In: Computer Science
List three different digital artifacts contained within a Windows operating system and how they can be used by a forensics analyst during a digital forensics investigation.
Answer:
Windows contains various digital artifacts that hold very important information about the activities performed by the computer user. These digital artifacts play a crucial role in a digital forensics examination. Some of the digital artifacts are given below.
Let's talk about the first three artifacts in detail:
Registry Files - Windows registry files are a very important digital artifact for any forensic investigator. The registry contains system settings for programs, hardware devices, user preferences, and operating-system configuration for the Windows operating system. The registry keeps records of operating-system and program settings, but it also monitors and records user-specific data. Most of the time users do not interact with the registry directly; they interact with it indirectly via installation routines, applications, and programs such as Microsoft Installer files, because whenever a new application is installed or uninstalled Windows needs to make changes to the registry. The Windows Registry is accessed and configured using the Registry Editor program, a free registry editing utility included by default with every version of Microsoft Windows going back to Windows 95.
Registry Editor isn't a program you download. Instead, it can be accessed by executing regedit from the Command Prompt or from the search or Run box in the Start menu.
The registry contains registry values located within registry keys (folders that contain more data), all within one of several registry hives (folders that categorize all the data in the registry using subfolders). Making changes to these values and keys using Registry Editor changes the configuration that a particular value controls.
The registry is constantly referenced by Windows and other programs. When you make changes to nearly any setting, changes are also made to the appropriate areas in the registry, though these changes are sometimes not realized until you reboot the computer. Windows Registry backup files are saved as REG files.
Event Log - The event log stores events related to the users of the operating system, such as when a user logged in or out of the system, which programs were frequently used, when the user performed system changes, application-specific events, etc. Event log information is valuable because it provides a lot of useful user-specific information about access to the system. These event log files have a header for the file and headers for the individual entries, and both have the unique identifier (signature) “LfLe” included in their structure. These structures are all well known, and it is not difficult to write tools that parse the event records these logs contain in binary form and also extract them from unallocated space. Parsing the binary form is valuable because the header of an event log file may report a certain number of event records in the file, whereas parsing the binary form may turn up extra event records. The event log file extension is “.evt”.
An open source tool such as "evtparse.pl" can be used to extract information from the relevant .evt files. Evtparse.pl simply extracts the data and outputs the event record information, while evtrpt.pl not only produces the event record data but also scans this data and outputs statistics about the frequency of different SIDs and sources for the event records, as well as the date range of all entries located in the file. Such information comes in handy when an analyst is searching for activity that happened on the machine at a given time. For instance, if an investigator parses an event log in search of a particular event ID or a specific event, he/she can see whether it is present within the file, whether the date range of the available event entries covers the window of exposure, and whether events of interest exist within the time frame in which the incident occurred, and can save a substantial amount of time by moving to a different source of data if the search brings no results.
The latest editions of Windows replace the event logging mechanism of the previous Windows versions, such as Windows NT, 2000, XP, and 2003. The Windows event log mechanism is much more complicated;
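As an added example (my own code, not part of the original answer and not taken from evtparse.pl or evtrpt.pl), the Python below carves legacy .evt records out of an arbitrary byte buffer by scanning for the "LfLe" signature, validates each hit against the EVENTLOGRECORD layout from winnt.h, and then computes the kind of per-source and date-range statistics described above, plus the "is Event ID X present inside the incident window" check. The sample "disk image" is constructed inside the script (the computer name, event IDs, insertion strings and timestamps are made up), so it runs offline; the minimum-length and trailer checks are what reject the 0x30-byte file header and the decoy signature planted in the junk bytes, which is exactly the filtering a carver needs when it runs over unallocated space.

```python
import struct
from collections import Counter, namedtuple
from datetime import datetime, timezone

# EVENTLOGRECORD (winnt.h): 56-byte fixed header, then SourceName and ComputerName as NUL-terminated
# UTF-16LE, optional SID, the insertion strings, binary data, padding, and Length repeated as a trailer.
EVT_SIGNATURE = b"LfLe"                                  # 0x654C664C; in the file header and every record
RECORD_HEADER_FMT = "<IIIIIIHHHHIIIIII"
RECORD_HEADER_LEN = struct.calcsize(RECORD_HEADER_FMT)   # 56
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}

EvtRecord = namedtuple("EvtRecord", "offset record_number time_generated time_written "
                                    "event_id event_type source_name computer_name strings")

def _read_utf16z(rec, pos):
    """NUL-terminated UTF-16LE string inside one record -> (text, position after the terminator)."""
    end = pos
    while end + 2 <= len(rec) and rec[end:end + 2] != b"\x00\x00":
        end += 2
    return rec[pos:end].decode("utf-16-le", errors="replace"), end + 2

def parse_record(buf, start):
    """Parse the EVENTLOGRECORD beginning at `start`; None if the sanity checks fail."""
    if start < 0 or start + RECORD_HEADER_LEN > len(buf):
        return None
    (length, _sig, rec_no, t_gen, t_wr, event_id, ev_type, num_strings, _cat, _flags,
     _closing, str_off, _sid_len, _sid_off, _data_len, _data_off) = struct.unpack_from(RECORD_HEADER_FMT, buf, start)
    # The 0x30-byte file header also carries "LfLe"; it fails the minimum-length check here.
    if length < RECORD_HEADER_LEN + 4 or start + length > len(buf):
        return None
    rec = buf[start:start + length]
    if rec[4:8] != EVT_SIGNATURE or struct.unpack_from("<I", rec, length - 4)[0] != length:
        return None                                      # the trailer must repeat Length
    if num_strings and not RECORD_HEADER_LEN <= str_off < length - 4:
        return None
    source, pos = _read_utf16z(rec, RECORD_HEADER_LEN)
    computer, _ = _read_utf16z(rec, pos)
    strings, pos = [], str_off
    for _ in range(num_strings):
        s, pos = _read_utf16z(rec, pos)
        strings.append(s)
    return EvtRecord(start, rec_no, datetime.fromtimestamp(t_gen, tz=timezone.utc),
                     datetime.fromtimestamp(t_wr, tz=timezone.utc), event_id & 0xFFFF,  # low word = displayed ID
                     EVENT_TYPES.get(ev_type, f"Unknown({ev_type})"), source, computer, strings)

def carve_records(buf):
    """Find every LfLe signature in `buf` (a log file or unallocated space) and keep the valid records."""
    records, idx = [], buf.find(EVT_SIGNATURE)
    while idx != -1:
        rec = parse_record(buf, idx - 4)                 # Length sits in the 4 bytes before the signature
        if rec is not None:
            records.append(rec)
        idx = buf.find(EVT_SIGNATURE, idx + 1)
    return records

def summarize(records):
    """Counts per source and per Event ID plus the covered time range (the statistics the answer describes)."""
    times = [r.time_generated for r in records]
    return {"count": len(records),
            "by_source": dict(Counter(r.source_name for r in records)),
            "by_event_id": dict(Counter(r.event_id for r in records)),
            "first": min(times) if times else None, "last": max(times) if times else None}

def events_in_window(records, event_id, start, end):
    """Is a given Event ID present inside the incident window? (the triage question in the answer)"""
    return [r for r in records if r.event_id == event_id and start <= r.time_generated <= end]

def build_sample_record(rec_no, ts, event_id, ev_type, source, computer, strings):
    """Assemble a well-formed EVENTLOGRECORD without a SID (constructed test data)."""
    body = source.encode("utf-16-le") + b"\x00\x00" + computer.encode("utf-16-le") + b"\x00\x00"
    str_off = RECORD_HEADER_LEN + len(body)
    body += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data_off = RECORD_HEADER_LEN + len(body)
    length = RECORD_HEADER_LEN + len(body) + 4
    pad = (-length) % 8                                  # records are padded to 8-byte boundaries
    length += pad
    header = struct.pack(RECORD_HEADER_FMT, length, 0x654C664C, rec_no, ts, ts, event_id, ev_type,
                         len(strings), 0, 0, 0, str_off, 0, str_off, 0, data_off)
    return header + body + b"\x00" * pad + struct.pack("<I", length)

# Constructed "disk image" fragment: leading slack, a 48-byte .evt file header, two records,
# junk containing a decoy signature, then one orphaned record in unallocated space.
_FILE_HEADER = struct.pack("<12I", 0x30, 0x654C664C, 1, 1, 0x30, 0x30, 3, 1, 0x80000, 0, 0, 0x30)
SAMPLE_IMAGE = (
    b"\x00" * 16 + _FILE_HEADER
    + build_sample_record(1, 1262304000, 528, 8, "Security", "WORKSTATION1", ["Administrator", "WORKSTATION1", "2"])
    + build_sample_record(2, 1262307600, 538, 8, "Security", "WORKSTATION1", ["Administrator", "WORKSTATION1"])
    + b"\xffjunk LfLe junk\xff" * 2
    + build_sample_record(7, 1262390400, 6005, 4, "EventLog", "WORKSTATION1", [])
    + b"\x00" * 8
)

if __name__ == "__main__":
    found = carve_records(SAMPLE_IMAGE)
    for r in found:
        print(f"#{r.record_number} {r.time_generated:%Y-%m-%d %H:%M:%S} {r.source_name}/{r.event_id} {r.event_type} {r.strings}")
    print(summarize(found))
```

Two design points worth noting: the carver anchors on the signature rather than on the record count in the file header, which is why it also recovers the third record that no header points at; and it rejects anything whose trailer does not repeat Length, which is the cheapest way to tell a real record from a chance occurrence of the four signature bytes.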
LINK files - Have you noticed or created shortcut files on your system? Yes, shortcut files are created when a user or the operating system creates shortcuts for files that are frequently used, double-clicked, or accessed from system drives or attached storage. Such shortcut files are called link files; they provide a link to the original file. By examining these link files, an investigator can find Windows activity such as the time and location from which these files were accessed.
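As an added example (my own code, not part of the original answer), here is a small Python parser for the parts of a .lnk file (the MS-SHLLINK format) that carry the evidence the paragraph above refers to: the ShellLinkHeader stores the target's creation, access and write timestamps as FILETIMEs together with its size, and the LinkInfo block stores the local path of the target and the serial number of the volume it lived on. The shortcut it parses is constructed inside the script (the path, volume label, serial number and timestamps are made up), and the parser deliberately stops after StringData, skipping the contents of the LinkTargetIDList and the ExtraData blocks.

```python
import struct
from collections import namedtuple
from datetime import datetime, timezone

LNK_HEADER_FMT = "<I16sIIQQQIIIHHII"                    # ShellLinkHeader, 76 (0x4C) bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
STRING_DATA_ORDER = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH), ("working_dir", HAS_WORKING_DIR),
                     ("arguments", HAS_ARGUMENTS), ("icon_location", HAS_ICON_LOCATION))
EPOCH_DIFF_100NS = 116444736000000000                   # 1601-01-01 to 1970-01-01 in 100 ns ticks

LnkInfo = namedtuple("LnkInfo", "target_created target_accessed target_written target_size "
                                "local_base_path drive_serial volume_label strings")

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601) -> aware UTC datetime; 0 means 'not set'."""
    return None if ft == 0 else datetime.fromtimestamp((ft - EPOCH_DIFF_100NS) / 10_000_000, tz=timezone.utc)

def dt_to_filetime(dt):
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DIFF_100NS

def _cstr(buf, pos):
    """NUL-terminated ANSI string starting at pos."""
    return buf[pos:buf.index(b"\x00", pos)].decode("latin-1")

def parse_lnk(buf):
    """Return the target metadata a shortcut records; raises ValueError on a non-LNK buffer."""
    if len(buf) < 0x4C or buf[:4] != b"\x4c\x00\x00\x00" or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (_, _, flags, _attrs, ctime, atime, wtime, size, _icon, _show,
     _hotkey, _r1, _r2, _r3) = struct.unpack_from(LNK_HEADER_FMT, buf, 0)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                  # skip the size-prefixed shell item ID list
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    base_path, serial, label = None, None, None
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, vol_off, base_off, _cnrl_off, _suffix_off = struct.unpack_from("<7I", buf, pos)
        if li_flags & 0x1:                               # VolumeIDAndLocalBasePath
            _vsize, _drive_type, serial, label_off = struct.unpack_from("<4I", buf, pos + vol_off)
            label = _cstr(buf, pos + vol_off + label_off)  # ANSI label (offset 0x10); Unicode variant not handled
            base_path = _cstr(buf, pos + base_off)
        pos += li_size
    strings = {}
    for name, bit in STRING_DATA_ORDER:                  # StringData fields are count-prefixed, in spec order
        if flags & bit:
            count = struct.unpack_from("<H", buf, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                strings[name], pos = buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
            else:
                strings[name], pos = buf[pos:pos + count].decode("latin-1"), pos + count
    return LnkInfo(filetime_to_dt(ctime), filetime_to_dt(atime), filetime_to_dt(wtime), size,
                   base_path, serial, label, strings)

def build_sample_lnk(target, label, serial, created, accessed, written, size, relative, workdir):
    """Assemble a minimal .lnk with LinkInfo and two StringData fields (constructed test data)."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack(LNK_HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20, dt_to_filetime(created),
                         dt_to_filetime(accessed), dt_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    label_b, base_b = label.encode("ascii") + b"\x00", target.encode("ascii") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), 3, serial, 16) + label_b   # DriveType 3 = DRIVE_FIXED
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base_b)                  # CommonPathSuffix is just an empty string here
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off) + volume_id + base_b + b"\x00"
    string_data = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative, workdir))
    return header + link_info + string_data + struct.pack("<I", 0)   # ExtraData terminal block

UTC = timezone.utc
SAMPLE_LNK = build_sample_lnk(r"C:\Users\analyst\Documents\report.docx", "OS", 0x1234ABCD,
                              datetime(2010, 1, 1, tzinfo=UTC), datetime(2010, 1, 3, 12, tzinfo=UTC),
                              datetime(2010, 1, 2, 9, 30, tzinfo=UTC), 18432,
                              r".\report.docx", r"C:\Users\analyst\Documents")

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(f"target   : {info.local_base_path} ({info.target_size} bytes) on volume {info.volume_label} "
          f"serial {info.drive_serial:08X}")
    print(f"created  : {info.target_created}\naccessed : {info.target_accessed}\nmodified : {info.target_written}")
```

The timestamps recovered here describe the target file, not the shortcut itself, so a .lnk can still tell an examiner when a file was last written and which volume it was on even after the file has been deleted or the removable drive unplugged; the shortcut's own filesystem timestamps then record when the user opened it.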
All these artifacts can be accessed manually by forensic experts, through custom programs, or through specially designed tools that extract the relevant information.
Thanks