Windows registry
Recently Published Documents

TOTAL DOCUMENTS: 47 (FIVE YEARS: 4)
H-INDEX: 6 (FIVE YEARS: 1)

Electronics, 2019, Vol 8 (11), pp. 1322
Author(s): Ashar Neyaz, Narasimha Shashidhar

A USB mass storage device yields a lot of artifacts when connected to a system. These artifacts are persistent in nature and are retained even after the system has been shut down, and the information they contain may assist in carrying out forensic analysis on a suspect system. In this paper, we demonstrate how Windows Event Viewer can be used to find forensic artifacts in a suspect system for investigative purposes. We also discuss the potential that the Windows registry holds for identifying information about USB devices that have been connected to the system, to corroborate our findings from Windows Event Viewer. Finally, we use the Windows 10 file system to extract log details that contain the setup information of a USB device from the very first time it was connected to the system, and obtain the necessary identifiers and time stamp details.
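The registry and file-system side of the correlation the abstract describes, as an added example that is not the authors' code: it parses USBSTOR device-instance paths (the subkeys under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR) into vendor, product, revision and serial, flags serials that Windows generated because the device exposed none (second character is '&'), and pulls each device's earliest "Section start" from setupapi.dev.log, which records the first installation of the device. The log excerpt is constructed in the format Windows writes; the live registry walk requires Windows and rights to read the Enum tree, and is skipped otherwise.

```python
"""USB mass-storage artifact correlation: parse USBSTOR device-instance paths
and pull each device's first-install timestamp from setupapi.dev.log.
Added example for this page; it is not the authors' code."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the format of C:\Windows\INF\setupapi.dev.log (Windows 7 and later).
# The second device exposes no hardware serial, so Windows generated an instance ID
# whose second character is '&'.
SAMPLE_SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230809112345&0]
>>>  Section start 2019/03/12 14:22:05.381
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 14:22:05.392
<<<  Section end 2019/03/12 14:22:07.114
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\6&2f0a9c1d&0]
>>>  Section start 2019/04/02 09:03:41.007
<<<  Section end 2019/04/02 09:03:43.550
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<path>.+?)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_usbstor_path(path: str) -> Dict[str, object]:
    """Split 'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\<serial>&<interface>' into its fields."""
    bus, device_id, instance_id = path.split("\\")
    if bus.upper() != "USBSTOR":
        raise ValueError(f"not a USBSTOR path: {path}")
    parts = device_id.split("&")
    names = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
    fields: Dict[str, object] = {"device_class": parts[0]}
    for part in parts[1:]:
        tag, _, value = part.partition("_")
        fields[names.get(tag, tag.lower())] = value
    serial = instance_id.rsplit("&", 1)[0]  # drop the trailing '&<interface index>'
    fields["serial"] = serial
    # '&' in the second position marks a Windows-generated ID: the device had no serial.
    fields["serial_is_generated"] = len(serial) > 1 and serial[1] == "&"
    return fields


def first_install_times(log_text: str) -> Dict[str, datetime]:
    """Earliest 'Section start' per USBSTOR device path, i.e. the first connection."""
    earliest: Dict[str, datetime] = {}
    pending: Optional[str] = None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pending = header.group("path")
            continue
        start = START_RE.match(line)
        if start and pending is not None:
            ts = datetime.strptime(start.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            if pending.upper().startswith("USBSTOR\\") and (pending not in earliest or ts < earliest[pending]):
                earliest[pending] = ts
            pending = None
    return earliest


def correlate(log_text: str, registry_paths: Optional[List[str]] = None) -> List[Dict[str, object]]:
    """Join log timestamps with device paths; registry_paths (from a live host) adds
    devices the log no longer mentions, e.g. after the log was rotated."""
    times = first_install_times(log_text)
    rows: List[Dict[str, object]] = []
    for path in sorted(set(times) | set(registry_paths or [])):
        row = parse_usbstor_path(path)
        row["path"] = path
        row["first_install"] = times.get(path)  # None: present in registry, absent from log
        rows.append(row)
    return rows


def enumerate_usbstor_live() -> List[str]:
    """Walk HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR on a live Windows host.
    Assumption: runs on Windows with rights to read the Enum tree."""
    import winreg  # Windows-only module, imported lazily so the parsers run anywhere
    base = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
    paths: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as usbstor:
        for i in range(winreg.QueryInfoKey(usbstor)[0]):
            device_id = winreg.EnumKey(usbstor, i)
            with winreg.OpenKey(usbstor, device_id) as device:
                for j in range(winreg.QueryInfoKey(device)[0]):
                    paths.append(f"USBSTOR\\{device_id}\\{winreg.EnumKey(device, j)}")
    return paths


if __name__ == "__main__":
    for row in correlate(SAMPLE_SETUPAPI_LOG):
        print(row["vendor"], row["product"], row["serial"],
              "(generated)" if row["serial_is_generated"] else "", row["first_install"])
```

On a real system, pass `enumerate_usbstor_live()` as `registry_paths` so that devices whose install section has aged out of setupapi.dev.log still appear; a generated serial means the same physical device cannot be distinguished from another unit of the same model by this key alone, so corroborate it with the Event Viewer evidence the paper describes.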


2019, Vol 9 (18), pp. 3801
Author(s): Hyuk-Yoon Kwon

In this paper, we propose a method to construct a lightweight key-value store based on Windows native features. The main idea is to provide a thin wrapper for the key-value store on top of a built-in storage facility in Windows, the Windows registry. First, we define a mapping of the components of the key-value store onto the components of the Windows registry. Then, we present a hash-based multi-level registry index so as to distribute the key-value data in a balanced way and to access them efficiently. Third, we implement the basic operations of the key-value store (i.e., Get, Put, and Delete) by manipulating the Windows registry using the Windows native APIs. We call the proposed key-value store WR-Store. Finally, we propose an efficient ETL (Extract-Transform-Load) method to migrate data stored in WR-Store into any other environment that supports existing key-value stores. Because the performance of the Windows registry has not been studied much, we perform an empirical study to understand the characteristics of WR-Store, and then tune the performance of WR-Store to find the best parameter setting. Through extensive experiments using synthetic and real data sets, we show that the performance of WR-Store is comparable to or even better than that of state-of-the-art systems (i.e., RocksDB, BerkeleyDB, and LevelDB). In particular, we show the scalability of WR-Store: WR-Store becomes much more efficient than the other key-value stores as the size of the data set increases. In addition, we show that the performance of WR-Store is maintained even under intensive registry workloads where 1000 processes that actively access the registry are running concurrently.
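The three design steps above (mapping store components onto registry components, a hash-based multi-level subkey index, and Get/Put/Delete through the native registry API) as an added example; this is not WR-Store's code and the layout is an assumption: each key is routed to a leaf subkey named by successive chunks of SHA-256(key), and stored there as a REG_BINARY value whose value name is the key itself. `index_path` is pure and runs anywhere; `RegistryKV` uses Python's `winreg` wrapper over the Win32 registry API and therefore needs Windows. The root `Software\WRStoreDemo` under HKEY_CURRENT_USER is a hypothetical name chosen so no administrative rights are needed.

```python
"""A minimal WR-Store-style key-value store on the Windows registry: keys are
routed through a hash-based multi-level subkey index; Get/Put/Delete use the
Win32 registry API via Python's winreg. Added example, not the paper's code."""
import hashlib
from typing import Optional

# Hypothetical root for this demo; WR-Store's real layout is the paper's, not this.
DEFAULT_ROOT = r"Software\WRStoreDemo"


def index_path(key: str, root: str = DEFAULT_ROOT, levels: int = 2, width: int = 2) -> str:
    """Map a key to a registry subkey path root\\h[0:w]\\h[w:2w]\\... built from the
    first `levels` chunks (`width` hex chars each) of SHA-256(key). The hash spreads
    keys evenly over the leaves; with levels=2, width=2 there are 256*256 of them."""
    digest = hashlib.sha256(key.encode("utf-8")).hexdigest()
    if levels * width > len(digest):
        raise ValueError("levels*width exceeds digest length")
    chunks = [digest[i * width:(i + 1) * width] for i in range(levels)]
    return "\\".join([root, *chunks])


class RegistryKV:
    """Get/Put/Delete over HKEY_CURRENT_USER. Each value is stored as REG_BINARY under
    the leaf subkey chosen by index_path, with the user's key as the value name."""

    def __init__(self, root: str = DEFAULT_ROOT, levels: int = 2, width: int = 2):
        import winreg  # Windows-only; imported here so index_path is usable anywhere
        self._reg = winreg
        self._hive = winreg.HKEY_CURRENT_USER
        self.root, self.levels, self.width = root, levels, width

    def _path(self, key: str) -> str:
        return index_path(key, self.root, self.levels, self.width)

    def put(self, key: str, value: bytes) -> None:
        reg = self._reg
        # CreateKeyEx creates every missing level of the index path in one call.
        with reg.CreateKeyEx(self._hive, self._path(key), 0, reg.KEY_SET_VALUE) as leaf:
            reg.SetValueEx(leaf, key, 0, reg.REG_BINARY, value)

    def get(self, key: str) -> Optional[bytes]:
        reg = self._reg
        try:
            with reg.OpenKey(self._hive, self._path(key), 0, reg.KEY_QUERY_VALUE) as leaf:
                data, _kind = reg.QueryValueEx(leaf, key)
        except OSError:  # leaf subkey or value name does not exist
            return None
        return data

    def delete(self, key: str) -> bool:
        reg = self._reg
        try:
            with reg.OpenKey(self._hive, self._path(key), 0, reg.KEY_SET_VALUE) as leaf:
                reg.DeleteValue(leaf, key)
        except OSError:
            return False
        return True


if __name__ == "__main__":
    store = RegistryKV()
    store.put("user:42", b"alice")
    print(index_path("user:42"), store.get("user:42"))
    print(store.delete("user:42"), store.get("user:42"))
```

Two practical points for anyone trying this: everything written under HKEY_CURRENT_USER lands in the user's NTUSER.DAT hive, so it is readable by any process running as that user and persists on disk as exactly the kind of registry artifact the forensic papers on this page examine; and registry values are meant to be small, so large payloads belong in a file with only a reference in the store.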


This chapter summarizes the basic concepts related to the Windows operating system, the most widely used and most targeted operating system. The chapter explains the Windows architecture and authentication process along with various Windows operating system tools, including Windows Management Instrumentation Command-line (WMIC), the Recycle Bin, msinfo32, netsh (network shell), the Windows Services console, the Windows registry, Event Viewer, NBTSTAT (NetBIOS over TCP/IP status), System File Checker, the Group Policy Editor, Windows Firewall, Windows Task Manager, the MSCONFIG utility, the netstat (network statistics) utility, the attrib command, the diskpart utility, etc. The chapter provides details of Windows PowerShell and its Integrated Scripting Environment (ISE), which executes commands interactively and supports developing and testing PowerShell scripts, along with the net and netsh commands. These tools are useful for diagnosing and testing the security level or condition of an existing Windows installation. The Windows virtual machines created as part of the experimental setup discussed in the first chapter of this book can be used to exercise the Windows commands and utilities mentioned in this chapter.


2018, Vol 52 (3), pp. 337-353
Author(s): Avinash Singh, Hein S. Venter, Adeyemi R. Ikuesan

Author(s): Premchand Ambhore, Archanam Wankhade, B.B. Meshram

Today, computer systems have become an integral part of our lives. Their penetration at the personal and organizational level has increased rapidly in the last couple of years. The majority of data is now present in digital form, which includes personal data like photos and videos, government documents, secret and confidential reports of organizations, etc. This change in technology has also been adopted by criminals to perform their illegal activities. The use of computers for committing crimes has increased, so it has become necessary for investigators to collect and process evidence from a suspect's computer. Windows 7 has become the mainstream operating system for users, and thus its forensic investigation is becoming important. There are various places in Windows 7 that can be used in forensic analysis; some of the areas of interest are the Windows registry and the underlying NTFS file system. The registry contains valuable information that can be helpful for forensic analysis. The registry contains basic information such as the date the operating system was installed and the owner name, and advanced information such as the software installed on the system, the history of recently used documents and so on, which will help the analyst decide how to further analyze the system depending on its environment. The NTFS file system is the native file system of Microsoft's Windows 7 and is used to manage the files present on disk. A suspect can hide data in the file system using its Alternate Data Streams feature. He/she can also remove evidence present on disk by deleting the files containing it. It is important for the forensic investigator to recover the evidence from files hidden or deleted by the suspect. In this paper we have proposed and implemented a tool that will be useful for performing forensic analysis of the Windows 7 registry, the underlying NTFS file system's Alternate Data Streams, and the recovery of deleted files. This tool will help save the investigator's effort and time in the investigation.
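Two of the artifact classes the abstract names, as an added example that is not the authors' tool: the basic install facts the registry keeps (owner name, product, and the InstallDate value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, a REG_DWORD of seconds since the Unix epoch) and Alternate Data Streams on NTFS files, enumerated with the kernel32 FindFirstStreamW/FindNextStreamW API through ctypes, which is how hidden streams are found since Explorer and a plain `dir` do not list them. Deleted-file recovery is out of scope here. The registry and stream functions need Windows; the scratch file name in the demo is an assumption.

```python
"""Windows 7+ artifacts: install facts from the registry and NTFS Alternate Data
Streams. Added example for this page; it is not the authors' tool."""
import ctypes
from datetime import datetime, timezone
from typing import Dict, List, Tuple

MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value  # what FindFirstStreamW returns on failure


def decode_install_date(install_date: int) -> datetime:
    """InstallDate under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion is a
    REG_DWORD of seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(install_date, tz=timezone.utc)


def read_install_info() -> Dict[str, object]:
    """Owner name, product name and install date from the live registry (Windows only)."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
        owner, _ = winreg.QueryValueEx(k, "RegisteredOwner")
        product, _ = winreg.QueryValueEx(k, "ProductName")
        install_date, _ = winreg.QueryValueEx(k, "InstallDate")
    return {"owner": owner, "product": product, "installed": decode_install_date(install_date)}


class _WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_streams(path: str) -> List[Tuple[str, int]]:
    """Enumerate every data stream of `path` with FindFirstStreamW/FindNextStreamW
    (kernel32, Windows Vista and later). Returns (stream name, size) pairs: the
    unnamed stream is '::$DATA', an ADS appears as ':name:$DATA'."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    k32.FindClose.restype = ctypes.c_int

    data = _WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    streams: List[Tuple[str, int]] = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams


def alternate_streams(streams: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Keep only the named streams; that is where a suspect would hide data."""
    return [(name, size) for name, size in streams if name != "::$DATA"]


if __name__ == "__main__":
    import os
    import tempfile
    info = read_install_info()
    print(f"{info['product']} registered to {info['owner']}, installed {info['installed']:%Y-%m-%d %H:%M:%S} UTC")
    # Plant an ADS on a scratch file (hypothetical name), then detect it.
    target = os.path.join(tempfile.gettempdir(), "ads_demo.txt")
    with open(target, "w") as f:
        f.write("visible content")
    with open(target + ":hidden", "w") as f:  # NTFS 'file:stream' syntax
        f.write("concealed content")
    print(alternate_streams(list_streams(target)))
```

Note that `list_streams` only finds streams on files the analyst can open; on a mounted evidence image the same call works against the mounted path, but an image should be mounted read-only first so the enumeration itself does not alter file timestamps.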

