Windows Artefacts as Evidence

This is a long-form Windows DFIR series about interpretation.
Most Windows artefacts are easy to collect and easy to misread. They feel like telemetry, but they are usually just the system remembering things for its own purposes: partial traces created for operating system or application reasons, shaped by configuration, user behaviour, and normal background activity. They support narrow claims well, and broad claims poorly.
The purpose of this series is to train analysts to treat artefacts as evidence, not as indicators that “mean” something on their own. That sounds simple, but it changes how you build timelines, how you corroborate, and how you write conclusions you can defend.
This series is written for DFIR analysts working in modern enterprise environments, primarily Windows 10 and 11. It assumes you already know the basics. The focus here is judgement.
How to Read This Series
Each article does three things.
- First, it explains what Windows or an application is trying to achieve, because artefacts make more sense when you understand the design goal behind them.
- Second, it narrows the evidentiary claim. Not what the artefact suggests, but what it can actually support.
- Third, it spends time on common failure modes. Not because edge cases are rare, but because investigations tend to fail in predictable ways when pressure and timelines meet ambiguity.
If you only remember one rule, make it this: artefacts become valuable when they’re constrained, and they become dangerous when they’re treated as deterministic.
Articles

ShellBags and User Navigation
ShellBags are a record of navigation, not access. This article shows how to treat them as evidence of exploration and context, while resisting the urge to turn “was here” into “opened that”.
What’s Coming Next
The series moves from endpoint artefacts into visibility, reconstruction, and defensibility: logging, timelines, negative space, and what Windows can’t tell you.
Once more posts are live, this landing page will include a more explicit progression guide.
If You’re Reading This During an Investigation
These articles aren’t a substitute for casework discipline. They’re an attempt to make that discipline easier to maintain when time pressure and ambiguity start pulling analysis toward certainty that the evidence doesn’t support.
If you need a fast mental model in the middle of a triage decision, start with the first post, then jump to the artefact you’re dealing with. If you need to defend a conclusion in writing, pay attention to the sections that narrow claims and describe common challenges and failures. That’s where most reports succeed or fail.
This series is intentionally practitioner-focused. If you’re building an organisational incident response capability and want the strategic layer that sits above evidence collection and interpretation, Lykos Defence publishes complementary material on planning, playbooks, exercises, and collection management.