Monday, August 14, 2017

Memory Acquisition and Virtual Secure Mode

Starting in Windows 10 and Server 2016, Microsoft added the option to enable various forms of virtualization-based security (VBS).  This feature suite currently includes Credential Guard, Device Guard, Application Guard, and more.  All of these optionts leverage virtual secure mode (VSM), which includes a secure kernel and secure user mode component and is made possible through the use of a hypervisor.  On the forensics side, encountering a system with virtual secure mode or some form of virtualization-based security enabled can have an impact on your investigation.  This post is about one of the more significant impacts I’ve seen thus far: memory acquisition.

Physical memory is commonly acquired using a software-based memory acquisition tool such as winpmem, DumpIt, Magnet RAM Capturer, FTK Imager, or one of the several other options available.  These tools typically load a device driver into the kernel and subsequently read memory through mapping the \\Device\PhysicalMemory object, using a function such as MmMapIoSpace, or directly manipulating the page tables.  Many of these tools also share a similar trait: their use on a system with virtual secure mode enabled results in a system crash.

Result of attempted memory acquisition
Clearly, a BSOD while attempting to acquire physical memory from a system is not ideal.  If the system is an end-user machine, you will likely be left with a frustrated user (not to mention the obvious impact on your memory dump).  If the system is a more critical piece of the organization such as a server, the consequences of a system crash could extend well beyond the impact on your memory dump.  One way to avoid this scenario is to first determine whether virtual secure mode is enabled.

One of the easiest ways to determine if VSM is enabled on a live system is to check whether the “Secure System” process is running.  This is the process associated with the secure kernel and, in my experience, serves as the “trigger point” as to whether a system will crash when running several memory acquisition tools.  Simply put, if the “Secure System” process is running, make sure you are using a tool that plays nice with virtual secure mode.

Task Manager view of system with VSM enabled

Most of the memory acquisition tools I've tested on a system with VSM enabled result in a system crash shortly after the acquisition driver is loaded.  The tested tools include multiple versions of winpmem, Magnet RAM Capturer, FTK Imager, and older versions of DumpIt.  The table below lists some of the unsuccessful tools I've identified.  I should note that the DumpIt v3 issue was not necessarily related to VSM; rather, it was a lack of an EV certificate that prevented the DumpIt driver from loading in the first place.

Acquisition tools that failed with VSM enabled

Fortunately, there are tools that currently dump memory even when VSM is enabled.  The tools I’ve identified at this point are Belkasoft RAM Capturer, Comae Technologies' DumpIt v3.0.20170620, and Passmark osforensics v5.1.1001.  There are also some tools that I have not yet been able to test due to licensing issues or otherwise.  These include options such as WindowsSCOPE and the combination of F-Response with a separate acquisition tool.  If anyone has a specific tool or version they would like to see tested, let me know and I'd be happy to give it a shot and report the results as long as the tool is available to me.  

Monday, April 18, 2016

Fun with Recycle Bin $I Files & Windows 10

A few weeks back, I found myself in need of a free tool to parse $I files from Windows Vista+ recycle bins.  For anyone needing a refresher, $I files store metadata regarding the act of sending a file to the recycle bin in Windows Vista and later.  These $I files essentially replace the functionality of the INFO2 file used in Windows XP and store information such as the name and original path of a file before it was sent to the recycle bin as well as the time the file was sent to the recycle bin.  The file format itself is trivial to manually parse in a hex editor, but I wanted to be able to demonstrate the value of the $I files to students in a class I was teaching without the need for a hex editor.  I also wanted the students to be able to easily parse these files on their own.  I was aware of a couple of free tools that parse $I files, but couldn't find one that was exactly what I was looking for - so I decided to write one and provide it to my students. I doubt that I'm the only one to encounter this, so I've released this simple $I file parser in case someone else finds that they have a need for it.  The link is at the bottom of this post for those interested.

One of the intriguing things I came across in writing this tool is that $I files from Windows 10 recycle bins vary slightly from those in Vista through 8.1.  The change is not significant, but it is enough to potentially throw off some $I file parsers.  The slight change also provides us with the ability to distinguish between $I files originating from a Windows 10 system and those originating from a Vista/7/8/8.1 system.  This piece of information could be important in some instances.  For example, if you encounter an $I file in the unallocated space of a Windows 10 system, you could determine if that file was an artifact from a previous non-Windows 10 installation.  Given the ability to distinguish Windows 10 $I files from previous versions, I've included a version field in the output of my $I file parser so that this information is reported.

The difference I've noted between the Windows 10 $I file structure and that from previous versions of Windows is detailed below.

Windows 10 $I structure
$I structure prior to Windows 10

As you can see, the only structural change in the Windows 10 version appears to be the addition of the file name length field at offset 24.  This will typically result in $I files from Windows 10 systems being smaller than in prior versions since the $I file is only as large as it needs to be.  In prior versions, each $I file was a static 544 bytes.  While not structural, another change can be found in the header/version field.  The header field for Vista, 7, 8, and 8.1 is 0x01, while this field is 0x02 for Windows 10.  This makes it very easy to distinguish between the two versions when parsing.

For those interested, the link to download my $I file parser can be found on the download page here.

Thursday, July 16, 2015

Adobe Reader's Not-So-cRecentFiles

Version 11.0.07 of Adobe Reader, released in May 2014, introduced some interesting changes that can impact forensic examination.  With previous versions of Reader for Windows, the cRecentFiles subkey found in the Acrobat Reader subkeys of an NTUSER.DAT hive provided an examiner with the five most recent files accessed by Adobe Reader.  Information about these files was divided into five subkeys named “c1”, “c2”, “c3”, etc., with each subkey containing a bit of information about the accessed file.  Version 11.0.07 of Adobe Reader expanded this capability, tracking much more than just the five most recently accessed files.  Additional information is also recorded about each accessed file, as well as a list of the five most recently accessed folders.

The screenshot below shows the new look of the “c#” subkeys that store information about recent files accessed in Adobe Reader version 11.0.07 and above.  Note that the full path to these subkeys is found in a user's NTUSER.DAT hive under "\Software\Adobe\Acrobat Reader\<version>\AVGeneral\cRecentFiles\c#".
Values in a cRecentFiles\c# subkey
The new values added to the "cRecentFiles\c#"subkeys are “sDate”, “uFileSize”, and 
sDate value data
“uPageCount”.  The “uFileSize” and “uPageCount” are pretty self-explanatory, storing the size of the file in bytes and the number of pages in the accessed file, respectively.  The “sDate” value stores the last time that the file was accessed in Adobe Reader.  The “sDate” value type is REG_BINARY, but the value data holds a simple ASCII string of the timestamp.  Interestingly, the time zone offset of the system at the time the file is opened is included in the “sDate” value data.  If the time zone of the system is changed, the offset included in the “sDate” value is reflected accordingly for files that are later opened in Adobe Reader.  This provides examiners with a more more granular view of when files were accessed in Adobe Reader, as previous versions only allowed us to determine the last time the most recent PDF was accessed.

The five most recently accessed folders are also tracked by Adobe Reader version 11.0.07 and later in a "cRecentFolders" subkey under "HKCU\Software\Adobe\Acrobat Reader\<version>\AVGeneral".  Recently accessed folders are maintained in a
Values in a cRecentFolders\c# subkey
similar fashion as the recently accessed files, but the level of detail associated with each accessed folder is pretty minimal.  Each "c#" subkey provides us with the name and path of the accessed folder via the tDIText (or sDI) value, and we can correlate the Last Write time of the cRecentFolders subkey with time that the most recent folder was accessed.  

Perhaps the most significant change from a forensic perspective in Adobe Reader version 11.0.7 and later is the alteration to the number of files tracked in the cRecentFiles subkey.  Instead of the most five most recent files that are tracked in previous versions, Adobe Reader 11.0.7 appears to track the 50 most recently accessed files.  In version 11.0.9, the maximum number of recently accessed files jumps to 100.  After testing the current version of Adobe Reader DC, 100 still appears to be the maximum.  This means that you could have up to 100 “c#” subkeys under the cRecentFiles key!  After 100 documents have been accessed, the subkeys will be reused in a FIFO fashion as seen in previous versions of Adobe Reader (e.g. the contents of subkey c100 will be removed and replaced with the contents of c99).

cRecentFiles with 100 subkeys
Examiners should be aware of this additional functionality in Adobe Reader in order to take advantage of the historical information it provides.  The cRecentFiles subkey from a user's active NTUSER.DAT hive can provide a nice list of files accessed by Adobe Reader.  With later versions storing up to 100 "recently" accessed files, the cRecentFiles subkeys could end up storing files that were not-so-recently accessed as well.  Further, when combined with previous versions of the user's NTUSER.DAT hive from volume shadow copies, an examiner may be provided with quite a detailed history of files accessed using Adobe Reader. 

Wednesday, February 4, 2015

Leveraging the DeviceContainers Key

If you've ever examined registry artifacts related to a particular USB device, you've probably come across a value called "ContainerID".  For example, a flash drive's instance ID subkey of the USBSTOR key includes a ContainerID value.  Prior to Windows 8, a device's Container ID was probably of little interest to an examiner. However, beginning with Windows 8, a device's Container ID can be used to help profile a specific device and corroborate findings from other locations.  The CurrentControlSet\Control\DeviceContainers key of the SYSTEM hive on a Windows 8 machine holds a wealth of information, broken down by Container ID, about devices connected to the system.

Before dissecting the DeviceContainers subkey, it's important to understand what a container ID represents in the first place.  Starting with Windows 7, container IDs were used to identify a physical device on the system.  This Windows Dev Center page describes a container ID as "a system-supplied device identification string that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer."  This "system supplied identification string" is a GUID and is referenced in various locations, including the Enum\USBSTOR and Enum\USB subkeys of the SYSTEM hive, as the "ContainerID".  One thing to keep in mind is that all physical devices should be assigned a ContainerID - not just storage devices.  This means that when digging into the DeviceContainers key, many of the devices listed may be something other than storage devices (e.g. monitors, external speakers, keyboards, etc.).

DeviceContainers\ContainerID subkey structure
The screenshot on the right is an example of what you might see when browsing a device's DeviceContainers subkey.  The top node as well as the subkey to the BaseContainers key is named by the ContainerID value (the same one found in the USBSTOR key).  The Properties subkey contains eight different sets of.... well, properties.  The idea of useful information being found in a set of "Properties" subkeys is not new; Harlan blogged about the Properties subkeys within the USBSTOR key here and Yogesh Khatri wrote about it here as well.  This is a different set of properties, however, than what is found in the USBSTOR key.

While there are numerous bits of data available in the Properties subkey, I will only highlight a few of the items that may prove useful in a typical forensic examination. The table below summarizes some of the information about a device that is available from the DeviceContainers key.  As you can see, the device instance ID, "DeviceContainer_ModelName", and "DeviceContainer_PrimaryCategory" properties are available here in addition to two 64-bit FILETIME properties.  The "DeviceContainer_ModelName", and "DeviceContainer_PrimaryCategory" properties are defined in the devpkey.h file of the Windows 8.1 SDK.  In addition to the property subkey listed in the table below, the device instance ID is also available in the subkey named by the device's Container ID within the BaseContainers key.

The device instance ID is a valuable piece of information, as it contains the VID and PID of a device as well as the serial number or unique identifier of the device.  For example, when connecting a flash drive to a Windows 8.1 system, I found "USB\VID_090C&PID_1000\1009070810017910" to be the device instance ID associated with the flash drive.  In this case, you can see that "1009070810017910" is the serial number of the flash drive; this information can be corroborated with the USB and USBSTOR keys as well.

The DeviceContainer_ModelName helps describe the device - similar to the FriendlyName value of the USBSTOR key.  Examples of what I have seen in this property are "My Passport 0730", "iPhone", and "USB DISK".  The DeviceContainer_PrimaryCategory helps describe the purpose of the device.  Some examples of what I have noted in this property are "Storage", "Audio", and "Display Monitor".

There are also two 64-bit FILETIME timestamps that appear to be consistent with the first time the device was connected to the system.  Specifically, the "3464f7a4-2444-40b1-980a-e0903cb6d912\0007" property appears to contain the time the device driver installation started, while the "3464f7a4-2444-40b1-980a-e0903cb6d912\0008" property appears to contain the time the device driver installation completed.  This theory is supported by the file, which includes the start and end time of device driver installations.  Interestingly, these two timestamps are slightly different than the Install and First Install timestamps found in other Properties subkeys in the registry. Unfortunately I have not yet found a precise definition - such as that from a Windows SDK - for what these two timestamps officially represent.

One of the nice things about the DeviceContainers key is that it appears to group all physical devices that have been connected to a system into one place.  If an examiner is focusing solely on the USBSTOR key, he or she may miss the fact that an MTP device was connected or that a hard drive was connected using something other than USB.  While the DeviceContainers key may not necessarily provide information that cannot be found elsewhere, it serves as yet another source to help examiners corroborate findings from other locations on the system and may be critical in cases where the ordinary sources of device-related information are not available.  

Friday, February 21, 2014

Office 2013: More MRUs

Microsoft Office 2013 continues to yield very interesting artifacts related to user activity. Harlan recently posted about the "PendingChanges" subkeys in relation to PowerPoint, and I have previously posted about MS Word's "Reading Locations" subkeys as well as the last saved location metadata in Excel 2013 spreadsheets.  The registry, specifically the NTUSER.DAT hive, has been particularly interesting in terms of the Office 2013-related information it stores.   

In Harlan's earlier post, he identified references to the PowerPoint presentation he had opened in PowerPoint 2013 in the "File MRU" and "Place MRU" subkeys of "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\User MRU\LiveId_xxx". The "File MRU" and "Place MRU" subkeys appear to track files and directories recently accessed by the application, with the "Item 1" value corresponding to the most recently accessed item, "Item 2" the next most recently accessed, etc..

Office 2013 Sign in Option
When a user is not signed into a Live ID account, references to the files and directories recently accessed by PowerPoint, Word, and Excel are stored in the "HKEY_CURRENT_ USER\Software \Microsoft\Office\15.0\[programName]\File MRU" and "HKEY_ CURRENT_USER\Software \Microsoft\Office\15.0\ [programName]\Place MRU" subkeys.  When a user signs into a Live ID account (using the Office 2013 sign in option), the recently accessed files and directories appear to be tracked in "HKEY_ CURRENT_USER\Software\Microsoft\Office \15.0\[programName]\User MRU \LiveId_xxx\" under the respective File and Place MRU subkeys.

Interestingly, it appears that a new LiveId_xxx subkey is created each time a new Live ID account is signed in to through the Office 2013 interface.  Based on my limited testing thus far, the File and Place MRUs of each LiveId_xxx subkey appear to be updated independently from one another (updates depend on which Live ID account is signed in) as well as independent from the File and Place MRUs maintained when a user is not signed into a Live ID account.  This means that you could see multiple sets of File and Place MRUs per application, all within a single NTUSER.DAT hive!

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel Subkey

As Harlan mentioned in his previous post, each Item # value in the File and Place MRU subkeys should contain data similar to "[F00000000][T01CF2DF40FEB4220][O00000000]*Z:\Files\Presentation1.pptx", with the value in the second set of brackets being a FILETIME structure that corresponds to the last time the file or directory was accessed from the application.  This means that not only do we have an independent File and Place MRU subkey for each Live ID account that signed in to the system (as well as a File and Place MRU for when the user is not signed into a Live ID account), but we are also provided with the last time each item within each MRU list was accessed.  

Regardless of whether a Live ID account was signed in or which Live ID account was used to access a file, usage history still appears to be recorded in the familiar RecentDocs subkey as well as the application's associated jump list.  These artifacts can serve to provide a file access history (regardless of the Live ID account used to access the file) as well as to help correlate and confirm data located in other artifacts.

Based on initial testing, the File and Place MRU list per Live ID account does not appear to be updated properly on Windows 7 running Office 2013.  More research will be necessary to determine the value and reliability of this artifact under Windows 7. The majority of my testing as it relates to the File and Place MRUs has been with Windows 8.1, which appears to be consistent in updating the appropriate MRU list.  I've only tested the addition of Live ID-associated File and Place MRUs with Word, Excel, and PowerPoint 2013, so the differences in MRUs as compared to previous versions of Office likely extend beyond these three applications.

Thursday, February 13, 2014

VSC Toolset Update

I've made various updates to VSC Toolset since its last public release in September 2012 and wanted to write a quick post about some of the updates for those interested. The most significant additions to the tool have been two new batch scripts: one for comparing the contents of a directory between two VSCs and one for extracting the USB device connection and disconnection events from one or more VSCs (based on the event log and Event IDs detailed here).  There have also been numerous user interface and general usability enhancements made to the tool.  Read on for more details, or you can skip to the VSC Toolset page to download the latest version.

CompareDirectory Batch Script

It can be helpful to see how the contents of a directory have changed over time.  For example, identifying how an employment contract has been updated, not updated, or even created and deleted over a period of time can be critical in accomplishing the goals of your examination.  VSC Toolset previously supported (and still supports) running a batch script utilizing diff.exe to compare two VSCs, but that may be overkill in many cases.  Being able to specify a particular directory for comparison is much quicker and helps to eliminate the noise found in the output of running diff.exe against the entire VSC.

The "CompareDirectory" batch script addition to VSC Toolset works by first creating a file listing of each directory to be compared using the "dir" command.  It then compares the two directory listings using diff.exe, generating output similar to the screenshot below.

CompareDirectory Batch Script Sample Output

EventLogUSB-Win7 Batch Script

In my last post, I introduced a batch script that can be executed against a Microsoft-Windows-DriverFrameworks-UserMode/Operational event log originating from a Windows 7 system to identify USB device connection and disconnection events.  In order to port over a version of the batch script compatible with VSC Toolset, I made a couple of slight modifications (primarily to the input variables).  Simply select the linked VSCs against which you want to execute the batch script and click "Run Command"; VSC Toolset takes care of the rest (with some help from Log Parser).  A separate CSV file containing the USB connection and disconnection events is created for each VSC the batch script is executed against.  Note that you'll need the LogParser.exe and LogParser.dll file in the same directory as the VSC Toolset executable for this batch script to work.  Log Parser can be downloaded here.

The real benefit in running the EventLogUSB-Win7 batch script against multiple VSCs is that it allows you to recover USB connection and disconnection events that have since rolled off the current DriverFrameworks-UserMode/Operational event log.  This can be invaluable in cases where the length of time a certain device was connected to the system is important and the time frame of interest is prior to the earliest event in the current DriverFrameworks-UserMode/Operational event log.

Other Updates

In addition to the CompareDirectory and EventLogUSB-Win7 batch scripts, various user interface and general usability enhancements to VSC Toolset were made.  These include tips in the output of some commands (e.g. CompareDirectory) to help make the output easier to understand and a few help buttons added to the interface in some situations (depending on which command is specified in the Command drop-down box) to clarify exactly what a specific parameter is requesting.  The file system view, visible after clicking "Browse Shadow Copy", has also been improved to allow for sorting by file name or date by clicking the appropriate column header.

To ease the burden of finding all of the supporting tools you'll need to take full advantage of VSC Toolset, I've added the download links and any special requirements for each on the VSC Toolset page.  This information was previously scattered across multiple blog posts.

I'm always open to and appreciate feedback, including suggestions for improvement and bug reports.  You can download the latest version of VSC Toolset here.

**Update 02-19-14**
Corey Harrell's auto_rip has been integrated into VSC Toolset.  Version 20140216 includes this update.

Friday, February 7, 2014

USB Device Tracking Batch Script

Last month, I wrote about utilizing the Windows 7 Event Log in USB device tracking.  In my previous post, I mentioned automating the process using Microsoft's Log Parser, but didn't go into much detail regarding how to do so other than a couple of Log Parser queries.  This post introduces a batch script that can be used to quickly identify USB storage devices that have been connected to and disconnected from a Windows 7 system based on information available from the Windows Event Log, specifically the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log.

The Log Parser query described in my previous post identifies the connection and disconnection events associated with a given device identifier, but is limited in that it requires the user to have knowledge of the USB device identifier and must be executed for each device identifier of interest.  In many cases, an examiner will not have knowledge of the device identifier(s) that should be targeted or may be interested in a listing of connection and disconnection events within a particular time period (regardless of the device connected).  This batch script accepts a Microsoft-Windows-DriverFrameworks-UserMode/Operational event log as input and parses the connection and disconnection events associated with each unique USB device identifier, based on the connection and disconnection Event IDs described in my previous post (i.e. 2003 for connect, 2100 for disconnect).

The batch script performs three main steps:
  1. Scans the event log and generates a list of device identifiers
  2. Removes duplicate device identifiers from the list compiled in Step 1
  3. Queries the event log for connection and disconnection events associated with each unique device identifier
It may seem odd at first to remove duplicate device identifiers in Step 2, but this important step eliminates the duplicate entries that would otherwise be found in the script output and allows for quicker execution of the script (as each device identifier will be queried only once within the event log).

Example usage of evtx-usb.bat
The script output is in CSV format and may look something similar to the screenshot below.  The output includes the type of event (connect or disconnect), the device identifier, the time of the event, and the LifetimeID associated with the USB device connection session.

Sample output of evtx-usb batch script
As you can see, the screenshot above details three separate connection sessions for two different USB devices.  We know there are two separate devices because of the different device identifiers and we know there are three separate connection sessions by comparing the LifetimeID values.  For a refresher on the LifetimeID value, see my previous post.

The output of the batch script allows an examiner to easily pair connection and disconnection events using the LifetimeID value as well as quickly determine which devices may have been connected to the system at the same time by identifying different devices with the same LifetimeID.  Since the script output is in CSV format, filtering and sorting is easily accomplished using a spreadsheet editor.

Since the batch script relies on Microsoft Log Parser, you will need to download Log Parser here and ensure LogParser.exe and LogParser.dll are both in the same directory as the batch file.

The script is available for download here.