The 21st century is a century of revolution and change. The transformation of the analog world into a digital one has raised new challenges and opportunities for technology enthusiasts.

New forensic challenges arise with every newly released operating system. On one hand, these new versions of Windows aim to make things easier for users; on the other hand, many of the functions the operating system performs for your convenience (such as AutoPlay and file indexing) leave records that can be used against you. Operating System Forensics is the discipline that deals with exactly these records.

Operating System Forensics refers to the process of finding, extracting and analyzing evidence present in the operating system of any computerized device used by the victim, or of any computer system suspected of involvement in a security incident. The most commonly used operating systems are Microsoft Windows, Linux and Mac, and they are correspondingly the most common targets and sources of criminal activity.

Windows Forensics is the process of conducting a forensic investigation of a system that runs the Windows operating system. It includes incident response analysis, recovery, and auditing of equipment used in executing criminal activity. To accomplish such intricate forensic analysis, the investigator should possess extensive knowledge of the Microsoft Windows operating systems. [1]

The average user is mostly unaware that their newly upgraded operating system is leaving traces of their activity. It is essential for users to know that valuable pieces of sensitive and confidential information are stored in Windows artifacts. These artifacts can be used to recreate and restore the account history of a particular user.

Some of the artifacts of the Windows operating system are:

  1. Root user Folder
  2. Desktop
  3. Pinned files
  4. Recycle Bin Artifacts
  5. Registry Artifacts
  6. App Data Artifacts
  7. Favorites Artifacts
  8. Send to Artifacts
  9. Swap Files Artifacts
  10. Thumb Cache artifacts
  11. HKey Class Root Artifacts
  12. Cookies Artifacts
  13. Program files Artifacts
  14. Meta Data Artifacts
  15. My Documents Artifacts
  16. Recent Folder Artifacts
  17. Restore Points Artifacts
  18. Print Spooler Artifacts
  19. Logo Artifacts
  20. Start menu Artifacts
  21. Jump lists

Information collected from any of these artifacts can be used to recreate the account history of a user. [2]

Windows Forensics Methodology:

Most systems store data related to the current session temporarily, spread across the registry, caches and RAM. This data is easily lost when the user switches the system off, and the session information is lost with it. Therefore, investigators need to extract it as a priority. The methods involved are as follows:

  1. Collection of Volatile Information: Volatile information includes the system time, logged-on users, network information, open files, network connections, network status, process information, command history, etc.
  2. Collection of Non-Volatile Information: Non-volatile information remains unchanged when a system is shut down. Examples are emails, word processing documents, spreadsheets and various deleted files.
  3. Windows Memory Analysis: The memory of a system is the storage space where the system keeps data required for processing, such as application files, virtual memory, etc. This space contains files and metadata required for the functioning of built-in and external applications. Investigators can analyze it to find the installed applications, recent events and other relevant data.
  4. Windows Registry Analysis: The registry contains information of potential evidential value that can support the forensic analyst in exploring the different aspects of an investigation. The investigator interacts with it through an intermediary application; the most common are the GUI registry editors that ship with Windows, regedit and regedt32.
  5. Cache, Cookies and History Analysis: The OS uses applications called browsers to connect to the internet and allow users to access external servers and cloud data. Browsers save data on the system in the form of cache, cookies and history. Investigators can gather and analyze this information to find the connections the system made, the protocols it used, the websites visited, and the content accessed and downloaded.
  6. Windows File Analysis: Windows uses special files to store the data needed by built-in functions such as print, store and restore. Analyzing these files helps investigators find the functions the victim or attacker used and makes it easier to define a timeline of events.
  7. Metadata Investigation: Metadata is information about the data stored on a system or device. It contains details such as the file type, creation and modification times, location, etc. Investigators can extract metadata to find the internal details of any file or application.
  8. Event Logs Analysis: Logs are sequential records of events that have occurred on, or been performed against, a system. All operating systems have the ability to store these records. Investigators can build a timeline from these logs and find the exact time and location of the attack.
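The first step above, collecting volatile information in order of volatility (system time first, then users, network state, processes, open files and command history), can be scripted so that each category is captured once, written to its own file and hashed for later verification. The following PowerShell script is an added example, not taken from the CHFI module or the cited article; the evidence path is a placeholder, and it assumes it is run from an elevated PowerShell 5.1 or later session on the live host.

```powershell
# Added example: volatile-information collection in order of volatility.
# Each category goes to its own file; a SHA-256 of every file is logged so the
# collection can be verified later. $OutDir is an assumed placeholder path.
param(
    [string]$OutDir = "E:\case-PLACEHOLDER\volatile"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir "collection.log"

function Save-Artifact {
    param([string]$Name, [scriptblock]$Command)
    $file  = Join-Path $OutDir "${Name}.txt"
    $start = Get-Date -Format o          # timestamp of this capture, ISO 8601
    try {
        & $Command | Out-String -Width 4096 | Set-Content -Path $file -Encoding UTF8
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        "$start`t$Name`tOK`t$hash" | Add-Content -Path $log
    } catch {
        "$start`t$Name`tFAILED`t$($_.Exception.Message)" | Add-Content -Path $log
    }
}

# 1. System time, last boot and time zone: every later timestamp is read relative to these.
Save-Artifact "system_time" {
    Get-Date -Format o
    (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    (Get-TimeZone).Id
}
# 2. Logged-on users (quser.exe lists interactive and RDP sessions).
Save-Artifact "logged_on_users" { quser 2>&1 }
# 3. Network configuration, live TCP connections with owning process, and DNS cache.
Save-Artifact "network_config" { Get-NetIPConfiguration -Detailed }
Save-Artifact "network_connections" {
    Get-NetTCPConnection | Sort-Object State |
        Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess -AutoSize
}
Save-Artifact "dns_cache" { Get-DnsClientCache }
# 4. Running processes with parent PID, start time and command line for the timeline.
Save-Artifact "processes" {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, CreationDate, ExecutablePath, CommandLine |
        Format-Table -AutoSize
}
# 5. Files currently open over SMB shares (only populated on a file server).
Save-Artifact "open_files" { Get-SmbOpenFile }
# 6. Command history of the current PowerShell session.
Save-Artifact "command_history" { Get-History }

Get-Content $log    # show what was captured and the hash of each file
```

Review the collection.log entries marked FAILED before leaving the host; a category that could not be captured live (for example Get-SmbOpenFile on a workstation) should be noted in the case record rather than assumed empty.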

Windows Forensics Tools:

  1. OS Forensics
  2. ProDiscover Forensic
  3. Event Log Explorer
  4. Memory Viewer
  5. RegScanner
  6. Registry Viewer
  7. Windows Forensic Toolchest (WFT), etc. [1]

References:

  1. CHFI Module 6, “Operating System Forensics”.
  2. Mare, A.L. (2014), “Windows Forensics & Security” [Online] (https://articles.forensicfocus.com/2014/04/14/windows-forensics-and-security/) Accessed on 4/6/2018.