Windows Forensics Β· Canonical Hub Β· 2026

Windows Forensics Services and Expert Analysis

Independent, court-qualified Windows forensic examiners for criminal defense, civil litigation, family law, and corporate investigations. We analyze digital evidence, user activity, files, logs, registry hives, and system artifacts on Windows 10 and Windows 11 computers, servers, and virtual machines.

Quick Answer. Windows forensics is the disciplined recovery, preservation, and analysis of digital evidence from Windows computers. A Windows forensic examination reconstructs which user account was active, which files were opened, created, modified, or deleted, which USB devices were connected, which programs ran, which websites were visited, and whether remote access occurred. Findings rely on registry hives (SYSTEM, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat), Windows event logs, NTFS metadata (MFT, USN journal, $LogFile), Prefetch, Amcache, Shimcache, SRUM, BAM, Volume Shadow Copies, and browser data. When acquisition and analysis follow accepted procedures (write-blocked imaging, hash verification, documented chain of custody), the resulting findings are admissible under Federal Rule of Evidence 702 and Daubert.

What Windows forensics covers

Windows powers the majority of desktops, laptops, workstations, and business servers in the United States. That share is why Windows evidence appears in nearly every kind of matter we handle: employment disputes, trade secret theft, insider data exfiltration, unauthorized access allegations, matrimonial disputes, criminal defense, and cyber incident response. A properly scoped Windows forensic examination answers concrete, decision-ready questions:

  • Who was logged into this computer at a specific date and time?
  • Which files were opened, created, changed, deleted, or renamed?
  • Which USB drives, phones, or external devices were connected?
  • Which programs ran, and were they run interactively by the user or by the system?
  • Was the computer accessed remotely, and by whom?
  • What was searched, visited, downloaded, or uploaded?
  • Does the technical record support or contradict a factual claim?

The Windows evidence surface at a glance

Every action on a Windows computer leaves traces across multiple, independent artifacts. That redundancy is what makes Windows forensics reliable, because a single deleted or wiped artifact rarely defeats the analysis when four or five others corroborate the same event.

CategoryPrimary artifactsWhat it answers
Account activitySecurity event log (4624, 4625, 4634, 4648, 4672, 4720), SAM hive, LogonUIWho logged in, when, from where, using which credentials
User configurationNTUSER.DAT, UsrClass.dat, SOFTWARE hivePer-user preferences, installed apps, recent activity
File activity$MFT, $LogFile, $UsnJrnl, LNK shortcuts, ShellBags, RecentDocs, jump listsFiles created, opened, modified, deleted, renamed
Program executionPrefetch, Amcache.hve, Shimcache, BAM, DAM, SRUM, UserAssistWhich executables ran, when, and by which user
External devicesUSBSTOR, MountedDevices, MountPoints2, setupapi.dev.logWhich USB drives, phones, cameras were connected
Remote accessTerminalServices-LocalSessionManager, RemoteConnectionManager, 4778/4779, RDPCacheRemote Desktop, remote assistance, and remote access tools
Internet activityChrome History, Edge WebCacheV01.dat, Firefox places.sqlite, IE index.datSites visited, downloads, search terms, cached content
System stateVolume Shadow Copies, System Restore, hibernation file, pagefileHistorical states, deleted data, memory residue

Windows registry: the operating system’s memory

The Windows registry is a hierarchical database of configuration data that Windows and installed applications read and write continuously. For a forensic examiner, the registry is a chronological record of user behavior, hardware history, and program state. Five hives carry the bulk of the evidence.

  • SYSTEM: hardware enumeration (USB, disks, network adapters), services, control set, computer name.
  • SOFTWARE: installed applications, Windows version and install date, Uninstall entries, Amcache references.
  • SAM: local user accounts, SIDs, last logon, password change dates, group membership.
  • SECURITY: local security policy and cached credentials.
  • NTUSER.DAT (per user): recently opened files, typed paths, TypedURLs, UserAssist (GUI program launches with run counts and last executed time), MountPoints2, Shellbags.
  • UsrClass.dat (per user): additional Shellbags, associations, and Explorer state.

Volume Shadow Copies routinely preserve older versions of registry hives, letting us compare state across days, weeks, or months. Registry timestamps and value data together produce hard evidence about what a specific user did on a specific machine.

Windows event logs: the audit trail

Modern Windows records tens of thousands of structured events per day across roughly two dozen active event log files stored at C:\Windows\System32\winevt\Logs\*.evtx. The most forensically relevant channels are Security, System, Application, and specialized channels for RDP, PowerShell, task scheduling, and USB device installs. Event IDs that carry the most evidentiary weight include:

  • 4624 logon success (logon type identifies interactive vs network vs RDP vs unlock)
  • 4625 logon failure (with reason and account name)
  • 4634 / 4647 logoff
  • 4648 logon using explicit credentials (runas)
  • 4672 special privileges assigned to logon
  • 4720 / 4726 account created / deleted
  • 4778 / 4779 session reconnect / disconnect (RDP indicator)
  • 1149 RDP user authentication succeeded (RemoteConnectionManager)
  • 4688 process creation (when command line auditing is enabled)

Event logs can be cleared (Event ID 1102 records that), but clearance itself is an audit event, and shadow copies frequently retain earlier .evtx files.

File system and user activity

NTFS is not just a file system; it is a transactional log. Every file operation touches the Master File Table ($MFT), the transaction log ($LogFile), and the change journal ($UsnJrnl:$J). Together they let us reconstruct file lifecycle events (create, rename, modify, delete) at millisecond resolution for millions of files. On top of that, Windows Explorer and the shell write user-attributable artifacts every time a user opens a folder, saves a document, or runs a program:

  • LNK shortcut files in Recent and Office Recent record target path, target size, MAC times, and volume serial.
  • Jump lists (AutomaticDestinations and CustomDestinations) show which files a user opened in each pinned application.
  • ShellBags in the user hives preserve every folder a user browsed in Explorer, including on removable and network volumes that no longer exist.
  • RecentDocs, TypedPaths, and OpenSavePidlMRU record recently opened, typed, and dialog-selected paths.
  • Thumbnail caches (thumbcache_*.db) preserve image previews after the images themselves are deleted.

Program execution artifacts

Windows tracks program execution in several parallel, mutually corroborating locations. No single artifact is authoritative on its own; taken together they answer the question “did this executable run on this machine, when, and by whom” with high confidence.

  • Prefetch (C:\Windows\Prefetch\*.pf): last eight run times, run count, and file references for the previous execution.
  • Amcache.hve: SHA-1 of executables, first-seen time, publisher, and product for programs registered by the Program Compatibility Assistant.
  • Shimcache (AppCompatCache in SYSTEM): last modification time and path of executed binaries, useful even when Prefetch is disabled.
  • BAM and DAM (SYSTEM hive): background and desktop activity moderator entries showing last execution time per SID.
  • SRUM (SRUDB.dat): 30 to 60 days of process, network, and energy usage keyed by SID and executable path.
  • UserAssist (NTUSER.DAT): ROT13-encoded record of GUI programs launched from the Start menu or Explorer, with run counts and last executed timestamps.

External devices, remote access, and browsing

Three questions dominate insider and unauthorized-access work: what plugged in, who connected remotely, and what did the user browse or search. Windows answers all three, in depth.

  • USB and external storage: USBSTOR, MountedDevices, per-user MountPoints2, and setupapi.dev.log capture vendor, product, and unique serial for each device ever attached, plus per-user attribution and first-install time.
  • Remote Desktop: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational and RemoteConnectionManager/Operational (Event IDs 21, 22, 24, 25, 39, 40, 1149) show connect/disconnect and source IP; RDP bitmap cache can even reveal fragments of what was displayed.
  • Browsing history: Chrome and Edge (Chromium) store history, downloads, autofill, and searches in History SQLite databases; Firefox uses places.sqlite; legacy IE data lives in WebCacheV01.dat. Cache, cookies, and downloaded files corroborate the URL record.

Speak with a court-qualified Windows examiner

Free, confidential 20 minute consultation. We will scope the analysis, tell you what the evidence can and cannot show, and quote in writing.

Request Confidential Consultation

Building a Windows forensic timeline

A timeline is the single most persuasive product of a Windows forensic exam. We combine file system metadata, event logs, registry timestamps, prefetch, browser history, and application logs into a unified chronological record. Small facts corroborate each other: a Security 4624 interactive logon at 09:14, a USBSTOR key updated at 09:15, a LNK file pointing to E:\Q3_pricing.xlsx at 09:17, an Excel jumplist entry at 09:18, a Prefetch update to EXCEL.EXE-*.pf at 09:18, and a Chrome download at 09:22 all describe the same twenty minute window with independent, tamper-resistant sources.

Anti-forensics, evidence preservation, and what to avoid

The single biggest mistake in a Windows matter is continuing to use the computer after an incident is suspected. Every reboot, every login, every application launch overwrites artifacts, updates timestamps, ages Prefetch entries, and may trigger scheduled cleaners. If preservation matters, isolate the device and image it under controlled conditions. Common anti-forensics techniques (registry cleaners, secure delete utilities, timestamp manipulation, hibernation file scrubbing) rarely defeat a competent examination because most of them miss the corroborating artifacts (event logs, shadow copies, application-specific logs, cloud sync caches, remote endpoint records).

Windows 10 vs Windows 11: what changed for examiners

AreaWindows 10Windows 11
Timeline / Activity HistoryActivitiesCache.db populatedActivitiesCache.db largely deprecated; SRUM, Prefetch, and Amcache remain
Recall / SnapshotsNot availableWindows Recall (Copilot+ PCs) can produce timestamped screenshots and OCR text where enabled
Default browser dataEdge (Chromium) or ChromeEdge (Chromium), still SQLite-based
TPM / BitLockerCommon on business hardwareRequired for setup on most consumer hardware
Account modelLocal or Microsoft accountMicrosoft account strongly preferred, more OneDrive integration

Common misconceptions

  • “Deleting the file removes the evidence.” Not on NTFS. The MFT record, USN journal entry, shadow copy, LNK, jumplist, and thumbnail cache commonly survive.
  • “BitLocker means you can’t examine the drive.” BitLocker protects data at rest. When the drive is unlocked or a recovery key is available, examination proceeds normally. Even sealed, some metadata remains recoverable outside the encrypted volume.
  • “If a user cleared event logs, we’re done.” Log clearance is itself logged (Event ID 1102), and Volume Shadow Copies frequently retain earlier logs.
  • “SSDs erase everything with TRIM.” TRIM affects unallocated space over time; allocated files, MFT records, shadow copies, and application-specific artifacts are unaffected.
  • “Windows only tracks the last USB device.” Windows retains a record of every USB storage device it has ever enumerated, subject to cleanup.

When Windows forensics applies

  • Employment: alleged data theft, policy violation, harassment, or resignation with a suspicious download pattern.
  • Civil: trade secret cases, contract disputes over authorship or timing, family law matters involving computer evidence.
  • Criminal defense: alleged unauthorized access, evidence tampering, planting, or timing challenges.
  • Incident response: business email compromise, ransomware, insider threat, third-party access.
  • Regulatory: HIPAA, PCI, financial services, and government audit response.

When Windows forensics does not apply

  • The activity of interest happened only on a phone, a cloud tenant, or a non-Windows server. Ask us about the correct forensic surface.
  • The device has been wiped and reimaged with no image, shadow copy, or backup preserved. In that case we assess what remains available from other endpoints, network telemetry, or cloud.

How Elite Digital Forensics helps

We are independent, defense-aligned Windows forensic examiners retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every Windows matter we take begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected.

What you get

  • Independent scoping call: what is realistic, what is not, and what it will cost.
  • Hash-verified acquisition (E01/AFF4/raw), following NIST SP 800-86 aligned procedures.
  • Analysis of registry, event logs, file system, program execution, USB, remote access, and browsing.
  • Plain-English written report, exhibits, and, where required, a full forensic timeline.
  • Court-qualified expert witness testimony under Federal Rule of Evidence 702 and Daubert.

About Elite Digital Forensics

Elite Digital Forensics is a nationwide, defense-aligned digital forensics practice staffed by former law enforcement forensic examiners and court-qualified experts. Our work spans criminal defense, civil litigation, family law, and corporate internal investigations. When retained through counsel, our work product is protected. All engagements begin with a free confidential consultation.

Related Windows forensics resources

Frequently asked questions

What is Windows forensics?

Windows forensics is the disciplined recovery, preservation, and analysis of digital evidence from Windows computers. It reconstructs what a user did, when they did it, and which files, devices, applications, and network resources were involved, using registry hives, event logs, file system metadata, prefetch, amcache, shimcache, SRUM, browser history, and dozens of related artifacts.

What can Windows forensics prove?

It can typically prove which user account was logged in at a given moment, which files were opened, created, modified, or deleted, which USB devices were connected, which programs ran, which websites were visited, and whether remote access occurred. It can also often rule out claims of unauthorized access, malware, or evidence tampering.

How long does a Windows forensic examination take?

A focused examination of a single Windows computer typically takes two to six weeks depending on drive size, scope, and encryption. Urgent matters can be prioritized. Timelines are set in writing at engagement.

Can Windows forensics recover deleted files?

Often yes. Deleted files may remain in unallocated space, in the MFT, in shadow copies, in system restore points, or in cloud sync caches. Whether a specific file is recoverable depends on when it was deleted, how the drive has been used since, and whether TRIM has run on an SSD.

Is Windows forensic evidence admissible in court?

Yes, when acquisition and analysis follow accepted forensic procedures (write-blocked imaging, hash verification, documented chain of custody, reproducible tooling). Federal Rule of Evidence 702 and Daubert govern expert testimony; findings that rest on well-documented artifacts routinely survive challenge.

Do we need the physical computer, or can you work from an image?

Both work. A forensic image (E01, AFF4, or raw dd) with matching hash values is analytically equivalent to the original for most purposes. When the physical device is available, we prefer to image it under controlled conditions.

Ready to move on your Windows matter?

Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Microsoft: Windows Event Log documentation. learn.microsoft.com
  2. Microsoft: Audit Logon Events. learn.microsoft.com
  3. Microsoft: NTFS Overview. learn.microsoft.com
  4. NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response. csrc.nist.gov
  5. SANS DFIR Poster: Windows Forensic Analysis. www.sans.org
  6. Federal Rules of Evidence, Rule 702 (Expert Witnesses). law.cornell.edu

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#DigitalForensics #WindowsForensics #ComputerForensics #ExpertWitness #DigitalForensicExperts #EliteDigitalForensics #ForensicInvestigation #CriminalDefenseForensics #DFIR #EventLogAnalysis #RegistryForensics #IncidentResponse

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder