2016 Cybersecurity and Cyberforensics Conference

Windows Forensic Investigations using PowerForensics Tool

Akram Barakat
Security Researcher
Princess Sumaya University for Technology
Amman, Jordan
akram.f.barakat@gmail.com

Ali Hadi
Computer Science Dept.
Princess Sumaya University for Technology
Amman, Jordan
a.hadi@psut.edu.jo

Abstract: Digital forensic investigation has become an important field due to the rise of cybercrime. Most governments and companies have therefore found an urgent need to invest in research related to digital forensic investigations. Performing digital forensic investigations that cover the extraction, analysis and reporting of digital evidence requires new methods and techniques. One of the methods that can be used when applying digital forensics to a Windows operating system is PowerShell. While PowerShell is mainly used to configure, manage and administer the Windows operating system and other installed programs, this paper shows that it can also be used to collect forensic evidence from a Windows operating system. The paper discusses Windows PowerShell functions and how they can benefit a digital forensic investigator, and focuses on the tools and modules written specifically for forensic investigations. Several digital forensic experiments are then conducted with the PowerForensics tool in order to extract and identify different Windows forensic artifacts. The results present the capabilities of PowerForensics for extracting forensic evidence from a Windows operating system and give an insight into its limitations.

Keywords: PowerShell Forensics; PowerForensics; Windows Forensics; Windows artifact; digital investigation

978-1-5090-2657-9/16 $31.00 (c) 2016 IEEE
DOI 10.1109/CCC.2016.18

I. INTRODUCTION

The world is becoming ever more dependent on digital devices and on the information systems that run on top of them. Information is stored and exchanged using these devices and machines. This level of usage and dependency exposes people to a new type of threat and crime: cyber threats and cybercrimes, respectively.

Threats that target such devices require special handling. Crimes committed against or by means of such devices need to be investigated differently in order to reach the evidence that either incriminates or exonerates the suspect.

Digital forensic investigation is defined as the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations [1]. It is mainly concerned with criminal and unauthorized actions [2].

In order to conduct a successful digital forensic investigation of a cybercrime, investigators usually need to process and analyze a huge number of varied data and system artifacts to gain insight into what happened.

There are different investigation models that digital investigators can follow, from determining that an incident occurred up to the final report and presentation. In general, the standard model of the investigation process consists of four main stages: (1) preparation, (2) physical investigation, (3) digital investigation and (4) results [3, 4]. In the digital investigation stage, an investigator preserves, collects and thoroughly analyzes the digital evidence in custody using methods and techniques that depend on the type of hardware and software involved.

Windows forensics is any method or technique used to extract evidence from a Windows operating system. The reason Windows receives so much attention in investigations is that around 87% of client computers were running Windows as of May 2016 [5]. There is therefore still an intense need for research related to Windows operating systems, and one of the tools that can be used for forensic investigations in a Windows environment is PowerShell.

Detecting and extracting evidence requires the investigator to have deep knowledge of the technology involved in order to collect, acquire and analyze digital devices and systems correctly and effectively, and so reach accurate results. Knowledge of Windows artifacts therefore helps investigators when analyzing suspects' computers that run a Windows operating system [6, 7].

According to the SANS Institute [8], the Patrick Leahy Center for Digital Investigation (LCDI) [9] and others [10, 11], Windows artifacts are divided into the following categories:

1) General machine information

This category includes the machine name, network addresses and OS information. Table I shows some of the most important machine artifacts and the location of each.

TABLE I. GENERAL MACHINE INFORMATION ARTIFACTS

Artifact            | Registry location
Machine name        | SYSTEM: ControlSet001\Control\ComputerName\ComputerName, value ComputerName
OS                  | SOFTWARE: Microsoft\Windows NT\CurrentVersion, values ProductName and CSDVersion
Owner               | SOFTWARE: Microsoft\Windows NT\CurrentVersion, value RegisteredOwner
User accounts       | SAM: Domains\Account\Users\Names
System root         | SOFTWARE: Microsoft\Windows NT\CurrentVersion, value PathName
IP address          | SYSTEM: ControlSet001\Services\Tcpip\Parameters\Interfaces\<Interface GUID>, value DhcpIPAddress (IPAddress for statically configured interfaces)
Last logged-on user | SOFTWARE: Microsoft\Windows\CurrentVersion\Authentication\LogonUI, value LastLoggedOnUser

2) User account activity

As shown in Table II, there are many artifacts related to user activity, such as login times, login status and whether a login succeeded or failed. It is also possible to identify whether a login was performed at the console (direct access to the machine) or over a remote connection. Moreover, each user profile's information can be extracted, such as the profile root path, the user's security identifier (SID) and other user details.

TABLE II. USER ACCOUNT ACTIVITY ARTIFACTS

Artifact                | Location
First login             | NTUSER.DAT creation date
Last login              | NTUSER.DAT last modified date
Successful/failed login | Event Viewer, Security log logon events (event ID 4624 for success, 4625 for failure)
Login type              | Logon Type field of those events (2 = interactive at the console, 10 = RemoteInteractive/RDP, 3 = network)
User SID                | SOFTWARE: Microsoft\Windows NT\CurrentVersion\ProfileList
Profile path            | SOFTWARE: Microsoft\Windows NT\CurrentVersion\ProfileList

3) Folder/file activity

These artifacts relate to all events that occurred on files and folders, from the first access to the file up to actions such as copy, move, rename and delete. Links and shortcuts such as .LNK files and Jump Lists also belong to this category. Table III presents several folder and file activity artifacts with their associated locations.

TABLE III. FOLDER/FILE ACTIVITY ARTIFACTS

Artifact                            | Location
Recently used items (modify/access) | %systemdrive%\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent
Deleted file                        | <DRIVE>:\$Recycle.Bin\<SID>
Shortcut files (.LNK)               | %systemdrive%\ProgramData\Microsoft\Windows\Start Menu\Programs
Jump Lists                          | %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations and CustomDestinations

4) Program

Program details, history and cache are useful artifacts that give more information about user behavior and intentions. Table IV shows artifacts related to programs.

TABLE IV. PROGRAM ARTIFACTS

Artifact           | Location
Installed programs | SOFTWARE: Microsoft\Windows\CurrentVersion\Uninstall
Executed programs  | %systemroot%\Prefetch
Program cache      | Depends on the program

5) Internet activity

Since most computers are connected to the Internet [12], there is a dedicated category for these artifacts. Table V shows the most used artifacts related to Internet activity [13].

TABLE V. INTERNET ACTIVITY ARTIFACTS

Artifact   | Location
IE history | %systemdrive%\Users\<USERNAME>\AppData\Local\Microsoft\Windows\History
Typed URLs | NTUSER: SOFTWARE\Microsoft\Internet Explorer\TypedURLs
Downloads  | %systemdrive%\Users\<USERNAME>\AppData\Local\Microsoft\Windows\IEDownloadHistory
Cookies    | %systemdrive%\Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCookies
Cache      | %systemdrive%\Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCache

6) External storage devices

External storage devices are one of the most important channels for data leakage, so these artifacts deserve close attention in most investigations. This is why they form a category of their own; Table VI lists a number of them.

TABLE VI. EXTERNAL STORAGE DEVICE ARTIFACTS

Artifact           | Location
Last used time     | Registry, SYSTEM: CurrentControlSet\Enum\USB\VID_<VendorID>&PID_<ProductID> (key last-write time)
User               | Registry, NTUSER: Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\<USB GUID>
Device information | Registry, SYSTEM: ControlSet001\Enum\USBSTOR
Device events      | %systemroot%\inf\setupapi.dev.log

The rest of this paper is organized as follows. Section II covers related work and Windows artifact sources. Section III covers the experiments conducted with PowerForensics. The results of the experiments are presented in Section IV, and the last section gives the conclusions reached and future work that could be done in this area.
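The following script is an added example, not part of the paper, that reads the registry-based artifacts of Tables I, II and VI from the live system using only the built-in PowerShell registry provider (no PowerForensics needed). It assumes an elevated session. Two items from the tables are deliberately left out: the SAM hive is not readable through the provider, and the provider does not expose key last-write times, so the USB "last used time" is not covered. The setupapi.dev.log line format the parser keys on is an assumption, and the log lines in the script are constructed, not a real capture.

```powershell
# Added example (not from the paper): collect Table I, II and VI artifacts from the live registry
# with the built-in registry provider. Run elevated. SAM and key last-write times are not covered.

function Get-MachineInfoArtifact {
    $ntVersion = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $computer  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'
    $logonUi   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MachineName      = $computer.ComputerName
        ProductName      = $ntVersion.ProductName
        CSDVersion       = $ntVersion.CSDVersion        # no service packs on Windows 10, so $null there
        RegisteredOwner  = $ntVersion.RegisteredOwner
        SystemRoot       = $ntVersion.PathName
        LastLoggedOnUser = $logonUi.LastLoggedOnUser
    }
}

function Get-ProfileArtifact {
    # One object per profile: SID, profile path, and the NTUSER.DAT timestamps Table II uses as first/last login.
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object {
        $profilePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath   # REG_EXPAND_SZ, expanded by the provider
        $ntuser = Get-Item -LiteralPath (Join-Path $profilePath 'NTUSER.DAT') -Force -ErrorAction SilentlyContinue
        $first = $null; $last = $null
        if ($ntuser) { $first = $ntuser.CreationTime; $last = $ntuser.LastWriteTime }
        [pscustomobject]@{ Sid = $_.PSChildName; ProfilePath = $profilePath; FirstLogin = $first; LastLogin = $last }
    }
}

function Get-UsbStorageArtifact {
    # Device class and instance subkeys under USBSTOR (Table VI, "device information").
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path -Path $usbstor)) { return }
    foreach ($class in Get-ChildItem -Path $usbstor) {
        foreach ($instance in Get-ChildItem -Path $class.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            [pscustomobject]@{
                DeviceClass  = $class.PSChildName      # e.g. Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00
                SerialNumber = $instance.PSChildName   # device serial, or a generated ID ending in "&0" when it has none
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Get-SetupApiUsbEvent {
    # Parse setupapi.dev.log (Table VI, "device events") for USBSTOR installs and their timestamps.
    # Assumed format: a ">>>  [Device Install (...) - USBSTOR\...]" line followed by ">>>  Section start <time>".
    param([Parameter(Mandatory)][string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^>>>\s+\[Device Install \(([^)]+)\) - (USBSTOR\\.+)\]') {
            $current = [pscustomobject]@{ Trigger = $Matches[1]; DeviceId = $Matches[2]; Time = $null }
        }
        elseif ($current -and $line -match '^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})') {
            $current.Time = [datetime]::ParseExact($Matches[1], 'yyyy/MM/dd HH:mm:ss',
                                                   [Globalization.CultureInfo]::InvariantCulture)
            $current
            $current = $null
        }
    }
}

# Constructed sample log lines (not a real capture) so the parser can be tried offline.
$sampleLog = @(
    '>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\001CC0EC34C9EC1143E8B024&0]',
    '>>>  Section start 2016/06/13 10:22:01.123',
    '<<<  Section end 2016/06/13 10:22:03.456'
)
Get-SetupApiUsbEvent -Lines $sampleLog

# Live collection:
# Get-MachineInfoArtifact; Get-ProfileArtifact; Get-UsbStorageArtifact
# Get-SetupApiUsbEvent -Lines (Get-Content -LiteralPath "$env:SystemRoot\inf\setupapi.dev.log")
```

The NTUSER.DAT timestamps are only a proxy for first and last login: profile copies, backups and some management tools reset them, so confirm against the 4624 events before relying on them.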
II. RELATED WORK

NTFS is the main file system used by Windows operating systems based on NT technology, such as Windows 2000, XP, 7, 8, 10 and Windows Server 2012 R2. It was designed to provide enhancements in security, scalability and reliability that the FAT file system does not offer. Every component of NTFS is a file stored on the disk, and the most important of these files is the Master File Table (MFT) [14]. The MFT is like a database in which each record describes a file stored on the volume [15]. There are also other important files used for NTFS administration, called metadata files, such as $LogFile, $Volume, $Bitmap and $AttrDef. These NTFS metadata files are considered one of the most important sources of evidence: they help investigators find and extract used and unused clusters, MFT logs, file logs and events, timestamps, file status and other information [14].

The Windows Registry is another source of artifacts that can help in a Windows investigation. It is the central database of the Windows operating system, used to store the configuration data of the operating system, the system hardware and most installed programs [16]. This database holds much data that can help forensic analysis, such as general system information, user accounts, history, installed applications, timestamps, network connections and removable devices [17].

Prefetch files are used to speed up application loading by collecting all the files an application needs in one place. They provide useful information about application activity, such as which applications were executed recently and their last run time, and they reveal programs that have since been deleted and malicious programs that ran on the system [18]. They are another source of artifacts on a Windows operating system.

Windows Event Viewer is a central location containing many logs about Windows events, installed applications and configured services. It also contains audit logs for users, applications and files. It therefore holds a large amount of data that can be used in forensics [19].

All these sources contain Windows artifacts that can be used as evidence in digital investigations.

Most digital investigations start after an incident or crime has occurred, so the work of collecting evidence and establishing how the case happened takes place after the damage has been done and the business or service affected. However, each case is a sequence of events that take time and leave at least one trace behind. Any incident can therefore be avoided, or its damage minimized, by tracing and detecting abnormal behavior and stopping it before the incident happens. This process is called threat hunting [20].

There are many PowerShell tools and scripts that can be used for forensics, some of them not designed specifically for this purpose and some of them purpose-built. The SANS Institute has described various methods and procedures for handling live incident response [21] and intrusion analysis [22] scenarios using PowerShell commands and scripts. These methods require the investigator to have deep knowledge of the PowerShell scripting language, since data is extracted from the target Windows machine by typing PowerShell scripts and commands each time according to the circumstances of the case. Moreover, these white papers [21, 22] focus on extracting data at the Windows OS level only, whereas dedicated forensic tools such as PowerForensics [23] can also extract data at the disk and file system levels. PsTools [24] is a Microsoft tool suite designed to manage and monitor local and remote computers, and the Exchange Management Shell [25] is the management shell for Microsoft Exchange Server, a collaboration and mail system. Both were designed for other purposes but can be used for forensics by executing commands and scripts to gather data and check various parameters related to the investigation. However, gathering and extracting data with these tools is not straightforward, as they were not designed for forensic purposes. On the other hand, there are a number of new projects created specifically for forensic purposes and still under development, such as PSRecon, Kansa and PowerForensics. PSRecon is a forensic tool used to collect data from a remote machine running Windows, with a number of incident response functions [26]. Kansa is a data collection tool with analysis and incident response functions [27]. PowerForensics is an open source forensics framework developed by Jared Atkinson that collects evidence at the Windows OS level, such as the registry, event logs and Prefetch; it also works at the disk and file system levels, and a forensic timeline can be created with it [23].

Table VII summarizes the PowerShell tools and methods dedicated to forensic investigations mentioned above and compares them by type (a purpose-built tool, or just a method that shows how PowerShell capabilities can solve forensic cases), by whether advanced PowerShell knowledge is required to reach the needed data, and by the levels from which they can extract evidence. Windows artifacts break down into three levels: disk, file system and OS. Each tool or method can extract data from certain levels only.

TABLE VII. POWERSHELL TOOLS AND METHODS COMPARISON

Name                    | Type   | Advanced PowerShell knowledge required | Disk | File system | OS
Live response [21]      | Method | Yes                                    | No   | No          | Yes
Intrusion analysis [22] | Method | Yes                                    | No   | No          | Yes
PSRecon [26]            | Tool   | No                                     | No   | No          | Yes
Kansa [27]              | Tool   | No                                     | No   | No          | Yes
PowerForensics [23]     | Tool   | No                                     | Yes  | Yes         | Yes

III. EXPERIMENT

This section presents an experiment conducted on a Windows operating system using the PowerShell tool PowerForensics to extract Windows artifacts for solving a forensic case.

PowerForensics performs live (online) forensics on a Windows OS only, but an offline image can still be used with it by converting the RAW or dd image to a virtual disk with a conversion tool. The converted disk, with the extension .vhd or .vhdx, can be attached directly in Windows Disk Management. This procedure makes the offline image available online and ready for use in PowerForensics. The read-only option should be selected when attaching the virtual disk, to preserve the integrity of the evidence. qemu-img is an example of a command line utility for converting disks between formats [28].

PowerForensics has many PowerShell commands, called cmdlets, designed for different purposes. These cmdlets are split below into categories based on the forensic level each one works at (Windows OS, file system or disk) and the collection source it uses, such as the Windows Registry or Event Viewer.
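As an added example that is not part of the paper, the image-preparation procedure above (raw image to VHDX, attach read-only, find the PHYSICALDRIVE number the disk-level cmdlets need) as one PowerShell function. It assumes qemu-img for Windows [28] is installed at the path in $QemuImg, that the Storage module (Mount-DiskImage, Get-DiskImage, Get-Disk) is available, i.e. Windows 8/Server 2012 or later, and that the caller chooses the VHDX output path; the -Path and -VolumeName parameter names used in the usage comments follow the cmdlet syntax shown later in this section.

```powershell
# Added example (not from the paper or PowerForensics): convert a raw/dd image to VHDX, attach it
# read-only, and return the \\.\PHY0SICALDRIVE name and volume letters for the PowerForensics cmdlets.
# Assumptions: qemu-img for Windows is installed at $QemuImg; the Storage module is present.
function Mount-RawImageReadOnly {
    param(
        [Parameter(Mandatory)][string]$RawImage,     # e.g. E:\case42\disk.dd
        [Parameter(Mandatory)][string]$VhdxPath,     # e.g. E:\case42\disk.vhdx (absolute path)
        [string]$QemuImg = 'C:\Program Files\qemu-img\qemu-img.exe'   # assumed install location
    )
    if (-not (Test-Path -LiteralPath $VhdxPath)) {
        # -f raw / -O vhdx select input and output formats; the raw image is only read.
        & $QemuImg convert -f raw -O vhdx $RawImage $VhdxPath
        if ($LASTEXITCODE -ne 0) { throw "qemu-img convert failed with exit code $LASTEXITCODE" }
    }
    # Hash the VHDX before attaching; re-hashing after detach shows whether anything was written.
    $sha256 = (Get-FileHash -LiteralPath $VhdxPath -Algorithm SHA256).Hash

    # -Access ReadOnly makes the whole virtual disk read-only. Attached writable, Windows may update
    # NTFS metadata (for example $LogFile and the USN journal) on every volume it mounts.
    Mount-DiskImage -ImagePath $VhdxPath -StorageType VHDX -Access ReadOnly | Out-Null
    $image = Get-DiskImage -ImagePath $VhdxPath          # MSFT_DiskImage; .Number is the disk number once attached
    $disk  = Get-Disk -Number $image.Number
    $letters = $disk | Get-Partition | Get-Volume |
        Where-Object { $_.DriveLetter } | ForEach-Object { "$($_.DriveLetter):" }

    [pscustomobject]@{
        PhysicalDrive = "\\.\PHYSICALDRIVE$($disk.Number)"
        IsReadOnly    = $disk.IsReadOnly
        Volumes       = @($letters)
        Sha256        = $sha256
    }
}

# Usage: attach, refuse to continue if the disk came up writable, run the cmdlets, detach, re-verify.
# $img = Mount-RawImageReadOnly -RawImage 'E:\case42\disk.dd' -VhdxPath 'E:\case42\disk.vhdx'
# if (-not $img.IsReadOnly) { Dismount-DiskImage -ImagePath 'E:\case42\disk.vhdx'; throw 'attached writable' }
# Get-ForensicPartitionTable -Path $img.PhysicalDrive
# Get-ForensicFileRecord -VolumeName $img.Volumes[0] | Select-Object -First 5
# Dismount-DiskImage -ImagePath 'E:\case42\disk.vhdx'
# (Get-FileHash -LiteralPath 'E:\case42\disk.vhdx' -Algorithm SHA256).Hash -eq $img.Sha256   # expect True
```

The VHDX is a derived copy, so the hash that matters for the chain of custody is still the one taken of the original raw image at acquisition; the VHDX hash only shows that the analysis session did not alter the working copy.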
1) Disk forensic artifact cmdlets

Get-ForensicMasterBootRecord
Get-ForensicGuidPartitionTable
Get-ForensicBootSector
Get-ForensicPartitionTable

If a disk needed for the investigation has a boot problem, its boot information can still be recovered by extracting the boot sector according to the disk's partitioning scheme, Master Boot Record (MBR) or GUID Partition Table (GPT). Extracting the boot record yields a lot of information, such as the list of partitions, their sizes, the file system type and which partition is marked bootable. Moreover, an investigator can collect the disk information in hex format, which is simple both to read and to parse; Fig. 1 shows an example of hex output. The physical disk name is needed to select the right disk to read from, so the investigator should first list the physical disk names, for example with:

wmic diskdrive list brief

The syntax of the disk forensic cmdlets is then:

Get-ForensicDiskCommand -Path \\.\PHYSICALDRIVE#

Figure 1. View boot sector in hex format
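The following is an added example, not code from the paper or from PowerForensics, that does the disk-selection and boot-record steps above natively: it lists the physical drives as objects (the same information as wmic diskdrive list brief), reads sector 0 of a \\.\PHYSICALDRIVE# device or an image file, and parses the MBR partition table so the result can be cross-checked against Get-ForensicPartitionTable. Reading a physical disk requires an elevated session; the sample sector at the end is constructed so the parser can be tried without a disk.

```powershell
# Added example (not from the paper or PowerForensics): enumerate physical drives, read sector 0 and
# parse the MBR partition table natively. Run elevated for \\.\PHYSICALDRIVE# paths.

function Get-PhysicalDriveName {
    # DeviceID is the \\.\PHYSICALDRIVEn name the disk cmdlets take in -Path.
    Get-CimInstance -ClassName Win32_DiskDrive | Select-Object DeviceID, Model, SerialNumber, Size, Partitions
}

function Read-BootSector {
    param([Parameter(Mandatory)][string]$Path, [int]$SectorSize = 512)
    # FileStream opens \\.\PHYSICALDRIVEn as well as ordinary image files; device reads must be sector aligned.
    $fs = New-Object System.IO.FileStream($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] $SectorSize
        $n = $fs.Read($buf, 0, $SectorSize)
        if ($n -ne $SectorSize) { throw "short read: $n bytes" }
        return $buf
    } finally { $fs.Dispose() }
}

function ConvertFrom-MbrPartitionTable {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'need at least 512 bytes' }
    # Boot signature 0x55 0xAA at offsets 510-511; four 16-byte partition entries start at offset 446.
    $signatureOk = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
    $entries = for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        $type = $Sector[$o + 4]
        if ($type -eq 0) { continue }                      # empty slot
        $sectors = [BitConverter]::ToUInt32($Sector, $o + 12)
        [pscustomobject]@{
            Index    = $i
            Bootable = ($Sector[$o] -eq 0x80)              # 0x80 active, 0x00 inactive
            Type     = '0x{0:X2}' -f $type                 # 0x07 NTFS/exFAT, 0x0C FAT32 LBA, 0xEE protective MBR of a GPT disk
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = $sectors
            SizeMB   = [math]::Round($sectors * 512 / 1MB, 1)
        }
    }
    [pscustomobject]@{
        SignatureValid  = $signatureOk
        IsProtectiveGpt = [bool]($entries | Where-Object Type -eq '0xEE')   # then use the GPT cmdlet instead
        Partitions      = @($entries)
    }
}

# Constructed sample: a zeroed sector holding one active NTFS partition at LBA 2048 of 204800 sectors (100 MB).
$sample = New-Object byte[] 512
$sample[446] = 0x80; $sample[450] = 0x07
[BitConverter]::GetBytes([uint32]2048).CopyTo($sample, 454)
[BitConverter]::GetBytes([uint32]204800).CopyTo($sample, 458)
$sample[510] = 0x55; $sample[511] = 0xAA
ConvertFrom-MbrPartitionTable -Sector $sample

# Live use, hex view as in Fig. 1, and comparison with the module's own parser:
# Get-PhysicalDriveName
# $sector = Read-BootSector -Path '\\.\PHYSICALDRIVE0'
# Format-Hex -InputObject $sector | Select-Object -First 8      # Format-Hex needs PowerShell 5.0+
# ConvertFrom-MbrPartitionTable -Sector $sector
# Get-ForensicPartitionTable -Path '\\.\PHYSICALDRIVE0'
```

If IsProtectiveGpt is true the single 0xEE entry says nothing about the real layout; the GPT header at LBA 1 and its partition entry array are what Get-ForensicGuidPartitionTable reads.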
2) File system forensic artifacts

File system forensics provides many artifacts that support cases involving timestamp changes, deleted data, file activity logs and other information.

a) NTFS file system artifact cmdlets

Get-ForensicAttrDef
Get-ForensicVolumeInformation
Get-ForensicVolumeName
Get-ForensicBitmap
Get-ForensicUnallocatedSpace
Get-ForensicFileSlack
Get-ForensicMftSlack
Get-ForensicFileRecord
Get-ForensicFileRecordIndex
Get-ForensicVolumeBootRecord
Get-ForensicUsnJrnl
Get-ForensicUsnJrnlInformation

Since an NTFS file system belongs to a volume or partition, the investigator should specify the volume name or the path of the MFT file in order to gather data from the right file system.

Using PowerForensics, an investigator can get general information about the file system, such as the attributes used in MFT entries, volume information and the volume name. Unallocated space can be obtained in the following ways:

- Unallocated clusters: these can be collected by querying the status of a cluster in the $Bitmap file, or by retrieving all unallocated clusters at once. For the status of a single cluster the investigator uses Get-ForensicBitmap, while Get-ForensicUnallocatedSpace returns all unallocated clusters.

- MFT slack and file slack: these are collected by specifying a file or a volume. However, there is an issue with the output of the slack cmdlets: they print a 0 for each byte in the slack area, so the investigator has to count these zeros to get the exact number of bytes in the slack area, or use PowerShell to count them, as shown in Fig. 2.

Figure 2. File slack for a specific file

Furthermore, the PowerForensics NTFS cmdlets help the investigator extract MFT records or get a file's record index from the MFT. However, there is an issue with the first MFT records, such as $MFT, $Bitmap and $Boot: the returned index is always 5, as shown in Fig. 3.

Figure 3. Wrong file record index for the first records

In addition, an investigator can collect the boot record of volumes formatted with either NTFS or FAT, although it is parsed for NTFS only. The last NTFS cmdlets concern file logging and tracking through the UsnJrnl. With these cmdlets any file can be tracked, and UsnJrnl information such as the maximum size and the last USN can be checked. Unfortunately, the UsnJrnl tracking cmdlet still has execution issues and returns blank results, as shown in Fig. 4.
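The slack discussion above suggests counting the cmdlet's zeros with PowerShell. The following added example (not from the paper or PowerForensics) goes a step further: it computes how large a file's slack must be from the file size and the volume's cluster size, and summarises a slack buffer so that the interesting part, the non-zero residue, is reported instead of being counted by eye. It assumes that Get-ForensicFileSlack returns the slack as a byte array and takes the file in -Path; the sample buffer is constructed.

```powershell
# Added example (not from the paper or PowerForensics): expected slack size and slack-buffer summary.
# Assumption: Get-ForensicFileSlack -Path <file> returns the slack bytes as byte[].

function Get-ClusterSize {
    param([Parameter(Mandatory)][string]$DriveLetter)        # e.g. 'C:'
    # Win32_Volume.BlockSize is the volume's allocation unit (cluster) size in bytes.
    (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$DriveLetter'").BlockSize
}

function Get-ExpectedSlackSize {
    param([Parameter(Mandatory)][long]$FileLength, [Parameter(Mandatory)][int]$ClusterSize)
    # Slack is the unused tail of the last cluster. A file that exactly fills its clusters has none, and
    # neither does a small NTFS file whose data is resident in its MFT record (it owns no clusters at all).
    if ($FileLength -eq 0) { return 0 }
    $remainder = $FileLength % $ClusterSize
    if ($remainder -eq 0) { 0 } else { $ClusterSize - $remainder }
}

function Measure-SlackBytes {
    param([Parameter(Mandatory)][AllowEmptyCollection()][byte[]]$Slack)
    $nonZero = New-Object System.Collections.Generic.List[int]
    for ($i = 0; $i -lt $Slack.Length; $i++) { if ($Slack[$i] -ne 0) { $nonZero.Add($i) } }
    $first = $null
    if ($nonZero.Count -gt 0) { $first = $nonZero[0] }
    # Printable bytes, in order, give a quick look at residue left by a previous occupant of the cluster.
    $printable = -join ($Slack | Where-Object { $_ -ge 0x20 -and $_ -le 0x7E } | ForEach-Object { [char]$_ })
    [pscustomobject]@{
        TotalBytes       = $Slack.Length
        ZeroBytes        = $Slack.Length - $nonZero.Count
        NonZeroBytes     = $nonZero.Count
        FirstNonZeroAt   = $first
        PrintableResidue = $printable
    }
}

# Constructed sample: a 1000-byte file on a volume with 4096-byte clusters leaves 3096 slack bytes;
# here 18 of them, starting at offset 512, still hold the name of an earlier file.
$expected = Get-ExpectedSlackSize -FileLength 1000 -ClusterSize 4096        # 3096
$slack = New-Object byte[] $expected
[Text.Encoding]::ASCII.GetBytes('DRAFT-CONTRACT.DOC').CopyTo($slack, 512)
Measure-SlackBytes -Slack $slack

# Live use: compare the expected size with what the cmdlet returns for a file of interest.
# $file  = Get-Item -LiteralPath 'C:\Users\alice\Documents\notes.txt'
# $exp   = Get-ExpectedSlackSize -FileLength $file.Length -ClusterSize (Get-ClusterSize -DriveLetter 'C:')
# $bytes = [byte[]](Get-ForensicFileSlack -Path $file.FullName)
# Measure-SlackBytes -Slack $bytes | Add-Member -NotePropertyName ExpectedBytes -NotePropertyValue $exp -PassThru
```

A TotalBytes that differs from ExpectedBytes means the file is resident, sparse or compressed, or the cmdlet and the volume disagree about the cluster size; either way the slack content should not be interpreted until that is resolved.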
Figure 4. No results from the UsnJrnl cmdlet

b) ext4 file system artifacts

A few cmdlets read blocks and inode entries from an ext4 file system, which is used by Linux/Unix systems only. As this paper focuses on Windows, these cmdlets are not discussed.

3) Windows forensic artifacts

Many Windows operating system artifacts can be extracted with this tool. However, some of them cannot be extracted properly on Windows 10 and with Microsoft Office 2016. In cases involving Office documents, the Microsoft Office artifacts can provide valuable information, such as the most recently used Office and Outlook files. For compatibility reasons, only the applicable artifacts are discussed. In general, the PowerForensics artifacts at the Windows OS level can be split into two parts:

a) Direct artifact extraction

Here, artifacts are gathered directly with dedicated functions that investigators use frequently, such as user-typed paths, typed URLs and the list of previously connected networks:

Get-ForensicAlternateDataStream
Get-ForensicShellLink
Get-ForensicExplorerTypedPath
Get-ForensicTypedUrl
Get-ForensicWindowsSearchHistory
Get-ForensicPrefetch
Get-ForensicUserAssist
Get-ForensicNetworkList
Get-ForensicScheduledJob
Get-ForensicSid
Get-ForensicTimezone

When an investigator wants to track a file's location and name, he or she should collect all files that carry an alternate data stream and find the original target of each shortcut (.lnk) file. User activity can also be tracked by collecting all typed paths, typed URLs and search history. However, the typed paths and typed URLs collected by this tool do not include any path or URL opened from Windows Explorer or any other graphical user interface, as they only record what the user typed on the keyboard. This limitation comes from the contents of the registry keys, not from PowerForensics. Prefetch and UserAssist, on the other hand, both give a list of recently run applications; the difference is that Prefetch shows applications run by all users, while UserAssist shows the applications recently run by a specific user. The remaining cmdlets in the list above return previously connected networks, scheduled tasks, the security identifier of the administrator account and the time zone configured on the machine.

b) Indirect artifact extraction

PowerForensics also provides flexibility by allowing artifacts to be collected directly from sources such as the Windows Registry and Event Viewer. This lets the investigator navigate and browse a specific source to gather information manually, and collect information not covered by the purpose-specific cmdlets without needing another tool. Investigators can thus write their own scripts quickly without modifying the PowerForensics source code. However, there is an issue in collecting registry key values. Every value of a numeric data type is shown as an offset plus 4096, as in Fig. 5. For example, a DWORD value of 5 is displayed as 4096 plus 5, that is 4101 (0x1005), rather than 5.

Figure 5. Registry key value plus 4096

Moreover, every value of a string data type is shown as the offset of the first character of the string rather than the string itself.

The investigator can collect as many artifacts as needed to build a full picture of what happened in the case. However, collecting artifacts alone is not sufficient without analysis that connects each artifact to the others according to the relations between them. All artifacts should then be ordered in time to reach the final resolution of the case. A timeline is therefore one of the most important parts of the investigation and should be included in the final report, as it tells the full story of the case. J. Atkinson accordingly included a forensic timeline converter in PowerForensics that converts artifacts into timeline form and can export them in different formats. Fig. 6 shows an example of an exported timeline in comma-separated value format. However, the timeline conversion is still limited in its collection sources: it only includes scheduled tasks, shell links, the UsnJrnl, event logs and registry keys.

Figure 6. Timeline exported result

IV. EXPERIMENT DISCUSSION

The results show that PowerForensics was capable of examining many Windows artifacts, but revealed some technical issues related to newer operating systems such as Windows 10 and applications such as Office 2016. Several artifacts related to start-up applications were gathered without errors but also without results.
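The timeline paragraph above notes that the module's own converter covers only some of the artifacts, and Section IV goes on to point out that PowerShell makes collection from remote machines easy to automate. The following added example (not from the paper or PowerForensics) serves both points: it normalises the output of several direct-extraction cmdlets into one time-ordered CSV and can run them over PowerShell remoting on a list of hosts. The property names in $ArtifactSources are assumptions about the cmdlets' output objects and must be checked with Get-Member on the installed module version; the sample objects at the end are constructed, not real artifacts.

```powershell
# Added example (not from the paper or PowerForensics): merge several artifact types into one timeline,
# optionally collected from remote hosts. Property names in $ArtifactSources are ASSUMED; verify with
#   Get-ForensicPrefetch | Get-Member     (and likewise for the other cmdlets)

function ConvertTo-TimelineRow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$InputObject,
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$TimeProperty,
        [Parameter(Mandatory)][string]$DescriptionProperty,
        [string]$HostName = $env:COMPUTERNAME
    )
    process {
        # An artifact may carry several timestamps (Prefetch keeps the last eight run times);
        # emit one row per timestamp so none is lost when the rows are sorted.
        foreach ($t in @($InputObject.$TimeProperty)) {
            if ($null -eq $t) { continue }
            [pscustomobject]@{
                TimeUtc     = ([datetime]$t).ToUniversalTime().ToString('o')   # ISO 8601, sorts as text
                Host        = $HostName
                Source      = $Source
                Description = [string]$InputObject.$DescriptionProperty
            }
        }
    }
}

# cmdlet -> (timestamp property, description property). Assumed names, see above.
$ArtifactSources = @{
    'Get-ForensicPrefetch'     = @{ Time = 'PrefetchAccessTime'; Desc = 'Path' }
    'Get-ForensicUserAssist'   = @{ Time = 'LastExecutionTime';  Desc = 'ImagePath' }
    'Get-ForensicShellLink'    = @{ Time = 'AccessTime';         Desc = 'LocalBasePath' }
    'Get-ForensicScheduledJob' = @{ Time = 'StartTime';          Desc = 'Command' }
}

function Get-ArtifactTimeline {
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [string]$OutCsv)
    $rows = foreach ($computer in $ComputerName) {
        foreach ($cmdlet in $ArtifactSources.Keys) {
            $map = $ArtifactSources[$cmdlet]
            # Invoke-Command runs the cmdlet where PowerForensics is installed and returns deserialized
            # copies of its objects. WinRM must be enabled on every target, localhost included.
            $objects = Invoke-Command -ComputerName $computer -ScriptBlock {
                param($name)
                Import-Module PowerForensics -ErrorAction Stop
                & $name -ErrorAction SilentlyContinue
            } -ArgumentList $cmdlet
            $objects | ConvertTo-TimelineRow -Source $cmdlet -TimeProperty $map.Time -DescriptionProperty $map.Desc -HostName $computer
        }
    }
    $sorted = $rows | Sort-Object TimeUtc
    if ($OutCsv) { $sorted | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8 }
    $sorted
}

# Constructed sample objects shaped like the assumed Prefetch and UserAssist output, so the merge and
# sort can be tried without the module (not real artifacts).
$samplePrefetch = [pscustomobject]@{
    Path               = '\VOLUME{01d1c5e1a2b3c4d5-a1b2c3d4}\WINDOWS\SYSTEM32\CMD.EXE'
    PrefetchAccessTime = @([datetime]'2016-06-13T10:22:00Z', [datetime]'2016-06-12T09:05:00Z')
}
$sampleUserAssist = [pscustomobject]@{ ImagePath = 'C:\Tools\putty.exe'; LastExecutionTime = [datetime]'2016-06-13T08:40:00Z' }
@(
    $samplePrefetch   | ConvertTo-TimelineRow -Source Get-ForensicPrefetch   -TimeProperty PrefetchAccessTime -DescriptionProperty Path
    $sampleUserAssist | ConvertTo-TimelineRow -Source Get-ForensicUserAssist -TimeProperty LastExecutionTime  -DescriptionProperty ImagePath
) | Sort-Object TimeUtc | Format-Table -AutoSize

# Live use: Get-ArtifactTimeline -ComputerName 'WS-042','WS-043' -OutCsv 'E:\case42\timeline.csv'
```

Timestamps are normalised to UTC because the hosts in a case rarely share a time zone, and the machine's configured zone (Get-ForensicTimezone) is itself an artifact that may have been changed; keep the raw objects as well as the CSV so the conversion can be audited.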

Finally, the results show that tools built on top of PowerShell can do a fairly good job in Windows forensic investigations, but still require further development and support to reach a more accurate and powerful level.

Furthermore, PowerForensics is an effective tool for real-time collection. It can collect evidence from a remote machine running Windows without affecting its operational tasks. Because the tool is based on PowerShell, the collection process can be automated, so the tool can be used together with other real-time collection systems such as the computer forensic evidence collection approach described in [29].

V. CONCLUSION AND FUTURE WORK

In this paper we discussed Windows PowerShell and how it can be used in digital investigations. The paper presented some of the tools developed specifically for forensics, such as PowerForensics, PSRecon and Kansa. PowerForensics was then used to conduct different Windows-related experiments in order to check which Windows artifacts are covered and how compatible the tool is with the systems used in such investigations. The tool showed some technical issues related to newer operating systems and applications.

Future work would be to enhance PowerForensics to fix the current issues and cover more artifacts. It would also be valuable to extend its coverage to other systems that support PowerShell, such as Microsoft Exchange Server, to help digital investigators who wish to use it there. Finally, PowerForensics could be used to build a semi-automated threat hunting system that checks the values of different system artifacts in order to detect abnormal behavior.

VI. REFERENCES

[1] T. Charles and M. Pollock, "Digital forensic investigations at universities in South Africa," in 2015 Second International Conference on Information Security and Cyber Forensics (InfoSec), IEEE, Nov. 2015, pp. 53-58, DOI: 10.1109/InfoSec.2015.7435506.
[2] J. John, "Digital forensics and preservation," Digital Preservation Coalition, Nov. 2012, p. 7.
[3] B. Carrier and E. Spafford, "An Event-Based Digital Forensic Investigation Framework," Digital Forensic Research Workshop, Aug. 2004.
[4] R. Kaur and A. Kaur, "Digital forensics," International Journal of Computer Applications, vol. 50, no. 5, pp. 5-9, Jul. 2012.
[5] Net Applications, "Operating system market share," 2006. [Online]. Available: https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0. Accessed: Jun. 12, 2016.
[6] D. M. Allen, "Digital investigation workforce development," whitepaper, Software Engineering Institute, 2016.
[7] A. Yasinsac, R. F. Erbacher, D. G. Marks, M. M. Pollitt, and P. M. Sommer, "Computer forensics education," IEEE Security & Privacy, no. 4, pp. 15-23, Jul. 2003, DOI: 10.1109/MSECP.2003.1219052.
[8] A. Mare, "Windows forensics and security," Forensic Focus - Articles, 2014. [Online]. Available: https://articles.forensicfocus.com/2014/04/14/windows-forensics-and-security/. Accessed: Jun. 13, 2016.
[9] InternetLiveStats, "Number of Internet users (2016)," 2014. [Online]. Available: http://www.internetlivestats.com/internet-users/. Accessed: Jun. 13, 2016.
[10] J. Ryder, "Internet explorer forensics analysis explore artifacts," in File Forensics, Blog Sharing Information About Forensic Analysis of Email Clients, 2015. [Online]. Available: http://www.xploreforensics.com/blog/internet-explorer-forensic-artifacts-analysis.html. Accessed: Jun. 13, 2016.
[11] A. Mare, "Windows forensics and security," Forensic Focus - Articles, 2014. [Online]. Available: https://articles.forensicfocus.com/2014/04/14/windows-forensics-and-security/. Accessed: Jun. 13, 2016.
[12] InternetLiveStats, "Number of Internet users (2016)," 2014. [Online]. Available: http://www.internetlivestats.com/internet-users/. Accessed: Jun. 13, 2016.
[13] J. Ryder, "Internet explorer forensics analysis explore artifacts," in File Forensics, Blog Sharing Information About Forensic Analysis of Email Clients, 2015. [Online]. Available: http://www.xploreforensics.com/blog/internet-explorer-forensic-artifacts-analysis.html. Accessed: Jun. 13, 2016.
[14] B. Carrier, File System Forensic Analysis. Boston, MA: Addison-Wesley, 2005, pp. 199-202.
[15] Z. Kai, C. En, and G. Qinquan, "Analysis and implementation of NTFS file system based on computer forensics," vol. 1, pp. 325-328, Mar. 2007, DOI: 10.1109/ETCS.2010.434.
[16] R. M. Saidi, S. A. Ahmad, N. M. Noor, and R. Yunos, "Windows registry analysis for forensic investigation," IEEE, pp. 132-136, May 2011, DOI: 10.1109/TAEECE.2013.6557209.
[17] K. Alghafli, A. Jones, and T. Martin, "Forensic analysis of the Windows 7 registry," School of Computer and Information Science, Edith Cowan University, Perth, Western Australia, 2010.
[18] J. McQuaid, "Forensic analysis of Prefetch files in Windows," Artifact Profiles, Magnet Forensics, 2014. [Online]. Available: https://www.magnetforensics.com/computer-forensics/forensic-analysis-of-prefetch-files-in-windows/. Accessed: Jun. 13, 2016.
[19] Q. Do, B. Martini, J. Looi, Y. Wang, and K.-K. Choo, "Windows event forensic process," in IFIP Advances in Information and Communication Technology, Springer Science + Business Media, 2014, pp. 87-100, DOI: 10.1007/978-3-662-44952-3_7.
[20] T. Asselman, "Hunting for Ransomware with PowerShell," Cyberforce, 2016. [Online]. Available: http://www.cyberforce.be/blog/2016/5/2/hunting-for-ransomware-with-powershell. Accessed: Jun. 13, 2016.
[21] S. Nair, "Live Response Using PowerShell," SANS Whitepapers, 2013. [Online]. Available: https://www.sans.org/reading-room/whitepapers/forensics/live-response-powershell-34302. Accessed: July 1, 2016.
[22] M. Weeks, "Intrusion Analysis Using Windows PowerShell," SANS Whitepapers, 2014. [Online]. Available: https://www.sans.org/reading-room/whitepapers/detection/intrusion-analysis-windows-powershell-34585. Accessed: July 1, 2016.
[23] J. Atkinson, "Invoke-IR/PowerForensics," GitHub, 2016. [Online]. Available: https://github.com/Invoke-IR/PowerForensics. Accessed: Jun. 13, 2016.
[24] M. Russinovich, "PsTools," 2016. [Online]. Available: https://technet.microsoft.com/en-us/sysinternals/pstools.aspx. Accessed: Jun. 13, 2016.
[25] Microsoft, "Exchange PowerShell," 2016. [Online]. Available: https://technet.microsoft.com/en-us/library/mt587043(v=exchg.150).aspx. Accessed: Jun. 13, 2016.
[26] G. Foss, "PSRecon - live forensic data acquisition," 2015. [Online]. Available: https://logrhythm.com/blog/psrecon/. Accessed: Jun. 13, 2016.
[27] R. McRee, "Tool tip: Kansa Stafford released, PowerShell for DFIR," SANS Internet Storm Center. [Online]. Available: https://isc.sans.edu/forums/diary/Tool+Tip+Kansa+Stafford+released+PowerShell+for+DFIR/20049/. Accessed: Jun. 13, 2016.
[28] Cloudbase Solutions, "Qemu-img for Windows," 2016. [Online]. Available: https://cloudbase.it/qemu-img-windows/. Accessed: Jun. 13, 2016.
[29] S. A. Awawdeh, I. Baggili, A. Marrington, and F. Iqbal, "Towards a unified agent-based approach for real time computer forensic evidence collection," in Proceedings of the 2013 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM '13), 2013, DOI: 10.1145/2492517.2500310.