Windows Forensics

To date, much of the literature and tools have focused on Unix/Linux-based forensic analysis. The Unix/Linux (*nix) environment provides many capabilities not natively present on the Windows platform, including the ability to mount drives as read-only, perform complex regular expression queries on content, and obtain easy hardware-level drive access (as opposed to partition-level). No good forensic analyst discounts the value of the tools available on a platform such as Linux, and all would do well to become familiar with these tools; indeed, this book directly references several Windows ports of decades-old *nix tools as well as Cygwin-based tools. Any complete forensics lab has at least one Linux environment either native or running through a virtual machine product such as VMWare. Additionally, a large number of today's top analysts are specialists in these environments, and they will continue to be critical to forensic analysis.

Tip 

Cygwin is a Linux-like environment for Windows operating systems. Many commands useful in forensic analysis like strings and grep are included in the distribution. VMWare Workstation from EMC and Virtual PC 2004 from Microsoft are essential forensics tools for the loading of disk images as well as the analysis of forensic information.
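The Tip above names `strings` and `grep`, and the opening paragraph mentions regular expression queries against raw drive content. The following Python script is an added example, not code from the book, that reproduces what a `strings -t d image | grep -E pattern` pipeline does from Cygwin: it carves printable runs out of a raw image with their byte offsets, then applies a regular expression to them. It goes slightly beyond the Tip by also carving UTF-16LE runs, which is how much Windows-generated text (registry values, document metadata) is stored. `SAMPLE_IMAGE` is a constructed byte string standing in for a partition dump; the 512-byte sector size and the keyword patterns are assumptions for the demonstration.

```python
import re

# Constructed sample image: binary filler with ASCII and UTF-16LE strings
# embedded, standing in for a raw partition dump opened read-only.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"MEMO: call chris@example.invalid re: budget\x00"
    + b"\xff\x10\x7f" * 20
    + "Attachment: Q3_report.doc".encode("utf-16-le")
    + b"\x00" * 16
    + b"http://intranet.example.invalid/login\x00"
    + b"\x90" * 40
)

SECTOR = 512  # assumed sector size, used only to report where a hit lives


def extract_strings(data, min_len=4):
    """Return [(offset, encoding, text)] for printable runs of at least
    min_len characters, like `strings -t d`, but checking both 7-bit ASCII
    and UTF-16LE so Windows artifacts are not missed."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()  # by byte offset, so output reads like the image
    return found


def keyword_search(data, pattern, min_len=4):
    """The `| grep -E` half of the pipeline: apply a regular expression to
    every carved string and return the hits with their byte offset and the
    sector that contains them."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for offset, enc, text in extract_strings(data, min_len):
        if rx.search(text):
            hits.append({
                "offset": offset,
                "sector": offset // SECTOR,
                "encoding": enc,
                "text": text,
            })
    return hits


if __name__ == "__main__":
    # Example keyword list: e-mail addresses, Word documents, URLs.
    for hit in keyword_search(SAMPLE_IMAGE, r"[\w.]+@[\w.]+|\.doc$|https?://"):
        print(f"offset {hit['offset']:>8} (sector {hit['sector']}) "
              f"[{hit['encoding']}] {hit['text']}")
```

On a real image the script would read the file in binary mode from a read-only mount; the byte offset is what lets an analyst map a hit back to a sector and, from there, to the file or unallocated space that holds it.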

Despite the historical grounding of computer forensics in the *nix world, the Windows environment is ubiquitous in many organizations today. Depending on whom you ask, Windows penetration ranges from 85 percent to 97 percent of all computer-based operating system installations in the United States. Even the low-end figures illustrate that Windows remains the dominant operating system by a large margin and the one that analysts are most likely to encounter in a corporate setting. As Windows usage has grown, so has the support for Windows-based forensic tools and techniques. Companies such as Guidance Software and NewTechInfosystems (NTI) produce Windows-based forensic suites, and Sysinternals produces support tools that are invaluable assets in any toolbox. Also, capabilities not generally present in the *nix world such as remote drive acquisition (at the hardware level) are being introduced and changing the dynamics of forensic response.

Note 

Onestat quotes Windows penetration in the United States as 97.5 percent (http://www.onestat.com/html/aboutus_pressbox10.html). IDC shows Windows as having 85 percent of client sales in 2004 (http://www.news.com.com/2100-1001-243527.html?legacy=cnet), amplified by the fact that many Linux clients aren't purchased. LinuxWorld disputes the numbers (http://www.linuxworld.com/story/32648.htm), and moves by companies like IBM to Linux may change the statistics as well.

At the same time, new challenges are being presented to the forensic analyst. Encrypted File System (EFS), SYSKEY, and products like Microsoft Passport assist in providing increased security for the Windows environment, but they can make the job of the forensic analyst more difficult. The specifics of these technologies, as well as everything from Windows file systems to Internet Explorer history files, are currently relevant to most corporate investigators, but no comprehensive single source for this information is currently available. For the corporate investigator, this means having to cobble together information from numerous sources and apply *nix techniques to the Windows environment.

By providing a Windows-focused guide in terms of the target machines as well as the analysis tools, this book endeavors to provide *nix experts with the detailed workings of the Windows operating systems that pertain to forensic analysis. It also aims to provide solid grounding for Windows experts looking to break into the exciting and challenging world of computer forensics.

Not all investigations return the expected results. Investigating anomalous behavior can lead to unexpected findings (possibly the best example being Cliff Stoll's Cuckoo's Egg). One unusual-sounding referral from our help desk illustrates this and highlights a potential pitfall for investigators.

CASE STUDY: THE MYSTERY TYPIST

One afternoon my security team received an email message from our IT help desk. Attached was the re-created transcript of a user conversation and an unusual Microsoft Word document. The transcript was along the lines of the following:

  • User: Someone broke into my computer and is typing odd messages to me when I use Microsoft Word.

  • Help Desk: What type of messages, sir?

  • User: Meaningless phrases, but I think he has a camera trained on me.

  • Help Desk: Why do you think he has a camera trained on you, sir?

  • User: He only types the messages when I'm in Word, and sometimes he types things related to phone conversations I'm having.

  • Help Desk: Is it happening right now?

  • User: Yes. He's typing things about our conversation right now. Should I hang up the phone?

  • Help Desk: Save the document and send us a copy. We'll call security and have them come by.

When we opened the attached document, it appeared to be a standard memo with random phrases inserted, including pieces of the user's side from the previous conversation. An investigator was sent down to talk with the user and analyze the machine.

Faced with a likely lack of stored evidence (the user had saved only the one document we already had), the investigator tried to see whether she could reproduce the problem. She opened several documents, typed miscellaneous messages, recorded all incoming and outgoing network traffic, and found nothing unusual. A secondary search of running processes and an anti-virus and anti-spyware check likewise turned up nothing.

After spending several hours analyzing and monitoring the user's laptop, the investigator called the user in to attempt to duplicate more precisely his actions. The user began typing in Microsoft Word, and no extraneous words appeared. After a few moments, the user began to get frustrated and used several expletives, which did appear on the screen. At that point, the investigator realized it was not actually a security breach; the user had accidentally turned on Windows voice recognition and every time he made a phone call, the mystery typist re-appeared!


Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel
