The increased popularity of WhatsApp resulted in its extensive use as a tool in planning unlawful activities. In order to conduct an investigation in WhatsApp, the WhatsApp artefact should be located. This poses challenges to digital forensic investigators. This study investigates WhatsApp artefacts on Windows volatile and non-volatile memories. WhatsApp desktop and WhatsApp web were analysed. A set of four experiments were conducted. Experiment 1 investigates WhatsApp web artefacts via the cloud, experiment 2 investigates WhatsApp web artefacts on non-volatile memory, experiment 3 investigates WhatsApp desktop artefacts on non-volatile memory, and experiment 4 investigates WhatsApp web/desktop artefacts on volatile memory. Results demonstrated that all related artefacts were recovered from the WhatsApp web via the cloud. Moreover, a log file containing user's activities, contact numbers, and browser history, were recovered from non-volatile memory. Messages in clear text and part of images were recovered from volatile memory. This study provided a holistic approach for locating and analysing WhatsApp artefacts.