Windows Forensic Checklist

Pre-Investigation

• Establish a clean and isolated forensic environment to prevent contamination of evidence.
• Ensure all forensic tools are up-to-date and compatible with the Windows version being examined.
• Document the case background, scope, and objectives.

Acquisition of Evidence

• Safely power down the target system and remove it from the network.
• Create a forensic image (bit-for-bit copy) of the target system's storage media.
  • Tools: dd, FTK Imager, ddrescue
• Verify the integrity of the acquired image using checksums (e.g., MD5, SHA256).
• Create a write-protected copy of the acquired image for analysis.
  • Tools: AccessData WriteBlocker

Examination of Evidence

• Analyze the file system structure to identify relevant files and directories.
• Examine the Windows Registry for system and user-related information.
• Check for evidence of malware, suspicious processes, and network activity.
• Recover deleted files and artifacts, if necessary.
  • Tools: Autopsy, Recuva
• Collect information about user accounts, system settings, and installed software.
• Examine event logs (Security, System, Application) for security-related events.
• Review browser history, cache, and cookies for web activity.
  • Tools: NirSoft BrowsingHistoryView
• Analyze system memory (RAM) for running processes and volatile artifacts.
  • Tools: Volatility, Magnet RAM Capture
• Identify and analyze registry hives (e.g., SOFTWARE, NTUSER.DAT) for user and system data.
• Extract and analyze metadata from files, including timestamps and ownership details.

Timeline Analysis

• Create a timeline of system events and user activities.
• Correlate events from different sources, such as logs and artifacts.
• Identify suspicious or anomalous activities based on the timeline.
• Document a chronological sequence of events for the investigation.

Analysis of Artifacts

• Examine specific artifacts for evidence, such as:
  • Prefetch files (C:\Windows\Prefetch) for executed applications.
  • Shellbags for folder navigation history.
  • LNK files for shortcuts and recent file access.
  • Jump lists for recently opened files and applications.
• Analyze the Windows Event Log for security-relevant events.
• Check the Windows Task Scheduler for scheduled tasks.
• Examine Windows Update and patch management history.

Network Forensics

• Analyze network traffic logs, if available.
• Identify network connections and open ports on the target system.
• Investigate evidence of network intrusions or suspicious outbound connections.
• Check DNS cache for evidence of visited websites.
• Determine if the system was part of a botnet or involved in malicious activities.
• Correlate network activity with system logs and artifacts.

Reporting and Documentation

• Create a detailed forensic report that includes findings, analysis, and conclusions.
• Document the forensic process, including acquisition, examination, and analysis steps.
• Include all relevant artifacts, logs, and extracted evidence in the report.
• Ensure the report is clear, concise, and well-organized.
• Maintain the chain of custody documentation for all evidence handled during the investigation.

Preservation of Evidence

• Store all forensic evidence securely to prevent tampering or loss.
• Maintain a record of who has accessed the evidence and for what purpose.
• Comply with legal and ethical guidelines for evidence preservation.

Legal Considerations

• Adhere to legal requirements and obtain necessary permissions for the investigation.
• Consult with legal counsel if required for handling sensitive cases.

Follow-Up Actions

• Implement security measures to prevent a similar incident from occurring in the future.
• Continuously monitor the network and systems for any signs of compromise.