NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files

http://forensicmethods.com/ntfs-index-attribute

Recycle Bin Forensics

http://dereknewton.com/2010/06/recycle-bin-forensics-in-windows-7-and-vista/

MacGyver IT: 21 tools for IT Heroes

http://www.infoworld.com/slideshow/137851/macgyver-it-21-tools-it-heroes-235192?source=IFWNLE_nlt_daily_am_2014-01-30

Windows 7 Forensic Time Information

UTC = Local Time + ActiveTimeBias
Local Time = UTC – ActiveTimeBias
Standard Time = Bias + StandardBias
Daylight Time = Bias + DaylightBias

http://www.forensicfocus.com/downloads/windows-registry-quick-reference.pdf

Forensic Analysis of the Windows 7 Registry

http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1071&context=adf

Yahoo Messenger Forensics

https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2011-11.pdf http://www.cerias.purdue.edu/news_and_events/events/security_seminar/details/index/nj3red9gie9h6bvmu8dklllpgo

Windows 7 Registry Forensics: Part 4

http://www.forensicmag.com/articles/2012/04/windows-7-registry-forensics-part-4#.Us7cCU6BrIU

Windows 7 Last Logon Date/Time

Last logon value is stored in "SAM\Domains\Account\Users\F". Bytes 9-16 of this key stores it.

An Examination of the NTFS Volume Boot Record

http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm

Forensic - Password Hint Location

http://news.softpedia.com/newsImage/Windows-7-and-Windows-8-Registries-Reveal-Password-Hints-Researchers-Find-2.jpg/

Windows 7 Registry Forensics

http://www.dfinews.com/articles/2012/07/windows-7-registry-forensics-part-7#.Usfmck6BrIU