👋Welcome

This handbook provides an in-depth guide to the various Windows forensic artifacts that can be utilized when conducting an investigation. Detailed information is provided for each artifact, including its location, available parsing tools, and instructions for interpreting the results of a forensic data extraction. Furthermore, the handbook seeks to provide a comprehensive resource for those seeking to expand their understanding of Windows forensics artifacts and how to properly leverage them during a forensic investigation.

GitHub

GitHub - Psmths/windows-forensic-artifacts: Handbook of windows forensic artifacts across multiple Windows version with interpretation tips with some examples. Work in progress!GitHub

Artifacts by Type

Registry Artifacts

Artifacts found in the Windows registry

Event Log Artifacts

Artifacts created by Windows Event Log Providers

Filesystem Artifacts

Artifacts found on an endpoint's filesystem

Artifacts by Activity

Execution

Artifacts spawned by application execution

File Activity

Artifacts generated by filesystem activity

Account Activity

Artifacts providing event attribution

Network Activity

Artifacts spawned by network activity

Browser Activity

Artifacts created by web browsers

System Enumeration Artifacts

Artifacts to enumerate endpoints

How to Use this Guide

This handbook was created to classify the numerous Windows forensic artifacts and provide a concise list of what information they respectively provide. While it may be used as a general reference, it shines when it comes time to tie separate artifacts together based on mutual or shared data-points.

For instance, if it is known that an attacker has logged into an endpoint around a certain time, an analyst may want to determine what activity on the endpoint can be attributed to this session. For this, the analyst might begin by looking at EventID 4624: An account was successfully logged on and pull the Logon ID from this artifact. This guide provides a list of artifacts that have the Logon ID field present here: Logon ID, providing a quick way to correlate logon activity with other activity on the endpoint.

As another example, say for instance you are aware that an endpoint may have a malicious file on it. Maybe you want to see when it was created ( File Creation ), or when it was first executed ( First Executed), this handbook will provide a list of artifacts that may be able to produce answers.

Building a visual map in your mind of the relationships between all the artifacts present in Windows is necessary to allow for an analyst to efficiently pivot their focus during an investigation, this guide simply lays it all out and provides useful analysis tips collected during years of forensic experience while doing so.