- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Investigate suspected unauthorized access, malware, persistence, suspicious programs, credential theft, and unexplained system changes on Windows endpoints and servers — with court-ready findings.
Quick Answer. Unauthorized-access and malware forensics on Windows correlates authentication anomalies (4625/4740/4776, 4624 LogonType 3/10 from unexpected sources), persistence artifacts (Run/RunOnce, Services with unsigned or LOLBin ImagePath, scheduled tasks, WMI event subscriptions, Winlogon shell hijacks, Image File Execution Options debugger keys), program execution evidence (Prefetch, Amcache SHA-1, Shimcache), PowerShell script-block logs (4104), network telemetry (SRUM, DNS cache), and known-bad IOC matching. The output is a written finding — with or without malware attribution — supporting or refuting the client’s factual claim.
| Mechanism | Location | Evidence recorded |
|---|---|---|
| Run / RunOnce (all-user) | SOFTWARE\Microsoft\Windows\CurrentVersion\Run(Once) | Value name, command line, LastWrite |
| Run / RunOnce (per-user) | NTUSER.DAT\…\Run(Once) | Per-account autoruns, SID attribution |
| Services | SYSTEM\CurrentControlSet\Services\ | ImagePath, ServiceDll, Start type, Type; System 7045 install event |
| Scheduled Tasks | C:\Windows\System32\Tasks\ + SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache | XML author, principal, triggers, actions |
| WMI event subscriptions | OBJECTS.DATA in \wbem\Repository\ | EventFilter + Consumer + Binding for persistence |
| Winlogon | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell, Userinit, Notify keys |
| Image File Execution Options | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ | Debugger hijack (accessibility-key attacks) |
| AppInit_DLLs | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Auto-loaded DLLs across processes |
| Startup folders | \ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp and per-user | Legacy but still used |
| Print / Netsh / LSA providers | Various registry keys | Advanced persistence via provider DLLs |
Attackers increasingly avoid custom malware and abuse signed Microsoft binaries. We review execution of the following against timing and command-line context:
powershell.exe / pwsh.exe with -EncodedCommand, -NoProfile, -WindowStyle Hiddenmshta.exe, rundll32.exe, regsvr32.exe, certutil.exe -urlcachewmic.exe, bitsadmin.exe, msbuild.exe, installutil.execurl.exe, wget equivalents, Invoke-WebRequestntdsutil.exe, vssadmin.exe delete shadows (pre-encryption ransomware signal)net use, net localgroup administrators, psexecntds.dit or SAM/SYSTEM copies outside System32\config\.vssadmin create shadow followed by copy operations from the shadow — a classic credential-dump pattern.Where ransomware is suspected — or must be ruled out — we look for the tell-tale precursors: vssadmin delete shadows, wbadmin delete catalog, bcdedit /set {default} recoveryenabled No, mass rename operations in $UsnJrnl (thousands of renames within minutes), a new service or scheduled task installed just before mass encryption, and Defender / EDR tampering (Sysmon 26, Defender events 5001/5007).
Many matters end with a defense-favorable conclusion: no evidence of malware execution, no unauthorized access, and observed behavior fully consistent with the legitimate user. In those cases the report enumerates what was searched, what would have appeared had the alleged event occurred, and why the absence of those artifacts is meaningful — anchored to the artifact categories detailed in the Windows Forensics hub.
Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.
Rarely in absolute terms, but we can state to a high degree of confidence when every relevant artifact (Amcache, Prefetch, Sysmon, Defender history, persistence keys, network telemetry) is negative. Reports state confidence explicitly.
Amcache SHA-1 records, Prefetch, USN journal CREATE + DELETE pairs, and Shimcache entries commonly survive deletion of the executable itself.
Signed-publisher records in Amcache, cert-chain validity, install path (user Temp vs Program Files), Prefetch parent-process context, and UserAssist presence together separate legitimate installs from covert placement.
When retained for incident response, yes: containment, eviction, credential rotation, and hardening. When retained through counsel for litigation only, the report focuses on findings; remediation is left to the client’s IT or a separately scoped engagement.
Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant