
General Forensics Tips for Windows Platform

Disabling Windows BitLocker Encryption

BitLocker is a new drive encryption technology introduced with the Vista operating system. With BitLocker enabled, all files on a personal computer's hard disk drive are automatically encrypted. BitLocker is included in the Enterprise and Ultimate editions of Vista and is disabled by default. Disk encryption can pose a problem for forensic investigators, and additional steps must be taken to ensure access to suspect data.

When an investigator comes across a running Windows Vista system, they should first determine which version of Windows Vista the suspect system is running. As only Vista Enterprise and Ultimate offer BitLocker drive encryption, investigators can disregard further steps on other versions.

Once an investigator has determined that the system is running either Windows Vista Enterprise or Ultimate, the next step is to determine if BitLocker is running. The easiest way to determine this is through the BitLocker configuration in the Control Panel. If BitLocker encryption is running, use the following steps to disable it.

Disabling BitLocker does not decrypt the suspect data, which would alter each file. Instead it stores the encryption key on the disk so that the data can be decrypted when the drive is booted or accessed, without the need for the startup key or numerical password.

The following command shows how to disable BitLocker from the command line:

cscript manage-bde.wsf -protectors -disable c:

The above command will disable BitLocker (not decrypt). The drive can then later be attached to another Vista machine using a hardware write blocker and all the data will be visible. The investigator can then image the suspect drive.

The investigator should also obtain the BitLocker numeric recovery password to ensure later access to the drive for imaging should it be needed.

The following command will display the BitLocker numerical recovery password:

cscript manage-bde.wsf -protectors -get c:

Disabling Windows Autorun

Care needs to be taken when examining suspect USB thumb drives and CDs. These types of media may contain autorun viruses and malware that could potentially infect the investigator's workstation. Steps should be taken to disable autorun on Windows computers and decrease the chance of damage by malware. By disabling autorun on a Windows machine, the investigator stops programs that may attempt to run when suspect media is attached. Disabling autorun will also stop MacLockPick from accidentally being run on an investigator’s forensic examination station. It may still be run manually.

To protect your Windows forensic workstations, follow these steps:

Copy and paste the following into a .reg file and merge it into the registry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

More information on disabling Windows Autorun can be found here:

Firefox Artifacts

Mozilla Firefox is fast becoming one of the most popular browsers on the internet today. Estimates as of June 2007 put Firefox at 14.55% of the world’s web browsers. Being free, cross-platform, and updated regularly are just some of the many reasons users have made the switch to it. Firefox also allows the user to easily install add-ons to enhance the functionality of the browser. Here are some Firefox files that may be of interest during an investigation with MacForensicsLab.

Firefox stores the user data in the following places:
Mac OS X: ~/Library/Application Support/Firefox/Profiles/<profile folder>/
Windows XP & 2000: C:\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\
Windows 98 & ME: C:\Windows\Application Data\Mozilla\Firefox\Profiles\<profile folder>\
C:\Windows\Profiles\<user name>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\
Windows NT 4.x: C:\Winnt\Profiles\<user name>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\
Unix: ~/.mozilla/firefox/<profile folder>/

Website History
File name: history.dat
By default Firefox stores the browsing history for 9 days.
Side note: “history.dat” is written in a complex format called “Mork”.

Encrypted Saved Passwords
File name: signons.txt
This file also stores a list of sites for which passwords are never saved. The encryption key is contained in the file called key3.db.

More information about specific files in the user profile can be found at MozillaZine’s Knowledge Base article on the Profile Folder.
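An inventory of the files named above, as an added example that is not part of the original page: it hashes each artifact found under a user's directory on a read-only mounted image and reports profiles where signons.txt is present without the key3.db needed to decrypt it. The function names are hypothetical, and the profile roots are the ones listed above taken relative to the user's directory.

```python
import hashlib
import os
from datetime import datetime, timezone

# Artifact names and profile roots are the ones listed above, taken relative
# to a user's home/profile directory on a read-only mounted image.
ARTIFACTS = ("history.dat", "signons.txt", "key3.db")
PROFILE_ROOTS = (
    "Library/Application Support/Firefox/Profiles",  # Mac OS X
    "Application Data/Mozilla/Firefox/Profiles",     # Windows
    ".mozilla/firefox",                              # Unix
)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # opened read-only, never written
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(user_dir):
    """List the Firefox artifacts under user_dir with size, mtime and hash."""
    records = []
    for root in PROFILE_ROOTS:
        base = os.path.join(user_dir, *root.split("/"))
        if not os.path.isdir(base):
            continue
        for profile in sorted(os.listdir(base)):
            for name in ARTIFACTS:
                path = os.path.join(base, profile, name)
                if not os.path.isfile(path):
                    continue
                st = os.stat(path)
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                records.append({"profile": profile, "artifact": name,
                                "path": path, "size": st.st_size,
                                "modified_utc": mtime.isoformat(),
                                "sha256": sha256_of(path)})
    return records


def passwords_without_key(records):
    """Profiles holding signons.txt but no key3.db to decrypt it with."""
    found = {}
    for rec in records:
        found.setdefault(rec["profile"], set()).add(rec["artifact"])
    return sorted(p for p, names in found.items()
                  if "signons.txt" in names and "key3.db" not in names)
```

Call inventory() with one user's directory from the mounted image and keep the returned hashes with the case notes.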


If you need a tool for extracting Firefox’s cache files, consider SubRosaSoft Cache Detective.

SubRosaSoft Cache Detective is a very easy-to-use utility that reads the cache of many browser and chat applications and extracts the files currently stored in their cache folders.

Viewing Recently Accessed Windows Files

The Windows Registry stores a wealth of information that can be helpful to a forensic investigator during an examination. Knowing which documents were recently accessed on a suspect's Windows machine can point an investigator to files of interest and help to show proof of intent.

The following key and its associated sub-keys contain a fairly comprehensive list of files that were opened while that account was logged in:


Flash Drive Registry Information

USB thumb drives (flash drives) have become a very popular tool for transferring files from computer to computer. They’re small, portable, and often contain evidence that can be helpful to an investigation.

When examining the Windows registry, one of the interesting things to look at is the set of entries recording where devices have been attached, especially USB devices. From these, grab the information regarding the device manufacturer and the serial number, if the device has one.

Also there is an entry that is keyed to the mounted device volume letter. The letter is not that important but I think there is a date associated with the last time the device was written. This would be of value during a forensic exam.

USB thumb drives sometimes have a registry entry indicating that they are CD-ROM drives, so be aware of that.

Thanks to Tim Clark for this information.
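A parser for the USB storage entries discussed above, as an added example that is not part of the original page: it pulls the manufacturer, product and serial number out of a device entry and marks entries registered as CD-ROM drives. It assumes the USBSTOR key naming described in the comments, which the page does not give; the function names and sample values are constructed.

```python
import re

# Assumed naming (not given on the page): under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR each device subkey is named
# <Class>&Ven_<vendor>&Prod_<product>&Rev_<revision>, with one child subkey
# per physical device named after its instance ID.
DEVICE_KEY = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>.*)$",
    re.IGNORECASE,
)


def parse_usbstor(device_key, instance_id):
    """Split a USBSTOR device key and instance ID into reportable fields."""
    m = DEVICE_KEY.match(device_key)
    if m is None:
        raise ValueError(f"not a USBSTOR device key: {device_key!r}")
    # If the device reports no serial number, Windows generates the instance
    # ID itself and its second character is '&'. Such an ID identifies the
    # device only on this machine, so it is not reported as a serial.
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    serial = None if generated else instance_id.rsplit("&", 1)[0]
    return {
        "class": m["cls"],
        "vendor": m["vendor"].replace("_", " ").strip(),
        "product": m["product"].replace("_", " ").strip(),
        "revision": m["rev"],
        "serial": serial,
        # Some thumb drives also register an entry with the CD-ROM class.
        "presents_as_cdrom": m["cls"].lower() == "cdrom",
    }


SAMPLES = [  # constructed values, not taken from a real system
    ("Disk&Ven_SanDisk&Prod_Cruzer_Micro&Rev_0.3", "AA00000000000123&0"),
    ("CdRom&Ven_SanDisk&Prod_Cruzer_Micro&Rev_0.3", "AA00000000000123&1"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "6&2f1c9a0b&0"),
]


def devices(pairs=SAMPLES):
    return [parse_usbstor(dev, inst) for dev, inst in pairs]


if __name__ == "__main__":
    for entry in devices():
        print(entry)
```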