March 3, 2015 in Forensic Analysis
One of the lesser known features of Windows 8 was an introduction of Parental Control. The idea is that you can change an account type to one that can be used by children. Such account can be then both managed by parents and also (what’s very interesting) regularly monitored.
I was curious what it means from a forensic perspective and did a quick test to see what I can find out.
How to set it up?
- Create a new account.
- Tick the box to mark it as child’s account
- You are done.
- You can go to Account / User settings and set up the Family Safety options + activity reporting. By default, it’s all enabled.
- Simply log off as a current user and log on as a child’s account
- What you will immediately see after logging on is a notification in the right corner of the screen saying ‘This account is monitored by Family Safety’
- Run a couple of apps
Note: I didn’t test the web sites in this test; I am not 100% sure, but setting modification are probably traced as well – it’s all subject to further research
In my case I ran:
- cmd.exe, from there I ran calc.exe and spawned another copy of cmd.exe
- In the new cmd.exe I ran notepad and again, started a new instance of cmd.exe
- In the final cmd.exe instance, I launched mspaint/pbrush.exe
- Eventually I also launched Task Manager via CTRL+SHIFT+ESC
- I ran it this way hoping that PID relationship will be preserved
Analyzing the evidence
- I then logged off and logged on as Admin user to review the logs
- I went to the User Settings again and… saw this:
- That was surprising
- I started Process Monitor and went back to the logs.
- Luckily, Process Monitor highlighted a file of interest:
- Now it was easy. I opened it up in MMC:
- Looks like the Built-in reviewing panel ignores some Windows applications.
- While reviewing the data in MMC I noticed the events are NOT sorted according to time (granularity of time is too low and all timestamps are ‘equal'; this is kinda… stupid)
- Exporting to CSV and TSV doesn’t help as timestamps are truncated to granularity of seconds
- Exporting to XML does help as timestamps are preserved with fractions e.g. 2015-03-03T17:21:49.447501700Z so we can use it to sort events properly
- You can export the logs to an XML file via command line using wevtutil
wevtutil qe /lf “c:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx” > xml
- Once you parse this data and cherry-pick what you need you can end up with a table as below (I loaded it into Excel and sorted it by time):
Nice! So we got the log of all applications loaded during the test and following the sequence as listed earlier.
The SerializedApplication column contains a serialized pair of a full path to an executable followed by the window title of the application. The serialization seems to be based on an alphabet made up of 0-9a-z and each string is prefixed with two characters that represent the length of the string.
The best is to explain it via examples:
000000000000000000000000000000000000111111111111111111111111111111111111 0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz 05Paint 07Notepad 0nFirst Sign-in Animation 0pWindows Command Processor 0vc:\windows\system32\notepad.exe 17c:\windows\system32\oobe\firstlogonanim.exe
I am not sure what TimeUsed means.
Parents can specify what apps can be ran by a child. There is also a way to block content according to rating & only allow certain list of websites (web filtering). In other words, it can work as a (kinda primitive) security control to limit access to both web sites and applications. Other options include time limits and game usage restrictions.
Configuration of Parental Control is preserved under the following key:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls
Adding filters for web means that the entries will be created under the following key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls\Users\<SID>\Web\Overrides
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls\Users\<SID>\DesktopApps
With the filtering on, we got yet another artifact to look at which may be handy in determining what applications have been used on the system and when.