Windows Forensics Analysis — Windows Artifacts (Part II)


LNK Files Forensics

“.lnk” files are Windows shortcut files that link or point to other files or executables for ease of access. Besides the target itself, a shortcut stores metadata that is useful in an investigation, including:

  • Timestamps of both the target and the “.lnk” file (Created, Modified, Accessed).
  • File attributes (System, Hidden, etc.).
  • Details about the disk.
  • Remote or local execution.
  • MAC address of the machine.
  • Etc.
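As an added example (not the author's code or a tool the post describes), the parser below walks the shell link layout from the [MS-SHLLINK] specification and pulls out exactly the fields listed above: the target's three FILETIME stamps, size and attributes from the header; the drive type, serial, label and local path from LinkInfo; and, from the TrackerDataBlock, the NetBIOS name of the machine that created the shortcut plus the MAC address, which is the node field of the version 1 UUID Windows stores as the target file's object ID. The shortcut it parses is constructed inline, so every path, serial number, GUID, machine name and MAC in it is made up, and the key names in the returned dictionary are the example's own.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Layout constants from the [MS-SHLLINK] shell link format.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINK_INFO, HAS_RELATIVE_PATH, IS_UNICODE = 0x01, 0x02, 0x08, 0x80
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]  # order in which they appear in the file
TRACKER_SIGNATURE = 0xA0000003
ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
DRIVE_TYPES = {2: "REMOVABLE", 3: "FIXED", 4: "REMOTE", 5: "CDROM"}


def filetime_to_datetime(ticks):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; integer maths avoids float rounding."""
    return EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def cstring(buf, off):
    """NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Walk ShellLinkHeader -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData."""
    hdr_size, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    r = {"target_created": filetime_to_datetime(ctime), "target_accessed": filetime_to_datetime(atime),
         "target_modified": filetime_to_datetime(wtime), "target_size": size,
         "attributes": [name for bit, name in ATTRIBUTES.items() if attrs & bit]}
    pos = hdr_size
    if flags & HAS_IDLIST:  # shell item ID list: only its size is needed to step over it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: the target sat on a local volume
            _, drive_type, serial, label_off = struct.unpack_from("<IIII", data, pos + vol_off)
            r["drive_type"] = DRIVE_TYPES.get(drive_type, "UNKNOWN")
            r["drive_serial"] = f"{serial:08X}"
            r["volume_label"] = cstring(data, pos + vol_off + label_off)
            r["local_path"] = cstring(data, pos + base_off)
        pos += info_size
    for bit, key in STRING_DATA:  # CountCharacters (u16) then the characters, no NUL
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            r[key] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    while pos + 8 <= len(data):  # ExtraData blocks: BlockSize, BlockSignature, payload; size < 4 ends the list
        block_size, sig = struct.unpack_from("<II", data, pos)
        if block_size < 4:
            break
        if sig == TRACKER_SIGNATURE:  # TrackerDataBlock: MachineID at +16, Droid = volume GUID, file GUID at +32
            r["machine_id"] = data[pos + 16:pos + 32].split(b"\x00", 1)[0].decode("latin-1")
            file_droid = uuid.UUID(bytes_le=data[pos + 48:pos + 64])
            r["mac_address"] = ":".join(f"{b:02x}" for b in file_droid.bytes[-6:])  # node field of a v1 UUID
        pos += block_size
    return r


def build_sample_lnk():
    """Constructed sample, not a real artifact: a shortcut to a local .docx with a tracker block."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE
    created = datetime_to_filetime(datetime(2021, 3, 4, 10, 0, tzinfo=timezone.utc))
    modified = datetime_to_filetime(datetime(2021, 3, 5, 9, 30, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20, created, created, modified,
                         4096, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
    volume = struct.pack("<IIII", 19, 3, 0x1234ABCD, 16) + b"OS\x00"  # VolumeID: size, DRIVE_FIXED, serial, label
    base_path = b"C:\\Users\\alice\\Documents\\report.docx\x00"
    info_size = 28 + len(volume) + len(base_path) + 1
    link_info = struct.pack("<IIIIIII", info_size, 28, 1, 28, 28 + len(volume), 0,
                            28 + len(volume) + len(base_path)) + volume + base_path + b"\x00"
    rel = ".\\report.docx".encode("utf-16-le")
    string_data = struct.pack("<H", len(rel) // 2) + rel
    vol_guid = uuid.UUID("2f1a5d6e-9f4b-4c1e-8a7d-0123456789ab").bytes_le
    file_guid = uuid.UUID("6ba7b810-9dad-11d1-80b4-000c29abcdef").bytes_le  # v1 UUID, node = MAC
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0) + b"WS-ALICE".ljust(16, b"\x00")
    tracker += (vol_guid + file_guid) * 2  # Droid and DroidBirth
    return header + link_info + string_data + tracker + b"\x00\x00\x00\x00"  # TerminalBlock


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:16} {value}")
```

The tracker block is kept even after the target is deleted, which is why the machine name and MAC are worth pulling. Two caveats when reading the MAC: if the least significant bit of its first byte is set, the node field was randomly generated rather than taken from a NIC, and the machine that created the shortcut is not necessarily the one the file is recovered from.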

Jump Lists Forensics

Jump Lists are a Windows feature introduced with Windows 7. They contain information about recently accessed applications and files.


Prefetch Files Forensics

Prefetch files are a very valuable set of artifacts for anyone doing forensic analysis. They contain a wealth of information about applications that have been run on a system, such as:

  • Application path
  • Last execution timestamp
  • Creation timestamp
  • Etc.
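As an added example, again not from the post: a parser for the uncompressed prefetch layout, format version 23 (Vista/7) and 26 (8.1), with offsets as documented by the libscca project. It reads the executable name, the path hash that forms the second half of the .pf file name, the run count, and the last-run FILETIME slots (one on Windows 7, eight from 8.1 on). Windows 10 and later store .pf files LZXPRESS-Huffman compressed behind a "MAM" signature; those need decompressing first, and the example detects and refuses them rather than misparse. The sample file is constructed inline, so the hash, run count and timestamps are made up, and the dictionary keys are the example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Offsets into the uncompressed file for the two format versions handled here.
LAYOUT = {23: {"os": "Vista/7", "last_run": 0x80, "slots": 1, "run_count": 0x98},
          26: {"os": "8.1", "last_run": 0x80, "slots": 8, "run_count": 0xD0}}


def filetime_to_datetime(ticks):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_prefetch(data):
    """Extract executable name, path hash, run count and last-run times from a .pf file."""
    if data[:4] == b"MAM\x04":  # Windows 10+ compresses .pf files; decompress (e.g. libscca) before parsing
        raise ValueError("compressed prefetch file")
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA" or file_size != len(data):
        raise ValueError("not an uncompressed prefetch file")
    layout = LAYOUT.get(version)
    if layout is None:
        raise ValueError(f"unsupported prefetch version {version}")
    executable = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]  # up to 29 chars + NUL
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    ticks = struct.unpack_from(f"<{layout['slots']}Q", data, layout["last_run"])
    (run_count,) = struct.unpack_from("<I", data, layout["run_count"])
    return {"version": version, "os": layout["os"], "executable": executable,
            "path_hash": f"{path_hash:08X}", "prefetch_name": f"{executable}-{path_hash:08X}.pf",
            "run_count": run_count,
            "last_run_times": [filetime_to_datetime(t) for t in ticks if t]}  # unused slots are zero


def build_sample_prefetch(version):
    """Constructed sample (not a real artifact): CALC.EXE run 12 times, last two runs at known times."""
    layout = LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, len(buf))
    name = "CALC.EXE".encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, 0x77FDF17B)  # made-up hash value
    runs = [datetime_to_filetime(datetime(2021, 6, 1, 8, 15, tzinfo=timezone.utc)),
            datetime_to_filetime(datetime(2021, 5, 28, 17, 2, tzinfo=timezone.utc))][:layout["slots"]]
    struct.pack_into(f"<{len(runs)}Q", buf, layout["last_run"], *runs)
    struct.pack_into("<I", buf, layout["run_count"], 12)
    return bytes(buf)


if __name__ == "__main__":
    for version in (23, 26):
        print(parse_prefetch(build_sample_prefetch(version)))
```

The creation timestamp the post lists is not inside the file; it is the .pf file's own filesystem creation time, which approximates the first execution, so read it with os.stat on the real file alongside the parsed last-run times. Note that the run count and last-run slots give you at most the eight most recent executions on 8.1 and later and only the last one on Windows 7.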


This concludes the second part of this series. I hope you enjoyed reading and that you learned something along the way.

  • Amcache
  • UserAssist
  • Shellbag
