Windows Digital Forensics

When Windows goes into hibernation mode, it dumps all of the RAM contents onto the disk in the Hiberfil.sys file.
When created, it is stored at C:\Hiberfil.sys
It can be read with a program called Sandman; here is a good paper that the author wrote.

*.spl files store computer name, printer name, and time of print request

Every image on your computer, especially ones opened in a viewer, has a thumbnail saved for icon use in the Windows thumbnail database.
You can use the software here to view the database:
Of everything on this list, I think this is the most impressive: you will find thumbnails for images long thought forgotten and out of mind.


Typed URLs
Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
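
An offline way to review this artifact, as an added example rather than code from the original page: it parses the text of a `reg export` of the TypedURLs key and, as an assumption beyond what the page lists, pairs each entry with the FILETIME stored under the sibling TypedURLsTime key that newer Internet Explorer versions write. The export text, URLs and timestamps below are constructed sample data.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of `reg export` text; the URLs and timestamps are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example/payroll"
"url2"="https://mail.example.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLsTime]
"url1"=hex:00,00,05,69,36,c0,d5,01
"url2"=hex:00,00,00,00,00,00,00,00
'''

def filetime_to_utc(raw: bytes):
    """8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    if len(raw) != 8:
        return None
    (ticks,) = struct.unpack("<Q", raw)
    if ticks == 0:  # all-zero value: no timestamp recorded for this entry
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_typed_urls(export_text: str):
    """Return [(value_name, url, typed_utc_or_None)] ordered by url number."""
    urls, times, section = {}, {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Keep only the last path component so any hive prefix works.
            section = line[1:-1].rsplit("\\", 1)[-1].lower()
            continue
        m = re.match(r'"(url\d+)"=(.*)$', line, re.IGNORECASE)
        if not m:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if section == "typedurls" and data.startswith('"'):
            # .reg files escape backslashes and quotes inside string values.
            urls[name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif section == "typedurlstime" and data.startswith("hex:"):
            times[name] = filetime_to_utc(bytes.fromhex(data[4:].replace(",", "")))
    return [(n, urls[n], times.get(n)) for n in sorted(urls, key=lambda n: int(n[3:]))]

if __name__ == "__main__":
    for name, url, when in parse_typed_urls(SAMPLE_EXPORT):
        print(name, url, when.isoformat() if when else "(no timestamp)")
```

Real `reg export` output is UTF-16 with a byte-order mark, so open the file with `encoding="utf-16"` before passing its text to `parse_typed_urls`.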

All data is stored here
in one or multiple profiles, the most interesting file is
which is where all of the saved passwords are stored.

USB History
Want to check whether someone has put a USB drive in your computer? Go no further than
This log file tracks the USB device's GUID and the times it was inserted and removed.

All saved wifi passwords are stored here in an XML file

Windows password
needed for John the Ripper. While we only need a few of them, why not grab the whole config dir?

If you have just a minute on someone's machine, you can use a quick program to harvest sensitive Windows files off of your thumb drive. Albeit buggy and thoroughly untested. I believe in you.