NCJ Number: 195117
Date Published: 2002
Length: 33 pages
Annotation
This chapter provides an overview of forensic analysis techniques useful in the investigation of Windows systems.
Abstract
According to the author of this chapter, there are three main components to the forensic analysis of any Windows system. First, it is imperative for the investigator to have a strong working knowledge of the FAT and NT file systems. Second, the investigator must be knowledgeable concerning Windows "artefacts," including how to locate them and interpret their properties. Third, the investigator should be knowledgeable about the available computer forensic software. The author of this chapter begins with the assumption that the reader has a working knowledge of the FAT file system. The discussion is focused on the Windows NT file system, but technical examples of the FAT system are offered. Further, this chapter examines the investigative and probative usefulness of Windows artefacts, including Recycle Bin INFO Files, enhanced metafiles, and link files. Finally, this chapter gives an overview of Windows analysis techniques using EnCase and also in a tool-independent environment. Figures, references