# Welcome

This handbook provides an in-depth guide to the Windows forensic artifacts that can be used during an investigation. For each artifact it covers the artifact's location, the tools available to parse it, and how to interpret the results of a forensic extraction. It is intended as a comprehensive resource for anyone seeking to deepen their understanding of Windows forensic artifacts and how to leverage them properly during an investigation.

### GitHub

{% embed url="https://github.com/Psmths/windows-forensic-artifacts" %}

### Artifacts by Type

<table data-view="cards"><thead><tr><th></th><th></th><th></th><th data-hidden data-card-cover data-type="files"></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>Registry Artifacts</strong></td><td><em>Artifacts found in the Windows registry</em></td><td></td><td><a href="https://2561440521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fiw3VkMLE3v7eYbxTGUJS%2Fuploads%2Fttut9G9kIwSm5fn5410I%2Fregistry.png?alt=media&#x26;token=53470314-1efb-491e-a16a-33615d10f6ce">registry.png</a></td><td><a href="artifacts-by-type/registry-artifacts">registry-artifacts</a></td></tr><tr><td><strong>Event Log Artifacts</strong></td><td><em>Artifacts created by Windows Event Log Providers</em></td><td></td><td><a href="https://2561440521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fiw3VkMLE3v7eYbxTGUJS%2Fuploads%2Fe3UhkFBSc4z0OUkngSzX%2Feventlog.png?alt=media&#x26;token=6ba7482e-c5ed-4e87-981b-cdd5cf2fc5df">eventlog.png</a></td><td><a href="artifacts-by-type/event-log-artifacts">event-log-artifacts</a></td></tr><tr><td><strong>Filesystem Artifacts</strong></td><td><em>Artifacts found on an endpoint's filesystem</em></td><td></td><td><a href="https://2561440521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fiw3VkMLE3v7eYbxTGUJS%2Fuploads%2FJzqE9kyBGzUrtjLukms0%2Ffilesystem.png?alt=media&#x26;token=42fc007a-b354-4941-9122-82027182f37b">filesystem.png</a></td><td><a href="artifacts-by-type/filesystem-artifacts">filesystem-artifacts</a></td></tr></tbody></table>

### Artifacts by Activity

<table data-view="cards"><thead><tr><th></th><th></th><th></th><th data-hidden data-card-cover data-type="files"></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>Execution</strong></td><td><em>Artifacts spawned by application execution</em></td><td></td><td><a href="https://2561440521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fiw3VkMLE3v7eYbxTGUJS%2Fuploads%2FhVWLFOl6CIBpX24XP6TK%2Fexecution.png?alt=media&#x26;token=ece3ff8d-6361-4547-95b7-929a891f68ce">execution.png</a></td><td><a href="artifacts-by-activity/execution">execution</a></td></tr><tr><td><strong>File Activity</strong></td><td><em>Artifacts generated by filesystem activity</em></td><td></td><td><a href="https://2561440521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fiw3VkMLE3v7eYbxTGUJS%2Fuploads%2FTdTYgGS02BDfl3TX9pwh%2Ffile.png?alt=media&#x26;token=1d05c769-3862-46f8-bd45-70a813aa6363">file.png</a></td><td><a href="artifacts-by-activity/file-activity">file-activity</a></td></tr><tr><td><strong>Account Activity</strong></td><td><em>Artifacts providing event attribution</em></td><td></td><td><a href="https://2561440521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fiw3VkMLE3v7eYbxTGUJS%2Fuploads%2F0CIJ0DkwhCdd0XKrixt0%2Faccount.png?alt=media&#x26;token=c7fd45d2-5eaa-459c-a9e9-efc0143f793f">account.png</a></td><td><a href="artifacts-by-activity/account-activity">account-activity</a></td></tr><tr><td><strong>Network Activity</strong></td><td><em>Artifacts spawned by network activity</em></td><td></td><td><a href="https://2561440521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fiw3VkMLE3v7eYbxTGUJS%2Fuploads%2FJFfHS3Jr7C3UuYObpqjb%2Fnetwork.png?alt=media&#x26;token=157a42b8-4f60-4e84-9a3f-9bab3e6bc5b6">network.png</a></td><td><a href="artifacts-by-activity/network-activity">network-activity</a></td></tr><tr><td><strong>Browser Activity</strong></td><td><em>Artifacts created by web browsers</em></td><td></td><td><a href="https://2561440521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fiw3VkMLE3v7eYbxTGUJS%2Fuploads%2FGccXzG0uoUvvdR9KVcV2%2Fbrowser.png?alt=media&#x26;token=b78c1198-3f10-478d-abd1-caa0b07c84be">browser.png</a></td><td><a href="artifacts-by-activity/browser-activity">browser-activity</a></td></tr><tr><td><strong>System Enumeration Artifacts</strong></td><td><em>Artifacts to enumerate endpoints</em></td><td></td><td><a href="https://2561440521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fiw3VkMLE3v7eYbxTGUJS%2Fuploads%2FGtdevVfXnrtzph2IVsCn%2Fenumeration.png?alt=media&#x26;token=ec5b1197-576b-4825-9b5c-109b9b181817">enumeration.png</a></td><td><a href="artifacts-by-activity/system-enumeration">system-enumeration</a></td></tr></tbody></table>

### How to Use this Guide

This handbook was created to classify the numerous Windows forensic artifacts and provide a concise list of what information they respectively provide. While it may be used as a general reference, it shines when it comes time to tie separate artifacts together based on mutual or shared data-points.

For instance, if it is known that an attacker logged into an endpoint at around a certain time, an analyst may want to determine what activity on the endpoint can be attributed to that session. To do this, the analyst might begin with [evtx-4624-successful-logon](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon "mention") and pull the `Logon ID` from that event. The [logon-id](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/logon-id "mention") page lists every artifact in this guide that carries a `Logon ID` field, providing a quick way to correlate the logon with other activity on the endpoint.
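One way to carry out this pivot directly against an exported Security log, as an added example that is not part of the handbook or its repository (the log path, account name and time window are placeholders, and the field names are the standard ones in the 4624/4688/4634 event XML):

```powershell
# Added example (not the handbook's own code): pivot from a 4624 logon to every
# other Security event that carries the same Logon ID.
# The log path, account name and time window below are placeholders.
param(
    [string]$LogPath    = 'C:\Cases\host01\Security.evtx',
    [string]$TargetUser = 'jdoe',
    [datetime]$Start    = (Get-Date '2024-01-15 08:00'),
    [datetime]$End      = (Get-Date '2024-01-15 10:00')
)

# Flatten an event's <EventData> block into a name -> value hashtable.
function Get-EventData {
    param($Record)
    $data = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# Step 1: 4624 events for the account inside the window, keeping the fields
# needed to choose the right session (logon type, source address, Logon ID).
$logons = Get-WinEvent -FilterHashtable @{
        Path = $LogPath; Id = 4624; StartTime = $Start; EndTime = $End
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            LogonId   = $d['TargetLogonId']   # the new session's ID, e.g. 0x3e7a12
            SourceIp  = $d['IpAddress']
        }
    } |
    Where-Object { $_.User -eq $TargetUser }

$logons | Format-Table -AutoSize

# Step 2: for each session, pull every Security event that references its Logon ID,
# either as the subject (e.g. 4688 process creation, 4672 special privileges)
# or as the target (e.g. 4634/4647 logoff).
foreach ($logon in $logons) {
    $id = $logon.LogonId
    $xpath = "*[EventData[Data[@Name='SubjectLogonId']='$id' or Data[@Name='TargetLogonId']='$id']]"
    Get-WinEvent -Path $LogPath -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'LogonId'; e = { $id } }, Message
}
```

Run it on a Windows host against the exported `Security.evtx`: the first table shows the candidate 4624 sessions so the right one can be chosen by logon type and source address, and the loop then prints everything that referenced that session. Two caveats when reading the output: the `Logon ID` is a LUID that is only unique within a single boot, so a match from before a reboot belongs to a different session, and the same account often has several 4624 events in a short window (network type 3 logons in particular), each with its own `Logon ID`, so the logon type and source address matter when picking which session to pivot on.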

As another example, suppose you know that an endpoint may have a malicious file on it. Whether you want to see when it was created ( [creation](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/creation "mention") ) or when it was first executed ( [first-executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed "mention") ), this handbook provides a list of artifacts that may be able to answer the question.

Building a mental map of the relationships between the artifacts present in Windows is necessary for an analyst to pivot efficiently during an investigation. This guide lays that map out and, along the way, provides analysis tips collected over years of forensic experience.
