Archives For August 2009

Flash cookies have been a hot topic lately with the release of an excellent research paper titled Flash Cookies and Privacy. Flash cookies, or Local Shared Objects in Adobe (formerly Macromedia) parlance, are a great example of a forensic artifact that has existed for a long time but was virtually ignored until someone decided to shine some light on it. Whenever I see new research about problematic privacy controls, I immediately get out my notepad, because I know that I am going to find some great artifacts that can help in my forensic investigations: anything that persists on disk without the user's knowledge or control is, by definition, unlikely to have been cleaned up.

Note: This post originally appeared on the SANS Forensics blog

In Part 1 of this post, we explored defragmenter usage in Windows XP, specifically trying to gain more information about user activity when we see the following in the Prefetch directory:

Figure 1: Defrag entries shown from C:\Windows\Prefetch directory

Vista made many file system changes, modifying some of the XP artifacts we relied upon in Part 1 and adding some artifacts that can greatly simplify our investigation. Importantly, Vista ships with a default scheduled task (Microsoft\Windows\Defrag\ScheduledDefrag) that runs a full volume defragmentation every Wednesday at 1:00 AM. This is in addition to the limited defrags conducted by the Prefetch / Superfetch components. Thus we should expect to see even more defragmenter activity on a Vista machine, and a Prefetch timestamp on its own is even less able to tell a user-initiated run from an automatic one. Taking this into consideration, we will perform the same analysis that we did for Windows XP.

We will focus on the two primary methods by which a user can invoke the Windows Defragmenter tool:

  1. Running defragmenter from a graphical user interface (GUI)
  2. Running defrag from the command line using defrag.exe


I have seen the following Windows Prefetch entries on nearly every Windows XP / Vista machine that I have reviewed over the past several years. Their existence always reminds me of the imperfect nature of information gained from individual artifacts. Does this mean that a user ran the Microsoft Defragmenter application on July 16, 2009 at 1:19 PM? Or was the defragmenter started automatically by Windows? The defragmenter tool has been used very effectively as an anti-forensic tool since it was first introduced: moving file contents into previously free clusters overwrites deleted data that an examiner might otherwise have recovered. In cases where data spoliation could be important, it is critical for the examiner to be able to identify any overt actions by the user. Complicating this, starting with Windows XP the operating system conducts a limited defragmentation approximately every three days. [1] This post seeks to identify forensic artifacts that can help us determine whether a user initiated the defrag application.


Figure 1: Defrag entries in C:\Windows\Prefetch directory

We will focus on the two primary methods by which a user can invoke the Windows Defragmenter tool:

  1. Running defragmenter from a graphical user interface (GUI)
  2. Running defrag from the command line using defrag.exe
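The question both parts of this post turn on is whether a defrag Prefetch entry was produced by a user or by Windows itself, and the Prefetch file gives you exactly one data point to start from: the executable name, its last-run time and a run count, sitting at fixed offsets in the .pf header. The following is an added example, not code from the original posts or from any forensic tool the posts mention. It parses the header of a Windows XP (format version 17) or Vista (format version 23) Prefetch file, then checks whether the last run coincides with the Vista default ScheduledDefrag slot (Wednesday at 1:00 AM local time). The .pf bytes are constructed in the script as sample input; the hash portion of the sample file names is a placeholder, and the UTC offset argument is an assumption you supply from the image's time-zone settings.

```python
"""Parse XP/Vista Prefetch headers and flag defrag runs that line up with a
known automatic schedule.

Added example for this post, not the author's code. Header offsets are the
documented layout for Prefetch format versions 17 (XP) and 23 (Vista / 7).
The sample .pf buffers below are constructed here for the demo.
"""
import struct
from datetime import datetime, timedelta, timezone

SCCA = b"SCCA"                                   # signature at offset 4
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# (last-run FILETIME offset, run-count offset), keyed by header version
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}
DEFRAG_EXES = {"DEFRAG.EXE", "DFRGNTFS.EXE", "DFRGFAT.EXE"}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601, UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, kept exact by using integer math."""
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


def parse_prefetch_header(data):
    """Return version, executable name, last run time and run count."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != SCCA or version not in LAYOUT:
        raise ValueError("not a supported Prefetch header (need v17 or v23)")
    # 60-byte UTF-16LE, NUL-terminated executable name at 0x10
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    ts_off, rc_off = LAYOUT[version]
    last_run = filetime_to_datetime(struct.unpack_from("<Q", data, ts_off)[0])
    run_count = struct.unpack_from("<I", data, rc_off)[0]
    return {"version": version, "exe": exe,
            "last_run": last_run, "run_count": run_count}


def classify_defrag_run(entry, utc_offset_hours=0):
    """Narrow, not prove, who started the defrag.

    v17/v23 headers keep only the most recent run time, so all this check can
    say is whether that one run coincides with the Vista default ScheduledDefrag
    slot (Wednesday 01:00 local). A hit means 'probably the task'; a miss means
    a user or some other trigger, which still needs corroboration from other
    artifacts before it counts as a deliberate user action.
    """
    if entry["exe"].upper() not in DEFRAG_EXES:
        return "not-defrag"
    local = entry["last_run"] + timedelta(hours=utc_offset_hours)
    if local.weekday() == 2 and local.hour == 1:     # Monday == 0, Wednesday == 2
        return "scheduled-window"
    return "candidate-user-run"


def build_sample_pf(version, exe_name, last_run, run_count):
    """Construct a minimal .pf header (demo input, not a real capture)."""
    buf = bytearray(0xA0)
    struct.pack_into("<I4s", buf, 0, version, SCCA)
    struct.pack_into("<I", buf, 0x0C, len(buf))          # file size field
    name = exe_name.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    ts_off, rc_off = LAYOUT[version]
    struct.pack_into("<Q", buf, ts_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, rc_off, run_count)
    return bytes(buf)


# Constructed samples; the -00000000 hash suffix is a placeholder, not a real value.
SAMPLE_FILES = {
    # XP-style entry matching the post's "July 16, 2009 1:19 PM" (a Thursday)
    "DFRGNTFS.EXE-00000000.pf": build_sample_pf(
        17, "DFRGNTFS.EXE", datetime(2009, 7, 16, 13, 19, tzinfo=timezone.utc), 7),
    # Vista-style entry sitting squarely in the Wednesday 01:00 task slot
    "DEFRAG.EXE-00000000.pf": build_sample_pf(
        23, "DEFRAG.EXE", datetime(2009, 7, 15, 1, 0, tzinfo=timezone.utc), 12),
}


def analyze_prefetch_set(files, utc_offset_hours=0):
    """Parse every .pf buffer in `files` and attach a verdict to each."""
    results = []
    for name, data in files.items():
        entry = parse_prefetch_header(data)
        entry["file"] = name
        entry["verdict"] = classify_defrag_run(entry, utc_offset_hours)
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in analyze_prefetch_set(SAMPLE_FILES):
        print(f"{r['file']:28} v{r['version']} {r['exe']:13} "
              f"last run {r['last_run']:%Y-%m-%d %H:%M} UTC  "
              f"runs={r['run_count']:<3} -> {r['verdict']}")
```

Against a real image, replace SAMPLE_FILES with the bytes of each DEFRAG*.pf / DFRG*.pf file from C:\Windows\Prefetch and pass the machine's UTC offset; note that the verdict flips if the offset is wrong, which is exactly why the time-zone setting from the SYSTEM hive should be pinned down before any of these timestamps are interpreted.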

