Hacking Notes
  • Ports & Enumeration
  • Antivirus Evasion
    • AMSI bypass
    • Macros / VBA
    • ETW bypass
    • EDR Evasion
    • EXE Packers
    • Powershell process-injection
    • Shellter
    • Payload generation
  • Port Forwarding
    • SSH
    • NetSH
    • Tools
    • Chisel
    • Meterpreter
  • Cloud
  • Word List Creation
  • Active Directory
    • Domain Enumeration
    • Domain Trusts
    • Domain Mapping
    • discretionary access control list (DACL)
      • ForceChangePassword
      • AddKeyLinkCredential
      • GenericWrite/ GenericAll
      • WriteOwner
      • GPO Exploitation
    • MS SQL
    • gMSA
    • Exchange
    • Group Exploitation
    • Domain Exploitation
    • Kerberos Attacks
    • SCCM
    • NTDS dumping
    • Impacket
    • ADCS exploitation
      • ESC 1
      • ESC4
      • ESC7
    • Privilege Escalation
      • Windows
        • System Enumeration
        • Credentials enumeration
        • Unsecure Service Path
        • Unsecure Path security
        • Misconfigured Reg
        • DLL Hijacking
        • Privilege enumeration
          • Tools
        • Vulnerable Apps
        • UAC Bypass
        • Service Enumeration
      • Unix
        • Linux Enumeration
        • Insecure File Permissions
        • Linux Escalate
        • Restricted shell escape
    • LAPS
  • Cloud
    • Azure
      • Tools
        • AzureCli - AZ
        • AzureCli - PowerShell
        • AzureAD
        • MicroBurst
        • SkyArk
        • PowerZure
        • BlueMap
        • AzureHound
        • BARK
        • GraphRunner
      • User attacks
        • CredMaster
        • TrevorSpray
      • o365
    • G-Cloud
    • Enumeration
      • AWS Cli
        • AWS Cli
      • Pacu
      • Organizational Trust
  • Web Application
    • Info
    • Log Poisoning / PHP Wrapping
    • HTTP Request Smuggling
    • Client Side Desync
    • Enumeration
    • Databases
    • SQL Injection
      • WAF Bypass
    • WebSocket
    • File Inclusion
    • Brute forcing
    • Cross Site Scripting (XSS)
  • Cracking
    • Hashcat
    • John The Ripper
    • Wireless
  • Wireless
    • Tools
    • WPS
    • WEP
    • WPA/ WPA-2/ WPA-3
    • WPA-Enterprise
    • PMKID
    • Captive Portal
  • DFIR
    • Forensics
      • Plaso
      • Microsoft
      • Windows
        • Anti-Forensics
        • Microsoft Forensics
          • ShimCache/ AppCompatCache
          • Defender
          • PowerShell / CMD
          • Registry
          • AmCache
          • Zone.Identifiers ADS
          • RecentFileCache
          • Prefetch
          • Lnk
          • Jumplist / RecentFiles
          • Shellbags
          • BAM/ DAM
          • SRUM
          • NTFS
          • EVTX
            • Security logs
            • WMI-Activity Operations
              • PowerShell/WinRM Operational
            • Task Scheduler
            • RDP Activity
            • Lateral Movement
          • hunting
          • Recycle Bin
          • Scheduled Tasks
        • o365
          • Mailbox Rules
      • Timeline Analysis
      • Forensics Tooling
        • Log2Timline / Plaso
        • Quarantine extraction
        • Scanning
          • Signature Scanning
          • AV Scanning
        • Logon Tracer
        • TimeSketch
        • Bulk_Extractor
        • FLS & Mactime
        • Manual Forensics
        • FTK
        • BulkExtractor & BulkExtractor-Rec
      • Linux
      • Azure
      • Active Directory
      • AnyDesk
    • Memory Analysis
      • Windows
        • Memory Acquisition
        • Code Injection
        • Rootkits
        • Rootkits
        • WMI/ PowerShell
        • Persistence & Lateral movement
        • Memory Acquisition
        • Baseliner
        • Identifying Code injection
        • Rookits
        • Process Objects
      • Tooling
        • Strings, bstrings and grep
        • Volatility
          • VolWeb
          • Memory Baseliner
        • MemProcFS
          • Code Injection
    • ReverseEngineering
    • Mobile
  • Networking
    • Radio
    • Vlans & Wired networking
    • Network Access Control
    • IPV6
    • Wireless
      • cracking
      • Aircrack-ng
      • WEP
      • WPA/ WPA2
      • WPA Enterprise
      • WPS
    • Bluetooth
  • Misc
    • Shells
      • WinRM / PowerShell
      • WinRM
      • Msfconsole
      • WinRM// PowerShell
      • Socat
      • Python
      • Netcat
      • PHP
      • Upgrade Shells
      • PowerCat
    • Buffer Overflow
      • General Information
      • Exploiting BufferOverflow
        • Find the Offset
        • Build the Exploit
        • Identifiy The BufferOverflow Character
        • Identify BadChars
        • Find the Jump Point
        • Generate Payload
        • Create Padding
    • Powershell
      • Quick Commands
      • Powershell Lateral Movement
    • Random Bits
    • Phishing
    • Coding
      • C#
    • Git
  • Command & Control
    • Meterpreter
    • Droppers
    • CobaltStrike
      • teamserver
      • Payload generation
        • Stagers
        • AV/EDR Bypass
          • Obfuscation
          • Sandbox Evasion
          • Win32 API
          • EDR Evasion
          • Encrypters
      • Listeners
      • Malleable Profiles
      • Initial Acces / Aggressors
      • Beacon Object Files (BOF)
      • Cheatsheet
    • Lateral Movement
    • Persistence
      • Low Priv User
      • High Priv User
  • Mobile App Testing
    • IOS
Powered by GitBook
On this page
  • Forensics locations:
  • Main forensics artifacts:
Edit on GitHub
  1. DFIR
  2. Forensics
  3. Windows

Microsoft Forensics

Looking for:
Forensic Artifact

Program Execution

Prefetch, ShimCache, AmCache, UserAssist, SRUM

File Opening

Shortcut files, Jump Lists, ShellBags, Prefetch, OpenSaveMRU

File Knowledge

WordWheelQuery, Last Visited MRU, Shortcut Files, Recycle Bin, Types Paths

Event Logs

Browser Usage

History, Cookies, Cache, Session Restore, TypedURLs

Forensics locations:

Object
Location

Cookies

Hibernation File

Page File

Memory Dump

Main forensics artifacts:

CyLR.exe -c config.txt

CyLR config file: 


C:\$Recycle.Bin
C:\$LogFile
C:\Windows\Tasks
C:\Windows\Prefectch
C:\Windows\inf\setupapi.dev.log
C:\Windows\Appcompat\Programs 
C:\Windows\System32\sru
C:\Windows\System32\winevt\logs

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\
C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent

C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer

PreviousAnti-ForensicsNextShimCache/ AppCompatCache

Last updated 11 months ago

User Logons, , RunAs events, Process Tracking, PowerShell Logs

and

&

Use magnet to check if a disk is encrypted (edd.exe - )

To get the custom Triage extract using CyLR () use:

# Post 2008 R2
C:\Windows\System32\winevt\logs
C:\windows\tasks
C:\windows\System32\Tasks
C:\windows\sysWOW64\Tasks
# User files
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Recent\
C:\Users[username]\AppData\Local\Microsoft\Windows\FileHistory\Data
# Office Files:
C:\Users\AppData\Roaming\Microsoft\Office\Recent\

# Recent File cache
%systemroot%\AppCompat\Programs\RecentFileCache.bcf
C:\Users\*\AppData\Local\Microsoft\Windows\INetCookies
C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies\Low
%SystemDrive%/hiberfil.sys
# Can be used to get memory of a powered off image
%SystemDrive%/pagefile.sys
# Can be used to get memory of a powered off image
%WinDir%/MEMORY.DMP
C:\Windows\Prefectch
C:\Users\<USERNAME>\NTUSER.DAT
C:\Users\<USERNAME>\NTUSER.DAT.LOG1
C:\Users\<USERNAME>\NTUSER.DAT.LOG2
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
C:\Windows\AppCompay\Programs\Amcache.hve
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SAM.LOG1
C:\Windows\System32\config\SAM.LOG2
C:\Windows\System32\config\SYSTEM.LOG1
C:\Windows\System32\config\SYSTEM.LOG2
C:\Windows\System32\config\SECURITY.LOG1
C:\Windows\System32\config\SECURITY.LOG2
C:\Windows\System32\config\SOFTWARE.LOG1
C:\Windows\System32\config\SOFTWARE.LOG2
C:\$MFT
C:\$J
C:\$Logs
https://www.magnetforensics.com/resources/encrypted-disk-detector/
https://github.com/orlikoski/CyLR
RDP Activity
EVTX
Scheduled Tasks
Jumplist / RecentFiles
RecentFileCache
Prefetch
Shellbags
AmCache
ShimCache/ AppCompatCache
Registry
Shellbags
NTFS
https://www.comae.iowww.comae.io
$MFT