Windows Registry and Event Logs
Questions: 30
Duration: 15 min
Faculty-reviewed: 0
Updated: 28 Apr 2026
Score, per-question explanations and topic breakdown shown right after you submit.
This mock covers Windows forensic artefacts in depth — the Registry hives, the Event Log infrastructure, Prefetch, ShimCache, Amcache, USB device tracking, ShellBags, UserAssist, RecentDocs, Jump Lists, LNK files, the NTFS journal files, Volume Shadow Copies, SRUM and the Recycle Bin. Thirty questions test what each artefact records, where it lives on disk, what tool to use to parse it, and what real-investigation question each artefact answers — who logged in, what programs ran, what USB drives were inserted, what files were opened, what was the user doing at 14:32.
It is pitched at BSc and MSc cyber forensics students at NFSU and similar Indian universities, certified examiner aspirants (CHFI, GCFE, GCFA), and FACT or state-FSL examinees who routinely face Windows-artefact questions. Windows desktop forensics is the largest single section in any practical cyber-forensics paper because the majority of seized devices in Indian cyber-crime cells are still Windows machines — knowing the artefacts cold is the difference between a competent examiner and a paper-only candidate.
Themes covered:
Each question carries a detailed explanation citing Microsoft Learn for the official artefact behaviour, Carvey's Windows Registry Forensics and Windows Forensic Analysis Toolkit, Eric Zimmerman's tool documentation, MITRE ATT&CK technique mappings, and Mandiant research where relevant. Allow 15 minutes: these are quick-recall questions that any practising examiner should answer in well under 30 seconds each. The explanations are long enough to use as study notes by themselves; even if you skip the timed run, reading through them once is a complete refresher.
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations are shown only after you submit, so the test stays a real test.