Windows Forensics

Registry, Event Logs, Prefetch & Artifacts

Section 4 of 12

Windows Registry

What is the Registry?

Hierarchical database storing Windows configuration data, user settings, application info, and system preferences. Critical for forensic investigations.

Registry Hives

  • HKEY_LOCAL_MACHINE (HKLM) - System-wide settings
  • HKEY_CURRENT_USER (HKCU) - Current user settings
  • HKEY_USERS (HKU) - All user profiles
  • HKEY_CLASSES_ROOT - File associations
  • HKEY_CURRENT_CONFIG - Hardware profile

Registry File Locations

SYSTEM

C:\Windows\System32\config\SYSTEM

SOFTWARE

C:\Windows\System32\config\SOFTWARE

SAM

C:\Windows\System32\config\SAM

NTUSER.DAT

C:\Users\[Username]\NTUSER.DAT

Key Registry Artifacts

UserAssist

Tracks GUI-based programs run by the user. Entries are stored with ROT13-encoded names.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Contains: Program names, run count, last execution time
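Added example (not code from the original page): decoding one UserAssist value offline. It assumes the Windows 7 and later 72-byte record layout (run count at offset 4, focus count at 8, focus time at 12, last-execution FILETIME at 60); the value name and binary data are constructed for the example rather than read from a real NTUSER.DAT.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist(value_name: str, value_data: bytes) -> dict:
    """Decode one UserAssist value: ROT13 name plus the binary counter record.

    Assumed record layout (Windows 7 and later, 72 bytes): run count at
    offset 4, focus count at 8, focus time in ms at 12, last-execution
    FILETIME at offset 60. A zero FILETIME is reported as None (no recorded
    execution time).
    """
    if len(value_data) < 68:
        raise ValueError("UserAssist record too short for the Win7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
    (last_run,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run) if last_run else None,
    }


def build_sample_record(run_count, focus_count, focus_ms, last_run) -> bytes:
    """Constructed 72-byte record for offline testing (not read from a hive)."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return bytes(data)


# Constructed sample value, in the stored (ROT13) form it would have under the
# UserAssist\{GUID}\Count key.
SAMPLE_LAST_RUN = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_NAME = codecs.encode(r"C:\Windows\System32\calc.exe", "rot_13")
SAMPLE_DATA = build_sample_record(3, 2, 45_000, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    print("stored name:", SAMPLE_NAME)
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
```

Run the script directly to see the stored name alongside the decoded record. When applied to real hive data, feed each value name and its raw binary data from the Count subkey into decode_userassist; timestamps come out in UTC, so convert to the system's local time zone before lining them up with other artifacts.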

RecentDocs

Tracks recently opened documents and their locations.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Shows: File names, extensions, last access times

Run Keys (AutoStart)

Programs configured to run at startup - common persistence mechanism for malware.

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Critical for: Malware persistence, autoruns analysis

MRU Lists (Most Recently Used)

Tracks various user activities like typed URLs, search terms, opened files.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Reveals: User behavior, file interactions, typed paths

Windows Event Logs

Event logs record system, security, and application events. Located at: C:\Windows\System32\winevt\Logs\

Security.evtx

Authentication, logon/logoff events, privilege use

4624: Successful logon

4625: Failed logon

4672: Admin logon

4720: User created

System.evtx

System events, service starts/stops, driver issues

6005: System startup

6006: System shutdown

7036: Service status

7045: Service installed

Application.evtx

Application errors, warnings, and information

1000: App crash

1001: App hang

1002: App error

Varies by application

Analyzing Event Logs

Tools:

  • Event Viewer (built-in)
  • Event Log Explorer
  • Log Parser
  • Chainsaw (Rust-based)

Focus Areas:

  • Failed login attempts
  • Privilege escalation
  • Account creation/deletion
  • Service installations
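Added example (not part of the original page): a small triage pass over the focus areas above, using the event IDs listed in the Security.evtx and System.evtx tables. The event records are constructed for the example; in practice the same fields would come from an Event Viewer export, Log Parser or Chainsaw output. The threshold of five failed logons within five minutes is an assumption chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the Security.evtx / System.evtx tables above.
FAILED_LOGON, LOGON, ADMIN_LOGON, USER_CREATED, SERVICE_INSTALLED = 4625, 4624, 4672, 4720, 7045

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:00:01", "id": 4625, "user": "jdoe", "src": "10.0.0.45"},
    {"time": "2024-03-01T08:00:09", "id": 4625, "user": "jdoe", "src": "10.0.0.45"},
    {"time": "2024-03-01T08:00:17", "id": 4625, "user": "jdoe", "src": "10.0.0.45"},
    {"time": "2024-03-01T08:00:25", "id": 4625, "user": "jdoe", "src": "10.0.0.45"},
    {"time": "2024-03-01T08:00:33", "id": 4625, "user": "jdoe", "src": "10.0.0.45"},
    {"time": "2024-03-01T08:00:41", "id": 4625, "user": "jdoe", "src": "10.0.0.45"},
    {"time": "2024-03-01T08:01:10", "id": 4624, "user": "jdoe", "src": "10.0.0.45"},
    {"time": "2024-03-01T08:02:00", "id": 4672, "user": "jdoe", "src": "10.0.0.45"},
    {"time": "2024-03-01T08:03:00", "id": 4720, "user": "svc_backup", "src": "-"},
    {"time": "2024-03-01T08:04:00", "id": 7045, "user": "-", "src": "-",
     "service": "UpdaterSvc", "image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"time": "2024-03-01T09:00:00", "id": 4624, "user": "alice", "src": "10.0.0.7"},
]


def triage(events, threshold=5, window=timedelta(minutes=5)):
    """Walk events in time order and return a list of findings worth review."""
    findings = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent 4625s
    burst_users = set()            # users that crossed the failed-logon threshold
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["src"])
        recent = [x for x in failures[key] if t - x <= window]
        if ev["id"] == FAILED_LOGON:
            recent.append(t)
            if len(recent) == threshold:   # fire once when the threshold is reached
                findings.append({"type": "failed_logon_burst", "user": ev["user"],
                                 "src": ev["src"], "time": t})
                burst_users.add(ev["user"])
        elif ev["id"] == LOGON and len(recent) >= threshold:
            # A success right after a burst of failures: possible password guessing.
            findings.append({"type": "logon_after_failures", "user": ev["user"],
                             "src": ev["src"], "failures": len(recent), "time": t})
        elif ev["id"] == ADMIN_LOGON and ev["user"] in burst_users:
            findings.append({"type": "admin_logon_after_burst", "user": ev["user"], "time": t})
        elif ev["id"] == USER_CREATED:
            findings.append({"type": "account_created", "user": ev["user"], "time": t})
        elif ev["id"] == SERVICE_INSTALLED:
            findings.append({"type": "service_installed", "service": ev.get("service"),
                             "image": ev.get("image"), "time": t})
        failures[key] = recent
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The lone 4624 for alice produces no finding, which is the point of keying failures by user and source: ordinary logons stay out of the result and only the sequence failures, success, admin privileges, new account, new service is surfaced for the analyst.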

Prefetch Files

What are Prefetch Files?

Windows performance feature that tracks application execution. Creates .pf files to speed up program loading.

Forensic Value: Proves program execution, timestamps, run count

Location

C:\Windows\Prefetch\

Files: [EXECUTABLE]-[HASH].pf

What's Stored

  • Application name
  • Run count (first 8 executions)
  • Last 8 execution timestamps
  • Files/directories accessed

Parsing Prefetch

Tools for analysis:

  • PECmd (Eric Zimmerman)

    Command-line Prefetch parser

  • WinPrefetchView

    GUI-based viewer

  • Autopsy

    Integrated Prefetch parsing
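Added example (not the page's code and not taken from PECmd or any other tool listed): pulling the executable name, hash, run count and last-run timestamps out of an uncompressed Prefetch file. The field offsets per format version (17 for XP, 23 for Windows 7, 26 for Windows 8.x) are assumptions stated in the code; Windows 10 files (version 30) carry an extra MAM compression layer that this example deliberately refuses rather than handles. The sample file is constructed in memory, not captured from a system.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed offsets in the uncompressed Prefetch file, per format version:
# (offset of the last-run FILETIME array, number of entries, offset of run count).
# 17 = XP, 23 = Windows 7, 26 = Windows 8.x. Version 30 (Windows 10) is
# MAM/LZXPRESS-compressed and must be decompressed before this parser applies.
LAYOUTS = {17: (120, 1, 144), 23: (128, 1, 152), 26: (128, 8, 208)}


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data: bytes) -> dict:
    """Extract executable name, hash, run count and last-run times from a .pf image."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch: decompress first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature")
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch version {version}")
    # Executable name: 60-byte UTF-16LE field at offset 16, null terminated.
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    ft_offset, ft_count, rc_offset = LAYOUTS[version]
    raw_times = struct.unpack_from(f"<{ft_count}Q", data, ft_offset)
    (run_count,) = struct.unpack_from("<I", data, rc_offset)
    return {
        "version": version,
        "executable": name,
        "hash": f"{pf_hash:08X}",
        "expected_filename": f"{name}-{pf_hash:08X}.pf",   # the [EXECUTABLE]-[HASH].pf naming
        "run_count": run_count,
        "last_runs": [filetime_to_datetime(t) for t in raw_times if t],  # unused slots are zero
    }


def build_sample_prefetch(version, name, pf_hash, run_count, run_times) -> bytes:
    """Constructed minimal prefetch image for offline testing (not a real file)."""
    ft_offset, ft_count, rc_offset = LAYOUTS[version]
    data = bytearray(256)
    struct.pack_into("<I4s", data, 0, version, b"SCCA")
    struct.pack_into("<I", data, 12, len(data))
    name_b = name.encode("utf-16-le")
    data[16:16 + len(name_b)] = name_b
    struct.pack_into("<I", data, 76, pf_hash)
    for i, t in enumerate(run_times[:ft_count]):
        struct.pack_into("<Q", data, ft_offset + 8 * i, datetime_to_filetime(t))
    struct.pack_into("<I", data, rc_offset, run_count)
    return bytes(data)


# Constructed sample: 12 runs recorded, but only the last 8 timestamps survive.
SAMPLE_RUNS = [datetime(2024, 2, 1, 9, 0, tzinfo=timezone.utc) + timedelta(days=i) for i in range(8)]
SAMPLE_PF = build_sample_prefetch(26, "CALC.EXE", 0x1A2B3C4D, 12, SAMPLE_RUNS)

if __name__ == "__main__":
    print(parse_prefetch(SAMPLE_PF))
```

The sample shows the distinction the list above makes: the run count keeps climbing while the timestamp ring holds only the last eight executions, so an execution older than those eight is provable only from the count, not from a timestamp.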

Forensic Use Cases

  • Prove malware execution
  • Establish timeline of activity
  • Identify file access patterns
  • Detect deleted programs

LNK Files & Jump Lists

LNK Files (Shortcuts)

What They Contain

  • Target file path and location
  • MAC timestamps
  • Volume serial number
  • Network share information
  • Command-line arguments

Locations

Recent Items:

C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Recent\

Desktop Shortcuts:

C:\Users\[User]\Desktop\

Jump Lists

Windows 7+ feature tracking recently accessed files per application. Appears in taskbar right-click menus.

AutomaticDestinations

\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\

Automatically generated jump lists

CustomDestinations

\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\

User-pinned items

USN Journal & Volume Shadow Copies

USN Journal (Update Sequence Number)

Change log that records all file system modifications. Part of NTFS, tracks creates, deletes, renames, and modifications.

What's Tracked

  • File creation/deletion
  • Rename operations
  • Security changes
  • Data modifications

Location

$Extend\$UsnJrnl:$J

$J is an alternate data stream of the $UsnJrnl file in the $Extend directory on NTFS
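Added example (not from the original page): a parser for the USN_RECORD_V2 entries that make up the $J stream, covering the create, rename, security and data-change reasons listed above and the zero runs that pad the sparse stream. The structure layout and the USN_REASON_* flag values are those of the Windows SDK; the journal buffer itself is constructed for the example, and the MFT reference numbers and USN values in it are arbitrary.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# USN_REASON_* flag values (subset) from the Windows SDK.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2 fixed part: RecordLength, MajorVersion, MinorVersion, FileRef,
# ParentRef, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset (60 bytes); the UTF-16LE file name follows.
RECORD_FMT = "<IHHQQQQIIIIHH"
RECORD_FIXED = struct.calcsize(RECORD_FMT)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_reasons(reason: int) -> list:
    return [name for bit, name in sorted(REASON_FLAGS.items()) if reason & bit]


def parse_usn_journal(buf: bytes) -> list:
    """Walk a $J buffer, skipping the zero padding of the sparse stream."""
    records, off = [], 0
    while off + RECORD_FIXED <= len(buf):
        (length,) = struct.unpack_from("<I", buf, off)
        if length == 0:
            off += 8                      # zero slot: advance to the next 8-byte boundary
            continue
        if length < RECORD_FIXED or off + length > len(buf):
            raise ValueError(f"corrupt record length {length} at offset {off}")
        (_, major, _minor, file_ref, parent_ref, usn, ts, reason, _src, _sid,
         _attrs, name_len, name_off) = struct.unpack_from(RECORD_FMT, buf, off)
        if major != 2:
            raise ValueError(f"unsupported USN_RECORD version {major}")
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "name": name,
            "mft_entry": file_ref & 0xFFFFFFFFFFFF,    # low 48 bits of the reference
            "mft_sequence": file_ref >> 48,            # high 16 bits
            "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
            "reasons": decode_reasons(reason),
        })
        off += length
    return records


def build_record(usn, file_ref, parent_ref, ts, reason, name) -> bytes:
    """Constructed USN_RECORD_V2 for offline testing (not captured from a volume)."""
    name_b = name.encode("utf-16-le")
    length = RECORD_FIXED + len(name_b)
    length += (-length) % 8               # records are 8-byte aligned
    rec = bytearray(length)
    struct.pack_into(RECORD_FMT, rec, 0, length, 2, 0, file_ref, parent_ref, usn,
                     datetime_to_filetime(ts), reason, 0, 0, 0x20, len(name_b), RECORD_FIXED)
    rec[RECORD_FIXED:RECORD_FIXED + len(name_b)] = name_b
    return bytes(rec)


# Constructed journal: create, write, rename, delete of one file, with a zero run in between.
T0 = datetime(2024, 4, 2, 14, 0, tzinfo=timezone.utc)
FILE_REF = (5 << 48) | 0x1234             # MFT entry 0x1234, sequence 5 (arbitrary)
PARENT_REF = (1 << 48) | 0x0005
SAMPLE_J = b"".join([
    build_record(1000, FILE_REF, PARENT_REF, T0, 0x100, "report.docx"),
    build_record(1088, FILE_REF, PARENT_REF, T0 + timedelta(seconds=1), 0x2 | 0x80000000, "report.docx"),
    bytes(16),
    build_record(1200, FILE_REF, PARENT_REF, T0 + timedelta(minutes=3), 0x1000, "report.docx"),
    build_record(1288, FILE_REF, PARENT_REF, T0 + timedelta(minutes=3), 0x2000, "report_final.docx"),
    build_record(1376, FILE_REF, PARENT_REF, T0 + timedelta(hours=1), 0x200 | 0x80000000, "report_final.docx"),
])

if __name__ == "__main__":
    for r in parse_usn_journal(SAMPLE_J):
        print(r["timestamp"], r["name"], r["reasons"])
```

Grouping the output by mft_entry rather than by name is what lets the rename be followed: report.docx and report_final.docx share the entry and sequence, so the delete at the end can be tied back to the original creation even though the name changed.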

Volume Shadow Copies (VSS)

Point-in-time snapshots of volumes. Can contain deleted files, previous versions, and historical data.

Forensic Value

  • Recover deleted files
  • View previous file versions
  • Access historical Registry
  • Timeline reconstruction

Accessing VSS

# List shadow copies

vssadmin list shadows

# Mount shadow copy

mklink /d C:\VSS \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\