We covered the second part of Windows OS forensics, where we demonstrated gathering artifacts from the file system. We covered extracting artifacts by recovering deleted data, and by examining and parsing prefetch files, the Windows 10 timeline, jump lists, shortcut (LNK) files and USB device logs. We used forensics tools such as Autopsy and Eric Zimmerman's (EZ) tools. This was part of the TryHackMe Windows Forensics 2 room in the Cyber Defense pathway.
Challenge Description
Learn about common Windows file systems and forensic artifacts in the file systems.
Room Answers
What is the maximum file size supported by the FAT32 file system?
C:\users\THM-4n6\Desktop\triage\C\ and analyze it. What is the size of the file located at .\Windows\Security\logs\SceSetupLog.etl?
What is the size of the cluster for the volume from which this triage was taken?
What is the name of the TXT file that was deleted from the disk?
Recover the TXT file from Question #2. What was written in this txt file?
What is the last execution time of gkape.exe?
When Notepad.exe was opened on 11/30/2021 at 10:56, how long did it remain in focus?
What program was used to open C:\Users\THM-4n6\Desktop\KAPE\KAPE\ChangeLog.txt?
When was the above-mentioned folder first opened?
Windows Forensics Artifacts
I learned that artifacts are basically traces of activity left behind on a system. The first part of the series covered the registry; this video makes it clear that the file system is an equally crucial place to dig for clues.
When it comes to data acquisition for file systems, I discovered that the standard practice is to clone the disk or create a forensic image of the whole drive rather than copying files through the running operating system, so that unallocated space and file system metadata are captured too (and the image can be hashed to prove it has not changed since acquisition). The video mentioned FTK Imager as a go-to tool for Windows, and dd for Linux, which I found helpful to know.
I also got a good refresher on the differences between file systems, specifically FAT32 and NTFS. FAT32 is an older system with limitations: a single file cannot exceed 4 GB (4 GiB minus one byte), and although Windows' built-in formatter refuses to create FAT32 volumes larger than 32 GB, the 4 GB file limit is the one that matters for the room question. NTFS, on the other hand, is the modern Windows file system that overcomes these limitations. I noted down its key features: it handles much larger files and volumes, has strong security features (per-file access control lists and EFS encryption), includes journaling (the $LogFile transaction log, which helps with recovery after crashes by tracking metadata changes), and supports compression to save space. A critical component of NTFS that I learned about is the MFT (Master File Table).
The MFT is pretty central to file system forensics. I now understand that it holds an entry for every single file and directory on an NTFS volume. The boot sector at the start of the volume points at it, and its first record ($MFT, record 0) describes the MFT itself; the other NTFS system files are ordinary MFT entries too, including $LogFile (record 2), the transaction journal behind the journaling feature, and $Boot (record 7), a copy of the boot sector whose bytes-per-sector and sectors-per-cluster fields define the volume's cluster size. This makes the MFT a primary target for finding artifacts. The video showed how to use MFTECmd.exe from Eric Zimmerman's suite of tools to explore it.
I found the section on recovering deleted files particularly interesting. I always thought deleting a file meant it was gone, but I learned that when a file is deleted, NTFS only clears the in-use flag on its MFT entry and marks its clusters as free in $Bitmap; the entry's metadata (name, timestamps, size, data runs) and the actual content remain on the disk until they are overwritten. That is why recovery works, and why specialized wiping tools that overwrite the data are needed for secure deletion. It also means that the longer a system keeps running after the deletion, the less likely the content survives, which is a good argument for imaging before doing anything else. The video also demonstrated using Autopsy to recover these seemingly "deleted" files, which was pretty cool.
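The two MFT questions above (cluster size from $Boot, and what a deleted entry still tells you) come down to a handful of byte offsets. The following is an added example, not the room's tooling or Eric Zimmerman's code: it hand-parses an NTFS boot sector and one 1024-byte FILE record, applying the update-sequence fixups the way the file system does, and reports the cluster size, the file name, its size and whether the entry is still in use. The $Boot sector and the FILE record it runs on are constructed in code (the file name, size and timestamp are made up), not taken from the TryHackMe triage image.

```python
"""Hand-parse an NTFS $Boot sector and one MFT FILE record (added example, not the
room's tooling). It mirrors a small part of what MFTECmd.exe does; the $Boot sector
and the FILE record are constructed below, not taken from the triage image."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):                   # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_boot_sector(boot):
    """Read the BIOS parameter block of $Boot; the cluster size lives here."""
    if boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", boot, 0x0B)         # bytes/sector, sectors/cluster
    cpr = struct.unpack_from("<b", boot, 0x40)[0]            # clusters per FILE record;
    record_size = 2 ** -cpr if cpr < 0 else cpr * bps * spc  # negative means 2**|cpr| bytes
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_size": bps * spc,
            "mft_record_size": record_size}

def apply_fixups(record, bps=512):
    """NTFS swaps the last 2 bytes of each sector of a record for the USN and parks
    the originals in the update sequence array (USA); put them back before parsing."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn, rec = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_count):
        end = i * bps
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(record, bps=512):
    """Return name, size, creation time and in-use flag of one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record, bps)
    off, flags = struct.unpack_from("<HH", rec, 0x14)        # first attribute offset, flags
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
            "is_dir": bool(flags & 2), "name": None, "size": None, "created": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:                  # end-of-attributes marker
            break
        non_resident, name_len = rec[off + 8], rec[off + 9]
        if atype == 0x30:                                      # $FILE_NAME, always resident
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            n, namespace = body[0x40], body[0x41]
            if info["name"] is None or namespace != 2:         # prefer the long name over 8.3
                info["name"] = body[0x42:0x42 + 2 * n].decode("utf-16-le")
            info["created"] = filetime_to_dt(struct.unpack_from("<Q", body, 0x08)[0])
        elif atype == 0x80 and name_len == 0:                  # the unnamed $DATA stream
            if non_resident:                                   # real size is in the header
                info["size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]
            else:                                              # content is inline in the record
                info["size"] = struct.unpack_from("<I", rec, off + 0x10)[0]
        off += alen
    return info

# ---- constructed sample data (not from the triage image) --------------------
def _attr(atype, body, non_resident_size=None):
    if non_resident_size is None:                              # resident: body follows header
        raw = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0) + body
    else:                                                      # non-resident: sizes + empty run list
        raw = struct.pack("<IIBBHHHQQHHIQQQ", atype, 0, 1, 0, 0x40, 0, 0, 0, 0, 0x40, 0, 0,
                          non_resident_size, non_resident_size, non_resident_size) + b"\x00"
    raw += b"\x00" * (-len(raw) % 8)
    return raw[:4] + struct.pack("<I", len(raw)) + raw[8:]

def sample_boot():
    b = bytearray(512)
    b[0:3], b[3:11], b[510:512] = b"\xEB\x52\x90", b"NTFS    ", b"\x55\xAA"
    struct.pack_into("<HB", b, 0x0B, 512, 8)       # 512-byte sectors, 8 per cluster -> 4096
    struct.pack_into("<b", b, 0x40, -10)           # FILE record = 2**10 = 1024 bytes
    return bytes(b)

def sample_record(name, size, in_use, created):
    enc = name.encode("utf-16-le")
    fn = bytearray(0x42 + len(enc))
    struct.pack_into("<Q", fn, 0x08, dt_to_filetime(created))
    struct.pack_into("<QQ", fn, 0x28, size, size)
    fn[0x40], fn[0x41], fn[0x42:] = len(name), 1, enc         # namespace 1 = Win32 name
    attrs = _attr(0x30, bytes(fn)) + _attr(0x80, b"", size) + b"\xFF\xFF\xFF\xFF"
    rec = bytearray(1024)
    rec[0:4], rec[0x38:0x38 + len(attrs)] = b"FILE", attrs
    struct.pack_into("<HH", rec, 4, 0x30, 3)                  # USA at 0x30: USN + 2 sector slots
    struct.pack_into("<HH", rec, 0x14, 0x38, 0x01 if in_use else 0x00)
    struct.pack_into("<IH", rec, 0x2C, 43, 0xBEEF)            # record number, then the USN
    for i in (1, 2):                                           # protect sectors as NTFS does
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[512 * i - 2:512 * i]
        rec[512 * i - 2:512 * i] = rec[0x30:0x32]
    return bytes(rec)

DELETED_NOTE = sample_record("secret-note.txt", 31, False, datetime(2021, 11, 30, 10, 56, tzinfo=timezone.utc))
```

Against a real image you would read the 512-byte $Boot and the raw $MFT extracted from the triage folder and feed parse_mft_record each 1024-byte slice; the interesting entries for the "deleted TXT file" question are the ones whose in_use flag is False but whose $FILE_NAME attribute still carries a name and size. The fixup check is not optional: parsing a record whose sector trailers do not match the USN means you are reading torn or reused data, and a real tool refuses it the same way.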
Beyond the MFT, I discovered several other key artifact locations within the file system:
- Prefetch files (located at C:\Windows\Prefetch): one .pf file per executed program, storing the run count and the last execution times (Windows 8 and later keep the last eight), along with the files and directories the program touched during its first seconds. I saw how PECmd.exe can be used to analyze them.
- Windows 10 Timeline: stores recently used applications, and how long each was in focus, in an SQLite database named ActivitiesCache.db under C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<account-specific folder>\. WxTCmd.exe is the tool for exploring it.
- Windows Jump Lists: the "recent items" menus attached to taskbar and Start menu icons. They are stored per application, named by AppID, in the AutomaticDestinations and CustomDestinations folders under C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\, and provide insights into recently opened files and the programs that opened them; JLECmd.exe can analyze them.
- Shortcut files (.lnk) (found in C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent): these reveal recently opened files and documents, including the target's path, its timestamps and the volume it lived on, and LECmd.exe is used for their analysis.
- USB device information: while the registry is the main source, I learned that the setupapi.dev.log file in C:\Windows\INF also logs connected devices, with a timestamp for each device installation, so it gives the first time a device was plugged in.
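The Windows 10 Timeline item above is the one that answers "how long did Notepad remain in focus": ActivitiesCache.db is plain SQLite, and the focus spans are rows with a start and an end time. The block below is an added example, not code from the room or from WxTCmd. It assumes the Activity table's AppId, ActivityType, StartTime and EndTime columns as WxTCmd reports them (ActivityType 5 = ExecuteOpen, 6 = InFocus, times as Unix epoch seconds); the in-memory table and its three rows are constructed for the example, and the application paths in them are made up.

```python
"""How long was an application in focus? Added example, not the room's or WxTCmd's
code. ActivitiesCache.db is plain SQLite, so the question is a query over the Activity
table. Only the columns used here are modelled and the rows are constructed for the
example, not taken from the triage image."""
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType values as WxTCmd labels them; treated as an assumption of this example
# (the real table carries many more columns and activity types than are modelled here).
EXECUTE_OPEN, IN_FOCUS = 5, 6

def exe_from_appid(app_id_json):
    """AppId is a JSON list of {application, platform}; x_exe_path names the binary."""
    for entry in json.loads(app_id_json):
        if entry.get("platform") == "x_exe_path":
            return entry["application"]
    return ""

def focus_sessions(con, exe_substring):
    """Every InFocus activity whose executable contains exe_substring, with its duration."""
    rows = con.execute("SELECT AppId, StartTime, EndTime FROM Activity "
                       "WHERE ActivityType = ? ORDER BY StartTime", (IN_FOCUS,))
    sessions = []
    for app_id, start, end in rows:
        exe = exe_from_appid(app_id)
        if exe_substring.lower() not in exe.lower():
            continue
        sessions.append({"exe": exe,
                         "start": datetime.fromtimestamp(start, timezone.utc),  # epoch seconds
                         "end": datetime.fromtimestamp(end, timezone.utc),
                         "focus_seconds": end - start})
    return sessions

def open_readonly(path):
    """Open a copied ActivitiesCache.db without modifying it (copy the -wal/-shm files too)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def build_sample_db():
    """Constructed stand-in for ActivitiesCache.db: in memory, subset of columns."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Activity (Id BLOB, AppId TEXT, ActivityType INTEGER, "
                "StartTime INTEGER, EndTime INTEGER, Payload BLOB)")
    notepad = json.dumps([{"application": r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe",
                           "platform": "x_exe_path"}])
    chrome = json.dumps([{"application": r"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Google\Chrome\Application\chrome.exe",
                          "platform": "x_exe_path"}])
    t0 = 1638269760                                            # 2021-11-30 10:56:00 UTC
    con.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?, ?, ?)", [
        (b"\x01", notepad, EXECUTE_OPEN, t0, t0, None),          # the launch itself, no span
        (b"\x02", notepad, IN_FOCUS, t0, t0 + 186, None),        # 3 min 6 s in the foreground
        (b"\x03", chrome, IN_FOCUS, t0 + 200, t0 + 1400, None),  # another app, filtered out
    ])
    con.commit()
    return con

if __name__ == "__main__":
    for s in focus_sessions(build_sample_db(), "notepad"):
        print(s["exe"], s["start"].isoformat(), f"{s['focus_seconds']} s in focus")
```

On a real case, copy ActivitiesCache.db together with any ActivitiesCache.db-wal and -shm sidecar files out of the triage image first, then open the copy with open_readonly; the query deliberately excludes ExecuteOpen rows, which mark a launch but carry no duration.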
I saw how to:
- Use MFTECmd.exe to analyze the MFT and the $Boot file to find information such as the volume's cluster size (bytes per sector multiplied by sectors per cluster) and the size of a given file.
- Recover deleted files using Autopsy, identifying files marked with a red "X" and extracting a hidden note from a deleted text file.
- Analyze prefetch files with PECmd.exe to determine execution times and run counts for programs like gkape.exe.
- Analyze the Windows 10 timeline with WxTCmd.exe to find out how long Notepad was in focus.
- Analyze jump lists with JLECmd.exe to determine which program opened a specific changelog file.
- Look for external device connection times in the setupapi.dev.log file.
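The last step, pulling a device's first connection time out of setupapi.dev.log, is a plain text-parsing job. The block below is an added example, not the room's tooling: it walks the log, pairs each "Device Install" section header with the "Section start" timestamp on the following line, keeps only USB and USBSTOR device instance IDs, and records the earliest section per device. The log excerpt it runs on is constructed in the real file's layout (the device IDs, serial number and timestamps are made up), not copied from the triage image.

```python
"""First-connection times of USB devices from setupapi.dev.log. Added example, not the
room's tooling. Each device installation is a section whose header names the device
instance ID and whose next line carries a timestamp, so the earliest section for a USB
device is its first connection. The log below is constructed, not from the triage image."""
import re
from datetime import datetime

HEADER = re.compile(r"^>>>\s+\[(?:Setup online )?Device Install \([^)]*\) - (?P<dev>.+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s*$")

def is_usb(dev):
    # USB\VID_... is the device itself, USBSTOR\... the disk enumerated on top of it;
    # WPDBUSENUM entries embed the USBSTOR id with '#' separators.
    d = dev.upper()
    return d.startswith(("USB\\", "USBSTOR\\")) or "USBSTOR#" in d

def usb_first_install_times(lines):
    """Map USB device instance IDs to the local time of their first install section.
    setupapi.dev.log timestamps are local machine time with no time zone marker."""
    seen, pending = {}, None
    for line in lines:
        m = HEADER.match(line)
        if m:
            pending = m.group("dev")                   # hold the header until its timestamp
            continue
        m = START.match(line)
        if m and pending is not None:
            dev, pending = pending, None
            if is_usb(dev):
                ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
                if dev not in seen or ts < seen[dev]:  # keep the earliest section per device
                    seen[dev] = ts
    return seen

# Constructed log excerpt in the real file's layout (not from the triage image).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - PCI\VEN_8086&DEV_15F3&SUBSYS_00008086&REV_03\3&11583659&0&A0]
>>>  Section start 2021/11/29 09:12:03.117
     cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2021/11/29 09:12:04.002
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230604102073]
>>>  Section start 2021/11/30 11:02:14.512
     cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2021/11/30 11:02:15.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230604102073&0]
>>>  Section start 2021/11/30 11:02:15.384
<<<  Section end 2021/11/30 11:02:16.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230604102073]
>>>  Section start 2021/12/02 08:40:51.009
<<<  Section end 2021/12/02 08:40:51.330
<<<  [Exit status: SUCCESS]
"""

def sample_results():
    return usb_first_install_times(SAMPLE_LOG.strip().splitlines())

if __name__ == "__main__":
    for dev, ts in sample_results().items():
        print(ts.isoformat(timespec="milliseconds"), dev)
```

For the real file, read C:\Windows\INF\setupapi.dev.log from the triage copy with errors="replace" (older entries can contain odd bytes) and pass the lines in; the serial number in the USB\VID_...\<serial> instance ID is the value to cross-reference with the USBSTOR and MountedDevices keys in the registry, and the second install section for the same device, two days later in the sample, is why the code keeps the earliest timestamp rather than the last one seen.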
Technical Commands from the Terminal
Here are the technical commands I extracted from the video, which were used to analyze various file system artifacts. All of them are Eric Zimmerman's tools and share the same conventions: -f points at a single artifact file, -d at a directory of artifacts, and --csv takes the directory where the CSV output is written.
MFTECmd.exe -f <path_to_mft_file> --csv <output_directory_path>
- Example: MFTECmd.exe -f C:\THM\disk\mft --csv C:\Users\THM\Desktop
MFTECmd.exe -f <path_to_boot_file> --csv <output_directory_path>
- Example: MFTECmd.exe -f C:\THM\disk\boot --csv C:\Users\THM\Desktop
PECmd.exe -d <path_to_prefetch_directory> --csv <output_directory_path>
- Example: PECmd.exe -d C:\THM\triage\C\Windows\Prefetch --csv C:\Users\THM\Desktop
WxTCmd.exe -f <path_to_activitiescache.db> --csv <output_directory_path>
- Example: WxTCmd.exe -f C:\THM\triage\C\Users\thm4n6\AppData\Local\ConnectedDevicesPlatform\L.WIN-R375N042410\ActivitiesCache.db --csv C:\Users\THM\Desktop
JLECmd.exe -d <path_to_automatic_destinations_directory> --csv <output_directory_path>
- Example: JLECmd.exe -d C:\THM\triage\C\Users\thm4n6\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations --csv C:\Users\THM\Desktop
LECmd.exe -d <path_to_recent_items_directory> --csv <output_directory_path>
- Example: LECmd.exe -d C:\THM\triage\C\Users\thm4n6\AppData\Roaming\Microsoft\Windows\Recent --csv C:\Users\THM\Desktop