Windows Forensics

Windows Disk Forensics

Windows forensics is the collection and analysis of evidence from a computer running the Windows operating system. Evidence we can collect includes, but isn't limited to:

  • Deleted files are often the first thing our clients want us to find. They're what someone doesn't want you to know and what YOU need to know. Deleting a file normally removes only its directory entry; the data stays on disk until it is overwritten, so we use a variety of recovery techniques (file system metadata, unallocated space and file carving) to find out what someone wanted hidden.
  • Thumbs.db is the cache Windows XP uses to show thumbnail previews of the pictures in a folder; Windows Vista and later keep a per-user cache in thumbcache_*.db files under the user's AppData instead. Forensic analysis of these files can show that a user viewed a specific folder, and the cache can retain thumbnails of images that have since been deleted.
  • Browser history contains useful forensic artifacts that an Internet browser leaves on a hard drive. Browser history can include websites a user has visited, files downloaded, and the search terms someone used in search engines like Google, Yahoo! or Bing. Browser history is also useful for legal teams in building a profile of the user's activity.
  • Most Recently Used (MRU) lists record the files a user has opened; the RecentDocs key in the user's registry hive and the Recent Items folder are the most common sources. Entries persist after the file itself has been deleted, which (along with other corroborating evidence, such as USB history) can prove that file exfiltration has occurred. MRU evidence is also crucial in proving that a user had knowledge of a file.
  • Windows Search, built into Windows Vista and later (and available for XP as the Windows Desktop Search add-on), indexes files and email on the computer in the Windows.edb database. This allows a forensic investigator to recover partial contents of indexed documents and emails, and the index can show that files existed which have since been hidden or deleted.
  • USB Discovery examines the records Windows keeps of every USB storage device that has been attached to a computer: the USBSTOR and related registry keys, together with the setupapi.dev.log file, hold the manufacturer, product and serial number, the date and time the device was first installed, the user account that plugged it in, and timestamps for the last time the device was connected. When combined with other forensic techniques, such as MRU and link-file analysis, USB Discovery can prove that data was copied to a USB device.
  • Wireless Network Discovery makes use of the fact that Windows keeps a profile of every WiFi network a computer has connected to (the SSID, first and last connection times and the gateway's MAC address) and, in rare cases, logs networks the computer only came within range of. Looking these networks up in a wireless geolocation database can indicate locations the computer has been taken to, including unauthorized ones.
  • Mobile Device Backups, which are copies of a phone or tablet stored on the computer (iTunes backups, for example), can be recovered and examined with digital forensics tools; an encrypted backup is first opened by recovering its backup password.
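As an added example (not the page's own code or tooling), the Python below parses the install records in setupapi.dev.log that the USB Discovery step relies on. It pulls the manufacturer, product, revision, serial number and first-install timestamp out of each "Device Install" section for a USBSTOR device, and it flags the one caveat every examiner should know: when the second character of the serial field is "&", the device reported no serial number and Windows generated an ID, so that value cannot identify a particular physical stick. The log text is constructed for the example; the field layout is the real one, but no real case data is used.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in setupapi.dev.log layout (not a real log). Each device
# install is a section opened by ">>>  [Device Install ... - <instance id>]"
# followed by ">>>  Section start <timestamp>". The second device carries a
# Windows-generated instance ID (second character "&") instead of a serial.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230101234567&0]
>>>  Section start 2021/03/15 10:22:31.123
      cmd: C:\\Windows\\System32\\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 10:22:31.140
<<<  Section end 2021/03/15 10:22:33.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\6&2a1b3c4d&0&_&0]
>>>  Section start 2021/04/02 08:05:10.001
<<<  Section end 2021/04/02 08:05:12.222
<<<  [Exit status: SUCCESS]
>>>  [Setup Import Driver Package - C:\\Windows\\INF\\usb.inf]
>>>  Section start 2021/01/01 00:00:00.000
<<<  Section end 2021/01/01 00:00:01.000
"""

# Only hardware-initiated installs of USBSTOR devices are of interest here;
# driver package imports and other section types are skipped.
SECTION_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


@dataclass
class UsbInstall:
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_generated: bool  # True when Windows made up the ID (no real serial)
    first_install: datetime    # when the driver was first installed for this device


def _from_instance_id(instance_id: str, ts: datetime) -> UsbInstall:
    # USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
    _, device_desc, serial_part = instance_id.split("\\", 2)
    fields = dict(f.split("_", 1) for f in device_desc.split("&")[1:] if "_" in f)
    generated = len(serial_part) > 1 and serial_part[1] == "&"
    # A real serial carries a trailing "&<n>" interface index; a generated ID
    # is kept whole because no part of it identifies the physical device.
    serial = serial_part if generated else re.sub(r"&\d+$", "", serial_part)
    return UsbInstall(
        vendor=fields.get("Ven", ""),
        product=fields.get("Prod", ""),
        revision=fields.get("Rev", ""),
        serial=serial,
        serial_is_generated=generated,
        first_install=ts,
    )


def parse_setupapi(text: str) -> List[UsbInstall]:
    """Return every USBSTOR install section found in setupapi.dev.log text."""
    installs: List[UsbInstall] = []
    pending: Optional[str] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            installs.append(_from_instance_id(pending, ts))
            pending = None
    return installs


def earliest_by_serial(installs: List[UsbInstall]) -> Dict[str, UsbInstall]:
    """Collapse repeat installs so each serial maps to its first-ever install."""
    first: Dict[str, UsbInstall] = {}
    for item in installs:
        if item.serial not in first or item.first_install < first[item.serial].first_install:
            first[item.serial] = item
    return first


if __name__ == "__main__":
    for dev in earliest_by_serial(parse_setupapi(SAMPLE_LOG)).values():
        note = " (generated ID, no real serial)" if dev.serial_is_generated else ""
        print(f"{dev.first_install:%Y-%m-%d %H:%M:%S}  {dev.vendor} {dev.product} "
              f"rev {dev.revision}  serial {dev.serial}{note}")
```

The first-install timestamp from setupapi.dev.log is only the first time the device was seen; later connections do not rewrite it, so last-used times must come from the registry (the USBSTOR key's last-write times and the per-user MountPoints2 key), which this example does not read.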