Friday, March 23, 2007

Vista Complete System Backup

Lately, I've been kicking around a few Vista Enterprise systems for testing and am working analyzing some of the "new features" of Vista. One such "new feature" is the Backup and Restore Center.
Microsoft decided to change the backup program a bit in this latest OS release. They finally moved away from the old interface they stole from Seagate and Veritas.

As you can see below, we now get the flashy GUI that tells us some interesting information. We can see when I made a complete disk image and when I tried out the shadow copy backup.


After making these backups I thought, hey wait..this has got to exist in the Registry. Like everything else in Windows there is indeed a Registry entry for the new Windows backup system.
You can check it out on your own systems here:
HKLM\software\Microsoft\Windows\CurrentVersion\WindowsBackup

Underneath there I found a few subkeys, one of which is SystemImageBackup.
In here I found a series of values which I exported:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup\SystemImageBackup]
"LastBackupResultHr"=dword:00000000
"LastBackupResultHrDetailed"=dword:00000000
"LastBackupTime"=hex(b):704ac9ebcc6dc701
"LastBackupLocation"="\\\\?\\Volume{2f147a6d-d29b-11db-8792-00188b27e7f8}"
"LastBackupDrive"="E:"
"LastSuccessfulBackupTime"=hex(b):704ac9ebcc6dc701
"LastSuccessfulBackupLocation"="\\\\?\\Volume{2f147a6d-d29b-11db-8792-00188b27e7f8}"
"LastSuccessfulBackupDrive"="E:"


Interesting eh? We can see a few values that should be easily recognizable and one that at first threw me off a bit. The LastBackupTime and LastSuccessfulBackupTime values are a little large for 32bit hex values aren't they? I had to do a little searching on this one because it's listed as a REG_QWORD rather than REG_DWORD. Well, QWORD is a 64 bit value in little endian. As evidenced by Dcode You can correlate the time stamps between the image above and the decoded hex datetime stamp



Now, if you look back to the first image you'll see that the image was created on my E: drive. Obviously the registry values I'm showing keeps track of the Volume Information GUID as well as the logical drive letter. Now you have a volume GUID to match up when you start looking for missing disks from a system you are investigating.

After looking at this I decided to try to write a perl script using the Parse-Win32Registry module but have had some difficulty getting it to work. I keep getting this error while trying to use dumpreg.bat. If anyone knows of a fix to this or what the cause is, let me know please.

C:\Perl\site\bin>dumpreg.bat -r f:\vistareg\SOFTWARE Microsoft\Windows\CurrentVe
rsion
Invalid key node type at offset 0x38c8
38c8 a8 ff ff ff 6e 6b 20 10 3b 06 6d b8 fc 67 c7 01 ....nk .;.m..g..
38d8 00 00 00 00 20 00 00 00 b5 0c 00 00 00 00 00 00 .... ...........
38e8 b0 47 74 00 ff ff ff ff 00 00 00 00 ff ff ff ff .Gt.............
38f8 c0 ba 00 00 ff ff ff ff 8c 00 a0 00 00 00 00 00 ................
3908 00 00 00 00 00 00 00 00 6d 00 5c 00 07 00 00 00 ........m.\.....
at dumpreg.bat line 41

There are several other subkeys I'm looking at under this Key, including the ones created for automatic backup schedules.

5 comments:

H. Carvey said...

hey, I saw your post in another forum...next time, email me directly.

I've seen this issue before, as well, but only with a very specific raw Registry file...the original SAM file on a system, I believe. The issue may come from the lack of a specific identifier in the sequence of events, in how the module does it's job.

Which version of the module are you using? I can check with the author...

Harlan

hogfly said...

Harlan,
Right-o I wasn't sure to be honest..given how picky some people are about direct contact. I grabbed version 0.25 from the trouchelle repository.

Anonymous said...

Interesting blog. One of my job responsibilities is is analyzing Vista and the rest of Microsoft's technologies from a forensics standpoint. I can share some of this work with you, if I knew how to reach you.

Harlan knows my email, both ntevidence and the @microsoft.

hogfly said...

tdog,
Cool. You can shoot an email to me at gmail. I look forward to any info you are willing to share.

H. Carvey said...

...given how picky some people are about direct contact

Not sure I follow...I've been in touch with James quite a bit. He asked me to ask you to send him some raw Registry file samples, as he doesn't have access to Vista:

jmacfarla at cpan dot org