File tunnelling: weird creation timestamps

March 26, 2012August 11, 2021 ~ lowmanio ~ Leave a comment

File tunnelling is a little known Windows capability that stems back from MSDOS days. In MSDOS, a ‘safe save’ was done by saving a copy of the modified data to a temp file, deleting the original and then renaming the temp file to the original name whilst also retaining the original files metadata. Windows NT … Continue reading File tunnelling: weird creation timestamps

Windows Shellbags Forensics

March 3, 2012December 24, 2020 ~ lowmanio ~ Leave a comment

There are many weird and wonderful registry entries that I have yet to know about that could contain useful forensics information. One of the most recent that I’ve learnt about are the shellbag entries. These keys are stored in the users ntuser.dat file, and store the viewing settings for users folders – e.g. the size, position and icon of … Continue reading Windows Shellbags Forensics