
Windows System Forensics
Module 1: How Windows Works
Preface

• Assumptions derived from this particular series of courses:
– Teach a group of talented students the practice of digital forensics
– Address multiple platforms and disciplines
– Include all necessary forensics foundations and skills
– Provide as much detail as required to produce functional skills
• Further assumptions implied:
– Students will have studied all the basics of IT
– Networking and OS fundamentals:
o Networking/internetworking with TCP/IP
o Platform (operating system) operation and management
The Practice of Forensic Analysis Revisited

• Forensic analysis is probably the most advanced discipline in all of cyber security.
• The goal is to be able to detect and understand the malicious activities of
“threat actors.”
• This requires the detection, analysis, and reverse engineering of
“artifacts.”
• Artifacts are the remains of human-caused events—including events
caused by human-engineered software.
• Most artifacts are left behind from usual human activity and the software
we use on a daily basis. This is the “normal.”
• The target of forensic analysis is the “not normal.”
The Challenge of Digital Forensic Analysis in Practice

• It is so highly technical that few people can function effectively as
generalists. We have to have technical specialities:
– Network behavior, detection, and analysis
– Operating system behavior, detection and analysis across major platforms such as:
o Various server platforms including Windows/Linux/Unix versions
o Various desktop platforms including Windows/Linux/MacOS versions
o Mobile platforms mainly including both iOS and Android
o Niche platforms such as industrial control systems, IoT devices, etc.
– Basically anywhere local and networked computing can take place
• While the goals stay the same—and many of the tools do as well—the
techniques and approaches are dictated by the basics of the platforms.
• Each requires a very specific understanding of how they work under
normal conditions.
Understanding How Things Work in Windows

• Understanding Operating Systems
• The Boot Sequence Revisited
• Windows Background and Support Processes
• Interlude: Dynamically Linked Libraries (DLLs)
• Windows Local Login and Authentication
Understanding Operating Systems

• An OS is simply the master program on any given platform that launches
when the system is booted.
– It manages all of the software and hardware on the computing device.
– It performs tasks such as file, memory, and process management, as well as
interaction with peripheral devices (keyboards, displays, network interfaces, etc.).
– It provides a user (or multiple users) with access to all of these.
• While the basic goals of every OS are the same, there are vast
differences in how each accomplishes those goals.
The Boot Sequence in Review

• BIOS/UEFI
– When the system is powered on, firmware—the lowest level of software
programmed into the actual hardware—begins the boot process by locating the OS
software to launch.
• OS Load
– An OS kernel is located and executed.
– This in turn identifies its resources such as hardware devices and the filesystems
they support.
– Filesystems are mounted so that the kernel can access the necessary initial services
to execute.
The Boot Sequence (cont.)

• System Configuration
– The initial services will have been configured to run in specific ways depending on
the intended use of the system itself.
– It may be a server intended to provide network-based services to multiple users.
– It may be a more “single user” system with a graphical interface for ease of use by
an “end user.”
• Loading System Utilities
– In any case, system utilities will be executed to provide the services required:
o “Background” utilities which run without the necessity of user input in order to provide
users with the necessary ability to interact with the system.
o “Foreground” utilities which provide users with the actual system interactivity.
User Authentication

• Once the system has booted, a user (or users) will be provided with the
ability to interact with and use the system for its intended purposes.
• Most commonly, this requires some form of authentication:
– Some systems allow totally anonymous use (such as HTTP).
– Some systems allow activity based on “role-based” authentication (belonging to a
particular group).
o In Active Directory, systems must authenticate to join the Domain.
o They become part of the group of Domain-controlled systems, and inherit configurations
and policies for role-based behavior.
– Most systems require individual authentication, even to join the allowed group.
• These days individual multi-factor authentication is commonly required to
defend against the brute-forcing of credentials.
Windows Background and Support Processes

• Depending on the system’s configuration, many background/support
services are launched when Windows boots. Here are a few of the most
common, in typical order of execution:
– ‘csrss.exe’ or “Client/Server Runtime Subsystem”
o This essential service is responsible for console operation.
o It cannot be shut down without crashing the system.
– ‘wininit.exe’ or “Windows Initialization”
o This process is responsible for subsequent services being started at boot.
o It remains running as the parent process of many other processes.
– ‘services.exe’ or “Service Control Manager”
o This is the process that starts, stops, and interacts with other system services.
o It handles both startup and shutdown.
More Windows Background/Support Services

• Here are a few more critical services that start at boot:
– ‘svchost.exe’ or “Service Host”
o This essential process implements “shared services” so that a number of other services
can share the process and reduce resource consumption.
o It loads a number of DLLs (discussed in detail next).
– ‘sppsvc.exe’ or “Software Protection Platform Service”
o This service is crucial to ensuring the authenticity and legality of software running on
Windows.
– ‘lsass.exe’ or “Local Security Authority Subsystem”
o This service is responsible for providing Active Directory authentication and interaction.
o A high CPU usage by this process can indicate problems with connectivity to the
expected Domain Controller.
Even More Windows Background/Support Services

• A final few critical processes that start at boot:
– ‘smss.exe’ or the “Session Manager Subsystem”
o This is also known as the “Windows Session Manager”.
o It stays in the background to monitor the status of other processes.
– ‘taskhost.exe’ or the “Host process for Windows Tasks”
o It is the host for all DLL-based services that start after boot.
o It handles scheduling of tasks.
– ‘explorer.exe’ or “Windows Explorer”
o This process launches the Start Menu, Taskbar, Desktop, and File Manager.
o This is the main program for user interaction with the system after login.
• Pretty much everything a user runs will be initially executed by one of
these last two processes.
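As an added example (not part of the original slides), the parent/child expectations above can be turned into a simple “not normal” check over pstree-style rows. The expected-parent table, the requirement that core images live under System32, and the process rows are simplifications constructed for this example.

```python
"""Added example (not from the original slides): flag 'not normal' parent/child
relationships among the core Windows support processes described above.
Input: constructed pstree-style rows (pid, ppid, name, image path)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Simplified expectations (assumption for this example): each tracked core
# process is normally spawned by exactly one parent and lives under System32.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
SYSTEM_DIR = r"c:\windows\system32"


def find_anomalies(procs):
    """Return a list of (pid, reason) for processes that violate expectations."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        want = EXPECTED_PARENT.get(p.name.lower())
        if want is None:
            continue  # not one of the tracked core processes
        parent = by_pid.get(p.ppid)
        actual = parent.name.lower() if parent else "<missing>"
        if actual != want:
            findings.append((p.pid, f"{p.name} parented by {actual}, expected {want}"))
        if not p.path.lower().startswith(SYSTEM_DIR + "\\"):
            findings.append((p.pid, f"{p.name} running from {p.path}"))
    return findings


# Constructed sample resembling Volatility pstree output
SAMPLE = [
    Proc(400, 300, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(500, 400, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(520, 400, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(700, 500, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1800, 1600, "explorer.exe", r"C:\Windows\explorer.exe"),
    # constructed anomaly: svchost.exe launched by explorer.exe from a user folder
    Proc(2400, 1800, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
]

if __name__ == "__main__":
    for pid, reason in find_anomalies(SAMPLE):
        print(pid, reason)
```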
Interlude: Dynamically Linked Libraries (DLLs)

• Much of Windows’ (and other OSs’) process functionality depends on the
provision of “dynamically linked libraries” (DLLs).
• These DLLs are groupings of common functions that many applications
will need to perform within the OS, particularly when interacting with
the OS kernel and with other applications.
– Rather than require each application developer to write original code to perform
these operations, the necessary functionality can be “inherited” by linking the
application code to generic libraries.
– DLLs can provide their functionality to multiple programs at the same time.
• This helps to promote code reuse and efficient memory usage.
DLL Interlude Continued

• The use of DLLs is done through the programmer’s calls to specific
“application programming interfaces” (APIs).
• The main entry point for applications to get to these libraries is the
execution of “rundll32.exe”. This provides the API to a vast library of
basic Windows functionality.
• Depending on the version of Windows, these DLLs are either called
from:
– C:\Windows\SysWOW64
– C:\Windows\System32
• They provide everything from support for various languages/keyboard
layouts to Internet services to PowerShell functionality, or even simply the
implementation of dialog boxes in the GUI.
• Browse those directories just to get a sense of what’s there!
More on DLLs

• When a Windows program makes an API call for a specific function,
commonly rundll32.exe gets loaded into the process table in memory
and is visible there.
– However, the individual function call being made to any particular DLL can be quite
transparent in Windows.
– See the output of Volatility’s pstree plugin for reference.
• By comparison, the ‘lsof’ utility in Linux will show all of the “shared
objects” (Linux’s equivalent to DLLs) being opened and called by all the
programs in memory.
Windows Local Login and Authentication

• When logging on to a Windows system that is not joined to a domain,
authentication is simply password-based.
• By default, the passwords that are set by the user are stored locally as
two hashes: “LAN Manager” (LM) and “New Technology LAN
Manager” (NTLMv1).
• LAN Manager (LM)
– 14-character limit
– The password is split into two 7-character uppercase strings
– Each are hashed separately
– No salt
Password Salting

• Fixed-length entropy included in the password hash
• Countermeasure against brute forcing
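An added example, not from the original slides, that models the LM steps listed above (uppercase, 14-character limit, two independent 7-character halves, no salt) beside a salted digest as the countermeasure; the per-half digest is a SHA-256 stand-in assumed for illustration, not the real LM algorithm.

```python
"""Added example (not from the original slides): a model of the LM hash
pre-processing steps, to show why the scheme is weak and what a salt changes.
The per-half digest is a SHA-256 stand-in, NOT the real LM algorithm."""
import hashlib
import os


def lm_style_hash(password: str) -> bytes:
    """Uppercase, truncate/pad to 14 chars, split into two 7-char halves,
    digest each half independently, no salt."""
    fixed = password.upper()[:14].ljust(14, "\0")
    halves = (fixed[:7], fixed[7:])
    return b"".join(hashlib.sha256(h.encode()).digest()[:8] for h in halves)


# Digest of an all-padding half: every password of 7 chars or fewer ends in
# this value, so an unsalted LM-style hash leaks "this password is short".
EMPTY_HALF = lm_style_hash("")[8:]


def weaknesses(password: str) -> dict:
    """Properties an analyst can read straight off an LM-style hash."""
    h = lm_style_hash(password)
    return {
        "case_insensitive": h == lm_style_hash(password.swapcase()),
        "length_leaks_as_short": h[8:] == EMPTY_HALF,
    }


def salted_hash(password: str, salt: bytes = b"") -> tuple:
    """Countermeasure: mix a per-user random salt into the digest, so equal
    passwords no longer produce equal hashes and tables cannot be precomputed."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


if __name__ == "__main__":
    # Constructed demo: two users who chose the same password
    print("unsalted equal:", lm_style_hash("Secret") == lm_style_hash("secret"))
    print("salted equal:  ", salted_hash("Secret")[1] == salted_hash("Secret")[1])
    print(weaknesses("secret"))
```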
NTLMv1

• 16 character “challenge/response”
• Still no salt
• Interception of challenges leads to “pass-the-hash” attacks.
– The password never needs to be known.
– The hash itself is sufficient for authentication
• Solution: Active Directory and Kerberos
Module Quiz
