Overview
This project explores how digital forensic analysts investigate Windows systems by analyzing forensic artifacts that record program execution, user activity, and system events.
To gain hands-on experience with digital forensics and incident response, I built a Windows investigation lab in Microsoft Azure and analyzed several important Windows artifacts commonly used during DFIR investigations.
The goal of this lab was to understand how investigators reconstruct system activity by correlating evidence across multiple artifacts.
Lab Environment
Platform
Microsoft Azure Virtual Machine
Operating System
Windows Server
Analysis Tools
- Eric Zimmerman DFIR Tools
- PECmd (Prefetch parser)
- EvtxECmd (Windows Event Log parser)
- Registry Explorer
- PowerShell
The Azure VM served as a controlled environment where activity could be generated and forensic artifacts collected for analysis.
Evidence Collection
Forensic artifacts were collected directly from the Windows system and copied into a separate Evidence directory before analysis. This follows standard forensic practice: investigators work on copies, hash those copies at collection time so later results can be tied to a fixed version of the evidence, and leave the original system files untouched. Some artifacts (the Amcache hive and a logged-on user's NTUSER.DAT) are held open by the operating system, so they cannot simply be copied from a running machine even with administrative rights; a raw-copy tool or a volume shadow copy is needed for those.
Investigation Workflow
The investigation followed a simplified DFIR workflow:
- Identify relevant Windows forensic artifacts
- Collect artifacts from the system
- Parse artifacts using forensic tools
- Analyze the results to reconstruct system activity
The artifacts analyzed in this lab were selected because they commonly appear in real-world digital forensic investigations.
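The collection and parsing steps above, as an added example rather than a script from the original lab. It assumes an elevated PowerShell session, that Eric Zimmerman's tools are unpacked in C:\Tools\EZ, and that C:\Evidence is the evidence root; all three paths are assumptions. The command-line flags used (-d, -f, --csv) are the ones the tools document.

```powershell
# Added example (not the lab's own script): collect the Windows artifacts discussed on
# this page into an Evidence directory, hash them, then parse them with EZ tools.
# Assumptions: elevated session, tools in C:\Tools\EZ, evidence root C:\Evidence.
$Evidence = 'C:\Evidence'
$Tools    = 'C:\Tools\EZ'
$Out      = Join-Path $Evidence 'Parsed'
New-Item -ItemType Directory -Force -Path "$Evidence\Prefetch", "$Evidence\Registry",
    "$Evidence\Logs", $Out | Out-Null

# 1. Prefetch: the .pf files are ordinary files, so a plain copy is sufficient.
#    (On Windows Server this directory is usually empty; prefetching is off by default.)
Copy-Item "$env:SystemRoot\Prefetch\*.pf" "$Evidence\Prefetch" -ErrorAction SilentlyContinue

# 2. Security event log: wevtutil exports a consistent copy of the live channel.
wevtutil.exe epl Security "$Evidence\Logs\Security.evtx"

# 3. SYSTEM hive (contains ShimCache): reg save writes a consistent hive snapshot.
reg.exe save HKLM\SYSTEM "$Evidence\Registry\SYSTEM" /y | Out-Null

# 4. Amcache.hve and the logged-on user's NTUSER.DAT are locked while Windows runs.
#    Copy-Item fails on them; use a raw-copy tool (e.g. KAPE from the same toolkit) or a
#    volume shadow copy, then drop the files into $Evidence\Registry.

# Hash everything collected before any tool touches it. The manifest is the reference
# point for "this analysis was done on exactly these bytes".
Get-ChildItem -Path $Evidence -Recurse -File |
    Where-Object { $_.FullName -notlike "$Out*" } |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv "$Evidence\manifest.csv" -NoTypeInformation

# Parse the copies, never the originals. Each tool writes CSV into $Out.
& "$Tools\PECmd.exe"                -d "$Evidence\Prefetch"             --csv $Out
& "$Tools\EvtxECmd.exe"             -f "$Evidence\Logs\Security.evtx"  --csv $Out
& "$Tools\AppCompatCacheParser.exe" -f "$Evidence\Registry\SYSTEM"     --csv $Out
# Once Amcache.hve has been obtained with a raw-copy tool:
# & "$Tools\AmcacheParser.exe"      -f "$Evidence\Registry\Amcache.hve" --csv $Out
```

Hashing before parsing matters more than it looks: EvtxECmd and PECmd only read their inputs, but a manifest taken first is what lets you show that nothing changed between collection and analysis.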
Artifact Analysis
1. Amcache
Location
C:\Windows\AppCompat\Programs\Amcache.hve
Purpose
Amcache records metadata about executables and installed applications the system has seen, including the full path, file size, compile time, and a SHA-1 hash of the file (computed over the first 31 MB).
Evidence Extracted
- Program paths and SHA-1 hashes
- File metadata (size, compile time, version information)
- Application installation traces
Amcache confirms that a file existed on the system at a given path and what its hash was, which makes it useful for matching against known-bad hashes. On Windows 10 and later an Amcache entry by itself is not proof that the file was executed; execution should be corroborated with Prefetch, UserAssist, or event logs.
2. ShimCache (AppCompatCache)
Location
Stored in the SYSTEM registry hive under ControlSet00X\Control\Session Manager\AppCompatCache (the AppCompatCache binary value)
Purpose
ShimCache (the Application Compatibility Cache) records executables that the compatibility infrastructure examined, together with each file's path and last-modified timestamp. It is held in memory and flushed to the registry on shutdown or reboot, so a live system's registry view lags behind the most recent activity.
Evidence Extracted
- Paths of executables present on the system
- The file's last-modified ($STANDARD_INFORMATION) timestamp, which is not an execution time
- Insertion order (most recent entries first)
On Windows 7 and earlier, ShimCache entries carry a flag indicating execution. On Windows 8, Server 2012 and later that flag is gone: an entry proves the file existed at that path and was inspected, not that it ran, so it should be correlated with Prefetch, Amcache, or Event ID 4688 before asserting execution.
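The ShimCache layout described above, parsed by hand from the collected SYSTEM hive rather than read back through a tool. This is an added example, not code from the lab: it assumes the hive copy sits at C:\Evidence\Registry\SYSTEM, an elevated session (reg load requires one), and the Windows 10 / Server 2016 and later entry format, in which each record starts with the ASCII tag "10ts". The hive-load name EvidenceSYSTEM is arbitrary.

```powershell
# Added example (not from the original lab): parse ShimCache entries out of a saved
# SYSTEM hive. Assumes C:\Evidence\Registry\SYSTEM, elevation, and the "10ts"
# entry layout used by Windows 10 / Server 2016+. Older builds use other tags and
# the loop below simply stops at the first entry it does not recognise.
$Hive = 'C:\Evidence\Registry\SYSTEM'
reg.exe load HKLM\EvidenceSYSTEM $Hive | Out-Null
try {
    # Select\Current tells us which ControlSet was live when the hive was saved.
    $current = (Get-ItemProperty 'HKLM:\EvidenceSYSTEM\Select' -Name Current).Current
    $key = 'HKLM:\EvidenceSYSTEM\ControlSet{0:D3}\Control\Session Manager\AppCompatCache' -f $current
    [byte[]]$blob = (Get-ItemProperty -Path $key -Name AppCompatCache).AppCompatCache

    # First DWORD is the header length (0x30 or 0x34 on Windows 10 builds); entries follow it.
    $offset  = [BitConverter]::ToInt32($blob, 0)
    $entries = [System.Collections.Generic.List[object]]::new()
    while ($offset + 14 -le $blob.Length) {
        # Entry: "10ts"(4) | unknown(4) | entry size(4) | path length(2) | UTF-16 path |
        #        FILETIME last-modified(8) | data size(4) | data
        if ([Text.Encoding]::ASCII.GetString($blob, $offset, 4) -ne '10ts') { break }
        $entrySize = [BitConverter]::ToInt32($blob, $offset + 8)
        $pathLen   = [BitConverter]::ToUInt16($blob, $offset + 12)
        $path      = [Text.Encoding]::Unicode.GetString($blob, $offset + 14, $pathLen)
        $fileTime  = [BitConverter]::ToInt64($blob, $offset + 14 + $pathLen)
        $entries.Add([pscustomobject]@{
            Order           = $entries.Count      # 0 = most recently inserted
            Path            = $path
            # This is the file's modification time, not when it ran.
            FileModifiedUtc = if ($fileTime -gt 0) { [DateTime]::FromFileTimeUtc($fileTime) } else { $null }
        })
        $offset += 12 + $entrySize                 # 12-byte entry header + data
    }
    $entries | Format-Table -AutoSize
}
finally {
    # The registry provider can keep the key handle alive; collect before unloading.
    [gc]::Collect()
    reg.exe unload HKLM\EvidenceSYSTEM | Out-Null
}
```

Two things the output makes visible that a CSV from a parser tends to hide: the timestamp column is the executable's own modification time, so a freshly compiled tool can sit next to a system binary from years ago, and the Order column is the only chronology ShimCache offers. Compare the result with AppCompatCacheParser's CSV from the same hive as a sanity check.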
3. Prefetch
Location
C:\Windows\Prefetch
Purpose
Prefetch files (*.pf) record which files and directories an executable touched during roughly its first ten seconds, so Windows can preload them on the next launch. Each .pf file also carries the executable name, a hash of its path, a run count and the last run time (the last eight run times on Windows 8 and later). Because a .pf file is created only when the program actually runs, Prefetch is strong evidence that an application was executed, and when. Note that prefetching is disabled by default on Windows Server editions, and the cache is capped at 1,024 files on Windows 8 and later.
Analysis Tool
PECmd
Evidence Extracted
- Program execution timestamps (last run, plus up to seven earlier runs)
- Execution frequency (run count)
- Files and directories referenced during execution, including the volume they lived on
Example findings included execution activity for applications such as:
- Notepad
- Microsoft Edge
- Windows Terminal
- Windows Explorer
- Server Manager
4. UserAssist
Location
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Purpose
UserAssist records applications launched through Explorer, i.e. the graphical user interface. Value names are ROT13-encoded and grouped under two GUID subkeys: {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} for executables and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} for shortcut (.lnk) launches. Programs started from a command line or spawned by another process do not appear here.
Analysis Tool
Registry Explorer
Evidence Extracted
- Program launch history
- Run counts
- Last execution timestamps
UserAssist provides insight into user-driven application activity within the operating system. Because it lives in the user's own hive, it attributes activity to a specific account rather than to the machine as a whole, which Prefetch and ShimCache cannot do.
5. Windows Event Logs
Location
C:\Windows\System32\winevt\Logs
Log Analyzed
Security.evtx
Analysis Tool
EvtxECmd
The Security log records authentication and security-related events on the system.
Results
- Parsed 3,696 security events
- Extracted authentication activity and system event timelines
Important events observed included:
| Event ID | Description |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon attempt |
| 4688 | Process creation |
| 1102 | Security log cleared |
These logs help investigators build a timeline of system activity and detect suspicious behavior. Two caveats apply when reading the table: 4688 is only written when process-creation auditing is enabled (it is off by default), and the process command line is included in it only if the separate "Include command line in process creation events" policy is also on. 4624 and 4625 carry a LogonType field (2 = interactive console, 3 = network, 10 = RemoteInteractive/RDP) that is essential for telling a local login from a remote one.
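A triage of the four event IDs in the table, run over the exported Security.evtx. This is an added example and not part of the lab's own analysis; it assumes the export is at C:\Evidence\Logs\Security.evtx. Fields are pulled from the event XML rather than the rendered message text, so the script does not depend on the system's display language.

```powershell
# Added example (not from the original lab): triage 4624/4625/4688/1102 in an exported
# Security.evtx. Assumes the file is at C:\Evidence\Logs\Security.evtx.
$Log    = 'C:\Evidence\Logs\Security.evtx'
$events = Get-WinEvent -FilterHashtable @{ Path = $Log; Id = 4624, 4625, 4688, 1102 } -ErrorAction SilentlyContinue

# Read a named EventData field from the event's XML (message text is locale-dependent).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        ForEach-Object { $_.'#text' }
}

# Failed logons grouped by account and source: many failures from one source against one
# account is brute force; one or two per account across many accounts is a password spray.
Write-Host "== 4625 failed logons by account/source =="
$events | Where-Object Id -eq 4625 | ForEach-Object {
    [pscustomobject]@{
        Account = Get-EventField $_ 'TargetUserName'
        Source  = Get-EventField $_ 'IpAddress'
        Status  = Get-EventField $_ 'Status'        # 0xC000006D = bad username or password
    }
} | Group-Object Account, Source, Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Successful logons with their type; a 4624 type 10 following a burst of 4625 from the
# same source is the classic "brute force succeeded" pattern.
Write-Host "== 4624 successful logons (console, network, RDP) =="
$events | Where-Object Id -eq 4624 | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = Get-EventField $_ 'TargetUserName'
        LogonType = [int](Get-EventField $_ 'LogonType')
        Source    = Get-EventField $_ 'IpAddress'
    }
} | Where-Object { $_.LogonType -in 2, 3, 10 } | Format-Table -AutoSize

# Process creations: only present if process auditing was enabled on the source system.
Write-Host "== 4688 process creations =="
$events | Where-Object Id -eq 4688 | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = Get-EventField $_ 'SubjectUserName'
        Process = Get-EventField $_ 'NewProcessName'
        Parent  = Get-EventField $_ 'ParentProcessName'
    }
} | Format-Table -AutoSize

# 1102 uses UserData\LogFileCleared rather than EventData, so it is read separately.
Write-Host "== 1102 log cleared =="
$events | Where-Object Id -eq 1102 | ForEach-Object {
    $who = ([xml]$_.ToXml()).Event.UserData.LogFileCleared.SubjectUserName
    "{0}  Security log cleared by {1}" -f $_.TimeCreated, $who
}
```

The 1102 check is the one to run first: if the log was cleared, everything before that timestamp is missing from this file, and the event count (3,696 here) only describes what survived.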
Challenges Encountered
Prefetch artifacts not present on the VM
When examining the system, the C:\Windows\Prefetch directory did not contain usable Prefetch artifacts for analysis. This is expected on a Windows Server VM: Server editions ship with prefetching disabled (the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters is 0, rather than 3 as on desktop Windows), so program execution does not produce .pf files at all. An empty Prefetch directory on a server is therefore not evidence that nothing ran, and the VM did not provide sufficient artifact data for meaningful investigation.
To continue practicing Prefetch analysis, I obtained sample Prefetch artifacts from Eric Zimmerman’s DFIR datasets on GitHub. These artifacts were placed into the Evidence/Prefetch directory and parsed using PECmd.
Using publicly available forensic datasets is common in DFIR training and allows investigators to practice analyzing artifacts even when real evidence is not available.
Tool execution path issues
While parsing Windows Event Logs using EvtxECmd, PowerShell initially returned an error indicating that the command could not be recognized. Two things contribute to this: the tool has to be in the working directory (or on PATH), and, unlike cmd.exe, PowerShell does not search the current directory for executables, so even a correctly located EvtxECmd.exe is "not recognized" when typed without a path prefix.
After navigating to the correct folder and executing the command with an explicit relative path, .\EvtxECmd.exe, the logs were successfully parsed and exported. Using the full path to the tool, or adding its folder to PATH, avoids the problem regardless of the current directory.
Artifact access permissions
Certain forensic artifacts required administrative privileges to access: the Prefetch directory, the Security event log and the SYSTEM hive are all readable only from an elevated session. Running PowerShell as an administrator allowed successful extraction and parsing of these files. Elevation does not help with files Windows holds open, such as Amcache.hve or the NTUSER.DAT of a logged-on user; those still need a raw-copy tool or a volume shadow copy.
Key Takeaways
This investigation demonstrates how multiple forensic artifacts can be correlated to reconstruct activity on a Windows system.
Key observations from the lab include:
- Multiple artifacts can confirm program execution
- Registry artifacts reveal user-driven activity
- Event logs provide authentication and system timelines
- DFIR tools allow efficient parsing of large volumes of forensic evidence
Skills Practiced
- Windows forensic artifact analysis
- Registry investigation
- Event log analysis
- Evidence collection and preservation
- Digital forensics investigation workflow
Tools Used
- Eric Zimmerman DFIR Tools
- PECmd
- EvtxECmd
- Registry Explorer
- PowerShell
- Microsoft Azure
Brute Force Attack Detection using Splunk