MS Windows Forensic Analysis
1.1. Windows NT
1.2. Windows 2000
1.3. Windows XP
1.4. Windows XP SP2
1.5. Windows Server 2003
1.6. Windows Vista
1.7. Windows Server 2008
1.8. Windows 7
1.9. Windows 8
1.10. Windows Server 2012
1.11. Windows 10
2.1. Security policies
2.2. SAM
2.3. SID
2.4. User and SID pairing
2.5. Type of accounts
2.6. User accounts logs
2.7. Deleted accounts
2.8. User activities
2.9. NTUSER.dat
3.1. Hive / Key / Subkey
3.2. Registry hives
3.3. XP
3.4. Vista / Win7 / Win10
3.5. System
3.6. Security
3.7. Enum
3.8. Software
3.9. Operating system records
3.10. Installed software
3.11. Reference modeling
3.11.1. Predefined folders
• Operating system files and folders
• User files and folders
3.11.2. Predefined software
• Windows Explorer
• Windows Edge
• Internet Explorer
3.11.3. MS Office Applications and logs
• Office 97-2000
• Office 2003
• Office 2007 / 2010 / 2016
• Office 365
• Metadata analysis
• Creation, modification and last access
• File system records
3.11.4. Internet History
• Internet Explorer
• Cookie
• History
• Temporary internet files
• Registry records
• Chrome
• Firefox
• Safari
• Opera
3.11.5. System Restore Points (Volume Shadow Copies)
• Change.log
• Rp.log
• Snapshot records
• XP
• Vista / Win7 / Win10
• Volume shadow copy
3.11.6. Windows Artifacts
• Jump Lists
• Prefetch files
• LNK files
• MRU files
• Shell Bags
• Word Wheel
• Other artifacts
3.11.7. Thumbs.db / Thumbcache Files
• Image cache
• Thumbcache history
• Thumbcache creation system
• Thumbcache folder
• Thumbcache index file
5.1. Application and service records
5.2. Browsing event logs and searching
5.3. Tools for event logs browsing
6.1. USB devices
6.2. Finding connected devices
6.3. Serial numbers of USB devices
6.4. Registry analysis for USB devices
7.1. EMF
7.2. Bitlocker
7.3. PGP Disk
7.4. TrueCrypt
7.5. Veracrypt
8.1. Passware
8.2. Elcomsoft
8.3. DIFOSE PCU