meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
soc:forensics:windows:start [2026/06/09 14:14] titannetsoc:forensics:windows:start [2026/06/09 17:17] (current) titannet
Line 1: Line 1:
 ====== Windows ====== ====== Windows ======
 +
 +===== OS Basics =====
 +
 +==== Registry ====
 +
 +  * Binary file storage, ''%WinDir%\System32\config''
 +  * For OS, applications and users
 +  * Classes/Hives (key value store)
 +    * HKCR, Classes Root
 +    * HKCU, Current User, ''%UserProfile%\ntuser.dat'', mirrored/alias to HKU\SID\ (?)
 +      * ''NTUSER\Software\Microsoft\CurrentVersion\Run''
 +      * UAC -> AppData\Local\Microsoft\Windows\UsrClass.dat
 +        * 
 +    * HKLM, Local Machine
 +      * SAM, Local Account information incl. users and groups
 +      * Security, Security information, policy and identifiers
 +      * Software, Configuration for applications including OS
 +      * System, Configuration for hardware devices and system services
 +      * BCD, Boot system
 +    * HKU, Users
 +    * HKCC, Current Config, alias to ''HKLM\System\ControlSet001''
 +
 +  * Format:
 +    * Hive -> Keys -> Subkeys -> Value name : Value type : Value
 +      * Only subkeys have timestamps (value do not)
 +
 +
 +==== MFT ====
 +
 +
 +==== NTFS ====
 +
 +  * Defined change rules (see below)
 +
 +=== Volume Shadow Copy ===
 +
 +  * Block/cluster level backup of changes in NTFS
 +  * Snapshots created approximately weekly (schedules, software install/uninstall, manual)
 +  * Default 3-5% of disk space
 +  * (Recovery and Windows Restore are separate mechanisms)
 +
 +  * VSC Tools:
 +    * 
 +
 +
 +
 +==== Event Logs ====
 +
 +  * All windows logs 
 +  * In ''%systemroot%\System32\winevt\logs'', (can be configured)
 +  * Separate files per log
 +    * Security.evtx
 +    * System.evtx
 +    * Appliation.evtx
 +    * [...]
 +      * Custom log symbols can be stored in application specific files (-> Elmo tool to recover)
 +  * Logging extent and forwarding can be defined (WEF)
 +
 +  * Types
 +    * Error
 +    * Warning
 +    * Information
 +    * Success Audit
 +    * Failure Audit
 +  * Categories
 +    * Account Logon
 +    * Accoung Mgmt
 +    * Directory Service
 +    * Logon Events
 +    * Object Access
 +    * Policy Change
 +    * Privilege Use
 +    * Process Tracking
 +    * System Events
 +
 +  * Events
 +    * lots of event IDs
 +
 +  * Type code
 +    * Important distinction via type code
 +
 +===== Log Events =====
 +
 +==== Security ====
 +
 +| 4624 || Succesful Logon |
 +| | 0 | System Used only by the System account, for example at system startup.|
 +| | 2 | Interactive A user logged on to this computer.|
 +| | 3 | Network A user or computer logged on to this computer from the network.|
 +| | 4 | Batch Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention.|
 +| | 5 | Service The Service Control Manager started a service.|
 +| | 7 | Unlock This workstation was unlocked.|
 +| | 8 | NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext).|
 +| | 9 | NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
 +| | 10 | RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
 +| | 11 | CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer.  The domain controller wasn't contacted to verify the credentials. |
 +| | 12 | CachedRemoteInteractive Same as RemoteInteractive. This type is used for internal auditing. |
 +| | 13 | CachedUnlock Workstation logon. |
 +| 4625 || Failed Logon |
 +| | 2 | Interactive A user logged on to this computer. |
 +| | 3 | Network A user or computer logged on to this computer from the network. |
 +| | 4 | Batch Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.|
 +| | 5 | Service A service was started by the Service Control Manager.|
 +| | 7 | Unlock This workstation was unlocked.|
 +| | 8 | NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).|
 +| | 9 | NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
 +| | 10 | RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
 +| | 11 | CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.|
 +| 4634 || |
 +| 4672 || Special Privileges Assigned |
 +| 4720/4726 || User account creation/deletion |
 +| 4648 || Logon with explicit credentials, connected to other events via Account Name, Account Domain, Logon GUID |
 +
 +==== Service? ====
 +
 +|  ||  |
 +|  ||  |
 +|  ||  |
 +
 +6005 / 6006 — Event Log Service Started/Stopped:
 +7036 — Service State Change:
 +7045 — New Service Installed: 
 +
  
 ===== Application Execution ===== ===== Application Execution =====
  
 ==== Shimcache ==== ==== Shimcache ====
 +//The Windows Application Compatibility Database is used by Windows to 
 +identify possible application compatibility challenges with executables. It 
 +tracks the executable file path and binary last modified time.// 
 +
 +<code>
 + Win7+: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
 +</code>
 +
 +Any executable present in the file system could be found in this key. 
 +• Full path of executable
 +• Windows 7+ contains up to 1,024 
 +• Executables can be preemptively added prior to execution. -> 
 +The existence of an executable in this key does not prove actual execution.
 +
 +==== Task Bar Feature Usage ====
 +//Tracks taskbar interactions.//
 +
 +<code>
 +Win 10 1903+: NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage
 +</code>
 +
 +• Only tracks GUI applications
 +• Does not include timestamps
 +• AppLaunch tracks data only for pinned applications, showing user 
 +knowledge of the application 
 + - Data persists after an application is unpinned
 +• AppSwitched tracks a count of application focus, showing user 
 +interaction directed at the application
 + - Not tied to pinned applications
 +
 +==== Amcache.hve ====
 +//Track app installation, execution, driver load and more.//
 +
 +<code>
 +C:\Windows\AppCompat\Programs\Amcache.hve
 +Amcache.hve\Root\File\{Volume GUID}\###
 +</code>
 +
 +• A complete registry hive, with multiple sub-keys
 +• Full path, file size, file modification time, compilation time, and publisher 
 +metadata
 +• SHA1 hash of executables and drivers
 +• Amcache should be used as an indication of executable and driver 
 +presence on the system, but not to prove actual execution
 +
 +==== Jump Lists ====
 +//Jump list for access to latest or frequent items.//
 +
 +<code>
 +%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
 +</code>
 +
 +• Each jump list file is named according to an application identifier 
 +(AppID). List of Jump List IDs -> https://dfir.to/EZJumpList
 +• Automatic Jump List Creation Time = First time an item added to 
 +the jump list. Typically, the first time an object was opened by the 
 +application.
 +• Automatic Jump List Modification Time = Last time item added to the 
 +jump list. Typically, the last time the application opened an object. 
 +
 +==== Last Visited MRU ====
 +//Tracks applications in use by the user and the directory location for the 
 +last file accessed by the application.//
 +
 +<code>
 +• XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
 +• Win7+: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
 +</code>
 +
 +We get two important pieces of information from this key: applications 
 +executed by the user, and the last place in the file system that those 
 +applications interacted with. Interesting and hidden directories are often 
 +identified via this registry key. 
 +
 +==== Commands Executed in the Run Dialog ====
 +//History of commands typed into the Run dialog box per user.//
 +
 +<code>
 +NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
 +</code>
 +
 +Temporal order via MRUList key
 +
 +==== Windows 10 Timeline ====
 +//Win10 records recently used applications and files in a “timeline” sqlite db.//
 +
 +<code>
 +C:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\<account-ID>\ActivitiesCache.db
 +</code>
 +
 +• Full path of executed application
 +• Start time, end time, and duration
 +• Items opened within application
 +• URLs visited
 +• Databases still present even after feature deprecation in late-Win10
 +
 +==== BAM/DAM ====
 +Windows Background/Desktop Activity Moderator (BAM/DAM) is 
 +maintained by the Windows power management sub-system. (Available in 
 +Win10+)
 +
 +<code>
 +• SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
 +• SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}
 +</code>
 +
 +• Provides full path of file executed and last execution date/time
 +• Typically up to one week of data available
 +• “State” key used in Win10 1809+
 +
 +==== System Resource Usage Monitor ====
 + 
 +(SRUM)
 +Description
 +SRUM records 30 to 60 days of historical system performance including 
 +applications run, user accounts responsible, network connections, and 
 +bytes sent/received per application per hour.
 +<code> 
 +Win8+: C:\Windows\System32\SRU\SRUDB.dat
 +</code>
 +• SRUDB.dat is an Extensible Storage Engine database 
 +• Three tables in SRUDB.dat are particularly important:
 + - {973F5D5C-1D90-4944-BE8E-24B94231A174} = Network Data Usage
 + - {d10ca2fe-6fcf-4f6d-848e-b2e99266fa89} = Application Resource Usage
 + - {DD6636C4-8929-4683-974E-22C046A43763} = Network Connectivity Usage
 +
 +==== Prefetch ====
 +Prefetch increases performance of a system by pre-loading code pages 
 +of commonly used applications. It monitors all files and directories 
 +referenced for each application or process and maps them into a .pf file. 
 +It provides evidence that an application was executed.
 +• Limited to 128 files on XP and Win7
 +• Up to 1024 files on Win8+
 +<code>
 +• C:\Windows\Prefetch
 +Naming format: (exename)-(hash).pf
 +• SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
 +EnablePrefetcher value 
 +(0 = disabled; 3 = application launch and boot enabled)
 +</code>
 +• Date/Time file by that name and path was first executed
 + - Creation date of .pf file (-10 seconds)
 +• Date/Time file by that name and path was last executed
 + - Last modification date of .pf file (-10 seconds)
 +• Each .pf file includes embedded data, including the last eight execution 
 +times (only one time available pre-Win8), total number of times 
 +executed, and device and file handles used by the program
 +
 +==== CapabilityAccessManager ====
 +
 +Records application use of the microphone, camera, and other 
 +application-specific settings.
 +<code>
 +• Win 10 1903+: SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\
 +ConsentStore
 +• Win 10 1903+: NTUSER\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\
 +ConsentStore
 +</code>
 +• LastUsedTimeStart and LastUsedTimeStop track the last session times
 +• The NonPackaged key tracks non-Microsoft applications
 +
 +==== UserAssist ====
 +
 +UserAssist records metadata on GUI-based program executions.
 +<code> 
 +NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
 +</code>
 +• GUIDs identify type of execution (Win7+)
 + - CEBFF5CD Executable File Execution
 + - F4E57C4B Shortcut File Execution
 +• Values are ROT-13 Encoded
 +• Application path, last run time, run count, focus time and focus count
 +
 +
 +===== File and Folder Opening =====
 +
 +==== Open/Save MRU ====
 +
 +In the simplest terms, this key tracks files that have been opened or saved 
 +within a Windows shell dialog box. This happens to be a big data set, 
 +including Microsoft Office applications, web browsers, chat clients, and a 
 +majority of commonly used applications.
 +<code>
 +• XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
 +• Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
 +OpenSavePIDlMRU
 +</code>
 +• The “*” key – This subkey tracks the most recent files of any extension 
 +input in an OpenSave dialog
 +• .??? (Three letter extension) – This subkey stores file info from the 
 +OpenSave dialog by specific extension
 +
 +==== Recent Files ====
 +
 +Registry key tracking the last files and folders opened. Used to populate 
 +data in places like the “Recent” menus present in some Start menus.
 +<code> 
 +NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
 +</code>
 +• RecentDocs – Rollup key tracking the overall order of the last 150 files or 
 +folders opened. MRU list tracks the temporal order in which each file/
 +folder was opened.
 +• .??? – These subkeys store the last 20 files opened by the user of each 
 +extension type. MRU list tracks the temporal order in which each file was 
 +opened. The most recently used (MRU) item is associated with the last 
 +write time of the key, providing one timestamp of file opening for each file 
 +extension type.
 +• Folder – This subkey stores the last 30 folders opened by the user. The 
 +most recently used (MRU) item in this key is associated with the last write 
 +time of the key, providing the time of opening for that folder.
 +MS Word Reading Locations
 +
 +==== Description ====
 +
 +Beginning with Word 2013, the last known position of the user within a 
 +Word document is recorded.
 +<code>
 +NTUSER\Software\Microsoft\Office\<Version>\Word\Reading Locations
 +</code>
 +• Another source tracking recent documents opened
 +• The last closed time is also tracked along with the last position within the 
 +file
 +• Together with the last opened date in the Office File MRU key, a last 
 +session duration can be determined
 +Last Visited MRU
 +Description
 +Tracks applications in use by the user and the directory location for the 
 +last file accessed by the application.
 +<code>
 +• XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
 +• Win7+: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
 +LastVisitedPidlMRU
 +</code>
 +We get two important pieces of information from this key: applications 
 +executed by the user and the last place in the file system that those 
 +applications interacted with. Interesting and hidden directories are often 
 +identified via this registry key. 
 +Shortcut (LNK) Files
 +
 +==== Description ====
 +
 +Shortcut files are automatically created by Windows, tracking files and 
 +folders opened by a user.
 +<code> 
 +• XP: %USERPROFILE%\Recent 
 +• Win7+: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
 +• Win7+: %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\
 +Note these are primary locations of LNK files. They can also be found in 
 +other locations.
 +</code>
 +• Date/Time file of that name was first opened
 + - Creation Date of Shortcut (LNK) File
 +• Date/Time file of that name was last opened
 + - Last Modification Date of Shortcut (LNK) File
 +• LNK Target File (Internal LNK File Information) Data:
 + - Modified, Access, and Creation times of the target file
 + - Volume Information (Name, Type, Serial Number)
 + - Network Share information
 + - Original Location
 + - Name of System
 +
 +==== Office Recent Files ====
 +
 +MS Office programs track their own recent files list, to make it easier for 
 +users to access previously opened files.
 +<code>
 +• NTUSER.DAT\Software\Microsoft\Office\<Version>\<AppName>\File MRU
 + - 16.0 = Office 2016/2019/M365 
 + - 15.0 = Office 2013 
 + - 14.0 = Office 2010 
 + - 12.0 = Office 2007 
 + - 11.0 = Office 2003 
 + - 10.0 = Office XP
 +• NTUSER.DAT\Software\Microsoft\Office\<Version>\UserMRU\LiveID_####\File MRU
 + - Microsoft 365
 +• NTUSER.DAT\Software\Microsoft\Office\<Version>\UserMRU\ADAL_####\File MRU
 + - Microsoft 365 (Azure Active Directory)
 +</code>
 +• Similar to the Recent Files registry key, this tracks the last files opened by 
 +each MS Office application
 +• Unlike the Recent Files registry key, full path information is recorded 
 +along with a last opened time for each entry
 +
 +==== Shell Bags ====
 +
 +Shell bags identifies which folders were accessed on the local machine, via 
 +the network, and on removable devices, per user. It also shows evidence of 
 +previously existing folders still present after deletion/overwrite.
 +<code> 
 +Primary Data:
 +• USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
 +• USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
 +Residual Desktop Items and Network Shares:
 +• NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
 +• NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
 +</code>
 +• Massive collection of data on folders accessed by each user
 +• Folder file system timestamps are archived in addition to first and last 
 +interaction times
 +• “Exotic” items recorded like mobile device info, control panel access, and 
 +Zip archive access
 +
 +==== Jump Lists ====
 +
 +Windows Jump Lists allow user access to frequently or recently used items 
 +quickly via the task bar. First introduced in Windows 7, they can identify 
 +applications in use and a wealth of metadata about items accessed via 
 +those applications.
 +<code>
 +• %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
 +• %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
 +</code>
 +• Each jump list file is named according to an application identifier (AppID). 
 +List of Jump List IDs -> https://dfir.to/EZJumpList
 +• Each Jump List contains a collection of items interacted with (up to ~2000 
 +items per application)
 +• Each entry is represented as a LNK shell item providing additional data
 + - Target Timestamps
 + - File Size
 + - Local Drive | Removable Media | Network Share Info
 + - Entries kept in MRU order including a timestamp for each item
 +
 +==== Office Trust Records ====
 +
 +Records trust relationships afforded to documents by a user when 
 +presented with a security warning. This is stored so the user is only 
 +required to grant permission the first time the document is opened.
 +<code>
 +NTUSER\Software\Microsoft\Office\<Version>\<AppName>\Security\Trusted Documents\TrustRecords
 +</code>
 +• Can identify documents opened by the user and user interaction in 
 +trusting the file
 +• Records file path, time the document was trusted, and which permissions 
 +were granted
 +Office OAlerts
 +Description
 +MS Office programs produce alerts for the user when they attempt actions 
 +such as closing a file without saving it first.
 +<code>
 +OAlerts.evtx
 +</code>
 +• All Office applications use Event ID 300
 +• Events include the program name and dialog message, showing some 
 +user activity within the application
 +
 +==== Internet Explorer file:/// ====
 +
 +Internet Explorer History databases have long held information on local 
 +and remote file access (via network shares), giving us an excellent means 
 +for determining files accessed on the system, per user. Information can be 
 +present even on Win11+ systems missing the Internet Explorer application. 
 +<code> 
 +Internet Explorer:
 +IE6–7: %USERPROFILE%\LocalSettings\History\History.IE5
 +IE8–9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
 +IE10–11 & Win10+: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
 +</code>
 +• Entries recorded as: file:///C:/directory/filename.ext
 +• Does not mean file was opened in a browser
 +
 +===== Deleted Items and File Existence =====
 +
 +==== Thumbs.db ====
 +
 +The hidden database file is created in directories where images 
 +were viewed as thumbnails. It can catalog previous contents of a 
 +folder even upon file deletion.
 +<code>
 +Each folder maintains a separate Thumbs.db file after being 
 +viewed in thumbnail view (OS version dependent)
 +</code>
 +Includes:
 +• Thumbnail image of original picture
 +• Last Modification Time (XP Only)
 +• Original Filename (XP Only)
 +• Most relevant for XP systems, but Thumbs.db files can be 
 +created on more modern OS versions in unusual circumstances 
 +such as when folders are viewed via UNC paths.
 + 
 +==== Windows Search Database ====
 +
 +Windows Search indexes more than 900 file types, including 
 +email and file metadata, allowing users to search based on 
 +keywords. 
 +<code>
 +• Win XP: C:\Documents and Settings\All Users\Application Data\ Microsoft\Search\Data\
 +Applications\Windows\Windows.edb
 +• Win7+: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb 
 +• Win7+: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\
 +SystemIndex
 +</code>
 +• Database in Extensible Storage Engine format
 +• Gather logs contain a candidate list for files to be indexed over 
 +each 24 hour period
 +• Extensive file metadata and even partial content can be present
 +
 +==== Internet Explorer file:/// ====
 +
 +Internet Explorer History databases have long held information on local and remote (via 
 +network shares) file access, giving us an excellent means for determining files accessed on 
 +the system, per user. Information can be present even on Win11+ systems missing the Internet 
 +Explorer application. 
 +<code> 
 +• IE6-7: %USERPROFILE%\LocalSettings\History\History.IE5
 +• IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
 +• IE10-11 and Win10+: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
 +</code>
 +• Entries are recorded as: file:///C:/<directory>/<filename>.<ext>
 +• It does not mean the file was opened in a browser
 +
 +==== Search – WordWheelQuery ====
 +
 +This maintains an ordered list of terms put into the File Explorer search dialog. 
 +<code> 
 +Win7+: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
 +</code>
 +Keywords are added in Unicode and listed in temporal order in an MRUlist
 +User Typed Paths
 +Description
 +A user can type a path directly into the File Explorer path bar to locate a file instead of navigating 
 +the folder structure. Folders accessed in this manner are recorded in the TypedPaths key. 
 +<code>
 +NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
 +</code>
 +• This indicates a user had knowledge of a particular file system location
 +• It can expose hidden and commonly accessed locations, including those present on external 
 +drives or network shares
 +
 +==== Thumbcache ====
 +
 +Thumbnails of pictures, documents, and folders exist in a set of 
 +databases called the thumbcache. It is maintained for each user 
 +based on the thumbnail sizes viewed (e.g., small, medium, large, 
 +and extra large). It can catalog previous contents of a folder even 
 +upon file deletion. (Available in Windows Vista+)
 +<code>
 +%USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer
 +</code>
 +• Database files are named similar to: Thumbcache_256.db
 +• Each database file represents thumbnails stored as different sizes 
 +or to fit different user interface components 
 +• Thumbnail copies of pictures can be extracted and the Thumbnail 
 +Cache ID can be cross-referenced within the Windows Search 
 +Database to identify filename, path, and additional file metadata 
 +
 +==== Recycle Bin ====
 +
 +The recycle bin collects items soft-deleted by each user and 
 +associated metadata—only relevant for recycle-bin aware 
 +applications. 
 +<code>
 +Hidden System Folder
 +• Win XP: C:\Recycler
 +• Win7+: C:\$Recycle.Bin
 +</code>
 +• Each user is assigned a SID sub-folder that can be mapped to a 
 +user via the Registry
 +• XP: INFO2 database contains deletion times and original filenames
 +• Win7+: Files preceded by $I###### contain original filename and 
 +deletion date/time
 +• Win7+: Files preceded by $R###### contain original deleted file 
 +contents
 +
 +===== Browser Activity =====
 +
 +==== History and Download History ====
 + 
 +History and Download History records websites visited by date and time.
 +<code> 
 +Firefox 
 +• XP: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
 +• Win7+: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\
 +places.sqlite
 +Chrome/Edge
 +• XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\<Profile>\History
 +• Win7+: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\History
 +• Win7+: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\History
 +</code>
 +• Web browser artifacts are stored for each local user account
 +• Most browsers also record number of times visited (frequency)
 +• Look for multiple profiles in Chromium browsers, including “Default”, and 
 +“Profile1”, etc. 
 +
 +==== Media History ====
 + 
 +Media History tracks media usage (audio and video played) on visited 
 +websites (Chromium browsers).
 +<code> 
 +Chrome/Edge
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Media History
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Media History
 +</code>
 +• Three primary tables: playbackSession, origin, playback 
 +• Includes URLs, last play time, watch time duration, and last video position
 +• Not cleared when other history data is cleared
 +
 +==== HTML5 Web Storage ====
 +
 +HTML5 Web Storage are considered to be “Super Cookies”. Each domain 
 +can store up to 10MB of text-based data on the local system.
 +<code> 
 +Firefox
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\webappstore.sqlite
 +Chrome/Edge
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Local Storage
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Local Storage
 +</code>
 +Chrome uses a LevelDB database, Firefox uses SQLite, and IE/EdgeHTML 
 +store data within XML files
 +
 +==== HTML5 FileSystem ====
 +
 +HTML5 FileSystem implements the HTML5 local storage FileSystem API. It is 
 +similar to Web Storage, but designed to store larger binary data.
 +<code>
 +Chrome/Edge
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\File System
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\File System
 +</code>
 +• A LevelDB database in this folder stores visited URLs and assigned 
 +subfolders to locate the data
 +• Files are stored temporarily (“t” subfolders) or in permanent (“p” 
 +subfolders) storage
 +
 +==== Auto-Complete Data ====
 + 
 +Many databases store data that a user has typed into the browser.
 +<code> 
 +Firefox
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\
 +formhistory.sqlite
 +Chrome/Edge
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\History
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\History
 + - keyword_search_terms – items typed into various search engines
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Web Data
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\ Web Data
 + - Items typed into web forms
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Shortcuts
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\ Shortcuts
 + - Items typed in the Chrome URL address bar (Omnibox)
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Network Action Predictor
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\ Network Action Predictor
 + - Records what was typed, letter by letter
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Login Data
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\ Login Data
 + - Stores inputted user credentials
 +</code>
 +• Includes typed-in data, as well as data types
 +• Connects typed data and knowledge to a user account
 +
 +==== Browser Preferences ====
 + 
 +Configuration data associated with the browser application, including 
 +privacy settings and synchronization preferences.
 +<code> 
 +Firefox
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\prefs.js
 +Chrome/Edge
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Preferences
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Preferences
 +</code>
 +• Firefox prefs.js shows sync status, last sync time, and artifacts selected to sync
 +• Chrome uses JSON format
 + - per_host_zoom_levels, media-engagement, and site_engagement can 
 +help to show user interaction
 + - Contains synchronization status, last sync time and artifacts selected to sync
 +• Edge preferences include account_info, clear_data_on_exit, and sync settings
 +
 +==== Cache ====
 +
 +The cache is where web page components can be stored locally to speed 
 +up subsequent visits.
 +<code> 
 +Firefox
 +• XP: %USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<randomtext>.
 +default\Cache
 +Firefox 31-
 +• Win7+: %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\<randomtext>.default\Cache
 +Firefox 32+
 +• Win7+: %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\<randomtext>.default\cache2
 +Chrome/Edge
 +• XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\<Profile>\Cache -
 +data_# and f_######
 +• Win7+: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Cache\ - data_# and 
 +f_######
 +• Win7+: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Cache\ - data_# and 
 +f_######
 +</code>
 +• Gives the investigator a “snapshot in time” of what a user was looking 
 +at online
 +• Identifies websites which were visited
 +• Provides the actual files the user viewed on a given website
 +• Similar to all browser artifacts, cached files are tied to a specific local 
 +user account
 +• Timestamps show when the site was first saved and last viewed
 +
 +==== Bookmarks ====
 +
 +Bookmarks include default items, as well as those the user chose to save 
 +for future reference. 
 +<code> 
 +Firefox 3+
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\
 +bookmarkbackups\bookmarks-<date>.jsonlz4
 +Chrome/Edge
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Bookmarks
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Bookmarks
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Bookmarks.bak
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Bookmarks.msbak
 +</code>
 +• Provides the website of interest and the specific URL that was saved
 +• Firefox bookmarkbackups folder can contain multiple backup copies of 
 +bookmarks in JSON format. Field names match those in places.sqlite
 +• Chromium Bookmark files are in JSON format
 +• Note: not all bookmarks are user-generated; it is possible to bookmark a 
 +site and never visit it
 +
 +==== Stored Credentials ====
 + 
 +Browser-based credential storage typically uses Windows DPAPI 
 +encryption. If the login account is a Microsoft cloud account in Windows 
 +10 or 11, DPAPI uses a 44-character randomly generated password in lieu 
 +of the account password. 
 +<code> 
 +Firefox
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
 +Chrome/Edge
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Login Data
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Login Data
 +</code>
 +• Firefox stores the hostname and URL, creation time, last used time, 
 +times used, and time of last password change in JSON format.
 +• Chromium-based browsers use a SQLite database and include the origin 
 +URL, action URL, username, date created, and date last used.
 +• Credential metadata can be available even if actual credentials are 
 +encrypted. Actual credentials are easiest to retrieve on a live system 
 +with the user account logged in. 
 +
 +==== Browser Downloads ====
 + 
 +Modern browsers include built-in download manager applications 
 +capable of keeping a history of every file downloaded by the user. This 
 +browser artifact can provide excellent information about websites visited 
 +and corresponding items downloaded.
 +<code> 
 +Firefox 3-25
 +• %USERPROFILE%\AppData\Roaming\Mozilla\ Firefox\Profiles\<random text>.default\
 +downloads.sqlite
 +Firefox 26+
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
 + - moz_annos table
 +Chrome/Edge
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\History
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\History
 + - downloads and download_url_chains tables
 +</code>
 +Download metadata includes:
 +• Filename, size, and type
 +• Source website and referring page
 +• Download start and end times
 +• File system save location
 +• State information including success and failure
 +
 +==== Extensions ====
 + 
 +Browser functionality can be extended through the use of extensions, or 
 +browser plugins. 
 +<code> 
 +Firefox 4-25
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\extensions.sqlite
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\addons.sqlite
 +Firefox 26+
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\addons.json
 +• %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\extensions.json
 +Chrome/Edge
 +• %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Extensions\<GUID>\<version>
 +• %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Extensions\<GUID>\<version>
 +</code>
 +• The newer Firefox JSON format stores more information than in older 
 +versions
 + - Extension name, installation source, installation time, last update, and 
 +plugin status
 +• Chrome/Edge extensions each have their own folder on the local system, 
 +named with a GUID, containing the code and metadata
 + - Creation time of the folder indicates the installation time for the 
 +extension. Beware that extensions can be synced across devices 
 +affecting the interpretation of this timestamp.
 + - A manifest.json file provides plugin details including name, URL, 
 +permissions, and version.
 + - The preferences file can also include additional extension data 
 +
 +==== Session Restore ====
 +
 +Automatic crash recovery features are built into the browser.
 +<code> 
 +Firefox (older versions)
 +• Win7+: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\
 +sessionstore.js
 +Firefox (newer versions)
 +• Win7+: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\
 +sessionstore.jsonlz4
 +• Win7+: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\
 +sessionstore-backups\
 +Chrome/Edge (older versions)
 +• Win7+: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\
 +• Win7+: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\
 + - Restore files = Current Session, Current Tabs, Last Session, Last Tabs
 +Chrome/Edge (newer versions)
 +• Win7+: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Sessions
 +• Win7+: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Sessions
 + - Restore files = Session_<timestamp>, Tabs_<timestamp>
 +</code>
 +• Historical websites viewed in each tab
 +• Referring websites
 +• Time session started or ended
 +• HTML, JavaScript, XML, and form data from the page
 +• Other artifacts such as transition type, browser window size and pinned tabs
 +
 +==== Cookies ====
 +
 +Cookies provide insight into what websites have been visited and what 
 +activities might have taken place there.
 +<code> 
 +Firefox
 +• XP: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\cookies.sqlite
 +• Win7+: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\
 +cookies.sqlite
 +Chrome/Edge
 +• XP: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\<Profile>\Cookies
 +• Win7+: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Network\Cookies
 +• Win7+: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Network\Cookies
 +
 +===== Cloud Storage =====
 +
 +===== OneDrive =====
 + 
 +OneDrive is installed by default on Windows 8+ systems, although it must 
 +be enabled by a user authenticating to their Microsoft Cloud account 
 +before use.
 +<code> 
 +Default local file storage:
 +• %USERPROFILE%\OneDrive (Personal)
 +• %USERPROFILE%\OneDrive - <CompanyName> (Business)
 +File storage folder location info:
 +• NTUSER\Software\Microsoft\OneDrive\Accounts\<Personal | Business1>
 +File metadata:
 +• %USERPROFILE%\AppData\Local\Microsoft\OneDrive\logs\<Personal | Business1>
 + - SyncDiagnostics.log
 + - SyncEngine “odl” logs
 +• %USERPROFILE%\AppData\Local\Microsoft\OneDrive\settings\<Personal | Business1>
 + - <UserCid>.dat
 +</code>
 +• It is critical to check the registry to confirm the local file storage location
 +• Metadata files only exist if OneDrive is enabled
 +• SyncDiagnostics.log can sometimes contain file metadata
 +• Some files are only stored in the cloud and will not be stored locally
 +• Deleted items are stored in an online recycle bin for up to 30 days 
 +(personal) or 93 days (business)
 +• OneDrive for Business Unified Audit Logs in Microsoft 365 provide 90 
 +days of user activity logging
 +
 +===== Google Drive for Desktop =====
 +
 +Google Drive for Desktop is the new name 
 +for the merged Google Backup and Sync 
 +and File Stream applications. It uses a 
 +virtual FAT32 volume named “My Drive”, 
 +which is only accessible to the user when 
 +they are logged in.
 +<code> 
 +Local drive letter for the virtual volume and 
 +account ID:
 +• NTUSER\Software\Google\DriveFS\Share\
 +Default local file cache:
 +• %USERPROFILE%\AppData\Local\Google\DriveFS\<account 
 +identifier>\content_cache
 +File metadata:
 +• %USERPROFILE%\AppData\Local\Google\DriveFS\<account 
 +identifier>\metadata_sqlite_db
 +</code>
 +• Assigned drive letter can help tie file and 
 +folder access artifacts to Google Drive
 +• Google Workspace Admin Reports provide 
 +180 days of user activity logging
 +• metadata_sqlite_db database uses protobuf 
 +format for many important fields
 +
 +===== Box Drive =====
 + 
 +Box Drive uses a virtual filesystem, 
 +implemented as an NTFS reparse point. 
 +Excellent metadata logging is available.
 +<code>
 +Default reparse point to virtual filesystem:
 +• %USERPROFILE%\Box 
 +Default local file cache:
 +• %USERPROFILE%\AppData\Local\Box\Box\cache
 +File metadata and configuration data:
 +• %USERPROFILE%\AppData\Local\Box\Box\logs
 + - Box_Streem logs 
 +• %USERPROFILE%\AppData\Local\Box\Box\data 
 + - sync.db & streemsfs.db databases – file 
 +metadata
 + - metrics.db – user account info
 +</code>
 +• Metadata available for both local and 
 +cloud-only files, including SHA1 hashes
 +• A search for the value 
 +“logDriveInformation” within the Box_
 +Streem logs can identify the location of 
 +the virtual filesystem folder if it is not 
 +apparent
 +• Detailed usage logging available, but may 
 +only go back a few weeks
 +
 +===== Dropbox =====
 + 
 +Dropbox can be a challenging application to investigate. Older 
 +versions encrypt most metadata using Windows DPAPI, but 
 +recent versions tend to have more information available.
 +<code> 
 +Default local file storage:
 +• %USERPROFILE%\Dropbox 
 +• %USERPROFILE%\Dropbox\.dropbox.cache (up to 3 days of cached data)
 +File storage folder location:
 +• SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager\
 +Dropbox!<SID>!Personal\UserSyncRoots
 +File metadata and configuration data:
 +• %USERPROFILE%\AppData\Local\Dropbox\
 + - nucleus.sqlite3, sync_history.db, and aggregation.dbx – usage and file 
 +metadata
 + - v90-: filecache.dbx, config.dbx – encrypted with Windows DPAPI
 + - info.json – app configuration data
 +</code>
 +• Metadata for local, cloud, and deleted files can all be 
 +identified
 +• Deleted files can exist in both the local and online recycle 
 +bins. Online recycle bin retention is 30 days (personal) or 120 
 +days (business)
 +• Dropbox business “advanced tier” provides detailed logging 
 +while consumer Dropbox provides only limited logs via 
 +“Events” page
 +
 +===== Account Usage =====
 +
 +===== Cloud Account Details =====
 + 
 +Microsoft Cloud Accounts store account information in the SAM hive, including 
 +the email address associated with the account. 
 +<code> 
 +SAM\Domains\Account\Users\<RID>\InternetUserName
 +</code>
 +• InternetUserName value contains the email address tied to the account
 +• The presence of this value identifies the account as a Microsoft cloud account
 +Last Login and Password Change 
 +Description
 +The SAM registry hive maintains a list of local accounts and associated 
 +configuration information.
 +<code> 
 +SAM\Domains\Account\Users
 +</code>
 +• Accounts listed by their relative identifiers (RID)
 +• Last login time, last password change, login counts, group membership, 
 +account creation time and more can be determined
 +
 +===== Service Events =====
 + 
 +Analyze logs for suspicious Windows service creation, persistence, and services 
 +started or stopped around the time of a suspected compromise. Service events 
 +also record account information.
 +<code> 
 +• Win7+: %SYSTEM ROOT%\System32\winevt\logs\System.evtx
 +• Win10+: %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
 +</code>
 +• Most relevant events are present in the System Log:
 + - 7034 – Service crashed unexpectedly
 + - 7035 – Service sent a Start/Stop control
 + - 7036 – Service started or stopped
 + - 7040 – Start type changed (Boot | On Request | Disabled)
 + - 7045 – A service was installed on the system (Win2008R2+)
 +• Auditing can be enabled in the Security log on Win10+:
 + - 4697 – A service was installed on the system (from Security log)
 +• A large amount of malware and worms in the wild utilize Services
 +• Services started on boot illustrate persistence (desirable in malware)
 +• Services can crash due to attacks like process injection
 +
 +===== User Accounts =====
 + 
 +Identify both local and domain accounts with interactive logins to the 
 +system. 
 +<code> 
 +SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
 +</code>
 +• Useful for mapping SID to user account name
 +• Subkeys are named for user SIDs and contain a ProfileImagePath 
 +indicating the user’s profile path
 +Remote Desktop Protocol (RDP) 
 +
 +===== Usage =====
 +
 +Track RDP logons and session reconnections to target machines.
 +<code> Security Log 
 +Win7+: %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
 +</code>
 +• Multiple events can be used to track accounts used for RDP
 + - Event ID 4624 – Logon Type 10 
 + - Event ID 4778 – Session Connected/Reconnected
 + - Event ID 4779 – Session Disconnected
 +• Event log provides hostname and IP address of remote machine 
 +making the connection
 +• Multiple dedicated RDP/Terminal Services logs are also available on 
 +modern Windows versions
 +
 +===== Successful/Failed Logons =====
 +
 +Profile account creation, attempted logons, and account usage.
 +<code> 
 +Win7+: % SYSTEM ROOT%\System32\winevt\logs\Security.evtx
 +</code>
 +
 +• Win7+:
 + - 4624 – Successful Logon
 + - 4625 – Failed Logon
 + - 4634 | 4647 – Successful Logoff 
 + - 4648 – Logon using explicit credentials (runas)
 + - 4672 – Account logon with superuser rights (Administrator)
 + - 4720 – An account was created
 +
 +===== Authentication Events =====
 + 
 +Authentication Events identify where authentication of credentials occurred. 
 +They can be particularly useful when tracking local vs. domain account 
 +usage.
 +<code> 
 +Win7+: %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
 +</code>
 +• Recorded on system that authenticated credentials
 + - Local Account/Workgroup = on workstation
 + - Domain/Active Directory = on domain controller
 +• Event ID Codes (NTLM protocol)
 + - 4776: Successful/Failed account authentication
 +• Event ID Codes (Kerberos protocol)
 + - 4768: Ticket Granting Ticket was granted (successful logon)
 + - 4769: Service Ticket requested (access to server resource)
 + - 4771: Pre-authentication failed (failed logon)
 +
 +===== Logon Event Types =====
 +
 +Logon Events provide very specific information regarding the nature of 
 +account authorizations on a system. In addition to date, time, username, 
 +hostname, and success/failure status of a logon, Logon Events also enable 
 +us to determine by exactly what means a logon was attempted. 
 +<code> 
 +Win7+: %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
 +</code>
 +Event ID 4624
 +Logon Type Explanation
 + 2 Logon via console
 + 3 Network Logon
 + 4 Batch Logon
 + 5 Windows Service Logon
 + 7 Credentials used to unlock screen; 
 +RDP session reconnect
 + 8 Network logon sending credentials (cleartext)
 + 9 Different credentials used than logged on user
 +10 Remote interactive logon (RDP)
 +11 Cached credentials used to logon 
 +12 Cached remote interactive (similar to Type 10)
 +13 Cached unlock (similar to Type 7)
 +
 +===== Network Activity and Physical Location =====
 +
 +===== Network History =====
 +
 +Identify networks to which the computer 
 +connected. Available information includes domain 
 +name/intranet name, SSID, first and last time 
 +connected, and Gateway MAC Address.
 +<code> 
 +• SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
 +• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
 +• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\
 +Signatures\Unmanaged
 +• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\
 +Signatures\Managed
 +• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\
 +Nla\Cache
 +• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\
 +Profiles
 +</code>
 +• Multiple registry keys can be correlated to 
 +provide a rich picture of network activity. 
 + - Interfaces info can be correlated with other 
 +keys via DhcpDomain value
 + - Signatures and Profiles keys are correlated via 
 +the network ProfileGUID value
 +• Network data includes VPN connections
 +• MAC Address of SSID for Gateway can assist with 
 +device geolocation
 +• Network Profile NameType values:
 + - 6 (0x06) = Wired
 + - 23 (0x17) = VPN
 + - 71 (0x47) = Wireless
 + - 243 (0xF3) = Mobile Broadband
 +
 +===== Browser URL Parameters =====
 +Information leaked within browser history URL 
 +parameters can provide clues to captive portal 
 +sign-ins and other similar information sources 
 +that can identify connected networks and even 
 +approximate physical locations.
 +Example: 
 +https://maps.google.com/maps?hl=en-US&gl=US&um=1&ie=UTF-
 +8&fb=1&sa=X&geocode=KWv-o9E_nLJBBdixYmN41uvu&daddr=Hyat
 +t+Place+Portland-Old+Port,+433+Fore+St,+Portland,+ME+04101
 +<code> 
 +Multiple – see the history information within the Browser Usage section
 +
 +===== Timezone =====
 +Registry data identifies the current system 
 +time zone. Event logs may be able to provide 
 +additional historical information.
 +<code> 
 +• SYSTEM\CurrentControlSet\Control\TimeZoneInformation
 +• %SYSTEM ROOT%\System32\winevt\logs\System.evtx
 +</code>
 +• Some log files and artifact timestamps can only 
 +be correctly interpreted by knowing the system 
 +time zone
 +• Event ID 6013 in the System.evtx log can provide 
 +information on historical time zone settings
 +
 +===== WLAN Event Log =====
 +
 +Determine historical view of wireless networks associations.
 +<code> 
 +Win7+: Microsoft-Windows-WLAN-AutoConfig Operational.evtx
 +</code>
 +• Provides historical record of wireless network connections
 +• SSID can be used to correlate and retrieve additional network 
 +information from Network History registry keys 
 +• Relevant Event IDs:
 + - 11000 – Wireless network association started
 + - 8001 – Successful connection to wireless network
 + - 8002 – Failed connection to wireless network
 + - 8003 – Disconnect from wireless network
 + - 6100 – Network diagnostics (System log)
 +
 +===== Network Interfaces =====
 +List available network interfaces and their last known configurations.
 +<code> 
 +• SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
 +• SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
 +</code>
 +• Interfaces key includes the last known IP address, DHCP and domain 
 +information for both physical and virtual network adapters. Subkeys 
 +may be present containing historical network data
 +• NetworkCards key can provide more detail on network availability
 +• The two keys are mapped via the interface GUID value
 +• Unlikely to be a complete view of every connected network
 +===== System Resource Usage Monitor (SRUM) =====
 +
 +SRUM records 30 to 60 days of historical system performance including applications run, user accounts responsible, network connections, and bytes sent/received per application per hour.
 +<code> 
 +Win8+: C:\Windows\System32\SRU\SRUDB.dat 
 +</code>
 +• SRUDB.dat is an Extensible Storage Engine 
 +database 
 +• Three tables in SRUDB.dat are particularly 
 +important:
 + - {973F5D5C-1D90-4944-BE8E-24B94231A174} = 
 +Network Data Usage
 + - {d10ca2fe-6fcf-4f6d-848e-b2e99266fa89} = 
 +Application Resource Usage
 + - {DD6636C4-8929-4683-974E-22C046A43763} 
 += Network Connectivity Usage
 +• Records data approx. once per hour, in 
 +batches
 +
 +===== External Device/USB Usage =====
 +
 +==== USB Device Identification ====
 +
 +Track USB devices plugged into a machine.
 +<code> 
 +• SYSTEM\CurrentControlSet\Enum\USBSTOR
 +• SYSTEM\CurrentControlSet\Enum\USB
 +• SYSTEM\CurrentControlSet\Enum\SCSI 
 +• SYSTEM\CurrentControlSet\Enum\HID
 +</code>
 +• Identify vendor, product, and version of a USB device plugged into a 
 +machine
 +• Determine the first and last times a device was plugged into the machine
 +• Devices that do not have a unique internal serial number will have an “&” 
 +in the second character of the serial number
 +• The internal serial number provided in these keys may not match the 
 +serial number printed on the device
 +• ParentIdPrefix links USB key to SCSI key
 +• SCSI\<ParentIdPrefix>\Device Parameters\Partmgr\DiskId matches 
 +Partition/Diagnostic log and Windows Portable Devices key
 +• Different versions of Windows store this data for different amounts of 
 +time. Windows 10/11 can store up to one year of data
 + - Some older data may be present in 
 +SYSTEM\Setup\Upgrade\PnP\CurrentControlSet\Control\DeviceMigration
 +• HID key tracks peripherals connected to the system 
 +
 +==== Event Logs ====
 +
 +Removable device activity can be audited in multiple Windows event logs.
 +<code>
 +Win7+: %SYSTEM ROOT%\System32\winevt\logs\System.evtx
 +</code>
 +• Event IDs 20001, 20003 – Plug and Play driver install attempted
 +<code>
 +%SYSTEM ROOT%\System32\winevt\logs\Security.evtx
 +</code>
 +• 4663 – Attempt to access removable storage object (Security log)
 +• 4656 – Failure to access removable storage object (Security log)
 +• 6416 – A new external device was recognized on system (Security log)
 +• Security log events are dependent on system audit settings
 +<code> Connection Times 
 +• Win10+: %SYSTEM ROOT%\System32\winevt\logs\Microsoft-Windows-Partition/Diagnostic.evtx
 +</code>
 +• Event ID 1006 is recorded for each device connect/disconnect
 +
 +==== Drive Letter and Volume Name ====
 +
 +Discover the last drive letter and volume name of a device when it was 
 +plugged into the system.
 +<code> 
 +XP: 
 +• Find ParentIdPrefix – SYSTEM\CurrentControlSet\Enum\USBSTOR
 +• Using ParentIdPrefix Discover Last Mount Point – SYSTEM\MountedDevices
 +Win7+: 
 +• SOFTWARE\Microsoft\Windows Portable Devices\Devices
 +• SYSTEM\MountedDevices Examine available drive letter values looking for a 
 +serial number match in value data
 +• Win7+: SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
 +</code>
 +• Only the last USB device mapped to a specific drive letter can be 
 +identified. Historical records not available.
 +
 +==== User Information ====
 +
 +Identify user accounts tied to a unique USB Device. 
 +<code> 
 +• Document device Volume GUID from SYSTEM\MountedDevices 
 +• NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
 +</code>
 +If a Volume GUID match is made within MountPoints2, we can conclude the 
 +associated user profile was logged in while that device was present.
 +
 +==== Shortcut (LNK) Files ====
 +
 +Shortcut files are automatically created by Windows, tracking files and 
 +folders opened by a user.
 +<code> 
 +• XP: %USERPROFILE%\Recent 
 +• Win7+: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
 +• Win7+: %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\
 +Note these are primary locations of LNK files. They can also be found in 
 +other locations.
 +</code>
 +• Date/Time file of that name was first opened
 + - Creation Date of Shortcut (LNK) File
 +• Date/Time file of that name was last opened
 + - Last Modification Date of Shortcut (LNK) File
 +• LNK Target File (Internal LNK File Information) Data:
 + - Modified, Access, and Creation times of the target file
 + - Volume Information (Name, Type, Serial Number)
 + - Network Share information
 + - Original Location
 + - Name of System
 +
 +==== Connection Timestamps ====
 +Connection timestamps determine temporal usage of specific USB devices 
 +connected to a Windows Machine. 
 +<code> First Time
 +Plug and Play Log Files
 +• XP: C:\Windows\setupapi.log
 +• Win7+: C:\Windows\inf\setupapi.dev.log
 +</code>
 +• Search for Device Serial Number
 +• Log File times are set to local time zone
 +<code> First, Last, and Removal Times 
 +• Win7+: SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_\USBSerial#\Properties\
 +{83da6326-97a6-4088-9453-a19231573b29}\####
 +• Win7+: SYSTEM\CurrentControlSet\Enum\SCSI\Ven_Prod_Version\USBSerial#\Properties\
 +{83da6326-97a6-4088-9453-a19231573b29}\####
 + - 0064 = First Install (Win7+)
 + - 0066 = Last Connected (Win8+)
 + - 0067 = Last Removal (Win8+)
 +</code>
 +Timestamps are stored in Windows 64-bit FILETIME format
 +<code> Connection Times 
 +• Win10+: %SYSTEM ROOT%\System32\winevt\logs\Microsoft-Windows-Partition/Diagnostic.evtx
 +</code>
 +• Event ID 1006 is recorded for each device connect/disconnect
 +• Log cleared during major OS updates
 +
 +==== Volume Serial Number (VSN) ====
  
 +Discover the VSN assigned to the file system partition on the USB.
 +(NOTE: This is not the USB Unique Serial Number, which is hardcoded into 
 +the device firmware, nor the serial number on any external labels attached 
 +to the device.)
 +<code> 
 +• SOFTWARE\Microsoft\WindowsNT\CurrentVersion\EMDMgmt
 + - Find a key match using Volume Name and USB Unique Serial Number:
 + • Find last integer number in matching line
 + • Convert decimal value to hex serial number
 + - This key is often missing from modern systems using SSD devices
 +• Win10+: %SYSTEM ROOT%\System32\winevt\logs\Microsoft-Windows-Partition/Diagnostic.evtx
 + - Event ID 1006 may include VBR data, which contains the VSN
 + - VSN is 4 bytes located at offsets 0x43 (FAT), 0x64 (exFAT), or 0x48 (NTFS) 
 +within each VBR
 + - Log cleared during major OS updates
 +</code>
 +The VSN and device Volume Name can help correlate devices to specific 
 +files via shell items present in LNK files and registry locations.