Uncovering Digital Footprints: Proving Deleted Application Installations through Forensic Analysis
Previously Installed Application Overview
A previously installed application often leaves a digital footprint on a device long after a user deletes it. Forensic examiners use a combination of techniques to analyze application artifacts in order to uncover and present that footprint. Knowing the significance of a Prefetch file, a registry log, the AppCompatCache, and a hive file helps an investigator report on the initial installation and subsequent usage of an application on a device.
Prefetch File Analysis
The Prefetch file stores a timestamp each time an application is run on a device. If an application was previously installed and then deleted, information about it may still be present in Prefetch, provided the user did not manually disable it. It is not uncommon to disable Prefetch to improve performance; when it is still enabled, however, it is a quick and powerful source for digital forensics investigators in uncovering an application's possible installation history on a device.
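The following reader, added here as an example and not part of the original article, shows what an investigator actually pulls out of a Prefetch (.pf) header: the executable name, the path hash that also appears in the file name, the last-run timestamp (a Windows FILETIME) and the run count. It covers the Windows XP/2003 (version 17) and Windows 7 (version 23) layouts as documented for the SCCA format; the sample bytes are constructed in the block with a hypothetical executable name and hash, and the MAM-compressed Windows 10 form is detected and rejected rather than guessed at.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field offsets for the two uncompressed layouts this reader supports
# (version 17 = Windows XP/2003, version 23 = Windows 7). Windows 8/10
# files (versions 26/30) move these fields and Windows 10 additionally
# MAM-compresses the file, so those are refused with a clear error.
_LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90, "min_size": 0x98},
    23: {"last_run": 0x80, "run_count": 0x98, "min_size": 0xA0},
}
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; exact for whole microseconds."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Return the header fields of an uncompressed version 17/23 .pf file."""
    if data[:4] == b"MAM\x04":
        raise ValueError("MAM-compressed (Windows 10+) prefetch: decompress first")
    if data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file (SCCA signature missing)")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    layout = _LAYOUT[version]
    if len(data) < layout["min_size"]:
        raise ValueError("truncated prefetch file")
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    # Executable name: up to 29 UTF-16 characters plus terminator at 0x10.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run = struct.unpack_from("<Q", data, layout["last_run"])[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {
        "version": version,
        "file_size": file_size,
        "executable": exe_name,
        "path_hash": f"{path_hash:08X}",
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }


def expected_filename(info):
    """Prefetch files are named EXENAME-PATHHASH.pf; a mismatch with the
    on-disk name is worth noting in a report."""
    return f"{info['executable']}-{info['path_hash']}.pf"


def build_sample_prefetch(version, exe_name, path_hash, last_run, run_count):
    """Construct a minimal well-formed header (no section data) for testing."""
    layout = _LAYOUT[version]
    buf = bytearray(layout["min_size"])
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 0x0C, len(buf))
    name = exe_name.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, layout["last_run"], datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)


# Constructed samples: hypothetical executable, hash and timestamps.
SAMPLE_LAST_RUN = datetime(2023, 3, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_V23 = build_sample_prefetch(23, "SAMPLE.EXE", 0x1A2B3C4D, SAMPLE_LAST_RUN, 7)
SAMPLE_V17 = build_sample_prefetch(17, "SAMPLE.EXE", 0x1A2B3C4D, SAMPLE_LAST_RUN, 2)

if __name__ == "__main__":
    for blob in (SAMPLE_V23, SAMPLE_V17):
        info = parse_prefetch(blob)
        print(expected_filename(info), info["version"], info["run_count"], info["last_run"])
```

On a real image, read the bytes from C:\Windows\Prefetch and compare the name returned by expected_filename with the file's actual name; the run count and last-run time are the two values that survive even after the executable itself has been removed.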
Registry Log Analysis
In cases where Prefetch has been manually disabled, information about a previously run application may still be cached in logs in the registry. The registry allows a forensic examiner to view system information that helps determine whether a program was ever installed or run on a device. Programs that require a license key often store that key in the registry; if the key can be identified as belonging to a specific program, the vendor may be able to tie the license data to a specific user.
AppCompatCache Analysis
The AppCompatCache lists the full path to an executable, its file size, and its last modified date. Deleting or removing an application can leave behind residual information of this kind, particularly for an application that has dependencies or that interacted with other applications while it was installed and used on the device.
Hive File Analysis
The hive files often contain evidence of a previously run application. A forensic examiner can view the registry in FTK, extract the hive and open it in regedit, or extract the hive and parse it with RegRipper.
Even where a proactive approach to system management keeps disk usage efficient and the system healthy, information about a previously installed application often remains on a device after the application is deleted. That digital footprint allows forensic investigators to assess activity and build a timeline of events using a variety of tools that support a digital forensics investigation.
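The timeline step above is where the individual artifacts pay off. The block below is an added example, not part of the article: it normalises records of the three artifact types discussed (Prefetch last-run entries, AppCompatCache entries and registry Uninstall keys) into one sorted timeline, then groups the events whose executable no longer exists on disk, which is exactly the "deleted but still evidenced" case. All records are constructed in the block for a hypothetical ExampleApp; on a real case the dictionaries would be filled from the parsers or from RegRipper output.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str   # artifact the event came from
    path: str     # executable path the artifact points at
    detail: str   # human-readable note for the report


def _norm(path):
    """Case-insensitive, backslash-only key so the same binary groups together."""
    return path.replace("/", "\\").lower()


def build_timeline(prefetch, appcompat, uninstall):
    """Merge the three artifact types into one chronologically sorted list."""
    events = []
    for r in prefetch:   # path recovered from the .pf filename-strings section
        events.append(Event(r["last_run"], "prefetch", r["path"],
                            f"run {r['run_count']} times"))
    for r in appcompat:  # path, size and last-modified date of the executable
        events.append(Event(r["modified"], "appcompatcache", r["path"],
                            f"{r['size']} bytes"))
    for r in uninstall:  # DisplayIcon commonly points at the main executable
        events.append(Event(r["install_date"], "registry uninstall key",
                            r["display_icon"], r["display_name"]))
    return sorted(events, key=lambda e: (e.when, e.source))


def deleted_executables(events, files_on_disk):
    """Keep only events whose executable is absent from the file system."""
    present = {_norm(p) for p in files_on_disk}
    evidence = {}
    for e in events:
        key = _norm(e.path)
        if key in present:
            continue
        evidence.setdefault(key, []).append(e)
    return evidence


def summarize(evidence):
    """Per missing executable: which artifacts still reference it and when."""
    return {
        path: {
            "sources": sorted({e.source for e in evs}),
            "first_seen": min(e.when for e in evs),
            "last_seen": max(e.when for e in evs),
        }
        for path, evs in evidence.items()
    }


# Constructed records for a hypothetical application and a control binary.
_utc = timezone.utc
EXAMPLE_EXE = r"C:\Program Files\ExampleApp\exampleapp.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
PREFETCH = [
    {"path": EXAMPLE_EXE, "last_run": datetime(2023, 3, 20, 9, 5, tzinfo=_utc), "run_count": 12},
    {"path": NOTEPAD, "last_run": datetime(2023, 3, 21, 14, 0, tzinfo=_utc), "run_count": 3},
]
APPCOMPAT = [
    {"path": EXAMPLE_EXE, "modified": datetime(2023, 3, 1, 8, 0, tzinfo=_utc), "size": 483328},
    {"path": NOTEPAD, "modified": datetime(2022, 11, 2, 0, 0, tzinfo=_utc), "size": 201216},
]
UNINSTALL = [
    {"display_name": "ExampleApp 2.1", "display_icon": EXAMPLE_EXE,
     "install_date": datetime(2023, 3, 1, 8, 2, tzinfo=_utc)},
]
FILES_ON_DISK = [NOTEPAD]   # exampleapp.exe has been deleted

if __name__ == "__main__":
    timeline = build_timeline(PREFETCH, APPCOMPAT, UNINSTALL)
    for e in timeline:
        print(e.when.isoformat(), e.source, e.path, e.detail)
    for path, s in summarize(deleted_executables(timeline, FILES_ON_DISK)).items():
        print("missing:", path, s)
```

Each source line in the output can be traced back to the artifact it came from, which is what a report needs when the only proof of installation is the residue the article describes.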