Important Files


$MFT Master File Table

  • Acts as an index of every file and directory on an NTFS volume
  • Every MFT entry is identified by a 64-bit file reference number: the low 6 bytes are the MFT entry number and the high 2 bytes are the sequence number, written here in hexadecimal.
  • Ref: 0x002E00000000F1AB -> MFT entry: 0x00000000F1AB, Sequence number: 0x002E
  • Can be dumped with:

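As an added example (not part of these notes), the reference split described above in Python: it decodes a reference from the little-endian bytes NTFS stores on disk, splits it into entry and sequence number, and checks the sequence number against the one in the MFT record header at offset 0x10 (the 'FILE' record layout is real NTFS; the 1024-byte record used here is constructed, not a real dump).

```python
import struct

ENTRY_MASK = (1 << 48) - 1  # low 6 bytes: entry number; high 2 bytes: sequence number

def split_file_reference(ref: int) -> tuple[int, int]:
    """Split a 64-bit NTFS file reference into (entry number, sequence number)."""
    return ref & ENTRY_MASK, ref >> 48

def file_reference_from_bytes(raw: bytes) -> int:
    """Decode the 8-byte little-endian form NTFS stores on disk (e.g. the parent
    directory reference inside a $FILE_NAME attribute)."""
    if len(raw) != 8:
        raise ValueError("a file reference is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]

def describe_reference(ref: int) -> str:
    entry, seq = split_file_reference(ref)
    return f"MFT entry 0x{entry:012X} ({entry}), sequence 0x{seq:04X} ({seq})"

def record_sequence_number(record: bytes) -> int:
    """Sequence number from an MFT record header: 2 bytes at offset 0x10,
    after the 'FILE' signature at offset 0."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    return struct.unpack_from("<H", record, 0x10)[0]

def reference_is_current(ref: int, record: bytes) -> bool:
    """A reference is only valid while its sequence number matches the record's.
    NTFS increments the sequence number each time an entry is freed and reused,
    so a mismatch means the reference points at a file that no longer exists."""
    _, seq = split_file_reference(ref)
    return seq == record_sequence_number(record)

def constructed_record(seq: int) -> bytes:
    """Constructed 1024-byte MFT record holding only the fields read above."""
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<H", rec, 0x10, seq)
    return bytes(rec)

if __name__ == "__main__":
    # The notes' example reference, in the byte order it has on disk
    ref = file_reference_from_bytes(b"\xab\xf1\x00\x00\x00\x00\x2e\x00")
    print(describe_reference(ref))                              # entry 0xF1AB, sequence 0x2E
    print(reference_is_current(ref, constructed_record(0x2E)))  # True
    print(reference_is_current(ref, constructed_record(0x2F)))  # False: entry was reused
```

A stale reference (sequence mismatch) is the usual reason a recovered file name or directory index entry cannot be tied to the file currently occupying that MFT entry.
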
MRU Most Recently Used

  • NTUSER.dat
  • Can be read with RegRipper using the runmru plugin.
  • Pull UserAssist, which records the applications, shortcuts and documents most recently opened by the user:
    • rip.exe -p userassist -r ../NTUSER.DAT

USN Journal (Update Sequence Number Journal)

  • Keeps a log of the changes made to files and directories on an NTFS volume
  • Extract the log with FTK Imager
  • Parse this journal with NTFS Log Tracker. The journal file is C:\$Extend\$UsnJrnl; the change records live in its $J alternate data stream.


Event logs: C:\Windows\System32\winevt\Logs

User logins

Each time a session starts, the user's profile is loaded. This action leaves a record in the Microsoft-Windows-User Profile Service/Operational log (file Microsoft-Windows-User Profile Service%4Operational.evtx).


Registry hives: C:\Windows\System32\config
  • Timezone: HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • Computer Name: HKLM\SYSTEM\CurrentControlSet\Control\ComputerName
  • Last Shutdown: HKLM\SYSTEM\CurrentControlSet\Control\Windows -> ShutdownTime (an 8-byte FILETIME value)
  • Build Number: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> CurrentBuildNumber

  • Important Registry Locations Collection:


File extensions of interest