This repository provides an in-depth guide to the various Windows forensic artifacts that can be utilized when conducting an investigation. Detailed information is provided for each artifact, including its location, available parsing tools, and instructions for interpreting the results of a forensic data extraction. Furthermore, the repository seeks to provide a comprehensive resource for those seeking to expand their understanding of Windows forensics artifacts and how to properly leverage them during a forensic investigation.
- Types of Windows Artifacts
- How to Use this Guide
- Artifacts by Category
- System Enumeration Artifacts
- Artifact Behavioral Mappings
Forensic artifacts on the Windows operating system can generally be split into four main categories:
- Registry
- Filesystem
- Event Log
- Memory
Registry artifacts are found in the Windows registry, which is loaded into memory while a system is in operation and written to disk during shutdown. The registry stores low-level configuration settings for the operating system and contains a wealth of forensic artifacts of interest to an analyst.
Filesystem artifacts are artifacts that arise due to the operation of Windows' filesystem - NTFS (New Technology File System).
Event log artifacts are found in the Windows event log and consist primarily of audit logs from the operating system and its applications.
Memory artifacts are those artifacts found in the endpoint's memory while it is operational. These artifacts must be collected from a live system, and are generally not applicable to dead disk forensics with certain exceptions such as page files and hibernation files that consist of memory that has been written to the disk.
A complete forensic analysis of a Windows endpoint will draw on one or more of these artifact types. They may be collected and parsed individually at the analyst's discretion, or consolidated into "super timelines" with forensic software such as log2timeline.
This guide was created to classify the numerous Windows forensic artifacts and provide a concise list of what information they respectively provide. While it may be used as a general reference, it shines when it comes time to tie separate artifacts together based on mutual/shared datapoints.
For instance, if it is known that an attacker logged into an endpoint around a certain time, an analyst may want to determine what activity on the endpoint can be attributed to that session. For this, the analyst might begin by looking at Security/4624 logon events and pull the Logon ID from that artifact. This guide provides a list of every artifact that has the Logon ID field present, filed under the section Logon ID, giving a quick way to correlate logon activity with other activity on the endpoint.
As another example, say for instance you are aware that an endpoint may have a malicious file on it. Maybe you want to see when the file was created, or when it was first executed. What about determining what Logon ID is associated with the execution with 4688 events?
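The pivot described above, carried out in code as an added example (this script is not part of the guide or the repository it describes): it parses Security/4624 and Security/4688 records in the Windows Event XML layout, keys each logon session by its Logon ID, and attributes every process creation to the session that spawned it. The three events it runs on are constructed samples; the Logon IDs, user names, paths and address in them are made up. The EventData field names used (`TargetLogonId` on 4624, `SubjectLogonId`, `NewProcessName`, `CommandLine` on 4688) are the real ones.

```python
"""Pivot from Security/4624 logon events to Security/4688 process creations
using the Logon ID.

Added example, not code from the original repository. The events below are
constructed sample records in the Windows Event XML layout; every Logon ID,
user name, path and address in them is made up for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events: one RDP logon (4624), one process spawned inside
# that session (4688), and one process whose session has no 4624 in this
# window (its logon predates the oldest retained event, for instance).
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-10T09:15:02Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetLogonId">0x3e7a1</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-10T09:16:40Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectLogonId">0x3E7A1</Data>
    <Data Name="NewProcessId">0x1a2c</Data>
    <Data Name="NewProcessName">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-10T09:20:11Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">svc_backup</Data>
    <Data Name="SubjectLogonId">0x9c41</Data>
    <Data Name="NewProcessId">0x2b10</Data>
    <Data Name="NewProcessName">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
    <Data Name="ParentProcessName">C:\\Windows\\System32\\services.exe</Data>
    <Data Name="CommandLine">powershell.exe -File C:\\Scripts\\backup.ps1</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text):
    """Return the event ID, creation time and EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    created = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": event_id, "time": created, "data": data}


def normalize_logon_id(value):
    """Logon IDs are hex strings (0x3e7a1); case and zero padding differ between
    event sources, so compare on the integer value rather than the text."""
    return int(value, 16)


def correlate(xml_events):
    """Map each Logon ID to its 4624 session and to the 4688 processes created
    under it. Returns (sessions, processes_by_logon_id, orphan_logon_ids); an
    orphan is a session that created processes but has no 4624 in the window."""
    sessions = {}
    processes = defaultdict(list)
    for ev in (parse_event(x) for x in xml_events):
        d = ev["data"]
        if ev["event_id"] == 4624:
            lid = normalize_logon_id(d["TargetLogonId"])
            sessions[lid] = {
                "user": d.get("TargetDomainName", "") + "\\" + d["TargetUserName"],
                "logon_type": d.get("LogonType"),
                "source_ip": d.get("IpAddress"),
                "time": ev["time"],
            }
        elif ev["event_id"] == 4688:
            lid = normalize_logon_id(d["SubjectLogonId"])
            processes[lid].append({
                "time": ev["time"],
                "pid": int(d["NewProcessId"], 16),
                "process": d["NewProcessName"],
                "parent": d.get("ParentProcessName"),
                "command_line": d.get("CommandLine"),
            })
    orphans = [lid for lid in processes if lid not in sessions]
    return sessions, dict(processes), orphans


def processes_for_session(xml_events, logon_id):
    """All 4688 processes attributed to one Logon ID (the pivot from 4624)."""
    _, processes, _ = correlate(xml_events)
    return processes.get(normalize_logon_id(logon_id), [])


if __name__ == "__main__":
    sessions, processes, orphans = correlate(SAMPLE_EVENTS)
    for lid, procs in processes.items():
        who = sessions.get(lid, {}).get("user", "<no 4624 in window>")
        print(f"Logon ID 0x{lid:x} ({who}):")
        for p in procs:
            print(f"  {p['time']}  pid {p['pid']}  {p['command_line']}")
    for lid in orphans:
        print(f"Logon ID 0x{lid:x} created processes but its logon lies outside the log window")
```

The orphan list is the practical caveat: a 4688 whose Subject Logon ID has no matching 4624 usually means the logon happened before the oldest retained Security event, so the session's user and source must be recovered from another artifact in the Logon ID section rather than assumed missing.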
Building a mental map of the relationships between all the artifacts present in Windows is necessary for an analyst to efficiently pivot their focus during an investigation. This guide lays those relationships out and, along the way, provides analysis tips collected during years of forensic experience.
The forensic artifacts described in this repository are split into the following categories:
Execution artifacts may provide the following information:
What command line was used to spawn this process?
- Security/4688: A new process has been created
- Scheduled Task Files
- TaskScheduler/Operational Log
- Detection History Files
- Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started
- winget Activity
When was this executable first run?
- Prefetch
- AmCache.hve
- Scheduled Task Files
- TaskScheduler/Operational Log
- Microsoft-Windows-PowerShell/Operational/4104: PowerShell Script Block Logging
- AutomaticDestinations Jumplists
When was the last time this executable was run?
- Prefetch
- Scheduled Task Files
- TaskScheduler/Operational Log
- Background Activity Monitor
- Program Compatibility Assistant (PCA) - PcaAppLaunchDic.txt
- AutomaticDestinations Jumplists
What permissions does the process have? What account launched the process?
- Security/4688: A new process has been created
- Scheduled Task Files
- Background Activity Monitor
- SRUM Database
- Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started
- AutomaticDestinations Jumplists
How did this process come to be? What spawned this process? Is the ProcessID available?
- Security/4688: A new process has been created
- Microsoft-Windows-PowerShell/Operational/4104: PowerShell Script Block Logging
- TerminalServices-RDPClient/Operational/1024: RDP ClientActiveX is trying to connect to the server
- Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started
When was this process spawned?
- Security/4688: A new process has been created
- Scheduled Task Files
- TaskScheduler/Operational Log
- Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started
Was a process spawned?
- AmCache.hve
- Background Activity Monitor
- Security/4688: A new process has been created
- Prefetch
- ShimCache
- SRUM Database
- Detection History Files
- Scheduled Task Files
- TaskScheduler/Operational Log
- Program Compatibility Assistant (PCA) - PcaAppLaunchDic.txt
- Tracing Registry Keys
- Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started
- Security/5156: The Windows Filtering Platform has permitted a connection
- AutomaticDestinations Jumplists
- Windows Error Reporting Files (.WER)
Account activity artifacts may provide the following information:
When was this account created?
What groups is the account a member of?
When did this account last log in?
Identification of specific instances of account logins
- Security/4778: Session reconnected
- Security/4648: Logon using explicit credentials
- Security/4624: An account was successfully logged on
- Security/4625: An account failed to log on
Certain activity can be tied to logon sessions by means of a Logon ID
- Security/4688: A new process has been created
- Security/4720: A user account was created
- Security/4778: Session reconnected
- Security/4648: Logon using explicit credentials
- Security/4624: An account was successfully logged on
What is the account's Relative Identifier?
What is the account's Security Identifier?
- SAM Hive
- Security/4720: A user account was created
- Security/4778: Session reconnected
- TerminalServices-RDPClient/Operational/1024: RDP ClientActiveX is trying to connect to the server
- Security/4648: Logon using explicit credentials
- Security/4624: An account was successfully logged on
- Security/4625: An account failed to log on
- WMI-Activity/Operational/5861: New WMI Event Consumer
- SRUM Database
- ProfileList
- Microsoft-Windows-PowerShell/Operational/4104: PowerShell Script Block Logging
- Recycle Bin $I/$R Files
- Background Activity Monitor
- Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started
- Security/7045: Service Installed
Determining the username attached to a particular SID, or artifacts where you would expect to find a username
- ProfileList
- AutomaticDestinations Jumplists
- Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational/1149
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational/21: Session logon succeeded
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational/24: Session has been disconnected
File activity artifacts may provide the following information:
When was the file created?
When was the file deleted?
What is the hash of this file?
When was the file last modified?
Where did the file come from?
Where is the file located?
- ShimCache
- AmCache.hve
- Run/RunOnce Keys
- USN Journal
- Scheduled Task Files
- TaskScheduler/Operational Log
- Background Activity Monitor
- SRUM Database
- Detection History Files
- Image File Execution Options
- Program Compatibility Assistant (PCA) - PcaAppLaunchDic.txt
- Microsoft-Windows-PowerShell/Operational/4104: PowerShell Script Block Logging
- Recycle Bin $I/$R Files
- Services Registry Keys
- Security/7045: Service Installed
- Security/5156: The Windows Filtering Platform has permitted a connection
- AutomaticDestinations Jumplists
- Windows Error Reporting Files (.WER)
- Microsoft Office TrustRecords Registry Keys
What is the file's size on disk?
Network activity artifacts may provide the following information:
Is there evidence of network activity?
- TerminalServices-RDPClient/Operational/1024: RDP ClientActiveX is trying to connect to the server
- Tracing Registry Keys
- Microsoft-Windows-WLAN-AutoConfig/Operational/8001: Successfully Connected to a Wireless Network
- Microsoft-Windows-WLAN-AutoConfig/Operational/8003: Successfully Disconnected from a Wireless Network
- Security/5156: The Windows Filtering Platform has permitted a connection
- Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational/1149
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational/21: Session logon succeeded
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational/24: Session has been disconnected
- RDP Persistent Bitmap Cache
- Terminal Server Client Registry Keys
Can the destination for this activity be identified?
- TerminalServices-RDPClient/Operational/1024: RDP ClientActiveX is trying to connect to the server
- Security/4648: Logon using explicit credentials
- Security/5156: The Windows Filtering Platform has permitted a connection
Can the source of this activity be identified?
- TaskScheduler/Operational Log
- Scheduled Task Files
- Security/4778: Session reconnected
- Security/4624: An account was successfully logged on
- Security/4625: An account failed to log on
- Security/5156: The Windows Filtering Platform has permitted a connection
- Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational/1149
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational/21: Session logon succeeded
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational/24: Session has been disconnected
Can the amount of data sent or received be determined?
Artifacts supporting general forensic analysis for browser activity on an endpoint
Artifacts supporting general forensic analysis of events pertaining to the Windows Firewall
- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall/2004: Firewall Rule Added
- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall/2071: Firewall Rule Added
- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall/2005: Firewall Rule Modified
- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall/2073: Firewall Rule Modified
- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall/2006: Firewall Rule Deleted
- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall/2052: Firewall Rule Deleted
- Security/5156: The Windows Filtering Platform has permitted a connection
Artifacts providing evidence of wireless network activity
- Microsoft-Windows-WLAN-AutoConfig/Operational/8001: Successfully Connected to a Wireless Network
- Microsoft-Windows-WLAN-AutoConfig/Operational/8003: Successfully Disconnected from a Wireless Network
These miscellaneous artifacts may provide an analyst information regarding certain actions that a user took on a system.
These miscellaneous artifacts may provide an analyst information regarding Group Policy Object (GPO) activity on an Active Directory domain.
- Microsoft-Windows-GroupPolicy/Operational/4005: Starting manual processing of policy for user
- Microsoft-Windows-GroupPolicy/Operational/4001: Starting user logon Policy processing
- System/1503: The Group Policy settings for the user were processed successfully
- Microsoft-Windows-GroupPolicy/Operational/4004: Starting manual processing of policy for computer
- Microsoft-Windows-GroupPolicy/Operational/4000: Starting computer boot policy processing
- System/1502: The Group Policy settings for the computer were processed successfully
- Microsoft-Windows-GroupPolicy/Operational/5312: List of applicable Group Policy objects
These artifacts may be leveraged by an analyst to enumerate information from an endpoint that may prove useful during an investigation. While some of these artifacts may not necessarily be looked at for evidence of activity, they may be analyzed to obtain information important to an investigation.
Artifact | Information |
---|---|
Select | |
CurrentVersion | |
TimeZoneInformation | |
ComputerName | |
Interfaces | |
Network Cards | |
Group Membership Registry Key | |
Additionally, these artifacts may be roughly mapped to the MITRE ATT&CK framework to perform analysis on a behavioral basis:
The below artifacts are related to execution. Execution is defined by MITRE as:
...techniques that result in adversary-controlled code running on a local or remote system.
The below artifacts may prove useful in identifying instances of execution on an endpoint:
Artifact Type | Artifact |
---|---|
Filesystem | Prefetch |
Eventlog | Security/4688: A new process has been created |
Registry/Memory | ShimCache |
Registry | AmCache.hve |
Filesystem | Scheduled Task Files |
Eventlog | TaskScheduler/Operational Log |
Registry/Filesystem | SRUM Database |
Filesystem | Program Compatibility Assistant (PCA) - PcaAppLaunchDic.txt |
Registry | Background Activity Monitor |
Filesystem | Detection History Files |
Registry | Tracing Registry Keys |
Eventlog | Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started |
Filesystem | AutomaticDestinations Jumplists |
Filesystem | Windows Error Reporting Files (.WER) |
The below artifacts are related to persistence activities. Persistence is defined by MITRE as:
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
The below artifacts may prove useful in identifying instances of persistence on an endpoint:
Artifact Type | Artifact |
---|---|
Registry | Run/RunOnce Keys |
Eventlog | TaskScheduler/Operational Log |
Filesystem | Scheduled Task Files |
Eventlog | Security/4720: A user account was created |
Eventlog | WMI-Activity/Operational/5861: New WMI Event Consumer |
Registry | Image File Execution Options |
Eventlog | Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started |
Registry | Services Registry Keys |
Eventlog | Security/7045: Service Installed |
The below artifacts are related to lateral movement activities. Lateral movement is defined by MITRE as:
techniques that adversaries use to enter and control remote systems on a network.
The below artifacts may prove useful in identifying instances of lateral movement to or from an endpoint: