CH6: Windows File Artifacts
Introduction
In the previous chapters, we established the foundational structure of the Windows file system (NTFS) and the legal frameworks governing our investigations. Now, we move into the "bread and butter" of digital forensics: Windows File Artifacts.
An artifact, in the context of digital forensics, is a remnant of data left behind by the operating system or applications as a result of user activity or system processes. Windows is notoriously "noisy"; it tracks nearly everything a user does—files opened, folders navigated, applications executed, and external devices connected—to improve user experience. For the forensic examiner, these convenience features are a goldmine of evidence.
This chapter focuses on identifying, recovering, and analyzing these specific file-based artifacts to reconstruct a user's timeline and activity using standard open-source and free forensic tools.
Learning Objectives
By the end of this chapter, you will be able to:
- Recover and analyze deleted data from the Windows Recycle Bin (interpreting $I and $R files) using tools like RBCmd.
- Reconstruct user activity and file knowledge by parsing Shell Link (.LNK) files and Jump Lists with LECmd and JLECmd.
- Prove application execution and establish timelines by analyzing Prefetch files (.pf) using PECmd.
- Identify deleted visual evidence by recovering and viewing thumbnails from the Windows Thumbcache using Thumbcache Viewer.
- Detect anti-forensics and file system changes by examining NTFS system artifacts ($I30 indices, USN Journal, and MFT timestamps) using MFTECmd and other parsers.
- Build device connection timelines (specifically for USB storage) by analyzing text-based logs like setupapi.dev.log.
6.1 The Recycle Bin and Deleted Files
One of the first places an investigator looks during an analysis is the Recycle Bin. While it may seem obvious, the mechanics of how Windows handles "deleted" files provide critical metadata that simple file carving cannot.
The Deletion Process
When a user "deletes" a file in Windows (without bypassing the Recycle Bin via Shift+Delete), the file is not actually removed from the file system. Instead, it is moved to a hidden system folder named $Recycle.Bin located at the root of the volume (e.g., C:\$Recycle.Bin).
Within this directory, subfolders are created for each user, named according to their unique Security Identifier (SID). This allows an investigator to immediately attribute deleted files to a specific user account.
$I and $R Files
Since Windows Vista, the Recycle Bin utilizes a dual-file system to track deleted items. When a file is sent to the Recycle Bin, the original filename is obfuscated, and two new files are created:
- The $R File (Data): This file contains the actual content (data streams) of the deleted file. It is renamed to start with $R followed by a random alphanumeric string and the original extension (e.g., $R9A8B7.docx).
- The $I File (Metadata): This file corresponds to the $R file (e.g., $I9A8B7.docx) and is significantly smaller (typically 544 bytes). It acts as an index card, containing forensic treasures:
  - Original Filename and Path: Where the file lived before deletion.
  - Deletion Timestamp: The exact moment the file was moved to the Recycle Bin.
  - File Size: The size of the original file.
Forensic Tip: If you find a $R file without its matching $I file, you can still carve the content, but you lose the context of when it was deleted and from where. Conversely, finding an orphaned $I file proves that a specific file existed and was deleted, even if the content is overwritten.
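As an added illustration (example code, not from the chapter and not part of the EZ Tools suite), the following Python parser decodes the $I layout described above and pairs $I/$R names to surface the orphan cases from the Forensic Tip. It generalizes beyond the 544-byte Vista/7 record the chapter cites by also handling the version-2 layout used by Windows 10 and later, which stores a 4-byte character count instead of a fixed 260-character path. The sample records are constructed inside the code, not taken from a real Recycle Bin.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: count of 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I record.

    Layout (little-endian): 8-byte version, 8-byte original file size,
    8-byte FILETIME of deletion, then the original path as UTF-16LE.
    Version 1 (Vista/7/8) stores a fixed 260-character (520-byte) path,
    which gives the 544-byte file; version 2 (Windows 10 and later) stores
    a 4-byte character count first and only as many characters as needed.
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": original_size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def pair_recycle_entries(filenames):
    """Match $I<id>.<ext> with $R<id>.<ext>; return (paired, orphan_i, orphan_r).

    An orphan $I still proves a file existed and was deleted (no content);
    an orphan $R gives content but no deletion time or original path.
    """
    i_ids = {n[2:] for n in filenames if n.startswith("$I")}
    r_ids = {n[2:] for n in filenames if n.startswith("$R")}
    return sorted(i_ids & r_ids), sorted(i_ids - r_ids), sorted(r_ids - i_ids)


def build_dollar_i(version: int, size: int, deleted_at: datetime, path: str) -> bytes:
    """Construct a synthetic $I record for testing (constructed data, not a real artifact)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return head + path.encode("utf-16-le").ljust(520, b"\x00")
    encoded = (path + "\x00").encode("utf-16-le")
    return head + struct.pack("<I", len(path) + 1) + encoded


def demo() -> dict:
    """Build both record versions for one constructed deletion and parse them back."""
    when = datetime(2024, 3, 5, 14, 30, 0, tzinfo=timezone.utc)
    path = r"C:\Users\Suspect\Documents\Confidential.docx"
    out = {}
    for ver in (1, 2):
        blob = build_dollar_i(ver, 123456, when, path)
        rec = parse_dollar_i(blob)
        out[ver] = {"length": len(blob), "path": rec["original_path"],
                    "deleted_at": rec["deleted_at"].isoformat(), "size": rec["original_size"]}
    # Constructed directory listing: one matched pair and one orphan $I.
    out["pairs"] = pair_recycle_entries(["$I9A8B7.docx", "$R9A8B7.docx", "$IZZ001.jpg"])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a real $Recycle.Bin\<SID> folder by reading each $I file's bytes into `parse_dollar_i` and passing the directory listing to `pair_recycle_entries`; the deletion time comes back as UTC, so convert to the machine's local zone before comparing with other artifacts.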
Tool Focus: RBCmd
To parse these artifacts efficiently, we use RBCmd (part of Eric Zimmerman's EZ Tools suite). It parses the $I files to generate a readable CSV report.
Command Line Example:
RBCmd.exe -d "C:\Evidence\RecycleBin" --csv "C:\Reports"
-d: Points to the directory containing the artifacts.
--csv: Specifies the output folder for the report.
What to look for in the output: The generated CSV will clearly list the OriginalFileName, DeletionTime, and FileSize. This allows you to quickly filter for specific file extensions (like .jpg or .docx) that were deleted by the suspect.
6.2 Link Files (.LNK) and Jump Lists
Windows uses "shortcuts" to help users access files quickly. Forensically, these are known as Shell Link files or .LNK files.
Anatomy of a .LNK File
A .LNK file is created automatically by Windows when a user opens a file or document. These artifacts are typically found in the user's Recent folder (C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Recent).
The .LNK file is not the document itself; it is a pointer. However, it embeds metadata about the target file that is invaluable if the target file has been wiped or moved to an encrypted drive. Key attributes include:
- Target File Path: The location of the file being linked to (local or network).
- MAC Times of the Target: The Creation, Modification, and Access timestamps of the target file are stored inside the .LNK file.
- Volume Serial Number: The serial number of the drive where the target file resided. This is critical for proving a suspect accessed files on a specific USB drive.
- Network Share Information: If the file was on a network, the UNC path is recorded.
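To make the attribute list above concrete, here is an added Python example (not code from the chapter or from LECmd) that reads the fixed ShellLinkHeader and the LinkInfo structure of a .LNK file as Microsoft documents them in MS-SHLLINK: the target's creation, access and write FILETIMEs and size from the header, and the drive type, volume serial number, volume label and local base path from the VolumeID inside LinkInfo. The trailing StringData and ExtraData blocks are deliberately not parsed, and the sample link is constructed in the code rather than taken from a real Recent folder.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Shell Link CLSID {00021401-0000-0000-C000-000000000046} as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x1, 0x2   # LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1                 # LinkInfoFlags bit
DRIVE_TYPES = {0: "Unknown", 1: "NoRootDir", 2: "Removable", 3: "Fixed",
               4: "Remote", 5: "CDROM", 6: "RAMDisk"}


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _cstring(data: bytes, offset: int) -> str:
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("cp1252", errors="replace")


def parse_lnk(data: bytes) -> dict:
    """Parse the 76-byte ShellLinkHeader and, when present, LinkInfo + VolumeID."""
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    rec = {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": size,
        "file_attributes": attrs,
    }
    offset = 76
    if flags & HAS_LINK_TARGET_IDLIST:
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + idlist_size                  # skip the shell item ID list
    if flags & HAS_LINK_INFO:
        (li_size, _hdr_size, li_flags, vol_off, base_off,
         _cnrl_off, suffix_off) = struct.unpack_from("<7I", data, offset)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = offset + vol_off
            _vid_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            rec["drive_type"] = DRIVE_TYPES.get(drive_type, f"unknown({drive_type})")
            rec["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            rec["volume_label"] = _cstring(data, vol + label_off)
            rec["local_base_path"] = (_cstring(data, offset + base_off)
                                      + _cstring(data, offset + suffix_off))
        offset += li_size
    return rec


def build_lnk(target, drive_type, serial, label, created, accessed, modified, size):
    """Construct a minimal synthetic .LNK (header + LinkInfo) for testing; not a real artifact."""
    label_b = label.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_b = target.encode("cp1252") + b"\x00"
    suffix_b = b"\x00"
    vol_off = 28                                   # LinkInfo header is 28 bytes
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    li_size = suffix_off + len(suffix_b)
    link_info = struct.pack("<7I", li_size, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_b + suffix_b
    header = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<IIQQQIIIH", HAS_LINK_INFO, 0x20,
                            datetime_to_filetime(created), datetime_to_filetime(accessed),
                            datetime_to_filetime(modified), size, 0, 1, 0)
              + b"\x00" * 10)                      # Reserved1/2/3
    return header + link_info


def demo() -> dict:
    """Constructed link to a document on a removable drive; values are made up."""
    created = datetime(2024, 2, 10, 8, 5, 0, tzinfo=timezone.utc)
    accessed = datetime(2024, 4, 1, 17, 42, 13, tzinfo=timezone.utc)
    blob = build_lnk(r"E:\Confidential.docx", 2, 0x1A2B3C4D, "KINGSTON",
                     created, accessed, created, 48213)
    rec = parse_lnk(blob)
    for key in ("target_created", "target_accessed", "target_modified"):
        rec[key] = rec[key].isoformat()
    return rec


if __name__ == "__main__":
    print(demo())
```

The volume serial is printed in the XXXX-XXXX form that `vol` and `dir` display, which is the value you compare against the serial of a seized drive; a "Removable" drive type together with that serial is the pairing the Analysis Note below describes.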
Tool Focus: LECmd
LECmd (Lnk Explorer Command Line) is the industry standard for parsing LNK files.
Command Line Example:
LECmd.exe -f "C:\Users\Suspect\AppData\Roaming\Microsoft\Windows\Recent\Confidential.lnk"
-f: Analyzes a single file. (Use -d to analyze the whole directory.)
Analysis Note: LECmd will decode the "Structure" of the link, revealing the Drive Type (Fixed, Removable, Network). If the Drive Type is "Removable," look for the Volume Serial Number in the output to match it against physical USB drives found at the scene.
Jump Lists and JLECmd
Jump Lists are collections of LNK streams stored in the AppData folder (AutomaticDestinations). They show "Recent" or "Pinned" files for specific applications.
To parse these, we use JLECmd:
JLECmd.exe -d "C:\Users\Suspect\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv "C:\Reports" --q
- The --q (quiet) flag is often useful to suppress verbose output when processing many files.
This tool is essential for proving intent, as it shows files the user accessed frequently.
6.3 Proof of Execution: Prefetch Files
While .LNK files show us which documents were opened, Prefetch files show us which applications were executed.
What is Prefetch?
The Windows Prefetcher is a memory management feature. When an application is launched, Windows monitors the first 10 seconds of activity (files loaded, DLLs called) and creates a "trace file" in C:\Windows\Prefetch\.
Forensic Value of .pf Files
A Prefetch file is named using the executable name followed by a hash of the file path (e.g., CMD.EXE-0BD30981.pf).
For the examiner, this file answers three critical questions:
- Was the program run? Existence of the file proves execution.
- How many times? The file header contains a "Run Count."
- When was it last run? It stores the timestamp of the last execution (and in Windows 10/11, the last eight execution times).
Tool Focus: PECmd
PECmd is the tool of choice for parsing Prefetch files.
Command Line Example:
PECmd.exe -f "C:\Windows\Prefetch\CRYPT_V1.EXE-1A2B3C4D.pf"
Output Interpretation: The tool will output a "Run Count" and a list of "Last Run" timestamps.
- High Run Count: Indicates habitual use (e.g., a CCleaner tool used daily).
- Run Count = 1: Indicates a single execution (common with malware droppers or one-time wiper tools).
Forensic Tip: PECmd also lists "Files Referenced." This shows every DLL and file the program touched during startup. This is excellent for malware analysis to see what libraries the malicious code loaded.
6.4 Multimedia Artifacts: Thumbnails
In cases involving illicit images (CSAM) or intellectual property theft, suspects often delete the actual image files. However, Windows is helpful enough to keep a backup for us in the form of thumbnails.
Thumbcache
In modern Windows, thumbnails are stored in centralized databases located at C:\Users\[User]\AppData\Local\Microsoft\Windows\Explorer\, named thumbcache_xxxx.db.
Forensic Significance:
- Persistence: When an image is deleted, its thumbnail is not automatically removed from the thumbcache.
- Visual Proof: While you cannot restore the full-resolution image, the resolution in thumbcache_1024.db is often high enough to clearly identify the subject matter.
Tool Focus: Thumbcache Viewer
Unlike the previous command-line tools, thumbnail analysis is visual. We use Thumbcache Viewer (a free, open-source GUI tool).
Usage:
- File -> Load -> Select the thumbcache_xxx.db file.
- The tool displays a list of cached images.
- Clicking an entry displays the image.
- Crucial Step: You can right-click a thumbnail to view the "header" information, which may map the thumbnail back to the original filename and path, linking the picture to the user's "My Pictures" folder.
6.5 NTFS System Artifacts
To go deeper than standard file analysis, we must look at the internal bookkeeping files of the NTFS file system.
The $I30 File (Directory Indices)
The $I30 attribute contains the index of files in a directory. When files are deleted, their entries may remain in the "Index Slack" of this file.
Tool Focus: Active@ Disk Editor / Indx2Csv
Analyzing $I30 often requires a Hex Editor like Active@ Disk Editor (freeware version) to manually inspect the slack space for filenames that shouldn't be there. Alternatively, Indx2Csv (part of some open-source repositories) can attempt to parse these structures. However, manual hex inspection is often required to validate "ghost" entries found in slack space.
The USN Journal ($UsnJrnl)
The USN Journal tracks changes to the volume (File Create, File Delete, etc.).
Tool Focus: UsnJrnl2Csv
We can use a tool like UsnJrnl2Csv or TurnedOnTimesView (NirSoft) to parse the $J data stream. These tools convert the binary log into a spreadsheet, allowing you to sort by timestamp to see exactly what files were created or deleted during the timeframe of the incident.
Timestamp Analysis: $Standard_Information vs $File_Name
Every file in NTFS has two sets of timestamps ($SI and $FN). Discrepancies between them indicate Timestomping.
Tool Focus: MFTECmd
To see both sets of timestamps clearly, we parse the Master File Table (MFT) using MFTECmd.
Command Line Example:
MFTECmd.exe -f "C:\$MFT" --csv "C:\Reports"
In the resulting CSV, compare the columns SI_CreationTime and FN_CreationTime. If SI is significantly earlier than FN (e.g., SI says 2018, FN says 2024), the SI timestamp was likely faked by the user.
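The comparison described above can be automated over the CSV. The Python below is an added example (not code from the chapter or from MFTECmd) that applies two checks to each row: $SI creation earlier than $FN creation, and an $SI timestamp whose 7-digit sub-second part is all zeros while $FN's is not, which is what happens when a file's times are set through an API that only takes whole seconds. The column names follow the chapter's description (SI_CreationTime, FN_CreationTime) and are kept in a map so they can be pointed at whatever names your parser actually emits; the CSV rows are constructed for the example.

```python
import csv
import io
from datetime import datetime

# Column names as the chapter describes them; assumed, remap to your parser's output.
COLUMNS = {"name": "FileName", "si_created": "SI_CreationTime", "fn_created": "FN_CreationTime"}


def parse_ts(value: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff' (NTFS 100-ns fraction) into a datetime."""
    base, _, frac = value.partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0   # keep microsecond precision
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(microsecond=micro)


def subsecond_is_zero(value: str) -> bool:
    """True when the fractional part is absent or entirely zeros."""
    _, _, frac = value.partition(".")
    return frac.strip("0") == ""


def check_row(row: dict, cols=COLUMNS) -> list:
    si_raw, fn_raw = row[cols["si_created"]], row[cols["fn_created"]]
    findings = []
    if parse_ts(si_raw) < parse_ts(fn_raw):
        findings.append("si_before_fn")
    if subsecond_is_zero(si_raw) and not subsecond_is_zero(fn_raw):
        findings.append("si_subsecond_zero")
    return findings


def scan_mft_csv(text: str, cols=COLUMNS) -> dict:
    """Return {filename: [findings]} for every row that trips at least one check."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = check_row(row, cols)
        if findings:
            flagged[row[cols["name"]]] = findings
    return flagged


# Constructed sample rows: one normal file, one with a backdated $SI creation
# time, and one created on an exact second in both attributes (not suspicious).
SAMPLE_CSV = """FileName,SI_CreationTime,FN_CreationTime
report.docx,2024-05-01 09:15:22.1234567,2024-05-01 09:15:22.1234567
dropper.exe,2018-01-01 00:00:00.0000000,2024-05-02 13:47:11.5521034
notes.txt,2024-05-02 08:00:00.0000000,2024-05-02 08:00:00.0000000
"""

if __name__ == "__main__":
    for name, findings in scan_mft_csv(SAMPLE_CSV).items():
        print(f"{name}: {', '.join(findings)}")
```

Treat a hit as a lead, not a conclusion: moving or renaming a file within a volume writes a fresh $FN record, so $SI earlier than $FN also occurs for legitimately moved files, and files restored from archives or backups can carry old $SI times. Cross-check with the USN Journal and Prefetch entries from the same window before calling it timestomping.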
6.6 Log Files and Execution Evidence
Windows Event Logs (.evtx)
The Windows Event Log is often the first place an investigator looks to establish a timeline of activity. Unlike file system artifacts which show us the results of an action (e.g., a deleted file), Event Logs record the action itself as it happened.
These logs are binary files (EVTX format) located in C:\Windows\System32\winevt\Logs\. While there are hundreds of log types, three core logs are essential for forensics:
- Security.evtx: The most critical log. It records authentication (logons), privilege elevation, and auditing success/failure.
- System.evtx: Records service control manager events (e.g., starting/stopping services), driver loads, and USB device insertion events.
- Application.evtx: Records errors and events generated by specific applications (e.g., crash logs or installation events).
Critical Event IDs for Forensics
Searching through millions of events is impossible without knowing what to look for. Below is a table of "high-value" Event IDs that should be in every examiner's filter list.
| Event ID | Log Source | Description | Forensic Significance |
|---|---|---|---|
| 4624 | Security | Successful Logon | Records when a user successfully authenticates. Look closely at the Logon Type field: • Type 2: Interactive (Keyboard/Local) • Type 3: Network (Accessing shared folder/SMB) • Type 10: Remote Interactive (RDP) |
| 4625 | Security | Failed Logon | Records failed authentication attempts. A massive spike in these events (e.g., hundreds in a minute) often indicates a Brute Force or Password Spraying attack. |
| 4672 | Security | Special Privileges Assigned | "Administrator" logon. This event often appears immediately after a 4624 and indicates the user has Admin rights. If you see this for a standard user account, it indicates Privilege Escalation. |
| 4688 | Security | Process Creation | Perhaps the most valuable artifact for malware analysis. It records every time a program (.exe) is executed. It shows the Process Name (what ran) and the Parent Process (what launched it). Note: This must be enabled via Group Policy to be visible. |
| 1102 | Security | Audit Log Cleared | The "Smoking Gun." This event is generated when a user manually clears the Security log to hide their tracks. The event itself records the Account Name of the person who cleared it. |
| 7045 | System | Service Installed | Attackers often install malware as a "Service" so it persists after a reboot. This event logs the Service Name and the Image Path (location of the malware). |
| 4720 | Security | User Account Created | Logs when a new user is added to the system. Attackers frequently create a "backdoor" account to maintain access if their primary exploit is patched. |
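The table's filter list can be turned into a triage pass over exported events. The Python below is an added example (not code from the chapter, EvtxECmd or any NirSoft tool): it takes a list of event records as plain dictionaries with assumed keys (time, log, id, data), applies the rules from the table (RDP logons via Logon Type 10, 4625 bursts inside a sliding one-minute window, 1102 log clears, 7045 service installs, 4720 account creations) and returns time-ordered findings. The events, account names, IP address and threshold are constructed for the example and the threshold is an assumption to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive (RDP)"}


def triage_events(events, burst_threshold=20, window=timedelta(minutes=1)):
    """Apply the chapter's high-value Event ID rules; return findings sorted by time.

    Each event is {"time": datetime, "log": str, "id": int, "data": dict};
    burst_threshold failed logons for one account inside `window` is flagged.
    """
    findings = []
    failed = defaultdict(list)           # target account -> failure timestamps
    for ev in events:
        eid, d, t, log = ev["id"], ev["data"], ev["time"], ev["log"]
        if log == "Security" and eid == 4624 and d.get("LogonType") == 10:
            findings.append({"time": t, "rule": "rdp_logon",
                             "detail": f"{d['TargetUserName']} from {d.get('IpAddress', '?')}"})
        elif log == "Security" and eid == 4625:
            failed[d["TargetUserName"]].append(t)
        elif log == "Security" and eid == 1102:
            findings.append({"time": t, "rule": "audit_log_cleared",
                             "detail": f"cleared by {d['SubjectUserName']}"})
        elif log == "System" and eid == 7045:
            findings.append({"time": t, "rule": "service_installed",
                             "detail": f"{d['ServiceName']} -> {d['ImagePath']}"})
        elif log == "Security" and eid == 4720:
            findings.append({"time": t, "rule": "account_created",
                             "detail": f"{d['TargetUserName']} by {d['SubjectUserName']}"})
    # Sliding window: densest run of failures per account within `window`.
    for user, times in failed.items():
        times.sort()
        best_count, best_start, start = 0, None, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start = end - start + 1, times[start]
        if best_count >= burst_threshold:
            findings.append({"time": best_start, "rule": "failed_logon_burst",
                             "detail": f"{best_count} failures for {user} "
                                       f"within {int(window.total_seconds())}s"})
    return sorted(findings, key=lambda f: f["time"])


def sample_events():
    """Constructed event stream (not real log data) exercising every rule."""
    base = datetime(2024, 6, 1, 2, 13, 0)
    events = [{"time": base - timedelta(hours=8), "log": "Security", "id": 4624,
               "data": {"TargetUserName": "jsmith", "LogonType": 2}}]
    # 25 failed logons against one account in 25 seconds: a burst.
    events += [{"time": base + timedelta(seconds=i), "log": "Security", "id": 4625,
                "data": {"TargetUserName": "administrator", "IpAddress": "203.0.113.7"}}
               for i in range(25)]
    # Three failures hours apart for another user: ordinary typos, not a burst.
    events += [{"time": base - timedelta(hours=h), "log": "Security", "id": 4625,
                "data": {"TargetUserName": "jsmith"}} for h in (1, 3, 5)]
    events += [
        {"time": base + timedelta(seconds=40), "log": "Security", "id": 4624,
         "data": {"TargetUserName": "administrator", "LogonType": 10, "IpAddress": "203.0.113.7"}},
        {"time": base + timedelta(minutes=2), "log": "Security", "id": 4720,
         "data": {"TargetUserName": "svc_backup", "SubjectUserName": "administrator"}},
        {"time": base + timedelta(minutes=3), "log": "System", "id": 7045,
         "data": {"ServiceName": "WinUpdateHelper", "ImagePath": r"C:\ProgramData\wuh.exe"}},
        {"time": base + timedelta(minutes=9), "log": "Security", "id": 1102,
         "data": {"SubjectUserName": "administrator"}},
    ]
    return events


if __name__ == "__main__":
    for f in triage_events(sample_events()):
        print(f"{f['time']:%Y-%m-%d %H:%M:%S}  {f['rule']:<20} {f['detail']}")
```

Reading the sorted output top to bottom gives the sequence the table describes: the failure burst, a successful RDP logon for the same account moments later, a new account, a new service, and finally the audit log being cleared. To use it on real data, map your parser's CSV columns (event ID, channel, timestamp and the payload fields) into the dictionary shape above.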
Tool Focus: Event Log Explorer & EvtxECmd
While the built-in Windows Event Viewer is fine for casual browsing, it is too slow for forensic analysis.
- FullEventLogView (NirSoft): A lightweight, free tool that allows you to view all events from all logs in a single, sortable table. Excellent for quick triage.
- EvtxECmd (Zimmerman): A command-line tool used to parse EVTX files in bulk. It standardizes the data into a CSV format that can be loaded into Timeline Explorer.
- Command:
EvtxECmd.exe -d "C:\Evidence\Logs" --csv "C:\Reports" --csvf "Events.csv"
Device Connection Logs: setupapi.dev.log
When a USB device is connected to a Windows machine, the system must install a driver. This process is logged in plain text in the setupapi.dev.log file, located in C:\Windows\INF\.
Forensic Value:
- First Install Date: Proves the first time a specific USB drive was ever connected to the machine.
- Serial Number: Captures the unique hardware serial number of the USB device.
Tool Focus: USBDeview
Parsing the text log manually is tedious. USBDeview (NirSoft) parses this log (along with Registry keys) to present a unified history of every USB device ever connected, including the "Last Plug/Unplug" timestamps.
Chapter Summary
Windows File Artifacts provide the "who, what, where, and when" of an investigation.
- Who: SIDs in the Recycle Bin and User Profiles identify the actor.
- What: .LNK, Prefetch, and Thumbcache identify the files and apps involved.
- Where: $I30 and ShellBags (registry) show where files were stored.
- When: Setupapi logs, USN Journal, and Event Logs build the timeline.
By using specialized tools like RBCmd, LECmd, PECmd, and Thumbcache Viewer, you move beyond simple observation to forensic validation, producing evidence that stands up in court.