Windows Forensic Artifacts Reference
Every artifact a responder needs. Categorized. With registry paths, tools, and investigative context.
Seven artifact categories covering what attackers leave behind on Windows systems — persistence mechanisms, program execution evidence, file and folder activity, user account usage, network indicators, USB device history, and event log forensics. Each artifact includes the registry path or file location, the tool to extract it, what it proves, and what to look for during an investigation.
For the full investigation methodology — how to interpret these artifacts in context, build investigation timelines, and reconstruct attack chains — see the Practical Incident Response course (IR3: Execution and Persistence, IR4: Filesystem and Registry, IR5: Event Log Analysis) and the Incident Triage course (TR3: Windows Triage).