Difference between pages "BitLocker Disk Encryption" and "Prefetch"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Tools)
 
 
Line 1: Line 1:
'''BitLocker Disk Encryption''' (BDE) is [[Full Volume Encryption]] solution by [[Microsoft]] first included with the Enterprise and Ultimate editions of [[Windows|Windows Vista]]. It is also present in [[Windows|Windows 7]] along with a system for encrypting removable storage media devices, like [[USB]], which is called BitLocker To Go. Unlike previous versions of BitLocker, BitLocker To Go allows the user to protect volumes with a password or smart card.
+
{{Expand}}
 +
Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in [[Windows|Windows Vista]], where it has been augmented with [[SuperFetch]], [[ReadyBoot]], and [[ReadyBoost]]. For SSD drives Prefetch is disabled by default [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx].
  
== BitLocker ==
+
The Prefetch files are stored in the directory:
BitLocker encrypts data with either 128-bit or 256-bit [[AES]] and optionally using a diffuser algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector key. Some of the key-protectors are:
+
<pre>
* TPM (Trusted Platform Module)
+
%SystemRoot%\Prefetch
* Smart card
+
</pre>
* recovery password
+
* start-up key
+
* clear key; this key-protector provides no protection
+
* user password
+
  
BitLocker has support for partial encrypted volumes.
+
The following files can be found in the Prefetch directory:
 +
* <tt>*.pf</tt>, Prefetch files;
 +
* <tt>Ag*.db</tt>, [[SuperFetch]] files;
 +
* <tt>Layout.ini</tt>;
 +
* <tt>PfPre_*.db</tt>;
 +
* <tt>PfSvPerfStats.bin</tt>
  
=== BitLocker To Go ===
+
A Prefetch file contains the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a <tt>.pf</tt> extension. The filenames should be all uppercase except for the extension. The format of hashes is not known. A sample filename for [[md5deep]] would look like: <tt>MD5DEEP.EXE-4F89AB0C.pf</tt>. If an application is run from two different locations on the drive (i.e. the user runs <tt>C:\md5deep.exe</tt> and then <tt>C:\Apps\Hashing\md5deep.exe</tt>), there will be two different prefetch files in the Prefetch folder. According to MSDN up to 128 Prefetch files can be stored in the Prefetch directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx].
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encrypted. The "discovery drive" volume contains BitLocker To Go Reader to read from encrypted volumes on versions of Microsoft [[Windows]] without BitLocker support.
+
  
== How to detect ==
+
== File format ==
Volumes encrypted with BitLocker will have a different signature than the standard [[NTFS]] header.  
+
Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:
 +
* 17 (0x00000011) for [[Windows XP]] and [[Windows 2003]]
 +
* 23 (0x00000017) for [[Windows Vista]], [[Windows 2008]], [[Windows 7]] and [[Windows 2012]] (note Windows 2012 has not been confirmed)
 +
* 26 (0x0000001a) for [[Windows 8|Windows 8.1]] (note this could be Windows 8 as well but has not been confirmed)
  
A BitLocker encrypted volume starts with the "-FVE-FS-" signature.
+
For more information about the file format see: [[Windows Prefetch File Format]]
  
A hexdump of the start of the volume should look similar to:
+
== Metadata ==
<pre>
+
The Prefetch file contains various metadata.
00000000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
+
* The executable's name, up to 29 characters.
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 00 00 00  |........?.......|
+
* The run count, or number of times the application has been run.
00000020  00 00 00 00 e0 1f 00 00  00 00 00 00 00 00 00 00  |................|
+
* Volume related information, like volume path and volume serial number.
00000030  01 00 06 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+
* The size of the Prefetch file (sometimes referred to as end of file (EOF)).
00000040  80 00 29 00 00 00 00 4e  4f 20 4e 41 4d 45 20 20  |..)....NO NAME  |
+
* The files and directories that were used doing the application's start-up.
00000050  20 20 46 41 54 33 32 20  20 20 33 c9 8e d1 bc f4  |  FAT32  3.....|
+
</pre>
+
  
These volumes can also be identified by a GUID:
+
=== Timestamps ===
* for BitLocker: 4967d63b-2e29-4ad8-8399-f6a339e3d00
+
The Prefetch file contains 2 types of timestamps
* for BitLocker ToGo: 4967d63b-2e29-4ad8-8399-f6a339e3d01
+
* The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
 +
* The volume creation time (part of the volume information) of the volume the Prefetch file was created on.
 +
 
 +
The file system creation time of the Prefetch file indicates the first time the application was executed. Both the file system modification time of the Prefetch file and the embedded last run time indicate the last time the application was executed.
 +
 
 +
== Prefetch hash ==
 +
There are multiple known hashing functions to be used for prefetch file filename hashing, namely:
 +
* SCCA XP hash function; used on Windows XP and Windows 2003
 +
* SCCA Vista hash function; used on Windows Vista
 +
* SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)
 +
 
 +
=== SCCA XP hash function ===
 +
A Python implementation of the SCCA XP hash function:
  
Which in a hexdump of the start of the volume should look similar to:
 
 
<pre>
 
<pre>
000000a0  3b d6 67 49 29 2e d8 4a  83 99 f6 a3 39 e3 d0 01  |;.gI)..J....9...|
+
def ssca_xp_hash_function(filename):
 +
    hash_value = 0
 +
    for character in filename:
 +
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
 +
        hash_value = (hash_value * 314159269) % 0x100000000
 +
        if hash_value > 0x80000000:
 +
            hash_value = 0x100000000 - hash_value
 +
 
 +
    return (abs(hash_value) % 1000000007) % 0x100000000
 
</pre>
 
</pre>
  
== manage-bde ==
+
=== SCCA Vista hash function ===
To view the BitLocker Drive Encryption (BDE) status on a running Windows system:
+
A Python implementation of the SCCA Vista hash function:
 +
 
 
<pre>
 
<pre>
manage-bde.exe -status
+
def ssca_vista_hash_function(filename):
 +
    hash_value = 314159
 +
    for character in filename:
 +
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
 +
    return hash_value
 
</pre>
 
</pre>
  
To obtain the recovery password for volume C:
+
=== SCCA 2008 hash function ===
 +
A Python implementation of the SCCA 2008 hash function:
 +
 
 
<pre>
 
<pre>
manage-bde.exe -protectors -get C: -Type recoverypassword
+
def ssca_2008_hash_function(filename):
 +
    hash_value = 314159
 +
    filename_index = 0
 +
    filename_length = len(filename)
 +
    while filename_index + 8 < filename_length:
 +
        character_value = ord(filename[filename_index + 1]) * 37
 +
        character_value += ord(filename[filename_index + 2])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 3])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 4])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 5])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 6])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index]) * 442596621
 +
        character_value += ord(filename[filename_index + 7])
 +
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
 +
        filename_index += 8
 +
 
 +
    while filename_index < filename_length:  
 +
      hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
 +
      filename_index += 1
 +
 
 +
    return hash_value
 
</pre>
 
</pre>
  
Or just obtain the all “protectors” for volume C:
+
== Registry Keys ==
 
<pre>
 
<pre>
manage-bde.exe -protectors -get C:
+
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
 
</pre>
 
</pre>
 +
 +
The EnablePrefetcher Registry value can be used to disable prefetch.
  
 
== See Also ==
 
== See Also ==
* [[BitLocker:_how_to_image|BitLocker: How to image]]
+
* [[Windows Prefetch File Format]]
* [[Defeating Whole Disk Encryption]]
+
* [[SuperFetch]]
 +
* [[Prefetch XML]]
 +
* [[Windows]]
  
 
== External Links ==
 
== External Links ==
 
+
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
* [http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption Wikipedia entry on BitLocker]
+
* [http://en.wikipedia.org/wiki/Prefetcher Wikipedia Prefetcher]
* [http://www.nvlabs.in/nvbit_bitlocker_white_paper.pdf Accessing Bitlocker volumes from linux], by Nitin Kumar and Vipin Kumar, 2008
+
* [http://msdn.microsoft.com/en-us/library/ms940847(v=winembedded.5).aspx MSDN: Disabling Prefetch]
* [http://jessekornblum.com/publications/di09.html Implementing BitLocker for Forensic Analysis], ''Digital Investigation'', by Jesse D. Kornblum, 2009
+
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx Kernel Enhancements for Windows XP], by [[Microsoft]], January 13, 2003 (Microsoft's description of Prefetch when Windows XP was introduced)
* [https://googledrive.com/host/0B3fBvzttpiiSX2VCRk16TnpDd0U/BitLocker%20Drive%20Encryption%20(BDE)%20format.pdf BitLocker Drive Encryption (BDE) format specification], by the [[libbde|libbde project]], March 2011
+
* [http://blogs.msdn.com/b/ryanmy/archive/2005/05/25/421882.aspx Misinformation and the The Prefetch Flag], MSDN Blogs, May 25, 2005
* [http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true Microsoft's Step by Step Guide]
+
* [http://windowsir.blogspot.ch/2005/07/prefetch-file-metadata.html Prefetch file metadata], by [[Harlan Carvey]], July 13, 2005
* [http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx Microsoft Technical Overview]
+
* [http://windowsir.blogspot.ch/2006/04/prefetch-files-revisited.html Prefetch files, revisited], by [[Harlan Carvey]], April 13, 2006
* [http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx An Introduction to Security in Windows 7]
+
* [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx Support and Q&A for Solid-State Drives], by Steven Sinofsky, May 5, 2009
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerFAQ.mspx Microsoft FAQ]
+
* [http://computer-forensics.sans.org/blog/2009/08/05/de-mystifying-defrag-identifying-when-defrag-has-been-used-for-anti-forensics-part-1-windows-xp/ De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)], by [[Chad Tilbury]], August 5, 2009
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555&DisplayLang=en Microsoft Description of the Encryption Algorithm]
+
* [http://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html Windows Prefetch File (old blog entry from 42 LLC)], by [[Yogesh Khatri]], April 14, 2010
* [http://secude.com/htm/801/en/White_Paper%3A_Cold_Boot_Attacks.htm Cold Boot Attacks, Full Disk Encryption, and BitLocker]
+
* [http://www.dfinews.com/articles/2010/12/decoding-prefetch-files-forensic-purposes-part-1 Decoding Prefetch Files for Forensic Purposes: Part 1], by [[Mark Wade]], December 8, 2010
* [http://technet.microsoft.com/en-us/library/hh831412.aspx What's New in BitLocker] in Windows 8
+
* [http://crucialsecurityblog.harris.com/2011/04/11/prefetch-files-at-face-value/ Prefetch Files at Face Value], by [[Mark Wade]], April 11, 2011
 +
* [http://kitrap08.blogspot.hk/2011/07/windows-logical-prefetcher.html Windows Logical Prefetcher], TTS blog, July 30, 2011 (article is in Russian)
 +
* [http://labit.in/pliki-prefetch-w-windows/ Prefetch i niedokładny licznik] by Paweł Hałdrzyński, August 20, 2011 (article in Polish; uncertain about the year of publication)
 +
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisited.html Prefetch Analysis, Revisited], by [[Harlan Carvey]], March 8, 2012
 +
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisitedagain.html Prefetch Analysis, Revisited...Again...], by [[Harlan Carvey]], March 15, 2012
 +
* [http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/ Prefetch Hash Calculator + a hash lookup table xp/vista/w7/w2k3/w2k8], Hexacorn blog, June 13, 2012
 +
* [http://www.hexacorn.com/blog/2012/10/29/prefetch-file-names-and-unc-paths/ Prefetch file names and UNC paths], Hexacorn blog, October 29, 2012
 +
* [http://journeyintoir.blogspot.ch/2012/12/ntosboot-prefetch-file.html NTOSBOOT Prefetch File], by [[Corey Harrell]], December 5, 2012
 +
* [http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html What's New in the Prefetch for Windows 8??], by Jared Atkinson, September 21, 2013
 +
* [http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1 Windows Prefetch (.PF) files], by [[Yogesh Khatri]], October 21, 2013
 +
* [http://resources.infosecinstitute.com/windows-systems-artifacts-digital-forensics-part-iii-prefetch-files/ Windows Systems and Artifacts in Digital Forensics: Part III: Prefetch Files], by Ivan Dimov, November 21, 2013
 +
* [http://i.imgur.com/riuljsK.jpg Prefetch 101 -  a Windows 8 Prefetch file walkthrough], by Jared Atkinson, 2014
  
 
== Tools ==
 
== Tools ==
* [http://technet.microsoft.com/en-us/library/dd875513(v=ws.10).aspx manage-bde.exe], by [[Microsoft]]
 
* [http://www.hsc.fr/ressources/outils/dislocker/ dislocker]
 
* [[libbde]]
 
  
[[Category:Disk encryption]]
+
=== Commercial ===
 +
 
 +
=== Free - Non Open Source ===
 +
* [http://www.woanware.co.uk/forensics/prefetchforensics.html PrefetchForensics], PrefetchForensics is an application to extract information from Windows Prefetch files
 +
* [http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55 Prefetch-Parser], Parse the prefetch files and display information
 +
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
 +
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch Parser (pf)], Free tool that can be run on Windows, Linux or Mac OS-X
 +
 
 +
=== Open Source ===
 +
* [https://code.google.com/p/prefetch-tool/ prefetch-tool], Script to extract information from windows prefetch folder
 +
* [http://bitbucket.cassidiancybersecurity.com/prefetch-parser prefetch-parser], Standalone Python tools that parses Windows prefetch files and extracts all known and forensically relevant artefacts contained.
 +
 
 
[[Category:Windows]]
 
[[Category:Windows]]

Revision as of 00:02, 15 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in Windows Vista, where it has been augmented with SuperFetch, ReadyBoot, and ReadyBoost. For SSD drives Prefetch is disabled by default [1].

The Prefetch files are stored in the directory:

%SystemRoot%\Prefetch

The following files can be found in the Prefetch directory:

  • *.pf, Prefetch files;
  • Ag*.db, SuperFetch files;
  • Layout.ini;
  • PfPre_*.db;
  • PfSvPerfStats.bin

A Prefetch file contains the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a .pf extension. The filenames should be all uppercase except for the extension. The format of hashes is not known. A sample filename for md5deep would look like: MD5DEEP.EXE-4F89AB0C.pf. If an application is run from two different locations on the drive (i.e. the user runs C:\md5deep.exe and then C:\Apps\Hashing\md5deep.exe), there will be two different prefetch files in the Prefetch folder. According to MSDN up to 128 Prefetch files can be stored in the Prefetch directory [2].

Contents

File format

Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:

For more information about the file format see: Windows Prefetch File Format

Metadata

The Prefetch file contains various metadata.

  • The executable's name, up to 29 characters.
  • The run count, or number of times the application has been run.
  • Volume related information, like volume path and volume serial number.
  • The size of the Prefetch file (sometimes referred to as end of file (EOF)).
  • The files and directories that were used doing the application's start-up.

Timestamps

The Prefetch file contains 2 types of timestamps

  • The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
  • The volume creation time (part of the volume information) of the volume the Prefetch file was created on.

The file system creation time of the Prefetch file indicates the first time the application was executed. Both the file system modification time of the Prefetch file and the embedded last run time indicate the last time the application was executed.

Prefetch hash

There are multiple known hashing functions to be used for prefetch file filename hashing, namely:

  • SCCA XP hash function; used on Windows XP and Windows 2003
  • SCCA Vista hash function; used on Windows Vista
  • SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)

SCCA XP hash function

A Python implementation of the SCCA XP hash function:

def ssca_xp_hash_function(filename):
    hash_value = 0
    for character in filename:
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
        hash_value = (hash_value * 314159269) % 0x100000000
        if hash_value > 0x80000000:
            hash_value = 0x100000000 - hash_value

    return (abs(hash_value) % 1000000007) % 0x100000000

SCCA Vista hash function

A Python implementation of the SCCA Vista hash function:

def ssca_vista_hash_function(filename):
    hash_value = 314159
    for character in filename:
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
    return hash_value

SCCA 2008 hash function

A Python implementation of the SCCA 2008 hash function:

def ssca_2008_hash_function(filename):
    hash_value = 314159
    filename_index = 0
    filename_length = len(filename)
    while filename_index + 8 < filename_length:
        character_value = ord(filename[filename_index + 1]) * 37
        character_value += ord(filename[filename_index + 2])
        character_value *= 37
        character_value += ord(filename[filename_index + 3])
        character_value *= 37
        character_value += ord(filename[filename_index + 4])
        character_value *= 37
        character_value += ord(filename[filename_index + 5])
        character_value *= 37
        character_value += ord(filename[filename_index + 6])
        character_value *= 37
        character_value += ord(filename[filename_index]) * 442596621
        character_value += ord(filename[filename_index + 7])
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
        filename_index += 8

    while filename_index < filename_length: 
       hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
       filename_index += 1

    return hash_value 

Registry Keys

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

The EnablePrefetcher Registry value can be used to disable prefetch.

See Also

External Links

Tools

Commercial

Free - Non Open Source

Open Source

  • prefetch-tool, Script to extract information from windows prefetch folder
  • prefetch-parser, Standalone Python tools that parses Windows prefetch files and extracts all known and forensically relevant artefacts contained.