SANS Digital Forensics and Incident Response Blog

New Windows Forensics "Evidence of..." Poster Released


Link for new poster ->

The "Evidence of..." categories were originally created by SANS Digital Forensics and Incident Response faculty for the SANS course FOR408: Windows Forensics. The categories map a specific artifact to the analysis questions that it will help to answer. Use this poster as a cheat-sheet to help you remember where you can discover key Windows artifacts for computer intrusion, intellectual property theft, and other common cyber crime investigations.

Proper digital forensic and incident response analysis is essential to successfully solving today's complex cases. Each analyst should examine the artifacts and then analyze the activity that they describe to determine a clear picture of which user was involved, what the user was doing, when the user was doing it, and why. The data here will help you in finding multiple locations that can substantiate facts related to your casework.

Each of the rows listed on the poster describes a series of artifacts found on a Windows system that can help determine if an action occurred. Usually multiple artifacts will be discovered that all point to the same activity. These locations are a guide to help you focus your analysis on the areas in Windows that can best help you answer simple but critical questions.

The updated SANS Digital Forensics and Incident Response Poster has been released. This new update includes many new artifacts and locations from Windows XP through Windows 8.1. You can receive (download and/or in the mail) your very own copy of the SANS DFIR Poster by clicking on this link and registering for it by June 12, 2015 ->