# Windows Forensic Handbook

- [Welcome](https://psmths.gitbook.io/windows-forensics/readme.md)
- [Registry Artifacts](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts.md)
- [Amcache.hve](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache.md)
- [Background Activity Monitor](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam.md)
- [Image File Execution Options Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/image-file-execution-options.md)
- [System Resource Usage Monitor (SRUM)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db.md)
- [Run/RunOnce Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce.md)
- [Tracing Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys.md)
- [Services Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/registry-services.md)
- [Select Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select.md)
- [CurrentVersion Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/current-version.md)
- [ComputerName Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/computer-name.md)
- [Interfaces Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/interfaces.md)
- [NetworkCards Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/network-cards.md)
- [TimeZoneInformation Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information.md)
- [Filesystem Artifacts](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts.md)
- [USN Journal](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal.md)
- [Prefetch](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch.md)
- [AutomaticDestinations Jumplists](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations.md)
- [Recycle Bin $I/$R Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files.md)
- [Task Scheduler Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files.md)
- [Windows Error Reporting Files (.WER)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/wer-files.md)
- [Event Log Artifacts](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts.md)
- [Task Scheduler Operational Log](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log.md)
- [TerminalServices-RDPClient](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient.md)
- [EventID 1024: RDP ClientActiveX is trying to connect to the server](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex.md)
- [Security](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security.md)
- [EventID 4688: A new process has been created](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created.md)
- [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon.md)
- [System](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system.md)
- [Event ID 7045: Service Installed](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install.md)
- [Microsoft Windows Windows Firewall With Advanced Security](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security.md)
- [EventID 2004: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall.md)
- [EventID 2005: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall.md)
- [EventID 2006: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall.md)
- [EventID 2071: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2071-firewall-windows-11.md)
- [EventID 2073: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2073-firewall-windows-11.md)
- [EventID 2052: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2052-firewall-windows-11.md)
- [TerminalServices-LocalSessionManager](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager.md)
- [EventID 21: Session logon succeeded](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21.md)
- [EventID 24: Session has been disconnected](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24.md)
- [TerminalServices-RemoteConnectionManager](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager.md)
- [EventID 1149: User Authentication Succeeded](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149.md)
- [Microsoft Windows Shell Core](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core.md)
- [EventID 9707: Command Execution Started](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core.md)
- [Microsoft-Windows-PowerShell](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-powershell.md)
- [EventID 4104: PowerShell Script Block Logging](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-powershell/evtx-4104-script-block-logging.md)
- [Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution.md): Execution artifacts provide evidence of programs and applications being run on a system.
- [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution.md)
- [First Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed.md)
- [Last Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/last-executed.md)
- [Command Line Options](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/command-line-options.md)
- [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account.md)
- [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information.md)
- [Execution Timestamp](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-timestamp.md)
- [File Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity.md): File Activity artifacts are generated by filesystem actions such as creating, modifying, or deleting files.
- [File Creation](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/creation.md)
- [File Deletion](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/deletion.md)
- [Last Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/last-modified.md)
- [File Origin](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/origin.md)
- [File Size](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/size.md)
- [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path.md)
- [File Hash](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-hash.md)
- [Account Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity.md): In certain circumstances, some artifacts may provide information about an account, or attribution of certain activity to a particular account.
- [Account Creation Time](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/creation-time.md)
- [Group Membership](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/group-membership.md)
- [Last Login](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/last-login.md)
- [Login History](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/login-history.md)
- [Logon ID](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/logon-id.md)
- [Relative Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/relative-identifier.md)
- [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md)
- [Username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username.md)
- [Network Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity.md): Network activity can be analyzed through certain artifacts, which may provide information such as the source or destination of certain network traffic, or the volume of that activity.
- [Evidence of Network Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity.md)
- [Destination Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/destination-identification.md)
- [Source Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification.md)
- [Transmit Volume](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/transmit-volume.md)
- [Firewall Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/firewall-activity.md)
- [Wireless Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/wireless-activity.md)
- [Browser Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity.md)
- [History](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity/history.md)
- [Firefox places.sqlite Database](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity/history/firefox-places-sqlite.md)
- [Bookmarks](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity/bookmarks.md)
- [Stored Passwords/Secrets](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity/stored-passwords-secrets.md)
- [System Enumeration](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/system-enumeration.md)
