
Windows Forensics: Registry, Event Logs, and File System Artifacts

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

Windows systems generate a massive volume of forensic artifacts. The registry, event logs, prefetch files, and NTFS metadata each tell part of the story. Knowing where to look and what each artifact actually proves is the difference between a thorough investigation and one full of gaps.

Registry Analysis

The Windows registry is a database of system and user configuration data. For forensics, it is a gold mine of historical activity.

NTUSER.DAT (per-user hive) contains:

  • RecentDocs — recently opened files by extension
  • UserAssist — programs executed via Explorer, with run counts and last execution times (the value names are ROT13-encoded; the counters live in the binary value data)
  • TypedPaths — paths manually typed in Explorer
  • RunMRU — commands typed in the Run dialog

SYSTEM hive contains:

  • CurrentControlSet\Services — installed services, including services created by malware for persistence
  • MountedDevices — USB and external storage device history
  • Select — identifies which ControlSet is active

SOFTWARE hive contains:

  • Microsoft\Windows\CurrentVersion\Run — auto-start programs
  • Microsoft\Windows NT\CurrentVersion\NetworkList — network connection history with SSIDs and timestamps

SAM hive contains local user accounts, last login times, and account creation dates.

Use tools like Registry Explorer (Eric Zimmerman) or RegRipper to parse these hives. On a live system, export hives with reg save, since the active SYSTEM, SOFTWARE and SAM hives are locked and cannot simply be copied while Windows is running. For offline analysis, pull them from C:\Windows\System32\config\ and the NTUSER.DAT files in each user profile directory.
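As an added example (not code from the article or from the tools it names), the following Python decodes a UserAssist entry the way a hive parser does: ROT13 for the value name, then the run count and last-execution FILETIME from the binary value. The sample entry is constructed, and the 72-byte Windows 7+ layout is assumed from public documentation of the format.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist value layout (72 bytes), as publicly documented:
#   0  uint32 session id      4  uint32 run count
#   8  uint32 focus count     12 uint32 focus time (ms)
#   16 10 x float32 (unused)  56 uint32 unknown
#   60 FILETIME last executed (UTC)   68 uint32 unknown
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means never run."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of the above, using integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_userassist(value_name, value_data):
    """Decode one UserAssist\\{GUID}\\Count value: ROT13 name plus binary counters."""
    if len(value_data) < 72:
        raise ValueError("unexpected UserAssist value length %d" % len(value_data))
    run_count, focus_count, focus_ms = struct.unpack_from("<3I", value_data, 4)
    (last_ft,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "program": codecs.decode(value_name, "rot13"),   # value names are ROT13-encoded
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_executed": filetime_to_datetime(last_ft),
    }

def build_sample():
    """Constructed sample entry (not from a real hive): cmd.exe, 7 runs, last run 2026-02-01 12:00 UTC."""
    name = codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", "rot13")
    ft = datetime_to_filetime(datetime(2026, 2, 1, 12, 0, 0, tzinfo=timezone.utc))
    data = struct.pack("<4I", 0, 7, 3, 45000) + b"\x00" * 40 + struct.pack("<IQI", 0, ft, 0)
    return name, data

if __name__ == "__main__":
    name, data = build_sample()
    print(parse_userassist(name, data))
```

The GUID prefix in a real entry is a known-folder identifier rather than a drive path, so resolving it to a directory is a separate lookup that this example leaves out.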

Event Log Analysis

Windows Event Logs (EVTX format) are stored in C:\Windows\System32\winevt\Logs\. The three logs that matter most for security investigations:

Security.evtx — authentication events, privilege use, object access:

  • 4624: Successful logon (check logon type: 2=interactive, 3=network, 10=RemoteInteractive)
  • 4625: Failed logon
  • 4648: Explicit credential logon (runas, pass-the-hash)
  • 4672: Special privileges assigned (admin logon)
  • 4720: User account created
  • 4732: Member added to security group

System.evtx — service installations, driver loads, system events:

  • 7045: New service installed (common persistence mechanism)
  • 7036: Service start/stop

PowerShell logs (Microsoft-Windows-PowerShell/Operational):

  • 4104: Script block logging — captures full PowerShell code execution

Parse event logs with tools like EvtxECmd, or use PowerShell’s Get-WinEvent on a live system. Hayabusa and Chainsaw can run Sigma detection rules directly against EVTX files for rapid triage. Whichever tool you use, correlate the logon type, target account and source address of 4624/4625 events rather than counting event IDs alone.
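As an added example (not from the article, and not how EvtxECmd or Get-WinEvent are implemented), here is the field logic behind a Security.evtx triage: logons bucketed by the logon types above, RemoteInteractive (type 10) logons listed, and accounts with repeated 4625 failures flagged. The records are constructed in the XML shape that Get-WinEvent’s ToXml() method emits.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

def parse_event(xml_text):
    """Flatten one event (as Get-WinEvent's .ToXml() emits it) into a dict of its fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"EventID": int(system.find("e:EventID", NS).text),
           "Time": system.find("e:TimeCreated", NS).get("SystemTime")}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text
    return rec

def triage(events, fail_threshold=3):
    """Count 4624 logons by type, list type-10 (RDP) logons, flag accounts with repeated 4625s."""
    by_type, failures, remote = Counter(), defaultdict(int), []
    for ev in map(parse_event, events):
        if ev["EventID"] == 4624:
            lt = int(ev["LogonType"])
            by_type[LOGON_TYPES.get(lt, "Type%d" % lt)] += 1
            if lt == 10:
                remote.append((ev["Time"], ev["TargetUserName"], ev.get("IpAddress")))
        elif ev["EventID"] == 4625:
            failures[ev["TargetUserName"]] += 1
    return {"logons_by_type": dict(by_type),
            "remote_interactive": remote,
            "failed_logon_accounts": {u: n for u, n in failures.items() if n >= fail_threshold}}

def make_event(event_id, when, **fields):
    """Build a constructed Security.evtx record in .ToXml() shape (not a real capture)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID><TimeCreated SystemTime="%s"/>'
            '</System><EventData>%s</EventData></Event>' % (NS["e"], event_id, when, data))

# Constructed sample: one console logon, three failures against "admin", then an RDP logon.
SAMPLE_EVENTS = [
    make_event(4624, "2026-02-01T08:00:00Z", TargetUserName="alice", LogonType=2, IpAddress="-"),
    make_event(4625, "2026-02-01T08:01:00Z", TargetUserName="admin", LogonType=3, IpAddress="10.0.0.5"),
    make_event(4625, "2026-02-01T08:01:02Z", TargetUserName="admin", LogonType=3, IpAddress="10.0.0.5"),
    make_event(4625, "2026-02-01T08:01:04Z", TargetUserName="admin", LogonType=3, IpAddress="10.0.0.5"),
    make_event(4624, "2026-02-01T08:02:00Z", TargetUserName="admin", LogonType=10, IpAddress="10.0.0.5"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```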

Prefetch Files

Prefetch (C:\Windows\Prefetch\) records programs that have been executed on the system. Each .pf file contains the executable name, run count, last eight execution times (on Windows 10+), and files/directories referenced during execution. On Windows 10 and later the .pf files are stored compressed, so they must be decompressed before parsing, and Prefetch is disabled by default on Windows Server editions, so its absence there is not by itself suspicious.

Prefetch is particularly useful because it persists even after the executable is deleted. An attacker can remove their tools, but the prefetch file proves they ran. Parse prefetch with PECmd (Eric Zimmerman) for structured output.

NTFS Artifacts

The Master File Table ($MFT) is the file system’s index — every file and directory gets an entry. Parsing the $MFT reveals file creation, modification, and deletion timestamps, including for files that have been deleted but not yet overwritten.

The $UsnJrnl (Update Sequence Number Journal) tracks file system changes: file creation, deletion, renaming, and data modifications. This journal often captures evidence of files the attacker created and then deleted during the intrusion.

$I30 index entries in directory records can reveal previously existing files even after $MFT entries have been reused. This is a less well-known artifact that experienced forensicators use to uncover deleted evidence.


Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
