Sei sulla pagina 1di 83

University of Strathclyde

First Look at the


Windows 7 Forensics
Forensic implications of the new Windows 7

Piotrek Smulikowski
01/09/2009

This dissertation was submitted in part fulfilment of requirements for the degree of
MSc Forensic Informatics

Department of Computer and Information Sciences


University Of Strathclyde
First Look at the Windows 7 Forensics Piotrek Smulikowski

Abstract

Microsoft is ready for shipment of its new mainstream Operating System - Windows 7.
From 22nd of October most of new computers will be sold with the new system. It is the
intention of this paper to prepare computer forensic professionals for the challenges it can
potentially bring and what impact it is likely to have on forensic examination.

Through the comprehensive research and the detailed analysis of the introduced features,
it was possible to identify the prospective problems, that examiners can encounter, and
document them. However, also new sources of evidence were discovered, replacing old and
discarded sources.

This paper provides a first look at the Windows 7 from the computer forensic perspective
and is designed to help digital investigators in better understanding but also more effective
forensic analysis of the system.

II
First Look at the Windows 7 Forensics Piotrek Smulikowski

Table of Contents
Declaration ................................................................................................Error! Bookmark not defined.
Abstract.....................................................................................................................................................................II
Acknowledgments ..................................................................................Error! Bookmark not defined.
Table of Contents ................................................................................................................................................ III
List of Tables.......................................................................................................................................................V
List of Figures................................................................................................................................................... VI
1. Introduction .............................................................................................................................................. 1
1.1. Rationale ................................................................................................................................................. 1
1.2. Deliverables ........................................................................................................................................... 3
1.3. Project constraints .............................................................................................................................. 3
1.4. Audience....................................................................................Error! Bookmark not defined.
1.5. This Document...................................................................................................................................... 4
2. Background Research / Literature Review .................................................................................. 6
1. Windows 7 Development versions .................................................................................................. 8
2. Windows 7 final editions ..................................................................................................................... 9
3. Internet Explorer 8.............................................................................................................................. 11
3.1. InPrivate – Stealth Browsing ....................................................................................................... 11
3.2. Suggested Sites .................................................................................................................................. 13
3.3. Session Recovery .............................................................................................................................. 14
3.4. Index.dat files..................................................................................................................................... 16
4. Folder Structure ................................................................................................................................... 19
4.1. Libraries ............................................................................................................................................... 19
4.2. Windows Search and Federated Search .................................................................................. 20
4.3. User folders......................................................................................................................................... 21
5. New Taskbar and Jump List ............................................................................................................. 23
6. BitLocker ................................................................................................................................................. 28
6.1. BitLocker in Windows Vista ......................................................................................................... 28
6.1.1. Introduction ................................................................................................................................... 28
6.1.2. Authentication Methods ............................................................................................................ 28

III
First Look at the Windows 7 Forensics Piotrek Smulikowski

6.1.3. BitLocker Identification............................................................................................................. 29


6.1.4. BitLocker Acquisition ................................................................................................................. 31
6.2. BitLocker in Windows 7................................................................................................................. 32
6.2.1. Introduction ................................................................................................................................... 32
6.2.2. BitLocker To Go ............................................................................................................................ 32
6.2.3. BitLocker To Go Identification................................................................................................ 34
6.2.4. BitLocker To Go Acquisition .................................................................................................... 37
6.2.5. BitLocker changes........................................................................................................................ 38
6.3. Windows 7 BitLocker Conclusions ............................................................................................ 39
7. Registry Analysis.................................................................................................................................. 41
7.1. Introduction........................................................................................................................................ 41
7.2. Registry locations ............................................................................................................................. 42
7.2.1. Time Information..................................................................................................................... 42
7.2.2. Most Recently Used................................................................................................................. 43
7.2.3. UserAsisst ................................................................................................................................... 45
7.2.4. Autoruns...................................................................................................................................... 47
7.2.5. Network information.............................................................................................................. 47
7.2.6. Mounted Devices...................................................................................................................... 48
7.2.7. USB Device Information ........................................................................................................ 49
7.2.8. Internet Explorer ..................................................................................................................... 50
8. Miscellaneous new Features and Changes................................................................................. 51
8.1. Location and Sensors API.............................................................................................................. 51
8.2. exFAT / FAT64 .................................................................................................................................. 53
8.2.1. exFAT Identification.................................................................................................................... 53
8.3. Partition Table ................................................................................................................................... 54
8.4. XP mode................................................................................................................................................ 56
8.5. Biometrics and Fingerprint support ..............................Error! Bookmark not defined.
8.6. Uninstall Process ...................................................................Error! Bookmark not defined.
8.7. Mix.......................................................................................................................................................... 57
8.8. UAC..............................................................................................Error! Bookmark not defined.

IV
First Look at the Windows 7 Forensics Piotrek Smulikowski

9. Methodology .......................................................................................................................................... 58
9.1. Hardware and Software used ...................................................................................................... 60
10. Conclusions ............................................................................................................................................ 62
10.1. Research Achievements............................................................................................................. 62
10.2. Actual Constraints........................................................................................................................ 64
10.3. Reflections on Research..................................................Error! Bookmark not defined.
10.4. Final Conclusions ......................................................................................................................... 64
10.5. Future Work................................................................................................................................... 65
References: ................................................................................................Error! Bookmark not defined.
Bibliography......................................................................................................................................................... 67
APPENDIX A – Windows 7 Editions Comparison Chart..................................................................... 74

List of Tables

Table 1 Windows 7 Editions comparison (Protalinski, 2009) ............................................................ 9


Table 2. Behaviour of the Internet Explorer 8 InPrivate mode (Zeigler, 2008). ....................... 11
Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer
Help ........................................................................................................................................................... 12
Table 4. File names and their respective application that store Jump List data ....................... 26
Table 5. Required Values for BitLocker stored in boot sector of an encrypted
volume (Hunter, 2006) ...................................................................................................................... 30
Table 6. Short naming convention for root hives .................................................................................. 41
Table 7. Registry paths and corresponding files.................................................................................... 42
Table 8. Differences and similarities in registry key locations between Windows
XP and Windows Vista. ...................................................................................................................... 45
Table 9. USB Information gathering process. Adapted from (SANS Forensics Blog,
2009)......................................................................................................................................................... 50
Table 10. Hardware and Software Specification of used PCs ........................................................... 60
Table 11. Windows 7 editions comparison chart source WIKIPEDIA........................................... 75

V
First Look at the Windows 7 Forensics Piotrek Smulikowski

List of Figures

Figure 1. Contents of the SuggestedSites.dat file, viewed in Hex editor. Visited


URLs are underlined in Blue and Referrer URLs are highlighted in yellow.................. 13
Figure 2. Contents of SuggestedSites.dat file with visible header underlined in red
and IE Browser version highlighted in yellow. ........................................................................ 14
Figure 3. Contents of the Active folder. In this example normal and InPrivate
modes are used and have multiple tabs open. Note: this screenshot comes
from Windows XP. ............................................................................................................................... 15
Figure 4. Contents of an example tab file. URL is highlighted in grey and page
name is in yellow.................................................................................................................................. 16
Figure 5. index.dat file parsed with Pasco and imported by Excel ................................................. 18
Figure 6. XML code in library-ms file. The included folder path is highlighted in
grey............................................................................................................................................................ 20
Figure 7. Contents of Search Connector configuration file. The domain search
provider is highlighted in grey ....................................................................................................... 21
Figure 8. Start Menu properties window, allows user to disable the Jump List and
customize contents of the start menu.......................................................................................... 24
Figure 9. Contents of the Jump List recent items file viewed in hex editor. Path to
recent 'cos.png' file is highlighted in grey. This particular file, stores recent
items list for Microsoft Paint. .......................................................................................................... 25
Figure 10. BitLocker Encrypted volume header of a boot sector in Windows Vista
viewed in Hex editor (Hargreaves & Chivers, 2007) ....................................... 31
Figure 11. Group Policy allow forcing users to encrypt USB sticks, (Funk, 2008) ................... 33
Figure 12. BitLocker To Go Reader window allows viewing files and exporting to
local machine. Screenshot taken from Windows Vista ......................................................... 34
Figure 13. BitLocker To Go encrypted portable drive......................................................................... 34

VI
First Look at the Windows 7 Forensics Piotrek Smulikowski

Figure 14. Contents of the BitLocker To Go encrypted portable drive.


BitLockerToGo.exe file is clearly visible, Screen shot taken from
Windows Vista. ..................................................................................................................................... 35
Figure 15. FAT32 volume encrypted with BitLocker To Go. MSWIN4.1 OEM Nam
is highlighted in yellow and FAT32 file system highlighted in grey ................................ 35
Figure 16. BitLocker signature found on BitLocker To Go encrypted volume -
highlighted in yellow. Additionally original Computer Name, Drive Letter
and Date were also found - highlighted in grey. ...................................................................... 36
Figure 17. Header of NTFS drive encrypted with BitLocker To Go viewed in Hex
editor. The BitLocker singature -FVE-FS- is at 0x03 offset - highlighted in
yellow. Interestingly it is marked as FAT32 file system highlighted in grey................ 36
Figure 18. BitLocker signature found on encrypted NTFS volume - highlighted in
yellow. Computer name, Drive letter and Date were also found -
highlighted in grey............................................................................................................................... 37
Figure 19. Image shows binary data for the example UserAssist value. Underlined
in red is the obfuscated program path, in green is the decoded path.
Highlighted in yellow is the counter number and in blue is the time stamp
in Hex........................................................................................................................................................ 46
Figure 20. Output from Date/Time converting application DCode. Highlighted in
yellow is the time stamp from above example (see previous figure).............................. 47
Figure 21. exFAT partition signature 'EXFAT' ........................................................................................ 53
Figure 22. fdisk recognizes exFAT as NTFS with partition id=7...................................................... 54
Figure 23. Output from mmls tool, exFAT is recognised as NTFS................................................... 54
Figure 24. fdisk recognized two partition as NTFS............................................................................... 55
Figure 25. mmls tool displays the details and locations of the two partitions. ......................... 55
Figure 26. The output from the fsstat tool with details of the System Reserved
(left) and Windows 7 partitions (right). ..................................................................................... 56

VII
1. Introduction
Microsoft Windows is by far the most popular Operating System among typical computer
users, as a result it has a great impact on computer forensics. Therefore there is no doubt
that the introduction of the Windows 7 will have its footprint on forensics. The big question
is what impact it is going to have, whether the existing methods will become obsolete or
maybe there will be no forensically significant changes at all. Early opinions, suggest that
digital investigators will not be forced to change their careers just yet. However
information regarding the forensic issues of Windows 7 is very limited, there is no single
detailed resource on the topic. This paper attempts to fill in the gap. It is intended that the
research will provide forensic examiners with the starting point, first look at the issues
surrounding the new Windows analysis. Through the in-depth discussion and examination
of some of the relevant features, the study produced certain interesting findings.

The paper is primarily aimed at the forensic examiners to aid them in the analysis of the
new Windows 7 based computer. It is hoped that after reading the research, forensic
investigators will gain more confidence when faced with the new system. Additionally
through the analysis of the new sources of evidence, examiners will be able to produce
stronger evidence. Various functionalities include features that work in examiner’s favour
or against it. The challenges that the Windows 7 will bring could potentially have an impact
of the forensic analysis. This research attempted to analyse and document them to raise
examiners awareness.

However, this is the first detailed analysis of the Windows 7 seen from the forensic point of
view, while it may be regarded as comprehensive it is by no means the complete exhausted
reference. It will take time and lots more research to achieve this and this paper tries to
form a basis but also encourage for further studies on the topic.

1.1.Rationale
The introduction of new software can bring a wide range of changes that potentially affect
compatibility. This is especially true in the case of an Operating System which provides a
basic functionality and platform for other software; it is a system that coordinates all
computer actions. Since other applications rely on it, the way that they work is heavily
dependent on the OS. Software for Apple Mac OS will not work on MS Windows Vista
because it handles guest applications and data very differently. This is to be expected when
it comes to different competitor’s platforms, however it can also be the case even on the
same platform. For instance an application written for a Windows XP may or may not work
under the Vista environment. Fortunately, over time, software developers modify their
products so they work under the new system. The incompatibility issues may also affect

1
First Look at the Windows 7 Forensics Piotrek Smulikowski

Windows 7, however very few have been reported so far. It is important to remember that
the problem can affect forensics both ways: Windows 7 as (a) a target PC or (b) analysis
platform. While studying software alternatives, the research may reveal such problems
with tested collection of applications.

The research aims to discover the differences in the forensic analysis process between the
new system and previous versions of Windows, namely Vista and XP. Windows XP was
used as the main consumer OS for nearly 6 years, whereas the Vista will be replaced by the
Windows 7 after little over 2.5 years. Given this much shorter development time it is not
expected large amount of new features. Speculation suggests that this is refined version of
the Vista, and some even say that it is what Vista was meant to be. Microsoft has dropped
the introduction of the new Windows File System which would have had a very significant
impact on forensic analysis. It is also possible that very few changes actually affect the
process but this is the reason why this research is important; to find any major differences,
if any, to the forensic analysis procedures.

Certainly, the time it will take for Windows 7 to be adopted by the majority of the PC
market will be substantial and, similarly in the computer crime world, it will slowly gain
popularity. Although in current financial climate forecasts about computer sales vary but
the Windows market share should be preserved. This means that when Windows 7 is
released, 93% of new home computers sold, will be with this Operating System (NET
APPLICATIONS, 2009). Therefore it is going to become the main OS used by home users
and it is safe to assume that criminals will start using the new system as well, and the
sooner forensic specialists become familiar with the system the better.

The main beneficiaries of this study are thought to be forensic investigators and
researchers. Analysts will learn how important to the analysis process the changes are,
which techniques still apply, what could be a new source of forensic evidence. It will help to
them to choose appropriate techniques in order to recover as much evidence as possible
from the new system.

Results from the study could form a solid basis for further forensic research on the more
specific issues of the Windows 7. The aim is to provide researchers with an overview of the
new features and overall changes to the system architecture and how important they are to
the forensic analysis process. If the research finds substantial differences that require
further, more in depth analysis they could become a basis for more detailed and focused
study. However, if findings from the research state that there are no changes to the forensic
analysis procedure, it could still be considered as a successful study since there is no other
published research, at least at the time of writing, which tries to examine the new system.
Therefore it might be beneficial to the computer forensic community to establish that as a

2
First Look at the Windows 7 Forensics Piotrek Smulikowski

fact, if this is the case. Hence, regardless of the findings of the research, it can still be
valuable paper in a forensic field, provided of course that the research has been properly
executed.

Literature available on the topic of Windows 7 and forensics is very limited and it is
believed that this paper would fill this particular gap and possibly encourage forensic
community to undertake further work in this field.

Last but not least from my personal point of view I hope to learn more about the forensic
analysis of Windows based computers. During the course of my studies I got to know many
techniques applicable for the Microsoft system but I realise that further development of my
practical and theoretical knowledge is required to become good and effective investigator. I
believe that extensive research of the platform can give me ‘an edge’ when applying for
employment after graduation. This is why I treat this research very seriously and hope that
it could open doors for me upon successful completion of the project.

1.2.Deliverables
The following quote comes from the research proposal and discusses the deliverables:

“When the research will be finished the following deliverables are expected:

 Review of the changes that have an impact on the forensic analysis.


 Comparison to the previous Windows systems analysis process.
 Identification of the new sources of evidence if such exists.
 Review and validation of the old, known evidence sources.
 Evaluation of the tools with regard to the new system.
 Draft of the forensic analysis procedure of the Windows 7. (not a key requirement)“

The research aims to deliver few different objectives, all oriented around the forensic
analysis of the Windows 7. First being a review of the changes and new features that could
potentially affect the examination. It is partially theoretical study of new features in order
to highlight the forensically significant ones but also it includes the practical approach
where features are examined on the actual PC running Windows 7.

1.3.Project constraints
The research is focused around Windows 7 which is not yet a finished product. This
provides a strong argument for undertaking the study because it ensures the novelty factor.

3
First Look at the Windows 7 Forensics Piotrek Smulikowski

However it also introduces the risk that the final product will vary substantially from the
version examined. As a result it could potentially void results from the research. However,
the version examined (RC) is thought to be very similar to the final version with only minor
cosmetic changes rather than changes in core functionality and features so this should not
affect the results.

Additionally, in order to improve the relevance of the research it would be desirable to wait
until the final version is publically available. However, due to the fact that deadline for the
research is nearly two months before official release it is infeasible to do so.

Due to the fact that there is very little information on the topic it is difficult to find any new
sources of evidence. The Operating System is very complicated in its nature therefore it is
nearly impossible to identify all changes by manual exploration or uninformed search.
Structures like Windows Registry are incredibly complex and it would be impractical to
crawl through all registry keys and check for any evidence. This problem is addressed by
employing informed search which limits data set to the most likely candidates. For
instance, rather than analyzing all new features only those that could potentially be storing
any evidence would be analyzed, thus maintaining a balance between accurate results and
effective use of time. In addition, attempts will be made to contact experts in Windows
forensics, including Microsoft staff.

Another constraint that may have an impact on one of the deliverables is the availability of
forensic software. Forensic software packages like, for example, EnCase tend to be very
expensive. Moreover many manufacturers do not publish evaluation versions, and while
this might stop ‘warez’ community from reverse engineering or devising anti-forensic
techniques it also makes it very difficult to accumulate a collection of software to evaluate
its behaviour on a new version of the Operating System. While majority of investigators
work on integrated forensic packages like EnCase, FTK or X-Ways Forensics there are also
free alternatives. Fortunately, selections of tools from a wide range of freeware and open
source software can be easily assessed.

As with many projects, the time limit is a crucial constraint that effectively shapes the
whole research. Therefore effective time management is highly important in order to bring
research to a successful conclusion. Regular meetings with supervisor ought to help keep
progress on track.

1.4. This Document


This paper was written as a dissertation for MSc Forensic Informatics course at the
Strathclyde University. The project was guided by Lothian and Borders Police department.

4
First Look at the Windows 7 Forensics Piotrek Smulikowski

As requested in the departmental guidelines the font size is 12. However, the 1.15 line
spacing was used in order to reduce paper wastage, which was agreed with the supervisor.

References are submitted in Harvard – Leeds style, following patterns outlined in


Postgraduate Handbook. Special plug-in for Microsoft Office Word 2007 is used in order to
keep consistency of referencing (CODEPLEX, MICROSOFT, 2009).

5
First Look at the Windows 7 Forensics Piotrek Smulikowski

2. Background Research
At the time of writing the research Windows 7 has not yet been released to the public. As
mentioned before with a release of any new version of Windows there is a lot of talk
around it. Windows 7 has already made headlines but they mostly focus on the usability of
the system, its performance, compatibility or pricing. Many Information Technology web
portals and magazines have published a wide variety of articles and tutorials regarding the
new features included in Windows 7. One such example is the article from Ars Technica
about its Graphical User Interface (BRIGHT, P, 2008). In addition many independent
websites are rising that are exclusively dedicated to the new Windows such as
windows7news.com.

Microsoft is actively working on expanding its knowledge base available through Microsoft
TechNet Library website (MICROSOFT), where IT professionals can find useful resources
about Microsoft products. This portal contains, among others, articles on BitLocker,
AppLocker or Security Enhancements of Windows 7. This knowledge base is oriented
mainly towards developers or security specialists.

There is, however, very little information available on the new OS from the forensic point of
view. All of the existing sources are limited to individual posts on forensic community
forums or blogs. No articles are published on the subject and the gap has not been filled by
Microsoft. According to an anonymous source, the Redmond based company delivers
closed seminars for Law Enforcement agencies, which are not disclosed to the public. Some
of these materials were made available, with permission, for the purpose of this research.

One of the most popular forums with a strong forensic community is forensicfocus.com. So
far there have been only few discussions involving the new Windows. For instance, user
oasol reported the first case based on Windows 7 (OASOL, 2009). Whereas user jenskr
reported that some of the major forensic packages are compatible with 32 bit version of
Windows 7 (JENSKR, 2009).In order to learn more details about the new OS in context of
forensics a forum thread was created and although it had large number of the views very
little response was noted. User MMachor reported that the 7 “is really from a forensic
aspect very similar to Vista” and suggested that Recycle Bin, Prefetch and some other areas
examined by him have not changed (MMAHOR, 2009) but he fails to go in to greater detail.

The blog run by Harlan Carvey (user keydet89), the author of many forensic publications
including Windows Forensic Analysis book, provides details of certain aspects of Windows
7 forensics (CARVEY, Harlan, 2009). He suggests that usability features like Jump List are
“going to be a gold mine for an analyst”. This view is shared by other testers too; they
believe that it can provide information similar to Most Recently Used registry keys. Carvey

6
First Look at the Windows 7 Forensics Piotrek Smulikowski

also confirmed compatibility of his own tool RegRipper (CARVEY, Harlan and Shavers,
Brett, 2009) designed to extract forensic data from registry hives, and upon loading
registry keys from the Windows 7 he was able to view evidence data as expected. Due to
the tool’s component build some plug-ins responded better than others to the changes in
new system. Analysis of unsuccessful extractions of data can help to determine differences
between new OS and its predecessors. Carvey also announced, shortly after presentation of
his second edition of the book, that the third edition would include forensic analysis of the
new Microsoft OS incarnation.

An article from Didier Stevens’ blog reported that UserAssist key in registry, which holds
shortcuts to most frequently used applications displayed in start menu in Windows, is
obscured with Vigenère cipher unlike ROT-13 in previous versions (STEVENS, Didier,
2009). It was first found on Beta version of Windows 7, however it was then reverted back
to the ROT-13 in RC version. Former Microsoft developer, Steve Riley claims that it was
used by their team in order to more easily identify changes after a system upgrade and was
only introduced for development purposes and therefore it was not necessary to be carried
forward to final version. Later research showed that the cipher was indeed changed back to
ROT-13 in the RC version.

Although, as shown above, some information with regard to forensics and Windows Seven
is available it is still very sparse and incomplete; there is obvious lack of one integrated
source of information that could form an early reference for examiners. Blogs can be very
knowledgeable source however it is not easy to find all the information available if it is
spread over many different sites.

Because of the lack of information on Windows 7, reference sources about Vista were
analysed in order to help with verifying new features in the updated system. These can
help to make ‘informed’ analysis of the new system. If some features were newly
introduced in the previous system they are likely to be changed or improved upon and this
could potentially create new sources of evidence.

After Windows Vista was released back in January 2007 many examiners wondered how it
was going to affect the forensic analysis process. It was not long before the first articles
were published. One of the first was the “Notes on Vista Forensics” part One and Two by
Jamie Morris founder of Forensic Focus (MORRIS, Jamie, 2007) posted a little over a month
after release. It provided “ a high level look at what we know now about those changes in
Vista which seem likely to have most impact on computer forensic investigators” (MORRIS,
Jamie, 2007).

7
First Look at the Windows 7 Forensics Piotrek Smulikowski

Lecturers from Cranfield University published a paper called: “Potential Impacts of


Windows Vista on Digital Investigations”, that follows a similar approach but that goes into
greater detail (HARGREAVES, C and Chivers, H, 2007). It analyzes new features and system
changes from the forensic perspective.

Another interesting paper was presented at the Computer and Enterprise Investigation
Conference 2007 (CEIC)(MUELLER, Lance, 2007) by Lance Mueller from Guidance Software
(GUIDANCE SOFTWARE INC., 2009), the company that created EnCase. The author
undertook a detailed examination of changes introduced in Vista like e.g. NTFS file system
update.

1. Windows 7 Development versions


When Microsoft released Vista in January 2007, Windows XP had been on the market since
October 2001, which means that its lifespan was over a five and half years. The new system
did not have a good start with numerous ‘Vista Issues’ including mainly the performance
and compatibility problems. This has resulted in the relatively low popularity of the Vista.
Microsoft decided to shorten the life of Vista to just two and a half years in favour of the
new version. Obviously, Vista is still going to be supported by Microsoft; however, the main
development is dedicated to the Windows 7. Close to the date of finishing the Windows 7,
Microsoft released Service Pack 2 for Vista, to help to bring it up to date especially in the
light of Windows 7. The newest OS has been well received by testers and is expected to
have much better start based on early pre-order sales figures. According to the BBC:
“Amazon said that sales of Windows 7 in the first eight hours it was available outstripped
those of Windows Vista's entire 17 week pre-order period” (BBC NEWS UK, 2009).

Microsoft released the first build of the Windows 7 to the public on the 9th of January 2009.
Build 7000 was a Beta release signifying an early development stage, however it provided
the first insights into the feature sets available in the final version. Some of the big changes
were discarded, like the new file system replacement of the NTFS, which would have an
enormous affect on forensics in general, and file recovery in particular. It became a very
popular download, and many IT savvy people tried it, including some forensic examiners
like Harlan Carvey - author of the previously referenced blog posts. The reception it
received was much better in comparison to Vista. However, it was a popular belief that the
new system did not carry many changes; that it was just an improved Vista. This view was
reinforced when Steve Ballmer, Microsoft’s CEO, said: “Windows 7 will be more like
Windows Vista, but a lot better!” (PARRISH, Kevin, 2008). On 5th of May 2009 Microsoft
made Release Candidate (RC) public. Version 7100 addressed feedback from testers and
GUI improvements but feature changes were minor (MSDN BLOG, 2009).

8
First Look at the Windows 7 Forensics Piotrek Smulikowski

Since the first announcement about Windows 7, Microsoft has moved the expected release
date numerous times and some has suggested it might be as late as mid 2010. However, as
development versions were progressing, it seemed as if the final date would be much
earlier. On 2nd of June 2009, Brandon LeBlanc wrote on Windows Blog and confirmed that
the General Availability date is 22nd of October 2009 (LEBLANC, Brandon, 2009). Although,
developers and OEM Manufacturers were meant to be getting the final version sooner.

Few weeks later on 24.07.2009 Windows 7 was finally signed off by internal testing group
which meant that it met quality control and reached Release To Manufacturing (RTM)
status (LEBLANC, Brandon, 2009). At this point build 7600 was released to OEM
Manufacturers for deployment purposes.

2. Windows 7 final editions


As with Vista, Windows 7 comes in wide variety of editions. However the line up has
changed slightly. With 6 different versions available varying feature sets. Emil Protalinski
from Ars Technica (PROTALINSKI, Emil, 2009) compared them:

 Windows 7 Starter (worldwide via OEM only): up to three concurrent applications, ability to join a
Home Group, improved taskbar and JumpLists

 Windows 7 Home Basic (emerging markets): unlimited applications, live thumbnail previews and
enhanced visual experience, advanced networking support

 Windows 7 Home Premium (worldwide): Aero Glass and advanced windows navigation, improved
media format support, enhancements to Windows Media Center and media streaming, including Play
To, multi-touch and improved handwriting recognition

 Windows 7 Professional (worldwide): ability to join a managed network with Domain Join, data
protection with advanced network backup and Encrypting File System, and print to the right printer
at home or work with Location Aware Printing

 Windows 7 Ultimate (worldwide): BitLocker data protection on internal and external drives,
DirectAccess for seamless connectivity to corporate networks based on Windows Server 2008 R2,
BranchCache support when on networks based on Windows Server 2008 R2, and lock unauthorized
software from running with AppLocker

 Windows 7 Enterprise (volume licenses): same as Ultimate, includes the following improvements:
DirectAccess, BranchCache, Search, BitLocker, AppLocker, Virtualization Enhancements,
Management, as well as Compatibility and Deployment.

Table 1 Windows 7 Editions comparison (PROTALINSKI, Emil, 2009)

9
First Look at the Windows 7 Forensics Piotrek Smulikowski

To sum up: Starter is designed for low spec hardware – Netbooks, with heavily limited
features. Home Basic edition is only for emerging markets whereas Home Premium,
Professional and Ultimate are mainstream editions, available for retail sale. Enterprise is
available only via Volume Licenses. Upgrading will only be available to mainstream
editions. Analogically to Vista one installation disk can support all editions, the type of
licence is determined on a basis of Product Key.

Due to the European Commission decision that Microsoft had violated European
competition law by offering Internet Explorer (IE) browser as a default browser, the
company decided to remove IE from the European version of Windows 7 (CLARKE, Gavin,
2009). As a result the special version called ‘Windows 7 E’ would not allow upgrades and
so making the cost of the new Windows higher as only the full version would be sold. The
issue was eventually resolved by introducing the ‘Web Browser Ballot’ screen allowing for
choice of alternative browser (FIVEASH, Kelly, 2009).

For a detailed comparison of the Windows 7 editions please see Appendix A.

10
First Look at the Windows 7 Forensics Piotrek Smulikowski

3. Internet Explorer 8
Internet Explorer 8 (IE8) is the newest Web Browser developed by Microsoft as the default
browser for Windows. It is bundled in Windows 7 but it is also offered as a recommended
update for an IE7 on Vista or XP. Therefore some investigators may have already
experienced examination of the new version. However it is important to note that there are
substantial differences between releases for different platforms, XP in particular, due to
improvements in privilege management on newer platforms. The newest release claims
significant enhancements in security such as Click-Jacking prevention or Cross Site
Scripting filters.

3.1. InPrivate – Stealth Browsing


Microsoft followed other browser makers like for instance Safari and introduced stealth
mode in the newest version. The InPrivate feature allows browsing the internet without
leaving traces on a local machine. Certainly it has an impact onto forensic analysis of the
new browser as an investigator has very little, if any, chances of reconstructing suspect’s
online activity. By default when user starts a browser, the standard mode is launched and
user activity is recorded in a normal manner, it is when user enables the InPrivate
browsing (Safety > InPrivate Browsing) that the stealth mode is launched in another
window. Behaviour of the browser changes only for the InPrivate session, thus if user has
had standard window open, its history would be stored as normal, whereas the activity
within the stealth mode window would be discarded. According to IE Microsoft Blog
(ZEIGLER, Andy, 2008) InPrivate Browsing changes the behaviour in the following way:

 New cookies are not stored


o All new cookies become “session” cookies
o Existing cookies can still be read
o The new DOM storage feature behaves the same way
 New history entries will not be recorded
 New temporary Internet files will be deleted after the Private Browsing window is closed
 Form data is not stored
 Passwords are not stored
 Addresses typed into the address bar are not stored
 Queries entered into the search box are not stored
 Visited links will not be stored

Table 2. Behaviour of the Internet Explorer 8 InPrivate mode (ZEIGLER, Andy, 2008).

Analysis showed that the wording of the above list (Table 2) is crucial because it means
that only new history entries are not recorded. However, all other attributes such as Cache
are recorded but deleted when the InPrivate windows is closed. It opens a possibility for

11
First Look at the Windows 7 Forensics Piotrek Smulikowski

those files to be recovered by specialist data recovery tools. Alternative explanation (Table
3. Data stored during InPrivate session. Source: Windows Internet Explorer HelpTable 3) of
the browser behaviour in the InPrivate mode comes from the Internet Explorer Help.

Information How it is affected by InPrivate Browsing


Cookies Kept in memory so pages work correctly, but cleared when you
close the browser.
Temporary Internet Stored on disk so pages work correctly, but deleted when you close
files the browser.
Webpage history This information is not stored.
Form data and This information is not stored.
passwords
Anti-phishing cache Temporary information is encrypted and stored so pages work
correctly.
Address bar and search This information is not stored.
AutoComplete
Automatic Crash ACR can restore when a tab crashes in a session, but if the whole
Restore (ACR) window crashes, data is deleted and the window cannot be
restored.
Document Object The DOM storage is a kind of "super cookie" web developers can
Model (DOM) storage use to retain information. Like regular cookies, they are not kept
after the window is closed.
Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer Help

When privacy mode was first announced in 2008, it soon was unfavourably known as a
‘porn mode’ as it was believed to cover all browsing tracks. It produces mixed feelings in
system administrators’ community since it could create opportunity for employees to
abuse online access. Some argued that it should be disabled (AARON, 2009), what can be
done setting up a Group Policy.

According to Microsoft the InPrivate functionality is designed to stop casual computer


users from “gaining access to the browsing history”. The IE team suggest that it should be
possible to retrieve the online activity: “The feature isn’t designed to protect a user from
security experts or forensic researchers” (SHARP, John, 2008).

Shortly after a Beta version has been released it was examined by the investigators from
the FoxIT forensic firm and it was found that it was possible to determine visited websites
(SHARP, John, 2008). Christian Prickaerts claims that the feature is “mainly cosmetic” and
that: “For a forensic investigator, retrieving the browsing history should be regarded as
peanuts. The remaining records in the history file still enable me to deduce which websites
have been visited” (SHARP, John, 2008). It is important to emphasise that tests were
undertaken on the Beta version and unfortunately the method used by researchers was not
disclosed.

12
First Look at the Windows 7 Forensics Piotrek Smulikowski

Furthermore a Delete Browsing History window ( Safety > Delete Browsing History >
Preserve Favorites website data ) now provides option for tracking data for websites
marked as Favourites. Essentially if a user added msn.com to Favourites then Temporary
Internet files and cookies would be preserved even though the other history data has been
deleted using IE8.

To complement Microsoft’s care for user’s privacy, InPrivate filtering feature was
developed (ZEIGLER, Andy, 2008)
2008).. If enabled by user, it informs him about tracking
attempts by a third party websites and allows blocking such attempts. User can specify his
own list of blocked sites or use list predefined by Microsoft.

3.2.Suggested Sites
The new
ew Suggested Sites feature aims to deliver website recommendation based on other
users’ online activity. If user opt
opt-in to use this feature, his history is analyzed and sent to
Microsoft servers where stripped from identification data data, it contributes to suggestions
suggestion
database. Most commonly visited websites in user’s category would be recommended to
him the system.. It is important to note that no information iiss collected while InPrivate
session is enabled.

The Suggested Sites capability has its own binary file called SuggestedSites.dat that is
stored in C:\Users\<username>\AppData
AppData\Local\Microsoft\Windows\Temporary
Temporary Internet
Files\Low\ folder. The file is create
created automatically when user opts-in in to use the feature and
its default size is 5,121 KB, regardless of the contents. Its structure is different to the
index.dat therefore it cannot be parsed by a Pasco tool (JONES, Keith, 2003).
2003) Microsoft did
not publish any documentation of th this particular format. When loaded into Hex editor a
certain pattern can be seen.

Figure 1.. Contents of the SuggestedSites.dat file, viewed in Hex editor. Visited URLs are underlined
underli in Blue and
Referrer URLs are highlighted in yellow.

Figure 1 presents contents of the file where each of the new entries is marked by ‘
character and followed by a visited URL
URL, here underlined in blue. Next
ext is the page name as
appears on the top bar of the browser and finally is the R
Referrer URL, highlighted in yellow.

13
First Look at the Windows 7 Forensics Piotrek Smulikowski

Rest of the data is currently not recognized. The header of the file is also different to
index.dat files. It contains unidentified data
data, followed by Internet Explorer version at the
0x60 offset as it can be seen at the Figure 2.

Figure 2. Contents of SuggestedSites


Sites.dat
.dat file with visible header underlined in red and IE Browser version
highlighted in yellow.

According to the details of the Suggested Sites functionality the above file does not record
history during the HTTPS sessions or InPrivate mode. Additionally, in order to provide
user with a control, the functionality is designed to delete the particular history entries if
user decided to delete the record from the browser history
history.. In a forensic examination,
examination
analysing data in a history index.dat file should take priority since it provides more
information. However, in a scenario where user deleted the history using third party
software rather than built in method, there is a high possibility that the SuggestedSites.dat
file was left. Currently it is the latest version of CCleaner that is capable of removing the file
(PIRIFORM LTD, 2009) on a live system since it is protected by the OS.

3.3.Session Recovery
Microsoft boasts great improvements in the stability of a new browser. Developers spent a
lot of effort on improving reliability thus new technologies like for instance Automatic Tab
Crash Recovery were introduced. It is designed to isolate single tab that crashed from the
rest, so that the other tabs are not affected. However, in order to implement this feature
developers had to introduce monitoring mechanism that records current and previous
browsing session. These are stored in the following folders:

14
First Look at the Windows 7 Forensics Piotrek Smulikowski

Windows 7, Vista C:\Users\<username>\AppData\Local\Microsoft\


Internet Explorer\Recovery\Active
\Last Active

Windows XP C:\Documents and Settings\<username>\Local


Settings\Application Data\Microsoft\Internet
Explorer\Recovery\Active
\Last Active

The Active folder stores current session data, whereas Last Active folder keeps previous
browsing session data. Once a current session is closed, the contents of the Active folder
are moved to the Last Active directory, thus overwriting the previously stored session.
Deleting the browser history also causes removal of the folder contents.

The session data is recorded even in InPrivate mode however, once a window is closed it
automatically deletes contents of Active folder. In fact it is deleted only if the iexplore.exe
process terminates successfully. However, if the whole application or the whole system
crashes, the contents of Active folder are not deleted. This could create an opportunity for
forensics to recover details of InPrivate session which would be otherwise difficult to
obtain. Applications of this method are mostly limited to the scenario where suspect was
caught in ‘action’ and officer at the scene simply pulled the power plug.

Each of the folders contains two types of files: RecoveryStore.{xxxxxxxx-xxxx-xxxx-xxxx-


xxxxxxxxxxxx}.dat and {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.dat, which are created on-
the-fly whenever IE8 is used. The first type is used as a manager for other files, one
instance is created for each of the browsing modes – normal and InPrivate, regardless of a
number of windows opened. Latter type represents a single Tab and is created whenever a
new one is opened. Figure 3 presents Active folder, in this case, two modes are used,
normal and InPrivate, because two RecoveryStore files exists. On top of that multiple tabs
are open. Please note that although the screenshot was taken from Windows XP the
browser behaviour in this case is the same as in Windows 7.

Figure 3. Contents of the Active folder. In this example normal and InPrivate modes are used and have multiple
tabs open. Note: this screenshot comes from Windows XP.

15
First Look at the Windows 7 Forensics Piotrek Smulikowski

The file names are Globally Unique Identifiers (GUID) generated randomly by Windows. It
is important to note that file names are generated they remain the same regardless of the
contents. Therefore if a suspect used a single browser window and with a single tab for
many websites, the contents of a file will change but the file name will persist.

Because the files are in a binary format, they have to be analysed with a hex editor. The
RecoveryStore files do not seem to contain any comprehensible data, it is the tab files that
bring more information when analysed. Figure 4 shows an example where, website URL
and its name are stored in file.

Figure 4. Contents of an example tab file. URL is highlighted in grey and page name is in yellow.

However, the structure of the tab files can be very complex since the same file is used for as
long as the corresponding tab is open. Therefore, if user was only using one tab for many
different sites, all browsing history would be stored in a single file. It can be confusing as
different sites seem to be nested in one another using some unknown data structures. The
order in which the URLs appear varies and it may seem chaotic. Nevertheless in all tested
examples, the first URL that is in a file was always the most recent URL.

In addition tab files can also store page specific content such as html, java scripts or xml.
These are stored after a tab history, in the second part of file. As a result a tab file can
increase in size substantially, from the initial 5KB, for an empty tab.

3.4.Index.dat files
Changes made to IE8, in comparison to IE7 mostly focused on adding new features rather
than on redesigning the whole structure. Therefore backward compatibility is being
maintained. This has a positive impact on a forensic analysis because it allows examiner to
adopt familiar techniques and tools in order to retrieve valuable information.

As in previous versions the index.dat file is used as a store for all web related data, such as
cache, history or cookies. Each of these artefacts – containers, has its own folder and a
index.dat file within it. The IE7 on Vista has introduced Protected Mode which is limited
privilege mode for browsing internet, for increased security. As a result, within each of

16
First Look at the Windows 7 Forensics Piotrek Smulikowski

containers a new folder called Low exists which holds Protected Mode sub-container.
Additionally when the Internet Explorer is in the Protected Mode all add-ons are installed
in a Virtualized location and a registry key:

Virtualized Location C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary


Internet Files\Virtualized

Virtualized registry HKCU\Software\Microsoft\Internet Explorer\Internet Registry


key

Containers are spread around the user’s profile application data and their locations are
consistent with previous versions:

Cache
Container for storing cacheable web content like images, pages, scripts. Every entry has a source
URL and name of the file in Content.IE5 folder. Files are stored until expiry date is reached

C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet
Files\Content.IE5\index.dat

Visited Links
Stores clicked URL links and AutoComplete data, used to highlight visited links.

C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

History
History container for specific time frame between start date and end date.

C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5\
MSHist01<startdate><enddate>\index.dat

Cookie
Container for mapping individual Cookie files to their associated URLs with additional metadata

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

RSS Feeds Cache


Stores record of RSS feeds added by user

17
First Look at the Windows 7 Forensics Piotrek Smulikowski

C:\Users\<username>\AppData\Local\Microsoft\Feeds Cache\index.dat

Due to the fact that the format of the index.dat files has not changed, examiners can use
existing tools to analyse user’s web activity for instance, Pasco by Keith Jones (JONES,
Keith, 2003). It parses the binary file and exports the tab delimited text file. Figure 5 shows
parsed contents of a IE8 Cache.

Figure 5. index.dat file parsed with Pasco and imported by Excel

Paths to the individual containers (PERNICK, Ari, 2006) remained unchanged therefore a
lot of current forensic tools should be compatible with the new IE version correctly. One of
the examples, apart from the Pasco are the NirSoft applications (SOFER, Nir, 2009). They
manage to successfully retrieve cache files history or even certain passwords. However, as
in Vista, most of the tools should be run ‘as Administrator’, in order to overcome privilege
limitations.

18
First Look at the Windows 7 Forensics Piotrek Smulikowski

4. Folder Structure
With the release of Windows Vista the Documents and Settings folder was discarded and
user profile was moved to Users folder using the Known Folder Id system. Although it did
not affect programs functionality thanks to the Reparse Points, but it required time for
users to get feel comfortable using it.

In Windows 7 there are no such differences in a physical directory structure. However


there are differences in a logical layout. Microsoft introduced the Library functionality
which allows users to have all their files in one logical location yet having actual files
distributed all over the PC or even network. Idea is similar to an audio playlist and
collection of mp3 files.

Introduction of Libraries allowed for more advanced search capabilities called Federated
Search. In addition Microsoft brought back the old naming scheme in a format of e.g. ‘My
Documents’.

4.1.Libraries
Default Libraries are Documents, Music, Pictures, Videos, however, user can add his own
types. One of the main requirements is that a folder that is added to the Library has to be
indexed, as it allows for a fast searching of the contents.

Fortunately, since the new scheme affects how a third party programs handle for example
‘Save file as’ dialog box functionality, Microsoft documented Libraries feature in detail
(KIRIATY, Yochay and Fliess, Alon, 2009).

The individual library files are named in the following format: <libraryname>.library-ms
for example Music.library-ms and are stored in the following folder:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Libraries\

Files are stored in the XML hence their structure is clear, after initial header tags, every
folder that is included in the library wrapped with the following code:
<searchConnectorDescriptionList>
<searchConnectorDescription publisher="Microsoft" product="Windows">
<description>@shell32.dll,-34577</description>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>true</isSupported>
<simpleLocation>
<url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
<serialized>MBAAAE…. </serialized>

19
First Look at the Windows 7 Forensics Piotrek Smulikowski

</simpleLocation>
</searchConnectorDescription>

From the forensic point of view


view, the most important field is the <url>, as it shows the path
to the folder included in library. In this case it is one of the known folders e.g. Downloads.
Figure 6 shows contents of the .library-ms ms file where highlighted in grey is the path to a
winhex folder added by user.

Figure 6. XML code in library


library-ms
ms file. The included folder path is highlighted in grey

Once the feature becomes commonly used by end userss then this could prove to be
valuable source of information of user’s setup, where important files are being kept.
kept
Microsoft believes
lieves that Libraries could be a structure for all user files. The advantage being,
being
that user can add folders from all locally av
available resources, such as an external hard
drive, HomeGroup or a network. Examiner then could easily find important storage
devices,
vices, locations which were used and include them in the investigation.

Additionally, because indexing is a prerequisite for a folder to be part of a Library, indexed


locations can be investigated in order to find user specified places. They are recorded in
Registry in the following key:

HKLM\SOFTWARE\Microsoft\Windows
Windows Search
Search\CrawlScopeManager\Windows\
SystemIndex\WorkingSetRules
WorkingSetRules

4.2.Windows
Windows Search and Federated Search
Windows Search 4.0 has been introduced as an update for the Vista; however,
however the
introduction of Libraries extended the applications of the search engine. Arrangement View
allows to customize the view of library contents based on a metadata, for example in the
Pictures Library, ‘by Year’ view would organise all photos in stacks fo
forr different years.
Another feature, called Search Filter Suggestions
Suggestions, allows user to select a predefined
metadata filter and a value, in order to view files matching that criteria. Therefore, if user

20
First Look at the Windows 7 Forensics Piotrek Smulikowski

wants to find music files of a specific genre, he can ei


either
ther select ‘genre:’ filter or type it in,
then possible genre types would be suggested for him to select.

Search functionality can be extended even further with the Federated Search. It allows
sending queries to external data sources, such as databases o orr web content, as long as they
support OpenSearch technology. In practice, user can simply download Search Connector
file (*.osdx) and then query contents of the website, all via Windows Explorer. Such
configuration files exist for popular websites such as YouTube or Flickr (DMEX, 2008).
2008)
When user downloads and runs the *.osdx setup file, a
searchname>.searchconnector-ms file is created and stored in <username>\Searches\
<domainsearchname>.searchconnector <username>
folder. The contents of the file are stored in XML format, the most interesting field, from the
forensic perspective, is the <domain> where domain of the host is recorded, as seen on
Figure 7.

Figure 7.. Contents of Search Connector configuration file. The domain search provider is highlighted in grey

Additionally, as in Vista, user can save specific search query if it is being reused. The Saved
Search details are stored in <searchname>.search
<searchname>.search-ms file also in the same folder
<username>\Searches\. The XML file has three significant fields:

 <scope> - determines locations to be searched e.g. C: C:\Users


Users
 <kindList> - specifies what kind of a ffile it is e.g. email
 <condition> - filters the results

These search techniques will most likely be used by advanced users, therefore examiners
will probably rarely need to investigate these artefacts. However if this method is used by a
suspect it could add
dd important information to investigation.

4.3.User folders
Windows 7 has old, XP style, names for default user folders, unlike Vista which introduced
different layout of user profile files. As a result the Documents folder is by default named
‘My Documents’,s’, other folders like Music, Pictures and Videos are also affected. When
folders were examined in WinHex, which shows physical structure of files, it became clear
that these folders are Reparse Points to the standard, Vista
Vista-style
style folders. Reparse Point is
an implementation of a junction on NTFS file system, whereas junctions are logical links

21
First Look at the Windows 7 Forensics Piotrek Smulikowski

pointing to another folder on Operating System level. They are transparent; hence user
rarely notices a difference between an actual folder and a Reparse Point.

Since the actual locations of the folders are consistent with the layout known from
Windows Vista, forensic examiner can simply examine already known folders within the
C:\Users\<username>\ location.

22
First Look at the Windows 7 Forensics Piotrek Smulikowski

5. New Taskbar and Jump List


One of the most prominent GUI feature in Windows 7 is the new Taskbar and the
integrated Jump List; designed as an interactive combination of quick launch shortcuts with
taskbar buttons, plus application specific common tasks. It allows user to have access to
most frequent tasks such as ‘Play next song’ in Windows Media Player, directly from the
taskbar. Additionally user can also choose the most recent or frequent files handled by this
application. This part of functionality is significant to forensics, as it could provide new
sources of evidence.

Since the Windows 7 Beta was released, this feature was talked about, also in forensics
community. Harlan Carvey said: “from a forensic perspective, this "Jump List" thing is just
going to be a gold mine for an analyst, much like RecentDocs and UserAssist keys have been
since Windows 2000” (CARVEY, Harlan, 2009).

Microsoft encourages developers to make use of these new functionalities in their software,
to further integrate application to the Operating System. The company provides them with
detailed documentation, video tutorials and walkthroughs on how to implement the new
taskbar functionality. However, as with other features, little is known about how the
features work or where data is being stored. After an extended research, on Microsoft
Developers Network the following was found:

In addition to updating its list of recent documents, the Shell adds a shortcut to the
user's Recent directory. The Windows 7 Taskbar uses that list and Recent directory to
populate the list of recent items in the Jump Lists. (YOCHAYK, 2009)

Therefore, it is clear that recent files displayed in Jump List are the same as in the
<username>\Recent directory. This data is simply duplicated, only presented in a more
approachable manner to the user.

Anytime you double click on a file type with a registered handler [application that
supports the file type], before Windows launches your application it automatically
calls SHAddToRecentDocs on your application's behalf. This inserts the item in the
Windows Recent list and eventually into the Jump List Recent Category. (YOCHAYK,
2009)

The above fragment explains mechanism in which items are added to the Windows Recent
list and the Recent folder, what forms a basis for the Jump List recent items.

In addition to the recent and frequent lists, developers can add their own customized item
list. This is the part that could make investigation of the Jump List worthwhile. Unless an
application uses customized item list, by default a Jump List would only contain items from

23
First Look at the Windows 7 Forensics Piotrek Smulikowski

the Recent directory. In such scenario, investigator can much easier navigate into the
directory to view links to recently accessed documents or location rather than trying to
find data artefacts in the system. However user can also ‘pin’ an item, in order to
permanently keep it in the Jump List, which would be recorded in jump list data store but
could
uld be removed from the Recent directory.

The Jump List feature is enabled by default, however user can disable it from the Control
Panel > Taskbar and Start Menu in the second tab called Start Menu as seen on Figure 8.
The first option records recent applications displayed in a start menu and the second
checkbox switches on or off the Jump List functionality. This is also the only way to clear
the list, user has to un-tick
tick the box and click apply, then if needed the function can be re-
re
enabled but with the emptied list. The pinned items remain in the list until being removed
by a user. Further customization can be done by clicking the Customize button, where user
can, among other things, add the recent items to the start menu like in previous versions of
Windows.

Figure 8.. Start Menu properties window, allows user to disable the Jump List and customize contents of the start
menu.

From the forensics


rensics standpoint this feature can indeed become a valuable source of
information, especially if suspect deleted contents of the <username>\Recent folder. Until
very recently it has not been known where the recent item data is stored. Although some
suggested
ted that it might be in registry stored on a per
per-application
application basis, however, there was
evidence that it was not the case (JODO3333, 2009).. This lack of information from
Microsoft has frustrated some of beta testers. Later, one of the users from the forum
suggested that the path to the files is:
C:\Users\<Username>\AppData\Roaming
Roaming\Microsoft\Windows\ Recent\automaticDestinations
utomaticDestinations,
this is in fact
act the correct path as it was unofficially confirmed by Microsoft in their
presentation for Law Enforcement only (MICROSOFT LAW ENFORCEMENT TECH TEAM,
2009).

24
First Look at the Windows 7 Forensics Piotrek Smulikowski

Automatic Destination folder contains files responsible for the recent items on a Jump List.
Every program that has items recorded in the list has its file stored in this directory. Files
names are in a format XXXXXXXXXXXXXXXX.automaticDesitnations-ms, where name is about 16
digit long and the extension is ‘automaticDestination-ms’. When the Jump List feature is
disabled, the contents of the folder are cleared. User can still perform tasks available for the
application, however, no recent files are stored. Files are binary and it is not easy to
understand the contents, especially as some of them can get large and complex. The default
number of the recent items stored is 10 but it can be changed by a user. The order in which
items are added to the list remains unclear. All files paths that are stored in the file, are part
of application’s Jump List. The Figure 9 shows sample content of the Automatic Destination
folder and clear text stored in the Jump List file, this particular file belongs to the Microsoft
Paint application. The contents of the binary file seem chaotic however, forensic examiner
should be able to determine the file paths recorded in the recent item list.

Figure 9. Contents of the Jump List recent items file viewed in hex editor. Path to recent 'cos.png' file is
highlighted in grey. This particular file, stores recent items list for Microsoft Paint.

Numerous tests on different machines revealed that a naming pattern seems to appear: the
file name represents specific application which is fixed. As an example the following file
1b4dd67f29cb1962.automaticDesitnations-ms is a store file for Windows Explorer.
Analogically some of the other common applications were identified as seen in the Table 4:

File name Application


1b4dd67f29cb1962. Windows Explorer
918e0ecb43d17e23. Notepad
74d7f43c1561dc1e. Windows Media Player
99189dc15d887da6. Windows Disc Image Burner

25
First Look at the Windows 7 Forensics Piotrek Smulikowski

adecfb853d77462a. Microsoft Word 2007


b3f13480c2785ae. Paint
5c450709f7ae4396. Firefox
9fda41b86ddcf1db. VLC player
23646679aaccfae0. Acrobat Reader 8.0
Table 4. File names and their respective application that store Jump List data

In order to identify the pattern the files in the AutomaticDestination folder were viewed in
a Hex editor and contents were compared against recent items in the Jump List. Once type
of a program was known it was cross checked with files on different computers. This kind
of naming model was present on the 3 tested machines. However, because no
documentation is available, it has not been possible to verify if the pattern is true for every
PC or installation.

When the Jump List feature is disabled, the contents of the folder are cleared. User can still
perform tasks available for the application, however, no recent files are stored. Additionally
it was noted that the Windows Explorer’s recent items list behaves slightly differently than
the rest. If user navigates to the e.g. readme.txt file and opens it, the handling application’s
Jump List is updated but so is the Windows Explorer’s list. However if a user navigates only
to the folder but does not open any files, the Jump List does not record the path. This is
presumably because, no file was open no target was selected and destination path was not
confirmed.

Microsoft has also identified another folder with files responsible for the Jump
List(MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009):

C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Recent\customDestinations

It stores files in similar format e.g. 74d7f43c1561dc1e.customDestinations. It is unclear what


exactly these files contain but it is believed that they allow applications to have their own,
custom ‘destinations’ or tasks. When examined files contain various tasks for instance
‘Start InPrivate Browsing’ just like Internet’s Explorer 8 task.
This theory goes in line with the Jump Lists (in development stage known as Destination
Lists) description given by Microsoft:

The Destination List is automatically populated based on frequency and recency of use
for file-based applications. Additionally, an application can define custom destinations,
enabling it to monitor its own destination usage and their semantics. Applications can
also define Tasks (actions within the application that users will find convenient to
access directly, for example, composing an e-mail) to appear in their menus. (OIAGA,
Marius, 2009)

26
First Look at the Windows 7 Forensics Piotrek Smulikowski

According to this extract Automatic Destinations folder is designed to store frequent and
recent items only, whereas the Custom Destinations folder holds applications specific
destinations or tasks.

As a result, forensic investigator should only be concerned with the AutomaticDestinations


directory as it records the user activity. As previously mentioned this can be successful
mainly if the user attempts to manually delete his Recent folder contents. In this case he
would only delete links stored in that directory, with the Destinations folders remaining
due to being hidden and protected by the OS.

27
First Look at the Windows 7 Forensics Piotrek Smulikowski

6. BitLocker
This section discusses the encryption software from Microsoft, bundled in, first Windows
Vista and now, Windows 7. The section is divided into two parts, Windows Vista BitLocker
and Windows 7 BitLocker, each of them providing details of identification and acquisition
of encrypted volume. Unlike the rest of this paper, this section talks about Vista
functionality with a purpose to highlight the subtle differences but also similarities
between the two. Because the core functionality of the Vista BitLocker remained the same
it would be impossible to discuss forensic analysis of the Windows 7 without providing
details of the previous version.

6.1.BitLocker in Windows Vista

6.1.1. Introduction
BitLocker Drive Encryption was first introduced to Windows Vista as an encryption feature
mainly for portable computers. It was designed to protect user’s data by encrypting the
whole volume making it practically impossible to decrypt without password or recovery
key. BitLocker was one of the most talked about security feature in Vista upon its release,
although it was only available in top end editions, Enterprise and Ultimate.

Due to the number of high profile cases, data loss is considered as a serious issue, in 2007
alone HM Revenue and Customs (HMRC) lost 25 million records, in 2008 National Health
Service (NHS) led the charts (585, 2009) (BBC NEWS, 2009). Taking this into account,
Microsoft targeted encryption feature to government and business users rather than main
stream consumers Because of the attention this feature drawn, it is documented
extensively by Microsoft, although not all details are exposed. In addition many
independent researches were undertaken involving BitLocker capability in Vista.

6.1.2. Authentication Methods


BitLocker can operate using five different authentication modes depending on hardware
specification or user’s preference.

 TPM only: volume encryption key in the microcontroller


 USB startup key: volume encryption key on the USB startup key
 TMP + USB startup key: volume encryption key in the microcontroller and USB
startup key

28
First Look at the Windows 7 Forensics Piotrek Smulikowski

 TPM + PIN: volume encryption key in the microcontroller + correct PIN is entered
 TPM + USB startup key + PIN: volume encryption key in the microcontroller and
USB startup key + correct PIN is entered

Microsoft developed the BitLocker to work with the Trusted Platform Module (TPM)
hardware chip (from version 1.2) build in to a computer’s motherboard. This method set
BitLocker apart from typical encryption solutions. The encryption keys are stored on a
protected volume and in a TPM chip. During system boot up process the integrity of the
Operating System and hardware is verified and on the successful completion of the check
the TPM microcontroller releases the encryption key to continue system boot up. If the
protected volume is removed from the original system and connected to other PC, it may be
impossible to access the data. Jesse Kornblum claims that: “Decrypting the data without the
keys stored in the TPM is infeasible” (KORNBLUM, Jesse, 2009).

However the TPM modules are not commonly used, even now, two years after the
BitLocker for Vista was released. Therefore Microsoft provided another options: to decrypt
volume by entering PIN number or by plugging in USB startup flash drive containing the
encryption key, combination of the two methods is also possible. The USB only method
does not have any hardware requirements therefore it can be used on any modern
computer. The key stored on USB flash drive is 124 byte long, hidden, read-only, binary file
with the name of the following format (GUID): xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.bek
where x is a hexadecimal digit(HARGREAVES, C and Chivers, H, 2007). Encryption method
supported by BitLocker is AES either 128 or 256 bit with Diffuser, by default BitLocker is
set to 128 bit with Elephant Diffuser enabled (FERGUSON, Niels, 2006). As many forensic
investigators know, it makes it practically impossible to crack with current computing
power. If, for any reason, all methods are unavailable to a user, it is possible to decrypt the
volume by entering 48 digit recovery key (using function keys), generated at the initial
setup. More details of authentication process are available at Microsoft’s documentation
(MICROSOFT TECHNET LLIBRARY, 2009).

Apart from the TPM capable motherboard BitLocker also requires System Volume partition
formatted with the NTFS file system. Its size in Vista is minimum 1.46 GB and its assigned
Drive Letter is S:. Partition is not encrypted and holds “files that are needed to load
Windows after BIOS has booted the platform” (MICROSOFT TECHNET LLIBRARY, 2009).

6.1.3. BitLocker Identification


When computer with BitLocker enabled is running, it is possible to identify the encrypted
volume, although Administrator rights are required for all of them (STEWART, Barrie,

29
First Look at the Windows 7 Forensics Piotrek Smulikowski

2007). It should be noted that initially investigator should check which edition of Vista is
run as only the Enterprise and Ultimate have the BitLocker capability. Additionally, if a
system does not have a 1,46 GB S: partition, the BitLocker could not be running on the
system due to its requirements.

The most recommended way to check the presence of the BitLocker is via the Command
Line Interface (CLI) using the manage-bde.wsf script.

 Using command line with administrative permissions navigate to


C:\Windows\System32\
 Run the following command: cscript manage-bde.wsf –status
 Information about each partition is displayed together with encryption and
authentication methods.

Alternative methods to identify encrypted volume include checking status in Control Panel
> BitLocker Drive Encryption or simply by viewing the Computer Management window
with disk Management Snap-in.

These methods are applicable in Live Response scenario where an investigator is at the
working and unlocked PC. However, in a case where the machine has been seized and is
examined in a forensic lab, investigators can view the BIOS Parameter Block (BPB) to
determine if the volume is encrypted with the BitLocker (HUNTER, Jamie, 2006). It is based
at the first 0x54 bytes of the first sector and can be recognized by the following values:

Offset Size Field Required Value for BitLocker


0x03 8 Signature ‘-‘,’F’,’V’,’E’,’-‘,’F’,’S’,’-‘
0x0B 2 BytesPerSector
0x0D 1 SectorsPerCluster One of 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40 or 0x80
0x0E 2 ReservedClusters 0x0000
0x10 1 FatCount 0x00
0x11 2 RootEntries 0x0000
0x13 2 Sectors 0x0000
0x16 2 SectorsPerFat 0x0000
0x20 4 LargeSectors 0x00000000
0x38 8 MetadataLcn
Table 5. Required Values for BitLocker stored in boot sector of an encrypted volume (HUNTER, Jamie, 2006)

The actual header of a boot sector of encrypted volume can be seen in Figure 10.
Highlighted in yellow is the file system signature: -FVE-FS. In depth information about the
identification of BitLocker is available from the (STEWART, Barrie, 2007, pp.22-24).

30
First Look at the Windows 7 Forensics Piotrek Smulikowski

Figure 10. BitLocker Encrypted volume header of a boot sector in Windows Vista viewed in Hex editor
(HARGREAVES, C and Chivers, H, 2007)

The identification of the encrypted volumes is essential, since it can potentially save the
whole examination. If during Live analysis examiner fail to recognise BitLocker and
switches off the machine without searching for a recovery key, on a next boot up, volume
will be locked and possibility for finding recovery key would be only possible if suspect had
a recovery key backed up on other seized media or written on some paper.

6.1.4. BitLocker Acquisition


Hargreaves and Chivers suggest that once encrypted volume has been identified,
investigators should always look for a recovery key (HARGREAVES, C and Chivers, H,
2007), which, as mentioned before, is generated at the initial setup. The file name is in
GUID format e.g.: CE6B4C60-8F3B-11DE-BE35-62A555D89593.txt and its contents are in plain
text. If, however, no keys are found, performing logical disk image of the encrypted volume
is possible. It allows to image data in decrypted form for further analysis. Although the
process is not forensically sound this could be the only successful method of capturing the
data.

The aforementioned BitLocker Command Line Interface enables investigators to manage


recovery keys (STEWART, Barrie, 2007). By typing the following command cscript manage-
bde.wsf –protectors –get C: -sek G:\ it is possible to export the recovery key for the
volume C: onto the USB drive G:. Additionally examiner can also attempt to duplicate the
recovery key via the Control Panel > BitLocker Drive Encryption > Manage BitLocker Keys.
Examiner can export keys, print them or reset them. If Active Directory is used by
organisation it can be configured to backup recovery keys, hence investigator should be
aware that system administrator might have access to backup recovery keys.

Renowned Computer Forensics and incident Response expert, Lance Mueller, posted a
quick tutorial on how to identify BitLocker running on a live system. The video shows how
to disable the BitLocker in order to “seize the hard drive and then later image and examine
the date without having the key protectors” (MUELLER, Lance, 2008). It can be disabled
with the following command: cscript manage-bde.wsf –protectors –disable C:

31
First Look at the Windows 7 Forensics Piotrek Smulikowski

6.2.BitLocker in Windows 7
BitLocker in Windows 7 has some minor differences in a way that it functions from
Windows Vista, however it has a new major feature introduced BitLocker To Go. This
section discusses changes that appeared since BitLocker for Vista.

6.2.1. Introduction
While BitLocker proved to be secure encryption solution for computers it did not stop Data
Loss breaking news. With the increase of popularity, cheap prices and high capacities USB
flash and portable drives created serious threat to data security. Ministry of Defence alone
admitted to loss of eighty seven USB sticks in 5 years, all of them contained classified data
(PAGE, Lewis, 2008). Windows 7 BitLocker addressed this problem by extending the
encryption to removable devices.

Microsoft accepted feedback from system administrators and even admitted that
deployment of the BitLocker Drive Encryption in Vista was “was more cumbersome than it
needed to be” (MICROSOFT TECHNET , 2009). Before, administrators had to repartition the
drive for the system volume to be loaded, which on a large scale can be lengthy and costly
process. Now, the system volume partition is created upon the Windows 7 installation
process.

In addition, Microsoft Developers granted greater control over the BitLocker to system
administrators by introducing Group Policies changes, Data Recovery Agents (DRA) and
other improvements to make deployment more efficient.

All these changes, although not big or revolutionary, can have great impact on popularity of
the Windows 7 BitLocker. Encryption of USB sticks can impact directly digital forensics as
until now investigators relatively rarely have to deal with encrypted flash drives. If
Microsoft’s solution will be easy, efficient and robust it might change the current situation.

6.2.2. BitLocker To Go
After BitLocker has been first introduced, it could only encrypt single Vista partition, with
the Vista Service Pack 1 (SP1) functionality was extended to fixed volumes - another
partitions. Now it includes removable storage devices. BitLocker To Go is the new feature
implemented in Windows 7 BitLocker allows encrypting portable flash or hard drives

32
First Look at the Windows 7 Forensics Piotrek Smulikowski

(FUNK, Troy, 2008).. Portable drives can be of either FAT, FAT32, exFAT or NTFS file
system.

Authentication methods are different than the OS volume encryption.

 Passphrase – complex PIN number combination, Group Policy allow controlling


complexity and length
 Smart Card – card stores strong key but Smart Card Reader required
 Automatic Unlocking – allows trusted PCs to remember passphrase and unlock USB
drive automatically

BitLocker To Go is highly integrated in Windows Environment making it quick and easy to


enable the feature. It could be managed straight from the Windows Explorer context menu;
user
er can simply right click on a drive to enable BitLocker, unlock drive or manage
authentication methods and keys. This feature can be used even if normal BitLocker is not
enabled. Tests have shown that if during Windows 7 installation user chooses not to create
c
System Reserved partition - required for BitLocker volume encryption – he can still use
portable drive encryption.

In enterprise environment Group Policy can be setup to force BitLocker To Go usage on any
USB connected drive. If user refuses, a driv
drive will be set to read-only
only mode, as can be seen
on Figure 11.

Figure 11.. Group Policy allow forcing users to encrypt USB sticks, (FUNK, Troy, 2008)

In order to support encrypted drives on older Windows Operating Systems, BitLocker to Go


Reader is automatically installed to every protected drive. It is a Windows Explorer – like
application that, after successful au
authentication,
thentication, allows files to be read from the encrypted
volume.

33
First Look at the Windows 7 Forensics Piotrek Smulikowski

Figure 12.. BitLocker To Go Reader window allows viewing files and exporting to local machine. Screenshot taken
from Windows Vista

Figure 12 presents the BitLocker To Go Reader window after authentication. Individual


files or folders can be exported to local machine. No write operation can be performed
though, it requires Windows 7 BitLocker.

6.2.3. BitLocker To Go Identification


As with the other types of BitLocker encryption there are several methods to determine
that USB stick is encrypted by this particular encryption application. Identification is
especially easy when a portable dri
drive
ve is connected to the Windows platform PC since the
lock icon is displayed against the drive in My Computer as seen on Figure 13.
13

Figure 13
13. BitLocker To Go encrypted portable drive.

However if, the drive is examined on other platforms the icon is not displayed. This was
tested on the Ubuntu 8.04 and Mac OS X 10.5. For alternative system, other means for
identification are available. When tthe
he drive is opened, characteristic files are visible:
BitLockerToGo.exe, , COV 0000.ER, Read Me.url , language files and multiple PAD XXXX.NG files.
Figure 14 shows the contents of the encrypted drive.

34
First Look at the Windows 7 Forensics Piotrek Smulikowski

Figure 14.. Contents of the BitLocker To Go encrypted portable drive. BitLockerToGo.exe file is clearly visible,
Screen shot taken from Windows Vista.

Please note that although


h drive this particular does not contain any data, it is filled with
encrypted data containers PAD XXXX.NG files with size 0 bytes and one big file COV 0000. ER
containing 98% of the volume size.

Alternative identification method is possible which is in


independent
dependent from the Operating
System. By looking at the binary data in Hex editor, examiner can determine whether the
volume is encrypted with BitLocker To Go.

FAT32
At first USB drive with FAT32 file system was used for experiments. Although there is no
clear
lear evidence of BitLocker in header there is a hint. OEM Name for the file system is set to
MSWIN4.1 which correctly identifies file system as FAT type, see Figure 15.. However, modern
Windows OS tend to name the FAT as MSDOS5.0, which could indicate that BitLocker might
be installed on a volume.

Figure 15.. FAT32 volume encrypted with BitLocker To Go. MSWIN4.1 OEM Nam is highlighted in yellow and
FAT32 file system highlighted in grey

35
First Look at the Windows 7 Forensics Piotrek Smulikowski

Once the encrypted volume is viewed in Hex, examiner can search for BitLocker signature:
‘-FVE-FS-’. In the experiment, when the search was performed multiple instances of the
signature were found and surprisingly the other information was detected as well. At the
0x88 offset from the signature, Computer name, Drive Letter and Date of the PC were
encryption was initiated were found as seen at the Figure 16.

Figure 16.. BitLocker signature found on BitLocker To Go encrypted volume - highlighted in yellow. Additionally
original Computer Name, Drive Letter and Date were also found - highlighted in grey.

Unfortunately it was not possible to verify whether this was standard for every setup
having only access to one Windows 7 Ultimate PC. However if it was the case it could prove
that the USB drive was connected to the specific PC and BitLocker To Go was enabled from
that PC at the particular time. It could also aid examiner in searching the Recovery Key for
the portable
ble drive by pointing him/her to the recorded PC

NTFS
Although the NTFS is not a recommended file system for USB flash drives, some might use
BitLocker To Go to encrypt portable USB hard drives where it is a default system. The file
system was tested in order
der to verify what kind evidence can be extracted and if findings
from the FAT32 are applicable to the NTFS formatted drive.

Figure 17. Header of NTFS drive encrypted with BitLocker To Go viewed in Hex editor. The BitLocker singature
sing -
FVE-FS- is at 0x03 offset - highlighted in yellow. Interestingly it is marked as FAT32 file system highlighted in
grey.

36
First Look at the Windows 7 Forensics Piotrek Smulikowski

Figure 17 presents the header of the NTFS drive which was encrypted with BitLocker To
Go. The BitLocker signature can be seen in yellow but surprisingly it is showing as the
FAT32 (in grey) volume. When n compared the Figure 15 and Figure 17 there are some
differences found in the
he structure of headers, though they follow similar fashion. Encrypted
NTFS volume has BitLocker signature as the OEM Name but is inappropriately marked as
FAT32, whereas encrypted FAT32 volume has MSWIN4.1 as OEM Name and the file system
is properly recognized
nized but there is no clear indication that the volume is encrypted.

Both encrypted file systems share an interesting characteristic of recording the Computers
Name, Drive Letter and Date of the encryption. NTFS drive was also searched for the
BitLocker signature -FVE-FS- and after some of the instances of the signature the details of
encryption were found as displayed on Figure 18.

Figure 18. BitLocker signature found on encrypted NTFS volume - highlighted in yellow. Computer name, Drive
letter and Date were also found - highlighted in grey

Additionally the encrypted NTFS volume was not recognised on a Windows Vista OS, it
prompted to formatt a drive. When the USB stick was connected to the Ubuntu 8.04
computer it was not mounted neither. The fsstat tool for viewing details of file systems
(CARRIER, Brian) also failed to determine the NTFS, although it handled encrypted volume
of FAT32 correctly. In contrast the aforementioned tools mmls and fdisk recognized it as the
NTFS.

6.2.4. BitLocker To Go Acquisition


Acquiring forensically sound image of the portable dev
device
ice seems to be an easy task. It is the
encryption that can create challenges. Taking physical image means that the contents will
be encrypted therefore data will be unreachable. As shown in previous section it is possible
to establish which PC was BitLock
BitLocker
er encryption enabled on. During the installation process

37
First Look at the Windows 7 Forensics Piotrek Smulikowski

user can either save recovery key on local machine or print it off. Unless paper with printed
recovery key can be located, it is most likely that the key is stored on the local computer.
The format of the recovery key file name changed slightly: BitLocker Recovery Key
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.txt. If user selected automatically unlock option it is
possible that once a USB drive is plugged into the trusted PC it can be instantly decrypted
allowing for logical imaging.

In a Live Response scenario where USB drive was found unlocked, examiner can simply
right click on a drive in ‘My Computer’ and select Manage BitLocker field to export recovery
key. However, investigator can also simply perform logical image of the decrypted drive.

Unlocking the drive with recovery key has become much easier since Windows Vista. Once
a window asking to enter the password pops up, user can click ‘Forgot my Password’ and
follow wizard and simply type in the recovery key.

6.2.5. BitLocker changes


BitLocker developers put an emphasis on the user experience in Windows 7 BitLocker, as a
result the initial setup process was simplified. System administrators can quickly enable
BitLocker on multiple machine and control settings with extended capability by Group
Policies. Home users can follow easy to use wizards to enable BitLocker without the hassle
of repartitioning the hard drive to accommodate the 1,5 GB System Volume. All these and
other improvements have made the whole process more user friendly and feature more
usable.

With Windows 7 BitLocker the System Volume partition, volume used by BitLocker to
verify integrity of the hardware and pre-startup authentication (MICROSOFT TECHNET,
2009) – it is created automatically during the initial setup, if user selected default settings.
If user performed custom installation and hard drive contained other partitions prior to
Windows 7 installation, System Volume partition will not be created. However if user opts
in to use BitLocker at the later stage partition will be automatically created during
BitLocker setup. Therefore a lot of burden was taken off the end user and it is now
embedded in the automated process. The partition is now being called System Reserved and
has no Drive Letter assigned, therefore cannot be accessed through the Windows Explorer
in order to avoid any accidental changes from being made. Additionally its size was limited
to 100MB, so more space is available for user’s data.

When Vista BitLocker was first launched, it only allowed to encrypt the Operating System
Volume (C:), which was extended to additional fixed volumes with the Vista Service Pack 1.
However in order to encrypt the Data drives the C: drive had to be encrypted as well. The

38
First Look at the Windows 7 Forensics Piotrek Smulikowski

Windows 7 BitLocker not only allows encrypting portable drives regardless if the
encryption is enabled on the Windows 7 volume but also the fixed volumes. As a result
examiner can find scenarios where Windows 7 drive is not encrypted but D: Data drive is.
In this case it can be assumed that suspect could be storing incriminating data on the
encrypted volume. It is important to remember about all the artefacts that the data on
encrypted partition left on Windows 7. Therefore investigator might be able to recover
history of files executed or viewed, thumbnails and more, since they are all stored on
Windows 7 partition. This is also true for removable drives and BitLocker To Go.

Enterprises using Windows 7 BitLocker will benefit from the Data Recovery Agents (DRA)
technology which is a new, certificate based key protector. The certificate contains public
key that is applied to any drive that is mounted across the organisation. Because it is stored
centrally, therefore an investigator can request from system administrators to decrypt
encrypted volume using the DRA. IT departments have now granular control thanks to
extended Group Policies.

BitLocker for Windows Vista could be manage using the Command Line Interface via
already discussed script and had to be run by cscript manage-bde.wsf command. The same
functionality is now provided by the manage-bde.exe executable placed in the same folder as
before: C:\Windows\System32\

The identification of the BitLocker encrypted volume has not changed since the previous
version. Similar can be said about acquisition process. According to Microsoft information
provided during a Presentation on BitLocker (FUNK, Troy, 2008) did not indicate any
changes in basic workings of BitLocker, therefore procedures that applied to Vista
BitLocker are still valid for Windows 7 BitLocker. Unfortunately this has not been
examined due to technical problems in the experiment lab.

6.3.Windows 7 BitLocker Conclusions


Developing team, responsible for the changes introduced in Windows 7 BitLocker, put
much effort in making it more accessible for not only administrators in large organisation
but also for end users. No doubt that data loss is an important issue and public awareness
increases. By employing encryption technologies like BitLocker many news headlines could
be avoided. Public’s data would not be disclosed to unauthorised people and businessmen
could be confident that their sensitive data is not disclosed to competitors by simple
human error.

As good as it sounds for governments and business use it creates number of challenges for
Computer Forensics. With the range or improvements the BitLocker is certainly more

39
First Look at the Windows 7 Forensics Piotrek Smulikowski

appealing to potential users, which in effect can mean increase in number of encrypted
volumes to analyze for digital forensic experts. It is true that since BitLocker functionality is
available only in most expensive Windows 7 editions, many normal home users will not be
able to encrypt their hard drives or USB drives. However it is likely that due to
improvements in user experience more people with Enterprise or Ultimate editions would
start using it.

Just before the release of the Windows Vista BitLocker, Andy Woodward wrote the paper
with the following title: ‘BitLocker - the end of digital forensics?’ (WOODWARD, Andre,
2006).He claimed that very few digital forensic examinations will involve BitLocker
encrypted volumes. Although it might have been true with Vista BitLocker, the
improvements in Windows 7 BitLocker can change the situation.

40
First Look at the Windows 7 Forensics Piotrek Smulikowski

7. Registry Analysis
This section is devoted to the Windows Registry. It examines the kind of information that is
stored and can be retrieved by examiner. Due to its complex structure, only fraction of the
registry was examined, it is by no means a complete list. In line with the main idea of this
paper to show what has changed with respect to the forensic analysis of Windows system,
it is focused on new sources of evidence. In addition some most common registry keys
were evaluated in order to verify their relevance in the new system.

7.1. Introduction
While for Windows Registry lies at the core of the Operating System, for a forensic analyst
it can be a goldmine of evidence. It stores settings and options for the whole system,
therefore it can deliver large amount of forensically valuable information. Since its first
appearance in Windows 3.1 it has grown into extremely complex data structure. Although
there is no documentation from Microsoft, there are plenty of resources about forensic
analysis of the registry. In fact it is so important artefact that Harlan Carvey considers
writting a book about forensic analysis of the Windows Registry (CARVEY, Harlan, 2009).
In depth analysis of the Registry, lies far beyond scope of this research, which is focused on
the discovery of new and evaluation of already known sources of evidence.

During the research three methods of information gathering were employed. Firstly, paper
called “A Windows Registry Quick Reference” by Derrick J. Farmer(FARMER, Derrick, 2007)
was reviewed and a form a basis of the research. While the reference was based on the
Windows XP, registry keys presented by the author were verified against the Windows 7
registry in order to show any differences. Secondly the RegRipper software (CARVEY,
Harlan and Shavers, Brett, 2009) was run against registry hive files from the test Windows
7 PC. The application is designed to automatically extract information stored within
registry files. If output from the software was flagged ‘not found’, it flagged a difference in
registry structure and contents. Thirdly, registry was browsed in order to identify new
possible sources of evidence.

The Table 6 presents popularly used naming conventions applied in this paper.

Short Name Full Name


HKCR HKEY-_CLASS_ROOT
HKCU HKEY_CURRENT_USER
HKLM HKEY_LOCAL_MACHINE
HKU HKEY_USERS
HKCC HKEY_CURRENT_CONFIG
Table 6. Short naming convention for root hives

41
First Look at the Windows 7 Forensics Piotrek Smulikowski

Although the Registry viewed by standard Registry Editor (regedit.exe) appears to be a


single database, it is in fact highly integrated collection of files. The Table 7 lists files
responsible for registry hives. Please note that Windows 7 and Vista include additional files
(CARVEY, Harlan, 2009, p.161), marked with the * sign.

Registry Hive File Path


HKLM\System C:\Windows\System32\config\SYSTEM
HKLM\SAM C:\Windows\System32\config\SAM
HKLM\Security C:\Windows\System32\config\SECURITY
HKLM\Software C:\Windows\System32\config\SOFTWARE
HKU\User SID C:\Users\<username>\NTUSER.DAT
HKU\Default C:\Windows\System32\config\DEFAULT
HKLM\Components* C:\Windows\System32\config\COMPONENTS
Usrclass.dat* C:\Users\<username>\AppData\Local\Microsoft\
Windows\usrclass.dat
Table 7. Registry paths and corresponding files

7.2.Registry locations
This part considers various registry key locations which could possibly be a source of
forensic evidence. Due to a large amount of different locations, this section is technical and
for reference mostly.

7.2.1. Time Information


Establishing the time of the Operating System is crucial to a computer forensic
investigation. Examiner should be able to establish precisely when particular event
happened. Windows 7 follows the fashion set by previous Windows systems.

Time Zone Information


Registry key holding information about the system time. Most important values are ActiveTimeBias,
Bias, DaylightBias, StandardBias.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\

Using those values examiner can calculate different times necessary for his investigation.
Formulas(FARMER, Derrick, 2007) are following:

 UTC = Local Time + ActiveTimeBias


 Local Time = UTC – ActiveTimeBias

42
First Look at the Windows 7 Forensics Piotrek Smulikowski

 Standard Time = Bias + StandardBias


 Daylight Time = Bias + DaylightBias

Time is represented minutes, therefore decimal value is a number of minutes(MICROSOFT


MSDN LIBRARY, 2009).

In addition to establishing the system’s time, Registry can provide examiner with LastWrite
time for a particular key. Although the time stamp for each value is not recorded it can still
be very helpful to know then the key was changed, especially in a case where a registry key
has single value. In addition the time stamp from the registry key can be compared against
other time stamps existing on a system.

The LastWrite value can be obtained with multiple tools like e.g. RegRipper, however at
Live response scenario it might be possible to export the whole registry to text file. The
benefit of that are keys having LastWrite values shown for every key but also that the
keyword search through text file is instantaneous. However, with time since OS installation
the registry can gain in size enormously.

Moreover, as with Vista, the Windows 7 does not automatically record Last Access time on
NTFS volume. Microsoft by default disabled the update to reduce performance overhead,
which in turn caused examiners to loose very important source of evidence. The value
accountable for that setting is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem>NtfsDisableLastAcces
Update

7.2.2. Most Recently Used


Most Recently Used files commonly known as MRUs, store details of recently used objects.
This list was adopted from the Registry reference document (FARMER, Derrick, 2007) and
it was compared against registry keys available in Windows 7. Please note that if certain
functionality was not enabled some keys may be not available.

Content Windows XP Windows 7

Search Files Software\Microsoft\Search HKCU\Software\Microsoft\Windows


Assistant\ACMru\5603 \CurrentVersion\Explorer\WordWh
eelQuery
Internet Search Software\Microsoft\Search N/A
Assistant Assistant\ACMru\5001
Printers, Software\Microsoft\Search N/A
Computers and Assistant\ACMru\5647
People

43
First Look at the Windows 7 Forensics Piotrek Smulikowski

Pictures, music, Software\Microsoft\Search N/A


and videos Assistant\ACMru\5604
XP Start Menu - Software\Microsoft\Windows\CurrentVer The same as in XP
Recent sion\Explorer\RecentDocs
R. Desktop - Software\Microsoft\Terminal Server N/A
Connect Client\Default [MRUnumber]
Run dialog box Software\Microsoft\Windows\CurrentVer The same as in XP
sion\Explorer\RunMRU
Regedit - Last Software\Microsoft\Windows\CurrentVer The same as in XP
accessed key sion\Applets\Regedit
Regedit - Software\Microsoft\Windows\CurrentVer The same as in XP
Favorites sion\Applets\Regedit\Favorites
MSPaint - Software\Microsoft\Windows\CurrentVer The same as in XP
Recent Files sion\Applets\Paint\Recent File List
Mapped Software\Microsoft\Windows\CurrentVer N/A
Network Drives sion\Explorer\Map Network Drive MRU
Computer Software\Microsoft\Windows\CurrentVer HomeGroup:
searched via sion\Explorer\FindComputerMRU HKLM\SOFTWARE\Microsoft\Windows
Windows \CurrentVersion\HomeGroup\HME\M
Explorer embers
WordPad - Software\Microsoft\Windows\CurrentVer The same as in XP
Recent Files sion\Applets\Wordpad\Recent File List
Common Dialog Software\Microsoft\Windows\CurrentVer The same as in XP
- Open sion\Explorer\ComDlg32\LastVisitedMRU
Common Dialog Software\Microsoft\Windows\CurrentVer The same as in XP
- Save As sion\Explorer\ComDlg32\OpenSaveMRU
WMP XP - Software\Microsoft\MediaPlayer\Player HKCU\Software\Microsoft\MediaPl
Recent Files \RecentFileList ayer\Preferences>
Last_Location_26
WMP XP - Software\Microsoft\MediaPlayer\Player N/A
Recent URLs \RecentURLList
OE6 Stationery Identities\{CLSID}\Software\Microsoft N/A
\Outlook Express\5.0\Recent
list 1 - New Mail
Stationery List
* No Outlook
OE 6 Stationery Identities\{CLSID}\Software\Microsoft N/A
\Outlook Express\5.0\Recent
list 2 - New
Stationery Wide List
* No Outlook
Mail
PowerPoint - Software\Microsoft\Office\10.0\PowerP HKCU\Software\Microsoft\Office\
Recent Files oint\Recent File List 12.0\PowerPoint\File MRU
Access - Software\Microsoft\Office\10.0\Common HKCU\Software\Microsoft\Office\
Filename MRU \Open Find\Microsoft 12.0\Access\Settings
Access\Settings\File New
Database\File Name MRU
FrontPage - Software\Microsoft\FrontPage\Explorer HKCU\Software\Microsoft\Office\
Recent lists \FrontPage Explorer\Recent File List 12.0\FrontPage\File MRU
Excel - Recent Software\Microsoft\Office\10.0\Excel\ HKCU\Software\Microsoft\Office\
Files Recent Files 12.0\Excel\File MRU
Word - Recent Software\Microsoft\Office\10.0\Word\D HKCU\Software\Microsoft\Office\
Files ata 12.0\Word\File MRU
Win Explorer N\A HKCU\Software\Microsoft\Windows
Typed Paths \CurrentVersion\Explorer\TypedP
aths

44
First Look at the Windows 7 Forensics Piotrek Smulikowski

Table 8. Differences and similarities in registry key locations between Windows XP and Windows Vista.

7.2.3. UserAsisst
This particular registry key is known among examiners as a potentially rich source of
evidence. It was used since Windows 2000 and it is still used in Windows 7. Operating
System uses it to record “objects that user has accessed on the system such as Control
Panel applets, shortcut files, programs, documents, media, etc.”(FARMER, Derrick, 2007).
Unlike the Prefetch, it stores that information not system wide but on a per-user basis.

As already mentioned in the

45
First Look at the Windows 7 Forensics Piotrek Smulikowski

Background Research section the Beta version of Windows 7 had keys obfuscated in
Vigenère cipher unlike all previous versions of Windows. However, when the RC and final
version was examined it became apparent that the ROT-13 or Caesarean cipher was used
again. This simple cipher is based on a rule that each letter is replaced by the letter 13
spaces away from it in alphabet or in this case ASCII table. For example K:\uryvk.rkr
translates into X:\helix.exe. By recommendation from the Windows Registry Quick
Reference (FARMER, Derrick, 2007) the web based translation script (EDOCEO, 2009) was
used to quickly decode the file names.

The UserAssist values can be found at:


HKEY_CURRENT_USER\Software\Microsoft\Windows\Explorer\UserAssist\{GUID}\Count. By
default there are two GUID keys in User Assist. Carvey suggested checking the GUID in
HKCR\CLSID\ (CARVEY, Harlan, 2007, p.168). Although the method was successful in
previous Windows versions, it did not provide any results. In fact, the whole registry was
searched without success. It is however safe to assume that behind both GUID are
Operating System applications responsible for interaction with the system Shell.

When RegRipper software was run against the Windows 7 RTM NTUSER.DAT file, no
UserAssist keys were retrieved. The registry was manually examined and it became clear
why the application did not extract any information. The data field is 72 bytes long as
opposed to 16 bytes as in Vista and its predecessors. Due to the lack of documentation
about new data structure it was necessary to analyse and understand its contents and
behaviour. Derrick J. Farmer (FARMER, Derrick, 2007) explained the structure of the
previous format, where the fifth byte (offset 0x05) was a counter of how many times the
application was run, however the counter starting value is 5. The last 8 bytes compose time
stamp of a last access. In his book Harlan Carvey adds (CARVEY, Harlan, 2007) that the data
is divided into DWORD – 4 bytes.

In order to examine behaviour of the new format, new application has been downloaded
and executed for the first time – registry value for the applications was created. Application
was then closed and the data for that value was recorded and compared with subsequent
reiteration of the process. After multiple attempts it was possible to identify which bytes
recorded the counter number and the time stamp. With more data to be examined it was
difficult to establish which was recording what. Eventually it appeared that the 5th byte still
is a counter number but the starting value is 00. The timestamp is the 60th - 68th byte (15 -
17 DWORD). The Figure 19 presents the binary data for specific program where the count
number is highlighted in yellow and time stamp in blue.

46
First Look at the Windows 7 Forensics Piotrek Smulikowski

Figure 19. Image shows binary data for the example UserAssist value. Underlined in red iiss the obfuscated
program path, in green is the decoded path. Highlighted in yellow is the counter number and in blue is the time
stamp in Hex.

The time stamp is in hexadecimal fo


format; by using software like DCode (DIGITAL
DETECTIVE GROUP LTD, 2009) it is possible to decode time stamp into human readable
form. Figure 20 shows the time stamp for the application run in the above example
(highlighted in yellow) and the converted date in bold.

Figure 20.. Output from Date/Time converting application DCode. Highlighted in yellow is the time stamp from
above example (see previous figure)

7.2.4. Autoruns
Applications automatically loaded on a system startup are recorded in various registry
keys. It can be important to establish if any malicious software was running on a suspect

47
First Look at the Windows 7 Forensics Piotrek Smulikowski

PC. Sysinternals Autoruns (SYSINTERNALS, 2009) application can easily provide all that
information.

Windows XP Windows 7
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce The same as XP
HKLM\Software\Microsoft\Windows\CurrentVersion\policies N/A
\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run The same as XP
HKCU\Software\Microsoft\Windows NT\CurrentVersion N/A
\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run The same as XP
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce The same as XP
<username>\Start Menu\Programs\Startup <username>\AppData\Roaming\Mi
crosoft\Windows\Start
Menu\Programs

7.2.5. Network information


Windows records the wireless networks connected to the host PC. It stores a profile of the
network its SSID identification name together with some more details, such as creation
date, last connected and gateway MAC address. Depending on the context, this information
can be highly important to the forensic investigation. In Windows XP the Zero
Configuration Service was used however the Vista and Windows 7 manages networks
differently.

The time stamp is in unusual format: d9 07 08 00 03 00 13 00 01 00 39 00 02 00 14 02,


where each 2 bytes form little endian value. The decoding technique is following:

Year = d907 > 07d9 = 2009


Month = 0800 > 0008 = August {Jan = 1, Feb = 2...}
Weekday = 0300 > 0003 = Tuesday {Sunday = 1, Monday =2...}
Day = 1300 > 0013 = 19
Hour = 0100 > 0001 = 1 am
Minutes = 3900 > 0039 = 57
Seconds = 0200 > 0002 = 02

The complete decoded time stamp is: Tuesday, 19 August 2009 01:57:02

This method was posted on Mark McKinnon’s blog (MCKINNON, Mark, 2009).

Wireless Network information


Records profiles of previously connected Wireless Networks. First key stores timestamps and SSID,
second key stores Gateway’s details: MAC address, SSID name.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

48
First Look at the Windows 7 Forensics Piotrek Smulikowski

NT\CurrentVersion\NetworkList\Profiles\{GUID}\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\NetworkList\Signatures\

Additionally, details of individual connections are recorded, IP address, DHCP server and
more. The time stamp is stored in big endian Unix 32 bit hex value, DCode can be used to
translate the value.

Network Connection information


Records details of the connection, IP address DHCP server information, domain, time stamps etc.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\
Parameters\Interfaces\{GUID}

7.2.6. Mounted Devices


NTFS devices that are mounted to the Windows System are recorded together with a letter
assigned to them. The binary data for the values \DosDevices\x: can be used to identify the
specific devices.

Mounted Devices
Lists previously connected drives.
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

7.2.7. USB Device Information


When user connects removable device, Windows records details of that device in registry
and file system. The process of gathering all information has changed since Windows XP
but is the same as on Vista. Couple of steps are required to retrieve all tracks:

1. Write Down Vendor, Product, Version


HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR Disk&Ven_SanDisk&Prod_Cruzer&Rev_7.01

2. Write Down Serial Numbers

49
First Look at the Windows 7 Forensics Piotrek Smulikowski

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\D 0877500A0302335E&0\
isk&Ven_###&Prod_####&Rev###\

3. Determine Drive Letter Device Mapped To


HKLM\SOFTWARE\Microsoft\Windows Portable G: PortableApps
Devices\Devices > FriendlyName

Look for Serial Number or Vendor and Product

4. Write Down Volume GUIDs


HKLM\SYSTEM\MountedDevices \??\Volume{c76d273c-8e40-11de-9db3-
001a6b41face}
Look for Serial Number or Vendor and Product

5. Find User That Used The Specific USB Device


NTUSER.DAT HKU\Software\Microsoft\Windows\ User1
CurrentVersion\Explorer\MountPoints2

Search for Device GUID

6. Determine Last Time Device Connected – check Last Write for a key
HKLM\SYSTEM\CurrentControlSet\Control\Device Last Write Time: 26/08/2009 - 13:31
Classes\{53f56307-b6bf-11d0-94f2-
00a0c91efb8b}

Look for Serial Number or Vendor and Product

7. Discover First Time Device Connected


C:\Windows\inf\setupapi.log >>> [Device Install (Hardware initiated) -
USB\VID_0781&PID_5151\0877500A0302335E]
>>> Section start 2009/08/21 11:56:08.045
Perform search for Serial Number ...

Table 9. USB Information gathering process. Adapted from (SANS FORENSICS BLOG, 2009)

Please note that not every USB device has its own Serial Number.

7.2.8. Internet Explorer


Internet Explorer is highly integrated into the Windows OS and therefore into the Registry.
Although the current 8th version differs a lot in its capabilities, the information stored in
registry reminds older versions. It is ruled by compatibility issues, and the new features are
only added to an already existing structure. Internet Explorer information is stored
primarily in two registry keys.

Internet Explorer

50
First Look at the Windows 7 Forensics Piotrek Smulikowski

Registry keys store information used by Internet Explorer 8. First Key holds data about History,
Cache or Cookies. Second Key keeps data about e.g. Suggested Sites but one of the most important
keys is the TypedURLs, which records URLs that user typed in. Additionally the path to download
folder is stored in a root of this key
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\

HKCU\Software\Microsoft\Internet Explorer\

Internet Explorer can store data entered into username and password fields if user agrees
to use the feature. IE7 and IE8 uses different method of storing credentials data, passwords
are encrypted with the URL of the page that the password was entered. Therefore if URL
still exists in history, it might be possible to decode the data.

AutoComplete Passwords
Stores usernames and passwords remembered by the Internet Explorer, respectively Storage1 and
Storage2
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage1\

HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\

51
First Look at the Windows 7 Forensics Piotrek Smulikowski

8. Miscellaneous Features and Changes

8.1. Location and Sensors API


Microsoft has introduced native support for sensor devices which allows different sensors
to be used without the need for any third party software, due to a standardized Application
Programming Interface (API). Sensors supported include devices like for instance Light
Sensor, Accelerometers 3D or even Human Proximity Sensor.

In addition, the platform allows for Location sensors such as Global Positioning System
(GPS) to be used. Software based solution can also be applied, therefore applications like
“IP resolver that provides location information based on an Internet address, a cellular
phone tower triangulation that determines location based on nearby towers, or a Wi-Fi
network location provider that reads location information from the connected wireless
network hub” (MICROSOFT MSDN, 2009). The types of sensors used depend on hardware
or software availability. Also this feature is limited to Home Premium, Professional and
Ultimate. The feature is enabled by default but can be disabled by user via the Control
Panel.

This functionality could be of a special interest to forensic investigators because it could


provide them with the exact location of a computer and its user at a specific time. Since
analysis of the information goes beyond computer or online activity it could be of extreme
value to the investigation. Investigators could potentially get actual location of a criminal
from his end, rather than trying to track him down from their end by usage of IP address
tracing. This method could help to counter anti-forensics techniques like usage of TOR
networks to obscure IP address location (TOR PROJECT INC, 2009). Law enforcement
agencies would not have to go through lengthy and troublesome procedures of Regulation
of Investigatory Powers Act 2000 (RIPA) requests from Internet Service Providers (ISP).

Actual applications that would use the location data would be mostly third party, as
currently the only Windows native application using the data is a Weather widget. As a
result 3rd party developers decide on how their data that is stored and this is likely to vary
between applications. According to documentation (MICROSOFT MSDN, 2009), a user is
warned every time that the new program tries to access the location data.

Data artefacts left behind on a system are unclear, since it was impossible to test the
feature without an appropriate hardware device or software. According to Microsoft
Developers Network (MSDN) reference, the API provides software with two means of
retrieving location from the sensor; one is by usage of C++ or second by scripting languages
(MICROSOFT MSDN, 2009). Methods would call a system function to get the location and

52
First Look at the Windows 7 Forensics Piotrek Smulikowski

that could be used by application or e.g. online script. The documentation does not state if
the data is stored anywhere on a system in local files.

The Event Viewer keeps a log (Event Viewer > Custom Views > Location Activity) of all
applications trying to access the location data. It is very unlikely that the actual location is
stored in this log. However, theoretically if an application, that sends a request for the data,
records this fact then it might be possible to tie this information with the request stored in
a log. According to the MSDN not every request is stored but only the first successful and
any failed requests are logged until application restarts (MICROSOFT MSDN , 2009).
Depending on the scenario this information might be enough to retrieve the location.

This particular source of evidence also has flaws because the key limitation is the
requirement for the criminal to have a hardware or software sensor and associated
connectivity. Taking a GPS receiver as an example, a good signal reception to at least three
GPS satellites is required to determine the location. As a result it means that the criminal
would need to have hardware capable of running Windows 7 in a correct edition, therefore
a laptop, excluding Netbook category, with a GPS receiver. The criminal would also need to
be outdoors or at least in the environment with clear sky view for a receiver to find a ‘fix’ –
signal. Considering that GPS adapters, either USB or Bluetooth, are rarely used it becomes
clear that this potential evidence has many limitations.

There are however other scenarios were this source could really contribute evidence to
investigation. The mobile network has the potential to be the most feasible solution, due to
its growing popularity. Therefore, if a criminal had a laptop connected to the internet via a
USB broadband dongle his approximate location could be logged by the Localisation
platform.

Another case would be if a criminal used a laptop on a local Wireless network as it would
be possible for his location to be identified by locating the Wi-Fi network. This type of
localisation is being developed as an alternative to GPS system for indoor or metropolitan
environments, where buildings block the satellite signals (YU-CHUNG CHENG, Yatin
Chawathe, John Krumm, 2005). Although this is still not a common solution it creates an
opportunity.

The last example application could be in a case of a ‘grooming’ investigation where the
undercover investigator is in contact with a criminal. Even if the criminal did not have
location sensors, the investigator could send a Trojan that had hidden within, for example a
picture, that would retrieve the location data like IP address or other information and send
back to the investigators. Although the success of such method would depend on many

53
First Look at the Windows 7 Forensics Piotrek Smulikowski

aspects such as the security setup of the criminal’s PC, the opportunity for exploitation of
this feature exists.

8.2. exFAT / FAT64


The extended File Allocation Table (exFAT) is the new file system designed for high
capacity portable flash drives. Unlike some early speculations it is not a replacement for the
NTFS file system. First included in Windows Vista Service Pack 1 and Windows Embedded
CE 6.0 and now supported by the Windows 7. Main advantages of exFAT over FAT32 are
increased file size support from 232 to 264 bytes, large capacity drive support (32GB +) and
lower performance overheads(DAVAK, 2008). It is better suited to flash drives than NTFS
because it does not have a journal system and therefore preserves the longevity of the
drive since no single location is being constantly overwritten. However, it comes at the cost
of reliability of the file system.

The main drawback of the system is the lack of support from older systems or other
platforms which reduces the portability of the exFAT drive. Microsoft has released an
optional update for XP users available from the Windows Update website (MICROSOFT,
2009). However, since it is a proprietary file system, other platforms are disadvantaged
and it will require time until such support becomes widespread. The file system is a default
for SDXC cards - the newest large capacity SD cards with 32+ GB of storage (SD
ASSOCIATION, 2008).

8.2.1. exFAT Identification


From the forensic perspective it is important to note that exFAT supports UTC time rather
than a Local time when recording time stamps. The file system signature – OEM Name
‘EXFAT’ can be found in the 0x03 Byte offset, as shown on Figure 21:

Figure 21. exFAT partition signature 'EXFAT'

54
First Look at the Windows 7 Forensics Piotrek Smulikowski

Some tools like for example UNIX based fdisk do not recognise the partition type and
identify it as NTFS partition as seen in Figure 22.

Figure 22. fdisk recognizes exFAT as NTFS with partition id=7

Analogically, the Brian Carrier’s mmls tool for viewing partition tables (CARRIER, Brian)
recognizes it as the NTFS partition, see Figure 23.

Figure 23. Output from mmls tool, exFAT is recognised as NTFS

8.3.Partition Table
By default, during the Windows 7 installation process two partitions are created: Backup
and Windows volume. First is a hidden letter-less partition called System_Reserved, which
is used for backup purposes but also BitLocker if enabled. Its size is 100MB, which was
reduced from the 200MB in Windows 7 Beta version. Users cannot access it via the
Windows Explorer because it has no drive letter assigned to it, therefore it is not even
displayed. It is done on purpose to avoid curious users changing important files, which was
common for Vista’s 1.5GB partition. BitLocker uses this partition to store boot information
that is executed during the authentication process. It is however possible not to create the
partition, if user installs the Windows 7 on a drive where other partitions already exist,
volume is not created.

Second partition is a C: drive system volume with the Windows 7 OS. Possibly due to the
size of modern hard drives, Microsoft decided not to give an option to format with any
other file system than NTFS. As a result it is standard file system on all Windows 7 volume.

55
First Look at the Windows 7 Forensics Piotrek Smulikowski

The fdisk tool shows two partitions being recognized as NTFS, their start and ending
points, see Figure 24.

Figure 24. fdisk recognized two partition as NTFS

The mmls tool (CARRIER, Brian) outputs the physical location of the two partitions, first one
being the System Reserved and the second Windows 7 volume. It also confirms that both
are formatted with the NTFS, (see Figure 25).

Figure 25. mmls tool displays the details and locations of the two partitions.

The fsstat tool (CARRIER, Brian) was used to view details of each partition which can be
seen on Figure 26.

56
First Look at the Windows 7 Forensics Piotrek Smulikowski

Figure 26. The output from the fsstat tool with details of the System Reserved (left) and Windows 7 partitions
(right).

The fsstat tool was developed as part of the Sleuth Kit (CARRIER, Brian, 2009) by Brian
Carrier years before Windows 7 release, this possibly why it recognizes volumes as the
Windows XP.

As with the Windows Vista, the Volume Boot Record is still located in the 2048 sector of the
hard drive.

Forensic analysts should be familiar with the Windows 7 partition setup for obvious
reasons. Examination of the structure of the hard drive plays crucial part in the digital
investigation.

8.4.XP mode
Although Windows 7 has had few major compatibility problems reported it is still a big
improvement comparing to its predecessor Widows Vista. This was confirmed throughout
the whole research, where it worked faultlessly on many different hardware and software
setups. However, Microsoft wanting to avoid the situation from early 2007 incorporated
the Windows XP Mode to the new OS.

57
First Look at the Windows 7 Forensics Piotrek Smulikowski

It is designed to overcome any possible incompatibility issues by running virtualized


windows XP Operating System. The XP is highly embedded into the Windows 7, offering
seamless operation (MICROSOFT VIRTUALISATION TEAM, 2009), however as with any
virtualized system there is a performance overhead. The feature is primarily designed for
Enterprises where support for legacy software is required but everyday users can also
benefit from it.

It comprises of the Microsoft Virtual PC and Windows XP SP3, unclear if Home or


Professional edition, free to download for Windows 7 Professional, Enterprise and Ultimate
owners. Compatible hardware is still required; processor needs to support either Intel’s
Virtualisation Technology or AMD-V, which can be verified by free tool SecurAble (GIBSON,
Steve, 2008).

Unfortunately, due to the lack of supported hardware available for this research, the
feature could not be examined for forensic artefacts. It is believed that it could potentially
create new sources of evidence.

8.5.Mix
Unlike its predecessors Windows 7 is not shipped with embedded email client. Windows
XP included the Outlook Express as a default client and Vista came with the Email client,
however, Microsoft decided to exclude the functionality from the newest system. Instead
Windows Live Essentials package includes the Mail – new email client and other
applications such as Messenger or Photo Gallery. Because it is not built into the system it is
not included in this research, although it certainly carries significant footprint on forensics.

If examiners would decide to use the Windows 7 as the forensic platform, it is important to
note that, as in Windows Vista, all forensic applications and tool should be run ‘As
Administrator’ in order to avoid program malfunctions. This is due to the User Account
Control (UAC) privilege limitations.

58
First Look at the Windows 7 Forensics Piotrek Smulikowski

9. Methodology
Various different research methodologies were used throughout the research. The choice
of a method depended on the examined feature. Due to a variety of different aspects of
Windows 7 every feature discussed was independent and differed from another. Therefore,
it posed a challenge to approach the problem in a best possible manner.

During a Background Research a lot of time was devoted for gathering information
available about the topic. Due to the novelty of the research area there was very few
sources of information. As a result, literature review in a strict sense was very limited,
because there is no literature about the Windows 7 forensics. No books or even research
papers were published up to or during the writing of the research, at least to the best of
author’s knowledge. This lack of information about the particular subject reinforced the
novelty factor of this research.

The only available sources of information were online resources. Some examiners shared
their initial experiences of the new system on their blogs or forums. However, they either
failed to go in detail or focused on very specific aspects only. Although these were
incomplete and sparse pieces of information, they did help, especially in identifying
possible sources of forensic evidence.

At this stage it was believed that it could be highly beneficial to get the information from
the source. However Microsoft is a giant enterprise and it seemed nearly impossible to get
their attention. After long research it was discovered that Chris Ard, an Investigative
Consultant with Microsoft’s Law Enforcement Support Team, was scheduled to deliver a
presentation (ARD, Chris, 2009) on forensic aspects of Windows 7 on a Crimes Against
Children Conference in Dallas, USA. Email contact was initiated and Chris agreed to shed
some light on the new Windows forensics. Because it was still a month before conference,
he did not have facts confirmed through detailed analysis. However, he was kind enough to
share his findings about possible sources of evidence. Interestingly Chris Ard said “there
isn’t any guidance from the product development team regarding the changes that affect
forensic investigations” even for Microsoft’s own forensic team. This Microsoft’s ‘every man
for himself’ approach only stressed the importance of this research, to share the findings
with the community. Findings from Chris Ard were very helpful and together with other
known information it formed a basis for the research. Identification of the potential sources
of forensic evidence was considered a key factor of research success. However, it was
believed that new sources of evidence would be found during the analysis process as
having the basic structure was crucial.

As mentioned before, the documentation of Windows 7 is very limited, both by Microsoft


and forensic community. The purpose of this paper is to focus on impact that the Windows

59
First Look at the Windows 7 Forensics Piotrek Smulikowski

7 has on forensic examinations and not the Vista. It was then necessary to learn the impact
that Vista had on forensic analysis in order to help identifying new features in comparison
to its predecessors. In addition studying multiple papers on this subject helped to find the
balance between technical and theoretical approach. Also, how to create competent
document focused on forensic examiners.

Once the potential sources were identified, the examination of individual aspects started.
Due to the great variety of the features and their scope, it was impossible to employ a single
methodology. Therefore each of them had to be approached individually with research
methods tailored to its characteristics. However, in order to ensure the overall quality of
examination, general modus operandi model was adopted. If a feature in question was a
newly introduced it was researched in depth to gain thorough understanding of its
operation; if possible it was practically examined and eventually forensic conclusions were
drown and if needed the process would reiterate until satisfying conclusions could be
drawn. Not all features created new sources of evidence, therefore if no findings were
discovered, it was concluded that there is no impact on forensic analysis process. If,
however new sources were found, significant effort was inputted to document new
artefacts. Some of them were successfully analyzed and produced comprehensive results,
whereas others still require a more in depth research, possibly an extensive and dedicated
future study.

When Internet Explorer 8 was examined in search for potential forensic evidence, at first it
appeared that few changes would have little effect on the forensics. However as the
research progressed, more interesting aspects were discovered. At the beginning it was
approached by analysing new features introduced into the IE8 with the purpose to
recognise if it could potentially create new artefacts, data files. Next, the functionality of
features was analysed for the same purpose. At the end if any data files were found, they
were examined to produce detailed documentation. Although in some cases structures
were so complex that comprehensive documentation would require lengthy in depth study
for example the session recovery files. As with other sections the feature was reviewed
from the forensic perspective in order to identify its impact.

Another section that required highly tailored approach was the BitLocker. Because of the
complexity of BitLocker and its potentially high impact onto the forensic analysis, it was
decided to first study the BitLocker for Windows Vista and then to discuss the Windows 7
BitLocker. This approach was believed to addresses the fact that the new version is more of
an evolution from its predecessor rather than a complete replacement. To discuss the
Windows 7 BitLocker alone would leave reader clueless about the functionality that it
shares with its predecessor and effectively render incomplete examination.

60
First Look at the Windows 7 Forensics Piotrek Smulikowski

The Registry section also required separate consideration. Because of the technical nature,
it was bound to consist of mainly registry key locations. Some additional comments were
made to clarify to a reader what each key contains and why it is important to an
examination. Moreover, the registry as a structure remained the same for many versions of
Windows, only the contents changed. As the Windows XP registry was analyzed in depth, it
is well documented by researchers. One of the papers (FARMER, Derrick, 2007) provided a
reference for forensic examiners and as a result it formed a basis for the examination of
Windows 7 registry. All keys included in the paper were verified against the new registry.
Any significant changes were examined in detail for example the UserAssist keys. In
addition the RegRipper software (CARVEY, Harlan and Shavers, Brett, 2009) was used to
help identifying the updated registry keys. Additionally through browsing potentially
significant keys it was possible to identify new, important registry keys or values.

9.1.Hardware and Software used


Throughout the whole research wide variety of hardware and software setups were used.
It was primarily driven by a desire to examine the final version of the Windows 7 in order
to ensure that the results are applicable and comparable with what examiners can
encounter. Therefore it was crucial to obtain the latest version, which became possible on
the 6th of August 2009, when Microsoft released the final, RTM build to MSDN subscribers.

Soft/Hardware Desktop Laptop Netbook


OS version Windows 7 RTM Pro Windows 7 RTM Pro Windows 7 RC Ultimate
Windows 7 RC Ultimate Windows Vista Home Ubuntu 8.04
Premium Windows XP SP3
CPU 2,6GHz Pentium 4 1,8GHz Intel C2D 1,6 GHz Intel Atom
Memory 1 GB @ 333MHz 2GB@667MHz 1,5GB@533MHz
Hard Disk 40GB 160GB 320GB
Network LAN LAN, WIFI LAN, WIFI
Graphics ATI Radeon 9660 Pro Integrated Integrated
Table 10. Hardware and Software Specification of used PCs

Table 10 presents the hardware and the software specifications of the PCs used for the
examination. primary PC was the desktop computer with the Windows 7 installed, whereas
other PCs were used to verify results. In addition the Netbook was used as the analysis
machine with the Ubuntu 8.04 with the Sleuth Kit (CARRIER, Brian, 2009) and other open

61
First Look at the Windows 7 Forensics Piotrek Smulikowski

source forensic tools. The Windows 7 PCs had the X-Ways Forensics and WinHex installed
(X-WAYS, 2009). The author of the tools was kind enough to provide demo version of the X-
Ways Forensics software.

Great majority of results was obtained with the RTM version although some features for
example BitLocker was only available in Ultimate version hence the RC version was used.
However there was no reports that it undergo any changes in the RTM product.

62
First Look at the Windows 7 Forensics Piotrek Smulikowski

10. Conclusions
This section concludes the findings of the research, outlining achievements of the study by
also analysing weakness. Next, is the review of the obstacles faced during the research.
Later, author discusses his reflections about the research. The next section covers overall
conclusions of the research. Last is the discussion of the recommended future work with
regard to this topic.

10.1. Research Achievements


The expected deliverables set before the study, were based on an initial research about
changes to the new system. It was a common believe that because the system is an
evolution of the Vista, it would not have many forensically significant changes. Therefore
the deliverables were expected to include forensic analysis experiment of the Windows 7
and comparison to the older systems. Additionally the software compatibility was aimed to
accompany the results to help examiners choosing their toolkit. Finally, the optional
requirement was the Windows 7 Forensic Analysis Draft to guide examiners through the
process.

While it is still believed that the fulfilled deliverables could form a complete reference to
the Windows 7 forensics, it has quickly been recognised that it would require significantly
more time than the two months and only one researcher. Once the research started it
became clear that the amount of time required to examine all features was highly
underestimated at the beginning. However there was no means to provide correct
estimation, since the changes on the new system were very sparsely, if at all, documented.
Therefore the deliverables were reviewed in order to identify the requirements of the
highest priority. It was decided that the analysis of the forensically significant features is
the primary objective since this is what will have real impact on the forensic investigation.
Not only it can help examiners, but also forensic software developers could benefit from
the research findings, as they could address the new sources of evidence in their software.

Thanks to the comprehensive research on the system changes it was possible to


successfully identify the features that could create new sources of evidence. Various
information gathering methods were employed including reading available documentation,
contacting experts and thorough online search. The identification proved to be successful
when source from Microsoft confirmed which features are likely to affect the forensics
(MICROSOFT LAW ENFORCEMENT TECH TEAM, 2009). Moreover this research uncovered
more sources of evidence than it was suggested by the materials provided by Microsoft.

63
First Look at the Windows 7 Forensics Piotrek Smulikowski

During the analysis stage some features did not produce new sources of evidence, whereas
others did. Furthermore some changes were discovered to have a potentially great impact
on the forensics. However, regardless of the outcome, the detailed analysis of the features
alone can be considered as an achievement. Even if no evidence could be found, it means
that the feature has been recognized as forensically insignificant and can be excluded from
the forensic examination.

Great deal of time was devoted to IE8 analysis, since online activity is often the cause for
the investigation in the first place. Some could argue that the browser is not Windows 7
specific and could be omitted however it is still the default browser for the new Windows.
What is more, the information contained in section devoted to the IE8 could also benefit
the investigators examining other Windows systems, with the IE8 Vista in particular. The
section included detailed analysis of the InPrivacy browsing capability, identification and
examination of the Suggested Sites and Session Recovery artefacts. Although very little
information was available, it was attempted to document the feature from forensic
perspective.

Some of the user experience improvements also produced new sources of evidence. The
much talked about Jump List feature was examined and produced interesting results.
Although due to its complexity it was not possible to document the component in depth,
however it was possible to retrieve history records. Other new functionality analysed – the
new search capability, produced information about the remote location that suspect was
accessing.

The BitLocker analysis also delivered vast amount of information important to examiners.
The introduction of the portable drives encryption can have a significant impact on the
examinations. Although the research did not provide examiner with a way round the
BitLocker protection, which is a hardly possible task, it provided means to identify an
encrypted volume. Besides some other minor changes were reviewed and crucially the
potential impact of the updated BitLocker was discussed.

Among many other findings, the analysis of the Windows Registry produced a quick
reference of important registry entries. In particular, the UserAssist keys were analysed
and decoded, in effect highly valuable, user activity data was extracted. This evidence
source was one of the most commonly investigated data artefacts in previous versions of
Windows. Hence it was highly important to decode and document the new format.

64
First Look at the Windows 7 Forensics Piotrek Smulikowski

10.2. Actual Constraints


Now that a research is finished it is safe to say that limitations outlined in the Project
Constraints section were correctly identified. All combined composed a substantial
challenge for the success of the research. The major obstacle was the most obvious one -
time limitation. Having more time would benefit the project with more in depth analysis of
the new features, allow for meeting all set requirements and provide more time for a
writing the report. However as with all academic research there is a deadline that needs to
be adhered to. Appropriate time management was in place, although there was a room for
an improvement. In spite of this the topic was thoroughly researched and produced
significant results.

Initially the complexity of the Windows Operating System was understated, as were the
changes in comparison to Windows 7’s predecessors. It was when the identification
finished and examination stage started, that it became clear that the project was too
ambitious. It required intensive research, variety of different experiments to understand
the forensic significance of discussed feature. Lack of documentation posed a real
challenge, since for many tasks it was necessary to employ reverse engineering techniques.

Moreover the availability of the forensic software was indeed a great obstacle. Since, as
expected, manufacturers do not post demonstration versions online, they had to be
requested and depending on delivery method it can take long time. The EnCase demo
arrived after over 3 weeks and its functionality was heavily limited making it impossible to
examine the Windows 7 forensic image. The X-Ways Forensics was sent electronically but
the trial version only worked on a C: drive of the system. Although it was very helpful for
feature analysis process it was not feasible to perform analysis of the image. In addition to
the time constraints it was also decided that since software compatibility could not be
performed on multiple products it could not form a comprehensive review, therefore the
deliverable was abandoned.

However one of the problems happened to resolve itself when Microsoft decided to release
Windows 7 final version to MSDN subscribers (LEBLANC, Brandon, 2009). However at the
time the news was published, it was unclear whether it would include Academic Alliance –
student subscription. Fortunately, it did, therefore previously obtained results could have
been verified and experiments replicated.

10.3. Final Conclusions


This research delved into the Windows 7, three months prior to its official release in order
to investigate changes made to the new system and their impact on forensics. It has

65
First Look at the Windows 7 Forensics Piotrek Smulikowski

compiled and verified majority of information regarding the new Windows and its analysis.
In addition it has attempted to document some of the new features identified as
forensically significant. Through the examination of their behaviour and the produced data
artefacts, research has discovered new potential sources of evidence. Moreover, a selection
of already recognised evidence sources was evaluated against the new platform.

Shortly after the release of the Beta version of the new Windows, many had an impression
that little has changed since the predecessor, that it was evolved version of Vista, “but a lot
better!” as Microsoft’s CEO said (PARRISH, Kevin, 2008). Despite the fact that Windows 7
does not bring a revolution to Windows OS family, it may have its footprint on Windows
forensics. Firstly its positive reception, suggests that it may quickly become vastly popular,
therefore examiners will be very likely to face a computer with the new system. Secondly,
developers focused on adding more functionality which in turn created new sources of
evidence. Improvements to the user experience generated more forensic artefacts with
features like the Jump List and the Suggested Sites or the Session Recovery in the Internet
Explorer 8. However some features introduced new challenges to the forensic
investigations such as the portable drive encryption or the privacy internet browsing. Ease
of use combined with the perceived privacy can affect their popularity. Therefore this
research tries to raise awareness and provide examiners with identification techniques in
order to help them to approach analysis in best possible manner.

This study attempted to cover in detail most of the forensic issues surrounding the
Windows 7 however it certainly had not exhausted the topic. In fact it is thought to be quite
the opposite. Hopefully it will attract the forensic community to further research in more
specific areas of the subject. And primarily that it will aid computer forensics investigators
when faced with the windows for the first time.

10.4. Future Work


On top of already covered aspects, more in depth analysis of certain features would be the
next improvement. Due to the lack of a compatible hardware Windows XP Mode or
Location API could not be fully examined. Both can potentially be valuable source of
evidence. Additionally other functionalities that were not discussed because they were
considered to have not changed like e.g. Recycle Bin or Prefetch (MMAHOR, 2009) could be
verified.

It is believed that fulfilling all set deliverables would add more practical side of the
research. The comparison of the results from the forensic analysis of windows 7 and its

66
First Look at the Windows 7 Forensics Piotrek Smulikowski

predecessors would certainly point out more of minor changes, whereas production of the
analysis draft could provide examiners with hands-on guide to Windows 7 examination.

Since this is only the first look at the Windows 7 forensics, there is plenty of further
research opportunities in this area. The paper was aimed to deliver a basis for forensic
examiners but also forensic researchers wanting to further expand the community’s
knowledge.

67
First Look at the Windows 7 Forensics Piotrek Smulikowski

Bibliography
585. 2009. Data Loss Examples in 2008. [online]. [Accessed 15 Aug 2009]. Available from:
<http://whereismydata.wordpress.com/2009/01/07/data-loss-examples-in-2008/>

AARON. 2009. Disable IE8 In-Private Feature. [online]. [Accessed 04 Aug 2009]. Available
from: <http://didyourestart.blogspot.com/2009/05/disable-ie8-in-private-feature.html>

ARD, Chris. 2009. Speakers. [online]. [Accessed 20 Jul 2009]. Available from:
<https://cacconference.org/Speakers.html#Chris_Ard>

BBC NEWS. 2009. Human error blamed for data loss. [online]. [Accessed 15 Aug 2009].
Available from: <http://news.bbc.co.uk/1/hi/england/lancashire/8003757.stm>

BBC NEWS UK. 2009. Windows 7 flies off virtual shelf. [online]. [Accessed 31 Jul 2009].
Available from: <http://news.bbc.co.uk/1/hi/technology/8151342.stm>

BRIGHT, P. 2008. First look at Windows 7's User Interface. [online]. [Accessed 22 Jul 2009].
Available from: <http://arstechnica.com/microsoft/news/2008/10/first-look-at-
windows-7.ars>

CARRIER, Brian. 2009. The Sleuth Kit. [online]. [Accessed 15 Aug 2009]. Available from:
<http://www.sleuthkit.org/sleuthkit/>

CARRIER, Brian. FSSTAT(1) manual page. [online]. [Accessed 15 Aug 2009]. Available from:
<http://www.sleuthkit.org/sleuthkit/man/fsstat.html>

CARRIER, Brian. MMLS(1) Manual Page. [online]. [Accessed 04 Aug 2009]. Available from:
<http://www.sleuthkit.org/sleuthkit/man/mmls.html>

CARVEY, Harlan. 2007. Windows Forensic Analysis DVD toolkit. USA: Syngress.

CARVEY, Harlan. 2009. search results for "Windows 7". [online]. [Accessed 31 Jul 2009].
Available from: <http://windowsir.blogspot.com/search?q=%22windows+7%22>

CARVEY, Harlan. 2009. Windows 7 Beta Registry. [online]. [Accessed 15 Aug 2009].
Available from: <http://windowsir.blogspot.com/2009/01/windows-7-beta-
registry.html>

CARVEY, Harlan. 2009. Windows Forensic Analysis DVD toolkit Second Edition. Syngres.

CARVEY, Harlan. 2009. Windows Registry Forensic Analysis. [online]. [Accessed 15 Aug
2009]. Available from: <http://windowsir.blogspot.com/2009/07/windows-registry-
forensic-analysis.html>

68
First Look at the Windows 7 Forensics Piotrek Smulikowski

CARVEY, Harlan and Brett SHAVERS. 2009. RegRipper. [online]. [Accessed 31 Jul 2009].
Available from: <www.regripper.net>

CLARKE, Gavin. 2009. Microsoft to bomb Europe with IE-free Windows 7. [online]. [Accessed
03 Aug 2009]. Available from:
<http://www.channelregister.co.uk/2009/06/11/microsoft_windows_ie_sku_europe/>

CODEPLEX, MICROSOFT. 2009. BibWord: Microsoft Word Citation and Bibliography styles.
[online]. [Accessed 31 Jul 2009]. Available from:
<http://www.codeplex.com/bibword/Release/ProjectReleases.aspx?ReleaseId=15852>

DAVAK. 2008. exFAT vs FAT32 vs NTFS. [online]. [Accessed 04 Aug 2009]. Available from:
<http://www.tech-recipes.com/rx/2801/exfat_versus_fat32_versus_ntfs/>

DIGITAL DETECTIVE GROUP LTD. 2009. DCode. [online]. [Accessed 15 Aug 2009]. Available
from: <http://www.digital-detective.co.uk/freetools/decode.asp>

DMEX. 2008. Windows 7 Search Federation Providers. [online]. [Accessed 04 Aug 2009].
Available from: <http://www.sevenforums.com/tutorials/742-windows-7-search-
federation-providers.html>

EDOCEO. 2009. ROT13 Coversions. [online]. [Accessed 25 Aug 2009]. Available from:
<http://edoceo.com/utilitas/rot13>

FARMER, Derrick. 2007. A Forensic Analysis of The Windows Registry; A Windows Registry
Quick Reference: For the Everyday Examiner. [online]. [Accessed 15 Aug 2009]. Available
from: <http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry>

FERGUSON, Niels. 2006. AES - CBC + Elephant Diffuser: A Disk Encryption Algorithm for
Windows Vista. [online]. [Accessed 15 Aug 2009]. Available from:
<http://download.microsoft.com/download/0/2/3/0238acaf-d3bf-4a6d-b3d6-
0a0be4bbb36e/BitLockerCipher200608.pdf>

FIVEASH, Kelly. 2009. Microsoft ditches Windows 7 E plans. [online]. [Accessed 03 Aug
2009]. Available from:
<http://www.theregister.co.uk/2009/08/03/microsoft_ditches_windows_e_plans/>

FORENSIC WIKI. 2009. BitLocker Disk Encryption. [online]. [Accessed 15 Aug 2009].
Available from: <http://www.forensicswiki.org/wiki/BitLocker_Disk_Encryption>

FUNK, Troy. 2008. BitLocker: Protecting data in Windows 7 and Windows Server 2008 R2.
In: Microsoft WinHec 2008. Microsoft.

69
First Look at the Windows 7 Forensics Piotrek Smulikowski

GIBSON, Steve. 2008. SecurAble: Determine Processor Security Features. [online]. [Accessed
15 Aug 2009]. Available from: <http://www.grc.com/securable.htm>

GUIDANCE SOFTWARE INC. 2009. Guidance Software. [online]. [Accessed 31 Jul 2009].
Available from: <http://www.guidancesoftware.com/>

HARGREAVES, C and H CHIVERS. 2007. Potential Impacts of Windows Vista on Digital.


[online]. [Accessed 2009 Jul 31]. Available from:
<http://www.forensicfocus.com/downloads/potential-impact-windows-vista.pdf>

HUNTER, Jamie. 2006. Detecting BitLocker. [online]. [Accessed 15 Aug 2009]. Available
from: <http://blogs.msdn.com/si_team/archive/2006/10/26/detecting-bitlocker.aspx>

JENSKR. 2009. Windows 7 and forensic tools. [online]. [Accessed 31 Jul 2009]. Available
from:
<http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6529921#6
529921>

JODO3333. 2009. Microsoft Technet: Windows 7 forum: Jump List History Location? [online].
[Accessed 04 Aug 2009]. Available from: <http://social.technet.microsoft.com/Forums/en-
US/w7itprogeneral/thread/92b90228-2f08-4558-9c4d-6e66e103a5cf>

JONES, Keith. 2003. Pasco v1.0. [online]. [Accessed 03 Aug 2009]. Available from:
<http://www.foundstone.com/us/resources/proddesc/pasco.htm>

KIRIATY, Yochay and Alon FLIESS. 2009. Inside Windows 7: Introducing Libraries. [online].
[Accessed 04 Aug 2009]. Available from: <http://msdn.microsoft.com/en-
us/magazine/dd861346.aspx>

KORNBLUM, Jesse. 2009. Implementing BitLocker Drive Encryption for forensic analysis.
Digital Investigation., pp.75-84.

LEBLANC, Brandon. 2009. The Date for General Availability (GA) of Windows 7 is…. [online].
[Accessed 03 Aug 2009]. Available from:
<http://windowsteamblog.com/blogs/windows7/archive/2009/06/02/the-date-for-
general-availability-ga-of-windows-7-is.aspx>

LEBLANC, Brandon. 2009. Windows 7 has been Released To Manufacturing. [online].


[Accessed 03 Aug 2009]. Available from:
<http://windowsteamblog.com/blogs/windows7/archive/2009/07/22/windows-7-has-
been-released-to-manufacturing.aspx>

70
First Look at the Windows 7 Forensics Piotrek Smulikowski

LEBLANC, Brandon. 2009. Windows 7 Team Blog: When will you get Windows 7 RTM?
[online]. [Accessed 22 Jul 2009]. Available from:
<http://windowsteamblog.com/blogs/windows7/archive/2009/07/21/when-will-you-
get-windows-7-rtm.aspx>

MCKINNON, Mark. 2009. Decoding the DateCreated and DateLastConnected SSID values
From Vista/Win 7. [online]. [Accessed 26 Aug 2009]. Available from: <http://cfed-
ttf.blogspot.com/2009/08/decoding-datecreated-and.html>

MICROSOFT. 2009. Update for Windows XP KB955704. [online]. [Accessed 04 Aug 2009].
Available from:
<http://www.microsoft.com/downloads/details.aspx?FamilyID=1cbe3906-ddd1-4ca2-
b727-c2dff5e30f61&displaylang=en>

MICROSOFT. 2009. Windows 7 BitLocker Executive Summary. [online]. [Accessed 15 Aug


2009]. Available from: <http://technet.microsoft.com/en-
us/library/dd548341(WS.10).aspx>

MICROSOFT LAW ENFORCEMENT TECH TEAM. 2009. IE8 Trustworthy Computing and
InPrivate Browsing. In: Microsoft Law Enforcement. UK: Microsoft.

MICROSOFT LAW ENFORCEMENT TECH TEAM. 2009. Windows 7 Forensic Introduction.


In: Microsoft Law Enforcement. UK.

MICROSOFT MSDN. 2009. About Logging Location Activity. [online]. [Accessed 03 Aug
2009]. Available from: <http://msdn.microsoft.com/en-
us/library/dd756640(VS.85).aspx>

MICROSOFT MSDN. 2009. Introduction to the Sensor and Location Platform in Windows.
[online]. [Accessed 03 Aug 2009]. Available from: <http://msdn.microsoft.com/en-
us/library/cc974528.aspx>

MICROSOFT MSDN LIBRARY. 2009. Time_Zone_Information Structure. [online]. [Accessed


15 Aug 2009]. Available from: <http://msdn.microsoft.com/en-
us/library/ms725481%28VS.85%29.aspx>

MICROSOFT TECHNET. 2009. Windows 7 BitLocker Executive Overview. [online]. [Accessed


15 Aug 2009]. Available from: <http://technet.microsoft.com/en-
us/library/dd548341%28WS.10%29.aspx>

71
First Look at the Windows 7 Forensics Piotrek Smulikowski

MICROSOFT TECHNET. 2009. Windows BitLocker Drive Encryption Frequently Asked


Questions. [online]. [Accessed 16 Aug 2009]. Available from:
<http://technet.microsoft.com/en-us/library/cc766200(WS.10).aspx#BKMK_Partitions>

MICROSOFT. TechNet Library. [online]. [Accessed 22 Jul 2009]. Available from:


<http://technet.microsoft.com/en-gb/library/dd349779.aspx>

MICROSOFT TECHNET LLIBRARY. 2009. BitLocker Drive Encryption Technical Overview.


[online]. [Accessed 15 Aug 2009]. Available from: <http://technet.microsoft.com/en-
us/library/cc732774%28WS.10%29.aspx>

MICROSOFT VIRTUALISATION TEAM. 2009. Microsoft Virtual Pc : Three modes of Windows


XP Mode. [online]. [Accessed 28 Aug 2009]. Available from:
<http://blogs.technet.com/windows_vpc/archive/2009/08/27/three-modes-of-windows-
xp-mode.aspx>

MMAHOR. 2009. Windows 7 analysis. [online]. [Accessed 31 Jul 2009]. Available from:
<http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6527312#6
527312>

MORRIS, Jamie. 2007. Notes on Vista Forensics, Part One. [online]. [Accessed 31 Jul 2009].
Available from: <http://www.securityfocus.com/infocus/1889>

MSDN BLOG. 2009. Some Changes Since Beta for the RC. [online]. [Accessed 03 Aug 2009].
Available from: <http://blogs.msdn.com/e7/archive/2009/02/26/some-changes-since-
beta.aspx>

MUELLER, Lance. 2007. Basic Investigations of Windows Vista. [online]. [Accessed 31 Jul
2009]. Available from:
<www.lancemueller.com/vistaceic2007.pptrvF_xTw8gBYPsg&sig2=4S4QVxRcY0oO7xTwN
L9eQQ>

MUELLER, Lance. 2008. BitLocker Incident Response. [online]. [Accessed 15 Aug 2009].
Available from: <http://www.youtube.com/watch?v=FQotTY1qqks>

NET APPLICATIONS. 2009. Top Operating System Share Trend. [online]. [Accessed 15 Aug
2009]. Available from: <http://marketshare.hitslink.com/os-market-share.aspx?qprid=9>

OASOL. 2009. Windows 7. [online]. [Accessed 31 Jul 2009]. Available from:


<http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6530958>

OIAGA, Marius. 2009. Windows 7 User Interface - the Superbar (Enhanced Taskbar) A
Microsoft Perspective - Softpedia. [online]. [Accessed 15 Aug 2009]. Available from:

72
First Look at the Windows 7 Forensics Piotrek Smulikowski

<http://news.softpedia.com/news/Windows-7-User-Interface-The-Superbar-Enhanced-
Taskbar-97143.shtml>

PAGE, Lewis. 2008. MoD: We lost 87 classifed USB sticks since 2003. [online]. [Accessed 15
Aug 2009]. Available from:
<http://www.theregister.co.uk/2008/07/18/mod_secret_usb_sticks/>

PARRISH, Kevin. 2008. Ballmer says Windows 7 is Vista but improved! [online]. [Accessed 03
Aug 2009]. Available from: <http://www.tomsguide.com/us/Windows-Vista-7-
Microsoft,news-2789.html>

PERNICK, Ari. 2006. A bit about WinInet's Index.dat. [online]. [Accessed 04 Aug 2009].
Available from:
<http://blogs.msdn.com/wndp/archive/2006/08/04/WinInet_Index_dat.aspx>

PIRIFORM LTD. 2009. Version History. [online]. [Accessed 04 Aug 2009]. Available from:
<http://www.ccleaner.com/download/version-history>

PROTALINSKI, Emil. 2009. Six editions of Windows 7: better than Vista, still too many.
[online]. [Accessed 03 Aug 2009]. Available from:
<http://arstechnica.com/microsoft/news/2009/02/official-windows-7-skus-revealed-six-
editions.ars>

SANS FORENSICS BLOG. 2009. Computer Forensic Guide To Profiling USB Devices on Win7,
Vista, and XP. [online]. [Accessed 20 Aug 2009]. Available from:
<https://blogs.sans.org/computer-
forensics/files/2009/08/usb_device_forensics_vista_win7_guide.pdf>

SD ASSOCIATION. 2008. Developers: SDXC Massive Storage, Incredible Speed. [online].


[Accessed 04 Aug 2009]. Available from: <http://www.sdcard.org/developers/tech/sdxc>

SHARP, John. 2008. FoxIT Exposes IE8 Beta Privacy Limits. [online]. [Accessed 04 Aug 2009].
Available from: <http://authentium.blogspot.com/2008/08/foxit-exposes-ie8-beta-
privacy-limits.html>

SOFER, Nir. 2009. Web Browser Tools. [online]. [Accessed 04 Aug 2009]. Available from:
<http://www.nirsoft.net/web_browser_tools.html>

STEVENS, Didier. 2009. Didier Stevens Blog. [online]. [Accessed 31 Jul 2009]. Available
from: <http://blog.didierstevens.com/2009/01/29/quickpost-vigenere-is-beta-only/>

STEWART, Barrie. 2007. Forensic Implications of Windows Vista. [online]. [Accessed 03 Aug
2009]. Available from:

73
First Look at the Windows 7 Forensics Piotrek Smulikowski

<http://www.whereisyourdata.co.uk/data/modules/wfdownloads/singlefile.php?cid=4&li
d=9>

SYSINTERNALS. 2009. Autoruns for Windows v9.53. [online]. [Accessed 15 Aug 2009].
Available from: <http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx>

TOR PROJECT INC. 2009. Tor: Overview. [online]. [Accessed 03 Aug 2009]. Available from:
<http://www.torproject.org/overview.html.en>

WIKIPEDIA. 2009. Windows 7 Editions Comparison Chart. [online]. [Accessed 25 Aug 2009].
Available from: <http://en.wikipedia.org/wiki/Windows_7_editions#Comparison_chart>

WOODWARD, Andre. 2006. BitLocker - the end of digital forensics? In: Proceedings of 4th
Australian Digital Forensics Conference. Perth Australia: Edith Cowan University.

X-WAYS. 2009. Software for Computer Forensics, Data Recovery and IT Security. [online].
[Accessed 01 Aug 2009]. Available from: <http://www.x-ways.net/>

YOCHAYK. 2009. The Windows 7 Blog for Developers:Windows 7 Taskbar - Part 1. [online].
[Accessed 15 Aug 2009]. Available from:
<http://blogs.msdn.com/yochay/archive/2009/01/06/windows-7-taskbar-part-1-the-
basics.aspx>

YU-CHUNG CHENG, Yatin Chawathe, John Krumm. 2005. Accuracy Characterization for
Metropolitan-scale Wi-Fi. [online]. [Accessed 03 Jul 2009]. Available from:
<http://www.placelab.org/publications/pubs/IRS-TR-05-003.pdf>

ZEIGLER, Andy. 2008. IE8 and Privacy. [online]. [Accessed 03 Aug 2009]. Available from:
<http://blogs.msdn.com/ie/archive/2008/08/25/ie8-and-privacy.aspx>

74
First Look at the Windows 7 Forensics Piotrek Smulikowski

APPENDIX A – Windows 7 Editions Comparison Chart


This chart compares all editions of the Windows 7 based on their capabilities. This is the
most complete comparison chart available online.

Home Home
Starter Professional Enterprise Ultimate
Basic Premium
Cost & Features /
Availability Retail
OEM Emerging Retail and OEM Volume
and OEM
licensing markets licensing licensing
licensing
32-bit and 64-bit 32-bit
32-bit only Both Both Both Both
versions only
Maximum physical
memory (64-bit N/A 8 GB 16 GB 192 GB 192 GB 192 GB
mode)
Maximum CPU
1 1 1 2 2 2
chips supported
Home Group
Join only Join only Yes Yes Yes Yes
(create and join)
Cannot Cannot
Cannot
Backup and back up back up
back up to Yes Yes Yes
Restore Center[25] to to
network
network network
Multiple monitors No Yes Yes Yes Yes Yes
Fast user switching No Yes Yes Yes Yes Yes
Desktop Wallpaper
No Yes Yes Yes Yes Yes
Changeable
Desktop Window
No Yes Yes Yes Yes Yes
Manager
Windows Mobility
No Yes Yes Yes Yes Yes
Center
Windows Aero No Partial Yes Yes Yes Yes
Multi-Touch No No Yes Yes Yes Yes
Premium Games
No No Yes Yes Yes Yes
Included
Windows Media
No No Yes Yes Yes Yes
Center

75
First Look at the Windows 7 Forensics Piotrek Smulikowski

Windows Media
Player Remote
No No Yes Yes Yes Yes
Media
Experience[26]
Encrypting File
No No No Yes Yes Yes
System
Location Aware
No No No Yes Yes Yes
Printing
Remote Desktop
No No No Yes Yes Yes
Host
Presentation Mode No No No Yes Yes Yes
Windows Server
No No No Yes Yes Yes
domain joining
Support for
Windows Virtual Virtual PC Virtual PC
No Yes Yes Yes
PC[27] + Windows only only
XP Mode[28]
AppLocker No No No No Yes Yes
BitLocker Drive
No No No No Yes Yes
Encryption
BranchCache
No No No No Yes Yes
Distributed Cache
DirectAccess No No No No Yes Yes
Subsystem for
Unix-based No No No No Yes Yes
Applications
Multilingual User
No No No No Yes Yes
Interface Pack
Virtual Hard Disk
No No No No Yes Yes
Booting
Table 11. Windows 7 editions comparison chart. Source (WIKIPEDIA, 2009)

76