Chapter 16 — Key Takeaways
The big idea
Windows keeps receipts — thousands of them, redundant and cross-correlated — and the skill of Windows forensics is correlation, not memorization. The registry records state (what was configured, connected, used), the event logs record events (what happened, with hard-to-forge system timestamps), execution artifacts record what ran, and access artifacts record what files and folders were opened — even from devices that are long gone. No single key cracks a case; a USB serial in USBSTOR, a matching volume GUID in MountPoints2, a LNK with the same volume serial, and a Jump List timestamp do. One artifact is a lead; three that agree is a finding. And because every action leaves a trace, the artifacts an anti-forensic tool fails to erase — including the one it creates by running — usually convict it.
The registry is files, not a database
- It is a runtime assembly of separate hive files:
SAM(local accounts),SYSTEM(devices, USB history, services),SOFTWARE(installed programs, machine autostart),SECURITY,DEFAULT, and per-userNTUSER.DAT(RecentDocs, TypedURLs/Paths, RunMRU, UserAssist) andUsrClass.dat(ShellBags). - Offline you read
ControlSet001(not the runtime-onlyCurrentControlSet); confirm viaSYSTEM\Select\Current. - A dirty hive (primary ≠ secondary sequence number) hides its latest changes in
.LOG1/.LOG2— extract and replay the logs or you analyze a stale registry. - Every key carries one last-write FILETIME — a tight event proxy for single-purpose keys, nearly meaningless for busy ones.
The USB correlation chain (attribution in three keys)
| Step | Key | Hive | Gives you |
|---|---|---|---|
| 1 | Enum\USBSTOR\… |
SYSTEM |
vendor, product, serial, first-install / last-arrival / last-removal |
| 2 | MountedDevices |
SYSTEM |
drive letter + volume GUID |
| 3 | Explorer\MountPoints2\{GUID} |
NTUSER.DAT |
user attribution + last-write ≈ when this user mounted it |
A second character of & in the instance ID = a Windows-generated serial — not unique, not trackable across machines. Say so.
Execution vs. presence (the table to memorize)
| Artifact | Proves | Key gotcha |
|---|---|---|
| Prefetch | EXECUTED (≥1×) + run count + last 8 run times | often off on servers/SSDs |
| UserAssist / BAM | EXECUTED (per user) + last-run time | GUI launches / recent window only |
| Amcache | PRESENT + SHA-1 + compile time | presence ≠ execution |
| ShimCache | PRESENT + path + $SI mod time |
timestamp is not a run time; flushed at shutdown |
Say it in one sentence: Prefetch, UserAssist, and BAM indicate execution; Amcache and ShimCache indicate presence.
Events, access, and deletion
- Event logs (
.evtx): 4624/4625 logon/fail (read the logon type — 2 keyboard, 3 network, 10 RDP), 4672 admin, 4720/4726/4732 account changes, 1102 Security-log cleared, 7045 service installed, 6005/6006/6008 boot/shutdown. OS-set timestamps are your strongest time anchors. - Access: LNK files and Jump Lists prove a file was opened — with its volume serial and drive type — even after the device leaves. ShellBags prove a folder was browsed, even if it no longer exists.
- Deletion:
$Recycle.Bin` `$I= metadata (original path, size, deletion time),$R= recoverable content; the SID in the folder name attributes the deletion to a user. - Anti-forensics defeats itself: a backdated file is unmasked by kernel-set
$FILE_NAME` vs. forgeable `$STANDARD_INFORMATION; a cleaner is convicted by its own prefetch, Amcache hash, and the dated gaps it leaves.
You can now…
- ☐ Locate, extract (with transaction logs), and offline-parse Windows registry hives, reading key last-write times from the
regf/hbinstructure. - ☐ Chain
USBSTOR→MountedDevices→MountPoints2to attribute a device to a specific user and time. - ☐ Read
.evtxlogon types, account changes, log clears, and service installs as hard-to-forge time anchors. - ☐ Distinguish execution (Prefetch/UserAssist/BAM) from presence (Amcache/ShimCache) and avoid the ShimCache-timestamp trap.
- ☐ Interpret LNK files, Jump Lists, ShellBags, and
$I`/`$Rpairs — and detect timestomping via$SI`/`$FNcontradiction — reporting each with its limits.
Looking ahead
Chapter 17 — macOS and Linux Forensics. The same investigative method meets systems with no registry and no .evtx: plists, FSEvents, unified logging, bash/zsh history, syslog/journald, and ext4/APFS metadata. Technology changes; principles don't.
One sentence to carry forward: Windows does not trust you to remember anything — so it remembers everything, and your job is to read what it wrote and say only what it proves.