Digital Forensic Insider

Firefox (version 16.0.2) typically includes twelve SQLite databases, each of which performs a different function such as to store bookmarks, cookies, places visited, searches, and so forth.

The majority of potential forensic information from Firefox does not reside in the Windows Registry, but rather in two directories located in the individual User account(s).

The most prevalent software applications in use today are probably Web browsers. Although browsers are complex software applications, they have common functionality regarding their main components.

Security Identifiers (SIDs) are unique alphanumeric character strings of variable length that are assigned during the log-on-process to each user on a stand-alone system or to each user, group, and computer on a domain-controlled network.

Registry Keys track each mounted volume and assigned drive letter used by the NTFS file system. Information concerning any external devices that had previously been attached to the system will be recorded in certain Registry Keys.

Artifacts are items of data or information left behind after a specific activity occurs on a system. Any USB device attached to a system will leave artifacts in several locations.

There are several techniques that can be used to examine the Registry, each of which has its own merits.

A typical Windows 7 Registry consists of at least five Hives, each of which performs a different function.

Many forensic examiners are not familiar with the Registry or its forensic importance. One way to gain first-hand knowledge is to explore the Registry on a live, non-forensic computer.

While the Windows Registry is forensically important, frequently it is not captured during the triage of a live system. Similarly, it is often overlooked during post-mortem examinations.