
Event ID for 'Hide Folders'

8 Posts
6 Users
0 Likes
2,127 Views
sjw64
(@sjw64)
Posts: 3
New Member
Topic starter
 

Hi

I have a case where most of the evidence is in folders that have been set to 'hidden'.

Does anyone know if there is an Event ID or even a registry key that will show when this was set?

OS is Windows 8

Thanks

 
Posted : 07/06/2017 2:25 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

I'm 99.99% sure file system attributes never touch registry.

Anything closely related to FS events is usually never logged by anything, more so when it comes to FS meta like attributes. MS have some built-in FS object event logging (turned off by default), but it is horrible, generates a tonne of data that is useless and non-specific, and was probably written by an alien from Alpha Centauri.

Haven't heard if any forensics suites can dig this up from somewhere deep within the MFT or somesuch, but if anyone knows, please let us know in this thread.

 
Posted : 07/06/2017 3:16 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

I think you would get an entry in the USNjrnl for attribute change. Not sure if you can use this to determine what the change was (i.e. to hidden rather than say read only).

 
Posted : 07/06/2017 6:07 pm
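To show what the USN journal angle looks like in practice, here is an added example (written for this thread, not code from any of the posters): a small Python parser for USN_RECORD_V2 entries from $UsnJrnl:$J that flags the point at which the HIDDEN attribute first appears on a directory. A record's FileAttributes field holds the attributes after the change, not a before/after diff, so the "what changed" question is answered by comparing each record with the previous record for the same file reference number; a read-only change on the same reason flag (USN_REASON_BASIC_INFO_CHANGE) is therefore told apart from a hidden change. The journal bytes, file reference numbers, names and timestamps below are constructed test data; extracting $J from an image is assumed to have been done already.

```python
import struct
from datetime import datetime, timedelta, timezone

# Flag values as defined in the Windows SDK headers (winioctl.h / winnt.h).
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_BASIC_INFO_CHANGE = 0x00008000   # attributes or timestamps changed
USN_REASON_CLOSE = 0x80000000
FILE_ATTRIBUTE_READONLY = 0x00000001
FILE_ATTRIBUTE_HIDDEN = 0x00000002
FILE_ATTRIBUTE_DIRECTORY = 0x00000010

# Fixed 60-byte part of USN_RECORD_V2 (little-endian): RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset; the UTF-16LE name follows at FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_usn_v2(blob):
    """Yield one dict per USN_RECORD_V2 found in blob (raw $UsnJrnl:$J bytes)."""
    off = 0
    while off + _HDR.size <= len(blob):
        fields = _HDR.unpack_from(blob, off)
        rec_len, major = fields[0], fields[1]
        if rec_len == 0:
            # $J is a sparse file: long zero runs precede the first live record.
            off += 8
            continue
        if major != 2 or rec_len < _HDR.size or off + rec_len > len(blob):
            raise ValueError("unsupported or truncated record at offset %d" % off)
        name_len, name_off = fields[11], fields[12]
        name = blob[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"frn": fields[3], "parent_frn": fields[4], "usn": fields[5],
               "timestamp": filetime_to_dt(fields[6]), "reason": fields[7],
               "attrs": fields[10], "name": name}
        off += rec_len


def hidden_set_events(records):
    """Return (timestamp, name, prior_state_known) for every record in which
    HIDDEN is present on a BASIC_INFO_CHANGE and the last known attributes of
    that file reference did not include HIDDEN. prior_state_known is False when
    the file's first surviving record already shows HIDDEN (journal may have
    wrapped), so that hit is a lower bound on when the attribute was set."""
    last_attrs = {}
    hits = []
    for r in records:
        prev = last_attrs.get(r["frn"])
        if (r["reason"] & USN_REASON_BASIC_INFO_CHANGE
                and r["attrs"] & FILE_ATTRIBUTE_HIDDEN
                and (prev is None or not prev & FILE_ATTRIBUTE_HIDDEN)):
            hits.append((r["timestamp"], r["name"], prev is not None))
        last_attrs[r["frn"]] = r["attrs"]
    return hits


def _record(frn, parent, usn, when, reason, attrs, name):
    """Build one USN_RECORD_V2 (constructed test data, not a captured journal)."""
    name_b = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(name_b) + 7) & ~7          # records are 8-byte aligned
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent, usn, dt_to_filetime(when),
                    reason, 0, 0, attrs, len(name_b), _HDR.size)
    return hdr + name_b + b"\x00" * (rec_len - len(hdr) - len(name_b))


def _t(hour, minute):
    return datetime(2017, 6, 5, hour, minute, tzinfo=timezone.utc)


# Constructed sample: a folder "Secret" is created, then marked hidden; a file
# "notes.txt" gets a read-only change on the same reason flag (must not match).
DIR_FRN, FILE_FRN, ROOT_FRN = 0x1000000000123, 0x2000000000456, 0x1000000000005
SAMPLE_JOURNAL = (
    b"\x00" * 16                                                    # sparse prefix
    + _record(DIR_FRN, ROOT_FRN, 0x100, _t(14, 0),
              USN_REASON_FILE_CREATE | USN_REASON_CLOSE, FILE_ATTRIBUTE_DIRECTORY, "Secret")
    + _record(DIR_FRN, ROOT_FRN, 0x148, _t(14, 5),
              USN_REASON_BASIC_INFO_CHANGE, FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN, "Secret")
    + _record(DIR_FRN, ROOT_FRN, 0x190, _t(14, 5),
              USN_REASON_BASIC_INFO_CHANGE | USN_REASON_CLOSE, FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN, "Secret")
    + _record(FILE_FRN, ROOT_FRN, 0x1d8, _t(15, 30),
              USN_REASON_BASIC_INFO_CHANGE | USN_REASON_CLOSE, FILE_ATTRIBUTE_READONLY, "notes.txt")
)


def find_hidden_in_sample():
    return hidden_set_events(parse_usn_v2(SAMPLE_JOURNAL))


if __name__ == "__main__":
    for ts, name, known in find_hidden_in_sample():
        print(ts.isoformat(), name,
              "prior state known" if known else "prior state unknown (journal may have wrapped)")
```

On a real $J, replace SAMPLE_JOURNAL with the extracted stream; the zero-skip loop handles the sparse region at the start of the file. Two records of the same USN_REASON_BASIC_INFO_CHANGE here produce only one hit because the second already sees HIDDEN set, which is the comparison that answers "to hidden rather than read-only".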
joakims
(@joakims)
Posts: 224
Estimable Member
 

Such an event would certainly be logged in the $LogFile. You can extract it and then parse it with https://github.com/jschicht/LogFileParser to see. The file has limited history though, but you may be lucky. Assuming the Windows 8 installation is on the default FS (NTFS).

 
Posted : 08/06/2017 12:11 am
joakims
(@joakims)
Posts: 224
Estimable Member
 

And if you can't find it in the current volume, you can grab $LogFile from shadow copies if present. You can even find $LogFile transactions in the hibernation file (hiberfil.sys), but don't extract that file from a shadow copy as it will not contain its original data there.

 
Posted : 08/06/2017 12:16 am
(@athulin)
Posts: 1156
Noble Member
 

I have a case where most of the evidence are in folders that have been set to 'hidden'.

Does anyone know if there is an Event ID or even a registry key that will show when this was set.

The only way to be sure is to test it. Which means getting hold of Process Monitor from Sysinternals (it's free), learning how to use it (there are some videos in the 'Learn More' part that introduce the tool), and then setting it up to report relevant system log or registry operations from all the programs that may be involved when you change the attribute (which are at least Explorer.exe and the console command ATTRIB.EXE, but may be just anything, depending on your set-up).

Then let ProcMon run while you toggle the hidden attribute in all the ways that are interesting, and see if that changes registry or writes a log file entry in any way.

If it does (or appears to do so), you may need to add further testing to ensure that it's your action that does it, and not something else. But you're at least getting close.

If it doesn't, … it probably doesn't affect registry or logs in any way, but again you may want to consider if your experiment was correctly set up. (Like enabling event logging, etc.)

For example, if you are considering tracing $LogFile events with Procmon, you need to disable the predefined exclusion of $LogFile-related events.

 
Posted : 08/06/2017 11:58 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Pages 10-14 are interesting in this document:
http://forensicinsight.org/wp-content/uploads/2013/07/F-INSIGHT-Advanced-UsnJrnl-Forensics-English.pdf

Also, take a look at the tool on page 9.

 
Posted : 08/06/2017 2:00 pm
kacos
(@kacos)
Posts: 93
Trusted Member
 

Pages 10-14 are interesting in this document:
http://forensicinsight.org/wp-content/uploads/2013/07/F-INSIGHT-Advanced-UsnJrnl-Forensics-English.pdf

Also, take a look at the tool on page 9.

Thank you - quite useful )

 
Posted : 08/06/2017 2:24 pm