Windows Forensics
Windows dominates enterprise environments, so most DFIR work involves Windows systems. Understanding the forensic artifacts Windows generates is critical for both incident response and attacker attribution.
Windows Event Logs
Primary source of forensic evidence on Windows:
```powershell
# Security log - authentication events
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 100 # Successful logon
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 100 # Failed logon
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4672} -MaxEvents 100 # Admin logon
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} -MaxEvents 100 # Process creation
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4648} -MaxEvents 100 # Explicit credential use
```
Event ID Quick Reference
| ID | Description |
|---|---|
| 4624 | Logon success |
| 4625 | Logon failure |
| 4634 | Logoff |
| 4648 | Runas credential use |
| 4672 | Admin logon (special privileges assigned) |
| 4688 | Process creation (cmdline included) |
| 4698 | Scheduled task creation |
| 4702 | Scheduled task updated |
| 4720 | User account created |
| 4732 | User added to security group |
| 4776 | Credential validation (NTLM) |
| 4104 | PowerShell script block logging |
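The queries above return raw events; what an analyst actually pivots on are the fields inside them (account, logon type, source address). The following script is an added example, not part of the original page: it pulls 4624 and 4625 events, flattens their EventData into objects, lists interactive (type 2) and RDP (type 10) logons, and flags any source address that produced a burst of failures inside a short window. It assumes local administrator rights to read the Security log; the thresholds are assumptions to tune per environment.

```powershell
# Added example (not from the original page): summarise Security-log logon
# activity and flag failed-logon bursts per source address. Assumes admin
# rights to read the Security log; $FailThreshold and $WindowMinutes are
# assumed values, not recommendations.
param(
    [int]$MaxEvents     = 5000,
    [int]$FailThreshold = 10,   # failures from one source before it is flagged
    [int]$WindowMinutes = 10
)

# Successful (4624) and failed (4625) logons in one query.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624, 4625 } `
    -MaxEvents $MaxEvents -ErrorAction Stop

# Flatten EventData: both IDs carry named <Data> elements under <EventData>.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = [int]$d['LogonType']
        Source    = $d['IpAddress']
        Process   = $d['ProcessName']
        Status    = $d['Status']        # only present on 4625
    }
}

# 1. Interactive (2) and RDP (10) logons, the ones most relevant to
#    lateral-movement review.
$rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in 2, 10 } |
    Sort-Object Time | Format-Table Time, User, LogonType, Source -AutoSize

# 2. Failed-logon bursts: $FailThreshold failures from one source address
#    within $WindowMinutes (brute force or password spray pattern).
$rows | Where-Object { $_.Id -eq 4625 -and $_.Source -and $_.Source -ne '-' } |
    Group-Object Source | ForEach-Object {
        $times = @($_.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
        for ($i = 0; $i + $FailThreshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $FailThreshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Source   = $_.Name
                    Failures = $times.Count
                    First    = $times[$i]
                    Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
                }
                break   # one report per source is enough
            }
        }
    } | Format-Table -AutoSize
```

The `IpAddress` field is `-` for local logons, which is why they are excluded from the burst check; many failures against many distinct users from one source (a long `Users` column) points to spraying rather than a single mistyped password.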
Prefetch Files
Evidence of program execution on Windows:
```powershell
C:\Windows\Prefetch\*.pf
```
Each .pf file records the executable name, run count, first and last run times (the last eight run times on Windows 8 and later), and the files and DLLs loaded during the first seconds of execution.
```powershell
# Parse prefetch with PECmd: -f for a single file, -d for the whole directory
PECmd.exe -f C:\Windows\Prefetch\CMD.EXE-*.pf
PECmd.exe -d C:\Windows\Prefetch\
```
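When PECmd is not available on the host, filesystem metadata of the .pf files still yields a first-pass execution timeline. This script is an added example, not code from the page or from PECmd: it parses the `NAME.EXE-HASH.pf` naming convention, uses each file's creation time as an approximation of first run and last write time as last run, and highlights executables seen under more than one path hash. It assumes read access to `C:\Windows\Prefetch` (administrator) and that prefetching is enabled on the system.

```powershell
# Added example (not from the original page): prefetch timeline from file
# metadata, no .pf parser required. Creation time approximates first run and
# last write time approximates last run; run counts and loaded DLLs still
# need PECmd. Assumes admin read access to the Prefetch directory.
$prefetchDir = 'C:\Windows\Prefetch'

$timeline = Get-ChildItem -Path $prefetchDir -Filter '*.pf' -File | ForEach-Object {
    # Names look like NAME.EXE-<8 hex chars>.pf. The hash covers the path the
    # binary ran from, so one executable run from two paths yields two files.
    if ($_.Name -match '^(?<exe>.+)-(?<hash>[0-9A-Fa-f]{8})\.pf$') {
        [pscustomobject]@{
            Executable = $Matches.exe
            PathHash   = $Matches.hash.ToUpper()
            FirstRun   = $_.CreationTime
            LastRun    = $_.LastWriteTime
            SizeKB     = [math]::Round($_.Length / 1KB, 1)
        }
    }
}

# Most recently run programs first.
$timeline | Sort-Object LastRun -Descending | Select-Object -First 25 |
    Format-Table Executable, PathHash, FirstRun, LastRun, SizeKB -AutoSize

# The same executable name under several path hashes means it ran from
# several locations; legitimate software rarely does that.
$timeline | Group-Object Executable | Where-Object Count -gt 1 |
    Select-Object Name, Count, @{ n = 'Hashes'; e = { $_.Group.PathHash -join ',' } } |
    Format-Table -AutoSize

# Executions outside an assumed 06:00-20:00 working window; the hours are an
# assumption to adjust per site.
$timeline | Where-Object { $_.LastRun.Hour -lt 6 -or $_.LastRun.Hour -gt 20 } |
    Sort-Object LastRun | Format-Table Executable, LastRun -AutoSize
```

The directory holds a bounded number of entries (128 on Windows 7, 1024 on Windows 8 and later), so old entries roll off on busy hosts; an absent .pf file is not evidence that a program never ran.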
Jump Lists
User activity evidence beyond just program execution:
```powershell
%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\
%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\
```
Jump Lists record recently accessed files per application.
Windows Registry
The Registry is a forensic goldmine:
```powershell
# User profile list (one subkey per SID; the key itself holds only defaults)
Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    Get-ItemProperty | Select-Object PSChildName, ProfileImagePath

# Startup programs
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run

# Mounted devices (USB history)
Get-ItemProperty HKLM:\SYSTEM\MountedDevices

# Network interfaces (one subkey per network profile)
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles' |
    Get-ItemProperty | Select-Object ProfileName, Description, Managed

# UserAssist (program execution via GUI)
# Located in NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
```
Registry paths that contain a space (`Windows NT`, `Session Manager`) must be quoted or PowerShell splits them into two arguments.
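The Run keys and UserAssist are the two registry artifacts most often read by hand, and UserAssist in particular needs decoding: value names are ROT13-encoded and each value is a binary record. The script below is an added example, not code from the original page: it enumerates Run/RunOnce entries across the HKLM, HKCU and WOW6432Node locations, then decodes the current user's UserAssist entries into program name, run count and last-run time. It assumes a live system (so `HKCU:` is the profile under review) and the Windows 7 and later value layout, in which the run count is the DWORD at offset 4 and the last-run FILETIME is the 8 bytes at offset 60 of a 72-byte record.

```powershell
# Added example (not from the original page): autostart Run entries plus a
# UserAssist decoder. Assumes a live system (HKCU = profile under review) and
# the Windows 7+ UserAssist layout (run count at offset 4, last-run FILETIME
# at offset 60, 72-byte records).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSDrive/... metadata; skip those.
    foreach ($p in ($props.PSObject.Properties | Where-Object Name -notlike 'PS*')) {
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}
$autostarts | Format-Table -AutoSize -Wrap

# UserAssist value names are ROT13-encoded; only ASCII letters are rotated.
function ConvertFrom-Rot13 {
    param([string]$Text)
    $chars = $Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if     ($c -ge 65 -and $c -le 90)  { [char]((($c - 65 + 13) % 26) + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char]((($c - 97 + 13) % 26) + 97) }
        else { $_ }
    }
    -join $chars
}

$uaRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
$maxFileTime = [DateTime]::MaxValue.ToFileTime()

# One GUID subkey per entry type (executables, shortcuts); records live in Count.
$userAssist = Get-ChildItem $uaRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $countKey = Join-Path $_.PSPath 'Count'
    if (-not (Test-Path $countKey)) { return }
    $vals = Get-ItemProperty $countKey
    foreach ($p in ($vals.PSObject.Properties | Where-Object Name -notlike 'PS*')) {
        $b = [byte[]]$p.Value
        if ($b.Length -lt 68) { continue }      # not a Win7+ record; skip
        $ft = [BitConverter]::ToInt64($b, 60)
        $last = $null
        if ($ft -gt 0 -and $ft -lt $maxFileTime) { $last = [DateTime]::FromFileTime($ft) }
        [pscustomobject]@{
            Program  = ConvertFrom-Rot13 $p.Name
            RunCount = [BitConverter]::ToInt32($b, 4)
            LastRun  = $last
        }
    }
}
$userAssist | Where-Object LastRun | Sort-Object LastRun -Descending | Format-Table -AutoSize
```

Decoded program names often start with a known-folder GUID (for example the Program Files or System32 folder ids) rather than a drive letter; that is how Explorer stores them, not a sign of tampering. To examine another user's profile offline, load the NTUSER.DAT with `reg load` and point `$uaRoot` at the mounted hive.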
AmCache and ShimCache
AmCache is a registry hive holding metadata, including SHA-1 hashes, for executables and installers that have run or been installed:
```powershell
C:\Windows\AppCompat\Programs\Amcache.hve
```
Shimcache (AppCompatCache) records recently executed files, including ones that have since been deleted. The value is a single binary blob, so it needs a parser such as AppCompatCacheParser rather than being read directly:
```powershell
# Shimcache via AppCompatCache (binary value; path must be quoted because of the space)
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache'
```
USN Journal
The NTFS Change Journal records every file and directory create, modify, rename and delete on the volume, so it survives the deletion of the files themselves:
```powershell
fsutil usn readjournal C: > usn_journal.txt
```
Scheduled Tasks
Persistence evidence:
```powershell
Get-ScheduledTask
schtasks /query /fo LIST /v
```
Services
Services set to auto-start are common persistence:
```powershell
Get-CimInstance Win32_Service | Select Name, PathName, StartMode, State
```
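Listing every service and task produces hundreds of rows; triage is about reducing that to the few worth a look. The script below is an added example, not code from the original page: it covers both the Scheduled Tasks and Services sections, pulling the executable out of each command line and flagging auto-start services and enabled tasks whose binary sits outside the Windows and Program Files trees, is unsigned or missing, or (services only) has an unquoted path containing spaces. It assumes a live system with PowerShell 5 or later; the trusted-directory list is an assumption to adjust per build.

```powershell
# Added example (not from the original page): persistence triage for
# auto-start services and enabled scheduled tasks. Assumes a live system and
# PowerShell 5+; $trustedRoots is an assumed allow-list to adjust per build.
$trustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

function Get-ImagePath {
    # Extract the executable from a command line that may be quoted,
    # unquoted with spaces in the path, or followed by arguments.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    if ($CommandLine -match '^"([^"]+)"')   { return $Matches[1] }
    if ($CommandLine -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $trustedRoots) {
        if ($root -and $full.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Services: auto-start entries outside trusted roots, unsigned or missing
# binaries, and unquoted image paths containing spaces.
$services = Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' | ForEach-Object {
    $img = Get-ImagePath $_.PathName
    $sig = if ($img -and (Test-Path $img)) { (Get-AuthenticodeSignature $img).Status } else { 'NotFound' }
    [pscustomobject]@{
        Name       = $_.Name
        State      = $_.State
        Image      = $img
        Trusted    = Test-TrustedPath $img
        Signature  = $sig
        UnquotedSp = ($_.PathName -notmatch '^"' -and $img -match ' ')
    }
}
$services | Where-Object { -not $_.Trusted -or $_.Signature -ne 'Valid' -or $_.UnquotedSp } |
    Format-Table -AutoSize

# Scheduled tasks: the same path check on every action, plus who registered
# the task and which account it runs as.
$tasks = Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }    # COM-handler actions have no Execute
        $img = Get-ImagePath $a.Execute
        [pscustomobject]@{
            Task      = Join-Path $task.TaskPath $task.TaskName
            RunAs     = $task.Principal.UserId
            Author    = $task.Author
            Image     = $img
            Arguments = $a.Arguments
            Trusted   = Test-TrustedPath $img
        }
    }
}
$tasks | Where-Object { -not $_.Trusted } | Format-Table -AutoSize -Wrap
```

Two caveats on the allow-list approach: user-writable directories under the trusted roots (for example `C:\Windows\Temp` and `C:\Windows\Tasks`) pass the `Trusted` check, so the `Signature` column still matters for those, and a task whose action is a trusted interpreter (`powershell.exe`, `cmd.exe`, `rundll32.exe`) also passes, which is why `Arguments` is kept in the output.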