2016 Cybersecurity and Cyberforensics Conference
Windows Forensic Investigations using PowerForensics Tool
Akram Barakat
Security Researcher
Princess Sumaya University for Technology
Amman, Jordan
akram.f.barakat@gmail.com
AbstractDigital forensic investigations has become an
important field in this era due to the raise of cybercrimes.
Therefore, most governments and companies found the
urgent need to invest more in research related to digital
forensic investigations. To perform digital forensic
investigations covering extraction, analysis, and reporting
of digital evidences, new methods and techniques are
required. One of these methods used when applying digital
forensics on a Windows operating system, is PowerShell.
While PowerShell is mainly used to configure, manage and
administrate the Windows operating system and other
installed programs, this paper will also show that it could
be used to collect forensic evidences from a Windows
operating system. This paper will discuss Windows
PowerShell functions and how they can be beneficiary to a
digital forensic investigator. Moreover, the paper will
focus on the tools and modules made specifically for
forensic investigations. Subsequently, different digital
forensic experiments will be conducted using
PowerForensics tool in order to extract and identify
different Windows forensic artifacts. The results are
presented the capabilities of PowerForensics tool to
extract forensic evidences from Windows operating system
and provide an insight into its limitations.
Keywords-PowerShell Forensics; PowerForensics;
Windows Forensics; Winodws artifact; digital investigation
I. INTRODUCTION
The world is consistently increasing their
dependency on digital devices, and information systems
running on top of them. Information is being stored and
exchanged using these different digital devices or
machines. Such level of usage and the peoples
dependency on these devices, lead to the exposure of a
new type of threat and crime. Such threats and crimes
could be named cyber threats and cybercrimes,
respectively.
Threats that are targeting such devices require a
special kind handling. Crimes that are done, whether
against or using such devices will need to be
investigated differently in order to reach the proper
evidence to either incriminate the suspect or refute
him/her.
Digital forensic investigation defined as the use of
scientifically derived and proven methods toward the
preservation, collection, validation, identification,
analysis, interpretation, documentation and presentation
of digital evidence derived from digital sources for the
purpose of facilitating or furthering the reconstruction
of events found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to planned
978-1-5090-2657-9/16 $31.00 2016 IEEE
DOI 10.1109/CCC.2016.18
Ali Hadi
Computer Science Dept.
Princess Sumaya University for Technology
Amman, Jordan
a.hadi@psut.edu.jo
operations [1]. Its mainly related to criminal and
unauthorized actions [2].
In order to conduct a successful digital forensic
investigation of a cybercrime, investigators will usually
need to process and analyze a huge number of variant
data and system artifacts to reach a better insight of
what happened.
There are different investigation models that digital
investigators could follow to derive the investigation
starting from determining incident until the final report
and presentation. In general, the standard model used in
the investigation process consist of four main stages: (1)
preparation, (2) physical investigation, (3) digital
investigation and (4) results [3, 4]. In digital
investigation stage, an investigator preserves, collects
and performs thorough analysis of the digital evidence in
custody using special methods and techniques depending
on the type of hardware and software used.
Windows forensics are any method or technique
used to extract the evidence from Windows operating
system. The reason why the Windows operating system
has seen huge concern in investigations, is due to the
fact that around 87% of client computers using Windows
operating system since May 2016 [5]. With that said,
there is still an intense need for research related to
Windows operating systems. One of the tools that can be
used for forensic investigations in a Windows OS
environment is PowerShell.
Detecting and extracting evidences require a deep
knowledge of the investigator in the technology used in
order to be able to collect, acquire and analyze digital
devices and systems in the right and effective manner to
reach an accuracy in his/her results. Therefore, gaining
knowledge about Windows artifacts will help
investigators when analyzing suspects computers that
are running a Windows operating system [6, 7].
According to SANS Institute [8], Patrick Leahy
Center for Digital Investigation (LCDI) [9] and others
[10, 11], Windows artifacts are divided into the
following categories:
1) General Machine information
This category includes machine name, network
addresses and OS information. Table I shows some of
the most important machine artifacts and each ones
location.
TABLE I. GENERAL MACHINE INFORMATION ARTIFACTS
Artifact Registry Location
SYSTEM:
Machine
ControlSet001\Control\ComputerName\Computer
Name
Name , ComputerName
OS SOFTWARE:
41
 Microsoft\Windows NT\CurrentVersion , Executed program %systemroot%\Prefetch
ProductName & CSDVersion Program cache Depends on program
SOFTWARE: Microsoft\Windows
Owner
NT\CurrentVersion , RegisteredOwner
User
5) Internet activity
SAM: Domains\Account\Users\Name As most computers are connected to the Internet
accounts
SOFTWARE: Microsoft\Windows [12], there is a dedicated category of such artifacts.
System root
NT\CurrentVersion , PathName Table V shows the most used artifacts related to Internet
SYSTEM: activity [13].
IP address ControlSet001\Services\Tcpip\Parameters\Interface
s\<Interface GUID> , DhcpIPAddress TABLE V. INTERNET ACTIVITY ARTIFACTS
SOFTWARE:
Last logged Artifact Location
Microsoft\Windows\CurrentVersion\Authentication
on user
\LogonUI , LastLoggedOnUser %systemdrive%\Users\<USERNAME>\AppData\L
IE History
ocal\Microsoft\Windows\History
NTUSER:
2) User account activity Typed
SOFTWARE\Microsoft\Internet
As shown in Table II, there are many artifacts related URLs
Explorer\TypedURLs
to user activities such as login times, login status, and if %systemdrive%\Users\<USERNAME>\AppData\l
Downloads
the login was successful or not. Furthermore, there is an ocal\Microsoft\Windows\IEDownloadHistory
ability to identify if the login was through the console %systemdrive%\Users\<USERNAME>\AppData\l
Cookies
(direct access to the machine) or using a remote ocal\Microsoft\Windows\INetCookies
%systemdrive%\Users\<USERNAME>\AppData\l
connection. Moreover, each user profile information can Cache
ocal\Microsoft\Windows\INetCache
extract such as profile root path, user security identifier
(SID) and other user information.
6) External storage device
TABLE II. USER ACCOUNT ACTIVITY ARTIFACTS External storage devices are one of the very
important sources that are used for data leakage. These
Artifact Location
First login Found in NTUser.dat creation date
artifacts should be taken into deep consideration for
Last login Found in NTUser.dat last modified date most investigations. This is why, there is a special
Success/fail login From event viewer, logon events category of these artifacts and Table VI list a number of
Login type From event viewer, logon type them.
Found in SOFTWARE: Microsoft\Windows
User SID TABLE VI. EXTERNAL STORAGE DEVICE ARTIFACTS
NT\CurrentVersion\ProfileList
Found in SOFTWARE: Microsoft\Windows
Profile path Artifact Location
NT\CurrentVersion\ProfileList
From registry, SYSTEM
Last used
CurrentControlSet\Enum\USB\VID_<VendorID
time
3) Folder/File activity >&PID_<ProductID>
This type of artifacts related to all the events that From registry, NTUSER:
have occurred on files and folders from access activity to User Software\Microsoft\Windows\CurrentVersion\Ex
plorer\MountPoints2\<USB GUID>
the file until action event such as copy, move, rename Device From registry, SYSTEM:
and delete. Furthermore, all links and shortcuts such as information ControlSet001\Enum\USBSTOR
.LNK files and Jumplists are related to this category. Device events %systemroot%\inf\setupapi.dev.log
Table III presents several folder and file activity, artifact
with their associated location. The rest of this paper is organized as follows:
TABLE III. FOLDER/FILE ACTIVITY ARTIFACTS
Section two covers the related work, and Windows
artifact sources. Section three covers the experiments
Artifact Location conducted using PowerForensics. The results of the
%systemdrive%\Users\<USERNAME>\A experiments will be presented in section four, and the
Recent used activity
ppData\Roaming\Microsoft\Windows\Rec
(modify/access)
ent
last section includes the conclusions reached and future
Deleted file DRIVE:\$RECYCLE.BIN\SID works that could be done in this area.
%systemdrive%\/ProgramData/Microsoft/
Shortcut files (.LNK) II. RELATED WORK
Windows/Start Menu/Programs
%APPDATA%\Microsoft\Windows\Rece NTFS is the main file system used with Windows
Jumplists
nt Items
operating systems based on NT technology such as
Windows 2000, XP, 7, 8, 10 and even Windows server
4) Program 2012 R2. It was designed to provide more enhancement
Program details, history and cache are good artifacts in security, scalability and reliability while FAT file
which can provide more information about user behavior system doesnt provide. Each component in NTFS is a
and his/her intention. Table IV shows artifacts related to file stored on the disk and the most important file is the
programs. Master File Table (MFT) [14]. MFT is like a database,
where each record contained within it is in a file stored
TABLE IV. PROGRAM ARTIFACTS on the volume [15]. Moreover, there are a couple of
Artifact Location other important files used for NTFS administration
SOFTWARE: called metadata files such as $LogFile, $Volume,
Installed
Microsoft\Windows\CurrentVersion\Uninstall $Bitmap and $AttrDef. These NTFS metadata files are

42
considered one of the most important source of evidence related to the investigation. However, gathering and
that can help investigators find and extract used/ unused extracting data from these tools not a straightforward
clusters, MFT logs, files logs and events, time stamps, way as its not designed for forensic purposes. On the
file status and other information [14]. other hand, there is a number of new projects created
Windows Registry is another source of artifacts especially for forensic purposes and still under
which can help in Windows investigation. Its a central development such as PSRecon, Kansa and
database of Windows operating system used to store all PowerForensics. PSRecon is a forensic tool used to
configuration data for operating system, system collect data from remote machine running Windows OS
hardware and most installed programs [16]. From this with a number of incident response functionalities [26].
database, there are many data can help in forensic Moreover, Kansa is a data collection tool with analysis
analysis, such as general system information, user and number of incident response functionalities [27].
accounts, history, installed applications, time stamps, PowerForensics tool is an open source forensics
network connections and removable devices [17]. framework developed by Jared Catkinson used to collect
Prefetch files used to speed up application loading by evidence on the Windows OS level such as registry,
collecting all needed files in one place. These files can event log and prefetch. Moreover, this tool can work on
provide beneficial information about applications disk level and file system level too. Furthermore,
activity such as executed applications recently with last forensic timeline can be created using this tool [23].
run time, which is view deleted programs if ran before or Table VII summarizes mentioned PowerShell tools
malicious programs ran on the system [18]. Its another and methods dedicated to forensic investigations to
source of artifacts on Windows operating system. compare each one with others from type if its a built
Windows event viewer is a central location contains tool or just a method to present PowerShell capabilities
many logs about Windows events, installed applications to solve forensic cases. Furthermore, several tools or
and configured services. Furthermore, its contains audit methods require sophisticated knowledge in PowerShell
logs for users, applications and files. Therefore, it to reach needed data. Finally, Windows artifacts break
contains a huge data can be used in forensics [19]. up into three levels: disk, file system and OS level. Each
All these sources contain artifacts for Windows tool or method can extract data from certain levels only.
operating system which can be used as an evidence in
digital investigations. TABLE VII. POWERSHELL TOOLS AND METHODS COMPARASION
Most digital investigations start after an incident or Evidence extraction
Advanced
crime occurred. Thus, all investigations to get evidences PowerShell level
and knowing how this case happened will be after the Name Type
knowledge File
damage occurred and business or service affected. required Disk OS
system
However, each case is a set of sequence events which is Live response
Method Yes No No Yes
need time and leave at least one evidence or mark [21]
behind one of these events. Therefore, any incident can Intrusion
Method Yes No No Yes
be avoided or minimize its damage by tracing and analysis [22]
detecting up normal behavior then stop it before the PSRecon [26] Tool No No No Yes
incident happened. This process, called threat hunting Kansa [27] Tool No No No Yes
[20]. PowerForensics
There are many PowerShell tools and scripts can be Tool No Yes Yes Yes
[23]
used for forensics, but not specially designed for this
purpose or tools specially designed for this purpose. III. EXPERIMENT
SANS institute mentioned various methods and In this section, an experiment conducted will be
procedures to handle different live incident response presented on Windows operating system using the
[21] and intrusion analysis [22] scenarios using PowerShell tool called PowerForensics to extract
PowerShell commands and scripts. However, these Windows artifacts to solve forensic case.
methods require an investigator to have deep knowledge As PowerForensics use online forensics for
in PowerShell scripting language to extract needed data Windows OS forensics only, its possible to use it for
from target machine running Windows operating system offline image by use conversion tool to convert RAW or
as its working on accessing data by typing PowerShell dd image to a virtual disk. The converted disk with
scripts and commands each time according to case extension .vhd or .vhdx can be attached directly on
circumstances. Moreover, these white papers [21, 22] Windows disk management. This procedure will make
focused on extracting data from Windows OS level only an offline image available online and ready to use in
while other special forensic tools can provide the ability PowerForensics. Moreover, its better to select read only
to extract data from disk level and file system level too option when attaching virtual disk to insure data
such as PowerForensics tool [23]. PSTools [24] is a integrity. QEMU is an example of a command line
Microsoft tool designed to manage and monitor local utility used to convert disk between different types [28].
and remote computers while Exchange Management PowerForensics has many PowerShell commands or
Shell [25] is a management shell for Microsoft what are called cmdlets that are designed for different
Exchange server which is a collaboration and mail purposes. Therefore, these cmdlets will be split into a set
system. Both these tools designed for different purposes, of categories based on the forensics level for each
but it can be used for forensics by executing commands (Windows OS, File system or Disk) and the collection
and scripts to gather data and check various parameters

43
sources used such as Windows Registry or Event
viewer:
1) Disk forensic artifacts cmdlets
Get-ForensicMasterBootRecord
Get-ForensicGuidPartitionTable
Get-ForensicBootSector
Get-ForensicPartitionTable
In case there is a disk have an issue in the boot and
required for investigation, it can be repaired by extract
boot sector of disk based on its type if its Master Boot
Record (MBR) or Guid Partition Table (GPT). By
extracting boot record, there is a lot of information can
be gathered such as list of partitions, size, file system
type and which partition marked as bootable. Moreover,
an investigator can collect disk information in Hex
format to make it simple, even in reading or in parsing,
Fig. 1 have an example of Hex format output. However,
its important to mention that physical disk name needed
to be able to select the right disk to get information from
the right disk. Thus why an investigator should get
physical disk name first, and the following command is
an example:
wmic diskdrive list brief
Therefore, the syntax of disk forensics cmdlet will be
as the following:
Get-ForensicDiskCommand path
\\.\PHYSICALDRIVE#
Figure 1. View boot sector in Hex format
2) File system forensic artifacts
File system forensic provides many artifacts for
investigation which can support in cases related to time
stamp change, deleted data, file activity logs and other
information.
a) NTFS file system artifacts cmdlets
Get-ForensicAttrDef
Get-
ForensicVolumeInformation
Get-ForensicVolumeName
Get-ForensicBitmap
Get-ForensicUnallocatedSpace
44
Get-ForensicFileSlack
Get-ForensicMftSlack
Get-ForensicFileRecord
Get-ForensicFileRecordIndex
Get-ForensicVolumeBootRecord
Get-ForensicUsnJrnl
Get-
ForensicUsnJrnlInformation
As NTFS file system related to volume or partition,
an investigator should specify volume name or MFT file
path to gather data from the right file system.
Using PowerForensics tool, an investigator can get
general information about file system such as used
attributes in MFT entries, volume information and
volume name. Moreover, he/she can get unallocated
space area from the following methods:
Unallocated cluster, it can be collected by
inquiring cluster status on $Bitmap file or get all
unallocated clusters in one shot. For single
cluster status, an investigation need to use Get-
ForensicBitmap while he/she need to use Get-
ForensicUnallocatedSpace to get all unallocated
clusters.
MFT and file slack, it can be collected by
specifying a file or volume to get file slack for
it. However, there is an issue with the result of
slack commands, as it presents zero 0 for each
byte in the slack area. Therefore, an investigator
needs to count these zeros to get the exact
number of bytes in slack area or use PowerShell
to count it as shown in Fig. 2.
Figure 2. File slack for specific file
Furthermore, the PowerForensics tool for NTFS can
help investigator to extract MFT records or get file
record index from the MFT table. However, there is an
issue in first MFT records such as $MFT, $bitmap and
$boot, the results keep display value 5 in the results as
shown in Fig. 3.
Figure 3. Wrong file record index for first records
In addition, an investigator can collect boot record
for volumes even NTFS or FAT file systems with
parsing for NTFS only. Last NTFS commands related to
file logging and tracking, its UsnJrnl. Using these
commands, any file can track it and check UsnJrnl
information such as maximum size and last USN ID. But
unfortunately, UsnJrnl tracking command still have
some issues in execution as its retain blank results as
shown in Fig. 4.
Figure 4. No results from UsnJrnl command
b) ext4 file system artifacts
There are a few commands used for this file system
to get blocks and Inode entries from an ext4 file system
which is used for Linux/ Unix OS only. However, as this
paper focused on Windows OS only, these cmdlets will
not be discussed.
3) Windows forensic artifacts
There are many artifacts for Windows operating
system can have extracted it with this tool. However,
some of these artifacts cant extract it properly with
Windows 10 and Microsoft Office 2016. For cases
related to office documents, Microsoft Office artifacts
can provide valuable information such as most recent
Office and Outlook files. For compatibility reasons, only
applicable artifacts discussed. In general,
PowerForensics artifacts for Windows OS can split it
into two parts:
a) Direct artifact extraction
In this part, artifacts gathered directly using specific
functions that frequently used by investigators such as
user typed paths, typed URLs and list of earlier
connected networks:
Get-AlternateDataStream
Get-ForensicShellLink
Get-ForensicExplorerTypedPath
Get-ForensicTypedUrl
Get-ForensicWindowsSearchHistory
Get-ForensicPrefetch
Get-ForensicUserAssist
Get-ForensicNetworkList
Get-ForensicScheduledJob
Get-ForensicSid
Get-ForensicTimezone
When investigator want to perform tracking for a file
location and name, he/she should collect all files have
the alternative name and find the original file for each
shortcut (.lnk) file. Moreover, user activity can be
tracked by getting all typed paths, typed URLs and
search history too. However, collecting typed paths and
typed URLs using this tool not collecting any path or
URL accessed from Windows Explorer or any other
graphical user interface as its only related to what user
type on the keyboard. These limitations related to
registry key contents not to PowerForensics. On the
other hand, Prefetch and User assist can get a list of
running applications recently. The difference between
prefetch and User assist that first one shows all ran
45
applications to all users while User assist show us recent
ran applications to a specific user. The rest of artifacts
mentioned in the above commands used to get earlier
connected networks, scheduled task jobs, security
identifier for the administrator account and configured
time zone on the machine.
b) Indirect artifact extraction
PowerForensics tool provides some flexibility by
allowing collecting artifacts from sources directly such
as Windows Registry and Windows event viewer. This
way allows the investigator to navigate and browse the
specific source to gather information manually.
Moreover, this allows investigators to gather needed
information not covered by specific purpose commands
without needing to use another tool too. Thus
investigators can design their own scripts quickly
without modifying PowerForensics source code.
However, there is an issue in collecting registry key
values. All values in numeric data type, view the value
as an offset number plus 4096 as shown in Fig. 5. For
example, if the registry value equal 5 and data type is a
double word, then the value will view as 5001 which
4096 plus 5.
Figure 5. Registry key value plus 4096
Moreover, all values in string data type, view the
offset number of the first character of the string not the
exact value.
The investigator can collect artifacts as much as
needed to get full image about what happened in the
case. However, collecting artifacts only not sufficient
without analysis by connecting each artifact with other
according to the relation between them. Afterward, all
artifacts should order according to the time to reach the
final solution of the case. Therefore, timeline is one of
the important things in the investigation and should be
considered in the final report as it will include full story
of the case. Thus, J. Atkinson didnt forget to include
forensic timeline convertor to PowerForensics which
convert artifacts to timeline style and can export it to
different formats. Fig. 6 present an example of an
exported timeline in comma separated value format.
However, converting timeline still have limitations
in collection sources as its only include scheduled tasks,
shell links, UsnJrnl, event logs and registry keys.
IV. EXPERIMENT DISCUSSIONS
The results demonstration that the PowerForensics
tool was capable of investigating many Windows
artifacts, but indicated some technical issues related to
newer operating systems, such as Windows 10, and
applications such as Office 2016. Therefore, several
artifacts related to start-up applications gathering data
 Figure 6. Timeline exported result
without errors and without results too. Finally, the [3]
results prove that tools developed on top of PowerShell,
could do a fairly great job related to Windows forensic
[4]
investigations, but still require further development and
more support to make reaching a more accurate and [5]
powerful level.
Furthermore, PowerForensics is an effective tool for
real time collection. It has the ability to collect evidence
from remote machine running Windows OS without [6]
affecting operational tasks. Because this tool based on
PowerShell, there is an ability to automate the collection [7]
process. Therefore, this tool is able to use it with other
real time collection systems such as computer forensic
evidence collection mentioned in [29]. [8]
V. CONCLUSION AND FUTURE WORKS
In this paper, we discussed Windows PowerShell and
how it could be used in digital investigations. [9]
Furthermore, the paper presented some of the tools
developed specially for forensics such as [10]
PowerForensics, PSRecon and Kansa. Moreover,
PowerForensics was used to conduct different Windows
related experiments in order to check what Windows
artifacts are covered and the compatibility level of the [11]
tool used in such investigations. However, as this tool
showed some technical issues related to newer operating
systems and applications.
Future work would be to enhance PowerForensics to [12]
avoid current issues and include more artifacts. Also, it
would be great to expand its coverage to other systems [13]
supported PowerShell such as Microsoft Exchange
Server to help digital investigators who are willing to
use it. Finally, PowerForansics could be used to build a
semi-automated threat hunting system which can check [14]
for different system artifact values, in order to detect any
abnormal behaviors. [15]
VI. REFERENCES
[1] T. Charles and M. Pollock, "Digital forensic investigations at [16]
universities in South Africa," published in 2015 Second
International Conference on Information Security and Cyber
Forensics (InfoSec), IEEE, Nov. 2015, pp. 5358, DOI.
10.1109/InfoSec.2015.7435506. [17]
[2] J. John, "Digital forensics and preservation," Digital
Preservation Coalition, Nov. 2012, pp. 7.
46
B. Carrier and E. Spa ord, An Event-Based Digital Forensic
Investigation Framework, Published in Digital Forensic
Research Workshop, Aug. 2004
R. Kaur and A. Kaur, "Digital forensics," International Journal
of Computer Applications, vol. 50, no. 5, pp. 59, Jul. 2012.
N. Applications, "Operating system market share," 2006.
[Online]. Available:
https://www.netmarketshare.com/operating-system-market-
share.aspx?qprid=10&qpcustomd=0. Accessed: Jun. 12, 2016.
D. M. Allen, "Digital investigation workforce development",
Whitepaper, Published by Software Engineering Institute, 2016.
A. Yasinsac, R. F. Erbacher, D. G. Marks, M. M. Pollitt, and P.
M. Sommer, "Computer forensics education," IEEE Security &
Privacy, no. 4, pp. 1523, Jul. 2003, DOI.
10.1109/MSECP.2003.1219052.
A. Mare, "Windows forensics and security," Forensic Focus -
Articles, 2014. [Online]. Available:
https://articles.forensicfocus.com/2014/04/14/windows-
forensics-and-security/. Accessed: Jun. 13, 2016.
InternetLiveStats, "Number of Internet users (2016)," 2014.
[Online]. Available: http://www.internetlivestats.com/internet-
users/. Accessed: Jun. 13, 2016.
J. Ryder, "Internet explorer forensics analysis explore
artifacts," in File Forensics, Blog Sharing Information About
Forensic Analysis of Email Clients, 2015. [Online]. Available:
http://www.xploreforensics.com/blog/internet-explorer-forensic-
artifacts-analysis.html. Accessed: Jun. 13, 2016.
A. Mare, "Windows forensics and security," Forensic Focus -
Articles, 2014. [Online]. Available:
https://articles.forensicfocus.com/2014/04/14/windows-
forensics-and-security/. Accessed: Jun. 13, 2016.
InternetLiveStats, "Number of Internet users (2016)," 2014.
[Online]. Available: http://www.internetlivestats.com/internet-
users/. Accessed: Jun. 13, 2016.
J. Ryder, "Internet explorer forensics analysis explore
artifacts," in File Forensics, Blog Sharing Information About
Forensic Analysis of Email Clients, 2015. [Online]. Available:
http://www.xploreforensics.com/blog/internet-explorer-forensic-
artifacts-analysis.html. Accessed: Jun. 13, 2016.
B. Carrier, File system forensic analysis, Boston, MA:
Addison-Wesley Educational Publishers, 2005, pp. 199-202.
Z. Kai, C. En, and G. Qinquan, "Analysis and implementation of
NTFS file system based on computer forensics," vol. 1, pp. 325
328, Mar. 2007, DOI. 10.1109/ETCS.2010.434.
R. M. Saidi, S. A. Ahmad, N. M. Noor, and R. Yunos,
"Windows registry analysis for forensic investigation," IEEE,
pp. 132136, May 2011, DOI.
10.1109/TAEECE.2013.6557209.
K. Alghafli, A. Jones, and T. Martin, "Forensic analysis of the
windows 7 registry," School of Computer and Information
Science, Edith Cowan University, Perth, Western Australia,
2010.
[18] J. McQuaid, "Forensic analysis of Prefetch files in windows -
magnet forensics Inc," in Artifact Profiles, Magnet Forensics,
2014. [Online]. Available:
https://www.magnetforensics.com/computer-forensics/forensic-
analysis-of-prefetch-files-in-windows/. Accessed: Jun. 13, 2016.
[19] Q. Do, B. Martini, J. Looi, Y. Wang, and K.-K. Choo,
"Windows event forensic process," in IFIP Advances in
Information and Communication Technology. Springer Science
+ Business Media, 2014, pp. 87100, DOI. 10.1007/978-3-662-
44952-3_7.
[20] T. Asselman, "Hunting for Ransomware with Powershell,"
Cyberforce, 2016. [Online]. Available:
http://www.cyberforce.be/blog/2016/5/2/hunting-for-
ransomware-with-powershell. Accessed: Jun. 13, 2016.
[21] S. Nair, "Live Response Using PowerShell," SANS -
Whitepapers, 2013. [Online]. Available:
https://www.sans.org/reading-room/whitepapers/forensics/live-
response-powershell-34302. Accessed: July 1, 2016.
[22] M. Weeks, "Intrusion Analysis Using Windows PowerShell,"
SANS - Whitepapers, 2014. [Online]. Available:
https://www.sans.org/reading-
room/whitepapers/detection/intrusion-analysis-windows-
powershell-34585. Accessed: July 1, 2016.
[23] J. Atkinson, "Invoke-IR/PowerForensics," GitHub, 2016.
[Online]. Available: https://github.com/Invoke-
IR/PowerForensics. Accessed: Jun. 13, 2016.
[24] M. Russinovich, "PsTools," 2016. [Online]. Available:
https://technet.microsoft.com/en-us/sysinternals/pstools.aspx.
Accessed: Jun. 13, 2016.
[25] Microsoft, "Exchange PowerShell," 2016. [Online]. Available:
https://technet.microsoft.com/en-
us/library/mt587043(v=exchg.150).aspx. Accessed: Jun. 13,
2016.
[26] G. Foss, "PSRecon - live forensic data acquisition," 2015.
[Online]. Available: https://logrhythm.com/blog/psrecon/.
Accessed: Jun. 13, 2016.
[27] R. McRee, "Tool tip: Kansa Stafford released, PowerShell for
DFIR - SANS Internet storm center," SANS Internet Storm
Center. [Online]. Available:
https://isc.sans.edu/forums/diary/Tool+Tip+Kansa+Stafford+rel
eased+PowerShell+for+DFIR/20049/. Accessed: Jun. 13, 2016.
[28] Cloudbase Solutions, "Qemu-img for wIndows - Cloudbase
solutions," Cloudbase Solutions, 2016. [Online]. Available:
https://cloudbase.it/qemu-img-windows/. Accessed: Jun. 13,
2016.
[29] S. A. Awawdeh, I. Baggili, A. Marrington, and F. Iqbal,
"Towards a unified agent-based approach for real time computer
forensic evidence collection," Proceedings of the 2013
IEEE/ACM International Conference on Advances in Social
Networks Analysis and Mining - ASONAM 13, 2013, DOI.
10.1145/2492517.2500310.

47