312-49v10 Exam Questions

312-49v10 Exam - Question 520


A forensic investigator is analyzing a Windows system for possible malicious activity. The investigator is specifically interested in the recent actions of a suspect on the system, including any deleted directories or files, mounted drives, and actions taken. Which of the following approaches and tools would be the most effective for obtaining this information?

Correct Answer: C

Parsing the BagMRU and Bags registry keys using SBag would be the most effective approach for obtaining information about recent actions taken by a user, including deleted directories or files, and mounted drives. The BagMRU and Bags registry keys store metadata about the folders and their contents accessed by the user, even if these folders have been deleted. This data includes details that can reveal user activity, making it crucial for forensic investigations.
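As an added illustration, not part of the exam page or of any particular tool, the Python below parses the two structures the explanation refers to: the MRUListEx value that orders a BagMRU key's entries, and a 0x31 (directory) shell item stored in one of its numbered values. The registry values, folder names, timestamps and the NodeSlot number 42 are constructed stand-ins, and the constructed items omit the extension block a real entry carries after the short name.

```python
import struct
from datetime import datetime

def parse_mrulistex(blob: bytes) -> list:
    """MRUListEx is a list of little-endian DWORD value indices, most
    recently used first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", blob):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def fat_to_datetime(fat_date: int, fat_time: int) -> datetime:
    """Decode a DOS/FAT packed date and time (2-second resolution)."""
    return datetime(1980 + (fat_date >> 9), (fat_date >> 5) & 0xF, fat_date & 0x1F,
                    fat_time >> 11, (fat_time >> 5) & 0x3F, (fat_time & 0x1F) * 2)

def parse_file_entry(item: bytes) -> dict:
    """Parse a 0x30-class (file/directory) shell item: size, type byte, unknown
    byte, file size, FAT modification date+time, attributes, then a
    NUL-terminated ASCII short name starting at offset 14."""
    size, kind, _, _fsize, fdate, ftime, attrs = struct.unpack_from("<HBBIHHH", item, 0)
    if kind & 0x70 != 0x30:
        raise ValueError(f"not a file entry shell item: 0x{kind:02x}")
    name = item[14:size].split(b"\x00", 1)[0].decode("ascii")
    return {"name": name, "is_dir": bool(attrs & 0x10),
            "modified": fat_to_datetime(fdate, ftime)}

def build_file_entry(name: str, modified: datetime, is_dir: bool = True) -> bytes:
    """Construct a minimal 0x31 item (no extension block) for the demo data."""
    fdate = ((modified.year - 1980) << 9) | (modified.month << 5) | modified.day
    ftime = (modified.hour << 11) | (modified.minute << 5) | (modified.second // 2)
    body = struct.pack("<BBIHHH", 0x31, 0, 0, fdate, ftime, 0x10 if is_dir else 0x20)
    body += name.encode("ascii") + b"\x00"
    if len(body) % 2:          # names are padded to a 2-byte boundary
        body += b"\x00"
    return struct.pack("<H", len(body) + 2) + body

# Constructed stand-in for the values of one BagMRU key (not a real hive).
BAGMRU_VALUES = {
    "MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF),   # entry 1 used most recently
    "0": build_file_entry("Reports", datetime(2024, 5, 29, 10, 15, 30)),
    "1": build_file_entry("Tools", datetime(2024, 6, 12, 8, 0, 0)),
    "NodeSlot": struct.pack("<I", 42),   # links this key to Bags\42 (view settings)
}

def recent_folders(values: dict) -> list:
    """Return the child folder entries of a BagMRU key in most-recent-first order,
    which survive in the hive even after the folders themselves are deleted."""
    return [parse_file_entry(values[str(i)]) for i in parse_mrulistex(values["MRUListEx"])]
```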

Discussion

4 comments
Elb (Option: A)
May 29, 2024

ShellBags are a set of registry keys which record the viewing preferences of folders of the user, such as their size, location and position, when using Windows Explorer. The information in these ShellBags plays a crucial role in the forensic investigation as it provides evidence related to folders accessed by a user.

Elb (Option: B)
Jun 12, 2024

Analyzing ShellBags provides forensic investigators with data such as:
- Folders opened by user from a mounted external hard drive.

Elb (Option: C)
Jun 12, 2024

The ShellBags contain information pertaining to the directories (accessed by the user) even after the directory is removed, which can be used to enumerate previously mounted drives, deleted files and User/Intruder action.

Elb (Option: A)
Jun 12, 2024

LNK is a file extension for shortcut files used by Windows OS to point to any executable files. These files are created when a user/suspect accesses any local/remote file and can provide the forensic investigator with valuable information on user activities on the system. These artifacts also help forensic investigators find the LNK files associated with the original files that no longer exist on the target machine.