computers

What are the main registry hives?

In computer forensics, SAM stands for Security Account Manager.

It’s a critical Windows database that stores information about local user accounts on a system.


What SAM contains

• Usernames of local accounts

• Password hashes (not plain-text passwords)

• Account-related security info (like account status)


Where it’s found

On Windows systems, the SAM database is stored at: C:\Windows\System32\Config\SAM

Why does SAM matter in forensics?

Why SAM matters in forensics

Forensic investigators use the SAM to:

• Identify local users on a machine

• Determine if password cracking is possible (using the hashes)

• Correlate user activity with login artifacts

• Support incident response and malware investigations

What’s the SYSTEM registry hive?

In computer forensics, SYSTEM refers to the Windows SYSTEM registry hive.

It’s one of the most important artifacts on a Windows machine.


⸻


What the SYSTEM hive contains


The SYSTEM hive stores:

• System configuration and hardware info

• Services and drivers (what runs at boot)

• Startup settings

• Mounted devices (USBs, drives, volume IDs)

• Control Sets (current, last known good, etc.)

Location: C:\Windows\System32\Config\SYSTEM

Why does SYSTEM matter in forensics?

Why SYSTEM matters in forensics

Investigators use the SYSTEM hive to:

• Reconstruct boot history

• Identify connected storage devices (USB forensics)

• Determine which services/drivers were active

• Extract the Boot Key (SysKey) 🔑


That last one is crucial…

SAM and SYSTEM together

SYSTEM + SAM = 🔓

• The SYSTEM hive stores the SysKey

• The SAM hive stores encrypted password hashes

• You need SYSTEM to decrypt the SAM hashes


That’s why examiners always collect both.

What key forensic artifacts are inside System?

Key forensic artifacts inside SYSTEM

• MountedDevices → USB & drive history

• Services → persistence mechanisms

• Select key → tells which ControlSet was active

• CurrentControlSet → live system configuration

What is the SECURITY registry hive?

🔐 SECURITY (Registry Hive)

What it is


The SECURITY hive stores local security policy information for the system. It’s tightly protected and mostly invisible during normal use.

Why is the SECURITY hive important in forensics?

What it contains

• Audit policies (what events Windows logs)

• User rights assignments (who can log on locally, access the network, shut down the system, etc.)

• LSA secrets (sensitive encrypted data), such as:

  • Cached domain credentials

  • Service account passwords

  • Network share credentials

• System-wide security settings


Why it matters in forensics


Investigators use SECURITY to:

• Determine who had elevated privileges

• Identify credential storage and reuse

• Understand logging behavior (what should have been logged)

• Detect persistence or lateral movement via service credentials


⚠️ Like SAM, SECURITY relies on the SYSTEM hive for decryption.

what is the NTUSER.DAT hive?

👤 NTUSER.DAT (Per-User Registry Hive)

What it is


NTUSER.DAT is the registry hive for an individual user.

Every user account has their own copy.

C:\Users\<username>\NTUSER.DAT


What it contains

• User preferences (desktop, UI settings)

• Recently opened files

• Program execution history

• Mapped network drives

• Application-specific data

• Explorer artifacts (MRUs, typed paths)

why is NTUSER.DAT important in forensics?

Why it matters in forensics

NTUSER.DAT is gold for user activity reconstruction:

• What programs the user ran

• What files they opened

• When activity occurred

• Which user did what


It directly ties actions to a specific account, unlike SYSTEM or SAM.

What is a RID?

Relative Identifier (in the SAM hive): it uniquely identifies a user and can be matched to a username.

In X-Ways, how do you find the main HDD or SSD?

Look for the largest data size.

What is the registry?

Think of the Windows Registry as the central brain + memory of a Windows system 🧠.

What sorts of artifacts can you locate in the registry?

• Time zone settings

• Computer name

• Registered owner

The hives are found under Windows\System32\config:

• SAM

• SECURITY

• SOFTWARE

Use the registry viewer to view these.

How can you tell what drives have been plugged into a computer?

You can see 'mounted drives' in the SYSTEM registry hive.

Every drive has its own unique signature (the first 4 hex bytes), found at offset 440.

This signature shows whether the drive has been connected to another computer, etc.

What is SAM?

A registry hive where you can find everything to do with the user (user info).

What is SYSTEM?

A registry hive holding the original information about the computer: the physical computer info such as computer name and time zone details.

What’s SOFTWARE?

A registry hive where application data is found.

What can SAM tell us?

SAM can contain password hints that have been set up, which may help decrypt further files on the computer.

AppData folders: what are they?

On the C drive under Users. Subfolders:

• Roaming

• Temp

• Local

You can see the apps used on the device.

e.g. Roaming could hold Skype data; Local holds torrent (BitTorrent) data and cache history.

what are torrent files?

A metadata descriptor used by the BitTorrent peer-to-peer (P2P) protocol to coordinate distributed file transfer.

From a forensic perspective, torrent artifacts indicate:

• Use or presence of BitTorrent software

• Intent or capability to download or distribute specific content

• Possible correlation to downloaded files via matching hashes

• A torrent file alone does not prove possession of the content

• It only proves possession of metadata describing the content

whats P2P?

Peer-to-peer is a network model where each computer (“peer”) can act as both a client and a server, sharing data directly with other computers instead of going through one central server.

How that differs from “normal” downloads

• Normal (client–server):

You download a file from one central server.

• P2P:

You download small pieces of the same file from many other users at the same time.

whats Cache?

Temporary stored data created to make systems and applications run faster — and it often preserves traces of past activity even after the original data is gone.

what can Web cache show?

What cache can contain (forensic gold)

Depending on the app/system, cache may hold:


Web cache

• Visited URLs

• Page titles

• Images, videos, scripts

• Timestamps of access


➡️ Shows what was viewed, even if history was cleared

What is a torrent?

A way to download a file by getting little pieces of it from lots of other people’s computers instead of one central server.

Here’s the clean mental picture:

• The file (movie, game, Linux, whatever) is split into many small pieces

• Lots of people have different pieces

• Your computer grabs pieces from many of them at once

• At the same time, your computer shares the pieces it already has


That system is called BitTorrent, and it’s a type of P2P (peer-to-peer) sharing.

what can programme files show you?

Why Program Files matters in forensics

Program Files helps investigators answer presence, capability, and timeline questions.


⸻


1. Proof of software installation


If a folder exists in Program Files, it usually means:

• The application was installed intentionally

• The installer ran with sufficient privileges


➡️ Stronger evidence than a shortcut or download alone


Example:

• C:\Program Files\qBittorrent\

➡️ Indicates the system was capable of torrenting

What sorts of other things can you see in Program Files?

Dodgy apps like "CCleaner" or any wiping tool, etc., where you can see this was downloaded.
Other downloaded apps can also be seen; this could lead you down a different path as an analyst, e.g. AI tools, website-making software, etc.

how will you handle this sort of material?

I never bottle stuff up; I talk and seek support from my colleagues and managers.
If I feel stressed or upset, I always open up about it.

I have a good social life outside of work and I tend to leave work at the door.

I know that I will be supported here with regular screening and counsellors should I feel I need it.

I am resilient; naturally, I have already been exposed.

whats the difference between deleted data and carving?

Deleted data is data the file system still knows about.
Carving is recovering data the file system has forgotten about.


File carving (file-system unaware)


What carving is


Carving recovers data by:

• Scanning raw disk space

• Ignoring the file system entirely

• Looking for known file signatures (headers/footers)

Example:

• JPEG starts with FFD8

• PDF starts with %PDF


When carving is used


Carving is used when:

• File system metadata is gone

• The file was deleted long ago

• The disk is partially damaged

• The file system is corrupted or wiped

carving in dumb terms

Finding loose pages of a book in a dumpster and guessing which book they came from.

again - carving and deleted data differences

Deleted data recovery relies on surviving file system metadata, while carving reconstructs files from raw disk data when metadata no longer exists.

How does carving work?

Carving is the process used to piece fragmented deleted files back together.

Sometimes a deleted file is intact where it is. Sometimes it goes into unallocated space but is split up into different sectors, like shards of smashed glass.

Carving reads file headers and signatures, and from these knows how big the file should be and what type of file it should be, and pieces it all together as best it can.

It’s the de-fragmentation process.

What is a file header?

Metadata is stored here; it determines what type of file it is.

This is the file signature in the header: a set of bytes represents each different file type signature, e.g. ZIP, TXT, PDF, etc.

Very useful in carving and for hidden files.

If a file is hidden and part of the signature is changed, the file will be corrupt and won’t open. BUT you can go into a hex editor and change this back to open it.

What is a file footer and how is it useful in carving?

A file footer is at the end of a file.
It shows you where the file ends and helps you judge whether what you’ve carved is complete and valid.

It can show how much data belongs to the file when metadata is missing.

What does SAM stand for?

Security Accounts Manager

What can the AppData folder tell us?

AppData is on the C drive under Users.
Within there you have Temp, Roaming and Local.

You can find torrents in here, and cache history.

Name different operating systems

• Windows

• macOS

• Linux

• Android

• Solaris

• Chrome OS

whats an OS?

Software that manages a computer’s hardware and software and provides a platform for running applications.

whats a file system?

A file system is a method and data structure that an operating system uses to store, organize, and manage files and directories on storage devices (like hard drives, SSDs, or USB drives).

please name some key points of a file system

Key Points
1. Determines how data is named, stored, and retrieved.

2. Keeps track of where files are located on disk.

3. Examples: NTFS, FAT32, exFAT (Windows); HFS+, APFS (macOS); ext4, Btrfs (Linux).

FAT

File Allocation Table: a file system.

exFAT

A file system: Extended File Allocation Table.

NTFS

New Technology File System.

APFS

Apple File System.

ext4

Linux: fourth extended file system.

ReFS

Resilient File System (Windows).

What’s a bootable tool?

A USB with software, plugged into a laptop, to extract data.
You can’t remove the HD on some Macs, but you’re also not able to use bootable tools, hence why they outsource.

whats CAID?

Child Abuse Image Database

whats CSAM

child sexual abuse material

whats MCGA

a type of cloud storage used

What about encryption?

• Section 49: an offence if the password is not given.

• TrueCrypt and BitLocker: need the password.

• Passwords on other devices may work on the device you have.

• Passware.

• Or look through Axiom; passwords can be stored there.

• VFC: passwords stored in the browser can be seen in clear text.

• NTAC as a last resort.

What can log files show?

Whether remote access was used.

What’s hash analysis and hash matching?

In digital forensics, hash analysis is a fundamental technique used to verify, identify, and categorize digital data. Let’s break it down carefully.

Run this whilst processing, when also carving.

It is used to identify known files against databases.

It helps the analyst organise and prioritise evidence, like a file inventory.

Hash matching is the process of comparing a file’s hash against a known hash database to see if it’s recognized.

What legalities?

• ACPO

• PACE

• DPN

• Data protection

• Attorney General’s guide to disclosure

• Code of ethics

what are link files? (Windows LNK files)

A link file is a shortcut created by Windows to point to another file, folder, or program.

• It has the extension .lnk.

• Even if the original file is deleted, the LNK file can still exist, giving clues about what the user accessed.


Example:

• Document.docx exists in C:\Users\Alice\Documents\.

• Windows creates Document.docx.lnk on the Desktop.

• Clicking the shortcut opens the original document, but the LNK file stores metadata about it.

Why are link files important in forensics?


LNK files can provide investigators with evidence of user behavior, including:

1. File access information

• Path to the original file.

• Last time the file was accessed.

• File size.

2. User activity timeline

• Timestamps in the LNK file can help reconstruct when files or applications were opened.

3. Deleted file evidence

• Even if a file has been deleted, the LNK file may still exist, giving clues about its previous location.

4. Network and removable drive usage

• LNK files can indicate if a file was on a USB drive or network share.

whats a link file in short?

Link files are shortcuts that store metadata about the original file. In forensics, they are valuable artifacts for reconstructing user activity, even if the original files are deleted.

whats a jump list?

A Jump List is a Windows feature that provides quick access to recently used files, folders, and programs.

• It’s linked to the taskbar or Start Menu: right-clicking an application icon often shows the Jump List.

• Jump Lists are stored as automatic files in the user profile with the extension .automaticDestinations-ms or .customDestinations-ms.

why are jump lists important in forensics?

Jump Lists are valuable because they store evidence of file and program usage, including:

1. Recently accessed files

• Full path of files recently opened.

• Timestamps of last access.

2. Recently accessed programs

• Which applications the user ran, and when.

3. Deleted or moved files

• Even if a file was deleted, the Jump List may still contain a reference to it.

4. User activity reconstruction

• Investigators can use Jump Lists to build timelines of actions on a device.

where are jump lists stored?

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

jumplists in short

A Jump List is a Windows feature that tracks recently accessed files and programs. In digital forensics, it’s a key source of user activity evidence and can help reconstruct timelines, identify deleted files, and support investigations.

what are pre-fetch files?

When a user opens an application, Prefetch stores the number of times the application has been run, the last time it was used, etc.

1. What is a Prefetch file?

• Prefetch files are special Windows system files designed to speed up program startup.

• When a program runs for the first time, Windows creates a .pf file in the Prefetch folder: C:\Windows\Prefetch


• These files store information about the program’s executable and the files it uses so that future launches are faster.


Example:

• Running chrome.exe creates a Prefetch file: CHROME.EXE-12345678.pf


• The next time Chrome is opened, Windows uses the Prefetch data to load it faster.


Prefetch files are valuable because they reveal user activity and program execution, even if other evidence is deleted.

what are shellbags?

In digital forensics, Shell Bags are a very important Windows artifact used to track user interactions with folders. They can reveal which folders were accessed, created, or modified, even if the folders have been deleted.

• Shell Bags are Windows registry entries that store metadata about folders viewed in File Explorer.

• They record how folders are displayed and arranged, like icon size, window position, and view mode.

• Stored in the Windows Registry, typically under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU


Example:

• If a user opens C:\Users\Alice\Documents\Projects in File Explorer, Windows creates a Shell Bag entry for that folder.

• Even if the folder is deleted, the Shell Bag may remain, showing that it existed and was accessed.


Shell Bags are valuable because they can reveal user activity and hidden evidence:

1. Folder existence

• Detect folders that may have been deleted.

2. Folder structure

• Shows the hierarchy of folders the user has accessed.

3. User activity timeline

• Accessed folders and their last viewed timestamps help reconstruct user actions over time.

4. Hidden or external drives

• If the user accessed USB drives or network shares, Shell Bags may record the folder paths.

5. Corroborating other artifacts

• Combine with Prefetch files, LNK files, and Jump Lists for a more complete timeline.

Shell Bags, LNK files, Prefetch files and Jump Lists show...

When you combine Prefetch files, LNK files, Jump Lists, and Shell Bags, you can reconstruct a very detailed timeline of user activity, including which files and folders were accessed, which programs were run, and when. Let’s break it down clearly:


LNK FILES

What they show:

• The original file path of shortcuts used.

• Timestamps of last access.

• Clues about deleted files (the shortcut may remain).

Use in timeline:

• Shows what files the user opened or attempted to open.

JUMP LISTS

What they show:

• Recently opened files and programs tied to a specific application.

• Timestamps of last access.

• References to deleted or moved files.

Use in timeline:

• Reveals frequent or recent activity per application, helping establish usage patterns.

PREFETCH FILES

What they show:

• Programs that were executed.

• Run count and last run time.

• Path to the executable.

Use in timeline:

• Confirms which applications were actually executed, even if the executable has been deleted.

SHELL BAGS

What they show:

• Folders that were accessed, including deleted or hidden folders.

• Folder structure, view settings, and access timestamps.

Use in timeline:

• Helps reconstruct the folder hierarchy the user navigated, even if the files inside are gone.

whats WebCacheV01?

In digital forensics, WebCacheV01.dat (sometimes written as WebCacheV01) is a Windows system database that stores Internet Explorer (IE) and Microsoft Edge browsing activity, including cached web pages, cookies, and history. It’s a very important artifact for tracking user web activity.

C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache

• Visited URLs / browsing history

• Cached web pages (local copies of sites visited)

• Cookies and session information

• File download metadata (sometimes shows downloaded file names and timestamps)

• Form data and autofill information (if saved by the browser)

What’s the Boot Key (SYSKEY)?

Why it matters in forensics

You need the Boot Key to:

• Decrypt the SAM hive

• Extract NTLM hashes

• Recover LSA secrets

• Perform offline password cracking


This is why most tools start by asking for the SYSTEM hive — that’s where the Boot Key comes from.


Found in SYSTEM!


⸻


What the Windows Boot Key is (forensics context)


The Boot Key is a 128-bit key used to protect sensitive security data, mainly:

• SAM database (user password hashes)

• LSA secrets

• Cached credentials


Without the Boot Key, those items remain encrypted.


in short: The Windows Boot Key (SYSKEY) is a cryptographic key derived from the SYSTEM registry hive and used to decrypt the SAM and LSA secrets.
