
Windows Forensic Artifacts: Unveiling Key Evidence

Pages Count

28 Pages

Links for the courses

Overview of the differences between various forensic artifacts:  Click Me

-----------------------------------------------------------------------------------------------------------


  1. All combined Artifacts to Confirm Application Execution:

Guide to Identifying Application Execution in Windows Forensics :  Click Me


  2. All combined Artifacts to Confirm File and Folder Access:

Guide to Identifying File and Folder Access in Digital Forensics : Click Me


  3. All combined Artifacts to Confirm Deleted Items and File Existence:

Uncovering Deleted Items and File Existence in Digital Forensics : Click Me


  4. All combined Artifacts to Confirm External Device/USB Usage:

USB Forensics : Click Me


-----------------------------------------------------------------------------------------------------------

Prefetch Files

Windows Prefetch Files: A Tracking Program Execution Blog Link Click Me

Prefetch Analysis with PECmd and WinPrefetchView Tool Link Click Me

-----------------------------------------------------------------------------------------------------

Shell Bags

Understanding ShellBags: A Goldmine in Investigations Blog Link Click Me

ShellBags Analysis ShellBags Explorer(SBE)/SBECmd Tool Link  Click Me

-----------------------------------------------------------------------------------------------------

Lnk Files

Windows LNK Files: A Treasure for Forensic Investigators Blog Link Click Me

LECmd: A Powerful Tool for Investigating LNK Files Tool Link  Click Me

---------------------------------------------------------------------------------------------------------

JumpList

Windows Taskbar Jump Lists: A Forensic Goldmine Blog Link Click Me

Mastering JLECmd for Windows Jump List Forensics Tool Link  Click Me

----------------------------------------------------------------------------------------------------------

RecycleBin

Windows Recycle Bin Forensics: Recovering Deleted Files Blog Link  Click Me

Analyzing Recycle Bin Metadata with RBCmd and $I_Parse Tool Link   Click Me

----------------------------------------------------------------------------------------------------------

AppCompatCache (ShimCache)

Understanding Microsoft’s AppCompatCache (ShimCache) in Digital Forensics Blog Link Click Me

Understanding AppCompatCache tool Forensic Analysis Tool Link Click Me

-----------------------------------------------------------------------------------------------------------

Amcache.hve

Understanding Amcache.hve: A Powerful Forensic Artifact Blog Link Click Me

AmcacheParser and appcompatprocessor.py for Analysis Tool Link Click Me

---------------------------------------------------------------------------------------------------------

Hibernation File

Windows Hibernation Files: Artifact Forensic Investigations Blog Link Click Me

---------------------------------------------------------------------------------------------------------

Windows Search Database/Indexing

Unlocking Windows Search Indexing for Forensics: A Deep Dive : Click Me

A Deep Dive into Windows Search Database Parsing

(WinSearchDBAnalyzer / SQLite / SIDR) : Click Me

---------------------------------------------------------------------------------------------------------

Application Execution

Tracking Microphone and Camera Usage in Windows : Click Me

BAM and DAM in Windows Forensics: Tracking Executed Applications : Click Me

TaskBar FeatureUsage: Tracking executed Applications : Click Me

UserAssist: A Powerful Artifact for Tracking Application Execution : Click Me

Using RADAR and MUICache for Evidence of Execution in Windows : Click Me

Evidence of Execution: Program Compatibility Assistant (PCA) : Click Me

-------------------------------------------------------------------------------------------------------------

Forensic Useful Articles

Uncovering Autostart Locations in Windows (RECmd) : Click Me

Lateral Movement: User Access Logging (UAL) Artifact : Click Me

Windows Knows Files Came from the Internet: ADS (Zone.Identifier) : Click Me

Forensic Analysis of Universal Windows Platform (UWP) Applications : Click Me

----------------------------------------------------------------------------------------------------------------


Your Instructor

Dean
