Chapter 5

Windows system artifacts

Abstract

Microsoft Windows is the most widely used operating system in the world. Thus, digital forensic examiners must have an understanding of how artifacts are created in Windows and how they can be used to track a user’s activity. This chapter covers deleted data and artifacts such as restore points, metadata, the Recycle Bin, and more.

Keywords

Deleted Data
Hiberfile.sys
Registry
Print Spooling
Recycle Bin
Metadata
Thumbnail Cache
Most Recently Used (MRU)
Restore Points (RPs)
Shadow Copies

“You see, but you do not observe. The distinction is clear.”

—Sherlock Holmes in A Scandal in Bohemia

Information in this chapter
Finding Deleted Data
Hibernation Files
Examining the Windows Registry
Print ...
