"Q: How many MS programmers does it take to change a light bulb? Windows Internals "Q: How many MS programmers does it take to change a light bulb? A: 2,304. One to write WinCheckLightBulbStatus, one to write WinGripLightBulb..."

In This Presentation Recycle Bin Windows Explorer Shortcut Files Prefetch Thumbcache Scheduled Tasks

Windows Internals The windows operating system has many, many components. Many components require saving some state information. Windows offers extensive configuration options and many quality of life user features. Supporting these features also requiresstoring extensive state information. Think about programs you have written and how much information you had to store to enable even simple configuration options. Provides a wealth of information to investigators. But also gives malware authors more places to hide.

Recycle Bin The recycle bin is a staging area for deleting files. Users might misclick. Or users may discover at a later date they still need a file. Thus files are moved into the recycle bin before being “permanently” deleted. By now we know deletion is less complete than many realize. The recycle bin contains the deleted files and metadata necessary to restore them to their original paths. Windows can be configured to bypass the recycle bin. The recycle bin folder is $Recycle.Bin on the disk.

Recycle Bin Operations When a file is deleted through the Windows Explorer shell: By default it is moved into a Recycle Bin subfolder. Subfolder is named with the user’s Security Identifier (SID) File renamed to start with “$R”, followed by six characters, and ending with the file’s original extension. Generates a corresponding index file beginning with “$I”, the matching six letters as the “$R” file, and then matching extension.

Recycle Bin Index Files Size of 544 bytes. Bytes 0-7: Header Btes 8-15: Original File Size in little-endian format. Bytes 16-23: 64-fit FILETIME object for when file was deleted. Bites 24-533: Name and path of original file in Unicode format.

Another Index File Example $I file header: 0x0000000000000001 Actual file size in bytes: 14942208 = 14592 KB Deletion Date: Mon, 16 Feb 2015 00:20:37 UTC FIle Location and Name: C:\Users\AymanT\Desktop\System

Windows Explorer Shortcut Files A file containing a pointer to another specific file in the file system. User Created: Manually created with location and target location specified by the user. Commonly found on the desktop.

Windows Explorer Shortcut Files Windows Created: Will be created and stored if the user has opened data or media files in the system. Locations: <System Volume>\Users\<User Name\AppData\Roaming\Microsoft\Windows\Recent <System Volume>\Users\<User Name\AppData\Roaming\Microsoft\Office\Recent These link files will persist even if the originale system file was deleted. Prove a specific file was opened even if original file was deleted or existed on external media. If creation time of the shortcut file and it’s modified time match, can presume file was opened only once from the location specified in the file.

Windows Explorer Shortcut Files These link files will persist even if the originale system file was deleted. Prove a specific file was opened even if original file was deleted or existed on external media. If creation time of the shortcut file and it’s modified time match, can presume file was opened only once from the location specified in the file.

The .lnk file contains: File contains MAC times of the target Shell Item list of the target Size of target Serial # of volume target stored on Useful for correlating with removable media Network volume share name MAC address of host computer (sometimes) Attributes, including read-only, system, volume label, encryption, sparse, compressed, offline, etc. Distributed link tracking information

Lnk file specs Forensics Wiki - https://forensicswiki.org/wiki/LNK The Windows Shortcut File Format by Jesse Hager - https://storage.googleapis.com/google-code-archive- downloads/v2/code.google.com/8bits/The_Windows_Shortcut_File_For mat.pdf Might not be 100% accurate these days.

Lnk file tools: Liblnk https://github.com/libyal/liblnk/ https://forensicswiki.org/wiki/Liblnk

Lnk file tools: Exiftool See right -> Others Lnk - https://github.c om/EricZimmer man/Lnk/ lnk-parse - https://github.c om/lcorbasson/ lnk-parse

Prefetch Files Application prefetching exists to speed up application startup times. Windows monitors the application’s behavior as it launches. Windows then “prefetches” the necessary code and data to a single location. Prevents the system from seeking across system files for DLLs and other needed data. Stored in the <SystemPartition>\Windows\Prefetch directory.

Prefetch Files Individual files are named “[original file name]-[hashvalue].pf” Hash calculated from path to application, arguments used, and other values. Maximum storage: Win 8+: 1024 files Win XP - 7: 128 files

Prefetch File Contents Application name Date application was last launched Usually holds the last 8 times. Run Count Volume from which the application launched. Includes volume creation date and serial number. List of DLLs and other files accessed by the application during first 10 seconds of runtime. Format changes from version to version of windows and sometimes based on the service pack.

Prefetch File Detailed Specs Forensics wiki http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format Documentation from libscca project https://github.com/libyal/libscca/blob/master/documentation/Win dows%20Prefetch%20File%20(PF)%20format.asciidoc

Prefetch Forensics Value Malware is an application. Running malware often causes Windows to generate a prefetch file. Prefetch will show us many locations accessed by the malware. Find where it alters values or hides files. Identify it as malware if files accessed are suspicious. Most applications don’t access many, if any, .dat or .bat files. Though IE does. Or because it ran from an unusual path like “Temp” or the “Temporary Internet Files” folder. The prefetch file is an artifact that can survive self-deletion of a malware dropper.

Reading Prefetch Files libscca: https://github.com/libyal/libscca Nirsoft’s Prefetch View (run in WINE): https://www.nirsoft.net/utils/win_prefetch_view.html Your favorite hex editor

Thumbcache Created when the user uses the Thumbnails or Filmstrip folder viewing options. Stores small thumbnail versions of the pictures created by this view mode in Thumbcache.db files.

Thumbcache Stored in <System Volume>\Users\<User Name>\AppData\Local\Microsoft\Windows\Explorer. thumbcache_idx.db thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db Thumbcache_sr.db Note: the different cache numbers reflect the different size images available in file viewer. Deleted photos may still have a copy left behind in a thumbcache file.

Thumbcache Structure and Recovery Reverse engineered from proprietary systems, details are sparse and hazy. In general every thumbnail in the cache is associated with two 64-bit variables. Secret ID: associates data in thumbcache_idx.db with thumbnail data in thumbcache_NN.db, exact purpose of var is unclear. Cache ID: links thumbnails with original files.

Thumbcache Structure and Recovery However, the original file path is not stored in the Thumbcache files. Must correlate with information in the Windows Indexer Windows.edb file. Database stored at <System Volume> \ProgramData \Microsoft \Search \Data \Applications \Windows This is a SQLite database. Find the stored associations between indexed files and CacheID.

Thumbcache Tools Can use file carver to extract the raw images. Already discussed SQLite tools. Another GUI tool - http://sqlitebrowser.org/ A Windows GUI Tool: https://thumbcacheviewer.github.io/ Reference - http://www.forensicswiki.org/wiki/Vista_thumbcache

Scheduled Tasks Scheduled tasks execute on a user defined schedule. Trigger can be calendar based or event based. Some are manually defined by the user through commands or wizards. Others are programatically created using the Windows API. Thus existence of a scheduled task doesn’t always mean a user deliberately created it. Can be executed once or on a regularly defined basis.

Scheduled Tasks Often used to run updates. Malware can achieve persistence by creating a task to start itself. Scheduled Tasks are stored as a “.job” file. Stored in the <SystemPartition>\Windows\System32\Tasks directory as well as in subfolders thereof.

.job file specifications XML files Can Include: Author Description Triggers Privilege Actions to perform Commands or executables Arguments

.job file XML

Another .job file example

Questions?