AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Windows

For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table

See below for a list of Windows Tools.

| Tool | Description |
| --- | --- |
| AmcacheParser | |
| AppCompatCacheParser | |
| Arsenal Image Mounter | |
| Belkasoft RAM Capturer | |
| Belkasoft T | Windows Triage Tool - Blog Post Explainer |
| Cyber Triage Lite | Free Windows tool - Tool explanation (Part 1) (Part 2) (Part 3) |
| DB Browser for SQLite | |
| DetectionHistory Parser | Windows Defender DetectionHistory parser |
| Dissect | Dissect is a collection of Python libraries and tools to facilitate enterprise-scale incident response and forensics. See the intro video from 13Cubed. |
| DumpIt | DumpIt is a fast memory acquisition tool for Windows (x86, x64, ARM64). It generates full memory crash dumps of Windows machines. |
| Encrypted Disk Detector | |
| Event Log Explorer | |
| EventTranscriptParser | Parser for the EventTranscript.db (Windows Diagnostic Database) |
| EvtxECmd | |
| EzETW | Cmdlets for capturing Windows Events - Tool explanation |
| Forensic Toolkit for SQLite + ESE addon | Comprised of 2 back-end Extensible Storage Engine (ESE) databases and other configuration files. |
| Foxton Browser History Viewer | |
| FTK Imager | Forensically sound logical file/folder acquisition |
| Hashcat | |
| Hashtopolis | Hashtopolis is a multi-platform client-server tool for distributing Hashcat tasks to multiple computers. |
| Hayabusa | Windows event log fast forensics timeline generator and threat hunting tool - Blog Post Explainer |
| Hibernation Recon | |
| Hintfo | Intro to Hintfo - Exif Viewer |
| Invoke-LiveResponse | The current scope of Invoke-LiveResponse is a live response tool for targeted collection. There are two main modes of use in Invoke-LiveResponse and both are configured by a variety of command line switches. |
| Invoke-LiveResponse | Invoke-LiveResponse Wiki |
| JLECmd | [DFIR TOOLS] JLECmd, what is it & how to use! |
| JLECmd | Jump lists in depth: Understand the format to better understand what your tools are (or aren't) doing |
| JumpList Explorer | |
| KAPE | Kroll Artifact Parser and Extractor (KAPE) |
| KAPE | Remote collection of Windows Forensic Artifacts using KAPE and Microsoft Defender for Endpoint |
| KAPE | Collaboration between KAPE and Microsoft Defender for Endpoint at the service of the SOC |
| L0phtCrack | |
| LECmd | |
| Log Parser | |
| LSASecretsView | The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain a user's Autologon password, RAS and/or VPN passwords, and other system passwords/keys. |
| Magnet Axiom | Uses Volatility |
| Magnet RAM Capture | |
| Memory Baseliner | Memory baselining tool, with Volatility 3 and standalone |
| Mount Image Pro | |
| Needle | Find Windows registry files in a blob of data |
| NirSoft - Forensic Tools | |
| PECmd | |
| PowerShell | |
| RBCmd | INFO2 and $I files |
| RDP Replay | |
| RecentFileCacheParser | |
| RECmd | |
| Reconnoitre | |
| Registry Explorer/RECmd | NTUser.dat, System.dat, Security.dat, Software.dat, SAM.dat |
| Registry Explorer/RECmd | The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain a user's Autologon password, RAS and/or VPN passwords, and other system passwords/keys. |
| Rekall | |
| SDB Explorer | |
| SQLECmd | |
| SQLite Browser | |
| SrumECmd | |
| SumECmd | |
| SuperMem | Windows Memory Parsing Tool |
| TeraLogger | Python script to parse TeraCopy Logs |
| Timesketch | Timesketch is an open-source tool for collaborative forensic timeline analysis. |
| ThumbCacheViewer | `thumbcache_*.db` and `iconcache_*.db` database files |
| Thumbs Viewer | Thumbs.db, ehthumbs.db, ehthumbs_vista.db, Image.db, Video.db, TVThumb.db, and musicThumbs.db database files |
| USB Detective | |
| Velociraptor | Velociraptor for Dead Disk & Dead Disk Forensics - Velociraptor & Paths and Filesystem Accessors - Velociraptor |
| Volatility | |
| WinPMEM | |
| WMI Explorer | GUI for exploring WMI on a live system |
| WMI Forensics | 2 Python scripts for parsing out WMI artifacts |
| WoanWare USB Device Forensics | |
| WxTCmd | Windows 10 timeline database parser |
| yEd graph editor | Create diagrams by importing external data - layout algorithms arrange even large datasets - (Shown in this example article on firewall analysis.) |

See below for a list of Windows Artifacts.

| Artifact or Process | Resource |
| --- | --- |
| 1Password | Investigating Windows 1Password - Forensafe |
| 360 Secure Browser | Investigating 360 Secure Browser - Forensafe |
| 7-Zip | Investigating 7-Zip |
| Active Directory | DFIR – Windows and Active Directory persistence and malicious configurations |
| Active Directory | The Active Directory Access Control List Explained |
| AD1 Format | Dissecting the AD1 File Format |
| Adobe Acrobat Reader | Investigating Adobe Acrobat Reader - Forensafe |
| ADS Zone.Identifier | Stripped off ADS (Zone.Identifier) for files downloaded in the incognito/private mode. - CyberDefNerd |
| Alternate Data Streams | List of articles or [Direct Download] Windows Alternate Data Streams (ADS) - winitor |
| AmCache | Analysis of the AmCache |
| AmCache | (Am)Cache rules everything around me |
| AmCache | Investigating Amcache |
| AmCache | Amcache contains SHA-1 Hash – It Depends! - NVISO Labs |
| AmCache | Evidence of Program Existence - Amcache |
| AnyDesk | Digital Forensic Artifact of Anydesk Application |
| AnyDesk | Forensic Analysis of AnyDesk Logs |
| AnyDesk | Investigating AnyDesk |
| AnyDesk | AnyDesk Forensic Analysis and Artefacts - Hats Off Security |
| AnyDesk | AnyDesk Forensics \| AnyDesk Log Analysis - Tyler Brozek |
| AnyDesk | Investigating Windows AnyDesk - Forensafe |
| APOLLO on Windows | Apple Pattern of Life Lazy Output'er (APOLLO) on Windows |
| App Timeline Provider - SRUM | App Timeline Provider - SRUM Database - Cassie Doemel |
| AVG Antivirus | Investigating Windows AVG Antivirus - Forensafe |
| Avira Antivirus | Investigating Windows Avira Antivirus - Forensafe |
| Background Activity Moderator (BAM) | Investigating Windows Background Activity Moderator (BAM) - Forensafe |
| BAM | BAM internals |
| Battery Level | Battery charge level and its importance in forensics investigations - CyberDefNerd |
| Battery Levels | Why do the battery use and the battery level matter during the investigation? - CyberDefNerd |
| BitComet | Investigating Windows BitComet - Forensafe |
| Bitdefender | Investigating Windows Bitdefender Antivirus - Forensafe |
| BitLocker | BitLocker Decryption Explained |
| BitLocker | How to handle BitLocker Encrypted Volumes |
| BitLocker | The Interesting Case of Windows Hibernation and BitLocker |
| BitLocker | BitLocker for DFIR – Part III |
| BitLocker | BitLocker for DFIR – Part II |
| BitLocker | BitLocker for DFIR – Part I |
| BITS | Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service |
| BitTorrent | Investigating Windows BitTorrent - Forensafe |
| Box | Investigating Box |
| Box Sync | Investigating Box Sync |
| BoxDrive | Investigating Windows BoxDrive - Forensafe |
| Brave Web Browser | Investigating Brave Web Browser |
| Browser Artifacts | Analysing Web Browsers Forensic Artifacts - Digital Investigator |
| Browser Artifacts | Browser Cache and Interrupted Downloads - Investigation Strategies |
| Browser Downloads in $UsnJrnl | Easy way to prove that a file was downloaded by a web browser, having only $UsnJrnl logs. - CyberDefNerd |
| Capability Access Manager (Camera/Mic Usage) | Can you track processes accessing the camera and microphone? and an update: I can see and hear you seeing and hearing me! |
| CertUtil | Certutil download artefacts |
| Certutil | Certutil Artifacts Analysis |
| Chrome - Changes in v96 | Cookies Database Moving in Chrome 96 |
| Chrome History - Deleted | Recovering Cleared Browser History - Chrome Forensics - InverseCos |
| Chromium Browsers | Chromium Based Browsers Investigation |
| Cisco Webex Meetings | Investigating Cisco Webex Meetings - Forensafe |
| Clipboard Artifacts | How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History - inversecos |
| Computer Name | Investigating Computer Name |
| Containers | Windows Container Forensics |
| Cortana | Investigating Cortana - Forensafe |
| Desktop Wallpaper | Investigating Desktop Wallpaper - Forensafe |
| Discord | Finding Discord app chats in Windows. |
| Discord | Update on Discord forensic artifacts for iOS & Windows |
| Download Manager | Quick analysis of the Internet Download Manager history using RegRipper plugins - CyberDefNerd |
| Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 1) |
| Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 2) |
| Dropbox | Investigating the Dropbox Desktop App for Windows with Belkasoft X |
| Dropbox | Investigating Dropbox |
| Event IDs | Event ID 1024 |
| Event IDs | 4625 Events – Know your enemy |
| Event IDs | DNS investigation on Windows |
| Event Log (Damaged Logs) | Event Log Explorer Forensic Edition – working with damaged logs or disks - EventLogExplorer |
| Event Log Access | C:\ProgramData\Microsoft\Event Viewer\ExternalLogs – artifacts showing what Windows Event Logs were opened on the suspected device - CyberDefNerd |
| Event Logs | Files in Event Log Explorer Forensic Edition. Searching for removed events - FSPro Labs Download |
| Event Logs | Investigating Windows Event Logs - Forensafe |
| Event Logs | Making the Most Out of WLAN Event Log Artifacts |
| Event Logs | Parsing carved evtx records using EvtxECmd |
| Event Logs | 13Cubed - Event Log Forensics with Log Parser |
| Event Logs | 13Cubed - Introduction to EvtxECmd |
| Event Logs | Are you sure you extract all the available Volume Serial Numbers (VSNs) that reside in the Windows 10 Event Log “Microsoft-Windows-Partition%4Diagnostic.evtx”? |
| Event Logs | Finding Forensic Goodness In Obscure Windows Event Logs |
| Event Logs | Using the Convert-EventLogRecord function alongside the Get-WinEvent PowerShell cmdlet to search Windows event logs |
| Event Logs - Hidden Insights | Windows Event Analysis: Unlocking the Hidden Insights in Event Logs - Paritosh |
| Event Logs (Cheat Sheet) | Hunting Windows Event Logs - Avesta Fahimipour |
| Event Tracing (ETW) | A Beginner's All Inclusive Guide to ETW - Blakes R & D |
| Event Tracing (ETW) | ETW Internals for Security Research and Forensics |
| Event Tracing (ETW) | ETL File analysis in live |
| EventTranscript.db | Forensically Unpacking EventTranscript.db: An Investigative Series |
| EventTranscript.db | EventTranscript.db Research |
| EventTranscript.db | Parsing Diagnostic Data With PowerShell and Enhanced Logging |
| EventTranscript.db | Parsing EventTranscript.db With KAPE and SQLECmd |
| EventTranscript.db | Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging |
| EventTranscript.db | EventTranscript.db vs .rbs Files and Their Relation to DiagTrack |
| Evernote | Investigating Evernote |
| Executables | Verifying executables on Windows |
| Exif Data | How To Use ExifTool To Look At Metadata - CyberSocialHub |
| Exif Data that was "removed" | Windows Explorer: Improper Exif Data Removal - Didier Stevens |
| ExpressVPN | Investigating ExpressVPN - Forensafe |
| Facebook Messenger | Investigating Facebook Messenger Windows Application |
| FeatureUsage | Employing FeatureUsage for Windows 10 Taskbar Forensics - CrowdStrike |
| File Carving | File carving: Recovering a deleted file from a Windows disk image |
| File Carving | File Carving In Windows - Joseph Moronwi |
| File Explorer - Temporary Zip Folders | Investigating Explorer's temporary ZIP folders and retrieving files - MattCASmith |
| File Extension Associations | Investigating File Extension Associations - Forensafe |
| File Signature And Hash Analysis | File Signature And Hash Analysis - Joseph Moronwi |
| FileZilla | Investigating FileZilla - Forensafe |
| Firefox | Investigating Firefox |
| Foxit PDF Reader | Investigating Foxit Reader - Forensafe |
| F-Secure | Investigating Windows F-Secure - Forensafe |
| GIMP | Quick tip: GIMP Recent Files Artifact |
| GKE Containers | Investigating a GKE Container - Open Source DFIR |
| GoToMeeting | GoToForensics - DFIR TNT |
| HeapLeakDetection Registry Key | The Mystery of the HeapLeakDetection Registry Key - RAT in Mi Kitchen |
| hiberfil.sys | How to read Windows Hibernation file (hiberfil.sys) to extract forensic data? |
| hiberfil.sys | Volatility3: Modern Windows Hibernation file analysis |
| HTTP Request Headers | Understanding HTTP Request Headers - Josh Rickard |
| imo (Messenger) | Investigating Windows imo - Forensafe |
| Import Address Table (IAT) | Volatility3: Import Address Table |
| INetCache | INetCache: Exploiting From Within - ParaFlare |
| InstallDate affected by Win11 Upgrade | Windows InstallDate could be changed via Windows Update |
| Installed Programs List | Investigating Installed Programs |
| Internet Explorer | Investigating Internet Explorer Web Browser |
| Intrusion Analysis | Windows Artifacts For Intrusion Analysis: A Treasure Trove of Evidence |
| iTunes | Windows iTunes Desktop Application - Forensafe |
| Jump Lists | Investigating Jump Lists |
| Jump Lists | CPY JMP - Phill Moore |
| Jump Lists | 13Cubed - LNK Files and Jump Lists |
| Jump Lists | Episode 17: “Quick Win” files #2 - Jumplists - Part 2 |
| Jump Lists | Episode 16: “Quick Win” files #2 - Jumplists - Part 1 |
| Jump Lists | Episode 52: The invisible files - Jumplists |
| Kaspersky Antivirus | Investigating Windows Kaspersky Antivirus - Forensafe |
| Last Accessed Key | Investigating Last Accessed Key |
| Last Shutdown | Investigating Last Shutdown - Forensafe |
| LastVisitedMRU | Investigating LastVisitedMRU |
| Level.io | RMM - Level.io: Forensic Artifacts and Evidence |
| LNK Files | LNK File Analysis: LNKing It Together! |
| LNK Files | 13Cubed - Introduction to Windows Forensics |
| LNK Files | The Missing LNK — Correlating User Search LNK files |
| LNK Files | CVE-2020-0729: REMOTE CODE EXECUTION THROUGH .LNK FILES |
| LNK Files | 13Cubed - LNK Files and Jump Lists |
| LNK Files | Episode 20: “Quick Win” files #3 - .LNK files - Part 2 |
| LNK Files | Episode 19: “Quick Win” files #3 - .LNK files - Part 1 |
| LNK Files | Episode 51: Lies My Computer Told Me - LNK Files |
| LNK Files | Exploring Windows Artifacts: LNK Files |
| LNK Files | Investigating Link File |
| LNK Files | Exploring Windows Artifacts: LNK Files - u0041 |
| LNK Files | Analyzing a Multi-Stage LNK Dropper |
| Logfile | Windows Logfile - Forensafe |
| LogMeIn | Investigating LogMeIn - Forensafe |
| Logon | Better know a data source: Logon sessions - Jonathan Johnson |
| LSASS | LSASS.DMP... Attacker or Admin? |
| MAC Randomization | MAC Randomization in Windows - Forensic 4:cast |
| Machine SID | Investigating MachineSID - Forensafe |
| Malwarebytes | Investigating Windows Malwarebytes - Forensafe |
| Mapped Network Drives | Investigating Windows Mapped Network Drives - Forensafe |
| Maps | Investigating Windows 10 Maps |
| MEGA | Even more MEGA - kibaffo33 |
| MegaNZ/MegaCMD | Forensic Investigation of the MEGAcmd Client - Awake Security |
| Mega's megapreferences | Decrypting Mega’s megapreferences SQLite Database - AskClees Part 2 |
| MEGAsync | An Encounter With Ransomware-as-a-Service: MEGAsync Analysis |
| Memories | Leaky Notifications from Windows 11 - Ian D |
| Memory Forensics | Forensic analysis of Windows 10 compressed memory using Volatility |
| Memory Forensics | Capturing Windows Memory |
| Memory Forensics | Volatility3: Alternate Data Stream Scan |
| Memory Forensics | VMware Memory Analysis with MemProcFS - Epic Capuano |
| Memory Forensics | Memory Forensics – Practical Example, Detect Classic Remote Process Injection |
| Microsoft Edge | Investigating Microsoft Edge Web Browser and Application |
| Microsoft Edge | Microsoft Edge Forensics: Screenshot History |
| Microsoft Edge | How can I be of WebAssist(ance)? |
| Microsoft Edge (Chromium) | Investigating Edge Chromium Web Browser |
| Microsoft Management Console MRU | Investigating Microsoft Management Console (MMC) MRU - Forensafe |
| Microsoft Remote Access VPN | Forensic Aspects of Microsoft Remote Access VPN |
| Mozilla Thunderbird | Investigating Thunderbird Windows Application |
| MPLog | Mind the MPLog: Leveraging Microsoft Protection Logging for Forensic Investigations - CrowdStrike |
| MRU | What is MRU (Most Recently Used)? - Magnet Forensics |
| MUICache | Forensic Analysis of MUICache Files in Windows - Magnet Forensics |
| MUICache | Let's Talk About MUICache - 13Cubed |
| MUICache (Multilingual User Interface) | Investigating MUICache |
| NetSupport Manager | NetSupport Intrusion Results in Domain Compromise |
| Network Interfaces | Investigating Windows Network Interfaces - Forensafe |
| Network Persistent State (Chromium) | Recovering WiFi SSIDs from Chromium's Network Persistent State File - Alex Bilz |
| Network Traffic | Analyzing Network Packets With Wireshark – AD And User Enumeration - m365guy |
| Notepad++ | Investigating Windows Notepad++ Desktop Application - Forensafe |
| Office MRU | What is a Microsoft Office Most Recently Used Artifact “MRU” - Cyber Triage |
| OpenSaveMRU | What is a Windows OpenSave MRU Artifact? - Cyber Triage |
| OpenSaveMRU | Investigating OpenSaveMRU |
| OpenVPN | Investigating Windows OpenVPN - Forensafe |
| Opera Web Browser | Investigating Opera Web Browser |
| Page File URLs | Investigating Page File URLs - Forensafe |
| Pagefile | An Intro to Pagefile Forensics |
| Pagefile.sys | Forensic Investigation: Pagefile.sys |
| Paint MRU | Investigating Paint MRU |
| pCloud | Investigating pCloud - Forensafe |
| Persistence Mechanisms | 13Cubed - Persistence Mechanisms |
| Photo GPS Artifacts | One Country, Two Systems - HackerFactor |
| Photos | Investigating Windows Photos |
| PowerShell | PowerShell - Forensafe |
| PowerShell Logs | How long was the malicious PowerShell script active on the compromised machine? - CyberDefNerd |
| PowerShell Scripts | Reconstructing PowerShell scripts from multiple Windows event logs - Sophos |
| PowerShell Scripts From Event Logs | Join PowerShell Script from Event Logs |
| Prefetch | Uncovering Hidden Clues: How Windows Artifact Prefetch Can Help in Digital Forensics Investigations in Windows 11 Machine - 4n6Shetty |
| Prefetch | 13Cubed - Introduction to Windows Forensics |
| Prefetch | Evidence of file execution |
| Prefetch | 13Cubed - Prefetch Deep Dive |
| Prefetch | Extracting Windows Prefetch Files |
| Prefetch | Episode 24: “Quick Win” files #5 - Prefetch - Part 2 |
| Prefetch | Episode 23: “Quick Win” files #5 - Prefetch - Part 1 |
| Prefetch | Forensic Investigation: Prefetch File |
| Prefetch | Investigating Prefetch |
| Prefetch | Artifacts of Execution: Prefetch - Part One |
| Printer Information | Investigating Printers Information |
| Printer Usage via Event Logs | How to track printer usage with event logs |
| Profiles | Investigating Profiles List - Forensafe |
| Program Compatibility Assistant (PCA) | New Windows 11 Pro (22H2) Evidence of Execution Artifact! - Andrew Rathbun & Lucas Gonzalez |
| Program Compatibility Assistant (PCA) | Diving Into The New Windows 11 PCA Artifact |
| Program Execution Artifacts | Analyzing Program Execution Windows Artifacts |
| Protected Content | Accessing Protected Content using Windows Domain Controllers and Workstations |
| ProtonVPN | Investigating Proton VPN - Forensafe |
| PsExec | The Key to Identify PsExec - Fabian Mendoza |
| qBittorrent | Investigating qBittorrent - Forensafe |
| Quick Access | Investigating Quick Access - Forensafe |
| RDP | Investigating Windows Remote Desktop Connection Events Log - Forensafe |
| Recent Items | Investigating Recent Items - Forensafe |
| RecentDocs MRU | Investigating RecentDocs MRU |
| Recents Folder | What is a Windows Recents Folder Artifact? - Cyber Triage |
| Recycle Bin | Digital dumpster diving: Exploring the intricacies of recycle bin forensics - Kushalveer Singh Bachchas |
| Recycle Bin | Windows Forensics: analysis of Recycle bin artifacts |
| Recycle Bin | 13Cubed - Recycle Bin Forensics |
| Recycle Bin | Investigating Windows Recycle Bin |
| Registry | Threat Hunting for Windows Registry - Alican Kiraz |
| Registry | The Defender’s Guide to the Windows Registry - Luke Paine |
| Registry | A Technical Guide to Examining the Windows Registry |
| Registry | Forensic Investigation: Windows Registry Analysis |
| Registry | Registry hive basics part 1 |
| Registry | Registry hive basics part 2: NK records |
| Registry | Registry hive basics part 3: VK records |
| Registry | Registry hive basics part 4: SK records |
| Registry | Registry hive basics part 5: Lists |
| Registry | Exploring the Registry at the hex level |
| Registry | RECmd: command line tool for Windows Registry analysis |
| Registry | Episode 75: What is the Windows Registry? |
| Registry | Episode 78: What is the Windows Registry transaction log? |
| Registry | Episode 76: Investigating the Windows Registry using Registry Explorer - Part 1 |
| Registry | Episode 77: Investigating the Windows Registry using Registry Explorer - Part 2 |
| Registry | Episode 15: “Quick Win” files #1 - The Registry - Part 2 |
| Registry | Episode 14: “Quick Win” files #1 - The Registry - Part 1 |
| Registry | Exploring the Hive — Deep Inside the Windows Registry |
| Registry | Windows registry Transaction Logs in forensic analysis |
| Registry | Exploring the Hive - Deep inside the Windows Registry, pt 2 |
| Registry | Your AV is Trying to Tell You Something: Registry |
| Registry | Registry Hive File Structure Analysis |
| Registry | The Registry Hives You May be MSIX-ING: Registry Redirection with MS MSIX |
| Registry Hive Bins | Maximum Exploitation of Windows Registry Hive Bins - Arsenal Recon |
| Remote Access Software | Remote Access Software - Forensics - Vikas Singh |
| Remote Desktop Application | Remote Desktop Application vs MSTSC Forensics: The RDP Artifacts You Might Be Missing |
| Remote Desktop MRU | Investigating Remote Desktop Connection MRU |
| Remote Desktop Protocol (RDP) | 13Cubed - RDP Cache Forensics & 13Cubed - RDP Event Log Forensics |
| Remote Desktop Protocol (RDP) | Windows Forensic Analysis: some thoughts on RDP related Event IDs |
| Remote Desktop Protocol (RDP) | Remote Desktop Connection (mstsc.exe) Screen in a Memory Dump Analysis |
| RunMRU | Investigating Run MRU - Forensafe |
| Scheduled Tasks | A Deep Dive Into Windows Scheduled Tasks and The Processes Running Them |
| Scheduled Tasks | Windows Scheduled Tasks for DFIR Investigations |
| ScreenConnect | From ScreenConnect to Hive Ransomware in 61 hours |
| Screenshots | Tracking screenshots with LNK files - ThinkDFIR |
| SDeleted Files | Forensic Detection of Files Deleted via SDelete - InverseCos |
| Searched Strings/WordWheelQuery | Investigating Searched Strings |
| Security Event Logs | Windows Security Event Logs: my own cheatsheet |
| Security:4624 (Win11) | DFIR FYI: Security:4624 has been updated in Windows 11 Pro (22H2) - Andrew Rathbun |
| Services | Investigating Windows Services |
| Shellbags | 13Cubed - Introduction to Windows Forensics |
| Shellbags | 13Cubed - Shellbag Forensics |
| Shellbags | Episode 22: “Quick Win” files #4 - Shellbags - Part 2 |
| Shellbags | Episode 21: “Quick Win” files #4 - Shellbags - Part 1 |
| Shellbags | Forensic Investigation: Shellbags |
| Shellbags | Investigating Shellbags |
| ShimCache | Investigating ShimCache with ArtiFast ShimCache Artifact Parser - Forensafe |
| ShimCache | 13Cubed - Windows Application Compatibility Forensics |
| ShimCache | Let's Talk about Shimcache - The Most Misunderstood Artifact |
| ShimCache | Evidence of Program Existence - Shimcache |
| Signal | Pulling encrypted Signal messages off of desktop OS’ for forensics |
| Signal | Signal for Desktop - A Digital Forensics Perspective |
| Signal | Investigating Signal with ArtiFast Signal |
| Skype | Analysis of Skype - Windows 10 App Version 12.7 and higher |
| Skype | Skype Analysis - From the old one to the newest one - A First Overview |
| Skype | Extracting Skype Histories and Deleted Files Metadata from Microsoft Account |
| Skype | Microsoft Teams and Skype Logging Privacy Issue |
| Skype | Investigating Skype for Desktop and Windows Application |
| Skype (Metro App) | Analysis of Skype App for Windows (Metro-App) - Version 14.xx |
| Slack | Investigating Slack for Windows - Forensafe |
| SQLite Databases | SQLite Forensics with Belkasoft X |
| SRUM | SRUM: Forensic Analysis of Windows System Resource Utilization Monitor - Magnet Forensics |
| SRUM | Investigating Windows System Resource Usage Monitor (SRUM) |
| SRUM | Swimming in the SRUM |
| SRUM | Leveraging SRUM for Incident Response |
| StartupInfo | Who Left the Backdoor Open? Using Startupinfo for the Win |
| Steam | Video Games Forensics: Steam - ForensicxLab |
| Sticky Notes | Investigating Sticky Notes |
| Swapfile URLs | Investigating Swap File URLs - Forensafe |
| Sysmon | Sysmon 13.10 — FileDeleteDetected |
| System Information | Investigating System Information |
| System Resource Utilization Monitor (SRUM) | 13Cubed - Windows SRUM Forensics |
| Task Scheduler | Investigating Task Scheduler |
| Taskbar | Employing FeatureUsage for Windows 10 Taskbar Forensics |
| Tasks | Windows Registry Analysis – Today’s Episode: Tasks - Cyber.wtf |
| TeamViewer | Digital Forensic Artifact of TeamViewer Application |
| TeamViewer | TeamViewer Forensics |
| TeamViewer | Magnet User Summit DFIR CTF 2019 - Activity |
| TeamViewer | Analyze TeamViewer and its Log Files For Investigation |
| TeamViewer | TeamViewer Forensics |
| TeamViewer | Blog #27: IPv6 in TeamViewer (v15) part 1 [EN] & Blog #28: IPv6 in TeamViewer (v15) part 2 [EN] |
| TeraCopy | Introducing TeraLogger |
| The RULER Project | Really Useful Logging and Event Repository (RULER) Project |
| ThumbCache | Investigating ThumbCache |
| Thumbs.db | Investigating Thumbs.db |
| Time | Let's talk about time |
| Time Rules - Windows 11 | Windows 11 Time Rules - Khyrenz Ltd |
| Time Zones | Case 001 – The Timing of it All |
| Timeline Analysis | Timeline Creation for Forensics Analysis |
| Timezone Information | Investigating Timezone Information - Forensafe |
| Torch Browser | Investigating Torch Web Browser |
| Triage Analysis | Chaos to Clarity: Why Triage is Not Optional |
| Typed Paths | Investigating Typed Paths |
| Typed URLs | Investigating Typed URLs |
| UC Web Browser | Investigating UC Web Browser |
| Unigram | Investigating Windows Unigram - Forensafe |
| Universal Serial Bus (USB) | Episode 106: The TWO Serial Numbers of a USB Device - Part 1 - 3 Min Max Series, Episode 107: Part 2, Episode 108: Part 3 |
| Universal Serial Bus (USB) | USB IDs |
| Universal Serial Bus (USB) | 13Cubed - Introduction to USB Detective |
| Universal Serial Bus (USB) | DeviceHunt |
| Universal Serial Bus (USB) | A Monkey Forays Into USB Flashdrives |
| Universal Serial Bus (USB) | No Drive Letter, No USB Evidence? Think Again! |
| Universal Serial Bus (USB) | Investigating USB Drives using Mount Points Not Drive Letters |
| Universal Serial Bus (USB) | 13Cubed - Introduction to Windows Forensics |
| Universal Serial Bus (USB) | Episode 109: The TWO Serial Numbers of a USB Device - Part 4 |
| Universal Serial Bus (USB) | Episode 98: USB Forensics Series - Part 1 of 7 |
| Universal Serial Bus (USB) | Episode 99: USB Forensics Series - Part 2 of 7 |
| Universal Serial Bus (USB) | Episode 101: USB Forensics Series - Part 3 of 7 |
| Universal Serial Bus (USB) | Episode 102: USB Forensics Series - Part 4 of 7 |
| Universal Serial Bus (USB) | Episode 103: USB Forensics Series - Part 5 of 7 |
| Universal Serial Bus (USB) | Episode 104: USB Forensics Series - Part 6 of 7 |
| Universal Serial Bus (USB) | Episode 105: USB Forensics Series - Part 7 of 7 |
| Universal Serial Bus (USB) | Incident Response Thumb Drive |
| Updates | Investigating Windows Update Log |
| USB "Serial Numbers" | The Truth About USB Device Serial Numbers – (and the lies your tools tell) - Computer Evidence Recovery |
| USB Artifacts with no logged-in user | USB connections with no logged-in user (https://www.khyrenz.com/blog/usbs-without-login/) |
| USB Connection Times | USB or not USB... Connection Times - Kathryn Hedley |
| USB Devices | Investigating USB Devices - Forensafe |
| USB Devices | Automated USB artefact parsing from the Registry |
| User Access Logs (UAL) | Windows User Access Logs (UAL) |
| User Access Logs (UAL) | A new type of User access log |
| User Access Logs (UAL) | UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations |
| User Accounts | Blue Team - System Live Analysis [Part 9] - Windows: User Account Forensics - Ownership: Process, Applications, Folders, and Files |
| User Accounts | Investigating User Accounts - Forensafe |
| UserAssist | Investigating UserAssist |
| UserAssist | 13Cubed - Introduction to Windows Forensics |
| UserAssist | UserAssist — with a pinch of Salt — As an “Evidence of Execution” |
| UserAssist | Decoding Windows Registry Artifacts with Belkasoft X: UserAssist |
| Various User Data | Blue Team - System Live Analysis [Part 8] - Windows: User Account Forensics - Profile Folder, AppData, and Environment Variables |
| Velociraptor | Velociraptor - Dig Deeper |
| Viber.db | On Viber.db and Thumbnail Paths - Random Dent |
| VirtualBox | Investigating VirtualBox - Forensafe |
| Vivaldi Browser | Investigating Vivaldi Web Browser |
| VMTools Persistence - VMWareToolBoxCmd.exe | Analyzing and Detecting a VMTools Persistence Technique |
| VMware | Investigating VMware Windows Application |
| Volume Shadow Copies | Extracting unallocated clusters from a shadow copy |
| Volume Shadow Copies | Offline shadow copies |
| Volume Shadow Copies | 13Cubed - The Volume Shadow Knows |
| Volume Shadow Copies | Episode 53: Volume Shadow Copy - Part 1 |
| Volume Shadow Copies | Episode 54: Volume Shadow Copy - Part 2 |
| Volume Shadow Copies | Episode 55: Volume Shadow Copy - Part 3 |
| Volume Shadow Copies | Shadow copies become less visible |
| VSS | VSS Carving - Pt. 1, Setup - Nullsec and Pt. 2 |
| Web Browsers (Chrome, Firefox, Edge) | Web Browsers Forensics |
| Webshells | Hunting Webshells |
| WhatsApp | WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts |
| WhatsApp | Investigating WhatsApp |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 3: Clipboard Craziness |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 1: The High Points |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 2: Synching Across Devices |
| Windows 10 - Activity Timeline | Reconstructing User Activity for Forensics with FeatureUsage |
| Windows 10 - Activity Timeline | Investigating Windows 10 Timeline |
| Windows 10 - Activity Timeline | Analyzing Microsoft Timeline, OneDrive and Personal Vault Files |
| Windows 10 - Cortana | Inve |
| Windows 10 - Google Drive | Artifacts of Google Drive Usage on Windows 10 (Part 1) |
| Windows 10 - Install Date | Windows 10 Install Date - The Real One |
| Windows 10 - Mail App | Windows 10 Mail App Forensics |
| Windows 10 - Notifications | Investigating Windows 10 Notifications |
| Windows 10 - NTFS Timestamps | NTFS Timestamp changes on Windows 10 |
| Windows 10 - Remote RAM Capture | Capturing and Retrieving a Memory Image Remotely |
| Windows 10 - Sticky Notes | Windows 10 Sticky Notes Location |
| Windows 10 - USB Storage | USB storage forensics in Win10 #1 - Events |
| Windows 10 - Windows Timeline | Windows Timeline: Putting the what & when together |
| Windows 11 - ETW | ETW on Windows 11 - Initial thoughts |
| Windows 11 - New ETW Providers | Windows 11 “New” ETW Providers — Overview |
| Windows 11 Changes | Windows 10 vs. Windows 11, What Has Changed? - Andrew Rathbun |
| Windows 11 GUID Partition Scheme (GPT) | Boggle-bytes in a Basic Data Partition Entry - Ian D |
| Windows Artifacts General Reference | Windows Forensic Artifacts Guide |
| Windows Artifacts General Reference | Introduction to Windows Artifacts: Your Gateway to Effective Incident Response |
| Windows Calendar | Investigating Windows Calendar |
| Windows Defender | Investigating Windows Defender - Forensafe |
| Windows Defender | Reverse, Reveal, Recover: Windows Defender Quarantine Forensics |
| Windows Event Tracing | Open .ETL Files with NetworkMiner and CapLoader |
| Windows Images with Infections for Testing | DFIRArtifactMuseum - Andrew Rathbun |
| Windows Install Date | When Windows Lies |
| Windows Logon Banner | Investigating Logon Banner - Forensafe |
| Windows Mail | Investigating Windows Mail - Forensafe |
| Windows Management Instrumentation (WMI) | Investigating Windows Management Instrumentation (WMI) - Forensafe |
| Windows Management Instrumentation (WMI) | WMI Internals Part 1 - jsecurity101 |
| Windows Management Instrumentation (WMI) | Windows Management Instrumentation (WMI) Offense, Defense, and Forensics - FireEye |
| Windows Registry | Mysteries of the Registry - Pavel Yosifovich |
| Windows Run MRU | Investigating Windows Run MRU - Forensafe |
| Windows Search Index | Investigating Windows Search Index - Forensafe |
| Windows Search Index | Windows Search Index - AON Cyber Labs |
| Windows Startup Programs | Investigating Windows Startup Programs - Forensafe |
| Windows Subsystem for Linux | Windows Subsystem for Linux: Finding the Penguin - SketchyMoose |
| Windows Terminal | Investigating Windows Terminal - Forensafe |
| Windows Update Impact on Artifacts | Can Windows Update fool you during the investigation? - CyberDefNerd |
| WinRAR | Investigating WinRAR - Forensafe |
| WinSCP | Detecting Lateral Movement with WinSCP |
| WinZip | Investigating WinZip - Forensafe |
| Wireless Networks | Investigating Windows Wireless Networks |
| Wireless Networks | Investigating Windows Wireless Networks - Forensafe |
| WMI Events | Finding Evil WMI Event Consumers with Disk Forensics - Chad Tilbury - SANS |
| WordPad Recent Files | Investigating WordPad Recent Files - Forensafe |
| WSH | The Forensic Value of the (Other) WSH Registry Key - RAT In Mi Kitchen |
| YARA Rules | Investigating Artifacts Using YARA Rules with ArtiFast - Forensafe |
| ZIP Files and Compressed Archives | Forensically Analyzing ZIP & Compressed Files |
| Zone Identifiers | Zone.Identifier: A Couple Of Observations |
| Zone.Identifier Stream | Forensic Analysis of the Zone.Identifier Stream - Digital Detective |
| Zoom | Investigating Zoom - Forensafe |