Windows Forensics Cheatsheet

This document provides an overview of key system and application files and registry keys that may contain useful forensic evidence, such as user activity and installed programs. It outlines where to find information on the operating system version, computer name, installed software, recently used files, installed programs, user accounts, connected devices, and evidence of application and file execution. Examining these locations can help reconstruct a user's activities and identify potentially malicious programs.

Uploaded by

happy1990
System info and accounts

OS Version:
  SOFTWARE\Microsoft\Windows NT\CurrentVersion

Current Control Set:
  HKLM\SYSTEM\CurrentControlSet
  SYSTEM\Select\Current
  SYSTEM\Select\LastKnownGood

Computer Name:
  SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

Time Zone Information:
  SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Network Interfaces and Past Networks:
  SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Autostart Programs (Autoruns):
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
  SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SAM hive and user information:
  SAM\Domains\Account\Users

File/folder usage or knowledge

Recent Files:
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Office Recent Files:
  NTUSER.DAT\Software\Microsoft\Office\VERSION
  NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU

ShellBags:
  USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
  USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Open/Save and LastVisited Dialog MRUs:
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Windows Explorer Address/Search Bars:
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

External/USB device forensics

Device identification:
  SYSTEM\CurrentControlSet\Enum\USBSTOR
  SYSTEM\CurrentControlSet\Enum\USB

First/Last Times:
  SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####
    0064 = first connection
    0066 = last connection
    0067 = last removal

USB device Volume Name:
  SOFTWARE\Microsoft\Windows Portable Devices\Devices

Evidence of execution

UserAssist:
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

ShimCache:
  SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

AmCache:
  Amcache.hve\Root\File\{Volume GUID}\

BAM/DAM:
  SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
  SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
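As an added worked example (not part of the cheatsheet or of the TryHackMe room it links to), the Python below decodes one value from the UserAssist key listed under "Evidence of execution": the value name is ROT13-encoded and the Count data holds the run count and a last-executed FILETIME. The same FILETIME conversion is what an analyst applies to the USBSTOR property values (0064/0066/0067) listed under "First/Last Times", so one helper serves both sections. The sample value name and Count bytes are constructed here, and the 72-byte Count layout offsets are assumptions taken from the commonly documented Windows 7+ format, not something the cheatsheet states.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a 64-bit FILETIME integer to an aware UTC datetime.

    Used for the UserAssist last-executed stamp and equally for the USBSTOR
    device property values (0064 first connection, 0066 last connection,
    0067 last removal), which are FILETIMEs as well. A zero FILETIME means
    'never recorded' and is returned as None.
    """
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; only used here to build sample data."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_name(value_name: str) -> str:
    """UserAssist value names are stored ROT13-encoded; undo that.

    The leading GUID is a known-folder id (the sample below uses the
    System32 folder id) and the remainder is the executed path.
    """
    return codecs.decode(value_name, "rot_13")


def parse_userassist_count(blob: bytes) -> dict:
    """Parse a Windows 7+ UserAssist Count value (72 bytes).

    Assumed layout (offsets are the commonly documented ones):
      0x04  uint32  run count
      0x08  uint32  focus count
      0x0C  uint32  focus time in milliseconds
      0x3C  uint64  last executed, FILETIME (UTC)
    """
    if len(blob) != 72:
        raise ValueError(f"expected a 72-byte Count value, got {len(blob)}")
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", blob, 4)
    (last_exec_ft,) = struct.unpack_from("<Q", blob, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_executed_utc": filetime_to_datetime(last_exec_ft),
    }


def build_sample_count(run_count: int, focus_count: int, focus_time_ms: int,
                       last_executed: datetime) -> bytes:
    """Build a constructed Count blob in the layout parse_userassist_count expects."""
    blob = bytearray(72)
    struct.pack_into("<III", blob, 4, run_count, focus_count, focus_time_ms)
    struct.pack_into("<Q", blob, 60, datetime_to_filetime(last_executed))
    return bytes(blob)


# Constructed sample: what one value under ...\UserAssist\{GUID}\Count might hold.
# The name is ROT13 for "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe".
SAMPLE_VALUE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2023, 5, 1, 12, 34, 56, tzinfo=timezone.utc)
SAMPLE_COUNT = build_sample_count(7, 3, 45_000, SAMPLE_LAST_RUN)


def summarize_entry(value_name: str, blob: bytes) -> dict:
    """Decode one UserAssist value into an analyst-readable record."""
    record = parse_userassist_count(blob)
    record["program"] = decode_userassist_name(value_name)
    return record


if __name__ == "__main__":
    entry = summarize_entry(SAMPLE_VALUE_NAME, SAMPLE_COUNT)
    print(f"{entry['program']}: run {entry['run_count']}x, "
          f"last executed {entry['last_executed_utc'].isoformat()}")
```

On a real image the value names and Count bytes come from the user's NTUSER.DAT hive (for example via an offline registry parser); the functions above take exactly those two inputs, so only the constructed sample needs replacing. Treat the parsed timestamps as UTC and correlate them with the TimeZoneInformation key before reporting local times.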

To learn more about Windows Forensics click here: https://tryhackme.com/room/windowsforensics1
