The Complete Guide to Windows Artifact Collection: From Prefetch to USN Journal

unJaena Team
April 5, 2026 · 15 min read

The Complete Guide to Windows Artifact Collection#

In digital forensics, an artifact is trace data automatically generated by the operating system and applications during normal operation. Windows systems produce a vast amount of artifacts related to user activity, and systematically collecting and analyzing these is the core of forensic investigation.

1. Prefetch Files#

Overview#

Prefetch files are created by Windows to speed up application loading. Each time a program runs, Windows records that program's loading information in its Prefetch file.

Location#

C:\Windows\Prefetch\*.pf

Forensic Value#

  • Program execution evidence: Determine when and how many times a specific program was executed
  • First execution time: Identify when a program was first run
  • Last execution time: Confirm the most recent execution
  • Execution count: Total number of runs recorded
  • Referenced file list: Files and DLLs accessed during program execution

Analysis Points#

Particularly useful information for malware analysis:

  • Suspicious executables (e.g., POWERSHELL.EXE or CMD.EXE executed at abnormal times)
  • Execution traces of deleted programs (the Prefetch file remains even after the executable is deleted)
  • Ransomware execution timeline reconstruction

2. Windows EventLog#

Overview#

Windows Event Log is the centralized logging system that records system, security, and application events.

Location#

C:\Windows\System32\winevt\Logs\*.evtx

Key Log Files#

Log File                       | Contents                                     | Key Event IDs
Security.evtx                  | Authentication, account management, auditing | 4624, 4625, 4648, 4720
System.evtx                    | Services, drivers, system events             | 7034, 7036, 7045, 6005
Application.evtx               | Application errors, warnings                 | 1000, 1001, 1002
PowerShell/Operational.evtx    | PowerShell command execution history         | 4104, 4103
TaskScheduler/Operational.evtx | Scheduled task execution records             | 106, 200, 201

Critical Event IDs for Security Analysis#

  • 4624: Successful login (includes logon type)
  • 4625: Failed login attempt (brute force attack detection)
  • 4648: Login using explicit credentials (pass-the-hash detection)
  • 4720: New account creation (backdoor account detection)
  • 7045: New service installation (malicious service detection)
  • 4104: PowerShell script block logging (malicious script detection)
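As an added example (not code from the original article), the following Python applies the 4625/4624 reasoning above to a constructed logon event export: it finds source addresses producing a storm of failed logons, and flags a successful logon that follows such a storm from the same address. The events are constructed dictionaries; the field names (EventID, TimeCreated, TargetUserName, IpAddress, LogonType) are assumptions about what a JSON export of Security.evtx would carry, and real exports contain many more fields.

```python
"""Brute-force-then-success check over Security.evtx logon events (4624/4625).
Added example, not the article's code. The events are constructed dicts shaped
like a JSON export of those two event IDs; the field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types carried in Event ID 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

def _ev(eid, ts, user, ip, ltype):
    return {"EventID": eid, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "LogonType": ltype}

# Constructed sample: six failures from one address in 40 seconds, then a success
# from the same address; a separate user with one mistyped password is benign.
SAMPLE_EVENTS = [
    _ev(4625, "2026-04-05T02:10:01", "admin", "203.0.113.7", 3),
    _ev(4625, "2026-04-05T02:10:09", "admin", "203.0.113.7", 3),
    _ev(4625, "2026-04-05T02:10:18", "admin", "203.0.113.7", 3),
    _ev(4625, "2026-04-05T02:10:25", "admin", "203.0.113.7", 3),
    _ev(4625, "2026-04-05T02:10:33", "admin", "203.0.113.7", 3),
    _ev(4625, "2026-04-05T02:10:40", "admin", "203.0.113.7", 3),
    _ev(4624, "2026-04-05T02:10:52", "admin", "203.0.113.7", 3),
    _ev(4625, "2026-04-05T08:30:10", "alice", "192.0.2.5", 10),
    _ev(4624, "2026-04-05T08:30:31", "alice", "192.0.2.5", 10),
]

def _t(e):
    return datetime.fromisoformat(e["TimeCreated"])

def failure_counts(events, window=timedelta(minutes=5), threshold=5):
    """Brute-force candidates: addresses with >= threshold 4625 events inside
    any sliding window of the given length. Returns {ip: max failures seen}."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append(_t(e))
    flagged = {}
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def bruteforce_successes(events, window=timedelta(minutes=5), threshold=5):
    """A 4624 from an address that produced >= threshold 4625s in the preceding
    window: the failure storm is what separates it from an ordinary logon."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=_t):
        t, ip = _t(e), e["IpAddress"]
        if e["EventID"] == 4625:
            failures[ip].append(t)
        elif e["EventID"] == 4624:
            recent = [f for f in failures[ip] if t - f <= window]
            if len(recent) >= threshold:
                hits.append({"ip": ip, "user": e["TargetUserName"], "time": e["TimeCreated"],
                             "failures_before": len(recent),
                             "logon_type": LOGON_TYPES.get(e["LogonType"], str(e["LogonType"]))})
    return hits

if __name__ == "__main__":
    print(failure_counts(SAMPLE_EVENTS))      # {'203.0.113.7': 6}
    for h in bruteforce_successes(SAMPLE_EVENTS):
        print(h)
```

Both checks sort by TimeCreated first, so records from several exported logs can be merged before analysis. The logon type is kept in the finding because a network (type 3) or RemoteInteractive (type 10) success after a storm reads very differently from a console logon.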

3. Windows Registry#

Overview#

The Registry is Windows' centralized configuration database, storing system settings, user environment, and software configuration in a hierarchical structure.

Key Hive File Locations#

SYSTEM:       C:\Windows\System32\config\SYSTEM
SOFTWARE:     C:\Windows\System32\config\SOFTWARE
SAM:          C:\Windows\System32\config\SAM
SECURITY:     C:\Windows\System32\config\SECURITY
NTUSER.DAT:   C:\Users\<username>\NTUSER.DAT
UsrClass.dat: C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

Key Registry Keys for Forensics#

Autorun (Persistence Detection):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SYSTEM\CurrentControlSet\Services

USB Device History:

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKLM\SYSTEM\CurrentControlSet\Enum\USB
HKLM\SYSTEM\MountedDevices

Recent Document Access:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

Network Connection History:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures

4. $MFT (Master File Table)#

Overview#

$MFT is the core metadata structure of the NTFS file system, containing records for every file and directory on the volume.

Location#

$MFT in the volume root (hidden system file)

Forensic Value#

  • File existence evidence: If a deleted file's $MFT record remains, it proves the file existed
  • Timestamp analysis: Four timestamps for creation, modification, access, and MFT change
  • $STANDARD_INFORMATION vs $FILE_NAME: Discrepancies between these two attribute timestamps can indicate timestamp forgery
  • File size changes: Track how a file was modified over time
  • Alternate Data Streams (ADS): Detect hidden data

Timestamp Analysis Techniques#

Each file record in $MFT contains two sets of timestamps:

Attribute             | Created | Modified | Accessed | MFT Modified
$STANDARD_INFORMATION | SI_C    | SI_M     | SI_A     | SI_E
$FILE_NAME            | FN_C    | FN_M     | FN_A     | FN_E

Rules for detecting timestamp forgery:

  • FN_C > SI_C: If the $FILE_NAME creation time is later than the $STANDARD_INFORMATION creation time, possible forgery
  • SI_C > SI_M: If creation time is later than modification time, abnormal
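The two rules above can be applied directly to parsed $MFT records. The Python below is an added example, not the article's code: it parses a single NTFS FILE record (applying the update-sequence fixups a real record carries), extracts both timestamp sets from $STANDARD_INFORMATION and $FILE_NAME, and runs the rules. The record it parses is constructed in memory rather than read from a volume; the page's "MFT Modified" column is the E value here, and the NTFS on-disk order of the four timestamps (created, modified, MFT-changed, accessed) is handled in the parser.

```python
"""Parse one NTFS $MFT FILE record and apply the $STANDARD_INFORMATION vs
$FILE_NAME timestamp rules from the text. Added example, not the article's code.
The FILE record is constructed in memory, not read from a volume."""
import struct
from datetime import datetime, timedelta, timezone

ATTR_SI, ATTR_FN, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def apply_fixups(record, sector=512):
    """Undo the update sequence array: on disk the last 2 bytes of each sector
    hold the USN; the original bytes live in the fixup array named at offset 4."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    data = bytearray(record)
    for i in range(1, usa_count):
        end = i * sector
        if data[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        data[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(data)

def _times(body, base):
    c, m, e, a = struct.unpack_from("<QQQQ", body, base)   # NTFS order: C, M, E, A
    return {"C": filetime_to_dt(c), "M": filetime_to_dt(m),
            "A": filetime_to_dt(a), "E": filetime_to_dt(e)}

def parse_record(raw):
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    off = struct.unpack_from("<H", rec, 0x14)[0]            # first attribute offset
    out = {"si": None, "fn": None, "name": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                                # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_SI:
                out["si"] = _times(body, 0)
            elif atype == ATTR_FN:
                out["fn"] = _times(body, 8)                  # after the 8-byte parent reference
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return out

def timestamp_anomalies(rec):
    """The two rules from the text; both point at $SI having been rewritten."""
    si, fn = rec["si"], rec["fn"]
    findings = []
    if fn["C"] > si["C"]:
        findings.append("FN_C > SI_C")
    if si["C"] > si["M"]:
        findings.append("SI_C > SI_M")
    return findings

def _resident(atype, content):
    total = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return hdr + content + b"\0" * (total - 0x18 - len(content))

def build_record(si, fn, name="invoice.exe", usn=b"\x07\x00"):
    """Constructed 1024-byte FILE record: header, fixup array, $SI, $FN, end marker."""
    ft = lambda d: [dt_to_filetime(d[k]) for k in ("C", "M", "E", "A")]
    si_body = struct.pack("<QQQQ", *ft(si)) + b"\0" * 16
    fn_body = (struct.pack("<Q", 5) + struct.pack("<QQQQ", *ft(fn))
               + struct.pack("<QQII", 0, 0, 0x20, 0) + bytes([len(name), 1]) + name.encode("utf-16-le"))
    attrs = _resident(ATTR_SI, si_body) + _resident(ATTR_FN, fn_body) + struct.pack("<I", END_MARKER)
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1,
                                0x38 + len(attrs), 1024, 0, 3, 0, 42)
    rec = bytearray(hdr + b"\0" * 8 + attrs)
    rec += b"\0" * (1024 - len(rec))
    rec[0x30:0x32] = usn
    for i, end in ((1, 512), (2, 1024)):                     # save originals, stamp USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)

def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def demo():
    """Constructed records: an untouched file, then one whose $SI was backdated
    (the usual timestomping pattern, which leaves $FN alone)."""
    fn = {"C": _utc("2026-03-01T09:00:00"), "M": _utc("2026-03-02T10:00:00"),
          "A": _utc("2026-03-02T10:00:00"), "E": _utc("2026-03-02T10:00:00")}
    backdated = {"C": _utc("2019-01-01T00:00:00"), "M": _utc("2019-01-01T00:00:00"),
                 "A": _utc("2019-01-01T00:00:00"), "E": _utc("2026-04-05T02:11:00")}
    clean = parse_record(build_record(fn, fn))
    stomped = parse_record(build_record(backdated, fn))
    return timestamp_anomalies(clean), timestamp_anomalies(stomped), stomped["name"]

if __name__ == "__main__":
    print(demo())   # ([], ['FN_C > SI_C'], 'invoice.exe')
```

Skipping apply_fixups is the classic mistake in home-grown MFT parsers: two bytes at each sector boundary would be read as the USN rather than the real data, which silently corrupts any attribute that straddles the 512-byte boundary.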

5. USN Journal (Update Sequence Number Journal)#

Overview#

The USN Journal is a change journal that chronologically records changes to files and directories on an NTFS volume.

Location#

$Extend\$UsnJrnl:$J (Alternate Data Stream)

Forensic Value#

  • File change history: Records all changes including file creation, deletion, renaming, and content modification
  • Anti-forensics detection: Detect attempts to delete and overwrite files
  • Ransomware activity: Mass file rename patterns (e.g., adding .encrypted extension)
  • Data exfiltration: Detect mass file copy/move during specific time periods

Recorded Change Types#

FILE_CREATE - File creation
FILE_DELETE - File deletion
DATA_OVERWRITE - Data overwrite
DATA_EXTEND - Data extension
DATA_TRUNCATION - Data truncation
RENAME_OLD_NAME - Rename (old name)
RENAME_NEW_NAME - Rename (new name)
SECURITY_CHANGE - Security attribute change
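As an added example (not the article's code), the following Python parses USN_RECORD_V2 entries as they appear in the $J stream, decodes the reason bits listed above, and implements the ransomware check described under Forensic Value: a burst of RENAME_NEW_NAME records giving many distinct files the same new extension within a short window. The journal bytes are constructed in memory rather than carved from a volume; the record layout and reason values are those of the Windows SDK.

```python
"""Parse USN_RECORD_V2 entries from $UsnJrnl:$J and flag a ransomware-style
burst of renames to one new extension. Added example, not the article's code;
the journal bytes are constructed here, not carved from a volume."""
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# USN reason bits (subset of the Windows SDK USN_REASON_* values)
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x800: "SECURITY_CHANGE",
           0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def decode_reason(mask):
    return [name for bit, name in REASONS.items() if mask & bit]

def parse_usn_v2(data):
    """Walk consecutive V2 records; a zero RecordLength ends the run (the $J
    stream is sparse, so dumps of it contain long zero regions)."""
    off, out = 0, []
    while off + 0x3C <= len(data):
        reclen, major = struct.unpack_from("<IH", data, off)
        if reclen == 0:
            break
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}")
        fref, _pref, usn, ts, reason, _src, _sid, _attr, nlen, noff = \
            struct.unpack_from("<QQQQIIIIHH", data, off + 8)
        out.append({"usn": usn, "time": filetime_to_dt(ts), "reason": reason,
                    "reasons": decode_reason(reason),
                    "file_ref": fref & 0xFFFFFFFFFFFF,   # low 48 bits = MFT entry number
                    "name": data[off + noff:off + noff + nlen].decode("utf-16-le")})
        off += reclen
    return out

def rename_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Flag any new extension applied to >= threshold distinct files within window."""
    by_ext = defaultdict(list)
    for r in records:
        if r["reason"] & 0x2000 and "." in r["name"]:
            by_ext[r["name"].rsplit(".", 1)[1].lower()].append((r["time"], r["file_ref"]))
    alerts = []
    for ext, items in by_ext.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            refs = {ref for t, ref in items[i:] if t - t0 <= window}
            if len(refs) >= threshold:
                alerts.append({"ext": ext, "first_seen": t0, "files": len(refs)})
                break
    return alerts

def _record(usn, ts, reason, name, fref, pref=5):
    enc = name.encode("utf-16-le")
    reclen = (0x3C + len(enc) + 7) & ~7                      # records are 8-byte aligned
    hdr = struct.pack("<IHHQQQQIIIIHH", reclen, 2, 0, fref, pref, usn,
                      dt_to_filetime(ts), reason, 0, 0, 0x20, len(enc), 0x3C)
    return hdr + enc + b"\0" * (reclen - 0x3C - len(enc))

def build_sample_journal():
    """Constructed $J content: one benign rename, a ransom note, six encrypted files."""
    base = datetime(2026, 4, 5, 2, 11, 0, tzinfo=timezone.utc)
    recs, usn = [], 0x1000
    def add(ts, reason, name, fref):
        nonlocal usn
        recs.append(_record(usn, ts, reason, name, fref))
        usn += 0x80
    add(base, 0x1000, "~WRD0001.tmp", 200)
    add(base, 0x2000 | 0x80000000, "report.docx", 200)
    add(base + timedelta(seconds=5), 0x100 | 0x80000000, "README_RESTORE.txt", 300)
    for i in range(6):
        t = base + timedelta(seconds=6 + 4 * i)
        add(t, 0x1000, f"doc{i}.xlsx", 400 + i)
        add(t, 0x2000 | 0x80000000, f"doc{i}.xlsx.encrypted", 400 + i)
    return b"".join(recs)

if __name__ == "__main__":
    recs = parse_usn_v2(build_sample_journal())
    for r in recs:
        print(r["time"].isoformat(), r["name"], "+".join(r["reasons"]))
    print(rename_bursts(recs))
```

The $J stream on NTFS normally holds V2 records; V3 (128-bit file references) and V4 (range tracking) records exist and are rejected here rather than misparsed. Grouping on file_ref rather than name keeps the count honest when a file is renamed twice, and the same pass over RENAME_OLD_NAME records gives the original names for the timeline.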

6. Browser Artifacts#

Collection Targets#

Collect the following files from each browser's profile directory:

Chrome/Edge (Chromium-based):

%LocalAppData%\Google\Chrome\User Data\Default\
  - History (browsing history, download records)
  - Cookies
  - Login Data (saved credentials)
  - Web Data (autofill data)
  - Bookmarks
  - Preferences

Firefox:

%AppData%\Mozilla\Firefox\Profiles\<profile>\
  - places.sqlite (browsing history, bookmarks)
  - cookies.sqlite
  - formhistory.sqlite
  - logins.json + key4.db

Forensic Applications#

  • Phishing site access records: Verify visits to malicious URLs
  • File download paths: Trace malware download sources
  • Search history: Understand user intent (e.g., "how to delete evidence")
  • Autofill data: Recover entered information
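The Chromium History file is a SQLite database, so the forensic applications above reduce to queries plus a timestamp conversion. The Python below is an added example, not the article's code: it converts WebKit timestamps (and Firefox PRTime values), lists downloads together with the URL chain that records where each file really came from, pulls search terms, and filters visits by a domain pattern. It builds a constructed in-memory database using a subset of the real History schema (the real tables carry many more columns), so it runs offline; open_history() opens a copied History file read-only for real data.

```python
"""Query a Chromium (Chrome/Edge) History database for visits, search terms and
download sources, converting WebKit timestamps. Added example, not the article's
code. build_sample_db() constructs a subset of the real schema in memory."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_dt(us):
    """Chromium timestamps: microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def dt_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def prtime_to_dt(us):
    """Firefox places.sqlite (PRTime): microseconds since 1970-01-01 UTC."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)

# Subset of the Chromium History schema (constructed; real tables have more columns).
SCHEMA = """
CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                  typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER, term TEXT,
                  normalized_term TEXT);
CREATE TABLE downloads(id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
                  start_time INTEGER, end_time INTEGER, received_bytes INTEGER,
                  total_bytes INTEGER, state INTEGER, referrer TEXT, tab_url TEXT);
CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT,
                  PRIMARY KEY(id, chain_index));
"""

def open_history(path):
    """Open a *copied* History file read-only; the live file is locked by the browser."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def build_sample_db():
    """Constructed History content standing in for a collected profile."""
    t = lambda s: dt_to_webkit(datetime.fromisoformat(s).replace(tzinfo=timezone.utc))
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://mail.example.com/", "Webmail", 12, 3, t("2026-04-04T17:02:10"), 0),
        (2, "https://login-example.example.net/verify", "Sign in", 1, 0, t("2026-04-04T17:05:41"), 0),
        (3, "https://www.google.com/search?q=how+to+delete+evidence",
         "how to delete evidence - Google Search", 1, 0, t("2026-04-05T02:40:03"), 0),
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (2, 3, "how to delete evidence", "how to delete evidence"))
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?)",
                 (1, r"C:\Users\alice\Downloads\invoice.exe", r"C:\Users\alice\Downloads\invoice.exe",
                  t("2026-04-04T17:06:02"), t("2026-04-04T17:06:09"), 481792, 481792, 1,
                  "https://login-example.example.net/verify", "https://login-example.example.net/verify"))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://login-example.example.net/get?id=9913"),
        (1, 1, "https://cdn.example.org/files/invoice.exe"),
    ])
    conn.commit()
    return conn

def downloads(conn):
    """Each download with the first and final URL of its chain (redirects included)."""
    rows = conn.execute("""
        SELECT d.id, d.target_path, d.start_time, d.total_bytes, d.referrer,
               (SELECT url FROM downloads_url_chains c WHERE c.id = d.id ORDER BY chain_index LIMIT 1),
               (SELECT url FROM downloads_url_chains c WHERE c.id = d.id ORDER BY chain_index DESC LIMIT 1)
        FROM downloads d ORDER BY d.start_time""").fetchall()
    return [{"id": i, "target_path": p, "start": webkit_to_dt(s), "bytes": b, "referrer": r,
             "first_url": f, "final_url": l} for i, p, s, b, r, f, l in rows]

def search_terms(conn):
    rows = conn.execute("""SELECT k.term, u.url, u.last_visit_time FROM keyword_search_terms k
                           JOIN urls u ON u.id = k.url_id ORDER BY u.last_visit_time""").fetchall()
    return [{"term": term, "url": url, "time": webkit_to_dt(ts)} for term, url, ts in rows]

def visits_matching(conn, pattern):
    """URLs matching a SQL LIKE pattern, e.g. a phishing domain taken from a report."""
    rows = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls "
                        "WHERE url LIKE ? ORDER BY last_visit_time", (pattern,)).fetchall()
    return [{"url": u, "title": t, "visits": v, "last_visit": webkit_to_dt(ts)} for u, t, v, ts in rows]

if __name__ == "__main__":
    conn = build_sample_db()
    for d in downloads(conn):
        print(d["start"].isoformat(), d["target_path"], "<-", d["final_url"])
    print(search_terms(conn))
    print(visits_matching(conn, "%login-example.example.net%"))
```

The chain matters because the address the user clicked and the host that served the file are often different; the referrer column ties the download back to the page visit, which is how a phishing page and the file it delivered end up on one timeline.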

7. Other Important Artifacts#

Shellbags#

Records folder view settings for directories the user has browsed. Can reveal browsing traces for deleted folders or external storage media.

Jump Lists#

Pinned and recent item lists from the taskbar, showing recently opened files and application usage history.

LNK Files (Shortcuts)#

Windows shortcut files for recently opened files, containing the original file's path, size, MAC timestamps, and volume information.

AmCache / Shimcache#

Program compatibility databases that record paths, hashes, and installation times for installed/executed programs.

SRUM (System Resource Usage Monitor)#

SRUM, introduced in Windows 8, records per-application network usage, execution time, and more, retaining roughly 30-60 days of data.

The Importance of Collection Automation#

Manually collecting the artifacts listed above is time-consuming and error-prone. Using automated collection tools provides:

  • Consistency: Collect the same artifacts every time without omission
  • Integrity: Prevent data tampering during the collection process
  • Speed: Collect dozens of artifact types in minutes
  • Chain of custody: Automatically record collection times and hash values
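As an added example of the integrity and chain-of-custody points above (not unJaena Collector's code), the Python below copies a list of artifact files into an evidence directory, hashes both source and copy, records source timestamps and the collection time in a manifest, hashes the manifest itself, and can later re-verify the copies. The artifact paths are whatever the caller supplies; demo() uses temporary files so it runs anywhere.

```python
"""Collect artifact files into an evidence directory and write a chain-of-custody
manifest (SHA-256 of source and copy, sizes, source timestamps, collection time).
Added example, not unJaena Collector's code; demo() works on temporary files."""
import hashlib, json, platform, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def collect(targets, dest):
    """Copy each target into dest/NNN_<name>, hashing source and copy so that
    verify() can later show the evidence was not altered after collection."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "host": platform.node(), "dest": str(dest), "items": []}
    for n, target in enumerate(targets):
        src = Path(target)
        item = {"source": str(src), "status": "ok"}
        try:
            st = src.stat()
            copy = dest / f"{n:03d}_{src.name}"
            shutil.copy2(src, copy)               # copy2 preserves mtime/atime on the copy
            item.update(copy=copy.name, size=st.st_size,
                        source_mtime=_iso(st.st_mtime),
                        source_ctime=_iso(st.st_ctime),   # creation time on Windows, inode change on POSIX
                        sha256_source=sha256_file(src), sha256_copy=sha256_file(copy))
            if item["sha256_source"] != item["sha256_copy"]:
                item["status"] = "hash_mismatch"  # file changed while being copied
        except FileNotFoundError:
            item["status"] = "missing"
        except PermissionError:
            # Live hives, $MFT and open .evtx files are locked; those need raw volume
            # access or a Volume Shadow Copy, which this example does not attempt.
            item["status"] = "locked"
        manifest["items"].append(item)
    body = json.dumps(manifest, indent=2, sort_keys=True).encode()
    (dest / "manifest.json").write_bytes(body)
    (dest / "manifest.json.sha256").write_text(hashlib.sha256(body).hexdigest())
    return manifest

def verify(dest):
    """Re-hash every copy against the manifest; returns the names that differ."""
    dest = Path(dest)
    body = (dest / "manifest.json").read_bytes()
    if hashlib.sha256(body).hexdigest() != (dest / "manifest.json.sha256").read_text():
        return ["manifest.json"]
    bad = []
    for item in json.loads(body)["items"]:
        if item["status"] == "ok" and sha256_file(dest / item["copy"]) != item["sha256_copy"]:
            bad.append(item["copy"])
    return bad

def demo():
    """Constructed inputs: two small files and one path that does not exist."""
    work = Path(tempfile.mkdtemp())
    (work / "NTUSER.DAT").write_bytes(b"hello")
    (work / "History").write_bytes(b"x" * 4096)
    m = collect([work / "NTUSER.DAT", work / "History", work / "missing.evtx"], work / "evidence")
    return m, verify(work / "evidence")

if __name__ == "__main__":
    m, bad = demo()
    print(json.dumps(m, indent=2))
    print("tampered:", bad)
```

Hashing the source before the copy and the copy afterwards is what turns "we collected it" into a verifiable statement; the manifest's own hash should then be recorded somewhere outside the evidence directory (a case file, a ticket) so that the directory cannot be rewritten together with its manifest.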

unJaena Collector is an open-source tool that handles 254 supported artifacts across Windows / macOS / Linux / iOS / Android, plus an AI activity category — including the Windows artifacts described above. Collected data can be uploaded to the AI analysis platform to begin analysis.
