A Forensic analysis tool for Windows file system artifacts for security incident response

dc.contributor.author: Mwangi, E. K.
dc.date.accessioned: 2026-04-21T07:18:40Z
dc.date.issued: 2025
dc.description: Full-text thesis
dc.description.abstract: Effective incident response relies heavily on timely access to actionable insights, and forensic tools play a vital role in equipping security teams with the information needed to investigate and mitigate threats. One of the major challenges during the analysis phase of incident response is the intentional hiding or deletion of data by cybercriminals. Threat actors often erase evidence such as scripts and executables used in reconnaissance, exploitation, command and control, and data exfiltration to avoid detection. While there are commercial forensic tools available to recover such data, these solutions are frequently complex and demand significant system resources, making them impractical for use on compromised or resource-constrained systems. To address this gap, this dissertation presents the development of a lightweight, Python-based console tool designed for Microsoft Windows environments. The tool leverages native Windows artifacts, including event logs, prefetch files, LNK files, registry hives, network connections, scheduled tasks, and browser data, to support forensic investigators and incident responders in recovering and analyzing deleted evidence. Using the Rapid Application Development (RAD) methodology, the project focused on creating an efficient and accessible solution that minimizes resource usage while maximizing forensic value. Evaluation of the tool demonstrated its ability to successfully recover key Windows artifacts and, crucially, retrieve deleted executable (.exe) files. These capabilities are essential for identifying malicious activity and understanding the scope of an incident. The results affirm the value of lightweight forensic tools in improving the speed and effectiveness of incident response, offering a practical alternative to more resource-intensive commercial solutions.

Keywords: deleted file recovery; indicator of compromise; Windows artifacts; Windows operating system; incident response.
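The abstract names LNK (shell link) files among the native artifacts the tool draws on; a shortcut often survives after the executable it pointed at has been deleted, which is exactly the trace an investigator wants. The following is an added example, not code from the thesis or its tool: it parses the fixed 76-byte ShellLinkHeader and the StringData fields as laid out in Microsoft's MS-SHLLINK specification, converting FILETIME stamps and skipping the LinkTargetIDList and LinkInfo structures whose sizes are given by their own leading size fields. The sample shortcut bytes, the "Quarterly report" name and the ..\payload.exe target are constructed for illustration and are not taken from the thesis.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader (MS-SHLLINK 2.1): fixed 76 bytes, HeaderSize 0x4C and the
# shell link CLSID 00021401-0000-0000-C000-000000000046 in little-endian layout.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, CLSID, LinkFlags, FileAttributes, Creation/Access/WriteTime,
# FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
HEADER_FMT = "<I16sIIQQQIIIHHII"

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRIBUTES = {
    0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
    0x04: "FILE_ATTRIBUTE_SYSTEM", 0x10: "FILE_ATTRIBUTE_DIRECTORY",
    0x20: "FILE_ATTRIBUTE_ARCHIVE",
}
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _bits(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_lnk(data):
    """Return header fields plus any StringData from a raw .lnk byte string."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime, size,
     _icon, show_cmd, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    rec = {
        "flags": _bits(flags, LINK_FLAGS),
        "attributes": _bits(attrs, FILE_ATTRIBUTES),
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": size,
        "show_command": show_cmd,
    }
    off = LNK_HEADER_SIZE
    # LinkTargetIDList: 2-byte IDListSize followed by that many bytes of IDList.
    if flags & 0x01:
        idlist_size = struct.unpack_from("<H", data, off)[0]
        off += 2 + idlist_size
    # LinkInfo: its first dword is the total LinkInfoSize, so skip exactly that.
    if flags & 0x02:
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & 0x80)
    for bit, field in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {field}")
        rec[field] = raw.decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return rec


def _string_data(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk():
    """Constructed sample, not a real capture: a shortcut whose relative target is
    ..\\payload.exe, the kind of leftover that points at a since-deleted binary.
    116444736000000000 is the FILETIME for 1970-01-01T00:00:00Z."""
    flags = 0x01 | 0x04 | 0x08 | 0x10 | 0x80
    epoch_1970 = 116444736000000000
    header = struct.pack(HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         epoch_1970, 0, epoch_1970 + 86400 * 10**7, 4096,
                         0, 1, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"   # IDList holding only the TerminalID
    strings = (_string_data("Quarterly report") + _string_data("..\\payload.exe")
               + _string_data("C:\\Users\\Public"))
    return header + idlist + strings


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key}: {value}")
```

On a real shortcut the header check rejects files that merely carry a .lnk extension, and the three FILETIME stamps describe the target at the time the link was created, not the shortcut file itself, so they remain useful after the target is gone. A production parser would additionally walk LinkInfo for the volume serial and local base path rather than skipping it.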
dc.identifier.citation: Mwangi, E. K. (2025). A Forensic analysis tool for Windows file system artifacts for security incident response [Strathmore University]. https://hdl.handle.net/11071/16408
dc.identifier.uri: https://hdl.handle.net/11071/16408
dc.language.iso: en
dc.publisher: Strathmore University
dc.title: A Forensic analysis tool for Windows file system artifacts for security incident response
dc.type: Thesis

Files

Original bundle

Name: A Forensic analysis tool for windows file system artifacts for security incident response.pdf
Size: 3.34 MB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 1.71 KB
Format: Item-specific license agreed upon to submission