
Windows Disk forensics cheat sheet

📅 Published: 2026-03-24 14:21 | 🔄 Last Updated: 2026-05-08 21:05

Tip: This cheat sheet is my personal compilation of essential Windows disk artifacts, their fantastic forensic significance and where to find them. Hope you find this reading insightful.

1. General Guidelines & Triage

  • Large-scale analysis: When dealing with massive, flat datasets, always parse and sort them into a unified super-timeline. Tools: KAPE, Timeline Explorer.
  • File System: Focus on $MFT, $UsnJrnl ($J), and $LogFile.
  • Evidence of Execution: Focus on Prefetch, ShimCache, Amcache.
  • User Behavior/Correlation: Focus on LNK files, ShellBags, JumpLists.
  • Tooling Strategy: Use Event Log Explorer / EvtxECmd for .evtx files. Use Registry Explorer / RECmd for structured hive data.
  • System Hives Path: C:\Windows\System32\config\ (SYSTEM, SOFTWARE, SAM, SECURITY).
  • User Hives Path: C:\Users\<User>\ (NTUSER.DAT) and C:\Users\<User>\AppData\Local\Microsoft\Windows\ (UsrClass.dat).

2. Important artifacts

| Live System | Dead System | Investigation Tool |
|---|---|---|
| HKEY_LOCAL_MACHINE\SYSTEM | C:\Windows\System32\config\SYSTEM | Registry Explorer / Regrip |
| HKEY_LOCAL_MACHINE\SOFTWARE | C:\Windows\System32\config\SOFTWARE | Registry Explorer / Regrip |
| HKEY_USERS | C:\Windows\System32\config\SAM | Registry Explorer / Regrip |
| HKEY_CURRENT_USER | C:\Users\<User>\NTUSER.dat; C:\Users\<User>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Registry Explorer / Regrip |
| Amcache.hve | C:\Windows\appcompat\Programs\Amcache.hve | Registry Explorer / Regrip |
| Event Viewer -> Windows Logs -> Security | C:\Windows\winevt\Logs\Security.evtx | Event Log Explorer |
| Event Viewer -> Windows Logs -> System | C:\Windows\winevt\Logs\System.evtx | Event Log Explorer |
| Event Viewer -> Windows Logs -> Application | C:\Windows\winevt\Logs\Application.evtx | Event Log Explorer |
| Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> TaskScheduler -> Operational | Microsoft-Windows-TaskScheduler%4Operational.evtx | Event Log Explorer |

3. System information

| What to look for | Where to find it | Investigation Tool |
|---|---|---|
| Windows version and installation date | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Registry Explorer / Regrip |
| Computer name | SYSTEM\ControlSet001\Control\ComputerName\ComputerName | Registry Explorer / Regrip |
| Timezone | SYSTEM\ControlSet001\Control\TimeZoneInformation | Registry Explorer / Regrip |
| Identify physical cards | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards | Registry Explorer / Regrip |
| Identify interface configuration | SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces | Registry Explorer / Regrip |
| Connections history | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged; SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles; Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx | WifiHistoryView |

4. User information

| What to look for | Where to find it | Investigation Tool |
|---|---|---|
| Username, creation date, login date, SID | SAM | Registry Explorer / Regrip |
| Login, logout, deletion, creation | Security.evtx: 4624 -> successful logon; 4625 -> failed logon; 4634 -> session terminated; 4647 -> user-initiated logoff; 4672 -> special privilege logon; 4648 -> user ran a program as another user (Run as administrator); 4720/4726 -> account creation/deletion | Event Log Explorer |
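The logon event IDs in the table are far more useful once correlated: a 4624 and its matching 4634/4647 share a LogonId, a 4672 under the same LogonId marks the session as privileged, a 4720/4726 tells you which session created or deleted an account, and a burst of 4625s right before a 4624 from the same source deserves a second look. The Python below is an added example (not the cheat sheet's or any tool's code) that does that correlation over constructed records; the field names follow the Security event XML as EvtxECmd exports it, and every record in EVENTS is invented.

```python
"""Correlate Security.evtx logon events into per-session records.

Added example, not part of the cheat sheet. EVENTS is a constructed stand-in
for an EvtxECmd CSV export of Security.evtx; field names follow the event XML
(TargetLogonId on 4624/4634/4647, SubjectLogonId on 4672/4720/4726).
"""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%S"
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive"}

# Constructed sample records (not real log data).
EVENTS = [
    {"EventID": 4625, "TimeCreated": "2026-03-24T08:00:01", "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "TimeCreated": "2026-03-24T08:00:02", "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "TimeCreated": "2026-03-24T08:00:03", "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "TimeCreated": "2026-03-24T08:00:04", "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "TimeCreated": "2026-03-24T08:00:05", "TargetUserName": "alice", "LogonType": 3, "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.9"},
    {"EventID": 4672, "TimeCreated": "2026-03-24T08:00:05", "SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1"},
    {"EventID": 4634, "TimeCreated": "2026-03-24T08:45:05", "TargetUserName": "alice", "TargetLogonId": "0x3e7a1"},
    {"EventID": 4624, "TimeCreated": "2026-03-24T09:10:00", "TargetUserName": "bob", "LogonType": 2, "TargetLogonId": "0x41bb2", "IpAddress": "-"},
    {"EventID": 4720, "TimeCreated": "2026-03-24T09:12:30", "TargetUserName": "svc_backup", "SubjectUserName": "bob", "SubjectLogonId": "0x41bb2"},
    {"EventID": 4647, "TimeCreated": "2026-03-24T09:30:00", "TargetUserName": "bob", "TargetLogonId": "0x41bb2"},
]


def _ts(text):
    return datetime.strptime(text, TIME_FMT)


def build_sessions(events):
    """Stitch each 4624 to its 4634/4647 by LogonId and attach the 4672 and
    4720/4726 events that happened under that LogonId."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid = ev["EventID"]
        if eid == 4624:
            sessions[ev["TargetLogonId"]] = {
                "user": ev["TargetUserName"],
                "logon_type": LOGON_TYPES.get(ev["LogonType"], str(ev["LogonType"])),
                "source": ev.get("IpAddress", "-"),
                "start": _ts(ev["TimeCreated"]),
                "end": None, "end_reason": None,
                "privileged": False, "account_changes": [],
            }
        elif eid in (4634, 4647):
            s = sessions.get(ev["TargetLogonId"])
            if s is not None and s["end"] is None:
                s["end"] = _ts(ev["TimeCreated"])
                s["end_reason"] = "user-initiated logoff (4647)" if eid == 4647 else "session terminated (4634)"
        elif eid == 4672:
            s = sessions.get(ev["SubjectLogonId"])
            if s is not None:
                s["privileged"] = True
        elif eid in (4720, 4726):
            s = sessions.get(ev["SubjectLogonId"])
            if s is not None:
                s["account_changes"].append(("created" if eid == 4720 else "deleted", ev["TargetUserName"]))
    for s in sessions.values():
        s["duration"] = (s["end"] - s["start"]) if s["end"] else None
    return sessions


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Return (user, source, count) for each user/source pair that produced at
    least `threshold` 4625 events inside any sliding interval of `window`."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            buckets[(ev["TargetUserName"], ev.get("IpAddress", "-"))].append(_ts(ev["TimeCreated"]))
    bursts = []
    for (user, source), times in buckets.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts.append((user, source, best))
    return bursts


if __name__ == "__main__":
    for logon_id, s in build_sessions(EVENTS).items():
        print(logon_id, s["user"], s["logon_type"], s["source"], s["start"], s["end_reason"],
              "privileged" if s["privileged"] else "", s["account_changes"])
    print("failed-logon bursts:", failed_logon_bursts(EVENTS))
```

On a real export, feed the parsed CSV rows in place of EVENTS; sessions with no end event are usually logons that outlived the log, which is itself worth noting in the timeline.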

5. File activity

| Artifact | Description & Value | Tool |
|---|---|---|
| $MFT | Contains physical file location, MACB timestamps and Alternate Data Streams (ADS); comparing Standard Information (SI) against File Name (FN) timestamps detects timestomping. | MFTECmd, NTFS Log Tracker |
| $UsnJrnl ($J) | Tracks the lifecycle of a file (creation, deletion, modification). | MFTECmd |
| $LogFile | Transaction log. Highly useful for countering timestomping because it retains original timestamps even if the $MFT is altered. | MFTECmd |
| $I30 | Directory index attribute. Crucial for identifying files that have been deleted from a specific folder (slack space). | INDXRipper |
| $Recycle.Bin | Contains deleted files. $I files store the original path and deletion time; $R files store the actual deleted content. | RBCmd |

KAPE can also be used for mass forensic evidence collection (EZParser module).
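The $MFT row mentions comparing SI and FN timestamps; the following added example (not code from the cheat sheet or from MFTECmd) shows the two checks an analyst typically runs over an MFTECmd CSV export. The rows in MFT_ROWS are constructed, the column names assume MFTECmd's 0x10 (SI) / 0x30 (FN) naming, and the result separates the strong indicators from the weak one, since whole-second timestamps on both attributes also appear legitimately. Any hit should be confirmed in $LogFile or $UsnJrnl, as the table above suggests.

```python
"""Flag $STANDARD_INFORMATION vs $FILE_NAME timestamp inconsistencies.

Added example, not part of the cheat sheet. MFT_ROWS is a constructed stand-in
for rows of an MFTECmd CSV export: the 0x10 columns are $STANDARD_INFORMATION
(SI) times, the 0x30 columns are $FILE_NAME (FN) times, both at 100 ns precision.
"""
from datetime import datetime

# Constructed sample rows (not from a real volume).
MFT_ROWS = [
    {"EntryNumber": 5021, "ParentPath": ".\\Users\\alice\\Documents", "FileName": "report.docx",
     "Created0x10": "2026-03-20 09:15:42.1203342", "LastModified0x10": "2026-03-22 17:02:10.5551234",
     "Created0x30": "2026-03-20 09:15:42.1203342", "LastModified0x30": "2026-03-20 09:15:42.1203342"},
    {"EntryNumber": 6144, "ParentPath": ".\\Windows\\System32", "FileName": "svchost32.exe",
     "Created0x10": "2019-07-15 04:30:00.0000000", "LastModified0x10": "2019-07-15 04:30:00.0000000",
     "Created0x30": "2026-03-24 02:11:37.8812001", "LastModified0x30": "2026-03-24 02:11:37.8812001"},
    {"EntryNumber": 6150, "ParentPath": ".\\Users\\alice\\Downloads", "FileName": "setup.msi",
     "Created0x10": "2026-03-23 11:00:00.0000000", "LastModified0x10": "2026-03-23 11:00:00.0000000",
     "Created0x30": "2026-03-23 11:00:00.0000000", "LastModified0x30": "2026-03-23 11:00:00.0000000"},
]


def parse_ntfs_time(text):
    """Return (datetime to the second, 100 ns ticks within that second).
    strptime's %f stops at microseconds, so the 7-digit fraction is kept apart."""
    base, _, frac = text.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    return dt, ticks


def timestomp_indicators(row):
    """Return a list of (severity, reason); an empty list means nothing suspicious."""
    si_c = parse_ntfs_time(row["Created0x10"])
    si_m = parse_ntfs_time(row["LastModified0x10"])
    fn_c = parse_ntfs_time(row["Created0x30"])
    fn_m = parse_ntfs_time(row["LastModified0x30"])
    out = []
    # 1. User-mode APIs (SetFileTime) rewrite SI only, so a file whose SI creation
    #    time predates the creation of its own name record is the classic sign.
    if si_c < fn_c:
        out.append(("high", "SI created %s precedes FN created %s" % (row["Created0x10"], row["Created0x30"])))
    # 2. Many stomping utilities write whole seconds, zeroing the 100 ns fraction
    #    of the SI times while the untouched FN times keep theirs.
    si_whole = si_c[1] == 0 and si_m[1] == 0
    fn_whole = fn_c[1] == 0 and fn_m[1] == 0
    if si_whole and not fn_whole:
        out.append(("high", "SI times have zero sub-second precision but FN times do not"))
    elif si_whole:
        # Both attributes whole-second: also produced by archive/installer extraction.
        out.append(("low", "all timestamps have zero sub-second precision"))
    return out


def scan_mft(rows):
    """Map EntryNumber -> indicators for every row with at least one indicator."""
    findings = {}
    for row in rows:
        indicators = timestomp_indicators(row)
        if indicators:
            findings[row["EntryNumber"]] = indicators
    return findings


if __name__ == "__main__":
    for entry, indicators in scan_mft(MFT_ROWS).items():
        row = next(r for r in MFT_ROWS if r["EntryNumber"] == entry)
        print(entry, row["ParentPath"] + "\\" + row["FileName"])
        for severity, reason in indicators:
            print("   [%s] %s" % (severity, reason))
```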

6. File activity - user correlation

| Artifact | Description & Evidence Provided | Tool | Where to find |
|---|---|---|---|
| ShellBags | Accessed folders (GUI). Persists even if the folder/drive is deleted or removed. | ShellBags Explorer | NTUSER.dat; USRCLASS.dat |
| LNK files | Shortcut files. Provide evidence of file access, original path, MAC times of the target, and volume serial number. | LECmd | C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent; C:\Users\<User>\Desktop; C:\Users\<User>\AppData\Roaming\Microsoft\Office\Recent\ |
| JumpLists | Record right-click actions on taskbar icons. Tied to a specific user. Show frequently/recently accessed files. | JLECmd, JumpList Explorer | C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations; C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations |
| MRU lists | Most Recently Used lists (Registry). Show files the user interacted with via specific applications (e.g., Office, Run dialog). | Registry Explorer | NTUSER.dat: Software\Microsoft\Office\15.0\<Office application>\File MRU; Software\Microsoft\Office\15.0\<Office application>\Place MRU; Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU*; Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs; Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU; Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths |
| Windows event IDs | Failed/successful object access | Event Log Explorer | Security.evtx: 4656 -> user tried to access an object; 4660 -> object was deleted; 4663 -> user accessed the object successfully; 4658 -> user closed the opened object (file) |
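The MRU keys listed above only tell you *what* was used; the *order* lives in a companion value, either an MRUList string of value letters (RunMRU) or an MRUListEx binary array of little-endian 32-bit indexes terminated by 0xFFFFFFFF (RecentDocs, OpenSavePidlMRU). The Python below is an added example (not the cheat sheet's or Registry Explorer's code) that decodes both orderings over constructed value sets; the RunMRU strings end in the "\1" flag Windows writes, and the RecentDocs values imitate the UTF-16LE file name that begins each real value, with an invented trailer in place of the shell item data.

```python
"""Order Explorer MRU registry values most-recent-first.

Added example, not part of the cheat sheet. RUNMRU and RECENTDOCS are
constructed value sets imitating what Registry Explorer shows under
NTUSER.dat\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
and ...\\Explorer\\RecentDocs.
"""
import struct

# Constructed RunMRU values: each entry is "<command>\1"; MRUList lists the
# single-letter value names, most recent first.
RUNMRU = {
    "a": "cmd\\1",
    "b": "\\\\fileserver\\finance\\1",
    "c": "regedit\\1",
    "MRUList": "bca",
}


def _recentdocs_value(name):
    # RecentDocs values start with the NUL-terminated UTF-16LE file name;
    # the bytes after it stand in for the shell-item trailer we do not decode.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + bytes(12)


# Constructed RecentDocs values, numbered as Windows numbers them; MRUListEx is
# the list of those numbers, most recent first, terminated by 0xFFFFFFFF.
RECENTDOCS = {
    "0": _recentdocs_value("report.docx"),
    "1": _recentdocs_value("salary.xlsx"),
    "2": _recentdocs_value("budget-2026.xlsx"),
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),
}


def mru_order(values):
    """Return the value names of one MRU key, most recent first."""
    if "MRUListEx" in values:
        order = []
        for (index,) in struct.iter_unpack("<I", values["MRUListEx"]):
            if index == 0xFFFFFFFF:          # terminator
                break
            order.append(str(index))
        return order
    if "MRUList" in values:
        return list(values["MRUList"])
    return []


def utf16z(data):
    """Decode the leading NUL-terminated UTF-16LE string of a binary value."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", "ignore")


def decode_runmru(values):
    """Commands typed into the Run dialog, most recent first, "\1" flag removed."""
    return [values[name].removesuffix("\\1") for name in mru_order(values) if name in values]


def decode_recentdocs(values):
    """File names recorded under RecentDocs, most recent first."""
    return [utf16z(values[name]) for name in mru_order(values) if name in values]


if __name__ == "__main__":
    print("RunMRU    :", decode_runmru(RUNMRU))
    print("RecentDocs:", decode_recentdocs(RECENTDOCS))
```

The `name in values` guard matters on real hives: a stale MRUList occasionally references a value that no longer exists, and a decoder that indexes blindly would crash on exactly the keys worth looking at.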

7. Connected devices

| What to look for | Where to find it | Investigation Tool |
|---|---|---|
| Vendor ID, Product ID, serial number, device name | SYSTEM\ControlSet001\Enum\USB | Registry Explorer / Regrip |
| Serial number, first connection time, last connection time, last removal time | SYSTEM\ControlSet001\Enum\USBSTOR | Registry Explorer / Regrip |
| USB label | SYSTEM\ControlSet001\Enum\SWD\WPDBUSENUM | Registry Explorer / Regrip |
| GUID, type, serial number | SYSTEM\ControlSet001\Control\DeviceClasses | Registry Explorer / Regrip |
| Volume GUID, volume letter, serial number | SYSTEM\MountedDevices; SOFTWARE\Microsoft\Windows Portable Devices\Devices; SOFTWARE\Microsoft\Windows Search\VolumeInfoCache | Registry Explorer / Regrip |
| Serial number, first connection time | setupapi.dev.log | Notepad++ |
| Serial number, connection times, drive letter | System.evtx (20001 -> a new device is installed); Security.evtx (6416 -> new external device recognized); Microsoft-Windows-Ntfs%4Operational.evtx | Event Log Explorer |
| Automation | Registry, event logs, setupapi.dev.log | USBDeviceForensics, USBDetective |
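Reading setupapi.dev.log in Notepad++ works for one device; for a box with years of plug-ins, a small parser is faster. The Python below is an added example (not the cheat sheet's code and not how USBDetective or USBDeviceForensics work internally) that pulls the first "Device Install (Hardware initiated)" section for every USB and USBSTOR device id from a constructed log excerpt; the excerpt imitates the real section layout but every device, serial and timestamp in it is invented. Two details the example handles: the log is written in local system time rather than UTC, and an instance id whose second character is "&" (for example `7&2a1b3c4d&0`) was generated by Windows because the device reported no serial number, so it cannot be used to match the device across machines.

```python
"""Extract first-install times of USB devices from setupapi.dev.log.

Added example, not part of the cheat sheet. SETUPAPI_LOG is a constructed
excerpt imitating the sections Windows writes to
C:\\Windows\\INF\\setupapi.dev.log. Timestamps in this log are local time.
"""
import re
from datetime import datetime

# Constructed log excerpt (invented devices, serials and times).
SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - PCI\\VEN_8086&DEV_1234&SUBSYS_00000000&REV_01\\3&11583659&0&E0]
>>>  Section start 2025/11/02 10:14:55.101
<<<  Section end 2025/11/02 10:14:56.004
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567890123]
>>>  Section start 2026/03/24 02:05:12.990
      cmd: C:\\Windows\\system32\\svchost.exe -k netsvcs
<<<  Section end 2026/03/24 02:05:13.210
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2026/03/24 02:05:13.221
<<<  Section end 2026/03/24 02:05:15.030
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&2a1b3c4d&0&0]
>>>  Section start 2026/03/25 18:40:02.517
<<<  Section end 2026/03/25 18:40:03.100
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2026/04/01 09:00:00.000
<<<  Section end 2026/04/01 09:00:00.900
<<<  [Exit status: SUCCESS]
"""

SECTION_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>[^\]]+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_device_id(dev_id):
    """Split BUS\\HWIDS\\INSTANCE into its parts."""
    bus, _, rest = dev_id.partition("\\")
    hw_ids, _, instance = rest.rpartition("\\")
    fields = dict(part.split("_", 1) for part in hw_ids.split("&") if "_" in part)
    serial = instance
    if bus == "USBSTOR":
        serial = re.sub(r"&\d+$", "", instance)      # drop the trailing "&<LUN>"
    return {
        "device_id": dev_id, "bus": bus,
        "vendor": fields.get("Ven"), "product": fields.get("Prod"),
        "vid": fields.get("VID"), "pid": fields.get("PID"),
        "serial": serial,
        # "&" in the second position: Windows made this id up, the device gave no serial.
        "serial_is_windows_generated": len(serial) > 1 and serial[1] == "&",
    }


def parse_usb_installs(log_text):
    """One record per USB/USBSTOR device id with its earliest section start
    (first install, local time) and the number of install sections seen."""
    devices = {}
    pending = None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            pending = m.group("id")
            continue
        m = START_RE.match(line)
        if m and pending:
            dev_id, pending = pending, None
            if dev_id.split("\\", 1)[0] not in ("USB", "USBSTOR"):
                continue
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            rec = devices.get(dev_id)
            if rec is None:
                rec = devices[dev_id] = dict(parse_device_id(dev_id), first_install=ts, install_count=0)
            rec["first_install"] = min(rec["first_install"], ts)
            rec["install_count"] += 1
    return sorted(devices.values(), key=lambda r: r["first_install"])


if __name__ == "__main__":
    for rec in parse_usb_installs(SETUPAPI_LOG):
        print(rec["first_install"], rec["bus"], rec["vendor"] or rec["vid"], rec["product"] or rec["pid"],
              rec["serial"], "(generated id)" if rec["serial_is_windows_generated"] else "", rec["install_count"])
```

Correlate the first_install value against the registry rows above (USBSTOR first-connection time) and the 20001/6416 events; because the log is local time, convert using the TimeZoneInformation key from section 3 before lining it up with UTC sources.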

8. Execution activities

| Artifact | Description & Evidence Provided | Tool | Where to find |
|---|---|---|---|
| UserAssist | Tracks GUI-based execution. Shows execution count and focus time. Tied to the user profile. | UserAssist (Didier Stevens) / Registry Explorer | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist |
| ShimCache | Tracks application compatibility. Proves executable presence and last modified time. (Note: does not guarantee the file was actually executed.) | AppCompatCacheParser | SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache |
| Amcache | Proves application presence, installation, and often retains the file's SHA1 hash. | AmcacheParser | C:\Windows\AppCompat\Programs\Amcache.hve |
| Prefetch | Hard evidence of execution. Tracks executable run count, last 8 execution timestamps (Win8+), and lists DLLs loaded within the first 10 seconds. | PECmd, WinPrefetchView (NirSoft) | C:\Windows\Prefetch |
| BAM & DAM | Background/Desktop Activity Moderator. Tracks full path and last execution time of executables. | Registry Explorer | SYSTEM\ControlSet001\Services\bam\State\UserSettings |
| SRUM | System Resource Usage Monitor. Tracks network bytes sent/received and application memory usage over time. | SrumECmd | C:\Windows\System32\sru\SRUDB.dat |
| Scheduled tasks | Tracks persistence mechanisms. | Task Scheduler / Registry Explorer | C:\Windows\System32\Tasks and the Registry |
| Windows services (executable, date added) | Persistence detection | Registry Explorer / Regrip | SYSTEM\CurrentControlSet\Services |
| Windows event logs: service-related evidence | Service installation time, service crashed, service stop/start events | Event Log Explorer | Security.evtx (4697 -> service installed); System.evtx (7034 -> service crashed, 7035 -> start/stop requests, 7036 -> service stopped/started) |
| Autorun | The name is self-explanatory: artifacts that automatically execute code when USBs or CDs are mounted, or at system startup. | Registry Explorer / Regrip | SOFTWARE\Microsoft\Windows\CurrentVersion\Run; SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce; SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run; SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run; NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce |
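The UserAssist row above is the one artifact in this table that needs decoding by hand if your tool of choice is not available: the value names under each GUID's Count subkey are ROT13-encoded, and on Windows 7 and later the 72-byte value data carries the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-execution FILETIME at offset 60. The Python below is an added example (not Didier Stevens' UserAssist tool or Registry Explorer's code) that decodes two constructed values; the known-folder GUID table is a partial one, and mapping FOLDERID_System to C:\Windows\System32 assumes a default system root.

```python
"""Decode UserAssist value names and 72-byte (Windows 7+) value data.

Added example, not part of the cheat sheet. SAMPLE_VALUES are constructed
(name, data) pairs imitating entries under
NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Partial known-folder table; the paths assume a default C:\Windows install.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "C:\\Windows\\System32",   # FOLDERID_System
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "C:\\Program Files",      # FOLDERID_ProgramFilesX64
}


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None if unset."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, in integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def pack_userassist(run_count, focus_count, focus_ms, last_run):
    """Build 72-byte value data in the Windows 7+ layout (used only to construct samples)."""
    ft = dt_to_filetime(last_run) if last_run else 0
    return struct.pack("<IIII44xQ4x", 0, run_count, focus_count, focus_ms, ft)


# Constructed sample values: ROT13 of "{1AC14E77-...}\cmd.exe" and "C:\Tools\procmon.exe".
SAMPLE_VALUES = [
    ("{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
     pack_userassist(7, 3, 125000, datetime(2026, 3, 24, 8, 30, tzinfo=timezone.utc))),
    ("P:\\Gbbyf\\cebpzba.rkr", pack_userassist(0, 0, 0, None)),
]


def decode_userassist(name, data):
    """Decode one UserAssist value into a dict with path, counts and last run time."""
    path = codecs.decode(name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            path = folder + path[len(guid):]
    if len(data) != 72:
        # XP-era entries are 16 bytes; anything else is not a known layout.
        return {"path": path, "format": "unsupported (%d bytes)" % len(data)}
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {
        "path": path,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_dt(last_run),
    }


def decode_userassist_key(values):
    """Decode every (name, data) pair of a Count subkey, most recently run first."""
    records = [decode_userassist(name, data) for name, data in values]
    return sorted(records, key=lambda r: r.get("last_run") or FILETIME_EPOCH, reverse=True)


if __name__ == "__main__":
    for rec in decode_userassist_key(SAMPLE_VALUES):
        print(rec)
```

Entries with a run count of zero and no last-run time are common; they are created when an item is merely shown in the Start menu, so they are not execution evidence on their own, which is why the decoder keeps them separate rather than dropping them.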