Chapter 16 — Key Takeaways

The big idea

Windows keeps receipts — thousands of them, redundant and cross-correlated — and the skill of Windows forensics is correlation, not memorization. The registry records state (what was configured, connected, used), the event logs record events (what happened, with hard-to-forge system timestamps), execution artifacts record what ran, and access artifacts record what files and folders were opened — even from devices that are long gone. No single key cracks a case; a USB serial in USBSTOR, a matching volume GUID in MountPoints2, a LNK with the same volume serial, and a Jump List timestamp do. One artifact is a lead; three that agree is a finding. And because every action leaves a trace, the artifacts an anti-forensic tool fails to erase — including the one it creates by running — usually convict it.

The registry is files, not a database

  • It is a runtime assembly of separate hive files: SAM (local accounts), SYSTEM (devices, USB history, services), SOFTWARE (installed programs, machine autostart), SECURITY, DEFAULT, and per-user NTUSER.DAT (RecentDocs, TypedURLs/Paths, RunMRU, UserAssist) and UsrClass.dat (ShellBags).
  • Offline you read ControlSet001 (not the runtime-only CurrentControlSet); confirm via SYSTEM\Select\Current.
  • A dirty hive (primary ≠ secondary sequence number) hides its latest changes in .LOG1/.LOG2 — extract and replay the logs or you analyze a stale registry.
  • Every key carries one last-write FILETIME — a tight event proxy for single-purpose keys, nearly meaningless for busy ones.

The USB correlation chain (attribution in three keys)

Step Key Hive Gives you
1 Enum\USBSTOR\… SYSTEM vendor, product, serial, first-install / last-arrival / last-removal
2 MountedDevices SYSTEM drive letter + volume GUID
3 Explorer\MountPoints2\{GUID} NTUSER.DAT user attribution + last-write ≈ when this user mounted it

A second character of & in the instance ID = a Windows-generated serial — not unique, not trackable across machines. Say so.

Execution vs. presence (the table to memorize)

Artifact Proves Key gotcha
Prefetch EXECUTED (≥1×) + run count + last 8 run times often off on servers/SSDs
UserAssist / BAM EXECUTED (per user) + last-run time GUI launches / recent window only
Amcache PRESENT + SHA-1 + compile time presence ≠ execution
ShimCache PRESENT + path + $SI mod time timestamp is not a run time; flushed at shutdown

Say it in one sentence: Prefetch, UserAssist, and BAM indicate execution; Amcache and ShimCache indicate presence.

Events, access, and deletion

  • Event logs (.evtx): 4624/4625 logon/fail (read the logon type — 2 keyboard, 3 network, 10 RDP), 4672 admin, 4720/4726/4732 account changes, 1102 Security-log cleared, 7045 service installed, 6005/6006/6008 boot/shutdown. OS-set timestamps are your strongest time anchors.
  • Access: LNK files and Jump Lists prove a file was opened — with its volume serial and drive type — even after the device leaves. ShellBags prove a folder was browsed, even if it no longer exists.
  • Deletion: $Recycle.Bin` `$I = metadata (original path, size, deletion time), $R = recoverable content; the SID in the folder name attributes the deletion to a user.
  • Anti-forensics defeats itself: a backdated file is unmasked by kernel-set $FILE_NAME` vs. forgeable `$STANDARD_INFORMATION; a cleaner is convicted by its own prefetch, Amcache hash, and the dated gaps it leaves.

You can now…

  • ☐ Locate, extract (with transaction logs), and offline-parse Windows registry hives, reading key last-write times from the regf/hbin structure.
  • ☐ Chain USBSTORMountedDevicesMountPoints2 to attribute a device to a specific user and time.
  • ☐ Read .evtx logon types, account changes, log clears, and service installs as hard-to-forge time anchors.
  • ☐ Distinguish execution (Prefetch/UserAssist/BAM) from presence (Amcache/ShimCache) and avoid the ShimCache-timestamp trap.
  • ☐ Interpret LNK files, Jump Lists, ShellBags, and $I`/`$R pairs — and detect timestomping via $SI`/`$FN contradiction — reporting each with its limits.

Looking ahead

Chapter 17 — macOS and Linux Forensics. The same investigative method meets systems with no registry and no .evtx: plists, FSEvents, unified logging, bash/zsh history, syslog/journald, and ext4/APFS metadata. Technology changes; principles don't.

One sentence to carry forward: Windows does not trust you to remember anything — so it remembers everything, and your job is to read what it wrote and say only what it proves.