Windows Forensics Analysis — Windows Artifacts (Part I)

Image credit: https://pixabay.com/illustrations/fingerprint-brush-identity-search-2108872/

What Are Forensics Artifacts?

Forensic artifacts are objects that have forensic value: any object that contains data or evidence of something that occurred, such as logs, the registry and its hives, to name a few.

  • Browsers.
  • Windows Error Reporting Forensics (WER).
  • Remote Desktop Protocol (RDP) Cache.

Recycle Bin Forensics

The Windows Recycle Bin contains some great artifacts for forensic analysis. For each deleted file we have a “$I” file, which holds the metadata, and a “$R” file, which holds the contents of the deleted file.

C:\$Recycle.Bin\SID*\$Ixxxxxx
C:\$Recycle.Bin\SID*\$Rxxxxxx
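As an added example (not code from the original post), a small Python parser for the “$I” metadata record. It assumes the documented layout (8-byte version, 8-byte original file size, 8-byte FILETIME deletion time, then the original path as a fixed 520-byte field in version 1 or a length-prefixed UTF-16LE string in version 2) and parses a constructed sample record instead of reading a live Recycle Bin.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I metadata record from the Windows Recycle Bin.

    Layout (little-endian):
      0x00  u64  version (1 = Vista to 8.1, 2 = Windows 10 and later)
      0x08  u64  original file size in bytes
      0x10  u64  deletion time as FILETIME
      0x18  v1:  260 UTF-16LE chars (520 bytes), NUL-padded original path
            v2:  u32 path length in chars (incl. NUL), then that many UTF-16LE chars
    """
    if len(data) < 0x18:
        raise ValueError("record too short for $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated path in $I record")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}

def build_sample(path: str, size: int, ft: int, version: int = 2) -> bytes:
    """Construct a synthetic $I record (sample input for this example, not a real file)."""
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + encoded.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, ft, len(encoded) // 2) + encoded

# Constructed sample: FILETIME 132223104000000000 is 2020-01-01 00:00:00 UTC
SAMPLE_I = build_sample(r"C:\Users\XXX\Documents\report.docx", 4096, 132223104000000000)

if __name__ == "__main__":
    print(parse_dollar_i(SAMPLE_I))
```

The deletion timestamp and original path recovered here are what ties a “$R” payload back to where it lived and when it was removed.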

Browsers Forensics

Web browsers contain a wealth of information, from cookies and navigation history to cached website data and downloaded files. All of this information can be a gold mine during a forensic investigation.

Windows Error Reporting (WER) Forensics

C:\ProgramData\Microsoft\Windows\WER\ReportArchive
C:\ProgramData\Microsoft\Windows\WER\ReportQueue
C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportArchive
C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportQueue

RDP Cache Forensics

Attackers sometimes use RDP to move laterally through the network. When the “mstsc” client that ships with Windows is used to connect via RDP, it leaves a cache on the connecting host at:

C:\Users\XXX\AppData\Local\Microsoft\Terminal Server Client\Cache

Conclusion

That’s it for today. I hope you enjoyed reading and that you learned something along the way.

Written by

#ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.
