Windows Digital Forensics
When windows goes in to hibernation mode, it will dump all of the RAM contents onto the disk by in the Hiberfil.sys file.
When created it is stored at C:\Hiberfil.sys
It can be read with a program called Sandman, here is a good paper that the author wrote.
*.spl files store computer name, printer name, and time of print request
Every image on your computer, especially ones opened in viewer have a thumbnail saved for icon use into the Windows thumbnail database.
You can use the software here to view the database:
Off everything on this list, I think this is the most impressive, you will find thumbnails for images long thought forgotten and out of mind.
All data is stored here
in one or multiple profiles, the most interesting file is
which is all of the saved passwords are stored.
Want to check the someone has put a usb drive in your computer? Go no further than
This log file tracks the usb device's GUID, time inserted and removed.
All saved wifi passwords are stored here in an XML file
needed for John the Ripper, while we only need a few of them, why not grab the whole config dir?
If you have just a minute on someone's machine you can use a quick program to harvest Windows sensitive files
off of your thumb drive. Albeit, buggy and thoroughly untested. I believe in you.