1Password | Investigating Windows 1Password - Forensafe |
360 Secure Browser | Investigating 360 Secure Browser - Forensafe |
7-Zip | Investigating 7-Zip |
AD1 Format | Dissecting the AD1 File Format |
Adobe Acrobat Reader | Investigating Adobe Acrobat Reader - Forensafe |
ADS Zone.Identifier | Stripped off ADS (Zone.Identifier) for files downloaded in the incognito/private mode. - CyberDefNerd |
Alternate Data Streams | Windows Alternate Data Streams (ADS) - winitor (list of articles, also available as a direct download) |
Amcache - SHA-1 | Amcache contains SHA-1 Hash – It Depends! - NVISO Labs |
AnyDesk | Digital Forensic Artifact of Anydesk Application |
AnyDesk | Forensic Analysis of AnyDesk Logs |
AnyDesk | Investigating AnyDesk |
AnyDesk | AnyDesk Forensic Analysis and Artefacts - Hats Off Security |
AnyDesk | AnyDesk Forensics | AnyDesk Log Analysis - Tyler Brozek |
AnyDesk | Investigating Windows AnyDesk - Forensafe |
APOLLO on Windows | Apple Pattern of Life Lazy Output'er (APOLLO) on Windows |
App Timeline Provider - SRUM | App Timeline Provider - SRUM Database - Cassie Doemel |
AVG Antivirus | Investigating Windows AVG Antivirus - Forensafe |
Avira Antivirus | Investigating Windows Avira Antivirus - Forensafe |
Background Activity Moderator (BAM) | Investigating Windows Background Activity Moderator (BAM) - Forensafe |
Battery Level | Battery charge level and its importance in forensics investigations - CyberDefNerd |
Battery Levels | Why do the battery use and the battery level matter during the investigation? - CyberDefNerd |
BitComet | Investigating Windows BitComet - Forensafe |
Bitdefender | Investigating Windows Bitdefender Antivirus - Forensafe |
BitTorrent | Investigating Windows BitTorrent - Forensafe |
Box | Investigating Box |
Box Sync | Investigating Box Sync |
BoxDrive | Investigating Windows BoxDrive - Forensafe |
Brave Web Browser | Investigating Brave Web Browser |
Browser Artifacts | Analysing Web Browsers Forensic Artifacts - Digital Investigator |
Browser Downloads in $UsnJrnl | Easy way to prove that a file was downloaded by a web browser, having only $UsnJrnl logs. - CyberDefNerd |
Capability Access Manager (Camera/Mic Usage) | Can you track processes accessing the camera and microphone? & update: I can see and hear you seeing and hearing me! |
Chrome - Changes in v96 | Cookies Database Moving in Chrome 96 |
Chrome History - Deleted | Recovering Cleared Browser History - Chrome Forensics - InverseCos |
Cisco Webex Meetings | Investigating Cisco Webex Meetings - Forensafe |
Clipboard Artifacts | How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History - inversecos |
Computer Name | Investigating Computer Name |
Containers | Windows Container Forensics |
Cortana | Investigating Cortana - Forensafe |
Defender | Investigating Windows Defender - Forensafe |
Desktop Wallpaper | Investigating Desktop Wallpaper - Forensafe |
Discord | Finding Discord app chats in Windows. |
Discord | Update on Discord forensic artifacts for iOS & Windows |
Download Manager | Quick analysis of the Internet Download Manager history using RegRipper plugins - CyberDefNerd |
Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 1) |
Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 2) |
Dropbox | Investigating the Dropbox Desktop App for Windows with Belkasoft X |
Dropbox | Investigating Dropbox |
Email Forensics | Email Forensics – Definition and Guideline - Salvation Data |
Email Forensics/Artifacts | Techniques In Email Forensic Analysis and Email Header Forensic Analysis - Joseph Moronwi |
Event Log (Damaged Logs) | Event Log Explorer Forensic Edition – working with damaged logs or disks - EventLogExplorer |
Event Log Access | C:\ProgramData\Microsoft\Event Viewer\ExternalLogs – artifacts showing what Windows Event Logs were opened on the suspected device - CyberDefNerd |
Event Logs | Files in Event Log Explorer Forensic Edition: Searching for removed events - FSPro Labs (download) |
Event Logs | Investigating Windows Event Logs - Forensafe |
Event Logs (Cheat Sheet) | Hunting Windows Event Logs - Avesta Fahimipour |
Event Tracing (ETW) | A Beginner's All-Inclusive Guide to ETW - Blakes R & D |
Evernote | Investigating Evernote |
Exif Data | How To Use ExifTool To Look At Metadata - CyberSocialHub |
Exif Data that was "removed" | Windows Explorer: Improper Exif Data Removal - Didier Stevens |
ExpressVPN | Investigating ExpressVPN - Forensafe |
Facebook Messenger | Investigating Facebook Messenger Windows Application |
FeatureUsage | Employing FeatureUsage for Windows 10 Taskbar Forensics - Crowdstrike |
File Carving | File carving: Recovering a deleted file from a Windows disk image |
File Carving | File Carving In Windows - Joseph Moronwi |
File Explorer - Temporary Zip Folders | Investigating Explorer's temporary ZIP folders and retrieving files - MattCASmith |
File Extension Associations | Investigating File Extension Associations - Forensafe |
File Signature And Hash Analysis | File Signature And Hash Analysis - Joseph Moronwi |
FileZilla | Investigating FileZilla - Forensafe |
Firefox | Investigating Firefox |
Foxit PDF Reader | Investigating Foxit Reader - Forensafe |
F-Secure | Investigating Windows F-Secure - Forensafe |
GIMP | Quick tip: GIMP Recent Files Artifact |
GKE Containers | Investigating a GKE Container - Open Source DFIR |
Google Chrome | Has the user logged into this account, or not? (Google Chrome’s Login Data) - Part 1 & Part 2 |
Google Chrome | Chrome Media History |
Google Chrome | Chrome Media History Tracking Your Viewing Habits |
Google Chrome | Chromium Session Storage and Local Storage |
Google Chrome | Investigating Google Chrome Web Browser |
Google Drive | Data Exfiltration Using Google Drive — Forensic Investigation |
Google Drive | Investigating Google Drive |
Google Drive FS | Investigating Windows Google Drive - Forensafe |
Google Tasks - Google Takeout | Check Marks the Spot - Google Tasks from Takeout - Stark4n6 |
GoToMeeting | GoToForensics - DFIR TNT |
HeapLeakDetection Registry Key | The Mystery of the HeapLeakDetection Registry Key - RAT in Mi Kitchen |
HTTP Request Headers | Understanding HTTP Request Headers - Josh Rickard |
imo (Messenger) | Investigating Windows imo - Forensafe |
INetCache | INetCache: Exploiting From Within - ParaFlare |
InstallDate affected by Win11 Upgrade | Windows InstallDate could be changed via Windows Update |
Installed Programs List | Investigating Installed Programs |
Internet Explorer | Investigating Internet Explorer Web Browser |
iTunes | Windows iTunes Desktop Application - Forensafe |
Jump Lists | Investigating Jump Lists |
Kaspersky Antivirus | Investigating Windows Kaspersky Antivirus - Forensafe |
Last Accessed Key | Investigating Last Accessed Key |
Last Shutdown | Investigating Last Shutdown - Forensafe |
LNK files | Investigating Link File |
LNK Files | Exploring Windows Artifacts : LNK Files - u0041 |
Logfile | Windows Logfile - Forensafe |
LogMeIn | Investigating LogMeIn - Forensafe |
Logon | Better know a data source: Logon sessions - Jonathan Johnson |
MAC Randomization | MAC Randomization in Windows - Forensic 4:cast |
Machine SID | Investigating MachineSID - Forensafe |
Malwarebytes | Investigating Windows MalwareBytes - Forensafe |
Mapped Network Drives | Investigating Windows Mapped Network Drives - Forensafe |
Maps | Investigating Windows 10 Maps |
MEGA | Even more MEGA - kibaffo33 |
MegaNZ/MegaCMD | Forensic Investigation of the MEGAcmd Client - Awake Security |
Mega's megapreferences | Decrypting Mega’s megapreferences SQLite Database - AskClees (Part 2) |
MEGAsync | An Encounter With Ransomware-as-a-Service: MEGAsync Analysis |
Memories | Leaky Notifications from Windows 11 - Ian D |
Microsoft Edge | Investigating Microsoft Edge Web Browser and Application |
Microsoft Edge (Chromium) | Investigating Edge Chromium Web Browser |
Microsoft Management Console MRU | Investigating Microsoft Management Console (MMC) MRU - Forensafe |
Microsoft Office | An Inside View of Office Document Cache Exploitation |
Microsoft Office | Investigating Microsoft Office - Forensafe |
Microsoft Office 365 | Everything you need to know about MailItemsAccessed and more |
Microsoft Teams | Microsoft Teams artifacts and chat logs |
Microsoft Teams | Microsoft Teams and Skype Logging Privacy Issue |
Microsoft Teams | Microsoft Teams Logs for Activity |
Microsoft Teams | Collecting from Microsoft Teams using PowerShell |
Microsoft Teams | MS Teams Desktop Forensic - Misconfig |
Microsoft User Access Logs (UAL) | A new type of User access log |
Mozilla Thunderbird | Investigating Thunderbird Windows Application |
MPLog | Mind the MPLog: Leveraging Microsoft Protection Logging for Forensic Investigations - CrowdStrike |
MRU | What is MRU (Most Recently Used)? - Magnet Forensics |
MUICache | Forensic Analysis of MUICache Files in Windows - Magnet Forensics |
MUICache | Let's Talk About MUICache - 13Cubed |
MUICache (Multilingual User Interface) | Investigating MUICache |
Network Interfaces | Investigating Windows Network Interfaces - Forensafe |
Network Persistent State (Chromium) | Recovering WiFi SSIDs from Chromium's Network Persistent State File - Alex Bilz |
Network Traffic | Analyzing Network Packets With Wireshark – AD And User Enumeration - m365guy |
Notepad++ | Investigating Windows Notepad++ Desktop Application - Forensafe |
Office MRU | What is a Microsoft Office Most Recently Used Artifact “MRU” - Cyber Triage |
OneDrive | OneDrive and NTFS last access timestamps |
OneDrive | Investigating OneDrive |
OneDrive | Reading OneDrive Logs: Part 1 & Part 2 - SwiftForensics |
OneDrive - $MFT | The $MFT flag that you have never considered before – OneDrive not synchronized files. - CyberDefNerd |
OneDrive Folder Structure | Recreating OneDrive’s Folder Structure from .dat |
OneDrive Logs | Reading OneDrive Logs - SwiftForensics |
OpenSaveMRU | What is a Windows OpenSave MRU Artifact? - CyberTriage |
OpenVPN | Investigating Windows OpenVPN - Forensafe |
Opera Web Browser | Investigating Opera Web Browser |
Outlook | Investigating Outlook Windows Application |
Page File URLs | Investigating Page File URLs - Forensafe |
Pagefile | An Intro to Pagefile Forensics |
Paint MRU | Investigating Paint MRU |
pCloud | Investigating pCloud - Forensafe |
Persistence Mechanisms | 13Cubed - Persistence Mechanisms |
Photo GPS Artifacts | One Country, Two Systems - HackerFactor |
PowerShell | PowerShell - Forensafe |
PowerShell Logs | How long was the malicious PowerShell script active on the compromised machine? - CyberDefNerd |
PowerShell Scripts | Reconstructing PowerShell scripts from multiple Windows event logs - Sophos |
PowerShell Scripts from Event Logs | Join PowerShell Script from Event Logs |
Prefetch | Uncovering Hidden Clues: How Windows Artifact Prefetch Can Help in Digital Forensics Investigations in Windows 11 Machine - 4n6Shetty |
Printer Information | Investigating Printers Information |
Profiles | Investigating Profiles List - Forensafe |
Program Compatibility Assistant | New Windows 11 Pro (22H2) Evidence of Execution Artifact! - Andrew Rathbun & Lucas Gonzalez |
ProtonVPN | Investigating Proton VPN - Forensafe |
PsExec | The Key to Identify PsExec - Fabian Mendoza |
Quick Access | Investigating Quick Access - Forensafe |
Recent Items | Investigating Recent Items - Forensafe |
RecentDocs MRU | Investigating RecentDocs MRU |
Recents Folder | What is a Windows Recents Folder Artifact? - Cyber Triage |
Registry | Threat Hunting for Windows Registry - Alican Kiraz |
Registry | The Defender’s Guide to the Windows Registry - Luke Paine |
Registry Hive Bins | Maximum Exploitation of Windows Registry Hive Bins - Arsenal Recon |
Remote Access Software | Remote Access Software - Forensics - Vikas Singh |
Remote Desktop MRU | Investigating Remote Desktop Connection MRU |
Remote Desktop Protocol (RDP) | 13Cubed - RDP Cache Forensics & 13Cubed - RDP Event Log Forensics |
Remote Desktop Protocol (RDP) | Windows Forensic Analysis: some thoughts on RDP related Event IDs |
Remote Desktop Protocol (RDP) | Remote Desktop Connection (mstsc.exe) Screen in a Memory Dump Analysis |
RunMRU | Investigating Run MRU - Forensafe |
Screenshots | Tracking screenshots with LNK files - ThinkDFIR |
SDeleted Files | Forensic Detection of Files Deleted via SDelete - InverseCos |
Searched Strings/WordWheelQuery | Investigating Searched Strings |
Security:4624 (Win11) | DFIR FYI: Security:4624 has been updated in Windows 11 Pro (22H2) - Andrew Rathbun |
ShimCache | Investigating ShimCache with ArtiFast ShimCache Artifact Parser - Forensafe |
Signal | Pulling encrypted Signal messages off of desktop OS’ for forensics |
Signal | Signal for Desktop - A Digital Forensics Perspective |
Signal | Investigating Signal with ArtiFast Signal |
Skype | Analysis of Skype - Windows 10 App Version 12.7 and higher |
Skype | Skype Analysis - From the old one to the newest one - A First Overview |
Skype | Extracting Skype Histories and Deleted Files Metadata from Microsoft Account |
Skype | Microsoft Teams and Skype Logging Privacy Issue |
Skype | Investigating Skype for Desktop and Windows Application |
Skype (Metro App) | Analysis of Skype App for Windows (Metro-App) - Version 14.xx |
Slack | Investigating Slack for Windows - Forensafe |
SQLite Databases | SQLite Forensics with Belkasoft X |
SRUM | SRUM: Forensic Analysis of Windows System Resource Utilization Monitor - Magnet Forensics |
SRUM - SRUDB.dat | Swimming in the SRUM |
Sticky Notes | Investigating Sticky Notes |
Swapfile URLs | Investigating Swap File URLs - Forensafe |
Sysmon | Sysmon 13.10 — FileDeleteDetected |
System Information | Investigating System Information |
System Resource Utilization Monitor (SRUM) | 13Cubed - Windows SRUM Forensics |
Task Scheduler | Investigating Task Scheduler |
Tasks | Windows Registry Analysis – Today’s Episode: Tasks - Cyber.wtf |
TeamViewer | Digital Forensic Artifact of TeamViewer Application |
TeamViewer | TeamViewer Forensics |
TeamViewer | Magnet User Summit DFIR CTF 2019-Activity |
TeamViewer | Analyze TeamViewer and its Log Files For Investigation |
TeamViewer | Blog #27: IPv6 in TeamViewer (v15) part 1 [EN] & Blog #28: IPv6 in TeamViewer (v15) part 2 [EN] |
Time Rules - Windows 11 | Windows 11 Time Rules - Khyrenz Ltd |
Timezone Information | Investigating Timezone Information - Forensafe |
Torch Browser | Investigating Torch Web Browser |
Typed Paths | Investigating Typed Paths |
Typed URLs | Investigating Typed URLs |
UC Web Browser | Investigating UC Web Browser |
Unigram | Investigating Windows Unigram - Forensafe |
Universal Serial Bus (USB) | Episode 106: The TWO Serial Numbers of a USB Device - Part 1 - 3 Min Max Series, Episode 107: Part 2, Episode 108: Part 3 |
Universal Serial Bus (USB) | USB IDs |
Universal Serial Bus (USB) | 13Cubed - Introduction to USB Detective |
Universal Serial Bus (USB) | DeviceHunt |
Universal Serial Bus (USB) | A Monkey Forays Into USB Flashdrives |
Universal Serial Bus (USB) | No Drive Letter, No USB Evidence? Think Again! |
Universal Serial Bus (USB) | Investigating USB Drives using Mount Points Not Drive Letters |
Universal Serial Bus (USB) | 13Cubed - Introduction to Windows Forensics |
Universal Serial Bus (USB) | Episode 109: The TWO Serial Numbers of a USB Device - Part 4 |
Universal Serial Bus (USB) | Episode 98: USB Forensics Series - Part 1 of 7 |
Universal Serial Bus (USB) | Episode 99: USB Forensics Series - Part 2 of 7 |
Universal Serial Bus (USB) | Episode 101: USB Forensics Series - Part 3 of 7 |
Universal Serial Bus (USB) | Episode 102: USB Forensics Series - Part 4 of 7 |
Universal Serial Bus (USB) | Episode 103: USB Forensics Series - Part 5 of 7 |
Universal Serial Bus (USB) | Episode 104: USB Forensics Series - Part 6 of 7 |
Universal Serial Bus (USB) | Episode 105: USB Forensics Series - Part 7 of 7 |
Universal Serial Bus (USB) | Incident Response Thumb Drive |
USB "Serial Numbers" | The Truth About USB Device Serial Numbers – (and the lies your tools tell) - Computer Evidence Recovery |
USB Artifacts with no logged-in user | USB connections with no logged-in user - Khyrenz Ltd (https://www.khyrenz.com/blog/usbs-without-login/) |
USB Connection Times | USB or not USB... Connection Times - Kathryn Hedley |
USB Devices | Investigating USB Devices - Forensafe |
UserAssist | Investigating UserAssist |
Velociraptor | Velociraptor - Dig Deeper |
Viber.db | On Viber.db and Thumbnail Paths - Random Dent |
VirtualBox | Investigating VirtualBox - Forensafe |
Vivaldi Browser | Investigating Vivaldi Web Browser |
VMTools Persistence - VMwareToolBoxCmd.exe | Analyzing and Detecting a VMTools Persistence Technique |
VMware | Investigating VMware Windows Application |
VSS | VSS Carving - Pt. 1 (Setup) & Pt. 2 - Nullsec |
Web Browsers (Chrome, Firefox, Edge) | Web Browsers Forensics |
WhatsApp | WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts |
Whatsapp | Investigating WhatsApp |
Windows - Active Directory | DFIR – Windows and Active Directory persistence and malicious configurations |
Windows - AmCache | Analysis of the AmCache |
Windows - Amcache | (Am)Cache rules everything around me |
Windows - Amcache | Investigating Amcache |
Windows - BAM | BAM internals |
Windows - BitLocker | BitLocker Decryption Explained |
Windows - BitLocker | How to handle Bitlocker Encrypted Volumes |
Windows - BitLocker | The Interesting Case of Windows Hibernation and BitLocker |
Windows - BitLocker | BitLocker for DFIR – Part I |
Windows - BitLocker | BitLocker for DFIR – Part II |
Windows - BitLocker | BitLocker for DFIR – Part III |
Windows - BITS | Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service |
Windows - CertUtil | Certutil download artefacts |
Windows - Certutil | Certutil Artifacts Analysis |
Windows - Compressed Memory | Forensic analysis of Windows 10 compressed memory using Volatility |
Windows - Event IDs | Event ID 1024 |
Windows - Event IDs | 4625 Events – Know your enemy |
Windows - Event IDs | DNS investigation on Windows |
Windows - Event Logs | Making the Most Out of WLAN Event Log Artifacts |
Windows - Event Logs | Parsing carved evtx records using EvtxECmd |
Windows - Event Logs | 13Cubed - Event Log Forensics with Log Parser |
Windows - Event Logs | 13Cubed - Introduction to EvtxECmd |
Windows - Event Logs | Are you sure you extract all the available Volume Serial Numbers (VSNs) that reside in the Windows 10 Event Log “Microsoft-Windows-Partition%4Diagnostic.evtx”? |
Windows - Event Logs | Finding Forensic Goodness In Obscure Windows Event Logs |
Windows - Event Logs | Using the Convert-EventLogRecord function alongside the Get-WinEvent PowerShell cmdlet to search Windows event logs |
Windows - EventTranscript.db | Forensically Unpacking EventTranscript.db: An Investigative Series |
Windows - EventTranscript.db | EventTranscript.db Research |
Windows - EventTranscript.db | Parsing Diagnostic Data With Powershell and Enhanced Logging |
Windows - EventTranscript.db | Parsing EventTranscript.db With KAPE and SQLECmd |
Windows - EventTranscript.db | Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging |
Windows - EventTranscript.db | EventTranscript.db vs .rbs Files and Their Relation to DiagTrack |
Windows - Executables | Verifying executables on Windows |
Windows - hiberfil.sys | How to read Windows Hibernation file (hiberfil.sys) to extract forensic data? |
Windows - JumpLists | 13Cubed - LNK Files and Jump Lists |
Windows - JumpLists | Episode 16: “Quick Win” files #2 - Jumplists-Part 1 |
Windows - JumpLists | Episode 17: “Quick Win” files #2 - Jumplists-Part 2 |
Windows - JumpLists | Episode 52: The invisible files - Jumplists |
Windows - LastVisitedMRU | Investigating LastVisitedMRU |
Windows - LNK Files | LNK File Analysis: LNKing It Together! |
Windows - LNK files | 13Cubed - Introduction to Windows Forensics |
Windows - LNK files | The Missing LNK — Correlating User Search LNK files |
Windows - LNK files | CVE-2020-0729: REMOTE CODE EXECUTION THROUGH .LNK FILES |
Windows - LNK files | 13Cubed - LNK Files and Jump Lists |
Windows - LNK files | Episode 19: “Quick Win” files #3 - .LNK files-Part 1 |
Windows - LNK files | Episode 20: “Quick Win” files #3 - .LNK files-Part 2 |
Windows - LNK files | Episode 51: Lies My Computer Told Me-LNK Files |
Windows - LNK files | Exploring Windows Artifacts : LNK Files |
Windows - LSASS | LSASS.DMP... Attacker or Admin? |
Windows - Memory | Capturing Windows Memory |
Windows - OpenSaveMRU | Investigating OpenSaveMRU |
Windows - Pagefile.sys | Forensic Investigation: Pagefile.sys |
Windows - Photos | Investigating Windows Photos |
Windows - Prefetch | 13Cubed - Introduction to Windows Forensics |
Windows - Prefetch | Evidence of file execution |
Windows - Prefetch | 13Cubed - Prefetch Deep Dive |
Windows - Prefetch | Extracting Windows Prefetch Files |
Windows - Prefetch | Episode 23: “Quick Win” files #5 - Prefetch-Part 1 |
Windows - Prefetch | Episode 24: “Quick Win” files #5 - Prefetch-Part 2 |
Windows - Prefetch | Forensic Investigation : Prefetch File |
Windows - Prefetch | Investigating Prefetch |
Windows - Printer Usage via Event Logs | How to track printer usage with event logs |
Windows - Program Execution Artifacts | Analyzing Program Execution Windows Artifacts |
Windows - Protected Content | Accessing Protected Content using Windows Domain Controllers and Workstations |
Windows - Recycle Bin | Windows Forensics: analysis of Recycle bin artifacts |
Windows - Recycle Bin | 13Cubed - Recycle Bin Forensics |
Windows - Recycle Bin | Investigating Windows Recycle Bin |
Windows - Registry | A Technical Guide to Examining the Windows Registry |
Windows - Registry | Forensic Investigation: Windows Registry Analysis |
Windows - Registry | Registry hive basics part 1 |
Windows - Registry | Registry hive basics part 2: NK records |
Windows - Registry | Registry hive basics part 3: VK records |
Windows - Registry | Registry hive basics part 4: SK records |
Windows - Registry | Registry hive basics part 5: Lists |
Windows - Registry | Exploring the Registry at the hex level |
Windows - Registry | RECmd: command line tool for Windows Registry analysis |
Windows - Registry | Episode 75: What is the Windows Registry? |
Windows - Registry | Episode 76: Investigating the Windows Registry using Registry Explorer - Part 1 |
Windows - Registry | Episode 77: Investigating the Windows Registry using Registry Explorer - Part 2 |
Windows - Registry | Episode 78: What is the Windows Registry transaction log? |
Windows - Registry | Episode 14: “Quick Win” files #1 - The Registry-Part 1 |
Windows - Registry | Episode 15: “Quick Win” files #1 - The Registry-Part 2 |
Windows - Registry | Exploring the Hive - Deep Inside the Windows Registry |
Windows - Registry | Windows registry Transaction Logs in forensic analysis |
Windows - Registry | Exploring the Hive - Deep Inside the Windows Registry, Part 2 |
Windows - Registry | Your AV is Trying to Tell You Something: Registry |
Windows - Registry | Registry Hive File Structure Analysis |
Windows - Scheduled Tasks | A Deep Dive Into Windows Scheduled Tasks and The Processes Running Them |
Windows - Security Event Logs | Windows Security Event Logs: my own cheatsheet |
Windows - Services | Investigating Windows Services |
Windows - Shellbags | 13Cubed - Introduction to Windows Forensics |
Windows - Shellbags | 13Cubed - Shellbag Forensics |
Windows - Shellbags | Episode 21: “Quick Win” files #4 - Shellbags-Part 1 |
Windows - Shellbags | Episode 22: “Quick Win” files #4 - Shellbags-Part 2 |
Windows - Shellbags | Forensic Investigation: Shellbags |
Windows - Shellbags | Investigating Shellbags |
Windows - ShimCache | 13Cubed - Windows Application Compatibility Forensics |
Windows - SRUM | Investigating Windows System Resource Usage Monitor (SRUM) |
Windows - StartupInfo | Who Left the Backdoor Open? Using Startupinfo for the Win |
Windows - Task Scheduler | Investigating Task Scheduler |
Windows - Taskbar | Employing FeatureUsage for Windows 10 Taskbar Forensics |
Windows - ThumbCache | Investigating ThumbCache |
Windows - Thumbs.db | Investigating Thumbs.db |
Windows - Time | Let's talk about time |
Windows - Time Zones | Case 001 – The Timing of it All |
Windows - Updates | Investigating Windows Update Log |
Windows - User Access Logs (UAL) | Windows User Access Logs (UAL) |
Windows - User Access Logs (UAL) | A new type of User access log |
Windows - User Access Logs (UAL) | UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations |
Windows - User Accounts | Blue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process, Applications, Folders, and Files |
Windows - User Accounts | Investigating User Accounts - Forensafe |
Windows - UserAssist | 13Cubed - Introduction to Windows Forensics |
Windows - UserAssist | UserAssist — with a pinch of Salt — As an “Evidence of Execution” |
Windows - Various User Data | Blue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData, and Environment Variables |
Windows - Volume Shadow Copies | Extracting unallocated clusters from a shadow copy |
Windows - Volume Shadow Copies | Offline shadow copies |
Windows - Volume Shadow Copies | 13Cubed - The Volume Shadow Knows |
Windows - Volume Shadow Copies | Episode 53: Volume Shadow Copy-Part 1 |
Windows - Volume Shadow Copies | Episode 54: Volume Shadow Copy-Part 2 |
Windows - Volume Shadow Copies | Episode 55: Volume Shadow Copy-Part 3 |
Windows - Volume Shadow Copies | Shadow copies become less visible |
Windows - Windows Install Date | When Windows Lies |
Windows - WinSCP | Detecting Lateral Movement with WinSCP |
Windows - Wireless Networks | Investigating Windows Wireless Networks |
Windows - Zone Identifiers | Zone.Identifier: A Couple Of Observations |
Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 3: Clipboard Craziness |
Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 1: The High Points |
Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 2: Synching Across Devices |
Windows 10 - Activity Timeline | Reconstructing User Activity for Forensics with FeatureUsage |
Windows 10 - Activity Timeline | Investigating Windows 10 Timeline |
Windows 10 - Activity Timeline | Analyzing Microsoft Timeline, OneDrive and Personal Vault Files |
Windows 10 - Cortana | Investigating Windows Cortana |
Windows 10 - Google Drive | Artifacts of Google Drive Usage on Windows 10 (Part 1) |
Windows 10 - Install Date | Windows 10 Install Date - The Real One |
Windows 10 - Mail App | Windows 10 Mail App Forensics |
Windows 10 - Notifications | Investigating Windows 10 Notifications |
Windows 10 - NTFS Timestamps | NTFS Timestamp changes on Windows 10 |
Windows 10 - Remote RAM Capture | Capturing and Retrieving a Memory Image Remotely |
Windows 10 - Shimcache | Let's Talk about Shimcache - The Most Misunderstood Artifact |
Windows 10 - Sticky Notes | Windows 10 Sticky Notes Location |
Windows 10 - USB Storage | USB storage forensics in Win10 #1 - Events |
Windows 10 - Windows Timeline | Windows Timeline: Putting the what & when together |
Windows 11 - ETW | ETW on Windows 11 - Initial thoughts |
Windows 11 - New ETW Providers | Windows 11 “New” ETW Providers — Overview |
Windows 11 Changes | Windows 10 vs. Windows 11, What Has Changed? - Andrew Rathbun |
Windows 11 GUID Partition Scheme (GPT) | Boggle-bytes in a Basic Data Partition Entry - Ian D |
Windows Artifacts General Reference | |
Windows Calendar | Investigating Windows Calendar |
Windows Event Tracing | Open .ETL Files with NetworkMiner and CapLoader |
Windows Images with Infections for Testing | DFIRArtifactMuseum - Andrew Rathbun |
Windows Logon Banner | Investigating Logon Banner - Forensafe |
Windows Mail | Investigating Windows Mail - Forensafe |
Windows Management Instrumentation (WMI) | Investigating Windows Management Instrumentation (WMI) - Forensafe |
Windows Management Instrumentation (WMI) | WMI Internals Part 1 - jsecurity101 |
Windows Registry | Mysteries of the Registry - Pavel Yosifovich |
Windows Run MRU | Investigating Windows Run MRU - Forensafe |
Windows Search Index | Investigating Windows Search Index - Forensafe |
Windows Search Index | Windows Search Index - AON Cyber Labs |
Windows Startup Programs | Investigating Windows Startup Programs - Forensafe |
Windows Subsystem for Linux | Windows Subsystem for Linux: Finding the Penguin - SketchyMoose |
Windows Terminal | Investigating Windows Terminal - Forensafe |
Windows Update Impact on Artifacts | Can Windows Update fool you during the investigation? - CyberDefNerd |
WinRAR | Investigating WinRAR - Forensafe |
WinZip | Investigating WinZip - Forensafe |
Wireless Networks | Investigating Windows Wireless Networks - Forensafe |
WordPad Recent Files | Investigating WordPad Recent Files - Forensafe |
WSH | The Forensic Value of the (Other) WSH Registry Key - RAT In Mi Kitchen |
YARA Rules | Investigating Artifacts Using YARA Rules with ArtiFast - Forensafe |
ZIP Files and Compressed Archives | Forensically Analyzing ZIP & Compressed Files |
Zone.Identifier Stream | Forensic Analysis of the Zone.Identifier Stream - Digital Detective |
Zoom | Investigating Zoom - Forensafe |