Course 36 - Windows Forensics and Tools | Episode 8: Efficiency, Evidence, and Forensics - CyberCode Academy

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So imagine you've got a cyber criminal, right, They're sitting
in this dark room just meticulously wiping a hard drive.

Speaker 2 (00:06):
Yeah, trying to completely destroy all the evidence of whatever
illegal operation they were running.

Speaker 1 (00:11):
Exactly. I mean, they're running this advanced, like military grade
scrubbing software, overwriting the entire disc with random ones and zeros,
just pass after.

Speaker 2 (00:22):
Pass, making sure nothing can be recovered.

Speaker 1 (00:24):
Right, and they lean back, you know, breathing this huge
sigh of relief. The files are gone, burn to ashes.
They feel completely untouchable.

Speaker 2 (00:31):
But they are entirely unaware of what's actually happening on
that machine.

Speaker 1 (00:35):
Yes, because their computer's operating system has quietly maintained this
highly detailed, timestamped log of exactly what they did, which
programs they ran, and the exact second they ran them.

Speaker 2 (00:47):
It's the ultimate paradox in digital forensics.

Speaker 1 (00:50):
Really it is. And the wildest part of this scenario
isn't even the log itself. It's the fact that the
computer didn't do this to like spy on them. It
recorded this permanent forensic footprint all in the name of
making the system boot up just a few seconds faster.

Speaker 2 (01:05):
Yeah, the core mechanisms that were engineered purely to optimize
user experience, to make things feel snappy and responsive. Those
are the exact same mechanisms that leave an indelible trail
for investigators.

Speaker 1 (01:17):
Which brings us to today's topic. Today's deep dive is
into a really fascinating architectural feature of the Windows operating
system called Windows prefetch files.

Speaker 2 (01:27):
It's essentially an operating system feature that acts like a
hypervigilant butler, and that butler, well, it remembers absolutely everything
you've asked it to do.

Speaker 1 (01:35):
Right. So our mission today is to dissect how this
seemingly mundane performance optimization tool functions under the hood, and
how digital forensic analysts leverage these invisible breadcrumbs to completely
reconstruct a timeline of events.

Speaker 2 (01:51):
It's incredibly powerful when you know what to look for.

Speaker 1 (01:53):
So for everyone listening, think of this way. If the
computer's a busy restaurant, the physical hard drive is the
deep freezer all the way way in the back, and
the RAM the system memory is the prep table, right
and from the chef.

Speaker 2 (02:05):
That's a great way to visualize it.

Speaker 1 (02:06):
Yeah, so getting ingredients from the freezer to the prep
table takes time. Every time you open a program, it's
like the chef shouting out in order. If the kitchen
staff has to physically run to the freezer on demand
for every single item, the whole restaurant slows to a crawl.

Speaker 2 (02:21):
And nobody wants a slow computer exactly.

Speaker 1 (02:23):
So we're going to look at the system that anticipates
the chef's orders and moves those specific ingredients to the
prep table before the chef even opens their mouth.

Speaker 2 (02:32):
And to understand how investigators essentially weaponize that system, we
have to look back at the engineering bottleneck that caused
it to be built in the first place. This goes
all the way back to the Windows XP.

Speaker 1 (02:44):
Era, right so early two thousands.

Speaker 2 (02:46):
Exactly, Microsoft engineers realized the professor wasn't the main issue
causing slow application launches. The real issue was disio input
output operations.

Speaker 1 (02:56):
Because physical hard drives back then were slow spinning magnetic exactly.

Speaker 2 (03:01):
Pulling code libraries from a physical spinning platter into memory
is just a mechanically limited process. It takes time. So
their solution was to create a system that actively monitors
the specific blocks of data and application asks for when
it launches, so.

Speaker 1 (03:17):
It's watching what the app needs from the hard drift right.

Speaker 2 (03:19):
And the heavy lifting here is coordinated by two things,
the cash manager and the task scheduler. Okay, when an
application executes, the system generates what are called page faults
as it searches for the necessary code. The task seduler
intercepts this activity, maps at exactly which pieces of data
are being loaded into memory, and writes those instructions into
a dedicated file.

Speaker 1 (03:40):
And that's our prefetch file, right, the dot PF file.

Speaker 2 (03:43):
Exactly the dot PF file.

Speaker 1 (03:45):
So instead of the hard drive randomly seeking all over
its platters to find the necessary files every single time
you open an app, it just writes down the exact
physical locations of.

Speaker 2 (03:54):
That data you've got it. It organizes the requested resources
so they can be loaded proactively.

Speaker 1 (03:59):
So the next time you click the icon, it just
reads that dot PF file, grabs all the data in
one smooth, sequential sweep, and throws it right out of.

Speaker 2 (04:08):
The prep table precisely. But, and this is important, there
is a strict boundary on when this observation occurs. The
task scheduler is not blindly recording your every move.

Speaker 1 (04:19):
Wait, really, it's not just constantly watching, no, not at all.

Speaker 2 (04:22):
It monitors activity during three highly specific time windows. First,
it tracks the initial two minutes of systems startup to
optimize the boot process.

Speaker 1 (04:32):
Okay, that makes sense, getting the computer running right.

Speaker 2 (04:35):
Second, it watches for sixty seconds immediately following the startup
of all win thirty two background service sizes. And Finally,
and this is the most critical part for incident response,
it monitors the first ten seconds of any user initiated
application launch.

Speaker 1 (04:51):
Wait just ten seconds, so it only watches for the
first ten seconds of an app launching.

Speaker 2 (04:55):
Yep, just the first ten seconds.

Speaker 1 (04:56):
It's not recording everything I do inside the app, just
the fact that I open the door exactly.

Speaker 2 (05:01):
That ten second window is a crucial distinction. If you
open a word processor, the prefetcher logs the application and
the system libraries it needs to launch.

Speaker 1 (05:11):
But if I then spend the next i don't know,
four hours typing out a confidential document.

Speaker 2 (05:16):
The prefetcher isn't logging your keystrokes or the contents of
that document. It completely stopped watching at second eleven.

Speaker 1 (05:22):
Ah, okay, so it only cares about the boot sequence
of the application itself, which means it's purely an allocator
of resources, not a key logger.

Speaker 2 (05:31):
Right, and That limited scope is why the performance gain
doesn't get negated by like massive logging overhead. You know
it's efficient.

Speaker 1 (05:39):
That makes total sense.

Speaker 2 (05:40):
But while this reactive prefetching was a massive success in
Windows XP, Microsoft actually decided to shift gears in later versions.
They moved from a reactive model to a predictive model.

Speaker 1 (05:50):
Oh interesting, when did that happen?

Speaker 2 (05:52):
Starting with Windows Vista and evolving through Windows seven and beyond,
they introduced something called SuperFetch.

Speaker 1 (05:57):
Soberfetch sounds like a n upgrade, it really was.

Speaker 2 (06:00):
Rather than just making the second launch of an application faster,
SuperFetch attempts to map out your entire behavioral routine.

Speaker 1 (06:07):
Wait, it builds a profile on you. It does.

Speaker 2 (06:09):
It anticipates your workflow and actually preloads resources into memory
before you even request them.

Speaker 1 (06:14):
Wow. Okay, that implies a massive step up in data collection. Yeah,
because if it's trying to predict that, say I always
open my email client at eight am and my video
editor at two pm, it has to be logging long
term usage patterns. Yes, not just those ten seconds startup bursts.
It's creating a highly detailed profile of my daily habits.

Speaker 2 (06:35):
And that profiling is managed by an internal engine called
sismain dot dll. It runs totally invisibly in the background
under the SVC host process right exactly. It analyzes your
usage patterns over days and weeks. And to store this
really complex behavioral data, SuperFetch creates its own database files.

Speaker 1 (06:51):
Okay, so these aren't the dot PF files anymore.

Speaker 2 (06:53):
Well, they're distinguished by an AG prefix and a dot
dB extension. But these database files sit directly alongside the
standard dot PF.

Speaker 1 (07:01):
Prefetch files in that same folder, right in.

Speaker 2 (07:04):
The system root prefetch directory, which you can usually find
at c colon backslash Windows backslash prefetch.

Speaker 1 (07:10):
Gotcha.

Speaker 2 (07:11):
They also introduced a companion feature called ready boost around
this time. This allowed users to plug in portable flash
storage like a standard thumb drive to act as a
dedicated disc cache.

Speaker 1 (07:22):
Oh I remember that. Yeah, you could plug in a
USB drive to make your computer faster.

Speaker 2 (07:26):
Yes, because flash memory handles random scattered read requests significantly
faster than those older mechanical drives, so offloading the cash
to a thumb drive provided a massive performance.

Speaker 1 (07:38):
Bike, which brings us to the core vulnerability here. Really,
as you think about it, we have a directory sitting
right on the sea drive, quietly aggregating a master list
of every application launched, the exact time it was launched,
and the behavioral patterns of the user over time. If
it's hoarding all this data into SuperFetch files anticipating my
every move, isn't that creating a massive centralized target for

(08:00):
anyone trying to snoop on my habits?

Speaker 2 (08:02):
It absolutely is. By optimizing the system, the operating system
has inadvertently created this centralized gold mine of metadata for
any forensic investigator.

Speaker 1 (08:13):
As long as they know how to read it. Right.

Speaker 2 (08:15):
So, let's actually open one of these standard dot PF
files and look at the forensic footprint inside.

Speaker 1 (08:21):
Let's do it. What's it look like?

Speaker 2 (08:22):
Opening a dot PF file reveals a highly structured set
of data. At the top level, you find the name
of the executable itself.

Speaker 1 (08:30):
Okay, so the name of the program exactly.

Speaker 2 (08:33):
Then, digging deeper, you find the Unicode paths of every
single DLL the dynamic link libraries that the executable called
upon during those first ten seconds.

Speaker 1 (08:43):
So that tells an analyst not just what the program
is called, but what system capabilities it requested.

Speaker 2 (08:48):
Right, things like networking modules or encryption libraries. You also
extract a definitive timestamp of the absolute last time that
application was executed. And finally, the file maintains a running launch.

Speaker 1 (08:59):
Counter way of counter tracking exactly how many times it's
been run.

Speaker 2 (09:03):
Tracking the exact number of times that specific executable has
been run on that system since the prefetch file was created.

Speaker 1 (09:10):
Okay, that launch counter is devastating from an interrogation standpoint.
I mean, think about it. If a suspect claims they
accidentally clicked a malicious email attachment just.

Speaker 2 (09:20):
Once, but the forensic analyst pulls the prefetch file and
sees the launch counter for that malware payload is sitting
at forty five.

Speaker 1 (09:27):
That defense completely evaporates. You can't argue with that. The
operating system's internal tallly doesn't lie.

Speaker 2 (09:33):
It really doesn't.

Speaker 1 (09:34):
But hold on, if I have a thousand applications on
my computer, how does this system organize these files?

Speaker 2 (09:40):
What do you mean?

Speaker 1 (09:41):
Well, let's say I have an app called update dot
XCEE for my browser and another app called update dot
XE for a video game. The system can't just name
the prefetch file update dot PEF. They would override each other, right, Ah,
that's a great point.

Speaker 2 (09:55):
The naming convention is specifically designed to prevent that exact collision.

Speaker 1 (10:00):
Has to do that.

Speaker 2 (10:01):
A prefetch file is formatted with the executable name and uppercase,
followed by a dash and then an eight character hexadecimal hash,
concluding with the dot pf extension a hexadecimal hash yes,
and the crucial element there is the hash. That eight
character alphanumeric string is generated mathematically based on the exact
file path from which the application was launched.

Speaker 1 (10:22):
Ah, so the hash maps back to the location exactly. Okay.
So if I run a portable web browser from a
thumb drive, the pass might be e colon backslash browser
dot xe Right, the system hashes that path and generates
something like a one B two C three D four.
But if I run a different browser from c colon
backslash program files, it generates a totally different hash.

Speaker 2 (10:45):
You've got it. The operating system doesn't see two similar programs,
it sees two entirely distinct execution paths.

Speaker 1 (10:51):
Wow. That distinction is exactly what saves investigators. It prevents
files from overrideing each other. But more importantly, it definitively
proves where the file was executed from. Yes.

Speaker 2 (11:00):
If an analyst finds a prefetch file for a known
hacking tool, the HASH in the filename allows them to
calculate whether the tool was run from the user's desktop.

Speaker 1 (11:10):
Or if it was run from a removable thumb drive
that the suspect has since unplugged and thrown in.

Speaker 2 (11:14):
A river exactly. The physical thumb drive might be gone,
but the execution path remains permanently logged on the sea drive.

Speaker 1 (11:21):
That is incredible. And when forensic analysts are extracting these
timestamps encounters, I'm assuming they aren't always just plugging them
into some sleek graphical software interface. Sometimes they have to
dive straight into the raw binary data using a hex editor,
right they do, Yeah, but why would an analyst manually
dig through raw hexadesimal code to find this data when

(11:41):
there are automated forensic tools designed to read these files instantly? Well.

Speaker 2 (11:46):
Automated tools are fantastic for rapid triage you know, when
you need answers fast, but they can fail spectacularly if
a PF file has been partially.

Speaker 1 (11:54):
Corrupted or intentionally tampered.

Speaker 2 (11:56):
With exactly, or if a malware strain has altered the fileheader,
specifically to confuse commercial software. In those scenarios, an investigator
has to rely on the absolute ground truth of the
raw binary, so.

Speaker 1 (12:08):
They have to know exactly where to look in the code.

Speaker 2 (12:10):
They need to know the specific byte offsets where the
operating system hardcodes the data. For example, in Windows XP,
the sixty four bit timestamp indicating the last launch time
is physically located at hexadesimal offset seventy.

Speaker 1 (12:24):
Eight offset seventy eight, So that means if you count
one hundred and twenty bytes into the file, you will
find the raw time.

Speaker 2 (12:30):
Data precisely, and the launch counter is a hexadesimal offset ninety.

Speaker 1 (12:34):
But as the operating system evolved, Microsoft shifted where that
data lives within the file structure, didn't they They did.

Speaker 2 (12:41):
In Windows Vista and Windows seven, the timestamp moved down
to hex offset eighty and the launch counter shifted to
hex ninety eight.

Speaker 1 (12:49):
So an investigator reading the raw hex isn't relying on
a software's interpretation of the data. They're looking at the
foundational data exactly as the operating system wrote it to
the disc.

Speaker 2 (12:58):
Reading the hex offsets manually ensures that no matter how
offuscated the environment is, those core metrics of execution time
and frequency can be definitively.

Speaker 1 (13:08):
Verified, which brings us right back to the cybercriminal from
the beginning of our deep dive, the suspect who used
the military grade wiping application to completely obliterate their illicit files.

Speaker 2 (13:18):
Right, let's walk through that paradox. The suspect runs Evidencewiper
dot XA. It executes, overwrites the target files with zeros,
and effectively burns the evidence to ashes. The actual illicit
files are completely unrecoverable.

Speaker 1 (13:32):
They're gone. But and this is the kicker. The moment
this suspect launched Evidencewiper dot xay, the task scheduler noticed
a new application starting up.

Speaker 2 (13:41):
It sure did. It monitored the first ten seconds of
the wiping application's boot sequence.

Speaker 1 (13:46):
Attracked which dls the wiper needed to function.

Speaker 2 (13:48):
And it wrote all of that data into a brand
new prefetch file called evidence dash wiper dash hash sh
dot pf.

Speaker 1 (13:55):
It's the equivalent of breaking into a highly secure building
successfully shred every top secret document you stole, but accidentally
leaving the shred er running with your fingerprints clearly pressed
into the power button.

Speaker 2 (14:07):
That is a perfect analogy. The sheer presence of the
wiping applications. Prefetch file proves definitively that the suspect possessed
installed and executed evidence eliminating software at a highly specific
date and time.

Speaker 1 (14:22):
You might not know what they wiped, but you have
undeniable proof of their intent to destroy evidence.

Speaker 2 (14:27):
The metadata just cuts through the deception completely, and we
see this vividly in cases involving hidden or obuscated directories too.

Speaker 1 (14:35):
Oh like encrypted folders exactly.

Speaker 2 (14:37):
Consider a scenario where a suspect uses advanced encryption software
like true crypt to create deeply concealed hidden volumes on
their hard drive.

Speaker 1 (14:46):
Right Because a sophisticated user won't just leave a folder
called secret files on their desktop.

Speaker 2 (14:51):
No, they'll hide the encrypted volume inside a labyrinthine system
directory like System thirty two, which already contains thousands of
obscure operating soyctem files.

Speaker 1 (15:00):
Finding a hidden encrypted volume in System thirty two manually
is literally like finding a needle in a digital haystack.
Even an experienced investigator wouldn't necessarily spot an encrypted data
blob disguised as a random system file just by glancing
at the directory.

Speaker 2 (15:16):
They wouldn't, But the prefetch file doesn't care about the
encryption or the clever camouflage.

Speaker 1 (15:21):
Because it's logging the execution path.

Speaker 2 (15:23):
Exactly when the user eventually mounts that hidden volume and
executes an application stored inside it. Windows naturally optimizes the
launch and the resulting dot PF file captures the full,
unencrypted execution path.

Speaker 1 (15:37):
Oh wow. So when the forensic examiner analyzes the prefetch metadata,
they extract a path pointing to a drive letter or
a volume mount point that doesn't visibly exist on the
standard file system.

Speaker 2 (15:48):
The dot PF file basically acts as a glaring neon sign,
pointing the investigator directly toward the hidden volume that they
would have otherwise never known existed.

Speaker 1 (15:57):
So the investigator pulls the thread, they see an execute
uh path leading to a ghost drive deduced that a
hidden volume was mounted at that exact time, and the
entire camouflage strategy just unravels.

Speaker 2 (16:08):
It completely falls apart.

Speaker 1 (16:09):
And this independent logging system is incredibly resilient against other
forms of tampering too, like time stomping.

Speaker 2 (16:15):
Ah. Time stomping.

Speaker 1 (16:17):
Yeah, For those who might not know, time stomping is
when a hacker intentionally alters a file's metadata. They change
the creation or modification days to make it look like,
say a piece of malware was installed three years ago
instead of yesterday, just completely throwing off the investigation timeline. Right.

Speaker 2 (16:32):
Time stomping manipulates the file's inherent metadata, but the proofetch
files maintain their own isolated records, so.

Speaker 1 (16:39):
The time stamps recorded inside the dot PF file at
those specific hexofs, as we discussed earlier, those are completely
independent of the executable's modified attributes.

Speaker 2 (16:50):
Exactly, the prefetch system acts as an isolated secondary clock.
It provides the forensic analyst with a verified, untampered sequence
of events that exposes the timeline manipulation immediately.

Speaker 1 (17:01):
So if this system is such an inescapable snare, if
it completely neutralizes wiping apps, exposes hidden volumes, and defeats
time stomping, the logical next step for any individual trying
to hide their tracks is to simply turn the system off, right,
just stop the butler from writing the diary Entirely.

Speaker 2 (17:19):
You'd think so, but disabling a core kernel level optimization
feature isn't something you can just toggle off in a
user friendly settings menu.

Speaker 1 (17:27):
No, of course not. You have to dive into the
Windows registry exactly.

Speaker 2 (17:31):
The registry is the central nervous system of the operating system.
It's a massive, hierarchical database where Windows stores its lowest
level configuration settings.

Speaker 1 (17:39):
And navigating it is inherently risky. I mean, altering the
wrong key can destabilize the entire.

Speaker 2 (17:45):
System, very risky. To turn off the prefetcher, a user
has to navigate a really deep path. You start at
HKY local machine, go down into the system hive, through
current control, set into control, Session Manager, memory management, and
finally arrive at a subkey named prefetch parameters.

Speaker 1 (18:01):
Okay, that is not a directory a casual user accidentally
clicks into. That is the deep end of the kernel
configuration definitely. So once you are inside prefetch parameters, what
are you actually modifying?

Speaker 2 (18:12):
You're looking for specific registry values, namely enable prefetcher and
enable SuperFetch. These are controlled by simple integer values ranging
from zero to three.

Speaker 1 (18:22):
Okay, zero to three. How do they work well?

Speaker 2 (18:24):
A value of three enables maximum monitoring, optimizing both application
launches and the system boot process. A value of two
optimizes only the boot process, a value of one optimizes
only application launches, and a value of zero instruct the
kernel to completely disable the monitoring system entirely.

Speaker 1 (18:43):
So the cybercernel dives into the registry, changes enable prefetcher
to zero, and the system stops logging their execution paths.
They run their malicious tools and no PF files are generated.

Speaker 2 (18:54):
That's the idea, But what is the.

Speaker 1 (18:56):
Actual cost of turning that feature off. It can't be consequence.

Speaker 2 (18:59):
Free, d It cost is severe system performance degradation. The
operating system basically reverts to the stone age of data retrieval.
It manually fetches every single resource from the hard drive
via random io requests every time at application launches, so.

Speaker 1 (19:13):
The system just feels incredibly sluggish and unresponsive.

Speaker 2 (19:16):
Very but the forensic cost is even steeper. It is
crucial to understand that consumer desktop operating systems like Windows
XP Vista and Windows seven they have application prefetching enabled
by default, right Server environments like Windows Server two thousand
and three and two thousand and eight have it disabled
by default because servers prioritize continuous background stability over snappy

(19:38):
user application launches, which.

Speaker 1 (19:40):
Creates a massive trap for the suspect. If you seize
a standard consumer desktop machine booted into a forensic environment
and discover the c colon Backslash Windows backslash prefetch folder
is completely empty. Well, it doesn't mean the suspect is innocent,
not at all.

Speaker 2 (19:55):
It means the suspect has a deep technical understanding of
operating system.

Speaker 1 (19:58):
Internalqickly sanitized room on a desktop OS is infinitely more
suspicious than a messy one.

Speaker 2 (20:04):
Finding an empty prefetch folder and a registry value manually
altered to zero fundamentally changes the posture of the investigation.
It immediately establishes intent because.

Speaker 1 (20:14):
The suspect actively sought out a buried kernel configuration to
disable an invisible logging mechanism.

Speaker 2 (20:21):
Exactly, it tells the investigator that the suspect is highly sophisticated,
actively engaged in a cover up, and that the forensic
team needs to deploy advanced data recovery techniques to reconstruct
what the suspect was trying so desperately to hide. The
active concealment actually becomes the primary indicator of guilt.

Speaker 1 (20:40):
It's a fascinating psychological game. Every attempt to evade the
system ends up triggering a different, equally incriminating alarm.

Speaker 2 (20:48):
It really is so.

Speaker 1 (20:50):
If you've been listening to this breakdown and mentally mapping
out your own system directories. You might be visualizing these
files right now. Let's do a quick mental check for
you to reinforce the core mechanics we've exped board today.

Speaker 2 (21:00):
Sounds good.

Speaker 1 (21:01):
Imagine you are staring at a massive directory system logs
trying to find the exact footprint of a specific executable.
What is the precise naming structure you should be looking for?
Do you look for the path hash first or the
application name?

Speaker 2 (21:15):
Well, if you recall how the cash manager organizes the
data to prevent file collisions while prioritizing readability, you'll know
it leads with the most identifiable piece of human readable data.
The correct format is the application name and uppercase, followed
by a dash and concluding with the eight character hexodesimal
hash derived from the execution.

Speaker 1 (21:34):
Path right executable dash hashier dot pff. It's really incredible
how much narrative power is packed and is such a
seemingly innocuous string of text. I mean, a feature designed
entirely to shave three seconds off a loading screen ends
up being the ultimate arbiter of truth in a digital investigation.

Speaker 2 (21:53):
It really forces us to reconsider the fundamental architecture of
the environments we interact with daily. The operating system is
constantly observing, optimizing, and recording. Yeah, if your computer is
quietly logging the exact timestamp, the execution path, and the
frequency of every single action you take, just to make
the interface feel a bit smoother, what other entirely benign,

(22:13):
helpful convenience features in your everyday devices are secretly functioning
as an indelible, permanent log of your digital existence.

Speaker 1 (22:20):
That is a lingering thought to keep in mind. The
next time you clear your browser history, run a system cleaner,
and genuinely believe you've scrubbed the timeline clean. The system
always remembers keep exploring, keep questioning the mechanics behind the interface,
and we'll see you on the next team dive

All Episodes

Course 36 - Windows Forensics and Tools | Episode 8: Efficiency, Evidence, and Forensics

Episode Transcript

Popular Podcasts

Stuff You Should Know

iHeartRadio 24/7 News: The Latest

Dateline NBC

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Course 36 - Windows Forensics and Tools | Episode 8: Efficiency, Evidence, and Forensics