Tuesday, December 9, 2014

File History Research - Part 1

Greetings fellow blog readers, it has been a long time since I have posted something substantial related to my research.

Over the last year my research has focused on deconstructing the artifacts created by the File History service, which was introduced in Windows 8 and is still present in Windows 10.

I plan to release the full research over the next few months, but felt it was time to pass along some of the artifacts that I have identified.

Please provide any feedback or ask for clarification if it is needed.

Thank you.

**************

1.   Windows File History Overview

With the release of the Windows 8 operating system Microsoft introduced a new feature called File History which, if enabled, protects user-created files against system failure, file corruption or accidental deletion. By default the protected user data is found in the Microsoft-defined Libraries, Favorites, Contacts and Desktop directories. Users can also add custom directory locations to be protected by File History.

The File History feature is controlled by the File History Service; starting in Windows 8.1 this service replaces the Volume Shadow Service that handled the creation of Volume Shadow Copies and system restore points in previous versions. In order to use File History it must be enabled and configured by each individual user prior to use. Configuration options for File History include the backup location, which can be either a locally attached drive or a network share, how often modified files are saved, the retention policy, and the cache size on the target drive. The File History feature can also be disabled by group policy. (Snow, 2014)

File History allows a single active backup location for each account it is configured on, although multiple accounts can back up to the same storage location. For example, the account "BOB" can only configure File History to back up to one location at a time; if "BOB" would like to back up to a different location he needs to change File History to point to the new location. A location such as "Smith_Cloud_Storage", on the other hand, can hold the File History backups of both the users "BOB" and "SALLY".

File History is compatible with encryption such as Microsoft BitLocker and with the Storage Spaces feature newly introduced in Windows 8 and Server 2012. The target backup drive can be trusted and shared across local home networks with HomeGroups. (Mackie, 2012) Limitations of File History include that the backups are not block-level copies and that it is unable to back up EFS-encrypted files, because the service runs as a local user account. (Johnson, 2012)

1.1. Registry Artifacts

There are three locations in the registry that will contain File History values if the service has been enabled on the computer. One is under HKU while the other two are under HKLM.

A registry key is created in the NTUSER.dat file of each user that enables the File History service. This key is found at Software\Microsoft\Windows\CurrentVersion\File History. Within this key there is a value named ProtectedUpToTime, a 64-bit big-endian hex value; when decoded it shows when the last backup happened.

Another area of the registry that contains keys of interest is HKLM\System\Controlset001\Services\fhsvc. Within this key there is a parameters key that records the location of the configuration values for every user that has File History enabled on the system. The third location contains information on how File History interacts with the HomeGroup; it is the subkey HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\FileHistory. Its values indicate whether File History shares the backup location as a trusted location, the URL of the target directory, the drive mapping of the connected computer, the type of drive the data is being backed up to, and the share name of the location.

1.2. Config#.xml Analysis

The files config1.xml and config2.xml are created on both the host and the remote location. These XML files contain the configuration variables for the File History backup process. The artifacts that can be collected from the config#.xml files fall into one of the following artifact types:

Artifact Type            | Description
-------------------------+-----------------------------------------------------------------
Local Host Information   | Values identifying the local host: the UserName, FriendlyName, PCName and user GUID for the machine.
Library                  | Values referencing both the default Microsoft-defined libraries and the user-created libraries that are included in the File History backup.
Staging Area             | Values referencing where File History is cached when the target location is not available, and the maximum size of the staging area.
Policies Configuration   | Values referencing the frequency of backups and the length of retention.
Target Host Information  | Values referencing the target location that File History backs up to, including the TargetDrive, TargetName and the warning threshold for maximum size.

Understanding the config#.xml files makes it possible to identify unknown hosts that have access to a storage location, as well as unknown devices that have been used for storage.

1.2.1.   Local Host Artifacts

The local host artifacts identify the local host and the location of the configuration files. Their values are inherited from system information and from either the local user or the Windows Live account associated with the user that configured the File History service.

Artifact           | Description
-------------------+-----------------------------------------------------------------
UserName           | The account name that configured the File History service. This is the user profile name; it is either the local account name or the user's first name as registered with Windows Live.
FriendlyName       | The account's first and last name as registered locally or with the Windows Live account.
PCName             | The hostname of the computer on which this File History is configured.
UserID             | The unique GUID of the user on the computer on which the File History service is configured.
LocalCatalogPath#  | The path to the local Catalog#.edb file. By default this path should always be C:\Users\\AppData\Local\Microsoft\Windows\FileHistory\Configuration\Catalog1.edb

1.2.2.   Library Artifacts

The library artifacts describe the libraries that are included in the File History backup. The entries include both Microsoft-defined libraries and directories and user-defined libraries and directories. Each entry may contain a library ID and a folder path. The IDs are identical across Windows 8, Windows 8.1 and Windows 10. By default the File History process backs up the following libraries, with the associated library IDs and directories:

Library or Directory  | Description
----------------------+-----------------------------------------------------------------
Music                 | All locations on the local host where music files are stored, if the user included the location in the library. Library ID: *2112ab0a-c86a-4ffe-a368-0de96e47012e
Videos                | All locations on the local host where video files are stored, if the user included the location in the library. Library ID: *491e922f-5643-4af4-a7eb-4e7a138d8174
Documents             | All locations on the local host where user-created documents and similar files are stored, if the user included the location in the library. This also includes SkyDrive if it is enabled on the system. Library ID: *7b0db17d-9cd2-4a93-9733-46cc89022e7c
Pictures              | All locations on the local host where pictures are stored, if the user included the location in the library. Library ID: *a990ae9f-a03b-4e80-94bc-9912d7504104
Contacts              | A directory that stores user contacts. No library ID is associated with this entry.
Desktop               | The desktop directory; any item saved on the desktop that is not a .lnk file should be copied. No library ID is associated with this entry.
Favorites             | A directory that stores user favorites. No library ID is associated with this entry.

1.2.3.   Staging Area Artifacts

The staging area artifacts describe the local staging cache that is used to hold backup data when the target backup location is not available. The values seen here are the staging area path and the capacity of the staging area.

Staging Area Option          | Description
-----------------------------+-----------------------------------------------------------
StagingAreaPath              | The local path of the staging area used to cache backup files when the target location is not available. By default this path is C:\Users\\AppData\Local\Microsoft\Windows\FileHistory\Data
StagingAreaMaximumCapacity   | The maximum storage size of the staging area, in bytes.
StagingAreaWarningThreshold  | The threshold, in bytes, at which the user is warned that the staging area is nearly full.

1.2.4.   Policies

The policy artifacts describe the policies defined for the File History process. These cover retention, backup frequency, and behaviour when the target location is missing.

Policies Artifact       | Description
------------------------+----------------------------------------------------------------
TargetAbsenceTime       | The number of consecutive backup attempts for which the target backup location may be unavailable before the user is alerted. The default value is 5.
TimeInUnprotectedState  | How many File History states are retained while the target backup location is not available. The default value is 3.
RetentionPolicyType     | ENABLED or DISABLED, depending on whether a retention policy is set. The default value is DISABLED.
MinimumRetentionAge     | The minimum age, in days, for which a file is retained. The default value is 365.
DPFrequency             | The frequency of the File History backup process, in seconds. The default value is 3600.
DPStatus                | ENABLED or DISABLED, depending on whether the File History service is configured to run. The default value is ENABLED.

1.2.5.   Target

These values describe the target location that the File History process backs up to.

Target Artifact         | Description
------------------------+----------------------------------------------------------------
TargetName              | The name of the target backup location: a file path, a hostname, or the friendly name of a removable storage device.
TargetUrl               | The name of the target backup location: a file path, a hostname, or the friendly name of a removable storage device. If TargetName is a hostname, this value is the file path of the backup location on the target machine.
TargetDriveType         | The type of drive the File History backup is written to; values can be REMOTE or REMOVABLE.
TargetConfigPath#       | The path of the config#.xml file on the target location. The default value is \\Configuration\Config#.xml
TargetCatalogPath#      | The path of the catalog#.edb database on the target location. The default value is \\Configuration\Catalog#.edb
TargetBackupStorePath   | The path under which the File History backup data resides. The default value is \\Data
TargetWarningThreshold  | The capacity level at which the user is alerted. The default value is 98, i.e. 98% capacity.

Part 2 can be found here
