Windows System Artifacts PDF
2012
Summary
This chapter from "The Basics of Digital Forensics" provides an introduction to Windows system artifacts for forensic examiners. It covers finding deleted data, hibernation files, examining the Windows Registry, print spooling evidence, and metadata. It also details how to examine prefetch items, link files, and the registry structure. The text provides insight into crucial aspects of digital forensics.
Full Transcript
CHAPTER 5 Windows System Artifacts

Information in This Chapter:
Finding Deleted Data
Hibernation Files
Examining the Windows Registry
Print Spooling Evidence
Recycle Bin Operation
Metadata: What It Is and How It’s Used
Thumbnail Images as Evidence
Most Recently Used Lists: How They’re Created and Their Forensic Value
Working with Restore Points and Shadow Copies
Examining Prefetch and Link Files

INTRODUCTION

Many say that the eyes are the window to the soul, but for the forensic examiner, Windows can be the “soul” of the computer. The odds are high that examiners will encounter the Windows operating system more times than not when conducting an investigation. The good news for us is that we can use Windows itself as a tool to recover data and track the footprints left behind by the user. Because of this, it is imperative that examiners have an extensive understanding of the Windows operating system and all of its functions.

Love it or hate it, it’s a Windows world. With about 90% (Brodkin, 2011) of the desktop market share, a forensic examiner will face a Windows machine the majority of the time. Getting cozy with Windows is an absolute necessity in this line of work. In the course of using Windows and its multitude of compatible applications, users will leave artifacts or footprints scattered throughout the machine. As you can imagine, this is pretty handy from an investigative perspective. These artifacts are often located in unfamiliar or “hard to reach” places. Even a savvy individual, bent on covering their tracks, can miss some of these buried forensic treasures. The forensic challenge is to identify, preserve, collect, and interpret this evidence correctly. In this chapter, we’ll take a closer look at many of these artifacts, their purpose, and their forensic significance.

The Basics of Digital Forensics. DOI: 10.1016/B978-1-59749-661-2.00005-X © 2012 Elsevier, Inc. All rights reserved.
DELETED DATA

For the average user, hitting the delete key provides a satisfying sense of security. With the click of a mouse, we think our data are forever obliterated, never again to see the light of day. Think again. We know from Chapter 2 that, contrary to what many folks believe, hitting the delete key doesn’t do anything to the data itself. The file hasn’t gone anywhere. “Deleting” a file only tells the computer that the space occupied by that file is available if the computer needs it. The deleted data will remain until another file is written over it. This can take quite some time, if it’s done at all.

MORE ADVANCED: File Carving

The unallocated space on a hard drive can contain valuable evidence. Extracting this data is no simple task. The process is known as file carving and can be done manually or with the help of a tool. As you might imagine, tools can greatly speed up the process. Files are identified in the unallocated space by certain unique characteristics. File headers and footers are common examples of these characteristics or signatures. Headers and footers can be used to identify the file as well as to mark its beginning and end.

Allocated space refers to the data that the computer is using and keeping tabs on. These are all the files that we can see and open in Windows. The computer’s file system monitors these files and records a variety of information about them. For example, the file system tracks and records the date and time a particular file was last modified, accessed, and created. We’ll revisit this kind of information when we talk about metadata later in this chapter.

HIBERNATION FILE (HIBERFILE.SYS)

Computers sometimes need their rest and can nap just like we do. Through this “cybernap” process, more potential evidence can be generated, depending on how “deep” the PC goes to sleep. “Deep sleep” modes like hibernation and hybrid sleep save data to the hard drive as opposed to just holding it in RAM (like “sleep”).
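The file-carving sidebar above describes locating files in unallocated space by their header and footer signatures. As an added example that is not part of the book, here is a small signature carver in Python; the JPEG, PNG and PDF signatures are the real ones, and the buffer it scans is constructed to contain two complete files and one partially overwritten one:

```python
"""Signature-based file carving, as the File Carving sidebar describes it.

Added example, not code from the book: scan a buffer of raw
'unallocated space' for known file headers, then look for the matching
footer to find where each file ends. The signatures are the real ones
for JPEG, PNG and PDF; the sample buffer is constructed below.
"""
from dataclasses import dataclass

# kind -> (header bytes, footer bytes)
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAEB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass
class CarvedFile:
    kind: str       # "jpg", "png", "pdf", plus "(truncated)" if no footer was found
    offset: int     # byte offset of the header within the scanned buffer
    data: bytes     # the carved bytes, header through footer


def carve(buf: bytes, max_size: int = 50_000_000) -> list[CarvedFile]:
    """Return every header/footer-delimited file found in buf, ordered by offset.

    A header with no footer within max_size bytes is still reported, marked
    truncated: deleted files in unallocated space are often partially
    overwritten, and a partial file can still be evidence. Taking the first
    footer is the simple approach; a JPEG with an embedded thumbnail, for
    example, carries an inner FF D9 and needs structure-aware parsing to be
    carved whole.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = buf.find(header)
        while pos != -1:
            end = buf.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append(CarvedFile(kind + "(truncated)", pos, buf[pos:pos + max_size]))
                next_from = pos + len(header)
            else:
                end += len(footer)
                found.append(CarvedFile(kind, pos, buf[pos:end]))
                next_from = end
            pos = buf.find(header, next_from)
    found.sort(key=lambda f: f.offset)
    return found


def sample_unallocated() -> bytes:
    """Constructed 'unallocated space': filler bytes around three deleted files."""
    filler = b"\x00" * 64 + b"OLD TEXT FRAGMENT " * 4
    jpg = b"\xFF\xD8\xFF\xE0" + b"JFIF-body" + b"\xFF\xD9"                # complete
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR..." + b"IEND\xAEB`\x82"           # complete
    pdf = b"%PDF-1.4 body whose tail was overwritten, so no EOF marker"  # partial
    return filler + jpg + filler + png + filler + pdf + filler


def carve_report(buf: bytes) -> list[tuple[str, int, int]]:
    """(kind, offset, size) for each carved file: the form an examiner would log."""
    return [(f.kind, f.offset, len(f.data)) for f in carve(buf)]


if __name__ == "__main__":
    for kind, offset, size in carve_report(sample_unallocated()):
        print(f"{kind:15s} offset={offset:6d} size={size}")
```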
As we know, data written to the drive itself are more persistent and can be recovered. It’s possible that files deleted by a suspect could still be found here. How? Let’s say that the suspect is working on an incriminating document on Monday. She has to step away for a while to make a phone call. She puts the laptop into hibernation mode, which causes the computer to save everything she is doing to the hard drive. When she returns forty-five minutes later and brings the laptop back up, everything is just like she left it, including the incriminating document.

Generally, a computer can go into three different modes or states when it sleeps. Those modes are: sleep, hibernation, and hybrid sleep (Microsoft Corporation). The different modes are intended to conserve power and can vary from laptop to desktop.

Sleep

Sleep mode is intended to conserve energy but is also intended to get the computer back into operation as quickly as possible. Microsoft compares this state to “pausing a DVD player” (Microsoft Corporation; TechTarget). Here, a small amount of power is continuously applied to the RAM, keeping those data intact. Remember, RAM is considered volatile memory, meaning that the data disappear when power is removed. Sleep mode doesn’t do much for us forensically because all the data remain in the RAM.

Hibernation

Hibernation is also a power-saving mode but is intended for laptops rather than desktops. It is here that we start to see some potential investigative benefit. In this mode, all of the data in RAM are written to the hard drive, which, as we know, is much harder to get rid of.

Hybrid Sleep

As the name implies, hybrid sleep is a blend of the previous two modes and is intended mainly for desktops. It keeps a minimal amount of power applied to your RAM (preserving your data and applications) and writes the data to disk. Like the page file, suspects bent on destroying evidence can overlook these hibernation files.
Pedophiles or corporate crooks will often attempt to avoid detection by deleting or destroying evidence on their hard drive as the investigation closes in around them. These hibernation files, unknown to most users, are often missed during these last-minute “delete-a-thons.”

REGISTRY

The Windows Registry plays a crucial role in the operation of a PC. Microsoft’s TechNet defines the registry as “simply a database for configuration files.” You could also describe it as the computer’s central nervous system. In that context, you can see just how critical the registry is to the Windows computer. The registry keeps track of user and system configuration and preferences, which is no simple task. From a forensic standpoint, it can provide an abundance of potential evidence. Many of the artifacts we look for are kept in the registry. Some of the potential evidence could include search terms, programs that were run or installed, web addresses, files that have been recently opened, and so on.

Registry Structure

The registry is set up in a tree structure similar to the directories, folders, and files you’re used to working with in Windows. The registry is broken into four tiers or levels. Inspecting the registry is something that is done in nearly every forensic examination. Looking at the registry requires a tool that can translate this information into something we can understand. Two of the major multipurpose forensic tools, EnCase and FTK, do just that. As a key repository of critical system information, the registry could contain quite a bit of evidence. As an added bonus, the Registry can also hold the information we need to break any encrypted files we find.

FROM THE CASE FILES: THE WINDOWS REGISTRY

The Windows Registry helped law enforcement officials in Houston, Texas crack a credit card case. In this case, the suspect’s stolen credit card numbers were used to purchase items from the Internet.
The two suspects in this case, a married couple, were arrested after a controlled drop of merchandise ordered from the Internet. Examination of the computer’s NTUSER.DAT, Registry, and Protected Storage System Provider information found a listing of multiple other names, addresses, and credit card numbers that were being used online to purchase items. After further investigation, investigators discovered that these too were being used illegally without the owners’ consent. The information recovered from the registry was enough to obtain additional search warrants. These extra searches netted the arrest of 22 individuals and led to the recovery of over $100,000 of illegally purchased merchandise. Ultimately, all of the suspects pleaded guilty to organized crime charges and were sentenced to jail time.

FROM THE CASE FILES: THE WINDOWS REGISTRY AND USBSTOR

In a small town outside of Austin, Texas, guests at a local hotel called police after observing an individual at the hotel who was roaming mostly naked and appearing somewhat intoxicated. When the police arrived, they found the individual and determined he was staying at the hotel. They accompanied him back to his room and were surprised by what they found. When the door opened, they discovered another individual in the room and a picture of child pornography being projected on the wall. The projector was attached to a laptop. Two external hard drives were found lying next to the laptop. The unexpected occupant said that the laptop was his but that the two external drives belonged to the other gentleman and had never been connected to his laptop. All of the equipment was seized and sent for examination. Forensic clones were made of the laptop and both external drives. The initial examination of the external drives found both still images and movies of child pornography. Next, examiners wanted to determine if either of those drives had ever been connected to the laptop.
The system registry file of the laptop was searched for entries in the USBStor key. Listings for external hard drives were discovered along with the hardware serial numbers from both external hard drives. Next, examiners sought to validate their results. Using a lab computer system with a clean installation of Windows, they connected the defendant’s external drives to the lab system. A write blocker was connected between the drives and the system to prevent any changes or modifications to the clones of the external drives. The lab computer’s system registry file was then examined, and the USBStor keys showed the same external hard drive listings as the suspect’s, with matching hardware serial numbers. These results proved that the suspect’s external hard drives had in fact been hooked to the laptop at one time. The suspect was eventually convicted of possession of child pornography.

Attribution

Digital forensics can be used to answer many questions, such as: what terms were searched using Google? We can find that. Did Bob type those terms? Houston, we’ve got a problem. Unfortunately, we can rarely put someone’s sticky fingers on the keyboard when a particular artifact is created. We may need to uncover other evidence in order to connect those dots. Tracking something back to a specific user account or identifying the registered owner of the system is a much easier task. A single PC can have multiple user accounts set up on the machine. In a technical sense, user accounts establish what that specific user can and can’t do on the computer (Microsoft Corporation). A PC will set up two accounts by default, the administrator and a guest account. Other accounts may be created, but they are not required. The administrator has all rights and privileges on the machine. They can do anything. A guest account (which doesn’t require any login) generally has less authority. For example, a family PC could have separate accounts for mom, dad, and each of the kids.
Each of these accounts could be password-protected. Each account on the machine is assigned a unique number called a security identifier or SID. Many actions on the computer are associated with, and tracked by, a specific SID. It’s through the SID that we can tie an account to some particular action or event.

External Drives

Information has value, sometimes substantial value. They don’t keep the formula for Coke under lock and key for grins. Theft of intellectual property is a huge concern. One way that would-be thieves could easily smuggle data out of an organization is by way of one of these external storage devices, such as a thumb drive. As a result, examiners are often asked to determine whether any such device has been attached to a computer. These devices can take a variety of forms, such as thumb drives or external hard drives. In addition to stealing information, these devices can also be used to inject a virus or store child pornography. Whether or not such a device was attached can be determined by data contained in the registry. The registry records this kind of information with a significant amount of detail. It tells us both the vendor and the serial number of the device.

PRINT SPOOLING

In some investigations, a suspect’s printing activities may be relevant. As you might expect, printing can also leave some tracks for us to follow. You’ve probably noticed that there’s a bit of a delay after you click Print. This delay is an indication of a process called spooling. Essentially, spooling temporarily stores the print job until it can be printed at a time that is more convenient for the printer (TechTarget). During this spooling procedure, Windows creates a pair of complementary files. One is the Enhanced Meta File (EMF), which is an image of the document to be printed. The other is the spool file, which contains information about the print job itself. There is one of each for every print job.
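The USBStor lookup in the case file above and the External Drives section (vendor and serial number of every attached device), together with the “NukeOnDelete” recycle-bin bypass value that the chapter discusses later, can be checked mechanically. This is an added example, not code from the book or from any forensic tool: it reads text in the format that Windows’ reg export writes, as a stand-in for the offline hive an examiner would normally load, and the export, device names, volume GUID and key paths below are constructed or assumed, not taken from the chapter:

```python
"""Two registry checks from this chapter, run over 'reg export' text:
which USB storage devices have been attached (USBSTOR: vendor, product,
serial number) and whether the recycle bin is bypassed (NukeOnDelete = 1).

Added example, not code from the book. Key paths are the usual ones as I
know them (assumed): USBSTOR under SYSTEM\\ControlSet###\\Enum, and
NukeOnDelete under a BitBucket key (HKLM\\...\\Explorer\\BitBucket on XP,
HKCU\\...\\Explorer\\BitBucket\\Volume\\{GUID} on Vista and later).
The sample export is constructed. A real export is UTF-16 text; open it
with encoding="utf-16" before passing it to parse_reg_export().
"""
import re
from dataclasses import dataclass

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\4C530001230405060708&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport_0748&Rev_1019\6&2a1b3c4d&0]
"FriendlyName"="WD My Passport 0748 USB Device"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{4f2e1a9b-0000-0000-0000-000000000000}]
"NukeOnDelete"=dword:00000001
"""


@dataclass
class UsbDevice:
    device_type: str            # "Disk", "CdRom", ...
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_generated: bool   # '&' as 2nd char: Windows made the ID up, device reported no serial
    friendly_name: str


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Map each [key path] to its "name"=value pairs (values kept raw)."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line.partition('"=')
            keys[current][name[1:]] = value
    return keys


_DEVICE_KEY = re.compile(r"^(?P<type>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>.*)$")


def usb_device_history(keys: dict[str, dict[str, str]]) -> list[UsbDevice]:
    """Every device instance under any ...\\Enum\\USBSTOR key."""
    devices = []
    for path, values in keys.items():
        parts = path.split("\\")
        if "USBSTOR" not in parts:
            continue
        i = parts.index("USBSTOR")
        if len(parts) != i + 3:          # need USBSTOR\<device id>\<instance id>
            continue
        m = _DEVICE_KEY.match(parts[i + 1])
        if not m:
            continue
        instance = parts[i + 2]
        devices.append(UsbDevice(
            device_type=m["type"], vendor=m["ven"], product=m["prod"], revision=m["rev"],
            serial=instance.rsplit("&", 1)[0],      # drop the trailing "&0" instance suffix
            serial_is_generated=len(instance) > 1 and instance[1] == "&",
            friendly_name=values.get("FriendlyName", "").strip('"'),
        ))
    return devices


def recycle_bin_bypassed(keys: dict[str, dict[str, str]]) -> list[str]:
    """Key paths under a BitBucket key where NukeOnDelete is set to 1."""
    hits = []
    for path, values in keys.items():
        if "\\BitBucket" not in path:
            continue
        raw = values.get("NukeOnDelete", "")
        if raw.lower().startswith("dword:") and int(raw[6:], 16) == 1:
            hits.append(path)
    return hits


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for dev in usb_device_history(parsed):
        print(dev)
    print("recycle bin bypassed at:", recycle_bin_bypassed(parsed))
```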
What kind of information can we recover from the spool file? The spool file (.spl) tells us things like the printer name and computer name, as well as the user account that sent the job to the printer. Either or both of these files may have evidentiary value. The problem is they don’t stick around long. In fact, they are normally deleted automatically after the print job is finished. However, there are a few exceptions. The first exception occurs if there is some kind of problem and the document didn’t print. The second is that the computer that is initiating the print job may be set up to retain a copy. Some companies may find this setup appealing if they have some reason to hang onto a copy. Spool and EMF files can be used to directly connect targets to their crimes. Copies of extortion letters, forged contracts, stolen client lists, and maps to body dump sites are but a few pieces of evidentiary gold potentially mined from their computers.

RECYCLE BIN

The “trash can” has been a familiar presence on our computer desktops starting with the early Macintosh systems. It’s a really good idea, especially from the casual user’s perspective. Users may not understand sectors and bytes, but most everyone “gets” the trash can. Sometimes, though, the trash can “gets” them. This is especially true when they count on the trash can to erase their evidence. They assume that their incriminating data have disappeared into a digital “Bermuda Triangle,” never again to see the light of day. Unlike Amelia Earhart, that’s definitely not the case. Using forensic tools such as Forensic Toolkit and EnCase, we can quite often bring those files back in mint condition.

ALERT! Recycle Bin Function

Here’s a quick question. Where is a file moved when it’s deleted? I bet some of you said the recycle bin. That would make the most sense. I mean, that’s where we put the unwanted files, right? But it would also be wrong. When you delete a file, it’s moved to … wait for it … nowhere.
The file itself stays exactly where it was. It’s a common notion that when deleted, the file is actually picked up and moved to the recycle bin. That’s not the case.

Unwanted files can be moved to the recycle bin a few different ways. They can be moved from a menu item or by dragging and dropping the file to the recycle bin. Finally, you can right-click on an item and choose Delete. The benefit of putting files into the recycle bin is that we can dig through it and pull our files back out. I’ve worked in places where digging through office trash can be a pretty hazardous undertaking. Fortunately, things aren’t nearly as dicey on our computers. As long as our files are still “in the can,” we can get them back. However, emptying the recycle bin (i.e., “taking out the trash”) makes recovery pretty much impossible for the average user.

Not everything that’s deleted passes through the recycle bin. A user can actually bypass the bin altogether. Bypassing can be done a couple of ways. First, if you press Shift+Delete, the file will go straight to unallocated space without ever going through the recycle bin. You can also configure your machine to bypass the recycle bin altogether. Your deleted files won’t even brush the sides of the recycle bin.

The recycle bin is obviously one of the first places that examiners look for potential evidence. The first instinct suspects have is to get rid of any and every incriminating file on their computer. Not fully understanding how their computer works, they put all their faith in the recycle bin. Now you know that’s a bad move. Lucky for us, many folks still don’t recognize how misplaced their faith is. As a result, the recycle bin is a great place to look for all kinds of potentially incriminating files.

MORE ADVANCED: Recycle Bin Bypass

If an examiner suspects that the system has been set to bypass the recycle bin, the first thing they would check would be the registry.
The “NukeOnDelete” value would be set to “1,” indicating that this function had been switched on. (See Figure 5.1.)

FIGURE 5.1 The recycle bin bypass option.

METADATA

Metadata is most often defined as data about data. Odds are you’ve come across metadata at some point. You may not have known that’s what you were looking at. There are two flavors of metadata, if you will: application and file system. Remember, the file system keeps track of our files and folders as well as some information about them. File system metadata include the date and time a file or folder was created, accessed, or modified. If you right-click on a file and choose “Properties,” you can see these date/time stamps, as shown in Figure 5.2. Although this information can prove quite valuable to an investigation, we must keep in mind that all these date/time stamps may not be what they seem. One problem is that the system’s clock can be changed by the user. Time zone differences can also cause some issues. Let’s take a little closer look at the created, accessed, and modified date/time stamps.

FIGURE 5.2 Metadata information as seen after right-clicking on the file and choosing “Properties.” Note the created, modified, and accessed dates and times.

Created—The created date/time stamp frequently indicates when a file or folder was created on a particular piece of media, such as a hard drive (Casey, 2009). How the file got there makes a difference. By and large, a file can be saved, copied, cut and pasted, or dragged and dropped.

Modified—The modified date and time are set when a file is altered in any way and then saved (Casey, 2009).

Accessed—This date/time stamp is updated whenever a file is accessed by the file system. Accessed does not mean the same thing as opened. You may be asking how a file can be accessed without being opened, and that’s a good question.
You see, the computer itself can interact with the files. Antivirus scans and other preset events are just two examples of this automated interaction.

ALERT! Date and Time Stamps

System date and time stamps should NOT be taken simply at face value. These settings are readily accessible and can be easily changed. Determining an accurate timeline can be further complicated if the case involves more than one time zone. Just because the metadata say a file was created at a certain date and time doesn’t necessarily make it so.

Applications themselves can create and store metadata as well. Like the file system, they can track the created, accessed, and modified dates and times. But it doesn’t stop there. They can also track a variety of application-specific attributes as well. Examples could include the name of the author, the name of the company or organization, and the computer name, just to name a few (Casey, 2009).

Removing Metadata

Although metadata used to be one of our best-kept secrets, it’s not any more. The criminals aren’t the only ones taking notice. Corporations, law firms, and private citizens are just some of the folks concerned about metadata and the information contained therein. These legitimate concerns are being addressed by actually removing the metadata prior to sharing those files with other folks. Many tools exist for just that purpose. For example, law firms routinely scrub the metadata from all of their outbound documents, like those transmitted via e-mail. For the privacy-minded individual, the newer versions of Microsoft Word have the ability to detect and remove metadata. (See Figures 5.3 and 5.4.)

FIGURE 5.3 Menu item to choose scrubbing inside of Microsoft Word 2010.

FIGURE 5.4 The option to scan for metadata in Microsoft Word 2010.

Recovered metadata can be used to refute claims by a suspect that they had no knowledge of a file’s existence. It’s tough to claim you didn’t know it was there when you not only opened the file but you changed or deleted the file as well. These dates and times can also be used to construct timelines in a case.

FROM THE CASE FILES: METADATA

Metadata can help investigators identify all the suspects in a case and recover more evidence. Take this case from Houston, Texas regarding the production of counterfeit credit cards. The suspects in this case used “skimmed” card information in their card production process. Credit card “skimming” is when thieves grab the data from the magnetic strip on the back of credit and debit cards. This often occurs during a legitimate transaction, such as when you use your card to pay for dinner. After identifying their prime suspect, police arrested him and searched his computer. In the end, the search of the computer was disappointing. The search only found one Microsoft Word document that contained “skimmed” information. Furthermore, the search of the residence found no skimmer hardware, and there was no skimming software located on the computer. Not exactly the treasure trove they had hoped to find. The exam didn’t stop there. Further examination of the Word document hit pay dirt. A review of the metadata revealed the author of the document, a female. Further investigation found that she was the suspect’s girlfriend and that she worked as a waitress in a neighboring town. This information gave investigators the probable cause needed to obtain a second search warrant for her apartment. During the second search, the skimmer (the piece of hardware used to extract the data from the magnetic strip) was recovered. The examination of the computer found not only the skimming software but additional lists of debit cards and related information. Fortunately, this information was seized before it could be used. Both suspects were eventually found guilty.

THUMBNAIL CACHE

To make it easier to browse the pictures on your computer, Windows creates smaller versions of your photos called thumbnails.
Thumbnails are just miniaturized versions of their larger counterparts. These miniatures are created automatically by Windows when the user chooses “Thumbnail” view when using Windows Explorer. Windows creates a couple of different kinds of thumbnail files, depending on the version being used. Windows XP creates a file called thumbs.db. Microsoft Vista and Windows 7 create a similar file called thumbcache.db. Most users are completely unaware that these files even exist. The cool thing about these files is that they remain even after the original images have been deleted. Even if we don’t recover the original image, thumbnails can serve as the next best evidence. Their mere existence tells us that those pictures existed at one point on the system.

MOST RECENTLY USED (MRU)

Windows tries to make our lives, at least on our computers, as pleasant as possible. They may not always succeed, but their hearts are in the right place. The Most Recently Used (MRU) list is one such example of Microsoft thinking of us. MRU entries are links that serve as shortcuts to applications or files that have recently been used. You can see these in action by clicking on the Windows Start button or through the File menu of many applications. (See Figure 5.5.)

FIGURE 5.5 An Example of an MRU in Microsoft Word 2010.

RESTORE POINTS AND SHADOW COPY

Do you ever wish you could go back in time? We’re not there yet, but lucky for us, Windows is. There may come a time when it’s just easier (or necessary) for our computers to revert back to an earlier point in time when everything was working just fine. In Windows, these are called restore points (RP), and they serve as time travel machines for our computers.

Restore Points

Restore points are snapshots of key system settings and configuration at a specific moment in time (Microsoft Corporation). These snapshots can be used to return the system to working order. Restore points are created in different ways.
They can be created by the system automatically before major system events, like installing software. They can be scheduled at regular intervals, such as weekly. Finally, they can be created manually by a user. The restore point feature is on by default, and one snapshot is automatically produced every day. Before you start looking around for your restore points, you should know that Microsoft has taken steps to keep them from your prying eyes. They are normally hidden from the user. These RPs have metadata (data about the data) associated with them. This information could be valuable in determining the point in time when this snapshot was taken. If the RP contains evidence, this can tell us exactly when that data existed on the system in question.

Digging through the restore points may reveal evidentiary gems that don’t exist anywhere else. For the average person trying to conceal information from investigators, restore points are likely not the first place they would start destroying evidence. Obviously, that works in our favor.

FROM THE CASE FILES: INTERNET HISTORY & RESTORE POINTS

A defendant accused of possessing child pornography claimed that he had visited the site in question on only one occasion, and that was only by accident. To refute this claim, examiners turned to the restore points for the previous two months. Examination of each of the registry files found in the various restore points told a significantly different story. The evidence showed that not only had multiple child pornography sites been visited, but the URLs had been typed directly into the address bar of the browser, destroying his claim that the site was visited by accident. Confronted with this new evidence, the defendant quickly accepted a plea deal.

Shadow Copies

Shadow copies provide the source data for restore points. Like the restore point, shadow files are another artifact that could very well be worth a look.
We can use them to demonstrate how a particular file has been changed over time. They can likewise hold copies of files that have been deleted (Larson, 2010).

FROM THE CASE FILES: RESTORE POINTS, SHADOW COPIES, AND ANTI-FORENSICS

Officers from the Texas OAG (Office of the Attorney General) Cyber Unit, responding to a tip, served a search warrant at the suspect’s residence. The OAG Cyber Unit obtained the search warrant after they were alerted that the suspect was uploading child pornography to the Internet. When the officers served the search warrant, they found the house unoccupied. Officers called the suspect, letting him know they were in his home and that he should come home immediately and meet with them. When the suspect arrived, officers interviewed the suspect and searched his vehicle. Inside the car was a laptop computer. All items seized were taken to the OAG offices for forensic examination. During the exam of the suspect’s laptop, an alarming discovery was made. It appeared the suspect, on the drive home to meet the officers, had used a wiping tool to get rid of not only incriminating images but the Internet history from his laptop. While the initial exam found no child pornography on the laptop, other compelling evidence was recovered. For example, the examiner was able to recover logs from the wiping program itself showing that it had indeed been run. That wasn’t all. Since the operating system was Windows Vista, the examiner decided to check the shadow copies found on the machine. Remember, these Shadow Copies (or System Restore Points) are essentially snapshots of data at a given point in time. Next, the forensic image (clone) of the suspect’s laptop was loaded into a virtual environment. This enabled the examiner to see the computer system as the suspect saw it. The examiner exported the restore points from the suspect’s laptop, then imported those same files into his forensic tool.
This process allowed the examiner to use his tools to extract images and other information from the suspect’s system restore points. This procedure hit pay dirt. More than 3000 images of child pornography were recovered. In addition, log files were found showing searches and downloads of those same files. When it was all said and done, the suspect pleaded guilty and is currently serving 10 years in a Texas state prison.

PREFETCH

Speed kills. Or in the case of computers, it’s the lack of speed that kills. Developers at Microsoft know this and work hard to squeeze every millisecond out of the system. Prefetching is one of the ways they try to speed up the system. Prefetch files can show that an application was indeed installed and run on the system at one time. Take, for example, a wiping application such as “Evidence Eliminator.” Programs like this are designed to completely destroy selected data on a hard drive. Although we may not be able to recover the original evidence, the mere presence of “Evidence Eliminator” can prove to be almost as damning as the original files themselves. Stay tuned for more discussion on “Evidence Eliminator.”

LINK FILES

We all love shortcuts. They help us avoid road construction and steer clear of traffic jams. They save us time and make our travels easier, at least in theory. Microsoft Windows also likes shortcuts. It likes them a lot. Link files are simply shortcuts. They point to other files. Link files can be created by us or, more often, by the computer. You may have created a shortcut on your desktop to your favorite program or folder. The computer itself creates them in several different places. You’ve likely seen and used these link files before. Take Microsoft Word, for example. If you look under the File menu, you’ll see an option called “Recent.” The items in that list are link files, or shortcuts, created by the computer. Link files have their own date and time stamps showing when they were created and last used.
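The Prefetch section above rests on the fact that each .pf file names the executable it belongs to and records how often and when it ran. As an added example, not code from the book or from any forensic tool, here is a Python reader for the uncompressed prefetch header; the field offsets for file versions 17, 23 and 26 are the format as I know it (an assumption, not something the chapter states), the sample file is constructed, and the wiping tool name WIPER.EXE is a placeholder:

```python
"""Reading a prefetch (.pf) header: which executable, how many times it
ran, and when it last ran. This is the artifact the chapter uses to show
that a wiping program was installed and run.

Added example, not code from the book. Offsets follow the uncompressed
XP / Vista / 7 / 8.1 header layouts (versions 17, 23, 26) as I know them;
Windows 10+ files are compressed (they start with "MAM") and have to be
decompressed first. The sample file is constructed: header only.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601, UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH          # integer arithmetic: no float rounding at 1e17
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


# version -> (offset of last-run FILETIME(s), offset of run count, number of last-run slots)
LAYOUT = {
    17: (0x78, 0x90, 1),   # Windows XP / 2003
    23: (0x80, 0x98, 1),   # Windows Vista / 7
    26: (0x80, 0xD0, 8),   # Windows 8.1 keeps the last eight run times
}


@dataclass
class PrefetchInfo:
    version: int
    executable: str
    prefetch_hash: int
    run_count: int
    last_runs: list      # aware datetimes, most recent first; unused slots omitted

    def expected_filename(self) -> str:
        """Prefetch files are named EXENAME-HASH.pf; a mismatch with the on-disk name is worth noting."""
        return f"{self.executable}-{self.prefetch_hash:08X}.pf"


def parse_prefetch(data: bytes) -> PrefetchInfo:
    if data[:3] == b"MAM":
        raise ValueError("compressed (Windows 10+) prefetch file; decompress it first")
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # 60 bytes of UTF-16LE at 0x10 hold the null-terminated executable name
    executable = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    run_off, count_off, slots = LAYOUT[version]
    stamps = struct.unpack_from(f"<{slots}Q", data, run_off)
    last_runs = [filetime_to_datetime(ft) for ft in stamps if ft]   # zero = empty slot
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return PrefetchInfo(version, executable, prefetch_hash, run_count, last_runs)


def sample_prefetch() -> bytes:
    """Constructed Vista/7 (version 23) header for a hypothetical wiping tool."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, 23)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 0x0C, len(buf))             # file size
    name = "WIPER.EXE".encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, 0x1A2B3C4D)           # prefetch hash
    last_run = datetime(2012, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, 7)                    # run count
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(sample_prefetch())
    print(info.expected_filename(), "ran", info.run_count, "times, last at", info.last_runs[0])
```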
The existence of a link file can be important. It can be used to show that someone actually opened the file in question. It can also be used to refute the assertion that a file or folder never existed. Link files can also contain the full file path, even if the storage device is no longer connected, like a thumb drive.

Installed Programs

Software that is or has been installed on the questioned computer could also be of interest. This is especially true if the same application has been removed after some relevant point in time (i.e., when the suspect became aware of a potential investigation). There are multiple locations on the drive to look for these artifacts. The program folder is a great place to start. Link and prefetch files are two other locations that could also bear fruit.

SUMMARY

The computer records a tremendous amount of information unbeknownst to the vast majority of users. These artifacts come in a variety of forms and can be found throughout the system. For example, it’s possible to identify external storage devices, like thumb drives, that have been attached to the system. Items moved to the Windows Recycle Bin can tell us when they were deleted and by which account. Even if a file has been deleted or overwritten, copies of the file could still exist on the drive in multiple forms. These often-overlooked copies are generated by print jobs and hibernation functions as well as restore points. These files can also be found in the swap space, a specific portion of a hard drive that is used when the system is out of RAM. One major takeaway from this chapter is that valuable evidence of specific files, actions, or events can be recorded in multiple locations. As such, truly getting rid of it can be a highly technical process beyond the reach of most crooks. Even deleting data and defragging your hard drive don’t get rid of it. The computer stores data in a way that permits fragments of older files to be carved out for further analysis.
The partial files removed from the slack space could contain just enough information to become a useful piece of evidence. Attribution is a major challenge in digital forensics. Saying with absolute certainty that a specific individual was responsible for a given artifact is often impossible. Identifying the account is often the best that can be done. The system and the applications we use generate data about data. This information, known as metadata, can tell us when the file was created, accessed, modified, and deleted. Knowing what software has been installed and run could be relevant to an investigation. Drive wiping software, for example, could be of particular interest. The Windows Registry and the prefetching function are two sources of this potentially relevant information.
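The summary notes that items in the Recycle Bin record when they were deleted and by which account. As an added example, not code from the book or from any forensic tool, this Python reader parses the $I index record that Vista and later keep beside each recycled file and takes the deleting account’s SID from the folder the record sits in; the record layout is the format as I know it (an assumption, not stated in the chapter; Windows XP uses a different INFO2 record), and the sample record, path and SID are constructed:

```python
"""What a recycled file still tells us: its original path, size, deletion
time and, from the folder it sits in, which account deleted it.

Added example, not code from the book. Vista and later rename a recycled
file to $R<random> and write a $I<random> index record beside it under
\\$Recycle.Bin\\<user SID>\\. Layout assumed from the format as I know it:
version 1 (Vista to 8.1) = 8-byte version, 8-byte size, 8-byte FILETIME,
520-byte UTF-16 path; version 2 (Windows 10+) prefixes the path with a
4-byte character count instead. Sample record and image path constructed.
"""
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


@dataclass
class RecycledFile:
    original_path: str
    size: int
    deleted_at: datetime            # UTC, as stored on disk
    deleting_sid: Optional[str]     # from the $Recycle.Bin\<SID>\ folder name, if known

    def deleted_at_local(self, utc_offset_hours: float) -> datetime:
        """Same instant in the suspect's time zone (the chapter's time zone caveat)."""
        return self.deleted_at.astimezone(timezone(timedelta(hours=utc_offset_hours)))


_SID_IN_PATH = re.compile(r"\$Recycle\.Bin[\\/](S-1-[\d-]+)[\\/]", re.IGNORECASE)


def parse_dollar_i(record: bytes, index_file_path: str = "") -> RecycledFile:
    """Parse one $I record; index_file_path is where the $I file was found on the image."""
    version, size, ft = struct.unpack_from("<QQQ", record, 0)
    if version == 1:                        # Vista .. 8.1: fixed 520-byte UTF-16 path
        raw_path = record[24:24 + 520]
    elif version == 2:                      # Windows 10+: length-prefixed path
        nchars = struct.unpack_from("<I", record, 24)[0]
        raw_path = record[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I record version {version}")
    original_path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    m = _SID_IN_PATH.search(index_file_path)
    return RecycledFile(original_path, size, filetime_to_datetime(ft), m.group(1) if m else None)


def sample_dollar_i() -> bytes:
    """Constructed version-1 record: a spreadsheet deleted 1 June 2012, 14:05:09 UTC."""
    path = r"C:\Users\alice\Documents\clientlist.xlsx".encode("utf-16-le").ljust(520, b"\x00")
    deleted = datetime(2012, 6, 1, 14, 5, 9, tzinfo=timezone.utc)
    return struct.pack("<QQQ", 1, 48_213, datetime_to_filetime(deleted)) + path


# Constructed location of the record on a mounted image; the SID is made up.
SAMPLE_INDEX_PATH = r"E:\image\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1001\$IQ3F7K2.xlsx"

if __name__ == "__main__":
    rf = parse_dollar_i(sample_dollar_i(), SAMPLE_INDEX_PATH)
    print(rf.original_path, rf.size, "bytes, deleted", rf.deleted_at, "by", rf.deleting_sid)
    print("in UTC-5:", rf.deleted_at_local(-5))
```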