Windows Artifacts Forensics

Artifacts. Sounds like what? Let us leave that thought for a moment. Why are artifacts important?

* 91.8% of traffic comes from computers running Windows as their operating system.

* As an examiner or a practitioner, you will most likely encounter a system that runs Windows.

Technically speaking, artifacts are the mines an examiner can dig for data. In one workshop or another, you must have encountered something called the Windows Registry. It is the single most valuable source of forensic artifacts for any analyst: it keeps track of user activity as well as installed applications, and that is all an examiner needs to begin with. Knowing binary logic matters because registry values are stored as binary data, and the evidence comes from interpreting that data correctly.

Press the Windows key + R to open the Run dialog box,

type regedit, and you are in.

We could suggest you use one of the many open-source tools available, but will they ever make you a real forensics examiner? To get to the real thing, it is important to learn the basics by doing things the real way.

To illustrate, we will go through one registry key (OpenSavePidlMRU) to understand the process.

1. Go to the Windows Registry.

2. Navigate to HKEY_CURRENT_USER > Software > Microsoft > Windows > Explorer > ComDlg32 > OpenSavePidlMRU

3. Click on the type of file you want to check; on the left you have the entries you can open to check the open/save history.

4. In similar fashion, you can check other artifacts, depending on your analytic skills.

Going through applications was one thing; now you can go through USB devices.

1. Go to the Windows Registry.

2. Navigate to HKEY_LOCAL_MACHINE > SYSTEM > ControlSet001 > Enum > USBSTOR.

3. Here is the list of devices that have ever been connected.

4. If you need it, you can use the popular USBDeview, which presents the same data in a more organized form.

5. Once you learn about all the artifacts, you should go on to learn how to read them.

The device IDs for USB mass storage devices in Usbstor.inf take the usual form for USB device IDs, composed from information in the USB device's device descriptor:

USB\VID_v(4)&PID_d(4)&REV_r(4)

Where:

v(4) is the 4-digit vendor code that the USB committee assigns to the vendor.

d(4) is the 4-digit product code that the vendor assigns to the device.

r(4) is the revision code.
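As an added example (not part of the original post), here is a small Python parser for the device ID form just described, extended to the USBSTOR instance paths found under the Enum > USBSTOR key, which carry vendor, product and revision strings plus the device serial. The key names in SAMPLE_KEYS are constructed for illustration, not taken from a real system.

```python
import re
from typing import Optional

# Hardware ID form described above: USB\VID_xxxx&PID_xxxx&REV_xxxx (REV may be absent)
USB_ID_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})"
    r"(?:&REV_(?P<rev>[0-9A-Fa-f]{4}))?$"
)
# USBSTOR device-instance path: USBSTOR\Disk&Ven_X&Prod_Y&Rev_Z\<instance id>
USBSTOR_RE = re.compile(
    r"^USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<inst>[^\\]+)$"
)

def parse_usb_id(entry: str) -> Optional[dict]:
    """Parse one registry key name into its fields; return None if it is malformed."""
    m = USB_ID_RE.match(entry)
    if m:
        return {"kind": "usb", "vendor": m["vid"].upper(), "product": m["pid"].upper(),
                "revision": (m["rev"] or "").upper()}
    m = USBSTOR_RE.match(entry)
    if m:
        inst = m["inst"]
        # The instance ID is the device serial number. When the device reports no
        # serial, Windows generates an ID whose second character is '&', so the
        # value cannot be used to identify the physical device.
        has_serial = len(inst) < 2 or inst[1] != "&"
        serial = inst.rsplit("&", 1)[0] if has_serial else None
        return {"kind": "usbstor", "type": m["type"], "vendor": m["ven"],
                "product": m["prod"], "revision": m["rev"],
                "serial": serial, "generated_id": not has_serial}
    return None

# Constructed sample key names, as they would appear under Enum\USB and Enum\USBSTOR
SAMPLE_KEYS = [
    r"USB\VID_0781&PID_5567&REV_0100",
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0&_&0",
    r"USB\VID_ZZZZ&PID_0001",   # malformed: vendor code is not hexadecimal
]

def parse_all(entries):
    """Parse every entry, silently skipping key names that do not match either form."""
    return [r for r in (parse_usb_id(e) for e in entries) if r is not None]

if __name__ == "__main__":
    for rec in parse_all(SAMPLE_KEYS):
        print(rec)
```

Rows whose generated_id is True tell you only that some device of that vendor/product was attached, not which physical unit.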

Then we can go over to the SQLite files in the User > AppData folders and browse those databases for more information.

These are all the artifacts you need to know to go one step ahead.