Opening Framing
Windows operating systems are prolific record-keepers. Every program execution, file access, USB connection, and network share leaves traces across dozens of artifact locations. This verbosity—designed for usability and troubleshooting—creates an investigator's paradise.
The Windows Registry alone contains thousands of forensically relevant keys tracking user activity, installed software, and system configuration. Event logs record security events, process creation, and PowerShell execution. Prefetch files reveal which programs ran and when. ShellBags remember every folder a user navigated, even deleted ones.
This week covers the major Windows artifact categories: Registry forensics, Event log analysis, execution artifacts (Prefetch, Amcache, ShimCache), and user activity traces (Recent files, Jump Lists, ShellBags). You'll learn where these artifacts live, what they reveal, and how to parse them with professional tools.
Key insight: Attackers who understand Windows forensics know what to delete. Investigators who understand it know what they missed.
1) Registry Forensics
The Windows Registry is a hierarchical database storing system and user configuration. For forensics, it's a goldmine of historical activity:
Registry Structure:
Hives (Physical Files):
┌─────────────────────────────────────────────────────────┐
│ SYSTEM → C:\Windows\System32\config\SYSTEM │
│ SOFTWARE → C:\Windows\System32\config\SOFTWARE │
│ SAM → C:\Windows\System32\config\SAM │
│ SECURITY → C:\Windows\System32\config\SECURITY │
│ NTUSER.DAT → C:\Users\{user}\NTUSER.DAT │
│ UsrClass.dat → C:\Users\{user}\AppData\Local\Microsoft\ │
│ Windows\UsrClass.dat │
└─────────────────────────────────────────────────────────┘
Logical Structure (What you see in regedit):
HKEY_LOCAL_MACHINE (HKLM)
├── SYSTEM → Hardware, services, boot config
├── SOFTWARE → Installed programs, OS settings
├── SAM → User accounts (encrypted)
└── SECURITY → Security policies
HKEY_USERS (HKU)
├── .DEFAULT
├── S-1-5-18 → SYSTEM account
├── S-1-5-19 → LOCAL SERVICE
├── S-1-5-20 → NETWORK SERVICE
└── S-1-5-21-* → User SIDs (from NTUSER.DAT)
HKEY_CURRENT_USER (HKCU) → Alias to current user's HKU keySYSTEM Hive - Key Forensic Artifacts:
SYSTEM Hive Analysis:
Computer Name:
HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Time Zone:
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
- Bias: Offset from UTC in minutes
- Critical for timeline accuracy
Last Shutdown Time:
HKLM\SYSTEM\CurrentControlSet\Control\Windows
- ShutdownTime (FILETIME format)
USB Device History:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
- VID/PID, Serial number, First/Last connected
- Maps to user via MountPoints2
Network Interfaces:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
- IP addresses, DHCP info, DNS servers
Services:
HKLM\SYSTEM\CurrentControlSet\Services
- Start type, binary path, dependencies
- Malware persistence mechanism
Control Sets:
- CurrentControlSet → Symbolic link to active set
- ControlSet001, ControlSet002 → Backup configurations
- Select key shows which is currentSOFTWARE Hive:
SOFTWARE Hive Analysis:
Installed Programs:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\SOFTWARE\WOW6432Node\...\Uninstall (32-bit on 64-bit)
- DisplayName, InstallDate, Publisher
Run Keys (Persistence):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Programs that start at boot
- Common malware persistence location
Network Profiles:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
- SSID names, first/last connected times
- DateCreated, DateLastConnected
OS Information:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- ProductName, CurrentBuild, InstallDate
- RegisteredOwner, RegisteredOrganization
AppCompatCache (ShimCache):
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
- Executable paths and timestamps
- Proves execution (with caveats)NTUSER.DAT - User Activity:
NTUSER.DAT Analysis:
Recent Documents:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
- MRU (Most Recently Used) lists
- By extension: .docx, .pdf, .xlsx
- Binary data contains filename
TypedPaths (Explorer Address Bar):
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
- Manually typed paths
- url1, url2, url3...
RunMRU (Run Dialog):
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
- Commands typed in Win+R
UserAssist (Program Execution):
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
- ROT13 encoded program paths
- Run count, last execution time
- Focus time, focus count
MountPoints2 (Connected Devices):
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
- Drive letters, volume GUIDs
- Maps USB devices to user
Word Wheel Query (Search):
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
- Explorer search termsRegistry Parsing Tools:
RegRipper:
$ rip.pl -r NTUSER.DAT -p userassist
$ rip.pl -r SYSTEM -p usbstor
$ rip.pl -r SOFTWARE -p networklist
Registry Explorer (Eric Zimmerman):
- GUI-based registry browser
- Built-in bookmarks for forensic keys
- Handles dirty/locked hives
- Timeline view
RECmd (Eric Zimmerman):
> RECmd.exe -d C:\Cases\Registry --csv output/ --bn BatchExamples\AllRegExecutablesFoundOrRun.reb
AppCompatCacheParser:
> AppCompatCacheParser.exe -f SYSTEM --csv output/
AmcacheParser:
> AmcacheParser.exe -f Amcache.hve --csv output/Key insight: Registry analysis requires understanding not just where data is stored, but how timestamps work (key LastWrite vs value data) and what each artifact actually proves.
2) Windows Event Logs
Windows Event Logs are the official record of system activity. Modern Windows uses EVTX format with rich structured data:
Event Log Locations:
C:\Windows\System32\winevt\Logs\
├── Security.evtx → Authentication, access control
├── System.evtx → Driver, service events
├── Application.evtx → Application errors, info
├── Microsoft-Windows-PowerShell%4Operational.evtx
├── Microsoft-Windows-Sysmon%4Operational.evtx
├── Microsoft-Windows-TaskScheduler%4Operational.evtx
├── Microsoft-Windows-TerminalServices-*
└── Microsoft-Windows-Windows Defender%4Operational.evtx
Log Categories by Forensic Value:
High: Security, PowerShell, Sysmon, Terminal Services
Medium: System, Task Scheduler, Windows Defender
Lower: Application (depends on installed apps)Critical Security Events:
Security Log - Key Event IDs:
Authentication:
4624 - Successful logon
4625 - Failed logon
4634 - Logoff
4647 - User initiated logoff
4648 - Explicit credential logon (runas)
4672 - Special privileges assigned (admin logon)
Logon Types (in Event 4624):
Type 2 - Interactive (console)
Type 3 - Network (SMB, mapped drive)
Type 4 - Batch (scheduled task)
Type 5 - Service
Type 7 - Unlock
Type 8 - NetworkCleartext
Type 9 - NewCredentials (runas /netonly)
Type 10 - RemoteInteractive (RDP)
Type 11 - CachedInteractive
Account Management:
4720 - User account created
4722 - User account enabled
4724 - Password reset attempt
4728 - Member added to security group
4732 - Member added to local group
4756 - Member added to universal group
Process Tracking (if enabled):
4688 - Process creation
4689 - Process termination
Object Access (if enabled):
4663 - Object access attempt
4656 - Handle requestedSystem and Other Logs:
System Log Events:
7034 - Service crashed unexpectedly
7035 - Service control manager - start/stop
7036 - Service state change
7040 - Service start type changed
7045 - New service installed (persistence!)
104 - Event log cleared (anti-forensics!)
PowerShell Logging (Microsoft-Windows-PowerShell):
4103 - Module logging
4104 - Script block logging (GOLD - full scripts!)
4105 - Script block logging start
4106 - Script block logging stop
Task Scheduler:
106 - Task registered
140 - Task updated
141 - Task deleted
200 - Task executed
201 - Task completed
Terminal Services (RDP):
21 - Session logon succeeded
22 - Shell start
23 - Session logoff
24 - Session disconnected
25 - Session reconnected
Windows Defender:
1116 - Malware detected
1117 - Action taken on malware
5001 - Real-time protection disabledEvent Log Analysis Tools:
EvtxECmd (Eric Zimmerman):
> EvtxECmd.exe -d C:\Windows\System32\winevt\Logs --csv output/
> EvtxECmd.exe -f Security.evtx --csv output/
PowerShell:
> Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} |
Select TimeCreated,Message | Export-Csv logons.csv
> Get-WinEvent -Path .\Security.evtx -FilterXPath "*[System[EventID=4624]]"
Log Parser (Microsoft):
> LogParser "SELECT * FROM Security.evtx WHERE EventID=4624" -i:evt
Timeline Analysis:
- Export all logs to CSV
- Import to Timeline Explorer
- Filter by date range
- Correlate across log sources
Common Investigation Queries:
1. Failed logons followed by success (brute force)
2. Logon Type 10 from unusual IPs (RDP attacks)
3. Event ID 7045 (new services = persistence)
4. Event ID 4104 (PowerShell scripts)
5. Event ID 104 (log clearing)Key insight: Event logs tell you what Windows officially recorded. Gaps in logs (cleared, rolled over, not enabled) are equally important findings.
3) Execution Artifacts
Multiple Windows artifacts track program execution. Each has different retention, coverage, and reliability:
Execution Artifacts Overview:
┌────────────────┬─────────────────┬──────────────────────┐
│ Artifact │ Proves │ Limitations │
├────────────────┼─────────────────┼──────────────────────┤
│ Prefetch │ Execution │ Disabled on SSDs* │
│ Amcache │ Execution │ Complex, can be │
│ │ │ cleared │
│ ShimCache │ File existed │ Doesn't prove │
│ │ │ execution │
│ UserAssist │ GUI execution │ Only GUI programs │
│ BAM/DAM │ Execution │ Win10 1709+ only │
│ SRUM │ Execution │ Resource usage focus │
└────────────────┴─────────────────┴──────────────────────┘
*Prefetch is enabled by default on SSDs in Windows 10+Prefetch Files:
Prefetch Location and Format:
Location: C:\Windows\Prefetch\
Naming: {EXECUTABLE}-{HASH}.pf
Example: CMD.EXE-4A81B364.pf
Contains:
- Executable name and path
- Run count
- Last 8 run times (Windows 8+)
- Files and directories accessed
- Volume information
Forensic Value:
- Proves program execution
- Shows when it ran (up to 8 times)
- Shows files it accessed
- Persists after program deletion
Parsing with PECmd:
> PECmd.exe -d C:\Windows\Prefetch --csv output/
> PECmd.exe -f CMD.EXE-4A81B364.pf
Key Fields:
- ExecutableName
- RunCount
- LastRun (most recent)
- PreviousRun0-6 (older runs)
- FilesLoaded (dependencies)
Investigation Examples:
- PSEXESVC.EXE - PsExec remote execution
- WMIC.EXE - WMI command line
- POWERSHELL.EXE - Script execution
- MSHTA.EXE - HTML application host (common in attacks)Amcache.hve:
Amcache Registry Hive:
Location: C:\Windows\AppCompat\Programs\Amcache.hve
Contains:
- Executable metadata
- SHA1 hash of first ~32KB
- Full path
- File size
- Compile time
- Last modified time
- Publisher info
Key Paths in Amcache:
Root\InventoryApplicationFile → Installed applications
Root\InventoryDriverBinary → Drivers
Root\InventoryDevicePnp → Plug and play devices
Parsing:
> AmcacheParser.exe -f Amcache.hve --csv output/ -i
Forensic Value:
- SHA1 hash for malware identification
- Execution evidence (program had to run)
- Survives file deletion
- Compile time reveals malware age
Caveat:
- Can be cleared by attackers
- Complex structure changed across Windows versions
- Some entries may not indicate executionShimCache (AppCompatCache):
ShimCache:
Location: SYSTEM hive
Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Contains:
- File path
- Last modified time ($STANDARD_INFORMATION)
- File size
- Execution flag (Windows XP/2003 only)
Important Caveat:
- Entries created when file is ACCESSED, not necessarily executed
- A file appearing in ShimCache means Windows checked it
- Does NOT definitively prove execution on Vista+
- Still valuable for showing file existed
Parsing:
> AppCompatCacheParser.exe -f SYSTEM --csv output/
Forensic Use:
- Corroborates other execution evidence
- Shows files that existed (even if deleted)
- Timeline of file access
- Order shows rough chronology (newest first)BAM/DAM (Windows 10+):
Background Activity Moderator:
Location: SYSTEM hive
Path: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}
Contains:
- Full executable path
- Last execution timestamp
- Per-user tracking
Forensic Value:
- Definitively proves execution
- Links execution to specific user
- Recent activity (limited retention)
- Not well known = often not cleared
Parsing:
> rip.pl -r SYSTEM -p bam
> RECmd.exe with appropriate batch fileKey insight: No single artifact proves execution conclusively. Strong conclusions require corroboration across multiple artifact types.
4) User Activity Artifacts
Beyond program execution, Windows tracks extensive user activity through various artifacts:
Recent Files and LNK Files:
Recent Folder:
C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\
- Contains .lnk files (shortcuts)
- Created when files opened
- Survives original file deletion
LNK File Contents:
- Target file path (full path!)
- Target file size
- Target MAC times
- Volume serial number
- NetBIOS name (for network files)
- MAC address of target (network)
Forensic Value:
- Proves file existed
- Proves user opened file
- Shows original location
- Reveals network shares accessed
Parsing with LECmd:
> LECmd.exe -d "C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent" --csv output/
> LECmd.exe -f suspicious.lnk
Key Fields:
- SourceFile (the LNK)
- TargetPath (what it pointed to)
- TargetCreated, TargetModified, TargetAccessed
- VolumeSerialNumber
- MachineId (NetBIOS name)Jump Lists:
Jump Lists:
Location:
C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
Format: {AppID}.automaticDestinations-ms
Contains:
- Recently/frequently accessed files per application
- Pinned items
- Same data as LNK files
- Application-specific (Word, Excel, Chrome, etc.)
Common AppIDs:
5d696d521de238c3 → Chrome
9b9cdc69c1c24e2b → Notepad
f01b4d95cf55d32a → Windows Explorer
7e4dca80246863e3 → Control Panel
Parsing:
> JLECmd.exe -d "C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv output/
Forensic Value:
- Files opened by specific applications
- More complete than Recent folder
- Harder for users to clear
- Shows usage patternsShellBags:
ShellBags:
Location:
- NTUSER.DAT: Software\Microsoft\Windows\Shell\BagMRU
Software\Microsoft\Windows\Shell\Bags
- UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Local Settings\Software\Microsoft\Windows\Shell\Bags
Contains:
- Every folder viewed in Explorer
- Folder timestamps
- View settings (icons, details, etc.)
- ZIP file contents (if browsed)
- Network shares
- Removable media folders
Forensic Gold:
- Folders that no longer exist
- Deleted USB drive contents
- Network share paths
- ZIP file browsing history
Parsing:
> SBECmd.exe -d "C:\Users\{user}" --csv output/
> ShellBagsExplorer.exe (GUI)
Example Finding:
User browsed: E:\Confidential\Project_X\Financials\
- E: drive no longer connected
- Folders may be deleted
- But ShellBags rememberBrowser Artifacts:
Browser Forensics Overview:
Chrome:
C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default\
- History (SQLite)
- Cookies (SQLite)
- Login Data (SQLite, encrypted)
- Bookmarks (JSON)
- Cache (separate folder)
- Downloads (in History)
Edge (Chromium):
C:\Users\{user}\AppData\Local\Microsoft\Edge\User Data\Default\
- Same structure as Chrome
Firefox:
C:\Users\{user}\AppData\Roaming\Mozilla\Firefox\Profiles\{random}.default\
- places.sqlite (history, bookmarks)
- cookies.sqlite
- logins.json + key4.db
Parsing Tools:
- DB Browser for SQLite
- Hindsight (Chrome/Edge)
- KAPE with browser modules
- Autopsy browser analyzer
Key Queries:
SELECT url, title, visit_count, datetime(last_visit_time/1000000-11644473600,'unixepoch')
FROM urls ORDER BY last_visit_time DESC;
SELECT * FROM downloads;Key insight: User activity artifacts often survive aggressive cleanup because users don't know they exist. ShellBags in particular are rarely cleared.
5) USB and External Device Forensics
Tracking USB devices and external storage is critical for investigating data theft and malware delivery:
USB Device Tracking Locations:
1. SYSTEM Hive - Device Identification:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
- Device class, vendor, product, serial
- First install time (in setupapi.dev.log)
HKLM\SYSTEM\CurrentControlSet\Enum\USB
- VID (Vendor ID) and PID (Product ID)
- Maps to specific device model
2. SOFTWARE Hive - Device Details:
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
- Friendly name assigned by Windows
- Maps device ID to user-friendly name
3. NTUSER.DAT - User Connection:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
- Shows which user connected device
- Contains volume GUID
4. SYSTEM Hive - Drive Letter:
HKLM\SYSTEM\MountedDevices
- Maps volume GUID to drive letter
- \DosDevices\E: → device signatureUSB Timeline Reconstruction:
Determining When USB Was Connected:
First Connection:
- setupapi.dev.log (C:\Windows\INF\)
- Search for device serial number
- Timestamp shows first install
Last Connection:
- USBSTOR key LastWrite time
- NTUSER.DAT MountPoints2 LastWrite
User Who Connected:
- MountPoints2 appears under specific user's NTUSER.DAT
- Correlates device GUID to user
Volume Serial Number:
- Found in MountedDevices
- Also in LNK files pointing to USB files
- Can match files to specific USB drive
Complete USB Timeline:
1. First connection (setupapi.dev.log)
2. Device identification (USBSTOR)
3. Drive letter assignment (MountedDevices)
4. User association (MountPoints2)
5. Files accessed (LNK files, Jump Lists)
6. Last connection (Registry LastWrite)USB Forensic Tools:
USBDeview (NirSoft):
- GUI tool for live system
- Shows all USB history
- First/last plug times
Registry Analysis:
> rip.pl -r SYSTEM -p usbstor
> rip.pl -r SYSTEM -p usbdevices
> rip.pl -r NTUSER.DAT -p mountpoints2
setupapi.dev.log Parsing:
Search for "Device Install" entries
[Device Install (Hardware initiated)]
Device: USB\VID_0781&PID_5567\20051234567890
Install started: 2024-03-15 09:30:45
USB Detective (Commercial):
- Comprehensive USB analysis
- Correlates all artifact sources
- Timeline visualization
Investigation Scenarios:
1. Data theft: Was USB connected? What files accessed?
2. Malware delivery: Unknown USB appeared when?
3. Policy violation: Unauthorized device usageEvent Log USB Events:
USB-Related Event Logs:
Microsoft-Windows-DriverFrameworks-UserMode/Operational:
- Event ID 2003: Device connected
- Event ID 2102: Device disconnected
Microsoft-Windows-Partition/Diagnostic:
- Detailed partition information
- Volume serial numbers
Security Log (if auditing enabled):
- Event ID 4663: Object access
- Event ID 6416: New external device recognized
System Log:
- Event ID 20001: Plug and Play driver install
Correlation:
- Combine Registry + Event Logs + LNK files
- Build complete device usage timeline
- Identify specific files accessed from USBKey insight: USB forensics requires correlating multiple artifact sources. No single location tells the complete story, but together they reveal device, user, time, and activity.
Real-World Context
Case Study: Insider Data Theft
A financial services company suspected an employee of stealing client data before resignation. Forensic analysis of the employee's workstation revealed: ShellBags showing navigation to sensitive folders not required for their role, LNK files pointing to a USB drive letter containing "Client_Export.xlsx", USBSTOR entries for a personal USB drive connected three days before resignation, and Event logs showing large file access after hours. The correlation of these artifacts proved intentional data exfiltration.
Case Study: APT Lateral Movement
During incident response, investigators found Security Event 4624 Logon Type 3 (network) from an internal IP followed by new service installation (Event 7045) for a malicious service. Prefetch showed PSEXESVC.EXE execution, and Amcache contained SHA1 hashes matching known APT tools. ShimCache revealed the attacker's toolkit existed on disk before being deleted. This artifact correlation mapped the attacker's lateral movement across the network.
MITRE ATT&CK Alignment:
Windows Forensics Maps to Detection:
Execution Detection:
- T1059.001: PowerShell → Event ID 4104, Prefetch
- T1047: WMI → WMIC.EXE in Prefetch, Amcache
- T1053.005: Scheduled Task → Task Scheduler logs
Persistence Detection:
- T1547.001: Run Keys → Registry analysis
- T1543.003: Windows Service → Event 7045
- T1053: Scheduled Tasks → Task Scheduler logs
Credential Access:
- T1003: Credential Dumping → Event 4624/4648 anomalies
- T1110: Brute Force → Event 4625 patterns
Lateral Movement:
- T1021.001: RDP → Event 4624 Type 10
- T1021.002: SMB → Event 4624 Type 3
- T1570: Tool Transfer → Prefetch, Amcache
Defense Evasion:
- T1070.001: Clear Event Logs → Event 104
- T1070.004: File Deletion → ShimCache shows existedUnderstanding these artifacts is essential for both forensic investigation and detection engineering in security operations.
Guided Lab: Windows Artifact Analysis
In this lab, you'll analyze a Windows forensic image to reconstruct user and attacker activity using multiple artifact sources.
Lab Environment:
- SIFT Workstation or Windows analysis VM
- Eric Zimmerman tools (MFTECmd, PECmd, EvtxECmd, etc.)
- Registry Explorer or RegRipper
- Practice image with planted artifacts
Exercise Steps:
- Extract Registry hives from the image
- Parse SYSTEM hive for USB devices and services
- Parse NTUSER.DAT for UserAssist and RecentDocs
- Extract and parse Prefetch files with PECmd
- Parse Event logs focusing on Security and PowerShell
- Extract and analyze LNK files
- Correlate findings into an activity timeline
Reflection Questions:
- Which artifact source proved most valuable and why?
- What activity gaps exist in the artifacts?
- How would you present these findings to non-technical stakeholders?
Week Outcome Check
By the end of this week, you should be able to:
- Extract and parse Windows Registry hives for forensic artifacts
- Identify forensically relevant Event IDs and their meaning
- Analyze Prefetch, Amcache, and ShimCache for execution evidence
- Extract user activity from LNK files, Jump Lists, and ShellBags
- Reconstruct USB device connection history
- Correlate multiple artifact sources into coherent timelines
- Use Eric Zimmerman tools for efficient artifact parsing
- Map findings to MITRE ATT&CK techniques
🎯 Hands-On Labs (Free & Essential)
Practice Windows artifact analysis before moving to reading resources.
🎮 TryHackMe: Windows Forensics 1
What you'll do: Analyze Windows artifacts and extract user activity.
Why it matters: Windows artifacts are central to enterprise investigations.
Time estimate: 2-3 hours
🎮 TryHackMe: Windows Forensics 2
What you'll do: Continue artifact analysis with deeper Registry and log
parsing.
Why it matters: Correlating artifacts builds reliable timelines.
Time estimate: 2-3 hours
📝 Lab Exercise: Windows Artifact Timeline
Task: Build a timeline from Registry, Event Logs, and Prefetch.
Deliverable: Timeline table with artifact sources and timestamps.
Why it matters: Timelines turn artifacts into narratives.
Time estimate: 90-120 minutes
🛡️ Lab: Write Sigma Rules (Windows)
What you'll do: Create 2 Sigma rules for Windows ATT&CK techniques.
Deliverable: Sigma YAML + note on required Event IDs.
Why it matters: Detection engineering aligns forensics with SOC signals.
Time estimate: 60-90 minutes
💡 Lab Tip: Cross-check Registry and Event Log timestamps to reduce false narratives.
🛡️ SIEM & Detection Engineering Context
Windows forensics produces signals that should map to detections. Analysts who understand SIEM logic build better investigations.
Detection engineering basics:
- Normalize events into consistent schemas
- Map artifacts to ATT&CK techniques
- Write rules with clear false-positive notes
- Validate against real log samples📚 Building on CSY201: SIEM query design and alert tuning fundamentals.
Resources
Lab
Complete the following lab exercises to practice Windows forensic artifact analysis. Use Eric Zimmerman tools and Registry Explorer for parsing.