Skip to main content

Windows Artifacts

Forensic artifacts for Windows systems

📄️Amcache

Windows execution tracker

📄️Application Crashes

Windows Application Crashes

📄️BAM

Background Activities Manager

📄️BITS

The Background Intelligent Transer Service (BITS)

📄️BITS Job Event

Windows BITS Job events

📄️Active Directory Certs

Windows Active Directory Certificates

📄️Chocolatey

Chocolatey packages

📄️Connections

Windows network connections

📄️Crash Event

Windows Application Crash events

📄️Defender Quarantine

Windows Defender Quarantine events

📄️Extensible Storage Engine

Extensible Storage Engine (ESE) database

📄️EventLog Providers

Windows EventLog Providers

📄️Event Logs

Primary source of logs on Windows

📄️Files

Windows file metadata

📄️Firewall Rules

Windows Firewall Rules

📄️Jumplists

Tracks files opened by applications in Windows Taskbar

📄️Logons

Windows Logon events

📄️MFT

Windows Master File Table

📄️Most Recently Used

Most Recently Used entries

📄️MSI Installed

Windows MSI installed events

📄️Outlook

Windows Email Client

📄️PCA

Program Compatability Assistant

📄️Portable Executable

The native executable format for Windows

📄️PowerShell History

PowerShell history entries

📄️Prefetch

Tracks execution of files on workstations

📄️Processes

Windows process metadata

📄️Process Tree

Windows process trees

📄️Raw Files

Windows NTFS file metadata

📄️RDP

Windows RDP Logon events

📄️RecycleBin

Windows files in the RecycleBin

📄️Registry

Primary source of Windows configuration settings

📄️Registry Run Keys

Windows Registry Run Keys - windows - registry

📄️Scriptblocks

Windows Scriptblock events

📄️Search

The Windows Search database

📄️Service Installs

Windows Service Install events

📄️Services

Services installed on Windows

📄️Shellbags

List of directories accessed by Windows Explorer

📄️ShellItems

Windows ShellItems

📄️Shimcache

Tracks execution* of applications

📄️ShimDB

Contains shims used by applications

📄️Shortcuts

Metadata about recently opened files

📄️SRUM

System Resource Utilization Monitor (SRUM) tracks application usage

📄️SystemInfo

Windows system information

📄️Scheduled Tasks

Scheduled Tasks setup on Windows

📄️User Access Log

Windows User Access Log

📄️Updates

Windows Update History

📄️USBs

Connected USB devices

📄️UserAssist

Tracks applications executed in Windows Explorer

📄️Users

Users in the SAM Registry file

📄️UsnJrnl

Tracks file changes

📄️Velociraptor Execution

Velociraptor execution events

📄️WiFi

Windows WiFi connections

📄️WMI

The Windows Management Instrumentation (WMI) Repository

📄️WordWheel

Windows Explorer Search terms