The purpose of this research was to analyze Microsoft Windows event logs for artifacts that may be pertinent to an investigation. How are investigators using Windows event logs in forensic investigations? How do investigators approach the various types of breaches when collecting data from Windows event logs? What are the best practices to analyze Windows event logs?

The world of Digital Forensics is expanding each day. There are many OSs available for professionals and casual users to choose from. In 2013 the three main OSs in use on non-tablet computers are Windows, Linux and Mac OS. This research focuses on the Windows OS. The first version of Windows was Windows 1.0, which was released in 1985 (Microsoft, 2013). Since that time, there have been 8 major new Windows releases. Table 1 lists Windows OS and their release dates.

Table 1
Windows OS Release Years

Windows OS       Release Year
Windows 1.0      1985
Windows 2.0      1987
Windows 3.0      1990
Windows 95       1995
Windows 98       1998
Windows XP       2001
Windows Vista    2006
Windows 7        2009
Windows 8        2012

Note. This table illustrates the various Windows OS and when they were released by Microsoft.

Mark Hackman (2013), a staff writer for PC World, reports that according to Net Applications’ NetMarketshare tracker in June 2013, about 44.37% of computers are using Windows 7 and another 5.1% are using Windows 8. The newest Windows OS update, Windows 8.1, was released to manufacturers on August 27, 2013 (Endler, 2013). Most businesses and home users choose Windows based systems over Macs due to the lower operational and training costs (Menga, 2008). These statistics indicate that over half of the computers currently used are Windows based systems. The number of Windows based systems in use by businesses and home users gives criminals a broader range of computers to break into for any type of data theft. Home users typically do not keep their systems as secure as they should (Byrne, Howe, Ray, Roberts, & Urbanska, 2012).
Programmers often design computer hacking techniques called "hacks" to test certain scenarios. Regardless of the purpose for which they were designed, organized cyber criminals who are computer savvy often employ these hacks for nefarious purposes. The criminals either buy a hack from the author or they find it on a hacking website (Jordan, 1998). Cyber criminals will break into home user systems in order to build a network to attack a corporate or government target (Wash, 2010). This intrusion and victimization of another's computer is called a botnet.

The number of Windows event logs has grown over the years. For instance, prior to Windows Vista, there were only three main logs in the event viewer: System, Security and Application. Today there are application-specific logs and service logs as well in the main event viewer. There are an additional 100 plus log files, but this research focused on the main three: System, Security and Application. Windows event logs are used to help correlate and prove that certain actions occurred at .