AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Windows

For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table

See below for a list of Windows Tools.

| Tool | Description |
| --- | --- |
| AmcacheParser | |
| AppCompatCacheParser | |
| Arsenal Image Mounter | Arsenal Image Mounter (AIM) Walkthrough |
| Belkasoft RAM Capturer | |
| DetectionHistory Parser | Windows Defender DetectionHistory parser |
| DB Browser for SQLite | |
| Cyber Triage Lite | Free Windows tool - Tool explanation (Part 1) (Part 2) (Part 3) |
| Encrypted Disk Detector | |
| Event Log Explorer | |
| EvtxECmd | |
| EzETW | Cmdlets for capturing Windows Events - Tool explanation (here) |
| Forensic Toolkit for SQLite + ESE addon | Comprised of 2 back-end Extensible Storage Engine (ESE) databases and other configuration files. |
| Foxton Browser History Viewer | |
| FTK Imager | Forensically sound logical file/folder acquisition |
| Hashcat | |
| HashFinder | HashFinder, Hash Verifier, Password Checker, Hash Manager |
| Hashtopolis | Hashtopolis is a multi-platform client-server tool for distributing Hashcat tasks to multiple computers. |
| Hibernation Recon | |
| JLECmd | |
| Jump lists in depth: Understand the format to better understand what your tools are (or aren't) doing | |
| JumpList Explorer | |
| KAPE | |
| L0phtCrack | |
| LECmd | |
| Log Parser | |
| LSASecretsView | The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain a user's Autologon password, RAS and/or VPN passwords, and other system passwords/keys. |
| Magnet Axiom | Uses Volatility |
| Magnet RAM Capture | |
| Mount Image Pro | |
| Needle | Find Windows registry files in a blob of data |
| NirSoft - Forensic Tools | |
| NTLM Decrypter | |
| O365 Python Parse | Parsing O365 UAL using Python |
| PECmd | |
| PowerShell | |
| RBCmd | INFO2 and $I files |
| RDP Replay | |
| RecentFileCacheParser | |
| RECmd | |
| Reconnoitre | |
| Registry Explorer/RECmd | NTUser.dat, System.dat, Security.dat, Software.dat, SAM.dat |
| Registry Explorer/RECmd | The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain a user's Autologon password, RAS and/or VPN passwords, and other system passwords/keys. |
| RegRipper | |
| Rekall | |
| SDB Explorer | |
| SQLECmd | |
| SQLite Browser | |
| SrumECmd | |
| SumECmd | |
| SuperMem | Windows Memory Parsing Tool |
| ThumbCacheViewer | thumbcache_*.db and iconcache_*.db database files |
| Thumbs Viewer | Thumbs.db, ehthumbs.db, ehthumbs_vista.db, Image.db, Video.db, TVThumb.db, and musicThumbs.db database files |
| TZWorks USB Storage Parser (USB) | |
| USB Detective | |
| Velociraptor for Dead Disk & Dead Disk Forensics - Velociraptor & Paths and Filesystem Accessors - Velociraptor | |
| VFC | |
| Volatility | |
| WinPMEM | |
| WMI Explorer | GUI for exploring WMI on a live system |
| WMI Forensics | 2 Python scripts for parsing out WMI artifacts |
| WoanWare USB Device Forensics | |
| WxTCmd | Windows 10 timeline database parser |
| yEd graph editor | Create diagrams by importing external data - layout algorithms arrange even large datasets - (Shown in this example article on firewall analysis.) |

See below for a list of Windows Artifacts.

| Artifact or Process | Resource |
| --- | --- |
| 7-Zip | Investigating 7-Zip |
| AD1 Format | Dissecting the AD1 File Format |
| Adobe Acrobat Reader | Investigating Adobe Acrobat Reader |
| Amcache - SHA-1 | Amcache contains SHA-1 Hash – It Depends! - NVISO Labs |
| AnyDesk | Digital Forensic Artifact of Anydesk Application |
| AnyDesk | Forensic Analysis of AnyDesk Logs |
| AnyDesk | Investigating AnyDesk |
| AnyDesk | AnyDesk Forensic Analysis and Artefacts - Hats Off Security |
| APOLLO on Windows | Apple Pattern of Life Lazy Output'er (APOLLO) on Windows |
| Battery Level | Battery charge level and its importance in forensics investigations - CyberDefNerd |
| Battery Levels | Why do the battery use and the battery level matter during the investigation? - CyberDefNerd |
| Box | Investigating Box |
| Box Sync | Investigating Box Sync |
| Brave Web Browser | Investigating Brave Web Browser |
| Capability Access Manager (Camera/Mic Usage) | Can you track processes accessing the camera and microphone? and an Update in: I can see and hear you seeing and hearing me! |
| Chrome - Changes in v96 | Cookies Database Moving in Chrome 96 |
| Computer Name | Investigating Computer Name |
| Containers | Windows Container Forensics |
| Cortana | Investigating Cortana - Forensafe |
| Discord | Finding Discord app chats in Windows. |
| Discord | Update on Discord forensic artifacts for iOS & Windows |
| Download Manager | Quick analysis of the Internet Download Manager history using RegRipper plugins - CyberDefNerd |
| Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 1) |
| Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 2) |
| Dropbox | Investigating the Dropbox Desktop App for Windows with Belkasoft X |
| Dropbox | Investigating Dropbox |
| Evernote | Investigating Evernote |
| Exif Data that was "removed" | Windows Explorer: Improper Exif Data Removal - Didier Stevens |
| Facebook Messenger | Investigating Facebook Messenger Windows Application |
| File Carving | File carving: Recovering a deleted file from a Windows disk image |
| Firefox | Investigating Firefox |
| Foxit PDF Reader | Investigating Foxit Reader - Forensafe |
| GIMP | Quick tip: GIMP Recent Files Artifact |
| Google Chrome | Has the user logged into this account, or not? (Google Chrome’s Login Data-Part 1) (Part 2) |
| Google Chrome | Chrome Media History |
| Google Chrome | Chrome Media History Tracking Your Viewing Habits |
| Google Chrome | Chromium Session Storage and Local Storage |
| Google Chrome | Investigating Google Chrome Web Browser |
| Google Drive | Data Exfiltration Using Google Drive — Forensic Investigation |
| Google Drive | Investigating Google Drive |
| InstallDate affected by Win11 Upgrade | Windows InstallDate could be changed via Windows Update |
| Installed Programs List | Investigating Installed Programs |
| Internet Explorer | Investigating Internet Explorer Web Browser |
| Jump Lists | Investigating Jump Lists |
| Last Accessed Key | Investigating Last Accessed Key |
| LNK files | Investigating Link File |
| MAC Randomization | MAC Randomization in Windows - Forensic 4:cast |
| Maps | Investigating Windows 10 Maps |
| MegaNZ/MegaCMD | Forensic Investigation of the MEGAcmd Client - Awake Security |
| MEGAsync | An Encounter With Ransomware-as-a-Service: MEGAsync Analysis |
| Microsoft Edge | Investigating Microsoft Edge Web Browser and Application |
| Microsoft Edge (Chromium) | Investigating Edge Chromium Web Browser |
| Microsoft Office | An Inside View of Office Document Cache Exploitation |
| Microsoft Office | Investigating Microsoft Office - Forensafe |
| Microsoft Office 365 | Everything you need to know about MailItemsAccessed and more |
| Microsoft Teams | Looking at Microsoft Teams from a DFIR Perspective |
| Microsoft Teams | Microsoft Teams artifacts and chat logs |
| Microsoft Teams | Microsoft Teams and Skype Logging Privacy Issue |
| Microsoft Teams | Microsoft Teams Logs for Activity |
| Microsoft Teams | Collecting from Microsoft Teams using PowerShell |
| Microsoft User Access Logs (UAL) | A new type of User access log |
| Mozilla Thunderbird | Investigating Thunderbird Windows Application |
| MPLog | Mind the MPLog: Leveraging Microsoft Protection Logging for Forensic Investigations - CrowdStrike |
| MUICache (Multilingual User Interface) | Investigating MUICache |
| Network Persistent State (Chromium) | Recovering WiFi SSIDs from Chromium's Network Persistent State File - Alex Bilz |
| OneDrive | OneDrive and NTFS last access timestamps |
| OneDrive | Investigating OneDrive |
| OneDrive Folder Structure | Recreating OneDrive’s Folder Structure from .dat |
| OneDrive Logs | Reading OneDrive Logs - SwiftForensics |
| Opera Web Browser | Investigating Opera Web Browser |
| Outlook | Investigating Outlook Windows Application |
| Page File URL's | Investigating Page File URL's - Forensafe |
| Pagefile | An Intro to Pagefil Forensic |
| Paint MRU | Investigating Paint MRU |
| Persistence Mechanisms | 13Cubed - Persistence Mechanisms |
| PowerShell | Powershell - Forensafe |
| PowerShell Scripts | Reconstructing PowerShell scripts from multiple Windows event logs - Sophos |
| PowerShell Scripts from Event Logs | Join PowerShell Script from Event Logs |
| Printer Information | Investigating Printers Information |
| RecentDocs MRU | Investigating RecentDocs MRU |
| Remote Desktop MRU | Investigating Remote Desktop Connection MRU |
| Remote Desktop Protocol (RDP) | 13Cubed - RDP Cache Forensics & 13Cubed - RDP Event Log Forensics |
| Remote Desktop Protocol (RDP) | Windows Forensic Analysis: some thoughts on RDP related Event IDs |
| Remote Desktop Protocol (RDP) | Remote Desktop Connection (mstsc.exe) Screen in a Memory Dump Analysis |
| RunMRU | Investigating Run MRU - Forensafe |
| Screenshots | Tracking screenshots with LNK files - ThinkDFIR |
| Searched Strings/WordWheelQuery | Investigating Searched Strings |
| Signal | Pulling encrypted Signal messages off of desktop OS’ for forensics |
| Signal | Signal for Desktop - A Digital Forensics Perspective |
| Signal | Investigating Signal with ArtiFast Signal |
| Skype | Analysis of Skype - Windows 10 App Version 12.7 and higher |
| Skype | Skype Analysis - From the old one to the newest one - A First Overview |
| Skype | Extracting Skype Histories and Deleted Files Metadata from Microsoft Account |
| Skype | Microsoft Teams and Skype Logging Privacy Issue |
| Skype | Investigating Skype for Desktop and Windows Application |
| Skype (Metro App) | Analysis of Skype App for Windows (Metro-App) - Version 14.xx |
| SRUM - SRUDB.dat | Swimming in the SRUM |
| Sticky Notes | Investigating Sticky Notes |
| Sysmon | Sysmon 13.10 — FileDeleteDetected |
| System Information | Investigating System Information |
| System Resource Utilization Monitor (SRUM) | 13Cubed - Windows SRUM Forensics |
| Task Scheduler | Investigating Task Scheduler |
| TeamViewer | Digital Forensic Artifact of TeamViewer Application |
| TeamViewer | TeamViewer Forensics |
| TeamViewer | Magnet User Summit DFIR CTF 2019-Activity |
| TeamViewer | Analyze TeamViewer and its Log Files For Investigation |
| TeamViewer | TeamViewer Forensics |
| TeamViewer | Blog #27: IPv6 in TeamViewer(v15) part 1. [EN] & Blog #28: IPv6 in TeamViewer(v15) part 2. [EN] |
| TeamViewer | Blog #28: IPv6 in TeamViewer(v15) part 2. [EN] |
| Torch Browser | Investigating Torch Web Browser |
| Typed Paths | Investigating Typed Paths |
| Typed URLs | Investigating Typed URLs |
| UC Web Browser | Investigating UC Web Browser |
| Universal Serial Bus (USB) | Episode 106: The TWO Serial Numbers of a USB Device - Part 1 - 3 Min Max Series, Episode 107: Part 2, Episode 108: Part 3 |
| Universal Serial Bus (USB) | USB IDs |
| Universal Serial Bus (USB) | 13Cubed - Introduction to USB Detective |
| Universal Serial Bus (USB) | DeviceHunt |
| Universal Serial Bus (USB) | A Monkey Forays Into USB Flashdrives |
| Universal Serial Bus (USB) | No Drive Letter, No USB Evidence? Think Again! |
| Universal Serial Bus (USB) | Investigating USB Drives using Mount Points Not Drive Letters |
| Universal Serial Bus (USB) | 13Cubed - Introduction to Windows Forensics |
| Universal Serial Bus (USB) | Episode 109: The TWO Serial Numbers of a USB Device - Part 4 |
| Universal Serial Bus (USB) | Episode 98: USB Forensics Series - Part 1 of 7 |
| Universal Serial Bus (USB) | Episode 99: USB Forensics Series - Part 2 of 7 |
| Universal Serial Bus (USB) | Episode 101: USB Forensics Series - Part 3 of 7 |
| Universal Serial Bus (USB) | Episode 102: USB Forensics Series - Part 4 of 7 |
| Universal Serial Bus (USB) | Episode 103: USB Forensics Series - Part 5 of 7 |
| Universal Serial Bus (USB) | Episode 104: USB Forensics Series - Part 6 of 7 |
| Universal Serial Bus (USB) | Episode 105: USB Forensics Series - Part 7 of 7 |
| Universal Serial Bus (USB) | Incident Response Thumb Drive |
| USB "Serial Numbers" | The Truth About USB Device Serial Numbers – (and the lies your tools tell) - Computer Evidence Recovery |
| USB Artifacts with no logged-in user | USB connections with no logged-in user (https://www.khyrenz.com/blog/usbs-without-login/) |
| USB Devices | Investigating USB Devices - Forensafe |
| UserAssist | Investigating UserAssist |
| Velociraptor | Velociraptor - Dig Deeper |
| Vivaldi Browser | Investigating Vivaldi Web Browser |
| VMTools Persistence - VMWareToolBoxCmd.exe | Analyzing and Detecting a VMTools Persistence Technique |
| VMWare | Investigating VMware Windows Application |
| Web Browsers (Chrome, Firefox, Edge) | Web Browsers Forensics |
| WhatsApp | WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts |
| WhatsApp | Investigating WhatsApp |
| Windows - Active Directory | DFIR – Windows and Active Directory persistence and malicious configurations |
| Windows - AmCache | Analysis of the AmCache |
| Windows - Amcache | (Am)Cache rules everything around me |
| Windows - Amcache | Investigating Amcache |
| Windows - BAM | BAM internals |
| Windows - BitLocker | BitLocker Decryption Explained |
| Windows - BitLocker | How to handle Bitlocker Encrypted Volumes |
| Windows - BitLocker | The Interesting Case of Windows Hibernation and BitLocker |
| Windows - BitLocker | BitLocker for DFIR – Part III |
| Windows - BitLocker | BitLocker for DFIR – Part II |
| Windows - BitLocker | BitLocker for DFIR – Part I |
| Windows - BITS | Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service |
| Windows - CertUtil | Certutil download artefacts |
| Windows - Certutil | Certutil Artifacts Analysis |
| Windows - Compressed Memory | Forensic analysis of Windows 10 compressed memory using Volatility |
| Windows - Event IDs | Event ID 1024 |
| Windows - Event IDs | 4625 Events – Know your enemy |
| Windows - Event IDs | DNS investigation on Windows |
| Windows - Event Logs | Making the Most Out of WLAN Event Log Artifacts |
| Windows - Event Logs | Parsing carved evtx records using EvtxECmd |
| Windows - Event Logs | 13Cubed - Event Log Forensics with Log Parser |
| Windows - Event Logs | 13Cubed - Introduction to EvtxECmd |
| Windows - Event Logs | Are you sure you extract all the available Volume Serial Numbers (VSNs) that reside in the Windows 10 Event Log “Microsoft-Windows-Partition%4Diagnostic.evtx”? |
| Windows - Event Logs | Finding Forensic Goodness In Obscure Windows Event Logs |
| Windows - Event Logs | Using the Convert-EventLogRecord function alongside the Get-WinEvent PowerShell cmdlet to search Windows event logs |
| Windows - EventTranscript.db | Forensically Unpacking EventTranscript.db: An Investigative Series |
| Windows - EventTranscript.db | EventTranscript.db Research |
| Windows - EventTranscript.db | Parsing Diagnostic Data With Powershell and Enhanced Logging |
| Windows - EventTranscript.db | Parsing EventTranscript.db With KAPE and SQLECmd |
| Windows - EventTranscript.db | Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging |
| Windows - EventTranscript.db | EventTranscript.db vs .rbs Files and Their Relation to DiagTrack |
| Windows - Executables | Verifying executables on Windows |
| Windows - hiberfil.sys | How to read Windows Hibernation file (hiberfil.sys) to extract forensic data? |
| Windows - JumpLists | 13Cubed - LNK Files and Jump Lists |
| Windows - JumpLists | Episode 17: “Quick Win” files #2 - Jumplists-Part 2 |
| Windows - JumpLists | Episode 16: “Quick Win” files #2 - Jumplists-Part 1 |
| Windows - JumpLists | Episode 52: The invisible files - Jumplists |
| Windows - LastVisitedMRU | Investigating LastVisitedMRU |
| Windows - LNK Files | LNK File Analysis: LNKing It Together! |
| Windows - LNK files | 13Cubed - Introduction to Windows Forensics |
| Windows - LNK files | The Missing LNK — Correlating User Search LNK files |
| Windows - LNK files | CVE-2020-0729: REMOTE CODE EXECUTION THROUGH .LNK FILES |
| Windows - LNK files | 13Cubed - LNK Files and Jump Lists |
| Windows - LNK files | Episode 20: “Quick Win” files #3 - .LNK files-Part 2 |
| Windows - LNK files | Episode 19: “Quick Win” files #3 - .LNK files-Part 1 |
| Windows - LNK files | Episode 51: Lies My Computer Told Me-LNK Files |
| Windows - LNK files | Exploring Windows Artifacts : LNK Files |
| Windows - LSASS | LSASS.DMP... Attacker or Admin? |
| Windows - Memory | Capturing Windows Memory |
| Windows - OpenSaveMRU | Investigating OpenSaveMRU |
| Windows - Pagefile.sys | Forensic Investigation: Pagefile.sys |
| Windows - Photos | Investigating Windows Photos |
| Windows - Prefetch | 13Cubed - Introduction to Windows Forensics |
| Windows - Prefetch | Evidence of file execution |
| Windows - Prefetch | 13Cubed - Prefetch Deep Dive |
| Windows - Prefetch | Extracting Windows Prefetch Files |
| Windows - Prefetch | Episode 24: “Quick Win” files #5 - Prefetch-Part 2 |
| Windows - Prefetch | Episode 23: “Quick Win” files #5 - Prefetch-Part 1 |
| Windows - Prefetch | Forensic Investigation : Prefetch File |
| Windows - Prefetch | Investigating Prefetch |
| Windows - Printer Usage via Event Logs | How to track printer usage with event logs |
| Windows - Program Execution Artifacts | Analyzing Program Execution Windows Artifacts |
| Windows - Protected Content | Accessing Protected Content using Windows Domain Controllers and Workstations |
| Windows - Recycle Bin | Windows Forensics: analysis of Recycle bin artifacts |
| Windows - Recycle Bin | 13Cubed - Recycle Bin Forensics |
| Windows - Recycle Bin | Investigating Windows Recycle Bin |
| Windows - Registry | A Technical Guide to Examining the Windows Registry |
| Windows - Registry | Forensic Investigation: Windows Registry Analysis |
| Windows - Registry | Registry hive basics part 1 |
| Windows - Registry | Registry hive basics part 2: NK records |
| Windows - Registry | Registry hive basics part 3: VK records |
| Windows - Registry | Registry hive basics part 4: SK records |
| Windows - Registry | Registry hive basics part 5: Lists |
| Windows - Registry | Exploring the Registry at the hex level |
| Windows - Registry | RECmd: command line tool for Windows Registry analysis |
| Windows - Registry | Episode 75: What is the Windows Registry? |
| Windows - Registry | Episode 78: What is the Windows Registry transaction log? |
| Windows - Registry | Episode 76: Investigating the Windows Registry using Registry Explorer - Part 1 |
| Windows - Registry | Episode 77: Investigating the Windows Registry using Registry Explorer - Part 2 |
| Windows - Registry | Episode 15: “Quick Win” files #1 - The Registry-Part 2 |
| Windows - Registry | Episode 14: “Quick Win” files #1 - The Registry-Part 1 |
| Windows - Registry | Exploring the Hive — Deep Inside the Window Registry |
| Windows - Registry | Windows registry Transaction Logs in forensic analysis |
| Windows - Registry | Exploring the Hive- Deep inside the Windows Registry. pt 2 |
| Windows - Registry | Your AV is Trying to Tell You Something: Registry |
| Windows - Registry | Registry Hive File Structure Analysis |
| Windows - Scheduled Tasks | A Deep Dive Into Windows Scheduled Tasks and The Processes Running Them |
| Windows - Security Event Logs | Windows Security Event Logs: my own cheatsheet |
| Windows - Services | Investigating Windows Services |
| Windows - Shellbags | 13Cubed - Introduction to Windows Forensics |
| Windows - Shellbags | 13Cubed - Shellbag Forensics |
| Windows - Shellbags | Episode 22: “Quick Win” files #4 - Shellbags-Part 2 |
| Windows - Shellbags | Episode 21: “Quick Win” files #4 - Shellbags-Part 1 |
| Windows - Shellbags | Forensic Investigation: Shellbags |
| Windows - Shellbags | Investigating Shellbags |
| Windows - ShimCache | 13Cubed - Windows Application Compatibility Forensics |
| Windows - SRUM | Investigating Windows System Resource Usage Monitor (SRUM) |
| Windows - StartupInfo | Who Left the Backdoor Open? Using Startupinfo for the Win |
| Windows - Task Scheduler | Investigating Task Scheduler |
| Windows - Taskbar | Employing FeatureUsage for Windows 10 Taskbar Forensics |
| Windows - ThumbCache | Investigating ThumbCache |
| Windows - Thumbs.db | Investigating Thumbs.db |
| Windows - Time | Let's talk about time |
| Windows - Time Zones | Case 001 – The Timing of it All |
| Windows - Updates | Investigating Windows Update Log |
| Windows - User Access Logs (UAL) | Windows User Access Logs (UAL) |
| Windows - User Access Logs (UAL) | A new type of User access log |
| Windows - User Access Logs (UAL) | UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations |
| Windows - User Accounts | Blue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process, Applications, Folders, and Files |
| Windows - User Accounts | Investigating User Accounts - Forensafe |
| Windows - UserAssist | 13Cubed - Introduction to Windows Forensics |
| Windows - UserAssist | UserAssist — with a pinch of Salt — As an “Evidence of Execution” |
| Windows - Various User Data | Blue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData, and Environment Variables |
| Windows - Volume Shadow Copies | Extracting unallocated clusters from a shadow copy |
| Windows - Volume Shadow Copies | Offline shadow copies |
| Windows - Volume Shadow Copies | 13Cubed - The Volume Shadow Knows |
| Windows - Volume Shadow Copies | Episode 53: Volume Shadow Copy-Part 1 |
| Windows - Volume Shadow Copies | Episode 54: Volume Shadow Copy-Part 2 |
| Windows - Volume Shadow Copies | Episode 55: Volume Shadow Copy-Part 3 |
| Windows - Volume Shadow Copies | Shadow copies become less visible |
| Windows - Windows Install Date | When Windows Lies |
| Windows - WinSCP | Detecting Lateral Movement with WinSCP |
| Windows - Wireless Networks | Investigating Windows Wireless Networks |
| Windows - Zone Identifiers | Zone.Identifier: A Couple Of Observations |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 3: Clipboard Craziness |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 1: The High Points |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 2: Synching Across Devices |
| Windows 10 - Activity Timeline | Reconstructing User Activity for Forensics with FeatureUsage |
| Windows 10 - Activity Timeline | Investigating Windows 10 Timeline |
| Windows 10 - Activity Timeline | Analyzing Microsoft Timeline, OneDrive and Personal Vault Files |
| Windows 10 - Cortana | Investigating Windows Cortana |
| Windows 10 - Google Drive | Artifacts of Google Drive Usage on Windows 10 (Part 1) |
| Windows 10 - Install Date | Windows 10 Install Date - The Real One |
| Windows 10 - Mail App | Windows 10 Mail App Forensics |
| Windows 10 - Notifications | Investigating Windows 10 Notifications |
| Windows 10 - NTFS Timestamps | NTFS Timestamp changes on Windows 10 |
| Windows 10 - Remote RAM Capture | Capturing and Retrieving a Memory Image Remotely |
| Windows 10 - Shimcache | Let's Talk about Shimcache - The Most Misunderstood Artifact |
| Windows 10 - Sticky Notes | Windows 10 Sticky Notes Location |
| Windows 10 - USB Storage | USB storage forensics in Win10 #1 - Events |
| Windows 10 - Windows Timeline | Windows Timeline: Putting the what & when together |
| Windows 11 - ETW | ETW on Windows 11 - Initial thoughts |
| Windows 11 - New ETW Providers | Windows 11 “New” ETW Providers — Overview |
| Windows Calendar | Investigating Windows Calendar |
| Windows Event Tracing | Open .ETL Files with NetworkMiner and CapLoader |
| Windows Images with Infections for Testing | DFIRArtifactMuseum - Andrew Rathbun |
| Windows Logon Banner | Investigating Logon Banner - Forensafe |
| Windows Registry | Mysteries of the Registry - Pavel Yosifovich |
| Windows Run MRU | Investigating Windows Run MRU - Forensafe |
| Windows Search Index | Investigating Windows Search Index - Forensafe |
| Windows Subsystem for Linux | Windows Subsystem for Linux: Finding the Penguin - SketchyMoose |
| Windows Update Impact on Artifacts | Can Windows Update fool you during the investigation? - CyberDefNerd |
| WinRAR | Investigating WinRAR - Forensafe |
| Wireless Networks | Investigating Windows Wireless Networks - Forensafe |
| ZIP Files and Compressed Archives | Forensically Analyzing ZIP & Compressed Files |
| Zone.Identifier Stream | Forensic Analysis of the Zone.Identifier Stream - Digital Detective |
| Zoom | Investigating Zoom - Forensafe |