  • Mar 20, 2024

If you're curious as to whether or not a forensic examination of a computer can determine if folders were renamed or deleted, or even simply accessed on a device, inquire about the possibility of analyzing shellbags. Shellbags are stored in a file named UsrClass.dat in the Windows Registry. The timestamps and other data are encoded in hexadecimal, the numbering system employed by developers that uses 16 symbols (0-9 and A-F) rather than the standard decimal system.


Companies such as Privazer have applications which can not only display the last accessed and modified times for directories which are stored in shellbags, but also erase that data as well.


Shellbag data is hard to remove. A new folder or zip file which is created in place of an old one with the same name will inherit its shellbag data. Opening a folder, copying a folder, renaming a folder, deleting a folder, or even simply selecting or right clicking on a folder will generate shellbag data.


As discussed here before, even after files are removed from the Windows Recycle Bin, and even after a drive is reformatted, it's still possible to recover deleted files with widely available tools. See the Tip of the Night for December 29, 2019.


Windows 10 and Windows 11 include a reset option which can help wipe the drive of your PC by overwriting the existing data with new data, but this method may not be completely effective. Under Settings, if you go to System . . . Recovery, you will see an option to 'Reset this PC'.


. . .if you then choose the option to 'Remove everything', that will initiate the process of wiping the hard drive.



However, there are some reports that even after the 'Remove everything' option has been run, files can still be recovered. See this April 2023 report by Tom's Hardware, detailing the subsequent recovery of presumably wiped files with EaseUS Data Recovery.


A better, or supplementary, option may be to use a secure erase option in the BIOS, the firmware that manages a computer at the most basic level, without the operating system. You can enter the BIOS by pressing F2 when rebooting on most kinds of PC (use F10 if you have an HP computer and F1 for a Lenovo device). Or, search for 'advanced startup options' in Windows



. . . and then select the option to 'Restart now'



When your PC restarts, you should then be given the option to go into Troubleshoot mode, and then under Advanced options select the UEFI firmware settings.


The Dell BIOS firmware includes an option to wipe the device.



If you want to find out the last time a Windows 11 PC was powered on or shut down, you can use the Event Viewer application.

Bring up Event Viewer by searching for it in Windows. It will be preinstalled.


In Event Viewer, open the Windows Logs menu and click on 'System'.

Bring up 'Filter Current Log' from the Actions pane on the right. Enter '6005' in the Event ID field.



You can sort the results by date and time to find the latest time the PC was started.


Use 6006 as the Event ID to find when the PC was shut down.
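The same lookup scripted in PowerShell, as an added example that is not from the original post: it pulls the 6005 and 6006 records that the Event Viewer filter above returns, and can also be pointed at a System log saved from another machine (the .evtx path is an assumed placeholder).

```powershell
# Added example, not from the original post. Reading the live System log
# requires an elevated PowerShell session.
function Get-PowerCycleEvents {
    param(
        # Optional path to a saved System log exported from another PC;
        # when omitted, the live System log of this machine is read.
        [string]$EvtxPath,
        [int]$MaxEvents = 200
    )
    $filter = @{
        ProviderName = 'EventLog'   # 6005/6006 are written by the Event Log service itself
        Id           = 6005, 6006   # 6005 = service started (boot), 6006 = service stopped (clean shutdown)
    }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'System' }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id,
            @{ Name = 'Event'; Expression = { if ($_.Id -eq 6005) { 'Started' } else { 'Shut down' } } }
}

# Most recent startup and shutdown of this PC, newest record first.
$events = Get-PowerCycleEvents
'Last startup:  ' + ($events | Where-Object Id -eq 6005 | Select-Object -First 1).TimeCreated
'Last shutdown: ' + ($events | Where-Object Id -eq 6006 | Select-Object -First 1).TimeCreated

# Full history. A 6005 that is not preceded by a 6006 indicates the previous session
# ended without a clean shutdown (power loss or hard reset); Windows logs that
# separately as Event ID 6008, so 6006 alone will understate the number of power-offs.
$events | Format-Table -AutoSize

# Same query against a saved log (placeholder path, assumed for this example):
# Get-PowerCycleEvents -EvtxPath 'C:\case\System.evtx' | Format-Table -AutoSize
```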


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea. Proudly created with Wix.com
