User Activity Artefacts

Windows stores a wide range of artifacts that reveal what users did on the system—what files they opened, which programs they ran, websites they visited, devices they connected, and much more. These artifacts are spread across the file system, registry, logs, and memory. Forensic investigators rely on these traces to reconstruct user behavior, detect suspicious actions, and validate events during an investigation.

This chapter explains the most important Windows user activity artifacts and where they are located.


Prefetch Files

Location:
C:\Windows\Prefetch\

Prefetch files record details about programs that have been executed.
Each time an application runs, Windows creates or updates a corresponding .pf file.

Prefetch artifacts contain:

  • Executable name

  • Number of times executed

  • Last execution time

  • Related file paths

  • Device information

They help confirm program execution even if logs were cleared.


Recent Files & Jump Lists

Recent Files

Location:
C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\

Windows stores shortcuts to recently accessed files. Each shortcut contains:

  • Target file path

  • Last access time

  • Metadata about user actions

Jump Lists

Location:
C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\

Jump Lists record:

  • Recently opened files per application

  • Application usage patterns

  • Timestamps of access

These artifacts help track file interaction across multiple apps.


UserAssist

Registry Path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\

UserAssist tracks programs run by the user. Entries are encoded using ROT13.

It records:

  • Program names

  • Number of executions

  • Last run time

This often reveals user application behavior even when Prefetch is disabled.
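As an added example that is not part of this chapter, the Python below decodes one UserAssist value as an investigator would: the value name (stored under a {GUID}\Count subkey) is ROT13-decoded and the 72-byte Windows 7 and later binary layout is unpacked for the run count, focus count and last execution FILETIME. The registry value and its contents are constructed sample data; the program path, counters and timestamp are assumptions for illustration only.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH          # integer arithmetic keeps 64-bit tick values exact
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def parse_userassist_value(value_name, value_data):
    """Decode one value under UserAssist\\{GUID}\\Count (Windows 7 and later, 72-byte layout)."""
    if len(value_data) < 68:
        raise ValueError(f"unexpected UserAssist data length {len(value_data)}")
    program = codecs.decode(value_name, "rot13")      # value name is the ROT13-obfuscated path
    # Win7+ layout: run count at offset 4, focus count at 8, focus time (ms) at 12,
    # ten floats at 16..55 (skipped here), last execution FILETIME at 60.
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "program": program,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # a zero FILETIME means Explorer never recorded an execution time
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }

def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Construct a 72-byte Win7+ value for testing (sample data, not from a real system)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)   # session id + counters
            + b"\x00" * 40                                             # ten float fields
            + struct.pack("<I", 0)                                     # unknown field at 56
            + struct.pack("<Q", datetime_to_filetime(last_run))        # last run at 60
            + struct.pack("<I", 0))                                    # trailing field at 68

# Constructed sample: ROT13 of C:\Windows\System32\notepad.exe, run 7 times, last on 2024-01-15 10:30 UTC
SAMPLE_NAME = r"P:\Jvaqbjf\Flfgrz32\abgrcnq.rkr"
SAMPLE_DATA = build_sample_value(7, 3, 125000, datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA))
```

On a live system the same function can be fed the name and binary data of each value read from the Count subkeys with the winreg module.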


RunMRU & Typed Paths

RunMRU

Registry Path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

RunMRU tracks commands typed into the Run dialog (Win+R).

TypedPaths

Registry Path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

TypedPaths records paths typed into the File Explorer address bar.

These entries show how users navigated files and folders.


Shellbags

Shellbags track folder views and navigation history in Windows Explorer.

Registry Paths:
HKCU\Software\Microsoft\Windows\Shell\Bags\
HKCU\Software\Microsoft\Windows\Shell\BagMRU\

They reveal:

  • Folders accessed

  • Folder view preferences

  • Deleted folder activity

  • USB drive folder structures

Shellbags are extremely useful for identifying activity in directories that no longer exist.


Browser Artifacts

Browsers store extensive user activity data, including:

  • History

  • Cookies

  • Cache

  • Downloads

  • Saved passwords

  • Search queries

Typical locations include:

  • Chrome:
    C:\Users\<User>\AppData\Local\Google\Chrome\User Data\

  • Edge/IE:
    C:\Users\<User>\AppData\Local\Microsoft\Edge\

  • Firefox:
    C:\Users\<User>\AppData\Roaming\Mozilla\Firefox\Profiles\

Browser forensics often reveals communication patterns, visited URLs, and downloaded files.


Event Logs (User Focused)

Windows event logs contain detailed records of system and user actions.

Important logs:

  • Security.evtx: Logins, logouts, authentication

  • Application.evtx: Software activity

  • PowerShell.evtx: Script execution

  • System.evtx: Shutdowns, restarts

  • TerminalServices-LocalSessionManager: RDP usage

These logs help correlate user actions with system-level events.


LNK (Shortcut) Files

Location:
C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent\

LNK files store:

  • File path

  • Original location

  • Creation and access timestamps

  • Volume serial number of the drive

They are especially useful when original files have been deleted.
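As an added example (not code from this chapter), the following Python reads the fixed ShellLinkHeader and the LinkInfo structure of a .lnk file according to the [MS-SHLLINK] layout, recovering the target's timestamps, size, original local path and the serial number of the volume it lived on. The shortcut is constructed in the block itself; the target path, serial number and timestamp are hypothetical values chosen for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME to aware datetime; a zero FILETIME (field not set) becomes None."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None

def parse_lnk(data):
    """Read ShellLinkHeader and LinkInfo ([MS-SHLLINK] 2.1 and 2.3) from a .lnk file."""
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", data, 20)
    info = {"target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_modified": filetime_to_datetime(wtime),
            "target_size": fsize, "local_base_path": None, "volume_serial": None}
    pos = 0x4C
    if flags & 0x01:                       # HasLinkTargetIDList: skip IDListSize + IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & 0x02:                       # HasLinkInfo
        _size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:                # VolumeIDAndLocalBasePath
            _vsize, _drive_type, serial = struct.unpack_from("<III", data, pos + vol_off)
            end = data.index(b"\x00", pos + base_off)
            info["local_base_path"] = data[pos + base_off:end].decode("cp1252")
            info["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
    return info

def build_sample_lnk(target, serial, ctime, atime, wtime, size):
    """Construct a minimal .lnk (LinkInfo only, no IDList); test data, not a real shortcut."""
    path = target.encode("cp1252") + b"\x00"
    vol = struct.pack("<IIII", 17, 3, serial, 16) + b"\x00"   # VolumeID: DriveType 3, empty label
    base_off = 28 + len(vol)                                  # LinkInfo header is 28 bytes
    suffix_off = base_off + len(path)
    link_info = (struct.pack("<IIIIIII", suffix_off + 1, 28, 0x01, 28, base_off, 0, suffix_off)
                 + vol + path + b"\x00")                      # empty CommonPathSuffix
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x02, 0x20,
                         ctime, atime, wtime, size, 0, 1, 0, 0, 0, 0)
    return header + link_info

# Constructed sample (hypothetical path and serial; FILETIME 133500000000000000 = 2024-01-17 21:20 UTC)
SAMPLE_LNK = build_sample_lnk(r"C:\Users\alice\Documents\report.docx", 0x1A2B3C4D,
                              133500000000000000, 133500000000000000, 133500000000000000, 2048)
```

The LinkInfo path and volume serial survive even after the target file is gone, which is why the recovered values matter when the original file has been deleted.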


Recycle Bin Artifacts

Location:
C:\$Recycle.Bin\

Recycle Bin entries contain:

  • Deleted filenames

  • Original paths

  • Deletion timestamps

  • Unique identifiers

This helps reconstruct deletion patterns and recover evidence.
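The $I metadata files that describe each Recycle Bin entry come in two layouts, and the parser below (an added example, not from this chapter) handles both: the fixed 520-byte path of the Vista through 8.1 format (version 1) and the length-prefixed path of Windows 10 and later (version 2), plus the $I to $R name pairing that locates the deleted content. The records are constructed inside the block; the path, size and deletion FILETIME are sample values, not data from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_recycle_bin_index(data):
    """Parse a $I metadata file and return the deleted file's original path, size and deletion time."""
    if len(data) < 24:
        raise ValueError("truncated $I file")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista through 8.1: fixed 520-byte (260 UTF-16 chars) null-padded path at offset 24
        raw = data[24:24 + 520]
    elif version == 2:
        # Windows 10 and later: 4-byte character count (including terminator), then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_path": path, "size": size,
            "deleted": filetime_to_datetime(deleted_ft)}

def recycled_content_name(index_name):
    """Map $I<id>.<ext> to the matching $R<id>.<ext> file that holds the deleted content."""
    if not index_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + index_name[2:]

def build_sample_index(version, path, size, deleted_ft):
    """Construct a $I record for testing (sample data, not taken from a real system)."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    head = struct.pack("<QQQ", version, size, deleted_ft)
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded

# Constructed sample: a spreadsheet deleted on 2024-01-17 21:20 UTC (FILETIME 133500000000000000)
SAMPLE_PATH = r"C:\Users\alice\Documents\payroll.xlsx"
SAMPLE_FT = 133500000000000000

if __name__ == "__main__":
    for v in (1, 2):
        print(parse_recycle_bin_index(build_sample_index(v, SAMPLE_PATH, 48231, SAMPLE_FT)))
```

The $I files sit under the per-user SID folder inside C:\$Recycle.Bin\, so the SID of the folder identifies which account performed the deletion.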


USB Device History

Registry Paths:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\
HKLM\SYSTEM\MountedDevices\

USB artifacts reveal:

  • Device serial numbers

  • First and last used timestamps

  • Drive letter assignments

  • User who connected the device

These artifacts are crucial for data exfiltration and insider threat investigations.


PowerShell & Command Line History

PowerShell logs provide script execution details.

Location:
C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

CMD artifacts include:

  • Prefetch entries

  • RunMRU entries

  • AppCompat/ShimCache

These help track command-line activity used for administration or attacks.


RDP (Remote Desktop) Traces

Artifacts include:

  • Login records

  • Saved credentials

  • Connection history

  • Session creation events

  • Network traces

These traces are useful for identifying unauthorized remote access sessions.


Summary

Windows stores a vast collection of user activity artifacts across the registry, file system, logs, and application caches. Key indicators such as Prefetch files, UserAssist, Jump Lists, browser data, LNK files, shellbags, and event logs allow investigators to reconstruct what users did, when they did it, and how the system was used. Mastering these artifacts is crucial for accurate Windows forensic investigations.
