Windows Disk forensics cheat sheet
📅 Published: 2026-03-24 14:21 | 🔄 Last Updated: 2026-05-08 21:05
Tip: This cheat sheet is my personal compilation of essential Windows disk artifacts, their fantastic forensic significance and where to find them. I hope you find this reading insightful.
1. General Guidelines & Triage
- Large-scale analysis: When dealing with massive, flat datasets, always parse and sort them into a unified super-timeline. Tools: KAPE, Timeline Explorer.
- File System: Focus on `$MFT`, `$UsnJrnl` (`$J`), and `$LogFile`.
- Evidence of Execution: Focus on Prefetch, ShimCache, Amcache.
- User Behavior/Correlation: Focus on LNK files, ShellBags, JumpLists.
- Tooling Strategy: Use Event Log Explorer / EvtxECmd for `.evtx` files. Use Registry Explorer / RECmd for structured hive data.
- System Hives Path: `C:\Windows\System32\config\` (SYSTEM, SOFTWARE, SAM, SECURITY).
- User Hives Path: `C:\Users\<User>\` (NTUSER.DAT) and `C:\Users\<User>\AppData\Local\Microsoft\Windows\` (UsrClass.dat).
2. Important artifacts
| Live System | Dead System | Investigation Tool |
|---|---|---|
| HKEY_LOCAL_MACHINE/SYSTEM | C:\Windows\System32\config\SYSTEM | Registry Explorer / Regrip |
| HKEY_LOCAL_MACHINE/SOFTWARE | C:\Windows\System32\config\SOFTWARE | Registry Explorer / Regrip |
| HKEY_USERS | C:\Windows\System32\config\SAM | Registry Explorer / Regrip |
| HKEY_CURRENT_USER | • C:\Users\<USER>\NTUSER.dat • C:\Users\<user>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Registry Explorer / Regrip |
| Amcache.hve | C:\Windows\appcompat\Programs\Amcache.hve | Registry Explorer / Regrip |
| Event Viewer -> Windows Logs -> Security | C:\Windows\winevt\Logs\Security.evtx | Event Log Explorer |
| Event Viewer -> Windows Logs -> System | C:\Windows\winevt\Logs\SYSTEM.evtx | Event Log Explorer |
| Event Viewer -> Windows Logs -> Application | C:\Windows\winevt\Logs\Application.evtx | Event Log Explorer |
| Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> TaskScheduler -> Operational | Microsoft-Windows-TaskScheduler%4Operational.evtx | Event Log Explorer |
3. System information
| What to look for? | Where to find it? | Investigation Tool |
|---|---|---|
| Windows version and installation date | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Registry Explorer / Regrip |
| Computer name | SYSTEM\ControlSet001\Control\ComputerName\ComputerName | Registry Explorer / Regrip |
| Timezone | SYSTEM\ControlSet001\Control\TimeZoneInformation | Registry Explorer / Regrip |
| Identify physical cards | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards | Registry Explorer / Regrip |
| Identify interface configuration | SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces | Registry Explorer / Regrip |
| Connections History | • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles • Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx | WifiHistoryView |
4. User information
| What to look for? | Where to find it? | Investigation Tool |
|---|---|---|
| Username, creation date, login date, SID | SAM | Registry Explorer / Regrip |
| Login, logout, deletion, creation | Security.evtx • 4624 -> Successful logon • 4625 -> Failed logon • 4634 -> Session terminated • 4647 -> User-initiated logoff • 4672 -> Special privileges assigned to logon • 4648 -> User ran a program as another user (Run as administrator) • 4720/4726 -> Account creation/deletion | Event Log Explorer |
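The Security.evtx IDs above only become useful once they are correlated: a 4624 and its matching 4634/4647 share a Logon ID, and 4625 records for the same account and source just before a 4624 tell you how many tries it took. The following is an added example, not part of this cheat sheet or of any EZ tool; the records are constructed and their field names (`time`, `id`, `user`, `logon_id`, `logon_type`, `src`) are this example's own simplification of what an EvtxECmd export carries.

```python
from datetime import datetime

# Constructed Security.evtx records (not real evidence), already parsed into dicts.
SAMPLE_EVENTS = [
    {"time": "2024-05-02 08:01:10", "id": 4624, "user": "alice", "logon_id": "0x3E7A1", "logon_type": 2, "src": "-"},
    {"time": "2024-05-02 08:03:44", "id": 4625, "user": "bob", "logon_id": "0x0", "logon_type": 3, "src": "10.0.0.55"},
    {"time": "2024-05-02 08:03:46", "id": 4625, "user": "bob", "logon_id": "0x0", "logon_type": 3, "src": "10.0.0.55"},
    {"time": "2024-05-02 08:03:49", "id": 4624, "user": "bob", "logon_id": "0x4B120", "logon_type": 3, "src": "10.0.0.55"},
    {"time": "2024-05-02 08:20:00", "id": 4634, "user": "bob", "logon_id": "0x4B120", "logon_type": 3, "src": "-"},
    {"time": "2024-05-02 17:30:05", "id": 4647, "user": "alice", "logon_id": "0x3E7A1", "logon_type": None, "src": "-"},
]

# Logon types most often seen in disk-based investigations.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}
TS_FMT = "%Y-%m-%d %H:%M:%S"

def reconstruct_sessions(events):
    """Pair 4624 with 4634/4647 by Logon ID and count preceding 4625s per (user, source)."""
    open_sessions = {}   # logon_id -> session still without a logoff event
    sessions = []
    failed_before = {}   # (user, src) -> 4625 count seen since the last 4624
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], TS_FMT)
        key = (ev["user"], ev["src"])
        if ev["id"] == 4625:
            failed_before[key] = failed_before.get(key, 0) + 1
        elif ev["id"] == 4624:
            open_sessions[ev["logon_id"]] = {
                "user": ev["user"], "src": ev["src"],
                "logon_type": LOGON_TYPES.get(ev["logon_type"], str(ev["logon_type"])),
                "start": t, "end": None, "duration_s": None,
                "failed_attempts_before": failed_before.pop(key, 0),
            }
        elif ev["id"] in (4634, 4647):
            session = open_sessions.pop(ev["logon_id"], None)
            if session is not None:   # logoff without a logon in scope: log rolled over
                session["end"] = t
                session["duration_s"] = int((t - session["start"]).total_seconds())
                sessions.append(session)
    # Anything left open had no logoff in the evidence window; keep it, flagged by end=None.
    sessions.extend(open_sessions.values())
    return sessions

if __name__ == "__main__":
    for s in reconstruct_sessions(SAMPLE_EVENTS):
        print(s)
```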
5. File activity
| Artifact | Description & Value | Tool |
|---|---|---|
| $MFT | Contains physical file location, MACB timestamps, Alternate Data Streams (ADS), and compares Standard Information (SI) vs. File Name (FN) times to detect Timestomping. | MFTECmd, NTFS Log Tracker |
| $UsnJrnl ($J) | Tracks the lifecycle of a file (creation, deletion, modification). | MFTECmd |
| $LogFile | Transaction log. Highly useful for countering Timestomping because it retains original timestamps even if the $MFT is altered. | MFTECmd |
| $I30 | Directory index attribute. Crucial for identifying files that have been deleted from a specific folder (slack space). | INDXRipper |
| $Recycle.Bin | Contains deleted files. $R files store the actual deleted content. | RBCmd |
KAPE can also be used for mass forensic evidence collection (EZParser module).
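The $MFT row above says timestomping is detected by comparing $STANDARD_INFORMATION (SI) against $FILE_NAME (FN) times. Here is that check as an added example (not part of this cheat sheet or of MFTECmd) over a constructed CSV whose column names are assumed to mirror MFTECmd's `0x10` (SI) / `0x30` (FN) naming; it flags SI created earlier than FN created, and SI timestamps with an all-zero 100 ns fraction, which second-granularity stomping tools leave behind.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows (not real evidence), header assumed to follow MFTECmd's naming.
SAMPLE_MFT_CSV = """\
ParentPath,FileName,InUse,Created0x10,Created0x30,LastModified0x10,LastModified0x30
.\\Windows\\System32,svchost.exe,True,2019-03-19 04:49:07.1234567,2019-03-19 04:49:07.1234567,2019-03-19 04:49:07.1234567,2019-03-19 04:49:07.1234567
.\\Users\\alice\\Downloads,invoice.exe,True,2015-01-01 00:00:00.0000000,2024-05-02 13:22:41.5532101,2015-01-01 00:00:00.0000000,2024-05-02 13:22:41.5532101
.\\Users\\alice\\Documents,notes.txt,True,2024-04-30 09:12:03.4410007,2024-04-30 09:12:03.4410007,2024-05-01 17:05:55.0193321,2024-04-30 09:12:03.4410007
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

def parse_ts(value):
    # NTFS keeps 100 ns (7 fractional digits); strptime's %f accepts at most 6.
    return datetime.strptime(value[:26], TS_FMT)

def timestomp_indicators(csv_text):
    """Return {full_path: [reasons]} for rows showing classic SI-vs-FN timestomping signs."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["ParentPath"] + "\\" + row["FileName"]
        reasons = []
        si_created = parse_ts(row["Created0x10"])
        fn_created = parse_ts(row["Created0x30"])
        # FN times are written by the kernel on create/rename/move; user-mode
        # timestamp APIs rewrite only SI, so SI older than FN is suspicious.
        if si_created < fn_created:
            reasons.append("SI created precedes FN created")
        # Second-granularity stomping leaves the 100 ns fraction zeroed.
        if row["Created0x10"].endswith(".0000000"):
            reasons.append("SI created has zeroed sub-second precision")
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in timestomp_indicators(SAMPLE_MFT_CSV).items():
        print(path, "->", "; ".join(reasons))
```

A hit here is a lead, not proof: confirm it against the $LogFile and $UsnJrnl entries for the same record, as the table recommends, since legitimate copies and restores also produce SI older than FN.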
6. File activity - user correlation
| Artifact | Description & Evidence Provided | Tool | Where to find |
|---|---|---|---|
| ShellBags | Accessed folders (GUI). Persists even if the folder/drive is deleted or removed. | ShellBags Explorer | ShellBags • NTUSER.dat • USRCLASS.dat |
| LNK Files | Shortcut files. Provide evidence of file access, original path, MAC times of the target, and Volume Serial Number. | LECmd | LNK files • C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent • C:\Users\<User>\Desktop • C:\Users\<User>\AppData\Roaming\Microsoft\Office\Recent\ |
| JumpLists | Records right-click actions on taskbar icons. Tied to a specific user. Shows frequently/recently accessed files. | JLECmd, JumpList Explorer | JumpLists • C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations • C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations |
| MRU Lists | Most Recently Used lists (Registry). Shows files the user interacted with via specific applications (e.g., Office, Run dialog). | Registry Explorer | NTUSER.dat • Software\Microsoft\Office\15.0\<Office application>\File MRU • Software\Microsoft\Office\15.0\<Office application>\Place MRU • Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU* • Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs • Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU • Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths |
| Windows Event IDs | Failed/successful object access | Event Log Explorer | Security.evtx • 4656 -> User tried to access an object • 4660 -> Object was deleted • 4663 -> User accessed the object successfully • 4658 -> User closed the opened object (file) |
7. Connected devices
| What to look for? | Where to find it? | Investigation Tool |
|---|---|---|
| Vendor ID, Product ID, Serial Number, Device name | SYSTEM\ControlSet001\Enum\USB | Registry Explorer / Regrip |
| Serial Number, First connection time, last connection time, last removal time | SYSTEM\ControlSet001\USBSTOR | Registry Explorer / Regrip |
| USB Label | SYSTEM\ControlSet001\Enum\SWD\WPDBUSENUM | Registry Explorer / Regrip |
| GUID, TYPE, serial number | SYSTEM\ControlSet001\Control\DeviceClasses | Registry Explorer / Regrip |
| VolumeGUID, Volume letter, serial number | • SYSTEM\Mounted Devices • SOFTWARE\Microsoft\Windows Portable Devices\Devices • SOFTWARE\Microsoft\Windows Search\VolumeInfoCache | Registry Explorer / Regrip |
| Serial number, first connection time | setupapi.dev.log | notepad++ |
| Serial number, connection times, drive letter | • SYSTEM.evtx (20001 -> a new device is installed) • Security.evtx (6416 -> new external device recognized) • Microsoft-Windows-Ntfs%4Operational.evtx | Event Log Explorer |
| Automation | Registry, EventLogs, setupapi.dev.log | USBDeviceForensics, USBDetective |
8. Execution activities
| Artifact | Description & Evidence Provided | Tool | Where to find |
|---|---|---|---|
| UserAssist | Tracks GUI-based execution. Shows execution count and focus time. Tied to user profile. | Registry Explorer, UserAssist by Didier Stevens | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist |
| ShimCache | Tracks application compatibility. Proves executable presence and last modified time. (Note: does not guarantee the file was actually executed.) | AppCompatCacheParser | SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache |
| Amcache | Proves application presence, installation, and often retains the file's SHA1 hash. | AmcacheParser | C:\Windows\AppCompat\Programs\Amcache.hve |
| Prefetch | Hard evidence of execution. Tracks executable run count, last 8 execution timestamps (Win8+), and lists DLLs loaded within the first 10 seconds. | PECmd, WinPrefetchView (nirsoft) | Prefetch (C:\Windows\Prefetch) |
| BAM & DAM | Background/Desktop Activity Moderator. Tracks full path and last execution time of executables. | Registry Explorer | BAM & DAM (SYSTEM\ControlSet001\Services\bam\State\UserSettings) |
| SRUM | System Resource Usage Monitor. Tracks network bytes sent/received and application memory usage over time. | SrumECmd | SRUM (C:\Windows\System32\sru\SRUDB.dat) |
| Scheduled Tasks | Tracks persistence mechanisms. | Task Scheduler / Registry Explorer | Found in C:\Windows\System32\Tasks and the Registry. |
| Windows Services executable, date added | Persistence detection | Registry Explorer / Regrip | SYSTEM\CurrentControlSet\Services |
| Windows event logs: Service-related evidence | Service installation time, service crashed, stop/start service event | Event Log Explorer | • Security.evtx (4697 -> service gets installed) • SYSTEM.evtx (7034 -> service crashed, 7035 -> start/stop requests, 7036 -> service stopped/started) |
| Autorun | The name is self-explanatory. Artifacts that automatically execute code upon mounting USBs, CDs, or at system startup. | Registry Explorer / Regrip | • SOFTWARE\Microsoft\Windows\CurrentVersion\Run • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce • SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run • SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce |