DFIR/DTR Tip:- File history Value for Forensic Team
Mohammed AlAqeel
Subject Matter Expert in Cyber Defense solutions | Digital Forensic Incident Response|SecOps| Cyber Threat Intelligence| Threat Detection and Response |GCFA | GCFE| GCTI| eCMAP| OSCP| OSINT/SOCMINT | IT and OT.
Who looks for a File History backup during an investigation? The feature is turned off by default, but when it is turned on it leaves several values of interest to investigators, which is why it is worth treating as a forensic artifact. File History was introduced with Windows 8 and changed how backups had been used before: in earlier versions of Windows, backups could only be maintained and restored through the default system backup. From Windows 8 onwards the solution is more robust and allows backups to be stored both on removable media and on remote network shares. By default it backs up folders such as Music, Documents, Videos, Contacts and Favorites. A few artifacts are created when File History is turned on: the File History folder, a Registry value, and Windows Events. The File History folder is located at:
C:\Users\<username>\AppData\Local\Microsoft\Windows\FileHistory
Within this folder there is a Configuration folder and a Data folder.
Note :- If the File History option has been turned on, a registry key is also created. This key is only present for users who have turned the feature on. The registry key can be found at HKU\Software\Microsoft\Windows\CurrentVersion\FileHistory
Within this key there is a value named "ProtectedUpToTime" that records the last time this process backed up.
Another good place to gather more information about File History is the Windows System Events, which provide auditing information related to File History:
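The three artifacts above (folder, registry value, events) can be collected from a live system in one pass. The script below is an added example, not part of the original post or any tool the post recommends; it resolves the HKU path per loaded user hive (SID subkeys), assumes ProtectedUpToTime is stored as a 64-bit FILETIME (falls back to the raw value otherwise), and discovers event logs by name rather than assuming a specific log.

```powershell
# Added example: triage File History artifacts for every profile on a live host.
# Run in an elevated PowerShell session. Assumptions are marked in comments.

function Get-FileHistoryArtifacts {
    [CmdletBinding()]
    param([string]$UsersRoot = 'C:\Users')

    # 1. File History folder and its Configuration / Data sub-folders
    Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $fh = Join-Path $_.FullName 'AppData\Local\Microsoft\Windows\FileHistory'
        if (Test-Path $fh) {
            [pscustomobject]@{
                Artifact = 'Folder'; User = $_.Name; Location = $fh
                Detail   = (Get-ChildItem $fh -Directory | Select-Object -ExpandProperty Name) -join ', '
            }
        }
    }

    # 2. Registry key under each loaded user hive (HKEY_USERS\<SID>\...).
    #    Assumption: ProtectedUpToTime is a 64-bit FILETIME; otherwise show raw value.
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $key = "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\FileHistory"
            if (Test-Path $key) {
                $raw  = (Get-ItemProperty $key -ErrorAction SilentlyContinue).ProtectedUpToTime
                $when = if ($raw -is [long] -or $raw -is [uint64]) {
                            [DateTime]::FromFileTimeUtc([long]$raw).ToString('u')
                        } else { "$raw" }
                [pscustomobject]@{ Artifact = 'Registry'; User = $_.PSChildName; Location = $key
                                   Detail = "ProtectedUpToTime=$when" }
            }
        }

    # 3. Event logs: every log whose name mentions FileHistory and has records
    Get-WinEvent -ListLog '*FileHistory*' -ErrorAction SilentlyContinue |
        Where-Object RecordCount -gt 0 | ForEach-Object {
            Get-WinEvent -LogName $_.LogName -MaxEvents 10 -ErrorAction SilentlyContinue | ForEach-Object {
                $first = ($_.Message -split "`n")[0]
                [pscustomobject]@{ Artifact = 'Event'; User = ''; Location = $_.LogName
                                   Detail = "$($_.TimeCreated.ToUniversalTime().ToString('u')) id=$($_.Id) $first" }
            }
        }
}

Get-FileHistoryArtifacts | Format-Table -AutoSize -Wrap
```

On a disk image rather than a live host, point the folder check at the mounted profile path and load the user's NTUSER.DAT hive under HKU before running the registry step.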
Links :-
The specific details about the location of key files and registry entries add practical insights for those engaged in digital forensic incident response. Mohammed's recommendation of Grzegorz Tworek's PowerShell script further enhances the tip, providing a practical resource for investigators.
The reference to Grzegorz Tworek's PowerShell script for exploring the EDB file adds a useful tool to the investigator's toolkit. Overall, a well-structured and informative tip for digital forensic incident response professionals.
Entrepreneurial Leader & Cybersecurity Strategist
11 months · The explanation of file history artifacts, including the File History folder, Registry Value, and Windows Events, provides a comprehensive overview for investigators to consider. The mention of specific locations such as the Configuration folder and the Registry key adds practical details for forensic teams.
SOC Analyst @ TMB/Easy Paisa | EDR | XDR | SIEM | PAM | Top 2% @TryHackMe | Cyber Threat Intelligence | Tracking APT Groups Targeting Pakistan | Pursing Masters in Computer Network and Security @ FAST ISB
11 months · Thank you for sharing