accurately: they must be decompressed and searched at the logical file system level instead of the sector level. Additionally, searches for file headers (for example, by tools that look for deleted files with no MFT record) will likely be unsuccessful on compressed data. The figure referenced here shows the actual data stored in the compressed (bottom) and uncompressed (top) versions of a text file containing the words of the United States Constitution. A basic keyword or string search is unlikely to find anything in the lower, compressed image.

The Microsoft command line tool compact allows the investigator to list the NTFS-compressed files on a logical volume and to uncompress them. In its listing, any file with a "C" in front of the file name is compressed. The compact command also allows the investigator to both compress and decompress files and to view the compression ratios. In the example, compact reports the ratio at which the file was compressed. Note, however, that the file size has not changed in the directory listing, although the space used on disk has. This matters when copying files to a non-NTFS partition: any files that were compressed will be decompressed when copied to a floppy or tape if a logical copy operation is used, which may require more storage space than was originally used on the source drive, depending on the compression ratios.

Windows also supports a second compressed archive format. These files are usually distributed with software, and the format is not commonly used for end-user compression and is therefore less likely to contain evidence in a forensic investigation.
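Before a logical copy or a keyword search, an examiner wants a list of the files the preceding sections single out: sparse files, compressed files, reparse points, and (as covered next) EFS-encrypted files. The following Python is an added example rather than a procedure from the book. plan_logical_copy works on constructed entries and computes how much larger a logical copy to a non-NTFS target will be than the space the files occupy on the source; collect_entries gathers real entries on a live Windows system through os.lstat and the Win32 GetCompressedFileSizeW call (the ctypes binding is this example's own and runs only on Windows). The sample paths and sizes are invented.

```python
import ctypes
import os
import stat
import sys

# Attribute bits as os.lstat(...).st_file_attributes reports them on Windows; the
# same bits live in the flags field of an MFT entry's Standard Information.
FLAGS_OF_INTEREST = {
    stat.FILE_ATTRIBUTE_SPARSE_FILE: "sparse",
    stat.FILE_ATTRIBUTE_COMPRESSED: "compressed",
    stat.FILE_ATTRIBUTE_REPARSE_POINT: "reparse-point",
    stat.FILE_ATTRIBUTE_ENCRYPTED: "encrypted",
}
WHY_IT_MATTERS = {
    "sparse": "a logical copy expands the zero runs to the full logical size",
    "compressed": "bytes on disk are LZ-compressed; search the decompressed file, not the sectors",
    "reparse-point": "junction, symlink or mount point: redirects, and can loop, a recursive copy",
    "encrypted": "EFS: unreadable without the user's or a recovery agent's private key",
}


def decode_flags(mask: int) -> list:
    return [name for bit, name in FLAGS_OF_INTEREST.items() if mask & bit]


def plan_logical_copy(entries) -> dict:
    """entries: (path, attribute mask, logical size, size on disk) tuples.
    Returns what a logical copy to a non-NTFS target needs versus what the files
    occupy on the source, plus the per-file reasons for special handling."""
    on_source = needed = 0
    warnings = {}
    for path, mask, logical, on_disk in entries:
        flags = decode_flags(mask)
        if flags:
            warnings[path] = {f: WHY_IT_MATTERS[f] for f in flags}
        if "reparse-point" in flags:
            continue                     # a redirect carries no data of its own
        on_source += on_disk
        needed += logical                # sparse and compressed files expand to this
    return {"bytes_on_source": on_source, "bytes_needed_non_ntfs": needed,
            "expansion": needed - on_source, "warnings": warnings}


def collect_entries(root: str):
    """Windows only: walk a mounted volume without following reparse points and
    ask the kernel for each file's real on-disk size (GetCompressedFileSizeW
    returns the compressed or sparse size)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("st_file_attributes and GetCompressedFileSizeW exist only on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetCompressedFileSizeW.argtypes = [ctypes.c_wchar_p, ctypes.POINTER(ctypes.c_uint32)]
    k32.GetCompressedFileSizeW.restype = ctypes.c_uint32
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            sub = os.path.join(dirpath, d)
            if os.lstat(sub).st_file_attributes & stat.FILE_ATTRIBUTE_REPARSE_POINT:
                dirnames.remove(d)       # do not descend into junctions or mount points
                yield sub, stat.FILE_ATTRIBUTE_REPARSE_POINT, 0, 0
        for f in filenames:
            path = os.path.join(dirpath, f)
            st = os.lstat(path)
            high = ctypes.c_uint32(0)
            low = k32.GetCompressedFileSizeW(path, ctypes.byref(high))
            if low == 0xFFFFFFFF and ctypes.get_last_error() != 0:
                on_disk = st.st_size     # call failed (for example, access denied): fall back
            else:
                on_disk = (high.value << 32) | low
            yield path, st.st_file_attributes, st.st_size, on_disk


# Constructed sample entries (invented paths and sizes) for running offline.
MiB = 1 << 20
SAMPLE_ENTRIES = [
    (r"D:\vm\disk.vhd", stat.FILE_ATTRIBUTE_ARCHIVE | stat.FILE_ATTRIBUTE_SPARSE_FILE, 4096 * MiB, 3 * MiB),
    (r"D:\logs\iis.log", stat.FILE_ATTRIBUTE_COMPRESSED, 50 * MiB, 20 * MiB),
    (r"D:\docs\plain.doc", stat.FILE_ATTRIBUTE_ARCHIVE, 1 * MiB, 1 * MiB),
    (r"D:\docs\archive", stat.FILE_ATTRIBUTE_DIRECTORY | stat.FILE_ATTRIBUTE_REPARSE_POINT, 0, 0),
    (r"D:\docs\secret.xls", stat.FILE_ATTRIBUTE_ENCRYPTED, 3 * MiB, 3 * MiB),
]
```

On a live Windows system, plan_logical_copy(collect_entries(r"D:\")) gives the figure to size the destination against and the list of files that a sector-level keyword search or a plain copy will mishandle.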
To extract the files from a compressed.

NTFS version 5 brought the concept of encrypting the data within a file, directory, or volume as a native service provided by Windows, the Encrypting File System (EFS). EFS permits an individual user to encrypt any files of which they are the owner. The act of encryption is fairly complex and uses both symmetric and public-key encryption. When encrypting a file, the file owner specifies who has access. By default, only the individual performing the encryption and any designated data recovery agents (DRAs) are permitted access, but other users can be added by the individual. Data recovery agents are defined by policy as accounts that can be used to decrypt a file if the original account's encryption keys are lost or damaged or the original account holder is unavailable. Most organizations designate their security group as one of the DRAs.

When a file is encrypted, Windows generates a random symmetric key, called the file encryption key (FEK), specifically for that file. If this is the first time the user has encrypted a file, Windows also generates a public and private key pair for the user. The private key is stored with the user's profile in encrypted form, encrypted with a master key that Windows derives from user-specific credentials.
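To make the key management concrete, the following Python is an added toy model (not EFS's actual code or algorithms) of the scheme described here and in the paragraphs that follow: one FEK per file, wrapped once for the owner (the data decryption field) and once for each recovery agent, with the file body encrypted under the FEK. The symmetric part is the XOR keystream approach the book uses as its illustration and the public-key part is textbook RSA on freshly generated primes with no padding, so nothing here is fit for real use; the principal names, the 16-byte FEK length and the 512-bit key size are assumptions of this example.

```python
import hashlib
import secrets

# Toy model of EFS key management. Not EFS's real code: the symmetric cipher is an
# XOR keystream and the public-key part is unpadded textbook RSA, so this shows
# the structure (FEK, DDF, recovery field) and nothing about the real algorithms.
FEK_BYTES = 16          # assumption of this example; the book does not state the size


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Returns (public, private) as dicts; 512 bits is a toy size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def wrap_fek(fek: bytes, public: dict) -> int:
    return pow(int.from_bytes(fek, "big"), public["e"], public["n"])


def unwrap_fek(wrapped: int, private: dict) -> bytes:
    fek = pow(wrapped, private["d"], private["n"])
    if fek.bit_length() > 8 * FEK_BYTES:      # wrong private key: garbage the size of n
        raise ValueError("wrapped FEK does not decrypt under this private key")
    return fek.to_bytes(FEK_BYTES, "big")


def xor_stream(data: bytes, fek: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream; applying it twice restores the data."""
    out, block = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(fek + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def efs_encrypt(plaintext: bytes, users: dict, recovery_agents: dict) -> dict:
    """users / recovery_agents map a principal name to its public key. One FEK is
    generated per file and wrapped once per principal: the DDF entries for users,
    the recovery entries for DRAs. The file body is encrypted under the FEK."""
    fek = secrets.token_bytes(FEK_BYTES)
    return {"ddf": {name: wrap_fek(fek, pub) for name, pub in users.items()},
            "drf": {name: wrap_fek(fek, pub) for name, pub in recovery_agents.items()},
            "data": xor_stream(plaintext, fek)}


def efs_decrypt(blob: dict, principal: str, private: dict) -> bytes:
    wrapped = blob["ddf"].get(principal, blob["drf"].get(principal))
    if wrapped is None:
        raise PermissionError(f"{principal} holds no DDF or recovery entry for this file")
    return xor_stream(blob["data"], unwrap_fek(wrapped, private))
```

The point for the investigator is visible in efs_decrypt: anyone holding a private key that matches one wrapped copy of the FEK recovers the whole file, so a recovery agent's key is as good as the owner's, while a key with no entry (or the wrong key) gets nothing.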
A data decryption field (DDF), containing the user's information and a copy of the FEK encrypted with the user's public key, is generated and added to the file header. An additional DDF for each additional user granted access likewise contains the FEK encrypted with that user's public key and is placed in the file header; each recovery agent gets an equivalent entry built the same way.

Symmetric encryption relies on a single key that can be used to both encrypt and decrypt a file. An example is XORing a file against a given set of binary digits and storing the result; a second XOR operation against the encrypted result with the same key returns the original data. Public key encryption relies on two keys: a public key and a private key. Public key algorithms use one-way functions based on computationally hard problems (for example, the factoring of large numbers), where a different key is used to encrypt (the public key) than to decrypt (the private key). With public key encryption, the encryption cannot be reversed with knowledge of the public key alone in a reasonable timeframe, which allows that key to be published widely.

When a forensic investigator encounters an EFS-encrypted file, directory, or volume, he will not be able to read its contents using standard disk viewing tools at either a logical or a physical level. The contents can actually be read, but they will be unintelligible because they are encrypted. To recover the information from an EFS-encrypted file, the investigator has a few primary options:
Obtain the user's credentials and log in as the user. This will potentially alter forensic evidence (for example, login times and profile information) and should be performed only after a full forensic duplicate of all information has been made. If EFS or other encryption is suspected and the user is logged in when the computer is found, a live system analysis should be performed in lieu of powering off the machine. The user's credentials can be obtained through social engineering, password guessing (of that or other passwords), or any other technique used to obtain user passwords. The password must be obtained, not reset: because the master key protecting the user's private key is derived from the user's credentials, an administrative password reset (on Windows XP and later, absent a password reset disk or domain recovery) can leave the EFS private key unrecoverable.

Use a designated DRA account to access the files. If the security group is registered as a DRA or has access to a DRA account, this account can be used to decrypt the files in question. After a DRA on a file has been identified, that account, if available, can be used to decrypt the contents. Certificate files with the private key included can be exported from Windows with a default extension of .PFX. These files can then be imported into the certificate store on the system used for analysis to permit access to files encrypted by those users. Some users will export .PFX files either to have a backup copy of their certificate or to use the same certificate on multiple systems, so searching the suspect's drives for .PFX files may yield the needed certificate. The Certificate Manager snap-in of the Microsoft Management Console can be used to view and import certificates. A sample certificate store is shown in the figure referenced here. To import a new certificate, right-click the existing store and select All Tasks, Import; the wizard then walks the user through importing the certificate. In most Windows builds, double-clicking a .PFX file will start the import automatically. The Certificate Management option may also be available directly from the Control Panel.

Search for the unencrypted data at a physical level. Even though a file may be encrypted, remnants of the file, or the whole file, may exist unencrypted on the drive (for example, in temporary files, in the page file, or in unallocated clusters that held the plaintext before the file was encrypted).

If a forensic photographer is available, allow her to photograph the entire scene. If one is not available, the analyst may need to use a time-stamped camera, either digital or film.
Start with a few shots of the entire scene for overall layout. Follow with close-ups of each piece of evidence. Note cards bent in half make nice, inexpensive labels for purposes of photographing evidence locations.
Even if a professional forensic photographer is available, the analyst might have to assist her in identifying what to photograph from a digital perspective. Items that require special attention in a computer investigation include: Computer screens. Photograph the current screen with a still camera with a high enough resolution to read text if necessary. Network connections.
Any network or phone cables going to or from the computer should have close-up shots taken of them. Both ends of every cable should be photographed in the event that the analyst has to prove that a computer was connected to a specific network or phone line when he arrived. Peripheral connections. Connections to peripherals should likewise be shot in close-up for later reassembly and proof of connection. Tip Do not use a video camera to photograph a computer screen. Because of differences between the sampling rate of the camera and the refresh rate of the screen, the images may not be properly viewable.
When in doubt, take additional pictures. It is impossible to go back and do so later. After all, even the location of the mouse can prove significant; it may help to show that a left-handed person was the last user. Process the Scene for Physical Evidence The processing of the scene for physical evidence is best left to those individuals who have been specifically trained to process it. In addition to the digital evidence they may hold, electronic devices are frequent repositories of physical evidence.
Anyone who has ever turned over a keyboard and examined the detritus that can be shaken out is aware of potential biological evidence. Likewise, anyone who has touched a computer screen has left his own mark for later examination.
The computer investigator can suggest items of interest in the digital investigation, which may be processed as part of the physical investigation. These include:

Post-it notes or scraps of paper on, around, or under desks and computer equipment. Check under the keyboard; Post-its are an office favorite for writing down passwords.

Papers with passwords, user names, or URLs. Any papers with information about the individual's computer system or potential usage should be collected.

Keys to laptops or locked drives. They can be taped under desks or hidden in plants.

Application CDs, which might be necessary to load an individual application in the lab environment for analysis.

Computer manuals, reference guides, and other electronic equipment documentation. These guides may be useful in taking apart a system, figuring out what command accesses CMOS setup, and understanding an application.

A fingerprint analyst without a dusting kit, a DNA collection expert without swabs, and a forensic entomologist without sample cases would be severely limited in their abilities to process a scene. Similarly, without the basic kit, the computer forensic analyst is like a carpenter without a saw.
Not all digital evidence processing kits are alike. Some analysts prefer to have a complete mobile lab available to them for on-site analysis. Companies such as DigitalForensics provide special purpose equipment for these scenarios. Other analysts work on a first responder model whereby evidence is collected by remote first responders and then shipped to a central location for analysis.
The sophistication of the evidence collection toolkit depends on the response model used, but at a minimum the following items should be included in any forensic response toolkit:

Latex gloves. Not only do they prevent one from leaving fingerprints everywhere, but thicker latex gloves are also good protection against jagged edges when pulling apart computers.

Security tape. The computer forensic analyst in a corporate setting may be acting alone and may need to cordon off an area as part of a physical crime scene. Basic yellow "Do Not Cross" tape can be purchased at local hardware stores and is sufficient for non-law-enforcement use.

Evidence tags and labels. Tags specifically designed for evidence collection can be purchased cheaply from any major supplier of law enforcement goods. They should be tamper-resistant and may have two parts: one that stays with the evidence and a second that remains in the custody of the analyst.

Cable ties. Securing a label to a piece of evidence by adhesion may not always be possible; a few inexpensive plastic cable ties do the trick nicely.

Bolt cutters. Many laptop locks can be bypassed with a pair of scissors and a paper clip. Key locks require a little practice, and number locks require a lot of time. If time is of the essence, a set of bolt cutters or cable cutters will make quick work of inexpensive cable locks.

Permanent marker. When writing on a CD-R, evidence tag, or any other surface, a Sharpie is unbeatable. Make sure that the pen has a felt tip, preferably a fine point or better for those tight spaces.

Anti-static bags and evidence bags. Anti-static bags are generally silver in color and protect computer equipment from static electricity, both in the environment and generated by the analyst. Evidence bags are tamper-resistant and have a detachable evidence label. Buy several different sizes of each, ranging from floppy-disk size to laptop size.

Digital camera. Any digital camera with a time and date stamp will suffice. Look for a built-in macro lens for close-ups of network connections, components, and cables. Anything above three megapixels is sufficient; do not attempt to compete with Ansel Adams.

Forensic notebook. Any book with numbered pages that cannot be removed is good for this. Lab notebooks and general bound logbooks tend to be cheaper and just as good as those sold specifically for the purpose.

PC toolkit. This is one place not to skimp. Buy the larger-size PC toolkit (one hundred pieces or better) to get everything needed to take a machine apart on-site. Ensure that TORX bits are included.

Forensic laptop, hard disk, and adapters. It is always nice to be able to do some analysis on-site. A basic laptop with external USB 2.0 adapters is sufficient.

Tip Before destroying a laptop lock, try looking around the office for a hidden key, either taped under the desk or in an office plant. Basic combinations on a number lock are worth a try also; the phone extension of the particular desk is a favorite. Combinations can be brute-forced in a fairly short period: four-digit locks have 10,000 combinations, which can be tested in roughly an hour and a half.

Process the Scene for Electronic Evidence. The processing of digital evidence at the crime scene is the responsibility of the computer investigator.
After the physical processing of all IT equipment, the computer investigator takes over and is responsible for the packaging and handling of any electronic components.

The company believed that there was information stored on both the employee's cell phone and PDA. Both devices were secured by the individual who collected them and then shipped to us after a few weeks. When the equipment arrived more than a month later, however, we had a difficult time analyzing the evidence. The cell phone battery had expired; luckily, we had a compatible charger available in our lab and were able to recharge it. Unfortunately, the suspect's phone had continued to receive phone calls while locked up with HR. As a result, the received-call log was overwritten. We were able to get the data through the phone company records, given that it was a company phone. The PDA fared worse. The battery had expired, as had the backup battery. When we recharged the device, we saw that the volatile memory had been wiped out by the battery failure, leaving us with a clean system.

A simple Brother P-Touch labeler is a cost-effective way to identify a specific cable and where it plugs in on both ends.
The cable connections can then be noted in the logbook for later reference when reassembling. After all cables have been labeled, the power cable can be removed to shut down the computer see the sidebar "Shutdown, Unplug, or Analyze Live" for details on powering down.
On Windows systems, the power cable should be removed from the connection on the PC itself instead of the wall jack. Pulling out the wrong power cable can be embarrassing and lead to data loss for example, if there is a UPS that communicates with the PC present. For laptops, the battery should be removed and then the laptop unplugged.
If the laptop is unplugged first, the machine may switch power-save modes, which will also potentially alter data. The Shutdown function of Windows should not be used, nor should the power switch on the box. Tip On older systems, the power switch was actually a relay on the power supply, and using it disconnected all power to the system.
Recent machines use a software switch, which causes a motherboard interrupt to be generated, resulting in a Windows-friendly system shutdown. After powering down, each cable should be individually removed from the computer and placed in an evidence bag. After the cables have been removed, all components containing digital logic or that are sensitive to static charge should be placed in anti-static bags. The anti-static bags may then be placed into evidence bags and sealed.
Shutting down a Windows system using the Shutdown button has a tremendous impact on a forensic investigation. From a forensic standpoint, shutdown will do the following:

Overwrite sections of the hard disk's free space as information in memory is written to disk.

Remove the swap file (pagefile.sys) on systems configured to clear it at shutdown.

Terminate any running processes or applications, some of which may prompt for the saving of data, rendering the information unrecoverable in certain cases.

Alter date and time stamps on numerous files.

Delete temporary files.

Add entries to the event log.

Although other operating systems may be damaged by an improper shutdown, Windows systems are generally better off being powered down by unplugging. The application data for currently open applications may or may not be written to disk, depending on the specific application. The contents of memory are lost either way, and the hard disk structure is altered less by unplugging. Although using the built-in shutdown feature is rarely the best approach, performing a live analysis may be valuable.
The degree to which a live analysis is performed depends on the case and could consist of anything from a remote port scan to a full examination of the current operating conditions. Live Windows system analysis is covered in detail in Chapter 8, but the decision to do a live analysis can be evaluated by considering several questions:

Is an incident actively occurring on the machine?

Will capturing data about the incident as it is occurring be potentially useful? If so, keystroke monitoring, network sniffing, and other techniques may be appropriate.

Is the active incident destroying data, attacking other systems, or performing another destructive act that will be stopped by unplugging?

Will unplugging the system tip off the suspects?

Are there currently open applications whose contents will be useful in the case?

Are there suspected processes in memory that may be useful in the case?

Is information stored in memory likely to be a key component in the case? Is that information likely more valuable than the information on the hard disk?

There are additional options between pulling the plug and performing an in-person live analysis as well:

Documenting the open applications before pulling the plug.

Evaluating the system remotely.

Performing a remote forensic duplication using EnCase Enterprise and then performing a live analysis.

Doing the critical pieces of a live analysis and then pulling the plug.

When making the decision to pull the plug, the key to success is understanding the implications, applying them to the specific case, and fully documenting the reasons behind the decision.
Note Windows 95 sets the file size of the pagefile to 0 at shutdown.

For a piece of evidence to be used effectively in court, chain of custody must be maintained. Chain of custody begins with the securing of the evidence. The initial individual who secures and catalogs the evidence becomes the first custodian in the chain of custody. This person is responsible for ensuring that the evidence remains secured and intact until it can be brought back to the evidence room. This means that the evidence is in the possession of the custodian at all times or is locked in a location accessible only to the custodian.

Tip When transporting electronic media in a vehicle, do not place it in the glove box.

The evidence room should be access-controlled, with direct access limited to no more than two individuals. Upon arrival, all evidence should be signed in to the evidence room by filling out a chain of custody form (see Appendix A for an example). It is then turned over to the evidence room custodian and logged as present in the evidence room. When the evidence is ready for analysis, the computer investigator signs the evidence out of the evidence room and takes custody of it for a period of time. After the evidence has been analyzed, it should be returned to the evidence room for proper storage. Retention of evidence in the storage room will depend on space constraints, volume of evidence, and local statutes of limitations on the type of case. The retention policy should be documented and strictly enforced. Many companies use a fixed number-of-years rule for evidence of potentially illegal activity or evidence involved in civil litigation.

When presented at court, the chain of custody form for a piece of evidence and any supplementary documentation may need to be presented to prove validity. The documentation should adequately show the following:

The evidence collected is the same as that presented in court.

The location of the evidence was known at all points in time.

An evidence custodian was assigned at all points in time.
No individuals outside of those listed on the chain of custody form had access to the evidence.

The evidence was not intentionally or inadvertently modified as part of the investigative process.

Best Evidence. Computer evidence has special considerations when presented in a court of law. For non-electronic evidence, the Federal Rules of Evidence define "best evidence" as the original writing, recording, or photograph, as opposed to a copy. The typing of information and the copying of data from an outside source now qualify as an original writing, recording, or photograph in electronic form. To handle computer evidence, an exception was made to the best evidence rule permitting paper copies that represent the electronic form to be admitted as documentary evidence in court. This permits the investigator to submit printouts of actual activity where applicable, although a visual demonstration may be of great value in getting a point across.

A second clarification to the best evidence rule regarding electronic evidence concerns the definition of a duplicate. The original copy of a hard disk may be unavailable, or the act of booting the disk in its original environment will alter it, making the original no longer valid. For this reason, full forensic duplicates are now permitted for electronic evidence. Duplicates are bitstream, sector-by-sector images of electronic equipment. As the electronic items and a visual representation of them are the actual evidence, there is no specific requirement that the disk itself be presented. Current case law permits the use of forensic duplicates as fully qualified substitutions as long as:

1. They are from the indicated source.

2. They were acquired using proven tools and techniques.

3. They have not been altered since the time of acquisition.

Tip Tools such as dd, SafeBack, and EnCase, when used according to proper procedures, have all been court tested. In practice, point 3 is demonstrated with cryptographic hashes computed at acquisition and recomputed before analysis and presentation.
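How point 3 is established in practice, as an added example (not a procedure from the book): a dd-style bitstream copy that hashes the source as it is read, re-hashes the written image, records both in a JSON acquisition log, and re-verifies the image later. It runs on a constructed temporary file standing in for a device; the log format, its field names, and the examiner and case identifiers are this example's own choices.

```python
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # 1 MiB reads keep memory flat however large the source is


def hash_file(path: str, algorithms=("md5", "sha256")):
    """Stream the file once and return (size, {algorithm: hexdigest})."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    size = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
            size += len(chunk)
    return size, {a: h.hexdigest() for a, h in hashers.items()}


def acquire(source: str, image: str, log: str, examiner: str, case_id: str) -> dict:
    """dd-style bitstream copy with hash-on-the-fly. The source hashes come from the
    bytes as they are read; the image is then re-read independently and must match
    before the acquisition record is written."""
    hashers = {a: hashlib.new(a) for a in ("md5", "sha256")}
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while chunk := src.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    source_hashes = {a: h.hexdigest() for a, h in hashers.items()}
    image_size, image_hashes = hash_file(image)
    if image_size != copied or image_hashes != source_hashes:
        raise RuntimeError("image does not match source: repeat the acquisition")
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes": copied,
        "hashes": source_hashes,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    with open(log, "w") as fh:
        json.dump(record, fh, indent=2)
    os.chmod(image, 0o444)   # software write-protect the copy; the original stays on a write blocker
    return record


def verify(image: str, log: str) -> bool:
    """Re-hash the image and compare it with the acquisition record: the check to
    make before the image is analyzed and again before it is presented."""
    with open(log) as fh:
        record = json.load(fh)
    size, hashes = hash_file(image)
    return size == record["bytes"] and hashes == record["hashes"]


def demo() -> dict:
    """Self-contained run on a constructed 3 MiB + 123 byte 'device' in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "sdb")           # stands in for /dev/sdb or \\.\PhysicalDrive1
        image, log = os.path.join(tmp, "sdb.dd"), os.path.join(tmp, "sdb.json")
        with open(source, "wb") as fh:
            fh.write(secrets.token_bytes(3 * CHUNK + 123))
        record = acquire(source, image, log, examiner="J. Doe", case_id="CASE-0001")
        ok_before = verify(image, log)
        os.chmod(image, 0o644)                      # simulate someone altering the image
        with open(image, "r+b") as fh:
            fh.seek(1000)
            original = fh.read(1)
            fh.seek(1000)
            fh.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify(image, log)
        return {"bytes": record["bytes"], "verified": ok_before, "verified_after_tamper": ok_after}
```

Two hashes are recorded because an MD5 alone is no longer a strong integrity claim; the JSON record is what goes into the chain of custody file with the image, and verify() is the call to make (and log) each time the image is checked out of the evidence room.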
There are three main ways to store electronic evidence used in an investigation:

Store the entire computer system itself.

Store the hard disk or other drives from the computer system.

Store a bitstream copy of the hard disk on write-protected media.

Making the determination of what to store is a question of policy, storage space, and operational impact. An organization should have a policy that specifies what should be stored and for how long. This should also include how the data is stored, where it is stored, who has access to it, and ultimately how it is disposed of. Policy may be altered by the circumstances and outcome of the particular incident.
For example, cases involving potential civil or criminal litigation may require more stringent or longer storage than cases with a "no findings" outcome. Given the current best evidence thinking, there is little legal reason to store the actual computer or hard disk itself provided that an authenticated bitstream copy is available with the appropriate procedural documentation on the acquisition.
Storage space is likewise a consideration. The acquisition of a dozen or more computers in a large case is not unheard of, and the machines may be large servers. Most companies are unwilling to lease an evidence warehouse specifically for this purpose, however. In many cases, an evidence safe in a locked room may be the only viable option. This precludes the storage of large amounts of equipment. Yet there is at least one valid reason to make space for entire systems: the potential unavailability of the hardware in the future.
If there will be a need to reconstruct the hardware one day for example, if the hardware used a proprietary storage device that was not acquired to another media , this warrants serious consideration. Operational impact is always a concern when performing an investigation. The operational impact of removing a computer system or hard drive for an extended period, be it minutes or years, might outweigh any storage benefits of having the original media. Barring the concerns noted previously, storing a bitstream copy of all evidence as a base copy is the best approach.
The media should be write-protected to ensure that it cannot be altered. It must be of archival quality as some media, notably early CDs and DVDs, have longevity issues, as do many magnetic tapes.
It must be a long-lasting format as well, for if the format is proprietary and the reading hardware dies, all of the evidence may be rendered unusable.

Working with Law Enforcement. In the past, corporate executives believed that reporting criminal activity associated with IT security meant creating bad press for their organizations. As a result, corporations often suffered unreported losses. Today, however, attitudes have changed. Thanks to increased pressure from federal legislation like Sarbanes-Oxley and state legislation in locations like California, many IT security incidents are required to be reported.
Simultaneously, law enforcement outreach initiatives like the FBI's InfraGard program foster industry partnerships to protect the national infrastructure. Tip: Information security professionals should consider joining their local InfraGard chapter.
The contacts with professional colleagues as well as law enforcement officials are invaluable, and the cost to join is negligible (free for some chapters). The best time to engage law enforcement is before an incident occurs. If the investigator makes contacts with local, state, and federal officials ahead of time, she will find it much more efficient to work with them after the proverbial excrement hits the fan.
Law enforcement agents bring to the table skills and capabilities not generally accessible in the corporate world. They are able to track incidents across borders (both corporate and geographic), pursue criminal actions against attackers, and provide expertise in the technical, legal, and logistical areas of an investigation. At the same time, the corporate security investigator may be able to provide agents with information and expertise that they do not necessarily possess.
The investigator may assist law enforcement by:
- Acting as a liaison to internal staff. By coordinating with corporate staff, the computer investigator frees law enforcement from the difficulties of navigating a complex organizational structure.
- Acquiring and preserving evidence. Not all evidence can wait for law enforcement to be engaged, and some evidence (especially evidence that is transitory in nature) may be easier for a corporate investigator to acquire under existing laws (for example, keystroke monitoring of an employee). This information should be collected and preserved in a forensically sound manner for later law enforcement involvement.
- Analyzing evidence. Specifics regarding both one's business model and IT infrastructure may be useful to law enforcement. From the operations of proprietary IT systems to the analysis of the organization's supply chain, the computer investigator may have invaluable domain expertise.
- Providing loss figures. Many federal crime statutes require a loss to be shown in order to prosecute to the fullest. By calculating the dollar loss of an incident appropriately, the computer investigator can improve the chance of a successful prosecution.
Today, Windows is by far the most prevalent operating system present in the corporate world.
There are very few large organizations that do not have some Windows machines, and in most organizations, Windows machines make up the bulk of the environment. Since early , Microsoft has taken over the corporate server marketplace in terms of the number of individual servers shipped annually. There are numerous challenges for the computer investigator, given the pervasiveness of Windows.
The existence of exploitable security flaws in Windows-based systems is a particular challenge. Because of the enormous installed base of systems, a single flaw can affect a significant amount of infrastructure in a typical company. It becomes impossible, or at the very least impractical, to trace the origins of a worm such as Slammer, and when an active infection occurs, the crisis can make a more directed attack difficult to detect.
Similarly, the perceived insecurity of Windows systems is changing the courtroom landscape. Recent claims that insecure operating systems or malicious software are responsible for user actions have already been put forth successfully as arguments in British court systems, and it is only a matter of time until American courts are faced with similar arguments. At the same time, the increasing complexity of Windows has actually added some benefits for the forensic world.
Increased amounts of slack space, the use of paging files, and the inclusion of user-friendly features such as autofill forms (IntelliForms) have increased the number of places a computer investigator can hope to find information. Windows will continue to evolve, and the computer investigator will need to maintain familiarity with new versions to continue to perform effective analyses.
The remainder of this book will focus on the most prevalent versions of Windows currently available — 98, , XP, and Server — with notes of significance for older versions.
Mice were not part of a standard PC offered at the time, and the original versions did not support hard disks.
As a result, forensics was a bit easier, although the tools were not as robust; the entire contents of an evidence floppy, all K of it, could be printed out and reviewed manually.
A few third-party Graphical User Interfaces (GUIs) were made available for MS-DOS, but they met with limited success, largely because color monitors with capable graphics cards were not broadly available, and mice were just beginning to appear on standard PCs. Windows 1. By the end of , MS-DOS was still the predominant client operating system, and both Unix and Netware servers had a dominant place in the newly emerging corporate microcomputer server market.
In an effort to improve previous versions and broaden its appeal, Microsoft released two products in the — timeframe. They were tremendously successful. In the home market, Windows 3. Sales were likewise increased by the release of Microsoft Office and Microsoft Works products for home users, and the new, easy-to-use Microsoft Visual Basic programming environment expanded the number of developers exponentially almost overnight.
As a result, Microsoft released its development tools to a pre-trained audience. The easy-to-use integrated development environment (IDE) likewise made Visual Basic more accessible to non-programmers and new programmers, making a plethora of new programs available and reinforcing the platform's popularity.
In the business world, the counterpart to Windows 3. Enabling remote access, networking, and collaboration, WFW 3. At the same time, the introduction of a new Microsoft mouse and the bundling of the product by most of the major OEM vendors selling to corporations ensured its continued success. Windows 3. Both products are now well beyond their support expiration, but a few machines running legacy software still exist with each of these installed.
From a forensic examination standpoint, Windows 3. The file system was FAT, and any of the analyses mentioned later that relate to FAT drives are applicable. The introduction of virtual memory is also of note. PAR, which was an early virtual memory file.
This file should be analyzed the same way as the swap files listed for later versions of Windows. Following the success of Windows 3. The corporate environment had a new operating system built from the ground up, given the moniker Windows NT (for New Technology), that would compete for both the server and workstation markets. The home environment had its own new release, Windows 95, which remained backward compatible with the older versions of Windows and DOS but had a substantially new look and feel built on an updated architecture.
Both made strong headway into the corporate environment, thanks to their ease of use frequently replacing Netware and other systems on the server and replacing WFW 3. For the examiner, negligible differences exist in the architectures of the server and workstation products, although analysis might differ greatly based on the type of investigation.
Support for Windows NT 4. Following the success of Windows NT, the corporate line of products was renamed Windows and released as the upgrade path for Windows NT 4. Windows provided even more stability and better performance on both the desktop and server environments, offering support for larger server deployments as well as robust management of users through Active Directory, Microsoft's LDAP-based directory service.
Now files and folders could be encrypted with a few mouse clicks using the Encrypting File System (EFS), and key escrow (the EFS recovery agent) became an important consideration in corporate forensics. At the time of this writing, Windows is the predominant Windows server in operation but has been surpassed by Windows XP in popularity on the desktop.
Starting with Windows 95, Microsoft revamped the Windows 3. Because backward compatibility remained a major consideration, remnants of the legacy DOS architecture existed in the home environment for a longer period than in the corporate space.
Windows 95, 98, and ME
Windows 95 was replaced in popularity by Windows 98, a cosmetic and functionality-based update. Interim editions (OSR2 for Windows 95 and SE for Windows 98) offered mid-stream updates to networking functionality, security, and feature sets.
Windows ME (Millennium Edition) introduced several enhancements to user-friendliness but never supplanted previous versions in market share. Windows 9x never integrated full support for the NTFS file system. As a result, permissions, compression, encryption, and other options were primarily limited to third-party products. Long file names (VFAT) and other additions to the original FAT specification arrived with Windows 95, with FAT32 following in OSR2; file recovery (the Recycle Bin), networking, and registry features were included as well.
Although Windows 98 does exist in some corporate environments, it is still a predominantly personal-use operating system. The popularity of Windows 9x has been diminishing with the increased push for security and stability in the home environment. There is still a reasonable likelihood of encountering Windows 9x machines in a forensic investigation, although their usage will continue to decline rapidly as support wanes and users transition to newer operating systems.
Windows XP and
In an effort to improve the security and stability of its home market while offering a competitive update for corporate users, Microsoft released Windows XP as its new client operating system. Windows XP SP2, the second service pack for the product, introduced further security enhancements to the XP environment.
The addition of an improved client firewall and an integrated security management center increased the security of home machines and presented new challenges for the computer investigator (for example, for the use of servlets and other remote analysis tools, which the host firewall may block).
Note: Although Microsoft dominates the personal computer market, embedded operating systems present on Programmable Logic Controllers (PLCs) and cell phones have more overall installations. Windows XP is the predominant operating system in use globally (see Figure for prevalence information). It has the largest market share of any personal computer operating system. With the next Windows version not expected until late (Windows Vista, formerly named Longhorn), XP will remain the most important system for the forensic examiner in the near future.
Likewise, given its stability and functionality, XP is the best candidate for a Windows analysis system as well. Unless otherwise noted, the commands and tools listed in this book will all run under the XP operating system.
Any respectable examiner will have both environments available for analysis. Replacing Windows on the server side is Windows . Windows is achieving growth in market share, but many corporations continue to use Windows as their core server platform. Usage of is expected to increase slowly, and familiarity with the environment is of current and future value to the computer investigator.
The basic defense comes in one of two forms. It is easier to prove such claims than to disprove them, and a claim can be supported by illustrating the following:
- Malicious code that exhibits the behavior in question is known to exist.
- The machine in question was not adequately protected against said code through anti-virus, spyware detection, a host firewall, or other tools.
- The malicious code in question, or remnants of it, were found on the machine.
It is technically impossible to prove that malicious code was not responsible for a given action: the code may have been installed, run, and then removed all reasonably obtainable traces of itself.
Fortunately, the computer investigator does not need to prove beyond any doubt, only beyond a reasonable doubt. To address the doubt such a claim raises, the computer investigator should attempt to answer the following questions:
- Is there existing malicious code that mimics the behavior claimed by the suspect?
- Do any of the locations visited by the suspect recently have the code present?
- Was the subject's machine susceptible to the malicious code? Is it the right operating system and version to be infected? Was the machine patched at the time to the appropriate level? Was antivirus or anti-spyware software installed and up to date?
- Is the machine currently infected? If not, what did the suspect do to remove the code?
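Several of these questions (operating system and version, patch level, antivirus presence and signature age, current detections) can be answered from the subject machine itself, and the answers should be captured in a form that can be authenticated later. The PowerShell script below is an added example, not from the book, of a triage collection that gathers those facts. It assumes PowerShell 5.1 or later on a Windows client edition with Windows Defender; the XP-era systems discussed in the text predate these cmdlets, and the output path is illustrative.

```powershell
# Added example (not from the book): collect the facts behind the malicious-code
# checklist from a live Windows host. Assumes PowerShell 5.1+ on a client SKU;
# run elevated and keep the hashed output with the case notes.

function Get-TrojanDefenseTriage {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $report = [ordered]@{
        Host        = $env:COMPUTERNAME
        CollectedAt = (Get-Date).ToString('o')
        OSCaption   = $os.Caption          # right operating system to be infected?
        OSVersion   = $os.Version
        LastBoot    = $os.LastBootUpTime
    }

    # Patch level: every installed hotfix, newest first. InstalledOn may be
    # null on some builds; those sort as oldest.
    $hotfixes = @(Get-HotFix | Sort-Object InstalledOn -Descending)
    $report.HotfixCount  = $hotfixes.Count
    $report.NewestHotfix = if ($hotfixes.Count) {
        '{0} installed {1}' -f $hotfixes[0].HotFixID, $hotfixes[0].InstalledOn
    } else { 'none' }

    # Antivirus products registered with Security Center. The namespace exists
    # only on client editions, hence SilentlyContinue on servers.
    $av = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    $report.AntiVirus = if ($av.Count) {
        # productState is an undocumented bit field; record the raw value.
        ($av | ForEach-Object { '{0} (productState=0x{1:X6})' -f $_.displayName, $_.productState }) -join '; '
    } else { 'none registered or namespace unavailable' }

    # Defender state, when the Defender module is present: real-time
    # protection, signature age, last quick scan, and detection history.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        $report.DefenderRealTime   = $mp.RealTimeProtectionEnabled
        $report.DefenderSigAgeDays = $mp.AntivirusSignatureAge
        $report.DefenderLastQuick  = $mp.QuickScanEndTime
        $report.DefenderDetections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue).Count
    }
    [pscustomobject]$report
}

# Collect, display, and write a JSON copy whose hash goes into the case record,
# so the triage output itself can be authenticated later.
$triage = Get-TrojanDefenseTriage
$triage | Format-List
$out = Join-Path $env:TEMP ('triage-{0}-{1:yyyyMMdd-HHmmss}.json' -f $env:COMPUTERNAME, (Get-Date))
$triage | ConvertTo-Json -Depth 3 | Set-Content -Path $out -Encoding UTF8
Get-FileHash -Algorithm SHA256 -Path $out
```

The hotfix list answers the patch-level question only for updates that register as hotfixes; feature updates and third-party software need separate checks. A missing Security Center entry or a stale signature age supports the suspect's claim that the machine was unprotected, while a clean detection history on a current product weakens it, which is why both are recorded rather than interpreted by the script.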