Skip to content

CH6: Windows System Artifacts

6.1 Introduction: The Breadcrumbs of Windows

In Chapter 5, we explored the Windows Registry, the "nervous system" of the OS that tracks user configurations. In this chapter, we move from configuration to Execution and Interaction.

When a user interacts with Windows—opening a file, running a program, or browsing a folder—the operating system creates hidden records of these actions. Windows does not create these records to help forensic investigators; it creates them to improve the user experience (UX). Features like "Recent Documents," "Quick Access," and faster application loading times all rely on background data tracking.

For the forensic examiner, these convenience features are a gold mine. They allow us to answer two critical questions: 1. Did a specific program run? (Proof of Execution) 2. Did the user know a specific file or folder existed? (Attribution/Knowledge)

Learning Objectives

By the end of this chapter, you will be able to:

  • Explain why Windows stores data in binary formats and the role of forensic parsers in making this data human-readable.
  • Identify common encoding schemes found in forensics (Base64, ROT13) and apply tools like CyberChef to decode them.
  • Analyze LNK files and Jump Lists to determine file knowledge, access history, and the use of external devices.
  • Utilize Windows Prefetch data to prove program execution, identify execution counts, and establish precise timelines.
  • Examine Registry artifacts—specifically Shimcache, Amcache, and Shellbags—to identify evidence of deleted files and folder browsing history.
  • Apply Eric Zimmerman's Tools (LECmd, PECmd, SBECmd) to parse, export, and interpret binary system artifacts.

6.2 The Need for Tools: Binary, Hex, and Encoding

Before we analyze specific files, it is vital to understand why we need specialized tools. You cannot simply open a Prefetch file or an LNK file in Notepad. If you did, you would see a chaotic mess of unrecognizable symbols.

6.2.1 Storing Data in Binary

Windows stores system artifacts in Binary format rather than plain text.

  • Efficiency: Binary files are smaller and faster for the computer to read.
  • Structure: They use complex structures where specific bytes represent specific data (e.g., "Bytes 10-14 represent the date").

This is why we use Forensic Parsers like Eric Zimmerman's tools. A parser acts as a translator: it reads the raw binary code that the computer understands and converts it into a CSV or text report that a human can read.

6.2.2 Encoding and Obfuscation

Sometimes, text is readable but hidden behind an Encoding scheme.

  • ROT13: A simple cipher that shifts every letter 13 places. Windows uses this to hide the names of programs in the UserAssist registry key so they aren't immediately obvious.
  • Base64: A method of encoding binary data into ASCII text. Malicious PowerShell scripts often use Base64 to hide commands so they don't trigger antivirus alarms.

6.2.3 The Swiss Army Knife: CyberChef

While EZ Tools are excellent for parsing files, CyberChef (a free, web-based tool by GCHQ) is the industry standard for decoding data strings.

  • Use Case: If you find a suspicious string of text in the registry that looks like Start-Process -EncodedCommand JABz..., you can copy that text into CyberChef and use the "From Base64" recipe to reveal the hidden hacker commands.

6.3 LNK Files (Windows Shortcuts)

One of the most valuable artifacts for proving file access is the Windows Shortcut file, commonly known by its extension, .lnk.

6.3.1 What is an LNK File?

While users are familiar with creating shortcuts on their desktop to launch programs, Windows automatically generates LNK files in the background whenever a user opens a non-executable file (like a Word document, PDF, or Excel spreadsheet).

These automatically generated LNK files are stored in a specific user directory: \Users\<User>\AppData\Roaming\Microsoft\Windows\Recent.

6.3.2 Forensic Significance

The existence of an LNK file in the "Recent" folder proves that a file existed and was opened by that specific user, even if the original target file has since been deleted.

An LNK file is not just a pointer; it is a container of metadata. When parsed, an LNK file reveals:

  • Target Path: The location of the file being opened (e.g., F:\Stolen_Docs\Q4_Report.pdf).
  • MAC Times of the Target: The LNK file stores the Creation, Modification, and Access timestamps of the target file at the moment the shortcut was created.
  • Volume Serial Number (VSN): It records the unique serial number of the drive where the file lived. This is critical for proving a file was opened from a specific USB drive (USB A) versus the local hard drive (C:).
  • Network Share Paths: If the file was opened from a network server (e.g., \\Server01\Confidential), this path is recorded.

6.3.3 Analysis Tool: LECmd (LNK Explorer Command Line)

To analyze LNK files, we use LECmd.exe. It parses the binary LNK structure into human-readable text or CSV formats, which is essential for handling hundreds of shortcuts at once.

Command Line Usage: The most common workflow is to process an entire directory of LNK files (like the Recent folder) and export the results to a CSV for filtering in Excel.

LECmd.exe -d "C:\Temp\Evidence\Recent" --csv "C:\Temp\Reports" --csvf "LNK_Report.csv"
  • -d: Specifies the directory containing the LNK files you want to analyze.
  • --csv: Specifies the folder where you want to save the report.
  • --csvf: Specifies the filename of the report.

Analyzing the Output: Once you open LNK_Report.csv in Excel, focus on these specific columns:

  1. SourceFile: The name of the LNK file itself (e.g., Budget.xlsx.lnk).
  2. LocalPath: The path where the actual file lived (e.g., C:\Users\John\Documents\Budget.xlsx).
  3. DriveSerialNumber: This hexadecimal value matches the VSN of the disk. If this VSN matches a USB drive found in the suspect's possession, you have a direct link between the physical evidence and the digital history.
  4. NetworkPath: If the file was accessed over a network share, the UNC path appears here.

6.4 Windows Prefetch

6.4.1 Goal and Function

Windows Prefetch is a memory management feature designed to speed up the boot process and application launching. When a program is run, Windows monitors the first 10 seconds of execution, tracking which code libraries and files are loaded. It saves this trace data into a .pf file so that next time the program runs, Windows can load it into RAM more efficiently.

6.4.2 Forensic Significance: Proof of Execution

Prefetch is arguably the primary artifact for proving that a program was executed. It provides:

  • Execution Count: How many times the application has been run. A count of '1' suggests a single use (perhaps testing malware), while a count of '1,000' suggests daily usage (like a web browser).
  • Last Run Time: It records the timestamp of the last execution. In Windows 10 and later, the Prefetch file can store up to eight previous execution timestamps, allowing investigators to build a pattern of usage.
  • Files Loaded: It lists other files (DLLs, configs) that the application touched during startup.

Note on SSDs: In some modern systems with very fast SSDs, Windows may disable Prefetch automatically. Always verify the registry key EnablePrefetcher at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters to confirm if it was active (Value 3 = All enabled).

6.4.3 Analysis Tool: PECmd (Prefetch Explorer Command Line)

We use PECmd.exe to parse the proprietary hashing and compression used in .pf files.

Command Line Usage: To analyze the entire Prefetch directory:

PECmd.exe -d "C:\Temp\Evidence\Prefetch" --csv "C:\Temp\Reports" --csvf "Prefetch_Report.csv"

Analyzing the Output: In the resulting CSV, filter for the ExecutableName of interest (e.g., CCLEANER.EXE or MIMIKATZ.EXE).

  1. RunCount: Look for anomalies. If a remote access tool like AnyDesk.exe has a RunCount of 5, but the user claims they installed it "years ago," the low count contradicts them.
  2. LastRun: This timestamp allows you to place the execution on your master timeline.
  3. Files Referenced: (Best viewed in the console output or the HTML report). If WORD.EXE prefetch shows it loaded C:\Temp\Malicious.macro, you know exactly which file triggered the activity.

6.5 Shimcache (AppCompatCache)

6.5.1 Concept

As Windows evolves, it must maintain compatibility with older software. To do this, it uses the "Application Compatibility Database," or "Shim." This system tracks executables to ensure they don't crash the OS.

6.5.2 Forensic Significance

The Shimcache is stored in the SYSTEM registry hive. It is unique because it tracks files that were present on the system even if they were never executed (though modern versions include an execution flag). It is a "rolling log" of executables.

If a hacker drops a tool named hack.exe and then deletes it, Shimcache may still retain the record that hack.exe existed in a specific folder.

6.5.3 Analysis Tool: AppCompatCacheParser

Because Shimcache is embedded inside the Registry, we must extract it using AppCompatCacheParser.exe.

Command Line Usage: You must point the tool at the extracted SYSTEM hive file, not a directory.

AppCompatCacheParser.exe -f "C:\Temp\Evidence\Registry\SYSTEM" --csv "C:\Temp\Reports"
  • -f: Specifies the specific file to parse (the SYSTEM hive).

Analyzing the Output:

  1. Path: Look for suspicious locations, such as executables running from C:\Users\Public, C:\ProgramData, or C:\Temp. legitimate software rarely runs from these temporary folders.
  2. LastModifiedTimeUTC: This is the timestamp of the executable itself (when it was compiled or copied), not when it was run. This is useful for identifying "Time Stomping" (if the compiled date is older than the OS itself, it might be faked).
  3. Execution Flag: (Windows 10+). This boolean (True/False) tells you if the specific entry was actually executed.

6.6 Amcache.hve

6.6.1 Concept

Amcache is a registry hive located at \Windows\AppCompat\Programs\Amcache.hve. It tracks installed applications and drivers for compatibility purposes.

6.6.2 Forensic Significance: Attribution

Amcache is critical for malware attribution because it stores the SHA1 hash of the executed program.

If you find a suspicious program name in Prefetch (e.g., svchost.exe running from the wrong folder), you can check Amcache to get its specific hash fingerprint.

6.6.3 Analysis Tool: AmcacheParser

We use AmcacheParser.exe to extract the data.

Command Line Usage:

AmcacheParser.exe -f "C:\Temp\Evidence\Amcache.hve" --csv "C:\Temp\Reports"

Analyzing the Output: The tool generates several CSV files. Focus on the one named Amcache_UnassociatedFileEntries.

  1. SHA1: Copy this hash value.
  2. VirusTotal Check: Submit the SHA1 hash to VirusTotal.com. This allows you to identify a file definitively even if the attacker renamed malware.exe to calculator.exe.

6.7 Shellbags

6.7.1 Concept

When you open a folder in Windows Explorer, you might change the view to "Large Icons," resize the window, or move it to a specific spot on your screen. Windows remembers these preferences in Shellbags so that the next time you open that folder, it looks the same.

6.7.2 Forensic Significance: Knowledge and Intent

Shellbags are stored in the USRCLASS.DAT registry hive. They are persistent. Even if a folder is deleted, the Shellbag entry usually remains.

  • Browsing History: It proves a user navigated to a specific folder.
  • External Devices: If a user plugs in a USB drive and browses a folder named "Stolen_Designs," a Shellbag is created. Even if they destroy the USB drive, the Shellbag remains on the computer, proving they viewed that specific folder.

6.7.3 Analysis Tool: SBECmd (ShellBags Explorer Command Line)

Shellbags are structurally complex and nested. SBECmd.exe flattens this data into a linear history.

Command Line Usage: You should point this tool at the directory containing the registry hives.

SBECmd.exe -d "C:\Temp\Evidence\Registry" --csv "C:\Temp\Reports"

Analyzing the Output: Sort the CSV by LastInteracted.

  1. AbsolutePath: Reconstructs the full path the user browsed.
  2. BagMRU: The order in which folders were opened.
  3. Exploration: Look for depth. Did the user just open the root of the drive (E:\)? Or did they click through E:\Documents\Finance\2023\Hidden? The deeper the traversal, the harder it is for the user to claim ignorance of the contents.

6.8 Jump Lists

6.8.1 Concept

Introduced in Windows 7, Jump Lists are the menus that appear when you right-click an icon in the Taskbar or Start Menu. They show "Recent" or "Pinned" files specific to that application.

6.8.2 Forensic Significance

They act as application-specific history.

  • AutomaticDestinations: Created by the OS. Shows the most frequently or recently used files.
  • CustomDestinations: Created when a user explicitly "pins" a file.
  • Spoofing: Attackers often clear their "Recent Docs" folder, but they frequently forget to clear Jump Lists.

6.8.3 Analysis Tool: JLECmd (Jump List Explorer Command Line)

Jump Lists are stored as compounded binary files (OLE format), essentially collections of LNK streams packed together. JLECmd.exe parses them.

Command Line Usage: Jump Lists are named by the "AppID" (a hash of the application path). For example, Microsoft Word's AppID is fb3b0dbfee58fac8.

JLECmd.exe -d "C:\Temp\Evidence\JumpLists" --csv "C:\Temp\Reports"

Analyzing the Output:

  1. AppIdDescription: JLECmd automatically translates the confusing AppIDs (e.g., fb3b0dbfee58fac8) into human names (e.g., "Word 2016").
  2. Path: Shows the files opened by that specific app.
  3. Interaction: Pinning a file indicates high value/importance to the user.

6.9 Chapter Summary & Practical Workflow

When performing an investigation, do not analyze these artifacts in isolation. Use the "Evidence Trinity" approach to cross-validate your findings:

Question Artifact Tool Output to Check
Did they run it? Prefetch PECmd RunCount, LastRun
Did they know it was there? Shellbags SBECmd AbsolutePath, LastInteracted
Did they open the file? LNK Files LECmd LocalPath, DriveSerialNumber

Chapter Review Questions

  1. Why are specialized Forensic Parsers necessary when examining artifacts like Prefetch or LNK files?
  2. What is the purpose of ROT13 encoding in the Windows Registry, and which tool could you use to decode it?
  3. Why is the Volume Serial Number inside an LNK file important for investigating data theft via USB?
  4. If an application was executed only once, what would the Prefetch execution count be?
  5. Which tool would you use to find the SHA1 hash of a program that was executed?