Windows forensics begins with understanding how the Windows file system is structured. Most modern Windows systems use NTFS as the default file system, but some removable devices still use FAT32 or exFAT. Knowing how Windows organizes files, directories, metadata, and system areas is essential for locating evidence, recovering deleted data, and analyzing user activity.
This chapter explains the structure of the Windows file system, key components within NTFS, and important directories that commonly contain forensic evidence.
Windows File System Overview
Windows primarily uses:
- NTFS (New Technology File System) – modern, secure, metadata-rich
- FAT32/exFAT – used for USB drives, SD cards, older systems
The forensic focus in Windows is on NTFS because it contains detailed records that investigators rely on during examinations.
Structure of NTFS
NTFS organizes data using several critical components:
1. Partitions and Volumes
A Windows disk is divided into partitions. Each partition can hold:
- Boot data
- System files
- User files
- Recovery environments
Typical modern Windows systems contain:
- EFI System Partition
- Microsoft Reserved Partition
- Windows OS Partition (C:)
- Recovery Partition
These partitions can contain traces of system activity and boot artifacts.
2. Master File Table (MFT)
The MFT is the heart of NTFS and one of the most important forensic artifacts.
It stores a record for every file and directory, including system files.
Each MFT entry contains:
- File name
- MAC timestamps
- File size
- Permissions
- Locations of data clusters
- Metadata attributes
Even deleted files leave behind MFT entries until overwritten, making it a key source for recovery.
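As an added example (not code from the original chapter), the Python parser below reads one 1024-byte MFT FILE record, applies the update sequence fixups that a naive parser skips, and extracts the $STANDARD_INFORMATION timestamps, the $FILE_NAME name and parent record, and the in-use flag that separates a live entry from a deleted one. The record it parses is constructed inline; offsets follow the documented NTFS on-disk layouts.

```python
import struct
from datetime import datetime, timedelta, timezone
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF  # $STANDARD_INFORMATION, $FILE_NAME, end-of-attributes marker

def filetime(v):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=v // 10)

def apply_fixups(rec):
    # Last 2 bytes of each 512-byte sector hold the update sequence number; the originals sit in the USA.
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, rec = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        if rec[512 * i - 2:512 * i] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[512 * i - 2:512 * i] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(rec):
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    attr_off, flags = struct.unpack_from("<HH", rec, 20)
    out = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2)}  # in_use clear = deleted entry
    while True:
        atype, alen = struct.unpack_from("<II", rec, attr_off)
        if atype == END or alen == 0:
            break
        if rec[attr_off + 8] == 0:  # resident attribute: content is stored inside the record
            size, off = struct.unpack_from("<IH", rec, attr_off + 16)
            body = rec[attr_off + off:attr_off + off + size]
            if atype == SI:  # created, modified, MFT-record modified, accessed
                out["si_times"] = [filetime(x) for x in struct.unpack_from("<4Q", body)]
            elif atype == FN:  # parent MFT reference (low 48 bits = record number), then name
                out["parent_record"] = struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF
                out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        attr_off += alen
    return out

def build_sample_record():
    # Constructed 1024-byte record: deleted file "invoice.pdf" under the root directory (record 5).
    t = 133_000_000_000_000_000
    def attr(atype, body):  # 24-byte resident attribute header + body, padded to 8 bytes
        total = (24 + len(body) + 7) & ~7
        return struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body.ljust(total - 24, b"\0")
    si = struct.pack("<4Q", t, t + 600_000_000, t + 600_000_000, t) + bytes(16)
    fn = struct.pack("<5QQQII", 5, t, t, t, t, 0, 0, 0x20, 0) + bytes([11, 1]) + "invoice.pdf".encode("utf-16-le")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 0, 244, 1024, 0, 3, 0, 42)
    rec = bytearray(hdr + bytes(8) + attr(SI, si) + attr(FN, fn) + struct.pack("<I", END)).ljust(1024, b"\0")
    rec[48:54] = b"\x01\x00" + rec[510:512] + rec[1022:1024]  # USN, then the saved sector-end bytes
    rec[510:512] = rec[1022:1024] = b"\x01\x00"
    return bytes(rec)
```

On a real image the same function is applied to each 1024-byte slice of $MFT; entries whose in_use flag is clear are the deleted-but-not-yet-overwritten records the text refers to.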
3. NTFS System Files
NTFS stores several metadata files (all beginning with “$”). These files control how data is stored and provide forensic value.
Key NTFS system files include:
$MFT
The main table of all file records.
$MFTMirr
Backup of the first few MFT entries for recovery.
$LogFile
Journals file system changes. Helps reconstruct activity such as file creation, renaming, or deletion.
$Bitmap
Tracks used and unused clusters.
$Boot
Contains boot code and partition data.
$Secure
Stores security descriptors and permissions.
$UsnJrnl (Update Sequence Number Journal)
Tracks changes on the volume, including:
- File creations
- Modifications
- Renames
- Deletes
It is a major resource for timeline analysis.
Windows Directory Structure
Windows organizes its operating system files and user data through a well-defined directory structure.
Some folders hold critical forensic artifacts.
C:\Windows\
Contains all operating system files.
Important subfolders:
- System32 – core system binaries, logs, executables
- Prefetch – stores application execution history
- Temp – temporary files, often containing artifacts from malware or installations
- WinSxS – backups and system components
C:\Users\
Holds user profiles. This is the most valuable area for user-focused forensics.
Each user profile contains:
- Desktop
- Documents
- Downloads
- Pictures
- AppData (hidden but extremely important)
AppData Structure
Inside each profile:
- AppData\Roaming – application settings synced across devices
- AppData\Local – browser data, caches, logs
- AppData\LocalLow – restricted application data
Artifacts found here include:
- Browser history
- Cookies
- Cache files
- Messaging app data
- Configuration files
- Temp data from apps
- Malware footprints
Registry Structure
The Windows Registry is a hierarchical database containing configuration data for the OS, hardware, software, and users. It is a major forensic data source.
Key registry hives include:
- SAM – user credentials and accounts
- SYSTEM – system configuration, USB history
- SOFTWARE – installed software, programs run
- SECURITY – policies and access controls
- NTUSER.DAT – user-specific settings, last accessed files
- USRCLASS.DAT – file associations, recent items
Registry entries preserve details about logins, last opened files, devices plugged in, installed applications, and more.
Windows Logs
Windows logs are stored in C:\Windows\System32\winevt\Logs\. These logs provide a timeline of system events.
Important logs include:
- Security.evtx – logins, authentication events
- System.evtx – system errors and hardware events
- Application.evtx – program activity
- Microsoft-Windows-PowerShell.evtx – PowerShell usage
- Setup.evtx – installations and updates
Event logs help reconstruct user behavior, system changes, malware execution, and attack timelines.
Volume Shadow Copies
Shadow Copies are snapshot backups created by Windows.
They contain:
- Previous versions of files
- Deleted or modified data
- Old registry hives
- Older system states
Investigators can mount shadow copies to recover past evidence.
Forensic Hotspots in Windows File System
Common locations containing valuable forensic evidence include:
- MFT
- USN Journal
- Registry hives
- Event logs
- AppData directories
- Recycle Bin
- Temp folders
- Browser databases
- Prefetch folder
- ProgramData
These areas help analysts identify program execution, user activity, malware behavior, file manipulation, and system modifications.
Summary
The Windows file system is built primarily on NTFS, which contains rich metadata and detailed logging structures vital for forensic analysis. Key components such as the MFT, USN Journal, registry hives, and event logs provide insight into system behavior, application activity, and user actions. Understanding how Windows organizes and stores data is the foundation for all further Windows forensic investigation.