Saturday, December 26, 2009

Forensic review of Windows 7 - Part II - File system

Windows 7 supports the same file systems as Windows Vista: FAT, NTFS and exFAT. Internally, Windows 7 uses the same NTFS version as Vista, NTFS 3.1, and continues to keep the Transactional NTFS (TxF) metadata in the \$Extend\$RmMetadata folder.

Like Vista, Windows 7 does not update the last-accessed timestamp when a file is merely read; the last-accessed time changes only when another timestamp (last written) is updated at the same time. This behaviour is controlled by the NtfsDisableLastAccessUpdate value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, a setting that has existed since Windows 2000 but was not enabled by default (set to 1) until Vista. In practice this means the last-accessed time on a Windows 7 image is not reliable evidence of when a file was last opened or viewed.



The exFAT file system used in Windows 7 is the same version used in Windows Vista and is designed for removable drives. The latest version of EnCase supports exFAT and will display the contents of an exFAT volume similar to this example:



When formatting external drives and flash devices, Windows 7 will completely WIPE the contents of the volume UNLESS the "QUICK FORMAT" option is selected, regardless of whether NTFS, FAT or exFAT is used. When the "QUICK FORMAT" option is selected, the prior data remains in unallocated space of the newly created volume and can be carved.
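To show what the quick-format case leaves behind, here is an added example (not code from the original post): a toy model of a volume in which a quick format rewrites only the volume's metadata region while a full format zeroes every sector, followed by a simple header/footer carver that recovers a JPEG from the unallocated space. The volume image, the "format" routines and the embedded JPEG-like payload are all constructed here; real format behaviour is more involved, but the end result for the data area is the same.

```python
"""Toy model of quick vs. full format, plus a signature carver.
Added example, not from the original post; the volume image, the format
routines and the JPEG-like payload are constructed for illustration."""
import hashlib

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker (FF D8 FF ...)
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def make_volume(size=64 * 1024, payload_offset=20 * SECTOR):
    """Constructed volume: a fake JPEG stored at payload_offset.
    Returns (image, payload_length)."""
    img = bytearray(size)
    body = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + bytes(range(256)) * 4 + JPEG_EOI
    img[payload_offset:payload_offset + len(body)] = body
    return img, len(body)


def quick_format(img, metadata_sectors=8):
    """Quick format (model): only the first metadata_sectors sectors (boot
    sector, FAT/MFT area) are rewritten; the data area is untouched and
    simply becomes unallocated space."""
    out = bytearray(img)
    out[: metadata_sectors * SECTOR] = bytes(metadata_sectors * SECTOR)
    return out


def full_format(img):
    """Full format on Vista/7 (model): every sector of the volume is zeroed."""
    return bytearray(len(img))


def carve_jpegs(img, max_len=10 * 1024 * 1024):
    """Header/footer carver: for each SOI marker, take bytes up to the next
    EOI marker. Returns a list of {offset, length, md5} records."""
    data = bytes(img)
    hits = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_len:
            pos = start + 1          # no plausible footer, keep scanning
            continue
        blob = data[start:end + len(JPEG_EOI)]
        hits.append({"offset": start, "length": len(blob),
                     "md5": hashlib.md5(blob).hexdigest()})
        pos = end + len(JPEG_EOI)
    return hits


def recoverable_after(img, formatter):
    """MD5s of JPEGs still carvable once `formatter` has been applied."""
    return [h["md5"] for h in carve_jpegs(formatter(img))]


if __name__ == "__main__":
    vol, n = make_volume()
    print("original:", carve_jpegs(vol))
    print("after quick format:", carve_jpegs(quick_format(vol)))
    print("after full format:", carve_jpegs(full_format(vol)))
```

The carver only knows the JPEG markers; for a real case you would add the signatures of the file types you expect, and validate each carved object (here the MD5 of the carved blob is compared with that of the original payload) rather than trusting the footer search alone.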

Thursday, December 24, 2009

Forensic review of Windows 7 - Part I

Over the next few weeks, I will be documenting and posting some basic information about Windows 7 from a forensic perspective. I know many of you may have already encountered a Windows 7 box or have been exploring it yourself. Please feel free to post comments with whatever little forensic nuggets you have found useful.

Initially looking at a Windows 7 image, it closely resembles a Windows Vista installation (no surprise there). There are a few small differences and changes which I will document with additional posts.

Starting off simple, here is a view of a clean Windows 7 install.


Take note there are two separate partitions. During a clean install where the disk does not contain any pre-existing partitions, the Windows 7 installation process creates two partitions, even though you specify one partition. The installation process warns you that an additional partition may be created, and in fact a 100MB "hidden" partition is created. There is a little trickery you can do to avoid the 100MB partition, but it is not intuitive and a typical user is unlikely to know how to prevent it, so you are likely to see two separate partitions: one of 100MB and the main partition, which by default is the remainder of the physical disk. The second partition is important because it will likely skew any link files you review. EnCase assigns volume letters in the order the partitions are encountered in the partition table, so the hidden partition gets the "C" volume letter, but it is really a hidden partition and does not get a letter assignment from Windows. The main partition gets a "D" assignment in EnCase, but in Windows it is really "C". The contents of any shortcut files will therefore point to "C", which in EnCase is "D".

If the disk already has a partition scheme defined (e.g. it has an older version of Windows on it, or it was partitioned prior to starting the installation), then the installer simply uses the one defined partition, or whatever partitions were defined prior to starting the installation process.
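The letter confusion above comes straight from the partition table, so here is an added example (not from the original post) that parses the MBR of a disk image, lists the partitions in table order and shows the letter EnCase would hand out beside the letter Windows actually used. The MBR bytes are constructed to match a default clean install (a 100MB active partition followed by the OS partition); the rule that "an active 100MB partition is the letterless System Reserved partition" is a heuristic assumed here, not something the page states.

```python
"""Parse an MBR partition table and reconcile EnCase volume letters with
the letters Windows used. Added example, not from the original post; the
MBR below is constructed, not read from a real image."""
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries):
    """Constructed MBR. entries: list of (bootable, type, lba_start, sectors)."""
    mbr = bytearray(SECTOR)
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY, mbr, 446 + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries in table order."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "size_mib": count * SECTOR // (1024 * 1024)})
    return parts


def label_partitions(parts):
    """EnCase letter: C, D, ... in table order. Windows letter: C, D, ...
    skipping the System Reserved partition, which has no letter.
    Heuristic (assumed): active and exactly 100 MiB means System Reserved."""
    out = []
    win = ord("C")
    for n, p in enumerate(parts):
        system_reserved = p["bootable"] and p["size_mib"] == 100
        windows = None if system_reserved else chr(win)
        if not system_reserved:
            win += 1
        out.append({**p, "encase_letter": chr(ord("C") + n),
                    "windows_letter": windows,
                    "system_reserved": system_reserved})
    return out


def windows_to_encase(labeled, path):
    """Rewrite a Windows path (e.g. from a .lnk file) to the EnCase letter."""
    for p in labeled:
        if p["windows_letter"] and path.upper().startswith(p["windows_letter"] + ":"):
            return p["encase_letter"] + path[1:]
    return path


if __name__ == "__main__":
    mbr = build_mbr([(True, 0x07, 2048, 204800),        # 100 MiB System Reserved
                     (False, 0x07, 206848, 41736192)])  # OS partition
    for p in label_partitions(parse_mbr(mbr)):
        print(p)
    print(windows_to_encase(label_partitions(parse_mbr(mbr)), r"C:\Users\bob\file.doc"))
```

Running this on the constructed table prints the 100 MiB partition as EnCase "C" with no Windows letter, and the OS partition as EnCase "D" / Windows "C"; feeding a shortcut target through windows_to_encase gives the path as EnCase would show it.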

A view of the typical default folders. Looks very "Vista-ish"


A view of a user's profile:



Internet History folders:

For the most part, if you have done an exam on a Vista machine, you will feel right at home with a Windows 7 image and should have no problem finding the common locations for artifacts.

Sunday, December 6, 2009

Export x Number of bytes around selected search hits - categorized by keyword hit

Updated - December 15, 2009 - Third version now available below

This EnScript is an update to the previous post here.

Changes & updates in this version:

1. Now includes the MD5 hash of the file the hit is located in (internal and unallocated files are excluded).

2. Keyword column now shows the hit text as well as the keyword, so if you used a GREP expression, both the expression and the actual matched text are shown.

3. The AFTER count now starts at the end of the keyword hit instead of the beginning of the keyword hit.

4. The red highlighted keyword hit should now be accurate and only show the exact characters in the keyword hit.

There are now three versions of this EnScript available.

The first version is from the original EnScript that creates one "Proximity Report" with all the hits you selected from the search hits pane.

The second version is an adaptation from the original based on a reader's request. This second version creates one proximity report for each unique keyword hit. This version was created to easily facilitate redaction of certain hits.

This third version creates one proximity report per keyword: if you have selected hits for five different keywords in the search hits pane, five different folders are created, and each folder contains one report with all the hits for that keyword.
Download here - updated original version
Download here - updated adapted version
Download here - updated third version
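The EnScripts themselves are downloads, so as an added example (my own Python, not the author's EnScript) here is the same proximity-report logic in a form you can run outside EnCase: a configurable number of bytes before and after each hit, GREP-style expressions with both the expression and the matched text reported, the AFTER count starting at the end of the hit, the MD5 of the containing file, and one report per keyword as in the third version. The sample files are constructed; all inputs are treated as ordinary files, so the "internal and unallocated files excluded" rule from change 1 does not come into play here.

```python
"""Keyword proximity report, grouped one report per keyword.
Added example in Python, not the author's EnScript; sample data is
constructed inline."""
import hashlib
import re
from collections import defaultdict


def proximity_hits(name, data, patterns, before=16, after=16):
    """One record per hit of each bytes regex in `patterns`.
    The record carries the expression and the exact matched text, and the
    AFTER context is counted from the end of the match, not its start."""
    file_md5 = hashlib.md5(data).hexdigest()
    for pat in patterns:
        for m in re.finditer(pat, data):
            start, end = m.start(), m.end()
            yield {
                "file": name,
                "md5": file_md5,
                "keyword": pat.decode("latin-1"),
                "hit": m.group(0),
                "offset": start,
                "before": data[max(0, start - before):start],
                "after": data[end:end + after],
            }


def reports_by_keyword(files, patterns, before=16, after=16):
    """files: {name: bytes}. Returns {keyword: [hit records]}, i.e. one
    report per keyword across all files."""
    reports = defaultdict(list)
    for name, data in files.items():
        for rec in proximity_hits(name, data, patterns, before, after):
            reports[rec["keyword"]].append(rec)
    return dict(reports)


def render(rec):
    """One report line; the bracketed span stands in for the red highlight
    and covers exactly the matched characters."""
    ctx = rec["before"] + b"[" + rec["hit"] + b"]" + rec["after"]
    return (f"{rec['file']} @ {rec['offset']} md5={rec['md5']} "
            f"kw={rec['keyword']!r}: {ctx.decode('latin-1')!r}")


if __name__ == "__main__":
    sample = {  # constructed sample files
        "a.txt": b"payment for invoice 4471 is late; invoice 4472 paid",
        "b.txt": b"no hits here",
    }
    for kw, hits in reports_by_keyword(sample, [rb"invoice \d+", rb"paid"], 4, 4).items():
        print("== report for", kw)
        for h in hits:
            print(render(h))
```

Bytes regexes are used deliberately: the data is raw file content, and decoding it as text would silently drop hits in binary or non-ASCII regions.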

Computer Forensics, Malware Analysis & Digital Investigations
