Monday, September 2, 2013

Daily Blog #71: Sunday Funday 9/1/13 Winner!

Hello Reader,
         It's Labor Day and boy did I have a great day. So great in fact that I woke up at 6am to smoke ribs rather than get this post up this morning. So here I am late Labor Day evening to announce the winner of yesterday's Sunday Funday contest!

The Challenge:
One of the things that's important in any investigation is knowing what's normal, what should be there and what's missing. On a Windows 7 system with an SSD drive, what forensic artifacts no longer get created or maintained by default?

I was happily surprised to see how many people were aware of the changes made to Windows 7 when SSDs were in use. While we did have a very interesting discussion in the comments regarding in what circumstances these changes take place/do not take place, Jason was the first person to submit this answer at 1am on Sunday!

The Winning Answer:
Jason Hale
Assuming the operating system recognizes that a solid state drive is being used, Windows 7 should disable ReadyBoost, Superfetch, application and boot prefetching, and automatic disk defragmentation. Translated to their respective forensic artifacts, here's what that means:
  • ReadyBoost: No subkeys referencing external devices will be maintained under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt subkey.
  • Superfetch: Files associated with superfetch ("Ag*.db") may or may not exist in the C:\Windows\Prefetch directory, but will not be maintained/updated if they do exist.
  • Application and boot prefetching: Prefetch files (.pf) will not be created and maintained in the C:\Windows\Prefetch directory.
  • Auto Defrag: The scheduled task for a disk defrag will be in the disabled state. You will also not see a prefetch file referencing defrag.exe (although the lack of a prefetch file is due to application prefetching being disabled).
Well done Jason! I'll be sending out your book this week!
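For anyone who wants to turn Jason's list into a repeatable check, here is an added PowerShell survey script (my example for this post, not Jason's submission or anything from the original challenge). It reports on each artifact he names: the .pf files and Ag*.db files under the Prefetch directory, the EMDMgmt subkeys, and the state of the scheduled defrag task. It also reads the EnablePrefetcher/EnableSuperfetch values under PrefetchParameters and queries the task by the path \Microsoft\Windows\Defrag\ScheduledDefrag; those two names are assumptions about a stock Windows 7 build rather than something the post states. The file checks accept an alternate root so you can point them at a mounted image, while the registry and task checks only make sense on the live system.

```powershell
# Added example, not part of the original post: survey the Windows 7 artifacts
# that go quiet when the OS treats the system drive as an SSD. Registry value
# names in step 4 and the task path in step 5 are assumptions (standard builds).
param(
    [string]$SystemRoot = $env:SystemRoot   # e.g. 'X:\Windows' for a mounted image
)

$prefetchDir = Join-Path $SystemRoot 'Prefetch'
$report = [ordered]@{}

function Get-NewestWrite($files) {
    # Most recent LastWriteTime in a file set, or $null when the set is empty
    if ($files) { ($files | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime } else { $null }
}

# 1. Application and boot prefetching: .pf files absent, or present but stale
$pf = @(Get-ChildItem -Path $prefetchDir -Filter '*.pf' -ErrorAction SilentlyContinue)
$report['PrefetchFileCount']   = $pf.Count
$report['NewestPrefetchWrite'] = Get-NewestWrite $pf

# 2. Superfetch: Ag*.db may exist from before the SSD was detected, but should not be updated
$ag = @(Get-ChildItem -Path $prefetchDir -Filter 'Ag*.db' -ErrorAction SilentlyContinue)
$report['SuperfetchDbCount']     = $ag.Count
$report['NewestSuperfetchWrite'] = Get-NewestWrite $ag

# 3. ReadyBoost: subkeys under EMDMgmt record devices that were evaluated for ReadyBoost
$emd = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt'
$report['EMDMgmtSubkeyCount'] = if (Test-Path $emd) {
    @(Get-ChildItem -Path $emd -ErrorAction SilentlyContinue).Count
} else { 'key absent' }

# 4. Prefetcher policy values (assumed names; 0 = disabled, 3 = boot and application)
$pp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$vals = Get-ItemProperty -Path $pp -ErrorAction SilentlyContinue
$report['EnablePrefetcher'] = $vals.EnablePrefetcher
$report['EnableSuperfetch'] = $vals.EnableSuperfetch

# 5. Auto defrag: Get-ScheduledTask does not exist on Windows 7, so use schtasks.exe
$taskName   = '\Microsoft\Windows\Defrag\ScheduledDefrag'   # assumed task path
$taskInfo   = schtasks.exe /Query /TN $taskName /FO LIST 2>$null
$statusLine = $taskInfo | Where-Object { $_ -match '^Status:' } | Select-Object -First 1
$report['ScheduledDefragStatus'] = if ($statusLine) { $statusLine -replace '^Status:\s*', '' } else { 'task not found' }

# 6. Summary flag: only the two unambiguous signals are used; the rest is for the examiner to weigh
$report['LooksLikeSsdProfile'] = ($report['PrefetchFileCount'] -eq 0) -and
                                 ($report['ScheduledDefragStatus'] -eq 'Disabled')

[pscustomobject]$report | Format-List
```

Run it as an administrator on the live box (`.\Survey-SsdArtifacts.ps1`) or with `-SystemRoot 'X:\Windows'` against a mounted image to get the file-system portion only. The summary flag is deliberately conservative: as the comment thread on the original contest noted, whether Windows 7 actually disabled these features depends on whether it recognized the drive as an SSD at the time, so stale Ag*.db files or a handful of old .pf files are something to interpret, not a verdict.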