The document provides an overview of various Windows artifacts that hold forensic value, detailing their definitions, paths, and tools for extraction. Key artifacts discussed include .LNK files, thumbnails, jump lists, and USB forensics, among others, highlighting their significance in tracking user activity and system interactions. Each artifact is associated with specific metadata that can aid in forensic investigations of user behavior on Windows systems.

WINDOWS FORENSICS
By Ahmed Medhat
Windows Artifacts
Windows artifacts are Windows objects that hold information of forensic value: they contain data or evidence that something occurred in relation to the user's activities. In other words, the OS tracks user activity and stores evidence of it.
Originally, Windows tracks user activity to make operations easier for the user, and these objects were developed for that reason.
In this part we discuss the basics of these artifacts.

1- .LNK files
Definition: A shortcut that points to a file and is used to access that file's data object. Windows creates these shortcuts automatically as soon as a user opens the primary file.
Value: metadata (path of the target, timestamps, and the size of the primary file when it was last accessed)
Path:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent Items
%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent
Tools: LECmd or ExifTool (GUI on Windows)
LECmd.exe -d "C:\Anything\" --all --csv File.csv -q

2- Thumbnails
Definition: Database files that store the small pictures shown when a user selects the filmstrip view in the Windows folder viewing options. These files have the .db extension.
Value: Thumbnails of deleted pictures still exist if the user did not delete them, and these pictures can be viewed with some tools. They allow mapping an image to its path.
Thumbnails also contain the picture version, file name, and last modified date and time.
Path: %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\
Tools: Thumbcache Viewer, Thumbs Viewer
The Extensible Storage Engine (ESE) database stored at
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
can also be used to map a thumbnail to its image path, for example with "esentutl.exe /p Windows.edb".

3- Jump lists
Definition: The list that appears when a user right-clicks a taskbar icon such as Internet Explorer or File Explorer. It contains pinned items, frequently accessed items and links to recent files.
They come in two types:
1- Automatic Destinations (created by the OS)
2- Custom Destinations (created when the user pins a file to an application via the taskbar)
Jump list files are named: AppID.(jump list type)-ms
Value: MRU (most recently used) files for the user logged in to the system.
Path: These are hidden files located in:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Tools: JumpListsView

4- Libraries
Definition: A list of folders used to find a file or subfolder (Documents, Pictures, Videos, Camera Roll, ...). Any folder can be added to any library by right-clicking it and choosing Include in library, or by creating a new library.
Value: must be checked, as a library could hide suspicious files.
Path: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Libraries

5- Windows Search History
Definition: A Windows feature that saves the items and keywords the user searched for.
Value: date and time of the user's searches
Path: %USERPROFILE%\AppData\Local\Microsoft\Windows\ConnectedSearch\History
Tools: ESEDatabaseView

6- Recycle Bin
Definition: The place where deleted files live.
Its name changes with the Windows version:
Windows 95/98/ME → C:\Recycled
Windows NT/2000/XP → C:\Recycler
Windows Vista/later → C:\$Recycle.bin
Each user has their own data in Recycler and $Recycle.bin.
Value: the deleted file's metadata (date and time, size, name and path)
Path: Recycle Bin paths are hidden and can be reached using CMD or other tools.
- Windows 95/98/ME → C:\Recycled\INFO2
- Windows NT/2000/XP → C:\Recycler\<SID>\INFO2
INFO2: tracks the file metadata
<SID>: user security identifier
NOTE: Windows renames every file in Recycler.
Ex: if we delete C:\Downloads\Apple.png, it becomes C:\Recycler\<SID>\DC1.png
C: the file's drive letter
1: index
.png: file extension
- Windows Vista/later →
C:\$Recycle.bin\<SID>\$I****** (has the metadata)
C:\$Recycle.bin\<SID>\$R****** (has the actual file)
As shown, in Windows Vista and later every deleted file in the Recycle Bin has two files: the one starting with $I contains the deleted file's metadata and the other one ($R) contains the actual file.
Note that if we delete a folder, its $R will be a folder containing the actual names of the files in the deleted folder.
Tools: We can retrieve the information using CMD by copying the $I file to a .txt extension, which reveals the real name and path of the actual file.
Or we can use tools such as $Iparse, rifiuti2, Recbin.exe, Autopsy and RecycleDump.py
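Added example (not from the original slides): a parser for the $I metadata record described above. It assumes the publicly documented layout, an 8-byte version, 8-byte original size and 8-byte FILETIME deletion time, followed by the original path (a fixed 520-byte UTF-16LE field in version 1, a character count plus the path in version 2); the sample records are constructed in the code.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """A FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact integer inverse, used here only to build the constructed samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Parse one $I record into version, original size, deletion time and original path.

    Version 1 (Vista/7/8) stores the path in a fixed 520-byte UTF-16LE field; version 2
    (Windows 10 and later) stores a 4-byte character count followed by the path.
    """
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)  # count includes the NUL terminator
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_dollar_i(version, size, deleted, path):
    """Build a constructed $I record for testing; these bytes are not from a real Recycle Bin."""
    name = path.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + name.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + name


# Constructed samples reusing the page's Apple.png example, deleted 2024-01-15 10:30 UTC
SAMPLE_TIME = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_V1 = build_dollar_i(1, 4096, SAMPLE_TIME, r"C:\Downloads\Apple.png")
SAMPLE_V2 = build_dollar_i(2, 4096, SAMPLE_TIME, r"C:\Downloads\Apple.png")
```

Run `parse_dollar_i(open(path, "rb").read())` on a real $I file copied out of C:\$Recycle.bin\<SID>\ to recover the original path and deletion time that the $R file no longer carries.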

7- VSS
Definition: The Volume Shadow Copy Service allows making a backup of the volume and running applications once a week (customizable). It appears as a mirror of the whole contents of the monitored volume. The output copy is called a restore point.
Value: recovered files, registry hives, logs
Path: C:\System Volume Information
Tools: vssadmin, ShadowCopyView, ShadowExplorer, VSC Toolset
NOTE that the newer File History feature in Windows offers an option to back up files and saves copies to external storage media; its forensic value lies in the backup paths, user ID, PC name and backed-up directories.
%USERPROFILE%\AppData\Local\Microsoft\Windows\FileHistory\Data → caches
%USERPROFILE%\AppData\Local\Microsoft\Windows\FileHistory\Configuration\ → XML configuration

8- Prefetch Files
Definition: We can say that it is a summary of the processes and applications launched during startup; the cache manager uses prefetch files as a cheat sheet to make the boot process faster. This is done by tracking the first 2 minutes of the boot process and the first 10 seconds of every other application's startup.
These files are named: [app name.extension]-[8 characters of its hashed path].pf
Value: considered a record of the applications launched on the system, from which we can learn the executable name, the absolute path to the exe, the number of times the program ran, and the list of all DLLs used by this program.
Path: C:\Windows\Prefetch\
Tools: PECmd, WinPrefetchView

9- ShellBags
Definition: Registry hives (NTUSER.DAT, UsrClass.dat) that keep track of the changes the user makes to the position, view and size of icons, folder windows and dialogs when using File Explorer.
Value: when we find a ShellBag for a folder, that folder has been accessed before. This helps the investigator: finding ShellBags for a folder that no longer exists is considered evidence, and ShellBags even exist for external hard drives. In this way we can track user behaviour.
Path:
%USERPROFILE%\NTUSER.DAT
%USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat
Tools: ShellBags Explorer

10- ShimCache
Definition: A component that provides compatibility for old applications so that they can run on newer Windows versions.
Value: executable name, path, date and time, last modified date and time, and whether the executable ran on the system or not.
Path:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
%SYSTEMROOT%\AppCompat\Programs\
Tools: AmcacheParser

11- USB Forensics
Definition: Any USB device needs a driver to connect to the PC. It also has a unique serial number (assigned by the manufacturer or by the OS), and when the USB device is disconnected from the system, details about it remain on the system, especially in the Registry and in system log files.
Value: date and time the USB device was installed and removed, type, serial number and the drive letter it was connected as.
Path:
1- Windows Registry
USBSTOR is the key of interest and can be found at
HKLM\SYSTEM\ControlSet00#\Enum\USBSTOR
Under USBSTOR we find information about each USB device connected to the system: there is a key per device, and under it a key per serial number.
USBSTOR → USB name → Serial number → Properties
Under the Properties key we can answer questions like:
When was the device installed?
{83da6326-97a6-4088-9453-a1923f573b29}\0064
When was the device last connected?
{83da6326-97a6-4088-9453-a1923f573b29}\0066
When was the device last removed?
{83da6326-97a6-4088-9453-a1923f573b29}\0067
2- System log files
1- C:\Windows\INF, where we can find
(setup.offline.log)
(setupapi.dev.log)
(setupapi.upgrade.log)
(setupapi.setup.log)
2- C:\Windows\, where we can find
(setupact.log)
(setup.err.log)
Tools: USBDeview, Registry Explorer

12- Registry
Using Registry Explorer we can check the following artifacts:
1- Time Zone: system configuration such as devices, services and time zone settings
HKLM\SYSTEM\ControlSet###\Control\TimeZoneInformation
2- Windows Product Info
Basic information about the user's Windows system (structure root, product name, installation date and registered owner)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
3- Windows Computer Name
The computer name that appears in NetBIOS
HKLM\SYSTEM\ControlSet00#\Control\ComputerName\ComputerName
4- Windows Services
List of services and how each service behaves
HKLM\SYSTEM\ControlSet00#\Services\
Under each service we find the Start value: [0: boot, 1: system, 2: automatic, 3: manual, 4: disabled]
5- Windows DHCP config
DHCP IP addressing
HKLM\SYSTEM\ControlSet00#\Services\Tcpip\Parameters\Interfaces\{GUID}\DhcpIPAddress
6- Legal Notice & Text
The notice that appears to the user at the logon screen (LegalNoticeText, LegalNoticeCaption)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
7- NTFS Last Accessed
Whether the NTFS last access time is updated or not.
HKLM\SYSTEM\ControlSet###\Control\FileSystem
NtfsDisableLastAccessUpdate → (0: not updated, 1: updated)
8- Autoruns
Locations where startup applications are registered.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Note that we can use the Autoruns tool.
9- Installed Applications
Helps us when an installed application does not appear on the desktop or has been uninstalled
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
10- Windows Firewall
The firewall is on by default and we can look up its state in these registry keys:
1- Private profile
HKLM\SYSTEM\ControlSet###\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
2- Public profile
HKLM\SYSTEM\ControlSet###\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
3- Domain profile
HKLM\SYSTEM\ControlSet###\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
EnableFirewall → (0: off, 1: on)
11- Remote Desktop
HKLM\SYSTEM\ControlSet###\Control\Terminal Server\fDenyTSConnections
fDenyTSConnections → (0: off, 1: on)
12- Network Profiles
Network and connection type
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Under Profiles we find one key per network profile, each named with its GUID.
13- Network History
1- Network history cache
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
2- Networks that are not part of a domain
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Signatures\Unmanaged\
3- Networks that are part of a domain
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Signatures\Managed\
14- Network Interfaces and Past Networks
Network interfaces and their information such as IP address, subnet, domain, DHCP, etc.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
15- Shutdown details
HKLM\SYSTEM\ControlSet001\Control\Windows
16- AppInit_DLLs
List of DLLs that are loaded automatically when an application runs.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
17- Windows Recycle Bin
Tells us whether a deleted file bypassed the Recycle Bin or was just moved to it.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{GUID}\NukeOnDelete
NukeOnDelete → (0: move to Recycle Bin, 1: bypass Recycle Bin)
18- Last User Logged In
Tells us when the last logon occurred and which user it was.
SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser
19- User Sessions
During a live Windows session, the logged-on users are recorded in this volatile path:
SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\<session number>\LastLoggedOnSamUser
20- Local Users
Where we can find the name, login date/time, password hints, etc.
HKLM\SAM\Domains\Account\Users
21- User Account Control (UAC)
Enables users to perform common tasks as non-admins; it is on by default and we can check that at:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Policies\System\EnableLUA
EnableLUA → (0: disabled, 1: enabled)
22- User Assist Keys
Registry values that track the user's interactions via Windows Explorer
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
23- Last Key Viewed
Last registry key opened by the user
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
24- Hidden File and Extension Settings
Show/hide files and extensions are user customization options in File Explorer.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\(Hidden or HideFileExt)
25- Most Recently Used and Opened
The OS keeps track of MRU (Most Recently Used) files and apps, which are stored in NTUSER.DAT
1- CIDSizeMRU
Tracks the size and position of the File Explorer window.
2- Start menu Run MRUs
Tracks the list of apps run before
HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
3- RecentDocs MRUs
Number of recently opened files and their extensions
HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
4- Remote Desktop MRUs
Recent connection history and configuration data for RDP
HKEY_USERS\{SID}\Software\Microsoft\Terminal Server Client\(Default or Servers)\
26- Most Recently Opened
Applications and files that have been opened
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
LastVisitedPidlMRU: applications
OpenSavePidlMRU: files
27- IE Typed URLs and Settings
URLs typed by the user in Internet Explorer
NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs
Internet Explorer settings such as local page, start page, tabs, etc.
NTUSER.DAT\Software\Microsoft\Internet Explorer\Main
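Added example (not part of the original slides), illustrating item 22 (User Assist Keys) above: the value names under UserAssist are ROT13-obfuscated program paths and each value's data is a binary record of run count and last run time. The 72-byte Windows 7+ record layout, the partial KnownFolder GUID map and the sample value are assumptions of this example, not data taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Partial KnownFolder GUID map (an assumption of this example; extend from KnownFolders.h)
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
}


def filetime_to_datetime(ft):
    """A FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_name(name):
    r"""Value names under UserAssist\{GUID}\Count are ROT13-obfuscated program paths;
    a leading {GUID} is a KnownFolder id, expanded here when the map knows it."""
    decoded = codecs.decode(name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if decoded.upper().startswith(guid):
            return folder + decoded[len(guid):]
    return decoded


def parse_userassist_value(data):
    """Parse the 72-byte Windows 7+ value layout (assumed from published research):
    run count at offset 4, focus count at 8, focus time in ms at 12, FILETIME at 60."""
    if len(data) != 72:
        raise ValueError("expected the 72-byte Windows 7+ UserAssist layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {"run_count": run_count, "focus_count": focus_count,
            "focus_seconds": focus_ms / 1000,
            "last_run": filetime_to_datetime(last_run) if last_run else None}


# Constructed sample (not exported from a real hive): cmd.exe run 7 times, focused 3 times
# for 15 s in total, last run 2024-01-15 10:30:00 UTC (FILETIME 133497882000000000).
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_DATA = (struct.pack("<IIII", 0, 7, 3, 15000) + b"\x00" * 44
               + struct.pack("<Q", 133497882000000000) + b"\x00" * 4)

if __name__ == "__main__":
    print(decode_userassist_name(SAMPLE_NAME), parse_userassist_value(SAMPLE_DATA))
```

A zero FILETIME is reported as None rather than as 1601-01-01, since many entries in a real Count key have never been run through Explorer and carry no timestamp.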
