AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table

See below for a list of Windows Tools.

Belkasoft RAM Capturer
DB Browser for SQLite
DetectionHistory Parser Windows Defender DetectionHistory parser
DissectDissect is a collection of Python libraries and tools to facilitate enterprise-scale incident response and forensics. Click here for an intro video from 13Cubed.
DumpItDumpIt is a fast memory acquisition tool for Windows (x86, x64, ARM64). Generate full memory crash dumps of Windows machines.
Cyber Triage LiteFree Windows tool - Tool explanation (Part 1) (Part 2) (Part 3)
Encrypted Disk Detector
Event Log Explorer
EzETWCmdlets for capturing Windows Events - Tool explanation (here)
Forensic Toolkit for SQLite + ESE addonComprised of 2 back-end Extensible Storage Engine (ESE) databases and other configuration files.
Foxton Browser History Viewer
FTK ImagerForensically sound logical file/folder acquisition
HashtopolisHashtopolis is a multi-platform client-server tool for distributing Hashcat tasks to multiple computers.
HayabusaWindows event log fast forensics timeline generator and threat hunting tool Blog Post Explainer
Hibernation Recon
HintfoIntro to Hintfo - Exif Viewer
Jump lists in depth: Understand the format to better understand what your tools are (or aren't) doing
JumpList Explorer
Log Parser
LSASecretsViewThe LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain a user's Autologon password, RAS and/or VPN passwords, and other system passwords/keys.
Magnet AxiomUses Volatility
Magnet RAM Capture
Memory BaselinerMemory Baselining tool with Volatility 3 and standalone
Mount Image Pro
NeedleFind Windows registry files in a blob of data
NirSoft - Forensic Tools
O365 Python ParseParsing O365 UAL using Python
RBCmdINFO2 and $I files
RDP Replay
Registry Explorer/RECmdNTUser.dat, System.dat, Security,dat, Software.dat, SAM.dat
Registry Explorer/RECmdThe LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain a user's Autologon password, RAS and/or VPN passwords, and other system passwords/keys.
SDB Explorer
SQLite Browser
SuperMemWindows Memory Parsing Tool
TimesketchTimesketch is an open-source tool for collaborative forensic timeline analysis.
ThumbCacheViewerthumbcache_*.db and iconcache_*.db database files
Thumbs ViewerThumbs.db, ehthumbs.db, ehthumbs_vista.db, Image.db, Video.db, TVThumb.db, and musicThumbs.db database files
USB Detective
Velociraptor for Dead Disk & Dead Disk Forensics - Velociraptor & Paths and Filesystem Accessors - Velociraptor
WMI ExplorerGUI for exploring WMI on a live system
WMI Forensics2 Python scripts for parsing out WMI artifacts
WoanWare USB Device Forensics
WxTCmdWindows 10 timeline database parser
yEd graph editorCreate diagrams by importing external data - layout algorithms arrange even large datasets - (Shown in this example article on firewall analysis.)

See below for a list of Windows Artifacts.

Artifact or ProcessResource
1PasswordInvestigating Windows 1Password - Forensafe
360 Secure BrowserInvestigating 360 Secure Browser - Forensafe
7-ZipInvestigating 7-Zip
AD1 FormatDissecting the AD1 File Format
Adobe Acrobat ReaderInvestigating Adobe Acrobat Reader - Forensafe
ADS Zone.IdentifierStripped off ADS (Zone.Identifier) for files downloaded in the incognito/private mode. - CyberDefNerd
Alternate Data StreamsList of articles or [Direct Download]Windows Alternate Data Streams (ADS) - winitor
Amcache - SHA-1Amcache contains SHA-1 Hash – It Depends! - NVISO Labs
AnyDeskDigital Forensic Artifact of Anydesk Application
AnyDesk Forensic Analysis of AnyDesk Logs
AnyDeskInvestigating AnyDesk
AnyDeskAnyDesk Forensic Analysis and Artefacts - Hats Off Security
AnyDeskAnyDesk Forensics | AnyDesk Log Analysis - Tyler Brozek
AnyDeskInvestigating Windows AnyDesk - Forensafe
APOLLO on Windows Apple Pattern of Life Lazy Output'er (APOLLO) on Windows
App Timeline Provider - SRUMApp Timeline Provider - SRUM Database - Cassie Doemel
AVG AntivirusInvestigating Windows AVG Antivirus - Forensafe
Avira AntivirusInvestigating Windows Avira Antivirus - Forensafe
Background Activity Monitor (BAM)Investigating Windows Background Activity Moderator (BAM) - Forensafe
Battery LevelBattery charge level and its importance in forensics investigations - CyberDefNerd
Battery Levels Why do the battery use and the battery level matter during the investigation? - CyberDefNerd
BitCometInvestigating Window BitComit - Forensafe
BitdefenderInvestigating Windows Bitdefender Antivirus - Forensafe
BitTorrentInvestigating Windows Bittorrent - Forensafe
BoxInvestigating Box
Box SyncInvestigating Box Sync
BoxDriveInvestigating Windows BoxDrive - Forensafe
Brave Web BrowserInvestigating Brave Web Browser
Browser ArtifactsAnalysing Web Browsers Forensic Artifacts - Digital Investigator
Browser Downloads in $UsnJrnlEasy way to prove that a file was downloaded by a web browser, having only $UsnJrnl logs. - CyberDefNerd
Capability Access Manager (Camera/Mic Usage)Can you track processes accessing the camera and microphone? and an Update in: I can see and hear you seeing and hearing me!
Chrome - Changes in v96Cookies Database Moving in Chrome 96
Chrome History - DeletedRecovering Cleared Browser History - Chrome Forensics - InverseCos
Cisco Webex MeetingsInvestigating Cisco Webex Meetings - Forensafe
Clipboard ArtifactsHow to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History - inversecos
Computer NameInvestigating Computer Name
ContainersWindows Container Forensics
CortanaInvestigating Cortana - Forensafe
DefenderInvestigating Windows Defender - Forensafe
Desktop WallpaperInvestigating Desktop Wallpaper - Forensafe
DiscordFinding Discord app chats in Windows.
Discord Update on Discord forensic artifacts for iOS & Windows
Download ManagerQuick analysis of the Internet Download Manager history using RegRipper plugins - CyberDefNerd
DropboxArtifacts of Dropbox Usage on Windows 10 (Part 1)
DropboxArtifacts of Dropbox Usage on Windows 10 (Part 2)
DropboxInvestigating the Dropbox Desktop App for Windows with Belkasoft X
DropboxInvestigating Dropbox
Email ForensicsEmail Forensics – Definition and Guideline - Salvation Data
Email Forensics/ArtifactsTechniques In Email Forensic Analysis and Email Header Forensic Analysis - Joseph Moronwi
Event Log (Damaged Logs)Event Log Explorer Forensic Edition – working with damaged logs or disks - EventLogExplorer
Event Log AccessC:\ProgramData\Microsoft\Event Viewer\ExternalLogs – artifacts showing what Windows Event Logs were opened on the suspected device - CyberDefNerd
Event LogsFiles in Event Log Explorer Forensic Edition. Searching for removed events - FSPro Labs Download
Event LogsInvestigating Windows Event Logs - Forensafe
Event Logs (Cheat Sheet)Hunting Windows Event Logs - Avesta Fahimipour
Event Tracing (ETW)A Begginers All Inclusive Guide to ETW - Blakes R & D
EvernoteInvestigating Evernote
Exif DataHow To Use ExifTool To Look At Metadata - CyberSocialHub
Exif Data that was "removed"Windows Explorer: Improper Exif Data Removal - Didier Stevens
ExpressVPNInvestigating ExpressVPN - Forensafe
Facebook MessengerInvestigating Facebook Messenger Windows Application
FeatureUsageEmploying FeatureUsage for Windows 10 Taskbar Forensics - Crowdstrike
File CarvingFile carving: Recovering a deleted file from a Windows disk image
File CarvingFile Carving In Windows - Joseph Moronwi
File Explorer - Temporary Zip FoldersInvestigating Explorer's temporary ZIP folders and retrieving files - MattCASmith
File Extension AssociationsInvestigating File Extension Associations - Forensafe
File Signature And Hash AnalysisFile Signature And Hash Analysis - Joseph Moronwi
FileZillaInvestigating FileZilla - Forensafe
FirefoxInvestigating Firefox
Foxit PDF ReaderInvestigating Foxit Reader - Forensafe
F-SecureInvestigating Windows F-Secure - Forensafe
GIMPQuick tip: GIMP Recent Files Artifact
GKE ContainersInvestigating a GKE Container - Open Source DFIR
Google ChromeHas the user logged into this account, or not? (Google Chrome’s Login Data-Part 1) (Part 2)
Google ChromeChrome Media History
Google Chrome Chrome Media History Tracking Your Viewing Habits
Google ChromeChromium Session Storage and Local Storage
Google ChromeInvestigating Google Chrome Web Browser
Google DriveData Exfiltration Using Google Drive — Forensic Investigation
Google DriveInvestigating Google Drive
Google Drive FSInvestigating Windows Google Drive - Forensafe
Google Tasks - Google TakeoutCheck Marks the Spot - Google Tasks from Takeout - Stark4n6
GoToMeetingGoToForensics - DFIR TNT
HeapLeakDetection Registry KeyThe Mystery of the HeapLeakDetection Registry Key - RAT in Mi Kitchen
HTTP Request HeadersUnderstanding HTTP Request Headers - Josh Rickard
imo (Messenger)Investigating Window imo - Forensafe
INetCacheINetCache: Exploiting From Within - ParaFlare
InstallDate affected by Win11 UpgradeWindows InstallDate could be changed via Windows Update
Installed Programs ListInvestigating Installed Programs
Internet ExplorerInvestigating Internet Explorer Web Browser
iTunesWindows iTunes Desktop Application - Forensafe
Jump ListsInvestigating Jump Lists
Kaspersky AntivirusInvestigating Windows Kaspersky Antivirus - Forensafe
Last Accessed KeyInvestigating Last Accessed Key
Last ShutdownInvestigating Last Shutdown - Forensafe
LNK filesInvestigating Link File
LNK FilesExploring Windows Artifacts : LNK Files - u0041
Logfile Windows Logfile - Forensafe
LogMeINInvestigating LogMeIN - Forensafe
LogonBetter know a data source: Logon sessions - Jonathan Johnson
MAC RandomizationMAC Randomization in Windows - Forensic 4:cast
Machine SIDInvestigating MachineSID - Forensafe
MalwarebytesInvestigating Windows MalwareBytes - Forensafe
Mapped Network DrivesInvestigating Windows Mapped Network Drives - Forensafe
MapsInvestigating Windows 10 Maps
MEGAEven more MEGA - kibaffo33
MegaNZ/MegaCMDForensic Investigation of the MEGAcmd Client - Awake Security
Mega's megapreferencesDecrypting Mega’s megaprefences Sqlite Database - AskClees Part 2
MEGAsyncAn Encounter With Ransomware-as-a-Service: MEGAsync Analysis
Memories Leaky Notifications from Windows 11 - Ian D
Microsoft EdgeInvestigating Microsoft Edge Web Browser and Application
Microsoft Edge (Chromium)Investigating Edge Chromium Web Browser
Microsoft Management Console MRUInvestigating Microsoft Management Console (MMC) MRU - Forensafe
Microsoft OfficeAn Inside View of Office Document Cache Exploitation
Microsoft OfficeInvestigating Microsoft Office - Forensafe
Microsoft Office 365Everything you need to know about MailItemsAccessed and more
Microsoft Teams Microsoft Teams artifacts and chat logs
Microsoft TeamsMicrosoft Teams and Skype Logging Privacy Issue
Microsoft TeamsMicrosoft Teams Logs for Activity
Microsoft TeamsCollecting from Microsoft Teams using PowerShell
Microsoft TeamsMS Teams Desktop Forensic - Misconfig
Microsoft User Access Logs (UAL)A new type of User access log
Mozilla ThunderbirdInvestigating Thunderbird Windows Application
MPLogMind the MPLog: Leveraging Microsoft Protection Logging for Forensic Investigations - CrowdStrike
MRUWhat is MRU (Most Recently Used)? - Magnet Forensics
MUICacheForensic Analysis of MUICache Files in Windows - Magnet Forensics
MUICacheLet's Talk About MUICache - 13Cubed
MUICache (Multilingual User Interface)Investigating MUICache
Network InterfacesInvestigating Windows Network Interfaces - Forensafe
Network Persistent State (Chromium)Recovering WiFi SSIDs from Chromium's Network Persistent State File - Alex Bilz
Network Traffic Analyzing Network Packets With Wireshark – AD And User Enumeration - m365guy
Notepad++Investigating Windows Notepad++ Desktop Application - Forensafe
Office MRUWhat is a Microsoft Office Most Recently Used Artifact “MRU” - Cyber Triage
OneDriveOneDrive and NTFS last access timestamps
OneDriveInvestigating OneDrive
OneDriveReading OneDrive Logs: Part 1 Part 2 - SwiftForensics
OneDrive - $MFTThe $MFT flag that you have never considered before – OneDrive not synchronized files. - CyberDefNerd
OneDrive Folder StructureRecreating OneDrive’s Folder Structure from .dat
OneDrive LogsReading OneDrive Logs - SwiftForensics
OpenSaveMRUWhat is a Windows OpenSave MRU Artifact? - CyberTriage
OpenVPNInvestigating Windows OpenVPN - Forensafe
Opera Web BrowserInvestigating Opera Web Browser
OutlookInvestigating Outlook Windows Application
Page File URL'sInvestigating Page File URL's - Forensafe
PagefileAn Intro to Pagefil Forensic
Paint MRUInvestigating Paint MRU
pCloudInvestigating pCloud - Forensafe
Persistence Mechanisms13Cubed - Persistence Mechanisms
Photo GPS ArtifactsOne Country, Two Systems - HackerFactor
PowershellPowershell - Forensafe
Powershell LogsHow long was the malicious PowerShell script active on the compromised machine? - CyberDefNerd
PowerShell ScriptsReconstructing PowerShell scripts from multiple Windows event logs - Sophos
Powershell Scripts from Event LogsJoin PowerShell Script from Event Logs
PrefetchUncovering Hidden Clues: How Windows Artifact Prefetch Can Help in Digital Forensics Investigations in Windows 11 Machine - 4n6Shetty
Printer InformationInvestigating Printers Information
ProfilesInvestigating Profiles List - Forensafe
Program Compatibility AssistantNew Windows 11 Pro (22H2) Evidence of Execution Artifact! - Andrew Rathbun & Lucas Gonzalez
ProtonVPNInvestigating Proton VPN - Forensafe
PsExecThe Key to Identify PsExec - Fabian Mendoza
Quick AccessInvestigating Quick Access - Forensafe
Recent ItemsInvestigating Recent Items - Forensafe
RecentDocs MRUInvestigating RecentDocs MRU
Recents FolderWhat is a Windows Recents Folder Artifact? - Cyber Triage
RegistryThreat Hunting for Windows Registry - Alican Kiraz
RegistryThe Defender’s Guide to the Windows Registry - Luke Paine
Registry Hive BinsMaximum Exploitation of Windows Registry Hive Bins - Arsenal Recon
Remote Access SoftwareRemote Access Software - Forensics - Vikas Singh
Remote Desktop MRUInvestigating Remote Desktop Connection MRU
Remote Desktop Protocol (RDP)13Cubed - RDP Cache Forensics & 13Cubed - RDP Event Log Forensics
Remote Desktop Protocol (RDP)Windows Forensic Analysis: some thoughts on RDP related Event IDs
Remote Desktop Protocol (RDP)Remote Desktop Connection (mstsc.exe) Screen in a Memory Dump Analysis
RunMRUInvestigating Run MRU - Forensafe
ScreenshotsTracking screenshots with LNK files - ThinkDFIR
SDeleted FilesForensic Detection of Files Deleted via SDelete - InverseCos
Searched Strings/WordWheelQueryInvestigating Searched Strings
Security:4624 (Win11)DFIR FYI: Security:4624 has been updated in Windows 11 Pro (22H2) - Andrew Rathbun
ShimCacheInvestigating ShimCache with ArtiFast ShimCache Artifact Parser - Forensafe
SignalPulling encrypted Signal messages off of desktop OS’ for forensics
SignalSignal for Desktop - A Digital Forensics Perspective
SignalInvestigating Signal with ArtiFast Signal
SkypeAnalysis of Skype - Windows 10 App Version 12.7 and higher
SkypeSkype Analysis - From the old one to the newest one - A First Overview
SkypeExtracting Skype Histories and Deleted Files Metadata from Microsoft Account
SkypeMicrosoft Teams and Skype Logging Privacy Issue
SkypeInvestigating Skype for Desktop and Windows Application
Skype (Metro App)Analysis of Skype App for Windows (Metro-App) - Version 14.xx
SlackInvestigating Slack for Windows - Forensafe
SQLite DatabasesSQLite Forensics with Belkasoft X
SRUMSRUM: Forensic Analysis of Windows System Resource Utilization Monitor - Magnet Forensics
SRUM - SRUBD.datSwimming in the SRUM
Sticky NotesInvestigating Sticky Notes
Swapfile URL'sInvestigating Swap File URL's - Forensafe
SysmonSysmon 13.10 — FileDeleteDetected
System InformationInvestigating System Information
System Resource Utilization Monitor (SRUM)13Cubed - Windows SRUM Forensics
Task SchedulerInvestigating Task Scheduler
TasksWindows Registry Analysis – Today’s Episode: Tasks - Cyber.wtf
TeamViewerDigital Forensic Artifact of TeamViewer Application
TeamViewerTeamViewer Forensics
TeamViewerMagnet User Summit DFIR CTF 2019-Activity
TeamViewerAnalyze TeamViewer and its Log Files For Investigation
TeamViewerTeamViewer Forensics
TeamViewerBlog #27: IPv6 in TeamViewer(v15) part 1. [EN] & Blog #28: IPv6 in TeamViewer(v15) part 2. [EN]
TeamViewerBlog #28: IPv6 in TeamViewer(v15) part 2. [EN]
Time Rules - Windows 11Windows 11 Time Rules - Khyrenz Ltd
Timezone InformationInvestigating Timezone Information - Forensafe
Torch BrowserInvestigating Torch Web Browser
Typed PathsInvestigating Typed Paths
Typed URLsInvestigating Typed URLs
UC Web BrowserInvestigating UC Web Browser
UnigramInvestigating Windows Unigram - Forensafe
Universal Serial Bus (USB)Episode 106: The TWO Serial Numbers of a USB Device - Part 1 - 3 Min Max Series, Episode 107: Part 2, Episode 108: Part 3
Universal Serial Bus (USB)USB IDs
Universal Serial Bus (USB)13Cubed - Introduction to USB Detective
Universal Serial Bus (USB)DeviceHunt
Universal Serial Bus (USB)A Monkey Forays Into USB Flashdrives
Universal Serial Bus (USB)No Drive Letter, No USB Evidence? Think Again!
Universal Serial Bus (USB)Investigating USB Drives using Mount Points Not Drive Letters
Universal Serial Bus (USB)13Cubed - Introduction to Windows Forensics
Universal Serial Bus (USB)Episode 109: The TWO Serial Numbers of a USB Device - Part 4
Universal Serial Bus (USB)Episode 98: USB Forensics Series - Part 1 of 7
Universal Serial Bus (USB)Episode 99: USB Forensics Series - Part 2 of 7
Universal Serial Bus (USB)Episode 101: USB Forensics Series - Part 3 of 7
Universal Serial Bus (USB)Episode 102: USB Forensics Series - Part 4 of 7
Universal Serial Bus (USB)Episode 103: USB Forensics Series - Part 5 of 7
Universal Serial Bus (USB)Episode 104: USB Forensics Series - Part 6 of 7
Universal Serial Bus (USB)Episode 105: USB Forensics Series - Part 7 of 7
Universal Serial Bus (USB)Incident Response Thumb Drive
USB "Serial Numbers"The Truth About USB Device Serial Numbers – (and the lies your tools tell) - Computer Evidence Recovery
USB Artifacts with no logged-in userhttps://www.khyrenz.com/blog/usbs-without-login/>USB connections with no logged-in user
USB Connection TimesUSB or not USB... Connection Times - Kathryn Hedley
USB DevicesInvestigating USB Devices - Forensafe
UserAssistInvestigating UserAssist
VelociraptorVelociraptor - Dig Deeper
Viber.dbOn Viber.db and Thumbnail Paths - Random Dent
VirtualBoxInvestigating VirtualBox - Forensafe
Vivaldi BrowserInvestigating Vivaldi Web Browser
VMTools Persistence - VMWareToolBoxCmd.exeAnalyzing and Detecting a VMTools Persistence Technique
VMWareInvestigating VMware Windows Application
VSSVSS Carving - Pt. 1, Setup - Nullsec and Pt. 2
Web Browsers (Chrome, Firefox, Edge)Web Browsers Forensics
WhatsAppWhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts
WhatsappInvestigating WhatsApp
Windows - Active DirectoryDFIR – Windows and Active Directory persistence and malicious configurations
Windows - AmCacheAnalysis of the AmCache
Windows - Amcache(Am)Cache rules everything around me
Windows - AmcacheInvestigating Amcache
Windows - BAMBAM internals
Windows - BitLockerBitLocker Decryption Explained
Windows - BitLockerHow to handle Bitlocker Encrypted Volumes
Windows - BitLockerThe Interesting Case of Windows Hibernation and BitLocker
Windows - BitLockerBitLocker for DFIR – Part III
Windows - BitLockerBitLocker for DFIR – Part II
Windows - BitLockerBitLocker for DFIR – Part I
Windows - BITSBack in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service
Windows - CertUtilCertutil download artefacts
Windows - CertutilCertutil Artifacts Analysis
Windows - Compressed MemoryForensic analysis of Windows 10 compressed memory using Volatility
Windows - Event IDsEvent ID 1024
Windows - Event IDs4625 Events – Know your enemy
Windows - Event IDsDNS investigation on Windows
Windows - Event LogsMaking the Most Out of WLAN Event Log Artifacts
Windows - Event LogsParsing carved evtx records using EvtxECmd
Windows - Event Logs13Cubed - Event Log Forensics with Log Parser
Windows - Event Logs13Cubed - Introduction to EvtxECmd
Windows - Event LogsAre you sure you extract all the available Volume Serial Numbers (VSNs) that reside in the Windows 10 Event Log “Microsoft-Windows-Partition%4Diagnostic.evtx”?
Windows - Event LogsFinding Forensic Goodness In Obscure Windows Event Logs
Windows - Event LogsUsing the Convert-EventLogRecord function alongside the Get-WinEvent PowerShell cmdlet to search Windows event logs
Windows - EventTranscript.dbForensically Unpacking EventTranscript.db: An Investigative Series
Windows - EventTranscript.dbEventTranscript.db Research
Windows - EventTranscript.dbParsing Diagnostic Data With Powershell and Enhanced Logging
Windows - EventTranscript.dbParsing EventTranscript.db With KAPE and SQLECmd
Windows - EventTranscript.dbForensic Quick Wins With EventTranscript.DB: Win32kTraceLogging
Windows - EventTranscript.dbEventTranscript.db vs .rbs Files and Their Relation to DiagTrack
Windows - ExecutablesVerifying executables on Windows
Windows - hiberfil.sysHow to read Windows Hibernation file (hiberfil.sys) to extract forensic data?
Windows - JumpLists13Cubed - LNK Files and Jump Lists
Windows - JumpListsEpisode 17: “Quick Win” files #2 - Jumplists-Part 2
Windows - JumpListsEpisode 16: “Quick Win” files #2 - Jumplists-Part 1
Windows - JumpListsEpisode 52: The invisible files - Jumplists
Windows - LastVisitedMRUInvestigating LastVisitedMRU
Windows - LNK FiesLNK File Analysis: LNKing It Together!
Windows - LNK files13Cubed - Introduction to Windows Forensics
Windows - LNK filesThe Missing LNK — Correlating User Search LNK files
Windows - LNK files13Cubed - LNK Files and Jump Lists
Windows - LNK filesEpisode 20: “Quick Win” files #3 - .LNK files-Part 2
Windows - LNK filesEpisode 19: “Quick Win” files #3 - .LNK files-Part 1
Windows - LNK filesEpisode 51: Lies My Computer Told Me-LNK Files
Windows - LNK filesExploring Windows Artifacts : LNK Files
Windows - LSASSLSASS.DMP... Attacker or Admin?
Windows - MemoryCapturing Windows Memory
Windows - OpenSaveMRU Investigating OpenSaveMRU
Windows - Pagefile.sysForensic Investigation: Pagefile.sys
Windows - PhotosInvestigating Windows Photos
Windows - Prefetch13Cubed - Introduction to Windows Forensics
Windows - PrefetchEvidence of file execution
Windows - Prefetch13Cubed - Prefetch Deep Dive
Windows - PrefetchExtracting Windows Prefetch Files
Windows - PrefetchEpisode 24: “Quick Win” files #5 - Prefetch-Part 2
Windows - PrefetchEpisode 23: “Quick Win” files #5 - Prefetch-Part 1
Windows - PrefetchForensic Investigation : Prefetch File
Windows - PrefetchInvestigating Prefetch
Windows - Printer Usage via Event LogsHow to track printer usage with event logs
Windows - Program Execution ArtifactsAnalyzing Program Execution Windows Artifacts
Windows - Protected ContentAccessing Protected Content using Windows Domain Controllers and Workstations
Windows - Recycle BinWindows Forensics: analysis of Recycle bin artifacts
Windows - Recycle Bin13Cubed - Recycle Bin Forensics
Windows - Recycle BinInvestigating Windows Recycle Bin
Windows - RegistryA Technical Guide to Examining the Windows Registry
Windows - RegistryForensic Investigation: Windows Registry Analysis
Windows - RegistryRegistry hive basics part 1
Windows - RegistryRegistry hive basics part 2: NK records
Windows - RegistryRegistry hive basics part 3: VK records
Windows - RegistryRegistry hive basics part 4: SK records
Windows - RegistryRegistry hive basics part 5: Lists
Windows - RegistryExploring the Registry at the hex level
Windows - RegistryRECmd: command line tool for Windows Registry analysis
Windows - RegistryEpisode 75: What is the Windows Registry?
Windows - RegistryEpisode 78: What is the Windows Registry transaction log?
Windows - RegistryEpisode 76: Investigating the Windows Registry using Registry Explorer - Part 1
Windows - RegistryEpisode 77: Investigating the Windows Registry using Registry Explorer - Part 2
Windows - RegistryEpisode 15: “Quick Win” files #1 - The Registry-Part 2
Windows - RegistryEpisode 14: “Quick Win” files #1 - The Registry-Part 1
Windows - RegistryExploring the Hive — Deep Inside the Window Registry
Windows - RegistryWindows registry Transaction Logs in forensic analysis
Windows - RegistryExploring the Hive- Deep inside the Windows Registry. pt 2
Windows - RegistryYour AV is Trying to Tell You Something: Registry
Windows - RegistryRegistry Hive File Structure Analysis
Windows - Scheduled TasksA Deep Dive Into Windows Scheduled Tasks and The Processes Running Them
Windows - Security Event LogsWindows Security Event Logs: my own cheatsheet
Windows - ServicesInvestigating Windows Services
Windows - Shellbags13Cubed - Introduction to Windows Forensics
Windows - Shellbags13Cubed - Shellbag Forensics
Windows - ShellbagsEpisode 22: “Quick Win” files #4 - Shellbags-Part 2
Windows - ShellbagsEpisode 21: “Quick Win” files #4 - Shellbags-Part 1
Windows - ShellbagsForensic Investigation: Shellbags
Windows - ShellbagsInvestigating Shellbags
Windows - ShimCache13Cubed - Windows Application Compatibility Forensics
Windows - SRUMInvestigating Windows System Resource Usage Monitor (SRUM)
Windows - StartupInfoWho Left the Backdoor Open? Using Startupinfo for the Win
Windows - Task SchedulerInvestigating Task Scheduler
Windows - TaskbarEmploying FeatureUsage for Windows 10 Taskbar Forensics
Windows - ThumbCacheInvestigating ThumbCache
Windows - Thumbs.dbInvestigating Thumbs.db
WIndows - TimeLet's talk about time
Windows - Time ZonesCase 001 – The Timing of it All
Windows - UpdatesInvestigating Windows Update Log
Windows - User Access Logs (UAL)Windows User Access Logs (UAL)
Windows - User Access Logs (UAL)A new type of User access log
Windows - User Access Logs (UAL)UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations
Windows - User AccountsBlue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process, Applications, Folders, and Files
Windows - User AccountsInvestigating User Accounts - Forensafe
Windows - UserAssist13Cubed - Introduction to Windows Forensics
Windows - UserAssistUserAssist — with a pinch of Salt — As an “Evidence of Execution”
Windows - Various User DataBlue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData, and Environment Variables
Windows - Volume Shadow CopiesExtracting unallocated clusters from a shadow copy
Windows - Volume Shadow CopiesOffline shadow copies
Windows - Volume Shadow Copies13Cubed - The Volume Shadow Knows
Windows - Volume Shadow CopiesEpisode 53: Volume Shadow Copy-Part 1
Windows - Volume Shadow CopiesEpisode 54: Volume Shadow Copy-Part 2
Windows - Volume Shadow CopiesEpisode 55: Volume Shadow Copy-Part 3
Windows - Volume Shadow CopiesShadow copies become less visible
Windows - Windows Install DateWhen Windows Lies
Windows - WinSCPDetecting Lateral Movement with WinSCP
Windows - Wireless NetworksInvestigating Windows Wireless Networks
Windows - Zone IdentifiersZone.Identifier: A Couple Of Observations
Windows 10 - Activity TimelineExploring the Windows Activity Timeline, Part 3: Clipboard Craziness
Windows 10 - Activity TimelineExploring the Windows Activity Timeline, Part 1: The High Points
Windows 10 - Activity TimelineExploring the Windows Activity Timeline, Part 2: Synching Across Devices
Windows 10 - Activity TimelineReconstructing User Activity for Forensics with FeatureUsage
Windows 10 - Activity TimelineInvestigating Windows 10 Timeline
Windows 10 - Activity TimelineAnalyzing Microsoft Timeline, OneDrive and Personal Vault Files
Windows 10 - CortanaInvestigating Windows Cortana
Windows 10 - Google DriveArtifacts of Google Drive Usage on Windows 10 (Part 1)
Windows 10 - Install DateWindows 10 Install Date - The Real One
Windows 10 - Mail AppWindows 10 Mail App Forensics
Windows 10 - NotificationsInvestigating Windows 10 Notifications
Windows 10 - NTFS TimestampsNTFS Timestamp changes on Windows 10
Windows 10 - Remote RAM CaptureCapturing and Retrieving a Memory Image Remotely
Windows 10 - ShimcacheLet's Talk about Shimcache - The Most Misunderstood Artifact
Windows 10 - Sticky NotesWindows 10 Sticky Notes Location
Windows 10 - USB StorageUSB storage forensics in Win10 #1 - Events
Windows 10 - Windows TimelineWindows Timeline: Putting the what & when together
Windows 11 - ETWETW on Windows 11 - Initial thoughts
Windows 11 - New ETW ProvidersWindows 11 “New” ETW Providers — Overview
Windows 11 ChangesWindows 10 vs. Windows 11, What Has Changed? - Andrew Rathbun
Windows 11 GUID Partition Scheme (GPT)Boggle-bytes in a Basic Data Partition Entry - Ian D
Windows Artifacts General Reference
Windows CalendarInvestigating Windows Calendar
Windows Event Tracing Open .ETL Files with NetworkMiner and CapLoader
Windows Images with Infections for TestingDFIRArtifactMuseum - Andrew Rathbun
Windows Logon BannerInvestigating Logon Banner - Forensafe
Windows MailInvestigating Windows Mail - Forensafe
Windows Management Instrumentation (WMI)Investigating Windows Management Instrumentation (WMI) - Forensafe
Windows Management Instrumentation (WMI)WMI Internals Part 1 - jsecurity101
Windows RegistryMysteries of the Registry - Pavel Yosifovich
Windows Run MRUInvestigating Windows Run MRU - Forensafe
Windows Search IndexInvestigating Windows Search Index - Forensafe
Windows Search IndexWindows Search Index - AON Cyber Labs
Windows Startup ProgramsInvestigating Windows Startup Programs - Forensafe
Windows Subsystem for LinuxWindows Subsystem for Linux: Finding the Penguin - SketchyMoose
Windows TerminalInvestigating Windows Terminal - Forensafe
Windows Update Impact on ArtifactsCan Windows Update fool you during the investigation? - CyberDefNerd
WinRARInvestigating WinRAR - Forensafe
WinZipInvestigating WinZip - Forensafe
Wireless NetworksInvestigating Windows Wireless Networks - Forensafe
WordPad Recent FilesInvestigating WordPad Recent Files - Forensafe
WSHThe Forensic Value of the (Other) WSH Registry Key - RAT In Mi Kitchen
YARA RulesInvestigating Artifacts Using YARA Rules with ArtiFast - Forensafe
ZIP Files and Compressed ArchivesForensically Analyzing ZIP & Compressed Files
Zone.Identifier StreamForensic Analysis of the Zone.Identifier Stream - Digital Detective
ZoomInvestigating Zoom - Forensafe