First Looks: Basic Investigations of Windows Vista (Lance Mueller)

Posted 08-Jan-2018

Transcript
Title slide: First Looks: Basic Investigations of Windows Vista, Lance Mueller

Page 1: NTFS Version

NTFS version   OS name          OS version   Release date
NTFS v1.2      Windows NT                    July 1993
NTFS v1.2      Windows NT 4.0   4.0          August 1996
NTFS 3.0       Windows 2000                  February 2000
NTFS 3.1       Windows XP       5.1          September 2001
NTFS 3.1       Windows 2003                  April 2003
NTFS 3.1       Windows Vista    6.0          November 2006

Page 2: NTFS Version (figure)

Page 3: Symbolic Links (figure)

Page 4: Last Access Dates

The last access dates in Windows Vista are no longer updated when a file is accessed. Microsoft explains that, with all the new file system transactional journaling, updating them was somewhat of a performance hit, so last access updating has been disabled by default. In Windows Vista this disabling is the default setting; it can be turned off via a registry key. This default obviously has a severe impact on how some types of cases are analyzed, and examiners should take great care when using these date stamps as part of their analysis.

Page 5: $USNJRNL

The USN Journal is an NTFS logging mechanism that logs various transactions that occur on the file system. This feature is available in Windows 2000, Windows XP and Windows 2003, but it is disabled by default. In Windows Vista this feature is enabled by default, thus causing a verbose log of various file system changes to be created. These changes are written to an internal NTFS metadata file named $USNJRNL, specifically into an alternate data stream of that file. Various artifacts such as filenames, date stamps and MFT record numbers can be located in this journal, and it should be inspected and/or searched in Unicode when looking for specific filenames.
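The record layout behind the $USNJRNL slide, as an added example that is not part of the slides: a parser for USN_RECORD_V2 entries (the 60-byte fixed header and 8-byte padding follow Microsoft's documented structure, and the reason flag values are the documented ones), run over a constructed two-record journal. It also shows why the slide says to search in Unicode: the file names are UTF-16LE, so an ASCII keyword search misses them.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of the documented USN_RECORD_V2 reason flags
USN_REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
               0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
               0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
USN_V2_HEADER = "<IHHQQqqIIIIHH"   # 60 fixed bytes; the file name follows at name_off

def filetime_to_datetime(ft):      # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_journal(buf):
    """Walk USN_RECORD_V2 entries from the $UsnJrnl:$J stream into a list of dicts."""
    records, off = [], 0
    while off + 60 <= len(buf):
        (length, major, _minor, frn, parent_frn, usn, ts, reason, _src, _sid, _attrs,
         name_len, name_off) = struct.unpack_from(USN_V2_HEADER, buf, off)
        if length == 0:            # zero-filled gap between journal pages: skip 8 bytes
            off += 8
            continue
        if major != 2 or length < 60 or off + length > len(buf):
            raise ValueError(f"malformed USN record at offset {off}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn, "name": name, "timestamp": filetime_to_datetime(ts),
            "mft_record": frn & 0xFFFFFFFFFFFF,         # low 48 bits of the file reference
            "mft_sequence": frn >> 48,                   # high 16 bits
            "parent_mft_record": parent_frn & 0xFFFFFFFFFFFF,
            "reasons": sorted(n for bit, n in USN_REASONS.items() if reason & bit),
        })
        off += length               # RecordLength already includes the 8-byte padding
    return records

def build_usn_record(name, frn, parent_frn, usn, ft, reason):
    """Constructed sample record laid out the way NTFS writes it (padded to 8 bytes)."""
    name_bytes = name.encode("utf-16-le")
    length = (60 + len(name_bytes) + 7) & ~7
    hdr = struct.pack(USN_V2_HEADER, length, 2, 0, frn, parent_frn, usn, ft, reason,
                      0, 0, 0x20, len(name_bytes), 60)
    return (hdr + name_bytes).ljust(length, b"\x00")

def name_search_hits(buf, name):
    """File names in $J are UTF-16LE, so an ASCII keyword search misses them."""
    return {"ascii": name.encode("ascii") in buf, "unicode": name.encode("utf-16-le") in buf}

# Constructed sample journal: secret.docx is created, then deleted (MFT record 1234, sequence 5)
FRN = (5 << 48) | 1234
SAMPLE_J = (build_usn_record("secret.docx", FRN, 64, 8192, 128_000_000_000_000_000, 0x80000100)
            + b"\x00" * 8
            + build_usn_record("secret.docx", FRN, 64, 8280, 128_000_000_600_000_000, 0x80000200))
```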
Page 6: Operating System Versions

Feature availability of the different Vista versions:

BitLocker - Enterprise & Ultimate (Enterprise only when a member of a domain)
Windows Volume Shadow Service (VSS) - Business, Enterprise & Ultimate
Encrypting File System (EFS) - Business, Enterprise & Ultimate
Able to join a domain - Business, Enterprise & Ultimate
Remote Desktop server - Business, Enterprise & Ultimate
Offline files and folder support - Business, Enterprise & Ultimate
IIS Web Server - Business, Enterprise & Ultimate

Page 7: Directory Structure Changes

In the previous figure you can see that several Junctions are now used to redirect to a different location, such as the Documents and Settings folder and the Default User folder.

C:\Documents & Settings -> C:\Users (Junction)
C:\Users\All Users -> C:\ProgramData (Symbolic Link)
C:\Users\Default Users -> C:\Users\Default (Junction)

Page 8: Directory Structure Changes (figure)

Under each user folder, there are additional folders and Junction points.

Page 9: Directory Structure Changes

The following chart shows where each Junction shown in the previous figure points to (paths are relative to the user's profile folder):

\Application Data -> \AppData\Roaming
\Cookies -> \AppData\Roaming\Microsoft\Windows\Cookies
\Local Settings -> \AppData\Local
\My Documents -> \Documents
\NetHood -> \AppData\Roaming\Microsoft\Windows\Network Shortcuts
\PrintHood -> \AppData\Roaming\Microsoft\Windows\Printer Shortcuts
\Recent -> \AppData\Roaming\Microsoft\Windows\Recent
\SendTo -> \AppData\Roaming\Microsoft\Windows\SendTo
\Start Menu -> \AppData\Roaming\Microsoft\Windows\Start Menu
\Templates -> \AppData\Roaming\Microsoft\Windows\Templates

Page 10: Directory Structure Changes

Under the Documents folder there are three additional Junctions:

\Documents\My Music -> \Music
\Documents\My Pictures -> \Pictures
\Documents\My Videos -> \Videos

Page 11

In addition, the C:\Users\<username>\AppData\Local folder contains three additional Junctions. This folder structure is where the Internet history information is now stored.
Page 12: Public Folders

In Windows XP, a folder named All Users was located under the Documents & Settings folder and served as a structure that was accessible by all users. In Vista this has been changed and is called Public. Any files or folders located under the Public folder are accessible by everyone. Note that the structure on a live machine is different from what is seen from a forensic view.

Page 13: Registry

Several new registry files have been added to Windows Vista. The following list represents all the registry hives on a default Vista system:

C:\Boot\BCD
C:\Windows\System32\config\RegBack\SECURITY
C:\Windows\System32\config\RegBack\SOFTWARE
C:\Windows\System32\config\RegBack\DEFAULT
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\COMPONENTS
C:\Windows\System32\config\RegBack\SYSTEM
C:\Windows\System32\config\BCD-Template
C:\Windows\System32\config\COMPONENTS
C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SYSTEM
C:\Windows\winsxs\x86_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_ _none_25edb26a062d63a9\BCD-Template

Page 14: Registry

The user's NTUSER.DAT file is still located in the root of the user's profile folder (C:\Users\<username>\). Notice that Windows Vista now uses the RegBack folder instead of the Repair folder that Windows 2000/XP/2003 use for backup copies of the registry.

Page 15: Registry Virtualization

Windows Vista now contains a feature called registry virtualization as part of a security enhancement. This feature ensures that users who are not administrators cannot write to certain parts of the registry, especially during software installation. If a program tries to write to a specific registry key that is protected, the installation program is seamlessly redirected to a virtual registry key contained within the user's personal registry hive (NTUSER.DAT).
Any write attempt by a non-administrator to the HKEY_LOCAL_MACHINE\Software registry key(s) causes the system to redirect the write into a virtual store in the user's profile:

HKEY_USERS\<SID>_Classes\VirtualStore\Machine\Software

Page 16: Recycle Bin

The contents of the recycle bin have changed in Windows Vista, and the name of the folder itself has changed to $Recycle.bin. The INFO2 file that is present in Windows 2000/XP/2003 has been removed. In Windows Vista, two files are created when a file is deleted into the recycle bin. Both files have the same random-looking name, but the names are prefixed with $R or $I. The file with $R at the beginning of the name is the data of the deleted file. The file with $I at the beginning of the name contains the path where the file originally resided, as well as the date and time it was deleted.

Page 17: Recycle Bin (figure)

Page 18: Recycle Bin

In addition, it is important to note that the user's recycle bin is created the first time the user logs into their account, not the first time a file or folder is deleted as in Windows 2000/XP/2003.

Page 19: Event Logs

The Windows event logs have changed dramatically in Windows Vista. A new XML file format is used for the event logs, with a new extension of EVTX. The files are now located in:

C:\Windows\System32\winevt\Logs\

There are now approximately 30 different event logs that Windows Vista reports events to. Currently these logs can only be read by the native Windows Vista Event Viewer (eventvwr), although an EnCase EnScript is under development.

Page 20: Windows Photo Gallery

The Windows Photo Gallery is an application designed to make it easy to collect, categorize and edit your digital photos and videos. The Windows Photo Gallery can connect directly to digital devices such as cameras or removable media and then import the photos into the gallery.
The photos that are imported into the gallery are stored in the user's Pictures directory under their profile.
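For the Recycle Bin slides (pages 16 to 18), an added example that is not part of the slides: a parser for the Vista $I file. The slides only say that $I holds the original path and deletion time; the byte layout used here (8-byte header with value 1, 8-byte original size, 8-byte FILETIME deletion time, then a 260-character UTF-16LE path, 544 bytes in total) is the documented Vista/Windows 7 format, and the sample record is constructed in the block.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
I_FILE_SIZE = 544          # 8 header + 8 size + 8 FILETIME + 260 UTF-16LE chars
I_FILE_PATH_CHARS = 260

def filetime_to_datetime(ft):
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH   # integer arithmetic so the round trip is exact
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_i_file(data):
    """Parse a Vista $I<id> record into original size, deletion time and original path."""
    if len(data) != I_FILE_SIZE:
        raise ValueError(f"unexpected $I length {len(data)}, expected {I_FILE_SIZE}")
    header, size, ft = struct.unpack_from("<QQQ", data, 0)
    if header != 1:            # Vista/7 write version 1; anything else is not this layout
        raise ValueError(f"unexpected $I header {header}, expected 1")
    raw_path = data[24:24 + I_FILE_PATH_CHARS * 2]
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]   # NUL-padded field
    return {"size": size, "deleted": filetime_to_datetime(ft), "path": path}

def data_file_for(i_name):
    """Map a $I<id> name to its $R<id> partner, which holds the deleted file's content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]

def build_sample_i_file(path, size, deleted):
    """Constructed sample: pack a $I record the way Vista lays it out."""
    raw_path = path.encode("utf-16-le").ljust(I_FILE_PATH_CHARS * 2, b"\x00")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted)) + raw_path

# Constructed sample: report.docx deleted on 2007-03-15 12:34:56 UTC
SAMPLE_DELETED = datetime(2007, 3, 15, 12, 34, 56, tzinfo=timezone.utc)
SAMPLE_I = build_sample_i_file(r"C:\Users\alice\Documents\report.docx", 12345, SAMPLE_DELETED)

if __name__ == "__main__":
    rec = parse_i_file(SAMPLE_I)
    print(rec["path"], rec["size"], rec["deleted"].isoformat())
    print("deleted content is in", data_file_for("$I3X7K2Q.docx"))
```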