19: Windows Forensics, etc.


Today: Windows forensic artifacts demos, then some by-request stuff.

Midterm should be graded soon. Best case end of this week. More likely by some point next week.

Windows Forensics

Today we'll do a few minutes on each of the tools I talked about last class, this time with live demos.

Remember, it's usually a reasonable idea to start by running fls over the entire drive image (saving the output to a file), so that you can later grep it for files of interest. (I will pull some of them directly from my Windows VM so that you can see how they're created as I go.)

Side note: How do you show Hidden, etc., files within Windows? See https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files for details.

Thumbs.db / thumbcache

Most versions of Windows cache "thumbnails" of image files that are stored in users' directories and opened by the user. Various tools, such as scalpel, can carve these thumbnails out.

Windows 7: This data has been moved to a centralized database located in \Users\%username%\AppData\Local\Microsoft\Windows\Explorer.

Note: Scalpel is a little finicky about configuration files.

Copy the thumbcache file to a working directory, then:

/Users/liberato/src/scalpel/scalpel -o 256 thumbcache_256.db

Side note: Building Scalpel. You can download and build it (under a Unix-y OS) yourself or find packages, depending upon your OS.

lnk files

LNK files are Windows shortcuts.

Users might create them deliberately, but Windows also creates them when a user opens a file (to populate the "Recents" folder). Various tools exist to parse these files, for example liblnk.

Demo using liblnk: copy the .lnk file to a working directory, then:

/Users/liberato/src/liblnk/lnktools/lnkinfo Marc\ Liberatore.jpg\ -\ Shortcut.lnk

Browser information

Depending upon the version of Windows, the browser information (cache, user-typed URLs, etc.) lives in various places. Tools exist to parse and extract relevant information (libmsiecf, for example):

~/src/libmsiecf/msiecftools/msiecfexport index.dat |less

There are similar tools for IE10+:



As per last class, you can see various entries in the registry and learn about the recent use of the computer.

Demo regedit on a running instance of Windows:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
  • HKLM\SYSTEM\MountedDevices : list of mounted devices
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\ : similar
  • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR: additional information about mounted USB storage devices
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\GUID: recent network configuration
  • HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\GUID: wireless configuration
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist: recent user access, though ROT13ed!

There are various resources online listing registry keys of interest; I'll post links to some of them on the course schedule page. (Feel free to post others you might find on Piazza.)

Again, various tools are available to parse the registry forensically (for example, libregf).

Partial printer files

.SPL files are spool files, that is, the files Windows creates when preparing to send a document to a printer. Find the "EMF" marker, then go back 41 bytes and carve from there.

Then you have an EMF file, which is an Enhanced Windows Metafile. These are most easily viewed on Windows, since they are typically parsed with Windows API functions.

(Demonstrate by pulling spoolfile from C:\Windows\System32\spool\PRINTERS)

Note that it's not perfect; depending upon the print driver, the text in particular is often transcoded in a way that's not legible.
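The "find the marker, go back 41 bytes" rule above, as an added example (not code from the lecture): the " EMF" signature lives at offset 40 of the EMF header, so the bare ASCII "EMF" sits at offset 41, and the header's own length field (offset 48) tells you how much to carve. The spool-file bytes below are constructed, not taken from a real printer.

```python
import struct

EMR_HEADER = 1        # iType of the first record in every EMF
MARKER = b"EMF"       # " EMF" (0x464D4520 LE) sits at header offset 40, so bare "EMF" is at offset 41
BACK = 41             # the lecture's rule: go back 41 bytes from the marker to reach the header start

def carve_emf(blob: bytes) -> list:
    """Return every EMF embedded in blob, validated against the ENHMETAHEADER layout."""
    found, pos = [], 0
    while True:
        hit = blob.find(MARKER, pos)
        if hit < 0:
            return found
        pos = hit + 1
        start = hit - BACK
        if start < 0 or len(blob) < start + 52:
            continue                              # too close to an edge to be a real header
        itype, nsize = struct.unpack_from("<II", blob, start)
        nbytes = struct.unpack_from("<I", blob, start + 48)[0]   # total metafile length
        if itype != EMR_HEADER or nsize < 88 or nbytes < nsize or start + nbytes > len(blob):
            continue                              # a stray "EMF" string, not a header
        found.append(blob[start:start + nbytes])

def make_sample_emf(body: bytes) -> bytes:
    """Constructed minimal EMF: 108-byte EMR_HEADER, caller-supplied records, EMR_EOF (type 14)."""
    eof = struct.pack("<IIIII", 14, 20, 0, 16, 20)
    total = 108 + len(body) + len(eof)
    hdr = struct.pack("<II", EMR_HEADER, 108) + bytes(32)   # iType, nSize, rclBounds, rclFrame
    hdr += struct.pack("<IIIIHHIII", 0x464D4520, 0x10000, total, 3, 1, 0, 0, 0, 0)
    return hdr.ljust(108, b"\x00") + body + eof

SAMPLE_EMF = make_sample_emf(struct.pack("<IIii", 9, 16, 100, 50))   # one EMR_SETWINDOWEXTEX record
# Constructed stand-in for a spool file: opaque prefix with a decoy "EMF" string, the real EMF, padding.
SAMPLE_SPOOL = b"\x00" * 13 + b"decoy EMF str" + SAMPLE_EMF + b"\x00" * 7

if __name__ == "__main__":
    for i, emf in enumerate(carve_emf(SAMPLE_SPOOL)):
        print(f"carved EMF #{i}: {len(emf)} bytes")
```

The decoy "EMF" in the prefix is rejected because there is no room for a header in front of it; a real spool file will contain other false hits that fail the iType/length checks the same way.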


Why are we doing all this? Recall from Lecture 01:

A forensic investigation has several goals, depending on the context. Typically, the primary goals are to

  1. Determine if there is evidence that a crime, tort, or policy violation has been committed;
  2. Identify the related events and actions that occurred;
  3. And identify who might be responsible.

In many criminal investigations, the goal of the investigator may additionally include determining the motive and intent of the perpetrator, corroborating alibis of the innocent, and verifying statements of witnesses. Moreover, criminal investigators need to preserve a demonstrable link between the artifacts we find at a crime scene and our later presentation of the evidence in court.

So, given a scenario, you are looking for evidence that supports or refutes that scenario, and possibly digging deeper.

Boot sectors and JMPs

This has come up after class a few times. If we look at the boot sector at the start of most drives, and the boot sector within each partition, we see it starts with a jump instruction. Malware alert! (Not really: that jump is normal, since the sector's code has to hop over the parameter block that follows the jump.)
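An added example (not from the lecture) of what that jump actually is: decode the opening `JMP`, compute where it lands, and confirm it clears the BIOS Parameter Block that sits at offsets 0x0B onward. The boot sector bytes are constructed to look like an NTFS one, not copied from a real disk.

```python
import struct

def parse_boot_sector(sector: bytes) -> dict:
    """Decode the opening jump and a few BPB fields of a 512-byte boot sector."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte sector")
    op = sector[0]
    if op == 0xEB:      # short JMP rel8: target is relative to the next instruction, at offset 2
        target = 2 + struct.unpack_from("<b", sector, 1)[0]
    elif op == 0xE9:    # near JMP rel16: next instruction is at offset 3
        target = 3 + struct.unpack_from("<h", sector, 1)[0]
    else:
        target = None   # no jump at all is the unusual case that deserves a second look
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    return {
        "jump_target": target,
        "oem": sector[3:11],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "boot_signature_ok": sector[510:512] == b"\x55\xAA",
        # the BPB occupies at least offsets 0x0B-0x23, so a legitimate jump lands at or beyond 0x24
        "jump_clears_bpb": target is not None and target >= 0x24,
    }

def make_ntfs_like_sector() -> bytes:
    """Constructed NTFS-style sector (not from a real disk): JMP +0x52, NOP, OEM id, BPB, 0x55AA."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 11, 512, 8)   # bytes per sector, sectors per cluster
    s[21] = 0xF8                              # media descriptor: fixed disk
    s[0x54:0x58] = b"\xFA\x33\xC0\x8E"        # first code bytes sit exactly where the jump lands
    s[510:512] = b"\x55\xAA"
    return bytes(s)

if __name__ == "__main__":
    print(parse_boot_sector(make_ntfs_like_sector()))
```

On a real image, run this over the sector at offset 0 and at the start of each partition from your mmls output; a jump that lands inside the BPB, or a missing 0x55AA, is what would actually merit suspicion.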

PGP

PGP is a general suite of encryption/decryption/signature algorithms that's typically considered in the context of email.

Problems of PKI: centralized vs distributed.

What do signatures really show? That someone who controls your key signed something.

What does using PGP really do, arguably:

  • protect messages in transit and when on remote servers
  • make email search difficult (if stored encrypted)
  • signal to TLAs that your messages are worth collecting
  • make acquiring your key (for decryption) attractive -- and a key obtained that way can then be used to sign as you
  • introduce key management headaches generally

In practice PGP has been a failure except in very limited circumstances that also require strong operational security practices.

Unclear if secure chat will go the same way: what's your attacker model?