Abstract
Microsoft Windows presents a number of avenues for the forensic investigator to answer the most critical questions in any investigation: who, when, why and how? There is a wealth of information in a Windows system that can help the investigator establish a chain of events, identify the probable cause of any untoward activity and gather irrefutable evidence to prosecute the perpetrator. Some of the evidentiary avenues that will be highlighted in this presentation are as follows:
- Windows Registry as a critical avenue of information – MRU Lists, MUI cache, UserAssist and so on
- NTFS Data structures and MFT analysis
- Understanding and Cracking EFS
- Analyzing File System Metadata – the mystery of timestamps
- Analyzing Windows Memory contents – how to conduct Live Response?
- Using Event Logs to establish a timeline of events
- Web Usage profiling
- Analyzing Prefetch, Recycle Bin artifacts and shortcut files
- Analyzing slack space and detecting hidden/formatted partitions
- Understanding and analyzing Thumbs.db
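As an added illustration of the "mystery of timestamps" item above (example code written for this page, not material from the presentation), the block below decodes raw NTFS FILETIME values and cross-checks the four MACB timestamps held in an MFT entry's $STANDARD_INFORMATION attribute against those in $FILE_NAME. The sample MFT values are constructed, not taken from a real image; the two heuristics (a $SI creation time older than the kernel-maintained $FN creation time, and $SI values with no sub-second component) are standard indicators that timestamps were set by hand rather than by normal file activity.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMESTAMP_FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a raw 64-bit FILETIME to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here to build the constructed fixtures."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def timestamp_anomalies(si: dict, fn: dict) -> list:
    """Compare $STANDARD_INFORMATION (si) with $FILE_NAME (fn) timestamps.

    Both arguments are dicts of raw FILETIME ints keyed by TIMESTAMP_FIELDS.
    User-mode APIs can rewrite $SI, but $FN is only updated by the kernel (on
    creation, rename or move), so two things deserve a closer look:
      * a $SI creation time that predates the $FN creation time
        (only 'created' is compared: a copied file legitimately keeps an
        older $SI modification time while $FN reflects the copy time);
      * $SI values that sit exactly on a second boundary, which is what a
        manually supplied timestamp usually looks like.
    Returns a list of human-readable findings; an empty list means nothing odd.
    """
    findings = []
    si_created = filetime_to_datetime(si["created"])
    fn_created = filetime_to_datetime(fn["created"])
    if si_created < fn_created:
        findings.append(
            f"$SI created {si_created.isoformat()} predates $FN created {fn_created.isoformat()}"
        )
    for field in TIMESTAMP_FIELDS:
        if si[field] % 10_000_000 == 0:
            findings.append(f"$SI {field} has a zero sub-second component")
    return findings


# Constructed fixtures (not real MFT data). FN_BASE is 2009-01-01 00:00:00.1234567 UTC;
# on file creation NTFS sets all four $FN timestamps to the same value.
FN_BASE = 128752416000000000 + 1_234_567
SAMPLE_FN = {field: FN_BASE for field in TIMESTAMP_FIELDS}

# Ordinary file: $SI created matches $FN, later modification and access keep sub-seconds.
CLEAN_SI = {
    "created": FN_BASE,
    "modified": FN_BASE + 3600 * 10_000_000,
    "mft_modified": FN_BASE + 3600 * 10_000_000,
    "accessed": FN_BASE + 7200 * 10_000_000,
}

# Backdated file: created/modified/accessed set to a whole second in 2005 via user-mode API,
# while the kernel-written $FN attribute still says 2009.
OLD_WHOLE_SECOND = datetime_to_filetime(datetime(2005, 6, 15, 12, 0, 0, tzinfo=timezone.utc))
STOMPED_SI = {
    "created": OLD_WHOLE_SECOND,
    "modified": OLD_WHOLE_SECOND,
    "mft_modified": FN_BASE + 3600 * 10_000_000,
    "accessed": OLD_WHOLE_SECOND,
}

if __name__ == "__main__":
    for label, si in (("clean", CLEAN_SI), ("stomped", STOMPED_SI)):
        print(label, timestamp_anomalies(si, SAMPLE_FN) or "no anomalies")
```

In a real examination the eight FILETIME values would be read from the MFT record (attribute type 0x10 for $STANDARD_INFORMATION, 0x30 for $FILE_NAME) rather than from fixtures; the comparison logic is the same, and a hit is a reason to corroborate with other sources listed above, such as the event logs or Prefetch, not a conclusion on its own.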