Forensic Analysis
Artifacts, Tools & Investigation Methods
Document 3 of 5 | Cybersecurity Forensics Series
Prepared: May 2026
1. Introduction to Forensic Analysis
Forensic analysis is the systematic examination of acquired digital evidence to reconstruct
events, identify actors, and answer investigative questions. Unlike acquisition, which is a
mechanical process, analysis requires skill, knowledge, and judgment. The same evidence can
yield vastly different conclusions depending on the investigator's expertise.
Analysis involves examining file system artifacts, registry entries, log files, memory contents,
network traffic, and application data. Each artifact type tells part of the story; the investigator's
task is to weave these pieces into a coherent timeline of events.
2. File System Forensics
2.1 NTFS Forensics (Windows)
NTFS (New Technology File System) is the default Windows file system and contains a wealth
of forensic artifacts. The Master File Table (MFT) is the heart of NTFS — it contains an entry for
every file and directory, including entries of deleted files, which survive until they are
overwritten by new allocations.
2.2 Key NTFS Artifacts
| Artifact | Forensic Value |
|---|---|
| $MFT (Master File Table) | Complete file listing including deleted files, timestamps, file size, and location |
| $LogFile | NTFS transaction log showing recent file system operations |
| $UsnJrnl (Change Journal) | Record of all file/directory changes with timestamps and operation types |
| Alternate Data Streams | Hidden data attached to files that can conceal malware or exfiltrated data |
| File Timestamps (MACB) | Modified, Accessed, Changed, Birth times for each file |
| Recycle Bin ($[Link]) | Deleted files with original paths and deletion timestamps |
| Volume Shadow Copies | Point-in-time snapshots containing previous file versions |
2.3 Timestamp Analysis (MACB)
Every file has four timestamps in NTFS: Modified (last content modification), Accessed (last
read), Changed ($MFT entry change), and Born (file creation). These timestamps can be
manipulated by attackers — a technique called timestomping — but inconsistencies between
the MFT timestamps and the $UsnJrnl often reveal manipulation.
Anti-Forensics Alert
Timestomping is the deliberate modification of file timestamps to obscure malicious
activity. Tools like Metasploit's timestomp module can alter all four MACB timestamps.
Always cross-reference timestamps from multiple sources: MFT, $LogFile, $UsnJrnl, event logs.
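To make the cross-referencing concrete, here is an added example (not part of the original document) that compares the $STANDARD_INFORMATION timestamps of constructed $MFT records against constructed $UsnJrnl records and reports the kinds of inconsistency the text describes: a creation time earlier than the journal's FILE_CREATE record, a modification time earlier than the last journaled write, and sub-second fields that are all zero. The field names and the sample records are assumptions; real parser output uses other schemas.

```python
"""Cross-check $MFT $STANDARD_INFORMATION timestamps against $UsnJrnl records.

Added example, not part of the original document. The records below are
constructed to resemble the output of an MFT parser and a USN journal parser;
the field names (si_created, si_modified, reason, ...) are my own and do not
match any particular tool's schema.
"""
from datetime import datetime, timezone

# Constructed parsed $MFT records. $SI times are written as ISO 8601 with the
# seven fractional digits (100 ns ticks) that NTFS FILETIME values carry.
MFT_RECORDS = [
    {"name": "report.docx",
     "si_created": "2024-03-01T09:15:22.1234567Z",
     "si_modified": "2024-03-02T14:02:10.9876543Z"},
    {"name": "svchost.exe",  # dropped into a user profile and backdated
     "si_created": "2019-07-14T03:20:00.0000000Z",
     "si_modified": "2019-07-14T03:20:00.0000000Z"},
]

# Constructed $UsnJrnl records. The journal is append-only and timestamped by
# NTFS itself, so it records when the file was really created and written.
USN_RECORDS = [
    {"name": "report.docx", "time": "2024-03-01T09:15:22.1234567Z", "reason": "FILE_CREATE"},
    {"name": "report.docx", "time": "2024-03-02T14:02:10.9876543Z", "reason": "DATA_EXTEND|CLOSE"},
    {"name": "svchost.exe", "time": "2024-03-05T22:41:07.5550000Z", "reason": "FILE_CREATE"},
    {"name": "svchost.exe", "time": "2024-03-05T22:41:08.0010000Z", "reason": "DATA_EXTEND|CLOSE"},
    {"name": "svchost.exe", "time": "2024-03-05T22:41:09.2200000Z", "reason": "BASIC_INFO_CHANGE|CLOSE"},
]


def parse_filetime_iso(text):
    """Return (aware UTC datetime, 100 ns ticks within the second)."""
    base, _, rest = text.rstrip("Z").partition(".")
    when = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    ticks = int(rest.ljust(7, "0")[:7]) if rest else 0
    return when, ticks


def check_file(mft, usn_records):
    """Return a list of reasons the $SI timestamps of one file look manipulated."""
    findings = []
    created, c_ticks = parse_filetime_iso(mft["si_created"])
    modified, m_ticks = parse_filetime_iso(mft["si_modified"])

    # Heuristic: tools that set timestamps through second-granularity APIs leave
    # the 100 ns field at zero; NTFS itself almost never does.
    if c_ticks == 0 and m_ticks == 0:
        findings.append("sub-second fields of $SI timestamps are all zero")

    journal = [(parse_filetime_iso(r["time"])[0], r["reason"])
               for r in usn_records if r["name"] == mft["name"]]
    creates = [t for t, reason in journal if "FILE_CREATE" in reason]
    writes = [t for t, reason in journal
              if "DATA_EXTEND" in reason or "DATA_OVERWRITE" in reason]

    # A file cannot have been created before the journal saw it being created,
    # nor last modified before the journal's last record of a data write.
    if creates and created < min(creates):
        findings.append("$SI creation time predates the FILE_CREATE journal record")
    if writes and modified < max(writes):
        findings.append("$SI modification time predates the last journaled data write")

    # BASIC_INFO_CHANGE is logged for any attribute or timestamp update, so on
    # its own it is only corroborating evidence, not proof of tampering.
    if findings and any("BASIC_INFO_CHANGE" in reason for _, reason in journal):
        findings.append("journal records a timestamp/attribute change on this file")
    return findings


def audit(mft_records=MFT_RECORDS, usn_records=USN_RECORDS):
    """Map each file name to its findings (an empty list means consistent)."""
    return {m["name"]: check_file(m, usn_records) for m in mft_records}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'SUSPECT' if findings else 'consistent'}")
        for finding in findings:
            print(f"  - {finding}")
```

The same logic applies to any pair of independent timestamp sources; the journal is used here because it is written by the file system itself rather than through the API an attacker calls.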
3. Windows Registry Forensics
The Windows Registry is a hierarchical database storing configuration settings for the operating
system and installed applications. For forensic investigators, it is one of the richest sources of
evidence, containing records of user activity, installed software, connected devices, network
connections, and much more.
3.1 Key Registry Hives
| Hive | Location | Forensic Relevance |
|---|---|---|
| SYSTEM | C:\Windows\System32\config\SYSTEM | Services, drivers, mounted devices, USB history |
| SOFTWARE | C:\Windows\System32\config\SOFTWARE | Installed programs, Windows settings, run keys |
| SAM | C:\Windows\System32\config\SAM | Local user accounts and password hashes |
| SECURITY | C:\Windows\System32\config\SECURITY | Security policies, cached domain credentials |
| [Link] | C:\Users\<user>\[Link] | Per-user settings, recently opened files, typed URLs |
| [Link] | C:\Users\<user>\AppData\Local | Shell bag data, folder view settings |
3.2 Critical Registry Forensic Keys
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run — Programs set to auto-start (persistence)
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs — Recently accessed documents
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths — URLs typed in Explorer
• HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR — USB devices ever connected
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU — Files opened via dialogs
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList — Networks the system connected to
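The Run key heads the list because it is the persistence location an investigator checks first. As an added example (not from the original document), the script below parses a constructed .reg export of the Run keys and flags entries whose program lives in a user-writable directory. The entry names, paths, the %windir% expansion table and the directory heuristic are assumptions made for the sample; only REG_SZ values are handled.

```python
"""Triage autostart entries in a .reg export of the Run/RunOnce keys.

Added example, not part of the original document. The export text below is
constructed; the entry names, paths and the environment-variable table are
assumptions, and only string (REG_SZ) values are parsed.
"""
import re

# Constructed export in the format regedit writes (real exports are UTF-16 text
# with doubled backslashes and escaped quotes, reproduced here as a raw string).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\upd\\svc.exe\" -q"
"Helper"="C:\\Users\\alice\\AppData\\Local\\Temp\\h.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Assumed environment-variable expansions for a default installation.
ENV = {"%windir%": r"C:\Windows", "%SystemRoot%": r"C:\Windows",
       "%ProgramFiles%": r"C:\Program Files"}

# Starting heuristic: autostart binaries in user-writable directories deserve a
# closer look. Legitimate software does this too, so this is triage, not a verdict.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def unescape(text):
    """Undo the backslash escaping used in .reg exports."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg_export(text):
    """Yield (key_path, value_name, string_data) for every REG_SZ value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ only
                yield key, unescape(m.group(1)), unescape(data[1:-1])


def executable_from_command(command):
    """Extract the program path from a Run value and expand known variables."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        # Assumption: an unquoted path contains no spaces (true for the sample).
        exe = command.split(" ", 1)[0]
    for var, value in ENV.items():
        exe = re.sub(re.escape(var), lambda _m, v=value: v, exe, flags=re.IGNORECASE)
    return exe


def triage_run_keys(text=SAMPLE_REG):
    """Return one record per autostart entry with a suspicious flag."""
    results = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            continue
        exe = executable_from_command(data)
        suspicious = any(marker in exe.lower() for marker in SUSPICIOUS_DIRS)
        results.append({"key": key, "name": name, "exe": exe, "suspicious": suspicious})
    return results


if __name__ == "__main__":
    for entry in triage_run_keys():
        flag = "REVIEW" if entry["suspicious"] else "ok"
        print(f"[{flag}] {entry['key']}\\{entry['name']} -> {entry['exe']}")
```

Flagged entries are leads to verify against the binary itself (signature, hash, timestamps), not conclusions; the same parser serves the other autostart locations once their key paths are added to the filter.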
4. Windows Event Log Forensics
Windows Event Logs record system, security, and application events. They are an invaluable
timeline source for forensic investigations. Key logs include Security (logon/logoff, privilege
use), System (service starts/stops, hardware changes), and Application logs.
4.1 Critical Event IDs
| Event ID | Description |
|---|---|
| 4624 | Successful logon — includes logon type, username, source IP |
| 4625 | Failed logon attempt — brute force indicator |
| 4648 | Logon with explicit credentials — lateral movement indicator |
| 4688 | Process creation — shows what programs were launched and by whom |
| 4698 | Scheduled task created — persistence mechanism |
| 4720 | User account created |
| 4732 | Member added to security group |
| 7045 | New service installed — common malware persistence method |
| 4663 | Object access — file/folder read or write |
| 1102 | Security log cleared — strong indicator of anti-forensics |
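The following is an added example, not from the original document, that applies two of the table's indicators to a constructed Security log excerpt: it groups 4625 failures per source address to find a guessing burst, checks whether a 4624 from the same source follows the burst, and reports any 1102. The dict keys, the threshold and window, and the sample events are assumptions; parsed EVTX uses different field names.

```python
"""Detect a password-guessing burst and a cleared Security log in event data.

Added example, not part of the original document. The events are constructed
to resemble fields parsed from Security.evtx (event ID, account, source
address); the dict keys are my own, not the EVTX schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log excerpt: six failures from one host in 15 seconds,
# then a success from the same host; one unrelated mistyped password; then a
# log clear later the same evening.
EVENTS = [
    {"time": f"2024-03-05T22:30:{s:02d}", "id": 4625, "user": "admin", "src_ip": "10.0.0.55"}
    for s in (1, 4, 7, 10, 13, 16)
] + [
    {"time": "2024-03-05T22:30:20", "id": 4624, "user": "admin", "src_ip": "10.0.0.55", "logon_type": 3},
    {"time": "2024-03-05T22:31:02", "id": 4625, "user": "bob", "src_ip": "10.0.0.23"},
    {"time": "2024-03-05T22:33:15", "id": 4624, "user": "bob", "src_ip": "10.0.0.23", "logon_type": 2},
    {"time": "2024-03-05T22:45:09", "id": 1102, "user": "admin", "src_ip": None},
]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold 4625s inside `window`, plus any 4624 that follows."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        when = datetime.fromisoformat(e["time"])
        if e["id"] == 4625:
            failures[e["src_ip"]].append(when)
        elif e["id"] == 4624:
            successes[e["src_ip"]].append((when, e["user"]))

    alerts = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            # Extend the window forward from failure i while it still fits.
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 < threshold:
                continue
            burst_end = times[j]
            # A success from the same source shortly after the burst is what
            # turns "noisy" into "probably compromised".
            followed = [user for when, user in successes.get(ip, [])
                        if burst_end <= when <= burst_end + window]
            alerts.append({"rule": "brute_force", "src_ip": ip, "failures": j - i + 1,
                           "first": times[i].isoformat(), "last": burst_end.isoformat(),
                           "success_after": followed})
            break  # one alert per source is enough for triage
    return alerts


def detect_log_cleared(events):
    """Event 1102 means the Security log was cleared; always worth an alert."""
    return [{"rule": "log_cleared", "time": e["time"], "user": e["user"]}
            for e in events if e["id"] == 1102]


def triage_events(events=EVENTS):
    """Run all rules and return the combined alert list."""
    return detect_brute_force(events) + detect_log_cleared(events)


if __name__ == "__main__":
    for alert in triage_events():
        print(alert)
```

On a real system the 4625 records also carry a failure status and sub-status code, which separate bad passwords from locked or non-existent accounts and sharpen the rule further.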
5. Memory Forensics
5.1 Memory Analysis with Volatility
Volatility is the premier open-source memory forensics framework, supporting Windows, Linux,
and macOS memory images. It provides plugins to extract processes, network connections,
loaded modules, injected code, and much more from memory dumps.
5.2 Essential Volatility Commands
• imageinfo / info — Identify the OS version and architecture of the memory image
• pslist / pstree — List running processes with parent-child relationships
• psscan — Scan for EPROCESS structures (finds hidden/terminated processes)
• cmdline — Show command line arguments for each process
• netscan / connections — List active and recently closed network connections
• dlllist — List DLLs loaded by each process
• malfind — Detect memory regions with suspicious characteristics (injected code)
• hashdump — Extract NTLM password hashes from the SAM database in memory
• filescan — Scan for FILE_OBJECT structures to find open files
• dumpfiles — Extract files from memory for further analysis
5.3 Detecting Code Injection
Code injection is a technique used by malware to hide within legitimate processes. Common
injection methods include DLL injection, process hollowing, reflective DLL injection, and
AtomBombing. Memory forensics can detect these through analysis of memory permissions
(executable permissions on regions that should not be executable, such as heaps and other
private memory), discrepancies between process names and loaded modules, and the malfind
plugin's detection of VAD (Virtual Address Descriptor) regions with suspicious properties.
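The following added example (not part of the original document, and not Volatility's code) expresses the two checks described above as plain logic over constructed process and VAD records: a malfind-style test for private memory that is both writable and executable or that starts with a PE header, and a comparison of each process's image path with where a process of that name is expected to run. The record fields and the expected-path table are assumptions.

```python
"""Malfind-style triage of VAD regions and process image paths.

Added example, not part of the original document and not Volatility's own
code. The process and VAD records are constructed to resemble fields that
memory-forensics tools report (protection, backing file, first bytes); the
EXPECTED_IMAGE_PATHS table is my own assumption about a default install.
"""

# Where a few well-known Windows processes are expected to run from (assumed).
EXPECTED_IMAGE_PATHS = {
    "svchost.exe": r"C:\Windows\System32\svchost.exe",
    "explorer.exe": r"C:\Windows\explorer.exe",
    "lsass.exe": r"C:\Windows\System32\lsass.exe",
}

# Constructed process list: one svchost.exe lives outside System32.
PROCESSES = [
    {"pid": 912, "name": "svchost.exe", "image_path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 2208, "name": "explorer.exe", "image_path": r"C:\Windows\explorer.exe"},
    {"pid": 4412, "name": "svchost.exe", "image_path": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
]

# Constructed VAD records. `first_bytes` stands in for the start of the region;
# b"\x90" * 4 is a placeholder, not real injected code.
VADS = [
    {"pid": 912, "start": 0x7FF6A0000000, "end": 0x7FF6A00AFFFF, "protection": "PAGE_EXECUTE_WRITECOPY",
     "mapped_file": r"\Windows\System32\svchost.exe", "first_bytes": b"MZ\x90\x00"},
    {"pid": 2208, "start": 0x1D3A5E00000, "end": 0x1D3A5E1FFFF, "protection": "PAGE_EXECUTE_READWRITE",
     "mapped_file": None, "first_bytes": b"MZ\x90\x00"},
    {"pid": 2208, "start": 0x1D3A6000000, "end": 0x1D3A60FFFFF, "protection": "PAGE_READWRITE",
     "mapped_file": None, "first_bytes": b"\x00\x00\x00\x00"},
    {"pid": 912, "start": 0x250000, "end": 0x25FFFF, "protection": "PAGE_EXECUTE_READWRITE",
     "mapped_file": None, "first_bytes": b"\x90" * 4},
]


def vad_reasons(vad):
    """Return why a region looks like injected code (empty list: nothing odd)."""
    reasons = []
    private = vad["mapped_file"] is None
    prot = vad["protection"]
    # Image sections are EXECUTE_WRITECOPY and file-backed; private memory that
    # is both writable and executable is the classic malfind hit. JIT engines
    # (.NET, browsers) produce the same pattern, so treat it as a lead.
    if private and "EXECUTE" in prot and "WRITE" in prot:
        reasons.append("private memory that is writable and executable")
    # A PE header in memory with no backing file is consistent with reflective
    # loading or a manually mapped module.
    if private and vad["first_bytes"].startswith(b"MZ"):
        reasons.append("PE header in memory not backed by a file")
    return reasons


def image_path_mismatch(proc):
    """Compare a process's image path with where that name should run from."""
    expected = EXPECTED_IMAGE_PATHS.get(proc["name"].lower())
    if expected and proc["image_path"].lower() != expected.lower():
        return f"{proc['name']} runs from {proc['image_path']}, expected {expected}"
    return None


def triage_memory(processes=PROCESSES, vads=VADS):
    """Collect image-path and VAD findings as (pid, description) records."""
    findings = []
    for proc in processes:
        msg = image_path_mismatch(proc)
        if msg:
            findings.append({"pid": proc["pid"], "finding": msg})
    for vad in vads:
        for reason in vad_reasons(vad):
            findings.append({"pid": vad["pid"],
                             "finding": f"VAD {vad['start']:#x}-{vad['end']:#x}: {reason}"})
    return findings


if __name__ == "__main__":
    for f in triage_memory():
        print(f"pid {f['pid']}: {f['finding']}")
```

Regions flagged this way are candidates for dumping and static analysis; the region in explorer.exe that is both RWX and starts with MZ is the strongest hit in the sample, while the RWX region with no header is the kind that needs context before it means anything.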
6. Log Analysis and Timeline Reconstruction
6.1 Building a Super Timeline
A super timeline aggregates timestamps from multiple sources — file system, registry, event
logs, browser history, prefetch files, link files, and more — into a single chronological record.
Tools like log2timeline (Plaso) automate this process, creating a timeline that can contain
millions of events.
Timeline analysis helps investigators identify the initial compromise, track attacker movement
through the environment, identify data accessed or exfiltrated, and determine the sequence and
duration of malicious activity.
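As an added example that is neither the original document's nor Plaso's code, the script below builds a small super timeline from four constructed artifacts that each arrive in a different timestamp representation (100 ns ISO strings for the MFT, local time for the event log, a raw FILETIME integer for Prefetch, UTC for a registry LastWrite), converts all of them to UTC and sorts them into one sequence. The host's local offset, the record fields and the sample values are assumptions.

```python
"""Normalize timestamps from several artifact sources into one super timeline.

Added example, not part of the original document and not Plaso's code. The
records below are constructed; each uses the timestamp representation its
source really has, which is the point: a timeline is only useful once every
source has been moved onto one clock.
"""
from datetime import datetime, timedelta, timezone

EPOCH_DIFF_100NS = 116444736000000000  # 1601-01-01 to 1970-01-01 in 100 ns ticks

# Assumption for the constructed host: event log times were exported in local
# time with a -05:00 offset. Real exports should state their zone explicitly.
HOST_TZ = timezone(timedelta(hours=-5))


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns since 1601-01-01 UTC) to a UTC datetime."""
    seconds, ticks = divmod(filetime - EPOCH_DIFF_100NS, 10_000_000)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=ticks // 10)


def iso_100ns_to_datetime(text):
    """Parse 'YYYY-MM-DDTHH:MM:SS.fffffffZ' (seven fractional digits) as UTC."""
    base, _, frac = text.rstrip("Z").partition(".")
    when = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return when + timedelta(microseconds=int(frac.ljust(7, "0")[:7]) // 10)


def local_to_utc(text, tz=HOST_TZ):
    """Parse 'YYYY-MM-DD HH:MM:SS' recorded in the host's local zone and return UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)


# Constructed artifacts, deliberately out of order and in mixed representations.
RAW_ARTIFACTS = [
    {"source": "PREFETCH", "type": "last run", "time": 133541520720000000,
     "desc": "SVCHOST.EXE-<hash>.pf (user-profile copy)", "parse": filetime_to_datetime},
    {"source": "EVTX", "type": "4688 process created", "time": "2024-03-05 17:41:09",
     "desc": r"C:\Users\alice\AppData\Roaming\svchost.exe by alice", "parse": local_to_utc},
    {"source": "REG", "type": "key LastWrite", "time": "2024-03-05T22:41:10.0000000Z",
     "desc": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run value Updater added",
     "parse": iso_100ns_to_datetime},
    {"source": "MFT", "type": "$SI created", "time": "2024-03-05T22:41:07.5550000Z",
     "desc": r"C:\Users\alice\AppData\Roaming\svchost.exe", "parse": iso_100ns_to_datetime},
]


def build_timeline(artifacts=RAW_ARTIFACTS):
    """Return timeline rows sorted by UTC time."""
    rows = []
    for a in artifacts:
        when = a["parse"](a["time"])
        if when.tzinfo is None:
            raise ValueError(f"naive timestamp from {a['source']}; every row must carry a zone")
        rows.append({"time": when, "source": a["source"], "type": a["type"], "desc": a["desc"]})
    return sorted(rows, key=lambda r: r["time"])


def render(rows):
    """Simplified one-line-per-event rendering (not Plaso's output format)."""
    return "\n".join(
        f"{r['time'].isoformat(timespec='milliseconds')},{r['source']},{r['type']},{r['desc']}"
        for r in rows)


if __name__ == "__main__":
    print(render(build_timeline()))
```

Once sorted, the four rows read as a sequence (file written, process started, Run value added, Prefetch updated) that no single artifact shows on its own; the zone handling is where real timelines most often go wrong, so the builder refuses naive timestamps rather than guessing.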
6.2 Key Artifacts for Timeline Analysis
• Prefetch files: Record of program execution with timestamps and file references
• LNK files: Windows shortcut files recording recently accessed files with timestamps
• Jump Lists: Recent and pinned files for applications
• Browser history: Visited URLs, downloads, form data with precise timestamps
• $UsnJrnl: File system change journal with operation-level granularity
• Event logs: System events with second-level precision
• Shellbags: Records of folder access and navigation in Windows Explorer
Forensic analysis is as much art as science. The tools and techniques described here provide
the means to extract evidence, but interpreting that evidence correctly requires deep knowledge
of how operating systems work, how attackers operate, and how legitimate activity differs from
malicious behavior.