domingo, 23 de diciembre de 2018

#DFIR: "UserNotPresent", When does Windows understand that the user is not present?

Hi, minions:

Although it was introduced with Windows 2000, it was not until the preparation of the research material "Think twice before you insert it", that I presented at the CONPilar Congress in April 2018, when I realized the great information that can be stored in the files '.etl', (Event Trace Log); of the relevance that artifact may have in forensic analysis. The exposed presentation was about the trace that we can find, so much in Systems Windows 7 as in Systems Windows 10, relative to the devices USB that have been connected to a System, under several assumptions. Since then I have played with several '.etl' files. Not with all that exist, because we can find many files '.etl' within a Windows System, in many different locations, (Over 100).

Shortly afterwards, in June 2018, I read a very interesting article by Nicole Ibrahim in David Cowen's Blog, entitled "ETW Event Tracing for Windows and ETL Files", where she talked about this type of artifacts and where, in addition, she presented a new tool developed by G-C Partners to parse and analyze more easily the information contained in these files: ETLParser.

A few days ago, Lorenzo Martinez asked me about a type of file '.etl' with which I had not played yet. Specifically he asked me if I had investigated the files contained in the 'SleepStudy' folder, because he had seen that I had already 'fought' with a few '.etl' files. Exactly, he was especially interested in the file 'UserNotPresentSession.etl', because of the huge amount of information that could be found within that file. His interest was in knowing exactly when those files are created. Theoretically, the file 'UserNotPresentSession.etl' captures data that is related to energy when the user is not present. So I decided to run a series of tests and write this article to answer this question: When does Windows understand that the user is not present? 

I haven't been able to find any easy to explain definition of this kind of logs. I haven't seen too many detailed references to these '.etl' files in the Microsoft documentation, (Or I haven't been able to see it).


Event Trace Log files, (Log files in binary format), are known as trace logs and store messages generated during sessions, at the start and end of sessions. These messages consist of an event trace log. And this event tracking is done through the 'Event Tracing for Windows, (ETW)' sessions, which is a tool used mainly by developers and system administrators. Its main mission is the analysis of statistics, performance and debugging, (Although we are interested at the forensic level). These files work at the System kernel level and provide information from different sources, from different resources and origins, as well as the System event files '.evtx'. In fact, they are automatic loggers that are directly related to this type of events and can be viewed with Windows' own event viewer, (Most of it). 

Within this type of files is recorded much, a lot and very diverse information with very interesting data. They track events for applications. Displays information about controllers that start and stop, (Think of controllers as applications). That is to say, they can show us information that goes from the applications that have been executed, up to the USB devices that have been connected and up to a list of the files and directories of all element that has contact with the System. 

Not all systems contain all '.etl' files and the same '.etl' files are not present on all systems.

If the files '.etl' were introduced with Windows 2000, it was not until Windows 8.1 that 'SleepStudy' was introduced, which is a tool that uses Windows to implement a new standby power model. SleepStudy tracks System activity and provides general information about each session, including uptime and downtime. This type of session begins when the System enters the new modern standby mode and ends when it leaves that state.

How does the 'SleepStudy' function work? This utility works in conjunction with the 'powercfg.exe' utility and by default will give us a three-day report, in a '.html' format. Its basic use is done through
powercfg.exe /SleepStudy
The first thing that is observed in the report is the basic information of the System, followed by an interactive table where it will show us the information of each of the records it has recorded. These logs will show us information related to the beginning of the state of each session, with the duration time and the state that has generated it, (active, standby, hibernated or shutdown), besides another type of information.

And if we select a date from this table it will take us to the detailed information of that session where the processes in execution can be seen, at the moment of the generation of that log, with the name of the user that has invoked it.

This already tells us what kind of information we are going to find in these kinds of tracking files.

According to Microsoft documentation the parameters can be configured to return information from the last 28 days. But, for example, in my physical System you will find information from the date of installation until the last creation of the trace record.

After this brief introduction to the files '.etl' and the 'SleepStudy' function, it is time to return to the question that is the object of this article: When exactly is the content of the 'SleepStudy' folder generated? When does Windows understand that the user is not present?

To perform a series of quick tests with several assumptions I have chosen to use a Windows 10 System, version 10.0.17134.112, virtualized under VirtualBox and newly installed, and my own Windows 10 System, version 10.0.17134.472 to contrast and verify results. Both systems feature a local 'Romance Standard Time' time zone. Unless otherwise indicated, the reflected time will be the local time of the System. 

My tests

I am going to expose the last tests that I have carried out in chronological order, (It will help me to order the material and I believe that it will serve for a greater understanding). I recommend that you pay special attention to time stamps and file sizes.

The first thing I do is delete all the contents of the 'SleepStudy' and ScreenOn' folders, with the system turned off. (For that reason, the creation date of the 'UserNotPresentSession.etl' file differs from the date of last system installation).

I switch off the computer and do not switch it on again until 07.07 hours on 21 December 2018. At 07.08 hours the login screen appears in the system, but I don't make it effective until 07.10 hours. Two files appear. A file 'UserNotPresentSession.etl' inside the folder 'SleepStudy' and a file 'ScreenOnPowerStudyTraceSession-2018-12-21-07-08-28.etl' inside the folder 'ScreenOn'. Both files were created at 07.08. A few minutes before making the login effective on the system.

That is, the files 'UserNotPresentSession.etl' and 'ScreenOnPowerStudyTraceSession-YYYY-MM-DD-HH-MM-SS.etl' are created by the system without the need for any user to log on to it, during computer boot-up.

I connect the charger of the computer at 07.37 hours and the file 'ScreenOnPowerStudyTraceSession-2018-12-21-07-37-14.etl' is created inside the 'ScreenOn' folder. There are no changes to the 'SleepStudy' folder. I am reckless and at 07.56 hours I disconnect the battery of the computer in order to eliminate unnecessary noise. Another new file 'ScreenOnPowerStudyTraceSession-2018-12-21-07-56-50.etl' appears again in the 'ScreenOn' folder. There are still no changes to the 'SleepStudy' folder.

That is, when a charger is connected and disconnected to a computer system, it creates different 'ScreenOnPowerStudyTraceSession-YYYY-MM-DD-HH-MM-SS.etl' files for each of the events, such as connecting the charger, disconnecting the charger, charging the battery or discharging the battery.

I proceed to leave the computer without user interaction, inactive, without turning off the screen or suspending the system, to resume activity at 08.28 hours and 11.54 hours. Two new files 'user-not-present-trace-2018-12-21-21-08-28-45.etl' and 'user-not-present-trace-2018-12-21-11-54-42.etl' appear. There are no changes to the 'ScreenOn' folder.

I proceed to perform the same operation, but this time with some applications raised to resume activity at 13.06 hours. A new file 'user-not-present-trace-2018-21-13-06-14.etl' appears. There are still no changes in the 'ScreenOn' folder.

That is to say, even if the screen is not turned off or the system suspension is not activated, if the user stops interacting with the system for a while it will generate a file 'user-not-present-trace-YYYY-MM-DD-HH-MM-SS.etl', when the user resumes the activity.

At the same time, at 13.06 hours, I configure the system so that the screen turns off after one hour and I stop interacting with the system, with some applications raised, to resume activity at 16.45 hours. When the system activity is resumed it can be seen that a file 'ScreenOnPowerStudyTraceSession-2018-12-21-14-06-25.etl' and a file 'user-not-present-trace-2018-12-21-16-45-39.etl' have been created.

In other words, when the system is configured to shut down the monitor, and it becomes effective, a 'ScreenOnPowerStudyTraceSession-YYYY-MM-DD-HH-MM-SS.etl' file is created, right at the moment the screen is turned off, and a 'user-not-present-trace-YYYYY-MM-DD-HH-MM-SS.etl' file is created, right at the moment the user resumes activity with the system.

At 17.06 hours I proceed to program the suspension of the system to a time of hour. When the computer is suspended, it remains started but in low power mode. The applications are still open so that when the system is activated, it immediately returns to the state in which it was left. I stop interacting with it so that it becomes effective, resuming the activity at 18.52 hours, the time when the login screen appears, but I do not become effective until 18.55 hours. After logging in and starting the interaction with the system, the creation of a new file 'ScreenOnPowerStudyTraceSession-2018-12-21-18-06-25.etl' and a file 'user-not-present-trace-2018-12-21-18-52-05.etl' is appreciated.

That is to say, when the suspension of a computer is programmed, and this suspension becomes effective, a new file 'ScreenOnPowerStudyTraceSession-YYYY-MM-DD-HH-MM-SS.etl' is generated, right at the moment when the computer enters this suspension state, and a new file 'user-not-present-trace-YYYYYY-MM-DD-HH-MM-SS.etl', right at the moment when the activity with the system is resumed, even though the login is not effective.

I am very intrigued by how files are created after a period of inactivity, even though no screen shutdown or system suspension mode is configured. In order to try to find a time pattern, to know from what moment the system thinks that there is no active user, I decided to stop interacting with the system and resume the activity with several downtime.

At 21.17 hours I resume the activity of the system to block the desk at 21.18 hours. I login at 21.40 and see that a new file 'user-not-present-trace-2018-12-21-21-40-57.etl' has been created. No changes to the 'ScreenOn' folder.

In other words, when the user's session is blocked, a new file 'user-not-present-trace-YYYYY-MM-DD-HH-MM-SS.etl' appears at the time of the next login.

At 21.48 hours I leave the computer inactive, without switching off the screen and without suspension, until 07.28 hours the next day, (22 December 2018), at which time I resume the activity and find myself a single new file 'user-not-present-trace-2018-12-22-22-07-28-28.etl'. No changes to the 'ScreenOn' folder.

At 07.53 hours I close the user's session, without restarting the computer, and make a new login at 08.00 hours. But in this case there are no new files or modifications in any of the folders 'SleepStudy' or 'ScreenOn'.

In other words, if a user exits the session and login again, there will be no changes to the system.

At 08.10 I restart the computer, and the login screen appears at 08.11. After making the login effective, at 08.15 hours, I notice that the file 'UserNotPresentSession.etl' has been modified at 08.11 hours, when the login screen appears, and has removed its content to return to its original size of 64 KB. On the other hand, we have no new file 'user-not-present-trace-YYYYY-MM-DD-HH-MM-SS.etl' and a new file 'ScreenOnPowerStudyTraceSession-2018-12-22-08-11-16.etl' has been generated in the 'ScreenOn' folder.

In other words, when the system restarts, (Or starts after a shutdown), the file 'UserNotPresentSession.etl' is modified, deleting its previous content to start storing the information of the new session and a new file 'ScreenOnPowerStudyTraceSession-YYYYY-MM-DD-HH-MM-SS.etl' is generated, just during system startup, without the user having to log in.

At 0823 hours I proceed to hibernate the system. When the system hibernates, the computer is turned off, but the applications are still open. When the computer starts, it will return to the state in which it was left. I resume the system activity at 09.02 hours, when I start up and the login screen appears, which I don't effective until 09.05 hours. At that moment I go to check the possible changes and I realize that has generated a new file 'ScreenOnPowerStudyTraceSession-2018-12-22-22-08-23-05.etl' and a file 'user-not-present-trace-2018-12-22-09-02-18.etl'.

That is, when the system hibernates a new file 'ScreenOnPowerStudyTraceSession-YYYY-MM-DD-HH-MM-SS.etl' is generated at the same moment of hibernation and when the system is reactivated, before the user makes the login effective, another file 'user-not-present-trace-YYYYYY-MM-DD-HH-MM-SS.etl' is generated.

At 09.13 hours I disconnect the power cable from the computer to force a sudden shutdown. I start the equipment at 09.25 hours. The login screen appears at 09.26 hours, but I don't do it until 09.28 hours. Here I find that the file 'UserNotPresentSession.etl', again, has been modified and has returned to its original size of 64 KB. I find myself with a new file 'abnormal-shutdown-user-not-present-trace-2018-12-22-09-25-40.etl', which contains exactly the size of the previous file 'UserNotPresentSession.etl'. I also find a new file 'ScreenOnPowerStudyTraceSession-2018-12-22-09-25-59.etl'.

That is to say, when a sudden system shutdown occurs, the original 'UserNotPresentSession.etl' file is renamed by another new file 'abnormal-shutdown-user-not-present-trace-YYYY-MM-DD-HH-MM-SS.etl', which contains in its name the date of the start of the computer, after disconnection, and keeps the modification date that corresponds to the date of the last system boot, before disconnection. The system 'creates' another file 'UserNotPresentSession.etl', with the date of the computer boot modification, and with its default size. And the system also creates another file 'abnormal-shutdown-user-not-present-trace-YYYY-MM-DD-HH-MM-SS.etl', with the date of the computer boot.

I carry out the same operation, but this time from the button of the computer, in case it could act differently from the previous one. I do not turn on the equipment until 08.27 hours the following day, (23 December 2018). Remember that the date the system was last switched on was at 00.12 hours. After logging into the system, I find myself in the same situation as before. The original file 'UserNotPresentSession.etl' is renamed to 'abnormal-shutdown-user-not-present-trace-2018-12-23-08-27-36.etl', which presents in its modification date the date of the last system start-up, prior to the sudden shutdown, and in its own name the date of start-up, after the sudden shutdown. A new file 'UserNotPresentSession.etl' is 'created'. And a new file is generated 'abnormal-shutdown-user-not-present-trace-2018-12-23-08-27-44.etl', which presents in its name the date of the last on, after the disconnection.

This has already answered the question I decided to write this article about: When does Windows understand that the user is not present? When and how are the files generated inside the 'SleepStudy' and 'ScreenOn' folders?

But let's go one step further...

Comprehending, understanding and interpreting data

The 'SleepStudy' folder, with its first files 'UserNotPresentSession.etl' and 'ScreenOnPowerStudyTraceSession-YYYYY-MM-DD-HH-MM-SS.etl', is created on the same date that the System was installed on the computer.

The file 'UserNotPresentSession.etl' is unique and the system will always work on it, with the creation date as a reference, with an initial size of 64 KB. This means that this file is not deleted with every shutdown and power-up of the computer. It is only modified and updated with each system boot for each session, (which does not mean for each user login). In other words, the file 'UserNotPresentSession.etl' will tell us when the system was installed and when the computer was last booted, based on its creation and modification dates respectively.

The files 'user-not-present-trace-YYYY-MM-DD-HH-MM-SS.etl' vary in size, depending on the information they contain. They can be traced back from the installation of the System itself and will always contain, both in their time stamps and in their name, the date on which the user has resumed activity with the System, after a period of inactivity.

ScreenOnPowerStudyTraceSession-YYYYY-MM-DD-HH-MM-SS.etl' files, when processed by the system, will always have a size of 64 KB. These files are updated, complementing its information, as new files are generated, one with the other. Once a trace record of this type has been saved to generate another one, it becomes 128 KB in size. All successfully recorded 'ScreenOnPowerStudyTraceSession-YYYY-MM-DD-HH-MM-SS.etl' files are 128KB in size. However, if there is an electrical disconnection of the computer it will not finish its tracking process and will still maintain its size of 64 KB. So, if we find a file, other than the one the system is using, with a size of 64 KB, we can determine that there has been a sudden shutdown of the system. If we look at the creation and modification dates we can understand how one file complements another, because the creation date of the new file will coincide with the modification date of the other file, which has a size of 128 KB. These files are generated every time the system is started (without the need to log in), and every time the computer screen is turned off, (whether by programming, suspension, hibernation or shutdown), or every time the charger is connected and disconnected, in the case of a portable computer. In other words, the file 'ScreenOnPowerStudyTraceSession-YYYYY-MM-DD-HH-MM-SS.etl' will indicate when the system has entered the new standby mode and when the equipment has been started. 

The 'abnormal-shutdown-user-not-present-trace-YYYY-MM-DD-HH-MM-SS.etl' files are nothing more than the last 'UserNotPresentSession' file, which has been renamed after a sudden shutdown. These files will display in its own name the date of the boot after disconnection and in its modified date they will display the date of the last boot before disconnection.

Let's go back for a moment to the report generated by the 'SleepStudy' utility and let's pay attention to some details. Because these files are fed from different resources and sources.

On 21 December, at 18.06.25, the team was suspended for a period of 45.43 minutes. Activity was resumed in the system at 18.52.41 hours. This coincides with the generation of the files 'ScreenOnPowerStudyTraceSession-2018-12-21-18-06-25.etl', when it goes into suspension, and 'user-not-present-trace-2018-12-21-18-52-05.etl', when activity in the system is resumed. If we select the date when the system goes into suspension, it will take us to the 'System Power State: Standby' section. In this section the first thing that is appreciated is that its information comes from the 'Event Viewer Logger', located in "C:\Windows\System32\winevt". And we can find all the session information related to that trace record.

If we go to the next section, 'System Power State: Active', when the activity in the system is resumed, the first thing we see is that its information comes from 'SRUM database', located in "C:\Windows\System32\sru". And from that section we get applications and services that were running at that time, with the user who caused them.

The file 'SRUDB.dat' can be analyzed very easily with the tool 'srum_dump'.

It stores, among other things, all executables that have been opened, indicating the user profile that has opened it.

Regarding the analysis of these files, in my opinion, I think the best way to do it is with the 'ETLParser' tool. This tool can parse all files within a directory. But, if we have some date, some event that interests us, something, why not extract the files that interest us and introduce them, one by one, in a separate folder?

Its operation is simple, by means of the system symbol. And the result will be a file '.csv' and a database '.sqlite'. Both files are very easy to process. For example, I'm in favor of using 'Timeline Explorer' to open the generated '.csv' file. At first, with small searches, the data obtained can be processes running in that tracking session, with the user who caused them. 

Including executables opened from other external units.

Or information about the disks installed in the system.

Thus, if we continue with the example of the suspension of the system in which the activity is resumed at 18.52 hours on December 21 and we proceed to analyze the file 'user-not-present-trace-2018-12-21-18-52-05.etl', we find, by way of example, names of applications that present their execution route; a time stamp that contains the exact date in which the equipment went into suspension; the name of the event, which in this case indicates that the suspension of the applications begins; the provider that the information... You can find a lot of information, very useful, (I do not want to go too deep into it).


In my opinion, knowing how the 'SleepStudy' folder works and its contents, as well as knowing the exact moment when the different tracking files are generated, is something really useful and interesting. Firstly, we can relate the own time stamps of all those files that have been generated. If we contrast the information obtained with the information provided by the Windows Registry itself, through, above all, the last shutdown and login dates, we can understand much better what type of activity a system has had. When was the System last shut down? When was the computer turned on?When was the login effective in the System? When was it suspended? When was the activity resumed? What was running during 'X' inactivity time? Was there any new application open when the activity resumed in the System? Has an external unit been connected during the different states of the different sessions?... I believe that all these questions can be answered with the timely study of these tracking files. I faithfully believe that studying the time stamps of these '.etl' files and analysing its content will help us to understand the famous question: What happened?

That's all.

No hay comentarios:

Publicar un comentario