File tunnelling: weird creation timestamps
File tunnelling is a little-known Windows capability that dates back to the MS-DOS days. In MS-DOS, a "safe save" was done by saving a copy of the modified data to a temp file, deleting the original and then renaming the temp file to the original name, whilst also retaining the original file's metadata. Windows NT …
Tag: windows forensics
Windows Shellbags Forensics
There are many weird and wonderful registry entries that I have yet to know about that could contain useful forensic information. One of the most recent that I've learnt about are the shellbag entries. These keys are stored in the user's ntuser.dat file, and store the viewing settings for the user's folders, e.g. the size, position and icon of …
Windows cookies
Windows released a security update on the 9th August which means that cookies are no longer stored in the usual <username>@<service>.txt, but are now named with a random set of 8 alphanumeric characters, e.g. A1B2C3D4.txt. It seems this has broken a lot of software, especially software that deletes cookies, as it probably relies on the fact that cookies had a very conventional …
Windows 7 Recycle Bin Forensics
When you look at your recycle bin folder, Windows shows you all the files you've deleted in a user-friendly format, i.e. the name of the file you originally deleted and when it was deleted. The operating system does quite a bit of work for you, as the actual files within your recycle bin …