Differences

This shows you the differences between two versions of the page.

--- soc:forensics:windows:start [2026/06/09 16:53] – titannet
+++ soc:forensics:windows:start [2026/06/09 17:17] (current) – titannet
@@ Line 33: / Line 33: @@
   * Defined change rules (see below)
+=== Volume Shadow Copy ===
+  * Block/cluster level backup of changes in NTFS
+  * Snapshots created approximately weekly (schedules, software install/uninstall, manual)
+  * Default 3-5% of disk space
+  * (Recovery and Windows Restore are separate mechanisms)
+  * VSC Tools:
+    *
@@ Line 75: / Line 86: @@
 | 4624 || Succesful Logon |
-|| 0 || System 	Used only by the System account, for example at system startup.
+| | 0 | System 	Used only by the System account, for example at system startup.|
-|| 2 ||	Interactive 	A user logged on to this computer.
+| | 2 | Interactive 	A user logged on to this computer.|
-|| 3 ||	Network 	A user or computer logged on to this computer from the network.
+| | 3 | Network 	A user or computer logged on to this computer from the network.|
-|| 4 ||	Batch 	Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention.
+| | 4 | Batch 	Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention.|
-|| 5 ||	Service 	The Service Control Manager started a service.
+| | 5 | Service 	The Service Control Manager started a service.|
-|| 7 || Unlock 	This workstation was unlocked.
+| | 7 | Unlock 	This workstation was unlocked.|
-|| 8 ||	NetworkCleartext 	A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext).
+| | 8 | NetworkCleartext 	A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext).|
-|| 9 ||	NewCredentials 	A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
+| | 9 | NewCredentials 	A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
-|| 10 || RemoteInteractive 	A user logged on to this computer remotely using Terminal Services or Remote Desktop.
+| | 10 | RemoteInteractive 	A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
-|| 11 || CachedInteractive 	A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller wasn't contacted to verify the credentials.
+| | 11 | CachedInteractive 	A user logged on to this computer with network credentials that were stored locally on the computer.  The domain controller wasn't contacted to verify the credentials. |
-|| 12 || CachedRemoteInteractive 	Same as RemoteInteractive. This type is used for internal auditing.
+| | 12 | CachedRemoteInteractive 	Same as RemoteInteractive. This type is used for internal auditing. |
-|| 13 || CachedUnlock 	Workstation logon.
+| | 13 | CachedUnlock 	Workstation logon. |
 | 4625 || Failed Logon |
+| | 2 | Interactive 	A user logged on to this computer. |
+| | 3 | Network 	A user or computer logged on to this computer from the network. |
+| | 4 | Batch 	Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.|
+| | 5 | Service 	A service was started by the Service Control Manager.|
+| | 7 | Unlock 	This workstation was unlocked.|
+| | 8 | NetworkCleartext 	A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).|
+| | 9 | NewCredentials 	A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
+| | 10 | RemoteInteractive 	A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
+| | 11 | CachedInteractive 	A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.|
 | 4634 || |
 | 4672 || Special Privileges Assigned |
 | 4720/4726 || User account creation/deletion |
-| 4648 Logon with explicit credentials |
+| 4648 || Logon with explicit credentials, connected to other events via Account Name, Account Domain, Logon GUID |
+==== Service? ====
+|  ||  |
+|  ||  |
+|  ||  |
 / 6006 — Event Log Service Started/Stopped:
@@ Line 250: / Line 274: @@
 times (only one time available pre-Win8), total number of times
 executed, and device and file handles used by the program
-CapabilityAccessManager
-Description
+==== CapabilityAccessManager ====
 Records application use of the microphone, camera, and other
 application-specific settings.
@@ Line 262: / Line 287: @@
 • LastUsedTimeStart and LastUsedTimeStop track the last session times
 • The NonPackaged key tracks non-Microsoft applications
-UserAssist
-Description
+==== UserAssist ====
 UserAssist records metadata on GUI-based program executions.
 <code>
@@ Line 277: / Line 303: @@
 ===== File and Folder Opening =====
-Open/Save MRU
+==== Open/Save MRU ====
-Description
 In the simplest terms, this key tracks files that have been opened or saved
 within a Windows shell dialog box. This happens to be a big data set,
@@ Line 292: / Line 318: @@
 • .??? (Three letter extension) – This subkey stores file info from the
 OpenSave dialog by specific extension
-Recent Files
-Description
+==== Recent Files ====
 Registry key tracking the last files and folders opened. Used to populate
 data in places like the “Recent” menus present in some Start menus.
@@ Line 311: / Line 338: @@
 time of the key, providing the time of opening for that folder.
 MS Word Reading Locations
-Description
+==== Description ====
 Beginning with Word 2013, the last known position of the user within a
 Word document is recorded.
@@ Line 336: / Line 365: @@
 identified via this registry key.
 Shortcut (LNK) Files
-Description
+==== Description ====
 Shortcut files are automatically created by Windows, tracking files and
 folders opened by a user.
@@ Line 356: / Line 387: @@
  - Original Location
  - Name of System
-Office Recent Files
-Description
+==== Office Recent Files ====
 MS Office programs track their own recent files list, to make it easier for
 users to access previously opened files.
@@ Line 377: / Line 409: @@
 • Unlike the Recent Files registry key, full path information is recorded
 along with a last opened time for each entry
-Shell Bags
-Description
+==== Shell Bags ====
 Shell bags identifies which folders were accessed on the local machine, via
 the network, and on removable devices, per user. It also shows evidence of
@@ Line 395: / Line 428: @@
 • “Exotic” items recorded like mobile device info, control panel access, and
 Zip archive access
-Jump Lists
-Description
+==== Jump Lists ====
 Windows Jump Lists allow user access to frequently or recently used items
 quickly via the task bar. First introduced in Windows 7, they can identify
@@ Line 414: / Line 448: @@
  - Local Drive | Removable Media | Network Share Info
  - Entries kept in MRU order including a timestamp for each item
-Office Trust Records
-Description
+==== Office Trust Records ====
 Records trust relationships afforded to documents by a user when
 presented with a security warning. This is stored so the user is only
@@ Line 436: / Line 471: @@
 • Events include the program name and dialog message, showing some
 user activity within the application
-Internet Explorer file:///
-Description
+==== Internet Explorer file:/// ====
 Internet Explorer History databases have long held information on local
 and remote file access (via network shares), giving us an excellent means
@@ Line 453: / Line 489: @@
 ===== Deleted Items and File Existence =====
-Thumbs.db
+==== Thumbs.db ====
-Description
 The hidden database file is created in directories where images
 were viewed as thumbnails. It can catalog previous contents of a
@@ Line 468: / Line 504: @@
 • Most relevant for XP systems, but Thumbs.db files can be
 created on more modern OS versions in unusual circumstances
 such as when folders are viewed via UNC paths.
-Windows Search Database
-Description
+==== Windows Search Database ====
 Windows Search indexes more than 900 file types, including
 email and file metadata, allowing users to search based on
@@ Line 486: / Line 523: @@
 • Extensive file metadata and even partial content can be present
-Internet Explorer file:///
+==== Internet Explorer file:/// ====
-Description
 Internet Explorer History databases have long held information on local and remote (via
 network shares) file access, giving us an excellent means for determining files accessed on
@@ Line 499: / Line 536: @@
 • Entries are recorded as: file:///C:/<directory>/<filename>.<ext>
 • It does not mean the file was opened in a browser
-Search – WordWheelQuery
-Description
+==== Search – WordWheelQuery ====
 This maintains an ordered list of terms put into the File Explorer search dialog.
 <code>
@@ Line 517: / Line 555: @@
 drives or network shares
-Thumbcache
+==== Thumbcache ====
-Description
 Thumbnails of pictures, documents, and folders exist in a set of
 databases called the thumbcache. It is maintained for each user
@@ Line 533: / Line 571: @@
 Cache ID can be cross-referenced within the Windows Search
 Database to identify filename, path, and additional file metadata
-Recycle Bin
-Description
+==== Recycle Bin ====
 The recycle bin collects items soft-deleted by each user and
 associated metadata—only relevant for recycle-bin aware
@@ Line 553: / Line 592: @@
 ===== Browser Activity =====
-History and Download History
+==== History and Download History ====
-Description
 History and Download History records websites visited by date and time.
 <code>
@@ Line 570: / Line 609: @@
 • Look for multiple profiles in Chromium browsers, including “Default”, and
 “Profile1”, etc.
-Media History
-Description
+==== Media History ====
 Media History tracks media usage (audio and video played) on visited
 websites (Chromium browsers).
@@ Line 582: / Line 622: @@
 • Includes URLs, last play time, watch time duration, and last video position
 • Not cleared when other history data is cleared
-HTML5 Web Storage
-Description
+==== HTML5 Web Storage ====
 HTML5 Web Storage are considered to be “Super Cookies”. Each domain
 can store up to 10MB of text-based data on the local system.
@@ Line 595: / Line 636: @@
 Chrome uses a LevelDB database, Firefox uses SQLite, and IE/EdgeHTML
 store data within XML files
-HTML5 FileSystem
-Description
+==== HTML5 FileSystem ====
 HTML5 FileSystem implements the HTML5 local storage FileSystem API. It is
 similar to Web Storage, but designed to store larger binary data.
@@ Line 608: / Line 650: @@
 • Files are stored temporarily (“t” subfolders) or in permanent (“p”
 subfolders) storage
-Auto-Complete Data
-Description
+==== Auto-Complete Data ====
 Many databases store data that a user has typed into the browser.
 <code>
@@ Line 635: / Line 678: @@
 • Includes typed-in data, as well as data types
 • Connects typed data and knowledge to a user account
-Browser Preferences
-Description
+==== Browser Preferences ====
 Configuration data associated with the browser application, including
 privacy settings and synchronization preferences.
@@ Line 652: / Line 696: @@
  - Contains synchronization status, last sync time and artifacts selected to sync
 • Edge preferences include account_info, clear_data_on_exit, and sync settings
-Cache
-Description
+==== Cache ====
 The cache is where web page components can be stored locally to speed
 up subsequent visits.
@@ Line 679: / Line 724: @@
 user account
 • Timestamps show when the site was first saved and last viewed
-Bookmarks
-Description
+==== Bookmarks ====
 Bookmarks include default items, as well as those the user chose to save
 for future reference.
@@ Line 700: / Line 746: @@
 • Note: not all bookmarks are user-generated; it is possible to bookmark a
 site and never visit it
-Stored Credentials
-Description
+==== Stored Credentials ====
 Browser-based credential storage typically uses Windows DPAPI
 encryption. If the login account is a Microsoft cloud account in Windows
@@ Line 720: / Line 767: @@
 encrypted. Actual credentials are easiest to retrieve on a live system
 with the user account logged in.
-Browser Downloads
-Description
+==== Browser Downloads ====
 Modern browsers include built-in download manager applications
 capable of keeping a history of every file downloaded by the user. This
@@ Line 744: / Line 792: @@
 • File system save location
 • State information including success and failure
-Extensions
-Description
+==== Extensions ====
 Browser functionality can be extended through the use of extensions, or
 browser plugins.
@@ Line 771: / Line 820: @@
 permissions, and version.
  - The preferences file can also include additional extension data
-Session Restore
-Description
+==== Session Restore ====
 Automatic crash recovery features are built into the browser.
 <code>
@@ Line 797: / Line 847: @@
 • HTML, JavaScript, XML, and form data from the page
 • Other artifacts such as transition type, browser window size and pinned tabs
-Cookies
-Description
+==== Cookies ====
 Cookies provide insight into what websites have been visited and what
 activities might have taken place there.
@@ Line 813: / Line 864: @@
 ===== Cloud Storage =====
-OneDrive
+===== OneDrive =====
-Description
 OneDrive is installed by default on Windows 8+ systems, although it must
 be enabled by a user authenticating to their Microsoft Cloud account
@@ Line 839: / Line 890: @@
 • OneDrive for Business Unified Audit Logs in Microsoft 365 provide 90
 days of user activity logging
-Google Drive for
-Desktop
+===== Google Drive for Desktop =====
-Description
 Google Drive for Desktop is the new name
 for the merged Google Backup and Sync
@@ Line 865: / Line 916: @@
 • metadata_sqlite_db database uses protobuf
 format for many important fields
-Box Drive
-Description
+===== Box Drive =====
 Box Drive uses a virtual filesystem,
 implemented as an NTFS reparse point.
@@ Line 892: / Line 944: @@
 • Detailed usage logging available, but may
 only go back a few weeks
-Dropbox
-Description
+===== Dropbox =====
 Dropbox can be a challenging application to investigate. Older
 versions encrypt most metadata using Windows DPAPI, but
@@ Line 922: / Line 975: @@
 ===== Account Usage =====
-Cloud Account Details
+===== Cloud Account Details =====
-Description
 Microsoft Cloud Accounts store account information in the SAM hive, including
 the email address associated with the account.
@@ Line 941: / Line 994: @@
 • Last login time, last password change, login counts, group membership,
 account creation time and more can be determined
-Service Events
-Description
+===== Service Events =====
 Analyze logs for suspicious Windows service creation, persistence, and services
 started or stopped around the time of a suspected compromise. Service events
@@ Line 961: / Line 1015: @@
 • Services started on boot illustrate persistence (desirable in malware)
 • Services can crash due to attacks like process injection
-User Accounts
-Description
+===== User Accounts =====
 Identify both local and domain accounts with interactive logins to the
 system.
@@ Line 972: / Line 1027: @@
 indicating the user’s profile path
 Remote Desktop Protocol (RDP)
-Usage
-Description
+===== Usage =====
 Track RDP logons and session reconnections to target machines.
 <code> Security Log
@@ Line 986: / Line 1042: @@
 • Multiple dedicated RDP/Terminal Services logs are also available on
 modern Windows versions
-Successful/Failed Logons
-Description
+===== Successful/Failed Logons =====
 Profile account creation, attempted logons, and account usage.
 <code>
 Win7+: % SYSTEM ROOT%\System32\winevt\logs\Security.evtx
 </code>
 • Win7+:
  - 4624 – Successful Logon
@@ Line 999: / Line 1057: @@
  - 4672 – Account logon with superuser rights (Administrator)
  - 4720 – An account was created
-Authentication Events
-Description
+===== Authentication Events =====
 Authentication Events identify where authentication of credentials occurred.
 They can be particularly useful when tracking local vs. domain account
@@ Line 1016: / Line 1075: @@
  - 4769: Service Ticket requested (access to server resource)
  - 4771: Pre-authentication failed (failed logon)
-Logon Event Types
-Description
+===== Logon Event Types =====
 Logon Events provide very specific information regarding the nature of
 account authorizations on a system. In addition to date, time, username,
@@ Line 1042: / Line 1102: @@
 ===== Network Activity and Physical Location =====
-Network History
+===== Network History =====
-Description
 Identify networks to which the computer
 connected. Available information includes domain
@@ Line 1074: / Line 1134: @@
  - 71 (0x47) = Wireless
  - 243 (0xF3) = Mobile Broadband
-Browser URL
-Parameters
+===== Browser URL Parameters =====
-Description
 Information leaked within browser history URL
 parameters can provide clues to captive portal
@@ Line 1087: / Line 1146: @@
 t+Place+Portland-Old+Port,+433+Fore+St,+Portland,+ME+04101
 <code>
-Multiple – see the history information within the
+Multiple – see the history information within the Browser Usage section
-Browser Usage section
-Timezone
+===== Timezone =====
-Description
 Registry data identifies the current system
 time zone. Event logs may be able to provide
@@ Line 1103: / Line 1161: @@
 • Event ID 6013 in the System.evtx log can provide
 information on historical time zone settings
-WLAN Event Log
-Description
+===== WLAN Event Log =====
 Determine historical view of wireless networks associations.
 <code>
@@ Line 1118: / Line 1177: @@
  - 8003 – Disconnect from wireless network
  - 6100 – Network diagnostics (System log)
-Network Interfaces
-Description
+===== Network Interfaces =====
 List available network interfaces and their last known configurations.
 <code>
@@ Line 1131: / Line 1190: @@
 • The two keys are mapped via the interface GUID value
 • Unlikely to be a complete view of every connected network
-System Resource
+===== System Resource Usage Monitor (SRUM) =====
-Usage Monitor (SRUM)
-Description
+SRUM records 30 to 60 days of historical system performance including applications run, user accounts responsible, network connections, and bytes sent/received per application per hour.
-SRUM records 30 to 60 days of historical
-system performance including applications
-run, user accounts responsible, network
-connections, and bytes sent/received per
-application per hour.
 <code>
 Win8+: C:\Windows\System32\SRU\SRUDB.dat
@@ Line 1157: / Line 1211: @@
 ===== External Device/USB Usage =====
-USB Device Identification
+==== USB Device Identification ====
-Description
 Track USB devices plugged into a machine.
 <code>
@@ Line 1181: / Line 1235: @@
 SYSTEM\Setup\Upgrade\PnP\CurrentControlSet\Control\DeviceMigration
 • HID key tracks peripherals connected to the system
-Event Logs
-Description
+==== Event Logs ====
 Removable device activity can be audited in multiple Windows event logs.
 <code>
@@ Line 1199: / Line 1254: @@
 </code>
 • Event ID 1006 is recorded for each device connect/disconnect
-Drive Letter and Volume Name
-Description
+==== Drive Letter and Volume Name ====
 Discover the last drive letter and volume name of a device when it was
 plugged into the system.
@@ Line 1215: / Line 1271: @@
 • Only the last USB device mapped to a specific drive letter can be
 identified. Historical records not available.
-User Information
-Description
+==== User Information ====
 Identify user accounts tied to a unique USB Device.
 <code>
@@ Line 1224: / Line 1281: @@
 If a Volume GUID match is made within MountPoints2, we can conclude the
 associated user profile was logged in while that device was present.
-Shortcut (LNK) Files
-Description
+==== Shortcut (LNK) Files ====
 Shortcut files are automatically created by Windows, tracking files and
 folders opened by a user.
@@ Line 1245: / Line 1303: @@
  - Original Location
  - Name of System
-Connection Timestamps
-Description
+==== Connection Timestamps ====
 Connection timestamps determine temporal usage of specific USB devices
 connected to a Windows Machine.
@@ Line 1271: / Line 1329: @@
 • Event ID 1006 is recorded for each device connect/disconnect
 • Log cleared during major OS updates
-Volume Serial Number (VSN)
-Description
+==== Volume Serial Number (VSN) ====
 Discover the VSN assigned to the file system partition on the USB.
 (NOTE: This is not the USB Unique Serial Number, which is hardcoded into

Tools

menus and quick search

quick search

site status

Page Tools

meta data for this page

Differences