06 - Microsoft File Systems and The Windows Registry
Class: CYBR-405
Notes:
Artifacts of Interest: MFT
- What is an MFT?
- Master File Table
- What does the MFT do?
- Indexes files; it just keeps track of them
The $I30 System File
This is directory-level artifact persistence.
- Evidence exists in more than just the MFT.
- Directory structures themselves retain historical data.
- When the number of files or subfolders in a folder increases, Windows creates an I30 file to store the information for the additional files or folders
- The I30 files contain useful artifacts for an investigation
- The I30 file may contain residual information (name, size, and date-time values) for a deleted file
- Listings for deleted files are relocated to the end of the file
Experienced CTF Users:
- Now, Let's watch a Dive-In video using a tool to extract the I30 file and view files
- https://youtu.be/XzoYNOIJ37s?si=alMiG4xvN9to3K45&t=283
Notes:
- The MFT won't show deleted files, but this will!
- Using the Sleuth Kit (awesome forensic investigation tools) -> FTK Imager
- Hex signature:
- 494E4458 (INDX)
- You will see deleted files with a red X
- FTK Imager detects that there are $I30 indexes on the disk
- You can recover these files
- Need to use INDXParse.py, but you need to have Python installed
- Specify -c for CSV output, and give the file: ../I30
- Specify MACB timestamps -> format to show this data
- You will use -d to find entries in the slack space
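As an added example (not part of the class notes and not INDXParse.py or FTK Imager code), the following Python scans a raw byte buffer for the 494E4458 (INDX) signature and measures how much slack each index record carries, which is where entries for deleted files linger and why the -d option above matters. The record layout it assumes is the standard NTFS index-allocation record (signature at offset 0, a 16-byte index header at offset 0x18 holding entries offset, live-entry size, allocated size and flags); that layout and the 4096-byte record size are assumptions, and the image it parses is constructed in the block.

```python
"""Locate NTFS $I30 INDX records in a raw buffer and measure their slack.

Added example, not from the class notes or any tool they mention. Assumed
layout (standard NTFS INDEX_ALLOCATION record, an assumption here): bytes
0-3 hold the signature b"INDX" (hex 49 4E 44 58); at offset 0x18 an index
header holds four little-endian uint32 fields: offset of the first entry
(relative to 0x18), size of the live entries (from 0x18), allocated size of
the entry area (from 0x18), and flags. Bytes between the live-entry size and
the allocated size are slack, where stale entries for deleted files remain.
"""
import struct

INDX_SIGNATURE = b"INDX"          # 0x494E4458, the hex signature from the notes
INDEX_HEADER_OFFSET = 0x18        # index header position inside a record (assumed)
RECORD_SIZE = 4096                # typical INDX record size (assumed)


def find_indx_records(buf: bytes, record_size: int = RECORD_SIZE) -> list:
    """Return (offset, live_entry_bytes, slack_bytes) for each INDX record.

    Records are checked on record_size boundaries, the way an index
    allocation attribute lays them out, and each hit's index header is decoded.
    """
    hits = []
    for off in range(0, len(buf) - INDEX_HEADER_OFFSET - 16 + 1, record_size):
        if buf[off:off + 4] != INDX_SIGNATURE:
            continue
        hdr = buf[off + INDEX_HEADER_OFFSET:off + INDEX_HEADER_OFFSET + 16]
        entries_off, entries_size, alloc_size, _flags = struct.unpack("<IIII", hdr)
        # Live entries occupy [entries_off, entries_size); everything from
        # entries_size up to alloc_size is slack that may still hold old entries.
        slack = max(alloc_size - entries_size, 0)
        hits.append((off, entries_size - entries_off, slack))
    return hits


def build_sample_record(entries_size: int, alloc_size: int) -> bytes:
    """Constructed INDX record for demonstration (not real disk data)."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = INDX_SIGNATURE
    struct.pack_into("<IIII", rec, INDEX_HEADER_OFFSET, 0x28, entries_size, alloc_size, 0)
    return bytes(rec)


# Constructed image: one INDX record, one record of zeros, and a second INDX
# record whose live-entry area has shrunk (entries removed), leaving more slack.
SAMPLE_IMAGE = (
    build_sample_record(entries_size=0x400, alloc_size=0xFE8)
    + bytes(RECORD_SIZE)
    + build_sample_record(entries_size=0x0A0, alloc_size=0xFE8)
)

if __name__ == "__main__":
    for off, live, slack in find_indx_records(SAMPLE_IMAGE):
        print(f"INDX record at 0x{off:X}: {live} bytes live entries, {slack} bytes slack")
```

A record with a large slack region relative to its live entries is the one worth carving: the deleted listings the notes describe sit in that slack, after the live entries, until the record is reused.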
$UsnJrnl System File
The Update Sequence Number Journal logs file system changes.
- Think of it as: A change log for NTFS. It records: File created; File deleted; File renamed; File modified
- Why it's powerful:
- Even if the file is gone, the journal may show: That it existed When it changed What kind of change occurred (Create-Delete-Change - with timestamps)
$UsnJrnl answers the "WHEN" and "WHAT happened" questions very well. Holds 20 days max
CTF Users: C:\Windows\system32> fsutil usn readjournal c:
- The Update Sequence Number Journal ($UsnJrnl) provides a log of actions performed on a file
- Figure 6-31: Hexadecimal view of a $J file
Notes:
- It does the same thing, file created/deleted/modified
- You can find files in this way
- This will also help prove that there were files once
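The hexadecimal view in Figure 6-31 is a stream of USN records. As an added example (not from the class notes, and not fsutil output), this Python decodes such records from a byte buffer to answer the "what changed and when" question. It assumes the documented Windows USN_RECORD_V2 layout and a subset of the documented reason flags; the $J bytes it parses are constructed inside the block, with a zero gap between records to mimic the sparse regions a real $J contains.

```python
"""Decode USN_RECORD_V2 entries like those stored in $UsnJrnl:$J.

Added example, not from the class notes. Assumed record layout (the
documented Windows USN_RECORD_V2 structure): RecordLength u32, MajorVersion
u16, MinorVersion u16, FileReferenceNumber u64, ParentFileReferenceNumber
u64, Usn u64, TimeStamp FILETIME u64 (100 ns ticks since 1601-01-01 UTC),
Reason u32, SourceInfo u32, SecurityId u32, FileAttributes u32,
FileNameLength u16, FileNameOffset u16, then the UTF-16LE name; records are
8-byte aligned.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<IHHQQQQIIIIHH")   # 60-byte fixed header
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of the documented USN reason flags (assumed from the Windows SDK)
REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME (100 ns ticks) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_reasons(mask: int) -> list:
    return [name for bit, name in sorted(REASONS.items()) if mask & bit]


def parse_usn_records(blob: bytes) -> list:
    """Walk a $J byte stream and return one dict per V2 record."""
    out, off = [], 0
    while off + HEADER.size <= len(blob):
        (length, major, _minor, frn, parent, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = HEADER.unpack_from(blob, off)
        if length == 0:             # zero fill between records: step past it
            off += 8
            continue
        if major != 2 or length < HEADER.size:
            raise ValueError(f"unsupported record at offset {off}")
        name = blob[off + name_off:off + name_off + name_len].decode("utf-16-le")
        out.append({
            "usn": usn,
            "time": filetime_to_datetime(ts),
            "name": name,
            "mft_entry": frn & 0xFFFFFFFFFFFF,       # low 48 bits = MFT record number
            "parent_entry": parent & 0xFFFFFFFFFFFF,
            "reasons": decode_reasons(reason),
        })
        off += length
    return out


def build_record(usn: int, ts_ft: int, reason: int, frn: int, parent: int, name: str) -> bytes:
    """Constructed V2 record (demo data, not from a real journal)."""
    name_b = name.encode("utf-16-le")
    raw_len = HEADER.size + len(name_b)
    length = (raw_len + 7) & ~7                   # pad to 8-byte alignment
    hdr = HEADER.pack(length, 2, 0, frn, parent, usn, ts_ft, reason,
                      0, 0, 0x20, len(name_b), HEADER.size)
    return hdr + name_b + bytes(length - raw_len)


# 2024-01-15 10:00:00 UTC as a FILETIME (integer arithmetic avoids float loss)
_delta = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc) - FILETIME_EPOCH
T0 = (_delta.days * 86400 + _delta.seconds) * 10_000_000
_FRN, _PARENT = 0x0001000000000029, 0x0005000000000005   # constructed references
SAMPLE_J = (
    build_record(0x1000, T0, 0x00000100, _FRN, _PARENT, "flag.txt")                 # create
    + build_record(0x1050, T0 + 10_000_000, 0x80000102, _FRN, _PARENT, "flag.txt")  # extend+close
    + bytes(16)                                                                     # zero gap
    + build_record(0x10A0, T0 + 20_000_000, 0x80000200, _FRN, _PARENT, "flag.txt")  # delete+close
)

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_J):
        print(r["time"].isoformat(), r["name"], r["mft_entry"], ",".join(r["reasons"]))
```

The three records show the pattern the notes call Create-Delete-Change with timestamps: the file still has a journal trail (name, MFT entry number, each change and when) after it no longer exists on disk.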
Artifacts of Interest: Registry
- "It is really a database"
Understanding the Windows Registry
- Registry is a database that stores hardware and software configuration information, network connections, user preferences, and setup information
- The Registry can contain valuable evidence for an investigation
- Viewing the Registry files from a static acquisition requires special tools such as FTK Registry Viewer, Autopsy, X-Ways Forensics, and others
Notes:
- Contains the glue for your OS
- Uses a set of keys and values stored in folders
- It does have a lot of great things stored in it
- Most forensics tools will take care of looking for things in it
- Each key has a data value
- It could be binary, text, hex, or other stuff
- It has all sorts of information
- Software execution
- Hardware (USBs, etc...)
Data Types in the Registry
- The Registry is a hierarchical structured database that contains the following data types:
- Keys that are like folders on a disk partition
- Subkeys are like sub-folders that contain values like data and references to files
- The data types found in keys and subkeys are shown in Table 6-11 in the text (next slide)
- The Registry is not just configuration... it's behavioral evidence.
- It shows what programs ran.
- It shows USB devices connected.
- It shows user preferences.
- Registry hives must be parsed with specialized tools.
Registry Organization
- Registry is structured like folders and subfolders
- Keys=Folders
- Values = data entries
- Contains:
- System configuration
- User activity
- Software Execution
- Device History (USB, etc.)
Exploring the Organization of the Windows Registry
| File name and location | Purpose of file |
|---|---|
| Users\user-account\Ntuser.dat | User-protected storage area; contains the list of most recently used files and desktop configuration settings |
| Windows\system32\config\Default.dat | Contains the computer's system settings |
| Windows\system32\config\SAM.dat | Contains user account management and security settings |
| Windows\system32\config\Security.dat | Contains the computer's security settings |
| Windows\system32\config\Software.dat | Contains installed programs' settings and associated usernames and passwords |
| Windows\system32\config\System.dat | Contains additional computer system settings |
| Windows\system32\config\systemprofile | Contains additional ntuser information |
User Assist
UserAssist tracks:
- Programs a user has executed via GUI.
- Important:
- Stored under NTUSER.DAT (user hive)
- Entries are ROT13 encoded
- Why investigators love it:
- Shows what applications a user launched
- Often includes run count
- Includes timestamps
This answers:
- WHO used WHAT program and WHEN.
https://www.youtube.com/shorts/0CkIo3FAW_U
Notes:
- Includes what applications were run
- Shows timestamps
- ROT13 cipher:
- Returns each letter of the alphabet shifted by 13 positions
- Takes the modulo operation (the remainder) so the shift wraps around at Z
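As an added example (not from the class notes and not a tool's code), the following Python decodes UserAssist entries the way an investigator reads them: the value name is un-ROT13'd with the shift-by-13, modulo-26 rule described above, and the run count and last-execution time are pulled from the value data. The 72-byte value layout (run count at offset 4, FILETIME at offset 60) is the commonly documented Windows 7 and later format and is an assumption here; the entries parsed are constructed in the block, and the GUID prefix in one name is a placeholder, not a real known-folder id.

```python
"""Decode UserAssist entries from NTUSER.DAT: ROT13 names, run count, last run.

Added example, not from the class notes. ROT13 uses the shift-13 modulo-26
rule the notes describe. The 72-byte value layout for Windows 7 and later
(run count at offset 4, focus count at offset 8, last-execution FILETIME at
offset 60) is assumed from the commonly documented format; sample data below
is constructed, not taken from a real hive.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text: str) -> str:
    """Shift each ASCII letter 13 places, wrapping with modulo 26; keep everything else."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)          # digits, braces, backslashes and dots are untouched
    return "".join(out)


def parse_userassist_value(raw: bytes) -> dict:
    """Extract run count, focus count and last run from a Win7+ value (assumed layout)."""
    if len(raw) < 68:
        raise ValueError("UserAssist value too short for the Win7+ layout")
    run_count = struct.unpack_from("<I", raw, 4)[0]
    focus_count = struct.unpack_from("<I", raw, 8)[0]
    last_ft = struct.unpack_from("<Q", raw, 60)[0]
    last_run = None if last_ft == 0 else FILETIME_EPOCH + timedelta(microseconds=last_ft // 10)
    return {"run_count": run_count, "focus_count": focus_count, "last_run": last_run}


def decode_userassist(entries: dict) -> list:
    """entries maps ROT13-encoded value names to raw value bytes; returns decoded rows."""
    rows = []
    for enc_name, raw in entries.items():
        row = {"program": rot13(enc_name)}
        row.update(parse_userassist_value(raw))
        rows.append(row)
    return rows


def build_value(run_count: int, last_run: datetime) -> bytes:
    """Constructed 72-byte value for demonstration."""
    delta = last_run - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    buf = bytearray(72)
    struct.pack_into("<I", buf, 4, run_count)
    struct.pack_into("<Q", buf, 60, ft)
    return bytes(buf)


# Constructed sample; names are stored ROT13-encoded just as Windows does it.
# The braced GUID is a placeholder standing in for a known-folder id.
SAMPLE_ENTRIES = {
    rot13(r"C:\Tools\flag_viewer.exe"):
        build_value(7, datetime(2024, 3, 2, 14, 30, tzinfo=timezone.utc)),
    rot13(r"{PLACEHOLDER-KNOWN-FOLDER-GUID}\notepad.exe"):
        build_value(3, datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for row in decode_userassist(SAMPLE_ENTRIES):
        print(row["program"], row["run_count"], row["last_run"])
```

Applying rot13 twice returns the original text, which is why the same function both encodes the constructed sample and decodes it; that is also why ROT13 provides no protection, only obscurity.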
Artifacts of Interest: Links
- Shortcuts in your desktop
LNKs
This is one of the best Windows artifacts.
A .lnk file can contain:
- Original file path
- Timestamps
- Volume serial number
- Network share info
- Sometimes MAC address
Even if:
- The original file is gone
- The USB drive is removed
- The LNK may remain
Provides:
- Same Name (generally)
- Location when it was open
- Date First Open (created)
- Date Last Open (modified)
Notes:
- In some CTFs, they put the flag in the shortcut!
- The file didn't exist, but the link did, and you could get the flag from it
LNK files are one of the best tools for the forensic investigator because they show which files a user accessed and when even if the file is no longer on the computer
LNK files can be found in multiple locations
- Shortcuts
- LNK Files
- Jumplist
- Web Browsers
Artifacts of Interest: Prefetch
- Preload things on memory to make things faster
Prefetch
- To help reduce the time it takes to load an application into memory in Windows, Microsoft has implemented the Prefetch function
- The first time an application is run, the OS will create a prefetch file for it
- The next time the application is run, Windows preloads the necessary links to other data or executable files into memory
- The contents of a prefetch file can reveal the following:
- When an application was installed, how many times the application had been run, dates and time it was run, and data that was accessed by the application
Prefetch is: execution evidence.
- Windows creates a .pf file the first time a program runs.
- Prefetch contains:
- Program name
- Hash of path
- Last 8 run times
- Run count
- Files accessed by program
- Prefetch proves execution on that system.
Notes:
- Prefetch can give you some execution proof to prove that a service ran.
- Prefetch can be disabled.
- Server versions of Windows often have it off.
Artifacts of Interest: Logs
- Tell you who logs in and logs out, and when
Event Logs
Logs maintain a historical record of things that happen on a computer or other information system.
Most computers (OS) have several different types of event logs, but the four used most often are:
- Application - what a program does
- System - what the computer does
- Security - logins/logoffs
- Office Alerts - Office Documents
Security log is often most important:
- Logons
- Logoffs
- Failed Attempts
- Privilege use
This answers: WHO logged in and WHEN
Browser Logs
Each web browser keeps a set of activity logs which contain
- URL of web pages visited
- Date and times of visit
- Number of times visited (not always accurate)
- Downloaded items
- Cached passwords/credentials
And some record file activity -
- Name of file
- Location
- Date/time viewed
Notes:
- On CTFs you always need to check browser history if you are given access to a browser session
- You can find a flag there!
Browser History Logs
| Location | File Name |
|---|---|
| C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\History | History (sqlite) |
| C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\[profile folder name] | places.sqlite |
| C:\Users\[username]\AppData\Local\Microsoft\Edge\User Data\Default | History (sqlite) |
SQLite (battlefield tested):
- https://www.youtube.com/shorts/2vx6FTvzRCI
Notes:
- SQLite is lightweight and easy to use
- It is not a gigantic database of information, but you can run queries very quickly and easily
- In SQLite, even with lots of records, it will still be relatively fast
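As an added example (not from the class notes), the following Python shows the query an investigator runs against the Chrome or Edge History file listed in the table. It builds an in-memory SQLite database with the two tables every Chromium History file carries (urls and visits, column subset assumed from the public Chromium schema), fills it with constructed rows, and reads a visit timeline out of it. Chromium stores times as microseconds since 1601-01-01 UTC, so a conversion helper is included; the visit count is also recomputed from the visits table because, as the notes say, the stored count is not always accurate.

```python
"""Query a Chromium-style History database the way a browser-log review does.

Added example, not from the class notes. The urls/visits schema is a subset
of the public Chromium History schema (assumed); the rows are constructed.
Chromium timestamps are microseconds since 1601-01-01 UTC.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                   visit_count INTEGER, typed_count INTEGER,
                   last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                     visit_time INTEGER, from_visit INTEGER, transition INTEGER);
"""


def to_webkit(dt: datetime) -> int:
    """Aware datetime -> microseconds since 1601-01-01 (integer arithmetic)."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def from_webkit(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def open_history(path: str = ":memory:") -> sqlite3.Connection:
    """Open a History file; copy the real one out first, since the browser keeps it locked."""
    return sqlite3.connect(path)


def load_constructed_history(conn: sqlite3.Connection) -> None:
    """Populate the schema with constructed rows (demo data, not a real profile)."""
    conn.executescript(SCHEMA)
    base = datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc)
    urls = [
        (1, "https://example.test/login", "Sign in", 3, 1, to_webkit(base + timedelta(minutes=45))),
        (2, "https://example.test/files/flag.txt", "flag.txt", 1, 0, to_webkit(base + timedelta(minutes=20))),
        (3, "https://search.test/?q=forensics", "forensics - search", 2, 2, to_webkit(base + timedelta(minutes=5))),
    ]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,0)", urls)
    visits = [                      # (id, url id, visit_time, from_visit, transition)
        (1, 3, to_webkit(base), 0, 0),
        (2, 1, to_webkit(base + timedelta(minutes=2)), 1, 0),
        (3, 3, to_webkit(base + timedelta(minutes=5)), 0, 0),
        (4, 2, to_webkit(base + timedelta(minutes=20)), 2, 0),
        (5, 1, to_webkit(base + timedelta(minutes=30)), 0, 0),
        (6, 1, to_webkit(base + timedelta(minutes=45)), 0, 0),
    ]
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", visits)
    conn.commit()


def visit_timeline(conn: sqlite3.Connection) -> list:
    """Every visit in time order with URL, title and the stored (untrusted) visit count."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, u.visit_count
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    return [(from_webkit(t).isoformat(), url, title, count) for t, url, title, count in rows]


def visits_per_url(conn: sqlite3.Connection) -> dict:
    """Count visits from the visits table itself rather than trusting urls.visit_count."""
    rows = conn.execute("""
        SELECT u.url, COUNT(*) FROM visits v JOIN urls u ON u.id = v.url GROUP BY u.url
    """).fetchall()
    return dict(rows)


if __name__ == "__main__":
    conn = open_history()
    load_constructed_history(conn)
    for ts, url, title, count in visit_timeline(conn):
        print(ts, url, title, count)
    print(visits_per_url(conn))
```

Against a real profile, pass the copied History file path to open_history; the same two queries apply because Chrome and Edge share the Chromium schema. Firefox's places.sqlite uses different table names (moz_places, moz_historyvisits) and microseconds since the Unix epoch, so the conversion differs there.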
Artifacts of Interest: Memory
- When you lose power, you lose volatile information
RAM Acquisition
Now we move into volatile memory.
RAM capture contains:
- Running processes
- Open files
- Encryption keys
- Passwords
- Network connections
Memory is:
- Unstructured
- Time-sensitive
Important: If you power off a system, you lose this.
Notes:
- Memory is unstructured and time-sensitive
- Clipboard more than likely is gone after a restart
- Don't worry about this, there are tools to make this easy
Hiberfil.sys / Pagefile.sys
Hiberfil.sys:
- Snapshot of RAM when system hibernates.
Pagefile.sys:
- Virtual memory spillover.
- May contain historical artifacts.
Why investigators care:
- These can contain remnants of:
- Chat messages
- Passwords
- Decrypted content
- Browser fragments
Artifacts of Interest: Shadow
- Restore from a point in time
Volume Shadow Snapshots
Windows automatically creates restore points.
These are snapshots in time.
- They may contain:
- Older versions of files
- Deleted files
- Historical registry states
This is extremely valuable for: Timeline reconstruction.
https://www.youtube.com/shorts/gAMaeyLOKYY
Notes:
- Volume Shadow Copies are a backup mechanism for Windows, but they are also a gold mine for forensic investigators
- We have to get things back up and running as quickly as possible, sometimes they do not care about forensics!
Recycle Bin
Deleted files go to: $Recycle.Bin
Windows:
- Renames file
- Stores metadata
Artifacts include:
- Original Path
- Deletion Time
- File Size
Even if user empties recycle bin:
- Data remnants may still exist in the MFT or in unallocated space
Investigative Questions
This is Forensics
EVERYTHING ties back to:
- Who
- What
- When
- Where
- Why
- How
Each artifact answers different pieces of that puzzle.
EVERYTHING ties back to:
- MFT → What existed
- $UsnJrnl → What changed and when
- Registry → What user did
- LNK → What user accessed
- Prefetch → What executed
- Event Logs → Who logged in
- Browser Logs → What user browsed
- Memory → What was active
- Shadow Copies → What changed over time
BitLocker
BitLocker / Whole Disk Encryption
- Loss of personal identity information (PII) and trade secrets through computer theft has become more of a concern
- Whole disk encryption tools offer the following features:
- Preboot authentication
- Full or partial disk encryption with secure hibernation
- Advanced encryption algorithms
- Key management function
- To examine an encrypted drive, decrypt it first
Notes:
- IT people sometimes use the same kind of encryption for every piece of information
- In order to do this you need to have the Trusted Platform Module (TPM), which generates random encryption keys
- Getting more critical nowadays
- CloudFlare generates a key based on the location of bubbles in a big lava lamp!
- Yes, there are tools to try to bypass this encryption but it is hard.
Examining Microsoft BitLocker
- BitLocker is Microsoft's utility for protecting drive data
- Hardware and software requirements are as follows:
- A computer capable of running Windows Vista or later
- The TPM microchip, version 1.2 or newer
- A computer BIOS compliant with Trusted Computing Group (TCG)
- Two NTFS partitions
- The BIOS configured so that the hard drive boots first before checking other bootable peripherals
Examining Third-Party Disk Encryption Tools
- BitLocker can only encrypt NTFS drives
- If you want to encrypt a FAT drive, you need a third-party solution
- Available third-party WDE utilities include the following:
- Broadcom Endpoint Encryption
- Jetico BestCrypt Volume Encryption