Electronic Evidence: Where to Find It in Files
Today we will talk about electronic evidence and where you can find it in files on a Windows system: the artifacts that record what a user searched for and which files were opened, and what each of them can tell an analyst.
1. Windows Searches
Windows Search is a desktop search platform that provides instant search for most common file and data types, and third-party developers can extend it to new file and data types. The terms a user types into the Explorer search box are recorded in the user's NTUSER.DAT hive under Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery, one numbered value per term, with an MRUListEx value that preserves the order in which the terms were entered. Because the searches are recorded in temporal order, an analyst can frequently see indications of the user's thought process as they searched for particular files. One caveat: the key records order, not time. Only the key's LastWrite timestamp is available, and it dates the most recent search alone.
2. File Access
Three of the most useful digital artifacts for identifying files that were opened, or that a user attempted to open, are "LNK" files (pronounced "link" files), Jump Lists, and several "most recently used" (MRU) registry keys.
3. LNK files
LNK is the file extension for a Windows shortcut file, which points to a target file, folder, or application so that the user does not have to navigate to it. A user can create a shortcut deliberately, but Windows also creates LNK files automatically, for example in the user's Recent Items folder (%APPDATA%\Microsoft\Windows\Recent), whenever a file is opened through Explorer or a common file dialog, which is what makes them valuable evidence. Besides basic properties such as the path to the target and its "Start In" (working) directory, a LNK file records the target's modified, accessed, and created timestamps, its size, and the volume it was on at the time the shortcut was written. The LNK file's own file-system timestamps matter too: for an automatically created shortcut, the creation time is the first time the target was opened and the last-modified time is the most recent.
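The script below is an added example written for this page, not the page author's code. It parses the shell link header defined in MS-SHLLINK to pull out the target's created, accessed and written timestamps, its size and attributes, and the StringData fields (working directory, relative path), then runs against a LNK it constructs itself (header plus StringData only, with made-up names and times). The optional LinkTargetIDList and LinkInfo sections are skipped by their size fields rather than decoded, so the local base path stored in LinkInfo is not extracted here.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# Shell link header constants from MS-SHLLINK (a LNK file begins 4C 00 00 00 + this CLSID).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
FILE_ATTRIBUTE_DIRECTORY = 0x10

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_lnk(data):
    """Cheap signature check: HeaderSize 0x4C followed by the shell link CLSID."""
    return len(data) >= LNK_HEADER_SIZE and data[:20] == struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID


def parse_lnk(data):
    """Return the target's MAC times, size, attributes and the StringData fields."""
    if not is_lnk(data):
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    _, _, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    info = {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": size,
        "target_is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
    }
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # skip the item ID list by its 2-byte IDListSize
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                   # skip LinkInfo by its 4-byte LinkInfoSize
        offset += struct.unpack_from("<I", data, offset)[0]

    def read_string():
        # CountCharacters (2 bytes) followed by that many UTF-16LE or ANSI characters.
        nonlocal offset
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        if flags & IS_UNICODE:
            raw, offset = data[offset:offset + 2 * count], offset + 2 * count
            return raw.decode("utf-16-le")
        raw, offset = data[offset:offset + count], offset + count
        return raw.decode("cp1252")

    # StringData fields appear in this fixed order, each present only if its flag is set.
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[key] = read_string()
    return info


def build_lnk(created, accessed, written, size, relative_path, working_dir):
    """Construct a minimal LNK (header + StringData only) so the parser can run offline."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    string_data = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(working_dir)


# Constructed sample: a Recent Items style shortcut to a document (made-up names and times).
SAMPLE_LNK = build_lnk(
    datetime(2021, 3, 4, 12, 0, tzinfo=timezone.utc),
    datetime(2021, 3, 5, 9, 30, tzinfo=timezone.utc),
    datetime(2021, 3, 4, 12, 15, tzinfo=timezone.utc),
    4096, "..\\..\\Documents\\report.docx", "C:\\Users\\alice\\Documents")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    for key, value in parse_lnk(data).items():
        print(f"{key:20} {value}")
```

Run it with a path to a real .lnk from a Recent Items folder to see the target's timestamps as they were when Windows last rewrote the shortcut; compare them with the .lnk file's own creation and modification times to bracket the first and last time the target was opened.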
4. Jump Lists
Jump Lists were introduced with the Windows 7 taskbar and give the user quick access to recently and frequently used files and actions for each application.
Jump Lists come in multiple flavors:
– automatic (autodest, or *.automaticDestinations-ms) files, written by Windows under %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations
– custom (custdest, or *.customDestinations-ms) files, written by the application itself under %APPDATA%\Microsoft\Windows\Recent\CustomDestinations
– Explorer StartPage2 ProgramsCache Registry values
Automatic destination files are OLE compound (structured storage) files whose numbered streams are LNK structures, plus a DestList stream that records when each entry was last used; custom destination files are a sequence of LNK structures written by the application. Because each entry is a LNK, a jump list yields the same information as a LNK file (target path, size, and the target's modified, accessed, and created timestamps), tied to the application that opened the file through the AppID that forms the jump list's file name.
5. Most Recently Used (MRU) Registry Keys
Several registry keys in the user's NTUSER.DAT hive track most recently used items. Analysis of these keys lets an analyst quickly identify files that were accessed.
The RecentDocs key (Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs) maintains a master list of the last 150 files or folders opened, in the order given by its MRUListEx value, with per-extension subkeys (.docx, .pdf, Folder, and so on) that each keep their own list. As with WordWheelQuery, only the key's LastWrite time is recorded, and it applies to the most recent entry. Even so, by analyzing the order in which particular files were opened, analysts have often been able to refute claims that a single type of file was opened by mistake.
6. Application-Specific Most Recently Used (MRU)
Each application in the Office suite keeps its own "File MRU" list (for example NTUSER.DAT\Software\Microsoft\Office\<version>\Word\File MRU) whose items record both the path of each recent file and, unlike the Explorer MRU keys, a FILETIME of when it was opened.
Windows also provides common dialog boxes that any program can use when a user opens or saves a file. The file names chosen through them are saved under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32: in the OpenSaveMRU key on Windows XP, and in the OpenSavePidlMRU key on Windows Vista and later, where the values are shell item lists (PIDLs) rather than plain strings. The sibling LastVisitedPidlMRU key records which executable used the dialog and the directory it last browsed to.
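The Python below is an added example written for this page (not the page author's tooling) covering the three registry MRU artifacts discussed above: it reconstructs recency order from an MRUListEx value as used by WordWheelQuery (section 1) and RecentDocs (section 5), decodes the UTF-16 names those values begin with, and parses the timestamped Office File MRU items from section 6. The registry values are constructed inside the script rather than read from a hive; on a live Windows host the same dicts can be filled from winreg.EnumValue over the key, and offline from an exported NTUSER.DAT with a hive parser. OpenSavePidlMRU uses the same MRUListEx ordering but stores shell item lists, which this script does not decode.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_mrulistex(raw):
    """MRUListEx is a run of little-endian uint32 value indices, most recent first,
    terminated by 0xFFFFFFFF. Only order is recorded: the key's LastWrite time dates
    the first entry, the rest carry no timestamp of their own."""
    order = []
    for (idx,) in struct.iter_unpack("<I", raw[: len(raw) - len(raw) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def decode_utf16_name(raw):
    """WordWheelQuery and RecentDocs values begin with a NUL-terminated UTF-16LE string.
    RecentDocs appends a shell item (holding the .lnk name) after the terminator; ignore it."""
    for i in range(0, len(raw) - 1, 2):
        if raw[i:i + 2] == b"\x00\x00":
            return raw[:i].decode("utf-16-le")
    return raw.decode("utf-16-le", errors="replace")


def mru_in_order(values):
    """values maps registry value name -> data bytes for one MRU key.
    Returns [(index, name)] most recent first; an index listed in MRUListEx with no
    matching value is reported as None so the gap is visible rather than hidden."""
    result = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        result.append((idx, decode_utf16_name(raw) if raw is not None else None))
    return result


# Office "File MRU" items look like [F<flags>][T<FILETIME hex>][O<...>]*<path>; the [O]
# group is absent in older Office versions, so it is optional here.
OFFICE_MRU_RE = re.compile(
    r"^\[F([0-9A-Fa-f]{8})\]\[T([0-9A-Fa-f]{16})\](?:\[O([0-9A-Fa-f]{8})\])?\*(.+)$")


def parse_office_mru(item):
    """Return the open time and path from one Office File MRU item string."""
    m = OFFICE_MRU_RE.match(item)
    if not m:
        raise ValueError("not an Office File MRU item: %r" % item)
    return {"opened": filetime_to_datetime(int(m.group(2), 16)), "path": m.group(4)}


# ---- constructed sample values (made up for this example, not from a real hive) ----
def pack_mrulistex(*indices):
    return b"".join(struct.pack("<I", i) for i in indices) + b"\xff\xff\xff\xff"


def utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"


WORD_WHEEL_QUERY = {          # Explorer search terms; value "2" was typed most recently
    "MRUListEx": pack_mrulistex(2, 0, 1),
    "0": utf16z("budget"),
    "1": utf16z("passport"),
    "2": utf16z("passport scan"),
}
RECENT_DOCS = {               # RecentDocs values carry a shell item after the name
    "MRUListEx": pack_mrulistex(1, 0),
    "0": utf16z("notes.txt") + b"\x10\x00\x32\x00" + b"\x00" * 12,    # placeholder shell item
    "1": utf16z("report.docx") + b"\x10\x00\x32\x00" + b"\x00" * 12,
}
OPENED = datetime(2021, 3, 4, 12, 0, tzinfo=timezone.utc)
OFFICE_ITEM = "[F00000000][T%016X][O00000000]*C:\\Users\\alice\\Documents\\report.docx" % (
    datetime_to_filetime(OPENED))

if __name__ == "__main__":
    print("search terms, newest first:", [n for _, n in mru_in_order(WORD_WHEEL_QUERY)])
    print("recent docs, newest first: ", [n for _, n in mru_in_order(RECENT_DOCS)])
    print("office item:", parse_office_mru(OFFICE_ITEM))
```

The ordering function deliberately reports indices that appear in MRUListEx without a matching value: on a real hive that usually means a value was deleted or the key is being rewritten, and the gap itself is worth noting in the report.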