Hi guys, I have to investigate "frost" artefacts. I need a tip to investigate the filelist.dbs and messages.dbs. A keystring search for pedo stuff was successful. I post some images. Greetings
Last time I had to do Frost I VM'd the machine and went through the data that way. It stored a lot of useful information that could be pulled out.
You mean that you virtualize the evidence and investigate in the evidence?
Yeah, using VMware Workstation or VirtualBox depending on what you have available. We use VFC3 (version 4 now available) and then you can get a view of how the user would have seen it.
Caveat is any deleted data wouldn't be shown, but it can save a lot of time decoding files.
Fine, I will try it. For evidence virtualization I use OpenLV. What is VFC3 or VFC4? Can you give more information, like a URL?
Thanks
It isn't especially cheap, but it is pretty good at what it does if you don't want to spend a lot of time configuring your VM - just a few clicks and off you go.
You can also use Forensic Explorer (paid tool), or follow the steps listed on justaskweg.com.