5 Things to Look for in a Forensic Investigation

white paper bytes
Jan 17

E-discovery is usually thought of as the process of collecting, reviewing and producing electronically stored information to the opposing party.  Often, however, the greatest benefit of e-discovery comes not from the processing and review side but from the analysis and investigation side: the side where your expert takes a deep dive into the electronic devices to find out what happened on a machine in its final hours in the hands of the user.  Typically that user is a former employee who left for unknown reasons with handfuls of confidential and proprietary information.  Sometimes it is an estranged spouse, or an executive suspected of misusing funds.  Many times these forensic investigations bear the fruit that drives a quick and decisive resolution.

The investigation, however, needs to focus on more than just running search terms or identifying file names and file types to review.  There are logs, listings and reports on the machine that can guide the investigator to the best evidence: crumbs the user frequently leaves behind in parts of the machine where most would never think to look, let alone attempt to alter.

ShellBags

ShellBags is the term for a set of registry keys in which Windows Explorer stores a user's folder view preferences: window size and position, view mode, sort order and visible columns, recorded for every folder the user has opened in Explorer.  On Windows 7 and later they live under Software\Microsoft\Windows\Shell\BagMRU and Bags in NTUSER.DAT, and under Local Settings\Software\Microsoft\Windows\Shell\BagMRU and Bags in UsrClass.dat.  Because an entry is only created when a folder is actually browsed, ShellBags analysis can demonstrate that a user opened particular folders, including folders on external storage devices and on network shares, and the last-written time of the key dates that activity.  The entries are not removed when the folder is deleted or the device is unplugged, so if the user's registry hives are collected before the profile is destroyed, the user's access to these resources is preserved well after the accessed resource has been deleted or is no longer accessible.

LNK Files

Microsoft Windows makes extensive use of LNK (shortcut) files.  Most of the icons on the Windows desktop and many of the items that cascade from the Start menu are LNK files.  So are the entries under 'Recent Items' (formerly 'My Recent Documents'): Windows writes a LNK file into the user's Recent folder each time a document-type file is opened, and many individual applications also keep their own list of recently opened files.  A LNK file records the target's path and file name, its size, its creation, access and modification times as of the last time the shortcut was updated, and, for the volume the target sat on, the drive type (fixed, removable, CD-ROM or network), the volume serial number and the volume label.  When a file was opened from removable media, the LNK file therefore preserves the letter of the drive used as well as the path and the name of the file.  Registry analysis ties that drive letter to a specific device (the MountedDevices key maps drive letters to device instances, and on Windows 7 the EMDMgmt key records volume serial numbers alongside the device's USBSTOR name).  In this way files that were viewed on CDs, USB flash drives and networked computers can be identified even when those devices are no longer connected to the computer.
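The fields described above are laid out in the MS-SHLLINK format: a fixed 76-byte ShellLinkHeader carrying the target's FILETIME stamps and size, followed (when the HasLinkInfo flag is set) by a LinkInfo structure whose VolumeID holds the drive type, volume serial and label and whose LocalBasePath holds the drive letter and path. The parser below is an added example written for this article, not the author's tooling; it builds a minimal shortcut inline (a constructed sample, with a made-up file, label and serial) so it runs offline. Note that the serial it recovers is the volume serial number assigned by the file system, not the hardware serial of the USB device; the two are tied together through the registry keys mentioned above.

```python
"""Parse the forensically useful fields of a Windows shortcut (.lnk):
target timestamps and size from the ShellLinkHeader, and drive type, volume
serial, volume label and local path from the LinkInfo structure (MS-SHLLINK).
Added example for this article; the sample shortcut below is constructed inline."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC; 0 means unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def cstring(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    hsize, clsid = struct.unpack_from("<I16s", data, 0)
    if hsize != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"target_size": size,
            "target_created": filetime_to_dt(ctime),
            "target_accessed": filetime_to_dt(atime),
            "target_modified": filetime_to_dt(wtime)}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the shell item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        (li_size, _hdr_size, li_flags, vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            v = off + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<4I", data, v)
            info["drive_type"] = DRIVE_TYPES.get(dtype, hex(dtype))
            info["volume_serial"] = f"{serial:08X}"   # file-system volume serial, not the USB device serial
            info["volume_label"] = cstring(data, v + label_off)
            info["local_base_path"] = cstring(data, off + base_off)
            info["common_path_suffix"] = cstring(data, off + suffix_off)
        off += li_size
    return info


def build_sample_lnk(local_path, label, serial, drive_type, target_mtime, target_size):
    """Construct a minimal .lnk (header + LinkInfo only) so the parser can run offline."""
    label_b, path_b, suffix_b = label.encode() + b"\0", local_path.encode() + b"\0", b"\0"
    # VolumeID: size, DriveType, DriveSerialNumber, VolumeLabelOffset (0x10 = label follows directly)
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    vol_off = 28                                  # LinkInfoHeaderSize without optional unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path_b)
    link_info = struct.pack("<7I", suffix_off + len(suffix_b), 28,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + path_b + suffix_b
    ft = dt_to_filetime(target_mtime)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         ft, ft, ft, target_size, 0, 1, 0, 0, 0, 0)
    return header + link_info


# Constructed sample: a spreadsheet opened from a removable drive mounted as E:
SAMPLE_LNK = build_sample_lnk(r"E:\Projects\client-list.xlsx", "KINGSTON", 0x1C2B3A4F, 2,
                              datetime(2019, 1, 17, 9, 30, tzinfo=timezone.utc), 48_213)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:20} {value}")
```

Against a real Recent folder the same `parse_lnk` is run over every file in the directory; the target timestamps come from the target file itself, while the shortcut's own file-system timestamps (not parsed here) give the time the file was first and last opened from that location.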

USB Device History

USB ports let you quickly connect and use accessories such as mice, keyboards and storage devices.  When a USB storage device is plugged in for the first time, Windows installs a driver for it and records it in the registry: the device's vendor, product and revision strings and its serial number become the name of its key under SYSTEM\CurrentControlSet\Enum\USBSTOR (with the vendor and product IDs under Enum\USB), the MountedDevices key records the drive letter or volume GUID the volume was mounted as, and setupapi.dev.log records the date and time of that first installation.  These entries persist after the device is removed, so the operating system effectively holds a list of all the USB devices that have ever been connected to the system.  The device description, its type (printer, camera, disk drive etc.), whether it was connected through a USB hub, its drive letter and the device's serial number can all be identified under the right conditions.  One caveat: if the second character of the instance ID under USBSTOR is an ampersand, the device did not report a serial number and Windows generated one, which will differ from machine to machine and cannot be used to match the device across computers.
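Putting those three artefacts together is the usual first step of a USB investigation: the USBSTOR key names give vendor, product, revision and serial, MountedDevices gives the drive letter each device was mounted as, and setupapi.dev.log gives the first time each was connected. The script below is an added example written for this article, not the author's tooling; the USBSTOR key names, MountedDevices values and log excerpt are constructed to mirror the real formats (in practice they would be read from an exported SYSTEM hive and from C:\Windows\INF\setupapi.dev.log). It also applies the ampersand rule to flag Windows-generated serials.

```python
"""Reconstruct USB mass-storage history from three Windows artefacts: the
USBSTOR enumeration keys, the MountedDevices key and setupapi.dev.log.
Added example for this article; every input below is constructed, not taken
from a real system."""
import re

# Constructed subkey paths as they appear under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
USBSTOR_KEYS = [
    r"Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0C9D92B0E0A1B2C3&0",
    r"Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\4C530001150225116523&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1e4a3b2c&0&_&0",   # device reported no serial
]
# Constructed MountedDevices values (value name -> raw data). USB volumes decode to a
# UTF-16LE "_??_USBSTOR#..." string; fixed disks hold a binary disk signature + offset.
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d400000000" "0000001000000000"),
    "\\DosDevices\\E:": ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP#"
                         "0C9D92B0E0A1B2C3&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
    "\\DosDevices\\F:": ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26#"
                         "4C530001150225116523&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}
# Constructed excerpt of C:\Windows\INF\setupapi.dev.log (first-install records)
SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0C9D92B0E0A1B2C3&0]
>>>  Section start 2019/01/15 14:02:37.512
<<<  Section end 2019/01/15 14:02:39.101
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\4C530001150225116523&0]
>>>  Section start 2019/01/17 08:41:05.220
"""

USBSTOR_RE = re.compile(
    r"Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\#]*)[\\#](?P<instance>[^\\#]+)")
SETUP_RE = re.compile(
    r">>>\s+\[Device Install .*? - USBSTOR\\[^\]]*\\(?P<instance>[^\]\\]+)\]\s+"
    r">>>\s+Section start (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)")


def parse_usbstor(key_path):
    """Split a USBSTOR key name into vendor/product/revision/serial.
    A second character of '&' in the instance ID means Windows generated it."""
    m = USBSTOR_RE.search(key_path)
    if not m:
        return None
    inst = m.group("instance")
    generated = len(inst) > 1 and inst[1] == "&"
    return {"vendor": m.group("vendor"), "product": m.group("product"),
            "revision": m.group("rev"), "instance": inst,
            "serial": inst if generated else inst.split("&")[0],   # drop the '&0' interface suffix
            "windows_generated_serial": generated}


def drive_letters_by_instance(mounted):
    """Map USBSTOR instance ID -> drive letters it was mounted as."""
    out = {}
    for name, data in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:
            continue                       # binary signature of a fixed disk, not a USB volume
        if not text.startswith("_??_USBSTOR#"):
            continue
        instance = text.split("#")[2]      # _??_USBSTOR#<device id>#<instance>#{interface guid}
        out.setdefault(instance, []).append(name.rsplit("\\", 1)[1])
    return out


def first_install_times(log_text):
    """Instance ID -> timestamp of the 'Device Install' section that first set it up."""
    return {m.group("instance"): m.group("ts") for m in SETUP_RE.finditer(log_text)}


def usb_history(usbstor_keys=USBSTOR_KEYS, mounted=MOUNTED_DEVICES, log_text=SETUPAPI_LOG):
    letters, installed = drive_letters_by_instance(mounted), first_install_times(log_text)
    rows = []
    for key in usbstor_keys:
        dev = parse_usbstor(key)
        if dev:
            dev["drive_letters"] = letters.get(dev["instance"], [])
            dev["first_installed"] = installed.get(dev["instance"])
            rows.append(dev)
    return rows


if __name__ == "__main__":
    for row in usb_history():
        print(row)
```

The timestamps in setupapi.dev.log are local time on the examined machine, while registry key last-write times are UTC; normalise before placing both on one timeline.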

Event Logs

The information residing in the event logs is an important source of forensic information because each entry ties an event to a particular point in time.  The Security log is a vital part of the system's security structure: it records the verification of users logging on to the Windows system, password changes, the creation of access tokens, and the audit entries written by other subsystems.  Depending on the audit policy in force, Windows logs account logon, account management, directory service access, object access, policy change, privilege use, process tracking and other system events.  Two practical points: categories that are not enabled in the audit policy are simply absent from the log, and the Security log itself can be cleared by an administrator, although clearing it leaves event 1102 ("the audit log was cleared") behind as its own trace.
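In practice the investigator exports the Security log (Get-WinEvent or wevtutil produce the XML form used here) and reduces it to a logon timeline, reading the event IDs (4624 logon, 4634 logoff, 4625 failed logon, 4672 special privileges assigned, 4688 process created, 4720 account created, 1102 log cleared) and the logon type of each logon (2 interactive at the console, 3 network, 7 unlock, 10 remote desktop). The script below is an added example written for this article, not the author's tooling; the six events are constructed in the Windows event XML schema, with a made-up user, computer and address, and the 1102 event carries its fields under UserData as the real one does.

```python
"""Build a logon timeline from Security log events exported as XML. Added
example for this article; the events below are constructed, not real records."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SEC_PROVIDER = "Microsoft-Windows-Security-Auditing"
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
EVENT_NAMES = {4624: "logon", 4625: "failed logon", 4634: "logoff",
               4672: "special privileges assigned", 4688: "process created",
               4720: "user account created", 1102: "audit log cleared"}


def event_xml(event_id, when, data, provider=SEC_PROVIDER, user_data_tag=None):
    """Constructed event in the Windows event XML schema (System + EventData/UserData)."""
    if user_data_tag:   # e.g. 1102 carries its fields under UserData/LogFileCleared
        fields = "".join(f"<{k}>{v}</{k}>" for k, v in data.items())
        body = f"<UserData><{user_data_tag}>{fields}</{user_data_tag}></UserData>"
    else:
        fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
        body = f"<EventData>{fields}</EventData>"
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
            f"<Computer>WS-FINANCE-07</Computer></System>{body}</Event>")


SAMPLE_EVENTS = [   # constructed: console logon, admin token, bulk copy, evening RDP session, log wipe
    event_xml(4624, "2019-01-17T08:02:11.000Z", {"TargetUserName": "jsmith", "LogonType": 2, "IpAddress": "-"}),
    event_xml(4672, "2019-01-17T08:02:11.000Z", {"SubjectUserName": "jsmith"}),
    event_xml(4688, "2019-01-17T08:40:53.000Z", {"SubjectUserName": "jsmith",
                                                 "NewProcessName": r"C:\Windows\System32\robocopy.exe"}),
    event_xml(4624, "2019-01-17T21:15:02.000Z", {"TargetUserName": "jsmith", "LogonType": 10,
                                                 "IpAddress": "203.0.113.45"}),
    event_xml(4634, "2019-01-17T22:03:40.000Z", {"TargetUserName": "jsmith", "LogonType": 10}),
    event_xml(1102, "2019-01-18T07:58:19.000Z", {"SubjectUserName": "jsmith"},
              provider="Microsoft-Windows-Eventlog", user_data_tag="LogFileCleared"),
]


def parse_event(xml_text):
    """Flatten one event into a dict: System fields plus every EventData/UserData field."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"event_id": int(system.find("e:EventID", NS).text),
           "time": system.find("e:TimeCreated", NS).get("SystemTime"),
           "computer": system.find("e:Computer", NS).text}
    for d in root.iterfind("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text
    user_data = root.find("e:UserData", NS)
    if user_data is not None:
        for container in user_data:
            for field in container:
                rec[field.tag.split("}")[-1]] = field.text   # strip namespace from tag
    return rec


def logon_timeline(events):
    """(time, description) rows in time order, flagging remote logons and log clearing."""
    rows = []
    for rec in sorted((parse_event(x) for x in events), key=lambda r: r["time"]):
        eid = rec["event_id"]
        user = rec.get("TargetUserName") or rec.get("SubjectUserName") or "?"
        note = ""
        if eid in (4624, 4625, 4634):
            lt = int(rec.get("LogonType", 0))
            note = f" type {lt} ({LOGON_TYPES.get(lt, 'unknown')})"
            if lt == 10:
                note += f" from {rec.get('IpAddress')} [REMOTE]"
        elif eid == 4688:
            note = f" {rec.get('NewProcessName')}"
        elif eid == 1102:
            note = " [LOG CLEARED]"
        rows.append((rec["time"], f"{EVENT_NAMES.get(eid, f'event {eid}')}: {user}{note}"))
    return rows


if __name__ == "__main__":
    for when, what in logon_timeline(SAMPLE_EVENTS):
        print(when, what)
```

A gap in the sequence (a logoff with no matching logon, or the first surviving event dated after the 1102) is itself evidence of what the log no longer contains.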

Timeline Analysis

Frequently the most critical task in an investigation is to align events as they actually occurred in real time.  If you can put the pieces together in order, you can quickly focus on the relevant data.  One way of doing this is file system timeline analysis: every file and folder on an NTFS volume carries modified, accessed, changed and created (MACB) timestamps in the master file table, and listing them in order shows the big picture of how a computer was used.  By focusing on when documents were created or applications used, the investigator can identify periods of high activity.  Areas of the machine that were in heavy use just before the user turned the computer over help identify which directories hold the most relevant information, and a timeline also shows every place that had activity in the window when the misappropriation occurred, which is useful when you want to see all of the places where the user placed files.  One caveat: since Windows Vista the NTFS last-access timestamp is not reliably updated by default, so the A in MACB is the weakest of the four and should not be used on its own to say a file was opened.

These are just a few areas where you can focus your forensic investigation.  There are a number of other areas where the user may leave clues, such as Internet history, data exfiltration and cloud syncing, that we will cover later this year.

The days of simply running search-term filters across a computer to identify the core relevant information are in the past.  The amount of relevant information hidden from the everyday user, together with the increasing sophistication of the casual user, requires a more rigorous investigation when building a case.  Short of completely wiping the computer, the user will typically leave a few crumbs behind.