Windows Forensics

Windows Disk Forensics

Windows forensics is the collection of evidence from a computer running the Windows operating system. Evidence we can collect includes, but isn't limited to:

  • Browser and webmail analysis forensics is a crucial aspect of digital forensics that deals with analyzing the usage of web browsers and webmail services by individuals or organizations. In this article, we will discuss how web browser and webmail analysis forensics can be useful in digital forensics investigations, the types of data that can be recovered, and the tools used for analysis. Learn more.
  • Shell item forensics is an essential aspect of digital forensics that deals with analyzing various artifacts created by the Windows operating system. These artifacts provide valuable information that can help investigators understand the activities of a user on a computer. In this article, we will focus on three important artifacts - shortcut files, shellbags, and jump lists - and highlight their usefulness in digital forensics investigations. Learn more.
  • Cloud storage has become an essential part of our digital lives. People and organizations use cloud storage to store and share their data. However, as with any technology, there are potential security risks associated with cloud storage. In this article, we will discuss the importance of cloud storage file and metadata examinations in digital forensics investigations. Learn more.
  • Email is a crucial communication tool for both individuals and organizations. It is also a source of digital evidence that can be used in digital forensics investigations. Email forensics involves the analysis of email messages, email servers, and email clients to identify evidence related to criminal activity or a security breach. In this article, we will discuss the types of email forensics (host, server, web), the importance of email forensics, and the specifics of Microsoft 365 and Google Workspace (G Suite) email forensics. Learn more.
  • TypedPaths is a forensic artifact found in the Windows registry (in the user's NTUSER.DAT hive, under the Explorer key). It records the file and folder paths a user typed into the Windows Explorer address bar, which is useful in digital forensics investigations because a typed path shows the user knew of, and deliberately navigated to, that location. Learn more.
  • Windows registry is a crucial component of the operating system that contains important configuration settings for software and hardware installed on a computer. In digital forensics investigations, registry forensics is the process of analyzing the Windows registry to identify evidence related to criminal activities or security breaches. Learn more.
  • RecentDocs is a forensic artifact found in the Windows registry (in the user's NTUSER.DAT hive, under the Explorer key). It records the files and folders a user has recently opened through Windows Explorer and common file dialogs, broken down by file extension, and its MRUListEx value preserves the order in which they were opened. Learn more.
  • Deleted files are often the first thing our clients want us to find. They're what someone doesn't want you to know and what YOU need to know. We use a variety of recovery techniques, from file-system metadata that outlives the data to carving unallocated space, to find out what someone wanted hidden.
  • Thumbs.db is a hidden file that the Windows operating system creates when a folder containing images or videos is viewed in a thumbnail view. The file contains thumbnail images of the files in the folder, allowing users to view the contents of the folder more quickly. Thumbs.db is typically found in the same directory as the images or videos it represents and can be accessed using digital forensics tools. Because the thumbnails are not removed when the originals are deleted, Thumbs.db can show what an image looked like after the image itself is gone. Learn more.
  • Browser history covers the forensic artifacts an Internet browser leaves on a hard drive: websites a user has visited, files downloaded, and the search terms entered into search engines like Google, Yahoo! or Bing. Browser history is also useful for legal teams in building character profiles.
  • Most Recently Used (MRU) lists are capped lists of the files a user most recently opened or saved; the cap depends on the list and the Windows version, and each list is ordered by an MRUListEx value rather than by the numbering of its entries. Deleted files still show up in the MRU, which (along with other corroborating evidence) can prove that file exfiltration has occurred. The MRU is also crucial in proving that a user had knowledge of a file.
  • Windows Desktop Search, which is in Windows Vista and later, indexes files on a computer and stores the index in a database (Windows.edb) under the Windows Search data folder. This allows a forensic investigator to recover partial contents of indexed documents and emails. It can also indicate the existence of hidden and deleted files, since index entries can outlive the files they describe.
  • USB Discovery is a process that lets us see the Windows record of USB devices that have been attached to a computer, along with the first date the device was installed, its serial number, the manufacturer, the user who connected the device, and the last time the USB device was used. This record is spread across the SYSTEM hive (USBSTOR and USB keys), the setupapi.dev.log installation log, and the user's NTUSER.DAT hive (MountPoints2), so a device removed from one location can often still be proven from another. When combined with other forensic techniques, USB Discovery can prove that data was copied to a USB device.
  • Wireless Network Discovery makes use of the fact that Windows keeps a record of every WiFi network a computer connects to (the NetworkList profiles in the SOFTWARE hive, with first-connection and last-connection times and the gateway's MAC address) and, in rare cases, every WiFi network the computer came within range of. Looking up the gateway MAC address in a geolocation database can allow us to pinpoint unauthorized locations the computer has been to.
  • Mobile Device Backups, which are simply copies of a user's device, can be recovered with digital forensics methods that crack passwords and open up the backup to examination.
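Several of the artifacts listed above (RecentDocs and its MRU ordering, the USBSTOR instance IDs, and the NetworkList wireless profiles) are stored in binary registry values that do not read as plain text. The following Python is an added example, not code from this page or its authors: it decodes those raw value formats from constructed sample bytes of the kind you would export from an offline NTUSER.DAT or SOFTWARE hive with a hive parser. The file names, profile name, serial numbers and timestamps are all made up for the demonstration.

```python
import struct
from datetime import datetime

# Layouts decoded below (constructed samples; no hive is opened here):
#  - HKCU\...\Explorer\RecentDocs: each numbered value is REG_BINARY holding a
#    NUL-terminated UTF-16LE file name followed by a shell item; MRUListEx is a
#    REG_BINARY array of 4-byte little-endian indexes, most recent first,
#    terminated by 0xFFFFFFFF. Value numbers alone do NOT give recency.
#  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}:
#    DateCreated/DateLastConnected are 16-byte SYSTEMTIME structures stored in
#    the machine's local time; NameType 0x47 = wireless, 0x06 = wired, 0x17 = broadband.
#  - HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<device>\<instance id>: if the
#    second character of the instance id is '&', the device reported no serial
#    and Windows generated the id, so it cannot identify one physical stick.

NAME_TYPES = {0x06: "wired", 0x17: "broadband", 0x47: "wireless"}


def parse_mrulistex(blob: bytes) -> list:
    """Return RecentDocs value indexes in most-recent-first order."""
    order = []
    for (idx,) in struct.iter_unpack("<I", blob[: len(blob) - len(blob) % 4]):
        if idx == 0xFFFFFFFF:          # list terminator
            break
        order.append(idx)
    return order


def parse_recentdocs_name(blob: bytes) -> str:
    """Extract the UTF-16LE file name that begins a RecentDocs value."""
    end = 0
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2                       # step one UTF-16 code unit at a time
    return blob[:end].decode("utf-16-le", errors="replace")


def recent_docs(values: dict) -> list:
    """Resolve a RecentDocs key's values into file names, most recent first."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        if str(idx) in values:         # a dangling index means the value was removed
            names.append(parse_recentdocs_name(values[str(idx)]))
    return names


def parse_systemtime(blob: bytes) -> datetime:
    """Decode a 16-byte SYSTEMTIME (year, month, weekday, day, h, m, s, ms)."""
    year, month, _weekday, day, hour, minute, second, ms = struct.unpack("<8H", blob[:16])
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def describe_network_profile(profile: dict) -> dict:
    """Summarise one NetworkList profile; times are local time, as stored."""
    return {
        "name": profile["ProfileName"],
        "type": NAME_TYPES.get(profile["NameType"], "unknown(0x%x)" % profile["NameType"]),
        "created": parse_systemtime(profile["DateCreated"]),
        "last_connected": parse_systemtime(profile["DateLastConnected"]),
    }


def usb_serial_is_device_supplied(instance_id: str) -> bool:
    """True if the USBSTOR instance id came from the device, not from Windows."""
    return len(instance_id) > 1 and instance_id[1] != "&"


# ---- constructed sample data (not from any real system) ----
def _recentdocs_value(name: str) -> bytes:
    # file name, NUL terminator, then a dummy shell item tail that is never read
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18


SAMPLE_RECENTDOCS = {
    "0": _recentdocs_value("budget.xlsx"),
    "1": _recentdocs_value("exfil_plan.docx"),
    "2": _recentdocs_value("photo.jpg"),
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}

SAMPLE_PROFILE = {
    "ProfileName": "CoffeeShop_Guest",
    "NameType": 0x47,
    "DateCreated": struct.pack("<8H", 2023, 11, 2, 7, 18, 42, 5, 120),
    "DateLastConnected": struct.pack("<8H", 2023, 11, 4, 9, 8, 15, 30, 0),
}

if __name__ == "__main__":
    print(recent_docs(SAMPLE_RECENTDOCS))
    print(describe_network_profile(SAMPLE_PROFILE))
    for iid in ("4C530001230916114392&0", "7&1a2b3c4d&0"):
        print(iid, "device serial" if usb_serial_is_device_supplied(iid) else "Windows-generated id")
```

Note that the sample MRUListEx places value 1 first, so the report lists exfil_plan.docx before the lower-numbered budget.xlsx; reading the numbered values in order would get the timeline wrong. The NetworkList times are converted as stored, so convert them from the machine's local time zone before correlating with UTC sources such as event logs.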