Windows Forensics Analysis — Windows Artifacts (Part II)
This is a continuation to my first article “Windows Forensics Analysis — Windows Artifacts (Part I)”. Please give it a read if you haven’t already.
In today’s article and as promised, ll be covering more windows artifacts. So without further ado let’s jump right in.
LNK Files Forensics
“.lnk” files are windows shortcut files. That link or point to other files or executables for ease of access.
From a forensics point of view, these files contain a valuable set of information that can help during an investigation or an incident response.
Here are some of the information contained inside of “.lnk” files.
- Original path of the target file.
- Timestamp of both the target and the “.lnk” file (Created, Modified, Accessed).
- File Attributes (System, Hidden…etc.)
- Details about the disk.
- Remote or local execution.
- MAC address of the machines.
- Etc.
To extract and parse the contents of these files you’ll require some tools, fortunately we’re not short on those. Here a two of them.
To understand more about “.lnk” files I suggest you read Magnet Forensics’s blog post titled “Forensic Analysis of LNK files” and watch this introductory video tutorial by 13Cubed titled “LNK Files and Jump Lists”.
Jump Lists Forensics
Jump Lists are a windows feature introduced with Windows 7. They contain information about recently accessed applications and files.
Two forms of jump lists can be created in windows.
- “AUTOMATICDESTINATIONS-MS” : Which are jump lists created automatically when the users opens a files or an application. They are Located in the following directory.
C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
- “CUSTOMDESTINATIONS-MS” : As their name indicated these are custom made jump lists, created when the users pins a file or an application. They are located in the following directory.
C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
To make sense of the information found inside these files we can use many tools. Below are two of my favorites.
- JLECmd by Eric Zimmerman
- JumpList Explorer by Eric Zimmerman
- Windows Jump List Parser
Also you can check the resources listed below to understand a bit more about this topic.
Prefetch Files Forensics
Preftech Files are a very valuable set of artifacts for anyone doing forensics analysis. They contains a wealth of information about applications that have been run on a system such as
- Application name
- Application path
- Last execution timestamp
- Creation timestamp
- Etc.
Prefetch files can be found in the following directory.
C:\Windows\Prefetch\
To make sense of these files and the information available within. We require some tools. Fortunately we have just that.
Below are some tools that can help us parse these files.
I highly encourage you to read more about Application Prefetching and Prefetch Files as they are truly great forensic artifacts.
Below are some resources to get you started.
- Forensic Analysis of Prefetch files in Windows — Magnet Foreniscs
- Forensics Wiki — Prefetch Files
- Digital Forensics Prefetch Artifacts
- Prefetch Forensics
Note : Application Prefetching is enabled by default in all windows version from windows XP to windows 10 and it is disabled on windows server operating systems (Can be enabled).
Conclusion
This conclude the second part of this series. I hope you enjoyed reading and that you learned something along the way.
You can check the first part below.
In the next part we’ll be taking a look at yet another set of great windows artifacts. Here is a sneak peak at what we’re gonna be covering next.
- ShimCache / AppCompatCache
- Amcache
- UserAssist
- Shellbag
Thanks for reading.
NB : I want this series to be a reference to anyone doing windows forensics analysis including myself. So I’m open to any questions, suggestions or feedback.
Hit me up on twitter @nas_bench