Windows Forensics Analysis — Windows Artifacts (Part II)

https://pixabay.com/illustrations/fingerprint-brush-identity-search-2108872/

LNK Files Forensics

“.lnk” files are Windows shortcut files that link or point to other files or executables for ease of access. Forensically, a shortcut records:

  • Timestamp of both the target and the “.lnk” file (Created, Modified, Accessed).
  • File attributes (System, Hidden, etc.).
  • Details about the disk.
  • Remote or local execution.
  • MAC address of the machines.
  • Etc.

Jump Lists Forensics

Jump Lists are a Windows feature introduced with Windows 7. They contain information about recently accessed applications and files and are stored per user under:

C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
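Both artifacts above rest on the same structure: a Jump List entry in a `*.customDestinations-ms` file is essentially a concatenation of LNK structures, and the `*.automaticDestinations-ms` files wrap LNK streams in an OLE compound file. The following is an added example (not code from the post) that parses the fixed 76-byte ShellLinkHeader described in MS-SHLLINK, which is where the target timestamps and file attributes listed in the LNK section live, and then carves headers out of a CustomDestinations-style buffer by their signature. The sample bytes are constructed inline, so it runs offline; the `CMD.EXE`-style values and timestamps are made up for the demonstration.

```python
"""Parse a Windows .lnk ShellLinkHeader and carve LNK headers out of a
CustomDestinations-style Jump List buffer. Added example; constructed data."""
import struct
from datetime import datetime, timedelta, timezone

# HeaderSize (always 0x4C) followed by the shell link CLSID {00021401-0000-0000-C000-000000000046}
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_MAGIC = b"\x4c\x00\x00\x00" + LNK_CLSID

# Subset of FileAttributesFlags (MS-SHLLINK 2.1.2) that matters for triage
FILE_ATTRIBUTES = {
    0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM",
    0x0010: "DIRECTORY", 0x0020: "ARCHIVE", 0x0080: "NORMAL",
}
# Subset of LinkFlags (MS-SHLLINK 2.1.1) telling which optional structures follow the header
LINK_FLAGS = {
    0x0001: "HasLinkTargetIDList", 0x0002: "HasLinkInfo", 0x0004: "HasName",
    0x0008: "HasRelativePath", 0x0010: "HasWorkingDir", 0x0020: "HasArguments",
    0x0040: "HasIconLocation", 0x0080: "IsUnicode",
}


def filetime_to_datetime(ft):
    """FILETIME is 100ns ticks since 1601-01-01 UTC; a zero value means 'not set'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_lnk_header(data):
    """Decode the 76-byte ShellLinkHeader at the start of `data`."""
    if len(data) < 76:
        raise ValueError("buffer shorter than a ShellLinkHeader")
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
    # WriteTime, FileSize, IconIndex, ShowCommand, HotKey (the last 10 bytes are reserved)
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, icon, show, hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    return {
        "link_flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "file_attributes": [n for b, n in FILE_ATTRIBUTES.items() if attrs & b],
        # These three timestamps describe the *target* at link creation/update time,
        # not the .lnk file itself (whose own MACB times come from the file system).
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
        "icon_index": icon,
        "show_command": show,
        "hotkey": hotkey,
    }


def carve_lnk_headers(buf):
    """Find every LNK header signature in `buf` and parse it.

    CustomDestinations-ms files are a sequence of LNK structures, so scanning for
    the signature recovers each entry without needing the full record layout.
    Returns a list of (offset, parsed_header)."""
    found = []
    pos = buf.find(LNK_MAGIC)
    while pos != -1:
        try:
            found.append((pos, parse_lnk_header(buf[pos:pos + 76])))
        except ValueError:
            pass  # truncated tail; skip it
        pos = buf.find(LNK_MAGIC, pos + 1)
    return found


def build_sample_header(flags, attrs, created, accessed, modified, size):
    """Constructed test data: a minimal 76-byte header with no trailing structures."""
    return struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, flags, attrs,
                       created, accessed, modified, size, 0, 1, 0) + b"\x00" * 10


if __name__ == "__main__":
    # Constructed FILETIME for 2020-01-01 00:00:00 UTC
    ft_2020 = 132223104000000000
    hdr = build_sample_header(0x81, 0x22, ft_2020, 0, ft_2020, 1234)
    print(parse_lnk_header(hdr))
    # Fake CustomDestinations buffer: leading bytes, two entries, padding between them
    jump_list = b"junk" + hdr + b"\x00" * 5 + hdr
    for offset, h in carve_lnk_headers(jump_list):
        print(offset, h["file_attributes"], h["target_modified"])
```

The same `parse_lnk_header` applies to the LNK streams inside an `automaticDestinations-ms` file once they are extracted from the OLE container (with a library such as olefile); that extraction step is not shown here.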

Prefetch Files Forensics

Prefetch files are a very valuable set of artifacts for anyone doing forensic analysis. They contain a wealth of information about applications that have been run on a system, such as:

  • Application path
  • Last execution timestamp
  • Creation timestamp
  • Etc.

They are stored in:

C:\Windows\Prefetch\
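To show where the application path, last execution timestamp and run count listed above actually come from, here is an added example (not code from the post) that parses the fixed header of an uncompressed `.pf` file: the `SCCA` signature, format version, embedded executable name and the hash that forms the `NAME-HASH.pf` file name, plus the version-specific last-run time and run count for the XP (17) and Vista/7 (23) layouts and the eight last-run timestamps kept by the 8.1/10 layouts (26/30). It also recognises the `MAM` header that marks Windows 10+ prefetch files as Xpress-Huffman compressed, which must be undone before the fields can be read. The sample file is constructed inline; the executable name, hash and timestamp are made-up values.

```python
"""Parse the header of an uncompressed Windows Prefetch (.pf) file.
Added example with constructed data; not code from the post."""
import struct
from datetime import datetime, timedelta, timezone

MAM_MAGIC = b"MAM\x04"   # Windows 10+ compresses .pf files; bytes 4..8 hold the decompressed size
SCCA_MAGIC = b"SCCA"     # signature at offset 4 of an uncompressed prefetch file
VERSION_OS = {17: "Windows XP/2003", 23: "Windows Vista/7",
              26: "Windows 8/8.1", 30: "Windows 10/11"}


def filetime_to_datetime(ft):
    """FILETIME is 100ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def is_mam_compressed(data):
    """True for a Windows 10+ prefetch file that still needs Xpress-Huffman decompression."""
    return data[:4] == MAM_MAGIC


def parse_prefetch(data):
    """Decode the 84-byte file header and the version-specific run information."""
    if is_mam_compressed(data):
        (size,) = struct.unpack_from("<I", data, 4)
        raise ValueError(f"MAM-compressed prefetch ({size} bytes decompressed); "
                         "run an Xpress Huffman decoder first")
    if len(data) < 84 or data[4:8] != SCCA_MAGIC:
        raise ValueError("not a prefetch file")
    # version, signature, unknown, file size; then 60 bytes of UTF-16LE executable name
    version, _, _, file_size = struct.unpack_from("<I4sII", data, 0)
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (hash_value,) = struct.unpack_from("<I", data, 76)
    info = {
        "version": version,
        "os": VERSION_OS.get(version, "unknown"),
        "file_size": file_size,
        "executable": exe_name,
        "hash": f"{hash_value:08X}",
        # The on-disk name is derived from these two fields; a mismatch is worth a second look
        "expected_filename": f"{exe_name}-{hash_value:08X}.pf",
        "last_run": [],
        "run_count": None,
    }
    if version == 17:                       # XP: one last-run time, run count
        (ft,) = struct.unpack_from("<Q", data, 0x78)
        (info["run_count"],) = struct.unpack_from("<I", data, 0x90)
        info["last_run"] = [filetime_to_datetime(ft)]
    elif version == 23:                     # Vista/7: one last-run time, run count
        (ft,) = struct.unpack_from("<Q", data, 0x80)
        (info["run_count"],) = struct.unpack_from("<I", data, 0x98)
        info["last_run"] = [filetime_to_datetime(ft)]
    elif version in (26, 30):               # 8.1/10: up to eight last-run times
        times = struct.unpack_from("<8Q", data, 0x80)
        info["last_run"] = [filetime_to_datetime(t) for t in times if t]
        # The run-count offset differs between 8.1 and the Windows 10 variants; omitted here.
    return info


def build_sample_prefetch_v23(exe, hash_value, last_run_ft, run_count):
    """Constructed test data: a Windows 7 (version 23) file with only the parsed fields set."""
    buf = bytearray(0x9C)                   # just large enough to hold the run count at 0x98
    struct.pack_into("<I4sII", buf, 0, 23, SCCA_MAGIC, 0x11, len(buf))
    name = exe.encode("utf-16-le")[:60]
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, hash_value)
    struct.pack_into("<Q", buf, 0x80, last_run_ft)
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed values: fake hash, last run 2020-01-01 00:00:00 UTC, seven executions
    sample = build_sample_prefetch_v23("CMD.EXE", 0x8E75B5BB, 132223104000000000, 7)
    print(parse_prefetch(sample))
    print(is_mam_compressed(b"MAM\x04" + struct.pack("<I", 4096) + b"\x00" * 8))
```

On a live Windows 10 or 11 system every file under `C:\Windows\Prefetch\` will hit the `MAM` branch; tools such as PECmd or libscca handle the decompression, after which the header layout above applies.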

Conclusion

This concludes the second part of this series. I hope you enjoyed reading it and that you learned something along the way.

  • Amcache
  • UserAssist
  • Shellbag

#ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.
