Links and Tools
Windows 8 Forensics Guide
You can now find a free Windows 8 forensics guide over on the Propeller Head Forensics blog. Amanda's guide is a great way to get started learning about some of the new things that you're likely to see in Windows 8 (if you aren't already running the Consumer Review edition)
I had an opportunity to meet and listen to Christopher Ard of MS talk about some of the neat new features of Windows 8 recently at the Massachusetts Attorney General's Cyber Crime Conference. I also sat in on Chris Brown's presentation on ProDiscover, and he stated that he's working on adding support for the new ReFS file system to ProDiscover. Looks like there are lots of cool things on the horizon with Windows 8 forensic analysis.
Timelines
The Sploited blog has posted part 2 (part 1 is here) of the Forensic Timelines for Beginners series, in which they discuss creating timelines using the tools and techniques illustrated in chapter 7 of Windows Forensic Analysis Toolkit 3/e.
File System Behavior
There's an interesting thread over on the Win4n6 Yahoo Group regarding file system behavior when files are deleted, including removed from the Recycle Bin. During the thread, one of members made the statement that during some vendor training, they'd been told that when files are deleted, Windows will automatically securely wipe the files. This is, in fact, not the case, as Troy Larson clearly states during the thread.
What this does being up, as Troy says later in the thread, is that Windows systems are extremely active under the hood. During the thread, several members say that they did their own testing and found that files were not securely deleted...what this comes back to is that some files may be very quickly overwritten by normal system activity. This is something that I've pointed out in my books and presentations for some time, particularly when talking about the need for immediate response. Troy even mentions in a follow-up post that "just opening and editing a Word file creates several temporary and scratch files--more than you would image." Even with no specific user interaction, Windows systems have a great deal of activity that go on behind the scenes...look at some of the performance enhancements for XP described here, and in particular in the "Prefetch" section. Windows 7 is very similar, in that it ships with a Scheduled Task that performs a defrag once a week, and another that backups up the main Registry hives every 10 days. Add to that all of the other activity that occurs on Windows systems, and it's not surprising that some folks are seeing, on an inconsistent basis, that Windows appears to be securely wiping files upon deletion. This is very important for DF analysts to keep in mind while performing analysis and file or record carving, but also for incident responders to keep in mind, particularly when developing IR procedures...the more immediate the response, the fresher and more pristine data you will be able to preserve.
Resources
MS File System Behavior Overview
SQLite WAL Files
The DigitalInvestigation blog has an excellent post on SQLite Write Ahead Log files, and their potential as a forensic resource. I've seen these, as well, in the course of forensic impact analysis, and this is a very good read for folks who want to get a little bit familiar with what these files are all about, and how they can be useful during an examination.
Scripting
Melissa's got a very good post up that demonstrates how useful scripting skills (or "skillz") can be. Over the years that I've done infosec work, I've found that an ability to write scripts has been invaluable, and I've found that to be even more true in the DFIR realm. I once held an FTE position where I wrote a Perl script that would reach out across the enterprise, locate all systems that were turned on, query certain Registry keys and return the results to me. As I began investigating my findings, I was able to develop a white list, and within relatively short order got to the point where I could launch the script before lunch, and return to find a report that was about half a page in length.
I was able to provide a viable solution that worked extremely well in my environment (rather than fitting the problem to a commercial tool), for free.
If you're interested in trying out some of the things she demonstrates on your Windows box, check out the Resources section below.
Resources
Unix Command Line Tools for Windows
Utilities and SDK from MS
Unix Utilities
Encryption
Encryption has long been a thorn in the side for examiners. I've had a number of engagements where I was asked to acquire images of systems known to be encrypted, and more than a few where we found out after we got on-site that some of the systems employed whole disk encryption. In those cases, we opted for a live acquisition via FTK Imager (fully documented, of course). It appears that Jesse has found found a free program that can reportedly decrypt BitLocker-protected volumes.
PE Files
If you do PE analysis, check out the CorkAmi Google Code site. There's a good deal of very good information there, as well as detailed information regarding the PE file format.
You can now find a free Windows 8 forensics guide over on the Propeller Head Forensics blog. Amanda's guide is a great way to get started learning about some of the new things that you're likely to see in Windows 8 (if you aren't already running the Consumer Review edition)
I had an opportunity to meet and listen to Christopher Ard of MS talk about some of the neat new features of Windows 8 recently at the Massachusetts Attorney General's Cyber Crime Conference. I also sat in on Chris Brown's presentation on ProDiscover, and he stated that he's working on adding support for the new ReFS file system to ProDiscover. Looks like there are lots of cool things on the horizon with Windows 8 forensic analysis.
Timelines
The Sploited blog has posted part 2 (part 1 is here) of the Forensic Timelines for Beginners series, in which they discuss creating timelines using the tools and techniques illustrated in chapter 7 of Windows Forensic Analysis Toolkit 3/e.
File System Behavior
There's an interesting thread over on the Win4n6 Yahoo Group regarding file system behavior when files are deleted, including removed from the Recycle Bin. During the thread, one of members made the statement that during some vendor training, they'd been told that when files are deleted, Windows will automatically securely wipe the files. This is, in fact, not the case, as Troy Larson clearly states during the thread.
What this does being up, as Troy says later in the thread, is that Windows systems are extremely active under the hood. During the thread, several members say that they did their own testing and found that files were not securely deleted...what this comes back to is that some files may be very quickly overwritten by normal system activity. This is something that I've pointed out in my books and presentations for some time, particularly when talking about the need for immediate response. Troy even mentions in a follow-up post that "just opening and editing a Word file creates several temporary and scratch files--more than you would image." Even with no specific user interaction, Windows systems have a great deal of activity that go on behind the scenes...look at some of the performance enhancements for XP described here, and in particular in the "Prefetch" section. Windows 7 is very similar, in that it ships with a Scheduled Task that performs a defrag once a week, and another that backups up the main Registry hives every 10 days. Add to that all of the other activity that occurs on Windows systems, and it's not surprising that some folks are seeing, on an inconsistent basis, that Windows appears to be securely wiping files upon deletion. This is very important for DF analysts to keep in mind while performing analysis and file or record carving, but also for incident responders to keep in mind, particularly when developing IR procedures...the more immediate the response, the fresher and more pristine data you will be able to preserve.
Resources
MS File System Behavior Overview
SQLite WAL Files
The DigitalInvestigation blog has an excellent post on SQLite Write Ahead Log files, and their potential as a forensic resource. I've seen these, as well, in the course of forensic impact analysis, and this is a very good read for folks who want to get a little bit familiar with what these files are all about, and how they can be useful during an examination.
Scripting
Melissa's got a very good post up that demonstrates how useful scripting skills (or "skillz") can be. Over the years that I've done infosec work, I've found that an ability to write scripts has been invaluable, and I've found that to be even more true in the DFIR realm. I once held an FTE position where I wrote a Perl script that would reach out across the enterprise, locate all systems that were turned on, query certain Registry keys and return the results to me. As I began investigating my findings, I was able to develop a white list, and within relatively short order got to the point where I could launch the script before lunch, and return to find a report that was about half a page in length.
I was able to provide a viable solution that worked extremely well in my environment (rather than fitting the problem to a commercial tool), for free.
If you're interested in trying out some of the things she demonstrates on your Windows box, check out the Resources section below.
Resources
Unix Command Line Tools for Windows
Utilities and SDK from MS
Unix Utilities
Encryption
Encryption has long been a thorn in the side for examiners. I've had a number of engagements where I was asked to acquire images of systems known to be encrypted, and more than a few where we found out after we got on-site that some of the systems employed whole disk encryption. In those cases, we opted for a live acquisition via FTK Imager (fully documented, of course). It appears that Jesse has found found a free program that can reportedly decrypt BitLocker-protected volumes.
PE Files
If you do PE analysis, check out the CorkAmi Google Code site. There's a good deal of very good information there, as well as detailed information regarding the PE file format.