Windows Artifact Overview
Anna ILLAMAA, CFCE
- Over 19 years of investigative experience for the Estonian Police and Border Guard Board
- Eight years as a Computer Forensic Examiner
- Recognized as a Certified Forensic Computer Examiner (CFCE) through the International Association of Computer Investigative Specialists (IACIS)
- Regularly instruct law enforcement, government and corporate examiners both nationally and internationally in computer forensics
Course Outline
- Resources/prerequisite for the course
- Introduction
- Shortcut files analysis
- Jump Lists analysis
- Overview
- Final Exercise
Course Requirements
- Computer with Windows OS installed (Windows 7 and above)
- Files for the exercises
  - RecentItems.zip (SHA1: 29039291bc0011e66379a8fc956064d1857a7f9b)
  - Important.pdf (SHA1: 2fb10eab76f606c7012fcec857c6cae39a441d71)
- Files for the final exercise
  - SuspectActivity.zip (SHA1: a8f601018fdef6d8954026e7431963416021a107)
  - SUMURI Jumplist and Shortcut Final Answers.pdf
- Tools
  - JLECmd: Jump List parser (by Eric Zimmerman)
  - JumpList Explorer: GUI-based Jump List viewer (by Eric Zimmerman)
  - LECmd: parses lnk files (by Eric Zimmerman). Download link: https://ericzimmerman.github.io/#!index.md
  - WFA tool (Windows File Analyzer: https://www.mitec.cz/wfa.html)
  - ExifTool GUI (by Phil Harvey, https://exiftool.org)
  - ExifTool (by Phil Harvey, https://exiftool.org)