Chapter 6: Windows Artifact Analysis
ⓘ This audio and summary are simplified educational interpretations and are not a substitute for the original text.
Understanding where user profiles live on disk and how they are laid out is foundational for locating relevant forensic evidence, because most user-attributable artifacts sit under a specific profile path. The chapter then provides comprehensive coverage of the Windows Registry, the hierarchical database that holds configuration data and, as a side effect, many traces of user activity. The system hives SAM, SECURITY, SOFTWARE, and SYSTEM each carry a distinct category of artifact: local account information, security policy and cached credential material, installed-application and OS configuration, and hardware, service and device-connection records respectively, while the per-user NTUSER.DAT and UsrClass.dat hives record that user's own activity. Specialized tools such as Registry Explorer and RegRipper automate the extraction and parsing of registry data, letting investigators navigate large volumes of structured keys and values efficiently instead of walking them by hand.

The chapter explores five major categories of investigative artifacts. Account usage analysis examines login histories and user access patterns. File knowledge artifacts, including thumbcache databases, the Windows Search index (Windows.edb), and Shellbags, reveal which files and folders a user opened or browsed, even when the files themselves are gone. Program execution evidence emerges from JumpLists documenting recently opened documents per application, Prefetch files tracking application launches and run counts, and Most Recently Used (MRU) lists within the NTUSER.DAT hive showing recent file access. Link (LNK) files and Recycle Bin artifacts provide information about deleted items: a shortcut retains metadata about its target (path, size, timestamps) after the target is removed, and Recycle Bin index records preserve the original path, size, and deletion time of each recycled file. Finally, the chapter addresses external device connectivity and physical location determination through analysis of USB device history stored in the SYSTEM hive, WLAN event logs documenting wireless network connections, and network configuration records. Together, these artifacts reconstruct detailed timelines of user behavior, establish digital footprints, and provide investigative leads for forensic cases.
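The Recycle Bin point above is a good place for a concrete parser, because the on-disk format is small and fixed. Since Windows Vista each recycled file is split into a `$R` file holding the content and a `$I` index record holding the original path, size, and deletion timestamp (as a FILETIME), so the index survives as evidence even if the `$R` content has been purged. The following is an added example written for this page, not code from the chapter or from any tool it names; the two sample records are constructed inline to exercise both the Vista-era fixed-width layout (version 1) and the Windows 10 length-prefixed layout (version 2). The SID folder name and file name in the sample are made up for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 00:00:00 UTC. The same
# conversion is needed for registry LastWrite times and Prefetch run times.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME into a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_recycle_bin_index(data: bytes) -> dict:
    """Parse one $I record from $Recycle.Bin\\<SID>\\.

    Layout (all little-endian):
      0x00  8 bytes  format version: 1 (Vista .. 8.1) or 2 (Windows 10+)
      0x08  8 bytes  original file size in bytes
      0x10  8 bytes  deletion time as FILETIME
      v1:   0x18  520 bytes  original path, UTF-16LE, NUL-padded (MAX_PATH)
      v2:   0x18  4 bytes    path length in UTF-16 code units incl. NUL
            0x1C  2*N bytes  original path, UTF-16LE
    """
    if len(data) < 0x18:
        raise ValueError("record shorter than the 24-byte $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
        if len(raw) < 520:
            raise ValueError("truncated version-1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated version-2 path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I format version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def paired_data_file(index_name: str) -> str:
    """Name of the $R file holding the content for a given $I index file."""
    if not index_name.startswith("$I"):
        raise ValueError("not a $I index file name")
    return "$R" + index_name[2:]


# --- constructed sample records (not recovered from a real system) ---------
# 2024-01-15 12:00:00 UTC expressed as FILETIME.
SAMPLE_FILETIME = 133497936000000000
SAMPLE_PATH = r"C:\Users\analyst\Documents\budget.xlsx"


def _build_v2(path: str, size: int, ft: int) -> bytes:
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + name


def _build_v1(path: str, size: int, ft: int) -> bytes:
    return struct.pack("<QQQ", 1, size, ft) + path.encode("utf-16-le").ljust(520, b"\x00")


SAMPLE_V2 = _build_v2(SAMPLE_PATH, 48213, SAMPLE_FILETIME)
SAMPLE_V1 = _build_v1(SAMPLE_PATH, 48213, SAMPLE_FILETIME)

if __name__ == "__main__":
    for rec in (parse_recycle_bin_index(SAMPLE_V1), parse_recycle_bin_index(SAMPLE_V2)):
        print(rec["version"], rec["deleted_at"].isoformat(), rec["original_size"], rec["original_path"])
    print(paired_data_file("$I3K9QZA.xlsx"))
```

On a live image, iterate the `$Recycle.Bin\<SID>` folders, feed each `$I*` file to `parse_recycle_bin_index`, and record the folder's SID alongside the result: the SID attributes the deletion to a user account, which can then be resolved against the SAM hive or the ProfileList key discussed above. Files removed with Shift+Delete or from removable media never get a `$I` record, so absence here is not evidence the file was never deleted.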