6 Windows Forensics
Because Windows is the most widely used operating system in the world, a significant share of digital forensics research is aimed at it. Although the operating system does not maintain records specifically for forensic purposes, it generates a wealth of data about user activities and preferences. The system uses this data to enhance usability, for example by providing quick access to recently opened files or by improving network connections. For forensic professionals, this data provides an opportunity to piece together a timeline of user activity on a Windows device and gain insight into a user’s behavior. Understanding the Windows operating system and the various data artifacts it produces is an essential skill for any digital forensics practitioner.
6.1 New Technology File System (NTFS)
The New Technology File System (NTFS) provides several advantages over other file systems (Table 6.1) such as File Allocation Table (FAT) and Extended File Allocation Table (exFAT), including features like:
- Metadata: NTFS stores detailed metadata for each file, including security attributes, access control lists, and owner information.
- Advanced file structure: NTFS supports advanced file structures such as alternate data streams, which allow multiple data streams to be associated with a single file.
- Journaling: NTFS includes a journaling feature that helps ensure the consistency and integrity of the file system in the event of a system crash or power ...
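The alternate data streams and per-file ownership metadata listed above are exactly what an examiner looks for during triage, so the following PowerShell script, added here as an example and not taken from the book, walks a directory tree and reports every stream other than the primary `:$DATA` stream together with the file owner. It assumes an NTFS volume and PowerShell 3.0 or later (the `-Stream` parameter); the demo path, file names and stream contents are constructed sample data.

```powershell
# Added example (not from the book): enumerate NTFS alternate data streams (ADS)
# and owner metadata for every file under a directory, as a triage step.
# Assumes an NTFS volume and PowerShell 3.0+ (Get-Item/Set-Content -Stream).

param(
    # Hypothetical demo location; point this at a real evidence mount in practice.
    [string]$Path = (Join-Path $env:TEMP 'ntfs-ads-demo')
)

# --- Constructed sample data: one file carrying a hidden stream, one without ---
New-Item -ItemType Directory -Path $Path -Force | Out-Null
$withAds = Join-Path $Path 'report.txt'
$plain   = Join-Path $Path 'plain.txt'
Set-Content -Path $withAds -Value 'visible content'
Set-Content -Path $withAds -Stream 'notes' -Value 'content stored in an alternate stream'
Set-Content -Path $plain   -Value 'nothing extra'

function Get-AdsReport {
    param([string]$Root)

    foreach ($file in Get-ChildItem -Path $Root -File -Recurse) {
        # Every NTFS file has a primary ':$DATA' stream; anything else is an ADS.
        # Note: 'Zone.Identifier' is the well-known stream browsers attach to
        # downloads (Mark of the Web); it records where a file came from.
        $streams = Get-Item -Path $file.FullName -Stream * |
                   Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            # Read the stream body for a short preview; ignore unreadable streams.
            $body = Get-Content -Path $file.FullName -Stream $s.Stream -Raw -ErrorAction SilentlyContinue
            if ($null -eq $body) { $body = '' }
            $body = $body -replace '\s+', ' '
            $preview = $body.Substring(0, [Math]::Min(80, $body.Length))

            [pscustomobject]@{
                File    = $file.FullName
                Stream  = $s.Stream
                Bytes   = $s.Length
                Owner   = (Get-Acl -Path $file.FullName).Owner   # NTFS owner metadata
                Written = $file.LastWriteTimeUtc                 # timeline anchor
                Preview = $preview
            }
        }
    }
}

Get-AdsReport -Root $Path | Format-Table -AutoSize
```

Run the script as-is to see `report.txt` reported with its `notes` stream while `plain.txt` produces no row; pointing `-Path` at a mounted evidence volume turns the same loop into a quick sweep for data hidden in streams, with the owner and last-write timestamp already attached for the timeline.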