f:["$","$L17",null,{"module":{"slug":"module-5","title":"Windows Forensics: Artifacts","description":"Prefetch, Jump Lists, LNK files, and Shellbags.","order":5,"sections":[{"id":"prefetch","title":"Prefetch Files","type":"content","content":"\n

\n Windows creates .pf files to speed up application loading.\n
\n Location: C:\\Windows\\Prefetch\n

Forensic Value

\n Proves a program was executed, even if deleted. Contains last run time and run count.\n

\n "},{"id":"lnk","title":"LNK Files (Shortcuts)","type":"content","content":"\n

Shortcut Forensics

\n .lnk files contain metadata about the target file, including:\n
- Original file path\n
- MAC times\n
- File size\n
- Volume serial number\n

\n "},{"id":"quiz","title":"Artifacts Quiz","type":"quiz","quizQuestions":[{"id":1,"type":"multiple-choice","question":"What is the primary forensic value of Prefetch files?","options":["They prove a program was executed","They contain user passwords","They store deleted files","They log network connections"],"correct":"They prove a program was executed"}]}]},"courseSlug":"digital-forensics-101","nextModuleSlug":"module-6"}]