Program execution analysis in Windows: A study of data sources, their format and comparison of forensic capability

Singh, Bhim; Singh, Upasna

doi:10.1016/j.cose.2018.01.006

Cited by 16 publications

(11 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The IconCache.db file is located in the %UserProfile%\AppData\ Local\ folder and contains information about the executed application path, but not the icon image data. It is known that the application records are stored in the order of execution and remain even after the program is removed, making it useful for forensic analysis [16].…”

Section: Iconcachedbmentioning

confidence: 99%

A reference database of Windows artifacts for file‐wiping tool execution analysis

Joo

Lee

Jeong

2023

Journal of Forensic Sciences

View full text Add to dashboard Cite

Anti‐forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file‐wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti‐forensic techniques that detect file‐wiping activities. Many previous studies have focused on the effects of file‐wiping tools on $MFT, $LogFile, and $DATA, rather than on Windows artifacts. Additionally, previous studies that have examined Windows artifacts have considered different artifacts, making it difficult to study them in a comprehensive manner. To address this, we focused on analyzing traces in 13 Windows artifacts of 10 file‐wiping tools' operations in the Windows operating system comprehensively. For our experiments, we installed each file‐wiping tool on separate virtual machines and checked the traces that the tools left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces on other artifacts, except for JumpList, Open&SavePidlMRU, and lnk. There were also some cases where traces remained on the other three artifacts. Based on our research, forensic investigators can quickly identify whether a file‐wiping tool has been used, and it can assist in decision‐making for evidence collection and forensic triage.

show abstract

Section: Iconcachedbmentioning

confidence: 99%

A reference database of Windows artifacts for file‐wiping tool execution analysis

Joo

Lee

Jeong

2023

Journal of Forensic Sciences

View full text Add to dashboard Cite

show abstract

“…Other examples of OS functionalities and services that yield valuable artifacts are the AmCache [14], thumbcache files [15], JumpLists [16,17], Windows Search Indexer [18], Cortana digital assistant [19,20], and the system resource usage monitor (SRUM) [21], to name just a few. Singh and Singh give a broad overview of the forensic artifacts created whenever Windows OS executes an application [22]. In [20], the same authors analyze the digital forensic arti- provided new forensic artifacts.…”

Section: Related Workmentioning

confidence: 99%

“…The execution of Your Phone application in a PC leaves the usual Windows artifacts such as Prefetch, SRUM, Jump Lists, ShimCache, Timeline, to name just a few [22]. Additionally, thumbnails of the photos/screenshots may exist in Windows's thumbcache.db [15].…”

Section: Other Artifactsmentioning

confidence: 99%

Digital forensic artifacts of the Your Phone application in Windows 10

Domingues

Frade

Andrade

et al. 2019

Digital Investigation

View full text Add to dashboard Cite

Your Phone is a Microsoft system that comprises two applications: a smartphone app for Android 7+ smartphones and a desktop application for Windows 10/18.03+. It allows users to access their most recent smartphonestored photos/screenshots and send/receive short message service (SMS) and multimedia messaging service (MMS) within their Your Phone-linked Windows 10 personal computers. In this paper, we analyze the digital forensic artifacts created at Windows 10 personal computers whose users have the Your Phone system installed and activated. Our results show that besides the most recent 25 photos/screenshots and the content of the last 30-day of sent/received SMS/MMS, the contact database of the linked smartphone(s) is available in a accessible SQLite3 database kept at the Windows 10 system. This way, when the linked smartphone cannot be forensically analyzed, data gathered through the Your Phone artifacts may constitute a valuable digital forensic asset. Furthermore, to explore and export the main data of the Your Phone database as well as recoverable deleted data, a set of python scripts-Your Phone Analyzer (YPA)-is presented. YPA is available wrapped within an Autopsy module to assist digital practitioners to extract the main artifacts from the Your Phone system.

show abstract

“…Jump list information is maintained on a per application basis. However, not all applications create jump lists; these include host-based applications such as Regedit, Command Prompt and Run [12]. This chapter presents a methodology for recovering deleted jump list entries in Windows 10 systems.…”

Section: Introductionmentioning

confidence: 99%

Recovery of Forensic Artifacts from Deleted Jump Lists

Singh

Sharma

et al. 2018

Advances in Digital Forensics XIV

Self Cite

View full text Add to dashboard Cite

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

show abstract

Program execution analysis in Windows: A study of data sources, their format and comparison of forensic capability

Cited by 16 publications

References 11 publications

A reference database of Windows artifacts for file‐wiping tool execution analysis

A reference database of Windows artifacts for file‐wiping tool execution analysis

Digital forensic artifacts of the Your Phone application in Windows 10

Recovery of Forensic Artifacts from Deleted Jump Lists

Contact Info

Product

Resources

About