Data Recovery, File Systems, Forensics 101, Mobile Devices

Windows 8 File History Analysis

1. What is File History

File History is a new backup service introduced in Windows 8. By default this feature is off and to turn it on, user has to select a backup location – either a network drive or external storage media. Thus, it does not allow user to use the same disk. File History backs up files of the Libraries, Desktop, Contacts and Favorites folders. There is an option to exclude any folder(s) that users don’t want to backup. Notice that File History is unable to backup your folders synced with cloud storage service(s). According to Microsoft, “File History doesn’t back up files on your PC that you have synced with SkyDrive, even if they’re in folders that File History backs up.” Once turned on, File History automatically backs up the folders after every hour by default; however this interval can be changed easily in advanced settings. In addition, at any time, user can manually run the service. File History appears as fhsvc in the Task Manager and some associated dlls are fhcfg.dll, fhcpl.dll and fhsvcctl.dll.

1.1. How Does File History Work?

The idea behind backing up through File History is to trace USN journal. USN stands for Unified Sequence Number. It is a way to record changes on NTFS volumes. Though it is an old feature of Windows file-system but the idea of using it to backup is new and introduced in Windows 8 in the form of File History. Information that USN journal holds are USN date, MFT entry, Sequence Number, parent MFT, USN number, attributes, filename and type change. It does not contain file content or path. Note that the File History keeps a track of changed files by appending the timestamp in a file name. It has a database of files for example, MyABC.doc under Documents would be saved as:

MyABC (2013_10_03 03_37_37).doc

MyABC (2013-11_03 04_55_20).doc

This way it maintains a log of files along with their versions. Files are backed up on an external media or a network share folder. A user can manually turn ON and OFF the File History backup at will. If the external device is connected and the File History option is turned on, it will check the files after every 3600 seconds (1 hour) by default. A user has different options to set backup frequency between every 10 minutes to daily (i.e. every 24 hours). File History service (fhsvc) runs in the background, waking up at defined time interval and checks for a USN change. Two working possibilities when File History is ON are discussed below.

CASE 1- When the backup drive is available

If the external/network drive is available, it backs up the new copies of modified files to the given drive unlike saving only the modified content in case of differential backup. Therefore, it is certainly a space eating process. Remember that File History keeps a track of changed files by appending the timestamp in a file name.

CASE 2- When the backup drive is not connected or network drive is offline

One cannot turn on the File History from the OFF state if the drive is not selected but if the service is in ON state and one removes the drive, File History starts caching the changed file version and when the drive becomes available, it dumps the cache to the drive and flushes the cache. Examining of this cache folder might be useful to see previous version of the file.

1.2. Cache Examination

File History caches different versions of files when the backup media storage is temporarily unavailable/offline. Once the media is connected and service is run again, it flushes all cache to that media. A user has an option to choose offline cache size. It ranges from 2% to 20% of the disk. The default size is 5% of the disk. The important question from a forensic examiner perspective is that where is this cache located and how to examine it? It is located at C:\Users\(username)\AppData\Local\Microsoft\Windows\FileHistory\Data. A new cache folder is created every time File History service checks for update and each folder is named as  number in sequence. For example folder 30, 31, 32 etc, which contain only the files/folders changed since the last check.

The cache folders get their name in sequence. In the case where File History doesn’t see any change it just skips that folder number. For instance, assume a case where the File History saving copies of Documents after every 10 minutes. Initially the File History was saving files on an external live media. Then the media was pulled out at 10:30 AM. At 10:33 AM, user modifies a test.docx in Documents and saves it. We notice that a folder name 30 is created at 10:37 AM containing test.docx. After 5 minutes, user does some modifications and saves test.docx again. Another folder 31 is created at 10:47 (right after 10 minutes), storing the changed version of the file. Then for next 30 minutes no changes were made, no new folder appears. After 30 minutes, user modifies the same docx once again and this time a new folder 34 was created. Why 34? If we do math here; 30 minutes period accommodates 3 versions if backup time is set to 10 minutes (30/10 = 3). Now add 3 to the last version i.e. 31+3=34. Thus, even if no new folder appeared and it jumped from 31 to 34 indicating that it kept a record of all those periods even when no changes were made. A forensic analyst can review these folders in sequence to speculate when and what changes were made by looking at cache folders.

2. Volume Shadow copy Service

Advent of File History does not replace Volume Shadow copy Service (VSS) completely in Windows 8. Creation of restore points still count on VSS service. However, the difference is, in Windows 7, user had an option to list ‘Previous Versions’ of a file/folder resulted after every restore but in Windows 8, this facility has been taken away. Thus one can no longer use it for documents recovery purpose. In the next section, we are going to compare File History and VSS in older versions of Windows.

3. Volume Shadow vs. File History

Both backup services work on different principles. Some of the main differences are highlighted below.

Volume Shadow copy Service

File History

Not suitable for recovering user created files and folders like documents, pictures and music because it runs less frequently Targets mainly user created files and folders e.g. Libraries, Desktop, Contacts and Favorites. Backups after every hour by default therefore is more reliable.
No limitation of backing up files/folders on the drive. It backs-up almost entire HDD. Limitation of backing up only files under certain folders i.e. Libraries, Desktop, Contacts and Favorites.
Used for both user files backup and system backup (e.g. registry and system files). Only for user files backup. Users still rely on VSS for system backup.
Takes the snapshot of the entire file-system and saves the modified content only. Employs USN journal feature to compare files and save the modified version with a new name.
Utilizes the space smartly since VSS saves only the modified content (differential backup) In case of any change, File History saves entire files and eats up more space.
Typically saves the copies on local disk. Meant to save the copies on external storage media.

Table 1

4. File History Folder on Disk

File History  folder exists both on the external drive and local disk but in this section, we are going to discuss about the one present on the local disk. The default location of this folder is  C:\Users\(username)\AppData\Local\Microsoft\Windows\FileHistory. This folder is absent if the user never used a File History feature (assuming user did not manually delete it after it was created). There are two sub-folders in the File History, namely, Configuration and Data. Data folder is typically empty and Configuration folder have several files (as shown in the chart below).

F1

4.1. File History – Timestamp Examination

Our examination shows that the modified time of the FileHistory folder is the one when the service was first run. Config files are usually modified when there is any modification of configuration data that it records such as File History service is OFF or ON, external drive, backup folders, backup interval etc. Catalog files are database type files and according to our understanding, it contains the list of the name and path information regarding backup files and folders. These files are typically updated when the service is run. Timestamp examination might provide important clues from forensic point of view.

4.2. Configuration Folder

Appears to hold two index database files (.edb) and two configuration files (.xml).

4.3. Data Folder

Appears to be a staging area.

5. File History – Config File Examination

Below is given a sample Config file (with mostly default settings). This file contains a great deal of information regarding File History. Following section will discuss how this file can be helpful in answering some of the investigative questions.

<?xml version=”1.0″ encoding=”UTF-8″?>
<DataProtectionUserConfig SchemaVersion=”1″>
<UserName>Username</UserName>
<FriendlyName>Username</FriendlyName>
<PCName>V-FIT</PCName>
<UserId>9902c0a7-195d-95de-9e6c-ce4c87e3161e</UserId>
<Library>
<LibraryName>Desktop</LibraryName>
<Folder>C:\Users\Username\Desktop</Folder>
</Library>
<Library>
<LibraryName>*7b0db17d-9cd2-4a93-9733-46cc89022e7c</LibraryName>
<Folder>C:\Users\Username\Documents</Folder>
<Folder>C:\Users\Public\Documents</Folder>
</Library>
<Library>
<LibraryName>*2112ab0a-c86a-4ffe-a368-0de96e47012e</LibraryName>
<Folder>C:\Users\Username\Music</Folder>
<Folder>C:\Users\Public\Music</Folder>
</Library>
<Library>
<LibraryName>*a990ae9f-a03b-4e80-94bc-9912d7504104</LibraryName>
<Folder>C:\Users\Username\Pictures</Folder>
<Folder>C:\Users\Public\Pictures</Folder>
</Library>
<Library>
<LibraryName>*491e922f-5643-4af4-a7eb-4e7a138d8174</LibraryName>
<Folder>C:\Users\Username\Videos</Folder>
<Folder>C:\Users\Public\Videos</Folder>
</Library>
<UserFolder>C:\Users\Username\Contacts</UserFolder>
<UserFolder>C:\Users\Username\Desktop</UserFolder>
<UserFolder>C:\Users\Username\Favorites</UserFolder>
<LocalCatalogPath1>C:\Users\Username\AppData\Local\Microsoft\Windows\FileHistory\Configuration\Catalog1.edb</LocalCatalogPath1>
<LocalCatalogPath2>C:\Users\Username\AppData\Local\Microsoft\Windows\FileHistory\Configuration\Catalog2.edb</LocalCatalogPath2>
<StagingArea>      <StagingAreaPath>C:\Users\Username\AppData\Local\Microsoft\Windows\FileHistory\Data</StagingAreaPath>
<StagingAreaMaximumCapacity>23736614707</StagingAreaMaximumCapacity>
<StagingAreaWarningThreshold>17802461030</StagingAreaWarningThreshold>
</StagingArea>
<AvailabilityPolicies>
<TargetAbsenceTime>5</TargetAbsenceTime>
<TimeInUnprotectedState>3</TimeInUnprotectedState>
</AvailabilityPolicies>
<RetentionPolicies>
<RetentionPolicyType>DISABLED</RetentionPolicyType>
<MinimumRetentionAge>3</MinimumRetentionAge>
</RetentionPolicies>
<DPFrequency>3600</DPFrequency>
<DPStatus>DISABLED</DPStatus>
<Target>
<TargetName>TOSHIBA EXT</TargetName>
<TargetUrl>H:\</TargetUrl>
<TargetVolumePath>\\?\Volume{174bfe69-2583-11e3-bea0-0c84dcebc4ca}\</TargetVolumePath>
<TargetDriveType>FIXED</TargetDriveType>
<TargetConfigPath1>Username\V-FIT\Configuration\Config1.xml</TargetConfigPath1>
<TargetConfigPath2>Username\V-FIT\Configuration\Config2.xml</TargetConfigPath2>
<TargetCatalogPath1>Username\V-FIT\Configuration\Catalog1.edb</TargetCatalogPath1>
<TargetCatalogPath2>Username\V-FIT\Configuration\Catalog2.edb</TargetCatalogPath2>
<TargetBackupStorePath>Username\V-FIT\Data</TargetBackupStorePath>
<TargetWarningThreshold>98</TargetWarningThreshold>
</Target>
</DataProtectionUserConfig>
Sample config file

6. File History – Registry Examination

Registry could be a good place to find potential evidence related to FileHistory on or off, last backup time etc; three of them are mentioned as follows.

1- Upon turning on the File History, a value C:\Users\Username\AppData\Local\Microsoft\Windows\FileHistory\Configuration\Config gets added with data  0×00000001, inside the key HKLM\SYSTEM\CurrentControlSet\Services\fhsvc\Parameters\Configs. It disappears when the service is turned off.

2- There is another registry key that can be used to determine the state (ON or OFF) of the File History is

HKLM\SYSTEM\CurrentControlSet\Services\fhsvc\Start: 0×00000003 (OFF)

HKLM\SYSTEM\CurrentControlSet\Services\fhsvc\Start: 0×00000002 (ON)

3- Registry analysis can also let the examiner know about last backup time. The registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FileHistory contains a value ‘ProtectedUpToTime’ with timestamp data in 64 bit hex value big endian format.

7. File History – Event Log Examination

Examination of event logs could be a vital step in timeline analysis and co-relating the findings. Log files related to File History can be found in Applications and Service Logs -> Microsoft -> Windows. We found following two interesting event files:

  • WHC under FileHistory-Core
  • File History Backup Log under FileHistory-Engine

The entries of Information level in WHC appears whenever File History runs, stops, turns off or on. On the other hand, File History Backup Log records warnings or error messages, for instance, file was not backed up due to xyz error, unusual condition was encountered during finalization of a backup cycle for configuration, unable to scan user libraries for changes and perform backup of modified files for configuration.

8. Forensic Analysis

In the this section, we are going to wrap up the topic by answering some questions possibly raised in any investigation.

8.1. When did the File History first run?

The modified time of the folder FileHistory noticed to be the time when the FileHistory option was turned on for the first time. According to our observation, it remains unmodified (Refer section 5.1). If user deletes this folder and run the File History option again, a new FileHistory folder is created with the modified time same as the creation time and of course that would not reflect the original time when File History was first run.

8.2. What is the current state of service, ON or OFF?

This information can be extracted from the registry examination (discussed in section 7) and also from the config file examination (refer to sample config in section 6). Value of DPStatus is DISABLED when the current state of File History is off, otherwise ENABLED.

F2

8.3. When did the File History last run?

Looking at timestamps give some idea of the activity but verifying your findings by other means is very important in any examination. Turning ON or running the File History usually updates the modified time of config files as well as catalog files. Another place to check the timestamp of last time the backup run is registry (refer to section 7). But note that these timestamps might NOT match. Since running the service does not necessarily backs up, one might STOP the service OR run the service when the drive is disconnected. In such cases, you will notice discrepancy. One should also check out event logs to verify (refer to section 8).

8.4. When did the File History last back up?

The registry key, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FileHistory provides a timestamp when the system performed a successful backup. Again, it is not necessary that File History run time is same as File History backup time, since one may pause or stop the process in the middle. Probably, this is why the value of the registry key is especially named as ‘ProtectedUpToTime’ (see Figure 2 and Figure 3). Also check event logs (refer it section 8).

F3

The value of the ProtectedUpToTime can be decoded using DCode tool.

F4

8.5. What is the name and type of device used to back up?

Config file contains the information about the backup device name, type, url etc. In our case, TOSHIBA is the name of the external drive and H: is the drive letter (illustrated in Figure 2).

8.6. What is the time set for automatic trigger?

DPFrequency is the field in the config file that defines the time after which the backup process repeats automatically. The time is saved is in seconds. By default, the DPFrequency is 3600 (60*60=1 hr), shown in Figure 2.

8.7. Which folders are set to be backed up?

The answer to this question can also be found in the config file. Given below is an example, refer to sample config in section 6 for complete list of folders.

<Library>
<LibraryName>Desktop</LibraryName>
<Folder>C:\Users\Username\Desktop</Folder>
</Library>
<Library>
<LibraryName>*7b0db17d-9cd2-4a93-9733-46cc89022e7c</LibraryName>
<Folder>C:\Users\Username\Documents</Folder>
<Folder>C:\Users\Public\Documents</Folder>
<UserFolder>C:\Users\Username\Contacts</UserFolder>
<UserFolder>C:\Users\Username\Desktop</UserFolder>

8.8. What is the retention policy?

Check out config file for this information as well. By default it is ‘Forever’ and that means retention policy is DISABLED.

<RetentionPolicies>
<RetentionPolicyType>DISABLED</RetentionPolicyType>
<MinimumRetentionAge>1</MinimumRetentionAge>
</RetentionPolicies>

If one changes the policy to let say 1 year, it would reflect on the config file as follows.

RetentionPolicies>
<RetentionPolicyType>AGELIMIT</RetentionPolicyType>
<MinimumRetentionAge>12</MinimumRetentionAge>
</RetentionPolicies>

9. Closure

This article studies Windows 8 File History and compares it with Volume Shadow Service. It examines various artifacts including cache and registry linked with File History service to answer some basic investigative questions. It also talks about event log analysis briefly. The purpose of this research is to reinforce the importance of File History examination and draw a parallel between different artifacts to connect the dots.

10. References

Bright, P. (2012, July 10). A step back in time with Windows 8′s File History. Retrieved November 20, 2013, from ars technica: http://arstechnica.com/information-technology/2012/07/a-step-back-in-time-with-windows-8s-file-history/

Microsoft. (2013, November 16). New File History feature. Retrieved November 17, 2013, from Windows Dev Center-Desktop: http://msdn.microsoft.com/en-us/library/windows/desktop/hh848055(v=vs.85).aspx

Microsoft. (n.d.). Set up a drive for File History. Retrieved November 13, 2013, from Windows: http://windows.microsoft.com/en-us/windows-8/set-drive-file-history

OMeally, Y. (2009, April 21). Technet Blogs. Retrieved November 10, 2013, from System Center Configuration Manager Team Blog: http://blogs.technet.com/b/configmgrteam/archive/2009/04/21/how-configuration-manager-backup-uses-the-volume-shadow-copy-service.aspx

Sinofsky, S. ( 2012 , July 10). MSDN Blogs . Retrieved November 15, 2013, from Protecting user files with File History: http://blogs.msdn.com/b/b8/archive/2012/07/10/protecting-user-files-with-file-history.aspx

About Nasa Quba & Kausar Khizra

Nasa Quba and Kausar Khizra graduated from University of Central Florida with MS degree in Digital Forensics. They are addicted to learn and work on diverse challenging projects and spread the knowledge to society.

Discussion

4 thoughts on “Windows 8 File History Analysis

  1. If you were to use ilooKIX and select VSS and XFR as a post process, you will recover the volume shadow and deleted previous VSS. It may not recover all deleted VSS, but other solutions don’t see any…….

    Posted by Ian Brownlie | November 26, 2013, 1:04 pm
  2. Thanks for your helpful research.. I am sure this will come in handy.

    Posted by rjpear | November 29, 2013, 2:05 pm

Trackbacks/Pingbacks

  1. Pingback: Daily Blog #160: Saturday Reading 11/30/13 : Learn DFIR - December 1, 2013

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 2,043 other followers

%d bloggers like this: