Investigating Windows Systems
Chao-Hsien Chu, Ph.D., College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802
Theory, Practice, Learning by Doing
Session Outline
- Forensic Mindset
- Investigative Questions
- Common File System Types
- Investigating Windows Systems
- Windows Registry
- Investigative and Case Management Tools
Learning Objectives
At the end of this module you will be able to:
- Describe the importance of the forensic mindset
- Describe common investigative questions
- Explain the basic steps in the forensic analysis process
- Discuss the forensic importance of the Windows Registry
- Demonstrate the case management functions of EnCase and FTK
Forensic Mindset
Digital forensic mindset, condensed definition:
- Using your skills to determine what has occurred or, failing that, what most likely occurred, as opposed to what is merely possible.
- You do NOT work for anyone but the TRUTH!
- The tools used are not nearly as important as the person using them!
- The examination should not occur in a vacuum. Find out all you can about what is already known.
Organizing the Investigation
- Use your knowledge to examine the system and answer: could it have happened that way or not?
- Don't make it more complicated than it has to be; start with the obvious!
- Example: check early for programs that will cause you aggravation, i.e. encryption (PGP, Magic Folders, File Vault, EFS, etc.).
Organizing the Investigation
- MAC information (Modified, Accessed and Created timestamps): what was happening on the system during the time frame you are interested in? What was being "written", "changed" or "accessed"?
- Interpret the timestamps in the suspect system's time zone, not the examiner's.
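An added example (not code from the original slides) of building such a MAC timeline. It assumes the evidence is a mounted, read-only copy of the image (reading files on a writable mount would update access times), collects the three timestamps of every file with the standard library, converts them into the suspect system's zone (the zone name and the sample file are assumptions for the demo), and keeps only events inside the window of interest. On Windows the third timestamp is the creation time; on POSIX hosts it is the metadata-change time, which the code labels accordingly.

```python
import os
from datetime import datetime, timezone

# Added example: MAC (Modified / Accessed / Created) timeline over a read-only
# copy of the evidence. Timestamps are rendered in the suspect system's zone.


def mac_times(path, tz):
    """Return (path, kind, aware datetime) for the M, A and C timestamps of one file.

    st_ctime is the creation time on Windows but the inode/metadata change time
    on POSIX, so the label says which one the host actually reported.
    """
    st = os.stat(path, follow_symlinks=False)
    ctime_kind = "C (created)" if os.name == "nt" else "C (metadata changed)"
    return [
        (path, "M", datetime.fromtimestamp(st.st_mtime, tz)),
        (path, "A", datetime.fromtimestamp(st.st_atime, tz)),
        (path, ctime_kind, datetime.fromtimestamp(st.st_ctime, tz)),
    ]


def build_timeline(root, tz, start=None, end=None):
    """Walk root, collect every MAC timestamp, keep those in [start, end], sort by time."""
    events = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            events.extend(mac_times(os.path.join(dirpath, name), tz))
    if start is not None:
        events = [e for e in events if e[2] >= start]
    if end is not None:
        events = [e for e in events if e[2] <= end]
    return sorted(events, key=lambda e: e[2])


def format_timeline(events):
    """One line per event: ISO timestamp (with offset), kind, path."""
    return [f"{when.isoformat()}  {kind:<22} {path}" for path, kind, when in events]


if __name__ == "__main__":
    import tempfile
    from zoneinfo import ZoneInfo

    # Constructed sample: one file whose M and A times are set to known values.
    suspect_tz = ZoneInfo("America/New_York")  # assumption: the suspect's zone setting
    root = tempfile.mkdtemp()
    doc = os.path.join(root, "memo.doc")
    with open(doc, "wb") as fh:
        fh.write(b"draft")
    mtime = datetime(2004, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(doc, (mtime + 3600, mtime))  # (atime, mtime)
    window = (datetime(2003, 12, 31, tzinfo=timezone.utc),
              datetime(2004, 1, 2, tzinfo=timezone.utc))
    for line in format_timeline(build_timeline(root, suspect_tz, *window)):
        print(line)
```

Because the datetimes are zone-aware, the window bounds can be given in UTC while the output is printed in the suspect's local zone; a file modified at 2004-01-01 00:00 UTC shows up as 2003-12-31 19:00 in US Eastern time, which is exactly the kind of day-boundary shift the time zone setting question on the next slides is about.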
Investigative Questions
- One of the most common questions is: where on the Internet was the user surfing? In the absence of managed server logs, use ??????
- A great product (LE or corporate security only) is IEHistory by Scott Ponder of Phillips Ponder Company.
Questions/Requests
- Another very common request is to gather up all the e-mail, including deleted messages, for the investigator to read. As always, this is done on the image or with a hardware write blocker.
- Any communication is usually requested, and chat is being used more and more:
  - MSN Chat does not store its chats by default. Newer versions do!
  - AOL Instant Messenger.
  - Encryption: Yahoo Messenger stores chats on the local drive, but they are encrypted. Any ideas how to get around this?
Passwords & Encryption
- #1 rule: if you don't know the password, ask the person who does!
- Are they lazy? Is there an easily obtained password that they reused for both the logon and the encryption?
- AccessData software (Password Recovery Toolkit / Ultimate Toolkit).
- Is there a company you can pay to have it done for you?
Where Do We Start?
- Verify the integrity of the image: MD5, SHA1, etc.
- Recover deleted files & folders.
- Determine the keyword list: what are you searching for?
- Determine time lines: what is the time zone setting of the suspect system? What time frame is of importance? A graphical representation is very useful.
Where Do We Start? (continued)
- Examine the directory tree: what looks out of place? Stego tools installed? Evidence scrubbers?
- Perform keyword searches: indexed; slack & unallocated space.
Where Do We Start? (continued)
- Search for relevant evidence types; hash sets can be useful: graphics, spreadsheets, hacking tools, etc.
- Look for the obvious first.
- When is enough enough?
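An added example, not code from the slides, covering two of the steps above: verifying the image against the MD5/SHA1 recorded at acquisition, and triaging files against hash sets (known-good system files to skip, known-bad files to flag). Both share one chunked hashing routine so a multi-gigabyte image is read once. The file names, hash sets and contents in the demo are constructed for illustration.

```python
import hashlib
import os

# Added example: image integrity verification plus hash-set triage.
# The hash sets and sample files below are constructed, not real reference data.

CHUNK_SIZE = 4 * 1024 * 1024  # read large images in 4 MiB pieces


def hash_file(path, algorithms=("md5", "sha1")):
    """Hash a file in one pass, feeding every chunk to each requested digest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """expected maps algorithm name -> hex digest from the acquisition notes.

    Returns (ok, computed). Digests are compared case-insensitively because
    acquisition tools differ in how they print them.
    """
    computed = hash_file(path, tuple(expected))
    ok = all(computed[alg].lower() == digest.lower() for alg, digest in expected.items())
    return ok, computed


def classify_files(root, known_good, known_bad, algorithm="md5"):
    """Triage every file under root against two hash sets.

    known_bad is checked first so that a notable file is never silently
    filtered out just because someone also listed it as a known system file.
    """
    result = {"notable": [], "known": [], "unknown": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = hash_file(path, (algorithm,))[algorithm]
            if digest in known_bad:
                result["notable"].append(path)
            elif digest in known_good:
                result["known"].append(path)
            else:
                result["unknown"].append(path)
    return result


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a tiny "image" and a tiny "file system" to triage.
    work = tempfile.mkdtemp()
    image = os.path.join(work, "evidence.dd")
    with open(image, "wb") as fh:
        fh.write(b"abc")
    ok, computed = verify_image(image, {"md5": "900150983CD24FB0D6963F7D28E17F72"})
    print("image verified:", ok, computed)

    tree = os.path.join(work, "C")
    os.makedirs(os.path.join(tree, "tools"))
    for rel, data in (("notepad.exe", b"system"), ("tools/nc.exe", b"tool"), ("memo.doc", b"draft")):
        with open(os.path.join(tree, rel), "wb") as fh:
            fh.write(data)
    known_good = {hashlib.md5(b"system").hexdigest()}  # pretend NSRL-style set
    known_bad = {hashlib.md5(b"tool").hexdigest()}     # pretend hacking-tool set
    print(classify_files(tree, known_good, known_bad))
```

The "unknown" bucket is what is left to search by keyword once known system files are filtered out, which is how hash sets shorten search times; the "notable" bucket is the direct hit list.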
Common File System Types
- FAT (File Allocation Table):
  - FAT16: DOS; Windows 3.x; Windows 95.
  - FAT32: Windows 95 OSR2, Windows 98, Windows Me, Windows 2000, Windows XP, Server 2003.
- NTFS (New Technology File System): Windows NT; Windows 2000; Windows XP; Server 2003.
FAT16
- Uses 16 bits per entry in the file allocation table (FAT).
- Two FATs (primary and backup).
- Supports up to 4 GB of volume space (2 GB under DOS and Windows 9x; 4 GB needs the 64 KB clusters that only NT-based systems use).
- Maximum file size of 2 GB.
- Supports two partitions and three logical drives in the second partition.
- Uses the 8.3 file naming convention.
- "/", "\", "[", "]", "|", "<", ">", "+", "=", ";", "*" and "?" are illegal characters in file names (the colon and double quote are reserved as well).
NTFS
- Long file name support
- Ability to handle large storage devices
- Built-in security controls
- POSIX support
- Volume striping
- File compression
- Master file table (MFT)
Investigating Windows Systems
User/system data (created intentionally by the user):
- User profiles
- Program files
- Temporary files (temp files)
- Special application-level files
- Internet history, e-mail
Artifacts (generated by the system):
- Metadata
- Windows system registry
- Event logs or log files
- Swap files
- Printer spool
- Recycle bin
Windows Registry
A central hierarchical database that stores the information needed to configure the system for one or more users, applications and hardware devices. It replaces AUTOEXEC.BAT, CONFIG.SYS and INI files. It was first introduced in Windows 3.1 (pre-1995) for storing OLE settings.
Windows Registry
A wealth of investigative information:
- Registered owner
- Registered organization
- Shutdown time
- Recent docs
- Most Recently Used (MRU) lists
- Typed URLs
- Previously mounted devices
- Software installed
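An added example, not from the slides, of turning one of these values into evidence: the last shutdown time is stored as a REG_BINARY value named ShutdownTime under HKLM\SYSTEM\...\Control\Windows, encoded as a Windows FILETIME (a 64-bit little-endian count of 100-nanosecond intervals since 1601-01-01 UTC). The code parses the `"Name"=hex:...` line that a regedit export produces, decodes the FILETIME, and reports it in UTC and in the suspect system's zone (the sample line and the UTC-5 zone are constructed for the demo). When working on an exported or copied hive, note that CurrentControlSet is only a link on a live system; in the offline hive the data lives under ControlSet001, ControlSet002, etc., and the Select key says which one was current.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example: decode the REG_BINARY ShutdownTime value (a Windows FILETIME).
# Value path on a live system:
#   HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime
# In an offline hive use the ControlSet00N that HKLM\SYSTEM\Select\Current points at.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """8 little-endian bytes of 100 ns ticks since 1601-01-01 UTC -> aware datetime."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime; useful to build search patterns for a known time."""
    if when.tzinfo is None:
        raise ValueError("need a zone-aware datetime")
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def parse_reg_hex(line):
    """Parse the REG_BINARY form written by regedit exports: "Name"=hex:xx,xx,...

    Long values are wrapped with a trailing backslash and indented continuation
    lines; both are stripped before the comma-separated hex bytes are read.
    """
    name, _, value = line.partition("=")
    if not value.startswith("hex:"):
        raise ValueError("not a REG_BINARY (hex:) value")
    hexbytes = value[4:].replace("\\", "").replace("\n", "").replace(" ", "")
    data = bytes(int(b, 16) for b in hexbytes.split(",") if b)
    return name.strip().strip('"'), data


def shutdown_time(line, local_tz):
    """Return (value name, UTC datetime, datetime in the suspect's zone) for an export line."""
    name, raw = parse_reg_hex(line)
    when_utc = filetime_to_datetime(raw)
    return name, when_utc, when_utc.astimezone(local_tz)


# Constructed sample line: what regedit writes for a shutdown at 2004-01-01 00:00:00 UTC.
SAMPLE_LINE = '"ShutdownTime"=hex:00,00,f2,32,fa,cf,c3,01'

if __name__ == "__main__":
    suspect_tz = timezone(timedelta(hours=-5))  # assumption: suspect system set to UTC-5
    name, utc, local = shutdown_time(SAMPLE_LINE, suspect_tz)
    print(name, utc.isoformat(), local.isoformat())
```

The same decoder applies to every other FILETIME in the registry, including the last-write time carried by each key, so it is worth keeping as a reusable helper rather than a one-off.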
Registry Tools
- Registry Reader (AccessData)
- EnCase
- Windows: Regedit, Regedt32
- Freeware tools
Never work on the original; make a copy.
Windows Registry
There are five root keys:
- HKEY_CLASSES_ROOT (HKCR)
- HKEY_CURRENT_USER (HKCU)
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_USERS (HKU)
- HKEY_CURRENT_CONFIG (HKCC)
Registry Architecture
Two are "master" keys:
- HKEY_LOCAL_MACHINE (HKLM): configuration data describing the hardware and software installed on the computer.
- HKEY_USERS (HKU): configuration data for each user that logs into the computer.
Registry Architecture
Three are derived from the "master" keys:
- HKEY_CLASSES_ROOT: file associations and OLE.
- HKEY_CURRENT_USER: the currently logged-on user.
- HKEY_CURRENT_CONFIG: the current hardware profile.
- HKEY_CLASSES_ROOT: from HKLM\Software\Classes
- HKEY_CURRENT_USER: from HKU\<SID of current user>
- HKEY_CURRENT_CONFIG: from HKLM\System\CurrentControlSet\Hardware Profiles\Current
The Windows Registry
- Dial-up accounts: HKEY_CURRENT_USER\RemoteAccess\Addresses
- Dial-up account usernames: HKEY_CURRENT_USER\RemoteAccess\Profile\[isp_name]
- RegisteredOwner/RegisteredOrganization, Version, VersionNumber, ProductKey, ProductID, ProductName: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion (on NT-based systems the owner and product values are under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion)
- MSN Messenger info: HKEY_CURRENT_USER\Identities\{string}\Software\Microsoft\MessengerService and HKEY_CURRENT_USER\Software\Microsoft\MessengerService
The Windows Registry
- Outlook Express user info (e-mail, newsgroups, etc.): HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts and HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\ x
- Internet Explorer history retention length: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLHistory
Automated Tools
- Easier case management.
- Keyword searching includes slack/residue and other unallocated areas of disk space.
- Ability to use hash sets of known system files to minimize keyword search times.
- Ability to use hash sets to search for known files such as child porn, rootkits, or whatever you want to hash and find quickly.
- Unicode and ANSI compatible: Unicode provides a unique number for every character, no matter what the platform, program or language; needed for foreign language support.
- Etc.
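An added example, not the tools' own code, showing why the Unicode/ANSI point matters for keyword searching of slack and unallocated space: the same keyword is compiled once in an ANSI code page (cp1252 assumed) and once in UTF-16LE, the encoding Windows uses for file names, registry strings and most application strings, and both patterns are run over raw bytes with no file system structure. The "unallocated" buffer below is constructed for the demo.

```python
import re

# Added example: keyword search over raw bytes (slack / unallocated space) that
# finds both ANSI (cp1252, assumed) and Unicode (UTF-16LE) occurrences.

ENCODINGS = ("cp1252", "utf-16-le")


def compile_keywords(keywords, encodings=ENCODINGS):
    """Build one case-insensitive byte pattern per (keyword, encoding) pair."""
    compiled = []
    for kw in keywords:
        for enc in encodings:
            try:
                needle = kw.encode(enc)
            except UnicodeEncodeError:
                continue  # keyword not representable in this code page; skip it
            compiled.append((kw, enc, re.compile(re.escape(needle), re.IGNORECASE)))
    return compiled


def search_raw(data, keywords, encodings=ENCODINGS, context=16):
    """Return hits as (offset, encoding, keyword, context_text), sorted by offset.

    The context window is decoded with the encoding that produced the hit so a
    UTF-16LE hit reads as text instead of as letters interleaved with NULs.
    """
    hits = []
    for kw, enc, pattern in compile_keywords(keywords, encodings):
        for m in pattern.finditer(data):
            lo = max(0, m.start() - context)
            hi = min(len(data), m.end() + context)
            snippet = data[lo:hi].decode(enc, errors="replace")
            hits.append((m.start(), enc, kw, snippet))
    return sorted(hits)


# Constructed sample of "unallocated" bytes: an ANSI mail header, junk, then a
# UTF-16LE file name that an ANSI-only search would miss entirely.
SAMPLE_UNALLOCATED = (
    b"\x00" * 32
    + b"Subject: CONFIDENTIAL merger timeline\r\n"
    + b"\xff" * 16
    + "merger deck v2.ppt".encode("utf-16-le")
    + b"\x00" * 32
)

if __name__ == "__main__":
    for offset, enc, kw, snippet in search_raw(SAMPLE_UNALLOCATED, ["confidential", "merger"]):
        print(f"0x{offset:08x} {enc:<9} {kw!r:16} {snippet!r}")
```

Running the search with only the ANSI encoding finds the two header hits and silently drops the UTF-16LE file name, which is the failure mode the slide warns about; on a real image the same functions are applied to the raw device or to the unallocated clusters a forensic tool exports.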
EnCase Forensic Tools
Supports "bit stream acquisitions" in three ways:
- #1: drive to drive in a DOS environment, loading its own drive-lock TSR.
- #2: drive to drive in a Windows environment using a hardware drive locker (write blocker), "FastBloc" or others.
- #3: computer to computer using a crossover network cable: EnCase for DOS loaded from a diskette with write-protect software on the suspect's computer, EnCase for Windows on the forensic examiner's computer.
Forensic Toolkit: Access Data
Summary
- Computer forensics is not a piece of software.
- The forensic mindset is paramount.
- The Windows registry is a treasure chest of forensic information.
- You will need several tools in your forensic toolbox.