Forensic Analysis
Hiranya Prasad Bastakoti
Contents
Timeline Analysis
File Recovery
Registry Analysis
File Format Identification
Windows Features Forensics Analysis
Overview
Forensic analysis in the context of digital forensics refers to the process of investigating and analyzing the digital footprints left behind by users on computing devices.
The goal is to trace the actions of individuals using digital tools, focusing in particular on their behavior and interactions with systems and devices.
This involves identifying and examining digital artifacts left behind during interactions with the operating system and software applications.
Forensic analysis involves capturing, examining, and interpreting digital traces left by users on their systems, especially operating systems like Windows, to uncover evidence that may be used for legal or investigative purposes.
Operating System Forensics:
Windows OS: Windows operating systems are well-known for leaving traces of user activity. These traces can
include browser history, file access times, application logs, and more.
Even when users attempt to delete evidence, advanced forensic techniques may still uncover traces that remain in
system logs, temporary files, or unallocated disk space.
Windows Forensic Analysis
• More generally, an investigator wants to access and analyse the following areas in Windows:
• Volatile information such as system time, logged-on users, open files, network information, mapped drives and shared folders. These and many more aspects will be covered in the next section under the heading Windows volatile information.
• Non-volatile information such as file systems, registry settings, logs, devices, slack space, the swap file, indexes and partitions. These and many more will be covered in a coming section under the heading non-volatile information.
• Windows memory, including memory dumps and their analysis.
• Caches, cookies and history analysis.
• Other aspects such as Recycle Bins, documents, shortcut files, graphics files and executable files.
Timeline Analysis
Timeline analysis is a critical element in digital forensics, providing investigators with a chronological
view of events that occurred on a system.
Its primary goal is to answer the question of when specific activities took place, which is crucial in
many investigations.
By focusing on a specific timeframe, timeline analysis reduces the volume of data that needs to be
examined, improving efficiency.
This approach is particularly useful in malware investigations, where identifying the exact moment a
system was compromised can help trace the attack’s impact.
Forensic investigators use various data sources, such as system logs, file metadata, and network
traffic, to construct an accurate timeline that aids in uncovering key events and provides valuable
evidence for legal proceedings or incident response.
• Autopsy is a powerful digital forensics tool used in timeline analysis to
automate the extraction and analysis of artifacts from a system's data.
• It helps investigators build a timeline of events by analyzing file system
metadata, such as creation, modification, and access timestamps, along
with system and application logs.
• Autopsy can also process event logs, browser history, and registry entries,
presenting this data in a chronological order.
• This aids forensic investigators in quickly identifying key actions, correlating
them with real-world events, and focusing on critical timeframes, thus
enhancing the efficiency and accuracy of the investigation.
Autopsy
• Autopsy, starting from version 3.0.5, features an advanced timeline interface that simplifies the process of creating a timeline from a forensic image.
• This tool organizes artifacts based on their timestamps, offering a
comprehensive view of system events.
• Each file in the forensic image contains timestamps that indicate when the
file was created, accessed, changed, or modified, with operating systems
handling these attributes differently.
• For example, Windows tracks both creation and modification times, while
UNIX systems only track metadata changes.
Creating a Timeline in Autopsy: Steps
• Launch Autopsy and create a new case or open an existing one.
• Navigate to the Tools menu and select Timeline.
• Autopsy will process the forensic image and populate the timeline data, which may take
some time depending on the image size.
• Once populated, the timeline can be viewed in three modes:
• Bar Chart (Counts): This mode shows the amount of data altered over a period,
offering a high-level overview.
• Detail Mode: Provides detailed event information, grouping related items, such as
files in the same folder or URLs from the same domain.
• List Mode: Displays events in a chronological list, from oldest to newest.
Autopsy’s timeline tool allows investigators to analyze forensic images efficiently by
providing multiple views of the data, making it easier to track system activities and
correlate events with specific timeframes.
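As an added illustration (not part of the original slides or of Autopsy), the following Python builds a small timeline the way a timeline tool does: it expands constructed file created/modified/accessed stamps into events, merges them with log-style records from other artifacts, narrows the result to the timeframe under investigation, and flags files whose creation time is newer than their modification time. All paths, accounts and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Event:
    when: datetime
    source: str   # artifact that produced the event: file system, event log, Prefetch ...
    kind: str     # created / modified / accessed / executed / logon ...
    subject: str  # file path, program name or account

# Constructed sample data, not from a real system: per-file (created, modified, accessed)
# timestamps in UTC, plus two log-style events from other artifacts.
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\invoice.exe": (
        datetime(2024, 3, 1, 9, 2, tzinfo=UTC), datetime(2024, 3, 1, 9, 2, tzinfo=UTC),
        datetime(2024, 3, 1, 9, 3, tzinfo=UTC)),
    r"C:\Users\alice\Documents\budget.xlsx": (
        datetime(2024, 3, 1, 9, 10, tzinfo=UTC), datetime(2024, 2, 20, 16, 0, tzinfo=UTC),
        datetime(2024, 3, 1, 9, 10, tzinfo=UTC)),
}
SAMPLE_LOG = [
    Event(datetime(2024, 3, 1, 8, 58, tzinfo=UTC), "eventlog", "logon", "alice"),
    Event(datetime(2024, 3, 1, 9, 3, tzinfo=UTC), "prefetch", "executed", "INVOICE.EXE"),
]

def fs_events(files):
    """Expand each file's created/modified/accessed stamps into separate timeline events."""
    for path, (created, modified, accessed) in files.items():
        yield Event(created, "fs", "created", path)
        yield Event(modified, "fs", "modified", path)
        yield Event(accessed, "fs", "accessed", path)

def build_timeline(*sources):
    """Merge events from any number of sources into one chronological list."""
    return sorted((e for src in sources for e in src), key=lambda e: (e.when, e.source))

def within(timeline, start, end):
    """Keep only the events inside the window under investigation (inclusive)."""
    return [e for e in timeline if start <= e.when <= end]

def created_after_modified(files):
    """Files whose creation time is newer than their modification time. A file copied onto
    the system looks like this (new creation time, content time preserved), so the result
    points at files brought in from elsewhere and is worth cross-checking with other artifacts."""
    return [p for p, (created, modified, _) in files.items() if created > modified]

def demo():
    timeline = build_timeline(fs_events(SAMPLE_FILES), SAMPLE_LOG)
    window = within(timeline, datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
                    datetime(2024, 3, 1, 9, 5, tzinfo=UTC))
    return {"total": len(timeline),
            "in_window": [(e.kind, e.subject) for e in window],
            "copied_in": created_after_modified(SAMPLE_FILES)}
```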
File Recovery
In digital forensic investigations, analyzing deleted files plays a crucial
role in uncovering evidence.
To become a digital forensic examiner, it is essential to understand how
the Windows operating system deletes files, identify the locations where
deleted files may still reside, and apply effective methods or techniques
for investigating these files.
For instance, retrieving metadata from deleted files can provide critical
support in criminal investigations.
Undeleting Files Using Autopsy
• Autopsy simplifies file recovery by automating the process.
• Autopsy provides an efficient way to recover deleted files from forensic image files, including data from slack space, without requiring manual intervention by the forensic examiner.
• To recover deleted files, create a case, enable the PhotoRec Carver module in the ingest settings, and select Process Unallocated Space.
• Autopsy retrieves data from unallocated space and displays it under Views ➤ Deleted Files.
• PhotoRec is a free, open-source tool for recovering files from various digital media, such as HDDs, USB drives, SD cards, and CD-ROMs.
• It works standalone or alongside TestDisk, a tool for recovering lost partitions and repairing non-bootable disks.
Windows Recycle Bin Forensics
• The Windows Recycle Bin temporarily stores deleted files, making it a valuable source of
evidence in digital forensics.
• In Windows XP and older systems, deleted files and their metadata are stored in the
"Recycler" folder and indexed in the INFO2 file.
• In newer versions (Vista and later), the "$Recycle.Bin" folder replaces "Recycler," with files
stored in user-specific subfolders named after their Security Identifier (SID).
• Metadata is stored in files beginning with "$I", while actual content starts with "$R",
eliminating the need for INFO2.
• Deleted files bypass the Recycle Bin when removed via Shift+Delete or from
removable/mapped drives.
• Tools like Rifiuti2 (for XP) and $I Parse (for modern systems) help extract file metadata.
• The Recycle Bin’s limited capacity (10% of the first 40GB, 5% beyond) ensures old files are
overwritten as space fills up, emphasizing the importance of timely forensic analysis.
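The $I metadata records described above can be parsed directly. The Python below is an added example, not part of the slides or of $I Parse: it decodes both the fixed-length Vista/7 layout (version 1) and the length-prefixed Windows 10 layout (version 2), converting the FILETIME deletion stamp to UTC. The sample records are constructed in code, not taken from a real Recycle Bin.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def parse_dollar_i(data):
    """Parse one $I record from a $Recycle.Bin SID subfolder.

    Layout (little-endian):
      0x00  8 bytes  version: 1 = Vista/7/8, 2 = Windows 10 and later
      0x08  8 bytes  original file size in bytes
      0x10  8 bytes  deletion time as FILETIME
      v1:   0x18  fixed 520-byte UTF-16LE original path, NUL padded
      v2:   0x18  4-byte path length in characters, then the UTF-16LE path
    """
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ticks), "original_path": path}

def build_dollar_i(version, size, deleted, path):
    """Build a sample $I record (constructed test data, not from a real system)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded

SAMPLE_PATH = r"C:\Users\alice\Documents\contract_draft.docx"
SAMPLE_DELETED = datetime(2024, 3, 1, 12, 30, 15, tzinfo=timezone.utc)

def parse_samples():
    """Round-trip both record versions; the parser must recover identical metadata."""
    return [parse_dollar_i(build_dollar_i(v, 48_213, SAMPLE_DELETED, SAMPLE_PATH))
            for v in (1, 2)]
```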
Data Carving
• Data carving is an advanced digital forensics technique used to recover
files or fragments from unallocated disk space or raw data without relying
on file system structures like the Master File Table (MFT).
• It identifies and reconstructs files based on patterns such as file headers
and footers, making it useful for recovering evidence when file systems
are corrupted or missing.
• This method is essential in criminal investigations and network forensics to
extract files from captured traffic.
• Data carving requires expert tools and skills to handle unstructured data
effectively.
File Carving with a Hex Editor
• File carving can be performed manually using a Hex editor by identifying file headers, footers, and patterns within raw data.
• The following are some free tools for conducting file carving:
1. Foremost (http://foremost.sourceforge.net)
2. Scalpel (https://github.com/sleuthkit/scalpel)
3. Jpegcarver (www.seedstech.net/jpegcarver)
4. List of data recovery (including some file carving) tools from Forensics Wiki (www.forensicswiki.org/wiki/Tools:Data_Recovery)
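The header/footer carving described above, as an added example in Python (not code from the slides or from Foremost/Scalpel): it scans a byte buffer for known header and footer signatures without consulting any file system structure, and reports a header whose footer is missing as an incomplete fragment. The "unallocated space" it scans is a constructed sample, not a real disk image.

```python
# Header/footer pairs used for carving (a small subset, chosen for this example).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

def carve(raw, max_size=10 * 1024 * 1024):
    """Scan raw bytes for header..footer spans, ignoring any file system structure.

    A header with no footer within max_size is reported as an incomplete fragment,
    which is what carving yields when the tail of a file has been overwritten.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append({"type": ftype, "offset": start, "complete": False, "data": None})
                pos = start + 1
                continue
            end += len(footer)
            found.append({"type": ftype, "offset": start, "complete": True, "data": raw[start:end]})
            pos = end
    return sorted(found, key=lambda r: r["offset"])

# Constructed unallocated-space sample: zero filler around two minimal image-like
# structures and one JPEG fragment whose footer has been overwritten. Not real files.
FILLER = b"\x00" * 64
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x22" * 17 + b"IEND\xae\x42\x60\x82"
SAMPLE_FRAGMENT = b"\xff\xd8\xff\xe1" + b"\x33" * 20
SAMPLE_UNALLOCATED = (FILLER + SAMPLE_JPEG + FILLER + SAMPLE_PNG
                      + FILLER + SAMPLE_FRAGMENT + FILLER)

def carve_sample():
    """Carve the constructed buffer; returns two complete files and one fragment."""
    return carve(SAMPLE_UNALLOCATED)
```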
Registry Analysis
The Registry is a core component of the Windows operating system, acting as a
centralized database that stores essential configuration and operational
information.
It contains critical data required for the OS and installed applications to function,
such as user settings, system configurations, and application preferences.
Almost every action performed by a Windows user, including installed programs,
connected devices, and user activities, leaves traces in the registry.
This makes it a vital source of evidence in digital forensic investigations,
providing insights into user behavior, system usage, and potential malicious
activity.
Architecture of Windows Registry
• The registry is a hierarchical database that stores
Windows system configuration settings for hardware,
software applications, and the operating system in
addition to the user’s preferences and the computer’s
and applications’ usage history.
• Registry data is structured in a tree format, where each
node in the tree is called a key.
• A key can contain other keys (subkeys) in addition
to data values.
• The Windows registry consists of five primary root
folders, known as hives.
• These hives are the top-level directories in the
registry and are displayed on the left side of the
registry editor when opened, with all other keys
initially collapsed.
Windows Registry Root Folders (Hives)
• Root hives are classified into volatile and nonvolatile types.
• Nonvolatile hives, such as HKEY_LOCAL_MACHINE and HKEY_USERS, are stored on the
hard drive.
• Volatile hives exist only during system runtime and must be captured while the system is
active for analysis.
Methods to Examine the Registry:
• Using a Forensic Image: Analyze registry files stored in the C:\Windows\System32\Config
folder (or equivalent OS directory).
• Live Analysis: Access the registry directly via the Windows built-in Registry Editor.
Accessing Registry Editor:
• Press Win + R to open the Run dialog.
• Type regedit and click OK.
• Each hive corresponds to specific registry files except HKEY_CURRENT_USER, which is
stored in the user profile folder.
Acquiring Windows Registry
• Windows registry files can be acquired during a full system or hard drive
acquisition or as a separate "Registry Image" for analysis.
• Tools like AccessData FTK Imager can extract registry files from a live system
by:
• Running the tool from a USB drive.
• Selecting the option to acquire registry files.
• Saving the extracted files for further forensic analysis.
Registry Examination
• Forensic tools analyze acquired registry files to investigate:
• Automatic Startup Locations: Registry keys store programs set to launch during Windows startup, revealing potential malware entries (e.g., keyloggers).
• Tools like Autoruns can analyze these keys.
• Installed Programs: Registry keys also track installed and uninstalled applications, providing evidence of tools like encryption software, which may suggest hidden data.
• Tools like RegScanner can identify registry values based on search criteria.
USB Device Forensics
• Windows registry maintains logs of connected USB devices, providing details like
vendor ID, product ID, serial number, connection times, and associated users.
• Key registry locations include:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR (device
history).
• HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices (drive letter mappings).
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Mo
untPoints2 (user-specific USB connections).
• Tools like USBDeview automate USB device investigations, showing device details,
first connection time, and last usage.
• However, devices using Media Transfer Protocol (MTP) leave no registry traces,
requiring specialized tools such as USB Forensic Tracker (USBFT).
Key Tools
• AccessData FTK Imager: Extracts registry files.
• Autoruns: Identifies startup programs and registry keys.
• RegScanner: Searches for specific registry values.
• USBDeview: Provides USB connection history and metadata.
• USB Forensic Tracker (USBFT): Investigates MTP-connected USB
devices.
File Format Identification
• Signature analysis involves comparing file headers and extensions against a known database to identify attempts to disguise a file's original type, such as altering its extension to mislead investigators.
• In Windows, every file has a unique signature, typically located within the first 20 bytes of the file.
• This signature can be manually verified using tools like Notepad or a Hex editor.
• To streamline this process, a free tool called HexBrowser can be used.
• HexBrowser, designed for Windows, can identify over 1,000 different file types, making file analysis faster and more efficient.
To use HexBrowser: Steps
• Visit www.hexbrowser.com and
download the HexBrowser tool.
• Launch the program, click the "Open"
button from the main menu, and select
the suspect file.
• The results will be displayed in the right
pane of the program window.
Autopsy
• Autopsy can identify file extension
mismatches by enabling the “Extension
Mismatch Detector” module.
• To configure this feature, navigate to Tools ➤ Options ➤ File Extension Mismatch, where you can customize the search by adding or removing extensions to suit your case requirements.
• The results of the mismatch analysis are displayed in the Results tree under “Extension Mismatch Detected”.
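The signature-versus-extension check that HexBrowser and Autopsy's Extension Mismatch Detector perform, written out as an added Python example (not the code of either tool): it reads the first 20 bytes, looks the signature up in a small table, and flags files whose extension claims a different type, while treating legitimate aliases (.jpeg for JPEG, Office documents for ZIP containers) as matches. The signature table and the sample file headers are constructed for this example.

```python
from pathlib import PureWindowsPath

# Signatures at offset 0 for a handful of common types (a subset constructed for this
# example; real signature databases such as HexBrowser's cover far more).
MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],  # also the container for DOCX/XLSX/PPTX/JAR
    "exe": [b"MZ"],          # PE/DOS executables, also DLL and SYS
}
# Extensions that legitimately share a signature with the canonical name above.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
           "dll": "exe", "sys": "exe"}

def identify(header):
    """Return the type implied by the first 20 bytes, or None if not in the table."""
    head = header[:20]
    for ftype, magics in MAGIC.items():
        if any(head.startswith(m) for m in magics):
            return ftype
    return None

def check_file(name, header):
    """Compare the type claimed by the extension with the type implied by the signature."""
    ext = PureWindowsPath(name).suffix.lstrip(".").lower()
    claimed = ALIASES.get(ext, ext)
    actual = identify(header)
    # Only flag when the signature is recognised; unknown content proves nothing either way.
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": actual is not None and actual != claimed}

# Constructed sample headers (first bytes only), not real files.
SAMPLE_FILES = [
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("invoice.jpeg", b"\xff\xd8\xff\xe1\x00\x18Exif"),
    ("budget.xlsx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("readme.txt", b"Quarterly notes\r\n"),
    ("notes.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # image renamed to look like text
    ("update.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),    # executable renamed to look like an image
]

def find_mismatches(files=SAMPLE_FILES):
    """Names of the sample files whose extension disagrees with their signature."""
    return [r["name"] for r in (check_file(n, h) for n, h in files) if r["mismatch"]]
```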
Windows Features Forensics Analysis
Windows operating system provides numerous features that enable
users to optimize or customize its functions, making it more user-
friendly and adaptable to individual preferences.
These features, while enhancing usability, can also serve as valuable
sources of digital evidence during investigations.
Examining these built-in functionalities is crucial because they often
leave behind artifacts—traces of user activity or system changes—
that can provide insights into how the system was used.
Windows Forensic Artifacts
Windows Prefetch Analysis
• The Windows Prefetch feature speeds up application loading by creating a Prefetch file the first time an application is executed.
• This file records the loaded components and the last execution time, enabling quicker subsequent launches.
• From a forensic perspective, Prefetch files can reveal previously executed programs, even if they have been uninstalled, as the files persist in the C:\Windows\Prefetch folder.
• Prefetch files are named with the application name, an eight-character hash of its execution location, and the .PF extension.
• The Prefetcher’s configuration can be found in the Windows registry under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters.
Windows Thumbnail Forensics
• Windows creates thumbnail cache files to store previews of image files (e.g., JPEG, BMP, PNG) and some documents (e.g., DOCX, PDF) for quicker viewing.
• These thumbnails, stored in thumbs.db on older systems or in thumbcache_xxx.db on newer versions, can remain even after the original files are deleted, providing valuable forensic evidence.
• Modern Windows systems store thumbnail caches in %userprofile%\AppData\Local\Microsoft\Windows\Explorer, organized by size with an index file.
• Tools like Thumbs Viewer can extract thumbnails from various cache files, including Thumbs.db and thumbcache_xxx.db; it is available for download at https://thumbsviewer.github.io.
AutomaticDestinations-ms and CustomDestinations-ms
• AutomaticDestinations-ms and
CustomDestinations-ms files store Jump List
data in Windows.
• The former tracks recently accessed files,
while the latter records pinned items.
• Both are located in the
\Users\<username>\AppData\Roaming\Micro
soft\Windows\Recent directory and are
named with a unique AppID (16 hexadecimal
digits) identifying the associated application.
• These files help track user activity, and
identifying the AppID reveals the application
linked to the data.
• Resources like Forensics Wiki and GitHub
provide lists of Jump List AppIDs for analysis.
LNK File Forensics
• LNK files hold a wealth of useful information about the computer on which the file was first created, in addition to the computer where it currently resides.
• LNK files are forensically valuable because they reveal the following information:
1. MAC time attributes (Creation, Modification, and Access time) for the LNK file itself and for the linked file.
2. The user’s previous activities on the computer; for example, if a suspect moves a file to a USB drive or deletes it permanently from his or her computer, the associated LNK file will still exist, giving valuable information about what was executed on the target system before.
3. Linked file size.
4. Original path of the linked file.
5. The serial number and name of the volume that held the linked file.
6. The network adapter MAC address and original network path of the original computer.
Windows File Analyzer (WFA)
• Windows File Analyzer (WFA) is a free, portable
tool that decodes and displays data from
specialized Windows files like LNK files, Prefetch
files, Index.dat, and Thumbnail Databases.
• It allows users to analyze shortcut files and extract
forensic information from specific directories.
• It helps uncover user activities, file paths,
timestamps, recently executed programs, browser
history, and image preview data, aiding in system
activity reconstruction.
Event Log Analysis
• Event Log Analysis is crucial in forensics to track user actions and system events on a Windows
machine.
• Windows event logs record important hardware and software activities, such as failed logins, low
memory, and excessive disk access, aiding in issue diagnosis and predicting future problems.
• Key log elements include the username, event ID, source, computer name, date and time, and a
description of the event. Older Windows versions (2000, XP, 2003) use the EVT format, storing logs
at \Windows\system32\config.
• Modern versions (Vista and later) use the EVTX format, with logs located at
\Windows\System32\winevt\Logs. Five event types are recorded:
• Error: Critical issues, e.g., service failures.
• Warning: Potential issues that may escalate.
• Information: Successful operations, e.g., app activity.
• Success Audit: Successful security events, e.g., logins.
• Failure Audit: Failed security events, e.g., login attempts.
Microsoft recommends monitoring specific event logs for signs of compromise, accessible through
Event Viewer in the Control Panel.