When a security incident occurs on a Windows system, the clock starts ticking immediately. Every action taken – or not taken – can determine whether critical evidence is preserved or permanently lost. Windows digital forensics is the discipline that allows IT security teams to systematically uncover what happened, when it happened, and who was responsible. From analyzing low-level file system structures to tracing user activity through registry hives, Windows provides a remarkably rich trail of artifacts for investigators who know where to look. This guide walks through the essential techniques every IT security team should understand before they face a live incident.
Understanding NTFS and the Master File Table: Windows Digital Forensics
The New Technology File System (NTFS) is the foundation of Windows forensics. Unlike older file systems, NTFS maintains detailed metadata about every file and directory on a volume, much of which persists even after deletion. At the heart of NTFS is the Master File Table (MFT), a database that contains at least one record for every file on the volume.
What the MFT Reveals
Each MFT record stores critical forensic metadata including file creation time, last modification time, last access time, and MFT record change time – collectively known as MACB timestamps. These four timestamps are invaluable for building a timeline of activity. Investigators should be aware that standard file copy operations update timestamps, which is why forensic imaging must always be performed before analysis. Alongside the per-file records, several NTFS system files are central to an investigation:
- $MFT – the Master File Table itself, containing records for all files
- $LogFile – a journal of file system transactions, useful for recovering recently deleted data
- $UsnJrnl – the Update Sequence Number Journal, tracking file changes over time
- $Bitmap – tracks which clusters are allocated or free on the volume
Tools such as MFTECmd from Eric Zimmerman’s suite allow investigators to parse the MFT and export records to CSV for timeline analysis. Running MFTECmd.exe -f C:\$MFT --csv C:\output on a forensic image produces a structured output that can be loaded into timeline analysis tools. The $UsnJrnl is equally important: MFTECmd.exe -f C:\$Extend\$UsnJrnl:$J --csv C:\output extracts a log of file system events that may reveal file creation and deletion sequences that are no longer visible through standard directory listings.
LNK File Analysis for Forensic Investigation
Windows automatically creates LNK shortcut files whenever a user opens a file from Windows Explorer or certain applications. These files are stored in the user’s recent items folder and contain metadata about the target file, including its original path, volume serial number, MAC timestamps, and even the host name and MAC address of the system where the file originated if it was accessed from a network share or removable media.
Where LNK Files Are Found
- C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Recent\ – general recent files
- C:\Users\[username]\AppData\Roaming\Microsoft\Office\Recent\ – Office document history
- Custom application jump lists stored alongside LNK data in the AutomaticDestinations and CustomDestinations folders
The LECmd tool parses LNK files effectively. The command LECmd.exe -f "C:\path\to\file.lnk" --csv C:\output extracts all embedded metadata. For bulk processing of an entire Recent directory, use LECmd.exe -d "C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\output. LNK analysis is particularly powerful for proving that a user accessed a specific file on a specific date, even if that file has since been deleted from its original location.
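As an added illustration of what LECmd reads from the fixed ShellLinkHeader (example code written for this guide, not part of LECmd or the original article): the parser below checks the LinkCLSID magic, extracts the target's creation/access/write FILETIMEs and size, and lists which optional structures the LinkFlags announce. The 76-byte header layout is assumed from the MS-SHLLINK specification; the sample bytes are constructed, not taken from a real shortcut.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LinkCLSID {00021401-0000-0000-C000-000000000046} as it appears on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LINK_FLAGS = {0: "HasLinkTargetIDList", 1: "HasLinkInfo", 2: "HasName", 3: "HasRelativePath",
              4: "HasWorkingDir", 5: "HasArguments", 6: "HasIconLocation", 7: "IsUnicode"}

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; zero means 'not set'."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def parse_lnk_header(data):
    """Parse the fixed 76-byte ShellLinkHeader; raises if the magic does not match."""
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file: bad HeaderSize or LinkCLSID")
    flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", data, 0x14)
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags >> bit & 1],
        "file_attributes": attrs,
        "target_created": filetime_to_dt(ctime),   # MAC times of the *target*, not of the LNK itself
        "target_accessed": filetime_to_dt(atime),
        "target_modified": filetime_to_dt(wtime),
        "target_size": fsize,                      # low 32 bits of the target size
    }

def dt_to_filetime(dt):
    return int((dt - EPOCH).total_seconds() * 10_000_000)

def build_sample_header(flags, attrs, ctime, atime, wtime, fsize):
    """Constructed sample header for testing (not a real LNK from an evidence drive)."""
    head = struct.pack("<I16sIIQQQI", 0x4C, LNK_CLSID, flags, attrs, ctime, atime, wtime, fsize)
    tail = struct.pack("<IIHHII", 0, 1, 0, 0, 0, 0)  # IconIndex, ShowCommand, HotKey, Reserved1-3
    return head + tail

# Constructed sample: target created 09:00 and modified 10:30 on 2024-03-15, access time never set,
# flags 0x83 = HasLinkTargetIDList | HasLinkInfo | IsUnicode, FILE_ATTRIBUTE_ARCHIVE (0x20).
SAMPLE_LNK = build_sample_header(
    0x83, 0x20,
    dt_to_filetime(datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc)), 0,
    dt_to_filetime(datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)), 4096)

if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{key:>16}: {value}")
```

The flags tell you whether a LinkInfo block (volume serial, local/network base path) and an IDList follow the header, which is where the remaining evidence the section describes lives.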
Recycle Bin Forensics with Rifiuti2
The Windows Recycle Bin stores deleted files along with metadata that can be critical in an investigation. When a file is deleted and moved to the Recycle Bin, Windows creates two associated files: one prefixed with $R containing the actual file data, and one prefixed with $I containing metadata such as the original file path, file size, and the date and time of deletion. These $I files persist even after the $R file has been permanently deleted from the Recycle Bin.
Using Rifiuti2 Step by Step
Rifiuti2 is an open-source command-line tool designed specifically for parsing Windows Recycle Bin artifacts. Follow these steps during an investigation:
- Step 1 – Locate the Recycle Bin on the target volume: C:\$Recycle.Bin\[SID]\ where SID corresponds to the user’s Security Identifier
- Step 2 – List all $I files in the directory to confirm artifacts are present: dir C:\$Recycle.Bin\S-1-5-21-*\$I*
- Step 3 – Run Rifiuti2 against the folder: rifiuti2.exe -o output.txt "C:\$Recycle.Bin\S-1-5-21-[SID]"
- Step 4 – For XML output suitable for further processing: rifiuti2.exe -x -o output.xml "C:\$Recycle.Bin\S-1-5-21-[SID]"
- Step 5 – For legacy Windows systems using INFO2 format (XP and earlier): rifiuti.exe -o output.txt "C:\RECYCLER\S-1-5-21-[SID]\INFO2"
The output will display the original file name, original path, deletion timestamp, and file size for each deleted item. This evidence is admissible in many jurisdictions and can directly connect a user to files they attempted to destroy. To maintain the integrity of this evidence, ensure all artifacts are stored using secure file storage solutions that provide tamper-evident logging and access controls throughout the investigation lifecycle.
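To show what Rifiuti2 is actually recovering from a $I file, here is a small parser written for this guide (example code, not Rifiuti2's own implementation). It assumes the two $I layouts used since Vista: version 1 (Vista/7/8) with a fixed 520-byte UTF-16 path, and version 2 (Windows 10 and later) with a character count followed by the path. The sample records are constructed in code, not taken from a real Recycle Bin.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - EPOCH).total_seconds() * 10_000_000)

def parse_i_file(data):
    """Parse a $I record: 8-byte version, 8-byte original size, 8-byte deletion FILETIME, then path.
    Version 1 = Vista/7/8 (fixed 520-byte path), version 2 = Windows 10+ (char count + path)."""
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)   # count includes the NUL terminator
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I format version {version}")
    return {"version": version, "original_path": raw.decode("utf-16-le").rstrip("\x00"),
            "size": size, "deleted": filetime_to_dt(deleted_ft)}

def companion_r_name(i_name):
    """$IXXXXXX.ext pairs with $RXXXXXX.ext; if $R is already gone, $I still dates the deletion."""
    return "$R" + i_name[2:]

def build_sample(version, path, size, deleted):
    """Constructed $I bytes for testing (not a record from a real evidence drive)."""
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, dt_to_filetime(deleted)) + encoded.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, dt_to_filetime(deleted), len(path) + 1) + encoded

DELETED_AT = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\budget.xlsx"
SAMPLE_V2 = build_sample(2, SAMPLE_PATH, 4096, DELETED_AT)   # Windows 10/11 layout
SAMPLE_V1 = build_sample(1, SAMPLE_PATH, 4096, DELETED_AT)   # Vista/7/8 layout

if __name__ == "__main__":
    for name, blob in (("$IABC123.xlsx", SAMPLE_V2), ("$IDEF456.xlsx", SAMPLE_V1)):
        rec = parse_i_file(blob)
        print(name, "->", companion_r_name(name), rec["original_path"], rec["size"], rec["deleted"])
```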
Windows Registry Forensic Analysis
The Windows Registry is one of the most information-dense forensic sources available to investigators. It records software installations, user activity, hardware connections, network history, and much more. The registry is organized into hives, each stored as a binary file on disk, and each containing distinct categories of forensic evidence.
Key Registry Hives for Investigators
- NTUSER.DAT – stored in each user’s profile, contains user-specific settings, recently accessed files (RecentDocs), typed URLs, and application usage data
- SYSTEM – located at C:\Windows\System32\config\SYSTEM, contains USB device connection history under SYSTEM\CurrentControlSet\Enum\USBSTOR
- SOFTWARE – located at C:\Windows\System32\config\SOFTWARE, records installed applications, run keys for persistence, and Windows version information
- SAM – Security Accounts Manager, stores local user account information including last login times and login counts
- SECURITY – contains audit policy settings and cached domain credentials
Critical Registry Keys for Forensic Investigation
Several registry keys deserve particular attention during investigations. The UserAssist key at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist records applications executed by the user, with the value names stored ROT-13 encoded. The MUICache at NTUSER.DAT\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache tracks executables that have been run. The ShimCache (AppCompatCache) at SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache logs executables present on the system, whether or not they were run by the current user. Use Registry Explorer or RegRipper to parse these hives efficiently outside of a live system: rip.exe -r NTUSER.DAT -p userassist extracts UserAssist data in human-readable form.
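The decoding that RegRipper's userassist plugin performs, as an added example written for this guide (not RegRipper's code): the value name is un-ROT-13'd and the binary value is unpacked for run count, focus count, focus time and last-run FILETIME. The 72-byte Windows 7+ value layout (run count at offset 4, FILETIME at offset 60) is an assumption stated in the docstring; the 16-byte XP layout is rejected rather than parsed. The sample name and value are constructed in code, not read from a real NTUSER.DAT.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; zero means never run."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def decode_userassist(value_name, blob):
    """Decode one value under UserAssist\\{GUID}\\Count (assumed Windows 7+ 72-byte layout).
    Offsets: 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    16..59 ten floats (not used here), 60 last-run FILETIME, 68 padding."""
    if len(blob) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(blob)} (XP used 16 bytes)")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", blob, 0)
    (last_run_ft,) = struct.unpack_from("<Q", blob, 60)
    return {"program": codecs.decode(value_name, "rot_13"),  # the whole name is ROT-13, GUID included
            "run_count": run_count, "focus_count": focus_count,
            "focus_seconds": focus_ms / 1000, "last_run": filetime_to_dt(last_run_ft)}

def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Constructed 72-byte value for testing (not data from a real hive)."""
    ft = int((last_run - EPOCH).total_seconds() * 10_000_000)
    return (struct.pack("<4I", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)

# Constructed sample: the System32 known-folder GUID followed by cmd.exe, stored ROT-13 encoded
# exactly as a value name would be. ROT-13 is its own inverse, so encoding it here is the
# same operation the parser undoes.
SAMPLE_PLAIN = r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe"
SAMPLE_NAME = codecs.encode(SAMPLE_PLAIN, "rot_13")
SAMPLE_BLOB = build_sample_value(7, 3, 125_000, datetime(2024, 3, 15, 9, 12, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("stored value name:", SAMPLE_NAME)
    for key, value in decode_userassist(SAMPLE_NAME, SAMPLE_BLOB).items():
        print(f"  {key}: {value}")
```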
Email Artifact Investigation on Modern Windows
Email remains a primary vector for both data exfiltration and initial compromise, making email artifact analysis a critical component of any Windows investigation. Modern Windows environments typically use Microsoft 365 or Outlook as the primary mail client, each leaving distinct artifacts on the local system.
Outlook and Microsoft 365 Artifacts
When Outlook is configured with a local data store, it creates OST (Offline Storage Table) or PST (Personal Storage Table) files that may contain cached copies of emails, attachments, contacts, and calendar data. These files are typically located at C:\Users\[username]\AppData\Local\Microsoft\Outlook\. Even when a user deletes emails, the data often remains recoverable from OST files using forensic tools capable of parsing MAPI-formatted data.
- OST files cache cloud mailbox data locally and persist after account disconnection
- PST files are portable archives that may be moved or hidden by users attempting to conceal email activity
- Outlook search indexes stored in C:\Users\[username]\AppData\Local\Microsoft\Outlook\RoamCache\ can reveal search terms used by the user
- Attachment temporary files in C:\Users\[username]\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ may retain copies of opened attachments
For organizations relying on cloud-based Microsoft 365, local artifacts may be minimal. In these cases, administrative access to the Microsoft 365 compliance portal is essential for email preservation and export. Ensuring a robust Microsoft 365 backup strategy is in place before an incident occurs means that investigators can access historical mailbox data without depending on Microsoft’s retention policies, which may not align with investigative timelines.
Establishing User Attribution in Investigations
Connecting artifacts to a specific user is often the most critical – and most contested – step in a forensic investigation. Windows provides several mechanisms for establishing attribution beyond simple file ownership.
Combining Artifacts for Attribution
Effective user attribution requires correlating multiple artifact sources rather than relying on any single indicator. A robust attribution case combines login event logs with artifact timestamps, physical access records, and behavioral patterns.
- Windows Event Log at C:\Windows\System32\winevt\Logs\Security.evtx records logon events (Event ID 4624), logoff events (Event ID 4634), and failed logon attempts (Event ID 4625) with associated usernames and logon types
- Prefetch files at C:\Windows\Prefetch\ log executable names, run counts, and last run timestamps – parse with PECmd: PECmd.exe -d C:\Windows\Prefetch --csv C:\output
- Windows Timeline database at C:\Users\[username]\AppData\Local\ConnectedDevicesPlatform\[GUID]\ActivitiesCache.db records application usage and file activity with precise timestamps
- SRUM (System Resource Usage Monitor) database at C:\Windows\System32\sru\SRUDB.dat tracks application network usage, data sent and received, and execution duration per user
When multiple independent artifact sources converge on the same user account performing the same actions within the same time window, the resulting attribution is difficult to credibly dispute. Document each artifact source separately and note the methodology used to correlate them.
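One concrete form of the correlation described above, added as example code for this guide (not a tool from the article): 4624/4634 events are paired into logon sessions by Logon ID, and each Prefetch last-run time is attributed to the users whose interactive session (logon types 2, 10, 11 assumed as the "person present" set) covered it. Executions with no covering interactive session are returned with an empty user list so they stand out for follow-up. The event and Prefetch rows are constructed to look like exported Security.evtx and PECmd output, not real data.

```python
from datetime import datetime, timezone

def ts(s):
    """UTC timestamp helper for the constructed sample data."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Logon types that put a person at the console or in an RDP session: 2 Interactive,
# 10 RemoteInteractive, 11 CachedInteractive. Network (3) and Service (5) are excluded on purpose.
INTERACTIVE_TYPES = {2, 10, 11}

def build_sessions(events):
    """Pair 4624 logons with 4634 logoffs by Logon ID; a session with no logoff stays open."""
    sessions, open_by_id = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4624:
            session = {"user": ev["user"], "type": ev["type"], "start": ev["time"], "end": None}
            open_by_id[ev["logon_id"]] = session
            sessions.append(session)
        elif ev["id"] == 4634 and ev["logon_id"] in open_by_id:
            open_by_id.pop(ev["logon_id"])["end"] = ev["time"]
    return sessions          # 4625 failures and unmatched logoffs are ignored here

def attribute(executions, sessions):
    """For each Prefetch last-run time, list users whose interactive session covered it."""
    result = []
    for ex in executions:
        users = sorted({s["user"] for s in sessions if s["type"] in INTERACTIVE_TYPES
                        and s["start"] <= ex["time"]
                        and (s["end"] is None or ex["time"] <= s["end"])})
        result.append({"exe": ex["exe"], "time": ex["time"], "users": users})
    return result

# Constructed sample rows shaped like Security.evtx exports and PECmd CSV output.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "alice", "type": 2, "logon_id": "0x3E7A1", "time": ts("2024-03-15 08:55:00")},
    {"id": 4624, "user": "svc_backup", "type": 5, "logon_id": "0x3E5", "time": ts("2024-03-15 09:00:00")},
    {"id": 4625, "user": "bob", "type": 10, "logon_id": "0x0", "time": ts("2024-03-15 09:05:00")},
    {"id": 4624, "user": "bob", "type": 3, "logon_id": "0x4A210", "time": ts("2024-03-15 09:30:00")},
    {"id": 4634, "user": "alice", "type": 2, "logon_id": "0x3E7A1", "time": ts("2024-03-15 12:10:00")},
]
SAMPLE_PREFETCH = [
    {"exe": "CMD.EXE", "time": ts("2024-03-15 09:15:00")},
    {"exe": "POWERSHELL.EXE", "time": ts("2024-03-15 13:00:00")},   # after alice logged off
]

if __name__ == "__main__":
    for row in attribute(SAMPLE_PREFETCH, build_sessions(SAMPLE_EVENTS)):
        print(row["time"], row["exe"], "->", row["users"] or "no interactive session covers this time")
```

Prefetch only keeps the last run (plus a few recent run times on Windows 8+), so an execution attributed this way should still be cross-checked against Timeline and SRUM rows before it goes into a report.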
Forensic Readiness Preparation
The best time to prepare for a forensic investigation is long before an incident occurs. Forensic readiness means configuring systems, policies, and procedures in advance so that when something goes wrong, the evidence needed to investigate is already being collected and preserved.
Key Preparation Steps
- Enable and configure Windows audit policies to capture logon events, object access, process creation, and privilege use – without these, Event Logs will be largely empty during an investigation
- Increase Event Log maximum sizes beyond the default to extend retention: Security log should be set to at least 256 MB in high-security environments
- Enable PowerShell Script Block Logging via Group Policy to capture PowerShell commands executed on endpoints
- Deploy Sysmon (System Monitor) from Sysinternals to capture detailed process creation, network connection, and file creation events beyond what native logging provides
- Establish a documented chain of custody process before any incident occurs, including approved forensic imaging tools and evidence storage locations
- Regularly test forensic procedures through tabletop exercises and simulated incident scenarios
Forensic readiness also depends on having resilient data infrastructure. Organizations should maintain comprehensive disaster recovery capabilities that include verified, offline backups of critical systems. These backups serve double duty – they protect against ransomware and system failures while also providing pre-incident snapshots that investigators can compare against post-incident system states to identify exactly what changed and when. Engaging IT security consulting expertise during the preparation phase ensures that logging configurations, retention policies, and incident response playbooks are aligned with both forensic best practices and applicable compliance requirements before an incident forces the issue.
Conclusion
Windows digital forensics is a discipline that rewards preparation and systematic methodology. By understanding how NTFS stores file metadata, how LNK files record user access patterns, how Rifiuti2 extracts Recycle Bin evidence, and how the registry chronicles nearly every significant system and user action, IT security teams can build comprehensive, defensible investigations from the artifacts that Windows leaves behind. The key is combining multiple evidence sources, maintaining strict forensic integrity, and documenting every step of the investigation process to ensure findings hold up under scrutiny. If your organization needs support building a forensic readiness program or responding to an active incident, contact the SSE team at https://clients.sse.to/contact.php to discuss how we can help you investigate, contain, and recover from security incidents with confidence.
