This handbook provides an in-depth guide to the various Windows forensic artifacts that can be utilized when conducting an investigation. Detailed information is provided for each artifact, including its location, available parsing tools, and instructions for interpreting the results of a forensic data extraction. Furthermore, the handbook aims to be a comprehensive resource for those seeking to expand their understanding of Windows forensic artifacts and how to properly leverage them during a forensic investigation.


Artifacts by Type

Artifacts by Activity

How to Use this Guide

This handbook was created to classify the numerous Windows forensic artifacts and provide a concise list of the information each one provides. While it may be used as a general reference, it shines when it comes time to tie separate artifacts together based on mutual or shared data points.

For instance, if it is known that an attacker logged into an endpoint around a certain time, an analyst may want to determine what activity on the endpoint can be attributed to that session. The analyst might begin with EventID 4624 ("An account was successfully logged on") and pull the Logon ID from it. This guide lists the artifacts that carry the Logon ID field under Logon ID, providing a quick way to correlate logon activity with other activity on the endpoint.
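The Logon ID pivot described above, as an added example that is not part of the handbook itself. It assumes the Security log has been exported to event XML; Event IDs 4688, 4663 and 4634 and the `TargetLogonId`/`SubjectLogonId` field names are standard Windows Security log fields not named on this page, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# The data field carrying the session's Logon ID differs per event type.
LOGON_ID_FIELD = {"4624": "TargetLogonId", "4634": "TargetLogonId",
                  "4688": "SubjectLogonId", "4663": "SubjectLogonId"}

def _ev(eid, ts, **data):
    """Build one constructed event in the Security log XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID><TimeCreated '
            f'SystemTime="{ts}"/></System><EventData>{fields}</EventData></Event>')

# Constructed sample export, not real evidence.
SAMPLE = "<Events>" + "".join([
    _ev(4624, "2024-01-10T02:14:07Z", TargetUserName="svc_backup",
        TargetLogonId="0x3e7a1c", LogonType="10"),
    _ev(4688, "2024-01-10T02:15:30Z", SubjectLogonId="0x3E7A1C",
        NewProcessName=r"C:\Windows\System32\cmd.exe"),
    _ev(4688, "2024-01-10T02:15:41Z", SubjectLogonId="0x3e7",
        NewProcessName=r"C:\Windows\System32\svchost.exe"),
    _ev(4663, "2024-01-10T02:16:02Z", SubjectLogonId="0x3e7a1c",
        ObjectName=r"C:\Data\payroll.xlsx"),
    _ev(4634, "2024-01-10T02:31:55Z", TargetLogonId="0x3e7a1c"),
]) + "</Events>"

def parse_events(xml_text):
    """Flatten each <Event> into {id, time, data}."""
    return [{
        "id": ev.findtext("e:System/e:EventID", namespaces=NS),
        "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "data": {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)},
    } for ev in ET.fromstring(xml_text).findall("e:Event", NS)]

def sessions_by_logon_id(events):
    """Return {logon_id: time-ordered events} for sessions whose 4624 is present."""
    grouped = defaultdict(list)
    for ev in events:
        field = LOGON_ID_FIELD.get(ev["id"])
        if field in ev["data"]:
            # Compare numerically: tools render the same ID in different case/padding.
            grouped[int(ev["data"][field], 16)].append(ev)
    return {lid: sorted(evs, key=lambda e: e["time"])
            for lid, evs in grouped.items()
            if any(e["id"] == "4624" for e in evs)}

if __name__ == "__main__":
    for lid, evs in sessions_by_logon_id(parse_events(SAMPLE)).items():
        print(hex(lid), [(e["time"], e["id"]) for e in evs])
```

A Logon ID is only unique on one host between reboots, so scope the grouping to a single machine and boot session before attributing activity to a logon.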

As another example, suppose you are aware that an endpoint may have a malicious file on it. You may want to see when it was created (File Creation) or when it was first executed (First Executed). This handbook provides a list of artifacts that may be able to produce answers.

Building a mental map of the relationships between the artifacts present in Windows is necessary for an analyst to pivot efficiently during an investigation. This guide simply lays it all out and provides useful analysis tips collected during years of forensic experience while doing so.
