Forensic Case Files: Windows Update Did It! (Windows Forensics)

President of Tetra Defense, Cindy Murphy, shares her insights:

“I didn’t do it.”
– Bart Simpson

It Was Windows, Not Me… I Swear!!

I spent a lot of time in my law enforcement career digging through “who done it” details. As a detective, attributing an act (especially a crime) to the right individual is of utmost importance. It’s exceedingly common for someone who has done something wrong to point the finger at someone else. The hope is to escape responsibility in placing blame elsewhere. Once in a while, someone else DID do it.

When one points their finger, that finger typically points to another human being. But in this case, it was pointed at a Windows operating system update.

In today’s case study, our client was an employer who turned to Tetra, formerly Gillware Digital Forensics, for forensics assistance (specifically, Windows forensics) after an employee left for a competitor. The employer told us that within hours of notification that she intended to quit, the employee in question’s work computer came back to HR “wiped clean” almost as if by magic. They went on to say that her email, work documents, Salesforce, and Internet browsing activity, were all miraculously purged. When questioned, she claimed that a Microsoft Windows update was responsible for cleaning up her computer and that she had nothing to do with it.

Employee Misconduct or Windows Misconduct?

Our client was understandably skeptical. Their concern was that that the mysterious failed Microsoft Windows update was a cover-up for more nefarious activities. Had the suspected employee deleted her data on purpose? Had she taken sensitive data with her when she left? If so, had she shared that company data with the competitor? Was she in violation of her non-compete agreement?

Everyone knows that Microsoft Windows can be fickle. We all love to complain about Windows 10, particularly that sometimes it seems to have a mind of its own. Sometimes during Windows operating system updates, unexpected things can happen.

Our client didn’t want to confront the ex-employee without ammunition, and they didn’t want to engage in false accusations, either. They hoped that our forensic analysis could provide answers they needed to proceed with any potential legal action.

The Windows Forensic Analysis:

Windows Reset user interface in Windows Update control panel

Windows Reset user interface in Windows Update control panel

After we received the drive and imaged it, I dug in to see what I could find. The ex-employee hadn’t wiped the machine, that much was certain. Rather, their old computer appeared to have a brand new installation of Windows 10 Professional on it.

There was one non-standard user account on the machine named with the employee’s first name misspelled. The installation date, coincidentally, matched the evening before the employee put in her notice. Registry examination of SAM files on the hard drive revealed a previously existing user account that used the correct spelling of the employee’s name. Windows may do wacky things occasionally, but it won’t re-name and misspell a user account name as part of the normal update process.

A quick review of the file system showed many artifacts indicative of the Windows Reset having run its course. The user can access Windows Reset through Recovery Options in the Control Panel, and the user can choose to reset Windows and either keep their files or not. This procedure doesn’t happen on its own.

Windows Update Recovery Partition

Many laptops have a recovery partition for reinstalling Windows if something goes wrong. In this case, the computer was a Lenovo, and it had a recovery partition. When somebody runs the WindowsRE restore function, it updates the “date modified” and “date accessed” metadata for the recovery partition. I quickly discovered that the “modified” and “accessed” date/time stamps from the Lenovo Windows recovery partition reflected the night before the employee submitted her resignation. The clues were all adding up.

Lost Secrets of the Great “Windows.Old” Ones

My next clue came from a Windows.old folder in the file system. Since Windows Vista, Windows has created the Windows.old folder when the user upgrades from one version of Windows to another, as well as when you reset Windows. The Windows.old folder contains all the files and data from your previous Windows installation. If the user isn’t happy with the newest or changed version of their Windows operating system, they can use it to restore the old version of Windows. The Windows.old folder may delete automatically after 10 to 30 days depending on the version of Windows. In this case, it’s presence in a non-deleted state indicated that the change to Microsoft Windows happened recently.

The Windows Bluewire Push Button Page

The Windows Bluewire Push Button Page

$SysReset

I also found a $SysReset directory in the file system on the drive. This folder appears when a user performs a Windows system reset. Within the $SysReset directory is a log file named setupact.log that tracks the actions taken during a reset. I reviewed this file and found reference to the Windows “Bluewire Push Button Page.” This page is a direct reference to the user dialog box within Windows settings that lets the user perform a Windows reset.

The Bluewire Push Button Page provides an option to “Keep my files” and one to “Remove everything.” Conveniently, the setupact.log file tracks which option the user chooses when the reset occurs.  In this case, the ex-employee had chosen the “Remove everything” option.

Excerpt from setupact.log file

Excerpt from setupact.log file

This process removes user files and directories but does not overwrite the data. Most of the user’s data still existed as “Orphaned” files, some of which I could easily recover. Many preexisting system files such as registry artifacts move to the Windows.old directory during a reset and can be easily examined. Because the username had been renamed with a misspelling, sorting out new activity from the old was even easier.

The employee had also attached to her home wireless network when she reset-up Windows. And she entered user credentials to do so.

And as the saying goes, boom went the dynamite.

An Easy “Who Done It”

In this case, the mystery about who was responsible for the disappearance of the ex-employee’s files was quite easy to solve.  Multiple artifacts pointed to user activity – specifically the user doing a Windows Reset.

The reset process requires active user intervention to complete. Considering the number of steps a user has to go through to accomplish a reset, there’s little chance that it was accidental. Though a Windows update can seem to do a lot of mysterious things, our forensic footwork exonerated Microsoft’s handiwork in this case. Thankfully, update and reset activities are well-logged, and a good forensic investigator can unravel them after the fact.

Check out some related content on our blog: