windows

Last updated 9:01 PM on 4/4/26

119 Terms

1. What is the Windows operating system?
A series of operating systems with a graphical user interface (GUI) developed by Microsoft. It is a set of programs used to control and manage a computer's hardware and system resources.

2. What are ALL file systems supported by Windows?
FAT12, FAT16, FAT32, exFAT, NTFS, ReFS, CDFS (Compact Discs), and UDF (CDs, DVDs, Blu-ray). The six primary ones are ReFS, NTFS, exFAT, FAT32, FAT16, FAT12.

3. Which file system is the primary modern file system used by Windows and supports forensic timestamps in UTC?
NTFS (New Technology File System).

4. True or False: Windows only supports NTFS and FAT32.
False. Windows supports FAT12, FAT16, FAT32, exFAT, NTFS, ReFS, CDFS, and UDF.

5. What is a forensic artifact?
Data created or modified as a result of system, application, or user activity that can be analyzed to reconstruct historical events.

6. What are the main categories of forensic artifacts in Windows?
Application execution, file and folder opening, deleted items and file existence, browser activity, account usage, system information, network activity, and external devices.

7. What four questions should you ask when studying any forensic artifact?
1. What is its purpose for the OS? 2. What causes it to be created or modified? 3. What does its presence mean forensically? 4. What information can be found in it?

8. What is a Windows Registry key?
A container that functions like a folder. It can hold subkeys and value entries. Keys are case-insensitive.

9. What is a Windows Registry value (value entry)?
A named data item stored inside a key. Each value consists of three parts: a name, a data type, and data.

10. What is registry value data?
The actual information stored within a registry value, distinct from the value's name and type.

11. What is a registry subkey?
A key nested inside another key. Subkeys function like subfolders and can contain their own subkeys and value entries.

12. How many root keys does the Windows Registry technically have?
Six. The five commonly known ones plus HKEY_PERFORMANCE_DATA.

13. What are all five commonly known root keys and their abbreviations?
HKEY_CLASSES_ROOT (HKCR), HKEY_CURRENT_USER (HKCU), HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU), HKEY_CURRENT_CONFIG (HKCC).

14. What is the purpose of HKEY_CLASSES_ROOT?
Manages drag-and-drop rules, program shortcuts, and UI. Links file types with programs (e.g., .doc files with Microsoft Word).

15. What is the purpose of HKEY_CURRENT_USER?
Stores the computing environment configuration for the currently logged-on user.

16. What is the purpose of HKEY_LOCAL_MACHINE?
Stores settings common to the entire machine regardless of which user is logged in.

17. What is the purpose of HKEY_USERS?
Stores computing environment settings for each user that has logged on to the system.

18. What is the purpose of HKEY_CURRENT_CONFIG?
Stores system configuration necessary during the startup process.

19. What is HKEY_PERFORMANCE_DATA and why is it unique?
The sixth root key. It provides access to Windows performance counter information for the OS and applications. It is inaccessible using Registry Editor or any forensic tool; it is only accessible through programmatic means.

20. What are the two Master keys in the Windows Registry?
HKEY_LOCAL_MACHINE (HKLM) and HKEY_USERS (HKU). All other root keys are derived from these two.

21. Which root keys are derived (not master) keys?
HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, and HKEY_CURRENT_CONFIG are all derived keys.

22. True or False: HKEY_CURRENT_USER is a master key.
False. HKCU is a derived key; it is derived from HKEY_USERS. The two master keys are HKLM and HKU.

23. What is a registry hive?
A logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the OS starts or a user logs in.

24. Which four HKLM hives are most important, and which two are the primary forensic interest?
Most important: SAM, SECURITY, SOFTWARE, SYSTEM. Primary forensic interest: SOFTWARE and SYSTEM.

25. True or False: The HARDWARE hive under HKLM is stored on disk.
False. The HARDWARE hive is volatile; it is built dynamically at boot and is never stored on disk.

26. What are the two user hive files and what does each contain?
NTUSER.DAT (loaded as HKEY_CURRENT_USER; stores user-specific settings) and UsrClass.dat (Vista+; supports UAC, mandatory access control, and stores program/folder access info).

27. When is a new user hive created?
Each time a new user logs on to a computer for the first time, a new hive is created for that user with a separate file for the user profile.

28. Where are user hives stored in the registry hierarchy?
Under HKEY_USERS.

29. What is UsrClass.dat and what does it support?
A per-user hive introduced around XP SP2, mandatory in Vista. It supports User Account Control (UAC) and mandatory access control integrity levels, and contains information on programs and folders accessed by users.

30. What information is stored in NTUSER.DAT?
User-specific registry information pertaining to application settings, desktop, environment, network connections, and printers.

31. What timestamp is stored for every registry key?
LastWriteTime, stored in UTC. This does NOT apply to timestamps decoded from inside registry values.

32. What is the role of registry transaction logs in forensics?
If a hive is "dirty" (not cleanly written to disk), transaction logs can be replayed to reconstruct a clean, current hive. If multiple .LOG files exist, inspect sequence numbers to determine replay order; Registry Explorer handles this automatically.

33. What does it mean for a registry hive to be "dirty"?
Changes exist in the transaction log but have not yet been flushed to the hive file on disk, typically due to a system crash or abrupt shutdown.

34. What file extensions are used by registry transaction logs and what do they do?
.LOG (original single log), .LOG1 and .LOG2 (dual alternating logs introduced in XP for crash safety). They record a transaction log of changes to keys and value entries in the hive.

35. What is RegBack and what changed in Windows 10 v1803?
RegBack is a folder where Windows automatically backed up the system registry. Starting in Windows 10 v1803, Windows no longer automatically backs up to RegBack to reduce disk footprint. It may still be present on Windows Servers.

36. If you find a RegBack directory during an investigation, what must you consider?
You may be analyzing a historical state of the registry, not the registry's state at the time of acquisition.

37. What is CurrentControlSet and what does it represent?
A runtime alias in the registry that points to the active ControlSet (e.g., ControlSet001), determined by the SYSTEM\Select\Current value. It is not a physical structure on disk.

38. What does ControlSet001 represent?
The last control set Windows successfully booted with.

39. What does ControlSet002 represent?
The last known good control set, i.e. the control set that last successfully booted Windows. Should be identical to ControlSet001.

40. What is the purpose of control sets in Windows forensics?
They store critical system configuration (services, drivers, hardware profiles). Analyzing them can reveal what services were running, what drivers were loaded, and the system state during a specific boot.

41. When a USB storage device is connected to Windows, what component handles it and where is the data stored?
The Plug-and-Play (PnP) manager receives the notification, queries the device, and stores information extracted from the device descriptor in the System hive.

42. Where is USB device installation information recorded outside the registry?
In setupapi.dev.log, which captures device installation, driver loading, and PnP manager actions.

43. Why are USB serial numbers in USBSTOR not always reliable unique identifiers?
The same serial string can appear for different physical drives if the device uses a USB enclosure or adapter that exposes a generic descriptor. The serial shown may be the enclosure's ID, not the drive's own serial. Uniqueness is not guaranteed.

44. What are the forensic consequences of unreliable USB serial numbers?
Using a serial number as the sole attribution factor can lead to wrong conclusions. In court, you must validate the provenance of the serial string, explain its limitations, and avoid over-claiming attribution.

45. What are Shellbags?
Registry artifacts that store view settings (icon size, window position, sort order) for file system folders accessed through Windows Explorer.

46. What are the two Shellbag subkeys?
Bags (list of all shell bags) and BagMRU (list of folders used most recently).

47. What does the presence of a folder in Shellbags forensically prove?
The user accessed that directory at least once through Windows Explorer.

48. What timestamp information do Shellbags provide?
Last access time for the folder.

49. What are Jump Lists and when were they introduced?
Introduced in Windows 7. A collection of link files in a single file used to populate per-application recent menus, accessible by right-clicking an app in the Start Menu or Taskbar.

50. What is the difference between AutomaticDestinations and CustomDestinations in Jump Lists?
AutomaticDestinations: system-generated, tracks files recently accessed by an application; contains target paths, last accessed timestamp, app ID, and frequency. CustomDestinations: developer-defined, contains target paths and app ID only.

51. What information can be extracted from Jump Lists forensically?
Target file paths accessed, last accessed timestamps, associated application ID, and file access frequency.

52. What are LNK (link/shortcut) files and in what three situations are they created?
Shell link files that store shortcuts. Created during: (1) software installation, (2) opening a file or volume, (3) manual creation via right-click > Send To > Desktop shortcut.

53. What forensic information is contained in a LNK file?
MAC times of the target file, full path to the linked file, network share information, volume serial number, and size of the accessed file.

54. True or False: A LNK file is only created if the user successfully opened the target file.
False. A LNK file can be created even if Windows prevented the user from opening the file, making it evidence of an access attempt.

55. What is TypedPaths?
A registry artifact that records paths manually typed by the user into the Start Menu or Windows Explorer address bar.

56. What is Thumbs.db and which Windows versions have it?
A hidden system file created by Windows Explorer to store thumbnail previews of image and video files in a folder. Exists in pre-Windows 8 systems and on shared/network drives.

57. What does the forensic presence of a Thumbs.db entry for a deleted file prove?
That the file previously existed in that folder and the user's Explorer generated a thumbnail preview, demonstrating user awareness of the file.

58. Does Thumbs.db prove a user deliberately opened or ran a file?
No. It shows the file was viewed or previewed in Explorer but does NOT prove deliberate opening via double-click or application launch.

59. What data does a Thumbs.db entry contain?
Thumbnail image data (binary JPEG/PNG), original file path, modification time, and file type and size.

60. What replaced Thumbs.db starting in Windows Vista?
Centralized thumbcache_*.db files stored under the user profile (thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, thumbcache_1024.db, thumbcache_sr.db).

61. In the Vista+ thumbcache system, what are entries stored as?
Hashes of the original file path including the drive letter. This means you can attempt to map entries back to their original paths (except on Vista, where the hashing format prevents this).

62. What does Windows Search index by default?
All properties of files (names, full paths) and contents of text-based files in C:\Users\* (excluding AppData) and the Start Menu programs folder.

63. Name three forensically valuable things found in the Windows Search index.
1. Deleted files may still be present in the index. 2. Deleted browser history may be present. 3. File renames show user knowledge; ActivityHistory records persist even after deletion or renaming.

64. True or False: Deleting a file removes its record from the Windows Search index.
False. File deletion or renames do not delete ActivityHistory records from the Windows Search index.

65. What is EXIF data?
Exchangeable Image File Format: embedded metadata inside image files, most commonly .jpeg, .heic, and .tiff.

66. What types of information may EXIF data contain?
Date/Time Original (capture time), geolocation coordinates (GPS), camera make and model, lens model, serial number, image dimensions, and orientation.

67. Why is EXIF geolocation data forensically significant?
It can place a device (and potentially a person) at a specific geographic location at a specific time, corroborating or contradicting a suspect's alibi.

68. What database formats do modern browsers use to store forensic artifacts?
SQLite and JSON databases. Legacy Edge/IE 10+ used ESE (WebCacheV01.dat). IE ≤9 used proprietary index.dat files.

69. What browser artifacts are commonly found on disk?
History (URLs, timestamps, visit count), cookies (hostname, name, value, expiry), downloads (filename, path, source URL), login data (saved credentials), local storage/IndexedDB, and bookmarks.

70. Which browser uses the ESE database WebCacheV01.dat?
Legacy Microsoft Edge and Internet Explorer 10+. Modern Edge uses Chromium format (same as Chrome), stored in SQLite and JSON.

71. What is the Zone.Identifier Alternate Data Stream (ADS)?
A stream attached by Windows to files downloaded via browser, Outlook, or Teams. It records the security zone the file originated from.

72. What are the Zone.Identifier ZoneId values and what does each mean?
0 = Local, 1 = Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted.

73. A file has Zone.Identifier ZoneId = 3. What does this mean forensically?
The file was downloaded from the Internet. This proves the file was obtained from an external source, not created locally.

74. True or False: Private/Incognito browsing leaves absolutely no forensic traces on disk.
False. Residual artifacts can persist in %Temp%, memory/pagefile, crash dumps, SQLite WAL/journal files, file system metadata ($LogFile, $UsnJrnl), DNS cache, and downloads remain visible.

75. What SQLite artifacts may persist after an abnormal browser shutdown during a private session?
WAL/journal files (*-journal, *-wal) and recovery fragments in %LocalAppData%\Temp\ or WebCache\.

76. What happens in the MFT when a file is sent to the Recycle Bin?
A new MFT entry is created for the file inside the $Recycle.Bin directory. The original file's clusters are NOT marked as unallocated; they remain allocated until the Recycle Bin is emptied.

77. What happens to a file when it is sent to the Recycle Bin (Vista+)?
The file's clusters are marked as unallocated. A new Directory/MFT Entry is created for the file in the Recycle Bin. Two new files are created: a $I file (metadata) and a $R file (actual data).

78. What happens when a file is Shift+Deleted (bypassing the Recycle Bin)?
In NTFS: the MFT entry is marked as deleted and clusters are marked as available in $Bitmap immediately. In FAT32: the Directory Entry is deleted. No $I/$R pair is created.

79. What happens when a folder is sent to the Recycle Bin?
The folder structure is recreated inside the $R directory. Original filenames are preserved inside the recreated structure.

80. What are the two types of files in the Vista+ Recycle Bin?
$I files: contain metadata (original name, path, file size, deletion timestamp; minimum 544 bytes). $R files: contain the actual data of the deleted file. A random identifier links each pair.

81. What information does a $I file contain at what offsets?
Offset 0: Version (record format, usually 2). Offset 8: Original file size in bytes. Offset 16: Deletion timestamp (Windows FILETIME). Offset 24: Path length. Offset 28: Original path (UTF-16LE).

82. How many $Recycle.Bin directories exist on a Windows system?
One per volume. Every volume (drive letter) has its own $Recycle.Bin at its root. Subdirectories are named by the user's SID.

83. What does the desktop.ini file inside a $Recycle.Bin SID folder indicate?
It is created when the user's Recycle Bin folder is first generated. Its creation timestamp may correspond to the user's first deletion event on that volume.

84. What is file carving?
The process of locating the boundaries of a file using known file signatures (headers and footers) and extracting the data within those boundaries without relying on the file system.

85. What does file carving look for to identify files?
File headers (magic bytes/signatures) and footers (if the file type has one). It does not rely on the file system structure at all.

86. Name five limitations of file carving.
1. Original filename and directory path are lost. 2. Files may be incomplete (fragmented files are problematic). 3. False positives may occur. 4. File boundaries may be incorrect without a footer. 5. Carving is very slow (scans all unallocated space byte-by-byte).

87. What types of artifacts can be carved beyond just files?
Index records ($I30), MFT records, registry hives, and event logs.

88. What is the Volume Shadow Copy Service (VSS)?
A Windows service that creates shadow copies (snapshots) of a volume, preserving the state of files at a point in time. Introduced in Windows XP and Server 2003.

89. What are the maximum specifications for VSS?
Up to 512 VSCs per volume. Supports volumes up to 64 TB.

90. True or False: Volume Shadow Copies are full backups of a volume.
False. VSCs are NOT backups. Temporary files, paging files (pagefile.sys), hibernation files (hiberfil.sys), and items in FilesNotToBackup are automatically excluded.

91. Where is VSC data stored on a volume?
In the "System Volume Information" directory at the root of each volume. The storage container includes GUID: 3808876b-c176-4e48-b7ae-04046e6cc752.

92. Why would a forensic examiner need to carve for Volume Shadow Copies?
VSCs may be deleted by attackers (vssadmin delete shadows /all /quiet), by the OS when disk space is low, when the max storage limit is reached (oldest deleted first), or during Windows Updates or backup rotation.

93. Name three commands attackers use to delete Volume Shadow Copies.
vssadmin delete shadows /all /quiet, wmic shadowcopy delete, diskshadow delete shadows all.

94. True or False: Carving for VSCs can only be performed on a live system.
False. VSCs can be carved from a forensic disk image of an offline system.

95. What is hiberfil.sys and what does it store?
A system file created when hibernation or Fast Startup (Windows 8+) is enabled. Stores the complete contents of system RAM when the computer hibernates, allowing the OS to resume state after power-off.

96. True or False: If hibernation is disabled, hiberfil.sys will never exist on a Windows 8+ system.
False. Fast Startup (enabled by default in Windows 8+) still uses hiberfil.sys to store the kernel session even if full hibernation is disabled by policy.

97. What is pagefile.sys?
An optional hidden system file used by Windows as virtual memory to supplement physical RAM when memory is full. Contains paged-out portions of RAM from running processes. Up to 16 can be configured via the PagingFiles registry value.

98. What is swapfile.sys?
An optimized paging file introduced in Windows 8+ specifically for Universal Windows Platform (UWP) apps. Supports modern app suspension and fast resume. Typically smaller than pagefile.sys.

99. What is the forensic value of pagefile.sys and swapfile.sys?
They may contain fragments of memory from running processes including passwords, encryption keys, decrypted document contents, and other volatile data that was paged to disk.

100. What compression changes did Windows 10 introduce to hiberfil.sys?
Windows 10 introduced compression of individual memory pages in hiberfil.sys. Tools such as Hibr2Bin or Volatility3 (windows.hibernation.Dump) are required to decompress it before analysis.