Previously, the importance of the computer image and some basics of performing an investigation of a computer were presented – see Digital Forensics: An Introduction and Digital Forensics: The Value of Metadata. Now we can dive deeper into some of the things Windows does that make life easier for the investigator and make covering one’s tracks more difficult.
The Windows Registry is the database that stores configuration settings and options for Microsoft Windows operating systems. If you have ever opened RegEdit (the Windows Registry Editor), you have probably noticed that the Registry can be a weird and mysterious place. Certain items have entries that make sense, while others appear to be cryptic and nonsensical.
Tools exist to parse the Registry and make its entries readable. RegRipper is a set of Perl scripts that can parse the different Registry hive files and give you a readable report of its findings. As with everything in forensics, it cannot parse everything, but most of the popular applications are covered. New filters are added all the time as new applications or updates are released that change what is written to the Registry.
Shortcut files (files with a .lnk extension) are used extensively in Windows as pointers to actual files, applications, or folders. Shortcuts can be found in Recent items, Jump lists, and many other places. A shortcut records the path to the original file, volume information (drive letter or share name), and the MAC dates (Modify date, Access date, Creation date) for the shortcut. The existence of a shortcut may be proof that a file existed on a particular computer, even if the file has since been deleted.
Jump lists are used by Windows to let the user “jump” to items they use frequently or have used recently. Jump lists contain shortcut files. A shortcut may still exist after the file it points to has been deleted, and its volume information can tell the investigator whether the file was copied to another volume or a flash drive. The ExifTool application can easily parse and display the MAC dates/times and other metadata recorded in shortcuts.
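To see what the two paragraphs above describe, it helps to pull the path, volume details and timestamps out of a shortcut by hand. The following is an added example, not code from the original article, from ExifTool or from any other tool named here: it builds a small .lnk in memory following the [MS-SHLLINK] layout (a 76-byte ShellLinkHeader followed by a LinkInfo block carrying a VolumeID and local base path) and then parses it back out. The helper names (build_lnk, parse_lnk, read_cstring) and the sample values (drive serial, volume label, target path, timestamps) are assumptions made for this example; the constructed sample points at a removable drive so the volume fields have something to show.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constants taken from [MS-SHLLINK]; the builder/parser names below are this example's own.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIiIHHII"                                  # 76-byte ShellLinkHeader
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_TYPES = {0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE", 3: "DRIVE_FIXED",
               4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK"}

def to_filetime(dt):
    """Convert an aware datetime to a Windows FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def from_filetime(ft):
    """Convert a FILETIME value back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def build_lnk(created, accessed, written, file_size, drive_type, serial, label, local_path):
    """Constructed sample builder: ShellLinkHeader + LinkInfo with a VolumeID and LocalBasePath."""
    vol_data = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(vol_data), drive_type, serial, 16) + vol_data
    base_path = local_path.encode("ascii") + b"\x00"
    suffix = b"\x00"                                   # empty CommonPathSuffix
    li_header_size = 28                                # no Unicode offsets in this LinkInfo header
    li_size = li_header_size + len(volume_id) + len(base_path) + len(suffix)
    link_info = struct.pack("<7I", li_size, li_header_size,
                            0x1,                                         # VolumeIDAndLocalBasePath
                            li_header_size,                              # VolumeIDOffset
                            li_header_size + len(volume_id),             # LocalBasePathOffset
                            0,                                           # no CommonNetworkRelativeLink
                            li_header_size + len(volume_id) + len(base_path))   # CommonPathSuffixOffset
    link_info += volume_id + base_path + suffix
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID,
                         0x02,                         # LinkFlags: HasLinkInfo only
                         0x20,                         # FILE_ATTRIBUTE_ARCHIVE
                         to_filetime(created), to_filetime(accessed), to_filetime(written),
                         file_size, 0, 1, 0, 0, 0, 0)  # IconIndex, SW_SHOWNORMAL, HotKey, reserved
    return header + link_info

def read_cstring(data, off):
    """Read a NUL-terminated ASCII string starting at `off`."""
    end = data.index(b"\x00", off)
    return data[off:end].decode("ascii", errors="replace")

def parse_lnk(data):
    """Return the target path, volume details and MAC times recorded in a .lnk file."""
    (hdr_size, clsid, flags, _attrs, ctime, atime, wtime,
     size, _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    result = {"created": from_filetime(ctime), "accessed": from_filetime(atime),
              "modified": from_filetime(wtime), "file_size": size}
    off = hdr_size
    if flags & 0x01:                                   # HasLinkTargetIDList: skip the IDList
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & 0x02:                                   # HasLinkInfo
        (_li_size, _li_hdr, li_flags, vol_off, lbp_off,
         _cnrl_off, _cps_off) = struct.unpack_from("<7I", data, off)
        if li_flags & 0x1:                             # VolumeIDAndLocalBasePath
            v = off + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<4I", data, v)
            result["drive_type"] = DRIVE_TYPES.get(dtype, f"UNKNOWN({dtype})")
            result["drive_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            result["volume_label"] = read_cstring(data, v + label_off)
            result["local_path"] = read_cstring(data, off + lbp_off)
    return result

# Constructed sample: a shortcut to a spreadsheet that lived on a removable drive.
SAMPLE_LNK = build_lnk(
    created=datetime(2023, 9, 14, 8, 5, 0, tzinfo=timezone.utc),
    accessed=datetime(2023, 9, 20, 17, 42, 30, tzinfo=timezone.utc),
    written=datetime(2023, 9, 18, 12, 0, 0, tzinfo=timezone.utc),
    file_size=48_213, drive_type=2, serial=0x1A2B3C4D, label="USBDRIVE",
    local_path=r"E:\Reports\Q3_budget.xlsx")

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:13}: {value}")
```

The drive type and serial number are the fields that answer the "was this copied to a flash drive?" question: a DRIVE_REMOVABLE entry with a serial that does not match any volume on the imaged machine points to external media, and the serial can be matched against other artifacts that record it.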
The Windows Event Logs are useful for more than just troubleshooting a Windows or application problem. They can be used to determine whether and when something happened and which systems or resources were involved or accessed. Interpreting them requires knowledge of Event Log IDs, and Google is valuable for looking up critical Event Log IDs. One ID of note is 1102, which is created whenever the event log is cleared, a possible sign that a user is up to no good.
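The quickest way to put the 1102 point into practice is to scan an exported log for that ID and pull out who cleared it and when. The following is an added example, not code from the original article: it parses event records in the XML shape that a wevtutil export produces, reports every 1102 record with its subject account (1102 carries the subject in UserData/LogFileCleared rather than EventData), and lists all records in time order so the clear can be read in context. The three records, the host name, the account, the SID and the timestamps are constructed sample data, and the enclosing Events element is a wrapper added so the sample parses as one document.

```python
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: a logon, the Security log being cleared, and a later logon.
SAMPLE_EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2023-09-20T17:40:02.000000Z"/>
    <Channel>Security</Channel>
    <Computer>WS-ACCT-07.corp.example</Computer>
  </System>
  <EventData><Data Name="TargetUserName">jdoe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog"/>
    <EventID>1102</EventID>
    <TimeCreated SystemTime="2023-09-20T17:58:41.000000Z"/>
    <Channel>Security</Channel>
    <Computer>WS-ACCT-07.corp.example</Computer>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-1111-2222-3333-1001</SubjectUserSid>
      <SubjectUserName>jdoe</SubjectUserName>
      <SubjectDomainName>CORP</SubjectDomainName>
      <SubjectLogonId>0x3e7a1</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2023-09-20T18:01:15.000000Z"/>
    <Channel>Security</Channel>
    <Computer>WS-ACCT-07.corp.example</Computer>
  </System>
  <EventData><Data Name="TargetUserName">jdoe</Data></EventData>
</Event>
</Events>"""

def local_name(node):
    """Strip the XML namespace from an element tag."""
    return node.tag.rsplit("}", 1)[-1]

def find_log_clears(xml_text):
    """Return one dict per Event ID 1102 record: when, on which host, and by which account."""
    root = ET.fromstring(xml_text)
    hits = []
    for event in root.iter(EVT_NS + "Event"):
        system = event.find(EVT_NS + "System")
        if system is None or system.findtext(EVT_NS + "EventID") != "1102":
            continue
        # Subject* elements live under UserData/LogFileCleared; match on local name so the
        # namespace of that element does not matter.
        subject = {local_name(n): (n.text or "").strip()
                   for n in event.iter() if local_name(n).startswith("Subject")}
        account = subject.get("SubjectDomainName", "") + "\\" + subject.get("SubjectUserName", "")
        hits.append({
            "time": system.find(EVT_NS + "TimeCreated").get("SystemTime"),
            "computer": system.findtext(EVT_NS + "Computer"),
            "channel": system.findtext(EVT_NS + "Channel"),
            "subject_user": account,
            "subject_sid": subject.get("SubjectUserSid"),
            "logon_id": subject.get("SubjectLogonId"),
        })
    return hits

def timeline(xml_text):
    """Return (SystemTime, EventID, Provider) tuples in time order so a clear can be seen in context."""
    root = ET.fromstring(xml_text)
    rows = []
    for event in root.iter(EVT_NS + "Event"):
        system = event.find(EVT_NS + "System")
        rows.append((system.find(EVT_NS + "TimeCreated").get("SystemTime"),
                     int(system.findtext(EVT_NS + "EventID")),
                     system.find(EVT_NS + "Provider").get("Name")))
    return sorted(rows)          # SystemTime values share one ISO format, so string order is time order

if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE_EVENTS_XML):
        print(f"{hit['time']}  {hit['computer']}  {hit['channel']} log cleared by "
              f"{hit['subject_user']} (logon id {hit['logon_id']})")
    for when, eid, provider in timeline(SAMPLE_EVENTS_XML):
        print(f"  {when}  {eid:5}  {provider}")
```

On a live system the 1102 record is the first entry in the freshly emptied log, so the records before it in this sample would only survive in a forwarded copy or a backup; the logon ID in the 1102 record is what ties the clear back to the session (and its 4624) that performed it.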
The Thumbcache database contains thumbnails of every picture ever viewed by a user on that computer, even if the pictures have since been deleted. There are four different Thumbcache databases, each holding thumbnails of a different size, and every user on the computer has their own set. The Thumbcache databases are located in the user’s home directory (C:\Users\Username\AppData\Local\Microsoft\Windows\Explorer). The Thumbcache Parser or Thumbcache Viewer utilities can be used to view their contents.
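The reason the Thumbcache matters is that the thumbnails outlive the pictures, and recovering them does not require the dedicated viewers. The following is an added example, not code from the original article or from Thumbcache Parser or Thumbcache Viewer: it carves images out of a Thumbcache-style file using only the "CMMM" signature that the file header and every cache entry start with, plus the magic bytes of the embedded JPEG, PNG or BMP. It deliberately does not interpret the version-specific entry header fields (their layout differs between Windows releases), which is what the dedicated tools do to recover the entry hash that links a thumbnail back to its source file; the trade-off is noted in the comments. The file header, the filler header bytes in each entry, the identifiers and the three image stand-ins are all constructed sample data (the PNG and BMP are valid 1x1 images; the JPEG is a structural skeleton of SOI, APP0 and EOI markers only).

```python
import struct
import zlib

ENTRY_SIG = b"CMMM"     # the file header and every cache entry begin with this signature
IMAGE_MAGICS = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"BM": "bmp"}

def _image_end(region, start, kind):
    """Return the end offset of the image starting at `start` in `region`, or None if truncated."""
    if kind == "jpeg":
        eoi = region.rfind(b"\xff\xd9")                 # last EOI marker in the entry
        return eoi + 2 if eoi > start else None
    if kind == "png":
        iend = region.find(b"IEND", start)
        return iend + 8 if iend != -1 else None         # 'IEND' + 4-byte CRC closes the file
    if kind == "bmp":
        if start + 6 > len(region):
            return None
        size = struct.unpack_from("<I", region, start + 2)[0]   # bfSize in the BITMAPFILEHEADER
        return start + size if 54 <= size <= len(region) - start else None
    return None

def carve_thumbcache(data):
    """Recover (entry_offset, kind, image_bytes) for every CMMM entry that holds an image.
    Entry hashes and identifiers are not decoded, so results cannot be tied back to file names."""
    offsets = []
    pos = data.find(ENTRY_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(ENTRY_SIG, pos + len(ENTRY_SIG))
    offsets.append(len(data))
    images = []
    for entry_off, next_off in zip(offsets, offsets[1:]):
        region = data[entry_off:next_off]
        # Try candidate magics from the earliest match; a bogus 'BM' hit fails the size check
        # in _image_end and the next candidate is tried. The file header region matches none.
        found = sorted((region.find(m), k) for m, k in IMAGE_MAGICS.items() if m in region)
        for start, kind in found:
            end = _image_end(region, start, kind)
            if end is not None:
                images.append((entry_off, kind, region[start:end]))
                break
    return images

# ---- constructed sample data below ----
def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

PNG_1X1 = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))     # filter byte + one RGB pixel
           + _png_chunk(b"IEND", b""))
BMP_1X1 = (b"BM" + struct.pack("<IHHI", 58, 0, 0, 54)
           + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
           + b"\x00\x00\xff\x00")                                          # one BGR pixel + row padding
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"

def _entry(ident, image):
    """Constructed entry: signature, zeroed filler standing in for the version-specific header
    fields, a UTF-16LE identifier, the image, and zero padding to a 16-byte boundary."""
    body = b"\x00" * 44 + ident.encode("utf-16-le") + image
    return ENTRY_SIG + body + b"\x00" * (-len(body) % 16)

SAMPLE_DB = (ENTRY_SIG + b"\x00" * 20                     # constructed file header, fields zeroed
             + _entry("a1b2c3d4e5f60718", JPEG_STUB)
             + _entry("0918273645abcdef", PNG_1X1)
             + _entry("fedcba9876543210", BMP_1X1))

if __name__ == "__main__":
    for entry_off, kind, img in carve_thumbcache(SAMPLE_DB):
        print(f"entry at 0x{entry_off:06x}: {kind:4} {len(img):5} bytes")
```

Run against a real thumbcache_256.db the same loop writes each recovered image to disk with the entry offset as its name; the identifiers that the dedicated viewers decode are what you would then need to match a thumbnail to a path.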
In the next segment, we will look at some of the suites of software available that can simplify an investigation.