Introduction

Some features of Windows operating systems produce a great number of valuable artifacts that can be further used as pieces of digital evidence. The most common sources of such artifacts are the Recycle Bin, Windows Event Logs, LNK files, and Prefetch files.

The Recycle Bin contains files and folders that have been deleted by the user via the right-click menu. In fact, these files are not deleted from the file system, but only moved from their original location into the Recycle Bin. There are two formats of the Recycle Bin: the Recycler format (Windows 2000, XP), where files are stored under C:\Recycler\%SID% and their metadata is stored in the INFO2 file; and the $Recycle.Bin format, where files are stored under C:\$Recycle.Bin\%SID% as $R files, and their metadata is stored in the corresponding $I files.
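As an added example (my own code, not the chapter's), the following Python parser reads the $I metadata records described above and recovers the original path, size, and deletion time of a deleted $R file; it assumes the widely documented $I layout (version 1 for Vista to 8.1, version 2 for Windows 10 and later), and the sample record it builds is constructed test data, not a capture from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I record: the metadata for a deleted $R file in $Recycle.Bin.

    Layout (both versions share the 24-byte fixed header):
      0x00  8 bytes  version: 1 (Vista to 8.1) or 2 (Windows 10 and later)
      0x08  8 bytes  original file size in bytes
      0x10  8 bytes  deletion time as FILETIME
      v1:   0x18  520 bytes  original path, UTF-16LE, null padded (260 chars)
      v2:   0x18  4 bytes    path length in UTF-16 code units, incl. terminator
            0x1C  path, UTF-16LE
    """
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
    elif version == 2:
        if len(data) < 0x1C:
            raise ValueError("record too short for a v2 path length")
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("path field truncated")
    else:
        raise ValueError(f"unsupported $I version {version}")
    # The path is null terminated (and null padded in v1); keep only the real path.
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}

def build_dollar_i(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Construct a $I record for testing; sample data, not a capture."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(encoded) // 2) + encoded
```

On a live image, read each $I file from C:\$Recycle.Bin\%SID% and pass its bytes to parse_dollar_i; a version-1 record is always 544 bytes, so a different size is itself worth noting.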

As you can guess from the name, Windows Event Logs collect information about different system events. Windows 2000, XP, and 2003 (except for server versions) store these logs in three files: Application, System, and Security. These files can be found under C:\Windows\system32\config. With Windows Vista, the Event Log format was changed to an XML-based one. These EVTX files can be found under C:\Windows\System32\Winevt\Logs.

LNK files, or Windows Shortcut files, refer to other files: applications, documents, and so on. They can be found system-wide and help a digital forensics examiner uncover some of the suspect's activities, including recently used files, applications, and so on.

And, finally, Prefetch files. You can find these files in C:\Windows\Prefetch, and they contain a lot of valuable information about executed applications, including their run count, last run date and time, and so on.

In this chapter, you will learn how to analyze all of these sources of digital evidence with both commercial and free digital forensics tools.
