Lets understand with example: We have created table to understand NTFS Operations 1. Create Operation: When a file is created, according...

Introduction: In digital forensics, understanding NTFS timestamps is crucial for reconstructing events and analyzing user activities on a...

What is Timeline Analysis? Timeline analysis in digital forensics is the process of examining chronological data to reconstruct events...

LNK (Shortcut) Files: LNK files are Windows shortcut files that contain metadata about the file or program they link to. They can reveal...

1.Timezone The system time zone plays a crucial role in forensic investigations as it provides valuable insights into the timing of...

1. Last Login: Location: C:\windows\system32\config\SAM SAM\Domains\Account\Users Interpretation: The last login time for local accounts...

Tools of Analysis: DB Browser for SQLite/SQLciper Armed with the "DB Browser for SQLite," forensic investigators gain a powerful lens...

1. Open/Save MRU Artifacts: It acts as a repository for a history of files accessed or saved by users, offering a panoramic view of their...

1.Search-WordWheelQuery The "WordWheelQuery" registry key is a valuable artifact found in the Windows registry of Windows 7 to Windows 10...

1.ACMRU Description: On Windows XP machines, the search assistant feature allows users to search for various items such as filenames,...

1.Last Visted MRU Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition,...

1. Open/Save MRU Artifacts: It acts as a repository for a history of files accessed or saved by users, offering a panoramic view of their...

1.Jump Lists Get deep details about this artifact from my previous blog. Blog 1: Unveiling the Significance of Jump list Files in...

1. Last Visited MRU Description: The Last Visited MRU (Most Recently Used) artifact tracks the specific executable files used by an...

This article have been updated on 22 January 2025 When investigating user activity on a Windows system, LNK (shortcut) files  serve as a...

When investigating digital forensics on a Windows system, LNK (shortcut) files  serve as one of the most valuable sources of user...

When investigating deleted files on a Windows system, analyzing the Recycle Bin metadata can provide crucial insights. In this guide,...

The Windows Recycle Bin is an important artifact in forensic investigations . When a user deletes a file using the graphical interface,...

ShellBags  can provide invaluable insights into a user’s activity— helping forensic analysts reconstruct deleted folders, track accessed...

When investigating user activity on a Windows system, ShellBags   are one of the most powerful yet misunderstood  forensic artifacts....