Windows Artifacts

Fahri Korkmaz
11 min read · Mar 19, 2021


Description

This article contains Windows Artifacts that can be useful in case of a forensic investigation of a Windows machine.

File recovery

Sometimes malware or suspects try to hide their activity by deleting certain files. Deleting a file on Windows normally moves it into the Recycle Bin, but it is also possible to “delete” files directly without moving them there. In most cases, especially on mechanical hard drives, only the pointer inside the Master File Table (MFT) is removed; the file's content remains on the disk until it is overwritten. SSDs handle deletion differently: they support a “TRIM” function, which is called when a file is deleted from an SSD and makes recovery impossible. How “TRIM” is invoked depends on the operating system: some OSs trim the blocks immediately, others run TRIM after some period. Nevertheless, looking for traces of deleted files should be part of every forensic investigation.

To understand how files can be recovered after their entry has been removed from the Master File Table, we have to look at how files are stored on the disk. Files usually have a header, a body and sometimes a footer. The header contains information about the file, e.g. the magic number, which identifies the file type (PE executable, JPG file, and so on). The body contains the actual content. The footer marks the end of the file; it is needed when the format has no fixed size and the header does not state the file's size. To detect deleted files we therefore search the disk for these headers and footers. There are automated tools for this, such as the open source tool “Autopsy”, whose “PhotoRec Carver” module searches for deleted files automatically. The forensic examiner then has to analyze the results.

Also the Recycle Bin should be part of an investigation. Different Windows versions have different Recycle Bin locations. Also the structure of the Recycle Bin depends on the Windows version. Following are the characteristics for specific Windows versions:

Windows 95/98/Me

  • Location: %SystemDrive%\RECYCLED

Windows XP:

  • Location: %SystemDrive%\Recycler
  • The Recycler folder contains a folder for each user's SID
  • Inside the folder with the user’s SID there is a file called INFO2 and the deleted files
  • The INFO2 file contains metadata about the deleted files
  • The maximum size of the Recycle Bin is 10% of the hard drive’s size

Windows Vista and later:

  • Location: %SystemDrive%\$Recycle.Bin
  • The $Recycle.Bin folder contains a folder for each user's SID
  • Under each user's SID there are files whose names begin with $I and $R

When a file is deleted two files are created:

  • $R file contains the actual file that was deleted
  • $I file contains the metadata of the deleted file

Ways to delete a file on Windows:

  • Move to recycle bin: DELETE Key; Right-click -> delete
  • Permanently delete file: del command; rmdir command; SHIFT + DELETE; deleting files which are stored on a network share
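The $I record layout described above, as an added example that is not part of the original article: a parser for both the Vista-to-8.1 format (fixed 520-byte path) and the Windows 10 format (length-prefixed path). The sample records are constructed inline; the helper `build_i_file` exists only to produce them.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_i_file(data):
    """Parse the metadata record of a $I file.

    Both versions start with three little-endian QWORDs: version, original
    file size and deletion time (FILETIME). Version 1 (Vista to 8.1) follows
    with a fixed 520-byte UTF-16LE path; version 2 (Windows 10 and later)
    stores a DWORD character count (including the terminator) and then the path.
    """
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(deleted_ft), "path": path}

def build_i_file(version, size, deleted_ft, path):
    """Construct a $I record for testing (not taken from a real system)."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, deleted_ft)
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded

# Constructed deletion time: 2021-03-19 12:00:00 UTC as a FILETIME.
SAMPLE_DELETED_FT = 132606288000000000
SAMPLE_V1 = build_i_file(1, 4096, SAMPLE_DELETED_FT, r"C:\Users\alice\Documents\report.docx")
SAMPLE_V2 = build_i_file(2, 10, SAMPLE_DELETED_FT, r"D:\tmp\x.txt")

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        print(parse_i_file(sample))
```

On a real system the matching $R file carries the content; pairing is by the name suffix after $I/$R.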

Tools

Further Information

Data Carving

This is an advanced way to recover files. Data Carving does not use the underlying file structure to recover files. This is especially useful if the file system is missing or corrupted. Data Carving uses magic numbers to identify files on the hard drive.
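A minimal magic-number carver, added here as an illustration and not code from the article or from Autopsy: it shows the two cases from the file-recovery section, a format with a footer (JPEG) and a format whose header chain gives the length (PNG). The "disk image" is a constructed byte string.

```python
import struct
import zlib

# Signatures used by the carver. JPEG has a fixed header and footer; PNG has a
# fixed header but no footer, so its end is found by walking the chunk chain.
JPEG_HEADER, JPEG_FOOTER = b"\xff\xd8\xff", b"\xff\xd9"
PNG_HEADER = b"\x89PNG\r\n\x1a\n"

def png_length(blob, start):
    """Return the length of the PNG starting at `start`, or None if truncated.
    Each chunk is a 4-byte big-endian length, 4-byte type, data and 4-byte CRC;
    the file ends immediately after the IEND chunk."""
    pos = start + len(PNG_HEADER)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        pos += 8 + length + 4
        if pos > len(blob):
            return None
        if ctype == b"IEND":
            return pos - start
    return None

def carve(blob, max_jpeg=10 * 1024 * 1024):
    """Scan a raw byte image for magic numbers and return (offset, type, length)
    for every complete file found. Slack between files is skipped byte by byte."""
    found, pos = [], 0
    while pos < len(blob):
        if blob.startswith(JPEG_HEADER, pos):
            end = blob.find(JPEG_FOOTER, pos + len(JPEG_HEADER), pos + max_jpeg)
            if end != -1:
                found.append((pos, "jpg", end + len(JPEG_FOOTER) - pos))
                pos = end + len(JPEG_FOOTER)
                continue
        elif blob.startswith(PNG_HEADER, pos):
            length = png_length(blob, pos)
            if length is not None:
                found.append((pos, "png", length))
                pos += length
                continue
        pos += 1
    return found

def png_chunk(ctype, data):
    """Build one PNG chunk (used only to construct the sample image)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# Constructed "disk image": a JPEG-like blob and a minimal PNG surrounded by slack.
SAMPLE_JPEG = JPEG_HEADER + b"\xe0" + b"\x00" * 40 + JPEG_FOOTER                       # 46 bytes
SAMPLE_PNG = PNG_HEADER + png_chunk(b"IHDR", b"\x00" * 13) + png_chunk(b"IEND", b"")  # 45 bytes
SAMPLE_IMAGE = b"\x00" * 512 + SAMPLE_JPEG + b"\xff" * 100 + SAMPLE_PNG + b"\x00" * 64

if __name__ == "__main__":
    for offset, kind, length in carve(SAMPLE_IMAGE):
        print(f"{kind} at offset {offset}, {length} bytes")
```

A real JPEG can contain an embedded thumbnail with its own FFD9 footer, so production carvers validate the structure rather than stopping at the first footer.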

Tools

Windows Registry

The Windows Registry is a hierarchical database. It stores a large amount of information and should be examined during a forensic investigation: Windows system configuration for hardware, software and the operating system, user preferences, and computer and application usage history. The registry data is stored as a tree; each node is called a key. The Registry contains five root hives: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG.

There are two types of registry hives:

  • Volatile: HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CLASSES_ROOT
  • Non-volatile: HKEY_LOCAL_MACHINE, HKEY_USERS

You can inspect the registry by acquiring a forensic image of the hard drive. Some registry hives can also be inside a RAM image. Volatility can extract registry keys and hives inside a RAM image. Also the registry can be investigated during live acquisition, e.g. by using the default Windows Registry Editor.

Automatic Startup

  • The registry contains programs that should run automatically after reboot
  • Persistence mechanism for malware

Further information

Installed Programs

  • The registry keeps track of installed programs for each user
  • Keep in mind that not all programs create a registry key, e.g. portable programs
  • Relevant Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INSTALLER\PRODUCTS\<PRODUCT CODE>\SOURCELIST\NET
HKEY_CLASSES_ROOT\INSTALLER\PRODUCTS\<PRODUCT CODE>\SOURCELIST\NET

USB Device Forensics

  • The Windows registry keeps track of previously connected USB drives
  • The following information can be acquired from the registry keys: connection times, associated user, technical information
  • Note that USB devices that use the Media Transfer Protocol (MTP) won't leave traces inside these registry keys

Registry Keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR:

  • USB devices plugged into the system since the operating system was installed
  • Information: USB vendor ID, product ID, device serial number
  • If the device serial number has a “&” as its second character, then this is a serial number generated by Windows

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices:

  • Stores drive letter allocations
  • Matches serial number of a USB device

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

  • You can get information about which user was logged in when a specific USB device was plugged in
  • Includes “Last Write Time”

HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Enum\Usb

  • Contains technical information about the USB drive
  • Contains last time the device was connected

You can also identify the first time a USB device was connected to the PC. Just search for the serial number inside the following log:

  • Windows XP: %SystemDrive%\Windows\setupapi.log
  • Windows 7 and 8: %SystemDrive%\Windows\inf\setupapi.dev.log
  • Windows 10: %SystemDrive%\Windows\inf\setupapi.upgrade.log

Tools

Most recently used list

  • Logs the most recently accessed files
  • Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word*\File MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPid1MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\OpenSavePid1MRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Tool

Further information

Network Analysis

  • Connections to the Internet or the Intranet are also logged inside the Registry

Information that can be obtained:

  • Network cards
  • Wireless connection profiles (Name, IP, subnet mask, DHCP)
  • Date connection first created and date connection took place

Registry Keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Windows Shutdown Time

  • This registry key records when the system was last shut down
  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows
  • Node: ShutdownTime
  • This value is stored in binary, the tool DCode can be used to decode the value

Printer Information

  • HKEY_CURRENT_USER\Printers: Holds settings of the current default printer
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print: Contains additional subkeys that hold information about installed printers
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\printername: View the properties of currently installed printers

Deleted Registry Keys

  • Eric Zimmerman’s Registry Tool can be used to view deleted keys
  • Registry hive backups can also be used to recover deleted keys. These backups are located at %SystemDrive%\Windows\System32\config\RegBack. Note that since Windows 10 version 1803 this folder is no longer populated by default (the hive files exist but are empty) unless periodic backups have been enabled via the EnablePeriodicBackup value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager.

Information about the System

  • Install Date: SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • Time Zone Information: SYSTEM\ControlSet001\Control\TimeZoneInformation
  • Daylight settings: SYSTEM\ControlSet001\Control\TimeZoneInformation
  • Users on the System: SAM\SAM\Domains\Account\Users
  • Registered Owner: SOFTWARE\Microsoft\Windows NT\CurrentVersion

Userassist

  • Record of all executable programs recently launched, together with how often each recorded program was run (execution count)
  • Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  • UserAssist only records programs launched via Windows Explorer (programs started from the command line are not recorded)
  • Encoding: ROT13
  • Tool for decoding: UserAssistView
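An added example (not from the article or from UserAssistView) covering both the Windows Shutdown Time key above and UserAssist: it decodes a REG_BINARY FILETIME such as ShutdownTime, and it ROT13-decodes a UserAssist value name and unpacks the 16-byte (XP) or 72-byte (Windows 7 and later) record layout. The value name and record bytes are constructed; the GUID-prefixed name form and the field offsets are the documented formats, not taken from a specific system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC; 0 means unset."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def decode_shutdown_time(reg_binary):
    """ShutdownTime is stored as an 8-byte little-endian FILETIME (REG_BINARY)."""
    (ft,) = struct.unpack("<Q", reg_binary)
    return filetime_to_datetime(ft)

def decode_userassist(value_name, value_data):
    """Decode one UserAssist value.

    The value name is ROT13 (the GUID prefix is rotated too). The data layout
    depends on the Windows version:
      XP:         16 bytes: session id, run count (counting starts at 5), last run FILETIME
      Windows 7+: 72 bytes: run count at offset 4, focus count at 8,
                  focus time in ms at 12, last run FILETIME at 60
    """
    name = codecs.decode(value_name, "rot13")
    if len(value_data) == 16:
        _, raw_count, last_ft = struct.unpack("<IIQ", value_data)
        run_count, focus_count, focus_ms = max(raw_count - 5, 0), None, None
    elif len(value_data) == 72:
        run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
        (last_ft,) = struct.unpack_from("<Q", value_data, 60)
    else:
        raise ValueError(f"unexpected UserAssist record length {len(value_data)}")
    return {"name": name, "run_count": run_count, "focus_count": focus_count,
            "focus_ms": focus_ms, "last_run": filetime_to_datetime(last_ft)}

# Constructed samples (not taken from a real system).
SAMPLE_FT = 132606288000000000                      # 2021-03-19 12:00:00 UTC
SAMPLE_SHUTDOWN = struct.pack("<Q", SAMPLE_FT)      # as read from REG_BINARY
SAMPLE_UA_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr"
SAMPLE_UA_DATA = (struct.pack("<IIII", 0, 7, 3, 12345) + b"\x00" * 44
                  + struct.pack("<Q", SAMPLE_FT) + b"\x00" * 4)
SAMPLE_UA_XP = struct.pack("<IIQ", 1, 9, SAMPLE_FT)  # XP form: 9 - 5 = 4 runs

if __name__ == "__main__":
    print("last shutdown:", decode_shutdown_time(SAMPLE_SHUTDOWN))
    print(decode_userassist(SAMPLE_UA_NAME, SAMPLE_UA_DATA))
    print(decode_userassist(SAMPLE_UA_NAME, SAMPLE_UA_XP))
```

The same `filetime_to_datetime` helper also converts FILETIME values that other artifacts store as plain decimal integers.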

Windows Features

Prefetch files

Prefetch files were introduced in Windows XP and are used to speed up application startup. When an application is started for the first time, Windows records the first 10 seconds of the startup: it notes which DLLs are loaded and saves their names into the Prefetch file, so that it can load these DLLs faster the next time. Prefetch files also contain the name of the executable, the last time it was executed and how many times the application was run.

  • Prefetch Configurations: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
  • Prefetch files location: C:\Windows\Prefetch
  • Prefetch file name: <application name>-<8 char hash of location where the app was run from>.pf

Metadata

The Prefetch files contain the following metadata:

  • Executable's name
  • Run count
  • Volume related information
  • Size of the Prefetch file
  • Files and directories used during application startup

Timestamps

Prefetch files contain the following timestamps:

  • Last run time of the application
  • Volume creation time

Tools

See Also

Windows Thumbnails

Windows stores thumbnails of images, videos and documents in thumbnail cache files called thumbcache_NN.db. This can tell an investigator which files existed, because thumbnails are not deleted when the file itself is deleted.

  • Thumbcache Location: %userprofile%\AppData\Local\Microsoft\Windows\Explorer
  • Tool: Thumbs Viewer

Jump Lists

Jump Lists were introduced in Windows 7. Applications can use them to give the user quick access to certain actions; web browsers use this feature quite often. If you right-click the Firefox icon in your taskbar, you should see web sites you access frequently. This feature uses Jump Lists.

  • Configuration: Win+i > Personalization > Start
  • Location: %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\

AUTOMATICDESTINATIONS

  • Automatically created when the user opens an application or accesses a file
  • Location: %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
  • File name: *.automaticDestinations-ms
  • File Format: OLE Compound files

CUSTOMDESTINATIONS

  • Created when user pins a file to start menu or task bar
  • Location: %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
  • Filename: *.customDestinations-ms
  • Tool: Jump List View

Files are named after the relevant application's AppID:

  • 16 hexadecimal digits
  • followed by “.customDestinations-ms” / “.automaticDestinations-ms”

LNK Files

“LNK” files are shortcut files that are either auto-generated by Windows or created by the user. A “LNK” file points to another application or file. LNK files can contain the following information:

  • MAC time attributes (Creation, Modification, Access Time) for LNK file and linked file
  • User’s previous activities on Computer
  • Linked file size
  • Original path of the linked file
  • Serial number and name of the volume that held the linked file
  • Network adapter MAC address and original network path of the original computer
  • Extension: .lnk

Locations:

  • %userprofile%\AppData\Roaming\Microsoft\Windows\Recent
  • %userprofile%\AppData\Roaming\Microsoft\Office\Recent
  • Also other locations are possible

Tools

Event Log Analysis

Windows will log certain events. This can help an investigator to understand what a user has done at what particular time.

Locations

Windows 2000, XP, 2003:

  • EVT Format
  • Files: Application, System, Security
  • Location: %SystemDrive%\Windows\System32\config

Vista and newer:

  • Windows XML event log (EVTX) format
  • Location: %SystemDrive%\Windows\System32\winevt\Logs

Types of Event Logs

  • Error: Indicates that a significant problem has occurred
  • Warning
  • Information: Indicates a successful operation
  • Success Audit: Successful security event (e.g. a successful login)
  • Failure Audit

Main Elements of every Event Log

  • User
  • Event ID
  • Source
  • Computer
  • Date and time
  • Description

Tools

Hidden Hard Drive Partition

Most computer vendors create a hidden hard drive partition that stores a recovery image of the installed operating system. Hidden partitions can also contain data and files of interest. To find hidden partitions you can use Microsoft's DiskPart utility.

Windows Minidump File

When Windows crashes and a bluescreen is shown, this file gets created. The minidump contains a copy of the memory at the time the crash happened.

  • Location: %SystemDrive%\Windows\Minidump

Tools

Pagefile.sys, Hiberfil.sys, Swapfile.sys

These files are required for proper functioning of the Windows operating system.

  • Location: %SystemDrive%

Pagefile.sys

  • Virtual Memory
  • Location stored in Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Hiberfil.sys

  • Used to support the hibernation feature
  • Approximate size: 3/4 of RAM
  • Earlier versions of Windows (Vista, 7) stored the kernel session, device drivers and application data
  • Modern versions of Windows (8, 10) store only the kernel session and device drivers

Swapfile.sys

  • Used to store idle and other non-active objects evicted from RAM
  • When the user accesses an idle process, its data is moved back into RAM
  • Fixed size in modern Windows versions (8, 10): 256 MB

Windows Volume Shadow Copies

The Volume Shadow Copy Service (VSS) coordinates the creation of consistent snapshots of the data at a specific point in time for each partition on which it is activated. Volume Shadow Copies can be used to recover corrupted files, restore deleted files or examine older registry hives. They are only available if NTFS is the underlying file system. The feature was introduced in Windows XP.

Tool to extract snapshots:

Notification Area Database

This feature was introduced in Windows 8. Any application that generates a systray notification will record this notification in a centralized database.

  • Database Location: %userprofile%\AppData\Local\Microsoft\Windows\Notifications
  • Database Name: wpndatabase.db
  • Location of images displayed on Start Menu/Within Notifications: %userprofile%\AppData\Local\Microsoft\Windows\Notifications\wpnidm
  • Format: Sqlite
  • “ArrivalTime” and “ExpiryTime” are stored in decimal format

Tools

  • DB Browser for Sqlite

Cortana Forensics

Cortana is a personal assistant that was introduced in Windows Phone 8.1. The assistant is capable of learning the user's habits. Keep in mind that this feature can be turned off by the user.

Extensible Storage Engine (ESE) database locations:

  • %userprofile%\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\IndexedDB.edb
  • %userprofile%\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat

Forensically valuable information inside “CortanaCoreDb.dat”:

  • User geolocation
  • Reminders
  • Where and when reminders triggered

Cortana voice command (wav audio files):

  • %userprofile%\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Speech

Tools

Windows Application Compatibility

The Application Compatibility database is used to identify compatibility issues with Windows applications. Metadata inside the Shimcache is written to the Registry during system shutdown. This cache contains the file name, file size, file last-modified time and last execution time of the application; which metadata the Shimcache holds depends on the version of Windows. A tool to parse the Shimcache is ShimCacheParser. For further information see Leveraging the Application Compatibility Cache in Forensic Investigations.

Windows SRUM

The System Resource Usage Monitor (SRUM) can be used to determine whether an application was executed, which makes it very useful during incident response. This Windows feature collects statistics about executed programs. The “App history” tab of the Windows Task Manager makes use of the SRUM database, which is stored in ESE format. Keep in mind that SRUM data is cached and only written out periodically into the registry, so tools may not pick up recently executed programs. SRUM can be acquired through Volume Shadow Copies or with FTK Imager.

Commands to acquire through VSS:

  • vssadmin list shadows
  • mklink /d SRUM <path to shadow volume>\

Windows MACB Timestamps (NTFS Forensics)

MACB stands for:

  • Modified
  • Accessed
  • Changed ($MFT Modified)
  • Birth (file creation time)

Stored at:

  • $STANDARD_INFORMATION ($SI): Stores metadata, e.g. flags, the file's security ID and one set of MACB timestamps; can be modified by user-space processes
  • $FILE_NAME ($FN): Contains MACB timestamps, file name and file length; can only be modified by the system kernel

Tools:

  • Antiforensics tool: TimeStomp (Can only modify $SI, not $FN)
  • Tool: analyzeMFT
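A timestomping check built on the $SI/$FN distinction above, added here as an example and not code from analyzeMFT or the article: it parses the timestamp fields of both attributes from their raw content and flags two common heuristics (a $SI creation time earlier than the kernel-maintained $FN creation time, and $SI timestamps with zeroed sub-second precision). The attribute bytes are constructed; the offsets are the standard NTFS attribute layouts.

```python
import struct
from datetime import datetime, timedelta, timezone

FIELDS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_si(content):
    """$STANDARD_INFORMATION attribute content: four FILETIMEs at offset 0,
    in the order created, modified, MFT modified, accessed."""
    return dict(zip(FIELDS, struct.unpack_from("<4Q", content, 0)))

def parse_fn(content):
    """$FILE_NAME attribute content: 8-byte parent directory reference,
    then the same four FILETIMEs starting at offset 8."""
    return dict(zip(FIELDS, struct.unpack_from("<4Q", content, 8)))

def timestomp_indicators(si, fn):
    """Return heuristic findings. These are indicators, not proof: a restore
    from backup or certain copy operations can also produce odd orderings."""
    findings = []
    if si["created"] < fn["created"]:
        findings.append("$SI creation time precedes $FN creation time")
    if all(ft % 10_000_000 == 0 for ft in si.values()):
        findings.append("all $SI timestamps have zero sub-second precision")
    return findings

# Constructed attribute contents (not taken from a real volume).
REAL_CREATE = 132606288000000000 + 1234567        # 2021-03-19 12:00:00.1234567 UTC
REAL_MODIFY = REAL_CREATE + 5 * 60 * 10_000_000   # five minutes later
BACKDATED = 126000000000000000                    # a whole-second value from 2000

def si_content(c, m, mm, a):
    return struct.pack("<4Q", c, m, mm, a) + b"\x00" * 16      # flags etc. zeroed

def fn_content(c, m, mm, a):
    return b"\x00" * 8 + struct.pack("<4Q", c, m, mm, a) + b"\x00" * 24

BENIGN = (si_content(REAL_CREATE, REAL_MODIFY, REAL_MODIFY, REAL_MODIFY),
          fn_content(REAL_CREATE, REAL_CREATE, REAL_CREATE, REAL_CREATE))
STOMPED = (si_content(BACKDATED, BACKDATED, BACKDATED, BACKDATED),
           fn_content(REAL_CREATE, REAL_CREATE, REAL_CREATE, REAL_CREATE))

def check(record):
    """Parse a ($SI content, $FN content) pair and return its findings."""
    si_raw, fn_raw = record
    return timestomp_indicators(parse_si(si_raw), parse_fn(fn_raw))

if __name__ == "__main__":
    for label, record in (("benign", BENIGN), ("stomped", STOMPED)):
        print(label, check(record) or "no indicators")
```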

Windows NTFS Attributes ($I30 Files)

  • Evidence of deleted or overwritten files may be present within the slack of the $I30 file
  • Tool: INDXParse

Shellbags

  • Shellbags store the view preferences of the user
  • Shellbags can be used to determine which folders were accessed by a particular user

Locations:

  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
  • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • UsrClass.dat Location: \Users\<user>\AppData\Local\Microsoft\Windows

RDP Forensics

  • The RDP Profile Cache can be used to reassemble sections of the screen.

RDP Profile Cache Location:

%userprofile%\AppData\Local\Microsoft\Terminal Server Client\Cache

Tools:

RDP Event Logs:

Scenarios:

  • RDP Successful Logon
  • RDP Unsuccessful Logon
  • RDP Session Disconnect (Window Close)
  • RDP Session Disconnect (Start > Disconnect)
  • RDP Session Reconnect
  • RDP Session Logoff

Further readings:

Volume Shadows

  • Technology that can create volume or file snapshots, even if they are in use
  • Implemented as service
  • Works on Windows NTFS or ReFS filesystems
  • Volume Shadows can be stored locally or remotely

Useful commands:

  • List current Volume Shadows: vssadmin list shadows
  • Symbolic link to a volume shadow: mklink /d <dir> <shadow_copy_volume>\

NTFS Journal

  • The NTFS Journal keeps track of the reason behind changes, such as file creation, deletion, encryption, directory creation, deletion
  • Stored under hidden folder: $Extend\$UsnJrnl
  • To access the Journal you will need raw access to filesystem
  • The journal records the MFT entry number of each affected file; this can be used to recover deleted files

Tools:

Further reading:

Further Resources

References
