Posts

Showing posts with the label EnCase

Forensic analysis of recently accessed files - LNK (Linklist) analysis

Part of the series (2 of 3) Windows artifact analysis. LNK files, also called link lists in some sources, are created automatically by the Windows operating system when a user interacts with documents, apps and folders. LNK files can also be described as the list of shortcut files shown when the user right-clicks the File Explorer icon on the taskbar, as shown below; these shortcut files are listed based on latest access time and frequency: As we all know, that list is modifiable and limited to a few recently accessed files. So how can LNK files help us from the forensic perspective? Even though the user is able to remove the list shown above, Windows still keeps a trace of those files, and the list is a lot longer than it appears on the taskbar. The complete list of recently accessed files, docs, apps and folders can be found in the "C:\Users\%User%\Recent" location, or simply click Windows, type "run" and enter "recent" in the command window.  La...

Forensic analysis of recently accessed files - jumplist analysis

Part of the series (1 of 3) Windows artifact analysis. When it comes to detecting recently accessed files, Windows offers a wide variety of artifacts that may be helpful in shedding light on forensic investigations. Of the many artifacts that exist for that purpose, one that Windows creates automatically is called the jumplist. Jumplists are system artifacts that are created to keep track of recently accessed files. As those files can be viewed by typing "recent" in the Run command, the list that comes up might be the whole thing. Especially during forensic investigations, it is important to make sure that all the available information is collected completely. For that very reason, all jumplist files must be obtained from the custodian's computer and inspected thoroughly. Two types of jumplist files are created when a user opens a file: an automatic (.automaticDestinations-ms) file and a custom (.customDestinations-ms) file. The main differenc...