
AMERICAN UNIVERSITY OF SCIENCE & TECHNOLOGY

FACULTY OF ENGINEERING

DEPARTMENT OF COMPUTER SCIENCE AND COMMUNICATIONS ENGINEERING

Windows Forensic
Image Case Study
MAY 2024
Presented by:
Anthony Debbas
Jamal El Jari
Mohamad Taleb
Submitted to:
Dr. Elie Nassr

Copyright 2024 American University of Science and Technology


OUTLINE

Introduction

Objectives

Tools That Can Be Used

Image Acquisition

Analysis of Evidence

Conclusion



INTRODUCTION

• In the digital age, understanding and effectively analyzing digital evidence is paramount in numerous fields, from law enforcement to cybersecurity. This project delves into the realm of Windows forensic analysis, focusing on the examination of digital artifacts within a Windows operating system to uncover potential evidence relevant to an investigation.



Objective

• The primary objective of this project is to demonstrate proficiency in conducting forensic analysis on a
Windows system image. Through a systematic approach, we aim to extract, analyze, and interpret various
artifacts present within the system, shedding light on user activities, system events, and potential security
incidents.

Tools That Can Be Used

FTK Imager (Forensic Toolkit Imager)

FTK Imager, a free tool, ensures the integrity of digital evidence by analyzing
drive images without modifying their original state. It supports all operating
systems, recovers deleted files, parses XFS files, and generates file hashes for
data integrity checks. Therefore, it is a crucial tool for forensic investigations.

Wireshark
Wireshark is the world’s most-used network protocol analysis tool, trusted by
governments, corporations, and academic institutions worldwide. It provides
microscopic-level visibility into network activity by capturing and analyzing network
traffic. With a user-friendly interface available on multiple operating systems,
Wireshark aids in detecting and investigating malicious activity. It supports various
data sources and allows exporting of output in multiple formats.

Autopsy
Autopsy is a modular and user-friendly digital forensics platform used by investigators to
assess computer and phone data. It offers timeline analysis, hash filtering, keyword search, web
artifact extraction, file recovery, and rapid identification of indicators of compromise.
Background jobs run in parallel, providing quick results for targeted keywords. Autopsy also
allows for creating a centralized repository and is an open-source solution. It is currently
available for Windows only.

Image Acquisition

FTK Imager is a powerful forensic imaging tool used to acquire disk images and perform various
forensic tasks. Here are the steps to create an image using FTK Imager:

Step 1: Choose Source Drive: In the "Select Source" window, choose the drive or device you want to create an image of. This could be a physical disk, a partition, or a logical drive.

Step 2: Choose Destination: Next, you'll need to specify the destination where you want to save the image file. Click on the "Add" button to select the destination folder and provide a name for the image file.

Image Acquisition
Step 3: Select Image Type: Choose the type of image you want to create. FTK Imager offers several options, including "Raw (dd)", "E01", and "SMART". Select the appropriate type based on your requirements. The E01 format is commonly used in forensic investigations.

Step 4: Evidence Item Information: give some evidence item information like case number, examiner and some notes.



Image Acquisition

Step 6: Start Imaging: Once you've configured the settings, click on the "Start" button to begin the imaging process. FTK Imager will start creating the disk image.

Step 7: Monitor Progress: You can monitor the progress of the imaging process in the FTK Imager interface. Depending on the size of the disk and the options you've selected, this process may take some time.
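Once imaging finishes, the hashes FTK Imager records are what later proves the copy is unchanged. The following PowerShell script is an added example, not part of the slides: it recomputes MD5 and SHA1 over the image and compares them with the summary text file FTK Imager writes beside it. It assumes a single-segment raw (dd) image, that the summary file carries "MD5 checksum:" and "SHA1 checksum:" lines, and the two paths are placeholders.

```powershell
# Added example (not from the slides): verify an acquired raw image against the
# hashes recorded in FTK Imager's summary .txt file.
# Assumptions: $ImagePath and $SummaryPath are placeholder paths; the summary
# file contains lines such as "MD5 checksum:  <hex>" and "SHA1 checksum:  <hex>".
param(
    [string]$ImagePath   = 'E:\Evidence\case001.001',    # placeholder
    [string]$SummaryPath = 'E:\Evidence\case001.001.txt' # placeholder
)

# Pull the expected digests out of the summary text, keyed by algorithm name.
$expected = @{}
foreach ($line in Get-Content -Path $SummaryPath) {
    if ($line -match '^\s*(MD5|SHA1)\s+checksum:\s*([0-9a-fA-F]+)\s*$') {
        $expected[$Matches[1]] = $Matches[2].ToLower()
    }
}
if ($expected.Count -eq 0) { throw "No MD5/SHA1 checksum lines found in $SummaryPath" }

# Recompute each digest over the whole image and compare with what was recorded.
$results = foreach ($alg in $expected.Keys) {
    $computed = (Get-FileHash -Path $ImagePath -Algorithm $alg).Hash.ToLower()
    [pscustomobject]@{
        Algorithm = $alg
        Expected  = $expected[$alg]
        Computed  = $computed
        Match     = ($computed -eq $expected[$alg])
    }
}
$results | Format-Table -AutoSize

# Any mismatch means this copy is not the image that was acquired: stop and
# re-copy or re-image before analyzing it, and record the check in the case notes.
if ($results.Match -contains $false) {
    Write-Error "Hash mismatch: image integrity cannot be confirmed"
    exit 1
}
```

For E01 images the stored hash covers the raw data inside the container, not the .E01 file itself, so verify those with FTK Imager's own Verify Drive/Image function rather than by hashing the file.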



Analysis Of Evidence

In this section, we'll display a list of all the software that has been downloaded and installed on this machine.
Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE

Analysis Of Evidence

EXIF (Exchangeable Image File Format) metadata in Windows 7 refers to the additional information
embedded within image files captured by digital cameras or created by image editing software.



Analysis Of Evidence

In this section, we'll display all file sizes.
Registry Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\AllFolders



Analysis Of Evidence

Recycle Bin
Registry Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket



Analysis Of Evidence

This key contains information about USB controllers and hubs on the system. Each subkey represents a USB
controller or hub and may contain information about attached devices.
Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB



Analysis Of Evidence

Web browsers like Internet Explorer, Google Chrome, Mozilla Firefox, etc., may store cookies, passwords, and
other account-related information in their respective locations within the registry. These locations may vary
depending on the browser and its version.



Analysis Of Evidence
Web browsing history is primarily stored in the user's profile directory.
Registry Path: HKEY_CURRENT_USER\Software\Google\Chrome



Analysis Of Evidence

User account information, including user profiles, login credentials, and account settings, is stored in the
Windows Registry at the path below.
Registry Path: SAM\Domains\Account\Users\Names
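The registry paths on the preceding slides are quoted as they appear on a running system. When working from an image, the hives must be read offline, which changes two things: HKEY_CURRENT_USER keys live in each profile's NTUSER.DAT rather than in a system-wide hive, and CurrentControlSet does not exist in an offline SYSTEM hive. The following PowerShell script is an added example, not part of the slides: it loads the image's SYSTEM and SOFTWARE hives under temporary names, resolves the control set, and lists the USB devices and installed software from the keys discussed above. It assumes the image's Windows partition is mounted read-only at the placeholder drive letter F: and that the shell is elevated.

```powershell
# Added example (not from the slides): read artifact keys from an image's own
# hives instead of the analysis machine's live registry.
# Assumption: the image's Windows volume is mounted read-only at $Mount.
$Mount = 'F:'   # placeholder mount point
$Hives = @{ SYSTEM   = "$Mount\Windows\System32\config\SYSTEM"
            SOFTWARE = "$Mount\Windows\System32\config\SOFTWARE" }

# Load the hives under temporary names so they never collide with the live ones.
foreach ($name in $Hives.Keys) { reg.exe load "HKLM\Img_$name" $Hives[$name] | Out-Null }
try {
    # CurrentControlSet is a link that exists only on a running system; in an
    # offline SYSTEM hive the active control set is recorded in Select\Current.
    $cur = (Get-ItemProperty 'HKLM:\Img_SYSTEM\Select').Current
    $ccs = 'HKLM:\Img_SYSTEM\ControlSet{0:D3}' -f $cur

    # USB devices seen by this system: one subkey per vendor/product id, then
    # one per instance (serial number or generated id) with a description.
    Get-ChildItem "$ccs\Enum\USB" | ForEach-Object {
        $dev = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Device = $dev; Instance = $_.PSChildName
                               Name = $p.FriendlyName; Desc = $p.DeviceDesc }
        }
    } | Format-Table -AutoSize

    # Installed software: the Uninstall key under SOFTWARE lists applications
    # with their display names, versions and install dates.
    Get-ChildItem 'HKLM:\Img_SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, InstallDate |
        Format-Table -AutoSize
}
finally {
    # Unload the hives so the analysis machine's registry is left as it was found.
    foreach ($name in $Hives.Keys) { reg.exe unload "HKLM\Img_$name" | Out-Null }
}
```

A user's NTUSER.DAT (for the ShellBags, Recycle Bin and browser keys) loads the same way with reg.exe load; the SAM hive also loads, but its keys carry restrictive ACLs, so account names under SAM\Domains\Account\Users\Names are usually easier to read with a dedicated registry parser such as the one in Autopsy.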



CONCLUSION

In summary, this Windows forensic project has provided valuable insights into the intricate world of digital
investigations within the Windows environment. Through meticulous analysis and examination of digital
artifacts, we've uncovered a wealth of evidence crucial for understanding past events and behaviors on the
system.

THANK YOU!
