Motivation and Objectives
Applications of Research
Design and Methodology
Implementation
Tools
Different/Updated Artifacts
Windows 8.1
Windows 10
Typology: Lecture notes
The importance of operating system security has been well known for the last twenty-five years. While there have been great strides in the development of security mechanisms for application space, the area of operating system security has largely been neglected. Today's trends of distributed computing and the increased possibility of malicious attacks have shown the need to implement mandatory control mechanisms and policy flexibility. This paper discusses the need for greater security analysis of the Windows 10 operating system and for mandatory access mechanisms.
This paper presents an analysis of the security of Windows 10. The primary objective of the analysis was to investigate how secure the operating system actually is. A technical overview of the system, and in particular of its security features, is given. The system security was analyzed and practical intrusion attempts were made in order to verify known vulnerabilities and find new ones. The paper concludes that there are ample opportunities to improve the security of Windows 10. Computer systems, and especially their protection mechanisms, must be penetration resistant. However, most, and perhaps all, operating systems, Windows 10 included, have security holes which make them vulnerable. The aim of this project is a security analysis of Windows 10 by applying penetration testing and other experiments, in the form of stress testing, that expose weaknesses in the system. The original goal of these experiments was to find a quantitative measure of operational security. The analysis shows that some common security problems are found in Windows 10, such as:
⮚ Improper input validation.
⮚ Weak cryptographic algorithms.
⮚ Weak authentication protocol.
⮚ Insecure bootstrapping.
⮚ Configuration mistakes.
The application of this research is the analysis of Windows 10 security: finding which vulnerabilities exist in Windows 10 and in which components of Windows 10 the security holes are present.
The scope of the Windows 10 security analysis covers three important points about security, which are
The best way to analyze Windows 10 is to create a realistic investigation. For the beginning of the project it may be acceptable to export the Windows 10 registry and analyze data from the .reg file, but eventually a logical image should be pulled from a computer in order to recreate a more professional scenario. Although the project could start by pulling an image from a virtual machine in VMware, it would be more beneficial to create real data on a physical machine. This machine could be a laptop; however, a tablet with a GPS chip in it would be more realistic due to the potential GPS-related artifacts. The tablet will be connected to a Microsoft account, and a Windows Phone should also be connected to this same account. Fake data should be generated via both devices by connecting to various Wi-Fi networks and using maps and social networking apps. After the data has been generated, the device should be imaged using a write-blocker, FTK Imager, and a workstation. The extraction may be more difficult on a tablet since the SSD cannot be extracted without destroying the tablet, so alternate extraction methods should be researched. With the data extracted the analysis can begin, and the artifacts can be compared. Attempts to import into EnCase 7, FTK 5.0, or Autopsy can be made, but it is expected that there may be problems since they will not recognize Windows 10.
The equipment used in the Windows 10 security analysis:
VMware Version: 11
Memory: 4 GB
Processor: 1 (Intel Core i7)
Hard Drive: 60 GB
Operating System: Windows 10 Build 9926
Computer Name: Lcdivm
Time Zone: GMT-5 (Eastern)
User Name: [email protected]
From the Start button, click "Settings", then "Privacy", and then the "General" tab in the left sidebar. Under that tab you'll see a few sliders where you can toggle certain features on or off. The top toggle is the most important, as it disables the advertising ID for the user. But if you want to cover your bases, you should go ahead and disable the rest of the options as well. After turning off the options under the General tab, move down to the next tab, "Location," and turn off location data for all apps or for specific ones. That's not new to Windows 10, but it's something that many security-conscious folks like to do. Next, head down to the tab labeled "Speech, inking, and typing." Here you can stop Cortana from gathering information about you by clicking the "Stop getting to know me" button towards the middle of the screen. Keep in mind that clicking this will also disable Cortana and dictation.
Moving on, click the "Other devices" tab at the bottom of the list. Under this tab you'll be able to turn off the "Sync with devices" feature. In the example given by Microsoft, this could be used for connecting with beacons, which are typically used for advertising purposes. If you want to kill this feature, slide the first button to the off position. If you want, you can also turn off syncing for trusted devices. Now back out to the general Settings and click "Network and internet." In that window, click "Manage Wi-Fi settings" toward the middle of the screen.
One of the most fundamental forensic artifacts in an investigation is the Recycle Bin. When crimes are committed on computers, one of the first locations to check for evidence is almost always the Recycle Bin. As a result, we will focus on analyzing the Recycle Bin in Windows 10 as a primary step. For this analysis we took two nearly identical VMs running Windows 8.1 and Windows 10 and generated data for the Recycle Bin. The two VMs were logged in to two separate Microsoft accounts and were running the latest Windows updates as of March 2, 2015. Office was also installed on both VMs.
Since Windows 7, Recycle Bin artifacts for each user are found in the following location: DRIVE:\$RECYCLE.BIN\<SID>. For each file that is deleted, a pair of files is placed in the Recycle Bin. One file name starts with $I and the other with $R, but both end in the same 6 random characters and the original extension. A screenshot is shown below.
[Screenshot labels: $I file, metadata about file; $R file, actual file stored.]
The $I file contains metadata including the file size, deleted time and the file path. The $R file contains the deleted file itself. The $I file is formatted in the following manner in Windows 8.1:
Windows 8.1 $I Recycle Bin Format
Offset  Length in bytes  Description
0       8                Header, begins with 01
8       8                File size in bytes
16      8                Deleted time (in 64-bit Windows timestamp format)
24      520              File path
In Windows 10, the contents are still split into these $I and $R files, but the organization of the $I file is slightly different.
Windows 10 $I Recycle Bin Format
Offset  Length in bytes                  Description
0*      8                                Header, ends in 02
8       8                                File size in bytes
16      8                                Deleted time (in 64-bit Windows timestamp format)
24*     4                                File path length
28*     Dependent upon file path length  File path
* = Changed in Windows 10
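As an added example (not part of the original notes), the following Python parser reads a $I record in either of the two layouts above, using the 8-byte header value (01 or 02) to choose between the Windows 8.1 fixed 520-byte path field and the Windows 10 length-prefixed path. The sample records are constructed in the script itself, and the "64 bit Windows timestamp" is decoded as a FILETIME (100 ns ticks since 1601-01-01 UTC), which is an assumption about the format the table names.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed: the 64-bit Windows timestamp is a FILETIME, 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I record; header value 1 = Windows 8.1 layout, 2 = Windows 10 layout."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte fixed header")
    version, file_size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Windows 8.1: fixed 520-byte field (260 UTF-16LE characters), NUL padded.
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        # Windows 10: 4-byte character count at offset 24, variable-length path at 28.
        if len(data) < 28:
            raise ValueError("path length field missing")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("path field truncated")  # carved fragment or corrupt record
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I header value {version}")
    return {"version": version, "file_size": file_size,
            "deleted_time": filetime_to_datetime(deleted), "original_path": path}

def build_dollar_i(version: int, file_size: int, deleted: datetime, path: str) -> bytes:
    """Construct a sample $I record for testing (constructed data, not from a real machine)."""
    header = struct.pack("<QQQ", version, file_size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")  # path is NUL terminated in both layouts
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded

if __name__ == "__main__":
    when = datetime(2015, 3, 2, 12, 0, tzinfo=timezone.utc)
    for v in (1, 2):
        blob = build_dollar_i(v, 1234, when, r"C:\Users\analyst\Documents\notes.txt")
        print(len(blob), parse_dollar_i(blob))
```

A tool that only knows the 8.1 layout would read the Windows 10 path length field as the first two path characters, which is why the version check comes first.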
Thumbnail artifacts can be important to investigators when dealing with potential evidence found in images. In some versions of Windows, thumbnail data is maintained even when the image itself is deleted. Windows XP had a thumbs.db file that stored the thumbnail image of every file, until Windows 7 removed this functionality and replaced the thumbs.db file with a thumbcache.db file located in: C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer. The thumbs.db file returned in Windows 8 and kept caches of thumbnails in the same folder as Windows XP. Below is a screenshot of the thumbs.db in Windows 8.1 and the absent file in Windows 10.
Figure 1: Pictures folder in Windows 8.1 (left) vs. Windows 10 (right)
Windows 10 removes the thumbs.db file once again, storing the thumbnails in the same location as Windows 7: C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer. The file header for Windows 10's thumbnail cache is only slightly different from 8.1, and it's a very simple change: Windows 10 has the value 0x20 instead of 0x1F at offset 4. Converted to decimal, 0x1F and 0x20 are 31 and 32 respectively. Below are two screenshots comparing the file headers of the thumbcache file.
Figure 2: Windows 8.1 thumbnail cache header (below); differing byte headers
Although a minor change, it affects the tools that help investigators view thumbnail caches, and these tools will need to be updated to become compatible with Windows 10. One item to note is that the thumbs.db files were present in Windows 10 build 9926 but are no longer present in build 10049, so it's possible this behavior may change before release.
In terms of OneDrive logs, it still looks like folders that aren't synced all the time are recorded in the OneDrive TraceArchive and TraceCurrent .ETL files.
The SyncEngine file in this directory is the most common file found. The .odl file extension is most often used in C++ applications, and these files reference many .cpp files such as "filetransferwatcher.cpp" and "localchanges.cpp." Each file is created with a timestamp and is exactly 1,025 KB. These files appear to be logs of operations that have been performed, but because of the .cpp file references it's possible that they are used for the actual function of OneDrive syncing. When a file is synced to OneDrive, a SyncEngine file is created, and it records filenames and file hashes among the other log entries. It's possible that OneDrive is submitting these hashes to the OneDrive servers to verify file integrity. Unlike the other artifacts below, these logs only reference files that are physically on the computer.
TraceArchive.ETL and TraceCurrent.ETL are logging files which appear to contain the remnants of the Smart Folders feature in Windows 8.1. Unfortunately, while Event Viewer can open them, it doesn't produce any useful or readable information. However, analyzing the file in Notepad seems to work for rudimentary forensics. Below is a screenshot of the contents of the ETL file, which references files that are stored only on OneDrive and not physically stored on the device.
SyncDiagnostics.log is a logging file which displays the operations currently being run on the computer. These files can be opened by Event Viewer, but they don't reveal any content in the logs, so they might be modified forms of ETL files. It's possible that the logging of data that isn't physically on the drive is a leftover functionality feature from Smart Folders.
Prefetch files are used to power Superfetch, Microsoft's system for optimizing program startup speeds and boot times. By analyzing the times at which users open files, Windows can learn the user's behavior and eventually preload programs before they are launched. Because this information is stored for Superfetch, it is also ideal for forensic investigators. These prefetch files are located at C:\Windows\Prefetch.
C:\Users\<USERNAME>\AppData\Local\Packages\Microsoft.Windows.Spartan_cw5n1h2txyewy\AC\#!001\Spartan
Within this folder there are 3 obvious artifact locations, which will be described below. Caches are stored separately in different folders for each page that is cached. The folder names appear to be random hashed values, and this content is arranged very similarly to Internet Explorer's cached files.
Below are the cached files of Project Spartan side by side with the cached files of IE. The format looks to be identical.
One of the most commonly used applications on all mobile platforms is the Facebook application. Released in 2013, the Facebook Windows application runs on all Windows 8. and Windows 10 devices. Below is a detailed analysis of the artifacts found in the Modern