Investigating file use and knowledge with Windows 10 artifacts

2019 
The Windows 10 operating system is the most widely used operating system today and contains many programs and mechanisms for managing computer hardware and software. From a digital forensics point of view, these produce valuable records of user activities. In forensics, such records are known as Windows artifacts, which can be described as system-generated records of user activities that have forensic value. Gaining a deep understanding of how these records are created and what information they contain can help the examiner acquire valuable data that can be used as evidence and to support other evidence. The artifacts can be a great way to focus on relevant data and reduce the need for full examination of the constantly increasing data storage that examiners encounter. This paper focuses on analyzing different, lesser-known artifacts that aren’t supported by mainstream forensic tools because they vary between versions of Windows, resulting in the need for manual analysis. A deep understanding of them is necessary to avoid misinterpreting their content, which can result in wrong conclusions. Additionally, the paper presents the results of testing Windows 10 artifacts and the open-source tools used in the testing process.