Lec 2 Digital Forensic

The document discusses Windows forensics analysis and tools used for forensic investigations of Windows systems. It covers topics such as analyzing Windows traces, booting forensic images, timeline analysis using Autopsy, generating timeline reports, file recovery using Autopsy and PhotoRec, and analyzing the Windows Recycle Bin.

Dr. Ayoub Alsarhan
Faculty of Information Technology
The Hashemite University
ayoubm@hu.edu.jo

© McGraw Hill, LLC 1


Windows Forensics Analysis

• In July 2018, the market share of the Windows operating system (desktop versions) stood at 82.88%. This means that the majority of personal computers worldwide run this operating system, in one of its different versions (see Figure 7-1). Obviously, a world running on Windows computers means that most of our digital forensic work involves investigating this type of OS; knowing how to find your way around Windows is a must for any digital forensics practitioner.



Windows Forensics Analysis

• Almost any event or state change on a system is considered a result of a user action. A Windows user will leave traces while using it; in fact, Windows is notorious for leaving many traces in different places as a part of its normal use, compared with other operating system types. Advanced Windows users, who know how to delete and cover their traces, will not always succeed in deleting all of them, leaving valuable evidence for digital forensic examiners to retrieve.



Backup Software

• Not all imaging and backup software creates forensic images. For example, Windows Backup creates image backups that aren't complete copies of the physical device. Forensic images can be created through specialized forensic tools, such as forensic software. Some disk imaging utilities not marketed for forensic use also make complete disk images.



Image booting
• Being able to boot an image of acquired evidence into a
computer or using a virtual machine environment will give
investigators a perspective on suspect computer usage in an
entirely forensic manner. Of course, in order to work, the subject
forensic image must contain either a full HDD image or the
partition that contains the installed OS (e.g., C:\ drive when
acquiring a Windows machine).



Image booting
• In addition to this, live booting will allow investigators to use
some techniques that cannot be performed easily using a static
analysis conducted by computer forensics software (e.g.,
cracking a Windows account password). Many computer
forensics suites offer the ability to boot from image files. You can
also convert the forensic image (e.g., DD or E01 format) into a
format compatible with the target virtual machine software (e.g.,
VMWare, VirtualBox, Hyper-V).



Timeline Analysis
• Timeline analysis is considered an important element in most digital forensics investigations, as it gives a holistic view of the succession of events that have happened on the system in question and is used to answer a main question in any investigation: when did a specific activity take place? Timeline analysis allows investigators to save investigation time by reducing the volume of data that needs to be examined to a specific timeframe (e.g., after the incident took place). Timeline analysis is very important when investigating malware incidents, in order to identify when the system state changed because of a malware attack.



Creating a Timeline Using Autopsy
• To generate a timeline of events for your case using Autopsy,
follow these steps:
1. Launch Autopsy and create a new case or launch an existing
one.
2. Go to the Tools menu ➤ Timeline.
3. Autopsy will need some time to populate the data for the
timeline.



Creating a Timeline Using Autopsy
Autopsy can present data using three view modes:
• Bar chart (counts) mode: This mode offers less detail and is
intended to answer questions about how much data alteration
occurred in a given timeframe.
• Detail mode: This mode will give you details about events and
present those events to you using a unique clustering approach
(e.g., grouping all files in the same folder as one event and showing
all URLs that belong to one domain as one event).
• List mode: Similar to detail mode, but it shows the results in a list
organized from oldest to newest.



Generate a Timeline Report Using Autopsy
1. Go to the Tools menu ➤ Generate Report. The Generate Report wizard appears; the first window allows you to select the report format.
2. In our case, we select “Excel Report,” so we can work with the data using the MS Excel spreadsheet program or any other program that can read Excel files, like Apache OpenOffice (www.openoffice.org). Click “Next” to continue.
3. The next window asks you to configure the returned results. You have two options: All Results and Tagged Results. In our case, we will select All Results and click “Finish”; then, Autopsy will begin the report generation process.


Generate a Timeline Report Using Autopsy
4. After it finishes generating the report, Autopsy will show you the link to where your generated report is saved; click this link to open the file using your default program (see Figure 7-6).
5. Finally, click “Close” to close the Report Generation Progress window.



Generate a Timeline Report Using Autopsy
• Please note that, as a part of Autopsy’s initial analysis, it will list the last seven days of activity (web browsers, including web searches; installed programs; the operating system; and recent changes to registry hives) found in the supplied forensic image files in the Data Explorer panel under the “Extracted Content” section. Remember that you need to activate the “Recent Activity” ingest module in order to retrieve this result.





File Recovery
• Using Autopsy to recover deleted files does not require any intervention by the forensic examiner. All you need to do is create the case as we did previously and select the “PhotoRec Carver” module from the ingest modules (make sure that “Process Unallocated Space” is selected); then you are ready to go. Autopsy will automatically retrieve data from the unallocated space of the supplied data source and show it in the Data Explorer pane under Views ➤ Deleted Files.



File Recovery
• The PhotoRec tool (www.cgsecurity.org/wiki/PhotoRec) is a
free, open source application that can be used as a standalone
application to recover files from different digital media devices
like HDDs, USB drives, SD cards (e.g., those in smartphones
and digital cameras), and CD-ROMs.
• PhotoRec can be used with TestDisk
(www.cgsecurity.org/wiki/TestDisk, from the same developer);
this is another open source program that is specialized in
recovering lost partitions and/or fixing the problem of
nonbooting disks, making them bootable again.



Windows Recycle Bin Forensics
• The Windows recycle bin, first introduced in Windows 95, contains files that have been deleted by users but still exist within the system. For instance, when a user deletes a file (by pressing the Delete key on the keyboard after selecting the target file, or by selecting a file, right-clicking it, and choosing “Delete” from the pop-up menu), Windows moves the file to the recycle bin without deleting it permanently. This is the default behavior of Windows; however, a user can configure the recycle bin settings to permanently delete files without moving them into the recycle bin. Besides, some users press and hold the Shift key when deleting a file to delete it permanently without moving it into the recycle bin.



Windows Recycle Bin Forensics
• Different versions of Windows have different recycle bin file names and locations. For Windows XP (formatted using the FAT file system), deleted files are stored in the “Recycler” folder in the root directory of the drive where Windows is installed (usually the C:\ drive), which in turn holds another important file named “INFO2.” Both “Recycler” and “INFO2” are hidden: you must first enable the display of hidden files, including protected OS files, to see them.



Windows Recycle Bin Forensics
• Inside the “Recycler” folder, we can see one or more folders; these folders are named according to each user’s security identifier (SID) (e.g., S-1-5-21-2602240047-739648611-3566628919-501). If a system has more than one user, then each one will have its own folder that stores the deleted files belonging to that user account.
• There is also another important file inside each user’s recycle bin folder called “INFO2”; this file contains an index of all the files that have been deleted by the user. It also contains metadata about each deleted file, like its original path, file size, and the date/time when it was deleted.



Windows Recycle Bin Forensics
• With Vista and beyond (7, 8, 8.1, and 10), Windows has changed both the recycle bin main folder and the way deleted files are organized. Deleted files are stored in a folder named “$Recycle.Bin,” under which there is a subfolder for each user on the system, named using that user’s SID. The “$Recycle.Bin” folder is stored under the C:\ drive (assuming Windows is installed there). In these modern versions of Windows, when a file is deleted, Windows moves it into the recycle bin as two files: one contains the actual data of the recycled file (its name begins with “$R”), while the other contains the deleted file’s metadata (its name begins with “$I”). Obviously, this removes the need for the “INFO2” file from older Windows versions, which was used to store a recycled file’s metadata.
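As an added example (my code, not from the slides or from any tool they mention), the parser below reads a “$I” metadata record of the kind described above and returns the original path, file size and deletion time. The field layout assumed is the one used by Vista through 8.1 (version 1: fixed 520-byte UTF-16LE path) and by Windows 10 (version 2: 4-byte path length followed by the path); the sample records are constructed inline, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data):
    """Parse a $I record: 8-byte version, 8-byte file size, 8-byte FILETIME, then the path.

    Version 1 (Vista to 8.1): a fixed 520-byte UTF-16LE path (NUL padded).
    Version 2 (Windows 10):   a 4-byte path length in UTF-16 code units (NUL included),
                              followed by that many code units of path.
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    # Decode and cut at the first NUL so padding does not leak into the path.
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_at": filetime_to_datetime(ft), "path": path}


def build_dollar_i(version, path, size, deleted_at):
    """Build a constructed $I record so the parser can be exercised offline."""
    ft = (deleted_at - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        body = encoded.ljust(520, b"\x00")
    else:
        body = struct.pack("<I", len(path) + 1) + encoded
    return struct.pack("<QQQ", version, size, ft) + body


if __name__ == "__main__":
    # Constructed sample: a Windows 10 style record for a deleted document.
    when = datetime(2018, 7, 15, 10, 30, 0, tzinfo=timezone.utc)
    sample = build_dollar_i(2, r"C:\Users\alice\Documents\report.docx", 1234, when)
    print(parse_dollar_i(sample))
```

On a real image, the same function can be pointed at any `$I` file found under `$Recycle.Bin\<SID>\`, and the matching `$R` file (same suffix) holds the content.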



Windows Recycle Bin Forensics
• The Windows recycle bin has limited storage capacity with regard to the volume of deleted files that it can accommodate. In Windows XP, the recycle bin is configured by default to hold 10% of the hard drive; if it fills up to maximum capacity, it will delete the oldest files to make room for incoming deleted files. In newer Windows versions, like Vista and later, the default size is 10% of the first 40GB of the drive and 5% of the remaining storage space above 40GB.

