What You'll Learn
- Explain how NTFS organizes files using the Master File Table (MFT) and why MFT entries persist even after file deletion
- Interpret NTFS timestamps (MACB: Modified, Accessed, Changed, Birth) and identify timestamp manipulation (timestomping)
- Navigate the Windows Registry hive structure (HKLM, HKCU, SAM, SYSTEM, SOFTWARE) and locate forensic artifacts in each
- Identify the top 10 registry locations that attackers target for persistence, configuration, and anti-forensics
- Connect file system and registry knowledge to forensic investigation and detection engineering in later modules
The File System: Where Evidence Lives
Every file created, modified, moved, or deleted on a Windows system leaves traces in the file system. When malware drops a payload, when an attacker creates a scheduled task, when a user downloads a phishing attachment — the file system records it.
NTFS (New Technology File System) is the default file system on modern Windows. Understanding how NTFS stores data is essential for two reasons:
- Forensic recovery: NTFS does not immediately erase data when files are deleted. The MFT entry and file content remain on disk until overwritten — giving forensic analysts a window to recover evidence.
- Timestamp analysis: Every file has four timestamps that tell a story. Attackers who modify timestamps to cover their tracks leave artifacts that a trained analyst can detect.
The Master File Table (MFT)
The MFT is the heart of NTFS. It is a database that stores a record for every file and directory on the volume. Each record is typically 1,024 bytes and contains:
| MFT Attribute | What It Stores | Forensic Value |
|---|---|---|
| $STANDARD_INFORMATION | Timestamps (MACB), file permissions, flags | Often modified by timestomping tools — compare with $FILE_NAME timestamps |
| $FILE_NAME | File name, parent directory reference, timestamps | Timestamps here are harder to modify — used to detect timestomping |
| $DATA | Actual file content (if small enough) or pointers to disk clusters | Resident data (< ~700 bytes) is stored directly in the MFT entry |
| $ATTRIBUTE_LIST | Pointers to additional attributes if they don't fit in one MFT entry | Indicates large or complex files |
When a file is "deleted" on NTFS, the MFT entry is marked as available but not erased. The file content remains on disk until the clusters are reused. This is why forensic tools like Autopsy, FTK, and Velociraptor can recover "deleted" files — the data is still there. In Module 9 (Digital Forensics), you will use this property to recover attacker-deleted malware.
MACB Timestamps
Every file on NTFS has four timestamps (stored in both $STANDARD_INFORMATION and $FILE_NAME attributes):
| Letter | Timestamp | Updated When... | Forensic Significance |
|---|---|---|---|
| M | Modified | File content is changed | When was the file last written? |
| A | Accessed | File is read or executed | When was the file last opened? (Disabled by default since Vista for performance) |
| C | Changed (MFT entry) | File metadata changes (rename, permission change, attribute update) | When was the MFT record last modified? |
| B | Birth (Created) | File is created for the first time | When did this file first appear on this system? |
Timestomping is an anti-forensic technique (T1070.006) where attackers modify timestamps to make malicious files appear old or match legitimate system files. They typically modify the $STANDARD_INFORMATION timestamps but leave $FILE_NAME timestamps untouched — because modifying $FILE_NAME requires low-level disk access.
Detection: Compare the $STANDARD_INFORMATION timestamps with the $FILE_NAME timestamps. If $SI shows a creation date of 2020 but $FN shows 2026, the file was timestomped, because a file cannot be created before the MFT record that names it.
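As an added example (not code from this lesson or from any tool it names), a minimal Python parser that walks one MFT record, pulls the MACB FILETIMEs out of its resident $STANDARD_INFORMATION and $FILE_NAME attributes, and applies the $SI-versus-$FN comparison above plus one extra heuristic the lesson does not mention (API-set timestamps are usually whole seconds). The record is a constructed fixture built by build_record, and the parser skips NTFS fixup handling, so records read from a real image need their update-sequence fixups applied first.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
TICK = 10_000_000                                     # 100 ns ticks per second

def filetime(y, mo, d, h=0, mi=0, s=0, us=0):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) from UTC components."""
    dt = datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc)
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def parse_mft_record(rec):
    """Walk one MFT record's attributes; return MACB FILETIMEs from the resident
    $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30). Real records need fixups applied first."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", rec, 0x14)[0]            # offset of first attribute
    found = {}
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:                # end-of-attributes marker
            break
        if rec[off + 8] == 0 and atype in (0x10, 0x30):     # resident $SI / $FN only
            coff = struct.unpack_from("<H", rec, off + 0x14)[0]
            base = off + coff + (8 if atype == 0x30 else 0) # $FN begins with the parent ref
            b, m, c, a = struct.unpack_from("<4Q", rec, base)
            found["SI" if atype == 0x10 else "FN"] = {"B": b, "M": m, "C": c, "A": a}
        off += alen
    return found

def timestomp_indicators(ts):
    """Lesson rule ($SI birth before $FN birth) plus a heuristic: API-set times are often whole seconds."""
    si, fn, flags = ts["SI"], ts["FN"], []
    if si["B"] < fn["B"]:
        flags.append("SI_BIRTH_BEFORE_FN_BIRTH")
    if all(v % TICK == 0 for v in si.values()) and not all(v % TICK == 0 for v in fn.values()):
        flags.append("SI_ZERO_SUBSECOND")
    return flags

def build_record(si, fn, name="updater.exe"):
    """Constructed 1,024-byte fixture (not from a real disk) with resident $SI and $FN."""
    def attr(atype, body):
        body += bytes(-len(body) % 8)                       # attributes are 8-byte aligned
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body
    si_body = struct.pack("<4Q", si["B"], si["M"], si["C"], si["A"]) + bytes(16)
    fn_body = struct.pack("<Q4QQQIIBB", 5, fn["B"], fn["M"], fn["C"], fn["A"], 0, 0, 0, 0, len(name), 3)
    body = attr(0x10, si_body) + attr(0x30, fn_body + name.encode("utf-16-le")) + b"\xff\xff\xff\xff"
    hdr = b"FILE" + struct.pack("<HHQHHHHII", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024)
    rec = hdr + bytes(0x38 - len(hdr)) + body
    return rec + bytes(1024 - len(rec))
```

The parent reference 5 in the fixture is the MFT record number of the volume root directory; on a real image the same parser runs over each 1,024-byte slice of $MFT once fixups are applied.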
Alternate Data Streams (ADS)
NTFS supports Alternate Data Streams — hidden data attached to a file that does not appear in file size or standard directory listings.
Normal file: report.docx (visible, 50 KB)
Alternate Data Stream: report.docx:hidden_payload (invisible, 100 KB)
Attackers use ADS to hide malware payloads, scripts, or exfiltrated data. The file report.docx appears normal in Explorer, but it carries a hidden payload in its alternate stream.
Detection: Use dir /r or Velociraptor's Windows.NTFS.ADS artifact to enumerate alternate data streams.
The Windows Registry
The Windows Registry is a hierarchical database that stores configuration settings for the operating system, installed software, hardware, and user preferences. For defenders, the registry is both a treasure trove of forensic artifacts and a minefield of persistence mechanisms.
The Five Root Keys
| Root Key | Abbreviation | Hive File on Disk | What It Stores |
|---|---|---|---|
| HKEY_LOCAL_MACHINE | HKLM | C:\Windows\System32\config\SYSTEM, SOFTWARE, SAM, SECURITY | System-wide configuration: services, drivers, installed software, security policies |
| HKEY_CURRENT_USER | HKCU | C:\Users\{username}\NTUSER.DAT | Current user's preferences: desktop settings, environment variables, recent files, typed URLs |
| HKEY_USERS | HKU | Multiple NTUSER.DAT files | All user profiles loaded on the system |
| HKEY_CLASSES_ROOT | HKCR | Merged view of HKLM\SOFTWARE\Classes + HKCU\SOFTWARE\Classes | File associations, COM objects |
| HKEY_CURRENT_CONFIG | HKCC | Derived from HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current | Current hardware profile |
The registry hive files are the actual database files stored on disk. When you perform forensic analysis (Module 9), you extract these hive files (SYSTEM, SOFTWARE, SAM, NTUSER.DAT) from the disk image and analyze them offline using tools like Registry Explorer or RegRipper. This gives you access to every registry key and value as it existed at the time of imaging — including deleted entries in the unallocated space of the hive file.
Top 10 Registry Locations for Defenders
These are the registry keys you will check in virtually every Windows investigation. Each one tells you something about what happened on the system.
Persistence Locations (Where Attackers Hide)
1. Run / RunOnce Keys — Programs that auto-execute at logon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ATT&CK: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys)
2. Services — Configured Windows services
HKLM\SYSTEM\CurrentControlSet\Services\{ServiceName}
ATT&CK: T1543.003 (Create or Modify System Process: Windows Service)
3. Scheduled Tasks — Task configuration in registry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
ATT&CK: T1053.005 (Scheduled Task/Job: Scheduled Task)
Forensic Artifact Locations (What Happened)
4. ShimCache (AppCompatCache) — Evidence of program execution
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Records the full path and last modification time of every executable the system has seen — even if it was not executed.
5. Amcache — Detailed execution history
C:\Windows\AppCompat\Programs\Amcache.hve
Records SHA1 hashes, file paths, publisher information, and first execution time for installed programs. Critical for proving an executable ran on the system.
6. UserAssist — Programs launched by the user via Explorer
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Entries are ROT13-encoded. Decoding reveals program names, run count, and last execution time.
7. RecentDocs / TypedPaths — User activity tracking
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Shows recently opened documents and manually typed folder paths in Explorer.
Security-Critical Locations
8. SAM Database — Local user accounts and password hashes
HKLM\SAM\SAM\Domains\Account\Users
Contains NTLM password hashes for local accounts. Accessible only to SYSTEM. Attackers dump this for offline password cracking.
9. Security Policy — Audit and security settings
HKLM\SECURITY\Policy
Contains LSA secrets, cached domain credentials, and security policy settings.
10. Installed Software — What's on the system
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Build a registry checklist. During any Windows investigation, systematically check: Run keys (persistence), Services (persistence), ShimCache (execution evidence), Amcache (execution + hashes), UserAssist (user activity), and SAM (account manipulation). In Module 9 (Digital Forensics), you will use Velociraptor and Registry Explorer to extract and analyze all of these artifacts from a compromised system.
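Added example for item 6 and the checklist above (not code from this lesson, Velociraptor or Registry Explorer): decoding a UserAssist value name and its binary value in Python, then running a hypothetical user-writable-path check over the result. The sample entry is constructed and mirrors the C:\Users\Public\updater.exe case from the knowledge check; the 72-byte layout and offsets are the Windows 7 and later format.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

# Hypothetical triage list: user-writable places where installed, signed software rarely lives.
WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")

def decode_userassist(value_name, data):
    """Decode one UserAssist value (Windows 7+ layout, 72-byte binary value).
    Name is ROT13; run count sits at offset 4, focus count at 8, focus time (ms)
    at 12 and the last-run FILETIME at 60. Real names usually start with a ROT13'd known-folder GUID."""
    if len(data) < 68:
        raise ValueError("value shorter than the Windows 7+ UserAssist layout")
    path = codecs.decode(value_name, "rot_13")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_ft = struct.unpack_from("<Q", data, 60)[0]
    last_run = EPOCH + timedelta(microseconds=last_ft // 10) if last_ft else None
    return {"path": path, "run_count": run_count, "focus_count": focus_count,
            "focus_ms": focus_ms, "last_run": last_run}

def is_suspicious_path(path):
    """Flag programs launched from user-writable locations (triage heuristic, not proof)."""
    return any(p in path.lower() for p in WRITABLE_PREFIXES)

def make_sample_value(run_count, last_run):
    """Constructed 72-byte value for testing; not data captured from a real system."""
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, ((last_run - EPOCH) // timedelta(microseconds=1)) * 10)
    return bytes(data)

# Constructed entry: ROT13 of C:\Users\Public\updater.exe, run 3 times, last at 2026-01-15 10:30 UTC.
SAMPLE_NAME = "P:\\Hfref\\Choyvp\\hcqngre.rkr"
SAMPLE_DATA = make_sample_value(3, datetime(2026, 1, 15, 10, 30, tzinfo=timezone.utc))

def triage(entries):
    """entries: iterable of (value_name, data) pairs. Returns the decoded entries that look suspicious."""
    hits = []
    for name, data in entries:
        e = decode_userassist(name, data)
        if is_suspicious_path(e["path"]):
            hits.append(e)
    return hits
```

On a real NTUSER.DAT the (value_name, data) pairs come from the {GUID}\Count subkeys under the UserAssist key listed in item 6.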
How the File System and Registry Work Together
In a real investigation, you rarely analyze one in isolation. They complement each other:
| Investigation Question | File System Evidence | Registry Evidence |
|---|---|---|
| "Was malware executed?" | File exists on disk (or MFT shows deleted file) | ShimCache, Amcache, UserAssist show execution |
| "How does the attacker persist?" | Malicious binary location | Run key, Service entry, or Scheduled Task pointing to it |
| "When did the attack happen?" | File timestamps (MACB) | Registry key last-write timestamps |
| "What accounts were compromised?" | N/A | SAM hive shows new accounts, last login times |
| "Was evidence destroyed?" | MFT shows deleted files, $STANDARD_INFORMATION timestamps don't match $FILE_NAME | Registry deleted keys in hive unallocated space |
Attackers who only clean files but not the registry leave evidence. And attackers who only clean the registry but not the file system leave evidence. Thorough anti-forensics requires cleaning both — and even then, MFT residual entries and registry hive slack space often preserve traces. This is why forensic analysis remains effective even against aware adversaries.
Key Takeaways
- NTFS MFT records every file on the volume; "deleted" files remain recoverable until their clusters are reused
- MACB timestamps (Modified, Accessed, Changed, Birth) tell the file's story; comparing $STANDARD_INFORMATION vs $FILE_NAME timestamps detects timestomping (T1070.006)
- Alternate Data Streams allow attackers to hide payloads within normal-looking files — enumerate with dir /r or Velociraptor
- The Windows Registry is organized into five root keys backed by hive files on disk (SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT)
- The top persistence locations are Run/RunOnce keys (T1547.001), Services (T1543.003), and Scheduled Tasks (T1053.005)
- Forensic artifacts in ShimCache, Amcache, and UserAssist prove program execution even when the program file has been deleted
- The SAM hive contains local password hashes — a primary target for credential attacks
- File system and registry analysis are complementary — always check both during investigations
What's Next
You now understand how Windows stores files and configuration. Lesson 3.3 dives into the Windows Event Log architecture — how Windows records security-relevant activity, the critical Event IDs every defender must know, and what Sysmon adds to close the gaps that default logging leaves open.
Knowledge Check: Windows File System & Registry
10 questions · 70% to pass
What happens to the MFT entry when a file is deleted on NTFS?
An analyst discovers that a suspicious file has a $STANDARD_INFORMATION creation timestamp of 2019, but its $FILE_NAME creation timestamp shows 2026. What technique was likely used?
Which registry location stores programs that automatically execute when any user logs into the system?
What does the 'B' in MACB timestamps stand for, and when is it set?
An attacker hides a payload inside an Alternate Data Stream: report.docx:payload.exe. How can a defender detect this?
Which registry artifact proves that a specific executable was run on the system, even if the file has been deleted?
What is the forensic significance of the SAM registry hive?
In Lab 3.2, you use Velociraptor to collect registry Run keys. You find an entry pointing to C:\Users\Public\updater.exe. Why is this suspicious?
Which NTFS attribute is harder for attackers to modify, making it valuable for detecting timestomping?
Why should forensic investigators check BOTH the file system and the registry when investigating a compromised Windows system?