Deleted Files

Just like a fingerprint, a file can leave behind evidential traces, well after it has been deleted. Here we explore what kinds of information can be recovered after a file has been deleted. Take for example a business owner suspicious of their ex-employee. The owner believed their ex-employee took sensitive information and copied it into …

Prefetch

Windows creates a prefetch file whenever an application is run for the very first time; this helps speed up loading times for that application. For an investigator, these files allow in-depth analysis of a user's application history. Knowing when and what applications were executed can provide an understanding of the intent of the …

Shellbags

On a Windows computer, everything related to a user's preferences in Windows Explorer is kept in a file known as a Shellbag. A Shellbag stores data such as what sort order the files are in and whether icons, lists or details are displayed. Accordingly, you can determine whether a folder has ever been accessed by …

Jump Lists

Jump lists are a feature of the Windows Taskbar and Start Menu, allowing a user to quickly access common tasks and files associated with a program by right-clicking on the program. Windows records a history of these recently accessed files, even when it is not directly viewable by the user. Jump lists can provide us with …

Accessing of Files and Folders

When a user accesses a file or folder, the operating system records information in a range of different locations. Each of these unique artifacts provides information that can be used as evidence in both forensic investigations and incident response matters. Some examples of the evidence that can be found when analysing artifacts are: Determining if and …

Windows Event Logs

Windows event logs are the gold standard when it comes to forensic and incident response investigations, as they contain vast records of activity on a system. Event logs are split into three categories: application, security and system. Some of the key event log artifacts we commonly analyse during a forensic investigation include: Authentication Events, Logon …

USB Devices – Tracing Usage

When everything is ones and zeros, how do we locate meaningful evidence relating to the unauthorised use of USB devices? There are four key identifiers we search for, as follows: Volume Name, Drive Letter, Volume Serial Number, Device Serial Number. Volume Name: The volume name is simply a name the user gives a ‘volume’ or ‘partition’, and there …

Shortcut (LNK) Files

Shortcut files, also known as LNK files, are created by Windows automatically whenever a user opens a file. They allow the operating system to quickly and securely access a file. In some cases a LNK file is created by the user for quick access to a location. A LNK file contains metadata that can then …

Dates and Times

When sifting through the evidence of USB devices on a machine, an important factor is identifying when each device was used. This is a key part of putting a user behind the keyboard or when we need to be able to correlate the USB activity to other personally identifying activity on the device. The first …