WINDOWS 10 SECURITY ANALYSIS, Lecture notes of Computer Science


Typology: Lecture notes

2012/2013

Available from 02/13/2022

kaleembugti77

Introduction
Motivation and Objectives
The importance of operating system security has been well known for the last twenty-five years. While there have been great strides in the development of security mechanisms for application space, the area of operating system security has largely been neglected. Today's trends of distributed computing and the increased possibility of malicious attacks have shown the need to implement mandatory control mechanisms and policy flexibility. This paper discusses the need for greater Windows 10 operating system security analysis and mandatory access mechanisms.

AIM

The aim of this work is an analysis of the security of Windows 10. The primary objective of the analysis was to investigate how secure the operating system actually is. A technical overview of the system, and in particular of its security features, is given. The system security was analyzed and practical intrusion attempts were made in order to verify known vulnerabilities and find new ones. The paper concludes that there are ample opportunities to improve the security of Windows 10.

Computer systems, and especially their protection mechanisms, must be penetration resistant. However, most operating systems, Windows 10 included, have security holes which make them vulnerable. The aim of this project is a security analysis of Windows 10 by applying penetration testing and other experiments, in the form of stress testing, that expose weaknesses in the system. The original goal of these experiments was to find a quantitative measure of operational security. The analysis shows that some common security problems are found in Windows 10, such as:

⮚ Improper input validation
⮚ Weak cryptographic algorithms
⮚ Weak authentication protocols
⮚ Insecure bootstrapping
⮚ Configuration mistakes

Methodology Introduction

The best way to analyze Windows 10 is to create a realistic investigation. For the beginning of the project it may be acceptable to export the Windows 10 registry and analyze data from the .reg file, but eventually there should be a logical image pulled from a computer in order to recreate a more professional scenario. Although the project could start by pulling an image from a virtual machine in VMware, it would be more beneficial to create real data on a physical machine. This machine could be a laptop; however, a tablet with a GPS chip in it would be more realistic due to the potential GPS-related artifacts. The tablet will be connected to a Microsoft account, and a Windows Phone should also be connected to this same account.

Applications of Research

The application of this research is an analysis of Windows 10 security. It allows us to find out which vulnerabilities exist in Windows 10, and in which components of Windows 10 the security holes are present.

Scope and Limitations

The scope of the Windows 10 security analysis covers three important points about security:

  1. Multi-factor authentication
  2. Separation of corporate and personal data
  3. Trusted apps

The limitation of this project is hardware resources. Windows 10 requires recent and costly hardware resources such as processor, hard disk space, RAM and graphics card.


Implementation

Implementation Tools

Fake data should be generated via both devices (the tablet and the Windows Phone connected to the same Microsoft account) by connecting to various Wi-Fi networks and using maps and social networking apps. After the data has been generated, the device should be imaged using a write-blocker, FTK Imager, and a workstation. The extraction may be more difficult on a tablet, since the SSD cannot be extracted without destroying the tablet, so alternate extraction methods should be researched. With the data extracted the analysis can begin, and the artifacts can be compared. Attempts to import into EnCase 7, FTK 5.0 or Autopsy can be made, but it is expected that there may be problems since they will not recognize Windows 10.

SoftwareRequirements/Tools

The equipment used in the Windows 10 security analysis is:

  1. VMware Workstation 11.
  2. FTK Imager
  3. Windows 10 Preview Build 9926 and Build 10049
  4. Laptop/ tablet capable of running Windows 10
  5. Nirsoft Suite

The software and hardware setup was the following:

⮚ Single VMware machine
⮚ One Nokia Lumia 635

VM Hardware

  VMware Version      11
  Memory              4GB
  Processor           1 (Intel Core i7)
  Hard Drive          60GB
  Operating System    Windows 10 Build 9926
  Computer Name       Lcdivm
  Time Zone           GMT-5 (Eastern)
  User Name           [email protected]

Software Installed.

From the Start button, click "Settings", then click "Privacy", and click the "General" tab on the left sidebar. Under that tab you'll see a few sliders where you can toggle certain features on or off. The top toggle button is the most important, as it disables the advertising ID for each user. But if you want to cover your bases, you should go ahead and disable the rest of the options as well. After turning off the options under the General tab, you can jump down to the next tab, "Location," and turn off location data for all apps or for specific ones. That's not necessarily new to Windows 10, but it's something that many security-conscious folks like to do. Next, you'll want to head down to the tab labeled "Speech, inking, and typing." Here you can stop Cortana from gathering information about you by clicking the "Stop getting to know me" button towards the middle of the screen. Keep in mind that clicking this will also disable Cortana and dictation.

Moving on, click the "Other devices" tab at the bottom of the list. Under this tab you'll be able to turn off the "Sync with devices" feature. In the example given by Microsoft, this could be used for connecting with beacons, which are typically used for advertising purposes. If you want to kill this feature, slide the first button to the off position. If you want, you can also turn off syncing for trusted devices as well. Now, back out to the general settings and click "Network and internet." In that window click "Manage Wi-Fi settings" toward the middle of the screen.
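The methodology section above proposes exporting the registry and analysing the .reg file, and the walkthrough above toggles privacy settings through the GUI. The two fit together: an exported .reg file can be checked offline to confirm that a toggle actually took effect. The following is an added example, not code from the paper. It parses the .reg export format (key sections in square brackets, `"name"=dword:`, `"name"="string"`, `hex:` values wrapped over lines with a trailing backslash) and then audits the advertising-ID toggle. The registry key `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo` with its `Enabled` value is my assumption about what backs that toggle; the `ConstructedExample` key and all sample values are constructed for the demonstration.

```python
import re
from typing import Dict, Iterator, Optional

# Constructed excerpt of a .reg export (not from the paper or any real machine).
# AdvertisingInfo\Enabled is assumed to be the value behind the advertising-ID
# toggle; ConstructedExample exists only to exercise the parser.
SAMPLE_REG_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo]
"Enabled"=dword:00000001

[HKEY_CURRENT_USER\Software\ConstructedExample]
@="default value"
"Path"="C:\\Users\\analyst"
"Blob"=hex:01,00,\
  02,00
"""

# The same export after the toggle has been switched off (constructed).
SAMPLE_REG_AFTER = SAMPLE_REG_BEFORE.replace(
    '"Enabled"=dword:00000001', '"Enabled"=dword:00000000')

ADVERTISING_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo")

_SECTION = re.compile(r"^\[(.+)\]$")
_NAMED = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_DEFAULT = re.compile(r"^@=(.*)$")


def _logical_lines(text: str) -> Iterator[str]:
    """Yield non-empty lines, joining hex values wrapped with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            line, buf = buf + line, ""
        if line.endswith("\\") and not line.startswith("["):
            buf = line[:-1]          # continuation: keep accumulating
            continue
        if line:
            yield line
    if buf:
        yield buf


def _decode(raw: str):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex"):                    # hex:, hex(2):, hex(7): ...
        body = raw.split(":", 1)[1]
        return bytes.fromhex(body.replace(",", ""))
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw                                    # unknown type: keep verbatim


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in _logical_lines(text):
        if line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue                              # value outside any key: ignore
        m = _NAMED.match(line)
        if m:
            keys[current][m.group(1)] = _decode(m.group(2))
            continue
        m = _DEFAULT.match(line)
        if m:
            keys[current]["(Default)"] = _decode(m.group(1))
    return keys


def audit_advertising_id(keys: Dict[str, Dict[str, object]]) -> list:
    """Report the advertising-ID toggle state found in a parsed export."""
    findings = []
    values = keys.get(ADVERTISING_KEY)
    if values is None:
        findings.append("AdvertisingInfo key not present in export; toggle state unknown")
    elif values.get("Enabled") != 0:
        findings.append(f"advertising ID is enabled (Enabled={values.get('Enabled')!r})")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_REG_BEFORE), ("after", SAMPLE_REG_AFTER)):
        print(label, audit_advertising_id(parse_reg(text)) or ["no findings"])
```

Real exports written by regedit are UTF-16 with a byte-order mark, so open them with `encoding="utf-16"` before handing the text to `parse_reg`. The audit deliberately distinguishes "value is 1" from "key absent" so that an export taken before the setting was ever touched is not mistaken for a hardened one.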

Different/Updated Artifacts

Recycle Bin

One of the most fundamental forensic artifacts in an investigation is the Recycle Bin. When crimes are committed on computers, one of the first locations to check for evidence is almost always the Recycle Bin. As a result, we will focus on analyzing the Recycle Bin in Windows 10 as a primary step. For this analysis we took two nearly identical VMs running Windows 8.1 and Windows 10 and generated data for the Recycle Bin. Both VMs were logged in to two separate Microsoft accounts, and were running the latest Windows updates as of March 2nd, 2015. Office was also installed on both VMs.

Recycle Bin Analysis

Since Windows 7, Recycle Bin artifacts for each user are found in the following location: DRIVE:\$RECYCLE.BIN\<SID>. For each file that is deleted, a pair of files is placed in the Recycle Bin. One file name starts with $I and the other with $R, but both end in the same 6 random characters and the original extension. A screenshot is shown below.

[Screenshot: the $I file ("Metadata about File") next to its $R file ("Actual file stored")]

The $I file contains metadata including the file size, deleted time and the file path. The $R file contains the deleted file itself. The $I file is formatted in the following manner in Windows 8.1:

Windows 8.1 $I Recycle Bin Format

  Offset  Length in bytes  Description
  0       8                Begins with 01
  8       8                File size in bytes
  16      8                Deleted time (64-bit Windows timestamp format)
  24      520              File path

In Windows 10, the contents are still split into these $I and $R files, but the organization of the $I file is slightly different.

Windows 10 $I Recycle Bin Format

  Offset  Length in bytes                  Description
  0*      8                                Ends in 02
  8       8                                File size in bytes
  16      8                                Deleted time (64-bit Windows timestamp format)
  24*     4                                File path length
  28*     Dependent upon file path length  File path

  * = changed in Windows 10
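The two layouts above differ only after the 24-byte prefix, and the header value tells a parser which one it is looking at. The following is an added example, not code from the paper: a Python parser that reads the three 64-bit fields, branches on the header value (1 for the Windows 8.1 layout, 2 for the Windows 10 layout), converts the 64-bit Windows timestamp to a UTC datetime, and refuses records with an unknown header or a truncated path field rather than guessing. The sample records are constructed in the code; the assumption that the Windows 10 path-length field counts UTF-16 characters including the terminating NUL is mine, not the paper's, and the parser tolerates either convention by cutting the path at the first NUL.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_FIELD_LEN = 520   # fixed 520-byte path field in the Windows 8.1 layout


@dataclass
class RecycleRecord:
    version: int            # 1 = Vista..8.1 layout, 2 = Windows 10 layout
    file_size: int          # original file size in bytes
    deleted_time: datetime  # UTC
    original_path: str


def filetime_to_datetime(filetime: int) -> datetime:
    """64-bit Windows timestamp (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_dollar_i(data: bytes) -> RecycleRecord:
    """Parse a $I record in either layout; raise ValueError instead of guessing."""
    if len(data) < 24:
        raise ValueError("$I record shorter than the fixed 24-byte prefix")
    version, file_size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_FIELD_LEN]
        if len(raw) != V1_PATH_FIELD_LEN:
            raise ValueError("truncated Windows 8.1 $I record")
    elif version == 2:
        if len(data) < 28:
            raise ValueError("Windows 10 $I record missing path length field")
        (path_chars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + path_chars * 2]          # UTF-16: 2 bytes per character
        if len(raw) != path_chars * 2:
            raise ValueError("Windows 10 $I record path field truncated")
    else:
        raise ValueError(f"unknown $I header value {version:#x}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]   # cut at terminating NUL
    return RecycleRecord(version, file_size, filetime_to_datetime(filetime), path)


def paired_dollar_r_name(dollar_i_name: str) -> str:
    """$I<6 random chars>.<ext> -> the $R file holding the deleted content."""
    if not dollar_i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + dollar_i_name[2:]


# ---- constructed sample records (not from the paper or any real system) ----
SAMPLE_PATH = r"C:\Users\analyst\Documents\report.docx"
SAMPLE_DELETED = datetime(2015, 3, 2, tzinfo=timezone.utc)
SAMPLE_SIZE = 1024


def build_v1(size: int, deleted: datetime, path: str) -> bytes:
    """Windows 8.1 layout: header 1, size, timestamp, NUL-padded 520-byte path."""
    encoded = path.encode("utf-16-le").ljust(V1_PATH_FIELD_LEN, b"\x00")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted)) + encoded


def build_v2(size: int, deleted: datetime, path: str) -> bytes:
    """Windows 10 layout: header 2, size, timestamp, char count, then the path."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted), len(path) + 1)
    return header + encoded


SAMPLE_V1 = build_v1(SAMPLE_SIZE, SAMPLE_DELETED, SAMPLE_PATH)
SAMPLE_V2 = build_v2(SAMPLE_SIZE, SAMPLE_DELETED, SAMPLE_PATH)

if __name__ == "__main__":
    for label, blob in (("Windows 8.1", SAMPLE_V1), ("Windows 10", SAMPLE_V2)):
        print(label, parse_dollar_i(blob))
```

A Windows 8.1 record is always 544 bytes, which is a quick sanity check when carving; a Windows 10 record's length depends on the path, so the length field is the only reliable way to find the end of the path.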

Thumbnails

Thumbnail artifacts can be important to investigators when dealing with potential evidence found in images. In some versions of Windows, thumbnail data is maintained even when the image itself is deleted. Windows XP had a thumbs.db file that stored the thumbnail image of every file until Windows 7 removed this functionality and replaced the thumbs.db file with a thumbcache.db file located in C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer. The thumbs.db file returned in Windows 8 and kept caches of thumbnails in the same folder as Windows XP. Below is a screenshot of the thumbs.db in Windows 8.1 and the absent file in Windows 10.

Figure 1: Pictures folder in Windows 8.1 (left) vs. Windows 10 (right)

Windows 10 removes the thumbs.db file once again, storing the thumbnails in the same location as Windows 7: C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer. The file header for Windows 10's thumbnail cache is only slightly different from 8.1, and it's a very simple change: Windows 10 has the value 0x20 instead of 0x1F at offset 4. Converted to decimal, 0x1F and 0x20 are 31 and 32 respectively. Below are two screenshots comparing the file headers of the thumbcache file.

Figure 2: Windows 8.1 thumbnail cache header (below) vs. Windows 10, showing the differing byte headers

Although a minor change, it affects the tools that help investigators view thumbnail caches, and these tools will need to be updated to become compatible with Windows 10. One item to note is that the thumbs.db files were present in Windows 10 build 9926, but they are no longer present in build 10049, so it's possible this behavior may change before release.
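The point about tools needing an update is really a point about how a parser should react to the byte at offset 4. The following is an added example, not code from the paper: a header check that reads the version field the text describes and refuses to interpret a cache file whose version it does not know, instead of applying the Windows 8.1 layout to a Windows 10 file and producing wrong thumbnails. The two version values 0x1F and 0x20 come from the text; the 4-byte `CMMM` signature at offset 0, the cache-type field at offset 8, and the Windows 7 value 0x15 are taken from public thumbcache format descriptions and are not stated on the page. The sample headers are constructed.

```python
import struct

# Signature at offset 0 of thumbcache_*.db files (assumption from public format
# descriptions; the page only discusses the version byte at offset 4).
THUMBCACHE_SIGNATURE = b"CMMM"

# Format-version field at offset 4. 0x1F and 0x20 are from the page; 0x15 is
# added from public format descriptions.
FORMAT_VERSIONS = {
    0x15: "Windows 7",
    0x1F: "Windows 8.1",
    0x20: "Windows 10",
}


def parse_thumbcache_header(data: bytes) -> dict:
    """Validate the signature and read version (offset 4) and cache type (offset 8)."""
    if len(data) < 12:
        raise ValueError("header shorter than 12 bytes")
    if data[:4] != THUMBCACHE_SIGNATURE:
        raise ValueError(f"bad signature {data[:4]!r}; not a thumbcache file")
    version, cache_type = struct.unpack_from("<II", data, 4)
    return {
        "version": version,
        "cache_type": cache_type,
        "windows": FORMAT_VERSIONS.get(version),   # None when unknown
    }


def select_layout(data: bytes) -> str:
    """Name the Windows release whose entry layout applies, or refuse to guess."""
    header = parse_thumbcache_header(data)
    if header["windows"] is None:
        # Fail loudly: a viewer built for 0x1F must not silently parse a 0x20 file.
        raise NotImplementedError(
            f"thumbcache format version {header['version']:#x} is not supported; "
            "update the parser before interpreting this file")
    return header["windows"]


def build_header(version: int, cache_type: int = 0) -> bytes:
    """Constructed 24-byte header for testing (not a real cache file)."""
    return THUMBCACHE_SIGNATURE + struct.pack("<II", version, cache_type) + bytes(16)


if __name__ == "__main__":
    for version in (0x1F, 0x20, 0x21):
        try:
            print(f"{version:#x}: {select_layout(build_header(version))}")
        except NotImplementedError as exc:
            print(f"{version:#x}: {exc}")
```

Run against a real file, the check reads the first 12 bytes of `thumbcache_*.db`; the rest of the entry layout for each version is outside what the page documents, so the example stops at the decision the page is about.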

In terms of OneDrive logs, it still looks like folders that aren’t synced all the time are stored in the OneDrive TraceArchive and TraceCurrent .ETL files.

SyncEngine.odl

The SyncEngine file in this directory is the most common file found. The .odl file extension is most often used in C++ applications, and the file references many .cpp files such as "filetransferwatcher.cpp" and "localchanges.cpp". Each file is created with a timestamp and is exactly 1,025 KB. These files appear to be logs of operations that have been performed, but because of the .cpp file references it's possible that they are used for the actual function of OneDrive syncing. When a file is synced to OneDrive, a SyncEngine file is created, and the file will record filenames and file hashes among the other logs. It's possible that OneDrive is submitting these hashes to the OneDrive servers to verify file integrity. Unlike the other artifacts below, these logs only contain files that are physically on the computer.

Trace.ETL

TraceArchive.ETL and TraceCurrent.ETL are logging files which appear to contain the remnants of the smart folder feature in Windows 8.1. Unfortunately, while Event Viewer can open them, it doesn't produce any useful or readable information. However, analyzing the file in Notepad seems to work for rudimentary forensics. Below is a screenshot of the contents of the ETL file, which references files that are stored only on OneDrive and not physically stored on the device.

SyncDiagnostics.log

SyncDiagnostics.log is a logging file which displays the operations currently being run on the computer. These files can be opened by Event Viewer, but it doesn't reveal any content in the logs, so they might be modified forms of ETL files. It's possible that the logging of data that isn't physically on the drive is a feature left over from Smart Folders.

Prefetch Files

Prefetch files are used to power Superfetch, Microsoft's system for optimizing program startup speeds and boot times. By analyzing the times at which users open files, Windows can learn the user's behavior and eventually preload the programs before they are launched. Because this information is stored for Superfetch, it is also ideal for forensic investigators. These prefetch files are located at C:\Windows\Prefetch.

C:\Users\<USERNAME>\AppData\Local\Packages\Microsoft.Windows.Spartan_cw5n1h2txyewy\AC\#!001\Spartan

Within this folder there are 3 obvious artifact locations, which will be described below. Caches are stored separately in different folders for each page that is cached. The names appear to be random hashed values, and this content is arranged very similarly to Internet Explorer's cached files.

Below are the cached files of Project Spartan side by side with the cached files of IE. The format looks to be identical.

Facebook App:

One of the most commonly used applications on all mobile platforms is the Facebook application. Released in 2013, the Facebook Windows application runs on all Windows 8.x and Windows 10 devices. Below is a detailed analysis of the artifacts found in the Modern