| 1Password | Investigating Windows 1Password - Forensafe |
| 360 Secure Browser | Investigating 360 Secure Browser - Forensafe |
| 7-Zip | Investigating 7-Zip |
| AD1 Format | Dissecting the AD1 File Format |
| Adobe Acrobat Reader | Investigating Adobe Acrobat Reader - Forensafe |
| ADS Zone.Identifier | Stripped off ADS (Zone.Identifier) for files downloaded in the incognito/private mode. - CyberDefNerd |
| Alternate Data Streams | List of articles or [Direct Download]Windows Alternate Data Streams (ADS) - winitor |
| Amcache - SHA-1 | Amcache contains SHA-1 Hash – It Depends! - NVISO Labs |
| AnyDesk | Digital Forensic Artifact of Anydesk Application |
| AnyDesk | Forensic Analysis of AnyDesk Logs |
| AnyDesk | Investigating AnyDesk |
| AnyDesk | AnyDesk Forensic Analysis and Artefacts - Hats Off Security |
| AnyDesk | AnyDesk Forensics | AnyDesk Log Analysis - Tyler Brozek |
| AnyDesk | Investigating Windows AnyDesk - Forensafe |
| APOLLO on Windows | Apple Pattern of Life Lazy Output'er (APOLLO) on Windows |
| App Timeline Provider - SRUM | App Timeline Provider - SRUM Database - Cassie Doemel |
| AVG Antivirus | Investigating Windows AVG Antivirus - Forensafe |
| Avira Antivirus | Investigating Windows Avira Antivirus - Forensafe |
| Background Activity Monitor (BAM) | Investigating Windows Background Activity Moderator (BAM) - Forensafe |
| Battery Level | Battery charge level and its importance in forensics investigations - CyberDefNerd |
| Battery Levels | Why do the battery use and the battery level matter during the investigation? - CyberDefNerd |
| BitComet | Investigating Window BitComit - Forensafe |
| Bitdefender | Investigating Windows Bitdefender Antivirus - Forensafe |
| BitTorrent | Investigating Windows Bittorrent - Forensafe |
| Box | Investigating Box |
| Box Sync | Investigating Box Sync |
| BoxDrive | Investigating Windows BoxDrive - Forensafe |
| Brave Web Browser | Investigating Brave Web Browser |
| Browser Artifacts | Analysing Web Browsers Forensic Artifacts - Digital Investigator |
| Browser Downloads in $UsnJrnl | Easy way to prove that a file was downloaded by a web browser, having only $UsnJrnl logs. - CyberDefNerd |
| Capability Access Manager (Camera/Mic Usage) | Can you track processes accessing the camera and microphone? and an Update in: I can see and hear you seeing and hearing me! |
| Chrome - Changes in v96 | Cookies Database Moving in Chrome 96 |
| Chrome History - Deleted | Recovering Cleared Browser History - Chrome Forensics - InverseCos |
| Cisco Webex Meetings | Investigating Cisco Webex Meetings - Forensafe |
| Clipboard Artifacts | How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History - inversecos |
| Computer Name | Investigating Computer Name |
| Containers | Windows Container Forensics |
| Cortana | Investigating Cortana - Forensafe |
| Defender | Investigating Windows Defender - Forensafe |
| Desktop Wallpaper | Investigating Desktop Wallpaper - Forensafe |
| Discord | Finding Discord app chats in Windows. |
| Discord | Update on Discord forensic artifacts for iOS & Windows |
| Download Manager | Quick analysis of the Internet Download Manager history using RegRipper plugins - CyberDefNerd |
| Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 1) |
| Dropbox | Artifacts of Dropbox Usage on Windows 10 (Part 2) |
| Dropbox | Investigating the Dropbox Desktop App for Windows with Belkasoft X |
| Dropbox | Investigating Dropbox |
| Email Forensics | Email Forensics – Definition and Guideline - Salvation Data |
| Email Forensics/Artifacts | Techniques In Email Forensic Analysis and Email Header Forensic Analysis - Joseph Moronwi |
| Event Log (Damaged Logs) | Event Log Explorer Forensic Edition – working with damaged logs or disks - EventLogExplorer |
| Event Log Access | C:\ProgramData\Microsoft\Event Viewer\ExternalLogs – artifacts showing what Windows Event Logs were opened on the suspected device - CyberDefNerd |
| Event Logs | Files in Event Log Explorer Forensic Edition. Searching for removed events - FSPro Labs Download |
| Event Logs | Investigating Windows Event Logs - Forensafe |
| Event Logs (Cheat Sheet) | Hunting Windows Event Logs - Avesta Fahimipour |
| Event Tracing (ETW) | A Begginers All Inclusive Guide to ETW - Blakes R & D |
| Evernote | Investigating Evernote |
| Exif Data | How To Use ExifTool To Look At Metadata - CyberSocialHub |
| Exif Data that was "removed" | Windows Explorer: Improper Exif Data Removal - Didier Stevens |
| ExpressVPN | Investigating ExpressVPN - Forensafe |
| Facebook Messenger | Investigating Facebook Messenger Windows Application |
| FeatureUsage | Employing FeatureUsage for Windows 10 Taskbar Forensics - Crowdstrike |
| File Carving | File carving: Recovering a deleted file from a Windows disk image |
| File Carving | File Carving In Windows - Joseph Moronwi |
| File Explorer - Temporary Zip Folders | Investigating Explorer's temporary ZIP folders and retrieving files - MattCASmith |
| File Extension Associations | Investigating File Extension Associations - Forensafe |
| File Signature And Hash Analysis | File Signature And Hash Analysis - Joseph Moronwi |
| FileZilla | Investigating FileZilla - Forensafe |
| Firefox | Investigating Firefox |
| Foxit PDF Reader | Investigating Foxit Reader - Forensafe |
| F-Secure | Investigating Windows F-Secure - Forensafe |
| GIMP | Quick tip: GIMP Recent Files Artifact |
| GKE Containers | Investigating a GKE Container - Open Source DFIR |
| Google Chrome | Has the user logged into this account, or not? (Google Chrome’s Login Data-Part 1) (Part 2) |
| Google Chrome | Chrome Media History |
| Google Chrome | Chrome Media History Tracking Your Viewing Habits |
| Google Chrome | Chromium Session Storage and Local Storage |
| Google Chrome | Investigating Google Chrome Web Browser |
| Google Drive | Data Exfiltration Using Google Drive — Forensic Investigation |
| Google Drive | Investigating Google Drive |
| Google Drive FS | Investigating Windows Google Drive - Forensafe |
| Google Tasks - Google Takeout | Check Marks the Spot - Google Tasks from Takeout - Stark4n6 |
| GoToMeeting | GoToForensics - DFIR TNT |
| HeapLeakDetection Registry Key | The Mystery of the HeapLeakDetection Registry Key - RAT in Mi Kitchen |
| HTTP Request Headers | Understanding HTTP Request Headers - Josh Rickard |
| imo (Messenger) | Investigating Window imo - Forensafe |
| INetCache | INetCache: Exploiting From Within - ParaFlare |
| InstallDate affected by Win11 Upgrade | Windows InstallDate could be changed via Windows Update |
| Installed Programs List | Investigating Installed Programs |
| Internet Explorer | Investigating Internet Explorer Web Browser |
| iTunes | Windows iTunes Desktop Application - Forensafe |
| Jump Lists | Investigating Jump Lists |
| Kaspersky Antivirus | Investigating Windows Kaspersky Antivirus - Forensafe |
| Last Accessed Key | Investigating Last Accessed Key |
| Last Shutdown | Investigating Last Shutdown - Forensafe |
| LNK files | Investigating Link File |
| LNK Files | Exploring Windows Artifacts : LNK Files - u0041 |
| Logfile | Windows Logfile - Forensafe |
| LogMeIN | Investigating LogMeIN - Forensafe |
| Logon | Better know a data source: Logon sessions - Jonathan Johnson |
| MAC Randomization | MAC Randomization in Windows - Forensic 4:cast |
| Machine SID | Investigating MachineSID - Forensafe |
| Malwarebytes | Investigating Windows MalwareBytes - Forensafe |
| Mapped Network Drives | Investigating Windows Mapped Network Drives - Forensafe |
| Maps | Investigating Windows 10 Maps |
| MEGA | Even more MEGA - kibaffo33 |
| MegaNZ/MegaCMD | Forensic Investigation of the MEGAcmd Client - Awake Security |
| Mega's megapreferences | Decrypting Mega’s megaprefences Sqlite Database - AskClees Part 2 |
| MEGAsync | An Encounter With Ransomware-as-a-Service: MEGAsync Analysis |
| Memories | Leaky Notifications from Windows 11 - Ian D |
| Microsoft Edge | Investigating Microsoft Edge Web Browser and Application |
| Microsoft Edge (Chromium) | Investigating Edge Chromium Web Browser |
| Microsoft Management Console MRU | Investigating Microsoft Management Console (MMC) MRU - Forensafe |
| Microsoft Office | An Inside View of Office Document Cache Exploitation |
| Microsoft Office | Investigating Microsoft Office - Forensafe |
| Microsoft Office 365 | Everything you need to know about MailItemsAccessed and more |
| Microsoft Teams | Microsoft Teams artifacts and chat logs |
| Microsoft Teams | Microsoft Teams and Skype Logging Privacy Issue |
| Microsoft Teams | Microsoft Teams Logs for Activity |
| Microsoft Teams | Collecting from Microsoft Teams using PowerShell |
| Microsoft Teams | MS Teams Desktop Forensic - Misconfig |
| Microsoft User Access Logs (UAL) | A new type of User access log |
| Mozilla Thunderbird | Investigating Thunderbird Windows Application |
| MPLog | Mind the MPLog: Leveraging Microsoft Protection Logging for Forensic Investigations - CrowdStrike |
| MRU | What is MRU (Most Recently Used)? - Magnet Forensics |
| MUICache | Forensic Analysis of MUICache Files in Windows - Magnet Forensics |
| MUICache | Let's Talk About MUICache - 13Cubed |
| MUICache (Multilingual User Interface) | Investigating MUICache |
| Network Interfaces | Investigating Windows Network Interfaces - Forensafe |
| Network Persistent State (Chromium) | Recovering WiFi SSIDs from Chromium's Network Persistent State File - Alex Bilz |
| Network Traffic | Analyzing Network Packets With Wireshark – AD And User Enumeration - m365guy |
| Notepad++ | Investigating Windows Notepad++ Desktop Application - Forensafe |
| Office MRU | What is a Microsoft Office Most Recently Used Artifact “MRU” - Cyber Triage |
| OneDrive | OneDrive and NTFS last access timestamps |
| OneDrive | Investigating OneDrive |
| OneDrive | Reading OneDrive Logs: Part 1 Part 2 - SwiftForensics |
| OneDrive - $MFT | The $MFT flag that you have never considered before – OneDrive not synchronized files. - CyberDefNerd |
| OneDrive Folder Structure | Recreating OneDrive’s Folder Structure from .dat |
| OneDrive Logs | Reading OneDrive Logs - SwiftForensics |
| OpenSaveMRU | What is a Windows OpenSave MRU Artifact? - CyberTriage |
| OpenVPN | Investigating Windows OpenVPN - Forensafe |
| Opera Web Browser | Investigating Opera Web Browser |
| Outlook | Investigating Outlook Windows Application |
| Page File URL's | Investigating Page File URL's - Forensafe |
| Pagefile | An Intro to Pagefil Forensic |
| Paint MRU | Investigating Paint MRU |
| pCloud | Investigating pCloud - Forensafe |
| Persistence Mechanisms | 13Cubed - Persistence Mechanisms |
| Photo GPS Artifacts | One Country, Two Systems - HackerFactor |
| Powershell | Powershell - Forensafe |
| Powershell Logs | How long was the malicious PowerShell script active on the compromised machine? - CyberDefNerd |
| PowerShell Scripts | Reconstructing PowerShell scripts from multiple Windows event logs - Sophos |
| Powershell Scripts from Event Logs | Join PowerShell Script from Event Logs |
| Prefetch | Uncovering Hidden Clues: How Windows Artifact Prefetch Can Help in Digital Forensics Investigations in Windows 11 Machine - 4n6Shetty |
| Printer Information | Investigating Printers Information |
| Profiles | Investigating Profiles List - Forensafe |
| Program Compatibility Assistant | New Windows 11 Pro (22H2) Evidence of Execution Artifact! - Andrew Rathbun & Lucas Gonzalez |
| ProtonVPN | Investigating Proton VPN - Forensafe |
| PsExec | The Key to Identify PsExec - Fabian Mendoza |
| Quick Access | Investigating Quick Access - Forensafe |
| Recent Items | Investigating Recent Items - Forensafe |
| RecentDocs MRU | Investigating RecentDocs MRU |
| Recents Folder | What is a Windows Recents Folder Artifact? - Cyber Triage |
| Registry | Threat Hunting for Windows Registry - Alican Kiraz |
| Registry | The Defender’s Guide to the Windows Registry - Luke Paine |
| Registry Hive Bins | Maximum Exploitation of Windows Registry Hive Bins - Arsenal Recon |
| Remote Access Software | Remote Access Software - Forensics - Vikas Singh |
| Remote Desktop MRU | Investigating Remote Desktop Connection MRU |
| Remote Desktop Protocol (RDP) | 13Cubed - RDP Cache Forensics & 13Cubed - RDP Event Log Forensics |
| Remote Desktop Protocol (RDP) | Windows Forensic Analysis: some thoughts on RDP related Event IDs |
| Remote Desktop Protocol (RDP) | Remote Desktop Connection (mstsc.exe) Screen in a Memory Dump Analysis |
| RunMRU | Investigating Run MRU - Forensafe |
| Screenshots | Tracking screenshots with LNK files - ThinkDFIR |
| SDeleted Files | Forensic Detection of Files Deleted via SDelete - InverseCos |
| Searched Strings/WordWheelQuery | Investigating Searched Strings |
| Security:4624 (Win11) | DFIR FYI: Security:4624 has been updated in Windows 11 Pro (22H2) - Andrew Rathbun |
| ShimCache | Investigating ShimCache with ArtiFast ShimCache Artifact Parser - Forensafe |
| Signal | Pulling encrypted Signal messages off of desktop OS’ for forensics |
| Signal | Signal for Desktop - A Digital Forensics Perspective |
| Signal | Investigating Signal with ArtiFast Signal |
| Skype | Analysis of Skype - Windows 10 App Version 12.7 and higher |
| Skype | Skype Analysis - From the old one to the newest one - A First Overview |
| Skype | Extracting Skype Histories and Deleted Files Metadata from Microsoft Account |
| Skype | Microsoft Teams and Skype Logging Privacy Issue |
| Skype | Investigating Skype for Desktop and Windows Application |
| Skype (Metro App) | Analysis of Skype App for Windows (Metro-App) - Version 14.xx |
| Slack | Investigating Slack for Windows - Forensafe |
| SQLite Databases | SQLite Forensics with Belkasoft X |
| SRUM | SRUM: Forensic Analysis of Windows System Resource Utilization Monitor - Magnet Forensics |
| SRUM - SRUBD.dat | Swimming in the SRUM |
| Sticky Notes | Investigating Sticky Notes |
| Swapfile URL's | Investigating Swap File URL's - Forensafe |
| Sysmon | Sysmon 13.10 — FileDeleteDetected |
| System Information | Investigating System Information |
| System Resource Utilization Monitor (SRUM) | 13Cubed - Windows SRUM Forensics |
| Task Scheduler | Investigating Task Scheduler |
| Tasks | Windows Registry Analysis – Today’s Episode: Tasks - Cyber.wtf |
| TeamViewer | Digital Forensic Artifact of TeamViewer Application |
| TeamViewer | TeamViewer Forensics |
| TeamViewer | Magnet User Summit DFIR CTF 2019-Activity |
| TeamViewer | Analyze TeamViewer and its Log Files For Investigation |
| TeamViewer | TeamViewer Forensics |
| TeamViewer | Blog #27: IPv6 in TeamViewer(v15) part 1. [EN] & Blog #28: IPv6 in TeamViewer(v15) part 2. [EN] |
| TeamViewer | Blog #28: IPv6 in TeamViewer(v15) part 2. [EN] |
| Time Rules - Windows 11 | Windows 11 Time Rules - Khyrenz Ltd |
| Timezone Information | Investigating Timezone Information - Forensafe |
| Torch Browser | Investigating Torch Web Browser |
| Typed Paths | Investigating Typed Paths |
| Typed URLs | Investigating Typed URLs |
| UC Web Browser | Investigating UC Web Browser |
| Unigram | Investigating Windows Unigram - Forensafe |
| Universal Serial Bus (USB) | Episode 106: The TWO Serial Numbers of a USB Device - Part 1 - 3 Min Max Series, Episode 107: Part 2, Episode 108: Part 3 |
| Universal Serial Bus (USB) | USB IDs |
| Universal Serial Bus (USB) | 13Cubed - Introduction to USB Detective |
| Universal Serial Bus (USB) | DeviceHunt |
| Universal Serial Bus (USB) | A Monkey Forays Into USB Flashdrives |
| Universal Serial Bus (USB) | No Drive Letter, No USB Evidence? Think Again! |
| Universal Serial Bus (USB) | Investigating USB Drives using Mount Points Not Drive Letters |
| Universal Serial Bus (USB) | 13Cubed - Introduction to Windows Forensics |
| Universal Serial Bus (USB) | Episode 109: The TWO Serial Numbers of a USB Device - Part 4 |
| Universal Serial Bus (USB) | Episode 98: USB Forensics Series - Part 1 of 7 |
| Universal Serial Bus (USB) | Episode 99: USB Forensics Series - Part 2 of 7 |
| Universal Serial Bus (USB) | Episode 101: USB Forensics Series - Part 3 of 7 |
| Universal Serial Bus (USB) | Episode 102: USB Forensics Series - Part 4 of 7 |
| Universal Serial Bus (USB) | Episode 103: USB Forensics Series - Part 5 of 7 |
| Universal Serial Bus (USB) | Episode 104: USB Forensics Series - Part 6 of 7 |
| Universal Serial Bus (USB) | Episode 105: USB Forensics Series - Part 7 of 7 |
| Universal Serial Bus (USB) | Incident Response Thumb Drive |
| USB "Serial Numbers" | The Truth About USB Device Serial Numbers – (and the lies your tools tell) - Computer Evidence Recovery |
| USB Artifacts with no logged-in user | https://www.khyrenz.com/blog/usbs-without-login/>USB connections with no logged-in user |
| USB Connection Times | USB or not USB... Connection Times - Kathryn Hedley |
| USB Devices | Investigating USB Devices - Forensafe |
| UserAssist | Investigating UserAssist |
| Velociraptor | Velociraptor - Dig Deeper |
| Viber.db | On Viber.db and Thumbnail Paths - Random Dent |
| VirtualBox | Investigating VirtualBox - Forensafe |
| Vivaldi Browser | Investigating Vivaldi Web Browser |
| VMTools Persistence - VMWareToolBoxCmd.exe | Analyzing and Detecting a VMTools Persistence Technique |
| VMWare | Investigating VMware Windows Application |
| VSS | VSS Carving - Pt. 1, Setup - Nullsec and Pt. 2 |
| Web Browsers (Chrome, Firefox, Edge) | Web Browsers Forensics |
| WhatsApp | WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts |
| Whatsapp | Investigating WhatsApp |
| Windows - Active Directory | DFIR – Windows and Active Directory persistence and malicious configurations |
| Windows - AmCache | Analysis of the AmCache |
| Windows - Amcache | (Am)Cache rules everything around me |
| Windows - Amcache | Investigating Amcache |
| Windows - BAM | BAM internals |
| Windows - BitLocker | BitLocker Decryption Explained |
| Windows - BitLocker | How to handle Bitlocker Encrypted Volumes |
| Windows - BitLocker | The Interesting Case of Windows Hibernation and BitLocker |
| Windows - BitLocker | BitLocker for DFIR – Part III |
| Windows - BitLocker | BitLocker for DFIR – Part II |
| Windows - BitLocker | BitLocker for DFIR – Part I |
| Windows - BITS | Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service |
| Windows - CertUtil | Certutil download artefacts |
| Windows - Certutil | Certutil Artifacts Analysis |
| Windows - Compressed Memory | Forensic analysis of Windows 10 compressed memory using Volatility |
| Windows - Event IDs | Event ID 1024 |
| Windows - Event IDs | 4625 Events – Know your enemy |
| Windows - Event IDs | DNS investigation on Windows |
| Windows - Event Logs | Making the Most Out of WLAN Event Log Artifacts |
| Windows - Event Logs | Parsing carved evtx records using EvtxECmd |
| Windows - Event Logs | 13Cubed - Event Log Forensics with Log Parser |
| Windows - Event Logs | 13Cubed - Introduction to EvtxECmd |
| Windows - Event Logs | Are you sure you extract all the available Volume Serial Numbers (VSNs) that reside in the Windows 10 Event Log “Microsoft-Windows-Partition%4Diagnostic.evtx”? |
| Windows - Event Logs | Finding Forensic Goodness In Obscure Windows Event Logs |
| Windows - Event Logs | Using the Convert-EventLogRecord function alongside the Get-WinEvent PowerShell cmdlet to search Windows event logs |
| Windows - EventTranscript.db | Forensically Unpacking EventTranscript.db: An Investigative Series |
| Windows - EventTranscript.db | EventTranscript.db Research |
| Windows - EventTranscript.db | Parsing Diagnostic Data With Powershell and Enhanced Logging |
| Windows - EventTranscript.db | Parsing EventTranscript.db With KAPE and SQLECmd |
| Windows - EventTranscript.db | Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging |
| Windows - EventTranscript.db | EventTranscript.db vs .rbs Files and Their Relation to DiagTrack |
| Windows - Executables | Verifying executables on Windows |
| Windows - hiberfil.sys | How to read Windows Hibernation file (hiberfil.sys) to extract forensic data? |
| Windows - JumpLists | 13Cubed - LNK Files and Jump Lists |
| Windows - JumpLists | Episode 17: “Quick Win” files #2 - Jumplists-Part 2 |
| Windows - JumpLists | Episode 16: “Quick Win” files #2 - Jumplists-Part 1 |
| Windows - JumpLists | Episode 52: The invisible files - Jumplists |
| Windows - LastVisitedMRU | Investigating LastVisitedMRU |
| Windows - LNK Fies | LNK File Analysis: LNKing It Together! |
| Windows - LNK files | 13Cubed - Introduction to Windows Forensics |
| Windows - LNK files | The Missing LNK — Correlating User Search LNK files |
| Windows - LNK files | CVE-2020-0729: REMOTE CODE EXECUTION THROUGH .LNK FILES |
| Windows - LNK files | 13Cubed - LNK Files and Jump Lists |
| Windows - LNK files | Episode 20: “Quick Win” files #3 - .LNK files-Part 2 |
| Windows - LNK files | Episode 19: “Quick Win” files #3 - .LNK files-Part 1 |
| Windows - LNK files | Episode 51: Lies My Computer Told Me-LNK Files |
| Windows - LNK files | Exploring Windows Artifacts : LNK Files |
| Windows - LSASS | LSASS.DMP... Attacker or Admin? |
| Windows - Memory | Capturing Windows Memory |
| Windows - OpenSaveMRU | Investigating OpenSaveMRU |
| Windows - Pagefile.sys | Forensic Investigation: Pagefile.sys |
| Windows - Photos | Investigating Windows Photos |
| Windows - Prefetch | 13Cubed - Introduction to Windows Forensics |
| Windows - Prefetch | Evidence of file execution |
| Windows - Prefetch | 13Cubed - Prefetch Deep Dive |
| Windows - Prefetch | Extracting Windows Prefetch Files |
| Windows - Prefetch | Episode 24: “Quick Win” files #5 - Prefetch-Part 2 |
| Windows - Prefetch | Episode 23: “Quick Win” files #5 - Prefetch-Part 1 |
| Windows - Prefetch | Forensic Investigation : Prefetch File |
| Windows - Prefetch | Investigating Prefetch |
| Windows - Printer Usage via Event Logs | How to track printer usage with event logs |
| Windows - Program Execution Artifacts | Analyzing Program Execution Windows Artifacts |
| Windows - Protected Content | Accessing Protected Content using Windows Domain Controllers and Workstations |
| Windows - Recycle Bin | Windows Forensics: analysis of Recycle bin artifacts |
| Windows - Recycle Bin | 13Cubed - Recycle Bin Forensics |
| Windows - Recycle Bin | Investigating Windows Recycle Bin |
| Windows - Registry | A Technical Guide to Examining the Windows Registry |
| Windows - Registry | Forensic Investigation: Windows Registry Analysis |
| Windows - Registry | Registry hive basics part 1 |
| Windows - Registry | Registry hive basics part 2: NK records |
| Windows - Registry | Registry hive basics part 3: VK records |
| Windows - Registry | Registry hive basics part 4: SK records |
| Windows - Registry | Registry hive basics part 5: Lists |
| Windows - Registry | Exploring the Registry at the hex level |
| Windows - Registry | RECmd: command line tool for Windows Registry analysis |
| Windows - Registry | Episode 75: What is the Windows Registry? |
| Windows - Registry | Episode 78: What is the Windows Registry transaction log? |
| Windows - Registry | Episode 76: Investigating the Windows Registry using Registry Explorer - Part 1 |
| Windows - Registry | Episode 77: Investigating the Windows Registry using Registry Explorer - Part 2 |
| Windows - Registry | Episode 15: “Quick Win” files #1 - The Registry-Part 2 |
| Windows - Registry | Episode 14: “Quick Win” files #1 - The Registry-Part 1 |
| Windows - Registry | Exploring the Hive — Deep Inside the Window Registry |
| Windows - Registry | Windows registry Transaction Logs in forensic analysis |
| Windows - Registry | Exploring the Hive- Deep inside the Windows Registry. pt 2 |
| Windows - Registry | Your AV is Trying to Tell You Something: Registry |
| Windows - Registry | Registry Hive File Structure Analysis |
| Windows - Scheduled Tasks | A Deep Dive Into Windows Scheduled Tasks and The Processes Running Them |
| Windows - Security Event Logs | Windows Security Event Logs: my own cheatsheet |
| Windows - Services | Investigating Windows Services |
| Windows - Shellbags | 13Cubed - Introduction to Windows Forensics |
| Windows - Shellbags | 13Cubed - Shellbag Forensics |
| Windows - Shellbags | Episode 22: “Quick Win” files #4 - Shellbags-Part 2 |
| Windows - Shellbags | Episode 21: “Quick Win” files #4 - Shellbags-Part 1 |
| Windows - Shellbags | Forensic Investigation: Shellbags |
| Windows - Shellbags | Investigating Shellbags |
| Windows - ShimCache | 13Cubed - Windows Application Compatibility Forensics |
| Windows - SRUM | Investigating Windows System Resource Usage Monitor (SRUM) |
| Windows - StartupInfo | Who Left the Backdoor Open? Using Startupinfo for the Win |
| Windows - Task Scheduler | Investigating Task Scheduler |
| Windows - Taskbar | Employing FeatureUsage for Windows 10 Taskbar Forensics |
| Windows - ThumbCache | Investigating ThumbCache |
| Windows - Thumbs.db | Investigating Thumbs.db |
| WIndows - Time | Let's talk about time |
| Windows - Time Zones | Case 001 – The Timing of it All |
| Windows - Updates | Investigating Windows Update Log |
| Windows - User Access Logs (UAL) | Windows User Access Logs (UAL) |
| Windows - User Access Logs (UAL) | A new type of User access log |
| Windows - User Access Logs (UAL) | UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations |
| Windows - User Accounts | Blue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process, Applications, Folders, and Files |
| Windows - User Accounts | Investigating User Accounts - Forensafe |
| Windows - UserAssist | 13Cubed - Introduction to Windows Forensics |
| Windows - UserAssist | UserAssist — with a pinch of Salt — As an “Evidence of Execution” |
| Windows - Various User Data | Blue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData, and Environment Variables |
| Windows - Volume Shadow Copies | Extracting unallocated clusters from a shadow copy |
| Windows - Volume Shadow Copies | Offline shadow copies |
| Windows - Volume Shadow Copies | 13Cubed - The Volume Shadow Knows |
| Windows - Volume Shadow Copies | Episode 53: Volume Shadow Copy-Part 1 |
| Windows - Volume Shadow Copies | Episode 54: Volume Shadow Copy-Part 2 |
| Windows - Volume Shadow Copies | Episode 55: Volume Shadow Copy-Part 3 |
| Windows - Volume Shadow Copies | Shadow copies become less visible |
| Windows - Windows Install Date | When Windows Lies |
| Windows - WinSCP | Detecting Lateral Movement with WinSCP |
| Windows - Wireless Networks | Investigating Windows Wireless Networks |
| Windows - Zone Identifiers | Zone.Identifier: A Couple Of Observations |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 3: Clipboard Craziness |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 1: The High Points |
| Windows 10 - Activity Timeline | Exploring the Windows Activity Timeline, Part 2: Synching Across Devices |
| Windows 10 - Activity Timeline | Reconstructing User Activity for Forensics with FeatureUsage |
| Windows 10 - Activity Timeline | Investigating Windows 10 Timeline |
| Windows 10 - Activity Timeline | Analyzing Microsoft Timeline, OneDrive and Personal Vault Files |
| Windows 10 - Cortana | Investigating Windows Cortana |
| Windows 10 - Google Drive | Artifacts of Google Drive Usage on Windows 10 (Part 1) |
| Windows 10 - Install Date | Windows 10 Install Date - The Real One |
| Windows 10 - Mail App | Windows 10 Mail App Forensics |
| Windows 10 - Notifications | Investigating Windows 10 Notifications |
| Windows 10 - NTFS Timestamps | NTFS Timestamp changes on Windows 10 |
| Windows 10 - Remote RAM Capture | Capturing and Retrieving a Memory Image Remotely |
| Windows 10 - Shimcache | Let's Talk about Shimcache - The Most Misunderstood Artifact |
| Windows 10 - Sticky Notes | Windows 10 Sticky Notes Location |
| Windows 10 - USB Storage | USB storage forensics in Win10 #1 - Events |
| Windows 10 - Windows Timeline | Windows Timeline: Putting the what & when together |
| Windows 11 - ETW | ETW on Windows 11 - Initial thoughts |
| Windows 11 - New ETW Providers | Windows 11 “New” ETW Providers — Overview |
| Windows 11 Changes | Windows 10 vs. Windows 11, What Has Changed? - Andrew Rathbun |
| Windows 11 GUID Partition Scheme (GPT) | Boggle-bytes in a Basic Data Partition Entry - Ian D |
| Windows Artifacts General Reference | |
| Windows Calendar | Investigating Windows Calendar |
| Windows Event Tracing | Open .ETL Files with NetworkMiner and CapLoader |
| Windows Images with Infections for Testing | DFIRArtifactMuseum - Andrew Rathbun |
| Windows Logon Banner | Investigating Logon Banner - Forensafe |
| Windows Mail | Investigating Windows Mail - Forensafe |
| Windows Management Instrumentation (WMI) | Investigating Windows Management Instrumentation (WMI) - Forensafe |
| Windows Management Instrumentation (WMI) | WMI Internals Part 1 - jsecurity101 |
| Windows Registry | Mysteries of the Registry - Pavel Yosifovich |
| Windows Run MRU | Investigating Windows Run MRU - Forensafe |
| Windows Search Index | Investigating Windows Search Index - Forensafe |
| Windows Search Index | Windows Search Index - AON Cyber Labs |
| Windows Startup Programs | Investigating Windows Startup Programs - Forensafe |
| Windows Subsystem for Linux | Windows Subsystem for Linux: Finding the Penguin - SketchyMoose |
| Windows Terminal | Investigating Windows Terminal - Forensafe |
| Windows Update Impact on Artifacts | Can Windows Update fool you during the investigation? - CyberDefNerd |
| WinRAR | Investigating WinRAR - Forensafe |
| WinZip | Investigating WinZip - Forensafe |
| Wireless Networks | Investigating Windows Wireless Networks - Forensafe |
| WordPad Recent Files | Investigating WordPad Recent Files - Forensafe |
| WSH | The Forensic Value of the (Other) WSH Registry Key - RAT In Mi Kitchen |
| YARA Rules | Investigating Artifacts Using YARA Rules with ArtiFast - Forensafe |
| ZIP Files and Compressed Archives | Forensically Analyzing ZIP & Compressed Files |
| Zone.Identifier Stream | Forensic Analysis of the Zone.Identifier Stream - Digital Detective |
| Zoom | Investigating Zoom - Forensafe |