ADFIRWMC - 3. Files of Forensic Interest
Each and every one of these artifacts are a deep world of details all to themselves but I tried to boil them down for this list. We will cover most of these in greater detail further in this course.
- NTFS Master File Table ($MFT)
- Description: Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT).
- Importance: ★★★★★
- This contains the vast majority of the filesystem information for an NTFS volume.
- Once parsed, you can establish file paths and variety of timestamps that make timelining events easier.
- So much info can be derived from the MFT that I refuse to try to explain it here.
- Line to add to collection script:
$filestocollect += 'c:\$MFT'
- NTFS Transaction Log ($LogFile)
- Description: NTFS is designed to be recoverable in case something borks. To do that, every file operation is logged so in case of unexpected system shutdown due to power error or critical system failure, the operating system can recover the status of file system to the previous status with saved information in $LogFile file.
- Importance: ★★★☆☆
- While you can pull off some geeky cool stuff from the data in the $LogFile, I usually don’t need to dig into it much because the MFT is largely full of the relevant info.
- Line to add to collection script:
$filestocollect += 'c:\$LogFile'
- NTFS Change Journal ($Usnjrnl:$J)
- Description: Update Sequence Number Journal is a feature of NTFS which maintains a record of changes made to the volume. Whenever a change is made to the volume, a record is added to the file. Each record is identified by a 64-bit Update Sequence Number or USN. (For this reason Change Journals are sometimes called USN Journals.) Each record in the Change Journal contains the USN, the name of the file, and information about what the change was.
- Importance: ★★★☆☆
- This is another one of those files you don’t need on a day to day basis, mostly for the deep forensic dives where you need to know exactly what changes took place at the volume level during a period of time.
- Using the $MFT, $LogFile, and $USNJrnl:$J in concert can paint a very high fidelity picture of file system events. Using them together can help shed light on things like timestomping.
- Line to add to collection script
$filestocollect += 'c:\$Extend\USNjrnl:$J'
- System Registry Hives
- Description:
- Importance:
- Line to add to collection script:
$filesigs += '^c:\\Windows\\System32\\config\\.*'
- User Registry Hives
- Description:
- Importance:
- Lines to add to collection script:
$filesigs += '^c:\\Users\\.*\\ntuser.dat$'
$filesigs += '^c:\\Users\\.*\\AppData\\Local\\Microsoft\\Windows\\usrclass.dat$'
- Windows Event Logs
- Description:
- Importance:
- Line to add to collection script:
$filesigs += '^c:\\Windows\\System32\\winevt\\Logs\\.*.evtx$'
- Prefetch Files
- Description:
- Importance:
- Line to add to collection script:
$filesigs += '^c:\\Windows\\Prefetch\\.*\.pf$'
- Application Experience Service Artifacts
- Description:
- Importance:
- Line to add to collection script:
$filesigs += '^c:\\Windows\\AppCompat\\Programs\\Amcache.hve$'
$filesigs += '^C:\\Windows\\AppCompat\\Programs\\RecentFilecache.bcf$'
- Jump Lists
- Description:
- Importance:
- Line to add to collection script:
$filesigs += '^c:\\Users\\.*\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\.*$'
- Shortcuts
- Description:
- Importance:
- Line to add to collection script:
$filesigs += '^c:\\Users\\.*\\AppData\\Roaming\\Microsoft\\(Windows|Office)\\Recent\\.*\.lnk$'
- USB First and Last times used
- Description:
- Importance:
- Line to add to collection script:
$filesigs += '^C:\\Windows\\inf\\setupapi.dev.log$'
- Browser Artifacts
- Description: Turns out the internet works faster if people don’t download things they have already downloaded before. To keep track of all the places you have been and the files you have locally cached already, browsers store a ton of info in a variety of databases.
- Importance: ★★★★★
- This is a pretty important item to grab because it collects information on Windows Explorer in addition to Internet Explorer.
- Lines to add to collection script:
- IE
$filesigs += '^c:\\Users\\.*\\AppData\\.*\\Microsoft\\Windows\\WebCache\\.*'
- FireFox
$filesigs += '^c:\\Users\\.*\\%\AppData\\.*\\Mozilla\\Firefox\\Profiles\\.*.default\\.*'
- Chrome
$filesigs += '^c:\\Users\\.*\\AppData\\.*\\Google\\Chrome\\User\ Data\\Default\\.*'
- This will grab all of the associated files from all of the profiles
- IE