Tech Talk Live Blog

Digital Forensics: Windows Tools

Brian Steigauf

Previously, the importance of the computer image and some basics were presented for performing an investigation of a computer – see Digital Forensics: An Introduction and Digital Forensics: The Value of Metadata. Now we can dive in deeper to see some of the things that Windows does to make life easier and covering one’s tracks more difficult.


The Windows Registry is the database that stores configuration settings and options for Microsoft Windows operating systems. If you have ever opened RegEdit (the Windows Registry Editor), you have probably noticed that the Registry can be a weird and mysterious place. Certain items have entries that make sense, while others appear to be cryptic and nonsensical.

Tools exist to parse the registry and make the entries readable. RegRipper​ is a set of Perl scripts that can parse the different Registry files and give you a nice readable report with its findings. As with everything in forensics, it cannot parse everything, but most of the popular applications are included. New filters are being added all the time as new applications or updates are released that may change the Registry settings.

Shortcut/LNK files

Shortcut files (files that have a .lnk extension) are used extensively in Windows to create pointers to actual files, applications, or folders. Shortcuts can be found in the Recent items, Jump lists, and many other places. Shortcuts contain the path to the original file, volume information (drive letter or Share name), and the MAC (Modify date, Access date, Creation date) dates for the shortcut. Existence of a shortcut may be proof that a file existed on a particular computer, even if it has been deleted.

Jump Lists

Jump lists are used by Windows to allow the user to “jump” to items they frequently use or have recently used. Jump lists contain shortcut files. The shortcut may still exist after a file has been deleted or let the investigator know if the file was copied to another volume or flash drive. The Exiftool application can be used to easily parse and display MAC date/times and metadata information for shortcuts.

Event Logs

The Windows Event Logs can be useful for more than just providing information for troubleshooting a Windows or application problem. The Event Logs can be used to determine if/when something happened and what systems or resources were involved/accessed. Knowledge of Event Log IDs is necessary, but Google can be valuable for determining critical Event Log IDs. One ID of note is 1102, which is created whenever the Event log is cleared, a possible sign that a user is up to no good.


The Thumbcache database contains thumbnails of every picture ever viewed by a user on that computer, even if they are deleted. There are four different Thumbcache databases, containing different sized thumbnails, and every user on that computer will have their own Thumbcache database.  The Thumbcache database is located in the Users home directory (C:\Users\Username\AppData\Local\Microsoft\Windows\Explorer). The Thumbcache Parser or Thumbcache Viewer​ utilities can be used to view the contents of the Thumbcache.

In the next segment, we will look at some of the suites of software available that can simplify an investigation.​

Tech Talk Live Blog Comment Guidelines:

One of our main goals at Tech Talk Live is to build a community. It is our hope that this blog can be a forum for discussion around our content. We see commenting as an integral part of this community. It allows everyone to participate, contribute, connect, and share relevant personal experience that adds value to the conversation. Respect counts. We believe you can disagree without being disagreeable. Please refrain from personal attacks, name calling, libel/defamation, hate speech, discriminatory or obscene/profane language, etc. Comments should keep to the topic at hand, and not be promotional or commercial in nature. Please do not link to personal blog posts, websites, or social media accounts that are irrelevant to the conversation. This is considered self-promotion. We welcome links that help further the conversation and reserve the right to delete those we deem unnecessary. The appearance of external links on this site does not constitute official endorsement on behalf of Tech Talk Live or Lancaster-Lebanon Intermediate Unit 13. You are solely responsible for the content that you post – please use your best judgment. We reserve the right to remove posts that do not follow these guidelines.

Leave a Reply

Your email address will not be published. Required fields are marked *


Tech Talk Live is the only conference of its kind in the region specifically designed for IT pros in education.

1020 New Holland Avenue, Lancaster, PA 17601

(717) 606-1770