Forensic Analysis of Windows Systems
For those who perform forensic analysis of Windows systems, what types of things concern you about these systems? What areas do you wish you knew more about, or could collect corroborating information concerning? Are there areas that you wish you could look into? What kinds of things keep you up at night?
Well, one thing that I get back to, from time to time, is that I could use a way to determine exactly which files were installed by which program at a certain time…
Of course you trace all files with the same date and time, but that does not ensure you find all the files… Is there a better way? (I know there is, but I don't know how…)
…a way to determine exactly which files were installed by which program at a certain time…
One way to do this is to look at the application itself. Open the .exe file using Dependency Walker, and see which modules are used.
Another way is to get your hands on the actual installation package (if possible) and run it on a test system using InControl5.
Sometimes when doing forensics, you need to do some research, that has little to do w/ the system you're investigating. Sometimes this includes running your own tests, sometimes it involves getting in touch with a vendor.
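The InControl5 approach mentioned above is a before/after snapshot of the file system, diffed after the installer runs. The following is an added example of that technique in Python; it is not InControl5's code or anything from the original post, and the directory tree, file names and contents it creates are constructed for the demonstration. It compares by content hash rather than timestamp, which is what catches files an installer overwrites in place (the case that "all files with the same date and time" misses).

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (posix-style relative path) to (size, mtime, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[rel] = (st.st_size, int(st.st_mtime), digest)
    return snap


def diff_snapshots(before, after):
    """Classify paths as added, removed or modified. 'modified' is decided by
    content hash, so a rewritten file is caught even if its timestamp was reset."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p][2] != after[p][2]),
    }


def _write(root, rel, content):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(content)


def demo():
    """Stand-in for an installer run: constructed files in a temporary tree."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "system32/existing.dll", b"old build")
        _write(root, "system32/stale.dll", b"to be removed")
        before = snapshot(root)
        # the "installer" drops one file, overwrites one in place and deletes one
        _write(root, "system32/new.dll", b"new module")
        _write(root, "system32/existing.dll", b"patched build")
        os.remove(os.path.join(root, "system32", "stale.dll"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real test box you would take the `before` snapshot of the whole volume, run the package, take the `after` snapshot and keep the diff alongside the installer's name and the run time; that record is what lets you later say which program put a given file there.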
The printer spool is the place to check for printed files. Problem is the files created in the print process are very temporary and Windows XP and 2000 are particularly good at deleting them. It's great if you can recover something of interest, but you're never going to be able to say that this is all that was printed. You can find the EMF graphic files in unallocated, but you will only be able to guess at when they were deleted. I recently examined two computers from a busy office. One was running Windows 98 and the other 2000. I found about 2000 EMF files in unallocated. All but 10 were on the Windows 98 box. They were both used roughly equally, so that gives you an idea of how much more is generally recovered on the older systems. Even on the 98 machine I only recovered about 10 sets of .spl and .shd files. I would love to find another location for archives of printed files, but as far as I know this is it.
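Recovering those EMF files from unallocated space is a signature carve. The following added example (not from the post above) carves EMF metafiles from a raw byte buffer using only the ENHMETAHEADER layout: record type 1 (EMR_HEADER) at offset 0, the " EMF" signature (0x464D4520) at offset 40, and the total file length in nBytes at offset 48. The "image" it scans is constructed inline, including a stray " EMF" string that is not preceded by a header and must be rejected; the only thing the carve gives you is the file's content and its offset, not when it was deleted, which matches the caveat in the post.

```python
import struct

EMF_SIGNATURE = b" EMF"   # dSignature 0x464D4520 in little-endian byte order
SIG_OFFSET = 40           # dSignature sits 40 bytes into ENHMETAHEADER
NBYTES_OFFSET = 48        # nBytes: total length of the metafile
MIN_HEADER = 88           # smallest valid ENHMETAHEADER (EMR_HEADER record)


def carve_emf(data, max_size=50 * 1024 * 1024):
    """Return (offset, length, blob) for each plausible EMF file found in data."""
    found = []
    pos = 0
    while True:
        hit = data.find(EMF_SIGNATURE, pos)
        if hit == -1:
            break
        pos = hit + 1
        start = hit - SIG_OFFSET
        if start < 0 or start + MIN_HEADER > len(data):
            continue
        itype, nsize = struct.unpack_from("<II", data, start)
        if itype != 1 or nsize < MIN_HEADER:
            continue          # first record of an EMF must be EMR_HEADER (type 1)
        nbytes = struct.unpack_from("<I", data, start + NBYTES_OFFSET)[0]
        if nbytes < MIN_HEADER or nbytes > max_size:
            continue          # implausible length: most likely a false signature hit
        # blob is shorter than nbytes if the file runs off the end of the image
        found.append((start, nbytes, data[start:start + nbytes]))
    return found


def make_fake_emf(total_len):
    """Constructed minimal EMF: a valid EMR_HEADER followed by zero padding."""
    hdr = bytearray(MIN_HEADER)
    struct.pack_into("<II", hdr, 0, 1, MIN_HEADER)     # iType=EMR_HEADER, nSize=88
    hdr[SIG_OFFSET:SIG_OFFSET + 4] = EMF_SIGNATURE
    struct.pack_into("<I", hdr, 44, 0x00010000)        # nVersion
    struct.pack_into("<I", hdr, NBYTES_OFFSET, total_len)
    return bytes(hdr) + b"\x00" * (total_len - MIN_HEADER)


# Constructed "unallocated space": two EMF files among filler, plus one bare
# " EMF" string with no header in front of it.
SAMPLE_IMAGE = (b"\xff" * 123 + make_fake_emf(200)
                + b"junk " * 10 + EMF_SIGNATURE + b"\x00" * 50
                + make_fake_emf(150) + b"\xee" * 30)


def carve_sample():
    """Offsets and lengths carved from the constructed image."""
    return [(off, length) for off, length, _ in carve_emf(SAMPLE_IMAGE)]


if __name__ == "__main__":
    for off, length, blob in carve_emf(SAMPLE_IMAGE):
        print(f"EMF at offset {off}, declared {length} bytes, recovered {len(blob)}")
```

Against a real image, read the unallocated clusters (or the whole volume) in chunks, and keep a few hundred bytes of overlap between chunks so a header straddling a chunk boundary is not missed.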
I would like some kind of consistent guide relating to artefacts found in the Windows registry. There isn't much info available relating to this area, and most of my knowledge has been gleaned from self research, testing and trial & error. A definitive guide to forensically examining the Windows registry for me would be a good research project. A check list type guide, i.e. Typed URLs, UserAssist, MRUs, registration details, Network user details, Protected Storage Area, etc.
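UserAssist is one of the artefacts on that list where the raw value is not readable as stored. The following is an added example, not part of the post, that decodes entries from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count as Windows 2000/XP write them: value names are ROT13-encoded, and the data is a 16-byte record of session id (DWORD), run count (DWORD) and last-run FILETIME, with the stored count offset by 5 (so a stored 5 means never run). The sample values are constructed; records of any other length (the layout changed in later Windows versions) are returned undecoded rather than guessed at.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COUNT_OFFSET = 5          # XP stores the run count plus 5


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed samples."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist(value_name, value_data):
    """Decode one UserAssist\\{GUID}\\Count value in the 2000/XP 16-byte layout."""
    entry = {"name": codecs.decode(value_name, "rot_13")}
    if len(value_data) != 16:
        entry["raw"] = value_data.hex()   # different layout: report, don't guess
        return entry
    session, count, ft = struct.unpack("<IIQ", value_data)
    entry["session"] = session
    entry["run_count"] = max(count - COUNT_OFFSET, 0)
    entry["last_run"] = filetime_to_datetime(ft)
    return entry


# Constructed sample values: names as stored (ROT13) and 16-byte data blobs.
SAMPLE_VALUES = {
    "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr":
        struct.pack("<IIQ", 1, 12, datetime_to_filetime(
            datetime(2005, 3, 14, 10, 30, tzinfo=timezone.utc))),
    "HRZR_EHACNGU":
        struct.pack("<IIQ", 1, 5, 0),   # stored count 5 == never run, no timestamp
}


def decode_sample():
    """Decoded form of the constructed sample values, in insertion order."""
    return [decode_userassist(name, data) for name, data in SAMPLE_VALUES.items()]


if __name__ == "__main__":
    for entry in decode_sample():
        print(entry)
```

When pulling these from an exported hive or a live system, keep the raw bytes next to the decoded values in your notes; the count offset and the ROT13 step are exactly the kind of undocumented behaviour worth being able to show rather than assert.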
I second that Andy, I feel that we're only really scratching the surface of what the registry has to offer.
I hear what you're saying about the Registry…I've already put together a presentation for an upcoming conference:
The presentation covers just that topic…mining the Registry for forensic artifacts.
A while ago, Chris Brown of TechPathways was nice enough to provide me with a license for ProDiscover/IR, so I've been able to use that to work on some things from a forensics aspect that I've only been able to do on live systems up until now. The other benefit of using ProDiscover is that Chris is adding Perl to it as its scripting language. Hopefully, I'll be able to port over some of my current Perl scripts for live systems to PD and get the same results.
Anyway, Cory Altheide and I have finished our paper on tracking USB devices across Windows systems and submitted it to Elsevier for publishing. I haven't heard back yet as to whether or not it's been accepted…but it does provide some really good information with regards to USB storage devices connected to Windows systems. This information can be combined with information from shortcuts in the Recent folder, MRU lists, and even the Windows XP Prefetch directory to provide a great deal of valuable forensics information.
I've put together a spreadsheet breaking down various classes of artifacts, to include autostart locations and those for tracking user activity (i.e., MRU listings, etc.). I've had a couple of folks take a look at it and so far it looks fairly complete. What I've tried to do is list the artifact location, describe it in some detail, and provide MS references to its functionality. In that sense, it's not entirely complete…there are just some things that MS hasn't documented. I don't want to use other resources, as many simply lack credibility. I'm trying to verify some descriptions, through research and testing.
Now that the spreadsheet is almost complete, the next steps are to create an automated means of extracting the pertinent information, and then describing in detail what it means.
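The Windows XP Prefetch directory mentioned above is one of the easier sources to automate, and it illustrates the "extract, then describe" step. The following is an added example, not the poster's code or anything from the paper, that parses the header of an XP/2003 prefetch file (format version 17) and checks the .pf file name against the header. The offsets it assumes are: version DWORD at 0x00, "SCCA" at 0x04, file size at 0x0C, executable name as 60 bytes of UTF-16LE at 0x10, prefetch hash at 0x4C, last-run FILETIME at 0x78 and run count at 0x90. Later Windows versions move these fields (and Windows 10 compresses the file), so the parser refuses any other version instead of reading garbage. The sample .pf bytes are constructed, and the hash in them is a sample value, not computed from a real binary.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_VERSION = 17
# Header offsets assumed for the version-17 (XP/2003) layout.
OFF_FILESIZE, OFF_NAME, OFF_HASH, OFF_LASTRUN, OFF_RUNCOUNT = 0x0C, 0x10, 0x4C, 0x78, 0x90
NAME_LEN = 60


def filetime_to_datetime(ft):
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch_xp(buf):
    """Return the header fields of an XP/2003 .pf file as a dict."""
    if len(buf) < OFF_RUNCOUNT + 4:
        raise ValueError("buffer too short for a prefetch header")
    version, sig = struct.unpack_from("<I4s", buf, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature")
    if version != XP_VERSION:
        raise ValueError(f"version {version}: only the XP/2003 layout is handled here")
    raw_name = buf[OFF_NAME:OFF_NAME + NAME_LEN].decode("utf-16-le", errors="replace")
    return {
        "exe_name": raw_name.split("\x00", 1)[0],
        "file_size": struct.unpack_from("<I", buf, OFF_FILESIZE)[0],
        "hash": struct.unpack_from("<I", buf, OFF_HASH)[0],
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", buf, OFF_LASTRUN)[0]),
        "run_count": struct.unpack_from("<I", buf, OFF_RUNCOUNT)[0],
    }


def name_matches_header(pf_filename, parsed):
    """XP names prefetch files EXENAME-XXXXXXXX.pf. A mismatch between the file
    name and the header means the file was renamed or otherwise altered."""
    stem = pf_filename.rsplit(".", 1)[0]
    exe, _, hexhash = stem.rpartition("-")
    try:
        return exe.upper() == parsed["exe_name"].upper() and int(hexhash, 16) == parsed["hash"]
    except ValueError:
        return False


def build_sample():
    """Constructed XP prefetch header; the hash is a sample value."""
    buf = bytearray(0x98)
    struct.pack_into("<I4s", buf, 0, XP_VERSION, b"SCCA")
    struct.pack_into("<I", buf, OFF_FILESIZE, len(buf))
    name = "CALC.EXE".encode("utf-16-le")
    buf[OFF_NAME:OFF_NAME + len(name)] = name
    struct.pack_into("<I", buf, OFF_HASH, 0x0FE8F3A9)
    last = datetime(2004, 11, 5, 14, 22, tzinfo=timezone.utc)
    ticks = ((last - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", buf, OFF_LASTRUN, ticks)
    struct.pack_into("<I", buf, OFF_RUNCOUNT, 3)
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch_xp(build_sample())
    print(info, name_matches_header("CALC.EXE-0FE8F3A9.pf", info))
```

Run over C:\Windows\Prefetch on an image, this gives you a table of executable name, last run time and run count per file, which lines up directly with the USB, Recent-folder and MRU timestamps the post describes combining.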
Thanks for your responses, everyone…