Difference between pages "BitLocker: how to image" and "Windows"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(See Also)
 
(Crash dumps)
 
Line 1: Line 1:
 +
{{Expand}}
  
= Imaging Options =
+
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
  
There are multiple ways to image a computer with BitLocker security in place, namely:
+
There are 2 main branches of Windows:
* Offline imaging
+
* the DOS-branch: i.e. Windows 95, 98, ME
* Live imaging
+
* the NT-branch: i.e. Windows NT 4, XP, Vista
  
== Offline imaging ==
+
== Features ==
 +
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
  
One can make an offline image with the image containing encrypted information.
+
=== Introduced in Windows NT ===
 +
* [[NTFS]]
  
Multiple options to offline decrypt the information, provided the password or recovery password is available, are available. Some of which are:
+
=== Introduced in Windows 2000 ===
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
+
* [[EnCase]] (as of version 6) with the (optional) encryption module
+
* [[libbde]]
+
  
The recovery password is a long series of digits broken up into 8 segments.
+
=== Introduced in Windows XP ===
 +
* [[Prefetch]]
 +
* System Restore (Restore Points); also present in Windows ME
 +
 
 +
==== SP2 ====
 +
* Windows Firewall
 +
 
 +
=== Introduced in Windows Server 2003 ===
 +
* Volume Shadow Copies
 +
 
 +
=== Introduced in [[Windows Vista]] ===
 +
* [[BitLocker Disk Encryption | BitLocker]]
 +
* [[Windows Desktop Search | Search]] integrated in operating system
 +
* [[ReadyBoost]]
 +
* [[SuperFetch]]
 +
* [[NTFS|Transactional NTFS (TxF)]]
 +
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
 +
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
 +
* $Recycle.Bin
 +
* [[Windows XML Event Log (EVTX)]]
 +
* [[User Account Control (UAC)]]
 +
 
 +
=== Introduced in Windows Server 2008 ===
 +
 
 +
=== Introduced in [[Windows 7]] ===
 +
* [[BitLocker Disk Encryption | BitLocker To Go]]
 +
* [[Jump Lists]]
 +
* [[Sticky Notes]]
 +
 
 +
=== Introduced in [[Windows 8]] ===
 +
* [[Windows Shadow Volumes | File History]]
 +
* [[Windows Storage Spaces | Storage Spaces]]
 +
* [[Search Charm History]]
 +
* [[Resilient File System (ReFS)]]; Was initially available in the Windows 8 server edition.
 +
 
 +
=== Introduced in Windows Server 2012 ===
 +
* [[Resilient File System (ReFS)]]
 +
 
 +
== Forensics ==
 +
 
 +
=== Partition layout ===
 +
Default partition layout, first partition starts:
 +
* at sector 63 in Windows 2000, XP, 2003
 +
* at sector 2048 in Windows Vista, 2008, 7
 +
 
 +
=== Filesystems ===
 +
* [[FAT]], [[FAT|exFAT]]
 +
* [[NTFS]]
 +
* [[Resilient File System (ReFS) | ReFS]]
 +
 
 +
=== Recycle Bin ===
 +
 
 +
==== RECYCLER ====
 +
Used by Windows 2000, XP.
 +
Uses INFO2 file.
 +
 
 +
See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]
 +
 
 +
==== $RECYCLE.BIN ====
 +
Used by Windows Vista.
 +
Uses $I and $R files.
 +
 
 +
See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
 +
 
 +
=== Registry ===
 +
 
 +
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
 +
 
 +
=== Thumbs.db Files ===
 +
 
 +
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
 +
 
 +
See also: [[Vista thumbcache]].
 +
 
 +
=== Browser Cache ===
 +
 
 +
=== Browser History ===
 +
 
 +
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
 +
 
 +
=== Search ===
 +
See [[Windows Desktop Search]]
 +
 
 +
=== Setup log files (setupapi.log) ===
 +
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
 +
 
 +
=== Sleep/Hibernation ===
 +
 
 +
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
 +
 
 +
=== Users ===
 +
Windows stores a users Security identifiers (SIDs) under the following registry key:
 
<pre>
 
<pre>
123456-123456-123456-123456-123456-123456-13456-123456
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
 
</pre>
 
</pre>
  
Note that there is no white space in the recovery password including not at the end, e.g. EnCase does not accept the recovery password if there is trailing white space.
+
The %SID%\ProfileImagePath value should also contain the username.
  
The recovery password can be recovered from a BitLocker enabled computer provided it can be logged into e.g. by running:
+
=== Windows Error Reporting (WER) ===
 +
 
 +
As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:
 
<pre>
 
<pre>
manage-bde.exe -protectors -get C: -Type recoverypassword
+
C:\ProgramData\Microsoft\Windows\WER\
 
</pre>
 
</pre>
  
The basic steps are:
+
As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
 +
<pre>
 +
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
 +
</pre>
  
# Make an offline full disk image.
+
Corresponding registry key:
# Recover the password, this can be done by booting the original computer, or by creating a clone and booting the clone.  (booting from a clone has not been tested at this time.)
+
<pre>
## Once booted log into the computer
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
## Use the BitLocker control panel applet to display the password.  This can also be done from the command-line.
+
</pre>
## record the password
+
#:
+
# For EnCase v6 or higher with the encryption module installed
+
## Load the image into EnCase
+
## You will be prompted for the password.  Simply enter it and continue.
+
## If you prefer to have an un-encrypted image to work with other tools or share with co-workers, you can "re-acquire" the image from within EnCase.  The new image will have unencrypted data.
+
## After adding the encrypted image into your case, simply right click on the drive in the left panel and select acquire.  Select "do not add to case".  You will be presented a dialog window to enter new information about the image.  Make sure the destination you select for your new image does not exist.
+
  
== Live imaging ==
+
== Advanced Format (4KB Sector) Hard Drives ==
 +
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
  
=== FTK Lite ===
+
== %SystemRoot% ==
==== Imaging of a physical drive ====
+
The actual value of %SystemRoot% is store in the following registry value:
 +
<pre>
 +
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
 +
Value: SystemRoot
 +
</pre>
  
Using FTK Imager lite, it was determined a live image of the physical system disk resulted in an image with an encrypted bitlocker container on it.
+
== See Also ==
 +
* [[Windows Event Log (EVT)]]
 +
* [[Windows XML Event Log (EVTX)]]
 +
* [[Windows Vista]]
 +
* [[Windows 7]]
 +
* [[Windows 8]]
  
Note that the phrase "physical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.
+
== External Links ==
  
==== Imaging of a logical partition ====
+
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
 +
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
 +
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
 +
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
 +
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
  
I was able to add a partition and create an image in which the data was unencrypted.
+
=== Malware/Rootkits ===
 +
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013
  
Note that the phrase "logical" here corresponds directly with FTK Imagers use of the term in their image acquire menu.
+
=== Tracking removable media ===
 +
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
  
==== Files and Folders collections ====
+
=== Under the hood ===
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
 +
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
 +
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
  
This was not attempted, but it seems reasonable to assume this will collect unencrypted files.
+
==== MSI ====
 +
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
 +
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
  
 +
==== Side-by-side (WinSxS) ====
 +
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
 +
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
 +
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
 +
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
  
=== X-Ways ===
+
==== Application Compatibility Database ====
==== Imaging of a physical drive ====
+
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
 +
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
 +
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
 +
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
  
X-Ways support states this is not supported.
+
==== System Restore (Restore Points) ====
 +
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
 +
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
 +
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]],  June 16, 2007
 +
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
 +
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
  
==== Imaging of a logical partition ====
+
==== Crash dumps ====
 +
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
 +
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
  
X-Ways support states that this should work.
+
==== RPC ====
 +
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
 +
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008
  
In at least one instance, I was able to add C: drive (not the physical disk, just the partition) and create an image that could in turn be processed by X-Ways. Both existing and deleted files were available within X-Ways after processing.
+
==== WMI ====
 +
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010
  
There has been atleast one report on the X-Ways forum that this feature does not work, so it may not work for all configurations of bitlocker.
+
==== Windows Error Reporting (WER) ====
 +
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
  
== See Also ==
+
==== Windows Firewall ====
* [[BitLocker Disk Encryption]]
+
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [[Defeating Whole Disk Encryption]]
+
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
 +
 
 +
==== Windows 32-bit on Windows 64-bit (WoW64) ====
 +
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
 +
 
 +
=== Windows XP ===
 +
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
  
[[Category:Disk encryption]]
+
[[Category:Operating systems]]
[[Category:Howto]]
+
[[Category:Windows]]
+

Revision as of 12:11, 17 September 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Windows is a widely-spread operating system from Microsoft.

There are 2 main branches of Windows:

  • the DOS-branch: i.e. Windows 95, 98, ME
  • the NT-branch: i.e. Windows NT 4, XP, Vista

Features

  • Basic and Dynamic Disks, see: [1]

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

  • Prefetch
  • System Restore (Restore Points); also present in Windows ME

SP2

  • Windows Firewall

Introduced in Windows Server 2003

  • Volume Shadow Copies

Introduced in Windows Vista

Introduced in Windows Server 2008

Introduced in Windows 7

Introduced in Windows 8

Introduced in Windows Server 2012

Forensics

Partition layout

Default partition layout, first partition starts:

  • at sector 63 in Windows 2000, XP, 2003
  • at sector 2048 in Windows Vista, 2008, 7

Filesystems

Recycle Bin

RECYCLER

Used by Windows 2000, XP. Uses INFO2 file.

See: [2]

$RECYCLE.BIN

Used by Windows Vista. Uses $I and $R files.

See: [3]

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Vista thumbcache.

Browser Cache

Browser History

The Web Browser History files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

Search

See Windows Desktop Search

Setup log files (setupapi.log)

Windows Vista introduced several setup log files [4].

Sleep/Hibernation

After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.

Users

Windows stores a users Security identifiers (SIDs) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The %SID%\ProfileImagePath value should also contain the username.

Windows Error Reporting (WER)

As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is store in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

External Links

Malware/Rootkits

Tracking removable media

Under the hood

MSI

Side-by-side (WinSxS)

Application Compatibility Database

System Restore (Restore Points)

Crash dumps

RPC

WMI

Windows Error Reporting (WER)

Windows Firewall

Windows 32-bit on Windows 64-bit (WoW64)

Windows XP