SecureArtisan

My Road to Digital Forensics Excellence

Stability Index and Reliability

Posted by Paul Bobby on January 17, 2011

While conducting an investigation in to removable media, on a Windows Vista 64bit computer, several searches had led me to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib09

A REG_MULTI_SZ value, called ‘Counter’, contains the following sample text:

Perlib-Counter

Which lead me to the tool “Reliability and Performance Monitor”.

Perfmon

I have never looked at the “reliability monitor” before – but it contains something very interesting. A nice looking timeline of stuff.

Reliability Monitor

Here’s a sample from the “Software (Un)Installs” section:

Software (Un)Installs

Sweet! Another 4n6 timeline artifact that may be immune to file system cleaners and uninstallers. How about those external devices?

External Devices

Okay enough of that – what about deadbox analysis? On my test system, the files of interest are located in the path “C:\ProgramData\Microsoft\RAC\PublishedData”:

File Location

The ‘SWIT’ file contains the Software (Un)Install information, AFL is Application Failures, HFL is Hardware Failures, etc.

Let’s manually decode so that we can enscript them.

The following screenshot represents the record for Microsoft Silverlight, v4.0.51204.0, that indicates there was a successful Configuration Change made on January 8th, 2011 at 08:00:49 EST.

Record Breakdown

Here we go:

Bytes 0-15 represent a 128bit Windows SYSTEM timestamp. (See here)

typedef struct _SYSTEMTIME {
WORD wYear;
WORD wMonth;
WORD wDayOfWeek;
WORD wDay;
WORD wHour;
WORD wMinute;
WORD wSecond;
WORD wMilliseconds;
} SYSTEMTIME,
*PSYSTEMTIME;

The cool thing here is that the time is available for analysis as opposed to just the date that is presented in the Perfmon MMC.

The next 128bytes contain a Unicode string representing the application. This byte stream is read until a NULL terminated string is found. In this case, “Microsoft Silverlight”. And to make sure you are paying attention, this field is reusable and can contain SLACK information! Woot.

The next 128bytes contain a Unicode string representing the version of the application. This byte stream is read until a NULL terminated string is found. In this case, “4.0.51204.0″. This field can also contain SLACK information.

The last 12 bytes contain the encoded events (I reversed these, couldn’t find a spec).

Four bytes at Offset 272 (the Purple bytes):

    0×00 = Install
    0×01 = Uninstall
    0×02 = Ignore field

Four bytes at Offset 276 (the green bytes):

    0×00 = Configuration change
    0×01 = Application install
    0×02 = System Update install

Four bytes at Offset 280 (the blue bytes):

    0×00 = Failure
    0×01 = Success

Writing a parsing tool for this is now cake.

Here’s an example from my own SWITable.DAT file that illustrates slack data (or what I’m calling slack data).
SWIT Slack

About these ads

One Response to “Stability Index and Reliability”

  1. D. Collins said

    When I originally read this post, I incorporated the SWIT data into an Enscript and was getting tons of good timeline info from it. I don’t know if you have seen it, but it appears that these files have been replaced by “RacWmiDatabase.sdf”. I am assuming that this took place during a Windows Update, since all my machines are showing the same thing now.
    The format appears to be a SQL Compact database, originally designed for PocketPC. Not sure how easy it will be to script time/dates out of it now.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: