Tuesday, June 26, 2012

Sans DFIR Summit 2012 - Slides

Today I was honored to present my first topic on Windows 8 Forensics at the SANS DFIR Summit in Austin. I want to thank Rob Lee and the entire SANS support staff for encouraging me to present and for their dedication to putting on an incredible speaker lineup.

Here are the slides and notes from my presentation, as well as a link to the research I have done previously on the Windows 8 Refresh. The data from the slides and presentation is current as of 6/24/2012. The research paper may still need to be updated.

What is coming next from me?

I am currently doing research on Storage Spaces that I hope to present to GFIRST in August. 

Windows 8 provides a new capability called Storage Spaces that pools physical disks and carves virtual disks out of the pool. In a nutshell, Storage Spaces allows:
  • Organization of physical disks into storage pools, which can be expanded simply by adding disks. These disks can be connected through USB, SATA (Serial ATA) or SAS (Serial Attached SCSI), and a single pool can be composed of heterogeneous physical disks: different sizes, reached over different storage interconnects.
  • Use of virtual disks (also known as spaces), which behave like physical disks for all practical purposes. Spaces also have new capabilities of their own, such as thin provisioning (a space can be declared larger than the physical capacity currently in the pool) and resiliency to failures of the underlying physical media.
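To make the pool/space layering above concrete, here is an added PowerShell walkthrough (my own example, not code from the original post) that builds a thin-provisioned, mirrored space on a lab box and then enumerates it the way an examiner would. It relies on the Storage cmdlets that ship with Windows 8 / Server 2012; the pool and space names (EvidencePool, Space1), the 2 TB logical size and the label are assumptions for the demo. Run it elevated on a test machine only, since the poolable disks it finds will be claimed by the pool.

```powershell
# Added example (not from the original post). Assumed names: EvidencePool, Space1.
# Requires Windows 8 / Server 2012 or later, run as administrator, on a LAB machine:
# every disk reported as CanPool will be taken into the pool and wiped of its layout.

# 1. Which physical disks can be pooled? USB, SATA and SAS disks all qualify.
$poolable = Get-PhysicalDisk -CanPool $true
if (-not $poolable) { throw 'No poolable disks found; attach at least two spare disks.' }
$poolable | Format-Table FriendlyName, BusType, Size, CanPool -AutoSize

# 2. Create a pool from those disks. The subsystem is named "Storage Spaces on <host>"
#    on Windows 8 and "Windows Storage on <host>" on later builds, so match both.
$sub = Get-StorageSubSystem |
    Where-Object { $_.FriendlyName -like '*Storage Spaces*' -or $_.FriendlyName -like '*Windows Storage*' } |
    Select-Object -First 1
New-StoragePool -FriendlyName 'EvidencePool' -StorageSubSystemUniqueId $sub.UniqueId -PhysicalDisks $poolable | Out-Null

# 3. Carve a space out of the pool: two-way mirror, thinly provisioned, and deliberately
#    declared larger (2 TB) than the physical capacity in the pool to show thin provisioning.
New-VirtualDisk -StoragePoolFriendlyName 'EvidencePool' -FriendlyName 'Space1' `
    -ResiliencySettingName Mirror -ProvisioningType Thin -Size 2TB | Out-Null

# 4. The space surfaces as an ordinary disk; bring it online as an NTFS volume.
$disk = Get-VirtualDisk -FriendlyName 'Space1' | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Space1' -Confirm:$false | Out-Null

# 5. What an examiner sees on the live system: which physical disks belong to the pool,
#    and the gap between the space's logical Size and what is actually allocated on disk.
Get-StoragePool -FriendlyName 'EvidencePool' | Get-PhysicalDisk |
    Format-Table FriendlyName, BusType, Size, HealthStatus -AutoSize
Get-VirtualDisk -FriendlyName 'Space1' |
    Format-List FriendlyName, ResiliencySettingName, ProvisioningType, Size, AllocatedSize, FootprintOnPool, HealthStatus
```

The step 5 output is the part worth keeping in mind for investigations: the volume the user sees lives on a virtual disk whose extents are spread (and, for a mirror, duplicated) across every physical disk in the pool, so a single pool member imaged on its own does not contain a mountable file system, and `Size` of a thin space says nothing about how much data was ever written to it (`AllocatedSize` does).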

Tuesday, June 12, 2012

Windows 8 Forensic - File History

This research ties in with the SANS webcast here

With Windows 8, Microsoft has introduced a few new features that expand the operating system's storage and backup capabilities. In this article I will cover the File History service and what it can do.

According to Microsoft, the File History service (fhsvc) protects user files from accidental loss by copying them to a backup location [1]. File History is not enabled for any user by default; when a removable media device is connected, the user is offered the option of using it as a backup location. Because File History is configured by each user, it is enabled on a user-by-user basis. By default it protects the system libraries (Music, Documents, Videos and Pictures), files on the Desktop, Contacts and the user's Favorites. Users can also create new libraries to include in the backup, or exclude currently protected libraries from future backups.

When File History is enabled, numerous artifacts are created on both the local machine and the backup target. These artifacts include event logs, registry settings, configuration files and incremental file backups in the target directory.

File History has some limitations: backups are file-level rather than block-level, and because of the way it handles logon credentials it cannot back up EFS-encrypted files. The service runs in the background as a local service using the logged-on user's credentials [2]. Because it runs under each user's account, each user must set up their own File History configuration. For an examiner this cuts both ways: a file missing from the backup target may simply have been EFS-encrypted, and a backup copy is only ever created for users who opted in.
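Since the incremental copies on the target are the artifact most likely to yield deleted or earlier versions of a file, here is an added PowerShell helper (my own example, not code from the post or from Microsoft) that walks a File History backup target and lists every version kept for each protected file, then pulls the matching local-machine artifacts. The layout it assumes is not stated in this post: copies are stored under `<Target>\FileHistory\<User>\<Computer>\Data\<drive>\<original path>\` and each copy is named `<name> (yyyy_MM_dd HH_mm_ss UTC)<.ext>` with the timestamp in UTC; the registry key, Config1.xml path and event log name at the end are likewise assumptions. The demo builds a few constructed sample files under `$env:TEMP` so the parser can be run without a real backup drive.

```powershell
# Added example (not from the original post). Assumed File History target layout:
#   <Target>\FileHistory\<User>\<Computer>\Data\<drive>\<original path>\<name> (yyyy_MM_dd HH_mm_ss UTC)<.ext>
# Each backup copy is a full file (file-level, not block-level), so versions are recovered by name.

function Get-FileHistoryVersion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DataRoot   # the ...\Data folder on the backup target
    )
    $root = (Resolve-Path -LiteralPath $DataRoot).ProviderPath
    # Capture the original name, the UTC timestamp and the (optional) extension.
    $pattern = '^(?<name>.+) \((?<ts>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2}) UTC\)(?<ext>\.[^.\\]+)?$'
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        if ($_.Name -match $pattern) {
            $utc = [datetime]::SpecifyKind(
                [datetime]::ParseExact($Matches.ts, 'yyyy_MM_dd HH_mm_ss', [cultureinfo]::InvariantCulture),
                [System.DateTimeKind]::Utc)
            [pscustomobject]@{
                OriginalName  = $Matches.name + $Matches.ext
                RelativePath  = $_.DirectoryName.Substring($root.Length).TrimStart('\')
                BackupTimeUtc = $utc
                Size          = $_.Length
                BackupCopy    = $_.FullName
            }
        }
    }
}

# Constructed demo data (not real evidence) so the function can be exercised offline.
$demo = Join-Path $env:TEMP 'fh-demo\Data\C\Users\alice\Documents'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'v1'        | Set-Content (Join-Path $demo 'notes (2012_06_10 14_02_11 UTC).txt')
'v2 longer' | Set-Content (Join-Path $demo 'notes (2012_06_11 09_30_45 UTC).txt')
'x'         | Set-Content (Join-Path $demo 'budget (2012_06_11 09_30_45 UTC).xlsx')

# Two versions of notes.txt and one of budget.xlsx, oldest first per file.
Get-FileHistoryVersion -DataRoot (Join-Path $env:TEMP 'fh-demo\Data') |
    Sort-Object OriginalName, BackupTimeUtc |
    Format-Table RelativePath, OriginalName, BackupTimeUtc, Size -AutoSize

# Local-machine artifacts to pair with the target (assumed locations; all per-user, which is
# why the RegRipper plugin below targets the HKU hive rather than a machine-wide key):
#   registry : HKCU\Software\Microsoft\Windows\CurrentVersion\FileHistory
#   config   : $env:LOCALAPPDATA\Microsoft\Windows\FileHistory\Configuration\Config1.xml
#   event log: Microsoft-Windows-FileHistory-Engine/BackupLog
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\FileHistory' -ErrorAction SilentlyContinue
Get-WinEvent -LogName 'Microsoft-Windows-FileHistory-Engine/BackupLog' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Point `-DataRoot` at the `Data` folder of a mounted (read-only) backup target to run it against real copies. Because the copy timestamps are UTC as embedded in the filename, they can be compared directly with the local machine's event log and registry timestamps after converting those to UTC, rather than trusting the copy's own NTFS timestamps on the target volume.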

The rest of the research can be found here
RegRipper Plugin for the HKU FileHistory Key is here

Monday, June 11, 2012

Let's Get This Party Started

About eight months ago I started a journey that has changed my skill set and led me to make choices to become more active in the DFIR community. It hasn't been the easiest journey, but this roller coaster ride has been awesome.
On Tuesday June 12th I will be participating in my first webcast where I am the primary presenter. Being nervous does not go far enough to describe my current mental state. I am exhausted, running on fumes, and ready to crash hard, but all that is offset with the excitement of where this wild ride is taking me.

Over the course of the next three months I will be presenting three different one-hour talks and a quick six-minute talk. If I have not conquered my fear of public speaking by the end of August, something is wrong.

In this talk I will take a look at the new File History service that Microsoft has released in Windows 8. I will discuss briefly what it is, how it is configured, the artifacts it creates, and even release my first RegRipper plugin.

Windows 8 Forensics (pt 1 – Recovery Artifacts) at DFIR SUMMIT – use code PrincipalGroup10 to save 10%
In this talk I will look at the recovery options included in Windows 8: Restore Points, Refresh Points and System Reset. I will touch on how they differ, the configuration artifacts they create, and the challenges they pose for forensic investigation.

In this talk I will look at the backup and storage solutions included in Windows 8 and how they will impact investigations, with the inclusion of Storage Spaces and storage pools as well as more information on the File History service.

While I know that I have no one to compete against with the webcast on 6/12, I am up against some incredible information security professionals at both the Summit and GFIRST. The DFIR Summit is filled with some of the most talented researchers and professionals out there, presenting on a wide range of topics.

The GFIRST conference actually has a couple of sessions at the same time as mine that I would love to attend. If you are in the Atlanta area and interested in a free, top-notch conference, I highly recommend this one.