Wednesday, October 21, 2009

Windows 7 and the Future of Forensic Analysis

Okay, so I was in Redmond, WA, last week at some computer conferences (yes, plural) and was on-stage with Troy Larson while he waxed philosophic on forensicy stuff with respect to Windows Vista and beyond, including Windows 7. I've been noodling a lot of this over, and here's what I've come up with...

One of Troy's pet projects is Volume Shadow Copies (please, do not ask me about any of his other interests...), and I have to say, he's really one of the most knowledgeable folks I'm aware of on the subject of VSC and the needs of forensic analysts. Troy has some interesting things to say about how Volume Shadow Copies can be accessed, but one of the most interesting aspects is that one way to do this is by booting your acquired image via something like LiveView. Another means is to mount the image file as a drive letter from a like system. At that point, you can image the entire volume or dump only selected files.

Notice at no point did I say, "...insert your dongle...", or "...this EnScript...". It turns out that Volume Shadow Copies can be enumerated and accessed via WMI, meaning that once you have an image mounted, you may be able to (haven't tried it yet) automatically process what you need.
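The enumerate-then-dump workflow described above, written out as an added PowerShell example (it is not from the original post). It assumes it runs elevated on a Vista-or-later "like" system, that the acquired image is already mounted as a drive letter (E: here), and that the registry hives are the files worth pulling; all three are assumptions. Shadow copies come from the Win32_ShadowCopy WMI class, and each one is exposed as a directory through a symbolic link to its device object so ordinary file tools can read it.

```powershell
# Added example, not the original post's code: enumerate Volume Shadow Copies
# via WMI, expose each one as a directory, and copy selected files out of it.
# Assumptions: elevated prompt, Vista-or-later host, evidence volume at E:.
param(
    [string]$Volume = 'E:\',            # assumption: mounted evidence volume
    [string]$OutDir = 'C:\vsc_export'   # assumption: where extracted files go
)

# 1. Enumerate every shadow copy known to the host, oldest first.
$shadows = Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate
foreach ($s in $shadows) {
    # InstallDate arrives as a DMTF datetime string; convert it for display.
    $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    '{0}  {1}  {2}' -f $s.ID, $created, $s.DeviceObject
}

# 2. Keep only the shadow copies that belong to the evidence volume.
#    Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the
#    \\?\Volume{GUID}\ form, so they can be matched directly.
$volumeName = (Get-WmiObject -Class Win32_Volume |
    Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }).DeviceID
$mine = $shadows | Where-Object { $_.VolumeName -eq $volumeName }

# 3. Expose each shadow copy as a directory and copy the files of interest.
$targets = 'Windows\System32\config\SYSTEM',
           'Windows\System32\config\SOFTWARE',
           'Windows\System32\config\SAM'
$i = 0
foreach ($s in $mine) {
    $link = Join-Path $env:TEMP ('vsc{0}' -f $i)
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN;
    # the trailing backslash is required for mklink to expose the root.
    cmd /c mklink /d $link ($s.DeviceObject + '\') | Out-Null

    $dest = Join-Path $OutDir ('vsc{0}' -f $i)
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    foreach ($t in $targets) {
        $src = Join-Path $link $t
        if (Test-Path $src) { Copy-Item -Path $src -Destination $dest }
    }

    cmd /c rmdir $link   # removes the link only; the shadow copy is untouched
    $i++
}
```

Hives that are locked on a live system read cleanly out of a shadow copy, which is why they make a useful first target; the same loop works for any relative path under the volume root.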

I was doing some research into processing the new Windows Event Log format (new as of Vista and Windows 2008, that is...) for inclusion into timeline analysis, and what I've been able to find out is that if you extract the pertinent .evtx files from your acquired image, you may be able to process them via LogParser, but again...on a like system. Andreas Schuster did a great job in documenting the format, but .evtx files are a combination of binary, and binary XML...eesh! Note - you may need to consider using something like wevtutil in your live response activities...
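An added example (not from the original post) of the "like system" route: reading an extracted .evtx file through the native Event Log API and flattening it into a CSV slice for a timeline. The file and output paths are assumptions. The Message column is the part that depends on the host: it is rendered from the provider's message resources, so on a system that lacks that provider it comes back empty, which is why the raw event XML is kept alongside it.

```powershell
# Added example, not the original post's code: extracted .evtx -> timeline CSV.
# Must run on a Vista-or-later host; Get-WinEvent uses the native Event Log API.
# Assumptions: the input path is an extracted log, the output is a CSV file.
param(
    [string]$EvtxPath = 'C:\cases\extracted\System.evtx',  # assumption
    [string]$Out      = 'C:\cases\System_timeline.csv'     # assumption
)

# -Oldest returns records in on-disk order (oldest first), which is the order
# a timeline wants, and it is mandatory anyway for .etl and .evt inputs.
# TimeCreated is normalised to UTC in ISO 8601 ("o") form so the column sorts
# and merges cleanly with other timeline sources.
Get-WinEvent -Path $EvtxPath -Oldest |
    Select-Object @{n='TimeUtc';  e={ $_.TimeCreated.ToUniversalTime().ToString('o') }},
                  @{n='Computer'; e={ $_.MachineName }},
                  @{n='Provider'; e={ $_.ProviderName }},
                  @{n='EventId';  e={ $_.Id }},
                  @{n='RecordId'; e={ $_.RecordId }},
                  @{n='Message';  e={ $_.Message -replace '\s+', ' ' }},
                  @{n='Xml';      e={ $_.ToXml() }} |
    Export-Csv -Path $Out -NoTypeInformation -Encoding UTF8

# The same log read with the built-in wevtutil, which the post mentions for
# live response: /lf:true says the argument is a log file, not a channel name.
# wevtutil qe $EvtxPath /lf:true /f:xml /c:10
```

Rows with an empty Message but populated Xml are the tell that the examination host is missing the provider; the EventData elements inside the XML still carry the field values, so nothing is lost, it just is not rendered.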

Okay, I'm not sayin' that commercial forensic analysis suites are no longer useful...after all, ProDiscover 6.0 allows you to access Volume Shadow Copies if you're accessing the remote system live via the servlet...which means that if you're using PD for live response, you can likely automate what you need via Perl-based ProScripts.

So where does that leave us? Folks, I'm gonna sound the ol' "the age of Nintendo forensics is over" trumpet yet again, and the dawn of the educated, knowledgeable, sofis...soffis......sophisticated responder is upon us!


DanMiami said...

Evidence found in Volume Shadow Copy files made a Federal case in Miami earlier this year. The story is found at and although not specified in the article, here is the part of the story that I refer to:

"Prosecutors are expected to call two people who corresponded with Zarabozo online to corroborate that they received his messages referencing travel to Cuba before the fateful trip.

In their filing, Zarabozo's lawyers note that a Miami-Dade police detective, Francisco Perez, searched almost 300,000 files, directories and artifacts on the computer in December, after the first trial.

'The various search terms revealed different results, including some terms that hit several hundred times (e.g., "Cuba") and some terms that did not hit at all (e.g., "Joe Cool"),' according to the defense motion to exclude the evidence.

'One search indicates that the word Bimini appeared in Mr. Zarabozo's hard drive, but the government examiner is unable to determine any other information about that hit, including what kind of file it appears in, when it was added to the hard drive or where it is located on the hard drive,' the motion said.

In January, the presiding judge granted permission for the evidence to be used at trial, but postponed it for a few weeks to give Zarabozo's lawyers time to prepare their defense."

Rob said...

Volume Shadow Copies are good Voodoo! Law Enforcement has been playing with this potential Evidence "boon" for years (Vista Beta etc.).
As for the end of Nintendo forensics... heh... they will just upgrade us to Wii forensics. I'm sure that Guidance and AD will come up with something to automate the process that we have been using ShadowExplorer to do manually. Too bad... cause manual forensics is FUN and makes you think... but who has time to do that when there is work to be

H. Carvey said...


GSI and AD moving to supporting this is still going to require (at this moment, anyway) the right set of DLLs, which is best done by having a like system.

Tony said...

Something else that Vista and beyond brings to the forensics table is the fact that the long format wipes the drive with zeros. Yes, it takes a long time, but now, whether they know it or not, every Windows Vista owner can wipe their drive with a utility that is part of Windows. No need to buy anything. See:

I haven't tested Windows 7 yet but I assume it will do the same thing.

I guess it hasn't come up because we all choose quick format to save time. Or has it? Has anyone had an examination where they had a wiped drive and couldn't explain it?


nieUK said...

Hi, I wanted to share some findings of my research about Windows 7 forensics. It was written as my dissertation for the MSc Forensic Informatics and it may lack some professionalism, but I haven't seen these findings anywhere else. This blog has been very useful to me during my research, so I wanted to contribute my bit as well. It is rather lengthy, but it should be easy to skip to the most interesting parts just by picking the right headings.

Blog entry can be found at:

Full research paper: