Forensic Blogs

An aggregator for digital forensics blogs

by

Windows Fall Creator Introduction

Pick Up Where I Left Off: Windows Innovative New Feature Coming Soon?

This spring, the Windows Fall Creator team will research a new Microsoft feature coming out over the next few months. The Windows Fall Creator/Redstone 4 update will provide users with the ability to continue right where they left off on other devices, as well as after power state changes. It is similar to Apple’s Auto Resume feature, except that it will be cross-platform enabled.

 

 

The Project

Before the release of the Windows Fall Creators Update, Pick Up Where I Left Off was discussed as a cross-platform version of Apple’s Handoff and Auto Resume features.   Our focus is on how it works, where the information is stored, and the security risks involved.  The official launch of “Pick Up Where I Left Off” has been delayed until the Windows Redstone 4 Update.  This update should be rolling out at some point this spring. While the Pick Up Where I Left Off feature isn’t available yet, pieces are through which we can start to see its functionality.

Our Procedure

We have researched and played around with the pieces of Pick Up Where I Left Off that are available.  After that, we joined the Windows Insider Program to get preview builds of the Redstone 4 update. This will allow us to test the actual feature before it’s released to the general public. We have created 4 virtual machines to run this preview build of Windows 10. These machines will be used to test different aspects of the feature. The following scenarios will be tested: the feature with only one person who uses the computer, the feature with two people who use the same computer, and one person who uses two different computers with the feature. After, we will test the feature out with cross-platform smartphones and a Microsoft Surface Pro.

Conclusion

The next step for our project will be researching the current Insider’s build for Windows 10. We will experiment using the new features it has to offer. After the Redstone 4 Update is released, we will experiment using the feature on that version of Windows.  By the end of this project, we hope to have an understanding of what Pick Up Where I Left Off is doing behind the scenes. We also hope to learn about its functionality and implications. Stay tuned for more updates to come and follow us on Twitter @ChampForensics,  Instagram @ChampForensics and Facebook @ChamplainLCDI.

References

Bowden, Z. (2015, October 30). Windows 10 Redstone: Continuum to be big focal point with new ‘Continuity-like’ features. Retrieved February 12, 2018, from https://www.onmsft.com/news/windows-10-redstone-continuum-to-be-big-focal-point-with-continuity-like-features

Bright, P. (2017, May 11). Microsoft reaches beyond Windows with Timeline and Pick Up Where I Left Off. Retrieved February 12, 2018, from https://arstechnica.com/information-technology/2017/05/timeline-and-cortana-make-windows-better-even-when-youre-not-using-it/

Brink, S. (2018, January 09). Turn On or Off Cortana Pick up where I left off in Windows 10. Retrieved February 12, 2018, from https://www.tenforums.com/tutorials/82752-turn-off-cortana-pick-up-where-i-left-off-windows-10-a.html

Brink, S.  (2017, April 11). Windows 10 help and support forum. Retrieved February 12, 2018, from https://www.tenforums.com/windows-10-news/81566-what-s-new-windows-10-creators-update.html

Hay, R. (2017, August 31). Cortana’s “Pick up where you left off” Feature is almost Windows Timeline Light. Retrieved February 12, 2018, from http://www.itprotoday.com/windows-10/cortanas-pick-where-you-left-feature-almost-windows-timeline-light

Martin, J. (2018, January 23). Microsoft is experimenting with some radical new features in Windows 10, including sets. Retrieved February 12, 2018, from https://www.techadvisor.co.uk/new-product/windows/windows-10-fall-creators-update-3496959/

TinsleyNET Admin. (2017, October 25). Windows 10 “Fall Creators Update” [Web log post]. Retrieved February 8, 2018, from https://www.tinsleynet.co.uk/2017/windows-10-1709/#more-1397

The post Windows Fall Creator Introduction appeared first on The Leahy Center for Digital Investigation.

by

Application Analysis Update 1

Introduction

This project focuses on searching for artifacts left by common desktop applications. We will be analyzing each application within Windows 10. It is the second most popular version of windows. We began by generating data on virtual machines with the chosen applications. The next step is to use various forensic tools to extract information that could be of forensic interest. This includes any artifacts that could be relevant either for security or for use in a forensic investigation.

Analysis: Web App Security

In this project, we will be analyzing artifacts left by three different apps: Steam, Lastpass, and Fitbit.  Based on LastPass’s emphasis on security, we expect that it will yield the least amount of artifacts. Likewise, Steam is notorious for not keeping chatlogs on the user’s side, whether PC or on a mobile device. As such, it would make sense to assume that the amount of information stored on the host is minimal. But, Fitbit may save crucial information on the host for offline use of the app.

Choosing the Applications

In narrowing the list of possible applications down, there were many reasons why we chose each app. This includes its large number of users, how important it was that the application is secure, as well as for other traits based on the purpose of the app.

Steam

Application

The first app, Steam, is a gaming and social media platform common on PCs. It has a massive user base of over 125 million. Steam is well known for not retaining chat logs. Steam saves achievements on the servers rather than the host. Due to the large amount of information that the app could store on the host, our team chose it as a viable candidate. Our team is planning to look for artifacts related to in game actions as well as any action done on Steam (Wishlist, login info, Screenshots, etc). Our team will also be looking for any artifacts that have any personal information as well as information about friends of that user.     

Last Pass

Application

LastPass is a password manager that is available as a desktop and mobile app, as well as an extension on many browsers. The application is popular for its security, as well as the simple design. It has a user base of over 7 million people. LastPass can contain passwords for many websites, making it a target for attacks. It is also available without purchasing the subscription, making it even more popular.

Fitbit

Fitbit is a brand of fitness tracker. The device syncs using Bluetooth to a personalized account through a PC or mobile device. Fitbit has a user base of over 10 million people, and is popular among a variety of ages. The information is viewable online, on a mobile device, or through the desktop application. Fitbit logs movement and allows users to log other health information in the app. Fitbit then uses this information to display progress over time.

Conclusion

As of now, all teams have made excellent progress on analyzing the artifacts generated by the applications. We hope that the artifacts we generate will help us determine potential threats and dangers to the apps we are using. The results from the information our team has gathered are not finalized yet. But we are eager to share our results with you when they are.   

Like all members of the LCDI, we welcome and encourage feedback. To give us any feedback you have, use the comment section below.

You can read our past research into other applications here.

Like the Leahy Center for Digital Investigation (LCDI) on Facebook and follow us on Twitter to get notified of more project updates.

The post Application Analysis Update 1 appeared first on The Leahy Center for Digital Investigation.

by

VMWare Analysis Update 1

Introduction

The VMWare Analysis team is researching the differences between a Windows 7 machine and Windows 7 virtual machine (VM) as well as the changes between a Windows 10 machine and VM. The end goal for this project is a quad comparison between the both operating system versions and their respective VMs.  

VMWare/Physical Machines Used

Three VMs have been set up for this project: a Windows 7 VM; Windows 10 VM; and a SANS SIFT VM running Ubuntu. The SANS SIFT is a free VM built by SANS DFIR (Digital Forensics and Incident Response). It has a variety of Digital Forensics tools, such as Volatility and Bulk Extractor. This VM is being used for memory forensics analysis of the four machines. The VMWare Analysis team is going to be extracting, analyzing, and comparing Windows artifacts. These include Prefetch files, LNK files, Jump Lists, and Windows Memory.

Progress

Thus far, the team has completed datagen and analysis of the Windows 7 machine and Windows 7 VM. Both machines used the same data generation process to keep the results consistent. There are a few specific things that we analyze for the comparisons. One is network information within the registries. Another is what changes VMware tools makes to the virtual machine. And the last is general information on artifacts. This includes where the system stores them and what information they reveal about the system.

VMWare

The team was having troubles generating Prefetch data for Notepad, Notepad ++, and Adobe Reader. After a few minutes of troubleshooting, the team discovered that the Prefetch folder only allows up to 168 “.pf” files at one time. The folder had reached capacity and could not fit files for those applications.

Conclusion

So far, the only identified difference between the VM and the Machine is in the prefetch files. The Windows 7 Machine had 140 prefetch files, while the VM only had 114. It is also noted that the VM image contained a prefetch for VMware (VMTOOLSD.EXE-CD82EC13.pf). The physical machine did not.

VMWare

In the upcoming weeks, the VMware analysis team is planning on starting the Windows 10 physical machine and VM. Once we complete data generation and analysis, we’ll start comparing differences between the virtual machine and physical machine. We’ll also compare Windows 10 and Windows 7.

Like the Leahy Center for Digital Investigation (LCDI) on Facebook and follow us on Twitter to get notified of more project updates.

The post VMWare Analysis Update 1 appeared first on The Leahy Center for Digital Investigation.