Tuesday, March 12, 2013

How to forensic examine a drive with PC Back / Rollback Rx and with an active Windows password.

Some computer vendors sell OEM copies of Windows with pre-build clean snapshots: if a customer wishes a full cleanup (after been infected by virus, for example), all he has to do is to press a key during boot, and the computer shortly becomes as it was when came from the store.

This is possible because they use a piece of software that applies rootkit techniques to mask the HD contents: the software remaps the disk sectors on the fly, so the disk Windows sees is not the same disk that would appear if the disk was plugged in as an external drive.

The effect of this in forensic is disastrous: when a examiner tries to use forensic tools to access the drive's filesystem, all he sees is the pre-build one, with no user created content.

But, when an image of the drive is booted in a virtualized enviroment (or as primary drive in a real computer), the more interesting user modified content appears, since the snapshot software is loaded in initialization and is allowed to do it's tricks.

Some copies of PC Back / Rollback Rx are shipped with a boot screen that allows to manage snapshots (activated with the Home key), but some vendors (like Positivo) uses copies with limited functionality in which the only available choice is to rollback to the factory default installation.

So, the first solution is to simply:

1-(not fully tested)-Try to access the management screen

  1. Image the drive.
  2. Boot the copy (virtually or in a real computer, your choice).
  3. Press 'Home' during boot.
  4. If the management screen appears, try to delete the factory snapshot.
I wasn't luck enough yet to pass step three, since the versions I came across were all limited and didn't offer the management screen at all.

Maybe this could be done buying a full version of the software. Or maybe not, who knows?
Well, let's include this as an untested solution:

2-(untested)-Buy the full program 

  1. Contact the developers and ask for free help.
  2. On failure, ask for payed help.
  3. On success, let us know that it worked.

The third, and natural (and tested), solution would be: 

3-Boot a copy of the drive and mirror itself from inside

  1. Image the drive.
  2. Boot the copy (virtually or in a real computer, your choice).
  3. From inside the running copy, use some program like FTKImager to copy the drive again.
This solution may present two problems:
  1. Prograns running at initialization may erase important evidence.
  2. If Windows is configured with a unknown password, you won't be able to run FTKImager or anything else. You would end up stuck in the login screen. Chntpwd won't help eider, since the registry it sees is from the factory-default system, not the user modified one.
Then we reach the fourth, and more complex (and also tested), solution:

4ยบ-The find-BCD-replace-it technique

  1. Make 3 images of the drive: A, B and C.
  2. Put A as primary drive and B as secondary. Boot that (virtually or in a real computer, your choice).
  3. Restore the system to the factory-default state (A will be modified).
  4. Boot A and B again.
  5. Install EasyBCD on A.
  6. Use EasyBCD to make a second entry in boot menu, pointing to B.
  7. Export the new BCD to a file outside A and B (a pendrive will do). It is important that new BCD isn't bigger than the old one.
  8. Restart the system, hit F10, and select this new second boot option, to boot B. The factory-default system should be installed automatically in B.
  9. Shutdown the system.
  10. In a forensic station, use WinHex, bgrep, or whatever to find where in C is the working BCD. To do that, search the disk for all occurrences of "NewStoreRoot". For each occurrence, locate the string "regf", a few bytes back (4000 or so). That's a possible BCD beginning position candidate.
    • Example using bgrep in linux: 
      • #bgrep '4e657753746f7265526f6f74' C.dd
      • Then find "regf" near each ocurrence:
      • #hexedit C.dd
      • Hit Enter, insert occurrence position, go up, find "regf", write down the position (be carefull with position truncation at the left column)
  11. For each BCD position candidate, copy the new BCD exported at step 7 over the candidate. This will replace the old BCD in the middle of the disk with the new one.
    • Example using linux (the candidate position here is 79951704064):
      • dd if=exportedBCD of=C.dd seek=79951704064 bs=1 conv=notrunc 
  12. After each try, prepare a system using C as primary drive and B as secondary.
  13. Boot C and B.
  14. At boot, hit F10 and check if the second boot option appears.
  15. If it does not appear, that's not the wright candidate yet. Go back to step 11 and try again.
  16. When the second boot option appears, select it. That will boot B, but will also work on C, so the user created content will be visible.
  17. B will boot, with a relatively clean OS, and no unknown password.
  18. C will show user created content.
  19. Use FTKImager or similar software to copy the first primary drive (C) to an external drive.
The find-BCD-replace-it technique could be adapted to find and replace sethc.exe or utilman.exe with cmd.exe, to just overcome the password problem. It would be a little simpler, but wouldn't avoid initialization of user installed programs.

Maybe this technique could work with other similar software, like COMODO Time Machine, Norton GoBack and RestoreIT, but I haven't tested it with those.