Uncovering Deleted Items and File Existence in Digital Forensics.

When investigating digital forensics cases, confirming which files were deleted or previously existed is crucial. Whether tracking user activity or validating forensic evidence, understanding where and how to find artifacts plays a key role in uncovering the truth.

However, putting them all together in a structured way helps streamline forensic investigations.

This article serves as a reference guide, consolidating various forensic artifacts that indicate deleted items and file existence, along with their advantages, disadvantages, and relevant analysis techniques.

----------------------------------------------------------------------------------------------------------

1. Thumbnail Cache (Thumbs.db / Thumbcache)

• Artifact: Thumbs.db (Windows XP) and Thumbcache (Windows Vista and later)

• Forensic Importance: Stores thumbnail previews of images and documents, even after deletion.

Article:

Understanding and Managing Thumbnail Cache in Windows: Tools thumbcache_viewer_64

----------------------------------------------------------------------------------------------------------

2. Recycle Bin

• Forensic Importance: Stores deleted files before permanent removal.

Article:

• Windows Recycle Bin Forensics: Recovering Deleted Files

• Analyzing Recycle Bin Metadata with RBCmd and $I_Parse

----------------------------------------------------------------------------------------------------------

3. User Typed Paths

• Registry Path: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

• Forensic Importance: Tracks file paths typed in the Windows Explorer address bar.

Article:

Windows Registry Artifacts: Insights into User Activity (Typed Path)

----------------------------------------------------------------------------------------------------------

4. Windows Search Database

• Artifact: Windows.edb

• Forensic Importance: Stores indexed metadata of files searched on the system.

Article:

• Unlocking Windows Search Indexing for Forensics: A Deep Dive

• A Deep Dive into Windows Search Database Parsing (WinSearchDBAnalyzer / SQLite / SIDR)

----------------------------------------------------------------------------------------------------------

5. Search WordWheelQuery

Registry Hive: NTUSER.DAT

Key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Stores user-searched keywords from the Start menu.

Registry Explorer

----------------------------------------------------------------------------------------------------------

Conclusion

Analyzing deleted files and file existence artifacts plays a vital role in forensic investigations. By leveraging Windows registry artifacts, cache files, and search history, investigators can reconstruct user activity, track deleted files, and build a strong case with digital evidence. A structured approach to investigating these artifacts ensures efficiency and thoroughness in forensic analysis.

-------------------------------------------------Dean------------------------------------------------------