Insights Blog

Windows Forensic Essentials Blog Series

Windows 10 Jump List Forensics: When Microsoft released Windows 7, a new artifact was released to the forensic world, Jump Lists.  Since that time most examiners have become used to examining this artifact and reporting on the results. Jump Lists are potentially a valuable source of evidence that can point directly to a user’s interactions with the computer.
Examining the Windows 10 Recycle Bin: One of the most overlooked artifacts on a Windows computer is the Recycle Bin. The Recycle Bin has been with the Windows operating system since Windows 95 (although a similar function was available in MS-DOS 6).  Naturally over time it has evolved to its current implementation.
Leveraging Windows Event Logs in Examinations: Windows Event Logs can potentially be used by an examiner to show what a user has done on a computer.  They can be used to assist in answering the question “could this happen?” Let’s look at how Event Logs can assist examiners in their case analysis.
Windows Volume Shadow Copies: Despite being around since the halcyon days of Windows Vista, there is still a lot of questions surrounding the Volume Shadow Copy Service.  Further some confusion has been expressed on the difference between a Volume Shadow Copy (VSC) and System Restore Points (SRP) available previously on Windows XP.
Analyzing USB Entries in Windows 7: With the proliferation of cheap external USB devices, it is becoming incumbent on examiners to determine if any USB attached storage has connected to the computer. Knowing that an external USB attached storage device has been connected to the computer; and more importantly who connected the device, can have a huge impact on your examinations.
Why Windows Ram Should Be Part of Triage: Analyzing the contents of RAM has been a hot button topic for some time now.  It makes sense in a lot of ways, after all RAM is a block of storage, so why not image it. There is little doubt that RAM can contain an innumerable amount of important information, but how does imaging RAM fit into your process when you are collecting data at the scene?
Windows Registry Demystified – Part One: The Windows Registry is a centralized hierarchical database that contains both system and user information and settings for Windows computers.  These settings can be anything from a user’s desktop background to the time zone setting for the computer.
Windows Registry Demystified – Part Two: Expanding on the concepts from part one, we start looking at some Registry to see how tools parse out and display this data.

BlackBag Team
Latest posts by BlackBag Team (see all)