FTK

Active Directory:

  • VSS Shadows can be mounted; check them for persistent code

Check for:

Recently executed:

Applications hive path:
Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
Docs hive path:
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\

Jumplist Location: 
C:\users\[user]\Appdata\Roaming\Microsoft\Windows\Recent\
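
Added example (not part of the original notes): a Python sketch that lists the entries of the RecentDocs key above in most-recent-first order. It assumes the commonly documented layout, where MRUListEx is a run of little-endian 32-bit value names ending in 0xFFFFFFFF and each numbered value starts with a NUL-terminated UTF-16LE file name. The function names and the sample values are constructed, and the input dictionary stands in for values exported by whatever hive parser is in use.

```python
import struct

def parse_mrulistex(data: bytes) -> list[int]:
    """Return numbered value names in most-recent-first order."""
    order = []
    for off in range(0, len(data) - 3, 4):
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == 0xFFFFFFFF:  # terminator (assumed layout)
            break
        order.append(idx)
    return order

def parse_entry_name(data: bytes) -> str:
    """Decode the leading NUL-terminated UTF-16LE file name of one value."""
    for off in range(0, len(data) - 1, 2):
        if data[off:off + 2] == b"\x00\x00":
            return data[:off].decode("utf-16-le", errors="replace")
    # No terminator found: decode the even-length prefix instead of failing.
    return data[: len(data) & ~1].decode("utf-16-le", errors="replace")

def recent_docs(values: dict[str, bytes]) -> list[str]:
    """values maps value name -> raw bytes for one RecentDocs (sub)key."""
    names = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        if raw is None:
            # Listed in the MRU order but absent: worth noting in the report.
            names.append(f"<missing value {idx}>")
        else:
            names.append(parse_entry_name(raw))
    return names

def _entry(name: str) -> bytes:
    """Build a constructed value: name, terminator, then filler bytes."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00constructed"

# Constructed sample data; value 3 is deliberately missing.
SAMPLE = {
    "MRUListEx": struct.pack("<5I", 2, 0, 3, 1, 0xFFFFFFFF),
    "0": _entry("report.docx"),
    "1": _entry("notes.txt"),
    "2": _entry("invoice.xlsx"),
}

if __name__ == "__main__":
    for position, name in enumerate(recent_docs(SAMPLE)):
        print(position, name)
```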
