Data Acquisition in Digital Forensics

Digital Forensics

Data Acquisition

What is Data Acquisition?


Definition: Data acquisition is the process of creating a forensic copy (an
"image") of the contents of a storage device, such as a hard drive, SSD, or
USB stick.

Important Rule: Never examine or modify the original evidence. Image it once
(through a write blocker), hash both the source and the image, and do all
analysis on a working copy of that verified image so the original keeps its
evidentiary integrity.

Volatility of Storage Mediums (from most to least volatile):

1. CPU Registers – Change with every instruction; lose content instantly if power
is cut.

2. Cache Memory – Fast memory inside the CPU, contents are lost quickly.

3. RAM – Stores active data like running programs, erased when the system shuts
down.

4. Disk Data – More stable; stays even after shutdown unless intentionally
deleted.

5. External and Secondary Storage – Least volatile; stored for long-term use and
usually duplicated.

Types of Data Acquisition:


1. Static Acquisition

Performed when the system is powered off.

Targets non-volatile data like files on the hard drive.

Safer and more reliable because data won’t change during the process.

2. Dynamic Acquisition

Performed on a live (running) system.

Captures volatile data like RAM, running processes, and open connections.

Digital Forensics 1
Important in incident response scenarios, but riskier: the system keeps
changing while you collect, and the collection tools themselves alter memory
and disk state, so document the order and time of every step.

3. Dead Acquisition

Similar to static, but done without using the suspect's own OS.

Uses a hardware write blocker or a bootable forensic disk to bypass the
installed OS and read the disk directly, so nothing on the evidence drive is
touched.

Storage Formats for Acquired Data:


1. Raw Format

A bit-for-bit copy of the source disk with no compression and no embedded
metadata; the hash has to be kept separately (for example in a text file
next to the image).

Most compatible with forensic tools.

Tool example: the dd command on Linux/UNIX systems (the output name is a
placeholder here):

dd if=/dev/sda of=/mnt/usb/<image file>
dd if=/dev/sda of=/mnt/usb/<image file> bs=1G

Practical additions: conv=noerror,sync keeps going over unreadable sectors
and pads them with zeros so the image keeps its geometry, status=progress
shows throughput, and a large bs (1M to 1G) is much faster than the default
512 bytes. Forensic variants such as dc3dd and dcfldd also hash while
copying.

2. Advanced Forensics Format (AFF)

Developed to save space and include metadata and checksums.

Supports compression and integrity verification.

Stores data in 16MB blocks for efficient processing and transport

Live Data Acquisition – What to Collect:


When acquiring data from a live system, prioritize collecting:

1. System Information

OS name/version, product key, computer hostname, list of user accounts,
device manufacturer, CPU details, RAM size.

2. OS Configuration

Time zone, system uptime, installed languages, updates, and hotfixes.

3. RAM Dump & Running Processes

Snapshot of system memory and a list of active programs; very useful in
malware analysis. Take the memory dump first, before the other steps load
new processes into memory.

4. System Logs

Includes security logs, application logs, and event history that help track
user/system activity.

5. Network Configuration

Network interfaces (NICs), IP addresses, MAC addresses, routing tables, and
open ports and connections.
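Added example (not from the original notes): a small Python runner that collects the items above from a live host in volatility order, hashing each command's output so the manifest can be attached to the chain of custody. The command lists are illustrative and assume the standard Linux (ps, ss, ip) or Windows (tasklist, netstat) tools are on the PATH; the function and field names are this example's own.

```python
import hashlib
import platform
import subprocess
from datetime import datetime, timezone

# Per-platform command lists for the items listed above, most volatile first.
# These are illustrative defaults (assumed to be on PATH), not a complete kit.
COMMANDS = {
    "Linux": [
        ("clock", ["date", "-u"]),                      # record the host clock first
        ("uptime", ["uptime"]),
        ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
        ("sockets", ["ss", "-tunap"]),                  # open ports and connections
        ("interfaces", ["ip", "addr"]),
        ("routes", ["ip", "route"]),
        ("logged_in", ["who"]),
        ("os", ["uname", "-a"]),
        ("accounts", ["cat", "/etc/passwd"]),
    ],
    "Windows": [
        ("clock", ["cmd", "/c", "echo %DATE% %TIME%"]),
        ("processes", ["tasklist", "/v"]),
        ("sockets", ["netstat", "-anob"]),
        ("interfaces", ["ipconfig", "/all"]),
        ("routes", ["route", "print"]),
        ("system", ["systeminfo"]),
    ],
}


def collect(commands, timeout=60):
    """Run each (name, argv) pair in order and return a manifest entry per
    command: UTC capture time, exit code, raw output and its SHA-256.  A tool
    that is missing or hangs is recorded as an error and collection continues;
    on a live host every skipped item is still a documented decision."""
    manifest = []
    for name, argv in commands:
        captured_at = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            output, rc, error = proc.stdout, proc.returncode, proc.stderr.decode(errors="replace")
        except (OSError, subprocess.TimeoutExpired) as exc:
            output, rc, error = b"", None, str(exc)
        manifest.append({
            "name": name,
            "argv": argv,
            "captured_at": captured_at,
            "rc": rc,
            "bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
            "output": output,
            "error": error,
        })
    return manifest


def default_commands():
    return COMMANDS.get(platform.system(), [])


if __name__ == "__main__":
    for entry in collect(default_commands()):
        print(f"{entry['captured_at']} {entry['name']:<11} rc={entry['rc']} "
              f"{entry['bytes']:>8} bytes sha256={entry['sha256'][:16]}...")
```

Write the manifest and the raw outputs to removable media, not to the suspect disk, and hash the manifest file itself once collection is finished.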

Common Tools for Acquisition:

1. Write Blocker
A hardware device placed between the evidence drive and the workstation: it
passes read commands through and drops every write, so the OS cannot touch
the drive (not even to update a last-access timestamp or replay a journal).

2. Bootable Disks
These are external operating systems (like a Linux Live CD) that run on the
suspect's computer without booting into its native OS.

Allows the investigator to collect data without the installed OS making
changes to the evidence.

In many cases the investigator copies the evidence onto an external USB disk,
but the moment Windows sees a new disk it may write to it (mount it
read/write, create System Volume Information, update timestamps). So what can
we do?

USB Write Blocking in Windows (When a Hardware Write Blocker is Not
Available):
Used to stop Windows from writing to USB mass-storage devices.

Steps:

1. Open regedit

2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

3. Create a new key: StorageDevicePolicies

4. Inside it, create a new DWORD (32-bit) value called WriteProtect

5. Set its value to 1 (this enables write protection)

6. Restart the system (or at least unplug and reconnect the device) to apply
the change

Result: USB mass-storage devices are mounted read-only and Windows will not
write to them.

Caveats: this is a software control and only a fallback. It applies only to
USB storage, not to drives attached by SATA, eSATA or FireWire; it must be
verified on a scratch drive before it is trusted with evidence (try to create
a file on the scratch drive and confirm the write is refused); and the
setting has to be reverted on the workstation afterwards. Document that it
was used.

3. FTK Imager
One of the best-known tools in the forensics world. It lets the investigator
acquire various types of storage devices and store them in different formats
(raw/dd, E01, AFF) for analysis.

The important thing when taking an image of a disk is to save the
verification results (the hashes of the source and of the image, which must
match) and document them as part of the chain of custody.
4. BriMor Labs – Live Response Collection
A scripted framework for collecting system information from a live machine.
Includes tools and scripts to gather logs, memory, user data, processes, and
more.

Often used in incident response and malware investigations.

5. Volatility Framework
Volatility Framework is an open-source memory forensics tool written in
Python. It is used to extract digital artifacts from memory dumps (RAM).

Allows investigators to get a detailed snapshot of system activity at
runtime, such as: running processes, open files, loaded DLLs, suspicious
behaviours (hidden processes, injected code), network connections.

Especially useful for malware analysis and incident response.

It reads raw memory images as well as several other sources that contain a
copy of RAM: Windows crash dumps, the hibernation file and virtual machine
snapshots.

Microsoft Crash Dump —> a file automatically created by Windows during a
system crash (such as the blue screen of death). It contains a copy of the
data that was in RAM at the moment of the crash, including active processes,
open files, and potentially the malware that caused the crash, which makes it
a valuable source of forensic evidence. Only a "complete memory dump" holds
all of physical memory; the default kernel or small (mini) dump holds much
less, so check which type the system was configured to write.

Hibernation File (hiberfil.sys) —> generated when a system enters hibernate
mode. The system writes the contents of RAM, including open applications and
processes, into the file hiberfil.sys on the system drive; when the system
resumes, this data is reloaded into RAM, restoring the state from before
hibernation. The file is stored compressed, so it is converted to a raw
image before analysis, and on recent Windows versions it may not hold all of
memory.

Virtual Machine Snapshots —> memory snapshots of virtual machines (e.g.,
VMware .vmem files or VirtualBox saved states), used to analyse virtualised
environments. Because the hypervisor writes them, they can be taken without
running any tool inside the guest.

Other Forensic Tools:

bulk_extractor
Scans disk images and extracts useful patterns: URLs, e-mail addresses, IP
addresses, credit card numbers, domain names, AES keys, and word lists for
password cracking.

Operates on the raw bytes without parsing file system structures, so it also
finds data in unallocated space and inside deleted files.

Validating Evidence Integrity:

Use cryptographic hash functions to generate a digital fingerprint of the
evidence (MD5, SHA-1, SHA-256). Hash the source before imaging and the image
after; the two must match, and the same hash should be recomputed on the
working copy before every analysis session. MD5 and SHA-1 are no longer
collision resistant, so record SHA-256 alongside them (many tools still
report MD5 for compatibility).
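Added example, not part of the original notes, covering both the raw imaging described earlier and the hash verification above: a Python imager that copies a source to an image while computing MD5 and SHA-256, zero-fills unreadable regions the way dd conv=noerror,sync does, and re-hashes the result. FlakySource is a constructed in-memory stand-in for a drive with a bad region; on a real system src would be open('/dev/sdX', 'rb') behind a write blocker.

```python
import hashlib
import io

CHUNK = 4 * 1024 * 1024          # read size; plays the role of dd's bs=


def hash_bytes(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def acquire(src, dst, chunk=CHUNK, algos=("md5", "sha256")):
    """Copy src to dst bit-for-bit while hashing what is written.  A read that
    fails is replaced by zeros and its offset recorded (what dd conv=noerror,sync
    does), so the image keeps the source geometry instead of silently shrinking."""
    total = src.seek(0, io.SEEK_END)
    src.seek(0)
    digests = {a: hashlib.new(a) for a in algos}
    bad_offsets, copied = [], 0
    while copied < total:
        want = min(chunk, total - copied)
        try:
            block = src.read(want)
        except OSError:
            block = b"\x00" * want
            bad_offsets.append(copied)
            src.seek(copied + want)
        dst.write(block)
        for d in digests.values():
            d.update(block)
        copied += len(block)
    report = {a: d.hexdigest() for a, d in digests.items()}
    report.update(bytes=copied, bad_offsets=bad_offsets)
    return report


def verify(image, expected_hex, algo="sha256", chunk=CHUNK):
    """Re-read the image from the start and compare with the recorded hash."""
    image.seek(0)
    h = hashlib.new(algo)
    while True:
        block = image.read(chunk)
        if not block:
            break
        h.update(block)
    return h.hexdigest() == expected_hex


class FlakySource(io.BytesIO):
    """Constructed stand-in for a drive: a read starting at a bad offset fails."""

    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, size=-1):
        if self.tell() in self.bad_offsets:
            raise OSError("simulated unreadable sector")
        return super().read(size)


def demo(chunk=1024):
    """Image a constructed 5 KiB source with one unreadable 1 KiB region, verify
    the image, and show that a single altered byte is caught on re-verification."""
    data = bytes(range(256)) * 20                       # constructed sample data
    image = io.BytesIO()
    report = acquire(FlakySource(data, bad_offsets=[2 * chunk]), image, chunk=chunk)
    expected = data[:2 * chunk] + b"\x00" * chunk + data[3 * chunk:]
    raw = image.getvalue()
    tampered = io.BytesIO(raw[:100] + bytes([raw[100] ^ 0xFF]) + raw[101:])
    return {
        "report": report,
        "matches_expected": report["sha256"] == hash_bytes(expected),
        "verified": verify(image, report["sha256"]),
        "tamper_detected": not verify(tampered, report["sha256"]),
    }


if __name__ == "__main__":
    result = demo()
    print(result["report"])
    print("verified:", result["verified"], "tamper detected:", result["tamper_detected"])
```

The bad_offsets list belongs in the acquisition notes: it explains why the image hash will never match a hash of the physical drive taken later with a tool that skips bad sectors differently.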

Exploring Evidence
Once an image has been acquired, the next step is to mount it in read-only
mode. This is critical to avoid making any accidental or unwanted changes to
the evidence. Some forensic exploration tools may contain bugs or
vulnerabilities that could modify the content if mounted in read/write mode,
potentially destroying the validity of the image.

Tools used for exploring forensic images on Windows —> FTK Imager,
OSFMount, Arsenal Image Mounter.

Example command in Linux (the image name is a placeholder; this mounts the
NTFS partition inside a raw disk image):

mount -o ro,loop,noexec,show_sys_files,streams_interface=windows,offset=$((2048*512)) <image file> /mnt/case1

Note that offset= is in bytes, not sectors: a partition starting at sector
2048 begins at byte 1048576 (2048 x 512). The show_sys_files option exposes
the NTFS metadata files ($MFT, $LogFile, ...) and streams_interface=windows
makes alternate data streams visible as file:stream. noexec prevents
anything in the image from being run by accident, and the hash of the image
should be checked again after unmounting.
Data Representation & Files Examination

File Identification
File Type Detection Methods

Extension-based: based on the file's extension, such as .docx, .jpg, .exe.
This is how Windows chooses which program opens a file, and it is trivially
defeated by renaming.

Signature-based: relies on unique binary patterns (magic numbers) at the
start of the file; this is what the Linux file command and most forensic
tools do, so a renamed file is still identified correctly.

Structure-based: parses the file's internal organisation (for example, a
DOCX is a ZIP container holding [Content_Types].xml and word/document.xml);
it is the most reliable method and the only one that tells apart formats
that share a container.

Important Locations for Metadata Analysis

1. Magic Number: A unique sequence of bytes at the start of a file used to
identify its type (for example 4D 5A "MZ" for PE executables, 25 50 44 46
"%PDF" for PDF, 50 4B 03 04 for ZIP-based formats such as DOCX).

2. File Header: Format-specific information that follows the magic number,
such as version, dimensions or size, and sometimes author or creation date.

3. MFT Records (Master File Table): Part of NTFS. Stores metadata for each file
including attributes and timestamps.

NTFS and MFT

NTFS is the file system used by Windows. It supports advanced features like
file compression, encryption, and metadata storage.

The MFT stores one or more records for every file. Each record contains
information like the file's name, permissions, and timestamps; small files
(under roughly 700 bytes) are stored entirely inside their MFT record
("resident" data).

The first 16 MFT entries (0-15) are reserved for the file system's own
metadata files ($MFT, $MFTMirr, $LogFile, $Bitmap, ...), and entries up to 23
are kept reserved as well.

Deleted files keep their MFT record (marked as not in use) until the entry is
reused, which is why their names, timestamps and data locations are often
still recoverable.

File Header

Found at the beginning of most files; it helps determine how to open,
process, and classify a file.

Contains metadata like file size, type, author, and more.

Not all files have headers (for example, plain text files).

You can use a hex editor to inspect headers and trailers.

Types of Metadata

1. System Metadata: Managed by the operating system. Includes file size,
location, permissions, ownership, and last accessed/modified times.

2. Substantive Metadata: Describes the file content itself (e.g., what the file is
about).

3. Embedded Metadata: Stored inside the file, such as EXIF data in images.

4. External Metadata: Stored outside the file but still linked to it (e.g., in a
document management system).

Key OS Metadata Attributes (MACE timestamps)

Create: When the file was created on this file system (not when its content
was first written; a copied file gets a new creation time).

Access: Last time the file was read or opened. Windows has disabled
last-access updates on NTFS by default since Vista, so treat this value as
unreliable.

Modify: Last time the content of the file changed.

EM (Entry Modified): Last time the MFT record itself changed (rename,
attribute or size change). Not shown by Explorer.

These attributes are critical for forensic timelines during investigations.
NTFS keeps two sets of them, in the $STANDARD_INFORMATION and $FILE_NAME
attributes; timestomping tools normally alter only the first set, so a
mismatch between the two is a red flag.

DMS (Document Management System)

A system that manages and logs documents, user access, and editing history.

Examples include OpenKM.

DMS systems generate metadata records to track and organize files.

Investigators must understand how metadata is stored in the DMS before
extracting it.

Temporary Files

Created by applications or the OS for short-term data storage. If not deleted
properly, they can reveal valuable information.

Word and other apps use temporary files while editing documents.

If a crash occurs, temp files may remain on the system.

Swapping and Caching

Swapping: If RAM is full, the OS uses part of the disk as temporary memory
(pagefile.sys on Windows, a swap partition or file on Linux); fragments of
process memory, including passwords and keys, can survive there.

Caching: Browsers and other apps store files temporarily to speed up
loading.

Data Hiding Locations

ADS (Alternate Data Streams): the NTFS file system (used by Windows)
has a feature called Alternate Data Streams. It allows additional data to
be stored inside a file (addressed as name:stream) without changing its
visible size or appearance in Explorer.

💡 To neutralise data exfiltration through ADS, move the suspicious file
to a FAT32 partition: FAT32 does not support ADS, so the hidden streams are
dropped. Do this only on a copy, after the original with its streams has
been preserved and hashed, because the streams themselves are evidence.

ADS Detection Tools

Built in: dir /r in cmd, or Get-Item -Path <file> -Stream * in PowerShell;
third-party tools such as ADS Detector list them across a whole volume.

Copying files to FAT32 removes ADS, as it is an NTFS-only feature.

Registry: the Registry is a hierarchical database that holds configuration
data for the operating system and applications. On disk it lives in hive
files (SYSTEM, SOFTWARE, SAM, SECURITY under Windows\System32\config, and
NTUSER.DAT in each user profile).

What does the Registry look like from the inside?
The Registry is organized into directories called "Keys".

Each Key contains one or more "Values", and each Value holds specific Data.
The Windows Registry exists only on Windows operating systems.

Metadata: can contain hidden data not visible in normal file views.

DOCX file Analysis

Old Microsoft Office formats like DOC, PPT, and XLS were binary files (OLE
Compound File containers) that stored both content and formatting. These
formats were used in older versions like Word 2003. They have been replaced
by XML-based formats such as DOCX, XLSX, and PPTX, which are easier to
parse, more secure, and structured as ZIP archives containing XML files.

A legacy DOC file consists of three main streams:

1. WordDocument stream (the "main stream"):
The core part of the DOC file. It contains the main document text and
begins with the header, the File Information Block (FIB), which holds
metadata such as sizes and properties and maps out the locations of the
other structures inside the file.

2. SummaryInformation stream:
Contains a summary of the document, including metadata like the author of
the file.

3. Table stream (0Table or 1Table):
Stores the structures the FIB points into, such as formatting tables and
the piece table that locates the text; embedded objects (images, OLE objects)
live in further streams such as Data and the ObjectPool storage.

Benefits of XML Format (used in DOCX):
The shift to XML-based formats (like DOCX) makes parsing easier and more
secure compared to older binary formats.

DOCX files are actually ZIP archives that store metadata (in the docProps
directory) in the form of XML files.

docProps/core.xml (author, dates, revision count) and docProps/app.xml
(application, editing time, company) usually hold the metadata about the
document.

A plain DOCX cannot carry VBA macros; the macro-enabled variant is DOCM,
where the macro project is stored as word/vbaProject.bin inside the archive.
That file, and the external-template and OLE-object references in the
relationship files, are the first things to look for when a document is
suspected of being malicious.

PDF analysis

1. Header
The header of the PDF contains the version of the PDF format used. In this
example we have PDF 1.4, written as the comment line %PDF-1.4 and followed by
a second comment line.

That second line holds four or more bytes with values above 127; it tells
applications to treat the file as binary data, not just text.

2. PDF Body
The body of a PDF file contains the main content that the reader sees. This
content includes: text, images, Flash elements, strings, JavaScript code.

Each piece of data is called an object. Objects are the building blocks of a PDF file.

Every object has a unique ID and a generation number (updated if the object is
changed).

An object starts with obj and ends with endobj .

3. Streams
A stream is a section inside the PDF that stores large or related data (like
images, fonts, embedded files or scripts). It is placed between the stream
and endstream keywords, and its dictionary names the filters applied to it
(/FlateDecode, /ASCIIHexDecode, ...).

Streams are usually compressed to save space on disk.

During forensic analysis you must decompress and decode streams to see
their real content, because a keyword search over the raw file cannot see
anything that sits inside a compressed stream.

4. Suspicious Keywords to Watch For

When analyzing PDFs for malicious behavior, look for names that may indicate
suspicious or dangerous content:

🔹 JavaScript
Names like:

/JavaScript

/JS

/RichMedia

indicate that JavaScript (or rich media such as Flash) is embedded, which
may be used to exploit vulnerabilities in PDF readers.

🔹 Actions
Look for:

/OpenAction

/AA (additional actions, triggered by events such as opening a page)

/Launch

/Named

/AcroForm

These trigger actions automatically when the PDF is opened or an event
fires. /Launch in particular can be abused to run an external program or
script.

🔹 URL

If the file contains /URI entries, it might try to connect to an external
attacker's server to download more malicious code (payload).

🔹 Encryption
Names like:

/Encrypt

mean that some content in the PDF is encrypted and might be hiding data or
scripts. /EmbeddedFile is worth the same attention: it marks an attached
file, which is a common way to smuggle a second document or an executable.

5. XREF Table (Cross Reference Table)

This table helps the PDF reader quickly find the location of all objects
inside the file.

It maps object numbers to their exact position (byte offset) within the
file.

1. The line after the xref keyword, "0 1774" in this example, gives the
number of the first object in the subsection (0) and the number of entries
that follow (1774).
2. Each entry is a 10-digit byte offset, a 5-digit generation number and a
flag: n means the object is in use, f means it is free.

6. Trailer

The trailer is the last section of the file.

It begins with the keyword trailer, and the file ends with the %%EOF marker.

The content of the trailer is a dictionary contained within << >>.

The Size field indicates the number of entries in the xref table.

The Root field points to the root object of the PDF structure (the
document catalog).

The Info field points to the metadata object of the document.

The startxref field indicates the byte offset of the xref table (761439
bytes in this case). Note that a PDF that has been updated can carry several
xref/trailer pairs (incremental updates), and PDF 1.5+ files may use
cross-reference streams instead of a classic table, in which case the keyword
trailer does not appear.

Tools
1. peepdf: parses the PDF and shows you the header information, objects,
version, streams and suspicious elements.
2. pdfid.py and pdf-parser.py (Didier Stevens): pdfid counts the names
listed above in the raw file; pdf-parser walks individual objects and can
decode (inflate) their streams, which is needed to see names hidden inside
compressed streams.
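Added example (not from the notes and not code from peepdf or the other tools): a Python scanner that builds a small constructed PDF whose JavaScript lives inside a FlateDecode stream, scans the raw bytes and then the inflated streams for the names listed above, and reads the trailer to check that startxref really points at an xref table. The keyword list and all helper names are this example's own.

```python
import re
import zlib

# Names worth flagging (illustrative list); the lookahead in scan() stops
# "/JS" from matching the start of a longer name such as "/JSON".
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/URI", b"/RichMedia", b"/AcroForm", b"/Encrypt", b"/EmbeddedFile"]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>\s*startxref\s*(\d+)", re.S)


def build_sample_pdf():
    """Constructed 3-object PDF: the catalog's OpenAction points at object 3,
    a FlateDecode stream whose inflated content is a JavaScript action."""
    js = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js) + js + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")   # header + binary-marker comment
    offsets = []
    for num, body in enumerate(bodies, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(bodies) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(bodies) + 1, xref_at)
    return bytes(out)


def iter_objects(pdf):
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def inflate_streams(pdf):
    """Return {object number: stream bytes}, inflating FlateDecode streams.
    A stream that fails to inflate is returned as-is (still worth a look)."""
    streams = {}
    for num, _gen, body in iter_objects(pdf):
        m = STREAM_RE.search(body)
        if not m:
            continue
        raw = m.group(1)
        if b"/FlateDecode" in body[:m.start()]:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass
        streams[num] = raw
    return streams


def scan(pdf):
    """Count each suspicious name in the raw file and in every inflated stream,
    e.g. {'/OpenAction': {'raw': 1}, '/JavaScript': {'stream:3': 1}}."""
    hits = {}

    def tally(blob, where):
        for name in SUSPICIOUS:
            n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", blob))
            if n:
                hits.setdefault(name.decode(), {})[where] = n

    tally(pdf, "raw")
    for num, data in inflate_streams(pdf).items():
        tally(data, "stream:%d" % num)
    return hits


def parse_trailer(pdf):
    """Read the classic trailer and confirm startxref lands on an xref table."""
    m = TRAILER_RE.search(pdf)
    if not m:
        raise ValueError("no classic trailer; the file may use a cross-reference stream")
    entries, startxref = m.group(1), int(m.group(2))
    size = int(re.search(rb"/Size\s+(\d+)", entries).group(1))
    root = re.search(rb"/Root\s+(\d+\s+\d+\s+R)", entries).group(1).decode()
    return {"size": size, "root": root, "startxref": startxref,
            "xref_ok": pdf[startxref:startxref + 4] == b"xref"}


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(parse_trailer(sample))
    for name, where in scan(sample).items():
        print(name, where)
```

The point of the two passes is visible in the output: /OpenAction shows up in the raw scan, but /JavaScript and /JS are only found in stream 3 after inflation, which is exactly what a grep over the file would miss.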
EXE File Analysis
EXE files are executable files that contain instructions the processor
reads and executes.

On Windows these files use the PE (Portable Executable) format and the .exe
extension; Linux executables use the ELF format and usually have no
extension at all.
A PE file consists of a part called the Header and a part called the
Sections. The Sections contain the code and data.

In the Header you will find the data directories that point to the Imported
and Exported functions (the imports are the functions the EXE needs from
other modules; the exports are the functions it offers to others).

A PE (Portable Executable) file is not always an EXE.

It may be a DLL (Dynamic Link Library), which also contains executable code;
a DLL cannot be run directly like an EXE by double-clicking it.

Often an EXE uses code from a DLL through "Importing".

(The code inside the DLL is divided into smaller parts called "Functions".)

This means that when the EXE needs to use code from the DLL, it does not
need to include the entire DLL inside the EXE file.

Instead, the DLL "exports" specific functions and the EXE "imports" them by
name, and the Windows loader links the two at run time.

But importing is not the only way to run DLL code in Windows.

There is also a Windows system EXE called rundll32, whose job is to take a
DLL name and the name of the function you want to execute, and then run it
directly:

rundll32.exe <dll_file>,<entry_point>

Check the compile timestamp in the header: some compilers write a fixed
value instead of the real build time (classic Delphi builds, for example,
all show 19 June 1992), and malware authors also forge it, so compare it
with the timestamps of the file on disk and of any signing certificate.

Resource Section in the PE (Portable Executable)

In the PE (Portable Executable) file format (used in Windows executables,
DLLs, etc.), the Resource Section (.rsrc) is the part that stores embedded
binary resources like icons, images, dialogs, menus, version information,
and other static data used by the program.

Common PE (Portable Executable) Sections

.text   Contains the executable code (machine instructions). This is the
        main program logic.

.data   Stores global/static variables that are initialized and modified at
        runtime (e.g., int x = 5;).

.rdata  Holds read-only data (constants, string literals, etc.). Cannot be
        modified at runtime.

.rsrc   Contains embedded resources (icons, dialogs, menus, version info,
        fonts, etc.).

.idata  Stores the import tables (lists of external functions/DLLs the
        executable depends on).

.edata  Rare as a separate section. Contains the export table (for DLLs,
        lists the functions exposed to other programs).

.pdata  Used in 64-bit PE files for exception handling (stores unwind info
        for functions).

.reloc  Contains relocation data (address adjustments applied when the image
        cannot be loaded at its preferred ImageBase).

In the world of malware analysis, the .rsrc (Resource) section is a prime
target for investigators, and for good reason. Attackers frequently use it
to carry a second-stage payload (an encrypted or XOR-obfuscated PE stored as
a resource and dropped at run time), making it a goldmine for defenders who
know where to look: a large resource of no recognisable type with high
entropy is the typical sign.

Static analysis:
Involves analyzing the EXE without running it. This includes examining the
PE header (basic static analysis) or reverse engineering the content/code of
the EXE and viewing the assembly code, the CPU's own language (advanced
static analysis).

Submitting the suspicious PE to a sandbox is a quick first step, but remember
that advanced attackers build samples that detect sandboxes and antivirus
engines and change their behaviour, so a clean sandbox report is not proof
of a clean file.

CFF Explorer is a good tool with which to start checking the headers.

Portable Executable (PE) File Format

1. DOS Header

Signature: Always starts with MZ (bytes 4D 5A; read as a little-endian word
it is 0x5A4D).

Purpose: Provides backward compatibility with DOS. If the program is run in
a DOS environment, it shows a message like:
This program cannot be run in DOS mode.

Key Field: e_lfanew at offset 0x3C, the file offset of the PE header (very
important).

2. DOS Stub

Located immediately after the DOS Header.

Contains a small piece of 16-bit x86 code for legacy systems that prints the
message above.
Not important for modern analysis, but required for compatibility.

3. PE Signature

Found at the offset specified in e_lfanew.

Always starts with the 4-byte signature: PE\0\0 (50 45 00 00).

Marks the start of the actual PE file structure used by Windows.

4. File Header
This is the Common Object File Format (COFF) header. It contains metadata
about the PE file:

Machine           Type of CPU (e.g., 0x14c for x86, 0x8664 for x64)
NumberOfSections  Number of sections in the binary
TimeDateStamp     Compile time (UNIX timestamp, seconds since 1970)
Characteristics   Flags indicating properties (e.g., executable, DLL)

5. Optional Header

Despite the name, this is mandatory for executable files (it is optional
only for object files).

Key Fields:

Magic               0x10b for PE32, 0x20b for PE32+ (64-bit)
AddressOfEntryPoint RVA where execution starts
ImageBase           Preferred base address in memory
SizeOfImage         Total size of the loaded image in memory
Subsystem           Type of application (e.g., GUI, Console)
DllCharacteristics  Flags like ASLR (DYNAMIC_BASE), DEP (NX_COMPAT), etc.

6. Section Table
Describes the layout of each section in the PE file.

Common Sections:

.text Contains executable code

.data Initialized global and static variables

.rdata Read-only data (like strings, import table)

.rsrc Resources (icons, dialogs, bitmaps)

The important thing is to compare each section's virtual size with its raw
size.

Virtual Size:
How much memory the section will occupy when the PE (Portable Executable)
is loaded into memory.

Raw Data (SizeOfRawData):
How much space the section occupies on disk. Normally the two are close
(the raw size is just rounded up to the file alignment).
If a section is much larger in memory than on disk, especially a section
with a raw size of 0 that is marked executable and writable, it is a strong
sign that the code is packed or compressed: the unpacking stub in another
section decompresses the real program into that empty space at run time.
Packed binaries also tend to have very few imports, odd section names (UPX0,
UPX1, .aspack) and high entropy in the packed section.

dynamic analysis:
This method involves either running the PE within a contained environment (Virtual
Machines) and monitor its behavior using some tool (Basic Analysis) or running the
PE code step by step within a debugger and monitor its behavior (Advanced
Analysis)
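Added example, not from the notes and not code from CFF Explorer or any other tool named above: a Python PE32+ header walker that follows MZ -> e_lfanew -> PE\0\0 -> COFF header -> optional header -> section table, decodes TimeDateStamp and DllCharacteristics, and applies the virtual-size versus raw-size heuristic from the section on packing. build_sample_pe fabricates a header-only image (no section data) with a UPX-style empty section and the fixed Delphi timestamp mentioned earlier; the machine, subsystem and flag tables are deliberately partial.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "GUI", 3: "Console"}
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE (ASLR)",
             0x0100: "NX_COMPAT (DEP)", 0x0400: "NO_SEH"}

# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
SAMPLE_SECTIONS = [
    (b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
    (b"UPX1", 0x40000, 0x2000, 0x0, 0x1400, 0xE0000040),   # empty on disk, RWX
    (b".rsrc", 0x800, 0x42000, 0x800, 0x1400, 0x40000040),
]


def build_sample_pe(sections=SAMPLE_SECTIONS, timestamp=0x2A425E19):
    """Fabricate the headers of a PE32+ image (constructed; no section data)."""
    e_lfanew, opt_size = 0x80, 240                          # 240 = PE32+ optional header
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)            # ImageBase
    struct.pack_into("<I", opt, 56, 0x43000)                # SizeOfImage
    struct.pack_into("<HH", opt, 68, 3, 0x8160)             # Subsystem, DllCharacteristics
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, rp, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                     # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x20B:                                      # PE32+: 64-bit ImageBase at +24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:                                                   # PE32: BaseOfData at +24, ImageBase at +28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp, _, _, _, _, fl = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vs,
                         "virtual_address": va, "raw_size": rs, "raw_pointer": rp,
                         "executable": bool(fl & 0x20000000), "writable": bool(fl & 0x80000000)})
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(chars & 0x2000),
        "compiled_utc": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "entry_point_rva": entry,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "subsystem": SUBSYSTEMS.get(subsystem, subsystem),
        "dll_characteristics": [label for bit, label in DLL_FLAGS.items() if dllchars & bit],
        "sections": sections,
    }


def packing_indicators(pe, ratio=4):
    """Names of sections that are far larger in memory than on disk, or both
    writable and executable: the usual home of an unpacker's output."""
    return [s["name"] for s in pe["sections"]
            if s["virtual_size"] > ratio * max(s["raw_size"], 1)
            or (s["executable"] and s["writable"])]


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key, value in info.items():
        if key != "sections":
            print(f"{key:20} {value}")
    for s in info["sections"]:
        print(f"{s['name']:8} vsize={s['virtual_size']:#8x} raw={s['raw_size']:#8x}")
    print("packing indicators:", packing_indicators(info))
```

To use it on a real file, read it with open(path, 'rb').read() and pass the bytes to parse_pe; the compiled_utc value is what you compare against the on-disk timestamps, and 1992-06-19 is the Delphi constant rather than a build date.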

Disks
Analysis is divided into four layers:

1. Physical media

2. Volume

3. File system

4. Application and OS

Abstraction Layers

1. Physical Media Analysis

Meaning: analysing the disk at the level of sectors; this is the deepest
level of analysis.

2. Volume Analysis

Meaning: analysing the partitions on the disk (such as C:, D:, ...); this
gives you information about the partitions.

3. File System Analysis

Meaning: analysing the file system (NTFS, FAT32, EXT4, ...) so that you can
reach the files and directories.

4. File Analysis

Meaning: once you reach the files, you start analysing them in depth (look
at the metadata; analyse images, documents, PDFs, ...).

HDD components

1. platter : store the digital evidence.

2. spindle : spin the platter.

3. Head : is concerned with reading or writing on the platter.

4. Actuator : mechanical arm , that move the head for reading or writing in an
axis directions.

5. power connector

6. jumper block : used to configure the hard drives priority connected to the
same cable

7. IDE Connector : used to connect the HDD to the main board.

There are two physical addressing methods:
1. CHS: relative to Cylinder, Head, Sector. (0,0,1) means cylinder 0, head 0,
sector 1 (sectors are numbered from 1, cylinders and heads from 0). This
addressing method uses three bytes: 10 bits for cylinders, 6 bits for
sectors, 8 bits for heads, so the largest disk it can address is about 8 GB
(1024 x 256 x 63 x 512 bytes). The MBR partition table still carries CHS
fields in this packed form, although modern systems only use the LBA fields.

2. LBA: uses a single number to address each sector, counting from 0. To
convert a CHS address to LBA use this equation:

LBA Address = (((Cylinder x HeadsPerCylinder) + Head) x SectorsPerTrack) +
Sector - 1

Question:
Consider a disk with 16 heads per cylinder and 63 sectors per track. What
will the LBA address be for the CHS address (2,3,4)?
Answer:
LBA Address = (((2 x 16) + 3) x 63) + 4 - 1 = (35 x 63) + 3 = 2205 + 3 = 2208

Some Interface Types:

1. ATA: used as an interface with storage devices (HDD); now referred to as
PATA. You will still encounter such drives, as they have not retired yet,
but the interface was not flexible (master/slave jumpers, ribbon cables), so
it was superseded by SATA, which needs no special configuration or jumper.

2. ATAPI: uses the PATA or SATA interface, but as a packet protocol for
CD-ROMs, tape and Zip drives.

3. SCSI: Small Computer System Interface, commonly used with servers.

Solid State Drive (SSD)

First: What is an SSD?
SSD (Solid State Drive) is a type of modern storage device.

The difference between it and the traditional HDD is that:

It has no mechanical moving parts like the old hard drive (HDD).

It relies entirely on electronic chips to store data.

It is much faster in reading and writing.

What does it use for storage?

The SSD uses something called:

NAND Flash Memory

This is a type of electronic memory that can store data even if the power
is turned off (non-volatile).

Types of NAND Flash:


There are many types of NAND, and one of the most common is MLC (Multi-
Level Cell).

This type stores more than one bit per cell, providing higher capacity but
slower speed compared to other types like SLC.

The Chips Themselves:


A single chip in an SSD can range in size from 1 GB to 64 GB.

So the entire SSD consists of multiple chips combined to give you the final
storage size (like 256GB, 512GB, etc.).

Internal Storage Structure of the SSD:


1. Pages:
This is the smallest unit the device can read or write.

Its standard size is typically 4 KB.

2. Blocks:
Each block consists of multiple pages.

For example: a block may contain 128 pages.

🔁 The important difference:

Reading and writing happen at the page level.

Erasing happens at the block level.

So:

If you want to rewrite data on the SSD, the controller must erase the entire
block, even if only one page inside it has changed; in practice it writes
the new page elsewhere and marks the old one stale (wear levelling).

Forensic consequence: the TRIM command and the controller's background
garbage collection erase stale blocks on their own, so deleted data on an
SSD can disappear shortly after deletion without any further user action,
and two images of the same SSD taken at different times may not hash the
same. Image SSDs as early as possible and record this behaviour in the
notes.

Volumes and partitions

A disk is the actual hardware.
• A volume is a part of the disk that you can use to store data, like dividing
a book into chapters.
• A partition is a division of the disk.

Partition: an internal division of the disk; it does not necessarily show up
to the user.

Volume: the storage unit that appears in This PC with a letter such as C:
(a volume normally sits on one partition, but dynamic disks and RAID can
spread one volume over several partitions or disks).

Partition types
There are two main partitioning schemes:
• Master Boot Record (MBR), introduced with IBM PC DOS 2.0 in 1983
• GUID Partition Table (GPT)
Master Boot Record (MBR)

• Supports up to 4 primary partitions (one of them can be an extended
partition holding logical partitions).
• Can only handle disks up to 2 TB in size (32-bit sector counts x 512-byte
sectors).
• Older and less robust: a single 512-byte sector with no backup copy, used
since the 1980s.

MBR structure (one 512-byte sector, LBA 0):

Code Area: the boot code, 446 bytes, that the BIOS runs at startup; it
reads the partition table, finds the active (bootable) partition and loads
that partition's boot sector to start the operating system.

Master Partition Table: 64 bytes holding four 16-byte entries, one per
partition. Each entry records the boot flag, the partition type, the CHS
start and end, and (what actually matters today) the starting sector
(relative sector) and the total number of sectors.

Boot Record Signature: the final two bytes, 0x55 0xAA. It is not a check of
the OS; it is simply the marker the BIOS looks for to decide that the sector
holds valid boot code and a partition table.

MBR Lab time

First we must choose the drive template in 010 Editor.

Convert the sector number, relative sector and total sectors to decimal to
make them easy to read.

Relative Sector: the sector where the partition begins (relative to the
start of the disk, so it is also its LBA)
Total Sectors: total number of sectors in the partition

Modifying most bytes in the partition entry will not have a major impact,
unless the changes are made to the relative sector or the total sectors. In
that case the OS will look for the file system in the wrong place and the
partition will appear corrupted. The reverse is also true: a wiped or
altered partition table does not destroy the file system, it only hides it.

How to find the beginning of a partition if the partition table is
corrupted?

Search the image for the file system's own signature: an NTFS boot sector
(VBR) carries the ASCII string "NTFS    " at byte 3 and ends with 0x55AA,
and a FAT32 boot sector has "FAT32   " at byte 82. A hit whose sector number
is a multiple of 2048 (or 63 on old disks) is almost certainly a partition
start.
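Added example (not the 010 Editor template and not code from any tool above), serving the CHS/LBA section, the mount offset discussed under Exploring Evidence, and the lab above: a Python MBR builder/parser that checks the 0x55AA signature, decodes each entry's packed CHS and LBA fields and cross-checks one against the other with the formula from the CHS/LBA section, computes the byte offset a mount command needs, flags a 0xEE protective entry, and carves a raw image for the "NTFS    " signature when the table is damaged. The disk image is constructed; 255 heads and 63 sectors per track is the conventional LBA-assist geometry, an assumption for the CHS cross-check.

```python
import struct

HEADS, SPT = 255, 63   # assumed LBA-assist geometry for CHS <-> LBA conversion


def chs_to_lba(c, h, s, hpc=HEADS, spt=SPT):
    return ((c * hpc) + h) * spt + (s - 1)


def lba_to_chs(lba, hpc=HEADS, spt=SPT):
    c, rem = divmod(lba, hpc * spt)
    h, s = divmod(rem, spt)
    return (c, h, s + 1) if c <= 1023 else (1023, 254, 63)   # BIOS cap for big disks


def pack_chs(c, h, s):
    # MBR layout: [head][sector (6 bits) | cylinder high 2 bits][cylinder low 8 bits]
    return bytes([h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])


def unpack_chs(b):
    return (((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F)


def build_mbr(entries):
    """entries: list of (bootable, type, start_lba, sector_count). Constructed MBR."""
    mbr = bytearray(512)
    mbr[:4] = b"\xFA\x33\xC0\x8E"                 # stand-in for the 446-byte boot code
    for i, (bootable, ptype, start, count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off] = 0x80 if bootable else 0x00
        mbr[off + 1:off + 4] = pack_chs(*lba_to_chs(start))
        mbr[off + 4] = ptype
        mbr[off + 5:off + 8] = pack_chs(*lba_to_chs(start + count - 1))
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr, sector_size=512):
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        if e[4] == 0:
            continue                                  # empty slot
        start, count = struct.unpack_from("<II", e, 8)
        c, h, s = unpack_chs(e[1:4])
        parts.append({
            "slot": i, "bootable": e[0] == 0x80, "type": e[4],
            "gpt_protective": e[4] == 0xEE,
            "start_lba": start, "sectors": count, "end_lba": start + count - 1,
            "byte_offset": start * sector_size,       # value for mount -o offset=
            "size_bytes": count * sector_size,
            "chs_start": (c, h, s),
            "chs_matches_lba": chs_to_lba(c, h, s) == start,
        })
    return parts


def find_ntfs_boot_sectors(image, sector_size=512):
    """Carve for NTFS VBRs: OEM ID 'NTFS    ' at byte 3 of a sector ending in 55 AA."""
    hits, pos = [], image.find(b"NTFS    ")
    while pos != -1:
        sector_start = pos - 3
        if sector_start % sector_size == 0 and \
                image[sector_start + 510:sector_start + 512] == b"\x55\xAA":
            hits.append(sector_start // sector_size)
        pos = image.find(b"NTFS    ", pos + 1)
    return hits


def build_sample_image():
    """Constructed image: MBR, then an NTFS VBR at sector 2048."""
    mbr = build_mbr([(True, 0x07, 2048, 204800)])
    vbr = bytearray(512)
    vbr[:3] = b"\xEB\x52\x90"
    vbr[3:11] = b"NTFS    "
    vbr[510:] = b"\x55\xAA"
    return mbr + bytes(512 * 2047) + bytes(vbr)


if __name__ == "__main__":
    image = build_sample_image()
    for p in parse_mbr(image[:512]):
        print(p)
    print("NTFS boot sectors found at:", find_ntfs_boot_sectors(image))
```

On a real raw image the same two calls apply: parse_mbr(open(path, 'rb').read(512)) gives the byte_offset for the mount command, and find_ntfs_boot_sectors over the whole file recovers partition starts when the table has been wiped.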
GUID Partition Table (GPT)
• Supports many partitions: the header says how many entries the table has,
and Windows creates 128 by default.
• Can handle disks larger than 2 TB (64-bit LBA values).
• More modern and reliable (used with UEFI systems): every structure carries
a CRC32 checksum and the whole table is stored twice.

GPT structure

What is the Protective MBR?

This is a clever trick used for backward compatibility:

Older systems and software only recognize MBR, and they might think a GPT
disk is unallocated or corrupted and offer to format it.

To prevent this, a single fake partition entry (type 0xEE) is placed in the
MBR at LBA 0.

This fake partition:

Covers the entire disk if it's smaller than 2 TB.

Covers the first 2 TB only (0xFFFFFFFF sectors) if the disk is larger than
that.

GPT Header:
Located at LBA 1, it includes:

The address of the backup GPT header

The starting LBA of the partition entry array (normally LBA 2) and the
number and size of its entries

The first and last usable LBA for partitions

A disk GUID, and CRC32 checksums of the header and of the entry array, with
which an examiner can check whether the table has been tampered with

GPT Backup:
A backup GPT header and partition table are located at the end of the disk
(the header in the very last LBA).

This ensures recovery in case the main GPT data is damaged, and a mismatch
between the primary and the backup copies is itself a finding.

Hidden Protected Area

The HPA is an area at the end of the disk that the drive itself hides from
the operating system (it reports a smaller capacity than it has), which
means vendors, or a suspect, can store data there that cannot be erased with
a normal operating system format of the drive. A Device Configuration
Overlay (DCO) can hide a further region beyond the HPA, so check for both;
removing them changes the drive's reported size, so do it only in a
documented way and re-hash afterwards.

Tools to detect the existence of an HPA:

1. hdparm (hdparm -N /dev/sdX shows the visible versus the native maximum
sector count; a difference means an HPA is set)

2. TSK (The Sleuth Kit)

3. ATATool

4. EnCase by Guidance Software

File system

FAT

What is a file system for?

1. It keeps track of the files that are stored on the disk or partition.
2. It organizes files and directories so that access to them is easy.
3. It lets you move between files easily.
4. It even tracks file names and the sectors on which each file is stored,
and more.

When you delete a file you are not erasing the file's actual data; you are
erasing the pointer that points to and tracks that file (so the file system
can no longer reach it), but the actual data stays on disk until it is
overwritten, as discussed before.

Sector vs cluster
A sector belongs to the hard disk; a cluster belongs to the file system.
A sector is the smallest unit of storage on a disk, and its size is usually
fixed at 512 bytes (especially on traditional hard drives; newer disks use
4096-byte "Advanced Format" sectors).

On the other hand, a cluster is a group of one or more sectors.

So the size of a cluster can vary depending on how many sectors are
combined within it.
For example:

1 cluster = 4 sectors → Cluster size = 4 × 512 bytes = 2048 bytes (2 KB)

This flexibility in cluster size helps the file system manage data more
efficiently depending on disk size and format.

The number of sectors per cluster is determined during the formatting
process of a disk or partition. It depends on the size of the partition or
disk: larger partitions typically get larger clusters to reduce overhead
and improve performance.

You can find the number of sectors per cluster in the boot record, which
stores key information about the file system structure. Because a file
rarely fills its last cluster exactly, the unused tail (file slack) can
still hold fragments of whatever was stored in those sectors before.

File Allocation Table


The File Allocation Table is a linked list of all the clusters. It
contains the status of the cluster and the pointer to the next cluster
in the chain.

In summary, the bits that make up a file are stored in clusters. All the filenames
on a file system, their starting clusters, and their lengths are stored in
directories.
And the location of each cluster on the disk is stored in the File Allocation
Table. We can see that we started with a raw disk composed of bits and
organized it to define what group of bits refers to what file stored on the disk.

FAT12, FAT16, FAT32 – What do the numbers mean?

Type    Bits used to address clusters    Maximum clusters

FAT12   12 bits                          2¹² = 4,096

FAT16   16 bits                          2¹⁶ = 65,536

FAT32   28 bits (of a 32-bit entry)      2²⁸ ≈ 268 million

Why is this important?


If you use FAT12, you can only manage a small number of clusters (≈4096).

That limits how large the disk/partition can be.

For larger storage devices, you need FAT16 or FAT32 to efficiently manage
more space

FAT structure

FAT12, 16

FAT32

Understanding FAT File System Structure (Hierarchical View)

1. The FAT family includes 4 main variants:

FAT12

FAT16

FAT32

exFAT

2. FAT32 has a specific structure and is widely used.

3. A FAT32 volume is divided into four main regions:

Reserved Region

FAT1

FAT2

Data Region

4. The Reserved Region contains important system data; its length is stored
in the boot sector and is typically 32 sectors on FAT32 (1 sector on FAT12
and FAT16).

5. Inside the Reserved Region you will find:

Boot Sector

FSINFO

Boot Strap

Reserved Sectors

1- Boot sector
FAT 12, 16

FAT32

The boot sector (sector 0 of the volume) holds the BIOS Parameter Block:
bytes per sector, sectors per cluster, number of reserved sectors, number of
FATs, sectors per FAT and (on FAT32) the cluster of the root directory, as
well as the "FAT32   " type string at byte 82 and the 0x55AA signature at
bytes 510-511. FAT32 keeps a backup copy of it, normally at sector 6.

2- FSINFO
This sector (normally sector 1) contains information the operating system
uses while allocating and freeing clusters: a count of free clusters and a
hint for the next free cluster. Both values are only hints and may be stale.

3- Boot Strap
There is not much to be said about it: it is the boot code and padding that
follow the BPB, and the sector ends with the signature 0x55AA.

2- FAT Area
A file can occupy more than one cluster, so the FAT entry of its first
cluster holds the number of the next one in the chain, and so on, until an
entry holds the end-of-chain marker (0x0FFFFFF8 to 0x0FFFFFFF on FAT32).
An entry of 0 means the cluster is free; 0x0FFFFFF7 marks a bad cluster.

💡 The first data cluster is #2, because entries #0 and #1 are reserved.

How to look at the FAT entries?

1. Go to the boot sector.
2. Read the value in the "Reserved No. of Sectors" field.
3. Then go to that sector number: FAT1 begins there, and FAT2 (its mirror)
follows after "sectors per FAT" sectors. Each FAT32 entry is 4 bytes, so
the entry for cluster N is at byte N x 4 inside the FAT (only the low 28
bits are significant).
3- FAT Data Area

FAT uses the 8.3 naming convention: 8 characters for the name, 3 for the extension.
FAT32 systems have two types of directory entries:

1. Short File Name (SFN): limited to 8 characters for the name, stored in ASCII (upper case).

2. Long File Name (LFN): supports names up to 255 characters, but one LFN entry can only hold 13 characters, stored in Unicode (UTF-16), so a long name is spread over several LFN entries that precede the SFN entry on disk.

Example: eLearnSecurity DFP [Link] is a file whose name does not fit in one entry; the split shown here is 13 + 13 + 3 characters, leading to:

SFN Entry = (ELEARN~[Link])

LFN Entry #1 holding (eLearnSecurit)

LFN Entry #2 (y DFP Course.)

LFN Entry #3 (doc)

Deleting a File

1. When the file is deleted, the first byte of its directory entry is overwritten with 0xE5 (the rest of the entry, including the starting cluster and the size, is left in place).

2. The content still exists on the disk until the clusters are reused.

3. The FAT entries for the file's clusters are all zeroed out, so the chain is lost; recovery tools therefore assume the file was stored contiguously from its starting cluster.
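The three steps above (boot sector → reserved sector count → FAT) and the deletion behaviour can be exercised end to end on a small in-memory FAT16 image. The following Python example is added here and is not part of the original notes or of any tool they mention; the image, the file names and the contents are constructed for the demonstration. It parses the BIOS Parameter Block, follows a live file's cluster chain, and recovers a deleted file (entry starting with 0xE5) by assuming its clusters were contiguous, which is what FAT recovery tools must do once the chain has been zeroed.

```python
import math
import struct

SECTOR = 512


def dir_entry(name11, first_cluster, size, attr=0x20):
    """One 32-byte 8.3 directory entry (name is 8+3 bytes, space padded)."""
    e = bytearray(32)
    e[0:11] = name11
    e[11] = attr                                   # 0x20 = archive (plain file)
    struct.pack_into("<H", e, 26, first_cluster)   # first cluster (low 16 bits)
    struct.pack_into("<I", e, 28, size)            # file size in bytes
    return bytes(e)


def build_sample_image():
    """Constructed FAT16 image (not a real disk): 4 reserved sectors, two
    1-sector FATs, a 1-sector root directory (16 entries), then data clusters."""
    img = bytearray(SECTOR * 16)
    struct.pack_into("<H", img, 0x0B, SECTOR)      # bytes per sector
    img[0x0D] = 1                                  # sectors per cluster
    struct.pack_into("<H", img, 0x0E, 4)           # reserved sectors -> FAT1 at sector 4
    img[0x10] = 2                                  # number of FATs
    struct.pack_into("<H", img, 0x11, 16)          # root directory entries
    struct.pack_into("<H", img, 0x13, 16)          # total sectors
    struct.pack_into("<H", img, 0x16, 1)           # sectors per FAT
    img[0x1FE:0x200] = b"\x55\xAA"                 # boot sector signature
    # Entries 0 and 1 are reserved, so the first data cluster is #2.
    # HELLO.TXT chains 2 -> 3 -> 5 (0xFFFF = end of chain). Cluster 4 belonged
    # to a file that was deleted, so its FAT entry has been zeroed ("free").
    fat = struct.pack("<256H", *([0xFFF8, 0xFFFF, 3, 5, 0, 0xFFFF] + [0] * 250))
    img[4 * SECTOR:5 * SECTOR] = fat               # FAT1
    img[5 * SECTOR:6 * SECTOR] = fat               # FAT2 (mirror)
    root = 6 * SECTOR
    img[root:root + 32] = dir_entry(b"HELLO   TXT", 2, 1100)
    img[root + 32:root + 64] = dir_entry(b"\xE5ECRET  DOC", 4, 20)  # 0xE5 = deleted
    data = 7 * SECTOR                              # cluster 2 starts here
    img[data:data + SECTOR] = b"A" * SECTOR                                  # cluster 2
    img[data + SECTOR:data + 2 * SECTOR] = b"B" * SECTOR                     # cluster 3
    img[data + 2 * SECTOR:data + 2 * SECTOR + 20] = b"top secret data here"  # cluster 4
    img[data + 3 * SECTOR:data + 3 * SECTOR + 76] = b"C" * 76                # cluster 5
    return bytes(img)


def parse_bpb(img):
    """Steps 1-3 from the text: read the boot sector, locate FAT, root dir, data."""
    if img[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    bps, spc, reserved, nfats, root_entries, _total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", img, 0x0B)
    fat_start = reserved * bps                     # "Reserved No. of Sectors" * sector size
    root_start = fat_start + nfats * spf * bps
    return {"reserved": reserved, "cluster_size": spc * bps, "fat_start": fat_start,
            "root_start": root_start, "root_entries": root_entries,
            "data_start": root_start + root_entries * 32}


def cluster_offset(bpb, n):
    return bpb["data_start"] + (n - 2) * bpb["cluster_size"]


def walk_chain(img, bpb, first):
    """Follow FAT16 entries from `first` until end-of-chain, bad or zeroed entry."""
    chain, c = [], first
    while 2 <= c < 0xFFF7:                         # 0xFFF7 = bad, 0xFFF8+ = end of chain
        chain.append(c)
        c = struct.unpack_from("<H", img, bpb["fat_start"] + c * 2)[0]
        if c == 0:                                 # zeroed entry: chain lost (deleted file)
            break
    return chain


def list_root(img, bpb):
    entries = []
    for i in range(bpb["root_entries"]):
        raw = img[bpb["root_start"] + i * 32:bpb["root_start"] + (i + 1) * 32]
        if raw[0] == 0x00:                         # no more entries in this directory
            break
        if raw[11] == 0x0F:                        # LFN entry: not decoded in this example
            continue
        deleted = raw[0] == 0xE5
        base = raw[0:8].decode("latin-1").rstrip()
        ext = raw[8:11].decode("latin-1").rstrip()
        name = ("?" + base[1:] if deleted else base) + ("." + ext if ext else "")
        entries.append({"name": name, "deleted": deleted,
                        "first_cluster": struct.unpack_from("<H", raw, 26)[0],
                        "size": struct.unpack_from("<I", raw, 28)[0]})
    return entries


def read_file(img, bpb, entry):
    """Live file: follow the chain. Deleted file: the chain is gone, so assume the
    clusters were contiguous and read ceil(size / cluster_size) of them."""
    if entry["deleted"]:
        n = math.ceil(entry["size"] / bpb["cluster_size"])
        clusters = [entry["first_cluster"] + k for k in range(n)]
    else:
        clusters = walk_chain(img, bpb, entry["first_cluster"])
    data = b"".join(img[cluster_offset(bpb, c):cluster_offset(bpb, c) + bpb["cluster_size"]]
                    for c in clusters)
    return data[:entry["size"]]
```

The contiguity assumption in `read_file` is exactly where carving-by-FAT goes wrong on fragmented volumes: if another file had been written between the deleted file's clusters, the recovered bytes would silently contain foreign data, so always validate recovered files against their expected format.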

NTFS

NTFS Features

Alternate Data Streams


A file is a stream of data organised in a file system. Alternate Data Streams (ADS) is an NTFS feature that allows one file to carry multiple named streams of data. Internet Explorer and other browsers use an ADS named Zone.Identifier to mark files downloaded from the internet (the "mark of the web"). Malware has also been observed hiding its code in an ADS, because the extra stream is not shown by Explorer or by a plain dir listing (dir /r does show it).

Journaling
The file system uses a log file ($LogFile) to record all metadata changes made to the volume. This lets the file system repair itself after a crash by replaying or rolling back any uncommitted changes to its data structures.

Volume Shadow Copy
The NTFS file system keeps track of changes made to a file using a feature called Volume Shadow Copies. Using this feature, a user can restore previous file versions for recovery or system restore. In recent ransomware attacks, ransomware actors have been noted to delete the shadow copies on a victim's file systems to prevent them from recovering their data.

What does Volume Shadow Copy mean?

Imagine you wrote a file on your machine and edited it many times... and suddenly you want to go back to an older version of it, from before the edits happened.

This is where a Windows feature called Volume Shadow Copy comes in. Simply put, it captures a copy of the file, or of the whole disk, at a particular moment, like a quick snapshot.

So when something goes wrong with a file, or it is deleted by mistake, or hit by a virus, you can easily go back to an older version of it.

So what does this have to do with ransomware?

The hackers behind ransomware know that you could restore your files from these copies, so they pull a dirty trick first: they wipe all those old copies before encrypting your files, to cut off your way back.

So if the Shadow Copies are still there, you can get your files back without paying... but if they were wiped, you are in trouble.

$UsnJrnl
It stands for the Update Sequence Number (USN) Journal. It is present in the $Extend record. It contains information about all the files that were changed in the file system and the reason for the change. It is also called the change journal.

Item          Keeps                                   Main job                                                    Useful for                                 Wiped by the attacker?
VSS           Old versions of files                   Full snapshot of your files or the system at a point in time   Restoring files, System Restore          Usually, to stop you restoring your files
USN Journal   Events: modified, deleted, moved        Logs every change to any file or folder                     Tracking changes, forensic investigation   Not always, but it can be wiped
$LogFile      NTFS operations (rename, move, create)  Records NTFS operations moment by moment                    System recovery, post-incident analysis    Hard to delete easily

Master File Table


Like the File Allocation Table, there is a Master File Table in NTFS. However, the
Master File Table, or MFT, is much more extensive than the File Allocation
Table. It is a structured database that tracks the objects stored in a volume.
Therefore, we can say that the NTFS file system data is organized in the Master
File Table. From a forensics point of view, the following are some of the critical
files in the MFT:

$MFT
The $MFT is the first record in the volume. The Volume Boot Record
(VBR) points to the cluster where it is located. $MFT stores information
about the clusters where all other objects present on the volume are
located. This file contains a directory of all the files present on the
volume.

MFT Zone
NTFS reserves a portion of the disk called the MFT Zone to avoid $MFT

fragmentation.

The MFT Zone size is about 12.5% of the total disk space.

If the MFT Zone becomes full, the $MFT can become fragmented, which
might impact performance.

$Boot
The $Boot file (entry number 7 in the MFT) contains the VBR, which tells the system where the MFT is on the disk, since the MFT itself is essentially just a file like any other.

To avoid getting confused again: the MFT sits at the start of the partition and, through the MFT Zone, reserves the first 12.5% of the volume. When the machine boots, the Volume Boot Record (VBR), which lives in $Boot, points the system to where the MFT is.

MFT Explorer
MFT Explorer is one of Eric Zimmerman's tools used to explore MFT files. It is
available in both command line and GUI versions. We will be using the CLI
[Link] -f <path-to-$MFT-file> --csv <path-to-save-results-in-csv>

MFT Attribute

Record Header: the NTFS file system is organised into records, and each file or folder is stored in a specific record in the Master File Table (MFT). The record header carries the "FILE" signature, the record's sequence number, flags (in use, directory) and the fixup (update sequence) array, and identifies the record number the file is stored in.

$STANDARD_INFORMATION ($STD-INFO): contains metadata such as creation/modification times, DOS attributes and security-related identifiers.

$FILE_NAME: stores the file name, the parent directory reference and a second set of timestamps.

$DATA: holds the actual file content. It can be resident or non-resident.

If the file is small enough to fit in the MFT entry together with the other attributes (on a 1024-byte record this is roughly 700 bytes, not a fixed 1024), the file's actual content is embedded directly within the MFT entry. This is known as a resident attribute.

If the content does not fit, the $DATA attribute becomes non-resident, and the MFT entry stores only pointers (the run list) that reference the clusters outside the MFT where the data actually lives.

The $STANDARD_INFORMATION and $FILE_NAME attributes look very similar in terms of the data they contain. The difference is that $STANDARD_INFORMATION holds the timestamps that the user-mode file APIs expose, and an attacker can modify them with ordinary API calls, for example changing the modification date, which is a well-known technique called Time Stomping.

The $FILE_NAME timestamps, on the other hand, are maintained by the file system itself (set when the name is created and updated on rename or move) and cannot be changed through the normal file APIs, so the attacker cannot easily modify them. That is why they are considered more reliable during forensic investigations: an $SI creation time earlier than the $FN creation time, or $SI timestamps whose sub-second part is all zeros, are classic indicators of stomping.
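To see the $STANDARD_INFORMATION / $FILE_NAME comparison in code, the following Python example (added here; it is not from the notes or from any Eric Zimmerman tool) builds a constructed 1024-byte MFT FILE record with resident $SI, $FN and $DATA attributes, parses it (including the update sequence fixups, which must be undone before anything in the record is read), and flags two common timestomping indicators: an $SI creation time earlier than the $FN creation time, and $SI timestamps whose sub-second part is zero. The file name, timestamps and content are invented for the demonstration; the offsets follow the NTFS record and attribute header layouts.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)          # FILETIME epoch
STANDARD_INFORMATION, FILE_NAME, DATA, END_MARKER = 0x10, 0x30, 0x80, 0xFFFFFFFF
RECORD_SIZE, SECTOR = 1024, 512


def to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def resident_attribute(atype, content):
    """Resident attribute: 24-byte header, then the content, padded to 8 bytes."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content + b"\0" * (length - 24 - len(content))


def build_sample_record(si_created, fn_created, name, data, record_no=42):
    """Constructed FILE record (not from a real disk): all four $SI times are set to
    si_created and all four $FN times to fn_created."""
    si = struct.pack("<4Q", *[to_filetime(si_created)] * 4) + b"\0" * 16
    t = to_filetime(fn_created)
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), t, t, t, t, len(data), len(data),
                     0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = (resident_attribute(STANDARD_INFORMATION, si) + resident_attribute(FILE_NAME, fn)
             + resident_attribute(DATA, data) + struct.pack("<I", END_MARKER) + b"\0" * 4)
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    # usa offset 0x30, usa count 3, LSN 0, seq 1, links 1, first attr 0x38, flags 1 (in use)
    struct.pack_into("<HHQHHHHII", rec, 4, 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(attrs), RECORD_SIZE)
    struct.pack_into("<I", rec, 0x2C, record_no)
    rec[0x38:0x38 + len(attrs)] = attrs
    # Fixups: the last 2 bytes of every sector are replaced by the update sequence
    # number and the original bytes are parked in the array that follows it.
    usn = b"\x01\x00"
    rec[0x30:0x32] = usn
    for i in range(RECORD_SIZE // SECTOR):
        end = (i + 1) * SECTOR - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


def parse_record(raw):
    rec = bytearray(raw)
    if rec[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):                  # undo the fixups before reading
        end = i * SECTOR - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    record_no = struct.unpack_from("<I", rec, 0x2C)[0]
    attrs, off = {}, attr_off
    while True:
        atype = struct.unpack_from("<I", rec, off)[0]
        if atype == END_MARKER:
            break
        length, nonres = struct.unpack_from("<IB", rec, off + 4)
        if nonres == 0:                            # resident: content lives in the record
            size, coff = struct.unpack_from("<IH", rec, off + 0x10)
            attrs[atype] = bytes(rec[off + coff:off + coff + size])
        else:                                      # non-resident: only a run list is here
            attrs[atype] = None
        off += length
    return {"record": record_no, "in_use": bool(flags & 1), "attrs": attrs}


def file_name(parsed):
    fn = parsed["attrs"][FILE_NAME]
    return fn[66:66 + 2 * fn[64]].decode("utf-16-le")


def timestamps(parsed):
    """(created, modified, mft_modified, accessed) FILETIMEs from $SI and from $FN."""
    si = struct.unpack_from("<4Q", parsed["attrs"][STANDARD_INFORMATION], 0)
    fn = struct.unpack_from("<4Q", parsed["attrs"][FILE_NAME], 8)
    return si, fn


def timestomp_indicators(parsed):
    si, fn = timestamps(parsed)
    hints = []
    if si[0] < fn[0]:
        hints.append("$SI created is earlier than $FN created")
    if any(t % 10_000_000 == 0 for t in si[:2]):
        hints.append("$SI created/modified has a zero sub-second part")
    return hints
```

Neither indicator is proof on its own: a file copied from a FAT volume can legitimately have whole-second $SI times, and a restore from backup can reorder the two creation times, so confirm against $UsnJrnl or $LogFile before calling it tampering.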

NTFS Attributes
1. Resident Attribute: its content comes directly after the attribute header, inside the MFT entry, like $STANDARD_INFORMATION.

2. Non-resident Attribute: the content is stored in clusters outside the MFT entry, which holds only the run list, like a large $DATA or $ATTRIBUTE_LIST.

Virtual Cluster Number (VCN): the sequence number of a cluster within a file or attribute (0, 1, 2, ...), regardless of where that cluster physically is in the file system.

Logical Cluster Number (LCN): the cluster number counted from the start of the volume (the boot sector sits in LCN 0). A run list maps ranges of VCNs to LCNs.

File And Ram slack

File Slack
The space that is allocated to a file but not used by it.

If we had a disk with a cluster size of 4 KB and a file ([Link]) of 8 KB allocated starting at cluster number 100, then both clusters 100 and 101 are allocated to the file. If [Link] is deleted, its content still exists. If a new file ([Link]) of 5 KB is then allocated starting at cluster 100, both clusters are allocated to the new file, and the unused remainder of cluster 101 will still contain data from the first file.

Ram Slack
The free space between the end of the file and the end of its last sector. On DOS and Windows 9x this was filled with whatever happened to be in RAM (hence the name); NT-based Windows zero-fills it, so on modern systems the interesting residue is in the file slack after the last sector rather than in the RAM slack.

File carving
File Carving is a data recovery technique used to recover deleted or lost files without relying on the file system structure.

It works by identifying files based on their internal content, such as file headers and footers (magic numbers), rather than file table entries.

How File Carving Works:

Scans raw disk content for known file signatures (headers/footers).

Reconstructs files based on:

Header-footer matches

File structure patterns

Known file content (e.g., strings, patterns)

Special Case: Carving JPEGs from Thumbnails

Thumbnails (small preview images) can remain even if the original JPEG is deleted, both in thumbnail caches and embedded inside other JPEGs' EXIF data, where they carry their own header and footer.

Techniques like image pattern matching or structure matching can reconstruct lost or fragmented images.

Carving Techniques
1. Header-Footer Carving → uses the known start and end bytes of a file type.

2. Header + Max File Size → if the footer is missing, carves a reasonable maximum size from the header only.

3. File Structure-Based Carving → recovers files based on the expected internal structure of a certain file type (e.g. chunk lengths, segment markers).

4. Content-Based Carving → looks for specific patterns or strings inside raw data.
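The following Python example (added here, not from the original notes) implements header/footer carving over a constructed raw buffer with two of the refinements listed above: the header + maximum size fallback when a footer is missing, and, for JPEG, a nesting-aware search for the end marker so that the thumbnail embedded in a JPEG's EXIF segment (which carries its own SOI/EOI pair) does not truncate the carve. The "disk" contents and the fake images are constructed for the demo and are not valid image files.

```python
# Signatures: (header, footer). JPEG SOI/EOI and PNG header/IEND chunk.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def jpeg_end(buf, start, limit):
    """Offset just past the EOI that closes the SOI at `start`, or -1.
    Inside entropy-coded data 0xFF is always followed by 0x00 or an RSTn marker,
    so FFD8/FFD9 only occur as real markers and a nesting depth is reliable."""
    depth, i = 0, start
    while i < limit - 1:
        pair = buf[i:i + 2]
        if pair == b"\xff\xd8":
            depth += 1
            i += 2
        elif pair == b"\xff\xd9":
            depth -= 1
            i += 2
            if depth == 0:
                return i
        else:
            i += 1
    return -1


def carve(buf, max_size=8 * 1024 * 1024):
    """Return carved objects as dicts: type, offset, length, complete."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = buf.find(header)
        while pos != -1:
            limit = min(len(buf), pos + max_size)
            if kind == "jpg":
                end = jpeg_end(buf, pos, limit)
            else:
                hit = buf.find(footer, pos + len(header), limit)
                end = -1 if hit == -1 else hit + len(footer)
            complete = end != -1
            if not complete:
                end = limit                        # header + max-size fallback
            found.append({"type": kind, "offset": pos, "length": end - pos,
                          "complete": complete})
            # after a complete carve skip its body; otherwise keep scanning
            pos = buf.find(header, end if complete else pos + len(header))
    return sorted(found, key=lambda f: f["offset"])


def build_sample_disk():
    """Constructed raw 'disk' (not real files): zero filler around a JPEG with an
    embedded thumbnail, a PNG, and a JPEG whose tail (and footer) is gone."""
    filler = b"\x00" * 32
    jpeg = (b"\xff\xd8\xff\xe1" + b"Exif" + b"\xff\xd8\xff\xdb" + b"thumb" + b"\xff\xd9"
            + b"\xff\xda" + b"main scan data" + b"\xff\xd9")
    png = SIGNATURES["png"][0] + b"IHDR" + b"\x00" * 13 + SIGNATURES["png"][1]
    truncated = b"\xff\xd8\xff\xe0" + b"JFIF partial"
    return filler + jpeg + filler + png + filler + truncated + filler, jpeg, png, truncated
```

A plain first-footer search would have stopped at the thumbnail's EOI and returned only the EXIF header of the first JPEG; the depth counter is what recovers the full image. Fragmented files still defeat this approach, which is why structure- and content-based carving exist.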

Windows Artifact

Evidence of execution

Windows Prefetch files

When you run any program in Windows, the system starts tracking some information about that run so it can help launch it faster the next time.
When a program is run in Windows, it stores information about it for future use. This stored information is used to load the program quickly in case of frequent use, and it is kept in prefetch files.
Prefetch files have the extension .pf and live in C:\Windows\Prefetch. They contain the last run time of the application (Windows 8 and later keep the last eight run times), the number of times the application was run, and the files and device handles used by it. Thus they form an excellent source of information about the last executed programs and files.

We can use Prefetch Parser ([Link]) from Eric Zimmerman's tools for parsing Prefetch files and extracting data:

[Link] -f <path-to-Prefetch-files> --csv <path-to-save-csv>

Similarly, for parsing a whole directory, we can use the following command:
[Link] -d <path-to-Prefetch-directory> --csv <path-to-save-csv>

Application compatibility cache ( shimcache )

ShimCache is a mechanism used to keep track of application compatibility with the OS; its main purp in Windows is to ensure backward compatibility of applications. It is also called the Application Compatibility Cache (AppCompatCache) and is located at the following location in the SYSTEM hive:
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

ShimCache stores the full path of each executable and its last modified ($SI) time, and the data is only written to the hive on shutdown or reboot. On Windows 7 an entry also records whether the file was executed; on Windows 10 an entry only proves that the file was present and enumerated (for example by Explorer), not that it ran, so treat it as evidence of existence rather than execution. Our go-to tool, Registry Explorer, doesn't parse ShimCache data in a human-readable format, so we use another tool called AppCompatCache Parser, also part of Eric Zimmerman's tools. It takes the SYSTEM hive as input, parses the data, and outputs a CSV file that looks like this:

AmCache
The Amcache hive is an artifact related to ShimCache. It performs a similar function and stores additional data related to program executions: the execution path, installation, execution and deletion times, and the SHA1 hash of the executed programs (computed over the first 31 MB of the file, so for larger binaries it will not match a full-file hash). This hive is located in the file system at:
C:\Windows\appcompat\Programs\[Link]

Information about the last executed programs can be found at the following location in the hive:
[Link]\Root\File\{Volume GUID}\

This is how Registry Explorer parses the AmCache hive:

Amcache VS Shimcache VS Prefetch

Feature              Amcache                          Shimcache (AppCompatCache)                 Prefetch
Storage type         Registry file ([Link])           Registry (part of the SYSTEM hive)         Files stored in the Prefetch folder
Purpose              Tracks executed programs         Application compatibility tracking         Speeds up application startup
Records what?        Program name, path, hash, etc.   Program name and path (not always exact)   Program name, run count, last execution time
Forensic value       Shows which programs were run    Shows program execution history            Shows timing and frequency of execution
Timestamp accuracy   Relatively accurate              Weak or missing                            Very accurate

Windows 10 Timeline

In Windows 10, the system keeps a record of the applications and files you used recently, to make it easy for you to go back to them. This feature is called Timeline.

Windows 10 stores recently used applications and files in an SQLite database called the Windows 10 Timeline. This data can be a source of information about the last executed programs. It contains the application that was executed and the focus time of the application. The Windows 10 Timeline can be found at the following location:
C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\[Link]

We can use Eric Zimmerman's [Link] for parsing the Windows 10 Timeline:

[Link] -f <path-to-timeline-file> --csv <path-to-save-csv>

Windows Jump Lists
Windows introduced jump lists to help users go directly to their recently used files from the taskbar. We can view jump lists by right-clicking an application's icon in the taskbar, which shows the recently opened files in that application. This data is stored in two directories:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Automatic destinations are written by Windows as files are opened; custom destinations are written by the application itself (pinned items, tasks). Each jump list file is named by the owning application's AppID.

We can use Eric Zimmerman's [Link] to parse Jump Lists:

[Link] -f <path-to-Jumplist-file> --csv <path-to-save-csv>

Shortcut Files
Windows creates a shortcut (.lnk) file for each file opened, whether locally or remotely. The shortcut files contain the first and last opened times of the target, the path of the opened file, and other data such as the volume serial number and, for network paths, the host name. Shortcut files can be found in the following locations:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\

C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\

We can use Eric Zimmerman's [Link] (Lnk Explorer) to parse Shortcut files:

[Link] -f <path-to-shortcut-files> --csv <path-to-save-csv>

THUMBCACHE
Windows automatically generates thumbnails for images to help them load faster when folders are reopened. Even if the original image is deleted, the thumbnail may still remain.

Before Windows 7, thumbnails were stored in [Link], a hidden file in the same folder as the images.

From Windows 7 onwards, they are stored centrally per user in files like thumbcache_32.db, where the number indicates the thumbnail size in pixels.

Multiple sizes are supported via the folder View options.

You can use Thumbcache Viewer to extract thumbnails from [Link] and [Link]. Note: these files do not store the original image's file path.
The tool [Link] lets you access [Link], a database that stores Windows search history, including info on deleted or renamed files.

Volume Shadow Copy ( VSS )

Volume Shadow Copy (VSS) is a Windows feature that creates snapshots of a volume, even while its files are in use; restore points are built on these snapshots. Instead of saving full copies, VSS tracks only block-level changes (copy-on-write), saving space while allowing file recovery.
Snapshots are created automatically during events like Windows Updates, driver installations, or manually by users or programs. By default, Windows 7 allows VSS to use up to 5% of the drive space. Older snapshots are deleted when space runs out.
From a forensic perspective, VSS is useful for recovering deleted files, registry keys, and logs. Even if an attacker deletes or alters data, previous snapshots may still contain untouched versions.
Tools: vssadmin, mklink, ShadowCopyView, libvshadow, Shadow Explorer, VSC Toolset
File History
File History is a file-level backup feature introduced in Windows 8. It
automatically saves copies of important files (like those in Libraries, Desktop,
Favorites, and Contacts) every hour by default. Backups are stored on external
drives, and if unavailable, 5% of the internal disk is used as a cache.
From a forensic perspective, File History can help identify which files were
backed up, the user and device involved, backup frequency, and storage
location. It also allows recovery of deleted or modified files

Recycle Bin
When a file is deleted in older versions of Windows like XP, the actual content of the file remains in the Recycle Bin, but the filename is changed. The name starts with the letter "D" to indicate it was deleted, followed by the drive letter and the deletion order. For example, a file called "[Link]" means it was the first file deleted from the C partition. At the same time, a file named "INFO2" is created inside the Recycle Bin, which stores metadata such as the original path of the deleted file, the time of deletion, and file size.

In modern Windows versions (Vista and later), the system replaces the INFO2 file with a new format. Now, when a file is deleted, two separate files are created: the first one starts with "$R" and contains the actual content of the deleted file, and the second starts with "$I" and stores metadata related to the deleted file (original path, size and deletion time). Both filenames share the same six random characters after the prefix, followed by the original extension, which is how a $I is matched to its $R.

Each partition has its own hidden Recycle Bin folder named "$[Link]". Inside it, each user has their own folder named by their unique SID (Security Identifier). To view these folders, you must enable hidden items in File Explorer or use the command "dir /a" in the Command Prompt. If you're inside the C drive and type "dir /a", you'll see the $[Link] directory. Navigating inside it and using the same command will show the SID folders for different users. Each SID represents a user; for example, the built-in Administrator account has a RID ending in 500.

To examine deleted files for a specific user, go into the SID folder related to that user. You'll find deleted file pairs starting with $R and $I. You can copy these files to a new folder on your desktop, such as one called "Recycle". After copying, you can open the $R files directly to see their content.

To analyze the metadata inside the $I files, you can use a tool like "$I Parser". You give it the folder containing the $I files and choose a location to save the output, often as an Excel sheet. The tool extracts useful forensic information like the original file path, time of deletion, file size, and version.
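The $I format is small enough to parse by hand. The following Python example (added here; it is not the "$I Parser" tool mentioned above or any other project's code) decodes both the Vista-to-8.1 layout (version 1, fixed 520-byte UTF-16 path) and the Windows 10 layout (version 2, length-prefixed path), and pairs $I files with their $R counterparts by the shared suffix. The sample paths, sizes and times are constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)          # FILETIME epoch


def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_dollar_i(data):
    """Decode a $I metadata file.
    Both versions start with: version (8 bytes), original size (8), deletion FILETIME (8).
    Version 1 (Vista-8.1): 520-byte null-padded UTF-16 path follows.
    Version 2 (Windows 10+): 4-byte character count (includes the null), then the path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\0", 1)[0]
    elif version == 2:
        nchars = struct.unpack_from("<I", data, 24)[0]
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\0")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size, "deleted": from_filetime(ft), "path": path}


def build_dollar_i(version, size, deleted, path):
    """Constructed sample $I content for either format (not copied from a real system)."""
    head = struct.pack("<QQQ", version, size, to_filetime(deleted))
    encoded = (path + "\0").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(520, b"\0")
    return head + struct.pack("<I", len(path) + 1) + encoded


def pair_recycle_entries(names):
    """Match $I<id>.<ext> metadata files to their $R<id>.<ext> content files.
    An $I without an $R usually means the content was already purged or recovered."""
    pairs = {}
    for n in names:
        if n.startswith("$I") or n.startswith("$R"):
            pairs.setdefault(n[2:], {"I": None, "R": None})[n[1]] = n
    return pairs
```

Run `parse_dollar_i` over every `$I*` file in a user's SID folder and you have the same original-path / size / deletion-time table the GUI parser produces, which is convenient when the evidence is a triage collection rather than a mounted image.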

IE/Edge history
There is something important and a bit odd about Internet Explorer and Microsoft Edge: the browser doesn't only keep the history of the websites you visited, it also records all the files that were opened on the machine, even if they were never opened from the browser at all! So if you open a PDF, an image or a Word document from your machine, it can show up in the IE or Edge browsing history, because the system sometimes uses the browser's cache as part of the open process.
An interesting thing about the IE/Edge browsing history is that it includes files opened on the system as well, whether those files were opened using the browser or not (they appear as file:/// entries). Hence, a valuable source of information on opened files in a system is the IE/Edge history. We can access the history in the following location:
C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

You can use Autopsy to do so in the attached VM. For doing that, select Logical Files as a data source.

It will then ask you to select the path from which you want files to be analyzed. You can provide the path to the triage folder.

In the window where Autopsy asks about ingest modules to process data, check the box in front of 'Recent Activity' and uncheck everything else.

You will be able to view local files accessed in the Web History option in the left panel.

This is what it will look like in the right panel.

External Devices/USB device forensics


Setupapi dev logs for USB devices
When any new device is attached to a system, information related to the setup of that device is stored in [Link]. This log is present at the following location:
C:\Windows\inf\[Link]

This log contains the device serial number and the first time the device was connected (the driver installation time); the last connection and removal times come from the registry keys described under Registry Artifact below. The log is plain text, so a search for the serial number finds the entry.

Registry Artifact

Windows Registry

The Windows Registry is a collection of databases that contains the system's
configuration data. This configuration data can be about the hardware, the
software, or the user's information. It also includes data about the recently
used files, programs used, or devices connected to the system
The Windows registry consists of Keys and Values. When you open the
[Link] utility to view the registry, the folders you see are Registry Keys.
Registry Values are the data stored in these Registry Keys. A
Registry Hive is a group of Keys, subkeys, and values stored in a single file on
the disk.

The registry on any Windows system contains the following five root keys:

1. HKEY_CURRENT_USER

2. HKEY_USERS

3. HKEY_LOCAL_MACHINE

4. HKEY_CLASSES_ROOT

5. HKEY_CURRENT_CONFIG

Hives containing user information

Apart from these hives, two other hives containing user information can be found in the user profile directory. For Windows 7 and above, a user's profile directory is located in C:\Users\<username>\ where the hives are:

1. [Link] → This file is located at: C:\Users\<username>\[Link]. It is loaded (mounted) under the HKEY_CURRENT_USER registry key when a user logs in (and under HKEY_USERS\<SID> for every loaded profile). It contains user-specific settings like program activity, desktop preferences, timestamps, etc.

2. [Link] → This file is located at: C:\Users\<username>\AppData\Local\Microsoft\Windows\[Link]

It contains data related to the user interface (UI), such as window layout preferences, and sometimes contains evidence of file or application usage (the ShellBags live here).

Transaction Logs and Backups
Transaction logs work like a journal: they record recent changes made to the registry hives. When Windows updates the registry, it writes the changes to these logs before updating the actual hive. So, transaction logs might contain newer data that isn't yet saved in the main registry files; always let your parser replay them (Registry Explorer offers to do this when it detects a dirty hive).

These logs are saved with the same name as the registry hive but with a .LOG extension, and you'll find them in the same folder as the hive, usually C:\Windows\System32\Config. For example, the transaction log for the SAM hive will be named [Link]. Sometimes there is more than one log file (SAM.LOG1, SAM.LOG2, etc.).
On the other hand, registry backups are just saved copies of the registry hives. Windows automatically copies these hives every 10 days into the folder:
C:\Windows\System32\Config\RegBack. These backups are useful when you want to check older or deleted registry data during a forensic investigation. Note that since Windows 10 version 1803 this scheduled backup is disabled by default, so the RegBack files are often zero bytes in size.

Artifact
1. OS Version
SOFTWARE\Microsoft\Windows NT\CurrentVersion

2. Current control set

The hives containing the machine's configuration data used for controlling system startup are called Control Sets. Commonly, we will see two Control Sets, ControlSet001 and ControlSet002, in the SYSTEM hive on a machine. In most cases (but not always), ControlSet001 will point to the Control Set that the machine booted with, and ControlSet002 will be the last known good configuration. Rather than assuming, check the SYSTEM\Select key: its Current value holds the number of the control set in use (the one CurrentControlSet resolves to on a live system) and LastKnownGood holds the fallback. Their locations will be:
SYSTEM\ControlSet001 || SYSTEM\ControlSet002

3. Computer Name
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

4. Time Zone Information


For accuracy, it is important to establish what time zone the computer is located in. This will help us understand the chronology of the events as they happened (NTFS and most registry timestamps are stored in UTC, so the time zone is needed to convert them to the local times users and logs refer to). For finding the Time Zone Information, we can look at the following location:
SYSTEM\CurrentControlSet\Control\TimeZoneInformation

5. Network Interfaces and Past Networks


The following registry key will give a list of network interfaces on the machine we are investigating:
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Each Interface is represented with a unique identifier (GUID) subkey, which
contains values relating to the interface’s TCP/IP configuration. This key will
provide us with information like IP addresses, DHCP IP address and Subnet
Mask, DNS Servers, and more. This information is significant because it helps
you make sure that you are performing forensics on the machine that you are
supposed to perform it on
The past networks a given machine was connected to can be found in the
following locations:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed

These registry keys contain past networks as well as the last time they were
connected. The last write time of the registry key points to the last time these
networks were connected.

6. shutdown time
SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime (a binary FILETIME value)

7. defender settings
• HKLM\Software\Microsoft\Windows Defender

8. firewall rules
• SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
9. uninstaller
The Uninstall key in the Windows Registry shows info about installed programs
like name, version, publisher, and uninstall command. It helps know what was
installed or removed. Its main locations are:
Software\Microsoft\Windows\CurrentVersion\Uninstall

10. App Paths


SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

11. Autostart Programs (Autoruns)
The following registry keys include information about programs or commands that run when a user logs on.
[Link]\Software\Microsoft\Windows\CurrentVersion\Run

[Link]\Software\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The following registry key contains information about services:

SYSTEM\CurrentControlSet\Services

Notice the value of the Start key in the screenshot below.

In this registry key, the Start value tells you when the service starts: 0 = boot (driver loaded by the boot loader), 1 = system (loaded during kernel initialisation), 2 = automatic (started by the Service Control Manager at boot), 3 = manual (on demand), 4 = disabled. A Start value of 0x02 therefore means the service starts automatically at boot; the ImagePath value next to it shows which binary actually runs.
12. SAM hive and user information

The SAM hive contains user account information, login information, and group
information. This information is mainly located in the following location:
SAM\Domains\Account\Users

The information contained here includes the relative identifier (RID) of the user,
number of times the user logged in, last login time, last failed login, last
password change, password expiry, password policy and password hint, and
any groups that the user is a part of.

13. Recent Files

Windows maintains a list of recently opened files for each user. As we might have seen when using Windows Explorer, it shows us a list of recently used files. This information is stored in the NTUSER hive and can be found at the following location:
[Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

The entries are kept in an MRU (Most Recently Used) list, and they are also categorised by file type, such as .pdf, .jpg, .docx, etc. If you want to find recently used PDF files, you can check the key:
[Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf. Additionally, Registry Explorer displays the last opened time for each file (taken from the key's last write time, so only the most recently added entry has an exact time).
14. Office Recent Files
Just like Windows Explorer keeps track of recently opened files, Microsoft Office also keeps a list of recent documents, stored in the [Link] hive. The path depends on the Office version, for example:
[Link]\Software\Microsoft\Office\15.0\Word for Office 2013 (15.0). Starting from Office 365, this information is linked to the user's Microsoft account (Live ID) and can be found at: [Link]\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU. This key stores the full path of recently opened Office files.

15. ShellBags
When a user opens a folder on Windows, it opens in a specific layout (like icon
size or sorting order). Users can customize this layout per folder. Windows
stores this information in the registry to remember each folder's view settings,
which can also help forensic analysts identify which folders or files were
recently accessed.
This data is stored in the user's registry hives, specifically in:

[Link]\Local Settings\Software\Microsoft\Windows\Shell\Bags

[Link]\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

[Link]\Software\Microsoft\Windows\Shell\BagMRU

[Link]\Software\Microsoft\Windows\Shell\Bags

Since Registry Explorer doesn’t clearly show ShellBag data, a tool called
ShellBag Explorer by Eric Zimmerman is used to parse and display this
information in a readable format. This tool is especially useful in forensic
investigations to trace user activity on folders—even if they were deleted or
moved.

16. Open/Save and LastVisited Dialog MRUs

When you open or save a file in Windows, a dialog box appears to let you choose a location. Windows remembers the last places you opened or saved files from. This information is saved in the registry and can help identify recently used files or folders.

You can find this data in these registry paths:

[Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU

[Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

These keys store info about the last opened or saved locations used by the user: OpenSavePIDlMRU is organised by file extension, and LastVisitedPidlMRU records which executable opened the dialog together with the folder it was pointed at.

17. Windows Explorer Address/Search Bars


Another way to identify a user's recent activity is by looking at the paths typed
in the Windows Explorer address bar or searches performed using the
following registry keys, respectively.
[Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

[Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

18. UserAssist
Windows tracks programs launched by the user through the Windows shell (Explorer, the Start menu, shortcuts), not from the command line, using the UserAssist registry key. This key records the program name, the time it was last opened, and how many times it was executed. It's stored in the user's [Link] file under subkeys whose GUIDs are fixed rather than user-specific: {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} for executables and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} for shortcuts:
[Link]\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

The value names are ROT13-encoded, so the tool (or you) must decode them to read the program paths. This helps identify user activity based on program usage history.
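The following Python example (added here; not from the notes or from Registry Explorer) decodes UserAssist values the way a parser would: the value name is ROT13-decoded, and the run count, focus count, focus time and last-run FILETIME are unpacked from the 72-byte value data. The data layout used (counts at offsets 4, 8 and 12, FILETIME at offset 60) is the Windows 7-and-later layout described in public forensic documentation and is treated as an assumption here; the value shown is constructed for the demo, not read from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)          # FILETIME epoch
# Fixed UserAssist subkey GUIDs (not per-user GUIDs).
EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"


def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def decode_userassist(value_name, value_data):
    """Decode one value under ...\\UserAssist\\{GUID}\\Count.
    Assumed Windows 7+ layout (72 bytes): run count at offset 4, focus count at 8,
    focus time in milliseconds at 12, last-run FILETIME at 60."""
    if len(value_data) < 68:
        raise ValueError("short UserAssist value (pre-Windows 7 layout not handled)")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
    last_run = struct.unpack_from("<Q", value_data, 60)[0]
    return {
        "name": codecs.decode(value_name, "rot_13"),   # names are ROT13-obfuscated
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": from_filetime(last_run) if last_run else None,
    }


def build_userassist_value(name, run_count, focus_count, focus_ms, last_run):
    """Constructed sample (ROT13 name, 72-byte data) in the assumed layout above."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, to_filetime(last_run))
    return codecs.encode(name, "rot_13"), bytes(data)


def most_recent(entries):
    """Order decoded entries newest first; entries with no last-run time go last."""
    return sorted(entries, key=lambda e: e["last_run"] or EPOCH, reverse=True)
```

Program paths under the executables GUID start with a known-folder GUID (for example {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} stands for System32), so resolving those is the next step after ROT13 if you want readable paths in a timeline.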

19. BAM / DAM

BAM (Background Activity Monitor) and DAM (Desktop Activity Moderator)
are Windows features that track background app activity and help manage
power consumption as part of the Modern Standby system. In the registry,
BAM and DAM store data about which programs were run, their full paths, and
when they were last executed. This information is saved under the user’s SID
(Security Identifier) at these locations:

SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}

Registry Explorer can be used to view this data in a readable format.

20. Device identification


The following locations keep track of USB keys plugged into a system. These
locations store the vendor id, product id, and version of the USB device
plugged in and can be used to identify unique devices. These locations also
store the time the devices were plugged into the system.
SYSTEM\CurrentControlSet\Enum\USBSTOR

SYSTEM\CurrentControlSet\Enum\USB

21. First/Last Times

Similarly, the following registry key tracks the first time the device was connected, the last time it was connected and the last time the device was removed from the system.

SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####

In this key, #### is replaced by one of the following property IDs to get the required information (each value is a 64-bit FILETIME):

Value   Information
0064    First connection time
0066    Last connection time
0067    Last removal time

22. USB device Volume Name


The device name of the connected drive can be found at the following location:
SOFTWARE\Microsoft\Windows Portable Devices\Devices

💡 [Link]
Cheat-Sheet

Digital Forensics 74
