Windows Digital Forensics

HIBERFILE.SYS
When Windows goes into hibernation mode, it dumps the entire contents of RAM onto the disk in the Hiberfil.sys file.
When created, it is stored at C:\Hiberfil.sys
It can be read with a program called Sandman; here is a good paper that the author wrote.


Spool
*.spl files store the computer name, printer name, and time of the print request
%SystemRoot%\SYSTEM32\SPOOL\PRINTERS


thumbs.db/thumbcache.db
Every image on your computer, especially those opened in a viewer, has a thumbnail saved for icon use in the Windows thumbnail database.
C:\Users\%username%\AppData\Local\Microsoft\Windows\Explorer
You can use the software here to view the database:
https://thumbcacheviewer.github.io
Of everything on this list, I think this is the most impressive: you will find thumbnails for images long thought forgotten and out of mind.


Prefetch
http://windows.microsoft.com/en-us/windows-vista/what-is-the-prefetch-folder
%SystemRoot%\Prefetch
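As an added example (this is not code from the page or from any project it links), here is a Python parser for the header of an uncompressed Prefetch file: it checks the SCCA signature, reads the executable name, the hash that forms the suffix of the .pf file name, the run count and the last-run FILETIME(s) for the XP, Vista/7 and 8.1 layouts, and refuses Windows 10's MAM-compressed files rather than mis-parsing them. The function names and the header-only sample image it builds are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


# Offsets (from the start of the file) of the last-run FILETIME(s) and the
# run counter, per Prefetch format version. 17 = XP/2003, 23 = Vista/7,
# 26 = 8.1; version 26 keeps up to eight last-run times, newest first.
VERSION_LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90, "n_times": 1},
    23: {"last_run": 0x80, "run_count": 0x98, "n_times": 1},
    26: {"last_run": 0x80, "run_count": 0xD0, "n_times": 8},
}


def parse_prefetch(data):
    """Return the header fields of an uncompressed .pf file as a dict."""
    if data[:3] == b"MAM":
        # Windows 10+ writes .pf files compressed with LZXPRESS Huffman
        # (signature MAM\x04); they must be decompressed before parsing.
        raise ValueError("compressed Windows 10+ Prefetch file; decompress first")
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("not a Prefetch file: missing SCCA signature")
    version = struct.unpack_from("<I", data, 0)[0]
    layout = VERSION_LAYOUT.get(version)
    if layout is None:
        raise ValueError("unsupported Prefetch version %d" % version)
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL terminated.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_runs = []
    for i in range(layout["n_times"]):
        ft = struct.unpack_from("<Q", data, layout["last_run"] + 8 * i)[0]
        if ft:  # unused slots are zero
            last_runs.append(filetime_to_datetime(ft))
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {
        "version": version,
        "executable": exe_name,
        "hash": "%08X" % prefetch_hash,  # the hex suffix of the .pf file name
        "file_size": file_size,
        "run_count": run_count,
        "last_runs": last_runs,
    }


def build_sample_prefetch(version=23, exe="CALC.EXE", run_count=7,
                          last_run=datetime(2020, 1, 1, tzinfo=timezone.utc),
                          prefetch_hash=0x5A2E9B1C):
    """Constructed test input: a minimal header-only .pf image, not a real file."""
    layout = VERSION_LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 0x0C, len(buf))
    name = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, prefetch_hash)
    struct.pack_into("<Q", buf, layout["last_run"], datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_prefetch()).items():
        print("%-12s %s" % (key, value))
```

Point parse_prefetch at the bytes of a real .pf file from %SystemRoot%\Prefetch to get the same fields; the executable name, run count and last-run times are what a timeline of program execution is built from.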

Typed URLs
Internet explorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

Firefox
All data is stored here
%APPDATA%\Mozilla\Firefox\Profiles\
in one or more profiles; the most interesting file is
logins.json
which is where all of the saved passwords are stored.


USB History
Want to check whether someone has put a USB drive in your computer? Go no further than
C:\Windows\inf\setupapi.dev.log
This log file tracks the USB device's GUID and the time it was inserted and removed.
http://www.nirsoft.net/utils/usb_devices_view.html
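As an added example (not code from the page or from the NirSoft tool linked above), here is a Python parser for the Section blocks of setupapi.dev.log: it picks out USB and USBSTOR device installs, their VID/PID or vendor/product, the serial number, and the Section start timestamp, which is when Windows first installed that device. The log lines are constructed to mirror the Windows 7+ layout, and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in the layout of setupapi.dev.log (Windows 7 and later):
# each install is a ">>>  [Device Install ...]" section with start/end stamps.
SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 6.1.7601
     Service Pack = 1.0
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230416114040]
>>>  Section start 2019/03/04 10:11:12.345
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi:      {Build Driver List} 10:11:12.350
<<<  Section end 2019/03/04 10:11:14.123
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230416114040&0]
>>>  Section start 2019/03/04 10:11:14.200
<<<  Section end 2019/03/04 10:11:15.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2A1B3C4D&0&2]
>>>  Section start 2019/03/06 08:00:01.000
<<<  Section end 2019/03/06 08:00:02.500
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - ACPI\PNP0C0A\1]
>>>  Section start 2019/03/06 08:00:03.000
<<<  Section end 2019/03/06 08:00:03.200
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \((?P<kind>[^)]*)\) - (?P<devid>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[A-Z_]+)\]")
USB_RE = re.compile(r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<serial>.+)$", re.I)
USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_[^\\]*\\(?P<serial>[^&]+)", re.I)


def parse_usb_installs(log_text):
    """Return one dict per USB / USBSTOR install section, with its first-seen time."""
    events = []
    current = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"device_id": m["devid"], "first_seen": None, "status": None}
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m:
            current["first_seen"] = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = STATUS_RE.match(line)
        if not m:
            continue  # driver/dvi chatter inside the section
        current["status"] = m["status"]
        usb = USB_RE.match(current["device_id"])
        stor = USBSTOR_RE.match(current["device_id"])
        if usb:
            serial = usb["serial"]
            current.update(bus="USB", vid=usb["vid"].upper(), pid=usb["pid"].upper(), serial=serial)
        elif stor:
            serial = stor["serial"]
            current.update(bus="USBSTOR", vendor=stor["vendor"], product=stor["product"], serial=serial)
        if usb or stor:
            # Windows synthesises an instance id whose second character is '&'
            # when the device reported no serial number of its own.
            current["serial_from_device"] = serial[1:2] != "&"
            events.append(current)
        current = None  # non-USB sections (PCI, ACPI, ...) are dropped
    return events


def first_seen_by_serial(events):
    """Earliest install time per serial, joining the USB and USBSTOR views of one stick."""
    seen = {}
    for ev in events:
        ts = ev["first_seen"]
        if ts and (ev["serial"] not in seen or ts < seen[ev["serial"]]):
            seen[ev["serial"]] = ts
    return seen


if __name__ == "__main__":
    for serial, ts in sorted(first_seen_by_serial(parse_usb_installs(SAMPLE_LOG)).items()):
        print(ts, serial)
```

The same serial shows up once under USB (the interface) and once under USBSTOR (the disk), so keying on it joins the two records; a serial whose second character is '&' was made up by Windows and cannot identify a specific physical device.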


Wifi Passwords
C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces
All saved wifi passwords are stored here in an XML file
https://www.purehacking.com/blog/vitaly-nikolenko/extracting-wireless-wep/wpa/wpa2-preshared-keys/passwords-from-windows-7
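As an added example (not code from the page or from the linked post), here is a Python reader for the WLAN profile XML files kept in that folder: it extracts the profile name, SSID, authentication and encryption settings, checks that the keyMaterial carries the DPAPI blob header Windows writes when it protects the key, and then flags profiles a defender would want to know about (open networks set to auto-connect, WEP, unprotected key material). The two profile documents are constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
# Every DPAPI blob starts with version 1 followed by the DPAPI provider GUID;
# keyMaterial without this prefix was not protected by DPAPI.
DPAPI_BLOB_PREFIX = "01000000D08C9DDF0115D1118C7A00C04FC297EB"

# Constructed sample profiles (not copied from any real machine).
SAMPLE_WPA2 = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CoffeeShop</name>
  <SSIDConfig><SSID><hex>436F6666656553686F70</hex><name>CoffeeShop</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType><protected>true</protected>
      <keyMaterial>01000000D08C9DDF0115D1118C7A00C04FC297EB00000000</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

SAMPLE_OPEN = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Airport_Free</name>
  <SSIDConfig><SSID><name>Airport_Free</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>open</authentication><encryption>none</encryption><useOneX>false</useOneX></authEncryption>
  </security></MSM>
</WLANProfile>"""


def parse_wlan_profile(xml_text):
    """Pull the forensically interesting fields out of one WLANProfile document."""
    root = ET.fromstring(xml_text)

    def field(path, default=None):
        value = root.findtext(path, namespaces=NS)
        return value.strip() if value is not None else default

    ssid_hex = field("w:SSIDConfig/w:SSID/w:hex")
    # The hex form is authoritative (it survives non-ASCII SSIDs); fall back to the name.
    ssid = bytes.fromhex(ssid_hex).decode("utf-8", "replace") if ssid_hex else field("w:SSIDConfig/w:SSID/w:name")
    key_material = field("w:MSM/w:security/w:sharedKey/w:keyMaterial")
    return {
        "profile": field("w:name"),
        "ssid": ssid,
        "authentication": field("w:MSM/w:security/w:authEncryption/w:authentication", "unknown"),
        "encryption": field("w:MSM/w:security/w:authEncryption/w:encryption", "unknown"),
        "auto_connect": field("w:connectionMode") == "auto",
        "has_key": key_material is not None,
        "key_marked_protected": field("w:MSM/w:security/w:sharedKey/w:protected") == "true",
        "key_is_dpapi_blob": key_material is not None and key_material.upper().startswith(DPAPI_BLOB_PREFIX),
    }


def audit_profile(profile):
    """Return the weaknesses a defender would flag for one saved network."""
    findings = []
    if profile["authentication"].lower() == "open":
        findings.append("no network authentication")
        if profile["auto_connect"]:
            findings.append("auto-connects to an open SSID")
    if profile["encryption"].upper() == "WEP":
        findings.append("WEP encryption")
    if profile["has_key"] and not (profile["key_marked_protected"] and profile["key_is_dpapi_blob"]):
        findings.append("pre-shared key stored without DPAPI protection")
    return findings


if __name__ == "__main__":
    for doc in (SAMPLE_WPA2, SAMPLE_OPEN):
        p = parse_wlan_profile(doc)
        print(p["ssid"], p["authentication"], p["encryption"], audit_profile(p) or "ok")
```

Run parse_wlan_profile over every *.xml under the Interfaces\{GUID} folders to inventory which networks a machine will join on its own; the keyMaterial field is a DPAPI blob bound to the machine, so this reader deliberately reports only whether that protection is present.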


Windows passwords
Needed for John the Ripper; while we only need a few of them, why not grab the whole config dir?
%SystemRoot%\System32\config\System


If you have just a minute on someone's machine, you can use a quick program to harvest Windows sensitive files off of your thumb drive. Albeit buggy and thoroughly untested. I believe in you.