Simplifying Digital Triage with Bootable Forensic Tools
2022-3-23 16:55:39 Author: blog.elcomsoft.com(查看原文) 阅读量:24 收藏

Elcomsoft System Recovery speeds up in-field investigations by providing experts with a forensic tool they can use by booting a PC from a dedicated USB media. The recent update extended the functionality of the tool by adding three new forensic tools.

What’s it all about?

Elcomsoft System Recovery is a digital triage tool for examining computers in the field. The tool helps overcome the challenger of accessing a locked system, delivering a straightforward workflow for investigating computers in the field.

Originally released as a simple tool for resetting Windows users’ passwords, Elcomsoft System Recovery is now evolving into a feature-rich bootable forensic toolkit. The new release makes field analysis faster and more straightforward while still producing court admissible evidence with write-blocking disk imaging. Conveniently, using the new features does not require the user’s or administrator’s password. The newly added forensic tools include:

Timeline: allows reviewing the user’s activities logged by the Windows Timeline. This includes the list of launched apps and past activities laid out in the convenient timeline view.

Recent files and folders: lists recently accessed files and folders.

Installed apps: lists applications installed in the system.

Thanks to these new analysis features, experts can simply boot a PC from a USB flash drive and quickly review the user’s latest activities. The shortcut saves the time and effort of removing and imaging the hard drive(s), making it possible to make real-time decisions in the field.

Using Elcomsoft System Recovery forensic tools

To access the new Forensic Tools section, boot the computer being investigated from a dedicated USB media with Elcomsoft System Recovery 8.20 or newer. If you have not done it already, here’s how to make the bootable USB drive with Elcomsoft System Recovery: A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption.

Once you boot the computer into Elcomsoft System Recovery and accept the license agreement, you will see the program’s main window. Click the newly added “Forensic Tools” shortcut at the bottom of the window.

At this time, three forensic tools are available: Installed Apps, Timeline, and Recent files and folders.

Installed apps

The Installed apps tool displays the list of applications installed in the system being investigated:

When using this tool, you can choose between listing regular applications of installation packages. This is how the list of regular applications looks like:

The list of installation packages corresponds to the list of apps displayed in the Windows Control Panel (add/remove programs). This is how it looks like:

You can export the list of installed applications into a text file.

Timeline

Windows Timeline is a feature that first appeared in the Windows 10 April 2018 Update. The feature enhances Task View, enabling a glance into the past by displaying the user’s historical activities. The Timeline contains timestamped information about the user’s launched applications, searches, documents, and Web browsing history. Along with Windows jumplists, the feature is little known and rarely disabled, giving a valuable insight into the history of system’s usage.

Microsoft used to synchronize the Timeline with the user’s Microsoft Account. This is no longer the case today. Since April 2021 Microsoft discontinued the Timeline as a cloud service. However, the corresponding low-level data is still collected and stored locally on all Windows 10 and Windows 11 systems. This information can be extracted and analyzed with Elcomsoft System Recovery. By analyzing the Timeline data, experts can access to timestamped information about the app usage and Web page visits.

Timeline data is collected individually per user. When analyzing the timeline, you will have to specify the Windows installation path as well as the path to the user profile. The user’s password is not required.

The process can be repeated for every user account registered on the computer.

Recent files and folders

Just like the Timeline, Recent files and folders is a user-specific feature, requiring the path to the user profile.

By default, the tool only returns the list of recently accessed files. You can check the “Show recent folders” box to display the list of recently accessed folders.

The result will be sorted by last access time. You can change the order by clicking on the corresponding column or export the list of recent files and folders for future analysis.


REFERENCES:

Elcomsoft System Recovery

Reset passwords to local Windows accounts and Microsoft Account and perform a wide range of administrative tasks. Assign administrative privileges to any user account, reset expired passwords or export password hashes for offline recovery, and create forensic disk images. Elcomsoft System Recovery is ready to boot thanks to the licensed Windows PE environment, allowing administrators to access locked computers.

Elcomsoft System Recovery official web page & downloads »


文章来源: https://blog.elcomsoft.com/2022/03/simplifying-digital-triage-with-bootable-forensic-tools/
如有侵权请联系:admin#unsafe.sh