What are artifacts in Windows (forensic evidence) and how to analyze them?

La computer forensics In Windows environments, it requires understanding how the system leaves traces of everything that happens: user activity, program execution, network connections, and configuration changes. These traces, called artifacts, are the raw material for reconstructing incidents without compromising the integrity of the evidence.

In real incidents, the forensic artifacts They allow you to create timelines, identify accounts used, detect persistence, and provide evidence admissible in court. Although the data is scattered and some volatile, there are sources in Windows that are easy to collect and extremely informative.

What are forensic artifacts in Windows and why do they matter?

A forensic artifact is any record, file, or metadata that the system automatically creates during use. In Windows, these range from Event Logs and Prefetch to the Registry, LNK, ShellBags, SRUM, and the file system's own telemetry (NTFS). Each contributes pieces of the puzzle to answer the what, who, when, from where, and with what impact.

Thanks to its analysis it is possible reconstruct chronologies (file creation/modification/deletion, application execution), associate activity with users or computers, detect persistence and lateral movement techniques, and support expert reports with solid evidence.

Event Logs: Key IDs and Paths

• Session logins: 4624 (successful), 4625 (failed), 4634/4647 (shutdown), 4648 (logon with explicit credentials), 4672 (logon with elevated privileges).
• Sensitive changes: 4719 reports changes to audit policies, useful for identifying tampering attempts.
• Services: 7034 (crash), 7035 (Start/Stop), 7036 (started/stopped), 7040 (startup type changed), 7045 and 4697 (service installed).
• RDP: 4778 (session connected/reconnected) and 4779 (disconnected), ideal for tracking Remote Desktop usage.

To filter failed startups from PowerShell, you can throw a direct consultation against the security log:

Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4625 } | Select-Object TimeCreated, Message

The native viewer (eventvwr.msc) and utilities like Full Event Log View make it easy to review this data in a readable and exportable form, something crucial for DFIR profiles that build timelines.

Prefetch: Program Execution and Time Context

The Prefetch mechanism records the execution of binaries to speed up the Boot applications. For the forensic expert, it's pure gold because it preserves traces even if the executable disappears. .pf files reside in C:\\Windows\\Prefetch\\ and its name incorporates the executable plus a path hash, which helps differentiate instances of the same app run from different locations.

• Windows XP–7: creates one .pf per run, with a limit close to 128 entries.
• Windows 8 +: integrates with SysMain (formerly Superfetch) and raises the limit to ~1024, with richer traces.
• Windows 10 / 11: Maintains integration with SysMain and provides last-run granularity.
• Windows Server: In some editions it may be disabled by default.

Common use cases: identify executed malware, demonstrate remote administration capabilities in lateral movements, or corroborate a user's actions over time. To analyze it: PECmd (Eric Zimmerman), WinPrefetchView and a quick look with PowerShell at the last writing of the .pf:

Get-ChildItem -Path C:\Windows\Prefetch -Filter *.pf | Select-Object Name, LastWriteTime

LNK Files: Shortcuts with Forensic Metadata

.lnk shortcuts reveal what was opened, from where and when, and even device details (series of USB), which is key to suspected exfiltration. You'll find LNK on the user's Desktop and in the Recents folder:

• Desktop: C:\\Users\\ \\Desktop\\
• Recent: C:\\Users\\ \\AppData\\Roaming\\Microsoft\\Windows\\Recent\\
• Other shortcuts: Start Menu and Quick Launch in the user profile.

Useful tools: LECmd to extract complete metadata (network routes, serial numbers, timestamps) and ShellBagsExplorer to complement the Explorer navigation context. With PowerShell, you can list recent items and their last modification:

Get-ChildItem -Path "C:\Users\<usuario>\AppData\Roaming\Microsoft\Windows\Recent" -Filter *.lnk | Select-Object Name, LastWriteTime

These artifacts help to attribute activity to accounts and sessions, even when the original file was moved or deleted.

Windows Registry: Persistence, USB, and User Activity

The Registry is a hierarchical warehouse System and application configuration. From it, we get automatic startups (persistence), connected devices, and lists of recent files, among others.

• Autostart (persistence): HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object *

• Unit assemblies: HKLM:\\SYSTEM\\MountedDevices

Get-ItemProperty -Path "HKLM:\SYSTEM\MountedDevices" | Select-Object *

Important: MountedDevices maps drive letters; to trace specific USBs and their history, it is best to consult USBSTOR (e.g. SYSTEM\\CurrentControlSet\\Enum\\USBSTOR).

Two essential artifacts on program execution are Shimcache (AppCompatCache) y Amcache:

• Shimcache: Indicates which binaries were present/executed, but not the exact time. Key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
• Amcache: Detailed inventory with SHA1 hashes, paths and timestamps, ideal for determining when and how A file was executed. Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppCompatFlags\Amcache

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" | Select-Object *
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppCompatFlags\Amcache" | Select-Object *

For folder navigation, the ShellBags They're a classic. They allow you to reconstruct which directories have been explored, even if they no longer exist. They're located under HKU\\ \\Software\\Microsoft\\Windows\\Shell\\BagMRU and HKU\\ \\Software\\Microsoft\\Windows\\Shell\\Bags.

Get-ItemProperty -Path "HKU:\<SID>\Software\Microsoft\Windows\Shell\BagMRU" | Select-Object *

More key artifacts in Windows: from desktop to NTFS

In addition to the above, there are complementary sources which enrich the analysis and fill gaps in the chronology.

• Hibernation and paging: hiberfil.sys and pagefile.sys may contain credentials, session remnants, and memory structures.
• UserAssist/MRU: Keys in NTUSER.DAT that show recently used programs and recently opened/saved documents.
• BAM/DAM: Background and desktop activity moderators, useful for understanding actual use of processes per user.
• Autoruns: Autostart points visible with Sysinternals Autoruns or collectible in triages (KAPE/IR-Rescue).
• Jump Lists: jump lists that reflect frequently used files/applications, another vector for attribution.

Browsers: history, cache, cookies and restore

Browsers concentrate intention and action. In IE/Edge/Chromium/Firefox we can extract browsing history, searches, cache, sessions and cookies, which contextualizes downloads, transfers or access to internal resources.

• IE/Edge (legacy): WebCacheV*.dat, Content.IE5, History.IE5
• Firefox: places.sqlite (history), downloads.sqlite (downloads), sessionstore.js (restoration)
• Chromium / Chrome: Default\History, Default\Cache
• Cookies: in user profiles for IE/Edge/Firefox/Chrome

To review these sources: BrowsingHistoryView speeds up cross-inventory; additionally, cache and cookie repositories help confirm exfiltrations via the web or the use of SaaS applications.

NTFS and File System Artifacts

The file system NTFS already granular telemetry which is crucial to knowing what happened to the files.

• $MFT: The master file table, with metadata (dates, sizes, ACLs). Analyzable with Mft2Csv and viewable with Registry Explorer.
• $UsnJrnl: volume change journal (creation/modification/deletion), very useful for detecting muestras of malware or forced deletions.
• $ LogFile: Internal NTFS transactions are key to rebuilding operations and crashes.

Tools like NTFS Journal Viewer o NTFS Log Tracker allow processing $UsnJrnl and $LogFile, while X-Ways, Autopsy or FTK provide powerful forensic viewers and filters.

USB and external devices: traceability and users

For USB, Windows stores information about vendor, product and series under SYSTEM\CurrentControlSet\Enum\USB and USBSTOR. Properties record milestones such as first installation (0064), last connection (0066), and last removal (0067) in Windows 8–10.

• Associated user: NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
• Volumes: SYSTEM\\MountedDevices and SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices
• PnP Events: System.evtx may reflect installation of drivers (e.g., 20001)

With these sources it is feasible link a USB with actions on the system (manipulated files, accessed paths) and with a specific account.

Accounts, Authentication, and RDP

The SAM database retains local account data and makes it easy to identify latest logins and password changes. For login activity, Security.evtx is the reference point with events 4624/4625, 4634/4647, 4648, 4672, and 4720 (account creation).

In Remote Desktop scenarios, control the events 4778/4779 It helps to date connections/disconnections, relate them to source addresses and cross-reference them with other artifacts such as LNK, Prefetch or SRUM.

Managing system logs and traces

Beyond the general Event Logs, Windows keeps specific records for installation, updating and maintenance.

• setupact.log: %WINDIR%\\setupact.log
• setuperr.log: %WINDIR%\\setuperr.log
• WindowsUpdate.log: %WINDIR%\\WindowsUpdate.log
• ReportingEvents.log: %WINDIR%\\SoftwareDistribution\\ReportingEvents.log
• MRT: %WINDIR%\\Debug\\mrt.log (antimalware tool runs)
• CBS.log: %WINDIR%\\Logs\\CBS\\CBS.log (Component Integrity)
• Panther: %SYSTEMROOT%\\$Windows.~BT\\Sources\\Panther\\*.log.xml and %WINDIR%\\PANTHER\\*.log.xml
• Setup API: %WINDIR%\\INF\\setupapi.dev and %WINDIR%\\INF\\setupapi.setup
• WinSAT: %WINDIR%\\Performance\\Winsat\\winsat.log
• Memory dump: %WINDIR%\\Memory.dmp

These files are very useful for corroborate system changes, driver installation and post-update statuses that explain time windows of vulnerability or key reboots.

SRUM (System Resource Usage Monitor): CPU, network, and power usage

SRUM is an ESE database that Windows updates periodically to monitor resources per application/process/service. Its main file is SRUDB.dat, located in C:\\Windows\\System32\\sru\\SRUDB.dat in Windows 8 and later.

SRUM extensions are reflected in the Registry (e.g., HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SRUM\\Extensions), indicating the data sets available according to the system. Tools such as SrumECmd (Eric Zimmerman) extract tables in CSV: AppUsage, NetworkUsages, Energy, among others.

In response to incidents, the table NetworkUsages is critical to demonstrate exfiltration. A typical case: to see that ssh.exe sent a high volume of bytes in a time interval related to a suspicious RDP session. By sorting by outgoing bytes by date, a mass transfer and link it to the user (account column) and the specific process.

Eye with There in SRUM: the timestamp It reflects the time the data was committed to the database, not necessarily the exact time it was executed. It's best to correlate SRUM with Prefetch, LNK, Event Logs, and Registry artifacts to consolidate the chronology.

Recommended tools

A well-curated toolbox makes the difference between hypothesis and testThese are especially useful on Windows:

• Eric Zimmerman Suite: PECmd/WinPrefetchView (Prefetch), LECmd (LNK), ShellBagsExplorer (ShellBags), Registry Explorer and RECmd (Registry), SrumECmd (SRUM), Timeline Explorer (chronologies).
• Autopsy & Sleuth Kit: Open source forensic disk analysis.
• FTK / EnCase / X-Ways: professional solutions for large volumes and complex cases.
• Volatility: RAM analysis (with hiberfil/pagefile dumps where appropriate).
• RegRipper: Automated extraction of critical registry keys.
• Full Event Log View y BrowsingHistoryView: Quick overview of events and browsing history.

Key Forensic Artifacts in Linux (Comparative Overview)

Although the focus is on Windows, it is convenient to have a mind map de Linux for mixed environments in organizations.

• System logs: /var/log/ (syslog, auth.log, secure) for auditing access, sudo, failures and services.
• Users and groups: /etc/passwd, /etc/shadow, /etc/group to review accounts and privileges.
• FS Metadata: times and attributes (inodes) to create creation/modification/deletion chronologies.
• Network and processes: ss/netstat, lsof, ps/top for real-time connections and activity.
• Shell history: .bash_history and variants, considering HISTCONTROL/HISTTIMEFORMAT settings.
• Conference proceedings: dumps with LiME and analysis with Volatility for volatile evidence.
• Configuration files: services, cron and package logs as additional sources.

This comparison helps to keep the thread of an incident that jumps between systems, avoiding gaps in the technical narrative.

The artifact landscape in Windows shows that every action leaves traces: from a 4625 in Security.evtx to a .pf in Prefetch, passing through LNKs with USB serial numbers, persistence keys in the Registry or network consumption in SRUM. correct acquisition, correlation between sources and cross-validation of tools, it is possible to reconstruct the history with sufficient precision for technical and legal decisions, even in the face of attackers who aggressively cover their tracks.