Windows Forensics: Examine Windows Files and Metadata

Ahmed Belhadjadji
4 min readMar 27


The Windows forensics methodology comprises of 8 phases, and we have previously covered the initial five. If you wish to explore them further, you can refer to the provided links.

1- Gathering Volatile Information: link

2- Collecting Non-volatile Information: link

3- Memory Analysis: link

4- Registry Analysis: link

5- Cache, Cookies, and History Analysis: link

During a Windows system investigation, investigators often need to identify any modifications that attackers may have made to application files on the system. To achieve this, investigators must analyze the following components:

Restore Point Directories:

These directories contain information about the installation or removal of application files, as well as any changes made to them.

  • RP.log file: contains description of the event that caused the restore point creation
  • Change.log files: record file changes , which are located in the restore point directories

Prefetch Files:

Examining the prefetch directory assists in identifying the applications that were executed on the system.

  • When a user installs an application, runs it, and deletes it , traces of that application can be found in C:\Windows\Prefetch directory
  • Number of launch times (DWORD value at the offset 144)
  • Last launch time (DWORD value at the offset 120)
  • Correlate information from .pf file with the registry or Event Log information to determine logged-on users, running applications, etc.
  • WinPrefetchView ( reads the Prefetch files present on the system and displays the information such as File Size, MAC Times, Run Counter, Process EXE, Process Path, Last Run Time, etc.
  • Check if prefetching is enabled at: HKLM\SYSTEM\ControlSet001\Control\SessionManager\MemoryManagement\PrefetchParameters\EnablePrefetcher
0: disabled 
1: Application prefetching
2: Boot prefetching
3: application and boot prefetching

Image Files and EXIF Data:

Analyzing JPEG image files and the EXIF data they contain can provide insight into the metadata associated with those images.

This section outlines the process of examining these Windows files and the associated metadata.

  • Metadata on JPEG image file depends on the application that created or modified it
  • Digital cameras embed Exchangeable Image File Format (EXIF) information in images, including GPS data, device model, serial Number, etc.
  • ExifReader, EXIF Library, and ExifTool display EXIF data found in a JPEG image.
  • Use Exiv2 ( or IrfanView ( to view, retrieve, or even modify image metadata.


Metadata associated with any file type reveals various characteristics and finer details related to the creation, access, and modification of files.


Metadata associated with any file type reveals various characteristics and finer details related to the creation, access, and modification of files.

  • Users may unintentionally disclose confidential information when sharing or providing electronic files because such information is often not readily visible
  • Examples of metadata: Organization name, Author name, Computer name, Network name, Hidden text or cells, MAC times (modified, accessed, and created)
  • Copy a file: retains the same modification date, but updates creation date to the current date
  • Move a file: retains the same modification and creation date
  • $STANDARD_INFO (SI) can be modified by user level processes $FILE_NAME (FN) can only be modified by the system kernel
  • You can use the Perl scripts and to extract metadata from PDF files (author name, creation date and application, if the file was created on a Mac or by converting from a Word file)
  • You can use the Perl scripts and to list the OLE streams embedded in a Word document (up to last 10 editors, past revisions)
  • Use tools such as Metadata Assistant, Paraben P2 Commander, and Metashield Analyzer to analyze metadata

Other Locations


  • Windows OS can track the view preferences of folders such as its size, position, and location that have been visited by the user via Windows Explorer
  • These view preferences are stored in Windows OS as Registry keys known as “ShellBags”
  • Bags key: HKCU\Software\Microsoft\Windows\Shell\Bags -> view preferences
  • BagMRU: HKCU\Software\Microsoft\Windows\Shell\BagMRU -> tracks recently accessed directories, even after the directory is removed, which can be used to enumerate previously mounted drives, deleted files and User/Intruder actions.
  • Use ShellBags Explorer (github/ericzimmerman), ShellBagsView (NirSoft), SBag (tzworks) to browse ShellBag data

LNK Files:

  • The investigator can get valuable insights on user activities analyzing shortcut files in C:\Users\[TargetUser]\AppData\Roaming\Microsoft\Windows\Recent directory
  • Use Lnk Explorer (github/ericzimmerman) to decode information contained in shortcut files.
LECmd -d C:\Users\ TargetUser]\AppData\Roaming\Microsoft\Windows\Recent -q - -csv .\

Analyzing Jump Lists:

  • A taskbar feature of Windows 7 and above versions that provides the user with a graphical interface to the recently accessed applications, files and performed actions
  • AutomaticDestinations: C:\Users\[TargetUser]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations (created automatically by the OS)
  • CustomDestinations: C:\Users\[TargetUser]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations (created when a user pins a file/program to taskbar)
  • JumpListExt ( is tool that parses Jump Lists and helps investigators analyze them.

I hope that you like the article, happy learning !!