Windows Forensics Analysis — Windows Artifacts (Part I)
Windows forensic analysis can be overwhelming: there is a large number of artifacts to collect and sift through, and that is assuming you already know what you are looking for. If you don't, the job becomes twice as hard.
In this series, my goal is to compile the most useful Windows artifacts in one place, explain how each can help an investigation, and link tools and resources for further reading.
What Are Forensics Artifacts?
Forensic artifacts are objects that have evidentiary value: anything that records data about, or evidence of, something that happened on the system. Log files, the registry hives and application caches are a few examples.
In this first part, we will be looking at the following artifacts:
- Recycle Bin.
- Browsers.
- Windows Error Reporting (WER).
- Remote Desktop Protocol (RDP) Cache.
Without further ado, let’s get started.
Recycle Bin Forensics
The Windows Recycle Bin contains some great artifacts. Each deleted file is stored as a pair: an “$I” file holding the metadata (original path, original size and deletion time) and an “$R” file holding the file's actual contents. Both share the same random suffix and the original extension, so $Ixxxxxx.docx pairs with $Rxxxxxx.docx. The pair lives in a subfolder named after the SID of the user who deleted the file, which ties the deletion to an account.
We can find these artifacts in the following paths:
C:\$Recycle.Bin\SID*\$Ixxxxxx
C:\$Recycle.Bin\SID*\$Rxxxxxx
The “$I” files can be parsed with the “$I Parse” tool (downloadable here); Eric Zimmerman's RBCmd handles the same job from the command line. Note that the “$I” record only describes the file; if the $R counterpart is gone, the contents were either purged from the bin or the bin was emptied.
To learn more about these files, I recommend the introductory 13Cubed video simply titled “Recycle Bin Forensics”.
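To show what a $I parser actually has to do, here is an added example (my code, not part of the original article or the “$I Parse” tool) that decodes both layouts of the $I header: the Vista through 8.1 format (version 1, fixed 520-byte path field) and the Windows 10 format (version 2, length-prefixed path). The sample $I data, the path C:\Users\alice\Documents\secret.docx and the deletion time are constructed in the block so it runs offline; real input would be read from C:\$Recycle.Bin\<SID>\.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME value to a timezone-aware UTC datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample file."""
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10


@dataclass
class RecycleBinEntry:
    version: int        # 1 = Vista..8.1 layout, 2 = Windows 10+ layout
    original_size: int  # size of the deleted file in bytes
    deleted: datetime   # deletion time (UTC)
    original_path: str  # full path before deletion


def parse_i_file(data: bytes) -> RecycleBinEntry:
    """Parse the 24-byte fixed header and the original path of a $I file."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Fixed 520-byte UTF-16LE field (MAX_PATH = 260 chars), NUL padded.
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("truncated version-1 path field")
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        # 4-byte character count (including the terminating NUL), then the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated version-2 path field")
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I format version {version}")
    return RecycleBinEntry(version, size, filetime_to_datetime(ft), path)


def matching_r_name(i_name: str) -> str:
    """$I and $R files share the random suffix and extension; only the prefix differs."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_i_file(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Build a synthetic $I file (fixture only; real ones come from $Recycle.Bin)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = path.encode("utf-16-le")
    if version == 1:
        if len(encoded) > 520 - 2:
            raise ValueError("path exceeds MAX_PATH")
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded + b"\x00\x00"
    raise ValueError("unsupported version")


# Constructed samples: a hypothetical file deleted on 2023-01-01 00:00:00 UTC.
_DELETED = datetime(2023, 1, 1, tzinfo=timezone.utc)
_PATH = r"C:\Users\alice\Documents\secret.docx"
SAMPLE_I_V1 = build_i_file(1, 4096, _DELETED, _PATH)
SAMPLE_I_V2 = build_i_file(2, 4096, _DELETED, _PATH)

if __name__ == "__main__":
    name = "$IABC123.docx"  # hypothetical file name
    e = parse_i_file(SAMPLE_I_V2)
    print(f"{name} -> contents in {matching_r_name(name)}: {e.original_path} "
          f"({e.original_size} bytes) deleted {e.deleted.isoformat()}")
```

The version check matters in practice: a Windows 10 $I file fed to a parser that assumes the old fixed-width layout yields a path that starts with garbage, because the four length bytes are read as the first two characters.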
Browsers Forensics
Web browsers contain a wealth of information, from cookies and navigation history to cached website data and downloaded files. All of this information can be a gold mine during a forensic investigation.
Because there are so many browsers (Chrome, Firefox, Edge, IE, Opera, Safari, etc.), each with its own storage formats, I will not cover this topic here; instead, I highly suggest you check my article on browser forensics to learn more.
Windows Error Reporting (WER) Forensics
“The error reporting feature enables users to notify Microsoft of application faults, kernel faults, unresponsive applications, and other application specific problems” — Microsoft Docs
This feature gives us artifacts that indicate program execution: if a malicious program crashes while running, WER writes a report that records the full path of the executable, its version, the faulting module, the loaded modules and the event time, and that report usually survives even after the binary itself has been deleted.
Here are the paths where these artifacts live (system-wide and per-user):
C:\ProgramData\Microsoft\Windows\WER\ReportArchive
C:\ProgramData\Microsoft\Windows\WER\ReportQueue
C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportArchive
C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportQueue
Journey Into Incident Response has a great article about this titled “Exploring Windows Error Reporting” that I highly recommend you read.
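Each report folder holds a Report.wer file, a plain key=value text file (UTF-16LE with a BOM on real systems). The added example below (my code, not from the article or from Microsoft) parses one, pairs the Sig[n].Name/Sig[n].Value entries, converts the EventTime FILETIME, and applies a simple triage heuristic of my own: flag crashes whose AppPath sits in a user-writable location such as a Temp folder. The Report.wer sample is constructed; the key names follow the real format but every value in it, including the path C:\Users\alice\AppData\Local\Temp\update.exe, is invented.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """EventTime/UploadTime in Report.wer are decimal FILETIME (100-ns ticks since 1601)."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


@dataclass
class WerReport:
    event_type: str
    event_time: Optional[datetime]
    app_name: str
    app_path: str
    signatures: Dict[str, str] = field(default_factory=dict)  # Sig[n].Name -> Sig[n].Value
    loaded_modules: List[str] = field(default_factory=list)   # LoadedModule[n], in order
    raw: Dict[str, str] = field(default_factory=dict)         # every key=value line


_SIG_RE = re.compile(r"^(Sig|DynamicSig)\[(\d+)\]\.(Name|Value)$")
_MOD_RE = re.compile(r"^LoadedModule\[(\d+)\]$")


def parse_wer_report(data: bytes) -> WerReport:
    """Parse a Report.wer file; accepts UTF-16LE with BOM or plain UTF-8."""
    if data[:2] == b"\xff\xfe":
        text = data[2:].decode("utf-16-le")
    else:
        text = data.decode("utf-8", errors="replace")
    raw: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            raw[key.strip()] = value.strip()

    names: Dict[Tuple[str, int], str] = {}
    values: Dict[Tuple[str, int], str] = {}
    modules: Dict[int, str] = {}
    for key, value in raw.items():
        m = _SIG_RE.match(key)
        if m:  # Sig[3].Name / Sig[3].Value are two lines that describe one field
            idx = (m.group(1), int(m.group(2)))
            (names if m.group(3) == "Name" else values)[idx] = value
            continue
        m = _MOD_RE.match(key)
        if m:
            modules[int(m.group(1))] = value
    ft = raw.get("EventTime", "")
    return WerReport(
        event_type=raw.get("EventType", ""),
        event_time=filetime_to_datetime(int(ft)) if ft.isdigit() else None,
        app_name=raw.get("AppName", ""),
        app_path=raw.get("AppPath", ""),
        signatures={names[k]: values[k] for k in names if k in values},
        loaded_modules=[modules[i] for i in sorted(modules)],
        raw=raw,
    )


# Triage heuristic (my assumption, not a WER feature): legitimate software rarely
# runs from these user-writable directories, so crashes there deserve a closer look.
_SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                    "\\users\\public\\", "\\downloads\\")


def suspicious_path(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in _SUSPICIOUS_DIRS)


# Constructed sample modelled on the Report.wer layout; all values are invented.
_SAMPLE_TEXT = r"""Version=1
EventType=APPCRASH
EventTime=133170048000000000
ReportType=2
Sig[0].Name=Application Name
Sig[0].Value=update.exe
Sig[1].Name=Application Version
Sig[1].Value=1.0.0.0
Sig[3].Name=Fault Module Name
Sig[3].Value=update.exe
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.19045.2.0.0.256.48
LoadedModule[0]=C:\Users\alice\AppData\Local\Temp\update.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
FriendlyEventName=Stopped working
AppName=update.exe
AppPath=C:\Users\alice\AppData\Local\Temp\update.exe
"""
SAMPLE_REPORT_WER = b"\xff\xfe" + _SAMPLE_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    r = parse_wer_report(SAMPLE_REPORT_WER)
    flag = "SUSPICIOUS" if suspicious_path(r.app_path) else "ok"
    print(f"{r.event_type} at {r.event_time.isoformat()}: {r.app_path} [{flag}]")
    print("fault module:", r.signatures.get("Fault Module Name"))
```

Run over every Report.wer under the four paths above, sorted by event_time, this gives a timeline of crashed executables that complements Prefetch and Amcache when those have been cleared. The LoadedModule list is worth keeping as well: an injected DLL that crashed the host process shows up there with its full path.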
RDP Cache Forensics
Attackers often use RDP to move laterally through a network. When the “mstsc” client shipped with Windows connects to a remote host, it caches bitmap tiles of parts of the remote screen that rarely change, so they do not have to be retransmitted. This is purely a performance feature, but it leaves behind fragments of whatever was displayed during the session.
These cache files are a great piece of forensic evidence, with one caveat to keep in mind: they are written on the client side, so they show up on the machine the attacker connected from (the source of the lateral movement) and show what the attacker saw on the target, not the target's own state. On older clients the cache is a bcache22.bmc or bcache24.bmc file; newer clients write Cache0000.bin, Cache0001.bin and so on. We can find them in the following path.
C:\Users\XXX\AppData\Local\Microsoft\Terminal Server Client\Cache
Using a tool like “bmc-tools” by ANSSI-FR, we can extract the tiles stored inside these cache files and assemble them into a collage; the result is fragmentary, but file names, window titles and command output are often readable.
To see it in action, once again 13Cubed has a great video on this that you can check here.
Conclusion
That’s it for today. I hope you enjoyed reading and that you learned something along the way.
Check out part II below for more Windows artifacts.
Thanks for reading.
NB: I want this series to be a reference for anyone doing Windows forensic analysis, including myself, so I’m open to any questions, suggestions or criticism.
You can contact me via twitter @nas_bench