12.2 Windows Artifacts Part 2

00:01

Hey, welcome back.

00:03

The local Cities folder is a hidden folder which contains information about the Windows User Profile. Also the fourth locations for temporary files. Historical uses off Internet Explorer as well as Windows Explorer I. Lucas Breaks Man,

00:21

You Sir Stand folder as other information.

00:25

Temporary Internet files are frequent. Focus for forensic examiners. If they contain the Internet, cash were based. Email downloaded. Five on other information.

00:39

The term folder, while noting that's exciting user folder, may provide tremendous information to assist in an examination.

00:49

As many applications create on mountain low fives in this folder,

00:55

we will just x p.

00:57

This folder is located at sea. You search user name local settings

01:03

in Windows Vista seven. On more recent versions, the local faith is is a junction point or Ah, here, unprotected operating system file. There is no man's to be accessed by the uses.

01:18

It closed toe Use Accessible folder. Article in destination. See you searched. Use the name of data local.

01:29

My documents on documents are Microsoft Windows. Folders that store computer documents on other five associate with programs on the computer,

01:40

for example, will save in a file in Microsoft Ward that a full folder East. My documents. Saving all your files in today in my Documents folder makes them easier to back up and locate

01:53

irreversible off Windows referred to the folder that whole suit documents asked my documents.

02:00

However, all of the recent variations off Windows now refer to this folder asked documents as though they have different names. They are the same folder

02:13

in early versions off Microsoft Windows. The My Documents folder could be fine on the deck. Stop by the fault,

02:22

however, we must be starting with conversions. Disabled This feature by the Fault,

02:28

the recent Ireland's folder, previously called Recent Documents in Window six Speak,

02:35

is used by Windows to record what documents have been opened.

02:39

The list is displayed in the We'll Start Menu, either under the reasons, items, meaning

02:46

or when you Hoover over applications this link. Five appear to the user when they access the recent documents on By the fall, they will see a maximum off 15 entries,

03:00

a new entry with the users and to you, Sir, that that's raised three haIf dictates the selected entries

03:08

whenever a user opens a document a link file. If created in the recent folder located in the route User folder effect for Windows Vista on Beyond where it is located in the past. See you search user name

03:25

data roaming Microsoft Windows Recent,

03:31

the user is unaware that this file is being created or money fight.

03:38

If the same document in the same location is later reopens, the link file is updated with the target files. Updated information.

03:50

They fell to fish. You has been around since we lost 98 providing a convenient way for Windows. Users toe easily perform simple file operations and sacrifice or folders to other locations. So she has the deck stuff on documents folder. Surprise applications,

04:10

Uneven floor, the drive

04:12

or they're isis via Bluetooth or CD or DVD writers.

04:16

A few the four locations are provided, such as compressed or seats. Fold their deck. Stop the humans fax recipient mains Recipients on attached rice that you can send

04:30

on. These options would likely grow after they're starting to serve our applications.

04:36

Entries for just the storm drives on Similar media will not Percy's in this folder, as they're only available on an operating computer with immediate inserted

04:48

examiners will need to examine. They used the store key with the system registry highs to the tournament. They used the storage devices that have been attached to your computer.

05:01

We will see these in the next month.

05:03

Willow's Ex speak It's easy to get this folder are still is find at sea Documents on settings. You certainly on sale, too.

05:13

Investor on recent versions. Will you navigate to see uses use early.

05:18

You'll see several shortcuts like the same too. Sure could, but you won't be able to access any of them.

05:26

Those are junction points. The Rial Center folder is relocated to see you search you, sir. Lane up Data Rami, My cross off with needles under Defend to Folder,

05:42

then Microsoft Windows Start Training is the primary location in Windows to locate a start programs and find any files or folders

05:53

by the falls. The start blue is accessed by Creaking Start, which has the window struggle

06:00

on is located in the bottom left corner on the windows. Next stop scream.

06:05

We lost eight on Windows 8.1. The start menu was replaced by the start screen. The start menu returned with this time.

06:15

This allow the system to this place specific items for each user that accesses the system. Just as with the Dexter folder Examiners News. Consult the Star menu for all the use, their kinds to gain a more complete view

06:32

off the items available to the user account under investigation.

06:38

The Understand the left hand side off the star. Many is made up off two main sources off circles.

06:46

Where is the user's profile location. This is pulled for a little full user profile

06:51

under Surber, where the profile is created.

06:56

The other one is that Carmen users a star meaning directory.

07:00

This location is also the area where the tiles are pulled from one defining a Houston start Main. You lay out the start menu will combine our results from both off this location on display a single full. They're dead aggregation

07:17

off all charcoal in all four restructures below these directories.

07:26

Okay, here's a quick question.

07:28

Which artifact is used by Windows to record what the humans have Bean opened.

07:34

You took a start being you

07:36

or be sent to. Or maybe see my documents or the recent.

07:45

The correct answer here is the

07:46

the Star. Many is the primary locations in Windows to locate the stark programs and find any fights or folders

07:56

saying to refers to Feist that were sent to location socials. They stop and look Miss folder, third party applications and even to other drive or devices.

08:07

My documents for documents store computer documents on Orefice associate with programs on the computer

08:18

to sum up with this operating system creates multiple artifacts. As a result, off use activity on the computer system when properly identified. Process on analyzed. These artifacts helped the forensic examiner

08:33

in the terminal in the use of activities that have taken place in the system

08:37

as we left the Thailand or such activity on frequency off the activity.

08:43

This information also helps in reconstructing a specific activity or security incident

08:50

that's useful. Don't forget to check the share Francis for more information Or do you have any question?