We covered the second part of Windows OS forensics, where we demonstrated gathering artifacts from the file system: recovering deleted data, and examining and parsing prefetch files, the Windows 10 timeline, jump lists, shortcut (.lnk) files and USB device logs. We used forensic tools such as Autopsy and Eric Zimmerman's tools (EZ Tools). This was part of the TryHackMe Windows Forensics 2 room in the Cyber Defense pathway.

Challenge Description

Learn about common Windows file systems and forensic artifacts in the file systems.

Room Answers

How many addressable bits are there in the FAT32 file system?

What is the maximum file size supported by the FAT32 file system?

Which file system is used by digital cameras and SD cards?

Parse the $MFT file placed in C:\users\THM-4n6\Desktop\triage\C\ and analyze it. What is the size of the file located at .\Windows\Security\logs\SceSetupLog.etl?

What is the size of the cluster for the volume from which this triage was taken?

There is another xlsx file that was deleted. What is the full name of that file?

What is the name of the TXT file that was deleted from the disk?

Recover the TXT file from Question #2. What was written in this txt file?

How many times was gkape.exe executed?

What is the last execution time of gkape.exe?

When Notepad.exe was opened on 11/30/2021 at 10:56, how long did it remain in focus?

What program was used to open C:\Users\THM-4n6\Desktop\KAPE\KAPE\ChangeLog.txt?

When was the folder C:\Users\THM-4n6\Desktop\regripper last opened?

When was the above-mentioned folder first opened?

Which artifact will tell us the first and last connection times of a removable drive?

Windows Forensics Artifacts

Artifacts are the traces of activity a system leaves behind. The first part of the series covered the registry; this part makes it clear that the file system is an equally important place to dig for clues.

For the file system, data acquisition normally means cloning the disk or creating a forensic image of the whole volume (or, as in this room, taking a targeted triage collection of the relevant files). The video mentions FTK Imager as the go-to imaging tool on Windows and dd on Linux; whichever is used, hash the image and work on a copy so the original evidence is never modified.

I also got a refresher on FAT32 versus NTFS. FAT32 is the older file system with hard limits: a single file cannot exceed 4 GB (the 32 GB figure mentioned in the video is the largest FAT32 volume Windows' own formatter will create, not a file-size limit), and it has no permissions and no journaling; its successor exFAT lifts the size limits and is what SD cards and digital cameras use today. NTFS, the modern Windows file system, removes these limitations: it handles very large files and volumes, has real security features (per-file ACLs and EFS encryption), keeps a transaction journal ($LogFile) so the volume can be brought back to a consistent state after a crash, and supports per-file compression. Its central structure, and the one a forensic examiner cares about most, is the MFT (Master File Table).

The MFT holds a record for every file and directory on an NTFS volume, including the metadata files themselves: record 0 is $MFT, which describes the table itself, and $LogFile, the transaction journal behind the journaling feature, is record 2. The MFT is not the first thing on the volume, though; that is the boot sector, $Boot, which is what tells you where the MFT starts and how large its records and the volume's clusters are. Because every file has a record in it, the MFT is the primary place to look for file-system artifacts. The video showed how to parse it with MFTECmd.exe from Eric Zimmerman's suite of tools.

I found the section on recovering deleted files particularly interesting. Deleting a file does not erase it: NTFS clears the in-use flag on the file's MFT record and marks its clusters free in $Bitmap, while the record and the file content stay on disk until they are reused. That is why secure deletion needs a wiping tool (and why, on SSDs with TRIM enabled, deleted data may in fact disappear quickly). The video demonstrated using Autopsy to list and recover these seemingly "deleted" files, which was pretty cool.
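To make the two points above concrete (the $Boot sector tells you the cluster and MFT record sizes, and a deleted file is just an MFT record whose in-use flag has been cleared), here is an added Python example that is not part of the original post or of MFTECmd. It builds a constructed NTFS boot sector and two constructed 1 KiB FILE records, applies the update-sequence fixups the way NTFS requires, and reads back the geometry, the in-use flag and the name from the $FILE_NAME attribute. All values, names and record numbers are made up for illustration; only the on-disk layouts are real.

```python
import struct

SECTOR = 512  # bytes per sector used by the constructed samples below


def build_boot_sector() -> bytes:
    """Constructed NTFS $Boot: 512-byte sectors, 8 sectors/cluster, 1 KiB MFT records."""
    b = bytearray(SECTOR)
    b[0:3], b[3:11] = b"\xEB\x52\x90", b"NTFS    "
    struct.pack_into("<H", b, 11, SECTOR)       # bytes per sector
    b[13] = 8                                   # sectors per cluster
    b[21] = 0xF8                                # media descriptor: fixed disk
    struct.pack_into("<Q", b, 40, 0x1DFFFFF)    # total sectors
    struct.pack_into("<Q", b, 48, 0xC0000)      # $MFT start cluster
    struct.pack_into("<Q", b, 56, 2)            # $MFTMirr start cluster
    b[64] = 0xF6                                # MFT record size, signed: -10 -> 2^10 bytes
    b[68] = 0x01                                # index buffer size: 1 cluster
    b[510:512] = b"\x55\xAA"
    return bytes(b)


def parse_boot_sector(boot: bytes) -> dict:
    """The geometry MFTECmd reports for $Boot: sector, cluster and MFT record sizes."""
    if boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, = struct.unpack_from("<H", boot, 11)
    spc = boot[13]
    if spc > 0x80:                              # large clusters are encoded as 2^(256-n)
        spc = 1 << (0x100 - spc)
    cluster = bps * spc
    rec = boot[64]                              # signed: negative -> 2^-n bytes, else n clusters
    record_size = (1 << (0x100 - rec)) if rec > 0x80 else rec * cluster
    mft_cluster, = struct.unpack_from("<Q", boot, 48)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_size": cluster,
            "mft_record_size": record_size, "mft_offset": mft_cluster * cluster}


def build_mft_record(name: str, in_use: bool, record_no: int) -> bytes:
    """Constructed 1 KiB FILE record with $STANDARD_INFORMATION and one $FILE_NAME."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 48, 3)       # update-sequence array at 48: USN + 2 sectors
    struct.pack_into("<HHHH", rec, 16, 1, 1, 56, 0x01 if in_use else 0x00)  # seq, links, 1st attr, flags
    struct.pack_into("<I", rec, 28, 1024)        # allocated size
    struct.pack_into("<I", rec, 44, record_no)
    pos = 56
    # $STANDARD_INFORMATION (0x10): resident, 48-byte body left zeroed for brevity
    struct.pack_into("<IIBBHHHIH", rec, pos, 0x10, 72, 0, 0, 0, 0, 0, 48, 24)
    pos += 72
    # $FILE_NAME (0x30): parent reference, 4 timestamps, sizes, flags, then the name
    body = bytearray(66) + name.encode("utf-16-le")
    struct.pack_into("<Q", body, 0, 5 | (5 << 48))  # parent = root directory (record 5, seq 5)
    body[64], body[65] = len(name), 1               # name length in chars, namespace 1 = Win32
    alen = (24 + len(body) + 7) & ~7
    struct.pack_into("<IIBBHHHIH", rec, pos, 0x30, alen, 0, 0, 0, 0, 1, len(body), 24)
    rec[pos + 24:pos + 24 + len(body)] = body
    pos += alen
    struct.pack_into("<I", rec, pos, 0xFFFFFFFF)     # end-of-attributes marker
    struct.pack_into("<I", rec, 24, pos + 8)         # bytes in use
    # Update sequence: NTFS stashes the last word of every sector in the USA and
    # writes the USN there instead, so a torn write is detectable on read.
    struct.pack_into("<H", rec, 48, 0x0007)
    for i in (1, 2):
        end = i * SECTOR - 2
        rec[48 + 2 * i:50 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = rec[48:50]
    return bytes(rec)


def parse_mft_record(raw: bytes) -> dict:
    """Undo the fixups, read the header flags, and walk the attributes for $FILE_NAME."""
    if raw[:4] != b"FILE":
        raise ValueError("bad FILE signature")
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    seq, links, pos, flags = struct.unpack_from("<HHHH", rec, 16)
    info = {"record": struct.unpack_from("<I", rec, 44)[0], "seq": seq,
            "in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02),
            "name": None, "parent": None}
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x30 and rec[pos + 8] == 0:      # resident $FILE_NAME
            c = pos + struct.unpack_from("<H", rec, pos + 20)[0]
            nlen, ns = rec[c + 64], rec[c + 65]
            if info["name"] is None or ns != 2:     # prefer a long name over an 8.3 DOS name
                info["name"] = rec[c + 66:c + 66 + 2 * nlen].decode("utf-16-le")
                info["parent"] = struct.unpack_from("<Q", rec, c)[0] & 0xFFFFFFFFFFFF
        pos += alen
    return info


if __name__ == "__main__":
    print(parse_boot_sector(build_boot_sector()))
    for raw in (build_mft_record("report.xlsx", True, 40), build_mft_record("old_notes.txt", False, 41)):
        i = parse_mft_record(raw)
        print(f"{i['record']}: {i['name']} ({'allocated' if i['in_use'] else 'deleted'})")
```

The record with the in-use bit cleared is exactly what MFTECmd lists with InUse=False and Autopsy marks with a red X; its name, parent reference and timestamps are still readable, which is how the deleted xlsx and txt files in the room can be named. When a record is later reused for a new file its sequence number is incremented, so an old $FILE_NAME and a new sequence number together tell you the entry has been recycled.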

Beyond the MFT, I discovered several other key artifact locations within the file system:

  • Prefetch Files (C:\Windows\Prefetch): one .pf file per executed program, recording the run count and the last run time (the last eight run times since Windows 8). PECmd.exe parses them.
  • Windows 10 Timeline: recently used applications and their focus sessions, stored in the SQLite database C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db. WxTCmd.exe parses it.
  • Windows Jump Lists: the per-application "recent items" shortcuts, stored under C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and CustomDestinations. They show which files were opened with which program, and JLECmd.exe parses them.
  • Shortcut Files (.lnk) (C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent): Windows creates one for each recently opened file or document, embedding the target's path and timestamps. LECmd.exe parses them.
  • USB Device Information: the registry is the main source, but C:\Windows\INF\setupapi.dev.log also records device driver installation with a timestamp, which gives the first time a removable drive was connected.
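As an added example of what PECmd reads out of a prefetch file (this is my code, not the post's and not PECmd's), the block below builds a constructed, uncompressed version 26 (Windows 8.x) prefetch file and parses the executable name, run count and last-run FILETIMEs from it. The executable name, hash and timestamps are made up. Windows 10 and 11 write version 30 files compressed with XPRESS Huffman (they begin with "MAM"), so on the room's triage image PECmd first decompresses them; this example refuses such files rather than guessing at the decompressed layout.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Run-count offset and number of last-run FILETIME slots (the slots start at offset
# 128) for the uncompressed formats: 23 = Windows 7, 26 = Windows 8.x.
RUN_COUNT_OFFSET = {23: 152, 26: 208}
RUN_TIME_SLOTS = {23: 1, 26: 8}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    td = dt - FILETIME_EPOCH          # integer arithmetic: floats lose precision here
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def build_prefetch_v26(exe: str, run_count: int, run_times: list) -> bytes:
    """Constructed version 26 header + file-information block. Only the fields read
    below are populated; the metrics, trace-chain and volume sections are absent."""
    buf = bytearray(84 + 224)
    struct.pack_into("<I4sII", buf, 0, 26, b"SCCA", 0x11, len(buf))  # version, sig, ?, size
    buf[16:76] = exe.encode("utf-16-le").ljust(60, b"\x00")            # name, UTF-16, NUL padded
    struct.pack_into("<I", buf, 76, 0x4F0D7B9C)                         # constructed path hash
    for i, dt in enumerate(run_times[:8]):                              # most recent first
        struct.pack_into("<Q", buf, 128 + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", buf, 208, run_count)
    return bytes(buf)


def parse_prefetch(data: bytes) -> dict:
    """Executable name, run count and run times, the fields PECmd's CSV is built from."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed (Windows 10/11) prefetch file: decompress first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file")
    if version not in RUN_COUNT_OFFSET:
        raise ValueError(f"prefetch version {version} not handled here")
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    run_count, = struct.unpack_from("<I", data, RUN_COUNT_OFFSET[version])
    times = []
    for i in range(RUN_TIME_SLOTS[version]):
        ft, = struct.unpack_from("<Q", data, 128 + 8 * i)
        if ft:                                   # unused slots are zero
            times.append(filetime_to_datetime(ft))
    # run_count can exceed len(times): only the most recent runs keep a timestamp.
    return {"name": name, "version": version, "run_count": run_count,
            "last_run": times[0] if times else None, "run_times": times}


if __name__ == "__main__":
    sample = build_prefetch_v26("GKAPE.EXE", 3, [
        datetime(2021, 11, 30, 9, 15, tzinfo=timezone.utc),
        datetime(2021, 11, 29, 17, 2, 30, tzinfo=timezone.utc)])
    info = parse_prefetch(sample)
    print(f"{info['name']} ran {info['run_count']} times, last at {info['last_run']:%Y-%m-%d %H:%M:%S} UTC")
```

The FILETIME conversion is the piece worth keeping: the same 64-bit UTC tick count appears in $STANDARD_INFORMATION, .lnk headers and jump lists, so any timeline you build from these artifacts should be converted with integer arithmetic and kept in UTC, with local time applied only when presenting.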

I saw how to:

  • Use MFTECmd.exe to parse the $MFT and the $Boot file; the $Boot output gives the volume's cluster size and MFT record size.
  • Recover deleted files using Autopsy, identifying files marked with a red ‘X’ and extracting a hidden note from a deleted text file.
  • Analyze prefetch files with PECmd.exe to determine execution times and counts for programs like gkape.exe.
  • Analyze the Windows 10 timeline with WxTCmd.exe to find out how long Notepad was in focus.
  • Analyze jump lists with JLECmd.exe to determine which program opened a specific changelog file.
  • Look for external device connection times in the setupapi.dev.log file.
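The Notepad focus-time step above is a query over the Timeline database, so here is an added Python example (mine, not the post's and not WxTCmd's) that runs it. It constructs an in-memory stand-in for ActivitiesCache.db with only the Activity-table columns the query needs and made-up rows, then lists each InFocus record (ActivityType 6) with its duration, handling a session whose EndTime is still 0. The AppId JSON values and times are constructed; the column names, the epoch-seconds timestamps and the type codes 5 (ExecutionOpen) and 6 (InFocus) follow the real database.

```python
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType values in the Activity table of ActivitiesCache.db
EXECUTION_OPEN, IN_FOCUS = 5, 6


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for ActivitiesCache.db: only the Activity columns this
    query reads, with made-up rows. Times are Unix epoch seconds, as in the real DB."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE Activity (
        Id BLOB PRIMARY KEY, AppId TEXT, ActivityType INT, LastModifiedTime INT,
        ExpirationTime INT, StartTime INT, EndTime INT, Payload BLOB)""")
    notepad = json.dumps([{"application": "C:\\Windows\\System32\\notepad.exe",
                           "platform": "x_exe_path"}])
    word = json.dumps([{"application": "Microsoft.Office.WINWORD.EXE.15",
                        "platform": "windows_win32"}])
    t = 1638263700                                   # constructed: 2021-11-30 09:15:00 UTC
    expiry = t + 30 * 86400
    rows = [
        (b"\x01", notepad, EXECUTION_OPEN, t, expiry, t, 0, None),
        (b"\x02", notepad, IN_FOCUS, t + 330, expiry, t, t + 330, None),       # 5m30s in focus
        (b"\x03", word, IN_FOCUS, t + 2000, expiry, t + 600, t + 2000, None),
        (b"\x04", notepad, IN_FOCUS, t + 3000, expiry, t + 3000, 0, None),     # never closed
    ]
    con.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?)", rows)
    return con


def app_name(app_id_json: str) -> str:
    """AppId is a JSON list of {application, platform}; prefer the full exe path."""
    entries = json.loads(app_id_json)
    for entry in entries:
        if entry.get("platform") == "x_exe_path":
            return entry["application"]
    return entries[0]["application"] if entries else "?"


def focus_sessions(con: sqlite3.Connection) -> list:
    """InFocus records with their duration; an EndTime of 0 means the session never closed."""
    rows = con.execute(
        "SELECT AppId, StartTime, EndTime FROM Activity WHERE ActivityType = ? "
        "ORDER BY StartTime", (IN_FOCUS,)).fetchall()
    sessions = []
    for app_json, start, end in rows:
        sessions.append({
            "app": app_name(app_json),
            "start": datetime.fromtimestamp(start, tz=timezone.utc),
            "duration_s": (end - start) if end else None,
        })
    return sessions


if __name__ == "__main__":
    for s in focus_sessions(build_sample_db()):
        d = s["duration_s"]
        shown = "still open" if d is None else f"{d // 60}m{d % 60:02d}s"
        print(f"{s['start']:%Y-%m-%d %H:%M:%S} UTC  {s['app']}  in focus {shown}")
```

WxTCmd does the same join for you and writes the result to CSV with a Duration column; when an EndTime is 0 the duration it shows is meaningless, so treat such rows as "open at the time of collection" rather than as a measured focus period.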

Technical Commands from the Terminal

Here are the technical commands I extracted from the video, which were used to analyze various file system artifacts:

  • MFTECmd.exe -f <path_to_$MFT_file> --csv <output_directory_path>
    • Example: MFTECmd.exe -f C:\THM\disk\mft --csv C:\Users\THM\Desktop
  • MFTECmd.exe -f <path_to_$Boot_file> --csv <output_directory_path>
    • Example: MFTECmd.exe -f C:\THM\disk\boot --csv C:\Users\THM\Desktop
  • PECmd.exe -d <path_to_prefetch_directory> --csv <output_directory_path>
    • Example: PECmd.exe -d C:\THM\triage\C\Windows\Prefetch --csv C:\Users\THM\Desktop
  • WxTCmd.exe -f <path_to_ActivitiesCache.db> --csv <output_directory_path>
    • Example: WxTCmd.exe -f C:\THM\triage\C\Users\thm4n6\AppData\Local\ConnectedDevicesPlatform\L.WIN-R375N042410\ActivitiesCache.db --csv C:\Users\THM\Desktop
  • JLECmd.exe -d <path_to_AutomaticDestinations_directory> --csv <output_directory_path>
    • Example: JLECmd.exe -d C:\THM\triage\C\Users\thm4n6\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations --csv C:\Users\THM\Desktop
  • LECmd.exe -d <path_to_Recent_directory> --csv <output_directory_path>
    • Example: LECmd.exe -d C:\THM\triage\C\Users\thm4n6\AppData\Roaming\Microsoft\Windows\Recent --csv C:\Users\THM\Desktop

In all of these, --csv takes a directory: each tool writes a timestamped CSV into it (add --csvf <name> to choose the file name), and the CSVs open directly in Timeline Explorer for filtering and sorting.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
