Common Locations of Windows Artifacts
GIAC Certified Forensic Examiner Objective:
Analysis and Profiling of Systems and Devices, Host and Application Event Log Analysis
- The candidate will demonstrate an understanding of the artifacts created by the Windows operating system during the execution of programs, system start up and use of removable devices.
Overview
The development of this document is funded by the Department of Labor's (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48.
In this lab, students will examine hosts on the network using various tools by evaluating event logs, web logs, and scheduled tasks. You will also explore the Startup, Windows, and System32 folders.
Outcomes
In this lab, you will learn to:
- Examine Windows Event Logs, IIS Logs, and Scheduled Tasks
- Examine the Startup, Windows, and System32 Folders
Key terms and descriptions
Users Folder
This folder stores user profiles in Windows Vista, Windows 7, Windows 8, Server 2008, and Server 2012. For a user's profile to be created within Microsoft Windows, the user must log in to the system at least once.
Startup Folder
This location can be used by administrators (or hackers) to launch programs automatically at startup. A batch file or executable can be placed in an individual user's Startup folder, or in the all-users Startup folder so that it runs for every user who logs on to the system.
Documents and Settings
This folder stores user profiles in Windows 2000, XP, and Server 2003. For a user's profile to be created, the user must log in to the system at least once. Documents and Settings has been replaced by the Users folder in current versions of the operating system; however, it still exists as a reparse point on the newer versions.
Scheduled Tasks
Located in the Tasks folder within the Windows folder, this is the location where AT jobs are stored. AT jobs are tasks scheduled to run automatically, such as backups or disk defragmentation. When hackers compromise a system, they may schedule malware to run automatically, which gives them a backdoor.
Prefetch
This folder exists so that the Windows operating system can load certain executable files faster after system startup. The prefetch files have a .pf extension and can often give an investigator clues about which programs have run on the system.
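As an added triage example (not part of the lab handout), the following PowerShell script walks the Startup, Tasks, and Prefetch locations described above and lists what it finds with timestamps. It assumes the standard paths on Windows Vista/7/8 and Server 2008/2012 and an elevated prompt; the System32\Tasks path is where Task Scheduler 2.0 stores its task definitions, which is an assumption added here rather than something the lab text states.

```powershell
# Added example script: enumerate common Windows artifact locations.
# Assumed standard paths for Vista/7/8 and Server 2008/2012.
# PSIsContainer filtering is used so the script also runs on PowerShell 2.0.

function Get-StartupEntries {
    # Per-user Startup folders under each profile, plus the all-users Startup folder
    $paths = @()
    Get-ChildItem "$env:SystemDrive\Users" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { $paths += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    $paths += "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    foreach ($p in $paths) {
        if (Test-Path $p) {
            Get-ChildItem $p -Force | Where-Object { -not $_.PSIsContainer } |
                Select-Object FullName, CreationTime, LastWriteTime, Length
        }
    }
}

function Get-TaskFolderEntries {
    # Legacy AT jobs are .job files in %SystemRoot%\Tasks; Task Scheduler 2.0
    # keeps XML task definitions under %SystemRoot%\System32\Tasks (assumed path)
    foreach ($p in "$env:SystemRoot\Tasks", "$env:SystemRoot\System32\Tasks") {
        if (Test-Path $p) {
            Get-ChildItem $p -Recurse -Force | Where-Object { -not $_.PSIsContainer } |
                Select-Object FullName, CreationTime, LastWriteTime
        }
    }
}

function Get-PrefetchEntries {
    # Each .pf file is named after the executable; LastWriteTime approximates
    # the most recent run, so sorting by it shows recently executed programs first
    $p = "$env:SystemRoot\Prefetch"
    if (Test-Path $p) {
        Get-ChildItem $p -Filter '*.pf' | Where-Object { -not $_.PSIsContainer } |
            Sort-Object LastWriteTime -Descending |
            Select-Object Name, CreationTime, LastWriteTime
    }
}

"== Startup folder entries =="
Get-StartupEntries | Format-Table -AutoSize
"== Tasks folder entries =="
Get-TaskFolderEntries | Format-Table -AutoSize
"== Prefetch entries (most recent first) =="
Get-PrefetchEntries | Select-Object -First 20 | Format-Table -AutoSize
```

Unexpected entries in any of these listings (an unfamiliar executable in a Startup folder, a task created outside a maintenance window, a prefetch file for a tool no user should have run) are the leads an examiner follows up in the event logs covered later in this lab.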