You're reading from Windows Forensics Cookbook

Product type: Book
Published in: Aug 2017
ISBN-13: 9781784390495
Edition: 1st Edition
Authors (2):
Scar de Courcier
Scar de Courcier is Senior Editor at digital forensics website Forensic Focus. She also works as an independent consultant on online and offline child protection projects. In her spare time, she enjoys swimming, pretending she lives on the USS Voyager, and hanging out with her cat.
Oleg Skulkin
Oleg Skulkin is the Head of Digital Forensics and Malware Analysis Laboratory at Group-IB. Oleg has worked in the fields of digital forensics, incident response, and cyber threat intelligence and research for over a decade, fueling his passion for uncovering new techniques used by hidden adversaries. Oleg has authored and co-authored multiple blog posts, papers, and books on related topics and holds GCFA and GCTI certifications.

Challenges of acquiring digital evidence from Windows systems

One of the challenges of investigating Windows machines is the way that NTFS is set up. It can be difficult to work out whether what you're looking at is a general property of the file system or a property that is specific to an application. The further along you are in your investigative career, the more adept you will become at making such distinctions; nevertheless, it is worth bearing in mind, particularly for early-career investigators.

Beyond the basic filesystem challenges, the constant updating of Windows systems brings further obstacles to digital forensic investigations. What worked on a machine running Windows 7 may not work on one running Windows 8.1, and Windows 10 is a minefield of new and intriguing forensic elements (not to mention the increased privacy concerns it has raised, leading to a rise in the number of users implementing their own data obfuscation and personal privacy measures). And heaven forbid you end up with a machine so old that modern forensic software has forgotten how to analyze it!

The way Windows 10 runs is of particular interest to forensic examiners, not just because it is being forcibly rolled out to users everywhere, but also because the structure of how things are organised has changed significantly. We will look at this in more detail towards the end of this book, where a full chapter will be devoted to the forensic analysis of machines running Windows 10, but broadly speaking, the difference from a forensic perspective comes from the fact that applications and programs don't just have different names; they work in a slightly different way. End users are increasingly looking for more lightweight, quick to run devices that make their work and personal lives easier, which means that, in turn, technology companies such as Microsoft are turning to collaborations with other entities and making the personal computer less of a single, standalone piece of equipment and more of a portal to data stored elsewhere. It is quite possible to seize a device where the documents are stored on Google Drive; voice and video call communications on Skype; Instagram is an application accessed on the PC rather than - or as well as - on a smartphone; Facebook isn't a website visited via an internet browser but an application in its own right.

Notwithstanding the legal challenges concerning international cloud data storage that we have already discussed, having such a wealth of separate applications to analyze makes cases much more complex. The fact that users can also add or create their own programs makes for an increasingly complex and often labyrinthine investigative methodology.

For this reason, it is becoming more and more necessary to narrow down an investigation as quickly as possible, working out which kinds of applications and services a user may require to perform the activity for which they are being investigated. Again, this is not always easy to do; we can but try!

Triage, international collaboration, and the technical understanding of investigators are all of paramount importance to digital forensic investigations, now more than ever before. In the Windows Forensics Cookbook, we hope to give you a base upon which you can build your own investigative techniques.
