📘 Manual

Created: 28.07.2022

Approach

When working with files as evidence, you'd typically look out for several things:

  • File system events/logs/registry (like $MFT for Windows or fseventsd for macOS), which help build a timeline of when the file was created, deleted or modified.
  • File metadata. Sometimes the metadata takes up more space than the file itself. It can contain timestamps (which may differ from the file system ones and indicate that those were tampered with), notes, the author, and even a modification history.
  • File structure. Look out for steganography techniques, where something is hidden inside a legitimate file, or for signs that the file is a polyglot (a file that is valid in several formats at once, such as php+png or bmp+php).
  • File contents. Apart from the obvious (reading the file), look out for stego techniques (if applicable), like text written in white on a white background or the actual message mixed in with garbage.

A hash covers only the file contents, not the file name: the name is stored in the file table, while the data itself is stored separately on the file system. Running ls -la shows information about the files, including hidden ones. On a Windows machine, the file's Properties dialog shows the same data. To see hidden files on Windows, follow the instructions.
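As an added example that is not part of the original note, here is a small Python triage script covering the metadata, structure and hashing points above: it records file system timestamps and permissions, hashes only the contents, and flags a PNG or BMP header that also carries a PHP open tag as a polyglot indicator. The sample bytes are constructed for the demonstration and stand in for real evidence files.

```python
"""Added triage example (not from the original note): per file, collect file
system timestamps and permissions, hash the contents, and flag a simple
image+PHP polyglot. Sample bytes below are constructed, not real evidence."""
import hashlib
import os
import re
from datetime import datetime, timezone
from typing import Optional

# Magic numbers for the two image formats the note mentions.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "bmp": b"BM"}
PHP_TAG = re.compile(rb"<\?php|<\?=")


def detect_format(data: bytes) -> Optional[str]:
    """Return the container format implied by the leading bytes, if known."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_polyglot(data: bytes) -> bool:
    """A valid image header plus an embedded PHP open tag is a polyglot indicator."""
    return detect_format(data) is not None and PHP_TAG.search(data) is not None


def sha256_of(data: bytes) -> str:
    """Hashing covers only the contents; the file name lives in the file table."""
    return hashlib.sha256(data).hexdigest()


def triage(path: str) -> dict:
    """Gather the facts a file-level timeline and integrity check start from."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    ts = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {
        "path": path,
        "size": st.st_size,
        "mode": oct(st.st_mode & 0o777),  # permission changes are worth tracking
        "mtime": ts(st.st_mtime),
        "ctime": ts(st.st_ctime),         # inode/metadata change time on POSIX
        "sha256": sha256_of(data),
        "format": detect_format(data),
        "polyglot": looks_polyglot(data),
    }


# Constructed samples: a PNG header with a PHP tag appended, and a clean BMP header.
SAMPLE_POLYGLOT = MAGIC["png"] + b"\x00" * 16 + b"<?php echo 'x'; ?>"
SAMPLE_CLEAN = MAGIC["bmp"] + b"\x00" * 32
```

Run triage() over a directory of exported files to get a per-file record you can line up against the $MFT or fseventsd timeline.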

Changes to file permissions are also significant (a new owner, or read/write/execute permissions added).

Windows

C:\$MFT
C:\$LogFile
C:\$Extend\$UsnJrnl:$J

UserFolders

C:\Users\Desktop
C:\Users\Documents
C:\Users\Downloads
C:\Users\Dropbox

Bin

C:\$Recycle.Bin\*
C:\RECYCLER\*
