Windows Forensics
Content Leader: Jess Garcia - Last Updated: April 16, 2007
Index
- Windows Startup Information
- Environment Variables
- Processes
- Registry
Common Windows Files
User Files
- Thumbs.db
  - Thumbs.db is in Microsoft's OLE 2 Compound Document format. It's the same format that MS Office uses. http://jakarta.apache.org/poi/index.html
  - Cumulative file where thumbs for viewed images are stored. Even if you delete the images, the thumbs will remain.
  - There is just one time attribute associated with it.
  - Viewers:
- Index.dat
- Documents and Settings\NTUser.dat
- Recycle Bin
  - The Recycle Bin has sub-Recycle Bins for each user on the system.
  - There is an index file (INFO2) which keeps track of what was where.
  - Deletion time: located in the INFO2 file.
  - New name of the file after deletion:
    - eg: D<vol.letter>1.<ext> (eg: Dc1.bmp)
    - eg: D<vol.letter>2.<ext> (eg: Dc2.jpg)
  - File entries are 800 bytes long.
  - From INFO2 you can find where each deleted file came from.
  - If the SHIFT key is pressed while deleting, it will not leave traces in the Recycle Bin.
  - If the drive letter disappears (00) from the INFO2 entry, it means that the file was either permanently deleted or restored.
  - There is a Unicode version of the file name.
  - The timestamp is located 12 bytes before the Unicode filename and spans 8 bytes.
  - The UserID is the last 3 or 4 digits of the RECYCLER sub-folder name. Actually the whole string is the long UserID, as it can be found in the SAM.
  - Remember that the person who deleted the file may or may not be the owner of the file.
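As an added illustration of the INFO2 layout described above (example code, not part of the original notes): a small parser that walks the 800-byte records, reads the FILETIME that sits 12 bytes before the Unicode name, rebuilds the D<vol.letter><index>.<ext> name and flags entries whose drive-letter byte has been zeroed. The field offsets used (ANSI path at 0, index at 260, drive number at 264, FILETIME at 268, size at 276, Unicode path at 280) are the Windows 2000/XP layout as I know it, and the sample file image is constructed, not real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 800   # every INFO2 entry is 800 bytes (Windows 2000/XP layout)
HEADER_SIZE = 20    # version, two reserved dwords, record size, total file size
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; only used to build the constructed sample."""
    return (dt - _EPOCH) // timedelta(microseconds=1) * 10

def parse_info2(data):
    """Return one dict per record: 260-byte ANSI path, DWORD index, DWORD drive
    number (0 = A:), FILETIME deletion time, DWORD size, 520-byte UTF-16LE path."""
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        index, drive, ftime, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        letter = chr(ord("a") + drive)
        ext = path.rsplit(".", 1)[1] if "." in path else ""
        records.append({
            "index": index,
            "drive": letter.upper() + ":",
            "deleted_at": filetime_to_dt(ftime),
            "size": size,
            "original_path": path,
            "recycled_name": f"D{letter}{index}.{ext}",   # e.g. Dc1.bmp
            # Windows zeroes the first byte of the ANSI path (the drive letter)
            # when the entry is restored or permanently deleted from the bin.
            "still_in_bin": rec[0] != 0,
        })
    return records

def build_record(index, drive, path, deleted_at, size, emptied=False):
    """Constructed INFO2 record for the sample image below (hypothetical data)."""
    ansi = path.encode("cp1252").ljust(260, b"\x00")
    if emptied:
        ansi = b"\x00" + ansi[1:]
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, dt_to_filetime(deleted_at), size) + uni

T0 = datetime(2007, 4, 16, 9, 30, tzinfo=timezone.utc)   # constructed sample timestamp
SAMPLE = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, HEADER_SIZE + 2 * RECORD_SIZE)  # header
SAMPLE += build_record(1, 2, r"C:\Documents and Settings\jdoe\photo.bmp", T0, 4096)
SAMPLE += build_record(2, 2, r"C:\temp\notes.jpg", T0 + timedelta(minutes=5), 1024, emptied=True)
```

Run `parse_info2(SAMPLE)` to see the two entries: the first is still in the bin as Dc1.bmp, the second (Dc2.jpg) has lost its drive letter and was therefore restored or purged.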
- Link Files
  - .lnk extension
  - The timestamp is found at an offset of 24, spanning 28 bytes.
  - 4 bytes before the referenced filename you can find the volume serial number.
  - Info (TBC):
    - File Flags
    - File Attrs
    - Shortcut Display Mode
    - CWA Times
    - Vol. Label
    - Media Type
    - Volume Serial
    - File Length
    - Base Path
    - Target Exists
- Internet Explorer
  - Favorites
  - History
    - Tools: NetAnalysis, Pasco
  - Cache
  - Cookies
    - Fields: Key, Value, Host, Secure, Modified Date, Expiration Date.
- Firefox
  - Favorites
  - History
  - Cache
  - Cookies
  - Passwords
  - Downloads
Operating System Files
- Pagefile.sys
- Hiberfil.sys
- %SYSTEMROOT%\System32\Config\Default
- %SYSTEMROOT%\System32\Config\SAM
- %SYSTEMROOT%\System32\Config\Security
- %SYSTEMROOT%\System32\Config\Software
- %SYSTEMROOT%\System32\Config\System
- %SYSTEMROOT%\System32\Config\AppEvent.evt
- %SYSTEMROOT%\System32\Config\SecEvent.evt
- %SYSTEMROOT%\System32\Drivers\Etc\Hosts
- %SYSTEMROOT%\System32\Drivers\Etc\LMHosts
- %SYSTEMROOT%\System.ini
- %SYSTEMROOT%\Win.ini
- Print Spool Files
  - Under %SYSTEMROOT%\System32\Spool\Printers
  - SHD
    - The first 2 bytes identify the OS which generated the file:
      0x4B49 -> Windows 9x
      0x6649 -> Windows NT
      0x6749 -> Windows 2000/XP
      0x6849 -> Windows Server 2003
    - Contents:
      User who printed the job
      User who is notified when the job is completed
      Document Name
      Printer Port Name
      Printer Name
    - The relevant information is at the position given by the contents of location 14h.
  - SPL
    - Format can be: RAW or EMF
Users
General Information
- Time Zone
  - Registry Entries:
    - HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\StandardName
    - HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\DaylightName
  - Look in the Event Log for time zone changes.
- Windows XP activation info resides in:
  - C:\Windows\System32\wpa.dbl - C:\Windows\System32\wpa.bak
- USB drives:
  - Registered (forever) in ControlSet\Enum\USBSTOR
  - One entry for each device.
  - There exists a WXP SP2 hack to make a removable drive read-only in Windows.
References