Windows Forensic Artifacts I: Registry, Event Logs and Prefetch
Registry hives, EVTX event logs, and Prefetch as proof of execution: a working examiner's reference for Module 2, with the Eric Zimmerman toolset and the Indian SFSL triage workflow.
Windows leaves traces of almost everything it does. A program is launched, the registry records it; a user logs in, the Security event log captures the 4624; a binary executes, the Prefetch subsystem writes a .pf file with timestamps and referenced libraries. For a digital forensic examiner in an Indian SFSL cyber wing, Windows is the platform under examination in roughly four out of five computer cases, and the three artefact families covered here, the registry, the EVTX event logs, and Prefetch, account for the majority of triage findings on a typical job. They are also the artefacts that hold up under BSA Section 63 cross-examination because the data structures are documented, the tooling is mature, and the timestamps are forensically meaningful.
This topic is the working reference for Module 2 Topic 1. It assumes the examiner already has a verified image of the disk and is past the first-responder workflow covered in The digital first responder. The companion topic Windows artifacts: ShellBags, ADS, LNK, hibernation, slack covers the rest of the Windows artefact universe.
A database that looks like a tree.
The Windows registry is a hierarchical database that holds configuration, user state, and a surprising amount of execution history. Logically it has five roots; physically each root maps to one or more files on disk. An examiner working from an image always parses the physical files, never the live logical view, because the live view aggregates and abstracts in ways that hide useful detail.
| Logical root | Physical file(s) | Location | Forensic value |
|---|---|---|---|
| HKLM\SAM | SAM | C:\Windows\System32\config | Local account names, RID, password hash metadata |
| HKLM\SYSTEM | SYSTEM | C:\Windows\System32\config | Services, drivers, USB history, ComputerName, TimeZone |
| HKLM\SOFTWARE | SOFTWARE | C:\Windows\System32\config | Installed applications, Run keys, network profiles |
| HKLM\SECURITY | SECURITY | C:\Windows\System32\config | LSA Secrets, cached domain credentials |
The dozen keys that crack most Windows cases.
A registry hive has thousands of keys; only a small set carries reliable forensic value. The CFSL cyber wing triage list, similar to the SANS DFPS FOR500 poster and the RegRipper plugin catalogue, converges on this dozen.
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run and the equivalent under HKCU. These hold autorun entries: programs that launch on logon. The standard malware persistence location, but also the standard place to find legitimate update agents that confuse a novice.
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count. Records GUI-launched programs per user, with run count and last execution time stored in a 72-byte binary structure. Value names are ROT13-encoded, so ZHFGNA.RKR is MUSTAN.EXE after decoding. RegRipper and Registry Explorer decode automatically.
- HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache. Stores executable friendly names for programs the user has run. Lacks timestamps but proves a program was launched by that user.
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. Recently opened documents, broken down by file extension. A .docx subkey lists recent Word documents, .pdf lists recent PDFs, and so on. The last-write time of each subkey is the most-recent-access timestamp for that extension.
- HKCU\Software\Microsoft\Internet Explorer\TypedURLs. URLs the user has typed into Internet Explorer or Edge legacy. On Windows 10/11 the parallel value TypedURLsTime carries timestamps. Edge Chromium history lives in SQLite, not the registry; see the email and browser forensics topic for that.
- HKLM\SYSTEM\MountedDevices. Maps drive letters to volume signatures. Useful for proving that a specific USB device was mounted as E: at a specific time.
- HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. Records every USB mass-storage device ever connected, by vendor, product, and serial number. The serial number is the silver bullet; it matches against a physical device the police later seize.

A hundred channels, a dozen event IDs that matter.
Windows Vista replaced the legacy .evt log format with EVTX, an XML-structured binary format. The files live at C:\Windows\System32\winevt\Logs\ and are organised by channel. A modern Windows 11 install has more than 400 channels, but for forensic triage four channels and roughly a dozen event IDs do most of the work.
| Channel | File | Key events | Forensic use |
|---|---|---|---|
| Security | Security.evtx | 4624, 4625, 4634, 4672, 4720, 4724, 4738 | Logon, logoff, privilege use, account changes |
| System | System.evtx | 6005, 6006, 1074, 41, 7045 | Boot, shutdown, BSOD, service install, time change |
| Application | Application.evtx | 1000, 11707, 1033 | App crashes, MSI installs, .NET errors |
| PowerShell Operational | Microsoft-Windows-PowerShell%4Operational.evtx | 4103, 4104 | Pipeline execution, script block logging |
The single best 'this program ran' artefact.
Prefetch is a Windows performance optimisation that watches the first ten seconds of execution of every program and writes a .pf file recording the executable's name, a hash of its path, the time of execution, the count of executions, and the list of DLLs and data files it touched. The files live in C:\Windows\Prefetch\ with the naming convention <EXE>-<8-character-path-hash>.pf.
For an examiner the Prefetch file is the strongest "this program ran" evidence the operating system provides. Unlike registry execution traces that can be argued to be "merely scheduled," a Prefetch entry only exists if the binary was actually loaded into memory and started executing.
PECmd from Eric Zimmerman is the standard parser, producing CSV output that includes the executable name, the last eight run times, the run count, the referenced file list, the volume serial of the source disk, and the path-hash check. RegRipper plugins parse the related registry references. KAPE targets the Prefetch directory by default in its BasicCollection profile.
A subtlety that catches new examiners: Prefetch is disabled on SSDs by default in some Windows builds and tunings, controlled by HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher. A value of 0 means disabled, 3 means enabled for boot and applications. On servers Prefetch is disabled by default. The examiner always checks the EnablePrefetcher value before drawing conclusions from an absence of .pf files; an absent file does not mean the program did not run if Prefetch was off.
The referenced-file list inside a .pf is itself evidence. A malicious binary's .pf will list the libraries it imported and any data files it touched in those first ten seconds. A piece of cryptolocker ransomware leaves a Prefetch entry whose referenced-file list includes the first few user documents it encrypted, which is sometimes the only way to recover the partial list of victim files when the ransomware deletes its own logs.
Free, court-tested, and the SFSL standard.
The Windows artefact tooling that Indian SFSLs converge on is mostly free and is mostly maintained by two people: Eric Zimmerman (the EZ Tools suite) and Harlan Carvey (RegRipper). KAPE, originally written by Eric Zimmerman, is the triage orchestrator that pulls artefacts off a live or imaged system and feeds them to the parsers.
| Tool | Purpose | Input | Output |
|---|---|---|---|
| Registry Explorer | Interactive registry browse with bookmark plugins | Hive file with .LOG1/.LOG2 | GUI navigation, CSV export |
| RECmd | Command-line registry parser, plugin-driven | Hive file or mounted image | CSV per plugin |
| RegRipper 3.0 | Command-line plugin engine in Perl | Hive file | Text or CSV report per plugin |
| EvtxECmd | EVTX parser with Maps for normalised fields | EVTX file or directory | CSV with named fields per event |
| PECmd | Prefetch parser | .pf file or directory | CSV with last-8 times and referenced files |
A 24-hour SFSL workflow on a real-style case.
Consider a case that lands at a state SFSL cyber wing in Pune: a private-bank employee is alleged to have copied a customer database to a personal USB stick over a weekend and shared it with a competitor. The seized laptop is a Windows 10 Pro machine; the suspect has admitted using a USB stick but denies copying any customer data. The cyber cell wants confirmation, within 24 hours, that (a) a specific Kingston USB was plugged in over the weekend, (b) Microsoft Excel and a particular query tool were launched while it was plugged in, and (c) files of a customer-database shape were written to the USB.
The examiner mounts the E01, runs KAPE, and pivots through the triangle:
- USBSTOR shows the Kingston stick with serial 08...A3F was first connected three weeks ago and last connected on Saturday at 14:22 IST. MountedDevices confirms it was mounted as drive E:. EMDMgmt carries the same serial, which corroborates the entry.
- UserAssist shows EXCEL.EXE at 14:24 IST and SQLQUERYTOOL.EXE at 14:31, both on Saturday, with run counts incremented by one.
- Prefetch shows EXCEL.EXE-<hash>.pf with the most recent of its eight timestamps at 14:24:07 and SQLQUERYTOOL.EXE-<hash>.pf at 14:31:12. The referenced-file list inside the SQLQUERYTOOL .pf includes a path that begins with E:\ and ends in customer_export.csv.

The three pillars agree: a registry trail of USB connection and program launches, an event-log trail of session start and clean shutdown, a Prefetch trail of execution with the USB path embedded. The BSA Sec 63(4) certificate cites each artefact, the parser version, and the dual-hash on the source E01. The PECmd output for SQLQUERYTOOL.EXE is attached to the report as Annexure B.
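The registry-to-Prefetch pivot of this case, as an added Python example that is not code from the page, from KAPE or from the EZ tools: the parser outputs are constructed sample rows shaped like RECmd/PECmd CSV, the serial is the page's placeholder, the E:\ path is invented, and the EnablePrefetcher check from the Prefetch section decides whether a missing .pf means anything.

```python
from datetime import datetime, timedelta

# Constructed parser output shaped like the Pune case (sample values, not seizure
# data; the serial is a placeholder and the paths are invented).
USBSTOR = {"vendor": "Kingston", "serial": "08...A3F",
           "last_connected": datetime(2024, 3, 16, 14, 22)}
MOUNTED_DEVICES = {"E:": "08...A3F"}      # drive letter -> volume serial
ENABLE_PREFETCHER = 3                      # PrefetchParameters value: 0 off, 2 boot only, 3 boot+apps
USERASSIST = [  # decoded value names with last-run times already converted to IST
    {"program": "EXCEL.EXE", "last_run": datetime(2024, 3, 16, 14, 24)},
    {"program": "SQLQUERYTOOL.EXE", "last_run": datetime(2024, 3, 16, 14, 31)},
    {"program": "NOTEPAD.EXE", "last_run": datetime(2024, 3, 14, 9, 10)},
]
PREFETCH = [  # PECmd-style rows: most recent run time and referenced-file list
    {"exe": "EXCEL.EXE", "last_run": datetime(2024, 3, 16, 14, 24, 7),
     "files": [r"C:\WINDOWS\SYSTEM32\NTDLL.DLL"]},
    {"exe": "SQLQUERYTOOL.EXE", "last_run": datetime(2024, 3, 16, 14, 31, 12),
     "files": [r"C:\WINDOWS\SYSTEM32\NTDLL.DLL", r"E:\EXPORTS\customer_export.csv"]},
]

def correlate(usbstor, mounted, userassist, prefetch, enable_prefetcher,
              window=timedelta(hours=8), slack=timedelta(seconds=90)):
    """Link programs launched after the USB was last connected to the Prefetch
    entry for the same binary, and pull out any referenced files on its drive letter."""
    letter = next((l for l, s in mounted.items() if s == usbstor["serial"]), None)
    if letter is None:
        return []                      # never mounted with a letter: no path evidence possible
    t0 = usbstor["last_connected"]
    pf_by_exe = {p["exe"].upper(): p for p in prefetch}
    findings = []
    for ua in userassist:
        if not (t0 <= ua["last_run"] <= t0 + window):
            continue                   # launched outside the USB session: not corroborated
        f = {"program": ua["program"], "userassist_run": ua["last_run"],
             "prefetch_run": None, "usb_files": [], "note": ""}
        pf = pf_by_exe.get(ua["program"].upper())
        if enable_prefetcher in (0, 2):            # application prefetch off: absence means nothing
            f["note"] = "Prefetch disabled; no .pf expected"
        elif pf is None:
            f["note"] = "no .pf although Prefetch was enabled"
        elif abs(pf["last_run"] - ua["last_run"]) <= slack:
            f["prefetch_run"] = pf["last_run"]
            f["usb_files"] = [p for p in pf["files"] if p.upper().startswith(letter.upper() + "\\")]
        else:
            f["note"] = "Prefetch last-run does not match the UserAssist time"
        findings.append(f)
    return findings
```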
The per-user portion of the registry, including UserAssist and RecentDocs, lives in NTUSER.DAT; the per-user hives complete the hive table above:

| Logical root | Physical file(s) | Location | Forensic value |
|---|---|---|---|
| HKU\<SID> | NTUSER.DAT | C:\Users\<user>\ | Per-user state, UserAssist, RecentDocs, TypedURLs |
| HKU\<SID>_Classes | UsrClass.dat | C:\Users\<user>\AppData\Local\Microsoft\Windows\ | Per-user shell extensions, ShellBags |
| HKCU, HKCR, HKCC | (virtual) | (maps onto the above) | Logical views; examiner uses the underlying files |
The physical hives are not the only copies. Each hive on a healthy system has a .LOG1 and .LOG2 transaction log written next to it. On a dirty shutdown those logs hold writes that had not yet been merged into the hive proper. Modern parsers (RegRipper 3.0 from Harlan Carvey, Registry Explorer and RECmd from Eric Zimmerman) will replay the transaction logs onto the hive image before parsing, which sometimes surfaces values that vanish when only the bare hive is read. Older tools that ignore the logs miss those values; cross-examining defence experts know this and ask about it.
Beyond the active hives, Windows keeps Volume Shadow Copy snapshots of the hives at a daily or near-daily cadence (vssadmin list shadows). Each shadow copy holds a registry state from an earlier point in time. An examiner who only parses the current hives sees the present; an examiner who mounts each shadow and parses the hives within sees the history. This is the trick by which "deleted" registry keys reappear in evidence.
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt. ReadyBoost candidate records that include drive serial and a first-connection timestamp. The classic cross-check for USBSTOR.
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache. The Application Compatibility shim records executables seen by the system, with file size and last-modified time. Written to disk at shutdown, so a hard power-off can lose the most recent entries.
- C:\Windows\AppCompat\Programs\Amcache.hve. A standalone hive with rich install and execution metadata including the SHA-1 hash of each executable, first-run time, and parent install info. Often the only place where a deleted malware sample's SHA-1 still lives.
- HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation. The system's configured time zone, bias, and daylight rule. Critical for converting every other timestamp on the image into IST or UTC for the report.

One more channel belonging to the channel table above:

| Channel | File | Key events | Forensic use |
|---|---|---|---|
| Sysmon Operational | Microsoft-Windows-Sysmon%4Operational.evtx | 1, 3, 7, 11, 22 | Process create, network connect, image load, file create, DNS query |
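Decoding a UserAssist Count value as the registry key list describes (ROT13 name, 72-byte structure with run count and last-run FILETIME) and converting the timestamp with the TimeZoneInformation bias, as an added Python example that is not from the page, from RegRipper or from Registry Explorer; the offsets are the Windows 7+ layout and the sample value is constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here

def filetime_to_utc(ft):
    """64-bit FILETIME -> aware UTC datetime (microsecond resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; integer division keeps it exact for 2020s dates."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def decode_userassist(value_name, data, active_time_bias):
    """Decode one UserAssist\\<GUID>\\Count value (Windows 7+ 72-byte layout).

    value_name        ROT13-encoded name, e.g. 'ZHFGNA.RKR'
    data              the 72-byte binary value
    active_time_bias  ActiveTimeBias (minutes) from TimeZoneInformation; UTC = local + bias,
                      so IST (UTC+05:30) is stored as -330
    Layout: 0 version, 4 run count, 8 focus count, 12 focus time (ms),
            16 ten floats, 56 unknown, 60 last-run FILETIME, 68 unknown.
    """
    if len(data) != 72:
        raise ValueError(f"expected a 72-byte UserAssist value, got {len(data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    local_tz = timezone(timedelta(minutes=-active_time_bias))
    utc = filetime_to_utc(last_run) if last_run else None   # 0 = never launched via the GUI
    return {
        "program": codecs.decode(value_name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run_utc": utc,
        "last_run_local": utc.astimezone(local_tz) if utc else None,
    }

def build_sample_value(run_count, focus_count, focus_ms, last_run_utc):
    """Constructed test value in the layout above (not data from a real hive)."""
    return (struct.pack("<IIII", 5, run_count, focus_count, focus_ms) + bytes(40) + bytes(4)
            + struct.pack("<Q", utc_to_filetime(last_run_utc)) + bytes(4))

# 08:54 UTC on 16 March 2024 is 14:24 IST, the EXCEL.EXE launch time in the case below.
SAMPLE = build_sample_value(7, 12, 90_000, datetime(2024, 3, 16, 8, 54, tzinfo=timezone.utc))
```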
The Security log carries the events an Indian cyber-cell triage almost always touches; the key event IDs are the ones listed for it in the channel table above.
System.evtx is where boot and shutdown sequences live (6005 event log service started, 6006 event log service stopped, 1074 user-initiated restart with the actual binary that triggered it, 41 unexpected restart). Service installations are 7045, a key event for tracking malware that installs itself as a Windows service. Time-change events are buried in the System log at event 1; an examiner who sees one of those flags the case as potentially anti-forensic.
PowerShell Operational at event 4104 records the full script block of every PowerShell command if script block logging is enabled (the default on Windows 10+ with the right policy). This is where attacker Invoke-Mimikatz and Invoke-WebRequest calls land, deobfuscated by Windows itself before logging, which is one of the best gifts to a defender that Microsoft has ever shipped.
Sysmon is not installed by default. When it is, the operational log captures every process creation with command line, parent process, image hash and parent image hash. CERT-In's CSIRT-Fin playbook for banking incidents recommends Sysmon deployment on critical endpoints, and several Indian PSU networks now ship it as standard.
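Reading the Security and System rows of the channel table, as an added Python example that is not from the page or from EvtxECmd: it pairs 4624/4634 into logon sessions on TargetLogonId and lists the System-log events the text singles out, including the event 1 time change; the rows are constructed sample data in an EvtxECmd-like shape.

```python
# Constructed EvtxECmd-style rows (sample data, not from a real seizure); only the fields
# the triage needs are kept, and timestamps are ISO strings so they sort as text.
ROWS = [
    {"ts": "2024-03-16T14:20:05", "channel": "System", "id": 6005, "data": {}},
    {"ts": "2024-03-16T14:20:40", "channel": "Security", "id": 4624,
     "data": {"TargetUserName": "user1", "LogonType": "2", "TargetLogonId": "0x3E7A1"}},
    {"ts": "2024-03-16T14:35:12", "channel": "System", "id": 7045,
     "data": {"ServiceName": "VendorUpd", "ImagePath": r"C:\Program Files\Vendor\upd.exe"}},
    {"ts": "2024-03-16T14:40:00", "channel": "System", "id": 1,
     "data": {"Provider": "Microsoft-Windows-Kernel-General",
              "OldTime": "2024-03-16T14:40:00", "NewTime": "2024-03-10T09:00:00"}},
    {"ts": "2024-03-16T15:02:33", "channel": "Security", "id": 4634, "data": {"TargetLogonId": "0x3E7A1"}},
    {"ts": "2024-03-16T15:03:01", "channel": "System", "id": 6006, "data": {}},
]

# System-log IDs the text singles out and the reading an examiner gives each.
SYSTEM_FLAGS = {
    6005: "boot: event log service started", 6006: "shutdown: event log service stopped",
    1074: "user-initiated restart", 41: "unexpected restart", 7045: "service installed",
    1: "system time changed: treat the case as potentially anti-forensic",
}

def _session(start, end_ts):
    d = start["data"]
    return {"user": d["TargetUserName"], "logon_type": d["LogonType"], "start": start["ts"], "end": end_ts}

def logon_sessions(rows):
    """Pair each 4624 with the 4634 carrying the same TargetLogonId. A logon with no
    matching logoff is reported with end=None (still open, or rolled out of the log)."""
    open_logons, sessions = {}, []
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["channel"] != "Security":
            continue
        if r["id"] == 4624:
            open_logons[r["data"]["TargetLogonId"]] = r
        elif r["id"] == 4634:
            start = open_logons.pop(r["data"]["TargetLogonId"], None)
            if start is not None:
                sessions.append(_session(start, r["ts"]))
    return sessions + [_session(s, None) for s in open_logons.values()]

def system_flags(rows):
    """System-log events worth a line on the analyst worksheet, oldest first. Event ID 1 is
    only the time-change event when the provider is Kernel-General, so that is checked too."""
    out = []
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["channel"] != "System" or r["id"] not in SYSTEM_FLAGS:
            continue
        if r["id"] == 1 and r["data"].get("Provider") != "Microsoft-Windows-Kernel-General":
            continue
        out.append((r["ts"], r["id"], SYSTEM_FLAGS[r["id"]], r["data"]))
    return out
```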
The remaining rows of the tool table above:

| Tool | Purpose | Input | Output |
|---|---|---|---|
| KAPE | Triage orchestrator | Live system or mounted image | Collected artefacts plus parsed CSVs |
| Sysmon | Live process and network telemetry, not a parser | Live system | Operational EVTX channel |
A typical Indian SFSL triage timeline on a Windows seizure runs as follows.
The whole pipeline is documented on the analyst worksheet with command-line invocations and output file hashes, so that the BSA Sec 63(4) certificate can identify exactly which version of which tool produced each piece of derived evidence. CFSL Hyderabad maintains a frozen toolset version per case, which is the cleanest way to handle long-running investigations where Eric Zimmerman ships a tool update mid-case.
That cross-artefact corroboration is what the appellate bench wants to see. Any single artefact can be argued to be coincidental; the three together cannot.