Category: Windows

• October 29, 2025

  NTFS Basics

  Introduction NTFS is the current file system for Windows-based OS that was developed by Microsoft. Released in 1993, NTFS was created to address issues with the FAT filesystem (Hassan, 2017). NTFS provides scalability, stability, and support for large storage devices (Carrier, 2005). This article goes over the basics of the NTFS and why it’s used…
• July 18, 2023

  Registry Basics: Part 1

  What is the registry? The Registry is a collection of database files that store vital configuration data for a system. The Registry data can be modified and/or deleted by a user. Components of the Registry An example of a Registry path is NTUSER(Hive)\Software(Key)\Microsoft(subkey)\Run(subkey with the value) Offline Hives The Registry has offline files that live…
• August 28, 2022

  SRUM Forensics (in-progress)

  Introduction System Resource Utilization Monitor (SRUM) is a feature used to track system resource usage such as process and network metrics in a database. Most of the SRUM is not available to the end user. The ‘App History’ section in the Task Manager will show some of the SRUM. The SRUM is integrated into the…
• May 25, 2022

  Prefetch

  Introduction The Prefetch, or called the Prefetcher, helps improve an application’s startup speed. It’s a background monitoring process that watches the first 2-10 seconds of an application executing on a Windows system. The goal is to speed up subsequent launches of an application. The Prefetch caches required files and resources into memory, therefore decreasing the…
• May 20, 2022

  Amcache.hve

  Introduction The Amcache is a part of the Windows Application Compatibility database along with the ShimCache. The Amcache was named RecentFileCache.bcf prior to a late patch in Windows 7. The Amcache replaced RecentFileCache.bcf after the Windows 7 patch. Forensic Value The Amcache is a small registry hive that contains data about applications that have been…
• May 14, 2022

  The ShimCache

  Introduction The ShimCache (or AppCompatCache) is a cache that is a component of the Windows Application Compatibility database. The ShimCache ensures backwards compatibility of older binaries into new versions of Microsoft operating systems. A lookup is performed on the ShimCache to determine if modules need shimming for compatibility. A lookup of database files stored on…