The Windows Artifact Taxonomy
Scenario
You are scoping artifact collection for a suspected insider threat. The CISO wants results within 24 hours. You could collect everything from every artifact category (6 hours of collection, 18 hours of analysis), or you could target user activity artifacts (ShellBags, LNK, Jump Lists) plus filesystem artifacts (MFT, USN) for 2 hours of collection and 8 hours of analysis. The right answer depends on the investigation question. If the question is "did this person access and copy restricted files?" the targeted collection answers it directly. If the question is "what has this person been doing for the last 6 months?" you need the comprehensive set. You can only make this decision if you know what each artifact category proves.
Six categories of Windows forensic artifacts
A Windows system generates hundreds of potential artifact sources. Without a systematic taxonomy, the examiner either wastes time analyzing irrelevant artifacts or misses critical evidence because they didn't know the artifact existed. The taxonomy below maps every major artifact to the forensic question it answers, its persistence characteristics, and its vulnerability to anti-forensic manipulation.
Figure WF0.2 — The six categories of Windows forensic artifacts. Filesystem and user activity have the longest persistence. Volatile artifacts have the highest reliability but are lost at shutdown. System artifacts are the most frequently targeted by anti-forensics.
Filesystem artifacts: what happened to files
Filesystem artifacts answer the fundamental forensic question: what files existed; when they were created, modified, accessed, or deleted; and how they got there. On NTFS, the primary source is the Master File Table ($MFT), which contains a record for every file and directory on the volume. Each record stores multiple timestamps, the file path via parent directory references, the file size, and, for small files, the file content itself.
The $MFT is the single most important forensic artifact on a Windows system. It persists until the volume is formatted. It records files that have been deleted (the MFT record is marked as free but not zeroed). It provides nanosecond-precision timestamps that reveal the exact sequence of file operations. And it stores two independent sets of timestamps ($STANDARD_INFORMATION and $FILE_NAME) that can be compared to detect timestomping.
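The $STANDARD_INFORMATION versus $FILE_NAME comparison described above, as an added example that is not part of the original page: it runs the two common timestomping checks over already-parsed MFT records. The record layout and the sample values are assumptions constructed for the example, not output from a real volume.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# NTFS stores timestamps as FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH_DIFF = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000

def filetime_to_iso(ft: int) -> str:
    secs = (ft - FILETIME_EPOCH_DIFF) / TICKS_PER_SECOND
    return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()

@dataclass
class MftRecord:
    path: str
    si_created: int   # $STANDARD_INFORMATION creation time (settable from user mode)
    si_modified: int  # $STANDARD_INFORMATION last-modified time
    fn_created: int   # $FILE_NAME creation time (written by the NTFS driver)

def timestomp_indicators(rec: MftRecord) -> list:
    """Return the timestomping indicators present in one parsed MFT record."""
    findings = []
    # $FILE_NAME timestamps are copied from $STANDARD_INFORMATION when the file is
    # created or renamed, so an $SI creation time earlier than the $FN creation
    # time does not arise through normal use; it is the classic sign that $SI
    # was set backwards.
    if rec.si_created < rec.fn_created:
        findings.append("SI_CREATED_BEFORE_FN_CREATED")
    # Timestamp-setting utilities commonly write whole seconds, leaving the
    # sub-second ticks at zero. Archive extraction can do the same, so treat
    # this as an indicator to verify, not as proof.
    if rec.si_created % TICKS_PER_SECOND == 0 and rec.si_modified % TICKS_PER_SECOND == 0:
        findings.append("SI_SUBSECOND_ZEROED")
    return findings

def scan(records) -> dict:
    """Map each suspicious path to its indicators; clean records are omitted."""
    return {r.path: timestomp_indicators(r) for r in records if timestomp_indicators(r)}

# Constructed sample records (assumed values, not taken from a real volume).
SAMPLE = [
    MftRecord(r"C:\Users\jdoe\Documents\budget.xlsx",
              si_created=133_500_000_001_234_567, si_modified=133_500_100_001_234_567,
              fn_created=133_500_000_001_234_567),
    MftRecord(r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
              si_created=132_000_000_000_000_000, si_modified=132_000_000_000_000_000,
              fn_created=133_500_200_000_555_000),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE).items():
        print(path, hits, "SI created:", filetime_to_iso(next(r.si_created for r in SAMPLE if r.path == path)))
```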
Supporting the $MFT are two change logs. The USN Journal ($UsnJrnl:$J) records every change to every file on the volume with a timestamp and reason code. On a typical enterprise workstation, the journal (default 32MB) may retain 24-48 hours on a busy system or weeks on a quiet one. The $LogFile records NTFS transactions at a lower level, providing redo/undo operations that can recover file operations even when the USN Journal has been cleared. The directory index ($I30) provides deleted file evidence in index slack space, persisting until the directory index is compacted.
Execution artifacts: what programs ran
Execution artifacts answer the second fundamental question: what programs ran, when, how many times, and what did they access. Windows maintains multiple independent records of program execution, each capturing different aspects.
This is what a Prefetch record looks like when parsed with PECmd. It answers "was this program run?" with high confidence:
This single Prefetch file proves 7-Zip executed 14 times, shows the last 8 execution timestamps, and reveals which folders the program accessed during execution. For an insider threat investigation, the directories referenced during execution tell you where the archiving tool read files from.
Anti-Pattern
Relying on event logs alone for forensic investigations
Event logs are essential but incomplete. Default Security log settings don't capture process command lines. Default PowerShell logging doesn't capture script block content. Without Sysmon, there are no process creation events with parent process information. Even with comprehensive logging, event logs cannot answer "which folder did the user browse" (ShellBags), "how many bytes did this application send" (SRUM), "what was the SHA1 hash of the executed file" (Amcache), or "did the user access this file via Word or the file browser" (Jump Lists).
Prefetch is the strongest single-source execution evidence. Located in C:\Windows\Prefetch\, each .pf file records the executable name, a path hash, the last 8 execution timestamps (Windows 8+), the total execution count, and files referenced during the first 10 seconds of each execution. Prefetch files are created by the SysMain service, not by the program itself.
Amcache.hve at C:\Windows\appcompat\Programs\Amcache.hve records the file path, SHA1 hash, file size, publisher, and a timestamp. The SHA1 hash is particularly valuable for threat intelligence comparison. Shimcache in the SYSTEM hive records compatibility lookups. On Windows 10+, presence includes an execution flag. On earlier versions, presence only proves evaluation, not execution.
BAM and DAM (Windows 10 1709+) record full executable paths with timestamps and user SIDs, providing user-level execution attribution that Prefetch and Amcache lack. UserAssist in NTUSER.DAT records GUI program execution (ROT13 encoded) with execution count and last execution timestamp, specifically for programs launched through the Windows shell.
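The UserAssist decoding mentioned above, as an added example that is not part of the original page: it reverses the ROT13 value names and reads the run count and last-execution FILETIME from the 72-byte Windows 7+ value layout. The sample entries are constructed for the example (assumed values, not exported from a real NTUSER.DAT).

```python
import codecs
import struct
from datetime import datetime, timezone

FILETIME_EPOCH_DIFF = 116_444_736_000_000_000  # FILETIME ticks at 1970-01-01 UTC

def decode_userassist_name(value_name: str) -> str:
    """Value names under UserAssist\\{GUID}\\Count are ROT13 obfuscated."""
    return codecs.decode(value_name, "rot_13")

def parse_userassist_value(data: bytes) -> dict:
    """Parse the 72-byte Windows 7+ value layout: run count at offset 4,
    last-execution FILETIME at offset 60 (zero when the program never ran)."""
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value length: {len(data)}")
    run_count = struct.unpack_from("<I", data, 4)[0]
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    last_run = None
    if last_run_ft:
        secs = (last_run_ft - FILETIME_EPOCH_DIFF) / 10_000_000
        last_run = datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()
    return {"run_count": run_count, "last_run": last_run}

def decode_entries(raw_entries: dict) -> list:
    """Decode a {rot13_name: value_bytes} mapping into rows sorted by last run."""
    rows = []
    for name, data in raw_entries.items():
        row = {"program": decode_userassist_name(name)}
        row.update(parse_userassist_value(data))
        rows.append(row)
    return sorted(rows, key=lambda r: r["last_run"] or "", reverse=True)

def build_sample_value(run_count: int, last_run_ft: int) -> bytes:
    """Construct a 72-byte value for testing: session id, run count, focus count,
    focus time, 11 dwords this parser does not use, FILETIME, trailing dword."""
    return (struct.pack("<IIII", 0, run_count, 0, 0) + b"\x00" * 44
            + struct.pack("<Q", last_run_ft) + b"\x00" * 4)

# Constructed sample entries (assumed values, not from a real hive).
SAMPLE_ENTRIES = {
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\7m.rkr": build_sample_value(14, 133_541_172_000_000_000),
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr": build_sample_value(0, 0),
}

if __name__ == "__main__":
    for row in decode_entries(SAMPLE_ENTRIES):
        print(row)
```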
User activity artifacts: what the user interacted with
User activity artifacts matter most in insider threat and unauthorized access investigations. They record folder navigation, file opening, and application-specific file history, persisting even after the files themselves are deleted.
ShellBags in NTUSER.DAT and UsrClass.dat record every folder the user navigated in Explorer, including folders that have since been deleted. LNK files are created automatically in the Recent folder when a file is opened, containing the target file's full path, three timestamp sets, file size, volume serial number, and the machine's NetBIOS name. Jump Lists provide per-application recent file history, proving not just that a file was accessed but which application opened it.
System artifacts: OS events and configuration
Windows Event Logs provide timestamped records of security events (logon/logoff, process creation, privilege use), system events (service changes, driver loading), and application events (PowerShell execution, Sysmon telemetry, Defender detections). Event Logs are the most commonly targeted artifact in anti-forensic operations.
The Windows Registry stores system configuration, user preferences, and critically for forensics: persistence mechanisms, USB device connections, network history, user accounts, and installed software. Five hive files contain the bulk of forensic evidence: SYSTEM, SOFTWARE, SAM, NTUSER.DAT, and UsrClass.dat.
Network and volatile artifacts
Network artifacts bridge endpoint activity and external communication. SRUM (System Resource Usage Monitor) records per-application network usage with 30+ days of history. Browser artifacts capture URLs, downloads, and cookies. DNS cache records recent resolutions. Cloud sync logs (OneDrive, Dropbox, Teams) record file synchronization activity.
Volatile artifacts exist only in memory and are lost at shutdown: process lists, active network connections, loaded DLLs (including injected modules), in-memory registry state, and clipboard content. Volatile artifacts have the highest reliability (they represent the current actual state) but zero persistence. For active compromise investigations, collect volatile evidence first.
Investigation Principle
Match the artifact collection scope to the investigation question, not to a maximum-collection default. An insider threat investigation targeting "did this person copy restricted files?" needs ShellBags, LNK files, and USN Journal. A ransomware investigation needs Prefetch, Amcache, Event Logs, and registry persistence. You can always perform a supplementary collection after initial findings narrow the scope.
Artifact selection by investigation type
Common analysis issues
"This taxonomy has too many artifact types — I can't learn them all." You don't analyze all artifact types in every investigation. The taxonomy is a reference that ensures you know what exists so you can select the right artifacts for each investigation type. An insider threat investigation focuses on user activity and network artifacts. A ransomware investigation focuses on execution and system artifacts. The selection matrix at the end of this subsection maps investigation types to artifact priorities.
"We use EDR — our EDR captures all of this." EDR captures process telemetry, file operations, network connections, and registry modifications in real time. What EDR does not capture: ShellBag history (folder browsing), SRUM data transfer volumes, Amcache SHA1 hashes for files that were deleted before EDR ingested them, LNK file metadata for files accessed before EDR was deployed, or MFT resident data for small files. EDR is a powerful current-state telemetry source. Forensic artifacts are a historical record that predates and extends beyond EDR's collection window.
"Volatile artifacts are too fragile — we should focus on disk artifacts." For historical investigations (what happened over the last 30 days), disk artifacts are primary. For active compromise investigations (what is the attacker doing right now), volatile artifacts are essential. The decision depends on the investigation timeline: if you're reconstructing past activity, prioritize disk artifacts. If you're investigating an ongoing compromise, collect volatile evidence first — then image the disk.
System artifacts: what the operating system recorded
System artifacts capture operating system events — authentication, process execution, service management, scheduled tasks, and configuration changes. The primary system artifacts are Windows Event Logs and the Windows Registry.
Windows Event Logs (EVTX format) provide timestamped records of security events (logon/logoff, process creation, privilege use, object access), system events (service state changes, driver loading, shutdown/restart), and application events (including PowerShell script execution, Sysmon telemetry, and Windows Defender detections). Event Logs are the most commonly targeted artifact in anti-forensic operations — clearing the Security log is often the attacker's first post-compromise action.
The Windows Registry stores system configuration, user preferences, application settings and, critically for forensics, evidence of persistence mechanisms, USB device connections, network history, user accounts, and installed software. Five hive files contain the bulk of forensic evidence: SYSTEM (hardware config, services, USB, network), SOFTWARE (installed programs, network profiles, OS info), SAM (user accounts, logon data), NTUSER.DAT (per-user settings, MRU lists, UserAssist, TypedPaths), and UsrClass.dat (per-user class registration, ShellBags).
Network artifacts: what external communication occurred
Network artifacts bridge the gap between endpoint activity and external communication. They answer questions about what the system connected to, how much data was transferred, and what external resources were accessed.
SRUM (System Resource Usage Monitor) is the most underutilized forensic artifact in most investigations. Stored in C:\Windows\System32\sru\SRUDB.dat, it records per-application network usage (bytes sent and received), CPU time, memory usage, and energy consumption, with hourly granularity over 30-60 days. In data exfiltration investigations, SRUM provides quantitative evidence of how much data was transferred by each application, replacing the imprecise "the user could have exfiltrated data" with "OneDrive.exe sent 4.7GB between March 1 and March 15."
Browser artifacts (history, downloads, cache, cookies) provide evidence of web-based activity. Cloud storage artifacts (OneDrive, Dropbox, Google Drive sync logs) provide evidence of cloud-based file transfer. DNS cache provides evidence of recent name resolution. Wi-Fi profiles provide evidence of network connections.
Artifact interaction and correlation
No single artifact category answers an investigation question alone. The filesystem tells you what files exist. The execution artifacts tell you what programs ran. The user activity artifacts tell you what the user interacted with. But the investigation question is usually: "Did this user run this program to access this file at this time?" Answering that requires correlating across categories: MFT timestamps (filesystem) with Prefetch entries (execution) with ShellBags (user activity) with Event Log authentication (system). The taxonomy is a mental organizer. The investigation is a cross-category correlation exercise.
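The cross-category correlation described above, as an added example that is not part of the original page: it merges events parsed from the four artifact categories into one timeline, pivots around an anchor event (here a Prefetch run), and reports whether every category contributes evidence inside the window. The Event structure, the five-minute window and the timeline entries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Event:
    ts: datetime
    category: str   # filesystem | execution | user_activity | system
    source: str     # artifact that produced the event
    detail: str

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed timeline fragments, one or two per artifact category (assumed data).
TIMELINE = sorted([
    Event(ts("2024-03-05T12:58:10"), "system", "Security 4624", "interactive logon by jdoe"),
    Event(ts("2024-03-05T12:59:40"), "user_activity", "ShellBags", r"browsed \\fs01\Finance\Restricted"),
    Event(ts("2024-03-05T13:00:00"), "execution", "Prefetch 7Z.EXE", "run #14"),
    Event(ts("2024-03-05T13:00:12"), "filesystem", "$MFT", r"created E:\finance.7z"),
    Event(ts("2024-03-05T13:00:13"), "filesystem", "$UsnJrnl:$J", "DATA_EXTEND finance.7z"),
    Event(ts("2024-03-04T09:15:00"), "execution", "Prefetch 7Z.EXE", "run #13"),
], key=lambda e: e.ts)

def pivot(timeline, anchor: Event, window=timedelta(minutes=5)) -> list:
    """All events within +/- window of the anchor, in time order."""
    return [e for e in timeline if abs(e.ts - anchor.ts) <= window]

def categories_covered(events) -> list:
    return sorted({e.category for e in events})

REQUIRED = ("execution", "filesystem", "system", "user_activity")

def corroborated(timeline, anchor: Event, required=REQUIRED) -> bool:
    """True when every required category has evidence inside the anchor's window,
    i.e. the execution is tied to a logon, folder browsing and a file result."""
    return all(c in categories_covered(pivot(timeline, anchor)) for c in required)

def find(timeline, detail: str) -> Event:
    return next(e for e in timeline if e.detail == detail)

if __name__ == "__main__":
    anchor = find(TIMELINE, "run #14")
    for e in pivot(TIMELINE, anchor):
        print(e.ts.isoformat(), e.category, e.source, e.detail)
    print("corroborated:", corroborated(TIMELINE, anchor))
```

Run #13 on the previous day has no logon, browsing or file evidence nearby, so the same check returns False for it; that is the difference between "the program ran" and "the user ran it to produce this file".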