Home - nurit-cyber/Windows-Evidence GitHub Wiki

Introduction

This Wiki is designed to help law enforcement and government agencies gain the tools required for basic Windows forensic analysis geared towards child pornography and human trafficking cases. It walks law enforcement agents through understanding Windows artifacts on a system and how these artifacts can be used in investigations. It also walks them through how to obtain and analyze these artifacts in a way that provides evidence for a case.

Background

To view the environment and tools used, look at Windows Environment.

To view the data generation process used to create the artifacts discussed in this Wiki, look at Windows Data Generation.

Evidence

Image & Video Artifacts

Also check out Using Yara

USB Device Forensics

Web Browser History Forensics