Affiliation:
1. College of Police and Criminal Justice, Dongguk University, Seoul, South Korea
Abstract
Anti-forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti-forensic techniques that detect file-wiping activities. Many previous studies have focused on the effects of file-wiping tools on $MFT, $LogFile, and $DATA rather than on Windows artifacts. Additionally, the previous studies that did examine Windows artifacts each considered a different set of artifacts, making it difficult to study them in a comprehensive manner. To address this, we comprehensively analyzed the traces left in 13 Windows artifacts by the operation of 10 file-wiping tools on the Windows operating system. For our experiments, we installed each file-wiping tool on a separate virtual machine and checked the traces that the tool left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces in the artifacts other than JumpList, Open&SavePidlMRU, and lnk; there were also some cases where traces remained in those three artifacts. Based on our research, forensic investigators can quickly identify whether a file-wiping tool has been used, which can assist in decision-making for evidence collection and forensic triage.
Funder
Institute for Information and Communications Technology Promotion
Subject
Genetics, Pathology and Forensic Medicine
Cited by
1 articles.