I am thrilled to announce the latest release of the SANS DFIR Windows Forensic Analysis poster. This version was a nearly complete re-write of the poster with significant updates made to every section. The “Evidence of...” categories were originally created by SANS Digital Forensics and Incident Response faculty for the SANS FOR500: Windows Forensics course, mapping specific Windows forensic artifacts to the analysis questions they can help to answer. The poster is designed to be used as a cheat sheet to remember and discover important Windows operating system artifacts relevant to investigations into computer intrusions, insider threats, fraud, employee misuse, and many other common cybercrimes. Changes in this version include:
- Support for artifacts found on Windows XP through Windows 11
- Updates to the Browser Activity section including the latest artifacts from Chrome, Firefox, and Edge (Chromium)
- New Cloud Storage artifacts for OneDrive, Google Drive, Box, and Dropbox
- External Device and USB Usage updates to support HID, USBSTOR, and USB Attached SCSI device profiling
- Updated Application Execution artifacts including Task Bar Feature Usage and CapabilityAccessManager registry keys
Putting these posters together takes an immense amount of time, and I would like to give special thanks to Kathryn Hedley (@4enzikat0r) for her assistance on this version. We sincerely hope that free resources like this will benefit forensic examiners around the world. Download the PDF version here and look for the shiny new printed versions at select in-person SANS conferences!