1. Open/Save MRU Artifacts:
It acts as a repository for a history of files accessed or saved by users, offering a panoramic view of their digital footprint.
Location in the Registry
To get a glimpse into this trove of information, one need only venture into the registry. The Open/Save MRU key resides at:
Command:-
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
You will find this artifact in C:\Users\User<Name>\NTUSER.DAT
Collect All 3 Artifacts
Crafting a Seamless Forensic Workflow
To craft a seamless forensic workflow, consider the following steps:
KAPE Automation: Leverage the power of KAPE for efficient and automated artifact collection.
Manual Extraction: For those who prefer a more hands-on approach, manual extraction via registry exploration is a viable option.
Forensic Image Considerations: Ensure that the registry hive NTUSER.DAT is part of your forensics image to unlock a comprehensive array of artifacts.
If you using FTK Imager: Simple do this to collect all NTUSER.DAT Hive.
-------------------------------------------------------------------------------------------------------------
2. Email Attachments
The exploration begins by navigating to the user's Outlook data files, a realm rich in potential forensic artifacts.
command :- cd %USERPROFILE%\AppData\Local\Microsoft\Outlook
leads us to the hub where OST and PST files reside. These files, OST (Offline Storage Table) and PST (Personal Storage Table), are the cornerstone of Microsoft Outlook's data storage.
Understanding OST and PST Files
OST Files: Offline Storage Table files facilitate offline access to mailbox data. Cached mode in Outlook relies on OST files to ensure users can seamlessly interact with their mailbox even when offline.
PST Files: Personal Storage Table files serve as local repositories for mailbox data. Users often utilize PST files to store their mailbox data locally, providing a degree of autonomy and control.
Extraction of these files,
the simple yet potent
Command :- copy "OriginalFilename.ost" "DestinationPath"
command proves invaluable. It allows forensic analysts to create copies for analysis without compromising the integrity of the original data.
Analysis Tools: Unveiling the Forensic Arsenal
Forensic analysis of OST and PST files requires specialized tools equipped to navigate the intricate structures of these data repositories. Here are some stalwarts in the forensic arsenal:
FTK (Forensic Toolkit): Renowned for its comprehensive forensic analysis capabilities, FTK is adept at parsing and examining email artifacts, including those stored in OST and PST files.
Encase: A stalwart in digital forensics, EnCase provides a robust platform for dissecting OST and PST files, unraveling the layers of email data with precision.
MailXaminer: Tailored for email forensics, MailXaminer proves to be a versatile tool, offering a range of features to analyze and interpret OST and PST files.
Kernel for OST Viewer: Designed specifically for OST files, this tool provides a streamlined view into the contents of Offline Storage Table files.
-------------------------------------------------------------------------------------------------------------
3. Skype History
To unveil the secrets held within Skype chat history,
command :- C:\Users\<username>\AppData\Roaming\Skype\<skype-name>
serves as our compass. This command directs us to the directory where Skype diligently stores the traces of chat sessions and files exchanged between users.
Forensic investigators armed with the knowledge of Skype's data storage location can navigate the intricacies of chat history. Analyzing these artifacts can reveal a wealth of information, shedding light on communication patterns, shared content, and potentially uncovering crucial details in digital investigations.
Комментарии