
The Complete Guide to Windows Artifact Collection: From Prefetch to USN Journal

unJaena Team
April 5, 2026 · 15 min read

The Complete Guide to Windows Artifact Collection#

In digital forensics, an artifact is trace data automatically generated by the operating system and applications during normal operation. Windows systems produce a vast amount of artifacts related to user activity, and systematically collecting and analyzing these is the core of forensic investigation.

1. Prefetch Files#

Overview#

Prefetch is a file Windows creates to optimize application loading speed. Each time a program runs, its loading information is recorded as a Prefetch file.

Location#

C:\Windows\Prefetch\*.pf

Forensic Value#

  • Program execution evidence: Determine when and how many times a specific program was executed
  • First execution time: Identify when a program was first run
  • Last execution time: Confirm the most recent execution
  • Execution count: Total number of runs recorded
  • Referenced file list: Files and DLLs accessed during program execution

Analysis Points#

Particularly useful information for malware analysis:

  • Suspicious executables (e.g., POWERSHELL.EXE or CMD.EXE executed at abnormal times)
  • Execution traces of deleted programs (Prefetch remains even after the file is deleted)
  • Ransomware execution timeline reconstruction

2. Windows EventLog#

Overview#

Windows Event Log is the centralized logging system that records system, security, and application events.

Location#

C:\Windows\System32\winevt\Logs\*.evtx

Key Log Files#

| Log File | Contents | Key Event IDs |
|---|---|---|
| Security.evtx | Authentication, account management, auditing | 4624, 4625, 4648, 4720 |
| System.evtx | Services, drivers, system events | 7034, 7036, 7045, 6005 |
| Application.evtx | Application errors, warnings | 1000, 1001, 1002 |
| PowerShell/Operational.evtx | PowerShell command execution history | 4104, 4103 |
| TaskScheduler/Operational.evtx | Scheduled task execution records | 106, 200, 201 |

Critical Event IDs for Security Analysis#

  • 4624: Successful login (includes logon type)
  • 4625: Failed login attempt (brute force attack detection)
  • 4648: Login using explicit credentials (pass-the-hash detection)
  • 4720: New account creation (backdoor account detection)
  • 7045: New service installation (malicious service detection)
  • 4104: PowerShell script block logging (malicious script detection)
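The event IDs above are most useful when correlated rather than read one at a time. The following is an added example (not part of the original post) that runs two such correlations over a constructed sample of exported Security.evtx records: a burst of 4625 failures from one source followed by a 4624 from the same source, and a 4720 account creation followed by a 4624 for that new account. It assumes the .evtx export has been flattened to dicts with EventID, TimeCreated, TargetUserName, IpAddress and LogonType fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(eid, ts, user, ip, logon_type=3):
    """One exported Security.evtx record in the flattened shape assumed here."""
    return {"EventID": eid, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}

# Constructed sample (not real log data): a normal console logon, eight 4625
# failures from one source within 40 seconds followed by a 4624 from that same
# source, a new account created and then used, and one unrelated failure.
EVENTS = [_ev(4624, "2026-04-05T08:55:00", "alice", "10.0.0.5", logon_type=2)]
EVENTS += [_ev(4625, f"2026-04-05T09:00:{s:02d}", "admin", "10.0.0.7")
           for s in range(0, 40, 5)]
EVENTS += [_ev(4624, "2026-04-05T09:00:45", "admin", "10.0.0.7"),
           _ev(4720, "2026-04-05T09:02:00", "svc_backup", "10.0.0.7"),
           _ev(4624, "2026-04-05T09:03:00", "svc_backup", "10.0.0.7"),
           _ev(4625, "2026-04-05T09:10:00", "bob", "10.0.0.9")]

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return (source_ip, first_failure, success_time) for every source with at
    least `threshold` 4625 events inside `window` followed by a 4624. Sources
    that keep failing without ever succeeding are returned with success=None."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventID"] in (4624, 4625):
            by_src[e["IpAddress"]].append(e)
    hits = []
    for ip, evs in by_src.items():
        failures = []
        for e in evs:
            t = datetime.fromisoformat(e["TimeCreated"])
            if e["EventID"] == 4625:
                # keep only failures still inside the sliding window
                failures = [f for f in failures if t - f <= window] + [t]
            elif e["EventID"] == 4624 and len(failures) >= threshold:
                hits.append((ip, failures[0].isoformat(), t.isoformat()))
                failures = []
        if len(failures) >= threshold:
            hits.append((ip, failures[0].isoformat(), None))
    return hits

def new_accounts_that_logged_on(events):
    """Accounts that appear in a 4720 and later in a 4624: the pattern of a
    backdoor account being created and then used."""
    created = {e["TargetUserName"] for e in events if e["EventID"] == 4720}
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4624 and e["TargetUserName"] in created})
```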

3. Windows Registry#

Overview#

The Registry is Windows' centralized configuration database, storing system settings, user environment, and software configuration in a hierarchical structure.

Key Hive File Locations#

  • SYSTEM: C:\Windows\System32\config\SYSTEM
  • SOFTWARE: C:\Windows\System32\config\SOFTWARE
  • SAM: C:\Windows\System32\config\SAM
  • SECURITY: C:\Windows\System32\config\SECURITY
  • NTUSER.DAT: C:\Users\<username>\NTUSER.DAT
  • UsrClass.dat: C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

Key Registry Keys for Forensics#

Autorun (Persistence Detection):

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SYSTEM\CurrentControlSet\Services

USB Device History:

  • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
  • HKLM\SYSTEM\CurrentControlSet\Enum\USB
  • HKLM\SYSTEM\MountedDevices

Recent Document Access:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

Network Connection History:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures

4. $MFT (Master File Table)#

Overview#

$MFT is the core metadata structure of the NTFS file system, containing records for every file and directory on the volume.

Location#

$MFT in the volume root (hidden system file)

Forensic Value#

  • File existence evidence: If a deleted file's $MFT record remains, it proves the file existed
  • Timestamp analysis: Four timestamps for creation, modification, access, and MFT change
  • $STANDARD_INFORMATION vs $FILE_NAME: Discrepancies between these two attribute timestamps can indicate timestamp forgery
  • File size changes: Track how a file was modified over time
  • Alternate Data Streams (ADS): Detect hidden data

Timestamp Analysis Techniques#

Each file record in $MFT contains two sets of timestamps:

| Attribute | Created | Modified | Accessed | MFT Modified |
|---|---|---|---|---|
| $STANDARD_INFORMATION | SI_C | SI_M | SI_A | SI_E |
| $FILE_NAME | FN_C | FN_M | FN_A | FN_E |

Rules for detecting timestamp forgery:

  • FN_C > SI_C: If $FILE_NAME creation time is later than $STANDARD_INFORMATION, possible forgery
  • SI_C > SI_M: If creation time is later than modification time, abnormal
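Applied to parsed records, the two rules look like this. This is an added example, not code from the original post; it assumes an $MFT parser that already emits both attributes' timestamps as Python datetimes (only the fields the rules use are filled in), and it goes one step beyond the text by also flagging zeroed sub-second digits and by treating the SI_C > SI_M case as "forgery or copy", since a plain file copy also produces a creation time newer than the preserved modified time.

```python
from datetime import datetime

def check_timestamps(rec):
    """Apply the $STANDARD_INFORMATION / $FILE_NAME rules and return findings."""
    findings = []
    # Rule 1: user-mode APIs (SetFileTime and tools built on it) rewrite only
    # $STANDARD_INFORMATION, so $FILE_NAME created later than SI created means
    # the SI creation time was backdated after the file landed in this folder.
    if rec["fn_c"] > rec["si_c"]:
        findings.append("FN_C > SI_C: $STANDARD_INFORMATION creation time backdated")
    # Rule 2: created after modified. A file copy legitimately shows this (the
    # copy gets a new creation time but keeps the source's modified time), so
    # report it as needing corroboration rather than as proven forgery.
    if rec["si_c"] > rec["si_m"]:
        findings.append("SI_C > SI_M: created after modified (forgery or copied file)")
    # Extra heuristic beyond the page's two rules: many timestomping tools only
    # accept whole seconds, leaving all-zero sub-second digits in SI while the
    # untouched FN attribute still carries the original 100 ns precision.
    if rec["si_c"].microsecond == 0 and rec["fn_c"].microsecond != 0:
        findings.append("SI_C has zeroed sub-second digits while FN_C does not")
    return findings

def _rec(si_c, si_m, fn_c):
    """Minimal record; a real parser would also supply si_a, si_e, fn_m, fn_a, fn_e."""
    return {"si_c": si_c, "si_m": si_m, "fn_c": fn_c}

# Constructed records (not taken from a real $MFT):
NORMAL = _rec(datetime(2026, 3, 1, 10, 0, 0, 123456),
              datetime(2026, 3, 2, 9, 30, 0, 654321),
              datetime(2026, 3, 1, 10, 0, 0, 123456))
STOMPED = _rec(datetime(2019, 1, 1, 0, 0, 0),           # backdated, whole seconds
               datetime(2019, 1, 1, 0, 0, 0),
               datetime(2026, 4, 1, 12, 0, 0, 654321))  # FN kept the real time
COPIED = _rec(datetime(2026, 4, 3, 9, 0, 0, 111111),    # new creation time
              datetime(2026, 3, 20, 15, 0, 0, 222222),  # source's modified time
              datetime(2026, 4, 3, 9, 0, 0, 111111))
```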

5. USN Journal (Update Sequence Number Journal)#

Overview#

The USN Journal is a change journal that chronologically records changes to files and directories on an NTFS volume.

Location#

$Extend\$UsnJrnl:$J (Alternate Data Stream)

Forensic Value#

  • File change history: Records all changes including file creation, deletion, renaming, and content modification
  • Anti-forensics detection: Detect attempts to delete and overwrite files
  • Ransomware activity: Mass file rename patterns (e.g., adding .encrypted extension)
  • Data exfiltration: Detect mass file copy/move during specific time periods

Recorded Change Types#

  • FILE_CREATE - File creation
  • FILE_DELETE - File deletion
  • DATA_OVERWRITE - Data overwrite
  • DATA_EXTEND - Data extension
  • DATA_TRUNCATION - Data truncation
  • RENAME_OLD_NAME - Rename (old name)
  • RENAME_NEW_NAME - Rename (new name)
  • SECURITY_CHANGE - Security attribute change
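The change types above are bit flags in the Reason field of each USN_RECORD_V2 entry in $J. The following is an added example, not code from the original post: it walks a $J buffer record by record (skipping the zero-filled sparse region at the head of the journal), decodes the reason flags, and flags the mass-rename pattern from the Forensic Value list. The journal bytes are constructed with the same record layout rather than captured from a real volume.

```python
import struct
from collections import Counter

# Reason bits of USN_RECORD_V2 (subset), named as on the page without USN_REASON_
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x800: "SECURITY_CHANGE",
           0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
# 60-byte fixed header: RecordLength, MajorVersion, MinorVersion, FRN, ParentFRN,
# Usn, TimeStamp (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset; the UTF-16LE file name follows at FileNameOffset.
HDR = struct.Struct("<IHHQQqQIIIIHH")

def parse_journal(buf):
    """Return one dict per record in $J; zero-filled (sparse) regions are skipped."""
    off, records = 0, []
    while off + HDR.size <= len(buf):
        f = HDR.unpack_from(buf, off)
        length, major, name_len, name_off = f[0], f[1], f[11], f[12]
        if length == 0:                 # sparse gap: advance to the next 8-byte slot
            off += 8
            continue
        if major != 2 or length < HDR.size or off + length > len(buf):
            raise ValueError(f"malformed USN record at offset {off}")
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({"frn": f[3], "usn": f[5], "filetime": f[6],
                        "reason": f[7], "name": name})
        off += length                   # RecordLength already includes alignment padding
    return records

def reason_names(flags):
    return [n for bit, n in REASONS.items() if flags & bit]

def detect_mass_rename(records, threshold=3):
    """Extensions that at least `threshold` files were renamed to (ransomware pattern)."""
    counts = Counter(r["name"].rsplit(".", 1)[-1].lower()
                     for r in records if r["reason"] & 0x2000 and "." in r["name"])
    return {ext: n for ext, n in counts.items() if n >= threshold}

def build_record(frn, usn, ts, reason, name):
    """Pack one USN_RECORD_V2 (8-byte aligned); used only to construct the sample."""
    nb = name.encode("utf-16-le")
    length = (HDR.size + len(nb) + 7) & ~7
    hdr = HDR.pack(length, 2, 0, frn, 5, usn, ts, reason, 0, 0, 0x20, len(nb), HDR.size)
    return hdr + nb + b"\x00" * (length - HDR.size - len(nb))

def constructed_journal():
    """Constructed $J: 8 sparse zero bytes, four documents renamed to *.encrypted
    (RENAME_OLD_NAME then RENAME_NEW_NAME|CLOSE), then one newly created file."""
    ts, usn, buf = 133_900_000_000_000_000, 8, b"\x00" * 8
    for i, stem in enumerate(["budget", "notes", "photo", "plan"]):
        for reason, name in ((0x1000, f"{stem}.docx"), (0x2000 | 0x80000000, f"{stem}.docx.encrypted")):
            rec = build_record(100 + i, usn, ts, reason, name)
            buf, usn = buf + rec, usn + len(rec)
    return buf + build_record(200, usn, ts, 0x100 | 0x80000000, "README.txt")
```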

6. Browser Artifacts#

Collection Targets#

Collect the following files from each browser's profile directory:

Chrome/Edge (Chromium-based):

%LocalAppData%\Google\Chrome\User Data\Default\
  • History (browsing history, download records)
  • Cookies
  • Login Data (saved credentials)
  • Web Data (autofill data)
  • Bookmarks
  • Preferences

Firefox:

%AppData%\Mozilla\Firefox\Profiles\<profile>\
  • places.sqlite (browsing history, bookmarks)
  • cookies.sqlite
  • formhistory.sqlite
  • logins.json + key4.db

Forensic Applications#

  • Phishing site access records: Verify visits to malicious URLs
  • File download paths: Trace malware download sources
  • Search history: Understand user intent (e.g., "how to delete evidence")
  • Autofill data: Recover entered information

7. Other Important Artifacts#

Shellbags#

Records folder view settings for directories the user has browsed. Can reveal browsing traces for deleted folders or external storage media.

Jump Lists#

Pinned and recent item lists from the taskbar, showing recently opened files and application usage history.

LNK Files (Shortcuts)#

Windows shortcut files for recently opened files, containing the original file's path, size, MAC timestamps, and volume information.

AmCache / Shimcache#

Program compatibility databases that record paths, hashes, and installation times for installed/executed programs.

SRUM (System Resource Usage Monitor)#

Introduced in Windows 8, this system resource usage monitor records per-application network usage, execution time, and more for 30-60 days.

The Importance of Collection Automation#

Manually collecting the artifacts listed above is time-consuming and error-prone. Using automated collection tools provides:

  • Consistency: Collect the same artifacts every time without omission
  • Integrity: Prevent data tampering during the collection process
  • Speed: Collect dozens of artifact types in minutes
  • Chain of custody: Automatically record collection times and hash values

unJaena Collector is an open-source tool that collects 105+ Windows artifacts with one click. Collected data can be uploaded to the AI analysis platform to begin analysis immediately.
