Create Custom Content Image - Windows 10 Artifacts

Mehrnoush
4 min read · Feb 17, 2023


Sometimes you need artifacts but do not have enough storage or time to capture a full image of the system, so you gather only the artifacts most relevant to solving the case. However, a custom content image of Windows forensic artifacts, as opposed to a full disk image, may not be legally acceptable.

In certain legal or regulatory contexts, it may be required to acquire a complete and verifiable copy of the digital storage device, including all unallocated space, in order to ensure the integrity and authenticity of the evidence. This is because custom content images can be seen as incomplete and potentially less reliable, as they do not capture the full extent of the storage device and may not provide a complete chain of custody.

It’s important to follow appropriate legal and regulatory guidelines when gathering digital forensic evidence, and to consult with experts in the field if necessary. In some cases, it may be necessary to use tools or procedures that meet specific legal or regulatory requirements to ensure the admissibility of the evidence in court or other legal proceedings.

In this post we’ll discuss the Windows artifacts that should be gathered from the target machine for investigation.

FTK (Forensic Toolkit) Imager is a digital forensics tool used to capture images of a digital storage device, such as a hard drive, USB drive, or memory card. FTK Imager can create a custom content image by selecting specific files or folders from the storage device. Here’s how to capture a custom content image using FTK Imager:

  1. Download and install FTK Imager from the AccessData website.
  2. Launch FTK Imager and select the “Create Disk Image” option from the “File” menu.
  3. Select the storage device that you want to create the custom content image from.
  4. Choose the “Logical” option to capture a logical image of the storage device.
  5. In the “Select Data to Image” section, choose the “Files” option to capture specific files or folders.
  6. Click the “Add” button to select the files or folders that you want to include in the custom content image. You can navigate through the file system using the tree view, or you can enter the file path directly.
  7. If you want to exclude specific files or folders from the custom content image, click the “Exclude” button and select the items you want to exclude.
  8. In the “Image Destination” section, choose where you want to save the custom content image. You can save it to a file, a physical drive, or a network location.
  9. Choose the compression level for the image file, if desired.
  10. Click the “Start” button to begin capturing the custom content image.
  11. Once the imaging process is complete, you can verify the image using the “Verify Image” option from the “File” menu.

Your custom image must include, but is not limited to, the following:

SAM
SOFTWARE
SECURITY
SYSTEM
Path: %windir%\System32\config

SAM, SOFTWARE, SECURITY, and SYSTEM are registry hives that contain important information about user accounts, installed software, security policies, and system settings. These registry hives are located in the %windir%\System32\config folder.

USRCLASS.dat
USRCLASS.LOG[ ]
Path: %appdata%\..\Local\Microsoft\windows\

USRCLASS.dat and USRCLASS.LOG[ ] are files that contain user-specific registry settings and can be found in the %appdata%\..\Local\Microsoft\windows\ folder.

$MFT
$LogFile
$I30
$data
$Bitmap
$EXTEND

$MFT, $LogFile, $I30, $data, $Bitmap, and $EXTEND are files that are part of the NTFS file system and contain information about the files and directories on the system. These files can be found in the root of each NTFS volume.

*.evtx

*.evtx files are event logs that contain information about system and application events. These files can be found in the %SystemRoot%\System32\winevt\Logs folder.

%appdata%

The %appdata% folder contains application data for the current user, including settings and temporary files.

Prefetch
Path: %windir%\prefetch

The Prefetch folder, located in the %windir%\prefetch folder, contains information about the applications that have been run on the system.

pagefile.sys
hiberfil.sys
Path: %SystemDrive%\

pagefile.sys and hiberfil.sys are system files that contain data used by the operating system when managing system memory and power management.

Webcache.dat
Path: %appdata%\..\Local\Microsoft\windows\

Webcache.dat is a file used by the Microsoft Edge web browser to store browsing history and other information. This file can be found in the %appdata%\..\Local\Microsoft\windows\ folder.

SRUDB.dat
Path: %windir%\system32\SRU\SRUDB.dat

SRUDB.dat is a file that contains information about system resource usage and can be found in the %windir%\system32\SRU\ folder.

INF
Path: %systemdrive%\windows\inf

INF files are used by Windows to install device drivers and contain information about the hardware and software installed on the system. These files can be found in the %systemdrive%\windows\inf folder.

AmCache
Path: %SystemRoot%\AppCompat\Programs\Amcache.hve

AmCache.hve is a file that contains information about the applications that have been run on the system and can be found in the %SystemRoot%\AppCompat\Programs\ folder.

AppCompatCache (ShimCache)
Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache

The AppCompatCache (ShimCache) contains information about the compatibility of applications on the system and can be found in the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache registry key.

*.PST
*.OST

*.PST and *.OST files are used by Microsoft Outlook to store email data.

Thumbs.db
thumbcache_[…].db
Path: %userprofile%\AppData\Local\Microsoft\Windows\Explorer

Thumbs.db and thumbcache_[…].db files are used by Windows to store thumbnail images and can be found in the %userprofile%\AppData\Local\Microsoft\Windows\Explorer folder.

*.lnk
Path: %AppData%\Roaming\Microsoft\Windows\Recent

*.lnk files are shortcut files that can be found in the %AppData%\Roaming\Microsoft\Windows\Recent folder.

Jumplist
Paths: %AppData%\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
%AppData%\Roaming\Microsoft\Windows\Recent\CustomDestinations

Jumplist files contain information about recent activity for applications and can be found in the %AppData%\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and %AppData%\Roaming\Microsoft\Windows\Recent\CustomDestinations folders.

When gathering artifacts, be aware of the potential impact on the target system, follow proper forensic procedures, and document the process to maintain the integrity of the evidence.
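As an added example (not code from this post or from AccessData), the Python helper below applies this page’s artifact list to a folder exported from a custom content image, hashes every collected file into a manifest, and re-verifies the collection later the way the “Verify Image” step does for the image file. It assumes the export keeps the original directory layout under one root and that user profiles sit under `Users\`; the `demo()` function builds a constructed sample collection with stand-in files.

```python
import hashlib
import tempfile
from pathlib import Path

ARTIFACTS = [  # from this page; glob patterns relative to an exported image root
    "Windows/System32/config/SAM", "Windows/System32/config/SOFTWARE",
    "Windows/System32/config/SECURITY", "Windows/System32/config/SYSTEM",
    "Windows/System32/winevt/Logs", "Windows/AppCompat/Programs/Amcache.hve",
    "Windows/System32/SRU/SRUDB.dat", "Windows/Prefetch", "Windows/inf",
    "$MFT", "$LogFile", "$Bitmap", "$Extend",  # NTFS metadata at the volume root
    "Users/*/AppData/Local/Microsoft/Windows/UsrClass.dat",  # "*": every profile
    "Users/*/AppData/Local/Microsoft/Windows/Explorer",
    "Users/*/AppData/Roaming/Microsoft/Windows/Recent",
]

def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as fh:  # chunked: pagefile.sys/hiberfil.sys can be GBs
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Hash every file at the expected locations; also list patterns with no hit."""
    manifest, missing = {}, []
    for pattern in ARTIFACTS:
        hits = list(root.glob(pattern))
        missing += [] if hits else [pattern]
        for p in hits:
            for f in ([p] if p.is_file() else (x for x in p.rglob("*") if x.is_file())):
                manifest[f.relative_to(root).as_posix()] = sha256_file(f)
    return manifest, missing

def verify_manifest(root, manifest):
    """Re-hash and diff against the saved manifest (cf. FTK's Verify Image step)."""
    current, _ = build_manifest(root)
    return {"changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
            "missing": sorted(k for k in manifest if k not in current)}

def demo():
    """Constructed sample: two stand-in files, then one edited and one deleted."""
    root = Path(tempfile.mkdtemp())
    sam, pf = root / "Windows/System32/config/SAM", root / "Windows/Prefetch/X.pf"
    for f in (sam, pf):
        f.parent.mkdir(parents=True)
        f.write_bytes(b"stand-in for " + f.name.encode())
    manifest, missing = build_manifest(root)
    sam.write_bytes(b"tampered")
    pf.unlink()
    return {"hashed": len(manifest), "uncollected": len(missing),
            **verify_manifest(root, manifest)}
```

The `uncollected` list is the check against the “must include” requirement above: any pattern with no hit means that artifact never made it into the custom content image.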
