12.1 Windows Artifacts Part 1

00:00

Hello, well comfortable 12. The window system stores different types off evidence they control the user's activity on the computer systems. Most off the forensic investigations would revolve around traditional areas. So shall user created or use our protected data like active or delay of five

00:20

bus works.

00:21

It's great that files among olders but nor around nontraditional areas such as system created data or artifacts.

00:31

Artifacts are objects or areas within a computer system that whole important information relevant to the activities performed on the computer by the user.

00:42

The location on type of information contained in the artifacts differs from one operating system to another.

00:49

These artifacts have to be identified properly. Process on information contained in there has to be analysed, toe proof or this process on observation made during the forensic analysis.

01:00

However, absence of information in a particular artifact doesn't mean that this did not occur in the computer system.

01:10

They're in multiple artifacts in a window's environment that serves as important evidence. In the forensic analysis off StarMedia,

01:18

we have seen it produced models. Some of this in just such as the windows profess the right history. We're still points are sore this morning, We're analyzing the folder structure on a windows upgrade your sister. This can provide important evidence. So if you want to analyze some of the windows Seychelles,

01:37

your first post this video

01:38

have you the previous models.

01:42

We know spreading system creates multiple artifacts because officer TV on the computer system. When a user looks on for the first time, a series off folders files are created on that computer. In a way, there is trust parents to the user.

01:59

This folder structure is created whether the person looks on luckily, or attempt a case through a network.

02:06

On interesting thing about this process is that the user's root folder off their structure is named after the person's use her name.

02:15

Well, not lt 2000. Expedient to those sultry on Vista, all store these folders in different places.

02:23

When those 2000 expecto sentry is stored information in C document and settings

02:30

windows lt distorts tendency. Will Auntie pra fais on Willis the starry some very sense. It starts in the folder. You see users

02:42

they account for all users is one that should be included in all examinations.

02:47

As this account is accessible to all on holds global information. The root folder for a user also contains anti user does that, which is a key file mentioned in previous various the anti user does that is updated by the Veridian system. When I used to look out,

03:07

therefore,

03:08

it's last return. Town can be used to possible determine when the user last looked out.

03:15

Okay, here's a quick question for you.

03:19

Where's the users who folded, located in modern versus off windows? Is it a C documents on settings or B C Will NT pra fires or C C users or probably D C NT users?

03:38

If you said see you're correct.

03:40

A is a location for Williams to south on Expedia. Onto the tree

03:45

be represents the folder word that Window's NT store. The user's data. Andi is not a real sister folder.

03:53

When does the stuff on recent versions stores the uses data? You see users. Now let's analyze some of the artifacts.

04:02

The application data or update a folder contains they created by protests. Almost every program you still create is unfolding in up data on the stores. Information there,

04:15

Invista moments and very sprints off Windows de Application Data Folder, Hospital Place with our folder named up data. The AFT later forced their size in the user folder, which is the same location. The contents documents music on order like very folders.

04:33

Normally, this is something social, sexy user. Use her name up data, but like those folders up data is healing, which means you can't normally see it.

04:46

The Windows Address book is located within the folder found within this area,

04:50

a least off recently accessed files created or open through only Microsoft Office application is maintained under application. Daya Microsoft Office Re Sent folder

05:03

If you're using an older person off our look,

05:06

that brutal stada is probably in update as well.

05:12

A cookie is a small piece off data sent by a server toe. A browser on stored on the uses computer while the user is Rosie

05:21

Cookies are produced a shared between the Brosa under server using the STD Ba heather.

05:29

It allows server store under trees later from the clients. It is stored in a fire on the tri inside on the maximum size off cookie that can be stored is limited upto for killer vice in anywhere. Brosa

05:45

Internet site typically store cookies from local computers to allow identification off the user on subsequent visits.

05:53

Cookies can be not allowed by the user but are mostly accepted. The overuse value to forensic analysis is to be able to gain an insight to the size they use services.

06:04

Days, sometimes off the visit, are also useful.

06:08

Forest us Will You Open? You took on search for pop songs. This will get saved in your grocer's history. Now, the next time you go toe to toe in the grocer, the cookies read your browsing history, and you will be recommended. More pop songs

06:24

in older versions of Windows. The Cookies folder is located in the Road User folder

06:30

with this Beast. Our recent versions because cookies followed the user in our domain. The Cookies folder is found at sea. You, sir, User name. After data roaming Microsoft, we lose cookies

06:46

on windows. The next stop is the location, which occupies the whole screen area that you see after you sign into your user account.

06:56

He can store Sure could tow anything as well as five folders

07:01

finds you see on the deck stop are stored in a special folder in the user profile.

07:08

All the fires present on the deck stop off a user are stored in the Dexter folder off the braiding sister. Deeply, the death star is populated either by the user or buy programs that automatically create five I'm placed in on the desktop.

07:24

The old user's desktop should also be examined to see what I come for Global on what once are specific to the user

07:32

in more Windows versions in Turin, Windows 10 All You first folder has been replaced by a folder called Public the Dexter Fold. Their contents are stored in two locations.

07:46

One is the common Dex Stop located in the full there. See you, sirs Bolic deck stop on the other one is a special folder in the current user's profile.

07:57

You see you thirst username on destiny.

08:01

Windows shows the content off both folders in a single view.

08:07

The favourites fold. They're found in Windows provides the user on easy way to organize on launch the folders that they used often

08:16

the favourites fold there was introduced in Greendale, seven on continues and Windows eight More recent versus displayed in the left side. Bar Favors provides easy access to popular locations within the Explorer.

08:30

This folder contains favourites for Internet Explorer

08:33

Intimate size that I use service is frequently are typically found in this folder.

08:39

Examiners should be aware that some scripts contain with S T. M L Vegas can populate entries with this folder without the use is consent.

08:50

Why the majority of entries are due to the action off. The user's additional examination may be required to confirm the origin

09:00

by default. We know stores the user's personal favorites folder in the user's account folder

09:07

More window So pretty insistent stores favorites in See You, sir, You, sir Noon favourites.