2 - Windows Forensics.pdf
Here’s a compact summary of the second set of slides on Windows Forensics II:
-
Registry Forensics:
The Windows registry stores key system and user data in separate "hives":
- SAM: local user accounts (usernames, RIDs, hashed credentials, account creation and last-logon timestamps).
- SECURITY: local security policy, audit settings and LSA secrets, plus the machine's Security Identifier (SID).
- SYSTEM: system configuration such as control sets, services, network interface settings (including DNS) and enumerated hardware (the USBSTOR and MountedDevices keys used for device tracking).
- SOFTWARE: OS and application configuration (installed programs, OS version and install date).
- NTUSER.dat: per-user preferences and activity (recent documents, MRU lists) with their timestamps.
Location on disk: SAM, SECURITY, SYSTEM and SOFTWARE are in C:\Windows\System32\config; NTUSER.dat sits in each user's profile folder (C:\Users\<username>\NTUSER.dat), not in System32\config. The hives are locked while Windows is running, so they are normally collected from a disk image, a raw copy, or a shadow copy.
-
Event Logs:
- Windows event logs capture system and user activity, including timestamps, usernames and event details. They are stored as .evtx files in C:\Windows\System32\winevt\Logs (Security, System, Application and many application-specific channels). Because each record carries an event ID and structured fields (for example Security 4624 for a successful logon and 4625 for a failed one, each with account name, logon type and source address), they are vital for reconstructing what happened on the system and for spotting suspicious activity, provided auditing was enabled and the logs were not cleared.
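As an added example (not part of the original slides), the following Python parses Security events rendered as XML (the format produced by wevtutil qe Security /f:xml or Get-WinEvent's ToXml()) and flags the guessing-then-success pattern: a successful logon (4624) from a source IP that has already produced several failed logons (4625). The XML namespace and the EventData field names (TargetUserName, IpAddress, LogonType, Status) are the real ones; the event records themselves are constructed sample data, and the threshold of three failures is an arbitrary choice for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Namespace used by every EVTX record rendered as XML (wevtutil qe /f:xml, Get-WinEvent .ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_system_time(s: str) -> datetime:
    """TimeCreated/@SystemTime is UTC ISO 8601 with up to 7 fractional digits (100 ns);
    datetime only accepts 6, so trim before parsing."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", s)
    if not m:
        raise ValueError(f"unexpected SystemTime format: {s}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(microsecond=int(frac), tzinfo=timezone.utc)


def parse_event(xml_text: str) -> dict:
    """Reduce one XML event record to {event_id, time, data}, where data maps EventData/Data@Name to its text."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "data": {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)},
    }


def find_bruteforce_then_success(events, threshold=3):
    """Flag a 4624 (successful logon) from a source IP that already produced at least
    `threshold` 4625 (failed logon) events. Events are processed in time order."""
    failures = defaultdict(int)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["data"].get("IpAddress", "-")
        if ev["event_id"] == 4625:
            failures[ip] += 1
        elif ev["event_id"] == 4624 and failures[ip] >= threshold:
            findings.append({
                "ip": ip,
                "account": ev["data"].get("TargetUserName"),
                "logon_type": ev["data"].get("LogonType"),
                "failures_before_success": failures[ip],
                "time": ev["time"],
            })
            failures[ip] = 0  # report one burst once
    return findings


# --- constructed sample records (synthetic, not exported from a real host) -----
def make_event(event_id: int, system_time: str, **data) -> str:
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/><Channel>Security</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')


# 0xC000006D is the NTSTATUS for "bad user name or password". Records are deliberately out of order.
SAMPLE_XML = [
    make_event(4625, "2024-03-15T10:30:01.0000000Z", TargetUserName="admin", IpAddress="10.0.0.5", LogonType="3", Status="0xc000006d"),
    make_event(4625, "2024-03-15T10:30:02.0000000Z", TargetUserName="admin", IpAddress="10.0.0.5", LogonType="3", Status="0xc000006d"),
    make_event(4624, "2024-03-15T10:31:00.0000000Z", TargetUserName="bob", IpAddress="10.0.0.9", LogonType="10"),
    make_event(4625, "2024-03-15T10:30:03.0000000Z", TargetUserName="admin", IpAddress="10.0.0.5", LogonType="3", Status="0xc000006d"),
    make_event(4625, "2024-03-15T10:30:04.0000000Z", TargetUserName="admin", IpAddress="10.0.0.5", LogonType="3", Status="0xc000006d"),
    make_event(4624, "2024-03-15T10:30:05.0000000Z", TargetUserName="admin", IpAddress="10.0.0.5", LogonType="3"),
]


def run_detection(xml_records=SAMPLE_XML, threshold=3):
    """Parse the records and return the findings list (empty when nothing matches)."""
    return find_bruteforce_then_success([parse_event(x) for x in xml_records], threshold)


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

On the sample data the detector reports one finding: four failures from 10.0.0.5 against "admin" followed by a network logon (type 3) from the same address, while bob's clean logon from 10.0.0.9 is ignored. On a real export, feed it every record from the Security channel and raise the threshold to suit the environment.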
-
Link Files:
- LNK files are shortcuts that Windows creates automatically when a user opens a file or folder (kept under %AppData%\Microsoft\Windows\Recent and the Office Recent folder), as well as shortcuts users create themselves. They contain metadata such as the target's original path, size and MAC timestamps, the volume serial number and label, and the machine's NetBIOS name. Because the LNK file outlives its target, it can prove that a file existed and was opened even after the file itself has been deleted or moved.
-
Prefetch Files:
- Prefetch files (C:\Windows\Prefetch\<EXENAME>-<HASH>.pf) record which programs were executed and which files (DLLs and others) they loaded during start-up, so that Windows can speed up future launches. Each .pf file stores the executable name, the run count and the last run time (the last eight run times since Windows 8), which together show what ran on the system, how often and when. Check that prefetching was enabled (the EnablePrefetcher value in the SYSTEM hive); it is often turned off on servers and on some SSD-based systems, in which case no .pf files will exist.
-
Thumbnail Cache:
- A cache of image thumbnails (thumbcache_*.db under %LocalAppData%\Microsoft\Windows\Explorer since Vista; per-folder Thumbs.db on older systems). Thumbnails are not removed when the original image is deleted, so the cache can show that an image existed on the system, and the cache file's own timestamps help place that in time.
-
Recycle Bin:
- In Windows Vista and later, deleting a file moves it to C:\$Recycle.Bin\<user SID>\ as a pair of files that share a random suffix: $R<suffix> holds the original content and $I<suffix> holds the metadata (original path, original size and deletion time). Both are removed when the bin is emptied, but the small $I records are frequently recoverable by carving unallocated space, so the original path and deletion time can survive even when the content does not.
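The $I record is simple enough to parse by hand, which is useful when a forensic suite is not available or a carved fragment needs to be checked. The following Python is an added example, not material from the original slides: it decodes both $I layouts (version 1 on Vista through 8.1, version 2 on Windows 10 and later), converts the FILETIME deletion timestamp, and pairs $I files with their $R partners from a directory listing. The file contents it parses are constructed in the block itself, and the path and size values are made up for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: count of 100-ns intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000  # FILETIME value of 1970-01-01, a handy sanity check


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime (100-ns precision truncated to microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample records."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_recycle_bin_i_file(data: bytes) -> dict:
    """Parse one $I metadata record from $Recycle.Bin.

    Layout (little-endian):
      0x00  8 bytes   version: 1 (Vista to 8.1) or 2 (Windows 10 and later)
      0x08  8 bytes   original file size
      0x10  8 bytes   deletion time as FILETIME (UTC)
      version 1: 0x18  520 bytes  original path, UTF-16LE, NUL-padded to 260 characters
      version 2: 0x18  4 bytes    path length in UTF-16 code units, including the terminating NUL
                 0x1C  ...        original path, UTF-16LE
    """
    if len(data) < 0x18:
        raise ValueError("file too short to hold a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
        if len(raw) < 520:
            raise ValueError("truncated version-1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (n_units,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + n_units * 2]
        if len(raw) < n_units * 2:
            raise ValueError("truncated version-2 path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def pair_recycle_bin_entries(names):
    """Map each $I file in a $Recycle.Bin\\<SID> listing to its $R content file.
    Both share the same random suffix and extension; a $I with no partner means the
    content is already gone (or only the small $I record was carved back)."""
    r_files = {n[2:]: n for n in names if n.startswith("$R")}
    return {n: r_files.get(n[2:]) for n in names if n.startswith("$I")}


# --- constructed sample data (not taken from a real system) ---------------------
SAMPLE_DELETED_AT = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)


def build_sample_i_file(version: int, path: str, size: int, deleted_at: datetime) -> bytes:
    """Build a synthetic $I record in the given format version, for exercising the parser."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = path.encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded + b"\x00\x00"


if __name__ == "__main__":
    for ver, path in ((2, r"C:\Users\alice\Documents\plans.docx"), (1, r"D:\photos\img001.jpg")):
        print(parse_recycle_bin_i_file(build_sample_i_file(ver, path, 18432, SAMPLE_DELETED_AT)))
    print(pair_recycle_bin_entries(["$IABC123.txt", "$RABC123.txt", "$IXYZ789.jpg"]))
```

To use it on an image, read each $I file from the user's SID subfolder with open(path, "rb") and pass the bytes to parse_recycle_bin_i_file; the version check at the top is what tells a Windows 10 record apart from an older one, and the length checks catch carved fragments that are incomplete.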
-
External Devices:
- USB and other external device connections are recorded in the registry, chiefly under SYSTEM\CurrentControlSet\Enum\USBSTOR (vendor, product and revision) together with MountedDevices and the per-user MountPoints2 key in NTUSER.dat. Each device is keyed by its Unique Instance ID, normally the device's own serial number; when a device has no serial, Windows generates one whose second character is "&", so such IDs cannot be used to match the device across machines. A genuine serial can be used to trace the same device's connection history across several systems, and the setupapi.dev.log file records when a device was first installed.
-
Pagefile and Hibernation Files:
- pagefile.sys (memory paged out to disk) and hiberfil.sys (a compressed copy of RAM written at hibernation), both in the root of the system drive, preserve memory contents that may include passwords, cryptographic keys, URLs and IP addresses in plaintext. hiberfil.sys can be decompressed and analysed like a memory capture; pagefile.sys has no structure of its own and is usually searched by string and pattern matching.
-
Restore Points and Shadow Copies:
- System restore points and Volume Shadow Copy snapshots (stored under System Volume Information) preserve earlier versions of system files and registry hives. They let an examiner recover historical system state, including USB device connections, user accounts and settings that have since been deleted or changed, and they provide a way to read hives that are locked on the live system.
These slides continue from the first set, diving deeper into Windows artefacts, focusing on forensic techniques to analyze user actions, system logs, and connected devices.