What You'll Learn
- Identify the key Windows forensic artifacts that prove program execution, file access, and user activity
- Explain how Prefetch files record execution evidence including timing, frequency, and loaded files
- Describe what Amcache.hve stores and why SHA1 hashes of executed programs are forensically valuable
- Differentiate between ShimCache and Amcache as complementary execution evidence sources
- Analyze UserAssist, Shellbags, Jump Lists, and LNK files to reconstruct user behavior
- Examine browser artifacts and USB device history for investigation context
- Perform Recycle Bin forensics using $I and $R file analysis
- Connect Windows artifact analysis to the forensic investigation you will perform in Lab 9.3
Windows Leaves a Trail of Everything
Windows is, from a forensic perspective, an extraordinarily verbose operating system. Every program execution, every file access, every folder browsed, every USB device connected, and every file deleted leaves traces in specific locations across the filesystem and registry. These traces persist long after the user — or attacker — believes they have covered their tracks.
The artifacts you will learn in this lesson are the same ones that KAPE collects during triage imaging (Lesson 9.2) and that you will analyze in Lab 9.3. They answer the core forensic questions:
| Question | Artifact That Answers It |
|---|---|
| Was this program ever executed? | Prefetch, Amcache, ShimCache, UserAssist |
| When was it first/last executed? | Prefetch (last 8 run times), Amcache (first execution), UserAssist (last run + run count) |
| How many times was it executed? | Prefetch (run count), UserAssist (run count) |
| What files did the program access? | Prefetch (files loaded during first 10 seconds), Jump Lists, LNK files |
| What folders did the user browse? | Shellbags |
| What was the program's SHA1 hash? | Amcache |
| Was a USB device connected? | USBSTOR registry key, setupapi.dev.log |
| What files were deleted? | Recycle Bin ($I/$R files) |
| What websites were visited? | Browser history, cache, cookies, downloads |
Attackers delete tools — but they cannot delete all the traces those tools leave behind. An attacker who runs Mimikatz, deletes the binary, and clears the event logs still leaves Prefetch files, Amcache entries, ShimCache records, and potentially UserAssist data. Each artifact is stored in a different location with a different retention mechanism. Wiping all of them requires specialized anti-forensic tools that most attackers do not deploy — and even those tools leave their own forensic traces.
Prefetch Files
Location: C:\Windows\Prefetch\*.pf
Purpose: Windows Prefetch was designed to speed up application startup by caching information about recently executed programs. For forensic analysts, it is one of the most valuable execution evidence sources on Windows.
When a program executes, Windows creates (or updates) a Prefetch file that records:
| Field | Forensic Value |
|---|---|
| Executable name | Proves which program ran (includes full path hash in filename) |
| Run count | How many times the program has been executed |
| Last 8 execution times | Windows 8+ stores the 8 most recent run timestamps (Windows 7 stores only the last) |
| Files and directories loaded | Every file the program accessed during its first 10 seconds of execution — DLLs, config files, data files |
| Volume information | Which volume the program ran from (useful for USB-connected tools) |
The Prefetch filename format encodes both the executable name and a hash of its path:
MIMIKATZ.EXE-A91E1B0C.pf
│ │
│ └── Hash of the full executable path
└── Executable name (uppercase)
This means if an attacker runs the same tool from two different directories, two separate Prefetch files are created — each recording independent execution history.
# Example: attacker ran mimikatz from two locations
C:\Windows\Prefetch\MIMIKATZ.EXE-A91E1B0C.pf (from C:\Users\Public\)
C:\Windows\Prefetch\MIMIKATZ.EXE-F3B2D1E7.pf (from C:\Temp\tools\)
Parsing Prefetch with PECmd (Eric Zimmerman tool):
# Parse a single Prefetch file
PECmd.exe -f "C:\Windows\Prefetch\MIMIKATZ.EXE-A91E1B0C.pf"
# Parse all Prefetch files and output to CSV
PECmd.exe -d "C:\Windows\Prefetch" --csv "D:\Evidence\Parsed" --csvf prefetch.csv
Prefetch is disabled by default on SSDs in some Windows configurations and on Windows Server editions. If you do not find Prefetch files, check the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters — a value of 0 means Prefetch is disabled. The absence of Prefetch files does not mean a program was never executed; it means this particular artifact source is unavailable, and you must rely on Amcache, ShimCache, and other evidence.
Amcache.hve
Location: C:\Windows\AppCompat\Programs\Amcache.hve
Purpose: Amcache is a registry hive that tracks application compatibility data. For forensic analysts, its killer feature is storing SHA1 hashes of executed programs along with their first execution timestamp.
Amcache records:
| Field | Forensic Value |
|---|---|
| Full file path | Where the executable was located on disk |
| SHA1 hash | Cryptographic hash of the binary — can be checked against VirusTotal, MISP, or malware databases |
| File size | Useful for identifying specific versions of tools |
| First execution timestamp | When the program was first seen/executed (based on file modification time from the $MFT) |
| Publisher | Digital signature publisher information (if signed) |
| Program name and version | From the PE version resource |
| Link date | When the binary was compiled — attackers sometimes forget to change this |
Why the SHA1 hash matters: An attacker can rename mimikatz.exe to svchost.exe to blend in. They can delete the binary after running it. But the Amcache records the SHA1 hash of the original file at the time it first executed. A VirusTotal lookup of that hash immediately reveals the true identity of the program — regardless of what name it was given on disk.
# Parse Amcache with AmcacheParser (Eric Zimmerman tool)
AmcacheParser.exe -f "C:\Windows\AppCompat\Programs\Amcache.hve" \
--csv "D:\Evidence\Parsed" --csvf amcache.csv
Amcache + VirusTotal = instant tool identification. When you find an unknown executable in Amcache, copy its SHA1 hash and search VirusTotal. If 45 out of 70 antivirus engines detect it as "Mimikatz" or "Cobalt Strike Beacon," you have your answer in seconds. This works even after the attacker has deleted the original binary — the hash in Amcache persists.
ShimCache (AppCompatCache)
Location: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Purpose: The Application Compatibility Cache (ShimCache) tracks executables that Windows has evaluated for compatibility shims. It records metadata about programs that were present on disk — and in many cases, this includes programs that were never actually executed.
ShimCache records:
| Field | Forensic Value |
|---|---|
| Full file path | Location of the executable |
| Last modification time | $STANDARD_INFORMATION last modified timestamp from the MFT entry |
| Execution flag | On Windows 7/Server 2008R2: indicates whether the program was executed. On Windows 8+: this flag is less reliable |
| File size | Size of the executable at the time it was cached |
| Cache entry position | Most recently accessed entries appear at the top of the cache — provides relative ordering |
ShimCache vs Amcache — complementary, not redundant:
| Feature | ShimCache | Amcache |
|---|---|---|
| Records SHA1 hash | No | Yes |
| Records execution time | No (only file modification time) | Yes (first execution) |
| Records files that exist but were not executed | Yes — files merely browsed in Explorer may appear | No — only tracks actual execution |
| Survives file deletion | Yes — entry persists after the file is deleted | Yes — entry persists after the file is deleted |
| Updated when | System shutdown (flushed from memory to registry) | During execution and program installation |
| Maximum entries | ~1,024 (Windows 10) | Varies — typically thousands |
ShimCache is written at shutdown, not at execution time. This is critical for forensic interpretation. If you are analyzing a system that has not been shut down since the compromise, the most recent ShimCache entries may still be in memory and not yet written to the registry. If the system was rebooted after the compromise, the full ShimCache is available in the SYSTEM hive.
# Parse ShimCache with AppCompatCacheParser (Eric Zimmerman tool)
AppCompatCacheParser.exe -f "C:\Windows\System32\config\SYSTEM" \
--csv "D:\Evidence\Parsed" --csvf shimcache.csv
UserAssist
Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Purpose: UserAssist tracks GUI-based program executions — applications launched from the Start menu, desktop shortcuts, File Explorer, or Run dialog. It is stored per-user in each user's NTUSER.DAT registry hive.
UserAssist records:
| Field | Forensic Value |
|---|---|
| Program path | Full path to the executed program (ROT13-encoded in the registry) |
| Run count | Number of times the user executed this program |
| Last execution time | Timestamp of the most recent execution |
| Focus time | Total time the application had focus (foreground) |
| Focus count | Number of times the application gained focus |
The ROT13 encoding is trivially reversible — it was never intended as security, just obfuscation. Forensic tools decode it automatically:
Registry value (ROT13): P:\Hfref\Choyvp\zvzvxngm.rkr
Decoded: C:\Users\Public\mimikatz.exe
Why UserAssist matters for investigations: UserAssist proves that a specific user account interactively launched a program — not just that it ran as a system service or scheduled task. This is the difference between "mimikatz.exe ran on this machine" (Prefetch) and "the user jsmith launched mimikatz.exe from the desktop 3 times between February 10 and February 15" (UserAssist).
Shellbags
Location: NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags and UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
Purpose: Shellbags record every folder a user has browsed in Windows Explorer — including view preferences (icon size, sort order, column layout). This creates a detailed history of filesystem navigation.
Shellbags are forensically powerful because they:
- Record folder access even if the folder no longer exists (deleted folders still appear in Shellbags)
- Record access to network shares (
\\server\share), USB drives, and ZIP file contents - Include timestamps for when each folder was first and last accessed
- Persist across reboots and are rarely cleared by users or attackers
Example Shellbag entries from an investigation:
Desktop\Evidence_Staging (first: 2026-02-14 02:14:00, last: 2026-02-15 14:30:00)
E:\USB_DRIVE\exfil_data (first: 2026-02-15 14:22:00, last: 2026-02-15 14:28:00)
\\10.0.1.50\C$\Users (first: 2026-02-15 13:45:00, last: 2026-02-15 13:52:00)
This tells the analyst: the attacker browsed a local staging folder, accessed an administrative share on another host (lateral movement evidence), and then browsed a USB drive labeled "exfil_data" — a clear data exfiltration pattern.
Jump Lists
Location: %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms and %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms
Purpose: Jump Lists record recently accessed files on a per-application basis. Right-click any program on the taskbar, and the "Recent" list you see comes from Jump Lists.
Each Jump List entry contains:
| Field | Forensic Value |
|---|---|
| Target file path | Full path to the file that was opened |
| Target timestamps | Creation, modification, and access times of the target file |
| Application ID | Hash identifying which application opened the file |
| Volume information | Volume name and serial number — identifies the drive the file was on |
Jump Lists are particularly valuable for tracking document access:
Application: Microsoft Word (AppID: a7bd71699cd38d1c)
Recent files:
D:\Confidential\employee_salaries_2026.xlsx (accessed 2026-02-15 09:12:00)
C:\Users\jsmith\Desktop\resignation_letter.docx (accessed 2026-02-15 10:45:00)
E:\USB\exfil\Q4_financial_report.pdf (accessed 2026-02-15 14:23:00)
LNK Files (Shortcut Analysis)
Location: %APPDATA%\Microsoft\Windows\Recent\*.lnk and various other locations
Purpose: Windows creates LNK (shortcut) files when a user opens a file. These shortcut files contain rich metadata about the target file — even after the target file has been deleted.
LNK files record:
| Field | Forensic Value |
|---|---|
| Target path | Full path to the file that was opened |
| Target timestamps | Creation, modification, and access times of the target |
| Target file size | Size of the file at the time it was accessed |
| Volume serial number | Identifies the specific drive the file was on |
| Volume label | Drive label (e.g., "EVIDENCE_USB") |
| Machine name | NetBIOS name of the machine where the file resides (for network files) |
| MAC address | Network adapter MAC address (in some LNK versions) |
# Parse LNK files with LECmd (Eric Zimmerman tool)
LECmd.exe -d "%APPDATA%\Microsoft\Windows\Recent" \
--csv "D:\Evidence\Parsed" --csvf lnk_files.csv
LNK files prove that a file existed even after deletion. If an attacker opens a file from a USB drive, then removes the USB drive and deletes all traces, the LNK file in the Recent folder still contains the full path, the USB volume serial number, the file size, and timestamps. The attacker would need to specifically hunt down and delete the LNK file — and most do not.
Browser Artifacts
Web browsers store extensive forensic data across multiple databases and files:
| Artifact | Location (Chrome) | Forensic Value |
|---|---|---|
| History | %LOCALAPPDATA%\Google\Chrome\User Data\Default\History | URLs visited with timestamps and visit counts |
| Downloads | Same History database, downloads table | Files downloaded with source URL, save path, and timestamps |
| Cache | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data | Cached copies of web content — can reconstruct visited pages |
| Cookies | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies | Session cookies may reveal authenticated access to external services |
| Autofill | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data | Form data including usernames, addresses, search terms |
| Login Data | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data | Saved credentials (encrypted with DPAPI on Windows) |
Browser artifacts are critical for insider threat investigations, data exfiltration cases, and initial compromise analysis:
Browser history timeline from insider threat investigation:
09:15 mail.google.com/mail/ (personal Gmail — policy violation)
09:18 drive.google.com/drive/ (Google Drive accessed)
09:22 drive.google.com/upload (file upload initiated)
09:23 Download: employee_database_export.csv (from internal HR portal)
09:25 drive.google.com/upload (another upload — the CSV was exfiltrated)
USB Device History
Location: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Purpose: Every USB storage device ever connected to a Windows system is recorded in the USBSTOR registry key. This persists even after the device is disconnected and never reconnected.
USBSTOR records:
| Field | Forensic Value |
|---|---|
| Device class | Disk, CdRom, or other device type |
| Vendor and product | Manufacturer and model (e.g., "SanDisk&Prod_Cruzer") |
| Serial number | Unique identifier for the specific device — can link to a known suspect's USB drive |
| First connection time | From setupapi.dev.log — when the device was first plugged in |
| Last connection time | From SYSTEM\MountedDevices and other registry timestamps |
| Drive letter assigned | What drive letter Windows assigned (e.g., E:) |
| Volume GUID | Links to Shellbags, LNK files, and Jump Lists that reference this volume |
USBSTOR registry entry for a suspect's USB drive:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\
Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\
4C530012345678901234&0
│
└── Serial number: unique to this physical device
Cross-referencing the USB serial number with LNK files and Jump Lists creates a complete picture: this specific USB drive was connected at this time, this user browsed these folders on it (Shellbags), opened these files from it (LNK/Jump Lists), and the files had these sizes and timestamps.
Recycle Bin Analysis
Location: C:\$Recycle.Bin\{USER_SID}\*
Purpose: When a user deletes a file, Windows moves it to the Recycle Bin rather than erasing it. Each deleted file creates two files:
| File | Purpose | Contents |
|---|---|---|
| $I file | Index/metadata file | Original file path, file size, deletion timestamp |
| $R file | Recovery file | The actual file data (renamed but intact) |
The naming convention: $IXXXXXX.ext and $RXXXXXX.ext where XXXXXX is a random identifier and .ext matches the original file extension.
C:\$Recycle.Bin\S-1-5-21-1234567890-987654321-1122334455-1001\
$IA1B2C3.exe → metadata: original path, size, deletion time
$RA1B2C3.exe → the actual deleted file (recoverable)
$ID4E5F6.docx → metadata for a deleted Word document
$RD4E5F6.docx → the deleted Word document itself
Forensic value:
- The $I file proves a file existed at a specific path and was deleted at a specific time — even if the $R file has been emptied from the Recycle Bin
- The $R file contains the actual data — if the Recycle Bin has not been emptied, you can recover the complete file
- The user SID in the directory path identifies which user account deleted the file
- If the attacker "empties" the Recycle Bin, the $I and $R files are truly deleted — but they may still be recoverable from unallocated space in a full disk image
# Parse Recycle Bin with RBCmd (Eric Zimmerman tool)
RBCmd.exe -d "C:\$Recycle.Bin" --csv "D:\Evidence\Parsed" --csvf recyclebin.csv
Attackers who Shift+Delete bypass the Recycle Bin entirely. Holding Shift while pressing Delete permanently deletes a file without sending it to the Recycle Bin — no $I or $R files are created. However, the file data still exists in unallocated space until overwritten, and Prefetch/Amcache/ShimCache evidence of the file's existence persists regardless of deletion method. Shift+Delete eliminates one artifact source but not the others.
Putting It All Together: The Artifact Analysis Workflow
A single artifact rarely tells the full story. Forensic conclusions come from corroborating multiple artifact sources:
Investigation: Did user jsmith run mimikatz.exe?
Prefetch: MIMIKATZ.EXE-A91E1B0C.pf exists
Run count: 3, Last run: 2026-02-15 14:32:07
Files loaded: C:\Users\Public\mimikatz.exe, sekurlse.dll
Amcache: C:\Users\Public\mimikatz.exe
SHA1: a1b2c3d4e5f6... (VirusTotal: 58/70 detect as Mimikatz)
First execution: 2026-02-14 22:15:00
ShimCache: C:\Users\Public\mimikatz.exe
File modification time: 2026-02-14 21:00:00
UserAssist: C:\Users\Public\mimikatz.exe (ROT13 decoded)
Run count: 3, Last run: 2026-02-15 14:32:07
Focus time: 45 seconds
Recycle Bin: $IA7B3C9.exe → C:\Users\Public\mimikatz.exe
Deleted: 2026-02-15 14:33:00 (1 minute after last execution)
Timeline: Feb 14 21:00 — mimikatz.exe placed on disk (ShimCache mod time)
Feb 14 22:15 — First execution (Amcache)
Feb 15 14:32 — Third execution (Prefetch + UserAssist)
Feb 15 14:33 — Attacker deleted mimikatz.exe (Recycle Bin)
Five independent artifact sources corroborate the same conclusion. The attacker can delete the binary, empty the Recycle Bin, and clear event logs — but they cannot erase all five artifact types without specialized anti-forensic tools that themselves leave traces.
Build timelines, not checklists. The goal of artifact analysis is not to find individual artifacts — it is to reconstruct a chronological narrative of what happened. When you parse Prefetch, Amcache, ShimCache, Shellbags, Jump Lists, LNK files, and Recycle Bin data, merge everything into a single timeline sorted by timestamp. The story of the compromise emerges from the sequence of events, not from individual data points.
Key Takeaways
- Windows records program execution across multiple independent artifact sources — Prefetch, Amcache, ShimCache, and UserAssist each store different metadata, and an attacker must neutralize all of them to eliminate execution evidence
- Prefetch records run count, last 8 execution times, and files loaded during the first 10 seconds of execution — even after the program is deleted
- Amcache stores SHA1 hashes of executed programs, enabling immediate malware identification via VirusTotal even when the binary no longer exists on disk
- ShimCache may record files that were present on disk but never executed — useful for proving an attacker staged tools before running them
- UserAssist proves a specific user account interactively launched a program (ROT13-encoded, trivially decoded by forensic tools)
- Shellbags record every folder browsed in Explorer including network shares and deleted directories — invaluable for tracking lateral movement and data staging
- Jump Lists and LNK files record per-application file access with target path, timestamps, volume serial number, and machine name — evidence persists after file and device deletion
- USB device history (USBSTOR) records every USB storage device ever connected, with serial number, vendor, and timestamps that can be cross-referenced with LNK and Shellbag data
- Recycle Bin $I files preserve original path and deletion timestamp; $R files contain the actual deleted data — Shift+Delete bypasses this but does not eliminate other artifact traces
- Forensic conclusions require corroborating multiple artifacts — build chronological timelines from merged artifact data, not isolated findings
What's Next
You now know where Windows hides evidence and how to interpret each artifact type. Lesson 9.4 shifts to Linux Forensic Artifacts — the equivalent locations where Linux records command history, file access, authentication events, and persistence mechanisms. The tools differ but the methodology is the same: identify artifact sources, collect them, parse them, and build a corroborated timeline. In Lab 9.3, you will perform a full Windows forensic investigation — parsing Prefetch, Amcache, ShimCache, Shellbags, and Recycle Bin data to reconstruct an attacker's complete activity timeline on a compromised workstation.
Knowledge Check: Windows Forensic Artifacts
10 questions · 70% to pass
An attacker runs mimikatz.exe, then deletes the binary. Which artifact still contains the SHA1 hash of the original file?
What additional information does a Prefetch file store that helps identify what resources a program accessed during execution?
How does ShimCache differ from Amcache in what it records?
Why is UserAssist forensically significant beyond what Prefetch already provides?
During Lab 9.3, you find Shellbag entries showing the user browsed \\10.0.1.50\C$ and E:\USB_DRIVE\exfil_data. What do these entries indicate?
What forensic information does a Windows LNK (shortcut) file preserve that survives even after the target file and its source device are removed?
In the Recycle Bin, what is the difference between $I and $R files?
An attacker uses Shift+Delete to permanently delete a tool after running it. Which artifact sources are NOT affected by this deletion method?
In Lab 9.3, you analyze a compromised workstation and find a USBSTOR entry with serial number 4C530012345678 and corresponding LNK files referencing files on drive E:. What can you conclude?
Why should forensic analysts build chronological timelines from multiple artifact sources rather than analyzing each artifact type in isolation?
0/10 answered