Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ€” at no additional cost to you.

Chapter 16 โ€” Further Reading

Windows forensics is the most thoroughly documented corner of DFIR. Start with one practitioner book and one tool author's notes, then go to primary format references when you need to defend a finding byte by byte.

Foundations (๐Ÿ”ฌ deeper / format-level)

  • Brian Carrier, File System Forensic Analysis. The canonical treatment of NTFS internals โ€” $MFT`, `$STANDARD_INFORMATION vs. $FILE_NAME, and how "deleted" works. It is the reference behind this chapter's timestomping detection.
  • Joachim Metz's libyal format documentation (libregf, libevtx, libscca, liblnk, libfwsi, libfwps). Free, exhaustive, byte-level specifications for the registry, .evtx, prefetch, LNK, and shell-item (ShellBags) formats. When you must explain why a parser produced a value, this is where the answer lives.
  • Mandiant, "Leveraging the Application Compatibility Cache in Forensic Investigations" (Andrew Davis). The whitepaper that put ShimCache on the map โ€” and the source of the warning that its timestamp is a file modified time, not an execution time.

Approachable explanations (everyone)

  • Harlan Carvey, Windows Forensic Analysis Toolkit and Windows Registry Forensics. Practitioner-friendly, deeply experienced, and full of "why this matters in a real case" framing. The registry book pairs perfectly with this chapter.
  • 13cubed (Richard Davis), YouTube โ€” the "Investigating Windows Endpoints" series. Short, rigorous, free walk-throughs of Amcache, ShimCache, Prefetch, ShellBags, and USB device tracking. The best fast on-ramp to the artifacts in this chapter.
  • Microsoft Learn โ€” Windows security audit events / logon types reference. The authoritative source for what each 4xxx/7xxx event ID and logon type actually means. Cite it, don't memorize a forum post.
  • ๐Ÿ” Eric Zimmerman's tools (ericzimmerman.github.io) and the SANS "Windows Forensic Analysis" / "Hunt Evil" posters. The posters are a single-page artifact map; the tools (RECmd, PECmd, AmcacheParser, AppCompatCacheParser, LECmd, JLECmd, SBECmd, RBCmd, EvtxECmd, Timeline Explorer) are the field standard used throughout this chapter.
  • ๐Ÿ›ก๏ธ Andrea Fortuna / AboutDFIR artifact catalogs and the SANS DFIR blog. Excellent for persistence (ASEPs, services), event-log triage, and "what survives a log clear" โ€” the spine of Case Study 1.
  • ๐Ÿ”๐Ÿ›ก๏ธ RegRipper (Harlan Carvey) and Autopsy/The Sleuth Kit (Brian Carrier). A free triage-plus-GUI stack; running RegRipper and RECmd and Autopsy against a load-bearing artifact is the "corroborate with independent tools" practice cross-examiners reward.
  • ๐Ÿ“œ NIST SP 800-101r1 (mobile) and SP 800-86 (integrating forensics into IR). For the legal/eDiscovery reader, these anchor your method to a recognized standard.

Reference (this book)

Do, don't just read

  • Build the anchor timeline yourself. Grab a practice image (Appendix J), extract the hives with their .LOG files, run the full EZ suite, and reproduce a sourced USB-exfiltration timeline. You do not understand MountPoints2 until you have matched its GUID to a MountedDevices entry with your own eyes.
  • Break a finding on purpose. Re-report a ShimCache time as an "execution time," then dismantle your own sentence the way the cross-examiner did in Case Study 2. Feeling the impeachment once teaches the limits better than any list.

Next: Chapter 17 โ€” macOS and Linux Forensics: the same method on systems with no registry and no .evtx โ€” plists, FSEvents, unified logging, and ext4/APFS metadata.