Windows Forensics Flashcards

1
Q

What is a .lnk file?

A
  • a data object that contains information that can be used to access another data object (the "target")
  • shortcuts; the Windows shell creates one automatically whenever a user opens a file, so they record file access even when the user never made a shortcut deliberately
  • metadata files interpreted specifically by the Windows shell ([MS-SHLLINK] format)
  • the file begins with the header size 0x4C (4C 00 00 00) at offset 0, followed at offset 4 by the shell link CLSID {00021401-0000-0000-C000-000000000046}
2
Q

What is an important note about .lnk files?

A
  • the LNK normally DOES store the absolute path to its target, as it was resolved when the shortcut was written (LinkInfo: local base path plus the volume's serial number and label, or the UNC share for network targets), together with the target's size and MAC timestamps
  • because that path is frozen inside the LNK, a shortcut whose target no longer exists is evidence that the file once lived at that path, including on removable or network volumes that can be identified by the stored volume serial
3
Q

Where are the most common locations to find .lnk files?

A
  • My Recent Documents (written automatically by the shell on file open)
    • Windows XP: %USERPROFILE%\Recent
    • Windows Vista and later: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
  • Office recent files
    • Windows XP: %USERPROFILE%\Application Data\Microsoft\Office\Recent
    • Windows Vista and later: %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent
  • also the Desktop, the Start Menu, and any removable media the user copied shortcuts to
4
Q

.lnk timestamps?

A
  • when the target is opened, the Modified, Accessed and Created (MAC) timestamps of the target file are read and stored in the link file's header, together with the target's size; they describe the target as it was when the LNK was last written
  • FILETIME format using 8 bytes: the number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC (a value of 0 means "not set")
  • the LNK file's own NTFS timestamps are separate evidence of use: its creation time is roughly when the target was first opened through the shell, its modification time the last time
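Worked example (added here; not part of the original flashcards): a parser for the fixed 76-byte ShellLinkHeader, checking the 0x4C magic and the shell link CLSID, decoding the LinkFlags and FileAttributes bits, and converting the three embedded FILETIMEs of the target. The sample header it parses is constructed in the block itself, not taken from a real .lnk file.

```python
"""Parse the fixed 76-byte ShellLinkHeader of a .lnk file ([MS-SHLLINK])."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def decode_bits(value, names):
    return sorted(n for bit, n in names.items() if value & bit)


def parse_lnk_header(data):
    """Return the header fields; raise ValueError if this is not a shell link."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C:          # the 4C 00 00 00 magic at offset 0
        raise ValueError(f"HeaderSize is 0x{header_size:X}, expected 0x4C")
    clsid = uuid.UUID(bytes_le=data[4:20])
    if clsid != SHELL_LINK_CLSID:
        raise ValueError(f"LinkCLSID {clsid} is not the shell link CLSID")
    (flags, attrs, ctime, atime, wtime, size,
     icon_index, show_cmd, hotkey) = struct.unpack_from("<IIQQQIiIH", data, 20)
    return {
        "link_flags": decode_bits(flags, LINK_FLAGS),
        "file_attributes": decode_bits(attrs, FILE_ATTRS),
        # MAC timestamps of the *target*, copied in when the LNK was written
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": size,            # low 32 bits of the target's size
        "icon_index": icon_index,
        "show_command": show_cmd,
        "hotkey": hotkey,
    }


def build_sample_lnk():
    """Constructed sample header (not a real file): a Unicode LNK with LinkInfo
    pointing at a 4096-byte ARCHIVE file created 2020-01-15 12:30:00 UTC."""
    created = datetime_to_filetime(datetime(2020, 1, 15, 12, 30, tzinfo=timezone.utc))
    accessed = 116444736000000000   # well-known FILETIME for 1970-01-01 00:00 UTC
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID.bytes_le
    header += struct.pack("<IIQQQIiIHHII",
                          0x02 | 0x08 | 0x80,   # HasLinkInfo|HasRelativePath|IsUnicode
                          0x20,                 # FILE_ATTRIBUTE_ARCHIVE
                          created, accessed, created, 4096,
                          0, 1, 0, 0, 0, 0)     # icon, SW_SHOWNORMAL, hotkey, reserved
    assert len(header) == 0x4C
    return header


if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_lnk()).items():
        print(f"{key:16} {value}")
```

The header is only the first 76 bytes; the target path itself follows in the LinkTargetIDList and LinkInfo structures, whose presence is announced by the HasLinkTargetIDList and HasLinkInfo flags decoded here.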
5
Q

Tools for .lnk forensics?

A
  • Exiftool
  • Windows LNK Parsing Utility
  • LECmd.exe (Eric Zimmerman)
  • WinHex
6
Q

Thumbnails

A
  • when the user views a folder in Thumbnails or Filmstrip view (XP), or in any icon/thumbnail view (Vista and later), Explorer creates a small thumbnail of each image, document or video and caches it
  • Windows XP: stored in a hidden Thumbs.db (OLE compound file) inside each folder
  • Windows Vista and later: stored centrally in thumbcache_*.db files (thumbcache_32.db, _96.db, _256.db, _1024.db and so on; the number is the pixel size) under %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer
  • a cached thumbnail survives deletion of the original file, so it can prove a picture once existed on the system
7
Q

Volume ShadowCopy Service

A
  • VSS
  • a set of COM APIs that implement a framework allowing volume backups to be taken while applications on the system continue to write to the volumes
  • a Windows service that provides block-level snapshots of a volume at a specific point in time
  • System Restore points and "Previous Versions" are built on these snapshots; forensically, a snapshot preserves files, registry hives and event logs as they were at that moment, including data later deleted or wiped (enumerate with vssadmin list shadows)
8
Q

Prefetch Files

A
  • a function of the Windows cache manager (part of the memory management system)
  • monitors the pages touched during the first 2 minutes of the boot process and the first 10 seconds of every other application's startup
  • these results are written to prefetch files, one per executable path
  • the next time the system boots or a "prefetched" application executes, the cache manager uses the prefetch file like a "cheat sheet" to preload what the program will need
  • forensically, a .pf file is evidence that the program ran; application prefetch is enabled by default on client Windows but disabled by default on Windows Server and may be disabled on SSD systems, so its absence is not evidence that a program never ran
9
Q

Prefetch Content for Executables

A
  • executable's name (in the header and in the .pf file name)
  • absolute path to the executable, plus every file and directory it touched during the first 10 seconds (DLLs, configuration files, and the volume each one lives on)
  • number of times the program ran on the system (run count)
  • last time the application ran (Windows 8 and later keep the last eight run times)
  • volume information: device path, volume serial number and volume creation time
10
Q

Location of Prefetch Files

A
  • %SystemRoot%\Prefetch\ (normally C:\Windows\Prefetch\)
  • .pf extension; files are named EXENAME-HASH.pf, where the hash is computed from the executable's full path, so the same binary run from two directories leaves two files
  • the folder also holds NTOSBOOT-B00DFAAD.pf (the boot trace) and Layout.ini
  • capped at 128 files on XP through Windows 7 and 1024 on Windows 8 and later; old entries are evicted once the cap is reached
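Worked example (added here; not part of the original flashcards): a parser for the header and file-information block of an uncompressed .pf file, covering format versions 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8.x). It recovers the executable name, the path hash that forms the HASH part of the file name, the run count and the last run time(s). Windows 10 files (version 30) are LZXPRESS-Huffman compressed and start with the bytes MAM\x04; they must be decompressed first and their layout varies, so the parser rejects them instead of misparsing. The sample .pf bytes are constructed in the block, not taken from a real system.

```python
"""Parse the header and file-information block of an uncompressed prefetch file."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of last-run FILETIME(s), how many, offset of run count)
LAYOUT = {
    17: (0x78, 1, 0x90),   # Windows XP / 2003
    23: (0x80, 1, 0x98),   # Windows Vista / 7
    26: (0x80, 8, 0xD0),   # Windows 8.x: eight most recent run times
}


def filetime_to_datetime(ft):
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def parse_prefetch(data):
    if data[:4] == b"MAM\x04":
        raise ValueError("compressed (Windows 10) prefetch: decompress before parsing")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError(f"bad signature {signature!r}, expected b'SCCA'")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # executable name: UTF-16LE, NUL-terminated, in a 60-byte field at 0x10
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 0x4C)
    run_off, run_n, count_off = LAYOUT[version]
    run_times = struct.unpack_from(f"<{run_n}Q", data, run_off)
    run_count, = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "file_size": file_size,
        "executable": exe_name,
        # the hash is derived from the executable's full path, which is why the
        # same binary launched from two directories leaves two .pf files
        "expected_filename": f"{exe_name}-{path_hash:08X}.pf",
        "last_run_times": [filetime_to_datetime(t) for t in run_times if t],
        "run_count": run_count,
    }


def build_sample_pf(version=23):
    """Constructed sample (not a real file): CALC.EXE, run 7 times,
    last on 2021-06-01 08:00 UTC, with an arbitrary path hash."""
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x0F, len(buf))
    buf[0x10:0x10 + 60] = "CALC.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x3D4B1A7F)        # arbitrary path hash
    run_off, _run_n, count_off = LAYOUT[version]
    last_run = datetime(2021, 6, 1, 8, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, run_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, 7)
    return bytes(buf)


if __name__ == "__main__":
    for version in (23, 26):
        print(parse_prefetch(build_sample_pf(version)))
```

Checking that expected_filename matches the on-disk name is a cheap integrity test: a mismatch means the file was renamed or planted rather than written by the cache manager.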
11
Q

Prefetch Registry Keys

A
  • settings related to prefetch are written under the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
  • the EnablePrefetcher value (REG_DWORD) controls it: 0 = disabled, 1 = application prefetch only, 2 = boot prefetch only, 3 = both (the client default); check it before concluding anything from missing .pf files
12
Q

ShimCache

A
  • aka Application Compatibility Cache (AppCompatCache)
  • allows Windows to track executable files and scripts that may require special compatibility settings (shims) to run properly
  • maintained in kernel memory and serialised to the SYSTEM hive only at shutdown or reboot: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache (XP: ...\Session Manager\AppCompatibility\AppCompatCache); a live system's newest entries are therefore only in memory
  • alternative to Prefetch when Prefetch is disabled (e.g. on servers)
  • can track more items than Prefetch: 96 entries on XP, 512 on Vista/2003, 1024 on Windows 7 and later
  • records the full path and the file's $STANDARD_INFORMATION last-modified time (plus file size on XP); it does NOT record when the file ran, and on Vista and later an entry only shows the file was present and seen by the shell, not that it executed
  • not to be confused with Amcache.hve (%SystemRoot%\AppCompat\Programs\Amcache.hve), a separate hive on Windows 8 and later (backported to Windows 7) that records installed and executed programs with full path, SHA-1 of the first 31 MB and publisher metadata
13
Q

Windows Registry

A
  • a hierarchical database, stored on disk as hive files and presented by the kernel as a single virtual tree
  • stores low-level system settings, application settings, and user preferences
  • two categories:
    • system registry files (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT)
    • user registry files (NTUSER.DAT and UsrClass.dat, one set per user profile)
14
Q

Registry Structure

A
  • Hives: files that contain keys (directories) and values
  • Keys: directories; every key carries a LastWrite timestamp (FILETIME) that is updated when its values or direct subkeys change
  • Subkeys: no structural difference between a key and a subkey
  • Values: name, type and data (e.g. settings); values carry no timestamp of their own, so the parent key's LastWrite is the only time available
15
Q

Registry Root Keys

A
  1. HKEY_CLASSES_ROOT
  2. HKEY_CURRENT_USER
  3. HKEY_LOCAL_MACHINE
  4. HKEY_USERS
  5. HKEY_CURRENT_CONFIG
16
Q

Common Hive Locations

A
  • %SystemRoot%\System32\config\: SYSTEM, SAM, SECURITY, SOFTWARE, DEFAULT (each with .LOG1/.LOG2 transaction logs alongside)
  • BCD: \Boot\BCD on the system partition (BIOS boot) or \EFI\Microsoft\Boot\BCD on the EFI system partition (UEFI boot)
  • NTUSER.DAT: %USERPROFILE%\ (per user; becomes HKCU at logon)
  • UsrClass.dat: %USERPROFILE%\AppData\Local\Microsoft\Windows\ (per user; HKCU\Software\Classes, also holds ShellBags)
  • Amcache.hve: %SystemRoot%\AppCompat\Programs\
17
Q

HKLM

A
  • HKEY_LOCAL_MACHINE
  • contains system-wide configuration subkeys, as listed below:
    • BCD00000000 (the mounted BCD store)
    • HARDWARE
    • SAM
    • SECURITY
    • SOFTWARE
    • SYSTEM
18
Q

BCD

A
  • Boot Configuration Data; replaced boot.ini from Windows Vista onward
19
Q

HARDWARE

A
  • maintains a description of the system's hardware and all hardware device-to-driver mappings
  • volatile: rebuilt at every boot and never written to a hive file, so it exists only on a live system or in a memory image
20
Q

SAM

A
  • holds local account and group information, including the NT password hashes of local users
  • the hashes are encrypted with the boot key (SysKey) derived from the SYSTEM hive, so both hives are needed to recover them offline
21
Q

SECURITY

A
  • stores system-wide security policy and user-rights assignments
  • also holds the LSA secrets (e.g. service account passwords) and cached domain logon verifiers
22
Q

SOFTWARE

A
  • stores system-wide configuration information not needed to boot the system
23
Q

SYSTEM

A
  • contains the system-wide configuration information needed to boot the system
24
Q

What does a Registry Hive header hold?

A
  • the signature "regf" at offset 0x0 of the 4096-byte base block
  • primary and secondary sequence numbers; if they differ, the last write was not flushed and the .LOG1/.LOG2 transaction logs must be replayed
  • last write timestamp (FILETIME at offset 0x0C)
  • major and minor revision numbers (1.3 through 1.6)
  • the root cell offset (offset 0x24), relative to the start of the hive bins at file offset 0x1000
  • the hive bins data size, the hive file name (UTF-16LE, offset 0x30) and a checksum of the header at offset 0x1FC
  • each key cell ("nk") then carries its own LastWrite timestamp, which is what registry tools show as the key's last modified time
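Worked example (added here; not part of the original flashcards): a parser for the regf base block and the root key cell. It validates the header checksum, flags a dirty hive (unequal sequence numbers), decodes the file name and last-written FILETIME, then follows the root cell offset into the first hive bin and reads the root key's name, flags and LastWrite time. The hive it parses is constructed inside the block, not a real SYSTEM or NTUSER.DAT file.

```python
"""Parse a registry hive (regf) base block and its root key ('nk') cell."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HBIN_BASE = 0x1000          # base block size; hive-relative offsets start here
KEY_HIVE_ENTRY = 0x04       # nk flag: this is the hive's root key
KEY_COMP_NAME = 0x20        # nk flag: key name stored as 8-bit, not UTF-16LE


def filetime_to_datetime(ft):
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def regf_checksum(base_block):
    """XOR of the 127 DWORDs before the checksum field at 0x1FC, with the
    two documented special cases for 0 and 0xFFFFFFFF."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)


def parse_regf(data):
    """Return the base-block fields plus two integrity checks."""
    if data[:4] != b"regf":
        raise ValueError("missing 'regf' signature at offset 0")
    (primary_seq, secondary_seq, last_written, major, minor, _file_type,
     _file_format, root_cell, bins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    stored_checksum, = struct.unpack_from("<I", data, 0x1FC)
    return {
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "root_cell_offset": root_cell,
        "hive_bins_size": bins_size,
        "file_name": data[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0],
        # unequal sequence numbers: the last write never finished; replay the
        # .LOG1/.LOG2 transaction logs before trusting key contents
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == regf_checksum(data[:0x200]),
    }


def parse_nk(data, cell_offset):
    """Parse a key node cell at a hive-relative offset."""
    pos = HBIN_BASE + cell_offset
    cell_size, = struct.unpack_from("<i", data, pos)   # negative = allocated
    if cell_size >= 0:
        raise ValueError("cell is free (non-negative size)")
    rec = pos + 4
    if data[rec:rec + 2] != b"nk":
        raise ValueError("cell is not a key node")
    flags, last_written = struct.unpack_from("<HQ", data, rec + 2)
    n_subkeys, = struct.unpack_from("<I", data, rec + 0x14)
    n_values, = struct.unpack_from("<I", data, rec + 0x24)
    name_len, = struct.unpack_from("<H", data, rec + 0x48)
    raw = data[rec + 0x4C:rec + 0x4C + name_len]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    return {"name": name, "is_root": bool(flags & KEY_HIVE_ENTRY),
            "last_written": filetime_to_datetime(last_written),   # key LastWrite
            "subkeys": n_subkeys, "values": n_values}


def build_sample_hive(dirty=False):
    """Constructed hive (not a real file): base block + one hbin holding only
    a root key named ROOT, last written 2022-03-10 09:15:00 UTC."""
    written = datetime_to_filetime(datetime(2022, 3, 10, 9, 15, tzinfo=timezone.utc))
    base = bytearray(HBIN_BASE)
    base[:4] = b"regf"
    struct.pack_into("<IIQIIIIII", base, 4,
                     5, 4 if dirty else 5,   # primary/secondary sequence numbers
                     written, 1, 5, 0, 1,    # version 1.5, primary file, direct format
                     0x20, 0x1000)           # root cell after the 32-byte hbin header
    base[0x30:0x70] = "\\Config\\SYSTEM".encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", base, 0x1FC, regf_checksum(base[:0x200]))

    hbin = bytearray(0x1000)
    struct.pack_into("<4sIIQQI", hbin, 0, b"hbin", 0, 0x1000, 0, written, 0)
    name = b"ROOT"
    nk = bytearray(0x4C + len(name))
    nk[:2] = b"nk"
    struct.pack_into("<HQ", nk, 2, KEY_HIVE_ENTRY | KEY_COMP_NAME, written)
    struct.pack_into("<H", nk, 0x48, len(name))
    nk[0x4C:] = name                             # subkey/value counts stay 0
    cell_size = -((4 + len(nk) + 7) // 8 * 8)    # cells are 8-byte aligned
    hbin[0x20:0x24] = struct.pack("<i", cell_size)
    hbin[0x24:0x24 + len(nk)] = nk
    return bytes(base + hbin)


if __name__ == "__main__":
    hive = build_sample_hive()
    header = parse_regf(hive)
    print(header)
    print(parse_nk(hive, header["root_cell_offset"]))
```

On a hive pulled from a live system or a VSS snapshot, expect dirty to be True fairly often: the kernel flushes lazily, and the unreplayed changes sit in the .LOG1/.LOG2 files next to the hive.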
25
Q

What are the registry value types?

A
  • REG_NONE (0): no defined type
  • REG_SZ (1): NUL-terminated string
  • REG_EXPAND_SZ (2): string with unexpanded environment variables, e.g. %SystemRoot%
  • REG_BINARY (3): raw binary data
  • REG_DWORD / REG_DWORD_LITTLE_ENDIAN (4): 32-bit little-endian integer
  • REG_DWORD_BIG_ENDIAN (5): 32-bit big-endian integer
  • REG_LINK (6): symbolic link to another key
  • REG_MULTI_SZ (7): sequence of NUL-terminated strings ending in a double NUL
  • REG_QWORD / REG_QWORD_LITTLE_ENDIAN (11): 64-bit little-endian integer
26
Q

What is the best tool for Registry Analysis?

A
  • Registry Explorer (Eric Zimmerman), with RECmd for command-line and batch work
  • both replay the .LOG1/.LOG2 transaction logs, so dirty hives taken from a live system or snapshot are parsed with their most recent changes
27
Q

Which registry key contains system configuration information such as device drivers and services?

A
  • HKEY_LOCAL_MACHINE\SYSTEM
28
Q

What are the most important Registry Artifacts?

A
  • current ControlSet number (SYSTEM\Select\Current says which ControlSet00# is live; device drivers and services sit beneath it)
  • Time Zone (SYSTEM\CurrentControlSet\Control\TimeZoneInformation)
  • Windows Product Info
  • Windows Computer Name
  • Windows Services
  • Windows DHCP Config (SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces)
  • NTFS Last Accessed (whether last-access updates are enabled: SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate)
  • Autoruns
  • Installed Applications (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)
  • Windows Firewall (SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy)
  • Remote Desktop (SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections)
  • Network History (SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles and \Signatures)
29
Q

What Registry Key contains the Windows Product information?

A
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • useful values: ProductName, CurrentBuild, InstallDate (REG_DWORD, Unix epoch seconds), RegisteredOwner, RegisteredOrganization
30
Q

What Registry Key contains the Windows Computer Name?

A

  • SYSTEM\ControlSet00#\Control\ComputerName\ComputerName
  • the sibling ActiveComputerName holds the name in use during the current boot; a difference between the two means the machine was renamed and not yet rebooted

31
Q

What Registry Key contains the Windows Services?

A

  • SYSTEM\ControlSet00#\Services
  • each service or driver has its own subkey with ImagePath (the binary run), Start (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled), Type and, for services, ObjectName (the account it runs as); the subkey's LastWrite time approximates when the service was installed or last reconfigured

32
Q

What Registry Key contains the Autoruns?

A
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunOnce
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run or \RunOnce (32-bit programs on 64-bit Windows)
  • the same Run and RunOnce keys also exist under HKCU (NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\), where a non-administrator can write them
33
Q

What are important User registry artifacts?

A
  • Windows Recycle Bin
  • Last User Logged In
  • User Sessions
  • UAC
  • User Assist Keys
  • Most Recently Opened (applications and files)
34
Q

Why check User Assist Keys?

A
  • Understand the frequency of program execution
  • Identify the last time a program was launched
  • See which items were launched most often
  • Evidence of programs after deletion/uninstall
  • How long a user has interacted with a given program (focus time, Windows 7 and later)
  • Located in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count; value names are ROT13-encoded, and the 72-byte data (Windows 7 and later) holds run count, focus count, focus time and last-run FILETIME; XP/Vista use a 16-byte format whose count starts at 5
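Worked example (added here; not part of the original flashcards): decoding a UserAssist Count value. The value name is ROT13 and the 72-byte Windows 7+ data blob carries the run count, focus count, focus time and last-executed FILETIME; the 16-byte XP/Vista blob carries a count that starts at 5 and a FILETIME. The entry decoded below is constructed in the block, not exported from a real NTUSER.DAT; the two GUID constants are the well-known UserAssist subkeys.

```python
"""Decode UserAssist entries: ROT13 value names plus the binary count data."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The two UserAssist subkeys that matter on Windows 7 and later
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # programs run directly
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"     # programs run via .lnk


def filetime_to_datetime(ft):
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def rot13(text):
    """Windows rotates only A-Z/a-z; digits, braces and backslashes are untouched."""
    return codecs.decode(text, "rot_13")


def parse_userassist(value_name, value_data):
    """Decode one Count value; the data layout depends on the Windows version."""
    entry = {"name": rot13(value_name)}
    if len(value_data) == 72:              # Windows 7 and later
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", value_data, 0)
        last_run, = struct.unpack_from("<Q", value_data, 60)
        entry.update(format="win7+", run_count=run_count, focus_count=focus_count,
                     focus_time=timedelta(milliseconds=focus_ms),
                     last_run=filetime_to_datetime(last_run))
    elif len(value_data) == 16:            # Windows XP / Vista
        _session, raw_count, last_run = struct.unpack_from("<IIQ", value_data, 0)
        # XP starts counting at 5, so the real count is raw - 5
        entry.update(format="xp", run_count=max(raw_count - 5, 0),
                     last_run=filetime_to_datetime(last_run))
    else:
        raise ValueError(f"unexpected UserAssist data length {len(value_data)}")
    return entry


def build_sample_entry():
    """Constructed Win7+ entry (not from a real hive): notepad.exe in System32,
    written in known-folder GUID form, run 12 times, 95 s of focus,
    last run 2023-02-14 17:45:00 UTC."""
    plain_name = "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe"
    data = bytearray(72)
    struct.pack_into("<IIII", data, 0, 0, 12, 30, 95_000)
    struct.pack_into("<Q", data, 60,
                     datetime_to_filetime(datetime(2023, 2, 14, 17, 45, tzinfo=timezone.utc)))
    return rot13(plain_name), bytes(data)


if __name__ == "__main__":
    name, data = build_sample_entry()
    print("stored as :", name)
    for key, value in parse_userassist(name, data).items():
        print(f"{key:12} {value}")
```

The GUID-prefixed path form is what Windows 7 and later write for well-known folders; {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} is System32, so the decoded name resolves to C:\Windows\System32\notepad.exe on a default install.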
35
Q

What is "Evidence of Absence"?

A
  • when an item is recorded as frequently accessed but is now empty or missing
  • Example: the My Documents directory was accessed 333 times, but there are no files in it; something was most likely there recently and has since been deleted or moved
36
Q

What are ShellBags?

A
  • a set of Windows Registry keys located in the NTUSER.DAT and UsrClass.dat hives (BagMRU and Bags under ...\Software\Microsoft\Windows\Shell in NTUSER.DAT and under Local Settings\Software\Microsoft\Windows\Shell in UsrClass.dat; on Windows 7 and later most entries are in UsrClass.dat)
  • maintain the view, icon, position, and size settings of folders the user has opened in Explorer, including folders on removable media and network shares
  • entries persist after the folder is deleted or the device removed, so they serve as a history of data that was removed from a system