
AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Windows

For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table

See below for a list of Windows Tools.

Tool | Description
AmcacheParser
AppCompatCacheParser
Arsenal Image Mounter | Arsenal Image Mounter (AIM) Walkthrough
DB Browser for SQLite
Event Log Explorer
EvtxECmd
Forensic Toolkit for SQLite + ESE addon | Comprised of 2 back-end Extensible Storage Engine (ESE) databases and other configuration files.
Foxton Browser History Viewer
FTK Imager | Forensically sound logical file/folder acquisition
Hashcat
HashFinder | HashFinder, Hash Verifier, Password Checker, Hash Manager
Hashtopolis | Hashtopolis is a multi-platform client-server tool for distributing Hashcat tasks to multiple computers.
Hibernation Recon
JLECmd
Jump lists in depth: Understand the format to better understand what your tools are (or aren't) doing
JumpList Explorer
KAPE
l0ptCrack
LECmd
Log Parser
LSASecretsView | The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain a user's Autologon password, RAS and/or VPN passwords, and other system passwords/keys.
Magnet Axiom | Uses Volatility
Magnet Axiom
Mount Image Pro
NirSoft - Forensic Tools
NTLM Decrypter
PECmd
PowerShell
RBCmd | INFO2 and $I files
RDP Replay
RecentFileCacheParser
RECmd
Reconnoitre
Registry Explorer/RECmd | NTUser.dat, System.dat, Security.dat, Software.dat, SAM.dat
Registry Explorer/RECmd | The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain a user's Autologon password, RAS and/or VPN passwords, and other system passwords/keys.
Registry Explorer/RECmd
RegRipper
Rekall
SDB Explorer
SQLECmd
SQLite Browser
SrumECmd
SumECmd
ThumbCacheViewer | thumbcache_*.db and iconcache_*.db database files
Thumbs Viewer | Thumbs.db, ehthumbs.db, ehthumbs_vista.db, Image.db, Video.db, TVThumb.db, and musicThumbs.db database files
TZWorks USB Storage Parser (USB)
USB Detective
VFC
Volatility
WinPMEM
WMI Explorer | GUI for exploring WMI on a live system
WMI Forensics | 2 Python scripts for parsing out WMI artifacts
WxTCmd | Windows 10 timeline database parser

See below for a list of Windows Artifacts.

Artifact or Process | Resource
AD1 Format | Dissecting the AD1 File Format
Adobe Acrobat Reader | Investigating Adobe Acrobat Reader
AnyDesk | Digital Forensic Artifact of Anydesk Application
AnyDesk | Forensic Analysis of AnyDesk Logs
APOLLO on Windows | Apple Pattern of Life Lazy Output'er (APOLLO) on Windows
Box | Investigating Box
Box Sync | Investigating Box Sync
Brave Web Browser | Investigating Brave Web Browser
Camera/Microphone | Can you track processes accessing the camera and microphone?
Camera/Microphone | Can You Track Processes Accessing the Camera and Microphone on Windows 10?
Containers | Windows Container Forensics
Discord | Finding Discord app chats in Windows.
Discord | Update on Discord forensic artifacts for iOS & Windows
Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 1)
Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 2)
Dropbox | Investigating the Dropbox Desktop App for Windows with Belkasoft X
Dropbox | Investigating Dropbox
Facebook Messenger | Investigating Facebook Messenger Windows Application
File Carving | File carving: Recovering a deleted file from a Windows disk image
Firefox | Investigating Firefox
GIMP | Quick tip: GIMP Recent Files Artifact
Google Chrome | Has the user logged into this account, or not? (Google Chrome’s Login Data-Part 1)
Google Chrome | Has the user logged into this account, or not? (Google Chrome’s Web Data-Part 2)
Google Chrome | Chrome Media History
Google Chrome | Chrome Media History Tracking Your Viewing Habits
Google Chrome | Chromium Session Storage and Local Storage
Google Drive | Data Exfiltration Using Google Drive — Forensic Investigation
Google Drive | Investigating Google Drive
Internet Explorer | Investigating Internet Explorer Web Browser
MEGAsync | An Encounter With Ransomware-as-a-Service: MEGAsync Analysis
Microsoft Edge | Investigating Microsoft Edge Web Browser and Application
Microsoft Edge (Chromium) | Investigating Edge Chromium Web Browser
Microsoft Office | An Inside View of Office Document Cache Exploitation
Microsoft Office 365 | Everything you need to know about MailItemsAccessed and more
Microsoft Teams | Looking at Microsoft Teams from a DFIR Perspective
Microsoft Teams | Microsoft Teams artifacts and chat logs
Microsoft Teams | Microsoft Teams and Skype Logging Privacy Issue
Microsoft Teams | Microsoft Teams Logs for Activity
Microsoft Teams | Collecting from Microsoft Teams using PowerShell
Microsoft User Access Logs (UAL) | A new type of User access log
OneDrive | OneDrive and NTFS last access timestamps
OneDrive | Investigating OneDrive
Persistence Mechanisms | 13Cubed - Persistence Mechanisms
PowerShell | Investigating PowerShell
Remote Desktop Protocol (RDP) | 13Cubed - RDP Cache Forensics
Remote Desktop Protocol (RDP) | 13Cubed - RDP Event Log Forensics
Remote Desktop Protocol (RDP) | Windows Forensic Analysis: some thoughts on RDP related Event IDs
Remote Desktop Protocol (RDP) | Remote Desktop Connection (mstsc.exe) Screen in a Memory Dump Analysis
Signal | Pulling encrypted Signal messages off of desktop OS’ for forensics
Signal | Signal for Desktop - A Digital Forensics Perspective
Signal | Investigating Signal with ArtiFast Signal
Skype | Analysis of Skype - Windows 10 App Version 12.7 and higher
Skype | Skype Analysis - From the old one to the newest one - A First Overview
Skype | Extracting Skype Histories and Deleted Files Metadata from Microsoft Account
Skype | Microsoft Teams and Skype Logging Privacy Issue
Skype | Investigating Skype for Desktop and Windows Application
Skype (Metro App) | Analysis of Skype App for Windows (Metro-App) - Version 14.xx
Sysmon | Sysmon 13.10 — FileDeleteDetected
System Resource Utilization Monitor (SRUM) | 13Cubed - Windows SRUM Forensics
TeamViewer | Digital Forensic Artifact of TeamViewer Application
TeamViewer | TeamViewer Forensics
TeamViewer | Magnet User Summit DFIR CTF 2019-Activity
TeamViewer | Analyze TeamViewer and its Log Files For Investigation
TeamViewer | TeamViewer Forensics
TeamViewer | Blog #27: IPv6 in TeamViewer(v15) part 1. [EN]
TeamViewer | Blog #28: IPv6 in TeamViewer(v15) part 2. [EN]
ThumbCache | Investigating ThumbCache
Torch Web Browser | Investigating Torch Web Browser
UC Web Browser | Investigating UC Web Browser
Universal Serial Bus (USB) | Episode 106: The TWO Serial Numbers of a USB Device - Part 1 - 3 Min Max Series
Universal Serial Bus (USB) | Episode 107: The TWO Serial Numbers of a USB Device - Part 2
Universal Serial Bus (USB) | Episode 108: The TWO Serial Numbers of a USB Device - Part 3
Universal Serial Bus (USB) | USB IDs
Universal Serial Bus (USB) | 13Cubed - Introduction to USB Detective
Universal Serial Bus (USB) | DeviceHunt
Universal Serial Bus (USB) | A Monkey Forays Into USB Flashdrives
Universal Serial Bus (USB) | No Drive Letter, No USB Evidence? Think Again!
Universal Serial Bus (USB) | Investigating USB Drives using Mount Points Not Drive Letters
Universal Serial Bus (USB) | 13Cubed - Introduction to Windows Forensics
Universal Serial Bus (USB) | Episode 109: The TWO Serial Numbers of a USB Device - Part 4
Universal Serial Bus (USB) | Episode 98: USB Forensics Series - Part 1 of 7
Universal Serial Bus (USB) | Episode 99: USB Forensics Series - Part 2 of 7
Universal Serial Bus (USB) | Episode 101: USB Forensics Series - Part 3 of 7
Universal Serial Bus (USB) | Episode 102: USB Forensics Series - Part 4 of 7
Universal Serial Bus (USB) | Episode 103: USB Forensics Series - Part 5 of 7
Universal Serial Bus (USB) | Episode 104: USB Forensics Series - Part 6 of 7
Universal Serial Bus (USB) | Episode 105: USB Forensics Series - Part 7 of 7
Universal Serial Bus (USB) | Incident Response Thumb Drive
Velociraptor | Velociraptor - Dig Deeper
Web Browsers (Chrome, Firefox, Edge) | Web Browsers Forensics
WhatsApp | WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts
WhatsApp | Investigating WhatsApp
Windows - Active Directory | DFIR – Windows and Active Directory persistence and malicious configurations
Windows - AmCache | Analysis of the AmCache
Windows - Amcache | (Am)Cache rules everything around me
Windows - BAM | BAM internals
Windows - BitLocker | BitLocker Decryption Explained
Windows - BitLocker | How to handle Bitlocker Encrypted Volumes
Windows - BitLocker | The Interesting Case of Windows Hibernation and BitLocker
Windows - BitLocker | BitLocker for DFIR – Part III
Windows - BitLocker | BitLocker for DFIR – Part II
Windows - BitLocker | BitLocker for DFIR – Part I
Windows - BITS | Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service
Windows - CertUtil | Certutil download artefacts
Windows - Certutil | Certutil Artifacts Analysis
Windows - Compressed Memory | Forensic analysis of Windows 10 compressed memory using Volatility
Windows - Event IDs | Event ID 1024
Windows - Event IDs | 4625 Events – Know your enemy
Windows - Event IDs | DNS investigation on Windows
Windows - Event Logs | Making the Most Out of WLAN Event Log Artifacts
Windows - Event Logs | Parsing carved evtx records using EvtxECmd
Windows - Event Logs | 13Cubed - Event Log Forensics with Log Parser
Windows - Event Logs | 13Cubed - Introduction to EvtxECmd
Windows - Event Logs | Are you sure you extract all the available Volume Serial Numbers (VSNs) that reside in the Windows 10 Event Log “Microsoft-Windows-Partition%4Diagnostic.evtx”?
Windows - Event Logs | Finding Forensic Goodness In Obscure Windows Event Logs
Windows - Event Logs | Using the Convert-EventLogRecord function alongside the Get-WinEvent PowerShell cmdlet to search Windows event logs
Windows - EventTranscript.db | Forensically Unpacking EventTranscript.db: An Investigative Series
Windows - EventTranscript.db | EventTranscript.db Research
Windows - EventTranscript.db | Parsing Diagnostic Data With Powershell and Enhanced Logging
Windows - EventTranscript.db | Parsing EventTranscript.db With KAPE and SQLECmd
Windows - EventTranscript.db | Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging
Windows - EventTranscript.db | EventTranscript.db vs .rbs Files and Their Relation to DiagTrack
Windows - Executables | Verifying executables on Windows
Windows - hiberfil.sys | How to read Windows Hibernation file (hiberfil.sys) to extract forensic data?
Windows - JumpLists | 13Cubed - LNK Files and Jump Lists
Windows - JumpLists | Episode 17: “Quick Win” files #2 - Jumplists-Part 2
Windows - JumpLists | Episode 16: “Quick Win” files #2 - Jumplists-Part 1
Windows - JumpLists | Episode 52: The invisible files - Jumplists
Windows - LastVisitedMRU | Investigating LastVisitedMRU
Windows - LNK Files | LNK File Analysis: LNKing It Together!
Windows - LNK files | 13Cubed - Introduction to Windows Forensics
Windows - LNK files | The Missing LNK — Correlating User Search LNK files
Windows - LNK files | CVE-2020-0729: REMOTE CODE EXECUTION THROUGH .LNK FILES
Windows - LNK files | 13Cubed - LNK Files and Jump Lists
Windows - LNK files | Episode 20: “Quick Win” files #3 - .LNK files-Part 2
Windows - LNK files | Episode 19: “Quick Win” files #3 - .LNK files-Part 1
Windows - LNK files | Episode 51: Lies My Computer Told Me-LNK Files
Windows - LNK files | Exploring Windows Artifacts : LNK Files
Windows - LSASS | LSASS.DMP... Attacker or Admin?
Windows - Memory | Capturing Windows Memory
Windows - OpenSaveMRU | Investigating OpenSaveMRU
Windows - Pagefile.sys | Forensic Investigation: Pagefile.sys
Windows - Photos | Investigating Windows Photos
Windows - Prefetch | 13Cubed - Introduction to Windows Forensics
Windows - Prefetch | Evidence of file execution
Windows - Prefetch | 13Cubed - Prefetch Deep Dive
Windows - Prefetch | Extracting Windows Prefetch Files
Windows - Prefetch | Episode 24: “Quick Win” files #5 - Prefetch-Part 2
Windows - Prefetch | Episode 23: “Quick Win” files #5 - Prefetch-Part 1
Windows - Prefetch | Forensic Investigation : Prefetch File
Windows - Prefetch | Investigating Prefetch
Windows - Printer Usage via Event Logs | How to track printer usage with event logs
Windows - Program Execution Artifacts | Analyzing Program Execution Windows Artifacts
Windows - Protected Content | Accessing Protected Content using Windows Domain Controllers and Workstations
Windows - Recycle Bin | Windows Forensics: analysis of Recycle bin artifacts
Windows - Recycle Bin | 13Cubed - Recycle Bin Forensics
Windows - Recycle Bin | Investigating Windows Recycle Bin
Windows - Registry | A Technical Guide to Examining the Windows Registry
Windows - Registry | Forensic Investigation: Windows Registry Analysis
Windows - Registry | Registry hive basics part 1
Windows - Registry | Registry hive basics part 2: NK records
Windows - Registry | Registry hive basics part 3: VK records
Windows - Registry | Registry hive basics part 4: SK records
Windows - Registry | Registry hive basics part 5: Lists
Windows - Registry | Exploring the Registry at the hex level
Windows - Registry | RECmd: command line tool for Windows Registry analysis
Windows - Registry | Episode 75: What is the Windows Registry?
Windows - Registry | Episode 78: What is the Windows Registry transaction log?
Windows - Registry | Episode 76: Investigating the Windows Registry using Registry Explorer - Part 1
Windows - Registry | Episode 77: Investigating the Windows Registry using Registry Explorer - Part 2
Windows - Registry | Episode 15: “Quick Win” files #1 - The Registry-Part 2
Windows - Registry | Episode 14: “Quick Win” files #1 - The Registry-Part 1
Windows - Registry | Exploring the Hive — Deep Inside the Window Registry
Windows - Registry | Windows registry Transaction Logs in forensic analysis
Windows - Registry | Exploring the Hive- Deep inside the Windows Registry. pt 2
Windows - Registry | Your AV is Trying to Tell You Something: Registry
Windows - Registry | Registry Hive File Structure Analysis
Windows - Scheduled Tasks | A Deep Dive Into Windows Scheduled Tasks and The Processes Running Them
Windows - Security Event Logs | Windows Security Event Logs: my own cheatsheet
Windows - Services | Investigating Windows Services
Windows - Shellbags | 13Cubed - Introduction to Windows Forensics
Windows - Shellbags | 13Cubed - Shellbag Forensics
Windows - Shellbags | Episode 22: “Quick Win” files #4 - Shellbags-Part 2
Windows - Shellbags | Episode 21: “Quick Win” files #4 - Shellbags-Part 1
Windows - Shellbags | Forensic Investigation: Shellbags
Windows - ShimCache | 13Cubed - Windows Application Compatibility Forensics
Windows - SRUM | Investigating Windows System Resource Usage Monitor (SRUM)
Windows - StartupInfo | Who Left the Backdoor Open? Using Startupinfo for the Win
Windows - Task Scheduler | Investigating Task Scheduler
Windows - Taskbar | Employing FeatureUsage for Windows 10 Taskbar Forensics
Windows - Thumbs.db | Investigating Thumbs.db
Windows - Time | Let's talk about time
Windows - Time Zones | Case 001 – The Timing of it All
Windows - Updates | Investigating Windows Update Log
Windows - User Access Logs (UAL) | Windows User Access Logs (UAL)
Windows - User Access Logs (UAL) | A new type of User access log
Windows - User Access Logs (UAL) | UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations
Windows - User Accounts | Blue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process, Applications, Folders, and Files
Windows - User Accounts | Investigating User Accounts
Windows - UserAssist | 13Cubed - Introduction to Windows Forensics
Windows - UserAssist | UserAssist — with a pinch of Salt — As an “Evidence of Execution”
Windows - Various User Data | Blue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData, and Environment Variables
Windows - Volume Shadow Copies | Extracting unallocated clusters from a shadow copy
Windows - Volume Shadow Copies | Offline shadow copies
Windows - Volume Shadow Copies | 13Cubed - The Volume Shadow Knows
Windows - Volume Shadow Copies | Episode 53: Volume Shadow Copy-Part 1
Windows - Volume Shadow Copies | Episode 54: Volume Shadow Copy-Part 2
Windows - Volume Shadow Copies | Episode 55: Volume Shadow Copy-Part 3
Windows - Volume Shadow Copies | Shadow copies become less visible
Windows - Windows Install Date | When Windows Lies
Windows - WinSCP | Detecting Lateral Movement with WinSCP
Windows - Wireless Networks | Investigating Windows Wireless Networks
Windows - Zone Identifiers | Zone.Identifier: A Couple Of Observations
Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 3: Clipboard Craziness
Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 1: The High Points
Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 2: Synching Across Devices
Windows 10 - Activity Timeline | Reconstructing User Activity for Forensics with FeatureUsage
Windows 10 - Activity Timeline | Investigating Windows 10 Timeline
Windows 10 - Activity Timeline | Analyzing Microsoft Timeline, OneDrive and Personal Vault Files
Windows 10 - Cortana | Investigating Windows Cortana
Windows 10 - Google Drive | Artifacts of Google Drive Usage on Windows 10 (Part 1)
Windows 10 - Install Date | Windows 10 Install Date - The Real One
Windows 10 - Mail App | Windows 10 Mail App Forensics
Windows 10 - Notifications | Investigating Windows 10 Notifications
Windows 10 - NTFS Timestamps | NTFS Timestamp changes on Windows 10
Windows 10 - Remote RAM Capture | Capturing and Retrieving a Memory Image Remotely
Windows 10 - Sticky Notes | Windows 10 Sticky Notes Location
Windows 10 - USB Storage | USB storage forensics in Win10 #1 - Events
Windows 11 - ETW | ETW on Windows 11 - Initial thoughts
Windows Logon Banner | Investigating Logon Banner
Windows Subsystem for Linux | Windows Subsystem for Linux: Finding the Penguin
ZIP Files and Compressed Archives | Forensically Analyzing ZIP & Compressed Files
Zoom | Investigating Zoom