Windows Forensics
https://library.mosse-institute.com/cyber-domains/digital-forensics.html#windows-forensics
MCSI Digital Forensics Library
https://library.mosse-institute.com/cyber-domains/digital-forensics.html
Windows forensic artefacts are pieces of information that can be recovered from a Windows system that can be used to understand what has happened on the system. Artefacts can include things like file metadata, registry data, event logs, and more. Forensic investigators can use these artefacts to reconstruct what has happened on a system, and they can be invaluable in understanding how a system was used or abused.
In this video, you will learn about the most common data sources within the Windows operating system and the artefacts that can be extracted from them. These include:
Event Logs
Windows event logs can be a valuable source of information for a digital forensics investigation. They can provide insight into what happened on a system, when it happened, and who was involved. Event logs can also help identify malicious activity and provide information that can be used to track down the responsible party.
Scheduled Tasks
Scheduled Tasks may aid a digital forensics investigation by providing insight into when specific tasks were scheduled to run. This information can help narrow down the time frame of an investigation, and may also help identify potential suspects. In some cases, Scheduled Tasks may also contain information about why a particular task was scheduled to run. This can be helpful in understanding the motives behind an act, and can provide valuable leads for investigators to follow.
Prefetch Files
Windows Prefetch files are a type of metadata that can be found on a Windows system. These files contain information about how the system has been used, and can be helpful in a digital forensics investigation. For example, Prefetch files can show which programs have been run, and when they were last run. This information can be helpful in determining which programs were used to access certain data, or to perform certain actions.
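As an added example (not part of the original video or of MCSI's material), the following Python parser pulls exactly the facts described above, the executable name, the last-run timestamps and the run count, out of an uncompressed Prefetch (.pf) file. The sample file, its hash value and its timestamps are constructed inline; the field offsets assume the Vista/7 (version 23) and Windows 8 (version 26) layouts, and Windows 10 files (version 30) are stored LZXPRESS-Huffman compressed and must be decompressed before this parser can read them.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Last-run-time slots at file offset 0x80, per Prefetch format version:
# 23 = Vista/7 (one FILETIME); 26 = Win8 and 30 = Win10 (up to eight, newest first).
LAST_RUN_SLOTS = {23: 1, 26: 8, 30: 8}
# Run counter offsets; the version-30 counter location differs between builds, so it is skipped.
RUN_COUNT_OFFSET = {23: 0x98, 26: 0xD0}


def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return executable name, hash, last-run times and run count from an uncompressed .pf file."""
    if data[:4] == b"MAM\x04":
        # Windows 10+ wraps .pf files in an LZXPRESS-Huffman container; decompress first.
        raise ValueError("compressed Prefetch file: decompress before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in LAST_RUN_SLOTS:
        raise ValueError("not a supported Prefetch file (version %r)" % version)
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16LE field
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]  # the hash seen in the .pf filename
    raw_times = struct.unpack_from("<%dQ" % LAST_RUN_SLOTS[version], data, 0x80)
    last_runs = [filetime_to_dt(ft) for ft in raw_times if ft]  # unused slots are zero
    run_count = None
    if version in RUN_COUNT_OFFSET:
        run_count = struct.unpack_from("<I", data, RUN_COUNT_OFFSET[version])[0]
    return {"exe": exe_name, "hash": pf_hash, "last_runs": last_runs, "run_count": run_count}


def build_sample_pf():
    """Build a constructed version-26 (Windows 8) Prefetch file; all values are made up."""
    buf = bytearray(0xE0)
    struct.pack_into("<I4sI", buf, 0, 26, b"SCCA", 0x11)
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x20] = "CALC.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0x7EBD4ABD)  # constructed hash value
    runs = [datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc),
            datetime(2023, 4, 30, 8, 30, tzinfo=timezone.utc)]
    for i, dt in enumerate(runs):
        ft = int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000
        struct.pack_into("<Q", buf, 0x80 + 8 * i, ft)
    struct.pack_into("<I", buf, 0xD0, 3)  # run count
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_pf())
    print(info["exe"], info["run_count"], [t.isoformat() for t in info["last_runs"]])
```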
Registry
The registry can provide a wealth of information on a system's configuration and installed software. This can be useful in reconstructing what a system looked like at a particular point in time. The registry can also contain evidence of user activity, such as recently accessed files or installed programs. This information can be used to help identify which users were active on a system at a given time, and what they were doing. Additionally, the registry can contain information on system hardware, such as installed devices and drivers. This can be useful in determining what hardware was present on a system at a particular point in time, and can also help to identify any unusual hardware.
Recycle Bin
The Recycle Bin allows users to recover deleted files and folders, which can be vital in many cases. The Recycle Bin can be searched through to find specific files or items, and it can also help to identify when a file was deleted.
Hibernation File
When a computer is put into hibernation, a file is created that contains a snapshot of the system's state at that moment. This file can contain important information such as a list of running processes, open files, and network connections. Investigators can use this information to piece together what was happening on a system at the time it was hibernated.
Temporary Data Folder
This folder contains a variety of data that can be helpful in an investigation, including information on recently accessed files, internet history, and more. By accessing this folder, an investigator can gain valuable insights into the actions of a suspect.
Downloads Folder
This folder can contain a wealth of information, including downloaded files, webpages, and cookies. This folder can be a goldmine of evidence for an investigator.
Application Data
Application data can include everything from log files and error messages to user preferences and saved data. This data can be very helpful in understanding how a device was used and what may have happened on it. In some cases, application data can even be used to reconstruct events that have taken place on a device.
User Accounts
User accounts can provide investigators with valuable information about an individual's online activity, including the websites they visit and the files they access. Additionally, user accounts can help investigators to identify potential victims and witnesses in a case. Finally, user accounts can also be used to track down the source of illegal or unauthorized activity.