Operating System Forensics
Importance of operating system forensics
• Ultimately, in a forensic examination, we are investigating the actions of a person
• Almost every event or action on a system is the result of a user either doing something
• Many events change the state of the Operating System (OS)
• OS forensics helps us understand how system changes correlate to events resulting from the action of somebody in the real world
Goal: Extract and interpret data of investigative value from computers running Windows operating systems
There are many versions of Windows out there:
Some of the older versions are outdated and no longer used: Windows 9x, NT, ME, 2000, XP
Windows boot sequence
Windows startup: Why is it relevant for forensics?
1. Interrupt the boot process to view and document the CMOS configuration
2. Explain which files were altered in the startup process
E.g., if an evidentiary system was accidentally booted, demonstrate that no user-created files were modified
3. Determine which version of the OS was running and when it was installed
4. Examine the startup process for signs of tampering
E.g., important when investigating malware
Startup in Windows NT and later
All NTFS computers perform the following steps when the computer is turned on:
Contamination concerns with Windows:
• When you start a Windows XP NTFS workstation, several files are accessed immediately. The last access date and time stamp of those files changes to the current date and time.
• This may destroy potential evidence, e.g., evidence that shows when a Windows workstation was last used.
• Determining which files are changed upon startup and shutdown can be done with some forensic tools.
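One way to establish which files a startup touched (and to support the "no user-created files were modified" demonstration above) is to snapshot file metadata before and after and diff the two. This is an added example, not part of the slides or any forensic product; it assumes it runs against a working copy of the evidence, never the original, and the directory tree, file names and simulated boot are constructed.

```python
import hashlib, os, tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root to (size, mtime_ns, atime_ns, sha256)."""
    snap = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            st = path.stat()                     # timestamps before we read
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            # Our read may bump atime: restore it so the examiner's tooling is not mistaken for system activity.
            os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
            snap[path.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, st.st_atime_ns, digest)
    return snap


def diff_snapshots(before, after):
    """Classify every path as content-changed, timestamp-only, added or removed."""
    report = {"content": [], "timestamp_only": [], "added": [], "removed": []}
    for p in sorted(set(before) | set(after)):
        if p not in before:
            report["added"].append(p)
        elif p not in after:
            report["removed"].append(p)
        else:
            b, a = before[p], after[p]
            if b[3] != a[3] or b[0] != a[0]:
                report["content"].append(p)
            elif b[1:3] != a[1:3]:           # same bytes, only mtime/atime moved
                report["timestamp_only"].append(p)
    return report


def demo():
    """Constructed tree (a user document plus system files) and a simulated boot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("user", "system"):
            (root / d).mkdir()
        (root / "user" / "notes.txt").write_text("draft")
        (root / "system" / "boot.log").write_text("ok")
        (root / "system" / "pagefile").write_bytes(b"\0" * 16)
        before = snapshot(root)
        # Simulated startup: boot.log rewritten, pagefile only accessed (atime +1 s), a new log created.
        (root / "system" / "boot.log").write_text("ok\nbooted")
        st = (root / "system" / "pagefile").stat()
        os.utime(root / "system" / "pagefile", ns=(st.st_atime_ns + 10**9, st.st_mtime_ns))
        (root / "system" / "new.evtx").write_bytes(b"ElfFile")
        return diff_snapshots(before, snapshot(root))
```

The report separates files whose bytes changed from files that were merely accessed, which is exactly the distinction needed when arguing that a boot touched only system files.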
Relevant Windows data structures:
NTFS
Windows Registry
Windows Event Log
Windows Registry:
The Registry is the heart and soul of Windows OSes and a wealth of information can be recovered:
• System configuration
• Devices on the system
• User names
• Personal settings and browser preferences
• Web browsing activity
• Files opened
• Programs executed
• Passwords
Registry access activity
• Virtually everything done in Windows refers to or is recorded into the Registry
The RegMon program can be used to display registry activity in real time
• Registry access barely remains idle: the registry is referenced in one way or another with every action taken by the user
Windows Event Log
Whenever an event, such as a user logging on or off, occurs, the operating system logs the event. An event can be any occurrence that the OS or a program wants to keep track of or alert the user about.
Windows has a centralized log service that allows applications and the OS to report events that have taken place:
• Application (example: Database message)
• System (example: driver failure)
• Security (example: Logon attempt, file access)
Example of detailed event tracking:
Detailed event tracking can include the following events:
#528 – Successful Login (the user authenticates to the system)
#592 – A new process has been created (application is launched)
#560 – Object Open (a file is requested)
#567 – Object Access (the file is modified and saved)
#564 – Object Deleted
#562 – Handle Closed (the file has been closed)
#593 – A Process Has Exited (the application was terminated)
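The sequence above can be turned into a per-user timeline by tracking each object handle from open to close. This is an added example, not from the slides: the event IDs are the pre-Vista Security log numbers the slide lists (Vista and later renumbered them, e.g. 528 became 4624), the log lines are constructed, and the time,id,user,key=value line format is an assumption for the demo.

```python
# Added example: rebuild a user's file-activity timeline from the legacy Security
# log event IDs listed above. Lines are constructed as time,id,user,key=value ...
EVENTS = r"""09:00:01,528,alice,logon
09:00:05,592,alice,pid=1200 image=WINWORD.EXE
09:00:09,560,alice,handle=0x44 object=C:\Docs\plan.doc pid=1200
09:01:30,567,alice,handle=0x44 access=WriteData
09:01:31,562,alice,handle=0x44
09:02:00,560,alice,handle=0x45 object=C:\Docs\old.doc pid=1200
09:02:01,564,alice,handle=0x45
09:02:02,562,alice,handle=0x45
09:03:00,593,alice,pid=1200"""


def parse_kv(detail):
    """Split 'k=v k=v' tokens into a dict; values are assumed to contain no spaces."""
    return dict(tok.split("=", 1) for tok in detail.split() if "=" in tok)


def reconstruct(log_text):
    """Return (story, dangling): story is [(time, user, verb, what)], dangling the
    handles still open when the log ends (activity the log did not see finish)."""
    handles, procs, story = {}, {}, []
    for line in log_text.splitlines():
        ts, eid, user, detail = line.split(",", 3)
        eid, kv = int(eid), parse_kv(detail)
        if eid == 528:                                   # successful logon
            story.append((ts, user, "logon", None))
        elif eid == 592:                                 # new process: remember pid -> image
            procs[kv["pid"]] = kv["image"]
            story.append((ts, user, "launched", kv["image"]))
        elif eid == 560:                                 # object open: start tracking the handle
            handles[kv["handle"]] = {"object": kv["object"], "pid": kv["pid"],
                                     "modified": False, "deleted": False}
        elif eid in (567, 564) and kv["handle"] in handles:   # 567 = modify (per the slide), 564 = delete
            handles[kv["handle"]]["modified" if eid == 567 else "deleted"] = True
        elif eid == 562 and kv["handle"] in handles:     # handle closed: one story line per access
            h = handles.pop(kv["handle"])
            verb = "deleted" if h["deleted"] else "modified" if h["modified"] else "read"
            story.append((ts, user, verb, f"{h['object']} via {procs.get(h['pid'], '?')}"))
        elif eid == 593:                                 # process exited
            story.append((ts, user, "exited", procs.pop(kv["pid"], "?")))
    return story, sorted(handles)
```

Handles that never see a 562 are reported separately: on a real system that usually means the log was cleared or rotated mid-session, which is itself worth noting in the report.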
Windows artifacts of user activities:
Volatile information
• Open network connections
• Running processes
Non-volatile information
• Hidden files
• Slack space
• Swap files
• Index.dat files
• Windows Search index
• Unallocated clusters
• Unused partitions
• Hidden partitions
• Registry settings
• Windows event logs
Operating System Forensics Tool:
PassMark OSForensics:
PassMark OSForensics allows you to identify suspicious files and activity with hash matching,
drive signature comparisons, e-mails, memory and binary data.
It lets you extract forensic evidence from computers quickly with advanced file searching and
indexing and enables this data to be managed effectively.
Features
Discover Forensic Evidence Faster
• Find files faster, search by filename, size and time
• Search within file contents using the Zoom search engine
• Search through email archives from Outlook, ThunderBird, Mozilla and more
• Recover and search deleted files
• Uncover recent activity of website visits, downloads and logins
• Collect detailed system information
• Password recovery from web browsers, decryption of office documents
• Discover and reveal hidden areas in your hard disk
• Browse Volume Shadow copies to see past versions of files
Platforms:
Windows XP SP3, Vista, Win 7, Win 8, Win 10, Server 2000, 2003, 2008, 2012. Available for both 32-bit and 64-bit platforms.
Requirements:
Minimum 1GB of RAM. (4GB+ recommended)
200MB of free disk space, or can be run from USB drive
DEMO:
Scenario:
Artifact: Physical Pendrive (Transcend 8 GB Pendrive)
Software used: PassMark OSForensics
Goal:
1) To extract the image and do live forensics
2) Identify the deleted files and pictures used for committing cyber crime.
Fig1.0, PassMark OSForensics Dashboard
Fig 1.1, Create a New Case
Fig 1.2, Provide Case details and Target location for forensics image.
Fig 1.3, Target location created Successfully.
Fig 1.4, Select the option ‘Deleted File Search’ in the Dashboard.
Fig 1.5, Select the target partition, i.e. the Transcend Pendrive, and click on Search as shown in the figure.
Fig 1.6, Current files and folders available inside the Artifact (Physical Pendrive).
Fig 1.7, Identified the deleted files and folders in the Pendrive.
Fig 1.8, Analysing a deleted image file.
Fig 1.9, Analysing a deleted text document file.
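What a deleted-file search does once the directory entry is gone is signature carving: scan the raw image for known file headers and footers and cut out whatever lies between them. Below is an added example of that technique (not OSForensics code); the image bytes are constructed, while the JPEG and PNG markers are the real file signatures.

```python
import hashlib

# Header/footer pairs for the two picture formats carved here.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_size=10 * 1024 * 1024):
    """Return [(offset, kind, sha256, data)] for every header..footer pair found in image."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            # Look for the footer only within max_size bytes so a lone header
            # does not swallow the rest of the image.
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                break            # remainder overwritten or truncated: nothing recoverable here
            end += len(footer)
            data = image[pos:end]
            # The hash lets the carved file be matched against a known-bad/known-good hash set.
            found.append((pos, kind, hashlib.sha256(data).hexdigest(), data))
            pos = image.find(header, end)
    return sorted(found)


def build_sample_image():
    """Constructed pendrive-style image: zeroed clusters, a fake JPEG, slack, a fake PNG."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-body" * 4 + b"\xff\xd9"
    png = SIGNATURES["png"][0] + b"IHDR...pixels..." + SIGNATURES["png"][1]
    return b"\x00" * 512 + jpg + b"\x00" * 100 + png + b"\x00" * 512
```

Stopping at the first FF D9 is a simplification: real JPEGs with an embedded EXIF thumbnail contain an inner FF D9, so production carvers parse the segment lengths instead of trusting the first footer.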
