Saturday, October 18, 2025

Windows Forensic Artifact Cheatsheet

📂 File System Artifacts

  • $MFT (Master File Table): NTFS metadata; shows all files and timestamps.
  • $LogFile: Records filesystem changes; useful for file creation/deletion events.
  • $UsnJrnl (Change Journal): Tracks file changes; helpful for ransomware investigations.
  • Recycle Bin: C:\$Recycle.Bin\<SID>; tracks deleted files.
  • LNK (Shortcut) Files: User activity on opened files and programs.
  • Thumbcache: Stores thumbnails of viewed images/files.
    • C:\Users\<User>\AppData\Local\Microsoft\Windows\Explorer
  • Recent Files: C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent

🧾 Log Files

  • Event Logs:
    • Security: Logon, privilege use → Security.evtx
    • System: Device & driver logs → System.evtx
    • Application: Program-specific logs → Application.evtx
    • PowerShell: Script execution logs → Microsoft-Windows-PowerShell/Operational.evtx
    • Sysmon (if installed): High-fidelity telemetry
  • Windows Firewall Logs: C:\Windows\System32\LogFiles\Firewall\pfirewall.log
  • Windows Update Logs: C:\Windows\WindowsUpdate.log

🧬 Registry Artifacts

  • Hives:
    • NTUSER.DAT: User-specific settings
    • SAM: Security Account Manager
    • SYSTEM: System configuration
    • SOFTWARE: Installed applications & configs
  • UserAssist: Tracks GUI-based program execution
  • Run / RunOnce Keys: Persistence points
  • ShimCache (AppCompatCache): Execution artifacts stored in SYSTEM hive
  • Amcache.hve: Application execution and install metadata
  • MRU Lists: Tracks most recently used files/locations
  • TypedURLs: URLs typed into Internet Explorer

💻 Execution & Persistence

  • Prefetch Files: Tracks program executions (last 8 executions)
    • C:\Windows\Prefetch
  • Scheduled Tasks: schtasks /query
  • Services: services.msc, sc query
  • WMI Persistence: wmic /namespace:"\\root\subscription" PATH __EventFilter
  • Startup Folder: C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • Registry Run Keys: Persistence across reboots
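
The following PowerShell triage script is an added example, not part of the original cheat sheet: it walks the execution and persistence locations listed above (Run/RunOnce keys, Startup folders, scheduled tasks, WMI event subscriptions in root\subscription, and Prefetch) on a live host and emits one object per finding. The function name Get-PersistenceTriage is assumed for this example; run it from an elevated prompt and pipe the output to Export-Csv to preserve it.

```powershell
# Added example (not the cheat sheet's own code). Enumerates the persistence and
# execution artifacts named above. Function name is an assumption for this example.
function Get-PersistenceTriage {
    [CmdletBinding()]
    param([string]$PrefetchPath = "$env:SystemRoot\Prefetch")   # path from the cheat sheet

    # 1. Run / RunOnce keys for the machine (HKLM) and the current user (HKCU).
    $providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -in $providerMeta) { continue }          # skip provider metadata
                [pscustomobject]@{ Source = 'RunKey'; Location = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }

    # 2. Per-user and all-users Startup folders (the cheat sheet lists the per-user path).
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = 'StartupFolder'; Location = $path; Name = $_.Name; Value = $_.LastWriteTimeUtc }
        }
    }

    # 3. Scheduled tasks with their actions (structured equivalent of schtasks /query).
    Get-ScheduledTask | Where-Object { $_.Actions } | ForEach-Object {
        $exec = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        [pscustomobject]@{ Source = 'ScheduledTask'; Location = $_.TaskPath; Name = $_.TaskName; Value = $exec }
    }

    # 4. WMI event subscriptions: the classes the wmic line above queries, plus consumers and bindings.
    foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-CimInstance -Namespace 'root\subscription' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Source = 'WMI'; Location = $class; Name = $_.CimClass.CimClassName
                                   Value = ($_ | Format-List | Out-String).Trim() }
            }
    }

    # 5. Most recently written Prefetch files (the .pf name embeds the executable name).
    Get-ChildItem -Path $PrefetchPath -Filter '*.pf' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTimeUtc -Descending | Select-Object -First 20 | ForEach-Object {
            [pscustomobject]@{ Source = 'Prefetch'; Location = $PrefetchPath; Name = $_.Name; Value = $_.LastWriteTimeUtc }
        }
}

Get-PersistenceTriage | Format-Table -AutoSize -Wrap
```

Prefetch parsing of embedded run timestamps and hashes is left to MFTECmd/PECmd-style tools; this script only surfaces where to look and when the artifact last changed.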

🌐 Network Artifacts

  • DNS Cache: ipconfig /displaydns
  • ARP Cache: arp -a
  • Netstat Output: Active connections → netstat -ano
  • RDP Connection Logs: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

👤 User Artifacts

  • Browser Artifacts:
    • Chrome: C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default
    • Edge/IE: C:\Users\<User>\AppData\Local\Microsoft\Edge\User Data
  • Email Clients: Outlook PST/OST files
  • USB Device History: SYSTEM hive → Enum\USBSTOR
  • Mounted Devices: Tracks drive mounts
  • Shellbags: Folder view preferences (can indicate accessed directories)

✅ Use tools like KAPE, RECmd, MFTECmd, Eric Zimmerman's Tools, Volatility, and Plaso for collection and analysis.

Happy Hunting!
