Abstract

This chapter provides technical methods and techniques to help practitioners extract and interpret data of investigative value from computers running Windows operating systems. An important aspect of conducting advanced forensic analysis is understanding the mechanisms underlying fundamental operations on Windows systems such as the boot process, file creation and deletion, and use of removable storage media. By understanding how to aggregate and correlate data on Windows systems, digital investigators are better able to get the “big picture” (such as an overall theory of user action and a timeline) and to overcome specific technical obstacles. It is not surprising that the majority of systems that digital investigators are called upon to examine run a Windows operating system. Whether investigating child pornography, intellectual property theft, or Internet Relay Chat (IRC) bot infection, it is a safe bet that knowledge of Windows operating systems and their associated artifacts will aid investigators in their task. It is important for forensic examiners to understand the Windows startup process for a number of reasons beyond simply interrupting the boot process to view and document the CMOS configuration. Ever since examiners figured out that there might be more to a file than meets the eye, they have been interested in metadata, the information that describes or places data in context, without being part of the data that is the primary focus of the user. There are two types of metadata: file system metadata and application (or file) metadata.
