|Figure 1 - Compact.exe and its command usage info|
The command 'compact /exe <file>' will compress any file (not just EXE files).
Let's get to the point: how does this impact forensics?
Well, as of now, no tools will recognize and decompress these files. Hence, you cannot read, keyword search or extract these files in their original uncompressed form.
Here is a list of tools tested so far:
| Tool | Version | Support (as of 10/26/2016) |
|---|---|---|
How it works?
System compression utilizes reparse points and creates a new Alternate Data Stream (ADS) named 'WofCompressedData'. The compressed data is stored in this stream. Reparse points are an NTFS feature that allows custom implementations like this one. However, this also means that other applications which are not aware of this custom implementation will not be able to read or write that file. In EnCase (or other forensic tools), you can see the file and the WofCompressedData stream. Clicking on the file just shows its contents as all zeroes. Clicking on the stream gives you the compressed data, but as of now there is no automatic, transparent decompression (as there is for NTFS compressed files). This is seen in the screenshot below.
Note - This isn't to be confused with WOFF compression, which is a compression scheme used in Web Open Font Format!
|Figure 2 - Encase shows the WofCompressedData stream. The file's original data was all text.|
|Figure 3 - Files DW20.exe and upgrader_default.log are compressed here|
|Figure 3 - Notepad trying to view upgrader_default.log file (which is compressed)|
Workarounds (till support is added by tool developers)
For Linux
If you use SIFT or another Linux system to do your forensics, the fix is simple. A few months back, Eric Biggers wrote a plugin to handle this. It is a plugin to the ntfs-3g FUSE driver, and it is available here: https://github.com/ebiggers/ntfs-3g-system-compression
For this, you will first need to download, compile and install the latest version of the ntfs-3g driver (but not from Tuxera, that one is missing a file!); then proceed to download, compile and install the above mentioned plugin. You can get this working on SIFT with roughly the following steps:
1. Download the latest ntfs-3g source archive (not the Tuxera download, for the reason given above).
2. Unzip and extract the file downloaded.
3. Open Terminal and browse to the extracted folder.
4. Compile and install using these commands (run one after the other):
    ./configure
    make
    sudo make install
5. Go to https://github.com/ebiggers/ntfs-3g-system-compression and download the entire code as a zip file.
6. Unzip and extract the archive.
7. Open Terminal and browse to the extracted folder.
8. A few more tools need to be installed to compile this, so run the following commands:
    sudo apt-get update
    sudo apt-get install autoconf automake libtool
9. Run the following commands to generate a configure script (autoreconf is the autotools command that produces it):
    mkdir m4
    autoreconf -i
10. Compile and install:
    ./configure
    make
    sudo make install
11. If all went well (without errors), you are done!
Now you should be able to view and read those files normally, all decompression is handled on the fly automatically!
|Figure 4 - No errors seen listing or reading files after installing the system compression plugin|
For Windows
If you use Windows as your host machine for forensics processing, then you should only use a Windows 10 machine for processing evidence files that contain Windows 10 images. This applies to tasks such as antivirus scanning, where you would typically share the entire disk out using disk emulation (if you use EnCase), which allows Windows to parse and interpret the disk. Reading system compressed files this way only works if the host system is Windows 10.
If you are looking to identify the system compressed files, you could filter on all files that have an ADS named 'WofCompressedData'.
Fortunately, by default Windows only compresses system files (EXE/DLL files under Windows and System32) and not user files, so you should mostly be fine. However, users can compress any file manually using the compact command.
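The two artifacts described above (the reparse point and the 'WofCompressedData' stream) are enough to identify system compressed files and to locate the compressed chunks inside the stream, even before a tool can decompress them. The following is an added example written for this post, not the post's own code or the ntfs-3g plugin's: it decodes the WOF reparse data, applies the 'WofCompressedData' filter from the Windows section to a set of constructed file records, and walks the chunk table of a constructed stream. The constants come from winioctl.h (IO_REPARSE_TAG_WOF, WOF_PROVIDER_FILE, the FILE_PROVIDER_COMPRESSION_* values); the chunk-table layout is as implemented by the ntfs-3g system-compression plugin and should be treated as an assumption to check against that source. It does not decompress XPRESS/LZX chunks.

```python
"""
Added example (not from the original post): recognise Windows 10 system
compressed (WOF) files from the reparse point and the 'WofCompressedData'
ADS, and walk the chunk table inside that stream. Layouts follow winioctl.h
and the ntfs-3g system-compression plugin; all sample data is constructed.
"""
import struct

IO_REPARSE_TAG_WOF = 0x80000017          # reparse tag used by the WOF filter
WOF_PROVIDER_FILE = 2                    # "file" provider == system compression
COMPRESSED_STREAM = "WofCompressedData"  # ADS that holds the compressed data

# FILE_PROVIDER_COMPRESSION_* value -> (name, chunk size the compressor uses)
ALGORITHMS = {0: ("XPRESS4K", 4096), 1: ("LZX", 32768),
              2: ("XPRESS8K", 8192), 3: ("XPRESS16K", 16384)}


def parse_wof_reparse_data(reparse_tag, reparse_data):
    """Decode the 16-byte reparse data of a system compressed file: four
    little-endian 32-bit words, WOF version (1), WOF provider (2 = file),
    provider info version (1), compression algorithm. Returns
    (name, chunk_size), or None if this is not a WOF file-provider point."""
    if reparse_tag != IO_REPARSE_TAG_WOF or len(reparse_data) < 16:
        return None
    wof_ver, provider, info_ver, algorithm = struct.unpack_from("<4I", reparse_data, 0)
    if wof_ver != 1 or provider != WOF_PROVIDER_FILE or info_ver != 1:
        return None
    if algorithm not in ALGORITHMS:
        raise ValueError("unknown WOF compression algorithm %d" % algorithm)
    return ALGORITHMS[algorithm]


def parse_chunk_table(stream, uncompressed_size, chunk_size):
    """Locate every chunk in a WofCompressedData stream (layout assumed from
    the ntfs-3g plugin): the stream opens with (num_chunks - 1) offsets,
    32-bit when the file is under 4 GiB else 64-bit, each the start of chunk
    i+1 relative to the end of the table (chunk 0 starts at 0). A chunk whose
    stored length equals its uncompressed length is stored raw. Returns a
    list of (absolute_offset, stored_length, is_raw)."""
    if uncompressed_size == 0:
        return []
    num_chunks = -(-uncompressed_size // chunk_size)   # ceiling division
    entry_fmt = "<%d%s" % (num_chunks - 1, "Q" if uncompressed_size > 0xFFFFFFFF else "I")
    table_len = struct.calcsize(entry_fmt)
    starts = [0] + list(struct.unpack_from(entry_fmt, stream, 0))
    data_len = len(stream) - table_len
    chunks = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < num_chunks else data_len
        original = min(chunk_size, uncompressed_size - i * chunk_size)
        stored = end - start
        if stored <= 0 or stored > original or end > data_len:
            raise ValueError("chunk %d has an invalid extent" % i)
        chunks.append((table_len + start, stored, stored == original))
    return chunks


def find_system_compressed(records):
    """Apply the post's rule to file records exported from a forensic tool
    (dicts with 'name', 'reparse_tag', 'reparse_data', 'streams'): flag any
    file carrying the WOF reparse point or the 'WofCompressedData' stream,
    and mark whether both artifacts are present."""
    hits = []
    for rec in records:
        info = parse_wof_reparse_data(rec.get("reparse_tag"), rec.get("reparse_data", b""))
        has_stream = COMPRESSED_STREAM in rec.get("streams", ())
        if info is None and not has_stream:
            continue
        hits.append({"name": rec["name"],
                     "algorithm": info[0] if info else None,
                     "consistent": info is not None and has_stream})
    return hits


def build_sample_stream():
    """Constructed stream for a 10000-byte XPRESS4K file: chunk 0 compresses
    to 1000 bytes, chunk 1 is stored raw (4096), the 1808-byte tail to 500."""
    table = struct.pack("<2I", 1000, 1000 + 4096)
    return table + b"\x11" * 1000 + b"\x22" * 4096 + b"\x33" * 500


SAMPLE_RECORDS = [  # constructed records, not real evidence
    {"name": "Windows/System32/DW20.exe", "reparse_tag": IO_REPARSE_TAG_WOF,
     "reparse_data": struct.pack("<4I", 1, 2, 1, 0), "streams": [COMPRESSED_STREAM]},
    {"name": "Users/bob/notes.txt", "reparse_tag": None, "reparse_data": b"",
     "streams": ["Zone.Identifier"]},
    {"name": "Windows/odd.dll", "reparse_tag": None, "reparse_data": b"",
     "streams": [COMPRESSED_STREAM]},   # stream present, reparse point missing
]

if __name__ == "__main__":
    for hit in find_system_compressed(SAMPLE_RECORDS):
        print(hit)
    for chunk in parse_chunk_table(build_sample_stream(), 10000, 4096):
        print(chunk)
```

In an investigation, the records would come from whatever your tool exports per file (reparse tag and data, plus ADS names); the "consistent" flag highlights files where only one of the two artifacts is present, which is worth a second look rather than an automatic verdict.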