Forensic analysis of anti‐forensic file‐wiping tools on Windows

AlHarbi, Rayed; Alzahrani, Ali; Bhat, Wasim Ahmad

doi:10.1111/1556-4029.14907

Cited by 8 publications

(8 citation statements)

References 24 publications

(37 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Open&SavePidlMRU is an artifact that contains information about files that have been opened or saved by an application [7]. We determined that Open&SavePidlMRU could potentially have traces of file-wiping tools as it also saves records of exe files.…”

Section: Openandsavepidlmrumentioning

confidence: 99%

“…LastVisitedPidlMRU artifact provides information about the application used to view or store files in Open&SavePidlMRU, as well as the locations of files that were previously accessed by those applications [7]. Therefore, it can be determined that if a file-wiping tool was used, traces of it may remain in this artifact.…”

Section: Lastvisitedpidlmrumentioning

confidence: 99%

“…LNK file is a shell item which automatically generated by the Windows OS as a result of the execution of the file or folder such as an application's executable file, document, or image. They contain information such as the name, size, and location accessed file [7]. If the lnk file of a file‐wiping tool remains, it can be assumed that the program was executed, so we decided to consider it in our study.…”

Section: Target Artifactsmentioning

confidence: 99%

“…Previous studies have attempted to detect wiping traces by analyzing remaining artifacts or changes in data areas after wiping [7–10]. These studies have made significant contributions, but there are limitations when dealing with new wiping tools or analyzing new artifacts.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

A reference database of Windows artifacts for file‐wiping tool execution analysis

Joo

Lee

Jeong

2023

Journal of Forensic Sciences

View full text Add to dashboard Cite

Anti‐forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file‐wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti‐forensic techniques that detect file‐wiping activities. Many previous studies have focused on the effects of file‐wiping tools on $MFT, $LogFile, and $DATA, rather than on Windows artifacts. Additionally, previous studies that have examined Windows artifacts have considered different artifacts, making it difficult to study them in a comprehensive manner. To address this, we focused on analyzing traces in 13 Windows artifacts of 10 file‐wiping tools' operations in the Windows operating system comprehensively. For our experiments, we installed each file‐wiping tool on separate virtual machines and checked the traces that the tools left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces on other artifacts, except for JumpList, Open&SavePidlMRU, and lnk. There were also some cases where traces remained on the other three artifacts. Based on our research, forensic investigators can quickly identify whether a file‐wiping tool has been used, and it can assist in decision‐making for evidence collection and forensic triage.

show abstract

Section: Openandsavepidlmrumentioning

confidence: 99%

Section: Lastvisitedpidlmrumentioning

confidence: 99%

Section: Target Artifactsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A reference database of Windows artifacts for file‐wiping tool execution analysis

Joo

Lee

Jeong

2023

Journal of Forensic Sciences

View full text Add to dashboard Cite

show abstract

“…For example, an email client toast notification might hold data and metadata-sender, date/time-about incoming emails. Although the amount of data are limited, it might be useful when common forensic artifacts have provided no valuable data, or the machine was cleaned with anti-forensic software [5,6]. Additional details about anti-forensic software are presented in Section 3.1.…”

Section: Introductionmentioning

confidence: 99%

A Digital Forensic View of Windows 10 Notifications

2022

View full text Add to dashboard Cite

Windows Push Notifications (WPN) is a relevant part of Windows 10 interaction with the user. It is comprised of badges, tiles and toasts. Important and meaningful data can be conveyed by notifications, namely by so-called toasts that can popup with information regarding a new incoming email or a recent message from a social network. In this paper, we analyze the Windows 10 Notification systems from a digital forensic perspective, focusing on the main forensic artifacts conveyed by WPN. We also briefly analyze Windows 11 first release’s WPN system, observing that internal data structures are practically identical to Windows 10. We provide an open source Python 3 command line application to parse and extract data from the Windows Push Notification SQLite3 database, and a Jython module that allows the well-known Autopsy digital forensic software to interact with the application and thus to also parse and process Windows Push Notifications forensic artifacts. From our study, we observe that forensic data provided by WPN are scarce, although they still need to be considered, namely if traditional Windows forensic artifacts are not available. Furthermore, toasts are clearly WPN’s most relevant source of forensic data.

show abstract