This article concludes our series on Windows forensic artefacts and the role they play in real-world investigations. Over the past several weeks, we looked at evidence sources that help investigators understand activity at the system level, from Windows Event Logs and the Windows Registry to file system traces stored under C:\Windows and C:\ProgramData. Those artefacts are indispensable when reconstructing the broader picture: system startup and shutdown, service activity, software installation, persistence mechanisms, and signs of compromise affecting the machine as a whole. Yet system-wide telemetry has an obvious limitation. It can tell us that something happened, but not always who was behind it. This is where the focus shifts from the operating system to the individual user.
Modern Windows systems are designed to isolate user environments from the core OS. Documents, downloads, application caches, cloud sync data, shortcuts, thumbnails, temporary files, and countless other traces of day-to-day activity are pushed into the user profile. In that sense, C:\Users\<username> is perhaps the closest thing Windows has to a behavioral map of a specific person using that system.
In this final installment, we move away from system-level evidence and into user-specific artefacts stored under the profile directory. This is where attribution becomes more precise, where ordinary folders such as Desktop, Downloads, and Documents contain data created or acquired by the user, and where hidden application data can reveal what a user opened, downloaded, edited, synchronized, or tried to remove.
C:\Users vs. %USERPROFILE%
Before looking at specific artefacts, let’s make one practical distinction: user profile data is accessed differently on a live system and in offline analysis. The C:\Users directory is the physical, hardcoded root for user profiles on a standard Windows installation. In forensic work, that path is most often associated with dead-box analysis. Once an examiner mounts a forensic disk image, this static directory offers a complete view of every profile stored on the system, not just the account that was active at the moment the machine was seized. That wider view matters in real cases, where disabled accounts, long-forgotten profiles, or attacker-created local users may still hold useful evidence.
%USERPROFILE%, on the other hand, is a live environment variable that resolves to the home directory of the user currently logged into that session, which makes it useful during live system analysis and rapid triage. Investigators can use %USERPROFILE% to point scripts and collection tools at the active account. In practice, that makes it a natural fit for PowerShell scripts and other automated workflows.
Although this article focuses on file system artefacts, we have to mention the user’s registry hives. The two key files are %USERPROFILE%\NTUSER.DAT and %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat. The first is the main per-user hive, storing user-specific settings, execution traces, and file access history. The second contains valuable shell-related artefacts such as ShellBags and MUICache entries, and is particularly important on modern Windows systems. We will leave those hives aside here to keep the focus on file system evidence, but they should always be acquired together with the rest of the profile. For a deeper discussion, see our earlier article on the Windows Registry.
Caveat: C:\Users is only the default profile root and must not be assumed in every installation. The system-wide base path for user profiles is recorded in the Registry at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory, while a specific user’s actual profile path (%USERPROFILE%) is defined per SID at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\ProfileImagePath. In other words, profiles may be redirected to another volume, so analysts should verify the registered profile paths instead of relying on the presence of a C:\Users folder alone.
When Windows creates a user profile, it also creates a set of default folders under C:\Users\<username>. To the user, these are convenient save locations. To an investigator, they are some of the most productive artefacts on the system. Windows, browsers, email clients, Office apps, and built-in tools all write to these folders by default, which makes them a practical record of what the user downloaded, opened, edited, staged, or tried to remove.
What it is: Downloads, typically located at %USERPROFILE%\Downloads, is the default save location for files arriving from the Internet, email, messaging apps, and local networks.
Forensic value: This is often where a compromise first touches disk. The file itself matters, but the hidden metadata can matter even more. On NTFS volumes, Windows may attach a Zone.Identifier alternate data stream, which marks the file as a Web download. That stream can preserve the security zone, referrer URL, and direct host URL of the downloaded file. Even if the payload is later renamed, that metadata may still point to the phishing page, malware host, or delivery server that brought it onto the endpoint. Missing or stripped Zone.Identifier data on executables, scripts, or archives can also be meaningful, as removing the Mark of the Web is a common way to suppress security warnings. Investigators should also check %USERPROFILE%\Links, which may contain Downloads.lnk pointing back to this folder.
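As an added example, not code from the original article, this Python helper parses the text of a Zone.Identifier stream into its zone, referrer and host fields and flags risky file types that carry no stream at all; the sample stream contents and file names are constructed, and read_ads assumes a live Windows host where the stream can be opened as <path>:Zone.Identifier.

```python
from pathlib import PureWindowsPath

# URLMON security zones as written to the ZoneId field of the stream
ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites", 3: "Internet", 4: "RestrictedSites"}
# File types where an absent Mark of the Web is itself worth noting
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd",
                  ".hta", ".lnk", ".iso", ".img", ".zip", ".7z", ".rar"}

def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)      # URLs may contain '=', so split only once
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("no ZoneId in [ZoneTransfer] section")
    zone_id = int(fields["ZoneId"])
    return {"zone_id": zone_id, "zone": ZONES.get(zone_id, "Unknown"),
            "referrer": fields.get("ReferrerUrl"), "host": fields.get("HostUrl")}

def read_ads(path):
    """Live-system helper (assumed Windows/NTFS): stream text, or None when the file has none."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:          # FileNotFoundError when no stream; other errors on non-NTFS volumes
        return None

def assess_download(filename, ads_text):
    """Combine the file name with its (possibly absent) Zone.Identifier stream into a triage finding."""
    suffix = PureWindowsPath(filename).suffix.lower()
    if ads_text is None:
        risky = suffix in RISKY_SUFFIXES
        return {"file": filename, "motw": False,
                "finding": "risky type without Zone.Identifier (MOTW absent or stripped)" if risky
                else "no Zone.Identifier"}
    info = parse_zone_identifier(ads_text)
    info.update(file=filename, motw=True,
                finding="web download" if info["zone_id"] >= 3 else "local or intranet origin")
    return info

# Constructed sample stream in the layout Windows writes for a browser download
SAMPLE_ADS = ("[ZoneTransfer]\r\nZoneId=3\r\n"
              "ReferrerUrl=https://mail.example.test/inbox?msg=42\r\n"
              "HostUrl=https://files.example.test/invoice.exe\r\n")

if __name__ == "__main__":
    print(assess_download("invoice.exe", SAMPLE_ADS))
    print(assess_download("invoice.exe", None))
```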
What it is: The Desktop is the user’s visible workspace, holding files, folders, and shortcuts shown directly in the shell. Depending on configuration, it may be stored locally at %USERPROFILE%\Desktop or redirected into OneDrive at %USERPROFILE%\OneDrive\Desktop.
Forensic value: People use the Desktop as a scratchpad, and attackers do too. In insider cases, it is often used to stage files before compression, copying, or exfiltration. In intrusion cases, it commonly holds payloads, scripts, and ransom notes placed where the user will see them immediately. Even when the original file is gone, a leftover .lnk shortcut on the Desktop may still show that the user had direct access to it. A second place worth checking is %USERPROFILE%\Links, which may contain Desktop.lnk pointing to the active Desktop location.
What it is: Documents, usually stored in %USERPROFILE%\Documents, remains the default save location for Office files, PDFs, text files, exports, and other work product.
Forensic value: In many cases, this is where the data of interest actually lives. That alone makes it a prime target in theft and ransomware incidents. It can also contain useful secondary traces. One example is the temporary Office lock file, usually prefixed with ~$. If one of these files is left behind, it can show that the corresponding document was open and being edited when the system crashed, was shut down abruptly, or the session ended unexpectedly.
What it is: These are the default Windows libraries for media storage and browsing, typically located at %USERPROFILE%\Pictures, %USERPROFILE%\Music, and %USERPROFILE%\Videos.
Forensic value: Media folders are easy to skip in enterprise cases, but they can be highly valuable. One reason is Thumbs.db. In older Windows versions, and still in some network-folder scenarios, Windows stores thumbnail previews in hidden Thumbs.db files inside image folders. Those thumbnails may survive after the original files are deleted, giving investigators proof that a given image once existed in that location. Large media folders can also provide cover for hidden payloads or stolen data concealed inside otherwise ordinary-looking files.
What it is: Windows maintains a hidden Recent folder at %APPDATA%\Microsoft\Windows\Recent (physically %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent). When a user opens a document, picture, or application, Windows often creates a shortcut file pointing to that target and stores it there.
Forensic value: These .lnk files are some of the most useful profile artefacts available. They often survive after the original file has been deleted or the USB drive has been disconnected. More importantly, an LNK file is not just a pointer. It can preserve the original target path, target timestamps, and storage-device details such as volume serial number and drive type. That makes Recent especially useful when the goal is to prove file access, not just file presence.
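As an added example, not code from the article, the following Python parser reads the Shell Link header and LinkInfo block of a .lnk file to recover the target path, target timestamps, volume serial number and drive type mentioned above; build_lnk constructs a minimal sample file inline, so the values it reports are constructed rather than taken from a real Recent folder.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02             # LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                            # LinkInfoFlags bit
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def _cstr(buf, off):
    """NUL-terminated ANSI string starting at offset."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")

def parse_lnk(data):
    """Extract target metadata and volume details from a Shell Link (.lnk) file."""
    hdr_size, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    out = {"target_created": filetime_to_dt(ctime), "target_accessed": filetime_to_dt(atime),
           "target_written": filetime_to_dt(wtime), "target_size": size,
           "target_is_dir": bool(attrs & 0x10)}
    off = 0x4C                                          # header is always 76 bytes
    if flags & HAS_LINK_TARGET_ID_LIST:                 # skip the shell item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags, vol_off, base_off, _, suffix_off = struct.unpack_from("<7I", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:    # offsets are relative to the LinkInfo start
            vol = off + vol_off
            _, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            out.update(drive_type=DRIVE_TYPES.get(drive_type, str(drive_type)),
                       volume_serial=f"{serial:08X}", volume_label=_cstr(data, vol + label_off),
                       local_path=_cstr(data, off + base_off) + _cstr(data, off + suffix_off))
    return out

def build_lnk(local_path, drive_type, serial, label, ctime, atime, wtime, size):
    """Constructed test fixture: a minimal .lnk with a LinkInfo block, not a Windows-generated file."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         ctime, atime, wtime, size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 16 + len(label) + 1, drive_type, serial, 16) + label.encode("cp1252") + b"\x00"
    base, suffix = local_path.encode("cp1252") + b"\x00", b"\x00"
    vol_off = 28                                        # LinkInfoHeaderSize
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + base + suffix

WRITE_FT = 133549776000000000                           # 2024-03-15 12:00:00 UTC as FILETIME (constructed)
SAMPLE_LNK = build_lnk(r"E:\Reports\q1-payroll.xlsx", 2, 0x1A2B3C4D, "USB_STICK",
                       WRITE_FT - 600_000_000_000, WRITE_FT, WRITE_FT, 48_213)

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print(f"{k:16} {v}")
```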
What it is: Favorites, typically located at %USERPROFILE%\Favorites, is a legacy shell folder originally used by Internet Explorer to store bookmarked web links and shortcuts.
Forensic value: While less prominent on modern systems, this folder still appears on many Windows installations and can retain useful historical traces. In older user profiles, it may preserve bookmarked URLs, manually saved shortcuts, or application-created links that help reconstruct browsing habits, user interests, or access to specific internal and external resources. In some cases, its value is less about current activity and more about persistence: artefacts left in Favorites can survive browser changes and remain in the profile long after the original workflow has been abandoned.
What it is: OneDrive is built into Windows 10 and 11 as the default cloud sync engine. Its visible sync root is usually %USERPROFILE%\OneDrive, and it supports local files, cloud-only placeholders, and Files On-Demand.
Important: Partial sync is a real issue, affecting both offline and live system analysis – just in different ways. We strongly recommend familiarizing yourself with the issue by reading The Cloud Gap: Forensic Triage vs. Disk Imaging in the Age of On-Demand Sync.
Forensic value: OneDrive extends the user profile beyond the local disk. Investigators should look in three places. The first is the visible sync root, usually %USERPROFILE%\OneDrive, where cloud-only files may appear as placeholders. Even without the full file body on disk, those entries can still show that the user knew about the file and had access to it. The second is %LOCALAPPDATA%\Microsoft\OneDrive\logs, which stores .odl synchronization logs. These can help reconstruct uploads, downloads, renames, deletions, and, in some cases, sharing activity. The third is %LOCALAPPDATA%\Microsoft\OneDrive\settings, where files such as UserCid.dat and SyncEngineDatabase.db can link the local Windows account to a Microsoft identity and expose the structure of synchronized cloud data.
What it is: On Windows 11, Notepad is no longer a bare-bones text editor. It now supports session persistence and can restore unsaved tabs.
Forensic value: That feature leaves a useful artefact behind. Notepad stores active tab contents in binary .bin files under %LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState. In practice, that means unsaved text may still be recoverable after the user closes the app without saving. Notes, pasted credentials, IP lists, and command fragments can all survive in TabState, turning what used to be volatile user activity into file-system evidence.
What it is: Tools such as Paint, WordPad, and the legacy Write application are basic editors that are present on many Windows systems by default.
Forensic value: Their value lies in how often they are used precisely because they are already there. Paint can leave cache-related traces in AppData while an image is being edited, which may help show that a screenshot or graphic was manipulated locally. WordPad and Write can generate temporary files and .lnk traces in the Recent folder when documents are opened or edited. In practice, that may be enough to show that a user viewed or modified a file without ever installing third-party software.
%USERPROFILE%\AppData has the hidden file-system attribute set. The goal is not to conceal it from the user or the examiner, but to reduce visual clutter in File Explorer. This is where Windows and applications store configuration data and other files not intended for routine user access: settings, caches, session state, temporary files, logs, browser data, and similar artefacts generated during normal use. It is also one of the richest sources of user-attributed evidence on the system, regardless of whether the software is built into Windows or installed separately.
AppData is divided into three subfolders with distinct roles: Roaming, Local, and LocalLow. That split reflects how Windows treats user data. Some data is meant to follow the user between domain-connected systems, some stays with a specific machine, and some is written by sandboxed low-integrity processes. Forensic analysis of these folders helps separate user behavior that is portable from artefacts tied to one endpoint or one restricted execution context.
What it is: %APPDATA%, which resolves to %USERPROFILE%\AppData\Roaming, stores data intended to follow the user across multiple domain-connected systems. In a traditional Active Directory environment, this can include application preferences, bookmarks, dictionaries, and other portable settings. Notably, in standalone or workgroup setups, Roaming still exists and still holds the same application data – it just never leaves the machine.
Forensic value: Roaming often ties application activity to the user rather than to a single machine. It commonly stores core profiles for browsers, messaging tools, FTP clients, and other communication software, making it a useful source of chat histories, saved credentials, bookmarks, and application settings. In domain environments, the same synchronized artefacts appearing across multiple endpoints can help link repeated activity to the same user account. Roaming is also a common location for malware persistence. Standard users can write there without administrative rights, making it a practical drop point for scripts, keyloggers, loaders, and disguised executables (double extensions, icon spoofing, masquerading as subfolders of known applications, and so on). Unexpected binaries in Roaming deserve attention.
What it is: %LOCALAPPDATA%, or %USERPROFILE%\AppData\Local, stores data tied to the specific machine. It does not roam with the user, even in a domain environment. Windows and applications use it for large caches, temporary content, update packages, installer remnants, and other data that is too bulky or too device-specific to sync efficiently.
Note: %LOCALAPPDATA%\Programs is where user-level application installs typically land, since writing there requires no UAC prompt or administrative rights. That makes it a common drop location both for legitimate portable apps and for malware that needs persistence without elevation.
Forensic value: Local is often where device-specific activity is recorded. Modern browsers keep much of their cache data here, which can help reconstruct browsing activity, recover fragments of viewed content, and trace downloads in more detail than the visible Downloads folder alone. Local also contains important Windows artefacts, including the centralized thumbnail cache under %LOCALAPPDATA%\Microsoft\Windows\Explorer. Those Thumbcache databases can show images viewed on the system even when the original files are gone. Another high-value location is %LOCALAPPDATA%\Temp, where installers, updaters, and many malicious payloads unpack working files. Timestamps in Temp can help build a detailed execution or installation timeline. Notably, %TEMP% and %TMP% typically resolve there, but some users may override their locations (e.g. to point to a scratch disk).
What it is: %USERPROFILE%\AppData\LocalLow is separate from Local for security reasons. It is the designated write location for processes running at low integrity under Windows Mandatory Integrity Control. In practice, sandboxed or partially isolated applications often use LocalLow instead of the standard Roaming or Local paths.
Forensic value: LocalLow is most relevant in cases involving browsers, app sandboxes, or exploit chains. Low-integrity processes have limited write access, so their caches, temporary files, and session artefacts often end up here. That makes LocalLow useful for tracing protected browser activity, low-integrity execution, and the early stages of web-based compromise. If an attacker gained an initial foothold through a browser sandbox or another constrained process, traces of that activity may remain in LocalLow before privilege escalation or sandbox escape shifted activity elsewhere.
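As an added example, not from the article, this Python triage helper maps a file path under a user profile to the Roaming, Local, LocalLow, Local\Programs or Local\Temp area described above and flags executables in those user-writable drop locations as well as double-extension names; the profile root and every sample path are constructed.

```python
from pathlib import PureWindowsPath

# Script and binary types that Windows will execute directly
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".js", ".jse", ".vbs", ".vbe",
                 ".ps1", ".bat", ".cmd", ".hta", ".wsf", ".pif"}
# Benign-looking extensions commonly placed in front of an executable one ("invoice.pdf.exe")
DECOY_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}
# Profile areas a standard user can write to without elevation, where malware commonly lands
DROP_AREAS = {"Roaming", "Local\\Programs", "Local\\Temp"}

def profile_area(parts):
    """Name the part of the profile that a lower-cased, profile-relative path list falls in."""
    if len(parts) < 2 or parts[0] != "appdata":
        return "visible"                               # Desktop, Downloads, Documents, dot-folders...
    if parts[1] == "local" and len(parts) > 2 and parts[2] in ("programs", "temp"):
        return "Local\\" + parts[2].capitalize()
    return {"roaming": "Roaming", "local": "Local", "locallow": "LocalLow"}.get(parts[1], "AppData")

def triage_path(file_path, profile_root):
    """Classify one file path under a user profile and flag drop-point and masquerading patterns."""
    orig = PureWindowsPath(file_path).parts
    pp = [s.lower() for s in orig]
    rp = [s.lower() for s in PureWindowsPath(profile_root).parts]
    if pp[:len(rp)] != rp or len(pp) == len(rp):
        raise ValueError("path is not a file inside the profile root")
    rel = pp[len(rp):]
    area = profile_area(rel)
    suffixes = PureWindowsPath(rel[-1]).suffixes         # already lower-cased
    flags = []
    if suffixes and suffixes[-1] in EXEC_SUFFIXES:
        if len(suffixes) > 1 and suffixes[-2] in DECOY_SUFFIXES:
            flags.append("double extension")
        if area in DROP_AREAS:                           # legitimate installs land here too; review, not verdict
            flags.append(f"executable in user-writable {area}")
    return {"area": area, "relative": "\\".join(orig[len(rp):]), "flags": flags}

PROFILE = r"C:\Users\jdoe"                               # constructed sample profile root
SAMPLE_PATHS = [                                         # constructed sample paths
    r"C:\Users\jdoe\Downloads\invoice.pdf.exe",
    r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\q1-payroll.lnk",
    r"C:\Users\jdoe\AppData\Roaming\Adobe\updater.vbs",
    r"C:\Users\jdoe\AppData\Local\Temp\setup_7f3a.exe",
    r"C:\Users\jdoe\AppData\Local\Programs\Python\python.exe",
    r"C:\Users\jdoe\AppData\LocalLow\Mozilla\cache2\entries\abc",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(triage_path(p, PROFILE))
```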
What they are: Windows traditionally stored most per-user settings in the Registry and AppData, but modern cross-platform tools increasingly use Unix-style configuration files and folders in the root of the user profile. Common examples include %USERPROFILE%\.ssh, %USERPROFILE%\.aws, %USERPROFILE%\.vscode, and %USERPROFILE%\.gitconfig. These locations often store authentication material, connection history, and cloud or development tool settings.
Forensic value: Dot-prefixed artefacts can be highly significant. The .ssh folder may contain private keys such as id_rsa or id_ed25519, along with known_hosts, which records servers the user connected to. That can help map lateral movement and identify access to internal Linux systems or cloud infrastructure. The .aws folder may contain plaintext access keys and secret tokens used by AWS command-line tools. .gitconfig can link the local Windows account to a developer identity through names, email addresses, and repository settings. The .vscode directory can expose workspace settings, remote connection history, and extension data, helping show what repositories were accessed and whether a malicious extension was used. In incident response, these folders often connect a compromised workstation to activity in source code systems, cloud environments, or remote servers.
User profile artefacts are some of the most revealing traces on a Windows system, but they rarely make sense in isolation. A file in Downloads, a shortcut in Recent, a thumbnail cache entry, a OneDrive sync log, or a leftover Notepad tab snapshot may each tell only part of the story. The real value comes from correlation. Investigators have to connect visible folders, hidden AppData stores, shell artefacts, cloud traces, and configuration files into a single timeline that explains not just what happened on the machine, but which user likely did it.
That is what makes C:\Users such an important forensic location. System-wide telemetry can show that an event occurred, that software was installed, or that a payload executed. The user profile is where those technical facts start to become attributable. It is where downloaded files meet recently opened documents, where application caches confirm user activity, and where synchronized cloud data or stored authentication material can extend the investigation beyond the local endpoint. During incident response, this kind of granular, localized evidence is often the difference between observing suspicious activity and confidently tying that activity to a specific human operator.
With this article, we conclude our planned series on Windows artefacts. We began with Event Logs and the Registry, moved through file system artefacts under C:\Windows and C:\ProgramData, and finished with the user profile, the part of the system where technical activity and human behavior intersect most directly. Taken together, these sources form a practical map for Windows forensic analysis: broad system telemetry for context, and user-level artefacts for attribution.
Many thanks to the authors and researchers of the prior work cited below. Their research, writeups, and public tooling helped shape both this article and the broader DFIR community.