How to Acquire Locked Files from a Running Windows System

Posted: November 02, 2011

Windows systems contain a variety of special files holding information that is useful in a forensic investigation. Many forensic investigators and incident responders share the misconception that collecting these special files from a live system is cumbersome and impossible to do via the command line. In this blog post I will show a couple of different ways to bypass the protection mechanism that Windows holds on these files. Once that hold is bypassed, the files can be acquired from a running system.

By Pär Österberg Medina