1Password | Investigating Windows 1Password - Forensafe |
360 Secure Browser | Investigating 360 Secure Browser - Forensafe |
7-Zip | Investigating 7-Zip |
Active Directory | DFIR – Windows and Active Directory persistence and malicious configurations |
Active Directory | The Active Directory Access Control List Explained |
AD1 Format | Dissecting the AD1 File Format |
Adobe Acrobat Reader | Investigating Adobe Acrobat Reader - Forensafe |
ADS Zone.Identifier | Stripped off ADS (Zone.Identifier) for files downloaded in the incognito/private mode. - CyberDefNerd |
Alternate Data Streams | Windows Alternate Data Streams (ADS) - winitor (list of articles, also available as a direct download) |
AmCache | Analysis of the AmCache |
AmCache | (Am)Cache rules everything around me |
AmCache | Investigating Amcache |
AmCache | Amcache contains SHA-1 Hash – It Depends! - NVISO Labs |
AmCache | Evidence of Program Existence - Amcache |
AnyDesk | Digital Forensic Artifact of Anydesk Application |
AnyDesk | Forensic Analysis of AnyDesk Logs |
AnyDesk | Investigating AnyDesk |
AnyDesk | AnyDesk Forensic Analysis and Artefacts - Hats Off Security |
AnyDesk | AnyDesk Forensics | AnyDesk Log Analysis - Tyler Brozek |
AnyDesk | Investigating Windows AnyDesk - Forensafe |
APOLLO on Windows | Apple Pattern of Life Lazy Output'er (APOLLO) on Windows |
App Timeline Provider - SRUM | App Timeline Provider - SRUM Database - Cassie Doemel |
AVG Antivirus | Investigating Windows AVG Antivirus - Forensafe |
Avira Antivirus | Investigating Windows Avira Antivirus - Forensafe |
Background Activity Moderator (BAM) | Investigating Windows Background Activity Moderator (BAM) - Forensafe |
BAM | BAM internals |
Battery Level | Battery charge level and its importance in forensics investigations - CyberDefNerd |
Battery Levels | Why do the battery use and the battery level matter during the investigation? - CyberDefNerd |
BitComet | Investigating Windows BitComet - Forensafe |
Bitdefender | Investigating Windows Bitdefender Antivirus - Forensafe |
BitLocker | BitLocker Decryption Explained |
BitLocker | How to handle Bitlocker Encrypted Volumes |
BitLocker | The Interesting Case of Windows Hibernation and BitLocker |
BitLocker | BitLocker for DFIR – Part III |
BitLocker | BitLocker for DFIR – Part II |
BitLocker | BitLocker for DFIR – Part I |
BITS | Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service |
BitTorrent | Investigating Windows Bittorrent - Forensafe |
Box | Investigating Box |
Box Sync | Investigating Box Sync |
BoxDrive | Investigating Windows BoxDrive - Forensafe |
Brave Web Browser | Investigating Brave Web Browser |
Browser Artifacts | Analysing Web Browsers Forensic Artifacts - Digital Investigator |
Browser Artifacts | Browser Cache and Interrupted Downloads - Investigation Strategies |
Browser Downloads in $UsnJrnl | Easy way to prove that a file was downloaded by a web browser, having only $UsnJrnl logs. - CyberDefNerd |
Capability Access Manager (Camera/Mic Usage) | Can you track processes accessing the camera and microphone? & update: I can see and hear you seeing and hearing me! |
CertUtil | Certutil download artefacts |
Certutil | Certutil Artifacts Analysis |
Chrome - Changes in v96 | Cookies Database Moving in Chrome 96 |
Chrome History - Deleted | Recovering Cleared Browser History - Chrome Forensics - InverseCos |
Chromium Browsers | Chromium Based Browsers Investigation |
Cisco Webex Meetings | Investigating Cisco Webex Meetings - Forensafe |
Clipboard Artifacts | How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History - inversecos |
Computer Name | Investigating Computer Name |
Containers | Windows Container Forensics |
Cortana | Investigating Cortana - Forensafe |
Desktop Wallpaper | Investigating Desktop Wallpaper - Forensafe |
Discord | Finding Discord app chats in Windows. |
Discord | Update on Discord forensic artifacts for iOS & Windows |
Download Manager | Quick analysis of the Internet Download Manager history using RegRipper plugins - CyberDefNerd |
Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 1) |
Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 2) |
Dropbox | Investigating the Dropbox Desktop App for Windows with Belkasoft X |
Dropbox | Investigating Dropbox |
Event IDs | Event ID 1024 |
Event IDs | 4625 Events – Know your enemy |
Event IDs | DNS investigation on Windows |
Event Log (Damaged Logs) | Event Log Explorer Forensic Edition – working with damaged logs or disks - EventLogExplorer |
Event Log Access | C:\ProgramData\Microsoft\Event Viewer\ExternalLogs – artifacts showing what Windows Event Logs were opened on the suspected device - CyberDefNerd |
Event Logs | Files in Event Log Explorer Forensic Edition. Searching for removed events - FSPro Labs Download |
Event Logs | Investigating Windows Event Logs - Forensafe |
Event Logs | Making the Most Out of WLAN Event Log Artifacts |
Event Logs | Parsing carved evtx records using EvtxECmd |
Event Logs | 13Cubed - Event Log Forensics with Log Parser |
Event Logs | 13Cubed - Introduction to EvtxECmd |
Event Logs | Are you sure you extract all the available Volume Serial Numbers (VSNs) that reside in the Windows 10 Event Log “Microsoft-Windows-Partition%4Diagnostic.evtx”? |
Event Logs | Finding Forensic Goodness In Obscure Windows Event Logs |
Event Logs | Using the Convert-EventLogRecord function alongside the Get-WinEvent PowerShell cmdlet to search Windows event logs |
Event Logs | DFIR Next Steps: What to do after you find a suspicious Windows Network Logon Session |
Event Logs | Microsoft Office Alerts ("OAlerts") |
Event Logs - Hidden Insights | Windows Event Analysis: Unlocking the Hidden Insights in Event Logs - Paritosh |
Event Logs (Cheat Sheet) | Hunting Windows Event Logs - Avesta Fahimipour |
Event Tracing (ETW) | A Beginner's All-Inclusive Guide to ETW - Blakes R & D |
Event Tracing (ETW) | ETW Internals for Security Research and Forensics |
Event Tracing (ETW) | ETL File analysis in live |
EventTranscript.db | Forensically Unpacking EventTranscript.db: An Investigative Series |
EventTranscript.db | EventTranscript.db Research |
EventTranscript.db | Parsing Diagnostic Data With Powershell and Enhanced Logging |
EventTranscript.db | Parsing EventTranscript.db With KAPE and SQLECmd |
EventTranscript.db | Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging |
EventTranscript.db | EventTranscript.db vs .rbs Files and Their Relation to DiagTrack |
Evernote | Investigating Evernote |
Executables | Verifying executables on Windows |
Exif Data | How To Use ExifTool To Look At Metadata - CyberSocialHub |
Exif Data that was "removed" | Windows Explorer: Improper Exif Data Removal - Didier Stevens |
ExpressVPN | Investigating ExpressVPN - Forensafe |
Facebook Messenger | Investigating Facebook Messenger Windows Application |
FeatureUsage | Employing FeatureUsage for Windows 10 Taskbar Forensics - Crowdstrike |
File Carving | File carving: Recovering a deleted file from a Windows disk image |
File Carving | File Carving In Windows - Joseph Moronwi |
File Explorer - Temporary Zip Folders | Investigating Explorer's temporary ZIP folders and retrieving files - MattCASmith |
File Extension Associations | Investigating File Extension Associations - Forensafe |
File Signature And Hash Analysis | File Signature And Hash Analysis - Joseph Moronwi |
FileZilla | Investigating FileZilla - Forensafe |
Firefox | Investigating Firefox |
Foxit PDF Reader | Investigating Foxit Reader - Forensafe |
F-Secure | Investigating Windows F-Secure - Forensafe |
GIMP | Quick tip: GIMP Recent Files Artifact |
GKE Containers | Investigating a GKE Container - Open Source DFIR |
GoToMeeting | GoToForensics - DFIR TNT |
HeapLeakDetection Registry Key | The Mystery of the HeapLeakDetection Registry Key - RAT in Mi Kitchen |
hiberfil.sys | How to read Windows Hibernation file (hiberfil.sys) to extract forensic data? |
hiberfil.sys | Volatility3: Modern Windows Hibernation file analysis |
HTTP Request Headers | Understanding HTTP Request Headers - Josh Rickard |
imo (Messenger) | Investigating Windows imo - Forensafe |
Import Address Table (IAT) | Volatility3 : Import Address Table |
INetCache | INetCache: Exploiting From Within - ParaFlare |
InstallDate affected by Win11 Upgrade | Windows InstallDate could be changed via Windows Update |
Installed Programs List | Investigating Installed Programs |
Internet Explorer | Investigating Internet Explorer Web Browser |
Intrusion Analysis | Windows Artifacts For Intrusion Analysis: A Treasure Trove of Evidence |
iTunes | Windows iTunes Desktop Application - Forensafe |
Jump Lists | Investigating Jump Lists |
Jump Lists | CPY JMP - Phill Moore |
Jump Lists | 13Cubed - LNK Files and Jump Lists |
Jump Lists | Episode 17: “Quick Win” files #2 - Jumplists-Part 2 |
Jump Lists | Episode 16: “Quick Win” files #2 - Jumplists-Part 1 |
Jump Lists | Episode 52: The invisible files - Jumplists |
Kaspersky Antivirus | Investigating Windows Kaspersky Antivirus - Forensafe |
Last Accessed Key | Investigating Last Accessed Key |
Last Shutdown | Investigating Last Shutdown - Forensafe |
LastVisitedMRU | Investigating LastVisitedMRU |
Level.io | RMM - Level.io: Forensic Artifacts and Evidence |
LNK Files | LNK File Analysis: LNKing It Together! |
LNK Files | 13Cubed - Introduction to Windows Forensics |
LNK Files | The Missing LNK — Correlating User Search LNK files |
LNK Files | CVE-2020-0729: Remote Code Execution Through .LNK Files |
LNK Files | 13Cubed - LNK Files and Jump Lists |
LNK Files | Episode 20: “Quick Win” files #3 - .LNK files-Part 2 |
LNK Files | Episode 19: “Quick Win” files #3 - .LNK files-Part 1 |
LNK Files | Episode 51: Lies My Computer Told Me-LNK Files |
LNK Files | Exploring Windows Artifacts : LNK Files |
LNK Files | Investigating Link File |
LNK Files | Exploring Windows Artifacts : LNK Files - u0041 |
LNK Files | Analyzing a Multi-Stage LNK Dropper |
Logfile | Windows Logfile - Forensafe |
LogMeIN | Investigating LogMeIN - Forensafe |
Logon | Better know a data source: Logon sessions - Jonathan Johnson |
LSASS | LSASS.DMP... Attacker or Admin? |
MAC Randomization | MAC Randomization in Windows - Forensic 4:cast |
Machine SID | Investigating MachineSID - Forensafe |
Malwarebytes | Investigating Windows MalwareBytes - Forensafe |
Mapped Network Drives | Investigating Windows Mapped Network Drives - Forensafe |
Maps | Investigating Windows 10 Maps |
MEGA | Even more MEGA - kibaffo33 |
MegaNZ/MegaCMD | Forensic Investigation of the MEGAcmd Client - Awake Security |
Mega's megapreferences | Decrypting Mega’s megapreferences SQLite Database - AskClees Part 2 |
MEGAsync | An Encounter With Ransomware-as-a-Service: MEGAsync Analysis |
Memories | Leaky Notifications from Windows 11 - Ian D |
Memory Forensics | Forensic analysis of Windows 10 compressed memory using Volatility |
Memory Forensics | Capturing Windows Memory |
Memory Forensics | Volatility3: Alternate Data Stream Scan |
Memory Forensics | VMware Memory Analysis with MemProcFS - Epic Capuano |
Memory Forensics | Memory Forensics – Practical Example, Detect Classic Remote Process Injection |
Memory Forensics | THM: Memory Forensics (Volatility) |
Memory Forensics | Windows Memory Forensics |
Microsoft Edge | Investigating Microsoft Edge Web Browser and Application |
Microsoft Edge | Microsoft Edge Forensics: Screenshot History |
Microsoft Edge | How can I be of WebAssist(ance)? |
Microsoft Edge (Chromium) | Investigating Edge Chromium Web Browser |
Microsoft Management Console MRU | Investigating Microsoft Management Console (MMC) MRU - Forensafe |
Microsoft Remote Access VPN | Forensic Aspects of Microsoft Remote Access VPN |
Mozilla Thunderbird | Investigating Thunderbird Windows Application |
MPLog | Mind the MPLog: Leveraging Microsoft Protection Logging for Forensic Investigations - CrowdStrike |
MRU | What is MRU (Most Recently Used)? - Magnet Forensics |
MUICache | Forensic Analysis of MUICache Files in Windows - Magnet Forensics |
MUICache | Let's Talk About MUICache - 13Cubed |
MUICache (Multilingual User Interface) | Investigating MUICache |
NetSupport Manager | NetSupport Intrusion Results in Domain Compromise |
Network Interfaces | Investigating Windows Network Interfaces - Forensafe |
Network Persistent State (Chromium) | Recovering WiFi SSIDs from Chromium's Network Persistent State File - Alex Bilz |
Network Traffic | Analyzing Network Packets With Wireshark – AD And User Enumeration - m365guy |
Notepad++ | Investigating Windows Notepad++ Desktop Application - Forensafe |
Office MRU | What is a Microsoft Office Most Recently Used Artifact “MRU” - Cyber Triage |
OpenSaveMRU | What is a Windows OpenSave MRU Artifact? - CyberTriage |
OpenSaveMRU | Investigating OpenSaveMRU |
OpenVPN | Investigating Windows OpenVPN - Forensafe |
Opera Web Browser | Investigating Opera Web Browser |
Page File URLs | Investigating Page File URLs - Forensafe |
Pagefile | An Intro to Pagefile Forensics |
Pagefile.sys | Forensic Investigation: Pagefile.sys |
Paint MRU | Investigating Paint MRU |
pCloud | Investigating pCloud - Forensafe |
Persistence Mechanisms | 13Cubed - Persistence Mechanisms |
Photo GPS Artifacts | One Country, Two Systems - HackerFactor |
Photos | Investigating Windows Photos |
PowerShell | Powershell - Forensafe |
PowerShell Logs | How long was the malicious PowerShell script active on the compromised machine? - CyberDefNerd |
PowerShell Scripts | Reconstructing PowerShell scripts from multiple Windows event logs - Sophos |
PowerShell Scripts From Event Logs | Join PowerShell Script from Event Logs |
Prefetch | Uncovering Hidden Clues: How Windows Artifact Prefetch Can Help in Digital Forensics Investigations in Windows 11 Machine - 4n6Shetty |
Prefetch | 13Cubed - Introduction to Windows Forensics |
Prefetch | Evidence of file execution |
Prefetch | 13Cubed - Prefetch Deep Dive |
Prefetch | Extracting Windows Prefetch Files |
Prefetch | Episode 24: “Quick Win” files #5 - Prefetch-Part 2 |
Prefetch | Episode 23: “Quick Win” files #5 - Prefetch-Part 1 |
Prefetch | Forensic Investigation : Prefetch File |
Prefetch | Investigating Prefetch |
Prefetch | Artifacts of Execution: Prefetch - Part One |
Prefetch | Operation-based prefetching |
Printer Information | Investigating Printers Information |
Printer Usage via Event Logs | How to track printer usage with event logs |
Profiles | Investigating Profiles List - Forensafe |
Program Compatibility Assistant (PCA) | New Windows 11 Pro (22H2) Evidence of Execution Artifact! - Andrew Rathbun & Lucas Gonzalez |
Program Compatibility Assistant (PCA) | Diving Into The New Windows 11 PCA Artifact |
Program Execution Artifacts | Analyzing Program Execution Windows Artifacts |
Protected Content | Accessing Protected Content using Windows Domain Controllers and Workstations |
ProtonVPN | Investigating Proton VPN - Forensafe |
PsExec | The Key to Identify PsExec - Fabian Mendoza |
qBittorrent | Investigating qBittorrent - Forensafe |
Quick Access | Investigating Quick Access - Forensafe |
RDP | Investigating Windows Remote Desktop Connection Event Log - Forensafe |
Recent Items | Investigating Recent Items - Forensafe |
RecentDocs MRU | Investigating RecentDocs MRU |
Recents Folder | What is a Windows Recents Folder Artifact? - Cyber Triage |
Recycle Bin | Digital dumpster diving: Exploring the intricacies of recycle bin forensics - Kushalveer Singh Bachchas |
Recycle Bin | Windows Forensics: analysis of Recycle bin artifacts |
Recycle Bin | 13Cubed - Recycle Bin Forensics |
Recycle Bin | Investigating Windows Recycle Bin |
Registry | Threat Hunting for Windows Registry - Alican Kiraz |
Registry | The Defender’s Guide to the Windows Registry - Luke Paine |
Registry | A Technical Guide to Examining the Windows Registry |
Registry | Forensic Investigation: Windows Registry Analysis |
Registry | Registry hive basics part 1 |
Registry | Registry hive basics part 2: NK records |
Registry | Registry hive basics part 3: VK records |
Registry | Registry hive basics part 4: SK records |
Registry | Registry hive basics part 5: Lists |
Registry | Exploring the Registry at the hex level |
Registry | RECmd: command line tool for Windows Registry analysis |
Registry | Episode 75: What is the Windows Registry? |
Registry | Episode 78: What is the Windows Registry transaction log? |
Registry | Episode 76: Investigating the Windows Registry using Registry Explorer - Part 1 |
Registry | Episode 77: Investigating the Windows Registry using Registry Explorer - Part 2 |
Registry | Episode 15: “Quick Win” files #1 - The Registry-Part 2 |
Registry | Episode 14: “Quick Win” files #1 - The Registry-Part 1 |
Registry | Exploring the Hive: Deep Inside the Windows Registry, Part 1 |
Registry | Windows registry Transaction Logs in forensic analysis |
Registry | Exploring the Hive: Deep Inside the Windows Registry, Part 2 |
Registry | Your AV is Trying to Tell You Something: Registry |
Registry | Registry Hive File Structure Analysis |
Registry | The Registry Hives You May be MSIX-ING: Registry Redirection with MS MSIX |
Registry Hive Bins | Maximum Exploitation of Windows Registry Hive Bins - Arsenal Recon |
Remote Access Software | Remote Access Software - Forensics - Vikas Singh |
Remote Desktop Application | Remote Desktop Application vs MSTSC Forensics: The RDP Artifacts You Might Be Missing |
Remote Desktop MRU | Investigating Remote Desktop Connection MRU |
Remote Desktop Protocol (RDP) | 13Cubed - RDP Cache Forensics & 13Cubed - RDP Event Log Forensics |
Remote Desktop Protocol (RDP) | Windows Forensic Analysis: some thoughts on RDP related Event IDs |
Remote Desktop Protocol (RDP) | Remote Desktop Connection (mstsc.exe) Screen in a Memory Dump Analysis |
RunMRU | Investigating Run MRU - Forensafe |
Scheduled Tasks | A Deep Dive Into Windows Scheduled Tasks and The Processes Running Them |
Scheduled Tasks | Windows Scheduled Tasks for DFIR Investigations |
ScreenConnect | From ScreenConnect to Hive Ransomware in 61 hours |
Screenshots | Tracking screenshots with LNK files - ThinkDFIR |
SDeleted Files | Forensic Detection of Files Deleted via SDelete - InverseCos |
Searched Strings/WordWheelQuery | Investigating Searched Strings |
Security Event Logs | Windows Security Event Logs: my own cheatsheet |
Security:4624 (Win11) | DFIR FYI: Security:4624 has been updated in Windows 11 Pro (22H2) - Andrew Rathbun |
Services | Investigating Windows Services |
Shellbags | 13Cubed - Introduction to Windows Forensics |
Shellbags | 13Cubed - Shellbag Forensics |
Shellbags | Episode 22: “Quick Win” files #4 - Shellbags-Part 2 |
Shellbags | Episode 21: “Quick Win” files #4 - Shellbags-Part 1 |
Shellbags | Forensic Investigation: Shellbags |
Shellbags | Investigating Shellbags |
ShimCache | Investigating ShimCache with ArtiFast ShimCache Artifact Parser - Forensafe |
ShimCache | 13Cubed - Windows Application Compatibility Forensics |
ShimCache | Let's Talk about Shimcache - The Most Misunderstood Artifact |
ShimCache | Evidence of Program Existence - Shimcache |
Signal | Pulling encrypted Signal messages off of desktop OS’ for forensics |
Signal | Signal for Desktop - A Digital Forensics Perspective |
Signal | Investigating Signal with ArtiFast Signal |
Skype | Analysis of Skype - Windows 10 App Version 12.7 and higher |
Skype | Skype Analysis - From the old one to the newest one - A First Overview |
Skype | Extracting Skype Histories and Deleted Files Metadata from Microsoft Account |
Skype | Microsoft Teams and Skype Logging Privacy Issue |
Skype | Investigating Skype for Desktop and Windows Application |
Skype (Metro App) | Analysis of Skype App for Windows (Metro-App) - Version 14.xx |
Slack | Investigating Slack for Windows - Forensafe |
SQLite Databases | SQLite Forensics with Belkasoft X |
SRUM | SRUM: Forensic Analysis of Windows System Resource Utilization Monitor - Magnet Forensics |
SRUM | Investigating Windows System Resource Usage Monitor (SRUM) |
SRUM | Swimming in the SRUM |
SRUM | Leveraging SRUM for Incident Response |
StartupInfo | Who Left the Backdoor Open? Using Startupinfo for the Win |
Steam | Video Games Forensics : Steam - ForensicxLab |
Sticky Notes | Investigating Sticky Notes |
Swapfile URLs | Investigating Swap File URLs - Forensafe |
Sysmon | Sysmon 13.10 — FileDeleteDetected |
System Information | Investigating System Information |
System Resource Utilization Monitor (SRUM) | 13Cubed - Windows SRUM Forensics |
Task Scheduler | Investigating Task Scheduler |
Taskbar | Employing FeatureUsage for Windows 10 Taskbar Forensics |
Tasks | Windows Registry Analysis – Today’s Episode: Tasks - Cyber.wtf |
TeamViewer | Digital Forensic Artifact of TeamViewer Application |
TeamViewer | TeamViewer Forensics |
TeamViewer | Magnet User Summit DFIR CTF 2019-Activity |
TeamViewer | Analyze TeamViewer and its Log Files For Investigation |
TeamViewer | TeamViewer Forensics |
TeamViewer | Blog #27: IPv6 in TeamViewer(v15) part 1. [EN] & Blog #28: IPv6 in TeamViewer(v15) part 2. [EN] |
TeraCopy | Introducing TeraLogger |
The Ruler Project | Really Useful Logging and Event Repository (RULER) Project |
ThumbCache | Investigating ThumbCache |
Thumbs.db | Investigating Thumbs.db |
Time | Let's talk about time |
Time Rules - Windows 11 | Windows 11 Time Rules - Khyrenz Ltd |
Time Zones | Case 001 – The Timing of it All |
Timeline Analysis | Timeline Creation for Forensics Analysis |
Timezone Information | Investigating Timezone Information - Forensafe |
Torch Browser | Investigating Torch Web Browser |
Triage Analysis | Chaos to Clarity: Why Triage is Not Optional |
Typed Paths | Investigating Typed Paths |
Typed URLs | Investigating Typed URLs |
UC Web Browser | Investigating UC Web Browser |
Unigram | Investigating Windows Unigram - Forensafe |
Universal Serial Bus (USB) | Episode 106: The TWO Serial Numbers of a USB Device - Part 1 - 3 Min Max Series, Episode 107: Part 2, Episode 108: Part 3 |
Universal Serial Bus (USB) | USB IDs |
Universal Serial Bus (USB) | 13Cubed - Introduction to USB Detective |
Universal Serial Bus (USB) | DeviceHunt |
Universal Serial Bus (USB) | A Monkey Forays Into USB Flashdrives |
Universal Serial Bus (USB) | No Drive Letter, No USB Evidence? Think Again! |
Universal Serial Bus (USB) | Investigating USB Drives using Mount Points Not Drive Letters |
Universal Serial Bus (USB) | 13Cubed - Introduction to Windows Forensics |
Universal Serial Bus (USB) | Episode 109: The TWO Serial Numbers of a USB Device - Part 4 |
Universal Serial Bus (USB) | Episode 98: USB Forensics Series - Part 1 of 7 |
Universal Serial Bus (USB) | Episode 99: USB Forensics Series - Part 2 of 7 |
Universal Serial Bus (USB) | Episode 101: USB Forensics Series - Part 3 of 7 |
Universal Serial Bus (USB) | Episode 102: USB Forensics Series - Part 4 of 7 |
Universal Serial Bus (USB) | Episode 103: USB Forensics Series - Part 5 of 7 |
Universal Serial Bus (USB) | Episode 104: USB Forensics Series - Part 6 of 7 |
Universal Serial Bus (USB) | Episode 105: USB Forensics Series - Part 7 of 7 |
Universal Serial Bus (USB) | Incident Response Thumb Drive |
Updates | Investigating Windows Update Log |
USB "Serial Numbers" | The Truth About USB Device Serial Numbers – (and the lies your tools tell) - Computer Evidence Recovery |
USB Artifacts with no logged-in user | USB connections with no logged-in user - Khyrenz Ltd (https://www.khyrenz.com/blog/usbs-without-login/) |
USB Connection Times | USB or not USB... Connection Times - Kathryn Hedley |
USB Devices | Investigating USB Devices - Forensafe |
USB Devices | Automated USB artefact parsing from the Registry |
User Access Logs (UAL) | Windows User Access Logs (UAL) |
User Access Logs (UAL) | A new type of User access log |
User Access Logs (UAL) | UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations |
User Accounts | Blue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process, Applications, Folders, and Files |
User Accounts | Investigating User Accounts - Forensafe |
UserAssist | Investigating UserAssist |
UserAssist | 13Cubed - Introduction to Windows Forensics |
UserAssist | UserAssist — with a pinch of Salt — As an “Evidence of Execution” |
UserAssist | Decoding Windows Registry Artifacts with Belkasoft X: UserAssist |
Various User Data | Blue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData, and Environment Variables |
Velociraptor | Velociraptor - Dig Deeper |
Viber.db | On Viber.db and Thumbnail Paths - Random Dent |
VirtualBox | Investigating VirtualBox - Forensafe |
Vivaldi Browser | Investigating Vivaldi Web Browser |
VMTools Persistence - VMWareToolBoxCmd.exe | Analyzing and Detecting a VMTools Persistence Technique |
VMWare | Investigating VMware Windows Application |
Volume Shadow Copies | Extracting unallocated clusters from a shadow copy |
Volume Shadow Copies | Offline shadow copies |
Volume Shadow Copies | 13Cubed - The Volume Shadow Knows |
Volume Shadow Copies | Episode 53: Volume Shadow Copy-Part 1 |
Volume Shadow Copies | Episode 54: Volume Shadow Copy-Part 2 |
Volume Shadow Copies | Episode 55: Volume Shadow Copy-Part 3 |
Volume Shadow Copies | Shadow copies become less visible |
VSS | VSS Carving - Pt. 1, Setup & Pt. 2 - Nullsec |
Web Browsers (Chrome, Firefox, Edge) | Web Browsers Forensics |
Webshells | Hunting Webshells |
WhatsApp | WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts |
WhatsApp | Investigating WhatsApp |
Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 3: Clipboard Craziness |
Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 1: The High Points |
Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 2: Synching Across Devices |
Windows 10 - Activity Timeline | Reconstructing User Activity for Forensics with FeatureUsage |
Windows 10 - Activity Timeline | Investigating Windows 10 Timeline |
Windows 10 - Activity Timeline | Analyzing Microsoft Timeline, OneDrive and Personal Vault Files |
Windows 10 - Cortana | Inve |
Windows 10 - Google Drive | Artifacts of Google Drive Usage on Windows 10 (Part 1) |
Windows 10 - Install Date | Windows 10 Install Date - The Real One |
Windows 10 - Mail App | Windows 10 Mail App Forensics |
Windows 10 - Notifications | Investigating Windows 10 Notifications |
Windows 10 - NTFS Timestamps | NTFS Timestamp changes on Windows 10 |
Windows 10 - Remote RAM Capture | Capturing and Retrieving a Memory Image Remotely |
Windows 10 - Sticky Notes | Windows 10 Sticky Notes Location |
Windows 10 - USB Storage | USB storage forensics in Win10 #1 - Events |
Windows 10 - Windows Timeline | Windows Timeline: Putting the what & when together |
Windows 11 - ETW | ETW on Windows 11 - Initial thoughts |
Windows 11 - New ETW Providers | Windows 11 “New” ETW Providers — Overview |
Windows 11 Changes | Windows 10 vs. Windows 11, What Has Changed? - Andrew Rathbun |
Windows 11 GUID Partition Scheme (GPT) | Boggle-bytes in a Basic Data Partition Entry - Ian D |
Windows Artifacts General Reference | Windows Forensic Artifacts Guide |
Windows Artifacts General Reference | Introduction to Windows Artifacts : Your Gateway to Effective Incident Response |
Windows Calendar | Investigating Windows Calendar |
Windows Defender | Investigating Windows Defender - Forensafe |
Windows Defender | Reverse, Reveal, Recover: Windows Defender Quarantine Forensics |
Windows Event Tracing | Open .ETL Files with NetworkMiner and CapLoader |
Windows Images with Infections for Testing | DFIRArtifactMuseum - Andrew Rathbun |
Windows Install Date | When Windows Lies |
Windows Logon Banner | Investigating Logon Banner - Forensafe |
Windows Mail | Investigating Windows Mail - Forensafe |
Windows Management Instrumentation (WMI) | Investigating Windows Management Instrumentation (WMI) - Forensafe |
Windows Management Instrumentation (WMI) | WMI Internals Part 1 - jsecurity101 |
Windows Management Instrumentation (WMI) | Windows Management Instrumentation (WMI) Offense, Defense, and Forensics - FireEye |
Windows Registry | Mysteries of the Registry - Pavel Yosifovich |
Windows Run MRU | Investigating Windows Run MRU - Forensafe |
Windows Search Index | Investigating Windows Search Index - Forensafe |
Windows Search Index | Windows Search Index - AON Cyber Labs |
Windows Startup Programs | Investigating Windows Startup Programs - Forensafe |
Windows Subsystem for Linux | Windows Subsystem for Linux: Finding the Penguin - SketchyMoose |
Windows Terminal | Investigating Windows Terminal - Forensafe |
Windows Update Impact on Artifacts | Can Windows Update fool you during the investigation? - CyberDefNerd |
WinRAR | Investigating WinRAR - Forensafe |
WinSCP | Detecting Lateral Movement with WinSCP |
WinZip | Investigating WinZip - Forensafe |
Wireless Networks | Investigating Windows Wireless Networks |
Wireless Networks | Investigating Windows Wireless Networks - Forensafe |
WMI Events | Finding Evil WMI Event Consumers with Disk Forensics - Chad Tilbury - SANS |
WordPad Recent Files | Investigating WordPad Recent Files - Forensafe |
WSH | The Forensic Value of the (Other) WSH Registry Key - RAT In Mi Kitchen |
YARA Rules | Investigating Artifacts Using YARA Rules with ArtiFast - Forensafe |
ZIP Files and Compressed Archives | Forensically Analyzing ZIP & Compressed Files |
Zone Identifiers | Zone.Identifier: A Couple Of Observations |
Zone.Identifier Stream | Forensic Analysis of the Zone.Identifier Stream - Digital Detective |
Zoom | Investigating Zoom - Forensafe |