computer forensics, computer forensics expert, mobile phone forensics, expert witness

Category: Artefacts

Was the firewall blocking traffic? Identifying active firewall rules using registry analysis.

I came across this question recently in relation to claims that access to a Windows 8 host via Windows Remote Desktop Protocol was blocked by the firewall configuration. This post describes my research into the registry artefacts related to answering the question, and provides a patch to RegRipper to assist in analysis. Theory of operation Windows 8 uses the same firewall configuration entries used by Windows 7. Windows ships with a number of firewall rules enabled, and these may be added to or modified by the user, for example using the windows firewall control panel applet.


Zone Identifier Internals

The “Zone.Identifier” file is a common artefact observed when undertaking forensic examinations of Windows systems. More correctly, this isn’t a file. Rather, it is an Alternate Data Stream (ADS), attached to content downloaded from the internet by Internet Explorer. The stream’s purpose: to record the source of the file so that judgements about its level of trust can later on be made by the Windows OS, particularly when running downloaded executable files.