Windows Forensic Artifacts Cheat Sheet

This document summarizes key Windows forensic artifacts that can provide evidence of system and user activity. It outlines registry hives, registry keys, files, and logs that may contain metadata on installed applications, executed files, network activity, user interactions, and other digital artifacts. Locations are provided for artifacts on the system, software, security, and user hives, as well as files like the Master File Table, index attributes, and various log files. Tools are recommended for parsing specific artifact types.

Registry Hives
Hierarchical databases that store system, application, and user configuration data.
• System Hives: SYSTEM, SECURITY, SOFTWARE, SAM
• System Hives Path: %Systemroot%\System32\config\
• User Hives: NTUSER.DAT, USRCLASS.DAT
• User Hives Paths: \Users\<user>\NTUSER.DAT,
  \Users\<user>\AppData\Local\Microsoft\Windows\USRCLASS.DAT
Tools: Regripper, Regedit (built-in), Registry Explorer

Registry Hive Mappings
Hive file      Live registry location
SYSTEM         HKLM\System
SOFTWARE       HKLM\Software
SECURITY       HKLM\Security
SAM            HKLM\SAM
NTUSER.DAT     HKEY_USERS\<SID>, HKEY_CURRENT_USER
USRCLASS.DAT   HKEY_USERS\<SID>_Classes, HKEY_CURRENT_USER\Software\Classes

System Configuration Registry Keys
• Computer Name
  HKLM\System\ControlSet###\Control\Computername\
• Domain, Hostname, IP Address, DHCP Server
  HKLM\System\ControlSet###\Services\Tcpip\Parameters\
• Firewall Configuration
  HKLM\System\ControlSet###\Services\Sharedaccess\Parameters\Firewallpolicy\
• Map SIDs to Users
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\
• Network Shares
  HKLM\System\ControlSet###\Services\Lanmanserver\Shares
• OS Version and Product Name
  HKLM\Software\Microsoft\Windows NT\Currentversion
• System Time Zone
  HKLM\System\ControlSet###\Control\Windows
• Users that Logged On to the System
  HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Defaultusername, Altdefaultusername
• Users Active Directory Group Membership
  HKLM\Microsoft\Windows\CurrentVersion\Group Policy\[USER_SID]\GroupMembership
• USB Storage Devices
  HKLM\System\ControlSet###\Enum\USBSTOR\

Application Compatibility Artifacts
• “Shim Cache” – Contains path and time metadata for files that ran on the system
  HKLM\SYSTEM\ControlSet###\Control\Session Manager\AppCompatCache\AppCompatCache
• “Amcache” – Contains path, time, and SHA1 hash metadata for files that ran on the system
  “Amcache” Path: %Systemroot%\AppCompat\Programs\Amcache.hve
• “Recent File Cache” – Contains file path for files that ran on the system
  “Recent File Cache” Path: %Systemroot%\AppCompat\Programs\RecentFileCache.bcf
Tools: Mandiant ShimCacheParser.py, AppCompatCacheParser, AmcacheParser, rfcparse.py

Common Autorun Registry Keys
• Active Setup
  HKLM\Software\Microsoft\Active Setup\Installed Components\%APPGUID%
• AppInit DLLs
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
• Run Keys
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce
• Services and ServiceDLLs
  HKLM\System\ControlSet###\Services\<Servicename>,<ImagePath>
  HKLM\System\ControlSet###\Services\<Servicename>\Parameters,<servicedll>
• Shell Extensions
  HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
• UserInit
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

User Hive Registry Keys
• Shellbags: Keys in User Hives that track Explorer usage. Analysis can yield accessed file metadata.
  HKCU\Local Settings\Software\Microsoft\Windows\Shell\
  Tools: Shellbags.py, Shellbags Explorer
• “Most Recently Used” or “MRU” keys
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
• MUICache (Recently Executed Applications)
  HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
• Mounted Volumes & Mapped Network Drives
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\<drive/GUID>
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
• Opened Documents
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
• Remote Desktop – Last Accessed History
  HKCU\Software\Microsoft\Terminal Server Client\Default
• TypedURLs (Manually inputted into Internet Explorer)
  “HKCU\Software\Microsoft\Internet Explorer\TypedURLs” OR “…\TypedPaths” (Vista & later)
• UserAssist (Frequently Executed Applications)
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

*Note: Locations assume use of Vista/2008+ systems
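The registry locations above are written as live paths (HKLM\..., HKCU\..., ControlSet###), but during an examination you normally work on the acquired hive files. The following Python helper, added here as an example and not part of the cheat sheet, turns a live path into the offline hive file and the key path relative to that hive's root, using the "Registry Hive Mappings" table and hive file locations listed above. It assumes the examiner has already read the Current value of the SYSTEM hive's Select key (for example with Registry Explorer) and passes it in as an integer; the placeholder <user> in the user hive paths is left for the examiner to fill in.

```python
"""Map live registry paths from a forensic cheat sheet to offline hive files.

Added example; the prefix table is the cheat sheet's "Registry Hive Mappings"
plus its hive file paths. The current control set number is an input here,
taken from SYSTEM\Select\Current on the examined system.
"""
import re
from typing import List, NamedTuple, Tuple

CONFIG_DIR = r"%Systemroot%\System32\config"
USER_DIR = r"\Users\<user>"  # <user> is a placeholder for the examined profile

# Live registry prefix -> offline hive file. Order matters: the more specific
# HKCU\Software\Classes (USRCLASS.DAT) must be tried before plain HKCU.
HIVE_FOR_PREFIX = [
    ("HKCU\\Software\\Classes", USER_DIR + r"\AppData\Local\Microsoft\Windows\USRCLASS.DAT"),
    ("HKCU", USER_DIR + r"\NTUSER.DAT"),
    ("HKLM\\System", CONFIG_DIR + r"\SYSTEM"),
    ("HKLM\\Software", CONFIG_DIR + r"\SOFTWARE"),
    ("HKLM\\Security", CONFIG_DIR + r"\SECURITY"),
    ("HKLM\\SAM", CONFIG_DIR + r"\SAM"),
]

LONG_ROOTS = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


class HiveKey(NamedTuple):
    hive_file: str     # offline file to open
    relative_key: str  # key path below that hive's root ("" for the root itself)


def _normalise(path: str) -> str:
    """Strip stray backslashes and shorten HKEY_* roots to HKLM / HKCU."""
    root, _, rest = path.strip("\\").partition("\\")
    root = LONG_ROOTS.get(root.upper(), root.upper())
    return root if not rest else root + "\\" + rest


def resolve_control_set(path: str, current: int) -> str:
    """Replace ControlSet### / CurrentControlSet with the control set the
    system actually booted (Select\Current in the SYSTEM hive)."""
    concrete = "ControlSet%03d" % current
    return re.sub(r"ControlSet###|CurrentControlSet", concrete, path, flags=re.IGNORECASE)


def to_offline(path: str, current_control_set: int = 1) -> HiveKey:
    """Map a live path such as the cheat sheet lists to (hive file, relative key)."""
    live = resolve_control_set(_normalise(path), current_control_set)
    upper = live.upper()
    for prefix, hive_file in HIVE_FOR_PREFIX:
        if upper == prefix.upper():
            return HiveKey(hive_file, "")
        if upper.startswith(prefix.upper() + "\\"):
            return HiveKey(hive_file, live[len(prefix) + 1:])
    raise ValueError("no offline hive known for " + path)


def demo(current_control_set: int = 1) -> List[Tuple[str, HiveKey]]:
    """Resolve a few of the cheat sheet's artifact keys."""
    paths = [
        r"HKLM\System\ControlSet###\Control\Session Manager\AppCompatCache\AppCompatCache",
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist",
        r"HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache",
    ]
    return [(p, to_offline(p, current_control_set)) for p in paths]


if __name__ == "__main__":
    for live_path, key in demo(current_control_set=1):
        print("%s\n  -> %s :: %s" % (live_path, key.hive_file, key.relative_key))
```

Note that the USRCLASS.DAT root corresponds to HKCU\Software\Classes, so the Shellbags key the cheat sheet writes as HKCU\Local Settings\... is found at Local Settings\Software\Microsoft\Windows\Shell relative to the USRCLASS.DAT root.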


Master File Table (MFT)
Stores information about every file and directory on an NTFS Volume.
Location: <drive>\$MFT
Tools: Acquire with FTK Imager or other raw disk access. Parse with MFT2CSV

INDX Attributes
Contains metadata about files stored within a directory.
Location: $I30 files (a.k.a. “INDX” files) within each directory
Tools: Acquire with FTK Imager or other raw disk access. Parse with INDXParse.py

Windows Management Instrumentation
WMI can provide malware persistence and record evidence of program execution.
Location: %systemroot%\System32\wbem\Repository\OBJECTS.DATA
Tools: https://github.com/fireeye/flare-wmi/tree/master/python-cim

Browser History
• Internet Explorer 10 & 11
  C:\Users\<user>\AppData\Local\Microsoft\Windows\WebCache
• Google Chrome
  C:\Users\<user>\AppData\Local\Google\Chrome\User Data
• Mozilla Firefox
  C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>

Scheduled Tasks
“SchedLgU.txt” Log: History of scheduled tasks that previously ran on the system
  %systemroot%\tasks\SchedLgU.txt, Microsoft-Windows-TaskScheduler%4Operational.evtx
“.job” file path: %systemroot%\tasks\*.job
Tools: Text editor for “SchedLgU.txt”, hex editor or “jobparser.py” for “.job” files

Event Logs
Windows’ built-in logging mechanism.
Key Logs: Application, Security, System; Terminal Services logs for evidence of RDP access (Microsoft-Windows-TerminalServices-LocalSessionManager, Microsoft-Windows-TerminalServices-RemoteConnectionManager); Task Scheduler log for evidence of scheduled tasks (Microsoft-Windows-TaskScheduler)
Location: %systemroot%\System32\winevt\Logs\*.evtx
Tools: Event Viewer (built-in), Microsoft Log Parser, Event Log Explorer (commercial)

Windows Logon Types
Type                 Code
Interactive          2
Network Logons       3
Batch                4
Service              5
Unlock               7
NetworkCleartext     8
NewCredentials       9
RemoteInteractive    10
CachedInteractive    11

Windows Event Log Codes (Vista/2008+)
Status Message                        Code
Scheduled Task Registered             106
Remote Desktop Auth Succeeded         1149
Audit Logs Cleared                    1102
PowerShell Scriptblock contents       4104
PowerShell Scriptblock start          4105
PowerShell Scriptblock stop           4106
Network Logons                        4624
Logon Using Explicit Credentials      4648
New Process                           4688
Process Exit                          4689
Scheduled Task Created                4698
Scheduled Task Deleted                4699
Scheduled Task Updated                4702
Service Start / Stop Control          7035
Service Running / Stopped             7036
Service Installation                  7045
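The logon type and event code tables above are most useful once they are applied to a stream of records. The Python script below, added here as an example rather than taken from the cheat sheet, walks a set of already-parsed event records (as an .evtx parser or Log Parser export would yield them), names the logon type of every 4624 with a remote logon type, and raises findings for the codes the cheat sheet singles out: 1149, 4688, 4104, 7045, 4698 and 1102. The record layout (a dict with time, log, id and an EventData-style data dict) and the sample records are constructed for this example; the EventData field names used (TargetUserName, LogonType, IpAddress, ServiceName, ImagePath, TaskName, SubjectUserName, ScriptBlockText, Path, Param1/Param3) are the ones those events carry on Vista/2008+ systems.

```python
"""Triage parsed Windows event records with the cheat sheet's code tables.

Added example; the record shape and SAMPLE_EVENTS are constructed, not real
log data. Each record: {"time": ISO-8601, "log": channel, "id": event id,
"data": EventData fields}.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

# "Windows Logon Types" table from the cheat sheet.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
# Logon types that carry a source address worth reporting.
REMOTE_LOGON_TYPES = {3, 8, 10}


class Finding(NamedTuple):
    time: str
    severity: str   # high / medium / low / info
    summary: str


def logon_type_name(code: int) -> str:
    return LOGON_TYPES.get(code, "Unknown(%s)" % code)


def triage(events: List[Dict]) -> List[Finding]:
    """Walk the records in time order and turn the codes from the cheat sheet
    into a short list of findings an analyst can review."""
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        d, eid, t = ev.get("data", {}), ev["id"], ev["time"]
        if eid == 1102:
            findings.append(Finding(t, "high", "Audit log cleared by %s" % d.get("SubjectUserName")))
        elif eid == 7045:
            findings.append(Finding(t, "high", "Service installed: %s -> %s"
                                    % (d.get("ServiceName"), d.get("ImagePath"))))
        elif eid == 4698:
            findings.append(Finding(t, "medium", "Scheduled task created: %s by %s"
                                    % (d.get("TaskName"), d.get("SubjectUserName"))))
        elif eid == 4104:
            findings.append(Finding(t, "medium", "PowerShell script block (%s): %s"
                                    % (d.get("Path") or "<no file>", d.get("ScriptBlockText", "")[:60])))
        elif eid == 4688:
            findings.append(Finding(t, "low", "Process started by %s: %s"
                                    % (d.get("SubjectUserName"), d.get("NewProcessName"))))
        elif eid == 1149:
            findings.append(Finding(t, "info", "RDP authentication succeeded for %s from %s"
                                    % (d.get("Param1"), d.get("Param3"))))
        elif eid == 4624:
            lt = int(d.get("LogonType", 0))
            if lt in REMOTE_LOGON_TYPES:
                findings.append(Finding(t, "info", "%s logon (type %d) for %s from %s"
                                        % (logon_type_name(lt), lt, d.get("TargetUserName"), d.get("IpAddress"))))
    return findings


def logon_summary(events: List[Dict]) -> Counter:
    """Count successful logons (4624) per named logon type."""
    return Counter(logon_type_name(int(e["data"]["LogonType"]))
                   for e in events if e["id"] == 4624)


SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"time": "2024-03-01T08:02:11Z", "log": "Security", "id": 4624,
     "data": {"TargetUserName": "alice", "LogonType": "2", "IpAddress": "-"}},
    {"time": "2024-03-01T22:14:03Z", "log": "Security", "id": 4624,
     "data": {"TargetUserName": "svc_backup", "LogonType": "10", "IpAddress": "203.0.113.45"}},
    {"time": "2024-03-01T22:14:03Z", "log": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
     "id": 1149, "data": {"Param1": "svc_backup", "Param2": "CORP", "Param3": "203.0.113.45"}},
    {"time": "2024-03-01T22:16:40Z", "log": "Security", "id": 4688,
     "data": {"SubjectUserName": "svc_backup",
              "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}},
    {"time": "2024-03-01T22:17:05Z", "log": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "data": {"Path": r"C:\Users\Public\update.ps1",
              "ScriptBlockText": r"Get-ChildItem C:\Users -Recurse | Out-File C:\Users\Public\inv.txt"}},
    {"time": "2024-03-01T22:18:30Z", "log": "System", "id": 7045,
     "data": {"ServiceName": "UpdSvc", "ImagePath": r"C:\Users\Public\updsvc.exe", "StartType": "auto start"}},
    {"time": "2024-03-01T22:19:12Z", "log": "Security", "id": 4698,
     "data": {"SubjectUserName": "svc_backup", "TaskName": r"\Microsoft\Windows\Upd"}},
    {"time": "2024-03-01T22:40:00Z", "log": "Security", "id": 1102, "data": {"SubjectUserName": "svc_backup"}},
    {"time": "2024-03-01T23:01:00Z", "log": "Security", "id": 4624,
     "data": {"TargetUserName": "bob", "LogonType": "3", "IpAddress": "10.0.0.7"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("%s  %-6s %s" % (f.time, f.severity, f.summary))
    print(dict(logon_summary(SAMPLE_EVENTS)))
```

Sorting by time before classifying is what makes the output readable as a timeline: in the sample, the type 10 logon, the matching 1149 from the same address, the PowerShell activity, the service install, the task creation and the 1102 appear in sequence, which is the pattern an analyst looks for rather than any single code.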
Prefetch
Cached data for files that have previously executed on a system.
Location: %systemroot%\prefetch\*.pf
Tools: WinPrefetchView, strings

Common A/V Log Locations
• McAfee: %allusersprofile%\McAfee\DesktopProtection\*.txt
• Symantec: %allusersprofile%\Symantec\Symantec EndpointProtection\Logs\AVMan.log
• Trend Micro: Path listed at HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\
• Sophos: C:\ProgramData\Sophos\Sophos Anti-Virus\logs\sav.txt
• Windows Defender: C:\ProgramData\Microsoft\Windows Defender\Support\*.log

Windows Timestamps
Two tables, one for the $STD_INFORMATION attribute and one for the $FN_NAME attribute, record which of the four NTFS timestamps each file operation updates.
Rows: Modified, Accessed, Created, Entry Modified
Columns: Rename, Local Move, Volume Move, Copy, Access, Modify, Create, Delete
(The individual marks in both tables are not recoverable from this copy.)
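Because NTFS keeps the four timestamps twice, once in $STD_INFORMATION and once in $FN_NAME, comparing the two sets for one file is a routine analyst check. The Python script below is an added example, not part of the cheat sheet, and applies two heuristics that are this example's assumptions rather than rules from the tables above: $FN_NAME timestamps are written by the kernel from the $STD_INFORMATION values at creation, rename and move, so a $STD_INFORMATION Created earlier than the $FN_NAME Created means the former was changed afterwards; and $STD_INFORMATION values with a zero fractional second while $FN_NAME keeps sub-second precision suggest they were set through a user-mode API rather than by normal file system activity. Both are leads, not proof: the first also arises when a file is moved in from another volume or extracted by a tool that preserves the source timestamps. The record layout (per-file dict with "si" and "fn" timestamp sets, as an MFT parser export could be reshaped into) and the sample records are constructed for the example.

```python
"""Compare $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps per file.

Added example; record shape and SAMPLE_RECORDS are constructed. Timestamps are
ISO-8601 strings with microsecond precision, as an MFT parser export might give.
"""
from datetime import datetime
from typing import Dict, List

TS_FIELDS = ("created", "modified", "accessed", "entry_modified")


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def check_timestamps(record: Dict) -> List[str]:
    """Return human-readable findings for one file record (empty list = consistent)."""
    si, fn = record["si"], record["fn"]
    findings = []
    # Heuristic 1 (assumption): $FN Created is refreshed from $SI by the kernel at
    # create/rename/move, so $SI Created earlier than $FN Created means $SI was
    # rewritten afterwards. Also true for cross-volume moves that preserve times.
    if _parse(si["created"]) < _parse(fn["created"]):
        findings.append("$SI Created (%s) predates $FN Created (%s)"
                        % (si["created"], fn["created"]))
    # Heuristic 2 (assumption): whole-second $SI values next to sub-second $FN
    # values point at a user-mode API setting the time, not file system activity.
    coarse = [f for f in TS_FIELDS
              if _parse(si[f]).microsecond == 0 and _parse(fn[f]).microsecond != 0]
    if coarse:
        findings.append("$SI %s carry second granularity while $FN does not" % ", ".join(coarse))
    return findings


def scan(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each file path to its findings."""
    return {r["path"]: check_timestamps(r) for r in records}


def _same(ts: str) -> Dict[str, str]:
    return {f: ts for f in TS_FIELDS}


SAMPLE_RECORDS = [  # constructed sample values, not from a real image
    # Normal document: $SI Modified moved on with edits, $FN still holds creation values.
    {"path": r"C:\Users\alice\Documents\report.docx",
     "si": {"created": "2024-02-10T09:15:22.431210", "modified": "2024-02-12T16:40:05.002314",
            "accessed": "2024-02-12T16:40:05.002314", "entry_modified": "2024-02-12T16:40:05.002314"},
     "fn": _same("2024-02-10T09:15:22.431210")},
    # $SI Created/Modified/Accessed set to a whole second in 2009; $FN shows the file
    # really appeared in 2024, and $SI Entry Modified was bumped by that very change.
    {"path": r"C:\Users\Public\updsvc.exe",
     "si": {"created": "2009-07-14T01:14:32.000000", "modified": "2009-07-14T01:14:32.000000",
            "accessed": "2009-07-14T01:14:32.000000", "entry_modified": "2024-03-01T22:18:25.118322"},
     "fn": _same("2024-03-01T22:18:25.118322")},
    # Copied file: $SI Modified older than Created is expected after a copy, no finding.
    {"path": r"D:\archive\photo.jpg",
     "si": {"created": "2024-01-05T11:00:00.774611", "modified": "2023-06-20T18:22:41.330057",
            "accessed": "2024-01-05T11:00:00.774611", "entry_modified": "2024-01-05T11:00:00.774611"},
     "fn": _same("2024-01-05T11:00:00.774611")},
]

if __name__ == "__main__":
    for path, found in scan(SAMPLE_RECORDS).items():
        print(path, "->", found or "consistent")
```

A Modified value older than Created is deliberately not flagged: a copy gives the new file a fresh Created while Modified is inherited from the source, so that ordering is normal and only the $SI versus $FN comparison carries signal.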
