4 Minutes

One forensic tool that can be used to analyze this type of data is EnCase Forensic available commercially or the freely downloadable open source digital forensic software called SIFT from SANS.

Windows

• ¹Shellbags: a.k.a. Registry Keys, are used by Windows systems to maintain the size, position, icon, and view of folders while using Windows Explorer.
  • (Importance) Shellbags pose significant value to a forensics investigator because of the possible clues left behind that can easily be traced through parsing. This includes the modification to files, timestamps, and size.
• ²ShimCache: a.k.a. application compatibility cache
  • (Importance) Some of the many artifacts left behind inside the Registry include what files have been executed in addition to when they were executed.

Continue reading →