| 1Password | Investigating Windows 1Password - Forensafe |
| 360 Secure Browser | Investigating 360 Secure Browser - Forensafe |
| 7-Zip | Investigating 7-Zip |
| Active Directory | DFIR – Windows and Active Directory persistence and malicious configurations |
| Active Directory | The Active Directory Access Control List Explained |
| AD1 Format | Dissecting the AD1 File Format |
| Adobe Acrobat Reader | Investigating Adobe Acrobat Reader - Forensafe |
| ADS Zone.Identifier | Stripped off ADS (Zone.Identifier) for files downloaded in the incognito/private mode. - CyberDefNerd |
| Alternate Data Streams | List of articles or [Direct Download] Windows Alternate Data Streams (ADS) - winitor |
| AmCache | Analysis of the AmCache |
| AmCache | (Am)Cache rules everything around me |
| AmCache | Investigating Amcache |
| AmCache | Amcache contains SHA-1 Hash – It Depends! - NVISO Labs |
| AmCache | Evidence of Program Existence - Amcache |
| AnyDesk | Digital Forensic Artifact of Anydesk Application |
| AnyDesk | Forensic Analysis of AnyDesk Logs |
| AnyDesk | Investigating AnyDesk |
| AnyDesk | AnyDesk Forensic Analysis and Artefacts - Hats Off Security |
| AnyDesk | AnyDesk Forensics | AnyDesk Log Analysis - Tyler Brozek |
| AnyDesk | Investigating Windows AnyDesk - Forensafe |
| APOLLO on Windows | Apple Pattern of Life Lazy Output'er (APOLLO) on Windows |
| App Timeline Provider - SRUM | App Timeline Provider - SRUM Database - Cassie Doemel |
| AVG Antivirus | Investigating Windows AVG Antivirus - Forensafe |
| Avira Antivirus | Investigating Windows Avira Antivirus - Forensafe |
| Background Activity Monitor (BAM) | Investigating Windows Background Activity Moderator (BAM) - Forensafe |
| BAM | BAM internals |
| Battery Level | Battery charge level and its importance in forensics investigations - CyberDefNerd |
| Battery Levels | Why do the battery use and the battery level matter during the investigation? - CyberDefNerd |
| BitComet | Investigating Window BitComit - Forensafe |
| Bitdefender | Investigating Windows Bitdefender Antivirus - Forensafe |
| BitLocker | BitLocker Decryption Explained |
| BitLocker | How to handle Bitlocker Encrypted Volumes |
| BitLocker | The Interesting Case of Windows Hibernation and BitLocker |
| BitLocker | BitLocker for DFIR – Part III |
| BitLocker | BitLocker for DFIR – Part II |
| BitLocker | BitLocker for DFIR – Part I |
| BITS | Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service |
| BitTorrent | Investigating Windows Bittorrent - Forensafe |
| Box | Investigating Box |
| Box Sync | Investigating Box Sync |
| BoxDrive | Investigating Windows BoxDrive - Forensafe |
| Brave Web Browser | Investigating Brave Web Browser |
| Browser Artifacts | Analysing Web Browsers Forensic Artifacts - Digital Investigator |
| Browser Artifacts | Browser Cache and Interrupted Downloads - Investigation Strategies |
| Browser Downloads in $UsnJrnl | Easy way to prove that a file was downloaded by a web browser, having only $UsnJrnl logs. - CyberDefNerd |
| Capability Access Manager (Camera/Mic Usage) | Can you track processes accessing the camera and microphone? and an Update in: I can see and hear you seeing and hearing me! |
| CertUtil | Certutil download artefacts |
| Certutil | Certutil Artifacts Analysis |
| Chrome - Changes in v96 | Cookies Database Moving in Chrome 96 |
| Chrome History - Deleted | Recovering Cleared Browser History - Chrome Forensics - InverseCos |
| Chromium Browsers | Chromium Based Browsers Investigation |
| Cisco Webex Meetings | Investigating Cisco Webex Meetings - Forensafe |
| Clipboard Artifacts | How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History - inversecos |
| Computer Name | Investigating Computer Name |
| Containers | Windows Container Forensics |
| Cortana | Investigating Cortana - Forensafe |
| Desktop Wallpaper | Investigating Desktop Wallpaper - Forensafe |
| Discord | Finding Discord app chats in Windows. |
| Discord | Update on Discord forensic artifacts for iOS & Windows |
| Download Manager | Quick analysis of the Internet Download Manager history using RegRipper plugins - CyberDefNerd |
| Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 1) |
| Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 2) |
| Dropbox | Investigating the Dropbox Desktop App for Windows with Belkasoft X |
| Dropbox | Investigating Dropbox |
| Event IDs | Event ID 1024 |
| Event IDs | 4625 Events – Know your enemy |
| Event IDs | DNS investigation on Windows |
| Event Log (Damaged Logs) | Event Log Explorer Forensic Edition – working with damaged logs or disks - EventLogExplorer |
| Event Log Access | C:\ProgramData\Microsoft\Event Viewer\ExternalLogs – artifacts showing what Windows Event Logs were opened on the suspected device - CyberDefNerd |
| Event Logs | Files in Event Log Explorer Forensic Edition. Searching for removed events - FSPro Labs Download |
| Event Logs | Investigating Windows Event Logs - Forensafe |
| Event Logs | Making the Most Out of WLAN Event Log Artifacts |
| Event Logs | Parsing carved evtx records using EvtxECmd |
| Event Logs | 13Cubed - Event Log Forensics with Log Parser |
| Event Logs | 13Cubed - Introduction to EvtxECmd |
| Event Logs | Are you sure you extract all the available Volume Serial Numbers (VSNs) that reside in the Windows 10 Event Log “Microsoft-Windows-Partition%4Diagnostic.evtx”? |
| Event Logs | Finding Forensic Goodness In Obscure Windows Event Logs |
| Event Logs | Using the Convert-EventLogRecord function alongside the Get-WinEvent PowerShell cmdlet to search Windows event logs |
| Event Logs | DFIR Next Steps: What to do after you find a suspicious Windows Network Logon Session |
| Event Logs | Microsoft Office Alerts ("OAlerts") |
| Event Logs - Hidden Insights | Windows Event Analysis: Unlocking the Hidden Insights in Event Logs - Paritosh |
| Event Logs (Cheat Sheet) | Hunting Windows Event Logs - Avesta Fahimipour |
| Event Tracing (ETW) | A Begginers All Inclusive Guide to ETW - Blakes R & D |
| Event Tracing (ETW) | ETW Internals for Security Research and Forensics |
| Event Tracing (ETW) | ETL File analysis in live |
| EventTranscript.db | Forensically Unpacking EventTranscript.db: An Investigative Series |
| EventTranscript.db | EventTranscript.db Research |
| EventTranscript.db | Parsing Diagnostic Data With Powershell and Enhanced Logging |
| EventTranscript.db | Parsing EventTranscript.db With KAPE and SQLECmd |
| EventTranscript.db | Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging |
| EventTranscript.db | EventTranscript.db vs .rbs Files and Their Relation to DiagTrack |
| Evernote | Investigating Evernote |
| Executables | Verifying executables on Windows |
| Exif Data | How To Use ExifTool To Look At Metadata - CyberSocialHub |
| Exif Data that was "removed" | Windows Explorer: Improper Exif Data Removal - Didier Stevens |
| ExpressVPN | Investigating ExpressVPN - Forensafe |
| Facebook Messenger | Investigating Facebook Messenger Windows Application |
| FeatureUsage | Employing FeatureUsage for Windows 10 Taskbar Forensics - Crowdstrike |
| File Carving | File carving: Recovering a deleted file from a Windows disk image |
| File Carving | File Carving In Windows - Joseph Moronwi |
| File Explorer - Temporary Zip Folders | Investigating Explorer's temporary ZIP folders and retrieving files - MattCASmith |
| File Extension Associations | Investigating File Extension Associations - Forensafe |
| File Signature And Hash Analysis | File Signature And Hash Analysis - Joseph Moronwi |
| FileZilla | Investigating FileZilla - Forensafe |
| Firefox | Investigating Firefox |
| Foxit PDF Reader | Investigating Foxit Reader - Forensafe |
| F-Secure | Investigating Windows F-Secure - Forensafe |
| GIMP | Quick tip: GIMP Recent Files Artifact |
| GKE Containers | Investigating a GKE Container - Open Source DFIR |
| GoToMeeting | GoToForensics - DFIR TNT |
| HeapLeakDetection Registry Key | The Mystery of the HeapLeakDetection Registry Key - RAT in Mi Kitchen |
| hiberfil.sys | How to read Windows Hibernation file (hiberfil.sys) to extract forensic data? |
| hiberfil.sys | Volatility3: Modern Windows Hibernation file analysis |
| HTTP Request Headers | Understanding HTTP Request Headers - Josh Rickard |
| imo (Messenger) | Investigating Window imo - Forensafe |
| Import Address Table (IAT) | Volatility3 : Import Address Table |
| INetCache | INetCache: Exploiting From Within - ParaFlare |
| InstallDate affected by Win11 Upgrade | Windows InstallDate could be changed via Windows Update |
| Installed Programs List | Investigating Installed Programs |
| Internet Explorer | Investigating Internet Explorer Web Browser |
| Intrusion Analysis | Windows Artifacts For Intrusion Analysis: A Treasure Trove of Evidence |
| iTunes | Windows iTunes Desktop Application - Forensafe |
| Jump Lists | Investigating Jump Lists |
| Jump Lists | CPY JMP - Phill Moore |
| Jump Lists | 13Cubed - LNK Files and Jump Lists |
| Jump Lists | Episode 17: “Quick Win” files #2 - Jumplists-Part 2 |
| Jump Lists | Episode 16: “Quick Win” files #2 - Jumplists-Part 1 |
| Jump Lists | Episode 52: The invisible files - Jumplists |
| Kaspersky Antivirus | Investigating Windows Kaspersky Antivirus - Forensafe |
| Last Accessed Key | Investigating Last Accessed Key |
| Last Shutdown | Investigating Last Shutdown - Forensafe |
| LastVisitedMRU | Investigating LastVisitedMRU |
| Level.io | RMM - Level.io: Forensic Artifacts and Evidence |
| LNK Files | LNK File Analysis: LNKing It Together! |
| LNK Files | 13Cubed - Introduction to Windows Forensics |
| LNK Files | The Missing LNK — Correlating User Search LNK files |
| LNK Files | CVE-2020-0729: REMOTE CODE EXECUTION THROUGH .LNK FILES |
| LNK Files | 13Cubed - LNK Files and Jump Lists |
| LNK Files | Episode 20: “Quick Win” files #3 - .LNK files-Part 2 |
| LNK Files | Episode 19: “Quick Win” files #3 - .LNK files-Part 1 |
| LNK Files | Episode 51: Lies My Computer Told Me-LNK Files |
| LNK Files | Exploring Windows Artifacts : LNK Files |
| LNK Files | Investigating Link File |
| LNK Files | Exploring Windows Artifacts : LNK Files - u0041 |
| LNK Files | Analyzing a Multi-Stage LNK Dropper |
| Logfile | Windows Logfile - Forensafe |
| LogMeIN | Investigating LogMeIN - Forensafe |
| Logon | Better know a data source: Logon sessions - Jonathan Johnson |
| LSASS | LSASS.DMP... Attacker or Admin? |
| MAC Randomization | MAC Randomization in Windows - Forensic 4:cast |
| Machine SID | Investigating MachineSID - Forensafe |
| Malwarebytes | Investigating Windows MalwareBytes - Forensafe |
| Mapped Network Drives | Investigating Windows Mapped Network Drives - Forensafe |
| Maps | Investigating Windows 10 Maps |
| MEGA | Even more MEGA - kibaffo33 |
| MegaNZ/MegaCMD | Forensic Investigation of the MEGAcmd Client - Awake Security |
| Mega's megapreferences | Decrypting Mega’s megaprefences Sqlite Database - AskClees Part 2 |
| MEGAsync | An Encounter With Ransomware-as-a-Service: MEGAsync Analysis |
| Memories | Leaky Notifications from Windows 11 - Ian D |
| Memory Forensics | Forensic analysis of Windows 10 compressed memory using Volatility |
| Memory Forensics | Capturing Windows Memory |
| Memory Forensics | Volatility3: Alternate Data Stream Scan |
| Memory Forensics | VMware Memory Analysis with MemProcFS - Epic Capuano |
| Memory Forensics | Memory Forensics – Practical Example, Detect Classic Remote Process Injection |
| Memory Forensics | THM: Memory Forensics (Volatility) |
| Memory Forensics | Windows Memory Forensics |
| Microsoft Edge | Investigating Microsoft Edge Web Browser and Application |
| Microsoft Edge | Microsoft Edge Forensics: Screenshot History |
| Microsoft Edge | How can I be of WebAssist(ance)? |
| Microsoft Edge (Chromium) | Investigating Edge Chromium Web Browser |
| Microsoft Management Console MRU | Investigating Microsoft Management Console (MMC) MRU - Forensafe |
| Microsoft Remote Access VPN | Forensic Aspects of Microsoft Remote Access VPN |
| Mozilla Thunderbird | Investigating Thunderbird Windows Application |
| MPLog | Mind the MPLog: Leveraging Microsoft Protection Logging for Forensic Investigations - CrowdStrike |
| MRU | What is MRU (Most Recently Used)? - Magnet Forensics |
| MUICache | Forensic Analysis of MUICache Files in Windows - Magnet Forensics |
| MUICache | Let's Talk About MUICache - 13Cubed |
| MUICache (Multilingual User Interface) | Investigating MUICache |
| NetSupport Manager | NetSupport Intrusion Results in Domain Compromise |
| Network Interfaces | Investigating Windows Network Interfaces - Forensafe |
| Network Persistent State (Chromium) | Recovering WiFi SSIDs from Chromium's Network Persistent State File - Alex Bilz |
| Network Traffic | Analyzing Network Packets With Wireshark – AD And User Enumeration - m365guy |
| Notepad++ | Investigating Windows Notepad++ Desktop Application - Forensafe |
| Office MRU | What is a Microsoft Office Most Recently Used Artifact “MRU” - Cyber Triage |
| OpenSaveMRU | What is a Windows OpenSave MRU Artifact? - CyberTriage |
| OpenSaveMRU | Investigating OpenSaveMRU |
| OpenVPN | Investigating Windows OpenVPN - Forensafe |
| Opera Web Browser | Investigating Opera Web Browser |
| Page File URL's | Investigating Page File URL's - Forensafe |
| Pagefile | An Intro to Pagefil Forensic |
| Pagefile.sys | Forensic Investigation: Pagefile.sys |
| Paint MRU | Investigating Paint MRU |
| pCloud | Investigating pCloud - Forensafe |
| Persistence Mechanisms | 13Cubed - Persistence Mechanisms |
| Photo GPS Artifacts | One Country, Two Systems - HackerFactor |
| Photos | Investigating Windows Photos |
| PowerShell | Powershell - Forensafe |
| PowerShell Logs | How long was the malicious PowerShell script active on the compromised machine? - CyberDefNerd |
| PowerShell Scripts | Reconstructing PowerShell scripts from multiple Windows event logs - Sophos |
| PowerShell Scripts From Event Logs | Join PowerShell Script from Event Logs |
| Prefetch | Uncovering Hidden Clues: How Windows Artifact Prefetch Can Help in Digital Forensics Investigations in Windows 11 Machine - 4n6Shetty |
| Prefetch | 13Cubed - Introduction to Windows Forensics |
| Prefetch | Evidence of file execution |
| Prefetch | 13Cubed - Prefetch Deep Dive |
| Prefetch | Extracting Windows Prefetch Files |
| Prefetch | Episode 24: “Quick Win” files #5 - Prefetch-Part 2 |
| Prefetch | Episode 23: “Quick Win” files #5 - Prefetch-Part 1 |
| Prefetch | Forensic Investigation : Prefetch File |
| Prefetch | Investigating Prefetch |
| Prefetch | Artifacts of Execution: Prefetch - Part One |
| Prefetch | Operation-based prefetching |
| Printer Information | Investigating Printers Information |
| Printer Usage via Event Logs | How to track printer usage with event logs |
| Profiles | Investigating Profiles List - Forensafe |
| Program Compatibility Assistant (PCA) | New Windows 11 Pro (22H2) Evidence of Execution Artifact! - Andrew Rathbun & Lucas Gonzalez |
| Program Compatibility Assistant (PCA) | Diving Into The New Windows 11 PCA Artifact |
| Program Execution Artifacts | Analyzing Program Execution Windows Artifacts |
| Protected Content | Accessing Protected Content using Windows Domain Controllers and Workstations |
| ProtonVPN | Investigating Proton VPN - Forensafe |
| PsExec | The Key to Identify PsExec - Fabian Mendoza |
| qBittorrent | Investigating qBittorrent - Forensafe |
| Quick Access | Investigating Quick Access - Forensafe |
| RDP | Investigating Window Remote Desktop Connection Events Log - Forensafe |
| Recent Items | Investigating Recent Items - Forensafe |
| RecentDocs MRU | Investigating RecentDocs MRU |
| Recents Folder | What is a Windows Recents Folder Artifact? - Cyber Triage |
| Recycle Bin | Digital dumpster diving: Exploring the intricacies of recycle bin forensics - Kushalveer Singh Bachchas |
| Recycle Bin | Windows Forensics: analysis of Recycle bin artifacts |
| Recycle Bin | 13Cubed - Recycle Bin Forensics |
| Recycle Bin | Investigating Windows Recycle Bin |
| Registry | Threat Hunting for Windows Registry - Alican Kiraz |
| Registry | The Defender’s Guide to the Windows Registry - Luke Paine |
| Registry | A Technical Guide to Examining the Windows Registry |
| Registry | Forensic Investigation: Windows Registry Analysis |
| Registry | Registry hive basics part 1 |
| Registry | Registry hive basics part 2: NK records |
| Registry | Registry hive basics part 3: VK records |
| Registry | Registry hive basics part 4: SK records |
| Registry | Registry hive basics part 5: Lists |
| Registry | Exploring the Registry at the hex level |
| Registry | RECmd: command line tool for Windows Registry analysis |
| Registry | Episode 75: What is the Windows Registry? |
| Registry | Episode 78: What is the Windows Registry transaction log? |
| Registry | Episode 76: Investigating the Windows Registry using Registry Explorer - Part 1 |
| Registry | Episode 77: Investigating the Windows Registry using Registry Explorer - Part 2 |
| Registry | Episode 15: “Quick Win” files #1 - The Registry-Part 2 |
| Registry | Episode 14: “Quick Win” files #1 - The Registry-Part 1 |
| Registry | Exploring the Hive — Deep Inside the Window Registry |
| Registry | Windows registry Transaction Logs in forensic analysis |
| Registry | Exploring the Hive- Deep inside the Windows Registry. pt 2 |
| Registry | Your AV is Trying to Tell You Something: Registry |
| Registry | Registry Hive File Structure Analysis |
| Registry | The Registry Hives You May be MSIX-ING: Registry Redirection with MS MSIX |
| Registry Hive Bins | Maximum Exploitation of Windows Registry Hive Bins - Arsenal Recon |
| Remote Access Software | Remote Access Software - Forensics - Vikas Singh |
| Remote Desktop Application | Remote Desktop Application vs MSTSC Forensics: The RDP Artifacts You Might Be Missing |
| Remote Desktop MRU | Investigating Remote Desktop Connection MRU |
| Remote Desktop Protocol (RDP) | 13Cubed - RDP Cache Forensics & 13Cubed - RDP Event Log Forensics |
| Remote Desktop Protocol (RDP) | Windows Forensic Analysis: some thoughts on RDP related Event IDs |
| Remote Desktop Protocol (RDP) | Remote Desktop Connection (mstsc.exe) Screen in a Memory Dump Analysis |
| RunMRU | Investigating Run MRU - Forensafe |
| Scheduled Tasks | A Deep Dive Into Windows Scheduled Tasks and The Processes Running Them |
| Scheduled Tasks | Windows Scheduled Tasks for DFIR Investigations |
| ScreenConnect | From ScreenConnect to Hive Ransomware in 61 hours |
| Screenshots | Tracking screenshots with LNK files - ThinkDFIR |
| SDeleted Files | Forensic Detection of Files Deleted via SDelete - InverseCos |
| Searched Strings/WordWheelQuery | Investigating Searched Strings |
| Security Event Logs | Windows Security Event Logs: my own cheatsheet |
| Security:4624 (Win11) | DFIR FYI: Security:4624 has been updated in Windows 11 Pro (22H2) - Andrew Rathbun |
| Services | Investigating Windows Services |
| Shellbags | 13Cubed - Introduction to Windows Forensics |
| Shellbags | 13Cubed - Shellbag Forensics |
| Shellbags | Episode 22: “Quick Win” files #4 - Shellbags-Part 2 |
| Shellbags | Episode 21: “Quick Win” files #4 - Shellbags-Part 1 |
| Shellbags | Forensic Investigation: Shellbags |
| Shellbags | Investigating Shellbags |
| ShimCache | Investigating ShimCache with ArtiFast ShimCache Artifact Parser - Forensafe |
| ShimCache | 13Cubed - Windows Application Compatibility Forensics |
| ShimCache | Let's Talk about Shimcache - The Most Misunderstood Artifact |
| ShimCache | Evidence of Program Existence - Shimcache |
| Signal | Pulling encrypted Signal messages off of desktop OS’ for forensics |
| Signal | Signal for Desktop - A Digital Forensics Perspective |
| Signal | Investigating Signal with ArtiFast Signal |
| Skype | Analysis of Skype - Windows 10 App Version 12.7 and higher |
| Skype | Skype Analysis - From the old one to the newest one - A First Overview |
| Skype | Extracting Skype Histories and Deleted Files Metadata from Microsoft Account |
| Skype | Microsoft Teams and Skype Logging Privacy Issue |
| Skype | Investigating Skype for Desktop and Windows Application |
| Skype (Metro App) | Analysis of Skype App for Windows (Metro-App) - Version 14.xx |
| Slack | Investigating Slack for Windows - Forensafe |
| SQLite Databases | SQLite Forensics with Belkasoft X |
| SRUM | SRUM: Forensic Analysis of Windows System Resource Utilization Monitor - Magnet Forensics |
| SRUM | Investigating Windows System Resource Usage Monitor (SRUM) |
| SRUM | Swimming in the SRUM |
| SRUM | Leveraging SRUM for Incident Response |
| StartupInfo | Who Left the Backdoor Open? Using Startupinfo for the Win |
| Steam | Video Games Forensics : Steam - ForensicxLab |
| Sticky Notes | Investigating Sticky Notes |
| Swapfile URL's | Investigating Swap File URL's - Forensafe |
| Sysmon | Sysmon 13.10 — FileDeleteDetected |
| System Information | Investigating System Information |
| System Resource Utilization Monitor (SRUM) | 13Cubed - Windows SRUM Forensics |
| Task Scheduler | Investigating Task Scheduler |
| Task Scheduler | Investigating Task Scheduler |
| Taskbar | Employing FeatureUsage for Windows 10 Taskbar Forensics |
| Tasks | Windows Registry Analysis – Today’s Episode: Tasks - Cyber.wtf |
| TeamViewer | Digital Forensic Artifact of TeamViewer Application |
| TeamViewer | TeamViewer Forensics |
| TeamViewer | Magnet User Summit DFIR CTF 2019-Activity |
| TeamViewer | Analyze TeamViewer and its Log Files For Investigation |
| TeamViewer | TeamViewer Forensics |
| TeamViewer | Blog #27: IPv6 in TeamViewer(v15) part 1. [EN] & Blog #28: IPv6 in TeamViewer(v15) part 2. [EN] |
| TeamViewer | Blog #28: IPv6 in TeamViewer(v15) part 2. [EN] |
| TeraCopy | Introducing TeraLogger |
| The Ruler Project | Really Useful Logging and Event Repository (RULER) Project |
| ThumbCache | Investigating ThumbCache |
| Thumbs.db | Investigating Thumbs.db |
| Time | Let's talk about time |
| Time Rules - Windows 11 | Windows 11 Time Rules - Khyrenz Ltd |
| Time Zones | Case 001 – The Timing of it All |
| Timeline Analysis | Timeline Creation for Forensics Analysis |
| Timezone Information | Investigating Timezone Information - Forensafe |
| Torch Browser | Investigating Torch Web Browser |
| Triage Analysis | Chaos to Clarity: Why Triage is Not Optional |
| Typed Paths | Investigating Typed Paths |
| Typed URLs | Investigating Typed URLs |
| UC Web Browser | Investigating UC Web Browser |
| Unigram | Investigating Windows Unigram - Forensafe |
| Universal Serial Bus (USB) | Episode 106: The TWO Serial Numbers of a USB Device - Part 1 - 3 Min Max Series, Episode 107: Part 2, Episode 108: Part 3 |
| Universal Serial Bus (USB) | USB IDs |
| Universal Serial Bus (USB) | 13Cubed - Introduction to USB Detective |
| Universal Serial Bus (USB) | DeviceHunt |
| Universal Serial Bus (USB) | A Monkey Forays Into USB Flashdrives |
| Universal Serial Bus (USB) | No Drive Letter, No USB Evidence? Think Again! |
| Universal Serial Bus (USB) | Investigating USB Drives using Mount Points Not Drive Letters |
| Universal Serial Bus (USB) | 13Cubed - Introduction to Windows Forensics |
| Universal Serial Bus (USB) | Episode 109: The TWO Serial Numbers of a USB Device - Part 4 |
| Universal Serial Bus (USB) | Episode 98: USB Forensics Series - Part 1 of 7 |
| Universal Serial Bus (USB) | Episode 99: USB Forensics Series - Part 2 of 7 |
| Universal Serial Bus (USB) | Episode 101: USB Forensics Series - Part 3 of 7 |
| Universal Serial Bus (USB) | Episode 102: USB Forensics Series - Part 4 of 7 |
| Universal Serial Bus (USB) | Episode 103: USB Forensics Series - Part 5 of 7 |
| Universal Serial Bus (USB) | Episode 104: USB Forensics Series - Part 6 of 7 |
| Universal Serial Bus (USB) | Episode 105: USB Forensics Series - Part 7 of 7 |
| Universal Serial Bus (USB) | Incident Response Thumb Drive |
| Updates | Investigating Windows Update Log |
| USB "Serial Numbers" | The Truth About USB Device Serial Numbers – (and the lies your tools tell) - Computer Evidence Recovery |
| USB Artifacts with no logged-in user | USB connections with no logged-in user (https://www.khyrenz.com/blog/usbs-without-login/) |
| USB Connection Times | USB or not USB... Connection Times - Kathryn Hedley |
| USB Devices | Investigating USB Devices - Forensafe |
| USB Devices | Automated USB artefact parsing from the Registry |
| User Access Logs (UAL) | Windows User Access Logs (UAL) |
| User Access Logs (UAL) | A new type of User access log |
| User Access Logs (UAL) | UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations |
| User Accounts | Blue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process, Applications, Folders, and Files |
| User Accounts | Investigating User Accounts - Forensafe |
| UserAssist | Investigating UserAssist |
| UserAssist | 13Cubed - Introduction to Windows Forensics |
| UserAssist | UserAssist — with a pinch of Salt — As an “Evidence of Execution” |
| UserAssist | Decoding Windows Registry Artifacts with Belkasoft X: UserAssist |
| Various User Data | Blue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData, and Environment Variables |
| Velociraptor | Velociraptor - Dig Deeper |
| Viber.db | On Viber.db and Thumbnail Paths - Random Dent |
| VirtualBox | Investigating VirtualBox - Forensafe |
| Vivaldi Browser | Investigating Vivaldi Web Browser |
| VMTools Persistence - VMWareToolBoxCmd.exe | Analyzing and Detecting a VMTools Persistence Technique |
| VMWare | Investigating VMware Windows Application |
| Volume Shadow Copies | Extracting unallocated clusters from a shadow copy |
| Volume Shadow Copies | Offline shadow copies |
| Volume Shadow Copies | 13Cubed - The Volume Shadow Knows |
| Volume Shadow Copies | Episode 53: Volume Shadow Copy-Part 1 |
| Volume Shadow Copies | Episode 54: Volume Shadow Copy-Part 2 |
| Volume Shadow Copies | Episode 55: Volume Shadow Copy-Part 3 |
| Volume Shadow Copies | Shadow copies become less visible |
| VSS | VSS Carving - Pt. 1, Setup - Nullsec and Pt. 2 |
| Web Browsers (Chrome, Firefox, Edge) | Web Browsers Forensics |
| Webshells | Hunting Webshells |
| WhatsApp | WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts |
| WhatsApp | Investigating WhatsApp |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 3: Clipboard Craziness |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 1: The High Points |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 2: Synching Across Devices |
| Windows 10 - Activity Timeline | Reconstructing User Activity for Forensics with FeatureUsage |
| Windows 10 - Activity Timeline | Investigating Windows 10 Timeline |
| Windows 10 - Activity Timeline | Analyzing Microsoft Timeline, OneDrive and Personal Vault Files |
| Windows 10 - Cortana | Inve |
| Windows 10 - Google Drive | Artifacts of Google Drive Usage on Windows 10 (Part 1) |
| Windows 10 - Install Date | Windows 10 Install Date - The Real One |
| Windows 10 - Mail App | Windows 10 Mail App Forensics |
| Windows 10 - Notifications | Investigating Windows 10 Notifications |
| Windows 10 - NTFS Timestamps | NTFS Timestamp changes on Windows 10 |
| Windows 10 - Remote RAM Capture | Capturing and Retrieving a Memory Image Remotely |
| Windows 10 - Sticky Notes | Windows 10 Sticky Notes Location |
| Windows 10 - USB Storage | USB storage forensics in Win10 #1 - Events |
| Windows 10 - Windows Timeline | Windows Timeline: Putting the what & when together |
| Windows 11 - ETW | ETW on Windows 11 - Initial thoughts |
| Windows 11 - New ETW Providers | Windows 11 “New” ETW Providers — Overview |
| Windows 11 Changes | Windows 10 vs. Windows 11, What Has Changed? - Andrew Rathbun |
| Windows 11 GUID Partition Scheme (GPT) | Boggle-bytes in a Basic Data Partition Entry - Ian D |
| Windows Artifacts General Reference | Windows Forensic Artifacts Guide |
| Windows Artifacts General Reference | Introduction to Windows Artifacts : Your Gateway to Effective Incident Response |
| Windows Calendar | Investigating Windows Calendar |
| Windows Defender | Investigating Windows Defender - Forensafe |
| Windows Defender | Reverse, Reveal, Recover: Windows Defender Quarantine Forensics |
| Windows Event Tracing | Open .ETL Files with NetworkMiner and CapLoader |
| Windows Images with Infections for Testing | DFIRArtifactMuseum - Andrew Rathbun |
| Windows Install Date | When Windows Lies |
| Windows Logon Banner | Investigating Logon Banner - Forensafe |
| Windows Mail | Investigating Windows Mail - Forensafe |
| Windows Management Instrumentation (WMI) | Investigating Windows Management Instrumentation (WMI) - Forensafe |
| Windows Management Instrumentation (WMI) | WMI Internals Part 1 - jsecurity101 |
| Windows Management Instrumentation (WMI) | Windows Management Instrumentation (WMI) Offense, Defense, and Forensics - FireEye |
| Windows Registry | Mysteries of the Registry - Pavel Yosifovich |
| Windows Run MRU | Investigating Windows Run MRU - Forensafe |
| Windows Search Index | Investigating Windows Search Index - Forensafe |
| Windows Search Index | Windows Search Index - AON Cyber Labs |
| Windows Startup Programs | Investigating Windows Startup Programs - Forensafe |
| Windows Subsystem for Linux | Windows Subsystem for Linux: Finding the Penguin - SketchyMoose |
| Windows Terminal | Investigating Windows Terminal - Forensafe |
| Windows Update Impact on Artifacts | Can Windows Update fool you during the investigation? - CyberDefNerd |
| WinRAR | Investigating WinRAR - Forensafe |
| WinSCP | Detecting Lateral Movement with WinSCP |
| WinZip | Investigating WinZip - Forensafe |
| Wireless Networks | Investigating Windows Wireless Networks |
| Wireless Networks | Investigating Windows Wireless Networks - Forensafe |
| WMI Events | Finding Evil WMI Event Consumers with Disk Forensics - Chad Tilbury - SANS |
| WordPad Recent Files | Investigating WordPad Recent Files - Forensafe |
| WSH | The Forensic Value of the (Other) WSH Registry Key - RAT In Mi Kitchen |
| YARA Rules | Investigating Artifacts Using YARA Rules with ArtiFast - Forensafe |
| ZIP Files and Compressed Archives | Forensically Analyzing ZIP & Compressed Files |
| Zone Identifiers | Zone.Identifier: A Couple Of Observations |
| Zone.Identifier Stream | Forensic Analysis of the Zone.Identifier Stream - Digital Detective |
| Zoom | Investigating Zoom - Forensafe |