Home - nurit-cyber/OperatingSystemForensics GitHub Wiki

Windows Table of Contents

Windows Jump Lists Artifacts
Windows LNK Files Artifacts
Windows Prefetch Files Artifacts
Windows Recycle Bin Artifacts
Windows Registry Hive Artifacts
Windows Registry Basics Artifacts
Windows Scheduled Tasks and Event Logs Artifacts
Windows Shell Bags Artifacts
Windows Thumbnail Caches Artifacts
Windows USB Artifacts
Windows Volume Shadow Copy Artifacts
Windows Search Artifacts

Intro to Windows Operating System Forensics

Windows Domain

Windows domains consist of three general types of computers: domain controllers (DCs), member servers, and client computers.

User Accounts

Every user account has a Security Identifier (SID), a unique value that Windows uses to identify the account in access control lists and audit records. Event logs record the SID rather than the username, so the SID is the key for attributing actions to an account, even after the account has been renamed or deleted.
The SID of the current user, or of a named user, can be found as follows:

CMD: whoami /user
WMIC: wmic useraccount get name,sid
WMIC + Username: wmic useraccount where name="USER" get sid
(WMIC is deprecated in recent Windows releases; in PowerShell, Get-LocalUser | Select-Object Name,SID gives the same listing for local accounts.)
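The commands above only print SIDs. When working an investigation you usually need to go the other way as well, from a SID found in a log to an account name, and to recognise well-known relative identifiers (RIDs). The following PowerShell script is an added example written for this page, not code from the wiki's author; it uses the .NET SecurityIdentifier and NTAccount classes, and the domain SID it decodes at the end is a constructed sample, not a real domain.

```powershell
# Added example (not from the original wiki page): resolve SIDs <-> account names
# with .NET and break a SID into its parts. Assumes Windows PowerShell 5.1 or
# later. The sample domain SID near the end is constructed for illustration.

function ConvertTo-AccountName([string]$Sid) {
    # SID -> DOMAIN\user (or MACHINE\user); unresolvable SIDs throw, so report them
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        "<unresolved: $Sid>"
    }
}

function ConvertTo-Sid([string]$Account) {
    # DOMAIN\user -> SID string
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Split-Sid([string]$Sid) {
    # Layout is S-1-<authority>-<subauthorities...>-<RID>; the last subauthority
    # is the RID, everything before it identifies the domain or local machine.
    $parts = $Sid -split '-'
    [pscustomobject]@{
        Sid             = $Sid
        Authority       = [int]$parts[2]
        DomainOrMachine = ($parts[0..($parts.Count - 2)] -join '-')
        Rid             = [int]$parts[-1]
    }
}

# RIDs that are the same in every domain (constructed lookup table; values are
# the documented well-known RIDs).
$wellKnownRid = @{ 500 = 'Administrator'; 501 = 'Guest'; 512 = 'Domain Admins'; 513 = 'Domain Users' }

# Current user: the same SID that `whoami /user` prints
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Current user: $($me.Name) -> $($me.User.Value)"

# Round-trip name -> SID -> name and decode the RID
$sid = ConvertTo-Sid $me.Name
$decoded = Split-Sid $sid
"RID of current user: $($decoded.Rid); resolves back to $(ConvertTo-AccountName $sid)"

# Constructed sample: a domain SID whose RID 500 is the built-in Administrator
$sample = 'S-1-5-21-1004336348-1177238915-682003330-500'
$s = Split-Sid $sample
"Domain part: $($s.DomainOrMachine)"
"RID $($s.Rid) is the well-known account: $($wellKnownRid[$s.Rid])"
```

Comparing the domain part of two SIDs tells you whether two accounts come from the same domain or machine, and a RID of 500 identifies the built-in Administrator even if the account has been renamed, which is why log reviews should key on SIDs rather than on display names.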

Forensic Analysis of Cut, Copy, Paste Operations

Record and compare all timestamps in UTC (Explorer displays local time, so convert before comparing with other evidence).
Modified: the last time the file's content was written.
Accessed: the last time the file was read or opened. Last-access updating is disabled by default since Windows Vista, so on Windows 10 opening a file normally does not change this value; the behaviour is controlled by the NtfsDisableLastAccessUpdate value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, and Windows 10 1803 and later can re-enable it automatically on small volumes.
Created: when the file was created on this volume.
Entry Modified: when the file's MFT record was last changed. Explorer does not show it, so a forensic tool that parses the MFT (for example MFTECmd) is needed; it changes for every operation.
NTFS stores one set of these four timestamps in the $STANDARD_INFORMATION attribute ($SIA) and a second set in the $FILE_NAME attribute ($FNA). The $SIA set is what Explorer shows and what user-mode programs (including timestomping tools) can change; a mismatch between $SIA and $FNA is a classic sign of tampering.

Copying a file

The timestamps of the new copy, compared with the original. Copying from the command line can give different results than copying in Explorer (robocopy, for example, preserves the source file's timestamps by default), so note which method was used.
- created date - updated (set to the time of the copy)
- modified date - same (inherited from the original)
- accessed date - updated (only where last-access updates are enabled)

Moving a file

- created date - same (unless the volume changes, e.g. file moved from C: to D:, which is really a copy to the new volume followed by a delete)
- modified date - same
- accessed date - same (unless the volume changes, e.g. file moved from C: to D:)

Modifying/Saving an existing file

- created date - same
- modified date - updated
- accessed date - same

Accessing a file

- created date - same
- modified date - same
- accessed date - same (Updated on Windows XP and prior or non-NTFS volume)

Command Line

echo hello > hello

This creates a new file titled hello whose content is "hello" (cmd.exe output redirection). Running the same command again truncates and rewrites the existing file, so its modified date updates while its created date stays the same; use >> to append to the file instead of overwriting it.

Tips and Tricks

Tools

Tools from Eric Zimmerman always need to be unzipped with 7-Zip, or else the extracted files may be corrupted.

It is possible to run a tool on the main (host) machine against files in the VM.

  1. Open FTK Imager to mount the VM's disk image