Practical Windows Forensics

Product type: Book
Published in: Jun 2016
Publisher: Packt
ISBN-13: 9781783554096
Pages: 322
Edition: 1st Edition

Chapter 9. Windows Files

In the previous chapter, we discussed the Windows event logs and how important they are for analysis. However, the logs are not the only important artifacts in Windows. In this chapter, we will discuss further Windows files that are created during normal Windows operation but may have evidential value from the perspective of the case under investigation.

Windows prefetch files


Windows uses prefetch files to speed up program start-up. When a program runs, Windows records which files and DLLs it loaded during its first seconds of execution so that, on later runs, those files can be read into memory before they are needed. Each executable that has been run gets its own prefetch file, which contains the following:

  • The executable's name

  • The path to the executable (it appears in the list of referenced files, and the volume information block records which volume it ran from)

  • The number of times the program has run on the system

  • The last run time (Windows 8 and later keep the last eight run times)

  • A list of the files and DLLs the program loaded while starting

The prefetch files are located in %SystemRoot%\Prefetch and use the .pf extension. The file name is the executable name in capital letters, followed by a hyphen and an eight-character hexadecimal hash computed from the executable's full path (for hosting processes such as svchost.exe the command line is included in the hash, so one host executable can have several prefetch files), as shown in Figure 1 for the calc.exe Windows native tool. Two caveats before relying on this artifact: prefetching may be disabled, since it is off by default on Windows Server editions and is controlled by the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters; and the folder holds a limited number of files (128 on Windows XP through 7, 1024 on Windows 8 and later), so the oldest entries are discarded. On Windows 10 the files are stored compressed (they start with the bytes MAM) and must be decompressed before parsing:

Figure 1: A prefetch file example

If you find two different .pf files for the same executable, this means that either there are two executables with...
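As an added worked example (not code from the book), the following Python parses an uncompressed prefetch file header and its file-name list, and checks that the hash in the file name matches the hash stored in the header. The offsets follow the documented SCCA layout for format versions 17, 23 and 26 (XP, Vista/7, 8/8.1); the version-30 entry for Windows 10 assumes the common layout with the run count at 0xD0, and such files must be decompressed first. The sample file is constructed inline; its hash value, timestamp and run count are arbitrary.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per format version: (offset of last-run FILETIME(s), how many, offset of run count).
# 17 = XP/2003, 23 = Vista/7, 26 = 8/8.1, 30 = 10 (run count at 0xD0 in the common
# Windows 10 layout; that entry is an assumption for the later variant that moved it).
LAYOUT = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0), 30: (0x80, 8, 0xD0)}


def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Parse an uncompressed .pf file; Windows 10 'MAM' files must be decompressed first."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed prefetch file (Windows 10+): decompress first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in LAYOUT:
        raise ValueError("not a supported prefetch file (version %d)" % version)
    file_size = struct.unpack_from("<I", data, 12)[0]
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]
    run_off, n_runs, count_off = LAYOUT[version]
    filetimes = struct.unpack_from("<%dQ" % n_runs, data, run_off)
    last_runs = [filetime_to_dt(ft) for ft in filetimes if ft]   # zero = unused slot
    run_count = struct.unpack_from("<I", data, count_off)[0]
    # Filename-strings section: UTF-16LE, NUL-separated device paths of every
    # file the program touched while starting (the "DLL list" of the text).
    str_off, str_size = struct.unpack_from("<II", data, 100)
    names = data[str_off:str_off + str_size].decode("utf-16-le").split("\x00")
    return {"version": version, "file_size": file_size, "exe_name": exe_name,
            "path_hash": path_hash, "run_count": run_count,
            "last_runs": last_runs, "files": [n for n in names if n]}


def hash_matches_filename(pf_filename, parsed):
    """NAME-XXXXXXXX.pf must carry the same hash as the header; otherwise the
    file was renamed or planted and its name cannot be trusted."""
    stem = pf_filename.rsplit(".", 1)[0]
    return stem.rsplit("-", 1)[-1].upper() == "%08X" % parsed["path_hash"]


def build_sample_prefetch():
    """Constructed version-23 (Windows 7) file for offline use, not a real capture;
    the hash value, timestamp and run count are arbitrary."""
    files = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CALC.EXE"]
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    hdr = bytearray(84 + 156)                 # file header + v23 file-information block
    struct.pack_into("<I4s", hdr, 0, 23, b"SCCA")
    struct.pack_into("<I", hdr, 12, len(hdr) + len(strings))
    hdr[16:76] = "calc.exe".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 76, 0x7DECBDB9)
    struct.pack_into("<II", hdr, 100, len(hdr), len(strings))
    struct.pack_into("<Q", hdr, 0x80, 132223104000000000)   # 2020-01-01 00:00:00 UTC
    struct.pack_into("<I", hdr, 0x98, 5)
    return bytes(hdr) + strings


if __name__ == "__main__":
    pf = parse_prefetch(build_sample_prefetch())
    print(pf["exe_name"], pf["run_count"], pf["last_runs"][0], pf["files"])
```

Against a real file, call `parse_prefetch(open(path, "rb").read())`; Windows 10 files raise until they have been decompressed (the MAM container uses LZXPRESS Huffman, which is outside this example). The hash check is worth running on every file in the folder: a mismatch between name and header is a cheap indicator of tampering.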

Windows tasks


Some programs need to perform a specific action at a specific time, or in response to a specific condition, in the Windows environment. For this, Windows lets programs (and administrators) create what is called a scheduled task. Tasks are stored under C:\Windows\System32\Tasks, one XML file per task, containing the account that registered the task, the trigger that fires it, the principal (the user context it runs under), and the action, which is usually the path of the command or program to execute. Starting with Task Scheduler 2.0, introduced in Windows Vista, a trigger can be calendar-based or an event, such as a logon, system start-up, the machine going idle, or a specific event being written to the event log. The action can be running a program, sending an e-mail, or displaying a message to the user (the last two are deprecated in recent Windows versions). Windows also records every task in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, so the XML files and the registry entries should be compared: a task XML file without a matching registry entry, or the reverse, deserves a closer look.

On a live system, the investigator can open the tasks using the usual Task Scheduler console (or export them with schtasks /query /xml). From a forensic image, the investigator can extract the tasks from C:\Windows\System32\Tasks, where each file is a single task in the XML...
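The following Python, added here as an example and not taken from the book, extracts the analyst-relevant fields from a task XML file and applies a few simple persistence heuristics of the kind the chapter alludes to. The task below is constructed for the example: the author, registration date, event-log query, PowerShell command line and encoded argument are made up, and the heuristics (user-writable path and script-host patterns) are assumptions to be tuned for your environment, not a detection rule from any product.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler 2.0 XML namespace (unchanged since Windows Vista).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def _text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else ""


def parse_task(xml_bytes):
    """Fields an analyst wants from one task file (on disk: UTF-16 with a byte-order mark)."""
    root = ET.fromstring(xml_bytes)
    triggers = []
    for trig in root.findall("t:Triggers/*", NS):
        kind = trig.tag.split("}", 1)[1]                    # CalendarTrigger, EventTrigger, ...
        when = _text(trig, "t:StartBoundary") or _text(trig, "t:Subscription")
        triggers.append((kind, when))
    actions = [(_text(ex, "t:Command"), _text(ex, "t:Arguments"))
               for ex in root.findall("t:Actions/t:Exec", NS)]
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "registered": _text(root, "t:RegistrationInfo/t:Date"),
        "user": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "triggers": triggers,
        "actions": actions,
    }


# Heuristics (assumptions, tune per estate): binaries launched from user-writable
# directories, and script hosts given encoded or download-and-run arguments.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|users\\public|downloads)\\", re.I)
SCRIPT_HOST = re.compile(r"(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?$", re.I)
ENCODED_OR_DOWNLOAD = re.compile(
    r"(^|\s)-e(c|nc|ncodedcommand)?\b|downloadstring|downloadfile|\biex\b|\binvoke-expression\b", re.I)


def persistence_flags(task):
    """Return the reasons a task looks like a persistence mechanism (empty list = nothing found)."""
    flags = []
    if task["hidden"]:
        flags.append("hidden from the Task Scheduler UI")
    if task["run_level"] == "HighestAvailable" or task["user"] == "S-1-5-18":
        flags.append("runs elevated or as SYSTEM")
    for command, arguments in task["actions"]:
        if USER_WRITABLE.search(command + " " + arguments):
            flags.append("command or argument under a user-writable path")
        if SCRIPT_HOST.search(command.strip('"')) and ENCODED_OR_DOWNLOAD.search(arguments):
            flags.append("script host with encoded or download-and-run arguments")
    return flags


# Constructed sample task (not a real capture); encoded as Windows writes it.
SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-03-09T14:02:11</Date>
    <Author>WORKSTATION\jdoe</Author>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2016-03-09T14:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
    <EventTrigger>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0"&gt;&lt;Select Path="System"&gt;*[System[EventID=7045]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoP -W Hidden -enc SQBFAFgA</Arguments>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")


if __name__ == "__main__":
    task = parse_task(SAMPLE_TASK)
    print(task["author"], task["triggers"], task["actions"])
    print(persistence_flags(task))
```

To sweep an image, run `parse_task` over every file under the extracted Tasks tree (they have no extension) and sort by the registration date; an EventTrigger whose subscription watches for service-installation events, as in the sample, is a trigger type that legitimate software rarely uses.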

Windows Thumbs DB


When the user selects the Thumbnails or Filmstrip view in the Windows Explorer folder viewing options, a small thumbnail of every picture in the folder is generated and stored in a single file. In Windows XP this file is created in the same directory as the pictures and named Thumbs.db. It is an OLE2 compound document (the same container format as old Office files), with one stream per thumbnail plus a catalog stream, so any structured-storage parser can list its contents. Because entries are not removed when a picture is deleted, Thumbs.db keeps thumbnails of pictures that no longer exist in the folder. Thumbs.db is a hidden system file, so the user usually never notices it:

Figure 5: Files viewing options

If the user has deleted the pictures but not the Thumbs.db file, it is possible to recover thumbnail versions of the pictures deleted from that directory, which give a good indication of the pictures' contents. Besides the thumbnail itself, Thumbs.db stores each picture's file name and the date and time of its last modification.

This Thumbs.db file is very important in cases related to pictures, such as child pornography cases.

Starting from Windows 7, the process of handling thumbnails files changed. All...

Windows RecycleBin


When a user deletes a file through the normal deletion process, the file does not leave the disk, and it is not even unlinked from the filesystem: it is moved into the Recycle Bin, from where the user can restore it if it was deleted by mistake. Only when the Recycle Bin is emptied (or when the file is deleted with Shift+Delete) does the filesystem mark the file's entry and clusters as free; even then, the metadata and content remain on the disk until they are overwritten by another file's metadata and content.

Usually, advanced forensic tools will be able to find and view deleted files as long as the filesystem still holds their metadata, and can read them without carving. However, if the investigator has only the Recycle Bin folder and needs to understand which files were deleted, when, and from where, this can be done by analyzing its contents.

The name and layout of the Recycle Bin differ from one Windows version to another. In Windows 95 and 98, it is a folder named RECYCLED at the root of the system partition. From Windows...
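As an added example (not the book's code), the following Python decodes the $I metadata records that Windows Vista and later write into C:\$Recycle.Bin\<user SID>\ beside the renamed $R files that hold the content. This later layout lies beyond the truncated text above, so the record format used here (8-byte version, 8-byte original size, 8-byte deletion FILETIME, then the original path, fixed-width in version 1 and length-prefixed in version 2 from Windows 10 onwards) is taken from the documented format rather than from the page, and the records in the sample are constructed, not captured.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Integer arithmetic on purpose: float seconds lose precision at FILETIME scale."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """$I record: version (8), original size (8), deletion FILETIME (8), original path.
    Version 1 (Vista to 8.1) uses a fixed 520-byte UTF-16LE path field; version 2
    (Windows 10 and later) stores a 4-byte character count, then the path."""
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        nchars = struct.unpack_from("<I", data, 24)[0]   # count includes the terminating NUL
        path = data[28:28 + 2 * nchars].decode("utf-16-le").split("\x00", 1)[0]
    else:
        raise ValueError("unknown $I record version %d" % version)
    return {"version": version, "size": size,
            "deleted": filetime_to_dt(deleted), "path": path}


def matching_r_name(i_name):
    """$I<random>.ext describes the deletion; $R<random>.ext is the file content."""
    base = os.path.basename(i_name)
    return "$R" + base[2:] if base.startswith("$I") else None


def build_dollar_i(version, size, deleted, path):
    """Constructed records for offline testing (not real captures)."""
    head = struct.pack("<QQQ", version, size, dt_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


if __name__ == "__main__":
    when = datetime(2016, 2, 10, 9, 30, tzinfo=timezone.utc)
    for ver in (1, 2):
        rec = parse_dollar_i(build_dollar_i(ver, 20480, when, "C:\\Users\\jdoe\\Documents\\plan.docx"))
        print(rec, matching_r_name("$I3K2L9P.docx"))
```

When walking a real $Recycle.Bin\<SID> folder, pair each $I record with its $R file by name: the $I gives the original path, size and deletion time, the $R gives the content, and a $R whose $I is missing can still be recovered, it just has no provenance.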

Windows shortcut files


Any Windows user can create a shortcut to a file anywhere on the system. A shortcut (a .lnk file) is a pointer to a specific file from another location in the filesystem, created to give easy access to some location or file.

The Windows operating system creates shortcut files for the recently opened files by default in the following locations:

  • C:\users\<username>\AppData\Roaming\Microsoft\Windows\Recent

  • C:\users\<username>\AppData\Roaming\Microsoft\Office\Recent

Windows XP saves the shortcut files at the following location:

  • C:\Documents and Settings\<username>\Recent\

Windows creates these shortcut files whenever the user opens a document or media file. Each .lnk file stores the target's creation, access and modification timestamps, its size, its name and full path, and the label and serial number of the volume it was on; links to files on local volumes also carry the NetBIOS name, and often the network adapter's MAC address, of the machine on which the file was opened.

The importance of these link files is that they are not deleted even when the original file is deleted from the system, especially in the automatically created...
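As an added worked example (not from the book), the following Python reads the parts of a .lnk file that matter here: the target's MAC timestamps and size from the header, the local path, volume label and serial number from the LinkInfo structure, the relative path and working directory strings, and the machine name and NIC MAC address from the TrackerDataBlock. The layout follows the published MS-SHLLINK format; the sample link is constructed inline, every name, serial number, GUID and timestamp in it is made up, and decoding ANSI strings as cp1252 is an assumption about the source system.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003                       # TrackerDataBlock signature
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def cstring(data, off):
    """NUL-terminated ANSI string; cp1252 is an assumption about the source machine."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    out = {"target_attributes": attrs, "target_size": size,
           "target_created": filetime_to_dt(ctime), "target_accessed": filetime_to_dt(atime),
           "target_modified": filetime_to_dt(wtime)}
    off = 76
    if flags & HAS_IDLIST:                                   # skip the shell item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr_size, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & 0x1:                                   # VolumeIDAndLocalBasePath
            vid = off + vol_off
            drive_type, serial, label_off = struct.unpack_from("<III", data, vid + 4)
            out.update(drive_type=drive_type,
                       volume_serial="%04X-%04X" % (serial >> 16, serial & 0xFFFF),
                       volume_label=cstring(data, vid + label_off),
                       local_path=cstring(data, off + base_off))
        off += li_size
    for bit, key in STRING_FIELDS:                           # StringData, always in this order
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            out[key] = data[off:off + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            off += n * width
    while off + 8 <= len(data):                              # ExtraData blocks up to the terminal block
        blk_size, sig = struct.unpack_from("<II", data, off)
        if blk_size < 4:
            break
        if sig == TRACKER_SIG:
            out["machine_id"] = data[off + 16:off + 32].split(b"\x00", 1)[0].decode("ascii")
            file_droid = uuid.UUID(bytes_le=data[off + 48:off + 64])
            if file_droid.version == 1:                      # time-based GUID embeds the NIC MAC
                out["mac"] = ":".join("%02x" % b for b in file_droid.node.to_bytes(6, "big"))
        off += blk_size
    return out


def build_sample_lnk():
    """Constructed .lnk (not a real capture): a 'Recent' link to a Word document."""
    label, base, suffix = b"OS\x00", b"C:\\Users\\jdoe\\Documents\\report.docx\x00", b"\x00"
    vol = struct.pack("<IIII", 16 + len(label), 3, 0x1A2B3C4D, 16) + label   # 3 = DRIVE_FIXED
    base_off, suffix_off = 28 + len(vol), 28 + len(vol) + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 1, 28, base_off, 0, suffix_off) \
        + vol + base + suffix
    flags = HAS_LINKINFO | 0x08 | 0x10 | IS_UNICODE
    created, modified = 130960800000000000, 130995702000000000   # 2016-01-01, 2016-02-10 09:30 UTC
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, created, modified,
                         modified, 20480, 0, 1, 0, 0, 0, 0)

    def sdata(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    strings = sdata("..\\..\\..\\Documents\\report.docx") + sdata("C:\\Users\\jdoe\\Documents")
    droid_vol = uuid.UUID("3f2504e0-4f89-41d3-9a0c-0305e82c3301")
    droid_file = uuid.UUID("7d3a1f2e-5b6c-11e6-9f3c-000c29a1b2c3")      # version 1: node = MAC
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0) + b"WORKSTATION".ljust(16, b"\x00")
               + droid_vol.bytes_le + droid_file.bytes_le + droid_vol.bytes_le + droid_file.bytes_le)
    return header + link_info + strings + tracker + struct.pack("<I", 0)


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(key, value)
```

The timestamps recovered here are those of the target at the time the link was last written, so they survive the target's deletion; the MAC address and machine name let you tell a link that was created on this machine from one that arrived inside a copied profile or a removable drive.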

Summary


In this chapter, we discussed several additional Windows artifacts that are important in digital forensic analysis. We covered the prefetch files and how they can be used to track a malicious executable that ran on the system. We also showed the Windows tasks that malware can use to persist on an infected system. Then we showed how to investigate the pictures that existed on the system, even after deletion, using the Thumbcache files. Staying with deletion, we discussed the Recycle Bin and its structure in different Windows versions. Finally, we discussed the shortcut (.lnk) files, illustrated how to read their data, and explained their forensic importance.

As opening a malicious URL or a malicious attachment is the most common way to infect a machine, in the following chapter we will discuss browser forensics and show how to track user activities and investigate the visited websites using different tools for different browsers. Also...
