An application consists of one or more processes. A process, in the simplest terms, is an executing program. One or more threads run in the context of the process. A thread is the basic unit to which the operating system allocates processor time. A thread can execute any part of the process code, including parts currently being executed by another thread.
Each process provides the resources needed to execute a program. A process has a virtual address space, executable code, open handles to system objects, a security context, a unique process identifier, environment variables, a priority class, minimum and maximum working set sizes, and at least one thread of execution. Each process is started with a single thread, often called the primary thread, but can create additional threads from any of its threads.
Timestamps are extremely important in a forensic investigation. NTFS keeps four of them per file:
- Created (Birthdate): date/time the file was created on the volume
- Accessed: last time the file data was opened
- Modified: last time the file data was changed
- Changed (change in metadata): the Master File Table entry was changed, or a file attribute changed
You can remember it as B-MAC.
NTFS stores times in UTC, while FAT stores times in local time.
Windows file timestamps are held in the $MFT (located in the root of the NTFS volume).
The $MFT keeps track of all files along with their metadata.
Things to do when you suspect that a file's timestamps have been modified:
[Image not reproduced: the list of checks was taken from an article on the Cyber Forensicator website, which the original post linked from the image.]
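To make the B-MAC discussion concrete, here is an added example (written for this page, not code from the original post or from Cyber Forensicator) that parses the four timestamps out of a single $MFT FILE record. The record is constructed in memory with `struct` so the script runs offline; the on-disk layouts used (FILE record header, resident attribute header, $STANDARD_INFORMATION and $FILE_NAME bodies, FILETIME as 100 ns ticks since 1601 UTC) are the documented NTFS formats. It also applies the update-sequence fixups that every sector of a real record carries, and runs two common timestomping checks that are not on the page: $STANDARD_INFORMATION times earlier than the kernel-maintained $FILE_NAME copy, and timestamps with an empty sub-second part. The sample names, dates and record number are constructed values; the checks are heuristics, not proof of tampering.

```python
"""Pull the B-MAC timestamps out of one NTFS $MFT FILE record (added example,
not code from the original page; the record is constructed in memory below)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STD_INFO, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
ORDER = ("created", "modified", "changed", "accessed")  # on-disk order in $SI and $FN
UTC = timezone.utc

# Constructed sample times: GENUINE carries the sub-second noise real files have,
# STOMPED is what a tool that rewrites $STANDARD_INFORMATION typically leaves.
GENUINE = {
    "created": datetime(2023, 3, 14, 9, 26, 53, 589793, tzinfo=UTC),
    "modified": datetime(2023, 3, 15, 17, 2, 11, 104551, tzinfo=UTC),
    "changed": datetime(2023, 3, 15, 17, 2, 11, 104551, tzinfo=UTC),
    "accessed": datetime(2023, 3, 16, 8, 0, 4, 23917, tzinfo=UTC),
}
STOMPED = {k: datetime(2019, 1, 1, tzinfo=UTC) for k in GENUINE}


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; NTFS never stores local time."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10


def apply_fixups(rec: bytearray) -> bytearray:
    """Restore the last 2 bytes of every 512-byte sector from the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * 512 - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def read_times(body: bytes, base: int) -> dict:
    return dict(zip(ORDER, map(filetime_to_utc, struct.unpack_from("<QQQQ", body, base))))


def parse_record(raw: bytes) -> dict:
    """Walk the resident attributes and collect $SI and $FN timestamps plus the name."""
    rec = apply_fixups(bytearray(raw))
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off = struct.unpack_from("<H", rec, 0x14)[0]        # offset of the first attribute
    out = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0]}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER:
            break
        if alen == 0:
            raise ValueError("zero-length attribute header")
        if rec[off + 8] == 0:                            # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = bytes(rec[off + coff:off + coff + clen])
            if atype == STD_INFO:
                out["si"] = read_times(body, 0)
            elif atype == FILE_NAME:
                out["fn"] = read_times(body, 8)          # after the 8-byte parent reference
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return out


def timestomp_indicators(info: dict) -> list:
    """Heuristics: $FN is maintained by the kernel, so user-mode time changes usually hit only $SI."""
    si, fn, flags = info["si"], info["fn"], []
    for key in ("created", "modified"):
        if si[key] < fn[key]:
            flags.append(f"$SI {key} is earlier than $FN {key}")
    if all(t.microsecond == 0 for t in si.values()):
        flags.append("all $SI timestamps have a zero sub-second part")
    return flags


def build_sample_record(si: dict, fn: dict, name: str = "report.docx") -> bytes:
    """Constructed 1024-byte FILE record with one resident $SI and $FN, fixups written."""
    def attr(atype, body):                               # resident attribute header + body
        total = (0x18 + len(body) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
        return hdr + body + bytes(total - 0x18 - len(body))
    si_body = struct.pack("<QQQQI", *[utc_to_filetime(si[k]) for k in ORDER], 0x20) + bytes(12)
    fn_body = struct.pack("<QQQQQQQIIBB", 5, *[utc_to_filetime(fn[k]) for k in ORDER],
                          4096, 2048, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = attr(STD_INFO, si_body) + attr(FILE_NAME, fn_body) + struct.pack("<I", END_MARKER) + bytes(4)
    head = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                       0x38 + len(attrs), 1024, 0, 3, 0, 42) + bytes(8)   # USA + pad to 0x38
    rec = bytearray(head + attrs) + bytearray(1024 - len(head) - len(attrs))
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                     # write fixups the way the driver does
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = usn
    return bytes(rec)
```

`parse_record(build_sample_record(STOMPED, GENUINE))` returns both sets of times and `timestomp_indicators` then reports that $SI is older than $FN and that every $SI value is a whole second; the same call with `GENUINE` for both attributes reports nothing. On a real image the record bytes would come from the $MFT itself, and the fixup step is what catches a torn or partially overwritten record before its timestamps are trusted.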
Cache Memory and History Analysis:
Active Directory: NTDS.DIT
For a standalone system: the SAM (System Account Manager) file in System32\Config, with an additional copy in the repair folder.
NTLMv2 is the latest version of NTLM used by Windows.
Sigverif (the Windows File Signature Verification tool): shows unsigned drivers.