Digital Forensics
What is Steganography?
"The practice of concealing messages or information within other non-secret text or data." An example would be a text file containing secret information hidden inside an innocent-looking image file: the image still opens and displays normally, and only someone who knows to look (and, with tools such as steghide, who has the passphrase) can get the text back out. Detection usually relies on statistical anomalies in the carrier file or on comparing its hash against a known-clean copy.
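As an added illustration of the idea (not code from the original page, and not steghide's embedding scheme, which is different), the following Python hides a secret in the least significant bit of each pixel of a constructed 8-bit greyscale buffer and recovers it again. The buffer is built in the code rather than read from a real image, and the payload framing (a 4-byte length prefix) is this example's own convention:

```python
# Added illustration (not from the original page, and not steghide's scheme):
# least-significant-bit steganography over a constructed 8-bit greyscale pixel
# buffer. Each pixel donates its lowest bit, so the image changes by at most 1
# per pixel, invisible to the eye but measurable statistically.
import struct

def _bits(data):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(pixels, secret):
    """Hide secret in the LSBs of pixels. A 4-byte big-endian length prefix
    tells extract() where the payload ends (this framing is an assumption)."""
    payload = struct.pack(">I", len(secret)) + secret
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover too small: need %d pixels" % (len(payload) * 8))
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit      # replace only the lowest bit
    return bytes(out)

def _read_bytes(pixels, offset, count):
    """Rebuild count bytes from the LSBs starting at pixel index offset."""
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[offset + (b * 8) + k] & 1)
        result.append(value)
    return bytes(result)

def extract(pixels):
    """Recover the payload: read the length prefix, then that many bytes."""
    length = struct.unpack(">I", _read_bytes(pixels, 0, 4))[0]
    return _read_bytes(pixels, 32, length)

def max_pixel_delta(original, stego):
    """Largest change to any pixel value; for LSB embedding it is 0 or 1."""
    return max(abs(a - b) for a, b in zip(original, stego))

def make_cover(n=4096):
    """Constructed stand-in for a greyscale image (no file is read)."""
    return bytes((i * 7) % 256 for i in range(n))

if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at 0900")
    print(extract(stego), max_pixel_delta(cover, stego))
```

The point for an examiner is the last function: the cover and the stego image differ by at most one unit per pixel, so a visual comparison finds nothing, but the hash of the file changes and the distribution of least significant bits no longer looks like natural image noise.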
What is /etc/shadow?
Contains the hashed (not encrypted) user passwords together with account and password ageing information such as last-change dates and expiry values. /etc/shadow is readable only by root (and the shadow group), precisely so that ordinary users cannot grab the hashes and feed them to a tool such as Hashcat or John the Ripper to brute force them, run a dictionary attack or use rainbow tables to recover the plaintext passwords. During a review, note any account whose hash field is '!' or '*' (locked) or empty (no password at all).
Why is memory forensics important?
Critical data about an attack may exist solely in system memory: network connections, account credentials, chat messages, encryption keys, running processes, injected code that was never written to disk, and browser history that the browser did not cache. All of it is lost once the machine is powered off, which is why memory is captured before anything else on a running system.
What is FAT16?
FAT16 is the file system used in DOS and Windows 3.x (FAT12, its predecessor, is still used on floppy disks), and was designed for relatively small partitions: its 16-bit cluster index caps a volume at 2 GB with 32 KB clusters. If the File Allocation Table is lost or damaged, the data on the disk cannot be used because the operating system is unable to locate the files; this is why FAT keeps two copies of the table, and why carving is often the only way to recover data from a damaged FAT volume.
What is FAT32?
FAT32 is a revised version of FAT16 that supports much larger partitions and long filenames natively; it was introduced with Windows 95 OSR2 and became standard with Windows 98. It is compatible with a huge variety of devices (smartphones, tablets, computers, digital cameras, gaming consoles, surveillance cameras) and with almost every operating system released since 1995: Windows 95 OSR2, 98, XP, Vista, 7, 8 and 10, as well as macOS and Linux. On the other hand, FAT32 has some serious disadvantages:
- A single file cannot be 4 GB or larger (the limit is 4 GiB minus one byte).
- Volumes are limited to 2 TB with 512-byte sectors (larger only with 4 KB sectors), and the Windows format tool refuses to create FAT32 volumes over 32 GB.
- There is no journaling, so a power loss in the middle of a write can corrupt the file system.
- There is no built-in file compression.
- FAT32 was not designed to be secure: it has no permissions and no built-in encryption, so anyone who can read the media can read every file on it.
Why are failed logon events useful?
Failed Logon events are very useful, especially in incident response, because each one (Windows Event ID 4625) records a Status and Sub Status code that explains exactly why the logon attempt failed: wrong password, unknown username, disabled account, logon outside permitted hours, and so on. Many 4625 events for different usernames from one source address in a short time are the classic signature of password spraying or brute forcing. The different error codes are:
What is the tool scalpel used for?
File carving - the process of recovering files by scanning the raw bytes of a disk or image for known file headers and footers and reassembling them, without relying on file system metadata. It works on deleted files and on unallocated and slack space, but cannot by itself reassemble a file whose pieces are fragmented across the disk.
What is scalpel used for?
File carving. Before running it, open /etc/scalpel/scalpel.conf and uncomment the entries for the file types you want to carve (every entry is commented out by default, so an unedited config carves nothing). Each entry gives the extension, whether the header is case sensitive, the maximum carve size, and the header and footer byte patterns.
What is an .html file?
HTML (Hypertext Markup Language) is a text-based approach to describing how content contained within an HTML file is structured. This markup tells a web browser how to display text, images and other forms of multimedia on a webpage.
Why was Base64 created?
Email was originally a 7-bit ASCII text system, so binary attachments such as images, videos and executables could not be sent as they were. Base64 addresses this by transforming binary data into text made up only of safe ASCII characters, which can be reversed to retrieve the data in its original form; MIME attachments in email still use it today.
Example of how KAPE can be used?
KAPE can target all browsers on a machine and retrieve information such as browser cookies (which can tell us what sites the user has visited) and form history which could include personal information such as addresses, names, date of birth, and more.
What Tools can we use for browser forensics?
KAPE, Browser History Viewer, Browser History Capturer
What does the tool KAPE Stand for and why is it used?
Kroll Artifact Parser and Extractor. KAPE is an efficient and highly configurable triage program that will target essentially any device or storage location, find forensically useful artifacts, and parse them within a few minutes
What is a .LNK file?
LNK files are used by the Windows OS to link one file to another, which is how we can have application shortcuts that work as a redirector. We can collect valuable metadata from LNK files such as the location of the folder it is linked to, the date the LNK file was created, modified, last accessed, the file size, and more.
Explain what Binary is?
The 0s and 1s in binary represent OFF and ON respectively. In a transistor, a "0" represents no flow of electricity and a "1" represents electricity being allowed to flow.
What are Logon IDs used for?
The Logon ID is a unique value (a locally unique identifier assigned at logon, not a random number) that identifies one logon session and lets us tie events together. For a 4624 logon with the ID 0x25A036D, the matching logoff is the 4634 event carrying the same Logon ID, and every other Security event in between with 0x25A036D in it (process creation, privilege use, object access) belongs to that same session. The ID is only unique until the next reboot.
What is the Pagefile?
Pagefile.sys is used by Windows to hold memory pages that have been moved out of RAM, normally the least recently used ones, when physical memory runs short. It is allocated as a contiguous file on the root of the system drive so it can be read quickly. Forensically it can contain anything that was once in RAM, including credentials and malware code, so it should be collected alongside a memory dump; strings and carving tools will find fragments in it that are no longer in memory.
What is Wear leveling?
Wear leveling is a technique that some SSDs utilize to increase the lifetime of the memory using a very simple approach: evenly distribute writing on all blocks of an SSD so they wear evenly. Using this method, all physical cells in the SSD receive the same number of writes, to avoid writing too often on the same blocks, causing damage over time.
What is hexadecimal?
Hexadecimal, also known as hex or base 16, is a system for writing and sharing numerical values; in that respect it is no different from decimal or binary. Each hex digit represents exactly four bits, so one byte is always two hex digits (0x00 to 0xFF), which is why hex dumps, file signatures (FF D8 FF for JPEG) and memory addresses are written in hex.
What is some special forensic equipment?
Wireless stronghold / Faraday boxes and bags - block any wireless signals from reaching the evidence, preventing remote access to, or remote wiping of, a seized phone or laptop.
Specialized write-blockers - write-blockers that can also be used on cell phones, GPS devices, IoT devices and other non-standard drives.
Phone jammers - serve the same purpose as a Faraday box (operating one is illegal in many jurisdictions, so a Faraday bag is the usual choice).
Dedicated flash drives - containing tools such as EnCase, FTK, CSI Linux and MacQuisition.
What is the different between kape.exe and gkape.exe?
gkape is the graphical version of the tool
What is exiftool used for?
Retrieving metadata: exiftool <filename.extension>
How to use Steghide to Hide and Retrieve Files
Hiding a file: steghide embed -cf Dog.jpg -ef secretmessage
steghide - the tool
embed - the operation, here embedding one file inside another
-cf Dog.jpg - the 'cover file', the innocent file that will hold the hidden data
-ef secretmessage - the 'embed file', the file to hide inside the cover
steghide prompts for a passphrase; -p <passphrase> supplies it on the command line instead.
Retrieving a file: steghide extract -sf Dog.jpg
steghide - the tool
extract - the extract operation
-sf Dog.jpg - the 'stego file', the file we believe contains data hidden with steghide (the cover file from above); the hidden file is written to the current directory under its original name.
steghide only supports JPEG, BMP, WAV and AU cover files, and it encrypts the embedded data with the passphrase, so without the passphrase the payload cannot be recovered even when its presence is known.
Some of FTK Imager's features
- Dumping RAM into a .mem file that can be passed to other tools such as Volatility for analysis (the matching pagefile.sys can be captured at the same time).
- Taking forensically-sound disk images (raw/dd, E01 or AFF) that can be analysed in tools such as Autopsy.
- Exporting files directly from disk images.
- Generating MD5 and SHA1 hashes for evidence files, and verifying an image against them.
- Providing a read-only view of the contents of a disk image, exactly as the user would have seen it.
What is the extension for Prefetch files?
.pf
Order of Volatility?
Following RFC 3227, from most to least volatile:
1 - Registers and cache
2 - Memory (RAM, plus routing tables, ARP cache and the process table)
3 - Disk (HDD and SSD, including temporary files and swap)
4 - Remote logging and monitoring data
5 - Physical configuration, network topology, archival media
Collect in that order: anything higher on the list can be destroyed by the act of collecting the things below it.
Key Tenets for evidence handling
1. Never alter the original evidence - forensic analysts should not touch a running system unless they have to, and when they must (live acquisition) they should use the least intrusive method and record exactly what was done.
2. Use write-blockers - a write blocker sits between the suspect media and the analyst's machine and stops the operating system from writing to the media, so nothing is erased or damaged (even mounting a disk normally updates timestamps and journal entries).
3. Document everything - "If you don't write it down, it didn't happen".
What does the chain of custody look like?
1. Evidence integrity hashing - hash the original before anything else.
2. Taking a forensic copy - so the original evidence stays untouched; hash the copy and confirm it matches the original.
3. Storing the digital evidence - in antistatic bags or Faraday bags/cages as appropriate, and always in a locked container with controlled access.
4. Every person who handles the evidence fills out the Chain of Custody form: who, what, when, where and why, so the court sees an unbroken record from seizure to presentation.
What are the different login type codes?
2 - Interactive (a logon at the console: keyboard and screen, or a local virtual machine console)
3 - Network (the system was accessed over the network, e.g. SMB file share access and most PsExec-style remote execution)
4 - Batch (started as an automated batch job, e.g. Scheduled Tasks)
5 - Service (a Windows service started by the Service Control Manager)
6 - Proxy (proxy logon; not used in Windows NT or Windows 2000)
7 - Unlock (an Interactive logon that unlocks the workstation to resume an earlier session)
8 - NetworkCleartext (network logon where the credentials were sent in cleartext, e.g. IIS basic authentication)
9 - NewCredentials (used by RunAs with the /netonly option; the new credentials are only used for outbound network connections)
10 - RemoteInteractive (Terminal Services / Remote Desktop; the first place to look when RDP is suspected)
11 - CachedInteractive (console logon validated against locally cached domain credentials, meaning no domain controller was reachable)
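The logon type table and the Logon ID question above describe how 4624 and 4634 fit together; as an added example that is not from the original page, the Python below pairs logons with their logoffs by Logon ID, labels the type, and runs two simple IR checks over a constructed set of records (the naming rule that service accounts start with svc_ is an assumption of the example):

```python
# Added example (not from the original page): pair Windows 4624 logon events
# with their 4634 logoff by Logon ID and label each logon type. The EVENTS list
# is a constructed sample in the shape of fields parsed from Security.evtx; it
# is not a real log.
from datetime import datetime

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

EVENTS = [  # constructed sample records
    {"id": 4624, "logon_id": "0x25A036D", "type": 2, "user": "alice",
     "src": "-", "time": "2024-03-01T08:00:00"},
    {"id": 4624, "logon_id": "0x25B1F00", "type": 10, "user": "svc_backup",
     "src": "203.0.113.7", "time": "2024-03-01T02:13:00"},
    {"id": 4634, "logon_id": "0x25A036D", "time": "2024-03-01T17:30:00"},
    {"id": 4624, "logon_id": "0x25C0001", "type": 3, "user": "bob",
     "src": "10.0.0.5", "time": "2024-03-01T09:00:00"},
]

def sessions(events):
    """One record per Logon ID: who, how, from where, and for how long.
    A session with no matching 4634 was still open (or the log rolled over)."""
    logons = {e["logon_id"]: e for e in events if e["id"] == 4624}
    logoffs = {e["logon_id"]: e for e in events if e["id"] == 4634}
    result = {}
    for logon_id, on in logons.items():
        start = datetime.fromisoformat(on["time"])
        off = logoffs.get(logon_id)
        seconds = None
        if off is not None:
            seconds = (datetime.fromisoformat(off["time"]) - start).total_seconds()
        result[logon_id] = {
            "user": on["user"],
            "type": LOGON_TYPES.get(on["type"], "Unknown(%d)" % on["type"]),
            "src": on["src"],
            "seconds": seconds,
        }
    return result

def suspicious(events, internal_prefix="10."):
    """Two cheap IR checks: RDP (type 10) from outside the internal range, and
    service accounts (assumed here to be named svc_*) logging on
    interactively, which a real service account never needs to do."""
    hits = []
    for e in events:
        if e["id"] != 4624:
            continue
        if e["type"] == 10 and not e["src"].startswith(internal_prefix):
            hits.append((e["logon_id"], "RDP from external address"))
        if e["user"].startswith("svc_") and e["type"] in (2, 10):
            hits.append((e["logon_id"], "service account interactive logon"))
    return hits

if __name__ == "__main__":
    for logon_id, s in sessions(EVENTS).items():
        print(logon_id, s)
    for logon_id, reason in suspicious(EVENTS):
        print("ALERT", logon_id, reason)
```

On a real case the records would come from Security.evtx via a parser such as EvtxECmd or python-evtx; the correlation logic is the same, and the "no logoff found" case is worth treating as a finding rather than a gap.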
What is a Cluster?
A cluster, in the context of a hard disk, is a group of sectors (described above) within a disk and is the grouping by which disk files are organized. A cluster is larger than a sector, and most files fill many clusters of disk space. The hard drive is able to find all the clusters on a disk because each cluster possesses its own unique ID value.
How is evidence integrity of hard drives maintained?
A complete copy of the storage media is taken at the bit level (a forensic image), meaning everything on the disk, including deleted files, slack space and unallocated space, is copied to a fresh hard drive or image file. The original drive is hashed before imaging and the copy is hashed afterwards; the two values must match, proving that an exact copy was produced. Analysts then work only on the copy (or on copies of the copy), so that nothing that goes wrong during analysis can alter the original evidence.
What are HDDs?
A hard disk drive (HDD) is a non-volatile memory hardware device that controls the positioning, reading and writing of the hard disk, which furnishes data storage. HDDs will typically store an operating system, software programs and user-created files such as documents. Hard disk drives are commonly found in drive bays and are connected to the motherboard via an ATA, SATA, or SCSI cable, and also connected directly to a power supply unit (PSU).
What is a Platter?
A hard disk drive platter (or disk) is the circular disk on which magnetic data is stored in a hard disk drive. The rigid nature of the platters in a hard drive is what gives them their name (as opposed to the flexible materials which are used to make floppy disks). Hard drives typically have several platters which are mounted on the same spindle. A platter can store information on both sides, requiring two heads per platter.
What is a Sector?
A sector is the smallest addressable unit of a track on a magnetic disk or optical disc, historically 512 bytes and 4096 bytes on newer "Advanced Format" drives. A file that does not fill its last sector has the rest of that sector padded with zeroes by the operating system; the remaining sectors of the file's last cluster, however, are not rewritten and may still hold data from a previous file (see slack space). In practice, operating systems work on blocks of data that span multiple sectors.
What are the 4 principles of ACPO?
ACPO Principle 1 - No action taken by law enforcement or their agents should change data held on a digital device (computer, mobile phone or storage media) that may subsequently be relied upon as evidence in court.
ACPO Principle 2 - Where a person finds it necessary to access original data held on a digital device, that person must be competent to do so and able to explain their actions and the implications of those actions to a court.
ACPO Principle 3 - An audit trail or other record of all processes applied to the digital evidence should be created and preserved; an independent third-party forensic expert should be able to examine those processes and reach the same result.
ACPO Principle 4 - The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to throughout the investigation.
What is a grounding bracelet?
An antistatic wrist strap, ESD wrist strap, or ground bracelet is an antistatic device used to safely ground a person working on very sensitive electronic equipment, to prevent the buildup of static electricity on their body, which can result in ESD.
What is Prefetch files?
Artifact description: information about programs that have executed, including the application name, the path to the executable, how many times it has run, when it was last run (Windows 8 and later keep the last eight run times) and when the prefetch file itself was created, which approximates the first execution. Windows keeps up to 1024 prefetch files on Windows 8 and later (128 on Windows 7), named <EXECUTABLE>-<HASH>.pf.
Artifact location: C:\Windows\Prefetch
Artifact analysis: to view these files in a human-readable format, use Prefetch Explorer Command Line (PECmd.exe) from Eric Zimmerman's tool set, e.g. PECmd.exe -f <file.pf> for one file or PECmd.exe -d C:\Windows\Prefetch --csv <output directory> for the whole folder.
Caveat: prefetching is disabled by default on Windows Server editions and may be disabled on some SSD systems, so an empty Prefetch folder is not evidence that nothing ran.
What is a Jump list?
Artifact description: two kinds of Jump List files exist, *.automaticDestinations-ms (created by Windows as files are opened through an application) and *.customDestinations-ms (populated by the application itself, e.g. items pinned to its taskbar menu). They record files and locations recently accessed through each application: the target path, timestamps, and the application identifier (AppID, derived from the application's path) that names the file.
Artifact location:
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Artifact analysis: JumpList Explorer, or the command-line JLECmd, from https://ericzimmerman.github.io/#!index.md. AutomaticDestinations files are OLE compound files whose streams are LNK structures, so everything said elsewhere on this page about .LNK metadata applies to them too.
What does ACPO stand for?
Association of Chief Police Officers, the UK body whose Good Practice Guide for Digital Evidence set out the four principles that most digital forensic procedures still follow. ACPO was replaced by the National Police Chiefs' Council in 2015, but the principles are still cited under the ACPO name.
What is Autopsy used for?
Autopsy is a forensic-grade tool used by the military, law enforcement and corporate examiners to investigate what happened on a computer or smartphone; it is the graphical front end to The Sleuth Kit. Autopsy's main features:
Multi-User Cases: collaborate with fellow examiners on large cases.
Keyword Search: text extraction and index search modules find files that mention specific terms or match regular expression patterns.
Timeline Analysis: displays system events in a graphical interface to help identify activity.
Web Artefacts: extracts web activity from common browsers to help identify user activity.
LNK File Analysis: identifies shortcuts and accessed documents.
Email Analysis: parses MBOX format messages, such as Thunderbird's.
Registry Analysis: uses RegRipper to identify recently accessed documents and USB devices.
EXIF: extracts geolocation and camera information from JPEG files.
File Type Sorting: groups files by type to find all images or documents.
Media Playback: view videos and images inside the application without an external viewer.
Thumbnail Viewer: displays image thumbnails for quick review.
Robust File System Analysis: support for common file systems, including NTFS, FAT12/FAT16/FAT32/exFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2 and UFS, via The Sleuth Kit.
Hash Set Filtering: filters out known-good files using the NSRL and flags known-bad files using custom hash sets in HashKeeper, md5sum and EnCase formats.
Tags: tag files with arbitrary names such as 'bookmark' or 'suspicious' and add comments.
Unicode Strings Extraction: extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
File Type Detection: based on signatures, with extension mismatch detection (a .jpg that is really an executable, for instance).
Interesting Files Module: flags files and folders based on name and path.
Android Support: extracts data from SMS, call logs, contacts, Tango, Words with Friends and more.
File path for Prefetch files?
C:\Windows\Prefetch
What is memory?
Computer memory (random-access memory, RAM) is the fast, volatile working store that the processor reads and writes directly; its contents are lost when power is removed. Storage (hard disks, SSDs) is slower to access but far larger and keeps its contents without power. That distinction is exactly why memory must be captured from a running system while disks can be imaged later.
What is NTFS?
Developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family. Improved support for metadata and advanced data structures improve performance, reliability and disk space use. Additional features include a security system based on access control lists (ACLs), file system journaling ($LogFile), alternate data streams (a classic hiding place for data), and the $MFT master file table and $UsnJrnl change journal, both rich sources of timeline evidence.
Can we Trust Digital Evidence?
Digital evidence is often attacked for its authenticity because of the ease with which it can be modified, although courts increasingly reject that argument when no evidence of tampering is offered. A documented chain of custody and matching hashes at every step are what let the examiner answer the challenge.
What are the two different Wear Leveling algorithms?
Dynamic wear leveling - when a block is rewritten, the data is written to a new, empty block chosen by the controller, which keeps a count of writes per block. The downside is that blocks holding data that is rarely updated are never moved, so wear is uneven.
Static wear leveling - uses the same technique with one important difference: blocks of static data are also moved when their erase count falls below a threshold relative to the rest, so every block wears evenly. This gives slightly slower write performance in exchange for longer device life.
Forensically, both mean that overwriting or trimming a page does not guarantee the old copy is gone from the physical flash; only the controller knows where the data really lives, which is why chip-off or vendor tools are sometimes the only way to reach it.
Digital Evidence Forms?
E-mails
Digital photographs
Logs
Documents
Messages
Files
Browser history
Databases
Backups
Disk images
Video/audio files
What is a .eml file?
EML, short for electronic mail, is the file extension for a single email message saved in the Internet Message Format (RFC 5322): plain text consisting of the headers (From, To, Date, Received, Message-ID) followed by a blank line and the body, with any attachments MIME-encoded inline, usually in Base64. It was the native format of Microsoft Outlook Express and is still written by Thunderbird, Apple Mail and most mail servers, so an .eml can be read in any text editor and its Received headers traced hop by hop.
What is the Windows Artifact successful login ID?
Event ID 4624
How to hide strings in Metadata?
Example: exiftool -Comment="Super Sneaky!" Dog.jpg writes the string into the JPEG's Comment tag. To view all the metadata in a file: exiftool Dog.jpg. When exiftool writes a tag it keeps the untouched original as Dog.jpg_original alongside (unless -overwrite_original is given), which is worth knowing both when hunting for hidden strings and when checking whether a suspect used exiftool themselves.
What is Base64?
A reversible encoding (not encryption: there is no key) that maps every 3 bytes of binary data to 4 characters from a 64-character alphabet (A-Z, a-z, 0-9, + and /), padding with = so the output length is a multiple of 4; it inflates the data by about a third. Example: VGhpcyBzZW50ZW5jZSBkb2Vzbid0IHJlYWxseSBtZWFuIGEgbG90LiBTb3JyeS4= which decodes to: This sentence doesn't really mean a lot. Sorry. Decode with base64 -d on Linux or [Convert]::FromBase64String() in PowerShell.
hexadecimal vs decimal?
Hex uses the standard 0-9(like decimal), but it also incorporates six digits you wouldn't usually expect to see creating numbers: A, B, C, D, E, and F.
What is the .bash_history file and where is it?
A hidden file in the user's home directory (~/.bash_history); because the name starts with a dot you need ls -a to see it. It lists the commands that user has run in bash. Every user, including root, has their own, so /root/.bash_history is worth checking too.
How is Garbage Collection used in Digital Forensics?
If a computer with a solid-state drive is still running when it is seized, it needs to be powered off immediately to stop garbage collection from erasing blocks that hold deleted data. The SSD controller continuously looks for pages that are no longer in use (deleted or superseded data) and erases the blocks they occupy to free them for future writes; it does this on its own, without any operating system involvement, for as long as the drive has power. Forensic analysts therefore perform a hard shut-down (holding the power button until the system turns off) or pull the plug so the power supply unit (PSU) receives no electricity; a graceful shutdown would give the drive more time to run garbage collection and TRIM. This has to be weighed against the loss of volatile data (see live forensics): capture RAM first if that data matters to the case.
What happens if the pagefile.sys is deleted?
If the file is removed entirely the system will not function correctly and is likely to become unstable under memory pressure; Windows recreates it at boot unless paging has been disabled. The system can also be configured to keep pagefile.sys on a secondary drive, and can be set to clear it at shutdown (the ClearPageFileAtShutdown setting), so check both before concluding there is nothing to collect.
What is ASCII?
ASCII defines 128 characters (codes 0-127) using 7 bits; in a file each alphabetic, numeric or special character occupies one 8-bit byte with the top bit zero. Bytes with the top bit set are therefore not ASCII, which is a quick tell for UTF-8, Latin-1 or binary content.
How are blank hard drives used?
In the event that you need to copy data on-site, having blank hard disks are an essential piece of hardware to have in your toolkit. These can be used in conjunction with write-blockers to copy the disk to another one without making any writeable changes to the media.
What is SSD Garbage Collection?
Is a process used by solid-state drives to optimize space and improve efficiency. The goal of garbage collection is to keep as many empty blocks as possible so that when the SSD needs to write data, it can do so without waiting for a block to be erased.
What is in a memory Dump?
Is a snapshot capture of computer memory data from a specific instant. A memory dump can contain valuable forensics data about the state of the system before an incident such as a crash or security compromise, such as running processes, network connections, and malware that doesn't take the form of files, but instead resides purely in memory.
List of interactions the Volatility tool can perform?
List all processes that were running.
List active and closed network connections.
View internet history (IE).
Identify files on the system and retrieve them from the memory dump.
Read the contents of Notepad documents.
Retrieve commands entered into the Windows Command Prompt (CMD).
Scan for the presence of malware using YARA rules.
Retrieve screenshots and clipboard contents.
Retrieve hashed passwords.
Retrieve SSL keys and certificates.
What is live forensics?
Live forensics is a branch of digital forensics that focuses specifically on computers and other IT systems that are powered on. Volatile artifacts often only exist while a system is turned on, and shutting the system off would cause these artifacts to be lost. This volatile data could be extremely important to an investigation, so it's crucial to collect it, but not jeopardize other data that could be affected by aspects such as SSDs that use Garbage Collection or TRIM.
What is metadata?
Metadata is "data about data", which sounds confusing, but is relatively straightforward. If you have a Microsoft Word document that contains text, that text is data. Metadata is information that describes the data and can include details such as the author of the document, and in photos, it can contain the camera settings, GPS location, resolution, and much more.
Best way to see what packages/programs the system has installed? (Linux)
The file is /var/lib/dpkg/status (Debian and Ubuntu based systems). To pull just the package names out of it: grep '^Package:' /var/lib/dpkg/status > packages.txt
grep '^Package:' matches only the lines that begin a package record (a bare grep Package would also match description lines that happen to contain the word)
> packages.txt writes the results to a text file called packages.txt
Each record also carries a Status: line: 'install ok installed' means the package is present, while 'deinstall ok config-files' means it was removed with only its configuration left behind. On a live system dpkg -l gives the same information; on RPM-based distributions use rpm -qa instead.
What is Octal?
Octal (base 8, digits 0-7) groups bits in threes, so it was often used to shorten 12-bit, 24-bit or 36-bit words on early machines. Hexadecimal groups bits in fours and is now more commonly used in programming, making number representations even shorter. Octal survives in Unix file permissions: chmod 644 means rw-r--r--, and a world-writable 777 or a setuid 4755 is something to notice during a Linux investigation.
How to gather hashes on Linux?
On a Linux system the coreutils hashing tools make this a one-liner. The following generate SHA256, MD5 and SHA1 hashes respectively: sha256sum <file>, md5sum <file>, sha1sum <file>. To verify a copy later, save the output (sha256sum <file> > hashes.txt) and check it with sha256sum -c hashes.txt.
One byte vs One bit?
One bit holds a single binary value, 0 or 1. One byte is eight bits and therefore has 256 (2^8) possible values, 0 to 255, written 0x00 to 0xFF in hex.
Why doesn't everyone use physical destruction to ensure evidence destruction?
Organizations may want to reuse hard drives or USB devices that have been involved in forensic investigations, so overwriting is often preferred because it does not destroy the hardware. As covered at the start of this domain, deleted data is typically still recoverable until it has been overwritten, so writing zeros over the whole drive defeats recovery. On Windows, diskpart can do this from an administrative command prompt: select disk <n> followed by clean all writes zeros to every sector (a plain clean only removes the partition table and leaves the data carvable).
Is Base64 used in Digital Forensics?
Perhaps an individual has explicit material on his home computer, but instead of keeping images and videos laying around, he encodes it all into Base64. For anyone that isn't familiar with this algorithm, they'd have no idea that the vast amount of characters is actually media content.
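The Base64 questions on this page explain the encoding and the scenario of media stored as text. As an added example that is not from the original page, the Python below scans a constructed document for Base64 runs, decodes the well-formed ones and checks the result for file signatures, which is how an examiner turns "a vast amount of characters" into "a JPEG at offset 7". The 40-character minimum run length and the signature table are this example's own choices:

```python
# Added example (not from the original page): scan a text blob for Base64 runs,
# decode them, and check the decoded bytes for file signatures. The document
# below is constructed; the "JPEG" in it is a fake header plus padding.
import base64
import binascii
import re

MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"MZ": "windows executable",
}
# 40+ Base64 characters with optional padding; shorter runs are mostly noise
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def decode_strict(token):
    """Decode only if the token is well-formed Base64, otherwise None."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None

def find_encoded_media(text):
    """Return (offset, kind, decoded_length) for every Base64 run whose
    decoded bytes start with a known file signature."""
    hits = []
    for match in B64_RUN.finditer(text):
        raw = decode_strict(match.group())
        if raw is None:
            continue
        for magic, kind in MAGIC.items():
            if raw.startswith(magic):
                hits.append((match.start(), kind, len(raw)))
                break
    return hits

def sample_document():
    """Constructed input: an encoded fake JPEG and the page's example string."""
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 60     # not a real image
    return (b"notes: " + base64.b64encode(fake_jpeg) +
            b"\nquote: VGhpcyBzZW50ZW5jZSBkb2Vzbid0IHJlYWxseSBtZWFuIGEgbG90LiBTb3JyeS4=\n")

if __name__ == "__main__":
    print(find_encoded_media(sample_document()))
```

The page's own example string decodes cleanly but carries no signature, so it is reported as nothing; the fake image is reported by offset, type and decoded size, which is what you would then carve out to a file for review.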
How to see metadata in Linux?
Right-clicking the file and opening Properties in a graphical file manager, or from the terminal with ls -lisap <file> (inode number, size in blocks, permissions, owner, size, modification time) and stat <file>, which also shows the access and status-change times and, on recent kernels and file systems, the birth time. These are file system timestamps; metadata inside the file (EXIF, document author and so on) needs exiftool.
What are SSDs?
SSDs have evolved beyond traditional mechanical hard disks by using flash-based memory which is significantly faster, allowing SSDs to speed up computers significantly because of their low read-access times and fast throughputs.
What is Slack Space?
Slack space is the leftover storage that exists on a computer's hard disk drive when a computer file does not need all the space it has been allocated by the operating system. The examination of slack space is an important aspect of computer forensics as we can find the remaining data from previous files allocated in the same cluster. For example, if a user deleted files that filled an entire hard drive cluster, and then saved new files that only filled half of the cluster, the latter half would not necessarily be empty. It may include leftover information from the deleted files that we can retrieve, and may potentially include evidence.
What is the Swapfile?
Similar to Windows, Linux uses swap space to hold memory pages that are not in current use when RAM runs low. Traditionally Linux used a dedicated swap partition, separate from the other files because it sits on its own partition, though many modern distributions (Ubuntu since 17.04, for example) use a swap file such as /swapfile instead; swapon --show or /proc/swaps lists what is in use. Like pagefile.sys, swap can contain fragments of passwords, keys and process memory long after the process has exited.
What is a special login security event vs regular login?
A Special Logon (Event ID 4672) is recorded when an account holding administrative privileges (SeDebugPrivilege, SeBackupPrivilege and the like) logs on. It is logged in addition to the 4624 successful logon, not instead of it, and carries the same Logon ID. For example, the only account on a home PC is in the local Administrators group, so every logon by it produces both a 4624 and a 4672. In incident response, 4672 events for accounts that should not be privileged are worth chasing.
What is the hibernation file?
Starting with Windows 2000, Microsoft introduced the hibernation feature that allows the operating system to store the current state of operation when you turn off the computer or the system goes into sleep mode. During hibernation everything in memory is copied to disk into a file called hiberfil.sys, and when the computer is restored the system resumes from that saved state; on Windows 8 and later the Fast Startup feature writes hiberfil.sys on an ordinary shutdown too. Hibernation files are a good source of information for digital forensic practitioners because they hold a copy of RAM captured without any special tools, and memory forensics frameworks such as Volatility can analyse them (after conversion) like a memory dump.
What is SSD Trim?
TRIM is the command by which the operating system tells an SSD which blocks no longer hold live data, for example after a file is deleted or the Recycle Bin is emptied. Once a block has been trimmed the controller typically returns zeros for it and garbage collection is free to erase it, removing any chance of a forensic investigation recovering the file or parts of it. Because TRIM and garbage collection work together, the countermeasure is the same: power the system off with a hard shut-down or pull the plug, and do not image a trimmed SSD expecting deleted files to still be there.
What is Evidence Integrity Hashing?
The first step of the investigation, even before making a forensic copy, is to calculate the hash (SHA256, and often MD5 as well) of the original drive and record it in the case notes. After imaging, the copy is hashed and must match; the same check is repeated whenever the evidence changes hands.
What is EXT4?
Ext4 replaces the block-by-block mapping of ext2 and ext3 with extents: an extent is a single contiguous run of physical blocks described by a start and a length, so a large file needs a handful of extent records instead of one pointer per block. This reduces fragmentation and file scattering and improves performance. Forensically, ext4 also records a file creation time (crtime) that ext3 did not have.
Why do we use binary?
Magnetic media store data as regions magnetised one way or the other, flash cells either hold a charge or do not, and transistors are either on or off. Each of those two-state physical conditions maps directly to a 0 or a 1, so binary is the natural and most reliable way to represent data and to build logic circuits.
What are clear files?
These are any files that are accessible through standard means, such as the terminal or the graphical file browser, with no carving or decoding needed. This includes areas such as:
- A user's desktop
- A user's default directories: Downloads, Music, Pictures, Public, Templates, Videos
- The Trash Bin
What is EXT3?
Third extended filesystem (Ext3), is a journaled file system that is commonly used by the Linux kernel. It is the default file system for many popular Linux distributions.
What can be found at /var/lib/dpkg/status?
This file holds a record for every package dpkg knows about (installed, or removed with its configuration files left behind), and can be a gold mine when you want to see what programs the user installed on the system. Copy it off the evidence rather than editing it in place, then open the copy in a text editor or filter it with grep to list the installed applications.
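The dpkg status questions on this page describe the file and the grep one-liner. As an added example that is not from the original page, the Python below parses a constructed excerpt in the file's real record format, lists what is actually installed, and shows why a bare grep for "Package" overcounts (the sample deliberately contains the word inside a description):

```python
# Added example (not from the original page): parse /var/lib/dpkg/status into
# records and list what is actually installed. SAMPLE_STATUS is a constructed
# excerpt in the real file's format, not copied from a system.
SAMPLE_STATUS = """\
Package: openssh-server
Status: install ok installed
Version: 1:9.2p1-2
Description: secure shell (SSH) server, for secure access from remote machines
 This Package line inside a description would fool a bare 'grep Package'.

Package: netcat-traditional
Status: deinstall ok config-files
Version: 1.10-47
Description: TCP/IP swiss army knife

Package: nmap
Status: install ok installed
Version: 7.93+dfsg1-1
Description: The Network Mapper
"""

def parse_status(text):
    """Split the file into one dict per package record.
    Records are separated by blank lines; lines starting with whitespace
    continue the previous field (multi-line descriptions) and are skipped."""
    packages, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                packages.append(current)
                current = {}
            continue
        if line[0] in " \t":
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
    if current:
        packages.append(current)
    return packages

def installed(packages):
    """Names of packages whose dpkg state is 'installed'. 'deinstall ok
    config-files' means removed but not purged: config files remain on disk."""
    return sorted(p["Package"] for p in packages
                  if p.get("Status", "").endswith(" installed"))

def naive_grep_count(text):
    """What 'grep Package' would have counted, description lines included."""
    return sum(1 for line in text.splitlines() if "Package" in line)

if __name__ == "__main__":
    pkgs = parse_status(SAMPLE_STATUS)
    print(len(pkgs), "records;", naive_grep_count(SAMPLE_STATUS), "lines match 'Package'")
    print("installed:", installed(pkgs))
```

The removed-but-not-purged netcat record is the interesting one in practice: the binary is gone, but its presence in the file tells you it was there, and the Version field dates it.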
Is File Shredding a secure destruction method?
File shredding is only as good as the overwrite it performs. A plain delete is not a secure method of destroying digital evidence, since the data stays on disk until it is overwritten and can be carved back. Shredding programs overwrite the file's blocks before unlinking it, and many implement the method commonly called the DoD 5220.22-M wipe, which has 3 passes:
Pass 1: writes zeros and verifies the write.
Pass 2: writes ones and verifies the write.
Pass 3: writes random data and verifies the write.
Two caveats: current NIST SP 800-88 guidance treats a single overwrite pass as sufficient for modern magnetic drives, and on SSDs an in-place overwrite cannot be trusted at all, because wear leveling may write the new data to different physical cells while the old copy survives, so use the drive's built-in secure erase or destroy the encryption key instead.
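As an added example that is not from the original page, the Python below performs the three-pass overwrite with read-back verification described above on a temporary file it creates itself, so the "verifies the write" step is visible in code. The caveat in the comments is the important part: the function only reaches the logical file's bytes.

```python
# Added example (not from the original page): a three-pass overwrite with
# read-back verification, the scheme the page describes as the DoD 5220.22-M
# wipe, applied to a temporary file. It shows what "verifies the write" means
# in code.
import os
import tempfile

PASSES = (
    lambda n: b"\x00" * n,   # pass 1: zeros
    lambda n: b"\xff" * n,   # pass 2: ones
    os.urandom,              # pass 3: random bytes
)

def wipe_file(path, passes=PASSES):
    """Overwrite the file's bytes in place once per pass, fsync, then read the
    file back and compare. Returns one bool per pass: did the verify succeed?
    Caveat: this only covers the logical file. Journaling or copy-on-write
    file systems, snapshots and SSD wear leveling can all keep the old bytes
    elsewhere, so on flash media use the drive's secure erase instead."""
    size = os.path.getsize(path)
    results = []
    for make_pattern in passes:
        pattern = make_pattern(size)
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(pattern)
            f.flush()
            os.fsync(f.fileno())
        with open(path, "rb") as f:
            results.append(f.read() == pattern)
    return results

def demo():
    """Create a file with recognisable content, wipe it, and report whether
    every verification passed and whether any original content survived."""
    fd, path = tempfile.mkstemp(prefix="evidence_")
    try:
        os.write(fd, b"confidential evidence " * 100)
        os.close(fd)
        results = wipe_file(path)
        with open(path, "rb") as f:
            leftover = b"confidential" in f.read()
    finally:
        os.unlink(path)
    return results, leftover

if __name__ == "__main__":
    print(demo())
```

For a real sanitisation job the file name, the original size and the per-pass results go into the log, since "we ran a shredder" is not evidence that anything was destroyed.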
What is the /etc/passwd file?
Used to keep track of every registered user that has access to a system. All users will have read access, but only super users will have the ability to write to the file. Maybe the user has a secret second user account that they have disguised to look like a service account, or maybe during an incident response, an attacker gained access to this Linux system and created an additional account for persistence.
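The second-account and persistence scenarios above are exactly what a quick pass over /etc/passwd should catch. As an added example that is not from the original page, the Python below parses a constructed passwd file in the real format and flags a duplicate UID 0 account and a system account that has been given a login shell (the UID 999 cut-off for system accounts is a Debian-style assumption; the matching /etc/shadow check, an account with a password hash that should not have one, is left to the reader):

```python
# Added example (not from the original page): parse /etc/passwd and run the
# checks an incident responder reaches for first. SAMPLE_PASSWD is a
# constructed file in the real format; the account names are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
support:x:0:0:support:/home/support:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

def parse_passwd(text):
    """One dict per line: name:password:UID:GID:GECOS:home:shell."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue   # malformed line; note it in the report, don't crash
        users.append({"name": fields[0], "uid": int(fields[2]),
                      "gid": int(fields[3]), "gecos": fields[4],
                      "home": fields[5], "shell": fields[6]})
    return users

def triage(users, system_uid_max=999):
    """Flag the classic persistence tricks:
    - a second UID 0 account (full root under a harmless-looking name),
    - a system/service account (UID <= 999, a Debian-style assumption) that
      has been given a real login shell,
    - duplicate UIDs in general."""
    findings, by_uid = [], {}
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "uid 0 but not root"))
        if 0 < u["uid"] <= system_uid_max and u["shell"] not in NOLOGIN_SHELLS:
            findings.append((u["name"], "system account with login shell"))
        by_uid.setdefault(u["uid"], []).append(u["name"])
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append((",".join(names), "duplicate uid %d" % uid))
    return findings

if __name__ == "__main__":
    for name, reason in triage(parse_passwd(SAMPLE_PASSWD)):
        print("%-14s %s" % (name, reason))
```

On a real image, run it against the copy of /etc/passwd from the evidence, and compare the output with the distribution's default account list so that the legitimately odd entries (an older distribution's "sync" or "games" user) do not drown the real finding.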
Linux Architecture
User Space - applications run in user space and request services from the kernel through system calls; a system call is simply a request sent to the kernel, through the system call interface, for a service.
Kernel Space - the kernel is the core of the operating system; it answers system calls from user space by providing the requested resources and manages the I/O devices, memory, file system and so on.
Disk - a device driver in kernel space passes I/O requests to the hard disk, which holds the file data.
Difference between the history command and .bash_history command
Users can execute history -c, which deletes all history from the running shell's memory, but reading the file with cat .bash_history still shows a record of the commands that were written before. Note: bash normally writes its in-memory history to the file only when the shell exits, so commands from a session that is still open (or that ended in a hard shutdown) will not be in .bash_history yet; conversely, a user who runs history -c and then exits cleanly leaves nothing for that session. A zero-byte .bash_history, or one symlinked to /dev/null, is itself a sign of anti-forensics.
How to gather hashes in Windows?
Using PowerShell, Get-FileHash <file> generates a SHA256 hash by default. For MD5 or SHA1 values, add the -Algorithm parameter: Get-FileHash -Algorithm MD5 <file> or Get-FileHash -Algorithm SHA1 <file>. From cmd.exe the equivalent is certutil -hashfile <file> SHA256.
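The hashing questions on this page (evidence integrity hashing, the Linux and Windows commands, and hashing a string) all come down to the same operation. As an added example that is not from the original page, the Python below streams data through several digests at once, so a multi-terabyte image never has to fit in memory, and checks a copy against its source; the "drive" contents are constructed bytes:

```python
# Added example (not from the original page): the hashing step of evidence
# integrity done in Python, streaming the data so a large image is never read
# into memory at once, plus the check that an image matches its source. The
# "drive" contents are constructed bytes, not a real image.
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")

def hash_stream(fileobj, algorithms=ALGORITHMS, chunk_size=1024 * 1024):
    """One pass over the data, updating every requested digest at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, algorithms=ALGORITHMS):
    """Same thing for in-memory data such as a string: the equivalent of
    echo -n <text> | sha256sum (no trailing newline)."""
    return hash_stream(io.BytesIO(data), algorithms)

def verify_image(original, image, algorithm="sha256"):
    """Hash source and copy with the same algorithm; they must be identical.
    Returns (match, original_hash, image_hash) so both values get recorded."""
    h_orig = hash_stream(original, (algorithm,))[algorithm]
    h_img = hash_stream(image, (algorithm,))[algorithm]
    return h_orig == h_img, h_orig, h_img

def demo():
    """A faithful copy verifies; a copy with a single flipped bit does not."""
    evidence = bytes(range(256)) * 4096            # 1 MiB constructed "drive"
    good_copy = bytes(evidence)
    bad_copy = bytearray(evidence)
    bad_copy[512] ^= 0x01                           # one-bit error in sector 1
    ok, _, _ = verify_image(io.BytesIO(evidence), io.BytesIO(good_copy))
    bad, _, _ = verify_image(io.BytesIO(evidence), io.BytesIO(bytes(bad_copy)))
    return ok, bad

if __name__ == "__main__":
    print(hash_bytes(b"abc"))
    print(demo())
```

Computing MD5, SHA1 and SHA256 in one pass is the practical reason to script this rather than run three command-line tools over a large image; the one-bit-flip case shows why the hash comparison is exact and why a failed verify means re-imaging, not explaining.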
What is Volatility?
Volatility is an open-source memory forensics framework for incident response and malware analysis.
What is the command(in Linux) for gathering hashes of text strings?
We can also hash a text string by piping it in: echo -n '<text>' | sha256sum (or md5sum / sha1sum). The -n matters: without it echo appends a newline, and the hash of 'text' followed by a newline is not the hash of 'text'.
How to use the scalpel tool?
We can run the tool using the following command: scalpel -b -o <output> <disk image file>
scalpel - the tool
-b - carve a file even when its footer is not found within the maximum carve size for that type (the file is written truncated at the maximum size rather than dropped)
-o <name> - directory for recovered files; this MUST be an empty directory or the name of a non-existent one, which scalpel will create
<disk image file> - the raw image (dd/.img) to search for files inside
Example command: scalpel -b -o /root/Desktop/ScalpelOutput DiskImage1.img
scalpel reads the file types to look for from /etc/scalpel/scalpel.conf (or the file given with -c); audit.txt in the output directory lists every carved file with its byte offset in the image, which is what you cite in the report.
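The two scalpel questions and the file-carving definition on this page describe header/footer carving. As an added example that is not from the original page and not scalpel's code, the Python below is a minimal carver of that kind run over a constructed byte string standing in for a disk image; the signature table mirrors the shape of a scalpel.conf entry, the -b behaviour is a parameter, and the output naming by offset is this example's own choice:

```python
# Added example (not from the original page, and not scalpel's code): a minimal
# header/footer carver of the kind scalpel implements, run over a constructed
# byte string standing in for a disk image. The "-b" behaviour (keep a file
# whose footer never turns up, truncated at the max size) is a parameter.
import os
import tempfile

# extension -> (header, footer, maximum carve size), like scalpel.conf entries
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 2 * 1024 * 1024),
}

def carve(raw, signatures=SIG if False else SIGNATURES, keep_truncated=False):
    """Return (start, end, ext, data) for every file found, sorted by offset.
    Fragmented files are not reassembled; a file whose footer lies beyond
    max_size is truncated (keep_truncated=True, scalpel's -b) or skipped."""
    found = []
    for ext, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = raw.find(header, pos)
            if start == -1:
                break
            limit = min(len(raw), start + max_size)
            end = raw.find(footer, start + len(header), limit)
            if end != -1:
                end += len(footer)
            elif keep_truncated:
                end = limit
            else:
                pos = start + 1
                continue
            found.append((start, end, ext, raw[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[0])

def write_carved(found, outdir):
    """Write each file as <offset>.<ext> (numbered names, as scalpel does,
    here by offset) and return the audit list (name, offset, length)."""
    os.makedirs(outdir, exist_ok=True)
    audit = []
    for start, end, ext, data in found:
        name = "%08d.%s" % (start, ext)
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(data)
        audit.append((name, start, end - start))
    return audit

def demo_write(found):
    """Write the carved files into a fresh temporary directory."""
    return write_carved(found, tempfile.mkdtemp(prefix="carved_"))

def sample_image():
    """Constructed 'disk image': a complete JPEG, a complete PNG, and a JPEG
    header with no footer (e.g. a file whose tail was overwritten)."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    broken = b"\xff\xd8\xff\xe1" + b"x" * 20
    return b"\x00" * 64 + jpg + b"\xaa" * 16 + png + b"\x00" * 8 + broken

if __name__ == "__main__":
    for start, end, ext, _ in carve(sample_image(), keep_truncated=True):
        print("%s at offset %d, %d bytes" % (ext, start, end - start))
```

The truncated third file is the case the -b flag exists for: without it the header-only JPEG is silently skipped, with it you get a partial file that may still contain a usable thumbnail or EXIF block.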
What is Degaussing?
When exposed to the powerful magnetic field of a degausser, the magnetic data on a tape or hard disk is neutralized or erased. For magnetic media it is a reliable form of erasure and a standard data-destruction method, with two caveats: it also destroys the drive's servo tracks, so a degaussed hard disk is unusable afterwards, and it does nothing to SSDs, USB flash drives or other flash memory, which store data as electrical charge rather than magnetically.
Where are the Windows Event Logs stored?
Windows Event Logs are stored as .evtx files in C:\Windows\System32\winevt\Logs. The logon events we're interested in (4624, 4625, 4634, 4672) are in Security.evtx in that directory; System.evtx and Application.evtx sit alongside it.
What tool can we use to analyze .LNK files?
Windows File Analyzer. Open the folder where the .LNK files reside: File -> Analyze Shortcuts -> browse to the Recent folder -> double-click an entry to open it in a new window. The Recent folder is C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent. LECmd from Eric Zimmerman's tool set is a command-line alternative.
What is exiftool used for?
exiftool <filename> retrieves a large amount of useful metadata: for images, the camera make and model, capture time, GPS coordinates and the software used to edit the file; for documents, the author, company and revision history. exiftool -a -u -g1 <filename> shows every tag, including duplicate and unknown ones, grouped by where in the file they live.
