Windows Forensics Fundamentals | Part Four

Ali Sefer
5 min read · Oct 11, 2024


Please be sure to check out the previous blogs in the series before reading this post. This part builds directly on those topics and assumes you are already familiar with them.

Evidence of Execution

I have covered this topic in my previous articles, but I would like to show you some more advanced techniques.

Windows Prefetch Files

When a program is run on Windows, the operating system records information about it for future use so that the program can be loaded more quickly the next time it is started. This information is stored in prefetch files located in the C:\Windows\Prefetch directory.


Prefetch files have a .pf extension. A prefetch file records the last times the application was run, the number of times it was run, and the files and device handles the application used. This makes the Prefetch directory an excellent source of information about recently executed programs and the files they touched.

To parse prefetch files and extract data, we can use Prefetch Parser (PECmd.exe), a tool by Eric Zimmerman.

PECmd.exe CMD Command Output

You can then use the EZViewer tool to view this output.

PECmd Output in EZViewer

Windows 10 Timeline

Windows 10 stores recently used applications and files in a SQLite database called the Windows 10 Timeline. This data can be a source of information about recently run programs. It includes the application that was executed and the focus time of the application. The Windows 10 timeline can be found in the following location: C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db


We can use Eric Zimmerman’s WxTCmd.exe to parse the Windows 10 Timeline.

WxTCmd

You can then use the EZViewer tool to view this output.

WxTCmd Output in EZViewer

Windows Jump Lists

Windows introduced Jump Lists to help users navigate directly from the taskbar to their recently used files. We can display Jump Lists by right-clicking on an application’s icon in the taskbar and it will show us the most recently opened files in that application. This data is stored in the following directory: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Jump Lists

Jump Lists record, per AppID, which application was run together with the first and last run times of that application.

You can explore them using the JumpList Explorer tool.

JumpList Explorer

File/Folder Information

Shortcut Files

Windows creates a shortcut file for each file opened locally or remotely. Shortcut files contain information about the first and last times the file was opened and the path to the opened file, among some other data. Shortcut files can be found in the following locations:

  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
  • C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\

To parse shortcut files we can use Eric Zimmerman’s LECmd.exe (Lnk Explorer) program.

LECmd

The creation date of the shortcut file indicates the date/time when the file was first opened. The modification date/time of the shortcut file indicates the date/time when the file was last accessed.

You can then use the EZViewer tool to view this output.

LECmd Output in EZViewer
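The timestamps the author reads from a shortcut file's own filesystem metadata (created = first opened, modified = last opened) are separate from the timestamps embedded inside the .lnk itself: the fixed ShellLinkHeader at the start of every shortcut carries the target file's creation, access and write times plus its size, and the same header opens each LNK stream stored inside a Jump List's AutomaticDestinations file. The following Python is an added example, not code from the post or from LECmd, that parses that header from a constructed sample; the sample bytes and the build_sample_header helper are assumptions made for this illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed-size ShellLinkHeader (MS-SHLLINK): 0x4C bytes: HeaderSize, LinkCLSID, LinkFlags,
# FileAttributes, CreationTime, AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey, reserved.
HEADER_FMT = "<I16sIIQQQIiIHHII"
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; a zero field was never set."""
    return None if ft == 0 else WIN_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - WIN_EPOCH  # integer arithmetic avoids float rounding of total_seconds()
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_lnk_header(data):
    """Validate the header and return the target's embedded timestamps, size and key flags."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from(HEADER_FMT, data)[:8]
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    return {
        "has_id_list": bool(flags & 0x01),          # HasLinkTargetIDList follows the header
        "has_link_info": bool(flags & 0x02),        # HasLinkInfo: volume and local base path present
        "is_unicode": bool(flags & 0x80),           # IsUnicode: string data is UTF-16LE
        "target_is_directory": bool(attrs & 0x10),  # FILE_ATTRIBUTE_DIRECTORY
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": fsize,
    }

def build_sample_header(created, accessed, written, size, flags=0x83, attrs=0x20):
    """Constructed sample for this example only: a bare header with no trailing structures."""
    return struct.pack(HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, flags, attrs,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)

# Constructed sample values, not taken from any real system.
SAMPLE_LNK = build_sample_header(
    datetime(2024, 10, 1, 9, 15, tzinfo=timezone.utc),
    datetime(2024, 10, 10, 17, 30, tzinfo=timezone.utc),
    datetime(2024, 10, 5, 12, 0, tzinfo=timezone.utc), 2048)

if __name__ == "__main__":
    print(parse_lnk_header(SAMPLE_LNK))
```

When the embedded target timestamps disagree with the .lnk file's own MAC times, that difference itself is a finding worth recording, since the header is copied from the target at the moment the shortcut was written.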

IE/Edge History

An interesting thing about the IE/Edge browsing history is that it also contains files opened on the system, whether or not these files were opened using the browser. Therefore, a valuable source of information about files opened on a system is the IE/Edge history. We can access the history from the following location: C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat


Accessed files/folders appear in the IE/Edge history with the prefix file:///*. Although various tools can be used to analyze web cache data, you can use Autopsy to do this in the attached VM. To do this, select Logical Files as the data source.

Autopsy | Logical Files

When we select the Recent Activity module and the relevant analysis is completed, we get an output as in the screenshot.

Autopsy | Recent Activity

Jump Lists

As we learned in the last topic, Jump Lists create a list of recently opened files. This information can be used to identify both recently run programs and recently opened files on a system.

Stay safe…


Ali Sefer

Information Security Specialist | Purple Team Member