
RITx: CYBER502x Computer Forensics

Course Unit 7: Windows Forensics Analysis 7.1 Windows Forensics Analysis

ABOUT THIS VIDEO


Besides the artifacts covered in the previous video, we will also look into other important
artifacts created by Windows, including Internet history, jump lists, logs, etc., that forensic
investigators can use to uncover information.

More Windows Artifacts

Start of transcript.

Nowadays, the internet has become an important part of our life. We use the internet to search for any information, including directions, jobs, social events, and more. Chandra Levy was an intern at the Federal Bureau of Prisons in Washington D.C. who disappeared in May 2001. Computer investigators who examined Levy's laptop computer determined that the laptop was used to search for the location of a historic house in Rock Creek Park. This was Chandra Levy's last search. Her skeleton was later found in Rock Creek Park.

Searching and examining a suspect's web browsing activities is a crucial step in a forensic investigation. Forensic examiners usually search through the web cache and history files to collect information such as the URLs that a user visited, cookies, pages downloaded, and the time of access. Before IE 10, IE stored the user's browser history in an index.dat file. The location of this file varied based on the OS. Since Internet Explorer 10, this information is stored in a central database located on the C drive in a WebCache directory. Both EnCase and FTK support internet history viewing for all well-known browsers to reconstruct a subject's internet activity. They can also search browsing activities from unallocated space.

The free tool Pasco, which means "browse" in Latin, was developed to parse the index.dat file and output the information in a delimited text file. Pasco will execute on Windows through Cygwin, Mac OS, Linux, and other BSD platforms. For Firefox, the internet history, file downloads, cookies, and forms are stored in [inaudible] files. Safari stores internet history, bookmarks, and download information in .plist files, and it stores cookie information in .binarycookies. Please be aware that if a user enables private browsing in the web browser, some of the browser history may not be available. Privacy protection tools, such as Tracks Eraser Pro or CCleaner, may also delete browser history.

Now let's look at what evidence a printer might leave behind. Printing involves a spooling process. The local print provider writes the file's contents to a spool file, .spl, by creating a graphics file, .emf, for every page. It stores printing metadata in a shadow file, .shd. Both the spool file and the shadow file are then saved on a local disk to protect a print job until the printing process completes. Therefore, for each print job, two files are created. The shadow file contains information about the print job, such as the owner, the printer, the name of the file printed, the fully qualified path, and the printing method, in our case, EMF. The spool file contains the file contents as .emf pictures. The shadow file and the spool file are deleted after the print job completes. However, these files may still exist in unallocated space or the Windows memory page file. Data carving techniques can be used to carve out the EMF graphics from spool files. The recovered printed files provide forensic examiners additional evidence for investigation.

Jump lists are a new Windows 7 feature that provides the user with quick access to the documents and tasks that are frequently or recently used. On the taskbar, jump lists appear for applications that you have pinned to the taskbar and applications that are currently running, to provide you a list of recently accessed documents or frequently accessed destinations, depending on the application. For example, if you open two Microsoft Word files and then right-click the Microsoft Word icon on the taskbar, you will see these two documents listed. By default, jump lists show the ten most recently accessed files or frequently accessed destinations per application.

Forensic examiners are particularly interested in the information stored in jump lists. This includes the [inaudible] to the targeted file or directory, along with the MAC times, the computer name and the MAC address where the targeted file resides, the last access date and time, and the application used to open the file.

There are two types of jump lists, automatic and custom jump lists. The automatic jump lists, located in the user profile under AutomaticDestinations, are created automatically by the OS when a user launches applications or accesses files. These files follow the compound file binary format, with link information embedded. Custom jump lists, located in the user profile under CustomDestinations, are created when a user pins an item. These files are link format streams appended to each other. There's more information about jump lists in the resource section of this unit, for those interested.

Why is this artifact important for forensic analysis? From the forensic analysis perspective, the existence of automatic jump lists is an indication of user activity on the system, and provides investigators with valuable proof that a user accessed a file. Also, even if the files have been deleted, they are still included on the jump list. The [inaudible] information of the deleted targeted file may lead investigators to identify more evidence. Here is one scenario. A jump list contains information about a Word file stored on a USB stick. The investigator obtains proof that the suspect accessed this file, with the name of the file, its [inaudible] path, as well as the date and time of the last access. Now the investigator can request or search for this USB stick to recover more evidence. Jump list analysis is important for solid [inaudible] analysis, allowing investigators to discover a file's existence on the disk after the file has been wiped through the SSD garbage collection process.

Windows also has other artifacts, such as shadow copies, Windows Prefetch, Control Panel, ShellBags, and others that are important for forensic investigation. The [inaudible] post in the resources section provides a brief overview of the artifacts and registries that help Windows forensic analysis. If you are interested in learning more details, please read a couple of slides in the appendix part of this set of slides.

Now let's move on to the next important topic, event logs. Windows stores various events in three event logs, in a binary format: SECEVENT, SYSEVENT, and APPEVENT. Windows Event Viewer is used to read these log files. Application logs in APPEVENT contain events logged by programs or applications, for example, a file error logged by a database program. The events that are logged and the amount of detail provided are determined by the application developer. The system log contains events that are predetermined by the system server, and they're logged by system components. An example of an event can be failing to load a driver. Both the application log and the system log show three different types of events: error, warning, and information.

The security log records security events, such as a logon, file accesses, or modification attempts, as successful or failed, depending on what was requested to be audited. These events are controlled by the auditing functions of the various resources and systems. By default, these events are not recorded. Security logs are only viewable by administrators. For example, Windows logs successful user logon, logoff, or failed logon, logoff events under the security event log. For certain operating systems, the event ID 4624 indicates a successful logon. The event ID 4625 means a failed logon. The event ID 4634 indicates a successful logoff. And 540 means a successful network logon. Please be aware that sophisticated attackers may alter event logs by selectively editing or deleting entries to hide their malicious actions. An investigator should always be vigilant about malicious actions and look for inconsistent evidence.

End of transcript.
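The transcript says EMF pages can be carved out of spool files that survive in unallocated space or the page file. The following is an added example, not code from the course: a small carver that keys on the EMR_HEADER record that opens every EMF (the " EMF" signature 40 bytes in, then the Bytes field 48 bytes in for the file length) rather than on the signature alone, so the word "EMF" in ordinary text does not produce a false positive. The spool fragment it scans is constructed in the script (the real .SPL framing around the pages is not modelled; the "SPL" and 0xFF bytes are just filler), and a page cut off by the end of the fragment is reported as incomplete instead of silently dropped.

```python
"""Carve EMF page images out of a print-spool fragment (added example, not course code)."""
import struct

EMR_HEADER, EMR_EOF = 1, 14      # record types that open and close every EMF
EMF_SIGNATURE = b" EMF"          # ENHMETA_SIGNATURE 0x464D4520 as little-endian bytes
SIG_OFFSET = 40                  # RecordSignature sits 40 bytes into the EMR_HEADER record
BYTES_OFFSET = 48                # Bytes field: total size of the metafile
HEADER_MIN = 88                  # smallest legal EMR_HEADER record


def build_emf(description=""):
    """Fabricate a minimal, structurally valid EMF (header + EOF); sample input only."""
    desc = (description + "\0\0").encode("utf-16-le") if description else b""
    hdr_size = HEADER_MIN + len(desc)
    hdr_size += (-hdr_size) % 4                      # records are DWORD aligned
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)   # Type, Size, nPalEntries, offPalEntries, SizeLast
    header = struct.pack(
        "<II4i4iIIIIHHIIIiiii",
        EMR_HEADER, hdr_size,
        0, 0, 100, 100,                              # Bounds (device units)
        0, 0, 2646, 2646,                            # Frame (0.01 mm)
        0x464D4520, 0x10000,                         # RecordSignature, Version
        hdr_size + len(eof), 2,                      # Bytes (whole file), Records
        1, 0,                                        # Handles, Reserved
        len(desc) // 2, HEADER_MIN if desc else 0, 0,  # nDescription, offDescription, nPalEntries
        1920, 1080, 508, 285,                        # Device (px), Millimeters
    ) + desc
    return header.ljust(hdr_size, b"\0") + eof


def _ends_with_eof(data):
    """An intact EMF closes with an EMR_EOF whose SizeLast field is its own length."""
    if len(data) < 20:
        return False
    size_last = struct.unpack_from("<I", data, len(data) - 4)[0]
    if size_last < 20 or size_last > len(data):
        return False
    return struct.unpack_from("<I", data, len(data) - size_last)[0] == EMR_EOF


def carve_emf(blob):
    """Return (offset, data, complete) for every EMF found in blob."""
    hits, pos = [], 0
    while True:
        sig = blob.find(EMF_SIGNATURE, pos)
        if sig < 0:
            break
        pos = sig + 1                                # default: keep scanning past this hit
        start = sig - SIG_OFFSET
        if start < 0 or start + BYTES_OFFSET + 4 > len(blob):
            continue
        rec_type, rec_size = struct.unpack_from("<II", blob, start)
        if rec_type != EMR_HEADER or rec_size < HEADER_MIN or rec_size % 4:
            continue                                 # signature without a sane header: noise
        total = struct.unpack_from("<I", blob, start + BYTES_OFFSET)[0]
        if total < rec_size + 20:                    # must hold at least header + EOF
            continue
        data = blob[start:start + total]
        complete = len(data) == total and _ends_with_eof(data)
        hits.append((start, data, complete))
        pos = start + len(data)
    return hits


def describe(data):
    """Summarise a carved EMF: claimed size, record count and the header description
    string, which printing applications often fill with the document title."""
    if len(data) < HEADER_MIN:
        return {"truncated": True}
    bytes_claimed, records = struct.unpack_from("<II", data, BYTES_OFFSET)
    n_desc, off_desc = struct.unpack_from("<II", data, 60)
    desc = data[off_desc:off_desc + 2 * n_desc].decode("utf-16-le", "replace").rstrip("\0") if n_desc else ""
    return {"bytes_claimed": bytes_claimed, "records": records, "description": desc}


def sample_spool():
    """Constructed spool fragment: two whole pages, then a third page cut off mid-header,
    with a decoy 'EMF' string in front that a naive signature scan would accept."""
    return (b"\x00" * 64 + b"junk EMF junk" + build_emf("page one") + b"\xff" * 37
            + build_emf() + b"SPL" + build_emf("page three")[:60])


if __name__ == "__main__":
    for offset, data, complete in carve_emf(sample_spool()):
        print(offset, len(data), "complete" if complete else "TRUNCATED", describe(data))
```

The incomplete hit is the one to keep an eye on during a real carve: a truncated page still proves that a document was printed, but its size and description fields must be read with the knowledge that the file was not recovered whole.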
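The transcript describes custom jump lists as link (LNK) structures appended to one another and walks through the scenario of a jump list pointing at a Word file on a USB stick. As an added example, not the course's code, the script below carves LNK records out of such a stream by their fixed header (size 0x4C followed by the ShellLink CLSID), decodes the three FILETIME stamps from the header, and reads the LinkInfo block for the drive type, volume serial and local path, which is exactly what lets an investigator say "this document lived on removable media with serial number X". The stream it parses is constructed in the script; the real CustomDestinations-ms file also carries its own framing bytes around each entry, which the sample replaces with filler, and every file name, label and serial in it is made up.

```python
"""Carve LNK records from a CustomDestinations-style stream (added example, not course code)."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LNK_MAGIC = struct.pack("<I", 0x4C) + LNK_CLSID                # HeaderSize + LinkCLSID
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO = 0x01, 0x02
DRIVE_TYPES = {0: "unknown", 2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)     # FILETIME: 100 ns ticks since 1601


def to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _cstring(blob, off):
    return blob[off:blob.index(b"\0", off)].decode("cp1252")


def parse_lnk(blob, start):
    """Decode the 76-byte ShellLinkHeader at start and, if present, its LinkInfo block."""
    _hdr_size, _clsid, flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", blob, start)
    rec = {"offset": start, "created": from_filetime(ctime), "accessed": from_filetime(atime),
           "written": from_filetime(wtime), "file_size": size,
           "local_path": None, "drive_type": None, "volume_serial": None}
    pos = start + _hdr_size
    if flags & FLAG_HAS_IDLIST:                       # skip the shell item ID list if present
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & FLAG_HAS_LINKINFO:
        _li_size, _li_hdr, li_flags, vol_off, base_off, _net_off, suffix_off = struct.unpack_from("<7I", blob, pos)
        if li_flags & 1:                              # VolumeIDAndLocalBasePath
            _vsize, dtype, serial, _loff = struct.unpack_from("<IIII", blob, pos + vol_off)
            rec["drive_type"] = DRIVE_TYPES.get(dtype, f"type{dtype}")
            rec["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            rec["local_path"] = _cstring(blob, pos + base_off) + _cstring(blob, pos + suffix_off)
    return rec


def carve_links(blob):
    """Find every LNK header signature and parse it; a record cut off by the end of the
    fragment raises struct.error/ValueError and is skipped rather than aborting the scan."""
    out, pos = [], 0
    while True:
        hit = blob.find(LNK_MAGIC, pos)
        if hit < 0:
            return out
        try:
            out.append(parse_lnk(blob, hit))
        except (struct.error, ValueError):
            pass
        pos = hit + len(LNK_MAGIC)


def removable_targets(links):
    """The USB-stick scenario: targets whose volume was removable media."""
    return [l for l in links if l["drive_type"] == "removable"]


def build_lnk(path, drive_type, serial, label, created, accessed, written, size):
    """Fabricate a minimal LNK with a LinkInfo block; used only to build sample input."""
    lab = label.encode("cp1252") + b"\0"
    volume_id = struct.pack("<IIII", 16 + len(lab), drive_type, serial, 16) + lab
    base = path.encode("cp1252") + b"\0"
    vol_off, base_off = 28, 28 + len(volume_id)
    suf_off = base_off + len(base)
    link_info = struct.pack("<7I", suf_off + 1, 28, 1, vol_off, base_off, 0, suf_off) + volume_id + base + b"\0"
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, FLAG_HAS_LINKINFO, 0x20,
                         to_filetime(created), to_filetime(accessed), to_filetime(written),
                         size, 0, 1, 0, 0, 0, 0)
    return header + link_info


def sample_custom_destinations():
    """Constructed stream: a pinned spreadsheet on the fixed disk and a contract on a USB stick."""
    t = lambda *a: datetime(*a, tzinfo=timezone.utc)
    fixed = build_lnk(r"C:\Users\jdoe\Documents\budget.xlsx", 3, 0x8C1D22F0, "OS",
                      t(2019, 1, 8, 14, 2), t(2019, 3, 1, 10, 0), t(2019, 2, 20, 17, 45), 48213)
    usb = build_lnk(r"E:\Contracts\offer.docx", 2, 0x1A2B3C4D, "KINGSTON",
                    t(2019, 3, 4, 9, 10), t(2019, 3, 4, 9, 15), t(2019, 3, 4, 9, 12), 27648)
    return b"\x00" * 24 + fixed + b"\xff" * 8 + usb + b"\xff" * 8


if __name__ == "__main__":
    for link in carve_links(sample_custom_destinations()):
        print(link)
```

Automatic jump lists wrap the same LNK streams inside a compound file binary (OLE) container, so the parse_lnk routine above applies to them too once the container's streams have been extracted, for instance with the olefile module.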
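The transcript lists the security log event IDs 4624 (successful logon), 4625 (failed logon) and 4634 (logoff) and warns that an attacker may edit or delete entries, so the investigator must look for inconsistent evidence. The following added example, not part of the course, turns that advice into three checks run over constructed security-log rows (a simplified CSV layout made up for this script, not an Event Viewer or wevtutil export format): it pairs each 4624 with the 4634 carrying the same Logon ID to rebuild sessions, reports logoffs that have no matching logon (a 4624 that should exist but is absent), flags a burst of 4625 failures for one account followed by a 4624 (password guessing that succeeded), and lists holes in the EventRecordID sequence, which the log assigns consecutively.

```python
"""Session reconstruction and consistency checks over security-log rows (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_SUCCESS, LOGON_FAILURE, LOGOFF = 4624, 4625, 4634
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive"}

# Constructed rows in a made-up CSV layout (record IDs 1008 and 1009 deliberately absent).
SAMPLE_EVENTS = """\
record_id,time_created,event_id,target_user,logon_type,logon_id,ip_address
1001,2021-05-10T08:00:00Z,4624,alice,2,0x3E7A1,-
1002,2021-05-10T08:01:10Z,4625,bob,3,-,10.0.0.5
1003,2021-05-10T08:01:12Z,4625,bob,3,-,10.0.0.5
1004,2021-05-10T08:01:15Z,4625,bob,3,-,10.0.0.5
1005,2021-05-10T08:01:17Z,4625,bob,3,-,10.0.0.5
1006,2021-05-10T08:01:20Z,4625,bob,3,-,10.0.0.5
1007,2021-05-10T08:01:25Z,4624,bob,3,0x4B221,10.0.0.5
1010,2021-05-10T08:30:00Z,4634,alice,-,0x3E7A1,-
1011,2021-05-10T08:31:00Z,4634,carol,-,0x51C09,-
"""


def parse_events(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "record_id": int(r["record_id"]),
            "time": datetime.fromisoformat(r["time_created"].replace("Z", "+00:00")),
            "event_id": int(r["event_id"]),
            "user": r["target_user"],
            "logon_type": int(r["logon_type"]) if r["logon_type"] != "-" else None,
            "logon_id": r["logon_id"],
            "ip": r["ip_address"],
        })
    return rows


def build_sessions(events):
    """Pair each 4624 with the 4634 that carries the same Logon ID.
    Returns (sessions keyed by logon_id, record IDs of logoffs with no visible logon)."""
    sessions, orphans = {}, []
    for e in sorted(events, key=lambda e: e["record_id"]):
        if e["event_id"] == LOGON_SUCCESS:
            sessions[e["logon_id"]] = {"user": e["user"], "ip": e["ip"], "start": e["time"], "end": None,
                                       "type": LOGON_TYPES.get(e["logon_type"], str(e["logon_type"]))}
        elif e["event_id"] == LOGOFF:
            s = sessions.get(e["logon_id"])
            if s is None or s["end"] is not None:
                orphans.append(e["record_id"])       # the 4624 this logoff belongs to is missing
            else:
                s["end"] = e["time"]
    return sessions, orphans


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Accounts with at least `threshold` 4625 events inside `window`, and whether a 4624
    for the same account followed the burst."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == LOGON_FAILURE:
            by_user[e["user"]].append(e["time"])
    bursts = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            last = times[i + threshold - 1]
            if last - times[i] <= window:
                success_after = any(e["event_id"] == LOGON_SUCCESS and e["user"] == user
                                    and e["time"] >= last for e in events)
                bursts.append({"user": user, "first": times[i], "last": last,
                               "count": sum(1 for t in times if times[i] <= t <= times[i] + window),
                               "success_after": success_after})
                break
    return bursts


def record_id_gaps(events):
    """EventRecordIDs are consecutive; a hole means records are missing and needs explaining
    (log rollover, corruption, a filtered export, or deliberate deletion)."""
    ids = sorted(e["record_id"] for e in events)
    return [(a, b) for a, b in zip(ids, ids[1:]) if b - a > 1]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    sessions, orphans = build_sessions(evs)
    for logon_id, s in sessions.items():
        print(logon_id, s["user"], s["type"], s["start"], s["end"] or "still open")
    print("logoffs without logon:", orphans)
    print("failed-logon bursts:", failed_logon_bursts(evs))
    print("record ID gaps:", record_id_gaps(evs))
```

Run against a real export, the gap check is only meaningful on the unfiltered log: filtering to a handful of event IDs before exporting produces holes of its own, so either export everything or compare record IDs against the full .evtx.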


Check Your Understanding

When a document is printed, which of these files are created during the spooling
process? (Select all that apply)

A shadow file (.SHD) that contains information about the print job

A spool file (.SPL) that contains the document's contents

A temp file (.TMP) for temporarily storing the information about the print job

All of the files above are created during the printing process.

True or False: If a jump list contains the information of an application, it indicates
that a user accessed the application at a certain time, even if the application has
already been deleted and is unrecoverable.

True

False
