Windows forensic keys: essential artifacts for digital investigation

Digital forensics is a complex field that requires in-depth knowledge of operating systems, networks, data analysis and the interaction between multiple technologies, among others. The main challenge lies in the identification, preservation and analysis of digital evidence without compromising its integrity.
In digital investigations, forensic artefacts are crucial because they provide key clues and evidence about the activities that have occurred on systems during an incident. By analysing these artefacts, forensic analysts can:
Reconstruct timelines of events, identifying when files were created, modified or deleted, when applications were run, or when network connections were made.
Identify user and attacker activities to detect user accounts that were logged in, applications that were run, or files that were opened or modified.
Detect malicious activity, such as malware traces, persistence techniques, lateral movement, and other indicators of compromise.
Provide evidence for legal investigations that can be presented during a trial.
In many cases, data is scattered in different areas of the system and may be volatile or difficult to detect. However, there are numerous artefacts in operating systems, which are relatively simple to collect and can provide crucial information for an investigation.
Types of forensic artefacts in Windows and their application in investigations
In Windows environments, artefacts such as event logs, Prefetch files and registry keys allow analysts to reconstruct key activities accurately and to answer most of the questions raised by a security incident, without the need for highly sophisticated techniques. Some of these key artefacts, and how they can be used to reconstruct events and activities on the system, are described below:
Event Logs: are essential for reconstructing system events and are useful for detecting intrusions, malicious activity or suspicious events. They are stored as .evtx files in C:\Windows\System32\winevt\Logs\ and can be examined with the Windows Event Viewer (eventvwr.msc from the Start menu) or exported and parsed offline. Security log entries such as failed logons (Event ID 4625) and successful logons (Event ID 4624) are critical in forensic investigations, as they identify unauthorised access attempts and track user activity; the logon type field distinguishes interactive (2), network (3) and RDP (10) sessions, and the source address and workstation name fields tie an attempt to a machine. Audit policy change events (ID 4719) record modifications to what the system logs, which can indicate an attempt to blind the log. Logs of interest include Security.evtx, System.evtx and Application.evtx, among others. Reading the Security log requires administrator rights, and the log is circular: once it reaches its configured maximum size the oldest events are overwritten, so the window it actually covers should be checked first (Get-WinEvent -ListLog Security shows the size and record count). For example, the following PowerShell command lists the time and details of each failed logon; the filter is applied by the event log service rather than after the fact, which is much faster on large logs than piping every event through Where-Object:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | Select-Object TimeCreated, Message
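The single command above gives one row per event. In an investigation the useful view is the aggregate: which source addresses tried which accounts, how often and over what period, and which of those accounts then logged on successfully. The following is an added example, not code from the original article, that builds that view for the last seven days. It assumes an elevated PowerShell session on the system under analysis; the filter hashtable key LogName can be replaced with Path pointing at an exported Security.evtx to run it against a copy of the log instead.

```powershell
# Added example (not from the original article): summarise failed logons (4625) by
# source address and target account, then list successful network/RDP logons
# (4624) in the same window. Run elevated; the Security log is not readable by
# standard users. For an exported log use @{ Path = 'D:\evidence\Security.evtx'; ... }
# (the evidence path is an assumption for the example).

function Convert-EventData {
    # Turn the <EventData><Data Name="..."> elements of an event into a hashtable,
    # so fields can be read by name instead of by positional index.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$filter  = @{ LogName = 'Security'; Id = 4625, 4624; StartTime = (Get-Date).AddDays(-7) }
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Convert-EventData $_
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Id          = $_.Id
        Account     = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
        LogonType   = $f['LogonType']        # 2 interactive, 3 network, 10 RDP
        SourceIP    = $f['IpAddress']
        Workstation = $f['WorkstationName']
        Process     = $f['ProcessName']
        SubStatus   = $f['SubStatus']        # 4625 only: 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Failed logons grouped by source and account. One source against many accounts
# suggests password spraying; one account hit many times suggests brute force.
$records | Where-Object Id -eq 4625 |
    Group-Object SourceIP, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# Successful logons over the network or RDP, excluding computer accounts (names ending in $),
# which are the ones to line up against the failed attempts above.
$records |
    Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '3', '10' -and $_.Account -notmatch '\$$' } |
    Sort-Object Time |
    Format-Table Time, Account, LogonType, SourceIP, Workstation -AutoSize
```

Reading the fields by name through the event XML avoids the positional Properties array, whose layout differs between event IDs and Windows versions; the same helper works for any Security event.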
Prefetch: the Prefetch system in Windows stores data about the execution of applications to optimise their performance. However, in the field of cybersecurity and computer forensics, these files can be key to identifying suspicious or malicious activity. Prefetch files allow the reconstruction of the application execution timeline, even if the original executables have been deleted.
These files provide valuable information on:
Applications running on the system.
Execution timestamps, which help to establish chronologies of events.
Paths to the executable and associated files.
Prefetch files have the file extension .pf and are stored in the directory: C:\Windows\Prefetch\.
Each .pf file carries the name of the executable followed by a hash representing the path from which it was executed, which helps to differentiate between instances of the same program executed from different locations.
The behaviour and format of Prefetch have changed across Windows versions:
Windows XP through Windows 7: one Prefetch file per executable (and launch path), rewritten on each run, with a limit of 128 files and a single last-run timestamp.
Windows 8 and later: the limit rises to 1024 files and each file records the last eight execution times rather than only the most recent one.
Windows 10 and Windows 11: the record format is that of Windows 8, but the files are compressed (they begin with the bytes MAM), so they must be decompressed before the run count, timestamps and referenced files can be read; tools such as PECmd handle this transparently, a plain hex view does not.
Windows Server: Prefetch is disabled by default to improve performance, but it can be enabled manually. Whether it is active on a given system is recorded by the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, which should be checked before concluding anything from an empty Prefetch directory.
Prefetch files can be used by analysts to:
Identify malware execution: If a malicious executable has been removed, its trail can remain in Prefetch, indicating its name, location and execution date.
Detect lateral movement: Prefetch can reveal the execution of remote administration tools or scripts used to move laterally on a network.
Corroborate user activity: Allows verification of suspicious application usage in a specific time frame, useful for internal investigations or data leakage incidents.
Several forensic tools can be used to analyse Prefetch files:
PECmd: Developed by Eric Zimmerman, it allows you to analyse the detailed content of .pf files, including execution times and access paths.
WinPrefetchView: A graphical tool that displays detailed information about prefetch files, including file names accessed and last run dates.
PowerShell: Can be used to quickly list Prefetch files and the last time they were modified, which approximates the last execution of each program (the .pf file is rewritten about ten seconds after a launch). Example:
Get-ChildItem -Path C:\Windows\Prefetch -Filter *.pf | Select-Object Name, LastWriteTime
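The one-liner above lists the files; a first triage pass also wants to know whether prefetching was on at all, which programs ran most recently, and which program names appear under more than one path hash, since that means the same executable was launched from different locations. The following is an added example, not code from the original article, that does this using only file names and file-system timestamps. Decoding run counts and the embedded file list still requires a parser such as PECmd, because the Windows 10/11 files are compressed.

```powershell
# Added example (not from the original article): triage C:\Windows\Prefetch without
# a dedicated parser. First/last run are approximated from the .pf file's creation
# and last-write times (the file is created on first run and rewritten about ten
# seconds after each later run).

function Get-PrefetchStatus {
    # EnablePrefetcher: 0 = disabled, 1 = application launch, 2 = boot, 3 = both
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
    (Get-ItemProperty -Path $key -Name EnablePrefetcher -ErrorAction SilentlyContinue).EnablePrefetcher
}

function Get-PrefetchSummary {
    param([string]$Directory = "$env:SystemRoot\Prefetch")
    Get-ChildItem -Path $Directory -Filter '*.pf' -ErrorAction Stop | ForEach-Object {
        # File name layout: <EXECUTABLE>-<8 hex digits>.pf; the hex digits are a hash of the
        # full path the executable was launched from (for some hosts such as svchost.exe and
        # rundll32.exe the command line is hashed as well).
        if ($_.BaseName -match '^(?<exe>.+)-(?<hash>[0-9A-F]{8})$') {
            [pscustomobject]@{
                Executable = $Matches.exe
                PathHash   = $Matches.hash
                FirstRun   = $_.CreationTime
                LastRun    = $_.LastWriteTime
                SizeKB     = [math]::Round($_.Length / 1KB, 1)
                File       = $_.Name
            }
        }
    }
}

"EnablePrefetcher = $(Get-PrefetchStatus)"
$pf = Get-PrefetchSummary

# Most recently executed programs.
$pf | Sort-Object LastRun -Descending |
    Select-Object -First 20 LastRun, FirstRun, Executable, PathHash |
    Format-Table -AutoSize

# Same executable name under different hashes: run from more than one location, which is
# typical of a tool copied into a temp or user directory before execution.
$pf | Group-Object Executable | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group | Sort-Object LastRun } |
    Format-Table Executable, PathHash, FirstRun, LastRun -AutoSize

# Script hosts and living-off-the-land binaries that ran recently; pull these into PECmd for
# the full path, run count and the files each one touched.
$pf | Where-Object Executable -match '^(POWERSHELL|WSCRIPT|CSCRIPT|MSHTA|RUNDLL32|REGSVR32|CERTUTIL|PSEXESVC)' |
    Sort-Object LastRun -Descending |
    Format-Table LastRun, Executable, PathHash -AutoSize
```

If the output is empty and EnablePrefetcher is 0, the absence of a .pf file for a program says nothing about whether it ran; the other execution artefacts (Shimcache, Amcache, event logs) must be used instead.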
LNK Files: LNK files (Windows shortcuts) contain detailed metadata about files and folders accessed by the user. These files can provide valuable information in forensic investigations by revealing:
When a file or folder was accessed.
Where the file was executed or opened from.
The volume the target was stored on, identified by its volume serial number and drive type; for removable drives this can be correlated with the USB device records in the registry, which is crucial for detecting data exfiltration.
The full path to the target file, even if it has been deleted or moved.
Uses of LNK files in forensic investigations:
Detect malicious activity: These can identify the execution of suspicious tools, scripts or malicious programs that have left a shortcut.
Track data exfiltration: Links created when files were opened from, or saved to, removable devices (such as USB drives) record the volume they were on, which can help detect data theft.
Reconstruct timeline of user activities: Useful for understanding the sequence of opening and accessing files, which is key in internal investigations or data leakage cases.
Recover information from deleted files: Even if the target file has been deleted, the shortcut retains its original path, size and timestamps as they were the last time the link was written.
Shortcuts are commonly stored on the desktop, C:\Users\<user>\Desktop\, and in the recent files folder, C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\, which holds the shortcuts Windows creates automatically whenever a file or folder is opened through the shell and is therefore the main source for recent user activity. Further shortcuts are found under C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu and C:\Users\<user>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch.
To analyse LNK files, the following forensic tools can be used:
LECmd: Command-line tool developed by Eric Zimmerman that extracts the full metadata, including target paths, network share paths, volume serial numbers and all timestamps.
ShellBagsExplorer: Useful for analysing paths and recently opened files, complementing the information in the LNKs.
PowerShell: Can be used to list shortcuts and the last time they were modified; for links in the Recent folder, the creation time of the .lnk approximates the first time the target was opened and the last write time the most recent. For example:
Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Recent" -Filter *.lnk | Select-Object Name, CreationTime, LastWriteTime
This displays the names of the shortcuts and the dates they were created and last modified.
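The listing above only shows the file-system timestamps of the link itself. The metadata the text describes (target timestamps, size, drive type, volume serial, original path) is inside the .lnk bytes, in the fixed 76-byte header and the LinkInfo structure defined by MS-SHLLINK, and can be read without any external tool. The following is an added example, not code from the original article, that parses those two structures directly; it does not decode the target ID list or the network-share part of LinkInfo, which LECmd does.

```powershell
# Added example (not from the original article): read target metadata from .lnk files.
# Header (offset 0x00, 76 bytes): 0x14 LinkFlags, 0x1C/0x24/0x2C target creation/access/
# write FILETIMEs, 0x34 target size. LinkInfo (after the optional IDList): flags at +8,
# VolumeID offset at +12, LocalBasePath offset at +16; VolumeID holds drive type at +4
# and the volume serial number at +8.

function Get-LnkMetadata {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x4C -or [BitConverter]::ToUInt32($b, 0) -ne 0x4C) {
        throw "Not a shell link file: $Path"
    }

    function Read-FileTime([byte[]]$Bytes, [int]$Offset) {
        $raw = [BitConverter]::ToInt64($Bytes, $Offset)
        if ($raw -le 0) { return $null }
        [DateTime]::FromFileTimeUtc($raw)
    }

    $linkFlags = [BitConverter]::ToUInt32($b, 0x14)
    $pos = 0x4C
    if ($linkFlags -band 0x1) {                         # HasLinkTargetIDList
        $pos += 2 + [BitConverter]::ToUInt16($b, $pos)  # IDListSize + IDList
    }

    $driveType = $null; $serial = $null; $localPath = $null
    if ($linkFlags -band 0x2) {                         # HasLinkInfo
        $li      = $pos
        $liFlags = [BitConverter]::ToUInt32($b, $li + 8)
        if ($liFlags -band 0x1) {                       # VolumeIDAndLocalBasePath
            $volOff = [BitConverter]::ToUInt32($b, $li + 12)
            $lbpOff = [BitConverter]::ToUInt32($b, $li + 16)
            $driveType = switch ([BitConverter]::ToUInt32($b, $li + $volOff + 4)) {
                2 { 'Removable' } 3 { 'Fixed' } 4 { 'Remote' } 5 { 'CD-ROM' } 6 { 'RAM disk' }
                default { "Unknown($_)" }
            }
            $serial = '{0:X8}' -f [BitConverter]::ToUInt32($b, $li + $volOff + 8)
            # LocalBasePath is a null-terminated ANSI string; non-ASCII paths would need the
            # Unicode variant present in larger LinkInfo headers, which is not handled here.
            $start = $li + $lbpOff
            $end   = [Array]::IndexOf($b, [byte]0, $start)
            $localPath = [System.Text.Encoding]::Default.GetString($b, $start, $end - $start)
        }
    }

    $exists = if ($localPath) { Test-Path -LiteralPath $localPath } else { $null }
    $lnk    = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Link           = $lnk.Name
        LinkCreated    = $lnk.CreationTimeUtc     # first open (Recent folder)
        LinkModified   = $lnk.LastWriteTimeUtc    # most recent open (Recent folder)
        TargetPath     = $localPath
        DriveType      = $driveType
        VolumeSerial   = $serial
        TargetSize     = [BitConverter]::ToUInt32($b, 0x34)
        TargetCreated  = Read-FileTime $b 0x1C
        TargetAccessed = Read-FileTime $b 0x24
        TargetModified = Read-FileTime $b 0x2C
        TargetExists   = $exists
    }
}

# Every link in the current user's Recent folder, most recently opened first. Rows with
# DriveType = Removable are the ones to cross-check against USBSTOR and MountedDevices.
Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Recent" -Filter '*.lnk' |
    ForEach-Object { try { Get-LnkMetadata $_.FullName } catch { Write-Warning $_ } } |
    Sort-Object LinkModified -Descending |
    Format-Table LinkModified, DriveType, VolumeSerial, TargetPath, TargetExists -AutoSize
```

The volume serial recovered here is the file-system serial of the volume, not the hardware serial of the USB device; the two are tied together through the registry, which is why the same value should be looked up in MountedDevices and the Windows Portable Devices keys when exfiltration is suspected.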
Windows Registry: is a key resource in forensic investigations, as it stores critical configurations of both the operating system and installed applications. This hierarchical data store contains information on:
Programs that start automatically: Crucial for identifying malware or persistence tools.
Connected USB devices: Enables tracking of data exfiltration or unauthorised storage connections.
Recently opened files: Useful for reconstructing user activity.
For example, with PowerShell, you can list the programs that start automatically for the machine and for the current user with:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
The RunOnce keys next to them, and the WOW6432Node copy of Run on 64-bit systems, should be checked as well. For the USB storage devices that have been connected:
Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR" -Recurse -Depth 1 | Select-Object Name
Each subkey of USBSTOR names a device by vendor, product and revision, and each instance key below it is named after the device serial number (followed by &0), so the storage devices used for data exfiltration can be identified.
NOTE: The MountedDevices key (HKLM\SYSTEM\MountedDevices) does not describe the devices themselves; it maps drive letters and volume GUIDs to the device that was mounted there. For USB devices its binary data contains the same USBSTOR path and serial number, which makes it the link between a serial found in USBSTOR and the drive letter seen in LNK files or ShellBags. To track USB connections, start from USBSTOR and use MountedDevices to resolve drive letters.
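The two queries above cover the current user and the current control set only, and leave the USBSTOR serial and the MountedDevices drive letter as separate facts. The following is an added example, not code from the original article, that enumerates Run/RunOnce for the machine and every loaded user hive, and then joins USBSTOR with MountedDevices so that each device serial comes out with the drive letters and volume GUIDs it was mounted as. It uses the Registry:: provider path to walk HKEY_USERS directly and assumes an elevated session.

```powershell
# Added example (not from the original article): autorun entries for all loaded user
# hives, and USB storage history with USBSTOR joined to MountedDevices. Run elevated.

function Get-AutorunEntries {
    $keys = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    # Add the per-user keys of every loaded profile: domain/local user SIDs start with
    # S-1-5-21-; this skips the service SIDs (S-1-5-18/19/20) and the *_Classes hives.
    Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $keys += "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
            $keys += "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
        }
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; drop them.
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            [pscustomobject]@{ Key = ($k -replace '^Registry::', ''); Name = $_.Name; Command = $_.Value }
        }
    }
}

function Get-UsbStorageHistory {
    # MountedDevices values are REG_BINARY. For USB devices the data is a UTF-16LE device
    # path of the form (illustrative values):
    #   _??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00#0C9D92B0B3F4EF12&0#{53f56307-...}
    $mounted    = Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices'
    $mountNames = $mounted.PSObject.Properties | Where-Object {
        ($_.Name -like '\DosDevices\*' -or $_.Name -like '\??\Volume{*') -and $_.Value -is [byte[]]
    }
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $model = $_.PSChildName                       # e.g. Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $serial = $_.PSChildName                  # e.g. 0C9D92B0B3F4EF12&0 (serial followed by &0)
            $inst   = Get-ItemProperty -Path $_.PSPath
            $mounts = $mountNames | Where-Object {
                $text = [System.Text.Encoding]::Unicode.GetString($_.Value)
                $text -like "*USBSTOR#$model#$serial#*"
            } | ForEach-Object Name
            [pscustomobject]@{
                Model        = $model
                Serial       = $serial
                FriendlyName = $inst.FriendlyName
                MountedAs    = ($mounts -join ', ')   # drive letters and volume GUIDs this device was mounted as
            }
        }
    }
}

Get-AutorunEntries     | Format-Table -AutoSize -Wrap
Get-UsbStorageHistory  | Format-Table -AutoSize -Wrap
```

A device that appears in USBSTOR but has no MountedAs entry was enumerated but may never have received a drive letter on the current control set; conversely a \DosDevices\ entry whose decoded data names a USBSTOR path that is no longer under Enum\USBSTOR indicates the device record was cleaned up while the mount record survived.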
Within the Windows Registry, and in a registry hive file kept alongside it, there are two further valuable artefacts, Shimcache and Amcache, both useful for identifying applications that have been present on, and run from, the system:
Shimcache (AppCompatCache): this artefact records executables that the application compatibility subsystem has examined, which in practice means programs that were run or browsed in Explorer, together with each file's last modification time. It does not record the time of execution, and on Windows 10 and later it no longer flags whether the file actually ran. Entries are held in memory and written to the registry only at shutdown or reboot, so a live system shows the state as of the last boot. It is stored as a single binary value, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache, whose layout differs between Windows versions and has to be parsed (AppCompatCacheParser by Eric Zimmerman does this). To extract the raw data with PowerShell:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" | Select-Object -ExpandProperty AppCompatCache
Amcache: Unlike Shimcache, Amcache records per-file detail, including the SHA-1 hash (computed over the first 30 MB of the file), size, version and publisher information and the linker timestamp, which makes it valuable for establishing exactly which binary was present and for matching it against threat intelligence. Amcache is not part of the loaded HKEY_LOCAL_MACHINE tree: it is a separate registry hive file, C:\Windows\appcompat\Programs\Amcache.hve (the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppCompatFlags holds the compatibility layer settings, not the Amcache records). The hive is locked while Windows is running, so it is taken from the forensic image or a volume shadow copy and either parsed with AmcacheParser or loaded under a temporary key, after which it can be queried like any other part of the registry. On current Windows 10/11 hives the file records are under Root\InventoryApplicationFile (the path of the copied hive below is an example):
reg load HKLM\AmcacheTmp D:\evidence\Amcache.hve
Get-ChildItem -Path "HKLM:\AmcacheTmp\Root\InventoryApplicationFile" | Get-ItemProperty | Select-Object LowerCaseLongPath, FileId, LinkDate, Publisher
reg unload HKLM\AmcacheTmp
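The raw AppCompatCache blob is of no use until it is parsed, and the reg load sequence above leaves the hive loaded if anything fails in between. The following is an added example, not code from the original article, that decodes the Windows 10/11 Shimcache entry format (each entry starts with the ASCII signature 10ts) in most-recent-first order, and reads the Amcache InventoryApplicationFile records from a copied hive with the unload handled in a finally block. It assumes an elevated session and, for Amcache, a copy of the hive at an example path; it does not parse the Windows 7/8 Shimcache layouts or the Root\File layout of older Amcache hives, for which Eric Zimmerman's parsers should be used.

```powershell
# Added example (not from the original article): parse Windows 10/11 Shimcache from the
# live registry and Amcache InventoryApplicationFile records from a copied hive.
# Windows 10/11 Shimcache entry: '10ts'(4) unknown(4) entrySize(4) pathLen(2) path(UTF-16LE)
# lastModified FILETIME(8) dataSize(4) data; entrySize counts the bytes after itself.

function Get-ShimcacheEntries {
    param(
        [byte[]]$Data = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache' -Name AppCompatCache).AppCompatCache
    )
    $sig = [System.Text.Encoding]::ASCII.GetBytes('10ts')
    # Locate the first entry; the header before it is 0x30 or 0x34 bytes depending on build.
    $pos = -1
    for ($i = 0; $i -le $Data.Length - 4; $i++) {
        if ($Data[$i] -eq $sig[0] -and $Data[$i + 1] -eq $sig[1] -and
            $Data[$i + 2] -eq $sig[2] -and $Data[$i + 3] -eq $sig[3]) { $pos = $i; break }
    }
    if ($pos -lt 0) { throw 'No "10ts" entries found: not a Windows 10/11 AppCompatCache blob' }

    $index = 0
    while ($pos + 14 -le $Data.Length -and
           [System.Text.Encoding]::ASCII.GetString($Data, $pos, 4) -eq '10ts') {
        $entrySize = [BitConverter]::ToInt32($Data, $pos + 8)
        $pathLen   = [BitConverter]::ToUInt16($Data, $pos + 12)
        $path      = [System.Text.Encoding]::Unicode.GetString($Data, $pos + 14, $pathLen)
        $raw       = [BitConverter]::ToInt64($Data, $pos + 14 + $pathLen)
        $modified  = if ($raw -gt 0) { [DateTime]::FromFileTimeUtc($raw) } else { $null }
        [pscustomobject]@{
            Order        = $index++          # 0 = most recently inserted or updated entry
            Path         = $path
            LastModified = $modified         # file's $STANDARD_INFORMATION modification time, not run time
        }
        $pos += 12 + $entrySize
    }
}

function Get-AmcacheFiles {
    # Loads a copy of Amcache.hve (the live file is locked) under a temporary key.
    param([Parameter(Mandatory)][string]$HivePath, [string]$MountName = 'AmcacheTmp')
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }
    try {
        Get-ChildItem -Path "HKLM:\$MountName\Root\InventoryApplicationFile" | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Path      = $p.LowerCaseLongPath
                SHA1      = ($p.FileId -replace '^0000', '')   # FileId is "0000" + SHA-1 of the first 30 MB
                Size      = $p.Size
                LinkDate  = $p.LinkDate                        # PE linker timestamp, as stored
                Publisher = $p.Publisher
                Product   = $p.ProductName
                Version   = $p.BinFileVersion
            }
        }
    } finally {
        # The registry provider keeps handles open; without this reg unload reports access denied.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

Get-ShimcacheEntries | Select-Object -First 25 | Format-Table -AutoSize

# Example path for a hive copied out of the image (assumption for the example):
# Get-AmcacheFiles -HivePath 'D:\evidence\Amcache.hve' |
#     Where-Object Path -like '*\users\*' | Format-Table Path, SHA1, LinkDate, Publisher -AutoSize
```

Because Shimcache is flushed only at shutdown, a system that has been up for weeks will not show recent executions in this value; on such a system the in-memory cache can only be recovered from a memory image. The SHA-1 values from Amcache are the ones to submit to a hash lookup service, remembering that for files over 30 MB they will not match a full-file hash.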
ShellBags: allow the user's navigation of the file system to be reconstructed, even if the folders have since been deleted or were on removable or network drives. Windows stores the view settings (size, position, sort order) of every folder opened in Explorer, and the keys that hold them therefore record which folders the user browsed and in what order, allowing to determine whether sensitive directories were accessed or whether the user tried to hide his tracks. The data lives in each user's hives under Software\Microsoft\Windows\Shell\BagMRU (the folder hierarchy, as binary shell items ordered by an MRUListEx value) and Software\Microsoft\Windows\Shell\Bags (the per-folder settings, referenced from BagMRU by a NodeSlot value). In NTUSER.DAT these are reached as HKEY_USERS\<SID>\Software\Microsoft\Windows\Shell\BagMRU; since Windows 7 most entries are in UsrClass.dat, reached as HKEY_USERS\<SID>_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (HKEY_CURRENT_USER\Software\Classes\Local Settings\... for the logged-on user). With PowerShell these keys are read through the Registry:: provider path, since no HKU: drive exists by default. For example, to dump the top-level BagMRU entries of the current user (binary shell items plus the MRUListEx ordering value):
Get-ItemProperty -Path "Registry::HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" | Select-Object *
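The command above prints the binary values of one level only. What an analyst wants is the tree: each node with its position in the MRU list, its NodeSlot and a readable name, recursed down the BagMRU subkeys. The following is an added example, not code from the original article, that walks both BagMRU roots of the current user in MRU order. The folder name is recovered with a heuristic (the longest Latin/Greek/Cyrillic UTF-16 string in the shell item), which is sufficient for a quick read of the hierarchy but is not a shell item parser; ShellBagsExplorer decodes the item types fully, including the embedded timestamps and MFT references, and should be used for anything that will be reported.

```powershell
# Added example (not from the original article): walk the current user's BagMRU trees in
# most-recent-first order. Name recovery is heuristic; use ShellBagsExplorer for evidence.

function Get-ShellItemName {
    param([byte[]]$Item)
    # Keep the longest UTF-16LE run (>= 3 chars) of Latin, Greek or Cyrillic characters,
    # trying both byte alignments. Narrow ranges keep random binary from forming long runs;
    # names in other scripts (e.g. CJK) will not be recovered by this heuristic.
    $best = ''
    foreach ($start in 0, 1) {
        $run = [System.Text.StringBuilder]::new()
        for ($i = $start; $i + 1 -lt $Item.Length; $i += 2) {
            $c = [BitConverter]::ToUInt16($Item, $i)
            $printable = ($c -ge 0x20 -and $c -le 0x7E) -or ($c -ge 0xA0 -and $c -le 0x24F) -or ($c -ge 0x370 -and $c -le 0x52F)
            if ($printable) { [void]$run.Append([char]$c); continue }
            if ($run.Length -ge 3 -and $run.Length -gt $best.Length) { $best = $run.ToString() }
            [void]$run.Clear()
        }
        if ($run.Length -ge 3 -and $run.Length -gt $best.Length) { $best = $run.ToString() }
    }
    $best
}

function Get-ShellBagTree {
    param([Parameter(Mandatory)][string]$Root, [string]$ParentPath = '', [int]$Depth = 0)
    $key = Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue
    if (-not $key) { return }
    # MRUListEx: little-endian DWORD slot numbers, most recent first, terminated by 0xFFFFFFFF.
    $mru = @()
    $raw = $key.GetValue('MRUListEx')
    if ($raw) {
        for ($i = 0; $i + 4 -le $raw.Length; $i += 4) {
            $slot = [BitConverter]::ToUInt32($raw, $i)
            if ($slot -eq 0xFFFFFFFF) { break }
            $mru += $slot
        }
    }
    for ($n = 0; $n -lt $mru.Count; $n++) {
        $slot = $mru[$n]
        $item = $key.GetValue("$slot")             # one binary shell item per numbered value
        if (-not $item) { continue }
        $name = Get-ShellItemName $item
        if (-not $name) { $name = '<type 0x{0:X2} item>' -f $item[2] }   # e.g. 0x1F = root/GUID item
        $path  = if ($ParentPath) { "$ParentPath\$name" } else { $name }
        $child = "$Root\$slot"
        $childKey = Get-Item -LiteralPath $child -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Depth    = $Depth
            MruPos   = $n                          # 0 = most recently viewed at this level
            NodeSlot = if ($childKey) { $childKey.GetValue('NodeSlot') } else { $null }
            Path     = $path
        }
        if ($childKey) { Get-ShellBagTree -Root $child -ParentPath $path -Depth ($Depth + 1) }
    }
}

$roots = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU',  # UsrClass.dat
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU'                                    # NTUSER.DAT
)
foreach ($r in $roots) {
    "== $r"
    Get-ShellBagTree -Root $r | Format-Table Depth, MruPos, NodeSlot, Path -AutoSize
}
```

For another user's hives on the same system, replace HKEY_CURRENT_USER with HKEY_USERS\<SID>_Classes and HKEY_USERS\<SID> respectively; for hives taken from an image, load them with reg load under a temporary name first, as shown for Amcache.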
Recommended Tools for Registry Analysis
- Registry Explorer: An advanced tool from Eric Zimmerman for exploring and analysing the Windows Registry with powerful search capabilities and support for multiple Registry file formats.
- RECmd: Also by Eric Zimmerman, useful for performing bulk searches and extractions of Registry data.
- RegRipper: Registry analysis tool that includes a collection of forensic-specific plugins, ideal for automating the extraction of relevant information.
Best practices in Windows forensic analysis
Forensic analysis on Windows systems requires the application of best practices to maximise the efficiency and accuracy of investigations.

(Figure: Digital forensics cycle)
The following are key recommendations for improving the analysis process using forensic artefacts:
Obtain an accurate, verifiable and reproducible forensic image of the system, so that all work is done on the copy and the original is never altered. This is the most important step: if it is performed incorrectly it can invalidate, or render inadmissible, everything collected in the subsequent forensic work. Images of physical media should be acquired through a physical write blocker, and the hash of the image recorded at acquisition so that every later copy can be verified against it.
Establish a detailed timeline of events that combines information from different artefacts; this helps analysts understand the sequence of activities that occurred on the system. Tools such as Plaso (log2timeline) and Timeline Explorer combine multiple data sources (event logs, Prefetch, LNK files, registry keys, etc.) into a single coherent timeline in which correlations and suspicious patterns can be identified.
Prioritise context-based analysis of the incident, as not all artefacts have the same relevance in every case:
Identify high-priority artefacts: in a network-based intrusion, the event logs and the network configuration stored in the registry may be the most critical.
Correlate data between artefacts: use multiple sources to validate findings.
Automate repetitive tasks to speed up the analysis, reduce human error and ensure more complete coverage, using tools that collect and parse the important artefacts automatically and produce pre-processed reports that simplify manual review.
Verify the integrity of the evidence continuously throughout the analysis, ensuring that the results are reliable and can be presented in a legal context if necessary.
Recalculate and verify hashes before and after the analysis of each artefact. This not only shows that the evidence has not been altered, but also establishes a clear record for the chain of custody.
Record every step taken, command used and tool applied in an analysis log; this is crucial both for reproducible results and for their validity in legal proceedings.
Review and validate results with multiple tools; this is essential to avoid false positives and false negatives, to confirm the findings of the analysis and to obtain a more complete picture.
Keep updated with new techniques and tools in the field of digital forensic analysis.
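The hashing and logging recommendations above are routinely done by hand with Get-FileHash and a notes file, which is where mistakes creep in: a file gets re-hashed against the wrong value, or a new file lands in the evidence folder unrecorded. The following is an added example, not code from the original article, of a manifest-based version of the check: one function writes a SHA-256 manifest of an evidence folder (and returns the hash of the manifest itself, which goes on the chain-of-custody form), the other re-verifies the folder against it and reports modified, missing and unrecorded files. The case path and manifest name are assumptions for the example.

```powershell
# Added example (not from the original article): SHA-256 evidence manifest and re-verification.

function New-EvidenceManifest {
    param([Parameter(Mandatory)][string]$EvidenceRoot, [string]$ManifestName = 'MANIFEST.sha256')
    $EvidenceRoot = (Resolve-Path -LiteralPath $EvidenceRoot).ProviderPath.TrimEnd('\')
    $manifest = Join-Path $EvidenceRoot $ManifestName
    $rows = Get-ChildItem -LiteralPath $EvidenceRoot -File -Recurse |
        Where-Object { $_.FullName -ne $manifest } |
        ForEach-Object {
            [pscustomobject]@{
                Hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Length = $_.Length
                Path   = $_.FullName.Substring($EvidenceRoot.Length + 1)   # relative to the evidence root
            }
        }
    $rows | Export-Csv -LiteralPath $manifest -NoTypeInformation -Encoding UTF8
    # The manifest's own hash is what gets written on the chain-of-custody record.
    [pscustomobject]@{
        Manifest     = $manifest
        Files        = @($rows).Count
        Created      = (Get-Date).ToUniversalTime().ToString('o')
        ManifestSHA256 = (Get-FileHash -LiteralPath $manifest -Algorithm SHA256).Hash
    }
}

function Test-EvidenceManifest {
    param([Parameter(Mandatory)][string]$EvidenceRoot, [string]$ManifestName = 'MANIFEST.sha256')
    $EvidenceRoot = (Resolve-Path -LiteralPath $EvidenceRoot).ProviderPath.TrimEnd('\')
    $manifest = Join-Path $EvidenceRoot $ManifestName
    $expected = @(Import-Csv -LiteralPath $manifest)
    $problems = [System.Collections.Generic.List[object]]::new()

    foreach ($row in $expected) {
        $full = Join-Path $EvidenceRoot $row.Path
        if (-not (Test-Path -LiteralPath $full)) {
            $problems.Add([pscustomobject]@{ Path = $row.Path; Problem = 'missing' }); continue
        }
        $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($actual -ne $row.Hash) {
            $problems.Add([pscustomobject]@{ Path = $row.Path; Problem = "hash mismatch: expected $($row.Hash), got $actual" })
        }
    }
    # Anything in the folder that the manifest does not know about is reported as well.
    $known = @($expected | ForEach-Object Path)
    foreach ($f in Get-ChildItem -LiteralPath $EvidenceRoot -File -Recurse) {
        if ($f.FullName -eq $manifest) { continue }
        $rel = $f.FullName.Substring($EvidenceRoot.Length + 1)
        if ($rel -notin $known) { $problems.Add([pscustomobject]@{ Path = $rel; Problem = 'not in manifest' }) }
    }
    if ($problems.Count -eq 0) { "OK: $($expected.Count) files verified against $manifest at $((Get-Date).ToUniversalTime().ToString('o'))" }
    $problems
}

# Example case layout (assumption for the example): D:\Case-0417\evidence holds the collected artefacts.
# New-EvidenceManifest  -EvidenceRoot 'D:\Case-0417\evidence'
# Test-EvidenceManifest -EvidenceRoot 'D:\Case-0417\evidence'
```

Run both functions inside a session started with Start-Transcript -LiteralPath <case>\analysis-log.txt -Append, so that the manifest hash, every verification result and every command issued during the analysis are captured in the same log that the recommendations above call for.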
Conclusion
The collection and analysis of forensic artefacts is a critical process for investigating cybersecurity incidents, as it provides a detailed view of activities occurring within a system, many of which are not visible to the naked eye.
Prefetch analysis, for instance, is an essential technique for tracing the execution of applications on Windows; knowing how the format has changed across versions, including the compression used in Windows 10 and Windows 11, and using the right tools allows investigators to obtain key information about system activity and to detect potential security threats.
Windows environments make up a large part of corporate and personal infrastructure and are therefore involved in most incidents. Successful forensic analysis on these systems depends to a large extent on a thorough understanding of their key artefacts, which allow program execution, file access and critical system configuration to be traced.
Proper preservation and analysis of artefacts uncovers malicious activity that might go undetected, such as registry modifications or unauthorised executions, and enhances threat response capabilities.