Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Windows Forensics Cookbook

You're reading from   Windows Forensics Cookbook Over 60 practical recipes to acquire memory data and analyze systems with the latest Windows forensic tools

Arrow left icon
Product type Paperback
Published in Aug 2017
Publisher
ISBN-13 9781784390495
Length 274 pages
Edition 1st Edition
Concepts
Arrow right icon
Authors (2):
Arrow left icon
Oleg Skulkin Oleg Skulkin
Author Profile Icon Oleg Skulkin
Oleg Skulkin
Scar de Courcier Scar de Courcier
Author Profile Icon Scar de Courcier
Scar de Courcier
Arrow right icon
View More author details
Toc

Table of Contents (13) Chapters Close

Preface 1. Digital Forensics and Evidence Acquisition FREE CHAPTER 2. Windows Memory Acquisition and Analysis 3. Windows Drive Acquisition 4. Windows File System Analysis 5. Windows Shadow Copies Analysis 6. Windows Registry Analysis 7. Main Windows Operating System Artifacts 8. Web Browser Forensics 9. Email and Instant Messaging Forensics 10. Windows 10 Forensics 11. Data Visualization 12. Troubleshooting in Windows Forensic Analysis

Identifying evidence sources

As any digital forensic investigator will know, one of the main challenges posed by almost any case is the sheer amount of data and number of sources available to be worked through. A useful skill to have is the ability to look through the sources of evidence involved with a case and make a value judgement as to which will probably be the most useful.

From the beginning of the case, this can take the form of ascertaining which physical items to remove from a crime scene—computers and mobile phones are almost always seized, but what about USB sticks, smart televisions, and satellite navigation systems? How do you even get a WiFi connected refrigerator into a Faraday bag?

Jokes aside, once an investigator has identified the items from which they are going to attempt to extract evidence, the next hurdle is to work out which bits of evidence will be the most relevant, and where those can be found.

In Windows systems, there are several elements that will prove to be useful across many different types of investigations. While some will vary from case to case—looking for evidence of intellectual property theft or financial fraud will differ hugely from the sources you'd be locating in a child protection investigation, for instance on the whole, the following sources of evidence can generally provide useful information from which you can then extrapolate further.

In older Windows versions (around the time of XP and 2000), there were fewer programs to deal with, and therefore fewer sources of potential evidence, but there was also less room for confusion. XP was when Windows began to support the NT filesystem, which gave a boost to the previous FAT setup and allowed for more in—depth analysis of the system.

Prefetch files were introduced in XP, and swiftly became one of the most pertinent sources of evidence, which is still the case today. The aim from a user experience perspective was essentially to speed things up. Prefetch files take note of which programs are used most frequently and make sure that those programs are pre-loaded into the memory, so that when a user boots up a machine and then tries to access one of the programs, it will load more quickly. From a forensic point of view, this means that prefetch files provide a wealth of information regarding a user's general computer habits—which programs they use most often, and to some extent, how they are being used. Prefetch files are stored in the %SystemRoot%Prefetch directory and will be discussed in more depth in Chapter 7, Main Windows System Artifacts.

Subsequent Windows updates introduced increasingly complex elements, one of the most pertinent of which is BitLocker.

BitLocker provides full volume encryption and also includes a version for portable devices, called BitLocker To Go. Provided that the password is known, decryption of BitLocker information is relatively straightforward and can be performed using a range of forensic software, some of which will be detailed later in this book. The simplest way to ascertain whether a volume has been encrypted using BitLocker is to look for -FVE-FS- in the volume header. Once this has been determined and the password has been found or recovered, tools such as FTK or EnCase can be used to decrypt the information.

Around the same time BitLocker was introduced, with the release of Windows Vista, the way in which user accounts are structured within Windows also changed. This is mainly noticeable from the perspective of the user themselves, in that the main change is that many system-wide modifications that could previously be made by any user can now only be made by an administrator. This can also be an important point forensically, particularly in cases where a computer has multiple users, only one of whom has access to the administrative password.

Internet Explorer and its successor, Microsoft Edge, have been overhauled repeatedly throughout the years. We will take a much closer look at Edge later on in this book, however, for the moment, it is possible to say that there is a wealth of information to be found within internet browsers. Arguably one of the most important elements within Internet Explorer is the cache, which contains information regarding the pages a user has visited and any content that has been downloaded.

Private browsing is one of the most commonly misconceived options by the end users of Windows systems: while this may prevent other people in the household from uncovering a users secret internet habits, it is of course still open to forensic investigation.

Increasingly, we are seeing users becoming more aware of the level of information that can be gleaned using digital forensic methods, and in recent years, privacy options within operating systems, applications, and programs have become a growing concern for many computer users. This has led to a gradual yet steady rise in the installation and usage of alternative software such as the Tor browser, which purports to be able to prevent others from uncovering the true location of the end user. However, even these methods are not impervious to forensic investigation, as demonstrated at the Digital Forensics Research Workshop 2015 by Epifani et al.

Any attempt at obfuscation or extensive deletion of data should spark a level of suspicion in the mind of an investigator; anti-forensic methods are becoming more and more widespread, but so in turn are the methods forensic analysts can use to uncover the elements users were trying to hide.

You have been reading a chapter from
Windows Forensics Cookbook
Published in: Aug 2017
Publisher:
ISBN-13: 9781784390495
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime