I am thrilled to announce the latest release of the SANS DFIR Windows Forensic Analysis poster. This version was a nearly complete re-write of the poster with significant updates made to every section. The “Evidence of…” categories were originally created by SANS Digital Forensics and Incident Response faculty for the SANS FOR500: Windows Forensics course, mapping specific Windows forensic artifacts to the analysis questions they can help to answer. The poster is designed to be used as a cheat sheet to remember and discover important Windows operating system artifacts relevant to investigations into computer intrusions, insider threats, fraud, employee misuse, and many other common cybercrimes. Changes in this version include:

Putting these posters together takes an immense amount of time, and I would like to give special thanks to Kathryn Hedley (@4enzikat0r) for her assistance on this version. We sincerely hope that free resources like this will benefit forensic examiners around the world. Download the PDF version here and look for the shiny new printed versions at select in-person SANS conferences!