🕵️ Windows Forensics: Investigating Microsoft Systems 🧠🪟 From SOC analysts to blue teamers, mastering Windows forensics is key to detecting compromise, tracing attacker actions, and securing endpoints.
Here’s a quick breakdown of what to analyze and the tools that help uncover digital evidence:

🧰 Core Windows Forensics Areas

📁 1. File System Artifacts
• $MFT, $LogFile, $UsnJrnl – track file creation/deletion
• Recover deleted files using forensic tools
⌨️ 2. User Activity
• Analyze RunMRU, RecentDocs, Jump Lists, Shellbags
• Reveal executed commands, opened files, folder access

🧠 3. Memory Analysis
• Use Volatility or Rekall to:
 - List active processes
 - Dump DLLs / detect code injection
 - Extract creds from memory
🕒 4. Timeline Reconstruction
• Combine event logs, Prefetch, browser history, and timezone data
• Map attacker movement over time

🧩 5. Registry Keys
• Check persistence: Run, RunOnce, Services, AppInit_DLLs
• User behavior: TypedPaths, UserAssist, RecentApps
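One way to triage the Run / RunOnce persistence keys named above when all you have is a registry export from the endpoint. This is an added example, not code from the original thread: the `.reg` text is constructed, the "user-writable path" heuristic (binary launched from AppData, Temp, ProgramData or Users\Public) is a common triage rule rather than a verdict, and the function names are my own.

```python
"""Parse autorun entries out of a Windows .reg export and flag the ones that
launch from user-writable locations, which is where an analyst looks first.

Added example (not from the original thread). REG_EXPORT below is constructed
sample data in the standard 'Windows Registry Editor Version 5.00' format.
"""
import re

# Persistence locations from the thread; matched as key-path suffixes so the
# same rule works for HKCU and HKLM exports.
PERSISTENCE_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Path fragments that a normal user can write to; a startup binary living here
# deserves a closer look (assumed triage heuristic, not a definitive indicator).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# .reg value line:  "Name"="Data"   (both sides may contain \" and \\ escapes)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed export: two Run entries, one RunOnce entry and one unrelated key.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\jdoe\\AppData\\Roaming\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="cmd.exe /c del C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.bin"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"="C:\\Users\\jdoe\\Documents"
'''


def unescape(raw: str) -> str:
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", raw)


def is_persistence_key(key_path: str) -> bool:
    return key_path.lower().endswith(PERSISTENCE_KEYS)


def parse_autoruns(reg_text: str) -> list[dict]:
    """Return every value under a Run/RunOnce key as a dict with a triage flag."""
    results = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key section
            continue
        if current_key is None or not is_persistence_key(current_key):
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        command = unescape(m.group(2))
        results.append({
            "key": current_key,
            "name": unescape(m.group(1)),
            "command": command,
            "suspicious": any(frag in command.lower() for frag in USER_WRITABLE),
        })
    return results


def suspicious_autoruns(reg_text: str) -> list[dict]:
    """Only the entries worth escalating."""
    return [r for r in parse_autoruns(reg_text) if r["suspicious"]]


if __name__ == "__main__":
    for row in parse_autoruns(REG_EXPORT):
        flag = "REVIEW" if row["suspicious"] else "ok    "
        print(f"{flag} {row['key']}\\{row['name']} -> {row['command']}")
```

The heuristic deliberately errs toward false positives: a legitimate installer-dropped updater in AppData will be flagged too, and that is fine for a triage list the analyst will read by hand.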
📄 6. Event Log Analysis
• Review logs: Application, System, Security, PowerShell
• Key event IDs:
 - 4624 (logon)
 - 4688 (process creation)
 - 4720–4760 (user account changes)

🌐 7. Network Forensics
• Inspect firewall logs, DNS cache, netstat output
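The timeline-reconstruction point (section 4) and the key event IDs (section 6) fit together in one worked example: normalize records from two artifact sources to UTC, sort them, and label the Security event IDs the thread calls out. This is an added example, not code from the original thread; the records are constructed in the shape you would get after exporting Security.evtx and Prefetch data with a tool such as KAPE, and the field names, the host time zone and the sample values are assumptions.

```python
"""Build a normalized, sorted timeline from several artifact sources and tag
security-relevant Windows event IDs.

Added example (not from the original thread). SECURITY_EVENTS, PREFETCH_RECORDS
and HOST_TZ_OFFSET are constructed sample data; field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Event IDs called out in the thread, with the label an analyst assigns them.
KEY_EVENT_IDS = {
    4624: "logon",
    4688: "process creation",
}
# 4720-4760 covers user account management (create, enable, change, delete, group membership).
ACCOUNT_CHANGE_RANGE = range(4720, 4761)


def describe_event_id(event_id: int) -> str:
    """Return the analyst label for an event ID, or 'other' if it is not one we track."""
    if event_id in KEY_EVENT_IDS:
        return KEY_EVENT_IDS[event_id]
    if event_id in ACCOUNT_CHANGE_RANGE:
        return "user account change"
    return "other"


@dataclass(frozen=True)
class TimelineEntry:
    when_utc: datetime   # every entry is normalized to UTC before sorting
    source: str          # artifact the entry came from
    summary: str


def normalize(ts: str, tz_offset_hours: float) -> datetime:
    """Parse a naive 'YYYY-MM-DD HH:MM:SS' timestamp recorded in a given zone and return UTC.

    Prefetch and browser history are often exported in host local time while
    EVTX system time is UTC; mixing them without conversion mis-orders events.
    """
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=timezone(timedelta(hours=tz_offset_hours))).astimezone(timezone.utc)


def from_security_log(records: Iterable[dict]) -> list[TimelineEntry]:
    """Security.evtx records carry UTC timestamps (offset 0)."""
    entries = []
    for r in records:
        label = describe_event_id(r["EventID"])
        entries.append(TimelineEntry(
            normalize(r["TimeCreated"], 0),
            "Security.evtx",
            f"EID {r['EventID']} ({label}): {r['Detail']}",
        ))
    return entries


def from_prefetch(records: Iterable[dict], host_tz_offset_hours: float) -> list[TimelineEntry]:
    """Prefetch last-run times as exported in host local time."""
    return [
        TimelineEntry(normalize(r["LastRun"], host_tz_offset_hours), "Prefetch", f"executed {r['Executable']}")
        for r in records
    ]


def build_timeline(entries: Iterable[TimelineEntry]) -> list[TimelineEntry]:
    """Chronological order is what lets an analyst read attacker movement as a sequence."""
    return sorted(entries, key=lambda e: e.when_utc)


# Constructed sample data (not from any real incident).
SECURITY_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2025-07-04 22:05:10", "Detail": "logon type 10, user jdoe from 10.0.0.5"},
    {"EventID": 4672, "TimeCreated": "2025-07-04 22:05:11", "Detail": "special privileges assigned to new logon"},
    {"EventID": 4688, "TimeCreated": "2025-07-04 22:06:42", "Detail": "powershell.exe spawned by explorer.exe"},
    {"EventID": 4720, "TimeCreated": "2025-07-04 22:09:01", "Detail": "account 'svc_backup' created"},
]
HOST_TZ_OFFSET = -4.0  # constructed: the host clock was set to UTC-4
PREFETCH_RECORDS = [
    {"Executable": "POWERSHELL.EXE", "LastRun": "2025-07-04 18:06:40"},  # local time = 22:06:40 UTC
    {"Executable": "NET.EXE",        "LastRun": "2025-07-04 18:08:55"},  # local time = 22:08:55 UTC
]


def sample_timeline() -> list[TimelineEntry]:
    return build_timeline(from_security_log(SECURITY_EVENTS) + from_prefetch(PREFETCH_RECORDS, HOST_TZ_OFFSET))


if __name__ == "__main__":
    for e in sample_timeline():
        print(e.when_utc.strftime("%Y-%m-%dT%H:%M:%SZ"), e.source, e.summary)
```

Without the time-zone step the Prefetch entries would sort four hours before the logon and the sequence "logon, PowerShell launched, process-creation event, net.exe run, account created" would not be visible.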
🛠️ Go-To Tools
• Volatility
• KAPE
• FTK Imager
• Magnet AXIOM
• Autopsy
• Sysinternals Suite
• Event Log Explorer
⚠️ Disclaimer: For educational and authorized use only. Always perform forensic analysis in a controlled, legal environment. #WindowsForensics #DFIR #IncidentResponse #BlueTeamOps #CyberSecurity #MemoryForensics #RegistryAnalysis #SOCAnalyst #InfoSecTools #EducationOnly

Jul 4, 2025 · 11:15 PM UTC
