Can Computer Investigations Survive Windows XP? - An Examination of Microsoft Windows XP and its Effect on Computer Forensics
Can Computer Investigations Survive Windows XP? An Examination of Microsoft Windows XP and its Effect on Computer Forensics December 2001 by Kimberly Stone and Richard Keightley 2001 Guidance Software All Rights Reserved
Executive Summary

Windows XP, Microsoft's latest operating system, has arrived and is now appearing on computers slated for forensic investigation. Computer forensics examiners are also beginning to use Windows XP as the platform on which they conduct forensic analysis. This white paper examines Windows XP both as a platform used by an examiner for computer forensics investigations and as a subject file system for computer forensics analysis.

There is some uncertainty regarding how to conduct a computer forensic analysis of an XP system. Some have speculated that Windows XP may significantly hamper the ability to conduct computer forensic investigations. This paper tests that theory and also proposes Windows XP as a viable choice of forensic operating system. The study was conducted using EnCase® software. EnCase is a fully integrated Windows-based computer forensic application that provides investigators with the means of analyzing all electronic data contained on computer drives for evidentiary purposes.

Introduction

Windows XP appears to be an improved operating system, touting increased stability, increased user friendliness, more features and (of more importance to forensic investigators everywhere) increased security. The two main security issues with Windows XP are the "secure erase" (otherwise termed "scrubbing") feature for deleted data and the built-in file-encryption feature (EFS). This analysis illustrates that a proper forensic analysis of an XP system requires a clear understanding of how Windows XP and its NTFS file system work and store data. Otherwise, those in the security industry may be confused by the speculation and myths that have propagated since the release of the operating system. While Windows XP comes in both a Home edition and a Professional edition, these tests were conducted on the Professional edition alone, as the Home edition is (for the most part) a stripped-down version of the Professional edition.
Definitions of the terms used in this paper are given at the end of the document.

Section 1 Tests: Windows XP as a Forensics Platform

Like any new operating system from Microsoft, Windows XP needs more hard drive space than its predecessor (1.5 GB for a full install) and more RAM. Microsoft recommends that users have 128 MB of RAM installed. Most reports from the field recommend 256 MB, especially if one is going to take advantage of such features as support for multiple users. Keeping Microsoft's recommendation in mind, all tests were conducted on a typical mid-range PC (Gateway GP7-600, Pentium III at 600 MHz, 128 MB RAM) using EnCase v3.16. [Note: forensic examiners typically use high-end systems with substantial memory and data storage.]

.Windows XP White Paper 2
Investigative Methods

To prepare for this portion of the study, an 8.4 GB drive was wiped, partitioned and formatted as NTFS (a prerequisite for the file-encryption abilities in Windows XP). A substantial number of files were then copied to it; some were encrypted and others deleted to mimic the file patterns found on a typical XP hard drive. The hard drive was then connected via its IDE interface through a FastBloc™ (a physical write-block device manufactured by Guidance Software). Setting up the FastBloc unit in Windows XP was simple. Windows 98 and Windows 2000 require the examiner to install a generic "disk drive" driver by hand, but Windows XP detected and installed the driver for the FastBloc quickly, with no browsing or prompting on our part.

The next step was to acquire the drive physically in both Windows XP Professional and Windows 2000 (SP2), once each with no compression and once each with best compression.

No compression
• Windows 2000: 15 minutes, 6 seconds
• Windows XP: 14 minutes, 45 seconds

Best compression
• Windows 2000: 30 minutes, 16 seconds
• Windows XP: 30 minutes, 2 seconds

XP acquired the test drive faster than Windows 2000 in both tests.

[Figure: EnCase media acquisition with FastBloc; time in minutes for Windows XP and Windows 2000 with compression NONE and compression BEST. Windows XP edges out 2000 in FastBloc acquisitions.]

Having acquired an evidence file, XP was primed to be stressed some more. Next, a battery of EnCase 3.16 functions was run in both Windows 2000 Professional (SP2) and Windows XP Professional. Knowing XP's need for memory, it was speculated that Windows 2000 would beat XP in every test, but this was not the case.
Five more tests were conducted. The timings, read from the bar charts in the original, are:

Test                                    Windows XP    Windows 2000   Result
1. Evidence file verification           10.3 min      10.1 min       Windows 2000 just defeats XP
2. Hash Drive command                   10.6 min      10.5 min       Windows 2000 beats XP
3. One-keyword search                   15.75 min     16 min         Windows 2000 barely loses to XP
4. Ten-keyword search                   102.5 min     60.75 min      Windows 2000 comes up strong
5. Page-Down in Gallery (previewing     8 s           6 s            2-second differential, multiplied
   through FastBloc)                                                  over and over again
[Figure: EnCase gallery view]

Results of the above five tests: As demonstrated above, Windows 2000 barely beats Windows XP in most of the tests, lagging behind only in the one-term keyword search but coming up strong in the ten-term keyword search. One of the most interesting results came from using the Page-Down command while previewing graphics thumbnails on the test media. Windows 2000 beat Windows XP by a full two seconds. While this is not much time for a single Page-Down, considering the number of times one is likely to tap the key during a preview, the differential adds up quickly. The above data shows that EnCase runs solidly on Windows XP and, in some functions, even faster than on Windows 2000.
Section II Forensic Analysis of Windows XP Media

Introduction

Many computers are now shipping with Windows XP Home or Professional edition. It is imperative for computer forensic professionals to familiarize themselves with this file system and to know what to expect when an XP case arrives for examination. In this document we identify 1) the technical aspects of the Windows XP file system; 2) how files are stored and deleted; and 3) the rumored "automatic data scrubbing" feature.

Creating, storing and deleting data are the basic functions of every file system. How data is created, where it is stored and what occurs when it is deleted are questions constantly posed to investigators, and recovering data at each of these stages is a challenge. A number of concerns arise whenever a new operating system is encountered: investigators must determine how to proceed, where to look and what findings to expect. This white paper addresses these concerns and covers the aforementioned "data scrubbing."

Many features of the NTFS file system are cited in this document. These features are not new to NTFS and are therefore not explained thoroughly; NTFS is a complicated file system.

Testing Phases

EnCase version 3.16 was used for all of the following tests, in which the basic functions of the Windows XP file system were examined.

PHASE I – FILE SYSTEM

Windows XP Professional edition (version 5.1, build 2600) was installed on a 4 GB drive that had previously been wiped. During the install an administrator account was created. The computer was shut down and the hard drive imaged. By default, Windows XP installs the NTFS file system; however, FAT32 is also offered as an option during installation. The NTFS system was installed and examined.

The NTFS system files were examined first. These are the files created when an NTFS volume is formatted. They existed in the same manner as in Windows 2000.
System File               Windows NT   Windows 2000   Windows XP
MFT                       X            X              X
MFT Mirror                X            X              X
Log File                  X            X              X
Volume                    X            X              X
Attribute Def. Table      X            X              X
Root Filename Index       X            X              X
Cluster Bitmap            X            X              X
Partition Boot Sector     X            X              X
Bad Cluster File          X            X              X
Secure File               -            X              X
UpCase Table              X            X              X
Quota Table               X            -              -

The folder structure was as follows: $Extend, Documents and Settings, Program Files, Recycler, System Volume Information and Windows. This is essentially the same as Windows 2000, except that the Windows directory is now WINDOWS instead of WINNT.

The structure of the Master File Table (MFT) was examined and some very minor changes were noted in the MFT record header; otherwise the structure is exactly the same. Navigating through the MFT record headers and file attributes was straightforward, as the techniques are the same as those used with previous versions of NTFS. File data is stored either resident (inside the MFT record) or non-resident (in clusters outside the MFT), just as in all versions of NTFS.

PHASE II – FILE STORAGE

Several tests were conducted to determine how files are stored in the Windows XP NTFS environment. Windows XP was booted and three small text files were created on the volume. The drive was then imaged and the three small files examined: all were stored as resident data in the MFT. Windows XP was booted again and five large image files were created. The drive was imaged and the images examined: all were stored as non-resident data, and the $DATA attribute in each MFT record contained pointers (data runs) to the data. Overall, the storage process behaves in the same way as in prior NTFS versions. This provided a good platform for testing the deletion process.
PHASE III – FILE DELETION

The first step in the investigation of XP media was analyzing the deletion of resident files. A series of tests was conducted in which resident files were created, recycled and then deleted from the Recycler, and EnCase was used to examine the results. The recycling process remains the same as in previous versions of Windows on NTFS: the file's MFT record is rewritten with a new Recycle Bin filename. The deletion process is the same as well: the MFT records containing the resident data remained in the MFT, marked as not in use, until overwritten by a new MFT record. As a final test for resident data, 150 resident files were created on the volume. All were recycled and deleted, the drive was imaged and the evidence file opened with EnCase. EnCase properly undeleted all 150 resident files.

A series of tests was then conducted with non-resident files, which were likewise created, recycled and deleted from the Recycler. EnCase was used to track the MFT records, the data runs and the clusters occupied by the files throughout the process. When the files were recycled and deleted, the MFT records remained in the MFT, marked as not in use, until overwritten by a new MFT record; the data remained intact in the previously allocated clusters until overwritten by another file. The Recycler process remains the same as in previous versions of Windows on NTFS. As a final test for non-resident files, 150 files with non-resident data were created, recycled and deleted. The drive was imaged and opened with EnCase, which properly undeleted all 150 non-resident files.

Figure 1: Deleted files on an XP drive displayed by EnCase
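The two findings above (Phase II: small files resident in the MFT record, large files described by data runs; Phase III: a deleted record keeps its name, resident data and runs until a new record overwrites it) come down to a few header fields. The following is an added example, not code from the paper or from EnCase: it constructs MFT records in the XP (NTFS 3.1) layout with a $FILE_NAME and a $DATA attribute, then parses them the way an examiner reads them in a hex view. The file names, contents and cluster numbers are invented sample data; the record layout (flags at 0x16, record number at 0x2C, first attribute at 0x38, run-list encoding) is the documented NTFS format.

```python
# Added example (not the Guidance Software paper's code): build and parse NTFS 3.1
# MFT records to show why recycled-then-deleted files remain recoverable.
import struct

ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
FLAG_IN_USE = 0x01          # bit 0 of the record flags at offset 0x16
RECORD_SIZE = 1024          # default MFT record size on 2000/XP volumes


def build_attr(atype, body, nonres=None):
    """Attribute = 16-byte common header + resident (8 B) or non-resident (48 B)
    header + body, padded to 8 bytes; the length field is patched in last."""
    if nonres is None:
        hdr = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0x18, 0, 0,
                          len(body), 0x18, 0, 0)
    else:
        hdr = struct.pack("<IIBBHHH", atype, 0, 1, 0, 0x40, 0, 0) + nonres
    attr = hdr + body
    attr += b"\x00" * (-len(attr) % 8)
    return attr[:4] + struct.pack("<I", len(attr)) + attr[8:]


def encode_runs(runs):
    """Run list: header nibbles (offset size, length size), then length and
    LCN delta. Fixed 2-byte length / 4-byte signed offset here (header 0x42)."""
    out, prev = b"", 0
    for lcn, length in runs:
        out += bytes([0x42]) + struct.pack("<Hi", length, lcn - prev)
        prev = lcn
    return out + b"\x00"


def decode_runs(buf):
    """Return [(lcn, cluster_count)] from a run list; offsets are cumulative."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        lsz, osz = buf[pos] & 0x0F, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + lsz], "little")
        lcn += int.from_bytes(buf[pos + 1 + lsz:pos + 1 + lsz + osz], "little", signed=True)
        runs.append((lcn, length))
        pos += 1 + lsz + osz
    return runs


def build_record(recno, name, data=None, runs=None, in_use=True, size=0):
    """Constructed MFT record: $FILE_NAME plus a resident (data=) or
    non-resident (runs=) $DATA. Header uses the XP layout (record number
    at 0x2C, first attribute at 0x38)."""
    fn = struct.pack("<7QII", 5, 0, 0, 0, 0, 0, 0, 0, 0)      # parent=root(5), times, sizes, flags
    fn += bytes([len(name), 1]) + name.encode("utf-16-le")      # namespace 1 = Win32
    attrs = build_attr(ATTR_FILE_NAME, fn)
    if runs is None:
        attrs += build_attr(ATTR_DATA, data)
    else:
        nclust = sum(n for _, n in runs)
        nr = struct.pack("<QQHHIQQQ", 0, nclust - 1, 0x40, 0, 0, nclust * 4096, size, size)
        attrs += build_attr(ATTR_DATA, encode_runs(runs), nonres=nr)
    attrs += b"\xff\xff\xff\xff"                                # end-of-attributes marker
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      FLAG_IN_USE if in_use else 0, 0x38 + len(attrs),
                      RECORD_SIZE, 0, 3, 0, recno)
    hdr += b"\x00" * 8                                          # update sequence array
    rec = hdr + attrs
    return rec + b"\x00" * (RECORD_SIZE - len(rec))


def parse_record(rec):
    """Walk the attribute list the way an examiner would in a hex view."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT record")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
           "in_use": bool(flags & FLAG_IN_USE)}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == ATTR_FILE_NAME:
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + csize]
            out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA and rec[off + 8] == 0:           # resident: data lives in the MFT
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            out["data"] = rec[off + coff:off + coff + csize]
        elif atype == ATTR_DATA:                                 # non-resident: follow the runs
            run_off = struct.unpack_from("<H", rec, off + 0x20)[0]
            out["size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]
            out["runs"] = decode_runs(rec[off + run_off:off + alen])
        off += alen
    return out


def recover_deleted():
    """A record whose in-use bit is clear still carries its name, resident data
    and data runs until a new record overwrites it (constructed sample data)."""
    note = b"meeting at 9, bring the USB key"
    gone = parse_record(build_record(40, "notes.txt", data=note, in_use=False))
    photo = parse_record(build_record(41, "photo.jpg", runs=[(1000, 8), (2500, 4)],
                                      size=45000, in_use=False))
    return gone, photo


if __name__ == "__main__":
    for r in recover_deleted():
        print(r)
```

Deletion only clears the in-use bit (and the matching bits in $Bitmap); nothing in the record or its clusters is touched, which is exactly what lets a tool recover the name and content, and what the paper's 150-file tests confirm. The parser deliberately ignores the update sequence array (fix-ups) and the $STANDARD_INFORMATION attribute; on a real image the fix-up values must be applied to the last two bytes of each sector before the attributes are read.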
PHASE IV – THE SCRUBBING FEATURE

Windows 2000 and XP contain a "scrubbing" feature that has caused some worry and confusion. The feature is a command-line program, cipher, included with Windows 2000 and XP that provides an alternate method for managing the EFS (Encrypting File System). The version of the cipher tool included with XP can also overwrite, or "scrub", unallocated clusters, obliterating residual data within them. The program makes three passes of writes over unallocated space: the first pass writes hex 00, the second hex FF and the last pass random characters, making the residual data that lay in those clusters effectively impossible to recover. The cipher tool would appear to comply with the Department of Defense 5220.22-M disk-sanitizing standard, which states that "Non-Removable Rigid Disks" (hard drives) must be sanitized for reuse by "Overwriting all addressable locations with a character, its complement, then a random character and verify."

Tests were conducted in which the cipher tool was used to wipe all unallocated clusters, run from the root folder of the volume. After the program completed the wipe, the drives were imaged.

Example program output:

    To remove as much data as possible, please close all other applications while running CIPHER.
    Writing 0x00 ........................................
    Writing 0xFF ........................................
    Writing Random Numbers ........................................

Results: All unallocated space was filled with random values (which greatly affected compression of the evidence file). However, the cipher tool affected only the unallocated clusters and a very small portion of the MFT: 10-15 records in the MFT were overwritten, and the majority of the records marked as not in use went untouched.
The utility does not affect other items of evidentiary interest on a typical NTFS partition, such as file slack, registry files, the pagefile and file shortcuts. In terms of its anticipated end-user adoption, the cipher feature is a burdensome command-line utility that is difficult to find and operate. Notably, the wiping function is available in the Professional edition of XP and in Windows 2000, but is not included in the Home edition of XP. Despite some speculation, the function is not enabled by default, nor is it scheduled for repeated execution on an ongoing basis: cipher must be run from a command line each time the user wants to employ it. There is very little documentation supporting this feature, which is largely intended for programmers and system administrators for use in limited circumstances.
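The practical consequence of the two findings above (unallocated clusters are wiped, file slack is not) is easiest to see on a small cluster-addressed model. The following is an added example, not code from the paper or from Microsoft's cipher tool: a toy volume with a bitmap and first-fit allocation, in which a memo is written and deleted, a smaller file reuses part of its clusters, and the free space is then overwritten with the three passes the paper reports (0x00, 0xFF, random). The file names and contents are constructed sample data, the 512-byte cluster size is chosen to keep the example small, and the model is not NTFS (no MFT, no $Bitmap metadata file); it only reproduces the allocation behaviour that determines what survives. On a real XP system the wipe is invoked as cipher /w:<directory>, which is from Microsoft's documentation of the tool rather than from the paper.

```python
# Added example (not the paper's code): a toy cluster-addressed volume showing that
# a three-pass wipe of unallocated clusters leaves file slack untouched.
import os

CLUSTER = 512                       # toy cluster size; NTFS default is 4096


class ToyVolume:
    """Cluster-addressed disk with a bitmap, enough to model allocation, deletion,
    slack and a free-space wipe. Not NTFS, just the parts that matter here."""

    def __init__(self, nclusters):
        self.disk = bytearray(nclusters * CLUSTER)
        self.bitmap = [False] * nclusters          # True = allocated
        self.files = {}                            # name -> (first cluster, byte length)

    @staticmethod
    def clusters_for(nbytes):
        return -(-nbytes // CLUSTER)               # ceiling division

    def write(self, name, data):
        need = self.clusters_for(len(data))
        start = next(i for i in range(len(self.bitmap) - need + 1)
                     if not any(self.bitmap[i:i + need]))        # first fit, contiguous
        for i in range(start, start + need):
            self.bitmap[i] = True
        # Only len(data) bytes are written; the tail of the last cluster (file slack)
        # keeps whatever was there before.
        self.disk[start * CLUSTER:start * CLUSTER + len(data)] = data
        self.files[name] = (start, len(data))

    def delete(self, name):
        start, length = self.files.pop(name)
        for i in range(start, start + self.clusters_for(length)):
            self.bitmap[i] = False                 # clusters released, bytes untouched

    def wipe_unallocated(self):
        """Three passes over every unallocated cluster (0x00, 0xFF, random),
        the pattern the paper reports for the XP cipher tool."""
        for i, used in enumerate(self.bitmap):
            if used:
                continue
            for fill in (b"\x00" * CLUSTER, b"\xff" * CLUSTER, os.urandom(CLUSTER)):
                self.disk[i * CLUSTER:(i + 1) * CLUSTER] = fill

    def unallocated(self):
        return b"".join(bytes(self.disk[i * CLUSTER:(i + 1) * CLUSTER])
                        for i, used in enumerate(self.bitmap) if not used)

    def slack(self, name):
        start, length = self.files[name]
        end = (start + self.clusters_for(length)) * CLUSTER
        return bytes(self.disk[start * CLUSTER + length:end])


def where_is(vol, needle, live_file):
    """What a keyword search would hit: unallocated space and the live file's slack."""
    return {"unallocated": needle in vol.unallocated(),
            "slack": needle in vol.slack(live_file)}


def run_demo():
    """Constructed scenario: a memo is written and deleted, a smaller file reuses
    part of its clusters, then free space is wiped. Returns the keyword hits
    before and after the wipe."""
    vol = ToyVolume(8)
    memo = b"ACME merger memo, draft 3. " * 50     # 1350 bytes -> 3 clusters
    vol.write("memo.doc", memo)
    vol.delete("memo.doc")
    vol.write("report.txt", b"Q3 report " * 60)    # 600 bytes -> reuses clusters 0-1
    before = where_is(vol, b"merger memo", "report.txt")
    vol.wipe_unallocated()
    after = where_is(vol, b"merger memo", "report.txt")
    return before, after


if __name__ == "__main__":
    print(run_demo())
```

Before the wipe the memo text is found both in the unallocated third cluster and in the slack of report.txt; after the wipe only the slack copy remains, because the wipe walks the bitmap and never writes inside an allocated cluster. The same reasoning applies to the MFT records the paper found untouched: they sit in the allocated clusters of $MFT, not in free space.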
CONCLUSIONS AND RECOMMENDATIONS

Windows XP is a valid forensic operating environment with performance results similar to Windows 2000.

This examination of the Windows XP file system demonstrates that the operating system will introduce new challenges for investigators. Windows XP brings the NTFS file system into home computers. Investigators are just now reporting an increase in residential Windows 2000 cases; however, most are still FAT32 file systems. It is very likely that the near future will bring NTFS to the forefront of computer forensic investigations. With the proper tools and examination methods, evidence can be located and explained.

The scrubbing feature is a part of Windows XP, but it is not all that it was initially thought to be. It is a command-line tool that is difficult to use and time consuming, and it is nothing more than a good wiping utility for unallocated space. The average computer user will not know how to use it, and even when it is used, evidence artifacts still remain in certain system files and in file slack.

Because of the inherent complexity of file systems and their interaction with the operating system, all investigators who wish to properly examine and understand evidence found in the NTFS file system should obtain formal forensic training on NTFS. Guidance Software offers such training in its advanced computer forensics course.

DEFINITION OF TERMS

Deleted: A file deleted manually ("emptied") from the Recycle Bin.
EFS: Encrypting File System.
Evidence File: An EnCase evidence file.
MFT: Master File Table.
Non-resident: Refers to a file too large to be stored in its MFT record. Its disk location is stored in the MFT as one or more pointers (data runs) to the data.
Recycled: A file placed in the Recycler.
Resident: Refers to a file small enough to be stored within its own MFT record.
Shut Down: Means that the computer was shut down using the normal Windows "Shut Down" command.
Wiped: Space on a hard drive that has been overwritten with a hex character, typically \x00, but could be any value or even random characters.
ABOUT THE AUTHORS

Richard Keightley is a graduate of Kenyon College in Ohio and has been working with computers and networks for the past ten years. Rich is Senior Technical Services Specialist at Guidance Software and has been giving support and consultation to computer forensics investigators for the past two years.

Kimberly Stone graduated from the University of California Los Angeles with a degree in computer science and has been working in programming and Web development for the past four years. Kimberly is a Junior Programmer at Guidance Software.

CONTACT INFORMATION

For more information, please contact:
Guidance Software
572 E. Green St., Ste. 300
Pasadena, CA 91101
Phone: (626) 229-9191
Email: info@EnCase.com
www.EnCase.com