Tag Archives: artefact locations

Windows XP Restore Points

I know XP is going the way of the Dodo, which is why I wanted to write this post. As blogs and posts update and keep up with the latest versions of Windows I find it harder and harder to … Continue reading

Posted in Introduction, Windows Forensics, Windows Registry Forensics, Windows XP | Tagged , , , , , , | Leave a comment

Mounted Devices Key

Here is a screen capture of a Mounted Devices key. As you can see it can appear quite daunting. In a previous blog post I covered how a USB Mass Storage devices would simply convert ASCII to Hex and use … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , , , | Leave a comment

Research: Decoding LanmanServer\Shares

For my first fully independent research topic I chose to look at the registry key created when an object is shared. This all started with a job we were investigating recently where the indicators we were given did not turn … Continue reading

Posted in Cyber, Research, Shared Folders, Windows Forensics, Windows Registry Forensics | Tagged , , , , , , , , | 6 Comments

Link Files

Link (lnk) files are a valuable source of information in a forensic investigation and should not be casually overlooked. What are Link files? Link files are created by the system when a file is opened, even if that file is … Continue reading

Posted in Link FIles, Windows Forensics | Tagged , , , , , | Leave a comment

Jump Lists

What is a Jump List? A Jump List looks something like: From left to right we have; Windows Media Player Start Menu, Wordpad Internet Explorer Jump Lists were introduced in Windows 7 to allow frequently used files/tasks/webpages to be selected … Continue reading

Posted in Jump Lists, Windows Forensics | Tagged , , , , , , , , | Leave a comment

Chrome – Basics

Google Chrome, or just Chrome, is (at the time of writing) the most popular web browser by a fair amount. Twice as popular as Mozilla’s Firefox. Chrome stores its artefacts in SQLite, JSON (JavaScript Object Notation) and SNSS (Session Saver) … Continue reading

Posted in Browser Forensics, Chrome, Google Chrome, Windows Forensics | Tagged , , , , , , , , , | Leave a comment

Internet Explorer – Basics

As IE comes bundled with Windows as standard it is often the browser (of choice?) used by a lot of organisations. Larger organisations are also often slower to update IE, in my experience, as they have integrated business critical applications … Continue reading

Posted in Browser Forensics, Internet Explorer, Windows Forensics | Tagged , , , , , , , | Leave a comment