Windows Forensics
Investigation
Windows systems leave extensive forensic artifacts: event logs record user and system activity, the registry stores configuration and malware persistence mechanisms, and the MFT reveals file access patterns. Eric Zimmerman's tools are essential for parsing them.
Critical Windows Artifacts
```powershell
# Event Logs (Security, System, Application)
# Location: C:\Windows\System32\winevt\Logs\
# Parse with: Event Log Explorer, EvtxECmd
EvtxECmd.exe -f Security.evtx --csv output --csvf security.csv
# Key Event IDs:
# 4624 - Successful logon
# 4625 - Failed logon
# 4672 - Special privileges assigned (admin)
# 4688 - Process creation
# 4720 - User account created

# Registry Hives
# SYSTEM: C:\Windows\System32\config\SYSTEM
# SOFTWARE: C:\Windows\System32\config\SOFTWARE
# SAM: C:\Windows\System32\config\SAM
# NTUSER.DAT: C:\Users\<user>\NTUSER.DAT
# Parse with RegRipper
rip.exe -r NTUSER.DAT -p userassist

# Prefetch (program execution history)
# Location: C:\Windows\Prefetch\
PECmd.exe -d C:\Windows\Prefetch --csv output

# MFT (Master File Table) - every file on NTFS
# Extract with FTK Imager (the file is locked on a live system), then parse with MFTECmd
# Quote the file name: unquoted, PowerShell expands $MFT as an (empty) variable
MFTECmd.exe -f '$MFT' --csv output --csvf mft.csv

# SRUM (System Resource Usage Monitor) - network usage, app runtime
# Location: C:\Windows\System32\sru\SRUDB.dat
srum-dump.exe -i SRUDB.dat -t SRUM_TEMPLATE.xlsx -o output.xlsx
```
Eric Zimmerman's Tools
Download the complete suite from https://ericzimmerman.github.io/. It includes MFTECmd, PECmd, EvtxECmd, RECmd, and more, and is essential for Windows DFIR.
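The key Event IDs listed under Critical Windows Artifacts become useful once the EvtxECmd CSV is triaged rather than read row by row. The script below is an added example, not code from the original page or from Eric Zimmerman's tools: it loads EvtxECmd-style CSV output, counts events by ID, flags a remote host with a burst of 4625 failed logons followed by a 4624 success (a password-guessing pattern worth investigating), and lists the 4672 and 4720 events that mark privileged activity. The column names (TimeCreated, EventId, Computer, UserName, RemoteHost, MapDescription) are assumed to match EvtxECmd's CSV layout, and the sample rows are constructed for the example.

```python
"""Triage of EvtxECmd CSV output for the key Security event IDs.

Added example, not from the original page or from Eric Zimmerman's tools.
Column names are assumed to follow EvtxECmd's CSV layout; sample rows are
constructed for illustration.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (assumed EvtxECmd column names, trimmed to the ones used).
SAMPLE_CSV = """TimeCreated,EventId,Computer,UserName,RemoteHost,MapDescription
2024-03-01 08:00:01.0000000,4624,WS01,CORP\\alice,10.0.0.5,Successful logon
2024-03-01 08:05:10.0000000,4625,WS01,CORP\\admin,10.0.0.77,Failed logon
2024-03-01 08:05:12.0000000,4625,WS01,CORP\\admin,10.0.0.77,Failed logon
2024-03-01 08:05:14.0000000,4625,WS01,CORP\\admin,10.0.0.77,Failed logon
2024-03-01 08:05:15.0000000,4625,WS01,CORP\\admin,10.0.0.77,Failed logon
2024-03-01 08:05:17.0000000,4625,WS01,CORP\\admin,10.0.0.77,Failed logon
2024-03-01 08:05:20.0000000,4624,WS01,CORP\\admin,10.0.0.77,Successful logon
2024-03-01 08:05:21.0000000,4672,WS01,CORP\\admin,,Special privileges assigned
2024-03-01 08:07:00.0000000,4720,WS01,CORP\\admin,,User account created
2024-03-01 09:00:00.0000000,4625,WS01,CORP\\bob,10.0.0.9,Failed logon
"""


def parse_ts(text):
    """EvtxECmd writes 7 fractional digits; strptime accepts at most 6."""
    base, _, frac = text.partition(".")
    return datetime.strptime(f"{base}.{frac[:6] or '0'}", "%Y-%m-%d %H:%M:%S.%f")


def parse_events(csv_text):
    """Load rows into plain dicts, sorted by time, with EventId as int."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "time": parse_ts(row["TimeCreated"]),
            "event_id": int(row["EventId"]),
            "computer": row["Computer"],
            "user": row["UserName"],
            "remote": row["RemoteHost"],
            "desc": row["MapDescription"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def count_by_event_id(events):
    """Quick overview: how many of each Event ID are present."""
    return Counter(e["event_id"] for e in events)


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag remote hosts with >= threshold 4625 events inside `window`, and note
    whether a 4624 from the same host followed the burst within the window."""
    by_host = defaultdict(list)
    for e in events:
        if e["event_id"] in (4624, 4625) and e["remote"]:
            by_host[e["remote"]].append(e)
    findings = []
    for host, evs in by_host.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e["time"] - start["time"] <= window]
            if len(in_window) >= threshold:
                last_fail = in_window[-1]["time"]
                success = any(
                    e["event_id"] == 4624 and last_fail < e["time"] <= start["time"] + window
                    for e in evs
                )
                findings.append({"remote": host, "first": start["time"],
                                 "count": len(in_window), "success_after": success})
                break  # one finding per host is enough for triage
    return findings


def privileged_events(events):
    """4672 (special privileges) and 4720 (account created) deserve a look every time."""
    return [e for e in events if e["event_id"] in (4672, 4720)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    print("Counts:", dict(count_by_event_id(evs)))
    for f in failed_logon_bursts(evs):
        print(f"Burst from {f['remote']}: {f['count']} failures from {f['first']}, "
              f"success afterwards: {f['success_after']}")
    for e in privileged_events(evs):
        print(f"{e['time']} {e['event_id']} {e['user']} {e['desc']}")
```

On a real case, replace SAMPLE_CSV with the contents of the security.csv that EvtxECmd produced and raise the threshold or window to match the environment's normal failed-logon rate; a burst that ends in a 4624 and is followed minutes later by 4672 and 4720 from the same account is the sequence to pivot on.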