Recovering deleted data from the Windows registry

The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.     

USB Storage Device Forensics for Windows 10

Significantly increased use of USB devices due to their user‐friendliness and large storage capacities poses various threats for many users/companies in terms of data theft that becomes easier due to their efficient mobility. Investigations for such data theft activities would require gathering critical digital information capable of recovering digital forensics artifacts like date, time, and device information. This research gathers three sets of registry and logs data: first, before insertion; second, during insertion; and the third, after removal of a USB device. These sets are analyzed to gather evidentiary information from Registry and Windows Event log that helps in tracking a USB device. This research furthers the prior research on earlier versions of Microsoft Windows and compares it with latest Windows 10 system. Comparison of Windows 8 and Windows 10 does not show much difference except for new subkey under USB Key in registry. However, comparison of Windows 7 with latest version indicates significant variances.     

Windows系统存储区DPAPI的解密技术研究

目的在电子数据取证过程中,数据的加解密经常是取证人员关注的重点。数据保护接口(DPAPI)作为Windows系统提供的数据保护接口被广泛使用,目前主要用于保护加密的数据。其特性主要表现在加密和解密必须在同一台计算机上操作,密钥的生成、使用和管理由Windows系统内部完成,如果更换计算机则无法解开DPAPI加密数据。通过对DPAPI加密机制的分析,以达到对Windows系统存储区的DPAPI加密数据进行离线解密的目的。方法通过深入研究分析Windows XP、Windows 7、Windows 10等多款操作系统的DPAPI加密流程和解密流程,确定系统存储区数据离线解密主要依赖于系统的注册表文件和主密钥文件。结果利用还原后的解密流程和算法,以及系统的注册表文件和主密钥文件,可以正常解开DPAPI加密数据。结论该方法可达到对Windows系统存储区的DPAPI加密数据进行离线解密的目的。     

针对进程用户空间的电子数据取证方法研究

进程用户空间中的信息往往与特定用户的特定操作行为直接关联,对于证据链的建立意义重大.从数目繁多的用户空间数据结构中筛选出最重要的三种：进程环境块、线程环境块与虚拟地址描述符,说明其定位方法,并重点讨论其结构格式的电子数据取证特性,为内存空间电子数据取证提供了新的思路与方法.实例分析部分,则以目前广泛使用的Windows 7操作系统为应用背景,说明了所述方法的具体应用.     

Extracting Windows command line details from physical memory

Current memory forensic tools concentrate mainly on system-related information like processes and sockets. There is a need for more memory forensic techniques to extract user-entered data retained in various Microsoft Windows applications such as the Windows command prompt. The command history is a prime source of evidence in many intrusions and other computer crimes, revealing important details about an offender’s activities on the subject system. This paper dissects the data structures of the command prompt history and gives forensic practitioners a tool for reconstructing the Windows command history from a Windows XP memory capture. At the same time, this paper demonstrates a methodology that can be generalized to extract user-entered data on other versions of Windows.     

Reverse engineering of ReFS

File system forensics is an important part of Digital Forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, while users have the option to create ReFS file systems, digital forensic investigators need to investigate the file systems identified on a seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content.Another concept not seen for Windows file systems, is the sharing of blocks. When a file is copied, both the original and the new file will share the same content blocks. If the user changes the copy, new data runs will be created for the modified content, but unchanged blocks remain shared. This may impact file carving, because part of the blocks previously used by a deleted file might still be in use by another file. The large default cluster size, 64 KiB, in ReFS v1.2 is an advantage when carving for deleted files, since most deleted files are less than 64 KiB and therefore only use a single cluster. For ReFS v3.2 this advantage has decreased because the standard cluster size is 4 KiB.Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has not been documented or peer-reviewed. The same is true for Paragon Software, which recently added ReFS support to their forensic product. Our work documents how ReFS v1.2 and ReFS v3.2 are structured at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing this paper, Paragon Software is the only digital forensic tool that supports ReFS v3.x.It is the most recent version of the ReFS file system that is most relevant for digital forensics, as Windows automatically updates the file system to the latest version on mount. This is why we have included information about ReFS v3.2. However, it is possible to change a registry value to avoid updating. The latest ReFS version observed is 3.4, but the information presented about 3.2 is still valid. In any criminal case, the investigator needs to investigate the file system version found.     

Forensic analysis of the Windows registry in memory

This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.     

Forensic analysis of the Windows registry in memory

This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.     

Forensic artefacts left by Windows Live Messenger 8.0

Windows Live Messenger – commonly referred by MSN Messenger – is the most used instant messaging client worldwide, and is mostly used on Microsoft Windows XP.Previous examination into MSN Messenger concludes that few traces reside on the hard disk after MSN usage [Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit Investig 2006;3]. In this article the opposite is concluded based on user settings, contact files and log files. With the use of file signatures and known file structures it is possible to recover useful information when deleted. Programs such as Forensic Box can help to analyse artefacts which are left behind after the use of Windows Live Messenger.     

NTFS volume mounts,directory junctions and $Reparse

The NTFS file system underlying modern Windows Versions provides the user with a number of novel ways in which to configure data storage and data paths within the NTFS environment. This article seeks to explain two of these, Volume Mount Points and Directory Junctions, such than when they are encountered the forensic examiner will have some information as to their use and structure.     

A Forensic Exploration of the Microsoft Windows 10 Timeline

The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes an inferred likelihood of digital forensic practitioners encountering this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts, which support the identification and understanding of how a user has behaved on their system provide a potential source of evidence. Now, following Microsoft's April 2018 build 1803 release with its incorporated “Timeline” feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature demonstrating the ability to recover activity‐based content from within its stored database log files. Examination results and underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query has been provided to support the interpretation of data stored within the ActivitiesCache.db .     

Using shellbag information to reconstruct user activities

Built into Microsoft Windows is the ability for the operating system to track user window viewing preferences specific to Windows Explorer. This information, which is called “ShellBag” information, is stored in several locations within the Windows Registry in the Windows Operating System. This paper introduces a novel method to examine ShellBag information within Registry snapshots to reconstruct user activities. It compares different states of ShellBag information within consecutive Registry snapshots in order to detect ShellBag-related user actions. Nine detection rules are proposed on the basis of analyzing the causality between user actions and updated ShellBag information. This approach can be used to prove that certain interactions between the user and system must have, or must not have happened during a certain time period.     

DigLA – A Digsby log analysis tool to identify forensic artifacts

Since the inception of Web 2.0, instant messaging, e-mailing, and social networking have emerged as cheap and efficient means of communication over the Web. As a result, a number of communication platforms like Digsby have been developed by various research groups to facilitate access to multiple e-mail, instant messaging, and social networking sites using a single credential. Although such platforms are advantageous for end-users, they present new challenges to digital forensic examiners because of their illegitimate use by anti-social elements. To identify digital artifacts from Digsby log data, an examiner is assumed to have knowledge of the whereabouts of Digsby traces before starting an investigation process. This paper proposes a design for a user-friendly GUI-based forensic tool, DigLA, which provides a unified platform for analyzing Digsby log data at different levels of granularity. DigLA is also equipped with password decryption methods for both machine-specific and portable installation versions of Digsby. By considering Windows registry and Digsby log files as dynamic sources of evidence, specifically when Digsby has been used to commit a cyber crime, this paper presents a systematic approach to analyzing Digsby log data. It also presents an approach to analyzing RAM and swap files to collect relevant traces, specifically the login credentials of Digsby and IM users. An expected insider attack from a server security perspective is also studied and discussed in this paper.     

Forensic artefacts left by Pidgin Messenger 2.0

Pidgin, formerly known as Gaim, is a multi-protocol instant messaging (IM) client that supports communication on most of the popular IM networks. Pidgin is chiefly popular under Linux, and is available for Windows, BSD and other UNIX versions. This article presents a number of traces that are left behind after the use of Pidgin on Linux, enabling digital investigators to search for and interpret instant messaging activities, including online conversations and file transfers. Specifically, the contents and structures of user settings, log files, contact files and the swap partition are discussed. In addition looking for such information in active files on a computer, forensic examiners can recover deleted items by searching a hard drive for file signatures and known file structures detailed in this article.     

Forensic carving of network packets and associated data structures

Using validated carving techniques, we show that popular operating systems (e.g. Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including establishment of prior connection activity and services used; identification of other systems present on the system’s LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and a readily available forensic corpora. These techniques are valuable to both forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.     

Medical devices; revocation of cardiac pacemaker registry. Food and Drug Administration, HHS. Final rule

The Food and Drug Administration (FDA) is issuing a final rule to revoke a regulation requiring a cardiac pacemaker registry. The registry, which was mandated by the Deficit Reduction Act of 1984, requires any physician and any provider of services who requests or receives Medicare payment for an implantation, removal, or replacement of permanent cardiac pacemaker devices and pacemaker leads to submit certain information to the registry. The information is used by FDA to track the performance of permanent cardiac pacemakers and pacemaker leads and by the Health Care Finance Administration (HCFA) to administer its Medicare payment program for these devices. This action is being taken to implement an act to Repeal An Unnecessary Medical Device Reporting Requirement passed by Congress in 1996 to remove the cardiac pacemaker registry to eliminate duplicative and unnecessary reporting.     

Obtaining forensic value from the cbWndExtra structures as used by Windows Common Controls,specifically for the Editbox control

The Windows Common Controls is a library which facilitates the construction of GUI controls commonly used by Windows applications. Each control is an extension of the basic ‘window’ class. The difference in the extension results in one control over another; for example, an Edit control as opposed to a Button control. The basic window class is documented by Microsoft and the generic information about a Window can be extracted, but this is of very limited use. There is no documentation and very little research into how these extensions are laid out in memory. This paper demonstrates how the extension bytes for the Edit control can be parsed leading to identification of previously unobtainable data which reveal information about the state of the control at runtime. Most notably, the undo buffer, that is, text that was previously present in the control can be recovered – an aspect which traditional disk forensics would simply not provide. The paper explains why previous attempts to achieve similar goals have failed, and how the technique could be applied to any control from the Windows Common Controls library.     

Private browsing: A window of forensic opportunity

The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user's InPrivate browsing, and to reliably associate such records with InPrivate browsing.     

Forensic analysis of Telegram Messenger for Windows Phone

This article presents a forensic analysis methodology for obtaining the digital evidence generated by one of today's many instant messaging applications, namely “Telegram Messenger” for “Windows Phone”, paying particular attention to the digital forensic artifacts produced. The paper provides an overview of this forensic analysis, while focusing particularly on how the information is structured and the user, chat and conversation data generated by the application are organised, with the goal of extracting related data from the information. The application has several other features (e.g. games, bots, stickers) besides those of an instant messaging application (e.g. messages, images, videos, files). It is therefore necessary to decode and interpret the information, which may relate to criminal offences, and establish the relation of different types of user, chat and conversation.