Windows forensic files

I’d like to back up important Windows files for forensic purposes. I am aware of the Event Logs and antivirus logs; are there any other logs or files that hold personal-use information, connections or any other important information that could be backed up aside from those? If so, where are they located?

Using Windows Registry and File Forensic Locations in Investigations

There are a number of forensically-useful areas in the Windows registry and file system like those detailed in this SANS Poster. I’ve found this data can be really useful when I’m conducting investigations.

I was curious about how much others take advantage of this data.

  1. Do you use the data found in those locations as part of your investigations?
  2. What tool(s) do you use to extract the data from those locations?
  3. What tool(s) do you use to visualize/interact with the data you’ve extracted?
  4. Do you bring that data you’ve extracted into your SIEM?
  5. Do you use any dashboards/add-ons/apps within your SIEM to interact with that data?

Is it possible to recover files from an encrypted home directory with a forensic tool?

Lately I have done forensic analysis on my computer (with photorec) to see how many deleted files I can recover. During the analysis I recovered some photos and videos from my different partitions: Windows, Linux (user with a non-encrypted home directory), but I didn’t recover any file of my user with an encrypted home directory. Perhaps I did not do the analysis well, or perhaps the files were overwritten. But my main theory is that I cannot recover those files because they are encrypted; that’s why I’m asking this question: is it possible to recover files from an encrypted home directory?

I encrypted my home directory with ecryptfs

Can SSD data be recovered through Forensic Explorer?

I apologise in advance as I am a noob and a noob to this site. I am trying to recover deleted files from an SSD using Forensic Explorer. Once the image processing on the SSD had been completed using the write blocker, I opened up AccessData FTK Imager and then I saved the files. Then I opened up Forensic Explorer and I can see the files that I deleted in the recycle bin but cannot retrieve them.

Maybe I am coming at this all wrong. I was reading up on SSDs and some say that you can retrieve deleted data and some sites say that you cannot. If anyone has experience with Forensic Explorer or knows of an alternative, I would appreciate it.

Cheers 🙂

Is there a way to get a forensic image of an EC2 instance?

I currently have an instance on AWS which was compromised and resulted in me losing control. I have shut down the instance since then, but I require a forensic image of the volume so that I can analyze it further.

I have mounted the volume onto another instance to run the dd command. When I check the size of the volume it shows 16MB used. What am I doing wrong?
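As an added example, not code from the question above, here is the kind of dd-based imaging routine a responder would run against the raw block device of an evidence volume (the device node, assumed here to be something like /dev/xvdf, rather than the directory it is mounted on), with a SHA-256 hash of source and image recorded so the copy can be verified later. For an offline demonstration the "volume" is a constructed temporary file filled with random bytes; the function names and the sidecar .sha256 file are my own choices, not part of the post.

```shell
#!/bin/sh
# Added example (not from the original post): image a volume with dd and
# verify the copy by hash. SOURCE is a constructed file for the demo; on a
# real evidence volume it would be the raw device node (e.g. /dev/xvdf),
# attached but NOT mounted, and DEST would live on a separate, larger volume.

image_and_verify() {
    src="$1"   # raw device or file to image
    dst="$2"   # destination image file
    # Plain sector copy. On failing media one would add conv=noerror,sync, but
    # that pads unreadable blocks with zeros, so the hashes would then differ
    # and the padding must be accounted for separately.
    dd if="$src" of="$dst" bs=1048576 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    # Record both hashes beside the image for the chain-of-custody notes.
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst" > "$dst.sha256"
    if [ "$src_hash" = "$dst_hash" ]; then
        echo match
    else
        echo MISMATCH
        return 1
    fi
}

# Constructed sample "volume" for the demo: 3 MiB of random bytes in a temp file.
make_sample_volume() {
    tmp=$(mktemp)
    dd if=/dev/urandom of="$tmp" bs=1048576 count=3 2>/dev/null
    echo "$tmp"
}

# Usage on the constructed sample:
#   src=$(make_sample_volume); image_and_verify "$src" /tmp/evidence.dd
```

The 16MB figure a df-style check reports for a mounted filesystem is the space in use by that filesystem, not the size of the block device; dd reads the whole device, so the resulting image is as large as the volume itself, and the hash comparison above is what confirms the copy is byte-for-byte complete.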

Can you wipe a USB flash drive so securely that it’s impossible to recover deleted files through forensic analysis?

Internal SSDs can be wiped with TRIM, but USB sticks are external SSDs. They’re apparently difficult to wipe securely enough to make forensic analysis of the device impossible. This question has been asked before, about 4 or 5 years ago, and the information is probably outdated. I’m looking for up-to-date advice on how to securely wipe files on a USB drive from bootable media.

Is it possible to have a setup that can securely wipe a USB drive with TRIM? Does anyone know of any programs that will securely shred files on a USB drive, making them impossible to recover via forensic recovery software?