FTK

ActiveDirectory:

  • VSS Shadows can be mounted; check them for persistent code

Check for:

Recent executed:

Applications Hive path: 
Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
Docs Hive path:
Hive path: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\

Jumplist Location: 
C:\users\[user]\Appdata\Roaming\Microsoft\Windows\Recent\
PreviousManual ForensicsNextBulkExtractor & BulkExtractor-Rec

Last updated