An Introduction To Windows File Analyzer

Windows File Analyzer (WFA) program was specifically designed for Windows XP. WFA can run on Windows Vista and Window 7 operating systems, but at a lower functional capability level than possible on Windows XP. This lower functionality is attributed to change of thumbnails, Recycle bin and shortcuts formats by Microsoft. Consequently, only WFA’s .dat functionality will run on Window 7 and Vista. However, the Recycle Bin can be accessed under C:\$Recycle.bBin\\ and allowing the viewing of concealed and system files.

WFA doesn’t require installation but run automatically after unzipping the download.

Don’t forget to check our pefile tool and our file entropy article.

Functions

File analyzer refers to a tool used for file analysis in computer technology. File analyzer helps a primary file analysis by displaying file contents and their properties in hexadecimal dump format. It’s capable of interpreting general file contents such as resources structures including graphics, media, text and PE.

Utilities

WFA has five distinct utilities including Analyze Prefetch, Analyze Index. DAT, Analyze Thumbnail database and Analyze Recycle Bin.

Analyzing thumbnails

This is the first utility database of WFA. Analyzing thumbnails analyzes files known as thumbs .db. As usual, Windows Explorer also known as My Computer helps the folders’ contents to be displayed in different formats. Among these formats, which is useful in display of folders with graphics or image files contents is the thumbnail view, which displays a series of miniature formats of the photo or graphic images. When thumbnail view is initially activated, it creates inside the folder a unique database known as thumbs .db. Thumbs.db is often updated for every request of the thumbnail view. Thumbnails are deferentially stored in Windows 7 and Windows Vista. A commercial product version for thumbnails demo known as ThumbnailExpert is always available for trial.

Usually, a thumbs.db file within a folder consist information on files, which are no longer available in that folder. Occasionally, the program can generate faulty results, whereby the pictures do not match with the file name. In such a case, you are should consider the reason for the anomaly for instance whether the thumbs.db file has been corrupted, or whether the program is not up to the perfection expected. You should hence run some tests to establish the type of information provided by a thumbnails program. This is because the program’s ability to gives results doesn’t guarantee that it can always be relied upon.

Analyze Prefetch

Prefetch files are the most critical artifacts for forensic analyzers attempting to analyze applications run on a system. Windows generate a prefetch file every time an application is initially run from a given site. Prefetch files bear critical data about a user’s application use on a computer. This allows fast loading of windows applications.

Evidence of program command are critical resources for forensic investigators and are used to show that a suspect operated a program such as CCleaner to hide any culpable offence.

Analyzing Shortcuts

Microsoft Windows invests heavily on shortcuts or lnk files. Majority of icons on the windows desktop and other items that popup from the start menu are shortcuts or lnk files. Lnk files comprises the documents item ‘My Recent Document’ or ‘Recent Items’, which catalogue recently accessed document-type files. Majority of individual applications likewise offer a catalogue of recently accessed files under that application.

WFA’s Shortcut Analyzer allows you view an lnk file properties by right-clicking the lnk file on your desktop.

Analyzing Index.dat

Analyze Index.dat option causes the program to catechize the usual sites on your major hard disk for index.dat files as well as folders containing cookies. Analyze Index.dat utility then list the entire URLs, which it can locate and choose a column to request the information based on that column. The ULRs are not listed in terms of all the sites visited but as all the files retrieved from the remote location, so that picture and text components of the page will be distinct. A number of the URLs are hence significantly long and shows requests to a remote website. Practically, other complex tools for analysis and examination of the internet cache are available.

Analyzing the Recycle Bin

This program exclusively runs on Windows XP. The format and site of the Recycle Bin shifted with Windows Vista to C:\$Recycle.Bin though the program is unable to analyze the new version. The Recycle Bin represents the windows facility, which helps you to rapidly retrieve file that is accidentally deleted. In order for Recycle Bin facility to function, there is a concealed file known as INFO2. Recycle Bin option hence helps you to view INFO2 contents for every Windows disk partition without necessarily starting the undelete operation.

Don’t forget to check our pefile tool and our file entropy article.