Intro to Windows Forensics - caitlinmallen/TechWiki GitHub Wiki

OS forensics

  • Windows
    • Product name is different from internal version number
      • Windows XP is 5.1, Windows Vista is 6.0 Build 6000, Windows Server 2008 is 6.0 Build 6001
    • Domains
      • A domain represents both a security and administrative boundary within a Windows network
      • Computers and users can be added to or removed from a domain
      • Joining a computer to a domain means that it must abide by certain rules, or policies, that are enforced throughout the domain
      • Consists of three general types of computers
        • Domain controllers (DCs)
        • Member servers
        • Client computers
      • Central source of security and administrative control
      • Most important machines!
    • Which DC is running?
      • Categorized based on the version of the OS running on the DC
      • A domain can consist of any version of Windows computers, but the domain as a whole is identified by the version of the OS being used on the DCs
    • User Accounts
      • Each account is assigned a unique Security Identifier (SID)
      • When discussing activities, it is important to distinguish between the user (human) and user account (set of credentials)
      • Algorithm used to generate SID
    • SID
      • Structure
        • The Relative ID (RID) is different from one user to another
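As an added example (not part of the original wiki page), the following Python splits account SID strings into the issuer part and the Relative ID, which is what makes two accounts from the same domain or machine distinguishable. The sample SIDs and the well-known RID table are constructed for the example; the S-1-5-21 layout and the standard built-in RIDs (500, 501, etc.) are fixed Windows values.

```python
"""Split Windows SID strings so the issuing domain/machine part and the RID
can be compared across accounts. Added example; not from the wiki."""
import re
from typing import Optional

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Standard built-in RIDs (fixed Windows values; the table itself is constructed here)
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
}


def parse_sid(sid: str) -> dict:
    """Return revision, identifier authority, sub-authorities, the issuer
    identifier (None unless it is an S-1-5-21 account SID) and the RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    issuer: Optional[str] = None
    rid: Optional[int] = None
    # Account SIDs issued by a machine or domain look like
    # S-1-5-21-<a>-<b>-<c>-<RID>: 21 plus three 32-bit values identify the issuer,
    # the last sub-authority is the Relative ID of the account
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        issuer = "S-1-5-" + "-".join(str(x) for x in subs[:4])
        rid = subs[4]
    return {
        "revision": revision,
        "authority": authority,
        "sub_authorities": subs,
        "issuer": issuer,
        "rid": rid,
    }


def same_issuer(sid_a: str, sid_b: str) -> bool:
    """True when both SIDs were issued by the same domain or machine."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a["issuer"] is not None and a["issuer"] == b["issuer"]


def describe_rid(sid: str) -> str:
    """Classify the RID: well-known built-in, reserved (< 1000), or user-created."""
    p = parse_sid(sid)
    if p["rid"] is None:
        return "not a domain or machine account SID"
    if p["rid"] in WELL_KNOWN_RIDS:
        return f"well-known: {WELL_KNOWN_RIDS[p['rid']]}"
    if p["rid"] < 1000:
        return "reserved built-in RID"
    return "user-created account"


# Constructed sample SIDs (not taken from any real system)
DOMAIN_ADMIN = "S-1-5-21-1004336348-1177238915-682003330-500"
DOMAIN_USER = "S-1-5-21-1004336348-1177238915-682003330-1001"
OTHER_MACHINE_USER = "S-1-5-21-111111111-222222222-333333333-1001"
LOCAL_SYSTEM = "S-1-5-18"

if __name__ == "__main__":
    for s in (DOMAIN_ADMIN, DOMAIN_USER, OTHER_MACHINE_USER, LOCAL_SYSTEM):
        print(f"{s:<50} {describe_rid(s)}")
    print("same issuer:", same_issuer(DOMAIN_ADMIN, DOMAIN_USER))
```

Two accounts that share the issuer part but differ in the RID (here RIDs 500 and 1001) come from the same domain; the same RID under a different issuer (the third sample) is an unrelated account, which is why the full SID, not just the RID, identifies an account when attributing activity.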
  • Account Types
    • Local
      • Stored in the computer's SAM and only valid on that computer
      • Local accounts can be
        • Computer accounts
        • User accounts
        • Service accounts
    • Domain
      • Stored in AD
      • Can also be computer, user, and service accounts
  • Groups
    • Simply a collection of accounts to which various capabilities can be assigned
    • Role-based access control
  • Permissions
    • Assigned to files or other objects that users might wish to access
    • Determine which accounts are allowed to access particular resources and what level of access each account is granted
  • Share Permissions
    • Govern who has access to a shared resource over a network
      • Remote access
  • Share vs File Permissions
    • Share
      • Checked only when a file is accessed over a network share
      • Not checked when a request is made from an account that is logged on interactively
    • File
      • Always checked whenever a file is on an NTFS volume
      • Regardless of how it is accessed
  • Local Accounts within a Domain
    • Local accounts continue to exist even when computers come together to form a domain
    • DCs contain domain accounts and only domain accounts
    • All other computers that participate in a domain still retain their local accounts
    • As a result, most computers in a domain can be accessed either by logging on with a domain account or by logging on directly to one of the computer's local accounts
  • User Profiles
    • Lots of potential forensics data
    • Windows 9x
      • Users only had separate identities for personal preferences
      • Data files
        • All stored under one common Documents folder
        • No true distinction of ownership between users
        • No ownership attribute for FAT files
      • Several subfolders
        • Hidden Appdata
        • Cookies
        • Desktop
        • Local Settings
        • Recent
        • SendTo
  • Recycle Bin
    • Deleting files in Windows
      • By default, not deleted
      • Sent to recycle bin
        • DRIVE:\RECYCLED
        • DRIVE:\RECYCLER
        • DRIVE:\$RECYCLE.BIN
      • Win 2k onwards, SID folder exists for each user inside the bin
    • Deleting a file prior to Vista
      • Data goes to
        • D<drive><#Index>.<original extension>
        • D – deleted
        • C – drive number
        • #Index – number of files in the bin
      • Metadata in a file called INFO
        • Original file name and path
        • File size
        • Date and time of deletion
        • Drive letter
        • INFO2 Format
          • Header is 20 bytes long
          • Records are 800 bytes long
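As an added example (not part of the original wiki page), the following Python parses a pre-Vista INFO2 file using the header and record sizes given above, and rebuilds the D<drive><index>.<ext> name each record refers to. The field offsets inside a record (ANSI path, index, drive number, FILETIME, size, UTF-16 path) are the documented INFO2 layout as I understand it, not something the notes state, and the INFO2 image below is constructed sample data, not real evidence.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 file. Added example; the header
and record sizes come from the notes, the field offsets are assumed."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER_LEN = 20    # notes: header is 20 bytes
INFO2_RECORD_LEN = 800   # notes: each record is 800 bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data: bytes) -> list:
    """Return one dict per record: index, drive, deletion time, size, original
    path and the D<drive><index>.<ext> name the data file carries in the bin."""
    if len(data) < INFO2_HEADER_LEN:
        raise ValueError("data too short for an INFO2 header")
    # Assumed header layout: version, two unused dwords, record size, total size
    version, _, _, record_len, _ = struct.unpack("<5I", data[:INFO2_HEADER_LEN])
    if record_len == 0:
        record_len = INFO2_RECORD_LEN
    entries = []
    for off in range(INFO2_HEADER_LEN, len(data) - record_len + 1, record_len):
        rec = data[off:off + record_len]
        # Assumed record layout (offsets within the record):
        #   0x000  260-byte ANSI original path (XP often zeroes its first byte)
        #   0x104  record index        0x108  drive number (0 = A, 2 = C)
        #   0x10C  FILETIME deletion time   0x114  physical size
        #   0x118  520-byte UTF-16LE original path
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        drive_letter = chr(ord("A") + drive)
        entries.append({
            "index": index,
            "drive": drive_letter,
            "deleted": filetime_to_datetime(ft),
            "size": size,
            "original_path": path,
            # On-disk name in the bin: D + lowercase drive letter + index + extension
            "bin_name": f"D{drive_letter.lower()}{index}{ntpath.splitext(path)[1]}",
        })
    return entries


def _record(path: str, index: int, drive: int, deleted: datetime, size: int) -> bytes:
    """Build one 800-byte record for the constructed sample below."""
    ansi = path.encode("cp1252")[:259].ljust(260, b"\x00")
    uni = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted), size) + uni


# Constructed sample INFO2 image: two files deleted from C: (not real evidence)
SAMPLE_INFO2 = (
    struct.pack("<5I", 5, 0, 0, INFO2_RECORD_LEN, INFO2_HEADER_LEN + 2 * INFO2_RECORD_LEN)
    + _record(r"C:\Documents and Settings\alice\My Documents\report.doc", 1, 2,
              datetime(2009, 3, 14, 10, 15, 0, tzinfo=timezone.utc), 36864)
    + _record(r"C:\Documents and Settings\alice\Desktop\notes.txt", 2, 2,
              datetime(2009, 3, 14, 10, 16, 30, tzinfo=timezone.utc), 4096)
)

if __name__ == "__main__":
    for e in parse_info2(SAMPLE_INFO2):
        print(f'{e["bin_name"]:<10} {e["deleted"]:%Y-%m-%d %H:%M:%S} '
              f'{e["size"]:>8} {e["original_path"]}')
```

The parser reads the record size from the header rather than hard-coding 800 so that an unexpected value is visible rather than silently misaligned; on a real image, compare the index in each record with the Dc<index> names present in the RECYCLER folder to spot records whose data file is gone.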
    • Deleting a file in Windows Vista onward
      • Data goes to
        • File itself
        • $R<value>.<original extension>
        • $R – raw data
        • <value> – random value
        • Same extension as the original file
      • Metadata goes to
        • $I<value>.<original extension>
        • $I – metadata
        • <value> – same random value as the data file
        • Same extension as the original file
    • Deleting a file in Vista and 7
      • No info2 file
        • Separate metadata files for each deleted file
        • $I<6 RANDOM CHARACTERS>.<original extension> – metadata
        • $R<6 RANDOM CHARACTERS>.<original extension> – file itself
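As an added example (not part of the original wiki page), the following Python parses the $I metadata file that Vista and later write for each deletion, and pairs $I files with their $R data files by the shared random characters and extension described above. The internal $I layout (8-byte version, 8-byte size, 8-byte FILETIME, then the path, fixed 520 bytes in version 1 for Vista/7/8 and length-prefixed in version 2 for Windows 10) is the format as I understand it, not something the notes spell out; the $I bytes and the folder listing are constructed sample data.

```python
"""Parse Vista+ $I Recycle Bin metadata and pair $I/$R files. Added example;
the $I field layout is assumed, not taken from the wiki."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Assumed layout:
    version 1 (Vista/7/8): u64 version=1, u64 size, u64 FILETIME, 520-byte UTF-16LE path
    version 2 (Windows 10): u64 version=2, u64 size, u64 FILETIME,
                            u32 path length in chars, UTF-16LE path"""
    if len(data) < 24:
        raise ValueError("data too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}


def pair_bin_listing(names):
    """Given file names from a user's SID folder under $Recycle.Bin, return
    ($I name, $R name) pairs plus names with no matching partner."""
    meta = {n[2:]: n for n in names if n.startswith("$I")}
    data = {n[2:]: n for n in names if n.startswith("$R")}
    both = set(meta) & set(data)
    pairs = [(meta[k], data[k]) for k in sorted(both)]
    orphans = sorted(n for n in names if n[:2] in ("$I", "$R") and n[2:] not in both)
    return pairs, orphans


def _dollar_i(version: int, path: str, deleted: datetime, size: int) -> bytes:
    """Build a $I file body for the constructed samples below."""
    body = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    enc = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return body + enc.ljust(520, b"\x00")[:520]
    return body + struct.pack("<I", len(path) + 1) + enc


# Constructed samples (not real evidence)
SAMPLE_I_V1 = _dollar_i(1, r"C:\Users\alice\Documents\budget.xlsx",
                        datetime(2012, 6, 1, 9, 30, 0, tzinfo=timezone.utc), 51200)
SAMPLE_I_V2 = _dollar_i(2, r"C:\Users\alice\Desktop\draft.txt",
                        datetime(2020, 11, 5, 17, 45, 10, tzinfo=timezone.utc), 1337)
SAMPLE_LISTING = ["$IABC123.xlsx", "$RABC123.xlsx", "$IXYZ789.txt",
                  "$RXYZ789.txt", "$RQQQ000.pdf", "desktop.ini"]

if __name__ == "__main__":
    for blob in (SAMPLE_I_V1, SAMPLE_I_V2):
        print(parse_dollar_i(blob))
    print(pair_bin_listing(SAMPLE_LISTING))
```

An $R file with no $I partner (the constructed `$RQQQ000.pdf` above) still holds the data but has lost its original path and deletion time, so the pairing step is worth running before reporting on a bin's contents.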