It is impossible to describe every artifact that may be of interest in a given investigation, so this chapter focuses on how to find some of the artifacts that are most commonly sought. It first describes how to recover information such as the installation date and time zone settings from the Windows registry. It then gives a fairly detailed description of how to analyze a partition table in order to verify that all of the drive's space is accounted for by a partition, so that any unpartitioned space can be examined separately. An overview of how to search for deleted files is also included. A great deal of useful information can be found in file metadata, such as when a file was created and by whom; the analysis of different kinds of metadata is described before the chapter presents an approach to analyzing log files. The chapter ends with a discussion of how to analyze unstructured data such as unpartitioned disk space or slack space.
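The partition-table check referred to above, as an added example rather than code from the chapter: it parses the four primary entries of a classic MBR and reports every sector range that no partition claims, which is exactly the space an examiner would then treat as unpartitioned. It assumes 512-byte sectors and an LBA-addressed MBR disk (not GPT), and it does not walk extended partitions; the sample MBR, the disk size and all function names are constructed for this example.

```python
"""Check an MBR partition table for space that no partition accounts for.

Added example, not code from the chapter. Assumptions: classic MBR (no GPT),
512-byte sectors, LBA fields used, extended/logical partitions not followed.
"""
import os
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of sector 0
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries follow
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3xB3xII"       # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def end_lba(self) -> int:
        """Last sector of the partition, inclusive."""
        return self.start_lba + self.sector_count - 1


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Parse the four primary entries of sector 0; empty slots are skipped."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, type_id, start, count = struct.unpack(ENTRY_FORMAT, mbr[off:off + ENTRY_SIZE])
        if type_id == 0 or count == 0:
            continue
        parts.append(Partition(i, status == 0x80, type_id, start, count))
    return parts


def find_unallocated(parts: List[Partition], total_sectors: int) -> List[Tuple[int, int]]:
    """Return inclusive (first, last) LBA ranges covered by no partition.

    Sector 0 holds the MBR itself and is not reported. Overlapping entries are
    an error: a sane table never claims the same sector twice.
    """
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda part: part.start_lba):
        if p.start_lba < cursor:
            raise ValueError(f"partition {p.index} overlaps sector {cursor - 1}")
        if p.start_lba > cursor:
            gaps.append((cursor, p.start_lba - 1))
        cursor = p.end_lba + 1
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def unallocated_sector_count(gaps: List[Tuple[int, int]]) -> int:
    return sum(last - first + 1 for first, last in gaps)


def analyze_image(path: str) -> List[Tuple[int, int]]:
    """Run the check against a raw (dd-style) image; disk size comes from the file size."""
    total_sectors = os.path.getsize(path) // SECTOR_SIZE
    with open(path, "rb") as f:
        return find_unallocated(parse_mbr(f.read(SECTOR_SIZE)), total_sectors)


def build_mbr(entries) -> bytes:
    """Construct a test MBR from (bootable, type_id, start_lba, sector_count) tuples."""
    mbr = bytearray(SECTOR_SIZE)
    for i, (bootable, type_id, start, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        mbr[off:off + ENTRY_SIZE] = struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00, type_id, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed sample: a 512 MiB "disk" (1,048,576 sectors) with two NTFS
# partitions that leave gaps before the first, between them, and after the last.
SAMPLE_TOTAL_SECTORS = 1048576
SAMPLE_MBR = build_mbr([
    (True, 0x07, 2048, 204800),     # 100 MiB, sectors 2048-206847
    (False, 0x07, 210944, 409600),  # 200 MiB, sectors 210944-620543
])


if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        flag = " (bootable)" if p.bootable else ""
        print(f"entry {p.index}: type 0x{p.type_id:02x} LBA {p.start_lba}-{p.end_lba}{flag}")
    gaps = find_unallocated(parts, SAMPLE_TOTAL_SECTORS)
    for first, last in gaps:
        print(f"unallocated: sectors {first}-{last} ({(last - first + 1) * SECTOR_SIZE} bytes)")
    print(f"total unallocated: {unallocated_sector_count(gaps)} sectors")
```

On a real image, call analyze_image(path) and compare the reported ranges with the disk size recorded by the imaging tool. A small gap before the first partition is normal alignment; a large gap between or after partitions, or a table that simply covers fewer sectors than the drive has, marks the unpartitioned space that the unstructured-data techniques at the end of the chapter are meant for.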
Keywords: Metadata, Windows registry, Partition analysis