Every now and then, I get email from readers who have difficulties, and some areas come up more often. I also learn a few things as time goes by, and I gain some valuable pointers from colleagues who share my interests. Therefore, I want to update or amend a few procedures as well as review some of the more basic steps that folks may overlook.
1. Building and booting UEFI/GPT systems and remembering the registry edit
A little while back, I posted on building VMs from UEFI/GPT systems, found most often in Windows 8. Since then, I’ve seen more of these outfits arrive in my shop, as the use of Windows 8 and large disks grows. If you document your target system before an exam, which requires accessing the setup in most cases, you’re sure to recognize that the setup doesn’t resemble the BIOS of old. There’s a sample screenshot in the above post. Even if you dive straight away into your exam, you’ll find a clue when you study the partitioning of your target image file:
X-Ways Forensics users will receive the answer to the clue without having to guess. The GPT partitioning style with the four partitions, including the MS reserved partition, means that you have a UEFI system. The FAT32 partition likely holds your EFI boot data:
The first reminder is that we usually must edit the registry and at least one user’s password to boot into Windows 8. Since the beginning of my blog, I described how to build your VM by selecting the option for a SCSI disk in VMware.
That option required an edit to the registry to enable the LSI SCSI service to start on boot:
After mounting our VM, we loaded the target’s System hive into our own registry. We navigated to the proper control set’s Services key and then to the LSI_SCSI subkey. There, we edited the Start value’s data to 0x00, as above.
Well, what happens if you find a System hive that looks like this:
As you can see, there is no LSI_SCSI key. If you find this to be the case, you have a couple of choices. You can start over and select the LSI Logic SAS option as in the Virtual Machine Wizard screenshot above that displays the controller types. Then, edit the registry by setting the first LSI_SAS controller’s Start value data to 0x00. A quicker alternative is to edit the mounted registry hive and your VMX file by replacing the highlighted line in the next screenshot with the one that follows. Of course, if you examine the target registry in your forensic tools you can determine the configuration before you even consider building a VM.
Replace the above parameter with this one:
Please don’t forget to insert the firmware = “efi” parameter that I described in earlier posts! If you edit the VMX and your VM hangs, reboot into the Boot Manager, which you usually can access by pressing F2 a few times during the boot process. There, just select the virtual VMware Virtual SCSI disk and hit Enter.
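The registry part of the procedure above (load the target’s System hive, find the current control set, check the LSI_SCSI or LSI_SAS service and set its Start data to 0) can be scripted so that you see what the hive contains before you change anything. The following PowerShell is an added example, not code from the original post. It assumes you run it elevated on your examination machine, that the target’s SYSTEM hive is reachable at a path you supply (for a mounted VM disk, Windows\System32\config\SYSTEM), and that the temporary mount name HKLM\TargetSys is free. The service names, the Select\Current lookup and the meaning of Start = 0 (boot start) are Windows conventions; the function name and parameters are this example’s own.

```powershell
<#
  Added example (not from the original post): inspect an offline SYSTEM hive and
  report, or with -Apply set, the Start value of the VMware SCSI controller services.
  Assumptions: elevated session, -HivePath points at the target's SYSTEM hive,
  HKLM\TargetSys is not already in use.
#>
function Set-OfflineScsiBootStart {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$HivePath,

        # Mount point under HKLM for the loaded hive (must not already exist).
        [string]$MountName = 'TargetSys',

        # LSI_SCSI backs the wizard's "SCSI" choice, LSI_SAS the "LSI Logic SAS" choice.
        [string[]]$Services = @('LSI_SCSI', 'LSI_SAS'),

        # Without -Apply the function only reports; nothing in the hive is written.
        [switch]$Apply
    )

    if (-not (Test-Path -LiteralPath $HivePath)) {
        throw "SYSTEM hive not found: $HivePath"
    }

    # reg.exe loads the hive; the HKLM: provider itself cannot mount hive files.
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE); is the session elevated?" }

    try {
        # Select\Current names the ControlSetNNN the target actually boots from.
        $current    = (Get-ItemProperty -Path "HKLM:\$MountName\Select" -Name Current).Current
        $controlSet = 'ControlSet{0:D3}' -f $current
        Write-Verbose "Target boots from $controlSet"

        foreach ($svc in $Services) {
            $keyPath = "HKLM:\$MountName\$controlSet\Services\$svc"
            if (-not (Test-Path -LiteralPath $keyPath)) {
                # The "no LSI_SCSI key" case from the post: report it and move on.
                [pscustomobject]@{ Service = $svc; Present = $false; Start = $null; Changed = $false }
                continue
            }

            $start   = (Get-ItemProperty -Path $keyPath -Name Start -ErrorAction SilentlyContinue).Start
            $changed = $false

            # Start data: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled.
            if ($Apply -and $start -ne 0 -and $PSCmdlet.ShouldProcess($keyPath, 'Set Start = 0 (boot start)')) {
                Set-ItemProperty -Path $keyPath -Name Start -Value 0 -Type DWord
                $changed = $true
            }

            [pscustomobject]@{ Service = $svc; Present = $true; Start = $start; Changed = $changed }
        }
    }
    finally {
        # Drop handles the provider may still hold; otherwise reg unload reports "access denied".
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Report only (path is a constructed example of a mounted VM disk):
# Set-OfflineScsiBootStart -HivePath 'E:\Windows\System32\config\SYSTEM' -Verbose
# Make the change, confirming each key:
# Set-OfflineScsiBootStart -HivePath 'E:\Windows\System32\config\SYSTEM' -Apply -Confirm
```

Running it without -Apply first gives you the same answer the post recommends getting from your forensic tools: which of the two services exists in the target, and what its current Start data is, so you can pick the matching controller in the wizard before you build the VM rather than after it hangs.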
2. Password removal
Back here, I described the Windows 8 feature that allows users to log on to their systems with MS Account credentials. This feature allows both local and online logon. The required password strength makes a hash attack a little more difficult. However, the most important thing to remember is that, to gain access to the system, a password is required. You cannot “blank” the password using tools like the Linux-based boot CD or NTPwedit. You must change the password. Although some tools ostensibly allow you to change the password, I’ve found that they fail in that regard. I still know of only one tool (commercial, but cheap) that works: Reset Windows Password (RWP), which is available at http://www.passcape.com/reset_windows_password and produced by Passcape Software. I described its use and a UEFI workaround process here.
The workaround arose from the need to edit the password on a UEFI/GPT MS Account system with a tool on a bootable ISO/CD. In hindsight, I should have suggested a quicker approach, which I will describe here. As seen in one of the above screenshots, we edited our VMX file to enable the EFI firmware. Passcape’s RWP is not yet available for use on a bootable UEFI USB device. So, if you use RWP or any tool on a bootable ISO, you need to re-edit your VMX as follows:
Once you re-edit the VMX file, you can boot to a non-EFI medium. Just remember to change it back to EFI thereafter, or your system will not boot to Windows (“operating system not found” message). I’ll add that RWP also allows you to invoke regedit and several other utilities directly from within the application.
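Both VMX edits in this post, swapping the SCSI controller model in part 1 and flipping the firmware between EFI and BIOS to boot a legacy rescue ISO here, are a matter of rewriting one `key = "value"` line, and forgetting to flip the firmware back is exactly what produces the “operating system not found” message. The following PowerShell is an added example, not code from the original post, that makes those edits idempotently and keeps a backup. The VMX keys `firmware` and `scsi0.virtualDev` and the values `efi`/`bios` and `lsilogic`/`lsisas1068` are VMware’s own names; the post’s screenshots are not reproduced here, so which exact line they show is my assumption, and you should compare the values against your own VMX before relying on them.

```powershell
<#
  Added example (not from the original post): set or replace VMX parameters in place.
  Assumptions: VMware VMX syntax  key = "value"  (one setting per line, keys
  case-insensitive); the key/value names used in the usage lines are VMware's,
  but which line the post's screenshots highlight is not known here.
#>
function Set-VmxSetting {
    param(
        [Parameter(Mandatory = $true)][string]$VmxPath,
        # key -> value, e.g. @{ firmware = 'bios' }
        [Parameter(Mandatory = $true)][hashtable]$Settings
    )
    if (-not (Test-Path -LiteralPath $VmxPath)) { throw "VMX not found: $VmxPath" }

    # Keep the original: a VM that hangs after an edit is easier to recover with it.
    Copy-Item -LiteralPath $VmxPath -Destination "$VmxPath.bak" -Force

    $lines     = Get-Content -LiteralPath $VmxPath
    $remaining = @{} + $Settings      # copy; keys removed from it as they are matched
    $out = @(foreach ($line in $lines) {
        if ($line -match '^\s*([^=\s]+)\s*=\s*"(.*)"\s*$' -and $Settings.ContainsKey($Matches[1])) {
            $key = $Matches[1]
            $remaining.Remove($key)
            '{0} = "{1}"' -f $key, $Settings[$key]   # rewrite the matched line
        } else {
            $line                                     # leave every other line untouched
        }
    })
    # Keys the file did not have (e.g. no firmware line at all) are appended.
    foreach ($key in $remaining.Keys) { $out += '{0} = "{1}"' -f $key, $remaining[$key] }

    Set-Content -LiteralPath $VmxPath -Value $out -Encoding ASCII
}

# Constructed example path. Part 1: target hive has LSI_SAS, not LSI_SCSI, so use the SAS controller.
# Set-VmxSetting -VmxPath 'D:\VMs\target\target.vmx' -Settings @{ 'scsi0.virtualDev' = 'lsisas1068' }
# Part 2: boot a non-EFI rescue ISO, then restore EFI or Windows will not be found.
# Set-VmxSetting -VmxPath 'D:\VMs\target\target.vmx' -Settings @{ firmware = 'bios' }
# Set-VmxSetting -VmxPath 'D:\VMs\target\target.vmx' -Settings @{ firmware = 'efi' }
```

The controller value has to agree with the service you enabled in the target’s registry: the post pairs the wizard’s plain SCSI option with LSI_SCSI and the LSI Logic SAS option with LSI_SAS, and a mismatch between the two is one of the common reasons the VM boots to a stop error rather than to the logon screen.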
3. Shadow Volumes and Russian Dolls
This is another topic that folks bring up occasionally. If we mount a shadow volume directly from an image or from an image that we boot in VMware, we’ll find that the shadow volume, itself, contains a System Volume Information (SVI) folder that contains shadow volumes. Let’s say that we mount a shadow volume that was created on October 1, 2014, and was the earliest shadow volume in our target system. When we look in the SVI folder of that mounted shadow volume, we may find a shadow volume that was created on September 1, 2014. Now, it seems logical to assume that we can mount the latter shadow volume and go back in time even further, perhaps to the date when the system first was used. We can’t. I’ve tried a few approaches, including running vssadmin against the mapped shadow volume and attempting to boot the mapped shadow volume. Neither method worked. I wasn’t able to boot a shadow volume, even by reconstructing a physical disk with that volume. I also ran this theory by one of the world’s leading Windows forensics experts, Troy Larson, who, not surprisingly, thought about this concept long before I did. In short, Troy suspected that the shadow volume files and other data within a mounted shadow volume were incomplete and could not be reliably processed by the system. Remember that shadow volumes really are “difference” files that depend on one another, and inconsistencies in any of them can affect their functionality.
NOTE: I’d like to direct readers to the comment posted by Joachim Metz. He’s done a great job of documenting shadow volumes and provided a link to a paper that he published. His comment and paper may provide the precise answer.
For those who want to play around with UEFI, VMware has a preview edition available that affords some undocumented (buggy) enhancements, so be careful if you give it a shot. That’s all for now.