Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ at no additional cost to you.
Chapter 16 โ Further Reading
Windows forensics is the most thoroughly documented corner of DFIR. Start with one practitioner book and one tool author's notes, then go to primary format references when you need to defend a finding byte by byte.
Foundations (๐ฌ deeper / format-level)
- Brian Carrier, File System Forensic Analysis. The canonical treatment of NTFS internals โ
$MFT`, `$STANDARD_INFORMATIONvs.$FILE_NAME, and how "deleted" works. It is the reference behind this chapter's timestomping detection. - Joachim Metz's libyal format documentation (
libregf,libevtx,libscca,liblnk,libfwsi,libfwps). Free, exhaustive, byte-level specifications for the registry,.evtx, prefetch, LNK, and shell-item (ShellBags) formats. When you must explain why a parser produced a value, this is where the answer lives. - Mandiant, "Leveraging the Application Compatibility Cache in Forensic Investigations" (Andrew Davis). The whitepaper that put ShimCache on the map โ and the source of the warning that its timestamp is a file modified time, not an execution time.
Approachable explanations (everyone)
- Harlan Carvey, Windows Forensic Analysis Toolkit and Windows Registry Forensics. Practitioner-friendly, deeply experienced, and full of "why this matters in a real case" framing. The registry book pairs perfectly with this chapter.
- 13cubed (Richard Davis), YouTube โ the "Investigating Windows Endpoints" series. Short, rigorous, free walk-throughs of Amcache, ShimCache, Prefetch, ShellBags, and USB device tracking. The best fast on-ramp to the artifacts in this chapter.
- Microsoft Learn โ Windows security audit events / logon types reference. The authoritative source for what each
4xxx/7xxxevent ID and logon type actually means. Cite it, don't memorize a forum post.
In practice (๐พ Recovery ยท ๐ Examiner ยท ๐ก๏ธ IR ยท ๐ Legal)
- ๐ Eric Zimmerman's tools (ericzimmerman.github.io) and the SANS "Windows Forensic Analysis" / "Hunt Evil" posters. The posters are a single-page artifact map; the tools (
RECmd,PECmd,AmcacheParser,AppCompatCacheParser,LECmd,JLECmd,SBECmd,RBCmd,EvtxECmd, Timeline Explorer) are the field standard used throughout this chapter. - ๐ก๏ธ Andrea Fortuna / AboutDFIR artifact catalogs and the SANS DFIR blog. Excellent for persistence (ASEPs, services), event-log triage, and "what survives a log clear" โ the spine of Case Study 1.
- ๐๐ก๏ธ RegRipper (Harlan Carvey) and Autopsy/The Sleuth Kit (Brian Carrier). A free triage-plus-GUI stack; running RegRipper and RECmd and Autopsy against a load-bearing artifact is the "corroborate with independent tools" practice cross-examiners reward.
- ๐ NIST SP 800-101r1 (mobile) and SP 800-86 (integrating forensics into IR). For the legal/eDiscovery reader, these anchor your method to a recognized standard.
Reference (this book)
- Appendix D โ Forensic Artifact Locations: the Windows registry/path cheat sheet for every artifact above.
- Appendix C โ Tool Reference: EZ tools, RegRipper, Autopsy command syntax and options.
- Appendix G โ File System Reference: NTFS
$SI`/`$FNstructure behind timestomping detection. - Chapter 21 โ Timeline Analysis and Chapter 30 โ Anti-Forensics: the next stops for the anchor case.
Do, don't just read
- Build the anchor timeline yourself. Grab a practice image (Appendix J), extract the hives with their
.LOGfiles, run the full EZ suite, and reproduce a sourced USB-exfiltration timeline. You do not understandMountPoints2until you have matched its GUID to aMountedDevicesentry with your own eyes. - Break a finding on purpose. Re-report a ShimCache time as an "execution time," then dismantle your own sentence the way the cross-examiner did in Case Study 2. Feeling the impeachment once teaches the limits better than any list.
Next: Chapter 17 โ macOS and Linux Forensics: the same method on systems with no registry and no .evtx โ plists, FSEvents, unified logging, and ext4/APFS metadata.