Batu69 Posted March 7, 2016

Whether you’re worried about malware, or just need to find out what someone else is doing on a PC, logging any executables launched can tell you a lot. Normally this involves installing some kind of monitoring application, like the Event Monitor Service we talked about last week, but if you’re trying to track PC usage without someone’s knowledge, that can be risky. Active logging applications can only tell you what’s happened since they were installed, too, of course -- not much use if you’re trying to find out what’s been happening in the past few days.

Windows File Analyzer is a forensics tool which analyzes various logs to tell you more about how a PC has been used over the past few days, no installation or anything else required. Be sure to launch the program as an administrator -- it doesn’t request elevation, and won’t work properly if you forget.

The opening interface is basic -- menu bar, blank work area -- but clicking the File menu lists all the main tools. Click File > Analyze Prefetch and browse to \Windows\Prefetch, for example, and the program decodes your system prefetch files to display information about the programs you’ve been running. (Assuming prefetch is enabled, anyway -- if you have an SSD then it may be turned off.)

On our test system we saw the executable names, create/written/last accessed dates, file and path hashes, a run count (incorrect, for some reason) and more. Clicking the "Written" column date sorted the list by the order the programs had been executed, and we were able to see the 98 executables our system had launched in the past four hours: programs we’d run, system applications (SearchProtocolHost.exe), background processes and more.

Exactly how far back in time this goes depends on your PC setup and usage, but you’ll probably have two or three days of significant detail, and if nothing else it’ll give you times when your system was on and being used.
If you need to go back further, clicking File > Analyze Shortcuts and pointing the program at a folder of shortcuts tells you more. We tried this out on our desktop, and saw the file name for each shortcut, the path, and the dates each shortcut was created, written or last accessed. (There’s also the NetBIOS name and MAC address for the target, maybe handy if some of these are network drives.)

Elsewhere, there are tools to display the contents of various thumbnail databases, including Windows’ Thumbs.db, ACDSee’s *.fpt, Google Picasa’s *.db, FastStone Viewer’s fsviewer.db and HP Digital Imaging’s *.db or *.dat files.

Windows File Analyzer has been around for more than 10 years, and its age shows in places. Windows hasn’t used the thumbs.db format for a long time, Internet Explorer analysis is limited to Index.dat files (IE9 or earlier), even the "guidance" manual is dated 2005. Bizarrely, you can’t directly save its reports, either -- there’s a Print option only.

Despite that, the program can give you plenty of information about PC activities, and -- if you’re using one of the supported applications -- the thumbnail database tools will probably justify the download all on their own. But if it doesn’t work for you, try NirSoft’s similar LastActivityView instead.

Windows File Analyzer is a free application for Windows 2000 and later.
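To show what "decodes your system prefetch files" actually involves, here is a small prefetch header decoder, added as an example and not code from Windows File Analyzer or the original post. It recovers the fields the article lists (executable name, path hash, last run time, run count) from a constructed version 23 (Vista/7) header; the field offsets per format version are those of the documented prefetch layout, and the sample bytes, hash value and timestamp are made up for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets of the last-run FILETIME and the run counter by prefetch format version
# (17 = XP/2003, 23 = Vista/7, 26 = Windows 8.x, 30 = Windows 10). Windows 10 stores
# .pf files MAM-compressed and one later variant moves the counter; not handled here.
_LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0), 30: (0x80, 0xD0)}
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Decode the header fields Windows File Analyzer lists for one .pf file."""
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("not an uncompressed SCCA prefetch file")
    version, = struct.unpack_from("<I", data, 0)
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    last_run_off, run_count_off = _LAYOUT[version]
    if len(data) < max(last_run_off + 8, run_count_off + 4):
        raise ValueError("file truncated before the run-time / run-count fields")
    file_size, = struct.unpack_from("<I", data, 12)
    # Executable name: NUL-terminated UTF-16LE in a fixed 60-byte field.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    # Hash of the executable's path; the same value appears in the .pf file name.
    path_hash, = struct.unpack_from("<I", data, 76)
    last_run, = struct.unpack_from("<Q", data, last_run_off)
    run_count, = struct.unpack_from("<I", data, run_count_off)
    return {"version": version, "file_size": file_size, "executable": exe_name,
            "path_hash": f"{path_hash:08X}", "run_count": run_count,
            "last_run": filetime_to_datetime(last_run)}

def build_sample_prefetch():
    """Constructed Vista/7-style (version 23) header for the demo, not a real file."""
    buf = bytearray(0xA0)
    struct.pack_into("<I", buf, 0, 23)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 12, len(buf))
    name = "NOTEPAD.EXE".encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0xD8414F97)  # constructed hash value
    when = datetime(2016, 3, 7, 10, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, int((when - _EPOCH_1601).total_seconds()) * 10_000_000)
    struct.pack_into("<I", buf, 0x98, 42)  # run count
    return bytes(buf)

if __name__ == "__main__":
    print(parse_prefetch(build_sample_prefetch()))
```

Reading a real file is `parse_prefetch(open(path, "rb").read())`; on Windows 8 and later the same header also holds the previous seven run times, which the tool's single "last run" column does not show.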
straycat19 Posted March 8, 2016

I would not consider this a forensic tool since it makes changes to the hard drive when it is run, and that violates the basic rule of live forensic programs that they not touch the hard drive and change or add ANY data to it. It can be considered a good information tool for laymen.

Unfortunately, the term 'forensic tool' is thrown around way too often without any actual testing to see if it actually conforms to what is acceptable as a forensic tool. For example, do a SHA256 hash of an entire drive, then run the forensic tool you want to test, and after closing it run another SHA256 hash. If the hashes match exactly then the tool did not touch the drive and is forensically sound, though one test is not considered enough; you would need a hundred tests on different systems to qualify the tool.

Forensic technicians have to certify every tool they use themselves, because when you testify about your results you have to be able to show through records and tests where your forensic tools have been certified as forensically sound in case your results are questioned. Usually the opposing parties will have access to this data before the actual trial and just stipulate that the forensic tools/procedures are sound and accurate.