Prefetch Artifacts
Files created by the Windows OS (in %SystemRoot%\Prefetch) to speed up the application startup process. A .pf file is created when an application is run from a specific location for the first time.
Naming Convention
ExecutableName-HASH.pf (the hash is derived from the execution path, so the same executable run from different paths produces different .pf files).
Forensic Value of Prefetch
Evidence of program execution (Executable name, path, run count).
Creation timestamp of .pf file
May indicate the first run time.
Last modification timestamp of .pf file
Indicates the last run time.
Windows 8+ Prefetch
Stores the last 7 run timestamps if run more than once.
Volume information in Prefetch
Includes path, creation timestamp, serial number.
Maximum Files in Prefetch
WinXP-7: 128; Win8-10: 1024.
Important Note on Prefetch
Disabled by default on Server OS and systems with SSDs.
Analysis Detail of Prefetch
Prefetch snapshot created ~10 seconds after execution. Captures library/file references.
Autopsy Tool
Use 'Recent Activity' ingest module. View results under Data Artifacts > Run Programs.
WinPrefetchView
Standalone utility to read .pf files directly from the system or extracted folder (C:\Windows\Prefetch) and display stored information.
Windows Search Artifacts
Desktop search platform (Vista+) that indexes the content and properties of files, email, etc.
Database File for Windows Search
Windows.edb.
Format of Windows Search Database
Extensible Storage Engine (ESE).
Location of Windows Search Database
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.
Forensic Value of Windows Search
Valuable source of evidence (files, images, videos, directories, Outlook data) indexed often without user awareness.
Tools for ESE
EseDbViewer, WinSearchDBAnalyzer.
Windows Store Artifacts
Relates to applications installed, managed, and uninstalled via the Microsoft Store (Windows 10).
Log Database for Windows Store
StateRepository-Machine.srd (SQLite format).
Location of Windows Store Log Database
%SystemDrive%\ProgramData\Microsoft\Windows\AppRepository\.
Forensic Value of Windows Store
Log of applications installed via the store and their updates.
Tools for Windows Store
SQLite database browser (e.g., DB Browser for SQLite).
ThumbCache Artifacts
Hidden system files storing thumbnail images of multimedia files for graphical view in Explorer (replaces legacy Thumbs.db).
Location of ThumbCache Artifacts
%SystemDrive%\Users\
Forensic Value of ThumbCache
Graphical evidence of file existence and user viewing, even if the original file is deleted. Used by Law Enforcement to prove file presence. Contains metadata: original file details, cache ID, header checksum, data offset/type/size, potentially timestamps (created, accessed, modified).
Volume Shadow Copies (VSCs)
Point-in-time copies of volumes created by Volume Shadow Copy Service (VSS). Introduced in WinXP (as System Restore Points), enhanced in Vista/7+.
Functionality of VSCs
Backs up critical system files and Registry hives (block-level clone of the volume).
Forensic Value of VSCs
Recover deleted files (if deleted after VSC creation); Understand user activity before an incident; Access previous versions of files; Retrieve historical system state (system files, registry hives).
Limitations of VSCs
Only captures state at the time of creation; prior changes are lost. Block-level cloning might miss minor file changes. The service can be disabled by user/policy. Disk space allocation limits can prevent saving or cause automatic overwriting. Not a guaranteed evidence source, but a valuable aid.
Tool for VSC Analysis
ShadowExplorer.
Purpose of ShadowExplorer
Allows browsing of VSCs created by Win Vista/7/8/10/11 VSS.
Use Case of ShadowExplorer
Especially useful for Windows Home editions (which lack built-in access) but helpful for all editions. Provides a GUI to navigate VSC contents.
Process for VSC Analysis
1. Mount forensic image (Tool: OFSMount).
2. List available VSCs for the target drive (Command: vssadmin list shadows /for=
3. Create a local directory (e.g., D:\VSS\).
4. Create a symbolic link from the local directory to the Shadow Copy Volume (Command: mklink /d
5. Analyze the contents of the linked folder using forensic tools (Tool: FTK Imager, add evidence type 'Contents of a Folder').
Hibernation File
Stores a compressed copy of RAM contents when the system hibernates.
Location of Hibernation File
C:\hiberfil.sys (Root directory, hidden by default).
Forensic Value of Hibernation File
Preserves volatile data (RAM contents) that is lost on shutdown. Can reveal running processes, network connections, open applications/state, internet activity (visited sites, credentials), malware activity (even if removed later).
Page File
Swap file / virtual memory. Used by Windows to store RAM data when physical RAM is full.
Location of Page File
C:\pagefile.sys (Root directory, typically).
Forensic Value of Page File
Contains remnants of RAM data. Evidentiary information (applications, network traffic, malware remnants), visited websites/URLs, cleartext protocols (HTTP/FTP), indicators of compromise (IOCs). Valuable even if data is no longer in active RAM.
Tool for Examining Hibernation and Page File
bulk_extractor.
Functionality of bulk_extractor
Scans disk images or files without parsing file systems. Extracts information like email addresses, URLs, etc. Creates histograms of found features. Known for speed and thoroughness due to ignoring file system structure and parallel processing capability.
Task Scheduler
Windows job scheduler for running programs/scripts at predefined times/intervals.
Location of Task Scheduler
C:\Windows\Tasks OR C:\Windows\System32\Tasks (XML files).
Analysis of Task Scheduler
Extract and view XML files (e.g., using Notepad++).
Temporary Files
Files created by OS or applications (esp. graphics/media editors) to hold data temporarily. Often not deleted, leading to wasted space.
Typical Locations for Temporary Files
%systemdrive%\Windows\Temp, %userprofile%\AppData\Local\Temp.
Forensic Value of Temporary Files
Can contain remnants of data processed or user activity.
Jumplists
List of recent files accessed per application.
Location of Jumplists
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
Naming Convention for Jumplists
{ApplicationID}.automaticDestinations-ms.
Forensic Value of Jumplists
Shows files accessed by specific applications. Created time = First access; Modified time = Last access.
Tool for Jumplists
JumplistExplorer.
Shortcut (LNK) Files
Files automatically created when a user opens, uses, or creates a file/folder. Links point to the target, its parent, and grandparent folders.
Locations for Shortcut Files (Win 7/8/10)
C:\Users\$USER$\AppData\Roaming\Microsoft\Windows\Recent\ and C:\Users\$USER$\AppData\Roaming\Microsoft\Office\Recent\ (Office specific)
Forensic Value of Shortcut Files
Evidence of file/folder access, usage, and existence.
Event Log Artifacts
Logs maintained by Windows recording system, application, and security events.
Locations for Old Event Logs
C:\Windows\System32\config\ (Files: SysEvent.evt, AppEvent.evt, SecEvent.evt). File extension: *.evt.
Locations for New Event Logs
C:\Windows\System32\winevt\Logs\. File extension: *.evtx.
Forensic Value of Event Logs
Tracking user access to files, successful/failed logins, application usage, audit policy changes, permission changes, system/driver issues, service start/stop.
Analysis Tool for Event Logs
Use Windows Event Viewer (built-in) or PsLogList. Filter by Event ID. Correlate timestamps (consider time zone differences).
Account Management Events
Record creation/modification of accounts (user, computer) and groups (security-enabled global, local, universal) on the system where the change occurred (local machine or DC).
Account Logon vs. Logon Events
Account Logon: Authentication process (verifying credentials). Occurs where the account authority resides (DC for domain, local system for local accounts). Logon: Access process (gaining access to a resource after authentication). Recorded on the system being accessed.
Successful Logon
Differentiates between interactive (local) and remote/network access. Provides account name and source host (IP/hostname) for remote logons.
Failed Logon
Indicates potential password guessing/spraying. Provides source host information. Failure reason codes give specifics.
User Logoff
Records session termination. Can be inconsistent. Logon ID links logon/logoff events. Helps estimate session duration for interactive logons.
Explicit Credentials Logon
Indicates use of alternate credentials (e.g., RunAs, UAC elevation).
Special Privileges Assigned
Indicates elevated access was granted to a session.
NTLM Authentication
Use of NTLM protocol. On non-DCs, often indicates local account usage, which can be suspicious in domain environments.
Session Reconnect/Disconnect
Relates to RDP sessions or Fast User Switching. Session Name field ('Console' vs. 'RDP') differentiates.
Browser Artifacts
Critical for understanding user internet activity, attack vectors, source of compromise.
Data Types
History (visited URLs, timestamps, visit count), Cache (downloaded images, scripts, docs), Cookies (session management, tracking), Typed URLs, Session data, Downloads, Form data (logins, searches), Favorites.
Internet Explorer (Legacy) Storage
index.dat files (various locations).
Internet Explorer (Modern) Storage
ESE Database (WebCacheV*.dat) in AppData\Local\Microsoft\Windows\WebCache\.
Chrome, Firefox, Safari, Opera Storage
Primarily SQLite databases. Check Freelist for deleted records.
Internet Explorer History Location
Users\$USER$\AppData\Local\Microsoft\Windows\History\ (Legacy); ...\WebCache\ (Modern).
Firefox History/Data Location
Users\$USER$\AppData\Roaming\Mozilla\Firefox\Profiles\
Chrome History/Data Location
Users\$USER$\AppData\Local\Google\Chrome\User Data\Default\History.
Internet Explorer Temp Files Location
Users\$USER$\AppData\Local\Microsoft\Windows\Temporary Internet Files\ (Legacy); ...\INetCache\ (Modern).
Browser Usage Artifact Categories
History, Cache, Cookies, Typed URLs, Sessions, Most visited sites, Screenshots (if applicable), Financial info, Form values (Searches, Autofill), Downloads, Favorites.
Email Artifacts
Common investigation area; contains personal/business communication.
Email Key Components
Headers, Text Body, Attachments. Also: flags, certificates, read receipts.
Windows Mail Location
Users\
Microsoft Outlook Location
Users\
Email Header Analysis
First step in email forensics. Detects spoofing/phishing. Reveals message path and metadata. Read Received: headers from bottom to top.
Informational Email Header Fields
From:, To:, Cc:, Bcc:, Date:, Subject:, Reply-To:, Content-Type:.
Technical Email Header Fields
Return-Path: (bounce address), Received: (servers/IPs message traversed, timestamps), Message-ID: (unique message identifier), MIME-Version:.
Security Email Header Fields
DKIM-Signature: (authenticity check via a public key published in DNS), SPF: (checks via DNS whether the sending server is authorized for the domain), X-Headers (custom headers for spam filters, tracking, etc.).
Email Analysis Tools
Autopsy (Email Parser ingest module), MXToolbox Email Header Analyzer (online tool for parsing).
Windows Registry Definition
Central hierarchical database storing vital configuration data for OS, hardware, software, and user settings. Acts as a system log file.