There are three components to the proper forensic analysis of Windows systems: (1) a strong understanding of the FAT and NT file systems; (2) an understanding of Windows 'artefacts,' including how to find them and interpret their properties; and (3) the use of proper computer forensic software. This chapter assumes knowledge of the FAT file system, and begins with an overview of the Windows NT file system. Detailed technical examples are provided for FAT file systems and the key concepts are extended to NTFS. In addition to describing the differences between recovering deleted files and folders on FAT versus NT file systems, this chapter demonstrates the investigative and probative usefulness of several Windows artefacts, including Recycle Bin INFO Files, enhanced metafiles, and link files.

Forensic examiners have only recently begun to understand and make use of many Windows artefacts. The evolution of integrated forensic search and recovery tools such as EnCase has enabled examiners to raise their focus from simply finding text and manually recovering images to identifying system-generated indicators and artefacts that qualify and give meaning and context to the evidence and the user's state of mind. Beyond determining the existence of a keyword of interest, or locating a graphical image that appears to constitute evidence, an examiner can explore attendant artefacts that are produced by the operating system and that can serve to confirm or refute a computer user's assertions of lack of intent or lack of knowledge. Additionally, those artefacts mined from unallocated clusters...