We covered the second part of Windows OS forensics where we demonstrated gathering artifacts from the file system. We covered extracting artifacts by recovering deleted data, examining and parsing prefetch files, Windows 10 timeline, jump lists, shortcuts and USB devices. We used forensics tools such as Autopsy EZ Tools. This was part of the Cyber Defense pathway.. This was part of TryHackMe Windows Forenscis 2 Cyber Defense track.

Get Computer Forensics Notes

The Complete Practical Web Application Penetration Testing Course

Challenge Description

Learn about common Windows file systems and forensic artifacts in the file systems.

Video Highlights

we will learn about forensic artifacts in other places. We will learn about the different file systems commonly used by Windows and where to look in these file systems when looking for artifacts. We will identify locations and artifacts to prove evidence of execution, file/folder usage or knowledge, and external device usage. We will also cover the basics of recovering deleted files. We will use Eric Zimmerman’s tools to parse information present in the artifacts for most of this room. We already used Registry Explorer and ShellBags Explorer in the previous room. For some of the tasks, we will use Autopsy.

Understanding the file systems makes it easier to know how files are deleted, recovered, and wiped. As we learned in the previous two tasks, a file system stores the location of a file on the disk in a table or a database. When we delete a file from the file system, the file system deletes the entries that store the file’s location on the disk. For the file system, the location where the file existed is now available for writing or unallocated. However, the file contents on disk are still there, as long as they are not overwritten by the file system while copying another file or by the disk firmware while performing maintenance on the disk.

Similarly, there is data on the disk in different unallocated clusters, which can possibly be recovered. To recover this data, we have to understand the file structure of different file types to identify the specific file through the data we see in a hex editor. However, we will not cover that in this room. What we will do, is to use a tool that does this work for us and identifies deleted files in a disk image file.

Windows Prefetch files

When a program is run in Windows, it stores its information for future use. This stored information is used to load the program quickly in case of frequent use. This information is stored in prefetch files which are located in the C:\Windows\Prefetch directory.

Prefetch files have an extension of .pf. Prefetch files contain the last run times of the application, the number of times the application was run, and any files and device handles used by the file. Thus it forms an excellent source of information about the last executed programs and files.

We can use Prefetch Parser (PECmd.exe) from Eric Zimmerman’s tools for parsing Prefetch files and extracting data.

Shortcut Files

Windows creates a shortcut file for each file opened either locally or remotely. The shortcut files contain information about the first and last opened times of the file and the path of the opened file, along with some other data. Shortcut files can be found in the following locations:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\

C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\

We can use Eric Zimmerman’s LECmd.exe (Lnk Explorer) to parse Shortcut files.

Room Answers

How many addressable bits are there in the FAT32 file system?

What is the maximum file size supported by the FAT32 file system?

Which file system is used by digital cameras and SD cards?
Parse the $MFT file placed in C:\users\THM-4n6\Desktop\triage\C\ and analyze it. What is the Size of the file located at .\Windows\Security\logs\SceSetupLog.etl

What is the size of the cluster for the volume from which this triage was taken?

There is another xlsx file that was deleted. What is the full name of that file?

What is the name of the TXT file that was deleted from the disk?

Recover the TXT file from Question #2. What was written in this txt file?

How many times was gkape.exe executed?

What is the last execution time of gkape.exe

When Notepad.exe was opened on 11/30/2021 at 10:56, how long did it remain in focus?

What program was used to open C:\Users\THM-4n6\Desktop\KAPE\KAPE\ChangeLog.txt?

When was the folder C:\Users\THM-4n6\Desktop\regripper last opened?

When was the above-mentioned folder first opened?

Which artifact will tell us the first and last connection times of a removable drive?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles