# 2. Understanding Windows Forensics

First of all, I discovered that some challenges are related to file system artifacts such as Event Logs, Prefetch files, LNK files, browser history (Chrome, Edge, Internet Explorer), OST/PST files, EML files, Alternate Data Streams (ADS), the RDP cache, the Master File Table (MFT), Scheduled Tasks, and PowerShell history. Other challenges involve large files, especially in ELF, EXE, or RAW format, which often require specific tools to analyze and extract the flag.

**Objective**: To gain foundational to intermediate-level knowledge of Windows forensics by understanding the artifacts left by system and user activity, and how they can be analyzed during an investigation.

### File System Artifacts

**Master File Table (MFT)**

The Master File Table is a core component of the NTFS file system used by Windows. It contains metadata about every file and directory on the volume, including:

+ File name and size
+ Creation, modification, and access timestamps (MAC times)
+ File attributes and data run locations

Forensic Value: Investigators analyze the MFT to detect file creation/deletion events, recover deleted files, and examine timestamp anomalies that may indicate tampering.

### Event Logs

Windows logs system, security, and application events in **.evtx** files. These logs are stored in:

```
C:\Windows\System32\winevt\Logs\
```

Key logs include:

+ System: Startup/shutdown events, hardware changes
+ Security: Logon attempts, policy changes
+ Application: Application crashes or behavior
+ PowerShell Logs: Execution of scripts

Forensic Value: Event logs can confirm user activity, privilege escalation, remote logins, malware execution, and persistence mechanisms.

### Prefetch Files

Located in **C:\Windows\Prefetch**, these **.pf** files track executable launches to speed up subsequent loading.
Each **.pf** file records:

- Executable path
- Last execution time
- Number of times run
- Related DLLs

Forensic Value: Useful to prove that a program was run, when it was last run, and how often. Crucial for timeline analysis and execution tracking.

### LNK (Shortcut) Files

LNK files are Windows shortcuts typically found in:

```
C:\Users\<username>\Recent\
```

They store:

- Target path
- MAC times of the target
- Volume serial number
- Drive letter

Forensic Value: Even if a file is deleted, the LNK file can prove that it existed and was opened.

### Browser History

**Chrome/Edge (Chromium-based)**: Stored in SQLite databases like **History**, **Cookies**, **Login Data** found in:

```
C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\
```

**Internet Explorer / Legacy Edge**: Data in **WebCacheV01.dat (ESE database)**

Forensic Value: Tracks websites visited, timestamps, downloads, and cached data, which is critical for tracing user activity or data exfiltration.

### OST/PST and EML Files

**OST/PST**: Outlook data files storing emails, calendars, contacts.

**EML**: Standard format for single emails.

Forensic Value: Investigators extract communications, phishing attempts, exfiltrated data, and trace attacker persistence through email-based malware.

### Alternate Data Streams (ADS)

A feature of NTFS allowing hidden data streams to be attached to files. For example:

```
notepad.exe:hidden.txt
```

Forensic Value: Often used to hide malware or scripts. They do not show up in regular directory listings.

### RDP Cache

Remote Desktop Protocol (RDP) cache files include:

- Connection logs
- Bitmap cache images
- Clipboard usage

Stored in:

```
C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\
```

Forensic Value: Proves remote access, connected hosts, and session activity.

### Scheduled Tasks

Used for automation, but often abused by attackers for persistence.
Stored in:

- Registry keys (e.g., **HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule**)
- XML files in **C:\Windows\System32\Tasks\**

Forensic Value: Reveals malware persistence methods and execution patterns.

### PowerShell History

Commands executed in PowerShell are logged in:

```
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

Forensic Value: Detects manual or scripted malicious behavior, credential dumping, and lateral movement attempts.

### Large Files (ELF, EXE, RAW)

Large binary files such as:

- EXE: Executables
- ELF: Linux binaries (unusual on Windows, may indicate dual-use tools)
- RAW: Disk or memory dumps

These files often require specialized tools for analysis:

- PEStudio, Detect It Easy: EXE file inspection
- Volatility, HxD, Binwalk: Memory or RAW file analysis

Forensic Value: These files can contain malware payloads, rootkits, or forensic images holding key evidence.

---

### Practical

---

#### DAY 1

### Desktop GUI

The above screenshot is an example of a typical Windows Desktop. Each component that makes up the GUI is explained briefly below.

1. The Desktop
2. Start Menu
3. Search Box (Cortana)
4. Task View
5. Taskbar
6. Toolbars
7. Notification Area

#### The Desktop

The desktop is where you will have shortcuts to programs, folders, files, etc. These icons will either be well organized in folders sorted alphabetically or scattered randomly with no specific organization on the desktop. In either case, these items are typically placed on the desktop for quick access.

The look and feel of the desktop can be changed to suit your liking. By right-clicking anywhere on the desktop, a context menu will appear. This menu will allow you to change the sizes of the desktop icons, specify how you want to arrange them, copy/paste items to the desktop, and create new items, such as a folder, shortcut, or text document.
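Returning to the browser-history artifact from the File System Artifacts section above: the Chrome/Edge `History` file is a plain SQLite database, but every timestamp in it is a WebKit time (microseconds since 1601-01-01 UTC), not a Unix epoch, which is the detail that trips people up when answering "when was this visited?" questions. The following Python is an added example, not code from the original write-up or from any tool it mentions; it builds a constructed, in-memory subset of Chrome's `urls`, `visits` and `downloads` tables (column names match Chrome's, the rows, the `example.invalid` URL and the `SkypeSetup.exe` path are assumptions) and shows the timestamp conversion in both directions.

```python
"""Added example: query a Chromium-style History database and convert its
WebKit timestamps (microseconds since 1601-01-01 UTC) to readable UTC.
The schema is a constructed subset of Chrome's real tables and all rows
are constructed sample data."""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Optional

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds: int) -> Optional[datetime]:
    """Convert a WebKit/Chrome timestamp to an aware UTC datetime.
    Chrome stores 0 when a time is unknown, so 0 means 'no value'
    rather than 1601-01-01."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(when: datetime) -> int:
    """Inverse conversion (integer arithmetic: floats lose precision at 1e16)."""
    delta = when.astimezone(timezone.utc) - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Create an in-memory History DB holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, received_bytes INTEGER,
                                total_bytes INTEGER, tab_url TEXT);
    """)
    # Constructed times: the WebKit encoding of 2019-03-17 21:52:00 UTC
    # (the timestamp quoted in the write-up) plus a few minutes after it.
    t0 = utc_to_webkit(datetime(2019, 3, 17, 21, 52, tzinfo=timezone.utc))
    minute = 60 * 1_000_000
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://www.skype.com/en/get-skype/", "Download Skype", 1, t0),
        (2, "https://example.invalid/mail", "Webmail", 2, t0 + 5 * minute),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, t0, 0),
        (2, 2, t0 + 2 * minute, 0),
        (3, 2, t0 + 5 * minute, 0),
    ])
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?)", [
        (1, r"C:\Users\Max\Downloads\SkypeSetup.exe", t0 + minute,
         65_536_000, 65_536_000, "https://www.skype.com/en/get-skype/"),
    ])
    conn.commit()
    return conn


def visit_timeline(conn: sqlite3.Connection) -> list:
    """Join visits to urls and return them in chronological order."""
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v "
        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time").fetchall()
    return [{"time": webkit_to_utc(t), "url": url, "title": title}
            for t, url, title in rows]


def download_report(conn: sqlite3.Connection) -> list:
    """List downloads with the originating page (tab_url) and completion state."""
    rows = conn.execute(
        "SELECT target_path, start_time, received_bytes, total_bytes, tab_url "
        "FROM downloads ORDER BY start_time").fetchall()
    return [{"path": p, "start": webkit_to_utc(s), "source": src,
             "complete": t > 0 and r == t} for p, s, r, t, src in rows]


if __name__ == "__main__":
    db = build_sample_history()
    for entry in visit_timeline(db):
        print(entry["time"].strftime("%Y-%m-%d %H:%M:%S UTC"), entry["url"])
    for dl in download_report(db):
        print(dl["start"].strftime("%Y-%m-%d %H:%M:%S UTC"), dl["path"], "<-", dl["source"])
```

On a real image, point `sqlite3.connect` at a copy of the `History` file (Chrome keeps the original locked while running) and the same queries apply.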
![image](https://hackmd.io/_uploads/rk1eTeb4ee.png)

Under **Display settings**, you can make changes to the screen's resolution and orientation. In case you have multiple computer screens, you can make configurations to the multi-screen setup here.

**Note**: In a Remote Desktop session, some of the display settings will be disabled.

![image](https://hackmd.io/_uploads/BJuGpeWNgx.png)

You can also change the wallpaper by selecting **Personalize**.

![image](https://hackmd.io/_uploads/BJc4TeWNgx.png)

Under Personalize, you can change the background image of the Desktop, change fonts, themes, color scheme, etc.

![image](https://hackmd.io/_uploads/Bk586xWExl.png)

#### The Start Menu

In previous versions of Windows, the word **Start** was visible at the bottom left corner of the desktop GUI. In modern versions of Windows, such as Windows 10, the word 'Start' doesn't appear anymore; a Windows logo is shown instead. Even though the look of the Start Menu has changed, its overall purpose is the same. The Start Menu provides access to all the apps/programs, files, utility tools, etc., that are most useful.

Clicking on the Windows logo opens the Start Menu. The Start Menu is broken up into sections. See below.

![image](https://assets.tryhackme.com/additional/win-fun1/win-start-menu.png)

1. This section of the Start Menu provides quick shortcuts to actions that you can perform with your account or login session, such as making changes to your user account, locking your screen, or signing out of your account. Other shortcuts specific to your account are your Documents folder (document icon) and Pictures folder (pictures icon). Lastly, the gear/cog icon will take you to the Settings screen, and the power icon will allow you to disconnect from a [Remote Desktop](https://community.windows.com/en-us/stories/work-from-anywhere-with-windows-10-remote-desktop) session, shut down the computer, or restart the computer.
In the below image, you can see what each of the icons represents. To expand this section, click on the icon that resembles a hamburger at the top.

![image](https://hackmd.io/_uploads/rkL66gZNee.png)

2. This section will show all **Recently added** apps/programs at the top and all the installed apps/programs (that are configured to appear in the Start Menu). In this section, the apps/programs are listed in alphabetical order, and each letter has its own section. See below.

![image](https://hackmd.io/_uploads/r1xg0gbVeg.png)

In the above image, the first box is where the recently added apps/programs will appear. The second box is where all the installed apps/programs will appear.

**Note**: In your VM, Google Chrome will not show up as a Recently Added program anymore.

If you have a LONG list of installed apps/programs, you can jump to a particular section in the list by clicking on the letter headings to launch an alphabet grid. See below.

![image](https://hackmd.io/_uploads/rJxBGCeWVgl.png)

**Note**: The white letters match the letter headings.

3. The right side of the Start Menu is where you will find icons for specific apps/programs or utilities. These icons are known as **tiles**. Some tiles are added to this section by default. If you right-click any of the tiles, you guessed it, a menu will appear to allow you to perform more actions on the selected tile, such as resizing the tile, unpinning it from the Start Menu, viewing its Properties, etc. See below.

![image](https://hackmd.io/_uploads/SknRAxZ4ge.png)

Apps/programs can be added to this Start Menu section by right-clicking the app/program and selecting Pin to Start. See below.

![image](https://hackmd.io/_uploads/rJOyJW-4ex.png)

![image](https://hackmd.io/_uploads/H1AJy--Exx.png)

### The Taskbar

Some of the components are enabled and visible by default. The Toolbar (6), for example, was enabled for demonstration purposes.
If you're like me and want to disable some of these components, you can right-click on the Taskbar to bring up a context menu that will allow you to make changes.

![image](https://hackmd.io/_uploads/BkeZyZbElg.png)

Any apps/programs, folders, files, etc., that you open/start will appear in the taskbar.

![image](https://hackmd.io/_uploads/S1cZkZb4ee.png)

Hovering over the icon will provide a preview thumbnail, along with a tooltip. This tooltip is handy if you have many apps/programs open, such as Google Chrome, and you wish to find which instance of Google Chrome is the one you need to bring into focus.

When you close any of these items, they will disappear from the taskbar (unless you explicitly pinned them to the taskbar).

#### The Notification Area

The Notification Area, which is typically located at the bottom right of the Windows screen, is where the date and time are displayed. Other icons possibly visible in this area are the volume icon and the network/wireless icon, to name a few. Icons can be either added or removed from the Notification Area in Taskbar settings.

![image](https://hackmd.io/_uploads/B17SJ-ZNlx.png)

From there, scroll down to the Notification Area section to make changes.

![image](https://hackmd.io/_uploads/rJ5SJbW4el.png)

Here are Microsoft's brief documents for the [Start Menu](https://support.microsoft.com/en-us/windows/see-what-s-on-the-start-menu-a8ccb400-ad49-962b-d2b1-93f453785a13) and [Notification Area](https://support.microsoft.com/en-us/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3#WindowsVersion=Windows_10).

**Tip**: You can right-click any folder, file, app/program, or icon to view more information or perform other actions on the clicked item.

#### The File System

The file system used in modern versions of Windows is the **New Technology File System** or simply [NTFS](https://docs.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview).
Before NTFS, there were **FAT16/FAT32** (File Allocation Table) and **HPFS** (High Performance File System). You still see FAT partitions in use today. For example, you typically see FAT partitions in USB devices, MicroSD cards, etc., but traditionally not on personal Windows computers/laptops or Windows servers.

NTFS is known as a journaling file system. In case of a failure, the file system can automatically repair the folders/files on disk using information stored in a log file. This function is not possible with FAT.

NTFS addresses many of the limitations of the previous file systems, such as:

* Supports files larger than 4GB
* Set specific permissions on folders and files
* Folder and file compression
* Encryption ([Encrypting File System](https://docs.microsoft.com/en-us/windows/win32/fileio/file-encryption) or **EFS**)

If you're running Windows, what is the file system your Windows installation is using? You can check the Properties (right-click) of the drive your operating system is installed on, typically the C drive (C:\).

You can read Microsoft's official documentation on FAT, HPFS, and NTFS here.

Let's speak briefly on some features that are specific to NTFS.

On NTFS volumes, you can set permissions that grant or deny access to files and folders. The permissions are:

+ Full control
+ Modify
+ Read & Execute
+ List folder contents
+ Read
+ Write

The below image lists the meaning of each permission and how it applies to a file and a folder. (credit [Microsoft](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727008(v=technet.10)?redirectedfrom=MSDN))

![image](https://hackmd.io/_uploads/SJ2RzZbNge.png)

How can you view the permissions for a file or folder?

* Right-click the file or folder you want to check for permissions.
* From the context menu, select **Properties**.
* Within Properties, click on the **Security** tab.
* In the **Group or user names** list, select the user, computer, or group whose permissions you want to view.

In the below image, you can see the permissions for the **Users** group for the Windows folder.

![image](https://hackmd.io/_uploads/Hk-sXZWNxx.png)

Refer to the Microsoft documentation to get a better understanding of the NTFS permissions for Special Permissions.

Another feature of NTFS is **Alternate Data Streams (ADS)**.

**Alternate Data Streams** (ADS) is a file attribute specific to Windows **NTFS** (New Technology File System). Every file has at least one data stream (**$DATA**), and ADS allows files to contain more than one stream of data. Natively, [Windows Explorer](https://support.microsoft.com/en-us/windows/what-s-changed-in-file-explorer-ef370130-1cca-9dc5-e0df-2f7416fe1cb1) doesn't display ADS to the user. There are 3rd party executables that can be used to view this data, but [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.1) gives you the ability to view ADS for files.

From a security perspective, malware writers have used ADS to hide data. Not all its uses are malicious. For example, when you download a file from the Internet, there are identifiers written to ADS to identify that the file was downloaded from the Internet.

To learn more about ADS, refer to the following link from MalwareBytes [here](https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/).

#### The Windows\System32 Folders

The Windows folder (**C:\Windows**) is traditionally known as the folder which contains the Windows operating system. The folder doesn't necessarily have to reside in the C drive. It can reside in any other drive and technically can reside in a different folder.

This is where environment variables, more specifically system environment variables, come into play. Even though not discussed yet, the system environment variable for the Windows directory is **%windir%**.
Per [Microsoft](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_environment_variables?view=powershell-7.1), "Environment variables store information about the operating system environment. This information includes details such as the operating system path, the number of processors used by the operating system, and the location of temporary folders".

There are many folders within the 'Windows' folder. See below.

![image](https://hackmd.io/_uploads/HyEcFbbNel.png)

One of the many folders is **System32**.

![image](https://hackmd.io/_uploads/SkOsK-ZVle.png)

The System32 folder holds the important files that are critical for the operating system. You should proceed with extreme caution when interacting with this folder. Accidentally deleting any files or folders within System32 can render the Windows OS inoperable. Read more about this action [here](https://www.howtogeek.com/346997/what-is-the-system32-directory-and-why-you-shouldnt-delete-it/).

**Note**: Many of the tools that will be covered in the Windows Fundamentals series reside within the System32 folder.

#### User Accounts, Profiles, and Permissions

User accounts can be one of two types on a typical local Windows system: **Administrator** & **Standard User**. The user account type will determine what actions the user can perform on that specific Windows system.

+ An Administrator can make changes to the system: add users, delete users, modify groups, modify settings on the system, etc.
+ A Standard User can only make changes to folders/files attributed to the user & can't perform system-level changes, such as installing programs.

You are currently logged in as an Administrator. There are several ways to determine which user accounts exist on the system. One way is to click the **Start Menu** and type **Other User**. A shortcut to **System Settings > Other users** should appear.
![image](https://hackmd.io/_uploads/r1qfaZbNlg.png)

If you click on it, a Settings window should now appear. See below.

![image](https://hackmd.io/_uploads/B1F7pbZNxg.png)

Since you're the Administrator, you see an option to **Add someone else to this PC**.

**Note**: A Standard User will not see this option.

Click on the local user account. More options should appear: **Change account type** and **Remove**.

![image](https://hackmd.io/_uploads/B1LPab-Nll.png)

Click on Change account type. The value in the drop-down box (or the highlighted value if you click the drop-down) is the current account type.

![image](https://hackmd.io/_uploads/HJku6bZVlx.png)

When a user account is created, a profile is created for the user. Each user profile folder is located under C:\Users. For example, the user profile folder for the user account Max will be C:\Users\Max.

The creation of the user's profile is done upon initial login. When a new user account logs in to a local system for the first time, they'll see several messages on the login screen. One of the messages, User Profile Service, sits on the login screen for a while; that is the service at work creating the user profile. See below.

![image](https://hackmd.io/_uploads/rkSFT-bVlg.png)

Once logged in, the user will see a dialog box similar to the one below (again), indicating that the profile is being created.

![image](https://hackmd.io/_uploads/Hyy56--Exg.png)

Each user profile will have the same folders; a few of them are:

+ Desktop
+ Documents
+ Downloads
+ Music
+ Pictures

Another way to access this information, and then some, is using **Local User and Group Management**. Right-click on the Start Menu and click **Run**. Type **lusrmgr.msc**. See below.

![image](https://hackmd.io/_uploads/HypR6b-Nlg.png)

**Note**: The Run Dialog Box allows us to open items quickly.

Back to lusrmgr, you should see two folders: **Users** and **Groups**.
If you click on Groups, you see all the names of the local groups along with a brief description for each group. Each group has permissions set to it, and users are assigned/added to groups by the Administrator. When a user is assigned to a group, the user inherits the permissions of that group. A user can be assigned to multiple groups.

**Note**: If you click on **Add someone else to this PC** from Other users, it will open **Local User and Group Management**.

#### User Account

The large majority of home users are logged into their Windows systems as local administrators. Remember from the previous task that any user with administrator as the account type can make changes to the system.

A user doesn't need to run with high (elevated) privileges on the system to run tasks that don't require such privileges, such as surfing the Internet, working on a Word document, etc. This elevated privilege increases the risk of system compromise because it makes it easier for malware to infect the system. Consequently, since the user account can make changes to the system, the malware would run in the context of the logged-in user.

To protect the local user with such privileges, Microsoft introduced **User Account Control** (UAC). This concept was first introduced with the short-lived [Windows Vista](https://en.wikipedia.org/wiki/Windows_Vista) and continued with versions of Windows that followed.

**Note**: UAC (by default) doesn't apply to the built-in local administrator account.

How does UAC work? When a user with an account type of administrator logs into a system, the current session doesn't run with elevated permissions. When an operation requiring higher-level privileges needs to execute, the user will be prompted to confirm if they permit the operation to run.

Let's look at the program on the account you're currently logged into, the built-in administrator account. Right-click to view its Properties.
In the Security tab, we can see the users/groups and their permissions to this file. Notice that the standard user is not listed.

![image](https://hackmd.io/_uploads/r13ehVZNlg.png)

Log in as the standard user and try to install this program. To do this, you can remote desktop into the machine as the standard user account.

**Note**: You have the username and password for the standard user. It's visible in **lusrmgr.msc**.

Before installing the program, notice the icon. Do you see the difference? When you're logged in as the standard user, the shield icon is on the program's default icon. See below.

![image](https://hackmd.io/_uploads/SJqM3VZVxl.png)

This shield icon is an indicator that UAC will prompt to allow higher-level privileges to install the program.

![image](https://hackmd.io/_uploads/SJKEnVZ4eg.png)

Double-click the program, and you'll see the UAC prompt. Notice that the built-in administrator account is already set as the user name, and the prompt asks for that account's password. See below.

![image](https://hackmd.io/_uploads/B1BShNWExl.png)

After some time, if a password is not entered, the UAC prompt disappears, and the program does not install. This feature reduces the likelihood of malware successfully compromising your system.

You can read more about UAC [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).

### Settings and the Control Panel

On a Windows system, the primary locations to make changes are the Settings menu and the Control Panel. For a long time, the Control Panel has been the go-to location to make system changes, such as adding a printer, uninstalling a program, etc. The Settings menu was introduced in Windows 8, the first Windows operating system catered to touch screen tablets, and is still available in Windows 10. As a matter of fact, the Settings menu is now the primary location a user goes to if they are looking to change the system.
There are similarities and differences between the two menus. Below are screenshots of each.

**Settings:**

![image](https://hackmd.io/_uploads/S1rWTNZEll.png)

**Control Panel:**

![image](https://hackmd.io/_uploads/S1sG6VZ4xl.png)

**Note**: The icons for Settings might be different in the version of Windows on your personal device.

Both can be accessed from the Start Menu. See below.

![image](https://hackmd.io/_uploads/B1mN6NbVxg.png)

Control Panel is the menu where you will access more complex settings and perform more complex actions. In some cases, you can start in Settings and end up in the Control Panel. For example, in Settings, click on **Network & Internet**. From here, click on **Change adapter options**.

![image](https://hackmd.io/_uploads/HkhuaV-Eex.png)

Notice that the next window that pops up is from the Control Panel.

![image](https://hackmd.io/_uploads/BJx9pN-Eel.png)

If you're unclear which to open if you wish to change a setting, use the Start menu and search for it. In the example below, the search was 'wallpaper'. Notice that only a few results were returned.

![image](https://hackmd.io/_uploads/SJZipN-Nll.png)

If we click on the Best match, a window to the Settings menu appears to make changes to the wallpaper.

![image](https://hackmd.io/_uploads/HJCj6E-Vxl.png)

### Task Manager

The last subject that will be touched on in this module is the **Task Manager**. The Task Manager provides information about the applications and processes currently running on the system. Other information is also available, such as how much CPU and RAM are being utilized, which falls under **Performance**.

You can access the Task Manager by right-clicking the taskbar.

![image](https://hackmd.io/_uploads/H16mJSZNlx.png)

Task Manager will open in Simple View and won't show much information.

![image](https://hackmd.io/_uploads/SJh3Jr-Egl.png)

Click on **More details**, and the view changes.
![image](https://hackmd.io/_uploads/r1GR1SZVxl.png)

Reference: https://www.howtogeek.com/405806/windows-task-manager-the-complete-guide/

### 3. Write up

#### Challenges

https://battle.cookiearena.org/challenges/digital-forensics/so-dang-ky

![image](https://hackmd.io/_uploads/ryNU6F5Nel.png)

They provide me a DAT file. I have to find a way to view the DAT file.

*I use the website https://filext.com/online-file-viewer.html to view the file.*

![image](https://hackmd.io/_uploads/rJIWAYc4el.png)

I found something suspicious.

![image](https://hackmd.io/_uploads/ByyrCtcEgg.png)

Or

![image](https://hackmd.io/_uploads/S1q6RK9Vel.png)

I got a flag.

CyberDefenders Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/62#nav-questions

![image](https://hackmd.io/_uploads/r1LA8djVge.png)

![image](https://hackmd.io/_uploads/Bkg5__oVxg.png)

![image](https://hackmd.io/_uploads/ByWj_usVxe.png)

I asked ChatGPT!!

![image](https://hackmd.io/_uploads/Byho93iNxe.png)

![image](https://hackmd.io/_uploads/HkIA53oNeg.png)

Answer: 16299

![image](https://hackmd.io/_uploads/SJb_insEll.png)

![image](https://hackmd.io/_uploads/SkOSs2oVlx.png)

Answer: TOTALLYNOTAHACK

![image](https://hackmd.io/_uploads/ByuX33iVgl.png)

![image](https://hackmd.io/_uploads/H1fV33j4lg.png)

Answer: skype

![image](https://hackmd.io/_uploads/SkBch2iNxl.png)

Answer: 19709

![image](https://hackmd.io/_uploads/ryHv63sVex.png)

![image](https://hackmd.io/_uploads/ry4_phsVxe.png)

Answer: MS

![image](https://hackmd.io/_uploads/r1_kyTsEll.png)

Answer: 150000

![image](https://hackmd.io/_uploads/rJlQ1piExl.png)

Answer: Egypt

![image](https://hackmd.io/_uploads/HkILkTjNll.png)

Answer: UTC

![image](https://hackmd.io/_uploads/SkjqypsEll.png)

Answer: 03/17/2019 09:52 PM

![image](https://hackmd.io/_uploads/rJqZxaiEex.png)

![image](https://hackmd.io/_uploads/By7meao4ll.png)

Answer: A

![image](https://hackmd.io/_uploads/SJ1y-TjEle.png)

Answer: TheCardCriesNoMore

![image](https://hackmd.io/_uploads/SybBZpjVge.png)

Answer: Cyber Security Analyst
![image](https://hackmd.io/_uploads/SyRxQTjNgx.png)

I asked ChatGPT.

*Use RegRipper to analyse the SAM file:*

![image](https://hackmd.io/_uploads/S17GmTiEex.png)

Answer: 03/21/2019 19:13:09

![image](https://hackmd.io/_uploads/ryOdXpj4xx.png)

Answer: 72.0.3626.121

![image](https://hackmd.io/_uploads/SJNkT2sEel.png)

Answer: https://www.skype.com/en/get-skype/

![image](https://hackmd.io/_uploads/rJFXzCiVex.png)

![image](https://hackmd.io/_uploads/SyJOXCsNxl.png)

Answer: palominoalpacafarm.com

I successfully completed the HireMe Blue Team Lab at @CyberDefenders! https://cyberdefenders.org/blueteam-ctf-challenges/achievements/boybro245/hireme/

#CyberDefenders #CyberSecurity #BlueYard #BlueTeam #InfoSec #SOC #SOCAnalyst #DFIR #CCD #CyberDefender

### Password Windows

```shell
# Extract the NT hashes from the SAM hive, using the SYSTEM hive for the boot key
# (the Kali tool is samdump2; the hive copies here are named system.bak and sam.bak)
samdump2 system.bak sam.bak > hashes.txt
# Crack the extracted NT hashes against the rockyou wordlist
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```

Write up: https://hackmd.io/JrL0xd2JSQ-cFpdQVEgbag

The password is the flag.

Challenge: https://51ypsj-my.sharepoint.com/:f:/g/personal/tam_51ypsj_onmicrosoft_com/Eu8dFGHSHbZIhTXWIJT5VHkBc5r-_Ja8rcFWPhHT2CpnFQ?e=mgYP1C

**FOR_1**: Refer to the company's security policies and find the flag in the Microsoft To Do application. The flag is related to a violation of the company's security policies. FORMAT: FLAG{...}

Locate:

```
C:\Users\<username>\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\
```

![image](https://hackmd.io/_uploads/r13rFdiIxg.png)

Look in these subfolders:

- LocalState
- Settings
- Logs
- TempState

You're looking for .log, .json, .txt, .db, .sqlite, or .xml files.

![image](https://hackmd.io/_uploads/By28tuiUxl.png)

FLAG{pR0h1B1T10n_Cr3d3nt14L5_1n_m3m0}

**FOR_2**: CAN U FIND MY Service Admin password. FORMAT: FLAG{...}

Hints: gpp, group policy, sysvol

![image](https://hackmd.io/_uploads/HkLcKdiUlx.png)

Find cpassword:

![image](https://hackmd.io/_uploads/rJJ15_o8gx.png)

```shell
# Decrypt the cpassword value taken from the Group Policy Preferences XML in SYSVOL
gpp-decrypt eKKX4xuz0qgb7P7OIh0YKGTGR3Az/vNOv3z/dyc9mqkp2qFu4X00l5AQNQHBUbi/
```

### 4. Recommended References

- SANS FOR500 course materials (search on LibGen): https://libgen.is/search.php?req=for500&lg_topic=libgen&open=0&view=simple&res=25&phrase=1&column=def
- GitHub Digital Forensics Lab (especially Lab 02): https://github.com/vonderchild/digital-forensics-lab/tree/main/Lab%2002

Deliverables:

- Detailed writeup of all artifacts and labs.
- Solutions to challenges with explanations and screenshots where applicable.
- Submit everything in a structured folder or PDF document.

Optional tools to explore:

- Eric Zimmerman's tools (Registry Explorer, PECmd, LECmd, MFTECmd, etc.)
- FTK Imager
- Autopsy
- Timeline Explorer