UNCcontent.ie5
content.ie5 时间:2021-05-17 阅读:()
$STANDARD_INFORMATION$FILENAMEWindowsForensicAnalysisPOSTERYouCan'tProtectWhatYouDon'tKnowAboutdigital-forensics.
sans.
org$25.
00DFPS_FOR500_v4.
11_0121PosterCreatedbyRobLeewithsupportoftheSANSDFIRFaculty2021RobLee.
AllRightsReserved.
Modied–NoChangeCreation–NoChangeAccess–NoChangeMetadata–TimeofFileRenameFileRenameModied–NoChangeCreation–NoChangeAccess–NoChangeMetadata–NoChangeFileRenameModied–NoChangeCreation–NoChangeAccess–NoChangeMetadata–TimeofLocalFileMoveLocalFileMoveModied–NoChangeCreation–NoChangeAccess–NoChangeMetadata–NoChangeLocalFileMoveModied–InheritedfromOriginalMetadata–InheritedfromOriginalAccess–TimeofFileMoveviaCLICreation–TimeofFileMoveviaCLIVolumeFileMove(moveviaCLI)Modied–TimeofMoveviaCLIAccess–TimeofMoveviaCLIMetadata–TimeofMoveviaCLICreation–TimeofMoveviaCLIVolumeFileMove(moveviaCLI)Modied–InheritedfromOriginalMetadata–InheritedfromOriginalCreation–InheritedfromOriginalAccess–TimeofCut/PasteVolumeFileMove(cut/pasteviaExplorer)Access–TimeofCut/PasteCreation–TimeofCut/PasteModied–TimeofCut/PasteMetadata–TimeofCut/PasteVolumeFileMove(cut/pasteviaExplorer)Modied–InheritedfromOriginalAccess–TimeofFileCopyCreation–TimeofFileCopyMetadata–TimeofFileCopyFileCopyAccess–TimeofFileCopyCreation–TimeofFileCopyModied–TimeofFileCopyMetadata–TimeofFileCopyFileCopyModied–NoChangeMetadata–NoChangeAccess–TimeofAccess(NoChangeonNTFSVolumes>128GB)Creation–NoChangeFileAccessModied–NoChangeMetadata–NoChangeCreation–NoChangeAccess–NoChangeFileAccessModied–TimeofDataModicationMetadata–TimeofDataModicationCreation–NoChangeFileModicationAccess–NoChangeCreation–NoChangeModied–NoChangeMetadata–NoChangeFileModicationAccess–TimeofFileCreationAccess–TimeofDataModicationMetadata–TimeofFileCreationCreation–TimeofFileCreationModied–TimeofFileCreationFileCreationAccess–TimeofFileCreationMetadata–TimeofFileCreationCreation–TimeofFileCreationModied–TimeofFileCreationFileCreationModied–NoChangeMetadata–NoChangeAccess–NoChangeCreation–NoChangeFileDeletionModied–NoChangeMetadata–NoChangeAccess–NoChangeCreation–NoChangeFileDeletionWindowsArtifactAnalysis:Evidenceof.
.
.
UserAssistDescriptionGUI-basedprogramslaunchedfromthedesktoparetrackedinthelauncheronaWindowsSystem.
LocationNTUSER.
DATHIVE:NTUSER.
DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\CountInterpretationAllvaluesareROT-13EncodedGUIDforXP-75048700ActiveDesktopGUIDforWin7/8/10-CEBFF5CDExecutableFileExecution-F4E57C4BShortcutFileExecutionWindows10TimelineDescriptionWin10recordsrecentlyusedapplicationsandlesina"timeline"accessibleviathe"WIN+TAB"key.
ThedataisrecordedinaSQLitedatabase.
LocationC:\Users\\AppData\Local\ConnectedDevicesPlatform\\ActivitiesCache.
dbInterpretationApplicationexecutionFocuscountperapplicationBAM/DAMDescriptionWindowsBackgroundActivityModerator(BAM)LocationWin10:SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}InvestigativeNotesProvidesfullpathoftheexecutablelethatwasrunonthesystemandlastexecutiondate/timeShimcacheDescriptionWindowsApplicationCompatibilityDatabaseisusedbyWindowstoidentifypossibleapplicationcompatibilitychallengeswithexecutables.
Trackstheexecutableslename,lesize,lastmodiedtime,andinWindowsXPthelastupdatetimeLocationXP:SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibilityWin7/8/10:SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCacheInterpretationAnyexecutablerunontheWindowssystemcouldbefoundinthiskey.
Youcanusethiskeytoidentifysystemsthatspecicmalwarewasexecutedon.
Inaddition,basedontheinterpretationofthetime-baseddatayoumightbeabletodeterminethelasttimeofexecutionoractivityonthesystem.
WindowsXPcontainsatmost96entries-LastUpdateTimeisupdatedwhenthelesareexecutedWindows7containsatmost1,024entries-LastUpdateTimedoesnotexistonWin7systemsAmcache.
hveDescriptionProgramDataUpdater(ataskassociatedwiththeApplicationExperienceService)usestheregistryleAmcache.
hvetostoredataduringprocesscreationLocationWin7/8/10:C:\Windows\AppCompat\Programs\Amcache.
hveInterpretationAmcache.
hve–Keys=Amcache.
hve\Root\File\{VolumeGUID}Entryforeveryexecutablerun,fullpathinformation,File's$StandardInfoLastModicationTime,andDiskvolumetheexecutablewasrunfromFirstRunTime=LastModicationTimeofKeySHA1hashofexecutablealsocontainedinthekeySystemResourceUsageMonitor(SRUM)DescriptionRecords30to60daysofhistoricalsystemperformance.
Applicationsrun,useraccountresponsibleforeach,andapplicationandbytessent/receivedperapplicationperhour.
LocationSOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions{d10ca2fe-6fcf-4f6d-848e-b2e99266fa89}=ApplicationResourceUsageProviderC:\Windows\System32\SRU\InterpretationUsetoolsuchassrum_dump.
exetocrosscorrelatethedatabetweentheregistrykeysandtheSRUMESEDatabase.
JumpListsDescriptionTheWindows7taskbar(JumpList)isengineeredtoallowusersto"jump"oraccessitemstheyhavefrequentlyorrecentlyusedquicklyandeasily.
Thisfunctionalitycannotonlyincluderecentmediales;itmustalsoincluderecenttasks.
ThedatastoredintheAutomaticDestinationsfolderwilleachhaveauniqueleprependedwiththeAppIDoftheassociatedapplication.
LocationWin7/8/10:C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinationsInterpretationFirsttimeofexecutionofapplication.
-CreationTime=FirsttimeitemaddedtotheAppIDle.
Lasttimeofexecutionofapplicationw/leopen.
-ModicationTime=LasttimeitemaddedtotheAppIDle.
ListofJumpListIDs->https://dr.
to/EZJumpListLast-VisitedMRUDescriptionTracksthespecicexecutableusedbyanapplicationtoopenthelesdocumentedintheOpenSaveMRUkey.
Inaddition,eachvaluealsotracksthedirectorylocationforthelastlethatwasaccessedbythatapplication.
Example:Notepad.
exewaslastrunusingtheC:\%USERPROFILE%\DesktopfolderLocationXP:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRUWin7/8/10:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRUInterpretationTrackstheapplicationexecutablesusedtoopenlesinOpenSaveMRUandthelastlepathused.
PrefetchDescriptionIncreasesperformanceofasystembypre-loadingcodepagesofcommonlyusedapplications.
CacheManagermonitorsalllesanddirectoriesreferencedforeachapplicationorprocessandmapsthemintoa.
pfle.
Utilizedtoknowanapplicationwasexecutedonasystem.
Limitedto128lesonXPandWin7Limitedto1024lesonWin8(exename)-(hash).
pfLocationWinXP/7/8/10:C:\Windows\PrefetchInterpretationEach.
pfwillincludelasttimeofexecution,numberoftimesrun,anddeviceandlehandlesusedbytheprogramDate/Timelebythatnameandpathwasrstexecuted-CreationDateof.
pfle(-10seconds)Date/Timelebythatnameandpathwaslastexecuted-Embeddedlastexecutiontimeof.
pfle-Lastmodicationdateof.
pfle(-10seconds)-Win8-10willcontainlast8timesofexecutionProgramExecutionXPSearch–ACMRUDescriptionYoucansearchforawiderangeofinformationthroughthesearchassistantonaWindowsXPmachine.
Thesearchassistantwillrememberauser'ssearchtermsforlenames,computers,orwordsthatareinsideale.
Thisisanexampleofwhereyoucanndthe"SearchHistory"ontheWindowssystem.
LocationNTUSER.
DATHIVENTUSER.
DAT\Software\Microsoft\SearchAssistant\ACMru\####InterpretationSearchtheInternet–####=5001Allorpartofadocumentname–####=5603Awordorphraseinale–####=5604Printers,ComputersandPeople–####=5647ThumbcacheDescriptionThumbnailsofpictures,ofcedocuments,andfoldersexistinadatabasecalledthethumbcache.
Eachuserwillhavetheirowndatabasebasedonthethumbnailsizesviewedbytheuser(small,medium,large,andextra-larger)LocationC:\%USERPROFILE%\AppData\Local\Microsoft\Windows\ExplorerInterpretationThesearecreatedwhenauserswitchesafoldertothumbnailmodeorviewspicturesviaaslideshow.
Asitwere,ourthumbsarenowstoredinseparatedatabaseles.
Win7+has4sizesforthumbnailsandthelesinthecachefolderreectthis:-32->small-96->medium-256->large-1024->extralargeThethumbcachewillstorethethumbnailcopyofthepicturebasedonthethumbnailsizeinthecontentoftheequivalentdatabasele.
Thumbs.
dbDescriptionHiddenleindirectorywhereimagesonmachineexiststoredinasmallerthumbnailgraphics.
thumbs.
dbcatalogspicturesinafolderandstoresacopyofthethumbnailevenifthepicturesweredeleted.
LocationWinXP/Win8|8.
1AutomaticallycreatedanywherewithhomegroupenabledWin7/8/10AutomaticallycreatedanywhereandaccessedviaaUNCPath(localorremote)InterpretationInclude:ThumbnailPictureofOriginalPictureDocumentThumbnail–EvenifDeletedLastModicationTime(XPOnly)OriginalFilename(XPOnly)IE|Edgele://DescriptionAlittle-knownfactabouttheIEHistoryisthattheinformationstoredinthehistorylesisnotjustrelatedtoInternetbrowsing.
Thehistoryalsorecordslocalandremote(vianetworkshares)leaccess,givingusanexcellentmeansfordeterminingwhichlesandapplicationswereaccessedonthesystem,daybyday.
LocationInternetExplorer:IE6-7%USERPROFILE%\LocalSettings\History\History.
IE5IE8-9%USERPROFILE%\AppData\Local\Microsoft\WindowsHistory\History.
IE5IE10-11%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datInterpretationStoredinindex.
datas:file:///C:/directory/lename.
extDoesnotmeanlewasopenedinbrowserSearch–WordWheelQueryDescriptionKeywordssearchedforfromtheSTARTmenubaronaWindows7machine.
LocationWin7/8/10NTUSER.
DATHiveNTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQueryInterpretationKeywordsareaddedinUnicodeandlistedintemporalorderinanMRUlistWin7/8/10RecycleBinDescriptionTherecyclebinisaveryimportantlocationonaWindowslesystemtounderstand.
Itcanhelpyouwhenaccomplishingaforensicinvestigation,aseverylethatisdeletedfromaWindowsrecyclebinawareprogramisgenerallyrstputintherecyclebin.
LocationHiddenSystemFolderWin7/8/10C:\$Recycle.
binDeletedTimeandOriginalFilenamecontainedinseparatelesforeachdeletedrecoveryleInterpretationSIDcanbemappedtouserviaRegistryAnalysisWin7/8/10-FilesPrecededby$I######lescontainOriginalPATHandnameDeletionDate/Time-FilesPrecededby$R######lescontainRecoveryDataLast-VisitedMRUDescriptionTracksthespecicexecutableusedbyanapplicationtoopenthelesdocumentedintheOpenSaveMRUkey.
Inaddition,eachvaluealsotracksthedirectorylocationforthelastlethatwasaccessedbythatapplication.
LocationXPNTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRUWin7/8/10NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRUInterpretationTrackstheapplicationexecutablesusedtoopenlesinOpenSaveMRUandthelastlepathused.
XPRecycleBinDescriptionTherecyclebinisaveryimportantlocationonaWindowslesystemtounderstand.
Itcanhelpyouwhenaccomplishingaforensicinvestigation,aseverylethatisdeletedfromaWindowsrecyclebinawareprogramisgenerallyrstputintherecyclebin.
LocationHiddenSystemFolderWindowsXPC:\RECYCLER"2000/NT/XP/2003Subfolderiscreatedwithuser'sSIDHiddenleindirectorycalled"INFO2"INFO2ContainsDeletedTimeandOriginalFilenameFilenameinbothASCIIandUNICODEInterpretationSIDcanbemappedtouserviaRegistryAnalysisMapslenametotheactualnameandpathitwasdeletedfromDeletedFileorFileKnowledgeOpen/SaveMRUDescriptionInthesimplestterms,thiskeytrackslesthathavebeenopenedorsavedwithinaWindowsshelldialogbox.
Thishappenstobeabigdataset,notonlyincludingwebbrowserslikeInternetExplorerandFirefox,butalsoamajorityofcommonlyusedapplications.
LocationXP:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRUWin7/8/10:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRUInterpretationThe"*"key–ThissubkeytracksthemostrecentlesofanyextensioninputinanOpenSavedialog.
(Threeletterextension)–ThissubkeystoresleinfofromtheOpenSavedialogbyspecicextensionEmailAttachmentsDescriptionTheemailindustryestimatesthat80%ofemaildataisstoredviaattachments.
Emailstandardsonlyallowtext.
AttachmentsmustbeencodedwithMIME/base64format.
LocationOutlookXP:%USERPROFILE%\LocalSettings\ApplicationData\Microsoft\OutlookWin7/8/10:%USERPROFILE%\AppData\Local\Microsoft\OutlookInterpretationMSOutlookdatalesfoundintheselocationsincludeOSTandPSTles.
OneshouldalsochecktheOLKandContent.
Outlookfolder,whichmightroamdependingonthespecicversionofOutlookused.
FormoreinformationonwheretondtheOLKfolderthislinkhasahandychart:http://www.
hancockcomputertech.
com/blog/2010/01/06/nd-the-microsoft-outlook-temporary-olk-folderSkypeHistoryDescriptionSkypehistorykeepsalogofchatsessionsandlestransferredfromonemachinetoanotherThisisturnedonbydefaultinSkypeinstallationsLocationXP:C:\DocumentsandSettings\\Application\Skype\Win7/8/10:C:\%USERPROFILE%\AppData\Roaming\Skype\InterpretationEachentrywillhaveadate/timevalueandaSkypeusernameassociatedwiththeaction.
BrowserArtifactsDescriptionNotdirectlyrelatedto"FileDownload".
Detailsstoredforeachlocaluseraccount.
Recordsnumberoftimesvisited(frequency).
LocationInternetExplorerIE8-9:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.
datIE10-11:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datFirefoxv3-25:%userprole%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\downloads.
sqlitev26+:%userprole%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\places.
sqliteTable:moz_annosChrome:Win7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\HistoryInterpretationManysitesinhistorywilllistthelesthatwereopenedfromremotesitesanddownloadedtothelocalsystem.
Historywillrecordtheaccesstotheleonthewebsitethatwasaccessedviaalink.
DownloadsDescriptionFirefoxandIEhasabuilt-indownloadmanagerapplicationwhichkeepsahistoryofeveryledownloadedbytheuser.
Thisbrowserartifactcanprovideexcellentinformationaboutwhatsitesauserhasbeenvisitingandwhatkindsoflestheyhavebeendownloadingfromthem.
LocationFirefox:XP:%userprole%\ApplicationData\Mozilla\Firefox\Proles\.
default\downloads.
sqliteWin7/8/10:%userprole%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\downloads.
sqliteInternetExplorer:IE8-9:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\IE10-11:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datInterpretationDownloadswillinclude:Filename,Size,andTypeDownloadfromandReferringPageFileSaveLocationApplicationUsedtoOpenFileDownloadStartandEndTimesADSZone.
IdentiferDescriptionStartingwithXPSP2whenlesaredownloadedfromthe"InternetZone"viaabrowsertoaNTFSvolume,analternatedatastreamisaddedtothele.
Thealternatedatastreamisnamed"Zone.
Identier.
"InterpretationFileswithanADSZone.
IdentierandcontainsZoneID=3weredownloadedfromtheInternetURLZONE_TRUSTED=ZoneID=2URLZONE_INTERNET=ZoneID=3URLZONE_UNTRUSTED=ZoneID=4FileDownloadThe"Evidenceof.
.
.
"categorieswereoriginallycreatedbySANSDigitalForensicsandIncidenceResponsefacultyfortheSANScourseFOR500:WindowsForensicAnalysis.
Thecategoriesmapaspecicartifacttotheanalysisquestionsthatitwillhelptoanswer.
Usethisposterasacheat-sheettohelpyourememberwhereyoucandiscoverkeyWindowsartifactsforcomputerintrusion,intellectualpropertytheft,andothercommoncybercrimeinvestigations.
SEC504HackerTools,Techniques,Exploits,andIncidentHandlingGCIHFOR508AdvancedIncidentResponse,ThreatHunting,andDigitalForensicsGCFAFOR572AdvancedNetworkForensics:ThreatHunting,Analysis,andIncidentResponseGNFAFOR578CyberThreatIntelligenceGCTIFOR610REM:MalwareAnalysisGREMFOR498BattleeldForensics&DataAcquisitionGBFAFOR308DigitalForensicsEssentialsFOR518MacandiOSForensicAnalysisandIncidentResponseFOR500WindowsForensicsGCFEFOR585SmartphoneForensicAnalysisIn-DepthGASFOPERATINGSYSTEM&DEVICEINDEPTHINCIDENTRESPONSE&THREATHUNTING11WindowsTimeRulesbasedoffoftestingonWindows10Releaseversion1903sansforensics@sansforensicsdr.
to/MAIL-LISTTimezoneDescriptionIdentiesthecurrentsystemtimezone.
LocationSYSTEMHive:SYSTEM\CurrentControlSet\Control\TimeZoneInformationInterpretationTimeactivityisincrediblyusefulforcorrelationofactivityInternalloglesanddate/timestampswillbebasedonthesystemtimezoneinformationYoumighthaveothernetworkdevicesandyouwillneedtocorrelateinformationtothetimezoneinformationcollectedhere.
CookiesDescriptionCookiesgiveinsightintowhatwebsiteshavebeenvisitedandwhatactivitiesmayhavetakenplacethere.
LocationInternetExplorerIE6-8:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\CookiesIE10:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\CookiesIE11:%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookiesFirefoxXP:%USERPROFILE%\ApplicationData\Mozilla\Firefox\Proles\.
default\cookies.
sqliteWin7/8/10:%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\cookies.
sqliteChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\LocalStorageWin7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\LocalStorageNetworkHistoryDescriptionIdentifynetworksthatthecomputerhasbeenconnectedtoNetworkscouldbewirelessorwiredIdentifydomainname/intranetnameIdentifySSIDIdentifyGatewayMACAddressLocationWin7/8/10SOFTWAREHIVE:SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Signatures\UnmanagedSOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Signatures\ManagedSOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Nla\CacheInterpretationIdentifyingintranetsandnetworksthatacomputerhasconnectedtoisincrediblyimportantNotonlycanyoudeterminetheintranetname,youcandeterminethelasttimethenetworkwasconnectedtoitbasedonthelastwritetimeofthekeyThiswillalsolistanynetworksthathavebeenconnectedtoviaaVPNMACAddressofSSIDforGatewaycouldbephysicallytriangulatedWLANEventLogDescriptionDeterminewhatwirelessnetworksthesystemassociatedwithandidentifynetworkcharacteristicstondlocationRelevantEventIDs11000–Wirelessnetworkassociationstarted8001–Successfulconnectiontowirelessnetwork8002–Failedconnectiontowirelessnetwork8003–Disconnectfromwirelessnetwork6100–Networkdiagnostics(Systemlog)LocationMicrosoft-Windows-WLAN-AutoCongOperational.
evtxInterpretationShowshistoricalrecordofwirelessnetworkconnectionsContainsSSIDandBSSID(MACaddress),whichcanbeusedtogeolocatewirelessaccesspoint*(noBSSIDonWin8+)BrowserSearchTermsDescriptionRecordswebsitesvisitedbydateandtime.
Detailsstoredforeachlocaluseraccount.
Recordsnumberoftimesvisited(frequency).
Alsotracksaccessoflocalsystemles.
Thiswillalsoincludethewebsitehistoryofsearchtermsinsearchengines.
LocationInternetExplorerIE6-7:%USERPROFILE%\LocalSettings\History\History.
IE5IE8-9:%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.
IE5IE10-11:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datFirefoxXP:%userprole%\ApplicationData\Mozilla\Firefox\Proles\.
default\places.
sqliteWin7/8/10:%userprole%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\places.
sqliteSystemResourceUsageMonitor(SRUM)DescriptionRecords30to60daysofhistoricalsystemperformance.
Applicationsrun,useraccountresponsibleforeach,andapplicationandbytessent/receivedperapplicationperhour.
LocationSOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions{973F5D5C-1D90-4944-BE8E-24B94231A174}=WindowsNetworkDataUsageMonitor{DD6636C4-8929-4683-974E-22C046A43763}=WindowsNetworkConnectivityUsageMonitorSOFTWARE\Microsoft\WlanSvc\Interfaces\C:\Windows\System32\SRU\InterpretationUsetoolsuchassrum_dump.
exetocrosscorrelatethedatabetweentheregistrykeysandtheSRUMESEDatabase.
NetworkActivity/PhysicalLocationOpen/SaveMRUDescriptionInthesimplestterms,thiskeytrackslesthathavebeenopenedorsavedwithinaWindowsshelldialogbox.
Thishappenstobeabigdataset,notonlyincludingwebbrowserslikeInternetExplorerandFirefox,butalsoamajorityofcommonlyusedapplications.
LocationXP:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRUWin7/8/10:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRUInterpretationThe"*"key–ThissubkeytracksthemostrecentlesofanyextensioninputinanOpenSavedialog.
(Threeletterextension)–ThissubkeystoresleinfofromtheOpenSavedialogbyspecicextensionRecentFilesDescriptionRegistryKeythatwilltrackthelastlesandfoldersopenedandisusedtopopulatedatain"Recent"menusoftheStartmenu.
LocationNTUSER.
DAT:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocsInterpretationRecentDocs–Overallkeywilltracktheoverallorderofthelast150lesorfoldersopened.
MRUlistwillkeeptrackofthetemporalorderinwhicheachle/folderwasopened.
Thelastentryandmodicationtimeofthiskeywillbethetimeandlocationthelastleofaspecicextensionwasopened.
Thissubkeystoresthelastleswithaspecicextensionthatwereopened.
MRUlistwillkeeptrackofthetemporalorderinwhicheachlewasopened.
Thelastentryandmodicationtimeofthiskeywillbethetimewhenandlocationwherethelastleofaspecicextensionwasopened.
Folder–Thissubkeystoresthelastfoldersthatwereopened.
MRUlistwillkeeptrackofthetemporalorderinwhicheachfolderwasopened.
Thelastentryandmodicationtimeofthiskeywillbethetimeandlocationofthelastfolderopened.
JumpListsDescriptionTheWindows7taskbar(JumpList)isengineeredtoallowusersto"jump"oraccessitemshavefrequentlyorrecentlyusedquicklyandeasily.
Thisfunctionalitycannotonlyincluderecentmediales;itmustalsoincluderecenttasks.
ThedatastoredintheAutomaticDestinationsfolderwilleachhaveauniqueleprependedwiththeAppIDoftheassociationapplicationandembeddedwithLNKlesineachstream.
LocationWin7/8/10:C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinationsInterpretationUsingtheStructuredStorageViewer,openuponeoftheAutomaticDestinationjumplistles.
EachoneoftheselesisaseparateLNKle.
Theyarealsostorednumericallyinorderfromtheearliestone(usually1)tothemostrecent(largestintegervalue).
ShellBagsDescriptionWhichfolderswereaccessedonthelocalmachine,thenetwork,and/orremovabledevices.
Evidenceofpreviouslyexistingfoldersafterdeletion/overwrite.
Whencertainfolderswereaccessed.
LocationExplorerAccess:USRCLASS.
DAT\LocalSettings\Software\Microsoft\Windows\Shell\BagsUSRCLASS.
DAT\LocalSettings\Software\Microsoft\Windows\Shell\BagMRUDesktopAccess:NTUSER.
DAT\Software\Microsoft\Windows\Shell\BagMRUNTUSER.
DAT\Software\Microsoft\Windows\Shell\BagsInterpretationStoresinformationaboutwhichfoldersweremostrecentlybrowsedbytheuser.
Shortcut(LNK)FilesDescriptionShortcutFilesautomaticallycreatedbyWindows-RecentItems-Openinglocalandremotedatalesanddocumentswillgenerateashortcutle(.
lnk)LocationXP:C:\%USERPROFILE%\RecentWin7/8/10:C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\C:\%USERPROFILE%\AppData\Roaming\Microsoft\Oce\Recent\NotetheseareprimarylocationsofLNKles.
Theycanalsobefoundinotherlocations.
InterpretationDate/Timeleofthatnamewasrstopened-CreationDateofShortcut(LNK)FileDate/Timeleofthatnamewaslastopened-LastModicationDateofShortcut(LNK)FileLNKTargetFile(InternalLNKFileInformation)Data:-Modied,Access,andCreationtimesofthetargetle-VolumeInformation(Name,Type,SerialNumber)-NetworkShareinformation-OriginalLocation-NameofSystemPrefetchDescriptionIncreasesperformanceofasystembypre-loadingcodepagesofcommonlyusedapplications.
CacheManagermonitorsalllesanddirectoriesreferencedforeachapplicationorprocessandmapsthemintoa.
pfle.
Utilizedtoknowanapplicationwasexecutedonasystem.
Limitedto128lesonXPandWin7Limitedto1024lesonWin8-10(exename)-(hash).
pfLocationWinXP/7/8/10:C:\Windows\PrefetchInterpretationCanexamineeach.
pfletolookforlehandlesrecentlyusedCanexamineeach.
pfletolookfordevicehandlesrecentlyusedLast-VisitedMRUDescriptionTracksthespecicexecutableusedbyanapplicationtoopenthelesdocumentedintheOpenSaveMRUkey.
Inaddition,eachvaluealsotracksthedirectorylocationforthelastlethatwasaccessedbythatapplication.
Example:Notepad.
exewaslastrunusingtheC:\Users\Rob\DesktopfolderLocationXP:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRUWin7/8/10:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRUInterpretationTrackstheapplicationexecutablesusedtoopenlesinOpenSaveMRUandthelastlepathused.
IE|Edgele://DescriptionAlittleknownfactabouttheIEHistoryisthattheinformationstoredinthehistorylesisnotjustrelatedtoInternetbrowsing.
Thehistoryalsorecordslocal,removable,andremote(vianetworkshares)leaccess,givingusanexcellentmeansfordeterminingwhichlesandapplicationswereaccessedonthesystem,daybyday.
LocationInternetExplorer:IE6-7:%USERPROFILE%\LocalSettings\History\History.
IE5IE8-9:%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.
IE5IE10-11:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datInterpretationStoredinindex.
datas:le:///C:/directory/lename.
extDoesnotmeanlewasopenedinbrowserOfceRecentFilesDescriptionMSOfceprogramswilltracktheirownRecentFileslisttomakeiteasierforuserstorememberthelastletheywereediting.
LocationNTUSER.
DAT\Software\Microsoft\Oce\VERSION14.
0=Ofce201011.
0=Ofce200312.
0=Ofce200710.
0=OfceXPNTUSER.
DAT\Software\Microsoft\Oce\VERSION\UserMRU\LiveID_####\FileMRU15.
0=Ofce365InterpretationSimilartotheRecentFiles,thiswilltrackthelastlesthatwereopenedbyeachMSOfceapplication.
Thelastentryadded,pertheMRU,willbethetimethelastlewasopenedbyaspecicMSOfceapplication.
File/FolderOpeningBrowserUsageLastLoginDescriptionListsthelocalaccountsofthesystemandtheirequivalentsecurityidentiers.
LocationC:\windows\system32\cong\SAMSAM\Domains\Account\UsersInterpretationOnlythelastlogintimewillbestoredintheregistrykeyLastPasswordChangeDescriptionListsthelasttimethepasswordofaspeciclocaluserhasbeenchanged.
LocationC:\windows\system32\cong\SAMSAM\Domains\Account\UsersInterpretationOnlythelastpasswordchangetimewillbestoredintheregistrykeyRDPUsageDescriptionTrackRemoteDesktopProtocollogonstotargetmachines.
LocationSecurityLogWin7/8/10:%SYSTEMROOT%\System32\winevt\logs\Security.
evtxInterpretationWin7/8/10–Interpretation-EventID4778–SessionConnected/Reconnected-EventID4779–SessionDisconnectedEventlogprovideshostnameandIPaddressofremotemachinemakingtheconnectionOnworkstationsyouwilloftenseecurrentconsolesessiondisconnected(4779)followedbyRDPconnection(4778)ServicesEventsDescriptionAnalyzelogsforsuspiciousservicesrunningatboottimeReviewservicesstartedorstoppedaroundthetimeofasuspectedcompromiseLocationAllEventIDsreferencetheSystemLog7034–Servicecrashedunexpectedly7035–ServicesentaStart/Stopcontrol7036–Servicestartedorstopped7040–Starttypechanged(Boot|OnRequest|Disabled)7045–Aservicewasinstalledonthesystem(Win2008R2+)4697–Aservicewasinstalledonthesystem(fromSecuritylog)InterpretationAllEventIDsexcept4697referencetheSystemLogAlargeamountofmalwareandwormsinthewildutilizeServicesServicesstartedonbootillustratepersistence(desirableinmalware)ServicescancrashduetoattackslikeprocessinjectionLogonTypesDescriptionLogonEventscangiveusveryspecicinformationregardingthenatureofaccountauthorizationsonasystemifweknowwheretolookandhowtodecipherthedatathatwend.
Inadditiontotellingusthedate,time,username,hostname,andsuccess/failurestatusofalogon,LogonEventsalsoenablesustodeterminebyexactlywhatmeansalogonwasattempted.
LocationWin7/8/10:EventID4624InterpretationLogonTypeExplanation2Logonviaconsole3NetworkLogon4BatchLogon5WindowsServiceLogon7Credentialsusedtounlockscreen8Networklogonsendingcredentials(cleartext)9Differentcredentialsusedthanloggedonuser10Remoteinteractivelogon(RDP)11Cachedcredentialsusedtologon12Cachedremoteinteractive(similartoType10)13Cachedunlock(similartoType7)AuthenticationEventsDescriptionAuthenticationmechanismsLocationRecordedonsystemthatauthenticatedcredentialsLocalAccount/Workgroup=onworkstationDomain/ActiveDirectory=ondomaincontrollerWin7/8/10:%SYSTEMROOT%\System32\winevt\logs\Security.
evtxInterpretationEventIDCodes(NTLMprotocol)4776:Successful/FailedaccountauthenticationEventIDCodes(Kerberosprotocol)4768:TicketGrantingTicketwasgranted(successfullogon)4769:ServiceTicketrequested(accesstoserverresource)4771:Pre-authenticationfailed(failedlogon)Success/FailLogonsDescriptionDeterminewhichaccountshavebeenusedforattemptedlogons.
Trackaccountusageforknowncompromisedaccounts.
LocationWin7/8/10:%systemroot%\System32\winevt\logs\Security.
evtxInterpretationWin7/8/10–Interpretation4624–SuccessfulLogon4625–FailedLogon4634|4647–SuccessfulLogoff4648–Logonusingexplicitcredentials(Runas)4672–Accountlogonwithsuperuserrights(Administrator)4720–AnaccountwascreatedAccountUsageKeyIdenticationDescriptionTrackUSBdevicespluggedintoamachine.
LocationSYSTEM\CurrentControlSet\Enum\USBSTORSYSTEM\CurrentControlSet\Enum\USBInterpretationIdentifyvendor,product,andversionofaUSBdevicepluggedintoamachineIdentifyauniqueUSBdevicepluggedintothemachineDeterminethetimeadevicewaspluggedintothemachineDevicesthatdonothaveauniqueserialnumberwillhavean"&"inthesecondcharacteroftheserialnumber.
First/LastTimesDescriptionDeterminetemporalusageofspecicUSBdevicesconnectedtoaWindowsMachine.
LocationFirstTimePlugandPlayLogFilesXP:C:\Windows\setupapi.
logWin7/8/10:C:\Windows\inf\setupapi.
dev.
logInterpretationSearchforDeviceSerialNumberLogFiletimesaresettolocaltimezoneLocationFirst,Last,andRemovalTimes(Win7/8/10Only)SystemHive:\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####0064=FirstInstall(Win7-10)0066=LastConnected(Win8-10)0067=LastRemoval(Win8-10)UserDescriptionFindUserthatusedtheUniqueUSBDevice.
LocationLookforGUIDfromSYSTEM\MountedDevicesNTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2InterpretationThisGUIDwillbeusednexttoidentifytheuserthatpluggedinthedevice.
Thelastwritetimeofthiskeyalsocorrespondstothelasttimethedevicewaspluggedintothemachinebythatuser.
Thenumberwillbereferencedintheuser'spersonalmountpointskeyintheNTUSER.
DATHive.
ExternalDevice/USBUsageHistoryDescriptionRecordswebsitesvisitedbydateandtime.
Detailsstoredforeachlocaluseraccount.
Recordsnumberoftimesvisited(frequency).
Alsotracksaccessoflocalsystemles.
LocationInternetExplorerIE6-7:%USERPROFILE%\LocalSettings\History\History.
IE5IE8-9:%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.
IE5IE10,11,Edge:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datFirefoxXP:%USERPROFILE%\ApplicationData\Mozilla\Firefox\Proles\.
default\places.
sqliteWin7/8/10:%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\places.
sqliteChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\HistoryWin7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\HistoryCookiesDescriptionCookiesgiveinsightintowhatwebsiteshavebeenvisitedandwhatactivitiesmayhavetakenplacethere.
LocationInternetExplorerIE8-9:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\CookiesIE10:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\CookiesIE11:%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookiesEdge:%USERPROFILE%\AppData\Local\Packages\microsoft.
microsoftedge_\AC\MicrosoftEdge\CookiesFirefoxXP:%USERPROFILE%\ApplicationData\Mozilla\Firefox\Proles\.
default\cookies.
sqliteWin7/8/10:%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\cookies.
sqliteChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\LocalStorage\Win7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\LocalStorage\CacheDescriptionThecacheiswherewebpagecomponentscanbestoredlocallytospeedupsubsequentvisitsGivestheinvestigatora"snapshotintime"ofwhatauserwaslookingatonline-Identieswebsiteswhichwerevisited-Providestheactuallestheuserviewedonagivenwebsite-Cachedlesaretiedtoaspeciclocaluseraccount-TimestampsshowwhenthesitewasrstsavedandlastviewedLocationInternetExplorerIE8-9:%USERPROFILE%\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.
IE5IE10:%USERPROFILE%\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.
IE5IE11:%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IEEdge:%USERPROFILE%\AppData\Local\Packages\microsoft.
microsoftedge_\AC\MicrosoftEdge\CacheFirefoxXP:%USERPROFILE%\LocalSettings\ApplicationData\Mozilla\Firefox\Proles\.
default\CacheWin7/8/10:%USERPROFILE%\AppData\Local\Mozilla\Firefox\Proles\.
default\CacheChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\Cache-data_#andf_######Win7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\Cache\-data_#andf_######Flash&SuperCookiesDescriptionLocalStoredObjects(LSOs),orFlashCookies,havebecomeubiquitousonmostsystemsduetotheextremelyhighpenetrationofFlashapplicationsacrosstheInternet.
Theytendtobemuchmorepersistentbecausetheydonotexpire,andthereisnobuilt-inmechanismwithinthebrowsertoremovethem.
Infact,manysiteshavebegunusingLSOsfortheirtrackingmechanismsbecausetheyrarelygetclearedliketraditionalcookies.
LocationWin7/8/10:%APPDATA%\Roaming\Macromedia\FlashPlayer\#SharedObjects\InterpretationWebsitesvisitedUseraccountusedtovisitthesiteWhencookiewascreatedandlastaccessedSessionRestoreDescriptionAutomaticCrashRecoveryfeaturesbuiltintothebrowser.
LocationInternetExplorerWin7/8/10:%USERPROFILE%/AppData/Local/Microsoft/InternetExplorer/RecoveryFirefoxWin7/8/10:%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\sessionstore.
jsChromeWin7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\Files=CurrentSession,CurrentTabs,LastSession,LastTabsInterpretationHistoricalwebsitesviewedineachtabReferringwebsitesTimesessionendedModiedtimeof.
datlesinLastActivefolderTimeeachtabopened(onlywhencrashoccurred)Creationtimeof.
datlesinActivefolderGoogleAnalyticsCookiesDescriptionGoogleAnalytics(GA)hasdevelopedanextremelysophisticatedmethodologyfortrackingsitevisits,useractivity,andpaidsearch.
SinceGAislargelyfree,ithasacommandingshareofthemarket,estimatedatover80%ofsitesusingtrafcanalysisandover50%ofallsites.
__utma–UniquevisitorsDomainHashVisitorIDCookieCreationTimeTimeof2ndmostrecentvisitTimeofmostrecentvisitNumberofvisits__utmb–SessiontrackingDomainhashPageviewsincurrentsessionOutboundlinkclicksTimecurrentsessionstarted__utmz–TrafcsourcesDomainHashLastUpdatetimeNumberofvisitsNumberofdifferenttypesofvisitsSourceusedtoaccesssiteGoogleAdwordscampaignnameAccessMethod(organic,referral,cpc,email,direct)Keywordusedtondsite(non-SSLonly)PnPEventsDescriptionWhenaPlugandPlaydriverinstallisattempted,theservicewillloganID20001eventandprovideaStatuswithintheevent.
ItisimportanttonotethatthiseventwilltriggerforanyPlugandPlay-capabledevice,includingbutnotlimitedtoUSB,Firewire,andPCMCIAdevices.
LocationSystemLogFileWin7/8/10:%systemroot%\System32\winevt\logs\System.
evtxInterpretationEventID:20001–PlugandPlaydriverinstallattemptedEventID20001TimestampDeviceinformationDeviceserialnumberStatus(0=noerrors)VolumeSerialNumberDescriptionDiscovertheVolumeSerialNumberoftheFilesystemPartitionontheUSB.
(NOTE:ThisisnottheUSBUniqueSerialNumber,whichishardcodedintothedevicermware.
)LocationSOFTWARE\Microsoft\WindowsNT\CurrentVersion\ENDMgmtUseVolumeNameandUSBUniqueSerialNumberto:-Findlastintegernumberinline-ConvertDecimalSerialNumberintoHexSerialNumberInterpretationKnowingboththeVolumeSerialNumberandtheVolumeName,youcancorrelatethedataacrossSHORTCUTFile(LNK)analysisandtheRECENTDOCskey.
TheShortcutFile(LNK)containstheVolumeSerialNumberandNameRecentDocsRegistryKey,inmostcases,willcontainthevolumenamewhentheUSBdeviceisopenedviaExplorerDriveLetterandVolumeNameDescriptionDiscoverthelastdriveletteroftheUSBDevicewhenitwaspluggedintothemachine.
LocationXP:FindParentIdPrex–SYSTEM\CurrentControlSet\Enum\USBSTORUsingParentIdPrexDiscoverLastMountPoint–SYSTEM\MountedDevicesWin7/8/10:SOFTWARE\Microsoft\WindowsPortableDevices\DevicesSYSTEM\MountedDevices-ExamineDriveLetterslookingatValueDataLookingforSerialNumberInterpretationIdentifytheUSBdevicethatwaslastmappedtoaspecicdriveletter.
Thistechniquewillonlyworkforthelastdrivemapped.
Itdoesnotcontainhistoricalrecordsofeverydrivelettermappedtoaremovabledrive.
Shortcut(LNK)FilesDescriptionShortcutlesautomaticallycreatedbyWindowsRecentItemsOpenlocalandremotedatalesanddocumentswillgenerateashortcutle(.
lnk)LocationXP:%USERPROFILE%\RecentWin7/8/10%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent%USERPROFILE%\AppData\Roaming\Microsoft\Oce\RecentInterpretationDate/Timeleofthatnamewasrstopened-CreationDateofShortcut(LNK)FileDate/Timeleofthatnamewaslastopened-LastModicationDateofShortcut(LNK)FileLNKTargetFile(InternalLNKFileInformation)Data:-Modied,Access,andCreationtimesofthetargetle-VolumeInformation(Name,Type,SerialNumber)-NetworkShareinformation-OriginalLocation-NameofSystem
sans.
org$25.
00DFPS_FOR500_v4.
11_0121PosterCreatedbyRobLeewithsupportoftheSANSDFIRFaculty2021RobLee.
AllRightsReserved.
Modied–NoChangeCreation–NoChangeAccess–NoChangeMetadata–TimeofFileRenameFileRenameModied–NoChangeCreation–NoChangeAccess–NoChangeMetadata–NoChangeFileRenameModied–NoChangeCreation–NoChangeAccess–NoChangeMetadata–TimeofLocalFileMoveLocalFileMoveModied–NoChangeCreation–NoChangeAccess–NoChangeMetadata–NoChangeLocalFileMoveModied–InheritedfromOriginalMetadata–InheritedfromOriginalAccess–TimeofFileMoveviaCLICreation–TimeofFileMoveviaCLIVolumeFileMove(moveviaCLI)Modied–TimeofMoveviaCLIAccess–TimeofMoveviaCLIMetadata–TimeofMoveviaCLICreation–TimeofMoveviaCLIVolumeFileMove(moveviaCLI)Modied–InheritedfromOriginalMetadata–InheritedfromOriginalCreation–InheritedfromOriginalAccess–TimeofCut/PasteVolumeFileMove(cut/pasteviaExplorer)Access–TimeofCut/PasteCreation–TimeofCut/PasteModied–TimeofCut/PasteMetadata–TimeofCut/PasteVolumeFileMove(cut/pasteviaExplorer)Modied–InheritedfromOriginalAccess–TimeofFileCopyCreation–TimeofFileCopyMetadata–TimeofFileCopyFileCopyAccess–TimeofFileCopyCreation–TimeofFileCopyModied–TimeofFileCopyMetadata–TimeofFileCopyFileCopyModied–NoChangeMetadata–NoChangeAccess–TimeofAccess(NoChangeonNTFSVolumes>128GB)Creation–NoChangeFileAccessModied–NoChangeMetadata–NoChangeCreation–NoChangeAccess–NoChangeFileAccessModied–TimeofDataModicationMetadata–TimeofDataModicationCreation–NoChangeFileModicationAccess–NoChangeCreation–NoChangeModied–NoChangeMetadata–NoChangeFileModicationAccess–TimeofFileCreationAccess–TimeofDataModicationMetadata–TimeofFileCreationCreation–TimeofFileCreationModied–TimeofFileCreationFileCreationAccess–TimeofFileCreationMetadata–TimeofFileCreationCreation–TimeofFileCreationModied–TimeofFileCreationFileCreationModied–NoChangeMetadata–NoChangeAccess–NoChangeCreation–NoChangeFileDeletionModied–NoChangeMetadata–NoChangeAccess–NoChangeCreation–NoChangeFileDeletionWindowsArtifactAnalysis:Evidenceof.
.
.
UserAssistDescriptionGUI-basedprogramslaunchedfromthedesktoparetrackedinthelauncheronaWindowsSystem.
LocationNTUSER.
DATHIVE:NTUSER.
DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\CountInterpretationAllvaluesareROT-13EncodedGUIDforXP-75048700ActiveDesktopGUIDforWin7/8/10-CEBFF5CDExecutableFileExecution-F4E57C4BShortcutFileExecutionWindows10TimelineDescriptionWin10recordsrecentlyusedapplicationsandlesina"timeline"accessibleviathe"WIN+TAB"key.
ThedataisrecordedinaSQLitedatabase.
LocationC:\Users\\AppData\Local\ConnectedDevicesPlatform\\ActivitiesCache.
dbInterpretationApplicationexecutionFocuscountperapplicationBAM/DAMDescriptionWindowsBackgroundActivityModerator(BAM)LocationWin10:SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}InvestigativeNotesProvidesfullpathoftheexecutablelethatwasrunonthesystemandlastexecutiondate/timeShimcacheDescriptionWindowsApplicationCompatibilityDatabaseisusedbyWindowstoidentifypossibleapplicationcompatibilitychallengeswithexecutables.
Trackstheexecutableslename,lesize,lastmodiedtime,andinWindowsXPthelastupdatetimeLocationXP:SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibilityWin7/8/10:SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCacheInterpretationAnyexecutablerunontheWindowssystemcouldbefoundinthiskey.
Youcanusethiskeytoidentifysystemsthatspecicmalwarewasexecutedon.
Inaddition,basedontheinterpretationofthetime-baseddatayoumightbeabletodeterminethelasttimeofexecutionoractivityonthesystem.
WindowsXPcontainsatmost96entries-LastUpdateTimeisupdatedwhenthelesareexecutedWindows7containsatmost1,024entries-LastUpdateTimedoesnotexistonWin7systemsAmcache.
hveDescriptionProgramDataUpdater(ataskassociatedwiththeApplicationExperienceService)usestheregistryleAmcache.
hvetostoredataduringprocesscreationLocationWin7/8/10:C:\Windows\AppCompat\Programs\Amcache.
hveInterpretationAmcache.
hve–Keys=Amcache.
hve\Root\File\{VolumeGUID}Entryforeveryexecutablerun,fullpathinformation,File's$StandardInfoLastModicationTime,andDiskvolumetheexecutablewasrunfromFirstRunTime=LastModicationTimeofKeySHA1hashofexecutablealsocontainedinthekeySystemResourceUsageMonitor(SRUM)DescriptionRecords30to60daysofhistoricalsystemperformance.
Applicationsrun,useraccountresponsibleforeach,andapplicationandbytessent/receivedperapplicationperhour.
LocationSOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions{d10ca2fe-6fcf-4f6d-848e-b2e99266fa89}=ApplicationResourceUsageProviderC:\Windows\System32\SRU\InterpretationUsetoolsuchassrum_dump.
exetocrosscorrelatethedatabetweentheregistrykeysandtheSRUMESEDatabase.
JumpListsDescriptionTheWindows7taskbar(JumpList)isengineeredtoallowusersto"jump"oraccessitemstheyhavefrequentlyorrecentlyusedquicklyandeasily.
Thisfunctionalitycannotonlyincluderecentmediales;itmustalsoincluderecenttasks.
ThedatastoredintheAutomaticDestinationsfolderwilleachhaveauniqueleprependedwiththeAppIDoftheassociatedapplication.
LocationWin7/8/10:C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinationsInterpretationFirsttimeofexecutionofapplication.
-CreationTime=FirsttimeitemaddedtotheAppIDle.
Lasttimeofexecutionofapplicationw/leopen.
-ModicationTime=LasttimeitemaddedtotheAppIDle.
ListofJumpListIDs->https://dr.
to/EZJumpListLast-VisitedMRUDescriptionTracksthespecicexecutableusedbyanapplicationtoopenthelesdocumentedintheOpenSaveMRUkey.
Inaddition,eachvaluealsotracksthedirectorylocationforthelastlethatwasaccessedbythatapplication.
Example:Notepad.
exewaslastrunusingtheC:\%USERPROFILE%\DesktopfolderLocationXP:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRUWin7/8/10:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRUInterpretationTrackstheapplicationexecutablesusedtoopenlesinOpenSaveMRUandthelastlepathused.
PrefetchDescriptionIncreasesperformanceofasystembypre-loadingcodepagesofcommonlyusedapplications.
CacheManagermonitorsalllesanddirectoriesreferencedforeachapplicationorprocessandmapsthemintoa.
pfle.
Utilizedtoknowanapplicationwasexecutedonasystem.
Limitedto128lesonXPandWin7Limitedto1024lesonWin8(exename)-(hash).
pfLocationWinXP/7/8/10:C:\Windows\PrefetchInterpretationEach.
pfwillincludelasttimeofexecution,numberoftimesrun,anddeviceandlehandlesusedbytheprogramDate/Timelebythatnameandpathwasrstexecuted-CreationDateof.
pfle(-10seconds)Date/Timelebythatnameandpathwaslastexecuted-Embeddedlastexecutiontimeof.
pfle-Lastmodicationdateof.
pfle(-10seconds)-Win8-10willcontainlast8timesofexecutionProgramExecutionXPSearch–ACMRUDescriptionYoucansearchforawiderangeofinformationthroughthesearchassistantonaWindowsXPmachine.
Thesearchassistantwillrememberauser'ssearchtermsforlenames,computers,orwordsthatareinsideale.
Thisisanexampleofwhereyoucanndthe"SearchHistory"ontheWindowssystem.
LocationNTUSER.
DATHIVENTUSER.
DAT\Software\Microsoft\SearchAssistant\ACMru\####InterpretationSearchtheInternet–####=5001Allorpartofadocumentname–####=5603Awordorphraseinale–####=5604Printers,ComputersandPeople–####=5647ThumbcacheDescriptionThumbnailsofpictures,ofcedocuments,andfoldersexistinadatabasecalledthethumbcache.
Eachuserwillhavetheirowndatabasebasedonthethumbnailsizesviewedbytheuser(small,medium,large,andextra-larger)LocationC:\%USERPROFILE%\AppData\Local\Microsoft\Windows\ExplorerInterpretationThesearecreatedwhenauserswitchesafoldertothumbnailmodeorviewspicturesviaaslideshow.
Asitwere,ourthumbsarenowstoredinseparatedatabaseles.
Win7+has4sizesforthumbnailsandthelesinthecachefolderreectthis:-32->small-96->medium-256->large-1024->extralargeThethumbcachewillstorethethumbnailcopyofthepicturebasedonthethumbnailsizeinthecontentoftheequivalentdatabasele.
Thumbs.
dbDescriptionHiddenleindirectorywhereimagesonmachineexiststoredinasmallerthumbnailgraphics.
thumbs.
dbcatalogspicturesinafolderandstoresacopyofthethumbnailevenifthepicturesweredeleted.
LocationWinXP/Win8|8.
1AutomaticallycreatedanywherewithhomegroupenabledWin7/8/10AutomaticallycreatedanywhereandaccessedviaaUNCPath(localorremote)InterpretationInclude:ThumbnailPictureofOriginalPictureDocumentThumbnail–EvenifDeletedLastModicationTime(XPOnly)OriginalFilename(XPOnly)IE|Edgele://DescriptionAlittle-knownfactabouttheIEHistoryisthattheinformationstoredinthehistorylesisnotjustrelatedtoInternetbrowsing.
Thehistoryalsorecordslocalandremote(vianetworkshares)leaccess,givingusanexcellentmeansfordeterminingwhichlesandapplicationswereaccessedonthesystem,daybyday.
LocationInternetExplorer:IE6-7%USERPROFILE%\LocalSettings\History\History.
IE5IE8-9%USERPROFILE%\AppData\Local\Microsoft\WindowsHistory\History.
IE5IE10-11%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datInterpretationStoredinindex.
datas:file:///C:/directory/lename.
extDoesnotmeanlewasopenedinbrowserSearch–WordWheelQueryDescriptionKeywordssearchedforfromtheSTARTmenubaronaWindows7machine.
LocationWin7/8/10NTUSER.
DATHiveNTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQueryInterpretationKeywordsareaddedinUnicodeandlistedintemporalorderinanMRUlistWin7/8/10RecycleBinDescriptionTherecyclebinisaveryimportantlocationonaWindowslesystemtounderstand.
Itcanhelpyouwhenaccomplishingaforensicinvestigation,aseverylethatisdeletedfromaWindowsrecyclebinawareprogramisgenerallyrstputintherecyclebin.
LocationHiddenSystemFolderWin7/8/10C:\$Recycle.
binDeletedTimeandOriginalFilenamecontainedinseparatelesforeachdeletedrecoveryleInterpretationSIDcanbemappedtouserviaRegistryAnalysisWin7/8/10-FilesPrecededby$I######lescontainOriginalPATHandnameDeletionDate/Time-FilesPrecededby$R######lescontainRecoveryDataLast-VisitedMRUDescriptionTracksthespecicexecutableusedbyanapplicationtoopenthelesdocumentedintheOpenSaveMRUkey.
Inaddition,eachvaluealsotracksthedirectorylocationforthelastlethatwasaccessedbythatapplication.
LocationXPNTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRUWin7/8/10NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRUInterpretationTrackstheapplicationexecutablesusedtoopenlesinOpenSaveMRUandthelastlepathused.
XPRecycleBinDescriptionTherecyclebinisaveryimportantlocationonaWindowslesystemtounderstand.
Itcanhelpyouwhenaccomplishingaforensicinvestigation,aseverylethatisdeletedfromaWindowsrecyclebinawareprogramisgenerallyrstputintherecyclebin.
LocationHiddenSystemFolderWindowsXPC:\RECYCLER"2000/NT/XP/2003Subfolderiscreatedwithuser'sSIDHiddenleindirectorycalled"INFO2"INFO2ContainsDeletedTimeandOriginalFilenameFilenameinbothASCIIandUNICODEInterpretationSIDcanbemappedtouserviaRegistryAnalysisMapslenametotheactualnameandpathitwasdeletedfromDeletedFileorFileKnowledgeOpen/SaveMRUDescriptionInthesimplestterms,thiskeytrackslesthathavebeenopenedorsavedwithinaWindowsshelldialogbox.
Thishappenstobeabigdataset,notonlyincludingwebbrowserslikeInternetExplorerandFirefox,butalsoamajorityofcommonlyusedapplications.
LocationXP:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRUWin7/8/10:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRUInterpretationThe"*"key–ThissubkeytracksthemostrecentlesofanyextensioninputinanOpenSavedialog.
(Threeletterextension)–ThissubkeystoresleinfofromtheOpenSavedialogbyspecicextensionEmailAttachmentsDescriptionTheemailindustryestimatesthat80%ofemaildataisstoredviaattachments.
Emailstandardsonlyallowtext.
AttachmentsmustbeencodedwithMIME/base64format.
LocationOutlookXP:%USERPROFILE%\LocalSettings\ApplicationData\Microsoft\OutlookWin7/8/10:%USERPROFILE%\AppData\Local\Microsoft\OutlookInterpretationMSOutlookdatalesfoundintheselocationsincludeOSTandPSTles.
OneshouldalsochecktheOLKandContent.
Outlookfolder,whichmightroamdependingonthespecicversionofOutlookused.
FormoreinformationonwheretondtheOLKfolderthislinkhasahandychart:http://www.
hancockcomputertech.
com/blog/2010/01/06/nd-the-microsoft-outlook-temporary-olk-folderSkypeHistoryDescriptionSkypehistorykeepsalogofchatsessionsandlestransferredfromonemachinetoanotherThisisturnedonbydefaultinSkypeinstallationsLocationXP:C:\DocumentsandSettings\\Application\Skype\Win7/8/10:C:\%USERPROFILE%\AppData\Roaming\Skype\InterpretationEachentrywillhaveadate/timevalueandaSkypeusernameassociatedwiththeaction.
BrowserArtifactsDescriptionNotdirectlyrelatedto"FileDownload".
Detailsstoredforeachlocaluseraccount.
Recordsnumberoftimesvisited(frequency).
LocationInternetExplorerIE8-9:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.
datIE10-11:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datFirefoxv3-25:%userprole%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\downloads.
sqlitev26+:%userprole%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\places.
sqliteTable:moz_annosChrome:Win7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\HistoryInterpretationManysitesinhistorywilllistthelesthatwereopenedfromremotesitesanddownloadedtothelocalsystem.
Historywillrecordtheaccesstotheleonthewebsitethatwasaccessedviaalink.
DownloadsDescriptionFirefoxandIEhasabuilt-indownloadmanagerapplicationwhichkeepsahistoryofeveryledownloadedbytheuser.
Thisbrowserartifactcanprovideexcellentinformationaboutwhatsitesauserhasbeenvisitingandwhatkindsoflestheyhavebeendownloadingfromthem.
LocationFirefox:XP:%userprole%\ApplicationData\Mozilla\Firefox\Proles\.
default\downloads.
sqliteWin7/8/10:%userprole%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\downloads.
sqliteInternetExplorer:IE8-9:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\IE10-11:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datInterpretationDownloadswillinclude:Filename,Size,andTypeDownloadfromandReferringPageFileSaveLocationApplicationUsedtoOpenFileDownloadStartandEndTimesADSZone.
IdentiferDescriptionStartingwithXPSP2whenlesaredownloadedfromthe"InternetZone"viaabrowsertoaNTFSvolume,analternatedatastreamisaddedtothele.
Thealternatedatastreamisnamed"Zone.
Identier.
"InterpretationFileswithanADSZone.
IdentierandcontainsZoneID=3weredownloadedfromtheInternetURLZONE_TRUSTED=ZoneID=2URLZONE_INTERNET=ZoneID=3URLZONE_UNTRUSTED=ZoneID=4FileDownloadThe"Evidenceof.
.
.
"categorieswereoriginallycreatedbySANSDigitalForensicsandIncidenceResponsefacultyfortheSANScourseFOR500:WindowsForensicAnalysis.
Thecategoriesmapaspecicartifacttotheanalysisquestionsthatitwillhelptoanswer.
Usethisposterasacheat-sheettohelpyourememberwhereyoucandiscoverkeyWindowsartifactsforcomputerintrusion,intellectualpropertytheft,andothercommoncybercrimeinvestigations.
SEC504HackerTools,Techniques,Exploits,andIncidentHandlingGCIHFOR508AdvancedIncidentResponse,ThreatHunting,andDigitalForensicsGCFAFOR572AdvancedNetworkForensics:ThreatHunting,Analysis,andIncidentResponseGNFAFOR578CyberThreatIntelligenceGCTIFOR610REM:MalwareAnalysisGREMFOR498BattleeldForensics&DataAcquisitionGBFAFOR308DigitalForensicsEssentialsFOR518MacandiOSForensicAnalysisandIncidentResponseFOR500WindowsForensicsGCFEFOR585SmartphoneForensicAnalysisIn-DepthGASFOPERATINGSYSTEM&DEVICEINDEPTHINCIDENTRESPONSE&THREATHUNTING11WindowsTimeRulesbasedoffoftestingonWindows10Releaseversion1903sansforensics@sansforensicsdr.
to/MAIL-LISTTimezoneDescriptionIdentiesthecurrentsystemtimezone.
LocationSYSTEMHive:SYSTEM\CurrentControlSet\Control\TimeZoneInformationInterpretationTimeactivityisincrediblyusefulforcorrelationofactivityInternalloglesanddate/timestampswillbebasedonthesystemtimezoneinformationYoumighthaveothernetworkdevicesandyouwillneedtocorrelateinformationtothetimezoneinformationcollectedhere.
CookiesDescriptionCookiesgiveinsightintowhatwebsiteshavebeenvisitedandwhatactivitiesmayhavetakenplacethere.
LocationInternetExplorerIE6-8:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\CookiesIE10:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\CookiesIE11:%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookiesFirefoxXP:%USERPROFILE%\ApplicationData\Mozilla\Firefox\Proles\.
default\cookies.
sqliteWin7/8/10:%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\cookies.
sqliteChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\LocalStorageWin7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\LocalStorageNetworkHistoryDescriptionIdentifynetworksthatthecomputerhasbeenconnectedtoNetworkscouldbewirelessorwiredIdentifydomainname/intranetnameIdentifySSIDIdentifyGatewayMACAddressLocationWin7/8/10SOFTWAREHIVE:SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Signatures\UnmanagedSOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Signatures\ManagedSOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Nla\CacheInterpretationIdentifyingintranetsandnetworksthatacomputerhasconnectedtoisincrediblyimportantNotonlycanyoudeterminetheintranetname,youcandeterminethelasttimethenetworkwasconnectedtoitbasedonthelastwritetimeofthekeyThiswillalsolistanynetworksthathavebeenconnectedtoviaaVPNMACAddressofSSIDforGatewaycouldbephysicallytriangulatedWLANEventLogDescriptionDeterminewhatwirelessnetworksthesystemassociatedwithandidentifynetworkcharacteristicstondlocationRelevantEventIDs11000–Wirelessnetworkassociationstarted8001–Successfulconnectiontowirelessnetwork8002–Failedconnectiontowirelessnetwork8003–Disconnectfromwirelessnetwork6100–Networkdiagnostics(Systemlog)LocationMicrosoft-Windows-WLAN-AutoCongOperational.
evtxInterpretationShowshistoricalrecordofwirelessnetworkconnectionsContainsSSIDandBSSID(MACaddress),whichcanbeusedtogeolocatewirelessaccesspoint*(noBSSIDonWin8+)BrowserSearchTermsDescriptionRecordswebsitesvisitedbydateandtime.
Detailsstoredforeachlocaluseraccount.
Recordsnumberoftimesvisited(frequency).
Alsotracksaccessoflocalsystemles.
Thiswillalsoincludethewebsitehistoryofsearchtermsinsearchengines.
LocationInternetExplorerIE6-7:%USERPROFILE%\LocalSettings\History\History.
IE5IE8-9:%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.
IE5IE10-11:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datFirefoxXP:%userprole%\ApplicationData\Mozilla\Firefox\Proles\.
default\places.
sqliteWin7/8/10:%userprole%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\places.
sqliteSystemResourceUsageMonitor(SRUM)DescriptionRecords30to60daysofhistoricalsystemperformance.
Applicationsrun,useraccountresponsibleforeach,andapplicationandbytessent/receivedperapplicationperhour.
LocationSOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions{973F5D5C-1D90-4944-BE8E-24B94231A174}=WindowsNetworkDataUsageMonitor{DD6636C4-8929-4683-974E-22C046A43763}=WindowsNetworkConnectivityUsageMonitorSOFTWARE\Microsoft\WlanSvc\Interfaces\C:\Windows\System32\SRU\InterpretationUsetoolsuchassrum_dump.
exetocrosscorrelatethedatabetweentheregistrykeysandtheSRUMESEDatabase.
NetworkActivity/PhysicalLocationOpen/SaveMRUDescriptionInthesimplestterms,thiskeytrackslesthathavebeenopenedorsavedwithinaWindowsshelldialogbox.
Thishappenstobeabigdataset,notonlyincludingwebbrowserslikeInternetExplorerandFirefox,butalsoamajorityofcommonlyusedapplications.
LocationXP:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRUWin7/8/10:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRUInterpretationThe"*"key–ThissubkeytracksthemostrecentlesofanyextensioninputinanOpenSavedialog.
(Threeletterextension)–ThissubkeystoresleinfofromtheOpenSavedialogbyspecicextensionRecentFilesDescriptionRegistryKeythatwilltrackthelastlesandfoldersopenedandisusedtopopulatedatain"Recent"menusoftheStartmenu.
LocationNTUSER.
DAT:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocsInterpretationRecentDocs–Overallkeywilltracktheoverallorderofthelast150lesorfoldersopened.
MRUlistwillkeeptrackofthetemporalorderinwhicheachle/folderwasopened.
Thelastentryandmodicationtimeofthiskeywillbethetimeandlocationthelastleofaspecicextensionwasopened.
Thissubkeystoresthelastleswithaspecicextensionthatwereopened.
MRUlistwillkeeptrackofthetemporalorderinwhicheachlewasopened.
Thelastentryandmodicationtimeofthiskeywillbethetimewhenandlocationwherethelastleofaspecicextensionwasopened.
Folder–Thissubkeystoresthelastfoldersthatwereopened.
MRUlistwillkeeptrackofthetemporalorderinwhicheachfolderwasopened.
Thelastentryandmodicationtimeofthiskeywillbethetimeandlocationofthelastfolderopened.
JumpListsDescriptionTheWindows7taskbar(JumpList)isengineeredtoallowusersto"jump"oraccessitemshavefrequentlyorrecentlyusedquicklyandeasily.
Thisfunctionalitycannotonlyincluderecentmediales;itmustalsoincluderecenttasks.
ThedatastoredintheAutomaticDestinationsfolderwilleachhaveauniqueleprependedwiththeAppIDoftheassociationapplicationandembeddedwithLNKlesineachstream.
LocationWin7/8/10:C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinationsInterpretationUsingtheStructuredStorageViewer,openuponeoftheAutomaticDestinationjumplistles.
EachoneoftheselesisaseparateLNKle.
Theyarealsostorednumericallyinorderfromtheearliestone(usually1)tothemostrecent(largestintegervalue).
ShellBagsDescriptionWhichfolderswereaccessedonthelocalmachine,thenetwork,and/orremovabledevices.
Evidenceofpreviouslyexistingfoldersafterdeletion/overwrite.
Whencertainfolderswereaccessed.
LocationExplorerAccess:USRCLASS.
DAT\LocalSettings\Software\Microsoft\Windows\Shell\BagsUSRCLASS.
DAT\LocalSettings\Software\Microsoft\Windows\Shell\BagMRUDesktopAccess:NTUSER.
DAT\Software\Microsoft\Windows\Shell\BagMRUNTUSER.
DAT\Software\Microsoft\Windows\Shell\BagsInterpretationStoresinformationaboutwhichfoldersweremostrecentlybrowsedbytheuser.
Shortcut(LNK)FilesDescriptionShortcutFilesautomaticallycreatedbyWindows-RecentItems-Openinglocalandremotedatalesanddocumentswillgenerateashortcutle(.
lnk)LocationXP:C:\%USERPROFILE%\RecentWin7/8/10:C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\C:\%USERPROFILE%\AppData\Roaming\Microsoft\Oce\Recent\NotetheseareprimarylocationsofLNKles.
Theycanalsobefoundinotherlocations.
InterpretationDate/Timeleofthatnamewasrstopened-CreationDateofShortcut(LNK)FileDate/Timeleofthatnamewaslastopened-LastModicationDateofShortcut(LNK)FileLNKTargetFile(InternalLNKFileInformation)Data:-Modied,Access,andCreationtimesofthetargetle-VolumeInformation(Name,Type,SerialNumber)-NetworkShareinformation-OriginalLocation-NameofSystemPrefetchDescriptionIncreasesperformanceofasystembypre-loadingcodepagesofcommonlyusedapplications.
CacheManagermonitorsalllesanddirectoriesreferencedforeachapplicationorprocessandmapsthemintoa.
pfle.
Utilizedtoknowanapplicationwasexecutedonasystem.
Limitedto128lesonXPandWin7Limitedto1024lesonWin8-10(exename)-(hash).
pfLocationWinXP/7/8/10:C:\Windows\PrefetchInterpretationCanexamineeach.
pfletolookforlehandlesrecentlyusedCanexamineeach.
pfletolookfordevicehandlesrecentlyusedLast-VisitedMRUDescriptionTracksthespecicexecutableusedbyanapplicationtoopenthelesdocumentedintheOpenSaveMRUkey.
Inaddition,eachvaluealsotracksthedirectorylocationforthelastlethatwasaccessedbythatapplication.
Example:Notepad.
exewaslastrunusingtheC:\Users\Rob\DesktopfolderLocationXP:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRUWin7/8/10:NTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRUInterpretationTrackstheapplicationexecutablesusedtoopenlesinOpenSaveMRUandthelastlepathused.
IE|Edgele://DescriptionAlittleknownfactabouttheIEHistoryisthattheinformationstoredinthehistorylesisnotjustrelatedtoInternetbrowsing.
Thehistoryalsorecordslocal,removable,andremote(vianetworkshares)leaccess,givingusanexcellentmeansfordeterminingwhichlesandapplicationswereaccessedonthesystem,daybyday.
LocationInternetExplorer:IE6-7:%USERPROFILE%\LocalSettings\History\History.
IE5IE8-9:%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.
IE5IE10-11:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datInterpretationStoredinindex.
datas:le:///C:/directory/lename.
extDoesnotmeanlewasopenedinbrowserOfceRecentFilesDescriptionMSOfceprogramswilltracktheirownRecentFileslisttomakeiteasierforuserstorememberthelastletheywereediting.
LocationNTUSER.
DAT\Software\Microsoft\Oce\VERSION14.
0=Ofce201011.
0=Ofce200312.
0=Ofce200710.
0=OfceXPNTUSER.
DAT\Software\Microsoft\Oce\VERSION\UserMRU\LiveID_####\FileMRU15.
0=Ofce365InterpretationSimilartotheRecentFiles,thiswilltrackthelastlesthatwereopenedbyeachMSOfceapplication.
Thelastentryadded,pertheMRU,willbethetimethelastlewasopenedbyaspecicMSOfceapplication.
File/FolderOpeningBrowserUsageLastLoginDescriptionListsthelocalaccountsofthesystemandtheirequivalentsecurityidentiers.
LocationC:\windows\system32\cong\SAMSAM\Domains\Account\UsersInterpretationOnlythelastlogintimewillbestoredintheregistrykeyLastPasswordChangeDescriptionListsthelasttimethepasswordofaspeciclocaluserhasbeenchanged.
LocationC:\windows\system32\cong\SAMSAM\Domains\Account\UsersInterpretationOnlythelastpasswordchangetimewillbestoredintheregistrykeyRDPUsageDescriptionTrackRemoteDesktopProtocollogonstotargetmachines.
LocationSecurityLogWin7/8/10:%SYSTEMROOT%\System32\winevt\logs\Security.
evtxInterpretationWin7/8/10–Interpretation-EventID4778–SessionConnected/Reconnected-EventID4779–SessionDisconnectedEventlogprovideshostnameandIPaddressofremotemachinemakingtheconnectionOnworkstationsyouwilloftenseecurrentconsolesessiondisconnected(4779)followedbyRDPconnection(4778)ServicesEventsDescriptionAnalyzelogsforsuspiciousservicesrunningatboottimeReviewservicesstartedorstoppedaroundthetimeofasuspectedcompromiseLocationAllEventIDsreferencetheSystemLog7034–Servicecrashedunexpectedly7035–ServicesentaStart/Stopcontrol7036–Servicestartedorstopped7040–Starttypechanged(Boot|OnRequest|Disabled)7045–Aservicewasinstalledonthesystem(Win2008R2+)4697–Aservicewasinstalledonthesystem(fromSecuritylog)InterpretationAllEventIDsexcept4697referencetheSystemLogAlargeamountofmalwareandwormsinthewildutilizeServicesServicesstartedonbootillustratepersistence(desirableinmalware)ServicescancrashduetoattackslikeprocessinjectionLogonTypesDescriptionLogonEventscangiveusveryspecicinformationregardingthenatureofaccountauthorizationsonasystemifweknowwheretolookandhowtodecipherthedatathatwend.
Inadditiontotellingusthedate,time,username,hostname,andsuccess/failurestatusofalogon,LogonEventsalsoenablesustodeterminebyexactlywhatmeansalogonwasattempted.
LocationWin7/8/10:EventID4624InterpretationLogonTypeExplanation2Logonviaconsole3NetworkLogon4BatchLogon5WindowsServiceLogon7Credentialsusedtounlockscreen8Networklogonsendingcredentials(cleartext)9Differentcredentialsusedthanloggedonuser10Remoteinteractivelogon(RDP)11Cachedcredentialsusedtologon12Cachedremoteinteractive(similartoType10)13Cachedunlock(similartoType7)AuthenticationEventsDescriptionAuthenticationmechanismsLocationRecordedonsystemthatauthenticatedcredentialsLocalAccount/Workgroup=onworkstationDomain/ActiveDirectory=ondomaincontrollerWin7/8/10:%SYSTEMROOT%\System32\winevt\logs\Security.
evtxInterpretationEventIDCodes(NTLMprotocol)4776:Successful/FailedaccountauthenticationEventIDCodes(Kerberosprotocol)4768:TicketGrantingTicketwasgranted(successfullogon)4769:ServiceTicketrequested(accesstoserverresource)4771:Pre-authenticationfailed(failedlogon)Success/FailLogonsDescriptionDeterminewhichaccountshavebeenusedforattemptedlogons.
Trackaccountusageforknowncompromisedaccounts.
LocationWin7/8/10:%systemroot%\System32\winevt\logs\Security.
evtxInterpretationWin7/8/10–Interpretation4624–SuccessfulLogon4625–FailedLogon4634|4647–SuccessfulLogoff4648–Logonusingexplicitcredentials(Runas)4672–Accountlogonwithsuperuserrights(Administrator)4720–AnaccountwascreatedAccountUsageKeyIdenticationDescriptionTrackUSBdevicespluggedintoamachine.
LocationSYSTEM\CurrentControlSet\Enum\USBSTORSYSTEM\CurrentControlSet\Enum\USBInterpretationIdentifyvendor,product,andversionofaUSBdevicepluggedintoamachineIdentifyauniqueUSBdevicepluggedintothemachineDeterminethetimeadevicewaspluggedintothemachineDevicesthatdonothaveauniqueserialnumberwillhavean"&"inthesecondcharacteroftheserialnumber.
First/LastTimesDescriptionDeterminetemporalusageofspecicUSBdevicesconnectedtoaWindowsMachine.
LocationFirstTimePlugandPlayLogFilesXP:C:\Windows\setupapi.
logWin7/8/10:C:\Windows\inf\setupapi.
dev.
logInterpretationSearchforDeviceSerialNumberLogFiletimesaresettolocaltimezoneLocationFirst,Last,andRemovalTimes(Win7/8/10Only)SystemHive:\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####0064=FirstInstall(Win7-10)0066=LastConnected(Win8-10)0067=LastRemoval(Win8-10)UserDescriptionFindUserthatusedtheUniqueUSBDevice.
LocationLookforGUIDfromSYSTEM\MountedDevicesNTUSER.
DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2InterpretationThisGUIDwillbeusednexttoidentifytheuserthatpluggedinthedevice.
Thelastwritetimeofthiskeyalsocorrespondstothelasttimethedevicewaspluggedintothemachinebythatuser.
Thenumberwillbereferencedintheuser'spersonalmountpointskeyintheNTUSER.
DATHive.
ExternalDevice/USBUsageHistoryDescriptionRecordswebsitesvisitedbydateandtime.
Detailsstoredforeachlocaluseraccount.
Recordsnumberoftimesvisited(frequency).
Alsotracksaccessoflocalsystemles.
LocationInternetExplorerIE6-7:%USERPROFILE%\LocalSettings\History\History.
IE5IE8-9:%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.
IE5IE10,11,Edge:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datFirefoxXP:%USERPROFILE%\ApplicationData\Mozilla\Firefox\Proles\.
default\places.
sqliteWin7/8/10:%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\places.
sqliteChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\HistoryWin7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\HistoryCookiesDescriptionCookiesgiveinsightintowhatwebsiteshavebeenvisitedandwhatactivitiesmayhavetakenplacethere.
LocationInternetExplorerIE8-9:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\CookiesIE10:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\CookiesIE11:%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookiesEdge:%USERPROFILE%\AppData\Local\Packages\microsoft.
microsoftedge_\AC\MicrosoftEdge\CookiesFirefoxXP:%USERPROFILE%\ApplicationData\Mozilla\Firefox\Proles\.
default\cookies.
sqliteWin7/8/10:%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\cookies.
sqliteChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\LocalStorage\Win7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\LocalStorage\CacheDescriptionThecacheiswherewebpagecomponentscanbestoredlocallytospeedupsubsequentvisitsGivestheinvestigatora"snapshotintime"ofwhatauserwaslookingatonline-Identieswebsiteswhichwerevisited-Providestheactuallestheuserviewedonagivenwebsite-Cachedlesaretiedtoaspeciclocaluseraccount-TimestampsshowwhenthesitewasrstsavedandlastviewedLocationInternetExplorerIE8-9:%USERPROFILE%\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.
IE5IE10:%USERPROFILE%\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.
IE5IE11:%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IEEdge:%USERPROFILE%\AppData\Local\Packages\microsoft.
microsoftedge_\AC\MicrosoftEdge\CacheFirefoxXP:%USERPROFILE%\LocalSettings\ApplicationData\Mozilla\Firefox\Proles\.
default\CacheWin7/8/10:%USERPROFILE%\AppData\Local\Mozilla\Firefox\Proles\.
default\CacheChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\Cache-data_#andf_######Win7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\Cache\-data_#andf_######Flash&SuperCookiesDescriptionLocalStoredObjects(LSOs),orFlashCookies,havebecomeubiquitousonmostsystemsduetotheextremelyhighpenetrationofFlashapplicationsacrosstheInternet.
Theytendtobemuchmorepersistentbecausetheydonotexpire,andthereisnobuilt-inmechanismwithinthebrowsertoremovethem.
Infact,manysiteshavebegunusingLSOsfortheirtrackingmechanismsbecausetheyrarelygetclearedliketraditionalcookies.
LocationWin7/8/10:%APPDATA%\Roaming\Macromedia\FlashPlayer\#SharedObjects\InterpretationWebsitesvisitedUseraccountusedtovisitthesiteWhencookiewascreatedandlastaccessedSessionRestoreDescriptionAutomaticCrashRecoveryfeaturesbuiltintothebrowser.
LocationInternetExplorerWin7/8/10:%USERPROFILE%/AppData/Local/Microsoft/InternetExplorer/RecoveryFirefoxWin7/8/10:%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\sessionstore.
jsChromeWin7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\Files=CurrentSession,CurrentTabs,LastSession,LastTabsInterpretationHistoricalwebsitesviewedineachtabReferringwebsitesTimesessionendedModiedtimeof.
datlesinLastActivefolderTimeeachtabopened(onlywhencrashoccurred)Creationtimeof.
datlesinActivefolderGoogleAnalyticsCookiesDescriptionGoogleAnalytics(GA)hasdevelopedanextremelysophisticatedmethodologyfortrackingsitevisits,useractivity,andpaidsearch.
SinceGAislargelyfree,ithasacommandingshareofthemarket,estimatedatover80%ofsitesusingtrafcanalysisandover50%ofallsites.
__utma–UniquevisitorsDomainHashVisitorIDCookieCreationTimeTimeof2ndmostrecentvisitTimeofmostrecentvisitNumberofvisits__utmb–SessiontrackingDomainhashPageviewsincurrentsessionOutboundlinkclicksTimecurrentsessionstarted__utmz–TrafcsourcesDomainHashLastUpdatetimeNumberofvisitsNumberofdifferenttypesofvisitsSourceusedtoaccesssiteGoogleAdwordscampaignnameAccessMethod(organic,referral,cpc,email,direct)Keywordusedtondsite(non-SSLonly)PnPEventsDescriptionWhenaPlugandPlaydriverinstallisattempted,theservicewillloganID20001eventandprovideaStatuswithintheevent.
ItisimportanttonotethatthiseventwilltriggerforanyPlugandPlay-capabledevice,includingbutnotlimitedtoUSB,Firewire,andPCMCIAdevices.
LocationSystemLogFileWin7/8/10:%systemroot%\System32\winevt\logs\System.
evtxInterpretationEventID:20001–PlugandPlaydriverinstallattemptedEventID20001TimestampDeviceinformationDeviceserialnumberStatus(0=noerrors)VolumeSerialNumberDescriptionDiscovertheVolumeSerialNumberoftheFilesystemPartitionontheUSB.
(NOTE:ThisisnottheUSBUniqueSerialNumber,whichishardcodedintothedevicermware.
)LocationSOFTWARE\Microsoft\WindowsNT\CurrentVersion\ENDMgmtUseVolumeNameandUSBUniqueSerialNumberto:-Findlastintegernumberinline-ConvertDecimalSerialNumberintoHexSerialNumberInterpretationKnowingboththeVolumeSerialNumberandtheVolumeName,youcancorrelatethedataacrossSHORTCUTFile(LNK)analysisandtheRECENTDOCskey.
TheShortcutFile(LNK)containstheVolumeSerialNumberandNameRecentDocsRegistryKey,inmostcases,willcontainthevolumenamewhentheUSBdeviceisopenedviaExplorerDriveLetterandVolumeNameDescriptionDiscoverthelastdriveletteroftheUSBDevicewhenitwaspluggedintothemachine.
LocationXP:FindParentIdPrex–SYSTEM\CurrentControlSet\Enum\USBSTORUsingParentIdPrexDiscoverLastMountPoint–SYSTEM\MountedDevicesWin7/8/10:SOFTWARE\Microsoft\WindowsPortableDevices\DevicesSYSTEM\MountedDevices-ExamineDriveLetterslookingatValueDataLookingforSerialNumberInterpretationIdentifytheUSBdevicethatwaslastmappedtoaspecicdriveletter.
Thistechniquewillonlyworkforthelastdrivemapped.
Itdoesnotcontainhistoricalrecordsofeverydrivelettermappedtoaremovabledrive.
Shortcut(LNK)FilesDescriptionShortcutlesautomaticallycreatedbyWindowsRecentItemsOpenlocalandremotedatalesanddocumentswillgenerateashortcutle(.
lnk)LocationXP:%USERPROFILE%\RecentWin7/8/10%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent%USERPROFILE%\AppData\Roaming\Microsoft\Oce\RecentInterpretationDate/Timeleofthatnamewasrstopened-CreationDateofShortcut(LNK)FileDate/Timeleofthatnamewaslastopened-LastModicationDateofShortcut(LNK)FileLNKTargetFile(InternalLNKFileInformation)Data:-Modied,Access,andCreationtimesofthetargetle-VolumeInformation(Name,Type,SerialNumber)-NetworkShareinformation-OriginalLocation-NameofSystem
- UNCcontent.ie5相关文档
- Sutcliffecontent.ie5
- Comparingcontent.ie5
- humancontent.ie5
- librarycontent.ie5
- Z52Svb2rcontent.ie5
- briskcontent.ie5
牦牛云(3.5USD/月 )阿里云国际版云服务器 1核1G40G
收到好多消息,让我聊一下阿里云国际版本,作为一个阿里云死忠粉,之前用的服务器都是阿里云国内版的VPS主机,对于现在火热的阿里云国际版,这段时间了解了下,觉得还是有很多部分可以聊的,毕竟,实名制的服务器规则导致国际版无需实名这一特点被无限放大。以前也写过几篇综合性的阿里云国际版vps的分析,其中有一点得到很多人的认同,那句是阿里云不管国内版还是国际版的IO读写速度实在不敢恭维,相对意义上的,如果在这...
HyperVMart:加拿大vps,2核/3G/25G NVMe/G口不限流量/季付$10.97,免费Windows系统
hypervmart怎么样?hypervmart是一家成立了很多年的英国主机商家,上一次分享他家还是在2年前,商家销售虚拟主机、独立服务器和VPS,VPS采用Hyper-V虚拟架构,这一点从他家的域名上也可以看出来。目前商家针对VPS有一个75折的优惠,而且VPS显示的地区为加拿大,但是商家提供的测速地址为荷兰和英国,他家的优势就是给到G口不限流量,硬盘为NVMe固态硬盘,这个配置用来跑跑数据非常...
LOCVPS-2021年6月香港便宜vps宽带升级,充值就送代金券,其它八折优惠!
LOCVPS怎么样?LOCVPS是一家成立于2011年的稳定老牌国人商家,目前提供中国香港、韩国、美国、日本、新加坡、德国、荷兰等区域VPS服务器,所有机房Ping延迟低,国内速度优秀,非常适合建站和远程办公,所有机房Ping延迟低,国内速度优秀,非常适合做站。XEN架构产品的特点是小带宽无限流量、不超售!KVM架构是目前比较流行的虚拟化技术,大带宽,生态发展比较全面!所有大家可以根据自己业务需求...
content.ie5为你推荐
-
Dimensionfastreport2标准论文格式范例规范债券127generatedgoogle模式ios8支持ipad支持ipad支持ipadipad如何上网ipad如何允许app使用网络iexplore.exe应用程序错误iexplore.exe---应用程序错误.是什么意思?