File associations are registry settings in Windows that determine what application to use to open a file of a specified type. Users or applications can set associations for file types so that when the file is opened, a command gets triggered by Windows. For example, when a user double-clicks a text “.txt” file, Notepad.exe will launch. Windows has preset default file associations; however, users can change and customize the associations according to their needs.
File associations that differ from the defaults can reveal how the system was used. During investigations, we can use the associations to establish which applications were installed on the system and which extensions were tied to those applications. That information helps prove that the user installed and configured a particular application.
The following registry locations hold the file extension association details:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKLM\Software\Classes
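As an added example (not ArtiFast's code, and independent of the tool), the PowerShell below reads those two locations directly on a live system and reports where a user's choice overrides the machine default. It relies on the standard value names UserChoice\ProgId, OpenWithList\MRUList and ProgId\shell\open\command, which this page does not list.

```powershell
# Added example, not ArtiFast code: walk HKCU\...\FileExts, pull the user's
# explicit choice (UserChoice\ProgId) and the "Open with" MRU (OpenWithList),
# and resolve each ProgId's launch command through HKLM\Software\Classes.
# Read-only; run on the live system being examined.
$fileExts = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
$classes  = 'HKLM:\Software\Classes'

# Default value of a registry key, or nothing if the key does not exist.
function Get-DefaultValue([string]$Key) {
    if (Test-Path $Key) { (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'(default)' }
}

# ProgId\shell\open\command holds the command line Explorer launches.
function Get-HandlerCommand([string]$ProgId) {
    if ($ProgId) { Get-DefaultValue "$classes\$ProgId\shell\open\command" }
}

$results = foreach ($extKey in Get-ChildItem $fileExts -ErrorAction SilentlyContinue) {
    $ext = $extKey.PSChildName

    # UserChoice records the handler the user picked ("Always use this app");
    # it takes precedence over the machine-wide default under HKLM.
    $userProgId = $null
    if (Test-Path "$fileExts\$ext\UserChoice") {
        $userProgId = (Get-ItemProperty "$fileExts\$ext\UserChoice" -ErrorAction SilentlyContinue).ProgId
    }

    # OpenWithList is an MRU of apps used for the extension; MRUList orders
    # the single-letter value names, most recently used first.
    $mru = @()
    if (Test-Path "$fileExts\$ext\OpenWithList") {
        $owl = Get-ItemProperty "$fileExts\$ext\OpenWithList" -ErrorAction SilentlyContinue
        $mru = foreach ($c in ([string]$owl.MRUList).ToCharArray()) { $owl.("$c") }
    }

    # Machine-wide default: HKLM\Software\Classes\.ext (default) -> ProgId
    $defaultProgId = Get-DefaultValue "$classes\$ext"

    [pscustomobject]@{
        Extension      = $ext
        UserProgId     = $userProgId
        UserCommand    = Get-HandlerCommand $userProgId
        DefaultProgId  = $defaultProgId
        DefaultCommand = Get-HandlerCommand $defaultProgId
        OpenWithMRU    = $mru -join '; '
    }
}

# Extensions the user re-associated away from the machine default are the
# ones most likely to reflect deliberate installation and configuration.
$results | Where-Object { $_.UserProgId -and $_.UserProgId -ne $_.DefaultProgId } |
    Format-Table Extension, UserProgId, UserCommand, DefaultProgId, OpenWithMRU -AutoSize
```

Drop the final Where-Object filter to list every extension, including ones that only carry an OpenWithList MRU without a UserChoice.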
This section discusses how to use ArtiFast to extract file extension association artifacts from Windows machines and what digital forensics insight we can gain from them.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select File Extension Associations artifacts:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of File Extension Associations artifacts in ArtiFast.
Windows File Extension Associations Artifact:
Windows File Extension Associations Default Artifact:
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com