Common Places In File System Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The file system itself contains a lot of important information about the user, the applications and the files being used on the system. One such place is the temp folder, where programs can dump temporary data. Even if the main file has been wiped, there is a possibility of finding a version of it in this folder, depending on which application the file belongs to and how the application works. Most people ignore the Recycle Bin, which is one place where an investigator could find a lot of informative data. System logs are a good place to look: these logs can help find useful information about USB devices connected to the system, and event logs contain information about all sorts of actions performed on the system. Depending on the operating system, these logs can be found in either the config or the winevt\logs folder under the System32 folder. A general misconception is that once you delete or format the data on a hard drive you cannot get it back. That is not true until a zero wipe is done professionally. So having a look at deleted files is worthwhile and can provide the evidence the forensics expert is searching for. These deleted files could contain drug dealing information or contact details.

Recently opened files and network shortcuts under the Windows folder are places where we can get information about the internal network of the captured laptop and about files which were accessed recently.

Registry keys are a valuable source of evidence; the following are some of the important keys to look at:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

This key provides information about who logged in last, and may also provide a user name, which can help to establish the user's connection with the laptop.


This key is supposed to contain information about programs and shortcuts accessed by the Windows GUI, including execution count and the date of last execution, but the way the information is stored is not straightforward or easy to understand.


If the user tries to make some changes in the registry, it is possible to identify that with the help of this key.


This key gives information not only about the USB devices currently connected but also about those connected earlier, providing the vendor name and serial number of the USB device. This information can be very helpful in making a connection between the USB device and the system.


This key has subkeys by file extension that provide information about what someone has been opening or saving when the common file open/save dialog comes up, which can lead to important data related to the case. Values are in hex, but readable if you open them in ASCII view.


This key provides information about recently opened files and can be quite useful for gathering details of contact names, addresses and drugs.

The communication between the drug dealer and his correspondent could be carried out using various technologies. To access most of those technologies a web browser is required, i.e. Internet Explorer or Firefox.

Internet Explorer

Vital information about browsing through Internet Explorer can be found in different folders: Temporary Internet Files, Cookies and History. All these folders reside under the Windows folder. Temporary Internet Files give clues about the content someone was looking at on the internet. Cookies are files which contain information about recently visited websites, and if the user was authenticated by a website, cookies can possibly provide a password or at least a session ID. The History folder can provide useful information about which websites have been visited, when, and how many times. This will show the intention of the surfer. In this case, if the investigator finds that a large number of websites dealing with drugs were visited, that can show the interest of the laptop owner. The helpful registry keys associated with Internet Explorer are the following:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedUrls

This key can help to distinguish between sites that were entered manually and ones accessed via a link.

And if the user registered on a drug dealing website, there are the registry keys HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage1 and HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. These keys store the autocomplete information for Internet Explorer. If the user visited a website which deals in illegal drugs and filled in a form to register, these keys store the information that was entered. Although it is in obfuscated form, use of the right tool can help the forensics investigator.


Firefox saves most of its data in files instead of the registry, and these are easy to find in individual folders. The following are the places where a forensics investigator can look for case-relevant information:

C:\Users\<user name>\AppData\Local\Mozilla\Firefox\Profiles\<some profile number>.default\ Anything found in this place is useful, especially the *.sqlite files. Under this folder there are several useful folders such as 'Cache'. While IE stores its cache under easy-to-read file names, Firefox makes it a little harder: the files need to be opened to look at their headers to see what they are, or a tool like 'Mozilla Cache Viewer' can be used. Files with names like _CACHE_001_ are good for looking at the banners of recently accessed sites, which is useful for determining what sites the user has been visiting. The file named 'formhistory.sqlite' has a great deal of information about web forms filled out in Firefox, when they were filled out, and what information they were filled with. This is a SQLite file that contains the browsing history for Firefox/Mozilla. The open source application 'SQLiteStudio' can be used to read the file. To look for saved passwords in Firefox, 'signons.sqlite' is the key file and should contain Firefox's stored passwords. 'SQLiteStudio' can be used to read this file as well. Even if the passwords are not found, the "Disabled hosts" will give clues about the websites the user doesn't want to save the password for; these could be websites dealing with illegal drugs. Last but not least, cookies can be found in 'cookies.sqlite'. Information about the websites visited and, if the surfer was authenticated by the website, possibly a password or at least a session ID can be extracted from here.
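The following is an added example, not part of the original essay: it opens formhistory.sqlite and cookies.sqlite from a copied profile folder read-only and merges both into one UTC timeline. The tables keep the Firefox names moz_formhistory and moz_cookies but only a reduced subset of their columns, and the profile contents are constructed for the example.

```python
import os
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime(us):
    """Firefox PRTime (microseconds since the Unix epoch) as a UTC datetime."""
    return EPOCH + timedelta(microseconds=us)


def query(db_path, sql):
    """Run one statement against an evidence copy opened read-only."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    with closing(sqlite3.connect(uri, uri=True)) as db:
        return db.execute(sql).fetchall()


def timeline(profile):
    """Merge form entries and cookie accesses into one UTC-ordered list."""
    events = []
    for used, field, value, count in query(
            os.path.join(profile, "formhistory.sqlite"),
            "SELECT lastUsed, fieldname, value, timesUsed FROM moz_formhistory"):
        events.append((prtime(used), "form", f"{field}={value} (used {count}x)"))
    for seen, host, name in query(
            os.path.join(profile, "cookies.sqlite"),
            "SELECT lastAccessed, host, name FROM moz_cookies"):
        events.append((prtime(seen), "cookie", f"{host} {name}"))
    return sorted(events)


def build_sample_profile(folder):
    """Constructed sample data; column set reduced for the example."""
    with closing(sqlite3.connect(os.path.join(folder, "formhistory.sqlite"))) as db:
        db.execute("CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, "
                   "fieldname TEXT, value TEXT, timesUsed INTEGER, "
                   "firstUsed INTEGER, lastUsed INTEGER)")
        db.executemany(
            "INSERT INTO moz_formhistory VALUES (NULL, ?, ?, ?, ?, ?)",
            [("email", "user@example.test", 3,
              1299990000000000, 1300000000000000),
             ("searchbar-history", "example query", 1,
              1300000600000000, 1300000600000000)])
        db.commit()
    with closing(sqlite3.connect(os.path.join(folder, "cookies.sqlite"))) as db:
        db.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, "
                   "name TEXT, value TEXT, host TEXT, "
                   "creationTime INTEGER, lastAccessed INTEGER)")
        db.execute("INSERT INTO moz_cookies VALUES (NULL, 'session_id', "
                   "'abc123', 'shop.example.test', "
                   "1300000100000000, 1300000300000000)")
        db.commit()


def demo():
    """Build the sample profile in a temp folder and return its timeline."""
    with tempfile.TemporaryDirectory() as folder:
        build_sample_profile(folder)
        return timeline(folder)


if __name__ == "__main__":
    for when, source, detail in demo():
        print(when.isoformat(), source, detail)
```

Opening with mode=ro means a stray write statement fails instead of altering the evidence copy.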

Technologies that could be used in communication

Communication could take several forms, i.e. email, instant messengers, web browser chat (volatile messaging) and Voice over IP.


Email, or electronic mail, is one of the quickest ways to exchange messages. Email servers accept, forward, deliver and store messages on the user's behalf. At first, email was sent directly from one user's device to another. Use of email increased with the internet technology boom. Compared to the traditional mail system, email has its advantages; speed, an organized way of sending messages and ease of management are some. The security and reliability of an email message are arguable. There is no doubt that email has changed the way organizations and end users communicate.

Email is commonly used for illegal activities such as fraud, phishing scams and sometimes transmitting viruses. There are several cases where email communications provided evidence of conspiracy, helping to identify new suspects and link them to a criminal activity.

An email message contains two components: the message header and the message body. The message header contains information about the originator's email address and the recipient address(es). When an email is sent or received, changes are made to specific files in the file system, which are important for extracting not only the message but also the originator and receiver information. With the right tools and experience in place, investigators can discover all the important information related to drug dealing which was communicated through email.
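The following is an added example, not part of the original essay: it pulls the originator and recipient addresses out of a message header and, going one step beyond the text, orders the Received trace lines to show the path and timing of the message. The sample message, its hosts and its addresses are constructed.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message: hosts, addresses and IPs are documentation values.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id B2; Mon, 14 Mar 2011 09:15:08 +0000
Received: from laptop.local (unknown [203.0.113.25])
\tby mx.example.net with ESMTP id A1; Mon, 14 Mar 2011 10:15:02 +0100
From: "A. Sender" <sender@example.net>
To: first@example.org, Second Person <second@example.org>
Cc: third@example.com
Subject: constructed sample
Date: Mon, 14 Mar 2011 10:15:00 +0100
Message-ID: <0001@example.net>

Body text.
"""


def load(raw=RAW):
    """Parse raw message text into header fields and body."""
    return message_from_string(raw)


def _utc(stamp):
    """Header date string as a UTC datetime, or None if missing or malformed."""
    try:
        return parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
    except (TypeError, ValueError):
        return None


def parties(msg):
    """Originator and recipient addresses taken from the header fields."""
    def addrs(*fields):
        values = [v for f in fields for v in msg.get_all(f, [])]
        return [addr for _name, addr in getaddresses(values)]
    return {"from": addrs("From"), "to": addrs("To", "Cc", "Bcc"),
            "message_id": msg.get("Message-ID")}


def received_hops(msg):
    """Received lines oldest first: each relay prepends its own line."""
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        info, _, stamp = line.rpartition(";")
        sender = re.search(r"\bfrom\s+(\S+)", info)
        relay = re.search(r"\bby\s+(\S+)", info)
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", info)
        hops.append({"from": sender.group(1) if sender else None,
                     "by": relay.group(1) if relay else None,
                     "ip": ip.group(1) if ip else None,
                     "utc": _utc(stamp)})
    return hops


def date_skew_seconds(msg):
    """Seconds between the client's Date header and the first relay's stamp."""
    hops = received_hops(msg)
    sent = _utc(msg.get("Date", ""))
    if not hops or hops[0]["utc"] is None or sent is None:
        return None
    return (hops[0]["utc"] - sent).total_seconds()
```

A large gap between the Date header and the first relay's timestamp is worth noting in a report, since the Date field is set by the sending client.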

Instant Messengers

The definition of Instant Messaging according to Wikipedia is "a form of real-time communication between two or more people based on typed text. The text is conveyed via devices connected over a network such as the Internet".

Instant messengers are used by people of all ages and no special computer skills are required to operate them. You can use instant messengers when you cannot or do not want to make a phone call and want a real-time conversation. Many IMs store conversation history and, as instant messengers are so widely used, computer forensics professionals have a very keen interest in instant messenger chat history.

Which IMs are the most popular? This is a difficult question as there are so many of them. If asked, people might give a list like this: Yahoo, Skype, ICQ, AIM and MSN. This is a good list to start with. However, the most preferred instant messenger normally changes depending on common interests and, most importantly, from country to country. For example, the instant messenger used in Germany and Russia is ICQ, while AIM is popular and mostly used in the United States. Interestingly, one messenger which is not known by the average user but has the largest audience in the world is QQ messenger, which is extremely popular in China and has a total of over a billion user accounts. A few other widely used instant messengers are QIP, SIM, MySpace IM, Digsby, Google Hello, Trillian, Meebo and Jabber.

The problem with IM investigation is very clear: there are too many of them to look at! All of them store their information in different places, and a forensic investigator should know all those places: Registry, AppData folders, Program Files, Documents and Settings (which may be spelled in another language) and so on. Moreover, the suspect may move his history to a folder other than the default one, so that you cannot find it in those well-known places. If forensic investigators do not have the required skills and tools, they will end up spending an enormous amount of time searching for the instant messenger history. And when they have finished searching and extracting data, they have to create a report of the extracted chat contents in readable form. This is not an easy task and could cause a lot of problems for time-sensitive projects.

Let us look in detail at the possible difficulties involved in investigating instant messenger histories. First of all, many messengers have an unreadable or hardly readable format. Some IMs (e.g. Digsby and AIM) store messages in the good, old and simple HTML format; others even use plain text (e.g. QIP). However, most instant messengers 'pretend' to be secure. For example, an older ICQ used to keep messages in binary .dat files, which made it possible to read some text. What was hard to determine was who sent the message, who received it and at what time it was sent. The same is true for Skype: you can read chat message texts and you even know who participated in the chat, but you cannot figure out whether a given message was sent or received, or what the time was.

Time, History and Storage

All IMs have their own way of timestamping the message history. Most instant messengers use UTC timestamps while others use local time. The time shift used by ICQ is very strange. There were no timestamps in Skype, but now 5 bytes are used to store the time of the message. Over time IMs evolve and change the way they store message history. For example, ICQ has had 5 different formats for saving chat history so far and Skype has had two. During an investigation, the tool used by the computer forensics investigator should support every format so there is no chance of missing any important information.

If an IM does not save the history, most of the time it is very difficult to extract the information from the files. Interestingly, one ICQ version used to store outgoing messages even after the history saving option was turned off by the user; this was due to a bug. Because of that, half of the chat history was available to read. However, that was the exception: all other instant messengers successfully keep their promise of not saving chat history if the option is turned off by the user.

IM Analysis - is it worthwhile?

The question usually asked is whether or not it is possible to deal with messengers that do not store histories. AIM, for instance, does not store its history by default. The only way to have access to its histories is to have special software called a 'sniffer'. Software of this kind can intercept network packets in real time. However, there are two major difficulties. First, the software only works in real time, so it needs to be installed before a chat is conducted. Second, and most difficult, the sniffer has to be on the same local network as the suspect, which in real life does not seem possible.

Another question is whether these tools are of any use if some messengers do not store history. The answer is simple: fingerprint analysis is important even though the investigator knows there might not be anything there. As for IM history, some users know about automatic chat history recording while others might not know about it. Sometimes the user might know about it but forget to delete the history in a hurry, or even if the user deletes the history, the option he/she uses does not delete it permanently. There are several recovery tools available to recover history files.

Information related to the most commonly used instant messengers is as follows:

AIM stores the history in HTML format, which is easy to read. But the bad news is that the store history option is not on by default.

Skype is one of the leading VoIP applications for making voice and video calls, and it supports text chat as well. Skype text chat is not very reliable because messages can sometimes take several days to deliver. The chat history is stored by default in a dbb file, which is a readable format. However, there is no clear indication of whether a message was sent or received, and it has no timestamp.

Yahoo messenger stores all messages in encrypted files, which can be read with the help of the different tools available.

ICQ stores the messages in different ways: binary format one, binary format two, and XML. Now it is an Access database, and MySQL and SQL Server Express are expected in the next versions. The ICQ 6 format is easy to investigate because it is readable if opened in Microsoft Access. The same is true for XML. Binary formats.

QQ messenger is probably the worst for investigators to deal with. It stores history in OLE containers, which are viewable with DocFile Viewer, but the data inside is encrypted with the Blowfish algorithm, and the key to decrypt it is the QQ owner's account number. Although QQ allows encryption with a custom key, only a limited number of people use this strong protective option.

QIP, MSN, SIM, Trillian, Digsby and MySpace IM have simpler formats, like plain text, XML or HTML. But to prepare a report, the forensic investigator has to use a tool to gather all related messages together after filtering the raw data.

The instant messenger Google Hello is used especially for exchanging pictures. A computer forensics professional is interested not only in texts, but also in pictures sent or received. The history stored by this messenger contains a thumbnail of each picture, which is available even if the full-size picture was deleted by the suspect. This instant messenger uses a binary format to store the chat history.

Web Browser chat

Web browser instant messaging is a relatively new concept. This is achieved by adopting an operational definition for the concept: "real-time messaging between two or more people using a web interface." A user with access to a public terminal or web browser can engage in instant messaging without having to access a traditional client like AOL Instant Messenger or MSN. This clarifies the concept of volatility. After the web browser is closed or the machine is shut down, no records of user activity or chat log archives are (conceivably) retained. This is the primary difference between volatile instant messaging and its traditional counterpart.

Most instant messaging programs require the installation of a client program (e.g., Yahoo Messenger or MSN). Most programs require the user to enter an online handle and password from a previously created account. The one benefit of user authentication is that the messaging server can archive the IP address of the user. This makes it possible to pinpoint a user to a specific computer or geographical location.

AIM Express and Google Talk are web-based clients that run their own protocol. Meebo and E-Buddy, on the other hand, are browser based clients that rely on other instant messaging services (e.g., Yahoo, MSN or AOL).

AIM Express

AIM Express leaves behind several artifacts, including snippets of conversations, details of the buddy list and approximate times when the conversations took place. The buddy list is extremely helpful in forensic investigations; this list can be used as a reference point to establish a social network. The approximate times of conversations can be estimated based on Index.dat entries made by AIM Express; these times can be used to construct timelines and sequences of key events.

Snippets of the other user's conversations and the buddy list can be found in file slack and in the pagefile.sys file. In traditional instant messaging programs, such as AIM, chat logs are stored in files under locations specified by the user or in default locations such as the Program Files directory. Web-based conversations, unless specifically logged by the user, are stored in temporary Internet directories that may or may not remain after the browser is closed. If these directories have been deleted or overwritten, more powerful forensic tools are required to view conversations in drive free space or file slack.

The fetchbuddyInfo.htm file, which is normally found under the Temporary Internet Files\Content.IE5 directory within the profile's local settings, contains expanded buddy list information for the screen names. In addition, the expanded profile can provide investigative clues about the suspect's behaviour and potential contacts, and help determine geographic areas of activity.

The Index.dat entries in Temporary Internet Files\Content.IE5 show the screen name of the user as well as the time of the conversation.

This allows an investigator to make an estimate of when the conversation took place.

Google Talk

Google Talk leaves several artefacts in the Temporary Internet Files\Content.IE5 directory, e.g., the accountinfo.htm file, which displays the screen name used to sign on to Google. More importantly, the data in slack space can show portions of conversations from both parties. Depending on what the investigator is looking for, an un-indexed search or an indexed search can help to find the conversations. Entries made in the Index.dat file within the History.IE5 directory will be helpful to correlate the time the user logged into Gmail and the interface through which Google Talk was accessed.

Meebo and E-Buddy

These programs function as true volatile messaging clients - virtually all the information about a conversation disappears after it ends. This is partly due to the heavy use of JavaScript on both websites. By maintaining a constant server-side connection via JavaScript, the site is able to maintain the appearance of a desktop application [8]. However, this has the effect of limiting the amount of information that can be gathered from the hard drive. Ultimately, the most useful artifacts found were the Index.dat entries, which showed when the E-Buddy and Meebo websites were accessed. In addition, the ebuddy.htm file in the Temporary Internet Files folder retains the screen name that the user used to sign on to the service.


As computers have become more affordable, communication via the internet has been slowly replacing the physical alternatives. Brochures have been replaced with websites, letters with emails, and CDs and cassettes with downloadable MP3s.

And now the landline telephone, which is one of the few remaining non-internet based methods of communication, is slowly being replaced by Voice over Internet Protocol (VoIP), a technology which allows voice communications to be carried via the web. While VoIP can offer several benefits for users, such as free calls between computers, for law officials wishing to intercept the communications of suspected criminals, VoIP poses a series of problems.

A call using a landline telephone passes through the 'PSTN' (public switched telephone network). This network is made up of fixed line telephone systems. Every call made using this network has to pass through an 'exchange'. If law enforcement officers have the authorisation, they can intercept the call via the exchange to gather relevant evidence.

On the other hand, the audio signals in VoIP communication are converted into several encrypted digital 'packets' which travel through the internet via different routes; when these 'packets' reach their destination they are reassembled into the original message. This process shows that there is no exchange through which all the information passes. Because of that, the traditional methods of checking calls are not effective.

While analysing VoIP communication, computer forensic experts usually have two main things to do: first, to extract information about the contents of the conversation and, second, to establish the location of the callers. Unlike landline calls, which lead to a definite physical location, VoIP software such as Skype is free to use and has been allowing users to make calls over the internet since 2003 with no proof of identity or details of location.

To check whether one user has communicated with another using a VoIP service, the computer forensics method is to analyse the encrypted traffic at both ends and check for similarities in the traffic patterns. While this might prove that there was communication between two users, it does not show the nature of what was discussed in the call.

Computer forensic experts are working on the possibility of analysing 'volatile computer memory' (RAM). This memory has relatively low capacity and maintains stored information only while it is receiving power. If a computer system has not been powered off after a VoIP call, there is some evidence to suggest that some of the contents of the call can be extracted from this memory.

Summary and Conclusion

The places in the file system and registry mentioned above, together with the communication technologies discussed, could help extract the required information. This information can be used to identify individuals who were involved or were corresponding with the drug dealer. Other useful information found in these places could be what they were corresponding about, places to meet, pickup or drop points and the types of drugs they were dealing in.

A computer forensics investigator could face difficulties in the process of extracting information from the laptop. It depends on how careful the drug dealer was while communicating, but with the help of the right tools and skills there is every chance of collecting enough information to present as evidence in a court of law.