Windows Forensic Investigation (2- Collecting Non-volatile Information) 💡

Intro

As discussed in a previous post, the investigation process on a Windows machine has 8 steps, beginning with gathering volatile data and ending with analyzing text-based logs and Windows event logs.

You can read about the first step here.

Definition

The focus of the second stage is collecting non-volatile data, that is, data that persists even after the system has been shut down.

Hard drives are where non-volatile data is typically stored, but it can also be found in swap files, slack space, and unallocated storage space. Smartphones, USB storage devices, and CD-ROMs are other non-volatile storage devices.

Examples of non-volatile data are photos, emails, PDF and Word documents, spreadsheets, and other valuable “deleted” files.

Steps

You can use these steps to conduct non-volatile data collection:

1. Examining File Systems

dir /o:d

lists a directory sorted by date (oldest first), which helps to check the time and date of the OS installation, to confirm which automatic updates have completed, and to give priority to recently dated files.
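The recency triage that dir /o:d gives for one directory, applied to a whole tree and filtered against the OS install date, as an added example that is not part of the original post. The sample tree, its timestamps and the install date are constructed; on a real host the install date comes from systeminfo ("Original Install Date") or Get-CimInstance Win32_OperatingSystem (InstallDate), and the same loop can key on creation time instead (dir /t:c), since on Windows os.stat() reports it as st_ctime.

```python
import os
import tempfile
from datetime import datetime, timezone


def file_timeline(root, since=None):
    """Return (mtime_utc, path, size) for every file under root, newest first.

    If `since` is given, keep only files modified after it, e.g. after the OS
    install date, so files that predate the installation drop out of the
    first pass and recently touched files come to the top.
    """
    entries = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished file: skip it, do not abort the sweep
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            if since is None or mtime > since:
                entries.append((mtime, path, st.st_size))
    entries.sort(key=lambda e: e[0], reverse=True)
    return entries


# Constructed: a stand-in for the host's install date (real value from systeminfo).
INSTALL_DATE = datetime(2022, 6, 18, 4, 26, 40, tzinfo=timezone.utc)


def build_sample_tree(base):
    """Constructed sample: three files whose timestamps straddle INSTALL_DATE."""
    stamps = {
        "old_driver.sys": datetime(2020, 1, 1, tzinfo=timezone.utc),
        "invoice.pdf": datetime(2023, 3, 15, 12, 0, tzinfo=timezone.utc),
        "notes.txt": datetime(2024, 7, 1, 8, 30, tzinfo=timezone.utc),
    }
    os.makedirs(os.path.join(base, "docs"), exist_ok=True)
    for name, when in stamps.items():
        sub = "" if name == "old_driver.sys" else "docs"
        path = os.path.join(base, sub, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        ts = when.timestamp()
        os.utime(path, (ts, ts))  # set atime and mtime to the constructed value
    return base


def demo(since=INSTALL_DATE):
    """Build the sample tree in a temp dir and return matching file names, newest first."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.basename(p) for _, p, _ in file_timeline(tmp, since=since)]


if __name__ == "__main__":
    print("modified after install:", demo())
    print("all files, newest first:", demo(since=None))
```

Run it against a mounted image or a copied volume by calling file_timeline(root, since=...) directly; the demo() wrapper only exists to exercise the constructed tree.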

2. Examine Extensible Storage Engine (ESE) Database

ESE is used by many Microsoft products, such as Active Directory, Windows Mail, Windows Search, and the Windows Update client.

· ESEDatabaseView (nirsoft.net)

to view and analyze ‘.edb’ files such as:

Windows Search Index: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\windows.db

Windows updates information: C:\windows\SoftwareDistribution\DataStore\DataStore.edb

3. Detecting Externally Connected Devices to the System

· DriveLetterView (nirsoft.net)

to list all drive letters, including those of devices that are currently unplugged.

· DevCon.exe (Microsoft)

to document devices that are attached to the system.
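The history of USB mass-storage devices that were ever attached, recovered offline from a registry export of the USBSTOR key (the same data DriveLetterView and DevCon summarise for drives that are no longer plugged in), as an added example that is not part of the original post. The sample export below is constructed; the parser assumes the text was produced by reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, and the "second character is &" heuristic for Windows-generated instance IDs is a documented forensic rule of thumb, not something the post states.

```python
import re

# Constructed: what a `reg export` of the USBSTOR key would look like on a host
# that saw two devices, with the values trimmed to the forensically interesting ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230110118301&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"
"Class"="DiskDrive"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0&_&0]
"FriendlyName"="Generic Flash Disk USB Device"
"Class"="DiskDrive"
"""

# A device instance key has exactly two components below USBSTOR: the device id
# (Disk&Ven_...&Prod_...&Rev_...) and the instance id (serial&port). Deeper keys
# such as "...\Device Parameters" deliberately do not match.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Enum\\USBSTOR\\([^\\\]]+)\\([^\\\]]+)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DEVID_RE = re.compile(r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")


def _unescape(value):
    """Undo the two escapes .reg files apply to string values."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_usbstor_export(text):
    """Return one dict per device instance found in a .reg export of USBSTOR."""
    devices = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            if not m:
                current = None  # parent key or a sub-key: values there are not ours
                continue
            device_id, instance_id = m.group(1), m.group(2)
            d = DEVID_RE.match(device_id)
            # Windows generates the instance id itself when the device reports no
            # unique serial; such ids have '&' as their second character.
            generated = len(instance_id) > 1 and instance_id[1] == "&"
            current = {
                "device_type": d.group("type") if d else device_id,
                "vendor": d.group("vendor") if d else "",
                "product": d.group("product") if d else "",
                "revision": d.group("rev") if d else "",
                "serial": instance_id if generated else instance_id.split("&")[0],
                "windows_generated_serial": generated,
                "friendly_name": "",
                "values": {},
            }
            devices.append(current)
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            name, value = v.group(1), _unescape(v.group(2))
            current["values"][name] = value
            if name.lower() == "friendlyname":
                current["friendly_name"] = value
    return devices


def load_reg_export(path):
    """reg export writes UTF-16 with a BOM; the utf-16 codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_usbstor_export(fh.read())


if __name__ == "__main__":
    for dev in parse_usbstor_export(SAMPLE_REG):
        flag = " (serial generated by Windows)" if dev["windows_generated_serial"] else ""
        print(f'{dev["vendor"]} {dev["product"]} rev {dev["revision"]} '
              f'serial {dev["serial"]}{flag}: {dev["friendly_name"]}')
```

A .reg export carries values only, not the keys' LastWrite times, so it tells you which devices were ever seen but not when; pair it with the live hive or an offline copy of SYSTEM when the timeline matters.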

4. Slack Space

· DriveSpy (Digital Intelligence)

to collect all the slack space in an entire partition into a file.

5. Collecting Hidden Partition Information

· Find & Mount (findandmount.com)

· Partition Logic (partitionlogic.org.uk)

to collect information from hidden partitions and to perform many other useful tasks on partitions.

6. Web Browser Cache, Cookies, Temporary Files

· ChromeCacheView (nirsoft.net)

· MZCacheView (nirsoft.net)

· ChromeCookiesView (nirsoft.net)

· MZCookiesView (nirsoft.net)

nirsoft.net offers efficient tools to view the cache and cookies of most web browsers.
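Reading cookie metadata straight from the SQLite stores that ChromeCookiesView and MZCookiesView display, with each browser's timestamp convention converted to UTC, as an added example that is not part of the original post. It goes a little beyond the list above by handling both Chrome (microseconds since 1601-01-01) and Firefox (microseconds since 1970-01-01, expiry in seconds) in one tool. The two in-memory databases are constructed stand-ins with trimmed schemas; the real files are Cookies under the Chrome profile directory (a Network sub-folder in newer versions) and cookies.sqlite under the Firefox profile, and they should be copied out before opening because the running browser keeps them locked.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/Edge clock origin
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox clock origin


def webkit_to_utc(microseconds):
    """Chrome stores times as microseconds since 1601-01-01 UTC; 0 means unset."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def unix_us_to_utc(microseconds):
    """Firefox creationTime / lastAccessed are microseconds since the Unix epoch."""
    if not microseconds:
        return None
    return UNIX_EPOCH + timedelta(microseconds=microseconds)


def build_sample_chrome_db():
    """Constructed stand-in for Chrome's Cookies file (columns trimmed; real files
    also hold an encrypted_value BLOB, which this example does not decrypt)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (creation_utc INTEGER, host_key TEXT, name TEXT, "
        "path TEXT, expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER, "
        "last_access_utc INTEGER)"
    )
    conn.executemany(
        "INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?)",
        [
            (13300000000000000, ".example.com", "session", "/", 13310000000000000, 1, 1, 13300500000000000),
            (13290000000000000, "tracker.example.net", "id", "/", 0, 0, 0, 13299000000000000),
        ],
    )
    return conn


def build_sample_firefox_db():
    """Constructed stand-in for Firefox's cookies.sqlite (columns trimmed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_cookies (host TEXT, name TEXT, path TEXT, expiry INTEGER, "
        "lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"
    )
    conn.execute(
        "INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?)",
        (".example.org", "prefs", "/", 1700000000, 1655526400000000, 1650000000000000, 1, 0),
    )
    return conn


def chrome_cookies(conn):
    """Cookie metadata from a Chrome/Edge store, most recently used first."""
    rows = conn.execute(
        "SELECT host_key, name, path, creation_utc, last_access_utc, expires_utc, "
        "is_secure, is_httponly FROM cookies ORDER BY last_access_utc DESC"
    )
    return [
        {"host": h, "name": n, "path": p, "created": webkit_to_utc(c),
         "last_access": webkit_to_utc(a), "expires": webkit_to_utc(e),
         "secure": bool(s), "httponly": bool(o)}
        for h, n, p, c, a, e, s, o in rows
    ]


def firefox_cookies(conn):
    """Cookie metadata from a Firefox store, most recently used first."""
    rows = conn.execute(
        "SELECT host, name, path, creationTime, lastAccessed, expiry, isSecure, "
        "isHttpOnly FROM moz_cookies ORDER BY lastAccessed DESC"
    )
    return [
        {"host": h, "name": n, "path": p, "created": unix_us_to_utc(c),
         "last_access": unix_us_to_utc(a),
         "expires": (UNIX_EPOCH + timedelta(seconds=e)) if e else None,
         "secure": bool(s), "httponly": bool(o)}
        for h, n, p, c, a, e, s, o in rows
    ]


def open_readonly(path):
    """Open a copied cookie database without risking writes to the evidence file."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for row in chrome_cookies(build_sample_chrome_db()) + firefox_cookies(build_sample_firefox_db()):
        print(row["host"], row["name"], "created", row["created"], "last used", row["last_access"])
```

For a real acquisition, pass the copied file to open_readonly() and hand the connection to chrome_cookies() or firefox_cookies(); an expires value of None in the Chrome output marks a session cookie.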

7. Analyzing Windows Thumbnail Cache

· Thumbcache Viewer (github)

· Thumbs Viewer (github)

to open the thumbcache_*.db files found, for example, in the C:\Users\[UserProfile]\AppData\Local\Microsoft\Windows\Explorer directory.