File tunnelling is a little-known Windows capability that dates back to the MS-DOS days. In MS-DOS, a "safe save" was done by saving a copy of the modified data to a temp file, deleting the original and then renaming the temp file to the original name whilst also retaining the original file's metadata. Windows NT … Continue reading File tunnelling: weird creation timestamps
Month: March 2012
Windows Shellbags Forensics
There are many weird and wonderful registry entries that I have yet to know about that could contain useful forensics information. One of the most recent that I've learnt about is the shellbag entries. These keys are stored in the user's ntuser.dat file, and store the viewing settings for the user's folders – e.g. the size, position and icon of … Continue reading Windows Shellbags Forensics