Windows Computer Forensics
The Windows operating system continues to change with respect to its forensic artifacts and what they mean. A deeper dive into the Registry, Master File Table, Shadow Copies, Recycle Bin and Shellbags helps the examiner uncover what may have happened on the computer.
A shadow copy is a restore point that Windows creates when a Windows update or new software is installed. The idea is that Windows can restore the computer to the state it was in before the new software or update was installed. Included in the shadow copy (restore point) are the Recycle Bin and the registry, so valuable forensic information about the state of the computer at the time the restore point was taken is available to the experienced investigator.
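As an added illustration (not code from the original page), the following Python parser shows what an examiner pulls out of the Recycle Bin preserved inside a shadow copy: each deleted file leaves a $I metadata record holding its original path, size and deletion time. The parser assumes the $I records have already been exported from the shadow copy's $Recycle.Bin directory; the two sample records are constructed in the file, not taken from a real case.

```python
"""Parse Recycle Bin $I metadata records ($I<id>.<ext>), as found under
$Recycle.Bin\\<SID>\\ on a live volume or inside a Volume Shadow Copy.

Record layout:
  offset 0  : 8-byte version (1 = Vista through 8.1, 2 = Windows 10 and later)
  offset 8  : 8-byte original file size
  offset 16 : 8-byte FILETIME of deletion
  version 1 : offset 24, 520-byte null-padded UTF-16LE original path
  version 2 : offset 24, 4-byte path length in UTF-16 code units (incl. terminator),
              offset 28, UTF-16LE original path
The sample records below are constructed here for illustration only.
"""
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    return int((dt - _EPOCH_1601).total_seconds()) * 10_000_000


def parse_i_record(data: bytes) -> dict:
    """Return version, original size, deletion time (UTC) and original path."""
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I record version {version}")
    # The path is null-terminated; drop the terminator and any padding.
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_utc": filetime_to_utc(deleted),
        "original_path": path,
    }


def build_i_record(version: int, path: str, size: int, deleted_at: datetime) -> bytes:
    """Build a constructed $I record for testing (not real evidence)."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, utc_to_filetime(deleted_at))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError(version)


# Constructed samples: a Windows 10 record and a Windows 7 record.
SAMPLE_V2 = build_i_record(2, "E:\\Projects\\ClientList.xlsx", 48213,
                           datetime(2024, 5, 2, 14, 7, 31, tzinfo=timezone.utc))
SAMPLE_V1 = build_i_record(1, "C:\\Users\\jdoe\\Documents\\notes.txt", 1024,
                           datetime(2013, 11, 20, 8, 0, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for rec in (SAMPLE_V2, SAMPLE_V1):
        print(parse_i_record(rec))
```

Comparing the records from the live $Recycle.Bin with those from each shadow copy shows files that were deleted and then purged from the bin between restore points.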
All of the USB devices connected to the computer, as well as their serial numbers, can be extracted from the registry. This has become very useful when someone steals information from their former employer: we are able to tell whether they are indeed returning the actual USB drive that the data was copied onto. LNK (link) files are also invaluable in determining what files may be contained on a USB drive that were copied from the former employee's computer. When a file is opened on the USB device, a LNK file is created that records the drive letter of the USB drive and the file name. Through this analysis, we can determine the names of some of the files or directories located on that USB drive.
Shellbags are entries stored in the computer's registry that contain information about the folders that have been viewed, including the window size, view setting, icon and position of each folder in Windows Explorer. When the analysis of the shellbags is combined with the analysis of the LNK files, a pattern can emerge of what files and folders were present on the USB key (or computer), even after they have been deleted.
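To show concretely what the LNK analysis described in the two paragraphs above recovers, here is an added Python example (not code from the original page) that parses the fields of a shortcut file that matter for USB tracing: the target volume's drive type, volume serial number and label, the local path the link pointed at, and the target's timestamps. The field layout follows Microsoft's public MS-SHLLINK specification; the sample shortcut is constructed inside the file and is not a file recovered from any case.

```python
"""Parse the USB-relevant parts of a Windows shortcut (.lnk) file.

Only the ShellLinkHeader and the LinkInfo structure are decoded; the
LinkTargetIDList is skipped by size. The sample .lnk at the bottom is
constructed here for illustration and is not real evidence.
"""
import struct
from datetime import datetime, timedelta, timezone

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01        # ShellLinkHeader.LinkFlags bit A
HAS_LINK_INFO = 0x02                  # ShellLinkHeader.LinkFlags bit B
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfo.LinkInfoFlags bit A
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def _cstring(data: bytes, off: int) -> str:
    """Read a null-terminated single-byte string at the given offset."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    result = {
        "target_created": filetime_to_utc(ctime),
        "target_accessed": filetime_to_utc(atime),
        "target_modified": filetime_to_utc(wtime),
        "target_size": size,
    }
    pos = 0x4C  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = pos + vol_off
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
            result["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            result["volume_serial"] = f"{serial:08X}"
            # Labels stored as Unicode (VolumeLabelOffset == 0x14) are not handled here.
            result["volume_label"] = _cstring(data, vol + label_off)
            result["local_base_path"] = _cstring(data, pos + base_off)
        pos += info_size
    return result


def build_sample_lnk() -> bytes:
    """Constructed shortcut to a spreadsheet on a removable volume (not real evidence)."""
    when = int((datetime(2023, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
                - _EPOCH_1601).total_seconds()) * 10_000_000
    label = b"KINGSTON\x00"
    path = b"E:\\Projects\\ClientList.xlsx\x00"
    # VolumeID: size, DriveType (2 = removable), serial, label offset, label data
    volume_id = struct.pack("<IIII", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    vol_off = 0x1C  # LinkInfo header size without the optional Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path)
    info_size = suffix_off + 1  # plus an empty CommonPathSuffix terminator
    link_info = struct.pack("<IIIIIII", info_size, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + path + b"\x00"
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, HAS_LINK_INFO,
                         0x20, when, when, when, 48213, 0, 1, 0, 0, 0, 0)
    return header + link_info


if __name__ == "__main__":
    print(parse_lnk(build_sample_lnk()))
```

The volume serial recovered here is the file-system serial of the USB volume, which the examiner then ties back to the device serials enumerated from the registry; the local base path supplies the drive letter and file name the paragraph above refers to.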
Almost all programs running on a Windows operating system leave some type of entry in the registry. What is most useful is when those programs store logging or audit data about their use. In one case, a program available for purchase on the Internet had a secure-delete function built into it. The program tracked the file names and sizes of the files that were securely deleted. This evidence became crucial to the investigation after the accused claimed that he had never run the program to erase evidence.