Finding and Analyzing Windows System Artifacts with IEF


New with the Business and OS artifacts module in Internet Evidence Finder (IEF) v6.4, we have added a number of valuable Windows operating system artifacts that will help investigators gain insight into details about a system and its users. IEF will now search for File System Information, Jump Lists, LNK Files, Network Share Information, Operating System Information, Shellbags, Startup Items, Timezone Information, USB Devices, User Accounts, Windows Event Logs and Windows Prefetch Files. These artifacts can be broken down into two categories: system artifacts and artifacts focused around a user’s activity. Here we will discuss system artifacts and how they are relevant to your investigation.

System artifacts include File System Information, Network Share Information, Operating System Information, Timezone Information, User Accounts and Windows Event Logs. Event logs are unique as they contain details about what is happening on the system as well as user activity.

File System Information

Most forensic investigators are familiar with the common file systems and their storage structures that enable investigators to analyze and recover data; Brian Carrier’s book File System Forensic Analysis[1] illustrates this best.

IEF supports the analysis of a wide range of file systems for both PCs and mobile devices including FAT, NTFS, ExFAT, EXT2, EXT3, EXT4, HFS+, HFSX, and YAFFS2. The File System Information artifact gives investigators additional details about the installed file system for all volumes and partitions found on their drive or image being analyzed. Details include the file system type, volume serial number, capacity, sector and cluster information, including several other indicators that might be of value in your examination.

Most forensic tools will automatically organize file system details and apply the appropriate sector and cluster sizes to parse a given file system. However, sometimes it’s necessary to dig a little deeper and perform some manual analysis as these details are essential for the analysis and recovery of any files stored within.
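As an added example of the manual analysis described above (this is not IEF code and not from the original post), the following Python builds a constructed NTFS boot sector and decodes the same details the File System Information artifact reports: file system type, volume serial number, capacity, and sector and cluster sizes. The field offsets are those of the standard NTFS boot sector; the sample values (serial number, total sectors, $MFT location) are made up for the demonstration, and the negative "clusters per MFT record" value shows the one decoding trap examiners most often trip over.

```python
import struct

NTFS_OEM_ID = b'NTFS    '


def build_sample_ntfs_boot_sector():
    """Constructed 512-byte NTFS boot sector; values are illustrative, not from a real image."""
    bs = bytearray(512)
    bs[0:3] = b'\xEB\x52\x90'                              # jump instruction
    bs[3:11] = NTFS_OEM_ID                                 # OEM ID identifies the file system type
    struct.pack_into('<HBH', bs, 0x0B, 512, 8, 0)          # bytes/sector, sectors/cluster, reserved
    bs[0x15] = 0xF8                                        # media descriptor: fixed disk
    struct.pack_into('<HHI', bs, 0x18, 63, 255, 2048)      # sectors/track, heads, hidden sectors
    struct.pack_into('<QQQ', bs, 0x28, 2097151, 786432, 2) # total sectors, $MFT LCN, $MFTMirr LCN
    bs[0x40] = 0xF6                                        # clusters per MFT record (negative => 2^|n| bytes)
    bs[0x44] = 0x01                                        # clusters per index buffer
    struct.pack_into('<Q', bs, 0x48, 0x1234567890ABCDEF)   # volume serial number
    bs[0x1FE:0x200] = b'\x55\xAA'                          # boot sector signature
    return bytes(bs)


def parse_ntfs_boot_sector(bs):
    """Decode the fields an examiner needs before any manual cluster-level work."""
    if len(bs) < 512 or bs[0x1FE:0x200] != b'\x55\xAA':
        raise ValueError('not a boot sector: 0x55AA signature missing')
    if bs[3:11] != NTFS_OEM_ID:
        raise ValueError('OEM ID %r is not NTFS' % bs[3:11])
    bytes_per_sector, sectors_per_cluster = struct.unpack_from('<HB', bs, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from('<QQQ', bs, 0x28)
    (mft_record_raw,) = struct.unpack_from('<b', bs, 0x40)
    (index_raw,) = struct.unpack_from('<b', bs, 0x44)
    (serial,) = struct.unpack_from('<Q', bs, 0x48)
    cluster_size = bytes_per_sector * sectors_per_cluster

    def record_size(raw):
        # A negative value n means the record is 2^|n| bytes, not n clusters.
        return (1 << -raw) if raw < 0 else raw * cluster_size

    return {
        'file_system': 'NTFS',
        'bytes_per_sector': bytes_per_sector,
        'sectors_per_cluster': sectors_per_cluster,
        'cluster_size': cluster_size,
        'total_sectors': total_sectors,
        'capacity_bytes': total_sectors * bytes_per_sector,
        'mft_offset': mft_lcn * cluster_size,
        'mftmirr_offset': mftmirr_lcn * cluster_size,
        'mft_record_size': record_size(mft_record_raw),
        'index_buffer_size': record_size(index_raw),
        # The familiar XXXX-XXXX serial is the low 32 bits of the 64-bit value.
        'volume_serial': '%04X-%04X' % ((serial >> 16) & 0xFFFF, serial & 0xFFFF),
        'volume_serial_full': '%016X' % serial,
    }


if __name__ == '__main__':
    for key, value in parse_ntfs_boot_sector(build_sample_ntfs_boot_sector()).items():
        print('%-20s %s' % (key, value))
```

Running it against a real image means reading the first 512 bytes of the partition rather than calling the constructed builder; the parser refuses anything without the 0x55AA signature or the NTFS OEM ID so that a FAT or wiped boot sector is reported instead of silently misinterpreted.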

Network Share Information

The next system artifact recovered by IEF is the Network Share Information. This information is pulled from a user’s NTUSER.dat registry hive and will reveal any network shares that are, or have previously been, mounted by the user along with the associated drive letter if available. We will first look at the Map Network Drive MRU:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

This location stores a list of network drives the user has mapped through the “Map Network Drive Wizard” in Windows. The last write time of this key will reveal the date in which the user mapped the drive.

The next location that stores valuable network share data is also stored in the NTUSER.dat under Network:

HKCU\Network\

This location stores a sub-key for every network share mounted to a particular drive letter. The RemotePath value will provide the investigator with the path that was mapped to that drive letter.

Finally, the MountPoints2 key also stores a wealth of information about any network shares mounted by the user:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

This key will list a number of additional folders mounted by the user. One interesting point is that the key will replace any of the backslashes (\) with pounds (#) displaying a share normally mounted as \\192.168.1.1\share as ##192.168.1.1#share.

IEF will recover any data from these registry locations and display any relevant data that it was able to parse into the Report Viewer for analysis.

Providing investigators a list of network shares for each user helps reveal any additional sources of potential evidence that might be stored on another system on the network.
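The following Python is an added example, not IEF's parser and not from the original post, of how the three NTUSER.dat locations above can be combined into one per-user list of shares. It works on values already extracted from the hive (the constructed dictionary stands in for that extraction), orders the Map Network Drive MRU entries using the MRUList value (first character is the most recently used), attaches the drive letter from HKCU\Network\<letter>\RemotePath, and decodes the '#'-for-'\' encoding of MountPoints2 sub-key names while leaving local volume GUIDs and drive letters alone. All share names and hosts in the sample are made up.

```python
MRU_KEY = r'Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU'
NET_KEY = r'Network'
MP2_KEY = r'Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# Constructed NTUSER.dat excerpt (not from a real system). Keys map to their values;
# MountPoints2 is represented by its sub-key names, which is where the share names live.
SAMPLE_NTUSER = {
    MRU_KEY: {
        'a': r'\\fileserver\projects',
        'b': r'\\192.168.1.1\share',
        'c': r'\\nas01\backups',
        'MRUList': 'cab',                     # most recently used first
    },
    NET_KEY: {
        'Z': {'RemotePath': r'\\nas01\backups', 'ProviderName': 'Microsoft Windows Network'},
        'P': {'RemotePath': r'\\fileserver\projects', 'ProviderName': 'Microsoft Windows Network'},
    },
    MP2_KEY: [
        '##192.168.1.1#share',
        '##nas01#backups',
        '{e0d1d0a2-0000-0000-0000-000000000000}',   # a local volume GUID, not a share
        'C',                                        # a local drive letter, not a share
    ],
}


def mru_order(mru_key):
    """Map Network Drive MRU paths, most recent first, as ordered by MRUList."""
    order = mru_key.get('MRUList', '')
    paths = [mru_key[c] for c in order if c in mru_key]
    # Values MRUList does not mention are appended so nothing is silently dropped.
    for name, value in mru_key.items():
        if name != 'MRUList' and name not in order:
            paths.append(value)
    return paths


def decode_mountpoint(name):
    """MountPoints2 writes a UNC share with '#' in place of '\\'; other sub-keys are not shares."""
    if name.startswith('##'):
        return name.replace('#', '\\')
    return None


def collect_shares(hive):
    """Merge all three locations into one list keyed on the (case-insensitive) share path."""
    shares = {}

    def add(path, source, **extra):
        entry = shares.setdefault(path.lower(), {'path': path, 'sources': []})
        entry['sources'].append(source)
        entry.update(extra)

    for rank, path in enumerate(mru_order(hive.get(MRU_KEY, {})), start=1):
        add(path, 'Map Network Drive MRU', mru_rank=rank)
    for letter, values in hive.get(NET_KEY, {}).items():
        add(values['RemotePath'], 'Network', drive_letter=letter + ':')
    for name in hive.get(MP2_KEY, []):
        path = decode_mountpoint(name)
        if path:
            add(path, 'MountPoints2')
    return sorted(shares.values(), key=lambda e: e['path'].lower())


if __name__ == '__main__':
    for row in collect_shares(SAMPLE_NTUSER):
        print(row)
```

A share that appears in the MRU but has no HKCU\Network entry (the \\192.168.1.1\share row in the sample) was mapped through the wizard at some point but is not currently assigned a drive letter, which is exactly the kind of "previously mounted" source of evidence the paragraph above is about.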

Operating System Information

Much like the other system artifacts discussed here, most forensic examiners will be familiar with the artifacts associated with the operating system installation information stored in the registry keys below:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

HKLM\SYSTEM\CurrentControlSet\Control\Windows

IEF is now able to recover OS details such as name, version, Product ID and Keys, which service pack is installed, as well as the install and last shutdown timestamps associated with a given Windows installation.

Two artifacts of note are the install date and last shutdown time, which can be valuable to investigators trying to build a timeline of events around the date Windows was installed and the last time the system was shut down. Some examiners might notice that the last logon time for a user is sometimes later than the last shutdown time recorded in the registry. There are a number of scenarios that can cause this; most often the system was simply powered off or unplugged without going through the proper Windows shutdown process, so the new time was never written to the ShutdownTime value.
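As an added example (not IEF code and not from the original post), here is how the two timestamps in question are decoded and compared. InstallDate under the CurrentVersion key is a REG_DWORD holding Unix epoch seconds, while ShutdownTime under Control\Windows is an 8-byte REG_BINARY FILETIME (100-nanosecond ticks since 1601-01-01 UTC); the same FILETIME decoder applies to the last-logon timestamps the SAM hive stores. The dictionaries stand in for values already extracted from the hives, and every value in them is constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_filetime(raw):
    """REG_BINARY FILETIME: little-endian 64-bit count of 100 ns ticks since 1601-01-01 UTC."""
    (ticks,) = struct.unpack('<Q', raw)
    if ticks == 0:
        return None                                   # Windows uses 0 for 'never'
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_unix_dword(value):
    """InstallDate is a REG_DWORD of seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(value, tz=timezone.utc)


def os_install_summary(software_currentversion, system_control_windows):
    """Assemble the OS details from the two registry keys named in the post."""
    return {
        'ProductName': software_currentversion.get('ProductName'),
        'CSDVersion': software_currentversion.get('CSDVersion'),
        'ProductId': software_currentversion.get('ProductId'),
        'InstallDate': decode_unix_dword(software_currentversion['InstallDate']),
        'ShutdownTime': decode_filetime(system_control_windows['ShutdownTime']),
    }


def shutdown_consistency(last_shutdown, last_logon):
    """Flag the anomaly described above: a logon later than the last clean shutdown."""
    if last_shutdown is None or last_logon is None:
        return 'insufficient_data', 'one of the two timestamps is missing'
    if last_logon > last_shutdown:
        return ('unclean_shutdown_suspected',
                'last logon %s is after last recorded shutdown %s; the system was probably '
                'powered off or unplugged without a clean shutdown'
                % (last_logon.isoformat(), last_shutdown.isoformat()))
    return 'consistent', 'last logon precedes last recorded shutdown'


def _filetime_bytes(dt):
    """Helper used only to construct sample registry values for this example."""
    ticks = int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000
    return struct.pack('<Q', ticks)


# Constructed sample values; the real ones come from the SOFTWARE, SYSTEM and SAM hives.
SAMPLE_SOFTWARE_CURRENTVERSION = {
    'ProductName': 'Windows 7 Professional',
    'CSDVersion': 'Service Pack 1',
    'ProductId': '00000-000-0000000-00000',          # placeholder
    'InstallDate': 1388534400,                        # 2014-01-01 00:00:00 UTC
}
SAMPLE_SYSTEM_CONTROL_WINDOWS = {
    'ShutdownTime': _filetime_bytes(datetime(2014, 1, 15, 8, 30, tzinfo=timezone.utc)),
}
SAMPLE_SAM_LAST_LOGON = _filetime_bytes(datetime(2014, 1, 16, 9, 0, tzinfo=timezone.utc))


if __name__ == '__main__':
    summary = os_install_summary(SAMPLE_SOFTWARE_CURRENTVERSION, SAMPLE_SYSTEM_CONTROL_WINDOWS)
    for key, value in summary.items():
        print('%-13s %s' % (key, value))
    print(shutdown_consistency(summary['ShutdownTime'], decode_filetime(SAMPLE_SAM_LAST_LOGON)))
```

Both decoders return timezone-aware UTC datetimes on purpose: keeping every registry timestamp in UTC until the last step avoids mixing local and UTC values when the shutdown and logon times are compared.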

Timezone Information

One simple yet very important artifact is the system timezone information stored in the Windows registry. Windows stores a number of timestamps in both local and UTC time. Understanding which timestamp is which, and how they relate to the timezone set by the system, is essential to understanding the timeline of events of an incident. Timezone information is stored in the following key in the SYSTEM hive:

HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

IEF will parse the standard and daylight saving timezone offsets, which can be used to calculate the local time of any timestamp stored in UTC for a given date. Most forensic tools, including IEF, allow investigators to set the time to the local time of the system being investigated. This allows the examiner to view the timestamps as they would have occurred during the incident.
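The conversion described above, carried through as an added example rather than IEF's own implementation: the Python below takes the Bias, StandardBias, DaylightBias, DaylightStart and StandardStart values from the TimeZoneInformation key (already extracted into a dictionary; the sample mirrors US Eastern Time and is constructed, not from a real system), decodes the 16-byte SYSTEMTIME transition rules, works out whether a given UTC timestamp fell inside daylight saving time in that year, and returns the local time with its zone name. Two details matter in practice and are handled here: the bias values are signed but read back from REG_DWORD as unsigned, and StandardStart is expressed in daylight time rather than standard time.

```python
import calendar
import struct
from datetime import datetime, timedelta


def _signed32(value):
    """Bias values are signed LONGs but come back from REG_DWORD as unsigned ints."""
    return value - (1 << 32) if value & 0x80000000 else value


def parse_systemtime(raw):
    """Decode the 16-byte SYSTEMTIME stored in DaylightStart / StandardStart."""
    year, month, dow, day, hour, minute, _sec, _ms = struct.unpack('<8H', raw)
    return {'year': year, 'month': month, 'dow': dow, 'day': day, 'hour': hour, 'minute': minute}


def _nth_weekday(year, month, dow_sunday0, n):
    """Day of month for the n-th given weekday (n == 5 means the last one)."""
    target = (dow_sunday0 + 6) % 7                       # SYSTEMTIME Sunday=0 -> Python Monday=0
    first = 1 + (target - datetime(year, month, 1).weekday()) % 7
    day = first + 7 * (n - 1)
    last_day = calendar.monthrange(year, month)[1]
    while day > last_day:
        day -= 7
    return day


def _transition(rule, year):
    """Wall-clock moment at which a relative rule (wYear == 0) fires in the given year."""
    if rule['month'] == 0:
        return None                                      # zone without daylight saving
    day = _nth_weekday(year, rule['month'], rule['dow'], rule['day'])
    return datetime(year, rule['month'], day, rule['hour'], rule['minute'])


def utc_to_local(utc_text, tzi):
    """Convert a 'YYYY-MM-DD HH:MM:SS' UTC timestamp using TimeZoneInformation values."""
    utc = datetime.strptime(utc_text, '%Y-%m-%d %H:%M:%S')
    bias = _signed32(tzi['Bias'])
    std_bias = _signed32(tzi['StandardBias'])
    dl_bias = _signed32(tzi['DaylightBias'])
    # Windows convention: UTC = local + Bias + (StandardBias or DaylightBias)
    local_std = utc - timedelta(minutes=bias + std_bias)
    start = _transition(parse_systemtime(tzi['DaylightStart']), local_std.year)
    end = _transition(parse_systemtime(tzi['StandardStart']), local_std.year)
    in_dst = False
    if start and end:
        # StandardStart is given in daylight time; shift it into the standard-time frame.
        end_std = end + timedelta(minutes=dl_bias - std_bias)
        if start < end_std:                              # northern-hemisphere style rule
            in_dst = start <= local_std < end_std
        else:                                            # southern-hemisphere style rule
            in_dst = not (end_std <= local_std < start)
    if in_dst:
        local = utc - timedelta(minutes=bias + dl_bias)
        return local.strftime('%Y-%m-%d %H:%M:%S'), tzi['DaylightName']
    return local_std.strftime('%Y-%m-%d %H:%M:%S'), tzi['StandardName']


# Constructed to mirror US Eastern Time as stored under TimeZoneInformation.
SAMPLE_TZI = {
    'Bias': 300,                                         # UTC = local + 300 minutes
    'StandardBias': 0,
    'DaylightBias': 0xFFFFFFC4,                          # -60 stored as an unsigned DWORD
    'StandardName': 'Eastern Standard Time',
    'DaylightName': 'Eastern Daylight Time',
    'DaylightStart': struct.pack('<8H', 0, 3, 0, 2, 2, 0, 0, 0),   # 2nd Sunday of March, 02:00
    'StandardStart': struct.pack('<8H', 0, 11, 0, 1, 2, 0, 0, 0),  # 1st Sunday of November, 02:00
}


if __name__ == '__main__':
    for stamp in ('2014-01-15 08:30:00', '2014-07-15 08:30:00', '2014-03-09 07:00:00'):
        print(stamp, 'UTC ->', *utc_to_local(stamp, SAMPLE_TZI))
```

The rules are evaluated for the year of the timestamp being converted, so a 2014 event is placed against the 2014 transition dates even if the image was taken years later; a zone whose rules have changed since the event would need the historical rule, which the registry does not keep.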

User Accounts

User account information is stored in the SAM registry hive and will list all of the default and user created accounts for a given system.

SAM\Domains\Account\Users\

IEF will pull account name, type, groups, login count, whether the account is disabled or a password is required, timestamps around last login, last password change and last incorrect password login.

One interesting note for investigators analyzing Windows Vista systems or newer: you might notice that there are duplicate entries in the User Accounts artifact. For Windows Vista and newer, Microsoft created a backup of each registry hive located at:

[ROOT]\Windows\System32\config\RegBack

For the most part these entries will match, but if one hive becomes corrupt, a backup is available.

Finally, one additional registry key to mention is the ProfileList key under the SOFTWARE hive:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

While the SAM hive stores login information for all local accounts, the ProfileList key stores information on all users who have logged into a system, including domain users, which can be valuable for examiners investigating intrusions or compromised accounts over a network.

Windows Event Logs

Windows event logs store a wealth of information about a system and its users. Depending on the logging level enabled and the version of Windows installed, event logs can provide investigators with details about applications, login timestamps for users and system events of interest. For Windows 2000, XP and 2003, event logs are stored as .evt files in the ROOT\Windows\system32\config folder and are typically grouped into three categories: Application, System and Security. Windows Vista and newer changed the way they handle event logs and they are now stored as XML files with an .evtx extension at ROOT\Windows\system32\winevt\Logs. Vista also introduced several new event logs in addition to the application, system and security logs found in Windows XP/2003. Now the logs are separated into two categories: Windows logs and Applications and Services logs. Under the Windows logs, there are two new logs available to examiners: Setup and Forwarded Events. Under Applications and Services logs, Windows will store a number of additional logs for various applications installed on the system.

IEF will collect these logs for investigators as well as carve additional logs from unallocated space that might have been deleted. Typically a Windows system stores a large number of event logs, but a few are especially valuable to examiners depending on the investigation. Logon events, including both successes and failures, are helpful to determine which user is logging into which systems. The security event logs contain details on the account as well as the method in which they are logging in (i.e. local vs network).
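As an added example of working with the Security log details just described (not IEF code and not from the original post), the Python below parses logon events that have been exported from an .evtx file in the standard Windows event XML schema, separates successes from failures, and classifies each logon as local or network from its logon type. The event IDs used (4624 for a successful logon, 4625 for a failed one) and the logon type codes are the standard Windows values; they are not listed in the post and are introduced here. The sample records, including every account name, host and IP address, are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}

# Standard Windows logon type codes mapped to the post's local-vs-network distinction.
LOGON_TYPES = {
    2: ('Interactive', 'local'),
    3: ('Network', 'network'),
    4: ('Batch', 'local'),
    5: ('Service', 'local'),
    7: ('Unlock', 'local'),
    8: ('NetworkCleartext', 'network'),
    9: ('NewCredentials', 'local'),
    10: ('RemoteInteractive', 'network'),
    11: ('CachedInteractive', 'local'),
}


def _record(event_id, when, user, domain, logon_type, ip):
    """Build one constructed Security-log record in the exported XML layout."""
    return (
        '<Event xmlns="%s"><System><EventID>%d</EventID>'
        '<TimeCreated SystemTime="%s"/><Computer>WS01.example.invalid</Computer></System>'
        '<EventData><Data Name="TargetUserName">%s</Data><Data Name="TargetDomainName">%s</Data>'
        '<Data Name="LogonType">%d</Data><Data Name="IpAddress">%s</Data></EventData></Event>'
        % (NS['e'], event_id, when, user, domain, logon_type, ip)
    )


# Constructed sample export; the 4672 record shows that unrelated events are skipped.
SAMPLE_SECURITY_XML = '<Events>' + ''.join([
    _record(4624, '2014-01-15T13:02:11.000Z', 'alice', 'WS01', 2, '-'),
    _record(4624, '2014-01-15T13:05:40.000Z', 'bob', 'EXAMPLE', 3, '10.0.0.5'),
    _record(4672, '2014-01-15T13:05:40.000Z', 'bob', 'EXAMPLE', 0, '-'),
    _record(4625, '2014-01-15T13:07:02.000Z', 'Administrator', 'WS01', 10, '10.0.0.9'),
    _record(4625, '2014-01-15T13:07:09.000Z', 'Administrator', 'WS01', 10, '10.0.0.9'),
]) + '</Events>'


def parse_logon_events(xml_text):
    """Return one row per 4624/4625 event with the fields an examiner asks for first."""
    root = ET.fromstring(xml_text.strip())
    rows = []
    for ev in root.findall('e:Event', NS):
        event_id = int(ev.findtext('e:System/e:EventID', namespaces=NS))
        if event_id not in (4624, 4625):
            continue
        data = {d.get('Name'): (d.text or '') for d in ev.findall('e:EventData/e:Data', NS)}
        logon_type = int(data.get('LogonType') or 0)
        type_name, scope = LOGON_TYPES.get(logon_type, ('Unknown', 'unknown'))
        ip = data.get('IpAddress', '')
        rows.append({
            'time': ev.find('e:System/e:TimeCreated', NS).get('SystemTime'),
            'computer': ev.findtext('e:System/e:Computer', namespaces=NS),
            'outcome': 'success' if event_id == 4624 else 'failure',
            'user': data.get('TargetUserName'),
            'domain': data.get('TargetDomainName'),
            'logon_type': logon_type,
            'logon_type_name': type_name,
            'scope': scope,
            'source_ip': ip if ip not in ('', '-') else None,   # '-' means no network source
        })
    return rows


def summarize(rows):
    """Counts that quickly show who is logging in where, and who keeps failing."""
    return {
        'by_outcome': Counter(r['outcome'] for r in rows),
        'by_scope': Counter(r['scope'] for r in rows),
        'failed_by_user': Counter(r['user'] for r in rows if r['outcome'] == 'failure'),
    }


if __name__ == '__main__':
    parsed = parse_logon_events(SAMPLE_SECURITY_XML)
    for row in parsed:
        print(row)
    print(summarize(parsed))
```

On a real case the XML comes from an export of the Security log (or from records IEF has carved and rendered), and the same two functions apply unchanged; the `failed_by_user` counter is the first thing to look at when the question is whether an account was being guessed at over the network.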

Overall, Windows contains a wealth of information and artifacts around the system that can be quite valuable to investigators. With these new additions to IEF, examiners can enjoy the same features and efficiency they already get when investigating Internet artifacts and evidence.

Here are some other resources worth taking a look at:

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics


[1] Carrier, Brian, File System Forensic Analysis, Addison-Wesley, 2005