Hackers of India

Mining Digital Evidence in Microsoft Windows – Answering Who, When, Why and How?

 Chetan Gupta 

2007/12/09

Microsoft Windows presents a number of avenues to the Forensic investigator to establish the most critical questions during any investigation - Who, When, Why and How? There is a wealth of information available in the Windows system which can help the investigator establish a chain of events, identify the possible cause of any untoward activity and gather non-refutable evidence to prosecute the perpetrator. Some of the evidentiary avenues that would be highlighted in this presentation are as follows:

  1. Windows Registry as a critical avenue of information – MRU Lists, MUI cache, UserAssist and so on
  2. NTFS Data structures and MFT analysis
  3. Understanding and Cracking EFS
  4. Analyzing File System Metadata – the mystery of timestamps
  5. Analyzing Windows Memory contents – how to conduct Live Response?
  6. Using Event Logs to establish a timeline of events.
  7. Web Usage profiling
  8. Analyzing Prefetch, Recycle Bin artifacts and shortcut files
  9. Analyzing slack space and detecting hidden/formatted partitions.
  10. Understanding and analyzing Thumbs.db