Skip to content

Chapter 1: Introduction to Windows Forensics

Learning Objectives

By the end of this chapter, students should be able to:

  • Analyze the historical evolution of the Windows operating system and its impact on modern forensic investigations.
  • Explain the core architecture of the New Technology File System (NTFS) and its role in data storage.
  • Differentiate between critical Windows artifacts, including timestamps, swap files, and hibernation files.
  • Describe the Windows boot sequence and its relevance to "live" versus "dead" system analysis.
  • Evaluate the forensic implications of Windows security features such as BitLocker, Windows Defender, and Certificate Management.
  • Identify new forensic challenges and features introduced in Windows 11.

1. Introduction to Windows in Forensics

For the digital forensic examiner, the Microsoft Windows operating system remains the most critical environment to master. Despite the meteoric rise of mobile devices and cloud computing, Windows continues to dominate the corporate desktop, government infrastructure, and industrial control sectors. Whether you are a law enforcement officer investigating the possession of contraband material or a corporate incident responder analyzing a complex ransomware attack, the evidence is inextricably bound to the operating system’s logic.

Understanding Windows is not merely about knowing how to navigate the Graphical User Interface (GUI). It requires a deep, almost surgical understanding of how the Operating System (OS) manages resources, how it stores data on the disk, and—crucially for forensics—what traces it leaves behind when a user interacts with files, applications, or the network.

The Duality of Investigation

Throughout this course, we will view evidence through two distinct lenses. While the artifacts remain the same, the goals often differ:

  1. Law Enforcement (LE): The focus is often on attribution and proving possession. Questions typically revolve around user intent: "Did this user download this specific illegal image?" or "Did the suspect knowingly execute the fraud software?"
  2. Corporate/Enterprise: The focus is often on root cause analysis, scope, and remediation. Questions revolve around the mechanics of a breach: "How did the attacker move laterally through the network using Active Directory credentials?" or "What data was exfiltrated before we severed the connection?"

2. History of Windows

To understand current artifacts, an examiner must understand their origins. Windows has evolved through two distinct lineages that eventually merged. While it may seem redundant to study "old" operating systems, legacy code exists within modern Windows 11 to maintain backward compatibility. This means an examiner might find artifacts related to features that have not been used by consumers in decades, yet provide valuable historical data on the system.

The DOS/9x Lineage

Early versions of Windows (3.1, 95, 98, ME) ran on top of MS-DOS. These systems used the File Allocation Table (FAT) file system (specifically FAT16 and later FAT32). While rare in modern desktop investigations, examiners still frequently encounter FAT structures in USB flash drives, SD cards, and body cameras utilized by suspects to hide data outside the main OS. Understanding how FAT deletes files (by marking the first character of the filename with a distinct hex value) is a foundational skill that still applies to these external devices.

The NT Lineage

Modern Windows (Windows 2000, XP, 7, 10, 11, and Server editions) is built on the "New Technology" (NT) kernel. This architecture was designed from the ground up for business environments, introducing robust permission models, multi-user support, and the NTFS file system.

The shift to NT brought about the Hardware Abstraction Layer (HAL), which separates the kernel from direct hardware interaction. For forensics, this standardization means that artifacts are remarkably consistent across different hardware manufacturers. Whether Windows is running on a Dell laptop or a virtual machine in Azure, the core system hives and file structures remain largely identical.

3. The File System: NTFS

The New Technology File System (NTFS) is the default file system for Windows. It is a high-performance, self-healing file system that provides security (Access Control Lists), reliability (journaling), and storage efficiency. For the analyst, NTFS is not just a storage bucket; it is a complex database of metadata.

The Master File Table (MFT)

The heart of NTFS is the Master File Table ($MFT). Every file and directory on an NTFS volume has at least one entry in the MFT. The MFT is essentially a relational database table where every row represents a file.

  • MFT Entry Structure: Each entry is typically 1024 bytes in size. The first few bytes identify it as a "FILE" record.
  • Resident Data: If a file is very small (typically roughly 600-700 bytes or less), its content is stored directly within the MFT record itself rather than being sent to a cluster on the disk. This is critical for forensics; even if the hard drive is formatted, or if a "wiper" malware cleans the free space, "resident" data might persist if the MFT record itself is not fully overwritten. This often happens with small text files, batch scripts, or tiny icon files.
  • Non-Resident Data: Larger files are stored in "clusters" on the drive, and the MFT simply points to their location using a mapping system called "data runs."

Attributes

NTFS treats everything as an attribute. The MFT record is just a collection of these attributes.

  • $STANDARD_INFORMATION: This attribute contains the basic metadata, including timestamps (Created, Modified, Accessed), file permissions, and ownership data.
  • $FILE_NAME: This attribute stores the name of the file and its parent directory. Crucially, it also contains its own set of timestamps. This redundancy allows forensic analysts to detect "timestomping" (anti-forensic manipulation of timestamps) by comparing the $STANDARD_INFORMATION times against the $FILE_NAME times.
  • $DATA: This contains the actual file content (or the pointers to where the content lives on the disk).
Try out this interactive activity to better understand MFT records and attributes.

4. Critical Windows Details

A forensic examination often hinges on correlating specific system behaviors with user actions. The following components are foundational to this analysis.

Windows Timestamps (MACE)

Windows tracks time in 100-nanosecond intervals since January 1, 1601 (UTC). In NTFS, we analyze the "MACE" times:

  1. M (Modified): When the file's content was last changed. This is the most common timestamp users look at.
  2. A (Accessed): When the file was last read, opened, or executed.
    • Forensic Note: In Windows 10 and 11, the updating of the Last Accessed timestamp is often disabled by default to save system performance. Therefore, seeing an old "Accessed" date does not prove the file wasn't opened recently. Conversely, seeing a recent Accessed date is a strong indicator of user interaction (or an antivirus scan).
  3. C (Created): When the file was created on that specific volume.
  4. E (MFT Entry Modified): Often represented as 'B' (Birth) in some tools, or 'Change' in others. This updates when metadata changes (e.g., file size change, permission change, or moving the file within the same volume).

The Copy/Move Paradox: One of the most confusing concepts for students is how Windows handles copying versus moving.

  • If you move a file from Folder A to Folder B on the same drive, the "Created" date stays the same (because the file physically didn't move; only the MFT pointer changed).
  • If you copy a file from a USB drive to the Desktop, the "Created" date becomes the current time (the moment it landed on the Desktop), but the "Modified" date will show the original time the content was authored (e.g., two years ago).
  • Forensic Implication: If a file has a "Created" timestamp that is after its "Modified" timestamp, it is a mathematical certainty that the file was copied from another location or volume.

Active Directory (AD) Basics for Forensics

In enterprise investigations, computers are rarely standalone; they are part of a domain managed by Active Directory. AD handles authentication and authorization.

  • SID (Security Identifier): Windows tracks users not by name (e.g., "John Smith") but by a unique alphanumeric string called a SID.
  • RID (Relative Identifier): The last part of the SID. For example, the builtin Administrator always has a RID of 500.
  • Forensic Value: When analyzing a hard drive image from a terminated employee, you may see "Orphaned SIDs" in the file permissions (e.g., "S-1-5-21-xxxx..."). Resolving these SIDs using the registry (specifically the SAM and SOFTWARE hives) allows the examiner to map actions to specific user accounts, even if those accounts were deleted from the system.
Try out this interactive activity to better understand SID and RIDs in Window systems.

DLLs and Services

  • Dynamic Link Libraries (DLLs): These are shared code libraries (.dll files) used by applications. Malware often performs "DLL Hijacking," replacing a legitimate system DLL with a malicious one to gain execution rights.
  • Services: Background processes that run regardless of who is logged in. Attackers favor installing malware as a service to ensure "persistence"—meaning the malware restarts every time the computer reboots. Analyzing the list of installed services (found in the Registry at SYSTEM\CurrentControlSet\Services) is a standard step in triage.

Swap File and Hiberfil.sys

Windows uses disk space to augment Random Access Memory (RAM).

  • Pagefile.sys (Swap): When physical RAM is full, Windows moves the least-used data "pages" to the hard drive. This file contains fragments of memory, which can include passwords, decrypted emails, unencrypted chat logs, or fragments of images viewed in a browser.
  • Hiberfil.sys (Hibernation): When a laptop hibernates, it takes a snapshot of the entire RAM content and writes it to this file to allow for a quick resume.
  • Forensic Goldmine: If an examiner is analyzing a "dead" (powered off) computer, the hiberfil.sys is essentially a forensic image of the RAM from the moment the machine last hibernated. It allows the examiner to recover data that would typically vanish upon power loss. In modern Windows, "Fast Startup" utilizes this hibernation file even during a shutdown/boot cycle, meaning the hiberfil.sys is almost always relevant.

5. The Windows Boot Sequence

Understanding how Windows starts is vital for troubleshooting and, more importantly, understanding where malware might inject itself to load before security tools do.

The Boot Process Steps

  1. POST (Power On Self Test): The hardware checks itself (RAM count, peripheral check).
  2. UEFI/BIOS: The firmware locates the boot device. Modern systems use UEFI (Unified Extensible Firmware Interface) which supports "Secure Boot." Secure Boot checks the cryptographic signature of the bootloader to ensure no rootkits have tampered with it.
  3. Bootloader (bootmgr): Reads the Boot Configuration Data (BCD) to locate the operating system partition.
  4. Kernel Initialization: The Windows Kernel (ntoskrnl.exe) is loaded into memory.
  5. Session Manager (Smss.exe): This is the first user-mode process started by the kernel. It sets up the environment variables and starts the Winlogon process.
  6. Winlogon.exe: Handles the interactive user login (Ctrl+Alt+Del screen) and loads the user profile.

Warm vs. Cold Booting

  • Cold Boot: Powering the machine on from a completely off state.
  • Warm Boot: Restarting the machine via the OS (Start -> Restart).
  • Forensic Consequence: In a "Cold Boot" attack scenario (rare but scientifically valid), data in RAM chips might fade slowly enough to be recovered if the chips are supercooled immediately after power loss. This is known as a "Remanence Decay" attack.

6. Security Features and Forensics

Microsoft has added layers of security that, while excellent for user protection, complicate the life of a forensic examiner.

Windows Defender

Microsoft's built-in antivirus has evolved into a full Endpoint Detection and Response (EDR) tool.

  • Forensic Artifact: Defender keeps logs of "Quarantined" items. If a suspect downloaded a hacker tool or a known exploit kit, Defender might have blocked it and deleted it. However, the log of that event remains. Finding these logs proves the file existed on the system, defeating the "I never downloaded that" defense.

Certmgr (Certificate Manager)

Windows manages digital certificates to establish trust.

  • Root Certificates: Verify that websites (HTTPS) and software publishers are who they say they are.
  • Forensic Relevance: Attackers sometimes install "Rogue Root Certificates." This allows them to intercept secure HTTPS traffic (Man-in-the-Middle attacks) without the browser warning the user. Checking Certmgr is a standard step in intrusion investigations to see if the system's "Chain of Trust" has been compromised.

BitLocker

BitLocker is Microsoft's full-volume encryption feature. It scrambles the data on the drive so that without the decryption key, the drive appears as random noise (high entropy).

  • The Trusted Platform Module (TPM): BitLocker usually stores the decryption key in the TPM chip soldered onto the motherboard. If the hard drive is removed from the laptop (a common legacy forensic acquisition technique), the TPM is no longer present, and the drive cannot be decrypted.
  • The "Live" vs. "Dead" Dilemma:
    • Live: If a computer is running and encrypted with BitLocker, pulling the plug (Dead Box Forensics) locks the data. The examiner must capture a live image or a RAM dump to recover the encryption keys before shutting down.
    • Dead: If the machine is off, the examiner must obtain the 48-digit BitLocker Recovery Key. This can be found on the user's Microsoft Cloud account, on a printout, or stored in the organization's Active Directory (AD).

7. Windows 11: New Frontiers

Windows 11 introduces specific architecture changes relevant to our analysis.

Trusted Platform Module (TPM) 2.0

Windows 11 strictly enforces the presence of TPM 2.0. This inextricably links the OS to the hardware. It makes "chip-off" forensics (unsoldering memory chips to read them) or drive swapping significantly more difficult without the specific recovery keys, as the encryption is tied to the physical mainboard of the host device.

Modern Standby (S0 Low Power Idle)

Windows 11 aggressively utilizes "Modern Standby." In this state, the laptop screen is off, and it appears to be asleep, but the CPU is still active. It functions like a smartphone—fetching emails, downloading updates, and maintaining network connectivity.

  • Forensic Impact: A laptop that appears to be "asleep" at a crime scene might actually be online. If an examiner seizes it and throws it in the trunk of a car, the device could be remotely wiped by an accomplice before the examiner arrives at the lab. Faraday bags (RF shielding bags) are now mandatory for seizing Windows 11 devices to prevent remote kill signals.

New Artifact Locations

  • Taskbar Integration: Microsoft Teams is integrated into the shell (taskbar) in Windows 11. This creates a new set of SQLite databases for "Chat" that are distinct from the traditional "Teams for Enterprise" logs found in AppData.
  • Widgets: The new Widgets panel creates its own cache of web content, which can contain news articles, weather locations, or stock tickers viewed by the user, providing geolocation and interest-based evidence.

Chapter Summary

Windows forensics requires a balance of historical knowledge and modern adaptability. By understanding the underlying file system (NTFS), the boot process, and the location of critical artifacts like the Registry, MFT, and Swap files, an examiner can reconstruct a user's activity with high precision.

The transition from Windows 10 to 11 has shifted the forensic landscape towards a focus on encryption (BitLocker/TPM) and live-state analysis (Modern Standby). The examiner must not only know where to look for evidence but must also understand how the operating system's power states and security features protect that evidence from retrieval.

Key Terms

  • NTFS (New Technology File System): The proprietary journaling file system developed by Microsoft.
  • MFT (Master File Table): The database that tracks every file on an NTFS volume.
  • Resident Data: Small files stored entirely within the MFT record.
  • MACE: The four timestamps tracked by Windows (Modified, Accessed, Created, Entry Modified).
  • Hiberfil.sys: The hibernation file containing a compressed snapshot of RAM.
  • BitLocker: Windows full-disk encryption technology.
  • TPM (Trusted Platform Module): A hardware cryptoprocessor that secures hardware via integrated cryptographic keys.
  • Modern Standby: A power state in Windows 11 where the system stays connected to the network while in low-power mode.