Monthly Archives: April 2016

Windows boot performance diagnostics. Part 1

Have you ever noticed your computer booting slowly, or taking a long time to restore its state from hibernation? Maybe you see delays during shutdown or hibernation? In this article I will show how you can use Event Log Explorer to find performance problems in the startup, shutdown, hibernate and resume processes.

Starting with Windows Vista, Microsoft provides a set of event logs for different system purposes. In Windows Event Viewer these logs live under a special branch, “Applications and Services Logs”. Windows records performance diagnostics events in the Microsoft-Windows-Diagnostics-Performance/Operational event log. To open this log in Event Viewer, expand Applications and Services Logs, then Microsoft, then Windows, then select Diagnostics-Performance and click Operational. In Event Log Explorer it is shorter: open your computer in the tree, open the Microsoft-Windows folder and click Microsoft-Windows-Diagnostics-Performance/Operational.

[Figure: Microsoft-Windows-Diagnostics-Performance]

Now you can see a list of diagnostic events. Note that events with the same event ID may have different levels: Warning, Error or Critical. The level appears to scale with how long the startup/shutdown phase took. Another observation: these events carry many important parameters internally, but you can't see them in the event description (Windows Event Viewer doesn't show them in the description either). The only way to see them is to double-click the event to open its properties and switch to the XML tab.

[Figure: diagnostics-performance event details, the event description compared with the XML tab]

Unfortunately, I didn't find detailed documentation for these events, so I did some research. First, I worked out the meaning of the events in Microsoft-Windows-Diagnostics-Performance:

Event ID Event Description
Boot Performance Monitoring
100 Windows has started up
101 This application took longer than usual to start up, resulting in a performance degradation in the system startup process
102 This driver took longer to initialize, resulting in a performance degradation in the system start up process
103 This startup service took longer than expected to startup, resulting in a performance degradation in the system start up process
104 Core system took longer to initialize, resulting in a performance degradation in the system start up process
105 Foreground optimizations (prefetching) took longer to complete, resulting in a performance degradation in the system start up process
106 Background optimizations (prefetching) took longer to complete, resulting in a performance degradation in the system start up process
107 Application of machine policy caused a slow down in the system start up process
108 Application of user policy caused a slow down in the system start up process
109 This device took longer to initialize, resulting in a performance degradation in the system start up process
110 Session manager initialization caused a slow down in the startup process
Shutdown Performance Monitoring
200 Windows has shutdown
201 This application caused a delay in the system shutdown process
202 This device caused a delay in the system shutdown process
203 This service caused a delay in the system shutdown process
Standby Performance Monitoring
300 Windows has resumed from standby
301 This application caused a delay during standby
302 This driver caused a delay during standby while servicing a device
303 This service caused a delay during hybrid-sleep
304 Creation of the hiber-file was slower than expected
305 Persisting disk caches was slower than expected
306 Preparing the video subsystem for sleep was slower than expected
307 Preparing Winlogon for sleep was slower than expected
308 Preparing system memory for sleep was slower than expected
309 Preparing core system for sleep was slower than expected
310 Preparing system worker threads for sleep was slower than expected
350 Bios initialization time was greater than 250ms (logo requirement) during system resume
351 This driver responded slower than expected to the resume request while servicing this device
352 Reading the hiber-file was slower than expected
System Performance Monitoring
400 Information about the system performance monitoring event
401 This process is using up processor time and is impacting the performance of Windows
402 This process is doing excessive disk activities and is impacting the performance of Windows
403 This driver is using up too many resources and is impacting the performance of Windows
404 This driver is waiting longer than expected on a device
405 This file is fragmented and is impacting the performance of Windows
406 Disk IO to this file is taking longer than expected
407 This process is using up too much system memory
408 Many processes are using too much system memory
Desktop Window Manager Monitoring
500 The Desktop Window Manager is experiencing heavy resource contention
501 The Desktop Window Manager is experiencing heavy resource contention

Since we are investigating boot/shutdown/standby/resume performance, we should concentrate on the 1xx, 2xx and 3xx events. Events 100, 200 and 300 are the summary events for each boot, shutdown and resume; the other 1xx, 2xx and 3xx events that follow them name the component that caused a delay.

For example, my log contains these two events:

Event 100 :

Windows has started up:
    Boot Duration        :              34857ms
    IsDegradation        :              0
    Incident Time (UTC)  :              18.11.2015 23:58:10

Event 102:

This driver took longer to initialize, resulting in a performance degradation in the system start up process:
    File Name             :              mssmbios
    Friendly Name         :              System Management BIOS Driver
    Version               :              6.1.7600.16385 (win7_rtm.090713-1255)
    Total Time            :              1027ms
    Degradation Time      :              1026ms
    Incident Time (UTC)   :              18.11.2015 23:58:10

So the System Management BIOS driver (mssmbios) accounted for 1026 ms of degradation in this boot. Note that event 100 for the same boot still reports IsDegradation = 0: a 1xx event tells you which component was slow, not whether the boot as a whole was worse than usual.

Unfortunately, events 100, 200 and 300 sometimes occur alone, with no follow-on events. In that case the Diagnostics-Performance log alone does not tell you the reason for the delay; you are left with the phase timings inside the summary event, described next.

You should pay attention to the parameters of event 100 (Microsoft-Windows-Diagnostics-Performance). Here is the EventData of the event above as shown on the XML tab:

System
  ...
EventData
  BootTsVersion                          2
  BootStartTime                          2015-11-18T20:58:10.671600300Z
  BootEndTime                            2015-11-18T20:58:10.671600300Z
  SystemBootInstance                     89
  UserBootInstance                       84
  BootTime                               34857
  MainPathBootTime                       12657
  BootKernelInitTime                     21
  BootDriverInitTime                     3101
  BootDevicesInitTime                    18
  BootPrefetchInitTime                   0
  BootPrefetchBytes                      0
  BootAutoChkTime                        0
  BootSmssInitTime                       5084
  BootCriticalServicesInitTime           436
  BootUserProfileProcessingTime          2683
  BootMachineProfileProcessingTime       0
  BootExplorerInitTime                   848
  BootNumStartupApps                     24
  BootPostBootTime                       22200
  BootIsRebootAfterInstall               false
  BootRootCauseStepImprovementBits       0
  BootRootCauseGradualImprovementBits    0
  BootRootCauseStepDegradationBits       4
  BootRootCauseGradualDegradationBits    0
  BootIsDegradation                      False
  BootIsStepDegradation                  false
  BootIsGradualDegradation               false
  BootImprovementDelta                   0
  BootDegradationDelta                   0
  BootIsRootCauseIdentified              true
  OSLoaderDuration                       735
  BootPNPInitStartTimeMS                 21
  BootPNPInitDuration                    1342
  OtherKernelInitDuration                332
  SystemPNPInitStartTimeMS               1665
  SystemPNPInitDuration                  1776
  SessionInitStartTimeMS                 3451
  Session0InitDuration                   2088
  Session1InitDuration                   339
  SessionInitOtherDuration               2656
  WinLogonStartTimeMS                    8536
  OtherLogonInitActivityDuration         587
  UserLogonWaitDuration                  3551

Most of the parameters are self-explanatory. All durations are in milliseconds.

Note that BootTime = MainPathBootTime + BootPostBootTime; in the sample above, 12657 + 22200 = 34857, which is the Boot Duration shown in the event description.

MainPathBootTime is the time from when the Windows logo first appears on screen until the desktop or logon prompt is presented.

BootPostBootTime is the time from the logon screen or desktop appearing until the system becomes actually usable (the system has reached 80% idle).

In many cases (though not in my sample), a long boot time is linked to the Windows prefetcher: BootPrefetchInitTime is set to a large value, e.g. 60000 or more. In this case you can experiment with the Superfetch service and the prefetch settings under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (the EnablePrefetcher and EnableSuperfetch values). If you have just replaced your HDD or SSD, re-run the assessment in the Performance Information and Tools applet (or run winsat.exe diskformal from an elevated command prompt) so that Windows picks the prefetch strategy that suits the new disk.
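The checks described above, as an added PowerShell example that is not part of the original post: it parses event 100 and a 1xx follow-on event from their XML (the two samples are constructed from the values quoted above), verifies BootTime = MainPathBootTime + BootPostBootTime, flags a long prefetch phase and, on a live machine, pairs each event 100 with the 101 to 110 events written around the same time. The Data element names used for the 1xx events (Name, FriendlyName, Version, TotalTime, DegradationTime), the 5-second pairing window and the 60000 ms prefetch threshold are assumptions.

```powershell
# Added example, not from the original post. Assumptions are marked in comments.
$EventNs = 'http://schemas.microsoft.com/win/2004/08/events/event'

function ConvertFrom-EventData {
    # Turns the <Data Name="..."> items of a rendered event into a hashtable, plus EventID.
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', $EventNs)
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $data['EventID'] = $EventXml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
    return $data
}

function Get-BootSummary {
    # Checks BootTime = MainPathBootTime + BootPostBootTime and flags a long prefetch phase.
    # The 60000 ms threshold is an assumption taken from the post's "60000 or more" example.
    param([Parameter(Mandatory)][hashtable]$Data, [int]$PrefetchThresholdMs = 60000)
    $boot = [int]$Data['BootTime']
    $main = [int]$Data['MainPathBootTime']
    $post = [int]$Data['BootPostBootTime']
    [pscustomobject]@{
        BootStartTime       = $Data['BootStartTime']
        BootTimeMs          = $boot
        MainPathBootTimeMs  = $main
        BootPostBootTimeMs  = $post
        SumConsistent       = ($boot -eq ($main + $post))
        IsDegradation       = [Convert]::ToBoolean($Data['BootIsDegradation'])
        RootCauseIdentified = [Convert]::ToBoolean($Data['BootIsRootCauseIdentified'])
        PrefetchSuspect     = ([int]$Data['BootPrefetchInitTime'] -ge $PrefetchThresholdMs)
    }
}

function Get-BootDelayCauses {
    # Live log only: reads the last few event 100 records and pairs each with the
    # 101..110 events created within $WindowSeconds of it (assumption: the follow-on
    # events are written together with their event 100).
    param([int]$Last = 3, [int]$WindowSeconds = 5)
    $log = 'Microsoft-Windows-Diagnostics-Performance/Operational'
    foreach ($ev in Get-WinEvent -FilterHashtable @{LogName = $log; Id = 100} -MaxEvents $Last) {
        $summary = Get-BootSummary (ConvertFrom-EventData ([xml]$ev.ToXml()))
        $filter = @{
            LogName   = $log; Id = 101..110
            StartTime = $ev.TimeCreated.AddSeconds(-$WindowSeconds)
            EndTime   = $ev.TimeCreated.AddSeconds($WindowSeconds)
        }
        $causes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $d = ConvertFrom-EventData ([xml]$_.ToXml())
                '{0} {1} ({2} ms of degradation)' -f $_.Id, $d['Name'], $d['DegradationTime']
            }
        $summary | Add-Member -NotePropertyName Causes -NotePropertyValue @($causes) -PassThru
    }
}

# Constructed samples built from the values quoted in the post (not real log exports).
$Sample100 = @"
<Event xmlns="$EventNs">
  <System><EventID>100</EventID><TimeCreated SystemTime="2015-11-18T23:58:10Z"/></System>
  <EventData>
    <Data Name="BootStartTime">2015-11-18T20:58:10.671600300Z</Data>
    <Data Name="BootTime">34857</Data>
    <Data Name="MainPathBootTime">12657</Data>
    <Data Name="BootPostBootTime">22200</Data>
    <Data Name="BootPrefetchInitTime">0</Data>
    <Data Name="BootIsDegradation">False</Data>
    <Data Name="BootIsRootCauseIdentified">true</Data>
  </EventData>
</Event>
"@
$Sample102 = @"
<Event xmlns="$EventNs">
  <System><EventID>102</EventID></System>
  <EventData>
    <Data Name="Name">mssmbios</Data>
    <Data Name="FriendlyName">System Management BIOS Driver</Data>
    <Data Name="Version">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
    <Data Name="TotalTime">1027</Data>
    <Data Name="DegradationTime">1026</Data>
  </EventData>
</Event>
"@

Get-BootSummary (ConvertFrom-EventData ([xml]$Sample100)) | Format-List
$cause = ConvertFrom-EventData ([xml]$Sample102)
'Event {0}: {1} ({2}) added {3} ms of degradation' -f $cause['EventID'], $cause['Name'], $cause['FriendlyName'], $cause['DegradationTime']
# On a live machine with the log present:  Get-BootDelayCauses -Last 3 | Format-List
```

On the constructed sample, SumConsistent comes out true and IsDegradation false, matching the event description quoted above. Get-BootDelayCauses needs a real Windows machine; if the pairing window returns nothing for a boot, that is the case the post describes where event 100 stands alone and only the phase timings remain to go on.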

Now you have some background information about Diagnostics-Performance events. In the next part I will show how Event Log Explorer helps to detect boot performance issues.


9 Vendors of Digital Forensics You May Have Missed. Part 2

In the previous post we talked about 010 Editor, Event Log Explorer, ElcomSoft and Oxygen forensic solutions. In this blog post, we continue the brief review of prominent forensic tools.

Next on our list is Belkasoft.

Belkasoft Evidence Center 2016

Belkasoft Evidence Center is an all-around forensic solution to pinpoint, extract and review digital evidence stored on desktop computers, laptops and mobile devices.

The Belkasoft product supports a wide range of devices. It can parse physical and logical drives, virtual machines, mobile device backups, JTAG, UFED images and chip-off dumps. Belkasoft Evidence Center performs an automated search for evidence and seamlessly identifies 700+ types of digital artifacts. Once the search is over, you can apply various filters for more granular results.

Belkasoft restores damaged or incomplete SQLite databases, and retrieves removed records and cleared history. It can glean crucial information from online chats and social networks, private browsing sessions, cleared browser history, cloud usage history, and more.

SQLite, Registry, and PList viewers enable the user to target specific data types and, ultimately, get more evidence than an automatic search would unveil. Other in-built analysis tools include File System Explorer, Hex Viewer and Type Converter for multi-aspect low-level examination of the content.

Belkasoft Evidence Center is deeply integrated with EnCase Version 7. This enables forensic investigators to obtain a multitude of evidence types supported by Evidence Center through the familiar EnCase interface. The integration is made possible with the free “BelkasoftDataImport” plugin.

Rusolut’s Visual Nand Reconstructor

Rusolut is a manufacturer of Visual Nand Reconstructor (VNR), a comprehensive hardware and software data recovery and forensic analysis solution for damaged flash devices. The Reconstructor allows you to retrieve data from a multitude of Flash memory formats. The unique feature of Rusolut’s product is the ability to automate data structure recognition and dramatically speed up the recovery process.

The embedded base of NAND chips and controller configurations caters to most known chips. The database is subject to regular updates by the Rusolut team and their tech partners. A built-in file system viewer operates with the most commonly used file systems – FAT and NTFS.

VNR makes reverse engineering easy with special modes of data visualization and multi-tier descriptions of image structure. The special scrambler extraction mode enables successful data decryption even with new devices.

Despite its complex functionality, VNR offers a user-friendly interface with unified controls to help restore and analyze data in a more efficient manner. These include automatic analysis features that facilitate image reconstruction and data recovery. Check out the elaborate documentation to see if your investigation finds the right solution with Rusolut.

Passware Kit Forensic

Passware focuses on password recovery and caters to numerous use cases. Its Kit Forensic is a comprehensive evidence discovery solution that detects and decrypts all password-protected items on a computer.

Passware helps to recover or reset passwords for 200+ document types, including Windows, Word, Excel, QuickBooks, Access, Acrobat, etc. Kit Forensic scans for encrypted evidence, and performs live memory analysis and batch processing. The software works smoothly with BitLocker, TrueCrypt, FileVault2 and PGP; it supports GPU, TACC, Distributed Computing, and Rainbow Tables. Kit Forensic integrates easily with Guidance EnCase v7 in case the user needs to match collected data across two systems.

Check out the references and learn how Passware tools have resolved real situations; for instance, their operations on cracking otherwise undecipherable passwords in child pornography cases. In those projects, Passware helped investigators from the Swedish and US police forces with equally successful results.

Passcovery

Passcovery Co. Ltd. offers forensics, corporate and home users performance-driven password recovery.

Their flagship Passcovery Suite successfully operates with Microsoft Office, OpenOffice, PDF, ZIP/RAR, iOS/Blackberry back-ups, TrueCrypt volumes and WPA/WPA2 handshakes. The Suite uses an embedded macro language for sophisticated password generation assignments. The key focus of Passcovery is fast retrieval of data. The software boasts great recovery speeds, as well as optimization for AMD/ATI and NVIDIA video cards. Passcovery detects your CPU type and operates accordingly to deliver optimal performance. Whenever possible, it employs GPU password recovery with AMD and NVIDIA video cards.

Plus, Passcovery can leverage multiple video cards at the same time.

PasswordLastic

PasswordLastic is another password retrieval solution focused on Microsoft Windows and Office products.

The tool offers an online password-cracking service that helps to crack Word and Excel documents in no time. Office Password Recovery Lastic supports MS Word, Excel, PowerPoint, Outlook and Access files, as well as embedded VBA projects.

Windows Password Recovery Lastic helps to restore access to the operating system. Run the software on an available computer and create a bootable USB stick or CD/DVD. Boot from it on the required computer and reset the password for any of the previous accounts. Plus, the program saves password hashes for in-depth cracking and recovery of previously removed passwords.

Other standalone versions cater to Outlook, Excel, Word and VBA projects. These are easy-to-use and effective tools for average users and forensic experts alike.

Bottom line

If you are interested in professional forensic tools, make sure you research the market. Digital forensics is entering a golden era in terms of technology, and the offering is abundant, so define your goals and budget first, then determine which one addresses your particular investigative needs.


Event Log Explorer Forensic Edition Preview

Several days ago we published a preview of a new edition of Event Log Explorer: Forensic Edition. Here I will show what benefits you get from this edition. First, it is currently fully compatible with the standard edition: it uses the same workspace, the same settings and, for now, the same registration key. By default it installs into a different folder, so you can use both editions side by side. The forensic edition preview is available at
http://eventlogxp.com/download/elex_fe_setup.exe

What should you pay attention to?

You can find a new button on the toolbar: Add imaged computer.

How it works: when you have a forensic image, you can mount it as a disk on your computer. This command lets you add that imaged computer to the tree and then view its event logs.

Example:
I currently don't have a forensic image to hand, but I have an old hard drive, which I connected to my computer for testing. It is drive E:. I click the “Add imaged computer” button and get this dialog:
[Figure: Add imaged computer dialog]
Event Log Explorer tries to detect a mounted system drive automatically. It found mine, but if it does not find yours, just type the correct path to the Windows folder on the mounted disk.

Type any name in “Friendly name” field, and press OK.

Now you can see that this “computer” has been added to the tree, and you can open it and view its event logs.
[Figure: forensic edition - new entity in the tree]
Let’s try to open any log from this imaged computer, e.g. Application. Double click on Application and the event log will appear as a log file.
[Figure: forensic edition - imaged log]
Pay attention to the icon that appears in the log icons area. Usually it appears when you set a description server, but here it tells you that Event Log Explorer will try to get event descriptions from the mounted disk if it fails to find them locally. Whenever Event Log Explorer needs an event description, it first looks for it locally (as always); if the description is not available, it opens the registry of the mounted disk, finds the resource file that contains the event description and tries to extract the description from that file. Note that if you examine this disk not only with Event Log Explorer but also with, say, Registry Editor, and have loaded its registry files as hives, you should unload those hives, or Event Log Explorer will not be able to open them. If you want to disable getting descriptions from the imaged computer, double-click that icon and uncheck the “If no description available, get it from imaged disk” option.
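The description lookup described above, as an added PowerShell example that is not Event Log Explorer's own code: it finds the message resource file (EventMessageFile) for an event source by loading the SYSTEM hive of the mounted image and resolving the control set that was current on the imaged machine. It assumes the image is mounted with its Windows folder at the path you pass in (E:\Windows in the usage line), an elevated shell (reg.exe load needs it) and that the temporary key name HKLM\OfflineSYSTEM is unused; the event source VSS in the usage line is only an example name. Extracting the message text from the file's message table, which Event Log Explorer does next, is not shown.

```powershell
# Added example, not part of Event Log Explorer. Assumptions: elevated shell, image mounted
# with its Windows folder at $WindowsDir, and the key name HKLM\$MountKey not in use.
function Get-OfflineEventMessageFile {
    param(
        [Parameter(Mandatory)][string]$WindowsDir,   # e.g. E:\Windows on the mounted image
        [Parameter(Mandatory)][string]$LogName,      # e.g. Application
        [Parameter(Mandatory)][string]$Source,       # e.g. VSS (example source name)
        [string]$MountKey = 'OfflineSYSTEM'
    )
    $hiveFile = Join-Path $WindowsDir 'System32\config\SYSTEM'
    & reg.exe load "HKLM\$MountKey" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe load failed for $hiveFile (hive already loaded in Registry Editor, or shell not elevated?)"
    }
    $key = $null
    try {
        # An offline hive has no CurrentControlSet link; Select\Current names the ControlSet00N
        # that was current on the imaged machine.
        $current = (Get-ItemProperty "HKLM:\$MountKey\Select" -Name Current).Current
        $srcPath = 'HKLM:\{0}\ControlSet{1:D3}\Services\EventLog\{2}\{3}' -f $MountKey, $current, $LogName, $Source
        $key = Get-Item -LiteralPath $srcPath -ErrorAction Stop
        # Read the REG_EXPAND_SZ value unexpanded: Get-ItemProperty would expand %SystemRoot%
        # against the analysis machine and point at the wrong Windows folder.
        $raw = $key.GetValue('EventMessageFile', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if (-not $raw) { return @() }
        # Several DLLs may be listed, separated by ';'. Rebase each onto the mounted Windows folder.
        $raw -split ';' | ForEach-Object {
            $p = $_.Trim() -replace '(?i)%(SystemRoot|WinDir)%', $WindowsDir
            [pscustomobject]@{ Source = $Source; Path = $p; Exists = (Test-Path -LiteralPath $p) }
        }
    }
    finally {
        # Close our handle first, or reg.exe unload reports "Access is denied".
        if ($key) { $key.Close() }
        & reg.exe unload "HKLM\$MountKey" | Out-Null
    }
}

# Usage on a mounted image (assumed drive letter and example source name):
# Get-OfflineEventMessageFile -WindowsDir 'E:\Windows' -LogName Application -Source VSS
```

If the unload step still reports access denied, something else holds the hive open, which is the same situation the post warns about with hives loaded in Registry Editor: close those handles (or the other tool) and retry, because a hive that stays loaded also blocks Event Log Explorer from opening it.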

What else

We disabled functionality that modifies event logs, such as the Clear Log command and editing event log properties.

What’s next?

We are planning to add the following features to forensic edition:

  • Timeline creation
  • Opening heavily damaged evtx files
  • Opening evt and evtx fragments
  • Features you ask us to add!

9 Vendors of Digital Forensics You May Have Missed. Part 1

Looking for a solid solution to unravel computer-stored evidence? Need a deeper insight into what’s happening on your PC or a suspect’s device, looking to restore or crack an essential password? Check out this brief review of unheralded yet powerful forensic tools.

The most common definition of computer forensics is the procedure of detecting and analyzing evidence collected from digital media, i.e. hard drives, portable devices, etc. Digital evidence should be handled carefully. Incapable hands may ruin crucial data so it becomes incomplete, compromised or unfit for further investigation. In order to help automate forensics, the computer science and software industry has come up with a plethora of professional programs. Police departments, investigation agencies and enterprises across the globe employ IT forensic tools at scale and face an overchoice of available solutions.

Computer forensics embraces different software categories. Broadly defined, it not only includes file viewers/analysis and disk and data capture tools, but also email analysis, registry forensics, network and database forensics, event log analysis, password recovery, mobile device analysis and other solution types.

Some of these, like EnCase and FTK, are globally acknowledged within the forensics community and among power users. EnCase encompasses a whole suite of digital investigation solutions. These include products for forensics, e-discovery, cyber security and security analytics purposes. Data recovered by EnCase has been used as evidence in multiple court systems, e.g. in the cases of the BTK Killer and the murder of Danielle van Dam.

FTK by AccessData also fits perfectly into forensic experts’ inventory. FTK Imager, a well-known data preview and imaging program, enables the user to analyze files and folders on local HDDs, network drives, and CDs/DVDs.

Other tools show great technological potential and are gaining popularity among dedicated experts. We would like to take a closer look at a few more forensic solutions that are well worth adding to your computer forensic arsenal. A disclaimer: the tools are presented in random order, so there is no rating associated with the review.

Tools

010 Editor

010 Editor is a professional text/hex editing software program by SweetScape.

[Figure: forensic review - 010 editor]

The program allows you to edit any file, drive or process on the computer. Using binary templates, 010 Editor can help parse a binary file into an intelligible data structure. The software includes standard editing functionality with Cut, Copy and Paste commands, as well as support for large files and unlimited Undo/Redo actions.

010 is, in fact, a suite of editing tools. The Text Editor works with text files, XML, HTML, Unicode, UTF-8 files, C/C++ source code, etc. The Hex Editor helps the user to edit binaries and interpret binary data. The Process Editor investigates and modifies memory in running processes. The Disk Editor scans your hard drive, memory keys, flash drives, and CD-ROMs for issues, and provides immediate troubleshooting. 010 Editor allows you to analyze and edit binary files with advanced tools: Full Find, Replace, Find in Files, and Replace in Files functionality for various data types. You can also perform binary comparison, count byte occurrences and visualize data.

Event Log Explorer

Event Log Explorer by FSPro Labs is an advanced software solution for event analysis. The tool provides a deep insight into Microsoft Windows/Windows Server system logs, and covers all aspects missed by the standard Event Viewer.

[Figure: forensic review - event log explorer]

The program collects valuable evidence by reviewing events registered by the operating system.

Users can consolidate events from multiple sources (event logs or files) into a single view – a dramatically important feature for timeline analysis. You can filter events by any relevant criteria using predefined filters or ample custom options, including regular expressions for event description.

Event Log Explorer provides direct access to EVT and EVTX files (without Windows API). This feature enables the user to view even corrupt event logs or read EVTX files under Windows XP.

In case you need to match event logs with other forensic tasks (e.g. timeline analysis), Event Log Explorer offers the Export Events feature. Events can be exported to multiple formats including HTML, Excel or text.

When you work with event log files, a computer may be lacking text descriptions of analyzed events. Event Log Explorer enables the user to retrieve event descriptions from another source.

Another forensic issue solved by this software is time correction. In the course of an investigation, you may encounter event logs from different time zones. The time zone correction feature helps you make necessary modifications and unify collected data.

Event Log Explorer fits a broad audience, including IT forensics, system administrators, security audit agents, in-house R&D, etc.

ElcomSoft solutions

ElcomSoft presents a product line aimed at forensic experts, law enforcement, military, and intelligence agencies. One of ElcomSoft's core competencies is password cracking.

[Figure: forensic review - elcomsoft]

The Password Recovery Bundle enables authorized organizations and individuals to unlock disks, encrypted files and documents protected with publicly available applications. Another solution by ElcomSoft – iOS Forensic Toolkit – enables the user to acquire precise images of iOS devices. You can get access to all passwords and encryption keys on a select device and decrypt the image of its file system. iOS Forensic Toolkit also provides a passcode retrieval option to access passcode-protected evidence.

ElcomSoft Phone Breaker helps to establish access to password-protected iOS backups, Apple iCloud, Windows Phone and BlackBerry 10 backups. The tool supports fast and handy logical acquisition of data, restores the original password with GPU acceleration or helps retrieve data directly from the cloud.

A couple of years ago, ElcomSoft got overwhelming coverage in global news when its software was misused by hackers to expose a celebrity’s nude selfies grabbed from Apple iCloud. Paradoxically, the FBI and CIA tend to employ the same tools for their causes.

Oxygen Forensic Suite

Oxygen Forensic Suite is a solution designed to collect evidence from mobile devices to support your investigation cases. The software gathers versatile data (OS, manufacturer, IMEI number, serial number), messages (SMS, MMS, email) and contacts.

[Figure: forensic review - oxygen]

Using Oxygen Suite, you can recover removed messages, call logs and calendar info, as well as access mobile device data and documentation. All gleaned information can be visualized in granular reports, in case you need to see the big picture.

Unlike many competitors who focus on market leaders only, Oxygen Forensic Suite supports a large number of devices based on the iOS, Android, Windows Phone, BlackBerry and Symbian operating systems. Similar to ElcomSoft, Oxygen provides cloud-forensics services acquiring data from iCloud, Google and Microsoft Live. Oxygen Forensic Suite is easy to use, yet offers powerful controls, such as the ability to pull data from multiple mobile devices at the same time.

As with many forensic tools, Oxygen provides a timeline feature to glean the culprit’s habits, whereabouts and communications prior to or during the incident. In addition, the Social Graph feature helps to quickly detect evidence and unveil social connections between multiple devices. Oxygen supports data parsing for 300+ unique apps to analyze communication and shared content, and effectively recovers SQLite database records.

These four merited solutions conclude the first part of our forensic tool roundup. The review is to be continued in the next blog posting. Stay tuned for Part 2, and feel free to share your feedback!
