When conducting digital incident response, what locations on a compromised computer do you examine—and what artifacts should you watch out for?

As you may know already, most cyber incidents start from a simple phishing email. The downloading of a malicious executable comes next. Therefore, once you successfully identify the source of an infection, it makes sense for you to search for traces of malware or, at least, find some artifacts pointing to its execution.

In this article, which is a continuation of our Incident Response series, we will examine the common forensic artifacts that point to code execution on Windows systems. We will cover other operating systems in subsequent articles. Windows is the most widely used operating system and also suffers the most attacks, so it was only logical that we started first with Microsoft’s OS.