WINDOWS EVENT LOGS
Windows maintains a record of application and system activity in its event logs. These entries are created automatically by the operating system and can provide significant information about the chronological actions performed by users and by the system, including user logons and logoffs; file access (only where object-access auditing has been enabled); account creation; the services that are running; and the installation of drivers. They are typically used for troubleshooting the computer. On Windows XP and Server 2003 the logs are the .evt files in %SystemRoot%\System32\config; from Windows Vista onwards they are stored as .evtx files in %SystemRoot%\System32\winevt\Logs.
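The logon, account-creation and service-installation entries described above can be pulled into a single chronological timeline with PowerShell's Get-WinEvent. The script below is an added example, not the book's own code; the evidence path and the CSV output path are assumptions, and it reads exported .evtx files rather than the live logs so that it can run against a copy taken from the examined machine.

```powershell
# Added example (not the book's code): build a chronological logon/account/service
# timeline from exported Security and System event logs. Assumed path: a copy of
# %SystemRoot%\System32\winevt\Logs taken from the examined machine. To run it live
# on the machine itself, replace the Path key with LogName = $log.
$EvtxRoot = 'E:\evidence\winevt\Logs'

# Vista-and-later Security/System event IDs. (On Windows XP/2003 the equivalent
# Security IDs are 528 logon, 538 logoff and 624 account created.)
$WatchIds = @{
    4624 = 'Logon'
    4634 = 'Logoff'
    4672 = 'Privileged logon'
    4720 = 'User account created'
    4688 = 'Process created'      # only present if process-tracking auditing is on
    7045 = 'Service installed'    # System log
}
$LogonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock';
                 8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

$events = foreach ($log in 'Security', 'System') {
    $path = Join-Path $EvtxRoot "$log.evtx"
    if (-not (Test-Path $path)) { Write-Warning "missing $path"; continue }
    # Get-WinEvent reports 'No events were found' as an error when a filter matches nothing
    Get-WinEvent -FilterHashtable @{ Path = $path; Id = [int[]]$WatchIds.Keys } -ErrorAction SilentlyContinue
}

$timeline = foreach ($e in ($events | Sort-Object TimeCreated)) {
    # The named EventData fields are only reachable through the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        TimeUtc = $e.TimeCreated.ToUniversalTime()
        Id      = $e.Id
        Action  = $WatchIds[$e.Id]
        Account = if ($d.TargetUserName) { "$($d.TargetDomainName)\$($d.TargetUserName)" } else { $d.SubjectUserName }
        Detail  = switch ($e.Id) {
            4624    { "type=$($LogonTypes[[int]$d.LogonType]) from=$($d.IpAddress) ws=$($d.WorkstationName)" }
            4634    { "type=$($LogonTypes[[int]$d.LogonType])" }
            4720    { "created by $($d.SubjectUserName)" }
            4688    { $d.NewProcessName }
            7045    { "$($d.ServiceName) -> $($d.ImagePath) as $($d.AccountName)" }
            default { '' }
        }
    }
}

$timeline | Format-Table -AutoSize
$timeline | Export-Csv -NoTypeInformation -Path 'E:\evidence\logon-timeline.csv'   # assumed output path
```

TimeCreated is reported in the analysis machine's local time, so the script converts it to UTC before it is written out; when several evidence sources are merged into one timeline, that conversion is what keeps them comparable. Logon type 10 (RemoteInteractive) and type 3 (Network) entries with a non-local IpAddress are the ones that most often need explaining in an investigation.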
WINDOWS REGISTRY
The Windows registry is a hierarchical database of settings describing the users, applications and hardware on the system, together with their associated configuration, which allows the system to be configured correctly at boot-up. It is stored on disk in a binary format (the hive files SAM, SECURITY, SOFTWARE and SYSTEM in %SystemRoot%\System32\config, plus an NTUSER.DAT in each user's profile) that requires decoding to be read; numerous tools can do this. Once opened it provides a wealth of information, including but by no means limited to evidence of the applications and files a user has opened, the devices that were connected, and the IP addresses used.
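Three of the artifacts just listed (devices connected, IP addresses used, files opened) can be read directly from hive files copied out of a forensic image by loading them under temporary keys. The script below is an added example and not the book's code; the image mount point and the user profile name are assumptions, and it must run elevated because reg.exe load requires it.

```powershell
# Added example (not the book's code): read three registry artifacts from hive
# files copied out of a forensic image. Paths and the profile name 'jsmith' are
# assumptions. Run elevated.
$SystemHive = 'E:\image\Windows\System32\config\SYSTEM'
$NtUserHive = 'E:\image\Users\jsmith\NTUSER.DAT'

# Mount the hive files under temporary keys; the HKLM:/HKU: drives then expose them
reg.exe load HKLM\EvSYSTEM $SystemHive | Out-Null
reg.exe load HKU\EvUSER   $NtUserHive | Out-Null
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

try {
    # Which ControlSet was live at the last boot
    $cs  = (Get-ItemProperty 'HKLM:\EvSYSTEM\Select').Current
    $ccs = 'HKLM:\EvSYSTEM\ControlSet{0:D3}' -f $cs

    # 1. USB mass-storage devices ever attached: vendor/product from the key name,
    #    device serial (or a Windows-generated ID ending in '&0') from the subkey name
    $usb = foreach ($dev in Get-ChildItem "$ccs\Enum\USBSTOR" -ErrorAction SilentlyContinue) {
        foreach ($inst in Get-ChildItem $dev.PSPath) {
            [pscustomobject]@{
                Device       = $dev.PSChildName
                Serial       = $inst.PSChildName
                FriendlyName = (Get-ItemProperty $inst.PSPath).FriendlyName
            }
        }
    }

    # 2. IP addresses: per-interface TCP/IP parameters; DHCP lease times are Unix epoch seconds
    $epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $ips = foreach ($if in Get-ChildItem "$ccs\Services\Tcpip\Parameters\Interfaces") {
        $p = Get-ItemProperty $if.PSPath
        [pscustomobject]@{
            Interface  = $if.PSChildName
            DhcpIP     = $p.DhcpIPAddress
            StaticIP   = ($p.IPAddress -join ',')
            DhcpServer = $p.DhcpServer
            LeaseUtc   = if ($p.LeaseObtainedTime) { $epoch.AddSeconds($p.LeaseObtainedTime) }
        }
    }

    # 3. Files recently opened: each RecentDocs value is REG_BINARY starting with a
    #    null-terminated UTF-16 file name; MRUListEx lists the value names as 32-bit
    #    integers, most recent first, terminated by 0xFFFFFFFF (-1)
    $rd = Get-ItemProperty 'HKU:\EvUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    $order = @(for ($i = 0; $i + 4 -le $rd.MRUListEx.Length; $i += 4) { [BitConverter]::ToInt32($rd.MRUListEx, $i) })
    $recent = foreach ($slot in ($order | Where-Object { $_ -ge 0 })) {
        $raw = $rd.PSObject.Properties["$slot"].Value
        if (-not $raw) { continue }
        $text = [Text.Encoding]::Unicode.GetString($raw)
        [pscustomobject]@{ Rank = [array]::IndexOf($order, $slot); Name = $text.Substring(0, $text.IndexOf([char]0)) }
    }

    $usb    | Format-Table -AutoSize
    $ips    | Format-Table -AutoSize
    $recent | Format-Table -AutoSize
}
finally {
    # Release PowerShell's key handles first, otherwise reg unload fails with "access denied"
    [gc]::Collect()
    reg.exe unload HKU\EvUSER   | Out-Null
    reg.exe unload HKLM\EvSYSTEM | Out-Null
}
```

One caveat when working from a copied hive: on Vista and later, changes not yet flushed to the hive sit in its .LOG1/.LOG2 transaction logs, so a hive taken from a machine that was not shut down cleanly may be missing the most recent entries unless those logs are replayed.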
RESTORE POINTS
Microsoft Windows provides a service known as System Restore, and the version of Windows determines what a restore point actually contains. The simple purpose of a restore point is to take a snapshot of the computer at a predefined date and time, or when an event occurs (such as the installation of software), so that the user can roll the system back if an error occurs. Restore points contain snapshots of the Windows registry, system files and LNK files, and with later versions of Windows (which build restore points on the Volume Shadow Copy Service) they can also include previous versions of user files. This can be an invaluable resource for an investigation, as it preserves historic information such as applications that are no longer installed. Windows XP has a default retention period of 90 days for restore points, whereas later versions are limited only by the amount of disk space permitted for their use.
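The "applications that are no longer installed" case can be demonstrated by pulling the SOFTWARE hive out of each shadow copy and comparing its Uninstall keys with the live registry. The script below is an added example, not the book's code; the output directory is an assumption, and it is meant to run elevated on the examined machine itself (useful where, as in the case study that follows, devices may not be removed from the premises), since the snapshots live on that machine's volumes.

```powershell
# Added example (not the book's code): enumerate the Volume Shadow Copies that back
# restore points on Vista and later, copy the SOFTWARE hive out of each, and list the
# applications present in the snapshot that are no longer installed. Output path is
# an assumption. Run elevated on the examined machine.
$OutDir = 'E:\evidence\shadow-hives'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$Uninstall = 'Microsoft\Windows\CurrentVersion\Uninstall'
function Get-InstalledNames([string]$hiveRoot) {
    # Both the native and the 32-bit (WOW6432Node) uninstall keys
    foreach ($sub in $Uninstall, "WOW6432Node\$Uninstall") {
        Get-ChildItem "$hiveRoot\$sub" -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty $_.PSPath).DisplayName } |
            Where-Object { $_ }
    }
}

# 1. Snapshot inventory (the same information 'vssadmin list shadows' prints)
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
$shadows | Format-Table InstallDate, VolumeName, DeviceObject -AutoSize

# 2. Copy SOFTWARE out of each snapshot. The device object is only browsable through a
#    directory symbolic link whose target ends in a backslash.
foreach ($s in $shadows) {
    $tag  = '{0}-{1}' -f $s.InstallDate.ToUniversalTime().ToString('yyyyMMdd-HHmmss'), $s.ID.Substring(1, 8)
    $link = Join-Path $env:TEMP "shadow-$tag"
    cmd.exe /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        Copy-Item "$link\Windows\System32\config\SOFTWARE" (Join-Path $OutDir "SOFTWARE-$tag") -ErrorAction Stop
    } catch {
        Write-Warning "no SOFTWARE hive in snapshot $tag ($($s.VolumeName)): $_"
    } finally {
        cmd.exe /c rmdir "$link" | Out-Null
    }
}

# 3. Compare each historic hive with the live registry
$live = @(Get-InstalledNames 'HKLM:\SOFTWARE')
foreach ($hive in Get-ChildItem $OutDir -Filter 'SOFTWARE-*') {
    reg.exe load HKLM\ShadowSOFT $hive.FullName | Out-Null
    try {
        $old     = @(Get-InstalledNames 'HKLM:\ShadowSOFT')
        $removed = @($old | Where-Object { $live -notcontains $_ })
        "`n== $($hive.Name): $($removed.Count) application(s) since uninstalled =="
        $removed
    } finally {
        [gc]::Collect()     # release PowerShell's key handles so the unload succeeds
        reg.exe unload HKLM\ShadowSOFT | Out-Null
    }
}
```

On Windows XP the same data is not held in shadow copies but in System Volume Information\_restore{GUID}\RPnn\snapshot\ on each volume, where the hive copies are named _REGISTRY_MACHINE_SOFTWARE, _REGISTRY_MACHINE_SYSTEM and so on; the comparison step above works unchanged once those files are copied out of the image.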
CASE STUDY
Following reports of customers being mis-sold legal documentation, a legal practice requested a high-tech investigation. Arrangements were made to attend the premises of the organization under investigation; the legal proceedings meant that the organization had no prior notice of the visit, which prevented malicious destruction of data. A legal stipulation, intended to reduce loss of revenue for the business, meant that digital devices could not be removed from the premises. Pre-search intelligence identified that up to 20 staff worked at the premises at