Difference between pages "Dd" and "Windows"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Cautions)
 
(Introduced in Windows 8)
 
Line 1: Line 1:
{{Infobox_Software |
+
{{Expand}}
  name = dd |
+
  maintainer = [[Paul Rubin]], [[David MacKenzie]], [[Stuart Kemp]] |
+
  os = {{Linux}}, {{Windows}}, {{Mac OS X}} |
+
  genre = {{Disk imaging}} |
+
  license = {{GPL}} |
+
  website = [ftp://ftp.gnu.org/gnu/coreutils/ ftp.gnu.org/gnu/coreutils/] |
+
}}
+
  
'''dd''', sometimes called '''GNU dd''', is the oldest [[Tools#Disk_Imaging_Tools|imaging tool]] still used. Although it is functional and requires only minimal resources to run, it lacks some of the useful features found in more modern imagers such as [[metadata]] gathering, error correction, piecewise hashing, and a user-friendly interface. dd is a command line program that uses several obscure command line arguments to control the imaging process. Because some of these flags are similar and, if confused, can destroy the source media the examiner is trying to duplicate, users should be careful when running this program. The program generates [[Raw image file|raw image files]] which can be read by many other programs.
+
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
  
dd is part of the [[GNU Coreutils]] package which in turn has been ported to many [[Operating system|operating systems]].  
+
There are 2 main branches of Windows:
 +
* the DOS-branch: i.e. Windows 95, 98, ME
 +
* the NT-branch: i.e. Windows NT 4, XP, Vista
  
There are a few forks of dd for forensic purposes including [[dcfldd]], [[sdd]], [[dd_rescue]], [[ddrescue]], [[dccidd]], and a [[Windows|Microsoft Windows]] version that supports reading [[physical memory]].
+
== Features ==
 +
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
  
== Example ==
+
=== Introduced in Windows NT ===
 +
* [[NTFS]]
  
Here are two common dd command lines:
+
=== Introduced in Windows 2000 ===
  
'''UNIX/Linux'''
+
=== Introduced in Windows XP ===
 +
* [[Prefetch]]
 +
* System Restore (Restore Points); also present in Windows ME
  
dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync
+
==== SP2 ====
 +
* Windows Firewall
  
'''Windows'''
+
=== Introduced in Windows Server 2003 ===
 +
* Volume Shadow Copies
  
dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5
+
=== Introduced in [[Windows Vista]] ===
--md5out=d:\images\PhysicalDrive0.img.md5
+
* [[BitLocker Disk Encryption | BitLocker]]
 +
* [[Windows Desktop Search | Search]] integrated in operating system
 +
* [[ReadyBoost]]
 +
* [[SuperFetch]]
 +
* [[NTFS|Transactional NTFS (TxF)]]
 +
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
 +
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
 +
* $Recycle.Bin
 +
* [[Windows XML Event Log (EVTX)]]
 +
* [[User Account Control (UAC)]]
  
== Tips ==
+
=== Introduced in Windows Server 2008 ===
With linux in addition to
+
dd if=/dev/hda of=mybigfile.img bs=65536 conv=noerror,sync
+
  
You can wipe a drive with:
+
=== Introduced in [[Windows 7]] ===
dd if=/dev/zero of=/dev/hda bs=4K conv=noerror,sync
+
* [[BitLocker Disk Encryption | BitLocker To Go]]
 +
* [[Jump Lists]]
 +
* [[Sticky Notes]]
  
For imaging a useful alternate invocation in Linux or UNIX is:
+
=== Introduced in [[Windows 8]] ===
dd if=/dev/hda bs=4K conv=sync,noerror | tee mybigfile.img | md5sum > mybigfile.md5
+
* [[Windows File History | File History]]
 +
* [[Windows Storage Spaces | Storage Spaces]]
 +
* [[Search Charm History]]
 +
* [[Resilient File System (ReFS)]]; Was initially available in the Windows 8 server edition.
  
The above alternate imaging command uses dd to read the harddrive being imaged and outputs the data to tee.  tee saves a copy of the data as your image file and also outputs a copy of the data to md5sum.  md5sum calculates the hash which gets saved in mybgifile.md5
+
=== Introduced in Windows Server 2012 ===
 +
* [[Resilient File System (ReFS)]]
  
For all of the above
+
== Forensics ==
if            => input file
+
/dev/hda      => the linux name of a physical disk.  Mac has their own names.
+
/dev/zero      => in linux, this is an infinite source of nulls
+
of            => output file
+
mybigfile.img  => The name of the image file you are creating
+
bs            => [[blocksize]]
+
65536          => 64K  (I normally use 4K in linux.  That is what the linux kernel uses as a page size.)
+
noerror        => don't die if you have a read error from the source drive
+
sync          => if there is an error, null fill the rest of the block.
+
  
In linux, the blocksize value can have a multiplicative suffix: 
+
=== Partition layout ===
c =1
+
Default partition layout, first partition starts:
w =2
+
* at sector 63 in Windows 2000, XP, 2003
b =512
+
* at sector 2048 in Windows Vista, 2008, 7
kB =1000,          K =1024
+
MB =1000*1000,     M =1024*1024
+
GB =1000*1000*1000, G =1024*1024*1024
+
and so on for T, P, E, Z, Y.
+
  
Things to know:
+
=== Filesystems ===
 +
* [[FAT]], [[FAT|exFAT]]
 +
* [[NTFS]]
 +
* [[Resilient File System (ReFS) | ReFS]]
  
Having a bigger blocksize is more efficient, but if you use a 1MB block as an example and have a read error in the first sector, then dd will null fill the entire MB.  Thus you should use as small a blocksize as feasible.
+
=== Recycle Bin ===
  
But with linux if you go below 4KB blocksize, you can hit really bad performance issues. It can be as much as 10x slower to use the default 512 byte block as it is to use a 4KB block.
+
==== RECYCLER ====
 +
Used by Windows 2000, XP.
 +
Uses INFO2 file.
  
Without noerror and sync, you basically don't have a forensic image. For forensic images they are mandatory.
+
See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]
  
dd by itself does not hash, that is why the alternate command is provided.
+
==== $RECYCLE.BIN ====
 +
Used by Windows Vista.
 +
Uses $I and $R files.
  
== Cautions ==
+
See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
=== Reversing Args can cause evidence erasure ===
+
Use extreme care when typing the command line for this program. Reversing the <tt>if</tt> and <tt>of</tt> flags will cause the computer to erase your evidence!
+
  
=== Use extreme caution if reading from a tape drive ===
+
=== Registry ===
At least with Linux/UNIX, tape drives have functional differences from disk that make them more complex to "image".  Specifically they have EOF and EOT markings on the tape media that do not have a corresponding functionality with disks. 
+
  
Most commercial backup software use EOF separators to allow a single tape to hold multiple backup sessions.
+
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
  
ie.
+
=== Thumbs.db Files ===
backup1-- EOF -- backup2 -- EOF -- backup3 -- EOT
+
  
A simple dd if=/dev/st0 of=image.dd will only preserve the first backup session.
+
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
  
For testing, from Linux you can create a multi-session backup tape via:
+
See also: [[Vista thumbcache]].
  
mt rewind -f /dev/st0
+
=== Browser Cache ===
tar -cf /dev/nst0 /home
+
tar -cf /dev/nst0 /srv
+
  
The nst device driver considers the closing of /dev/nst0 to signal the
+
=== Browser History ===
end of a tape file, so it appends a EOF mark after each invocation of
+
tar.
+
  
So the tape would have:
+
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
home_tar_archive -- EOF -- srv_tar_archive -- EOF -- EOT
+
  
If you start reading from the start of the tape with either dd or tar,
+
=== Search ===
they will stop when the first EOF is hit and thus will only extract the home archive and will miss the srv archive.
+
See [[Windows Desktop Search]]
  
== See also ==
+
=== Setup log files (setupapi.log) ===
 +
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
  
* [[aimage]]
+
=== Sleep/Hibernation ===
* [[Blackbag]]
+
 
* [[dc3dd]]
+
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
* [[dcfldd]]
+
 
* [[dd_rescue]]
+
=== Users ===
* [[ddrescue]]
+
Windows stores a users Security identifiers (SIDs) under the following registry key:
* [[sdd]]
+
<pre>
* [[sg_dd]]
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
* [[mdd]]
+
</pre>
 +
 
 +
The %SID%\ProfileImagePath value should also contain the username.
 +
 
 +
=== Windows Error Reporting (WER) ===
 +
 
 +
As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:
 +
<pre>
 +
C:\ProgramData\Microsoft\Windows\WER\
 +
</pre>
 +
 
 +
As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
 +
<pre>
 +
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
 +
</pre>
 +
 
 +
Corresponding registry key:
 +
<pre>
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
 +
</pre>
 +
 
 +
== Advanced Format (4KB Sector) Hard Drives ==
 +
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
 +
 
 +
== %SystemRoot% ==
 +
The actual value of %SystemRoot% is store in the following registry value:
 +
<pre>
 +
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
 +
Value: SystemRoot
 +
</pre>
 +
 
 +
== See Also ==
 +
* [[Windows Event Log (EVT)]]
 +
* [[Windows XML Event Log (EVTX)]]
 +
* [[Windows Vista]]
 +
* [[Windows 7]]
 +
* [[Windows 8]]
  
 
== External Links ==
 
== External Links ==
  
* [http://www.linuxjournal.com/article/1320 LinuxJournal article about dd]
+
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://users.erols.com/gmgarner/forensics/ Windows Version of dd and other forensics tools]
+
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
 +
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
 +
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
 +
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
 +
 
 +
=== Malware/Rootkits ===
 +
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013
 +
 
 +
=== Tracking removable media ===
 +
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
 +
 
 +
=== Under the hood ===
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
 +
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
 +
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
 +
 
 +
==== MSI ====
 +
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
 +
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
 +
 
 +
==== Side-by-side (WinSxS) ====
 +
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
 +
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
 +
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
 +
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
 +
 
 +
==== Application Compatibility Database ====
 +
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
 +
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
 +
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
 +
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
 +
 
 +
==== System Restore (Restore Points) ====
 +
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
 +
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
 +
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]],  June 16, 2007
 +
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
 +
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
 +
 
 +
==== Crash dumps ====
 +
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
 +
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
 +
 
 +
==== RPC ====
 +
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
 +
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008
 +
 
 +
==== WMI ====
 +
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010
 +
 
 +
==== Windows Error Reporting (WER) ====
 +
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
 +
 
 +
==== Windows Firewall ====
 +
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
 +
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
 +
 
 +
==== Windows 32-bit on Windows 64-bit (WoW64) ====
 +
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
 +
 
 +
=== Windows XP ===
 +
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
 +
 
 +
[[Category:Operating systems]]

Revision as of 14:14, 25 November 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Windows is a widely-spread operating system from Microsoft.

There are 2 main branches of Windows:

  • the DOS-branch: i.e. Windows 95, 98, ME
  • the NT-branch: i.e. Windows NT 4, XP, Vista

Features

  • Basic and Dynamic Disks, see: [1]

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

  • Prefetch
  • System Restore (Restore Points); also present in Windows ME

SP2

  • Windows Firewall

Introduced in Windows Server 2003

  • Volume Shadow Copies

Introduced in Windows Vista

Introduced in Windows Server 2008

Introduced in Windows 7

Introduced in Windows 8

Introduced in Windows Server 2012

Forensics

Partition layout

Default partition layout, first partition starts:

  • at sector 63 in Windows 2000, XP, 2003
  • at sector 2048 in Windows Vista, 2008, 7

Filesystems

Recycle Bin

RECYCLER

Used by Windows 2000, XP. Uses INFO2 file.

See: [2]

$RECYCLE.BIN

Used by Windows Vista. Uses $I and $R files.

See: [3]

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Vista thumbcache.

Browser Cache

Browser History

The Web Browser History files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

Search

See Windows Desktop Search

Setup log files (setupapi.log)

Windows Vista introduced several setup log files [4].

Sleep/Hibernation

After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.

Users

Windows stores a users Security identifiers (SIDs) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The %SID%\ProfileImagePath value should also contain the username.

Windows Error Reporting (WER)

As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is store in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

External Links

Malware/Rootkits

Tracking removable media

Under the hood

MSI

Side-by-side (WinSxS)

Application Compatibility Database

System Restore (Restore Points)

Crash dumps

RPC

WMI

Windows Error Reporting (WER)

Windows Firewall

Windows 32-bit on Windows 64-bit (WoW64)

Windows XP