DF Module 4 Final


Module 4

Windows and Unix Forensics Investigation


Windows Recycle Bin Forensics, Data Carving, Windows Registry Analysis, USB Device Forensics, File Format Identification, Windows Features
Forensics Analysis, Windows 10 Forensics, Cortana Forensics

Investigating Unix Systems - Reviewing Pertinent Logs, Performing Keyword Searches, Reviewing Relevant Files, Identifying Unauthorized User
Accounts or Groups, Identifying Rogue Processes, Checking for Unauthorized Access Points, Analyzing
CONDUCTING A WINDOWS INVESTIGATION
After you’ve set up your forensic workstation with the proper tools and
recorded the low-level partition data from the target image, you are ready to
conduct your investigation. The following basic investigative steps are required
for a formal examination of a target system:
● Review all pertinent logs.
● Perform keyword searches.
● Review relevant files.
● Identify unauthorized user accounts or groups.
● Identify rogue processes and services.
● Look for unusual or hidden files/directories.
● Check for unauthorized access points.
● Examine jobs run by the Scheduler service.
● Analyze trust relationships.
● Review security identifiers.
WHERE EVIDENCE RESIDES ON WINDOWS SYSTEMS
● Volatile data in kernel structures
● Slack space, where you can obtain information from previously deleted files that are
otherwise unrecoverable
● Slack space is the unused space at the end of a file cluster. For example, if the cluster
size is 4 KB and the file size is 3 KB, there will be 1 KB of slack space left in the
cluster.
● Free or unallocated space, where you can obtain previously deleted files, including
damaged or inaccessible clusters
● The logical file system
● The event logs
● The Registry, which you should think of as an enormous log file
● Application logs not managed by the Windows Event Log Service
● The swap files, which harbor information that was recently located in system
RAM (named pagefile.sys on the active partition)
● Special application-level files, such as Internet Explorer’s Internet history files
(index.dat), Netscape’s fat.db, the history.hst file, and the browser cache
● Temporary files created by many applications
● The Recycle Bin (a hidden, logical file structure where recently deleted items can
be found)
● The printer spool
● Sent or received email, such as the .pst files for Outlook mail
Recycle Bin Forensics

● The Windows Recycle Bin was first introduced in Windows 95; it holds files that
have been deleted by users.
● For instance, when a user deletes a file, the file goes directly into the Recycle Bin
rather than being deleted permanently.
● This is the default behaviour of Windows.
Besides this, you can also delete permanently by holding the Shift key while deleting; this
removes the file without moving it into the Recycle Bin.
● The Recycle Bin can hold artifacts that are considered a valuable source of digital
evidence.
Different versions of Windows use different Recycle Bin file names and locations.

In Windows 95/98/ME there was a single file called INFO2:

C:\RECYCLED\INFO2

It contains metadata about each deleted file, such as its original path, file size and the date/time when it was deleted.

In Windows NT/2000/XP the INFO2 file was still present, but it now sits inside the Recycler folder under a subfolder named after the user's SID (Security Identifier):

C:\RECYCLER\SID*\INFO2

So whenever a user deletes a file, a SID-named subfolder is created for that user; each SID subfolder contains its own INFO2 file.

From Windows Vista onwards the Recycler path was renamed, and the artifacts are C:\$Recycle.Bin\SID*\$I and C:\$Recycle.Bin\SID*\$R, where
$I contains the metadata of the deleted file and $R contains the actual deleted file.

This removes the need for the INFO2 file used in older versions of Windows.
Inside a Recycle Bin you may find files whose names begin with either '$I' or '$R'. A file
beginning with '$I' contains data about a file that has been deleted.

The file beginning with "$R" followed by a random string contains the actual contents of the
recycled file.

Parse application
Run it against the $I files, then from the File menu select CSV file; it will return a CSV file of all parsed files.

When the user elects to empty the Recycle Bin,
–Windows deletes the file (such as DC0.txt) in the Recycle Bin and also deletes
the INFO file
–More sophisticated techniques are then needed to recover the files
Recycle Bin
The Recycle Bin is a system folder of Windows
–It operates according to different rules than those governing standard folders
–The folder is named "Recycled" in Windows 95/98
–"Recycler" in Windows NT/2000/XP
E.g., open a DOS window, go to the C: drive and type cd recycler
–It will open the Recycle Bin folder
The "File Allocation Table" or FAT is created at the start of the drive so that each piece of information in a
file can be found by the host computer.
New Technology File System (NTFS)
Each folder is named using a unique Security Identifier (SID)
Recycle Bin
When a file is deleted, it is moved to the Recycle Bin
–On windows NT/2000/XP, the first time a user puts a file in the recycle bin, a subfolder is created in
c:\recycler
–The subfolder is named with the user’s SID and contains its own INFO file, making it possible to
determine which user account was used to delete a file
When a file is deleted, it results in three steps:
–1) the deletion of the file’s folder entry in the folder in which the file resided
–2) the creation of a new folder entry for the file in the Recycle Bin
–3) the addition of information about the file in a hidden system file named INFO (or INFO2
depending on windows systems) in the Recycle Bin
There is an INFO2 file which contains an index of all the files that have been deleted, along with some
metadata about the recycled files. The INFO2 file will contain the original path, file size, and when the file was
deleted.
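The INFO2 index described above has a fixed binary layout (a 20-byte header followed by 800-byte records on Windows 2000/XP). The following parser is an added example, not part of this module and not a tool from any named vendor; the sample INFO2 blob it parses is constructed in the script from made-up paths and timestamps, and the `bin_name` field reproduces the in-bin naming scheme (drive letter plus index, as in the DC0.txt example above):

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of a Windows 2000/XP INFO2 file: a 20-byte header followed by
# fixed-size 800-byte records, one per recycled file.
HEADER_FMT = "<IIIII"          # version, unknown, unknown, record size, unknown
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 20
RECORD_SIZE = 800
# Record fields: ASCII original path (260 bytes), record index (4), drive number (4),
# deletion FILETIME (8), physical size (4), UTF-16LE original path (520 bytes).
FIELDS_FMT = "<IIQI"
FIELDS_OFFSET = 260
UNICODE_OFFSET = 280
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def recycled_name(drive_number, index, original_path):
    """Name the file gets inside the bin: 'D' + drive letter + index + original extension,
    e.g. index 0 on drive C: for a .txt file becomes DC0.txt."""
    ext = ""
    if "." in original_path.rsplit("\\", 1)[-1]:
        ext = "." + original_path.rsplit(".", 1)[1]
    return "D" + chr(ord("A") + drive_number) + str(index) + ext


def parse_info2(data):
    """Parse an INFO2 blob into a list of dicts, one per record."""
    version, _, _, record_size, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if record_size != RECORD_SIZE:
        raise ValueError(f"unsupported INFO2 record size {record_size}")
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        ascii_raw = rec[:FIELDS_OFFSET]
        index, drive, ft, size = struct.unpack_from(FIELDS_FMT, rec, FIELDS_OFFSET)
        unicode_path = rec[UNICODE_OFFSET:].decode("utf-16-le").split("\x00", 1)[0]
        records.append({
            "index": index,
            "drive_number": drive,
            "original_path": unicode_path,
            "bin_name": recycled_name(drive, index, unicode_path),
            "deleted": filetime_to_datetime(ft),
            "file_size": size,
            # A NUL as the first byte of the ASCII path marks an entry whose file was
            # restored or emptied from the bin; the record itself stays in INFO2.
            "emptied": ascii_raw[0] == 0,
        })
    return records


def build_info2(entries):
    """Construct a sample INFO2 blob (test data, not a real artifact) from
    (original_path, drive_number, deleted_datetime, size, emptied) tuples."""
    blob = bytearray(struct.pack(HEADER_FMT, 5, 0, 0, RECORD_SIZE, 0))
    for index, (path, drive, when, size, emptied) in enumerate(entries):
        rec = bytearray(RECORD_SIZE)
        a = path.encode("latin-1")[:FIELDS_OFFSET - 1]
        rec[:len(a)] = a
        if emptied:
            rec[0] = 0
        struct.pack_into(FIELDS_FMT, rec, FIELDS_OFFSET, index, drive,
                         datetime_to_filetime(when), size)
        u = path.encode("utf-16-le")[:RECORD_SIZE - UNICODE_OFFSET - 2]
        rec[UNICODE_OFFSET:UNICODE_OFFSET + len(u)] = u
        blob += rec
    return bytes(blob)


# Constructed sample: two recycled files, the second already emptied from the bin.
SAMPLE_INFO2 = build_info2([
    ("C:\\Documents and Settings\\bob\\secret.doc", 2,
     datetime(2004, 6, 15, 12, 30, tzinfo=timezone.utc), 4096, False),
    ("D:\\photos\\img001.jpg", 3,
     datetime(2004, 6, 16, 8, 5, 9, tzinfo=timezone.utc), 81920, True),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["bin_name"], r["original_path"], r["deleted"].isoformat(),
              r["file_size"], "emptied" if r["emptied"] else "")
```

The deletion timestamp is stored as UTC; convert it to the subject machine's time zone only when building a timeline against other local-time sources such as setupapi logs.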
The Recycle Bin in Windows Vista / 7
The contents of the Recycle Bin have changed in Windows Vista/7
The name of the folder itself has changed to "$Recycle.bin"

–Open a DOS command prompt, go to the C: drive and type cd $Recycle.bin


The INFO2 file that is present in Windows 2000/XP/2003 has been removed

In Windows Vista, two files are created when a file is deleted into the Recycle Bin
–Both files have the same random-looking name, but the names are prefixed with
"$R" or "$I"
–The file with "$R" at the beginning of the name is the actual data of the deleted file
–The file with "$I" at the beginning of the name contains the path where the file
originally resided, as well as the date and time it was deleted
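The $I metadata file has a small fixed header (8-byte version, 8-byte original size, 8-byte deletion FILETIME) followed by the original path: a fixed 520-byte UTF-16LE field in version 1 (Vista/7/8) and a length-prefixed field in version 2 (Windows 10). The parser below is an added example, not a tool from this module or any vendor; it also shows the $I-to-$R name pairing and the CSV export that the parse application mentioned earlier produces. The $I blobs it reads are constructed in the script from made-up paths and times:

```python
import struct
import csv
import io
import os
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PATH_FIELD_V1 = 520   # version 1 ($I on Vista/7/8): fixed 520-byte UTF-16LE path field


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_file(data):
    """Parse one $I file. Header: 8-byte version, 8-byte original size, 8-byte deletion
    FILETIME. Version 1 is followed by a fixed 520-byte path; version 2 (Windows 10) by a
    4-byte character count (including the terminating NUL) and a variable-length path."""
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + PATH_FIELD_V1].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_path": path, "file_size": size,
            "deleted": filetime_to_datetime(ft)}


def r_file_for(i_name):
    """The $R file holding the content shares the random suffix of its $I file."""
    base = os.path.basename(i_name)
    if not base.startswith("$I"):
        raise ValueError("not a $I file name")
    return os.path.join(os.path.dirname(i_name), "$R" + base[2:])


def build_i_file(version, path, size, when):
    """Construct a $I blob for testing (sample data, not a real artifact)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(when))
    encoded = path.encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(PATH_FIELD_V1, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded + b"\x00\x00"


def to_csv(parsed):
    """CSV export: one row per $I file with its $R pair, original path, size and time."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["i_file", "r_file", "original_path", "file_size", "deleted_utc"])
    for name, rec in parsed.items():
        w.writerow([name, r_file_for(name), rec["original_path"],
                    rec["file_size"], rec["deleted"].isoformat()])
    return buf.getvalue()


# Constructed samples: one version-1 (Vista/7) and one version-2 (Windows 10) $I file.
SAMPLES = {
    "$IABC123.txt": build_i_file(1, "C:\\Users\\alice\\Desktop\\notes.txt", 1234,
                                 datetime(2013, 4, 2, 9, 15, 30, tzinfo=timezone.utc)),
    "$IXY9Z01.docx": build_i_file(2, "C:\\Users\\alice\\Documents\\report.docx", 45678,
                                  datetime(2021, 11, 5, 17, 48, 2, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    print(to_csv({name: parse_i_file(blob) for name, blob in SAMPLES.items()}))
```

When an $I file has no matching $R (or vice versa), the user emptied the bin or the pair was partially overwritten; the orphaned $I still yields the original path and deletion time.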
Case study: Viewing the Recycle Bin using EnCase
How do you view the Recycle Bin using EnCase?
–(you do not have to acquire the disk)
–Locate the Recycle Bin using EnCase
–Locate the system SIDs
–Locate the deleted files
USB Device Forensics

Windows keeps a history log of all previously connected USB devices along with their
connection times, in addition to the user account that installed them. The
Windows registry also stores important technical information for each connected USB
device, such as vendor ID, product ID, revision, and serial number.

Windows stores USB history-related information in five registry locations, where each
key offers a different piece of information about the connected device. By merging
this information together, investigators get an idea of how an offender has used
removable devices such as USB drives to conduct or facilitate his/her actions.
1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Here you will find all USB devices that have been plugged into the operating system since its
installation. It shows the USB vendor ID (manufacturer name), product ID, and the device
serial number (note that if the second character of the device serial number is "&", the
connected device does not have a serial number and the device ID has been generated by the
system). See Figure 8.1 for a list of previously connected USB devices on the author's
machine.
Figure 8.1: History of USB connected devices
2. HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
The MountedDevices subkey stores the drive letter allocations; it matches the serial number
of a USB device to a given drive letter or volume that was mounted when the USB device was
inserted.
3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
This key records which user was logged into Windows when a specific USB device was
connected. The key also includes the "Last Write Time" for each device that was connected
to the system.
4. HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Enum\Usb This key holds
technical information about each connected USB device in addition to the last time the
subject USB was connected to the investigated computer.

5. Identify the first time a device was connected: check the file
\Windows\inf\setupapi.dev.log on Windows Vista, 7, and 8, and
\Windows\inf\setupapi.upgrade.log on Windows 10.
On Windows XP, this file is located at \Windows\setupapi.log. Search this file for a
particular USB device's serial number to learn when it was first connected to the subject
system (in local time).
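Steps 1, 2 and 5 above are usually combined: the serial number from USBSTOR is looked up in the setupapi log to get the first-connection time, and in MountedDevices to get the drive letter. The script below is an added example (not from this module, USBDeview or any other named tool) that does that correlation offline. Its setupapi.dev.log excerpt and MountedDevices values are constructed sample data: the log follows the ">>>  [Device Install ...]" / ">>>  Section start <timestamp>" section layout of Windows 7 and later, and the MountedDevices values for USB volumes are the UTF-16LE `_??_USBSTOR#...` device paths, with a 12-byte signature-and-offset blob standing in for a fixed disk. The generated-ID rule from step 1 (second character "&") is applied when extracting serials:

```python
import re
from datetime import datetime

# Constructed setupapi.dev.log excerpt (sample data, not from a real system). Each driver
# install section opens with ">>>  [Device Install ...]" and a ">>>  Section start" line.
SETUPAPI_SAMPLE = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2019/03/15 10:22:31.456
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2019/03/15 10:22:33.101
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\4C530001234567890123&0]
>>>  Section start 2019/03/15 10:22:33.211
<<<  Section end 2019/03/15 10:22:34.002
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
>>>  Section start 2019/04/02 14:03:10.020
<<<  Section end 2019/04/02 14:03:11.500
<<<  [Exit status: SUCCESS]
"""

INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def serial_from_instance(instance_id):
    """USBSTOR instance ids look like '<serial>&0'. When the second character is '&'
    (e.g. '7&1a2b3c4d&0') the device reported no serial and Windows generated the id,
    so the whole id is the only stable handle for that device."""
    if len(instance_id) > 1 and instance_id[1] == "&":
        return instance_id
    return instance_id.split("&", 1)[0]


def first_install_times(log_text):
    """Map each USBSTOR device to the timestamp of its first driver install section."""
    first = {}
    pending = None
    for line in log_text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = m.group("devid")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            devid, pending = pending, None
            if devid.upper().startswith("USBSTOR\\"):
                serial = serial_from_instance(devid.rsplit("\\", 1)[1])
                # Timestamps are local time exactly as logged; keep the earliest per device.
                ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
                if serial not in first or ts < first[serial]:
                    first[serial] = ts
    return first


# Constructed MountedDevices values: USB volumes carry a UTF-16LE device path naming the
# USBSTOR instance; fixed disks carry a 12-byte disk-signature + partition-offset blob.
MOUNTED_DEVICES_SAMPLE = {
    "\\DosDevices\\C:": b"\x12\x34\x56\x78" + (0x100000).to_bytes(8, "little"),
    "\\DosDevices\\E:": ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26#"
                         "4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
                         ).encode("utf-16-le"),
    "\\DosDevices\\F:": ("_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#"
                         "7&1a2b3c4d&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
                         ).encode("utf-16-le"),
}


def usb_drive_letters(mounted):
    """Map USBSTOR serial -> drive letter recorded for it in MountedDevices."""
    letters = {}
    for name, blob in mounted.items():
        if not name.startswith("\\DosDevices\\") or len(blob) % 2:
            continue
        text = blob.decode("utf-16-le", errors="replace")
        if not text.startswith("_??_USBSTOR#"):
            continue  # fixed disk or non-USB volume
        parts = text.split("#")
        if len(parts) >= 3:
            letters[serial_from_instance(parts[2])] = name.rsplit("\\", 1)[1]
    return letters


def correlate(log_text, mounted):
    """Join first-connection time (setupapi) with drive letter (MountedDevices) per device."""
    first = first_install_times(log_text)
    letters = usb_drive_letters(mounted)
    return {s: {"first_connected": t, "drive_letter": letters.get(s)}
            for s, t in first.items()}


if __name__ == "__main__":
    for serial, info in correlate(SETUPAPI_SAMPLE, MOUNTED_DEVICES_SAMPLE).items():
        print(serial, info["first_connected"].isoformat(sep=" "), info["drive_letter"])
```

On a live system the MountedDevices values would come from the registry; on an image, from an exported SYSTEM hive. Only the USBSTOR sections are used for the first-connection time because the parent USB\VID_...\ entry is installed moments earlier and does not carry the "&0" instance suffix that MountedDevices records.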
To automate the process of finding information about the current and previously connected
USB devices, you can download a free tool by Nirsoft that performs all the tasks we just did
manually; this tool is called USBDeview (www.nirsoft.net/utils/usb_devices_view.html).

After executing this tool on the target system, extended information (e.g., device
name/description, device type, serial number, and much more) about each connected USB
device will appear.
The Last Plug/Unplug Date represents the first time that the device was connected to the system. This date does not
change when the same device is repeatedly reinserted. The "Created Date" represents the last time that the same
device was attached to the system.
Unfortunately, not all USB device types will leave traces in the Windows registry as we have
described; for instance, USB devices that use the media transfer protocol (MTP) when
connecting with computers.

Devices equipped with modern Android OS versions, in addition to Windows phones and
BlackBerry, all use the MTP protocol; this protocol does not leave traces in the Windows
registry when a USB device is connected to a Windows computer. This necessitates a
specialized tool to handle the investigation of such artifacts.
USB Detective (https://usbdetective.com) supports detecting USB devices that use the
MTP protocol to connect to Windows. It also offers rich features for thoroughly
investigating connected USB devices, like creating timelines of all unique
connection/disconnection and deletion timestamps for each device; however, you need to
upgrade to the professional paid version to use all features.

To conclude this section, a USB device connected through an MTP connection needs
special treatment to acquire its traces from a Windows machine; consult your computer
forensic software documentation for the availability of such a feature.
ADDITIONAL READING

More information about USB devices and MTP can be found at

• SANS DFIR Summit presentation: https://digital-forensics.sans.org/summit-archives/dfir14/USB_Devices_and_Media_Transfer_Protocol_Nicole_Ibrahim.pdf
• Nicole Ibrahim's series of blog posts about this topic:
http://nicoleibrahim.com/part-1-mtp-and-ptp-usb-device-research/

Note! USB Forensic Tracker (USBFT), available at
http://www.orionforensics.com/forensics-tools/usb-forensic-tracker/, is a free, comprehensive suite for investigating
USB devices. It supports Windows, Linux, and Mac and can retrieve USB device connection artifacts from live
systems, mounted forensic images, or volume shadow copies.
