File History is a service new to Windows 8, and it is not enabled by default, most likely because a dedicated drive has to be selected to host the history of files.
It creates a folder structure that mirrors the hierarchy of the original file location, including the name of the machine the files came from.
T:\>tree FileHistory
Folder PATH listing for volume VOLUME_NAME
Volume serial number is ####-####
T:\FILEHISTORY
└───<UID>
    └───<MACHINE_NAME>
        ├───Configuration
        └───Data
            └───C
                └───Users
                    └───<UID>
                        ├───Contacts
                        ├───Desktop
                        ├───Documents
                        ├───Favorites
                        │   └───Dell
                        ├───Music
                        ├───Pictures
                        └───Videos
By default, libraries, desktop, contacts, and favorites are backed up. The configuration settings can be examined for the configured target drive; the usual mounted-device analysis then locates the actual physical drive.
C:\Users\<UID>\AppData\Local\Microsoft\Windows\FileHistory\Configuration\Config#.xml
Excerpt from the configuration file showing the details of the drive where the file history is located:
<Target>
<TargetName>ThawSpace0</TargetName>
<TargetUrl>T:\</TargetUrl>
<TargetVolumePath>\\?\Volume{8c66088c-9e66-11e3-8252-806e6f6e6963}\</TargetVolumePath>
System log file:
C:\Windows\System32\winevt\Logs\Microsoft-Windows-FileHistory-Core%4WHC.evtx
The documents and their changed versions are saved in the corresponding directory, each file name carrying the UTC time stamp of the backup run.
T:\FileHistory\<UID>\<MACHINE_NAME>\Data\C\Users\<UID>\Documents>dir
Volume in drive T is VOLUME_NAME
Volume Serial Number is F4A8-C897
Directory of T:\FileHistory\<UID>\<MACHINE_NAME>\Data\C\Users\<UID>\Documents
03/02/2014 09:29 PM 15,544 Report Template (2014_03_03 03_45_37 UTC).odt
02/26/2014 08:49 AM 83,619 Report Template (2014_03_03 03_45_37 UTC).ott
03/02/2014 09:48 PM 14,450 Report Template (2014_03_03 04_09_19 UTC).odt
02/26/2014 08:49 AM 83,610 Report Template (2014_03_03 05_04_56 UTC).odt
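The two steps above (reading the target drive out of Config#.xml and turning the UTC-stamped names in the Data tree back into a per-file version history) are easy to script when the artifacts have been copied off for analysis. The following Python script is an added example, not code from the post: the <Config> wrapper around <Target>, the desktop.ini entry in the listing and the user and machine names are assumptions; the <Target> fields and the four stamped file names are the ones shown above.

```python
"""Locate the File History target from Config#.xml and rebuild a per-file version
timeline from the UTC-stamped names in the Data tree.  (Added example; not from the post.)"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed excerpt modelled on the Config#.xml fragment above.  The <Config> wrapper is an
# assumption (the real file has more elements); <Target> is the part we need.
SAMPLE_CONFIG = r"""<Config>
  <Target>
    <TargetName>ThawSpace0</TargetName>
    <TargetUrl>T:\</TargetUrl>
    <TargetVolumePath>\\?\Volume{8c66088c-9e66-11e3-8252-806e6f6e6963}\</TargetVolumePath>
  </Target>
</Config>"""

# Constructed listing of a Data\...\Documents folder: the four names from the dir output above
# plus one file (assumed) that does not carry a File History stamp.
SAMPLE_LISTING = [
    "Report Template (2014_03_03 03_45_37 UTC).odt",
    "Report Template (2014_03_03 03_45_37 UTC).ott",
    "Report Template (2014_03_03 04_09_19 UTC).odt",
    "Report Template (2014_03_03 05_04_56 UTC).odt",
    "desktop.ini",
]

# File History names look like "<stem> (YYYY_MM_DD HH_MM_SS UTC)<ext>"
VERSION_RE = re.compile(
    r"^(?P<stem>.+?) \((?P<ts>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2}) UTC\)(?P<ext>\.[^.]+)?$"
)


def read_target(config_xml):
    """Return {'name', 'url', 'volume'} for the configured File History drive."""
    target = ET.fromstring(config_xml).find("Target")
    if target is None:
        raise ValueError("no <Target> element in configuration")
    return {
        "name": target.findtext("TargetName"),
        "url": target.findtext("TargetUrl"),
        "volume": target.findtext("TargetVolumePath"),
    }


def data_path(target_url, user, machine, local_path):
    """Map a live path such as C:\\Users\\<UID>\\Documents to its File History Data folder."""
    p = PureWindowsPath(local_path)
    drive = p.drive.rstrip(":")  # "C:" becomes the "C" folder under Data
    return str(PureWindowsPath(target_url, "FileHistory", user, machine, "Data", drive, *p.parts[1:]))


def parse_version_name(name):
    """Split 'Report Template (2014_03_03 03_45_37 UTC).odt' into
    ('Report Template.odt', UTC datetime); return None for names without a stamp."""
    m = VERSION_RE.match(name)
    if not m:
        return None
    stamp = datetime.strptime(m["ts"], "%Y_%m_%d %H_%M_%S").replace(tzinfo=timezone.utc)
    return m["stem"] + (m["ext"] or ""), stamp


def build_timeline(names):
    """{original name: [(utc timestamp, stored name), ...]} sorted oldest first."""
    versions = defaultdict(list)
    for name in names:
        parsed = parse_version_name(name)
        if parsed:
            original, stamp = parsed
            versions[original].append((stamp, name))
    return {k: sorted(v) for k, v in versions.items()}


if __name__ == "__main__":
    t = read_target(SAMPLE_CONFIG)
    print("File History target:", t["url"], t["volume"])
    docs = data_path(t["url"], "<UID>", "<MACHINE_NAME>", "C:\\Users\\<UID>\\Documents")
    print("Documents backed up under:", docs)
    for original, versions in build_timeline(SAMPLE_LISTING).items():
        for stamp, stored in versions:
            print(f"{stamp:%Y-%m-%d %H:%M:%S} UTC  {original}  <- {stored}")
```

The timeline groups the three .odt versions under one original name, which is the view an examiner wants: a sequence of edits to a single document, each pinned to the UTC time the backup ran, rather than four unrelated files. The TargetVolumePath GUID is what is matched against the mounted-device artifacts to identify the physical drive.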
The default settings (save copies of files every hour, keep saved versions forever) suggest a long-term forensic value for these files. Even though I could see multiple instances of backed-up files, the File History event log did not show any activity. This process will need further investigation to learn whether the default values trigger as they are set by default and whether the event log is generated by these events.
Some people might miss the Previous Versions tab in the file properties, but there is a simple way around this change in Windows 8.1: look at the file's properties through a null session (a network path rather than the local drive letter).
That approach will work on any drive, and the file properties will then show the Previous Versions tab, but populating it with values will also need further investigation, since just creating restore points did not populate it at all.
Looked at this way, it seems as if there is no backup of the file at all. The old-fashioned way of looking at the volume shadow copies still works as it did in Windows 7.
vssadmin list shadows /for=c:|findstr Contained
Contained 1 shadow copies at creation time: 2/25/2014 3:15:33 PM
Contained 1 shadow copies at creation time: 2/26/2014 9:43:36 PM
Contained 1 shadow copies at creation time: 2/28/2014 2:16:11 PM
Contained 1 shadow copies at creation time: 3/2/2014 11:08:45 PM
So, the restore points exist, but the question was whether they contained the changes to the files or not. To test it, I deleted a couple of files (Report Template.odt and .ott) and removed them from the Recycle Bin. The files were gone.
Since the shadow copies existed, I used ShadowExplorer to drill down into the file structure.
Sure enough, the files were still there waiting to be restored. The time stamps were not accurate, apart from the oldest one, but the command-line method captured them more accurately.
The command-line method also allowed me to access and copy the deleted files out of the volume shadow copy.
C:\Windows\system32>vssadmin list shadows /for=c:|findstr GLOBALROOT
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
C:\Windows\system32>mklink /d c:\shadow_copy3 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
symbolic link created for c:\shadow_copy3 <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
C:\Windows\system32>cd c:\shadow_copy3\Users\<UID>\Documents
c:\shadow_copy3\Users\<UID>\Documents>dir
Volume in drive C is OS
Volume Serial Number is E828-D083
Directory of c:\shadow_copy3\Users\<UID>\Documents
02/26/2014 08:49 AM 83,610 Report Template.odt
02/26/2014 08:49 AM 83,619 Report Template.ott
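The command-line procedure above (list the shadow copies, pick one that predates the deletion, expose it with mklink, walk to the same path inside the snapshot) can be scripted so that every snapshot older than a deletion is enumerated rather than one chosen by hand. The following Python script is an added example, not code from the post: the vssadmin transcript it parses is constructed from the four creation times listed above, with placeholder shadow-set IDs, volume GUID and machine name; the time stamps are parsed in the US date format vssadmin printed here, which is locale dependent.

```python
"""Parse `vssadmin list shadows` output, select the snapshots that predate a deletion, and build
the mklink command and in-shadow path used to pull the file back.  (Added example; not from the post.)"""
import re
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime

# Constructed output modelled on the four shadow copies above.  The set/shadow IDs, the volume
# GUID and the machine name are placeholders, not values from the page.
SAMPLE_VSSADMIN = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 2/25/2014 3:15:33 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000a1}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WS01
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 2/26/2014 9:43:36 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000a2}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WS01
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000003}
   Contained 1 shadow copies at creation time: 2/28/2014 2:16:11 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000a3}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WS01
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000004}
   Contained 1 shadow copies at creation time: 3/2/2014 11:08:45 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000a4}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: WS01
"""

CREATED_RE = re.compile(r"Contained \d+ shadow copies at creation time: (.+?)\s*$")
DEVICE_RE = re.compile(r"Shadow Copy Volume: (\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(\d+))")


@dataclass(frozen=True)
class ShadowCopy:
    index: int          # N in HarddiskVolumeShadowCopyN
    created: datetime   # local time exactly as vssadmin printed it
    device: str         # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN


def parse_vssadmin(text, time_format="%m/%d/%Y %I:%M:%S %p"):
    """Pair each 'creation time' line with the 'Shadow Copy Volume' line that follows it.
    time_format must match the locale of the machine that ran vssadmin (US format here)."""
    shadows, created = [], None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1), time_format)
            continue
        m = DEVICE_RE.search(line)
        if m and created is not None:
            shadows.append(ShadowCopy(int(m.group(2)), created, m.group(1)))
            created = None
    return sorted(shadows, key=lambda s: s.created)


def shadows_before(shadows, moment):
    """Only snapshots taken before `moment` can still hold a file deleted at that time."""
    return [s for s in shadows if s.created < moment]


def mklink_command(shadow, link_dir):
    """mklink needs the trailing backslash on the device path, as in the transcript above."""
    return f"mklink /d {link_dir} {shadow.device}\\"


def shadow_path(shadow, local_path):
    """Re-root a live path (drive letter stripped) under the shadow device."""
    _drive, _, rest = local_path.partition(":")
    return shadow.device + "\\" + rest.lstrip("\\")


def deleted_since_snapshot(live_names, shadow_names):
    """Names present in the snapshot but gone from the live folder: recovery candidates."""
    return sorted(set(shadow_names) - set(live_names))


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["vssadmin", "list", "shadows", "/for=c:"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_VSSADMIN
    deleted_at = datetime(2014, 3, 3, 0, 0, 0)  # assumed local time of the deletion test
    for s in shadows_before(parse_vssadmin(text), deleted_at):
        link = f"c:\\shadow_copy{s.index}"
        print(f"{s.created:%Y-%m-%d %H:%M:%S}  {mklink_command(s, link)}")
        print("   ", shadow_path(s, "C:\\Users\\<UID>\\Documents"))
```

Running it against the real vssadmin output needs an elevated prompt, as the transcript above shows. Comparing the live folder listing with the listing inside each snapshot (deleted_since_snapshot) turns the manual "sure enough, the files were still there" check into a list of names that can be copied out through the symbolic link, one snapshot at a time, oldest first.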
Conclusion
Volume shadow copies will remain accessible on secondary storage devices in cases, as before, but it will become more important to also collect removable storage devices and look for File History evidence, not just as a single source but also to corroborate evidence located in volume shadow copies and to show human interaction with the digital data. The long history of file changes might reveal human intent with respect to the manipulation of that data. As always, understanding the process is the IT part; interpreting the relevant artifacts and connecting them to human interaction is what forensic investigations are all about.