Microsoft Forensics

Looking for:

Forensic Artifact

Program Execution

Prefetch, ShimCache, AmCache, UserAssist, SRUM

File Opening

Shortcut files, Jump Lists, ShellBags, Prefetch, OpenSaveMRU

File Knowledge

WordWheelQuery, Last Visited MRU, Shortcut Files, Recycle Bin, Types Paths

Event Logs

User Logons, RDP Activity, RunAs events, Process Tracking, PowerShell Logs

Browser Usage

History, Cookies, Cache, Session Restore, TypedURLs

Forensics locations:

Object

Location

EVTX

# Post 2008 R2
C:\Windows\System32\winevt\logs

Scheduled Tasks

C:\windows\tasks
C:\windows\System32\Tasks
C:\windows\sysWOW64\Tasks

Jumplist / RecentFiles and RecentFileCache

# User files
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Recent\
C:\Users[username]\AppData\Local\Microsoft\Windows\FileHistory\Data
# Office Files:
C:\Users\AppData\Roaming\Microsoft\Office\Recent\

# Recent File cache
%systemroot%\AppCompat\Programs\RecentFileCache.bcf

C:\Users\*\AppData\Local\Microsoft\Windows\INetCookies
C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies\Low

Hibernation File

%SystemDrive%/hiberfil.sys
# Can be used to get memory of a powered off image

Page File

%SystemDrive%/pagefile.sys
# Can be used to get memory of a powered off image

Memory Dump

%WinDir%/MEMORY.DMP

Prefetch

C:\Windows\Prefectch

Shellbags

C:\Users\<USERNAME>\NTUSER.DAT
C:\Users\<USERNAME>\NTUSER.DAT.LOG1
C:\Users\<USERNAME>\NTUSER.DAT.LOG2
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2

AmCache

C:\Windows\AppCompay\Programs\Amcache.hve

ShimCache/ AppCompatCache

Registry

C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SAM.LOG1
C:\Windows\System32\config\SAM.LOG2
C:\Windows\System32\config\SYSTEM.LOG1
C:\Windows\System32\config\SYSTEM.LOG2
C:\Windows\System32\config\SECURITY.LOG1
C:\Windows\System32\config\SECURITY.LOG2
C:\Windows\System32\config\SOFTWARE.LOG1
C:\Windows\System32\config\SOFTWARE.LOG2

NTFS & $MFT

C:\$MFT
C:\$J
C:\$Logs

Shellbags

Use magnet to check if a disk is encrypted (edd.exe - https://www.magnetforensics.com/resources/encrypted-disk-detector/)

Main forensics artifacts:

To get the custom Triage extract using CyLR (https://github.com/orlikoski/CyLR) use:

CyLR.exe -c config.txt

CyLR config file:


C:\$Recycle.Bin
C:\$LogFile
C:\Windows\Tasks
C:\Windows\Prefectch
C:\Windows\inf\setupapi.dev.log
C:\Windows\Appcompat\Programs 
C:\Windows\System32\sru
C:\Windows\System32\winevt\logs

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\
C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent

C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer

https://www.comae.iowww.comae.io

PreviousAnti-Forensics NextShimCache/ AppCompatCache

Last updated 1 year ago

hashtagForensics locations:

hashtagMain forensics artifacts:

hashtagCyLR config file:

Forensics locations:

Main forensics artifacts:

CyLR config file: