6️⃣

Windows Forensics
Windows Artifacts

1- .lnk Files (Shortucts)

.lnk File : it is a data abject contains information that can be used access another data object , it is a metadata file
for Microsoft windows platform and interpreted by windows shell.

Metadata Found :

1. Path of target file 4. Network volume share name

2. the size of the target when it was last accessed 5. Distributed link tracking information

3. serial number of the volume where the target was 6. Different attributes(read-only, hidden,..)
stored.

Path:

1. C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent

2. C:\Users\%USERNAME%\Downloads

It contains the MAC time of the target file .

💡 when a file is created in a MS office and is first saved , a link file is created in Recent folder and Office Recent
folder , the one in Office Recent contains the embedded dates , but the one in Recent don’t

Tools : —>LECmd.exe
LECmd.exe -d "C:\..\ Recent " --csv "c:\temp" --html c:\temp --xml c:\temp\xml -q

2- ThumbCache
Thumbnails : when the user use the Thumbnails or Filmstrip views from the Windows folder viewing option , a
small thumbnail will be created and stored in a single file.

Forensic Value :

1. deleted pictrues with it’s version , and the file name and the date of last modificatoin. (cases related to photo)

Location :
C:\Users\[Username]\AppData\Local\Microsoft\Windows\Explorer

💡 Each Thumbcache has it’s own size , and Each size has a separate database
{thumbcache_32.db,thumbcache_256.db}

To map the pictures to the original path as the path dosen’t apper within the tools , you can
map the pictures from Extensible Storage Engine database located in
C:\ProgramData\Microsoft\search\Data\Applications\Windows only use esentutl.exe /p
.\Windows.edb

TOOLS —> thumbcache_viewer ,thumbs_viewer

3- Volume Shadow Copy

Windows Forensics 1
 Volume Shadow Copy Service : is a set of COM APIs that implements a framework to allow volume backups to be
performed while applications on a system continue to write to the volumes.

You can think of VSC a snapshot for a specific point back in time .

Mechanism :

1. VSC tracks changes to blocks of data on the disk rather than logical files in their entirely

2. when you mount the VSC , it will appear as a mirror of the whole contents of the volume that was monitored.

Windows limits the maximum disk space consumed by VSC snapshots is 5% of the volume size.

When they are created?

the VSS create snapshots based on

1. A service pack is installed 3. New driver is installed

2. Windows update is done 4. On a daily basis via scheduled tasks.

Forensic Value

recover {Files , registry keys, log entries,..}

Tools —> Vssadmin + mklink

1. cmd as administrator run vssadmin.exe list shadows To List All Shadow Copies

2. mklink /D demo \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

3. open

File History : Windows 8 introduced the file history backup which changes the way backups were used ,as the
backups in pervious versions could be only maintained using default system , but in Win8 the backups are stored
in removable media and remote network shares.

File History will back up {Libraries , Desktop items , Favorites,Contacts}

Forensic Value

1. Directories selected by user 4. Where the backups are stored

2. Pc name

Windows Forensics 2
 3. ID of User who did the backup

Location in Windows

C:\Users\%Username%\AppData\Local\Microsoft\Windows\FileHistroy\Data
C:\Users\%Username%\AppData\Local\Microsoft\Windows\FileHistroy\Configuration\

4- JumpLists
jumplists : are available on all taskbar icons for applications. Their purpose is to allow easy access to common
tasks for the given application.

Location

1. C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

2. C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

💡 AutomaticDestinations : are created by the operating systems , CustomDestinations : are created when a
user pins a file to an application via taskbar.

the details of applications that have been pinned to the taskbar are also recorded in registry
values Favorites , FavoritesResolve in
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband

there are other locations needed to be checked such as

1. C:\Users\%USERNAME%\AppData\Roaming\Microsoft\InternetExplorer\Quick Launch\User Pinned\TaskBar

5- Libraries
they are a list of monitored folders {Documents, Pictures, Music, Videos} which used to assist users to find their
media

Location

C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

6- Windows Search History

A search index allows users to quickly search for data and files in the file system due to indexing of files

Forensic Value

Knowing the time and the date when a user searched for a specific keyword on the machine.

all searched saved in Windows.edb file.

Location
%ProgramData%\Microsoft\Search\Data\Applications\Windows
Tools —> ESEDatabaseView from NirSoft.

7- Windows Recycle Bin

when a file i placed into the Recycle Bin , previous versions of Windows renames it using :

1. C : it is a fixed character that will always be present

2. <Drive Letter> : refers to the volume

3. <Index#> : a count of the number of deleted files currently tracked by the Recycle Bin

4. <FileExtension> : the original extension.

5. INFO2 file contains the metadata of the deleted file.

Windows Forensics 3
 SO , the new renamed file (DC2.exe) is the deleted file , INFO2 file contains the metadata .

Analyzing $Recycle.Bin in new versions

when deleting a file , windows creates two files $I<ID_String>.extension , $R<ID_String>.extension

1. $I : this file contains the metadata of the deleted file .

2. $R : this file contains the raw content of the deleted file.

$I contains the {file size, date of deletion, the original name and path}

Tools ——>Rifiuti , $I_Parse(GUI)

.\rifiuti-vista.exe -x -z 'C:\$Recycle.Bin\S-1-5-21-3459457667-847189511-749124871-1001\'

💡 to recover the deleted file , copy the $R file to your desktop and use it as the original file.

8- Prefetch Files (evidence of execution)

they are files introduced during WIN XP with the aim to reduce boot and application loading times.

Mechanism.

Windows Cache Manager tracks the first 2 min of boot processes and the first 10 seconds of all other applications
startup, to speed up the loading process.

Prefetch files contains :

1. executable name 1. last time the application ran (10 seconds earlier)

2. absolute path to the exe 2. list of all DLLs used by this program

3. no. of times the program ran

Location
C:\Windows\Prefetch

💡 sometimes you might come across systems that have no prefetch files in their directory , then you go to
check the registry key for prefetch settings located in
HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\MemoryManagement\PrefetchParameters 0 (no
prefetch) , 1 (apps prefetching only) , 2(boot prefetching only)

Tools —> PECmd

PECmd.exe -d C:\Windows\Prefetch --csv "c:\temp" --csvf prefetch.csv

9- ShimCache
Application compatibility cache used by windows to quickly identify the applications that require special
compatibility settings to run,

Windows Forensics 4
 provides compatibility for older softwares running in newer versions of windows .

Forensic Value

1. executable or script file name and full paths 3. The Standard information last modified date

2. whether the file actually ran on the system (just 4. size of the binary file
browsed through explorer.exe)

💡 when you open windows explorer not even run any program , all executables that you can see will be
shimmed, if you maximize the windows and new executables appear so you can see , it will shimmed when
you reboot or shutdown.

Locations

1. Cache location found in this key registry

HKLM\SYSTEM|CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache

2. Stored in C:\Windows\System32\Config\SYSTEM

Tools ——> AmcacheParser

10- Registry Hives

Default Security Identifiers (SIDs)

1. S-1-0-0 : A group with no number 1. S-1-5-2 : Users logging on via network

2. S-1-1-0 : A group that includes all users 2. S-1-5-7 : Anonymous logged on Users

3. S-1-2-0 : Users who logged on locally 3. S-1-5-18 : The OS itself

4. S-1-2-1 : Users on the physical console 4. S-1-5-20 : Service account

5. S-1-3-0 : the user who created a new object 5. S-1-5-21-?????-500 : the system’s Administrator

6. S-1-5-32-544 : group of all administrator

7. S-1-3-1 : the primary group of the user who created the

new object

Registry ArtiFacts
1. Time Zone

SYSTEM\ControlSet###\Control\TimeZoneInformation

Windows Forensics 5
 2. Windows Product Info

SOFTWARE\Microsoft\WindowsNT\CurrentVersion

3. Windows Computer Name

SYSTEM\ControlSet00#\Control\ComputerName\ComputerName

4. Windows Services

SYSTEM\ControlSet00#\Service\
SYSTEM\ControlSet00#\Service\<name>\Start : value inside this subkey determine how the service behave {0=
Boot ,1=system, 2=automatic,3=manual,4=disabled }

5. Windows DHCP config

SYSTEM\ControlSet00#\Services\Tcpip\Parameters\Interfaces\{GUID}\DhcpIPAddress

6. Legal Notice & Text (appear to the user at logon screen)

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

7. NTFS Last Accessed

SYSTEM\ControlSet###\Control\FileSystem

8. Autoruns

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

9. Installed Applications

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

10. Firewall state (0=off , 1=on)

(Private) SYSTEM\ControlSet###\Services\SharedAccess\Parameters\Firewallpolicy\StandardProfile\EnableFirewall

(Public) SYSTEM\ControlSet###\Services\SharedAccess\Parameters\Firewallpolicy\PublicProfile\EnableFirewall

(Domain) SYSTEM\ControlSet###\Services\SharedAccess\Parameters\Firewallpolicy\DomainProfile\EnableFirewall

11. Remote Desktop (RDP 1=off, 0=on)

SYSTEM\ControlSet###\Control\TerminalServer\fDenyTSConnections

12. Network History

Windows Forensics 6
 (Cache) HKLM\SOFTWARE\Microsoft\Windows NT\CurrenVersion\NetworkList\Nla\Cache

(Networks not part of domain) HKLM\SOFTWARE\Microsoft\Windows

NT\CurrenVersion\NetworkList\Nla\Signatures\Unmanaged\

(Networks part of domain) HKLM\SOFTWARE\Microsoft\Windows

NT\CurrenVersion\NetworkList\Nla\Signatures\managed\

(profiles contains last connected , Connection Type (little endian)) HKLM\SOFTWARE\Microsoft\Windows

NT\CurrenVersion\NetworkList\Nla\profiles

13. Shutdown Time (little endian)

HKLM\SYSTEM\ControlSet001\Control\Windows\ShutdownTime

14. Applint_Dlls

It is a value contains a list of all DLLs that will be loaded automatically when any user-mod application linked to
user32.dll is launched

💡 if an attacker add a malicious DLL to this value , its code will be injected into every launched applications

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Applnit_DLLs

15. Recycle Bin (1=Bypass ,0=Not)

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{GUID}\NukeOnDelete

16. Last User Logged In

SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser

17. User Sessions

During a live Windows session , the logged on user are recorded in this volatile path

SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\<#number of
sessions>\LastLoggedOnSamUser

18. Local Users (name, Pass, Login Date,..)

SAM\Domains\Users

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

SAM\SAM\Domains\Account\Users\<32-bit-hex>\UserPasswordHint

(User Lgoin tile) SAM\SAM\Domains\Account\Users\<32-bit-hex>\UserTile

19. User Account Control (UAC)

Enable Users to perform common tasks as non-admins

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Policies\System\EnableLUA

20. User Assist Keys

tracks user’s interactions via Windows Explorer

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

21. Last Registry Key Was Viewed

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

22. Explorer Open and Save MRUs

track files and directories that accessed in Open and Save as menues

Windows Forensics 7
 (Recently Accessed) HKEY_USERS\
{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDIg32\LastvisitedPid

(Apps executed from Run menu ) HKEY_USERS\

{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

(Recent files opend ) HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

(Remote Desktop MRU) HKEY_USERS\{SID}\Software\Microsoft\Terminal Server\Client\Default|Servers\

23. IE Typed URLS

URLs typed by Users in internet explorer

NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs

11- ShellBags
ShellBags : are set of windows registry keys located in NTUSER.dat , USERClass.dat that maintain view , icon,
position and size of folders when using Widows Explorer

Forensic Value

Inforemation persists even when the original directories ,files and physical devices have been removed.

may assist the examiner in looking at the broader picture when only a piece is known.

Location
(NTUSER.dat) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
(USERClass.dat) HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\
(USERClass.dat) HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

Tools ——> ShellBagsExplorer

12- USB Forensics

USB not only means that USB device , but any external device attached to the computer using a USB interface
(Printer, camera ,..)

Location

1. Registry Location

(vendor, product, revision number) HKLM\SYSTEM\ControlSet00?\Enum\USBSTOR

(Mounted Devices) HKLM\SYSTEM\MountedDevices

2. System Log Files

C:\Windows\INF\

Windows Forensics 8
 C:\Windows\

(When was the device installed)

HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_\E0D55E6CE281F540
{83da6326-97a6-4088-9453-a1923f573b29}\0064
(The last date+time device was connected)
HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_\E0D55E6CE281F540
{83da6326-97a6-4088-9453-a1923f573b29}\0066

(The last date+time device was removed)

HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_\E0D55E6CE281F540
{83da6326-97a6-4088-9453-a1923f573b29}\0067
Tools —> Registry Explorer , USBDeviceForensics , RegRipper

13- Browser Forensics

Nearlly all web browsers maintain the following

1. History : Date and time for visited websites , all URLs

2. Cache : Store local copies of data that is retrieved.

3. Cookies

Location

Internet Explorer
1. (Autocomplete data) HKCU\Software\Microsoft\InternetExplorer\Intelliforms\Storage1Autocomplete

HKCU\Software\Microsoft\InternetExplorer\Intelliforms\Storage2Typed URLs

2. (Cache)

\%UERPROFILE%\AppData\Local\Microsoft\Windows\Temporary\Internet Files\

3. Bookmarks

\%UERPROFILE%\Favorites

3. Cookies

\%UERPROFILE%\AppData\Local\Microsoft\Windows\Cookies\Low

14- Skype Foreniscs

skype is widely used worldwide.

Location
C:\Users\<UserName>\AppDara\Romaing\Skype\<>skype-id\
Tools —>skype log viewer , Skyperious

Windows Forensics 9