GCFA Exam Prep · Windows Forensics · FlashGenius

Windows Forensics Artifacts

Registry hives, execution artifacts (Prefetch, ShimCache, Amcache, UserAssist), file access artifacts (LNK files, Shellbags, Jump Lists), NTFS internals, and Event Log forensics.


Windows leaves a rich trail of forensic evidence across the registry, file system, and event logs — knowing where to look and what each artifact proves is core GCFA knowledge.

Key exam principle: Not all artifacts prove execution. Amcache = execution + SHA-1 hash. Prefetch = execution + run count + timestamps. ShimCache (Win8+) = presence, NOT necessarily execution. UserAssist = GUI execution only. Shellbags = folder access, not execution.

Five Artifact Categories

🗂️
Registry Forensics
System hives · User hives · Run keys · USB history · Network config · Timezone · Last user
⚙️
Execution Artifacts
Prefetch · ShimCache · Amcache · UserAssist · BAM/DAM · RecentApps
📁
File Access Artifacts
LNK files · Jump Lists · Shellbags · MRU lists · Recent Items · Thumbcache
💾
NTFS Internals
$MFT · $USNJrnl · $LogFile · MACE timestamps · $I30 · Alternate Data Streams
📋
Event Logs & Browser
Security.evtx · System.evtx · Key Event IDs · Chrome/Firefox/Edge artifacts · SQLite DBs
Eric Zimmerman's Tools (EZ-Tools) — Examiner's Best Friends

  • PECmd: Prefetch file analysis — run times, loaded files, execution count
  • AppCompatCacheParser: ShimCache extraction from the SYSTEM hive
  • AmcacheParser: Amcache.hve parsing — SHA-1 hashes, install dates
  • LECmd: LNK file analysis — original paths, MAC times, volume info
  • JLECmd: Jump List analysis — AutomaticDestinations & CustomDestinations
  • SBECmd / ShellBagsExplorer: Shellbag extraction — folder access history from UsrClass.dat
  • MFTECmd: $MFT and $USNJrnl ($J) parsing — full file system timeline
  • Registry Explorer / RECmd: registry hive browsing and batch processing with bookmarks
Artifact Reliability for Proving Execution

Artifact | Proves Execution? | Timestamps | SHA-1 Hash? | Notes
Prefetch | ✅ Yes | Last 8 run times | ❌ No | Not on Server OS by default
Amcache.hve | ✅ Yes | First execution / install | ✅ Yes | Best for IOC matching via hash
UserAssist | ✅ GUI only | Last run time | ❌ No | ROT13 encoded; GUI programs only
BAM/DAM | ✅ Yes | Last execution timestamp | ❌ No | Win10+ only; resets on restart
ShimCache (Win7) | ✅ Yes | Last modified time | ❌ No | Win7 has execution flag
ShimCache (Win8+) | ⚠️ Presence only | Last modified time | ❌ No | No execution flag; file was present

Registry Forensics

The Windows Registry is a hierarchical database containing system configuration, user activity, and evidence of attacker persistence.

Key hive structure: HKLM (machine-wide) draws from SYSTEM, SAM, SECURITY, and SOFTWARE hives. HKCU (current user) draws from NTUSER.DAT. Each user also has UsrClass.dat for Shellbags and file associations.

System Hive Files — C:\Windows\System32\config\

SYSTEM (System Configuration Hive): C:\Windows\System32\config\SYSTEM
Hardware, services, ShimCache (AppCompatCache), network interfaces, USB devices, timezone, computer name. Most forensically rich system hive.

SOFTWARE (Software Configuration Hive): C:\Windows\System32\config\SOFTWARE
Installed programs, system-wide Run keys, OS version info, last logged-on user, Winlogon settings.

SAM (Security Account Manager): C:\Windows\System32\config\SAM
Local user accounts, password hashes (NTLM), last logon times, logon count, account status. Locked while Windows runs — requires offline access or VSS.

SECURITY (Security Policy Hive): C:\Windows\System32\config\SECURITY
Audit policy, cached domain credentials (DCC2), LSA secrets. Requires SYSTEM privileges to access.

User Hive Files

NTUSER.DAT (User Profile Hive, HKCU): C:\Users\<username>\NTUSER.DAT
User-specific settings: Run keys, UserAssist, MRU lists, typed URLs, RecentDocs, mapped drives, search history. One per user account.

UsrClass.dat (User Class Hive): C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
File type associations, Shellbags (folder navigation history). Primary source for Shellbag evidence on modern Windows.

Key Registry Locations for Forensics

🔑 Persistence / AutoRun
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: programs launched at boot for all users
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: programs launched at login for this user
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce: run once at next boot, then deleted
  • HKLM\SYSTEM\CurrentControlSet\Services: installed services — malware often installs as a service
👤 User Activity
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count: GUI program execution history (ROT13 encoded paths)
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs: recently opened files/folders (MRU list)
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths: paths typed directly into the Explorer address bar
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: commands typed into the Run dialog (Win+R)
🖥️ System Configuration
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache: ShimCache — program compatibility cache (execution evidence)
  • HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation: system timezone — critical for timestamp normalization
  • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR: USB storage device history (VID/PID, serial number, first/last connect)
  • HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}: BAM — Background Activity Moderator (Win10+), program execution with timestamps
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: last logged-in user, default username, Userinit/Shell (persistence targets)
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces: network adapter IP configuration history
USB Device Forensics — Key Registry Keys

Registry Key | Evidence Provided
HKLM\SYSTEM\...\Enum\USBSTOR | Device VID, PID, serial number, friendly name
HKLM\SYSTEM\...\Enum\USB | USB vendor/product IDs for all USB devices
HKLM\SOFTWARE\...\Windows Portable Devices\Devices | Drive letter assigned to the device
HKLM\SOFTWARE\...\MountedDevices | Volume GUIDs for mounted volumes
HKCU\SOFTWARE\...\Explorer\MountPoints2 | Drive letters seen by this user account
Windows Event Log (System) Event IDs 20001–20003 | Device driver installation timestamps
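The USBSTOR and USB key names in the table above carry the vendor, product, revision, VID/PID and serial in a fixed shape. The following Python is an added example (not code from the page or from any EZ-Tool) that splits those key names into fields and, for the instance subkey, tells a device-reported serial from a Windows-generated id. The sample key names are constructed for the demo, not taken from a real system.

```python
import re

# Constructed sample key names in the shapes found under
#   HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<device key>\<instance key>
#   HKLM\SYSTEM\CurrentControlSet\Enum\USB\<VID_xxxx&PID_xxxx>\<instance key>
# (demo values, not from a real system).
USBSTOR_DEVICE_KEY = "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00"
USBSTOR_INSTANCE_KEY = "4C530001230412345678&0"
USB_DEVICE_KEY = "VID_0781&PID_5567"
USB_INSTANCE_NO_SERIAL = "6&2a1b3c4d&0&1"

_USBSTOR_RE = re.compile(
    r"^(?P<device_type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$"
)
_USB_RE = re.compile(r"^VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})$")


def parse_usbstor_key(device_key: str) -> dict:
    """Split a USBSTOR device key into type, vendor, product and revision."""
    m = _USBSTOR_RE.match(device_key)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {device_key!r}")
    fields = m.groupdict()
    # Windows replaces spaces in the SCSI inquiry strings with underscores.
    fields["vendor"] = fields["vendor"].replace("_", " ")
    fields["product"] = fields["product"].replace("_", " ")
    return fields


def parse_usb_key(device_key: str) -> dict:
    """Pull the USB vendor and product ids out of an Enum\\USB device key."""
    m = _USB_RE.match(device_key)
    if not m:
        raise ValueError(f"not an Enum\\USB device key: {device_key!r}")
    return {"vid": m["vid"].upper(), "pid": m["pid"].upper()}


def parse_instance_key(instance_key: str) -> dict:
    """Interpret the instance (serial) subkey.

    If the second character is '&', Windows generated the id because the
    device reported no unique serial number, so the same physical device can
    show up under a different id on another machine. Otherwise the part before
    the trailing '&<n>' is the serial the device reported.
    """
    generated = len(instance_key) > 1 and instance_key[1] == "&"
    serial = None if generated else instance_key.rsplit("&", 1)[0]
    return {"instance": instance_key, "windows_generated": generated, "serial": serial}


def describe_device(usbstor_key: str, instance_key: str, usb_key: str) -> dict:
    """Combine the three key names into one record for a device timeline row."""
    return {**parse_usbstor_key(usbstor_key), **parse_usb_key(usb_key), **parse_instance_key(instance_key)}


if __name__ == "__main__":
    print(describe_device(USBSTOR_DEVICE_KEY, USBSTOR_INSTANCE_KEY, USB_DEVICE_KEY))
    print(parse_instance_key(USB_INSTANCE_NO_SERIAL))
```

The key names give identity only; first/last connection times come from the key LastWrite timestamps and the device property subkeys that Registry Explorer and the USB-focused parsers already surface, so pair this with those timestamps before placing a device on a timeline.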

Execution Artifacts

Windows records program execution across multiple artifact types — each provides different levels of proof and detail. Knowing what each artifact does and does not prove is essential.

Execution proof hierarchy: Amcache (execution + SHA-1) > Prefetch (execution + run count + 8 timestamps) > BAM/DAM (execution + timestamp, Win10+) > UserAssist (GUI execution + run count) > ShimCache Win7 (execution flag) > ShimCache Win8+ (presence only).
Prefetch Files
✅ Proves Execution
C:\Windows\Prefetch\[EXE]-[HASH].pf
Records: last 8 run times, execution count, files/directories accessed within 10 seconds of launch. Hash in filename is of the exe path (not content). Up to 128 entries (Win8+; 128 on Win10).
Tool: PECmd.exe | Not enabled by default on Windows Server
Amcache.hve
✅ Proves Execution + Hash
C:\Windows\appcompat\Programs\Amcache.hve
Contains SHA-1 hash of the executable, publisher, product name, file size, install date, and first execution time. Best artifact for IOC correlation via file hash. Replaced AppCompatCache on Win8+.
Tool: AmcacheParser.exe | Key: InventoryApplicationFile
UserAssist
✅ GUI Execution Only
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Tracks GUI programs launched via Windows shell (double-click, Start menu). Paths encoded in ROT13. Contains run count, last run time, and focus time. Does NOT track cmd.exe or remote execution.
Tool: Registry Explorer | Decode: ROT13
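As an added example (not code from the page or from Registry Explorer), the Python below decodes a ROT13 UserAssist value name and parses a Count value into run count, focus count, focus time and the last-run FILETIME, which is the same timestamp format BAM/DAM use. The 72-byte layout with the FILETIME at offset 60 is the Windows 7 and later format as commonly documented, so treat the offsets as an assumption to check against your parser; the sample name and value bytes are constructed here, not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed sample value."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def decode_userassist_name(encoded: str) -> str:
    """Value names are ROT13: letters shift by 13 places, digits and punctuation stay."""
    return codecs.decode(encoded, "rot_13")


def parse_userassist_value(raw: bytes) -> dict:
    """Parse a Win7+ UserAssist Count value (72 bytes).

    Layout assumed here, as commonly documented for Windows 7 and later (check
    it against your registry parser): run count at offset 4, focus count at
    offset 8, focus time in ms at offset 12, last-run FILETIME at offset 60.
    """
    if len(raw) < 68:
        raise ValueError(f"value too short for the Win7+ layout: {len(raw)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    (last_run_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # A zero FILETIME means no run time was ever recorded for the entry.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def analyze_entry(name: str, raw: bytes) -> dict:
    """Decode the name and parse the value into one report row."""
    entry = parse_userassist_value(raw)
    entry["program"] = decode_userassist_name(name)
    return entry


def build_sample_value(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Construct a synthetic 72-byte Count value (demo data, not from a real hive)."""
    header = struct.pack("<IIII", 0, run_count, focus_count, focus_ms)   # offsets 0..15
    floats = b"\x00" * 40                                                # offsets 16..55, ten floats
    pad1 = b"\x00" * 4                                                   # offsets 56..59
    last_run_ft = struct.pack("<Q", datetime_to_filetime(last_run))      # offsets 60..67
    pad2 = b"\x00" * 4                                                   # offsets 68..71
    return header + floats + pad1 + last_run_ft + pad2


# Constructed sample entry: the ROT13 form of C:\Windows\System32\notepad.exe
SAMPLE_NAME = r"P:\Jvaqbjf\Flfgrz32\abgrcnq.rkr"
SAMPLE_LAST_RUN = datetime(2024, 3, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_VALUE = build_sample_value(7, 3, 45_000, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    row = analyze_entry(SAMPLE_NAME, SAMPLE_VALUE)
    print(f"{row['program']}: runs={row['run_count']} last_run={row['last_run'].isoformat()}")
```

Real value names are usually prefixed with a known-folder GUID in braces, and the hex letters A to F inside that GUID are ROT13-shifted along with everything else, so decode the whole name before trying to match the GUID to a folder.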
ShimCache (AppCompatCache)
⚠️ Win8+: Presence Only
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Application Compatibility Cache — tracks executables the OS has processed. Win7: includes execution flag. Win8+: no execution flag; file was present on system but may NOT have run. Written to registry on shutdown.
Tool: AppCompatCacheParser.exe | Survives deletion of the file
BAM / DAM
✅ Proves Execution
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
Background Activity Moderator (Win10 1709+). Tracks background process execution per user SID with last execution timestamp. DAM = Desktop Activity Moderator (connected standby). Resets on reboot.
Tool: Registry Explorer | Timestamps in FILETIME format
RecentApps
✅ Proves Execution
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps
Tracks recently launched applications via Windows Search/Taskbar. Contains GUID subkeys with application path and last access time. Useful corroborating artifact on Win10/11.
Tool: Registry Explorer
Prefetch Deep Dive — What's Inside a .pf File

Field | Details | Forensic Value
Executable name | Name of the .exe (up to 29 chars) | Identifies what ran
Run count | Total number of executions recorded | Frequency of use
Last 8 run times | FILETIME timestamps of last 8 executions | Timeline reconstruction
Volume information | Volume serial number, creation time, path | Identify source drive
File references | All files/dirs accessed in first 10 seconds | Loaded DLLs, staged files, data access
Path hash | Hash of the exe's directory path (8 hex chars in filename) | Same exe name, different location = different hash
ShimCache vs. Amcache — Side-by-Side Comparison

Property | ShimCache (AppCompatCache) | Amcache.hve
Purpose | Application compatibility (tracks what OS has processed) | Application inventory and execution tracking
Location | SYSTEM hive (registry) | C:\Windows\appcompat\Programs\Amcache.hve
Proves Execution? | Win7: Yes (execution flag). Win8+: No (presence only) | Yes — records first execution / installation
Provides Hash? | No | Yes — SHA-1 hash of the executable
Written When? | On system shutdown (in-memory until then) | On execution / installation
Survives File Deletion? | Yes — registry persists after exe deleted | Yes — hive persists after exe deleted

File Access & NTFS Artifacts

File access artifacts record what files and folders a user interacted with. NTFS internals like $MFT and $USNJrnl provide a complete audit trail of file system changes.

Critical distinction: $USNJrnl records ALL file system changes including deletions — a file entry may persist in the journal even after the file is gone. Shellbags persist even for deleted folders and unmounted USB drives — invaluable for proving access to removed media.

File Access Artifacts

LNK Files (Shell Links)
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\*.lnk
  • Created when user opens a file by double-clicking
  • Persists even after source file is deleted
  • Contains: original full path, file size, MAC timestamps of source, volume serial number, NetBIOS name of host
  • Reveals access to files on USB drives, network shares, deleted volumes
  • Zone.Identifier ADS indicates web download origin
Tool: LECmd.exe (Eric Zimmerman)
Jump Lists
...\Recent\AutomaticDestinations\*.automaticDestinations-ms
...\Recent\CustomDestinations\*.customDestinations-ms
  • AutomaticDestinations: OS-generated; records recently used files per application
  • CustomDestinations: app-generated; pinned items, frequent locations
  • AppID in filename identifies the application
  • Each entry is essentially an LNK record — same rich metadata
  • Persists records of files even after deletion
Tool: JLECmd.exe | AppID lookup tables available online
Shellbags
UsrClass.dat: HKCU\...\Local Settings\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT: HKCU\SOFTWARE\...\Explorer\Shell Folders
  • Records folder view preferences (size, position, sort order, icon view)
  • Created when any folder is opened in Explorer — including network shares, USB drives, ZIP files
  • Persist after folder/drive deletion or unmounting
  • Prove user accessed a folder that no longer exists
  • Timestamp = when folder was first accessed, last written
Tool: SBECmd.exe / ShellBagsExplorer (Eric Zimmerman)
MRU Lists (Most Recently Used)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • RecentDocs: files opened recently, organized by extension
  • RunMRU: commands typed into Win+R Run dialog
  • OpenSavePidlMRU: files selected in open/save dialogs
  • Entries stored as binary data with MRUListEx ordering
  • WordWheelQuery: searches typed into Explorer search bar
Tool: Registry Explorer with bookmarks

NTFS Internal Structures

$MFT
Master File Table
Every file and directory has an MFT entry. Contains: file name, MACE timestamps ($SI and $FN), file size, attributes, data location. Deleted file entries marked as unallocated but data may persist. First record = $MFT itself.
Tool: MFTECmd.exe | Location: \$MFT at root of volume
$USNJrnl ($J)
Update Sequence Number Journal
Change journal recording ALL file system operations: create, modify, rename, delete, security change. Circular buffer — older entries overwritten. File deletions leave records. Proves file existed even after deletion.
Tool: MFTECmd.exe -f $J | Location: \$Extend\$UsnJrnl
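To make the point that deletion records outlive the file concrete, here is an added Python example (not from the page or from MFTECmd) that builds a few synthetic USN_RECORD_V2 entries, parses them with the 60-byte header layout from winioctl.h, and lists the names the journal shows as deleted. The file name, MFT entry numbers, USNs and timestamps are constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# USN_REASON_* bits from winioctl.h (subset relevant to this example).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}

# USN_RECORD_V2 fixed part, 60 bytes, little-endian:
# RecordLength(4) MajorVersion(2) MinorVersion(2) FileReferenceNumber(8)
# ParentFileReferenceNumber(8) Usn(8) TimeStamp(8) Reason(4) SourceInfo(4)
# SecurityId(4) FileAttributes(4) FileNameLength(2) FileNameOffset(2)
USN_V2_HEADER = struct.Struct("<IHHQQQQIIIIHH")


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_usn_v2(buf: bytes, offset: int = 0) -> dict:
    """Parse one USN_RECORD_V2 starting at offset."""
    (rec_len, major, _minor, file_ref, parent_ref, usn, ts, reason,
     _src, _sid, attrs, name_len, name_off) = USN_V2_HEADER.unpack_from(buf, offset)
    if major != 2:
        raise ValueError(f"unsupported USN record version {major}")
    name = buf[offset + name_off: offset + name_off + name_len].decode("utf-16-le")
    # The 64-bit file reference packs the MFT entry number in the low 48 bits
    # and the sequence number in the high 16 bits.
    return {
        "usn": usn,
        "timestamp": filetime_to_datetime(ts),
        "mft_entry": file_ref & 0xFFFFFFFFFFFF,
        "mft_sequence": file_ref >> 48,
        "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
        "reasons": [label for bit, label in USN_REASONS.items() if reason & bit],
        "attributes": attrs,
        "name": name,
        "record_length": rec_len,
    }


def iter_usn_v2(buf: bytes):
    """Walk consecutive records in a $J extract; stops on a bad length rather than looping."""
    offset = 0
    while offset + USN_V2_HEADER.size <= len(buf):
        rec = parse_usn_v2(buf, offset)
        if rec["record_length"] < USN_V2_HEADER.size:
            break
        yield rec
        offset += rec["record_length"]


def deleted_files(buf: bytes) -> list:
    """Names whose journal records carry FILE_DELETE: proof the file existed."""
    return [(r["name"], r["timestamp"]) for r in iter_usn_v2(buf) if "FILE_DELETE" in r["reasons"]]


def build_usn_v2(name, reason, timestamp, usn, entry, sequence, parent_entry) -> bytes:
    """Build a synthetic record (demo only); real ones come from the $J stream of $UsnJrnl."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (USN_V2_HEADER.size + len(name_bytes) + 7) & ~7   # records are 8-byte aligned
    file_ref = (sequence << 48) | entry
    parent_ref = (1 << 48) | parent_entry
    header = USN_V2_HEADER.pack(rec_len, 2, 0, file_ref, parent_ref, usn,
                                datetime_to_filetime(timestamp), reason, 0, 0,
                                0x20, len(name_bytes), USN_V2_HEADER.size)
    return header + name_bytes + b"\x00" * (rec_len - USN_V2_HEADER.size - len(name_bytes))


# Constructed mini-journal: a file is created, written, then deleted five minutes later.
_T0 = datetime(2024, 3, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_JOURNAL = b"".join([
    build_usn_v2("stager.exe", 0x100 | 0x80000000, _T0, 1024, 4711, 3, 5),
    build_usn_v2("stager.exe", 0x2 | 0x80000000, _T0 + timedelta(seconds=2), 1104, 4711, 3, 5),
    build_usn_v2("stager.exe", 0x200 | 0x80000000, _T0 + timedelta(minutes=5), 1184, 4711, 3, 5),
])

if __name__ == "__main__":
    for rec in iter_usn_v2(SAMPLE_JOURNAL):
        print(rec["timestamp"].isoformat(), rec["mft_entry"], rec["name"], rec["reasons"])
    print("deleted:", deleted_files(SAMPLE_JOURNAL))
```

Note that the record carries the MFT entry and sequence number rather than a path; rebuilding the full path means resolving parent references against $MFT, which is why MFTECmd is normally run on both artifacts together.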
$LogFile
NTFS Transaction Log
Records NTFS metadata transactions for crash recovery. Smaller than $USNJrnl and overwrites faster. Can reveal recent file system operations at a low level. Used by NTFS to maintain consistency.
Tool: LogFileParser | Location: \$LogFile
$I30 (Directory Index)
Directory Index Attribute
B-Tree index of files within a directory. Slack space in $I30 may contain entries for previously deleted files. Reveals files that existed in a directory even after deletion — useful for anti-forensics detection.
Tool: istat (The Sleuth Kit) / MFTECmd
MACE Timestamps — $STANDARD_INFORMATION vs $FILE_NAME

  • M = Modified: last time file DATA was modified (content changed)
  • A = Accessed: last time file was read or accessed
  • C = Changed: last time the MFT entry metadata changed
  • E = Entry Created: when the MFT entry was created (file born)

Property | $STANDARD_INFORMATION (SI) | $FILE_NAME (FN)
Who Sets It? | User-mode APIs (SetFileTime) can modify | Kernel-mode only — very hard to modify
Timestomping Target? | Yes — commonly backdated by attackers | Rarely modified — reliable ground truth
Detection Rule | If SI < FN (SI earlier than FN) → suspicious | FN timestamp should be ≥ SI creation time
Tool Visibility | Shown by Windows Explorer / dir command | Only visible via forensic tools (MFTECmd)
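Added Python example (not from the page or from MFTECmd) applying the detection rule above to constructed rows in the shape of an MFTECmd $MFT CSV export. The column names are simplified for the example and are not the tool's exact header; the file names and timestamps are invented.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed rows in the shape of an MFTECmd $MFT CSV export (column names are
# simplified for this example and are not the tool's exact header). Row 102 is
# the suspicious one: its SI timestamps were pushed back to 2019 while the
# kernel-set FN timestamps still show when the file actually appeared.
SAMPLE_CSV = """\
EntryNumber,FileName,SI_Created,SI_Modified,FN_Created,FN_Modified
101,report.docx,2024-03-15 10:30:00.1234567,2024-03-15 10:45:00.0000000,2024-03-15 10:30:00.1234567,2024-03-15 10:30:00.1234567
102,update.exe,2019-01-01 00:00:00.0000000,2019-01-01 00:00:00.0000000,2024-03-15 11:02:17.5551234,2024-03-15 11:02:17.5551234
103,notes.txt,2024-03-10 08:00:00.2345678,2024-03-12 09:00:00.3456789,2024-03-10 08:00:00.2345678,2024-03-10 08:00:00.2345678
"""


def parse_ts(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff' (NTFS keeps 100 ns precision; Python keeps microseconds)."""
    base, _, frac = text.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    micros = int((frac + "000000")[:6]) if frac else 0
    return dt.replace(microsecond=micros, tzinfo=timezone.utc)


def check_timestomp(csv_text: str) -> list:
    """Apply the rule: SI created earlier than FN created is suspicious."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si_created = parse_ts(row["SI_Created"])
        fn_created = parse_ts(row["FN_Created"])
        if si_created < fn_created:
            findings.append({
                "entry": int(row["EntryNumber"]),
                "file": row["FileName"],
                "si_created": si_created,
                "fn_created": fn_created,
                "delta": fn_created - si_created,
            })
    return findings


if __name__ == "__main__":
    for f in check_timestomp(SAMPLE_CSV):
        print(f"MFT {f['entry']} {f['file']}: SI created {f['si_created']} "
              f"but FN created {f['fn_created']} ({f['delta'].days} days later)")
```

Treat a hit as a lead rather than a verdict: a file that was moved or renamed also receives a fresh $FILE_NAME attribute, so SI created earlier than FN created can be legitimate. Corroborate with $USNJrnl rename records before reporting timestomping.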

Event Log & Browser Artifacts

🔒 Security.evtx — Authentication & Process Events
  • 4624: Successful logon — check Logon Type: 2=Interactive, 3=Network, 7=Unlock, 10=RemoteInteractive (RDP), 4=Batch, 5=Service
  • 4625: Failed logon — brute force indicator; check failure reason and source IP
  • 4648: Logon with explicit credentials (runas / pass-the-hash indicator) — shows alternate account used
  • 4672: Special privileges assigned to new logon — admin/SYSTEM token indicator
  • 4688: Process creation — command line visible if audit enabled; critical for detecting LOLBins and malware
  • 4698: Scheduled task created — common persistence mechanism
  • 4720: User account created — detect unauthorized account creation
  • 4732: User added to local group — watch for Administrators group additions
  • 1102: Security audit log cleared — strong attacker anti-forensics indicator
⚙️ System.evtx — Services & System Events
  • 7045: New service installed — common malware persistence; check service binary path for LOLBins or unusual paths
  • 7034: Service crashed unexpectedly — may indicate unstable malware or exploit payload
  • 104: System event log cleared — companion to 1102; both logs often cleared together by attackers
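An added example, not from the page: the triage rules the Security and System lists above describe, applied in Python to a constructed batch of events. Field names such as logon_type, target_user and image_path are simplified stand-ins for the EVTX XML fields, and the IPs, user names and service names are invented. It flags a failed-logon burst followed by a success from the same source, a Logon Type 10 logon, a 4648 whose target account differs from the subject, a 7045 whose binary sits outside the Windows and Program Files directories, and 1102/104 log clearing.

```python
from collections import defaultdict

# Logon Type codes as listed for Event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive (RDP)"}
# Directories where a freshly installed service binary is least surprising.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
FAILED_LOGON_THRESHOLD = 5


def _event(log, event_id, time, **fields):
    return {"log": log, "id": event_id, "time": time, **fields}


# Constructed sample: six failures, an RDP success, explicit-credential use,
# two service installs (one in C:\Users\Public), then both logs cleared.
SAMPLE_EVENTS = [
    *[_event("Security", 4625, f"2024-03-15T02:00:{s:02d}Z", user="admin",
             ip="203.0.113.7", logon_type=3) for s in range(0, 60, 10)],
    _event("Security", 4624, "2024-03-15T02:01:05Z", user="admin", ip="203.0.113.7", logon_type=10),
    _event("Security", 4648, "2024-03-15T02:03:40Z", user="admin", target_user="svc_backup", ip="-"),
    _event("Security", 4624, "2024-03-15T02:03:41Z", user="svc_backup", ip="-", logon_type=2),
    _event("System", 7045, "2024-03-15T02:05:12Z", service="WinDefUpdate",
           image_path=r"C:\Users\Public\upd.exe"),
    _event("System", 7045, "2024-03-15T09:00:00Z", service="PrintHelper",
           image_path=r"C:\Windows\System32\svchost.exe -k netsvcs"),
    _event("Security", 1102, "2024-03-15T02:09:00Z", user="admin"),
    _event("System", 104, "2024-03-15T02:09:01Z", user="admin"),
]


def triage(events):
    """Return a list of findings; times are ISO-8601 strings so they sort lexically."""
    findings = []
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["log"] == "Security" and e["id"] == 4625:
            failures[e["ip"]].append(e["time"])
        elif e["log"] == "Security" and e["id"] == 4624:
            successes[e["ip"]].append(e)
    # Brute-force pattern: many 4625 from one source, worse if a 4624 follows.
    for ip, times in failures.items():
        if len(times) >= FAILED_LOGON_THRESHOLD:
            later = [s for s in successes.get(ip, []) if s["time"] > max(times)]
            findings.append({"rule": "brute_force", "ip": ip, "failures": len(times),
                             "followed_by_success": bool(later)})
    for e in events:
        if e["log"] == "Security" and e["id"] == 4624 and e.get("logon_type") == 10:
            findings.append({"rule": "rdp_logon", "user": e["user"], "ip": e["ip"],
                             "logon_type": LOGON_TYPES[10]})
        elif e["log"] == "Security" and e["id"] == 4648 and e.get("target_user") != e["user"]:
            findings.append({"rule": "explicit_credentials", "user": e["user"],
                             "target_user": e["target_user"]})
        elif e["log"] == "System" and e["id"] == 7045:
            if not e["image_path"].lower().startswith(TRUSTED_SERVICE_DIRS):
                findings.append({"rule": "service_unusual_path", "service": e["service"],
                                 "image_path": e["image_path"]})
        elif (e["log"], e["id"]) in {("Security", 1102), ("System", 104)}:
            findings.append({"rule": "log_cleared", "log": e["log"], "time": e["time"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The service-path rule is deliberately coarse: a service binary under C:\Windows is not proof of legitimacy, only a lower priority for review, and the real 7045 record also carries the service type and start type worth checking.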
Browser Artifact Locations

Google Chrome: C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\
Artifact | File
History / URLs | History (SQLite)
Downloads | History (downloads table)
Bookmarks | Bookmarks (JSON)
Cookies | Cookies (SQLite)
Saved Logins | Login Data (SQLite)
Cache | Cache\ subdirectory

Mozilla Firefox: C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<id>.default\
Artifact | File
History / Bookmarks | places.sqlite
Downloads | places.sqlite
Cookies | cookies.sqlite
Form Data | formhistory.sqlite
Saved Logins | logins.json + key4.db
Session | sessionstore.jsonlz4

Microsoft Edge (Chromium): C:\Users\<user>\AppData\Local\Microsoft\Edge\User Data\Default\
Artifact | File
History / URLs | History (SQLite)
Downloads | History (downloads table)
Cookies | Cookies (SQLite)
Saved Logins | Login Data (SQLite)
Collections | Collections (SQLite)
Note | Same structure as Chrome

Practice Quiz

Ten GCFA-style questions on Windows forensic artifacts. Select your answers and submit to see your score.

Question 1 of 10
Which Windows artifact provides evidence of program execution AND includes a SHA-1 hash of the executable?
  A. Prefetch files
  B. ShimCache (AppCompatCache)
  C. Amcache.hve
  D. UserAssist
Explanation: Amcache.hve records a SHA-1 hash of each executable along with execution/install date — making it the only Windows execution artifact that enables direct IOC correlation via file hash. Prefetch proves execution but contains no hash.
Question 2 of 10
Where are Prefetch files stored on Windows?
  A. C:\Windows\System32\config\
  B. C:\Windows\appcompat\Programs\
  C. C:\Windows\Prefetch\
  D. C:\Users\<user>\AppData\Roaming\
Explanation: Prefetch files are stored in C:\Windows\Prefetch\ with the naming format [EXECUTABLE]-[HASH].pf. The hash is derived from the directory path of the executable, not its content. C:\Windows\appcompat\Programs\ is the location of Amcache.hve.
Question 3 of 10
Which registry hive contains UserAssist execution tracking entries?
  A. NTUSER.DAT (HKCU)
  B. SOFTWARE (HKLM)
  C. SYSTEM (HKLM)
  D. SAM (HKLM)
Explanation: UserAssist is stored in NTUSER.DAT (HKCU) under SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. It tracks per-user GUI program execution, so it lives in the user hive. The SYSTEM hive contains ShimCache.
Question 4 of 10
UserAssist encodes program paths using which method?
  A. Base64
  B. AES encryption
  C. ROT13
  D. MD5 hashing
Explanation: UserAssist uses ROT13 encoding — a simple Caesar cipher shifting each letter by 13 positions. For example, "URYC.RKR" decodes to "HELP.EXE". This is trivially reversible and is not true encryption — it simply obscures the data from casual observation.
Question 5 of 10
Which NTFS artifact records ALL file system changes including file deletions, and can prove a file existed even after it has been deleted?
  A. $MFT (Master File Table)
  B. $LogFile
  C. $USNJrnl ($J data stream)
  D. $BITMAP
Explanation: $USNJrnl is a change journal that records every file system operation (create, modify, rename, delete). Because it's a sequential log, deletion records persist in the journal even after the file is gone — making it excellent for proving a file existed. $MFT entries for deleted files are marked unallocated and may be overwritten.
Question 6 of 10
Shellbags are forensically valuable primarily because they:
  A. Track network connections made by applications
  B. Record folder access history, including for deleted or unmounted volumes
  C. Log process execution with full command line arguments
  D. Store browser history in an encrypted registry format
Explanation: Shellbags record folder view preferences (icon size, sort order, window size) for every folder a user has opened in Windows Explorer. The key forensic value is that these entries persist even after the folder is deleted or the USB drive is unmounted — proving a user accessed a location that no longer physically exists on the system.
Question 7 of 10
On Windows 8 and later, ShimCache (AppCompatCache) entries prove:
  A. A program was executed and the exact run timestamps are recorded
  B. A file was downloaded from the internet
  C. A file was present on the system but does not confirm execution
  D. A user manually deleted the file
Explanation: On Windows 7, ShimCache included an execution flag confirming the program ran. Starting with Windows 8, the execution flag was removed — entries now only confirm the file was present on the filesystem (the OS processed it for compatibility). To prove execution on Win8+, use Prefetch, Amcache, or BAM/DAM instead.
Question 8 of 10
Which Windows Event ID in the System log indicates a new service was installed — a common attacker persistence mechanism?
  A. 4698
  B. 7045
  C. 4688
  D. 1102
Explanation: Event ID 7045 (System log) is generated when a new service is installed. Attackers frequently install malware as a service for persistence. The service binary path in this event often reveals the malware location. Event 4698 is scheduled task creation; 4688 is process creation; 1102 is Security log cleared.
Question 9 of 10
A forensic examiner finds that a file's $STANDARD_INFORMATION (SI) timestamps are significantly earlier than its $FILE_NAME (FN) timestamps. This most likely indicates:
  A. Timestomping — an attacker used SetFileTime() to backdate the visible timestamps
  B. The file was accessed via a network share, which updates only SI timestamps
  C. NTFS compression was applied to the file after creation
  D. The file is a Windows system protected file with special timestamp rules
Explanation: When SI timestamps are earlier (older) than FN timestamps, it indicates timestomping — the attacker used the Windows API SetFileTime() to backdate the SI timestamps (which tools like Explorer display) to make the file appear older. FN timestamps are set by the kernel and are much harder to modify, so the discrepancy reveals the manipulation.
Question 10 of 10
LNK files are forensically significant primarily because they:
  A. Record all keyboard input captured by linked applications
  B. Contain encrypted credentials for the linked application
  C. Exist only while the source file is present on the system
  D. Preserve original file path, timestamps, and volume info even after source file deletion
Explanation: LNK files persist after the source file is deleted. They contain the full original file path, the file's MAC timestamps at the time of access, the volume serial number, and even the remote host's NetBIOS name if accessed from a network share. This makes them invaluable for proving file access even when the original evidence has been removed.

Memory Hooks

Mnemonics and high-yield patterns for fast recall on exam day.

🧠
Execution Artifact Hierarchy
Remember: P-A-U-B-S for execution artifacts.
Prefetch (execution + 8 timestamps), Amcache (execution + SHA-1 hash), UserAssist (GUI only + ROT13), BAM/DAM (Win10+, resets on boot), ShimCache (presence only on Win8+).
"Please Allow Users Better Shimmer" — Prefetch, Amcache, UserAssist, BAM, ShimCache
🕐
MACE Timestamps
Four timestamp types on every NTFS file: Modified (data changed), Accessed (data read), Changed ($MFT entry changed), Entry created (born). Two copies: $SI (user-modifiable) and $FN (kernel-protected). SI < FN = timestomping.
"MAC-E your timestamps" — and if SI is Earlier than FN, someone Erased the truth
💾
NTFS Change Journal
$USNJrnl records every file system change including deletions. Even after a file is deleted, the USN record proving it existed lingers in the journal (until overwritten). Parse $J stream with MFTECmd. Think of it as a surveillance log of the entire file system.
"$USN never forgets a deletion" — the journal outlives the file
👜
Shellbags Survive
Shellbags record folder navigation in UsrClass.dat and persist even after the folder, drive, or USB device is deleted/unmounted. They are your best evidence that a user opened a location that no longer exists on the system. Even ZIP file contents browsed via Explorer create shellbags.
"Shell bags stay after the store closes" — evidence persists after volume removal
🔑
Critical Event IDs
4624=logon success · 4625=logon fail · 4648=explicit creds (pass-the-hash) · 4688=process created · 4698=sched task · 4720=account created · 4732=added to local group · 7045=service installed · 1102/104=logs cleared
"7045 = new service (system log); 1102 = Security log silenced"
🔗
LNK Files & Jump Lists
LNK files created on file open — persist after file deletion, contain source path + volume serial + NetBIOS host. Jump Lists = LNK records organized per app (AutomaticDestinations = OS-created; CustomDestinations = app-created/pinned). LECmd parses LNK; JLECmd parses Jump Lists.
"LNK = the link that outlives the file" — LECmd, JLECmd
High-Yield Facts for GCFA — Windows Artifacts

Artifact | Unique Capability | Key Location | Tool
Amcache.hve | Only execution artifact with SHA-1 hash | C:\Windows\appcompat\Programs\ | AmcacheParser
Prefetch | Last 8 run times + files accessed in first 10s | C:\Windows\Prefetch\ | PECmd
Shellbags | Proves folder access after deletion/unmount | UsrClass.dat | SBECmd
$USNJrnl | Proves file existed even after deletion | \$Extend\$UsnJrnl ($J) | MFTECmd -f $J
LNK files | Source path + timestamps survive file deletion | ...\Recent\*.lnk | LECmd
USBSTOR | USB device history (serial, VID/PID, timestamps) | HKLM\SYSTEM\...\Enum\USBSTOR | Registry Explorer
UserAssist | GUI-only execution, ROT13 encoded, run count | NTUSER.DAT (HKCU) | Registry Explorer
BAM/DAM | Per-user execution timestamps (Win10+ only) | HKLM\SYSTEM\...\bam\State\... | Registry Explorer
Event 4648 | Explicit credential use (pass-the-hash signal) | Security.evtx | Event Viewer / EQL
Event 7045 | New service = persistence detection | System.evtx | Event Viewer / Splunk


Flashcards

Registry

What are the five system hive files and their primary forensic content?

Answer

SYSTEM (ShimCache, USB, timezone, network), SOFTWARE (Run keys, installed apps, last user), SAM (local accounts, NTLM hashes), SECURITY (audit policy, cached creds), NTUSER.DAT (UserAssist, MRU, Run keys per user)

Execution Proof

Which artifact proves execution AND provides a SHA-1 hash, and where is it located?

Answer

Amcache.hve — C:\Windows\appcompat\Programs\Amcache.hve. Contains SHA-1 hash, publisher, product name, first execution time. Best artifact for IOC matching. Parse with AmcacheParser.exe.

MACE Timestamps

What do M-A-C-E stand for in NTFS timestamps, and what's the timestomping detection rule?

Answer

Modified (data changed), Accessed (data read), Changed (MFT entry changed), Entry Created (file born). Detection rule: if $STANDARD_INFORMATION timestamps < $FILE_NAME timestamps → timestomping. FN timestamps are kernel-set and harder to manipulate.

Shellbags

Where are Shellbags stored and why are they forensically unique?

Answer

Primary location: UsrClass.dat (C:\Users\...\AppData\Local\Microsoft\Windows\UsrClass.dat). Unique value: persist after folders, USB drives, or network shares are deleted/unmounted. Prove user accessed a location that no longer exists. Parse with SBECmd or ShellBagsExplorer.

Prefetch

What information is stored inside a Prefetch file and what does the filename hash represent?

Answer

Inside: exe name, run count, last 8 execution times, volume info, files/dirs accessed in first 10 seconds of launch. Filename format: [EXE]-[HASH].pf where the 8-char hash is computed from the executable's DIRECTORY PATH (not file content). Same exe in different folders = different hash.

ShimCache

How does ShimCache behavior differ between Windows 7 and Windows 8+?

Answer

Windows 7: includes execution flag — confirms the program was executed. Windows 8+: execution flag removed — only proves the file was PRESENT on the system (OS processed it for compatibility). Written to registry on shutdown, so in-memory data lost on crash. Parse with AppCompatCacheParser.

NTFS Journals

What is the difference between $MFT, $USNJrnl, and $LogFile?

Answer

$MFT: directory of all files/dirs with MACE timestamps; deleted entries marked unallocated. $USNJrnl ($J): change journal logging ALL operations including deletions — files may be evidenced here after deletion. $LogFile: NTFS transaction log for crash recovery; overwrites fastest, least forensic value.

Key Event IDs

What do Event IDs 4624, 4648, 7045, and 1102 each indicate?

Answer

4624: Successful logon (check Logon Type: 2=interactive, 3=network, 10=RDP). 4648: Logon with explicit credentials — pass-the-hash / lateral movement indicator. 7045 (System log): New service installed — attacker persistence. 1102: Security audit log cleared — attacker anti-forensics.

Study Advisor


Exam Strategy — Windows Artifacts

  • Execution vs. presence: Know which artifacts prove execution (Prefetch, Amcache, UserAssist, BAM) vs. presence only (ShimCache Win8+). This distinction appears on nearly every GCFA Windows artifact question.
  • Artifact layering: No single artifact tells the whole story. The GCFA expects you to combine evidence — use Prefetch to confirm execution, $USNJrnl to confirm a file existed, and Shellbags to confirm a folder was accessed.
  • Know the tools: Questions often ask which EZ-Tool to use. PECmd=Prefetch, AmcacheParser=Amcache, AppCompatCacheParser=ShimCache, SBECmd=Shellbags, LECmd=LNK, JLECmd=Jump Lists, MFTECmd=$MFT and $USNJrnl.
  • Registry hive location questions: Know SYSTEM hive (ShimCache, USB, timezone), NTUSER.DAT (UserAssist, MRU, user Run keys), UsrClass.dat (Shellbags) — these are tested directly.
  • Anti-forensics detection: Timestomping (SI < FN timestamps), log clearing (1102/104), $I30 slack (deleted file evidence in directory index) are favorite GCFA test topics.

Common Mistakes — Windows Artifacts

  • ShimCache proves execution (wrong on Win8+): Many candidates assume ShimCache confirms execution on all Windows versions. On Win8+, no execution flag exists — presence only. Win7 is the exception.
  • Confusing Amcache location: Amcache.hve is NOT in the registry hive folder — it's at C:\Windows\appcompat\Programs\Amcache.hve. It's a separate registry hive file, not an NTUSER.DAT key.
  • Forgetting UserAssist is GUI-only: UserAssist misses cmd.exe launched tools, scripts, and remote execution. Don't rely on it for attacker activity that bypasses the GUI shell.
  • Ignoring Shellbags in USB investigations: When asked to prove a user accessed a USB drive that's no longer available, Shellbags (UsrClass.dat) are the key artifact — not Prefetch or event logs.
  • Misreading Prefetch hash in filename: The 8-char hash is derived from the DIRECTORY PATH of the executable, not the file content. Two copies of the same exe in different folders = two different Prefetch files with different hashes.
  • Confusing 1102 (Security log) with 104 (System log): Attackers typically clear both. 1102 = Security audit log cleared. 104 = System log cleared. Both appear in the respective logs.

Quick Review — Windows Artifacts

  • Proves execution + hash: Amcache.hve (SHA-1) — C:\Windows\appcompat\Programs\
  • Proves execution + 8 timestamps: Prefetch — C:\Windows\Prefetch\[EXE]-[HASH].pf
  • GUI execution, ROT13 encoded: UserAssist — NTUSER.DAT (HKCU)
  • Win10+ execution, resets on boot: BAM/DAM — HKLM\SYSTEM\...\bam\State\...
  • Win8+ = presence only: ShimCache — HKLM\SYSTEM\...\AppCompatCache
  • Folder access survives deletion: Shellbags — UsrClass.dat
  • File access survives file deletion: LNK files — ...\Recent\*.lnk (LECmd)
  • All file system changes including deletions: $USNJrnl $J — MFTECmd
  • Timestomping detection: SI timestamps < FN timestamps
  • USB device history: HKLM\SYSTEM\...\Enum\USBSTOR
  • New service installed: Event 7045 (System log)
  • Security log cleared: Event 1102; System log cleared: Event 104

Deep Dive — Advanced Concepts

  • $MFT entry anatomy: Every file has an MFT entry containing $STANDARD_INFORMATION (timestamps, file attributes — user modifiable) and $FILE_NAME (timestamps, parent directory — kernel set). Carved MFT entries from unallocated space can recover metadata for deleted files.
  • ShimCache write timing: ShimCache is maintained in memory and only written to the SYSTEM registry hive on clean shutdown. If a system crashes or is hard-powered off, recent entries may not be persisted — important for live response vs. dead disk analysis.
  • Alternate Data Streams (ADS): NTFS supports multiple data streams per file. Malware uses ADS to hide payloads (e.g., legitimate.exe:hidden.exe). Zone.Identifier ADS records download source (Mark of the Web) — critical for phishing investigations. List ADS with: dir /r or Get-Item -Stream *.
  • Volume Shadow Copies (VSS): VSS snapshots contain historical versions of registry hives, Prefetch, and even $MFT — allowing timeline reconstruction to before malware ran. Access via: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\.
  • Browser SQLite forensics: Chrome/Edge history, downloads, and cookies are SQLite databases. Deleted records leave behind free pages in the SQLite file — carving these pages can recover deleted browsing history entries. Use DB Browser for SQLite or SQLECmd.
  • $I30 slack space: Directory index ($I30) uses B-Tree nodes. When files are deleted from a directory, their entries in $I30 may remain in slack space — proving files existed in that directory even after deletion from $MFT. Useful for proving malware staging in directories.
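For the browser SQLite bullet above, here is an added Python example (not from the page, from Chrome, or from SQLECmd) that builds an in-memory stand-in for Chrome's History database, converts its WebKit timestamps (microseconds since 1601-01-01 UTC, not Unix time) to datetimes, and joins visits to URLs and downloads to referrers. The table definitions are a constructed subset of the real schema with the column names Chrome uses, and every URL, path and time is invented.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome and Chromium Edge store times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    d = dt - WEBKIT_EPOCH
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


def build_sample_history() -> sqlite3.Connection:
    """In-memory stand-in for the History file: a constructed subset of the
    urls, visits and downloads tables (column names follow Chrome's schema,
    but the real tables carry many more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
                                start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
                                tab_url TEXT, referrer TEXT);
    """)
    t = datetime(2024, 3, 15, 9, 58, 0, tzinfo=timezone.utc)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://mail.example.com/inbox", "Inbox", 3, 1, datetime_to_webkit(t), 0),
        (2, "https://files.example.net/invoice.pdf.exe", "invoice", 1, 0,
         datetime_to_webkit(t + timedelta(minutes=2)), 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, datetime_to_webkit(t), 0, 0),
        (2, 2, datetime_to_webkit(t + timedelta(minutes=2)), 1, 0),
        (3, 1, datetime_to_webkit(t + timedelta(minutes=4)), 0, 0),
    ])
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?)", (
        1, r"C:\Users\alice\Downloads\invoice.pdf.exe", r"C:\Users\alice\Downloads\invoice.pdf.exe",
        datetime_to_webkit(t + timedelta(minutes=2, seconds=5)), 204800, 204800,
        "https://files.example.net/invoice.pdf.exe", "https://mail.example.com/inbox"))
    conn.commit()
    return conn


def visit_timeline(conn: sqlite3.Connection) -> list:
    """Visits joined to their URL rows, oldest first; from_visit links the click chain."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    return [(webkit_to_datetime(ts), url, title, from_visit) for ts, url, title, from_visit in rows]


def download_timeline(conn: sqlite3.Connection) -> list:
    """Downloads with where they were saved and which page triggered them."""
    rows = conn.execute("""
        SELECT start_time, target_path, tab_url, referrer, received_bytes, total_bytes
        FROM downloads ORDER BY start_time
    """).fetchall()
    return [{"start": webkit_to_datetime(r[0]), "path": r[1], "source_url": r[2],
             "referrer": r[3], "complete": r[4] == r[5]} for r in rows]


if __name__ == "__main__":
    db = build_sample_history()
    for when, url, title, from_visit in visit_timeline(db):
        print(when.isoformat(), url, title, "from visit", from_visit)
    for d in download_timeline(db):
        print(d["start"].isoformat(), d["path"], "<-", d["referrer"])
```

These queries see only live rows. Records the user deleted are what the bullet above describes as free pages inside the file, and recovering them needs page carving rather than SQL, which is where SQLECmd or a dedicated carver comes in.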

Practice Tips — Windows Artifacts

  • Build an artifact cheat sheet: Create a table with columns: Artifact | Proves Execution? | Hash? | Location | Tool | Notes. Filling this from memory is excellent exam prep.
  • Practice with EZ-Tools: Download Eric Zimmerman's tools from ericzimmerman.github.io and run them against a test VM. Seeing real output internalizes the artifact structure far better than reading alone.
  • Scenario practice: For every scenario, ask: "What artifact do I need? Where is it? What tool do I use? What does a hit prove?" Practice this chain for each artifact type.
  • SANS FOR508 labs: If you have access to SANS OnDemand, the FOR508 lab exercises are identical to what GCFA tests. Prioritize Registry, Prefetch, and Amcache labs.
  • Event ID flash drilling: Write the 10 most important Event IDs on cards (4624, 4625, 4648, 4688, 4698, 4720, 4732, 7045, 1102, 104) and drill them until instantaneous recall.
  • Focus on anti-forensics detection: Timestomping, log clearing, Prefetch disabling, ADS hiding — GCFA heavily tests your ability to recognize when an attacker has tried to cover tracks and which artifacts still survive.