Windows has long reigned supreme as the operating system of choice in the PC market. In fact, Windows makes up approximately 47 percent of the users visiting government websites, with the second most popular PC operating system, macOS, making up only 8.5 percentage. There is no reason to suspect that this will be changing anytime soon, especially with the warm reception that Windows 10 has received. Therefore, it is exceedingly likely that future investigations will continue to require the analysis of Windows artifacts.

This chapter covers many types of artifacts and how to interpret them with Python, using various first and third-party libraries, directly from forensic evidence containers. We will leverage the framework we developed in Chapter 8, Working with Forensic Evidence Container Recipes to process these artifacts directly from forensic acquisitions. In this manner, we can provide captured raw or EWF images to our code and not worry about the process of extracting the required files or mounting the image prior to processing the data. Specifically, we will cover:

• Interpreting $I files to learn more about files sent to the Recycle Bin
• Reading content and metadata from Sticky Notes on Window 7 systems
• Extracting values from the registry to learn about the operating system version and other configuration details
• Revealing user activity related to searches, typed paths, and run commands
• Parsing LNK files to learn about historical and recent file access
• Examining Windows.edb for information about indexed files, folders, and messages