encryption win7 configuration
win7 configuration  Date: 2021-03-27
Microsoft Network Security

Windows 7: Current Events in the World of Windows Forensics
Troy Larson, Senior Forensic Program Manager, Network Security, Microsoft Corp.

Where Are We Now?
Vista & Windows 2008
– BitLocker.
– Format-Wipes the volume.
– EXFAT.
– Event Logging—format, system, scheme.
– Virtual Folders & Registry.
– Volume Shadow Copy.
– Links, Hard and Symbolic.
– Change Journal.
– Recycle Bin.
– Superfetch.

Where Are We Now?
Windows 7 & Windows 2008 R2
– Updated BitLocker.
– BitLocker To Go.
– VHDs—Boot from, mount as "Disks."
– XP Mode.
– Flash Media Enhancements.
– Libraries, Sticky Notes, Jump Lists.
– Service and Driver triggers.
– I.E. 8, InPrivate Browsing, Tab and Session Recovery.
– Even more Volume Shadow Copy.

Digital Forensics Subject Matter Expertise "Stack"
Thanks to Eoghan Casey.
File Systems: NTFS, FAT32, EXFAT
Fvevol.sys
Mount, Partition & Volume Managers
Applications—e.g., I.E., etc.
OS Artifacts
"Disk"

Windows 7 "Disk"
Note disk signature: 2E140032 (0x1b8-1bb)

Windows 7 "Disk"
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
Diskpart> Automount scrub

Vista "Disk"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000

Partitions and Volumes

Virtual Hard Drives
Create, Attach, Detach, Delete

BitLocker: Windows 7
During installation, Windows 7 creates a "System Reserved" volume—enabling setup of BitLocker.
In Vista, the System volume was generally 1.5 GB or more.

BitLocker: Vista
Physical level view of the header of the boot sector of a Vista BitLocker protected volume:
– 0xEB52902D4656452D46532D
– R-FVE-FS-

BitLocker: Windows 7
Physical level view of the header of the boot sector of a Windows 7 BitLocker protected volume:
– 0xEB58902D4656452D46532D
– X-FVE-FS-

BitLocker: Windows 7
Vista & Windows 2008 cannot unlock BitLocker volumes created with Windows 7 or 2008 R2.
Forensics tools may not recognize the new BitLocker volume header.
Must use Windows 7 or 2008 R2 to open (and image) BitLocker volumes from Windows 7 or 2008 R2.
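
The two boot sector headers above differ only in the jump bytes in front of the "-FVE-FS-" identifier, so an examiner can tell which BitLocker generation protects a volume before choosing a system to unlock it on. The following Python sketch is an added example, not part of the original presentation; the function names, the sample image and the volume offsets are constructed for illustration.

```python
# Added example; the sample sectors and offsets below are constructed.
FVE_OEM_ID = b"-FVE-FS-"   # bytes 2D 46 56 45 2D 46 53 2D at offset 3

# Jump bytes at offset 0, as shown on the slides for each BitLocker generation.
JUMP_GENERATION = {
    bytes.fromhex("EB5290"): "Vista/2008 BitLocker",
    bytes.fromhex("EB5890"): "Windows 7/2008 R2 BitLocker",
}

def classify_boot_sector(sector: bytes) -> str:
    """Classify a volume boot sector from its first 11 bytes."""
    if len(sector) < 11:
        raise ValueError("need at least 11 bytes of the boot sector")
    jump, oem_id = sector[:3], sector[3:11]
    if oem_id != FVE_OEM_ID:
        return "no BitLocker header"
    return JUMP_GENERATION.get(jump, "BitLocker header, unknown jump " + jump.hex())

def classify_volumes(image: bytes, volume_offsets):
    """Map each volume start offset in a raw disk image to its classification."""
    results = {}
    for offset in volume_offsets:
        try:
            results[offset] = classify_boot_sector(image[offset:offset + 512])
        except ValueError:
            results[offset] = "offset beyond end of image"
    return results

def make_sector(first_bytes: bytes) -> bytes:
    """Constructed 512-byte sector: given header, zero fill, 55 AA trailer."""
    return first_bytes.ljust(510, b"\x00") + b"\x55\xaa"

# Constructed image: an empty first sector, then volumes at 0x200, 0x400, 0x600.
SAMPLE_IMAGE = (
    bytes(512)
    + make_sector(bytes.fromhex("EB52902D4656452D46532D"))  # Vista header from the slide
    + make_sector(bytes.fromhex("EB58902D4656452D46532D"))  # Windows 7 header from the slide
    + make_sector(bytes.fromhex("EB5290") + b"NTFS    ")    # unencrypted NTFS volume
)

if __name__ == "__main__":
    found = classify_volumes(SAMPLE_IMAGE, [0x200, 0x400, 0x600, 0x800])
    for offset, verdict in found.items():
        print(hex(offset), verdict)
```
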

BitLocker Review or Imaging
Application (User Mode)
File System Driver, Fvevol.sys, Volume Manager (Kernel Mode)
FVEVOL.SYS sits underneath the file system driver and performs all encryption/decryption.
Once booted, Windows (and the user) sees no difference in experience.
The encryption/decryption happens below the file system.

BitLocker Review or Imaging
The "More/Less information" button will provide the BitLocker volume recovery key identification.

BitLocker Review or Imaging
BitLocker Recovery Key 783F5FF9-18D4-4C64-AD4A-CD3075CB8335.txt:
BitLocker Drive Encryption Recovery Key
The recovery key is used to recover the data on a BitLocker protected drive.
To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen.
Recovery key identification: 783F5FF9-18D4-4C
Full recovery key identification: 783F5FF9-18D4-4C64-AD4A-CD3075CB8335
BitLocker Recovery Key:
528748-036938-506726-199056-621005-314512-037290-524293

BitLocker Review or Imaging
Enter the recovery key exactly.

BitLocker Review or Imaging
Viewed or imaged as part of a physical disk, BitLocker volumes appear encrypted.

BitLocker Review or Imaging
To view a BitLocker volume as it appears in its unlocked state, address it as a logical volume.

File Systems

File Systems
Since Vista SP1, Format wipes while it formats.
http://support.microsoft.com/kb/941961
Diskpart.exe > Clean all

File Systems - Vista & Windows 7
NTFS
– Symbolic links to files, folders, and UNC paths. Beware the "Application Data" recursion loop. Cf. Link files.
– Hard links are extensively used (\Winsxs).
– Disabled by default: Update Last Access Date.
– Enabled by default: The NTFS Change Journal ($USN:$J). Transactional NTFS ($Tops:$T).

File Systems - Vista & Windows 7
The volume header of an EXFAT volume.
Do your forensics tools read EXFAT?

OS Artifacts

OS Artifacts—Recycle.Bin
[Volume]:\$Recycle.Bin
– $Recycle.Bin is visible in Explorer (view hidden files).
– Per user store in a subfolder named with account SID.
– No more Info2 files.
– When a file is deleted—moved to the Recycle Bin—it generates two files in the Recycle Bin.
– $I and $R files.
  $I or $R followed by several random characters, then original extension.
  The random characters are the same for each $I/$R pair.
  $I file maintains the original name and path, as well as the deleted date.
  $R file retains the original file data stream and other attributes. The name attribute is changed to $R******.ext.
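
The $I file described above can be decoded with a few lines of Python. This is an added example, not part of the original presentation: it assumes the commonly documented version-1 $I layout used by Vista and Windows 7 (8-byte header, 8-byte original size, 8-byte FILETIME of deletion, 520-byte UTF-16LE path), and the sample record and file name are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PATH_OFFSET, PATH_BYTES = 0x18, 520   # fixed-size UTF-16LE path (assumed v1 layout)

def parse_i_file(data: bytes) -> dict:
    """Parse a Vista/Windows 7 $I record (assumed version-1 layout)."""
    if len(data) < PATH_OFFSET + 2:
        raise ValueError("truncated $I file: %d bytes" % len(data))
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError("unsupported $I version %d" % version)
    raw = data[PATH_OFFSET:PATH_OFFSET + PATH_BYTES]
    raw = raw[:len(raw) & ~1]          # drop a dangling odd byte, if any
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    # FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"original_path": path, "size": size, "deleted_utc": deleted}

def paired_r_name(i_name: str) -> str:
    """Name of the $R file holding the data for a given $I file."""
    if not i_name.upper().startswith("$I"):
        raise ValueError("not a $I file name: " + i_name)
    return "$R" + i_name[2:]

def build_sample_i_file(path: str, size: int, deleted: datetime) -> bytes:
    """Build a constructed $I record for the demonstration."""
    ticks = (deleted - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    name = path.encode("utf-16-le").ljust(PATH_BYTES, b"\x00")
    return struct.pack("<QQQ", 1, size, ticks) + name

# Constructed sample: file name, path, size and deletion time are invented.
SAMPLE_NAME = "$IA1B2C3.docx"
SAMPLE_I_FILE = build_sample_i_file(
    r"C:\Users\example\Documents\report.docx", 12345,
    datetime(2009, 7, 20, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    record = parse_i_file(SAMPLE_I_FILE)
    print(SAMPLE_NAME, "->", paired_r_name(SAMPLE_NAME))
    print(record["original_path"], record["size"], record["deleted_utc"].isoformat())
```
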

OS Artifacts—Recycle.Bin
Note the deleted date (in blue).

OS Artifacts—Folder Virtualization
– Part of User Access Control—Standard user cannot write to certain protected folders.
  C:\Windows
  C:\Program Files
  C:\ProgramData
– To allow standard user to function, any writes to protected folders are "virtualized" and written to C:\Users\[user]\AppData\Local\VirtualStore

OS Artifacts—Registry Virtualization
Virtualize (HKEY_LOCAL_MACHINE\SOFTWARE)
Non-administrator writes are redirected to:
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\
Keys excluded from virtualization
– HKEY_LOCAL_MACHINE\Software\Classes
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT

OS Artifacts—Registry Virtualization
Location of the registry hive file for the VirtualStore
– Is NOT the user's NTUSER.DAT
– It is stored in the user's UsrClass.dat
  \Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat
Investigation of Vista-Windows 2008 R2 requires the investigator to examine at least two account specific registry hive files for each user account.
– NTUSER.DAT
– UsrClass.dat

OS Artifacts—Libraries
\Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries.

OS Artifacts—Libraries
Libraries are XML files.

OS Artifacts—Shell
The "Recent" folder contains link files and two subfolders at \User\[Account]\AppData\Roaming\Microsoft\Windows\Recent.

OS Artifacts—Shell
"AutomaticDestination" files are in the Structured Storage file format.

OS Artifacts—Chkdsk Logs
\System Volume Information\Chkdsk

OS Artifacts—Superfetch
\Windows\Prefetch

OS Artifacts—Volume Shadow Copy
Volume shadow copies are bit level differential backups of a volume.
– 16 KB blocks.
– Copy on write.
– Volume Shadow copy "files" are "difference" files.
The shadow copy service is enabled by default on Vista and Windows 7, but not on Windows 2008 or 2008 R2.
"Difference files" reside in the System Volume Information folder.

OS Artifacts—Volume Shadow Copy
Shadow copies are the source data for Restore Points and the Restore Previous Versions features.
Used in backup operations.
Shadow copies provide a "snapshot" of a volume at a particular time.
Shadow copies can show how files have been altered.
Shadow copies can retain data that has later been deleted, wiped, or encrypted.

OS Artifacts—Volume Shadow Copy
Volume shadow copies do not contain a complete image of everything that was on the volume at the time the shadow copy was made.

OS Artifacts—Volume Shadow Copy
The Volume Shadow Copy difference files are maintained in "\System Volume Information" along with other VSS data files, including a new registry hive.

OS Artifacts—Volume Shadow Copy
\System Volume Information\Syscache.hve

OS Artifacts—Volume Shadow Copy
vssadmin list shadows /for=[volume]:

OS Artifacts—Volume Shadow Copy
Shadow copies can be exposed through symbolic links.
Mklink /d C:\{test-shadow} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\

OS Artifacts—Volume Shadow Copy
Volume Shadows can be mounted directly as network shares.
net share testshadow=\\.\HarddiskVolumeShadowCopy11\

OS Artifacts—Volume Shadow Copy
> psexec \\[computername] vssadmin list shadows /for=C:
> psexec \\[computername] net share testshadow=\\.\HarddiskVolumeShadowCopy20\
PsExec v1.94 - Execute processes remotely
. . .
testshadow was shared successfully.
net exited on [computername] with error code 0.
> robocopy /S /R:1 /W:1 /LOG:D:\VSStestcopylog.txt \\[computername]\testshadow D:\vssTest
Log File : D:\VSStestcopylog.txt
. . .
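
The "vssadmin list shadows" and "Mklink /d" steps shown above can be combined so that every shadow copy on a volume gets its own link for review. This Python sketch is an added example, not part of the original presentation; it assumes English-language vssadmin output, the sample output is constructed and abridged, and the link folder C:\shadows is a hypothetical name.

```python
import re

# Constructed, abridged sample of `vssadmin list shadows /for=C:` output.
SAMPLE_VSSADMIN_OUTPUT = r"""
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 7/17/2009 8:45:26 AM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000a}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: EXAMPLE-PC

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 7/20/2009 12:00:00 AM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000b}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11
         Originating Machine: EXAMPLE-PC
"""

CREATED_RE = re.compile(r"shadow copies at creation time:\s*(.+?)\s*$")
DEVICE_RE = re.compile(
    r"Shadow Copy Volume:\s*"
    r"(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(\d+))")

def list_shadow_copies(vssadmin_text: str):
    """Return index, device path and creation time for each shadow copy."""
    copies, created = [], None
    for line in vssadmin_text.splitlines():
        match = CREATED_RE.search(line)
        if match:
            created = match.group(1)   # applies to the copies that follow
            continue
        match = DEVICE_RE.search(line)
        if match:
            copies.append({"index": int(match.group(2)),
                           "device": match.group(1),
                           "created": created})
    return copies

def mklink_commands(copies, link_root="C:\\shadows"):
    """Build one mklink /d command per shadow copy (link_root is hypothetical).

    The trailing backslash on the device path is kept, as on the slide.
    """
    return ["mklink /d {}\\vsc{} {}\\".format(link_root, c["index"], c["device"])
            for c in copies]

if __name__ == "__main__":
    for command in mklink_commands(list_shadow_copies(SAMPLE_VSSADMIN_OUTPUT)):
        print(command)
```
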

OS Artifacts—Volume Shadow Copy
Other ways to call shadow copies:
– \\localhost\C$\Users\troyla\Downloads (Yesterday, July 20, 2009, 12:00 AM)
– \\localhost\C$\@GMT-2009.07.17-08.45.26\

OS Artifacts—Volume Shadow Copy
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64> dd if=\\.\HarddiskVolumeShadowCopy11 of=E:\shadow11.dd --localwrt
The VistaFirewall Firewall is active with exceptions.
Copying \\.\HarddiskVolumeShadowCopy11 to E:\shadow11.dd
Output: E:\shadow11.dd
136256155648 bytes
129943+1 records in
129943+1 records out
136256155648 bytes written
Succeeded!
C:\Users\Troyla\Desktop\fau-1.3.0.2390a\fau\FAU.x64>
Shadow copies can be imaged.

OS Artifacts—Volume Shadow Copy
Images of shadow copies can be opened in forensics tools and appear as logical volumes.

OS Artifacts—Volume Shadow Copy
Data that has been deleted can be captured by shadow copies and available for retrieval in shadow copy images.

OS Artifacts—Volume Shadow Copy
Every shadow copy data set should approximate the size of the original volume.
Amount of case data = (number of shadow copies) x (size of the volume) + (size of the volume).
10 shadow copies = 692 GB

Applications—I.E. 8

Applications—I.E. 8
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -private

Applications—I.E. 8
Cache data appears to be written, then deleted.

Applications—I.E. 8
Residual cache files from InPrivate browsing.

Applications—I.E. 8
Tab and session recovery—a new source for historical browsing information.
\User\[Account]\AppData\Local\Microsoft\Internet Explorer\Recovery

Applications—I.E. 8
Recovery file: Note the Structured Storage file format.

2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.