Handbook of Windows forensic artifacts across multiple Windows versions, with interpretation tips and some examples. Work in progress!

Psmths/windows-forensic-artifacts

Windows Forensic Artifacts Guide

This repository provides an in-depth guide to the various Windows forensic artifacts that can be utilized when conducting an investigation. Detailed information is provided for each artifact, including its location, available parsing tools, and instructions for interpreting the results of a forensic data extraction. Furthermore, the repository seeks to provide a comprehensive resource for those seeking to expand their understanding of Windows forensics artifacts and how to properly leverage them during a forensic investigation.

Types of Windows Artifacts

Forensic artifacts on the Windows operating system can generally be split into four main categories:

  1. Registry
  2. Filesystem
  3. Event Log
  4. Memory

Registry artifacts are found in the Windows registry, which is loaded into memory while a system is in operation and written to disk during shutdown. The registry stores low-level configuration settings for the operating system and contains a wealth of forensic artifacts of interest to an analyst.

Filesystem artifacts are artifacts that arise due to the operation of Windows' filesystem - NTFS (New Technology File System).

Event log artifacts are found in the Windows event log and consist primarily of audit logs from the operating system and its applications.

Memory artifacts are those artifacts found in the endpoint's memory while it is operational. These artifacts must be collected from a live system and are generally not applicable to dead-disk forensics, with certain exceptions such as page files and hibernation files, which consist of memory that has been written to disk.

A complete forensic analysis of a Windows endpoint will draw on one or all of these artifact categories. Artifacts may be collected and parsed individually at the analyst's discretion, or consolidated into "super timelines" with forensic software such as log2timeline.

(back to top)

How to Use this Guide

This guide was created to classify the numerous Windows forensic artifacts and provide a concise list of what information they respectively provide. While it may be used as a general reference, it shines when it comes time to tie separate artifacts together based on mutual/shared datapoints.

For instance, if it is known that an attacker has logged into an endpoint around a certain time, an analyst may want to determine what activity on the endpoint can be attributed to this session. For this, the analyst might begin by looking at 4624 Login events and pull the Logon ID from this artifact. This guide provides a list of every artifact that has the Logon ID field present, providing a quick way to correlate logon activity with other activity on the endpoint filed under the section Logon ID.

As another example, say for instance you are aware that an endpoint may have a malicious file on it. Maybe you want to see when the file was created, or when it was first executed. What about determining what Logon ID is associated with the execution with 4688 events?
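The Logon ID pivot described above, as an added example (not code from this repository): it parses Security events in their rendered XML form and attaches each 4688 process creation and the 4634 logoff to the 4624 logon that opened the session. The sample events and all values in them are constructed; the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Field that carries the session's Logon ID in each event type.
ID_FIELD = {4624: "TargetLogonId", 4688: "SubjectLogonId", 4634: "TargetLogonId"}

def _ev(eid, ts, **data):
    """Build one constructed Security event in the rendered-XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample events (all values invented for illustration).
SAMPLE = [
    _ev(4624, "2024-01-10T03:12:05Z", TargetUserName="svc_backup",
        TargetLogonId="0x3e7a91", LogonType="10", IpAddress="203.0.113.7"),
    _ev(4688, "2024-01-10T03:12:40Z", SubjectLogonId="0x3e7a91",
        NewProcessName=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c whoami"),
    _ev(4688, "2024-01-10T03:13:02Z", SubjectLogonId="0x1f4c2",
        NewProcessName=r"C:\Windows\System32\notepad.exe", CommandLine="notepad.exe"),
    _ev(4688, "2024-01-10T03:14:11Z", SubjectLogonId="0x3E7A91",
        NewProcessName=r"C:\Windows\System32\net.exe", CommandLine="net.exe user"),
    _ev(4634, "2024-01-10T03:20:00Z", TargetLogonId="0x3e7a91"),
]

def parse(xml_text):
    """Flatten one event into a dict of EventData fields plus EventID and Time."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    rec["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    rec["Time"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return rec

def sessions(events):
    """Attach 4688 process creations and the 4634 logoff to their 4624 logon."""
    out = {}
    for r in sorted(map(parse, events), key=lambda r: r["Time"]):
        field = ID_FIELD.get(r["EventID"])
        if field is None:
            continue
        lid = int(r[field], 16)  # hex string; integer compare ignores case
        if r["EventID"] == 4624:
            out[lid] = {"user": r["TargetUserName"], "type": r["LogonType"],
                        "src": r["IpAddress"], "start": r["Time"], "end": None, "procs": []}
        elif lid in out and r["EventID"] == 4688:
            # CommandLine is empty unless command-line auditing is enabled.
            out[lid]["procs"].append((r["Time"], r["NewProcessName"], r.get("CommandLine", "")))
        elif lid in out and r["EventID"] == 4634:
            out[lid]["end"] = r["Time"]
    return out
```

Logon IDs are only unique between reboots, so on real data restrict the correlation to a single boot session before grouping.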

Building a visual map in your mind of the relationships between all the artifacts present in Windows is necessary for an analyst to pivot efficiently during an investigation. This guide simply lays it all out and provides useful analysis tips collected during years of forensic experience while doing so.

(back to top)

Artifacts by Category

The forensic artifacts described in this repository are split into the following categories:

Execution

Execution artifacts may provide the following information:

Execution - Command Line Options

What command line was used to spawn this process?

Execution - First Executed

When was this executable first run?

Execution - Last Executed

When was the last time this executable was run?

Execution - Permissions / Account

What permissions does the process have? What account launched the process?

Execution - Process Tree

How did this process come to be? What spawned this process? Is the ProcessID available?

Execution - Time

When was this process spawned?

Execution - Evidence of Execution

Was a process spawned?

(back to top)

Account Activity

Account activity artifacts may provide the following information:

Account - Creation Time

When was this account created?

Account - Group Membership

What groups is the account a member of?

Account - Last Login

When did this account last log in?

Account - Login History

Identification of specific instances of account logins

Account - Logon ID

Certain activity can be tied to login sessions by means of a Logon ID

Account - Relative Identifier (RID)

What is the account's Relative Identifier?

Account - Security Identifier (SID)

What is the account's Security Identifier?

Account - Username

Determining the username attached to a particular SID, or artifacts where you would expect to find a username

(back to top)

File Activity

File activity artifacts may provide the following information:

File - Creation

When was the file created?

File - Deletion

When was the file deleted?

File - Hash

What is the hash of this file?

File - Last Modified

When was the file last modified?

File - Origin

Where did the file come from?

File - Path

Where is the file located?

File - Size

What is the file's size on disk?

(back to top)

Network Activity

Network activity artifacts may provide the following information:

Network Activity - Evidence of Network Activity

Is there evidence of network activity?

Network Activity - Destination Identification

Can the destination for this activity be identified?

Network Activity - Source Identification

Can the source of this activity be identified?

Network Activity - Transmit Volume

Can the amount of data sent or received be determined?

Network Activity - Browser Activity

Artifacts supporting general forensic analysis for browser activity on an endpoint

(back to top)

Network Activity - Firewall Activity

Artifacts supporting general forensic analysis of events pertaining to the Windows Firewall

(back to top)

Network Activity - Wireless Activity

Artifacts providing evidence of wireless network activity

(back to top)

Browser Activity

Browser activity artifacts may provide the following information:

Browser Activity - History

Browser Activity - Bookmarks

(back to top)

User Activity

These miscellaneous artifacts may provide an analyst information regarding certain actions that a user took on a system.

(back to top)

Group Policy Activity

These miscellaneous artifacts may provide an analyst information regarding Group Policy Object (GPO) activity on an Active Directory domain.

(back to top)

Enumeration Artifacts

These artifacts may be leveraged by an analyst to enumerate information from an endpoint that may prove useful during an investigation. While some of these artifacts may not necessarily be looked at for evidence of activity, they may be analyzed to obtain information important to an investigation.

| Artifact | Information |
|---|---|
| Select | CurrentControlSet |
| CurrentVersion | OS Version; Installation Timestamp |
| TimeZoneInformation | System Time Zone |
| ComputerName | System Name |
| Interfaces | IP configuration |
| Network Cards | Network Adapter Enumeration |
| Group Membership Registry Key | Local account group membership enumeration |

(back to top)

Artifact Behavioral Mappings

Additionally, these artifacts may be roughly mapped to the MITRE ATT&CK framework to perform analysis on a behavioral basis:

TA0002 Execution

The below artifacts are related to execution. Execution is defined by MITRE as:

...techniques that result in adversary-controlled code running on a local or remote system.

The below artifacts may prove useful in identifying instances of execution on an endpoint:

| Artifact Type | Artifact |
|---|---|
| Filesystem | Prefetch |
| Eventlog | Security/4688: A new process has been created |
| Registry/Memory | ShimCache |
| Registry | AmCache.hve |
| Filesystem | Scheduled Task Files |
| Eventlog | TaskScheduler/Operational Log |
| Registry/Filesystem | SRUM Database |
| Filesystem | Program Compatibility Assistant (PCA) - PcaAppLaunchDic.txt |
| Registry | Background Activity Monitor |
| Filesystem | Detection History Files |
| Filesystem | Program Compatibility Assistant (PCA) - PcaAppLaunchDic.txt |
| Registry | Tracing Registry Keys |
| Eventlog | Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started |
| Filesystem | AutomaticDestinations Jumplists |
| Filesystem | Windows Error Reporting Files (.WER) |

TA0003 Persistence

The below artifacts are related to persistence activities. Persistence is defined by MITRE as:

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

The below artifacts may prove useful in identifying instances of persistence on an endpoint:

| Artifact Type | Artifact |
|---|---|
| Registry | Run/RunOnce Keys |
| Eventlog | TaskScheduler/Operational Log |
| Filesystem | Scheduled Task Files |
| Eventlog | Security/4720: A user account was created |
| Eventlog | WMI-Activity/Operational/5861: New WMI Event Consumer |
| Registry | Image File Execution Options |
| Eventlog | Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started |
| Registry | Services Registry Keys |
| Eventlog | Security/7045: Service Installed |
| Registry | Image File Execution Options |
| Eventlog | Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started |

TA0008 Lateral Movement

The below artifacts are related to lateral movement activities. Lateral movement is defined by MITRE as:

techniques that adversaries use to enter and control remote systems on a network.

The below artifacts may prove useful in identifying instances of lateral movement to or from an endpoint:

| Artifact Type | Artifact |
|---|---|
| Eventlog | TaskScheduler/Operational Log |
| Filesystem | Scheduled Task Files |
| Eventlog | Security/4778: Session reconnected |
| Eventlog | TerminalServices-RDPClient/Operational/1024: RDP ClientActiveX is trying to connect to the server |
| Eventlog | Security/4648: Logon using explicit credentials |
| Eventlog | Security/4624: An account was successfully logged on |
| Eventlog | Security/4625: An account failed to log on |
| Filesystem | RDP Persistent Bitmap Cache |
| Registry | Terminal Server Client Registry Keys |
| Eventlog | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational/1149 |
| Eventlog | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational/21: Session logon succeeded |
| Eventlog | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational/24: Session has been disconnected |

(back to top)