During an active investigation, speed matters. Knowing exactly which artifacts to collect and where to find them is the difference between catching the attacker's trail and losing it. This cheatsheet covers the essential Windows forensic artifacts organized by category, with locations, tools, and investigative value for each.
For deeper coverage of individual artifacts, see the DFIR Assist artifact library, which provides detailed analysis guides with example outputs and common attacker techniques for each artifact type.
Event Logs
Windows Event Logs are the foundation of most investigations. They record authentication events, process creation, service installations, and network activity. The three most critical log sources for DFIR are Security, Sysmon, and PowerShell.
Security Event Log
Location: %SystemRoot%\System32\winevt\Logs\Security.evtx
The Security log records authentication and authorization events. Key Event IDs to focus on during an investigation:
- 4624 — Successful logon. Check the Logon Type field: Type 3 (network), Type 10 (RDP), and Type 2 (interactive) each tell a different story
- 4625 — Failed logon. High volumes suggest brute-force or password spraying attacks
- 4672 — Special privileges assigned. Tracks when administrative tokens are granted
- 4720 / 4732 — Account creation and group membership changes. Attackers frequently create backdoor accounts
- 4688 — Process creation (when audit policy is enabled). Shows the full command line of every process started
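As an added triage example that is not from the original page or from DFIR Assist, the Python below reads Security events exported as XML (the shape `wevtutil` and Get-WinEvent's `ToXml()` produce), tallies 4624 logons by the logon types called out above and flags a 4625 source that fails against many distinct accounts. The event records are constructed samples and the spraying threshold is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon types discussed above; anything else is reported as "type<n>"
LOGON_TYPES = {2: "interactive", 3: "network", 10: "rdp"}

def parse_event(xml_text):
    """Flatten one exported Security event into {id, time, <EventData fields>}."""
    root = ET.fromstring(xml_text)
    rec = {
        "id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text
    return rec

def triage(xml_records, spray_threshold=5):
    """Count 4624 logons by (user, logon type, source) and flag 4625 sources
    that failed against many distinct accounts (password-spraying pattern)."""
    logons = Counter()
    failed_users = defaultdict(set)
    for rec in map(parse_event, xml_records):
        if rec["id"] == 4624:
            lt = int(rec.get("LogonType", -1))
            key = (rec.get("TargetUserName"), LOGON_TYPES.get(lt, f"type{lt}"), rec.get("IpAddress"))
            logons[key] += 1
        elif rec["id"] == 4625:
            failed_users[rec.get("IpAddress")].add(rec.get("TargetUserName"))
    spraying = {ip: len(u) for ip, u in failed_users.items() if len(u) >= spray_threshold}
    return logons, spraying

def _event(eid, when, **data):
    """Build a constructed sample record in the shape Get-WinEvent's ToXml() emits."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{fields}</EventData></Event>')

# Constructed sample: six failures from one host against six accounts, then two real logons
SAMPLE = [_event(4625, f"2024-01-15T10:0{i}:00Z", TargetUserName=f"user{i}", LogonType=3,
                 IpAddress="10.0.0.99") for i in range(6)]
SAMPLE += [
    _event(4624, "2024-01-15T10:30:00Z", TargetUserName="alice", LogonType=10, IpAddress="10.0.0.5"),
    _event(4624, "2024-01-15T10:31:00Z", TargetUserName="svc_backup", LogonType=3, IpAddress="10.0.0.7"),
]
```

Call `triage(SAMPLE)` to get the logon counter and the flagged sources; feed it real exported records to run the same pass over a live log.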
Sysmon Event Log
Location: %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
Sysmon provides deep visibility into process and network activity. If it's deployed, it's often the most valuable log source on the system:
- Event 1 — Process creation with full command line, parent process, and file hashes
- Event 3 — Network connections with source/destination IP and port
- Event 7 — Image loaded (DLL). Critical for detecting DLL sideloading and injection
- Event 8 — CreateRemoteThread. A strong indicator of process injection
- Event 11 — File creation. Tracks when files are written to disk
- Event 13 — Registry value set. Detects persistence mechanisms in real time
PowerShell Logs
Location: %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
PowerShell is the most abused living-off-the-land binary in modern attacks. Script Block Logging (Event 4104) is the single most valuable PowerShell artifact, as it records the full content of every script block executed — even when the attacker uses encoding or obfuscation.
- Event 4104 — Script Block Logging. Full deobfuscated script content
- Event 4103 — Module Logging. Records pipeline execution details
- Event 400/403 — Engine start/stop (legacy). Indicates PowerShell session activity
Registry Artifacts
The Windows Registry is a goldmine for forensic investigators. It stores program execution history, user activity, network connections, and persistence mechanisms. Key registry locations to examine:
UserAssist
Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Records GUI-based program execution with timestamps and run counts. Values are ROT13-encoded but trivially decoded. UserAssist reveals what programs users actually launched through the Explorer shell, making it valuable for establishing a timeline of user activity.
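Decoding a UserAssist value, as an added example that is not part of the original page: ROT13 the value name (the GUID prefix is rotated too), then unpack the 72-byte Windows 7+ value layout (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at 60). The sample value, the known-folder GUID mapping and its expansion to `%SystemRoot%\System32` are constructed assumptions.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Known-folder GUIDs that prefix UserAssist names (assumed mapping, System32 shown)
KNOWN_FOLDERS = {"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32"}

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def parse_userassist(value_name, value_data):
    """Decode one value under UserAssist\\{GUID}\\Count (Windows 7+ 72-byte layout)."""
    name = codecs.decode(value_name, "rot13")        # names are ROT13, GUID included
    for guid, folder in KNOWN_FOLDERS.items():
        name = name.replace(guid, folder)
    if len(value_data) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(value_data)}")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", value_data, 0)
    (last_run,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "program": name,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_dt(last_run) if last_run else None,  # 0 = never recorded
    }

# Constructed sample: cmd.exe launched 7 times, last at 2024-01-15 10:30 UTC
LAST_RUN = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_NAME = codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe", "rot13")
SAMPLE_DATA = (struct.pack("<4I", 0, 7, 3, 45_000) + b"\x00" * 44
               + struct.pack("<Q", dt_to_filetime(LAST_RUN)) + b"\x00" * 4)

if __name__ == "__main__":
    print(parse_userassist(SAMPLE_NAME, SAMPLE_DATA))
```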
ShimCache (AppCompatCache)
Location: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Tracks executable files that have been run or existed on the system. ShimCache stores file path, size, and last modified timestamp. It's one of the most reliable indicators that an executable was present on the system, even if the file has since been deleted.
Amcache
Location: C:\Windows\appcompat\Programs\Amcache.hve
Stores detailed information about executed programs including full path, SHA1 hash, publisher, and first execution timestamp. Amcache is particularly valuable because it records file hashes, allowing you to verify whether a suspicious binary matches known malware samples.
Run / RunOnce Keys
Locations:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
The classic persistence mechanism. Entries in these keys execute automatically at user logon (NTUSER) or system boot (SOFTWARE). Attackers routinely use these for persistence. Always cross-reference entries against known-good baselines.
File System Artifacts
The NTFS file system stores metadata that persists even after files are deleted. These artifacts are critical for timeline analysis and proving that files existed on the system.
Prefetch
Location: C:\Windows\Prefetch\*.pf
Windows creates Prefetch files for executables to speed up subsequent launches. Each .pf file records the executable name, run count, last eight execution timestamps, and files/directories accessed during the first 10 seconds of execution. Prefetch is disabled by default on SSDs in some Windows configurations, but it remains one of the most valuable execution artifacts when present.
$MFT (Master File Table)
Location: \\.\C:\$MFT
The MFT is the NTFS file system's master index. Every file and directory on the volume has an MFT entry with created, modified, accessed, and entry-modified timestamps (MACE). The MFT retains entries for deleted files until the space is reused, making it invaluable for recovering evidence of files that attackers tried to remove.
USN Journal ($UsnJrnl)
Location: \\.\C:\$Extend\$UsnJrnl:$J
The USN (Update Sequence Number) Journal records every change made to files and directories on the volume. It captures file creation, deletion, rename, data overwrite, and attribute changes. The journal is circular and can grow quite large, providing a detailed timeline of file system activity spanning days or weeks.
$I30 (Directory Index)
NTFS directory index entries can contain references to deleted files that no longer appear in directory listings. Parsing $I30 slack space can reveal filenames and timestamps of files that were present in a directory before being deleted — a technique frequently used to discover attacker tool drops.
Additional Artifacts to Collect
Beyond the core categories above, several other artifacts deserve attention during a thorough investigation:
- Scheduled Tasks (C:\Windows\System32\Tasks\) — A common persistence mechanism. Check for XML task files with suspicious execution paths
- WMI Persistence (OBJECTS.DATA) — WMI event subscriptions can execute code on triggers like system boot. Parse with tools like PyWMIPersistenceFinder
- Browser History — SQLite databases in user profile directories. Reveals download URLs, search queries, and timeline of web activity
- Windows Timeline (ActivitiesCache.db) — Records application usage, file opens, and web browsing across devices
- SRUM (C:\Windows\System32\sru\SRUDB.dat) — System Resource Usage Monitor tracks per-application network usage, CPU time, and energy consumption over 30+ days
For detailed analysis guides on each artifact, including example tool output and detection techniques, explore the DFIR Assist knowledge base.
Go Deeper with DFIR Assist
Explore our forensic artifact library for detailed analysis guides, or use our structured playbooks to run your next investigation.