Class: CYBR-405

Notes:

Analysis of Artifacts

Analysis of System Artifacts: Overview

Forensic software tools can identify and parse critical artifacts from various operating systems. It is important for the examiner to be familiar with how the software tools are capable of parsing a given artifact. The examiner should be able to manually perform the analysis and parsing of the artifact rather than simply rely on the tool.

In this module, we will discuss techniques for analyzing important artifacts found on digital evidence.

Artifact: A piece of evidence, such as text or a reference to a resource, that is submitted to support a response to a question.

Analysis of the Windows Registry

The registry for Windows operating systems contains information, settings, options, and other values for programs and hardware installed on the system.

It provides a vast amount of information if it can be located and properly interpreted.

Registry files can be important to forensic examiners because they represent snapshots of the computer's status at a particular point in time, and what actions occurred on the machine by a given user.

While versions of the Windows registry differ, they are all essentially composed of a configuration database.

Suppose a suspect created a restore point, installed hacking software on his computer, and hacked into a remote computer. He might afterward restore his computer to a previous state. The evidence of the installation of the hacking software wouldn't be found in the currently mounted registry.

However, the evidence of the installation would be present in the registry within a specific restore point because the system restore service created another restore point which captured a current snapshot of the system. This restore point would contain the registry information that existed when the suspect hacked into the remote computer.

Tools for Analyzing the Windows Registry

Forensics analysis of the Windows registry is built into various software programs such as Encase and FTK. These software tools combine each of these steps and produce a final report based upon the investigative findings. More information about the analysis of the Windows registry can be found at the following links:

• Windows Registry (Wiki)
• Windows Forensic Analysis Poster (SANS)
• How to Analyze USB Device History in Windows (Magnet Forensics)

If you are interested in exploring the structure of the Windows registry in more depth, a free online practice lab is available at Windows Registry Forensics.

• Windows Registry Forensics

Analysis of the Windows Event Logs

Windows event logs can assist in the examination involving computer and network attacks from both internal and external actors.

Monitoring the event log data is one way to detect anomalies on a network, including data breaches and tracking network intruders.

Microsoft Windows operating systems generate a variety of event logs. These event logs contain information such as failed logons, failed attempts to access secure files, and tampering with security logs.

c:\WINOWS\system32\Winevt\Logs\

???.EVTX

Event log entries usually include the following information:

• Date and time of event being recorded
• IPs and names of involved systems
• User account
• Event ID
• Description of the event

Security Log

The most important Windows event log for digital forensic analysis is the Security log which contains records of login/logout activity and other security-related events specified by the system's audit policy.
Examples of security events related to user logon and logoffs include the following event IDs:

• Logon - 4624
• Logoff - 4647

A useful source for searching for a specific Windows event ID with detailed explanations: Windwos Security Log Events

Recovery and Analysis of Volume Shadows

Windows Volume Shadows, also known as Volume Shadow Copy Service (VSS) or Volume Snapshot Service, is a Windows service that allows taking manual or automatic backup copies (snapshots) of computer files or entire disk volumes.

The forensic analysis of the volume shadows can be a potential source of evidence as data can be identified that has been created, deleted, changed, moved, or renamed on the evidence.

Volume Shadow Copies are snapshots of the system so examiners can track changes to a user's registry (NTUSER.dat) or to files and databases associated with applications on the system (for example databases in "Peer To Peer" file sharing cases), or recover deleted Windows event logs for analysis in computer intrusion or malware investigations.

The built-in vss.exe command can be used to view and manage the Volume Shadows on a live system. The difficulty is that the Volume Shadow Service has always been required to restore or examine any volume shadow copy that was stored on a given disk volume. This required examiners to mount the volume in their desired forensic tool and then use the Volume Shadow Service (vss admin) to retrieve the needed backup.

File Carving

When a file is deleted, it still remains on the disk until over-written by the file system. A deleted file (once emptied from the Recycle Bin) is said to be in unallocated space on the file system.

File carving is the process of reassembling computer files from fragments without file system metadata. The carving process makes use of knowledge of common file structures, information contained in files, and heuristics regarding how file systems fragment data. Fusing these three sources of information, a file carving system infers which fragments belong together. Most forensic tool suites feature automated file carving features.

Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries.

File Carving Example: JPEG

A relatively simple filetype to carve for is a JPEG image file. For this type of picture file, the file header is 0xFFD8FFE00010, featuring the text characters commonly referred to as "yoya JFIF," and the file footer is 0xFFD9. To carve for a deleted JPEG image file in unallocated space, mount the disk or disk image in a tool such as FTK Imager, select Hex view, then search for the beginning of the file header (FFD8FFE00010), then search for the file footer (FFD9), then copy the data out to a file saved with a .JPG file extension. This image shows the file header for a JPEG file.

Prefetch and LNK Files

Prefetch Files

Windows creates prefetch files every time an application is run from a particular location for the first time. This speeds up the loading of applications. Windows prefetch files feature a .PF file extension and are hidden by default. These files are stored at the following location:

C:\Windows\Prefetch

This directory may contain several hundred prefetch files (featuring .pf file extension) associated with applications executed on the system. This information includes:

• Number of times each application has been executed
• Instructions/variables
• Times the applications were last launched

This is a potential source of valuable evidence for a digital forensic examiner.

Prefetching
Process of loading information from the hard drive into memory prior to needing it.

Prefetch File Metadata

The prefetch file contains the file's metadata, which includes:

• File name
• File location
• Timestamps (when file was created, last accessed and file modified)
• Number of times the file was executed

These artifacts (pieces of evidence) found within prefetch files might answer the "what" and "where" an incident occurred, as well as "when" a particular activity occurred.

Prefetch Files and Time Stamping

Prefetch files can also reveal whether file time stamping may have occurred. When hackers compromise a system and alter the timestamps of a tool or an application, they may be unaware of information that can be captured in a prefetch file. If a computer contains a tool to perform time stamp manipulation, just the mere existence of this tool reveals nefarious activity.

Any file configured to automatically "autostart" does not register a prefetch file when it is created. If a prefetch file is deleted from the prefetch folder, both the timestamps and the number of times executed will reset.

Viewing Prefetch Files

To view the contents of prefetch files, the examiner must employ special software tools capable of parsing them. Examples include the following software tools:

• Windows File Analyzer
• WinPrefetchView
• Prefetch Parser
• Windows Prefetch Parser

Analysis of Recent (Link) Files

Recent or LNK files are shortcut files that link to an application or file and feature a .LNK or .Ink file extension. LNK files are generated by the user (as a shortcut to a document placed on the user's Desktop, for example), or automatically created by the Windows operating system.
Windows LNK files are generated when a user opens a local or remote file, giving the forensic examiner valuable information on what files and folders were accessed by a given user. LNK files may also be present showing access to files that may have been deleted or stored on external media or a network share.

Automatically generated LNK files containing the most relevant forensic evidence are created by Windows and Microsoft Office (associated with Microsoft Office files).

Windows LNK files have .Ink file extension and are stored at:

C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent

Microsoft Office LNK files have a .LNK file extension and are stored at:

C:\Users\<user>\AppData\Roaming\Microsoft\Office\Recent

Evidentiary Value of Recent (Link) Files

Windows LNK files will feature a .Ink file extension and Office link files will feature a .LNK extension (with upper case letters).

When Office documents are linked to both Windows and Office, LNK files will be generated for the same file activity.

The name of the LNK file will be the same as the source or target file and will include the original file extension of the target file, followed by the .Ink or .LNK file extension.

Evidentiary Value of Recent (Link) Files
LNK files typically contain the following items of evidentiary value:

• The original path of the target, or linked file.
• MAC times of the target file; not only will a LNK file contain timestamps for the LNK file itself, it will also contain file times for the linked file within its metadata as well.
• Information about the volume and system where the LNK file is stored (volume name, serial number, NetBIOS name, and MAC address of the host where the linked file is stored).
• Network details if the file was stored on a network share or remote computer.
• File size of the linked file (bytes).
• Microsoft Office LNK files will contain the user's security identifier (SID) that caused the LNK file to be created.

MAC Times
A form of metadata that records when files were modified, accessed, and created.

Software Tools For Parsing (Link) Files

Special forensic software tools for parsing the content of the LNK files include the following:

• AXIOM
• Windows LNK Parsing Utility
• LECmd

The image shows an example of the Windows LNK files.

Web, Email, and Chat Artifacts

EXIF Image File Metadata

Exchangeable Image File Format (EXIF) Image file metadata refers to data that provides information about the image. EXIF is a standard that specifies the formats for images, sound, and associated metadata tags applied by digital cameras, smartphones, scanners, and other devices that generate digital image files.

EXIF data can provide a treasure trove of information to investigators, including:

• Camera model
• Camera serial number
• Exposure setting
• Date and time picture was taken
• GPS coordinates
• GPS version ID
• Latitude and longitude
• Altitude
• GPS timestamp
• Image description
• Software used
• Author

Investigators can find images particularly useful for documenting evidence of a crime. EXIF data can also be easily viewed on Windows systems by right clicking on the image, selecting Properties then selecting the Details tab.

Analysis of Web Browser Artifacts

Web browsers generate significant artifacts that record user's online activity as well as local file access. This information can be a valuable source of evidence that can be used to show the following activity by a specific user account:

• Full url of webpages visited
• How many times the page was visited
• Title of the web page visited
• How the user accessed the web page (typed, linked, clicking a bookmark)
• Search terms used
• Files downloaded
• Files accessed on the local computer, attached devices or network shares
• Dates and times of the above activity

Locating Web Browser Artifacts on Windows Systems

The relevant data generated by web browsers are stored in database files as well as cached files stored in the Temporary Internet Files folder (on Windows systems).

Microsoft Edge and Internet Explorer

Microsoft Edge and Internet Explorer store history information in an Extensible Storage Engine (ESE) database format in the file WebCacheV01.dat. The Nirsoft forensic software tool ESEDatabaseView can be used for retrieving the content of the WebCacheV01.dat file stored at the following location:

C:\Users\<user>\AppData\Local\Microsoft\Windows\WebCache

Google Chrome

Google Chrome stores history information in an SQLite database in the History file. The software tool DB Browser for SQLite can be used to view the contents of this database that is stored at the following location:

C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\

Mozilla Firefox

Mozilla Firefox stores history information in an SQLite database in the places.sqlite file. The software tool DB Browser for SQLite can be used to view the contents of this database that is stored at the following location:

C:\Users\<user>\AppData\lRoaming\Mozilla\Firefox\Profiles\%PROFILE\%.default\

Private Browsing

Private browsing is a feature available in all popular web browsers such as:

• Microsoft Edge and Internet Explorer offer InPrivate Browsing
• Chrome uses Incognito Mode
• Firefox uses Private Browsing

Information such as cookies and temporary files are stored temporarily so webpages will work correctly. Data is deleted once the browsing session has ended. Since various browsers offer different levels of privacy, several browsers may leave certain artifacts from private browsing sessions.

Email Artifacts

Email can be stored locally on a computer's hard drive, on a web-based email system (such as Gmail or Yahoo!, for example), on the email service provider's message servers or, in the case of Enterprise email systems, on an Exchange database server located within the organization's network.

If the email is stored on a hard drive, the email is stored in a database file. When the email is deleted from the hard drive, it is possible to recover the email using forensic tools such as Paraben's E-mail Examiner and MailXaminer.

Email Artifacts: Web-based Email

For web-based email systems, recovering deleted emails may be more challenging. Depending on the user's settings, browsers may or may not store email content in the cache. If the information is cached, forensic investigators may be able to access it. Modern browsers are configured to not cache secure http (https) pages. Email fragments may be recoverable using certain software forensic tools such as Magnet Forensics AXIOM .

Chat Artifacts
Social media platforms provide easy ways for criminals to carry out illegal activities such as sex trading, pedophilia, drugs, and even recruitment into terrorist groups. An examiner should be aware that it is common for a suspect or victim to have many online social media accounts. In addition to sending files back and forth, these social media platforms allow for live chatting with friends. Capturing these chat artifacts is often critical evidence in a case.

In addition to the chat application database files stored on the computer or mobile device, locations that may contain evidence of chat communications include the following:

• Volatile memory (RAM)
• Browser cache
• Unallocated space
• Pagefiles

Facebook

Users can use Facebook on both mobile platforms as well as through the Facebook application installed on a Windows system. For Windows 10, the database files for the Facebook application are stored at:

C:\Users\<user>\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalStatel\<FACEBOOK ID>\DB

There are several SQLite database files that may be viewed using an SQLite browser:

• Analytics.sqlite
• FriendRequests.sqlite
• Friends.sqlite
• Notifications.sqlite
• Stories.sqlite
• Messages.sqlite

Recycle Bin, Printer, and VHD Files

Recycle Bin Artifacts

The Windows Recycle Bin is where a user sends a file and folders when they are deleted from the computer. However, just because the user sent the file or folder to the Recycle Bin does not mean they have been deleted.

For Windows systems, the Recycle Bin contains files that have been deleted by the user, but not yet flushed from the allocated file system. Therefore, the Recycle Bin may be a valuable source of evidence for an examiner.

Recycle Bin evidence is stored in two methods - depending on the Windows version.

Vista and Above

In Windows Vista and above, including Windows 10 and Windows 11 , the deleted files are moved to a folder named $Recycle.Bin containing a folder named with the user's SID. Windows no longer uses the INFO2 file. When a file is deleted, two files are created in the $\mathrm{\$}$ Recycle.Bin. The deleted file is renamed with $\mathrm{\$}$ R followed by random alphanumeric characters. The $\mathrm{\$}\mathrm{R}$ file contains the actual contents of the deleted file. The second file begins with $\mathrm{\$}1$ followed with the same alphanumeric characters as the $R file and contains the metadata for the deleted file: original filename, path, file size, and the date/time deleted.

XP

Windows XP stores deleted files in the "Recycler" folder under the user's Security Identifier (SID). An INFO2 file, contains an index of all the files that have been moved to the Recycler. The INFO2 file contains metadata about the recycled files: original path, file size, and the date/time of deletion by the user.

Printer Cache Files

Software running on Windows systems can be set to send data to a printer in either RAW or Enhanced Metafile Formats (EMF). In both of these formats, the result is the creation of a shadow file in the C:Windows\System32\spool\PRINTERS folder.

A RAW format is a straight graphic dump of the print job. In EMF mode, the pages to be printed are converted to separate EMF streams embedded within a file. Both the shadow (.SHD) and the spool (.SPL) files can contain printer information useful during a forensic examination.

Shadow (.SHD)

The shadow file (created when the job was sent to the printer) may contain information about the name of the printer, computer name, user account that created the print job, and files accessed to enable printing. The printer cache files may also contain the print processor selected, the application used to print the files, as well as the name of the files. The spool file contains the actual data to be printed.

Spool (.SPL)

The spool file contains the actual print job graphical data in RAW or EMF format. These files are rarely found in allocated space on the file system as they are deleted once the print job has been completed. They may be found in unallocated space, paging files and hibernation files through file carving for the unique file headers.

Virtual Hard Disk (VHD)

Someone trying to hide evidence of criminal behavior may use a Virtual Hard Disk (VHD) to store data. A VHD Disk image file format is for storing the complete contents of a hard drive. The disk image, replicates an existing hard drive and includes all data and structural elements. It can be stored anywhere the physical host can access.

A VHD is created through the Disk Management utility in Windows. There are two Virtual Hard Disk formats, VHD and VHDX.

A VHD has a capacity of up to 2040 GB and a VHDX can support 64 TB but is limited to Windows 8.x and later.

Hiding a VHD

A user wanting to hide incriminating files could create a virtual drive, mount it, place the data in it while it is mounted, and once unmounted, change the name of the VHD file's extension from VHD to some other extension. The user could also hide the VHD deep within the file system of the computer or move the VHD to an external USB drive. Once the VHD is unmounted, the VHD file can be copied and opened on any other Windows system. Data may be recoverable through file carving and keyword searches in an unprotected VHD file. A VHD can also be encrypted with BitLocker making it difficult to retrieve the contents without the recovery key.

The image provided to the right shows how a VHD will appear as a file with a VHD (or VHDX) file extension. A VHD may be mounted as a drive and assigned a letter. The user can disable the VHD from being mounted, resulting in no drive letter being assigned to the VHD, making it essentially a hidden storage repository.

Discovering a VHD

An examination of the Windows Registry may reveal evidence of the use of VHDs. The user's NTUSER.dat file RecentDocs, ComDlg32 and Most Recently Used (MRU) entries may show access to a VHD. Windows LNK files may also contain valuable information regarding VHDs on a Windows system.

The LNK file will include the Volume label and Volume serial number of the Disk Volume where the file or folder was stored. This information can be compared to those contained on the VHD itself.

The VHD file would need to be examined in a tool such as FTK Imager that will report the Volume label and Volume serial number for comparison to the information provided in the LNK file.

Windows Event Logs and VHD

Windows event logs typically log access to VHD files in the Windows Operational log (C:\System32\Winevt\Logs\VMicrosoft-Windows-VHDMP-Operational.evtx). An Event ID 1 indicates a VHD was 'surfaced' (mounted) and Event ID 2 showing a VHD was 'unsurfaced' (dismounted). The event log will include the VHD file path, name, and date/time of event. The image shows the surfacing of a VHD, Event ID 1.