Chapter 04

Windows Forensic Artifacts


Windows leaves traces of user activity in dozens of hidden locations — the registry, event logs, prefetch files, link files, and more. Knowing where each artifact lives and what it records is the core skill of Windows forensic examination.

4.1 Windows Registry

The Windows Registry is the operating system's central configuration database. It is a hierarchical key-value store that records software settings, hardware configuration, user activity, and network history — all in one place. For a forensic examiner, the registry is one of the richest sources of evidence on any Windows machine.

Five root hives:

Hive                 Abbr.  What it stores
HKEY_LOCAL_MACHINE   HKLM   Hardware, installed software, system configuration
HKEY_CURRENT_USER    HKCU   Current user's settings and recent activity
HKEY_USERS           HKU    Profiles for all users on the system
HKEY_CLASSES_ROOT    HKCR   File type associations and COM object registrations
HKEY_CURRENT_CONFIG  HKCC   Current hardware profile (display, printers)

Forensic goldmines in HKCU:

  • Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs — lists recently opened files, grouped by file extension
  • Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths — URLs and paths typed directly into Windows Explorer's address bar
  • Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LastLoggedOnUser — the username of the last person to log in

USB device history:

The key SYSTEM\CurrentControlSet\Enum\USBSTOR records every USB storage device that has ever been plugged into the machine. For each device the registry stores the device description, manufacturer, serial number, first connection time, and last connection time. This is critical for proving a particular USB drive was connected to a suspect machine.

UserAssist:

The key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist records every program the user has launched through the Windows GUI — including the run count and the last run timestamp. The program names are ROT-13 encoded (each letter shifted 13 positions in the alphabet) to lightly obscure them, but any forensic tool decodes this instantly. ROT-13 is not encryption — it is a simple substitution that a forensic examiner must recognise and decode.
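The decoding step above is easy to do by hand. The following is an added example (not code from the chapter): it ROT-13-decodes a UserAssist value name and unpacks the run count and last-run FILETIME from the value data. It assumes the 72-byte record layout used since Windows 7 (run count at offset 4, last-run FILETIME at offset 60), which is the commonly documented format and not something the chapter states; the sample value name and bytes are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime; 0 means 'never run'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so it stays exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(value_name):
    """UserAssist value names are ROT-13: letters shift 13 places; digits,
    braces, backslashes and dots are left untouched."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_value(value_name, raw):
    """Parse one UserAssist value using the Windows 7+ 72-byte layout
    (assumed here from the commonly documented format, not from the chapter):
      offset  4: run count (DWORD)
      offset  8: focus count (DWORD)
      offset 12: focus time in milliseconds (DWORD)
      offset 60: last-run FILETIME (QWORD)
    Earlier Windows versions use a shorter 16-byte record, which is rejected."""
    if len(raw) < 68:
        raise ValueError("expected a 72-byte Windows 7+ record, got %d bytes" % len(raw))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    (last_run_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "program": decode_userassist_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_run_ft),
    }


def build_sample_record(run_count, focus_count, focus_ms, last_run):
    """Constructed test data, not a real registry export."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44                                  # offsets 16-59: floats + unknown DWORD
            + struct.pack("<Q", datetime_to_filetime(last_run))  # offset 60: last execution
            + b"\x00" * 4)                                  # offset 68: unused


# Constructed sample: ROT-13 of C:\Windows\System32\cmd.exe, run 7 times.
SAMPLE_NAME = "P:\\Jvaqbjf\\Flfgrz32\\pzq.rkr"
SAMPLE_RAW = build_sample_record(7, 3, 12_500, datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc))


def parse_sample():
    return parse_userassist_value(SAMPLE_NAME, SAMPLE_RAW)


if __name__ == "__main__":
    for key, value in parse_sample().items():
        print(f"{key:>13}: {value}")
```

On a real system the value names usually carry a known-folder GUID prefix in braces; the GUID's letters are ROT-13'd too, so decode the whole name before comparing it against known paths.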

Registry hive files on disk:

The registry is stored in binary hive files. These are the actual files you image and parse:

  • %WINDIR%\System32\config\SYSTEM — system configuration
  • %WINDIR%\System32\config\SAM — local account password hashes
  • %WINDIR%\System32\config\SOFTWARE — installed software
  • %WINDIR%\System32\config\SECURITY — local security policy
  • %USERPROFILE%\NTUSER.DAT — the HKCU hive for the current user

Tools: RegRipper (command-line; runs targeted plugins per artifact), Registry Explorer by Eric Zimmerman (GUI; supports bookmarks and full hive browsing).

Fig 4.1 Registry hive hierarchy — five root keys with the most forensically important subkeys highlighted.

4.2 Event Logs (EVTX)

Windows continuously records security, system, and application events in structured binary log files. These .evtx files live under %WINDIR%\System32\winevt\Logs\ and are one of the first places a forensic examiner looks to reconstruct what happened on a system.

Key log files:

  • Security.evtx — authentication events, account changes, privilege use. The most important log for incident response.
  • System.evtx — hardware events, service start/stop, system shutdowns.
  • Application.evtx — application errors, crashes, and informational messages.

Critical event IDs for FACT:

Event ID     Description                                  Why it matters
4624         Successful logon                             Who was logged in and when
4625         Failed logon                                 Brute-force attempts; repeated failures before a 4624 = attack
4634         Logoff                                       Session duration
4648         Logon with explicit credentials              Lateral movement; running tools as another user
4688         New process created                          Every program launched — malware execution evidence
4698 / 4700  Scheduled task created / enabled             Common persistence mechanism
4720         User account created                         New backdoor account
4672         Special privileges assigned                  Privilege escalation
6006         Event log service stopped (clean shutdown)   System shut down normally
6008         Unexpected shutdown                          Crash or forced power-off
7045         New service installed                        Malware persistence — very high priority alert
1102         Audit log cleared (Security log)             Attempted evidence destruction
104          System log cleared                           Attempted evidence destruction

Logon types (field inside Event 4624):

Type  Meaning
2     Interactive — keyboard and monitor at the console
3     Network — accessing a shared folder or resource
7     Unlock — screen saver or lock screen dismissed
10    Remote interactive — RDP session

Clearing logs as an artifact:

Attackers often clear event logs to hide their tracks. This is itself recorded as Event ID 1102 (Security log cleared) or 104 (System log cleared) — the act of covering up leaves its own trace.

Tools: Windows Event Viewer (built-in, GUI), EvtxECmd by Eric Zimmerman (command-line, parses to CSV/JSON), Chainsaw (fast Sigma-rule-based hunting across EVTX files).
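The event IDs and logon types in the tables above become useful once they are correlated in time. The following is an added example, not code from the chapter or from any of the tools it names: it runs the "repeated 4625 then 4624 from the same source" rule over a handful of constructed event records, then collects the execution (4688), persistence (7045) and log-clearing (1102) events that follow the flagged logon. The record fields (time, event_id, user, logon_type, src_ip, process, service, image) are a simplified layout chosen for the example; real exports from Event Viewer or EvtxECmd use their own column names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs and logon types as listed in the chapter's tables.
EVENT_LABELS = {
    4624: "Successful logon", 4625: "Failed logon", 4634: "Logoff",
    4648: "Logon with explicit credentials", 4688: "New process created",
    4672: "Special privileges assigned", 4720: "User account created",
    7045: "New service installed", 1102: "Security log cleared", 104: "System log cleared",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive (RDP)"}

# Constructed sample records (not real log output); 203.0.113.0/24 is a documentation range.
EVENTS = [
    {"time": "2024-03-15T08:30:00", "event_id": 4624, "user": "jdoe", "logon_type": 2, "src_ip": "-"},
    {"time": "2024-03-15T09:00:10", "event_id": 4625, "user": "admin", "logon_type": 10, "src_ip": "203.0.113.7"},
    {"time": "2024-03-15T09:00:25", "event_id": 4625, "user": "admin", "logon_type": 10, "src_ip": "203.0.113.7"},
    {"time": "2024-03-15T09:00:41", "event_id": 4625, "user": "admin", "logon_type": 10, "src_ip": "203.0.113.7"},
    {"time": "2024-03-15T09:01:05", "event_id": 4624, "user": "admin", "logon_type": 10, "src_ip": "203.0.113.7"},
    {"time": "2024-03-15T09:03:30", "event_id": 4688, "user": "admin", "process": "C:\\Users\\admin\\Downloads\\update.exe"},
    {"time": "2024-03-15T09:04:02", "event_id": 7045, "service": "WinUpdateSvc", "image": "C:\\Users\\admin\\Downloads\\update.exe"},
    {"time": "2024-03-15T09:10:00", "event_id": 1102, "user": "admin"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def find_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a 4624 preceded by at least `threshold` 4625s from the same source within `window`."""
    alerts = []
    failures = defaultdict(list)            # src_ip -> timestamps of failed logons
    for e in sorted(events, key=_when):
        src = e.get("src_ip")
        if e["event_id"] == 4625:
            failures[src].append(_when(e))
        elif e["event_id"] == 4624:
            recent = [t for t in failures[src] if _when(e) - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src_ip": src, "user": e["user"], "failures": len(recent),
                               "logon_type": LOGON_TYPES.get(e.get("logon_type"), "?"),
                               "success_at": e["time"]})
    return alerts


def find_follow_on_activity(events, alert, window=timedelta(minutes=30)):
    """Execution, persistence and anti-forensics event IDs after a flagged logon."""
    start = datetime.fromisoformat(alert["success_at"])
    return [e["event_id"] for e in sorted(events, key=_when)
            if e["event_id"] in (4688, 7045, 4698, 4700, 4720, 1102, 104)
            and start <= _when(e) <= start + window]


def build_timeline(events):
    """One line per event, oldest first, the way Fig 4.2 reads left to right."""
    lines = []
    for e in sorted(events, key=_when):
        eid = e["event_id"]
        detail = ""
        if eid in (4624, 4625):
            lt = e.get("logon_type")
            detail = f" user={e['user']} type={lt} ({LOGON_TYPES.get(lt, '?')}) src={e.get('src_ip')}"
        elif eid == 4688:
            detail = f" process={e['process']}"
        elif eid == 7045:
            detail = f" service={e['service']} image={e['image']}"
        lines.append(f"{e['time']}  {eid:>5}  {EVENT_LABELS.get(eid, 'Other')}{detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_timeline(EVENTS)))
    for alert in find_bruteforce_then_success(EVENTS):
        print("ALERT:", alert, "followed by", find_follow_on_activity(EVENTS, alert))
```

The threshold and window are deliberately parameters: three failures in ten minutes is a reasonable starting point for an interactive review, but a production detection would tune both against the environment's normal failed-logon rate.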

Fig 4.2 Attack sequence on a Windows event log timeline — brute-force failures lead to a successful logon, then malware execution and persistence.

4.3 Alternate Data Streams (ADS)

NTFS, the file system used by all modern Windows versions, supports a feature called Alternate Data Streams. Every file actually consists of one or more named "streams" of data. The default stream — the one you normally read and write — is called $DATA. But any file can have additional named streams attached to it, and those streams are completely invisible in Windows Explorer.

Syntax for alternate streams:

filename.txt:hiddenstream

The colon separates the base filename from the stream name. You can create a stream with:

echo "hidden content" > document.txt:secret

The file document.txt appears to have its normal size in Explorer. The hidden stream is not counted. The data in the stream is not shown anywhere in the normal UI.

How attackers misuse ADS:

An attacker can embed an entire executable inside an alternate stream of an innocent-looking file. The file appears as 0 bytes (or its original innocent size) in Explorer, but the malware lives in the stream. When executed via wscript.exe document.txt:malware.exe or similar, the payload runs.

Zone.Identifier — a legitimate ADS:

Windows itself uses ADS for the Zone.Identifier stream. Every file downloaded from the internet automatically receives this stream, recording the source URL and the security zone. Zone 3 = Internet Zone, which triggers the "Open File — Security Warning" prompt. SmartScreen also reads this stream. Forensically, examining Zone.Identifier tells you exactly where a file was downloaded from — even if the user has since cleared their browser history.

Zone.Identifier

A built-in NTFS alternate data stream that Windows attaches to every file downloaded from the internet. It records the source URL and the internet security zone (Zone=3 for the public internet). It is the forensic record of a file's download origin and persists on the file regardless of where the file is later moved or copied — until explicitly stripped.

Detecting ADS:

  • dir /r in the Command Prompt — lists all streams alongside each file
  • Get-Item -Stream * in PowerShell — shows all streams for a file
  • Streams.exe (Sysinternals) — scans a directory tree for all files with ADS
  • Forensic tools (FTK, Autopsy, X-Ways) — display ADS natively in the file browser

Fig 4.3 A single file with two data streams — the visible default stream and a hidden alternate stream carrying embedded malware.
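Two of the checks above produce text an examiner will want to process in bulk: the content of a Zone.Identifier stream and the stream lines printed by dir /r. The following is an added example, not code from the chapter: it parses the INI-style Zone.Identifier content (the keys ZoneId, ReferrerUrl and HostUrl are what Windows writes; the chapter's "source URL" corresponds to HostUrl), maps the zone number to its name, and extracts the name:stream:$DATA lines from a dir /r listing so that any non-empty stream other than Zone.Identifier can be flagged. Both sample inputs are constructed, and the dir /r sample approximates the command's layout rather than reproducing a real listing. Note that an ADS survives moves and copies only between NTFS volumes; copying to FAT, exFAT or most network shares silently drops it.

```python
import re

# Windows URL security zone IDs.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text):
    """Parse the INI-style content of a Zone.Identifier stream."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {"zone_id": zone, "zone_name": ZONE_NAMES.get(zone, "Unknown"),
            "from_internet": zone == 3,
            "host_url": fields.get("HostUrl"), "referrer_url": fields.get("ReferrerUrl")}


def read_zone_identifier(path):
    """On a live NTFS volume the stream opens like a file: <path>:Zone.Identifier."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None  # no stream, non-NTFS volume, or not running on Windows


# dir /r prints one extra line per alternate stream: <size> <file>:<stream>:$DATA
_STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")


def parse_dir_r(output):
    """Return (file, stream, size) for every alternate stream in a dir /r listing."""
    streams = []
    for line in output.splitlines():
        m = _STREAM_LINE.match(line)
        if m:
            streams.append((m.group(2), m.group(3), int(m.group(1).replace(",", ""))))
    return streams


def suspicious_streams(streams, allow=("Zone.Identifier",)):
    """Any non-empty named stream other than the expected ones deserves a look."""
    return [f"{f}:{s}" for f, s, size in streams if s not in allow and size > 0]


# Constructed samples, not captured from a real machine.
ZONE_SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "ReferrerUrl=https://example.com/downloads/\r\n"
               "HostUrl=https://example.com/downloads/document.txt\r\n")

DIR_R_SAMPLE = """\
 Directory of C:\\Users\\jdoe\\Downloads

03/15/2024  09:02 AM             1,204 document.txt
                                76,288 document.txt:malware:$DATA
                                    26 document.txt:Zone.Identifier:$DATA
03/15/2024  08:55 AM            24,576 report.pdf
                                   118 report.pdf:Zone.Identifier:$DATA
"""

if __name__ == "__main__":
    print(parse_zone_identifier(ZONE_SAMPLE))
    found = parse_dir_r(DIR_R_SAMPLE)
    print(found)
    print("review:", suspicious_streams(found))
```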

4.4 File Slack & Unallocated Space

File systems allocate disk space in fixed-size units called clusters. NTFS uses a default cluster size of 4 096 bytes (4 KB). Even a file containing just one byte of data occupies a full 4 KB cluster. The space between the end of the file's actual data and the end of its last cluster is wasted from the user's perspective — but it is a treasure from a forensic perspective.

Cluster and sector basics:

  • Sector: the smallest physical unit on a disk, typically 512 bytes.
  • Cluster: one or more consecutive sectors; the minimum allocation unit in a file system.
  • A file of 1 500 bytes in a 4 096-byte-cluster file system occupies one full cluster; 2 596 bytes of that cluster are unused.

Types of file slack:

  • RAM slack (also called sector slack): the gap between the logical end of the file and the end of the last sector. The OS pads this area with bytes from RAM when it writes the file — those RAM bytes may contain fragments of previously processed data.
  • Drive slack (also called file slack proper): the gap between the end of the last sector of the file and the end of its last cluster. This area is not written by the OS at all — it retains whatever bytes were stored there by a previous file that occupied that cluster.

Unallocated space:

When a file is deleted, its clusters are returned to the pool of "free" space — they are not wiped. Unallocated space consists of all clusters not currently assigned to any active file. It can contain complete or partial files from deleted data. File carving (Chapter 3) specifically targets unallocated space.

File Slack

The gap between the logical end of a file's data and the physical end of its last allocated cluster. It has two sub-regions: RAM slack (padded with OS memory bytes to fill the last sector) and drive slack (sectors between the last written sector and the end of the cluster, containing remnant data from prior occupants). File slack is invisible to users and normal applications but fully visible to forensic imaging tools.
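The 1 500-byte example above can be carried through in code. The following is an added example, not code from the chapter: slack_layout computes the RAM-slack and drive-slack sizes for a file of any size (reproducing the chapter's 2 596 bytes for 1 500 bytes in a 4 096-byte cluster), and the second half simulates an OS reusing a freed cluster so that the carved drive slack still contains the previous file's bytes. The simulation pads the partial last sector with zeros, which is what current Windows versions do; the chapter describes older systems filling it from memory. The old-cluster content is constructed, and NTFS resident files (tiny files stored inside the MFT record) are deliberately not modelled.

```python
SECTOR = 512      # bytes, typical physical sector
CLUSTER = 4096    # bytes, NTFS default cluster size


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Describe how a non-resident file of file_size bytes fills its last cluster."""
    if cluster % sector:
        raise ValueError("cluster size must be a multiple of the sector size")
    clusters = max(1, -(-file_size // cluster))          # ceiling division
    used_in_last = file_size - (clusters - 1) * cluster  # data bytes in the last cluster
    ram_slack = (-used_in_last) % sector                 # bytes to the end of the last sector
    written = used_in_last + ram_slack                   # bytes the OS actually wrote
    drive_slack = cluster - written                      # sectors never touched by this file
    return {"clusters": clusters, "used_in_last_cluster": used_in_last,
            "ram_slack": ram_slack, "drive_slack": drive_slack,
            "total_slack": ram_slack + drive_slack,
            "drive_slack_offset": written}               # offset inside the last cluster


def write_into_reused_cluster(old_cluster, new_data, sector=SECTOR):
    """Simulate the OS reusing a freed cluster: whole sectors are written, the
    partial last sector is padded with zeros, and every sector past that keeps
    whatever the previous occupant left behind."""
    if len(new_data) > len(old_cluster):
        raise ValueError("data larger than one cluster")
    padded = -(-len(new_data) // sector) * sector
    return new_data + b"\x00" * (padded - len(new_data)) + old_cluster[padded:]


def carve_slack(cluster_bytes, file_size, sector=SECTOR):
    """Return (ram_slack_bytes, drive_slack_bytes) from an image of the last cluster."""
    lay = slack_layout(file_size, sector, len(cluster_bytes))
    end_of_data = lay["used_in_last_cluster"]
    return (cluster_bytes[end_of_data:lay["drive_slack_offset"]],
            cluster_bytes[lay["drive_slack_offset"]:])


# Constructed demo: a cluster that held a deleted memo, then reused for a 1 500-byte file.
OLD_CLUSTER = (b"old memo draft: meet at 5pm. " * 200)[:CLUSTER]
NEW_FILE = b"N" * 1500


def demo():
    cluster = write_into_reused_cluster(OLD_CLUSTER, NEW_FILE)
    ram, drive = carve_slack(cluster, len(NEW_FILE))
    return slack_layout(len(NEW_FILE)), ram, drive


if __name__ == "__main__":
    layout, ram, drive = demo()
    print(layout)
    print("RAM slack:", len(ram), "bytes, drive slack:", len(drive), "bytes")
    print("remnant in drive slack:", drive[:29])
```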

$Recycle.Bin:

When a user deletes a file in Windows Explorer, the file moves to the Recycle Bin rather than being immediately erased. The Recycle Bin is implemented as the $Recycle.Bin folder at the root of each drive. For every deleted file the system creates two internal files:

  • $I file: stores the original full path, the original filename, the file size, and the exact deletion timestamp.
  • $R file: stores the original file content.

Even if the user empties the Recycle Bin, the $I metadata file often leaves remnants in the $MFT that a forensic examiner can parse to determine what was deleted and when.
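The $I record is small and fixed enough to parse by hand. The following is an added example, not code from the chapter: it decodes both $I layouts (version 1 from Vista to 8.1 with a fixed 520-byte path field, version 2 from Windows 10 onward with a length-prefixed path), converts the deletion FILETIME, and maps a $I file name to its $R partner. The layouts and the shared-suffix naming rule are taken from the commonly documented format rather than from the chapter, and the sample records are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Parse a $I record (layout assumed from the commonly documented format):
      bytes  0- 7  version: 1 (Vista to 8.1) or 2 (Windows 10 and later)
      bytes  8-15  original file size (QWORD)
      bytes 16-23  deletion time (FILETIME)
      v1: bytes 24-543  original path, 260 UTF-16LE chars, NUL padded
      v2: bytes 24-27   path length in chars incl. NUL, then the UTF-16LE path"""
    if len(data) < 28:
        raise ValueError("truncated $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def matching_r_file(i_name):
    """$I and $R files share the same random suffix: $IXXXXXX.ext <-> $RXXXXXX.ext."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_sample(version, path, size, deleted_at):
    """Constructed test record, not taken from a real Recycle Bin."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


SAMPLE_PATH = "C:\\Users\\jdoe\\Documents\\plans.docx"
SAMPLE_TIME = datetime(2024, 3, 15, 9, 12, 44, tzinfo=timezone.utc)
SAMPLE_V2 = build_sample(2, SAMPLE_PATH, 24_576, SAMPLE_TIME)
SAMPLE_V1 = build_sample(1, SAMPLE_PATH, 24_576, SAMPLE_TIME)

if __name__ == "__main__":
    for name, blob in (("$I3F7K2Q.docx (v2)", SAMPLE_V2), ("$I3F7K2Q.docx (v1)", SAMPLE_V1)):
        print(name, "->", parse_dollar_i(blob))
    print(matching_r_file("$I3F7K2Q.docx"))
```

Because the $I record lives in the user's SID-named subfolder under $Recycle.Bin, the folder name also ties the deletion to a specific account, which the record itself does not store.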

4.5 Prefetch, LNK Files & Jump Lists

Windows maintains several execution and access history artifacts specifically to help the OS run faster. As a side effect, they give forensic examiners detailed records of what files were opened and what programs were run — even after the files or programs themselves have been deleted.

Prefetch files:

Windows Prefetch (C:\Windows\Prefetch\) stores one .pf file for each program that has been launched. Each prefetch file records:

  • The full path of the executable
  • The number of times the program has been run (run count)
  • Up to eight timestamps of the last eight runs
  • A list of files and DLLs the program accessed during its last eight runs

Prefetch is enabled by default on HDDs but is often disabled automatically on SSDs in newer Windows versions (because SSDs are already fast at loading). Finding a prefetch file is execution evidence — proof that a specific program ran on this machine.

LNK (shortcut) files:

Every time a file is opened in Windows, the OS silently creates or updates a .lnk shortcut file in %APPDATA%\Microsoft\Windows\Recent\. Each LNK file records:

  • The original file's full path
  • The volume serial number and drive type (local, removable, network)
  • The original file's MAC timestamps (Modified, Accessed, Created) at the time it was accessed

Critically, LNK files survive deletion of the original file. If a document was opened and later deleted, the LNK file in \Recent\ still shows that the file existed and was accessed, along with its original path.

Jump Lists:

Jump Lists are per-application lists of recently opened files and common tasks, accessible by right-clicking a taskbar icon. They are stored in %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ as OLE compound document files. Each application has its own Jump List file identified by an application ID. Jump Lists persist evidence of file access even after the original file is deleted and even after the user has cleared their "Recent Items" list.

Amcache and ShimCache:

  • Amcache (C:\Windows\AppCompat\Programs\Amcache.hve): records the SHA-1 hash of every executed application, its full path, and the first time it was run. Useful for identifying malware even if the malware file has since been deleted — the hash and path remain.
  • ShimCache (AppCompatCache, stored in the SYSTEM registry hive): records the path and last modification time of every executable the OS compatibility layer has seen, regardless of user or run context. Does not always mean the program ran — it means Windows examined the file.

Tools by Eric Zimmerman:

  • PECmd — parses prefetch files
  • LECmd — parses LNK files
  • JLECmd — parses Jump Lists

Fig 4.4 Windows artifact map — where each key forensic artifact lives on the file system and in the registry.

Memory hooks · Chapter 4

4.1 Registry: USB history lives in SYSTEM\CurrentControlSet\Enum\USBSTOR. UserAssist = ROT-13 encoded list of every program launched, with run count and last run time. NTUSER.DAT = the HKCU hive file on disk. SAM hive = local password hashes.

4.2 Event IDs: 4624 = successful logon · 4625 = failed logon (brute force flag) · 4688 = process created (malware execution) · 7045 = new service installed (persistence) · 1102 = audit log cleared (cover-up). Logon type 10 = RDP, type 2 = interactive console.

4.3 ADS: Syntax is filename.txt:streamname. Alternate streams are invisible in Explorer and not counted in file size. Zone.Identifier = built-in ADS on every downloaded file; Zone=3 means internet origin; records source URL. Detect with dir /r or Get-Item -Stream *.

4.4 File slack: Gap between logical end of file and physical end of last cluster. RAM slack = padded by OS from memory; Drive slack = untouched remnants from prior file. Unallocated space = freed clusters from deleted files, prime target for carving. $Recycle.Bin: $I = metadata (path, size, deletion time), $R = content.

4.5 Execution artifacts: Prefetch (C:\Windows\Prefetch) = run count + up to 8 last-run timestamps. LNK files survive deletion of the original — proves a file existed and was opened. Jump Lists = per-app recent file history. Amcache = SHA-1 hash of executed programs even if deleted. ShimCache = all executables Windows has examined.
