-
NTFS Log Tracker
- $MFT, $Usnjrnl:$J, $LogFile
-
REGA, AmcacheParser, libregf
- C:/Windows/System32/config (SAM, SECURITY, SOFTWARE, SYSTEM)
- C:/Users/USERNAME (USERNAME.ntuser.dat)
- C:/Users/USERNAME/AppData/Local/Microsoft/Windows (USERNAME.UsrClass.dat)
- C:/Windows/appcompat/Programs/Amcache.hve (Amcache)
- AppCompatCache (Shimcache)
-
Event Log (EvtxECmd, pyevtx, python-evtx)
- C:/Windows/System32/winevt/Logs/*
-
Prefetch (PECmd, libscca)
- C:/Windows/Prefetch/*
-
JumpList (JLECmd, JumpLister)
- %UserProfile%/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations, CustomDestinations
-
Shim Database (python-sdb)
- Windows/AppPatch
-
Chrome, IE, Edge (Browser forensic)
- IE / Edge (legacy)
- AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat
- AppData/Local/Packages/Microsoft.Windows.Cortana_cw5n1h2txyewy
- AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe
- Chrome
- AppData/Local/Google/Chrome/User Data/Default
-
Windows 10 Timeline (WxTCmd)
- AppData/Local/ConnectedDevicesPlatform/Username/ActivitiesCache.db
-
Windows 10 Notification
- AppData/Local/Microsoft/Windows/Notifications/wpndatabase.db
-
Windows 10 MAIL (ESEDB Viewer, pyesedb)
- AppData/Local/Comms/UnistoreDB
-
Windows Search Database (pyesedb)
- C:/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb
-
WER
- C:/ProgramData/Microsoft/Windows/WER
-
thumbcache_*.db
- AppData/Local/Microsoft/Windows/Explorer/thumbcache_*.db
-
WMI (Link)
- Windows/System32/wbem/Repository/OBJECTS.DATA
-
IconCache.db
- AppData/Local/IconCache.db
-
Volume Shadow Copy (ShadowKit, ShadowExplorer, dfvfs, plaso, Arsenal Image Mounter, VSCMount)
-
Lnk (010 Editor, 20170327_LinkParser, pylnk)
-
Memory Forensic (Volatility, rekall)
-
hiberfil.sys, pagefile.sys, swapfile.sys (strings.. etc)
- C:/
-
Start Menu
- AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup
-
SRUM
- Windows/system32/sru/SRUDB.dat
-
Packages
- AppData/Local/Packages/microsoft.windowscommunicationsapps_8wekyb3d8bbwe
- AppData/Local/Packages/Microsoft.Windows.Cortana_cw5n1h2txyewy .. etc
-
PST, OST (pypff)
-
MITRE (Link)
Created: September 13, 2022 01:22
Gist: hyuunnn/dce270daf7819e57d6f3c67825d3cbd7 (forensic artifact)