When doing Windows Forensic Analysis, it can be quite overwhelming to see the large amount of data that one needs to collect, assuming you know what you are looking for. In case you don’t know what are you looking for, the entire process becomes twice as hard.
In this article we will be discussing following topics:
- What is Windows Forensic Analysis?
- What are Forensic Artifacts?
- Top Open-Source Tools for Windows Forensic Analysis
What is Windows Forensic Analysis?
Windows Forensic Analysis focuses on 2 things:
- In-depth analysis of Windows Operating System.
- Analysis of Windows System Artifacts.
Windows artifacts are the objects which hold information about the activities that are performed by the Windows user. The type of information and the location of the artifact varies from one operating system to another. Windows artifacts contain sensitive information that is collected and analyzed at the time of forensic analysis.
What are Forensic Artifacts?
Forensic artifacts are the forensic objects that have some forensic value. Any object that contains some data or evidence of something that has occurred like logs, register, hives, and many more. In this section, we will be going through some of the forensic artifacts that a forensic investigator look for while performing a Forensic analysis in Windows.
1. Recycle Bin
The windows recycle bin contains some great artifacts like:
- $1 file containing the metadata. You can find this file under the path C:\$Recycle.Bin\SID*\$Ixxxxxx
- $R file containing the contents of the deleted files. This file can be located under the path C:\$Recycle.Bin\SID*\$Rxxxxxx
- $1 file can be parsed using a tool $1 Parse.
2. Browsers
Web browsers contain a lot of information like:
- Cookies.
- Cached website data.
- Downloaded files.
3. Windows Error Reporting
This features enables user to inform Microsoft about application faults, kernel faults, unresponsive application, and other application specific problems. This feature provides us with various artifacts like:
- Program Execution, if a malicious program crashes during program execution.
- You can locate these artifacts at the following locations:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportArchive C:\ProgramData\Microsoft\Windows\WER\ReportQueue C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportQueue
4. Remote Desktop Protocol Cache
When using the “mstc” client that is provided by the Windows, RDP can be used to move laterally through the network. Cache files are created containing the sections of the screen of the machine to which we are connected to and that is rarely changing. These cache files can be located in the directory:
C:\Users\XXX\AppData\Local\Microsoft\Terminal Server Client\Cache
Tools like BMC-Tools can be used to extract images stored in these cache files.
5. LNK Files
.lnk files are the windows shortcut files. LNK files link or point to other files or executables for ease of access. You can find following information in these files:
- The original path of the target file.
- Timestamp of both the target files and the .lnk files.
- File Attributes like System, Hidden, etc.
- Details about the disk.
- Remote or local execution.
- MAC address of the machines.
You can use tools like Windows LNK Parsing Library or LECmd to parse the contents of these files.
6. Jump Lists
They contain information about the recently accessed applications and files. This feature was introduced with Windows 7. Two types of Jump Lists can be created in Windows:
- AUTOMATICDESTINATIONS-MS: These jump lists are created automatically when a user opens a file or an application. They are located under the path: C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
- CUSTOMDESTINATIONS-MS: These jump lists are custom made and are created when a user pins a file or an application. They are located under the directory C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
You can use tools like JumpList Explorer, JLECmd, or Windows JumpList Parser to parse Jump lists.
7. Prefetch Files
These files contain a wealth of information like:
- Application Name.
- Application path.
- Last execution timestamp.
- Creation timestamp.
These files can be located under the directory: C:\Windows\Prefetch\. You can use tools like Windows Prefetch Parser, WinPrefetchView, or PECmd.
Top Open-Source Tools for Windows Forensic Analysis
In this section, we will be discussing some of the open-source tools that are available for conducting Forensic Analysis in the Windows Operating System.
1. Magnet Encrypted Disk Detector
This tool is used to check the encrypted physical drives. This tool supports PGP, Safe boot encrypted volumes, Bitlocker, etc. You can download it from here
2. Magnet RAM Capture
This tool is used to analyze the physical memory of the system. You can download it from here
3. Wireshark
This is a network analyzer tool and a capture tool that is used to see what traffic is going in your network. You can download it from here
4. RAM Capture
As the name suggests, this is a free tool that is used to extract the entire contents of the volatile memory i.e. RAM. You can download it from here
5. NMAP
This is the most popular tool that is used to find open ports on the target machine. Using this tool you can find the vulnerability of any target to hack. You can download it from here
6. Network Miner
This tool is used as a passive network sniffer to capture or to detect the operating systems ports, sessions, hostnames, etc. You can download it from here
7. Autopsy
This is the GUI based tool, that is used to analyze hard disks and smartphones. You can download it from here
8. Forensic Investigator
This is a Splunk toolkit which is used in HEX conversion, Base64 conversion, metascan lookups, and many more other features that are essential in forensic analysis. You can download it from here
9. HashMyFiles
This tool is used to calculate the SHA1 and MD5 hashes. It works on all the latest websites. You can download it from here
10. Crowd Response
This tool is used to gather the system information for incident response. You can download it from here
11. ExifTool
This tool is used to read, write, and edit meta information from a number of files. You can download it from here
12. FAW (Forensic Acquisition of Websites)
This tool is used to acquire web pages image, HTML, source code of the web page. This tool can be integrated with Wireshark. You can download it from here
In 2024, there is such a large variety of forensic tools available in the market. Some are free and open-source and some tools charge annual or monthly fees. You just need to identify your requirements and choose a tool that best suits your requirements.