Introduction
Windows systems contain a wealth of forensic artifacts that can reveal user activity, program execution, and system events. This part covers the most important Windows-specific evidence sources that every forensic examiner must master.
Master Windows Registry analysis, Event Log investigation, Prefetch file examination, LNK shortcut parsing, and Jump List analysis to reconstruct user activity and system events.
Windows Registry Analysis
The Windows Registry is a hierarchical database storing configuration settings and options. For forensic examiners, it's a goldmine of evidence about system configuration, user activity, and installed software.
Registry Hive Locations
```
# System Hives (C:\Windows\System32\config\)
SAM        # Security Account Manager - user accounts and password hashes
SECURITY   # Security policies and audit settings
SOFTWARE   # Software configuration, installed programs
SYSTEM     # Hardware config, services, drivers
DEFAULT    # Default user profile template

# User Hives
C:\Users\[username]\NTUSER.DAT                                     # User settings (HKCU)
C:\Users\[username]\AppData\Local\Microsoft\Windows\UsrClass.dat   # User class registrations (ShellBags)

# AmCache - program execution evidence
C:\Windows\AppCompat\Programs\Amcache.hve
```
Key Forensic Registry Locations
User Activity Evidence
Recently accessed documents by extension type.
Paths typed directly into Explorer address bar.
Commands typed in the Run dialog (Win+R).
Search terms entered in Explorer search box.
Program Execution Evidence
Programs run via Explorer, with execution counts and last run times (the value names are ROT13 encoded).
Application paths for installed programs.
ShimCache (AppCompatCache) - evidence that an executable was present on the system; an entry can be created without the program actually running, so it is weaker execution evidence than Prefetch or UserAssist.
USB Device History
USB storage devices that were connected - includes serial numbers.
Drive letter assignments for mounted volumes.
Friendly names of connected portable devices.
Network Evidence
Network profiles with connection dates and types (wired/wireless).
Network signatures including MAC addresses and SSIDs.
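The UserAssist entries mentioned above can be decoded with a few lines of Python. This is an added example, not code from the original page; the 72-byte value layout (run count at offset 4, last-run FILETIME at offset 60, Windows 7 and later) and the constructed sample value are assumptions stated in the comments.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed layout (Windows 7 and later): each UserAssist value is a 72-byte blob with
# the run count at offset 4 and the last-run FILETIME at offset 60.
USERASSIST_SIZE = 72
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed sample: the value name is ROT13 of "{1AC14E77-...}\cmd.exe"
# ({1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} is the System32 known-folder GUID).
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2024, 3, 5, 14, 30, 0, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means unset."""
    return _EPOCH + timedelta(microseconds=ft // 10) if ft else None

def datetime_to_filetime(dt):
    """Integer arithmetic so large tick counts stay exact."""
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def decode_userassist(value_name, value_data):
    """Return (program path, run count, last run) for one UserAssist value."""
    path = codecs.decode(value_name, "rot13")  # value names are ROT13 encoded
    if len(value_data) < USERASSIST_SIZE:
        raise ValueError("unexpected UserAssist data size: %d" % len(value_data))
    run_count = struct.unpack_from("<I", value_data, 4)[0]
    last_run_ft = struct.unpack_from("<Q", value_data, 60)[0]
    return path, run_count, filetime_to_datetime(last_run_ft)

def build_sample_value(run_count, last_run):
    """Constructed test data laid out as Windows would store it."""
    data = bytearray(USERASSIST_SIZE)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return bytes(data)

if __name__ == "__main__":
    blob = build_sample_value(7, SAMPLE_LAST_RUN)
    print(decode_userassist(SAMPLE_NAME, blob))
```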
Use dedicated tools for registry analysis:
- Registry Explorer (Eric Zimmerman): Free, powerful GUI tool
- RegRipper: Automated registry parsing with plugins
- RECmd: Command-line registry parser
- Autopsy: Integrated registry analysis module
Windows Event Logs
Windows Event Logs record system, security, and application events. They're crucial for investigating security incidents, user logons, and system changes.
Event Log Locations
```
# Windows Vista and later Event Log location
C:\Windows\System32\winevt\Logs\

# Key Event Log files
Security.evtx                                                              # Logons, logoffs, privilege use, audit events
System.evtx                                                                # Driver loads, service starts/stops, system events
Application.evtx                                                           # Application errors and events
Microsoft-Windows-PowerShell%4Operational.evtx                             # PowerShell activity
Microsoft-Windows-TaskScheduler%4Operational.evtx                          # Scheduled tasks
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx   # RDP sessions
```
Critical Security Event IDs
| Event ID | Description | Forensic Value |
|---|---|---|
| 4624 | Successful logon | User logon activity, logon type, source IP |
| 4625 | Failed logon | Brute force attempts, password guessing |
| 4634/4647 | Logoff | Session duration analysis |
| 4648 | Explicit credential logon | RunAs, network drive mapping |
| 4672 | Special privileges assigned | Admin logons, privilege escalation |
| 4688 | Process creation | Program execution (if enabled) |
| 4720 | User account created | Backdoor account creation |
| 4732 | Member added to local group | Privilege escalation |
| 7045 | Service installed (System log) | Malware persistence |
Logon Types
| Type | Name | Description |
|---|---|---|
| 2 | Interactive | Keyboard/console logon |
| 3 | Network | Network share access, remote |
| 4 | Batch | Scheduled task |
| 5 | Service | Service account logon |
| 7 | Unlock | Workstation unlock |
| 8 | NetworkCleartext | IIS basic auth |
| 9 | NewCredentials | RunAs /netonly |
| 10 | RemoteInteractive | RDP logon |
| 11 | CachedInteractive | Domain logon with cached creds |
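As an added example (not code from the original page), the following Python applies the Event IDs and logon-type table above to constructed sample records: it looks for bursts of 4625 failed logons per source IP and then for a 4624 success from the same source, naming the logon type. The `key=value` line format and all sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type names from the table above (LogonType field of events 4624/4625).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Constructed sample records in an assumed key=value export format (documentation IPs).
SAMPLE_EVENTS = """\
time=2024-03-05 02:00:01|id=4625|user=administrator|ip=203.0.113.7|type=10
time=2024-03-05 02:00:03|id=4625|user=administrator|ip=203.0.113.7|type=10
time=2024-03-05 02:00:05|id=4625|user=admin|ip=203.0.113.7|type=10
time=2024-03-05 02:00:08|id=4625|user=jsmith|ip=203.0.113.7|type=10
time=2024-03-05 02:00:10|id=4625|user=jsmith|ip=203.0.113.7|type=10
time=2024-03-05 02:01:30|id=4624|user=jsmith|ip=203.0.113.7|type=10
time=2024-03-05 09:15:00|id=4624|user=jsmith|ip=192.0.2.10|type=2
time=2024-03-05 09:20:00|id=4625|user=mlee|ip=192.0.2.11|type=3""".splitlines()

def parse_event(line):
    f = dict(part.split("=", 1) for part in line.split("|"))
    return {"time": datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S"), "id": int(f["id"]),
            "user": f["user"], "ip": f["ip"], "logon_type": int(f["type"])}

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Map source IP -> (failure count, first failure time) for IPs with at least
    `threshold` 4625 events inside any `window`: the brute-force pattern."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625:
            by_ip[ev["ip"]].append(ev["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = (len(times), times[0])
                break
    return flagged

def success_after_failures(events, flagged):
    """4624 logons from a flagged IP after its first failure: the guessing may have
    succeeded. Returns (time, user, logon type name) tuples in time order."""
    return [(ev["time"], ev["user"], LOGON_TYPES.get(ev["logon_type"], "Unknown"))
            for ev in sorted(events, key=lambda e: e["time"])
            if ev["id"] == 4624 and ev["ip"] in flagged and ev["time"] >= flagged[ev["ip"]][1]]
```

Running `success_after_failures(parsed, failed_logon_bursts(parsed))` over the sample yields the single RemoteInteractive (RDP) logon by `jsmith` that follows the burst from 203.0.113.7.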
Prefetch Files
Prefetch files are created by Windows to speed up application loading. For forensics, they provide evidence of program execution with timestamps and execution counts.
Prefetch Location and Format
```
# Prefetch location
C:\Windows\Prefetch\

# Filename format
[EXECUTABLE_NAME]-[HASH].pf

# Examples
CHROME.EXE-5A3D7E90.pf
CMD.EXE-4A81B364.pf
POWERSHELL.EXE-767E3A5D.pf

# The hash is calculated from the executable's path:
# the same executable run from different paths produces different prefetch files
```
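The filename rule above can be turned into a check: parse the names in a Prefetch listing and report executables that appear with more than one hash, which means the same file name was run from more than one path. This is an added example, not code from the original page; the hash routine is the "SCCA Vista" variant as documented by the libscca project (other Windows versions use different variants), and the directory listing is constructed.

```python
import re
from collections import defaultdict

# [EXECUTABLE_NAME]-[HASH].pf; the name part may itself contain hyphens.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Constructed directory listing of C:\Windows\Prefetch
SAMPLE_LISTING = ["CHROME.EXE-5A3D7E90.pf", "CMD.EXE-4A81B364.pf", "CMD.EXE-1F2E3D4C.pf",
                  "POWERSHELL.EXE-767E3A5D.pf", "Layout.ini"]

def scca_vista_hash(device_path):
    """Path hash, 'SCCA Vista' variant as documented by libscca (assumption: other
    Windows versions use different variants). Input is the executable's full device
    path, e.g. \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CMD.EXE, upper-cased."""
    h = 314159
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return (h * 314159) & 0xFFFFFFFF

def prefetch_name(device_path):
    """Expected prefetch file name for an executable at the given device path."""
    exe = device_path.upper().rsplit("\\", 1)[-1]
    return "%s-%08X.pf" % (exe, scca_vista_hash(device_path))

def parse_prefetch_name(name):
    """Split a prefetch file name into (EXECUTABLE_NAME, HASH); None if not a .pf file."""
    m = PF_NAME.match(name)
    return (m.group("exe").upper(), m.group("hash").upper()) if m else None

def find_multi_path_executables(listing):
    """Executable names present with more than one hash: the same file name was run
    from more than one path (a copy of cmd.exe outside System32, for example)."""
    hashes_by_exe = defaultdict(set)
    for name in listing:
        parsed = parse_prefetch_name(name)
        if parsed:
            hashes_by_exe[parsed[0]].add(parsed[1])
    return {exe: sorted(h) for exe, h in hashes_by_exe.items() if len(h) > 1}

if __name__ == "__main__":
    print(find_multi_path_executables(SAMPLE_LISTING))
    print(prefetch_name(r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CMD.EXE"))
```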
Prefetch Contents
Execution Times
The last 8 execution times (Windows 8 and later) or only the most recent execution time (Windows 7 and earlier).
Run Count
Total number of times the application was executed.
Files Loaded
List of files/DLLs loaded in the first 10 seconds of execution.
Directories Referenced
Directories accessed during application startup.
Prefetch proves program execution even if the executable has since been deleted, provided the Prefetcher was enabled (it is disabled by default on Windows Server editions). The loaded files list can reveal what data was accessed. Look for suspicious executables such as renamed system tools (e.g., SVC.EXE that is actually cmd.exe).
Prefetch Analysis Tools
- PECmd (Eric Zimmerman): Command-line prefetch parser
- WinPrefetchView (NirSoft): GUI-based prefetch viewer
- Autopsy: Built-in prefetch analysis
LNK Shortcut Files
LNK files (Windows shortcuts) contain rich metadata about the target file, even if that file no longer exists. They're automatically created when files are accessed.
LNK File Locations
```
# Recent Items
C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Recent\

# Office Recent Documents
C:\Users\[user]\AppData\Roaming\Microsoft\Office\Recent\

# Start Menu
C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\

# Desktop
C:\Users\[user]\Desktop\
```
LNK File Contents
| Field | Description |
|---|---|
| Target path | Full path to the linked file |
| Target timestamps | Created, Modified, Accessed times of target |
| Target size | File size of target |
| Volume information | Serial number, type, label |
| NetBIOS name | Computer name where target resides |
| MAC address | Network adapter MAC (if network target) |
| Working directory | Initial working directory |
LNK files prove file access even if files are deleted. They capture timestamps that may predate current file timestamps. USB drive serial numbers in LNK files link users to specific devices. Network paths reveal accessed shares and their locations.
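The target timestamps and size in the table above sit in the fixed 76-byte ShellLinkHeader at the start of every LNK file, which is why they survive deletion of the target. The Python below parses that header from a constructed sample; it is an added example, not code from the original page, and the sample timestamps and size are made up. Volume serial, NetBIOS name and MAC address live in the LinkInfo and ExtraData structures that follow the header and are not parsed here.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, Creation/Access/Write FILETIMEs,
# FileSize, IconIndex, ShowCommand, HotKey (10 reserved bytes follow)
HEADER_FMT = "<I16sIIQQQIIIH"
HAS_LINK_INFO = 0x2  # LinkFlags bit: a LinkInfo (volume/path) structure follows the header
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values
SAMPLE_CREATED = datetime(2023, 11, 2, 8, 15, 0, tzinfo=timezone.utc)
SAMPLE_MODIFIED = datetime(2024, 1, 20, 17, 45, 30, tzinfo=timezone.utc)
SAMPLE_SIZE = 48_213

def filetime_to_datetime(ft):
    return _EPOCH + timedelta(microseconds=ft // 10) if ft else None

def datetime_to_filetime(dt):
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_lnk_header(data):
    """Parse the fixed ShellLinkHeader: the target's timestamps and size live here,
    so they survive even when the target file is gone."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize, _icon, _show, _hotkey = \
        struct.unpack_from(HEADER_FMT, data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Windows shortcut (bad HeaderSize or LinkCLSID)")
    return {"link_flags": flags, "file_attributes": attrs,
            "target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_modified": filetime_to_datetime(wtime),
            "target_size": fsize, "has_link_info": bool(flags & HAS_LINK_INFO)}

def build_sample_header(created, accessed, modified, size):
    """Constructed header only (a real .lnk continues with LinkInfo and string data)."""
    return struct.pack(HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO, 0x20,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(modified), size, 0, 1, 0) + bytes(10)

if __name__ == "__main__":
    hdr = build_sample_header(SAMPLE_CREATED, SAMPLE_MODIFIED, SAMPLE_MODIFIED, SAMPLE_SIZE)
    print(parse_lnk_header(hdr))
```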
Jump Lists
Jump Lists are a Windows 7 and later feature that shows recently and frequently used items per application. They persist even after the files are deleted and the applications are closed.
Jump List Locations
```
# Automatic Destinations (recent items)
C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\

# Custom Destinations (pinned items)
C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\

# File naming
[AppID].automaticDestinations-ms
[AppID].customDestinations-ms
```
Common Application IDs
| Application | AppID |
|---|---|
| Windows Explorer | f01b4d95cf55d32a |
| Chrome | 5d696d521de238c3 |
| Firefox | 10f5a20c21466e85 |
| Microsoft Word | a7bd71699cd38d1c |
| Microsoft Excel | 1bc392b8e104a00e |
| Notepad | 9b9cdc69c1c24e2b |
| CMD | f0275e8685d95486 |
| PowerShell | 9fda41b86ddcf1db |
Jump List Analysis Tools
- JLECmd (Eric Zimmerman): Comprehensive Jump List parser
- JumpListExplorer: GUI-based viewer
- Autopsy: Built-in Jump List analysis
ShellBags
ShellBags record folder access, view preferences, and window positions. They persist evidence of folder access even after folders are deleted or removable media is ejected.
ShellBag Locations
```
# NTUSER.DAT - Desktop, shares, folder views
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

# UsrClass.dat - Zips, FTP, remote folders
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
```
ShellBags prove that a user browsed to a specific folder using Windows Explorer. This includes USB drive folders, network shares, and even deleted folders. The timestamps indicate when the folder was accessed. ShellBags persist across reboots and survive file deletion.
- The Windows Registry contains evidence of user activity, program execution, USB devices, and network connections
- Event Logs record security events - Event IDs 4624, 4625, 4688 are critical for investigations
- Prefetch files prove program execution with timestamps and execution counts
- LNK files preserve metadata about accessed files even after deletion
- Jump Lists track recent and frequent items per application
- ShellBags record folder navigation history including deleted folders and removable media