Differences

This shows you the differences between two versions of the page.

--- soc:forensics:windows:start [2026/06/09 15:25] – titannet
+++ soc:forensics:windows:start [2026/06/09 17:17] (current) – titannet
@@ Line 7: / Line 7: @@
   * Binary file storage, ''%WinDir%\System32\config''
   * For OS, applications and users
+  * Classes/Hives (key value store)
+    * HKCR, Classes Root
+    * HKCU, Current User, ''%UserProfile%\ntuser.dat'', mirrored/alias to HKU\SID\ (?)
+      * ''NTUSER\Software\Microsoft\CurrentVersion\Run''
+      * UAC -> AppData\Local\Microsoft\Windows\UsrClass.dat
+        *
+    * HKLM, Local Machine
+      * SAM, Local Account information incl. users and groups
+      * Security, Security information, policy and identifiers
+      * Software, Configuration for applications including OS
+      * System, Configuration for hardware devices and system services
+      * BCD, Boot system
+    * HKU, Users
+    * HKCC, Current Config, alias to ''HKLM\System\ControlSet001''
+  * Format:
+    * Hive -> Keys -> Subkeys -> Value name : Value type : Value
+      * Only subkeys have timestamps (value do not)
+==== MFT ====
+==== NTFS ====
+  * Defined change rules (see below)
+=== Volume Shadow Copy ===
+  * Block/cluster level backup of changes in NTFS
+  * Snapshots created approximately weekly (schedules, software install/uninstall, manual)
+  * Default 3-5% of disk space
+  * (Recovery and Windows Restore are separate mechanisms)
+  * VSC Tools:
+    *
+==== Event Logs ====
+  * All windows logs
+  * In ''%systemroot%\System32\winevt\logs'', (can be configured)
+  * Separate files per log
+    * Security.evtx
+    * System.evtx
+    * Appliation.evtx
+    * [...]
+      * Custom log symbols can be stored in application specific files (-> Elmo tool to recover)
+  * Logging extent and forwarding can be defined (WEF)
+  * Types
+    * Error
+    * Warning
+    * Information
+    * Success Audit
+    * Failure Audit
+  * Categories
+    * Account Logon
+    * Accoung Mgmt
+    * Directory Service
+    * Logon Events
+    * Object Access
+    * Policy Change
+    * Privilege Use
+    * Process Tracking
+    * System Events
+  * Events
+    * lots of event IDs
+  * Type code
+    * Important distinction via type code
+===== Log Events =====
+==== Security ====
+| 4624 || Succesful Logon |
+| | 0 | System 	Used only by the System account, for example at system startup.|
+| | 2 | Interactive 	A user logged on to this computer.|
+| | 3 | Network 	A user or computer logged on to this computer from the network.|
+| | 4 | Batch 	Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention.|
+| | 5 | Service 	The Service Control Manager started a service.|
+| | 7 | Unlock 	This workstation was unlocked.|
+| | 8 | NetworkCleartext 	A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext).|
+| | 9 | NewCredentials 	A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
+| | 10 | RemoteInteractive 	A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
+| | 11 | CachedInteractive 	A user logged on to this computer with network credentials that were stored locally on the computer.  The domain controller wasn't contacted to verify the credentials. |
+| | 12 | CachedRemoteInteractive 	Same as RemoteInteractive. This type is used for internal auditing. |
+| | 13 | CachedUnlock 	Workstation logon. |
+| 4625 || Failed Logon |
+| | 2 | Interactive 	A user logged on to this computer. |
+| | 3 | Network 	A user or computer logged on to this computer from the network. |
+| | 4 | Batch 	Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.|
+| | 5 | Service 	A service was started by the Service Control Manager.|
+| | 7 | Unlock 	This workstation was unlocked.|
+| | 8 | NetworkCleartext 	A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).|
+| | 9 | NewCredentials 	A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
+| | 10 | RemoteInteractive 	A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
+| | 11 | CachedInteractive 	A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.|
+| 4634 || |
+| 4672 || Special Privileges Assigned |
+| 4720/4726 || User account creation/deletion |
+| 4648 || Logon with explicit credentials, connected to other events via Account Name, Account Domain, Logon GUID |
+==== Service? ====
+|  ||  |
+|  ||  |
+|  ||  |
+/ 6006 — Event Log Service Started/Stopped:
+— Service State Change:
+— New Service Installed:
@@ Line 23: / Line 135: @@
 </code>
-Any executable present in the file system could be found in this key. Data
+Any executable present in the file system could be found in this key.
-can be particularly useful to identify the presence of malware on devices
-where other application execution data is missing (such as Windows
-servers).
 • Full path of executable
-• Windows 7+ contains up to 1,024 entries (96 entries in WinXP)
+• Windows 7+ contains up to 1,024
-• Post-WinXP no execution time is available
+• Executables can be preemptively added prior to execution. ->
-• Executables can be preemptively added to the database prior to execution.
 The existence of an executable in this key does not prove actual execution.
@@ Line 40: / Line 148: @@
 </code>
-Interpretation
 • Only tracks GUI applications
 • Does not include timestamps
@@ Line 55: / Line 162: @@
 <code>
 C:\Windows\AppCompat\Programs\Amcache.hve
+Amcache.hve\Root\File\{Volume GUID}\###
 </code>
-Interpretation
 • A complete registry hive, with multiple sub-keys
 • Full path, file size, file modification time, compilation time, and publisher
@@ Line 72: / Line 179: @@
 </code>
-Interpretation
 • Each jump list file is named according to an application identifier
 (AppID). List of Jump List IDs -> https://dfir.to/EZJumpList
@@ Line 80: / Line 186: @@
 • Automatic Jump List Modification Time = Last time item added to the
 jump list. Typically, the last time the application opened an object.
-Last Visited MRU
-Description
+==== Last Visited MRU ====
-Tracks applications in use by the user and the directory location for the
+//Tracks applications in use by the user and the directory location for the
-last file accessed by the application.
+last file accessed by the application.//
-Location
+<code>
 • XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
-• Win7+: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
+• Win7+: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
-LastVisitedPidlMRU
+</code>
-Interpretation
 We get two important pieces of information from this key: applications
 executed by the user, and the last place in the file system that those
 applications interacted with. Interesting and hidden directories are often
 identified via this registry key.
-Commands Executed in the Run Dialog
-Description
+==== Commands Executed in the Run Dialog ====
-A history of commands typed into the Run dialog box are stored for
+//History of commands typed into the Run dialog box per user.//
-each user.
-Location
+<code>
 NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
-Interpretation
+</code>
-It is an MRU key, so it has temporal order via the MRUList key
-Windows 10 Timeline
+Temporal order via MRUList key
-Description
-Win10 records recently used applications and files in a “timeline”
+==== Windows 10 Timeline ====
-database in SQLite format.
+//Win10 records recently used applications and files in a “timeline” sqlite db.//
-Location
+<code>
 C:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\<account-ID>\ActivitiesCache.db
-Interpretation
+</code>
 • Full path of executed application
 • Start time, end time, and duration
@@ Line 113: / Line 222: @@
 • URLs visited
 • Databases still present even after feature deprecation in late-Win10
-BAM/DAM
-Description
+==== BAM/DAM ====
 Windows Background/Desktop Activity Moderator (BAM/DAM) is
 maintained by the Windows power management sub-system. (Available in
 Win10+)
-Location
+<code>
 • SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
 • SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}
-Interpretation
+</code>
 • Provides full path of file executed and last execution date/time
 • Typically up to one week of data available
 • “State” key used in Win10 1809+
-System Resource Usage Monitor
+==== System Resource Usage Monitor ====
 (SRUM)
 Description
@@ Line 131: / Line 244: @@
 applications run, user accounts responsible, network connections, and
 bytes sent/received per application per hour.
-Location
+<code>
 Win8+: C:\Windows\System32\SRU\SRUDB.dat
-Interpretation
+</code>
 • SRUDB.dat is an Extensible Storage Engine database
 • Three tables in SRUDB.dat are particularly important:
@@ Line 139: / Line 252: @@
  - {d10ca2fe-6fcf-4f6d-848e-b2e99266fa89} = Application Resource Usage
  - {DD6636C4-8929-4683-974E-22C046A43763} = Network Connectivity Usage
-Prefetch
-Description
+==== Prefetch ====
 Prefetch increases performance of a system by pre-loading code pages
 of commonly used applications. It monitors all files and directories
@@ Line 147: / Line 260: @@
 • Limited to 128 files on XP and Win7
 • Up to 1024 files on Win8+
-Location
+<code>
 • C:\Windows\Prefetch
 Naming format: (exename)-(hash).pf
@@ Line 153: / Line 266: @@
 EnablePrefetcher value
 (0 = disabled; 3 = application launch and boot enabled)
-Interpretation
+</code>
 • Date/Time file by that name and path was first executed
  - Creation date of .pf file (-10 seconds)
@@ Line 161: / Line 274: @@
 times (only one time available pre-Win8), total number of times
 executed, and device and file handles used by the program
-CapabilityAccessManager
-Description
+==== CapabilityAccessManager ====
 Records application use of the microphone, camera, and other
 application-specific settings.
-Location
+<code>
 • Win 10 1903+: SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\
 ConsentStore
 • Win 10 1903+: NTUSER\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\
 ConsentStore
-Interpretation
+</code>
 • LastUsedTimeStart and LastUsedTimeStop track the last session times
 • The NonPackaged key tracks non-Microsoft applications
-UserAssist
-Description
+==== UserAssist ====
 UserAssist records metadata on GUI-based program executions.
-Location
+<code>
 NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
-Interpretation
+</code>
 • GUIDs identify type of execution (Win7+)
  - CEBFF5CD Executable File Execution
@@ Line 188: / Line 303: @@
 ===== File and Folder Opening =====
-Open/Save MRU
+==== Open/Save MRU ====
-Description
 In the simplest terms, this key tracks files that have been opened or saved
 within a Windows shell dialog box. This happens to be a big data set,
 including Microsoft Office applications, web browsers, chat clients, and a
 majority of commonly used applications.
-Location
+<code>
 • XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
 • Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
 OpenSavePIDlMRU
-Interpretation
+</code>
 • The “*” key – This subkey tracks the most recent files of any extension
 input in an OpenSave dialog
 • .??? (Three letter extension) – This subkey stores file info from the
 OpenSave dialog by specific extension
-Recent Files
-Description
+==== Recent Files ====
 Registry key tracking the last files and folders opened. Used to populate
 data in places like the “Recent” menus present in some Start menus.
-Location
+<code>
 NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
-Interpretation
+</code>
 • RecentDocs – Rollup key tracking the overall order of the last 150 files or
 folders opened. MRU list tracks the temporal order in which each file/
@@ Line 222: / Line 338: @@
 time of the key, providing the time of opening for that folder.
 MS Word Reading Locations
-Description
+==== Description ====
 Beginning with Word 2013, the last known position of the user within a
 Word document is recorded.
-Location
+<code>
 NTUSER\Software\Microsoft\Office\<Version>\Word\Reading Locations
-Interpretation
+</code>
 • Another source tracking recent documents opened
 • The last closed time is also tracked along with the last position within the
@@ Line 237: / Line 355: @@
 Tracks applications in use by the user and the directory location for the
 last file accessed by the application.
-Location
+<code>
 • XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
 • Win7+: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
 LastVisitedPidlMRU
-Interpretation
+</code>
 We get two important pieces of information from this key: applications
 executed by the user and the last place in the file system that those
@@ Line 247: / Line 365: @@
 identified via this registry key.
 Shortcut (LNK) Files
-Description
+==== Description ====
 Shortcut files are automatically created by Windows, tracking files and
 folders opened by a user.
-Location
+<code>
 • XP: %USERPROFILE%\Recent
 • Win7+: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
@@ Line 256: / Line 376: @@
 Note these are primary locations of LNK files. They can also be found in
 other locations.
-Interpretation
+</code>
 • Date/Time file of that name was first opened
  - Creation Date of Shortcut (LNK) File
@@ Line 267: / Line 387: @@
  - Original Location
  - Name of System
-Office Recent Files
-Description
+==== Office Recent Files ====
 MS Office programs track their own recent files list, to make it easier for
 users to access previously opened files.
-Location
+<code>
 • NTUSER.DAT\Software\Microsoft\Office\<Version>\<AppName>\File MRU
  - 16.0 = Office 2016/2019/M365
@@ Line 283: / Line 404: @@
 • NTUSER.DAT\Software\Microsoft\Office\<Version>\UserMRU\ADAL_####\File MRU
  - Microsoft 365 (Azure Active Directory)
-Interpretation
+</code>
 • Similar to the Recent Files registry key, this tracks the last files opened by
 each MS Office application
 • Unlike the Recent Files registry key, full path information is recorded
 along with a last opened time for each entry
-Shell Bags
-Description
+==== Shell Bags ====
 Shell bags identifies which folders were accessed on the local machine, via
 the network, and on removable devices, per user. It also shows evidence of
 previously existing folders still present after deletion/overwrite.
-Location
+<code>
 Primary Data:
 • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
@@ Line 300: / Line 422: @@
 • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
 • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
-Interpretation
+</code>
 • Massive collection of data on folders accessed by each user
 • Folder file system timestamps are archived in addition to first and last
@@ Line 306: / Line 428: @@
 • “Exotic” items recorded like mobile device info, control panel access, and
 Zip archive access
-Jump Lists
-Description
+==== Jump Lists ====
 Windows Jump Lists allow user access to frequently or recently used items
 quickly via the task bar. First introduced in Windows 7, they can identify
 applications in use and a wealth of metadata about items accessed via
 those applications.
-Location
+<code>
 • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
 • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
-Interpretation
+</code>
 • Each jump list file is named according to an application identifier (AppID).
 List of Jump List IDs -> https://dfir.to/EZJumpList
@@ Line 325: / Line 448: @@
  - Local Drive | Removable Media | Network Share Info
  - Entries kept in MRU order including a timestamp for each item
-Office Trust Records
-Description
+==== Office Trust Records ====
 Records trust relationships afforded to documents by a user when
 presented with a security warning. This is stored so the user is only
 required to grant permission the first time the document is opened.
-Location
+<code>
 NTUSER\Software\Microsoft\Office\<Version>\<AppName>\Security\Trusted Documents\TrustRecords
-Interpretation
+</code>
 • Can identify documents opened by the user and user interaction in
 trusting the file
@@ Line 341: / Line 465: @@
 MS Office programs produce alerts for the user when they attempt actions
 such as closing a file without saving it first.
-Location
+<code>
 OAlerts.evtx
-Interpretation
+</code>
 • All Office applications use Event ID 300
 • Events include the program name and dialog message, showing some
 user activity within the application
-Internet Explorer file:///
-Description
+==== Internet Explorer file:/// ====
 Internet Explorer History databases have long held information on local
 and remote file access (via network shares), giving us an excellent means
 for determining files accessed on the system, per user. Information can be
 present even on Win11+ systems missing the Internet Explorer application.
-Location
+<code>
 Internet Explorer:
 IE6–7: %USERPROFILE%\LocalSettings\History\History.IE5
 IE8–9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
 IE10–11 & Win10+: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
-Interpretation
+</code>
 • Entries recorded as: file:///C:/directory/filename.ext
 • Does not mean file was opened in a browser
@@ Line 364: / Line 489: @@
 ===== Deleted Items and File Existence =====
-Thumbs.db
+==== Thumbs.db ====
-Description
 The hidden database file is created in directories where images
 were viewed as thumbnails. It can catalog previous contents of a
 folder even upon file deletion.
-Location
+<code>
 Each folder maintains a separate Thumbs.db file after being
 viewed in thumbnail view (OS version dependent)
-Interpretation
+</code>
 Includes:
 • Thumbnail image of original picture
@@ Line 379: / Line 504: @@
 • Most relevant for XP systems, but Thumbs.db files can be
 created on more modern OS versions in unusual circumstances
 such as when folders are viewed via UNC paths.
-Windows Search Database
-Description
+==== Windows Search Database ====
 Windows Search indexes more than 900 file types, including
 email and file metadata, allowing users to search based on
 keywords.
-Location
+<code>
 • Win XP: C:\Documents and Settings\All Users\Application Data\ Microsoft\Search\Data\
 Applications\Windows\Windows.edb
@@ Line 391: / Line 517: @@
 • Win7+: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\
 SystemIndex
-Interpretation
+</code>
 • Database in Extensible Storage Engine format
 • Gather logs contain a candidate list for files to be indexed over
@@ Line 397: / Line 523: @@
 • Extensive file metadata and even partial content can be present
-Internet Explorer file:///
+==== Internet Explorer file:/// ====
-Description
 Internet Explorer History databases have long held information on local and remote (via
 network shares) file access, giving us an excellent means for determining files accessed on
 the system, per user. Information can be present even on Win11+ systems missing the Internet
 Explorer application.
-Location
+<code>
 • IE6-7: %USERPROFILE%\LocalSettings\History\History.IE5
 • IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
 • IE10-11 and Win10+: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
-Interpretation
+</code>
 • Entries are recorded as: file:///C:/<directory>/<filename>.<ext>
 • It does not mean the file was opened in a browser
-Search – WordWheelQuery
-Description
+==== Search – WordWheelQuery ====
 This maintains an ordered list of terms put into the File Explorer search dialog.
-Location
+<code>
 Win7+: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
-Interpretation
+</code>
 Keywords are added in Unicode and listed in temporal order in an MRUlist
 User Typed Paths
@@ Line 421: / Line 548: @@
 A user can type a path directly into the File Explorer path bar to locate a file instead of navigating
 the folder structure. Folders accessed in this manner are recorded in the TypedPaths key.
-Location
+<code>
 NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
-Interpretation
+</code>
 • This indicates a user had knowledge of a particular file system location
 • It can expose hidden and commonly accessed locations, including those present on external
 drives or network shares
-Thumbcache
+==== Thumbcache ====
-Description
 Thumbnails of pictures, documents, and folders exist in a set of
 databases called the thumbcache. It is maintained for each user
@@ Line 435: / Line 562: @@
 and extra large). It can catalog previous contents of a folder even
 upon file deletion. (Available in Windows Vista+)
-Location
+<code>
 %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer
-Interpretation
+</code>
 • Database files are named similar to: Thumbcache_256.db
 • Each database file represents thumbnails stored as different sizes
@@ Line 444: / Line 571: @@
 Cache ID can be cross-referenced within the Windows Search
 Database to identify filename, path, and additional file metadata
-Recycle Bin
-Description
+==== Recycle Bin ====
 The recycle bin collects items soft-deleted by each user and
 associated metadata—only relevant for recycle-bin aware
 applications.
-Location
+<code>
 Hidden System Folder
 • Win XP: C:\Recycler
 • Win7+: C:\$Recycle.Bin
-Interpretation
+</code>
 • Each user is assigned a SID sub-folder that can be mapped to a
 user via the Registry
@@ Line 464: / Line 592: @@
 ===== Browser Activity =====
-History and Download History
+==== History and Download History ====
-Description
 History and Download History records websites visited by date and time.
-Location
+<code>
 Firefox
 • XP: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
@@ Line 476: / Line 604: @@
 • Win7+: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\History
 • Win7+: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\History
-Interpretation
+</code>
 • Web browser artifacts are stored for each local user account
 • Most browsers also record number of times visited (frequency)
 • Look for multiple profiles in Chromium browsers, including “Default”, and
 “Profile1”, etc.
-Media History
-Description
+==== Media History ====
 Media History tracks media usage (audio and video played) on visited
 websites (Chromium browsers).
-Location
+<code>
 Chrome/Edge
 • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Media History
 • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Media History
-Interpretation
+</code>
 • Three primary tables: playbackSession, origin, playback
 • Includes URLs, last play time, watch time duration, and last video position
 • Not cleared when other history data is cleared
-HTML5 Web Storage
-Description
+==== HTML5 Web Storage ====
 HTML5 Web Storage are considered to be “Super Cookies”. Each domain
 can store up to 10MB of text-based data on the local system.
-Location
+<code>
 Firefox
 • %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\webappstore.sqlite
@@ Line 503: / Line 633: @@
 • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Local Storage
 • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Local Storage
-Interpretation
+</code>
 Chrome uses a LevelDB database, Firefox uses SQLite, and IE/EdgeHTML
 store data within XML files
-HTML5 FileSystem
-Description
+==== HTML5 FileSystem ====
 HTML5 FileSystem implements the HTML5 local storage FileSystem API. It is
 similar to Web Storage, but designed to store larger binary data.
-Location
+<code>
 Chrome/Edge
 • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\File System
 • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\File System
-Interpretation
+</code>
 • A LevelDB database in this folder stores visited URLs and assigned
 subfolders to locate the data
 • Files are stored temporarily (“t” subfolders) or in permanent (“p”
 subfolders) storage
-Auto-Complete Data
-Description
+==== Auto-Complete Data ====
 Many databases store data that a user has typed into the browser.
-Location
+<code>
 Firefox
 • %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
@@ Line 543: / Line 675: @@
 • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\ Login Data
  - Stores inputted user credentials
-Interpretation
+</code>
 • Includes typed-in data, as well as data types
 • Connects typed data and knowledge to a user account
-Browser Preferences
-Description
+==== Browser Preferences ====
 Configuration data associated with the browser application, including
 privacy settings and synchronization preferences.
-Location
+<code>
 Firefox
 • %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\prefs.js
@@ Line 556: / Line 689: @@
 • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Preferences
 • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Preferences
-Interpretation
+</code>
 • Firefox prefs.js shows sync status, last sync time, and artifacts selected to sync
 • Chrome uses JSON format
@@ Line 563: / Line 696: @@
  - Contains synchronization status, last sync time and artifacts selected to sync
 • Edge preferences include account_info, clear_data_on_exit, and sync settings
-Cache
-Description
+==== Cache ====
 The cache is where web page components can be stored locally to speed
 up subsequent visits.
-Location
+<code>
 Firefox
 • XP: %USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<randomtext>.
@@ Line 582: / Line 716: @@
 • Win7+: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Cache\ - data_# and
 f_######
-Interpretation
+</code>
 • Gives the investigator a “snapshot in time” of what a user was looking
 at online
@@ Line 590: / Line 724: @@
 user account
 • Timestamps show when the site was first saved and last viewed
-Bookmarks
-Description
+==== Bookmarks ====
 Bookmarks include default items, as well as those the user chose to save
 for future reference.
-Location
+<code>
 Firefox 3+
 • %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\places.sqlite
@@ Line 604: / Line 739: @@
 • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Bookmarks.bak
 • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Bookmarks.msbak
-Interpretation
+</code>
 • Provides the website of interest and the specific URL that was saved
 • Firefox bookmarkbackups folder can contain multiple backup copies of
@@ Line 611: / Line 746: @@
 • Note: not all bookmarks are user-generated; it is possible to bookmark a
 site and never visit it
-Stored Credentials
-Description
+==== Stored Credentials ====
 Browser-based credential storage typically uses Windows DPAPI
 encryption. If the login account is a Microsoft cloud account in Windows
 or 11, DPAPI uses a 44-character randomly generated password in lieu
 of the account password.
-Location
+<code>
 Firefox
 • %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
@@ Line 623: / Line 759: @@
 • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Login Data
 • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Login Data
-Interpretation
+</code>
 • Firefox stores the hostname and URL, creation time, last used time,
 times used, and time of last password change in JSON format.
@@ Line 631: / Line 767: @@
 encrypted. Actual credentials are easiest to retrieve on a live system
 with the user account logged in.
-Browser Downloads
-Description
+==== Browser Downloads ====
 Modern browsers include built-in download manager applications
 capable of keeping a history of every file downloaded by the user. This
 browser artifact can provide excellent information about websites visited
 and corresponding items downloaded.
-Location
+<code>
 Firefox 3-25
 • %USERPROFILE%\AppData\Roaming\Mozilla\ Firefox\Profiles\<random text>.default\
@@ Line 648: / Line 785: @@
 • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\History
  - downloads and download_url_chains tables
-Interpretation
+</code>
 Download metadata includes:
 • Filename, size, and type
@@ Line 655: / Line 792: @@
 • File system save location
 • State information including success and failure
-Extensions
-Description
+==== Extensions ====
 Browser functionality can be extended through the use of extensions, or
 browser plugins.
-Location
+<code>
 Firefox 4-25
 • %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\extensions.sqlite
@@ Line 669: / Line 807: @@
 • %USERPROFILE%\AppData\Local\Google\Chrome\User Data\<Profile>\Extensions\<GUID>\<version>
 • %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Extensions\<GUID>\<version>
-Interpretation
+</code>
 • The newer Firefox JSON format stores more information than in older
 versions
@@ Line 682: / Line 820: @@
 permissions, and version.
  - The preferences file can also include additional extension data
-Session Restore
-Description
+==== Session Restore ====
 Automatic crash recovery features are built into the browser.
-Location
+<code>
 Firefox (older versions)
 • Win7+: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<randomtext>.default\
@@ Line 702: / Line 841: @@
 • Win7+: %USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\<Profile>\Sessions
  - Restore files = Session_<timestamp>, Tabs_<timestamp>
-Interpretation
+</code>
 • Historical websites viewed in each tab
 • Referring websites
@@ Line 708: / Line 847: @@
 • HTML, JavaScript, XML, and form data from the page
 • Other artifacts such as transition type, browser window size and pinned tabs
-Cookies
-Description
+==== Cookies ====
 Cookies provide insight into what websites have been visited and what
 activities might have taken place there.
-Location
+<code>
 Firefox
 • XP: %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\cookies.sqlite
@@ Line 724: / Line 864: @@
 ===== Cloud Storage =====
-OneDrive
+===== OneDrive =====
-Description
 OneDrive is installed by default on Windows 8+ systems, although it must
 be enabled by a user authenticating to their Microsoft Cloud account
 before use.
-Location
+<code>
 Default local file storage:
 • %USERPROFILE%\OneDrive (Personal)
@@ Line 741: / Line 881: @@
 • %USERPROFILE%\AppData\Local\Microsoft\OneDrive\settings\<Personal | Business1>
  - <UserCid>.dat
-Interpretation
+</code>
 • It is critical to check the registry to confirm the local file storage location
 • Metadata files only exist if OneDrive is enabled
@@ Line 750: / Line 890: @@
 • OneDrive for Business Unified Audit Logs in Microsoft 365 provide 90
 days of user activity logging
-Google Drive for
-Desktop
+===== Google Drive for Desktop =====
-Description
 Google Drive for Desktop is the new name
 for the merged Google Backup and Sync
@@ Line 759: / Line 899: @@
 which is only accessible to the user when
 they are logged in.
-Location
+<code>
 Local drive letter for the virtual volume and
 account ID:
@@ Line 769: / Line 909: @@
 • %USERPROFILE%\AppData\Local\Google\DriveFS\<account
 identifier>\metadata_sqlite_db
-Interpretation
+</code>
 • Assigned drive letter can help tie file and
 folder access artifacts to Google Drive
@@ Line 776: / Line 916: @@
 • metadata_sqlite_db database uses protobuf
 format for many important fields
-Box Drive
-Description
+===== Box Drive =====
 Box Drive uses a virtual filesystem,
 implemented as an NTFS reparse point.
 Excellent metadata logging is available.
-Location
+<code>
 Default reparse point to virtual filesystem:
 • %USERPROFILE%\Box
@@ Line 793: / Line 934: @@
 metadata
  - metrics.db – user account info
-Interpretation
+</code>
 • Metadata available for both local and
 cloud-only files, including SHA1 hashes
@@ Line 803: / Line 944: @@
 • Detailed usage logging available, but may
 only go back a few weeks
-Dropbox
-Description
+===== Dropbox =====
 Dropbox can be a challenging application to investigate. Older
 versions encrypt most metadata using Windows DPAPI, but
 recent versions tend to have more information available.
-Location
+<code>
 Default local file storage:
 • %USERPROFILE%\Dropbox
@@ Line 821: / Line 963: @@
  - v90-: filecache.dbx, config.dbx – encrypted with Windows DPAPI
  - info.json – app configuration data
-Interpretation
+</code>
 • Metadata for local, cloud, and deleted files can all be
 identified
@@ Line 833: / Line 975: @@
 ===== Account Usage =====
-Cloud Account Details
+===== Cloud Account Details =====
-Description
 Microsoft Cloud Accounts store account information in the SAM hive, including
 the email address associated with the account.
-Location
+<code>
 SAM\Domains\Account\Users\<RID>\InternetUserName
-Interpretation
+</code>
 • InternetUserName value contains the email address tied to the account
 • The presence of this value identifies the account as a Microsoft cloud account
@@ Line 846: / Line 988: @@
 The SAM registry hive maintains a list of local accounts and associated
 configuration information.
-Location
+<code>
 SAM\Domains\Account\Users
-Interpretation
+</code>
 • Accounts listed by their relative identifiers (RID)
 • Last login time, last password change, login counts, group membership,
 account creation time and more can be determined
-Service Events
-Description
+===== Service Events =====
 Analyze logs for suspicious Windows service creation, persistence, and services
 started or stopped around the time of a suspected compromise. Service events
 also record account information.
-Location
+<code>
 • Win7+: %SYSTEM ROOT%\System32\winevt\logs\System.evtx
 • Win10+: %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
-Interpretation
+</code>
 • Most relevant events are present in the System Log:
  - 7034 – Service crashed unexpectedly
@@ Line 872: / Line 1015: @@
 • Services started on boot illustrate persistence (desirable in malware)
 • Services can crash due to attacks like process injection
-User Accounts
-Description
+===== User Accounts =====
 Identify both local and domain accounts with interactive logins to the
 system.
-Location
+<code>
 SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
-Interpretation
+</code>
 • Useful for mapping SID to user account name
 • Subkeys are named for user SIDs and contain a ProfileImagePath
 indicating the user’s profile path
 Remote Desktop Protocol (RDP)
-Usage
-Description
+===== Usage =====
 Track RDP logons and session reconnections to target machines.
-Location Security Log
+<code> Security Log
 Win7+: %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
-Interpretation
+</code>
 • Multiple events can be used to track accounts used for RDP
  - Event ID 4624 – Logon Type 10
@@ Line 897: / Line 1042: @@
 • Multiple dedicated RDP/Terminal Services logs are also available on
 modern Windows versions
-Successful/Failed Logons
-Description
+===== Successful/Failed Logons =====
 Profile account creation, attempted logons, and account usage.
-Location
+<code>
 Win7+: % SYSTEM ROOT%\System32\winevt\logs\Security.evtx
-Interpretation
+</code>
 • Win7+:
  - 4624 – Successful Logon
@@ Line 910: / Line 1057: @@
  - 4672 – Account logon with superuser rights (Administrator)
  - 4720 – An account was created
-Authentication Events
-Description
+===== Authentication Events =====
 Authentication Events identify where authentication of credentials occurred.
 They can be particularly useful when tracking local vs. domain account
 usage.
-Location
+<code>
 Win7+: %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
-Interpretation
+</code>
 • Recorded on system that authenticated credentials
  - Local Account/Workgroup = on workstation
@@ Line 927: / Line 1075: @@
  - 4769: Service Ticket requested (access to server resource)
  - 4771: Pre-authentication failed (failed logon)
-Logon Event Types
-Description
+===== Logon Event Types =====
 Logon Events provide very specific information regarding the nature of
 account authorizations on a system. In addition to date, time, username,
 hostname, and success/failure status of a logon, Logon Events also enable
 us to determine by exactly what means a logon was attempted.
-Location
+<code>
 Win7+: %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
-Interpretation
+</code>
 Event ID 4624
 Logon Type Explanation
@@ Line 953: / Line 1102: @@
 ===== Network Activity and Physical Location =====
-Network History
+===== Network History =====
-Description
 Identify networks to which the computer
 connected. Available information includes domain
 name/intranet name, SSID, first and last time
 connected, and Gateway MAC Address.
-Location
+<code>
 • SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
 • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
@@ Line 970: / Line 1119: @@
 • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\
 Profiles
-Interpretation
+</code>
 • Multiple registry keys can be correlated to
 provide a rich picture of network activity.
@@ Line 985: / Line 1134: @@
  - 71 (0x47) = Wireless
  - 243 (0xF3) = Mobile Broadband
-Browser URL
-Parameters
+===== Browser URL Parameters =====
-Description
 Information leaked within browser history URL
 parameters can provide clues to captive portal
@@ Line 997: / Line 1145: @@
 &fb=1&sa=X&geocode=KWv-o9E_nLJBBdixYmN41uvu&daddr=Hyat
 t+Place+Portland-Old+Port,+433+Fore+St,+Portland,+ME+04101
-Location
+<code>
-Multiple – see the history information within the
+Multiple – see the history information within the Browser Usage section
-Browser Usage section
-Timezone
+===== Timezone =====
-Description
 Registry data identifies the current system
 time zone. Event logs may be able to provide
 additional historical information.
-Location
+<code>
 • SYSTEM\CurrentControlSet\Control\TimeZoneInformation
 • %SYSTEM ROOT%\System32\winevt\logs\System.evtx
-Interpretation
+</code>
 • Some log files and artifact timestamps can only
 be correctly interpreted by knowing the system
@@ Line 1014: / Line 1161: @@
 • Event ID 6013 in the System.evtx log can provide
 information on historical time zone settings
-WLAN Event Log
-Description
+===== WLAN Event Log =====
 Determine historical view of wireless networks associations.
-Location
+<code>
 Win7+: Microsoft-Windows-WLAN-AutoConfig Operational.evtx
-Interpretation
+</code>
 • Provides historical record of wireless network connections
 • SSID can be used to correlate and retrieve additional network
@@ Line 1029: / Line 1177: @@
  - 8003 – Disconnect from wireless network
  - 6100 – Network diagnostics (System log)
-Network Interfaces
-Description
+===== Network Interfaces =====
 List available network interfaces and their last known configurations.
-Location
+<code>
 • SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
 • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
-Interpretation
+</code>
 • Interfaces key includes the last known IP address, DHCP and domain
 information for both physical and virtual network adapters. Subkeys
@@ Line 1042: / Line 1190: @@
 • The two keys are mapped via the interface GUID value
 • Unlikely to be a complete view of every connected network
-System Resource
+===== System Resource Usage Monitor (SRUM) =====
-Usage Monitor (SRUM)
-Description
+SRUM records 30 to 60 days of historical system performance including applications run, user accounts responsible, network connections, and bytes sent/received per application per hour.
-SRUM records 30 to 60 days of historical
+<code>
-system performance including applications
-run, user accounts responsible, network
-connections, and bytes sent/received per
-application per hour.
-Location
 Win8+: C:\Windows\System32\SRU\SRUDB.dat
-Interpretation
+</code>
 • SRUDB.dat is an Extensible Storage Engine
 database
@@ Line 1068: / Line 1211: @@
 ===== External Device/USB Usage =====
-USB Device Identification
+==== USB Device Identification ====
-Description
 Track USB devices plugged into a machine.
-Location
+<code>
 • SYSTEM\CurrentControlSet\Enum\USBSTOR
 • SYSTEM\CurrentControlSet\Enum\USB
 • SYSTEM\CurrentControlSet\Enum\SCSI
 • SYSTEM\CurrentControlSet\Enum\HID
-Interpretation
+</code>
 • Identify vendor, product, and version of a USB device plugged into a
 machine
@@ Line 1092: / Line 1235: @@
 SYSTEM\Setup\Upgrade\PnP\CurrentControlSet\Control\DeviceMigration
 • HID key tracks peripherals connected to the system
-Event Logs
-Description
+==== Event Logs ====
 Removable device activity can be audited in multiple Windows event logs.
-Location
+<code>
 Win7+: %SYSTEM ROOT%\System32\winevt\logs\System.evtx
-Interpretation
+</code>
 • Event IDs 20001, 20003 – Plug and Play driver install attempted
-Location
+<code>
 %SYSTEM ROOT%\System32\winevt\logs\Security.evtx
-Interpretation
+</code>
 • 4663 – Attempt to access removable storage object (Security log)
 • 4656 – Failure to access removable storage object (Security log)
 • 6416 – A new external device was recognized on system (Security log)
 • Security log events are dependent on system audit settings
-Location Connection Times
+<code> Connection Times
 • Win10+: %SYSTEM ROOT%\System32\winevt\logs\Microsoft-Windows-Partition/Diagnostic.evtx
-Interpretation
+</code>
 • Event ID 1006 is recorded for each device connect/disconnect
-Drive Letter and Volume Name
-Description
+==== Drive Letter and Volume Name ====
 Discover the last drive letter and volume name of a device when it was
 plugged into the system.
-Location
+<code>
 XP:
 • Find ParentIdPrefix – SYSTEM\CurrentControlSet\Enum\USBSTOR
@@ Line 1123: / Line 1268: @@
 serial number match in value data
 • Win7+: SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
-Interpretation
+</code>
 • Only the last USB device mapped to a specific drive letter can be
 identified. Historical records not available.
-User Information
-Description
+==== User Information ====
 Identify user accounts tied to a unique USB Device.
-Location
+<code>
 • Document device Volume GUID from SYSTEM\MountedDevices
 • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
-Interpretation
+</code>
 If a Volume GUID match is made within MountPoints2, we can conclude the
 associated user profile was logged in while that device was present.
-Shortcut (LNK) Files
-Description
+==== Shortcut (LNK) Files ====
 Shortcut files are automatically created by Windows, tracking files and
 folders opened by a user.
-Location
+<code>
 • XP: %USERPROFILE%\Recent
 • Win7+: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
@@ Line 1145: / Line 1292: @@
 Note these are primary locations of LNK files. They can also be found in
 other locations.
-Interpretation
+</code>
 • Date/Time file of that name was first opened
  - Creation Date of Shortcut (LNK) File
@@ Line 1156: / Line 1303: @@
  - Original Location
  - Name of System
-Connection Timestamps
-Description
+==== Connection Timestamps ====
 Connection timestamps determine temporal usage of specific USB devices
 connected to a Windows Machine.
-Location First Time
+<code> First Time
 Plug and Play Log Files
 • XP: C:\Windows\setupapi.log
 • Win7+: C:\Windows\inf\setupapi.dev.log
-Interpretation
+</code>
 • Search for Device Serial Number
 • Log File times are set to local time zone
-Location First, Last, and Removal Times
+<code> First, Last, and Removal Times
 • Win7+: SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_\USBSerial#\Properties\
 {83da6326-97a6-4088-9453-a19231573b29}\####
@@ Line 1175: / Line 1322: @@
  - 0066 = Last Connected (Win8+)
  - 0067 = Last Removal (Win8+)
-Interpretation
+</code>
 Timestamps are stored in Windows 64-bit FILETIME format
-Location Connection Times
+<code> Connection Times
 • Win10+: %SYSTEM ROOT%\System32\winevt\logs\Microsoft-Windows-Partition/Diagnostic.evtx
-Interpretation
+</code>
 • Event ID 1006 is recorded for each device connect/disconnect
 • Log cleared during major OS updates
-Volume Serial Number (VSN)
-Description
+==== Volume Serial Number (VSN) ====
 Discover the VSN assigned to the file system partition on the USB.
 (NOTE: This is not the USB Unique Serial Number, which is hardcoded into
 the device firmware, nor the serial number on any external labels attached
 to the device.)
-Location
+<code>
 • SOFTWARE\Microsoft\WindowsNT\CurrentVersion\EMDMgmt
  - Find a key match using Volume Name and USB Unique Serial Number:
@@ Line 1199: / Line 1347: @@
 within each VBR
  - Log cleared during major OS updates
-Interpretation
+</code>
 The VSN and device Volume Name can help correlate devices to specific
 files via shell items present in LNK files and registry locations.

Tools

menus and quick search

quick search

site status

Page Tools

meta data for this page

Differences