Timezone

The analysis of artifacts and their timestamps is extremely useful in piecing together what occurred on a computer system. Almost every forensic artifact carries date and time information, such as the last modified date of a document, the date of a user login, or the duration that a certain connection was in place. These times …

Thumbnails

As is often the case, Windows features can end up being useful evidence to forensic examiners. For example, the Windows operating system makes the experience of viewing files in Windows Explorer smoother by using ‘thumbnails’ of images. When examining images, we often rely on “thumbs.db” files and the “thumbcache”, both of which serve generally the …

Deleted Files

Just like a fingerprint, a file can leave behind evidential traces well after it has been deleted. Here we explore what kinds of information can be recovered after a file has been deleted. Take, for example, a business owner suspicious of their ex-employee. The owner believed their ex-employee took sensitive information and copied it into …

Prefetch

Windows creates prefetch files whenever any application is run for the very first time; this helps speed up the loading times for an application. For an investigator, this allows for in-depth analysis of a user's application history. Knowing when and what applications are executed can provide an understanding of the intent of the …

Shellbags

On a Windows computer, everything related to a user's preferences in Windows Explorer is kept in a file known as a Shellbag. A Shellbag stores data such as what sort order the files are in and whether icons, lists or details are displayed. Accordingly, you can determine whether a folder has ever been accessed by …

Jump Lists

Jump lists are a feature of the Windows Taskbar and Start Menu, allowing a user to quickly access common tasks and files associated with a program by right-clicking on the program. Windows stores a history of these recently accessed files, even when it is not directly viewable by the user. Jump lists can provide us with …

Accessing of Files and Folders

When a user accesses a file or folder, the operating system records information in a range of different locations. Each of these unique artifacts provides information that can be used as evidence in both forensic investigations and incident response matters. Some examples of the evidence that can be found when analysing artifacts are: Determining if and …

Windows Event Logs

Windows event logs are the gold standard when it comes to forensic and incident response investigations, as they contain vast records of activity on a system. Event logs are split into three categories: application, security and system. Some of the key event log artifacts we commonly analyse during a forensic investigation include: Authentication Events, Logon …

USB Devices – Tracing Usage

When everything is ones and zeros, how do we locate meaningful evidence relating to the unauthorised use of USB devices? There are four key identifiers we search for: Volume Name, Drive Letter, Volume Serial Number and Device Serial Number. Volume Name: the volume name is simply a name the user gives a ‘volume’ or ‘partition’, and there …