Hi, I'm Ken Johnson. Thank you for coming. Today we're going to talk about File History and how to deconstruct its database catalog. I am a senior associate at KPMG. I examine evil: I chase the bad guys, I pick apart malware, I look at your network and tell you everything that you're doing wrong. Depending on which client you ask, I'm a harbinger of bad news. They don't like me at all, especially when I'm on a plane getting ready to fly out and I say, "Hey, check this IP." "Yeah, we see it." "Yeah, it's bad, you're infected." "No, we're not. How do you know that? It's a zero day." "I know." Thanks.

Today we're going to identify the key artifacts of the File History catalog and how we can use them for forensic analysis, to actually see what files were on our system without doing a deep dive into the MFT file table. So, File History: what is it? It is a backup solution that is integrated into Windows 8, 8.1, Windows 10, and more than likely anything else Windows that's out in the future. It is off by default, but it's enabled per user, by the user. It does automatic backups and it's very configurable: you can decide how long you're going to retain the backups, how long it backs up for, the frequency that it backs up, and where it backs up to. So when
you're going to configure File History, if you're looking at it initially this is what it looks like. You get "File History is off"; in this case I would be backing up to my removable disk drive E, and that's the size I've got to back up into. In Windows 10 it's a little bit cleaner, and it says it's on. Again, I'm backing up to my removable drive E, and it shows when I last backed up. A difference between Windows 8 and Windows 10 is that in Windows 10 I can now click "Run now" instead of having only a set schedule. So if I made changes and, let's say, it backs up every six hours but I need it done now, I can do that.

This is what it looks like when it's on, on Windows 8; again, we don't have the "Run now" option. In our File History we can decide how frequently it backs up: every 10 minutes, 20 minutes, every hour, every 12 hours, once a day. We can decide how much of the disk space it's going to write to and cache locally. The reason it'll cache locally is in case my backup location is not available, such as a network issue, it being down, or you not having your thumb drive plugged in. And we can decide how long it'll be retained for: are we going to delete monthly, every year, every two years, or are we going to require the
user to delete these files? So again, the File History benefit: it's an automatic backup when it's turned on. Once you have it turned on you can forget about it; as long as it's got the connection, once it reconnects it backs up. It'll create a new version for every pass it backs up. It also retains all your previous versions. Like I said, it's good to back up user data; it lessens the impact, it's a lot easier to recover, and it's integrated into Windows 8 and Windows 10. One of the reasons why there's a lesser impact is that in the enterprise environment, if we have a nice malware coming through and the machine gets infected, you restore back and don't lose any of your user data.

So again: virus executed, system restore, go back to the File History, and we're back to normal. The artifacts created when you use File History: we've got registry entries, we have some event logs, we've got our configuration data, our catalog databases, and our non-sync data. The non-sync data will only be on the host, not on the backup location. On the storage location we've got our configuration files, our catalog database, and our sync data. This is where we can find
artifacts. On the host they'll be under the user profile of the account that turned on File History, or on the remote storage. For example, we've got my file history testing the new location, my username and the machine that it's from, and beneath that I've got my Configuration and my Data sets. Within the configuration data you have Catalog1 and Catalog2, which are identical backups, and Config1 and Config2, which are identical configuration. That's what the configuration file looks like. It will tell you when it's backing up, where it's backing up from, and what directories it's backing up. By default Windows 10 will back up all the directories that Microsoft creates, so your Documents, Desktop, Favorites. If you've got Windows Live, it'll also back up anything from your Live directory that's stored locally as well; that's new in Windows 10. It also tells you where it's going to back up to.

So in here we've got the username and the friendly name. The friendly name is inherited if I'm using a Windows Live account, so whatever my Windows Live ID is will show there. Then the PC name that it's turned on, and the user ID, which is unique to the PC that you're on. Getting into the libraries, we have our Videos folder, our Music, our Documents; this is all default Windows. If I add a new one it'll be called a user file. The catalogs are under the configuration: the Catalog1 and Catalog2 databases. Then the size that we're going to be backing up to, how much we're going to allow it to use. In this case it tells you if the retention policy is disabled or enabled, how long we retain it for, the frequency in seconds, and, if it's enabled, where we're backing up to. In this case it's a remote server; that's the file path on that remote server. We can see that the host share "File History new location" is where I'm backing up to. When the drive is at 98% full it gives me a nice warning. So it tells you if it's a removable drive or a remote drive: it says the target drive is remote, or for removable it's removable. It also gives you the GUID of the volume.

This is what it looks like when you look at the backup folder. As you see, each one of our directories has its own directory in there. This is what our files look like: each one is appended with the UTC time when it was backed up. So our catalog, which is very important, contains every transaction that it's done on its backup: when it backed it up, the strings, the file paths. This allows you to actually figure out what was on the box, what's now no longer on the box, the duration that it was on the
box, or at least in that location. And like I said, this is going to be found in our Catalog1 database file. I use either WoanWare or NirSoft. The WoanWare one throws some errors using Windows 8 and Windows 10 unless I do it from a thumb drive; once I do it from a thumb drive it's fine, but I can export all my tables at once. The NirSoft one, I've never had an issue with it on any OS I've run it on, but I have to export my tables individually. So this is what it looks like in my WoanWare, and the one where I can actually browse to my different tables and get my information. At this point it's very confusing; you have to bounce back and forth to be able to understand what you're looking at. This is what NirSoft looks like. NirSoft is almost as convoluted and confusing, but this tells you when it was backed up. Doing this research and looking at it, you're bouncing back and forth between the tables making notes. It's fine if you only have half a dozen entries, but consider that it backs up everything in those directories, including the desktop.ini. Very quickly it gets
unmanageable. So our catalog tables are MSysObjects, backupset, file, global, library, namespace, and string. String is pretty much the only one that is what it sounds like: it's the strings of the file paths and file names. The MSysObjects table is basically our data schema; there's very limited information in there from an analyst aspect. The backupset table allows you to track the session number and timestamp, so you can understand when the backup process happened, and also be able to compare when it was there and when it's not there. The table columns on there are id and timestamp.

The file table tracks our information related to the files that we're backing up: last known file path on the host, file size, when it was backed up. We've got the id, the parent, the child, the state. The tCaptured is the cycle that it was first found in. The tQueued is that we're waiting for it to be backed up, so if you do not have your backup location there, it's when it was queued. As long as it's been backed up there will not be a queue entry there, or a valid queue entry will be the most recent one. And tUpdated is when it was last updated.

The global table is the last successful backup time, the target directory size, and other values based on where you're backing up to. Here's our global table; there's quite a bit of information, but there's four or five fields that you're interested in. The library table tracks the individual libraries that are to be backed up, so whenever you add a new one it'll be entered here, based on the string and everything else: the child id, the id for the table, when it was created, is it still visible. If there's any number in there besides the 2147 value, that value is when it was last seen in that path; so if they move it, it'll change to the new path, which is then updated to a new entry.

So the namespace table tracks our information related to the file and the library location. It'll include the file name, the path, the attribute metadata, and the MAC times for the file. This is important if you're doing some file analysis on "hey, when was this on my box?" All that's stored in the database. That way, again, you don't have to do your MFT, you don't have to recover it, it's all right here. It's all based off the USN journal value for the file. The namespace, the file attributes, we share that again: this is the original file, not the backup file. It's the file as it was on your host machine: when it was created, when it was modified, the parent id, the status of it when it was first there, the USN journal entry that it was created in or updated in. And the string table is again the file path, file directory, file name, all of that. So when I do my analysis on this I look at the backupset, the namespace, the strings, and the file table. The old way, before I started doing some Access or Excel, I guess, was to come in here.
So right here on our namespace, the child id of 20, and 38 for the file attribute. So for the child id of 20, parent id of 21, I would have to then come back to my namespace or my strings, and we'd have to come down here. So file 20 was my desktop.ini and it was in my LS; "UP" is user profile, "PP" is public profile, so if you see those it gives you an idea of where they're stored. This gets very time consuming when we are doing our research, so like I said, if you've got multiple ones you're tracking, you're taking notes. So I went ahead and created a spreadsheet that will do all the analysis for us. This is what it looks like. You start by having to upload or import the values of each of the tables that you want to record, and then once they're all input you go into the initial tab, and let's hope this works.

So now we have our values. We have my file here, which was found in this location; that was the USN journal entry value; that's when it was modified; this is when it was created, based on the MAC time of the original file; this is when it was last modified; this is the first File History instance that it was found in; and this is the last one. So if we've got a date in here, it was either moved or deleted from that location. So now we can actually quickly run through and see what files we still have on the box, where they were at, and whether or not they're still present, without having to go back and cross-reference the strings to the backup sets to the namespace. So it's much quicker, it's much easier.

And when you're done we actually have a cleanup, and it goes through and deletes everything, so you can save it off and then you're ready for the next
one. And we're done. So, any questions on this aspect? Yes?

[Audience: The application of this, really, is if you were to, say, boost someone's flash drive that they've been backing up to, you could go through this and easily pull out possibly sensitive data?]

Or you could do that. Your law enforcement: you grab a box, the guy says, "No, I don't have any kiddie porn on here, I've deleted it." "Oh, look at these thumb drives. Oh, look in this catalog database, I can actually see your kiddie porn directories, and these are when you had it on here." Or if you find a collection of other thumb drives and you're looking at a single laptop and you come across three different File Histories, each pointed back to a different machine, now you've got more systems you can actually look at, because now you know where else he's had access to and what else he's backing up to. With this pulling back the Windows or the OneDrive from Microsoft, anything that he has on the cloud that he also has synced locally, you now can have a copy of. So it gives you a better idea of what's there. Usually, if you want to know if a file that's been deleted has been on a system, you either drop it into EnCase, FTK, or X-Ways and look to see if it's in deleted files, or you carve the MFT, the USN journal. If it's in a location that's being backed up, it will show up here; it was in the backup cycle. So that way you don't have to carve the MFT, you don't have to pull that out; this is one file you have to pull. Yes sir?

So the question is: can I lock this down using Group Policy? Unfortunately it's either on or it's off. By Group Policy? Nope, it's either on or it's off. Microsoft, there's been talk that they may change that, but their idea is they want a user to be able to quickly back it up. There's a lot of risk right now in the enterprise with allowing the users to enable it, just because people are not backing up to secure locations. Yes sir?

[Audience: I guess, once again talking on the subject of security, you know, it's a cool feature, thanks Microsoft for offering it, but do they offer any sort of encryption option for it on that level too?]

If you are backing up to an encrypted drive, it's encrypted. It's your responsibility for encryption. So the question was: does Microsoft offer any encryption in it? It's like almost any other backup software: if you want encryption you have to add it. Yes sir?

[Audience, partly inaudible: ... try to recover files if you ...]

It depends on where it's backed up and how bad that is. So the question was: if my file or my machine is compromised
by ransomware, can I use this to back it up? So like I said, it depends on where it's being backed up to. If the ransomware has already infected that backup location, there's nothing we can do. If you back it up nightly to a thumb drive and you disable and remove that thumb drive, there's a chance you can pull it back.

Windows 8: does anybody have Windows 8 or Windows 10 in the enterprise, or any familiarity with it? So with Windows 8 they released three different recovery options. You have your old standby of the restore point, that we all know and hate. Then they also offered a refresh and a reset. So the refresh, there's two options with that: either the default system refresh or a custom refresh. The default is everything that has been installed on the box from Microsoft: when you go to refresh it, it refreshes everything back, or anything you bought from the Microsoft Store, so your Office applications are there, but not your custom stuff. So like when I redo my forensic box, my EnCase has to be reinstalled, all my malware tools have to be reinstalled, if I use that option. Or I can do a custom option, and that's where I install my system, get it exactly how I want it, then I create a gold build as my refresh. So now if I ever get hit with a virus, or for my yearly cleanup of my stuff, I just refresh back. I've had some luck with ransomware doing that, but not enough to feel safe with it. For me, if I'm getting hit with ransomware, I'm just blowing it away; I'm not concerned about it. Of course I keep my data in like five different areas, so it's paranoia. They also offer a, what is it, reset. The reset is their re-wipe and reinstall of the OS. It either marks everything as deleted and installs a brand new OS, or it does a random wipe across the hard drive and then installs the OS.

So Microsoft's got some options for recovery, but if you're using File History and you're backing up to a remote location, and then let's say you do a reset or a restore: the restore will actually keep your user-created files, so you don't lose those, but on a reset I can then link back to my File History directory and then restore everything from there. So there's options, but again, it's malware: how safe do you honestly feel? I mean, you've already got it in there once; are you sure you've gotten rid of it? My belief is, if I've got infected, I'm blowing it away. So any other questions? Yes ma'am?
[Audience question, inaudible.]

So, File History in Windows 8 is the new version of Previous Versions; they've kind of rolled it away, but it still runs on the same concept.

[Audience: Sounds like that's (inaudible).]

Yeah, but it's... to answer it, it is, at the same time. It's the same thing. So this is one of my backup locations, and as you can see, it'll append it with the most recent timestamps. I can actually have multiple versions in there, and this is stored offline.

And there is a way to... so Microsoft decided that if you have OneDrive you can't back up to OneDrive using File History, because they don't trust OneDrive. You also can't back up to a hard drive on the local machine; again, if your machine gets compromised you want to be able to save it. But actually, if you map those back as a network share, Microsoft doesn't understand that, and you can back it up to OneDrive, you can back it up to another hard drive on the box. Any other questions? Okay, so let's do the dangerous stuff, and this is what I love about File History. So there is a
configuration point of File History that, once you know what you're looking for, becomes very dangerous, and it's fun from a red team aspect. So in our configuration file, the line that I like is this string right here; that's what I get the best hits on. So we go to Google, we type in that string, and actually they've gotten some more, gotten better, but this used to be what I'd see on all of them. So we have our unsecured NAS that they're backing up Windows 8 to, or Windows 10; they're backing up all their files to it. There's our configuration file, so then I go to see the configuration, where I can actually see it. So on Dan's laptop, and I feel I have the right to pick on Dan because I've talked to Dan before, so that should be data: there's our C drive, there's our Users, there's Dan's account. Let's take a look at Documents; we have documents now. So it's kind of fun from a user standpoint.

But last year I presented this at (ISC)² and ASIS in Atlanta, and that's a big physical and digital security conference, and I was going through my deck and I was looking at some of my use cases, my demos of this, and I'm like, that company name looks familiar. They were one of the vendors downstairs. One of their CEOs who left like four years previously had all of his data, had all of their data. I knew their financials for the last 15 years, I knew all their HR, I knew everything about this company, because they allowed... again, this goes back: it's not a File History issue in itself, it's an end-user issue; it's security around our data. Once he left the network, once he left the company, he never had the access to it anyway, but it was being backed up on his own home server, on his home boxes, to a NAS. Based on timestamps and everything else, recon, he hadn't touched it in years, but that doesn't mean I didn't access it; it doesn't mean somebody else didn't access it. So I went down and actually talked to them. At first they didn't believe me, so they sent somebody up to my talk. I blacked out all their data, but the guy's like, "that name does look familiar." So when he came up I actually showed him where it was, after the talk. So the whole thing is: this is a great tool, but at an enterprise level, if you're not securing it, if you're not locking it down, and you allow your users to back up to a location you're not controlling, there's a very good chance that this data is out.

When I first started doing this research about 18 months ago I had 10 pages on Google of this data, and those were the first 10 pages. It's gone down now; I don't see nearly as many. I'm disappointed. There's an FTP site that actually will grab all these, because they see these as FTPs, and you can search on this, and I've seen Fortune 10 data out there. Because we're pushing data out to our users, we're not understanding what we're giving them permission to, and we're afraid to lock things down. So from an attacker standpoint, now, since I know how to deconstruct a catalog, I can get any data set up there, I can know what else he's had access to, I can know if he's actually worth trying to phish, trying to get more information from, and what else may be on that computer that I may have interest in. So this is all fun, it's all games, but it's also very dangerous in what we do. So any questions on that aspect? All right, thank you. [Applause]
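The cross-reference the speaker describes (joining the backupset, string, namespace and file tables of the File History catalog into a per-file "first seen / last seen / still present" view, the job his spreadsheet does), as an added worked example. This is not the speaker's spreadsheet or any code from the talk. The rows are constructed sample data standing in for tables exported from Catalog1.edb with an ESE viewer, and the column names (parentId/childId, tCaptured, tQueued, tUpdated, fileCreated/fileModified, usn) follow the talk's description rather than the database's exact schema, so treat them as assumptions to be mapped onto a real export.

```python
"""Rebuild a per-file timeline from File History catalog tables.

Constructed sample rows stand in for backupset, string, namespace and file
tables exported from Catalog1.edb. Column names follow the talk's
description and are assumptions, not the exact ESE schema.
"""
import sqlite3
from typing import Dict, List, Tuple

# backupset: id, timestamp of the backup cycle (constructed)
BACKUPSET: List[Tuple] = [
    (1, "2015-03-01T10:00:00Z"),
    (2, "2015-03-01T16:00:00Z"),
    (3, "2015-03-02T10:00:00Z"),
]
# string: id, path component; "UP" = user profile, as in the talk (constructed)
STRING: List[Tuple] = [
    (20, "desktop.ini"), (21, "UP\\Desktop"),
    (22, "UP\\Documents"), (23, "report.docx"), (24, "notes.txt"),
    (25, "UP\\Downloads"), (26, "invoice.pdf"),
]
# namespace: id, parentId (directory string), childId (name string),
# fileAttrib, created/modified times of the ORIGINAL host file, usn (constructed)
NAMESPACE: List[Tuple] = [
    (100, 21, 20, 38, "2015-02-20T08:00:00Z", "2015-02-20T08:00:00Z", 1000),
    (101, 22, 23, 32, "2015-02-25T09:30:00Z", "2015-03-01T15:00:00Z", 1800),
    (102, 22, 24, 32, "2015-02-27T11:00:00Z", "2015-02-27T11:00:00Z", 1500),
    (103, 25, 26, 32, "2015-03-01T12:00:00Z", "2015-03-01T12:00:00Z", 1900),
]
# file: id, parentId, childId, fileSize, tCaptured (cycle first found),
# tQueued (cycle waiting for the target, 0 = none), tUpdated (cycle last updated)
FILE: List[Tuple] = [
    (200, 21, 20, 282, 1, 0, 3),
    (201, 22, 23, 40960, 1, 0, 3),
    (202, 22, 24, 1024, 1, 0, 2),   # not updated in cycle 3: moved or deleted
    (203, 25, 26, 55000, 2, 0, 3),  # first appeared in cycle 2
]

SCHEMA = """
CREATE TABLE backupset(id INTEGER PRIMARY KEY, timestamp TEXT);
CREATE TABLE string(id INTEGER PRIMARY KEY, string TEXT);
CREATE TABLE namespace(id INTEGER PRIMARY KEY, parentId INTEGER, childId INTEGER,
    fileAttrib INTEGER, fileCreated TEXT, fileModified TEXT, usn INTEGER);
CREATE TABLE file(id INTEGER PRIMARY KEY, parentId INTEGER, childId INTEGER,
    fileSize INTEGER, tCaptured INTEGER, tQueued INTEGER, tUpdated INTEGER);
"""

# One join replaces the manual hop string -> namespace -> file -> backupset.
TIMELINE_SQL = """
SELECT d.string || '\\' || n.string AS path,
       ns.fileCreated, ns.fileModified, ns.usn, f.fileSize,
       first_bs.timestamp AS first_seen,
       last_bs.timestamp  AS last_seen,
       f.tUpdated = ?     AS present,
       f.tQueued
FROM file f
JOIN namespace ns ON ns.parentId = f.parentId AND ns.childId = f.childId
JOIN string d      ON d.id = f.parentId
JOIN string n      ON n.id = f.childId
JOIN backupset first_bs ON first_bs.id = f.tCaptured
JOIN backupset last_bs  ON last_bs.id  = f.tUpdated
ORDER BY path
"""

COLUMNS = ["path", "created", "modified", "usn", "size",
           "first_seen", "last_seen", "present", "queued"]


def build_timeline(backupset, strings, namespace, files) -> List[Dict]:
    """Load the four tables into an in-memory SQLite db and return one dict per file."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO backupset VALUES (?,?)", backupset)
    con.executemany("INSERT INTO string VALUES (?,?)", strings)
    con.executemany("INSERT INTO namespace VALUES (?,?,?,?,?,?,?)", namespace)
    con.executemany("INSERT INTO file VALUES (?,?,?,?,?,?,?)", files)
    latest = con.execute("SELECT MAX(id) FROM backupset").fetchone()[0]
    rows = []
    for rec in con.execute(TIMELINE_SQL, (latest,)):
        row = dict(zip(COLUMNS, rec))
        row["present"] = bool(row["present"])   # still in the newest cycle
        row["queued"] = row["queued"] != 0       # waiting for an unreachable target
        rows.append(row)
    con.close()
    return rows


def missing_files(rows: List[Dict]) -> List[Dict]:
    """Files whose last update predates the newest cycle: moved or deleted
    from the backed-up location some time after last_seen."""
    return [r for r in rows if not r["present"]]


if __name__ == "__main__":
    for r in build_timeline(BACKUPSET, STRING, NAMESPACE, FILE):
        state = "present" if r["present"] else "gone after " + r["last_seen"]
        print(f"{r['path']:<28} first {r['first_seen']} last {r['last_seen']} {state}")
```

Against a real catalog, export the four tables to CSV with one of the viewers mentioned in the talk, load them with the csv module in place of the constructed lists, and adjust the column names to what the export shows; the join itself does not change.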